@m5kdev/backend 0.5.0 → 0.7.0

package/dist/src/modules/auth/auth.trpc.d.ts

@@ -1,7 +1,7 @@
 import { type TRPCMethods } from "../../utils/trpc";
 import type { AuthService } from "./auth.service";
 export declare function createAuthTRPC({ router, publicProcedure, privateProcedure: procedure, adminProcedure }: TRPCMethods, authService: AuthService): import("@trpc/server").TRPCBuiltRouter<{
-    ctx: import("./auth.lib").Context;
+    ctx: import("../../utils/trpc").Context;
     meta: any;
     errorShape: import("@trpc/server").TRPCDefaultErrorShape;
     transformer: true;
@@ -49,10 +49,10 @@ export declare function createAuthTRPC({ router, publicProcedure, privateProcedu
         input: void;
         output: {
             id: string;
-            status: string;
             createdAt: Date;
             updatedAt: Date | null;
             expiresAt: Date | null;
+            status: string;
             claimUserId: string | null;
             claimedAt: Date | null;
             claimedEmail: string | null;
@@ -67,11 +67,11 @@ export declare function createAuthTRPC({ router, publicProcedure, privateProcedu
         output: {
             id: string;
             email: string;
-            url: string;
             createdAt: Date;
-            userId: string;
             expiresAt: Date | null;
+            userId: string;
             claimId: string;
+            url: string;
         };
         meta: any;
     }>;
@@ -82,11 +82,11 @@ export declare function createAuthTRPC({ router, publicProcedure, privateProcedu
         output: {
             id: string;
             email: string;
-            url: string;
             createdAt: Date;
-            userId: string;
             expiresAt: Date | null;
+            userId: string;
             claimId: string;
+            url: string;
         }[];
         meta: any;
     }>;
@@ -139,11 +139,11 @@ export declare function createAuthTRPC({ router, publicProcedure, privateProcedu
         input: void;
         output: {
             id: string;
-            email: string | null;
             name: string | null;
-            status: string;
+            email: string | null;
             createdAt: Date;
             updatedAt: Date | null;
+            status: string;
         }[];
         meta: any;
     }>;
@@ -153,11 +153,11 @@ export declare function createAuthTRPC({ router, publicProcedure, privateProcedu
         };
         output: {
             id: string;
-            email: string | null;
             name: string | null;
-            status: string;
+            email: string | null;
             createdAt: Date;
             updatedAt: Date | null;
+            status: string;
         };
         meta: any;
     }>;
@@ -184,11 +184,11 @@ export declare function createAuthTRPC({ router, publicProcedure, privateProcedu
         };
         output: {
             id: string;
-            email: string | null;
             name: string | null;
-            status: string;
+            email: string | null;
             createdAt: Date;
             updatedAt: Date | null;
+            status: string;
         };
         meta: any;
     }>;
@@ -198,11 +198,11 @@ export declare function createAuthTRPC({ router, publicProcedure, privateProcedu
         };
         output: {
             id: string;
-            email: string | null;
             name: string | null;
-            status: string;
+            email: string | null;
             createdAt: Date;
             updatedAt: Date | null;
+            status: string;
         };
         meta: any;
     }>;
@@ -212,11 +212,11 @@ export declare function createAuthTRPC({ router, publicProcedure, privateProcedu
         };
         output: {
             id: string;
-            email: string | null;
             name: string | null;
-            status: string;
+            email: string | null;
             createdAt: Date;
             updatedAt: Date | null;
+            status: string;
         };
         meta: any;
     }>;

