npm - @opensaas/stack-core - Versions diffs - 0.20.1 → 0.21.0 - Mend

@opensaas/stack-core 0.20.1 → 0.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (105) hide show

package/.turbo/turbo-build.log +1 -1
package/CHANGELOG.md +72 -0
package/CLAUDE.md +18 -2
package/dist/access/access-filter.d.ts +29 -0
package/dist/access/access-filter.d.ts.map +1 -0
package/dist/access/access-filter.js +68 -0
package/dist/access/access-filter.js.map +1 -0
package/dist/access/engine.d.ts +15 -48
package/dist/access/engine.d.ts.map +1 -1
package/dist/access/engine.js +14 -280
package/dist/access/engine.js.map +1 -1
package/dist/access/field-access.d.ts +44 -0
package/dist/access/field-access.d.ts.map +1 -0
package/dist/access/field-access.js +123 -0
package/dist/access/field-access.js.map +1 -0
package/dist/access/field-access.test.d.ts +2 -0
package/dist/access/field-access.test.d.ts.map +1 -0
package/dist/access/{engine.test.js → field-access.test.js} +2 -2
package/dist/access/field-access.test.js.map +1 -0
package/dist/access/field-visibility.d.ts +13 -0
package/dist/access/field-visibility.d.ts.map +1 -0
package/dist/access/field-visibility.js +155 -0
package/dist/access/field-visibility.js.map +1 -0
package/dist/access/index.d.ts +4 -1
package/dist/access/index.d.ts.map +1 -1
package/dist/access/index.js +8 -1
package/dist/access/index.js.map +1 -1
package/dist/config/index.d.ts +1 -1
package/dist/config/index.d.ts.map +1 -1
package/dist/config/types.d.ts +45 -4
package/dist/config/types.d.ts.map +1 -1
package/dist/context/hook-pipeline.d.ts +49 -0
package/dist/context/hook-pipeline.d.ts.map +1 -0
package/dist/context/hook-pipeline.js +75 -0
package/dist/context/hook-pipeline.js.map +1 -0
package/dist/context/index.d.ts.map +1 -1
package/dist/context/index.js +30 -462
package/dist/context/index.js.map +1 -1
package/dist/context/nested-operations.d.ts.map +1 -1
package/dist/context/nested-operations.js +72 -68
package/dist/context/nested-operations.js.map +1 -1
package/dist/context/write-pipeline.d.ts +158 -0
package/dist/context/write-pipeline.d.ts.map +1 -0
package/dist/context/write-pipeline.js +306 -0
package/dist/context/write-pipeline.js.map +1 -0
package/dist/extend.d.ts +3 -0
package/dist/extend.d.ts.map +1 -0
package/dist/extend.js +10 -0
package/dist/extend.js.map +1 -0
package/dist/fields/index.d.ts +1 -0
package/dist/fields/index.d.ts.map +1 -1
package/dist/fields/index.js +213 -2
package/dist/fields/index.js.map +1 -1
package/dist/hooks/index.d.ts +20 -0
package/dist/hooks/index.d.ts.map +1 -1
package/dist/hooks/index.js +202 -0
package/dist/hooks/index.js.map +1 -1
package/dist/index.d.ts +5 -9
package/dist/index.d.ts.map +1 -1
package/dist/index.js +19 -10
package/dist/index.js.map +1 -1
package/dist/internal.d.ts +8 -0
package/dist/internal.d.ts.map +1 -0
package/dist/internal.js +16 -0
package/dist/internal.js.map +1 -0
package/dist/validation/field-config.d.ts +55 -0
package/dist/validation/field-config.d.ts.map +1 -0
package/dist/validation/field-config.js +100 -0
package/dist/validation/field-config.js.map +1 -0
package/dist/validation/field-config.test.d.ts +2 -0
package/dist/validation/field-config.test.d.ts.map +1 -0
package/dist/validation/field-config.test.js +159 -0
package/dist/validation/field-config.test.js.map +1 -0
package/package.json +11 -3
package/src/access/access-filter.ts +97 -0
package/src/access/engine.ts +13 -396
package/src/access/{engine.test.ts → field-access.test.ts} +1 -1
package/src/access/field-access.ts +159 -0
package/src/access/field-visibility.ts +247 -0
package/src/access/index.ts +7 -4
package/src/config/index.ts +1 -0
package/src/config/types.ts +51 -4
package/src/context/hook-pipeline.ts +160 -0
package/src/context/index.ts +29 -667
package/src/context/nested-operations.ts +142 -111
package/src/context/write-pipeline.ts +543 -0
package/src/extend.ts +14 -0
package/src/fields/index.ts +310 -2
package/src/hooks/index.ts +227 -0
package/src/index.ts +27 -90
package/src/internal.ts +49 -0
package/src/validation/field-config.test.ts +199 -0
package/src/validation/field-config.ts +145 -0
package/tests/access-relationships.test.ts +4 -4
package/tests/access.test.ts +1 -1
package/tests/field-hooks.test.ts +410 -0
package/tests/field-types.test.ts +1 -1
package/tests/hook-pipeline.test.ts +233 -0
package/tests/nested-operation-registry.test.ts +206 -0
package/tests/write-pipeline.test.ts +588 -0
package/tsconfig.tsbuildinfo +1 -1
package/vitest.config.ts +43 -1
package/dist/access/engine.test.d.ts +0 -2
package/dist/access/engine.test.d.ts.map +0 -1
package/dist/access/engine.test.js.map +0 -1

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,4 +1,4 @@
-> @opensaas/stack-core@0.20.1 build /home/runner/work/stack/stack/packages/core
+> @opensaas/stack-core@0.21.0 build /home/runner/work/stack/stack/packages/core
 > tsc

