@nodii/grpc-interceptors 0.0.2 → 0.2.1

package/dist/compose.d.ts

@@ -0,0 +1,7 @@
+import type { UnaryInterceptor } from "./types";
+/**
+ * Fold `interceptors` outer→inner into a single factory. The first entry
+ * becomes the outermost wrapper, the last is closest to the handler.
+ */
+export declare function composeUnaryInterceptors(interceptors: readonly UnaryInterceptor[]): UnaryInterceptor;
+//# sourceMappingURL=compose.d.ts.map

package/dist/compose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.d.ts","sourceRoot":"","sources":["../src/compose.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAgB,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAE9D;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,YAAY,EAAE,SAAS,gBAAgB,EAAE,GACxC,gBAAgB,CASlB"}

package/dist/compose.js

@@ -0,0 +1,20 @@
+// composeUnaryInterceptors — local copy of the @nodii/grpc-auth helper,
+// kept in this package so it can be the source-of-truth for the locked
+// composition order. Bytewise identical to the grpc-auth helper per spec
+// § 5.1 — outer→inner fold.
+/**
+ * Fold `interceptors` outer→inner into a single factory. The first entry
+ * becomes the outermost wrapper, the last is closest to the handler.
+ */
+export function composeUnaryInterceptors(interceptors) {
+    return (methodName, handler) => {
+        let wrapped = handler;
+        for (let i = interceptors.length - 1; i >= 0; i--) {
+            const factory = interceptors[i];
+            if (factory)
+                wrapped = factory(methodName, wrapped);
+        }
+        return wrapped;
+    };
+}
+//# sourceMappingURL=compose.js.map

package/dist/compose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.js","sourceRoot":"","sources":["../src/compose.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,uEAAuE;AACvE,yEAAyE;AACzE,4BAA4B;AAI5B;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,YAAyC;IAEzC,OAAO,CAAC,UAAkB,EAAE,OAAqB,EAAgB,EAAE;QACjE,IAAI,OAAO,GAAG,OAAO,CAAC;QACtB,KAAK,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YAChC,IAAI,OAAO;gBAAE,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC;AACJ,CAAC"}

package/dist/configure.d.ts

@@ -0,0 +1,66 @@
+import type { AuditConfig, CancellationConfig, DbConnection, DeadlineConfig, EnrichAuthConfig, ErrorMapEntry, InterceptorLogger, LoggingConfig, UnaryInterceptor } from "./types";
+export interface ConfigureGrpcInterceptorsOptions {
+    /** Service short-name baked into the `<short>.audit_ctx` GUC. Required. */
+    serviceShortName: string;
+    /** Postgres connection abstraction — required for tenant/audit context. */
+    db?: DbConnection;
+    /**
+     * gRPC methods that REQUIRE `x-nodii-idempotency-key` per spec § 5.7
+     * (idempotencyGuard re-export). Empty set = guard is a no-op for every
+     * method (back-compat).
+     */
+    mutatorMethods?: ReadonlySet<string>;
+    /** gRPC methods that opt out of `SET app.tenant_id` (system context). */
+    systemContextMethods?: ReadonlySet<string>;
+    /** Methods that bypass the entire stack (e.g. health probes). */
+    skipForMethods?: ReadonlySet<string>;
+    /** Service-owned error catalog merged over `STANDARD_ERROR_CATALOG`. */
+    errorCatalog?: Record<string, ErrorMapEntry>;
+    logging?: LoggingConfig;
+    audit?: AuditConfig;
+    enrich?: EnrichAuthConfig;
+    deadline?: DeadlineConfig;
+    cancellation?: CancellationConfig;
+    /** Inject an alternate logger across all owned interceptors. */
+    logger?: InterceptorLogger;
+    /**
+     * Methods tagged `require_saga_context: true` per spec § 5.7 (sagaContext
+     * re-export from @nodii/saga). Missing = no methods enforced.
+     */
+    requireSagaContextMethods?: ReadonlySet<string>;
+    /** sagaContext enforcement mode — warn | reject. Default 'warn'. */
+    sagaContextEnforce?: "warn" | "reject";
+}
+export interface ConfiguredGrpcInterceptors {
+    /**
+     * Returns the composed UnaryInterceptor wired with the locked-order
+     * stack (spec § 5.4). Adopters wrap their service handlers with it:
+     *
+     *   const composed = configured.standardStack();
+     *   const wrapped = composed("/billing.X/CancelInvoice", handlerFn);
+     */
+    standardStack(): UnaryInterceptor;
+    /** Snapshot of the resolved config (useful for diagnostics + tests). */
+    readonly resolved: ResolvedGrpcInterceptorsConfig;
+}
+export interface ResolvedGrpcInterceptorsConfig {
+    readonly serviceShortName: string;
+    readonly db: DbConnection | null;
+    readonly mutatorMethods: ReadonlySet<string>;
+    readonly systemContextMethods: ReadonlySet<string>;
+    readonly skipForMethods: ReadonlySet<string>;
+    readonly errorCatalog: Record<string, ErrorMapEntry>;
+    readonly requireSagaContextMethods: ReadonlySet<string>;
+    readonly sagaContextEnforce: "warn" | "reject";
+}
+/**
+ * Bootstrap the gRPC interceptor stack. Idempotent (re-calls warn + are
+ * ignored). Returns a handle exposing `standardStack()` which adopters
+ * call once per RPC server set-up.
+ */
+export declare function configureGrpcInterceptors(options: ConfigureGrpcInterceptorsOptions): ConfiguredGrpcInterceptors;
+/** Diagnostics — returns null when configureGrpcInterceptors not yet called. */
+export declare function getConfiguredOrNull(): ConfiguredGrpcInterceptors | null;
+/** Test-only — drop the resolved registry so the next call re-bootstraps. */
+export declare function _resetConfigureForTests(): void;
+//# sourceMappingURL=configure.d.ts.map

