@m5kdev/backend 0.1.0 → 0.1.2

package/dist/src/modules/access/access.repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.repository.d.ts","sourceRoot":"","sources":["../../../../src/modules/access/access.repository.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAGzD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAE/D,QAAA,MAAM,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAAc,CAAC;AAC3B,KAAK,MAAM,GAAG,OAAO,MAAM,CAAC;AAC5B,KAAK,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;AAElC,qBAAa,gBAAiB,SAAQ,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAChF,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC;IAatF,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC;CAU7E"}

package/dist/src/modules/access/access.repository.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessRepository = void 0;
+const tslib_1 = require("tslib");
+const drizzle_orm_1 = require("drizzle-orm");
+const neverthrow_1 = require("neverthrow");
+const auth = tslib_1.__importStar(require("#modules/auth/auth.db"));
+const base_repository_1 = require("#modules/base/base.repository");
+const schema = { ...auth };
+class AccessRepository extends base_repository_1.BaseRepository {
+    async getOrganizationRole(userId, organizationId) {
+        return this.throwableAsync(async () => {
+            const [member] = await this.orm
+                .select({ role: schema.members.role })
+                .from(schema.members)
+                .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema.members.organizationId, organizationId), (0, drizzle_orm_1.eq)(schema.members.userId, userId)))
+                .limit(1);
+            return (0, neverthrow_1.ok)(member?.role ?? "");
+        });
+    }
+    async getTeamRole(userId, teamId) {
+        return this.throwableAsync(async () => {
+            const [member] = await this.orm
+                .select({ role: schema.teamMembers.role })
+                .from(schema.teamMembers)
+                .where((0, drizzle_orm_1.and)((0, drizzle_orm_1.eq)(schema.teamMembers.teamId, teamId), (0, drizzle_orm_1.eq)(schema.teamMembers.userId, userId)))
+                .limit(1);
+            return (0, neverthrow_1.ok)(member?.role ?? "");
+        });
+    }
+}
+exports.AccessRepository = AccessRepository;

package/dist/src/modules/access/access.service.d.ts

@@ -0,0 +1,22 @@
+import type { Statements } from "better-auth/plugins/access";
+import type { AccessRepository } from "#modules/access/access.repository";
+import type { AccessControlRoles } from "#modules/access/access.utils";
+import type { ServerResultAsync } from "#modules/base/base.dto";
+import { BaseService } from "#modules/base/base.service";
+type User = {
+    id: string;
+    role: string;
+};
+export declare class AccessService<T extends Statements> extends BaseService<{
+    access: AccessRepository;
+}, never> {
+    acr: AccessControlRoles<T>;
+    constructor(repositories: {
+        access: AccessRepository;
+    }, acr: AccessControlRoles<T>);
+    authorize(level: "user" | "team" | "organization", role: string, request: any, connector?: "OR" | "AND"): boolean;
+    checkAccess(user: User, level: "team" | "organization", levelId: string, request: any, connector?: "OR" | "AND"): ServerResultAsync<boolean>;
+    hasAccess(user: User, level: "user" | "team" | "organization", levelId: string, request: any, connector?: "OR" | "AND"): ServerResultAsync<boolean>;
+}
+export {};
+//# sourceMappingURL=access.service.d.ts.map

package/dist/src/modules/access/access.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.service.d.ts","sourceRoot":"","sources":["../../../../src/modules/access/access.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AAE7D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAC1E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAEzD,KAAK,IAAI,GAAG;IACV,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,qBAAa,aAAa,CAAC,CAAC,SAAS,UAAU,CAAE,SAAQ,WAAW,CAClE;IAAE,MAAM,EAAE,gBAAgB,CAAA;CAAE,EAC5B,KAAK,CACN;IACC,GAAG,EAAE,kBAAkB,CAAC,CAAC,CAAC,CAAC;gBAEf,YAAY,EAAE;QAAE,MAAM,EAAE,gBAAgB,CAAA;KAAE,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAKlF,SAAS,CACP,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,cAAc,EACvC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,GAAG,EACZ,SAAS,GAAE,IAAI,GAAG,KAAa;IAU3B,WAAW,CACf,IAAI,EAAE,IAAI,EACV,KAAK,EAAE,MAAM,GAAG,cAAc,EAC9B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,GAAG,EACZ,SAAS,GAAE,IAAI,GAAG,KAAa,GAC9B,iBAAiB,CAAC,OAAO,CAAC;IASvB,SAAS,CACb,IAAI,EAAE,IAAI,EACV,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,cAAc,EACvC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,GAAG,EACZ,SAAS,GAAE,IAAI,GAAG,KAAa,GAC9B,iBAAiB,CAAC,OAAO,CAAC;CAsB9B"}

