@rockster/core 0.0.2 → 0.1.0

package/access/entities/scope-access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-access.js","sourceRoot":"./","sources":["access/entities/scope-access.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,mEAA+D;AAC/D,iFAAoE;AACpE,qDAAwD;AACxD,iFAAoE;AACpE,qFAAwE;AACxE,2CAAuC;AACvC,+CAA2C;AAC3C,qCAAgC;AAGzB,IAAM,WAAW,GAAjB,MAAM,WACV,SAAQ,wBAAU;CA6BpB,CAAA;AA9BY,kCAAW;AAQrB;IAHC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,yBAAM,GAAE;;gDACW;AAKpB;IAHC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,yBAAM,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;8CACR;AAMnB;IAJC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,eAAK,GAAE;IACP,IAAA,yBAAM,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;2CACX;AAKhB;IAHC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,6BAAQ,EAAC,GAAG,EAAE,CAAC,wBAAU,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;4CAC9B;AAKjB;IAHC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,6BAAQ,EAAC,GAAG,EAAE,CAAC,oBAAQ,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;wCAChC;sBA7BH,WAAW;IADvB,IAAA,yBAAM,GAAE;GACI,WAAW,CA8BvB"}

package/access/entities/scope-group-user.d.ts

@@ -0,0 +1,7 @@
+import { IScopeGroupUser, IScopeUserMapped } from "@rockster/common/access";
+import { BaseEntity } from "../../common/entities/base-entity";
+export declare class ScopeGroupUser extends BaseEntity implements IScopeGroupUser {
+    groupId: string;
+    userId: string;
+    user?: IScopeUserMapped;
+}

package/access/entities/scope-group-user.js

@@ -0,0 +1,47 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScopeGroupUser = void 0;
+const base_entity_1 = require("../../common/entities/base-entity");
+const entity_decorator_1 = require("../../database/decorators/entity.decorator");
+const class_pipe_1 = require("@rockster/class-pipe");
+const relation_decorator_1 = require("../../database/decorators/relation.decorator");
+const scope_group_1 = require("./scope-group");
+const column_decorator_1 = require("../../database/decorators/column.decorator");
+const typeorm_1 = require("typeorm");
+const scope_user_mapped_1 = require("../models/scope-user-mapped");
+let ScopeGroupUser = class ScopeGroupUser extends base_entity_1.BaseEntity {
+};
+exports.ScopeGroupUser = ScopeGroupUser;
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsRequired)(),
+    (0, class_pipe_1.IsString)(),
+    (0, relation_decorator_1.Relation)(() => scope_group_1.ScopeGroup),
+    __metadata("design:type", String)
+], ScopeGroupUser.prototype, "groupId", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsRequired)(),
+    (0, class_pipe_1.IsString)(),
+    (0, typeorm_1.Index)(),
+    (0, column_decorator_1.Column)(),
+    __metadata("design:type", String)
+], ScopeGroupUser.prototype, "userId", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsType)(() => scope_user_mapped_1.ScopeUserMapped),
+    __metadata("design:type", Object)
+], ScopeGroupUser.prototype, "user", void 0);
+exports.ScopeGroupUser = ScopeGroupUser = __decorate([
+    (0, entity_decorator_1.Entity)()
+], ScopeGroupUser);
+//# sourceMappingURL=scope-group-user.js.map

package/access/entities/scope-group-user.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-group-user.js","sourceRoot":"./","sources":["access/entities/scope-group-user.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,mEAA+D;AAC/D,iFAAoE;AACpE,qDAA4E;AAC5E,qFAAwE;AACxE,+CAA2C;AAC3C,iFAAoE;AACpE,qCAAgC;AAChC,mEAA8D;AAGvD,IAAM,cAAc,GAApB,MAAM,cACV,SAAQ,wBAAU;CAqBpB,CAAA;AAtBY,wCAAc;AASxB;IAJC,IAAA,mBAAM,GAAE;IACR,IAAA,uBAAU,GAAE;IACZ,IAAA,qBAAQ,GAAE;IACV,IAAA,6BAAQ,EAAC,GAAG,EAAE,CAAC,wBAAU,CAAC;;+CACX;AAOhB;IALC,IAAA,mBAAM,GAAE;IACR,IAAA,uBAAU,GAAE;IACZ,IAAA,qBAAQ,GAAE;IACV,IAAA,eAAK,GAAE;IACP,IAAA,yBAAM,GAAE;;8CACM;AAKf;IAFC,IAAA,mBAAM,GAAE;IACR,IAAA,mBAAM,EAAC,GAAG,EAAE,CAAC,mCAAe,CAAC;;4CACN;yBArBd,cAAc;IAD1B,IAAA,yBAAM,GAAE;GACI,cAAc,CAsB1B"}

