@open-rlb/nestjs-amqp 2.0.7 → 2.0.9

package/schematics/nest-add/files/skills/rlb-amqp/references/gotchas.md

@@ -76,29 +76,54 @@ Ported from `docs/gotchas.md` (re-verified against post-2.0.5 code).
     NOT a metrics dump. Use `/admin/metrics*` (`gw-metrics-*`) for metrics.
 
 ## Auth / ACL
-21. **`roles` require `auth` on the same path/event.** No `auth` → no identity → fails closed
-    (every request `403`, logged at boot). Always pair `roles: [...]` with `auth: <provider>`.
-22. **`roles` require an `IAclRoleService`** registered via `RLB_GTW_ACL_ROLE_SERVICE` in
+21. **`actions` require `auth` on the same path/event.** No `auth` → no identity → fails closed
+    (every request `403`, logged at boot). Always pair `actions: [...]` with `auth: <provider>`.
+22. **`actions` require an `IAclRoleService`** registered via `RLB_GTW_ACL_ROLE_SERVICE` in
     `ProxyModule.forRootAsync({ providers: [...] })`. Missing → deny (403). The gateway check is
-    **role-based, OR, resource-agnostic** (`canUserDoGtw(roles, userId)`): `roles` lists ROLE NAMES,
-    the user passes holding AT LEAST ONE. The provider only needs `uidClaim` (+ `headerPrefix`).
-23. **Two ACL check actions on `rlb-acl`** (both cached, both HTTP GET → `200` true/false):
-    `acl-can-user-do-gtw` → `canUserDoGtw(roles, userId)` (gateway filter, OR, resource-agnostic,
-    `GET /acl/check`) and `acl-can-user-do` → `canUserDo(roles, userId, resource)` (**ms-side**;
-    a global grant OR a grant on that resource passes, `GET /acl/check-resource`).
+    **action-based, OR, resource-SCOPED** (`checkAction(userId, ctx, actions)`): `actions` lists
+    ACTION NAMES, the caller is authorized if it holds AT LEAST ONE on the request's
+    `(companyId, resourceId)`. The provider only needs `uidClaim` (+ `headerPrefix`).
+23. **One ACL check action on `rlb-acl`: `acl-check-action`** (cached, HTTP GET → `200` true/false).
+    `checkAction(userId, ctx, action)`, `ctx = { companyId?, resourceId? }`,
+    `action = string | string[]` (OR). It resolves action→roles-that-include-it, then matches the
+    user's grants. A grant authorizes **iff** `grant.companyId === req.companyId &&
+    grant.resourceId === req.resourceId` (undefined/null/`''` = absent). The ONLY carve-out: both
+    ids absent on request AND grant. **No wildcard** — a `null` `resourceId` does NOT match
+    everything; `companyId` is load-bearing. Replaces the old `acl-can-user-do` /
+    `acl-can-user-do-gtw` and the merged `GET /acl/check` + `/acl/check-resource`.
+23a. **Gateway gating is ACTION-based, not role-based.** `gateway.paths[].actions` /
+    `events[].actions` name ACTIONS (was `roles`). The gateway resolves `userId` from the auth
+    provider, extracts `(companyId, resourceId)` from the request, and authorizes if the caller
+    holds one of `actions` on that pair. It reads the canonical `companyId`/`resourceId` from the
+    request (precedence params→query→body) and matches them exactly. WS events gate by `actions`
+    **resource-agnostically**.
+23b. **`@BrokerAuth`'s 3rd param is now `actions` (was `roles`).** Signature:
+    `@BrokerAuth(authName, allowAnonymous?, actions?, httpName?)`. Pass action names there for an
+    auto-discovered route's action gate.
 24. **Actions, roles & auth-providers are NAME-KEYED. PUT upserts; there is NO POST.** The `name`
     IS the key (no id). `PUT` creates-or-updates, `GET` lists, `GET .../get?name=` reads one,
     `DELETE` removes by `name`. The old id-based ACL CRUD and `POST`-create endpoints are GONE.
     (Gateway-admin **paths** are the exception — they keep id-keyed CRUD and a POST create.)
 25. **`acl-grant` / `acl-revoke` both REQUIRE `userId` + `roles`** (optional `resourceId` +
-    `companyId`). `grant` MERGES roles into the single `(userId, resourceId)` record (idempotent).
-    `revoke` REMOVES exactly those roles and **deletes the record once it has no roles left**.
-    `revoke` without `roles` throws `400 roles are required` — to wipe a grant, revoke all its roles.
-26. **`companyId` is grouping metadata only.** It replaced `resourceBusinessId` and plays NO part
-    in authorization — it only groups resources in `acl-list-resources-by-user`. Targeting is by
-    `(userId, resourceId)` only. Both grant/revoke validate every role exists (unknown → `400`).
-27. **Removed actions:** `acl-list-by-user` and `acl-verify-access` no longer exist. Use
-    `acl-can-user-do` for resource-scoped checks and `acl-list-resources-by-user` to list resources.
+    `companyId`). The grant record is keyed by `(userId, companyId, resourceId)`. `grant` MERGES
+    roles into that triple (idempotent). `revoke` REMOVES exactly those roles and **deletes the
+    record once it has no roles left**. `revoke` without `roles` throws `400 roles are required` —
+    to wipe a grant, revoke all its roles. **Grants assign ROLES (keep the `roles` param); roles
+    contain actions.** Only the gateway/route GATE switched to action names.
+25a. **`acl-grant` / `acl-revoke` are GATED.** The caller (forwarded `X-GTW-AUTH-USERID`) must hold
+    the `role-management` action on the TARGET `(companyId, resourceId)`, else `403`. The gate
+    action defaults to `role-management`, overridable via `AclModuleOptions.roleManagementAction`.
+    **Chicken-and-egg:** no caller can grant the very first `role-management`, so **bootstrap by
+    seeding the first `role-management` grant directly in the DB**.
+26. **`companyId` is LOAD-BEARING in authorization.** It replaced `resourceBusinessId` and is
+    BOTH part of the grant identity AND matched during `checkAction`: a grant authorizes only when
+    `grant.companyId === req.companyId` (and `resourceId` likewise). It also groups
+    `acl-list-resources-by-user` output. There is **no wildcard** — a `null`/absent `resourceId`
+    only matches a request with that id also absent. Both grant/revoke validate every role exists
+    (unknown → `400`).
+27. **Removed actions:** `acl-list-by-user`, `acl-verify-access`, `acl-can-user-do`, and
+    `acl-can-user-do-gtw` no longer exist (the last two collapsed into `acl-check-action`). Use
+    `acl-check-action` for authorization checks and `acl-list-resources-by-user` to list resources.
 28. **Auth & gateway config go to `ProxyModule`** (`authOptions` / `gatewayOptions`), not
     `BrokerModule`. `BrokerModule` owns only `options` / `topics` / `appOptions`.
 

package/schematics/nest-add/files/skills/rlb-amqp-acl/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: rlb-amqp-acl
-description: Manage role-based access control (ACL) with @open-rlb/nestjs-amqp — actions, roles, grants/revokes, and "can user do X" checks. Use when wiring AclModule, gating gateway routes by roles, granting/revoking a user's roles, listing a user's resources, or answering authorization/permission questions (roles, grants, acl-check).
+description: Manage access control (ACL) with @open-rlb/nestjs-amqp — actions, roles, grants/revokes, and "can user do X" checks. Use when wiring AclModule, gating gateway routes by actions, granting/revoking a user's roles, listing a user's resources, or answering authorization/permission questions (actions, roles, grants, acl-check).
 ---
 
 # Manage ACL (@open-rlb/nestjs-amqp)
@@ -11,15 +11,16 @@ Read first when you need depth:
 - `sample/config-sample/acl.yaml` (annotated broker + gateway reference)
 - `sample/config-sample/gateway-in-memory/src/app.module.ts` (forRoot wiring)
 
-Use when: managing **actions/roles/grants**, wiring `AclModule`, role-gating routes
-(`roles: [...]`), or answering "can user do X".
+Use when: managing **actions/roles/grants**, wiring `AclModule`, action-gating routes
+(`actions: [...]`), or answering "can user do X".
 
 ## Model (3 entities)
 
 - **Action** — atomic capability (`read-doc`). Name-keyed.
 - **Role** — bundle of action names (`editor = [read-doc, write-doc]`). Name-keyed.
-- **Grant** — binds a `userId` → role names; one record per `(userId, resourceId)`.
-- **Checks** match on **roles, never action strings**.
+- **Grant** — binds a `userId` → role names; one record per `(userId, companyId, resourceId)`.
+- **Checks** resolve the requested **action** → roles-that-include-it, then match the
+  user's grants. The route/gate names **actions**; grants still assign **roles**.
 
