@lssm/lib.identity-rbac 0.0.0-canary-20251217080011 → 1.41.0

package/dist/identity-rbac.feature.js

@@ -1,186 +1 @@
-//#region src/identity-rbac.feature.ts
-/**
-* Identity RBAC feature module that bundles user, organization,
-* and role-based access control capabilities.
-*/
-const IdentityRbacFeature = {
-	meta: {
-		key: "identity-rbac",
-		title: "Identity & RBAC",
-		description: "User identity, organization management, and role-based access control",
-		domain: "platform",
-		owners: ["@platform.identity-rbac"],
-		tags: [
-			"identity",
-			"rbac",
-			"users",
-			"organizations",
-			"permissions"
-		],
-		stability: "stable"
-	},
-	operations: [
-		{
-			name: "identity.user.create",
-			version: 1
-		},
-		{
-			name: "identity.user.update",
-			version: 1
-		},
-		{
-			name: "identity.user.delete",
-			version: 1
-		},
-		{
-			name: "identity.user.me",
-			version: 1
-		},
-		{
-			name: "identity.user.list",
-			version: 1
-		},
-		{
-			name: "identity.org.create",
-			version: 1
-		},
-		{
-			name: "identity.org.update",
-			version: 1
-		},
-		{
-			name: "identity.org.get",
-			version: 1
-		},
-		{
-			name: "identity.org.list",
-			version: 1
-		},
-		{
-			name: "identity.org.invite",
-			version: 1
-		},
-		{
-			name: "identity.org.invite.accept",
-			version: 1
-		},
-		{
-			name: "identity.org.member.remove",
-			version: 1
-		},
-		{
-			name: "identity.org.members.list",
-			version: 1
-		},
-		{
-			name: "identity.rbac.role.create",
-			version: 1
-		},
-		{
-			name: "identity.rbac.role.update",
-			version: 1
-		},
-		{
-			name: "identity.rbac.role.delete",
-			version: 1
-		},
-		{
-			name: "identity.rbac.role.list",
-			version: 1
-		},
-		{
-			name: "identity.rbac.assign",
-			version: 1
-		},
-		{
-			name: "identity.rbac.revoke",
-			version: 1
-		},
-		{
-			name: "identity.rbac.check",
-			version: 1
-		},
-		{
-			name: "identity.rbac.permissions",
-			version: 1
-		}
-	],
-	events: [
-		{
-			name: "user.created",
-			version: 1
-		},
-		{
-			name: "user.updated",
-			version: 1
-		},
-		{
-			name: "user.deleted",
-			version: 1
-		},
-		{
-			name: "user.email_verified",
-			version: 1
-		},
-		{
-			name: "org.created",
-			version: 1
-		},
-		{
-			name: "org.updated",
-			version: 1
-		},
-		{
-			name: "org.deleted",
-			version: 1
-		},
-		{
-			name: "org.member.added",
-			version: 1
-		},
-		{
-			name: "org.member.removed",
-			version: 1
-		},
-		{
-			name: "org.member.role_changed",
-			version: 1
-		},
-		{
-			name: "org.invite.sent",
-			version: 1
-		},
-		{
-			name: "org.invite.accepted",
-			version: 1
-		},
-		{
-			name: "org.invite.declined",
-			version: 1
-		},
-		{
-			name: "role.assigned",
-			version: 1
-		},
-		{
-			name: "role.revoked",
-			version: 1
-		}
-	],
-	presentations: [],
-	opToPresentation: [],
-	presentationsTargets: [],
-	capabilities: {
-		provides: [{
-			key: "identity",
-			version: 1
-		}, {
-			key: "rbac",
-			version: 1
-		}],
-		requires: []
-	}
-};
-
-//#endregion
-export { IdentityRbacFeature };
+const e={meta:{key:`identity-rbac`,title:`Identity & RBAC`,description:`User identity, organization management, and role-based access control`,domain:`platform`,owners:[`@platform.identity-rbac`],tags:[`identity`,`rbac`,`users`,`organizations`,`permissions`],stability:`stable`},operations:[{name:`identity.user.create`,version:1},{name:`identity.user.update`,version:1},{name:`identity.user.delete`,version:1},{name:`identity.user.me`,version:1},{name:`identity.user.list`,version:1},{name:`identity.org.create`,version:1},{name:`identity.org.update`,version:1},{name:`identity.org.get`,version:1},{name:`identity.org.list`,version:1},{name:`identity.org.invite`,version:1},{name:`identity.org.invite.accept`,version:1},{name:`identity.org.member.remove`,version:1},{name:`identity.org.members.list`,version:1},{name:`identity.rbac.role.create`,version:1},{name:`identity.rbac.role.update`,version:1},{name:`identity.rbac.role.delete`,version:1},{name:`identity.rbac.role.list`,version:1},{name:`identity.rbac.assign`,version:1},{name:`identity.rbac.revoke`,version:1},{name:`identity.rbac.check`,version:1},{name:`identity.rbac.permissions`,version:1}],events:[{name:`user.created`,version:1},{name:`user.updated`,version:1},{name:`user.deleted`,version:1},{name:`user.email_verified`,version:1},{name:`org.created`,version:1},{name:`org.updated`,version:1},{name:`org.deleted`,version:1},{name:`org.member.added`,version:1},{name:`org.member.removed`,version:1},{name:`org.member.role_changed`,version:1},{name:`org.invite.sent`,version:1},{name:`org.invite.accepted`,version:1},{name:`org.invite.declined`,version:1},{name:`role.assigned`,version:1},{name:`role.revoked`,version:1}],presentations:[],opToPresentation:[],presentationsTargets:[],capabilities:{provides:[{key:`identity`,version:1},{key:`rbac`,version:1}],requires:[]}};export{e as IdentityRbacFeature};

