@objectstack/spec 2.0.4 → 2.0.5

package/dist/security/index.d.mts

@@ -0,0 +1,2 @@
+export { B as AuditPolicySchema, k as CriteriaSharingRule, C as CriteriaSharingRuleSchema, c as FieldPermission, F as FieldPermissionSchema, N as NetworkPolicySchema, d as OWDModel, b as ObjectPermission, O as ObjectPermissionSchema, l as OwnerSharingRule, g as OwnerSharingRuleSchema, z as PasswordPolicySchema, a as PermissionSet, P as PermissionSetSchema, E as Policy, D as PolicySchema, y as RLS, v as RLSConfig, r as RLSConfigSchema, x as RLSEvaluationResult, t as RLSEvaluationResultSchema, R as RLSOperation, w as RLSUserContext, s as RLSUserContextSchema, u as RowLevelSecurityPolicy, q as RowLevelSecurityPolicySchema, A as SessionPolicySchema, f as ShareRecipientType, e as SharingLevel, j as SharingRule, h as SharingRuleSchema, S as SharingRuleType, o as Territory, p as TerritoryModel, m as TerritoryModelSchema, n as TerritorySchema, T as TerritoryType } from '../index-CDN6TRx9.mjs';
+import 'zod';

package/dist/security/index.d.ts

@@ -0,0 +1,2 @@
+export { B as AuditPolicySchema, k as CriteriaSharingRule, C as CriteriaSharingRuleSchema, c as FieldPermission, F as FieldPermissionSchema, N as NetworkPolicySchema, d as OWDModel, b as ObjectPermission, O as ObjectPermissionSchema, l as OwnerSharingRule, g as OwnerSharingRuleSchema, z as PasswordPolicySchema, a as PermissionSet, P as PermissionSetSchema, E as Policy, D as PolicySchema, y as RLS, v as RLSConfig, r as RLSConfigSchema, x as RLSEvaluationResult, t as RLSEvaluationResultSchema, R as RLSOperation, w as RLSUserContext, s as RLSUserContextSchema, u as RowLevelSecurityPolicy, q as RowLevelSecurityPolicySchema, A as SessionPolicySchema, f as ShareRecipientType, e as SharingLevel, j as SharingRule, h as SharingRuleSchema, S as SharingRuleType, o as Territory, p as TerritoryModel, m as TerritoryModelSchema, n as TerritorySchema, T as TerritoryType } from '../index-CDN6TRx9.js';
+import 'zod';

package/dist/security/index.js

@@ -0,0 +1,666 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/security/index.ts
+var security_exports = {};
+__export(security_exports, {
+  AuditPolicySchema: () => AuditPolicySchema,
+  CriteriaSharingRuleSchema: () => CriteriaSharingRuleSchema,
+  FieldPermissionSchema: () => FieldPermissionSchema,
+  NetworkPolicySchema: () => NetworkPolicySchema,
+  OWDModel: () => OWDModel,
+  ObjectPermissionSchema: () => ObjectPermissionSchema,
+  OwnerSharingRuleSchema: () => OwnerSharingRuleSchema,
+  PasswordPolicySchema: () => PasswordPolicySchema,
+  PermissionSetSchema: () => PermissionSetSchema,
+  PolicySchema: () => PolicySchema,
+  RLS: () => RLS,
+  RLSConfigSchema: () => RLSConfigSchema,
+  RLSEvaluationResultSchema: () => RLSEvaluationResultSchema,
+  RLSOperation: () => RLSOperation,
+  RLSUserContextSchema: () => RLSUserContextSchema,
+  RowLevelSecurityPolicySchema: () => RowLevelSecurityPolicySchema,
+  SessionPolicySchema: () => SessionPolicySchema,
+  ShareRecipientType: () => ShareRecipientType,
+  SharingLevel: () => SharingLevel,
+  SharingRuleSchema: () => SharingRuleSchema,
+  SharingRuleType: () => SharingRuleType,
+  TerritoryModelSchema: () => TerritoryModelSchema,
+  TerritorySchema: () => TerritorySchema,
+  TerritoryType: () => TerritoryType
+});
+module.exports = __toCommonJS(security_exports);
+
+// src/security/permission.zod.ts
+var import_zod3 = require("zod");
+
+// src/shared/identifiers.zod.ts
