npm - @lssm/lib.identity-rbac - Versions diffs - 0.0.0-canary-20251217063201 → 0.0.0-canary-20251217072406 - Mend

@lssm/lib.identity-rbac 0.0.0-canary-20251217063201 → 0.0.0-canary-20251217072406

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (143) hide show

package/dist/identity-rbac.feature.js CHANGED Viewed

@@ -1 +1,186 @@
-const e={meta:{key:`identity-rbac`,title:`Identity & RBAC`,description:`User identity, organization management, and role-based access control`,domain:`platform`,owners:[`@platform.identity-rbac`],tags:[`identity`,`rbac`,`users`,`organizations`,`permissions`],stability:`stable`},operations:[{name:`identity.user.create`,version:1},{name:`identity.user.update`,version:1},{name:`identity.user.delete`,version:1},{name:`identity.user.me`,version:1},{name:`identity.user.list`,version:1},{name:`identity.org.create`,version:1},{name:`identity.org.update`,version:1},{name:`identity.org.get`,version:1},{name:`identity.org.list`,version:1},{name:`identity.org.invite`,version:1},{name:`identity.org.invite.accept`,version:1},{name:`identity.org.member.remove`,version:1},{name:`identity.org.members.list`,version:1},{name:`identity.rbac.role.create`,version:1},{name:`identity.rbac.role.update`,version:1},{name:`identity.rbac.role.delete`,version:1},{name:`identity.rbac.role.list`,version:1},{name:`identity.rbac.assign`,version:1},{name:`identity.rbac.revoke`,version:1},{name:`identity.rbac.check`,version:1},{name:`identity.rbac.permissions`,version:1}],events:[{name:`user.created`,version:1},{name:`user.updated`,version:1},{name:`user.deleted`,version:1},{name:`user.email_verified`,version:1},{name:`org.created`,version:1},{name:`org.updated`,version:1},{name:`org.deleted`,version:1},{name:`org.member.added`,version:1},{name:`org.member.removed`,version:1},{name:`org.member.role_changed`,version:1},{name:`org.invite.sent`,version:1},{name:`org.invite.accepted`,version:1},{name:`org.invite.declined`,version:1},{name:`role.assigned`,version:1},{name:`role.revoked`,version:1}],presentations:[],opToPresentation:[],presentationsTargets:[],capabilities:{provides:[{key:`identity`,version:1},{key:`rbac`,version:1}],requires:[]}};export{e as IdentityRbacFeature};
+//#region src/identity-rbac.feature.ts
+/**
+* Identity RBAC feature module that bundles user, organization,
+* and role-based access control capabilities.
+*/
+const IdentityRbacFeature = {
+	meta: {
+		key: "identity-rbac",
+		title: "Identity & RBAC",
+		description: "User identity, organization management, and role-based access control",
+		domain: "platform",
