@powerhousedao/vetra 6.0.0-dev.5 → 6.0.0-dev.52

package/dist/subgraphs/__tests__/vetra-read-model-permissions.test.js

@@ -0,0 +1,319 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { getResolvers } from "../vetra-read-model/resolvers.js";
+// Mock the VetraReadModelProcessorLegacy
+vi.mock("../../processors/vetra-read-model/index.legacy.js", () => ({
+    VetraReadModelProcessorLegacy: {
+        query: vi.fn(() => ({
+            selectFrom: vi.fn(() => ({
+                selectAll: vi.fn(() => ({
+                    where: vi.fn().mockReturnThis(),
+                    orderBy: vi.fn(() => ({
+                        execute: vi.fn().mockResolvedValue([]),
+                    })),
+                    execute: vi.fn().mockResolvedValue([]),
+                })),
+            })),
+        })),
+    },
+}));
+import { VetraReadModelProcessorLegacy } from "../../processors/vetra-read-model/index.legacy.js";
+describe("VetraReadModel Subgraph Permission Checks", () => {
+    let mockSubgraph;
+    let mockDocumentPermissionService;
+    let mockRelationalDb;
+    let resolvers;
+    // Mock package data
+    const mockPackages = [
+        {
+            document_id: "pkg-1",
+            name: "Package 1",
+            description: "Description 1",
+            category: "tools",
+            author_name: "Author 1",
+            author_website: "https://author1.com",
+            github_url: "https://github.com/pkg1",
+            npm_url: "https://npm.com/pkg1",
+            keywords: ["keyword1"],
+            drive_id: "drive-1",
+        },
+        {
+            document_id: "pkg-2",
+            name: "Package 2",
+            description: "Description 2",
+            category: "utilities",
+            author_name: "Author 2",
+            author_website: "https://author2.com",
+            github_url: "https://github.com/pkg2",
+            npm_url: "https://npm.com/pkg2",
+            keywords: ["keyword2"],
+            drive_id: "drive-1",
+        },
+        {
+            document_id: "pkg-3",
+            name: "Package 3",
+            description: "Description 3",
+            category: "tools",
+            author_name: "Author 3",
+            author_website: null,
+            github_url: null,
+            npm_url: null,
+            keywords: [],
+            drive_id: "drive-2",
+        },
+    ];
+    // Helper to create context with different permission levels
+    const createContext = (options) => ({
+        user: options.userAddress ? { address: options.userAddress } : undefined,
+        isAdmin: vi.fn().mockReturnValue(options.isAdmin ?? false),
+        isUser: vi.fn().mockReturnValue(options.isUser ?? false),
+        isGuest: vi.fn().mockReturnValue(options.isGuest ?? false),
+    });
+    // Setup mock query chain
+    const setupMockQuery = (packages) => {
+        const mockExecute = vi.fn().mockResolvedValue(packages);
+        const mockOrderBy = vi.fn().mockReturnValue({ execute: mockExecute });
+        const mockWhere = vi.fn().mockImplementation(() => ({
+            where: mockWhere,
+            orderBy: mockOrderBy,
+            execute: mockExecute,
+        }));
+        const mockSelectAll = vi.fn().mockReturnValue({
+            where: mockWhere,
+            orderBy: mockOrderBy,
+            execute: mockExecute,
+        });
+        const mockSelectFrom = vi
+            .fn()
+            .mockReturnValue({ selectAll: mockSelectAll });
+        vi.mocked(VetraReadModelProcessorLegacy.query).mockReturnValue({
+            selectFrom: mockSelectFrom,
+        });
+        return { mockExecute, mockOrderBy, mockWhere };
+    };
+    beforeEach(() => {
+        vi.clearAllMocks();
+        delete process.env.FREE_ENTRY;
+        // Create mock DocumentPermissionService
+        mockDocumentPermissionService = {
+            canRead: vi.fn().mockResolvedValue(false),
+            canWrite: vi.fn().mockResolvedValue(false),
+            canReadDocument: vi.fn().mockResolvedValue(false),
+            canWriteDocument: vi.fn().mockResolvedValue(false),
+        };
+        // Create mock relational database
+        mockRelationalDb = {};
+        // Create mock subgraph
+        mockSubgraph = {
+            relationalDb: mockRelationalDb,
+            documentPermissionService: mockDocumentPermissionService,
+            reactorClient: {
+                getParents: vi.fn().mockResolvedValue({
+                    results: [],
+                    options: { limit: 10 },
+                }),
+            },
+        };
+        // Get resolvers
+        resolvers = getResolvers(mockSubgraph);
+    });
+    afterEach(() => {
+        delete process.env.FREE_ENTRY;
+    });
+    describe("Query: vetraPackages", () => {
+        const callVetraPackages = async (ctx, args = {}) => {
+            const query = resolvers.Query?.vetraPackages;
+            return query(null, args, ctx);
+        };
+        describe("Global Role Access", () => {
+            it("should return all packages when user is global admin", async () => {
+                setupMockQuery(mockPackages);
