@nwire/rbac 0.7.0

package/dist/filters.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Query filter helpers — the synthesis's "getFilterFor to prevent N+1".
+ *
+ * When listing resources ("show me all posts I can read"), checking
+ * permission per row is the classic N+1. CASL solves this with
+ * `rulesToQuery(ability, action, subjectType, ...)` from `@casl/ability/extra`,
+ * which compiles the ability's matching rules into a single disjunctive
+ * MongoDB-style query.
+ *
+ *   import { conditionsFor } from "@nwire/rbac";
+ *
+ *   const q = conditionsFor(ability, "read", "Post");
+ *   //  null               → no rules → user can read NOTHING (return [])
+ *   //  { $or: [{}] }      → an unrestricted rule exists → user can read ALL
+ *   //  { $or: [{ authorId: user.id }, { teamId: ... }] } → disjunctive
+ *
+ *   // For Drizzle, translate via @casl/drizzle (community) or roll your own.
+ *
+ * The raw query lives in the canonical shape from CASL so the ecosystem
+ * bridges (`@casl/mongoose`, `@casl/prisma`, `@casl/drizzle`) drop right
+ * in. We expose it; users pick their bridge.
+ */
+import type { Ability } from "./rbac";
+/**
+ * The MongoDB-style disjunctive query the ability allows for the given
+ * (action, subjectType). Three return shapes:
+ *   - `null`                — no allowing rules; user can access nothing
+ *   - `{ $or: [{}] }`       — an unrestricted rule; user can access all
+ *   - `{ $or: [{...}, ...]}` — conditional; OR over each allowed shape
+ */
+export declare function conditionsFor(ability: Ability, action: string, subjectType: string): {
+    $or?: object[];
+    $and?: object[];
+} | null;
+/**
+ * Convenience: a Drizzle-friendly variant that returns a function
+ * producing a where-clause expression, given the ORM-specific column
+ * references. Keeps the bridge logic explicit and tested.
+ */
+export interface DrizzleFilterBuilder {
+    /** Return `null` when no filter needed; falsy expr when denied; otherwise the where clause. */
+    build<TColumns>(columns: TColumns): unknown;
+}
+//# sourceMappingURL=filters.d.ts.map

package/dist/filters.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"filters.d.ts","sourceRoot":"","sources":["../src/filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AAEtC;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,GAClB;IAAE,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAAG,IAAI,CAE5C;AAED;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,+FAA+F;IAC/F,KAAK,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC;CAC7C"}

package/dist/filters.js

@@ -0,0 +1,34 @@
+/**
+ * Query filter helpers — the synthesis's "getFilterFor to prevent N+1".
+ *
+ * When listing resources ("show me all posts I can read"), checking
+ * permission per row is the classic N+1. CASL solves this with
+ * `rulesToQuery(ability, action, subjectType, ...)` from `@casl/ability/extra`,
+ * which compiles the ability's matching rules into a single disjunctive
+ * MongoDB-style query.
+ *
+ *   import { conditionsFor } from "@nwire/rbac";
+ *
+ *   const q = conditionsFor(ability, "read", "Post");
+ *   //  null               → no rules → user can read NOTHING (return [])
+ *   //  { $or: [{}] }      → an unrestricted rule exists → user can read ALL
+ *   //  { $or: [{ authorId: user.id }, { teamId: ... }] } → disjunctive
+ *
+ *   // For Drizzle, translate via @casl/drizzle (community) or roll your own.
+ *
+ * The raw query lives in the canonical shape from CASL so the ecosystem
+ * bridges (`@casl/mongoose`, `@casl/prisma`, `@casl/drizzle`) drop right
+ * in. We expose it; users pick their bridge.
+ */
+import { rulesToQuery } from "@casl/ability/extra";
+/**
+ * The MongoDB-style disjunctive query the ability allows for the given
+ * (action, subjectType). Three return shapes:
+ *   - `null`                — no allowing rules; user can access nothing
+ *   - `{ $or: [{}] }`       — an unrestricted rule; user can access all
+ *   - `{ $or: [{...}, ...]}` — conditional; OR over each allowed shape
+ */
+export function conditionsFor(ability, action, subjectType) {
+    return rulesToQuery(ability, action, subjectType, (rule) => rule.conditions ?? {});
+}
+//# sourceMappingURL=filters.js.map

package/dist/filters.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"filters.js","sourceRoot":"","sources":["../src/filters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGnD;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC3B,OAAgB,EAChB,MAAc,EACd,WAAmB;IAEnB,OAAO,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;AACrF,CAAC"}

