@omnifyjp/ts 1.1.4 → 1.1.6

package/dist/cli.js

@@ -52,6 +52,7 @@ function resolveFromConfig(configPath) {
         resource: laravelConfig?.resource,
         factory: laravelConfig?.factory,
         provider: laravelConfig?.provider,
+        policy: laravelConfig?.policy,
     } : undefined;
     return {
         input: resolve(configDir, schemasPath),

package/dist/php/index.js

@@ -21,6 +21,7 @@ import { generateResources } from './resource-generator.js';
 import { generateFactories } from './factory-generator.js';
 import { generateServiceProvider } from './service-provider-generator.js';
 import { generateTranslationModels } from './translation-model-generator.js';
+import { generatePolicies } from './policy-generator.js';
 export { derivePhpConfig } from './types.js';
 /** Generate all PHP files from schemas.json data. */
 export function generatePhp(data, overrides) {
@@ -38,5 +39,6 @@ export function generatePhp(data, overrides) {
     files.push(...generateRequests(reader, config));
     files.push(...generateResources(reader, config));
     files.push(...generateFactories(reader, config));
+    files.push(...generatePolicies(reader, config));
     return files;
 }

package/dist/php/policy-generator.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Laravel Policy class generator.
+ *
+ * Generates Policy classes from Cedar-style ABAC policy definitions.
+ * Only generates for schemas that have `policies` defined.
+ */
+import { SchemaReader } from './schema-reader.js';
+import type { GeneratedFile, PhpConfig } from './types.js';
+import type { SchemaDefinition, SingleCondition } from '../types.js';
+/** Generate Laravel Policy classes for all schemas that have policies. */
+export declare function generatePolicies(reader: SchemaReader, config: PhpConfig): GeneratedFile[];
+/** Convert a single condition to a PHP expression. */
+export declare function conditionToPhp(cond: SingleCondition, schema: SchemaDefinition, reader: SchemaReader): string;

