@objectstack/spec 2.0.4 → 2.0.5

package/dist/index-CDN6TRx9.d.ts

@@ -0,0 +1,765 @@
+import { z } from 'zod';
+
+/**
+ * Entity (Object) Level Permissions
+ * Defines CRUD + VAMA (View All / Modify All) + Lifecycle access.
+ *
+ * Refined with enterprise data lifecycle controls:
+ * - Transfer (Ownership change)
+ * - Restore (Soft delete recovery)
+ * - Purge (Hard delete / Compliance)
+ */
+declare const ObjectPermissionSchema: z.ZodObject<{
+    allowCreate: z.ZodDefault<z.ZodBoolean>;
+    allowRead: z.ZodDefault<z.ZodBoolean>;
+    allowEdit: z.ZodDefault<z.ZodBoolean>;
+    allowDelete: z.ZodDefault<z.ZodBoolean>;
+    allowTransfer: z.ZodDefault<z.ZodBoolean>;
+    allowRestore: z.ZodDefault<z.ZodBoolean>;
+    allowPurge: z.ZodDefault<z.ZodBoolean>;
+    viewAllRecords: z.ZodDefault<z.ZodBoolean>;
+    modifyAllRecords: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Field Level Security (FLS)
+ */
+declare const FieldPermissionSchema: z.ZodObject<{
+    readable: z.ZodDefault<z.ZodBoolean>;
+    editable: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Permission Set Schema
+ * Defines a collection of permissions that can be assigned to users.
+ *
+ * DIFFERENTIATION:
+ * - Profile: The ONE primary functional definition of a user (e.g. Standard User).
+ * - Permission Set: Add-on capabilities assigned to users (e.g. Export Reports).
+ * - Role: (Defined in src/system/role.zod.ts) Defines data visibility hierarchy.
+ *
+ * **NAMING CONVENTION:**
+ * Permission set names MUST be lowercase snake_case to prevent security issues.
+ *
+ * @example Good permission set names
+ * - 'read_only'
+ * - 'system_admin'
+ * - 'standard_user'
+ * - 'api_access'
+ *
+ * @example Bad permission set names (will be rejected)
+ * - 'ReadOnly' (camelCase)
+ * - 'SystemAdmin' (mixed case)
+ * - 'Read Only' (spaces)
+ */
+declare const PermissionSetSchema: z.ZodObject<{
+    name: z.ZodString;
+    label: z.ZodOptional<z.ZodString>;
+    isProfile: z.ZodDefault<z.ZodBoolean>;
+    objects: z.ZodRecord<z.ZodString, z.ZodObject<{
+        allowCreate: z.ZodDefault<z.ZodBoolean>;
+        allowRead: z.ZodDefault<z.ZodBoolean>;
+        allowEdit: z.ZodDefault<z.ZodBoolean>;
+        allowDelete: z.ZodDefault<z.ZodBoolean>;
+        allowTransfer: z.ZodDefault<z.ZodBoolean>;
+        allowRestore: z.ZodDefault<z.ZodBoolean>;
+        allowPurge: z.ZodDefault<z.ZodBoolean>;
+        viewAllRecords: z.ZodDefault<z.ZodBoolean>;
+        modifyAllRecords: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    fields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
+        readable: z.ZodDefault<z.ZodBoolean>;
+        editable: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>>;
+    systemPermissions: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    rowLevelSecurity: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        label: z.ZodOptional<z.ZodString>;
+        description: z.ZodOptional<z.ZodString>;
+        object: z.ZodString;
+        operation: z.ZodEnum<{
+            insert: "insert";
+            update: "update";
+            delete: "delete";
+            select: "select";
+            all: "all";
+        }>;
+        using: z.ZodOptional<z.ZodString>;
+        check: z.ZodOptional<z.ZodString>;
+        roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        priority: z.ZodDefault<z.ZodNumber>;
+        tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>>>;
+    contextVariables: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+type PermissionSet = z.infer<typeof PermissionSetSchema>;
+type ObjectPermission = z.infer<typeof ObjectPermissionSchema>;
+type FieldPermission = z.infer<typeof FieldPermissionSchema>;
+
+/**
+ * Organization-Wide Defaults (OWD)
+ * The baseline security posture for an object.