package/dist/rbac.d.ts

@@ -0,0 +1,116 @@
+/**
+ * `@nwire/rbac` — declarative permissions powered by CASL.
+ *
+ *   import { defineAbility, rbacPlugin, can } from "@nwire/rbac";
+ *
+ *   // 1. Declare what each role can do
+ *   export const buildAbility = defineAbility((user, { allow, deny }) => {
+ *     if (!user) return;
+ *     if (user.roles?.includes("admin")) { allow("manage", "all"); return; }
+ *     allow("read", "Post");
+ *     allow("create", "Post");
+ *     allow("update", "Post", { authorId: user.id });
+ *     allow("delete", "Post", { authorId: user.id });
+ *   });
+ *
+ *   // 2. Plug it in
+ *   defineApp("my-app", {
+ *     plugins: [identityPlugin({ adapter }), rbacPlugin({ buildAbility })],
+ *   });
+ *
+ *   // 3a. Declarative — gate an HTTP route binding
+ *   httpInterface()
+ *     .wire(post("/posts/:id", { policy: ["update", "Post"] }), async ({ input }) => { ... })
+ *     .run();
+ *
+ *   // 3b. Programmatic — gate inside a handler
+ *   defineAction({
+ *     name: "posts.delete",
+ *     handler: async (input, ctx) => {
+ *       const post = await db.query.posts.findFirst({ where: eq(posts.id, input.id) });
+ *       if (!post) throw NotFound;
+ *       const ability = ctx.ability();
+ *       if (ability.cannot("delete", subject("Post", post))) throw Forbidden;
+ *       ...
+ *     }
+ *   });
+ *
+ * Why CASL: 8-yr-old, mature, MongoDB-style conditions (`{ authorId: user.id }`),
+ * field-level permissions, full TypeScript support, used by NestJS / RedwoodJS /
+ * many production teams. We don't reinvent — we glue.
+ */
+import { type MongoAbility, type MongoQuery, subject as caslSubject } from "@casl/ability";
+import { type User } from "@nwire/auth";
+import { type HandlerContext, type PluginDefinition } from "@nwire/forge";
+/**
+ * The Ability type — what `buildAbility(user)` returns and what
+ * `ctx.ability()` exposes. We use CASL's `MongoAbility` so MongoDB-style
+ * conditions (e.g. `{ authorId: user.id }`) work out of the box without
+ * any extra `conditionsMatcher` wiring at the call site.
+ */
+export type Ability = MongoAbility;
+/**
+ * Builder API exposed to `defineAbility(user, { allow, deny }) => ...`.
+ * Wraps CASL's `AbilityBuilder.can/cannot` under nicer names (`allow/deny`
+ * read better in business code; `can/cannot` is already overloaded with
+ * the query verbs we expose elsewhere).
+ */
+export interface AbilityBuilderCtx {
+    allow: (action: string | string[], subject: any, conditions?: MongoQuery, fields?: string | string[]) => void;
+    deny: (action: string | string[], subject: any, conditions?: MongoQuery, fields?: string | string[]) => void;
+}
+/** Re-export CASL's subject() helper — tag a plain object with its type. */
+export declare const subject: typeof caslSubject;
+/**
+ * Define an ability factory — pure function from User to a CASL Ability.
+ * Called once per dispatch (cached per envelope by the middleware).
+ *
+ *   const buildAbility = defineAbility((user, { allow, deny }) => {
+ *     allow("read", "Post");
+ *     if (user.role === "admin") allow("manage", "all");
+ *   });
+ */
+export declare function defineAbility(factory: (user: User | null, ctx: AbilityBuilderCtx) => void): (user: User | null) => Ability;
+export interface RbacPluginOptions {
+    readonly buildAbility: (user: User | null) => Ability;
+    /**
+     * Container token the ability factory is registered under. Default:
+     * `"buildAbility"`. The middleware looks it up by this key, so custom
+     * names let an app register multiple factories (e.g. for different
+     * tenants).
+     */
+    readonly name?: string;
+}
+/**
+ * RBAC plugin — registers `buildAbility` on the container and installs a
+ * dispatch middleware that resolves the current user's Ability, stashes it
+ * on the handler ctx, and enforces `action.policy` when it's an
+ * `[action, subject]` tuple.
+ */
+export declare function rbacPlugin(options: RbacPluginOptions): PluginDefinition;
+/**
+ * Test helper — build an ability and return it directly. Used in unit
+ * tests that don't want to spin up the full app/plugin stack.
+ */
+export declare function abilityFor(buildAbility: (user: User | null) => Ability, user: User | null): Ability;
+/**
+ * Koa middleware variant of `can(verb, subj)` for use with the http
+ * builder's `RouteBinding.middleware`:
+ *
+ *   .wire(post("/posts/:id", { params, body, middleware: [canKoa("update", "Post")] }), handler)
+ *
+ * Lifts `buildAbility` off the container (registered by `rbacPlugin`),
+ * resolves the current user from `ctx.state.user` (set by an upstream
+ * auth middleware), and throws `ForbiddenError` if the verb is denied.
+ *
+ * For instance-level checks (e.g. owner-only `update`), the handler
+ * should still call `ability.cannot(verb, subject("Post", record))`
+ * after loading the instance — same as in dispatch handlers.
+ */
+export declare function canKoa(verb: string, subj: string): import("koa").Middleware;
+export declare function abilityFromCtx(ctx: HandlerContext): Ability | null;
+export { permission, parsePermission, type Permission, } from "./typed";
+export { resolver, ownedBy, sameTenant, authorize, type Resolver, type ResolverFn, } from "./resolvers";
+export { conditionsFor, type DrizzleFilterBuilder, } from "./filters";
+export { ActionDeniedError, OwnershipMismatchError, ScopeMissingError, RoleMissingError, isOwnershipMismatchError, isScopeMissingError, isRoleMissingError, } from "./errors";
+//# sourceMappingURL=rbac.d.ts.map

