@lssm/lib.identity-rbac 0.0.0-canary-20251206160926

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+import { CreateUserContract, CreateUserInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, SuccessResultModel, UpdateUserContract, UpdateUserInputModel, UserDeletedPayloadModel, UserProfileModel } from "./contracts/user.js";
+import { AcceptInviteContract, AcceptInviteInputModel, CreateOrgContract, CreateOrgInputModel, GetOrgContract, GetOrgInputModel, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrganizationModel, OrganizationWithRoleModel, RemoveMemberContract, RemoveMemberInputModel, UpdateOrgContract, UpdateOrgInputModel } from "./contracts/organization.js";
+import { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel } from "./contracts/rbac.js";
+import { AccountEntity, SessionEntity, UserEntity, VerificationEntity } from "./entities/user.js";
+import { InvitationEntity, MemberEntity, OrganizationEntity, OrganizationTypeEnum, TeamEntity, TeamMemberEntity } from "./entities/organization.js";
+import { ApiKeyEntity, PasskeyEntity, PermissionEntity, PolicyBindingEntity, RoleEntity } from "./entities/rbac.js";
+import { identityRbacEntities, identityRbacSchemaContribution } from "./entities/index.js";
+import { IdentityRbacEvents, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, RoleAssignedEvent, RoleRevokedEvent, UserCreatedEvent, UserDeletedEvent, UserEmailVerifiedEvent, UserUpdatedEvent } from "./events.js";
+import { Permission, PermissionCheckInput, PermissionCheckResult, PermissionKey, PolicyBindingForEval, RBACPolicyEngine, RoleWithPermissions, StandardRole, createRBACEngine } from "./policies/engine.js";
+export { AcceptInviteContract, AcceptInviteInputModel, AccountEntity, ApiKeyEntity, AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateOrgContract, CreateOrgInputModel, CreateRoleContract, CreateRoleInputModel, CreateUserContract, CreateUserInputModel, DeleteRoleContract, DeleteRoleInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, GetOrgContract, GetOrgInputModel, IdentityRbacEvents, InvitationEntity, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListRolesContract, ListRolesOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, MemberEntity, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, OrganizationEntity, OrganizationModel, OrganizationTypeEnum, OrganizationWithRoleModel, PasskeyEntity, Permission, PermissionCheckInput, PermissionCheckResult, PermissionCheckResultModel, PermissionEntity, PermissionKey, PolicyBindingEntity, PolicyBindingForEval, PolicyBindingModel, RBACPolicyEngine, RemoveMemberContract, RemoveMemberInputModel, RevokeRoleContract, RevokeRoleInputModel, RoleAssignedEvent, RoleEntity, RoleModel, RoleRevokedEvent, RoleWithPermissions, SessionEntity, StandardRole, SuccessResultModel, TeamEntity, TeamMemberEntity, UpdateOrgContract, UpdateOrgInputModel, UpdateRoleContract, UpdateRoleInputModel, UpdateUserContract, UpdateUserInputModel, UserCreatedEvent, UserDeletedEvent, UserDeletedPayloadModel, UserEmailVerifiedEvent, UserEntity, UserProfileModel, UserUpdatedEvent, VerificationEntity, createRBACEngine, identityRbacEntities, identityRbacSchemaContribution };

