npm - @ozdao/martyrs - Versions diffs - 0.2.564 → 0.2.565 - Mend

@ozdao/martyrs 0.2.564 → 0.2.565

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (279) hide show

package/dist/abac-DYoheWuc.js DELETED Viewed

@@ -1,1031 +0,0 @@
-import { C as CacheNamespaced } from "./core.cache-DALYFDdy.js";
-import { L as LoggerNamespaced } from "./core.logger-C3q8A9dl.js";
-class ABACCore {
-  constructor(abac) {
-    this.abac = abac;
-    this.runningPolicies = /* @__PURE__ */ new Map();
-  }
-  // Нормализация контекста
-  normalizeContext(input) {
-    const context = {
-      user: null,
-      action: null,
-      resource: null,
-      currentResource: null,
-      data: {},
-      req: null,
-      socket: null,
-      params: {},
-      _cache: /* @__PURE__ */ new Map(),
-      _abac: this.abac,
-      // Добавляем флаг для пропуска field policies (например, для админов)
-      skipFieldPolicies: input.skipFieldPolicies || false
-    };
-    if (input.req) {
-      context.user = input.user || input.req.userId;
-      context.data = {
-        ...input.req.body,
-        ...input.req.query,
-        params: input.req.params
-      };
-      context.params = input.req.params;
-      context.req = input.req;
-    } else if (input.socket) {
-      context.user = input.user || input.socket.userId;
-      context.socket = input.socket;
-      context.data = input.data || {};
-    }
-    return Object.assign(context, input);
-  }
-  // Выполнение политики с кэшированием
-  async executePolicyWithCache(policyName, policyFn, context) {
-    const contextCacheKey = `${policyName}_${context.action}`;
-    if (context._cache.has(contextCacheKey)) {
-      return context._cache.get(contextCacheKey);
-    }
-    const globalCacheKey = `policy_${policyName}_${context.user}_${context.resource}_${context.action}`;
-    if (this.abac.options.cacheEnabled) {
-      const cached = await this.abac.cache.get(globalCacheKey);
-      if (cached !== void 0) {
-        context._cache.set(contextCacheKey, cached);
-        return cached;
-      }
-    }
-    const result = await policyFn(context);
-    context._cache.set(contextCacheKey, result);
-    if (this.abac.options.cacheEnabled) {
-      await this.abac.cache.setWithTags(globalCacheKey, result, [
-        `user_${context.user}`,
-        `resource_${context.resource}`,
-        `policy_${policyName}`
-      ]);
-    }
-    return result;
-  }
-  // Выполнение политик с ограничением параллельности
-  async executePoliciesLimited(policies, context, stopOnDeny = false) {
-    const results = [];
-    const limit = this.abac.options.concurrencyLimit;
-    const batches = [];
-    for (let i = 0; i < policies.length; i += limit) {
-      batches.push(policies.slice(i, i + limit));
-    }
-    for (const batch of batches) {
-      const batchPromises = batch.map(async ([name, policy]) => {
-        try {
-          const policyFn = typeof policy === "function" ? policy : policy.fn;
-          const result = await this.executePolicyWithCache(name, policyFn, context);
-          return { name, result: this.normalizeResult(result, name) };
-        } catch (error) {
-          console.error(`Error in policy ${name}:`, error);
-          return {
-            name,
-            result: {
-              allow: !this.abac.options.strictMode,
-              reason: `POLICY_ERROR_${name.toUpperCase()}`
-            },
-            error
-          };
-        }
-      });
-      const batchResults = await Promise.all(batchPromises);
-      results.push(...batchResults);
-      if (stopOnDeny) {
-        const shouldStop = batchResults.some((r) => !r.result.allow || r.result.force);
-        if (shouldStop) break;
-      }
-    }
-    return results;
-  }
-  // Нормализация результата политики
-  normalizeResult(result, policyName) {
-    if (this.abac.options.strictMode && result === void 0) {
-      return { allow: false, force: false, reason: `UNDEFINED_IN_STRICT_MODE_${policyName.toUpperCase()}` };
-    }
-    if (result && typeof result === "object" && ("allow" in result || "force" in result)) {
-      return {
-        allow: result.allow !== void 0 ? !!result.allow : true,