package/dist/php/policy-generator.js

@@ -0,0 +1,406 @@
+/**
+ * Laravel Policy class generator.
+ *
+ * Generates Policy classes from Cedar-style ABAC policy definitions.
+ * Only generates for schemas that have `policies` defined.
+ */
+import { toPascalCase, toSnakeCase, toCamelCase } from './naming-helper.js';
+import { baseFile, userFile } from './types.js';
+// ============================================================================
+// Action mapping: Omnify → Laravel
+// ============================================================================
+/** Maps omnify action names to Laravel policy method names. */
+const ACTION_METHOD_MAP = {
+    view: 'view',
+    list: 'viewAny',
+    create: 'create',
+    edit: 'update',
+    delete: 'delete',
+};
+/** All standard actions (used for wildcard expansion). */
+const ALL_ACTIONS = ['view', 'list', 'create', 'edit', 'delete'];
+/** Actions that receive both $user and $record parameters. */
+const RECORD_ACTIONS = new Set(['view', 'edit', 'delete']);
+// ============================================================================
+// Public API
+// ============================================================================
+/** Generate Laravel Policy classes for all schemas that have policies. */
+export function generatePolicies(reader, config) {
+    const files = [];
+    for (const [name, schema] of Object.entries(reader.getProjectVisibleObjectSchemas())) {
+        if (!schema.policies || schema.policies.length === 0)
+            continue;
+        files.push(...generateForSchema(name, schema, reader, config));
+    }
+    return files;
+}
+// ============================================================================
+// Per-schema generation
+// ============================================================================
+function generateForSchema(name, schema, reader, config) {
+    return [
+        generateBasePolicyClass(name, schema, reader, config),
+        generateUserPolicyClass(name, config),
+    ];
+}
+function generateBasePolicyClass(name, schema, reader, config) {
+    const modelName = toPascalCase(name);
+    const baseNamespace = config.policies.baseNamespace;
+    const modelNamespace = config.models.namespace;
+    const policies = schema.policies;
+    const hasSoftDelete = schema.options?.softDelete ?? false;
+    const needsCidrHelper = policiesUseCidr(policies);
+    // Collect all actions that have policies
+    const expandedPolicies = expandWildcards(policies);
+    // Build methods
+    const methods = [];
+    for (const action of ALL_ACTIONS) {
+        const methodName = ACTION_METHOD_MAP[action];
+        const hasRecord = RECORD_ACTIONS.has(action);
+        const body = generateMethodBody(action, expandedPolicies, schema, reader, hasRecord);
+        methods.push(buildMethod(methodName, modelName, hasRecord, body));
+    }
+    // SoftDelete: restore + forceDelete
+    if (hasSoftDelete) {
+        const restoreBody = generateMethodBody('delete', expandedPolicies, schema, reader);
+        methods.push(buildMethod('restore', modelName, true, restoreBody));
+        const forceDeleteBody = generateMethodBody('delete', expandedPolicies, schema, reader);
+        methods.push(buildMethod('forceDelete', modelName, true, forceDeleteBody));
+    }
+    const cidrHelper = needsCidrHelper ? buildCidrHelper() : '';
+    const content = `<?php
+
+namespace ${baseNamespace};
+
+/**
+ * DO NOT EDIT - This file is auto-generated by Omnify.
+ * Any changes will be overwritten on next generation.
+ *
+ * @generated by omnify
+ */
+
+use ${modelNamespace}\\${modelName};
+use App\\Models\\User;
+use Illuminate\\Auth\\Access\\HandlesAuthorization;
+
+class ${modelName}PolicyBase
+{
+    use HandlesAuthorization;
+${methods.join('\n')}${cidrHelper}
+}
+`;
+    return baseFile(`${config.policies.basePath}/${modelName}PolicyBase.php`, content);
+}
+function generateUserPolicyClass(name, config) {
+    const modelName = toPascalCase(name);
+    const policyNamespace = config.policies.namespace;
+    const baseNamespace = config.policies.baseNamespace;
+    const content = `<?php
+
+namespace ${policyNamespace};
+
+use ${baseNamespace}\\${modelName}PolicyBase;
+
+/**
+ * ${modelName} Policy
+ *
+ * This file is generated once and can be customized.
+ * Add your custom authorization logic here.
+ */
+class ${modelName}Policy extends ${modelName}PolicyBase
+{
+    // Add your custom policy methods here
+}
+`;
+    return userFile(`${config.policies.path}/${modelName}Policy.php`, content);
+}
+// ============================================================================
+// Method body generation
+// ============================================================================
+/**
+ * Generate the body of a policy method.
+ * Cedar evaluation order: forbid first → permit → default deny.
+ *
+ * When hasRecord is false (e.g. viewAny, create), conditions referencing
+ * $record properties are dropped. A conditional policy whose condition is
+ * entirely record-dependent becomes unconditional.
+ */
+function generateMethodBody(action, policies, schema, reader, hasRecord = true) {
+    const relevantPolicies = policies.filter(p => p.actions.includes(action));