package/dist/configure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"configure.d.ts","sourceRoot":"","sources":["../src/configure.ts"],"names":[],"mappings":"AA0CA,OAAO,KAAK,EACV,WAAW,EACX,kBAAkB,EAClB,YAAY,EACZ,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,aAAa,EAGb,gBAAgB,EACjB,MAAM,SAAS,CAAC;AAGjB,MAAM,WAAW,gCAAgC;IAC/C,2EAA2E;IAC3E,gBAAgB,EAAE,MAAM,CAAC;IACzB,2EAA2E;IAC3E,EAAE,CAAC,EAAE,YAAY,CAAC;IAClB;;;;OAIG;IACH,cAAc,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACrC,yEAAyE;IACzE,oBAAoB,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAC3C,iEAAiE;IACjE,cAAc,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACrC,wEAAwE;IACxE,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAC7C,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC,gEAAgE;IAChE,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B;;;OAGG;IACH,yBAAyB,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAChD,oEAAoE;IACpE,kBAAkB,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC;CACxC;AAED,MAAM,WAAW,0BAA0B;IACzC;;;;;;OAMG;IACH,aAAa,IAAI,gBAAgB,CAAC;IAClC,wEAAwE;IACxE,QAAQ,CAAC,QAAQ,EAAE,8BAA8B,CAAC;CACnD;AAED,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAClC,QAAQ,CAAC,EAAE,EAAE,YAAY,GAAG,IAAI,CAAC;IACjC,QAAQ,CAAC,cAAc,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAC7C,QAAQ,CAAC,oBAAoB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACnD,QAAQ,CAAC,cAAc,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAC7C,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACrD,QAAQ,CAAC,yBAAyB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACxD,QAAQ,CAAC,kBAAkB,EAAE,MAAM,GAAG,QAAQ,CAAC;CAChD;AAID;;;;GAIG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,gCAAgC,GACxC,0BAA0B,CAuF5B;AAED,gFAAgF;AAChF,wBAAgB,mBAAmB,IAAI,0BAA0B,GAAG,IAAI,CAEvE;AAED,6EAA6E;AAC7E,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C"}

