@klerick/acl-json-api-nestjs 0.1.0

package/src/lib/types/acl-context.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl-context.types.js","sourceRoot":"","sources":["../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/types/acl-context.types.ts"],"names":[],"mappings":""}

package/src/lib/types/acl-options.types.d.ts

@@ -0,0 +1,97 @@
+import type { Type } from '@nestjs/common';
+import { AclRule, AclRulesLoader } from './acl-rules.types';
+import { AclContextStore } from './acl-context.types';
+/**
+ * Policy for handling resources with no ACL rules defined
+ */
+export type OnNoRulesPolicy = 'deny' | 'allow';
+/**
+ * Options for configuring ACL module
+ */
+export interface AclModuleOptions {
+    /**
+     * Service class that loads ACL rules from external source
+     * Must implement AclRulesLoader interface
+     * Will be retrieved via moduleRef to support services from other modules
+     */
+    rulesLoader: Type<AclRulesLoader>;
+    /**
+     * Context store for passing ACL data through request pipeline
+     * Required to access ExtendableAbility in pipes/guards/services via CLS
+     * Can be ClsService from nestjs-cls or any service with set/get methods
+     *
+     * @example
+     * ```typescript
+     * import { ClsService } from 'nestjs-cls';
+     *
+     * AclPermissionsModule.forRoot({
+     *   rulesLoader: MyRulesLoader,
+     *   contextStore: ClsService
+     * })
+     * ```
+     */
+    contextStore: Type<AclContextStore>;
+    /**
+     * Strict mode for template interpolation in rules
+     *
+     * - `true`: Throws error if variable/function not found in context
+     * - `false` (default): Logs warning and omits field with missing variable
+     *
+     * @default false
+     *
+     * @example
+     * ```typescript
+     * // Development mode - fail fast on configuration errors
+     * AclPermissionsModule.forRoot({
+     *   rulesLoader: MyRulesLoader,
+     *   strictInterpolation: true
+     * })
+     *
+     * // Production mode - graceful degradation
+     * AclPermissionsModule.forRoot({
+     *   rulesLoader: MyRulesLoader,
+     *   strictInterpolation: false
+     * })
+     * ```
+     */
+    strictInterpolation?: boolean;
+    /**
+     * Policy for handling resources with no ACL rules defined
+     *
+     * - 'deny': Throw 403 Forbidden - DEFAULT (production mode)
+     * - 'allow': Allow access + warning in logs (development mode)
+     *
+     * @default 'deny'
+     *
+     * @example
+     * ```typescript
+     * // Production - deny by default (strict)
+     * AclPermissionsModule.forRoot({
+     *   rulesLoader: MyRulesLoader,
+     *   onNoRules: 'deny'
+     * })
+     *
+     * // Development - allow access with warning
+     * AclPermissionsModule.forRoot({
+     *   rulesLoader: MyRulesLoader,
+     *   onNoRules: 'allow'
+     * })
+     * ```
+     */
+    onNoRules?: OnNoRulesPolicy;
+    /**
+     * Дефолтные правила fallback (опционально)
+     * Используются когда rulesLoader возвращает пустой массив
+     *
+     * @example
+     * ```typescript
+     * AclPermissionsModule.forRoot({
+     *   rulesLoader: MyRulesLoader,
+     *   defaultRules: [
+     *     { action: 'getAll', subject: 'all', inverted: false }
+     *   ]
+     * })
+     * ```
+     */
+    defaultRules?: AclRule[];
+}

package/src/lib/types/acl-options.types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=acl-options.types.js.map

package/src/lib/types/acl-options.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl-options.types.js","sourceRoot":"","sources":["../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/types/acl-options.types.ts"],"names":[],"mappings":""}