+var import_zod = require("zod");
+var SystemIdentifierSchema = import_zod.z.string().min(2, { message: "System identifier must be at least 2 characters" }).regex(/^[a-z][a-z0-9_.]*$/, {
+  message: 'System identifier must be lowercase, starting with a letter, and may contain letters, numbers, underscores, or dots (e.g., "user_profile" or "order.created")'
+}).describe("System identifier (lowercase with underscores or dots)");
+var SnakeCaseIdentifierSchema = import_zod.z.string().min(2, { message: "Identifier must be at least 2 characters" }).regex(/^[a-z][a-z0-9_]*$/, {
+  message: 'Identifier must be lowercase snake_case, starting with a letter, and may contain only letters, numbers, and underscores (e.g., "user_profile")'
+}).describe("Snake case identifier (lowercase with underscores only)");
+var EventNameSchema = import_zod.z.string().min(3, { message: "Event name must be at least 3 characters" }).regex(/^[a-z][a-z0-9_.]*$/, {
+  message: 'Event name must be lowercase with dots for namespacing (e.g., "user.created", "order.paid")'
+}).describe("Event name (lowercase with dot notation for namespacing)");
+
+// src/security/rls.zod.ts
+var import_zod2 = require("zod");
+var RLSOperation = import_zod2.z.enum(["select", "insert", "update", "delete", "all"]);
+var RowLevelSecurityPolicySchema = import_zod2.z.object({
+  /**
+   * Unique identifier for this policy.
+   * Must be unique within the object.
+   * Use snake_case following ObjectStack naming conventions.
+   * 
+   * @example "tenant_isolation", "owner_access", "manager_team_view"
+   */
+  name: import_zod2.z.string().regex(/^[a-z_][a-z0-9_]*$/).describe("Policy unique identifier (snake_case)"),
+  /**
+   * Human-readable label for the policy.
+   * Used in admin UI and logs.
+   * 
+   * @example "Multi-Tenant Data Isolation", "Owner-Based Access"
+   */
+  label: import_zod2.z.string().optional().describe("Human-readable policy label"),
+  /**
+   * Description explaining what this policy does and why.
+   * Helps with governance and compliance.
+   * 
+   * @example "Ensures users can only access records from their own tenant organization"
+   */
+  description: import_zod2.z.string().optional().describe("Policy description and business justification"),
+  /**
+   * Target object (table) this policy applies to.
+   * Must reference a valid ObjectStack object name.
+   * 
+   * @example "account", "opportunity", "contact", "custom_object"
+   */
+  object: import_zod2.z.string().describe("Target object name"),
+  /**
+   * Database operation(s) this policy applies to.
+   * 
+   * - **select**: Controls read access (SELECT queries)
+   * - **insert**: Controls insert access (INSERT statements)
+   * - **update**: Controls update access (UPDATE statements)
+   * - **delete**: Controls delete access (DELETE statements)
+   * - **all**: Applies to all operations
+   * 
+   * @example "select" - Most common, controls what users can view
+   * @example "all" - Apply same rule to all operations
+   */
+  operation: RLSOperation.describe("Database operation this policy applies to"),
+  /**
+   * USING clause - Filter condition for SELECT/UPDATE/DELETE.
+   * 
+   * This is a SQL-like expression evaluated for each row.
+   * Only rows where this expression returns TRUE are accessible.
+   * 
+   * **Note**: For INSERT-only policies, USING is not required (only CHECK is needed).
+   * For SELECT/UPDATE/DELETE operations, USING is required.
