@ozdao/martyrs 0.2.563 → 0.2.565

package/dist/abac-DYoheWuc.js

@@ -1,1031 +0,0 @@
-import { C as CacheNamespaced } from "./core.cache-DALYFDdy.js";
-import { L as LoggerNamespaced } from "./core.logger-C3q8A9dl.js";
-class ABACCore {
-  constructor(abac) {
-    this.abac = abac;
-    this.runningPolicies = /* @__PURE__ */ new Map();
-  }
-  // Нормализация контекста
-  normalizeContext(input) {
-    const context = {
-      user: null,
-      action: null,
-      resource: null,
-      currentResource: null,
-      data: {},
-      req: null,
-      socket: null,
-      params: {},
-      _cache: /* @__PURE__ */ new Map(),
-      _abac: this.abac,
-      // Добавляем флаг для пропуска field policies (например, для админов)
-      skipFieldPolicies: input.skipFieldPolicies || false
-    };
-    if (input.req) {
-      context.user = input.user || input.req.userId;
-      context.data = {
-        ...input.req.body,
-        ...input.req.query,
-        params: input.req.params
-      };
-      context.params = input.req.params;
-      context.req = input.req;
-    } else if (input.socket) {
-      context.user = input.user || input.socket.userId;
-      context.socket = input.socket;
-      context.data = input.data || {};
-    }
-    return Object.assign(context, input);
-  }
-  // Выполнение политики с кэшированием
-  async executePolicyWithCache(policyName, policyFn, context) {
-    const contextCacheKey = `${policyName}_${context.action}`;
-    if (context._cache.has(contextCacheKey)) {
-      return context._cache.get(contextCacheKey);
-    }
-    const globalCacheKey = `policy_${policyName}_${context.user}_${context.resource}_${context.action}`;
-    if (this.abac.options.cacheEnabled) {
-      const cached = await this.abac.cache.get(globalCacheKey);
-      if (cached !== void 0) {
-        context._cache.set(contextCacheKey, cached);
-        return cached;
-      }
-    }
-    const result = await policyFn(context);
-    context._cache.set(contextCacheKey, result);
-    if (this.abac.options.cacheEnabled) {
-      await this.abac.cache.setWithTags(globalCacheKey, result, [
-        `user_${context.user}`,
-        `resource_${context.resource}`,
-        `policy_${policyName}`
-      ]);
-    }
-    return result;
-  }
-  // Выполнение политик с ограничением параллельности
-  async executePoliciesLimited(policies, context, stopOnDeny = false) {
-    const results = [];
-    const limit = this.abac.options.concurrencyLimit;
-    const batches = [];
-    for (let i = 0; i < policies.length; i += limit) {
-      batches.push(policies.slice(i, i + limit));
-    }
-    for (const batch of batches) {
-      const batchPromises = batch.map(async ([name, policy]) => {
-        try {
-          const policyFn = typeof policy === "function" ? policy : policy.fn;
-          const result = await this.executePolicyWithCache(name, policyFn, context);
-          return { name, result: this.normalizeResult(result, name) };
-        } catch (error) {
-          console.error(`Error in policy ${name}:`, error);
-          return {
-            name,
-            result: {
-              allow: !this.abac.options.strictMode,
-              reason: `POLICY_ERROR_${name.toUpperCase()}`
-            },
-            error
-          };
-        }
-      });
-      const batchResults = await Promise.all(batchPromises);
-      results.push(...batchResults);
-      if (stopOnDeny) {
-        const shouldStop = batchResults.some((r) => !r.result.allow || r.result.force);
-        if (shouldStop) break;
-      }
-    }
-    return results;
-  }
-  // Нормализация результата политики
-  normalizeResult(result, policyName) {
-    if (this.abac.options.strictMode && result === void 0) {
-      return { allow: false, force: false, reason: `UNDEFINED_IN_STRICT_MODE_${policyName.toUpperCase()}` };
-    }
-    if (result && typeof result === "object" && ("allow" in result || "force" in result)) {
-      return {
-        allow: result.allow !== void 0 ? !!result.allow : true,
-        force: !!result.force,
-        reason: result.reason || `POLICY_${policyName.toUpperCase()}`