package/dist/index.js

@@ -1,14 +1 @@
-import { IdentityRbacEvents, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, RoleAssignedEvent, RoleRevokedEvent, UserCreatedEvent, UserDeletedEvent, UserEmailVerifiedEvent, UserUpdatedEvent } from "./events.js";
-import { IdentityRbacFeature } from "./identity-rbac.feature.js";
-import { AccountEntity, SessionEntity, UserEntity, VerificationEntity } from "./entities/user.js";
-import { InvitationEntity, MemberEntity, OrganizationEntity, OrganizationTypeEnum, TeamEntity, TeamMemberEntity } from "./entities/organization.js";
-import { ApiKeyEntity, PasskeyEntity, PermissionEntity, PolicyBindingEntity, RoleEntity } from "./entities/rbac.js";
-import { identityRbacEntities, identityRbacSchemaContribution } from "./entities/index.js";
-import { CreateUserContract, CreateUserInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, SuccessResultModel, UpdateUserContract, UpdateUserInputModel, UserDeletedPayloadModel, UserProfileModel } from "./contracts/user.js";
-import { AcceptInviteContract, AcceptInviteInputModel, CreateOrgContract, CreateOrgInputModel, GetOrgContract, GetOrgInputModel, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrganizationModel, OrganizationWithRoleModel, RemoveMemberContract, RemoveMemberInputModel, UpdateOrgContract, UpdateOrgInputModel } from "./contracts/organization.js";
-import { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel } from "./contracts/rbac.js";
-import "./contracts/index.js";
-import { Permission, RBACPolicyEngine, StandardRole, createRBACEngine } from "./policies/engine.js";
-import "./policies/index.js";
-
-export { AcceptInviteContract, AcceptInviteInputModel, AccountEntity, ApiKeyEntity, AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateOrgContract, CreateOrgInputModel, CreateRoleContract, CreateRoleInputModel, CreateUserContract, CreateUserInputModel, DeleteRoleContract, DeleteRoleInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, GetOrgContract, GetOrgInputModel, IdentityRbacEvents, IdentityRbacFeature, InvitationEntity, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListRolesContract, ListRolesOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, MemberEntity, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrgCreatedEvent, OrgDeletedEvent, OrgInviteAcceptedEvent, OrgInviteDeclinedEvent, OrgInviteSentEvent, OrgMemberAddedEvent, OrgMemberRemovedEvent, OrgMemberRoleChangedEvent, OrgUpdatedEvent, OrganizationEntity, OrganizationModel, OrganizationTypeEnum, OrganizationWithRoleModel, PasskeyEntity, Permission, PermissionCheckResultModel, PermissionEntity, PolicyBindingEntity, PolicyBindingModel, RBACPolicyEngine, RemoveMemberContract, RemoveMemberInputModel, RevokeRoleContract, RevokeRoleInputModel, RoleAssignedEvent, RoleEntity, RoleModel, RoleRevokedEvent, SessionEntity, StandardRole, SuccessResultModel, TeamEntity, TeamMemberEntity, UpdateOrgContract, UpdateOrgInputModel, UpdateRoleContract, UpdateRoleInputModel, UpdateUserContract, UpdateUserInputModel, UserCreatedEvent, UserDeletedEvent, UserDeletedPayloadModel, UserEmailVerifiedEvent, UserEntity, UserProfileModel, UserUpdatedEvent, VerificationEntity, createRBACEngine, identityRbacEntities, identityRbacSchemaContribution };
+import{IdentityRbacEvents as e,OrgCreatedEvent as t,OrgDeletedEvent as n,OrgInviteAcceptedEvent as r,OrgInviteDeclinedEvent as i,OrgInviteSentEvent as a,OrgMemberAddedEvent as o,OrgMemberRemovedEvent as s,OrgMemberRoleChangedEvent as c,OrgUpdatedEvent as l,RoleAssignedEvent as u,RoleRevokedEvent as d,UserCreatedEvent as f,UserDeletedEvent as p,UserEmailVerifiedEvent as m,UserUpdatedEvent as h}from"./events.js";import{IdentityRbacFeature as g}from"./identity-rbac.feature.js";import{AccountEntity as _,SessionEntity as v,UserEntity as y,VerificationEntity as b}from"./entities/user.js";import{InvitationEntity as x,MemberEntity as S,OrganizationEntity as C,OrganizationTypeEnum as w,TeamEntity as T,TeamMemberEntity as E}from"./entities/organization.js";import{ApiKeyEntity as D,PasskeyEntity as O,PermissionEntity as k,PolicyBindingEntity as A,RoleEntity as j}from"./entities/rbac.js";import{identityRbacEntities as M,identityRbacSchemaContribution