+		owners: ["@platform.identity-rbac"],
+		tags: [
+			"identity",
+			"rbac",
+			"users",
+			"organizations",
+			"permissions"
+		],
+		stability: "stable"
+	},
+	operations: [
+		{
+			name: "identity.user.create",
+			version: 1
+		},
+		{
+			name: "identity.user.update",
+			version: 1
+		},
+		{
+			name: "identity.user.delete",
+			version: 1
+		},
+		{
+			name: "identity.user.me",
+			version: 1
+		},
+		{
+			name: "identity.user.list",
+			version: 1
+		},
+		{
+			name: "identity.org.create",
+			version: 1
+		},
+		{
+			name: "identity.org.update",
+			version: 1
+		},
+		{
+			name: "identity.org.get",
+			version: 1
+		},
+		{
+			name: "identity.org.list",
+			version: 1
+		},
+		{
+			name: "identity.org.invite",
+			version: 1
+		},
+		{
+			name: "identity.org.invite.accept",
+			version: 1
+		},
+		{
+			name: "identity.org.member.remove",
+			version: 1
+		},
+		{
+			name: "identity.org.members.list",
+			version: 1
+		},
+		{
+			name: "identity.rbac.role.create",
+			version: 1
+		},
+		{
+			name: "identity.rbac.role.update",
+			version: 1
+		},
+		{
+			name: "identity.rbac.role.delete",
+			version: 1
+		},
+		{
+			name: "identity.rbac.role.list",
+			version: 1
+		},
+		{
+			name: "identity.rbac.assign",
+			version: 1
+		},
+		{
+			name: "identity.rbac.revoke",
+			version: 1
+		},
+		{
+			name: "identity.rbac.check",
+			version: 1
+		},
+		{
+			name: "identity.rbac.permissions",
+			version: 1
+		}
+	],
+	events: [
+		{
+			name: "user.created",
+			version: 1
+		},
+		{
+			name: "user.updated",
+			version: 1
+		},
+		{
+			name: "user.deleted",
+			version: 1
+		},
+		{
+			name: "user.email_verified",
+			version: 1
+		},
+		{
+			name: "org.created",
+			version: 1
+		},
+		{
+			name: "org.updated",
+			version: 1
+		},
+		{
+			name: "org.deleted",
+			version: 1
+		},
+		{
+			name: "org.member.added",
+			version: 1
+		},
+		{
+			name: "org.member.removed",
+			version: 1
+		},
+		{
+			name: "org.member.role_changed",
+			version: 1
+		},
+		{
+			name: "org.invite.sent",
+			version: 1
+		},
+		{
+			name: "org.invite.accepted",
+			version: 1
+		},
+		{
+			name: "org.invite.declined",
+			version: 1
+		},
+		{
+			name: "role.assigned",
+			version: 1
+		},
+		{
+			name: "role.revoked",
+			version: 1
+		}
+	],
+	presentations: [],
+	opToPresentation: [],
+	presentationsTargets: [],
+	capabilities: {
+		provides: [{
+			key: "identity",
+			version: 1
+		}, {
+			key: "rbac",
+			version: 1
+		}],
+		requires: []
+	}
+};
+//#endregion
+export { IdentityRbacFeature };