-      };
-    }
-    if (result === true) {
-      return { allow: true, force: false, reason: `ALLOWED_BY_${policyName.toUpperCase()}` };
-    }
-    if (result === false) {
-      return { allow: false, force: false, reason: `DENIED_BY_${policyName.toUpperCase()}` };
-    }
-    return { allow: !this.abac.options.strictMode, force: false, reason: `NEUTRAL_${policyName.toUpperCase()}` };
-  }
-  // Основной метод проверки доступа
-  async checkAccess(rawContext, customPolicies = {}) {
-    const startTime = Date.now();
-    const context = this.normalizeContext(rawContext);
-    if (context.isServiceRequest) {
-      return { allow: true, reason: "SERVICE_REQUEST_ALLOWED" };
-    }
-    if (!context.user && !context.options?.allowUnauthenticated) {
-      return { allow: false, reason: "UNAUTHENTICATED_ACCESS_DENIED" };
-    }
-    if (!context.currentResource && (context.data?._id || context.data?.params?._id || context.data?.url)) {
-      await this.loadResource(context);
-    }
-    const result = await this.abac.policies.evaluate(context, customPolicies);
-    if (this.abac.options.enableAudit) {
-      await this.audit(context, result, Date.now() - startTime);
-    }
-    console.error("result logging:", result);
-    return result;
-  }
-  // Загрузка ресурса
-  async loadResource(context) {
-    const resourceModel = this.abac.getResourceModel(context.resource);
-    if (!resourceModel) return;
-    try {
-      let currentResource;
-      const id = context.data._id || context.data.params?._id;
-      if (id) {
-        currentResource = await resourceModel.findById(id);
-      } else if (context.data.url) {
-        currentResource = await resourceModel.findOne({ url: context.data.url });
-      }
-      if (currentResource) {
-        context.currentResource = currentResource;
-        context.resourceModel = resourceModel;
-      }
-    } catch (error) {
-      console.error("Resource loading error:", error);
-    }
-  }
-  // Аудит
-  async audit(context, result, duration) {
-    try {
-      let info = JSON.stringify({
-        type: "ACCESS_CHECK",
-        timestamp: /* @__PURE__ */ new Date(),
-        user: context.user,
-        resource: context.resource,
-        action: context.action,
-        result: result.allow,
-        reason: result.reason,
-        duration,
-        metadata: context.auditMetadata || {}
-      });
-      await this.abac.logger.log("info", info);
-      console.error("Audit logging:", info);
-    } catch (error) {
-      console.error("Audit logging error:", error);
-    }
-  }
-}
-class ABACPolicies {
-  constructor(abac) {
-    this.abac = abac;
-    this.global = /* @__PURE__ */ new Map();
-    this.resources = /* @__PURE__ */ new Map();
-    this.extensions = /* @__PURE__ */ new Map();
-    this.priorities = {
-      static: [],
-      dynamic: [],
-      extensions: []
-    };
-  }
-  registerGlobalPolicy(name, policyFn, metadata = {}) {
-    if (typeof policyFn !== "function") {
-      throw new Error(`Global policy "${name}" must be a function`);
-    }
-    const policy = {
-      fn: policyFn,
-      type: metadata.type || "dynamic",
-      ...metadata
-    };
-    this.global.set(name, policy);
-    this.updatePriorities();
-    return this.abac;
-  }
-  registerResourcePolicy(resourceName, policyFn, options = {}) {
-    if (typeof policyFn !== "function") {
-      throw new Error(`Resource policy for "${resourceName}" must be a function`);
-    }
-    this.resources.set(resourceName, {
-      fn: policyFn,
-      modelName: options.modelName || options.model || resourceName,
-      ...options
-    });
-    return this.abac;
-  }
-  registerExtension(moduleName, extensionFn) {
-    if (typeof extensionFn !== "function") {
-      throw new Error(`Extension "${moduleName}" must be a function`);
-    }
-    this.extensions.set(moduleName, extensionFn);
-    this.updatePriorities();
-    return this.abac;
-  }
-  updatePriorities() {
-    this.priorities = {
-      static: [],
-      dynamic: [],
-      extensions: []
-    };
-    for (const [name, policy] of this.global) {
