@kyro-cms/core 0.5.5 → 0.7.0

package/dist/chunk-3ZFYL34R.js

@@ -0,0 +1,391 @@
+// src/database/base.ts
+var AbstractBaseAdapter = class {
+  collections = /* @__PURE__ */ new Map();
+  globals = /* @__PURE__ */ new Map();
+  connected = false;
+  async init(collections, globals = []) {
+    for (const config of collections) {
+      this.collections.set(config.slug, config);
+    }
+    for (const config of globals) {
+      this.globals.set(config.slug, config);
+    }
+    await this.connect();
+  }
+  // ========================================================================
+  // Utility Methods
+  // ========================================================================
+  getCollection(slug) {
+    const collection = this.collections.get(slug);
+    if (!collection) {
+      throw new Error(`Collection "${slug}" not found in adapter`);
+    }
+    return collection;
+  }
+  applyTenantFilter(where = {}, tenantID) {
+    if (tenantID) {
+      return {
+        ...where,
+        tenantID: { equals: tenantID }
+      };
+    }
+    return where;
+  }
+  getTableName(slug) {
+    return slug.replace(/-/g, "_");
+  }
+  prepareData(data, collection) {
+    const prepared = { ...data };
+    if (collection.timestamps) {
+      prepared.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+      if (!prepared.createdAt) {
+        prepared.createdAt = (/* @__PURE__ */ new Date()).toISOString();
+      }
+    }
+    if (collection.auth && prepared.password) ;
+    return prepared;
+  }
+  processRelationships(data, fields, depth) {
+    return data;
+  }
+  parseSort(sort) {
+    if (!sort) return { field: "createdAt", direction: "desc" };
+    if (sort.startsWith("-")) {
+      return { field: sort.slice(1), direction: "desc" };
+    }
+    return { field: sort, direction: "asc" };
+  }
+  calculatePagination(page, limit, totalDocs) {
+    const totalPages = Math.ceil(totalDocs / limit);
+    return {
+      totalDocs,
+      limit,
+      totalPages,
+      page,
+      pagingCounter: (page - 1) * limit + 1,
+      hasPrevPage: page > 1,
+      hasNextPage: page < totalPages,
+      prevPage: page > 1 ? page - 1 : null,
+      nextPage: page < totalPages ? page + 1 : null
+    };
+  }
+  selectFields(data, select) {
+    if (!select || select.length === 0) return data;
+    const result = {};
+    for (const field of select) {
+      if (field in data) {
+        result[field] = data[field];
+      }
+    }
+    result["id"] = data.id;
+    return result;
+  }
+  isRelationshipField(field) {
+    return field.type === "relationship";
+  }
+  isUploadField(field) {
+    return field.type === "upload";
+  }
+  getRelationshipFields(fields) {
+    const result = [];
+    for (const field of fields) {
+      if (field.type === "relationship") {
+        result.push(field);
+      } else if ("fields" in field && field.fields) {
+        result.push(...this.getRelationshipFields(field.fields));
+      }
+    }
+    return result;
+  }
+  getUploadFields(fields) {
+    const result = [];
+    for (const field of fields) {
+      if (field.type === "upload") {
+        result.push(field);
+      } else if ("fields" in field && field.fields) {
+        result.push(...this.getUploadFields(field.fields));
+      }
+    }
+    return result;
+  }
+};
+
+// src/auth/rbac/roles.ts
+var DEFAULT_ROLES = [
+  {
+    name: "super_admin",
+    level: 100,
+    inherits: [],
+    description: "Full system access across all tenants"
+  },
+  {
+    name: "admin",
+    level: 90,
+    inherits: ["editor"],
+    description: "Full tenant access with all content permissions"
+  },
+  {
+    name: "editor",
+    level: 70,
+    inherits: ["author"],
+    description: "Edit and publish all content"
+  },
+  {
+    name: "author",
+    level: 50,
+    inherits: ["customer"],
+    description: "Create and edit own content"
+  },
+  {
+    name: "customer",
+    level: 30,
+    inherits: [],
+    description: "Access own data and make purchases"
+  },
+  {
+    name: "guest",
+    level: 10,
+    inherits: [],
+    description: "Public read-only access"
+  }
+];
+var ROLE_PERMISSIONS = {
+  super_admin: ["*"],
+  admin: [
+    "users:admin",
+    "users:read",
+    "users:update",
+    "audit_logs:read",
+    "posts:admin",
+    "posts:read",
+    "posts:create",
+    "posts:update",
+    "posts:delete",
+    "pages:admin",
+    "pages:read",
+    "pages:create",
+    "pages:update",
+    "pages:delete",
+    "media:admin",
+    "media:read",
+    "media:create",
+    "media:update",
+    "media:delete",
+    "categories:admin",
+    "categories:read",
+    "categories:create",
+    "categories:update",
+    "categories:delete",
+    "products:admin",
+    "products:read",
+    "products:create",
+    "products:update",
+    "products:delete",
+    "orders:admin",
+    "orders:read",
+    "orders:update",
+    "customers:admin",
+    "customers:read",
+    "customers:update",
+    "coupons:admin",
+    "coupons:read",
+    "coupons:create",
+    "coupons:update",
+    "coupons:delete",
+    "navigation:admin",
+    "navigation:read",
+    "navigation:create",
+    "navigation:update",
+    "navigation:delete",
+    "settings:admin",
+    "settings:read",
+    "settings:update",
+    "profile:admin",
+    "profile:read",
+    "profile:update"
+  ],
+  editor: [
+    "posts:admin",
+    "posts:read",
+    "posts:create",
+    "posts:update",
+    "posts:delete",
+    "pages:admin",
+    "pages:read",
+    "pages:create",
+    "pages:update",
+    "pages:delete",
+    "media:read",
+    "media:create",
+    "media:update",
+    "categories:read",
+    "categories:create",
+    "categories:update",
+    "products:read",
+    "orders:read",
+    "orders:update",
+    "navigation:read",
+    "navigation:create",
+    "navigation:update",
+    "profile:read",
+    "profile:update"
+  ],
+  author: [
+    "posts:read",
+    "posts:create",
+    "posts:update",
+    "media:read",
+    "media:create",
+    "categories:read",
+    "profile:read",
