@rpcbase/db 0.26.0 → 0.28.0

package/dist/acl/accessible.d.ts

@@ -0,0 +1,3 @@
+import { AclAction, AclSubjectType, AppAbility } from './types';
+export declare const getAccessibleByQuery: (ability: AppAbility, action: AclAction, subject: Exclude<AclSubjectType, "all">) => Record<string, unknown>;
+//# sourceMappingURL=accessible.d.ts.map

package/dist/acl/accessible.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"accessible.d.ts","sourceRoot":"","sources":["../../src/acl/accessible.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AAGpE,eAAO,MAAM,oBAAoB,GAC/B,SAAS,UAAU,EACnB,QAAQ,SAAS,EACjB,SAAS,OAAO,CAAC,cAAc,EAAE,KAAK,CAAC,KACtC,MAAM,CAAC,MAAM,EAAE,OAAO,CAExB,CAAA"}

package/dist/acl/buildAbility.d.ts

@@ -0,0 +1,3 @@
+import { AclContext, AppAbility } from './types';
+export declare const buildAbility: (ctx: AclContext) => AppAbility;
+//# sourceMappingURL=buildAbility.d.ts.map

package/dist/acl/buildAbility.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"buildAbility.d.ts","sourceRoot":"","sources":["../../src/acl/buildAbility.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AAGrD,eAAO,MAAM,YAAY,GAAI,KAAK,UAAU,KAAG,UAc9C,CAAA"}

package/dist/acl/can.d.ts

@@ -0,0 +1,3 @@
+import { AclAction, AclSubjectMap, AclSubjectType, AppAbility } from './types';
+export declare const can: <TSubject extends Exclude<AclSubjectType, "all">>(ability: AppAbility, action: AclAction, subjectType: TSubject, object?: Partial<AclSubjectMap[TSubject]> | null) => boolean;
+//# sourceMappingURL=can.d.ts.map

package/dist/acl/can.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"can.d.ts","sourceRoot":"","sources":["../../src/acl/can.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAc,aAAa,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AAG/F,eAAO,MAAM,GAAG,GAAI,QAAQ,SAAS,OAAO,CAAC,cAAc,EAAE,KAAK,CAAC,EACjE,SAAS,UAAU,EACnB,QAAQ,SAAS,EACjB,aAAa,QAAQ,EACrB,SAAS,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,GAAG,IAAI,KAC/C,OAKF,CAAA"}

package/dist/acl/index.d.ts

@@ -0,0 +1,7 @@
+export * from './types';
+export * from './registry';
+export * from './buildAbility';
+export * from './session';
+export * from './accessible';
+export * from './can';
+//# sourceMappingURL=index.d.ts.map

package/dist/acl/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/acl/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAA;AACvB,cAAc,YAAY,CAAA;AAC1B,cAAc,gBAAgB,CAAA;AAC9B,cAAc,WAAW,CAAA;AACzB,cAAc,cAAc,CAAA;AAC5B,cAAc,OAAO,CAAA"}

package/dist/acl/registry.d.ts

@@ -0,0 +1,10 @@
+import { AbilityBuilder } from '@casl/ability';
+import { AclContext, AclSubjectType, AppAbility } from './types';
+export type AclPolicy = {
+    subject: Exclude<AclSubjectType, "all">;
+    define: (builder: AbilityBuilder<AppAbility>, ctx: AclContext) => void;
+};
+export declare const registerPolicy: (policy: AclPolicy) => void;
+export declare const registerPoliciesFromModules: (modules: Record<string, unknown>) => void;
+export declare const getRegisteredPolicies: () => Array<AclPolicy["define"]>;
+//# sourceMappingURL=registry.d.ts.map