package/access/entities/scope-group.d.ts

@@ -0,0 +1,12 @@
+import { IScopeAccess, IScopeGroup } from "@rockster/common/access";
+import { BaseEntity } from "../../common/entities/base-entity";
+import { ScopeAccessProfile } from "./scope-access-profile";
+export declare class ScopeGroup extends BaseEntity implements IScopeGroup {
+    contextName: string;
+    contextId?: string;
+    isReadOnly?: boolean;
+    name: string;
+    scopeAccessProfileId?: string;
+    keys?: IScopeAccess[];
+    scopeAccessProfile?: ScopeAccessProfile;
+}

package/access/entities/scope-group.js

@@ -0,0 +1,72 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScopeGroup = void 0;
+const base_entity_1 = require("../../common/entities/base-entity");
+const entity_decorator_1 = require("../../database/decorators/entity.decorator");
+const column_decorator_1 = require("../../database/decorators/column.decorator");
+const class_pipe_1 = require("@rockster/class-pipe");
+const relation_decorator_1 = require("../../database/decorators/relation.decorator");
+const scope_access_1 = require("./scope-access");
+const scope_access_profile_1 = require("./scope-access-profile");
+let ScopeGroup = class ScopeGroup extends base_entity_1.BaseEntity {
+};
+exports.ScopeGroup = ScopeGroup;
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsRequired)(),
+    (0, class_pipe_1.IsString)(),
+    (0, column_decorator_1.Column)(),
+    __metadata("design:type", String)
+], ScopeGroup.prototype, "contextName", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsOptional)(),
+    (0, class_pipe_1.IsString)(),
+    (0, column_decorator_1.Column)({ nullable: true }),
+    __metadata("design:type", String)
+], ScopeGroup.prototype, "contextId", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsBoolean)(),
+    (0, column_decorator_1.Column)({ nullable: true }),
+    __metadata("design:type", Boolean)
+], ScopeGroup.prototype, "isReadOnly", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsRequired)(),
+    (0, class_pipe_1.IsString)(),
+    (0, column_decorator_1.Column)(),
+    __metadata("design:type", String)
+], ScopeGroup.prototype, "name", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsOptional)(),
+    (0, class_pipe_1.IsString)(),
+    (0, relation_decorator_1.Relation)(() => scope_access_profile_1.ScopeAccessProfile, { nullable: true }),
+    __metadata("design:type", String)
+], ScopeGroup.prototype, "scopeAccessProfileId", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsArray)(),
+    (0, class_pipe_1.IsType)(() => scope_access_1.ScopeAccess),
+    __metadata("design:type", Array)
+], ScopeGroup.prototype, "keys", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsOptional)(),
+    (0, class_pipe_1.IsType)(() => scope_access_profile_1.ScopeAccessProfile),
+    __metadata("design:type", scope_access_profile_1.ScopeAccessProfile)
+], ScopeGroup.prototype, "scopeAccessProfile", void 0);
+exports.ScopeGroup = ScopeGroup = __decorate([
+    (0, entity_decorator_1.Entity)()
+], ScopeGroup);
+//# sourceMappingURL=scope-group.js.map