 ## Decorator-bound (NOT configurable)
 
@@ -28,8 +29,8 @@ reference them literally. The queue / exchange / routingKey that carry the topic
 
 `ACL_ACTIONS`: `acl-action-list`, `acl-action-get`, `acl-action-update`,
 `acl-action-delete`, `acl-role-list`, `acl-role-get`, `acl-role-update`,
-`acl-role-delete`, `acl-grant`, `acl-revoke`, `acl-can-user-do-gtw`,
-`acl-can-user-do`, `acl-list-resources-by-user`, `acl-invalidate`.
+`acl-role-delete`, `acl-grant`, `acl-revoke`, `acl-check-action`,
+`acl-list-resources-by-user`, `acl-invalidate`.
 
 > **Removed in 2.0.5:** `acl-list-by-user`, `acl-verify-access`, `acl-create` /
 > id-based ACL CRUD. Entities are name-keyed: **PUT upserts, no POST.**
@@ -40,28 +41,36 @@ No id, no POST. `PUT` upserts by `name` (idempotent), `GET` lists (`?page=&limit
 `GET …/get?name=` reads one, `DELETE` removes by `name`. Role upsert: every referenced
 action must already exist (else **400**).
 
-## Grants — dual grant/revoke
+## Grants — dual grant/revoke (now GATED)
 
-One record per `(userId, resourceId)`. Both ops **require `userId` + `roles`**;
-`resourceId` + `companyId` are **optional**.
+One record per `(userId, companyId, resourceId)`. Both ops **require `userId` + `roles`**;
+`resourceId` + `companyId` are **optional** but PART of the record identity.
 
-- `acl-grant` — merges roles into the pair (creates if absent; idempotent).
+- `acl-grant` — merges roles into the triple (creates if absent; idempotent).
 - `acl-revoke` — removes roles; deletes the record once empty.
 - Both validate every role exists (unknown role → **400**) and invalidate the user's cache.
-- `companyId` (replaced `resourceBusinessId`) is **grouping metadata only** — it groups
-  `acl-list-resources-by-user` output and plays **no part** in authorization.
-
-## Checks — GET → 200 with `true`/`false`
-
-`false` is real content; only `null`/`undefined` collapses to 204. Both return `false`
-(never throw) on missing input or error.
-
-- `acl-can-user-do-gtw` — resource-**agnostic**, the gateway's primary filter. `true` if
-  the user holds **≥1** requested role. Query: `?userId=&roles=user&roles=admin`.
-- `acl-can-user-do` — resource-**scoped**: `true` if a **global** grant OR a grant bound
-  to that exact `resource` gives a matching role. Query: `?userId=&roles=admin&resource=doc-1`.
-  Normally called over the broker by the owning microservice.
-- `acl-list-resources-by-user` — **auth-gated** (needs `auth`, no roles): reads `userId`
+- `companyId` (replaced `resourceBusinessId`) is **load-bearing**: it is part of the grant
+  identity AND part of authorization (a grant matches only when its `companyId` equals the
+  request's). It also groups `acl-list-resources-by-user` output.
+- **Caller gating:** `acl-grant`/`acl-revoke` require the caller (forwarded
+  `X-GTW-AUTH-USERID`) to hold the `role-management` action on the TARGET
+  `(companyId, resourceId)`, else **403**. The gate action defaults to `role-management`,
+  overridable via `AclModuleOptions.roleManagementAction`. Bootstrap by seeding the first
+  `role-management` grant directly in the DB (no caller can grant it otherwise).
+
+## Checks — single primitive, GET → 200 with `true`/`false`
+
+`false` is real content; only `null`/`undefined` collapses to 204. Returns `false`
+(never throws) on missing input or error.
+
+- `acl-check-action` → `checkAction(userId, ctx, action)`, `ctx = { companyId?, resourceId? }`,
+  `action = string | string[]` (OR). Resolves the action(s) → roles-that-include-it, then
+  matches the user's grants. A grant authorizes **iff** `grant.companyId === req.companyId &&
+  grant.resourceId === req.resourceId` (undefined/null/`''` all count as absent). The ONLY
+  carve-out: both ids absent on the request AND on the grant. **No wildcard** — a `null`
+  `resourceId` no longer matches everything; `companyId` is load-bearing.
+  Query: `?userId=&action=read-doc&companyId=acme&resourceId=doc-1`.
+- `acl-list-resources-by-user` — **auth-gated** (needs `auth`, no actions): reads `userId`
   from the forwarded `X-GTW-AUTH-USERID` header; lists accessible resources grouped by
   `companyId` with resolved actions.
 
@@ -88,8 +97,9 @@ AclModule.forRoot(
 );
 ```
 
-Gateway side — let route `roles: [...]` filters run **in-process** (no broker hop) by
-binding the gateway token to the same `AclService`:
+Gateway side — let route `actions: [...]` gates run **in-process** (no broker hop) by
+binding the gateway token to the same `AclService` (implements
+`IAclRoleService.checkAction(userId, ctx, action)`):
 
 ```ts
 import { ProxyModule, AclService, RLB_GTW_ACL_ROLE_SERVICE } from '@open-rlb/nestjs-amqp';
@@ -99,8 +109,9 @@ ProxyModule.forRoot({
 });
 ```
 
-Same process → `useExisting`. Separate services → gateway RPCs `acl-can-user-do-gtw` on
-`rlb-acl` instead. A route's `roles` are ROLE NAMES; the user passes with **≥1**.
+Same process → `useExisting`. Separate services → gateway RPCs `acl-check-action` on
+`rlb-acl` instead. A route's `actions` are ACTION NAMES; the caller is authorized if it
+holds **≥1** of them on the request's `(companyId, resourceId)`.
 
 ## YAML — topic + queue (names fixed, transport yours)
 
@@ -135,10 +146,9 @@ the fixed library string.
 | acl-role-get | GET | /acl/roles/get | query | acl-role-get |
 | acl-role-upsert | PUT | /acl/roles | body | acl-role-update |
 | acl-role-delete | DELETE | /acl/roles | body | acl-role-delete |
-| acl-grant | POST | /acl/grants | body | acl-grant |
-| acl-revoke | DELETE | /acl/grants | body | acl-revoke |
-| acl-check-gtw | GET | /acl/check | query | acl-can-user-do-gtw |
-| acl-check-resource | GET | /acl/check-resource | query | acl-can-user-do |
+| acl-grant | POST | /acl/grants | body | acl-grant (gated: caller needs `role-management`) |
+| acl-revoke | DELETE | /acl/grants | body | acl-revoke (gated: caller needs `role-management`) |
+| acl-check | GET | /acl/check | query | acl-check-action |
 | acl-list-resources-by-user | GET | /acl/resources | query | acl-list-resources-by-user (+ `auth:`) |
 
 ```yaml
@@ -153,18 +163,18 @@ gateway:
       action: acl-role-update
       mode: rpc
     - name: acl-grant              # body: { userId, roles, resourceId?, companyId?, friendlyName? }
-      method: POST
+      method: POST                 # gated: caller (X-GTW-AUTH-USERID) needs role-management on target
       path: /acl/grants
       dataSource: body
       topic: rlb-acl
       action: acl-grant
       mode: rpc
-    - name: acl-check-gtw          # ?userId=&roles=user&roles=admin → 200 true/false
+    - name: acl-check              # ?userId=&action=read-doc&companyId=&resourceId= → 200 true/false
       method: GET
       path: /acl/check
       dataSource: query
       topic: rlb-acl
-      action: acl-can-user-do-gtw
+      action: acl-check-action
       mode: rpc
     - name: acl-list-resources-by-user   # auth-gated; userId from X-GTW-AUTH-USERID
       method: GET
@@ -180,6 +190,9 @@ gateway:
 
 - topic `rlb-acl` + its queue declared on the consuming service; gateway paths use the
   literal `action` strings above.
-- role-gated routes (`roles: [...]`) → `RLB_GTW_ACL_ROLE_SERVICE` bound to an
-  `IAclRoleService` (`AclService`). Auth-provider needs `uidClaim` (+ `headerPrefix`).
+- action-gated routes (`actions: [...]`) → `RLB_GTW_ACL_ROLE_SERVICE` bound to an
+  `IAclRoleService` (`AclService`, `checkAction`). Auth-provider needs `uidClaim`
+  (+ `headerPrefix`).
+- `acl-grant`/`acl-revoke` are gated — seed the first `role-management` grant directly in
+  the DB or every caller gets `403`.
 - a check returning `false` is a **200**, not an error.

package/schematics/nest-add/files/skills/rlb-amqp-add-action/SKILL.md

@@ -97,8 +97,9 @@ Two independent pairings sit on the method, each only needed in the multi case:
   `@BrokerAuth` is **public**.
 
 Auth lives in a separate, decoupled decorator —
-`@BrokerAuth(authName, allowAnonymous?, roles?, httpName?)` — never inside `@BrokerHTTP`'s options.
-This lets two HTTP paths for the SAME action carry DIFFERENT auth.
+`@BrokerAuth(authName, allowAnonymous?, actions?, httpName?)` — never inside `@BrokerHTTP`'s options.
+The 3rd param is `actions` (ACL action names, was `roles`). This lets two HTTP paths for the SAME
+action carry DIFFERENT auth.
 
