npm - @memberjunction/core-entities - Versions diffs - 5.29.0 → 5.30.0 - Mend

@memberjunction/core-entities 5.29.0 → 5.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/dist/custom/MJConversationDetailEntityExtended.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { EntityDeleteOptions, EntitySaveOptions } from '@memberjunction/core';
+import { MJConversationDetailEntity } from '../generated/entity_subclasses.js';
+/**
+ * Server-side defense-in-depth for conversation sharing. The Angular chat UI
+ * disables the message input when the current user only holds `View` access,
+ * but that's a cosmetic gate — a determined caller could still hit the API
+ * directly. This override blocks Create/Update/Delete of conversation
+ * messages unless the context user is either:
+ *
+ *  1. The conversation's owner (`MJ: Conversations.UserID`), or
+ *  2. A grantee on `MJ: Resource Permissions` with `PermissionLevel` of
+ *     `Edit` or `Owner` (directly or via role) and `Status='Approved'`.
+ *
+ * Runs on the server only (`ProviderType === 'Database'`) — client-side
+ * executions pass straight through to `super` so offline/optimistic paths
+ * still work. `ResourcePermissionEngine`'s cache is used to avoid per-save
+ * round trips for permission lookups.
+ */
+export declare class MJConversationDetailEntityExtended extends MJConversationDetailEntity {
+    Save(options?: EntitySaveOptions): Promise<boolean>;
+    Delete(options?: EntityDeleteOptions): Promise<boolean>;
+    private currentUserMayWrite;
+    /**
+     * Populate `LatestResult.Message` so callers that inspect the save result
+     * see why the write was refused rather than a generic failure.
+     */
+    private RecordDenied;
+}
+/** Tree-shaking guard — referenced from the MJCoreEntities barrel so the decorator fires. */
+export declare function LoadMJConversationDetailEntityExtended(): void;
+//# sourceMappingURL=MJConversationDetailEntityExtended.d.ts.map

package/dist/custom/MJConversationDetailEntityExtended.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"MJConversationDetailEntityExtended.d.ts","sourceRoot":"","sources":["../../src/custom/MJConversationDetailEntityExtended.ts"],"names":[],"mappings":"AAAA,OAAO,EAEH,mBAAmB,EACnB,iBAAiB,EAGpB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACH,0BAA0B,EAG7B,MAAM,gCAAgC,CAAC;AAMxC;;;;;;;;;;;;;;;GAeG;AACH,qBACa,kCAAmC,SAAQ,0BAA0B;IAC/D,IAAI,CAAC,OAAO,CAAC,EAAE,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC;IAOnD,MAAM,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC;YAOxD,mBAAmB;IA6DjC;;;OAGG;IACH,OAAO,CAAC,YAAY;CAOvB;AAED,6FAA6F;AAC7F,wBAAgB,sCAAsC,IAAI,IAAI,CAE7D"}

package/dist/custom/MJConversationDetailEntityExtended.js ADDED Viewed

@@ -0,0 +1,106 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { BaseEntity, LogError } from '@memberjunction/core';
+import { RegisterClass, UUIDsEqual } from '@memberjunction/global';
+import { MJConversationDetailEntity } from '../generated/entity_subclasses.js';
+import { ResourcePermissionEngine } from './ResourcePermissions/ResourcePermissionEngine.js';
+/** `MJ: Resource Types.ID` for Conversations — seeded in the resource type catalog. */
+const CONVERSATIONS_RESOURCE_TYPE_ID = '81D4BC3D-9FEB-EF11-B01A-286B35C04427';
+/**
+ * Server-side defense-in-depth for conversation sharing. The Angular chat UI
+ * disables the message input when the current user only holds `View` access,
+ * but that's a cosmetic gate — a determined caller could still hit the API
+ * directly. This override blocks Create/Update/Delete of conversation
+ * messages unless the context user is either:
+ *
+ *  1. The conversation's owner (`MJ: Conversations.UserID`), or
+ *  2. A grantee on `MJ: Resource Permissions` with `PermissionLevel` of
+ *     `Edit` or `Owner` (directly or via role) and `Status='Approved'`.
+ *
+ * Runs on the server only (`ProviderType === 'Database'`) — client-side
+ * executions pass straight through to `super` so offline/optimistic paths
+ * still work. `ResourcePermissionEngine`'s cache is used to avoid per-save
+ * round trips for permission lookups.
+ */
+let MJConversationDetailEntityExtended = class MJConversationDetailEntityExtended extends MJConversationDetailEntity {
+    async Save(options) {
+        if (!(await this.currentUserMayWrite())) {
+            return false;
+        }
+        return super.Save(options);
+    }
+    async Delete(options) {
+        if (!(await this.currentUserMayWrite())) {
+            return false;
+        }
+        return super.Delete(options);
+    }
+    async currentUserMayWrite() {
+        const provider = this.ProviderToUse;
+        if (provider?.ProviderType !== 'Database') {
+            // Client-side path — trust the enforcement that already ran upstream.
+            return true;
+        }
+        const user = this.ContextCurrentUser;
+        if (!user) {
+            // No user context on a server save = system operation; allow.
+            return true;
+        }
+        try {
+            const conversation = await provider.GetEntityObject('MJ: Conversations', user);
+            const loaded = await conversation.Load(this.ConversationID);
+            if (!loaded) {
+                // Parent conversation missing — let the FK/base save handle it.
