npm - @lssm/lib.identity-rbac - Versions diffs - 0.0.0-canary-20251217083314 → 1.41.0 - Mend

@lssm/lib.identity-rbac 0.0.0-canary-20251217083314 → 1.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (148) hide show

package/dist/contracts/rbac.js CHANGED Viewed

@@ -1,487 +1 @@
-import { ScalarTypeEnum } from "../schema/dist/ScalarTypeEnum.js";
-import { SchemaModel } from "../schema/dist/SchemaModel.js";
-import "../schema/dist/index.js";
-import { defineCommand, defineQuery } from "./dist/spec.js";
-import "./dist/index.js";
-import { SuccessResultModel } from "./user.js";
-//#region src/contracts/rbac.ts
-const OWNERS = ["platform.identity-rbac"];
-const RoleModel = new SchemaModel({
-	name: "Role",
-	description: "RBAC role definition",
-	fields: {
-		id: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		name: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		description: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: true
-		},
-		permissions: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false,
-			isArray: true
-		},
-		createdAt: {
-			type: ScalarTypeEnum.DateTime(),
-			isOptional: false
-		}
-	}
-});
-const PolicyBindingModel = new SchemaModel({
-	name: "PolicyBinding",
-	description: "Role assignment to a target",
-	fields: {
-		id: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		roleId: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		targetType: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		targetId: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		expiresAt: {
-			type: ScalarTypeEnum.DateTime(),
-			isOptional: true
-		},
-		createdAt: {
-			type: ScalarTypeEnum.DateTime(),
-			isOptional: false
-		},
-		role: {
-			type: RoleModel,
-			isOptional: false
-		}
-	}
-});
-const PermissionCheckResultModel = new SchemaModel({
-	name: "PermissionCheckResult",
-	description: "Result of a permission check",
-	fields: {
-		allowed: {
-			type: ScalarTypeEnum.Boolean(),
-			isOptional: false
-		},
-		reason: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: true
-		},
-		matchedRole: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: true
-		}
-	}
-});
-const CreateRoleInputModel = new SchemaModel({
-	name: "CreateRoleInput",
-	description: "Input for creating a role",
-	fields: {
-		name: {
-			type: ScalarTypeEnum.NonEmptyString(),
-			isOptional: false
-		},
-		description: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: true
-		},
-		permissions: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false,
-			isArray: true
-		}
-	}
-});
-const UpdateRoleInputModel = new SchemaModel({
-	name: "UpdateRoleInput",
-	description: "Input for updating a role",
-	fields: {
-		roleId: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		name: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: true
-		},
-		description: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: true
-		},
-		permissions: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: true,
-			isArray: true
-		}
-	}
-});
-const DeleteRoleInputModel = new SchemaModel({
-	name: "DeleteRoleInput",
-	description: "Input for deleting a role",
-	fields: { roleId: {
-		type: ScalarTypeEnum.String_unsecure(),
-		isOptional: false
-	} }
-});
-const ListRolesOutputModel = new SchemaModel({
-	name: "ListRolesOutput",
-	description: "Output for listing roles",
-	fields: { roles: {
-		type: RoleModel,
-		isOptional: false,
-		isArray: true
-	} }
-});
-const AssignRoleInputModel = new SchemaModel({
-	name: "AssignRoleInput",
-	description: "Input for assigning a role",
-	fields: {
-		roleId: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		targetType: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		targetId: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		expiresAt: {
-			type: ScalarTypeEnum.DateTime(),
-			isOptional: true
-		}
-	}
-});
-const RevokeRoleInputModel = new SchemaModel({
-	name: "RevokeRoleInput",
-	description: "Input for revoking a role",
-	fields: { bindingId: {
-		type: ScalarTypeEnum.String_unsecure(),
-		isOptional: false
-	} }
-});
-const BindingIdPayloadModel = new SchemaModel({
-	name: "BindingIdPayload",
-	description: "Payload with binding ID",
-	fields: { bindingId: {
-		type: ScalarTypeEnum.String_unsecure(),
-		isOptional: false
-	} }
-});
-const CheckPermissionInputModel = new SchemaModel({
-	name: "CheckPermissionInput",
-	description: "Input for checking a permission",
-	fields: {
-		userId: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		orgId: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: true
-		},
-		permission: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		}
-	}
-});
-const ListUserPermissionsInputModel = new SchemaModel({
-	name: "ListUserPermissionsInput",
-	description: "Input for listing user permissions",
-	fields: {
-		userId: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false
-		},
-		orgId: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: true
-		}
-	}
-});
-const ListUserPermissionsOutputModel = new SchemaModel({
-	name: "ListUserPermissionsOutput",
-	description: "Output for listing user permissions",
-	fields: {
-		permissions: {
-			type: ScalarTypeEnum.String_unsecure(),
-			isOptional: false,
-			isArray: true
-		},
-		roles: {
-			type: RoleModel,
-			isOptional: false,
-			isArray: true
-		}
-	}
-});
-/**
-* Create a new role.