package/dist/index.js

@@ -0,0 +1 @@
+import{IdentityRbacEvents as e,OrgCreatedEvent as t,OrgDeletedEvent as n,OrgInviteAcceptedEvent as r,OrgInviteDeclinedEvent as i,OrgInviteSentEvent as a,OrgMemberAddedEvent as o,OrgMemberRemovedEvent as s,OrgMemberRoleChangedEvent as c,OrgUpdatedEvent as l,RoleAssignedEvent as u,RoleRevokedEvent as d,UserCreatedEvent as f,UserDeletedEvent as p,UserEmailVerifiedEvent as m,UserUpdatedEvent as h}from"./events.js";import{AccountEntity as g,SessionEntity as _,UserEntity as v,VerificationEntity as y}from"./entities/user.js";import{InvitationEntity as b,MemberEntity as x,OrganizationEntity as S,OrganizationTypeEnum as C,TeamEntity as w,TeamMemberEntity as T}from"./entities/organization.js";import{ApiKeyEntity as E,PasskeyEntity as D,PermissionEntity as O,PolicyBindingEntity as k,RoleEntity as A}from"./entities/rbac.js";import{identityRbacEntities as j,identityRbacSchemaContribution as M}from"./entities/index.js";import{CreateUserContract as N,CreateUserInputModel as P,DeleteUserContract as F,DeleteUserInputModel as I,GetCurrentUserContract as L,ListUsersContract as R,ListUsersInputModel as z,ListUsersOutputModel as B,SuccessResultModel as V,UpdateUserContract as H,UpdateUserInputModel as U,UserDeletedPayloadModel as W,UserProfileModel as G}from"./contracts/user.js";import{AcceptInviteContract as K,AcceptInviteInputModel as q,CreateOrgContract as J,CreateOrgInputModel as Y,GetOrgContract as X,GetOrgInputModel as Z,InvitationModel as Q,InviteMemberContract as $,InviteMemberInputModel as ee,ListMembersContract as te,ListMembersInputModel as ne,ListMembersOutputModel as re,ListUserOrgsContract as ie,ListUserOrgsOutputModel as ae,MemberModel as oe,MemberRemovedPayloadModel as se,MemberUserModel as ce,OrganizationModel as le,OrganizationWithRoleModel as ue,RemoveMemberContract as de,RemoveMemberInputModel as fe,UpdateOrgContract as pe,UpdateOrgInputModel as me}from"./contracts/organization.js";import{AssignRoleContract as he,AssignRoleInputModel as ge,BindingIdPayloadModel as _e,CheckPermissionContract as ve,CheckPermissionInputModel as ye,CreateRoleContract as be,CreateRoleInputModel as xe,DeleteRoleContract as Se,DeleteRoleInputModel as Ce,ListRolesContract as we,ListRolesOutputModel as Te,ListUserPermissionsContract as Ee,ListUserPermissionsInputModel as De,ListUserPermissionsOutputModel as Oe,PermissionCheckResultModel as ke,PolicyBindingModel as Ae,RevokeRoleContract as je,RevokeRoleInputModel as Me,RoleModel as Ne,UpdateRoleContract as Pe,UpdateRoleInputModel as