package/src/lib/types/acl-rules.types.d.ts

@@ -0,0 +1,201 @@
+import type { MongoQuery } from '@casl/ability';
+import type { MethodName } from '@klerick/json-api-nestjs';
+import type { AnyEntity, EntityClass } from '@klerick/json-api-nestjs-shared';
+/**
+ * Reserved variable name for external input data in rule templates
+ * This data comes from outside (request body, query params, database entity, etc.)
+ * and is NOT part of the context returned by getContext()
+ *
+ * In templates, use @input (with @) for readability: '${@input.userId}'
+ * Internally, the @ symbol is removed before interpolation since @ is not valid in JS variable names
+ *
+ * @example
+ * ```typescript
+ * // In rule template (user-facing):
+ * { conditions: { ownerId: '${@input.userId}' } }
+ *
+ * // Internally reserved variable name (without @):
+ * const scope = { input: externalData };
+ * ```
+ */
+export declare const ACL_INPUT_VAR: "input";
+/**
+ * Template placeholder with @ symbol for user-facing templates
+ * This is replaced with ACL_INPUT_VAR before interpolation
+ */
+export declare const ACL_INPUT_TEMPLATE: "@input";
+/**
+ * Type for external input data
+ *
+ * TODO: Extend to support both new input AND old values from database
+ * Use case: In patchOne, we need to compare old value vs new value in rules
+ * Example: Allow removing only self from coAuthorIds array
+ * - Current: { coAuthorIds: [1, 2, 3] } from DB
+ * - New: { coAuthorIds: [1, 3] } from @input
+ * - Helper: isOnlyRemovedUser(@input.__current.coAuthorIds, @input.coAuthorIds, userId)
+ *
+ * Proposed structure:
+ * - @input.* - new values from request
+ * - @input.__current.* - old values from database (for patchOne only)
+ */
+export type AclInputData = Record<string, any>;
+/**
+ * Utility type to exclude reserved @input variable from context/helpers
+ */
+type WithoutReservedVars<T extends Record<string, any>> = {
+    [K in keyof T as K extends typeof ACL_INPUT_VAR ? never : K]: T[K];
+};
+/**
+ * Type for CASL action
+ * Can be any method from JsonBaseController or custom string
+ */
+export type AclAction<E extends MethodName | string = MethodName | string> = E;
+/**
+ * Type for CASL subject - entity class or instance
+ * Can be:
+ * - Entity class (e.g., User, Post)
+ * - Entity instance (e.g., new User())
+ * - String with entity name (e.g., 'User', 'Post')
+ */
+export type AclSubject<E extends AnyEntity = AnyEntity> = EntityClass<E> | E | string;
+/**
+ * ACL rule definition
+ */
+export interface AclRule<E extends AnyEntity = AnyEntity, Action extends string = string> {
+    /**
+     * Action to check (e.g., 'getAll', 'postOne', 'patchOne', etc.)
+     */
+    action: Action;
+    /**
+     * Subject to check against (entity class or name)
+     */
+    subject: AclSubject<E>;
+    /**
+     * Optional conditions (MongoDB query format)
+     */
+    conditions?: MongoQuery<E>;
+    /**
+     * Optional fields restriction
+     */
+    fields?: Array<keyof E | string>;
+    /**
+     * Whether this is an inverted rule (cannot)
+     */
+    inverted?: boolean;
+    /**
+     * Optional reason for the rule
+     */
+    reason?: string;
+}
+/**
+ * Interface for loading ACL rules from external source
+ * Implementation is provided by the user
+ */
+export interface AclRulesLoader {
+    /**
+     * Loads ACL rules for the current request
+     *
+     * @param subject - Entity class or name of subject for which to load rules
+     * @param action - Action being performed (method name from JsonBaseController)
+     * @returns Array of CASL rules in JSON format (may contain template strings like '${userId}')
+     *
+     * @example
+     * ```typescript
+     * @Injectable()
+     * class MyRulesLoader implements AclRulesLoader {
+     *   async loadRules<E extends AnyEntity>(
+     *     entity: EntityClass<E>,
+     *     action: AclAction
+     *   ): Promise<AclRule<E>[]> {
+     *     const user = this.request.user;
+     *     const rules = await this.db.query(
+     *       'SELECT * FROM permissions WHERE userId = ? AND entity = ? AND action = ?',
+     *       [user.id, entity.name, action]
+     *     );
+     *     return rules.map(r => ({
+     *       action: r.action,
+     *       subject: entity,
+     *       conditions: r.conditions, // May contain: { userId: '${userId}' }
+     *       fields: r.fields
+     *     }));
+     *   }
+     * }
+     * ```
+     */
+    loadRules<E extends AnyEntity>(subject: AclSubject<E>, action: AclAction): Promise<AclRule<E>[]>;
+    /**
+     * Provides context variables for template interpolation in rules
+     *
+     * IMPORTANT: Cannot use reserved variable name 'input' - it's reserved for external input data
+     * In templates, write @input which gets converted to input internally
+     *
+     * @returns Promise with object containing variables (without 'input' key)
+     *
+     * @example
+     * ```typescript
+     * @Injectable()
+     * class MyRulesLoader implements AclRulesLoader {
+     *   constructor(
+     *     @Inject(REQUEST) private request: Request,
+     *     private usersService: UsersService
+     *   ) {}
+     *
+     *   async getContext() {
+     *     const user = this.request.user;
+     *     const userGroups = await this.usersService.getUserGroups(user.id);
+     *
+     *     return {
+     *       userId: user.id,
+     *       userEmail: user.email,
+     *       userData: {
+     *         groups: userGroups,
+     *         roles: user.roles,
+     *       },
+     *       // 'input': {} // ← TypeScript error: reserved variable
+     *     };
+     *   }
+     * }
+     * ```
+     */
+    getContext(): Promise<WithoutReservedVars<Record<string, unknown>>>;
+    /**
+     * Provides custom helper functions for template interpolation in rules
+     *
+     * These functions can be used in rule templates like: '${getValProps(@input.userGroups, "id")}'
+     *
+     * IMPORTANT: Cannot use reserved function name 'input' - it's reserved for external input data
+     * In templates, write @input which gets converted to input internally
+     *
+     * @returns Promise with object containing helper functions (without 'input' key)
+     *
+     * @example
+     * ```typescript
+     * @Injectable()
+     * class MyRulesLoader implements AclRulesLoader {
+     *   async getHelpers() {
+     *     return {
+     *       // Extract property values from array of objects
+     *       getValProps: (arr: any[], prop: string) => arr.map(item => item[prop]),
+     *
+     *       // Check if array contains value
+     *       includes: (arr: any[], value: any) => arr.includes(value),
+     *
+     *       // Get current timestamp
+     *       now: () => Date.now(),
+     *
+     *       // Custom business logic
+     *       isOwner: (resource: any, userId: number) => resource.ownerId === userId,
+     *
+     *       // 'input': () => {} // ← TypeScript error: reserved variable
+     *     };
+     *   }
+     * }
+     *
+     * // Usage in rule template:
+     * // { groupIds: { $in: '${getValProps(@input.userGroups, "id")}' } }
+     * // { ownerId: '${@input.userId}' }
+     * ```
+     */
+    getHelpers(): Promise<WithoutReservedVars<Record<string, (...args: any[]) => any>>>;
+}
+export {};