+   * 
+   * **Security Note**: RLS conditions are executed at the database level with
+   * parameterized queries. The implementation must use prepared statements
+   * to prevent SQL injection. Never concatenate user input directly into
+   * RLS conditions.
+   * 
+   * **SQL Dialect**: Compatible with PostgreSQL SQL syntax. Implementations
+   * may adapt to other databases (MySQL, SQL Server, etc.) but should maintain
+   * semantic equivalence.
+   * 
+   * Available context variables:
+   * - `current_user.id` - Current user's ID
+   * - `current_user.tenant_id` - Current user's tenant (maps to `tenantId` in RLSUserContext)
+   * - `current_user.role` - Current user's role
+   * - `current_user.department` - Current user's department
+   * - `current_user.*` - Any custom user field
+   * - `NOW()` - Current timestamp
+   * - `CURRENT_DATE` - Current date
+   * - `CURRENT_TIME` - Current time
+   * 
+   * **Context Variable Mapping**: The RLSUserContext schema uses camelCase (e.g., `tenantId`),
+   * but expressions use snake_case with `current_user.` prefix (e.g., `current_user.tenant_id`).
+   * Implementations must handle this mapping.
+   * 
+   * Supported operators:
+   * - Comparison: =, !=, <, >, <=, >=, <> (not equal)
+   * - Logical: AND, OR, NOT
+   * - NULL checks: IS NULL, IS NOT NULL
+   * - Set operations: IN, NOT IN
+   * - String: LIKE, NOT LIKE, ILIKE (case-insensitive)
+   * - Pattern matching: ~ (regex), !~ (not regex)
+   * - Subqueries: (SELECT ...)
+   * - Array operations: ANY, ALL
+   * 
+   * **Prohibited**: Dynamic SQL, DDL statements, DML statements (INSERT/UPDATE/DELETE)
+   * 
+   * @example "tenant_id = current_user.tenant_id"
+   * @example "owner_id = current_user.id OR created_by = current_user.id"
+   * @example "department IN (SELECT department FROM user_departments WHERE user_id = current_user.id)"
+   * @example "status = 'active' AND expiry_date > NOW()"
+   */
+  using: import_zod2.z.string().optional().describe("Filter condition for SELECT/UPDATE/DELETE (PostgreSQL SQL WHERE clause syntax with parameterized context variables). Optional for INSERT-only policies."),
+  /**
+   * CHECK clause - Validation for INSERT/UPDATE operations.
+   * 
+   * Similar to USING but applies to new/modified rows.
+   * Prevents users from creating/updating rows they wouldn't be able to see.
+   * 
+   * **Default Behavior**: If not specified, implementations should use the
+   * USING clause as the CHECK clause. This ensures data integrity by preventing
+   * users from creating records they cannot view.
+   * 
+   * Use cases:
+   * - Prevent cross-tenant data creation
+   * - Enforce mandatory field values
+   * - Validate data integrity rules
+   * - Restrict certain operations (e.g., only allow creating "draft" status)
+   * 
+   * @example "tenant_id = current_user.tenant_id"
+   * @example "status IN ('draft', 'pending')" - Only allow certain statuses
+   * @example "created_by = current_user.id" - Must be the creator
+   */
+  check: import_zod2.z.string().optional().describe("Validation condition for INSERT/UPDATE (defaults to USING clause if not specified - enforced at application level)"),
+  /**
+   * Restrict this policy to specific roles.
+   * If specified, only users with these roles will have this policy applied.
+   * If omitted, policy applies to all users (except those with bypassRLS permission).
+   * 
+   * Role names must match defined roles in the system.
+   * 
+   * @example ["sales_rep", "account_manager"]
+   * @example ["employee"] - Apply to all employees
+   * @example ["guest"] - Special restrictions for guests
+   */
+  roles: import_zod2.z.array(import_zod2.z.string()).optional().describe("Roles this policy applies to (omit for all roles)"),
+  /**
+   * Whether this policy is currently active.
+   * Disabled policies are not evaluated.