Fe}from"./contracts/rbac.js";import"./contracts/index.js";import{Permission as Ie,RBACPolicyEngine as Le,StandardRole as Re,createRBACEngine as ze}from"./policies/engine.js";import"./policies/index.js";export{K as AcceptInviteContract,q as AcceptInviteInputModel,g as AccountEntity,E as ApiKeyEntity,he as AssignRoleContract,ge as AssignRoleInputModel,_e as BindingIdPayloadModel,ve as CheckPermissionContract,ye as CheckPermissionInputModel,J as CreateOrgContract,Y as CreateOrgInputModel,be as CreateRoleContract,xe as CreateRoleInputModel,N as CreateUserContract,P as CreateUserInputModel,Se as DeleteRoleContract,Ce as DeleteRoleInputModel,F as DeleteUserContract,I as DeleteUserInputModel,L as GetCurrentUserContract,X as GetOrgContract,Z as GetOrgInputModel,e as IdentityRbacEvents,b as InvitationEntity,Q as InvitationModel,$ as InviteMemberContract,ee as InviteMemberInputModel,te as ListMembersContract,ne as ListMembersInputModel,re as ListMembersOutputModel,we as ListRolesContract,Te as ListRolesOutputModel,ie as ListUserOrgsContract,ae as ListUserOrgsOutputModel,Ee as ListUserPermissionsContract,De as ListUserPermissionsInputModel,Oe as ListUserPermissionsOutputModel,R as ListUsersContract,z as ListUsersInputModel,B as ListUsersOutputModel,x as MemberEntity,oe as MemberModel,se as MemberRemovedPayloadModel,ce as MemberUserModel,t as OrgCreatedEvent,n as OrgDeletedEvent,r as OrgInviteAcceptedEvent,i as OrgInviteDeclinedEvent,a as OrgInviteSentEvent,o as OrgMemberAddedEvent,s as OrgMemberRemovedEvent,c as OrgMemberRoleChangedEvent,l as OrgUpdatedEvent,S as OrganizationEntity,le as OrganizationModel,C as OrganizationTypeEnum,ue as OrganizationWithRoleModel,D as PasskeyEntity,Ie as Permission,ke as PermissionCheckResultModel,O as PermissionEntity,k as PolicyBindingEntity,Ae as PolicyBindingModel,Le as RBACPolicyEngine,de as RemoveMemberContract,fe as RemoveMemberInputModel,je as RevokeRoleContract,Me as RevokeRoleInputModel,u as RoleAssignedEvent,A as RoleEntity,Ne as RoleModel,d as RoleRevokedEvent,_ as SessionEntity,Re as StandardRole,V as SuccessResultModel,w as TeamEntity,T as TeamMemberEntity,pe as UpdateOrgContract,me as UpdateOrgInputModel,Pe as UpdateRoleContract,Fe as UpdateRoleInputModel,H as UpdateUserContract,U as UpdateUserInputModel,f as UserCreatedEvent,p as UserDeletedEvent,W as UserDeletedPayloadModel,m as UserEmailVerifiedEvent,v as UserEntity,G as UserProfileModel,h as UserUpdatedEvent,y as VerificationEntity,ze as createRBACEngine,j as identityRbacEntities,M as identityRbacSchemaContribution};