package/src/lib/types/acl-rules.types.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ACL_INPUT_TEMPLATE = exports.ACL_INPUT_VAR = void 0;
+/**
+ * Reserved variable name for external input data in rule templates
+ * This data comes from outside (request body, query params, database entity, etc.)
+ * and is NOT part of the context returned by getContext()
+ *
+ * In templates, use @input (with @) for readability: '${@input.userId}'
+ * Internally, the @ symbol is removed before interpolation since @ is not valid in JS variable names
+ *
+ * @example
+ * ```typescript
+ * // In rule template (user-facing):
+ * { conditions: { ownerId: '${@input.userId}' } }
+ *
+ * // Internally reserved variable name (without @):
+ * const scope = { input: externalData };
+ * ```
+ */
+exports.ACL_INPUT_VAR = 'input';
+/**
+ * Template placeholder with @ symbol for user-facing templates
+ * This is replaced with ACL_INPUT_VAR before interpolation
+ */
+exports.ACL_INPUT_TEMPLATE = '@input';
+//# sourceMappingURL=acl-rules.types.js.map

package/src/lib/types/acl-rules.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl-rules.types.js","sourceRoot":"","sources":["../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/types/acl-rules.types.ts"],"names":[],"mappings":";;;AAIA;;;;;;;;;;;;;;;;GAgBG;AACU,QAAA,aAAa,GAAG,OAAgB,CAAC;AAE9C;;;GAGG;AACU,QAAA,kBAAkB,GAAG,QAAiB,CAAC"}