as N}from"./entities/index.js";import{CreateUserContract as P,CreateUserInputModel as F,DeleteUserContract as I,DeleteUserInputModel as L,GetCurrentUserContract as R,ListUsersContract as z,ListUsersInputModel as B,ListUsersOutputModel as V,SuccessResultModel as H,UpdateUserContract as U,UpdateUserInputModel as W,UserDeletedPayloadModel as G,UserProfileModel as K}from"./contracts/user.js";import{AcceptInviteContract as q,AcceptInviteInputModel as J,CreateOrgContract as Y,CreateOrgInputModel as X,GetOrgContract as Z,GetOrgInputModel as Q,InvitationModel as $,InviteMemberContract as ee,InviteMemberInputModel as te,ListMembersContract as ne,ListMembersInputModel as re,ListMembersOutputModel as ie,ListUserOrgsContract as ae,ListUserOrgsOutputModel as oe,MemberModel as se,MemberRemovedPayloadModel as ce,MemberUserModel as le,OrganizationModel as ue,OrganizationWithRoleModel as de,RemoveMemberContract as fe,RemoveMemberInputModel as pe,UpdateOrgContract as me,UpdateOrgInputModel as he}from"./contracts/organization.js";import{AssignRoleContract as ge,AssignRoleInputModel as _e,BindingIdPayloadModel as ve,CheckPermissionContract as ye,CheckPermissionInputModel as be,CreateRoleContract as xe,CreateRoleInputModel as Se,DeleteRoleContract as Ce,DeleteRoleInputModel as we,ListRolesContract as Te,ListRolesOutputModel as Ee,ListUserPermissionsContract as De,ListUserPermissionsInputModel as Oe,ListUserPermissionsOutputModel as ke,PermissionCheckResultModel as Ae,PolicyBindingModel as je,RevokeRoleContract as Me,RevokeRoleInputModel as Ne,RoleModel as Pe,UpdateRoleContract as Fe,UpdateRoleInputModel as Ie}from"./contracts/rbac.js";import"./contracts/index.js";import{Permission as Le,RBACPolicyEngine as Re,StandardRole as ze,createRBACEngine as Be}from"./policies/engine.js";import"./policies/index.js";export{q as AcceptInviteContract,J as AcceptInviteInputModel,_ as AccountEntity,D as ApiKeyEntity,ge as AssignRoleContract,_e as AssignRoleInputModel,ve as BindingIdPayloadModel,ye as CheckPermissionContract,be as CheckPermissionInputModel,Y as CreateOrgContract,X as CreateOrgInputModel,xe as CreateRoleContract,Se as CreateRoleInputModel,P as CreateUserContract,F as CreateUserInputModel,Ce as DeleteRoleContract,we as DeleteRoleInputModel,I as DeleteUserContract,L as DeleteUserInputModel,R as GetCurrentUserContract,Z as GetOrgContract,Q as GetOrgInputModel,e as IdentityRbacEvents,g as IdentityRbacFeature,x as InvitationEntity,$ as InvitationModel,ee as InviteMemberContract,te as InviteMemberInputModel,ne as ListMembersContract,re as ListMembersInputModel,ie as ListMembersOutputModel,Te as ListRolesContract,Ee as ListRolesOutputModel,ae as ListUserOrgsContract,oe as ListUserOrgsOutputModel,De as ListUserPermissionsContract,Oe as ListUserPermissionsInputModel,ke as ListUserPermissionsOutputModel,z as ListUsersContract,B as ListUsersInputModel,V as ListUsersOutputModel,S as MemberEntity,se as MemberModel,ce as MemberRemovedPayloadModel,le as MemberUserModel,t as OrgCreatedEvent,n as OrgDeletedEvent,r as OrgInviteAcceptedEvent,i as OrgInviteDeclinedEvent,a as OrgInviteSentEvent,o as OrgMemberAddedEvent,s as OrgMemberRemovedEvent,c as OrgMemberRoleChangedEvent,l as OrgUpdatedEvent,C as OrganizationEntity,ue as OrganizationModel,w as OrganizationTypeEnum,de as OrganizationWithRoleModel,O as PasskeyEntity,Le as Permission,Ae as PermissionCheckResultModel,k as PermissionEntity,A as PolicyBindingEntity,je as PolicyBindingModel,Re as RBACPolicyEngine,fe as RemoveMemberContract,pe as RemoveMemberInputModel,Me as RevokeRoleContract,Ne as RevokeRoleInputModel,u as RoleAssignedEvent,j as RoleEntity,Pe as RoleModel,d as RoleRevokedEvent,v as SessionEntity,ze as StandardRole,H as SuccessResultModel,T as TeamEntity,E as TeamMemberEntity,me as UpdateOrgContract,he as UpdateOrgInputModel,Fe as UpdateRoleContract,Ie as UpdateRoleInputModel,U as UpdateUserContract,W as UpdateUserInputModel,f as UserCreatedEvent,p as UserDeletedEvent,G as UserDeletedPayloadModel,m as UserEmailVerifiedEvent,y as UserEntity,K as UserProfileModel,h as UserUpdatedEvent,b as VerificationEntity,Be as createRBACEngine,M as identityRbacEntities,N as identityRbacSchemaContribution};

