@powerhousedao/vetra 6.0.0-dev.23 → 6.0.0-dev.24

package/dist/subgraphs/permission-utils.js

@@ -0,0 +1,101 @@
+import { GraphQLError } from "graphql";
+/**
+ * Check if user has global read access (admin, user, or guest)
+ */
+export function hasGlobalReadAccess(ctx) {
+    const isGlobalAdmin = ctx.isAdmin?.(ctx.user?.address ?? "");
+    const isGlobalUser = ctx.isUser?.(ctx.user?.address ?? "");
+    const isGlobalGuest = ctx.isGuest?.(ctx.user?.address ?? "") || process.env.FREE_ENTRY === "true";
+    return !!(isGlobalAdmin || isGlobalUser || isGlobalGuest);
+}
+/**
+ * Check if user has global write access (admin or user, not guest)
+ */
+export function hasGlobalWriteAccess(ctx) {
+    const isGlobalAdmin = ctx.isAdmin?.(ctx.user?.address ?? "");
+    const isGlobalUser = ctx.isUser?.(ctx.user?.address ?? "");
+    return !!(isGlobalAdmin || isGlobalUser);
+}
+/**
+ * Get the parent IDs function for hierarchical permission checks
+ */
+function getParentIdsFn(subgraph) {
+    return async (documentId) => {
+        try {
+            const result = await subgraph.reactorClient.getParents(documentId);
+            return result.results.map((doc) => doc.header.id);
+        }
+        catch {
+            return [];
+        }
+    };
+}
+/**
+ * Check if user can read a document (with hierarchy)
+ */
+export async function canReadDocument(subgraph, documentId, ctx) {
+    // Global access allows reading
+    if (hasGlobalReadAccess(ctx)) {
+        return true;
+    }
+    // Check document-level permissions with hierarchy
+    if (subgraph.documentPermissionService) {
+        return subgraph.documentPermissionService.canRead(documentId, ctx.user?.address, getParentIdsFn(subgraph));
+    }
+    return false;
+}
+/**
+ * Check if user can write to a document (with hierarchy)
+ */
+export async function canWriteDocument(subgraph, documentId, ctx) {
+    // Global write access allows writing
+    if (hasGlobalWriteAccess(ctx)) {
+        return true;
+    }
+    // Check document-level permissions with hierarchy
+    if (subgraph.documentPermissionService) {
+        return subgraph.documentPermissionService.canWrite(documentId, ctx.user?.address, getParentIdsFn(subgraph));
+    }
+    return false;
+}
+/**
+ * Throw an error if user cannot read the document
+ */
+export async function assertCanRead(subgraph, documentId, ctx) {
+    const canRead = await canReadDocument(subgraph, documentId, ctx);
+    if (!canRead) {
+        throw new GraphQLError("Forbidden: insufficient permissions to read this document");
+    }
+}
+/**
+ * Throw an error if user cannot write to the document
+ */
+export async function assertCanWrite(subgraph, documentId, ctx) {
+    const canWrite = await canWriteDocument(subgraph, documentId, ctx);
+    if (!canWrite) {
+        throw new GraphQLError("Forbidden: insufficient permissions to write to this document");
+    }
+}
+/**
+ * Check if user can execute a specific operation on a document.
+ * Throws an error if the operation is restricted and user lacks permission.
+ */
+export async function assertCanExecuteOperation(subgraph, documentId, operationType, ctx) {
+    // Skip if no permission service
+    if (!subgraph.documentPermissionService) {
+        return;
+    }
+    // Global admins bypass operation-level restrictions
+    if (ctx.isAdmin?.(ctx.user?.address ?? "")) {
+        return;
+    }
+    // Check if this operation has any restrictions set
+    const isRestricted = await subgraph.documentPermissionService.isOperationRestricted(documentId, operationType);
+    if (isRestricted) {
+        // Operation is restricted, check if user has permission
+        const canExecute = await subgraph.documentPermissionService.canExecuteOperation(documentId, operationType, ctx.user?.address);
+        if (!canExecute) {
+            throw new GraphQLError(`Forbidden: insufficient permissions to execute operation "${operationType}" on this document`);
+        }
+    }
+}

