npm - @ozdao/martyrs - Versions diffs - 0.2.564 → 0.2.566 - Mend

@ozdao/martyrs 0.2.564 → 0.2.566

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (366) hide show

package/dist/abac-BPl9Bmf9.js ADDED Viewed

@@ -0,0 +1,1527 @@
+import { C as CacheNamespaced } from "./core.cache-DALYFDdy.js";
+import set from "lodash/set.js";
+import get from "lodash/get.js";
+import unset from "lodash/unset.js";
+import cloneDeep from "lodash/cloneDeep.js";
+class Logger {
+  constructor(db) {
+    this.LogModel = db.log;
+  }
+  async log(level, message) {
+    const logEntry = new this.LogModel({
+      level,
+      message
+    });
+    try {
+      await logEntry.save();
+      console.info(`Logged: ${level} - ${message}`);
+    } catch (err) {
+      console.error("Logging error:", err);
+    }
+  }
+  async info(message) {
+    await this.log("info", message);
+  }
+  async error(message) {
+    await this.log("error", message);
+  }
+}
+const instances = /* @__PURE__ */ new Map();
+class LoggerNamespaced {
+  constructor(namespaceOrDb, db) {
+    if (!db && namespaceOrDb && typeof namespaceOrDb === "object") {
+      const namespace2 = "global";
+      if (instances.has(namespace2)) {
+        return instances.get(namespace2);
+      }
+      const instance3 = new Logger(namespaceOrDb);
+      instances.set(namespace2, instance3);
+      return instance3;
+    }
+    const namespace = namespaceOrDb;
+    if (instances.has(namespace)) {
+      return instances.get(namespace);
+    }
+    const instance2 = new Logger(db);
+    instances.set(namespace, instance2);
+    return instance2;
+  }
+  // Статический метод для получения всех namespace'ов
+  static getNamespaces() {
+    return Array.from(instances.keys());
+  }
+}
+class ABACCore {
+  constructor(abac) {
+    this.abac = abac;
+    this.runningPolicies = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Нормализация контекста
+   */
+  normalizeContext(input) {
+    const context = {
+      user: null,
+      action: null,
+      resource: null,
+      currentResource: null,
+      resourceId: null,
+      // Добавляем ID ресурса для кэша
+      data: {},
+      req: null,
+      socket: null,
+      params: {},
+      _cache: /* @__PURE__ */ new Map(),
+      _abac: this.abac,
+      skipFieldPolicies: input.skipFieldPolicies || false
+    };
+    if (input.req) {
+      context.user = input.user || input.req.userId;
+      context.data = {
+        body: input.req.body || {},
+        query: input.req.query || {},
+        params: input.req.params || {}
+      };
+      context.params = input.req.params;
+      context.req = input.req;
+      context.resourceId = input.req.params?._id || input.req.params?.id || input.req.body?._id || input.req.body?.id;
+    } else if (input.socket) {
+      context.user = input.user || input.socket.userId;
+      context.socket = input.socket;
+      context.data = input.data || {};
+      context.resourceId = input.data?._id || input.data?.id;
+    }
+    return Object.assign(context, {
+      ...input,
+      data: context.data
+      // Сохраняем структурированную data
+    });
+  }
+  /**
+   * Выполнение политики с кэшированием
+   */
+  async executePolicyWithCache(policyName, policyFn, context) {
+    const contextCacheKey = `${policyName}_${context.action}`;
+    if (context._cache.has(contextCacheKey)) {
+      return context._cache.get(contextCacheKey);
+    }
+    const globalCacheKey = this._buildCacheKey(policyName, context);
+    if (this.abac.options.cacheEnabled) {
+      const cached = await this.abac.cache.get(globalCacheKey);
+      if (cached !== void 0) {
+        context._cache.set(contextCacheKey, cached);
+        return cached;
+      }
+    }
+    const result = await policyFn(context);
+    context._cache.set(contextCacheKey, result);
+    if (this.abac.options.cacheEnabled) {
+      const tags = [
+        `user_${context.user}`,
+        `resource_${context.resource}`,
+        `policy_${policyName}`
+      ];
+      if (context.resourceId) {
+        tags.push(`resourceId_${context.resourceId}`);
+      }
+      await this.abac.cache.setWithTags(globalCacheKey, result, tags);
+    }
+    return result;
+  }
+  /**
+   * Построение ключа кэша с учетом ID ресурса
+   * @private
+   */
+  _buildCacheKey(policyName, context) {
+    const parts = [
+      "policy",
+      policyName,
+      context.user,
+      context.resource,
+      context.action
+    ];
+    if (context.resourceId) {
+      parts.push(context.resourceId);
+    }
+    return parts.join("_");
+  }
+  /**
+   * Выполнение политик с ограничением параллельности
+   */
+  async executePoliciesLimited(policies, context, stopOnDeny = false) {
+    const results = [];
+    const limit = this.abac.options.concurrencyLimit;
+    const batches = [];
+    for (let i = 0; i < policies.length; i += limit) {
+      batches.push(policies.slice(i, i + limit));
+    }
+    for (const batch of batches) {
+      const batchPromises = batch.map(async ([name, policy]) => {
+        try {
+          const policyFn = typeof policy === "function" ? policy : policy.fn;
+          const result = await this.executePolicyWithCache(name, policyFn, context);
+          return { name, result: this.normalizeResult(result, name) };
+        } catch (error) {
+          this.abac.logger?.error("Policy execution error", {
+            policy: name,
+            error: error.message,
+            stack: error.stack
+          });
+          return {
+            name,
+            result: {
+              allow: !this.abac.options.strictMode,
+              reason: `POLICY_ERROR_${name.toUpperCase()}`
+            },
+            error
+          };
+        }
+      });
+      const batchResults = await Promise.all(batchPromises);
+      results.push(...batchResults);
+      if (stopOnDeny) {
+        const shouldStop = batchResults.some((r) => !r.result.allow || r.result.force);
