@kyro-cms/core 0.9.0 → 0.9.2

package/dist/chunk-NKPKR5BW.cjs

@@ -0,0 +1,188 @@
+'use strict';
+
+// src/auth/rbac/roles.ts
+var DEFAULT_ROLES = [
+  {
+    name: "super_admin",
+    level: 100,
+    inherits: [],
+    description: "Full system access across all tenants"
+  },
+  {
+    name: "admin",
+    level: 90,
+    inherits: ["editor"],
+    description: "Full tenant access with all content permissions"
+  },
+  {
+    name: "editor",
+    level: 70,
+    inherits: ["author"],
+    description: "Edit and publish all content"
+  },
+  {
+    name: "author",
+    level: 50,
+    inherits: ["customer"],
+    description: "Create and edit own content"
+  },
+  {
+    name: "customer",
+    level: 30,
+    inherits: [],
+    description: "Access own data and make purchases"
+  },
+  {
+    name: "guest",
+    level: 10,
+    inherits: [],
+    description: "Public read-only access"
+  }
+];
+var ROLE_PERMISSIONS = {
+  super_admin: ["*"],
+  admin: [
+    "users:admin",
+    "users:read",
+    "users:update",
+    "audit_logs:read",
+    "posts:admin",
+    "posts:read",
+    "posts:create",
+    "posts:update",
+    "posts:delete",
+    "pages:admin",
+    "pages:read",
+    "pages:create",
+    "pages:update",
+    "pages:delete",
+    "media:admin",
+    "media:read",
+    "media:create",
+    "media:update",
+    "media:delete",
+    "categories:admin",
+    "categories:read",
+    "categories:create",
+    "categories:update",
+    "categories:delete",
+    "products:admin",
+    "products:read",
+    "products:create",
+    "products:update",
+    "products:delete",
+    "orders:admin",
+    "orders:read",
+    "orders:update",
+    "customers:admin",
+    "customers:read",
+    "customers:update",
+    "coupons:admin",
+    "coupons:read",
+    "coupons:create",
+    "coupons:update",
+    "coupons:delete",
+    "navigation:admin",
+    "navigation:read",
+    "navigation:create",
+    "navigation:update",
+    "navigation:delete",
+    "settings:admin",
+    "settings:read",
+    "settings:update",
+    "profile:admin",
+    "profile:read",
+    "profile:update"
+  ],
+  editor: [
+    "posts:admin",
+    "posts:read",
+    "posts:create",
+    "posts:update",
+    "posts:delete",
+    "pages:admin",
+    "pages:read",
+    "pages:create",
+    "pages:update",
+    "pages:delete",
+    "media:read",
+    "media:create",
+    "media:update",
+    "categories:read",
+    "categories:create",
+    "categories:update",
+    "products:read",
+    "orders:read",
+    "orders:update",
+    "navigation:read",
+    "navigation:create",
+    "navigation:update",
+    "profile:read",
+    "profile:update"
+  ],
+  author: [
+    "posts:read",
+    "posts:create",
+    "posts:update",
+    "media:read",
+    "media:create",
+    "categories:read",
+    "profile:read",
+    "profile:update"
+  ],
+  customer: ["profile:read", "profile:update", "orders:read", "orders:create"],
+  guest: ["posts:read", "pages:read", "products:read"]
+};
+function getRoleHierarchy(role, roles = DEFAULT_ROLES) {
+  const hierarchy = [role];
+  const roleMap = new Map(roles.map((r) => [r.name, r]));
+  const addInherited = (r) => {
+    const roleData = roleMap.get(r);
+    if (roleData && roleData.inherits) {
+      for (const inherited of roleData.inherits) {
+        if (!hierarchy.includes(inherited)) {
+          hierarchy.push(inherited);
+          addInherited(inherited);
+        }
+      }
+    }
+  };
+  addInherited(role);
+  return hierarchy;
+}
+
+// src/auth/rbac/checker.ts
+function hasPermission(user, permission, rolePermissions = ROLE_PERMISSIONS) {
+  if (!user || !user.role) return false;
+  const userPermissions = getUserPermissions(user, rolePermissions);
+  if (userPermissions.includes("*")) return true;
+  if (userPermissions.includes(permission)) return true;
+  const [resource, action] = permission.split(":");
+  if (userPermissions.includes(`${resource}:*`)) return true;
+  if (userPermissions.includes(`${resource}:admin`)) return true;
+  return false;
+}
+function hasAnyRole(user, checkRoles) {
+  if (!user || !user.role) return false;
+  const hierarchy = getRoleHierarchy(user.role);
+  return checkRoles.some((role) => hierarchy.includes(role));
+}
+function getUserPermissions(user, rolePermissions = ROLE_PERMISSIONS) {
+  if (!user || !user.role) return [];
+  const hierarchy = getRoleHierarchy(user.role);
+  const permissions = /* @__PURE__ */ new Set();
+  for (const role of hierarchy) {