+                return true;
+            }
+            if (conversation.UserID && UUIDsEqual(conversation.UserID, user.ID)) {
+                return true;
+            }
+            const engine = ResourcePermissionEngine.GetProviderInstance(provider, ResourcePermissionEngine);
+            await engine.Config(false, user);
+            const grant = engine
+                .GetUserAvailableResources(user, CONVERSATIONS_RESOURCE_TYPE_ID)
+                .find((p) => UUIDsEqual(p.ResourceRecordID, this.ConversationID));
+            if (!grant) {
+                this.RecordDenied('You do not have access to this conversation.');
+                return false;
+            }
+            if (grant.PermissionLevel === 'Edit' || grant.PermissionLevel === 'Owner') {
+                return true;
+            }
+            // Only View — block writes.
+            this.RecordDenied('You have view-only access to this conversation.');
+            return false;
+        }
+        catch (error) {
+            LogError(`MJConversationDetailEntityExtended.currentUserMayWrite failed: ${error instanceof Error ? error.message : String(error)}`);
+            // Fail closed — safer to deny than silently allow a compromised write.
+            this.RecordDenied('Unable to verify conversation permissions.');
+            return false;
+        }
+    }
+    /**
+     * Populate `LatestResult.Message` so callers that inspect the save result
+     * see why the write was refused rather than a generic failure.
+     */
+    RecordDenied(message) {
+        const result = this.LatestResult;
+        if (result) {
+            result.Success = false;
+            result.Message = message;
+        }
+    }
+};
+MJConversationDetailEntityExtended = __decorate([
+    RegisterClass(BaseEntity, 'MJ: Conversation Details')
+], MJConversationDetailEntityExtended);
+export { MJConversationDetailEntityExtended };
+/** Tree-shaking guard — referenced from the MJCoreEntities barrel so the decorator fires. */
+export function LoadMJConversationDetailEntityExtended() {
+    // intentionally empty
+}
+//# sourceMappingURL=MJConversationDetailEntityExtended.js.map

package/dist/custom/MJConversationDetailEntityExtended.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"MJConversationDetailEntityExtended.js","sourceRoot":"","sources":["../../src/custom/MJConversationDetailEntityExtended.ts"],"names":[],"mappings":";;;;;;AAAA,OAAO,EACH,UAAU,EAIV,QAAQ,EACX,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACnE,OAAO,EACH,0BAA0B,EAG7B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,wBAAwB,EAAE,MAAM,gDAAgD,CAAC;AAE1F,uFAAuF;AACvF,MAAM,8BAA8B,GAAG,sCAAsC,CAAC;AAE9E;;;;;;;;;;;;;;;GAeG;AAEI,IAAM,kCAAkC,GAAxC,MAAM,kCAAmC,SAAQ,0BAA0B;IACrE,KAAK,CAAC,IAAI,CAAC,OAA2B;QAC3C,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,mBAAmB,EAAE,CAAC,EAAE,CAAC;YACtC,OAAO,KAAK,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/B,CAAC;IAEQ,KAAK,CAAC,MAAM,CAAC,OAA6B;QAC/C,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,mBAAmB,EAAE,CAAC,EAAE,CAAC;YACtC,OAAO,KAAK,CAAC;QACjB,CAAC;QACD,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAEO,KAAK,CAAC,mBAAmB;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,aAA6C,CAAC;QACpE,IAAI,QAAQ,EAAE,YAAY,KAAK,UAAU,EAAE,CAAC;YACxC,sEAAsE;YACtE,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,CAAC;QACrC,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,8DAA8D;YAC9D,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,IAAI,CAAC;YACD,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,eAAe,CAC/C,mBAAmB,EACnB,IAAI,CACP,CAAC;YACF,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAC5D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACV,gEAAgE;gBAChE,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,IAAI,YAAY,CAAC,MAAM,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;gBAClE,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,MAAM,MAAM,GAAG,wBAAwB,CAAC,mBAAmB,CACvD,QAA6B,EAC7B,wBAAwB,CACC,CAAC;YAC9B,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAEjC,MAAM,KAAK,GAAG,MAAM;iBACf,yBAAyB,CAAC,IAAI,EAAE,8BAA8B,CAAC;iBAC/D,IAAI,CAAC,CAAC,CAA6B,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,gBAAgB,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;YAElG,IAAI,CAAC,KAAK,EAAE,CAAC;gBACT,IAAI,CAAC,YAAY,CAAC,8CAA8C,CAAC,CAAC;gBAClE,OAAO,KAAK,CAAC;YACjB,CAAC;YACD,IAAI,KAAK,CAAC,eAAe,KAAK,MAAM,IAAI,KAAK,CAAC,eAAe,KAAK,OAAO,EAAE,CAAC;gBACxE,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,4BAA4B;YAC5B,IAAI,CAAC,YAAY,CAAC,iDAAiD,CAAC,CAAC;YACrE,OAAO,KAAK,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,QAAQ,CACJ,kEACI,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACzD,EAAE,CACL,CAAC;YACF,uEAAuE;YACvE,IAAI,CAAC,YAAY,CAAC,4CAA4C,CAAC,CAAC;YAChE,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED;;;OAGG;IACK,YAAY,CAAC,OAAe;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,YAA6E,CAAC;QAClG,IAAI,MAAM,EAAE,CAAC;YACT,MAAM,CAAC,OAAO,GAAG,KAAK,CAAC;YACvB,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC;QAC7B,CAAC;IACL,CAAC;CACJ,CAAA;AAvFY,kCAAkC;IAD9C,aAAa,CAAC,UAAU,EAAE,0BAA0B,CAAC;GACzC,kCAAkC,CAuF9C;;AAED,6FAA6F;AAC7F,MAAM,UAAU,sCAAsC;IAClD,sBAAsB;AAC1B,CAAC"}

package/dist/custom/PermissionProviders/AIAgentPermissionProvider.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { GranteeType, NormalizedPermission, PermissionAction, PermissionCheckResult, PermissionProviderBase, UserInfo } from '@memberjunction/core';
+/**
+ * Wraps `MJ: AI Agent Permissions` behind the unified {@link PermissionProviderBase} contract.