package/dist/src/modules/access/access.service.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessService = void 0;
+const neverthrow_1 = require("neverthrow");
+const base_service_1 = require("#modules/base/base.service");
+class AccessService extends base_service_1.BaseService {
+    acr;
+    constructor(repositories, acr) {
+        super(repositories);
+        this.acr = acr;
+    }
+    authorize(level, role, request, connector = "AND") {
+        try {
+            return !!this.acr[level][role].authorize(request, connector).success;
+        }
+        catch (error) {
+            console.error(error);
+            return false;
+        }
+    }
+    async checkAccess(user, level, levelId, request, connector = "AND") {
+        const role = level === "organization"
+            ? await this.repository.access.getOrganizationRole(user.id, levelId)
+            : await this.repository.access.getTeamRole(user.id, levelId);
+        if (role.isErr())
+            return (0, neverthrow_1.err)(role.error);
+        return (0, neverthrow_1.ok)(this.authorize(level, role.value, request, connector));
+    }
+    async hasAccess(user, level, levelId, request, connector = "AND") {
+        // FIXME: catch all admin user access for now
+        if (user.role === "admin")
+            return (0, neverthrow_1.ok)(true);
+        const userAccess = this.authorize("user", user.role, request, connector);
+        if (level === "user")
+            return (0, neverthrow_1.ok)(userAccess && user.id === levelId);
+        if (userAccess)
+            return (0, neverthrow_1.ok)(true);
+        const organizationAccess = await this.checkAccess(user, "organization", levelId, request, connector);
+        if (organizationAccess.isErr())
+            return (0, neverthrow_1.err)(organizationAccess.error);
+        if (level === "organization")
+            return organizationAccess;
+        if (organizationAccess.value)
+            return (0, neverthrow_1.ok)(true);
+        const teamAccess = await this.checkAccess(user, "team", levelId, request, connector);
+        if (teamAccess.isErr())
+            return (0, neverthrow_1.err)(teamAccess.error);
+        return teamAccess;
+    }
+}
+exports.AccessService = AccessService;

package/dist/src/modules/access/access.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=access.test.d.ts.map

package/dist/src/modules/access/access.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.test.d.ts","sourceRoot":"","sources":["../../../../src/modules/access/access.test.ts"],"names":[],"mappings":""}