package/dist/policies/engine.js

@@ -1,167 +1 @@
-//#region src/policies/engine.ts
-/**
-* Standard permissions for identity-rbac module.
-*/
-const Permission = {
-	USER_CREATE: "user.create",
-	USER_READ: "user.read",
-	USER_UPDATE: "user.update",
-	USER_DELETE: "user.delete",
-	USER_LIST: "user.list",
-	USER_MANAGE: "user.manage",
-	ORG_CREATE: "org.create",
-	ORG_READ: "org.read",
-	ORG_UPDATE: "org.update",
-	ORG_DELETE: "org.delete",
-	ORG_LIST: "org.list",
-	MEMBER_INVITE: "member.invite",
-	MEMBER_REMOVE: "member.remove",
-	MEMBER_UPDATE_ROLE: "member.update_role",
-	MEMBER_LIST: "member.list",
-	MANAGE_MEMBERS: "org.manage_members",
-	TEAM_CREATE: "team.create",
-	TEAM_UPDATE: "team.update",
-	TEAM_DELETE: "team.delete",
-	TEAM_MANAGE: "team.manage",
-	ROLE_CREATE: "role.create",
-	ROLE_UPDATE: "role.update",
-	ROLE_DELETE: "role.delete",
-	ROLE_ASSIGN: "role.assign",
-	ROLE_REVOKE: "role.revoke",
-	BILLING_VIEW: "billing.view",
-	BILLING_MANAGE: "billing.manage",
-	PROJECT_CREATE: "project.create",
-	PROJECT_READ: "project.read",
-	PROJECT_UPDATE: "project.update",
-	PROJECT_DELETE: "project.delete",
-	PROJECT_MANAGE: "project.manage",
-	ADMIN_ACCESS: "admin.access",
-	ADMIN_IMPERSONATE: "admin.impersonate"
-};
-/**
-* Standard role definitions.
-*/
-const StandardRole = {
-	OWNER: {
-		name: "owner",
-		description: "Organization owner with full access",
-		permissions: Object.values(Permission)
-	},
-	ADMIN: {
-		name: "admin",
-		description: "Administrator with most permissions",
-		permissions: [
-			Permission.USER_READ,
-			Permission.USER_LIST,
-			Permission.ORG_READ,
-			Permission.ORG_UPDATE,
-			Permission.MEMBER_INVITE,
-			Permission.MEMBER_REMOVE,
-			Permission.MEMBER_UPDATE_ROLE,
-			Permission.MEMBER_LIST,
-			Permission.MANAGE_MEMBERS,
-			Permission.TEAM_CREATE,
-			Permission.TEAM_UPDATE,
-			Permission.TEAM_DELETE,
-			Permission.TEAM_MANAGE,
-			Permission.PROJECT_CREATE,
-			Permission.PROJECT_READ,
-			Permission.PROJECT_UPDATE,
-			Permission.PROJECT_DELETE,
-			Permission.PROJECT_MANAGE,
-			Permission.BILLING_VIEW
-		]
-	},
-	MEMBER: {
-		name: "member",
-		description: "Regular organization member",
-		permissions: [
-			Permission.USER_READ,
-			Permission.ORG_READ,
-			Permission.MEMBER_LIST,
-			Permission.PROJECT_READ,
-			Permission.PROJECT_CREATE
-		]
-	},
-	VIEWER: {
-		name: "viewer",
-		description: "Read-only access",
-		permissions: [
-			Permission.USER_READ,
-			Permission.ORG_READ,
-			Permission.MEMBER_LIST,
-			Permission.PROJECT_READ
-		]
-	}
-};
-/**
-* RBAC Policy Engine for permission checks.
-*/
-var RBACPolicyEngine = class {
-	roleCache = /* @__PURE__ */ new Map();
-	bindingCache = /* @__PURE__ */ new Map();
-	/**
-	* Check if a user has a specific permission.
-	*/
-	async checkPermission(input, bindings) {
-		const { userId, orgId, permission } = input;
-		const now = /* @__PURE__ */ new Date();
-		const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
-		const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
-		const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
-		if (activeBindings.length === 0) return {
-			allowed: false,
-			reason: "No active role bindings found"
-		};
-		for (const binding of activeBindings) if (binding.role.permissions.includes(permission)) return {
-			allowed: true,
-			matchedRole: binding.role.name
-		};
-		return {
-			allowed: false,
-			reason: `No role grants the "${permission}" permission`
-		};
-	}
-	/**
-	* Get all permissions for a user in a context.
-	*/
-	async getPermissions(userId, orgId, bindings) {
-		const now = /* @__PURE__ */ new Date();
-		const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
-		const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
-		const activeBindings = [...userBindings, ...orgBindings].filter((b) => !b.expiresAt || b.expiresAt > now);