package/access/entities/scope-group.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-group.js","sourceRoot":"./","sources":["access/entities/scope-group.ts"],"names":[],"mappings":";;;;;;;;;;;;AAIA,mEAA+D;AAC/D,iFAAoE;AACpE,iFAAoE;AACpE,qDAQ8B;AAC9B,qFAAwE;AACxE,iDAA6C;AAC7C,iEAA4D;AAGrD,IAAM,UAAU,GAAhB,MAAM,UACV,SAAQ,wBAAU;CA2CpB,CAAA;AA5CY,gCAAU;AASpB;IAJC,IAAA,mBAAM,GAAE;IACR,IAAA,uBAAU,GAAE;IACZ,IAAA,qBAAQ,GAAE;IACV,IAAA,yBAAM,GAAE;;+CACW;AAMpB;IAJC,IAAA,mBAAM,GAAE;IACR,IAAA,uBAAU,GAAE;IACZ,IAAA,qBAAQ,GAAE;IACV,IAAA,yBAAM,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;6CACR;AAKnB;IAHC,IAAA,mBAAM,GAAE;IACR,IAAA,sBAAS,GAAE;IACX,IAAA,yBAAM,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;8CACN;AAMrB;IAJC,IAAA,mBAAM,GAAE;IACR,IAAA,uBAAU,GAAE;IACZ,IAAA,qBAAQ,GAAE;IACV,IAAA,yBAAM,GAAE;;wCACI;AAMb;IAJC,IAAA,mBAAM,GAAE;IACR,IAAA,uBAAU,GAAE;IACZ,IAAA,qBAAQ,GAAE;IACV,IAAA,6BAAQ,EAAC,GAAG,EAAE,CAAC,yCAAkB,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;wDACzB;AAM9B;IAHC,IAAA,mBAAM,GAAE;IACR,IAAA,oBAAO,GAAE;IACT,IAAA,mBAAM,EAAC,GAAG,EAAE,CAAC,0BAAW,CAAC;;wCACJ;AAKtB;IAHC,IAAA,mBAAM,GAAE;IACR,IAAA,uBAAU,GAAE;IACZ,IAAA,mBAAM,EAAC,GAAG,EAAE,CAAC,yCAAkB,CAAC;8BACZ,yCAAkB;sDAAC;qBA3C9B,UAAU;IADtB,IAAA,yBAAM,GAAE;GACI,UAAU,CA4CtB"}

package/access/entities/scope-key.d.ts

@@ -0,0 +1,5 @@
+import { IScopeKey } from "@rockster/common/access";
+export declare class ScopeKey implements IScopeKey {
+    contextName: string;
+    name: string;
+}

package/access/entities/scope-key.js

@@ -0,0 +1,35 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScopeKey = void 0;
+const class_pipe_1 = require("@rockster/class-pipe");
+const entity_decorator_1 = require("../../database/decorators/entity.decorator");
+const column_decorator_1 = require("../../database/decorators/column.decorator");
+const id_decorator_1 = require("../../database/decorators/id.decorator");
+let ScopeKey = class ScopeKey {
+};
+exports.ScopeKey = ScopeKey;
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsString)(),
+    (0, column_decorator_1.Column)(),
+    __metadata("design:type", String)
+], ScopeKey.prototype, "contextName", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsString)(),
+    (0, id_decorator_1.Id)(),
+    __metadata("design:type", String)
+], ScopeKey.prototype, "name", void 0);
+exports.ScopeKey = ScopeKey = __decorate([
+    (0, entity_decorator_1.Entity)()
+], ScopeKey);
+//# sourceMappingURL=scope-key.js.map

package/access/entities/scope-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-key.js","sourceRoot":"./","sources":["access/entities/scope-key.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,qDAAwD;AACxD,iFAAoE;AACpE,iFAAoE;AACpE,yEAA4D;AAIrD,IAAM,QAAQ,GAAd,MAAM,QAAQ;CAYpB,CAAA;AAZY,4BAAQ;AAMlB;IAHC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,yBAAM,GAAE;;6CACW;AAKpB;IAHC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,iBAAE,GAAE;;sCACQ;mBAXH,QAAQ;IADpB,IAAA,yBAAM,GAAE;GACI,QAAQ,CAYpB"}

package/access/entities/scope-owner.d.ts

@@ -0,0 +1,7 @@
+import { IScopeOwner } from "@rockster/common/access";
+import { BaseEntity } from "../../common/entities/base-entity";
+export declare class ScopeOwner extends BaseEntity implements IScopeOwner {
+    contextName: string;
+    contextId?: string;
+    userId: string;
+}