+    const rolePerms = rolePermissions[role];
+    if (rolePerms) {
+      for (const perm of rolePerms) {
+        permissions.add(perm);
+      }
+    }
+  }
+  return Array.from(permissions);
+}
+
+exports.hasAnyRole = hasAnyRole;
+exports.hasPermission = hasPermission;
+//# sourceMappingURL=chunk-NKPKR5BW.cjs.map
+//# sourceMappingURL=chunk-NKPKR5BW.cjs.map

package/dist/chunk-NKPKR5BW.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth/rbac/roles.ts","../src/auth/rbac/checker.ts"],"names":[],"mappings":";;;AAmCO,IAAM,aAAA,GAAwB;AAAA,EACnC;AAAA,IACE,IAAA,EAAM,aAAA;AAAA,IACN,KAAA,EAAO,GAAA;AAAA,IACP,UAAU,EAAC;AAAA,IACX,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,OAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,QAAA,EAAU,CAAC,QAAQ,CAAA;AAAA,IACnB,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,QAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,QAAA,EAAU,CAAC,QAAQ,CAAA;AAAA,IACnB,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,QAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,QAAA,EAAU,CAAC,UAAU,CAAA;AAAA,IACrB,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,UAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,UAAU,EAAC;AAAA,IACX,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,IAAA,EAAM,OAAA;AAAA,IACN,KAAA,EAAO,EAAA;AAAA,IACP,UAAU,EAAC;AAAA,IACX,WAAA,EAAa;AAAA;AAEjB,CAAA;AA2EO,IAAM,gBAAA,GAA6C;AAAA,EACxD,WAAA,EAAa,CAAC,GAAG,CAAA;AAAA,EAEjB,KAAA,EAAO;AAAA,IACL,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,kBAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,iBAAA;AAAA,IACA,iBAAA;AAAA,IACA,cAAA;AAAA,IACA,aAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA,eAAA;AAAA,IACA,cAAA;AAAA,IACA,gBAAA;AAAA,IACA,gBAAA;AAAA,IACA,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,eAAA;AAAA,IACA,cAAA;AAAA,IACA;AAAA,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,aAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,eAAA;AAAA,IACA,aAAA;AAAA,IACA,eAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA,mBAAA;AAAA,IACA,cAAA;AAAA,IACA;AAAA,GACF;AAAA,EAEA,MAAA,EAAQ;AAAA,IACN,YAAA;AAAA,IACA,cAAA;AAAA,IACA,cAAA;AAAA,IACA,YAAA;AAAA,IACA,cAAA;AAAA,IACA,iBAAA;AAAA,IACA,cAAA;AAAA,IACA;AAAA,GACF;AAAA,EAEA,QAAA,EAAU,CAAC,cAAA,EAAgB,gBAAA,EAAkB,eAAe,eAAe,CAAA;AAAA,EAE3E,KAAA,EAAO,CAAC,YAAA,EAAc,YAAA,EAAc,eAAe;AACrD,CAAA;AAEO,SAAS,gBAAA,CACd,IAAA,EACA,KAAA,GAAgB,aAAA,EACN;AACV,EAAA,MAAM,SAAA,GAAsB,CAAC,IAAI,CAAA;AACjC,EAAA,MAAM,OAAA,GAAU,IAAI,GAAA,CAAI,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,IAAA,EAAM,CAAC,CAAC,CAAC,CAAA;AAErD,EAAA,MAAM,YAAA,GAAe,CAAC,CAAA,KAAc;AAClC,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,GAAA,CAAI,CAAC,CAAA;AAC9B,IAAA,IAAI,QAAA,IAAY,SAAS,QAAA,EAAU;AACjC,MAAA,KAAA,MAAW,SAAA,IAAa,SAAS,QAAA,EAAU;AACzC,QAAA,IAAI,CAAC,SAAA,CAAU,QAAA,CAAS,SAAS,CAAA,EAAG;AAClC,UAAA,SAAA,CAAU,KAAK,SAAS,CAAA;AACxB,UAAA,YAAA,CAAa,SAAS,CAAA;AAAA,QACxB;AAAA,MACF;AAAA,IACF;AAAA,EACF,CAAA;AAEA,EAAA,YAAA,CAAa,IAAI,CAAA;AACjB,EAAA,OAAO,SAAA;AACT;;;AC3PO,SAAS,aAAA,CACd,IAAA,EACA,UAAA,EACA,eAAA,GAA4C,gBAAA,EACnC;AACT,EAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,IAAA,CAAK,MAAM,OAAO,KAAA;AAEhC,EAAA,MAAM,eAAA,GAAkB,kBAAA,CAAmB,IAAA,EAAM,eAAe,CAAA;AAEhE,EAAA,IAAI,eAAA,CAAgB,QAAA,CAAS,GAAG,CAAA,EAAG,OAAO,IAAA;AAC1C,EAAA,IAAI,eAAA,CAAgB,QAAA,CAAS,UAAU,CAAA,EAAG,OAAO,IAAA;AAEjD,EAAA,MAAM,CAAC,QAAA,EAAU,MAAM,CAAA,GAAI,UAAA,CAAW,MAAM,GAAG,CAAA;AAC/C,EAAA,IAAI,gBAAgB,QAAA,CAAS,CAAA,EAAG,QAAQ,CAAA,EAAA,CAAI,GAAG,OAAO,IAAA;AACtD,EAAA,IAAI,gBAAgB,QAAA,CAAS,CAAA,EAAG,QAAQ,CAAA,MAAA,CAAQ,GAAG,OAAO,IAAA;AAE1D,EAAA,OAAO,KAAA;AACT;AAaO,SAAS,UAAA,CAAW,MAAgB,UAAA,EAA+B;AACxE,EAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,IAAA,CAAK,MAAM,OAAO,KAAA;AAEhC,EAAA,MAAM,SAAA,GAAY,gBAAA,CAAiB,IAAA,CAAK,IAAI,CAAA;AAC5C,EAAA,OAAO,WAAW,IAAA,CAAK,CAAC,SAAS,SAAA,CAAU,QAAA,CAAS,IAAI,CAAC,CAAA;AAC3D;AASO,SAAS,kBAAA,CACd,IAAA,EACA,eAAA,GAA4C,gBAAA,EAClC;AACV,EAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,IAAA,CAAK,IAAA,SAAa,EAAC;AAEjC,EAAA,MAAM,SAAA,GAAY,gBAAA,CAAiB,IAAA,CAAK,IAAI,CAAA;AAC5C,EAAA,MAAM,WAAA,uBAAkB,GAAA,EAAY;AAEpC,EAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,IAAA,MAAM,SAAA,GAAY,gBAAgB,IAAI,CAAA;AACtC,IAAA,IAAI,SAAA,EAAW;AACb,MAAA,KAAA,MAAW,QAAQ,SAAA,EAAW;AAC5B,QAAA,WAAA,CAAY,IAAI,IAAI,CAAA;AAAA,MACtB;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,KAAA,CAAM,KAAK,WAAW,CAAA;AAC/B","file":"chunk-NKPKR5BW.cjs","sourcesContent":["export interface Role {\n  name: string;\n  level: number;\n  inherits: string[];\n  description: string;\n  createdAt?: string;\n  updatedAt?: string;\n}\n\nexport interface Permission {\n  resource: string;\n  action: \"create\" | \"read\" | \"update\" | \"delete\" | \"admin\";\n  conditions?: Condition[];\n}\n\nexport interface Condition {\n  field: string;\n  operator:\n    | \"eq\"\n    | \"neq\"\n    | \"in\"\n    | \"nin\"\n    | \"gt\"\n    | \"lt\"\n    | \"gte\"\n    | \"lte\"\n    | \"contains\";\n  value: any;\n}\n\nexport interface RolePermission {\n  role: string;\n  permissions: Permission[];\n}\n\nexport const DEFAULT_ROLES: Role[] = [\n  {\n    name: \"super_admin\",\n    level: 100,\n    inherits: [],\n    description: \"Full system access across all tenants\",\n  },\n  {\n    name: \"admin\",\n    level: 90,\n    inherits: [\"editor\"],\n    description: \"Full tenant access with all content permissions\",\n  },\n  {\n    name: \"editor\",\n    level: 70,\n    inherits: [\"author\"],\n    description: \"Edit and publish all content\",\n  },\n  {\n    name: \"author\",\n    level: 50,\n    inherits: [\"customer\"],\n    description: \"Create and edit own content\",\n  },\n  {\n    name: \"customer\",\n    level: 30,\n    inherits: [],\n    description: \"Access own data and make purchases\",\n  },\n  {\n    name: \"guest\",\n    level: 10,\n    inherits: [],\n    description: \"Public read-only access\",\n  },\n];\n\nexport const DEFAULT_PERMISSIONS: Permission[] = [\n  { resource: \"users\", action: \"admin\" },\n  { resource: \"users\", action: \"read\" },\n  { resource: \"users\", action: \"create\" },\n  { resource: \"users\", action: \"update\" },\n  { resource: \"users\", action: \"delete\" },\n\n  { resource: \"audit_logs\", action: \"admin\" },\n  { resource: \"audit_logs\", action: \"read\" },\n\n  { resource: \"posts\", action: \"admin\" },\n  { resource: \"posts\", action: \"read\" },\n  { resource: \"posts\", action: \"create\" },\n  { resource: \"posts\", action: \"update\" },\n  { resource: \"posts\", action: \"delete\" },\n\n  { resource: \"pages\", action: \"admin\" },\n  { resource: \"pages\", action: \"read\" },\n  { resource: \"pages\", action: \"create\" },\n  { resource: \"pages\", action: \"update\" },\n  { resource: \"pages\", action: \"delete\" },\n\n  { resource: \"media\", action: \"admin\" },\n  { resource: \"media\", action: \"read\" },\n  { resource: \"media\", action: \"create\" },\n  { resource: \"media\", action: \"update\" },\n  { resource: \"media\", action: \"delete\" },\n\n  { resource: \"categories\", action: \"admin\" },\n  { resource: \"categories\", action: \"read\" },\n  { resource: \"categories\", action: \"create\" },\n  { resource: \"categories\", action: \"update\" },\n  { resource: \"categories\", action: \"delete\" },\n\n  { resource: \"products\", action: \"admin\" },\n  { resource: \"products\", action: \"read\" },\n  { resource: \"products\", action: \"create\" },\n  { resource: \"products\", action: \"update\" },\n  { resource: \"products\", action: \"delete\" },\n\n  { resource: \"orders\", action: \"admin\" },\n  { resource: \"orders\", action: \"read\" },\n  { resource: \"orders\", action: \"create\" },\n  { resource: \"orders\", action: \"update\" },\n  { resource: \"orders\", action: \"delete\" },\n\n  { resource: \"customers\", action: \"admin\" },\n  { resource: \"customers\", action: \"read\" },\n  { resource: \"customers\", action: \"create\" },\n  { resource: \"customers\", action: \"update\" },\n  { resource: \"customers\", action: \"delete\" },\n\n  { resource: \"coupons\", action: \"admin\" },\n  { resource: \"coupons\", action: \"read\" },\n  { resource: \"coupons\", action: \"create\" },\n  { resource: \"coupons\", action: \"update\" },\n  { resource: \"coupons\", action: \"delete\" },\n\n  { resource: \"menu\", action: \"admin\" },\n  { resource: \"menu\", action: \"read\" },\n  { resource: \"menu\", action: \"create\" },\n  { resource: \"menu\", action: \"update\" },\n  { resource: \"menu\", action: \"delete\" },\n\n  { resource: \"settings\", action: \"admin\" },\n  { resource: \"settings\", action: \"read\" },\n  { resource: \"settings\", action: \"update\" },\n\n  { resource: \"profile\", action: \"admin\" },\n  { resource: \"profile\", action: \"read\" },\n  { resource: \"profile\", action: \"update\" },\n];\n\nexport const ROLE_PERMISSIONS: Record<string, string[]> = {\n  super_admin: [\"*\"],\n\n  admin: [\n    \"users:admin\",\n    \"users:read\",\n    \"users:update\",\n    \"audit_logs:read\",\n    \"posts:admin\",\n    \"posts:read\",\n    \"posts:create\",\n    \"posts:update\",\n    \"posts:delete\",\n    \"pages:admin\",\n    \"pages:read\",\n    \"pages:create\",\n    \"pages:update\",\n    \"pages:delete\",\n    \"media:admin\",\n    \"media:read\",\n    \"media:create\",\n    \"media:update\",\n    \"media:delete\",\n    \"categories:admin\",\n    \"categories:read\",\n    \"categories:create\",\n    \"categories:update\",\n    \"categories:delete\",\n    \"products:admin\",\n    \"products:read\",\n    \"products:create\",\n    \"products:update\",\n    \"products:delete\",\n    \"orders:admin\",\n    \"orders:read\",\n    \"orders:update\",\n    \"customers:admin\",\n    \"customers:read\",\n    \"customers:update\",\n    \"coupons:admin\",\n    \"coupons:read\",\n    \"coupons:create\",\n    \"coupons:update\",\n    \"coupons:delete\",\n    \"navigation:admin\",\n    \"navigation:read\",\n    \"navigation:create\",\n    \"navigation:update\",\n    \"navigation:delete\",\n    \"settings:admin\",\n    \"settings:read\",\n    \"settings:update\",\n    \"profile:admin\",\n    \"profile:read\",\n    \"profile:update\",\n  ],\n\n  editor: [\n    \"posts:admin\",\n    \"posts:read\",\n    \"posts:create\",\n    \"posts:update\",\n    \"posts:delete\",\n    \"pages:admin\",\n    \"pages:read\",\n    \"pages:create\",\n    \"pages:update\",\n    \"pages:delete\",\n    \"media:read\",\n    \"media:create\",\n    \"media:update\",\n    \"categories:read\",\n    \"categories:create\",\n    \"categories:update\",\n    \"products:read\",\n    \"orders:read\",\n    \"orders:update\",\n    \"navigation:read\",\n    \"navigation:create\",\n    \"navigation:update\",\n    \"profile:read\",\n    \"profile:update\",\n  ],\n\n  author: [\n    \"posts:read\",\n    \"posts:create\",\n    \"posts:update\",\n    \"media:read\",\n    \"media:create\",\n    \"categories:read\",\n    \"profile:read\",\n    \"profile:update\",\n  ],\n\n  customer: [\"profile:read\", \"profile:update\", \"orders:read\", \"orders:create\"],\n\n  guest: [\"posts:read\", \"pages:read\", \"products:read\"],\n};\n\nexport function getRoleHierarchy(\n  role: string,\n  roles: Role[] = DEFAULT_ROLES,\n): string[] {\n  const hierarchy: string[] = [role];\n  const roleMap = new Map(roles.map((r) => [r.name, r]));\n\n  const addInherited = (r: string) => {\n    const roleData = roleMap.get(r);\n    if (roleData && roleData.inherits) {\n      for (const inherited of roleData.inherits) {\n        if (!hierarchy.includes(inherited)) {\n          hierarchy.push(inherited);\n          addInherited(inherited);\n        }\n      }\n    }\n  };\n\n  addInherited(role);\n  return hierarchy;\n}\n\nexport function getRoleLevel(\n  role: string,\n  roles: Role[] = DEFAULT_ROLES,\n): number {\n  const roleMap = new Map(roles.map((r) => [r.name, r]));\n  const roleData = roleMap.get(role);\n  return roleData?.level ?? 0;\n}\n\nexport function isRoleHigherOrEqual(\n  role1: string,\n  role2: string,\n  roles: Role[] = DEFAULT_ROLES,\n): boolean {\n  return getRoleLevel(role1, roles) >= getRoleLevel(role2, roles);\n}\n\nexport function canInheritRole(\n  role: string,\n  targetRole: string,\n  roles: Role[] = DEFAULT_ROLES,\n): boolean {\n  const hierarchy = getRoleHierarchy(role, roles);\n  return hierarchy.includes(targetRole);\n}\n","import type { AuthUser } from \"../types.js\";\nimport {\n  ROLE_PERMISSIONS,\n  getRoleHierarchy,\n  type Permission,\n  type Condition,\n} from \"./roles.js\";\n\nexport interface PermissionContext {\n  user: AuthUser;\n  resource?: string;\n  action?: string;\n  doc?: Record<string, any>;\n  data?: Record<string, any>;\n  tenantId?: string;\n}\n\nexport function hasPermission(\n  user: AuthUser,\n  permission: string,\n  rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS,\n): boolean {\n  if (!user || !user.role) return false;\n\n  const userPermissions = getUserPermissions(user, rolePermissions);\n\n  if (userPermissions.includes(\"*\")) return true;\n  if (userPermissions.includes(permission)) return true;\n\n  const [resource, action] = permission.split(\":\");\n  if (userPermissions.includes(`${resource}:*`)) return true;\n  if (userPermissions.includes(`${resource}:admin`)) return true;\n\n  return false;\n}\n\nexport function hasRole(\n  user: AuthUser,\n  role: string,\n  roles: string[] = [],\n): boolean {\n  if (!user || !user.role) return