package/dist/rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../src/rbac.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,EAGL,KAAK,YAAY,EACjB,KAAK,UAAU,EACf,OAAO,IAAI,WAAW,EACvB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAkB,KAAK,IAAI,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAGL,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACtB,MAAM,cAAc,CAAC;AAEtB;;;;;GAKG;AACH,MAAM,MAAM,OAAO,GAAG,YAAY,CAAC;AAEnC;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAEhC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,KAAK,IAAI,CAAC;IAE9G,IAAI,EAAG,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,KAAK,IAAI,CAAC;CAC/G;AAED,4EAA4E;AAC5E,eAAO,MAAM,OAAO,oBAAc,CAAC;AAEnC;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,EAAE,GAAG,EAAE,iBAAiB,KAAK,IAAI,GAC3D,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,KAAK,OAAO,CAShC;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,KAAK,OAAO,CAAC;IACtD;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAsBD;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,gBAAgB,CA4BvE;AAED;;;GAGG;AACH,wBAAgB,UAAU,CACxB,YAAY,EAAE,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,KAAK,OAAO,EAC5C,IAAI,EAAE,IAAI,GAAG,IAAI,GAChB,OAAO,CAET;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,KAAK,EAAE,UAAU,CAuB3E;AAID,wBAAgB,cAAc,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,GAAG,IAAI,CAGlE;AAWD,OAAO,EACL,UAAU,EACV,eAAe,EACf,KAAK,UAAU,GAChB,MAAM,SAAS,CAAC;AAEjB,OAAO,EACL,QAAQ,EACR,OAAO,EACP,UAAU,EACV,SAAS,EACT,KAAK,QAAQ,EACb,KAAK,UAAU,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,aAAa,EACb,KAAK,oBAAoB,GAC1B,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,EACxB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,UAAU,CAAC"}