package/dist/index.js CHANGED Viewed

@@ -1 +1,14 @@
-import{IdentityRbacEvents as e,OrgCreatedEvent as t,OrgDeletedEvent as n,OrgInviteAcceptedEvent as r,OrgInviteDeclinedEvent as i,OrgInviteSentEvent as a,OrgMemberAddedEvent as o,OrgMemberRemovedEvent as s,OrgMemberRoleChangedEvent as c,OrgUpdatedEvent as l,RoleAssignedEvent as u,RoleRevokedEvent as d,UserCreatedEvent as f,UserDeletedEvent as p,UserEmailVerifiedEvent as m,UserUpdatedEvent as h}from"./events.js";import{IdentityRbacFeature as g}from"./identity-rbac.feature.js";import{AccountEntity as _,SessionEntity as v,UserEntity as y,VerificationEntity as b}from"./entities/user.js";import{InvitationEntity as x,MemberEntity as S,OrganizationEntity as C,OrganizationTypeEnum as w,TeamEntity as T,TeamMemberEntity as E}from"./entities/organization.js";import{ApiKeyEntity as D,PasskeyEntity as O,PermissionEntity as k,PolicyBindingEntity as A,RoleEntity as j}from"./entities/rbac.js";import{identityRbacEntities as M,identityRbacSchemaContribution as N}from"./entities/index.js";import{CreateUserContract as P,CreateUserInputModel as F,DeleteUserContract as I,DeleteUserInputModel as L,GetCurrentUserContract as R,ListUsersContract as z,ListUsersInputModel as B,ListUsersOutputModel as V,SuccessResultModel as H,UpdateUserContract as U,UpdateUserInputModel as W,UserDeletedPayloadModel as G,UserProfileModel as K}from"./contracts/user.js";import{AcceptInviteContract as q,AcceptInviteInputModel as J,CreateOrgContract as Y,CreateOrgInputModel as X,GetOrgContract as Z,GetOrgInputModel as Q,InvitationModel as $,InviteMemberContract as ee,InviteMemberInputModel as te,ListMembersContract as ne,ListMembersInputModel as re,ListMembersOutputModel as ie,ListUserOrgsContract as ae,ListUserOrgsOutputModel as oe,MemberModel as se,MemberRemovedPayloadModel as ce,MemberUserModel as le,OrganizationModel as ue,OrganizationWithRoleModel as de,RemoveMemberContract as fe,RemoveMemberInputModel as pe,UpdateOrgContract as me,UpdateOrgInputModel as he}from"./contracts/organization.js";import{AssignRoleContract as ge,AssignRoleInputModel as _e,BindingIdPayloadModel as ve,CheckPermissionContract as ye,CheckPermissionInputModel as be,CreateRoleContract as xe,CreateRoleInputModel as Se,DeleteRoleContract as Ce,DeleteRoleInputModel as we,ListRolesContract as Te,ListRolesOutputModel as Ee,ListUserPermissionsContract as De,ListUserPermissionsInputModel as Oe,ListUserPermissionsOutputModel as ke,PermissionCheckResultModel as Ae,PolicyBindingModel as je,RevokeRoleContract as Me,RevokeRoleInputModel as Ne,RoleModel as Pe,UpdateRoleContract as Fe,UpdateRoleInputModel as Ie}from"./contracts/rbac.js";import"./contracts/index.js";import{Permission as Le,RBACPolicyEngine as Re,StandardRole as ze,createRBACEngine as Be}from"./policies/engine.js";import"./policies/index.js";export{q as AcceptInviteContract,J as AcceptInviteInputModel,_ as AccountEntity,D as ApiKeyEntity,ge as AssignRoleContract,_e as AssignRoleInputModel,ve as BindingIdPayloadModel,ye as CheckPermissionContract,be as CheckPermissionInputModel,Y as CreateOrgContract,X as CreateOrgInputModel,xe as CreateRoleContract,Se as CreateRoleInputModel,P as CreateUserContract,F as CreateUserInputModel,Ce as DeleteRoleContract,we as DeleteRoleInputModel,I as DeleteUserContract,L as DeleteUserInputModel,R as GetCurrentUserContract,Z as GetOrgContract,Q as GetOrgInputModel,e as IdentityRbacEvents,g as IdentityRbacFeature,x as InvitationEntity,$ as InvitationModel,ee as InviteMemberContract,te as InviteMemberInputModel,ne as ListMembersContract,re as ListMembersInputModel,ie as ListMembersOutputModel,Te as ListRolesContract,Ee as ListRolesOutputModel,ae as ListUserOrgsContract,oe as ListUserOrgsOutputModel,De as ListUserPermissionsContract,Oe as ListUserPermissionsInputModel,ke as ListUserPermissionsOutputModel,z as ListUsersContract,B as ListUsersInputModel,V as ListUsersOutputModel,S as MemberEntity,se as MemberModel,ce as MemberRemovedPayloadModel,le as MemberUserModel,t as OrgCreatedEvent,n as OrgDeletedEvent,r as OrgInviteAcceptedEvent,i as OrgInviteDeclinedEvent,a as OrgInviteSentEvent,o