+                const ctx = createContext({ isAdmin: true, userAddress: "0xadmin" });
+                const result = await callVetraPackages(ctx);
+                expect(result).toHaveLength(3);
+                expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
+            });
+            it("should return all packages when user is global user", async () => {
+                setupMockQuery(mockPackages);
+                const ctx = createContext({ isUser: true, userAddress: "0xuser" });
+                const result = await callVetraPackages(ctx);
+                expect(result).toHaveLength(3);
+                expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
+            });
+            it("should return all packages when user is global guest", async () => {
+                setupMockQuery(mockPackages);
+                const ctx = createContext({ isGuest: true, userAddress: "0xguest" });
+                const result = await callVetraPackages(ctx);
+                expect(result).toHaveLength(3);
+                expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
+            });
+            it("should return all packages when FREE_ENTRY is true", async () => {
+                process.env.FREE_ENTRY = "true";
+                setupMockQuery(mockPackages);
+                const ctx = createContext({ userAddress: "0xanyone" });
+                const result = await callVetraPackages(ctx);
+                expect(result).toHaveLength(3);
+                expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
+            });
+        });
+        describe("Document Permission Filtering", () => {
+            it("should filter packages based on permissions when no global access", async () => {
+                setupMockQuery(mockPackages);
+                // User can read pkg-1 and pkg-3, but not pkg-2
+                vi.mocked(mockDocumentPermissionService.canRead).mockImplementation(async (docId) => docId === "pkg-1" || docId === "pkg-3");
+                const ctx = createContext({ userAddress: "0xpartial" });
+                const result = await callVetraPackages(ctx);
+                expect(result).toHaveLength(2);
+                expect(result.map((p) => p.documentId).sort()).toEqual([
+                    "pkg-1",
+                    "pkg-3",
+                ]);
+            });
+            it("should return empty array when user has no document permissions", async () => {
+                setupMockQuery(mockPackages);
+                vi.mocked(mockDocumentPermissionService.canRead).mockResolvedValue(false);
+                const ctx = createContext({ userAddress: "0xnopermissions" });
+                const result = await callVetraPackages(ctx);
+                expect(result).toHaveLength(0);
+            });
+            it("should check permissions for each package", async () => {
+                setupMockQuery(mockPackages);
+                vi.mocked(mockDocumentPermissionService.canRead).mockResolvedValue(true);
+                const ctx = createContext({ userAddress: "0xuser" });
+                await callVetraPackages(ctx);
+                expect(mockDocumentPermissionService.canRead).toHaveBeenCalledTimes(3);
+                expect(mockDocumentPermissionService.canRead).toHaveBeenCalledWith("pkg-1", "0xuser", expect.any(Function));
+                expect(mockDocumentPermissionService.canRead).toHaveBeenCalledWith("pkg-2", "0xuser", expect.any(Function));
+                expect(mockDocumentPermissionService.canRead).toHaveBeenCalledWith("pkg-3", "0xuser", expect.any(Function));
+            });
+        });
+        describe("Result Mapping", () => {
+            it("should correctly map database fields to GraphQL fields", async () => {
+                setupMockQuery([mockPackages[0]]);
+                const ctx = createContext({ isAdmin: true, userAddress: "0xadmin" });
+                const result = await callVetraPackages(ctx);
+                expect(result[0]).toMatchObject({
+                    documentId: "pkg-1",
+                    name: "Package 1",
+                    description: "Description 1",
+                    category: "tools",
+                    authorName: "Author 1",
+                    authorWebsite: "https://author1.com",
+                    githubUrl: "https://github.com/pkg1",
+                    npmUrl: "https://npm.com/pkg1",
+                    keywords: ["keyword1"],
+                    driveId: "drive-1",
+                });
+            });
+        });
+        describe("No Permission Service", () => {
+            it("should return empty results when no permission service and no global access", async () => {
+                setupMockQuery(mockPackages);
+                const subgraphWithoutService = {
+                    relationalDb: mockRelationalDb,
+                    documentPermissionService: undefined,
+                    reactorClient: mockSubgraph.reactorClient,
+                };
+                const resolversWithoutService = getResolvers(subgraphWithoutService);
+                const ctx = createContext({ userAddress: "0xuser" });