-        force: !!result.force,
-        reason: result.reason || `POLICY_${policyName.toUpperCase()}`
-      };
-    }
-    if (result === true) {
-      return { allow: true, force: false, reason: `ALLOWED_BY_${policyName.toUpperCase()}` };
-    }
-    if (result === false) {
-      return { allow: false, force: false, reason: `DENIED_BY_${policyName.toUpperCase()}` };
-    }
-    return { allow: !this.abac.options.strictMode, force: false, reason: `NEUTRAL_${policyName.toUpperCase()}` };
-  }
-  // Основной метод проверки доступа
-  async checkAccess(rawContext, customPolicies = {}) {
-    const startTime = Date.now();
-    const context = this.normalizeContext(rawContext);
-    if (context.isServiceRequest) {
-      return { allow: true, reason: "SERVICE_REQUEST_ALLOWED" };
-    }
-    if (!context.user && !context.options?.allowUnauthenticated) {
-      return { allow: false, reason: "UNAUTHENTICATED_ACCESS_DENIED" };
-    }
-    if (!context.currentResource && (context.data?._id || context.data?.params?._id || context.data?.url)) {
-      await this.loadResource(context);
-    }
-    const result = await this.abac.policies.evaluate(context, customPolicies);
-    if (this.abac.options.enableAudit) {
-      await this.audit(context, result, Date.now() - startTime);
-    }
-    console.error("result logging:", result);
-    return result;
-  }
-  // Загрузка ресурса
-  async loadResource(context) {
-    const resourceModel = this.abac.getResourceModel(context.resource);
-    if (!resourceModel) return;
-    try {
-      let currentResource;
-      const id = context.data._id || context.data.params?._id;
-      if (id) {
-        currentResource = await resourceModel.findById(id);
-      } else if (context.data.url) {
-        currentResource = await resourceModel.findOne({ url: context.data.url });
-      }
-      if (currentResource) {
-        context.currentResource = currentResource;
-        context.resourceModel = resourceModel;
-      }
-    } catch (error) {
-      console.error("Resource loading error:", error);
-    }
-  }
-  // Аудит
-  async audit(context, result, duration) {
-    try {
-      let info = JSON.stringify({
-        type: "ACCESS_CHECK",
-        timestamp: /* @__PURE__ */ new Date(),
-        user: context.user,
-        resource: context.resource,
-        action: context.action,
-        result: result.allow,
-        reason: result.reason,
-        duration,
-        metadata: context.auditMetadata || {}
-      });
-      await this.abac.logger.log("info", info);
-      console.error("Audit logging:", info);
-    } catch (error) {
-      console.error("Audit logging error:", error);
-    }
-  }
-}
-class ABACPolicies {
-  constructor(abac) {
-    this.abac = abac;
-    this.global = /* @__PURE__ */ new Map();
-    this.resources = /* @__PURE__ */ new Map();
-    this.extensions = /* @__PURE__ */ new Map();
-    this.priorities = {
-      static: [],
-      dynamic: [],
-      extensions: []
-    };
-  }
-  registerGlobalPolicy(name, policyFn, metadata = {}) {
-    if (typeof policyFn !== "function") {
-      throw new Error(`Global policy "${name}" must be a function`);
-    }
-    const policy = {
-      fn: policyFn,
-      type: metadata.type || "dynamic",
-      ...metadata
-    };
-    this.global.set(name, policy);
-    this.updatePriorities();
-    return this.abac;
-  }
-  registerResourcePolicy(resourceName, policyFn, options = {}) {
-    if (typeof policyFn !== "function") {
-      throw new Error(`Resource policy for "${resourceName}" must be a function`);
-    }
-    this.resources.set(resourceName, {
-      fn: policyFn,
-      modelName: options.modelName || options.model || resourceName,
-      ...options
-    });
-    return this.abac;
-  }
-  registerExtension(moduleName, extensionFn) {
-    if (typeof extensionFn !== "function") {
-      throw new Error(`Extension "${moduleName}" must be a function`);
-    }
-    this.extensions.set(moduleName, extensionFn);
-    this.updatePriorities();
-    return this.abac;
-  }
-  updatePriorities() {
-    this.priorities = {
-      static: [],