-*/
-const CreateRoleContract = defineCommand({
-	meta: {
-		name: "identity.rbac.role.create",
-		version: 1,
-		stability: "stable",
-		owners: [...OWNERS],
-		tags: [
-			"identity",
-			"rbac",
-			"role",
-			"create"
-		],
-		description: "Create a new role with permissions.",
-		goal: "Allow admins to define custom roles.",
-		context: "Role management in admin settings."
-	},
-	io: {
-		input: CreateRoleInputModel,
-		output: RoleModel,
-		errors: { ROLE_EXISTS: {
-			description: "A role with this name already exists",
-			http: 409,
-			gqlCode: "ROLE_EXISTS",
-			when: "Role name is taken"
-		} }
-	},
-	policy: { auth: "admin" },
-	sideEffects: { audit: ["role.created"] }
-});
-/**
-* Update a role.
-*/
-const UpdateRoleContract = defineCommand({
-	meta: {
-		name: "identity.rbac.role.update",
-		version: 1,
-		stability: "stable",
-		owners: [...OWNERS],
-		tags: [
-			"identity",
-			"rbac",
-			"role",
-			"update"
-		],
-		description: "Update an existing role.",
-		goal: "Allow admins to modify role permissions.",
-		context: "Role management in admin settings."
-	},
-	io: {
-		input: UpdateRoleInputModel,
-		output: RoleModel
-	},
-	policy: { auth: "admin" },
-	sideEffects: { audit: ["role.updated"] }
-});
-/**
-* Delete a role.
-*/
-const DeleteRoleContract = defineCommand({
-	meta: {
-		name: "identity.rbac.role.delete",
-		version: 1,
-		stability: "stable",
-		owners: [...OWNERS],
-		tags: [
-			"identity",
-			"rbac",
-			"role",
-			"delete"
-		],
-		description: "Delete an existing role.",
-		goal: "Allow admins to remove unused roles.",
-		context: "Role management. Removes all policy bindings using this role."
-	},
-	io: {
-		input: DeleteRoleInputModel,
-		output: SuccessResultModel,
-		errors: { ROLE_IN_USE: {
-			description: "Role is still assigned to users or organizations",
-			http: 409,
-			gqlCode: "ROLE_IN_USE",
-			when: "Role has active bindings"
-		} }
-	},
-	policy: { auth: "admin" },
-	sideEffects: { audit: ["role.deleted"] }
-});
-/**
-* List all roles.
-*/
-const ListRolesContract = defineQuery({
-	meta: {
-		name: "identity.rbac.role.list",
-		version: 1,
-		stability: "stable",
-		owners: [...OWNERS],
-		tags: [
-			"identity",
-			"rbac",
-			"role",
-			"list"
-		],
-		description: "List all available roles.",
-		goal: "Show available roles for assignment.",
-		context: "Role assignment UI."
-	},
-	io: {
-		input: null,
-		output: ListRolesOutputModel
-	},
-	policy: { auth: "user" }
-});
-/**
-* Assign a role to a user or organization.