+    if (relevantPolicies.length === 0) {
+        return '        return false;';
+    }
+    const lines = [];
+    // 1. Forbid rules first
+    const forbids = relevantPolicies.filter(p => p.effect === 'forbid');
+    for (const policy of forbids) {
+        if (policy.when) {
+            if (!hasRecord && whenUsesRecord(policy.when)) {
+                // Skip record-dependent conditions for collection methods
+                continue;
+            }
+            const condition = whenToPhp(policy.when, schema, reader);
+            lines.push(`        // ${policy.desc ?? 'Forbid rule'}`);
+            lines.push(`        if (${condition}) {`);
+            lines.push(`            return false;`);
+            lines.push(`        }`);
+            lines.push('');
+        }
+        else {
+            // Unconditional forbid
+            lines.push(`        // ${policy.desc ?? 'Forbid rule'}`);
+            lines.push(`        return false;`);
+            return lines.join('\n');
+        }
+    }
+    // 2. Permit rules
+    const permits = relevantPolicies.filter(p => p.effect === 'permit');
+    for (const policy of permits) {
+        if (policy.when) {
+            if (!hasRecord && whenUsesRecord(policy.when)) {
+                // Skip record-dependent conditions for collection methods
+                continue;
+            }
+            const condition = whenToPhp(policy.when, schema, reader);
+            lines.push(`        // ${policy.desc ?? 'Permit rule'}`);
+            lines.push(`        if (${condition}) {`);
+            lines.push(`            return true;`);
+            lines.push(`        }`);
+            lines.push('');
+        }
+        else {
+            // Unconditional permit
+            lines.push(`        // ${policy.desc ?? 'Permit rule'}`);
+            lines.push(`        return true;`);
+            return lines.join('\n');
+        }
+    }
+    // 3. Default deny
+    lines.push(`        return false;`);
+    return lines.join('\n');
+}
+// ============================================================================
+// Method builder
+// ============================================================================
+function buildMethod(methodName, modelName, hasRecord, body) {
+    const recordParam = hasRecord ? `, ${modelName} $record` : '';
+    const returnType = 'bool';
+    return `
+    /**
+     * Determine whether the user can ${methodName}.
+     */
+    public function ${methodName}(User $user${recordParam}): ${returnType}
+    {
+${body}
+    }`;
+}
+// ============================================================================
+// Condition → PHP translation
+// ============================================================================
+/** Convert a PolicyWhen (single or AND group) to a PHP expression. */
+function whenToPhp(when, schema, reader) {
+    if (isAndCondition(when)) {
+        const parts = when.conditions.map(c => conditionToPhp(c, schema, reader));
+        return parts.map(p => `(${p})`).join(' && ');
+    }
+    return conditionToPhp(when, schema, reader);
+}
+/** Type guard for AND condition groups. */
+function isAndCondition(when) {
+    return when.operator === 'and' && Array.isArray(when.conditions);
+}
+/** Convert a single condition to a PHP expression. */
+export function conditionToPhp(cond, schema, reader) {
+    const { operator, left, right } = cond;
+    // Handle "in" / "not in" operators
+    if (operator === 'in' || operator === 'not in') {
+        return handleInOperator(operator, left, right, schema, reader);
+    }
+    // Standard comparison operators
+    const phpOp = mapOperator(operator);
+    const leftExpr = operandToPhp(left, schema, reader, 'left');
+    const rightExpr = operandToPhp(right, schema, reader, 'right');
+    return `${leftExpr} ${phpOp} ${rightExpr}`;
+}
+/** Map Cedar operator to PHP operator. */
+function mapOperator(op) {
+    switch (op) {
+        case '=': return '===';
+        case '!=': return '!==';
+        case '>': return '>';
+        case '<': return '<';
+        case '>=': return '>=';
+        case '<=': return '<=';
+        default: return op;
+    }
+}
+/** Convert a condition operand to a PHP expression. */
+function operandToPhp(operand, schema, reader, side) {
+    switch (operand.type) {
+        case 'property': {
+            const propName = operand.name;
+            // Check if it's an association (ManyToOne) → use _id
+            const prop = schema.properties?.[propName];
+            if (prop?.relation === 'ManyToOne') {
+                return `$record->${toSnakeCase(propName)}_id`;
+            }
+            return `$record->${toSnakeCase(propName)}`;
+        }
+        case 'variable': {
+            const varName = operand.name;
+            if (varName === '$user') {
+                return '$user->id';
+            }
+            if (varName === '$now') {
+                return 'now()';
+            }
+            if (varName === '$ip') {
+                return "request()->ip()";
+            }
+            // $user.attribute
+            if (varName.startsWith('$user.')) {
+                const attr = varName.slice('$user.'.length);
+                return `$user->${toSnakeCase(attr)}`;