+   * Useful for temporary policy changes without deletion.
+   * 
+   * @default true
+   */
+  enabled: import_zod2.z.boolean().default(true).describe("Whether this policy is active"),
+  /**
+   * Policy priority for conflict resolution.
+   * Higher numbers = higher priority.
+   * When multiple policies apply, the most permissive wins (OR logic).
+   * Priority is only used for ordering evaluation (performance).
+   * 
+   * @default 0
+   */
+  priority: import_zod2.z.number().int().default(0).describe("Policy evaluation priority (higher = evaluated first)"),
+  /**
+   * Tags for policy categorization and reporting.
+   * Useful for governance, compliance, and auditing.
+   * 
+   * @example ["compliance", "gdpr", "pci"]
+   * @example ["multi-tenant", "security"]
+   */
+  tags: import_zod2.z.array(import_zod2.z.string()).optional().describe("Policy categorization tags")
+}).superRefine((data, ctx) => {
+  if (!data.using && !data.check) {
+    ctx.addIssue({
+      code: import_zod2.z.ZodIssueCode.custom,
+      message: 'At least one of "using" or "check" must be specified. For SELECT/UPDATE/DELETE operations, provide "using". For INSERT operations, provide "check".'
+    });
+  }
+});
+var RLSConfigSchema = import_zod2.z.object({
+  /**
+   * Global RLS enable/disable flag.
+   * When false, all RLS policies are ignored (use with caution!).
+   * 
+   * @default true
+   */
+  enabled: import_zod2.z.boolean().default(true).describe("Enable RLS enforcement globally"),
+  /**
+   * Default behavior when no policies match.
+   * 
+   * - **deny**: Deny access (secure default)
+   * - **allow**: Allow access (permissive mode, not recommended)
+   * 
+   * @default "deny"
+   */
+  defaultPolicy: import_zod2.z.enum(["deny", "allow"]).default("deny").describe("Default action when no policies match"),
+  /**
+   * Whether to allow superusers to bypass RLS.
+   * Superusers include system administrators and service accounts.
+   * 
+   * @default true
+   */
+  allowSuperuserBypass: import_zod2.z.boolean().default(true).describe("Allow superusers to bypass RLS"),
+  /**
+   * List of roles that can bypass RLS.
+   * Users with these roles see all records regardless of policies.
+   * 
+   * @example ["system_admin", "data_auditor"]
+   */
+  bypassRoles: import_zod2.z.array(import_zod2.z.string()).optional().describe("Roles that bypass RLS (see all data)"),
+  /**
+   * Whether to log RLS policy evaluations.
+   * Useful for debugging and auditing.
+   * Can impact performance if enabled globally.
+   * 
+   * @default false
+   */
+  logEvaluations: import_zod2.z.boolean().default(false).describe("Log RLS policy evaluations for debugging"),
+  /**
+   * Cache RLS policy evaluation results.
+   * Can improve performance for frequently accessed records.
+   * Cache is invalidated when policies change or user context changes.
+   * 
+   * @default true
+   */
+  cacheResults: import_zod2.z.boolean().default(true).describe("Cache RLS evaluation results"),
+  /**
+   * Cache TTL in seconds.
+   * How long to cache RLS evaluation results.
+   * 
+   * @default 300 (5 minutes)
+   */
+  cacheTtlSeconds: import_zod2.z.number().int().positive().default(300).describe("Cache TTL in seconds"),
+  /**
+   * Performance optimization: Pre-fetch user context.
+   * Load user context once per request instead of per-query.
