@siremzam/sentinel 0.3.0 → 0.3.2

package/dist/index.js

@@ -1,7 +1,839 @@
-export { AccessEngine } from "./engine.js";
-export { RuleBuilder, allow, deny, createPolicyFactory } from "./policy-builder.js";
-export { RoleHierarchy } from "./role-hierarchy.js";
-export { ConditionRegistry, exportRules, exportRulesToJson, importRules, importRulesFromJson, } from "./serialization.js";
-export { createAuthServer } from "./server.js";
-export { toAuditEntry } from "./types.js";
+// src/policy-builder.ts
+var ruleCounter = 0;
+function nextRuleId(prefix) {
+  return `${prefix}-${++ruleCounter}`;
+}
+var RuleBuilder = class {
+  _effect;
+  _roles = "*";
+  _actions = "*";
+  _resources = "*";
+  _conditions = [];
+  _priority = 0;
+  _description;
+  _id;
+  constructor(effect) {
+    this._effect = effect;
+    this._id = nextRuleId(effect);
+  }
+  id(id) {
+    this._id = id;
+    return this;
+  }
+  roles(...roles) {
+    this._roles = roles;
+    return this;
+  }
+  anyRole() {
+    this._roles = "*";
+    return this;
+  }
+  actions(...actions) {
+    this._actions = actions;
+    return this;
+  }
+  anyAction() {
+    this._actions = "*";
+    return this;
+  }
+  on(...resources) {
+    this._resources = resources;
+    return this;
+  }
+  anyResource() {
+    this._resources = "*";
+    return this;
+  }
+  when(condition) {
+    this._conditions.push(condition);
+    return this;
+  }
+  priority(p) {
+    this._priority = p;
+    return this;
+  }
+  describe(desc) {
+    this._description = desc;
+    return this;
+  }
+  build() {
+    return {
+      id: this._id,
+      effect: this._effect,
+      roles: this._roles,
+      actions: this._actions,
+      resources: this._resources,
+      conditions: this._conditions.length > 0 ? this._conditions : void 0,
+      priority: this._priority,
+      description: this._description
+    };
+  }
+};
+function allow() {
+  return new RuleBuilder("allow");
+}
+function deny() {
+  return new RuleBuilder("deny");
+}
+function createPolicyFactory() {
+  return {
+    allow: () => new RuleBuilder("allow"),
+    deny: () => new RuleBuilder("deny")
+  };
+}
+
+// src/engine.ts
+function escapeRegexMeta(s) {
+  return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
+}
+function compileActionPatterns(actions) {
+  if (actions === "*") return null;
+  const patterns = [];
+  for (const action of actions) {
+    if (action.includes("*")) {
+      const escaped = escapeRegexMeta(action).replace(/\*/g, "[^:]*");
+      patterns.push(new RegExp("^" + escaped + "$"));
+    }
+  }
+  return patterns.length > 0 ? patterns : null;
+}
+var AccessEngine = class {
+  compiled = [];
+  listeners = [];
+  asyncConditions;
+  _defaultDeny;
+  _strictTenancy;
+  hierarchy;
+  cache;
+  conditionErrorHandler;
+  constructor(options) {
+    this.asyncConditions = options.asyncConditions ?? false;
+    this._defaultDeny = (options.defaultEffect ?? "deny") === "deny";
+    this._strictTenancy = options.strictTenancy ?? false;
+    this.hierarchy = options.roleHierarchy;
+    this.conditionErrorHandler = options.onConditionError;
+    if (options.cacheSize && options.cacheSize > 0) {
+      this.cache = new LRUCache(options.cacheSize);
+    }
+    if (options.onDecision) {
+      this.listeners.push(options.onDecision);
+    }
+  }
+  // -----------------------------------------------------------------------
+  // Rule management
+  // -----------------------------------------------------------------------
+  addRule(rule) {
+    const frozen = Object.freeze({ ...rule });
+    this.compiled.push({
+      rule: frozen,
+      actionPatterns: compileActionPatterns(frozen.actions)
+    });
+    this.cache?.clear();
+    return this;
+  }
+  addRules(...rules) {
+    for (const rule of rules) {
+      const frozen = Object.freeze({ ...rule });
+      this.compiled.push({
+        rule: frozen,
+        actionPatterns: compileActionPatterns(frozen.actions)
+      });
+    }
+    this.cache?.clear();
+    return this;
+  }
+  removeRule(ruleId) {