package/dist/src/modules/base/base.abstract.d.ts

@@ -1,8 +1,8 @@
 import type { TRPC_ERROR_CODE_KEY } from "@trpc/server";
-import type { ServerResult, ServerResultAsync } from "./base.dto";
-import type { ServerErrorLayer } from "./base.types";
 import { ServerError } from "../../utils/errors";
 import { logger } from "../../utils/logger";
+import type { ServerResult, ServerResultAsync } from "./base.dto";
+import type { ServerErrorLayer } from "./base.types";
 export declare abstract class Base {
     layer: ServerErrorLayer;
     logger: ReturnType<typeof logger.child>;
@@ -15,4 +15,5 @@ export declare abstract class Base {
     handleUnknownError(error: unknown): ServerError;
     throwable<T>(fn: () => ServerResult<T>): ServerResult<T>;
     throwableAsync<T>(fn: () => ServerResultAsync<T>): ServerResultAsync<T>;
+    throwablePromise<T>(fn: () => Promise<T>, errorHandler?: (error: unknown) => ServerError): ServerResultAsync<T>;
 }

package/dist/src/modules/base/base.abstract.js

@@ -43,11 +43,20 @@ class Base {
     }
     async throwableAsync(fn) {
         try {
-            return fn();
+            return await fn();
         }
         catch (error) {
             return (0, neverthrow_1.err)(this.handleUnknownError(error));
         }
     }
+    async throwablePromise(fn, errorHandler) {
+        try {
+            const result = await fn();
+            return (0, neverthrow_1.ok)(result);
+        }
+        catch (error) {
+            return (0, neverthrow_1.err)(errorHandler ? errorHandler(error) : this.handleUnknownError(error));
+        }
+    }
 }
 exports.Base = Base;

package/dist/src/modules/base/base.actor.d.ts

@@ -0,0 +1,68 @@
+import type { Session, User } from "../auth/auth.lib";
+export type UserActor = {
+    userId: string;
+    userRole: string;
+    organizationId: string | null;
+    organizationRole: string | null;
+    teamId: string | null;
+    teamRole: string | null;
+};
+export type OrganizationActor = {
+    userId: string;
+    userRole: string;
+    organizationId: string;
+    organizationRole: string;
+    teamId: string | null;
+    teamRole: string | null;
+};
+export type TeamActor = {
+    userId: string;
+    userRole: string;
+    organizationId: string;
+    organizationRole: string;
+    teamId: string;
+    teamRole: string;
+};
+export type AuthenticatedActor = UserActor | OrganizationActor | TeamActor;
+/** @deprecated Prefer `AuthenticatedActor` — kept for grants and legacy call sites */
+export type ServiceActor = AuthenticatedActor;
+export type Actor = {
+    user: UserActor;
+    organization: OrganizationActor;
+    team: TeamActor;
+    authenticated: AuthenticatedActor;
+};
+export type ActorScope = "user" | "organization" | "team";
+export type RequiredServiceActor<Scope extends ActorScope> = Actor[Scope];
+/** Claims shape used by tests and factories */
+export type ServiceActorClaims = {
+    userId: string;
+    userRole: string;
+    organizationId?: string | null;
+    organizationRole?: string | null;
+    teamId?: string | null;
+    teamRole?: string | null;
+};
+/** @deprecated Prefer `OrganizationActor` */
+export type ServiceOrganizationActor = OrganizationActor;
+/** @deprecated Prefer `TeamActor` */
+export type ServiceTeamActor = TeamActor;
+export declare function createActorFromContext(context: {
+    user: User;
+    session: Session;
+}, scope: "team"): TeamActor;
+export declare function createActorFromContext(context: {
+    user: User;
+    session: Session;
+}, scope: "organization"): OrganizationActor;
+export declare function createActorFromContext(context: {
+    user: User;
+    session: Session;
+}, scope: "user"): UserActor;
+export declare function validateActor(actor: AuthenticatedActor, scope: ActorScope): boolean;
+/**
+ * Builds a flat actor for tests / grants without session. Validates that team scope implies organization.
+ */
+export declare function createServiceActor(claims: ServiceActorClaims): AuthenticatedActor;
+export declare function getServiceActorScope(actor: AuthenticatedActor): ActorScope;
+export declare function hasServiceActorScope(actor: AuthenticatedActor, scope: ActorScope): boolean;