+    "profile:update"
+  ],
+  customer: ["profile:read", "profile:update", "orders:read", "orders:create"],
+  guest: ["posts:read", "pages:read", "products:read"]
+};
+function getRoleHierarchy(role, roles = DEFAULT_ROLES) {
+  const hierarchy = [role];
+  const roleMap = new Map(roles.map((r) => [r.name, r]));
+  const addInherited = (r) => {
+    const roleData = roleMap.get(r);
+    if (roleData && roleData.inherits) {
+      for (const inherited of roleData.inherits) {
+        if (!hierarchy.includes(inherited)) {
+          hierarchy.push(inherited);
+          addInherited(inherited);
+        }
+      }
+    }
+  };
+  addInherited(role);
+  return hierarchy;
+}
+
+// src/auth/rbac/checker.ts
+function hasPermission(user, permission, rolePermissions = ROLE_PERMISSIONS) {
+  if (!user || !user.role) return false;
+  const userPermissions = getUserPermissions(user, rolePermissions);
+  if (userPermissions.includes("*")) return true;
+  if (userPermissions.includes(permission)) return true;
+  const [resource, action] = permission.split(":");
+  if (userPermissions.includes(`${resource}:*`)) return true;
+  if (userPermissions.includes(`${resource}:admin`)) return true;
+  return false;
+}
+function hasAnyRole(user, checkRoles) {
+  if (!user || !user.role) return false;
+  const hierarchy = getRoleHierarchy(user.role);
+  return checkRoles.some((role) => hierarchy.includes(role));
+}
+function getUserPermissions(user, rolePermissions = ROLE_PERMISSIONS) {
+  if (!user || !user.role) return [];
+  const hierarchy = getRoleHierarchy(user.role);
+  const permissions = /* @__PURE__ */ new Set();
+  for (const role of hierarchy) {
+    const rolePerms = rolePermissions[role];
+    if (rolePerms) {
+      for (const perm of rolePerms) {
+        permissions.add(perm);
+      }
+    }
+  }
+  return Array.from(permissions);
+}
+
+// src/auth/rls/tenant.ts
+var DEFAULT_RLS_CONFIG = {
+  tenantEnabled: true,
+  tenantField: "tenantId",
+  ownershipRules: {
+    posts: {
+      ownerField: "authorId",
+      bypassRoles: ["super_admin", "admin", "editor"]
+    },
+    pages: {
+      ownerField: "authorId",
+      bypassRoles: ["super_admin", "admin", "editor"]
+    },
+    media: {
+      ownerField: "uploadedBy",
+      bypassRoles: ["super_admin", "admin", "editor"]
+    },
+    orders: {
+      ownerField: "customerId",
+      bypassRoles: ["super_admin", "admin", "editor"]
+    },
+    customers: { ownerField: "id", bypassRoles: ["super_admin", "admin"] },
+    navigation: { ownerField: "id", bypassRoles: ["super_admin", "admin"] }
+  }
+};
+function addTenantFilter(query, context, config = DEFAULT_RLS_CONFIG) {
+  if (!config.tenantEnabled || context.isSuperAdmin) {
+    return query;
+  }
+  return {
+    ...query,
+    where: {
+      ...query.where,
+      [config.tenantField]: context.tenantId
+    }
+  };
+}
+function applyOwnershipRule(query, collection, context, config = DEFAULT_RLS_CONFIG) {
+  const rule = config.ownershipRules[collection];
+  if (!rule) {
+    return query;
+  }
+  if (rule.bypassRoles && hasAnyRole({ role: context.role }, rule.bypassRoles)) {
+    return query;
+  }
+  if (rule.ownerField === "id" && context.userId) {
+    return {
+      ...query,
+      where: {
+        ...query.where,
+        id: context.userId
+      }
+    };
+  }
+  if (rule.ownerField && context.userId) {
+    return {
+      ...query,
+      where: {
+        ...query.where,
+        [rule.ownerField]: context.userId
+      }
+    };
+  }
+  return query;
+}
+function applyRLS(query, collection, context, config = DEFAULT_RLS_CONFIG) {
+  let result = query;
+  result = addTenantFilter(result, context, config);
+  result = applyOwnershipRule(result, collection, context, config);
+  return result;
+}
+function canAccessDocument(doc, collection, context, config = DEFAULT_RLS_CONFIG) {
+  if (context.isSuperAdmin) {
+    return true;
+  }
+  if (config.tenantEnabled && doc[config.tenantField] !== context.tenantId) {
+    return false;
+  }
+  const rule = config.ownershipRules[collection];
+  if (!rule) {
+    return true;
+  }
+  if (rule.bypassRoles && hasAnyRole({ role: context.role }, rule.bypassRoles)) {
+    return true;
+  }
+  if (rule.ownerField === "id") {
+    return doc.id === context.userId;
+  }
+  if (rule.ownerField) {
+    return doc[rule.ownerField] === context.userId;
+  }
+  return true;
+}
+
+export { AbstractBaseAdapter, DEFAULT_RLS_CONFIG, applyRLS, canAccessDocument, hasPermission };
+//# sourceMappingURL=chunk-3ZFYL34R.js.map
+//# sourceMappingURL=chunk-3ZFYL34R.js.map

package/dist/chunk-3ZFYL34R.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/database/base.ts","../src/auth/rbac/roles.ts","../src/auth/rbac/checker.ts","../src/auth/rls/tenant.ts"],"names":[],"mappings":";AAwBO,IAAe,sBAAf,MAA0D;AAAA,EACrD,WAAA,uBAAiD,GAAA,EAAI;AAAA,EACrD,OAAA,uBAAyC,GAAA,EAAI;AAAA,EAC7C,SAAA,GAAY,KAAA;AAAA,EAKtB,MAAM,IAAA,CAAK,WAAA,EAAiC,OAAA,GAA0B,EAAC,EAAkB;AACvF,IAAA,KAAA,MAAW,UAAU,WAAA,EAAa;AAChC,MAAA,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,MAAA,CAAO,IAAA,EAAM,MAAM,CAAA;AAAA,IAC1C;AACA,IAAA,KAAA,MAAW,UAAU,OAAA,EAAS;AAC5B,MAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,IAAA,EAAM,MAAM,CAAA;AAAA,IACtC;AACA,IAAA,MAAM,KAAK,OAAA,EAAQ;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EA2BU,cAAc,IAAA,EAAgC;AACtD,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,IAAI,CAAA;AAC5C,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,YAAA,EAAe,IAAI,CAAA,sBAAA,CAAwB,CAAA;AAAA,IAC7D;AACA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA,EAEU,iBAAA,CAAkB,KAAA,GAA6B,EAAC,EAAG,QAAA,EAAwC;AACnG,IAAA,IAAI,QAAA,EAAU;AACZ,MAAA,OAAO;AAAA,QACL,GAAG,KAAA;AAAA,QACH,QAAA,EAAU,EAAE,MAAA,EAAQ,QAAA;AAAS,OAC/B;AAAA,IACF;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEU,aAAa,IAAA,EAAsB;AAC3C,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA;AAAA,EAC/B;AAAA,EAEU,WAAA,CAAY,MAA2B,UAAA,EAAmD;AAClG,IAAA,MAAM,QAAA,GAAgC,EAAE,GAAG,IAAA,EAAK;AAEhD,IAAA,IAAI,WAAW,UAAA,EAAY;AACzB,MAAA,QAAA,CAAS,