-      const type = policy.type || "dynamic";
-      this.priorities[type].push([name, policy]);
-    }
-    this.priorities.extensions = Array.from(this.extensions.entries());
-  }
-  async evaluate(context, customPolicies = {}) {
-    const core = this.abac.core;
-    let hasForceAllow = false;
-    let hasForceDisallow = false;
-    let hasDeny = false;
-    let denyReason = "";
-    let allowReason = "";
-    const processResult = (result) => {
-      if (result.force) {
-        if (result.allow) {
-          hasForceAllow = true;
-          allowReason = result.reason;
-        } else {
-          hasForceDisallow = true;
-          denyReason = result.reason;
-        }
-      } else if (!result.allow) {
-        hasDeny = true;
-        if (!denyReason) denyReason = result.reason;
-      }
-    };
-    const checkForceFlags = () => {
-      if (hasForceDisallow) {
-        return {
-          allow: false,
-          reason: denyReason || "FORCE_DENIED_BY_POLICY"
-        };
-      }
-      if (hasForceAllow) {
-        return {
-          allow: true,
-          reason: allowReason || "FORCE_ALLOWED_BY_POLICY"
-        };
-      }
-      return null;
-    };
-    for (const type of ["static", "dynamic"]) {
-      const policies = [...this.priorities[type]];
-      if (type === "dynamic") {
-        for (const [name, fn] of Object.entries(customPolicies)) {
-          policies.push([name, { fn, type: "dynamic" }]);
-        }
-      }
-      const results = await core.executePoliciesLimited(
-        policies,
-        context,
-        type === "static"
-        // Для static останавливаемся на deny
-      );
-      for (const { result, error } of results) {
-        if (error) continue;
-        processResult(result);
-      }
-      const forceResult = checkForceFlags();
-      if (forceResult) return forceResult;
-    }
-    const resourcePolicy = this.resources.get(context.resource);
-    if (resourcePolicy) {
-      const results = await core.executePoliciesLimited(
-        [[`RESOURCE_${context.resource}`, resourcePolicy]],
-        context
-      );
-      if (!results[0].error) {
-        processResult(results[0].result);
-      }
-      const forceResult = checkForceFlags();
-      if (forceResult) return forceResult;
-    }
-    if (hasDeny) {
-      return {
-        allow: false,
-        reason: denyReason || "DENIED_BY_POLICY"
-      };
-    }
-    const extensionResults = await core.executePoliciesLimited(
-      this.priorities.extensions,
-      context
-    );
-    for (const { result } of extensionResults) {
-      if (result.allow) {
-        return { allow: true, reason: result.reason };
-      }
-    }
-    const defaultAllow = !this.abac.options.defaultDeny;
-    return {
-      allow: defaultAllow,
-      reason: defaultAllow ? "DEFAULT_ALLOW" : "DEFAULT_DENY"
-    };
-  }
-  // Проверка конкретных политик
-  async checkPolicies(rawContext, policyNames = [], customPolicies = {}) {
-    const context = this.abac.core.normalizeContext(rawContext);
-    const policies = this.getPoliciesByNames(policyNames, customPolicies);
-    const results = await this.abac.core.executePoliciesLimited(
-      Object.entries(policies),
-      context,
-      this.abac.options.strictMode
-    );
-    for (const { result } of results) {
-      if (result.force) return { allow: result.allow, reason: result.reason };
-      if (!result.allow && this.abac.options.strictMode) {
-        return { allow: false, reason: result.reason };
-      }
-    }
-    return { allow: true, reason: "POLICIES_PASSED" };
-  }
-  getPoliciesByNames(names, customPolicies = {}) {
-    const policies = {};
-    for (const name of names) {
-      if (this.global.has(name)) {
-        policies[name] = this.global.get(name);
-      } else if (this.extensions.has(name)) {
-        policies[name] = { fn: this.extensions.get(name), type: "extension" };
-      }
-    }
-    Object.assign(policies, customPolicies);
-    return policies;
-  }
-}
-class ABACFields {
-  constructor(abac) {
-    this.abac = abac;
-    this.configs = /* @__PURE__ */ new Map();
-  }
-  /**
-   * Регистрация field policies