+ */
+declare const OWDModel: z.ZodEnum<{
+    private: "private";
+    public_read: "public_read";
+    public_read_write: "public_read_write";
+    controlled_by_parent: "controlled_by_parent";
+}>;
+/**
+ * Sharing Rule Type
+ * How is the data shared?
+ */
+declare const SharingRuleType: z.ZodEnum<{
+    owner: "owner";
+    criteria: "criteria";
+}>;
+/**
+ * Sharing Level
+ * What access is granted?
+ */
+declare const SharingLevel: z.ZodEnum<{
+    full: "full";
+    read: "read";
+    edit: "edit";
+}>;
+/**
+ * Recipient Type
+ * Who receives the access?
+ */
+declare const ShareRecipientType: z.ZodEnum<{
+    role: "role";
+    user: "user";
+    group: "group";
+    role_and_subordinates: "role_and_subordinates";
+    guest: "guest";
+}>;
+/**
+ * 1. Criteria-Based Sharing Rule
+ * Share records that meet specific field criteria.
+ */
+declare const CriteriaSharingRuleSchema: z.ZodObject<{
+    name: z.ZodString;
+    label: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+    object: z.ZodString;
+    active: z.ZodDefault<z.ZodBoolean>;
+    accessLevel: z.ZodDefault<z.ZodEnum<{
+        full: "full";
+        read: "read";
+        edit: "edit";
+    }>>;
+    sharedWith: z.ZodObject<{
+        type: z.ZodEnum<{
+            role: "role";
+            user: "user";
+            group: "group";
+            role_and_subordinates: "role_and_subordinates";
+            guest: "guest";
+        }>;
+        value: z.ZodString;
+    }, z.core.$strip>;
+    type: z.ZodLiteral<"criteria">;
+    condition: z.ZodString;
+}, z.core.$strip>;
+/**
+ * 2. Owner-Based Sharing Rule
+ * Share records owned by a specific group of users.
+ */
+declare const OwnerSharingRuleSchema: z.ZodObject<{
+    name: z.ZodString;
+    label: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+    object: z.ZodString;
+    active: z.ZodDefault<z.ZodBoolean>;
+    accessLevel: z.ZodDefault<z.ZodEnum<{
+        full: "full";
+        read: "read";
+        edit: "edit";
+    }>>;
+    sharedWith: z.ZodObject<{
+        type: z.ZodEnum<{
+            role: "role";
+            user: "user";
+            group: "group";
+            role_and_subordinates: "role_and_subordinates";
+            guest: "guest";
+        }>;
+        value: z.ZodString;
+    }, z.core.$strip>;
+    type: z.ZodLiteral<"owner">;
+    ownedBy: z.ZodObject<{
+        type: z.ZodEnum<{
+            role: "role";
+            user: "user";
+            group: "group";
+            role_and_subordinates: "role_and_subordinates";
+            guest: "guest";
+        }>;
+        value: z.ZodString;
+    }, z.core.$strip>;
+}, z.core.$strip>;
+/**
+ * Master Sharing Rule Schema
+ */
+declare const SharingRuleSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    name: z.ZodString;
+    label: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+    object: z.ZodString;
+    active: z.ZodDefault<z.ZodBoolean>;
+    accessLevel: z.ZodDefault<z.ZodEnum<{
+        full: "full";
+        read: "read";
+        edit: "edit";
+    }>>;
+    sharedWith: z.ZodObject<{
+        type: z.ZodEnum<{
+            role: "role";
+            user: "user";
+            group: "group";
+            role_and_subordinates: "role_and_subordinates";
+            guest: "guest";
+        }>;
+        value: z.ZodString;
+    }, z.core.$strip>;
+    type: z.ZodLiteral<"criteria">;
+    condition: z.ZodString;
+}, z.core.$strip>, z.ZodObject<{
+    name: z.ZodString;
+    label: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+    object: z.ZodString;
+    active: z.ZodDefault<z.ZodBoolean>;
+    accessLevel: z.ZodDefault<z.ZodEnum<{
+        full: "full";
+        read: "read";