package/dist/src/modules/access/access.test.js

@@ -0,0 +1,182 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const tslib_1 = require("tslib");
+const client_1 = require("@libsql/client");
+const libsql_1 = require("drizzle-orm/libsql");
+const fs_1 = tslib_1.__importDefault(require("fs"));
+const path_1 = tslib_1.__importDefault(require("path"));
+const access_repository_1 = require("#modules/access/access.repository");
+const access_service_1 = require("#modules/access/access.service");
+const access_utils_1 = require("#modules/access/access.utils");
+const authSchema = tslib_1.__importStar(require("#modules/auth/auth.db"));
+describe("AccessService", () => {
+    const statements = {
+        project: ["create", "share", "update", "delete"],
+    };
+    const roleDefinitions = {
+        user: {
+            admin: { project: ["create", "share", "update"] },
+        },
+        team: {
+            admin: { project: ["create", "share", "update"] },
+        },
+        organization: {
+            admin: { project: ["create", "share", "update"] },
+        },
+    };
+    const acr = (0, access_utils_1.createAccessRoles)(statements, roleDefinitions);
+    // Minimal repository stub; not used by authorize() unit tests
+    const accessService = new access_service_1.AccessService({ access: {} }, acr);
+    describe("user level", () => {
+        it("allows defined action", () => {
+            expect(accessService.authorize("user", "admin", { project: ["create"] })).toBe(true);
+        });
+        it("denies undefined action", () => {
+            expect(accessService.authorize("user", "admin", { project: ["delete"] })).toBe(false);
+        });
+        it("handles AND vs OR connectors for multiple actions", () => {
+            // admin has create but not delete
+            expect(accessService.authorize("user", "admin", { project: ["create", "delete"] }, "AND")).toBe(false);
+            expect(accessService.authorize("user", "admin", { project: { actions: ["create", "delete"], connector: "OR" } }, "OR")).toBe(true);
+        });
+    });
+    describe("team level", () => {
+        it("allows defined action", () => {
+            expect(accessService.authorize("team", "admin", { project: ["share"] })).toBe(true);
+        });
+        it("denies undefined action", () => {
+            expect(accessService.authorize("team", "admin", { project: ["delete"] })).toBe(false);
+        });
+    });
+    describe("organization level", () => {
+        it("allows defined action", () => {
+            expect(accessService.authorize("organization", "admin", { project: ["update"] })).toBe(true);
+        });
+        it("denies undefined action", () => {
+            expect(accessService.authorize("organization", "admin", { project: ["delete"] })).toBe(false);
+        });
+    });
+});
+describe("AccessRepository (libsql local)", () => {
+    const dbFile = path_1.default.join(__dirname, "access.test.sqlite");
+    const url = `file:${dbFile}`;
+    const client = (0, client_1.createClient)({ url });
+    const orm = (0, libsql_1.drizzle)(client, { schema: authSchema });
+    const repo = new access_repository_1.AccessRepository({ orm, schema: authSchema }, {});
+    beforeAll(async () => {
+        // Create minimal tables required for tests
+        await client.execute(`
+      CREATE TABLE IF NOT EXISTS members (
+        id TEXT PRIMARY KEY,
+        organization_id TEXT NOT NULL,
+        user_id TEXT NOT NULL,
+        role TEXT NOT NULL
+      );
+    `);
+        await client.execute(`
+      CREATE TABLE IF NOT EXISTS teammembers (
+        id TEXT PRIMARY KEY,
+        team_id TEXT NOT NULL,
+        user_id TEXT NOT NULL,
+        role TEXT NOT NULL
+      );
+    `);
+    });
+    beforeEach(async () => {
+        await client.execute({
+            sql: "INSERT INTO members (id, organization_id, user_id, role) VALUES (?, ?, ?, ?)",
+            args: ["m1", "org1", "user1", "admin"],
+        });
+        await client.execute({
+            sql: "INSERT INTO teammembers (id, team_id, user_id, role) VALUES (?, ?, ?, ?)",
+            args: ["tm1", "team1", "user1", "admin"],
+        });
+    });
+    afterEach(async () => {
+        await client.execute("DELETE FROM members;");
+        await client.execute("DELETE FROM teammembers;");
+    });
+    afterAll(async () => {
+        try {
+            await client.close();
+        }
+        catch { }
+        try {
+            if (fs_1.default.existsSync(dbFile))
+                fs_1.default.unlinkSync(dbFile);
+        }
+        catch { }
+    });
+    it("returns organization role for user", async () => {
+        const res = await repo.getOrganizationRole("user1", "org1");
+        expect(res.isOk()).toBe(true);
+        if (res.isOk())
+            expect(res.value).toBe("admin");
+    });
+    it("returns team role for user", async () => {
+        const res = await repo.getTeamRole("user1", "team1");
+        expect(res.isOk()).toBe(true);
+        if (res.isOk())
+            expect(res.value).toBe("admin");
+    });
+    describe("AccessService.hasAccess (with repo)", () => {
+        const hasAccessStatements = {
+            project: ["create", "share", "update", "delete"],
+        };
+        const hasAccessRoles = {
+            user: {
+                member: { project: ["create"] },
+            },
+            team: {
+                manager: { project: ["share"] },
+            },
+            organization: {
+                manager: { project: ["update"] },
+            },
+        };
+        const acr2 = (0, access_utils_1.createAccessRoles)(hasAccessStatements, hasAccessRoles);
+        const service = new access_service_1.AccessService({ access: repo }, acr2);
+        it("admin override grants access", async () => {
+            const result = await service.hasAccess({ id: "any", role: "admin" }, "organization", "whatever", { project: ["delete"] });
+            expect(result.isOk()).toBe(true);
+            if (result.isOk())
+                expect(result.value).toBe(true);
+        });
+        it("user level access only for self and allowed action", async () => {
+            const allowSelf = await service.hasAccess({ id: "user2", role: "member" }, "user", "user2", {
+                project: ["create"],
+            });
+            expect(allowSelf.isOk()).toBe(true);
+            if (allowSelf.isOk())
+                expect(allowSelf.value).toBe(true);
+            const denyOther = await service.hasAccess({ id: "user2", role: "member" }, "user", "other", {
+                project: ["create"],
+            });
+            expect(denyOther.isOk()).toBe(true);
+            if (denyOther.isOk())
+                expect(denyOther.value).toBe(false);
+        });
+        it("organization membership grants access based on repo role", async () => {
+            await client.execute({
+                sql: "INSERT INTO members (id, organization_id, user_id, role) VALUES (?, ?, ?, ?)",
+                args: ["m2", "org2", "user2", "manager"],
+            });
+            const result = await service.hasAccess({ id: "user2", role: "member" }, "organization", "org2", { project: ["update"] });
+            expect(result.isOk()).toBe(true);
+            if (result.isOk())
+                expect(result.value).toBe(true);
+        });
+        it("team membership grants access based on repo role", async () => {
+            await client.execute({
+                sql: "INSERT INTO teammembers (id, team_id, user_id, role) VALUES (?, ?, ?, ?)",
+                args: ["tm2", "team2", "user2", "manager"],
+            });
+            const result = await service.hasAccess({ id: "user2", role: "member" }, "team", "team2", {
+                project: ["share"],
+            });
+            expect(result.isOk()).toBe(true);
+            if (result.isOk())
+                expect(result.value).toBe(true);
+        });
+    });
+});