+        if (shouldStop) break;
+      }
+    }
+    return results;
+  }
+  /**
+   * Нормализация результата политики
+   */
+  normalizeResult(result, policyName) {
+    if (this.abac.options.strictMode && result === void 0) {
+      return {
+        allow: false,
+        force: false,
+        reason: `UNDEFINED_IN_STRICT_MODE_${policyName.toUpperCase()}`
+      };
+    }
+    if (result && typeof result === "object" && ("allow" in result || "force" in result)) {
+      return {
+        allow: result.allow !== void 0 ? !!result.allow : true,
+        force: !!result.force,
+        reason: result.reason || `POLICY_${policyName.toUpperCase()}`
+      };
+    }
+    if (result === true) {
+      return {
+        allow: true,
+        force: false,
+        reason: `ALLOWED_BY_${policyName.toUpperCase()}`
+      };
+    }
+    if (result === false) {
+      return {
+        allow: false,
+        force: false,
+        reason: `DENIED_BY_${policyName.toUpperCase()}`
+      };
+    }
+    return {
+      allow: !this.abac.options.strictMode,
+      force: false,
+      reason: `NEUTRAL_${policyName.toUpperCase()}`
+    };
+  }
+  /**
+   * Основной метод проверки доступа
+   */
+  async checkAccess(rawContext, customPolicies = {}) {
+    const startTime = Date.now();
+    const context = this.normalizeContext(rawContext);
+    if (context.isServiceRequest) {
+      return { allow: true, reason: "SERVICE_REQUEST_ALLOWED" };
+    }
+    if (!context.user && !context.options?.allowUnauthenticated) {
+      return { allow: false, reason: "UNAUTHENTICATED_ACCESS_DENIED" };
+    }
+    if (!context.currentResource) {
+      await this.loadResource(context);
+    }
+    const result = await this.abac.policies.evaluate(context, customPolicies);
+    if (this.abac.options.enableAudit) {
+      await this.audit(context, result, Date.now() - startTime);
+    }
+    return result;
+  }
+  /**
+   * Загрузка ресурса
+   */
+  async loadResource(context) {
+    const resourceModel = this.abac.getResourceModel(context.resource);
+    if (!resourceModel) return;
+    try {
+      let currentResource;
+      const id = context.resourceId || context.data?.body?._id || context.data?.params?._id;
+      if (id) {
+        currentResource = await resourceModel.findById(id);
+      } else if (context.data?.body?.url || context.data?.params?.url) {
+        const url = context.data.body?.url || context.data.params?.url;
+        currentResource = await resourceModel.findOne({ url });
+      }
+      if (currentResource) {
+        context.currentResource = currentResource;
+        context.resourceModel = resourceModel;
+        context.resourceId = currentResource._id?.toString();
+      }
+    } catch (error) {
+      this.abac.logger?.error("Resource loading error", {
+        resource: context.resource,
+        error: error.message
+      });
+    }
+  }
+  /**
+   * Структурированный аудит
+   */
+  async audit(context, result, duration) {
+    try {
+      const auditEntry = {
+        type: "ACCESS_CHECK",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        user: context.user,
+        resource: context.resource,
+        resourceId: context.resourceId,
+        action: context.action,
+        result: result.allow,
+        reason: result.reason,
+        duration,
+        ip: context.req?.ip,
+        userAgent: context.req?.get?.("user-agent"),
+        metadata: context.auditMetadata || {}
+      };
+      await this.abac.logger.info("Access check", auditEntry);
+      if (["delete", "admin", "export"].includes(context.action)) {
+        await this.abac.logger.warn("Critical action attempt", auditEntry);
+      }
+    } catch (error) {
+      this.abac.logger?.error("Audit logging error", {
+        error: error.message
+      });
+    }
+  }
+}
+class ABACPolicies {
+  constructor(abac) {
+    this.abac = abac;
+    this.global = /* @__PURE__ */ new Map();
+    this.resources = /* @__PURE__ */ new Map();
+    this.extensions = /* @__PURE__ */ new Map();
+    this.priorities = {
+      static: [],
+      dynamic: [],
+      extensions: []
+    };
+  }
+  /**
+   * Регистрация глобальной политики
+   */
+  registerGlobalPolicy(name, policyFn, metadata = {}) {
+    if (typeof policyFn !== "function") {
+      throw new Error(`Global policy "${name}" must be a function`);
+    }
+    const policy = {
+      fn: policyFn,
+      type: metadata.type || "dynamic",
+      priority: metadata.priority || 0,
+      ...metadata
+    };
+    this.global.set(name, policy);
+    this.updatePriorities();
+    return this.abac;
+  }
+  /**
+   * Регистрация политики ресурса
+   */
+  registerResourcePolicy(resourceName, policyFn, options = {}) {
+    if (typeof policyFn !== "function") {
+      throw new Error(`Resource policy for "${resourceName}" must be a function`);
+    }
+    this.resources.set(resourceName, {
+      fn: policyFn,
+      modelName: options.modelName || options.model || resourceName,
+      ...options
+    });
+    return this.abac;
+  }
+  /**
+   * Регистрация расширения
+   */
+  registerExtension(moduleName, extensionFn) {
+    if (typeof extensionFn !== "function") {
+      throw new Error(`Extension "${moduleName}" must be a function`);
+    }
+    this.extensions.set(moduleName, extensionFn);
+    this.updatePriorities();
+    return this.abac;
+  }
+  /**
+   * Обновление приоритетов с сортировкой
+   */
+  updatePriorities() {
+    this.priorities = {
+      static: [],
+      dynamic: [],
+      extensions: []
+    };
+    for (const [name, policy] of this.global) {
+      const type = policy.type || "dynamic";
+      this.priorities[type].push([name, policy]);
+    }
+    this.priorities.static.sort((a, b) => (b[1].priority || 0) - (a[1].priority || 0));
+    this.priorities.dynamic.sort((a, b) => (b[1].priority || 0) - (a[1].priority || 0));
+    this.priorities.extensions = Array.from(this.extensions.entries());