-*/
-const AssignRoleContract = defineCommand({
-	meta: {
-		name: "identity.rbac.assign",
-		version: 1,
-		stability: "stable",
-		owners: [...OWNERS],
-		tags: [
-			"identity",
-			"rbac",
-			"assign"
-		],
-		description: "Assign a role to a user or organization.",
-		goal: "Grant permissions via role assignment.",
-		context: "User/org permission management."
-	},
-	io: {
-		input: AssignRoleInputModel,
-		output: PolicyBindingModel,
-		errors: {
-			ROLE_NOT_FOUND: {
-				description: "The specified role does not exist",
-				http: 404,
-				gqlCode: "ROLE_NOT_FOUND",
-				when: "Role ID is invalid"
-			},
-			ALREADY_ASSIGNED: {
-				description: "This role is already assigned to the target",
-				http: 409,
-				gqlCode: "ALREADY_ASSIGNED",
-				when: "Binding already exists"
-			}
-		}
-	},
-	policy: { auth: "admin" },
-	sideEffects: {
-		emits: [{
-			name: "role.assigned",
-			version: 1,
-			when: "Role is assigned",
-			payload: PolicyBindingModel
-		}],
-		audit: ["role.assigned"]
-	}
-});
-/**
-* Revoke a role from a user or organization.
-*/
-const RevokeRoleContract = defineCommand({
-	meta: {
-		name: "identity.rbac.revoke",
-		version: 1,
-		stability: "stable",
-		owners: [...OWNERS],
-		tags: [
-			"identity",
-			"rbac",
-			"revoke"
-		],
-		description: "Revoke a role from a user or organization.",
-		goal: "Remove permissions via role revocation.",
-		context: "User/org permission management."
-	},
-	io: {
-		input: RevokeRoleInputModel,
-		output: SuccessResultModel,
-		errors: { BINDING_NOT_FOUND: {
-			description: "The policy binding does not exist",
-			http: 404,
-			gqlCode: "BINDING_NOT_FOUND",
-			when: "Binding ID is invalid"
-		} }
-	},
-	policy: { auth: "admin" },
-	sideEffects: {
-		emits: [{
-			name: "role.revoked",
-			version: 1,
-			when: "Role is revoked",
-			payload: BindingIdPayloadModel
-		}],
-		audit: ["role.revoked"]
-	}
-});
-/**
-* Check if a user has a specific permission.
-*/
-const CheckPermissionContract = defineQuery({
-	meta: {
-		name: "identity.rbac.check",
-		version: 1,
-		stability: "stable",
-		owners: [...OWNERS],
-		tags: [
-			"identity",
-			"rbac",
-			"check",
-			"permission"
-		],
-		description: "Check if a user has a specific permission.",
-		goal: "Authorization check before sensitive operations.",
-		context: "Called by other services to verify permissions."
-	},
-	io: {
-		input: CheckPermissionInputModel,
-		output: PermissionCheckResultModel
-	},
-	policy: { auth: "user" }
-});
-/**
-* List permissions for a user.
-*/
-const ListUserPermissionsContract = defineQuery({
-	meta: {
-		name: "identity.rbac.permissions",
-		version: 1,
-		stability: "stable",
-		owners: [...OWNERS],
-		tags: [
-			"identity",
-			"rbac",
-			"permissions",
-			"user"
-		],
-		description: "List all permissions for a user in a context.",
-		goal: "Show what a user can do in an org.",
-		context: "UI permission display, debugging."