+        edit: "edit";
+    }>>;
+    sharedWith: z.ZodObject<{
+        type: z.ZodEnum<{
+            role: "role";
+            user: "user";
+            group: "group";
+            role_and_subordinates: "role_and_subordinates";
+            guest: "guest";
+        }>;
+        value: z.ZodString;
+    }, z.core.$strip>;
+    type: z.ZodLiteral<"owner">;
+    ownedBy: z.ZodObject<{
+        type: z.ZodEnum<{
+            role: "role";
+            user: "user";
+            group: "group";
+            role_and_subordinates: "role_and_subordinates";
+            guest: "guest";
+        }>;
+        value: z.ZodString;
+    }, z.core.$strip>;
+}, z.core.$strip>], "type">;
+type SharingRule = z.infer<typeof SharingRuleSchema>;
+type CriteriaSharingRule = z.infer<typeof CriteriaSharingRuleSchema>;
+type OwnerSharingRule = z.infer<typeof OwnerSharingRuleSchema>;
+
+/**
+ * Territory Management Protocol
+ * Defines a matrix reporting structure that exists parallel to the Role Hierarchy.
+ *
+ * USE CASE:
+ * - Enterprise Sales Teams (Geo-based: "EMEA", "APAC")
+ * - Industry Verticals (Industry-based: "Healthcare", "Financial")
+ * - Strategic Accounts (Account-based: "Strategic Accounts")
+ *
+ * DIFFERENCE FROM ROLE:
+ * - Role: Hierarchy of PEOPLE (Who reports to whom). Stable. HR-driven.
+ * - Territory: Hierarchy of ACCOUNTS/REVENUE (Who owns which market). Flexible. Sales-driven.
+ * - One User can be assigned to MANY Territories (Matrix).
+ * - One User has only ONE Role (Tree).
+ */
+declare const TerritoryType: z.ZodEnum<{
+    geography: "geography";
+    industry: "industry";
+    named_account: "named_account";
+    product_line: "product_line";
+}>;
+/**
+ * Territory Model Schema
+ * A container for a version of territory planning.
+ * (e.g. "Fiscal Year 2024 Planning" vs "Fiscal Year 2025 Planning")
+ */
+declare const TerritoryModelSchema: z.ZodObject<{
+    name: z.ZodString;
+    state: z.ZodDefault<z.ZodEnum<{
+        active: "active";
+        planning: "planning";
+        archived: "archived";
+    }>>;
+    startDate: z.ZodOptional<z.ZodString>;
+    endDate: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+/**
+ * Territory Node Schema
+ * A single node in the territory tree.
+ *
+ * **NAMING CONVENTION:**
+ * Territory names are machine identifiers and must be lowercase snake_case.
+ *
+ * @example Good territory names
+ * - 'west_coast'
+ * - 'emea_region'
+ * - 'healthcare_vertical'
+ * - 'strategic_accounts'
+ *
+ * @example Bad territory names (will be rejected)
+ * - 'WestCoast' (PascalCase)
+ * - 'West Coast' (spaces)
+ */
+declare const TerritorySchema: z.ZodObject<{
+    name: z.ZodString;
+    label: z.ZodString;
+    modelId: z.ZodString;
+    parent: z.ZodOptional<z.ZodString>;
+    type: z.ZodDefault<z.ZodEnum<{
+        geography: "geography";
+        industry: "industry";
+        named_account: "named_account";
+        product_line: "product_line";
+    }>>;
+    assignmentRule: z.ZodOptional<z.ZodString>;
+    assignedUsers: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    accountAccess: z.ZodDefault<z.ZodEnum<{
+        read: "read";
+        edit: "edit";
+    }>>;
+    opportunityAccess: z.ZodDefault<z.ZodEnum<{
+        read: "read";
+        edit: "edit";
+    }>>;
+    caseAccess: z.ZodDefault<z.ZodEnum<{
+        read: "read";
+        edit: "edit";
+    }>>;
+}, z.core.$strip>;
+type Territory = z.infer<typeof TerritorySchema>;
+type TerritoryModel = z.infer<typeof TerritoryModelSchema>;
+
+/**
+ * # Row-Level Security (RLS) Protocol
+ *
+ * Implements fine-grained record-level access control inspired by PostgreSQL RLS
+ * and Salesforce Criteria-Based Sharing Rules.