package/src/lib/types/decorator-options.types.d.ts

@@ -0,0 +1,64 @@
+import type { JsonBaseController } from '@klerick/json-api-nestjs';
+import type { AnyEntity } from '@klerick/json-api-nestjs-shared';
+import type { AclSubject } from './acl-rules.types';
+import { AclModuleOptions } from './acl-options.types';
+/**
+ * Extract function property names from a type
+ */
+type FunctionPropertyNames<T> = {
+    [K in keyof T]: T[K] extends Function ? K : never;
+}[keyof T];
+/**
+ * Extract method names from controller class
+ */
+export type ControllerMethods<T> = FunctionPropertyNames<T>;
+export type AclControllerMethodsOptions = boolean | Omit<AclModuleOptions, 'rulesLoader' | 'contextStore' | 'strictInterpolation'>;
+/**
+ * Partial record of controller methods with boolean values
+ * Typed by specific controller class
+ */
+export type ControllerMethodsConfig<T> = Partial<Record<ControllerMethods<T>, AclControllerMethodsOptions>>;
+/**
+ * Options for @AclController decorator
+ * Generic Controller type allows type-safe method configuration
+ */
+export interface AclControllerOptions<E extends AnyEntity = AnyEntity, Controller = JsonBaseController<E, 'id'>> {
+    /**
+     * Subject for ACL checks
+     * Can be Entity class, instance, or string name
+     *
+     * @example
+     * subject: User
+     * subject: 'User'
+     */
+    subject: AclSubject<E>;
+    /**
+     * Configuration for which controller methods should have ACL enabled
+     * If not specified, all methods are enabled by default
+     * Type-safe based on Controller generic parameter
+     *
+     * @example
+     * methods: {
+     *   getAll: true,
+     *   getOne: true,
+     *   postOne: true,
+     *   patchOne: false,  // disabled
+     *   deleteOne: false, // disabled
+     * }
+     */
+    methods?: ControllerMethodsConfig<Controller>;
+    /**
+     * Whether ACL is enabled for this controller
+     * @default true
+     */
+    enabled?: boolean;
+}
+/**
+ * Metadata stored by @AclController decorator
+ */
+export interface AclControllerMetadata<E extends AnyEntity = AnyEntity> {
+    subject: AclSubject<E>;
+    methods: Record<string, AclControllerMethodsOptions>;
+    enabled: boolean;
+}
+export {};

package/src/lib/types/decorator-options.types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=decorator-options.types.js.map

package/src/lib/types/decorator-options.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decorator-options.types.js","sourceRoot":"","sources":["../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/types/decorator-options.types.ts"],"names":[],"mappings":""}

package/src/lib/types/index.d.ts

@@ -0,0 +1,4 @@
+export * from './acl-options.types';
+export * from './acl-rules.types';
+export * from './decorator-options.types';
+export * from './acl-context.types';

package/src/lib/types/index.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+tslib_1.__exportStar(require("./acl-options.types"), exports);
+tslib_1.__exportStar(require("./acl-rules.types"), exports);
+tslib_1.__exportStar(require("./decorator-options.types"), exports);
+tslib_1.__exportStar(require("./acl-context.types"), exports);
+//# sourceMappingURL=index.js.map

package/src/lib/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/types/index.ts"],"names":[],"mappings":";;;AAAA,8DAAmC;AACnC,4DAAiC;AACjC,oEAAyC;AACzC,8DAAmC"}

package/src/lib/utils/index.d.ts

@@ -0,0 +1,10 @@
+import { PipeTransform, Type } from '@nestjs/common';
+import { AnyEntity, EntityClass } from '@klerick/json-api-nestjs-shared';
+import { AclControllerMethodsOptions, AclModuleOptions } from '../types';
+export * from './orm-proxy';
+export declare function factoryPipeMixin(entity: EntityClass<AnyEntity>, pipe: Type<PipeTransform>): Type<PipeTransform<any, any>>;
+export declare const nameIt: (name: string, cls: new (...rest: unknown[]) => Record<never, unknown>) => {
+    new (...arg: unknown[]): {};
+};
+export declare function copyMethodMetadata(source: Function, target: Function): void;
+export declare function getActionOptions(moduleOptions: AclModuleOptions, actionOptions: AclControllerMethodsOptions): Exclude<AclControllerMethodsOptions, boolean>;