+    const idx = this.compiled.findIndex((c) => c.rule.id === ruleId);
+    if (idx === -1) return false;
+    this.compiled.splice(idx, 1);
+    this.cache?.clear();
+    return true;
+  }
+  getRules() {
+    return this.compiled.map((c) => c.rule);
+  }
+  clearRules() {
+    this.compiled = [];
+    this.cache?.clear();
+  }
+  // -----------------------------------------------------------------------
+  // Cache control
+  // -----------------------------------------------------------------------
+  clearCache() {
+    this.cache?.clear();
+  }
+  get cacheStats() {
+    if (!this.cache) return null;
+    return { size: this.cache.size, maxSize: this.cache.maxSize };
+  }
+  // -----------------------------------------------------------------------
+  // Fluent rule builders bound to this engine's schema
+  // -----------------------------------------------------------------------
+  allow() {
+    return allow();
+  }
+  deny() {
+    return deny();
+  }
+  // -----------------------------------------------------------------------
+  // Observability
+  // -----------------------------------------------------------------------
+  onDecision(listener) {
+    this.listeners.push(listener);
+    return () => {
+      const idx = this.listeners.indexOf(listener);
+      if (idx !== -1) this.listeners.splice(idx, 1);
+    };
+  }
+  emit(decision) {
+    for (const listener of this.listeners) {
+      try {
+        const result = listener(decision);
+        if (result instanceof Promise) {
+          result.catch(() => {
+          });
+        }
+      } catch {
+      }
+    }
+  }
+  // -----------------------------------------------------------------------
+  // Evaluation
+  // -----------------------------------------------------------------------
+  evaluate(subject, action, resource, resourceContext = {}, tenantId) {
+    if (this.asyncConditions) {
+      throw new Error(
+        "Engine has asyncConditions enabled. Use evaluateAsync() instead."
+      );
+    }
+    this.validateInput(subject, action, resource);
+    this.enforceTenancy(subject, tenantId);
+    const cacheKey = this.cache ? buildCacheKey(subject.id, action, resource, tenantId) : void 0;
+    if (cacheKey) {
+      const cached = this.cache.get(cacheKey);
+      if (cached) {
+        this.emit(cached);
+        return cached;
+      }
+    }
+    const start = performance.now();
+    const ctx = this.buildContext(subject, action, resource, resourceContext, tenantId);
+    const candidates = this.matchRules(subject, action, resource, tenantId);
+    let matched = null;
+    let matchedHasConditions = false;
+    for (const compiled of candidates) {
+      const { rule } = compiled;
+      if (!rule.conditions || rule.conditions.length === 0) {
+        matched = compiled;
+        matchedHasConditions = false;
+        break;
+      }
+      const allMet = this.evaluateConditionsSync(rule, ctx);
+      if (allMet) {
+        matched = compiled;
+        matchedHasConditions = true;
+        break;
+      }
+    }
+    const decision = this.buildDecision(matched?.rule ?? null, ctx, start);
+    if (cacheKey && !matchedHasConditions) {
+      this.cache.set(cacheKey, decision);
+    }
+    this.emit(decision);
+    return decision;
+  }
+  async evaluateAsync(subject, action, resource, resourceContext = {}, tenantId) {
+    this.validateInput(subject, action, resource);
+    this.enforceTenancy(subject, tenantId);
+    const start = performance.now();
+    const ctx = this.buildContext(subject, action, resource, resourceContext, tenantId);
+    const candidates = this.matchRules(subject, action, resource, tenantId);
+    let matched = null;
+    for (const compiled of candidates) {
+      const { rule } = compiled;
+      if (!rule.conditions || rule.conditions.length === 0) {
+        matched = rule;
+        break;
+      }
+      const results = await Promise.all(
+        rule.conditions.map(
+          (c, i) => Promise.resolve().then(() => c(ctx)).catch((err) => {
+            this.emitConditionError(rule.id, i, err);
+            return false;