+ *
+ * ## Overview
+ *
+ * Row-Level Security (RLS) allows you to control which rows users can access
+ * in database tables based on their identity and role. Unlike object-level
+ * permissions (CRUD), RLS provides record-level filtering.
+ *
+ * ## Use Cases
+ *
+ * 1. **Multi-Tenant Data Isolation**
+ *    - Users only see records from their organization
+ *    - `using: "tenant_id = current_user.tenant_id"`
+ *
+ * 2. **Ownership-Based Access**
+ *    - Users only see records they own
+ *    - `using: "owner_id = current_user.id"`
+ *
+ * 3. **Department-Based Access**
+ *    - Users only see records from their department
+ *    - `using: "department = current_user.department"`
+ *
+ * 4. **Regional Access Control**
+ *    - Sales reps only see accounts in their territory
+ *    - `using: "region IN (current_user.assigned_regions)"`
+ *
+ * 5. **Time-Based Access**
+ *    - Users can only access active records
+ *    - `using: "status = 'active' AND expiry_date > NOW()"`
+ *
+ * ## PostgreSQL RLS Comparison
+ *
+ * PostgreSQL RLS Example:
+ * ```sql
+ * CREATE POLICY tenant_isolation ON accounts
+ *   FOR SELECT
+ *   USING (tenant_id = current_setting('app.current_tenant_id')::uuid);
+ *
+ * CREATE POLICY account_insert ON accounts
+ *   FOR INSERT
+ *   WITH CHECK (tenant_id = current_setting('app.current_tenant_id')::uuid);
+ * ```
+ *
+ * ObjectStack RLS Equivalent:
+ * ```typescript
+ * {
+ *   name: 'tenant_isolation',
+ *   object: 'account',
+ *   operation: 'select',
+ *   using: 'tenant_id = current_user.tenant_id'
+ * }
+ * ```
+ *
+ * ## Salesforce Sharing Rules Comparison
+ *
+ * Salesforce uses "Sharing Rules" and "Role Hierarchy" for record-level access.
+ * ObjectStack RLS provides similar functionality with more flexibility.
+ *
+ * Salesforce:
+ * - Criteria-Based Sharing: Share records matching criteria with users/roles
+ * - Owner-Based Sharing: Share records based on owner's role
+ * - Manual Sharing: Individual record sharing
+ *
+ * ObjectStack RLS:
+ * - More flexible formula-based conditions
+ * - Direct SQL-like syntax
+ * - Supports complex logic with AND/OR/NOT
+ *
+ * ## Best Practices
+ *
+ * 1. **Always Define SELECT Policy**: Control what users can view
+ * 2. **Define INSERT/UPDATE CHECK Policies**: Prevent data leakage
+ * 3. **Use Role-Based Policies**: Apply different rules to different roles
+ * 4. **Test Thoroughly**: RLS can have complex interactions
+ * 5. **Monitor Performance**: Complex RLS policies can impact query performance
+ *
+ * ## Security Considerations
+ *
+ * 1. **Defense in Depth**: RLS is one layer; use with object permissions
+ * 2. **Default Deny**: If no policy matches, access is denied
+ * 3. **Policy Precedence**: More permissive policy wins (OR logic)
+ * 4. **Context Variables**: Ensure current_user context is always set
+ *
+ * @see https://www.postgresql.org/docs/current/ddl-rowsecurity.html
+ * @see https://help.salesforce.com/s/articleView?id=sf.security_sharing_rules.htm
+ */
+/**
+ * RLS Operation Enum
+ * Specifies which database operation this policy applies to.