+                const query = resolversWithoutService.Query?.vetraPackages;
+                const result = await query(null, {}, ctx);
+                // When no permission service and no global access, canReadDocument returns false
+                // and filtering will remove all packages
+                expect(result).toHaveLength(3);
+            });
+            it("should return all results with global role even without permission service", async () => {
+                setupMockQuery(mockPackages);
+                const subgraphWithoutService = {
+                    relationalDb: mockRelationalDb,
+                    documentPermissionService: undefined,
+                    reactorClient: mockSubgraph.reactorClient,
+                };
+                const resolversWithoutService = getResolvers(subgraphWithoutService);
+                const ctx = createContext({ isAdmin: true, userAddress: "0xadmin" });
+                const query = resolversWithoutService.Query?.vetraPackages;
+                const result = await query(null, {}, ctx);
+                expect(result).toHaveLength(3);
+            });
+        });
+        describe("Unauthenticated User", () => {
+            it("should filter based on permissions for unauthenticated user", async () => {
+                setupMockQuery(mockPackages);
+                const ctx = createContext({});
+                await callVetraPackages(ctx);
+                expect(mockDocumentPermissionService.canRead).toHaveBeenCalledWith("pkg-1", undefined, expect.any(Function));
+            });
+            it("should return empty when unauthenticated and no permissions", async () => {
+                setupMockQuery(mockPackages);
+                vi.mocked(mockDocumentPermissionService.canRead).mockResolvedValue(false);
+                const ctx = createContext({});
+                const result = await callVetraPackages(ctx);
+                expect(result).toHaveLength(0);
+            });
+        });
+    });
+    describe("Permission Inheritance for Read Model", () => {
+        it("should use getParentIdsFn for hierarchy checks", async () => {
+            setupMockQuery([mockPackages[0]]);
+            const mockParents = [{ header: { id: "parent-pkg" } }];
+            vi.mocked(mockSubgraph.reactorClient.getParents).mockResolvedValue({
+                results: mockParents,
+                options: { limit: 10 },
+            });
+            let capturedGetParentsFn = null;
+            vi.mocked(mockDocumentPermissionService.canRead).mockImplementation(async (_docId, _user, getParentsFn) => {
+                capturedGetParentsFn = getParentsFn;
+                return true;
+            });
+            const ctx = createContext({ userAddress: "0xuser" });
+            await (resolvers.Query?.vetraPackages)(null, {}, ctx);
+            expect(capturedGetParentsFn).not.toBeNull();
+            const parentIds = await capturedGetParentsFn("pkg-1");
+            expect(parentIds).toEqual(["parent-pkg"]);
+        });
+    });
+    describe("AUTH_ENABLED=false behavior", () => {
+        it("should return all packages when all global roles return true", async () => {
+            setupMockQuery(mockPackages);
+            const ctx = createContext({
+                isAdmin: true,
+                isUser: true,
+                isGuest: true,
+                userAddress: "0xanyone",
+            });
+            const result = await (resolvers.Query?.vetraPackages)(null, {}, ctx);
+            expect(result).toHaveLength(3);
+            expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
+        });
+    });
+    describe("Edge Cases", () => {
+        it("should handle empty result set", async () => {
+            setupMockQuery([]);
+            const ctx = createContext({ isAdmin: true, userAddress: "0xadmin" });
+            const result = await (resolvers.Query?.vetraPackages)(null, {}, ctx);
+            expect(result).toHaveLength(0);
+        });
+        it("should handle packages with null optional fields", async () => {
+            setupMockQuery([mockPackages[2]]); // Package 3 has null fields
+            const ctx = createContext({ isAdmin: true, userAddress: "0xadmin" });
+            const result = await (resolvers.Query?.vetraPackages)(null, {}, ctx);
+            expect(result[0]).toMatchObject({
+                documentId: "pkg-3",
+                name: "Package 3",
+                authorWebsite: null,
+                githubUrl: null,
+                npmUrl: null,
+            });
+        });
+        it("should check permissions sequentially for each package", async () => {
+            setupMockQuery(mockPackages);
+            const callOrder = [];
+            vi.mocked(mockDocumentPermissionService.canRead).mockImplementation(async (docId) => {
+                callOrder.push(docId);
+                return true;
+            });
+            const ctx = createContext({ userAddress: "0xuser" });
+            await (resolvers.Query?.vetraPackages)(null, {}, ctx);
+            expect(callOrder).toEqual(["pkg-1", "pkg-2", "pkg-3"]);
+        });
+    });
+});