false;\n\n  const hierarchy = getRoleHierarchy(user.role);\n  return hierarchy.includes(role);\n}\n\nexport function hasAnyRole(user: AuthUser, checkRoles: string[]): boolean {\n  if (!user || !user.role) return false;\n\n  const hierarchy = getRoleHierarchy(user.role);\n  return checkRoles.some((role) => hierarchy.includes(role));\n}\n\nexport function hasAllRoles(user: AuthUser, checkRoles: string[]): boolean {\n  if (!user || !user.role) return false;\n\n  const hierarchy = getRoleHierarchy(user.role);\n  return checkRoles.every((role) => hierarchy.includes(role));\n}\n\nexport function getUserPermissions(\n  user: AuthUser,\n  rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS,\n): string[] {\n  if (!user || !user.role) return [];\n\n  const hierarchy = getRoleHierarchy(user.role);\n  const permissions = new Set<string>();\n\n  for (const role of hierarchy) {\n    const rolePerms = rolePermissions[role];\n    if (rolePerms) {\n      for (const perm of rolePerms) {\n        permissions.add(perm);\n      }\n    }\n  }\n\n  return Array.from(permissions);\n}\n\nexport function getEffectivePermissions(\n  user: AuthUser,\n  rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS,\n): string[] {\n  return getUserPermissions(user, rolePermissions);\n}\n\nexport function canAccessResource(\n  user: AuthUser,\n  resource: string,\n  action: string,\n  rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS,\n): boolean {\n  return hasPermission(user, `${resource}:${action}`, rolePermissions);\n}\n\nexport function filterPermissions(\n  permissions: string[],\n  resource?: string,\n): string[] {\n  if (!resource) return permissions;\n\n  return permissions.filter((perm) => {\n    const [permResource] = perm.split(\":\");\n    return permResource === resource || permResource === \"*\";\n  });\n}\n\nexport function parsePermission(permission: string): {\n  resource: string;\n  action: string;\n  condition?: Condition;\n} {\n  const [resource, action, ...rest] = permission.split(\":\");\n  return {\n    resource,\n    action,\n    condition: rest.length > 0 ? JSON.parse(rest.join(\":\")) : undefined,\n  };\n}\n\nexport function buildPermission(\n  resource: string,\n  action: string,\n  condition?: Condition,\n): string {\n  if (condition) {\n    return `${resource}:${action}:${JSON.stringify(condition)}`;\n  }\n  return `${resource}:${action}`;\n}\n\nexport function evaluateCondition(\n  condition: Condition,\n  context: Record<string, any>,\n): boolean {\n  const { field, operator, value } = condition;\n  const fieldValue = context[field];\n\n  if (fieldValue === undefined) return false;\n\n  switch (operator) {\n    case \"eq\":\n      return fieldValue === value;\n    case \"neq\":\n      return fieldValue !== value;\n    case \"in\":\n      return Array.isArray(value) && value.includes(fieldValue);\n    case \"nin\":\n      return Array.isArray(value) && !value.includes(fieldValue);\n    case \"gt\":\n      return fieldValue > value;\n    case \"lt\":\n      return fieldValue < value;\n    case \"gte\":\n      return fieldValue >= value;\n    case \"lte\":\n      return fieldValue <= value;\n    case \"contains\":\n      if (typeof fieldValue === \"string\") {\n        return fieldValue.includes(value);\n      }\n      if (Array.isArray(fieldValue)) {\n        return fieldValue.includes(value);\n      }\n      return false;\n    default:\n      return false;\n  }\n}\n\nexport function evaluateConditions(\n  conditions: Condition[],\n  context: Record<string, any>,\n): boolean {\n  if (!conditions || conditions.length === 0) return true;\n\n  return conditions.every((condition) => evaluateCondition(condition, context));\n}\n\nexport function resolveConditionValue(\n  value: any,\n  context: Record<string, any>,\n): any {\n  if (typeof value !== \"string\") return value;\n\n  if (value.startsWith(\"${\") && value.endsWith(\"}\")) {\n    const path = value.slice(2, -1);\n    const keys = path.split(\".