package/dist/subgraphs/processor-module/resolvers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/processor-module/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAiB/D,eAAO,MAAM,YAAY,GACvB,UAAU,YAAY,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAgNxB,CAAC"}
+{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/processor-module/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAW,MAAM,4BAA4B,CAAC;AA2BxE,eAAO,MAAM,YAAY,GACvB,UAAU,YAAY,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CA0SxB,CAAC"}

package/dist/subgraphs/processor-module/resolvers.js

@@ -1,17 +1,21 @@
 import { addFile } from "document-drive";
 import { setName } from "document-model";
+import { GraphQLError } from "graphql";
 import { actions, processorModuleDocumentType, } from "@powerhousedao/vetra/document-models/processor-module";
+import { assertCanRead, assertCanWrite, assertCanExecuteOperation, canReadDocument, hasGlobalReadAccess, hasGlobalWriteAccess, } from "../permission-utils.js";
 export const getResolvers = (subgraph) => {
     const reactor = subgraph.reactor;
     return {
         Query: {
-            ProcessorModule: async () => {
+            ProcessorModule: (_, __, ctx) => {
                 return {
                     getDocument: async (args) => {
                         const { docId, driveId } = args;
                         if (!docId) {
                             throw new Error("Document id is required");
                         }
+                        // Check read permission before accessing document
+                        await assertCanRead(subgraph, docId, ctx);
                         if (driveId) {
                             const docIds = await reactor.getDocuments(driveId);
                             if (!docIds.includes(docId)) {
@@ -32,6 +36,8 @@ export const getResolvers = (subgraph) => {
                     },
                     getDocuments: async (args) => {
                         const { driveId } = args;
+                        // Check read permission on drive before listing documents
+                        await assertCanRead(subgraph, driveId, ctx);
                         const docsIds = await reactor.getDocuments(driveId);
                         const docs = await Promise.all(docsIds.map(async (docId) => {
                             const doc = await reactor.getDocument(docId);
@@ -46,14 +52,34 @@ export const getResolvers = (subgraph) => {
                                 revision: doc.header?.revision?.global ?? 0,
                             };
                         }));
-                        return docs.filter((doc) => doc.header.documentType === processorModuleDocumentType);
+                        const filteredByType = docs.filter((doc) => doc.header.documentType === processorModuleDocumentType);
+                        // If user doesn't have global read access, filter by document-level permissions
+                        if (!hasGlobalReadAccess(ctx) &&
+                            subgraph.documentPermissionService) {
+                            const filteredDocs = [];
+                            for (const doc of filteredByType) {
+                                const canRead = await canReadDocument(subgraph, doc.id, ctx);
+                                if (canRead) {
+                                    filteredDocs.push(doc);
+                                }
+                            }
+                            return filteredDocs;
+                        }
+                        return filteredByType;
                     },
                 };
             },
         },
         Mutation: {
-            ProcessorModule_createDocument: async (_, args) => {
+            ProcessorModule_createDocument: async (_, args, ctx) => {
                 const { driveId, name } = args;
+                // If creating under a drive, check write permission on drive
+                if (driveId) {
+                    await assertCanWrite(subgraph, driveId, ctx);
+                }
+                else if (!hasGlobalWriteAccess(ctx)) {
+                    throw new GraphQLError("Forbidden: insufficient permissions to create documents");
+                }
                 const document = await reactor.addDocument(processorModuleDocumentType);
                 if (driveId) {
                     await reactor.addAction(driveId, addFile({
@@ -67,8 +93,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return document.header.id;
             },
-            ProcessorModule_setProcessorName: async (_, args) => {
+            ProcessorModule_setProcessorName: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PROCESSOR_NAME", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -79,8 +108,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            ProcessorModule_setProcessorType: async (_, args) => {
+            ProcessorModule_setProcessorType: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PROCESSOR_TYPE", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -91,8 +123,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            ProcessorModule_addDocumentType: async (_, args) => {
+            ProcessorModule_addDocumentType: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "ADD_DOCUMENT_TYPE", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -103,8 +138,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            ProcessorModule_removeDocumentType: async (_, args) => {
+            ProcessorModule_removeDocumentType: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "REMOVE_DOCUMENT_TYPE", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -115,8 +153,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            ProcessorModule_setProcessorStatus: async (_, args) => {
+            ProcessorModule_setProcessorStatus: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PROCESSOR_STATUS", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");