-      dynamic: [],
-      extensions: []
-    };
-    for (const [name, policy] of this.global) {
-      const type = policy.type || "dynamic";
-      this.priorities[type].push([name, policy]);
-    }
-    this.priorities.extensions = Array.from(this.extensions.entries());
-  }
-  async evaluate(context, customPolicies = {}) {
-    const core = this.abac.core;
-    let hasForceAllow = false;
-    let hasForceDisallow = false;
-    let hasDeny = false;
-    let denyReason = "";
-    let allowReason = "";
-    const processResult = (result) => {
-      if (result.force) {
-        if (result.allow) {
-          hasForceAllow = true;
-          allowReason = result.reason;
-        } else {
-          hasForceDisallow = true;
-          denyReason = result.reason;
-        }
-      } else if (!result.allow) {
-        hasDeny = true;
-        if (!denyReason) denyReason = result.reason;
-      }
-    };
-    const checkForceFlags = () => {
-      if (hasForceDisallow) {
-        return {
-          allow: false,
-          reason: denyReason || "FORCE_DENIED_BY_POLICY"
-        };
-      }
-      if (hasForceAllow) {
-        return {
-          allow: true,
-          reason: allowReason || "FORCE_ALLOWED_BY_POLICY"
-        };
-      }
-      return null;
-    };
-    for (const type of ["static", "dynamic"]) {
-      const policies = [...this.priorities[type]];
-      if (type === "dynamic") {
-        for (const [name, fn] of Object.entries(customPolicies)) {
-          policies.push([name, { fn, type: "dynamic" }]);
-        }
-      }
-      const results = await core.executePoliciesLimited(
-        policies,
-        context,
-        type === "static"
-        // Для static останавливаемся на deny
-      );
-      for (const { result, error } of results) {
-        if (error) continue;
-        processResult(result);
-      }
-      const forceResult = checkForceFlags();
-      if (forceResult) return forceResult;
-    }
-    const resourcePolicy = this.resources.get(context.resource);
-    if (resourcePolicy) {
-      const results = await core.executePoliciesLimited(
-        [[`RESOURCE_${context.resource}`, resourcePolicy]],
-        context
-      );
-      if (!results[0].error) {
-        processResult(results[0].result);
-      }
-      const forceResult = checkForceFlags();
-      if (forceResult) return forceResult;
-    }
-    if (hasDeny) {
-      return {
-        allow: false,
-        reason: denyReason || "DENIED_BY_POLICY"
-      };
-    }
-    const extensionResults = await core.executePoliciesLimited(
-      this.priorities.extensions,
-      context
-    );
-    for (const { result } of extensionResults) {
-      if (result.allow) {
-        return { allow: true, reason: result.reason };
-      }
-    }
-    const defaultAllow = !this.abac.options.defaultDeny;
-    return {
-      allow: defaultAllow,
-      reason: defaultAllow ? "DEFAULT_ALLOW" : "DEFAULT_DENY"
-    };
-  }
-  // Проверка конкретных политик
-  async checkPolicies(rawContext, policyNames = [], customPolicies = {}) {
-    const context = this.abac.core.normalizeContext(rawContext);
-    const policies = this.getPoliciesByNames(policyNames, customPolicies);
-    const results = await this.abac.core.executePoliciesLimited(
-      Object.entries(policies),
-      context,
-      this.abac.options.strictMode
-    );
-    for (const { result } of results) {
-      if (result.force) return { allow: result.allow, reason: result.reason };
-      if (!result.allow && this.abac.options.strictMode) {
-        return { allow: false, reason: result.reason };
-      }
-    }
-    return { allow: true, reason: "POLICIES_PASSED" };
-  }
-  getPoliciesByNames(names, customPolicies = {}) {
-    const policies = {};
-    for (const name of names) {
-      if (this.global.has(name)) {
-        policies[name] = this.global.get(name);
-      } else if (this.extensions.has(name)) {
-        policies[name] = { fn: this.extensions.get(name), type: "extension" };
-      }
-    }
-    Object.assign(policies, customPolicies);
-    return policies;
-  }
-}
-class ABACFields {
-  constructor(abac) {