as OrgMemberAddedEvent,s as OrgMemberRemovedEvent,c as OrgMemberRoleChangedEvent,l as OrgUpdatedEvent,C as OrganizationEntity,ue as OrganizationModel,w as OrganizationTypeEnum,de as OrganizationWithRoleModel,O as PasskeyEntity,Le as Permission,Ae as PermissionCheckResultModel,k as PermissionEntity,A as PolicyBindingEntity,je as PolicyBindingModel,Re as RBACPolicyEngine,fe as RemoveMemberContract,pe as RemoveMemberInputModel,Me as RevokeRoleContract,Ne as RevokeRoleInputModel,u as RoleAssignedEvent,j as RoleEntity,Pe as RoleModel,d as RoleRevokedEvent,v as SessionEntity,ze as StandardRole,H as SuccessResultModel,T as TeamEntity,E as TeamMemberEntity,me as UpdateOrgContract,he as UpdateOrgInputModel,Fe as UpdateRoleContract,Ie as UpdateRoleInputModel,U as UpdateUserContract,W as UpdateUserInputModel,f as UserCreatedEvent,p as UserDeletedEvent,G as UserDeletedPayloadModel,m as UserEmailVerifiedEvent,y as UserEntity,K as UserProfileModel,h as UserUpdatedEvent,b as VerificationEntity,Be as createRBACEngine,M as identityRbacEntities,N as identityRbacSchemaContribution};
+import { IdentityRbacEvents, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, RoleAssignedEvent, RoleRevokedEvent, UserCreatedEvent, UserDeletedEvent, UserEmailVerifiedEvent, UserUpdatedEvent } from "./events.js";
+import { IdentityRbacFeature } from "./identity-rbac.feature.js";
+import { AccountEntity, SessionEntity, UserEntity, VerificationEntity } from "./entities/user.js";
+import { InvitationEntity, MemberEntity, OrganizationEntity, OrganizationTypeEnum, TeamEntity, TeamMemberEntity } from "./entities/organization.js";
+import { ApiKeyEntity, PasskeyEntity, PermissionEntity, PolicyBindingEntity, RoleEntity } from "./entities/rbac.js";
+import { identityRbacEntities, identityRbacSchemaContribution } from "./entities/index.js";
+import { CreateUserContract, CreateUserInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, SuccessResultModel, UpdateUserContract, UpdateUserInputModel, UserDeletedPayloadModel, UserProfileModel } from "./contracts/user.js";
+import { AcceptInviteContract, AcceptInviteInputModel, CreateOrgContract, CreateOrgInputModel, GetOrgContract, GetOrgInputModel, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrganizationModel, OrganizationWithRoleModel, RemoveMemberContract, RemoveMemberInputModel, UpdateOrgContract, UpdateOrgInputModel } from "./contracts/organization.js";
+import { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel } from "./contracts/rbac.js";
+import "./contracts/index.js";
+import { Permission, RBACPolicyEngine, StandardRole, createRBACEngine } from "./policies/engine.js";
+import "./policies/index.js";
+export { AcceptInviteContract, AcceptInviteInputModel, AccountEntity, ApiKeyEntity, AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateOrgContract, CreateOrgInputModel, CreateRoleContract, CreateRoleInputModel, CreateUserContract, CreateUserInputModel, DeleteRoleContract, DeleteRoleInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, GetOrgContract, GetOrgInputModel, IdentityRbacEvents, IdentityRbacFeature, InvitationEntity, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListRolesContract, ListRolesOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, MemberEntity, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, OrganizationEntity, OrganizationModel, OrganizationTypeEnum, OrganizationWithRoleModel, PasskeyEntity, Permission, PermissionCheckResultModel, PermissionEntity, PolicyBindingEntity, PolicyBindingModel, RBACPolicyEngine, RemoveMemberContract, RemoveMemberInputModel, RevokeRoleContract, RevokeRoleInputModel, RoleAssignedEvent, RoleEntity, RoleModel, RoleRevokedEvent, SessionEntity, StandardRole, SuccessResultModel, TeamEntity, TeamMemberEntity, UpdateOrgContract, UpdateOrgInputModel, UpdateRoleContract, UpdateRoleInputModel, UpdateUserContract, UpdateUserInputModel, UserCreatedEvent, UserDeletedEvent, UserDeletedPayloadModel, UserEmailVerifiedEvent, UserEntity, UserProfileModel, UserUpdatedEvent, VerificationEntity, createRBACEngine, identityRbacEntities, identityRbacSchemaContribution };