package/dist/subgraphs/subgraph-module/resolvers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/subgraph-module/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAc/D,eAAO,MAAM,YAAY,GACvB,UAAU,YAAY,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAwIxB,CAAC"}
+{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/subgraph-module/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAW,MAAM,4BAA4B,CAAC;AAwBxE,eAAO,MAAM,YAAY,GACvB,UAAU,YAAY,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAiMxB,CAAC"}

package/dist/subgraphs/subgraph-module/resolvers.js

@@ -1,17 +1,21 @@
 import { addFile } from "document-drive";
 import { setName } from "document-model";
+import { GraphQLError } from "graphql";
 import { actions, subgraphModuleDocumentType, } from "@powerhousedao/vetra/document-models/subgraph-module";
+import { assertCanRead, assertCanWrite, assertCanExecuteOperation, canReadDocument, hasGlobalReadAccess, hasGlobalWriteAccess, } from "../permission-utils.js";
 export const getResolvers = (subgraph) => {
     const reactor = subgraph.reactor;
     return {
         Query: {
-            SubgraphModule: async () => {
+            SubgraphModule: (_, __, ctx) => {
                 return {
                     getDocument: async (args) => {
                         const { docId, driveId } = args;
                         if (!docId) {
                             throw new Error("Document id is required");
                         }
+                        // Check read permission before accessing document
+                        await assertCanRead(subgraph, docId, ctx);
                         if (driveId) {
                             const docIds = await reactor.getDocuments(driveId);
                             if (!docIds.includes(docId)) {
@@ -32,6 +36,8 @@ export const getResolvers = (subgraph) => {
                     },
                     getDocuments: async (args) => {
                         const { driveId } = args;
+                        // Check read permission on drive before listing documents
+                        await assertCanRead(subgraph, driveId, ctx);
                         const docsIds = await reactor.getDocuments(driveId);
                         const docs = await Promise.all(docsIds.map(async (docId) => {
                             const doc = await reactor.getDocument(docId);
@@ -46,14 +52,34 @@ export const getResolvers = (subgraph) => {
                                 revision: doc.header?.revision?.global ?? 0,
                             };
                         }));
-                        return docs.filter((doc) => doc.header.documentType === subgraphModuleDocumentType);
+                        const filteredByType = docs.filter((doc) => doc.header.documentType === subgraphModuleDocumentType);
+                        // If user doesn't have global read access, filter by document-level permissions
+                        if (!hasGlobalReadAccess(ctx) &&
+                            subgraph.documentPermissionService) {
+                            const filteredDocs = [];
+                            for (const doc of filteredByType) {
+                                const canRead = await canReadDocument(subgraph, doc.id, ctx);
+                                if (canRead) {
+                                    filteredDocs.push(doc);
+                                }
+                            }
+                            return filteredDocs;
+                        }
+                        return filteredByType;
                     },
                 };
             },
         },
         Mutation: {
-            SubgraphModule_createDocument: async (_, args) => {
+            SubgraphModule_createDocument: async (_, args, ctx) => {
                 const { driveId, name } = args;
+                // If creating under a drive, check write permission on drive
+                if (driveId) {
+                    await assertCanWrite(subgraph, driveId, ctx);
+                }
+                else if (!hasGlobalWriteAccess(ctx)) {
+                    throw new GraphQLError("Forbidden: insufficient permissions to create documents");
+                }
                 const document = await reactor.addDocument(subgraphModuleDocumentType);
                 if (driveId) {
                     await reactor.addAction(driveId, addFile({
@@ -67,8 +93,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return document.header.id;
             },
-            SubgraphModule_setSubgraphName: async (_, args) => {
+            SubgraphModule_setSubgraphName: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_SUBGRAPH_NAME", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -79,8 +108,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            SubgraphModule_setSubgraphStatus: async (_, args) => {
+            SubgraphModule_setSubgraphStatus: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_SUBGRAPH_STATUS", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");