-    this.abac = abac;
-    this.configs = /* @__PURE__ */ new Map();
-  }
-  /**
-   * Регистрация field policies
-   */
-  registerFieldsPolicy(resourceName, config) {
-    const normalized = {};
-    for (const [pattern, conf] of Object.entries(config)) {
-      const { actions, ...baseSettings } = conf;
-      const base = {
-        actions: baseSettings.actions || "*",
-        access: baseSettings.access || "allow",
-        validator: baseSettings.validator || null,
-        transform: baseSettings.transform || null,
-        rule: baseSettings.rule || "remove",
-        force: baseSettings.force || false,
-        pattern
-      };
-      if (actions && typeof actions === "object") {
-        normalized[pattern] = {
-          base,
-          actions: Object.entries(actions).reduce((acc, [action, override]) => {
-            acc[action] = { ...base, ...override };
-            return acc;
-          }, {})
-        };
-      } else {
-        normalized[pattern] = { base };
-      }
-    }
-    this.configs.set(resourceName, normalized);
-    return this;
-  }
-  /**
-   * Проверка доступа к полям
-   */
-  async checkFields(context, data, action = null) {
-    const normalizedContext = this.abac.core.normalizeContext(context);
-    if (normalizedContext.skipFieldPolicies) {
-      return {
-        allowed: data,
-        denied: [],
-        errors: [],
-        transformed: data
-      };
-    }
-    const { resource } = normalizedContext;
-    const fieldAction = action || normalizedContext.action;
-    const config = normalizedContext.options?.fieldsConfig || this.configs.get(resource);
-    if (!config) {
-      return { allowed: data, denied: [], errors: [], transformed: data };
-    }
-    if (this.abac.policies && this.abac.policies.priorities.extensions.length > 0) {
-      for (const [name, extensionFn] of this.abac.policies.priorities.extensions) {
-        try {
-          await extensionFn(normalizedContext);
-        } catch (error) {
-          console.error(`Extension ${name} error:`, error);
-        }
-      }
-    }
-    const result = {
-      allowed: JSON.parse(JSON.stringify(data)),
-      denied: [],
-      errors: [],
-      transformed: null
-    };
-    const rules = this._collectRules(data, config, fieldAction);
-    const forced = rules.filter((r) => r.rule.force);
-    const regular = rules.filter((r) => !r.rule.force);
-    for (const { path, value, rule } of [...forced, ...regular]) {
-      const processed = /* @__PURE__ */ new Set();
-      if (processed.has(path)) continue;
-      processed.add(path);
-      const hasAccess = await this._checkFieldAccess(
-        rule.access,
-        normalizedContext,
-        path,
-        value
-      );
-      if (!hasAccess) {
-        await this._handleDenied(result, path, rule.rule);
-        continue;
-      }
-      if (rule.validator && rule.access !== "optional") {
-        const validation = await this._validateField(
-          rule.validator,
-          value,
-          normalizedContext,
-          path
-        );
-        if (!validation.isValid) {
-          result.errors.push({ path, errors: validation.errors });
-          if (rule.rule === "error") {
-            throw new Error(`Validation failed: ${path}`);
-          }
-          await this._handleDenied(result, path, rule.rule);
-        }
-      }
-    }
-    result.transformed = JSON.parse(JSON.stringify(result.allowed));
-    for (const { path, value, rule } of [...forced, ...regular]) {
-      if (!rule.transform) continue;
-      const isDenied = result.denied.some((d) => d.path === path);
-      if (isDenied) continue;
-      const transformed = await this._transformField(
-        rule.transform,
-        value,
-        normalizedContext,
-        path,
-        result.transformed
-      );
-      this._setValue(result.transformed, path, transformed);
-    }
-    return result;
-  }
-  /**
-   * Проверка доступа к полю
-   * @private
-   */
-  async _checkFieldAccess(access, context, fieldPath, fieldValue) {
-    if (access === "allow") return true;
-    if (access === "deny") return false;