+  }
+  /**
+   * Основная логика оценки политик
+   */
+  async evaluate(context, customPolicies = {}) {
+    const core = this.abac.core;
+    const evaluation = {
+      hasForceAllow: false,
+      hasForceDisallow: false,
+      hasDeny: false,
+      denyReason: "",
+      allowReason: "",
+      appliedPolicies: []
+    };
+    const processResult = (name, result) => {
+      evaluation.appliedPolicies.push({ name, result });
+      if (result.force) {
+        if (result.allow) {
+          evaluation.hasForceAllow = true;
+          evaluation.allowReason = result.reason;
+        } else {
+          evaluation.hasForceDisallow = true;
+          evaluation.denyReason = result.reason;
+        }
+      } else if (!result.allow) {
+        evaluation.hasDeny = true;
+        if (!evaluation.denyReason) {
+          evaluation.denyReason = result.reason;
+        }
+      }
+    };
+    const checkForceFlags = () => {
+      if (evaluation.hasForceDisallow) {
+        return {
+          allow: false,
+          reason: evaluation.denyReason || "FORCE_DENIED_BY_POLICY",
+          policies: evaluation.appliedPolicies
+        };
+      }
+      if (evaluation.hasForceAllow) {
+        return {
+          allow: true,
+          reason: evaluation.allowReason || "FORCE_ALLOWED_BY_POLICY",
+          policies: evaluation.appliedPolicies
+        };
+      }
+      return null;
+    };
+    const staticResults = await core.executePoliciesLimited(
+      this.priorities.static,
+      context,
+      true
+      // останавливаемся на deny
+    );
+    for (const { name, result, error } of staticResults) {
+      if (!error) {
+        processResult(name, result);
+      }
+    }
+    let forceResult = checkForceFlags();
+    if (forceResult) return forceResult;
+    const dynamicPolicies = [...this.priorities.dynamic];
+    for (const [name, fn] of Object.entries(customPolicies)) {
+      dynamicPolicies.push([name, { fn, type: "dynamic" }]);
+    }
+    const dynamicResults = await core.executePoliciesLimited(
+      dynamicPolicies,
+      context,
+      false
+    );
+    for (const { name, result, error } of dynamicResults) {
+      if (!error) {
+        processResult(name, result);
+      }
+    }
+    forceResult = checkForceFlags();
+    if (forceResult) return forceResult;
+    const resourcePolicy = this.resources.get(context.resource);
+    if (resourcePolicy) {
+      const results = await core.executePoliciesLimited(
+        [[`RESOURCE_${context.resource}`, resourcePolicy]],
+        context
+      );
+      if (!results[0].error) {
+        processResult(`RESOURCE_${context.resource}`, results[0].result);
+      }
+      forceResult = checkForceFlags();
+      if (forceResult) return forceResult;
+    }
+    if (evaluation.hasDeny) {
+      return {
+        allow: false,
+        reason: evaluation.denyReason || "DENIED_BY_POLICY",
+        policies: evaluation.appliedPolicies
+      };
+    }
+    const extensionResults = await core.executePoliciesLimited(
+      this.priorities.extensions,
+      context
+    );
+    for (const { name, result } of extensionResults) {
+      processResult(name, result);
+      if (result.allow) {
+        return {
+          allow: true,
+          reason: result.reason,
+          policies: evaluation.appliedPolicies
+        };
+      }
+    }
+    const defaultAllow = !this.abac.options.defaultDeny;
+    return {
+      allow: defaultAllow,
+      reason: defaultAllow ? "DEFAULT_ALLOW" : "DEFAULT_DENY",
+      policies: evaluation.appliedPolicies
+    };
+  }
+  /**
+   * Проверка конкретных политик
+   */
+  async checkPolicies(rawContext, policyNames = [], customPolicies = {}) {
+    const context = this.abac.core.normalizeContext(rawContext);
+    const policies = this.getPoliciesByNames(policyNames, customPolicies);
+    const results = await this.abac.core.executePoliciesLimited(
+      Object.entries(policies),
+      context,
+      this.abac.options.strictMode
+    );
+    const evaluation = {
+      passed: [],
+      failed: [],
+      errors: []
+    };
+    for (const { name, result, error } of results) {
+      if (error) {
+        evaluation.errors.push({ name, error: error.message });
+        continue;
+      }
+      if (result.force) {
+        return {
+          allow: result.allow,
+          reason: result.reason,
+          evaluation
+        };
+      }
+      if (result.allow) {
+        evaluation.passed.push(name);
+      } else {
+        evaluation.failed.push({ name, reason: result.reason });
+        if (this.abac.options.strictMode) {
+          return {
+            allow: false,
+            reason: result.reason,
+            evaluation
+          };
+        }
+      }
+    }
+    const allPassed = evaluation.failed.length === 0 && evaluation.errors.length === 0;
+    return {
+      allow: allPassed,
+      reason: allPassed ? "POLICIES_PASSED" : `FAILED: ${evaluation.failed[0]?.name}`,
+      evaluation
+    };
+  }
+  /**
+   * Получение политик по именам
+   */
+  getPoliciesByNames(names, customPolicies = {}) {
+    const policies = {};
+    for (const name of names) {
+      if (this.global.has(name)) {
+        policies[name] = this.global.get(name);
+      } else if (this.extensions.has(name)) {
+        policies[name] = { fn: this.extensions.get(name), type: "extension" };
+      } else if (this.resources.has(name)) {
+        policies[name] = this.resources.get(name);
+      } else {
+        this.abac.logger?.warn("Policy not found", { name });
+      }
+    }
+    Object.assign(policies, customPolicies);
+    return policies;
+  }
+}
+class ABACFields {
+  constructor(abac) {
+    this.abac = abac;
+    this.configs = /* @__PURE__ */ new Map();
+    this.compiledPatterns = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Регистрация field policies
+   */
