npm - @m5kdev/backend - Versions diffs - 0.6.0 → 0.8.0 - Mend

@m5kdev/backend 0.6.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (553) hide show

package/dist/src/modules/base/base.grants.mjs ADDED Viewed

@@ -0,0 +1,103 @@
+import { err, ok } from "neverthrow";
+//#region src/modules/base/base.grants.ts
+function flattenNestedGrants(nestedGrants) {
+	return Object.entries(nestedGrants).flatMap(([resource, levels]) => {
+		return Object.entries(levels).flatMap(([level, roles]) => {
+			return Object.entries(roles).flatMap(([role, actions]) => {
+				return Object.entries(actions).map(([action, access]) => {
+					return {
+						resource,
+						level,
+						role,
+						action,
+						access
+					};
+				});
+			});
+		});
+	});
+}
+function checkOwnership(entityField, contextValue, entities) {
+	if (!contextValue) return false;
+	if (!entities) return false;
+	return Array.isArray(entities) ? entities.every((e) => e[entityField] === contextValue) : entities[entityField] === contextValue;
+}
+const LEVEL_PRIORITY = [
+	"user",
+	"team",
+	"organization"
+];
+function getRoleForLevel(level, ctx) {
+	switch (level) {
+		case "user": return ctx.userRole;
+		case "team": return ctx.teamRole;
+		case "organization": return ctx.organizationRole;
+	}
+}
+function getContextValueForLevel(level, ctx) {
+	switch (level) {
+		case "user": return ctx.userId;
+		case "team": return ctx.teamId;
+		case "organization": return ctx.organizationId;
+	}
+}
+function getOwnershipFieldForLevel(level) {
+	switch (level) {
+		case "user": return "userId";
+		case "team": return "teamId";
+		case "organization": return "organizationId";
+	}
+}
+function hasAllAccess(grants, roles) {
+	for (const level of LEVEL_PRIORITY) for (const grant of grants) {
+		if (grant.level !== level) continue;
+		if (grant.access !== "all") continue;
+		if (grant.role === getRoleForLevel(level, roles)) return true;
+	}
+	return false;
+}
+function checkOwnAccess(grants, roles, contextValues, entities) {
+	for (const level of LEVEL_PRIORITY) for (const grant of grants) {
+		if (grant.level !== level) continue;
+		if (grant.access !== "own") continue;
+		if (grant.role !== getRoleForLevel(level, roles)) continue;
+		if (checkOwnership(getOwnershipFieldForLevel(level), getContextValueForLevel(level, contextValues), entities)) return true;
+	}
+	return false;
+}
+function checkPermissionSync(actor, grants, entities) {
+	if (!grants || grants.length === 0) return false;
+	const roles = {
+		userRole: actor.userRole,
+		teamRole: actor.teamRole,
+		organizationRole: actor.organizationRole
+	};
+	const contextValues = {
+		userId: actor.userId,
+		teamId: actor.teamId,
+		organizationId: actor.organizationId
+	};
+	if (hasAllAccess(grants, roles)) return true;
+	return checkOwnAccess(grants, roles, contextValues, entities);
+}
+async function checkPermissionAsync(actor, grants, getEntities) {
+	if (!grants || grants.length === 0) return ok(false);
+	const roles = {
+		userRole: actor.userRole,
+		teamRole: actor.teamRole,
+		organizationRole: actor.organizationRole
+	};
+	const contextValues = {
+		userId: actor.userId,
+		teamId: actor.teamId,
+		organizationId: actor.organizationId
+	};
+	if (hasAllAccess(grants, roles)) return ok(true);
+	const entities = await getEntities();
+	if (entities.isErr()) return err(entities.error);
+	return ok(checkOwnAccess(grants, roles, contextValues, entities.value));
+}
+//#endregion
+export { checkPermissionAsync, checkPermissionSync, flattenNestedGrants };
+//# sourceMappingURL=base.grants.mjs.map

package/dist/src/modules/base/base.grants.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"base.grants.mjs","names":[],"sources":["../../../../src/modules/base/base.grants.ts"],"sourcesContent":["import { err, ok } from \"neverthrow\";\r\nimport type { ServiceActor } from \"./base.actor\";\r\nimport type { ServerResultAsync } from \"./base.dto\";\r\n\r\ntype Level = \"user\" | \"team\" | \"organization\";\r\ntype Access = \"all\" | \"own\";\r\n\r\nexport type Entity = Partial<{\r\n userId: string | null;\r\n teamId: string | null;\r\n organizationId: string | null;\r\n}>;\r\n\r\nexport type Grant = {\r\n level: Level;\r\n role: string;\r\n action: string;\r\n resource: string;\r\n access: Access;\r\n attributes?: string[];\r\n};\r\n\r\nexport type NestedGrants = Record<\r\n string,\r\n Partial<Record<Level, Record<string, Record<string, Access>>>>\r\n>;\r\n\r\nexport type ResourceGrant = Omit<Grant, \"resource\">;\r\n\r\nexport type ResourceActionGrant = Omit<ResourceGrant, \"action\">;\r\n\r\nexport function flattenNestedGrants(nestedGrants: NestedGrants): Grant[] {\r\n return Object.entries(nestedGrants).flatMap(([resource, levels]) => {\r\n return Object.entries(levels).flatMap(([level, roles]) => {\r\n return Object.entries(roles).flatMap(([role, actions]) => {\r\n return Object.entries(actions).map(([action, access]) => {\r\n return {\r\n resource,\r\n level: level as Level,\r\n role,\r\n action,\r\n access,\r\n };\r\n });\r\n });\r\n });\r\n });\r\n}\r\n\r\nfunction checkOwnership(\r\n entityField: keyof Entity,\r\n contextValue: string | null | undefined,\r\n entities?: Entity | Entity[]\r\n): boolean {\r\n if (!contextValue) return false;\r\n if (!entities) return false;\r\n return Array.isArray(entities)\r\n ? entities.every((e) => e[entityField] === contextValue)\r\n : entities[entityField] === contextValue;\r\n}\r\n\r\ntype GrantLevel = \"user\" | \"team\" | \"organization\";\r\n\r\n// Level priority: user -> team -> organization (bottom-up)\r\nconst LEVEL_PRIORITY: readonly GrantLevel[] = [\"user\", \"team\", \"organization\"];\r\n\r\ninterface RoleContext {\r\n userRole: string | null;\r\n teamRole: string | null;\r\n organizationRole: string | null;\r\n}\r\n\r\ninterface ContextValues {\r\n userId: string;\r\n teamId: string | null;\r\n organizationId: string | null;\r\n}\r\n\r\nfunction getRoleForLevel(level: GrantLevel, ctx: RoleContext): string | null {\r\n switch (level) {\r\n case \"user\":\r\n return ctx.userRole;\r\n case \"team\":\r\n return ctx.teamRole;\r\n case \"organization\":\r\n return ctx.organizationRole;\r\n }\r\n}\r\n\r\nfunction getContextValueForLevel(level: GrantLevel, ctx: ContextValues): string | null {\r\n switch (level) {\r\n case \"user\":\r\n return ctx.userId;\r\n case \"team\":\r\n return ctx.teamId;\r\n case \"organization\":\r\n return ctx.organizationId;\r\n }\r\n}\r\n\r\nfunction getOwnershipFieldForLevel(level: GrantLevel): keyof Entity {\r\n switch (level) {\r\n case \"user\":\r\n return \"userId\";\r\n case \"team\":\r\n return \"teamId\";\r\n case \"organization\":\r\n return \"organizationId\";\r\n }\r\n}\r\n\r\nfunction hasAllAccess(grants: ResourceActionGrant[], roles: RoleContext): boolean {\r\n for (const level of LEVEL_PRIORITY) {\r\n for (const grant of grants) {\r\n if (grant.level !== level) continue;\r\n if (grant.access !== \"all\") continue;\r\n if (grant.role === getRoleForLevel(level, roles)) return true;\r\n }\r\n }\r\n return false;\r\n}\r\n\r\nfunction checkOwnAccess(\r\n grants: ResourceActionGrant[],\r\n roles: RoleContext,\r\n contextValues: ContextValues,\r\n entities: Entity | Entity[] | undefined\r\n): boolean {\r\n for (const level of LEVEL_PRIORITY) {\r\n for (const grant of grants) {\r\n if (grant.level !== level) continue;\r\n if (grant.access !== \"own\") continue;\r\n if (grant.role !