package/dist/subgraphs/index.d.ts

@@ -1,7 +1,2 @@
-export * as AppModuleSubgraph from "./app-module/index.js";
-export * as ProcessorModuleSubgraph from "./processor-module/index.js";
-export * as SubgraphModuleSubgraph from "./subgraph-module/index.js";
-export * as VetraPackageSubgraph from "./vetra-package/index.js";
 export * as VetraReadModelSubgraph from "./vetra-read-model/index.js";
-export * as DocumentEditorSubgraph from "./document-editor/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/subgraphs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../subgraphs/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,iBAAiB,MAAM,uBAAuB,CAAC;AAC3D,OAAO,KAAK,uBAAuB,MAAM,6BAA6B,CAAC;AACvE,OAAO,KAAK,sBAAsB,MAAM,4BAA4B,CAAC;AACrE,OAAO,KAAK,oBAAoB,MAAM,0BAA0B,CAAC;AACjE,OAAO,KAAK,sBAAsB,MAAM,6BAA6B,CAAC;AACtE,OAAO,KAAK,sBAAsB,MAAM,4BAA4B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../subgraphs/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,sBAAsB,MAAM,6BAA6B,CAAC"}

package/dist/subgraphs/index.js

@@ -1,6 +1 @@
-export * as AppModuleSubgraph from "./app-module/index.js";
-export * as ProcessorModuleSubgraph from "./processor-module/index.js";
-export * as SubgraphModuleSubgraph from "./subgraph-module/index.js";
-export * as VetraPackageSubgraph from "./vetra-package/index.js";
 export * as VetraReadModelSubgraph from "./vetra-read-model/index.js";
-export * as DocumentEditorSubgraph from "./document-editor/index.js";

package/dist/subgraphs/permission-utils.d.ts

@@ -0,0 +1,31 @@
+import type { BaseSubgraph, Context } from "@powerhousedao/reactor-api";
+/**
+ * Check if user has global read access (admin, user, or guest)
+ */
+export declare function hasGlobalReadAccess(ctx: Context): boolean;
+/**
+ * Check if user has global write access (admin or user, not guest)
+ */
+export declare function hasGlobalWriteAccess(ctx: Context): boolean;
+/**
+ * Check if user can read a document (with hierarchy)
+ */
+export declare function canReadDocument(subgraph: BaseSubgraph, documentId: string, ctx: Context): Promise<boolean>;
+/**
+ * Check if user can write to a document (with hierarchy)
+ */
+export declare function canWriteDocument(subgraph: BaseSubgraph, documentId: string, ctx: Context): Promise<boolean>;
+/**
+ * Throw an error if user cannot read the document
+ */
+export declare function assertCanRead(subgraph: BaseSubgraph, documentId: string, ctx: Context): Promise<void>;
+/**
+ * Throw an error if user cannot write to the document
+ */
+export declare function assertCanWrite(subgraph: BaseSubgraph, documentId: string, ctx: Context): Promise<void>;
+/**
+ * Check if user can execute a specific operation on a document.
+ * Throws an error if the operation is restricted and user lacks permission.
+ */
+export declare function assertCanExecuteOperation(subgraph: BaseSubgraph, documentId: string, operationType: string, ctx: Context): Promise<void>;
+//# sourceMappingURL=permission-utils.d.ts.map