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,77 @@
 # @opensaas/stack-core
+## 0.21.0
+### Minor Changes
+- [#415](https://github.com/OpenSaasAU/stack/pull/415) [`8980ff3`](https://github.com/OpenSaasAU/stack/commit/8980ff36ffb0879d8f4409740493dd940572cc9d) Thanks [@borisno2](https://github.com/borisno2)! - Curate the `@opensaas/stack-core` public surface into clearly-scoped entry points
+  The root entry point now exposes only the everyday consumer surface — `config`,
+  `list`, `getContext`, the naming helpers (`getDbKey`, `getUrlKey`,
+  `getListKeyFromUrl`), `ValidationError`, and the config/access types you annotate
+  with. Plugin and field authoring contracts move to a new `/extend` path, and the
+  plumbing shared with sibling packages and generated code moves to `/internal`.
+  ```typescript
+  // Everyday usage (unchanged)
+  import { config, list, getContext } from '@opensaas/stack-core'
+  // Authoring a plugin or a third-party field package
+  import type { Plugin, BaseFieldConfig, TypeInfo } from '@opensaas/stack-core/extend'
+  ```
+  `@opensaas/stack-core/internal` carries no semver guarantees; application code
+  should never import from it. `Session` stays on the root entry point because it is
+  the module-augmentation target.
+  Removed from the public surface (zero callers): the nine `*HookArgs` types and the
+  callerless typed-query runtime types. The other `@opensaas/*` packages and the CLI
+  generator are updated to import from the new paths.
+- [#416](https://github.com/OpenSaasAU/stack/pull/416) [`841a836`](https://github.com/OpenSaasAU/stack/commit/841a836494e2647f390ae19a8c4121d38ebd2fa4) Thanks [@borisno2](https://github.com/borisno2)! - Move field-config types to `@opensaas/stack-core/fields`, beside their builders
+  The concrete field-config types (`TextField`, `IntegerField`, `CheckboxField`,
+  `TimestampField`, `PasswordField`, `SelectField`, `RelationshipField`,
+  `JsonField`, `VirtualField`, plus `DecimalField`, `CalendarDayField`, and
+  `PrismaRelationResult`) now live on the `/fields` entry point alongside the
+  builders that produce them, instead of the root barrel. One concept, one import
+  path:
+  ```typescript
+  import { text, decimal } from '@opensaas/stack-core/fields'
+  import type { TextField, DecimalField } from '@opensaas/stack-core/fields'
+  ```
+  `DecimalField` and `CalendarDayField` were previously defined but exported from
+  nowhere — they are now public, and the CLI's lists generator maps `decimal`/
+  `calendarDay` fields to their precise types instead of the generic
+  `BaseFieldConfig` fallback. The umbrella `FieldConfig` stays on the root entry
+  point and `BaseFieldConfig` stays on `/extend`.
+### Patch Changes
+- [#441](https://github.com/OpenSaasAU/stack/pull/441) [`bc20bf4`](https://github.com/OpenSaasAU/stack/commit/bc20bf447cf724bd0ee153ea9a69d54cc26a6bb2) Thanks [@borisno2](https://github.com/borisno2)! - Validate field self-containment at config load instead of failing deep in generation
+  Core now exports `validateFieldConfig(field, fieldKey, listKey?)` and `validateConfigFields(config)` (plus the `FieldConfigValidationError` type). They check each field implements its generation contract — `getPrismaType`, `getTypeScriptType`, and `getZodSchema` (or `getPrismaRelation` for relationships; virtual fields skip `getPrismaType`) — and return structured per-field errors. `opensaas generate` runs this first and fails fast with a clear message naming the list, field, and missing method, rather than throwing an opaque stack trace mid-generation.
+- [#428](https://github.com/OpenSaasAU/stack/pull/428) [`50371ea`](https://github.com/OpenSaasAU/stack/commit/50371ea3dd134f6b3718f347fed2c0d3b7dc63ce) Thanks [@borisno2](https://github.com/borisno2)! - Fix outdated SQLite adapter guidance to match the installed `@prisma/adapter-better-sqlite3` API (`PrismaBetterSqlite3` constructed with `{ url }`), so copied examples actually run. Updates the CLI "missing adapter" error message and the migration config it generates, plus the `prismaClientConstructor` JSDoc example.
+- [#440](https://github.com/OpenSaasAU/stack/pull/440) [`70b4f53`](https://github.com/OpenSaasAU/stack/commit/70b4f538d380bbf546af50a985d29b48a71d3b4d) Thanks [@borisno2](https://github.com/borisno2)! - Refactor nested-operation dispatch into a handler registry (internal, no behaviour change)
+- [#397](https://github.com/OpenSaasAU/stack/pull/397) [`8e394ab`](https://github.com/OpenSaasAU/stack/commit/8e394abe9df2da53ba23b93836853516bb4e25d5) Thanks [@borisno2](https://github.com/borisno2)! - Move relationship Prisma schema generation into the relationship field builder
+  The relationship field now exposes a `getPrismaRelation()` method that returns its complete Prisma schema contribution (FK line, relation line, synthetic back-relation). The Prisma generator delegates to this method instead of special-casing relationships, keeping it a neutral coordinator. Generated schemas are unchanged.
+- [#455](https://github.com/OpenSaasAU/stack/pull/455) [`d3fdf2a`](https://github.com/OpenSaasAU/stack/commit/d3fdf2a2e5374302bc7fe1fe814cb0f567a349df) Thanks [@borisno2](https://github.com/borisno2)! - Exclude `**/dist/**` from Vitest test discovery and gate coverage on `src/access`, `src/context`, and `src/validation` via per-file thresholds.
+- [#403](https://github.com/OpenSaasAU/stack/pull/403) [`0f9c644`](https://github.com/OpenSaasAU/stack/commit/0f9c644a115ad747e338e6138b4762b4a48a9144) Thanks [@borisno2](https://github.com/borisno2)! - Split the access engine into named two-phase-read modules: Access Filter (pre-query), Field Visibility (post-query), and a shared field-access evaluator. No behaviour or public API change.
+- [#411](https://github.com/OpenSaasAU/stack/pull/411) [`96258b0`](https://github.com/OpenSaasAU/stack/commit/96258b00bb762d9e38cfb83eacae65ce670b161f) Thanks [@borisno2](https://github.com/borisno2)! - Deduplicate field-level hook execution helpers by promoting them to `hooks/index.ts`, and remove a stray `console.log` that ran on every create/update.
+- [#439](https://github.com/OpenSaasAU/stack/pull/439) [`898e477`](https://github.com/OpenSaasAU/stack/commit/898e47747abc02e457a54e2a78939450d16da5fb) Thanks [@borisno2](https://github.com/borisno2)! - Internal refactor: extract the write transform+validate span into a single Hook Pipeline that the Write Pipeline delegates to. No behaviour change.
+- [#438](https://github.com/OpenSaasAU/stack/pull/438) [`29966b2`](https://github.com/OpenSaasAU/stack/commit/29966b23597199bcf4233298b1d0de6401b91acd) Thanks [@borisno2](https://github.com/borisno2)! - Refactor the write path into a single Write Pipeline. The canonical secured write sequence (hooks, validation, access, writable-field filtering, nested operations, persistence, after-hooks, Field Visibility) now lives in one module; create/update/delete are thin adapters over it parameterised by a per-operation strategy. Internal refactor only — no public API or behaviour change.
 ## 0.20.1
 ## 0.20.0