+          })
+        )
+      );
+      if (results.every(Boolean)) {
+        matched = rule;
+        break;
+      }
+    }
+    const decision = this.buildDecision(matched, ctx, start);
+    this.emit(decision);
+    return decision;
+  }
+  // -----------------------------------------------------------------------
+  // permitted() — list allowed actions on a resource for UI rendering
+  // -----------------------------------------------------------------------
+  permitted(subject, resource, actions, resourceContext = {}, tenantId) {
+    const allowed = /* @__PURE__ */ new Set();
+    for (const action of actions) {
+      const decision = this.asyncConditions ? (() => {
+        throw new Error("Use permittedAsync() with asyncConditions enabled.");
+      })() : this.evaluate(subject, action, resource, resourceContext, tenantId);
+      if (decision.allowed) {
+        allowed.add(action);
+      }
+    }
+    return allowed;
+  }
+  async permittedAsync(subject, resource, actions, resourceContext = {}, tenantId) {
+    const allowed = /* @__PURE__ */ new Set();
+    const results = await Promise.all(
+      actions.map(
+        (action) => this.evaluateAsync(subject, action, resource, resourceContext, tenantId)
+      )
+    );
+    for (let i = 0; i < actions.length; i++) {
+      if (results[i].allowed) {
+        allowed.add(actions[i]);
+      }
+    }
+    return allowed;
+  }
+  // -----------------------------------------------------------------------
+  // explain() — full evaluation trace for debugging
+  // -----------------------------------------------------------------------
+  explain(subject, action, resource, resourceContext = {}, tenantId) {
+    if (this.asyncConditions) {
+      throw new Error(
+        "Engine has asyncConditions enabled. Use explainAsync() instead."
+      );
+    }
+    this.enforceTenancy(subject, tenantId);
+    const start = performance.now();
+    const ctx = this.buildContext(subject, action, resource, resourceContext, tenantId);
+    const subjectRoles = this.resolveRoles(subject, tenantId);
+    const evaluatedRules = [];
+    let firstMatch = null;
+    const sorted = this.sortCandidates([...this.compiled]);
+    for (const compiled of sorted) {
+      const { rule } = compiled;
+      const roleMatched = rule.roles === "*" || rule.roles.some((r) => subjectRoles.has(r));
+      const actionMatched = rule.actions === "*" || this.matchesAction(compiled, action);
+      const resourceMatched = rule.resources === "*" || rule.resources.includes(resource);
+      const conditionResults = [];
+      let allConditionsPassed = true;
+      if (roleMatched && actionMatched && resourceMatched && rule.conditions) {
+        for (let i = 0; i < rule.conditions.length; i++) {
+          try {
+            const result = rule.conditions[i](ctx);
+            if (result !== true) {
+              conditionResults.push({ index: i, passed: false });
+              allConditionsPassed = false;
+            } else {
+              conditionResults.push({ index: i, passed: true });
+            }
+          } catch (err) {
+            conditionResults.push({
+              index: i,
+              passed: false,
+              error: err instanceof Error ? err.message : String(err)
+            });
+            allConditionsPassed = false;
+          }
+        }
+      }
+      const matched = roleMatched && actionMatched && resourceMatched && (!rule.conditions || rule.conditions.length === 0 || allConditionsPassed);
+      evaluatedRules.push({
+        rule,
+        roleMatched,
+        actionMatched,
+        resourceMatched,
+        conditionResults,
+        matched
+      });
+      if (matched && !firstMatch) {
+        firstMatch = rule;
+      }
+    }
+    const allowed = firstMatch != null ? firstMatch.effect === "allow" : !this._defaultDeny;
+    const effect = firstMatch?.effect ?? "default-deny";
+    const reason = firstMatch ? `Matched rule "${firstMatch.id}"${firstMatch.description ? `: ${firstMatch.description}` : ""}` : "No matching rule \u2014 default deny";