package/dist/rbac.js

@@ -0,0 +1,177 @@
+/**
+ * `@nwire/rbac` — declarative permissions powered by CASL.
+ *
+ *   import { defineAbility, rbacPlugin, can } from "@nwire/rbac";
+ *
+ *   // 1. Declare what each role can do
+ *   export const buildAbility = defineAbility((user, { allow, deny }) => {
+ *     if (!user) return;
+ *     if (user.roles?.includes("admin")) { allow("manage", "all"); return; }
+ *     allow("read", "Post");
+ *     allow("create", "Post");
+ *     allow("update", "Post", { authorId: user.id });
+ *     allow("delete", "Post", { authorId: user.id });
+ *   });
+ *
+ *   // 2. Plug it in
+ *   defineApp("my-app", {
+ *     plugins: [identityPlugin({ adapter }), rbacPlugin({ buildAbility })],
+ *   });
+ *
+ *   // 3a. Declarative — gate an HTTP route binding
+ *   httpInterface()
+ *     .wire(post("/posts/:id", { policy: ["update", "Post"] }), async ({ input }) => { ... })
+ *     .run();
+ *
+ *   // 3b. Programmatic — gate inside a handler
+ *   defineAction({
+ *     name: "posts.delete",
+ *     handler: async (input, ctx) => {
+ *       const post = await db.query.posts.findFirst({ where: eq(posts.id, input.id) });
+ *       if (!post) throw NotFound;
+ *       const ability = ctx.ability();
+ *       if (ability.cannot("delete", subject("Post", post))) throw Forbidden;
+ *       ...
+ *     }
+ *   });
+ *
+ * Why CASL: 8-yr-old, mature, MongoDB-style conditions (`{ authorId: user.id }`),
+ * field-level permissions, full TypeScript support, used by NestJS / RedwoodJS /
+ * many production teams. We don't reinvent — we glue.
+ */
+import { AbilityBuilder, createMongoAbility, subject as caslSubject, } from "@casl/ability";
+import { ForbiddenError } from "@nwire/auth";
+import { definePlugin, } from "@nwire/forge";
+/** Re-export CASL's subject() helper — tag a plain object with its type. */
+export const subject = caslSubject;
+/**
+ * Define an ability factory — pure function from User to a CASL Ability.
+ * Called once per dispatch (cached per envelope by the middleware).
+ *
+ *   const buildAbility = defineAbility((user, { allow, deny }) => {
+ *     allow("read", "Post");
+ *     if (user.role === "admin") allow("manage", "all");
+ *   });
+ */
+export function defineAbility(factory) {
+    return (user) => {
+        const builder = new AbilityBuilder(createMongoAbility);
+        factory(user, {
+            allow: builder.can.bind(builder),
+            deny: builder.cannot.bind(builder),
+        });
+        return builder.build();
+    };
+}
+const ABILITY_BUILDER_KEY = Symbol.for("nwire.rbac.builder");
+const CURRENT_ABILITY_KEY = Symbol.for("nwire.rbac.ability");
+/**
+ * Stash the ability + builder on the handler ctx so:
+ *   1. The `can()` middleware can read the resolved ability for the gate.
+ *   2. Handlers can call `ctx.ability()` programmatically.
+ * Implementation: we side-channel through `handlerCtx` (passed across
+ * middleware) using well-known Symbol keys — type-safe AND framework-agnostic.
+ */
+function getAbility(ctx) {
+    if (!ctx || typeof ctx !== "object")
+        return null;
+    return ctx[CURRENT_ABILITY_KEY] ?? null;
+}
+function setAbility(ctx, ability) {
+    if (!ctx || typeof ctx !== "object")
+        return;
+    ctx[CURRENT_ABILITY_KEY] = ability;
+}
+/**
+ * RBAC plugin — registers `buildAbility` on the container and installs a
+ * dispatch middleware that resolves the current user's Ability, stashes it
+ * on the handler ctx, and enforces `action.policy` when it's an
+ * `[action, subject]` tuple.
+ */
+export function rbacPlugin(options) {
+    const containerKey = options.name ?? "buildAbility";
+    const middleware = async (next, action, _input, ctx) => {
+        const user = (ctx.envelope?.user ?? null);
+        const ability = options.buildAbility(user);
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        setAbility(ctx, ability);
+        // Tuple-form policy on actions: `policy: ["update", "Post"]`.
+        if (Array.isArray(action.policy) && action.policy.length === 2) {
+            const [verb, subj] = action.policy;
+            if (ability.cannot(verb, subj)) {
+                throw new ForbiddenError(`Not allowed to ${verb} ${subj}`);
+            }
+        }
+        return next();
+    };
+    return definePlugin("rbac", {
+        register: (container) => {
+            // Container factory: wrapping in `() => fn` so Awilix returns the
+            // function itself instead of treating it as a factory of its return.
+            container.register(containerKey, () => options.buildAbility);
+            container.register(ABILITY_BUILDER_KEY.toString(), () => options.buildAbility);
+        },
+        middleware: [middleware],
+    });
+}
+/**
+ * Test helper — build an ability and return it directly. Used in unit
+ * tests that don't want to spin up the full app/plugin stack.
+ */
+export function abilityFor(buildAbility, user) {
+    return buildAbility(user);
+}
+/**
+ * Koa middleware variant of `can(verb, subj)` for use with the http
+ * builder's `RouteBinding.middleware`:
+ *
+ *   .wire(post("/posts/:id", { params, body, middleware: [canKoa("update", "Post")] }), handler)
+ *
+ * Lifts `buildAbility` off the container (registered by `rbacPlugin`),
+ * resolves the current user from `ctx.state.user` (set by an upstream
+ * auth middleware), and throws `ForbiddenError` if the verb is denied.
+ *
+ * For instance-level checks (e.g. owner-only `update`), the handler
+ * should still call `ability.cannot(verb, subject("Post", record))`
+ * after loading the instance — same as in dispatch handlers.
+ */
+export function canKoa(verb, subj) {
+    return async (koaCtx, next) => {
+        // The container reaches Koa through `ctx.state._container` (set by
+        // `@nwire/http` when an app is being served) or by reading the
+        // app's container via the http builder's `.provide(...)` plumbing.
+        // We don't want a hard dep on those internals — the builder
+        // exposes the container indirectly on the request scope. Read it
+        // via the documented Koa `state` channel.
+        const state = koaCtx.state;
+        const container = state._container;
+        if (!container) {
+            throw new ForbiddenError("RBAC: container not available on Koa state (mount canKoa downstream of provide(container))");
+        }
+        const buildAbility = container.resolve("buildAbility");
+        const ability = buildAbility(state.user ?? null);
+        if (ability.cannot(verb, subj)) {
+            throw new ForbiddenError(`Not allowed to ${verb} ${subj}`);
+        }
+        await next();
+    };
+}
+// Expose the dispatch-ctx accessor so handler code (or higher-level helpers)
+// can retrieve the ability without poking at Symbols directly.
+export function abilityFromCtx(ctx) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    return getAbility(ctx);
+}
+// ─── Polish layer ──────────────────────────────────────────────────
+//
+// Adds the synthesis's "best DX" affordances on top of the CASL core:
+//   - typed `resource:action` permission strings (template literals)
+//   - composable ownership/relation resolvers
+//   - conditionsFor → CASL accessibleBy for query-time filtering (no N+1)
+//   - structured error subclasses (OwnershipMismatchError, ScopeMissing,
+//     RoleMissing) so the API can tell the UI *why* a denial happened
+export { permission, parsePermission, } from "./typed";
+export { resolver, ownedBy, sameTenant, authorize, } from "./resolvers";
+export { conditionsFor, } from "./filters";
+export { ActionDeniedError, OwnershipMismatchError, ScopeMissingError, RoleMissingError, isOwnershipMismatchError, isScopeMissingError, isRoleMissingError, } from "./errors";
+//# sourceMappingURL=rbac.js.map