package/CLAUDE.md CHANGED Viewed

@@ -6,6 +6,18 @@ Core stack providing config system, access control engine, hooks, field types, a
 The foundation of OpenSaas Stack. Defines the config DSL, executes access control, runs hooks, and generates Prisma schema and TypeScript types from config.
+## Entry Points
+The package exposes a curated surface across several import paths. Use the narrowest one that fits:
+- **`@opensaas/stack-core`** (root) — the everyday consumer surface: `config`, `list`, `getContext`, the naming helpers (`getDbKey`, `getUrlKey`, `getListKeyFromUrl`), `ValidationError`, and the config/access types you annotate with (`OpenSaasConfig`, `ListConfig`, `FieldConfig`, `AccessControl`, `FieldAccess`, `Session`, `AccessContext`, `PrismaFilter`, `OperationAccess`).
+- **`@opensaas/stack-core/fields`** — field builder functions (`text()`, `integer()`, …) and their config types (`TextField`, `IntegerField`, `DecimalField`, `CalendarDayField`, …, plus `PrismaRelationResult`). The builders and the types they produce live together here.
+- **`@opensaas/stack-core/extend`** — authoring contracts: implement these to build a plugin (`Plugin`, `PluginContext`, `GeneratedFiles`) or a third-party field package (`BaseFieldConfig`, `TypeInfo`, `TypeDescriptor`).
+- **`@opensaas/stack-core/mcp`** — MCP runtime handlers.
+- **`@opensaas/stack-core/internal`** — `@internal` plumbing shared between the `@opensaas/*` packages and generated `.opensaas/` code. **No semver guarantees**; application code should never import from here.
+`Session` deliberately stays on the root entry point because it is the module-augmentation target (`declare module '@opensaas/stack-core'`).
 ## Key Files & Exports
 ### Config (`src/config/`)
@@ -115,12 +127,16 @@ Hook types:
 Run via CLI: `pnpm generate`
-### Utilities (`src/utils.ts`)
+### Utilities (`src/lib/case-utils.ts`)
+Public naming helpers (exported from the root entry point):
 - `getDbKey(listKey)` - PascalCase → camelCase (e.g., `BlogPost` → `blogPost`)
 - `getUrlKey(listKey)` - PascalCase → kebab-case (e.g., `BlogPost` → `blog-post`)
 - `getListKeyFromUrl(urlKey)` - kebab-case → PascalCase (e.g., `blog-post` → `BlogPost`)
+The lower-level converters (`pascalToCamel`, `pascalToKebab`, `kebabToPascal`, `kebabToCamel`) are internal plumbing on `@opensaas/stack-core/internal`.
 ## Architecture Patterns
 ### Field Self-Containment
@@ -206,7 +222,7 @@ const context = createContext<typeof prisma>(config, prisma, session)
 ### With Third-Party Field Packages
-- Packages export field builders implementing `BaseFieldConfig`
+- Packages export field builders implementing `BaseFieldConfig` (imported from `@opensaas/stack-core/extend`)
 - No changes needed to core - fields are self-contained
 - Example: `@opensaas/stack-tiptap` provides `richText()` field

package/dist/access/access-filter.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import type { Session, AccessContext, PrismaFilter } from './types.js';
+import type { OpenSaasConfig, FieldConfig } from '../config/types.js';
+/**
+ * Access Filter — phase 1 of the two-phase read (pre-query).
+ *
+ * This module scopes which rows and relationships the database is allowed to
+ * return, before the query runs. It evaluates *operation-level* `query` access
+ * on related lists and turns the results into a Prisma `include`/`where` clause,
+ * so denied rows and relations never leave the database.
+ *
+ * Phase 2 (post-query field stripping + `resolveOutput` + virtual computation)
+ * lives in `field-visibility.ts`. The two phases cannot be merged: virtual
+ * fields are computed in JavaScript and post-query field access can depend on
+ * the fetched row, neither of which is expressible in SQL. See
+ * `docs/adr/0001-access-control-is-a-two-phase-read.md` and the access-control
+ * glossary in `CONTEXT.md`.
+ */
+/**
+ * Build Prisma include object with access control filters
+ * This allows us to filter relationships at the database level instead of in memory
+ */
+export declare function buildIncludeWithAccessControl(fieldConfigs: Record<string, FieldConfig>, args: {
+    session: Session | null;
+    context: AccessContext;
+}, config: OpenSaasConfig, depth?: number): Promise<Record<string, boolean | {
+    where?: PrismaFilter;
+    include?: Record<string, boolean | /*elided*/ any>;
+}> | undefined>;
+//# sourceMappingURL=access-filter.d.ts.map

package/dist/access/access-filter.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"access-filter.d.ts","sourceRoot":"","sources":["../../src/access/access-filter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AACtE,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAGrE;;;;;;;;;;;;;;GAcG;AAEH;;;GAGG;AACH,wBAAsB,6BAA6B,CACjD,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,EACzC,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,OAAO,EAAE,aAAa,CAAA;CACvB,EACD,MAAM,EAAE,cAAc,EACtB,KAAK,GAAE,MAAU;YAeuB,YAAY;cAAY,MAAM,CAAC,MAAM,2BAAe;gBAkD7F"}

package/dist/access/access-filter.js ADDED Viewed

@@ -0,0 +1,68 @@
+import { checkAccess, getRelatedListConfig } from './engine.js';
+/**
+ * Access Filter — phase 1 of the two-phase read (pre-query).
+ *
+ * This module scopes which rows and relationships the database is allowed to
+ * return, before the query runs. It evaluates *operation-level* `query` access
+ * on related lists and turns the results into a Prisma `include`/`where` clause,
+ * so denied rows and relations never leave the database.
+ *
+ * Phase 2 (post-query field stripping + `resolveOutput` + virtual computation)
+ * lives in `field-visibility.ts`. The two phases cannot be merged: virtual
+ * fields are computed in JavaScript and post-query field access can depend on
+ * the fetched row, neither of which is expressible in SQL. See
+ * `docs/adr/0001-access-control-is-a-two-phase-read.md` and the access-control
+ * glossary in `CONTEXT.md`.
+ */
+/**
+ * Build Prisma include object with access control filters
+ * This allows us to filter relationships at the database level instead of in memory
+ */
+export async function buildIncludeWithAccessControl(fieldConfigs, args, config, depth = 0) {
+    const MAX_DEPTH = 5;
+    if (depth >= MAX_DEPTH) {
+        return undefined;
+    }
+    // Skip auto-including relationships when inside a resolveOutput hook
+    // This prevents infinite loops when hooks make DB queries that include
+    // relationships back to the same entity (e.g., User virtual field queries Posts
+    // which includes author back to User, triggering the virtual field again)
+    if (args.context._resolveOutputCounter.depth > 0) {
+        return undefined;
+    }
+    const include = {};
+    let hasRelationships = false;
+    for (const [fieldName, fieldConfig] of Object.entries(fieldConfigs)) {
+        if (fieldConfig?.type === 'relationship' && 'ref' in fieldConfig && fieldConfig.ref) {
+            hasRelationships = true;
+            const relatedConfig = getRelatedListConfig(fieldConfig.ref, config);
+            if (relatedConfig) {
+                // Check query access for the related list
+                const queryAccess = relatedConfig.listConfig.access?.operation?.query;
+                const accessResult = await checkAccess(queryAccess, {
+                    session: args.session,
+                    context: args.context,
+                });
+                // If access is completely denied, exclude this relationship
+                if (accessResult === false) {
+                    continue;
+                }
+                // Build the include entry
+                const includeEntry = {};
+                // If access returns a filter, add it to the where clause
+                if (typeof accessResult === 'object') {
+                    includeEntry.where = accessResult;
+                }
+                // Recursively build nested includes
+                const nestedInclude = await buildIncludeWithAccessControl(relatedConfig.listConfig.fields, args, config, depth + 1);
+                if (nestedInclude && Object.keys(nestedInclude).length > 0) {
+                    includeEntry.include = nestedInclude;
+                }
+                // Add to include object
+                include[fieldName] = Object.keys(includeEntry).length > 0 ? includeEntry : true;
+            }
+        }
+    }
+    return hasRelationships ? include : undefined;
+}
+//# sourceMappingURL=access-filter.js.map