+ *
+ * - **select**: Controls which rows can be read (SELECT queries)
+ * - **insert**: Controls which rows can be inserted (INSERT statements)
+ * - **update**: Controls which rows can be updated (UPDATE statements)
+ * - **delete**: Controls which rows can be deleted (DELETE statements)
+ * - **all**: Shorthand for all operations (equivalent to defining 4 separate policies)
+ */
+declare const RLSOperation: z.ZodEnum<{
+    insert: "insert";
+    update: "update";
+    delete: "delete";
+    select: "select";
+    all: "all";
+}>;
+type RLSOperation = z.infer<typeof RLSOperation>;
+/**
+ * Row-Level Security Policy Schema
+ *
+ * Defines a single RLS policy that filters records based on conditions.
+ * Multiple policies can be defined for the same object, and they are
+ * combined with OR logic (union of results).
+ *
+ * @example Multi-Tenant Isolation
+ * ```typescript
+ * {
+ *   name: 'tenant_isolation',
+ *   label: 'Multi-Tenant Data Isolation',
+ *   object: 'account',
+ *   operation: 'select',
+ *   using: 'tenant_id = current_user.tenant_id',
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Owner-Based Access
+ * ```typescript
+ * {
+ *   name: 'owner_access',
+ *   label: 'Users Can View Their Own Records',
+ *   object: 'opportunity',
+ *   operation: 'select',
+ *   using: 'owner_id = current_user.id',
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Manager Can View Team Records
+ * ```typescript
+ * {
+ *   name: 'manager_team_access',
+ *   label: 'Managers Can View Team Records',
+ *   object: 'task',
+ *   operation: 'select',
+ *   using: 'assigned_to_id IN (SELECT id FROM users WHERE manager_id = current_user.id)',
+ *   roles: ['manager', 'director'],
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Prevent Cross-Tenant Data Insertion
+ * ```typescript
+ * {
+ *   name: 'tenant_insert_check',
+ *   label: 'Prevent Cross-Tenant Data Creation',
+ *   object: 'account',
+ *   operation: 'insert',
+ *   check: 'tenant_id = current_user.tenant_id',
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Regional Sales Access
+ * ```typescript
+ * {
+ *   name: 'regional_sales_access',
+ *   label: 'Sales Reps Access Regional Accounts',
+ *   object: 'account',
+ *   operation: 'select',
+ *   using: 'region = current_user.region OR region IS NULL',
+ *   roles: ['sales_rep'],
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Time-Based Access Control
+ * ```typescript
+ * {
+ *   name: 'active_records_only',
+ *   label: 'Users Only Access Active Records',
+ *   object: 'contract',
+ *   operation: 'select',
+ *   using: 'status = "active" AND start_date <= NOW() AND end_date >= NOW()',
+ *   enabled: true
+ * }
+ * ```
+ *
+ * @example Hierarchical Access (Role-Based)
+ * ```typescript
+ * {
+ *   name: 'executive_full_access',
+ *   label: 'Executives See All Records',
+ *   object: 'account',
+ *   operation: 'all',
+ *   using: '1 = 1', // Always true - see everything
+ *   roles: ['ceo', 'cfo', 'cto'],
+ *   enabled: true
+ * }
+ * ```
+ */
+declare const RowLevelSecurityPolicySchema: z.ZodObject<{
+    name: z.ZodString;
+    label: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+    object: z.ZodString;
+    operation: z.ZodEnum<{
+        insert: "insert";
+        update: "update";
+        delete: "delete";
+        select: "select";
+        all: "all";
+    }>;
+    using: z.ZodOptional<z.ZodString>;
+    check: z.ZodOptional<z.ZodString>;
+    roles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    priority: z.ZodDefault<z.ZodNumber>;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+/**
+ * RLS Configuration Schema
+ *
+ * Global configuration for the Row-Level Security system.