package/dist/rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.js","sourceRoot":"","sources":["../src/rbac.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,EACL,cAAc,EACd,kBAAkB,EAGlB,OAAO,IAAI,WAAW,GACvB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,cAAc,EAAa,MAAM,aAAa,CAAC;AACxD,OAAO,EACL,YAAY,GAIb,MAAM,cAAc,CAAC;AAuBtB,4EAA4E;AAC5E,MAAM,CAAC,MAAM,OAAO,GAAG,WAAW,CAAC;AAEnC;;;;;;;;GAQG;AACH,MAAM,UAAU,aAAa,CAC3B,OAA4D;IAE5D,OAAO,CAAC,IAAiB,EAAW,EAAE;QACpC,MAAM,OAAO,GAAG,IAAI,cAAc,CAAU,kBAAkB,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,EAAE;YACZ,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC;YAChC,IAAI,EAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;SACpC,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC,CAAC;AACJ,CAAC;AAaD,MAAM,mBAAmB,GAAI,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AAC9D,MAAM,mBAAmB,GAAI,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AAE9D;;;;;;GAMG;AACH,SAAS,UAAU,CAAC,GAAY;IAC9B,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACjD,OAAS,GAA+B,CAAC,mBAAmB,CAAyB,IAAI,IAAI,CAAC;AAChG,CAAC;AAED,SAAS,UAAU,CAAC,GAAY,EAAE,OAAgB;IAChD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO;IAC3C,GAA+B,CAAC,mBAAmB,CAAC,GAAG,OAAO,CAAC;AAClE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,OAA0B;IACnD,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,IAAI,cAAc,CAAC;IAEpD,MAAM,UAAU,GAAuB,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE;QACzE,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,IAAI,IAAI,CAAgB,CAAC;QACzD,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAC3C,8DAA8D;QAC9D,UAAU,CAAC,GAAU,EAAE,OAAO,CAAC,CAAC;QAEhC,8DAA8D;QAC9D,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/D,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,MAA0B,CAAC;YACvD,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;gBAC/B,MAAM,IAAI,cAAc,CAAC,kBAAkB,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QACD,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC;IAEF,OAAO,YAAY,CAAC,MAAM,EAAE;QAC1B,QAAQ,EAAE,CAAC,SAAS,EAAE,EAAE;YACtB,kEAAkE;YAClE,qEAAqE;YACrE,SAAS,CAAC,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;YAC7D,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACjF,CAAC;QACD,UAAU,EAAE,CAAC,UAAU,CAAC;KACzB,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CACxB,YAA4C,EAC5C,IAAiB;IAEjB,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,MAAM,CAAC,IAAY,EAAE,IAAY;IAC/C,OAAO,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE;QAC5B,mEAAmE;QACnE,+DAA+D;QAC/D,mEAAmE;QACnE,4DAA4D;QAC5D,iEAAiE;QACjE,0CAA0C;QAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,KAGpB,CAAC;QACF,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC;QACnC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,cAAc,CAAC,4FAA4F,CAAC,CAAC;QACzH,CAAC;QACD,MAAM,YAAY,GAAG,SAAS,CAAC,OAAO,CAA8B,cAAc,CAAC,CAAC;QACpF,MAAM,OAAO,GAAQ,YAAY,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;QACtD,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,cAAc,CAAC,kBAAkB,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,MAAM,IAAI,EAAE,CAAC;IACf,CAAC,CAAC;AACJ,CAAC;AAED,6EAA6E;AAC7E,+DAA+D;AAC/D,MAAM,UAAU,cAAc,CAAC,GAAmB;IAChD,8DAA8D;IAC9D,OAAO,UAAU,CAAC,GAAU,CAAC,CAAC;AAChC,CAAC;AAED,sEAAsE;AACtE,EAAE;AACF,sEAAsE;AACtE,qEAAqE;AACrE,8CAA8C;AAC9C,0EAA0E;AAC1E,yEAAyE;AACzE,sEAAsE;AAEtE,OAAO,EACL,UAAU,EACV,eAAe,GAEhB,MAAM,SAAS,CAAC;AAEjB,OAAO,EACL,QAAQ,EACR,OAAO,EACP,UAAU,EACV,SAAS,GAGV,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,aAAa,GAEd,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,EACxB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,UAAU,CAAC"}