package/src/lib/utils/index.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.nameIt = void 0;
+exports.factoryPipeMixin = factoryPipeMixin;
+exports.copyMethodMetadata = copyMethodMetadata;
+exports.getActionOptions = getActionOptions;
+const tslib_1 = require("tslib");
+const change_case_commonjs_1 = require("change-case-commonjs");
+const common_1 = require("@nestjs/common");
+tslib_1.__exportStar(require("./orm-proxy"), exports);
+function factoryPipeMixin(entity, pipe) {
+    const entityName = entity.name;
+    const pipeClass = (0, exports.nameIt)(`${(0, change_case_commonjs_1.pascalCase)(entityName)}${pipe.name}`, pipe);
+    (0, common_1.Injectable)()(pipeClass);
+    return pipeClass;
+}
+const nameIt = (name, cls) => ({
+    [name]: class extends cls {
+        constructor(...arg) {
+            super(...arg);
+        }
+    },
+}[name]);
+exports.nameIt = nameIt;
+function copyMethodMetadata(source, target) {
+    const metadataKeys = Reflect.getMetadataKeys(source);
+    for (const key of metadataKeys) {
+        const value = Reflect.getMetadata(key, source);
+        Reflect.defineMetadata(key, value, target);
+    }
+    Object.defineProperty(target, 'name', {
+        value: source.name,
+        writable: false,
+    });
+}
+function getActionOptions(moduleOptions, actionOptions) {
+    const defaultOptions = {
+        onNoRules: moduleOptions.onNoRules,
+        defaultRules: moduleOptions.defaultRules,
+    };
+    if (actionOptions === undefined ||
+        actionOptions === true ||
+        actionOptions === false)
+        return defaultOptions;
+    return {
+        ...defaultOptions,
+        ...{
+            onNoRules: actionOptions.onNoRules,
+            defaultRules: actionOptions.defaultRules,
+        },
+    };
+}
+//# sourceMappingURL=index.js.map

package/src/lib/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../../libs/acl-permissions/nestjs-acl-permissions/src/lib/utils/index.ts"],"names":[],"mappings":";;;AAQA,4CAcC;AAcD,gDAYC;AAED,4CAuBC;;AAzED,+DAAkD;AAClD,2CAAiE;AAKjE,sDAA4B;AAE5B,SAAgB,gBAAgB,CAC9B,MAA8B,EAC9B,IAAyB;IAEzB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC;IAE/B,MAAM,SAAS,GAAG,IAAA,cAAM,EACtB,GAAG,IAAA,iCAAU,EAAC,UAAU,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,EACvC,IAAI,CACkB,CAAC;IAEzB,IAAA,mBAAU,GAAE,CAAC,SAAS,CAAC,CAAC;IAExB,OAAO,SAAS,CAAC;AACnB,CAAC;AAEM,MAAM,MAAM,GAAG,CACpB,IAAY,EACZ,GAAuD,EACvD,EAAE,CACF,CAAC;IACC,CAAC,IAAI,CAAC,EAAE,KAAM,SAAQ,GAAG;QACvB,YAAY,GAAG,GAAc;YAC3B,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC;QAChB,CAAC;KACF;CACF,CAAC,IAAI,CAAC,CAAC,CAAC;AAVE,QAAA,MAAM,UAUR;AAEX,SAAgB,kBAAkB,CAAC,MAAgB,EAAE,MAAgB;IACnE,MAAM,YAAY,GAAG,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IAErD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAC/C,OAAO,CAAC,cAAc,CAAC,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE;QACpC,KAAK,EAAE,MAAM,CAAC,IAAI;QAClB,QAAQ,EAAE,KAAK;KAChB,CAAC,CAAC;AACL,CAAC;AAED,SAAgB,gBAAgB,CAC9B,aAA+B,EAC/B,aAA0C;IAE1C,MAAM,cAAc,GAAG;QACrB,SAAS,EAAE,aAAa,CAAC,SAAS;QAClC,YAAY,EAAE,aAAa,CAAC,YAAY;KACzC,CAAC;IAEF,IACE,aAAa,KAAK,SAAS;QAC3B,aAAa,KAAK,IAAI;QACtB,aAAa,KAAK,KAAK;QAEvB,OAAO,cAAc,CAAC;IAExB,OAAO;QACL,GAAG,cAAc;QACjB,GAAG;YACD,SAAS,EAAE,aAAa,CAAC,SAAS;YAClC,YAAY,EAAE,aAAa,CAAC,YAAY;SACzC;KACF,CAAC;AACJ,CAAC"}