+    return {
+      allowed,
+      effect,
+      reason,
+      evaluatedRules,
+      durationMs: performance.now() - start
+    };
+  }
+  async explainAsync(subject, action, resource, resourceContext = {}, tenantId) {
+    this.enforceTenancy(subject, tenantId);
+    const start = performance.now();
+    const ctx = this.buildContext(subject, action, resource, resourceContext, tenantId);
+    const subjectRoles = this.resolveRoles(subject, tenantId);
+    const evaluatedRules = [];
+    let firstMatch = null;
+    const sorted = this.sortCandidates([...this.compiled]);
+    for (const compiled of sorted) {
+      const { rule } = compiled;
+      const roleMatched = rule.roles === "*" || rule.roles.some((r) => subjectRoles.has(r));
+      const actionMatched = rule.actions === "*" || this.matchesAction(compiled, action);
+      const resourceMatched = rule.resources === "*" || rule.resources.includes(resource);
+      const conditionResults = [];
+      let allConditionsPassed = true;
+      if (roleMatched && actionMatched && resourceMatched && rule.conditions) {
+        for (let i = 0; i < rule.conditions.length; i++) {
+          try {
+            const result = await rule.conditions[i](ctx);
+            if (result !== true) {
+              conditionResults.push({ index: i, passed: false });
+              allConditionsPassed = false;
+            } else {
+              conditionResults.push({ index: i, passed: true });
+            }
+          } catch (err) {
+            conditionResults.push({
+              index: i,
+              passed: false,
+              error: err instanceof Error ? err.message : String(err)
+            });
+            allConditionsPassed = false;
+          }
+        }
+      }
+      const matched = roleMatched && actionMatched && resourceMatched && (!rule.conditions || rule.conditions.length === 0 || allConditionsPassed);
+      evaluatedRules.push({
+        rule,
+        roleMatched,
+        actionMatched,
+        resourceMatched,
+        conditionResults,
+        matched
+      });
+      if (matched && !firstMatch) {
+        firstMatch = rule;
+      }
+    }
+    const allowed = firstMatch != null ? firstMatch.effect === "allow" : !this._defaultDeny;
+    const effect = firstMatch?.effect ?? "default-deny";
+    const reason = firstMatch ? `Matched rule "${firstMatch.id}"${firstMatch.description ? `: ${firstMatch.description}` : ""}` : "No matching rule \u2014 default deny";
+    return {
+      allowed,
+      effect,
+      reason,
+      evaluatedRules,
+      durationMs: performance.now() - start
+    };
+  }
+  // -----------------------------------------------------------------------
+  // Fluent check API: can(subject).perform(action).on(resource)
+  // -----------------------------------------------------------------------
+  can(subject) {
+    return new PerformStep(this, subject);
+  }
+  // -----------------------------------------------------------------------
+  // Internal helpers
+  // -----------------------------------------------------------------------
+  validateInput(subject, action, resource) {
+    if (!subject || typeof subject.id !== "string") {
+      throw new Error("subject must be an object with a string id");
+    }
+    if (!Array.isArray(subject.roles)) {
+      throw new Error("subject.roles must be an array");
+    }
+    if (!action || typeof action !== "string") {
+      throw new Error("action must be a non-empty string");
+    }
+    if (!resource || typeof resource !== "string") {
+      throw new Error("resource must be a non-empty string");
+    }
+  }
+  enforceTenancy(subject, tenantId) {
+    if (!this._strictTenancy || tenantId != null) return;
+    const hasTenantScoped = subject.roles.some((r) => r.tenantId != null);
+    if (hasTenantScoped) {
+      throw new Error(
+        "strictTenancy is enabled and subject has tenant-scoped roles, but no tenantId was provided to evaluate(). This could cause cross-tenant privilege escalation. Pass an explicit tenantId."