-	},
-	io: {
-		input: ListUserPermissionsInputModel,
-		output: ListUserPermissionsOutputModel
-	},
-	policy: { auth: "user" }
-});
-//#endregion
-export { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel };
+import{SuccessResultModel as e}from"./user.js";import{ScalarTypeEnum as t,SchemaModel as n}from"@lssm/lib.schema";import{defineCommand as r,defineQuery as i}from"@lssm/lib.contracts";const a=[`platform.identity-rbac`],o=new n({name:`Role`,description:`RBAC role definition`,fields:{id:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!1},description:{type:t.String_unsecure(),isOptional:!0},permissions:{type:t.String_unsecure(),isOptional:!1,isArray:!0},createdAt:{type:t.DateTime(),isOptional:!1}}}),s=new n({name:`PolicyBinding`,description:`Role assignment to a target`,fields:{id:{type:t.String_unsecure(),isOptional:!1},roleId:{type:t.String_unsecure(),isOptional:!1},targetType:{type:t.String_unsecure(),isOptional:!1},targetId:{type:t.String_unsecure(),isOptional:!1},expiresAt:{type:t.DateTime(),isOptional:!0},createdAt:{type:t.DateTime(),isOptional:!1},role:{type:o,isOptional:!1}}}),c=new n({name:`PermissionCheckResult`,description:`Result of a permission check`,fields:{allowed:{type:t.Boolean(),isOptional:!1},reason:{type:t.String_unsecure(),isOptional:!0},matchedRole:{type:t.String_unsecure(),isOptional:!0}}}),l=new n({name:`CreateRoleInput`,description:`Input for creating a role`,fields:{name:{type:t.NonEmptyString(),isOptional:!1},description:{type:t.String_unsecure(),isOptional:!0},permissions:{type:t.String_unsecure(),isOptional:!1,isArray:!0}}}),u=new n({name:`UpdateRoleInput`,description:`Input for updating a role`,fields:{roleId:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0},permissions:{type:t.String_unsecure(),isOptional:!0,isArray:!0}}}),d=new n({name:`DeleteRoleInput`,description:`Input for deleting a role`,fields:{roleId:{type:t.String_unsecure(),isOptional:!1}}}),f=new n({name:`ListRolesOutput`,description:`Output for listing roles`,fields:{roles:{type:o,isOptional:!1,isArray:!0}}}),p=new n({name:`AssignRoleInput`,description:`Input for assigning a role`,fields:{roleId:{type:t.String_unsecure(),isOptional:!1},targetType:{type:t.String_unsecure(),isOptional:!1},targetId:{type:t.String_unsecure(),isOptional:!1},expiresAt:{type:t.DateTime(),isOptional:!0}}}),m=new n({name:`RevokeRoleInput`,description:`Input for revoking a role`,fields:{bindingId:{type:t.String_unsecure(),isOptional:!1}}}),h=new n({name:`BindingIdPayload`,description:`Payload with binding ID`,fields:{bindingId:{type:t.String_unsecure(),isOptional:!1}}}),g=new n({name:`CheckPermissionInput`,description:`Input for checking a permission`,fields:{userId:{type:t.String_unsecure(),isOptional:!1},orgId:{type:t.String_unsecure(),isOptional:!0},permission:{type:t.String_unsecure(),isOptional:!1}}}),_=new n({name:`ListUserPermissionsInput`,description:`Input for listing user permissions`,fields:{userId:{type:t.String_unsecure(),isOptional:!1},orgId:{type:t.String_unsecure(),isOptional:!0}}}),v=new n({name:`ListUserPermissionsOutput`,description:`Output for listing user permissions`,fields:{permissions:{type:t.String_unsecure(),isOptional:!1,isArray:!0},roles:{type:o,isOptional:!1,isArray:!0}}}),y=r({meta:{name:`identity.rbac.role.create`,version:1,stability:`stable`,owners:[...a],tags:[`identity`,`rbac`,`role`,`create`],description:`Create a new role with permissions.`,goal:`Allow admins to define custom roles.`,context:`Role management in admin settings.