-   */
-  registerFieldsPolicy(resourceName, config) {
-    const normalized = {};
-    for (const [pattern, conf] of Object.entries(config)) {
-      const { actions, ...baseSettings } = conf;
-      const base = {
-        actions: baseSettings.actions || "*",
-        access: baseSettings.access || "allow",
-        validator: baseSettings.validator || null,
-        transform: baseSettings.transform || null,
-        rule: baseSettings.rule || "remove",
-        force: baseSettings.force || false,
-        pattern
-      };
-      if (actions && typeof actions === "object") {
-        normalized[pattern] = {
-          base,
-          actions: Object.entries(actions).reduce((acc, [action, override]) => {
-            acc[action] = { ...base, ...override };
-            return acc;
-          }, {})
-        };
-      } else {
-        normalized[pattern] = { base };
-      }
-    }
-    this.configs.set(resourceName, normalized);
-    return this;
-  }
-  /**
-   * Проверка доступа к полям
-   */
-  async checkFields(context, data, action = null) {
-    const normalizedContext = this.abac.core.normalizeContext(context);
-    if (normalizedContext.skipFieldPolicies) {
-      return {
-        allowed: data,
-        denied: [],
-        errors: [],
-        transformed: data
-      };
-    }
-    const { resource } = normalizedContext;
-    const fieldAction = action || normalizedContext.action;
-    const config = normalizedContext.options?.fieldsConfig || this.configs.get(resource);
-    if (!config) {
-      return { allowed: data, denied: [], errors: [], transformed: data };
-    }
-    if (this.abac.policies && this.abac.policies.priorities.extensions.length > 0) {
-      for (const [name, extensionFn] of this.abac.policies.priorities.extensions) {
-        try {
-          await extensionFn(normalizedContext);
-        } catch (error) {
-          console.error(`Extension ${name} error:`, error);
-        }
-      }
-    }
-    const result = {
-      allowed: JSON.parse(JSON.stringify(data)),
-      denied: [],
-      errors: [],
-      transformed: null
-    };
-    const rules = this._collectRules(data, config, fieldAction);
-    const forced = rules.filter((r) => r.rule.force);
-    const regular = rules.filter((r) => !r.rule.force);
-    for (const { path, value, rule } of [...forced, ...regular]) {
-      const processed = /* @__PURE__ */ new Set();
-      if (processed.has(path)) continue;
-      processed.add(path);
-      const hasAccess = await this._checkFieldAccess(
-        rule.access,
-        normalizedContext,
-        path,
-        value
-      );
-      if (!hasAccess) {
-        await this._handleDenied(result, path, rule.rule);
-        continue;
-      }
-      if (rule.validator && rule.access !== "optional") {
-        const validation = await this._validateField(
-          rule.validator,
-          value,
-          normalizedContext,
-          path
-        );
-        if (!validation.isValid) {
-          result.errors.push({ path, errors: validation.errors });
-          if (rule.rule === "error") {
-            throw new Error(`Validation failed: ${path}`);
-          }
-          await this._handleDenied(result, path, rule.rule);
-        }
-      }
-    }
-    result.transformed = JSON.parse(JSON.stringify(result.allowed));
-    for (const { path, value, rule } of [...forced, ...regular]) {
-      if (!rule.transform) continue;
-      const isDenied = result.denied.some((d) => d.path === path);
-      if (isDenied) continue;
-      const transformed = await this._transformField(
-        rule.transform,
-        value,
-        normalizedContext,
-        path,
-        result.transformed
-      );
-      this._setValue(result.transformed, path, transformed);
-    }
-    return result;
-  }
-  /**
-   * Проверка доступа к полю
-   * @private
-   */
-  async _checkFieldAccess(access, context, fieldPath, fieldValue) {
-    if (access === "allow") return true;
-    if (access === "deny") return false;
-    if (access === "optional") return true;
-    if (typeof access === "function") {
-      try {