package/access/entities/scope-owner.js

@@ -0,0 +1,45 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScopeOwner = void 0;
+const base_entity_1 = require("../../common/entities/base-entity");
+const entity_decorator_1 = require("../../database/decorators/entity.decorator");
+const class_pipe_1 = require("@rockster/class-pipe");
+const column_decorator_1 = require("../../database/decorators/column.decorator");
+const typeorm_1 = require("typeorm");
+let ScopeOwner = class ScopeOwner extends base_entity_1.BaseEntity {
+};
+exports.ScopeOwner = ScopeOwner;
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsString)(),
+    (0, typeorm_1.Index)(),
+    (0, column_decorator_1.Column)(),
+    __metadata("design:type", String)
+], ScopeOwner.prototype, "contextName", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsString)(),
+    (0, typeorm_1.Index)(),
+    (0, column_decorator_1.Column)({ nullable: true }),
+    __metadata("design:type", String)
+], ScopeOwner.prototype, "contextId", void 0);
+__decorate([
+    (0, class_pipe_1.Expose)(),
+    (0, class_pipe_1.IsString)(),
+    (0, typeorm_1.Index)(),
+    (0, column_decorator_1.Column)(),
+    __metadata("design:type", String)
+], ScopeOwner.prototype, "userId", void 0);
+exports.ScopeOwner = ScopeOwner = __decorate([
+    (0, entity_decorator_1.Entity)()
+], ScopeOwner);
+//# sourceMappingURL=scope-owner.js.map

package/access/entities/scope-owner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-owner.js","sourceRoot":"./","sources":["access/entities/scope-owner.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,mEAA+D;AAC/D,iFAAoE;AACpE,qDAAwD;AACxD,iFAAoE;AACpE,qCAAgC;AAGzB,IAAM,UAAU,GAAhB,MAAM,UACV,SAAQ,wBAAU;CAoBpB,CAAA;AArBY,gCAAU;AAQpB;IAJC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,eAAK,GAAE;IACP,IAAA,yBAAM,GAAE;;+CACW;AAMpB;IAJC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,eAAK,GAAE;IACP,IAAA,yBAAM,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;;6CACR;AAMnB;IAJC,IAAA,mBAAM,GAAE;IACR,IAAA,qBAAQ,GAAE;IACV,IAAA,eAAK,GAAE;IACP,IAAA,yBAAM,GAAE;;0CACM;qBApBL,UAAU;IADtB,IAAA,yBAAM,GAAE;GACI,UAAU,CAqBtB"}

package/access/env.d.ts

@@ -0,0 +1,10 @@
+import { IScopeKey } from "@rockster/common/access";
+import { IScopeServiceRegistry } from "./interfaces/scope-service-registry";
+import { ScopeAccessService } from "./services/scope-access.service";
+import { ScopeOwnerService } from "./services/scope-owner.service";
+export declare const env: {
+    scopesKeys: Map<string, IScopeKey[]>;
+    scopeServiceRegistry: Map<string, IScopeServiceRegistry>;
+    scopeAccessService: ScopeAccessService;
+    scopeOwnerService: ScopeOwnerService;
+};

package/access/env.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.env = void 0;
+exports.env = {
+    scopesKeys: new Map(),
+    scopeServiceRegistry: new Map(),
+    scopeAccessService: null,
+    scopeOwnerService: null
+};
+//# sourceMappingURL=env.js.map

package/access/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"./","sources":["access/env.ts"],"names":[],"mappings":";;;AAKa,QAAA,GAAG,GAAG;IAChB,UAAU,EAAE,IAAI,GAAG,EAAuB;IAC1C,oBAAoB,EAAE,IAAI,GAAG,EAAiC;IAC9D,kBAAkB,EAAE,IAA0B;IAC9C,iBAAiB,EAAE,IAAyB;CAC9C,CAAA"}

package/access/functions/assert-context-admin-access.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Gate for IAM-management actions (the access controllers: scope keys, groups,
+ * owners, access profiles). For the given context it requires the caller to be
+ * the **owner**, hold the context **admin** key, or hold the platform **master**
+ * key at the hierarchy root.
+ *
+ * Back-compat: a context that was NOT registered with an admin hierarchy
+ * (no `root` / `rootScope` / `adminKey` via `registerScope`) is left ungated, so
+ * apps that don't use this hierarchy keep their previous behavior.
+ */
+export declare function assertContextAdminAccess(options: {
+    contextName: string;
+    contextId?: string;
+    userId?: string;
+}): Promise<void>;