package/dist/resolvers.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Composable resolver helpers — the synthesis's "named rules" pattern.
+ *
+ * Real apps have a handful of relationship predicates that show up over
+ * and over: "is the owner of this resource", "is a member of the same
+ * team", "is in the same tenant", "is the assignee". The synthesis
+ * recommends naming them once and composing.
+ *
+ *   const isOwner    = resolver<User, Post>((u, p) => u.id === p.authorId);
+ *   const isTeammate = resolver<User, Post>(async (u, p) => (
+ *     await db.query.memberships.findFirst({
+ *       where: and(eq(memberships.userId, u.id), eq(memberships.teamId, p.teamId)),
+ *     }) != null
+ *   ));
+ *
+ *   // Compose
+ *   const canEdit = isOwner.or(isTeammate);
+ *
+ *   // Use programmatically
+ *   if (!(await canEdit(user, post))) throw new OwnershipMismatchError({...});
+ *
+ *   // Or as a CASL ability condition (returns the matcher function)
+ *   allow("update", "Post", canEdit.condition(user));
+ *
+ * Why a separate primitive from CASL's MongoQuery conditions: the
+ * MongoQuery form is great for "fields on the row" checks (e.g.
+ * `{ authorId: user.id }`), but it can't express async I/O ("is the
+ * user in this team's membership table"). `Resolver` handles both.
+ */
+import type { User } from "@nwire/auth";
+export type ResolverFn<TSubject> = (user: User, subject: TSubject) => boolean | Promise<boolean>;
+export interface Resolver<TSubject> {
+    readonly fn: ResolverFn<TSubject>;
+    (user: User, subject: TSubject): Promise<boolean>;
+    or(other: Resolver<TSubject> | ResolverFn<TSubject>): Resolver<TSubject>;
+    and(other: Resolver<TSubject> | ResolverFn<TSubject>): Resolver<TSubject>;
+    not(): Resolver<TSubject>;
+}
+/**
+ * Wrap a `(user, subject) => boolean` predicate as a composable resolver.
+ * The returned value is both callable and chainable.
+ */
+export declare function resolver<TSubject>(fn: ResolverFn<TSubject>): Resolver<TSubject>;
+/**
+ * Convenience — the most common predicate. Pass the field name on the
+ * subject that holds the owner id (defaults to `"authorId"`, which
+ * matches the synthesis's "article.authorId" example).
+ */
+export declare function ownedBy<TSubject extends Record<string, unknown>>(field?: string): Resolver<TSubject>;
+/**
+ * Convenience — same-tenant predicate. The synthesis calls this out as
+ * one of the most common reusable rules in multi-tenant SaaS.
+ */
+export declare function sameTenant<TSubject extends {
+    tenant?: string;
+    tenantId?: string;
+}>(): Resolver<TSubject>;
+export declare function authorize<TSubject>(user: User | null | undefined, action: string, subject: TSubject, rule: Resolver<TSubject> | ResolverFn<TSubject>, opts?: {
+    readonly subjectName?: string;
+}): Promise<void>;
+//# sourceMappingURL=resolvers.d.ts.map

package/dist/resolvers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../src/resolvers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAExC,MAAM,MAAM,UAAU,CAAC,QAAQ,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEjG,MAAM,WAAW,QAAQ,CAAC,QAAQ;IAChC,QAAQ,CAAC,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClD,EAAE,CAAC,KAAK,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzE,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC1E,GAAG,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC;CAC3B;AAQD;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,EAAE,EAAE,UAAU,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAgB/E;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9D,KAAK,GAAE,MAAmB,GACzB,QAAQ,CAAC,QAAQ,CAAC,CAEpB;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,QAAQ,SAAS;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAKxG;AAYD,wBAAsB,SAAS,CAAC,QAAQ,EACtC,IAAI,EAAE,IAAI,GAAG,IAAI,GAAG,SAAS,EAC7B,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,QAAQ,EACjB,IAAI,EAAE,QAAQ,CAAC,QAAQ,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,EAC/C,IAAI,GAAE;IAAE,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAO,GAC3C,OAAO,CAAC,IAAI,CAAC,CAiBf"}