+ *
+ * AIAgentPermission rows grant either a User (via UserID) or a Role (via RoleID) — never both;
+ * the underlying entity enforces this via a table-level validator. Action mapping:
+ * - CanView → `Read`
+ * - CanRun  → `Execute`
+ * - CanEdit → `Update`
+ * - CanDelete → `Delete`
+ *
+ * User+Role grants for the same user are OR-aggregated (any grant of an action suffices).
+ *
+ * `resourceType` is `"AI Agents"`. `resourceId` is the agent ID.
+ */
+export declare class AIAgentPermissionProvider extends PermissionProviderBase {
+    readonly DomainName = "AI Agent Permissions";
+    readonly Description = "User- or role-level permissions on AI agents. Actions: View (Read), Run (Execute), Edit (Update), Delete.";
+    readonly SupportedGranteeTypes: GranteeType[];
+    readonly SupportedActions: PermissionAction[];
+    readonly SupportsDeny = false;
+    GetResourceTypes(): string[];
+    CheckPermission(user: UserInfo, _resourceType: string, resourceId: string | null, action: PermissionAction): Promise<PermissionCheckResult>;
+    GetEffectivePermissions(user: UserInfo, _resourceType: string, resourceId: string): Promise<NormalizedPermission[]>;
+    GetUserResources(user: UserInfo, resourceType?: string): Promise<NormalizedPermission[]>;
+    GetResourcePermissions(resourceType: string, resourceId: string): Promise<NormalizedPermission[]>;
+    private fetchPermissionsForAgent;
+    private actionsForUser;
+    private rowActions;
+}
+//# sourceMappingURL=AIAgentPermissionProvider.d.ts.map

package/dist/custom/PermissionProviders/AIAgentPermissionProvider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"AIAgentPermissionProvider.d.ts","sourceRoot":"","sources":["../../../src/custom/PermissionProviders/AIAgentPermissionProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,WAAW,EACX,oBAAoB,EACpB,gBAAgB,EAChB,qBAAqB,EACrB,sBAAsB,EACtB,QAAQ,EACX,MAAM,sBAAsB,CAAC;AAgB9B;;;;;;;;;;;;;GAaG;AACH,qBACa,yBAA0B,SAAQ,sBAAsB;IACjE,QAAQ,CAAC,UAAU,0BAA0B;IAC7C,QAAQ,CAAC,WAAW,+GAC4F;IAChH,QAAQ,CAAC,qBAAqB,EAAE,WAAW,EAAE,CAAoB;IACjE,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,CAA2C;IACxF,QAAQ,CAAC,YAAY,SAAS;IAErB,gBAAgB,IAAI,MAAM,EAAE;IAI/B,eAAe,CACjB,IAAI,EAAE,QAAQ,EACd,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,MAAM,EAAE,gBAAgB,GACzB,OAAO,CAAC,qBAAqB,CAAC;IAqB3B,uBAAuB,CAAC,IAAI,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAYnH,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAuCxF,sBAAsB,CAAC,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;YA8BzF,wBAAwB;IAStC,OAAO,CAAC,cAAc;IAYtB,OAAO,CAAC,UAAU;CAQrB"}

package/dist/custom/PermissionProviders/AIAgentPermissionProvider.js ADDED Viewed

@@ -0,0 +1,151 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { PermissionProviderBase, } from '@memberjunction/core';
+import { RegisterClass, UUIDsEqual } from '@memberjunction/global';
+/**
+ * Wraps `MJ: AI Agent Permissions` behind the unified {@link PermissionProviderBase} contract.
+ *
+ * AIAgentPermission rows grant either a User (via UserID) or a Role (via RoleID) — never both;
+ * the underlying entity enforces this via a table-level validator. Action mapping:
+ * - CanView → `Read`
+ * - CanRun  → `Execute`
+ * - CanEdit → `Update`
+ * - CanDelete → `Delete`
+ *
+ * User+Role grants for the same user are OR-aggregated (any grant of an action suffices).
+ *
+ * `resourceType` is `"AI Agents"`. `resourceId` is the agent ID.