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAC5C,MAAA,IAAI,CAAC,SAAS,SAAA,EAAW;AACvB,QAAA,QAAA,CAAS,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAC9C;AAAA,IACF;AAGA,IAAA,IAAI,UAAA,CAAW,IAAA,IAAQ,QAAA,CAAS,QAAA,EAAU;AAI1C,IAAA,OAAO,QAAA;AAAA,EACT;AAAA,EAEU,oBAAA,CACR,IAAA,EACA,MAAA,EACA,KAAA,EACqB;AAErB,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEU,UAAU,IAAA,EAA6D;AAC/E,IAAA,IAAI,CAAC,IAAA,EAAM,OAAO,EAAE,KAAA,EAAO,WAAA,EAAa,WAAW,MAAA,EAAO;AAC1D,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,GAAG,CAAA,EAAG;AACxB,MAAA,OAAO,EAAE,KAAA,EAAO,IAAA,CAAK,MAAM,CAAC,CAAA,EAAG,WAAW,MAAA,EAAO;AAAA,IACnD;AACA,IAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,SAAA,EAAW,KAAA,EAAM;AAAA,EACzC;AAAA,EAEU,mBAAA,CAAoB,IAAA,EAAc,KAAA,EAAe,SAAA,EAAmB;AAC5E,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,IAAA,CAAK,SAAA,GAAY,KAAK,CAAA;AAC9C,IAAA,OAAO;AAAA,MACL,SAAA;AAAA,MACA,KAAA;AAAA,MACA,UAAA;AAAA,MACA,IAAA;AAAA,MACA,aAAA,EAAA,CAAgB,IAAA,GAAO,CAAA,IAAK,KAAA,GAAQ,CAAA;AAAA,MACpC,aAAa,IAAA,GAAO,CAAA;AAAA,MACpB,aAAa,IAAA,GAAO,UAAA;AAAA,MACpB,QAAA,EAAU,IAAA,GAAO,CAAA,GAAI,IAAA,GAAO,CAAA,GAAI,IAAA;AAAA,MAChC,QAAA,EAAU,IAAA,GAAO,UAAA,GAAa,IAAA,GAAO,CAAA,GAAI;AAAA,KAC3C;AAAA,EACF;AAAA,EAEU,YAAA,CAAa,MAA2B,MAAA,EAAwC;AACxF,IAAA,IAAI,CAAC,MAAA,IAAU,MAAA,CAAO,MAAA,KAAW,GAAG,OAAO,IAAA;AAC3C,IAAA,MAAM,SAA8B,EAAC;AACrC,IAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC1B,MAAA,IAAI,SAAS,IAAA,EAAM;AACjB,QAAA,MAAA,CAAO,KAAK,CAAA,GAAI,IAAA,CAAK,KAAK,CAAA;AAAA,MAC5B;AAAA,IACF;AACA,IAAA,MAAA,CAAO,IAAI,IAAI,IAAA,CAAK,EAAA;AACpB,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEU,oBAAoB,KAAA,EAA0C;AACtE,IAAA,OAAO,MAAM,IAAA,KAAS,cAAA;AAAA,EACxB;AAAA,EAEU,cAAc,KAAA,EAAoC;AAC1D,IAAA,OAAO,MAAM,IAAA,KAAS,QAAA;AAAA,EACxB;AAAA,EAEU,sBAAsB,MAAA,EAAsC;AACpE,IAAA,MAAM,SAA8B,EAAC;AACrC,IAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC1B,MAAA,IAAI,KAAA,CAAM,SAAS,cAAA,EAAgB;AACjC,QAAA,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,MACnB,CAAA,MAAA,IAAW,QAAA,IAAY,KAAA,IAAS,KAAA,CAAM,MAAA,EAAQ;AAC5C,QAAA,MAAA,CAAO,KAAK,GAAG,IAAA,CAAK,qBAAA,CAAsB,KAAA,CAAM,MAAM,CAAC,CAAA;AAAA,MACzD;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEU,gBAAgB,MAAA,EAAgC;AACxD,IAAA,MAAM,SAAwB,EAAC;AAC/B,IAAA,KAAA,MAAW,SAAS,MAAA,EAAQ;AAC1B,MAAA,IAAI,KAAA,CAAM,SAAS,QAAA,EAAU;AAC3B,QAAA,MAAA,CAAO,KAAK,KAAK,CAAA;AAAA,MACnB,CAAA,MAAA,IAAW,QAAA,IAAY,KAAA,IAAS,KAAA,CAAM,MAAA,EAAQ;AAC5C,QAAA,MAAA,CAAO,KAAK,GAAG,IAAA,CAAK,eAAA,CAAgB,KAAA,CAAM,MAAM,CAAC,CAAA;AAAA,MACnD;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AACF;;;ACnJO,IAAM,aAAA,GAAwB;AAAA,EACnC;AAAA,IACE,IAAA,EAAM,aAAA;AAAA,IACN,KAAA,EAAO,GAAA;AAAA,IACP,UAAU,EAAC;AAAA,IACX,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,OAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,QAAA,EAAU,CAAC,QAAQ,CAAA;AAAA,IACnB,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,QAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,QAAA,EAAU,CAAC,QAAQ,CAAA;AAAA,IACnB,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,QAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,QAAA,EAAU,CAAC,UAAU,CAAA;AAAA,IACrB,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,UAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,UAAU,EAAC;AAAA,IACX,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,OAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,UAAU,EAAC;AAAA,IACX,WAAA,EAAa;AAAA;AAEjB,CAAA;AA2EO,IAAM,gBAAA,GAA6C;AAAA,EACxD,WAAA,EAAa,CAAC,GAAG,CAAA;AAAA,EAEjB,KAAA,EAAO;AAAA,IACL,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,kBAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,iBAAA;AAAA,IACA,iBAAA;AAAA,IACA,cAAA;AAAA,IACA,aAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA,eAAA;AAAA,IACA,cAAA;AAAA,IACA,gBAAA;AAAA,IACA,gBAAA;AAAA,IACA,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,eAAA;AAAA,IACA,cAAA;AAAA,IACA;AAAA,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,eAAA;AAAA,IACA,aAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,cAAA;AAAA,IACA;AAAA,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,cAAA;AAAA,IACA;AAAA,GACF;AAAA,EAEA,QAAA,EAAU,CAAC,cAAA,EAAgB,gBAAA,EAAkB,eAAe,eAAe,CAAA;AAAA,EAE3E,KAAA,EAAO,CAAC,YAAA,EAAc,YAAA,EAAc,eAAe;AACrD,CAAA;AAEO,SAAS,gBAAA,CACd,IAAA,EACA,KAAA,GAAgB,aAAA,EACN;AACV,EAAA,MAAM,SAAA,GAAsB,CAAC,IAAI,CAAA;AACjC,EAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAI,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,IAAA,EAAM,CAAC,CAAC,CAAC,CAAA;AAErD,EAAA,MAAM,YAAA,GAAe,CAAC,CAAA,KAAc;AAClC,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,GAAA,CAAI,CAAC,CAAA;AAC9B,IAAA,IAAI,QAAA,IAAY,SAAS,QAAA,EAAU;AACjC,MAAA,KAAA,MAAW,SAAA,IAAa,SAAS,QAAA,EAAU;AACzC,QAAA,IAAI,CAAC,SAAA,CAAU,QAAA,CAAS,SAAS,CAAA,EAAG;AAClC,UAAA,SAAA,CAAU,KAAK,SAAS,CAAA;AACxB,UAAA,YAAA,CAAa,SAAS,CAAA;AAAA,QACxB;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAA;AAEA,EAAA,YAAA,CAAa,IAAI,CAAA;AACjB,EAAA,OAAO,SAAA;AACT;;;AC3PO,SAAS,aAAA,CACd,IAAA,EACA,UAAA,EACA,eAAA,GAA4C,gBAAA,EACnC;AACT,EAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,IAAA,CAAK,MAAM,OAAO,KAAA;AAEhC,EAAA,MAAM,eAAA,GAAkB,kBAAA,CAAmB,IAAA,EAAM,eAAe,CAAA;AAEhE,EAAA,IAAI,eAAA,CAAgB,QAAA,CAAS,GAAG,CAAA,EAAG,OAAO,IAAA;AAC1C,EAAA,IAAI,eAAA,CAAgB,QAAA,CAAS,UAAU,CAAA,EAAG,OAAO,IAAA;AAEjD,EAAA,MAAM,CAAC,QAAA,EAAU,MAAM,CAAA,GAAI,UAAA,CAAW,MAAM,GAAG,CAAA;AAC/C,EAAA,IAAI,gBAAgB,QAAA,CAAS,CAAA,EAAG,QAAQ,CAAA,EAAA,CAAI,GAAG,OAAO,IAAA;AACtD,EAAA,IAAI,gBAAgB,QAAA,CAAS,CAAA,EAAG,QAAQ,CAAA,MAAA,CAAQ,GAAG,OAAO,IAAA;AAE1D,EAAA,OAAO,KAAA;AACT;AAaO,SAAS,UAAA,CAAW,MAAgB,UAAA,EAA+B;AACxE,EAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,IAAA,CAAK,MAAM,OAAO,KAAA;AAEhC,EAAA,MAAM,SAAA,GAAY,gBAAA,CAAiB,IAAA,CAAK,IAAI,CAAA;AAC5C,EAAA,OAAO,WAAW,IAAA,CAAK,CAAC,SAAS,SAAA,CAAU,QAAA,CAAS,IAAI,CAAC,CAAA;AAC3D;AASO,SAAS,kBAAA,CACd,IAAA,EACA,eAAA,GAA4C,gBAAA,EAClC;AACV,EAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,IAAA,CAAK,IAAA,SAAa,EAAC;AAEjC,EAAA,MAAM,SAAA,GAAY,gBAAA,CAAiB,IAAA,CAAK,IAAI,CAAA;AAC5C,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AAEpC,EAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