package/dist/policies/engine.js CHANGED Viewed

@@ -1 +1,167 @@
-const e={USER_CREATE:`user.create`,USER_READ:`user.read`,USER_UPDATE:`user.update`,USER_DELETE:`user.delete`,USER_LIST:`user.list`,USER_MANAGE:`user.manage`,ORG_CREATE:`org.create`,ORG_READ:`org.read`,ORG_UPDATE:`org.update`,ORG_DELETE:`org.delete`,ORG_LIST:`org.list`,MEMBER_INVITE:`member.invite`,MEMBER_REMOVE:`member.remove`,MEMBER_UPDATE_ROLE:`member.update_role`,MEMBER_LIST:`member.list`,MANAGE_MEMBERS:`org.manage_members`,TEAM_CREATE:`team.create`,TEAM_UPDATE:`team.update`,TEAM_DELETE:`team.delete`,TEAM_MANAGE:`team.manage`,ROLE_CREATE:`role.create`,ROLE_UPDATE:`role.update`,ROLE_DELETE:`role.delete`,ROLE_ASSIGN:`role.assign`,ROLE_REVOKE:`role.revoke`,BILLING_VIEW:`billing.view`,BILLING_MANAGE:`billing.manage`,PROJECT_CREATE:`project.create`,PROJECT_READ:`project.read`,PROJECT_UPDATE:`project.update`,PROJECT_DELETE:`project.delete`,PROJECT_MANAGE:`project.manage`,ADMIN_ACCESS:`admin.access`,ADMIN_IMPERSONATE:`admin.impersonate`},t={OWNER:{name:`owner`,description:`Organization owner with full access`,permissions:Object.values(e)},ADMIN:{name:`admin`,description:`Administrator with most permissions`,permissions:[e.USER_READ,e.USER_LIST,e.ORG_READ,e.ORG_UPDATE,e.MEMBER_INVITE,e.MEMBER_REMOVE,e.MEMBER_UPDATE_ROLE,e.MEMBER_LIST,e.MANAGE_MEMBERS,e.TEAM_CREATE,e.TEAM_UPDATE,e.TEAM_DELETE,e.TEAM_MANAGE,e.PROJECT_CREATE,e.PROJECT_READ,e.PROJECT_UPDATE,e.PROJECT_DELETE,e.PROJECT_MANAGE,e.BILLING_VIEW]},MEMBER:{name:`member`,description:`Regular organization member`,permissions:[e.USER_READ,e.ORG_READ,e.MEMBER_LIST,e.PROJECT_READ,e.PROJECT_CREATE]},VIEWER:{name:`viewer`,description:`Read-only access`,permissions:[e.USER_READ,e.ORG_READ,e.MEMBER_LIST,e.PROJECT_READ]}};var n=class{roleCache=new Map;bindingCache=new Map;async checkPermission(e,t){let{userId:n,orgId:r,permission:i}=e,a=new Date,o=t.filter(e=>e.targetType===`user`&&e.targetId===n),s=r?t.filter(e=>e.targetType===`organization`&&e.targetId===r):[],c=[...o,...s].filter(e=>!e.expiresAt||e.expiresAt>a);if(c.length===0)return{allowed:!1,reason:`No active role bindings found`};for(let e of c)if(e.role.permissions.includes(i))return{allowed:!0,matchedRole:e.role.name};return{allowed:!1,reason:`No role grants the "${i}" permission`}}async getPermissions(e,t,n){let r=new Date,i=n.filter(t=>t.targetType===`user`&&t.targetId===e),a=t?n.filter(e=>e.targetType===`organization`&&e.targetId===t):[],o=[...i,...a].filter(e=>!e.expiresAt||e.expiresAt>r),s=new Set,c=[];for(let e of o){c.push(e.role);for(let t of e.role.permissions)s.add(t)}return{permissions:s,roles:c}}async hasAnyPermission(e,t,n,r){let{permissions:i}=await this.getPermissions(e,t,r);return n.some(e=>i.has(e))}async hasAllPermissions(e,t,n,r){let{permissions:i}=await this.getPermissions(e,t,r);return n.every(e=>i.has(e))}};function r(){return new n}export{e as Permission,n as RBACPolicyEngine,t as StandardRole,r as createRBACEngine};
+//#region src/policies/engine.ts
+/**
+* Standard permissions for identity-rbac module.
+*/
+const Permission = {
+	USER_CREATE: "user.create",
+	USER_READ: "user.read",
+	USER_UPDATE: "user.update",
+	USER_DELETE: "user.delete",
+	USER_LIST: "user.list",
+	USER_MANAGE: "user.manage",
+	ORG_CREATE: "org.create",
+	ORG_READ: "org.read",
+	ORG_UPDATE: "org.update",
+	ORG_DELETE: "org.delete",
+	ORG_LIST: "org.list",
+	MEMBER_INVITE: "member.invite",
+	MEMBER_REMOVE: "member.remove",
+	MEMBER_UPDATE_ROLE: "member.update_role",
+	MEMBER_LIST: "member.list",
+	MANAGE_MEMBERS: "org.manage_members",
+	TEAM_CREATE: "team.create",
+	TEAM_UPDATE: "team.update",
+	TEAM_DELETE: "team.delete",
+	TEAM_MANAGE: "team.manage",
+	ROLE_CREATE: "role.create",
+	ROLE_UPDATE: "role.update",
+	ROLE_DELETE: "role.delete",
+	ROLE_ASSIGN: "role.assign",
+	ROLE_REVOKE: "role.revoke",
+	BILLING_VIEW: "billing.view",