+  registerFieldsPolicy(resourceName, config) {
+    const normalized = {};
+    for (const [pattern, conf] of Object.entries(config)) {
+      const { actions, ...baseSettings } = conf;
+      const base = {
+        actions: baseSettings.actions || "*",
+        access: baseSettings.access || "allow",
+        validator: baseSettings.validator || null,
+        transform: baseSettings.transform || null,
+        rule: baseSettings.rule || "remove",
+        force: baseSettings.force || false,
+        pattern
+      };
+      if (actions && typeof actions === "object") {
+        normalized[pattern] = {
+          base,
+          actions: Object.entries(actions).reduce((acc, [action, override]) => {
+            acc[action] = { ...base, ...override };
+            return acc;
+          }, {})
+        };
+      } else {
+        normalized[pattern] = { base };
+      }
+    }
+    this.configs.set(resourceName, normalized);
+    this.compiledPatterns.delete(resourceName);
+    return this;
+  }
+  /**
+   * Проверка доступа к полям
+   */
+  async checkFields(context, data, action = null) {
+    const normalizedContext = this.abac.core.normalizeContext(context);
+    if (normalizedContext.skipFieldPolicies) {
+      return {
+        allowed: data,
+        denied: [],
+        errors: [],
+        transformed: data
+      };
+    }
+    const { resource } = normalizedContext;
+    const fieldAction = action || normalizedContext.action;
+    const config = normalizedContext.options?.fieldsConfig || this.configs.get(resource);
+    if (!config) {
+      return { allowed: data, denied: [], errors: [], transformed: data };
+    }
+    await this._applyExtensions(normalizedContext);
+    const result = {
+      allowed: this._deepClone(data),
+      denied: [],
+      errors: [],
+      transformed: null
+    };
+    const rules = this._collectRulesOptimized(data, config, fieldAction, resource);
+    const forced = rules.filter((r) => r.rule.force);
+    const regular = rules.filter((r) => !r.rule.force);
+    const processed = /* @__PURE__ */ new Set();
+    for (const { path, value, rule } of [...forced, ...regular]) {
+      if (processed.has(path)) continue;
+      processed.add(path);
+      const hasAccess = await this._checkFieldAccess(
+        rule.access,
+        normalizedContext,
+        path,
+        value
+      );
+      if (!hasAccess) {
+        await this._handleDenied(result, path, rule.rule);
+        continue;
+      }
+      if (rule.validator && rule.access !== "optional") {
+        const validation = await this._validateField(
+          rule.validator,
+          value,
+          normalizedContext,
+          path
+        );
+        if (!validation.isValid) {
+          result.errors.push({ path, errors: validation.errors });
+          if (rule.rule === "error") {
+            throw new Error(`Validation failed: ${path}`);
+          }
+          await this._handleDenied(result, path, rule.rule);
+        }
+      }
+    }
+    result.transformed = this._deepClone(result.allowed);
+    for (const { path, value, rule } of [...forced, ...regular]) {
+      if (!rule.transform) continue;
+      const isDenied = result.denied.some((d) => d.path === path);
+      if (isDenied) continue;
+      const transformed = await this._transformField(
+        rule.transform,
+        value,
+        normalizedContext,
+        path,
+        result.transformed
+      );
+      set(result.transformed, path, transformed);
+    }
+    return result;
+  }
+  /**
+   * Применение расширений
+   * @private
+   */
+  async _applyExtensions(context) {
+    if (!this.abac.policies || !this.abac.policies.priorities.extensions.length) {
+      return;
+    }
+    for (const [name, extensionFn] of this.abac.policies.priorities.extensions) {
+      try {
+        await extensionFn(context);
+      } catch (error) {
+        this.abac.logger?.error("Extension error", { name, error });
+      }
+    }
+  }
+  /**
+   * Безопасное клонирование
+   * @private
+   */
+  _deepClone(obj) {
+    if (typeof structuredClone === "function") {
+      try {
+        return structuredClone(obj);
+      } catch (e) {
+      }
+    }
+    return cloneDeep(obj);
+  }
+  /**
+   * Оптимизированный сбор правил
+   * @private
+   */
+  _collectRulesOptimized(data, config, action, resource) {
+    const rules = [];
+    const compiledPatterns = this._getCompiledPatterns(resource, config);
+    const hasWildcard = compiledPatterns.has("*");
+    const dataPaths = this._extractPathsOptimized(data);
+    if (hasWildcard) {
+      const wildcardConfig = config["*"];
+      const rule = this._getRuleForAction(wildcardConfig, action);
+      if (this._matchesAction(rule.actions, action)) {
+        for (const path of dataPaths) {
+          rules.push({
+            path,
+            value: get(data, path),
+            rule
+          });
+        }
+        return rules;
+      }
+    }
+    for (const path of dataPaths) {
+      for (const [pattern, matcher] of compiledPatterns) {
+        if (pattern === "*") continue;
+        if (matcher(path)) {
+          const fieldConfig = config[pattern];
+          const rule = this._getRuleForAction(fieldConfig, action);
+          if (this._matchesAction(rule.actions, action)) {
+            rules.push({
+              path,
+              value: get(data, path),
+              rule
+            });
+            break;
+          }
+        }
+      }
+    }
+    return rules;
+  }
+  /**
+   * Получение скомпилированных паттернов
+   * @private
+   */
+  _getCompiledPatterns(resource, config) {
+    if (!this.compiledPatterns.has(resource)) {
+      const compiled = /* @__PURE__ */ new Map();
+      for (const pattern of Object.keys(config)) {
+        compiled.set(pattern, this._compilePattern(pattern));
+      }
+      this.compiledPatterns.set(resource, compiled);
+    }
+    return this.compiledPatterns.get(resource);