package/dist/policies/engine.d.ts

@@ -0,0 +1,132 @@
+//#region src/policies/engine.d.ts
+/**
+ * Standard permissions for identity-rbac module.
+ */
+declare const Permission: {
+  readonly USER_CREATE: "user.create";
+  readonly USER_READ: "user.read";
+  readonly USER_UPDATE: "user.update";
+  readonly USER_DELETE: "user.delete";
+  readonly USER_LIST: "user.list";
+  readonly USER_MANAGE: "user.manage";
+  readonly ORG_CREATE: "org.create";
+  readonly ORG_READ: "org.read";
+  readonly ORG_UPDATE: "org.update";
+  readonly ORG_DELETE: "org.delete";
+  readonly ORG_LIST: "org.list";
+  readonly MEMBER_INVITE: "member.invite";
+  readonly MEMBER_REMOVE: "member.remove";
+  readonly MEMBER_UPDATE_ROLE: "member.update_role";
+  readonly MEMBER_LIST: "member.list";
+  readonly MANAGE_MEMBERS: "org.manage_members";
+  readonly TEAM_CREATE: "team.create";
+  readonly TEAM_UPDATE: "team.update";
+  readonly TEAM_DELETE: "team.delete";
+  readonly TEAM_MANAGE: "team.manage";
+  readonly ROLE_CREATE: "role.create";
+  readonly ROLE_UPDATE: "role.update";
+  readonly ROLE_DELETE: "role.delete";
+  readonly ROLE_ASSIGN: "role.assign";
+  readonly ROLE_REVOKE: "role.revoke";
+  readonly BILLING_VIEW: "billing.view";
+  readonly BILLING_MANAGE: "billing.manage";
+  readonly PROJECT_CREATE: "project.create";
+  readonly PROJECT_READ: "project.read";
+  readonly PROJECT_UPDATE: "project.update";
+  readonly PROJECT_DELETE: "project.delete";
+  readonly PROJECT_MANAGE: "project.manage";
+  readonly ADMIN_ACCESS: "admin.access";
+  readonly ADMIN_IMPERSONATE: "admin.impersonate";
+};
+type PermissionKey = (typeof Permission)[keyof typeof Permission];
+/**
+ * Standard role definitions.
+ */
+declare const StandardRole: {
+  readonly OWNER: {
+    readonly name: "owner";
+    readonly description: "Organization owner with full access";
+    readonly permissions: ("user.create" | "user.read" | "user.update" | "user.delete" | "user.list" | "user.manage" | "org.create" | "org.read" | "org.update" | "org.delete" | "org.list" | "member.invite" | "member.remove" | "member.update_role" | "member.list" | "org.manage_members" | "team.create" | "team.update" | "team.delete" | "team.manage" | "role.create" | "role.update" | "role.delete" | "role.assign" | "role.revoke" | "billing.view" | "billing.manage" | "project.create" | "project.read" | "project.update" | "project.delete" | "project.manage" | "admin.access" | "admin.impersonate")[];
+  };
+  readonly ADMIN: {
+    readonly name: "admin";
+    readonly description: "Administrator with most permissions";
+    readonly permissions: readonly ["user.read", "user.list", "org.read", "org.update", "member.invite", "member.remove", "member.update_role", "member.list", "org.manage_members", "team.create", "team.update", "team.delete", "team.manage", "project.create", "project.read", "project.update", "project.delete", "project.manage", "billing.view"];
+  };
+  readonly MEMBER: {
+    readonly name: "member";
+    readonly description: "Regular organization member";
+    readonly permissions: readonly ["user.read", "org.read", "member.list", "project.read", "project.create"];
+  };
+  readonly VIEWER: {
+    readonly name: "viewer";
+    readonly description: "Read-only access";
+    readonly permissions: readonly ["user.read", "org.read", "member.list", "project.read"];
+  };
+};
+/**
+ * Permission check input.
+ */
+interface PermissionCheckInput {
+  userId: string;
+  orgId?: string;
+  permission: PermissionKey | string;
+}
+/**
+ * Permission check result.
+ */
+interface PermissionCheckResult {
+  allowed: boolean;
+  reason?: string;
+  matchedRole?: string;
+}
+/**
+ * Role with permissions.
+ */
+interface RoleWithPermissions {
+  id: string;
+  name: string;
+  permissions: string[];
+}
+/**
+ * Policy binding for permission evaluation.
+ */
+interface PolicyBindingForEval {
+  roleId: string;
+  role: RoleWithPermissions;
+  targetType: 'user' | 'organization';
+  targetId: string;
+  expiresAt?: Date | null;
+}
+/**
+ * RBAC Policy Engine for permission checks.
+ */
+declare class RBACPolicyEngine {
+  private roleCache;
+  private bindingCache;
+  /**
+   * Check if a user has a specific permission.
+   */
+  checkPermission(input: PermissionCheckInput, bindings: PolicyBindingForEval[]): Promise<PermissionCheckResult>;
+  /**
+   * Get all permissions for a user in a context.
+   */
+  getPermissions(userId: string, orgId: string | undefined, bindings: PolicyBindingForEval[]): Promise<{
+    permissions: Set<string>;
+    roles: RoleWithPermissions[];
+  }>;
+  /**
+   * Check if user has any of the specified permissions.
+   */
+  hasAnyPermission(userId: string, orgId: string | undefined, permissions: string[], bindings: PolicyBindingForEval[]): Promise<boolean>;
+  /**
+   * Check if user has all of the specified permissions.
+   */
+  hasAllPermissions(userId: string, orgId: string | undefined, permissions: string[], bindings: PolicyBindingForEval[]): Promise<boolean>;
+}
+/**
+ * Create a new RBAC policy engine instance.
+ */
+declare function createRBACEngine(): RBACPolicyEngine;
+//#endregion
+export { Permission, PermissionCheckInput, PermissionCheckResult, PermissionKey, PolicyBindingForEval, RBACPolicyEngine, RoleWithPermissions, StandardRole, createRBACEngine };