-        return !!await access(context, fieldPath, fieldValue);
-      } catch (e) {
-        console.error("Field access check error:", e);
-        return false;
-      }
-    }
-    return true;
-  }
-  /**
-   * Валидация поля
-   * @private
-   */
-  async _validateField(validator, value, context, fieldPath) {
-    if (typeof validator === "function") {
-      try {
-        const result = await validator(value, context, fieldPath);
-        if (typeof result === "boolean") {
-          return { isValid: result, errors: result ? [] : ["Validation failed"] };
-        }
-        return result;
-      } catch (e) {
-        return { isValid: false, errors: [e.message] };
-      }
-    }
-    if (validator && validator.validate) {
-      return validator.validate(value);
-    }
-    return { isValid: true, errors: [] };
-  }
-  /**
-   * Трансформация поля
-   * @private
-   */
-  async _transformField(transform, value, context, fieldPath, currentData) {
-    try {
-      return await transform(value, context, fieldPath, currentData);
-    } catch (error) {
-      console.error("Field transform error:", error);
-      return value;
-    }
-  }
-  /**
-   * Сбор применимых правил
-   * @private
-   */
-  _collectRules(data, config, action) {
-    const rules = [];
-    const patterns = Object.keys(config);
-    const dataPaths = this._extractPaths(data);
-    for (const path of dataPaths) {
-      for (const pattern of patterns) {
-        if (this._matchesPattern(path, pattern)) {
-          const fieldConfig = config[pattern];
-          let rule;
-          if (fieldConfig.actions && fieldConfig.actions[action]) {
-            rule = fieldConfig.actions[action];
-          } else {
-            rule = fieldConfig.base;
-          }
-          if (this._matchesAction(rule.actions, action)) {
-            rules.push({
-              path,
-              value: this._getValue(data, path),
-              rule
-            });
-            break;
-          }
-        }
-      }
-    }
-    return rules;
-  }
-  /**
-   * Проверка паттерна
-   * @private
-   */
-  _matchesPattern(path, pattern) {
-    if (pattern === path) return true;
-    if (pattern === "*") return true;
-    const pathParts = path.split(".");
-    const patternParts = pattern.split(".");
-    for (let i = 0; i < patternParts.length; i++) {
-      const pp = patternParts[i];
-      const pathPart = pathParts[i];
-      if (pp === "**") return true;
-      if (pp === "*" && pathPart !== void 0) continue;
-      if (pp === "[*]" && /^\[\d+\]$/.test(pathPart)) continue;
-      if (pp !== pathPart) return false;
-    }
-    return pathParts.length === patternParts.length;
-  }
-  /**
-   * Извлечение путей
-   * @private
-   */
-  _extractPaths(obj, prefix = "") {
-    const paths = [];
-    if (!obj || typeof obj !== "object") return paths;
-    if (Array.isArray(obj)) {
-      obj.forEach((item, i) => {
-        const path = prefix ? `${prefix}[${i}]` : `[${i}]`;
-        paths.push(path);
-        paths.push(...this._extractPaths(item, path));
-      });
-    } else {
-      for (const key in obj) {
-        if (obj.hasOwnProperty(key)) {
-          const path = prefix ? `${prefix}.${key}` : key;
-          paths.push(path);
-          if (obj[key] && typeof obj[key] === "object") {
-            paths.push(...this._extractPaths(obj[key], path));
-          }
-        }
-      }
-    }
-    return paths;
-  }
-  /**
-   * Проверка доступа
-   * @private
-   */
-  async _checkAccess(access, ctx) {
-    if (access === "allow") return true;
-    if (access === "deny") return false;
-    if (access === "optional") return true;
-    if (typeof access === "function") {
-      try {
-        return !!await access(ctx);
-      } catch (e) {
-        console.error("Access check error:", e);
-        return false;
-      }
-    }
-    return true;
-  }
-  /**
-   * Валидация
-   * @private
-   */
-  async _validate(validator, value, ctx) {
-    if (typeof validator === "function") {
-      try {
-        const result = await validator(value, ctx);
-        if (typeof result === "boolean") {