package/dist/resolvers.js

@@ -0,0 +1,100 @@
+/**
+ * Composable resolver helpers — the synthesis's "named rules" pattern.
+ *
+ * Real apps have a handful of relationship predicates that show up over
+ * and over: "is the owner of this resource", "is a member of the same
+ * team", "is in the same tenant", "is the assignee". The synthesis
+ * recommends naming them once and composing.
+ *
+ *   const isOwner    = resolver<User, Post>((u, p) => u.id === p.authorId);
+ *   const isTeammate = resolver<User, Post>(async (u, p) => (
+ *     await db.query.memberships.findFirst({
+ *       where: and(eq(memberships.userId, u.id), eq(memberships.teamId, p.teamId)),
+ *     }) != null
+ *   ));
+ *
+ *   // Compose
+ *   const canEdit = isOwner.or(isTeammate);
+ *
+ *   // Use programmatically
+ *   if (!(await canEdit(user, post))) throw new OwnershipMismatchError({...});
+ *
+ *   // Or as a CASL ability condition (returns the matcher function)
+ *   allow("update", "Post", canEdit.condition(user));
+ *
+ * Why a separate primitive from CASL's MongoQuery conditions: the
+ * MongoQuery form is great for "fields on the row" checks (e.g.
+ * `{ authorId: user.id }`), but it can't express async I/O ("is the
+ * user in this team's membership table"). `Resolver` handles both.
+ */
+function intoResolver(x) {
+    return typeof x === "function" && "fn" in x === false
+        ? resolver(x)
+        : x;
+}
+/**
+ * Wrap a `(user, subject) => boolean` predicate as a composable resolver.
+ * The returned value is both callable and chainable.
+ */
+export function resolver(fn) {
+    const call = async (user, subject) => Boolean(await fn(user, subject));
+    const r = call;
+    // Attach properties — `r` is the call function so `r(u, s)` works.
+    Object.defineProperty(r, "fn", { value: fn });
+    r.or = (other) => {
+        const o = intoResolver(other);
+        return resolver(async (u, s) => (await call(u, s)) || (await o(u, s)));
+    };
+    r.and = (other) => {
+        const o = intoResolver(other);
+        return resolver(async (u, s) => (await call(u, s)) && (await o(u, s)));
+    };
+    r.not = () => resolver(async (u, s) => !(await call(u, s)));
+    return r;
+}
+/**
+ * Convenience — the most common predicate. Pass the field name on the
+ * subject that holds the owner id (defaults to `"authorId"`, which
+ * matches the synthesis's "article.authorId" example).
+ */
+export function ownedBy(field = "authorId") {
+    return resolver((user, subject) => subject[field] === user.id);
+}
+/**
+ * Convenience — same-tenant predicate. The synthesis calls this out as
+ * one of the most common reusable rules in multi-tenant SaaS.
+ */
+export function sameTenant() {
+    return resolver((user, subject) => {
+        const subTenant = (subject.tenant ?? subject.tenantId);
+        return Boolean(user.tenant && subTenant && user.tenant === subTenant);
+    });
+}
+/**
+ * Higher-order helper: turn a resolver into an authorize call that
+ * throws the right structured error on denial. The synthesis's
+ * "structured error" pattern.
+ *
+ *   import { authorize, ownedBy } from "@nwire/rbac";
+ *   await authorize(user, "update", post, ownedBy());
+ */
+import { OwnershipMismatchError } from "./errors";
+export async function authorize(user, action, subject, rule, opts = {}) {
+    if (!user) {
+        throw new OwnershipMismatchError({
+            action,
+            subject: opts.subjectName ?? "resource",
+            reason: "Not authenticated",
+        });
+    }
+    const r = intoResolver(rule);
+    const ok = await r(user, subject);
+    if (!ok) {
+        throw new OwnershipMismatchError({
+            action,
+            subject: opts.subjectName ?? "resource",
+            userId: user.id,
+        });
+    }
+}
+//# sourceMappingURL=resolvers.js.map

package/dist/resolvers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolvers.js","sourceRoot":"","sources":["../src/resolvers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAcH,SAAS,YAAY,CAAI,CAA8B;IACrD,OAAO,OAAO,CAAC,KAAK,UAAU,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK;QACnD,CAAC,CAAC,QAAQ,CAAC,CAAkB,CAAC;QAC9B,CAAC,CAAE,CAAiB,CAAC;AACzB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAW,EAAwB;IACzD,MAAM,IAAI,GAAG,KAAK,EAAE,IAAU,EAAE,OAAiB,EAAoB,EAAE,CACrE,OAAO,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACnC,MAAM,CAAC,GAAG,IAAqC,CAAC;IAChD,mEAAmE;IACnE,MAAM,CAAC,cAAc,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IAC9C,CAAC,CAAC,EAAE,GAAG,CAAC,KAAK,EAAE,EAAE;QACf,MAAM,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QAC9B,OAAO,QAAQ,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,CAAC,CAAC;IACF,CAAC,CAAC,GAAG,GAAG,CAAC,KAAK,EAAE,EAAE;QAChB,MAAM,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QAC9B,OAAO,QAAQ,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,CAAC,CAAC;IACF,CAAC,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,OAAO,CACrB,QAAgB,UAAU;IAE1B,OAAO,QAAQ,CAAW,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU;IACxB,OAAO,QAAQ,CAAW,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE;QAC1C,MAAM,SAAS,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,QAAQ,CAAuB,CAAC;QAC7E,OAAO,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,SAAS,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;GAOG;AACH,OAAO,EAAE,sBAAsB,EAAE,MAAM,UAAU,CAAC;AAElD,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAA6B,EAC7B,MAAc,EACd,OAAiB,EACjB,IAA+C,EAC/C,OAA0C,EAAE;IAE5C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,sBAAsB,CAAC;YAC/B,MAAM;YACN,OAAO,EAAE,IAAI,CAAC,WAAW,IAAI,UAAU;YACvC,MAAM,EAAG,mBAAmB;SAC7B,CAAC,CAAC;IACL,CAAC;IACD,MAAM,CAAC,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,sBAAsB,CAAC;YAC/B,MAAM;YACN,OAAO,EAAE,IAAI,CAAC,WAAW,IAAI,UAAU;YACvC,MAAM,EAAG,IAAI,CAAC,EAAE;SACjB,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/typed.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Typed permission helpers — the "Read-Like-English" + autocomplete layer
+ * over CASL. Apps declare their vocabulary once (verbs + subjects); the
+ * rest of the codebase gets autocompletion + typo-prevention on every
+ * `can("update", "Post")` call.
+ *
+ *   // Declare your vocabulary once.
+ *   type AppVerbs    = "read" | "create" | "update" | "delete" | "manage";
+ *   type AppSubjects = "Post" | "Comment" | "User" | "all";
+ *   export type AppPermission = Permission<AppVerbs, AppSubjects>;
+ *   //  ^ "read:Post" | "create:Post" | ... | "manage:all"
+ *
+ *   // Now per-route middleware is autocomplete-driven:
+ *   http().wire(post("/posts", {
+ *     body, middleware: [canKoa<AppVerbs, AppSubjects>("update", "Post")],
+ *   }), handler);
+ *
+ * The `resource:action` string form is also exposed via `parsePermission`
+ * for places where a single string is more ergonomic (config files, route
+ * tags, audit logs).
+ */
+/**
+ * The `resource:action` permission string — Template Literal Type the
+ * synthesis recommends. Apps narrow Verbs/Subjects to their domain
+ * vocabulary and get IDE autocomplete + typo-prevention everywhere.
+ */
+export type Permission<TVerb extends string = string, TSubject extends string = string> = `${TVerb}:${TSubject}`;
+/**
+ * Build a permission string. Type-narrow when called with const-literal
+ * arguments; the inferred string lands in IDE tooltips.
+ *
+ *   const p = permission("update", "Post"); // typed `update:Post`
+ */
+export declare function permission<TVerb extends string, TSubject extends string>(verb: TVerb, subject: TSubject): Permission<TVerb, TSubject>;
+/** Split a `resource:action` permission string into a tuple. */
+export declare function parsePermission<P extends Permission>(p: P): readonly [string, string];
+//# sourceMappingURL=typed.d.ts.map