package/dist/acl/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/acl/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAA;AAEnD,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,SAAS,CAAA;AAGrE,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,OAAO,CAAC,cAAc,EAAE,KAAK,CAAC,CAAA;IACvC,MAAM,EAAE,CAAC,OAAO,EAAE,cAAc,CAAC,UAAU,CAAC,EAAE,GAAG,EAAE,UAAU,KAAK,IAAI,CAAA;CACvE,CAAA;AAuBD,eAAO,MAAM,cAAc,GAAI,QAAQ,SAAS,KAAG,IAIlD,CAAA;AAED,eAAO,MAAM,2BAA2B,GAAI,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,IAmB9E,CAAA;AAED,eAAO,MAAM,qBAAqB,QAAO,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,CAMjE,CAAA"}

package/dist/acl/session.d.ts

@@ -0,0 +1,17 @@
+import { AppAbility } from './types';
+type SessionUserLike = {
+    id?: unknown;
+    signedInTenants?: unknown;
+    tenantRoles?: unknown;
+};
+type SessionLike = {
+    user?: SessionUserLike;
+};
+export declare const getTenantRolesFromSessionUser: (user: unknown, tenantId: string) => string[];
+export declare const buildAbilityFromSession: ({ tenantId, session, claims, }: {
+    tenantId: string;
+    session: SessionLike | null | undefined;
+    claims?: Record<string, unknown>;
+}) => AppAbility;
+export {};
+//# sourceMappingURL=session.d.ts.map

package/dist/acl/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/acl/session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAyB,MAAM,SAAS,CAAA;AAGhE,KAAK,eAAe,GAAG;IACrB,EAAE,CAAC,EAAE,OAAO,CAAA;IACZ,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB,WAAW,CAAC,EAAE,OAAO,CAAA;CACtB,CAAA;AAED,KAAK,WAAW,GAAG;IACjB,IAAI,CAAC,EAAE,eAAe,CAAA;CACvB,CAAA;AA+BD,eAAO,MAAM,6BAA6B,GAAI,MAAM,OAAO,EAAE,UAAU,MAAM,KAAG,MAAM,EAKrF,CAAA;AAED,eAAO,MAAM,uBAAuB,GAAI,gCAIrC;IACD,QAAQ,EAAE,MAAM,CAAA;IAChB,OAAO,EAAE,WAAW,GAAG,IAAI,GAAG,SAAS,CAAA;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACjC,KAAG,UAuBH,CAAA"}

package/dist/acl/types.d.ts

@@ -0,0 +1,22 @@
+import { ForcedSubject, MongoAbility } from '@casl/ability';
+export type AclAction = "manage" | "create" | "read" | "update" | "delete";
+export interface AclSubjectMap {
+    RBUploadSession: Record<string, unknown>;
+    RBNotification: Record<string, unknown>;
+    RBNotificationSettings: Record<string, unknown>;
+}
+export type AclSubjectType = keyof AclSubjectMap | "all";
+type AclSubjectObject = {
+    [K in keyof AclSubjectMap]: ForcedSubject<K> & Partial<AclSubjectMap[K]>;
+}[keyof AclSubjectMap];
+export type AclSubject = AclSubjectType | AclSubjectObject;
+export type AppAbility = MongoAbility<[AclAction, AclSubject]>;
+export type TenantRolesByTenantId = Record<string, string[]>;
+export type AclContext = {
+    tenantId: string;
+    userId: string | null;
+    roles: string[];
+    claims?: Record<string, unknown>;
+};
+export {};
+//# sourceMappingURL=types.d.ts.map

package/dist/acl/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/acl/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,eAAe,CAAA;AAGhE,MAAM,MAAM,SAAS,GACjB,QAAQ,GACR,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,QAAQ,CAAA;AAEZ,MAAM,WAAW,aAAa;IAC5B,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACxC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACvC,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAChD;AAED,MAAM,MAAM,cAAc,GAAG,MAAM,aAAa,GAAG,KAAK,CAAA;AAExD,KAAK,gBAAgB,GAAG;KACrB,CAAC,IAAI,MAAM,aAAa,GAAG,aAAa,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;CACzE,CAAC,MAAM,aAAa,CAAC,CAAA;AAEtB,MAAM,MAAM,UAAU,GAAG,cAAc,GAAG,gBAAgB,CAAA;AAE1D,MAAM,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,CAAA;AAE9D,MAAM,MAAM,qBAAqB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;AAE5D,MAAM,MAAM,UAAU,GAAG;IACvB,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;IACrB,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACjC,CAAA"}