+ */
+let AIAgentPermissionProvider = class AIAgentPermissionProvider extends PermissionProviderBase {
+    constructor() {
+        super(...arguments);
+        this.DomainName = 'AI Agent Permissions';
+        this.Description = 'User- or role-level permissions on AI agents. Actions: View (Read), Run (Execute), Edit (Update), Delete.';
+        this.SupportedGranteeTypes = ['User', 'Role'];
+        this.SupportedActions = ['Read', 'Execute', 'Update', 'Delete'];
+        this.SupportsDeny = false;
+    }
+    GetResourceTypes() {
+        return ['AI Agents'];
+    }
+    async CheckPermission(user, _resourceType, resourceId, action) {
+        if (!resourceId) {
+            return {
+                Allowed: false,
+                DomainName: this.DomainName,
+                Reason: 'AI Agent permissions require a specific agent ID',
+            };
+        }
+        const rows = await this.fetchPermissionsForAgent(resourceId);
+        const actions = this.actionsForUser(user, rows);
+        const allowed = actions.includes(action);
+        return {
+            Allowed: allowed,
+            DomainName: this.DomainName,
+            Reason: allowed
+                ? `User has ${action} via user or role grant on agent '${resourceId}'`
+                : `User has no ${action} permission on agent '${resourceId}'`,
+        };
+    }
+    async GetEffectivePermissions(user, _resourceType, resourceId) {
+        const rows = await this.fetchPermissionsForAgent(resourceId);
+        const actions = this.actionsForUser(user, rows);
+        if (actions.length === 0)
+            return [];
+        const nameMap = await this.bulkLookupNames('MJ: AI Agents', [resourceId]);
+        return [this.buildNormalizedPermission({
+                resourceType: 'AI Agents', resourceId, resourceName: nameMap.get(resourceId),
+                granteeType: 'User', granteeId: user.ID, granteeName: user.Name, actions,
+            })];
+    }
+    async GetUserResources(user, resourceType) {
+        if (resourceType && resourceType !== 'AI Agents')
+            return [];
+        const userRoleIds = (user.UserRoles ?? []).map((ur) => ur.RoleID);
+        const userFilter = `UserID='${user.ID}'`;
+        const roleFilter = userRoleIds.length ? `RoleID IN (${userRoleIds.map((r) => `'${r}'`).join(',')})` : null;
+        const combinedFilter = roleFilter ? `(${userFilter}) OR (${roleFilter})` : userFilter;
+        const rows = await this.fetchRows('MJ: AI Agent Permissions', combinedFilter, ['ID', 'AgentID', 'RoleID', 'UserID', 'CanView', 'CanRun', 'CanEdit', 'CanDelete'], 'GetUserResources');
+        // Group by agent and aggregate actions
+        const byAgent = new Map();
+        for (const row of rows) {
+            const bucket = byAgent.get(row.AgentID) ?? { actions: new Set(), sourceIds: [] };
+            for (const a of this.rowActions(row))
+                bucket.actions.add(a);
+            bucket.sourceIds.push(row.ID);
+            byAgent.set(row.AgentID, bucket);
+        }
+        if (byAgent.size === 0)
+            return [];
+        const nameMap = await this.bulkLookupNames('MJ: AI Agents', Array.from(byAgent.keys()));
+        const results = [];
+        for (const [agentId, { actions, sourceIds }] of byAgent) {
+            if (actions.size === 0)
+                continue;
+            results.push(this.buildNormalizedPermission({
+                resourceType: 'AI Agents', resourceId: agentId, resourceName: nameMap.get(agentId),
+                granteeType: 'User', granteeId: user.ID, granteeName: user.Name,
+                actions: Array.from(actions),
+                sourceRecordId: sourceIds.length === 1 ? sourceIds[0] : undefined,
+            }));
+        }
+        return results;
+    }
+    async GetResourcePermissions(resourceType, resourceId) {
+        if (resourceType !== 'AI Agents')
+            return [];
+        const rows = await this.fetchRows('MJ: AI Agent Permissions', `AgentID='${resourceId}'`, ['ID', 'AgentID', 'RoleID', 'UserID', 'Role', 'User', 'CanView', 'CanRun', 'CanEdit', 'CanDelete'], 'GetResourcePermissions');
+        if (rows.length === 0)
+            return [];
+        const nameMap = await this.bulkLookupNames('MJ: AI Agents', [resourceId]);
+        const resourceName = nameMap.get(resourceId);
+        const results = [];
+        for (const row of rows) {
+            const actions = this.rowActions(row);
+            if (actions.length === 0)
+                continue;
+            const isUser = row.UserID != null;
+            results.push(this.buildNormalizedPermission({
+                resourceType: 'AI Agents', resourceId, resourceName,
+                granteeType: isUser ? 'User' : 'Role',
+                granteeId: isUser ? row.UserID : row.RoleID,
+                granteeName: isUser ? row.User ?? undefined : row.Role ?? undefined,
+                actions,
+                sourceRecordId: row.ID,
+            }));
+        }
+        return results;
+    }
+    async fetchPermissionsForAgent(agentId) {
+        return this.fetchRows('MJ: AI Agent Permissions', `AgentID='${agentId}'`, ['ID', 'AgentID', 'RoleID', 'UserID', 'CanView', 'CanRun', 'CanEdit', 'CanDelete'], 'fetchPermissionsForAgent');
+    }
+    actionsForUser(user, rows) {
+        const set = new Set();
+        for (const row of rows) {
+            const matches = (row.UserID && UUIDsEqual(row.UserID, user.ID)) ||
+                (row.RoleID && user.UserRoles?.some((ur) => UUIDsEqual(ur.RoleID, row.RoleID)));
+            if (!matches)
+                continue;
+            for (const a of this.rowActions(row))
+                set.add(a);
+        }
+        return Array.from(set);
+    }
+    rowActions(row) {
+        return this.boolsToActions({
+            Read: row.CanView,