\");\n    let resolved = context;\n\n    for (const key of keys) {\n      if (resolved === undefined || resolved === null) return undefined;\n      resolved = resolved[key];\n    }\n\n    return resolved;\n  }\n\n  return value;\n}\n\nexport function evaluateConditionWithContext(\n  condition: Condition,\n  context: Record<string, any>,\n): boolean {\n  const resolvedCondition = {\n    ...condition,\n    value: resolveConditionValue(condition.value, context),\n  };\n\n  return evaluateCondition(resolvedCondition, context);\n}\n\nexport class PermissionChecker {\n  private rolePermissions: Record<string, string[]>;\n\n  constructor(rolePermissions: Record<string, string[]> = ROLE_PERMISSIONS) {\n    this.rolePermissions = rolePermissions;\n  }\n\n  check(user: AuthUser, permission: string): boolean {\n    return hasPermission(user, permission, this.rolePermissions);\n  }\n\n  checkRole(user: AuthUser, role: string): boolean {\n    return hasRole(user, role);\n  }\n\n  checkAnyRole(user: AuthUser, roles: string[]): boolean {\n    return hasAnyRole(user, roles);\n  }\n\n  checkAllRoles(user: AuthUser, roles: string[]): boolean {\n    return hasAllRoles(user, roles);\n  }\n\n  getPermissions(user: AuthUser): string[] {\n    return getUserPermissions(user, this.rolePermissions);\n  }\n\n  canAccess(user: AuthUser, resource: string, action: string): boolean {\n    return canAccessResource(user, resource, action, this.rolePermissions);\n  }\n\n  filterByResource(permissions: string[], resource: string): string[] {\n    return filterPermissions(permissions, resource);\n  }\n}\n"]}

package/dist/chunk-NWUEVLQT.cjs

@@ -0,0 +1,99 @@
+'use strict';
+
+var chunkE2763JUP_cjs = require('./chunk-E2763JUP.cjs');
+var chunk5PMQQFRE_cjs = require('./chunk-5PMQQFRE.cjs');
+var chunkIDVRRRAK_cjs = require('./chunk-IDVRRRAK.cjs');
+var chunkRFFSZSCL_cjs = require('./chunk-RFFSZSCL.cjs');
+var chunk7OS7TX2Q_cjs = require('./chunk-7OS7TX2Q.cjs');
+var chunkQ23GAMLE_cjs = require('./chunk-Q23GAMLE.cjs');
+var chunkGXFOGU7N_cjs = require('./chunk-GXFOGU7N.cjs');
+var projectConfig = require('kyro:config');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var projectConfig__default = /*#__PURE__*/_interopDefault(projectConfig);
+
+exports.kyroInstance = null;
+var initPromise = null;
+async function doInit() {
+  if (exports.kyroInstance) return;
+  try {
+    const config = projectConfig__default.default.default || projectConfig__default.default;
+    exports.kyroInstance = chunkE2763JUP_cjs.createKyro(config);
+    await exports.kyroInstance.init();
+    await exports.kyroInstance.loadSettings();
+    const db = exports.kyroInstance.db;
+    let bootstrapAuthAdapter = void 0;
+    if (db instanceof chunkRFFSZSCL_cjs.DrizzleAdapter) {
+      if (db.dialect === "postgres") {
+        bootstrapAuthAdapter = new chunk7OS7TX2Q_cjs.PostgresAuthAdapter({ db: db.client });
+      } else if (db.dialect === "sqlite") {
+        const authDbPath = process.env.KYRO_AUTH_DB_PATH || "./data/auth.db";
+        bootstrapAuthAdapter = new chunkIDVRRRAK_cjs.SQLiteAuthAdapter({ path: authDbPath });
+      }
+    } else if (db instanceof chunkE2763JUP_cjs.LocalAdapter) {
+      const authDbPath = process.env.KYRO_AUTH_DB_PATH || "./data/auth.db";
+      bootstrapAuthAdapter = new chunkIDVRRRAK_cjs.SQLiteAuthAdapter({ path: authDbPath });
+    } else if (db instanceof chunkQ23GAMLE_cjs.MongoDBAdapter) {
+      bootstrapAuthAdapter = new chunkGXFOGU7N_cjs.MongoDBAuthAdapter({ db: db.db });
+    }
+    if (bootstrapAuthAdapter?.connect) {
+      await bootstrapAuthAdapter.connect();
+    }
+    const result = await chunk5PMQQFRE_cjs.autoBootstrap(bootstrapAuthAdapter);
+    if (result?.success) {
+      console.log(`[Kyro] Admin user auto-created from env: ${result.user?.email}`);
+    }
+    if (typeof exports.kyroInstance.startWebSocket === "function") {
+      exports.kyroInstance.startWebSocket().catch((err) => {
+        console.error("[Kyro] WebSocket auto-start failed:", err);
+      });
+    }
+    globalThis.__KYRO_INSTANCE__ = exports.kyroInstance;
+    console.log("[Kyro API] Backend initialized via Astro Integration");
+  } catch (err) {
+    exports.kyroInstance = null;
+    initPromise = null;
+    console.error("[Kyro API] Init failed, will retry:", err);
+    throw err;
+  }
+}
+async function warmKyroInstance() {
+  if (!initPromise) {
+    initPromise = doInit();
+  }
+  await initPromise;
+}
+var ALL = async (context) => {
+  if (!exports.kyroInstance) {
+    if (!initPromise) {
+      initPromise = doInit();
+    }
+    try {
+      await Promise.race([
+        initPromise,
+        new Promise(
+          (_, reject) => setTimeout(() => reject(new Error("Initialization timeout")), 3e4)
+        )
+      ]);
+    } catch {
+      return new Response(JSON.stringify({
+        error: "Service Unavailable",
+        message: "Kyro CMS is still starting up. Please try again in a moment."