package/dist/acl.d.ts

@@ -0,0 +1,2 @@
+export * from './acl/index';
+//# sourceMappingURL=acl.d.ts.map

package/dist/acl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl.d.ts","sourceRoot":"","sources":["../src/acl.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAA"}

package/dist/index.d.ts

@@ -3,4 +3,5 @@ export * from './schema';
 export * from './createModels';
 export * from './loadModel';
 export * from './tenantFilesystemDb';
+export * from './acl';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAA;AACxB,cAAc,UAAU,CAAA;AACxB,cAAc,gBAAgB,CAAA;AAC9B,cAAc,aAAa,CAAA;AAC3B,cAAc,sBAAsB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAA;AACxB,cAAc,UAAU,CAAA;AACxB,cAAc,gBAAgB,CAAA;AAC9B,cAAc,aAAa,CAAA;AAC3B,cAAc,sBAAsB,CAAA;AACpC,cAAc,OAAO,CAAA"}

package/dist/index.js

@@ -3,12 +3,15 @@ import { z, ZodMap, ZodRecord, ZodAny, ZodUnion, ZodNullable, ZodOptional, ZodDe
 export * from "zod";
 import { z as z2 } from "zod";
 import assert from "assert";
+import { accessibleBy, accessibleRecordsPlugin } from "@casl/mongoose";
+import { AbilityBuilder, createMongoAbility, subject } from "@casl/ability";
 const ZRBUser = z.object({
   email: z.string().email().optional(),
   password: z.string(),
   name: z.string().optional(),
   phone: z.string().optional(),
   tenants: z.array(z.string()),
+  tenantRoles: z.record(z.string(), z.array(z.string())).optional(),
   emailVerificationCode: z.string().length(6).optional(),
   emailVerificationExpiresAt: z.date().optional()
 });
@@ -18,6 +21,7 @@ const RBUserSchema = new Schema({
   password: { type: String, required: true },
   name: String,
   tenants: { type: [String], index: true, required: true },
+  tenantRoles: { type: Map, of: [String], required: false, default: {} },
   emailVerificationCode: { type: String, required: false },
   emailVerificationExpiresAt: { type: Date, required: false }
 }, { collection: "users" });
@@ -244,6 +248,23 @@ const RBUploadSessionSchema = new Schema(
   }
 );
 RBUploadSessionSchema.index({ expiresAt: 1 }, { expireAfterSeconds: 0 });
+const RBUploadSessionPolicy = {
+  subject: "RBUploadSession",
+  define: (builder, ctx) => {
+    builder.can("create", "RBUploadSession");
+    if (ctx.userId) {
+      builder.can("read", "RBUploadSession", { userId: ctx.userId });
+      builder.can("update", "RBUploadSession", { userId: ctx.userId });
+      builder.can("delete", "RBUploadSession", { userId: ctx.userId });
+    }
+    const uploadKeyHash = typeof ctx.claims?.uploadKeyHash === "string" ? ctx.claims.uploadKeyHash.trim() : "";
+    if (uploadKeyHash) {
+      builder.can("read", "RBUploadSession", { ownerKeyHash: uploadKeyHash });
+      builder.can("update", "RBUploadSession", { ownerKeyHash: uploadKeyHash });
+      builder.can("delete", "RBUploadSession", { ownerKeyHash: uploadKeyHash });
+    }
+  }
+};
 const ZRBUploadChunk = z.object({
   uploadId: z.string(),
   index: z.number().int().min(0),
@@ -305,6 +326,16 @@ RBNotificationSchema.index({ userId: 1, archivedAt: 1, createdAt: -1 });
 RBNotificationSchema.index({ userId: 1, seenAt: 1, archivedAt: 1, createdAt: -1 });