+            Execute: row.CanRun,
+            Update: row.CanEdit,
+            Delete: row.CanDelete,
+        });
+    }
+};
+AIAgentPermissionProvider = __decorate([
+    RegisterClass(PermissionProviderBase, 'MJAIAgentPermissionProvider')
+], AIAgentPermissionProvider);
+export { AIAgentPermissionProvider };
+//# sourceMappingURL=AIAgentPermissionProvider.js.map

package/dist/custom/PermissionProviders/AIAgentPermissionProvider.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"AIAgentPermissionProvider.js","sourceRoot":"","sources":["../../../src/custom/PermissionProviders/AIAgentPermissionProvider.ts"],"names":[],"mappings":";;;;;;AAAA,OAAO,EAKH,sBAAsB,GAEzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAenE;;;;;;;;;;;;;GAaG;AAEI,IAAM,yBAAyB,GAA/B,MAAM,yBAA0B,SAAQ,sBAAsB;IAA9D;;QACM,eAAU,GAAG,sBAAsB,CAAC;QACpC,gBAAW,GAChB,2GAA2G,CAAC;QACvG,0BAAqB,GAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,qBAAgB,GAAuB,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC/E,iBAAY,GAAG,KAAK,CAAC;IA8IlC,CAAC;IA5IY,gBAAgB;QACrB,OAAO,CAAC,WAAW,CAAC,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,eAAe,CACjB,IAAc,EACd,aAAqB,EACrB,UAAyB,EACzB,MAAwB;QAExB,IAAI,CAAC,UAAU,EAAE,CAAC;YACd,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,MAAM,EAAE,kDAAkD;aAC7D,CAAC;QACN,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,CAAC;QAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACzC,OAAO;YACH,OAAO,EAAE,OAAO;YAChB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,MAAM,EAAE,OAAO;gBACX,CAAC,CAAC,YAAY,MAAM,qCAAqC,UAAU,GAAG;gBACtE,CAAC,CAAC,eAAe,MAAM,yBAAyB,UAAU,GAAG;SACpE,CAAC;IACN,CAAC;IAED,KAAK,CAAC,uBAAuB,CAAC,IAAc,EAAE,aAAqB,EAAE,UAAkB;QACnF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,CAAC;QAC7D,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAChD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAEpC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC;gBACnC,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;gBAC5E,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO;aAC3E,CAAC,CAAC,CAAC;IACR,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,IAAc,EAAE,YAAqB;QACxD,IAAI,YAAY,IAAI,YAAY,KAAK,WAAW;YAAE,OAAO,EAAE,CAAC;QAE5D,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;QAClE,MAAM,UAAU,GAAG,WAAW,IAAI,CAAC,EAAE,GAAG,CAAC;QACzC,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;QAC3G,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,UAAU,SAAS,UAAU,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC;QAEtF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAC7B,0BAA0B,EAC1B,cAAc,EACd,CAAC,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,EAClF,kBAAkB,CACrB,CAAC;QAEF,uCAAuC;QACvC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmE,CAAC;QAC3F,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,GAAG,EAAoB,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;YACnG,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC5D,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAElC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QACxF,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,KAAK,MAAM,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,IAAI,OAAO,EAAE,CAAC;YACtD,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC;gBAAE,SAAS;YACjC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC;gBACxC,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;gBAClF,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,IAAI;gBAC/D,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;gBAC5B,cAAc,EAAE,SAAS,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;aACpE,CAAC,CAAC,CAAC;QACR,CAAC;QACD,OAAO,OAAO,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,YAAoB,EAAE,UAAkB;QACjE,IAAI,YAAY,KAAK,WAAW;YAAE,OAAO,EAAE,CAAC;QAE5C,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAC7B,0BAA0B,EAC1B,YAAY,UAAU,GAAG,EACzB,CAAC,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,EAClG,wBAAwB,CAC3B,CAAC;QACF,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAEjC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;QAC1E,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YACnC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC;YAClC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,yBAAyB,CAAC;gBACxC,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,YAAY;gBACnD,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;gBACrC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM;gBAC3C,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS;gBACnE,OAAO;gBACP,cAAc,EAAE,GAAG,CAAC,EAAE;aACzB,CAAC,CAAC,CAAC;QACR,CAAC;QACD,OAAO,OAAO,CAAC;IACnB,CAAC;IAEO,KAAK,CAAC,wBAAwB,CAAC,OAAe;QAClD,OAAO,IAAI,CAAC,SAAS,CACjB,0BAA0B,EAC1B,YAAY,OAAO,GAAG,EACtB,CAAC,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,EAClF,0BAA0B,CAC7B,CAAC;IACN,CAAC;IAEO,cAAc,CAAC,IAAc,EAAE,IAA4B;QAC/D,MAAM,GAAG,GAAG,IAAI,GAAG,EAAoB,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACrB,MAAM,OAAO,GACT,CAAC,GAAG,CAAC,MAAM,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC/C,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,CAAC,MAAO,CAAC,CAAC,CAAC,CAAC;YACrF,IAAI,CAAC,OAAO;gBAAE,SAAS;YACvB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAEO,UAAU,CAAC,GAAyB;QACxC,OAAO,IAAI,CAAC,cAAc,CAAC;YACvB,IAAI,EAAE,GAAG,CAAC,OAAO;YACjB,OAAO,EAAE,GAAG,CAAC,MAAM;YACnB,MAAM,EAAE,GAAG,CAAC,OAAO;YACnB,MAAM,EAAE,GAAG,CAAC,SAAS;SACxB,CAAC,CAAC;IACP,CAAC;CACJ,CAAA;AApJY,yBAAyB;IADrC,aAAa,CAAC,sBAAsB,EAAE,6BAA6B,CAAC;GACxD,yBAAyB,CAoJrC"}

package/dist/custom/PermissionProviders/AccessControlRuleProvider.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { GranteeType, NormalizedPermission, PermissionAction, PermissionCheckResult, PermissionProviderBase, UserInfo } from '@memberjunction/core';
+/**
+ * Wraps `MJ: Access Control Rules` behind the unified {@link PermissionProviderBase} contract.