-		const permissions = /* @__PURE__ */ new Set();
-		const roles = [];
-		for (const binding of activeBindings) {
-			roles.push(binding.role);
-			for (const perm of binding.role.permissions) permissions.add(perm);
-		}
-		return {
-			permissions,
-			roles
-		};
-	}
-	/**
-	* Check if user has any of the specified permissions.
-	*/
-	async hasAnyPermission(userId, orgId, permissions, bindings) {
-		const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
-		return permissions.some((p) => userPerms.has(p));
-	}
-	/**
-	* Check if user has all of the specified permissions.
-	*/
-	async hasAllPermissions(userId, orgId, permissions, bindings) {
-		const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
-		return permissions.every((p) => userPerms.has(p));
-	}
-};
-/**
-* Create a new RBAC policy engine instance.
-*/
-function createRBACEngine() {
-	return new RBACPolicyEngine();
-}
-
-//#endregion
-export { Permission, RBACPolicyEngine, StandardRole, createRBACEngine };
+const e={USER_CREATE:`user.create`,USER_READ:`user.read`,USER_UPDATE:`user.update`,USER_DELETE:`user.delete`,USER_LIST:`user.list`,USER_MANAGE:`user.manage`,ORG_CREATE:`org.create`,ORG_READ:`org.read`,ORG_UPDATE:`org.update`,ORG_DELETE:`org.delete`,ORG_LIST:`org.list`,MEMBER_INVITE:`member.invite`,MEMBER_REMOVE:`member.remove`,MEMBER_UPDATE_ROLE:`member.update_role`,MEMBER_LIST:`member.list`,MANAGE_MEMBERS:`org.manage_members`,TEAM_CREATE:`team.create`,TEAM_UPDATE:`team.update`,TEAM_DELETE:`team.delete`,TEAM_MANAGE:`team.manage`,ROLE_CREATE:`role.create`,ROLE_UPDATE:`role.update`,ROLE_DELETE:`role.delete`,ROLE_ASSIGN:`role.assign`,ROLE_REVOKE:`role.revoke`,BILLING_VIEW:`billing.view`,BILLING_MANAGE:`billing.manage`,PROJECT_CREATE:`project.create`,PROJECT_READ:`project.read`,PROJECT_UPDATE:`project.update`,PROJECT_DELETE:`project.delete`,PROJECT_MANAGE:`project.manage`,ADMIN_ACCESS:`admin.access`,ADMIN_IMPERSONATE:`admin.impersonate`},t={OWNER:{name:`owner`,description:`Organization owner with full access`,permissions:Object.values(e)},ADMIN:{name:`admin`,description:`Administrator with most permissions`,permissions:[e.USER_READ,e.USER_LIST,e.ORG_READ,e.ORG_UPDATE,e.MEMBER_INVITE,e.MEMBER_REMOVE,e.MEMBER_UPDATE_ROLE,e.MEMBER_LIST,e.MANAGE_MEMBERS,e.TEAM_CREATE,e.TEAM_UPDATE,e.TEAM_DELETE,e.TEAM_MANAGE,e.PROJECT_CREATE,e.PROJECT_READ,e.PROJECT_UPDATE,e.PROJECT_DELETE,e.PROJECT_MANAGE,e.BILLING_VIEW]},MEMBER:{name:`member`,description:`Regular organization member`,permissions:[e.USER_READ,e.ORG_READ,e.MEMBER_LIST,e.PROJECT_READ,e.PROJECT_CREATE]},VIEWER:{name:`viewer`,description:`Read-only access`,permissions:[e.USER_READ,e.ORG_READ,e.MEMBER_LIST,e.PROJECT_READ]}};var n=class{roleCache=new Map;bindingCache=new Map;async checkPermission(e,t){let{userId:n,orgId:r,permission:i}=e,a=new Date,o=t.filter(e=>e.targetType===`user`&&e.targetId===n),s=r?t.filter(e=>e.targetType===`organization`&&e.targetId===r):[],c=[...o,...s].filter(e=>!e.expiresAt||e.expiresAt>a);if(c.length===0)return{allowed:!1,reason:`No active role bindings found`};for(let e of c)if(e.role.permissions.includes(i))return{allowed:!0,matchedRole:e.role.name};return{allowed:!1,reason:`No role grants the "${i}" permission`}}async getPermissions(e,t,n){let r=new Date,i=n.filter(t=>t.targetType===`user`&&t.targetId===e),a=t?n.filter(e=>e.targetType===`organization`&&e.targetId===t):[],o=[...i,...a].filter(e=>!e.expiresAt||e.expiresAt>r),s=new Set,c=[];for(let e of o){c.push(e.role);for(let t of e.role.permissions)s.add(t)}return{permissions:s,roles:c}}async hasAnyPermission(e,t,n,r){let{permissions:i}=await this.getPermissions(e,t,r);return n.some(e=>i.has(e))}async hasAllPermissions(e,t,n,r){let{permissions:i}=await this.getPermissions(e,t,r);return n.every(e=>i.has(e))}};function r(){return new n}export{e as Permission,n as RBACPolicyEngine,t as StandardRole,r as createRBACEngine};