 Simple case — one route, auth auto-pairs (no names needed):
 
@@ -118,7 +119,7 @@ Multi case — two routes for ONE action, each name-paired to its own auth:
 @BrokerHTTP('GET', '/bookings/:id',       'params', { name: 'get-booking' })
 @BrokerAuth('cust-jwks', true, undefined, 'get-booking')          // httpName ⇄ route name
 @BrokerHTTP('GET', '/admin/bookings/:id', 'params', { name: 'admin-get-booking' })
-@BrokerAuth('admin-jwks', undefined, ['admin'], 'admin-get-booking')
+@BrokerAuth('admin-jwks', undefined, ['booking.admin'], 'admin-get-booking')  // 3rd param = ACL actions
 async getBooking(@BrokerParam('params', 'id') id: string) {
   return this.bookings.find(id);
 }

package/schematics/nest-add/files/skills/rlb-amqp-add-route/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: rlb-amqp-add-route
-description: Expose a broker action over HTTP through the @open-rlb/nestjs-amqp gateway by adding a gateway.paths[] entry. Use when the user wants a new HTTP endpoint/REST route that forwards to a topic/action, choosing rpc (wait reply) vs event (fire-and-forget with confirm), with auth, roles, dataSource, timeout, file upload or raw body. Generates the YAML path fragment and flags required bootstrap/ACL wiring.
+description: Expose a broker action over HTTP through the @open-rlb/nestjs-amqp gateway by adding a gateway.paths[] entry. Use when the user wants a new HTTP endpoint/REST route that forwards to a topic/action, choosing rpc (wait reply) vs event (fire-and-forget with confirm), with auth, actions (ACL gate), dataSource, timeout, file upload or raw body. Generates the YAML path fragment and flags required bootstrap/ACL wiring.
 ---
 
 # Add an HTTP gateway route (gateway.paths[])
@@ -20,7 +20,9 @@ Canonical example: `sample/config-sample/gateway-in-memory/config/config.yaml`.
 - **dataSource**: how the payload is assembled — `req.params` are ALWAYS merged in, plus:
   `body` | `query` | `params` | `body-query` (body wins) | `query-body` (query wins).
 - **auth**: an `auth-provider` name (validates the request, maps claims to `X-GTW-AUTH-*`
-  headers). `allowAnonymous: true` skips the gate. `roles: [...]` adds a role check.
+  headers). `allowAnonymous: true` skips the gate. `actions: [...]` adds an ACL action check
+  scoped to the request's `(companyId, resourceId)` (read from the canonical fields,
+  params → query → body).
 - Extras: `timeout` (rpc), `successStatusCode`, `binary`, `redirect`, `parseRaw`, static
   `headers`, `forwardHeaders`.
 
@@ -36,7 +38,7 @@ Canonical example: `sample/config-sample/gateway-in-memory/config/config.yaml`.
 | `dataSource` | `body` \| `query` \| `params` \| `body-query` \| `query-body`. |
 | `auth` | Auth-provider name; validates + maps claims. |
 | `allowAnonymous` | `true` → gate skipped (token still mapped if present & valid). |
-| `roles` | Role NAMES; caller passes with AT LEAST ONE. Requires `auth`. |
+| `actions` | ACTION NAMES; caller passes holding AT LEAST ONE on the request's `(companyId, resourceId)`. Requires `auth`. |
 | `timeout` | RPC timeout (ms), `rpc` only. |
 | `binary` | Treat a raw (non-JSON) RPC reply as base64 → binary body. |
 | `parseRaw` | Adds the raw request body as `$raw` (needs `rawBody: true`). |
@@ -60,7 +62,7 @@ gateway:
       action: <action>
       mode: rpc                    # or event
       auth: gateway-jwks           # optional
-      roles: [resource.write]      # optional → needs RLB_GTW_ACL_ROLE_SERVICE
+      actions: [resource.write]    # optional → needs RLB_GTW_ACL_ROLE_SERVICE; checked on (companyId, resourceId)
       timeout: 7000                # rpc only
       successStatusCode: 201
 ```
@@ -71,15 +73,18 @@ For every request the gateway runs `processAuthData` (best-effort), then:
 
 1. **`allowAnonymous: true`** → gate SKIPPED. A valid token still gets its claims mapped &
    forwarded; a missing/invalid token is NOT blocked.
-2. **`auth` set, no `roles`** → authentication only. Provider must validate (else `401`);
+2. **`auth` set, no `actions`** → authentication only. Provider must validate (else `401`);
    on success the `X-GTW-AUTH-*` headers are forwarded downstream.
-3. **`auth` + `roles`** → authn + role authz. After a valid token the gateway reads the user
-   id from the provider's `uidClaim` and calls `IAclRoleService.canUserDoGtw(roles, userId)`
-   in-process. Passes with at least one role, else `403`.
+3. **`auth` + `actions`** → authn + action authz. After a valid token the gateway reads the
+   user id from the provider's `uidClaim`, extracts `(companyId, resourceId)` from the request
+   (canonical fields, params → query → body), and calls
+   `IAclRoleService.checkAction(userId, { companyId, resourceId }, actions)` in-process. Passes
+   if the caller holds at least one of `actions` on that pair, else `403`. The check is
+   **exact-match on `(companyId, resourceId)` — there is no wildcard**, and `companyId` is
+   load-bearing.
 
-> `roles` WITHOUT `auth` is a misconfiguration: no identity → fails closed (every request
-> `403`, logged loudly at boot). The resource-scoped check (`acl-can-user-do`) is NOT run by
-> the gateway — it lives on the target microservice.
+> `actions` WITHOUT `auth` is a misconfiguration: no identity → fails closed (every request
+> `403`, logged loudly at boot).
 
 ## Status mapping
 
@@ -109,9 +114,10 @@ For every request the gateway runs `processAuthData` (best-effort), then:
 ## Required wiring to flag
 
 - If `parseRaw: true` → bootstrap with `NestFactory.create(AppModule, { rawBody: true })`.
-- If `roles` is used → an `IAclRoleService` must be registered via `RLB_GTW_ACL_ROLE_SERVICE`
-  in `ProxyModule.forRootAsync({ providers: [{ provide: RLB_GTW_ACL_ROLE_SERVICE, useExisting: AclService }] })`.
-  If a path declares `roles` and the service is NOT registered → request DENIED (`403`) +
+- If `actions` is used → an `IAclRoleService` (`checkAction`) must be registered via
+  `RLB_GTW_ACL_ROLE_SERVICE` in
+  `ProxyModule.forRootAsync({ providers: [{ provide: RLB_GTW_ACL_ROLE_SERVICE, useExisting: AclService }] })`.
+  If a path declares `actions` and the service is NOT registered → request DENIED (`403`) +
   error logged. The auth-provider needs a `uidClaim` (+ `headerPrefix`) to resolve the userId.
 - Forwarded auth claims reach the handler as prefixed/uppercased headers
   (e.g. `X-GTW-AUTH-USERID`) — read them with `@BrokerParam('header', ...)`. Request headers

package/schematics/nest-add/files/skills/rlb-amqp-add-ws-event/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: rlb-amqp-add-ws-event
-description: Add a secure WebSocket event (or HTTP webhook) to the @open-rlb/nestjs-amqp gateway by adding a gateway.events[] entry. Use when the user wants to push broker messages to connected WebSocket clients or to a webhook, with authentication (token in subprotocol), per-event roles/ACL, and per-user scoping to avoid leaking other users' data. Generates the YAML event fragment plus the exchange/queue and ws options, and flags the security wiring.
+description: Add a secure WebSocket event (or HTTP webhook) to the @open-rlb/nestjs-amqp gateway by adding a gateway.events[] entry. Use when the user wants to push broker messages to connected WebSocket clients or to a webhook, with authentication (token in subprotocol), per-event actions/ACL, and per-user scoping to avoid leaking other users' data. Generates the YAML event fragment plus the exchange/queue and ws options, and flags the security wiring.
 ---
 
 # Add a WebSocket / webhook event (gateway.events[])
@@ -27,14 +27,15 @@ each message out to the connected clients of EVERY gateway instance. Secure it b
     required to subscribe.
   - `requireAuth: false` → makes `auth` optional (anonymous allowed; claims mapped if a token
     is present — handy with `scopeClaim`). Defaults to `true` when `auth` is set.
-  - `roles: [...]` → ACL check (needs `IAclRoleService`); requires `auth` for the identity.
+  - `actions: [...]` → ACL action check via `IAclRoleService.checkAction` (needs `IAclRoleService`);
+    requires `auth` for the identity. WS events gate **resource-agnostically** (both ids absent).
   - `scopeClaim` + `payloadKey` → per-user isolation: a client only receives messages where
     `payload[payloadKey] === claims[scopeClaim]`. `scopeClaim` is the MAPPED claim
     (with `headerPrefix`, e.g. `X-GTW-AUTH-USERID`). Without `payloadKey` it denies all
     (gotcha 16). With `auth` but no `scopeClaim`/`payloadKey`, every authorized subscriber
     gets ALL messages (warned at boot).
 
-> Auth/roles/scope are declared PER-EVENT. `gateway.ws` only holds connection-level limits,
+> Auth/actions/scope are declared PER-EVENT. `gateway.ws` only holds connection-level limits,
 > heartbeat, origin allowlist and message-size cap (no auth fields). Different events may use
 > different providers.
 
@@ -57,7 +58,7 @@ gateway:
       routingKey: orders.#
       auth: gateway-jwks                # verifies token + maps claims for this event
       requireAuth: true                 # default true when auth is set; false → optional
-      roles: [orders.read]              # optional → needs IAclRoleService
+      actions: [orders.read]            # optional → needs IAclRoleService (checkAction); resource-agnostic for WS
       scopeClaim: X-GTW-AUTH-USERID     # optional per-user scoping (MAPPED claim)
       payloadKey: userId                # message field compared to scopeClaim
 
@@ -89,8 +90,8 @@ broker:
   `sample/config-sample/gateway-in-memory/src/main.ts`).
 - `events[].auth` must reference a `jwt`/`jwks` provider; subscribing without a valid token
   yields `{ topic:'onError', data:{ event, error:'unauthorized' } }` (unless `requireAuth:false`).
-  A failed role check yields `error:'forbidden'`.
-- `roles` → `IAclRoleService` via `RLB_GTW_ACL_ROLE_SERVICE` in
+  A failed action check yields `error:'forbidden'`.
+- `actions` → `IAclRoleService` (`checkAction`) via `RLB_GTW_ACL_ROLE_SERVICE` in
   `ProxyModule.forRootAsync({ providers: [...] })` (gotcha 15).
 - Do NOT add a fixed durable queue for the event — the lib creates a per-instance exclusive
   ephemeral auto-delete queue for fan-out (gotcha 17).

package/schematics/nest-add/files/skills/rlb-amqp-gateway-admin/SKILL.md

@@ -203,7 +203,7 @@ routes over the same action can publish with different auth — a route with no
 