-    if (access === "optional") return true;
-    if (typeof access === "function") {
-      try {
-        return !!await access(context, fieldPath, fieldValue);
-      } catch (e) {
-        console.error("Field access check error:", e);
-        return false;
-      }
-    }
-    return true;
-  }
-  /**
-   * Валидация поля
-   * @private
-   */
-  async _validateField(validator, value, context, fieldPath) {
-    if (typeof validator === "function") {
-      try {
-        const result = await validator(value, context, fieldPath);
-        if (typeof result === "boolean") {
-          return { isValid: result, errors: result ? [] : ["Validation failed"] };
-        }
-        return result;
-      } catch (e) {
-        return { isValid: false, errors: [e.message] };
-      }
-    }
-    if (validator && validator.validate) {
-      return validator.validate(value);
-    }
-    return { isValid: true, errors: [] };
-  }
-  /**
-   * Трансформация поля
-   * @private
-   */
-  async _transformField(transform, value, context, fieldPath, currentData) {
-    try {
-      return await transform(value, context, fieldPath, currentData);
-    } catch (error) {
-      console.error("Field transform error:", error);
-      return value;
-    }
-  }
-  /**
-   * Сбор применимых правил
-   * @private
-   */
-  _collectRules(data, config, action) {
-    const rules = [];
-    const patterns = Object.keys(config);
-    const dataPaths = this._extractPaths(data);
-    for (const path of dataPaths) {
-      for (const pattern of patterns) {
-        if (this._matchesPattern(path, pattern)) {
-          const fieldConfig = config[pattern];
-          let rule;
-          if (fieldConfig.actions && fieldConfig.actions[action]) {
-            rule = fieldConfig.actions[action];
-          } else {
-            rule = fieldConfig.base;
-          }
-          if (this._matchesAction(rule.actions, action)) {
-            rules.push({
-              path,
-              value: this._getValue(data, path),
-              rule
-            });
-            break;
-          }
-        }
-      }
-    }
-    return rules;
-  }
-  /**
-   * Проверка паттерна
-   * @private
-   */
-  _matchesPattern(path, pattern) {
-    if (pattern === path) return true;
-    if (pattern === "*") return true;
-    const pathParts = path.split(".");
-    const patternParts = pattern.split(".");
-    for (let i = 0; i < patternParts.length; i++) {
-      const pp = patternParts[i];
-      const pathPart = pathParts[i];
-      if (pp === "**") return true;
-      if (pp === "*" && pathPart !== void 0) continue;
-      if (pp === "[*]" && /^\[\d+\]$/.test(pathPart)) continue;
-      if (pp !== pathPart) return false;
-    }
-    return pathParts.length === patternParts.length;
-  }
-  /**
-   * Извлечение путей
-   * @private
-   */
-  _extractPaths(obj, prefix = "") {
-    const paths = [];
-    if (!obj || typeof obj !== "object") return paths;
-    if (Array.isArray(obj)) {
-      obj.forEach((item, i) => {
-        const path = prefix ? `${prefix}[${i}]` : `[${i}]`;
-        paths.push(path);
-        paths.push(...this._extractPaths(item, path));
-      });
-    } else {
-      for (const key in obj) {
-        if (obj.hasOwnProperty(key)) {
-          const path = prefix ? `${prefix}.${key}` : key;
-          paths.push(path);
-          if (obj[key] && typeof obj[key] === "object") {
-            paths.push(...this._extractPaths(obj[key], path));
-          }
-        }
-      }
-    }
-    return paths;
-  }
-  /**
-   * Проверка доступа
-   * @private
-   */
-  async _checkAccess(access, ctx) {
-    if (access === "allow") return true;
-    if (access === "deny") return false;
-    if (access === "optional") return true;
-    if (typeof access === "function") {
-      try {
-        return !!await access(ctx);
-      } catch (e) {
-        console.error("Access check error:", e);
-        return false;
-      }
-    }
-    return true;
-  }
-  /**
-   * Валидация
-   * @private
-   */
-  async _validate(validator, value, ctx) {
-    if (typeof validator === "function") {
-      try {
-        const result = await validator(value, ctx);