+ * Defines how RLS is enforced across the entire platform.
+ */
+declare const RLSConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    defaultPolicy: z.ZodDefault<z.ZodEnum<{
+        deny: "deny";
+        allow: "allow";
+    }>>;
+    allowSuperuserBypass: z.ZodDefault<z.ZodBoolean>;
+    bypassRoles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    logEvaluations: z.ZodDefault<z.ZodBoolean>;
+    cacheResults: z.ZodDefault<z.ZodBoolean>;
+    cacheTtlSeconds: z.ZodDefault<z.ZodNumber>;
+    prefetchUserContext: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * User Context Schema
+ *
+ * Represents the current user's context for RLS evaluation.
+ * This data is used to evaluate USING and CHECK clauses.
+ */
+declare const RLSUserContextSchema: z.ZodObject<{
+    id: z.ZodString;
+    email: z.ZodOptional<z.ZodString>;
+    tenantId: z.ZodOptional<z.ZodString>;
+    role: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+    department: z.ZodOptional<z.ZodString>;
+    attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strip>;
+/**
+ * RLS Policy Evaluation Result
+ *
+ * Result of evaluating an RLS policy for a specific record.
+ * Used for debugging and audit logging.
+ */
+declare const RLSEvaluationResultSchema: z.ZodObject<{
+    policyName: z.ZodString;
+    granted: z.ZodBoolean;
+    durationMs: z.ZodOptional<z.ZodNumber>;
+    error: z.ZodOptional<z.ZodString>;
+    usingResult: z.ZodOptional<z.ZodBoolean>;
+    checkResult: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Type exports
+ */
+type RowLevelSecurityPolicy = z.infer<typeof RowLevelSecurityPolicySchema>;
+type RLSConfig = z.infer<typeof RLSConfigSchema>;
+type RLSUserContext = z.infer<typeof RLSUserContextSchema>;
+type RLSEvaluationResult = z.infer<typeof RLSEvaluationResultSchema>;
+/**
+ * Helper factory for creating RLS policies
+ */
+declare const RLS: {
+    /**
+     * Create a simple owner-based policy
+     */
+    readonly ownerPolicy: (object: string, ownerField?: string) => RowLevelSecurityPolicy;
+    /**
+     * Create a tenant isolation policy
+     */
+    readonly tenantPolicy: (object: string, tenantField?: string) => RowLevelSecurityPolicy;
+    /**
+     * Create a role-based policy
+     */
+    readonly rolePolicy: (object: string, roles: string[], condition: string) => RowLevelSecurityPolicy;
+    /**
+     * Create a permissive policy (allow all for specific roles)
+     */
+    readonly allowAllPolicy: (object: string, roles: string[]) => RowLevelSecurityPolicy;
+};
+
+/**
+ * Password Complexity Policy
+ */
+declare const PasswordPolicySchema: z.ZodObject<{
+    minLength: z.ZodDefault<z.ZodNumber>;
+    requireUppercase: z.ZodDefault<z.ZodBoolean>;
+    requireLowercase: z.ZodDefault<z.ZodBoolean>;
+    requireNumbers: z.ZodDefault<z.ZodBoolean>;
+    requireSymbols: z.ZodDefault<z.ZodBoolean>;
+    expirationDays: z.ZodOptional<z.ZodNumber>;
+    historyCount: z.ZodDefault<z.ZodNumber>;
+}, z.core.$strip>;
+/**
+ * Network Access Policy (IP Whitelisting)
+ */
+declare const NetworkPolicySchema: z.ZodObject<{
+    trustedRanges: z.ZodArray<z.ZodString>;
+    blockUnknown: z.ZodDefault<z.ZodBoolean>;
+    vpnRequired: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Session Policy
+ */
+declare const SessionPolicySchema: z.ZodObject<{
+    idleTimeout: z.ZodDefault<z.ZodNumber>;
+    absoluteTimeout: z.ZodDefault<z.ZodNumber>;