package/access/functions/assert-context-admin-access.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertContextAdminAccess = assertContextAdminAccess;
+const common_1 = require("@rockster/common");
+const env_1 = require("../env");
+const get_is_owner_1 = require("./get-is-owner");
+const get_user_keys_1 = require("./get-user-keys");
+/**
+ * Gate for IAM-management actions (the access controllers: scope keys, groups,
+ * owners, access profiles). For the given context it requires the caller to be
+ * the **owner**, hold the context **admin** key, or hold the platform **master**
+ * key at the hierarchy root.
+ *
+ * Back-compat: a context that was NOT registered with an admin hierarchy
+ * (no `root` / `rootScope` / `adminKey` via `registerScope`) is left ungated, so
+ * apps that don't use this hierarchy keep their previous behavior.
+ */
+async function assertContextAdminAccess(options) {
+    const { contextName, contextId, userId } = options;
+    const registry = env_1.env.scopeServiceRegistry.get(contextName);
+    const hasHierarchy = !!(registry?.adminKey || registry?.root || registry?.rootScope);
+    if (!hasHierarchy) {
+        return;
+    }
+    if (!userId) {
+        throw new common_1.UnauthorizedError();
+    }
+    // Owner of the context.
+    if (await (0, get_is_owner_1.getIsOwner)(contextName, userId, contextId)) {
+        return;
+    }
+    const userKeys = contextId
+        ? await (0, get_user_keys_1.getUserKeys)(userId, contextId)
+        : await (0, get_user_keys_1.getUserKeys)(userId);
+    // Context admin.
+    if (registry?.adminKey && userKeys.includes(registry.adminKey)) {
+        return;
+    }
+    // Platform master at the hierarchy root.
+    let rootContextId;
+    let masterKey;
+    if (registry?.root) {
+        rootContextId = contextId;
+        masterKey = registry.masterKey;
+    }
+    else if (registry?.rootScope) {
+        masterKey = env_1.env.scopeServiceRegistry.get(registry.rootScope)?.masterKey;
+        rootContextId = contextId
+            ? await registry.instance?.resolveRootContextId?.(contextId)
+            : undefined;
+    }
+    if (masterKey && rootContextId) {
+        const rootKeys = await (0, get_user_keys_1.getUserKeys)(userId, rootContextId);
+        if (rootKeys.includes(masterKey)) {
+            return;
+        }
+    }
+    throw new common_1.ForbiddenError({
+        message: "Requires owner, admin or master access for this context",
+    });
+}
+//# sourceMappingURL=assert-context-admin-access.js.map

package/access/functions/assert-context-admin-access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assert-context-admin-access.js","sourceRoot":"./","sources":["access/functions/assert-context-admin-access.ts"],"names":[],"mappings":";;AAeA,4DAwDC;AAvED,6CAAqE;AACrE,gCAA6B;AAC7B,iDAA4C;AAC5C,mDAA8C;AAE9C;;;;;;;;;GASG;AACI,KAAK,UAAU,wBAAwB,CAAC,OAI9C;IACE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IACnD,MAAM,QAAQ,GAAG,SAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAE3D,MAAM,YAAY,GAAG,CAAC,CAAC,CACpB,QAAQ,EAAE,QAAQ,IAAI,QAAQ,EAAE,IAAI,IAAI,QAAQ,EAAE,SAAS,CAC7D,CAAC;IACF,IAAI,CAAC,YAAY,EAAE,CAAC;QACjB,OAAO;IACV,CAAC;IAED,IAAI,CAAC,MAAM,EAAE,CAAC;QACX,MAAM,IAAI,0BAAiB,EAAE,CAAC;IACjC,CAAC;IAED,wBAAwB;IACxB,IAAI,MAAM,IAAA,yBAAU,EAAC,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;QACpD,OAAO;IACV,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS;QACvB,CAAC,CAAC,MAAM,IAAA,2BAAW,EAAC,MAAM,EAAE,SAAS,CAAC;QACtC,CAAC,CAAC,MAAM,IAAA,2BAAW,EAAC,MAAM,CAAC,CAAC;IAE/B,iBAAiB;IACjB,IAAI,QAAQ,EAAE,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9D,OAAO;IACV,CAAC;IAED,yCAAyC;IACzC,IAAI,aAAiC,CAAC;IACtC,IAAI,SAA6B,CAAC;IAClC,IAAI,QAAQ,EAAE,IAAI,EAAE,CAAC;QAClB,aAAa,GAAG,SAAS,CAAC;QAC1B,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;IAClC,CAAC;SAAM,IAAI,QAAQ,EAAE,SAAS,EAAE,CAAC;QAC9B,SAAS,GAAG,SAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QACxE,aAAa,GAAG,SAAS;YACtB,CAAC,CAAC,MAAM,QAAQ,CAAC,QAAQ,EAAE,oBAAoB,EAAE,CAAC,SAAS,CAAC;YAC5D,CAAC,CAAC,SAAS,CAAC;IAClB,CAAC;IAED,IAAI,SAAS,IAAI,aAAa,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,MAAM,IAAA,2BAAW,EAAC,MAAM,EAAE,aAAa,CAAC,CAAC;QAC1D,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAChC,OAAO;QACV,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,uBAAc,CAAC;QACtB,OAAO,EAAE,yDAAyD;KACpE,CAAC,CAAC;AACN,CAAC"}