package/dist/configure.js

@@ -0,0 +1,169 @@
+// configureGrpcInterceptors — spec § 5.2 + § 5.5.
+//
+// Boot helper that stores the resolved stack config in process-local
+// state and produces the composed standard server stack on demand.
+// Services call this once at process start (after `initSaga` +
+// `initIdempotency` + auth bootstrap have run); subsequent calls to
+// `createStandardServerStack()` reach into the registry for defaults.
+//
+// Surface:
+//   configureGrpcInterceptors({
+//     serviceShortName: "billing",
+//     db,
+//     redis,        // optional — used by idempotencyGuard slot
+//     errorCatalog?,
+//     logging?,
+//     audit?,
+//     enrich?,
+//     deadline?,
+//     cancellation?,
+//     mutatorMethods?,         // gRPC methods that REQUIRE the idempotency header
+//     systemContextMethods?,   // gRPC methods that opt out of tenant scoping
+//   });
+//
+// Returns the composed `UnaryInterceptor` factory wired with the full
+// locked stack (logging → audit → auth → enrich → saga → signal-binder →
+// idempotency-guard → tenant → audit-ctx → mfa → deadline → cancellation
+// → error-map → handler).
+import { idempotencyGuard } from "@nodii/idempotency";
+import { sagaContext } from "@nodii/saga";
+import { signalBinder } from "./interceptors/signal-binder";
+import { cancellationGuard, deadlineGuard, enrichAuthContext, errorMap, STANDARD_ERROR_CATALOG, tenantContext, withAuditUnary, withLoggingUnary, } from "./interceptors-exports";
+import { auditContext } from "./interceptors/audit-context";
+import { GrpcStatusError } from "./types";
+let resolved = null;
+/**
+ * Bootstrap the gRPC interceptor stack. Idempotent (re-calls warn + are
+ * ignored). Returns a handle exposing `standardStack()` which adopters
+ * call once per RPC server set-up.
+ */
+export function configureGrpcInterceptors(options) {
+    if (!options) {
+        throw new GrpcStatusError("INTERNAL", "interceptor_config_required");
+    }
+    if (!options.serviceShortName) {
+        throw new GrpcStatusError("INTERNAL", "service_short_name_required");
+    }
+    if (resolved) {
+        // eslint-disable-next-line no-console
+        console.warn("[@nodii/grpc-interceptors] configureGrpcInterceptors() called more than once; ignoring subsequent call.");
+        return resolved;
+    }
+    const resolvedConfig = {
+        serviceShortName: options.serviceShortName,
+        db: options.db ?? null,
+        mutatorMethods: options.mutatorMethods ?? new Set(),
+        systemContextMethods: options.systemContextMethods ?? new Set(),
+        skipForMethods: options.skipForMethods ?? new Set(),
+        errorCatalog: {
+            ...STANDARD_ERROR_CATALOG,
+            ...(options.errorCatalog ?? {}),
+        },
+        requireSagaContextMethods: options.requireSagaContextMethods ?? new Set(),
+        sagaContextEnforce: options.sagaContextEnforce ?? "warn",
+    };
+    const interceptors = [
+        withLoggingUnary({
+            ...(options.logging ?? {}),
+            logger: options.logger ?? options.logging?.logger,
+        }),
+        withAuditUnary(options.audit ?? {}),
+        // withAuthUnary slot: services supply their own configured wrapper
+        // via the re-exported `withAuthUnary` (it requires JWKS / token
+        // manager wiring that varies per service). This factory composes
+        // around a passthrough; services that need auth wrap THEIR handler
+        // with the auth re-export before passing to standardStack().
+        passthroughSlot(),
+        enrichAuthContext(options.enrich ?? {}),
+        // Real saga sagaContext re-export. Requires saga library to be
+        // initialized; if not initialized, sagaContext throws — that's
+        // intentional (the service should init saga before this boot helper).
+        sagaContextSlot(resolvedConfig.requireSagaContextMethods, resolvedConfig.sagaContextEnforce),
+        // Real signalBinder.
+        signalBinder(),
+        // Real idempotencyGuard re-export.
+        idempotencyGuardSlot(resolvedConfig.mutatorMethods),
+        ...(options.db
+            ? [
+                tenantContext({
+                    db: options.db,
+                    systemContextMethods: resolvedConfig.systemContextMethods,
+                }),
+                auditContext({
+                    db: options.db,
+                    serviceShortName: options.serviceShortName,
+                }),
+            ]
+            : []),
+        passthroughSlot(), // mfaRequiredInterceptor slot — service-wired
+        deadlineGuard(options.deadline ?? {}),
+        cancellationGuard(options.cancellation ?? {}),
+        errorMap(resolvedConfig.errorCatalog),
+    ];
+    resolved = {
+        standardStack() {
+            return (methodName, handler) => {
+                if (resolvedConfig.skipForMethods.has(methodName))
+                    return handler;
+                let wrapped = handler;
+                for (let i = interceptors.length - 1; i >= 0; i--) {
+                    const factory = interceptors[i];
+                    if (factory)
+                        wrapped = factory(methodName, wrapped);
+                }
+                return wrapped;
+            };
+        },
+        resolved: resolvedConfig,
+    };
+    return resolved;
+}
+/** Diagnostics — returns null when configureGrpcInterceptors not yet called. */
+export function getConfiguredOrNull() {
+    return resolved;
+}
+/** Test-only — drop the resolved registry so the next call re-bootstraps. */
+export function _resetConfigureForTests() {
+    resolved = null;
+}
+// ── Internal slot helpers ────────────────────────────────────────────────────
+function passthroughSlot() {
+    return (_method, handler) => async (call) => handler(call);
+}
+function sagaContextSlot(requireMethods, enforce) {
+    // sagaContext from @nodii/saga is a method-name-keyed enforcer; build it
+    // here so we can swap the requireSagaContextMethods set lazily.
+    const built = sagaContext({
+        requireSagaContextMethods: requireMethods,
+        enforce,
+    });
+    return (methodName, handler) => {
+        const inner = built(methodName, handler);
+        return async (call) => inner(call);
+    };
+}
+function idempotencyGuardSlot(mutatorMethods) {
+    // idempotencyGuard from @nodii/idempotency returns a handler-wrapper, not
+    // a method-keyed factory. We adapt it to the UnaryInterceptor contract by
+    // wrapping per call and supplying method extraction via the call.
+    const built = idempotencyGuard({
+        mutatorMethods: new Set(mutatorMethods),
+        getMethodName: (call) => {
+            const direct = call
+                .__methodName;
+            if (typeof direct === "string")
+                return direct;
+            return call.call?.handler?.path ?? "<unknown-method>";
+        },
+    });
+    return (methodName, handler) => {
+        return async (call) => {
+            // Stamp the method name onto the call so the guard's getMethodName
+            // can pick it up without a real @grpc/grpc-js call envelope.
+            call.__methodName = methodName;
+            const guarded = built(handler);
+            return guarded(call);
+        };
+    };
+}
+//# sourceMappingURL=configure.js.map