== getRoleForLevel(level, roles)) continue;\r\n\r\n const ownershipField = getOwnershipFieldForLevel(level);\r\n const contextValue = getContextValueForLevel(level, contextValues);\r\n\r\n if (checkOwnership(ownershipField, contextValue, entities)) return true;\r\n }\r\n }\r\n return false;\r\n}\r\n\r\nexport function checkPermissionSync<T extends Entity>(\r\n actor: ServiceActor,\r\n grants: ResourceActionGrant[],\r\n entities?: T | T[]\r\n): boolean {\r\n if (!grants || grants.length === 0) return false;\r\n\r\n const roles = {\r\n userRole: actor.userRole,\r\n teamRole: actor.teamRole,\r\n organizationRole: actor.organizationRole,\r\n };\r\n const contextValues = {\r\n userId: actor.userId,\r\n teamId: actor.teamId,\r\n organizationId: actor.organizationId,\r\n };\r\n\r\n // Pass 1: Check for \"all\" access first (no ownership check needed)\r\n if (hasAllAccess(grants, roles)) return true;\r\n\r\n // Pass 2: Check \"own\" access with ownership validation\r\n return checkOwnAccess(grants, roles, contextValues, entities);\r\n}\r\n\r\nexport async function checkPermissionAsync<T extends Entity>(\r\n actor: ServiceActor,\r\n grants: ResourceActionGrant[],\r\n getEntities: () => ServerResultAsync<T | T[] | undefined>\r\n): ServerResultAsync<boolean> {\r\n if (!grants || grants.length === 0) return ok(false);\r\n\r\n const roles = {\r\n userRole: actor.userRole,\r\n teamRole: actor.teamRole,\r\n organizationRole: actor.organizationRole,\r\n };\r\n const contextValues = {\r\n userId: actor.userId,\r\n teamId: actor.teamId,\r\n organizationId: actor.organizationId,\r\n };\r\n\r\n // Pass 1: Check for \"all\" access first (no entity fetch needed)\r\n if (hasAllAccess(grants, roles)) return ok(true);\r\n\r\n // Pass 2: Only fetch entities if we need to check ownership\r\n const entities = await getEntities();\r\n if (entities.isErr()) return err(entities.error);\r\n return ok(checkOwnAccess(grants, roles, contextValues, entities.value));\r\n}\r\n"],"mappings":";;AA+BA,SAAgB,oBAAoB,cAAqC;AACvE,QAAO,OAAO,QAAQ,aAAa,CAAC,SAAS,CAAC,UAAU,YAAY;AAClE,SAAO,OAAO,QAAQ,OAAO,CAAC,SAAS,CAAC,OAAO,WAAW;AACxD,UAAO,OAAO,QAAQ,MAAM,CAAC,SAAS,CAAC,MAAM,aAAa;AACxD,WAAO,OAAO,QAAQ,QAAQ,CAAC,KAAK,CAAC,QAAQ,YAAY;AACvD,YAAO;MACL;MACO;MACP;MACA;MACA;MACD;MACD;KACF;IACF;GACF;;AAGJ,SAAS,eACP,aACA,cACA,UACS;AACT,KAAI,CAAC,aAAc,QAAO;AAC1B,KAAI,CAAC,SAAU,QAAO;AACtB,QAAO,MAAM,QAAQ,SAAS,GAC1B,SAAS,OAAO,MAAM,EAAE,iBAAiB,aAAa,GACtD,SAAS,iBAAiB;;AAMhC,MAAM,iBAAwC;CAAC;CAAQ;CAAQ;CAAe;AAc9E,SAAS,gBAAgB,OAAmB,KAAiC;AAC3E,SAAQ,OAAR;EACE,KAAK,OACH,QAAO,IAAI;EACb,KAAK,OACH,QAAO,IAAI;EACb,KAAK,eACH,QAAO,IAAI;;;AAIjB,SAAS,wBAAwB,OAAmB,KAAmC;AACrF,SAAQ,OAAR;EACE,KAAK,OACH,QAAO,IAAI;EACb,KAAK,OACH,QAAO,IAAI;EACb,KAAK,eACH,QAAO,IAAI;;;AAIjB,SAAS,0BAA0B,OAAiC;AAClE,SAAQ,OAAR;EACE,KAAK,OACH,QAAO;EACT,KAAK,OACH,QAAO;EACT,KAAK,eACH,QAAO;;;AAIb,SAAS,aAAa,QAA+B,OAA6B;AAChF,MAAK,MAAM,SAAS,eAClB,MAAK,MAAM,SAAS,QAAQ;AAC1B,MAAI,MAAM,UAAU,MAAO;AAC3B,MAAI,MAAM,WAAW,MAAO;AAC5B,MAAI,MAAM,SAAS,gBAAgB,OAAO,MAAM,CAAE,QAAO;;AAG7D,QAAO;;AAGT,SAAS,eACP,QACA,OACA,eACA,UACS;AACT,MAAK,MAAM,SAAS,eAClB,MAAK,MAAM,SAAS,QAAQ;AAC1B,MAAI,MAAM,UAAU,MAAO;AAC3B,MAAI,MAAM,WAAW,MAAO;AAC5B,MAAI,MAAM,SAAS,gBAAgB,OAAO,MAAM,CAAE;AAKlD,MAAI,eAHmB,0BAA0B,MAAM,EAClC,wBAAwB,OAAO,cAAc,EAEjB,SAAS,CAAE,QAAO;;AAGvE,QAAO;;AAGT,SAAgB,oBACd,OACA,QACA,UACS;AACT,KAAI,CAAC,UAAU,OAAO,WAAW,EAAG,QAAO;CAE3C,MAAM,QAAQ;EACZ,UAAU,MAAM;EAChB,UAAU,MAAM;EAChB,kBAAkB,MAAM;EACzB;CACD,MAAM,gBAAgB;EACpB,QAAQ,MAAM;EACd,QAAQ,MAAM;EACd,gBAAgB,MAAM;EACvB;AAGD,KAAI,aAAa,QAAQ,MAAM,CAAE,QAAO;AAGxC,QAAO,eAAe,QAAQ,OAAO,eAAe,SAAS;;AAG/D,eAAsB,qBACpB,OACA,QACA,aAC4B;AAC5B,KAAI,CAAC,UAAU,OAAO,WAAW,EAAG,QAAO,GAAG,MAAM;CAEpD,MAAM,QAAQ;EACZ,UAAU,MAAM;EAChB,UAAU,MAAM;EAChB,kBAAkB,MAAM;EACzB;CACD,MAAM,gBAAgB;EACpB,QAAQ,MAAM;EACd,QAAQ,MAAM;EACd,gBAAgB,MAAM;EACvB;AAGD,KAAI,aAAa,QAAQ,MAAM,CAAE,QAAO,GAAG,KAAK;CAGhD,MAAM,WAAW,MAAM,aAAa;AACpC,KAAI,SAAS,OAAO,CAAE,QAAO,IAAI,SAAS,MAAM;AAChD,QAAO,GAAG,eAAe,QAAQ,OAAO,eAAe,SAAS,MAAM,CAAC"}

package/dist/src/modules/base/base.procedure.d.mts ADDED Viewed

@@ -0,0 +1,111 @@
+import { ServerError } from "../../utils/errors.mjs";
+import { ServerResult, ServerResultAsync } from "./base.dto.mjs";
+import { logger } from "../../utils/logger.mjs";
+import { Base } from "./base.abstract.mjs";
+import { Actor, ActorScope, AuthenticatedActor } from "./base.actor.mjs";
+import { Entity, ResourceActionGrant } from "./base.grants.mjs";
+import { TRPC_ERROR_CODE_KEY } from "@trpc/server";
+import { QueryInput } from "@m5kdev/commons/modules/schemas/query.schema";
+//#region src/modules/base/base.procedure.d.ts
+type ServiceLogger = ReturnType<typeof logger.child>;
+type RepositoryMap = Record<string, Base>;
+type ServiceMap = Record<string, Base>;
+type ServiceProcedureContext = {
+  actor?: AuthenticatedActor | null;
+} & Record<string, unknown>;
+type ServiceProcedureState = Record<string, unknown>;
+type ServiceProcedureStoredValue<T> = [T] extends [undefined] ? undefined : Awaited<T>;
+type ServiceProcedureResultLike<T> = T | ServerResult<T> | Promise<T | ServerResult<T>>;
+type ServiceProcedureContextFilterScope = ActorScope;
+type ServiceProcedureContextFilteredInput<TInput> = Extract<NonNullable<TInput>, QueryInput>;
+type ServiceProcedureAuthContext<Scope extends ActorScope> = {
+  actor: Actor[Scope];
+};
+type ServiceProcedureRequiredScopeFromFilter<TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined> = TInclude extends readonly ServiceProcedureContextFilterScope[] ? "team" extends TInclude[number] ? "team" : "organization" extends TInclude[number] ? "organization" : "user" : "user";
+type ServiceProcedure<TInput, TCtx extends ServiceProcedureContext, TOutput> = (input: TInput, ctx: TCtx) => ServerResultAsync<TOutput>;
+type ServiceProcedureArgs<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState> = {
+  input: TInput;
+  ctx: TCtx;
+  state: State;
+  repository: Repositories;
+  service: Services;
+  logger: ServiceLogger;
+};
+type ServiceProcedureStep<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TOutput = undefined> = (args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>) => ServiceProcedureResultLike<ServiceProcedureStoredValue<TOutput>>;
+type ServiceProcedureInputMapper<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TNextInput> = (args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>) => ServiceProcedureResultLike<ServiceProcedureStoredValue<TNextInput>>;
+type ServiceProcedureHandler<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TOutput> = (args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>) => ServiceProcedureResultLike<TOutput>;
+type ServiceProcedureEntityResolver<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TEntities extends Entity | Entity[] | undefined> = TEntities | ((args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>) => ServiceProcedureResultLike<TEntities>);
+type ServiceProcedureAccessBaseConfig = {
+  action: string;
+  grants?: ResourceActionGrant[];
+};
+type ServiceProcedureEntityStepName<State extends ServiceProcedureState> = Extract<{ [Key in keyof State]: State[Key] extends Entity | Entity[] | undefined ? Key : never }[keyof State], string>;
+type ServiceProcedureAccessEntitiesConfig<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TEntities extends Entity | Entity[] | undefined = undefined> = ServiceProcedureAccessBaseConfig & {
+  entities?: ServiceProcedureEntityResolver<TInput, TCtx, Repositories, Services, State, TEntities>;
+  entityStep?: never;
+};
+type ServiceProcedureAccessStateConfig<State extends ServiceProcedureState, StepName extends ServiceProcedureEntityStepName<State>> = ServiceProcedureAccessBaseConfig & {
+  entityStep: StepName;
+  entities?: never;
+};
+type ServiceProcedureAccessConfig<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState, TEntities extends Entity | Entity[] | undefined = undefined> = ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State, TEntities> | ServiceProcedureAccessStateConfig<State, ServiceProcedureEntityStepName<State>>;
+interface ServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>> {
+  use<StepName extends string, TOutput = void>(stepName: StepName, step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>): ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TOutput>>>;