+	BILLING_MANAGE: "billing.manage",
+	PROJECT_CREATE: "project.create",
+	PROJECT_READ: "project.read",
+	PROJECT_UPDATE: "project.update",
+	PROJECT_DELETE: "project.delete",
+	PROJECT_MANAGE: "project.manage",
+	ADMIN_ACCESS: "admin.access",
+	ADMIN_IMPERSONATE: "admin.impersonate"
+};
+/**
+* Standard role definitions.
+*/
+const StandardRole = {
+	OWNER: {
+		name: "owner",
+		description: "Organization owner with full access",
+		permissions: Object.values(Permission)
+	},
+	ADMIN: {
+		name: "admin",
+		description: "Administrator with most permissions",
+		permissions: [
+			Permission.USER_READ,
+			Permission.USER_LIST,
+			Permission.ORG_READ,
+			Permission.ORG_UPDATE,
+			Permission.MEMBER_INVITE,
+			Permission.MEMBER_REMOVE,
+			Permission.MEMBER_UPDATE_ROLE,
+			Permission.MEMBER_LIST,
+			Permission.MANAGE_MEMBERS,
+			Permission.TEAM_CREATE,
+			Permission.TEAM_UPDATE,
+			Permission.TEAM_DELETE,
+			Permission.TEAM_MANAGE,
+			Permission.PROJECT_CREATE,
+			Permission.PROJECT_READ,
+			Permission.PROJECT_UPDATE,
+			Permission.PROJECT_DELETE,
+			Permission.PROJECT_MANAGE,
+			Permission.BILLING_VIEW
+		]
+	},
+	MEMBER: {
+		name: "member",
+		description: "Regular organization member",
+		permissions: [
+			Permission.USER_READ,
+			Permission.ORG_READ,
+			Permission.MEMBER_LIST,
+			Permission.PROJECT_READ,
+			Permission.PROJECT_CREATE
+		]
+	},
+	VIEWER: {
+		name: "viewer",
+		description: "Read-only access",
+		permissions: [
+			Permission.USER_READ,
+			Permission.ORG_READ,
+			Permission.MEMBER_LIST,
+			Permission.PROJECT_READ
+		]
+	}
+};
+/**
+* RBAC Policy Engine for permission checks.
+*/
+var RBACPolicyEngine = class {
+	roleCache = /* @__PURE__ */ new Map();
+	bindingCache = /* @__PURE__ */ new Map();
+	/**
+	* Check if a user has a specific permission.
+	*/
+	async checkPermission(input, bindings) {
+		const { userId, orgId, permission } = input;
+		const now = /* @__PURE__ */ new Date();
+		const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+		const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+		const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
+		if (activeBindings.length === 0) return {
+			allowed: false,
+			reason: "No active role bindings found"
+		};
+		for (const binding of activeBindings) if (binding.role.permissions.includes(permission)) return {
+			allowed: true,
+			matchedRole: binding.role.name
+		};
+		return {
+			allowed: false,
+			reason: `No role grants the "${permission}" permission`
+		};
+	}
+	/**
+	* Get all permissions for a user in a context.
+	*/
+	async getPermissions(userId, orgId, bindings) {
+		const now = /* @__PURE__ */ new Date();
+		const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+		const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+		const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
+		const permissions = /* @__PURE__ */ new Set();
+		const roles = [];
+		for (const binding of activeBindings) {
+			roles.push(binding.role);
+			for (const perm of binding.role.permissions) permissions.add(perm);
+		}
+		return {
+			permissions,
+			roles
+		};
+	}
+	/**
+	* Check if user has any of the specified permissions.
+	*/
+	async hasAnyPermission(userId, orgId, permissions, bindings) {
+		const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+		return permissions.some((p) => userPerms.has(p));
+	}
+	/**
+	* Check if user has all of the specified permissions.
+	*/
+	async hasAllPermissions(userId, orgId, permissions, bindings) {
+		const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+		return permissions.every((p) => userPerms.has(p));
+	}
+};
+/**
+* Create a new RBAC policy engine instance.
+*/
+function createRBACEngine() {
+	return new RBACPolicyEngine();
+}
+//#endregion
+export { Permission, RBACPolicyEngine, StandardRole, createRBACEngine };