package/dist/configure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"configure.js","sourceRoot":"","sources":["../src/configure.ts"],"names":[],"mappings":"AAAA,kDAAkD;AAClD,EAAE;AACF,qEAAqE;AACrE,mEAAmE;AACnE,+DAA+D;AAC/D,oEAAoE;AACpE,sEAAsE;AACtE,EAAE;AACF,WAAW;AACX,gCAAgC;AAChC,mCAAmC;AACnC,UAAU;AACV,gEAAgE;AAChE,qBAAqB;AACrB,gBAAgB;AAChB,cAAc;AACd,eAAe;AACf,iBAAiB;AACjB,qBAAqB;AACrB,mFAAmF;AACnF,8EAA8E;AAC9E,QAAQ;AACR,EAAE;AACF,sEAAsE;AACtE,yEAAyE;AACzE,yEAAyE;AACzE,0BAA0B;AAE1B,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,QAAQ,EACR,sBAAsB,EACtB,aAAa,EACb,cAAc,EACd,gBAAgB,GACjB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAc5D,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AA2D1C,IAAI,QAAQ,GAAsC,IAAI,CAAC;AAEvD;;;;GAIG;AACH,MAAM,UAAU,yBAAyB,CACvC,OAAyC;IAEzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,eAAe,CAAC,UAAU,EAAE,6BAA6B,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC9B,MAAM,IAAI,eAAe,CAAC,UAAU,EAAE,6BAA6B,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,QAAQ,EAAE,CAAC;QACb,sCAAsC;QACtC,OAAO,CAAC,IAAI,CACV,yGAAyG,CAC1G,CAAC;QACF,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,cAAc,GAAmC;QACrD,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;QAC1C,EAAE,EAAE,OAAO,CAAC,EAAE,IAAI,IAAI;QACtB,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,IAAI,GAAG,EAAE;QACnD,oBAAoB,EAAE,OAAO,CAAC,oBAAoB,IAAI,IAAI,GAAG,EAAE;QAC/D,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,IAAI,GAAG,EAAE;QACnD,YAAY,EAAE;YACZ,GAAG,sBAAsB;YACzB,GAAG,CAAC,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;SAChC;QACD,yBAAyB,EAAE,OAAO,CAAC,yBAAyB,IAAI,IAAI,GAAG,EAAE;QACzE,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,IAAI,MAAM;KACzD,CAAC;IAEF,MAAM,YAAY,GAAuB;QACvC,gBAAgB,CAAC;YACf,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;YAC1B,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,OAAO,EAAE,MAAM;SAClD,CAAC;QACF,cAAc,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;QACnC,mEAAmE;QACnE,gEAAgE;QAChE,iEAAiE;QACjE,mEAAmE;QACnE,6DAA6D;QAC7D,eAAe,EAAE;QACjB,iBAAiB,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;QACvC,+DAA+D;QAC/D,+DAA+D;QAC/D,sEAAsE;QACtE,eAAe,CACb,cAAc,CAAC,yBAAyB,EACxC,cAAc,CAAC,kBAAkB,CAClC;QACD,qBAAqB;QACrB,YAAY,EAAE;QACd,mCAAmC;QACnC,oBAAoB,CAAC,cAAc,CAAC,cAAc,CAAC;QACnD,GAAG,CAAC,OAAO,CAAC,EAAE;YACZ,CAAC,CAAC;gBACE,aAAa,CAAC;oBACZ,EAAE,EAAE,OAAO,CAAC,EAAE;oBACd,oBAAoB,EAAE,cAAc,CAAC,oBAAoB;iBAC1D,CAAC;gBACF,YAAY,CAAC;oBACX,EAAE,EAAE,OAAO,CAAC,EAAE;oBACd,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;iBAC3C,CAAC;aACH;YACH,CAAC,CAAC,EAAE,CAAC;QACP,eAAe,EAAE,EAAE,8CAA8C;QACjE,aAAa,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,iBAAiB,CAAC,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;QAC7C,QAAQ,CAAC,cAAc,CAAC,YAAY,CAAC;KACtC,CAAC;IAEF,QAAQ,GAAG;QACT,aAAa;YACX,OAAO,CAAC,UAAkB,EAAE,OAAqB,EAAgB,EAAE;gBACjE,IAAI,cAAc,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC;oBAAE,OAAO,OAAO,CAAC;gBAClE,IAAI,OAAO,GAAG,OAAO,CAAC;gBACtB,KAAK,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;oBAClD,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;oBAChC,IAAI,OAAO;wBAAE,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;gBACtD,CAAC;gBACD,OAAO,OAAO,CAAC;YACjB,CAAC,CAAC;QACJ,CAAC;QACD,QAAQ,EAAE,cAAc;KACzB,CAAC;IACF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,mBAAmB;IACjC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,uBAAuB;IACrC,QAAQ,GAAG,IAAI,CAAC;AAClB,CAAC;AAED,gFAAgF;AAEhF,SAAS,eAAe;IACtB,OAAO,CAAC,OAAe,EAAE,OAAqB,EAAE,EAAE,CAAC,KAAK,EAAE,IAAe,EAAE,EAAE,CAC3E,OAAO,CAAC,IAAI,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,eAAe,CACtB,cAAmC,EACnC,OAA0B;IAE1B,yEAAyE;IACzE,gEAAgE;IAChE,MAAM,KAAK,GAAG,WAAW,CAAC;QACxB,yBAAyB,EAAE,cAAc;QACzC,OAAO;KACR,CAAC,CAAC;IACH,OAAO,CAAC,UAAkB,EAAE,OAAqB,EAAE,EAAE;QACnD,MAAM,KAAK,GAAG,KAAK,CACjB,UAAU,EACV,OAAgB,CACU,CAAC;QAC7B,OAAO,KAAK,EAAE,IAAe,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAChD,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,cAAmC;IAEnC,0EAA0E;IAC1E,0EAA0E;IAC1E,kEAAkE;IAClE,MAAM,KAAK,GAAG,gBAAgB,CAAC;QAC7B,cAAc,EAAE,IAAI,GAAG,CAAC,cAAc,CAAC;QACvC,aAAa,EAAE,CAAC,IAAI,EAAE,EAAE;YACtB,MAAM,MAAM,GAAI,IAA6C;iBAC1D,YAAY,CAAC;YAChB,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,OAAO,MAAM,CAAC;YAC9C,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,IAAI,kBAAkB,CAAC;QACxD,CAAC;KACF,CAAC,CAAC;IACH,OAAO,CAAC,UAAkB,EAAE,OAAqB,EAAE,EAAE;QACnD,OAAO,KAAK,EAAE,IAAe,EAAE,EAAE;YAC/B,mEAAmE;YACnE,6DAA6D;YAC5D,IAA6C,CAAC,YAAY,GAAG,UAAU,CAAC;YACzE,MAAM,OAAO,GAAG,KAAK,CAAC,OAAgB,CAAC,CAAC;YACxC,OAAO,OAAO,CAAC,IAAa,CAAC,CAAC;QAChC,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}

