@rbacbee-lib/core 0.1.0

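--- /dev/null
+++ b/<DECLARATION-FILE-PATH-PLACEHOLDER>
@@ -0,0 +1,300 @@
+type RbacDecision = 'allow' | 'deny';
+type RbacRequirementMode = 'all' | 'any';
+interface RbacPrincipal {
+readonly userId: string;
+readonly tenantId?: string;
+readonly metadata?: Readonly<Record<string, unknown>>;
+}
+interface RbacAuthorizationContext {
+readonly tenantId?: string;
+readonly resourceType?: string;
+readonly resourceId?: string;
+readonly attributes?: Readonly<Record<string, unknown>>;
+readonly now?: Date;
+}
+interface AccessPermission {
+readonly key: string;
+readonly tenantId?: string;
+readonly resourceType?: string;
+readonly resourceId?: string;
+readonly expiresAt?: Date;
+readonly sourceRoleId?: string;
+}
+interface AccessRole {
+readonly id: string;
+readonly name?: string;
+readonly tenantId?: string;
+readonly resourceType?: string;
+readonly resourceId?: string;
+readonly expiresAt?: Date;
+}
+interface AccessProfile {
+readonly userId: string;
+readonly tenantId?: string;
+readonly permissions: readonly AccessPermission[];
+readonly roles: readonly AccessRole[];
+readonly loadedAt: Date;
+}
+interface AuthorizationResult {
+readonly decision: RbacDecision;
+readonly reason: string;
+readonly principal: RbacPrincipal;
+readonly context: RbacAuthorizationContext;
+readonly permission?: string;
+readonly role?: string;
+readonly policy?: string;
+readonly matched?: readonly string[];
+}
+interface PermissionDefinition {
+readonly key: string;
+readonly description?: string;
+}
+interface RoleDefinition {
+readonly id: string;
+readonly name: string;
+readonly tenantId?: string;
+readonly permissions?: readonly string[];
+}
+interface RoleAssignment {
+readonly userId: string;
+readonly roleId: string;
+readonly tenantId?: string;
+readonly resourceType?: string;
+readonly resourceId?: string;
+readonly expiresAt?: Date;
+}
+interface RoleAssignmentRevocation {
+readonly userId: string;
+readonly roleId: string;
+readonly tenantId?: string;
+readonly resourceType?: string;
+readonly resourceId?: string;
+}
+
+interface RbacPolicyInput {
+readonly principal: RbacPrincipal;
+readonly context: RbacAuthorizationContext;
+}
+type RbacPolicyHandler = (input: RbacPolicyInput) => boolean | AuthorizationResult | Promise<boolean | AuthorizationResult>;
+declare class PolicyRegistry {
+private readonly handlers;
+register(policy: string, handler: RbacPolicyHandler): void;
+has(policy: string): boolean;
+evaluate(policy: string, principal: RbacPrincipal, context: RbacAuthorizationContext): Promise<AuthorizationResult>;
+}
+
+interface AccessProfileQuery {
+readonly userId: string;
+readonly tenantId?: string;
+}
+interface AccessRepository {
+getAccessProfile(query: AccessProfileQuery): Promise<AccessProfile | null>;
+}
+interface PermissionRepository {
+upsertPermission(permission: PermissionDefinition): Promise<void>;
+deletePermission(permissionKey: string): Promise<void>;
+}
+interface RoleRepository {
+createRole(role: RoleDefinition): Promise<void>;
+deleteRole(roleId: string): Promise<void>;
+grantPermissionToRole(roleId: string, permissionKey: string): Promise<void>;
+revokePermissionFromRole(roleId: string, permissionKey: string): Promise<void>;
+}
+interface AssignmentRepository {
+assignRole(assignment: RoleAssignment): Promise<void>;
+revokeRole(revocation: RoleAssignmentRevocation): Promise<void>;
+}
+
+type RbacAuditEventType = 'authorization.checked' | 'policy.checked' | 'role.checked' | 'role.assigned' | 'role.revoked';
+interface RbacAuditEvent {
+readonly type: RbacAuditEventType;
+readonly occurredAt: Date;
+readonly decision?: RbacDecision;
+readonly principal?: RbacPrincipal;
+readonly permission?: string;
+readonly role?: string;
+readonly policy?: string;
+readonly context?: RbacAuthorizationContext;
+readonly reason?: string;
+readonly metadata?: Readonly<Record<string, unknown>>;
+}
+interface AuditPort {
+record(event: RbacAuditEvent): Promise<void> | void;
+}
+
+interface CachePort {
+get<TValue>(key: string): Promise<TValue | undefined>;
+set<TValue>(key: string, value: TValue, ttlMs?: number): Promise<void>;
+delete(key: string): Promise<void>;
+deleteByPrefix?(prefix: string): Promise<void>;
+}
+
+interface ClockPort {
+now(): Date;
+}
+
+interface RbacEngine {
+can(principal: RbacPrincipal, permission: string, context?: RbacAuthorizationContext): Promise<AuthorizationResult>;
+assertCan(principal: RbacPrincipal, permission: string, context?: RbacAuthorizationContext): Promise<void>;
+hasRole(principal: RbacPrincipal, role: string, context?: RbacAuthorizationContext): Promise<AuthorizationResult>;
+evaluatePolicy(policy: string, principal: RbacPrincipal, context?: RbacAuthorizationContext): Promise<AuthorizationResult>;
+}
+interface RbacEngineDependencies {
+readonly accessRepository: AccessRepository;
+readonly cache?: CachePort;
+readonly audit?: AuditPort;
+readonly clock?: ClockPort;
+readonly policies?: PolicyRegistry;
+readonly cacheTtlMs?: number;
+}
+declare class DefaultRbacEngine implements RbacEngine {
+private readonly checkPermission;
+private readonly checkRole;
+private readonly policies;
+private readonly audit?;
+private readonly clock;
+constructor(dependencies: RbacEngineDependencies);
+can(principal: RbacPrincipal, permission: string, context?: RbacAuthorizationContext): Promise<AuthorizationResult>;
+assertCan(principal: RbacPrincipal, permission: string, context?: RbacAuthorizationContext): Promise<void>;
+hasRole(principal: RbacPrincipal, role: string, context?: RbacAuthorizationContext): Promise<AuthorizationResult>;
+evaluatePolicy(policy: string, principal: RbacPrincipal, context?: RbacAuthorizationContext): Promise<AuthorizationResult>;
+}
+declare function createRbacEngine(dependencies: RbacEngineDependencies): RbacEngine;
+
+declare class PermissionEvaluator {
+evaluatePermission(profile: AccessProfile, principal: RbacPrincipal, requiredPermission: string, context: RbacAuthorizationContext): AuthorizationResult;
+evaluateRole(profile: AccessProfile, principal: RbacPrincipal, requiredRole: string, context: RbacAuthorizationContext): AuthorizationResult;
+}
+declare function matchesPermission(granted: string, required: string): boolean;
+
+interface CheckPermissionDependencies {
+readonly accessRepository: AccessRepository;
+readonly evaluator?: PermissionEvaluator;
+readonly cache?: CachePort;
+readonly audit?: AuditPort;
+readonly clock?: ClockPort;
+readonly cacheTtlMs?: number;
+}
+declare class CheckPermissionUseCase {
+private readonly accessRepository;
+private readonly evaluator;
+private readonly cache?;
+private readonly audit?;
+private readonly clock;
+private readonly cacheTtlMs?;
+constructor(dependencies: CheckPermissionDependencies);
+execute(principal: RbacPrincipal, requiredPermission: string, context?: RbacAuthorizationContext): Promise<AuthorizationResult>;
+private loadProfile;
+}
+declare function normalizeContext(principal: RbacPrincipal, context: RbacAuthorizationContext, now: Date): RbacAuthorizationContext;
+declare function accessProfileCacheKey(userId: string, tenantId?: string): string;
+
+interface CheckRoleDependencies {
+readonly accessRepository: AccessRepository;
+readonly evaluator?: PermissionEvaluator;
+readonly cache?: CachePort;
+readonly audit?: AuditPort;
+readonly clock?: ClockPort;
+readonly cacheTtlMs?: number;
+}
+declare class CheckRoleUseCase {
+private readonly accessRepository;
+private readonly evaluator;
+private readonly cache?;
+private readonly audit?;
+private readonly clock;
+private readonly cacheTtlMs?;
+constructor(dependencies: CheckRoleDependencies);
+execute(principal: RbacPrincipal, requiredRole: string, context?: RbacAuthorizationContext): Promise<AuthorizationResult>;
+private loadProfile;
+}
+
+declare abstract class StringValueObject {
+readonly value: string;
+protected constructor(value: string, name: string, pattern: RegExp, maxLength: number);
+equals(other: StringValueObject): boolean;
+toString(): string;
+}
+declare class UserId extends StringValueObject {
+private constructor();
+static create(value: string): UserId;
+}
+declare class RoleId extends StringValueObject {
+private constructor();
+static create(value: string): RoleId;
+}
+declare class TenantId extends StringValueObject {
+private constructor();
+static create(value: string): TenantId;
+}
+declare class ResourceId extends StringValueObject {
+private constructor();
+static create(value: string): ResourceId;
+}
+declare class PermissionKey extends StringValueObject {
+private constructor();
+static create(value: string): PermissionKey;
+}
+declare class PolicyKey extends StringValueObject {
+private constructor();
+static create(value: string): PolicyKey;
+}
+
+declare class Assignment {
+readonly userId: UserId;
+readonly roleId: RoleId;
+readonly tenantId?: TenantId;
+readonly resourceType?: string;
+readonly resourceId?: ResourceId;
+readonly expiresAt?: Date;
+private constructor();
+static create(input: RoleAssignment): Assignment;
+toPrimitives(): RoleAssignment;
+}
+
+declare class Permission {
+readonly key: PermissionKey;
+readonly description?: string;
+private constructor();
+static create(input: PermissionDefinition): Permission;
+toPrimitives(): PermissionDefinition;
+}
+
+declare class Role {
+readonly id: RoleId;
+readonly name: string;
+readonly tenantId?: TenantId;
+readonly permissions: readonly PermissionKey[];
+private constructor();
+static create(input: RoleDefinition): Role;
+toPrimitives(): RoleDefinition;
+}
+
+declare class RbacError extends Error {
+readonly code: string;
+constructor(code: string, message: string);
+}
+declare class RbacValidationError extends RbacError {
+constructor(message: string);
+}
+declare class RbacAuthorizationError extends RbacError {
+constructor(message?: string);
+}
+declare class RbacConfigurationError extends RbacError {
+constructor(message: string);
+}
+
+declare class MemoryCache implements CachePort {
+private readonly entries;
+get<TValue>(key: string): Promise<TValue | undefined>;
+set<TValue>(key: string, value: TValue, ttlMs?: number): Promise<void>;
+delete(key: string): Promise<void>;
+deleteByPrefix(prefix: string): Promise<void>;
+clear(): void;
+}
+
+declare class SystemClock implements ClockPort {
+now(): Date;
+}
+
+export { type AccessPermission, type AccessProfile, type AccessProfileQuery, type AccessRepository, type AccessRole, Assignment, type AssignmentRepository, type AuditPort, type AuthorizationResult, type CachePort, type CheckPermissionDependencies, CheckPermissionUseCase, type CheckRoleDependencies, CheckRoleUseCase, type ClockPort, DefaultRbacEngine, MemoryCache, Permission, type PermissionDefinition, PermissionEvaluator, PermissionKey, type PermissionRepository, PolicyKey, PolicyRegistry, type RbacAuditEvent, type RbacAuditEventType, type RbacAuthorizationContext, RbacAuthorizationError, RbacConfigurationError, type RbacDecision, type RbacEngine, type RbacEngineDependencies, RbacError, type RbacPolicyHandler, type RbacPolicyInput, type RbacPrincipal, type RbacRequirementMode, RbacValidationError, ResourceId, Role, type RoleAssignment, type RoleAssignmentRevocation, type RoleDefinition, RoleId, type RoleRepository, SystemClock, TenantId, UserId, accessProfileCacheKey, createRbacEngine, matchesPermission, normalizeContext };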
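Review bot: `RbacAuthorizationContext.now?: Date` (line 13 of the new file) and the `now: Date` parameter of `normalizeContext` (line 189) both exist, yet no declaration states which one wins when a caller supplies `context.now`; as `expiresAt` appears on `AccessPermission`, `AccessRole` and `RoleAssignment`, whichever time is used presumably decides whether expired grants still count, so a caller-controlled value here is a contract worth pinning down in the public types. Add TSDoc on the field along the lines of `/** Evaluation time; ignored when a ClockPort is configured — the configured clock always wins. */`, adjusted to whatever rule the implementation actually applies. The same documentation gap exists for `cacheTtlMs?` on `RbacEngineDependencies`, `CheckPermissionDependencies` and `CheckRoleDependencies`, where the behaviour when it is omitted (no expiry would keep a cached `AccessProfile` alive past a role revocation until `delete`/`deleteByPrefix` is called) should be stated, and for `accessProfileCacheKey`, which should document how `userId` and `tenantId` are separated so a `userId` containing the separator cannot produce another tenant's key. `RbacRequirementMode` is exported but referenced by no other declaration in the file, so it either belongs to an API not yet declared or is dead and should be dropped or documented.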