package/dist/src/modules/base/base.actor.js

@@ -0,0 +1,99 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createActorFromContext = createActorFromContext;
+exports.validateActor = validateActor;
+exports.createServiceActor = createServiceActor;
+exports.getServiceActorScope = getServiceActorScope;
+exports.hasServiceActorScope = hasServiceActorScope;
+const errors_1 = require("../../utils/errors");
+function createActorFromContext(context, scope) {
+    if (!context.user.role) {
+        throw new errors_1.ServerError({
+            code: "BAD_REQUEST",
+            message: "User role not found in context",
+            layer: "controller",
+            layerName: "ActorValidation",
+        });
+    }
+    if (scope === "organization") {
+        if (!context.session.activeOrganizationId || !context.session.activeOrganizationRole) {
+            throw new errors_1.ServerError({
+                code: "FORBIDDEN",
+                message: "Active organization context required",
+                layer: "controller",
+                layerName: "ActorValidation",
+            });
+        }
+    }
+    if (scope === "team") {
+        if (!context.session.activeOrganizationId || !context.session.activeOrganizationRole) {
+            throw new errors_1.ServerError({
+                code: "FORBIDDEN",
+                message: "Active organization context required for team scope",
+                layer: "controller",
+                layerName: "ActorValidation",
+            });
+        }
+        if (!context.session.activeTeamId || !context.session.activeTeamRole) {
+            throw new errors_1.ServerError({
+                code: "FORBIDDEN",
+                message: "Active team context required",
+                layer: "controller",
+                layerName: "ActorValidation",
+            });
+        }
+    }
+    return {
+        userId: context.user.id,
+        userRole: context.user.role,
+        organizationId: context.session.activeOrganizationId,
+        organizationRole: context.session.activeOrganizationRole,
+        teamId: context.session.activeTeamId,
+        teamRole: context.session.activeTeamRole,
+    };
+}
+function validateActor(actor, scope) {
+    if (!actor.userId || !actor.userRole)
+        return false;
+    if (scope === "user")
+        return true;
+    if (scope === "organization") {
+        return Boolean(actor.organizationId && actor.organizationRole);
+    }
+    return Boolean(actor.organizationId && actor.organizationRole && actor.teamId && actor.teamRole);
+}
+/**
+ * Builds a flat actor for tests / grants without session. Validates that team scope implies organization.
+ */
+function createServiceActor(claims) {
+    const organizationId = claims.organizationId ?? null;
+    const organizationRole = claims.organizationRole ?? null;
+    const teamId = claims.teamId ?? null;
+    const teamRole = claims.teamRole ?? null;
+    if ((teamId || teamRole) && (!organizationId || !organizationRole)) {
+        throw new Error("organization access before team access");
+    }
+    return {
+        userId: claims.userId,
+        userRole: claims.userRole,
+        organizationId,
+        organizationRole,
+        teamId,
+        teamRole,
+    };
+}
+function getServiceActorScope(actor) {
+    if (validateActor(actor, "team"))
+        return "team";
+    if (validateActor(actor, "organization"))
+        return "organization";
+    return "user";
+}
+function hasServiceActorScope(actor, scope) {
+    if (scope === "team")
+        return validateActor(actor, "team");
+    if (scope === "organization") {
+        return validateActor(actor, "organization") || validateActor(actor, "team");
+    }
+    return validateActor(actor, "user");
+}