+  }
+  /**
+   * Компиляция паттерна в функцию проверки
+   * @private
+   */
+  _compilePattern(pattern) {
+    if (pattern === "*") return () => true;
+    const escaped = pattern.replace(/\./g, "\\.").replace(/\*\*/g, ".*").replace(/\*/g, "[^.]+").replace(/\[\*\]/g, "\\[\\d+\\]");
+    const regex = new RegExp(`^${escaped}$`);
+    return (path) => regex.test(path);
+  }
+  /**
+   * Оптимизированное извлечение путей
+   * @private
+   */
+  _extractPathsOptimized(obj, prefix = "", paths = []) {
+    if (!obj || typeof obj !== "object") return paths;
+    if (Array.isArray(obj)) {
+      obj.forEach((item, i) => {
+        const path = prefix ? `${prefix}[${i}]` : `[${i}]`;
+        paths.push(path);
+        this._extractPathsOptimized(item, path, paths);
+      });
+    } else {
+      for (const key in obj) {
+        if (obj.hasOwnProperty(key)) {
+          const path = prefix ? `${prefix}.${key}` : key;
+          paths.push(path);
+          if (obj[key] && typeof obj[key] === "object") {
+            this._extractPathsOptimized(obj[key], path, paths);
+          }
+        }
+      }
+    }
+    return paths;
+  }
+  /**
+   * Получение правила для действия
+   * @private
+   */
+  _getRuleForAction(fieldConfig, action) {
+    if (fieldConfig.actions && fieldConfig.actions[action]) {
+      return fieldConfig.actions[action];
+    }
+    return fieldConfig.base;
+  }
+  /**
+   * Проверка доступа к полю
+   * @private
+   */
+  async _checkFieldAccess(access, context, fieldPath, fieldValue) {
+    if (access === "allow") return true;
+    if (access === "deny") return false;
+    if (access === "optional") return true;
+    if (typeof access === "function") {
+      try {
+        return !!await access(context, fieldPath, fieldValue);
+      } catch (e) {
+        this.abac.logger?.error("Field access check error", {
+          field: fieldPath,
+          error: e.message
+        });
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Валидация поля
+   * @private
+   */
+  async _validateField(validator, value, context, fieldPath) {
+    if (typeof validator === "function") {
+      try {
+        const result = await validator(value, context, fieldPath);
+        if (typeof result === "boolean") {
+          return { isValid: result, errors: result ? [] : ["Validation failed"] };
+        }
+        return result;
+      } catch (e) {
+        return { isValid: false, errors: [e.message] };
+      }
+    }
+    if (validator && validator.validate) {
+      return validator.validate(value);
+    }
+    return { isValid: true, errors: [] };
+  }
+  /**
+   * Трансформация поля
+   * @private
+   */
+  async _transformField(transform, value, context, fieldPath, currentData) {
+    try {
+      return await transform(value, context, fieldPath, currentData);
+    } catch (error) {
+      this.abac.logger?.error("Field transform error", {
+        field: fieldPath,
+        error: error.message
+      });
+      return value;
+    }
+  }
+  /**
+   * Обработка отказа
+   * @private
+   */
+  async _handleDenied(result, path, rule) {
+    result.denied.push({ path, reason: rule });
+    if (rule === "remove") {
+      unset(result.allowed, path);
+    } else if (rule === "error") {
+      throw new Error(`Access denied: ${path}`);
+    }
+  }
+  /**
+   * Проверка действия
+   * @private
+   */
+  _matchesAction(actions, action) {
+    if (actions === "*") return true;
+    return Array.isArray(actions) ? actions.includes(action) : actions === action;
+  }
+  // Публичные методы для управления конфигами
+  getConfig(resourceName) {
+    return this.configs.get(resourceName);
+  }
+  hasConfig(resourceName) {
+    return this.configs.has(resourceName);
+  }
+  removeConfig(resourceName) {
+    this.compiledPatterns.delete(resourceName);
+    return this.configs.delete(resourceName);
+  }
+}
+class ABACExpressAdapter {
+  constructor(abac) {
+    this.abac = abac;
+  }
+  /**
+   * Основной middleware - разделен на составные части
+   */
+  middleware(resource, action, options = {}) {
+    const middlewares = [];
+    middlewares.push(this._accessMiddleware(resource, action, options));
+    if (options.checkFields) {
+      middlewares.push(this._fieldsValidationMiddleware(resource, action, options));
+    }
+    return middlewares;
+  }
+  /**
+   * Middleware проверки доступа
+   * @private
+   */
+  _accessMiddleware(resource, action, options = {}) {
+    return async (req, res, next) => {
+      try {
+        const context = this._buildContext(req, resource, action, options);
+        const accessResult = await this.abac.checkAccess(context, context.customPolicies);
+        if (!accessResult.allow) {
+          return this._sendAccessDenied(res, accessResult.reason);
+        }
+        req.abacContext = context;
+        req.abacAccessResult = accessResult;
+        next();
+      } catch (error) {
+        this.abac.logger?.error("ABAC middleware error", {
+          resource,
+          action,
+          error: error.message,
+          stack: error.stack
+        });
+        return this._sendError(res);
+      }
+    };
+  }
+  /**
+   * Middleware проверки полей
+   * @private
+   */
+  _fieldsValidationMiddleware(resource, action, options = {}) {
+    return async (req, res, next) => {
+      try {
+        const context = req.abacContext || this._buildContext(req, resource, action, options);
+        const fieldsResult = await this.abac.checkFields(context, req.body, action);
+        if (fieldsResult.errors.length > 0 && options.strictFieldsMode) {
+          return this._sendFieldError(res, fieldsResult.errors);
+        }
+        req.body = fieldsResult.allowed;
+        req.abacFieldsResult = fieldsResult;
+        next();
+      } catch (error) {
+        this.abac.logger?.error("Fields middleware error", {
+          resource,
+          action,
+          error: error.message