package/dist/typed.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"typed.d.ts","sourceRoot":"","sources":["../src/typed.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH;;;;GAIG;AACH,MAAM,MAAM,UAAU,CAAC,KAAK,SAAS,MAAM,GAAG,MAAM,EAAE,QAAQ,SAAS,MAAM,GAAG,MAAM,IACpF,GAAG,KAAK,IAAI,QAAQ,EAAE,CAAC;AAEzB;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,SAAS,MAAM,EAAE,QAAQ,SAAS,MAAM,EACtE,IAAI,EAAK,KAAK,EACd,OAAO,EAAE,QAAQ,GAChB,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,CAE7B;AAED,gEAAgE;AAChE,wBAAgB,eAAe,CAAC,CAAC,SAAS,UAAU,EAAE,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAIrF"}

package/dist/typed.js

@@ -0,0 +1,38 @@
+/**
+ * Typed permission helpers — the "Read-Like-English" + autocomplete layer
+ * over CASL. Apps declare their vocabulary once (verbs + subjects); the
+ * rest of the codebase gets autocompletion + typo-prevention on every
+ * `can("update", "Post")` call.
+ *
+ *   // Declare your vocabulary once.
+ *   type AppVerbs    = "read" | "create" | "update" | "delete" | "manage";
+ *   type AppSubjects = "Post" | "Comment" | "User" | "all";
+ *   export type AppPermission = Permission<AppVerbs, AppSubjects>;
+ *   //  ^ "read:Post" | "create:Post" | ... | "manage:all"
+ *
+ *   // Now per-route middleware is autocomplete-driven:
+ *   http().wire(post("/posts", {
+ *     body, middleware: [canKoa<AppVerbs, AppSubjects>("update", "Post")],
+ *   }), handler);
+ *
+ * The `resource:action` string form is also exposed via `parsePermission`
+ * for places where a single string is more ergonomic (config files, route
+ * tags, audit logs).
+ */
+/**
+ * Build a permission string. Type-narrow when called with const-literal
+ * arguments; the inferred string lands in IDE tooltips.
+ *
+ *   const p = permission("update", "Post"); // typed `update:Post`
+ */
+export function permission(verb, subject) {
+    return `${verb}:${subject}`;
+}
+/** Split a `resource:action` permission string into a tuple. */
+export function parsePermission(p) {
+    const idx = p.indexOf(":");
+    if (idx < 0)
+        return [p, ""];
+    return [p.slice(0, idx), p.slice(idx + 1)];
+}
+//# sourceMappingURL=typed.js.map

package/dist/typed.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"typed.js","sourceRoot":"","sources":["../src/typed.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAUH;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CACxB,IAAc,EACd,OAAiB;IAEjB,OAAO,GAAG,IAAI,IAAI,OAAO,EAAiC,CAAC;AAC7D,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,eAAe,CAAuB,CAAI;IACxD,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,GAAG,GAAG,CAAC;QAAE,OAAO,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5B,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;AAC7C,CAAC"}