package/dist/factory.d.ts

@@ -0,0 +1,7 @@
+import type { StandardServerStackConfig, UnaryInterceptor } from "./types";
+/**
+ * Build the standard composed stack with the locked outer→inner order
+ * per spec § 5.4. Accepts a single config; rejects custom-order args.
+ */
+export declare function createStandardServerStack(config: StandardServerStackConfig): UnaryInterceptor;
+//# sourceMappingURL=factory.d.ts.map

package/dist/factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../src/factory.ts"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EACV,yBAAyB,EAGzB,gBAAgB,EACjB,MAAM,SAAS,CAAC;AAUjB;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,yBAAyB,GAChC,gBAAgB,CAmFlB"}

package/dist/factory.js

@@ -0,0 +1,100 @@
+// createStandardServerStack — spec § 5.3 + § 5.4.
+//
+// Produces the locked 13-interceptor outer→inner composition. v0.1.1: the
+// saga/idempotency slots are REAL re-exports from @nodii/saga and
+// @nodii/idempotency (sibling libs on main). The withAuthUnary + mfa
+// slots remain passthrough at this layer because they require
+// service-specific JWKS / token-manager wiring; services wrap their
+// handler with `withAuthUnary` from `@nodii/grpc-auth` (re-exported from
+// this lib) before passing it to the composed factory.
+import { idempotencyGuard } from "@nodii/idempotency";
+import { sagaContext } from "@nodii/saga";
+import { signalBinder } from "./interceptors/signal-binder";
+import { cancellationGuard, deadlineGuard, enrichAuthContext, errorMap, STANDARD_ERROR_CATALOG, tenantContext, withAuditUnary, withLoggingUnary, auditContext, } from "./interceptors-exports";
+import { GrpcStatusError } from "./types";
+/** Pure passthrough — used for slots services wire themselves. */
+function passthrough() {
+    return (_methodName, handler) => async (call) => handler(call);
+}
+/**
+ * Build the standard composed stack with the locked outer→inner order
+ * per spec § 5.4. Accepts a single config; rejects custom-order args.
+ */
+export function createStandardServerStack(config) {
+    if (!config) {
+        throw new GrpcStatusError("INTERNAL", "interceptor_config_required");
+    }
+    if ("interceptors" in config ||
+        "order" in config) {
+        // Spec § 5.4 — custom-order args rejected at v0.1.0.
+        throw new GrpcStatusError("INTERNAL", "composition_order_locked");
+    }
+    const skipFor = config.skipForMethods ?? new Set();
+    const mutatorMethods = config.mutatorMethods ?? new Set();
+    const requireSagaCtxMethods = config.requireSagaContextMethods ?? new Set();
+    const sagaEnforce = config.sagaContextEnforce ?? "warn";
+    const builtSagaContext = sagaContext({
+        requireSagaContextMethods: requireSagaCtxMethods,
+        enforce: sagaEnforce,
+    });
+    const builtIdemGuard = idempotencyGuard({
+        mutatorMethods: new Set(mutatorMethods),
+        getMethodName: (call) => {
+            const direct = call
+                .__methodName;
+            if (typeof direct === "string")
+                return direct;
+            return call.call?.handler?.path ?? "<unknown-method>";
+        },
+    });
+    const stack = [
+        withLoggingUnary({ ...(config.logging ?? {}), logger: config.logger }),
+        withAuditUnary(config.audit ?? {}),
+        passthrough(), // withAuthUnary slot — service-wired
+        enrichAuthContext(config.enrich ?? {}),
+        (methodName, handler) => {
+            const inner = builtSagaContext(methodName, handler);
+            return async (call) => inner(call);
+        },
+        signalBinder(),
+        (methodName, handler) => {
+            return async (call) => {
+                call.__methodName =
+                    methodName;
+                const guarded = builtIdemGuard(handler);
+                return guarded(call);
+            };
+        },
+        ...(config.db
+            ? [
+                tenantContext({
+                    db: config.db,
+                    systemContextMethods: config.tenant?.systemContextMethods,
+                }),
+                auditContext({
+                    db: config.db,
+                    serviceShortName: config.serviceShortName,
+                }),
+            ]
+            : []),
+        passthrough(), // mfaRequiredInterceptor slot — service-wired
+        deadlineGuard(config.deadline ?? {}),
+        cancellationGuard(config.cancellation ?? {}),
+        errorMap({
+            ...STANDARD_ERROR_CATALOG,
+            ...(config.errorCatalog ?? {}),
+        }),
+    ];
+    return (methodName, handler) => {
+        if (skipFor.has(methodName))
+            return handler;
+        let wrapped = handler;
+        for (let i = stack.length - 1; i >= 0; i--) {
+            const factory = stack[i];
+            if (factory)
+                wrapped = factory(methodName, wrapped);
+        }
+        return wrapped;
+    };
+}
+//# sourceMappingURL=factory.js.map