package/dist/src/modules/base/base.actor.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/src/modules/base/base.actor.test.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const base_actor_1 = require("./base.actor");
+describe("base.actor", () => {
+    it("creates a user actor when only user claims are present", () => {
+        const actor = (0, base_actor_1.createServiceActor)({
+            userId: "user-1",
+            userRole: "member",
+        });
+        expect(actor).toEqual({
+            userId: "user-1",
+            userRole: "member",
+            organizationId: null,
+            organizationRole: null,
+            teamId: null,
+            teamRole: null,
+        });
+    });
+    it("derives the highest available scope", () => {
+        expect((0, base_actor_1.getServiceActorScope)({
+            userId: "user-1",
+            userRole: "member",
+            organizationId: "org-1",
+            organizationRole: "owner",
+            teamId: null,
+            teamRole: null,
+        })).toBe("organization");
+        expect((0, base_actor_1.getServiceActorScope)({
+            userId: "user-1",
+            userRole: "member",
+            organizationId: "org-1",
+            organizationRole: "owner",
+            teamId: "team-1",
+            teamRole: "manager",
+        })).toBe("team");
+    });
+    it("validates hierarchy before building a team actor", () => {
+        expect(() => (0, base_actor_1.createServiceActor)({
+            userId: "user-1",
+            userRole: "member",
+            teamId: "team-1",
+            teamRole: "manager",
+        })).toThrow("organization access before team access");
+    });
+    it("checks required scope against broader actors", () => {
+        const actor = (0, base_actor_1.createServiceActor)({
+            userId: "user-1",
+            userRole: "member",
+            organizationId: "org-1",
+            organizationRole: "owner",
+            teamId: "team-1",
+            teamRole: "manager",
+        });
+        expect((0, base_actor_1.hasServiceActorScope)(actor, "user")).toBe(true);
+        expect((0, base_actor_1.hasServiceActorScope)(actor, "organization")).toBe(true);
+        expect((0, base_actor_1.hasServiceActorScope)(actor, "team")).toBe(true);
+    });
+});

package/dist/src/modules/base/base.grants.d.ts

@@ -1,4 +1,4 @@
-import type { Session, User } from "../auth/auth.lib";
+import type { ServiceActor } from "./base.actor";
 import type { ServerResultAsync } from "./base.dto";
 type Level = "user" | "team" | "organization";
 type Access = "all" | "own";
@@ -19,10 +19,6 @@ export type NestedGrants = Record<string, Partial<Record<Level, Record<string, R
 export type ResourceGrant = Omit<Grant, "resource">;
 export type ResourceActionGrant = Omit<ResourceGrant, "action">;
 export declare function flattenNestedGrants(nestedGrants: NestedGrants): Grant[];
-interface PermissionContext {
-    session: Session;
-    user: User;
-}
-export declare function checkPermissionSync<T extends Entity>(ctx: PermissionContext, grants: ResourceActionGrant[], entities?: T | T[]): boolean;
-export declare function checkPermissionAsync<T extends Entity>(ctx: PermissionContext, grants: ResourceActionGrant[], getEntities: () => ServerResultAsync<T | T[] | undefined>): ServerResultAsync<boolean>;
+export declare function checkPermissionSync<T extends Entity>(actor: ServiceActor, grants: ResourceActionGrant[], entities?: T | T[]): boolean;
+export declare function checkPermissionAsync<T extends Entity>(actor: ServiceActor, grants: ResourceActionGrant[], getEntities: () => ServerResultAsync<T | T[] | undefined>): ServerResultAsync<boolean>;
 export {};