package/dist/policies/index.js

@@ -1,3 +1 @@
-import { Permission, RBACPolicyEngine, StandardRole, createRBACEngine } from "./engine.js";
-
-export { Permission, RBACPolicyEngine, StandardRole, createRBACEngine };
+import{Permission as e,RBACPolicyEngine as t,StandardRole as n,createRBACEngine as r}from"./engine.js";export{e as Permission,t as RBACPolicyEngine,n as StandardRole,r as createRBACEngine};

package/package.json

@@ -1,13 +1,12 @@
 {
   "name": "@lssm/lib.identity-rbac",
-  "version": "0.0.0-canary-20251217080011",
+  "version": "1.41.0",
   "description": "Identity, Organizations, and RBAC module for ContractSpec applications",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "type": "module",
   "scripts": {
     "publish:pkg": "bun publish --tolerate-republish --ignore-scripts --verbose",
-    "publish:pkg:canary": "bun publish:pkg --tag canary",
     "build": "bun build:bundle && bun build:types",
     "build:bundle": "tsdown",
     "build:types": "tsc --noEmit",
@@ -18,29 +17,29 @@
     "lint:check": "eslint src"
   },
   "dependencies": {
-    "@lssm/lib.schema": "0.0.0-canary-20251217080011",
-    "@lssm/lib.contracts": "0.0.0-canary-20251217080011",
+    "@lssm/lib.schema": "workspace:*",
+    "@lssm/lib.contracts": "workspace:*",
     "zod": "^4.1.13"
   },
   "devDependencies": {
-    "@lssm/tool.typescript": "0.0.0-canary-20251217080011",
-    "@lssm/tool.tsdown": "0.0.0-canary-20251217080011",
+    "@lssm/tool.typescript": "workspace:*",
+    "@lssm/tool.tsdown": "workspace:*",
     "typescript": "^5.9.3"
   },
   "exports": {
-    ".": "./dist/index.js",
-    "./contracts": "./dist/contracts/index.js",
-    "./contracts/organization": "./dist/contracts/organization.js",
-    "./contracts/rbac": "./dist/contracts/rbac.js",
-    "./contracts/user": "./dist/contracts/user.js",
-    "./entities": "./dist/entities/index.js",
-    "./entities/organization": "./dist/entities/organization.js",
-    "./entities/rbac": "./dist/entities/rbac.js",
-    "./entities/user": "./dist/entities/user.js",
-    "./events": "./dist/events.js",
-    "./identity-rbac.feature": "./dist/identity-rbac.feature.js",
-    "./policies": "./dist/policies/index.js",
-    "./policies/engine": "./dist/policies/engine.js",
+    ".": "./src/index.ts",
+    "./contracts": "./src/contracts/index.ts",
+    "./contracts/organization": "./src/contracts/organization.ts",
+    "./contracts/rbac": "./src/contracts/rbac.ts",
+    "./contracts/user": "./src/contracts/user.ts",
+    "./entities": "./src/entities/index.ts",
+    "./entities/organization": "./src/entities/organization.ts",
+    "./entities/rbac": "./src/entities/rbac.ts",
+    "./entities/user": "./src/entities/user.ts",
+    "./events": "./src/events.ts",
+    "./identity-rbac.feature": "./src/identity-rbac.feature.ts",
+    "./policies": "./src/policies/index.ts",
+    "./policies/engine": "./src/policies/engine.ts",
     "./*": "./*"
   },
   "module": "./dist/index.js",