package/dist/policies/engine.js

@@ -0,0 +1 @@
+import{z as e}from"zod";const t={USER_CREATE:`user.create`,USER_READ:`user.read`,USER_UPDATE:`user.update`,USER_DELETE:`user.delete`,USER_LIST:`user.list`,USER_MANAGE:`user.manage`,ORG_CREATE:`org.create`,ORG_READ:`org.read`,ORG_UPDATE:`org.update`,ORG_DELETE:`org.delete`,ORG_LIST:`org.list`,MEMBER_INVITE:`member.invite`,MEMBER_REMOVE:`member.remove`,MEMBER_UPDATE_ROLE:`member.update_role`,MEMBER_LIST:`member.list`,MANAGE_MEMBERS:`org.manage_members`,TEAM_CREATE:`team.create`,TEAM_UPDATE:`team.update`,TEAM_DELETE:`team.delete`,TEAM_MANAGE:`team.manage`,ROLE_CREATE:`role.create`,ROLE_UPDATE:`role.update`,ROLE_DELETE:`role.delete`,ROLE_ASSIGN:`role.assign`,ROLE_REVOKE:`role.revoke`,BILLING_VIEW:`billing.view`,BILLING_MANAGE:`billing.manage`,PROJECT_CREATE:`project.create`,PROJECT_READ:`project.read`,PROJECT_UPDATE:`project.update`,PROJECT_DELETE:`project.delete`,PROJECT_MANAGE:`project.manage`,ADMIN_ACCESS:`admin.access`,ADMIN_IMPERSONATE:`admin.impersonate`},n={OWNER:{name:`owner`,description:`Organization owner with full access`,permissions:Object.values(t)},ADMIN:{name:`admin`,description:`Administrator with most permissions`,permissions:[t.USER_READ,t.USER_LIST,t.ORG_READ,t.ORG_UPDATE,t.MEMBER_INVITE,t.MEMBER_REMOVE,t.MEMBER_UPDATE_ROLE,t.MEMBER_LIST,t.MANAGE_MEMBERS,t.TEAM_CREATE,t.TEAM_UPDATE,t.TEAM_DELETE,t.TEAM_MANAGE,t.PROJECT_CREATE,t.PROJECT_READ,t.PROJECT_UPDATE,t.PROJECT_DELETE,t.PROJECT_MANAGE,t.BILLING_VIEW]},MEMBER:{name:`member`,description:`Regular organization member`,permissions:[t.USER_READ,t.ORG_READ,t.MEMBER_LIST,t.PROJECT_READ,t.PROJECT_CREATE]},VIEWER:{name:`viewer`,description:`Read-only access`,permissions:[t.USER_READ,t.ORG_READ,t.MEMBER_LIST,t.PROJECT_READ]}};var r=class{roleCache=new Map;bindingCache=new Map;async checkPermission(e,t){let{userId:n,orgId:r,permission:i}=e,a=new Date,o=t.filter(e=>e.targetType===`user`&&e.targetId===n),s=r?t.filter(e=>e.targetType===`organization`&&e.targetId===r):[],c=[...o,...s].filter(e=>!e.expiresAt||e.expiresAt>a);if(c.length===0)return{allowed:!1,reason:`No active role bindings found`};for(let e of c)if(e.role.permissions.includes(i))return{allowed:!0,matchedRole:e.role.name};return{allowed:!1,reason:`No role grants the "${i}" permission`}}async getPermissions(e,t,n){let r=new Date,i=n.filter(t=>t.targetType===`user`&&t.targetId===e),a=t?n.filter(e=>e.targetType===`organization`&&e.targetId===t):[],o=[...i,...a].filter(e=>!e.expiresAt||e.expiresAt>r),s=new Set,c=[];for(let e of o){c.push(e.role);for(let t of e.role.permissions)s.add(t)}return{permissions:s,roles:c}}async hasAnyPermission(e,t,n,r){let{permissions:i}=await this.getPermissions(e,t,r);return n.some(e=>i.has(e))}async hasAllPermissions(e,t,n,r){let{permissions:i}=await this.getPermissions(e,t,r);return n.every(e=>i.has(e))}};function i(){return new r}export{t as Permission,r as RBACPolicyEngine,n as StandardRole,i as createRBACEngine};

package/dist/policies/index.d.ts

@@ -0,0 +1,2 @@
+import { Permission, PermissionCheckInput, PermissionCheckResult, PermissionKey, PolicyBindingForEval, RBACPolicyEngine, RoleWithPermissions, StandardRole, createRBACEngine } from "./engine.js";
+export { Permission, type PermissionCheckInput, type PermissionCheckResult, type PermissionKey, type PolicyBindingForEval, RBACPolicyEngine, type RoleWithPermissions, StandardRole, createRBACEngine };

package/dist/policies/index.js

@@ -0,0 +1 @@
+import{Permission as e,RBACPolicyEngine as t,StandardRole as n,createRBACEngine as r}from"./engine.js";export{e as Permission,t as RBACPolicyEngine,n as StandardRole,r as createRBACEngine};