+            }
+            return varName;
+        }
+        case 'literal': {
+            const val = operand.value;
+            if (typeof val === 'string') {
+                return `'${val}'`;
+            }
+            if (typeof val === 'number') {
+                return String(val);
+            }
+            if (typeof val === 'boolean') {
+                return val ? 'true' : 'false';
+            }
+            return String(val);
+        }
+        case 'set': {
+            const items = operand.items ?? [];
+            const phpItems = items.map(i => `'${i}'`).join(', ');
+            return `[${phpItems}]`;
+        }
+        case 'cidr': {
+            return `'${operand.name}'`;
+        }
+        case 'path': {
+            // Through-association: e.g. "org.members"
+            const pathName = operand.name;
+            const parts = pathName.split('.');
+            // $record->org->members()
+            const chain = parts.slice(0, -1).map(p => toSnakeCase(p)).join('->');
+            const lastRel = toCamelCase(parts[parts.length - 1]);
+            return `$record->${chain}->${lastRel}()`;
+        }
+        default:
+            return `/* unknown operand type: ${operand.type} */`;
+    }
+}
+/** Handle "in" and "not in" operators with various operand types. */
+function handleInOperator(operator, left, right, schema, reader) {
+    const isNotIn = operator === 'not in';
+    // $user in members (ManyToMany)
+    if (left.type === 'variable' && left.name === '$user' && right.type === 'property') {
+        const relName = toCamelCase(right.name);
+        const expr = `$record->${relName}()->where('users.id', $user->id)->exists()`;
+        return isNotIn ? `!${expr}` : expr;
+    }
+    // $user in org.members (through-association)
+    if (left.type === 'variable' && left.name === '$user' && right.type === 'path') {
+        const pathName = right.name;
+        const parts = pathName.split('.');
+        const chain = parts.slice(0, -1).map(p => toCamelCase(p)).join('->');
+        const lastRel = toCamelCase(parts[parts.length - 1]);
+        const expr = `$record->${chain}->${lastRel}()->where('users.id', $user->id)->exists()`;
+        return isNotIn ? `!${expr}` : expr;
+    }
+    // $ip in cidr(...)
+    if (left.type === 'variable' && left.name === '$ip' && right.type === 'cidr') {
+        const expr = `$this->ipInCidr(request()->ip(), '${right.name}')`;
+        return isNotIn ? `!${expr}` : expr;
+    }
+    // property in set / property not in set
+    if (left.type === 'property' && right.type === 'set') {
+        const propExpr = operandToPhp(left, schema, reader, 'left');
+        const items = right.items ?? [];
+        const phpItems = items.map(i => `'${i}'`).join(', ');
+        if (isNotIn) {
+            return `!in_array(${propExpr}, [${phpItems}])`;
+        }
+        return `in_array(${propExpr}, [${phpItems}])`;
+    }
+    // Fallback: generic in
+    const leftExpr = operandToPhp(left, schema, reader, 'left');
+    const rightExpr = operandToPhp(right, schema, reader, 'right');
+    if (isNotIn) {
+        return `!in_array(${leftExpr}, ${rightExpr})`;
+    }
+    return `in_array(${leftExpr}, ${rightExpr})`;
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+/** Check if a when clause uses $record (property or path operands). */
+function whenUsesRecord(when) {
+    if (isAndCondition(when)) {
+        return when.conditions.some(conditionUsesRecord);
+    }
+    return conditionUsesRecord(when);
+}
+/** Check if a single condition references $record. */
+function conditionUsesRecord(cond) {
+    return operandUsesRecord(cond.left) || operandUsesRecord(cond.right);
+}
+/** Check if an operand references $record (property or path type). */
+function operandUsesRecord(operand) {
+    return operand.type === 'property' || operand.type === 'path';
+}
+/** Expand wildcard (*) actions in policies. */
+function expandWildcards(policies) {
+    return policies.map(p => {
+        if (p.actions.includes('*')) {
+            return { ...p, actions: ALL_ACTIONS };
+        }
+        return p;
+    });
+}
+/** Check if any policy uses CIDR conditions. */
+function policiesUseCidr(policies) {
+    for (const p of policies) {
+        if (!p.when)
+            continue;
+        if (isAndCondition(p.when)) {
+            if (p.when.conditions.some(c => c.left.type === 'cidr' || c.right.type === 'cidr'))
+                return true;
+        }
+        else {
+            const cond = p.when;
+            if (cond.left.type === 'cidr' || cond.right.type === 'cidr')
+                return true;
+        }
+    }
+    return false;
+}
+/** Build the ipInCidr helper method. */
+function buildCidrHelper() {
+    return `
+
+    /**
+     * Check if an IP address is within a CIDR range.
+     */
+    protected function ipInCidr(?string $ip, string $cidr): bool
+    {
+        if ($ip === null) {
+            return false;
+        }
+
+        [$subnet, $bits] = explode('/', $cidr);
+        $subnet = ip2long($subnet);
+        $ip = ip2long($ip);
+        $mask = -1 << (32 - (int) $bits);
+
+        return ($ip & $mask) === ($subnet & $mask);
+    }`;
+}