package/dist/contracts/dist/capabilities/openbanking.js

@@ -1,88 +0,0 @@
-import { StabilityEnum } from "../ownership.js";
-
-//#region ../contracts/dist/capabilities/openbanking.js
-const OWNERS = ["platform.finance"];
-const TAGS = ["open-banking", "finance"];
-const openBankingAccountsReadCapability = {
-	meta: {
-		key: "openbanking.accounts.read",
-		version: 1,
-		kind: "integration",
-		title: "Open Banking Accounts (Read)",
-		description: "Provides read-only access to linked bank accounts, including account summaries and metadata.",
-		domain: "finance",
-		owners: [...OWNERS],
-		tags: [...TAGS],
-		stability: StabilityEnum.Experimental
-	},
-	provides: [
-		{
-			surface: "operation",
-			name: "openbanking.accounts.list",
-			version: 1,
-			description: "List bank accounts linked to a Powens open banking connection."
-		},
-		{
-			surface: "operation",
-			name: "openbanking.accounts.get",
-			version: 1,
-			description: "Retrieve the canonical bank account record for a specific account."
-		},
-		{
-			surface: "operation",
-			name: "openbanking.accounts.sync",
-			version: 1,
-			description: "Trigger a refresh of bank account metadata from the open banking provider."
-		}
-	]
-};
-const openBankingTransactionsReadCapability = {
-	meta: {
-		key: "openbanking.transactions.read",
-		version: 1,
-		kind: "integration",
-		title: "Open Banking Transactions (Read)",
-		description: "Enables retrieval of transaction history for linked bank accounts via open banking providers.",
-		domain: "finance",
-		owners: [...OWNERS],
-		tags: [...TAGS, "transactions"],
-		stability: StabilityEnum.Experimental
-	},
-	provides: [{
-		surface: "operation",
-		name: "openbanking.transactions.list",
-		version: 1,
-		description: "List transactions for a given bank account with optional date filtering."
-	}, {
-		surface: "operation",
-		name: "openbanking.transactions.sync",
-		version: 1,
-		description: "Synchronise transactions from the open banking provider into the canonical ledger."
-	}]
-};
-const openBankingBalancesReadCapability = {
-	meta: {
-		key: "openbanking.balances.read",
-		version: 1,
-		kind: "integration",
-		title: "Open Banking Balances (Read)",
-		description: "Allows querying of current and available balances for linked bank accounts via open banking providers.",
-		domain: "finance",
-		owners: [...OWNERS],
-		tags: [...TAGS, "balances"],
-		stability: StabilityEnum.Experimental
-	},
-	provides: [{
-		surface: "operation",
-		name: "openbanking.balances.get",
-		version: 1,
-		description: "Retrieve the latest known balances for a specified bank account."
-	}, {
-		surface: "operation",
-		name: "openbanking.balances.refresh",
-		version: 1,
-		description: "Force a balance refresh from the open banking provider."
-	}]
-};
-
-//#endregion

package/dist/contracts/dist/client/index.js

@@ -1,5 +0,0 @@
-'use client';
-
-import "./react/feature-render.js";
-import "./react/form-render.js";
-import "./react/index.js";

package/dist/contracts/dist/client/react/feature-render.js

@@ -1,2 +0,0 @@
-import "../../presentations.v2.js";
-import "react";

package/dist/contracts/dist/client/react/form-render.js

@@ -1,4 +0,0 @@
-import "react";
-import "react-hook-form";
-import "@hookform/resolvers/zod";
-import "react/jsx-runtime";

package/dist/contracts/dist/client/react/index.js

@@ -1,4 +0,0 @@
-'use client';
-
-import "./feature-render.js";
-import "./form-render.js";

package/dist/contracts/dist/contract-registry/index.js

@@ -1 +0,0 @@
-import { ContractRegistryFileSchema, ContractRegistryItemSchema, ContractRegistryItemTypeSchema } from "./schemas.js";

package/dist/contracts/dist/contract-registry/schemas.js

@@ -1,60 +0,0 @@
-import { StabilityEnum } from "../ownership.js";
-import z from "zod";
-
-//#region ../contracts/dist/contract-registry/schemas.js
-const ContractRegistryItemTypeSchema = z.enum([
-	"contractspec:operation",
-	"contractspec:event",
-	"contractspec:presentation",
-	"contractspec:form",
-	"contractspec:feature",
-	"contractspec:workflow",
-	"contractspec:template",
-	"contractspec:integration",
-	"contractspec:data-view",
-	"contractspec:migration",
-	"contractspec:telemetry",
-	"contractspec:experiment",
-	"contractspec:app-config",
-	"contractspec:knowledge"
-]);
-const ContractRegistryFileSchema = z.object({
-	path: z.string().min(1),
-	type: z.string().min(1),
-	content: z.string().optional()
-});
-const ContractRegistryItemSchema = z.object({
-	name: z.string().min(1),
-	type: ContractRegistryItemTypeSchema,
-	version: z.number().int().nonnegative(),
-	title: z.string().min(1),
-	description: z.string().min(1),
-	meta: z.object({
-		stability: z.enum([
-			StabilityEnum.Idea,
-			StabilityEnum.InCreation,
-			StabilityEnum.Experimental,
-			StabilityEnum.Beta,
-			StabilityEnum.Stable,
-			StabilityEnum.Deprecated
-		]),
-		owners: z.array(z.string().min(1)).default([]),
-		tags: z.array(z.string().min(1)).default([])
-	}),
-	dependencies: z.array(z.string().min(1)).optional(),
-	registryDependencies: z.array(z.string().min(1)).optional(),
-	files: z.array(ContractRegistryFileSchema).min(1),
-	schema: z.object({
-		input: z.unknown().optional(),
-		output: z.unknown().optional()
-	}).optional()
-});
-const ContractRegistryManifestSchema = z.object({
-	$schema: z.string().min(1).optional(),
-	name: z.string().min(1),
-	homepage: z.string().min(1).optional(),
-	items: z.array(ContractRegistryItemSchema)
-});
-
-//#endregion
-export { ContractRegistryFileSchema, ContractRegistryItemSchema, ContractRegistryItemTypeSchema };