package/dist/schema/dist/EnumType.js

@@ -0,0 +1 @@
+import{z as e}from"zod";import"graphql";

package/dist/schema/dist/FieldType.js

@@ -0,0 +1 @@
+import{z as e}from"zod";import{GraphQLScalarType as t}from"graphql";var n=class extends t{zodSchema;jsonSchemaDef;constructor(e){super(e),this.zodSchema=e.zod,this.jsonSchemaDef=e.jsonSchema}getZod(){return this.zodSchema}getPothos(){return this}getJson(){return typeof this.jsonSchemaDef==`function`?this.jsonSchemaDef():this.jsonSchemaDef}getJsonSchemaDef(){return this.jsonSchemaDef}getJsonSchema(){let e=t=>{let n=typeof t==`function`?t():t;if(Array.isArray(n))return n.map(t=>e(t));if(n&&typeof n==`object`){let t={};for(let[r,i]of Object.entries(n))t[r]=e(i);return t}return n};return e(this.getJson())}};export{n};

package/dist/schema/dist/ScalarTypeEnum.js

@@ -0,0 +1 @@
+import{n as e}from"./FieldType.js";import{z as t}from"zod";import{Kind as n}from"graphql";const r=/^[A-Za-z]{2}(?:-[A-Za-z0-9]{2,8})*$/,i=/^(?:UTC|[A-Za-z_]+\/[A-Za-z_]+)$/,a=/^[+]?\d[\d\s().-]{3,}$/,o=/^[A-Z]{3}$/,s=/^[A-Z]{2}$/,c=-180,l={String_unsecure:()=>new e({name:`String_unsecure`,description:`Unvalidated string scalar`,zod:t.string(),parseValue:e=>t.string().parse(e),serialize:e=>String(e),parseLiteral:e=>{if(e.kind!==n.STRING)throw TypeError(`Invalid literal`);return e.value},jsonSchema:{type:`string`}}),Int_unsecure:()=>new e({name:`Int_unsecure`,description:`Unvalidated integer scalar`,zod:t.number().int(),parseValue:e=>{let n=typeof e==`number`?e:Number(e);return t.number().int().parse(n)},serialize:e=>Math.trunc(typeof e==`number`?e:Number(e)),parseLiteral:e=>{if(e.kind!==n.INT)throw TypeError(`Invalid literal`);return Number(e.value)},jsonSchema:{type:`integer`}}),Float_unsecure:()=>new e({name:`Float_unsecure`,description:`Unvalidated float scalar`,zod:t.number(),parseValue:e=>{let n=typeof e==`number`?e:Number(e);return t.number().parse(n)},serialize:e=>Number(e),parseLiteral:e=>{if(e.kind!==n.FLOAT&&e.kind!==n.INT)throw TypeError(`Invalid literal`);return Number(e.value)},jsonSchema:{type:`number`}}),Boolean:()=>new e({name:`Boolean`,description:`Unvalidated boolean scalar`,zod:t.boolean(),parseValue:e=>t.coerce.boolean().parse(e),serialize:e=>!!e,parseLiteral:e=>{if(e.kind!==n.BOOLEAN)throw TypeError(`Invalid literal`);return e.value},jsonSchema:{type:`boolean`}}),ID:()=>new e({name:`ID`,description:`Unvalidated id scalar`,zod:t.string(),parseValue:e=>t.string().parse(e),serialize:e=>String(e),parseLiteral:e=>{if(e.kind!==n.STRING)throw TypeError(`Invalid literal`);return e.value},jsonSchema:{type:`string`}}),JSON:()=>new e({name:`JSON`,zod:t.any(),parseValue:e=>e,serialize:e=>e,jsonSchema:{}}),JSONObject:()=>new e({name:`JSONObject`,zod:t.record(t.string(),t.any()),parseValue:e=>t.record(t.string(),t.any()).parse(e),serialize:e=>e??