 ```ts
 @BrokerHTTP('GET', '/admin/bookings/:id', 'params', { name: 'admin-get-booking' })
-@BrokerAuth('admin-jwks', undefined, ['admin'], 'admin-get-booking')  // pairs by httpName
+@BrokerAuth('admin-jwks', undefined, ['booking.admin'], 'admin-get-booking')  // 3rd param = ACL actions; pairs by httpName
 ```
 
 ### Consumer (gateway ← microservice) — `GatewayAdminModule` `routeDiscovery`

package/schematics/nest-add/files/skills/rlb-amqp-scaffold/SKILL.md

@@ -277,10 +277,10 @@ export class AppService {
 }
 ```
 
-Add auth with `@BrokerAuth(authName, allowAnonymous?, roles?, httpName?)` — decoupled from
-`@BrokerHTTP`. With one `@BrokerHTTP` it auto-pairs (no `httpName` needed); with multiple,
-each `@BrokerHTTP` sets a `name` and each `@BrokerAuth` targets it via `httpName`. A route
-with no `@BrokerAuth` is public.
+Add auth with `@BrokerAuth(authName, allowAnonymous?, actions?, httpName?)` — decoupled from
+`@BrokerHTTP` (3rd param is ACL action names). With one `@BrokerHTTP` it auto-pairs (no
+`httpName` needed); with multiple, each `@BrokerHTTP` sets a `name` and each `@BrokerAuth`
+targets it via `httpName`. A route with no `@BrokerAuth` is public.
 
 ## Verify
 - topic/queue/exchange names line up across `broker`/`topics`/paths (gotchas 5–7);

package/schematics/nest-add/index.js

@@ -237,7 +237,7 @@ function buildGatewayBlock(sel) {
   events: []
   ws:
     heartbeatIntervalMs: 30000
-    # Auth is declared per-event (events[].auth / requireAuth / roles / scopeClaim).
+    # Auth is declared per-event (events[].auth / requireAuth / actions / scopeClaim).
   paths:
 ${paths.join('\n')}`;
     if (anyAdmin) {
@@ -329,20 +329,16 @@ const ACL_PATHS = `    # --- ACL management: actions (name is the key — PUT up
       topic: rlb-acl
       action: acl-revoke
       mode: rpc
-    # --- ACL checks (GET → 200 with true/false) ---
-    - name: acl-check-gtw
+    # --- ACL check (GET → 200 with true/false) ---
+    # checkAction(userId, {companyId?, resourceId?}, action): true if the user holds the action
+    # via any role on the EXACT (companyId, resourceId). companyId/resourceId are optional;
+    # when both are absent the check matches resource-less grants only (no wildcard).
+    - name: acl-check-action
       method: GET
       path: /acl/check
       dataSource: query
       topic: rlb-acl
-      action: acl-can-user-do-gtw
-      mode: rpc
-    - name: acl-check-resource
-      method: GET
-      path: /acl/check-resource
-      dataSource: query
-      topic: rlb-acl
-      action: acl-can-user-do
+      action: acl-check-action
       mode: rpc
     # Lists the caller's accessible resources. Add an 'auth: <provider>' line once you declare an auth-provider.
     - name: acl-list-resources-by-user
@@ -503,7 +499,7 @@ function brokerForRootAsync() {
 function proxyForRootAsync(sel) {
     const providers = sel.acl
         ? `[
-        // Role-gated paths resolve the caller's roles via AclService (in-process, no broker hop).
+        // Action-gated paths resolve the caller's identity via AclService (in-process, no broker hop).
         { provide: RLB_GTW_ACL_ROLE_SERVICE, useExisting: AclService },
       ]`
         : `[]`;