-          return { isValid: result, errors: result ? [] : ["Validation failed"] };
-        }
-        return result;
-      } catch (e) {
-        return { isValid: false, errors: [e.message] };
-      }
-    }
-    if (validator && validator.validate) {
-      return validator.validate(value);
-    }
-    return { isValid: true, errors: [] };
-  }
-  /**
-   * Обработка отказа
-   * @private
-   */
-  async _handleDenied(result, path, rule, ctx) {
-    result.denied.push({ path, reason: rule });
-    if (rule === "remove") {
-      this._removePath(result.allowed, path);
-    } else if (rule === "error") {
-      throw new Error(`Access denied: ${path}`);
-    }
-  }
-  /**
-   * Проверка действия
-   * @private
-   */
-  _matchesAction(actions, action) {
-    if (actions === "*") return true;
-    return Array.isArray(actions) ? actions.includes(action) : actions === action;
-  }
-  /**
-   * Получение значения
-   * @private
-   */
-  _getValue(obj, path) {
-    const parts = path.split(/\.|\[|\]/).filter(Boolean);
-    let current = obj;
-    for (const part of parts) {
-      if (!current) return void 0;
-      current = /^\d+$/.test(part) ? current[parseInt(part)] : current[part];
-    }
-    return current;
-  }
-  /**
-   * Установка значения
-   * @private
-   */
-  _setValue(obj, path, value) {
-    const parts = path.split(/\.|\[|\]/).filter(Boolean);
-    let current = obj;
-    for (let i = 0; i < parts.length - 1; i++) {
-      const part = parts[i];
-      const next = parts[i + 1];
-      const isArray = /^\d+$/.test(next);
-      if (!current[part]) {
-        current[part] = isArray ? [] : {};
-      }
-      current = current[part];
-    }
-    const last = parts[parts.length - 1];
-    if (/^\d+$/.test(last)) {
-      current[parseInt(last)] = value;
-    } else {
-      current[last] = value;
-    }
-  }
-  /**
-   * Удаление пути
-   * @private
-   */
-  _removePath(obj, path) {
-    const parts = path.split(/\.|\[|\]/).filter(Boolean);
-    let current = obj;
-    for (let i = 0; i < parts.length - 1; i++) {
-      const part = /^\d+$/.test(parts[i]) ? parseInt(parts[i]) : parts[i];
-      if (!current[part]) return;
-      current = current[part];
-    }
-    const last = parts[parts.length - 1];
-    if (/^\d+$/.test(last)) {
-      current.splice(parseInt(last), 1);
-    } else {
-      delete current[last];
-    }
-  }
-  getConfig(resourceName) {
-    return this.configs.get(resourceName);
-  }
-  hasConfig(resourceName) {
-    return this.configs.has(resourceName);
-  }
-  removeConfig(resourceName) {
-    return this.configs.delete(resourceName);
-  }
-}
-class ABACExpressAdapter {
-  constructor(abac) {
-    this.abac = abac;
-  }
-  middleware(resource, action, options = {}) {
-    return async (req, res, next) => {
-      try {
-        const context = {
-          user: req.userId,
-          resource,
-          action,
-          req,
-          data: {
-            ...req.body,
-            ...req.query,
-            params: req.params
-          },
-          params: req.params,
-          customPolicies: options.policies || {},
-          options
-        };
-        const accessResult = await this.abac.checkAccess(context, context.customPolicies);
-        if (!accessResult.allow) {
-          return res.status(403).json({
-            error: {
-              code: "ACCESS_DENIED",
-              message: accessResult.reason
-            }
-          });
-        }
-        if (options.checkFields) {
-          const fieldsResult = await this.abac.checkFields(context, req.body, action);
-          if (fieldsResult.errors.length > 0 && options.strictFieldsMode) {
-            return res.status(400).json({
-              error: {
-                code: "FIELD_VALIDATION_ERROR",
-                fields: fieldsResult.errors
-              }
-            });
-          }
-          req.body = fieldsResult.allowed;
-          req.abacFieldsResult = fieldsResult;
-        }
-        next();
-      } catch (error) {
-        console.error("ABAC middleware error:", error);
-        res.status(500).json({
-          error: {