package/dist/access/access-filter.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"access-filter.js","sourceRoot":"","sources":["../../src/access/access-filter.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AAE/D;;;;;;;;;;;;;;GAcG;AAEH;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,YAAyC,EACzC,IAGC,EACD,MAAsB,EACtB,QAAgB,CAAC;IAEjB,MAAM,SAAS,GAAG,CAAC,CAAA;IACnB,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;QACvB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,qEAAqE;IACrE,uEAAuE;IACvE,gFAAgF;IAChF,0EAA0E;IAC1E,IAAI,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,SAAS,CAAA;IAClB,CAAC;IAID,MAAM,OAAO,GAAiC,EAAE,CAAA;IAChD,IAAI,gBAAgB,GAAG,KAAK,CAAA;IAE5B,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,IAAI,WAAW,EAAE,IAAI,KAAK,cAAc,IAAI,KAAK,IAAI,WAAW,IAAI,WAAW,CAAC,GAAG,EAAE,CAAC;YACpF,gBAAgB,GAAG,IAAI,CAAA;YACvB,MAAM,aAAa,GAAG,oBAAoB,CAAC,WAAW,CAAC,GAAa,EAAE,MAAM,CAAC,CAAA;YAE7E,IAAI,aAAa,EAAE,CAAC;gBAClB,0CAA0C;gBAC1C,MAAM,WAAW,GAAG,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAA;gBACrE,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE;oBAClD,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,OAAO,EAAE,IAAI,CAAC,OAAO;iBACtB,CAAC,CAAA;gBAEF,4DAA4D;gBAC5D,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;oBAC3B,SAAQ;gBACV,CAAC;gBAED,0BAA0B;gBAC1B,MAAM,YAAY,GAA4B,EAAE,CAAA;gBAEhD,yDAAyD;gBACzD,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;oBACrC,YAAY,CAAC,KAAK,GAAG,YAAY,CAAA;gBACnC,CAAC;gBAED,oCAAoC;gBACpC,MAAM,aAAa,GAAG,MAAM,6BAA6B,CACvD,aAAa,CAAC,UAAU,CAAC,MAAM,EAC/B,IAAI,EACJ,MAAM,EACN,KAAK,GAAG,CAAC,CACV,CAAA;gBAED,IAAI,aAAa,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3D,YAAY,CAAC,OAAO,GAAG,aAAa,CAAA;gBACtC,CAAC;gBAED,wBAAwB;gBACxB,OAAO,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAA;YACjF,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;AAC/C,CAAC"}

package/dist/access/engine.d.ts CHANGED Viewed

@@ -1,6 +1,19 @@
 import type { AccessControl, Session, AccessContext, PrismaFilter } from './types.js';
-import type { FieldAccess } from './types.js';
-import type { OpenSaasConfig, ListConfig, FieldConfig } from '../config/types.js';
+import type { OpenSaasConfig, ListConfig } from '../config/types.js';
+/**
+ * Access engine — operation-level access control and shared helpers.
+ *
+ * This module holds the *operation-level* (list-level) access primitives and
+ * the ref-parsing helper shared across both phases of the two-phase read:
+ *
+ *   - Phase 1, Access Filter (pre-query row/relation scoping): `access-filter.ts`
+ *   - Phase 2, Field Visibility (post-query field stripping + resolveOutput +
+ *     virtual fields): `field-visibility.ts`
+ *
+ * Field-level access evaluation is centralized in `field-access.ts`
+ * (`checkFieldAccess`). See `docs/adr/0001-access-control-is-a-two-phase-read.md`
+ * and the access-control glossary in `CONTEXT.md`.
+ */
 /**
  * Check if access control result is a boolean
  */
@@ -33,50 +46,4 @@ export declare function checkAccess<T = Record<string, unknown>>(accessControl:
  * Merge user filter with access control filter
  */
 export declare function mergeFilters(userFilter: PrismaFilter | undefined, accessFilter: boolean | PrismaFilter): PrismaFilter | null;
-/**
- * Check field-level access for a specific operation
- */
-export declare function checkFieldAccess(fieldAccess: FieldAccess | undefined, operation: 'read' | 'create' | 'update', args: {
-    session: Session | null;
-    item?: Record<string, unknown>;
-    context: AccessContext & {
-        _isSudo?: boolean;
-    };
-    inputData?: Record<string, unknown>;
-}): Promise<boolean>;
-/**
- * Build Prisma include object with access control filters
- * This allows us to filter relationships at the database level instead of in memory
- */
-export declare function buildIncludeWithAccessControl(fieldConfigs: Record<string, FieldConfig>, args: {
-    session: Session | null;
-    context: AccessContext;
-}, config: OpenSaasConfig, depth?: number): Promise<Record<string, boolean | {
-    where?: PrismaFilter;
-    include?: Record<string, boolean | /*elided*/ any>;
-}> | undefined>;
-/**
- * Filter fields from an object based on read access
- * Recursively applies access control to nested relationships
- */
-export declare function filterReadableFields<T extends Record<string, unknown>>(item: T, fieldConfigs: Record<string, FieldConfig>, args: {
-    session: Session | null;
-    context: AccessContext & {
-        _isSudo?: boolean;
-    };
-}, config?: OpenSaasConfig, depth?: number, listKey?: string): Promise<Partial<T>>;
-/**
- * Filter fields from input data based on write access (create/update)
- */
-export declare function filterWritableFields<T extends Record<string, unknown>>(data: T, fieldConfigs: Record<string, {
-    access?: FieldAccess;
-    type?: string;
-}>, operation: 'create' | 'update', args: {
-    session: Session | null;
-    item?: Record<string, unknown>;
-    context: AccessContext & {
-        _isSudo?: boolean;
-    };
-    inputData?: Record<string, unknown>;
-}): Promise<Partial<T>>;
 //# sourceMappingURL=engine.d.ts.map