`},io:{input:l,output:o,errors:{ROLE_EXISTS:{description:`A role with this name already exists`,http:409,gqlCode:`ROLE_EXISTS`,when:`Role name is taken`}}},policy:{auth:`admin`},sideEffects:{audit:[`role.created`]}}),b=r({meta:{name:`identity.rbac.role.update`,version:1,stability:`stable`,owners:[...a],tags:[`identity`,`rbac`,`role`,`update`],description:`Update an existing role.`,goal:`Allow admins to modify role permissions.`,context:`Role management in admin settings.`},io:{input:u,output:o},policy:{auth:`admin`},sideEffects:{audit:[`role.updated`]}}),x=r({meta:{name:`identity.rbac.role.delete`,version:1,stability:`stable`,owners:[...a],tags:[`identity`,`rbac`,`role`,`delete`],description:`Delete an existing role.`,goal:`Allow admins to remove unused roles.`,context:`Role management. Removes all policy bindings using this role.`},io:{input:d,output:e,errors:{ROLE_IN_USE:{description:`Role is still assigned to users or organizations`,http:409,gqlCode:`ROLE_IN_USE`,when:`Role has active bindings`}}},policy:{auth:`admin`},sideEffects:{audit:[`role.deleted`]}}),S=i({meta:{name:`identity.rbac.role.list`,version:1,stability:`stable`,owners:[...a],tags:[`identity`,`rbac`,`role`,`list`],description:`List all available roles.`,goal:`Show available roles for assignment.`,context:`Role assignment UI.`},io:{input:null,output:f},policy:{auth:`user`}}),C=r({meta:{name:`identity.rbac.assign`,version:1,stability:`stable`,owners:[...a],tags:[`identity`,`rbac`,`assign`],description:`Assign a role to a user or organization.`,goal:`Grant permissions via role assignment.`,context:`User/org permission management.`},io:{input:p,output:s,errors:{ROLE_NOT_FOUND:{description:`The specified role does not exist`,http:404,gqlCode:`ROLE_NOT_FOUND`,when:`Role ID is invalid`},ALREADY_ASSIGNED:{description:`This role is already assigned to the target`,http:409,gqlCode:`ALREADY_ASSIGNED`,when:`Binding already exists`}}},policy:{auth:`admin`},sideEffects:{emits:[{name:`role.assigned`,version:1,when:`Role is assigned`,payload:s}],audit:[`role.assigned`]}}),w=r({meta:{name:`identity.rbac.revoke`,version:1,stability:`stable`,owners:[...a],tags:[`identity`,`rbac`,`revoke`],description:`Revoke a role from a user or organization.`,goal:`Remove permissions via role revocation.`,context:`User/org permission management.`},io:{input:m,output:e,errors:{BINDING_NOT_FOUND:{description:`The policy binding does not exist`,http:404,gqlCode:`BINDING_NOT_FOUND`,when:`Binding ID is invalid`}}},policy:{auth:`admin`},sideEffects:{emits:[{name:`role.revoked`,version:1,when:`Role is revoked`,payload:h}],audit:[`role.revoked`]}}),T=i({meta:{name:`identity.rbac.check`,version:1,stability:`stable`,owners:[...a],tags:[`identity`,`rbac`,`check`,`permission`],description:`Check if a user has a specific permission.`,goal:`Authorization check before sensitive operations.`,context:`Called by other services to verify permissions.`},io:{input:g,output:c},policy:{auth:`user`}}),E=i({meta:{name:`identity.rbac.permissions`,version:1,stability:`stable`,owners:[...a],tags:[`identity`,`rbac`,`permissions`,`user`],description:`List all permissions for a user in a context.`,goal:`Show what a user can do in an org.`,context:`UI permission display, debugging.`},io:{input:_,output:v},policy:{auth:`user`}});export{C as AssignRoleContract,p as AssignRoleInputModel,h as BindingIdPayloadModel,T as CheckPermissionContract,g as CheckPermissionInputModel,y as CreateRoleContract,l as CreateRoleInputModel,x as DeleteRoleContract,d as DeleteRoleInputModel,S as ListRolesContract,f as ListRolesOutputModel,E as ListUserPermissionsContract,_ as ListUserPermissionsInputModel,v as ListUserPermissionsOutputModel,c as PermissionCheckResultModel,s as PolicyBindingModel,w as RevokeRoleContract,m as RevokeRoleInputModel,o as RoleModel,b as UpdateRoleContract,u as UpdateRoleInputModel};