package/dist/src/modules/base/base.grants.js

@@ -92,26 +92,38 @@ function checkOwnAccess(grants, roles, contextValues, entities) {
     }
     return false;
 }
-function checkPermissionSync(ctx, grants, entities) {
+function checkPermissionSync(actor, grants, entities) {
     if (!grants || grants.length === 0)
         return false;
-    const { id: userId, role: userRole } = ctx.user;
-    const { activeOrganizationRole: organizationRole, activeTeamRole: teamRole, activeOrganizationId: organizationId, activeTeamId: teamId, } = ctx.session;
-    const roles = { userRole, teamRole, organizationRole };
-    const contextValues = { userId, teamId, organizationId };
+    const roles = {
+        userRole: actor.userRole,
+        teamRole: actor.teamRole,
+        organizationRole: actor.organizationRole,
+    };
+    const contextValues = {
+        userId: actor.userId,
+        teamId: actor.teamId,
+        organizationId: actor.organizationId,
+    };
     // Pass 1: Check for "all" access first (no ownership check needed)
     if (hasAllAccess(grants, roles))
         return true;
     // Pass 2: Check "own" access with ownership validation
     return checkOwnAccess(grants, roles, contextValues, entities);
 }
-async function checkPermissionAsync(ctx, grants, getEntities) {
+async function checkPermissionAsync(actor, grants, getEntities) {
     if (!grants || grants.length === 0)
         return (0, neverthrow_1.ok)(false);
-    const { id: userId, role: userRole } = ctx.user;
-    const { activeOrganizationRole: organizationRole, activeTeamRole: teamRole, activeOrganizationId: organizationId, activeTeamId: teamId, } = ctx.session;
-    const roles = { userRole, teamRole, organizationRole };
-    const contextValues = { userId, teamId, organizationId };
+    const roles = {
+        userRole: actor.userRole,
+        teamRole: actor.teamRole,
+        organizationRole: actor.organizationRole,
+    };
+    const contextValues = {
+        userId: actor.userId,
+        teamId: actor.teamId,
+        organizationId: actor.organizationId,
+    };
     // Pass 1: Check for "all" access first (no entity fetch needed)
     if (hasAllAccess(grants, roles))
         return (0, neverthrow_1.ok)(true);

package/dist/src/modules/base/base.grants.test.js

@@ -1,53 +1,24 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const neverthrow_1 = require("neverthrow");
-const base_grants_1 = require("./base.grants");
 const errors_1 = require("../../utils/errors");
-// ============================================
-// Mock Factories
-// ============================================
-function createMockUser(overrides = {}) {
-    return {
-        id: "user-123",
-        role: "member",
-        email: "test@example.com",
-        emailVerified: true,
-        name: "Test User",
-        createdAt: new Date(),
-        updatedAt: new Date(),
-        image: null,
-        onboarding: null,
-        preferences: null,
-        flags: null,
-        stripeCustomerId: null,
-        paymentCustomerId: null,
-        paymentPlanTier: null,
-        paymentPlanExpiresAt: null,
-        ...overrides,
-    };
-}
-function createMockSession(overrides = {}) {
-    return {
-        id: "session-123",
-        userId: "user-123",
-        token: "token-123",
-        expiresAt: new Date(Date.now() + 86400000),
-        createdAt: new Date(),
-        updatedAt: new Date(),
-        ipAddress: null,
-        userAgent: null,
-        activeOrganizationId: null,
-        activeTeamId: null,
-        activeOrganizationRole: null,
-        activeTeamRole: null,
-        ...overrides,
-    };
-}
+const base_actor_1 = require("./base.actor");
+const base_grants_1 = require("./base.grants");
 function createMockContext(userOverrides = {}, sessionOverrides = {}) {
-    return {
-        user: createMockUser(userOverrides),
-        session: createMockSession(sessionOverrides),
-    };
+    const organizationId = sessionOverrides.activeOrganizationId ?? (sessionOverrides.activeTeamId ? "org-123" : null);
+    const organizationRole = sessionOverrides.activeOrganizationRole ?? (sessionOverrides.activeTeamRole ? "member" : null);
+    const actor = (0, base_actor_1.createServiceActor)({
+        userId: userOverrides.id ?? "user-123",
+        userRole: userOverrides.role ?? "member",
+        organizationId,
+        organizationRole,
+        teamId: sessionOverrides.activeTeamId ?? null,
+        teamRole: sessionOverrides.activeTeamRole ?? null,
+    });
+    if (!actor) {
+        throw new Error("Expected actor");
+    }
+    return actor;
 }
 function createMockEntity(overrides = {}) {
     return {