package/dist/access/engine.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/access/engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AACrF,OAAO,KAAK,EAAE,~~WAAW,EAAE,MAAM,YAAY,CAAA;AAC7C,OAAO,KAAK,EAAE,~~cAAc,EAAE,UAAU,EAAE,~~WAAW,EAAE,~~MAAM,oBAAoB,CAAA;~~AAgBjF~~;;GAEG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,OAAO,CAE1D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,YAAY,CAEpE;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,MAAM,EACvB,MAAM,EAAE,cAAc,GAErB;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAA;CAAE,GAAG,IAAI,CAe1D;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3D,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,SAAS,EAC3C,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE,CAAC,CAAA;IACR,OAAO,EAAE,aAAa,CAAA;CACvB,GACA,OAAO,CAAC,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAUpC;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,UAAU,EAAE,YAAY,GAAG,SAAS,EACpC,YAAY,EAAE,OAAO,GAAG,YAAY,GACnC,YAAY,GAAG,IAAI,CAoBrB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,WAAW,GAAG,SAAS,EACpC,SAAS,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,EACvC,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC9B,OAAO,EAAE,aAAa,GAAG;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACpC,GACA,OAAO,CAAC,OAAO,CAAC,CAmClB;AA8BD;;;GAGG;AACH,wBAAsB,6BAA6B,CACjD,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,EACzC,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,OAAO,EAAE,aAAa,CAAA;CACvB,EACD,MAAM,EAAE,cAAc,EACtB,KAAK,GAAE,MAAU;YAeuB,YAAY;cAAY,MAAM,CAAC,MAAM,2BAAe;gBAkD7F;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1E,IAAI,EAAE,CAAC,EACP,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,EACzC,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,OAAO,EAAE,aAAa,GAAG;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;CAC/C,EACD,MAAM,CAAC,EAAE,cAAc,EACvB,KAAK,GAAE,MAAU,EACjB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAqJrB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1E,IAAI,EAAE,CAAC,EACP,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE;IAAE,MAAM,CAAC,EAAE,WAAW,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,EACrE,SAAS,EAAE,QAAQ,GAAG,QAAQ,EAC9B,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC9B,OAAO,EAAE,aAAa,GAAG;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACpC,GACA,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAgDrB"}
1	+ {"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../src/access/engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AACrF,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAEpE;;;;;;;;;;;;;GAaG;AAEH;;GAEG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,OAAO,CAE1D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,YAAY,CAEpE;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,MAAM,EACvB,MAAM,EAAE,cAAc,GAErB;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAA;CAAE,GAAG,IAAI,CAe1D;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3D,aAAa,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,SAAS,EAC3C,IAAI,EAAE;IACJ,OAAO,EAAE,OAAO,GAAG,IAAI,CAAA;IACvB,IAAI,CAAC,EAAE,CAAC,CAAA;IACR,OAAO,EAAE,aAAa,CAAA;CACvB,GACA,OAAO,CAAC,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAUpC;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,UAAU,EAAE,YAAY,GAAG,SAAS,EACpC,YAAY,EAAE,OAAO,GAAG,YAAY,GACnC,YAAY,GAAG,IAAI,CAoBrB"}