package/dist/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../src/factory.ts"],"names":[],"mappings":"AAAA,kDAAkD;AAClD,EAAE;AACF,0EAA0E;AAC1E,kEAAkE;AAClE,qEAAqE;AACrE,8DAA8D;AAC9D,oEAAoE;AACpE,yEAAyE;AACzE,uDAAuD;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,QAAQ,EACR,sBAAsB,EACtB,aAAa,EACb,cAAc,EACd,gBAAgB,EAChB,YAAY,GACb,MAAM,wBAAwB,CAAC;AAOhC,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAE1C,kEAAkE;AAClE,SAAS,WAAW;IAClB,OAAO,CAAC,WAAmB,EAAE,OAAqB,EAAgB,EAAE,CAClE,KAAK,EAAE,IAAI,EAAE,EAAE,CACb,OAAO,CAAC,IAAI,CAAC,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CACvC,MAAiC;IAEjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,eAAe,CAAC,UAAU,EAAE,6BAA6B,CAAC,CAAC;IACvE,CAAC;IACD,IACE,cAAc,IAAK,MAA6C;QAChE,OAAO,IAAK,MAA6C,EACzD,CAAC;QACD,qDAAqD;QACrD,MAAM,IAAI,eAAe,CAAC,UAAU,EAAE,0BAA0B,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,cAAc,IAAI,IAAI,GAAG,EAAU,CAAC;IAC3D,MAAM,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,IAAI,GAAG,EAAU,CAAC;IAClE,MAAM,qBAAqB,GACzB,MAAM,CAAC,yBAAyB,IAAI,IAAI,GAAG,EAAU,CAAC;IACxD,MAAM,WAAW,GAAG,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC;IAExD,MAAM,gBAAgB,GAAG,WAAW,CAAC;QACnC,yBAAyB,EAAE,qBAAqB;QAChD,OAAO,EAAE,WAAW;KACrB,CAAC,CAAC;IACH,MAAM,cAAc,GAAG,gBAAgB,CAAC;QACtC,cAAc,EAAE,IAAI,GAAG,CAAC,cAAc,CAAC;QACvC,aAAa,EAAE,CAAC,IAAI,EAAE,EAAE;YACtB,MAAM,MAAM,GAAI,IAA6C;iBAC1D,YAAY,CAAC;YAChB,IAAI,OAAO,MAAM,KAAK,QAAQ;gBAAE,OAAO,MAAM,CAAC;YAC9C,OAAO,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,IAAI,kBAAkB,CAAC;QACxD,CAAC;KACF,CAAC,CAAC;IAEH,MAAM,KAAK,GAAuB;QAChC,gBAAgB,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;QACtE,cAAc,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAClC,WAAW,EAAE,EAAE,qCAAqC;QACpD,iBAAiB,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;QACtC,CAAC,UAAkB,EAAE,OAAqB,EAAE,EAAE;YAC5C,MAAM,KAAK,GAAG,gBAAgB,CAC5B,UAAU,EACV,OAAgB,CACU,CAAC;YAC7B,OAAO,KAAK,EAAE,IAAe,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChD,CAAC;QACD,YAAY,EAAE;QACd,CAAC,UAAkB,EAAE,OAAqB,EAAE,EAAE;YAC5C,OAAO,KAAK,EAAE,IAAe,EAAE,EAAE;gBAC9B,IAA6C,CAAC,YAAY;oBACzD,UAAU,CAAC;gBACb,MAAM,OAAO,GAAG,cAAc,CAAC,OAAgB,CAAC,CAAC;gBACjD,OAAO,OAAO,CAAC,IAAa,CAAC,CAAC;YAChC,CAAC,CAAC;QACJ,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,EAAE;YACX,CAAC,CAAC;gBACE,aAAa,CAAC;oBACZ,EAAE,EAAE,MAAM,CAAC,EAAE;oBACb,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,oBAAoB;iBAC1D,CAAC;gBACF,YAAY,CAAC;oBACX,EAAE,EAAE,MAAM,CAAC,EAAE;oBACb,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;iBAC1C,CAAC;aACH;YACH,CAAC,CAAC,EAAE,CAAC;QACP,WAAW,EAAE,EAAE,8CAA8C;QAC7D,aAAa,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;QACpC,iBAAiB,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC;QAC5C,QAAQ,CAAC;YACP,GAAG,sBAAsB;YACzB,GAAG,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC;SAC/B,CAAC;KACH,CAAC;IAEF,OAAO,CAAC,UAAkB,EAAE,OAAqB,EAAgB,EAAE;QACjE,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,OAAO,OAAO,CAAC;QAC5C,IAAI,OAAO,GAAG,OAAO,CAAC;QACtB,KAAK,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3C,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACzB,IAAI,OAAO;gBAAE,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACtD,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -1,3 +1,20 @@
 export declare const LIB_NAME = "grpc-interceptors";
-export declare const VERSION = "0.0.1";
+export declare const VERSION = "0.1.1";
+export { withLoggingUnary } from "./interceptors/logging";
+export { withAuditUnary } from "./interceptors/audit";
+export { enrichAuthContext } from "./interceptors/enrich-auth";
+export { tenantContext } from "./interceptors/tenant-context";
+export { auditContext } from "./interceptors/audit-context";
+export { deadlineGuard } from "./interceptors/deadline-guard";
+export { cancellationGuard } from "./interceptors/cancellation-guard";
+export { errorMap, STANDARD_ERROR_CATALOG, } from "./interceptors/error-map";
+export { createStandardServerStack } from "./factory";
+export { composeUnaryInterceptors } from "./compose";
+export { configureGrpcInterceptors, getConfiguredOrNull, _resetConfigureForTests, } from "./configure";
+export type { ConfigureGrpcInterceptorsOptions, ConfiguredGrpcInterceptors, ResolvedGrpcInterceptorsConfig, } from "./configure";
+export { _resetTelemetryShimForTests, _setTelemetryShimForTests, } from "./telemetry-shim";
+export * from "./reexports";
+export type { SagaHeaderInjector } from "./interceptors/saga-headers";