package/schematics/nest-add/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../libs/rlb-nestjs-amqp/src/schematics/nest-add/index.ts"],"names":[],"mappings":";;AA2nBA,oBAqBC;AAhpBD,2DAAmJ;AACnJ,+CAAqC;AACrC,+BAAiC;AACjC,oDAAkE;AAClE,sDAA4D;AAC5D,sEAA+D;AA6B/D,SAAS,YAAY,CAAC,OAAe;IACnC,OAAO;QACL,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,SAAS;QACnB,UAAU,EAAE,mBAAmB;QAC/B,YAAY,EAAE,qBAAqB;QACnC,aAAa,EAAE,qBAAqB;QACpC,UAAU,EAAE,gBAAgB;QAC5B,WAAW,EAAE,OAAO,IAAI,YAAY;KACrC,CAAC;AACJ,CAAC;AASD,KAAK,UAAU,iBAAiB,CAAC,CAAc,EAAE,OAAyB;IACxE,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC;IACvD,MAAM,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAChC,MAAM,aAAa,GAAG,CAAC,CAAC,aAAa,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC5G,MAAM,SAAS,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC;IAElG,IAAI,OAAY,CAAC;IACjB,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,OAAO,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,2FAA2F,CAAC,CAAC;YACjH,OAAO,GAAG,SAAS,CAAC;QACtB,CAAC;IACH,CAAC;IAGD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAC1E,MAAM,aAAa,GAAG,CAAC,CAAC,aAAa,KAAK,IAAI,CAAC;QAC/C,OAAO;YACL,aAAa;YACb,GAAG,EAAE,aAAa,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;YACzC,KAAK,EAAE,aAAa,IAAI,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC;YACrD,cAAc,EAAE,aAAa,IAAI,QAAQ,CAAC,GAAG,CAAC,iBAAiB,CAAC;YAChE,WAAW,EAAE,CAAC,aAAa,IAAI,QAAQ,CAAC,GAAG,CAAC,qBAAqB,CAAC;YAClE,MAAM,EAAE,CAAC,CAAC,MAAM,KAAK,KAAK;YAC1B,KAAK,EAAE;gBACL,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ;gBAClC,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ;gBAClC,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,UAAU;gBACxC,YAAY,EAAE,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,YAAY;gBAC9C,aAAa,EAAE,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,aAAa;gBACjD,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,UAAU;gBACxC,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,WAAW;aAC5C;SACF,CAAC;IACJ,CAAC;IAGD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IAC7C,MAAM,KAAK,GAAU,EAAE,GAAG,CAAC,EAAE,CAAC;IAC9B,IAAI,GAAG,GAAG,KAAK,EAAE,KAAK,GAAG,KAAK,EAAE,cAAc,GAAG,KAAK,EAAE,WAAW,GAAG,KAAK,CAAC;IAE5E,MAAM,aAAa,GAAY,MAAM,OAAO,CAAC;QAC3C,OAAO,EAAE,kDAAkD;QAC3D,OAAO,EAAE,KAAK;KACf,CAAC,CAAC;IAEH,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,MAAM,GAAa,MAAM,QAAQ,CAAC;YACtC,OAAO,EAAE,oCAAoC;YAC7C,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,6CAA6C,EAAE,KAAK,EAAE,KAAK,EAAE;gBACrE,EAAE,IAAI,EAAE,mEAAmE,EAAE,KAAK,EAAE,eAAe,EAAE;gBACrG,EAAE,IAAI,EAAE,gEAAgE,EAAE,KAAK,EAAE,iBAAiB,EAAE;aACrG;SACF,CAAC,CAAC;QACH,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC7B,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;QACzC,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;QAEpD,IAAI,GAAG,IAAI,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,KAAK,CAAC,QAAQ,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,GAAG,EAAE,CAAC;YACR,KAAK,CAAC,QAAQ,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,iCAAiC,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACpG,CAAC;QACD,IAAI,KAAK,IAAI,cAAc,EAAE,CAAC;YAC5B,KAAK,CAAC,UAAU,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,2CAA2C,EAAE,OAAO,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;YAChH,KAAK,CAAC,YAAY,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,qCAAqC,EAAE,OAAO,EAAE,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;QAChH,CAAC;QACD,IAAI,cAAc,EAAE,CAAC;YACnB,KAAK,CAAC,aAAa,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,sDAAsD,EAAE,OAAO,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;YACjI,KAAK,CAAC,UAAU,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAa,MAAM,QAAQ,CAAC;YACtC,OAAO,EAAE,yCAAyC;YAClD,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,gGAAgG,EAAE,KAAK,EAAE,qBAAqB,EAAE;aACzI;SACF,CAAC,CAAC;QACH,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;QACrD,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,CAAC,WAAW,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,uDAAuD,EAAE,OAAO,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAC9H,KAAK,CAAC,aAAa,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,OAAO,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;YACrG,KAAK,CAAC,UAAU,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAY,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,6CAA6C,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IACjH,OAAO,EAAE,aAAa,EAAE,GAAG,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACnF,CAAC;AAMD,SAAS,eAAe,CAAC,GAAa;IACpC,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC;IACpB,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,CAAC;IAEjD,MAAM,iBAAiB,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;;;;oBAI1B,CAAC,CAAC,WAAW;;gBAEjB,CAAC,CAAC,aAAa;aAClB,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/B,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;;sCAEP,CAAC;IAErC,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,IAAI,GAAG,CAAC,GAAG,IAAI,QAAQ,EAAE,CAAC;QACxB,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,QAAQ;;;;sBAItB,CAAC,CAAC;IACtB,CAAC;IACD,SAAS,CAAC,IAAI,CAAC;;;;;;wBAMO,CAAC,CAAC;IAExB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,QAAQ;kBACvB,CAAC,CAAC,QAAQ;oBACR,CAAC,CAAC,QAAQ;;;sBAGR,CAAC,CAAC;IACtB,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,UAAU;kBACzB,CAAC,CAAC,QAAQ;oBACR,CAAC,CAAC,UAAU;;;sBAGV,CAAC,CAAC;IACtB,CAAC;IACD,MAAM,CAAC,IAAI,CAAC;;;;;;;yBAOW,CAAC,CAAC;IAEzB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC;;;aAGH,CAAC,CAAC,QAAQ;gBACP,CAAC,CAAC,QAAQ;kBACR,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9B,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC;;;aAGH,CAAC,CAAC,UAAU;gBACT,CAAC,CAAC,QAAQ;kBACR,CAAC,CAAC,UAAU;;YAElB,CAAC,CAAC,YAAY;;gBAEV,CAAC,CAAC,QAAQ;kBACR,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;IAClC,CAAC;IACD,MAAM,CAAC,IAAI,CAAC;;;gBAGE,CAAC,CAAC;IAEhB,IAAI,IAAI,GAAG;;;;;;;;;;;yCAW4B,iBAAiB;;;;wBAIlC,WAAW;;;;;;EAMjC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;;EAEpB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;;;EAGjB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;CAClB,CAAC;IAEA,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;QACtB,IAAI,IAAI,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAa;IACtC,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC;IACpB,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,CAAC;IACjD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,GAAG,CAAC,GAAG;QAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnC,IAAI,GAAG,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC;;;;;;kBAMK,CAAC,CAAC;IAElB,IAAI,KAAK,GAAG;;;;;;EAMZ,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IAEnB,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,IAAI;;;;;;yEAM4D,CAAC,CAAC,YAAY;iBACtE,CAAC,CAAC,YAAY;;;;6BAIF,CAAC;IAC5B,CAAC;IACD,OAAO,KAAK,GAAG,IAAI,CAAC;AACtB,CAAC;AAED,MAAM,SAAS,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gBA+FF,CAAC;AAEjB,SAAS,UAAU,CAAC,YAAoB;IACtC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eA8GM,YAAY;;kBAET,CAAC;AACnB,CAAC;AAMD,SAAS,qBAAqB,CAAC,GAAa;IAC1C,MAAM,UAAU,GAAG,CAAC,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,gBAAgB,CAAC,CAAC;IAClF,IAAI,GAAG,CAAC,aAAa;QAAE,UAAU,CAAC,IAAI,CAAC,eAAe,EAAE,mBAAmB,EAAE,aAAa,CAAC,CAAC;IAC5F,IAAI,GAAG,CAAC,GAAG;QAAE,UAAU,CAAC,IAAI,CAAC,qBAAqB,EAAE,oBAAoB,EAAE,WAAW,EAAE,mBAAmB,EAAE,YAAY,EAAE,qBAAqB,EAAE,0BAA0B,CAAC,CAAC;IAC7K,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc;QAAE,UAAU,CAAC,IAAI,CAAC,wBAAwB,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,wBAAwB,CAAC,CAAC;IAC7K,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,kCAAkC,CAAC;IAErG,MAAM,KAAK,GAAG,CAAC,GAAG,EAAE,+DAA+D,EAAE,kDAAkD,CAAC,CAAC;IACzI,IAAI,GAAG,CAAC,aAAa;QAAE,KAAK,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IACjF,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,KAAK,CAAC,IAAI,CAAC,oJAAoJ,CAAC,CAAC;QACjK,KAAK,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;IAChF,CAAC;IACD,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,EAAE,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,8JAA8J,CAAC,CAAC;QAC3K,KAAK,CAAC,IAAI,CAAC,uGAAuG,CAAC,CAAC;IACtH,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,kBAAkB;IACzB,OAAO;;;;;;;;OAQF,CAAC;AACR,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAa;IACtC,MAAM,SAAS,GAAG,GAAG,CAAC,GAAG;QACvB,CAAC,CAAC;;;QAGE;QACJ,CAAC,CAAC,IAAI,CAAC;IACT,OAAO;;;;;;;mBAOU,SAAS;OACrB,CAAC;AACR,CAAC;AAED,SAAS,UAAU;IACjB,OAAO;;;;;;;;;;;;MAYH,CAAC;AACP,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAa;IACxC,MAAM,OAAO,GAAG,GAAG,CAAC,cAAc;QAChC,CAAC,CAAC;;;uCAGiC,GAAG,CAAC,KAAK,CAAC,aAAa,cAAc,GAAG,CAAC,KAAK,CAAC,UAAU;QACxF;QACJ,CAAC,CAAC,EAAE,CAAC;IACP,OAAO;;;;;;;;;;SAUA,OAAO;MACV,CAAC;AACP,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAa;IACvC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC7E,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC,CAAC;IACnC,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;QACtB,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3B,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,GAAG,CAAC,GAAG;QAAE,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;IACxC,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc;QAAE,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5E,OAAO,OAAO,CAAC;AACjB,CAAC;AAMD,SAAgB,IAAI,CAAC,OAAoB;IACvC,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC7D,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAC7B,OAAO,KAAK,EAAE,IAAU,EAAE,OAAyB,EAAE,EAAE;QACrD,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,EAAE,GAAG,OAAO,EAAE,OAAO,EAAiB,EAAE,OAAO,CAAC,CAAC;QACrF,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,CAAC;QAC3D,OAAO,IAAA,2BAAc,EACnB,IAAA,kBAAK,EAAC;YACJ,IAAA,qCAAe,EAAC,OAAO,CAAC;YACxB,qBAAqB,CAAC,GAAG,CAAC;YAC1B,kBAAkB,EAAE;YACpB,gBAAgB,CAAC,GAAG,CAAC;YACrB,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,uBAAuB,EAAE,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YACtD,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YACvC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YACnC,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YACvE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YAClC,iBAAiB,CAAC,GAAG,CAAC;SACvB,CAAC,CACH,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAMD,SAAS,SAAS,CAAC,MAAmB;IACpC,MAAM,MAAM,GAAgB,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC;IAC9B,MAAM,CAAC,IAAI,GAAG,QAAQ,CAAC;IACvB,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;IACvB,MAAM,QAAQ,GAAa,IAAI,wBAAU,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/E,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;IACjB,MAAM,CAAC,IAAI,GAAG,IAAA,wCAA2B,EAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACzD,MAAM,CAAC,cAAc,GAAG,IAAA,wCAA2B,EAAC,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,CAAC;IACrF,OAAO,MAAM,CAAC;AAChB,CAAC;AAGD,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAA,sBAAS,EAAC,IAAA,kBAAK,EAAC,IAAA,gBAAG,EAAC,WAAW,IAAI,EAAE,CAAC,EAAE,CAAC,IAAA,iBAAI,EAAC,IAAA,gBAAS,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,0BAAa,CAAC,SAAS,CAAC,CAAC;AACnG,CAAC;AAGD,SAAS,UAAU;IACjB,OAAO,IAAA,sBAAS,EAAC,IAAA,kBAAK,EAAC,IAAA,gBAAG,EAAC,gBAAgB,CAAC,EAAE,CAAC,IAAA,iBAAI,EAAC,IAAA,gBAAS,EAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,EAAE,0BAAa,CAAC,SAAS,CAAC,CAAC;AAC/G,CAAC;AAGD,SAAS,kBAAkB;IACzB,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,MAAM,IAAI,GAAG,6BAA6B,CAAC;QAC3C,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE;;;;;;;;CAQrB,CAAC,CAAC;QACC,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAa;IACrC,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,MAAM,WAAW,GAAG,oBAAoB,CAAC;QACzC,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAEnC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,CAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,iBAAiB,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAU,CAAC;QAE5H,IAAI,QAAQ,GAAG,EAAE,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC/C,IAAI,OAAO;oBAAE,QAAQ,IAAI,IAAI,GAAG,OAAO,GAAG,IAAI,CAAC;YACjD,CAAC;QACH,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,CAAC,OAAO,EAAE,GAAG,IAAI,GAAG,QAAQ,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAGD,SAAS,kBAAkB,CAAC,IAAY,EAAE,UAAkB;IAC1D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IAClE,IAAI,QAAQ,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAC/B,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACnH,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3F,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;AAC3C,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAa;IAC1C,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,MAAM,cAAc,GAAG,CAAC,oBAAoB,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,mBAAmB,CAAC,CAAC;QAC9G,IAAI,UAAU,GAAuB,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;QACzH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;YAC9E,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAGpC,IAAI,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAC;YAAE,OAAO,IAAI,CAAC;QAE/D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;YAC5C,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,IAAI,GAAG,qBAAqB,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3F,CAAC;QAGD,MAAM,OAAO,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACxC,KAAK,IAAI,CAAC,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,OAAO,GAAG,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB;IAC9B,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,MAAM,cAAc,GAAG,CAAC,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;QACtF,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC/F,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;YACnF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACrD,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;QAE/C,MAAM,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAC5C,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,oDAAoD,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE5G,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,kGAAkG,CAAC,CAAC;QAC5H,IAAI,CAAC,EAAE,CAAC;YACN,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACpB,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACvB,MAAM,WAAW,GAAG,SAAS,MAAM,+BAA+B,SAAS,4BAA4B,MAAM,sCAAsC,MAAM,UAAU,MAAM,yBAAyB,CAAC;YACnM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,6GAA6G,CAAC,CAAC;QAC9H,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAGD,SAAS,sBAAsB,CAAC,MAAc,EAAE,WAAmB;IACjE,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,CAAC,KAAK;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IAExD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,eAAe,GAAG,CAAC,CAAC,CAAC;IACzB,KAAK,IAAI,CAAC,GAAG,cAAc,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,KAAK,EAAE,CAAC;aAC1B,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC3B,KAAK,EAAE,CAAC;YACR,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAAC,eAAe,GAAG,CAAC,CAAC;gBAAC,MAAM;YAAC,CAAC;QAClD,CAAC;IACH,CAAC;IACD,IAAI,eAAe,KAAK,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IAE1C,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,cAAc,GAAG,CAAC,EAAE,eAAe,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9E,MAAM,eAAe,GAAG,YAAY,CAAC,MAAM,KAAK,CAAC;QAC/C,CAAC,CAAC,SAAS,WAAW,OAAO;QAC7B,CAAC,CAAC,SAAS,WAAW,UAAU,YAAY,MAAM,CAAC;IACrD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,GAAG,CAAC,CAAC,GAAG,eAAe,GAAG,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;AAC/F,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAc;IAC5C,MAAM,WAAW,GAAG,2CAA2C,CAAC;IAChE,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,KAA6B,CAAC;IAClC,OAAO,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,OAAO,GAAG,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAC1C,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,cAAc,CAAC,IAAU,EAAE,QAAgB;IAClD,IAAI,KAAyB,CAAC;IAC9B,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE;QAClB,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,QAAQ,EAAE,CAAC;YAAE,KAAK,GAAG,IAAI,CAAC;IAC5D,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAMD,SAAS,iBAAiB,CAAC,GAAa;IACtC,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;YAAE,OAAO,IAAI,CAAC;QAC9C,OAAO,cAAc,CAAC,IAAI,EAAE,cAAc,EAAE,CAAC,WAAgC,EAAE,EAAE;YAC/E,WAAW,CAAC,YAAY,GAAG,WAAW,CAAC,YAAY,IAAI,EAAE,CAAC;YAC1D,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,OAAe,EAAE,EAAE;gBAC5C,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC;oBAAE,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC;YAChF,CAAC,CAAC;YACF,GAAG,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;YAChC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YACzB,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,GAAG,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;gBAC/B,GAAG,CAAC,qBAAqB,EAAE,SAAS,CAAC,CAAC;gBACtC,GAAG,CAAC,oBAAoB,EAAE,SAAS,CAAC,CAAC;gBACrC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YACvB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAI,IAAU,EAAE,IAAY,EAAE,QAAyB;IAC5E,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,IAAI,GAAG,IAAA,oBAAK,EAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC7C,QAAQ,CAAC,IAAoB,CAAC,CAAC;QAC/B,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../libs/rlb-nestjs-amqp/src/schematics/nest-add/index.ts"],"names":[],"mappings":";;AAunBA,oBAqBC;AA5oBD,2DAAmJ;AACnJ,+CAAqC;AACrC,+BAAiC;AACjC,oDAAkE;AAClE,sDAA4D;AAC5D,sEAA+D;AA6B/D,SAAS,YAAY,CAAC,OAAe;IACnC,OAAO;QACL,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,SAAS;QACnB,UAAU,EAAE,mBAAmB;QAC/B,YAAY,EAAE,qBAAqB;QACnC,aAAa,EAAE,qBAAqB;QACpC,UAAU,EAAE,gBAAgB;QAC5B,WAAW,EAAE,OAAO,IAAI,YAAY;KACrC,CAAC;AACJ,CAAC;AASD,KAAK,UAAU,iBAAiB,CAAC,CAAc,EAAE,OAAyB;IACxE,MAAM,OAAO,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC;IACvD,MAAM,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAChC,MAAM,aAAa,GAAG,CAAC,CAAC,aAAa,KAAK,SAAS,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC5G,MAAM,SAAS,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,aAAa,CAAC;IAElG,IAAI,OAAY,CAAC;IACjB,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,OAAO,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,2FAA2F,CAAC,CAAC;YACjH,OAAO,GAAG,SAAS,CAAC;QACtB,CAAC;IACH,CAAC;IAGD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAC1E,MAAM,aAAa,GAAG,CAAC,CAAC,aAAa,KAAK,IAAI,CAAC;QAC/C,OAAO;YACL,aAAa;YACb,GAAG,EAAE,aAAa,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;YACzC,KAAK,EAAE,aAAa,IAAI,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC;YACrD,cAAc,EAAE,aAAa,IAAI,QAAQ,CAAC,GAAG,CAAC,iBAAiB,CAAC;YAChE,WAAW,EAAE,CAAC,aAAa,IAAI,QAAQ,CAAC,GAAG,CAAC,qBAAqB,CAAC;YAClE,MAAM,EAAE,CAAC,CAAC,MAAM,KAAK,KAAK;YAC1B,KAAK,EAAE;gBACL,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ;gBAClC,QAAQ,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ;gBAClC,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,UAAU;gBACxC,YAAY,EAAE,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,YAAY;gBAC9C,aAAa,EAAE,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,aAAa;gBACjD,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,UAAU;gBACxC,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,WAAW;aAC5C;SACF,CAAC;IACJ,CAAC;IAGD,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IAC7C,MAAM,KAAK,GAAU,EAAE,GAAG,CAAC,EAAE,CAAC;IAC9B,IAAI,GAAG,GAAG,KAAK,EAAE,KAAK,GAAG,KAAK,EAAE,cAAc,GAAG,KAAK,EAAE,WAAW,GAAG,KAAK,CAAC;IAE5E,MAAM,aAAa,GAAY,MAAM,OAAO,CAAC;QAC3C,OAAO,EAAE,kDAAkD;QAC3D,OAAO,EAAE,KAAK;KACf,CAAC,CAAC;IAEH,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,MAAM,GAAa,MAAM,QAAQ,CAAC;YACtC,OAAO,EAAE,oCAAoC;YAC7C,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,6CAA6C,EAAE,KAAK,EAAE,KAAK,EAAE;gBACrE,EAAE,IAAI,EAAE,mEAAmE,EAAE,KAAK,EAAE,eAAe,EAAE;gBACrG,EAAE,IAAI,EAAE,gEAAgE,EAAE,KAAK,EAAE,iBAAiB,EAAE;aACrG;SACF,CAAC,CAAC;QACH,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC7B,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;QACzC,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;QAEpD,IAAI,GAAG,IAAI,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,KAAK,CAAC,QAAQ,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,GAAG,EAAE,CAAC;YACR,KAAK,CAAC,QAAQ,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,iCAAiC,EAAE,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;QACpG,CAAC;QACD,IAAI,KAAK,IAAI,cAAc,EAAE,CAAC;YAC5B,KAAK,CAAC,UAAU,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,2CAA2C,EAAE,OAAO,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;YAChH,KAAK,CAAC,YAAY,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,qCAAqC,EAAE,OAAO,EAAE,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;QAChH,CAAC;QACD,IAAI,cAAc,EAAE,CAAC;YACnB,KAAK,CAAC,aAAa,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,sDAAsD,EAAE,OAAO,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;YACjI,KAAK,CAAC,UAAU,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAa,MAAM,QAAQ,CAAC;YACtC,OAAO,EAAE,yCAAyC;YAClD,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,gGAAgG,EAAE,KAAK,EAAE,qBAAqB,EAAE;aACzI;SACF,CAAC,CAAC;QACH,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;QACrD,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,CAAC,WAAW,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,uDAAuD,EAAE,OAAO,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAC9H,KAAK,CAAC,aAAa,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,0BAA0B,EAAE,OAAO,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC;YACrG,KAAK,CAAC,UAAU,GAAG,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAY,MAAM,OAAO,CAAC,EAAE,OAAO,EAAE,6CAA6C,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IACjH,OAAO,EAAE,aAAa,EAAE,GAAG,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACnF,CAAC;AAMD,SAAS,eAAe,CAAC,GAAa;IACpC,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC;IACpB,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,CAAC;IAEjD,MAAM,iBAAiB,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;;;;oBAI1B,CAAC,CAAC,WAAW;;gBAEjB,CAAC,CAAC,aAAa;aAClB,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/B,MAAM,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;;sCAEP,CAAC;IAErC,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,IAAI,GAAG,CAAC,GAAG,IAAI,QAAQ,EAAE,CAAC;QACxB,SAAS,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,QAAQ;;;;sBAItB,CAAC,CAAC;IACtB,CAAC;IACD,SAAS,CAAC,IAAI,CAAC;;;;;;wBAMO,CAAC,CAAC;IAExB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,QAAQ;kBACvB,CAAC,CAAC,QAAQ;oBACR,CAAC,CAAC,QAAQ;;;sBAGR,CAAC,CAAC;IACtB,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,UAAU;kBACzB,CAAC,CAAC,QAAQ;oBACR,CAAC,CAAC,UAAU;;;sBAGV,CAAC,CAAC;IACtB,CAAC;IACD,MAAM,CAAC,IAAI,CAAC;;;;;;;yBAOW,CAAC,CAAC;IAEzB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC;;;aAGH,CAAC,CAAC,QAAQ;gBACP,CAAC,CAAC,QAAQ;kBACR,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9B,CAAC;IACD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC;;;aAGH,CAAC,CAAC,UAAU;gBACT,CAAC,CAAC,QAAQ;kBACR,CAAC,CAAC,UAAU;;YAElB,CAAC,CAAC,YAAY;;gBAEV,CAAC,CAAC,QAAQ;kBACR,CAAC,CAAC,YAAY,EAAE,CAAC,CAAC;IAClC,CAAC;IACD,MAAM,CAAC,IAAI,CAAC;;;gBAGE,CAAC,CAAC;IAEhB,IAAI,IAAI,GAAG;;;;;;;;;;;yCAW4B,iBAAiB;;;;wBAIlC,WAAW;;;;;;EAMjC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