+    forceMfa: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Audit Retention Policy
+ */
+declare const AuditPolicySchema: z.ZodObject<{
+    logRetentionDays: z.ZodDefault<z.ZodNumber>;
+    sensitiveFields: z.ZodArray<z.ZodString>;
+    captureRead: z.ZodDefault<z.ZodBoolean>;
+}, z.core.$strip>;
+/**
+ * Security Policy Schema
+ * "The Cloud Compliance Contract"
+ */
+declare const PolicySchema: z.ZodObject<{
+    name: z.ZodString;
+    password: z.ZodOptional<z.ZodObject<{
+        minLength: z.ZodDefault<z.ZodNumber>;
+        requireUppercase: z.ZodDefault<z.ZodBoolean>;
+        requireLowercase: z.ZodDefault<z.ZodBoolean>;
+        requireNumbers: z.ZodDefault<z.ZodBoolean>;
+        requireSymbols: z.ZodDefault<z.ZodBoolean>;
+        expirationDays: z.ZodOptional<z.ZodNumber>;
+        historyCount: z.ZodDefault<z.ZodNumber>;
+    }, z.core.$strip>>;
+    network: z.ZodOptional<z.ZodObject<{
+        trustedRanges: z.ZodArray<z.ZodString>;
+        blockUnknown: z.ZodDefault<z.ZodBoolean>;
+        vpnRequired: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    session: z.ZodOptional<z.ZodObject<{
+        idleTimeout: z.ZodDefault<z.ZodNumber>;
+        absoluteTimeout: z.ZodDefault<z.ZodNumber>;
+        forceMfa: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    audit: z.ZodOptional<z.ZodObject<{
+        logRetentionDays: z.ZodDefault<z.ZodNumber>;
+        sensitiveFields: z.ZodArray<z.ZodString>;
+        captureRead: z.ZodDefault<z.ZodBoolean>;
+    }, z.core.$strip>>;
+    isDefault: z.ZodDefault<z.ZodBoolean>;
+    assignedProfiles: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+type Policy = z.infer<typeof PolicySchema>;
+
+/**
+ * Permission Protocol Exports
+ *
+ * Fine-grained Access Control
+ * - Permission Sets (CRUD + Field-Level Security)
+ * - Sharing Rules (Record Ownership)
+ * - Territory Management (Geographic/Hierarchical)
+ * - Row-Level Security (RLS - PostgreSQL-style)
+ */
+
+declare const index_AuditPolicySchema: typeof AuditPolicySchema;
+type index_CriteriaSharingRule = CriteriaSharingRule;
+declare const index_CriteriaSharingRuleSchema: typeof CriteriaSharingRuleSchema;
+type index_FieldPermission = FieldPermission;
+declare const index_FieldPermissionSchema: typeof FieldPermissionSchema;
+declare const index_NetworkPolicySchema: typeof NetworkPolicySchema;
+declare const index_OWDModel: typeof OWDModel;
+type index_ObjectPermission = ObjectPermission;
+declare const index_ObjectPermissionSchema: typeof ObjectPermissionSchema;
+type index_OwnerSharingRule = OwnerSharingRule;
+declare const index_OwnerSharingRuleSchema: typeof OwnerSharingRuleSchema;
+declare const index_PasswordPolicySchema: typeof PasswordPolicySchema;
+type index_PermissionSet = PermissionSet;
+declare const index_PermissionSetSchema: typeof PermissionSetSchema;
+type index_Policy = Policy;
+declare const index_PolicySchema: typeof PolicySchema;
+declare const index_RLS: typeof RLS;
+type index_RLSConfig = RLSConfig;
+declare const index_RLSConfigSchema: typeof RLSConfigSchema;
+type index_RLSEvaluationResult = RLSEvaluationResult;
+declare const index_RLSEvaluationResultSchema: typeof RLSEvaluationResultSchema;
+type index_RLSOperation = RLSOperation;
+type index_RLSUserContext = RLSUserContext;
+declare const index_RLSUserContextSchema: typeof RLSUserContextSchema;
+type index_RowLevelSecurityPolicy = RowLevelSecurityPolicy;