+ *
+ * ACRs are record-scoped permissions on any entity, using a single polymorphic
+ * `(GranteeType, GranteeID)` column pair. They support the broadest grantee set
+ * (User, Role, Everyone, Public), the full CRUD+Share action set, and optional
+ * time-bound expiration via `ExpiresAt`.
+ *
+ * `resourceType` is the entity name the ACR targets (e.g., `"Accounts"`); the provider
+ * resolves it to the EntityID before querying. `resourceId` is the `RecordID` value
+ * (typically a UUID but stored as nvarchar(500) to accommodate composite keys).
+ */
+export declare class AccessControlRuleProvider extends PermissionProviderBase {
+    readonly DomainName = "Access Control Rules";
+    readonly Description = "Record-level permissions with User/Role/Everyone/Public grantees, full CRUD+Share, and optional expiration.";
+    readonly SupportedGranteeTypes: GranteeType[];
+    readonly SupportedActions: PermissionAction[];
+    readonly SupportsDeny = false;
+    readonly SupportsExpiration = true;
+    GetResourceTypes(): string[];
+    CheckPermission(user: UserInfo, resourceType: string, resourceId: string | null, action: PermissionAction): Promise<PermissionCheckResult>;
+    GetEffectivePermissions(user: UserInfo, resourceType: string, resourceId: string): Promise<NormalizedPermission[]>;
+    GetUserResources(user: UserInfo, resourceType?: string): Promise<NormalizedPermission[]>;
+    GetResourcePermissions(resourceType: string, resourceId: string): Promise<NormalizedPermission[]>;
+    /**
+     * ACRs where this user is the User-type grantee AND someone else issued the grant.
+     * Excludes rules the user created for themselves. Role/Everyone/Public grants don't
+     * belong in the personal "Shared with me" view — they're always aggregated, and there's
+     * no single recipient they were shared *with*. Only unexpired rules are returned.
+     */
+    GetPermissionsSharedWithUser(grantee: UserInfo): Promise<NormalizedPermission[]>;
+    /**
+     * Every ACR where this user is the grantor. Only unexpired rules are returned — an
+     * expired ACR can't be acted on, so surfacing it in "Shared by me" would be noise.
+     */
+    GetPermissionsGrantedByUser(grantor: UserInfo): Promise<NormalizedPermission[]>;
+    private resolveEntityId;
+    private fetchActiveRules;
+    private resolveGranteeName;
+    private actionsForUser;
+    private granteeMatchesUser;
+    private rowActions;
+}
+//# sourceMappingURL=AccessControlRuleProvider.d.ts.map

package/dist/custom/PermissionProviders/AccessControlRuleProvider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"AccessControlRuleProvider.d.ts","sourceRoot":"","sources":["../../../src/custom/PermissionProviders/AccessControlRuleProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,WAAW,EAEX,oBAAoB,EACpB,gBAAgB,EAChB,qBAAqB,EACrB,sBAAsB,EACtB,QAAQ,EACX,MAAM,sBAAsB,CAAC;AAyB9B;;;;;;;;;;;GAWG;AACH,qBACa,yBAA0B,SAAQ,sBAAsB;IACjE,QAAQ,CAAC,UAAU,0BAA0B;IAC7C,QAAQ,CAAC,WAAW,iHAC8F;IAClH,QAAQ,CAAC,qBAAqB,EAAE,WAAW,EAAE,CAA0C;IACvF,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,CAAmD;IAChG,QAAQ,CAAC,YAAY,SAAS;IAC9B,QAAQ,CAAC,kBAAkB,QAAQ;IAE1B,gBAAgB,IAAI,MAAM,EAAE;IAI/B,eAAe,CACjB,IAAI,EAAE,QAAQ,EACd,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,MAAM,EAAE,gBAAgB,GACzB,OAAO,CAAC,qBAAqB,CAAC;IA6B3B,uBAAuB,CAAC,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAclH,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAqDxF,sBAAsB,CAAC,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAsBvG;;;;;OAKG;IACY,4BAA4B,CAAC,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAyB/F;;;OAGG;IACY,2BAA2B,CAAC,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IA0B9F,OAAO,CAAC,eAAe;YAMT,gBAAgB;IAS9B,OAAO,CAAC,kBAAkB;IAc1B,OAAO,CAAC,cAAc;IAStB,OAAO,CAAC,kBAAkB;IAc1B,OAAO,CAAC,UAAU;CASrB"}

package/dist/custom/PermissionProviders/AccessControlRuleProvider.js ADDED Viewed

@@ -0,0 +1,253 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { Metadata, PermissionProviderBase, } from '@memberjunction/core';
+import { RegisterClass, UUIDsEqual } from '@memberjunction/global';
+/** Fields pulled for every `GetPermissionsGrantedByUser` / `GetPermissionsSharedWithUser` query. */
+const ACR_GRANT_FIELDS = [
+    'ID', 'EntityID', 'Entity', 'RecordID', 'GranteeType', 'GranteeID', 'GrantedByUserID',
+    'CanRead', 'CanCreate', 'CanUpdate', 'CanDelete', 'CanShare', 'ExpiresAt',
+];
+/**
+ * Wraps `MJ: Access Control Rules` behind the unified {@link PermissionProviderBase} contract.