-            code: "INTERNAL_ERROR",
-            message: "Access control error"
-          }
-        });
-      }
-    };
-  }
-  policyMiddleware(policyNames = [], customPolicies = {}, options = {}) {
-    return async (req, res, next) => {
-      try {
-        const context = {
-          user: req.userId,
-          resource: options.resource || "custom",
-          action: options.action || "access",
-          req,
-          data: {
-            ...req.body,
-            ...req.query,
-            params: req.params
-          },
-          params: req.params,
-          options
-        };
-        const result = await this.abac.checkPolicies(context, policyNames, customPolicies);
-        if (!result.allow) {
-          return res.status(403).json({
-            error: {
-              code: "POLICY_DENIED",
-              message: result.reason
-            }
-          });
-        }
-        next();
-      } catch (error) {
-        console.error("Policy middleware error:", error);
-        res.status(500).json({
-          error: {
-            code: "INTERNAL_ERROR",
-            message: "Policy check error"
-          }
-        });
-      }
-    };
-  }
-  fieldsMiddleware(resource, options = {}) {
-    return async (req, res, next) => {
-      try {
-        const methodActionMap = {
-          "GET": "read",
-          "POST": "create",
-          "PUT": "update",
-          "PATCH": "update",
-          "DELETE": "delete"
-        };
-        const action = options.action || methodActionMap[req.method] || "access";
-        const context = {
-          user: req.userId,
-          resource,
-          action,
-          req,
-          data: {
-            ...req.body,
-            ...req.query,
-            params: req.params
-          },
-          params: req.params,
-          options
-        };
-        let dataToCheck = req.body;
-        if (req.method === "GET" && options.checkQuery) {
-          dataToCheck = req.query;
-        }
-        if (options.checkResponse && res.locals.data) {
-          dataToCheck = res.locals.data;
-        }
-        const fieldsResult = await this.abac.checkFields(context, dataToCheck, action);
-        if (fieldsResult.errors.length > 0) {
-          if (options.strictMode) {
-            return res.status(400).json({
-              error: {
-                code: "FIELD_VALIDATION_ERROR",
-                fields: fieldsResult.errors
-              }
-            });
-          }
-          console.warn("Field validation errors:", fieldsResult.errors);
-        }
-        if (req.method === "GET" && options.checkQuery) {
-          req.query = fieldsResult.allowed;
-        } else if (options.checkResponse && res.locals.data) {
-          res.locals.data = fieldsResult.transformed || fieldsResult.allowed;
-        } else {
-          req.body = fieldsResult.allowed;
-        }
-        req.abacFieldsResult = fieldsResult;
-        next();
-      } catch (error) {
-        console.error("Fields middleware error:", error);
-        if (options.passErrors) {
-          next(error);
-        } else {
-          res.status(500).json({
-            error: {
-              code: "INTERNAL_ERROR",
-              message: "Field check error"
-            }
-          });
-        }
-      }
-    };
-  }
-}
-class ABACWebSocketAdapter {
-  constructor(abac) {
-    this.abac = abac;
-  }
-  handler(moduleName, options = {}) {
-    return async (ws, message) => {
-      try {
-        const { action = "access", resource = moduleName } = options;
-        const context = {
-          user: ws.userId,
-          resource,
-          action,
-          data: message,
-          socket: ws,
-          customPolicies: options.policies || {}
-        };
-        const accessResult = await this.abac.checkAccess(context, context.customPolicies);
-        if (!accessResult.allow) {
-          ws.send(JSON.stringify({
-            type: "error",
-            error: {
-              code: "ACCESS_DENIED",
-              message: accessResult.reason
-            }
-          }));
-          return false;