package/dist/src/modules/base/base.procedure.d.ts

@@ -0,0 +1,109 @@
+import type { QueryInput } from "@m5kdev/commons/modules/schemas/query.schema";
+import type { TRPC_ERROR_CODE_KEY } from "@trpc/server";
+import type { ServerError } from "../../utils/errors";
+import type { logger } from "../../utils/logger";
+import type { Base } from "./base.abstract";
+import { type Actor, type ActorScope, type AuthenticatedActor } from "./base.actor";
+import type { ServerResult, ServerResultAsync } from "./base.dto";
+import type { Entity, ResourceActionGrant } from "./base.grants";
+type ServiceLogger = ReturnType<typeof logger.child>;
+type RepositoryMap = Record<string, Base>;
+type ServiceMap = Record<string, Base>;
+export type ServiceProcedureContext = {
+    actor?: AuthenticatedActor | null;
+} & Record<string, unknown>;
+export type ServiceProcedureState = Record<string, unknown>;
+export type ServiceProcedureStoredValue<T> = [T] extends [undefined] ? undefined : Awaited<T>;
+export type ServiceProcedureResultLike<T> = T | ServerResult<T> | Promise<T | ServerResult<T>>;
+export type ServiceProcedureContextFilterScope = ActorScope;
+export type ServiceProcedureContextFilteredInput<TInput> = Extract<NonNullable<TInput>, QueryInput>;
+type ServiceProcedureAuthContext<Scope extends ActorScope> = {
+    actor: Actor[Scope];
+};
+type ServiceProcedureRequiredScopeFromFilter<TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined> = TInclude extends readonly ServiceProcedureContextFilterScope[] ? "team" extends TInclude[number] ? "team" : "organization" extends TInclude[number] ? "organization" : "user" : "user";
+export type ServiceProcedure<TInput, TCtx extends ServiceProcedureContext, TOutput> = (input: TInput, ctx: TCtx) => ServerResultAsync<TOutput>;
+export type ServiceProcedureArgs<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState> = {
+    input: TInput;
+    ctx: TCtx;
+    state: State;
+    repository: Repositories;
+    service: Services;
+    logger: ServiceLogger;
+};
+export type ServiceProcedureStep<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TOutput = undefined> = (args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>) => ServiceProcedureResultLike<ServiceProcedureStoredValue<TOutput>>;
+export type ServiceProcedureInputMapper<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TNextInput> = (args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>) => ServiceProcedureResultLike<ServiceProcedureStoredValue<TNextInput>>;
+export type ServiceProcedureHandler<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TOutput> = (args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>) => ServiceProcedureResultLike<TOutput>;
+export type ServiceProcedureEntityResolver<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TEntities extends Entity | Entity[] | undefined> = TEntities | ((args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>) => ServiceProcedureResultLike<TEntities>);
+type ServiceProcedureAccessBaseConfig = {
+    action: string;
+    grants?: ResourceActionGrant[];
+};
+export type ServiceProcedureEntityStepName<State extends ServiceProcedureState> = Extract<{
+    [Key in keyof State]: State[Key] extends Entity | Entity[] | undefined ? Key : never;
+}[keyof State], string>;
+export type ServiceProcedureAccessEntitiesConfig<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TEntities extends Entity | Entity[] | undefined = undefined> = ServiceProcedureAccessBaseConfig & {
+    entities?: ServiceProcedureEntityResolver<TInput, TCtx, Repositories, Services, State, TEntities>;
+    entityStep?: never;
+};
+export type ServiceProcedureAccessStateConfig<State extends ServiceProcedureState, StepName extends ServiceProcedureEntityStepName<State>> = ServiceProcedureAccessBaseConfig & {
+    entityStep: StepName;
+    entities?: never;
+};
+export type ServiceProcedureAccessConfig<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TEntities extends Entity | Entity[] | undefined = undefined> = ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State, TEntities> | ServiceProcedureAccessStateConfig<State, ServiceProcedureEntityStepName<State>>;
+export interface ServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>> {
+    use<StepName extends string, TOutput = void>(stepName: StepName, step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>): ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TOutput>>>;
+    mapInput<StepName extends string, TNextInput>(stepName: StepName, step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>): ServiceProcedureBuilder<ServiceProcedureStoredValue<TNextInput>, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>>;