package/access/functions/assert-master-or-owner.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Gate for GLOBAL IAM resources that have no context (e.g. access profiles).
+ * Allows the platform **master** (holds any registered master key, granted at
+ * any context) or any **owner**. Context admins do NOT pass.
+ *
+ * Back-compat: if no scope registered a master key, the master branch is simply
+ * skipped — only owners pass.
+ */
+export declare function assertMasterOrOwner(userId?: string): Promise<void>;

package/access/functions/assert-master-or-owner.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertMasterOrOwner = assertMasterOrOwner;
+const common_1 = require("@rockster/common");
+const env_1 = require("../env");
+const get_user_keys_1 = require("./get-user-keys");
+/**
+ * Gate for GLOBAL IAM resources that have no context (e.g. access profiles).
+ * Allows the platform **master** (holds any registered master key, granted at
+ * any context) or any **owner**. Context admins do NOT pass.
+ *
+ * Back-compat: if no scope registered a master key, the master branch is simply
+ * skipped — only owners pass.
+ */
+async function assertMasterOrOwner(userId) {
+    if (!userId) {
+        throw new common_1.UnauthorizedError();
+    }
+    // Master: holds any registered master key.
+    const masterKeys = new Set();
+    for (const registry of env_1.env.scopeServiceRegistry.values()) {
+        if (registry.masterKey) {
+            masterKeys.add(registry.masterKey);
+        }
+    }
+    if (masterKeys.size > 0) {
+        const userKeys = await (0, get_user_keys_1.getUserKeys)(userId);
+        if (userKeys.some((key) => masterKeys.has(key))) {
+            return;
+        }
+    }
+    // Owner of any context.
+    if (await env_1.env.scopeOwnerService.getHasAnyOwnership(userId)) {
+        return;
+    }
+    throw new common_1.ForbiddenError({
+        message: "Requires master or owner access",
+    });
+}
+//# sourceMappingURL=assert-master-or-owner.js.map

package/access/functions/assert-master-or-owner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assert-master-or-owner.js","sourceRoot":"./","sources":["access/functions/assert-master-or-owner.ts"],"names":[],"mappings":";;AAYA,kDA2BC;AAvCD,6CAAqE;AACrE,gCAA6B;AAC7B,mDAA8C;AAE9C;;;;;;;GAOG;AACI,KAAK,UAAU,mBAAmB,CAAC,MAAe;IACtD,IAAI,CAAC,MAAM,EAAE,CAAC;QACX,MAAM,IAAI,0BAAiB,EAAE,CAAC;IACjC,CAAC;IAED,2CAA2C;IAC3C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,KAAK,MAAM,QAAQ,IAAI,SAAG,CAAC,oBAAoB,CAAC,MAAM,EAAE,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;YACtB,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACtC,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,MAAM,IAAA,2BAAW,EAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC/C,OAAO;QACV,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,IAAI,MAAM,SAAG,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1D,OAAO;IACV,CAAC;IAED,MAAM,IAAI,uBAAc,CAAC;QACtB,OAAO,EAAE,iCAAiC;KAC5C,CAAC,CAAC;AACN,CAAC"}