,IAAA,MAAM,SAAA,GAAY,gBAAgB,IAAI,CAAA;AACtC,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AAAA,MACtB;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B;;;ACzDO,IAAM,kBAAA,GAAgC;AAAA,EAC3C,aAAA,EAAe,IAAA;AAAA,EACf,WAAA,EAAa,UAAA;AAAA,EACb,cAAA,EAAgB;AAAA,IACd,KAAA,EAAO;AAAA,MACL,UAAA,EAAY,UAAA;AAAA,MACZ,WAAA,EAAa,CAAC,aAAA,EAAe,OAAA,EAAS,QAAQ;AAAA,KAChD;AAAA,IACA,KAAA,EAAO;AAAA,MACL,UAAA,EAAY,UAAA;AAAA,MACZ,WAAA,EAAa,CAAC,aAAA,EAAe,OAAA,EAAS,QAAQ;AAAA,KAChD;AAAA,IACA,KAAA,EAAO;AAAA,MACL,UAAA,EAAY,YAAA;AAAA,MACZ,WAAA,EAAa,CAAC,aAAA,EAAe,OAAA,EAAS,QAAQ;AAAA,KAChD;AAAA,IACA,MAAA,EAAQ;AAAA,MACN,UAAA,EAAY,YAAA;AAAA,MACZ,WAAA,EAAa,CAAC,aAAA,EAAe,OAAA,EAAS,QAAQ;AAAA,KAChD;AAAA,IACA,SAAA,EAAW,EAAE,UAAA,EAAY,IAAA,EAAM,aAAa,CAAC,aAAA,EAAe,OAAO,CAAA,EAAE;AAAA,IACrE,UAAA,EAAY,EAAE,UAAA,EAAY,IAAA,EAAM,aAAa,CAAC,aAAA,EAAe,OAAO,CAAA;AAAE;AAE1E;AA0BO,SAAS,eAAA,CACd,KAAA,EACA,OAAA,EACA,MAAA,GAAoB,kBAAA,EACjB;AACH,EAAA,IAAI,CAAC,MAAA,CAAO,aAAA,IAAiB,OAAA,CAAQ,YAAA,EAAc;AACjD,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,OAAO;AAAA,IACL,GAAG,KAAA;AAAA,IACH,KAAA,EAAO;AAAA,MACL,GAAG,KAAA,CAAM,KAAA;AAAA,MACT,CAAC,MAAA,CAAO,WAAW,GAAG,OAAA,CAAQ;AAAA;AAChC,GACF;AACF;AAEO,SAAS,kBAAA,CACd,KAAA,EACA,UAAA,EACA,OAAA,EACA,SAAoB,kBAAA,EACC;AACrB,EAAA,MAAM,IAAA,GAAO,MAAA,CAAO,cAAA,CAAe,UAAU,CAAA;AAE7C,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,IACE,IAAA,CAAK,WAAA,IACL,UAAA,CAAW,EAAE,IAAA,EAAM,QAAQ,IAAA,EAAK,EAAe,IAAA,CAAK,WAAW,CAAA,EAC/D;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,IAAI,IAAA,CAAK,UAAA,KAAe,IAAA,IAAQ,OAAA,CAAQ,MAAA,EAAQ;AAC9C,IAAA,OAAO;AAAA,MACL,GAAG,KAAA;AAAA,MACH,KAAA,EAAO;AAAA,QACL,GAAG,KAAA,CAAM,KAAA;AAAA,QACT,IAAI,OAAA,CAAQ;AAAA;AACd,KACF;AAAA,EACF;AAEA,EAAA,IAAI,IAAA,CAAK,UAAA,IAAc,OAAA,CAAQ,MAAA,EAAQ;AACrC,IAAA,OAAO;AAAA,MACL,GAAG,KAAA;AAAA,MACH,KAAA,EAAO;AAAA,QACL,GAAG,KAAA,CAAM,KAAA;AAAA,QACT,CAAC,IAAA,CAAK,UAAU,GAAG,OAAA,CAAQ;AAAA;AAC7B,KACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA;AACT;AAEO,SAAS,QAAA,CACd,KAAA,EACA,UAAA,EACA,OAAA,EACA,SAAoB,kBAAA,EACjB;AACH,EAAA,IAAI,MAAA,GAAS,KAAA;AAEb,EAAA,MAAA,GAAS,eAAA,CAAgB,MAAA,EAAQ,OAAA,EAAS,MAAM,CAAA;AAEhD,EAAA,MAAA,GAAS,kBAAA,CAAmB,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAS,MAAM,CAAA;AAE/D,EAAA,OAAO,MAAA;AACT;AAEO,SAAS,iBAAA,CACd,GAAA,EACA,UAAA,EACA,OAAA,EACA,SAAoB,kBAAA,EACX;AACT,EAAA,IAAI,QAAQ,YAAA,EAAc;AACxB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,OAAO,aAAA,IAAiB,GAAA,CAAI,OAAO,WAAW,CAAA,KAAM,QAAQ,QAAA,EAAU;AACxE,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,MAAM,IAAA,GAAO,MAAA,CAAO,cAAA,CAAe,UAAU,CAAA;AAE7C,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IACE,IAAA,CAAK,WAAA,IACL,UAAA,CAAW,EAAE,IAAA,EAAM,QAAQ,IAAA,EAAK,EAAe,IAAA,CAAK,WAAW,CAAA,EAC/D;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,IAAA,CAAK,eAAe,IAAA,EAAM;AAC5B,IAAA,OAAO,GAAA,CAAI,OAAO,OAAA,CAAQ,MAAA;AAAA,EAC5B;AAEA,EAAA,IAAI,KAAK,UAAA,EAAY;AACnB,IAAA,OAAO,GAAA,CAAI,IAAA,CAAK,UAAU,CAAA,KAAM,OAAA,CAAQ,MAAA;AAAA,EAC1C;AAEA,EAAA,OAAO,IAAA;AACT","file":"chunk-3ZFYL34R.js","sourcesContent":["import type {\n  BaseAdapter,\n  CollectionConfig,\n  GlobalConfig,\n  FindArgs,\n  FindByIDArgs,\n  CreateArgs,\n  UpdateArgs,\n  DeleteArgs,\n  FindResult,\n  DraftFindArgs,\n  DraftUpsertArgs,\n  DraftDeleteArgs,\n  DraftSnapshot,\n  VersionRecord,\n  CreateVersionArgs,\n  FindVersionsArgs,\n} from '../registry/types.js';\nimport type { Field, RelationshipField, UploadField } from '../fields/types.js';\n\n// ============================================================================\n// Abstract Base Adapter\n// ============================================================================\n\nexport abstract class AbstractBaseAdapter implements BaseAdapter {\n  protected collections: Map<string, CollectionConfig> = new Map();\n  protected globals: Map<string, GlobalConfig> = new Map();\n  protected connected = false;\n\n  abstract connect(): Promise<void>;\n  abstract disconnect(): Promise<void>;\n\n  async init(collections: CollectionConfig[], globals: GlobalConfig[] = []): Promise<void> {\n    for (const config of collections) {\n      this.collections.set(config.slug, config);\n    }\n    for (const config of globals) {\n      this.globals.set(config.slug, config);\n    }\n    await this.connect();\n  }\n\n  abstract find<T>(args: FindArgs): Promise<FindResult<T>>;\n  abstract findByID<T>(args: FindByIDArgs): Promise<T | null>;\n  abstract create<T>(args: CreateArgs): Promise<T>;\n  abstract update<T>(args: UpdateArgs): Promise<T>;\n  abstract delete<T>(args: DeleteArgs): Promise<T>;\n  abstract count(args: { collection: string; where?: Record<string, any>; tenantID?: string }): Promise<number>;\n\n  abstract findOne(args: { collection: string; where: Record<string, any>; tenantID?: string; draft?: boolean }): Promise<any>;\n\n  abstract findVersions(args: FindVersionsArgs): Promise<FindResult<VersionRecord>>;\n  abstract findVersionByID(args: { collection: string; versionId: string; tenantID?: string }): Promise<VersionRecord | null>;\n  abstract createVersion<T = Record<string, any>>(args: CreateVersionArgs<T>): Promise<VersionRecord<T>>;\n  abstract deleteVersions(args: { collection: string; documentId: string; keepLatest?: number; tenantID?: string }): Promise<void>;\n  abstract findDraft<T>(args: DraftFindArgs): Promise<DraftSnapshot<T> | null>;\n  abstract upsertDraft<T>(args: DraftUpsertArgs<T>): Promise<DraftSnapshot<T>>;\n  abstract deleteDraft(args: DraftDeleteArgs): Promise<void>;\n\n  async migrate?(): Promise<void>;\n  async rollback?(): Promise<void>;\n  async transaction?