@seifer-webapp-factory/authorization 0.1.0

Files changed (112)
  1. package/README.md +17 -0
  2. package/backend/templates/cache/ttl-cache.ts +41 -0
  3. package/backend/templates/config/config-fragment.ts +41 -0
  4. package/backend/templates/nestjs/authz.controller.ts +253 -0
  5. package/backend/templates/nestjs/authz.module.ts +158 -0
  6. package/backend/templates/nestjs/tokens.ts +41 -0
  7. package/backend/templates/persistence/migrations/0001_authz.sql +45 -0
  8. package/backend/templates/persistence/migrations/index.ts +84 -0
  9. package/backend/templates/persistence/pg-policy-store.ts +193 -0
  10. package/backend/templates/persistence/seed.ts +60 -0
  11. package/dist/backend/src/index.d.ts +10 -0
  12. package/dist/backend/src/index.d.ts.map +1 -0
  13. package/dist/backend/src/index.js +9 -0
  14. package/dist/backend/src/index.js.map +1 -0
  15. package/dist/backend/src/policy.d.ts +13 -0
  16. package/dist/backend/src/policy.d.ts.map +1 -0
  17. package/dist/backend/src/policy.js +49 -0
  18. package/dist/backend/src/policy.js.map +1 -0
  19. package/dist/backend/src/ports.d.ts +90 -0
  20. package/dist/backend/src/ports.d.ts.map +1 -0
  21. package/dist/backend/src/ports.js +2 -0
  22. package/dist/backend/src/ports.js.map +1 -0
  23. package/dist/backend/src/services.d.ts +81 -0
  24. package/dist/backend/src/services.d.ts.map +1 -0
  25. package/dist/backend/src/services.js +234 -0
  26. package/dist/backend/src/services.js.map +1 -0
  27. package/dist/contract/endpoints.d.ts +433 -0
  28. package/dist/contract/endpoints.d.ts.map +1 -0
  29. package/dist/contract/endpoints.js +57 -0
  30. package/dist/contract/endpoints.js.map +1 -0
  31. package/dist/contract/errors.d.ts +33 -0
  32. package/dist/contract/errors.d.ts.map +1 -0
  33. package/dist/contract/errors.js +51 -0
  34. package/dist/contract/errors.js.map +1 -0
  35. package/dist/contract/events.d.ts +50 -0
  36. package/dist/contract/events.d.ts.map +1 -0
  37. package/dist/contract/events.js +13 -0
  38. package/dist/contract/events.js.map +1 -0
  39. package/dist/contract/index.d.ts +10 -0
  40. package/dist/contract/index.d.ts.map +1 -0
  41. package/dist/contract/index.js +10 -0
  42. package/dist/contract/index.js.map +1 -0
  43. package/dist/contract/permissions.d.ts +35 -0
  44. package/dist/contract/permissions.d.ts.map +1 -0
  45. package/dist/contract/permissions.js +37 -0
  46. package/dist/contract/permissions.js.map +1 -0
  47. package/dist/contract/schemas.d.ts +288 -0
  48. package/dist/contract/schemas.d.ts.map +1 -0
  49. package/dist/contract/schemas.js +91 -0
  50. package/dist/contract/schemas.js.map +1 -0
  51. package/dist/frontend/src/client.d.ts +31 -0
  52. package/dist/frontend/src/client.d.ts.map +1 -0
  53. package/dist/frontend/src/client.js +83 -0
  54. package/dist/frontend/src/client.js.map +1 -0
  55. package/dist/frontend/src/composables.d.ts +62 -0
  56. package/dist/frontend/src/composables.d.ts.map +1 -0
  57. package/dist/frontend/src/composables.js +170 -0
  58. package/dist/frontend/src/composables.js.map +1 -0
  59. package/dist/frontend/src/guards.d.ts +12 -0
  60. package/dist/frontend/src/guards.d.ts.map +1 -0
  61. package/dist/frontend/src/guards.js +10 -0
  62. package/dist/frontend/src/guards.js.map +1 -0
  63. package/dist/frontend/src/index.d.ts +12 -0
  64. package/dist/frontend/src/index.d.ts.map +1 -0
  65. package/dist/frontend/src/index.js +9 -0
  66. package/dist/frontend/src/index.js.map +1 -0
  67. package/dist/manifest.d.ts +56 -0
  68. package/dist/manifest.d.ts.map +1 -0
  69. package/dist/manifest.js +100 -0
  70. package/dist/manifest.js.map +1 -0
  71. package/dist/scaffolder/core/config.d.ts +86 -0
  72. package/dist/scaffolder/core/config.d.ts.map +1 -0
  73. package/dist/scaffolder/core/config.js +92 -0
  74. package/dist/scaffolder/core/config.js.map +1 -0
  75. package/dist/scaffolder/core/errors.d.ts +46 -0
  76. package/dist/scaffolder/core/errors.d.ts.map +1 -0
  77. package/dist/scaffolder/core/errors.js +60 -0
  78. package/dist/scaffolder/core/errors.js.map +1 -0
  79. package/dist/scaffolder/core/extend.d.ts +86 -0
  80. package/dist/scaffolder/core/extend.d.ts.map +1 -0
  81. package/dist/scaffolder/core/extend.js +94 -0
  82. package/dist/scaffolder/core/extend.js.map +1 -0
  83. package/dist/scaffolder/core/materialize.d.ts +71 -0
  84. package/dist/scaffolder/core/materialize.d.ts.map +1 -0
  85. package/dist/scaffolder/core/materialize.js +47 -0
  86. package/dist/scaffolder/core/materialize.js.map +1 -0
  87. package/dist/scaffolder/core/ports.d.ts +39 -0
  88. package/dist/scaffolder/core/ports.d.ts.map +1 -0
  89. package/dist/scaffolder/core/ports.js +33 -0
  90. package/dist/scaffolder/core/ports.js.map +1 -0
  91. package/dist/scaffolder/core/presence.d.ts +34 -0
  92. package/dist/scaffolder/core/presence.d.ts.map +1 -0
  93. package/dist/scaffolder/core/presence.js +29 -0
  94. package/dist/scaffolder/core/presence.js.map +1 -0
  95. package/dist/scaffolder/core/three-way-merge.d.ts +113 -0
  96. package/dist/scaffolder/core/three-way-merge.d.ts.map +1 -0
  97. package/dist/scaffolder/core/three-way-merge.js +184 -0
  98. package/dist/scaffolder/core/three-way-merge.js.map +1 -0
  99. package/dist/scaffolder/index.d.ts +25 -0
  100. package/dist/scaffolder/index.d.ts.map +1 -0
  101. package/dist/scaffolder/index.js +24 -0
  102. package/dist/scaffolder/index.js.map +1 -0
  103. package/frontend/templates/components/PermissionMatrix.vue +134 -0
  104. package/frontend/templates/i18n/en.json +61 -0
  105. package/frontend/templates/i18n/nl.json +61 -0
  106. package/frontend/templates/middleware/permission.ts +54 -0
  107. package/frontend/templates/pages/access-assignments.vue +151 -0
  108. package/frontend/templates/pages/role-editor.vue +169 -0
  109. package/frontend/templates/pages/roles-list.vue +84 -0
  110. package/frontend/templates/plugins/authz.client.ts +108 -0
  111. package/frontend/templates/runtime.ts +60 -0
  112. package/package.json +76 -0
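--- a/package/dist/contract/endpoints.js
+++ b/package/dist/contract/endpoints.js
@@ -0,0 +1,57 @@
+import { createRoleRequestSchema, updateRoleRequestSchema, roleSchema, roleListResponseSchema, permissionListResponseSchema, assignmentRequestSchema, subjectRolesResponseSchema, mePermissionsResponseSchema, checkRequestSchema, checkResponseSchema, relationRequestSchema, acknowledgementSchema, } from './schemas.js';
+import { AUTHZ_MANAGE } from './permissions.js';
+export const AUTHZ_ENDPOINTS = {
+listRoles: {
+method: 'GET', path: '/authz/roles', request: null, response: roleListResponseSchema,
+errors: ['forbidden', 'unauthenticated'], auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+createRole: {
+method: 'POST', path: '/authz/roles', request: createRoleRequestSchema, response: roleSchema,
+errors: ['forbidden', 'unauthenticated', 'permission_unknown', 'role_cycle', 'escalation_denied', 'validation_failed'],
+auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+updateRole: {
+method: 'PATCH', path: '/authz/roles/:id', request: updateRoleRequestSchema, response: roleSchema,
+errors: ['forbidden', 'unauthenticated', 'role_not_found', 'permission_unknown', 'role_cycle', 'escalation_denied', 'validation_failed'],
+auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+deleteRole: {
+method: 'DELETE', path: '/authz/roles/:id', request: null, response: acknowledgementSchema,
+errors: ['forbidden', 'unauthenticated', 'role_not_found'], auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+listPermissions: {
+method: 'GET', path: '/authz/permissions', request: null, response: permissionListResponseSchema,
+errors: ['forbidden', 'unauthenticated'], auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+subjectRoles: {
+method: 'GET', path: '/authz/subjects/:id/roles', request: null, response: subjectRolesResponseSchema,
+errors: ['forbidden', 'unauthenticated'], auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+assignRole: {
+method: 'POST', path: '/authz/assignments', request: assignmentRequestSchema, response: acknowledgementSchema,
+errors: ['forbidden', 'unauthenticated', 'role_not_found', 'assignment_exists', 'escalation_denied'],
+auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+revokeRole: {
+method: 'DELETE', path: '/authz/assignments', request: assignmentRequestSchema, response: acknowledgementSchema,
+errors: ['forbidden', 'unauthenticated', 'role_not_found', 'self_lockout'],
+auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+mePermissions: {
+method: 'GET', path: '/authz/me/permissions', request: null, response: mePermissionsResponseSchema,
+errors: ['unauthenticated'], auth: true, requiredPermission: null,
+},
+check: {
+method: 'POST', path: '/authz/check', request: checkRequestSchema, response: checkResponseSchema,
+errors: ['unauthenticated', 'validation_failed'], auth: true, requiredPermission: null,
+},
+writeRelation: {
+method: 'POST', path: '/authz/relations', request: relationRequestSchema, response: acknowledgementSchema,
+errors: ['forbidden', 'unauthenticated', 'invalid_relation'], auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+removeRelation: {
+method: 'DELETE', path: '/authz/relations', request: relationRequestSchema, response: acknowledgementSchema,
+errors: ['forbidden', 'unauthenticated', 'invalid_relation'], auth: true, requiredPermission: AUTHZ_MANAGE,
+},
+};
+//# sourceMappingURL=endpoints.js.map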
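Review bot: `deleteRole` and `updateRole` do not declare `self_lockout`, although `revokeRole` does; deleting the role that carries the caller's own `authz.manage` grant, or PATCHing that permission out of it, leaves the caller in the same locked-out state that `revokeRole` guards against. If the service checks this on those paths the contract should list the code, e.g. `errors: ['forbidden', 'unauthenticated', 'role_not_found', 'self_lockout'], auth: true, requiredPermission: AUTHZ_MANAGE,` for `deleteRole`; if it does not, that is the gap to close first. Separately, `AUTHZ_ENDPOINTS` is a plain mutable object while `AUTHZ_ERROR_TAXONOMY` in errors.js is wrapped in `Object.freeze`; since `auth` and `requiredPermission` drive enforcement, freezing this table too (the nested descriptors would need freezing as well) keeps the two contract tables consistent. `revokeRole` and `removeRelation` are `DELETE` requests that carry a body, which some proxies and HTTP clients drop; a comment confirming the host stack supports this, or a different verb, would avoid surprises.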
@@ -0,0 +1 @@
1
+ {"version":3,"file":"endpoints.js","sourceRoot":"","sources":["../../contract/endpoints.ts"],"names":[],"mappings":"AACA,OAAO,EACL,uBAAuB,EACvB,uBAAuB,EACvB,UAAU,EACV,sBAAsB,EACtB,4BAA4B,EAC5B,uBAAuB,EACvB,0BAA0B,EAC1B,2BAA2B,EAC3B,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AA0BhD,MAAM,CAAC,MAAM,eAAe,GAAG;IAC7B,SAAS,EAAE;QACT,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,sBAAsB;QACpF,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KACvF;IACD,UAAU,EAAE;QACV,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU;QAC5F,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;QACtH,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KAC7C;IACD,UAAU,EAAE;QACV,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,UAAU;QACjG,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;QACxI,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KAC7C;IACD,UAAU,EAAE;QACV,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,qBAAqB;QAC1F,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,EAAE,gBAAgB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KACzG;IACD,eAAe,EAAE;QACf,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,4BAA4B;QAChG,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KACvF;IACD,YAAY,EAAE;QACZ,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,2BAA2B,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,0BAA0B;QACrG,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KACvF;IACD,UAAU,EAAE;QACV,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,qBAAqB;QAC7G,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;QACpG,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KAC7C;IACD,UAAU,EAAE;QACV,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,oBAAoB,EAAE,OAAO,EAAE,uBAAuB,EAAE,QAAQ,EAAE,qBAAqB;QAC/G,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,E
AAE,gBAAgB,EAAE,cAAc,CAAC;QAC1E,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KAC7C;IACD,aAAa,EAAE;QACb,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,uBAAuB,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,2BAA2B;QAClG,MAAM,EAAE,CAAC,iBAAiB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI;KAClE;IACD,KAAK,EAAE;QACL,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,mBAAmB;QAChG,MAAM,EAAE,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,IAAI;KACvF;IACD,aAAa,EAAE;QACb,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,qBAAqB;QACzG,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,EAAE,kBAAkB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KAC3G;IACD,cAAc,EAAE;QACd,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,qBAAqB,EAAE,QAAQ,EAAE,qBAAqB;QAC3G,MAAM,EAAE,CAAC,WAAW,EAAE,iBAAiB,EAAE,kBAAkB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,YAAY;KAC3G;CACuF,CAAC"}
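--- a/package/dist/contract/errors.d.ts
+++ b/package/dist/contract/errors.d.ts
@@ -0,0 +1,33 @@
+/**
+* US-Z0102 — Error-taxonomie + i18n-sleutels. Eén gedeelde foutcodelijst die beide helften (backend
+* mapping → HTTP, frontend weergave → i18n) uit het contract afleiden. Denial-reasons zijn veilig:
+* ze lekken nooit de interne policy of welke permissie precies ontbrak (no-catalog-leak, US-Z0703).
+*/
+export declare const AUTHZ_ERROR_CODES: readonly ["forbidden", "role_not_found", "permission_unknown", "role_cycle", "assignment_exists", "self_lockout", "escalation_denied", "invalid_relation", "unauthenticated", "validation_failed"];
+export type AuthzErrorCode = (typeof AUTHZ_ERROR_CODES)[number];
+export interface AuthzErrorDescriptor {
+/** HTTP-status waarnaar de backend deze fout mapt. */
+readonly httpStatus: number;
+/** i18n-sleutel die de frontend toont (nooit rauwe details). */
+readonly i18nKey: string;
+}
+/** Enige bron van de code→HTTP + code→i18n-mapping. Bewust generiek gehouden (geen policy-lek). */
+export declare const AUTHZ_ERROR_TAXONOMY: Readonly<Record<AuthzErrorCode, AuthzErrorDescriptor>>;
+/** Contract-vorm van een foutrespons (body). Bevat nooit stacktraces of policy-interne details. */
+export interface AuthzErrorBody {
+readonly code: AuthzErrorCode;
+readonly message: string;
+/** Optioneel: veld-gebonden validatiefouten (paden), zonder ingevoerde waarden. */
+readonly fields?: Readonly<Record<string, string[]>>;
+}
+/**
+* Domein-fout die de backend-services gooien; de HTTP-laag (surface) mapt `code` via de taxonomie naar
+* status. Draagt nooit gevoelige context mee.
+*/
+export declare class AuthzError extends Error {
+readonly code: AuthzErrorCode;
+readonly fields: Readonly<Record<string, string[]>> | undefined;
+constructor(code: AuthzErrorCode, message?: string, fields?: Record<string, string[]>);
+toBody(): AuthzErrorBody;
+}
+//# sourceMappingURL=errors.d.ts.map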
@@ -0,0 +1 @@
1
+ {"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../contract/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,eAAO,MAAM,iBAAiB,oMAWpB,CAAC;AAEX,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,iBAAiB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEhE,MAAM,WAAW,oBAAoB;IACnC,sDAAsD;IACtD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,gEAAgE;IAChE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,mGAAmG;AACnG,eAAO,MAAM,oBAAoB,EAAE,QAAQ,CAAC,MAAM,CAAC,cAAc,EAAE,oBAAoB,CAAC,CAWtF,CAAC;AAEH,mGAAmG;AACnG,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,mFAAmF;IACnF,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;CACtD;AAED;;;GAGG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,GAAG,SAAS,CAAC;gBACpD,IAAI,EAAE,cAAc,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;IAOrF,MAAM,IAAI,cAAc;CAKzB"}
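--- a/package/dist/contract/errors.js
+++ b/package/dist/contract/errors.js
@@ -0,0 +1,51 @@
+/**
+* US-Z0102 — Error-taxonomie + i18n-sleutels. Eén gedeelde foutcodelijst die beide helften (backend
+* mapping → HTTP, frontend weergave → i18n) uit het contract afleiden. Denial-reasons zijn veilig:
+* ze lekken nooit de interne policy of welke permissie precies ontbrak (no-catalog-leak, US-Z0703).
+*/
+export const AUTHZ_ERROR_CODES = [
+'forbidden',
+'role_not_found',
+'permission_unknown',
+'role_cycle',
+'assignment_exists',
+'self_lockout',
+'escalation_denied',
+'invalid_relation',
+'unauthenticated',
+'validation_failed',
+];
+/** Enige bron van de code→HTTP + code→i18n-mapping. Bewust generiek gehouden (geen policy-lek). */
+export const AUTHZ_ERROR_TAXONOMY = Object.freeze({
+forbidden: { httpStatus: 403, i18nKey: 'authz.error.forbidden' },
+role_not_found: { httpStatus: 404, i18nKey: 'authz.error.role_not_found' },
+permission_unknown: { httpStatus: 422, i18nKey: 'authz.error.permission_unknown' },
+role_cycle: { httpStatus: 409, i18nKey: 'authz.error.role_cycle' },
+assignment_exists: { httpStatus: 409, i18nKey: 'authz.error.assignment_exists' },
+self_lockout: { httpStatus: 409, i18nKey: 'authz.error.self_lockout' },
+escalation_denied: { httpStatus: 403, i18nKey: 'authz.error.escalation_denied' },
+invalid_relation: { httpStatus: 422, i18nKey: 'authz.error.invalid_relation' },
+unauthenticated: { httpStatus: 401, i18nKey: 'authz.error.unauthenticated' },
+validation_failed: { httpStatus: 422, i18nKey: 'authz.error.validation_failed' },
+});
+/**
+* Domein-fout die de backend-services gooien; de HTTP-laag (surface) mapt `code` via de taxonomie naar
+* status. Draagt nooit gevoelige context mee.
+*/
+export class AuthzError extends Error {
+code;
+fields;
+constructor(code, message, fields) {
+super(message ?? code);
+this.name = 'AuthzError';
+this.code = code;
+this.fields = fields;
+Object.setPrototypeOf(this, AuthzError.prototype);
+}
+toBody() {
+return this.fields
+? { code: this.code, message: this.message, fields: this.fields }
+: { code: this.code, message: this.message };
+}
+}
+//# sourceMappingURL=errors.js.map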
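Review bot: `toBody()` copies `this.message` verbatim into the response body, so the header comment's guarantee that the body never carries policy-internal details holds only if every throw site passes a client-safe string; the constructor accepts any `message` and only defaults it to `code`. The constraint should at least be documented on the constructor, e.g. `@param message Client-facing text, defaults to \`code\`; it is serialized by toBody() and must not name policies, subjects or input values.`, or `toBody()` could emit the taxonomy's `i18nKey` in place of the free-form message so the wire shape is fixed by contract. The `Object.setPrototypeOf(this, AuthzError.prototype)` line looks redundant here: the class-field syntax (`code;`, `fields;`) shows a native-class target, where `extends Error` already sets the prototype, though it is harmless if an older target is also built. `AUTHZ_ERROR_CODES` is left mutable while `AUTHZ_ERROR_TAXONOMY` is frozen (shallowly — the descriptor objects are still writable); freezing both consistently would match the "single source" intent.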
@@ -0,0 +1 @@
1
+ {"version":3,"file":"errors.js","sourceRoot":"","sources":["../../contract/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,WAAW;IACX,gBAAgB;IAChB,oBAAoB;IACpB,YAAY;IACZ,mBAAmB;IACnB,cAAc;IACd,mBAAmB;IACnB,kBAAkB;IAClB,iBAAiB;IACjB,mBAAmB;CACX,CAAC;AAWX,mGAAmG;AACnG,MAAM,CAAC,MAAM,oBAAoB,GAA2D,MAAM,CAAC,MAAM,CAAC;IACxG,SAAS,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,uBAAuB,EAAE;IAChE,cAAc,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,4BAA4B,EAAE;IAC1E,kBAAkB,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,gCAAgC,EAAE;IAClF,UAAU,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,wBAAwB,EAAE;IAClE,iBAAiB,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,+BAA+B,EAAE;IAChF,YAAY,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,0BAA0B,EAAE;IACtE,iBAAiB,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,+BAA+B,EAAE;IAChF,gBAAgB,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,8BAA8B,EAAE;IAC9E,eAAe,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,6BAA6B,EAAE;IAC5E,iBAAiB,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,OAAO,EAAE,+BAA+B,EAAE;CACjF,CAAC,CAAC;AAUH;;;GAGG;AACH,MAAM,OAAO,UAAW,SAAQ,KAAK;IAC1B,IAAI,CAAiB;IACrB,MAAM,CAAiD;IAChE,YAAY,IAAoB,EAAE,OAAgB,EAAE,MAAiC;QACnF,KAAK,CAAC,OAAO,IAAI,IAAI,CAAC,CAAC;QACvB,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC;QACzB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;IACD,MAAM;QACJ,OAAO,IAAI,CAAC,MAAM;YAChB,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;YACjE,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;IACjD,CAAC;CACF"}
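--- a/package/dist/contract/events.d.ts
+++ b/package/dist/contract/events.d.ts
@@ -0,0 +1,50 @@
+/**
+* US-Z0103 — Domein-events. De module publiceert deze events (bv. voor audit-log US-Z0705 of
+* host-hooks). Payloads bevatten identificatie, nooit policy-interne details of secret-materiaal.
+*/
+export declare const AUTHZ_EVENTS: readonly ["role.created", "role.updated", "role.deleted", "role.assigned", "role.revoked", "access.denied"];
+export type AuthzEventName = (typeof AUTHZ_EVENTS)[number];
+export interface AuthzEventBase {
+readonly name: AuthzEventName;
+/** ISO-8601 timestamp — door de host/klok geïnjecteerd, niet hier gegenereerd. */
+readonly occurredAt: string;
+/** Het subject dat de mutatie uitvoerde (de actor), voor audit-attributie. */
+readonly actorId: string;
+}
+export interface RoleCreatedEvent extends AuthzEventBase {
+readonly name: 'role.created';
+readonly roleId: string;
+readonly roleKey: string;
+}
+export interface RoleUpdatedEvent extends AuthzEventBase {
+readonly name: 'role.updated';
+readonly roleId: string;
+}
+export interface RoleDeletedEvent extends AuthzEventBase {
+readonly name: 'role.deleted';
+readonly roleId: string;
+}
+export interface RoleAssignedEvent extends AuthzEventBase {
+readonly name: 'role.assigned';
+readonly subjectId: string;
+readonly roleId: string;
+}
+export interface RoleRevokedEvent extends AuthzEventBase {
+readonly name: 'role.revoked';
+readonly subjectId: string;
+readonly roleId: string;
+}
+export interface AccessDeniedEvent extends AuthzEventBase {
+readonly name: 'access.denied';
+/** De gevraagde permissie of action (geen policy-interne details). */
+readonly requested: string;
+/** Optioneel resource-type/-id waartegen werd gecheckt. */
+readonly resourceType?: string;
+readonly resourceId?: string;
+}
+export type AuthzEvent = RoleCreatedEvent | RoleUpdatedEvent | RoleDeletedEvent | RoleAssignedEvent | RoleRevokedEvent | AccessDeniedEvent;
+/** Poort die de host levert om events te consumeren (audit-log/analytics/…). */
+export interface AuthzEventSink {
+emit(event: AuthzEvent): void;
+}
+//# sourceMappingURL=events.d.ts.map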
@@ -0,0 +1 @@
1
+ {"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../contract/events.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,eAAO,MAAM,YAAY,6GAOf,CAAC;AAEX,MAAM,MAAM,cAAc,GAAG,CAAC,OAAO,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC;AAE3D,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,kFAAkF;IAClF,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,8EAA8E;IAC9E,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,gBAAiB,SAAQ,cAAc;IACtD,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AACD,MAAM,WAAW,gBAAiB,SAAQ,cAAc;IACtD,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AACD,MAAM,WAAW,gBAAiB,SAAQ,cAAc;IACtD,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AACD,MAAM,WAAW,iBAAkB,SAAQ,cAAc;IACvD,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;IAC/B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AACD,MAAM,WAAW,gBAAiB,SAAQ,cAAc;IACtD,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AACD,MAAM,WAAW,iBAAkB,SAAQ,cAAc;IACvD,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;IAC/B,sEAAsE;IACtE,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,2DAA2D;IAC3D,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,MAAM,UAAU,GAClB,gBAAgB,GAChB,gBAAgB,GAChB,gBAAgB,GAChB,iBAAiB,GACjB,gBAAgB,GAChB,iBAAiB,CAAC;AAEtB,gFAAgF;AAChF,MAAM,WAAW,cAAc;IAC7B,IAAI,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI,CAAC;CAC/B"}
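--- a/package/dist/contract/events.js
+++ b/package/dist/contract/events.js
@@ -0,0 +1,13 @@
+/**
+* US-Z0103 — Domein-events. De module publiceert deze events (bv. voor audit-log US-Z0705 of
+* host-hooks). Payloads bevatten identificatie, nooit policy-interne details of secret-materiaal.
+*/
+export const AUTHZ_EVENTS = [
+'role.created',
+'role.updated',
+'role.deleted',
+'role.assigned',
+'role.revoked',
+'access.denied',
+];
+//# sourceMappingURL=events.js.map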
@@ -0,0 +1 @@
1
+ {"version":3,"file":"events.js","sourceRoot":"","sources":["../../contract/events.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,cAAc;IACd,cAAc;IACd,cAAc;IACd,eAAe;IACf,cAAc;IACd,eAAe;CACP,CAAC"}
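--- a/package/dist/contract/index.d.ts
+++ b/package/dist/contract/index.d.ts
@@ -0,0 +1,10 @@
+/**
+* authorization — het contract (de seam). Eén bron waaruit backend-validatie én frontend-client hun
+* types afleiden. Bevat geen mechanisme, alleen schema's/typen/taxonomie/events/permissie-catalogus.
+*/
+export * from './permissions.js';
+export * from './schemas.js';
+export * from './errors.js';
+export * from './events.js';
+export * from './endpoints.js';
+//# sourceMappingURL=index.d.ts.map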
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../contract/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,cAAc,kBAAkB,CAAC;AACjC,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,gBAAgB,CAAC"}
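--- a/package/dist/contract/index.js
+++ b/package/dist/contract/index.js
@@ -0,0 +1,10 @@
+/**
+* authorization — het contract (de seam). Eén bron waaruit backend-validatie én frontend-client hun
+* types afleiden. Bevat geen mechanisme, alleen schema's/typen/taxonomie/events/permissie-catalogus.
+*/
+export * from './permissions.js';
+export * from './schemas.js';
+export * from './errors.js';
+export * from './events.js';
+export * from './endpoints.js';
+//# sourceMappingURL=index.js.map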
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../contract/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,cAAc,kBAAkB,CAAC;AACjC,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,gBAAgB,CAAC"}
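--- a/package/dist/contract/permissions.d.ts
+++ b/package/dist/contract/permissions.d.ts
@@ -0,0 +1,35 @@
+/**
+* US-Z0104 — Het permissie-catalogus-format (de seam voor "welke permissies bestaan").
+*
+* Permissies zijn **enforcement-punten in code**: de catalogus is code-declared en getypt, zodat een
+* typefout een compile-fout wordt in plaats van een stille runtime-grant. Wélke subjects welke rollen
+* hebben is daarentegen data (DB, US-Z0604). De host breidt de catalogus additief uit (US-Z1002); de
+* backend synchroniseert de catalogus-rijen naar de DB (US-Z0203).
+*/
+/** Eén permissie in de catalogus: een stabiele sleutel + een i18n-bare omschrijving. */
+export interface PermissionDescriptor {
+/** Stabiele, code-gerefereerde sleutel, bv. `authz.manage`. Puntgescheiden namespace-conventie. */
+readonly key: string;
+/** Menselijke omschrijving (of i18n-sleutel) — puur informatief, nooit een autorisatie-conditie. */
+readonly description: string;
+}
+export type PermissionCatalog = readonly PermissionDescriptor[];
+/**
+* De bootstrap-permissie waarmee de module zijn eigen beheer-endpoints bewaakt. De seed (US-Z0604)
+* kent deze aan precies één first-admin toe; zonder deze permissie is geen enkele mutatie mogelijk.
+*/
+export declare const AUTHZ_MANAGE = "authz.manage";
+/**
+* De permissies die de module zélf meebrengt. Een host voegt hier zijn eigen app-permissies aan toe
+* (US-Z1002) door de catalogus samen te voegen; dubbele sleutels zijn een fout (zie {@link mergeCatalog}).
+*/
+export declare const AUTHZ_PERMISSIONS: readonly [{
+readonly key: "authz.manage";
+readonly description: "Beheer rollen, permissies en rol-toewijzingen";
+}];
+/**
+* Voegt catalogi samen en weigert dubbele sleutels fail-fast — zo kan een host-uitbreiding nooit
+* stilzwijgend een bestaande permissie-betekenis overschrijven.
+*/
+export declare function mergeCatalog(...catalogs: PermissionCatalog[]): PermissionCatalog;
+//# sourceMappingURL=permissions.d.ts.map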
@@ -0,0 +1 @@
1
+ {"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../contract/permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,wFAAwF;AACxF,MAAM,WAAW,oBAAoB;IACnC,mGAAmG;IACnG,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,oGAAoG;IACpG,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,MAAM,iBAAiB,GAAG,SAAS,oBAAoB,EAAE,CAAC;AAEhE;;;GAGG;AACH,eAAO,MAAM,YAAY,iBAAiB,CAAC;AAE3C;;;GAGG;AACH,eAAO,MAAM,iBAAiB;;;EAEQ,CAAC;AAEvC;;;GAGG;AACH,wBAAgB,YAAY,CAAC,GAAG,QAAQ,EAAE,iBAAiB,EAAE,GAAG,iBAAiB,CAWhF"}
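--- a/package/dist/contract/permissions.js
+++ b/package/dist/contract/permissions.js
@@ -0,0 +1,37 @@
+/**
+* US-Z0104 — Het permissie-catalogus-format (de seam voor "welke permissies bestaan").
+*
+* Permissies zijn **enforcement-punten in code**: de catalogus is code-declared en getypt, zodat een
+* typefout een compile-fout wordt in plaats van een stille runtime-grant. Wélke subjects welke rollen
+* hebben is daarentegen data (DB, US-Z0604). De host breidt de catalogus additief uit (US-Z1002); de
+* backend synchroniseert de catalogus-rijen naar de DB (US-Z0203).
+*/
+/**
+* De bootstrap-permissie waarmee de module zijn eigen beheer-endpoints bewaakt. De seed (US-Z0604)
+* kent deze aan precies één first-admin toe; zonder deze permissie is geen enkele mutatie mogelijk.
+*/
+export const AUTHZ_MANAGE = 'authz.manage';
+/**
+* De permissies die de module zélf meebrengt. Een host voegt hier zijn eigen app-permissies aan toe
+* (US-Z1002) door de catalogus samen te voegen; dubbele sleutels zijn een fout (zie {@link mergeCatalog}).
+*/
+export const AUTHZ_PERMISSIONS = [
+{ key: AUTHZ_MANAGE, description: 'Beheer rollen, permissies en rol-toewijzingen' },
+];
+/**
+* Voegt catalogi samen en weigert dubbele sleutels fail-fast — zo kan een host-uitbreiding nooit
+* stilzwijgend een bestaande permissie-betekenis overschrijven.
+*/
+export function mergeCatalog(...catalogs) {
+const byKey = new Map();
+for (const catalog of catalogs) {
+for (const descriptor of catalog) {
+if (byKey.has(descriptor.key)) {
+throw new Error(`Dubbele permissie-sleutel in catalogus: "${descriptor.key}"`);
+}
+byKey.set(descriptor.key, descriptor);
+}
+}
+return [...byKey.values()];
+}
+//# sourceMappingURL=permissions.js.map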
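Review bot: `mergeCatalog` checks only for duplicate keys; a descriptor whose `key` is an empty string, contains whitespace, or otherwise breaks the dot-separated convention documented in permissions.d.ts is accepted and, per the header comment, later synced to the DB, where a malformed key can no longer be matched by any enforcement point. Since the file's intent is that catalog mistakes fail at declaration time rather than as silent runtime grants, a cheap guard before the duplicate check fits, e.g. `if (typeof descriptor.key !== 'string' || descriptor.key.trim() !== descriptor.key || descriptor.key.length === 0) throw new Error(\`Ongeldige permissie-sleutel in catalogus: "${descriptor.key}"\`);`; if the shared `permissionKeySchema` from schemas.js is meant to be the single validator, a comment saying the sync step applies it would make that explicit. The returned array and `AUTHZ_PERMISSIONS` are mutable at runtime although the declared type is `readonly`; `Object.freeze` on both would give the same protection at runtime that the types give at compile time.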
@@ -0,0 +1 @@
1
+ {"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../contract/permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAYH;;;GAGG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,cAAc,CAAC;AAE3C;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,EAAE,GAAG,EAAE,YAAY,EAAE,WAAW,EAAE,+CAA+C,EAAE;CAC/C,CAAC;AAEvC;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,GAAG,QAA6B;IAC3D,MAAM,KAAK,GAAG,IAAI,GAAG,EAAgC,CAAC;IACtD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,KAAK,MAAM,UAAU,IAAI,OAAO,EAAE,CAAC;YACjC,IAAI,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC9B,MAAM,IAAI,KAAK,CAAC,4CAA4C,UAAU,CAAC,GAAG,GAAG,CAAC,CAAC;YACjF,CAAC;YACD,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;AAC7B,CAAC"}
@@ -0,0 +1,288 @@
1
+ import { z } from 'zod';
2
+ /**
3
+ * US-Z0101 — DTO-schema's (de seam). Eén set Zod-schema's waaruit de backend valideert én de frontend
4
+ * zijn getypte client afleidt (`z.infer`). Rol-/permissie-namen zijn data; de vorm + minimale
5
+ * invarianten staan hier. Geen policy-logica — die zit in de `access-control`-kit.
6
+ */
7
+ /** Puntgescheiden sleutel-conventie (`authz.manage`, `article.write`), geen spaties. */
8
+ export declare const permissionKeySchema: z.ZodString;
9
+ /** Rol-sleutel: kleine letters/cijfers + scheidingstekens (`admin`, `content-editor`). */
10
+ export declare const roleKeySchema: z.ZodString;
11
+ export declare const subjectIdSchema: z.ZodString;
12
+ export declare const roleIdSchema: z.ZodString;
13
+ export declare const roleSchema: z.ZodObject<{
14
+ id: z.ZodString;
15
+ key: z.ZodString;
16
+ name: z.ZodString;
17
+ permissions: z.ZodArray<z.ZodString, "many">;
18
+ /** Rol-hiërarchie: de bovenliggende rol waarvan deze rol de permissies erft; `null` = geen ouder. */
19
+ parentRoleId: z.ZodNullable<z.ZodString>;
20
+ }, "strip", z.ZodTypeAny, {
21
+ id: string;
22
+ key: string;
23
+ name: string;
24
+ permissions: string[];
25
+ parentRoleId: string | null;
26
+ }, {
27
+ id: string;
28
+ key: string;
29
+ name: string;
30
+ permissions: string[];
31
+ parentRoleId: string | null;
32
+ }>;
33
+ export declare const roleListResponseSchema: z.ZodObject<{
34
+ roles: z.ZodArray<z.ZodObject<{
35
+ id: z.ZodString;
36
+ key: z.ZodString;
37
+ name: z.ZodString;
38
+ permissions: z.ZodArray<z.ZodString, "many">;
39
+ /** Rol-hiërarchie: de bovenliggende rol waarvan deze rol de permissies erft; `null` = geen ouder. */
40
+ parentRoleId: z.ZodNullable<z.ZodString>;
41
+ }, "strip", z.ZodTypeAny, {
42
+ id: string;
43
+ key: string;
44
+ name: string;
45
+ permissions: string[];
46
+ parentRoleId: string | null;
47
+ }, {
48
+ id: string;
49
+ key: string;
50
+ name: string;
51
+ permissions: string[];
52
+ parentRoleId: string | null;
53
+ }>, "many">;
54
+ }, "strip", z.ZodTypeAny, {
55
+ roles: {
56
+ id: string;
57
+ key: string;
58
+ name: string;
59
+ permissions: string[];
60
+ parentRoleId: string | null;
61
+ }[];
62
+ }, {
63
+ roles: {
64
+ id: string;
65
+ key: string;
66
+ name: string;
67
+ permissions: string[];
68
+ parentRoleId: string | null;
69
+ }[];
70
+ }>;
71
+ export declare const createRoleRequestSchema: z.ZodObject<{
72
+ key: z.ZodString;
73
+ name: z.ZodString;
74
+ permissions: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
75
+ parentRoleId: z.ZodDefault<z.ZodNullable<z.ZodString>>;
76
+ }, "strip", z.ZodTypeAny, {
77
+ key: string;
78
+ name: string;
79
+ permissions: string[];
80
+ parentRoleId: string | null;
81
+ }, {
82
+ key: string;
83
+ name: string;
84
+ permissions?: string[] | undefined;
85
+ parentRoleId?: string | null | undefined;
86
+ }>;
87
+ /** Alle velden optioneel: een PATCH die alleen de aangeleverde velden wijzigt. */
88
+ export declare const updateRoleRequestSchema: z.ZodObject<{
89
+ name: z.ZodOptional<z.ZodString>;
90
+ permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
91
+ parentRoleId: z.ZodOptional<z.ZodNullable<z.ZodString>>;
92
+ }, "strip", z.ZodTypeAny, {
93
+ name?: string | undefined;
94
+ permissions?: string[] | undefined;
95
+ parentRoleId?: string | null | undefined;
96
+ }, {
97
+ name?: string | undefined;
98
+ permissions?: string[] | undefined;
99
+ parentRoleId?: string | null | undefined;
100
+ }>;
101
+ export declare const permissionSchema: z.ZodObject<{
102
+ key: z.ZodString;
103
+ description: z.ZodString;
104
+ }, "strip", z.ZodTypeAny, {
105
+ key: string;
106
+ description: string;
107
+ }, {
108
+ key: string;
109
+ description: string;
110
+ }>;
111
+ export declare const permissionListResponseSchema: z.ZodObject<{
112
+ permissions: z.ZodArray<z.ZodObject<{
113
+ key: z.ZodString;
114
+ description: z.ZodString;
115
+ }, "strip", z.ZodTypeAny, {
116
+ key: string;
117
+ description: string;
118
+ }, {
119
+ key: string;
120
+ description: string;
121
+ }>, "many">;
122
+ }, "strip", z.ZodTypeAny, {
123
+ permissions: {
124
+ key: string;
125
+ description: string;
126
+ }[];
127
+ }, {
128
+ permissions: {
129
+ key: string;
130
+ description: string;
131
+ }[];
132
+ }>;
133
+ export declare const assignmentRequestSchema: z.ZodObject<{
134
+ subjectId: z.ZodString;
135
+ roleId: z.ZodString;
136
+ }, "strip", z.ZodTypeAny, {
137
+ subjectId: string;
138
+ roleId: string;
139
+ }, {
140
+ subjectId: string;
141
+ roleId: string;
142
+ }>;
143
+ export declare const subjectRolesResponseSchema: z.ZodObject<{
144
+ subjectId: z.ZodString;
145
+ roles: z.ZodArray<z.ZodObject<{
146
+ id: z.ZodString;
147
+ key: z.ZodString;
148
+ name: z.ZodString;
149
+ permissions: z.ZodArray<z.ZodString, "many">;
150
+ /** Rol-hiërarchie: de bovenliggende rol waarvan deze rol de permissies erft; `null` = geen ouder. */
151
+ parentRoleId: z.ZodNullable<z.ZodString>;
152
+ }, "strip", z.ZodTypeAny, {
153
+ id: string;
154
+ key: string;
155
+ name: string;
156
+ permissions: string[];
157
+ parentRoleId: string | null;
158
+ }, {
159
+ id: string;
160
+ key: string;
161
+ name: string;
162
+ permissions: string[];
163
+ parentRoleId: string | null;
164
+ }>, "many">;
165
+ }, "strip", z.ZodTypeAny, {
166
+ roles: {
167
+ id: string;
168
+ key: string;
169
+ name: string;
170
+ permissions: string[];
171
+ parentRoleId: string | null;
172
+ }[];
173
+ subjectId: string;
174
+ }, {
175
+ roles: {
176
+ id: string;
177
+ key: string;
178
+ name: string;
179
+ permissions: string[];
180
+ parentRoleId: string | null;
181
+ }[];
182
+ subjectId: string;
183
+ }>;
184
+ export declare const mePermissionsResponseSchema: z.ZodObject<{
185
+ subjectId: z.ZodString;
186
+ roles: z.ZodArray<z.ZodString, "many">;
187
+ permissions: z.ZodArray<z.ZodString, "many">;
188
+ }, "strip", z.ZodTypeAny, {
189
+ permissions: string[];
190
+ roles: string[];
191
+ subjectId: string;
192
+ }, {
193
+ permissions: string[];
194
+ roles: string[];
195
+ subjectId: string;
196
+ }>;
197
+ export declare const checkRequestSchema: z.ZodEffects<z.ZodObject<{
198
+ /** RBAC-vorm: heeft het huidige subject deze permissie? */
199
+ permission: z.ZodOptional<z.ZodString>;
200
+ /** PDP-vorm: is deze action toegestaan (evt. tegen een resource, voor ReBAC/ownership)? */
201
+ action: z.ZodOptional<z.ZodString>;
202
+ resource: z.ZodOptional<z.ZodObject<{
203
+ id: z.ZodString;
204
+ type: z.ZodOptional<z.ZodString>;
205
+ }, "strip", z.ZodTypeAny, {
206
+ id: string;
207
+ type?: string | undefined;
208
+ }, {
209
+ id: string;
210
+ type?: string | undefined;
211
+ }>>;
212
+ }, "strip", z.ZodTypeAny, {
213
+ permission?: string | undefined;
214
+ action?: string | undefined;
215
+ resource?: {
216
+ id: string;
217
+ type?: string | undefined;
218
+ } | undefined;
219
+ }, {
220
+ permission?: string | undefined;
221
+ action?: string | undefined;
222
+ resource?: {
223
+ id: string;
224
+ type?: string | undefined;
225
+ } | undefined;
226
+ }>, {
227
+ permission?: string | undefined;
228
+ action?: string | undefined;
229
+ resource?: {
230
+ id: string;
231
+ type?: string | undefined;
232
+ } | undefined;
233
+ }, {
234
+ permission?: string | undefined;
235
+ action?: string | undefined;
236
+ resource?: {
237
+ id: string;
238
+ type?: string | undefined;
239
+ } | undefined;
240
+ }>;
241
+ export declare const checkResponseSchema: z.ZodObject<{
242
+ allowed: z.ZodBoolean;
243
+ /** Veilige, niet-lekkende reden (geen policy-interne details). */
244
+ reason: z.ZodString;
245
+ }, "strip", z.ZodTypeAny, {
246
+ allowed: boolean;
247
+ reason: string;
248
+ }, {
249
+ allowed: boolean;
250
+ reason: string;
251
+ }>;
252
+ export declare const relationRequestSchema: z.ZodObject<{
253
+ subjectId: z.ZodString;
254
+ relation: z.ZodString;
255
+ objectType: z.ZodString;
256
+ objectId: z.ZodString;
257
+ }, "strip", z.ZodTypeAny, {
258
+ subjectId: string;
259
+ relation: string;
260
+ objectType: string;
261
+ objectId: string;
262
+ }, {
263
+ subjectId: string;
264
+ relation: string;
265
+ objectType: string;
266
+ objectId: string;
267
+ }>;
268
+ export declare const acknowledgementSchema: z.ZodObject<{
269
+ ok: z.ZodLiteral<true>;
270
+ }, "strip", z.ZodTypeAny, {
271
+ ok: true;
272
+ }, {
273
+ ok: true;
274
+ }>;
275
+ export type Role = z.infer<typeof roleSchema>;
276
+ export type RoleListResponse = z.infer<typeof roleListResponseSchema>;
277
+ export type CreateRoleRequest = z.infer<typeof createRoleRequestSchema>;
278
+ export type UpdateRoleRequest = z.infer<typeof updateRoleRequestSchema>;
279
+ export type Permission = z.infer<typeof permissionSchema>;
280
+ export type PermissionListResponse = z.infer<typeof permissionListResponseSchema>;
281
+ export type AssignmentRequest = z.infer<typeof assignmentRequestSchema>;
282
+ export type SubjectRolesResponse = z.infer<typeof subjectRolesResponseSchema>;
283
+ export type MePermissionsResponse = z.infer<typeof mePermissionsResponseSchema>;
284
+ export type CheckRequest = z.infer<typeof checkRequestSchema>;
285
+ export type CheckResponse = z.infer<typeof checkResponseSchema>;
286
+ export type RelationRequest = z.infer<typeof relationRequestSchema>;
287
+ export type Acknowledgement = z.infer<typeof acknowledgementSchema>;
288
+ //# sourceMappingURL=schemas.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../contract/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;GAIG;AAGH,wFAAwF;AACxF,eAAO,MAAM,mBAAmB,aAIyC,CAAC;AAC1E,0FAA0F;AAC1F,eAAO,MAAM,aAAa,aAIwC,CAAC;AACnE,eAAO,MAAM,eAAe,aAAoB,CAAC;AACjD,eAAO,MAAM,YAAY,aAAoB,CAAC;AAG9C,eAAO,MAAM,UAAU;;;;;IAKrB,qGAAqG;;;;;;;;;;;;;;EAErG,CAAC;AACH,eAAO,MAAM,sBAAsB;;;;;;QAHjC,qGAAqG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAGzB,CAAC;AAE/E,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;EAKlC,CAAC;AACH,kFAAkF;AAClF,eAAO,MAAM,uBAAuB;;;;;;;;;;;;EAIlC,CAAC;AAGH,eAAO,MAAM,gBAAgB;;;;;;;;;EAG3B,CAAC;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;EAAuD,CAAC;AAGjG,eAAO,MAAM,uBAAuB;;;;;;;;;EAGlC,CAAC;AACH,eAAO,MAAM,0BAA0B;;;;;;;QA9BrC,qGAAqG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiCrG,CAAC;AAGH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;EAItC,CAAC;AAGH,eAAO,MAAM,kBAAkB;IAE3B,2DAA2D;;IAE3D,2FAA2F;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAM3F,CAAC;AACL,eAAO,MAAM,mBAAmB;;IAE9B,kEAAkE;;;;;;;;EAElE,CAAC;AAGH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;EAKhC,CAAC;AAGH,eAAO,MAAM,qBAAqB;;;;;;EAAoC,CAAC;AAGvE,MAAM,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAC9C,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AACxE,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AACxE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAClF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AACxE,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAC9E,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAChF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAChE,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACpE,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC"}