+   * 
+   * @default true
+   */
+  prefetchUserContext: import_zod2.z.boolean().default(true).describe("Pre-fetch user context for performance")
+});
+var RLSUserContextSchema = import_zod2.z.object({
+  /**
+   * User ID
+   */
+  id: import_zod2.z.string().describe("User ID"),
+  /**
+   * User email
+   */
+  email: import_zod2.z.string().email().optional().describe("User email"),
+  /**
+   * Tenant/Organization ID
+   */
+  tenantId: import_zod2.z.string().optional().describe("Tenant/Organization ID"),
+  /**
+   * User role(s)
+   */
+  role: import_zod2.z.union([
+    import_zod2.z.string(),
+    import_zod2.z.array(import_zod2.z.string())
+  ]).optional().describe("User role(s)"),
+  /**
+   * User department
+   */
+  department: import_zod2.z.string().optional().describe("User department"),
+  /**
+   * Additional custom attributes
+   * Can include any custom user fields for RLS evaluation
+   */
+  attributes: import_zod2.z.record(import_zod2.z.string(), import_zod2.z.unknown()).optional().describe("Additional custom user attributes")
+});
+var RLSEvaluationResultSchema = import_zod2.z.object({
+  /**
+   * Policy name that was evaluated
+   */
+  policyName: import_zod2.z.string().describe("Policy name"),
+  /**
+   * Whether access was granted
+   */
+  granted: import_zod2.z.boolean().describe("Whether access was granted"),
+  /**
+   * Evaluation duration in milliseconds
+   */
+  durationMs: import_zod2.z.number().optional().describe("Evaluation duration in milliseconds"),
+  /**
+   * Error message if evaluation failed
+   */
+  error: import_zod2.z.string().optional().describe("Error message if evaluation failed"),
+  /**
+   * Evaluated USING clause result
+   */
+  usingResult: import_zod2.z.boolean().optional().describe("USING clause evaluation result"),
+  /**
+   * Evaluated CHECK clause result (for INSERT/UPDATE)
+   */
+  checkResult: import_zod2.z.boolean().optional().describe("CHECK clause evaluation result")
+});
+var RLS = {
+  /**
+   * Create a simple owner-based policy
+   */
+  ownerPolicy: (object, ownerField = "owner_id") => ({
+    name: `${object}_owner_access`,
+    label: `Owner Access for ${object}`,
+    object,
+    operation: "all",
+    using: `${ownerField} = current_user.id`,
+    enabled: true,
+    priority: 0
+  }),
+  /**
+   * Create a tenant isolation policy
+   */
+  tenantPolicy: (object, tenantField = "tenant_id") => ({
+    name: `${object}_tenant_isolation`,
+    label: `Tenant Isolation for ${object}`,
+    object,
+    operation: "all",
+    using: `${tenantField} = current_user.tenant_id`,
+    check: `${tenantField} = current_user.tenant_id`,
+    enabled: true,
+    priority: 0
+  }),
+  /**
+   * Create a role-based policy
+   */
+  rolePolicy: (object, roles, condition) => ({
+    name: `${object}_${roles.join("_")}_access`,
+    label: `${roles.join(", ")} Access for ${object}`,
+    object,
+    operation: "select",
+    using: condition,
+    roles,
+    enabled: true,
+    priority: 0
+  }),
+  /**
+   * Create a permissive policy (allow all for specific roles)
+   */
+  allowAllPolicy: (object, roles) => ({
+    name: `${object}_${roles.join("_")}_full_access`,
+    label: `Full Access for ${roles.join(", ")}`,
+    object,
+    operation: "all",
+    using: "1 = 1",
+    // Always true
+    roles,
+    enabled: true,
+    priority: 0
+  })
+};
+
+// src/security/permission.zod.ts
+var ObjectPermissionSchema = import_zod3.z.object({
+  /** C: Create */
+  allowCreate: import_zod3.z.boolean().default(false).describe("Create permission"),
+  /** R: Read (Owned records or Shared records) */
+  allowRead: import_zod3.z.boolean().default(false).describe("Read permission"),
+  /** U: Edit (Owned records or Shared records) */
+  allowEdit: import_zod3.z.boolean().default(false).describe("Edit permission"),
+  /** D: Delete (Owned records or Shared records) */
+  allowDelete: import_zod3.z.boolean().default(false).describe("Delete permission"),
+  /** Lifecycle Operations */
+  allowTransfer: import_zod3.z.boolean().default(false).describe("Change record ownership"),
+  allowRestore: import_zod3.z.boolean().default(false).describe("Restore from trash (Undelete)"),
+  allowPurge: import_zod3.z.boolean().default(false).describe("Permanently delete (Hard Delete/GDPR)"),
+  /** 
+   * View All Records: Super-user read access. 