+  mapInput<StepName extends string, TNextInput>(stepName: StepName, step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>): ServiceProcedureBuilder<ServiceProcedureStoredValue<TNextInput>, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>>;
+  addContextFilter<TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined>(include?: TInclude): ServiceProcedureBuilder<ServiceProcedureContextFilteredInput<TInput>, TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>, Repositories, Services, State & {
+    contextFilter: ServiceProcedureContextFilteredInput<TInput>;
+  }>;
+  requireAuth<Scope extends ActorScope = "user">(scope?: Scope): ServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<Scope>, Repositories, Services, State>;
+  handle<TOutput>(handler: ServiceProcedureHandler<TInput, TCtx, Repositories, Services, State, TOutput>): ServiceProcedure<TInput, TCtx, TOutput>;
+}
+interface PermissionServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>> extends ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State> {
+  use<StepName extends string, TOutput = void>(stepName: StepName, step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>): PermissionServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TOutput>>>;
+  mapInput<StepName extends string, TNextInput>(stepName: StepName, step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>): PermissionServiceProcedureBuilder<ServiceProcedureStoredValue<TNextInput>, TCtx, Repositories, Services, State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>>;
+  addContextFilter<TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined>(include?: TInclude): PermissionServiceProcedureBuilder<ServiceProcedureContextFilteredInput<TInput>, TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>, Repositories, Services, State & {
+    contextFilter: ServiceProcedureContextFilteredInput<TInput>;
+  }>;
+  requireAuth<Scope extends ActorScope = "user">(scope?: Scope): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<Scope>, Repositories, Services, State>;
+  access(config: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State>): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<"user">, Repositories, Services, State>;
+  access<TEntities extends Entity | Entity[] | undefined>(config: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State, TEntities>): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<"user">, Repositories, Services, State & {
+    access: TEntities;
+  }>;
+  access<StepName extends ServiceProcedureEntityStepName<State>>(config: ServiceProcedureAccessStateConfig<State, StepName>): PermissionServiceProcedureBuilder<TInput, TCtx & ServiceProcedureAuthContext<"user">, Repositories, Services, State & {
+    access: State[StepName];
+  }>;
+}
+type BaseServiceProcedureHost<Repositories extends RepositoryMap, Services extends ServiceMap> = {
+  repository: Repositories;
+  service: Services;
+  logger: ServiceLogger;
+  addContextFilter(actor: AuthenticatedActor, include?: {
+    user?: boolean;
+    organization?: boolean;
+    team?: boolean;
+  }, query?: QueryInput): QueryInput;
+  error(code: TRPC_ERROR_CODE_KEY, message?: string, options?: {
+    cause?: unknown;
+    clientMessage?: string;
+    log?: boolean;
+  }): ServerResult<never>;
+  throwableAsync<T>(fn: () => ServerResultAsync<T>): ServerResultAsync<T>;
+  handleUnknownError(error: unknown): ServerError;
+};
+type PermissionServiceProcedureHost<Repositories extends RepositoryMap, Services extends ServiceMap> = BaseServiceProcedureHost<Repositories, Services> & {
+  checkPermission<T extends Entity>(actor: AuthenticatedActor, action: string, entities?: T | T[], grants?: ResourceActionGrant[]): boolean;
+  checkPermissionAsync<T extends Entity>(actor: AuthenticatedActor, action: string, getEntities: () => ServerResultAsync<T | T[] | undefined>, grants?: ResourceActionGrant[]): ServerResultAsync<boolean>;
+};
+type ProcedureRuntimeStep<Repositories extends RepositoryMap, Services extends ServiceMap> = {
+  stage: "use" | "input" | "auth" | "access";
+  stepName: string;
+  run: (args: ServiceProcedureArgs<unknown, ServiceProcedureContext, Repositories, Services, ServiceProcedureState>) => Promise<ServerResult<unknown>>;
+};
+type ProcedureBuilderConfig<Repositories extends RepositoryMap, Services extends ServiceMap> = {
+  name: string;
+  steps: ProcedureRuntimeStep<Repositories, Services>[];
+};
+declare function createServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>>(host: BaseServiceProcedureHost<Repositories, Services>, config: ProcedureBuilderConfig<Repositories, Services>): ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State>;
+declare function createPermissionServiceProcedureBuilder<TInput, TCtx extends ServiceProcedureContext, Repositories extends RepositoryMap, Services extends ServiceMap, State extends ServiceProcedureState = Record<string, never>>(host: PermissionServiceProcedureHost<Repositories, Services>, config: ProcedureBuilderConfig<Repositories, Services>): PermissionServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State>;
+//#endregion
+export { PermissionServiceProcedureBuilder, ServiceProcedure, ServiceProcedureAccessConfig, ServiceProcedureAccessEntitiesConfig, ServiceProcedureAccessStateConfig, ServiceProcedureArgs, ServiceProcedureBuilder, ServiceProcedureContext, ServiceProcedureContextFilterScope, ServiceProcedureContextFilteredInput, ServiceProcedureEntityResolver, ServiceProcedureEntityStepName, ServiceProcedureHandler, ServiceProcedureInputMapper, ServiceProcedureResultLike, ServiceProcedureState, ServiceProcedureStep, ServiceProcedureStoredValue, createPermissionServiceProcedureBuilder, createServiceProcedureBuilder };
+//# sourceMappingURL=base.procedure.d.mts.map

package/dist/src/modules/base/base.procedure.mjs ADDED Viewed

@@ -0,0 +1,252 @@
+import { validateActor } from "./base.actor.mjs";
+import { ok } from "neverthrow";
+//#region src/modules/base/base.procedure.ts
+const DEFAULT_CONTEXT_FILTER_INCLUDE = ["user"];
+function isServerResult(value) {
+	return typeof value === "object" && value !== null && "isErr" in value && typeof value.isErr === "function" && "isOk" in value && typeof value.isOk === "function";
+}
+async function normalizeProcedureResult(result) {
+	const resolved = await result;
+	return isServerResult(resolved) ? resolved : ok(resolved);
+}
+function assertUniqueStepName(steps, stepName) {
+	if (steps.some((step) => step.stepName === stepName)) throw new Error(`Duplicate service procedure step name: ${stepName}`);
+}
+function hasStepName(steps, stepName) {
+	return steps.some((step) => step.stepName === stepName);
+}
+function getContextFilterInclude(include = DEFAULT_CONTEXT_FILTER_INCLUDE) {
+	return {
+		user: include.includes("user"),
+		organization: include.includes("organization"),
+		team: include.includes("team")
+	};
+}
+function getFailureStage(code) {
+	return code === "FORBIDDEN" || code === "UNAUTHORIZED" ? "forbidden" : "error";
+}
+function logProcedureStage(host, procedureName, ctx, stage, { stepName, durationMs, errorCode } = {}) {
+	host.logger.debug({
+		procedureName,
+		stage,
+		stepName,
+		durationMs,
+		errorCode,
+		hasActor: Boolean(ctx.actor)
+	});
+}
+function requireProcedureActor(host, ctx, scope) {
+	if (!ctx.actor) return host.error("UNAUTHORIZED", "Unauthorized");
+	if (!validateActor(ctx.actor, scope)) return host.error("FORBIDDEN", "Forbidden");
+	return ok(ctx.actor);
+}
+function createRequireAuthStep(host, scope = "user") {
+	return {
+		stage: "auth",
+		stepName: "auth",
+		run: async ({ ctx }) => {
+			return requireProcedureActor(host, ctx, scope);
+		}
+	};
+}
+function createUseStep(stepName, step) {
+	return {
+		stage: "use",
+		stepName,
+		run: async (args) => normalizeProcedureResult(step(args))