+      );
+    }
+  }
+  buildContext(subject, action, resource, resourceContext, tenantId) {
+    return { subject, action, resource, resourceContext, tenantId };
+  }
+  evaluateConditionsSync(rule, ctx) {
+    if (!rule.conditions) return true;
+    for (let i = 0; i < rule.conditions.length; i++) {
+      try {
+        if (rule.conditions[i](ctx) !== true) return false;
+      } catch (err) {
+        this.emitConditionError(rule.id, i, err);
+        return false;
+      }
+    }
+    return true;
+  }
+  emitConditionError(ruleId, conditionIndex, error) {
+    if (this.conditionErrorHandler) {
+      try {
+        this.conditionErrorHandler({ ruleId, conditionIndex, error });
+      } catch {
+      }
+    }
+  }
+  matchRules(subject, action, resource, tenantId) {
+    const subjectRoles = this.resolveRoles(subject, tenantId);
+    const matched = this.compiled.filter((compiled) => {
+      const { rule } = compiled;
+      if (rule.roles !== "*" && !rule.roles.some((r) => subjectRoles.has(r))) return false;
+      if (rule.actions !== "*" && !this.matchesAction(compiled, action)) return false;
+      if (rule.resources !== "*" && !rule.resources.includes(resource)) return false;
+      return true;
+    });
+    return this.sortCandidates(matched);
+  }
+  sortCandidates(candidates) {
+    return candidates.sort((a, b) => {
+      const pa = a.rule.priority ?? 0;
+      const pb = b.rule.priority ?? 0;
+      if (pb !== pa) return pb - pa;
+      if (a.rule.effect === "deny" && b.rule.effect === "allow") return -1;
+      if (a.rule.effect === "allow" && b.rule.effect === "deny") return 1;
+      return 0;
+    });
+  }
+  matchesAction(compiled, action) {
+    const { rule, actionPatterns } = compiled;
+    if (rule.actions === "*") return true;
+    const actionStr = action;
+    if (rule.actions.includes(actionStr)) return true;
+    if (actionPatterns) {
+      for (const pattern of actionPatterns) {
+        if (pattern.test(actionStr)) return true;
+      }
+    }
+    return false;
+  }
+  resolveRoles(subject, tenantId) {
+    const directRoles = /* @__PURE__ */ new Set();
+    for (const assignment of subject.roles) {
+      if (tenantId == null || assignment.tenantId == null || assignment.tenantId === tenantId) {
+        directRoles.add(assignment.role);
+      }
+    }
+    if (!this.hierarchy) return directRoles;
+    const expanded = /* @__PURE__ */ new Set();
+    for (const role of directRoles) {
+      for (const r of this.hierarchy.resolve(role)) {
+        expanded.add(r);
+      }
+    }
+    return expanded;
+  }
+  buildDecision(matched, ctx, start) {
+    const allowed = matched != null ? matched.effect === "allow" : !this._defaultDeny;
+    const effect = matched?.effect ?? "default-deny";
+    const reason = matched ? `Matched rule "${matched.id}"${matched.description ? `: ${matched.description}` : ""}` : "No matching rule \u2014 default deny";
+    return {
+      allowed,
+      effect,
+      matchedRule: matched,
+      subject: ctx.subject,
+      action: ctx.action,
+      resource: ctx.resource,
+      resourceContext: ctx.resourceContext,
+      tenantId: ctx.tenantId,
+      timestamp: Date.now(),
+      durationMs: performance.now() - start,
+      reason
+    };
+  }
+};
+var PerformStep = class {
+  constructor(engine, subject) {
+    this.engine = engine;
+    this.subject = subject;
+  }
+  perform(action) {
+    return new OnStep(this.engine, this.subject, action);
+  }
+};
+var OnStep = class {
+  constructor(engine, subject, action) {
+    this.engine = engine;
+    this.subject = subject;
+    this.action = action;
+  }
+  on(resource, resourceContext = {}, tenantId) {
+    return this.engine.evaluate(
+      this.subject,