+   * Bypasses Sharing Rules and Ownership checks.
+   * Equivalent to Microsoft Dataverse "Organization" level read access.
+   */
+  viewAllRecords: import_zod3.z.boolean().default(false).describe("View All Data (Bypass Sharing)"),
+  /** 
+   * Modify All Records: Super-user write access. 
+   * Bypasses Sharing Rules and Ownership checks.
+   * Equivalent to Microsoft Dataverse "Organization" level write access.
+   */
+  modifyAllRecords: import_zod3.z.boolean().default(false).describe("Modify All Data (Bypass Sharing)")
+});
+var FieldPermissionSchema = import_zod3.z.object({
+  /** Can see this field */
+  readable: import_zod3.z.boolean().default(true).describe("Field read access"),
+  /** Can edit this field */
+  editable: import_zod3.z.boolean().default(false).describe("Field edit access")
+});
+var PermissionSetSchema = import_zod3.z.object({
+  /** Unique permission set name */
+  name: SnakeCaseIdentifierSchema.describe("Permission set unique name (lowercase snake_case)"),
+  /** Display label */
+  label: import_zod3.z.string().optional().describe("Display label"),
+  /** Is this a Profile? (Base set for a user) */
+  isProfile: import_zod3.z.boolean().default(false).describe("Whether this is a user profile"),
+  /** Object Permissions Map: <entity_name> -> permissions */
+  objects: import_zod3.z.record(import_zod3.z.string(), ObjectPermissionSchema).describe("Entity permissions"),
+  /** Field Permissions Map: <entity_name>.<field_name> -> permissions */
+  fields: import_zod3.z.record(import_zod3.z.string(), FieldPermissionSchema).optional().describe("Field level security"),
+  /** System permissions (e.g., "manage_users") */
+  systemPermissions: import_zod3.z.array(import_zod3.z.string()).optional().describe("System level capabilities"),
+  /** 
+   * Row-Level Security Rules
+   * 
+   * Row-level security policies that filter records based on user context.
+   * These rules are applied in addition to object-level permissions.
+   * 
+   * Uses the canonical RLS protocol from rls.zod.ts for comprehensive
+   * row-level security features including PostgreSQL-style USING and CHECK clauses.
+   * 
+   * @see {@link RowLevelSecurityPolicySchema} for full RLS specification
+   * @see {@link file://./rls.zod.ts} for comprehensive RLS documentation
+   * 
+   * @example Multi-tenant isolation
+   * ```typescript
+   * rls: [{
+   *   name: 'tenant_filter',
+   *   object: 'account',
+   *   operation: 'select',
+   *   using: 'tenant_id = current_user.tenant_id'
+   * }]
+   * ```
+   */
+  rowLevelSecurity: import_zod3.z.array(RowLevelSecurityPolicySchema).optional().describe("Row-level security policies (see rls.zod.ts for full spec)"),
+  /**
+   * Context-Based Access Control Variables
+   * 
+   * Custom context variables that can be referenced in RLS rules.
+   * These variables are evaluated at runtime based on the user's session.