<T>(fn: (tx: any) => Promise<T>): Promise<T>;\n\n  // ========================================================================\n  // Utility Methods\n  // ========================================================================\n\n  protected getCollection(slug: string): CollectionConfig {\n    const collection = this.collections.get(slug);\n    if (!collection) {\n      throw new Error(`Collection \"${slug}\" not found in adapter`);\n    }\n    return collection;\n  }\n\n  protected applyTenantFilter(where: Record<string, any> = {}, tenantID?: string): Record<string, any> {\n    if (tenantID) {\n      return {\n        ...where,\n        tenantID: { equals: tenantID },\n      };\n    }\n    return where;\n  }\n\n  protected getTableName(slug: string): string {\n    return slug.replace(/-/g, '_');\n  }\n\n  protected prepareData(data: Record<string, any>, collection: CollectionConfig): Record<string, any> {\n    const prepared: Record<string, any> = { ...data };\n    \n    if (collection.timestamps) {\n      prepared.updatedAt = new Date().toISOString();\n      if (!prepared.createdAt) {\n        prepared.createdAt = new Date().toISOString();\n      }\n    }\n\n    // Handle password hashing\n    if (collection.auth && prepared.password) {\n      // Password should be hashed before this point via hooks\n    }\n\n    return prepared;\n  }\n\n  protected processRelationships(\n    data: Record<string, any>,\n    fields: Field[],\n    depth: number\n  ): Record<string, any> {\n    // This is a base implementation - specific adapters override\n    return data;\n  }\n\n  protected parseSort(sort?: string): { field: string; direction: 'asc' | 'desc' } {\n    if (!sort) return { field: 'createdAt', direction: 'desc' };\n    if (sort.startsWith('-')) {\n      return { field: sort.slice(1), direction: 'desc' };\n    }\n    return { field: sort, direction: 'asc' };\n  }\n\n  protected calculatePagination(page: number, limit: number, totalDocs: number) {\n    const totalPages = Math.ceil(totalDocs / limit);\n    return {\n      totalDocs,\n      limit,\n      totalPages,\n      page,\n      pagingCounter: (page - 1) * limit + 1,\n      hasPrevPage: page > 1,\n      hasNextPage: page < totalPages,\n      prevPage: page > 1 ? page - 1 : null,\n      nextPage: page < totalPages ? page + 1 : null,\n    };\n  }\n\n  protected selectFields(data: Record<string, any>, select?: string[]): Record<string, any> {\n    if (!select || select.length === 0) return data;\n    const result: Record<string, any> = {};\n    for (const field of select) {\n      if (field in data) {\n        result[field] = data[field];\n      }\n    }\n    result['id'] = data.id;\n    return result;\n  }\n\n  protected isRelationshipField(field: Field): field is RelationshipField {\n    return field.type === 'relationship';\n  }\n\n  protected isUploadField(field: Field): field is UploadField {\n    return field.type === 'upload';\n  }\n\n  protected getRelationshipFields(fields: Field[]): RelationshipField[] {\n    const result: RelationshipField[] = [];\n    for (const field of fields) {\n      if (field.type === 'relationship') {\n        result.push(field);\n      } else if ('fields' in field && field.fields) {\n        result.push(...this.getRelationshipFields(field.fields));\n      }\n    }\n    return result;\n  }\n\n  protected getUploadFields(fields: Field[]): UploadField[] {\n    const result: UploadField[] = [];\n    for (const field of fields) {\n      if (field.type === 'upload') {\n        result.push(field);\n      } else if ('fields' in field && field.fields) {\n        result.push(...this.getUploadFields(field.fields));\n      }\n    }\n    return result;\n  }\n}\n","export interface Role {\n  name: string;\n  level: number;\n  inherits: string[];\n  description: string;\n  createdAt?: string;\n  updatedAt?: string;\n}\n\nexport interface Permission {\n  resource: string;\n  action: \"create\" | \"read\" | \"update\" | \"delete\" | \"admin\";\n  conditions?: Condition[];\n}\n\nexport interface Condition {\n  field: string;\n  operator:\n    | \"eq\"\n    | \"neq\"\n    | \"in\"\n    | \"nin\"\n    | \"gt\"\n    | \"lt\"\n    | \"gte\"\n    | \"lte\"\n    | \"contains\";\n  value: any;\n}\n\nexport interface RolePermission {\n  role: string;\n  permissions: Permission[];\n}\n\nexport const DEFAULT_ROLES: Role[] = [\n  {\n    name: \"super_admin\",\n    level: 100,\n    inherits: [],\n    description: \"Full system access across all tenants\",\n  },\n  {\n    name: \"admin\",\n    level: 90,\n    inherits: [\"editor\"],\n    description: \"Full tenant access with all content permissions\",\n  },\n  {\n    name: \"editor\",\n    level: 70,\n    inherits: [\"author\"],\n    description: \"Edit and publish all content\",\n  },\n  {\n    name: \"author\",\n    level: 50,\n    inherits: [\"customer\"],\n    description: \"Create and edit own content\",\n  },\n  {\n    name: \"customer\",\n    level: 30,\n    inherits: [],\n    description: \"Access own data and make purchases\",\n  },\n  {\n    name: \"guest\",\n    level: 10,\n    inherits: [],\n    description: \"Public read-only access\",\n  },\n];\n\nexport const DEFAULT_PERMISSIONS: Permission[] = [\n  { resource: \"users\", action: \"admin\" },\n  { resource: \"users\", action: \"read\" },\n  { resource: \"users\", action: \"create\" },\n  { resource: \"users\", action: \"update\" },\n  { resource: \"users\", action: \"delete\" },\n\n  { resource: \"audit_logs\", action: \"admin\" },\n  { resource: \"audit_logs\", action: \"read\" },\n\n  { resource: \"posts\", action: \"admin\" },\n  { resource: \"posts\", action: \"read\" },\n  { resource: \"posts\", action: \"create\" },\n  { resource: \"posts\", action: \"update\" },\n  { resource: \"posts\", action: \"delete\" },\n\n  { resource: \"pages\", action: \"admin\" },\n  { resource: \"pages\", action: \"read\" },\n  { resource: \"pages\", action: \"create\" },\n  { resource: \"pages\", action: \"update\" },\n  { resource: \"pages\", action: \"delete\" },\n\n  { resource: \"media\", action: \"admin\" },\n  { resource: \"media\", action: \"read\" },\n  { resource: \"media\", action: \"create\" },\n  { resource: \"media\", action: \"update\" },\n  { resource: \"media\", action: \"delete\" },\n\n  { resource: \"categories\", action: \"admin\" },\n  { resource: \"categories\", action: \"read\" },\n  { resource: \"categories\", action: \"create\" },\n  { resource: \"categories\", action: \"update\" },\n  { resource: \"categories\", action: \"delete\" },\n\n  { resource: \"products\", action: \"admin\" },\n  { resource: \"products\", action: \"read\" },\n  { resource: \"products\", action: \"create\" },\n  { resource: \"products\", action: \"update\" },\n  { resource: \"products\", action: \"delete\" },\n\n  { resource: \"orders\", action: \"admin\" },\n  { resource: \"orders\", action: \"read\" },\n  { resource: \"orders\", action: \"create\" },\n  { resource: \"orders\", action: \"update\" },\n  { resource: \"orders\", action: \"delete\" },\n\n  { resource: \"customers\", action: \"admin\" },\n  { resource: \"customers\", action: \"read\" },\n  { resource: \"customers\", action: \"create\" },\n  { resource: \"customers\", action: \"update\" },\n  { resource: \"customers\", action: \"delete\" },\n\n  { resource: \"coupons\", action: \"admin\" },\n  { resource: \"coupons\", action: \"read\" },\n  { resource: \"coupons\", action: \"create\" },\n  { resource: \"coupons\", action: \"update\" },\n  { resource: \"coupons\", action: \"delete\" },\n\n  { resource: \"menu\", action: \"admin\" },\n  { resource: \"menu\", action: \"read\" },\n  { resource: \"menu\", action: \"create\" },\n  { resource: \"menu\", action: \"update\" },\n  { resource: \"menu\", action: \"delete\" },\n\n  { resource: \"settings\", action: \"admin\" },\n  { resource: \"settings\", action: \"read\" },\n  { resource: \"settings\", action: \"update\" },\n\n  { resource: \"profile\", action: \"admin\" },\n  { resource: \"profile\", action: \"read\" },\n  { resource: \"profile\", action: \"update\" },\n];\n\nexport const ROLE_PERMISSIONS: Record<string, string[]> = {\n  super_admin: [\"*\"],\n\n  admin: [\n    \"users:admin\",\n    \"users:read\",\n    \"users:update\",\n    \"audit_logs:read\",\n    \"posts:admin\",\n    \"posts:read\",\n    \"posts:create\",\n    \"posts:update\",\n    \"posts:delete\",\n    \"pages:admin\",\n    \"pages:read\",\n    \"pages:create\",\n    \"pages:update\",\n    \"pages:delete\",\n    \"media:admin\",\n    \"media:read\",\n    \"media:create\",\n    \"media:update\",\n    \"media:delete\",\n    \"categories:admin\",\n    \"categories:read\",\n    \"categories:create\",\n    \"categories:update\",\n    \"categories:delete\",\n    \"products:admin\",\n    \"products:read\",\n    \"products:create\",\n    \"products:update\",\n    \"products:delete\",\n    \"orders:admin\",\n    \"orders:read\",\n    \"orders:update\",\n    \"customers:admin\",\n    \"customers:read\",\n    \"customers:update\",\n    \"coupons:admin\",\n    \"coupons:read\",\n    \"coupons:create\",\n    \"coupons:update\",\n    \"coupons:delete\",\n    \"navigation:admin\",\n    \"navigation:read\",\n    \"navigation:create\",\n    \"navigation:update\",\n    \"navigation:delete\",\n    \"settings:admin\",\n    \"settings:read\",\n    \"settings:update\",\n    \"profile:admin\",\n    \"profile:read\",\n    \"profile:update\",\n  ],\n\n  editor: [\n    \"posts:admin\",\n    \"posts:read\",\n    \"posts:create\",\n    \"posts:update\",\n    \"posts:delete\",\n    \"pages:admin\",\n    \"pages:read\",\n    \"pages:create\",\n    \"pages:update\",\n    \"pages:delete\",\n    \"media:read\",\n    \"media:create\",\n    \"media:update\",\n    \"categories:read\",\n    \"categories:create\",\n    \"categories:update\",\n    \"products:read\",\n    \"orders:read\",\n    \"orders:update\",\n    \"navigation:read\",\n    \"navigation:create\",\n    \"navigation:update\",\n    \"profile:read\",\n    \"profile:update\",\n  ],\n\n  author: [\n    \"posts:read\",\n    \"posts:create\",\n    \"posts:update\",\n    \"media:read\",\n    \"media:create\",\n    \"categories:read\",\n    \"profile:read\",\n    \"profile:update\",\n  ],\n\n  customer: [\"profile:read\", \"profile:update\", \"orders:read\", \"orders:create\"],\n\n  guest: [\"posts:read\", \"pages:read\", \"products:read\"],\n};\n\nexport function getRoleHierarchy(\n  role: string,\n  roles: Role[] = DEFAULT_ROLES,\n): string[] {\n  const hierarchy: string[] = [role];\n  const roleMap = new Map(roles.map((r) => [r.name, r]));\n\n  const addInherited = (r: string) => {\n    const roleData = roleMap.get(r);\n    if (roleData && roleData.inherits) {\n      for (const inherited of roleData.inherits) {\n        if (!hierarchy.includes(inherited)) {\n          hierarchy.push(inherited);\n          addInherited(inherited);\n        }\n      }\n    }\n  };\n\n  addInherited(role);\n  return hierarchy;\n}\n\nexport function getRoleLevel(\n  role: string,\n  roles: Role[] = DEFAULT_ROLES,\n): number {\n  const roleMap = new Map(roles.map((r) => [r.name, r]));\n  const roleData = roleMap.get(role);\n  return roleData?.level ?? 0;\n}\n\nexport function isRoleHigherOrEqual(\n  role1: string,\n  role2: string,\n  roles: Role[] = DEFAULT_ROLES,\n): boolean {\n  return getRoleLevel(role1, roles) >= getRoleLevel(role2, roles);\n}\n\nexport function canInheritRole(\n  role: string,\n  targetRole: string,\n  roles: Role[] = DEFAULT_ROLES,\n): boolean {\n  const hierarchy = getRoleHierarchy(role, roles);\n  return hierarchy.includes(targetRole);\n}\n","import type { AuthUser } from \"../types.js\";\nimport {\n  ROLE_PERMISSIONS,\n  getRoleHierarchy,\n  type Permission,\n  type Condition,\n} from \"./roles.js\";\n\nexport interface PermissionContext {\n  user: AuthUser;\n  resource?: string;\n  action?: string;\n  doc?: Record<string, any>;\n  data?: Record<string, any>;\n  tenantId?: string;\n}\n\nexport function hasPermission(\n  user: AuthUser,\n  permission: string,\n  rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS,\n): boolean {\n  if (!user || !user.role) return false;\n\n  const userPermissions = getUserPermissions(user, rolePermissions);\n\n  if (userPermissions.includes(\"*\")) return true;\n  if (userPermissions.includes(permission)) return true;\n\n  const [resource, action] = permission.split(\":\");\n  if (userPermissions.includes(`${resource}:*`)) return true;\n  if (userPermissions.includes(`${resource}:admin`)) return true;\n\n  return false;\n}\n\nexport function hasRole(\n  user: AuthUser,\n  role: string,\n  roles: string[] = [],\n): boolean {\n  if (!user || !user.role) return false;\n\n  const hierarchy = getRoleHierarchy(user.role);\n  return hierarchy.includes(role);\n}\n\nexport function hasAnyRole(user: AuthUser, checkRoles: string[]): boolean {\n  if (!user || !user.role) return false;\n\n  const hierarchy = getRoleHierarchy(user.role);\n  return checkRoles.some((role) => hierarchy.includes(role));\n}\n\nexport function hasAllRoles(user: AuthUser, checkRoles: string[]): boolean {\n  if (!user || !user.role) return false;\n\n  const hierarchy = getRoleHierarchy(user.role);\n  return checkRoles.every((role) => hierarchy.includes(role));\n}\n\nexport function getUserPermissions(\n  user: AuthUser,\n  rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS,\n): string[] {\n  if (!user || !user.role) return [];\n\n  const hierarchy = getRoleHierarchy(user.role);\n  const permissions = new Set<string>();\n\n  for (const role of hierarchy) {\n    const rolePerms = rolePermissions[role];\n    if (rolePerms) {\n      for (const perm of rolePerms) {\n        permissions.add(perm);\n      }\n    }\n  }\n\n  return Array.from(permissions);\n}\n\nexport function getEffectivePermissions(\n  user: AuthUser,\n  rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS,\n): string[] {\n  return getUserPermissions(user, rolePermissions);\n}\n\nexport function canAccessResource(\n  user: AuthUser,\n  resource: string,\n  action: string,\n  rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS,\n): boolean {\n  return hasPermission(user, `${resource}:${action}`, rolePermissions);\n}\n\nexport function filterPermissions(\n  permissions: string[],\n  resource?: string,\n): string[] {\n  if (!resource) return permissions;\n\n  return permissions.filter((perm) => {\n    const [permResource] = perm.split(\":\");\n    return permResource === resource || permResource === \"*\";\n  });\n}\n\nexport function parsePermission(permission: string): {\n  resource: string;\n  action: string;\n  condition?: Condition;\n} {\n  const [resource, action, ...rest] = permission.split(\":\");\n  return {\n    resource,\n    action,\n    condition: rest.length > 0 ? JSON.parse(rest.join(\":\")) : undefined,\n  };\n}\n\nexport function buildPermission(\n  resource: string,\n  action: string,\n  condition?: Condition,\n): string {\n  if (condition) {\n    return `${resource}:${action}:${JSON.stringify(condition)}`;\n  }\n  return `${resource}:${action}`;\n}\n\nexport function evaluateCondition(\n  condition: Condition,\n  context: Record<string, any>,\n): boolean {\n  const { field, operator, value } = condition;\n  const fieldValue = context[field];\n\n  if (fieldValue === undefined) return false;\n\n  switch (operator) {\n    case \"eq\":\n      return fieldValue === value;\n    case \"neq\":\n      return fieldValue !== value;\n    case \"in\":\n      return Array.isArray(value) && value.includes(fieldValue);\n    case \"nin\":\n      return Array.isArray(value) && !value.includes(fieldValue);\n    case \"gt\":\n      return fieldValue > value;\n    case \"lt\":\n      return fieldValue < value;\n    case \"gte\":\n      return fieldValue >= value;\n    case \"lte\":\n      return fieldValue <= value;\n    case \"contains\":\n      if (typeof fieldValue === \"string\") {\n        return fieldValue.includes(value);\n      }\n      if (Array.isArray(fieldValue)) {\n        return fieldValue.includes(value);\n      }\n      return false;\n    default:\n      return false;\n  }\n}\n\nexport function evaluateConditions(\n  conditions: Condition[],\n  context: Record<string, any>,\n): boolean {\n  if (!conditions || conditions.length === 0) return true;\n\n  return conditions.every((condition) => evaluateCondition(condition, context));\n}\n\nexport function resolveConditionValue(\n  value: any,\n  context: Record<string, any>,\n): any {\n  if (typeof value !== \"string\") return value;\n\n  if (value.startsWith(\"${\") && value.endsWith(\"}\")) {\n    const path = value.slice(2, -1);\n    const keys = path.split(\".\");\n    let resolved = context;\n\n    for (const key of keys) {\n      if (resolved === undefined || resolved === null) return undefined;\n      resolved = resolved[key];\n    }\n\n    return resolved;\n  }\n\n  return value;\n}\n\nexport function evaluateConditionWithContext(\n  condition: Condition,\n  context: Record<string, any>,\n): boolean {\n  const resolvedCondition = {\n    ...condition,\n    value: resolveConditionValue(condition.value, context),\n  };\n\n  return evaluateCondition(resolvedCondition, context);\n}\n\nexport class PermissionChecker {\n  private rolePermissions: Record<string, string[]>;\n\n  constructor(rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS) {\n    this.rolePermissions = rolePermissions;\n  }\n\n  check(user: AuthUser, permission: string): boolean {\n    return hasPermission(user, permission, this.rolePermissions);\n  }\n\n  checkRole(user: AuthUser, role: string): boolean {\n    return hasRole(user, role);\n  }\n\n  checkAnyRole(user: AuthUser, roles: string[]): boolean {\n    return hasAnyRole(user, roles);\n  }\n\n  checkAllRoles(user: AuthUser, roles: string[]): boolean {\n    return hasAllRoles(user, roles);\n  }\n\n  getPermissions(user: AuthUser): string[] {\n    return getUserPermissions(user, this.rolePermissions);\n  }\n\n  canAccess(user: AuthUser, resource: string, action: string): boolean {\n    return canAccessResource(user, resource, action, this.rolePermissions);\n  }\n\n  filterByResource(permissions: string[], resource: string): string[] {\n    return filterPermissions(permissions, resource);\n  }\n}\n","import type { AuthUser } from \"../types.js\";\nimport { hasAnyRole } from \"../rbac/checker.js\";\n\nexport interface TenantContext {\n  tenantId: string;\n  userId: string;\n  role: string;\n  roles: string[];\n  permissions: string[];\n  isSuperAdmin: boolean;\n}\n\nexport