+ *
+ * ACRs are record-scoped permissions on any entity, using a single polymorphic
+ * `(GranteeType, GranteeID)` column pair. They support the broadest grantee set
+ * (User, Role, Everyone, Public), the full CRUD+Share action set, and optional
+ * time-bound expiration via `ExpiresAt`.
+ *
+ * `resourceType` is the entity name the ACR targets (e.g., `"Accounts"`); the provider
+ * resolves it to the EntityID before querying. `resourceId` is the `RecordID` value
+ * (typically a UUID but stored as nvarchar(500) to accommodate composite keys).
+ */
+let AccessControlRuleProvider = class AccessControlRuleProvider extends PermissionProviderBase {
+    constructor() {
+        super(...arguments);
+        this.DomainName = 'Access Control Rules';
+        this.Description = 'Record-level permissions with User/Role/Everyone/Public grantees, full CRUD+Share, and optional expiration.';
+        this.SupportedGranteeTypes = ['User', 'Role', 'Everyone', 'Public'];
+        this.SupportedActions = ['Read', 'Create', 'Update', 'Delete', 'Share'];
+        this.SupportsDeny = false;
+        this.SupportsExpiration = true;
+    }
+    GetResourceTypes() {
+        return new Metadata().Entities.map((e) => e.Name).sort((a, b) => a.localeCompare(b));
+    }
+    async CheckPermission(user, resourceType, resourceId, action) {
+        if (!resourceId) {
+            return {
+                Allowed: false,
+                DomainName: this.DomainName,
+                Reason: 'ACRs require a specific record ID',
+            };
+        }
+        const entityId = this.resolveEntityId(resourceType);
+        if (!entityId) {
+            return {
+                Allowed: false,
+                DomainName: this.DomainName,
+                Reason: `Unknown entity '${resourceType}'`,
+            };
+        }
+        const rows = await this.fetchActiveRules(entityId, resourceId);
+        const actions = this.actionsForUser(user, rows);
+        const allowed = actions.includes(action);
+        return {
+            Allowed: allowed,
+            DomainName: this.DomainName,
+            Reason: allowed
+                ? `User has ${action} via an active ACR`
+                : `No active ACR grants ${action} on ${resourceType}/${resourceId}`,
+        };
+    }
+    async GetEffectivePermissions(user, resourceType, resourceId) {
+        const entityId = this.resolveEntityId(resourceType);
+        if (!entityId)
+            return [];
+        const rows = await this.fetchActiveRules(entityId, resourceId);
+        const actions = this.actionsForUser(user, rows);
+        if (actions.length === 0)
+            return [];
+        return [this.buildNormalizedPermission({
+                resourceType, resourceId,
+                granteeType: 'User', granteeId: user.ID, granteeName: user.Name, actions,
+            })];
+    }
+    async GetUserResources(user, resourceType) {
+        const userRoleIds = (user.UserRoles ?? []).map((ur) => `'${ur.RoleID}'`);
+        const granteeClauses = [
+            `(GranteeType='User' AND GranteeID='${user.ID}')`,
+            `(GranteeType IN ('Everyone','Public'))`,
+        ];
+        if (userRoleIds.length > 0) {
+            granteeClauses.push(`(GranteeType='Role' AND GranteeID IN (${userRoleIds.join(',')}))`);
+        }
+        const granteeFilter = granteeClauses.join(' OR ');
+        let filter = `(${granteeFilter}) AND (ExpiresAt IS NULL OR ExpiresAt > GETUTCDATE())`;
+        if (resourceType) {
+            const entityId = this.resolveEntityId(resourceType);
+            if (!entityId)
+                return [];
+            filter = `(${filter}) AND EntityID='${entityId}'`;
+        }
+        const rows = await this.fetchRows('MJ: Access Control Rules', filter, ACR_GRANT_FIELDS.filter((f) => f !== 'GrantedByUserID'), 'GetUserResources');
+        const buckets = new Map();
+        for (const row of rows) {
+            const key = `${row.EntityID}|${row.RecordID}`;
+            const bucket = buckets.get(key) ?? { actions: new Set(), sourceIds: [], entityName: row.Entity ?? null };
+            for (const a of this.rowActions(row))
+                bucket.actions.add(a);
+            bucket.sourceIds.push(row.ID);
+            if (!bucket.entityName && row.Entity)
+                bucket.entityName = row.Entity;
+            buckets.set(key, bucket);
+        }
+        const results = [];
+        for (const [key, bucket] of buckets) {
+            const [, recordId] = key.split('|');
+            if (bucket.actions.size === 0)
+                continue;
+            results.push(this.buildNormalizedPermission({
+                resourceType: bucket.entityName ?? 'Unknown',
+                resourceId: recordId,
+                granteeType: 'User', granteeId: user.ID, granteeName: user.Name,
+                actions: Array.from(bucket.actions),
+                sourceRecordId: bucket.sourceIds.length === 1 ? bucket.sourceIds[0] : undefined,
+            }));
+        }
+        return results;
+    }
+    async GetResourcePermissions(resourceType, resourceId) {
+        const entityId = this.resolveEntityId(resourceType);
+        if (!entityId)
+            return [];
+        const rows = await this.fetchActiveRules(entityId, resourceId);
+        const results = [];
+        for (const row of rows) {
+            const actions = this.rowActions(row);
+            if (actions.length === 0)
+                continue;
+            results.push(this.buildNormalizedPermission({
+                resourceType, resourceId,
+                granteeType: row.GranteeType,
+                granteeId: row.GranteeID,
+                granteeName: this.resolveGranteeName(row),
+                actions,
+                sourceRecordId: row.ID,
+                expiresAt: row.ExpiresAt ? new Date(row.ExpiresAt) : undefined,
+            }));
+        }
+        return results;
+    }
+    /**
+     * ACRs where this user is the User-type grantee AND someone else issued the grant.