package/dist/src/modules/access/access.utils.d.ts

@@ -0,0 +1,17 @@
+import { type AccessControl, type Role, type Statements, type Subset } from "better-auth/plugins/access";
+export type AccessControlRoles<T extends Statements> = {
+    ac: AccessControl<T>;
+    user: Record<string, Role<Subset<keyof T, T>>>;
+    team: Record<string, Role<Subset<keyof T, T>>>;
+    organization: Record<string, Role<Subset<keyof T, T>>>;
+};
+export type RoleDefinition<T extends Statements> = {
+    [K in keyof T]?: T[K] extends readonly (infer A)[] ? readonly A[] : never;
+};
+export type RoleDefinitions<T extends Statements> = {
+    user: Record<string, RoleDefinition<T>>;
+    team: Record<string, RoleDefinition<T>>;
+    organization: Record<string, RoleDefinition<T>>;
+};
+export declare function createAccessRoles<T extends Statements>(statements: T, roleDefinitions: RoleDefinitions<T>): AccessControlRoles<T>;
+//# sourceMappingURL=access.utils.d.ts.map

package/dist/src/modules/access/access.utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.utils.d.ts","sourceRoot":"","sources":["../../../../src/modules/access/access.utils.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,aAAa,EAElB,KAAK,IAAI,EACT,KAAK,UAAU,EACf,KAAK,MAAM,EACZ,MAAM,4BAA4B,CAAC;AAEpC,MAAM,MAAM,kBAAkB,CAAC,CAAC,SAAS,UAAU,IAAI;IACrD,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/C,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/C,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;CACxD,CAAC;AAIF,MAAM,MAAM,cAAc,CAAC,CAAC,SAAS,UAAU,IAAI;KAChD,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,GAAG,SAAS,CAAC,EAAE,GAAG,KAAK;CAC1E,CAAC;AAEF,MAAM,MAAM,eAAe,CAAC,CAAC,SAAS,UAAU,IAAI;IAClD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;IACxC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;IACxC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;CACjD,CAAC;AAEF,wBAAgB,iBAAiB,CAAC,CAAC,SAAS,UAAU,EACpD,UAAU,EAAE,CAAC,EACb,eAAe,EAAE,eAAe,CAAC,CAAC,CAAC,GAClC,kBAAkB,CAAC,CAAC,CAAC,CAevB"}

package/dist/src/modules/access/access.utils.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAccessRoles = createAccessRoles;
+const access_1 = require("better-auth/plugins/access");
+function createAccessRoles(statements, roleDefinitions) {
+    const ac = (0, access_1.createAccessControl)(statements);
+    const user = {};
+    const team = {};
+    const organization = {};
+    for (const [roleName, roleStatements] of Object.entries(roleDefinitions.user)) {
+        user[roleName] = ac.newRole(roleStatements);
+    }
+    for (const [roleName, roleStatements] of Object.entries(roleDefinitions.team)) {
+        team[roleName] = ac.newRole(roleStatements);
+    }
+    for (const [roleName, roleStatements] of Object.entries(roleDefinitions.organization)) {
+        organization[roleName] = ac.newRole(roleStatements);
+    }
+    return { ac, user, team, organization };
+}