+   * 
+   * Common context variables:
+   * - `current_user.id` - Current user ID
+   * - `current_user.tenant_id` - User's tenant/organization ID
+   * - `current_user.department` - User's department
+   * - `current_user.role` - User's role
+   * - `current_user.region` - User's geographic region
+   * 
+   * @example Custom context
+   * ```typescript
+   * contextVariables: {
+   *   allowed_regions: ['US', 'EU'],
+   *   access_level: 2,
+   *   custom_attribute: 'value'
+   * }
+   * ```
+   */
+  contextVariables: import_zod3.z.record(import_zod3.z.string(), import_zod3.z.unknown()).optional().describe("Context variables for RLS evaluation")
+});
+
+// src/security/sharing.zod.ts
+var import_zod4 = require("zod");
+var OWDModel = import_zod4.z.enum([
+  "private",
+  // Only owner can see
+  "public_read",
+  // Everyone can see, owner can edit
+  "public_read_write",
+  // Everyone can see and edit
+  "controlled_by_parent"
+  // Access derived from parent record (Master-Detail)
+]);
+var SharingRuleType = import_zod4.z.enum([
+  "owner",
+  // Based on record ownership (Role Hierarchy)
+  "criteria"
+  // Based on field values (e.g. Status = 'Open')
+]);
+var SharingLevel = import_zod4.z.enum([
+  "read",
+  // Read Only
+  "edit",
+  // Read / Write
+  "full"
+  // Full Access (Transfer, Share, Delete)
+]);
+var ShareRecipientType = import_zod4.z.enum([
+  "user",
+  "group",
+  "role",
+  "role_and_subordinates",
+  "guest"
+  // for public sharing
+]);
+var BaseSharingRuleSchema = import_zod4.z.object({
+  // Identification
+  name: import_zod4.z.string().regex(/^[a-z_][a-z0-9_]*$/).describe("Unique rule name (snake_case)"),
+  label: import_zod4.z.string().optional().describe("Human-readable label"),
+  description: import_zod4.z.string().optional().describe("Administrative notes"),
+  // Scope
+  object: import_zod4.z.string().describe("Target Object Name"),
+  active: import_zod4.z.boolean().default(true),
+  // Access
+  accessLevel: SharingLevel.default("read"),
+  // Recipient (Whom to share with)
+  sharedWith: import_zod4.z.object({
+    type: ShareRecipientType,
+    value: import_zod4.z.string().describe("ID or Code of the User/Group/Role")
+  }).describe("The recipient of the shared access")
+});
+var CriteriaSharingRuleSchema = BaseSharingRuleSchema.extend({
+  type: import_zod4.z.literal("criteria"),
+  condition: import_zod4.z.string().describe(`Formula condition (e.g. "department = 'Sales'")`)
+});
+var OwnerSharingRuleSchema = BaseSharingRuleSchema.extend({
+  type: import_zod4.z.literal("owner"),
+  ownedBy: import_zod4.z.object({
+    type: ShareRecipientType,
+    value: import_zod4.z.string()
+  }).describe("Source group/role whose records are being shared")
+});
+var SharingRuleSchema = import_zod4.z.discriminatedUnion("type", [
+  CriteriaSharingRuleSchema,
+  OwnerSharingRuleSchema
+]);
+
+// src/security/territory.zod.ts
+var import_zod5 = require("zod");
+var TerritoryType = import_zod5.z.enum([
+  "geography",
+  // Region/Country/City
+  "industry",
+  // Vertical
+  "named_account",
+  // Key Accounts
+  "product_line"
+  // Product Specialty
+]);
+var TerritoryModelSchema = import_zod5.z.object({
+  name: import_zod5.z.string().describe("Model Name (e.g. FY24 Planning)"),
+  state: import_zod5.z.enum(["planning", "active", "archived"]).default("planning"),
+  startDate: import_zod5.z.string().optional(),
+  endDate: import_zod5.z.string().optional()
+});
+var TerritorySchema = import_zod5.z.object({
+  /** Identity */
+  name: SnakeCaseIdentifierSchema.describe("Territory unique name (lowercase snake_case)"),
+  label: import_zod5.z.string().describe('Territory Label (e.g. "West Coast")'),
+  /** Structure */
+  modelId: import_zod5.z.string().describe("Belongs to which Territory Model"),
+  parent: import_zod5.z.string().optional().describe("Parent Territory"),
+  type: TerritoryType.default("geography"),
+  /** 
+   * Assignment Rules (The "Magic")
+   * How do accounts automatically fall into this territory?