 RBNotificationSchema.index({ userId: 1, readAt: 1, archivedAt: 1, createdAt: -1 });
 RBNotificationSchema.index({ archivedAt: 1 }, { expireAfterSeconds: TTL_90_DAYS_S });
+const RBNotificationPolicy = {
+  subject: "RBNotification",
+  define: (builder, ctx) => {
+    if (!ctx.userId) return;
+    builder.can("create", "RBNotification");
+    builder.can("read", "RBNotification", { userId: ctx.userId });
+    builder.can("update", "RBNotification", { userId: ctx.userId });
+    builder.can("delete", "RBNotification", { userId: ctx.userId });
+  }
+};
 const ZRBNotificationDigestFrequency = z.enum(["off", "daily", "weekly"]);
 const ZRBNotificationTopicPreference = z.object({
   topic: z.string(),
@@ -350,9 +381,20 @@ const RBNotificationSettingsSchema = new Schema(
 );
 RBNotificationSettingsSchema.index({ userId: 1 }, { unique: true });
 RBNotificationSettingsSchema.index({ userId: 1, "topicPreferences.topic": 1 });
+const RBNotificationSettingsPolicy = {
+  subject: "RBNotificationSettings",
+  define: (builder, ctx) => {
+    if (!ctx.userId) return;
+    builder.can("create", "RBNotificationSettings");
+    builder.can("read", "RBNotificationSettings", { userId: ctx.userId });
+    builder.can("update", "RBNotificationSettings", { userId: ctx.userId });
+  }
+};
 const frameworkSchemas = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
   __proto__: null,
+  RBNotificationPolicy,
   RBNotificationSchema,
+  RBNotificationSettingsPolicy,
   RBNotificationSettingsSchema,
   RBRtsChangeSchema,
   RBRtsCounterSchema,
@@ -360,6 +402,7 @@ const frameworkSchemas = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.de
   RBTenantSubscriptionEventSchema,
   RBTenantSubscriptionSchema,
   RBUploadChunkSchema,
+  RBUploadSessionPolicy,
   RBUploadSessionSchema,
   RBUserSchema,
   ZRBNotification,
@@ -1262,10 +1305,129 @@ const rtsChangeLogPlugin = (schema) => {
     }
   });
 };
-const RTS_CHANGELOG_EXCLUDED_MODELS = /* @__PURE__ */ new Set(["RBRtsChange", "RBRtsCounter"]);
+const POLICIES_GLOBAL_KEY = /* @__PURE__ */ Symbol.for("@rpcbase/db/acl/policiesBySubject");
+const getGlobalPoliciesMap = () => {
+  const store = globalThis;
+  const existing = store[POLICIES_GLOBAL_KEY];
+  if (existing instanceof Map) {
+    return existing;
+  }
+  const created = /* @__PURE__ */ new Map();
+  store[POLICIES_GLOBAL_KEY] = created;
+  return created;
+};
+const policiesBySubject = getGlobalPoliciesMap();
+const isPolicy = (value) => {
+  if (!value || typeof value !== "object") return false;
+  const maybe = value;
+  return typeof maybe.subject === "string" && typeof maybe.define === "function";
+};
+const registerPolicy = (policy) => {
+  const set = policiesBySubject.get(policy.subject) ?? /* @__PURE__ */ new Set();
+  set.add(policy.define);
+  policiesBySubject.set(policy.subject, set);
+};
+const registerPoliciesFromModules = (modules) => {
+  for (const [exportName, value] of Object.entries(modules)) {
+    if (!isPolicy(value)) continue;
+    if (!exportName.endsWith("Policy")) {
+      throw new Error(