package/dist/subgraphs/vetra-package/resolvers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/vetra-package/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAsB/D,eAAO,MAAM,YAAY,GACvB,UAAU,YAAY,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAuUxB,CAAC"}
+{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/vetra-package/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAW,MAAM,4BAA4B,CAAC;AAgCxE,eAAO,MAAM,YAAY,GACvB,UAAU,YAAY,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAwdxB,CAAC"}

package/dist/subgraphs/vetra-package/resolvers.js

@@ -1,17 +1,21 @@
 import { addFile } from "document-drive";
 import { setName } from "document-model";
+import { GraphQLError } from "graphql";
 import { actions, vetraPackageDocumentType, } from "@powerhousedao/vetra/document-models/vetra-package";
+import { assertCanRead, assertCanWrite, assertCanExecuteOperation, canReadDocument, hasGlobalReadAccess, hasGlobalWriteAccess, } from "../permission-utils.js";
 export const getResolvers = (subgraph) => {
     const reactor = subgraph.reactor;
     return {
         Query: {
-            VetraPackage: async () => {
+            VetraPackage: (_, __, ctx) => {
                 return {
                     getDocument: async (args) => {
                         const { docId, driveId } = args;
                         if (!docId) {
                             throw new Error("Document id is required");
                         }
+                        // Check read permission before accessing document
+                        await assertCanRead(subgraph, docId, ctx);
                         if (driveId) {
                             const docIds = await reactor.getDocuments(driveId);
                             if (!docIds.includes(docId)) {
@@ -32,6 +36,8 @@ export const getResolvers = (subgraph) => {
                     },
                     getDocuments: async (args) => {
                         const { driveId } = args;
+                        // Check read permission on drive before listing documents
+                        await assertCanRead(subgraph, driveId, ctx);
                         const docsIds = await reactor.getDocuments(driveId);
                         const docs = await Promise.all(docsIds.map(async (docId) => {
                             const doc = await reactor.getDocument(docId);
@@ -46,14 +52,34 @@ export const getResolvers = (subgraph) => {
                                 revision: doc.header?.revision?.global ?? 0,
                             };
                         }));
-                        return docs.filter((doc) => doc.header.documentType === vetraPackageDocumentType);
+                        const filteredByType = docs.filter((doc) => doc.header.documentType === vetraPackageDocumentType);
+                        // If user doesn't have global read access, filter by document-level permissions
+                        if (!hasGlobalReadAccess(ctx) &&
+                            subgraph.documentPermissionService) {
+                            const filteredDocs = [];
+                            for (const doc of filteredByType) {
+                                const canRead = await canReadDocument(subgraph, doc.id, ctx);
+                                if (canRead) {
+                                    filteredDocs.push(doc);
+                                }
+                            }
+                            return filteredDocs;
+                        }
+                        return filteredByType;
                     },
                 };
             },
         },
         Mutation: {
-            VetraPackage_createDocument: async (_, args) => {
+            VetraPackage_createDocument: async (_, args, ctx) => {
                 const { driveId, name } = args;
+                // If creating under a drive, check write permission on drive
+                if (driveId) {
+                    await assertCanWrite(subgraph, driveId, ctx);
+                }
+                else if (!hasGlobalWriteAccess(ctx)) {
+                    throw new GraphQLError("Forbidden: insufficient permissions to create documents");
+                }
                 const document = await reactor.addDocument(vetraPackageDocumentType);
                 if (driveId) {
                     await reactor.addAction(driveId, addFile({
@@ -67,8 +93,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return document.header.id;
             },
-            VetraPackage_setPackageName: async (_, args) => {
+            VetraPackage_setPackageName: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PACKAGE_NAME", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -79,8 +108,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            VetraPackage_setPackageDescription: async (_, args) => {
+            VetraPackage_setPackageDescription: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PACKAGE_DESCRIPTION", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -91,8 +123,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            VetraPackage_setPackageCategory: async (_, args) => {
+            VetraPackage_setPackageCategory: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PACKAGE_CATEGORY", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -103,8 +138,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            VetraPackage_setPackageAuthor: async (_, args) => {
+            VetraPackage_setPackageAuthor: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PACKAGE_AUTHOR", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -115,8 +153,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            VetraPackage_setPackageAuthorName: async (_, args) => {
+            VetraPackage_setPackageAuthorName: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PACKAGE_AUTHOR_NAME", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -127,8 +168,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            VetraPackage_setPackageAuthorWebsite: async (_, args) => {
+            VetraPackage_setPackageAuthorWebsite: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PACKAGE_AUTHOR_WEBSITE", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -139,8 +183,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            VetraPackage_addPackageKeyword: async (_, args) => {
+            VetraPackage_addPackageKeyword: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "ADD_PACKAGE_KEYWORD", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -151,8 +198,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            VetraPackage_removePackageKeyword: async (_, args) => {
+            VetraPackage_removePackageKeyword: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "REMOVE_PACKAGE_KEYWORD", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -163,8 +213,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            VetraPackage_setPackageGithubUrl: async (_, args) => {
+            VetraPackage_setPackageGithubUrl: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PACKAGE_GITHUB_URL", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");
@@ -175,8 +228,11 @@ export const getResolvers = (subgraph) => {
                 }
                 return true;
             },
-            VetraPackage_setPackageNpmUrl: async (_, args) => {
+            VetraPackage_setPackageNpmUrl: async (_, args, ctx) => {
                 const { docId, input } = args;
+                // Check write permission before mutating document
+                await assertCanWrite(subgraph, docId, ctx);
+                await assertCanExecuteOperation(subgraph, docId, "SET_PACKAGE_NPM_URL", ctx);
                 const doc = await reactor.getDocument(docId);
                 if (!doc) {
                     throw new Error("Document not found");