+export type { AuditConfig, AuditContextConfig, AuditEmitter, AuthOnCall, CancellationConfig, DbConnection, DeadlineConfig, EnrichAuthConfig, ErrorMapEntry, GrpcStatusCode, InterceptorLogger, LoggingConfig, StandardServerStackConfig, TelemetryShim, TenantContextConfig, UnaryCall, UnaryHandler, UnaryInterceptor, } from "./types";
+export { GrpcStatusError, NotImplementedError, RpcCancelledError, } from "./types";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,QAAQ,sBAAsB,CAAC;AAC5C,eAAO,MAAM,OAAO,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAUA,eAAO,MAAM,QAAQ,sBAAsB,CAAC;AAC5C,eAAO,MAAM,OAAO,UAAU,CAAC;AAG/B,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EACL,QAAQ,EACR,sBAAsB,GACvB,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,yBAAyB,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,wBAAwB,EAAE,MAAM,WAAW,CAAC;AAGrD,OAAO,EACL,yBAAyB,EACzB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,gCAAgC,EAChC,0BAA0B,EAC1B,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,GAC1B,MAAM,kBAAkB,CAAC;AAI1B,cAAc,aAAa,CAAC;AAC5B,YAAY,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AAGtE,YAAY,EACV,WAAW,EACX,kBAAkB,EAClB,YAAY,EACZ,UAAU,EACV,kBAAkB,EAClB,YAAY,EACZ,cAAc,EACd,gBAAgB,EAChB,aAAa,EACb,cAAc,EACd,iBAAiB,EACjB,aAAa,EACb,yBAAyB,EACzB,aAAa,EACb,mBAAmB,EACnB,SAAS,EACT,YAAY,EACZ,gBAAgB,GACjB,MAAM,SAAS,CAAC;AACjB,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -1,7 +1,32 @@
-// @nodii/grpc-interceptors — placeholder at v0.0.1.
-// Implementation lands at v0.1.0 per the locked feature_doc.
+// @nodii/grpc-interceptors — v0.1.1 public barrel.
 //
-// Spec: https://planning.dev.nucleus-cloud.in/api/v1/feature-docs?serviceId=nodii-libs&docKey=grpc-interceptors
+// Spec: planning hub feature_doc serviceId=nodii-libs docKey=grpc-interceptors.
+//
+// Single-import surface: 8 owned cross-cutting interceptors + real
+// re-exports of every gRPC interceptor + `composeUnaryInterceptors`
+// helper from the peer libraries (`@nodii/grpc-auth`, `@nodii/saga`,
+// `@nodii/idempotency`) + `configureGrpcInterceptors` boot helper +
+// `createStandardServerStack` factory locked-order composer.
 export const LIB_NAME = "grpc-interceptors";
-export const VERSION = "0.0.1";
+export const VERSION = "0.1.1";
+// Owned interceptors.
+export { withLoggingUnary } from "./interceptors/logging";
+export { withAuditUnary } from "./interceptors/audit";
+export { enrichAuthContext } from "./interceptors/enrich-auth";
+export { tenantContext } from "./interceptors/tenant-context";
+export { auditContext } from "./interceptors/audit-context";
+export { deadlineGuard } from "./interceptors/deadline-guard";
+export { cancellationGuard } from "./interceptors/cancellation-guard";
+export { errorMap, STANDARD_ERROR_CATALOG, } from "./interceptors/error-map";
+// Composed-stack factory + composer.
+export { createStandardServerStack } from "./factory";
+export { composeUnaryInterceptors } from "./compose";
+// Boot helper (spec § 5.2 + § 5.5).
+export { configureGrpcInterceptors, getConfiguredOrNull, _resetConfigureForTests, } from "./configure";
+// Test doubles + helpers.
+export { _resetTelemetryShimForTests, _setTelemetryShimForTests, } from "./telemetry-shim";
+// Re-export façade (real grpc-auth + real saga + real idempotency + owned
+// signalBinder + withSagaHeaders).
+export * from "./reexports";
+export { GrpcStatusError, NotImplementedError, RpcCancelledError, } from "./types";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,oDAAoD;AACpD,6DAA6D;AAC7D,EAAE;AACF,gHAAgH;AAEhH,MAAM,CAAC,MAAM,QAAQ,GAAG,mBAAmB,CAAC;AAC5C,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,mDAAmD;AACnD,EAAE;AACF,gFAAgF;AAChF,EAAE;AACF,mEAAmE;AACnE,oEAAoE;AACpE,qEAAqE;AACrE,oEAAoE;AACpE,6DAA6D;AAE7D,MAAM,CAAC,MAAM,QAAQ,GAAG,mBAAmB,CAAC;AAC5C,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,sBAAsB;AACtB,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,8BAA8B,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,+BAA+B,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EACL,QAAQ,EACR,sBAAsB,GACvB,MAAM,0BAA0B,CAAC;AAElC,qCAAqC;AACrC,OAAO,EAAE,yBAAyB,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,wBAAwB,EAAE,MAAM,WAAW,CAAC;AAErD,oCAAoC;AACpC,OAAO,EACL,yBAAyB,EACzB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AAOrB,0BAA0B;AAC1B,OAAO,EACL,2BAA2B,EAC3B,yBAAyB,GAC1B,MAAM,kBAAkB,CAAC;AAE1B,0EAA0E;AAC1E,mCAAmC;AACnC,cAAc,aAAa,CAAC;AAwB5B,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,SAAS,CAAC"}