+        `Invalid policy export name "${exportName}". Policies must be exported as "<ModelName>Policy".`
+      );
+    }
+    const expectedSubject = exportName.slice(0, -"Policy".length);
+    if (value.subject !== expectedSubject) {
+      throw new Error(
+        `Invalid policy "${exportName}": expected subject "${expectedSubject}", got "${value.subject}".`
+      );
+    }
+    registerPolicy(value);
+  }
+};
+const getRegisteredPolicies = () => {
+  const out = [];
+  for (const set of policiesBySubject.values()) {
+    for (const fn of set) out.push(fn);
+  }
+  return out;
+};
+const buildAbility = (ctx) => {
+  const builder = new AbilityBuilder(createMongoAbility);
+  const { can: can2 } = builder;
+  if (ctx.roles.includes("owner") || ctx.roles.includes("admin")) {
+    can2("manage", "all");
+  }
+  for (const define of getRegisteredPolicies()) {
+    define(builder, ctx);
+  }
+  return builder.build();
+};
+const normalizeRole = (raw) => {
+  if (typeof raw !== "string") return null;
+  const normalized = raw.trim();
+  return normalized ? normalized : null;
+};
+const normalizeRoles = (raw) => {
+  if (Array.isArray(raw)) {
+    return raw.map(normalizeRole).filter((r) => Boolean(r));
+  }
+  const role = normalizeRole(raw);
+  return role ? [role] : [];
+};
+const normalizeRolesByTenantId = (raw) => {
+  if (!raw || typeof raw !== "object") return null;
+  if (raw instanceof Map) {
+    return Object.fromEntries(Array.from(raw.entries()).map(([key, value]) => [String(key), normalizeRoles(value)]));
+  }
+  const obj = raw;
+  const out = {};
+  for (const [key, value] of Object.entries(obj)) {
+    const tenantId = String(key).trim();
+    if (!tenantId) continue;
+    out[tenantId] = normalizeRoles(value);
+  }
+  return out;
+};
+const getTenantRolesFromSessionUser = (user, tenantId) => {
+  if (!user || typeof user !== "object") return [];
+  const rolesByTenantId = normalizeRolesByTenantId(user.tenantRoles);
+  if (!rolesByTenantId) return [];
+  return rolesByTenantId[tenantId]?.filter(Boolean) ?? [];
+};
+const buildAbilityFromSession = ({
+  tenantId,
+  session,
+  claims
+}) => {
+  const user = session?.user;
+  const userId = typeof user?.id === "string" ? user.id.trim() : "";
+  const rolesByTenantId = normalizeRolesByTenantId(user?.tenantRoles);
+  const hasExplicitTenantEntry = Boolean(
+    rolesByTenantId && Object.prototype.hasOwnProperty.call(rolesByTenantId, tenantId)
+  );
+  const signedInTenantsRaw = user?.signedInTenants;
+  const signedInTenants = Array.isArray(signedInTenantsRaw) ? signedInTenantsRaw.map(String) : [];
+  const roles = hasExplicitTenantEntry ? rolesByTenantId[tenantId] ?? [] : userId && signedInTenants.includes(tenantId) ? ["owner"] : getTenantRolesFromSessionUser(user, tenantId);
+  return buildAbility({
+    tenantId,
+    userId: userId || null,
+    roles,
+    claims
+  });
+};
+const getAccessibleByQuery = (ability, action, subject2) => {
+  return accessibleBy(ability, action).ofType(subject2);
+};
+const can = (ability, action, subjectType, object) => {