package/access/functions/assert-scope-action-access.d.ts

@@ -0,0 +1,32 @@
+import { Dictionary } from "@rockster/common";
+import { PropertyNote } from "@rockster/class-memory";
+import { IControllerProperty } from "../../controllers/interfaces/controller-property";
+import { PendingAction } from "../../core/interfaces/pending-action";
+import { IRequestContext } from "../../core/interfaces/request-context";
+export type ScopeActionKeySlot = "query" | "create" | "modify" | "remove" | "default";
+/**
+ * Enforces scope authorization for an action slot.
+ *
+ * A slot may carry one OR many keys ("a door with several locks"): the user must
+ * satisfy EVERY key (AND). Keys may belong to different scope contexts — each
+ * key resolves its own context id. Being the owner of a context satisfies that
+ * context's keys. Context-id / owner / user-key lookups are memoized within the
+ * call so keys sharing a context don't hit the DB twice; resolvers may also
+ * cache loaded data on `context.scopeStore` for the handler to reuse.
+ *
+ * Invoke it either with a `pending` action (default / query / post / remove
+ * builders) or with an explicit `requestPayload` (restful @Get/@Post… routes).
+ */
+export declare function assertScopeActionAccess(options: {
+    property: PropertyNote<IControllerProperty>;
+    slot: ScopeActionKeySlot;
+    context: IRequestContext;
+    /** Action flow: payload + annotations are read from the pending action. */
+    pending?: PendingAction;
+    /** Restful flow: payload provided explicitly (e.g. merged route params). */
+    requestPayload?: unknown;
+    annotations?: Dictionary<unknown>;
+    postType?: "create" | "modify";
+    /** Entity id for modify/remove when it is not the request body itself. */
+    entityId?: string;
+}): Promise<void>;