{},jsonSchema:{type:`object`}}),Date:()=>new e({name:`Date`,zod:t.date(),parseValue:e=>e instanceof Date?e:new Date(String(e)),serialize:e=>e instanceof Date?e.toISOString().split(`T`)[0]:String(e),jsonSchema:{type:`string`,format:`date`}}),DateTime:()=>new e({name:`DateTime`,zod:t.date(),parseValue:e=>e instanceof Date?e:new Date(String(e)),serialize:e=>e instanceof Date?e.toISOString():String(e),jsonSchema:{type:`string`,format:`date-time`}}),Time:()=>new e({name:`Time`,zod:t.string().regex(/^\d{2}:\d{2}(:\d{2})?$/),parseValue:e=>t.string().regex(/^\d{2}:\d{2}(:\d{2})?$/).parse(e),serialize:e=>String(e),jsonSchema:{type:`string`,pattern:`^\\d{2}:\\d{2}(:\\d{2})?$`}}),EmailAddress:()=>new e({name:`EmailAddress`,zod:t.string().email(),parseValue:e=>t.string().email().parse(e),serialize:e=>String(e),jsonSchema:{type:`string`,format:`email`}}),URL:()=>new e({name:`URL`,zod:t.string().url(),parseValue:e=>t.string().url().parse(e),serialize:e=>String(e),jsonSchema:{type:`string`,format:`uri`}}),PhoneNumber:()=>new e({name:`PhoneNumber`,zod:t.string().regex(a),parseValue:e=>t.string().regex(a).parse(e),serialize:e=>String(e),jsonSchema:{type:`string`,pattern:a.source}}),NonEmptyString:()=>new e({name:`NonEmptyString`,zod:t.string().min(1),parseValue:e=>t.string().min(1).parse(e),serialize:e=>String(e),jsonSchema:{type:`string`,minLength:1}}),Locale:()=>new e({name:`Locale`,zod:t.string().regex(r),parseValue:e=>t.string().regex(r).parse(e),serialize:e=>String(e),jsonSchema:{type:`string`,pattern:r.source}}),TimeZone:()=>new e({name:`TimeZone`,zod:t.string().regex(i),parseValue:e=>t.string().regex(i).parse(e),serialize:e=>String(e),jsonSchema:{type:`string`,pattern:i.source}}),Latitude:()=>new e({name:`Latitude`,zod:t.number().min(-90).max(90),parseValue:e=>t.coerce.number().min(-90).max(90).parse(e),serialize:e=>Number(e),jsonSchema:{type:`number`,minimum:-90,maximum:90}}),Longitude:()=>new e({name:`Longitude`,zod:t.number().min(c).max(180),parseValue:e=>t.coerce.number().min(c).max(180).parse(e),serialize:e=>Number(e),jsonSchema:{type:`number`,minimum:c,maximum:180}}),Currency:()=>new e({name:`Currency`,zod:t.string().regex(o),parseValue:e=>t.string().regex(o).parse(e),serialize:e=>String(e),jsonSchema:{type:`string`,pattern:o.source}}),CountryCode:()=>new e({name:`CountryCode`,zod:t.string().regex(s),parseValue:e=>t.string().regex(s).parse(e),serialize:e=>String(e),jsonSchema:{type:`string`,pattern:s.source}})};export{l};

package/dist/schema/dist/SchemaModel.js

@@ -0,0 +1 @@
+import"./EnumType.js";import"./FieldType.js";import{z as e}from"zod";var t=class{constructor(e){this.config=e}getZod(){let t=Object.entries(this.config.fields).reduce((t,[n,r])=>{let i=r.type.getZod(),a=r.isArray?e.array(i):i;return t[n]=r.isOptional?a.optional():a,t},{});return e.object(t)}getPothosInput(){return this.config.name}};export{t};