+  if (object && typeof object === "object") {
+    return ability.can(action, subject(subjectType, object));
+  }
+  return ability.can(action, subjectType);
+};
 const rtsChangeLogApplied = /* @__PURE__ */ new WeakSet();
+const accessibleRecordsApplied = /* @__PURE__ */ new WeakSet();
 let cachedModels = null;
-const isRtsChangelogExcludedModelName = (name) => name.startsWith("RB") || RTS_CHANGELOG_EXCLUDED_MODELS.has(name);
+const isRtsChangelogExcludedModelName = (name) => name.startsWith("RB");
 const assertSchema = (exportName, value) => {
   if (value instanceof mongoose.Schema) return value;
   throw new Error(
@@ -1279,6 +1441,10 @@ const assertSchema = (exportName, value) => {
 const buildAppModels = (modules) => Object.entries(modules).filter(([key]) => key.endsWith("Schema")).map(([key, schemaValue]) => {
   const schema = assertSchema(key, schemaValue);
   const name = key.replace(/Schema$/, "");
+  if (!accessibleRecordsApplied.has(schema)) {
+    schema.plugin(accessibleRecordsPlugin);
+    accessibleRecordsApplied.add(schema);
+  }
   if (!isRtsChangelogExcludedModelName(name)) {
     if (!rtsChangeLogApplied.has(schema)) {
       schema.plugin(rtsChangeLogPlugin);
@@ -1293,6 +1459,10 @@ const buildAppModels = (modules) => Object.entries(modules).filter(([key]) => ke
 const buildFrameworkModels = () => Object.entries(frameworkSchemas).filter(([key]) => key.endsWith("Schema")).map(([key, schemaValue]) => {
   const schema = assertSchema(key, schemaValue);
   const name = key.replace(/Schema$/, "");
+  if (!accessibleRecordsApplied.has(schema)) {
+    schema.plugin(accessibleRecordsPlugin);
+    accessibleRecordsApplied.add(schema);
+  }
   if (!isRtsChangelogExcludedModelName(name)) {
     if (!rtsChangeLogApplied.has(schema)) {
       schema.plugin(rtsChangeLogPlugin);
@@ -1313,6 +1483,8 @@ const buildModels = (modules) => {
   }, {});
 };
 const registerModels = (modules) => {
+  registerPoliciesFromModules(frameworkSchemas);
+  registerPoliciesFromModules(modules);
   cachedModels = buildModels(modules);
 };
 const getRegisteredModels = () => {
@@ -1390,7 +1562,9 @@ const getTenantFilesystemDbFromCtx = async (ctx) => {
 };
 export {
   LANGUAGE_CODE_REGEX,
+  RBNotificationPolicy,
   RBNotificationSchema,
+  RBNotificationSettingsPolicy,
   RBNotificationSettingsSchema,
   RBRtsChangeSchema,
   RBRtsCounterSchema,
@@ -1398,6 +1572,7 @@ export {
   RBTenantSubscriptionEventSchema,
   RBTenantSubscriptionSchema,
   RBUploadChunkSchema,
+  RBUploadSessionPolicy,
   RBUploadSessionSchema,
   RBUserSchema,
   ZRBNotification,
@@ -1420,14 +1595,22 @@ export {
   ZRBUploadSession,
   ZRBUploadSessionStatus,
   ZRBUser,
+  buildAbility,
+  buildAbilityFromSession,
   buildLocaleFallbackChain,
+  can,
   createModels,
   extendZod,
+  getAccessibleByQuery,
+  getRegisteredPolicies,
   getTenantFilesystemDb,
   getTenantFilesystemDbFromCtx,
   getTenantFilesystemDbName,
+  getTenantRolesFromSessionUser,
   loadModel,
   loadRbModel,
+  registerPoliciesFromModules,
+  registerPolicy,
   resolveLocalizedString,
   withLocalizedStringFallback,
   z2 as z,