package/dist/contracts/dist/docs/PUBLISHING.docblock.js

@@ -1,16 +0,0 @@
-import { registerDocBlocks } from "./registry.js";
-
-//#region ../contracts/dist/docs/PUBLISHING.docblock.js
-const PUBLISHING_DocBlocks = [{
-	id: "docs.PUBLISHING",
-	title: "Publishing ContractSpec Libraries",
-	summary: "This guide describes how we release the ContractSpec libraries to npm. We use a dual-track release system: **Stable** (manual) and **Canary** (automatic).",
-	kind: "reference",
-	visibility: "public",
-	route: "/docs/PUBLISHING",
-	tags: ["PUBLISHING"],
-	body: "# Publishing ContractSpec Libraries\n\nThis guide describes how we release the ContractSpec libraries to npm. We use a dual-track release system: **Stable** (manual) and **Canary** (automatic).\n\n## Release Tracks\n\n| Track | Branch | npm Tag | Frequency | Versioning | Use Case |\n|-------|--------|---------|-----------|------------|----------|\n| **Stable** | `release` | `latest` | Manual | SemVer (e.g., `1.7.4`) | Production, external users |\n| **Canary** | `main` | `canary` | Every Push | Snapshot (e.g., `1.7.4-canary...`) | Dev, internal testing |\n\n## Prerequisites\n\n- ✅ `NPM_TOKEN` secret is configured in GitHub (owner or automation token with _publish_ scope).\n- ✅ `GITHUB_TOKEN` (built-in) has permissions to create PRs (enabled by default in new repos).\n- ✅ For stable releases: `release` branch exists and is protected.\n\n## Canary Workflow (Automatic)\n\nEvery commit pushed to `main` triggers the `.github/workflows/publish-canary.yml` workflow.\n\n1. **Trigger**: Push to `main`.\n2. **Versioning**: Runs `changeset version --snapshot canary` to generate a temporary snapshot version.\n3. **Publish**: Packages are published to npm with the `canary` tag using `changeset publish --tag canary`.\n\n### Consuming Canary Builds\n\nTo install the latest bleeding-edge version:\n\n```bash\nnpm install @lssm/lib.contracts@canary\n# or\nbun add @lssm/lib.contracts@canary\n```\n\n## Stable Release Workflow (Manual)\n\nStable releases are managed via the `release` branch using the standard [Changesets Action](https://github.com/changesets/action).\n\n1. **Develop on `main`**: Create features and fixes.\n2. **Add Changesets**: Run `bun changeset` to document changes and impact (major/minor/patch).\n3. **Merge to `release`**: When ready to ship, open a PR from `main` to `release` or merge manually.\n4. **\"Version Packages\" PR**:\n   - The GitHub Action detects new changesets and automatically creates a Pull Request titled **\"Version Packages\"**.\n   - This PR contains the version bumps and updated `CHANGELOG.md` files.\n5. **Merge & Publish**:\n   - Review and merge the \"Version Packages\" PR.\n   - The Action runs again, detects the versions have been bumped, builds the libraries, and publishes them to npm with the `latest` tag.\n\n### Publishing Steps\n\n1. Ensure all changesets are present on `main`.\n2. Merge `main` into `release`:\n   ```bash\n   git checkout release\n   git pull origin release\n   git merge main\n   git push origin release\n   ```\n3. Go to GitHub Pull Requests. You will see a **\"Version Packages\"** PR created by the bot.\n4. Merge that PR.\n5. The release is now live on npm!\n\n## Manual Verification (Optional)\n\nBefore publishing a new version you can run:\n\n```bash\nbun run build:not-apps\nnpx npm-packlist --json packages/libs/contracts\n```\n\n## Rollback\n\nIf a publish fails mid-way, re-run the workflow once the issue is fixed. Already published packages are skipped automatically. Use `npm deprecate <package>@<version>` if we need to warn consumers about a broken release.\n"
-}];
-registerDocBlocks(PUBLISHING_DocBlocks);
-
-//#endregion