package/dist/interceptors/audit-context.d.ts

@@ -0,0 +1,3 @@
+import type { AuditContextConfig, UnaryInterceptor } from "../types";
+export declare function auditContext(config: AuditContextConfig): UnaryInterceptor;
+//# sourceMappingURL=audit-context.d.ts.map

package/dist/interceptors/audit-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-context.d.ts","sourceRoot":"","sources":["../../src/interceptors/audit-context.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EACV,kBAAkB,EAGlB,gBAAgB,EACjB,MAAM,UAAU,CAAC;AAGlB,wBAAgB,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,gBAAgB,CA6BzE"}

package/dist/interceptors/audit-context.js

@@ -0,0 +1,59 @@
+// auditContext — spec § 5.9.
+//
+// `SELECT set_config('<service>.audit_ctx', $1, true)` on the same ALS-bound
+// connection used by `tenantContext`. Read by service-side audit triggers
+// via `current_setting('<service>.audit_ctx', true)::jsonb`. Best-effort:
+// `set_config` failures log + the call proceeds (audit-as-best-effort).
+import { resolveTelemetry } from "../telemetry-shim";
+import { GrpcStatusError } from "../types";
+export function auditContext(config) {
+    if (!config.db) {
+        throw new GrpcStatusError("INTERNAL", "audit_context_db_unconfigured");
+    }
+    if (!config.serviceShortName) {
+        throw new GrpcStatusError("INTERNAL", "audit_context_service_short_name_required");
+    }
+    const gucName = `${config.serviceShortName}.audit_ctx`;
+    return (_methodName, handler) => {
+        return async (call) => {
+            const payload = buildPayload(call);
+            try {
+                await config.db.exec("SELECT set_config($1, $2, true)", [
+                    gucName,
+                    JSON.stringify(payload),
+                ]);
+            }
+            catch (err) {
+                resolveTelemetry().logger.error("audit_context.set_config_failed", {
+                    error: err instanceof Error ? err.message : String(err),
+                    guc: gucName,
+                });
+            }
+            return handler(call);
+        };
+    };
+}
+function buildPayload(call) {
+    const service = call.auth?.serviceActor;
+    const user = call.auth?.userActor;
+    const reqCtx = call.auth?.requestContext;
+    return {
+        service_actor: service
+            ? {
+                service_id: service.service_id ?? service.serviceId,
+                service_name: service.service_name ?? service.serviceName,
+            }
+            : null,
+        user_actor: user
+            ? {
+                user_id: user.user_id,
+                tenant_id: user.tenant_id,
+                user_role: user.user_role,
+            }
+            : null,
+        correlation_id: reqCtx?.correlationId ?? null,
+        tenant_id: reqCtx?.tenant_id ?? null,
+        intent_id: reqCtx?.intent_id ?? null,
+    };
+}
+//# sourceMappingURL=audit-context.js.map

package/dist/interceptors/audit-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-context.js","sourceRoot":"","sources":["../../src/interceptors/audit-context.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAC7B,EAAE;AACF,6EAA6E;AAC7E,0EAA0E;AAC1E,0EAA0E;AAC1E,wEAAwE;AAExE,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAOrD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE3C,MAAM,UAAU,YAAY,CAAC,MAA0B;IACrD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,MAAM,IAAI,eAAe,CAAC,UAAU,EAAE,+BAA+B,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC7B,MAAM,IAAI,eAAe,CACvB,UAAU,EACV,2CAA2C,CAC5C,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,MAAM,CAAC,gBAAgB,YAAY,CAAC;IAEvD,OAAO,CAAC,WAAmB,EAAE,OAAqB,EAAgB,EAAE;QAClE,OAAO,KAAK,EAAE,IAAe,EAAoB,EAAE;YACjD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,iCAAiC,EAAE;oBACtD,OAAO;oBACP,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;iBACxB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,gBAAgB,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;oBACjE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;oBACvD,GAAG,EAAE,OAAO;iBACb,CAAC,CAAC;YACL,CAAC;YACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,IAAe;IACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC;IAClC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC;IACzC,OAAO;QACL,aAAa,EAAE,OAAO;YACpB,CAAC,CAAC;gBACE,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,SAAS;gBACnD,YAAY,EAAE,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,WAAW;aAC1D;YACH,CAAC,CAAC,IAAI;QACR,UAAU,EAAE,IAAI;YACd,CAAC,CAAC;gBACE,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B;YACH,CAAC,CAAC,IAAI;QACR,cAAc,EAAE,MAAM,EAAE,aAAa,IAAI,IAAI;QAC7C,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,IAAI;QACpC,SAAS,EAAE,MAAM,EAAE,SAAS,IAAI,IAAI;KACrC,CAAC;AACJ,CAAC"}

package/dist/interceptors/audit.d.ts

@@ -0,0 +1,7 @@
+import type { AuditConfig, UnaryInterceptor } from "../types";
+/**
+ * Build the audit interceptor. Sits between logging and auth in the
+ * locked composition.
+ */
+export declare function withAuditUnary(config?: AuditConfig): UnaryInterceptor;
+//# sourceMappingURL=audit.d.ts.map

package/dist/interceptors/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/interceptors/audit.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EACV,WAAW,EAIX,gBAAgB,EACjB,MAAM,UAAU,CAAC;AA+BlB;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,GAAE,WAAgB,GAAG,gBAAgB,CAoDzE"}