+	};
+}
+function createInputStep(stepName, step) {
+	return {
+		stage: "input",
+		stepName,
+		run: async (args) => normalizeProcedureResult(step(args))
+	};
+}
+function createContextFilterStep(host, include) {
+	const contextInclude = getContextFilterInclude(include);
+	const requiredScope = contextInclude.team ? "team" : contextInclude.organization ? "organization" : "user";
+	return {
+		stage: "input",
+		stepName: "contextFilter",
+		run: async ({ input, ctx }) => {
+			const actor = requireProcedureActor(host, ctx, requiredScope);
+			if (actor.isErr()) return actor;
+			return ok(host.addContextFilter(actor.value, contextInclude, input));
+		}
+	};
+}
+function createAccessStep(host, config) {
+	return {
+		stage: "access",
+		stepName: "access",
+		run: async (args) => {
+			const typedArgs = args;
+			const actor = requireProcedureActor(host, typedArgs.ctx, "user");
+			if (actor.isErr()) return actor;
+			if ("entityStep" in config && typeof config.entityStep === "string") {
+				const entities = typedArgs.state[config.entityStep];
+				if (!host.checkPermission(actor.value, config.action, entities, config.grants)) return host.error("FORBIDDEN");
+				return ok(entities);
+			}
+			if (typeof config.entities === "function") {
+				const resolveEntities = config.entities;
+				let loadedEntities;
+				const permission = await host.checkPermissionAsync(actor.value, config.action, async () => {
+					const entityResult = await normalizeProcedureResult(resolveEntities(typedArgs));
+					if (entityResult.isOk()) loadedEntities = entityResult.value;
+					return entityResult;
+				}, config.grants);
+				if (permission.isErr()) return permission;
+				if (!permission.value) return host.error("FORBIDDEN");
+				return ok(loadedEntities);
+			}
+			const entities = config.entities;
+			if (!host.checkPermission(actor.value, config.action, entities, config.grants)) return host.error("FORBIDDEN");
+			return ok(entities);
+		}
+	};
+}
+function createProcedureHandler(host, config, handler) {
+	return async (input, ctx) => host.throwableAsync(async () => {
+		const state = {};
+		const startTime = Date.now();
+		const typedCtx = ctx;
+		let currentInput = input;
+		logProcedureStage(host, config.name, typedCtx, "start");
+		try {
+			for (const step of config.steps) {
+				const stepResult = await step.run({
+					input: currentInput,
+					ctx: typedCtx,
+					state,
+					repository: host.repository,
+					service: host.service,
+					logger: host.logger
+				});
+				if (stepResult.isErr()) {
+					logProcedureStage(host, config.name, typedCtx, getFailureStage(stepResult.error.code), {
+						stepName: step.stepName,
+						durationMs: Date.now() - startTime,
+						errorCode: stepResult.error.code
+					});
+					return stepResult;
+				}
+				state[step.stepName] = stepResult.value;
+				if (step.stage === "input") currentInput = stepResult.value;
+				if (step.stage === "auth") logProcedureStage(host, config.name, typedCtx, "auth_passed", { stepName: step.stepName });
+				if (step.stage === "access") logProcedureStage(host, config.name, typedCtx, "access_passed", { stepName: step.stepName });
+			}
+			const handlerResult = await normalizeProcedureResult(handler({
+				input: currentInput,
+				ctx,
+				state,
+				repository: host.repository,
+				service: host.service,
+				logger: host.logger
+			}));
+			if (handlerResult.isErr()) {
+				logProcedureStage(host, config.name, typedCtx, getFailureStage(handlerResult.error.code), {
+					durationMs: Date.now() - startTime,
+					errorCode: handlerResult.error.code
+				});
+				return handlerResult;
+			}
+			logProcedureStage(host, config.name, typedCtx, "success", { durationMs: Date.now() - startTime });
+			return handlerResult;
+		} catch (error) {
+			const serverError = host.handleUnknownError(error);
+			logProcedureStage(host, config.name, typedCtx, getFailureStage(serverError.code), {
+				durationMs: Date.now() - startTime,
+				errorCode: serverError.code
+			});
+			throw error;
+		}
+	});
+}
+function createServiceProcedureBuilder(host, config) {
+	function addContextFilter(include) {
+		const steps = hasStepName(config.steps, "auth") ? config.steps : [...config.steps, createRequireAuthStep(host, "user")];
+		assertUniqueStepName(steps, "contextFilter");
+		return createServiceProcedureBuilder(host, {
+			...config,
+			steps: [...steps, createContextFilterStep(host, include)]
+		});
+	}
+	return {
+		use(stepName, step) {
+			assertUniqueStepName(config.steps, stepName);
+			return createServiceProcedureBuilder(host, {
+				...config,
+				steps: [...config.steps, createUseStep(stepName, step)]
+			});
+		},
+		mapInput(stepName, step) {
+			assertUniqueStepName(config.steps, stepName);
+			return createServiceProcedureBuilder(host, {
+				...config,
+				steps: [...config.steps, createInputStep(stepName, step)]
+			});
+		},
+		addContextFilter,
+		requireAuth(scope) {
+			assertUniqueStepName(config.steps, "auth");
+			return createServiceProcedureBuilder(host, {
+				...config,
+				steps: [...config.steps, createRequireAuthStep(host, scope ?? "user")]
+			});
+		},
+		handle(handler) {
+			return createProcedureHandler(host, config, handler);
+		}
+	};
+}
+function createPermissionServiceProcedureBuilder(host, config) {
+	function addContextFilter(include) {
+		const steps = hasStepName(config.steps, "auth") ? config.steps : [...config.steps, createRequireAuthStep(host, "user")];
+		assertUniqueStepName(steps, "contextFilter");
+		return createPermissionServiceProcedureBuilder(host, {
+			...config,
+			steps: [...steps, createContextFilterStep(host, include)]
+		});
+	}
+	function access(accessConfig) {
+		assertUniqueStepName(config.steps, "access");
+		return createPermissionServiceProcedureBuilder(host, {
+			...config,
+			steps: [...config.steps, createAccessStep(host, accessConfig)]
+		});
+	}
+	return {
+		use(stepName, step) {
+			assertUniqueStepName(config.steps, stepName);
+			return createPermissionServiceProcedureBuilder(host, {
+				...config,
+				steps: [...config.steps, createUseStep(stepName, step)]
+			});
+		},
+		mapInput(stepName, step) {
+			assertUniqueStepName(config.steps, stepName);
+			return createPermissionServiceProcedureBuilder(host, {
+				...config,
+				steps: [...config.steps, createInputStep(stepName, step)]
+			});
+		},
+		addContextFilter,
+		requireAuth(scope) {
+			assertUniqueStepName(config.steps, "auth");
+			return createPermissionServiceProcedureBuilder(host, {
+				...config,
+				steps: [...config.steps, createRequireAuthStep(host, scope ?? "user")]
+			});
+		},
+		access,
+		handle(handler) {
+			return createProcedureHandler(host, config, handler);
+		}
+	};
+}
+//#endregion
+export { createPermissionServiceProcedureBuilder, createServiceProcedureBuilder };
+//# sourceMappingURL=base.procedure.mjs.map