+        });
+        if (options.passErrors) {
+          next(error);
+        } else {
+          return this._sendError(res);
+        }
+      }
+    };
+  }
+  /**
+   * Построение контекста
+   * @private
+   */
+  _buildContext(req, resource, action, options = {}) {
+    return {
+      user: req.userId,
+      resource,
+      action,
+      req,
+      // НЕ смешиваем body и query - передаем структурированно
+      data: {
+        body: req.body || {},
+        query: req.query || {},
+        params: req.params || {}
+      },
+      params: req.params,
+      customPolicies: options.policies || {},
+      options
+    };
+  }
+  /**
+   * Policy middleware
+   */
+  policyMiddleware(policyNames = [], customPolicies = {}, options = {}) {
+    return async (req, res, next) => {
+      try {
+        const context = this._buildContext(
+          req,
+          options.resource || "custom",
+          options.action || "access",
+          options
+        );
+        const result = await this.abac.checkPolicies(context, policyNames, customPolicies);
+        if (!result.allow) {
+          return this._sendPolicyDenied(res, result.reason);
+        }
+        req.abacPolicyResult = result;
+        next();
+      } catch (error) {
+        this.abac.logger?.error("Policy middleware error", {
+          policies: policyNames,
+          error: error.message
+        });
+        return this._sendError(res);
+      }
+    };
+  }
+  /**
+   * Fields middleware для проверки/трансформации полей
+   */
+  fieldsMiddleware(resource, options = {}) {
+    return async (req, res, next) => {
+      try {
+        const action = options.action || this._getActionFromMethod(req.method);
+        const context = this._buildContext(req, resource, action, options);
+        let dataToCheck = this._getDataToCheck(req, res, options);
+        const fieldsResult = await this.abac.checkFields(context, dataToCheck, action);
+        if (fieldsResult.errors.length > 0) {
+          if (options.strictMode) {
+            return this._sendFieldError(res, fieldsResult.errors);
+          }
+          this.abac.logger?.warn("Field validation errors", {
+            resource,
+            action,
+            errors: fieldsResult.errors
+          });
+        }
+        this._applyFieldsResult(req, res, options, fieldsResult);
+        req.abacFieldsResult = fieldsResult;
+        next();
+      } catch (error) {
+        this.abac.logger?.error("Fields middleware error", {
+          resource,
+          error: error.message
+        });
+        if (options.passErrors) {
+          next(error);
+        } else {
+          return this._sendError(res);
+        }
+      }
+    };
+  }
+  /**
+   * Получение action из HTTP метода
+   * @private
+   */
+  _getActionFromMethod(method) {
+    const methodActionMap = {
+      "GET": "read",
+      "POST": "create",
+      "PUT": "update",
+      "PATCH": "update",
+      "DELETE": "delete"
+    };
+    return methodActionMap[method] || "access";
+  }
+  /**
+   * Определение данных для проверки
+   * @private
+   */
+  _getDataToCheck(req, res, options) {
+    if (req.method === "GET" && options.checkQuery) {
+      return req.query;
+    }
+    if (options.checkResponse && res.locals.data) {
+      return res.locals.data;
+    }
+    return req.body;
+  }
+  /**
+   * Применение результатов проверки полей
+   * @private
+   */
+  _applyFieldsResult(req, res, options, fieldsResult) {
+    if (req.method === "GET" && options.checkQuery) {
+      req.query = fieldsResult.allowed;
+    } else if (options.checkResponse && res.locals.data) {
+      res.locals.data = fieldsResult.transformed || fieldsResult.allowed;
+    } else {
+      req.body = fieldsResult.allowed;
+    }
+  }
+  /**
+   * Отправка ошибок - унифицированные методы
+   * @private
+   */
+  _sendAccessDenied(res, reason) {
+    return res.status(403).json({
+      error: {
+        code: "ACCESS_DENIED",
+        message: reason
+      }
+    });
+  }
+  _sendPolicyDenied(res, reason) {
+    return res.status(403).json({
+      error: {
+        code: "POLICY_DENIED",
+        message: reason
+      }
+    });
+  }
+  _sendFieldError(res, errors) {
+    return res.status(400).json({
+      error: {
+        code: "FIELD_VALIDATION_ERROR",
+        fields: errors
+      }
+    });
+  }
+  _sendError(res) {
+    return res.status(500).json({
+      error: {
+        code: "INTERNAL_ERROR",
+        message: "Access control error"
+      }
+    });
+  }
+}
+class ABACWebSocketAdapter {
+  constructor(abac) {
+    this.abac = abac;
+  }
+  /**
+   * WebSocket handler для проверки доступа
+   * @param {string} moduleName - Имя модуля
+   * @param {Object} [options] - Опции
+   * @returns {Function} Handler функция
+   */
+  handler(moduleName, options = {}) {
+    return async (ws, message) => {
+      try {
+        const { action = "access", resource = moduleName } = options;
+        const context = this._buildContext(ws, resource, action, message, options);
+        const accessResult = await this.abac.checkAccess(context, context.customPolicies);
+        if (!accessResult.allow) {
+          await this._sendError(ws, "ACCESS_DENIED", accessResult.reason);
+          return false;
+        }
+        if (options.checkFields && message) {
+          const fieldsResult = await this.abac.checkFields(context, message, action);
+          if (fieldsResult.errors.length > 0 && options.strictFieldsMode) {
+            await this._sendError(ws, "FIELD_VALIDATION_ERROR", "Field validation failed", {
+              fields: fieldsResult.errors
+            });
+            return false;
+          }
+          return {
+            allowed: true,
+            data: fieldsResult.transformed || fieldsResult.allowed,
+            fieldsResult
+          };
+        }
+        return true;
+      } catch (error) {