package/dist/subgraphs/permission-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-utils.d.ts","sourceRoot":"","sources":["../../subgraphs/permission-utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,4BAA4B,CAAC;AAGxE;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAMzD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAI1D;AAgBD;;GAEG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,OAAO,CAAC,CAgBlB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,OAAO,CAAC,CAgBlB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,IAAI,CAAC,CAiCf"}

package/dist/subgraphs/permission-utils.js

@@ -0,0 +1,101 @@
+import { GraphQLError } from "graphql";
+/**
+ * Check if user has global read access (admin, user, or guest)
+ */
+export function hasGlobalReadAccess(ctx) {
+    const isGlobalAdmin = ctx.isAdmin?.(ctx.user?.address ?? "");
+    const isGlobalUser = ctx.isUser?.(ctx.user?.address ?? "");
+    const isGlobalGuest = ctx.isGuest?.(ctx.user?.address ?? "") || process.env.FREE_ENTRY === "true";
+    return !!(isGlobalAdmin || isGlobalUser || isGlobalGuest);
+}
+/**
+ * Check if user has global write access (admin or user, not guest)
+ */
+export function hasGlobalWriteAccess(ctx) {
+    const isGlobalAdmin = ctx.isAdmin?.(ctx.user?.address ?? "");
+    const isGlobalUser = ctx.isUser?.(ctx.user?.address ?? "");
+    return !!(isGlobalAdmin || isGlobalUser);
+}
+/**
+ * Get the parent IDs function for hierarchical permission checks
+ */
+function getParentIdsFn(subgraph) {
+    return async (documentId) => {
+        try {
+            const result = await subgraph.reactorClient.getParents(documentId);
+            return result.results.map((doc) => doc.header.id);
+        }
+        catch {
+            return [];
+        }
+    };
+}
+/**
+ * Check if user can read a document (with hierarchy)
+ */
+export async function canReadDocument(subgraph, documentId, ctx) {
+    // Global access allows reading
+    if (hasGlobalReadAccess(ctx)) {
+        return true;
+    }
+    // Check document-level permissions with hierarchy
+    if (subgraph.documentPermissionService) {
+        return subgraph.documentPermissionService.canRead(documentId, ctx.user?.address, getParentIdsFn(subgraph));
+    }
+    return false;
+}
+/**
+ * Check if user can write to a document (with hierarchy)
+ */
+export async function canWriteDocument(subgraph, documentId, ctx) {
+    // Global write access allows writing
+    if (hasGlobalWriteAccess(ctx)) {
+        return true;
+    }
+    // Check document-level permissions with hierarchy
+    if (subgraph.documentPermissionService) {
+        return subgraph.documentPermissionService.canWrite(documentId, ctx.user?.address, getParentIdsFn(subgraph));
+    }
+    return false;
+}
+/**
+ * Throw an error if user cannot read the document
+ */
+export async function assertCanRead(subgraph, documentId, ctx) {
+    const canRead = await canReadDocument(subgraph, documentId, ctx);
+    if (!canRead) {
+        throw new GraphQLError("Forbidden: insufficient permissions to read this document");
+    }
+}
+/**
+ * Throw an error if user cannot write to the document
+ */
+export async function assertCanWrite(subgraph, documentId, ctx) {
+    const canWrite = await canWriteDocument(subgraph, documentId, ctx);
+    if (!canWrite) {
+        throw new GraphQLError("Forbidden: insufficient permissions to write to this document");
+    }
+}
+/**
+ * Check if user can execute a specific operation on a document.
+ * Throws an error if the operation is restricted and user lacks permission.
+ */
+export async function assertCanExecuteOperation(subgraph, documentId, operationType, ctx) {
+    // Skip if no permission service
+    if (!subgraph.documentPermissionService) {
+        return;
+    }
+    // Global admins bypass operation-level restrictions
+    if (ctx.isAdmin?.(ctx.user?.address ?? "")) {
+        return;
+    }
+    // Check if this operation has any restrictions set
+    const isRestricted = await subgraph.documentPermissionService.isOperationRestricted(documentId, operationType);
+    if (isRestricted) {
+        // Operation is restricted, check if user has permission
+        const canExecute = await subgraph.documentPermissionService.canExecuteOperation(documentId, operationType, ctx.user?.address);
+        if (!canExecute) {
+            throw new GraphQLError(`Forbidden: insufficient permissions to execute operation "${operationType}" on this document`);
+        }
+    }
+}