-        if (typeof result === "boolean") {
-          return { isValid: result, errors: result ? [] : ["Validation failed"] };
-        }
-        return result;
-      } catch (e) {
-        return { isValid: false, errors: [e.message] };
-      }
-    }
-    if (validator && validator.validate) {
-      return validator.validate(value);
-    }
-    return { isValid: true, errors: [] };
-  }
-  /**
-   * Обработка отказа
-   * @private
-   */
-  async _handleDenied(result, path, rule, ctx) {
-    result.denied.push({ path, reason: rule });
-    if (rule === "remove") {
-      this._removePath(result.allowed, path);
-    } else if (rule === "error") {
-      throw new Error(`Access denied: ${path}`);
-    }
-  }
-  /**
-   * Проверка действия
-   * @private
-   */
-  _matchesAction(actions, action) {
-    if (actions === "*") return true;
-    return Array.isArray(actions) ? actions.includes(action) : actions === action;
-  }
-  /**
-   * Получение значения
-   * @private
-   */
-  _getValue(obj, path) {
-    const parts = path.split(/\.|\[|\]/).filter(Boolean);
-    let current = obj;
-    for (const part of parts) {
-      if (!current) return void 0;
-      current = /^\d+$/.test(part) ? current[parseInt(part)] : current[part];
-    }
-    return current;
-  }
-  /**
-   * Установка значения
-   * @private
-   */
-  _setValue(obj, path, value) {
-    const parts = path.split(/\.|\[|\]/).filter(Boolean);
-    let current = obj;
-    for (let i = 0; i < parts.length - 1; i++) {
-      const part = parts[i];
-      const next = parts[i + 1];
-      const isArray = /^\d+$/.test(next);
-      if (!current[part]) {
-        current[part] = isArray ? [] : {};
-      }
-      current = current[part];
-    }
-    const last = parts[parts.length - 1];
-    if (/^\d+$/.test(last)) {
-      current[parseInt(last)] = value;
-    } else {
-      current[last] = value;
-    }
-  }
-  /**
-   * Удаление пути
-   * @private
-   */
-  _removePath(obj, path) {
-    const parts = path.split(/\.|\[|\]/).filter(Boolean);
-    let current = obj;
-    for (let i = 0; i < parts.length - 1; i++) {
-      const part = /^\d+$/.test(parts[i]) ? parseInt(parts[i]) : parts[i];
-      if (!current[part]) return;
-      current = current[part];
-    }
-    const last = parts[parts.length - 1];
-    if (/^\d+$/.test(last)) {
-      current.splice(parseInt(last), 1);
-    } else {
-      delete current[last];
-    }
-  }
-  getConfig(resourceName) {
-    return this.configs.get(resourceName);
-  }
-  hasConfig(resourceName) {
-    return this.configs.has(resourceName);
-  }
-  removeConfig(resourceName) {
-    return this.configs.delete(resourceName);
-  }
-}
-class ABACExpressAdapter {
-  constructor(abac) {
-    this.abac = abac;
-  }
-  middleware(resource, action, options = {}) {
-    return async (req, res, next) => {
-      try {
-        const context = {
-          user: req.userId,
-          resource,
-          action,
-          req,
-          data: {
-            ...req.body,
-            ...req.query,
-            params: req.params
-          },
-          params: req.params,
-          customPolicies: options.policies || {},
-          options
-        };
-        const accessResult = await this.abac.checkAccess(context, context.customPolicies);
-        if (!accessResult.allow) {
-          return res.status(403).json({
-            error: {
-              code: "ACCESS_DENIED",
-              message: accessResult.reason
-            }
-          });
-        }
-        if (options.checkFields) {
-          const fieldsResult = await this.abac.checkFields(context, req.body, action);
-          if (fieldsResult.errors.length > 0 && options.strictFieldsMode) {
-            return res.status(400).json({
-              error: {
-                code: "FIELD_VALIDATION_ERROR",
-                fields: fieldsResult.errors
-              }
-            });
-          }
-          req.body = fieldsResult.allowed;
-          req.abacFieldsResult = fieldsResult;
-        }
-        next();
-      } catch (error) {
-        console.error("ABAC middleware error:", error);