package/dist/schema/dist/entity/defineEntity.js

@@ -0,0 +1 @@
+import{z as e}from"zod";function t(e){return e}function n(e){return e}const r={string(e){return{kind:`scalar`,type:`String`,...e}},int(e){return{kind:`scalar`,type:`Int`,...e}},float(e){return{kind:`scalar`,type:`Float`,...e}},boolean(e){return{kind:`scalar`,type:`Boolean`,...e}},dateTime(e){return{kind:`scalar`,type:`DateTime`,...e}},json(e){return{kind:`scalar`,type:`Json`,...e}},bigInt(e){return{kind:`scalar`,type:`BigInt`,...e}},decimal(e){return{kind:`scalar`,type:`Decimal`,...e}},bytes(e){return{kind:`scalar`,type:`Bytes`,...e}},id(e){return{kind:`scalar`,type:`String`,isId:!0,default:`cuid()`,...e}},uuid(e){return{kind:`scalar`,type:`String`,isId:!0,default:`uuid()`,...e}},autoIncrement(e){return{kind:`scalar`,type:`Int`,isId:!0,default:`autoincrement()`,...e}},createdAt(e){return{kind:`scalar`,type:`DateTime`,default:`now()`,...e}},updatedAt(e){return{kind:`scalar`,type:`DateTime`,updatedAt:!0,...e}},email(t){return{kind:`scalar`,type:`String`,zod:e.email(),...t}},url(t){return{kind:`scalar`,type:`String`,zod:e.url(),...t}},enum(e,t){return{kind:`enum`,enumName:e,...t}},inlineEnum(e,t,n){return{kind:`enum`,enumName:e,values:t,...n}},hasOne(e,t){return{kind:`relation`,type:`hasOne`,target:e,...t}},hasMany(e,t){return{kind:`relation`,type:`hasMany`,target:e,...t}},belongsTo(e,t,n,r){return{kind:`relation`,type:`belongsTo`,target:e,fields:t,references:n,...r}},foreignKey(e){return{kind:`scalar`,type:`String`,...e}}},i={on(e,t){return{fields:e,...t}},unique(e,t){return{fields:e,unique:!0,...t}},compound(e,t,n){return{fields:e,sort:t,...n}}};export{i,n,r,t};

package/dist/schema/dist/entity/index.js

@@ -0,0 +1 @@
+import{i as e,n as t,r as n,t as r}from"./defineEntity.js";import"./types.js";

package/dist/schema/dist/entity/types.js

@@ -0,0 +1 @@
+import{z as e}from"zod";

package/dist/schema/dist/index.js

@@ -0,0 +1 @@
+import"./EnumType.js";import{n as e}from"./FieldType.js";import{l as t}from"./ScalarTypeEnum.js";import{t as n}from"./SchemaModel.js";import{i as r,n as i,r as a,t as o}from"./entity/defineEntity.js";import"./entity/index.js";

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@lssm/lib.identity-rbac",
+  "version": "0.0.0-canary-20251206160926",
+  "description": "Identity, Organizations, and RBAC module for ContractSpec applications",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "type": "module",
+  "scripts": {
+    "publish:pkg": "bun publish --tolerate-republish --ignore-scripts --verbose",
+    "build": "bun build:bundle && bun build:types",
+    "build:bundle": "tsdown",
+    "build:types": "tsc --noEmit",
+    "dev": "bun build:bundle --watch",
+    "clean": "rimraf dist .turbo",
+    "lint": "bun lint:fix",
+    "lint:fix": "eslint src --fix",
+    "lint:check": "eslint src"
+  },
+  "dependencies": {
+    "@lssm/lib.schema": "workspace:*",
+    "@lssm/lib.contracts": "workspace:*",
+    "zod": "^4.1.13"
+  },
+  "devDependencies": {
+    "@lssm/tool.typescript": "workspace:*",
+    "@lssm/tool.tsdown": "workspace:*",
+    "typescript": "^5.9.3"
+  },
+  "exports": {
+    ".": "./dist/index.js",
+    "./contracts": "./dist/contracts/index.js",
+    "./contracts/organization": "./dist/contracts/organization.js",
+    "./contracts/rbac": "./dist/contracts/rbac.js",
+    "./contracts/user": "./dist/contracts/user.js",
+    "./entities": "./dist/entities/index.js",
+    "./entities/organization": "./dist/entities/organization.js",
+    "./entities/rbac": "./dist/entities/rbac.js",
+    "./entities/user": "./dist/entities/user.js",
+    "./events": "./dist/events.js",
+    "./policies": "./dist/policies/index.js",
+    "./policies/engine": "./dist/policies/engine.js",
+    "./*": "./*"
+  },
+  "module": "./dist/index.js",
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  }
+}