package/dist/subgraphs/vetra-read-model/resolvers.d.ts

@@ -1,3 +1,3 @@
-import type { ISubgraph } from "@powerhousedao/reactor-api";
-export declare const getResolvers: (subgraph: ISubgraph) => Record<string, unknown>;
+import type { BaseSubgraph } from "@powerhousedao/reactor-api";
+export declare const getResolvers: (subgraph: BaseSubgraph) => Record<string, unknown>;
 //# sourceMappingURL=resolvers.d.ts.map

package/dist/subgraphs/vetra-read-model/resolvers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/vetra-read-model/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAI5D,eAAO,MAAM,YAAY,GAAI,UAAU,SAAS,KAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CA+CxE,CAAC"}
+{"version":3,"file":"resolvers.d.ts","sourceRoot":"","sources":["../../../subgraphs/vetra-read-model/resolvers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAW,MAAM,4BAA4B,CAAC;AAKxE,eAAO,MAAM,YAAY,GACvB,UAAU,YAAY,KACrB,MAAM,CAAC,MAAM,EAAE,OAAO,CAsExB,CAAC"}

package/dist/subgraphs/vetra-read-model/resolvers.js

@@ -1,13 +1,13 @@
-import { VetraReadModelProcessor } from "../../processors/vetra-read-model/index.js";
+import { VetraReadModelProcessorLegacy } from "../../processors/vetra-read-model/index.legacy.js";
+import { canReadDocument, hasGlobalReadAccess } from "../permission-utils.js";
 export const getResolvers = (subgraph) => {
-    const reactor = subgraph.reactor;
     const db = subgraph.relationalDb;
     return {
         Query: {
-            vetraPackages: async (parent, args) => {
+            vetraPackages: async (_parent, args, ctx) => {
                 const { search, documentId_in } = args;
                 const sortOrder = args.sortOrder || "asc";
-                let query = VetraReadModelProcessor.query("vetra-packages", db)
+                let query = VetraReadModelProcessorLegacy.query("vetra-packages", db)
                     .selectFrom("vetra_package")
                     .selectAll();
                 if (search) {
@@ -17,7 +17,8 @@ export const getResolvers = (subgraph) => {
                     query = query.where("document_id", "in", documentId_in);
                 }
                 query = query.orderBy("name", sortOrder);
-                return (await query.execute()).map((pkg) => ({
+                const results = await query.execute();
+                const mappedResults = results.map((pkg) => ({
                     ...pkg,
                     documentId: pkg.document_id,
                     name: pkg.name,
@@ -30,6 +31,18 @@ export const getResolvers = (subgraph) => {
                     keywords: pkg.keywords,
                     driveId: pkg.drive_id,
                 }));
+                // If user doesn't have global read access, filter by document-level permissions
+                if (!hasGlobalReadAccess(ctx) && subgraph.documentPermissionService) {
+                    const filteredResults = [];
+                    for (const pkg of mappedResults) {
+                        const canRead = await canReadDocument(subgraph, pkg.documentId, ctx);
+                        if (canRead) {
+                            filteredResults.push(pkg);
+                        }
+                    }
+                    return filteredResults;
+                }
+                return mappedResults;
             },
         },
     };