;;EAEpB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;;;EAGjB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;CAClB,CAAC;IAEA,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;QACtB,IAAI,IAAI,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAa;IACtC,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC;IACpB,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,CAAC;IACjD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,GAAG,CAAC,GAAG;QAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnC,IAAI,GAAG,CAAC,KAAK;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;IACtD,KAAK,CAAC,IAAI,CAAC;;;;;;kBAMK,CAAC,CAAC;IAElB,IAAI,KAAK,GAAG;;;;;;EAMZ,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IAEnB,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,IAAI;;;;;;yEAM4D,CAAC,CAAC,YAAY;iBACtE,CAAC,CAAC,YAAY;;;;6BAIF,CAAC;IAC5B,CAAC;IACD,OAAO,KAAK,GAAG,IAAI,CAAC;AACtB,CAAC;AAED,MAAM,SAAS,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;gBA2FF,CAAC;AAEjB,SAAS,UAAU,CAAC,YAAoB;IACtC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;eA8GM,YAAY;;kBAET,CAAC;AACnB,CAAC;AAMD,SAAS,qBAAqB,CAAC,GAAa;IAC1C,MAAM,UAAU,GAAG,CAAC,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,gBAAgB,CAAC,CAAC;IAClF,IAAI,GAAG,CAAC,aAAa;QAAE,UAAU,CAAC,IAAI,CAAC,eAAe,EAAE,mBAAmB,EAAE,aAAa,CAAC,CAAC;IAC5F,IAAI,GAAG,CAAC,GAAG;QAAE,UAAU,CAAC,IAAI,CAAC,qBAAqB,EAAE,oBAAoB,EAAE,WAAW,EAAE,mBAAmB,EAAE,YAAY,EAAE,qBAAqB,EAAE,0BAA0B,CAAC,CAAC;IAC7K,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc;QAAE,UAAU,CAAC,IAAI,CAAC,wBAAwB,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,wBAAwB,CAAC,CAAC;IAC7K,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,kCAAkC,CAAC;IAErG,MAAM,KAAK,GAAG,CAAC,GAAG,EAAE,+DAA+D,EAAE,kDAAkD,CAAC,CAAC;IACzI,IAAI,GAAG,CAAC,aAAa;QAAE,KAAK,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;IACjF,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,KAAK,CAAC,IAAI,CAAC,oJAAoJ,CAAC,CAAC;QACjK,KAAK,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;IAChF,CAAC;IACD,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,EAAE,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,8JAA8J,CAAC,CAAC;QAC3K,KAAK,CAAC,IAAI,CAAC,uGAAuG,CAAC,CAAC;IACtH,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,kBAAkB;IACzB,OAAO;;;;;;;;OAQF,CAAC;AACR,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAa;IACtC,MAAM,SAAS,GAAG,GAAG,CAAC,GAAG;QACvB,CAAC,CAAC;;;QAGE;QACJ,CAAC,CAAC,IAAI,CAAC;IACT,OAAO;;;;;;;mBAOU,SAAS;OACrB,CAAC;AACR,CAAC;AAED,SAAS,UAAU;IACjB,OAAO;;;;;;;;;;;;MAYH,CAAC;AACP,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAa;IACxC,MAAM,OAAO,GAAG,GAAG,CAAC,cAAc;QAChC,CAAC,CAAC;;;uCAGiC,GAAG,CAAC,KAAK,CAAC,aAAa,cAAc,GAAG,CAAC,KAAK,CAAC,UAAU;QACxF;QACJ,CAAC,CAAC,EAAE,CAAC;IACP,OAAO;;;;;;;;;;SAUA,OAAO;MACV,CAAC;AACP,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAa;IACvC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC7E,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE,CAAC,CAAC;IACnC,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;QACtB,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3B,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,IAAI,GAAG,CAAC,GAAG;QAAE,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;IACxC,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc;QAAE,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5E,OAAO,OAAO,CAAC;AACjB,CAAC;AAMD,SAAgB,IAAI,CAAC,OAAoB;IACvC,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,YAAY,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC7D,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAC7B,OAAO,KAAK,EAAE,IAAU,EAAE,OAAyB,EAAE,EAAE;QACrD,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,EAAE,GAAG,OAAO,EAAE,OAAO,EAAiB,EAAE,OAAO,CAAC,CAAC;QACrF,MAAM,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,CAAC;QAC3D,OAAO,IAAA,2BAAc,EACnB,IAAA,kBAAK,EAAC;YACJ,IAAA,qCAAe,EAAC,OAAO,CAAC;YACxB,qBAAqB,CAAC,GAAG,CAAC;YAC1B,kBAAkB,EAAE;YACpB,gBAAgB,CAAC,GAAG,CAAC;YACrB,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,uBAAuB,EAAE,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YACtD,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YACvC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YACnC,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YACvE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,IAAA,iBAAI,GAAE;YAClC,iBAAiB,CAAC,GAAG,CAAC;SACvB,CAAC,CACH,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAMD,SAAS,SAAS,CAAC,MAAmB;IACpC,MAAM,MAAM,GAAgB,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC;IAC9B,MAAM,CAAC,IAAI,GAAG,QAAQ,CAAC;IACvB,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;IACvB,MAAM,QAAQ,GAAa,IAAI,wBAAU,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/E,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;IACjB,MAAM,CAAC,IAAI,GAAG,IAAA,wCAA2B,EAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACzD,MAAM,CAAC,cAAc,GAAG,IAAA,wCAA2B,EAAC,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,CAAC;IACrF,OAAO,MAAM,CAAC;AAChB,CAAC;AAGD,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAA,sBAAS,EAAC,IAAA,kBAAK,EAAC,IAAA,gBAAG,EAAC,WAAW,IAAI,EAAE,CAAC,EAAE,CAAC,IAAA,iBAAI,EAAC,IAAA,gBAAS,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,0BAAa,CAAC,SAAS,CAAC,CAAC;AACnG,CAAC;AAGD,SAAS,UAAU;IACjB,OAAO,IAAA,sBAAS,EAAC,IAAA,kBAAK,EAAC,IAAA,gBAAG,EAAC,gBAAgB,CAAC,EAAE,CAAC,IAAA,iBAAI,EAAC,IAAA,gBAAS,EAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,EAAE,0BAAa,CAAC,SAAS,CAAC,CAAC;AAC/G,CAAC;AAGD,SAAS,kBAAkB;IACzB,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,MAAM,IAAI,GAAG,6BAA6B,CAAC;QAC3C,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE;;;;;;;;CAQrB,CAAC,CAAC;QACC,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAa;IACrC,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,MAAM,WAAW,GAAG,oBAAoB,CAAC;QACzC,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAEnC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,CAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,iBAAiB,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAU,CAAC;QAE5H,IAAI,QAAQ,GAAG,EAAE,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC/C,IAAI,OAAO;oBAAE,QAAQ,IAAI,IAAI,GAAG,OAAO,GAAG,IAAI,CAAC;YACjD,CAAC;QACH,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ,CAAC,OAAO,EAAE,GAAG,IAAI,GAAG,QAAQ,CAAC,CAAC;QACpE,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAGD,SAAS,kBAAkB,CAAC,IAAY,EAAE,UAAkB;IAC1D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IAClE,IAAI,QAAQ,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAC/B,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACnH,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3F,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;AAC3C,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAa;IAC1C,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,MAAM,cAAc,GAAG,CAAC,oBAAoB,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,mBAAmB,CAAC,CAAC;QAC9G,IAAI,UAAU,GAAuB,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC;QACzH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;YAC9E,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAGpC,IAAI,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAC;YAAE,OAAO,IAAI,CAAC;QAE/D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;YAC5C,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,IAAI,GAAG,qBAAqB,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3F,CAAC;QAGD,MAAM,OAAO,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACxC,KAAK,IAAI,CAAC,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7C,OAAO,GAAG,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB;IAC9B,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,MAAM,cAAc,GAAG,CAAC,cAAc,EAAE,cAAc,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;QACtF,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,cAAc,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC/F,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;YACnF,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACrD,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;QAE/C,MAAM,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAC5C,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,oDAAoD,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE5G,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,kGAAkG,CAAC,CAAC;QAC5H,IAAI,CAAC,EAAE,CAAC;YACN,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACpB,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACvB,MAAM,WAAW,GAAG,SAAS,MAAM,+BAA+B,SAAS,4BAA4B,MAAM,sCAAsC,MAAM,UAAU,MAAM,yBAAyB,CAAC;YACnM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;QAC/C,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,6GAA6G,CAAC,CAAC;QAC9H,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAGD,SAAS,sBAAsB,CAAC,MAAc,EAAE,WAAmB;IACjE,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,CAAC,KAAK;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;IAExD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,eAAe,GAAG,CAAC,CAAC,CAAC;IACzB,KAAK,IAAI,CAAC,GAAG,cAAc,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,KAAK,EAAE,CAAC;aAC1B,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC3B,KAAK,EAAE,CAAC;YACR,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAAC,eAAe,GAAG,CAAC,CAAC;gBAAC,MAAM;YAAC,CAAC;QAClD,CAAC;IACH,CAAC;IACD,IAAI,eAAe,KAAK,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IAE1C,MAAM,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,cAAc,GAAG,CAAC,EAAE,eAAe,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9E,MAAM,eAAe,GAAG,YAAY,CAAC,MAAM,KAAK,CAAC;QAC/C,CAAC,CAAC,SAAS,WAAW,OAAO;QAC7B,CAAC,CAAC,SAAS,WAAW,UAAU,YAAY,MAAM,CAAC;IACrD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,GAAG,CAAC,CAAC,GAAG,eAAe,GAAG,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;AAC/F,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAc;IAC5C,MAAM,WAAW,GAAG,2CAA2C,CAAC;IAChE,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,IAAI,KAA6B,CAAC;IAClC,OAAO,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,OAAO,GAAG,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAC1C,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,cAAc,CAAC,IAAU,EAAE,QAAgB;IAClD,IAAI,KAAyB,CAAC;IAC9B,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE;QAClB,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,QAAQ,EAAE,CAAC;YAAE,KAAK,GAAG,IAAI,CAAC;IAC5D,CAAC,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC;AAMD,SAAS,iBAAiB,CAAC,GAAa;IACtC,OAAO,CAAC,IAAU,EAAE,EAAE;QACpB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;YAAE,OAAO,IAAI,CAAC;QAC9C,OAAO,cAAc,CAAC,IAAI,EAAE,cAAc,EAAE,CAAC,WAAgC,EAAE,EAAE;YAC/E,WAAW,CAAC,YAAY,GAAG,WAAW,CAAC,YAAY,IAAI,EAAE,CAAC;YAC1D,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,OAAe,EAAE,EAAE;gBAC5C,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC;oBAAE,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC;YAChF,CAAC,CAAC;YACF,GAAG,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;YAChC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YACzB,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;gBACtB,GAAG,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;gBAC/B,GAAG,CAAC,qBAAqB,EAAE,SAAS,CAAC,CAAC;gBACtC,GAAG,CAAC,oBAAoB,EAAE,SAAS,CAAC,CAAC;gBACrC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YACvB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAI,IAAU,EAAE,IAAY,EAAE,QAAyB;IAC5E,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,IAAI,GAAG,IAAA,oBAAK,EAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAC7C,QAAQ,CAAC,IAAoB,CAAC,CAAC;QAC/B,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/schematics/nest-add/index.ts