package/src/lib/utils/orm-proxy/extract-field-paths.d.ts

@@ -0,0 +1,73 @@
+import { AnyEntity, EntityClass, QueryField } from '@klerick/json-api-nestjs-shared';
+import { EntityParam, EntityParamMap, QueryOne, Query } from '@klerick/json-api-nestjs';
+import { ModuleRef } from '@nestjs/core';
+/**
+ * Singleton class for extracting field paths from entity objects
+ *
+ * Features:
+ * - Skips primary keys (they are always accessible, no ACL check needed)
+ * - Recursively processes relationships
+ * - Returns flat array of dot-notation paths
+ * - Handles one-to-many (arrays) and one-to-one (objects) relationships
+ *
+ * @example
+ * const extractor = ExtractFieldPaths.getInstance(entityParamMap);
+ * const obj = {
+ *   id: 1,  // primary key - will be skipped
+ *   login: 'user',
+ *   profile: { id: 10, phone: '123' }  // profile.id also skipped
+ * };
+ *
+ * const paths = extractor.fields(obj, User);
+ * // Returns: ['login', 'profile.phone']
+ */
+export declare class ExtractFieldPaths {
+    private entityParamMap;
+    private constructor();
+    private extractField;
+    fields<E extends object>(obj: E, entityClass: EntityClass<E>): string[];
+    /**
+     * Extracts only props (entity fields) from object, excluding relationships and primary key
+     * Skips primary key (same as fields() method)
+     *
+     * Use case: Create merged entity with only base fields for ACL checks
+     *
+     * @param obj - Source entity object (may contain loaded relationships)
+     * @param entityClass - Entity class
+     * @returns New object with only entity props (no relationships, no primary key)
+     *
+     * @example
+     * const entity = { id: 1, login: 'user', role: 'admin', profile: { phone: '123' } };
+     * const propsOnly = extractor.props(entity, User);
+     * // Returns: { login: 'user', role: 'admin' }
+     * // Note: id (primary key) and profile (relationship) excluded
+     */
+    props<E extends object>(obj: E, entityClass: EntityClass<E>): Partial<E>;
+    private static instance;
+    static getInstance(entityParamMap: EntityParamMap<EntityClass<AnyEntity>>): ExtractFieldPaths;
+}
+export declare function getCurrentEntityAndParamMap<E extends object>(moduleRef: ModuleRef): {
+    readonly currentEntity: EntityClass<E>;
+    readonly entityParamMap: EntityParam<EntityClass<object>>;
+    readonly entityParamMapService: EntityParamMap<EntityClass<object>>;
+};
+/**
+ * Extracts field paths for ACL checking
+ *
+ * This function:
+ * 1. Gets entity metadata from moduleRef
+ * 2. Clones the sample item
+ * 3. Removes ACL-added fields that weren't requested by user
+ * 4. Extracts field paths for checking
+ *
+ * @param moduleRef - NestJS module reference
+ * @param sampleItem - Sample entity item (first item for getAll, result for getOne)
+ * @param userQuery - Original user query
+ * @param aclQueryData - ACL query data (fields and include that were added by ACL)
+ * @returns Array of field paths to check
+ */
+export declare function extractFieldsForCheck<E extends object, IdKey extends string, Q extends QueryOne<E, IdKey> | Query<E, IdKey>>(moduleRef: ModuleRef, sampleItem: E, userQuery: Q, aclQueryData?: {
+    fields?: Q[QueryField.fields];
+    include?: Q[QueryField.include];
+    rulesForQuery?: Record<string, unknown>;
+}): string[];