package/dist/access/engine.js CHANGED Viewed

@@ -1,3 +1,17 @@
+/**
+ * Access engine — operation-level access control and shared helpers.
+ *
+ * This module holds the *operation-level* (list-level) access primitives and
+ * the ref-parsing helper shared across both phases of the two-phase read:
+ *
+ *   - Phase 1, Access Filter (pre-query row/relation scoping): `access-filter.ts`
+ *   - Phase 2, Field Visibility (post-query field stripping + resolveOutput +
+ *     virtual fields): `field-visibility.ts`
+ *
+ * Field-level access evaluation is centralized in `field-access.ts`
+ * (`checkFieldAccess`). See `docs/adr/0001-access-control-is-a-two-phase-read.md`
+ * and the access-control glossary in `CONTEXT.md`.
+ */
 /**
  * Check if access control result is a boolean
  */
@@ -64,284 +78,4 @@ export function mergeFilters(userFilter, accessFilter) {
         AND: [accessFilter, userFilter],
     };
 }
-/**
- * Check field-level access for a specific operation
- */
-export async function checkFieldAccess(fieldAccess, operation, args) {
-    // Skip access check in sudo mode
-    if (args.context._isSudo) {
-        return true;
-    }
-    if (!fieldAccess) {
-        return true; // No field access means allow
-    }
-    const accessControl = fieldAccess[operation];
-    if (!accessControl) {
-        return true; // No specific access control means allow
-    }
-    const result = await accessControl({
-        session: args.session,
-        item: args.item,
-        context: args.context,
-        inputData: args.inputData,
-        operation,
-    });
-    // If result is false, deny access
-    if (result === false) {
-        return false;
-    }
-    // If result is true, allow access
-    if (result === true) {
-        return true;
-    }
-    // Default to allowing access if we can't determine
-    return true;
-}
-/**
- * Simple filter matching for field-level access
- * Checks if an item matches a Prisma-like filter object
- */
-function matchesFilter(item, filter) {
-    for (const [key, condition] of Object.entries(filter)) {
-        if (typeof condition === 'object' && condition !== null) {
-            // Handle nested conditions like { equals: value }
-            if ('equals' in condition) {
-                if (item[key] !== condition.equals) {
-                    return false;
-                }
-            }
-            else if ('not' in condition) {
-                if (item[key] === condition.not) {
-                    return false;
-                }
-            }
-            // Add more condition types as needed
-        }
-        else {
-            // Direct equality check
-            if (item[key] !== condition) {
-                return false;
-            }
-        }
-    }
-    return true;
-}
-/**
- * Build Prisma include object with access control filters
- * This allows us to filter relationships at the database level instead of in memory
- */
-export async function buildIncludeWithAccessControl(fieldConfigs, args, config, depth = 0) {
-    const MAX_DEPTH = 5;
-    if (depth >= MAX_DEPTH) {
-        return undefined;
-    }
-    // Skip auto-including relationships when inside a resolveOutput hook
-    // This prevents infinite loops when hooks make DB queries that include
-    // relationships back to the same entity (e.g., User virtual field queries Posts
-    // which includes author back to User, triggering the virtual field again)
-    if (args.context._resolveOutputCounter.depth > 0) {
-        return undefined;
-    }
-    const include = {};
-    let hasRelationships = false;
-    for (const [fieldName, fieldConfig] of Object.entries(fieldConfigs)) {
-        if (fieldConfig?.type === 'relationship' && 'ref' in fieldConfig && fieldConfig.ref) {
-            hasRelationships = true;
-            const relatedConfig = getRelatedListConfig(fieldConfig.ref, config);
-            if (relatedConfig) {
-                // Check query access for the related list
-                const queryAccess = relatedConfig.listConfig.access?.operation?.query;
-                const accessResult = await checkAccess(queryAccess, {
-                    session: args.session,
-                    context: args.context,
-                });
-                // If access is completely denied, exclude this relationship
-                if (accessResult === false) {
-                    continue;
-                }
-                // Build the include entry
-                const includeEntry = {};
-                // If access returns a filter, add it to the where clause
-                if (typeof accessResult === 'object') {
-                    includeEntry.where = accessResult;
-                }
-                // Recursively build nested includes
-                const nestedInclude = await buildIncludeWithAccessControl(relatedConfig.listConfig.fields, args, config, depth + 1);
-                if (nestedInclude && Object.keys(nestedInclude).length > 0) {
-                    includeEntry.include = nestedInclude;
-                }
-                // Add to include object
-                include[fieldName] = Object.keys(includeEntry).length > 0 ? includeEntry : true;
-            }
-        }
-    }
-    return hasRelationships ? include : undefined;
-}
-/**
- * Filter fields from an object based on read access
- * Recursively applies access control to nested relationships
- */
-export async function filterReadableFields(item, fieldConfigs, args, config, depth = 0, listKey) {
-    const filtered = {};
-    const MAX_DEPTH = 5; // Prevent infinite recursion
-    // Process existing fields from the database result
-    for (const [fieldName, value] of Object.entries(item)) {
-        const fieldConfig = fieldConfigs[fieldName];
-        // Always include id, createdAt, updatedAt
-        if (['id', 'createdAt', 'updatedAt'].includes(fieldName)) {
-            filtered[fieldName] = value;
-            continue;
-        }
-        // Check field access (checkFieldAccess already handles sudo mode)
-        const canRead = await checkFieldAccess(fieldConfig?.access, 'read', {
-            ...args,
-            item,
-        });
-        if (!canRead) {
-            continue;
-        }
-        // Handle relationship fields - recursively filter fields within related items
-        // Note: Access control filtering is now done at database level via buildIncludeWithAccessControl
-        // This only handles field-level access (hiding sensitive fields)
-        if (config &&
-            fieldConfig?.type === 'relationship' &&
-            'ref' in fieldConfig &&
-            fieldConfig.ref &&
-            value !== null &&
-            value !== undefined &&
-            depth < MAX_DEPTH) {
-            const relatedConfig = getRelatedListConfig(fieldConfig.ref, config);
-            if (relatedConfig) {
-                // For many relationships (arrays) - recursively filter fields in each item
-                // The recursive call already handles applying resolveOutput hooks
-                if (Array.isArray(value)) {
-                    filtered[fieldName] = await Promise.all(value.map((relatedItem) => filterReadableFields(relatedItem, relatedConfig.listConfig.fields, args, config, depth + 1, relatedConfig.listName)));
-                }
-                // For single relationships (objects) - recursively filter fields
-                // The recursive call already handles applying resolveOutput hooks
-                else if (typeof value === 'object') {
-                    filtered[fieldName] = await filterReadableFields(value, relatedConfig.listConfig.fields, args, config, depth + 1, relatedConfig.listName);
-                }
-            }
-            else {
-                // Related config not found, include the value as-is
-                filtered[fieldName] = value;
-            }
-        }
-        else {
-            // Non-relationship field or no config provided - apply resolveOutput hook if present
-            if (fieldConfig?.hooks?.resolveOutput && listKey) {
-                // Cast to runtime type for generic execution
-                // At runtime, the hook will receive the correct value type for the field
-                const hook = fieldConfig.hooks.resolveOutput;
-                // Increment depth counter to prevent infinite loops from hooks making DB queries
-                // that include relationships back to the same entity
-                args.context._resolveOutputCounter.depth++;
-                try {
-                    // Use Promise.resolve() to handle both sync and async hooks
-                    filtered[fieldName] = await Promise.resolve(hook({
-                        value,
-                        operation: 'query',
-                        fieldName,
-                        listKey,
-                        item,
-                        context: args.context,
-                    }));
-                }
-                finally {
-                    args.context._resolveOutputCounter.depth--;
-                }
-            }
-            else {
-                filtered[fieldName] = value;
-            }
-        }
-    }
-    // Process virtual fields - compute values from other fields
-    // Virtual fields don't exist in the database result, so we need to compute them separately
-    for (const [fieldName, fieldConfig] of Object.entries(fieldConfigs)) {
-        // Skip if already processed (from database result)
-        if (fieldName in filtered) {
-            continue;
-        }
-        // Only process virtual fields
-        if (!fieldConfig.virtual) {
-            continue;
-        }
-        // Check field access
-        const canRead = await checkFieldAccess(fieldConfig.access, 'read', {
-            ...args,
-            item,
-        });
-        if (!canRead) {
-            continue;
-        }
-        // Virtual fields must have resolveOutput hook to compute their value
-        if (fieldConfig.hooks?.resolveOutput && listKey) {
-            const hook = fieldConfig.hooks.resolveOutput;
-            // Increment depth counter to prevent infinite loops from hooks making DB queries
-            // that include relationships back to the same entity
-            args.context._resolveOutputCounter.depth++;
-            try {
-                // Use Promise.resolve() to handle both sync and async hooks
-                filtered[fieldName] = await Promise.resolve(hook({
-                    value: undefined, // Virtual fields don't have a database value
-                    operation: 'query',
-                    fieldName,
-                    listKey,
-                    item: filtered, // Pass filtered item so virtual field can access other fields
-                    context: args.context,
-                }));
-            }
-            finally {
-                args.context._resolveOutputCounter.depth--;
-            }
-        }
-    }
-    return filtered;
-}
-/**
- * Filter fields from input data based on write access (create/update)
- */
-export async function filterWritableFields(data, fieldConfigs, operation, args) {
-    const filtered = {};
-    // Build a set of foreign key field names to exclude
-    // Foreign keys should not be in the data when using Prisma's relation syntax
-    const foreignKeyFields = new Set();
-    for (const [fieldName, fieldConfig] of Object.entries(fieldConfigs)) {
-        if (fieldConfig.type === 'relationship') {
-            // For non-many relationships, Prisma creates a foreign key field named `${fieldName}Id`
-            const relConfig = fieldConfig;
-            if (!relConfig.many) {
-                foreignKeyFields.add(`${fieldName}Id`);
-            }
-        }
-    }
-    for (const [fieldName, value] of Object.entries(data)) {
-        const fieldConfig = fieldConfigs[fieldName];
-        // Skip system fields
-        if (['id', 'createdAt', 'updatedAt'].includes(fieldName)) {
-            continue;
-        }
-        // Skip virtual fields - they don't store in database
-        // Virtual fields with resolveInput hooks handle side effects separately
-        if (fieldConfig && 'virtual' in fieldConfig && fieldConfig.virtual) {
-            continue;
-        }
-        // Skip foreign key fields (e.g., authorId) when their corresponding relationship field exists
-        // This prevents conflicts when using Prisma's relation syntax (e.g., author: { connect: { id } })
-        if (foreignKeyFields.has(fieldName)) {
-            continue;
-        }
-        // Check field access (checkFieldAccess already handles sudo mode)
-        const canWrite = await checkFieldAccess(fieldConfig?.access, operation, {
-            ...args,
-            inputData: args.inputData,
-        });
-        if (canWrite) {
-            filtered[fieldName] = value;
-        }
-    }
-    return filtered;
-}
 //# sourceMappingURL=engine.js.map