-        }
-        return true;
-      } catch (error) {
-        console.error("WebSocket access control error:", error);
-        ws.send(JSON.stringify({
-          type: "error",
-          error: {
-            code: "INTERNAL_ERROR",
-            message: "Access control error"
-          }
-        }));
-        return false;
-      }
-    };
-  }
-  // Метод для RPC вызовов через WebSocket
-  rpcHandler(module, method, options = {}) {
-    return async (params, context) => {
-      const abacContext = {
-        user: context.userId,
-        resource: module,
-        action: method,
-        data: params,
-        socket: context.ws,
-        customPolicies: options.policies || {}
-      };
-      const accessResult = await this.abac.checkAccess(abacContext, abacContext.customPolicies);
-      if (!accessResult.allow) {
-        throw new Error(accessResult.reason);
-      }
-      if (options.checkFields && params) {
-        const fieldsResult = await this.abac.checkFields(abacContext, params, method);
-        if (fieldsResult.denied.length > 0) {
-          if (options.strictFieldsMode) {
-            throw new Error(`Fields access denied: ${fieldsResult.denied.map((d) => d.path).join(", ")}`);
-          }
-          return fieldsResult.allowed;
-        }
-        return fieldsResult.transformed || params;
-      }
-      return params;
-    };
-  }
-}
-class GlobalABAC {
-  constructor(db, options = {}) {
-    this.db = db;
-    this.options = {
-      strictMode: false,
-      defaultDeny: false,
-      serviceKey: process.env.SERVICE_KEY,
-      enableAudit: true,
-      cacheEnabled: true,
-      cacheTTL: 300,
-      // 5 минут
-      concurrencyLimit: 10,
-      ...options
-    };
-    this.cache = new CacheNamespaced({ ttlSeconds: this.options.cacheTTL });
-    this.logger = options.auditLogger || new LoggerNamespaced(db);
-    this.core = new ABACCore(this);
-    this.policies = new ABACPolicies(this);
-    this.fields = new ABACFields(this);
-    this.express = new ABACExpressAdapter(this);
-    this.websocket = new ABACWebSocketAdapter(this);
-  }
-  // API методы для регистрации политик
-  registerGlobalPolicy(name, policyFn, metadata = {}) {
-    return this.policies.registerGlobalPolicy(name, policyFn, metadata);
-  }
-  registerResourcePolicy(resourceName, policyFn, options = {}) {
-    return this.policies.registerResourcePolicy(resourceName, policyFn, options);
-  }
-  registerFieldsPolicy(resourceName, builderFn) {
-    return this.fields.registerFieldsPolicy(resourceName, builderFn);
-  }
-  registerExtension(moduleName, extensionFn) {
-    return this.policies.registerExtension(moduleName, extensionFn);
-  }
-  // Основные методы проверки
-  async checkAccess(context, customPolicies = {}) {
-    return this.core.checkAccess(context, customPolicies);
-  }
-  async checkFields(context, data, action = null, isQuery = false) {
-    return this.fields.checkFields(context, data, action, isQuery);
-  }
-  async checkPolicies(context, policyNames = [], customPolicies = {}) {
-    return this.policies.checkPolicies(context, policyNames, customPolicies);
-  }
-  // Адаптеры
-  middleware(resource, action, options = {}) {
-    return this.express.middleware(resource, action, options);
-  }
-  policyMiddleware(policyNames = [], customPolicies = {}, options = {}) {
-    return this.express.policyMiddleware(policyNames, customPolicies, options);
-  }
-  fieldsMiddleware(resource, options = {}) {
-    return this.express.fieldsMiddleware(resource, options);
-  }
-  wsHandler(moduleName, options = {}) {
-    return this.websocket.handler(moduleName, options);
-  }
-  getResourceModel(resourceName) {
-    const resourcePolicy = this.policies.resources.get(resourceName);
-    if (!resourcePolicy) return null;
-    const modelName = resourcePolicy.modelName || resourceName;
-    return this.db[modelName] || null;
-  }
-}
-let instance = null;
-const getInstance = (db, options) => {
-  if (!instance) {
-    instance = new GlobalABAC(db, options);
-  }
-  return instance;
-};
-const ABAC = { getInstance };
-export {
-  ABAC as A
-};