+declare const index_RowLevelSecurityPolicySchema: typeof RowLevelSecurityPolicySchema;
+declare const index_SessionPolicySchema: typeof SessionPolicySchema;
+declare const index_ShareRecipientType: typeof ShareRecipientType;
+declare const index_SharingLevel: typeof SharingLevel;
+type index_SharingRule = SharingRule;
+declare const index_SharingRuleSchema: typeof SharingRuleSchema;
+declare const index_SharingRuleType: typeof SharingRuleType;
+type index_Territory = Territory;
+type index_TerritoryModel = TerritoryModel;
+declare const index_TerritoryModelSchema: typeof TerritoryModelSchema;
+declare const index_TerritorySchema: typeof TerritorySchema;
+declare const index_TerritoryType: typeof TerritoryType;
+declare namespace index {
+  export { index_AuditPolicySchema as AuditPolicySchema, type index_CriteriaSharingRule as CriteriaSharingRule, index_CriteriaSharingRuleSchema as CriteriaSharingRuleSchema, type index_FieldPermission as FieldPermission, index_FieldPermissionSchema as FieldPermissionSchema, index_NetworkPolicySchema as NetworkPolicySchema, index_OWDModel as OWDModel, type index_ObjectPermission as ObjectPermission, index_ObjectPermissionSchema as ObjectPermissionSchema, type index_OwnerSharingRule as OwnerSharingRule, index_OwnerSharingRuleSchema as OwnerSharingRuleSchema, index_PasswordPolicySchema as PasswordPolicySchema, type index_PermissionSet as PermissionSet, index_PermissionSetSchema as PermissionSetSchema, type index_Policy as Policy, index_PolicySchema as PolicySchema, index_RLS as RLS, type index_RLSConfig as RLSConfig, index_RLSConfigSchema as RLSConfigSchema, type index_RLSEvaluationResult as RLSEvaluationResult, index_RLSEvaluationResultSchema as RLSEvaluationResultSchema, type index_RLSOperation as RLSOperation, type index_RLSUserContext as RLSUserContext, index_RLSUserContextSchema as RLSUserContextSchema, type index_RowLevelSecurityPolicy as RowLevelSecurityPolicy, index_RowLevelSecurityPolicySchema as RowLevelSecurityPolicySchema, index_SessionPolicySchema as SessionPolicySchema, index_ShareRecipientType as ShareRecipientType, index_SharingLevel as SharingLevel, type index_SharingRule as SharingRule, index_SharingRuleSchema as SharingRuleSchema, index_SharingRuleType as SharingRuleType, type index_Territory as Territory, type index_TerritoryModel as TerritoryModel, index_TerritoryModelSchema as TerritoryModelSchema, index_TerritorySchema as TerritorySchema, index_TerritoryType as TerritoryType };
+}
+
+export { SessionPolicySchema as A, AuditPolicySchema as B, CriteriaSharingRuleSchema as C, PolicySchema as D, type Policy as E, FieldPermissionSchema as F, NetworkPolicySchema as N, ObjectPermissionSchema as O, PermissionSetSchema as P, RLSOperation as R, SharingRuleType as S, TerritoryType as T, type PermissionSet as a, type ObjectPermission as b, type FieldPermission as c, OWDModel as d, SharingLevel as e, ShareRecipientType as f, OwnerSharingRuleSchema as g, SharingRuleSchema as h, index as i, type SharingRule as j, type CriteriaSharingRule as k, type OwnerSharingRule as l, TerritoryModelSchema as m, TerritorySchema as n, type Territory as o, type TerritoryModel as p, RowLevelSecurityPolicySchema as q, RLSConfigSchema as r, RLSUserContextSchema as s, RLSEvaluationResultSchema as t, type RowLevelSecurityPolicy as u, type RLSConfig as v, type RLSUserContext as w, type RLSEvaluationResult as x, RLS as y, PasswordPolicySchema as z };