+     * Excludes rules the user created for themselves. Role/Everyone/Public grants don't
+     * belong in the personal "Shared with me" view — they're always aggregated, and there's
+     * no single recipient they were shared *with*. Only unexpired rules are returned.
+     */
+    async GetPermissionsSharedWithUser(grantee) {
+        const rows = await this.fetchRows('MJ: Access Control Rules', `GranteeType='User' AND GranteeID='${grantee.ID}' ` +
+            `AND GrantedByUserID <> '${grantee.ID}' ` +
+            `AND (ExpiresAt IS NULL OR ExpiresAt > GETUTCDATE())`, ACR_GRANT_FIELDS, 'GetPermissionsSharedWithUser');
+        const results = [];
+        for (const row of rows) {
+            const actions = this.rowActions(row);
+            if (actions.length === 0)
+                continue;
+            results.push(this.buildNormalizedPermission({
+                resourceType: row.Entity ?? 'Unknown',
+                resourceId: row.RecordID,
+                granteeType: 'User', granteeId: grantee.ID, granteeName: grantee.Name, actions,
+                sourceRecordId: row.ID,
+                expiresAt: row.ExpiresAt ? new Date(row.ExpiresAt) : undefined,
+            }));
+        }
+        return results;
+    }
+    /**
+     * Every ACR where this user is the grantor. Only unexpired rules are returned — an
+     * expired ACR can't be acted on, so surfacing it in "Shared by me" would be noise.
+     */
+    async GetPermissionsGrantedByUser(grantor) {
+        const rows = await this.fetchRows('MJ: Access Control Rules', `GrantedByUserID='${grantor.ID}' AND (ExpiresAt IS NULL OR ExpiresAt > GETUTCDATE())`, ACR_GRANT_FIELDS, 'GetPermissionsGrantedByUser');
+        const results = [];
+        for (const row of rows) {
+            const actions = this.rowActions(row);
+            if (actions.length === 0)
+                continue;
+            results.push(this.buildNormalizedPermission({
+                resourceType: row.Entity ?? 'Unknown',
+                resourceId: row.RecordID,
+                granteeType: row.GranteeType,
+                granteeId: row.GranteeID,
+                granteeName: this.resolveGranteeName(row),
+                actions,
+                sourceRecordId: row.ID,
+                expiresAt: row.ExpiresAt ? new Date(row.ExpiresAt) : undefined,
+            }));
+        }
+        return results;
+    }
+    resolveEntityId(entityName) {
+        const md = new Metadata();
+        const entity = md.EntityByName(entityName);
+        return entity?.ID ?? null;
+    }
+    async fetchActiveRules(entityId, recordId) {
+        return this.fetchRows('MJ: Access Control Rules', `EntityID='${entityId}' AND RecordID='${recordId}' AND (ExpiresAt IS NULL OR ExpiresAt > GETUTCDATE())`, ACR_GRANT_FIELDS.filter((f) => f !== 'GrantedByUserID' && f !== 'Entity'), 'fetchActiveRules');
+    }
+    resolveGranteeName(row) {
+        switch (row.GranteeType) {
+            case 'Role':
+                if (!row.GranteeID)
+                    return undefined;
+                return new Metadata().Roles.find((r) => UUIDsEqual(r.ID, row.GranteeID))?.Name;
+            case 'Everyone':
+                return 'All authenticated users';
+            case 'Public':
+                return 'Unauthenticated public';
+            default:
+                return undefined;
+        }
+    }
+    actionsForUser(user, rows) {
+        const set = new Set();
+        for (const row of rows) {
+            if (!this.granteeMatchesUser(user, row))
+                continue;
+            for (const a of this.rowActions(row))
+                set.add(a);
+        }
+        return Array.from(set);
+    }
+    granteeMatchesUser(user, row) {
+        switch (row.GranteeType) {
+            case 'Everyone':
+            case 'Public':
+                return true;
+            case 'User':
+                return !!row.GranteeID && UUIDsEqual(row.GranteeID, user.ID);
+            case 'Role':
+                return !!row.GranteeID && (user.UserRoles ?? []).some((ur) => UUIDsEqual(ur.RoleID, row.GranteeID));
+            default:
+                return false;
+        }
+    }
+    rowActions(row) {
+        return this.boolsToActions({
+            Read: row.CanRead,
+            Create: row.CanCreate,
+            Update: row.CanUpdate,
+            Delete: row.CanDelete,
+            Share: row.CanShare,
+        });
+    }
+};
+AccessControlRuleProvider = __decorate([
+    RegisterClass(PermissionProviderBase, 'MJAccessControlRuleProvider')
+], AccessControlRuleProvider);
+export { AccessControlRuleProvider };
+//# sourceMappingURL=AccessControlRuleProvider.js.map