package/dist/models/RBNotification.d.ts

@@ -1,5 +1,6 @@
 import { Schema } from '../../../vite/node_modules/mongoose';
 import { z } from '../../../vite/node_modules/zod';
+import { AclPolicy } from '../acl';
 export declare const ZRBNotification: z.ZodObject<{
     userId: z.ZodString;
     topic: z.ZodOptional<z.ZodString>;
@@ -14,4 +15,5 @@ export declare const ZRBNotification: z.ZodObject<{
 }, z.core.$strip>;
 export type IRBNotification = z.infer<typeof ZRBNotification>;
 export declare const RBNotificationSchema: Schema;
+export declare const RBNotificationPolicy: AclPolicy;
 //# sourceMappingURL=RBNotification.d.ts.map

package/dist/models/RBNotification.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"RBNotification.d.ts","sourceRoot":"","sources":["../../src/models/RBNotification.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,eAAe;;;;;;;;;;;iBAW1B,CAAA;AAEF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAA;AAI7D,eAAO,MAAM,oBAAoB,EAAE,MAiBlC,CAAA"}
+{"version":3,"file":"RBNotification.d.ts","sourceRoot":"","sources":["../../src/models/RBNotification.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAA;AAGvC,eAAO,MAAM,eAAe;;;;;;;;;;;iBAW1B,CAAA;AAEF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAA;AAI7D,eAAO,MAAM,oBAAoB,EAAE,MAiBlC,CAAA;AAOD,eAAO,MAAM,oBAAoB,EAAE,SASlC,CAAA"}

package/dist/models/RBNotificationSettings.d.ts

@@ -1,5 +1,6 @@
 import { Schema } from '../../../vite/node_modules/mongoose';
 import { z } from '../../../vite/node_modules/zod';
+import { AclPolicy } from '../acl';
 export declare const ZRBNotificationDigestFrequency: z.ZodEnum<{
     off: "off";
     daily: "daily";
@@ -28,4 +29,5 @@ export declare const ZRBNotificationSettings: z.ZodObject<{
 }, z.core.$strip>;
 export type IRBNotificationSettings = z.infer<typeof ZRBNotificationSettings>;
 export declare const RBNotificationSettingsSchema: Schema;
+export declare const RBNotificationSettingsPolicy: AclPolicy;
 //# sourceMappingURL=RBNotificationSettings.d.ts.map

package/dist/models/RBNotificationSettings.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"RBNotificationSettings.d.ts","sourceRoot":"","sources":["../../src/models/RBNotificationSettings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,8BAA8B;;;;EAAqC,CAAA;AAEhF,eAAO,MAAM,8BAA8B;;;;;iBAKzC,CAAA;AAEF,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;iBAKlC,CAAA;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAY7E,eAAO,MAAM,4BAA4B,EAAE,MAoB1C,CAAA"}
+{"version":3,"file":"RBNotificationSettings.d.ts","sourceRoot":"","sources":["../../src/models/RBNotificationSettings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAA;AAGvC,eAAO,MAAM,8BAA8B;;;;EAAqC,CAAA;AAEhF,eAAO,MAAM,8BAA8B;;;;;iBAKzC,CAAA;AAEF,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;iBAKlC,CAAA;AAEF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAY7E,eAAO,MAAM,4BAA4B,EAAE,MAoB1C,CAAA;AAKD,eAAO,MAAM,4BAA4B,EAAE,SAQ1C,CAAA"}

package/dist/models/RBUploadSession.d.ts

@@ -1,5 +1,6 @@
 import { Schema } from '../../../vite/node_modules/mongoose';
 import { z } from '../../../vite/node_modules/zod';
+import { AclPolicy } from '../acl';
 export declare const ZRBUploadSessionStatus: z.ZodEnum<{
     error: "error";
     done: "done";
@@ -28,4 +29,5 @@ export declare const ZRBUploadSession: z.ZodObject<{
 }, z.core.$strip>;
 export type IRBUploadSession = z.infer<typeof ZRBUploadSession>;
 export declare const RBUploadSessionSchema: Schema;
+export declare const RBUploadSessionPolicy: AclPolicy;
 //# sourceMappingURL=RBUploadSession.d.ts.map