package/dist/src/modules/base/base.procedure.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"base.procedure.mjs","names":[],"sources":["../../../../src/modules/base/base.procedure.ts"],"sourcesContent":["import type { QueryInput } from \"@m5kdev/commons/modules/schemas/query.schema\";\r\nimport type { TRPC_ERROR_CODE_KEY } from \"@trpc/server\";\r\nimport { ok } from \"neverthrow\";\r\nimport type { ServerError } from \"../../utils/errors\";\r\nimport type { logger } from \"../../utils/logger\";\r\nimport type { Base } from \"./base.abstract\";\r\nimport { type Actor, type ActorScope, type AuthenticatedActor, validateActor } from \"./base.actor\";\r\nimport type { ServerResult, ServerResultAsync } from \"./base.dto\";\r\nimport type { Entity, ResourceActionGrant } from \"./base.grants\";\r\n\r\ntype ServiceLogger = ReturnType<typeof logger.child>;\r\ntype RepositoryMap = Record<string, Base>;\r\ntype ServiceMap = Record<string, Base>;\r\n\r\nexport type ServiceProcedureContext = {\r\n actor?: AuthenticatedActor | null;\r\n} & Record<string, unknown>;\r\n\r\nexport type ServiceProcedureState = Record<string, unknown>;\r\nexport type ServiceProcedureStoredValue<T> = [T] extends [undefined] ? undefined : Awaited<T>;\r\nexport type ServiceProcedureResultLike<T> = T | ServerResult<T> | Promise<T | ServerResult<T>>;\r\nexport type ServiceProcedureContextFilterScope = ActorScope;\r\nexport type ServiceProcedureContextFilteredInput<TInput> = Extract<NonNullable<TInput>, QueryInput>;\r\ntype ServiceProcedureAuthContext<Scope extends ActorScope> = {\r\n actor: Actor[Scope];\r\n};\r\ntype ServiceProcedureRequiredScopeFromFilter<\r\n TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined,\r\n> = TInclude extends readonly ServiceProcedureContextFilterScope[]\r\n ? \"team\" extends TInclude[number]\r\n ? \"team\"\r\n : \"organization\" extends TInclude[number]\r\n ? \"organization\"\r\n : \"user\"\r\n : \"user\";\r\n\r\nexport type ServiceProcedure<TInput, TCtx extends ServiceProcedureContext, TOutput> = (\r\n input: TInput,\r\n ctx: TCtx\r\n) => ServerResultAsync<TOutput>;\r\n\r\nexport type ServiceProcedureArgs<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n> = {\r\n input: TInput;\r\n ctx: TCtx;\r\n state: State;\r\n repository: Repositories;\r\n service: Services;\r\n logger: ServiceLogger;\r\n};\r\n\r\nexport type ServiceProcedureStep<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TOutput = undefined,\r\n> = (\r\n args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>\r\n) => ServiceProcedureResultLike<ServiceProcedureStoredValue<TOutput>>;\r\n\r\nexport type ServiceProcedureInputMapper<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TNextInput,\r\n> = (\r\n args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>\r\n) => ServiceProcedureResultLike<ServiceProcedureStoredValue<TNextInput>>;\r\n\r\nexport type ServiceProcedureHandler<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TOutput,\r\n> = (\r\n args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>\r\n) => ServiceProcedureResultLike<TOutput>;\r\n\r\nexport type ServiceProcedureEntityResolver<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TEntities extends Entity | Entity[] | undefined,\r\n> =\r\n | TEntities\r\n | ((\r\n args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>\r\n ) => ServiceProcedureResultLike<TEntities>);\r\n\r\ntype ServiceProcedureAccessBaseConfig = {\r\n action: string;\r\n grants?: ResourceActionGrant[];\r\n};\r\n\r\nexport type ServiceProcedureEntityStepName<State extends ServiceProcedureState> = Extract<\r\n {\r\n [Key in keyof State]: State[Key] extends Entity | Entity[] | undefined ? Key : never;\r\n }[keyof State],\r\n string\r\n>;\r\n\r\nexport type ServiceProcedureAccessEntitiesConfig<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TEntities extends Entity | Entity[] | undefined = undefined,\r\n> = ServiceProcedureAccessBaseConfig & {\r\n entities?: ServiceProcedureEntityResolver<TInput, TCtx, Repositories, Services, State, TEntities>;\r\n entityStep?: never;\r\n};\r\n\r\nexport type ServiceProcedureAccessStateConfig<\r\n State extends ServiceProcedureState,\r\n StepName extends ServiceProcedureEntityStepName<State>,\r\n> = ServiceProcedureAccessBaseConfig & {\r\n entityStep: StepName;\r\n entities?: never;\r\n};\r\n\r\nexport type ServiceProcedureAccessConfig<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TEntities extends Entity | Entity[] | undefined = undefined,\r\n> =\r\n | ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State, TEntities>\r\n | ServiceProcedureAccessStateConfig<State, ServiceProcedureEntityStepName<State>>;\r\n\r\nexport interface ServiceProcedureBuilder<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState = Record<string, never>,\r\n> {\r\n use<StepName extends string, TOutput = void>(\r\n stepName: StepName,\r\n step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>\r\n ): ServiceProcedureBuilder<\r\n TInput,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State & Record<StepName, ServiceProcedureStoredValue<TOutput>>\r\n >;\r\n mapInput<StepName extends string, TNextInput>(\r\n stepName: StepName,\r\n step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>\r\n ): ServiceProcedureBuilder<\r\n ServiceProcedureStoredValue<TNextInput>,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>\r\n >;\r\n addContextFilter<\r\n TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined,\r\n >(\r\n include?: TInclude\r\n ): ServiceProcedureBuilder<\r\n ServiceProcedureContextFilteredInput<TInput>,\r\n TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>,\r\n Repositories,\r\n Services,\r\n State & { contextFilter: ServiceProcedureContextFilteredInput<TInput> }\r\n >;\r\n requireAuth<Scope extends ActorScope = \"user\">(\r\n scope?: Scope\r\n ): ServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<Scope>,\r\n Repositories,\r\n Services,\r\n State\r\n >;\r\n handle<TOutput>(\r\n handler: ServiceProcedureHandler<TInput, TCtx, Repositories, Services, State, TOutput>\r\n ): ServiceProcedure<TInput, TCtx, TOutput>;\r\n}\r\n\r\nexport interface PermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState = Record<string, never>,\r\n> extends ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State> {\r\n use<StepName extends string, TOutput = void>(\r\n stepName: StepName,\r\n step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>\r\n ): PermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State & Record<StepName, ServiceProcedureStoredValue<TOutput>>\r\n >;\r\n mapInput<StepName extends string, TNextInput>(\r\n stepName: StepName,\r\n step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>\r\n ): PermissionServiceProcedureBuilder<\r\n ServiceProcedureStoredValue<TNextInput>,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>\r\n >;\r\n addContextFilter<\r\n TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined,\r\n >(\r\n include?: TInclude\r\n ): PermissionServiceProcedureBuilder<\r\n ServiceProcedureContextFilteredInput<TInput>,\r\n TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>,\r\n Repositories,\r\n Services,\r\n State & { contextFilter: ServiceProcedureContextFilteredInput<TInput> }\r\n >;\r\n requireAuth<Scope extends ActorScope = \"user\">(\r\n scope?: Scope\r\n ): PermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<Scope>,\r\n Repositories,\r\n Services,\r\n State\r\n >;\r\n access(\r\n config: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State>\r\n ): PermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<\"user\">,\r\n Repositories,\r\n Services,\r\n State\r\n >;\r\n access<TEntities extends Entity | Entity[] | undefined>(\r\n config: ServiceProcedureAccessEntitiesConfig<\r\n TInput,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State,\r\n TEntities\r\n >\r\n ): PermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<\"user\">,\r\n Repositories,\r\n Services,\r\n State & { access: TEntities }\r\n >;\r\n access<StepName extends ServiceProcedureEntityStepName<State>>(\r\n config: ServiceProcedureAccessStateConfig<State, StepName>\r\n ): PermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<\"user\">,\r\n Repositories,\r\n Services,\r\n State & { access: State[StepName] }\r\n >;\r\n}\r\n\r\ntype BaseServiceProcedureHost<Repositories extends RepositoryMap, Services extends ServiceMap> = {\r\n repository: Repositories;\r\n service: Services;\r\n logger: ServiceLogger;\r\n addContextFilter(\r\n actor: AuthenticatedActor,\r\n include?: { user?: boolean; organization?: boolean; team?: boolean },\r\n query?: QueryInput\r\n ): QueryInput;\r\n error(\r\n code: TRPC_ERROR_CODE_KEY,\r\n message?: string,\r\n options?: { cause?: unknown; clientMessage?: string; log?: boolean }\r\n ): ServerResult<never>;\r\n