+        this.abac.logger?.error("WebSocket access control error", {
+          module: moduleName,
+          error: error.message,
+          stack: error.stack
+        });
+        await this._sendError(ws, "INTERNAL_ERROR", "Access control error");
+        return false;
+      }
+    };
+  }
+  /**
+   * RPC handler для вызовов через WebSocket
+   * @param {string} module - Модуль
+   * @param {string} method - Метод
+   * @param {Object} [options] - Опции
+   * @returns {Function} RPC handler
+   */
+  rpcHandler(module, method, options = {}) {
+    return async (params, rpcContext) => {
+      try {
+        const context = this._buildRPCContext(rpcContext, module, method, params, options);
+        const accessResult = await this.abac.checkAccess(context, context.customPolicies);
+        if (!accessResult.allow) {
+          throw new RPCError("ACCESS_DENIED", accessResult.reason);
+        }
+        if (options.checkFields && params) {
+          const fieldsResult = await this.abac.checkFields(context, params, method);
+          if (fieldsResult.errors.length > 0) {
+            if (options.strictFieldsMode) {
+              throw new RPCError(
+                "FIELD_VALIDATION_ERROR",
+                `Fields validation failed: ${fieldsResult.errors.map((e) => e.path).join(", ")}`
+              );
+            }
+            this.abac.logger?.warn("RPC field validation errors", {
+              module,
+              method,
+              errors: fieldsResult.errors
+            });
+          }
+          return fieldsResult.transformed || fieldsResult.allowed;
+        }
+        return params;
+      } catch (error) {
+        if (error instanceof RPCError) {
+          throw error;
+        }
+        this.abac.logger?.error("RPC access control error", {
+          module,
+          method,
+          error: error.message,
+          stack: error.stack
+        });
+        throw new RPCError("INTERNAL_ERROR", "Access control error");
+      }
+    };
+  }
+  /**
+   * Middleware для обработки WebSocket сообщений
+   * @param {Object} [options] - Опции
+   * @returns {Function} Middleware функция
+   */
+  messageMiddleware(options = {}) {
+    return async (ws, message, next) => {
+      try {
+        const { resource = "message", action = "send" } = options;
+        const context = this._buildContext(ws, resource, action, message, options);
+        const accessResult = await this.abac.checkAccess(context, options.policies || {});
+        if (!accessResult.allow) {
+          await this._sendError(ws, "ACCESS_DENIED", accessResult.reason);
+          return;
+        }
+        ws.abacContext = context;
+        ws.abacAccessResult = accessResult;
+        next();
+      } catch (error) {
+        this.abac.logger?.error("WebSocket middleware error", {
+          error: error.message
+        });
+        await this._sendError(ws, "INTERNAL_ERROR", "Access control error");
+      }
+    };
+  }
+  /**
+   * Построение контекста для WebSocket
+   * @private
+   */
+  _buildContext(ws, resource, action, data, options) {
+    return {
+      user: ws.userId || ws.user?.id,
+      resource,
+      action,
+      data: data || {},
+      socket: ws,
+      customPolicies: options.policies || {},
+      options,
+      // Дополнительная информация о соединении
+      connectionInfo: {
+        id: ws.id,
+        remoteAddress: ws._socket?.remoteAddress,
+        protocol: ws.protocol,
+        readyState: ws.readyState
+      }
+    };
+  }
+  /**
+   * Построение контекста для RPC
+   * @private
+   */
+  _buildRPCContext(rpcContext, module, method, params, options) {
+    return {
+      user: rpcContext.userId || rpcContext.user?.id,
+      resource: module,
+      action: method,
+      data: params || {},
+      socket: rpcContext.ws,
+      customPolicies: options.policies || {},
+      options,
+      rpcInfo: {
+        id: rpcContext.id,
+        module,
+        method,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      }
+    };
+  }
+  /**
+   * Отправка ошибки через WebSocket
+   * @private
+   */
+  async _sendError(ws, code, message, details = {}) {
+    if (ws.readyState !== 1) {
+      return;
+    }
+    try {
+      const errorMessage = JSON.stringify({
+        type: "error",
+        error: {
+          code,
+          message,
+          ...details
+        },
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      ws.send(errorMessage);
+    } catch (error) {
+      this.abac.logger?.error("Failed to send WebSocket error", {
+        originalError: { code, message },
+        sendError: error.message
+      });
+    }
+  }
+}
+class RPCError extends Error {
+  constructor(code, message, details = {}) {
+    super(message);
+    this.name = "RPCError";
+    this.code = code;
+    this.details = details;
+  }
+}
+class GlobalABAC {
+  constructor(db, options = {}) {
+    this.db = db;
+    this.options = {
+      strictMode: false,
+      defaultDeny: false,
+      serviceKey: process.env.SERVICE_KEY,
+      enableAudit: true,
+      cacheEnabled: true,
+      cacheTTL: 300,
+      concurrencyLimit: 10,
+      ...options
+    };
+    this.cache = new CacheNamespaced({ ttlSeconds: this.options.cacheTTL });
+    this.logger = this.options.logger || new LoggerNamespaced(db);
+    this.core = new ABACCore(this);
+    this.policies = new ABACPolicies(this);
+    this.fields = new ABACFields(this);
+    this.express = new ABACExpressAdapter(this);
+    this.websocket = new ABACWebSocketAdapter(this);
+  }
+  /**
+   * Регистрация глобальной политики
+   * @param {string} name - Имя политики
+   * @param {Function} policyFn - Функция политики (context) => boolean|{allow, force, reason}
+   * @param {Object} [metadata] - Метаданные политики
+   * @param {string} [metadata.type='dynamic'] - Тип (static|dynamic)
+   * @param {number} [metadata.priority=0] - Приоритет
+   * @returns {GlobalABAC}