+   * e.g. "BillingCountry = 'US' AND BillingState = 'CA'"
+   */
+  assignmentRule: import_zod5.z.string().optional().describe("Criteria based assignment rule"),
+  /**
+   * User Assignment
+   * Users assigned to work this territory.
+   */
+  assignedUsers: import_zod5.z.array(import_zod5.z.string()).optional(),
+  /** Access Level */
+  accountAccess: import_zod5.z.enum(["read", "edit"]).default("read"),
+  opportunityAccess: import_zod5.z.enum(["read", "edit"]).default("read"),
+  caseAccess: import_zod5.z.enum(["read", "edit"]).default("read")
+});
+
+// src/security/policy.zod.ts
+var import_zod6 = require("zod");
+var PasswordPolicySchema = import_zod6.z.object({
+  minLength: import_zod6.z.number().default(8),
+  requireUppercase: import_zod6.z.boolean().default(true),
+  requireLowercase: import_zod6.z.boolean().default(true),
+  requireNumbers: import_zod6.z.boolean().default(true),
+  requireSymbols: import_zod6.z.boolean().default(false),
+  expirationDays: import_zod6.z.number().optional().describe("Force password change every X days"),
+  historyCount: import_zod6.z.number().default(3).describe("Prevent reusing last X passwords")
+});
+var NetworkPolicySchema = import_zod6.z.object({
+  trustedRanges: import_zod6.z.array(import_zod6.z.string()).describe("CIDR ranges allowed to access (e.g. 10.0.0.0/8)"),
+  blockUnknown: import_zod6.z.boolean().default(false).describe("Block all IPs not in trusted ranges"),
+  vpnRequired: import_zod6.z.boolean().default(false)
+});
+var SessionPolicySchema = import_zod6.z.object({
+  idleTimeout: import_zod6.z.number().default(30).describe("Minutes before idle session logout"),
+  absoluteTimeout: import_zod6.z.number().default(480).describe("Max session duration (minutes)"),
+  forceMfa: import_zod6.z.boolean().default(false).describe("Require 2FA for all users")
+});
+var AuditPolicySchema = import_zod6.z.object({
+  logRetentionDays: import_zod6.z.number().default(180),
+  sensitiveFields: import_zod6.z.array(import_zod6.z.string()).describe("Fields to redact in logs (e.g. password, ssn)"),
+  captureRead: import_zod6.z.boolean().default(false).describe("Log read access (High volume!)")
+});
+var PolicySchema = import_zod6.z.object({
+  name: import_zod6.z.string().regex(/^[a-z_][a-z0-9_]*$/).describe("Policy Name"),
+  password: PasswordPolicySchema.optional(),
+  network: NetworkPolicySchema.optional(),
+  session: SessionPolicySchema.optional(),
+  audit: AuditPolicySchema.optional(),
+  /** Assignment */
+  isDefault: import_zod6.z.boolean().default(false).describe("Apply to all users by default"),
+  assignedProfiles: import_zod6.z.array(import_zod6.z.string()).optional().describe("Apply to specific profiles")
+});
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuditPolicySchema,
+  CriteriaSharingRuleSchema,
+  FieldPermissionSchema,
+  NetworkPolicySchema,
+  OWDModel,
+  ObjectPermissionSchema,
+  OwnerSharingRuleSchema,
+  PasswordPolicySchema,
+  PermissionSetSchema,
+  PolicySchema,
+  RLS,
+  RLSConfigSchema,
+  RLSEvaluationResultSchema,
+  RLSOperation,
+  RLSUserContextSchema,
+  RowLevelSecurityPolicySchema,
+  SessionPolicySchema,
+  ShareRecipientType,
+  SharingLevel,
+  SharingRuleSchema,
+  SharingRuleType,
+  TerritoryModelSchema,
+  TerritorySchema,
+  TerritoryType
+});
+//# sourceMappingURL=index.js.map