throwableAsync<T>(fn: () => ServerResultAsync<T>): ServerResultAsync<T>;\r\n handleUnknownError(error: unknown): ServerError;\r\n};\r\n\r\ntype PermissionServiceProcedureHost<\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n> = BaseServiceProcedureHost<Repositories, Services> & {\r\n checkPermission<T extends Entity>(\r\n actor: AuthenticatedActor,\r\n action: string,\r\n entities?: T | T[],\r\n grants?: ResourceActionGrant[]\r\n ): boolean;\r\n checkPermissionAsync<T extends Entity>(\r\n actor: AuthenticatedActor,\r\n action: string,\r\n getEntities: () => ServerResultAsync<T | T[] | undefined>,\r\n grants?: ResourceActionGrant[]\r\n ): ServerResultAsync<boolean>;\r\n};\r\n\r\ntype ProcedureStage = \"start\" | \"auth_passed\" | \"access_passed\" | \"forbidden\" | \"success\" | \"error\";\r\n\r\ntype ProcedureRuntimeStep<Repositories extends RepositoryMap, Services extends ServiceMap> = {\r\n stage: \"use\" | \"input\" | \"auth\" | \"access\";\r\n stepName: string;\r\n run: (\r\n args: ServiceProcedureArgs<\r\n unknown,\r\n ServiceProcedureContext,\r\n Repositories,\r\n Services,\r\n ServiceProcedureState\r\n >\r\n ) => Promise<ServerResult<unknown>>;\r\n};\r\n\r\ntype ProcedureBuilderConfig<Repositories extends RepositoryMap, Services extends ServiceMap> = {\r\n name: string;\r\n steps: ProcedureRuntimeStep<Repositories, Services>[];\r\n};\r\n\r\nconst DEFAULT_CONTEXT_FILTER_INCLUDE = [\r\n \"user\",\r\n] as const satisfies readonly ServiceProcedureContextFilterScope[];\r\n\r\nfunction isServerResult<T>(value: unknown): value is ServerResult<T> {\r\n return (\r\n typeof value === \"object\" &&\r\n value !== null &&\r\n \"isErr\" in value &&\r\n typeof (value as { isErr: unknown }).isErr === \"function\" &&\r\n \"isOk\" in value &&\r\n typeof (value as { isOk: unknown }).isOk === \"function\"\r\n );\r\n}\r\n\r\nasync function normalizeProcedureResult<T>(\r\n result: ServiceProcedureResultLike<T>\r\n): Promise<ServerResult<T>> {\r\n const resolved = await result;\r\n return isServerResult<T>(resolved) ? resolved : ok(resolved);\r\n}\r\n\r\nfunction assertUniqueStepName<Repositories extends RepositoryMap, Services extends ServiceMap>(\r\n steps: ProcedureRuntimeStep<Repositories, Services>[],\r\n stepName: string\r\n) {\r\n if (steps.some((step) => step.stepName === stepName)) {\r\n throw new Error(`Duplicate service procedure step name: ${stepName}`);\r\n }\r\n}\r\n\r\nfunction hasStepName<Repositories extends RepositoryMap, Services extends ServiceMap>(\r\n steps: ProcedureRuntimeStep<Repositories, Services>[],\r\n stepName: string\r\n) {\r\n return steps.some((step) => step.stepName === stepName);\r\n}\r\n\r\nfunction getContextFilterInclude(\r\n include: readonly ServiceProcedureContextFilterScope[] = DEFAULT_CONTEXT_FILTER_INCLUDE\r\n) {\r\n return {\r\n user: include.includes(\"user\"),\r\n organization: include.includes(\"organization\"),\r\n team: include.includes(\"team\"),\r\n };\r\n}\r\n\r\nfunction getFailureStage(code: TRPC_ERROR_CODE_KEY | undefined): ProcedureStage {\r\n return code === \"FORBIDDEN\" || code === \"UNAUTHORIZED\" ? \"forbidden\" : \"error\";\r\n}\r\n\r\nfunction logProcedureStage<Repositories extends RepositoryMap, Services extends ServiceMap>(\r\n host: BaseServiceProcedureHost<Repositories, Services>,\r\n procedureName: string,\r\n ctx: ServiceProcedureContext,\r\n stage: ProcedureStage,\r\n {\r\n stepName,\r\n durationMs,\r\n errorCode,\r\n }: {\r\n stepName?: string;\r\n durationMs?: number;\r\n errorCode?: TRPC_ERROR_CODE_KEY;\r\n } = {}\r\n) {\r\n host.logger.debug({\r\n procedureName,\r\n stage,\r\n stepName,\r\n durationMs,\r\n errorCode,\r\n hasActor: Boolean(ctx.actor),\r\n });\r\n}\r\n\r\nfunction requireProcedureActor<\r\n Scope extends ActorScope,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n>(\r\n host: BaseServiceProcedureHost<Repositories, Services>,\r\n ctx: ServiceProcedureContext,\r\n scope: Scope\r\n): ServerResult<Actor[Scope]> {\r\n if (!ctx.actor) {\r\n return host.error(\"UNAUTHORIZED\", \"Unauthorized\");\r\n }\r\n\r\n if (!validateActor(ctx.actor, scope)) {\r\n return host.error(\"FORBIDDEN\", \"Forbidden\");\r\n }\r\n\r\n return ok(ctx.actor as Actor[Scope]);\r\n}\r\n\r\nfunction createRequireAuthStep<Repositories extends RepositoryMap, Services extends ServiceMap>(\r\n host: BaseServiceProcedureHost<Repositories, Services>,\r\n scope: ActorScope = \"user\"\r\n): ProcedureRuntimeStep<Repositories, Services> {\r\n return {\r\n stage: \"auth\",\r\n stepName: \"auth\",\r\n run: async ({ ctx }) => {\r\n return requireProcedureActor(host, ctx, scope);\r\n },\r\n };\r\n}\r\n\r\nfunction createUseStep<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TOutput,\r\n>(\r\n stepName: string,\r\n step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>\r\n): ProcedureRuntimeStep<Repositories, Services> {\r\n return {\r\n stage: \"use\",\r\n stepName,\r\n run: async (args) =>\r\n normalizeProcedureResult(\r\n step(args as ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>)\r\n ),\r\n };\r\n}\r\n\r\nfunction createInputStep<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TNextInput,\r\n>(\r\n stepName: string,\r\n step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>\r\n): ProcedureRuntimeStep<Repositories, Services> {\r\n return {\r\n stage: \"input\",\r\n stepName,\r\n run: async (args) =>\r\n normalizeProcedureResult(\r\n step(args as ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>)\r\n ),\r\n };\r\n}\r\n\r\nfunction createContextFilterStep<Repositories extends RepositoryMap, Services extends ServiceMap>(\r\n host: BaseServiceProcedureHost<Repositories, Services>,\r\n include?: readonly ServiceProcedureContextFilterScope[]\r\n): ProcedureRuntimeStep<Repositories, Services> {\r\n const contextInclude = getContextFilterInclude(include);\r\n const requiredScope: ActorScope = contextInclude.team\r\n ? \"team\"\r\n : contextInclude.organization\r\n ? \"organization\"\r\n : \"user\";\r\n\r\n return {\r\n stage: \"input\",\r\n stepName: \"contextFilter\",\r\n run: async ({ input, ctx }) => {\r\n const actor = requireProcedureActor(host, ctx, requiredScope);\r\n if (actor.isErr()) return actor;\r\n return ok(host.addContextFilter(actor.value, contextInclude, input as QueryInput));\r\n },\r\n };\r\n}\r\n\r\nfunction createAccessStep<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TEntities extends Entity | Entity[] | undefined,\r\n>(\r\n host: PermissionServiceProcedureHost<Repositories, Services>,\r\n config: ServiceProcedureAccessConfig<TInput, TCtx, Repositories, Services, State, TEntities>\r\n): ProcedureRuntimeStep<Repositories, Services> {\r\n return {\r\n stage: \"access\",\r\n stepName: \"access\",\r\n run: async (args) => {\r\n const typedArgs = args as ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>;\r\n const actor = requireProcedureActor(host, typedArgs.ctx, \"user\");\r\n if (actor.isErr()) return actor;\r\n\r\n if (\"entityStep\" in config && typeof config.entityStep === \"string\") {\r\n const entities = typedArgs.state[config.entityStep] as TEntities;\r\n const hasPermission = host.checkPermission(\r\n actor.value,\r\n config.action,\r\n entities as Entity | Entity[] | undefined,\r\n config.grants\r\n );\r\n\r\n if (!hasPermission) {\r\n return host.error(\"FORBIDDEN\");\r\n }\r\n\r\n return ok(entities);\r\n }\r\n\r\n if (typeof config.entities === \"function\") {\r\n const resolveEntities = config.entities as (\r\n args: ServiceProcedureArgs<TInput, TCtx, Repositories, Services, State>\r\n ) => ServiceProcedureResultLike<TEntities>;\r\n\r\n let loadedEntities: TEntities | undefined;\r\n const permission = await host.checkPermissionAsync(\r\n actor.value,\r\n config.action,\r\n async () => {\r\n const entityResult = await normalizeProcedureResult(resolveEntities(typedArgs));\r\n if (entityResult.isOk()) {\r\n loadedEntities = entityResult.value;\r\n }\r\n return entityResult;\r\n },\r\n config.grants\r\n );\r\n\r\n if (permission.isErr()) {\r\n return permission;\r\n }\r\n\r\n if (!permission.value) {\r\n return host.error(\"FORBIDDEN\");\r\n }\r\n\r\n return ok(loadedEntities);\r\n }\r\n\r\n const entities = config.entities;\r\n const hasPermission = host.checkPermission(\r\n actor.value,\r\n config.action,\r\n entities,\r\n config.grants\r\n );\r\n\r\n if (!hasPermission) {\r\n return host.error(\"FORBIDDEN\");\r\n }\r\n\r\n return ok(entities);\r\n },\r\n };\r\n}\r\n\r\nfunction createProcedureHandler<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState,\r\n TOutput,\r\n>(\r\n host: BaseServiceProcedureHost<Repositories, Services>,\r\n config: ProcedureBuilderConfig<Repositories, Services>,\r\n handler: ServiceProcedureHandler<TInput, TCtx, Repositories, Services, State, TOutput>\r\n): ServiceProcedure<TInput, TCtx, TOutput> {\r\n return async (input, ctx) =>\r\n host.throwableAsync(async () => {\r\n const state: ServiceProcedureState = {};\r\n const startTime = Date.now();\r\n const typedCtx = ctx as ServiceProcedureContext;\r\n let currentInput: unknown = input;\r\n\r\n logProcedureStage(host, config.name, typedCtx, \"start\");\r\n\r\n try {\r\n for (const step of config.steps) {\r\n const stepResult = await step.run({\r\n input: currentInput,\r\n ctx: typedCtx,\r\n state,\r\n repository: host.repository,\r\n service: host.service,\r\n logger: host.logger,\r\n });\r\n\r\n if (stepResult.isErr()) {\r\n logProcedureStage(host, config.name, typedCtx, getFailureStage(stepResult.error.code), {\r\n stepName: step.stepName,\r\n durationMs: Date.now() - startTime,\r\n errorCode: stepResult.error.code,\r\n });\r\n return stepResult as ServerResult<TOutput>;\r\n }\r\n\r\n state[step.stepName] = stepResult.value;\r\n\r\n if (step.stage === \"input\") {\r\n currentInput = stepResult.value;\r\n }\r\n\r\n if (step.stage === \"auth\") {\r\n logProcedureStage(host, config.name, typedCtx, \"auth_passed\", {\r\n stepName: step.stepName,\r\n });\r\n }\r\n\r\n if (step.stage === \"access\") {\r\n logProcedureStage(host, config.name, typedCtx, \"access_passed\", {\r\n stepName: step.stepName,\r\n });\r\n }\r\n }\r\n\r\n const handlerResult = await normalizeProcedureResult(\r\n handler({\r\n input: currentInput as TInput,\r\n ctx: ctx as TCtx,\r\n state: state as State,\r\n repository: host.repository,\r\n service: host.service,\r\n logger: host.logger,\r\n })\r\n );\r\n\r\n if (handlerResult.isErr()) {\r\n logProcedureStage(\r\n host,\r\n config.name,\r\n typedCtx,\r\n getFailureStage(handlerResult.error.code),\r\n {\r\n durationMs: Date.now() - startTime,\r\n errorCode: handlerResult.error.code,\r\n }\r\n );\r\n return handlerResult;\r\n }\r\n\r\n logProcedureStage(host, config.name, typedCtx, \"success\", {\r\n durationMs: Date.now() - startTime,\r\n });\r\n return handlerResult;\r\n } catch (error) {\r\n const serverError = host.handleUnknownError(error);\r\n logProcedureStage(host, config.name, typedCtx, getFailureStage(serverError.code), {\r\n durationMs: Date.now() - startTime,\r\n errorCode: serverError.code,\r\n });\r\n throw error;\r\n }\r\n });\r\n}\r\n\r\nexport function createServiceProcedureBuilder<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState = Record<string, never>,\r\n>(\r\n host: BaseServiceProcedureHost<Repositories, Services>,\r\n config: ProcedureBuilderConfig<Repositories, Services>\r\n): ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State> {\r\n function addContextFilter<\r\n TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined,\r\n >(include?: TInclude) {\r\n const steps = hasStepName(config.steps, \"auth\")\r\n ? config.steps\r\n : [...config.steps, createRequireAuthStep(host, \"user\")];\r\n\r\n assertUniqueStepName(steps, \"contextFilter\");\r\n\r\n return createServiceProcedureBuilder<\r\n ServiceProcedureContextFilteredInput<TInput>,\r\n TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>,\r\n Repositories,\r\n Services,\r\n State & { contextFilter: ServiceProcedureContextFilteredInput<TInput> }\r\n >(host, {\r\n ...config,\r\n steps: [...steps, createContextFilterStep(host, include)],\r\n });\r\n }\r\n\r\n const builder: ServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State> = {\r\n use<StepName extends string, TOutput = void>(\r\n stepName: StepName,\r\n step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>\r\n ) {\r\n assertUniqueStepName(config.steps, stepName);\r\n return createServiceProcedureBuilder<\r\n TInput,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State & Record<StepName, ServiceProcedureStoredValue<TOutput>>\r\n >(host, {\r\n ...config,\r\n steps: [...config.steps, createUseStep(stepName, step)],\r\n });\r\n },\r\n mapInput<StepName extends string, TNextInput>(\r\n stepName: StepName,\r\n step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>\r\n ) {\r\n assertUniqueStepName(config.steps, stepName);\r\n return createServiceProcedureBuilder<\r\n ServiceProcedureStoredValue<TNextInput>,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>\r\n >(host, {\r\n ...config,\r\n steps: [...config.steps, createInputStep(stepName, step)],\r\n });\r\n },\r\n addContextFilter,\r\n requireAuth<Scope extends ActorScope = \"user\">(scope?: Scope) {\r\n assertUniqueStepName(config.steps, \"auth\");\r\n return createServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<Scope>,\r\n Repositories,\r\n Services,\r\n State\r\n >(host, {\r\n ...config,\r\n steps: [...config.steps, createRequireAuthStep(host, scope ?? \"user\")],\r\n });\r\n },\r\n handle<TOutput>(\r\n handler: ServiceProcedureHandler<TInput, TCtx, Repositories, Services, State, TOutput>\r\n ) {\r\n return createProcedureHandler(host, config, handler);\r\n },\r\n };\r\n\r\n return builder;\r\n}\r\n\r\nexport function createPermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx extends ServiceProcedureContext,\r\n Repositories extends RepositoryMap,\r\n Services extends ServiceMap,\r\n State extends ServiceProcedureState = Record<string, never>,\r\n>(\r\n host: PermissionServiceProcedureHost<Repositories, Services>,\r\n config: ProcedureBuilderConfig<Repositories, Services>\r\n): PermissionServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State> {\r\n function addContextFilter<\r\n TInclude extends readonly ServiceProcedureContextFilterScope[] | undefined = undefined,\r\n >(include?: TInclude) {\r\n const steps = hasStepName(config.steps, \"auth\")\r\n ? config.steps\r\n : [...config.steps, createRequireAuthStep(host, \"user\")];\r\n\r\n assertUniqueStepName(steps, \"contextFilter\");\r\n\r\n return createPermissionServiceProcedureBuilder<\r\n ServiceProcedureContextFilteredInput<TInput>,\r\n TCtx & ServiceProcedureAuthContext<ServiceProcedureRequiredScopeFromFilter<TInclude>>,\r\n Repositories,\r\n Services,\r\n State & { contextFilter: ServiceProcedureContextFilteredInput<TInput> }\r\n >(host, {\r\n ...config,\r\n steps: [...steps, createContextFilterStep(host, include)],\r\n });\r\n }\r\n\r\n function access(\r\n accessConfig: ServiceProcedureAccessEntitiesConfig<TInput, TCtx, Repositories, Services, State>\r\n ): PermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<\"user\">,\r\n Repositories,\r\n Services,\r\n State\r\n >;\r\n function access<TEntities extends Entity | Entity[] | undefined>(\r\n accessConfig: ServiceProcedureAccessEntitiesConfig<\r\n TInput,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State,\r\n TEntities\r\n >\r\n ): PermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<\"user\">,\r\n Repositories,\r\n Services,\r\n State & { access: TEntities }\r\n >;\r\n function access<StepName extends ServiceProcedureEntityStepName<State>>(\r\n accessConfig: ServiceProcedureAccessStateConfig<State, StepName>\r\n ): PermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<\"user\">,\r\n Repositories,\r\n Services,\r\n State & { access: State[StepName] }\r\n >;\r\n function access(\r\n accessConfig:\r\n | ServiceProcedureAccessEntitiesConfig<\r\n TInput,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State,\r\n Entity | Entity[] | undefined\r\n >\r\n | ServiceProcedureAccessStateConfig<State, ServiceProcedureEntityStepName<State>>\r\n ) {\r\n assertUniqueStepName(config.steps, \"access\");\r\n return createPermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<\"user\">,\r\n Repositories,\r\n Services,\r\n State\r\n >(host, {\r\n ...config,\r\n steps: [...config.steps, createAccessStep(host, accessConfig)],\r\n });\r\n }\r\n\r\n const builder: PermissionServiceProcedureBuilder<TInput, TCtx, Repositories, Services, State> = {\r\n use<StepName extends string, TOutput = void>(\r\n stepName: StepName,\r\n step: ServiceProcedureStep<TInput, TCtx, Repositories, Services, State, TOutput>\r\n ) {\r\n assertUniqueStepName(config.steps, stepName);\r\n return createPermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State & Record<StepName, ServiceProcedureStoredValue<TOutput>>\r\n >(host, {\r\n ...config,\r\n steps: [...config.steps, createUseStep(stepName, step)],\r\n });\r\n },\r\n mapInput<StepName extends string, TNextInput>(\r\n stepName: StepName,\r\n step: ServiceProcedureInputMapper<TInput, TCtx, Repositories, Services, State, TNextInput>\r\n ) {\r\n assertUniqueStepName(config.steps, stepName);\r\n return createPermissionServiceProcedureBuilder<\r\n ServiceProcedureStoredValue<TNextInput>,\r\n TCtx,\r\n Repositories,\r\n Services,\r\n State & Record<StepName, ServiceProcedureStoredValue<TNextInput>>\r\n >(host, {\r\n ...config,\r\n steps: [...config.steps, createInputStep(stepName, step)],\r\n });\r\n },\r\n addContextFilter,\r\n requireAuth<Scope extends ActorScope = \"user\">(scope?: Scope) {\r\n assertUniqueStepName(config.steps, \"auth\");\r\n return createPermissionServiceProcedureBuilder<\r\n TInput,\r\n TCtx & ServiceProcedureAuthContext<Scope>,\r\n Repositories,\r\n Services,\r\n State\r\n >(host, {\r\n ...config,\r\n steps: [...config.steps, createRequireAuthStep(host, scope ?? \"user\")],\r\n });\r\n },\r\n access,\r\n handle<TOutput>(\r\n handler: ServiceProcedureHandler<TInput, TCtx, Repositories, Services, State, TOutput>\r\n ) {\r\n return createProcedureHandler(host, config, handler);\r\n },\r\n };\r\n\r\n return builder;\r\n}\r\n"],"mappings":";;;AAiVA,MAAM,iCAAiC,CACrC,OACD;AAED,SAAS,eAAkB,OAA0C;AACnE,QACE,OAAO,UAAU,YACjB,UAAU,QACV,WAAW,SACX,OAAQ,MAA6B,UAAU,cAC/C,UAAU,SACV,OAAQ,MAA4B,SAAS;;AAIjD,eAAe,yBACb,QAC0B;CAC1B,MAAM,WAAW,MAAM;AACvB,QAAO,eAAkB,SAAS,GAAG,WAAW,GAAG,SAAS;;AAG9D,SAAS,qBACP,OACA,UACA;AACA,KAAI,MAAM,MAAM,SAAS,KAAK,aAAa,SAAS,CAClD,OAAM,IAAI,MAAM,0CAA0C,WAAW;;AAIzE,SAAS,YACP,OACA,UACA;AACA,QAAO,MAAM,MAAM,SAAS,KAAK,aAAa,SAAS;;AAGzD,SAAS,wBACP,UAAyD,gCACzD;AACA,QAAO;EACL,MAAM,QAAQ,SAAS,OAAO;EAC9B,cAAc,QAAQ,SAAS,eAAe;EAC9C,MAAM,QAAQ,SAAS,OAAO;EAC/B;;AAGH,SAAS,gBAAgB,MAAuD;AAC9E,QAAO,SAAS,eAAe,SAAS,iBAAiB,cAAc;;AAGzE,SAAS,kBACP,MACA,eACA,KACA,OACA,EACE,UACA,YACA,cAKE,EAAE,EACN;AACA,MAAK,OAAO,MAAM;EAChB;EACA;EACA;EACA;EACA;EACA,UAAU,QAAQ,IAAI,MAAM;EAC7B,CAAC;;AAGJ,SAAS,sBAKP,MACA,KACA,OAC4B;AAC5B,KAAI,CAAC,IAAI,MACP,QAAO,KAAK,MAAM,gBAAgB,eAAe;AAGnD,KAAI,CAAC,cAAc,IAAI,OAAO,MAAM,CAClC,QAAO,KAAK,MAAM,aAAa,YAAY;AAG7C,QAAO,GAAG,IAAI,MAAsB;;AAGtC,SAAS,sBACP,MACA,QAAoB,QAC0B;AAC9C,QAAO;EACL,OAAO;EACP,UAAU;EACV,KAAK,OAAO,EAAE,UAAU;AACtB,UAAO,sBAAsB,MAAM,KAAK,MAAM;;EAEjD;;AAGH,SAAS,cAQP,UACA,MAC8C;AAC9C,QAAO;EACL,OAAO;EACP;EACA,KAAK,OAAO,SACV,yBACE,KAAK,KAA0E,CAChF;EACJ;;AAGH,SAAS,gBAQP,UACA,MAC8C;AAC9C,QAAO;EACL,OAAO;EACP;EACA,KAAK,OAAO,SACV,yBACE,KAAK,KAA0E,CAChF;EACJ;;AAGH,SAAS,wBACP,MACA,SAC8C;CAC9C,MAAM,iBAAiB,wBAAwB,QAAQ;CACvD,MAAM,gBAA4B,eAAe,OAC7C,SACA,eAAe,eACb,iBACA;AAEN,QAAO;EACL,OAAO;EACP,UAAU;EACV,KAAK,OAAO,EAAE,OAAO,UAAU;GAC7B,MAAM,QAAQ,sBAAsB,MAAM,KAAK,cAAc;AAC7D,OAAI,MAAM,OAAO,CAAE,QAAO;AAC1B,UAAO,GAAG,KAAK,iBAAiB,MAAM,OAAO,gBAAgB,MAAoB,CAAC;;EAErF;;AAGH,SAAS,iBAQP,MACA,QAC8C;AAC9C,QAAO;EACL,OAAO;EACP,UAAU;EACV,KAAK,OAAO,SAAS;GACnB,MAAM,YAAY;GAClB,MAAM,QAAQ,sBAAsB,MAAM,UAAU,KAAK,OAAO;AAChE,OAAI,MAAM,OAAO,CAAE,QAAO;AAE1B,OAAI,gBAAgB,UAAU,OAAO,OAAO,eAAe,UAAU;IACnE,MAAM,WAAW,UAAU,MAAM,OAAO;AAQxC,QAAI,CAPkB,KAAK,gBACzB,MAAM,OACN,OAAO,QACP,UACA,OAAO,OACR,CAGC,QAAO,KAAK,MAAM,YAAY;AAGhC,WAAO,GAAG,SAAS;;AAGrB,OAAI,OAAO,OAAO,aAAa,YAAY;IACzC,MAAM,kBAAkB,OAAO;IAI/B,IAAI;IACJ,MAAM,aAAa,MAAM,KAAK,qBAC5B,MAAM,OACN,OAAO,QACP,YAAY;KACV,MAAM,eAAe,MAAM,yBAAyB,gBAAgB,UAAU,CAAC;AAC/E,SAAI,aAAa,MAAM,CACrB,kBAAiB,aAAa;AAEhC,YAAO;OAET,OAAO,OACR;AAED,QAAI,WAAW,OAAO,CACpB,QAAO;AAGT,QAAI,CAAC,WAAW,MACd,QAAO,KAAK,MAAM,YAAY;AAGhC,WAAO,GAAG,eAAe;;GAG3B,MAAM,WAAW,OAAO;AAQxB,OAAI,CAPkB,KAAK,gBACzB,MAAM,OACN,OAAO,QACP,UACA,OAAO,OACR,CAGC,QAAO,KAAK,MAAM,YAAY;AAGhC,UAAO,GAAG,SAAS;;EAEtB;;AAGH,SAAS,uBAQP,MACA,QACA,SACyC;AACzC,QAAO,OAAO,OAAO,QACnB,KAAK,eAAe,YAAY;EAC9B,MAAM,QAA+B,EAAE;EACvC,MAAM,YAAY,KAAK,KAAK;EAC5B,MAAM,WAAW;EACjB,IAAI,eAAwB;AAE5B,oBAAkB,MAAM,OAAO,MAAM,UAAU,QAAQ;AAEvD,MAAI;AACF,QAAK,MAAM,QAAQ,OAAO,OAAO;IAC/B,MAAM,aAAa,MAAM,KAAK,IAAI;KAChC,OAAO;KACP,KAAK;KACL;KACA,YAAY,KAAK;KACjB,SAAS,KAAK;KACd,QAAQ,KAAK;KACd,CAAC;AAEF,QAAI,WAAW,OAAO,EAAE;AACtB,uBAAkB,MAAM,OAAO,MAAM,UAAU,gBAAgB,WAAW,MAAM,KAAK,EAAE;MACrF,UAAU,KAAK;MACf,YAAY,KAAK,KAAK,GAAG;MACzB,WAAW,WAAW,MAAM;MAC7B,CAAC;AACF,YAAO;;AAGT,UAAM,KAAK,YAAY,WAAW;AAElC,QAAI,KAAK,UAAU,QACjB,gBAAe,WAAW;AAG5B,QAAI,KAAK,UAAU,OACjB,mBAAkB,MAAM,OAAO,MAAM,UAAU,eAAe,EAC5D,UAAU,KAAK,UAChB,CAAC;AAGJ,QAAI,KAAK,UAAU,SACjB,mBAAkB,MAAM,OAAO,MAAM,UAAU,iBAAiB,EAC9D,UAAU,KAAK,UAChB,CAAC;;GAIN,MAAM,gBAAgB,MAAM,yBAC1B,QAAQ;IACN,OAAO;IACF;IACE;IACP,YAAY,KAAK;IACjB,SAAS,KAAK;IACd,QAAQ,KAAK;IACd,CAAC,CACH;AAED,OAAI,cAAc,OAAO,EAAE;AACzB,sBACE,MACA,OAAO,MACP,UACA,gBAAgB,cAAc,MAAM,KAAK,EACzC;KACE,YAAY,KAAK,KAAK,GAAG;KACzB,WAAW,cAAc,MAAM;KAChC,CACF;AACD,WAAO;;AAGT,qBAAkB,MAAM,OAAO,MAAM,UAAU,WAAW,EACxD,YAAY,KAAK,KAAK,GAAG,WAC1B,CAAC;AACF,UAAO;WACA,OAAO;GACd,MAAM,cAAc,KAAK,mBAAmB,MAAM;AAClD,qBAAkB,MAAM,OAAO,MAAM,UAAU,gBAAgB,YAAY,KAAK,EAAE;IAChF,YAAY,KAAK,KAAK,GAAG;IACzB,WAAW,YAAY;IACxB,CAAC;AACF,SAAM;;GAER;;AAGN,SAAgB,8BAOd,MACA,QACsE;CACtE,SAAS,iBAEP,SAAoB;EACpB,MAAM,QAAQ,YAAY,OAAO,OAAO,OAAO,GAC3C,OAAO,QACP,CAAC,GAAG,OAAO,OAAO,sBAAsB,MAAM,OAAO,CAAC;AAE1D,uBAAqB,OAAO,gBAAgB;AAE5C,SAAO,8BAML,MAAM;GACN,GAAG;GACH,OAAO,CAAC,GAAG,OAAO,wBAAwB,MAAM,QAAQ,CAAC;GAC1D,CAAC;;AAyDJ,QAtDsF;EACpF,IACE,UACA,MACA;AACA,wBAAqB,OAAO,OAAO,SAAS;AAC5C,UAAO,8BAML,MAAM;IACN,GAAG;IACH,OAAO,CAAC,GAAG,OAAO,OAAO,cAAc,UAAU,KAAK,CAAC;IACxD,CAAC;;EAEJ,SACE,UACA,MACA;AACA,wBAAqB,OAAO,OAAO,SAAS;AAC5C,UAAO,8BAML,MAAM;IACN,GAAG;IACH,OAAO,CAAC,GAAG,OAAO,OAAO,gBAAgB,UAAU,KAAK,CAAC;IAC1D,CAAC;;EAEJ;EACA,YAA+C,OAAe;AAC5D,wBAAqB,OAAO,OAAO,OAAO;AAC1C,UAAO,8BAML,MAAM;IACN,GAAG;IACH,OAAO,CAAC,GAAG,OAAO,OAAO,sBAAsB,MAAM,SAAS,OAAO,CAAC;IACvE,CAAC;;EAEJ,OACE,SACA;AACA,UAAO,uBAAuB,MAAM,QAAQ,QAAQ;;EAEvD;;AAKH,SAAgB,wCAOd,MACA,QACgF;CAChF,SAAS,iBAEP,SAAoB;EACpB,MAAM,QAAQ,YAAY,OAAO,OAAO,OAAO,GAC3C,OAAO,QACP,CAAC,GAAG,OAAO,OAAO,sBAAsB,MAAM,OAAO,CAAC;AAE1D,uBAAqB,OAAO,gBAAgB;AAE5C,SAAO,wCAML,MAAM;GACN,GAAG;GACH,OAAO,CAAC,GAAG,OAAO,wBAAwB,MAAM,QAAQ,CAAC;GAC1D,CAAC;;CAqCJ,SAAS,OACP,cAUA;AACA,uBAAqB,OAAO,OAAO,SAAS;AAC5C,SAAO,wCAML,MAAM;GACN,GAAG;GACH,OAAO,CAAC,GAAG,OAAO,OAAO,iBAAiB,MAAM,aAAa,CAAC;GAC/D,CAAC;;AA0DJ,QAvDgG;EAC9F,IACE,UACA,MACA;AACA,wBAAqB,OAAO,OAAO,SAAS;AAC5C,UAAO,wCAML,MAAM;IACN,GAAG;IACH,OAAO,CAAC,GAAG,OAAO,OAAO,cAAc,UAAU,KAAK,CAAC;IACxD,CAAC;;EAEJ,SACE,UACA,MACA;AACA,wBAAqB,OAAO,OAAO,SAAS;AAC5C,UAAO,wCAML,MAAM;IACN,GAAG;IACH,OAAO,CAAC,GAAG,OAAO,OAAO,gBAAgB,UAAU,KAAK,CAAC;IAC1D,CAAC;;EAEJ;EACA,YAA+C,OAAe;AAC5D,wBAAqB,OAAO,OAAO,OAAO;AAC1C,UAAO,wCAML,MAAM;IACN,GAAG;IACH,OAAO,CAAC,GAAG,OAAO,OAAO,sBAAsB,MAAM,SAAS,OAAO,CAAC;IACvE,CAAC;;EAEJ;EACA,OACE,SACA;AACA,UAAO,uBAAuB,MAAM,QAAQ,QAAQ;;EAEvD"}