+    addContextFilter<TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined>(include?: TInclude): ServiceProcedureBuilder<ServiceProcedureContextFilteredInput<TInput>, TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>, Repositories, Services, State & {
+        contextFilter: ServiceProcedureContextFilteredInput<TInput>;
+    }>;
+    requireAuth<Scope extends ActorScope = "user">(scope?: Scope): ServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<Scope>, Repositories, Services, State>;
+    handle<TOutput>(handler: ServiceProcedureHandler<TInput, TCtx, Repositories, Services, State, TOutput>): ServiceProcedure<TInput, TCtx, TOutput>;
+}
+export interface PermissionServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>> extends ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State> {
+    use<StepName extends string, TOutput = void>(stepName: StepName, step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>): PermissionServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TOutput>>>;
+    mapInput<StepName extends string, TNextInput>(stepName: StepName, step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>): PermissionServiceProcedureBuilder<ServiceProcedureStoredValue<TNextInput>, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>>;
+    addContextFilter<TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined>(include?: TInclude): PermissionServiceProcedureBuilder<ServiceProcedureContextFilteredInput<TInput>, TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>, Repositories, Services, State & {
+        contextFilter: ServiceProcedureContextFilteredInput<TInput>;
+    }>;
+    requireAuth<Scope extends ActorScope = "user">(scope?: Scope): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<Scope>, Repositories, Services, State>;
+    access(config: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State>): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<"user">, Repositories, Services, State>;
+    access<TEntities extends Entity | Entity[] | undefined>(config: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State, TEntities>): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<"user">, Repositories, Services, State & {
+        access: TEntities;
+    }>;
+    access<StepName extends ServiceProcedureEntityStepName<State>>(config: ServiceProcedureAccessStateConfig<State, StepName>): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<"user">, Repositories, Services, State & {
+        access: State[StepName];
+    }>;
+}
+type BaseServiceProcedureHost<Repositories extends RepositoryMap, Services extends ServiceMap> = {
+    repository: Repositories;
+    service: Services;
+    logger: ServiceLogger;
+    addContextFilter(actor: AuthenticatedActor, include?: {
+        user?: boolean;
+        organization?: boolean;
+        team?: boolean;
+    }, query?: QueryInput): QueryInput;
+    error(code: TRPC_ERROR_CODE_KEY, message?: string, options?: {
+        cause?: unknown;
+        clientMessage?: string;
+        log?: boolean;
+    }): ServerResult<never>;
+    throwableAsync<T>(fn: () => ServerResultAsync<T>): ServerResultAsync<T>;
+    handleUnknownError(error: unknown): ServerError;
+};
+type PermissionServiceProcedureHost<Repositories extends RepositoryMap, Services extends ServiceMap> = BaseServiceProcedureHost<Repositories, Services> & {
+    checkPermission<T extends Entity>(actor: AuthenticatedActor, action: string, entities?: T | T[], grants?: ResourceActionGrant[]): boolean;
+    checkPermissionAsync<T extends Entity>(actor: AuthenticatedActor, action: string, getEntities: () => ServerResultAsync<T | T[] | undefined>, grants?: ResourceActionGrant[]): ServerResultAsync<boolean>;
+};
+type ProcedureRuntimeStep<Repositories extends RepositoryMap, Services extends ServiceMap> = {
+    stage: "use" | "input" | "auth" | "access";
+    stepName: string;
+    run: (args: ServiceProcedureArgs<unknown, ServiceProcedureContext, Repositories, Services, ServiceProcedureState>) => Promise<ServerResult<unknown>>;
+};
+type ProcedureBuilderConfig<Repositories extends RepositoryMap, Services extends ServiceMap> = {
+    name: string;
+    steps: ProcedureRuntimeStep<Repositories, Services>[];
+};
+export declare function createServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>>(host: BaseServiceProcedureHost<Repositories, Services>, config: ProcedureBuilderConfig<Repositories, Services>): ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State>;
+export declare function createPermissionServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>>(host: PermissionServiceProcedureHost<Repositories, Services>, config: ProcedureBuilderConfig<Repositories, Services>): PermissionServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State>;
+export {};