package/dist/policies/index.js CHANGED Viewed

@@ -1 +1,3 @@
-import{Permission as e,RBACPolicyEngine as t,StandardRole as n,createRBACEngine as r}from"./engine.js";export{e as Permission,t as RBACPolicyEngine,n as StandardRole,r as createRBACEngine};
+import { Permission, RBACPolicyEngine, StandardRole, createRBACEngine } from "./engine.js";
+export { Permission, RBACPolicyEngine, StandardRole, createRBACEngine };

package/dist/schema/dist/EnumType.js CHANGED Viewed

@@ -1 +1,2 @@
-import"zod";import"graphql";
+import "zod";
+import "graphql";

package/dist/schema/dist/FieldType.js CHANGED Viewed

@@ -1 +1,49 @@
-import"zod";import{GraphQLScalarType as e}from"graphql";var t=class extends e{zodSchema;jsonSchemaDef;constructor(e){super(e),this.zodSchema=e.zod,this.jsonSchemaDef=e.jsonSchema}getZod(){return this.zodSchema}getPothos(){return this}getJson(){return typeof this.jsonSchemaDef==`function`?this.jsonSchemaDef():this.jsonSchemaDef}getJsonSchemaDef(){return this.jsonSchemaDef}getJsonSchema(){let e=t=>{let n=typeof t==`function`?t():t;if(Array.isArray(n))return n.map(t=>e(t));if(n&&typeof n==`object`){let t={};for(let[r,i]of Object.entries(n))t[r]=e(i);return t}return n};return e(this.getJson())}};export{t};
+import "zod";
+import { GraphQLScalarType } from "graphql";
+//#region ../schema/dist/FieldType.js
+/**
+* GraphQL scalar wrapper that carries zod and JSON Schema metadata.
+*
+* TInternal is the runtime representation; TExternal is the GraphQL output.
+*/
+var FieldType = class extends GraphQLScalarType {
+	zodSchema;
+	jsonSchemaDef;
+	constructor(config) {
+		super(config);
+		this.zodSchema = config.zod;
+		this.jsonSchemaDef = config.jsonSchema;
+	}
+	/** Return the attached zod schema for validation. */
+	getZod() {
+		return this.zodSchema;
+	}
+	/** GraphQL scalar instance usable by Pothos or vanilla GraphQL. */
+	getPothos() {
+		return this;
+	}
+	/** Return the JSON Schema (evaluates factory if provided). */
+	getJson() {
+		return typeof this.jsonSchemaDef === "function" ? this.jsonSchemaDef() : this.jsonSchemaDef;
+	}
+	getJsonSchemaDef() {
+		return this.jsonSchemaDef;
+	}
+	getJsonSchema() {
+		const deepResolve = (v) => {
+			const value = typeof v === "function" ? v() : v;
+			if (Array.isArray(value)) return value.map((item) => deepResolve(item));
+			if (value && typeof value === "object") {
+				const obj = {};
+				for (const [k, val] of Object.entries(value)) obj[k] = deepResolve(val);
+				return obj;
+			}
+			return value;
+		};
+		return deepResolve(this.getJson());
+	}
+};
+//#endregion
+export { FieldType };