package/dist/access/engine.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/access/engine.ts"],"names":[],"mappings":"~~AAkBA~~;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAc;IACtC,OAAO,OAAO,KAAK,KAAK,SAAS,CAAA;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;AAC7E,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,eAAuB,EACvB,MAAsB;IAGtB,uDAAuD;IACvD,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IACzB,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAA;IAEzC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAA;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,aAA2C,EAC3C,IAIC;IAED,0CAA0C;IAC1C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,sCAAsC;IACtC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,CAAA;IAExC,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,UAAoC,EACpC,YAAoC;IAEpC,mCAAmC;IACnC,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,8CAA8C;IAC9C,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,OAAO,UAAU,IAAI,EAAE,CAAA;IACzB,CAAC;IAED,uCAAuC;IACvC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,YAAY,CAAA;IACrB,CAAC;IAED,2BAA2B;IAC3B,OAAO;QACL,GAAG,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC;KAChC,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAoC,EACpC,SAAuC,EACvC,IAKC;IAED,iCAAiC;IACjC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,IAAI,CAAA,CAAC,8BAA8B;IAC5C,CAAC;IAED,MAAM,aAAa,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IAC5C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAA,CAAC,yCAAyC;IACvD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;QACjC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS;KAC6B,CAAC,CAAA;IAEzC,kCAAkC;IAClC,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,kCAAkC;IAClC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,mDAAmD;IACnD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,IAA6B,EAAE,MAA+B;IACnF,KAAK,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACtD,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACxD,kDAAkD;YAClD,IAAI,QAAQ,IAAI,SAAS,EAAE,CAAC;gBAC1B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,MAAM,EAAE,CAAC;oBACnC,OAAO,KAAK,CAAA;gBACd,CAAC;YACH,CAAC;iBAAM,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;gBAC9B,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;oBAChC,OAAO,KAAK,CAAA;gBACd,CAAC;YACH,CAAC;YACD,qCAAqC;QACvC,CAAC;aAAM,CAAC;YACN,wBAAwB;YACxB,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC5B,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CACjD,YAAyC,EACzC,IAGC,EACD,MAAsB,EACtB,QAAgB,CAAC;IAEjB,MAAM,SAAS,GAAG,CAAC,CAAA;IACnB,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;QACvB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,qEAAqE;IACrE,uEAAuE;IACvE,gFAAgF;IAChF,0EAA0E;IAC1E,IAAI,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,SAAS,CAAA;IAClB,CAAC;IAID,MAAM,OAAO,GAAiC,EAAE,CAAA;IAChD,IAAI,gBAAgB,GAAG,KAAK,CAAA;IAE5B,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,IAAI,WAAW,EAAE,IAAI,KAAK,cAAc,IAAI,KAAK,IAAI,WAAW,IAAI,WAAW,CAAC,GAAG,EAAE,CAAC;YACpF,gBAAgB,GAAG,IAAI,CAAA;YACvB,MAAM,aAAa,GAAG,oBAAoB,CAAC,WAAW,CAAC,GAAa,EAAE,MAAM,CAAC,CAAA;YAE7E,IAAI,aAAa,EAAE,CAAC;gBAClB,0CAA0C;gBAC1C,MAAM,WAAW,GAAG,aAAa,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAA;gBACrE,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE;oBAClD,OAAO,EAAE,IAAI,CAAC,OAAO;oBACrB,OAAO,EAAE,IAAI,CAAC,OAAO;iBACtB,CAAC,CAAA;gBAEF,4DAA4D;gBAC5D,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;oBAC3B,SAAQ;gBACV,CAAC;gBAED,0BAA0B;gBAC1B,MAAM,YAAY,GAA4B,EAAE,CAAA;gBAEhD,yDAAyD;gBACzD,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;oBACrC,YAAY,CAAC,KAAK,GAAG,YAAY,CAAA;gBACnC,CAAC;gBAED,oCAAoC;gBACpC,MAAM,aAAa,GAAG,MAAM,6BAA6B,CACvD,aAAa,CAAC,UAAU,CAAC,MAAM,EAC/B,IAAI,EACJ,MAAM,EACN,KAAK,GAAG,CAAC,CACV,CAAA;gBAED,IAAI,aAAa,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3D,YAAY,CAAC,OAAO,GAAG,aAAa,CAAA;gBACtC,CAAC;gBAED,wBAAwB;gBACxB,OAAO,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAA;YACjF,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,gBAAgB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAA;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAO,EACP,YAAyC,EACzC,IAGC,EACD,MAAuB,EACvB,QAAgB,CAAC,EACjB,OAAgB;IAEhB,MAAM,QAAQ,GAA4B,EAAE,CAAA;IAC5C,MAAM,SAAS,GAAG,CAAC,CAAA,CAAC,6BAA6B;IAEjD,mDAAmD;IACnD,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACtD,MAAM,WAAW,GAAG,YAAY,CAAC,SAAS,CAAC,CAAA;QAE3C,0CAA0C;QAC1C,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACzD,QAAQ,CAAC,SAAS,CAAC,GAAG,KAAK,CAAA;YAC3B,SAAQ;QACV,CAAC;QAED,kEAAkE;QAClE,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE;YAClE,GAAG,IAAI;YACP,IAAI;SACL,CAAC,CAAA;QAEF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,SAAQ;QACV,CAAC;QAED,8EAA8E;QAC9E,iGAAiG;QACjG,iEAAiE;QACjE,IACE,MAAM;YACN,WAAW,EAAE,IAAI,KAAK,cAAc;YACpC,KAAK,IAAI,WAAW;YACpB,WAAW,CAAC,GAAG;YACf,KAAK,KAAK,IAAI;YACd,KAAK,KAAK,SAAS;YACnB,KAAK,GAAG,SAAS,EACjB,CAAC;YACD,MAAM,aAAa,GAAG,oBAAoB,CAAC,WAAW,CAAC,GAAa,EAAE,MAAM,CAAC,CAAA;YAE7E,IAAI,aAAa,EAAE,CAAC;gBAClB,2EAA2E;gBAC3E,kEAAkE;gBAClE,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;oBACzB,QAAQ,CAAC,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CACrC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CACxB,oBAAoB,CAClB,WAAW,EACX,aAAa,CAAC,UAAU,CAAC,MAAM,EAC/B,IAAI,EACJ,MAAM,EACN,KAAK,GAAG,CAAC,EACT,aAAa,CAAC,QAAQ,CACvB,CACF,CACF,CAAA;gBACH,CAAC;gBACD,iEAAiE;gBACjE,kEAAkE;qBAC7D,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACnC,QAAQ,CAAC,SAAS,CAAC,GAAG,MAAM,oBAAoB,CAC9C,KAAgC,EAChC,aAAa,CAAC,UAAU,CAAC,MAAM,EAC/B,IAAI,EACJ,MAAM,EACN,KAAK,GAAG,CAAC,EACT,aAAa,CAAC,QAAQ,CACvB,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,oDAAoD;gBACpD,QAAQ,CAAC,SAAS,CAAC,GAAG,KAAK,CAAA;YAC7B,CAAC;QACH,CAAC;aAAM,CAAC;YACN,qFAAqF;YACrF,IAAI,WAAW,EAAE,KAAK,EAAE,aAAa,IAAI,OAAO,EAAE,CAAC;gBACjD,6CAA6C;gBAC7C,yEAAyE;gBACzE,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,aAAoD,CAAA;gBACnF,iFAAiF;gBACjF,qDAAqD;gBACrD,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAA;gBAC1C,IAAI,CAAC;oBACH,4DAA4D;oBAC5D,QAAQ,CAAC,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,OAAO,CACzC,IAAI,CAAC;wBACH,KAAK;wBACL,SAAS,EAAE,OAAO;wBAClB,SAAS;wBACT,OAAO;wBACP,IAAI;wBACJ,OAAO,EAAE,IAAI,CAAC,OAAO;qBACtB,CAAC,CACH,CAAA;gBACH,CAAC;wBAAS,CAAC;oBACT,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAA;gBAC5C,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,SAAS,CAAC,GAAG,KAAK,CAAA;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,2FAA2F;IAC3F,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,mDAAmD;QACnD,IAAI,SAAS,IAAI,QAAQ,EAAE,CAAC;YAC1B,SAAQ;QACV,CAAC;QAED,8BAA8B;QAC9B,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;YACzB,SAAQ;QACV,CAAC;QAED,qBAAqB;QACrB,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE;YACjE,GAAG,IAAI;YACP,IAAI;SACL,CAAC,CAAA;QAEF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,SAAQ;QACV,CAAC;QAED,qEAAqE;QACrE,IAAI,WAAW,CAAC,KAAK,EAAE,aAAa,IAAI,OAAO,EAAE,CAAC;YAChD,MAAM,IAAI,GAAG,WAAW,CAAC,KAAK,CAAC,aAAoD,CAAA;YACnF,iFAAiF;YACjF,qDAAqD;YACrD,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAA;YAC1C,IAAI,CAAC;gBACH,4DAA4D;gBAC5D,QAAQ,CAAC,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,OAAO,CACzC,IAAI,CAAC;oBACH,KAAK,EAAE,SAAS,EAAE,6CAA6C;oBAC/D,SAAS,EAAE,OAAO;oBAClB,SAAS;oBACT,OAAO;oBACP,IAAI,EAAE,QAAQ,EAAE,8DAA8D;oBAC9E,OAAO,EAAE,IAAI,CAAC,OAAO;iBACtB,CAAC,CACH,CAAA;YACH,CAAC;oBAAS,CAAC;gBACT,IAAI,CAAC,OAAO,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAA;YAC5C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAsB,CAAA;AAC/B,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAO,EACP,YAAqE,EACrE,SAA8B,EAC9B,IAKC;IAED,MAAM,QAAQ,GAA4B,EAAE,CAAA;IAE5C,oDAAoD;IACpD,6EAA6E;IAC7E,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAU,CAAA;IAC1C,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QACpE,IAAI,WAAW,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YACxC,wFAAwF;YACxF,MAAM,SAAS,GAAG,WAAiC,CAAA;YACnD,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;gBACpB,gBAAgB,CAAC,GAAG,CAAC,GAAG,SAAS,IAAI,CAAC,CAAA;YACxC,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACtD,MAAM,WAAW,GAAG,YAAY,CAAC,SAAS,CAAC,CAAA;QAE3C,qBAAqB;QACrB,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACzD,SAAQ;QACV,CAAC;QAED,qDAAqD;QACrD,wEAAwE;QACxE,IAAI,WAAW,IAAI,SAAS,IAAI,WAAW,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YACnE,SAAQ;QACV,CAAC;QAED,8FAA8F;QAC9F,kGAAkG;QAClG,IAAI,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,SAAQ;QACV,CAAC;QAED,kEAAkE;QAClE,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE;YACtE,GAAG,IAAI;YACP,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAA;QAEF,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,CAAC,SAAS,CAAC,GAAG,KAAK,CAAA;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,QAAsB,CAAA;AAC/B,CAAC"}
1	+ {"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/access/engine.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;;;GAaG;AAEH;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAc;IACtC,OAAO,OAAO,KAAK,KAAK,SAAS,CAAA;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;AAC7E,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,eAAuB,EACvB,MAAsB;IAGtB,uDAAuD;IACvD,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IACzB,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAA;IAEzC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAA;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,aAA2C,EAC3C,IAIC;IAED,0CAA0C;IAC1C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,sCAAsC;IACtC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,CAAA;IAExC,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,UAAoC,EACpC,YAAoC;IAEpC,mCAAmC;IACnC,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,8CAA8C;IAC9C,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QAC1B,OAAO,UAAU,IAAI,EAAE,CAAA;IACzB,CAAC;IAED,uCAAuC;IACvC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,YAAY,CAAA;IACrB,CAAC;IAED,2BAA2B;IAC3B,OAAO;QACL,GAAG,EAAE,CAAC,YAAY,EAAE,UAAU,CAAC;KAChC,CAAA;AACH,CAAC"}