+   */
+  registerGlobalPolicy(name, policyFn, metadata = {}) {
+    return this.policies.registerGlobalPolicy(name, policyFn, metadata);
+  }
+  /**
+   * Регистрация политики для ресурса
+   * @param {string} resourceName - Имя ресурса
+   * @param {Function} policyFn - Функция политики
+   * @param {Object} [options] - Опции
+   * @param {string} [options.modelName] - Имя модели в БД
+   * @returns {GlobalABAC}
+   */
+  registerResourcePolicy(resourceName, policyFn, options = {}) {
+    return this.policies.registerResourcePolicy(resourceName, policyFn, options);
+  }
+  /**
+   * Регистрация политики полей
+   * @param {string} resourceName - Имя ресурса
+   * @param {Object} config - Конфигурация полей
+   * @returns {GlobalABAC}
+   *
+   * @example
+   * abac.registerFieldsPolicy('user', {
+   *   'email': { access: 'deny', actions: ['update'] },
+   *   'password': { access: 'deny', actions: '*', rule: 'remove' },
+   *   'profile.*': {
+   *     access: async (ctx) => ctx.user === ctx.currentResource?.id,
+   *     transform: (value) => sanitize(value)
+   *   }
+   * });
+   */
+  registerFieldsPolicy(resourceName, config) {
+    return this.fields.registerFieldsPolicy(resourceName, config);
+  }
+  /**
+   * Регистрация расширения контекста
+   * @param {string} moduleName - Имя модуля
+   * @param {Function} extensionFn - Функция расширения (context) => void
+   * @returns {GlobalABAC}
+   */
+  registerExtension(moduleName, extensionFn) {
+    return this.policies.registerExtension(moduleName, extensionFn);
+  }
+  /**
+   * Проверка доступа
+   * @param {ABACContext|Object} context - Контекст проверки
+   * @param {Object} [customPolicies] - Дополнительные политики
+   * @returns {Promise<ABACResult>}
+   */
+  async checkAccess(context, customPolicies = {}) {
+    return this.core.checkAccess(context, customPolicies);
+  }
+  /**
+   * Проверка доступа к полям
+   * @param {ABACContext|Object} context - Контекст
+   * @param {Object} data - Данные для проверки
+   * @param {string} [action] - Действие
+   * @returns {Promise<FieldsResult>}
+   */
+  async checkFields(context, data, action = null) {
+    return this.fields.checkFields(context, data, action);
+  }
+  /**
+   * Проверка конкретных политик
+   * @param {ABACContext|Object} context - Контекст
+   * @param {string[]} policyNames - Имена политик
+   * @param {Object} [customPolicies] - Дополнительные политики
+   * @returns {Promise<ABACResult>}
+   */
+  async checkPolicies(context, policyNames = [], customPolicies = {}) {
+    return this.policies.checkPolicies(context, policyNames, customPolicies);
+  }
+  /**
+   * Express middleware для проверки доступа
+   * @param {string} resource - Ресурс
+   * @param {string} action - Действие
+   * @param {Object} [options] - Опции
+   * @returns {Function|Function[]} Middleware функция(и)
+   */
+  middleware(resource, action, options = {}) {
+    return this.express.middleware(resource, action, options);
+  }
+  /**
+   * Express middleware для проверки политик
+   * @param {string[]} policyNames - Имена политик
+   * @param {Object} [customPolicies] - Дополнительные политики
+   * @param {Object} [options] - Опции
+   * @returns {Function} Middleware функция
+   */
+  policyMiddleware(policyNames = [], customPolicies = {}, options = {}) {
+    return this.express.policyMiddleware(policyNames, customPolicies, options);
+  }
+  /**
+   * Express middleware для проверки полей
+   * @param {string} resource - Ресурс
+   * @param {Object} [options] - Опции
+   * @returns {Function} Middleware функция
+   */
+  fieldsMiddleware(resource, options = {}) {
+    return this.express.fieldsMiddleware(resource, options);
+  }
+  /**
+   * WebSocket handler
+   * @param {string} moduleName - Имя модуля
+   * @param {Object} [options] - Опции
+   * @returns {Function} Handler функция
+   */
+  wsHandler(moduleName, options = {}) {
+    return this.websocket.handler(moduleName, options);
+  }
+  /**
+   * Получение модели ресурса из БД
+   * @param {string} resourceName - Имя ресурса
+   * @returns {Object|null} Mongoose модель или null
+   */
+  getResourceModel(resourceName) {
+    const resourcePolicy = this.policies.resources.get(resourceName);
+    if (!resourcePolicy) return null;
+    const modelName = resourcePolicy.modelName || resourceName;
+    return this.db[modelName] || null;
+  }
+  /**
+   * Очистка кэша
+   * @param {Object} [options] - Опции очистки
+   * @param {string} [options.user] - Очистить для пользователя
+   * @param {string} [options.resource] - Очистить для ресурса
+   * @param {string} [options.policy] - Очистить для политики
+   */
+  async clearCache(options = {}) {
+    if (options.user) {
+      await this.cache.invalidateTag(`user_${options.user}`);
+    }
+    if (options.resource) {
+      await this.cache.invalidateTag(`resource_${options.resource}`);
+    }
+    if (options.policy) {
+      await this.cache.invalidateTag(`policy_${options.policy}`);
+    }
+    if (!options.user && !options.resource && !options.policy) {
+      await this.cache.clear();
+    }
+  }
+  /**
+   * Получение статистики
+   * @returns {Object} Статистика системы
+   */
+  getStats() {
+    return {
+      policies: {
+        global: this.policies.global.size,
+        resources: this.policies.resources.size,
+        extensions: this.policies.extensions.size
+      },
+      fields: {
+        configs: this.fields.configs.size
+      },
+      cache: {
+        size: this.cache.size,
+        hits: this.cache.hits,
+        misses: this.cache.misses
+      }
+    };
+  }
+}
+let instance = null;
+const getInstance = (db, options) => {
+  if (!instance) {
+    instance = new GlobalABAC(db, options);
+  }
+  return instance;
+};
+const resetInstance = () => {
+  instance = null;
+};
+const coreabac = { getInstance, resetInstance };
+export {
+  LoggerNamespaced as L,
+  coreabac as c
+};