package/dist/php/types.d.ts

@@ -24,6 +24,7 @@ export interface LaravelCodegenOverrides {
     resource?: LaravelPathOverride;
     factory?: LaravelPathOverride;
     provider?: LaravelPathOverride;
+    policy?: LaravelPathOverride;
 }
 /** PHP codegen configuration (resolved with defaults). */
 export interface PhpConfig {
@@ -53,6 +54,12 @@ export interface PhpConfig {
         namespace: string;
         path: string;
     };
+    policies: {
+        namespace: string;
+        baseNamespace: string;
+        path: string;
+        basePath: string;
+    };
 }
 /**
  * Derive full PHP config from optional overrides.

package/dist/php/types.js

@@ -22,6 +22,7 @@ const DEFAULT_REQUEST_PATH = 'app/Http/Requests';
 const DEFAULT_RESOURCE_PATH = 'app/Http/Resources';
 const DEFAULT_FACTORY_PATH = 'database/factories';
 const DEFAULT_PROVIDER_PATH = 'app/Providers';
+const DEFAULT_POLICY_PATH = 'app/Policies/Omnify';
 /**
  * Derive full PHP config from optional overrides.
  * All paths and namespaces fall back to sensible defaults.
@@ -37,6 +38,8 @@ export function derivePhpConfig(overrides) {
     const factoryNs = overrides?.factory?.namespace ?? pathToNamespace(factoryPath);
     const providerPath = overrides?.provider?.path ?? DEFAULT_PROVIDER_PATH;
     const providerNs = overrides?.provider?.namespace ?? pathToNamespace(providerPath);
+    const policyPath = overrides?.policy?.path ?? DEFAULT_POLICY_PATH;
+    const policyNs = overrides?.policy?.namespace ?? pathToNamespace(policyPath);
     return {
         models: {
             namespace: modelNs,
@@ -64,5 +67,11 @@ export function derivePhpConfig(overrides) {
             namespace: providerNs,
             path: providerPath,
         },
+        policies: {
+            namespace: policyNs,
+            baseNamespace: `${policyNs}\\Base`,
+            path: policyPath,
+            basePath: `${policyPath}/Base`,
+        },
     };
 }

package/dist/types.d.ts

@@ -106,6 +106,36 @@ export interface SchemaDefinition {
     readonly expandedProperties?: Record<string, ExpandedProperty>;
     readonly values?: readonly EnumValueDefinition[];
     readonly pivotFor?: readonly string[];
+    readonly policies?: readonly PolicyDefinition[];
+}
+/** Operand type in a policy condition. */
+export type OperandType = 'property' | 'variable' | 'literal' | 'cidr' | 'set' | 'path';
+/** One side of a condition expression. */
+export interface ConditionOperand {
+    readonly type: OperandType;
+    readonly name?: string;
+    readonly value?: string | number | boolean;
+    readonly items?: readonly string[];
+}
+/** A parsed binary condition expression. */
+export interface SingleCondition {
+    readonly operator: string;
+    readonly left: ConditionOperand;
+    readonly right: ConditionOperand;
+}
+/** AND group of conditions. */
+export interface PolicyConditionAnd {
+    readonly operator: 'and';
+    readonly conditions: readonly SingleCondition[];
+}
+/** Policy when clause — either a single condition or AND group. */
+export type PolicyWhen = SingleCondition | PolicyConditionAnd;
+/** A single policy rule (permit or forbid). */
+export interface PolicyDefinition {
+    readonly effect: 'permit' | 'forbid';
+    readonly actions: readonly string[];
+    readonly when?: PolicyWhen;
+    readonly desc?: string;
 }
 /** Application-level validation rules. Single source of truth for both Laravel validation and Zod schemas. */
 export interface ValidationRules {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@omnifyjp/ts",
-  "version": "1.1.4",
+  "version": "1.1.6",
   "description": "TypeScript model type generator from Omnify schemas.json",
   "type": "module",
   "main": "dist/index.js",