package/dist/models/RBUploadSession.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"RBUploadSession.d.ts","sourceRoot":"","sources":["../../src/models/RBUploadSession.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,sBAAsB;;;;;EAAuD,CAAA;AAE1F,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;iBAc3B,CAAA;AAEF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAE/D,eAAO,MAAM,qBAAqB,EAAE,MAoBnC,CAAA"}
+{"version":3,"file":"RBUploadSession.d.ts","sourceRoot":"","sources":["../../src/models/RBUploadSession.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAA;AAGvC,eAAO,MAAM,sBAAsB;;;;;EAAuD,CAAA;AAE1F,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;iBAc3B,CAAA;AAEF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAE/D,eAAO,MAAM,qBAAqB,EAAE,MAoBnC,CAAA;AAID,eAAO,MAAM,qBAAqB,EAAE,SAkBnC,CAAA"}

package/dist/models/User.d.ts

@@ -6,6 +6,7 @@ export declare const ZRBUser: z.ZodObject<{
     name: z.ZodOptional<z.ZodString>;
     phone: z.ZodOptional<z.ZodString>;
     tenants: z.ZodArray<z.ZodString>;
+    tenantRoles: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>>;
     emailVerificationCode: z.ZodOptional<z.ZodString>;
     emailVerificationExpiresAt: z.ZodOptional<z.ZodDate>;
 }, z.core.$strip>;

package/dist/models/User.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"User.d.ts","sourceRoot":"","sources":["../../src/models/User.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,OAAO;;;;;;;;iBAQlB,CAAA;AAEF,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,OAAO,CAAC,CAAC;AAE9C,eAAO,MAAM,YAAY,EAAE,MAQA,CAAA"}
+{"version":3,"file":"User.d.ts","sourceRoot":"","sources":["../../src/models/User.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAA;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAGvB,eAAO,MAAM,OAAO;;;;;;;;;iBASlB,CAAA;AAEF,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,OAAO,CAAC,CAAC;AAE9C,eAAO,MAAM,YAAY,EAAE,MASA,CAAA"}

package/dist/registerModels.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registerModels.d.ts","sourceRoot":"","sources":["../src/registerModels.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,UAAU,CAAA;AAU/B,KAAK,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AAiE3C,eAAO,MAAM,cAAc,GAAI,SAAS,YAAY,SAEnD,CAAA;AAED,eAAO,MAAM,mBAAmB,sEAK/B,CAAA;AAED,YAAY,EAAE,YAAY,EAAE,CAAA"}
+{"version":3,"file":"registerModels.d.ts","sourceRoot":"","sources":["../src/registerModels.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,UAAU,CAAA;AAa/B,KAAK,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;AAwE3C,eAAO,MAAM,cAAc,GAAI,SAAS,YAAY,SAInD,CAAA;AAED,eAAO,MAAM,mBAAmB,sEAK/B,CAAA;AAED,YAAY,EAAE,YAAY,EAAE,CAAA"}

package/package.json

@@ -1,12 +1,24 @@
 {
   "name": "@rpcbase/db",
-  "version": "0.26.0",
+  "version": "0.28.0",
   "type": "module",
   "files": [
     "dist"
   ],
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    },
+    "./acl": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
   "scripts": {
     "build": "wireit",
     "test": "vitest run --coverage",
@@ -55,9 +67,13 @@
     "mongoose": "^9",
     "zod": "^4"
   },
+  "dependencies": {
+    "@casl/ability": "6.7.5",
+    "@casl/mongoose": "8.0.3"
+  },
   "devDependencies": {
-    "@types/node": "24.10.1",
-    "@vitest/coverage-v8": "4.0.9",
-    "vitest": "4.0.9"
+    "@types/node": "25.0.3",
+    "@vitest/coverage-v8": "4.0.16",
+    "vitest": "4.0.16"
   }
 }

package/dist/schema/index.test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=index.test.d.ts.map

package/dist/schema/index.test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../../src/schema/index.test.ts"],"names":[],"mappings":""}