package/access/functions/assert-scope-action-access.js

@@ -0,0 +1,189 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertScopeActionAccess = assertScopeActionAccess;
+const common_1 = require("@rockster/common");
+const get_is_owner_1 = require("./get-is-owner");
+const get_user_keys_1 = require("./get-user-keys");
+const resolve_scope_context_id_1 = require("./resolve-scope-context-id");
+const env_1 = require("../env");
+function resolveRemoveIdValue(requestPayload) {
+    if (requestPayload == null) {
+        return undefined;
+    }
+    if (typeof requestPayload === "string" || typeof requestPayload === "number") {
+        return String(requestPayload);
+    }
+    if (typeof requestPayload === "object") {
+        const record = requestPayload;
+        const id = record.id ?? record.Id;
+        if (id != null && String(id).trim() !== "") {
+            return String(id);
+        }
+    }
+    return undefined;
+}
+function slotToActionKind(slot) {
+    if (slot === "query") {
+        return "query";
+    }
+    if (slot === "create" || slot === "modify") {
+        return "post";
+    }
+    if (slot === "remove") {
+        return "remove";
+    }
+    return "default";
+}
+/**
+ * Enforces scope authorization for an action slot.
+ *
+ * A slot may carry one OR many keys ("a door with several locks"): the user must
+ * satisfy EVERY key (AND). Keys may belong to different scope contexts — each
+ * key resolves its own context id. Being the owner of a context satisfies that
+ * context's keys. Context-id / owner / user-key lookups are memoized within the
+ * call so keys sharing a context don't hit the DB twice; resolvers may also
+ * cache loaded data on `context.scopeStore` for the handler to reuse.
+ *
+ * Invoke it either with a `pending` action (default / query / post / remove
+ * builders) or with an explicit `requestPayload` (restful @Get/@Post… routes).
+ */
+async function assertScopeActionAccess(options) {
+    const { property, slot, context, pending, postType, entityId } = options;
+    const keys = property.keys?.get(slot);
+    if (!keys || keys.length === 0) {
+        return;
+    }
+    const userId = context.session?.userId;
+    if (!userId) {
+        throw new common_1.UnauthorizedError();
+    }
+    const requestPayload = pending
+        ? context.request[pending.requestRef]
+        : options.requestPayload;
+    const annotations = pending?.annotations ?? options.annotations;
+    const actionKind = slotToActionKind(slot);
+    const idValue = entityId
+        ?? (actionKind === "remove"
+            ? resolveRemoveIdValue(requestPayload)
+            : undefined);
+    // Per-request store: resolvers may stash loaded data here so later resolvers
+    // (and the handler) reuse it instead of querying the DB again.
+    const store = (context.scopeStore ?? (context.scopeStore = new Map()));
+    // Per-call memo so several keys on the same context resolve/lookup only once.
+    const contextIdCache = new Map();
+    const ownerCache = new Map();
+    const userKeysCache = new Map();
+    const rootContextIdCache = new Map();
+    const missing = [];
+    for (const key of keys) {
+        const resolverCacheKey = `${key.contextName}|${key.resolverHandler ?? ""}`;
+        let contextId;
+        if (contextIdCache.has(resolverCacheKey)) {
+            contextId = contextIdCache.get(resolverCacheKey);
+        }
+        else {
+            contextId = await (0, resolve_scope_context_id_1.resolveScopeContextId)({
+                contextName: key.contextName,
+                requestPayload,
+                actionKind,
+                postType,
+                idValue,
+                entityTarget: property.data,
+                entityManager: context.entityManager,
+                withId: key.withId,
+                resolverHandler: key.resolverHandler,
+                requestContext: context,
+                pendingAnnotations: annotations,
+                store,
+            });
+            contextIdCache.set(resolverCacheKey, contextId);
+        }
+        if (key.withId && (contextId == null || contextId.trim() === "")) {
+            throw new common_1.ForbiddenError({
+                message: `Context id is required for [${key.contextName}]`,
+            });
+        }
+        const ownerCacheKey = `${key.contextName}|${contextId ?? ""}`;
+        let isOwner;
+        if (ownerCache.has(ownerCacheKey)) {
+            isOwner = ownerCache.get(ownerCacheKey);
+        }
+        else {
+            isOwner = await (0, get_is_owner_1.getIsOwner)(key.contextName, userId, contextId);
+            ownerCache.set(ownerCacheKey, isOwner);
+        }
+        if (isOwner) {
+            continue;
+        }
+        const userKeysCacheKey = contextId ?? "";
+        let userKeys;
+        if (userKeysCache.has(userKeysCacheKey)) {
+            userKeys = userKeysCache.get(userKeysCacheKey);
+        }
+        else {
+            userKeys = contextId
+                ? await (0, get_user_keys_1.getUserKeys)(userId, contextId)
+                : await (0, get_user_keys_1.getUserKeys)(userId);
+            userKeysCache.set(userKeysCacheKey, userKeys);
+        }
+        // Direct grant.
+        if (userKeys.includes(key.name)) {
+            continue;
+        }
+        const registry = env_1.env.scopeServiceRegistry.get(key.contextName);
+        // Context admin: holds this context's admin key → may do anything here.
+        if (registry?.adminKey && userKeys.includes(registry.adminKey)) {
+            continue;
+        }
+        // Platform master: holds the master key at the hierarchy ROOT → may do
+        // anything in any descendant scope. The root context is resolved from the
+        // same request (the root scope's resolver derives e.g. the workspace from
+        // the project/account being acted upon).
+        let rootContextId;
+        let masterKey;
+        if (registry?.root) {
+            rootContextId = contextId;
+            masterKey = registry.masterKey;
+        }
+        else if (registry?.rootScope) {
+            masterKey = env_1.env.scopeServiceRegistry.get(registry.rootScope)?.masterKey;
+            if (rootContextIdCache.has(registry.rootScope)) {
+                rootContextId = rootContextIdCache.get(registry.rootScope);
+            }
+            else {
+                rootContextId = await (0, resolve_scope_context_id_1.resolveScopeContextId)({
+                    contextName: registry.rootScope,
+                    requestPayload,
+                    actionKind,
+                    postType,
+                    idValue,
+                    entityTarget: property.data,
+                    entityManager: context.entityManager,
+                    withId: true,
+                    requestContext: context,
+                    pendingAnnotations: annotations,
+                    store,
+                });
+                rootContextIdCache.set(registry.rootScope, rootContextId);
+            }
+        }
+        if (masterKey && rootContextId) {
+            let rootKeys = userKeysCache.get(rootContextId);
+            if (!rootKeys) {
+                rootKeys = await (0, get_user_keys_1.getUserKeys)(userId, rootContextId);
+                userKeysCache.set(rootContextId, rootKeys);
+            }
+            if (rootKeys.includes(masterKey)) {
+                continue;
+            }
+        }
+        missing.push(key.name);
+    }
+    if (missing.length > 0) {
+        throw new common_1.ForbiddenError({
+            message: "Action require permissions to execute",
+            requirements: missing,
+        });
+    }
+}
+//# sourceMappingURL=assert-scope-action-access.js.map