-        res.status(500).json({
-          error: {
-            code: "INTERNAL_ERROR",
-            message: "Access control error"
-          }
-        });
-      }
-    };
-  }
-  policyMiddleware(policyNames = [], customPolicies = {}, options = {}) {
-    return async (req, res, next) => {
-      try {
-        const context = {
-          user: req.userId,
-          resource: options.resource || "custom",
-          action: options.action || "access",
-          req,
-          data: {
-            ...req.body,
-            ...req.query,
-            params: req.params
-          },
-          params: req.params,
-          options
-        };
-        const result = await this.abac.checkPolicies(context, policyNames, customPolicies);
-        if (!result.allow) {
-          return res.status(403).json({
-            error: {
-              code: "POLICY_DENIED",
-              message: result.reason
-            }
-          });
-        }
-        next();
-      } catch (error) {
-        console.error("Policy middleware error:", error);
-        res.status(500).json({
-          error: {
-            code: "INTERNAL_ERROR",
-            message: "Policy check error"
-          }
-        });
-      }
-    };
-  }
-  fieldsMiddleware(resource, options = {}) {
-    return async (req, res, next) => {
-      try {
-        const methodActionMap = {
-          "GET": "read",
-          "POST": "create",
-          "PUT": "update",
-          "PATCH": "update",
-          "DELETE": "delete"
-        };
-        const action = options.action || methodActionMap[req.method] || "access";
-        const context = {
-          user: req.userId,
-          resource,
-          action,
-          req,
-          data: {
-            ...req.body,
-            ...req.query,
-            params: req.params
-          },
-          params: req.params,
-          options
-        };
-        let dataToCheck = req.body;
-        if (req.method === "GET" && options.checkQuery) {
-          dataToCheck = req.query;
-        }
-        if (options.checkResponse && res.locals.data) {
-          dataToCheck = res.locals.data;
-        }
-        const fieldsResult = await this.abac.checkFields(context, dataToCheck, action);
-        if (fieldsResult.errors.length > 0) {
-          if (options.strictMode) {
-            return res.status(400).json({
-              error: {
-                code: "FIELD_VALIDATION_ERROR",
-                fields: fieldsResult.errors
-              }
-            });
-          }
-          console.warn("Field validation errors:", fieldsResult.errors);
-        }
-        if (req.method === "GET" && options.checkQuery) {
-          req.query = fieldsResult.allowed;
-        } else if (options.checkResponse && res.locals.data) {
-          res.locals.data = fieldsResult.transformed || fieldsResult.allowed;
-        } else {
-          req.body = fieldsResult.allowed;
-        }
-        req.abacFieldsResult = fieldsResult;
-        next();
-      } catch (error) {
-        console.error("Fields middleware error:", error);
-        if (options.passErrors) {
-          next(error);
-        } else {
-          res.status(500).json({
-            error: {
-              code: "INTERNAL_ERROR",
-              message: "Field check error"
-            }
-          });
-        }
-      }
-    };
-  }
-}
-class ABACWebSocketAdapter {
-  constructor(abac) {
-    this.abac = abac;
-  }
-  handler(moduleName, options = {}) {
-    return async (ws, message) => {
-      try {
-        const { action = "access", resource = moduleName } = options;
-        const context = {
-          user: ws.userId,
-          resource,
-          action,
-          data: message,
-          socket: ws,
-          customPolicies: options.policies || {}
-        };
-        const accessResult = await this.abac.checkAccess(context, context.customPolicies);
-        if (!accessResult.allow) {
-          ws.send(JSON.stringify({
-            type: "error",
-            error: {
-              code: "ACCESS_DENIED",
-              message: accessResult.reason
-            }
-          }));