@@ -290,7 +290,7 @@ function buildGatewayBlock(sel: Resolved): string {
   events: []
   ws:
     heartbeatIntervalMs: 30000
-    # Auth is declared per-event (events[].auth / requireAuth / roles / scopeClaim).
+    # Auth is declared per-event (events[].auth / requireAuth / actions / scopeClaim).
   paths:
 ${paths.join('\n')}`;
 
@@ -384,20 +384,16 @@ const ACL_PATHS = `    # --- ACL management: actions (name is the key — PUT up
       topic: rlb-acl
       action: acl-revoke
       mode: rpc
-    # --- ACL checks (GET → 200 with true/false) ---
-    - name: acl-check-gtw
+    # --- ACL check (GET → 200 with true/false) ---
+    # checkAction(userId, {companyId?, resourceId?}, action): true if the user holds the action
+    # via any role on the EXACT (companyId, resourceId). companyId/resourceId are optional;
+    # when both are absent the check matches resource-less grants only (no wildcard).
+    - name: acl-check-action
       method: GET
       path: /acl/check
       dataSource: query
       topic: rlb-acl
-      action: acl-can-user-do-gtw
-      mode: rpc
-    - name: acl-check-resource
-      method: GET
-      path: /acl/check-resource
-      dataSource: query
-      topic: rlb-acl
-      action: acl-can-user-do
+      action: acl-check-action
       mode: rpc
     # Lists the caller's accessible resources. Add an 'auth: <provider>' line once you declare an auth-provider.
     - name: acl-list-resources-by-user
@@ -563,7 +559,7 @@ function brokerForRootAsync(): string {
 function proxyForRootAsync(sel: Resolved): string {
   const providers = sel.acl
     ? `[
-        // Role-gated paths resolve the caller's roles via AclService (in-process, no broker hop).
+        // Action-gated paths resolve the caller's identity via AclService (in-process, no broker hop).
         { provide: RLB_GTW_ACL_ROLE_SERVICE, useExisting: AclService },
       ]`
     : `[]`;