+      this.action,
+      resource,
+      resourceContext,
+      tenantId
+    );
+  }
+  async onAsync(resource, resourceContext = {}, tenantId) {
+    return this.engine.evaluateAsync(
+      this.subject,
+      this.action,
+      resource,
+      resourceContext,
+      tenantId
+    );
+  }
+};
+function buildCacheKey(subjectId, action, resource, tenantId) {
+  return `${subjectId.length}:${subjectId}\0${action}\0${resource}\0${tenantId ?? ""}`;
+}
+var LRUCache = class {
+  map = /* @__PURE__ */ new Map();
+  maxSize;
+  constructor(maxSize) {
+    this.maxSize = maxSize;
+  }
+  get size() {
+    return this.map.size;
+  }
+  get(key) {
+    const value = this.map.get(key);
+    if (value !== void 0) {
+      this.map.delete(key);
+      this.map.set(key, value);
+    }
+    return value;
+  }
+  set(key, value) {
+    if (this.map.has(key)) {
+      this.map.delete(key);
+    } else if (this.map.size >= this.maxSize) {
+      const oldest = this.map.keys().next().value;
+      if (oldest !== void 0) this.map.delete(oldest);
+    }
+    this.map.set(key, value);
+  }
+  clear() {
+    this.map.clear();
+  }
+};
+
+// src/role-hierarchy.ts
+var RoleHierarchy = class {
+  parents = /* @__PURE__ */ new Map();
+  cache = /* @__PURE__ */ new Map();
+  /**
+   * Define that `role` inherits permissions from `inheritsFrom` roles.
+   * Clears the resolution cache.
+   */
+  define(role, inheritsFrom) {
+    this.parents.set(role, inheritsFrom);
+    this.cache.clear();
+    this.detectCycle(role, /* @__PURE__ */ new Set());
+    return this;
+  }
+  /**
+   * Resolve the full set of roles a given role expands to,
+   * including all inherited roles (transitive).
+   */
+  resolve(role) {
+    const roleStr = role;
+    const cached = this.cache.get(roleStr);
+    if (cached) return cached;
+    const result = /* @__PURE__ */ new Set();
+    this.walk(roleStr, result);
+    this.cache.set(roleStr, result);
+    return result;
+  }
+  /**
+   * Resolve multiple roles at once, returning the merged set.
+   */
+  resolveAll(roles) {
+    const result = /* @__PURE__ */ new Set();
+    for (const role of roles) {
+      for (const r of this.resolve(role)) {
+        result.add(r);
+      }
+    }
+    return result;
+  }
+  /**
+   * Get all defined roles that have inheritance rules.
+   */
+  definedRoles() {
+    return [...this.parents.keys()];
+  }
+  walk(role, visited) {
+    if (visited.has(role)) return;
+    visited.add(role);
+    const parents = this.parents.get(role);
+    if (parents) {
+      for (const parent of parents) {
+        this.walk(parent, visited);
+      }
+    }
+  }
+  detectCycle(role, visiting) {
+    if (visiting.has(role)) {
+      throw new Error(
+        `Cycle detected in role hierarchy: ${[...visiting, role].join(" \u2192 ")}`
+      );
+    }
+    visiting.add(role);
+    const parents = this.parents.get(role);
+    if (parents) {
+      for (const parent of parents) {
+        this.detectCycle(parent, visiting);
+      }
+    }
+    visiting.delete(role);
+  }
+};
+
+// src/serialization.ts
+var ConditionRegistry = class {
+  conditions = /* @__PURE__ */ new Map();
+  register(name, condition) {
+    if (!name || typeof name !== "string") {
+      throw new Error("Condition name must be a non-empty string");
+    }
+    if (typeof condition !== "function") {
+      throw new Error(`Condition "${name}" must be a function`);
+    }
+    this.conditions.set(name, condition);
+    return this;
+  }
+  get(name) {
+    return this.conditions.get(name);
+  }
+  has(name) {
+    return this.conditions.has(name);
+  }
+  names() {
+    return [...this.conditions.keys()];
+  }
+};
+function exportRules(rules, conditionNames) {
+  const jsonRules = rules.map((rule) => {