package/dist/subgraphs/vetra-read-model/resolvers.d.ts

@@ -1,3 +1,3 @@
-import type { ISubgraph } from "@powerhousedao/reactor-api";
-export declare const getResolvers: (subgraph: ISubgraph) => Record<string, unknown>;
+import type { BaseSubgraph } from "@powerhousedao/reactor-api";
+export declare const getResolvers: (subgraph: BaseSubgraph) => Record<string, unknown>;
 //# sourceMappingURL=resolvers.d.ts.map

package/dist/subgraphs/vetra-read-model/resolvers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/vetra-read-model/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAI5D,eAAO,MAAM,YAAY,GAAI,UAAU,SAAS,KAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAiDxE,CAAC"}
+{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/vetra-read-model/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAW,MAAM,4BAA4B,CAAC;AAKxE,eAAO,MAAM,YAAY,GACvB,UAAU,YAAY,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAsExB,CAAC"}

package/dist/subgraphs/vetra-read-model/resolvers.js

@@ -1,9 +1,10 @@
 import { VetraReadModelProcessorLegacy } from "../../processors/vetra-read-model/index.legacy.js";
+import { canReadDocument, hasGlobalReadAccess } from "../permission-utils.js";
 export const getResolvers = (subgraph) => {
     const db = subgraph.relationalDb;
     return {
         Query: {
-            vetraPackages: async (parent, args) => {
+            vetraPackages: async (_parent, args, ctx) => {
                 const { search, documentId_in } = args;
                 const sortOrder = args.sortOrder || "asc";
                 let query = VetraReadModelProcessorLegacy.query("vetra-packages", db)
@@ -16,7 +17,8 @@ export const getResolvers = (subgraph) => {
                     query = query.where("document_id", "in", documentId_in);
                 }
                 query = query.orderBy("name", sortOrder);
-                return (await query.execute()).map((pkg) => ({
+                const results = await query.execute();
+                const mappedResults = results.map((pkg) => ({
                     ...pkg,
                     documentId: pkg.document_id,
                     name: pkg.name,
@@ -29,6 +31,18 @@ export const getResolvers = (subgraph) => {
                     keywords: pkg.keywords,
                     driveId: pkg.drive_id,
                 }));
+                // If user doesn't have global read access, filter by document-level permissions
+                if (!hasGlobalReadAccess(ctx) && subgraph.documentPermissionService) {
+                    const filteredResults = [];
+                    for (const pkg of mappedResults) {
+                        const canRead = await canReadDocument(subgraph, pkg.documentId, ctx);
+                        if (canRead) {
+                            filteredResults.push(pkg);
+                        }
+                    }
+                    return filteredResults;
+                }
+                return mappedResults;
             },
         },
     };