-          return false;
-        }
-        return true;
-      } catch (error) {
-        console.error("WebSocket access control error:", error);
-        ws.send(JSON.stringify({
-          type: "error",
-          error: {
-            code: "INTERNAL_ERROR",
-            message: "Access control error"
-          }
-        }));
-        return false;
-      }
-    };
-  }
-  // Метод для RPC вызовов через WebSocket
-  rpcHandler(module, method, options = {}) {
-    return async (params, context) => {
-      const abacContext = {
-        user: context.userId,
-        resource: module,
-        action: method,
-        data: params,
-        socket: context.ws,
-        customPolicies: options.policies || {}
-      };
-      const accessResult = await this.abac.checkAccess(abacContext, abacContext.customPolicies);
-      if (!accessResult.allow) {
-        throw new Error(accessResult.reason);
-      }
-      if (options.checkFields && params) {
-        const fieldsResult = await this.abac.checkFields(abacContext, params, method);
-        if (fieldsResult.denied.length > 0) {
-          if (options.strictFieldsMode) {
-            throw new Error(`Fields access denied: ${fieldsResult.denied.map((d) => d.path).join(", ")}`);
-          }
-          return fieldsResult.allowed;
-        }
-        return fieldsResult.transformed || params;
-      }
-      return params;
-    };
-  }
-}
-class GlobalABAC {
-  constructor(db, options = {}) {
-    this.db = db;
-    this.options = {
-      strictMode: false,
-      defaultDeny: false,
-      serviceKey: process.env.SERVICE_KEY,
-      enableAudit: true,
-      cacheEnabled: true,
-      cacheTTL: 300,
-      // 5 минут
-      concurrencyLimit: 10,
-      ...options
-    };
-    this.cache = new CacheNamespaced({ ttlSeconds: this.options.cacheTTL });
-    this.logger = options.auditLogger || new LoggerNamespaced(db);
-    this.core = new ABACCore(this);
-    this.policies = new ABACPolicies(this);
-    this.fields = new ABACFields(this);
-    this.express = new ABACExpressAdapter(this);
-    this.websocket = new ABACWebSocketAdapter(this);
-  }
-  // API методы для регистрации политик
-  registerGlobalPolicy(name, policyFn, metadata = {}) {
-    return this.policies.registerGlobalPolicy(name, policyFn, metadata);
-  }
-  registerResourcePolicy(resourceName, policyFn, options = {}) {
-    return this.policies.registerResourcePolicy(resourceName, policyFn, options);
-  }
-  registerFieldsPolicy(resourceName, builderFn) {
-    return this.fields.registerFieldsPolicy(resourceName, builderFn);
-  }
-  registerExtension(moduleName, extensionFn) {
-    return this.policies.registerExtension(moduleName, extensionFn);
-  }
-  // Основные методы проверки
-  async checkAccess(context, customPolicies = {}) {
-    return this.core.checkAccess(context, customPolicies);
-  }
-  async checkFields(context, data, action = null, isQuery = false) {
-    return this.fields.checkFields(context, data, action, isQuery);
-  }
-  async checkPolicies(context, policyNames = [], customPolicies = {}) {
-    return this.policies.checkPolicies(context, policyNames, customPolicies);
-  }
-  // Адаптеры
-  middleware(resource, action, options = {}) {
-    return this.express.middleware(resource, action, options);
-  }
-  policyMiddleware(policyNames = [], customPolicies = {}, options = {}) {
-    return this.express.policyMiddleware(policyNames, customPolicies, options);
-  }
-  fieldsMiddleware(resource, options = {}) {
-    return this.express.fieldsMiddleware(resource, options);
-  }
-  wsHandler(moduleName, options = {}) {
-    return this.websocket.handler(moduleName, options);
-  }
-  getResourceModel(resourceName) {
-    const resourcePolicy = this.policies.resources.get(resourceName);
-    if (!resourcePolicy) return null;
-    const modelName = resourcePolicy.modelName || resourceName;
-    return this.db[modelName] || null;
-  }
-}
-let instance = null;
-const getInstance = (db, options) => {
-  if (!instance) {
-    instance = new GlobalABAC(db, options);
-  }
-  return instance;
-};
-const ABAC = { getInstance };
-export {
-  ABAC as A
-};