+      }), {
+        status: 503,
+        headers: {
+          "Content-Type": "application/json",
+          "Retry-After": "5"
+        }
+      });
+    }
+  }
+  const app = exports.kyroInstance.getREST();
+  return app.fetch(context.request, context.locals);
+};
+
+exports.ALL = ALL;
+exports.warmKyroInstance = warmKyroInstance;
+//# sourceMappingURL=chunk-NWUEVLQT.cjs.map
+//# sourceMappingURL=chunk-NWUEVLQT.cjs.map

package/dist/chunk-NWUEVLQT.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/api-handler.ts"],"names":["kyroInstance","projectConfig","createKyro","DrizzleAdapter","PostgresAuthAdapter","SQLiteAuthAdapter","LocalAdapter","MongoDBAdapter","MongoDBAuthAdapter","autoBootstrap"],"mappings":";;;;;;;;;;;;;;;AAYWA,oBAAA,GAAoB;AAC/B,IAAI,WAAA,GAAoC,IAAA;AAExC,eAAe,MAAA,GAAwB;AACrC,EAAA,IAAIA,oBAAA,EAAc;AAElB,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAASC,+BAAc,OAAA,IAAWA,8BAAA;AACxC,IAAAD,oBAAA,GAAeE,6BAAW,MAAM,CAAA;AAChC,IAAA,MAAMF,qBAAa,IAAA,EAAK;AACxB,IAAA,MAAMA,qBAAa,YAAA,EAAa;AAEhC,IAAA,MAAM,KAAKA,oBAAA,CAAa,EAAA;AACxB,IAAA,IAAI,oBAAA,GAA4B,KAAA,CAAA;AAEhC,IAAA,IAAI,cAAcG,gCAAA,EAAgB;AAChC,MAAA,IAAI,EAAA,CAAG,YAAY,UAAA,EAAY;AAC7B,QAAA,oBAAA,GAAuB,IAAIC,qCAAA,CAAoB,EAAE,EAAA,EAAI,EAAA,CAAG,QAAQ,CAAA;AAAA,MAClE,CAAA,MAAA,IAAW,EAAA,CAAG,OAAA,KAAY,QAAA,EAAU;AAClC,QAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,GAAA,CAAI,iBAAA,IAAqB,gBAAA;AACpD,QAAA,oBAAA,GAAuB,IAAIC,mCAAA,CAAkB,EAAE,IAAA,EAAM,YAAY,CAAA;AAAA,MACnE;AAAA,IACF,CAAA,MAAA,IAAW,cAAcC,8BAAA,EAAc;AACrC,MAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,GAAA,CAAI,iBAAA,IAAqB,gBAAA;AACpD,MAAA,oBAAA,GAAuB,IAAID,mCAAA,CAAkB,EAAE,IAAA,EAAM,YAAY,CAAA;AAAA,IACnE,CAAA,MAAA,IAAW,cAAcE,gCAAA,EAAgB;AACvC,MAAA,oBAAA,GAAuB,IAAIC,oCAAA,CAAmB,EAAE,EAAA,EAAI,EAAA,CAAG,IAAI,CAAA;AAAA,IAC7D;AAEA,IAAA,IAAI,sBAAsB,OAAA,EAAS;AACjC,MAAA,MAAM,qBAAqB,OAAA,EAAQ;AAAA,IACrC;AAEA,IAAA,MAAM,MAAA,GAAS,MAAMC,+BAAA,CAAc,oBAAoB,CAAA;AACvD,IAAA,IAAI,QAAQ,OAAA,EAAS;AACnB,MAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,yCAAA,EAA4C,MAAA,CAAO,IAAA,EAAM,KAAK,CAAA,CAAE,CAAA;AAAA,IAC9E;AAGA,IAAA,IAAI,OAAOT,oBAAA,CAAa,cAAA,KAAmB,UAAA,EAAY;AACrD,MAAAA,oBAAA,CAAa,cAAA,EAAe,CAAE,KAAA,CAAM,CAAC,GAAA,KAAa;AAChD,QAAA,OAAA,CAAQ,KAAA,CAAM,uCAAuC,GAAG,CAAA;AAAA,MAC1D,CAAC,CAAA;AAAA,IACH;AAGA,IAAC,WAAmB,iBAAA,GAAoBA,oBAAA;AAExC,IAAA,OAAA,CAAQ,IAAI,sDAAsD,CAAA;AAAA,EACpE,SAAS,GAAA,EAAK;AACZ,IAAAA,oBAAA,GAAe,IAAA;AACf,IAAA,WAAA,GAAc,IAAA;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,uCAAuC,GAAG,CAAA;AACxD,IAAA,MAAM,GAAA;AAAA,EACR;AACF;AAEA,eAAsB,gBAAA,GAAkC;AACtD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,WAAA,GAAc,MAAA,EAAO;AAAA,EACvB;AACA,EAAA,MAAM,WAAA;AACR;AAEO,IAAM,GAAA,GAAgB,OAAO,OAAA,KAAY;AAC9C,EAAA,IAAI,CAACA,oBAAA,EAAc;AACjB,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,WAAA,GAAc,MAAA,EAAO;AAAA,IACvB;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,QAAQ,IAAA,CAAK;AAAA,QACjB,WAAA;AAAA,QACA,IAAI,OAAA;AAAA,UAAc,CAAC,CAAA,EAAG,MAAA,KACpB,UAAA,CAAW,MAAM,MAAA,CAAO,IAAI,KAAA,CAAM,wBAAwB,CAAC,CAAA,EAAG,GAAK;AAAA;AACrE,OACD,CAAA;AAAA,IACH,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAI,QAAA,CAAS,IAAA,CAAK,SAAA,CAAU;AAAA,QACjC,KAAA,EAAO,qBAAA;AAAA,QACP,OAAA,EAAS;AAAA,OACV,CAAA,EAAG;AAAA,QACF,MAAA,EAAQ,GAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,aAAA,EAAe;AAAA;AACjB,OACD,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,MAAM,GAAA,GAAMA,qBAAa,OAAA,EAAQ;AACjC,EAAA,OAAO,GAAA,CAAI,KAAA,CAAM,OAAA,CAAQ,OAAA,EAAS,QAAQ,MAAM,CAAA;AAClD","file":"chunk-NWUEVLQT.cjs","sourcesContent":["import type { APIRoute } from \"astro\";\nimport { createKyro } from \"./createKyro.js\";\nimport { autoBootstrap } from \"./auth/bootstrap.js\";\nimport { DrizzleAdapter } from \"./database/drizzle/adapter.js\";\nimport { PostgresAuthAdapter } from \"./database/drizzle/postgres-auth-adapter.js\";\nimport { LocalAdapter } from \"./database/local/adapter.js\";\nimport { SQLiteAuthAdapter } from \"./auth/sqlite-adapter.js\";\nimport { MongoDBAdapter } from \"./database/mongodb/adapter.js\";\nimport { MongoDBAuthAdapter } from \"./database/mongodb/mongo-auth-adapter.js\";\n// @ts-ignore - handled by vite alias\nimport projectConfig from \"kyro:config\";\n\nexport let kyroInstance: any = null;\nlet initPromise: Promise<void> | null = null;\n\nasync function doInit(): Promise<void> {\n  if (kyroInstance) return;\n\n  try {\n    const config = projectConfig.default || projectConfig;\n    kyroInstance = createKyro(config);\n    await kyroInstance.init();\n    await kyroInstance.loadSettings();\n\n    const db = kyroInstance.db;\n    let bootstrapAuthAdapter: any = undefined;\n    \n    if (db instanceof DrizzleAdapter) {\n      if (db.dialect === \"postgres\") {\n        bootstrapAuthAdapter = new PostgresAuthAdapter({ db: db.client });\n      } else if (db.dialect === \"sqlite\") {\n        const authDbPath = process.env.KYRO_AUTH_DB_PATH || \"./data/auth.db\";\n        bootstrapAuthAdapter = new SQLiteAuthAdapter({ path: authDbPath });\n      }\n    } else if (db instanceof LocalAdapter) {\n      const authDbPath = process.env.KYRO_AUTH_DB_PATH || \"./data/auth.db\";\n      bootstrapAuthAdapter = new SQLiteAuthAdapter({ path: authDbPath });\n    } else if (db instanceof MongoDBAdapter) {\n      bootstrapAuthAdapter = new MongoDBAuthAdapter({ db: db.db });\n    }\n\n    if (bootstrapAuthAdapter?.connect) {\n      await bootstrapAuthAdapter.connect();\n    }\n\n    const result = await autoBootstrap(bootstrapAuthAdapter);\n    if (result?.success) {\n      console.log(`[Kyro] Admin user auto-created from env: ${result.user?.email}`);\n    }\n\n    // Auto-start WebSocket (checks settings.access.apiAccess.wsEnabled internally)\n    if (typeof kyroInstance.startWebSocket === \"function\") {\n      kyroInstance.startWebSocket().catch((err: any) => {\n        console.error(\"[Kyro] WebSocket auto-start failed:\", err);\n      });\n    }\n\n    // Expose instance globally so admin SSR can read DB directly\n    (globalThis as any).__KYRO_INSTANCE__ = kyroInstance;\n\n    console.log(\"[Kyro API] Backend initialized via Astro Integration\");\n  } catch (err) {\n    kyroInstance = null;\n    initPromise = null;\n    console.error(\"[Kyro API] Init failed, will retry:\", err);\n    throw err;\n  }\n}\n\nexport async function warmKyroInstance(): Promise<void> {\n  if (!initPromise) {\n    initPromise = doInit();\n  }\n  await initPromise;\n}\n\nexport const ALL: APIRoute = async (context) => {\n  if (!kyroInstance) {\n    if (!initPromise) {\n      initPromise = doInit();\n    }\n\n    try {\n      await Promise.race([\n        initPromise,\n        new Promise<void>((_, reject) =>\n          setTimeout(() => reject(new Error(\"Initialization timeout\")), 30000)\n        ),\n      ]);\n    } catch {\n      return new Response(JSON.stringify({\n        error: \"Service Unavailable\",\n        message: \"Kyro CMS is still starting up. Please try again in a moment.\",\n      }), {\n        status: 503,\n        headers: {\n          \"Content-Type\": \"application/json\",\n          \"Retry-After\": \"5\",\n        },\n      });\n    }\n  }\n\n  const app = kyroInstance.getREST();\n  return app.fetch(context.request, context.locals);\n};\n"]}