interface OwnershipRule {\n  ownerField: string;\n  bypassRoles?: string[];\n}\n\nexport interface RLSConfig {\n  tenantEnabled: boolean;\n  tenantField: string;\n  ownershipRules: Record<string, OwnershipRule>;\n}\n\nexport const DEFAULT_RLS_CONFIG: RLSConfig = {\n  tenantEnabled: true,\n  tenantField: \"tenantId\",\n  ownershipRules: {\n    posts: {\n      ownerField: \"authorId\",\n      bypassRoles: [\"super_admin\", \"admin\", \"editor\"],\n    },\n    pages: {\n      ownerField: \"authorId\",\n      bypassRoles: [\"super_admin\", \"admin\", \"editor\"],\n    },\n    media: {\n      ownerField: \"uploadedBy\",\n      bypassRoles: [\"super_admin\", \"admin\", \"editor\"],\n    },\n    orders: {\n      ownerField: \"customerId\",\n      bypassRoles: [\"super_admin\", \"admin\", \"editor\"],\n    },\n    customers: { ownerField: \"id\", bypassRoles: [\"super_admin\", \"admin\"] },\n    navigation: { ownerField: \"id\", bypassRoles: [\"super_admin\", \"admin\"] },\n  },\n};\n\nexport function createTenantContext(user: AuthUser | undefined): TenantContext {\n  if (!user) {\n    return {\n      tenantId: \"public\",\n      userId: \"anonymous\",\n      role: \"guest\",\n      roles: [\"guest\"],\n      permissions: [],\n      isSuperAdmin: false,\n    };\n  }\n\n  const isSuperAdmin = user.role === \"super_admin\";\n\n  return {\n    tenantId: user.tenantId || \"default\",\n    userId: user.id,\n    role: user.role,\n    roles: [user.role],\n    permissions: [],\n    isSuperAdmin,\n  };\n}\n\nexport function addTenantFilter<T extends Record<string, any>>(\n  query: T,\n  context: TenantContext,\n  config: RLSConfig = DEFAULT_RLS_CONFIG,\n): T {\n  if (!config.tenantEnabled || context.isSuperAdmin) {\n    return query;\n  }\n\n  return {\n    ...query,\n    where: {\n      ...query.where,\n      [config.tenantField]: context.tenantId,\n    },\n  };\n}\n\nexport function applyOwnershipRule(\n  query: Record<string, any>,\n  collection: string,\n  context: TenantContext,\n  config: RLSConfig = DEFAULT_RLS_CONFIG,\n): Record<string, any> {\n  const rule = config.ownershipRules[collection];\n\n  if (!rule) {\n    return query;\n  }\n\n  if (\n    rule.bypassRoles &&\n    hasAnyRole({ role: context.role } as AuthUser, rule.bypassRoles)\n  ) {\n    return query;\n  }\n\n  if (rule.ownerField === \"id\" && context.userId) {\n    return {\n      ...query,\n      where: {\n        ...query.where,\n        id: context.userId,\n      },\n    };\n  }\n\n  if (rule.ownerField && context.userId) {\n    return {\n      ...query,\n      where: {\n        ...query.where,\n        [rule.ownerField]: context.userId,\n      },\n    };\n  }\n\n  return query;\n}\n\nexport function applyRLS<T extends Record<string, any>>(\n  query: T,\n  collection: string,\n  context: TenantContext,\n  config: RLSConfig = DEFAULT_RLS_CONFIG,\n): T {\n  let result = query;\n\n  result = addTenantFilter(result, context, config) as T;\n\n  result = applyOwnershipRule(result, collection, context, config) as T;\n\n  return result;\n}\n\nexport function canAccessDocument(\n  doc: Record<string, any>,\n  collection: string,\n  context: TenantContext,\n  config: RLSConfig = DEFAULT_RLS_CONFIG,\n): boolean {\n  if (context.isSuperAdmin) {\n    return true;\n  }\n\n  if (config.tenantEnabled && doc[config.tenantField] !== context.tenantId) {\n    return false;\n  }\n\n  const rule = config.ownershipRules[collection];\n\n  if (!rule) {\n    return true;\n  }\n\n  if (\n    rule.bypassRoles &&\n    hasAnyRole({ role: context.role } as AuthUser, rule.bypassRoles)\n  ) {\n    return true;\n  }\n\n  if (rule.ownerField === \"id\") {\n    return doc.id === context.userId;\n  }\n\n  if (rule.ownerField) {\n    return doc[rule.ownerField] === context.userId;\n  }\n\n  return true;\n}\n\nexport function filterDocumentsByRLS(\n  docs: Record<string, any>[],\n  collection: string,\n  context: TenantContext,\n  config: RLSConfig = DEFAULT_RLS_CONFIG,\n): Record<string, any>[] {\n  if (context.isSuperAdmin) {\n    return docs;\n  }\n\n  return docs.filter((doc) =>\n    canAccessDocument(doc, collection, context, config),\n  );\n}\n\nexport function sanitizeDocumentByRLS(\n  doc: Record<string, any>,\n  collection: string,\n  context: TenantContext,\n  config: RLSConfig = DEFAULT_RLS_CONFIG,\n): Record<string, any> | null {\n  if (!canAccessDocument(doc, collection, context, config)) {\n    return null;\n  }\n\n  if (config.tenantEnabled && !context.isSuperAdmin) {\n    const { [config.tenantField]: _, ...rest } = doc;\n    return rest;\n  }\n\n  return doc;\n}\n\nexport class RLSPolicy {\n  private config: RLSConfig;\n\n  constructor(config: RLSConfig = DEFAULT_RLS_CONFIG) {\n    this.config = config;\n  }\n\n  setConfig(config: RLSConfig): void {\n    this.config = config;\n  }\n\n  getConfig(): RLSConfig {\n    return this.config;\n  }\n\n  addOwnershipRule(collection: string, rule: OwnershipRule): void {\n    this.config.ownershipRules[collection] = rule;\n  }\n\n  removeOwnershipRule(collection: string): void {\n    delete this.config.ownershipRules[collection];\n  }\n\n  createContext(user: AuthUser | undefined): TenantContext {\n    return createTenantContext(user);\n  }\n\n  apply<T extends Record<string, any>>(\n    query: T,\n    collection: string,\n    context: TenantContext,\n  ): T {\n    return applyRLS(query, collection, context, this.config);\n  }\n\n  canAccess(\n    doc: Record<string, any>,\n    collection: string,\n    context: TenantContext,\n  ): boolean {\n    return canAccessDocument(doc, collection, context, this.config);\n  }\n\n  filter(\n    docs: Record<string, any>[],\n    collection: string,\n    context: TenantContext,\n  ): Record<string, any>[] {\n    return filterDocumentsByRLS(docs, collection, context, this.config);\n  }\n\n  sanitize(\n    doc: Record<string, any>,\n    collection: string,\n    context: TenantContext,\n  ): Record<string, any> | null {\n    return sanitizeDocumentByRLS(doc, collection, context, this.config);\n  }\n}\n"]}