+    const jr = {
+      id: rule.id,
+      effect: rule.effect,
+      roles: rule.roles,
+      actions: rule.actions,
+      resources: rule.resources,
+      priority: rule.priority,
+      description: rule.description
+    };
+    if (rule.conditions && conditionNames) {
+      const names = [];
+      for (const cond of rule.conditions) {
+        const name = conditionNames.get(cond);
+        if (name) names.push(name);
+      }
+      if (names.length > 0) jr.conditions = names;
+    }
+    return jr;
+  });
+  return { version: 1, rules: jsonRules };
+}
+function exportRulesToJson(rules, conditionNames) {
+  return JSON.stringify(exportRules(rules, conditionNames), null, 2);
+}
+function importRules(doc, registry) {
+  if (!doc || typeof doc !== "object") {
+    throw new Error("Policy document must be a non-null object");
+  }
+  if (doc.version !== 1) {
+    throw new Error(`Unsupported policy document version: ${doc.version}`);
+  }
+  if (!Array.isArray(doc.rules)) {
+    throw new Error("Policy document must have a 'rules' array");
+  }
+  return doc.rules.map((jr, index) => {
+    if (!jr || typeof jr !== "object") {
+      throw new Error(`Rule at index ${index} must be a non-null object`);
+    }
+    if (!jr.id || typeof jr.id !== "string") {
+      throw new Error(`Rule at index ${index} is missing a valid "id" field.`);
+    }
+    if (jr.effect !== "allow" && jr.effect !== "deny") {
+      throw new Error(
+        `Invalid effect "${jr.effect}" in rule "${jr.id}". Must be "allow" or "deny".`
+      );
+    }
+    if (jr.roles !== "*" && !Array.isArray(jr.roles)) {
+      throw new Error(`Rule "${jr.id}": roles must be "*" or an array of strings`);
+    }
+    if (jr.actions !== "*" && !Array.isArray(jr.actions)) {
+      throw new Error(`Rule "${jr.id}": actions must be "*" or an array of strings`);
+    }
+    if (jr.resources !== "*" && !Array.isArray(jr.resources)) {
+      throw new Error(`Rule "${jr.id}": resources must be "*" or an array of strings`);
+    }
+    const conditions = [];
+    if (jr.conditions && registry) {
+      for (const name of jr.conditions) {
+        const cond = registry.get(name);
+        if (!cond) {
+          throw new Error(
+            `Unknown condition "${name}" in rule "${jr.id}". Registered conditions: ${registry.names().join(", ") || "(none)"}`
+          );
+        }
+        conditions.push(cond);
+      }
+    }
+    return {
+      id: jr.id,
+      effect: jr.effect,
+      roles: jr.roles,
+      actions: jr.actions,
+      resources: jr.resources,
+      conditions: conditions.length > 0 ? conditions : void 0,
+      priority: jr.priority,
+      description: jr.description
+    };
+  });
+}
+function importRulesFromJson(json, registry) {
+  let doc;
+  try {
+    doc = JSON.parse(json);
+  } catch (err) {
+    throw new Error(
+      `Failed to parse policy JSON: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  return importRules(doc, registry);
+}
+
+// src/types.ts
+function toAuditEntry(decision) {
+  return {
+    allowed: decision.allowed,
+    effect: decision.effect,
+    matchedRuleId: decision.matchedRule?.id ?? null,
+    matchedRuleDescription: decision.matchedRule?.description ?? null,
+    subjectId: decision.subject.id,
+    action: decision.action,
+    resource: decision.resource,
+    tenantId: decision.tenantId,
+    timestamp: decision.timestamp,
+    durationMs: decision.durationMs,
+    reason: decision.reason
+  };
+}
+export {
+  AccessEngine,
+  ConditionRegistry,
+  RoleHierarchy,
+  RuleBuilder,
+  allow,
+  createPolicyFactory,
+  deny,
+  exportRules,
+  exportRulesToJson,
+  importRules,
+  importRulesFromJson,
+  toAuditEntry
+};
 //# sourceMappingURL=index.js.map