@siremzam/sentinel 0.3.0

package/dist/role-hierarchy.js

@@ -0,0 +1,87 @@
+/**
+ * Defines a role inheritance hierarchy.
+ *
+ * When a role inherits from another, it gains all permissions of its parent roles.
+ * Cycles are detected and rejected at definition time.
+ *
+ * ```ts
+ * const hierarchy = new RoleHierarchy<MySchema>()
+ *   .define("admin", ["manager", "viewer"])
+ *   .define("manager", ["member"])
+ *   .define("member", ["viewer"]);
+ *
+ * hierarchy.resolve("admin");
+ * // Set { "admin", "manager", "member", "viewer" }
+ * ```
+ */
+export class RoleHierarchy {
+    parents = new Map();
+    cache = new Map();
+    /**
+     * Define that `role` inherits permissions from `inheritsFrom` roles.
+     * Clears the resolution cache.
+     */
+    define(role, inheritsFrom) {
+        this.parents.set(role, inheritsFrom);
+        this.cache.clear();
+        this.detectCycle(role, new Set());
+        return this;
+    }
+    /**
+     * Resolve the full set of roles a given role expands to,
+     * including all inherited roles (transitive).
+     */
+    resolve(role) {
+        const roleStr = role;
+        const cached = this.cache.get(roleStr);
+        if (cached)
+            return cached;
+        const result = new Set();
+        this.walk(roleStr, result);
+        this.cache.set(roleStr, result);
+        return result;
+    }
+    /**
+     * Resolve multiple roles at once, returning the merged set.
+     */
+    resolveAll(roles) {
+        const result = new Set();
+        for (const role of roles) {
+            for (const r of this.resolve(role)) {
+                result.add(r);
+            }
+        }
+        return result;
+    }
+    /**
+     * Get all defined roles that have inheritance rules.
+     */
+    definedRoles() {
+        return [...this.parents.keys()];
+    }
+    walk(role, visited) {
+        if (visited.has(role))
+            return;
+        visited.add(role);
+        const parents = this.parents.get(role);
+        if (parents) {
+            for (const parent of parents) {
+                this.walk(parent, visited);
+            }
+        }
+    }
+    detectCycle(role, visiting) {
+        if (visiting.has(role)) {
+            throw new Error(`Cycle detected in role hierarchy: ${[...visiting, role].join(" → ")}`);
+        }
+        visiting.add(role);
+        const parents = this.parents.get(role);
+        if (parents) {
+            for (const parent of parents) {
+                this.detectCycle(parent, visiting);
+            }
+        }
+        visiting.delete(role);
+    }
+}
+//# sourceMappingURL=role-hierarchy.js.map

package/dist/role-hierarchy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-hierarchy.js","sourceRoot":"","sources":["../src/role-hierarchy.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,OAAO,aAAa;IAChB,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IACtC,KAAK,GAAG,IAAI,GAAG,EAAuB,CAAC;IAE/C;;;OAGG;IACH,MAAM,CAAC,IAAkB,EAAE,YAA4B;QACrD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,YAAwB,CAAC,CAAC;QACjD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,WAAW,CAAC,IAAc,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,IAAkB;QACxB,MAAM,OAAO,GAAG,IAAc,CAAC;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAChC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,KAA6B;QACtC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,YAAY;QACV,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAClC,CAAC;IAEO,IAAI,CAAC,IAAY,EAAE,OAAoB;QAC7C,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO;QAC9B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IAEO,WAAW,CAAC,IAAY,EAAE,QAAqB;QACrD,IAAI,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CACb,qCAAqC,CAAC,GAAG,QAAQ,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CACvE,CAAC;QACJ,CAAC;QACD,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QACD,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;CACF"}

package/dist/serialization.d.ts

@@ -0,0 +1,52 @@
+import type { SchemaDefinition, PolicyRule, PolicyEffect, Condition } from "./types.js";
+export interface JsonPolicyRule {
+    id: string;
+    effect: PolicyEffect;
+    roles: string[] | "*";
+    actions: string[] | "*";
+    resources: string[] | "*";
+    conditions?: string[];
+    priority?: number;
+    description?: string;
+}
+export interface JsonPolicyDocument {
+    version: 1;
+    rules: JsonPolicyRule[];
+}
+/**
+ * A registry that maps condition names to condition functions.
+ * This allows JSON policies to reference conditions by name
+ * while keeping the actual logic in code.
+ *
+ * ```ts
+ * const conditions = new ConditionRegistry<MySchema>();
+ * conditions.register("isOwner", ctx => ctx.subject.id === ctx.resourceContext.ownerId);
+ * conditions.register("isActive", ctx => ctx.resourceContext.status === "active");
+ * ```
+ */
+export declare class ConditionRegistry<S extends SchemaDefinition> {
+    private conditions;
+    register(name: string, condition: Condition<S>): this;
+    get(name: string): Condition<S> | undefined;
+    has(name: string): boolean;
+    names(): string[];
+}
+/**
+ * Serialize rules to a JSON-safe document.
+ * Conditions are stripped unless a reverse lookup map is provided.
+ */
+export declare function exportRules<S extends SchemaDefinition>(rules: ReadonlyArray<PolicyRule<S>>, conditionNames?: Map<Condition<S>, string>): JsonPolicyDocument;
+/**
+ * Serialize rules to a JSON string.
+ */
+export declare function exportRulesToJson<S extends SchemaDefinition>(rules: ReadonlyArray<PolicyRule<S>>, conditionNames?: Map<Condition<S>, string>): string;
+/**
+ * Deserialize a JSON policy document into PolicyRule objects.
+ * Condition names are resolved via the provided registry.
+ */
+export declare function importRules<S extends SchemaDefinition>(doc: JsonPolicyDocument, registry?: ConditionRegistry<S>): PolicyRule<S>[];
+/**
+ * Parse a JSON string into PolicyRule objects.
+ */
+export declare function importRulesFromJson<S extends SchemaDefinition>(json: string, registry?: ConditionRegistry<S>): PolicyRule<S>[];
+//# sourceMappingURL=serialization.d.ts.map

package/dist/serialization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serialization.d.ts","sourceRoot":"","sources":["../src/serialization.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,gBAAgB,EAChB,UAAU,EACV,YAAY,EACZ,SAAS,EACV,MAAM,YAAY,CAAC;AAMpB,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,YAAY,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACtB,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACxB,SAAS,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,CAAC,CAAC;IACX,KAAK,EAAE,cAAc,EAAE,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,qBAAa,iBAAiB,CAAC,CAAC,SAAS,gBAAgB;IACvD,OAAO,CAAC,UAAU,CAAmC;IAErD,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI;IAWrD,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS;IAI3C,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI1B,KAAK,IAAI,MAAM,EAAE;CAGlB;AAMD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,gBAAgB,EACpD,KAAK,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EACnC,cAAc,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,GACzC,kBAAkB,CAyBpB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,SAAS,gBAAgB,EAC1D,KAAK,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EACnC,cAAc,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,GACzC,MAAM,CAER;AAMD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,gBAAgB,EACpD,GAAG,EAAE,kBAAkB,EACvB,QAAQ,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,GAC9B,UAAU,CAAC,CAAC,CAAC,EAAE,CA6DjB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,gBAAgB,EAC5D,IAAI,EAAE,MAAM,EACZ,QAAQ,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,GAC9B,UAAU,CAAC,CAAC,CAAC,EAAE,CAUjB"}

package/dist/serialization.js

@@ -0,0 +1,144 @@
+/**
+ * A registry that maps condition names to condition functions.
+ * This allows JSON policies to reference conditions by name
+ * while keeping the actual logic in code.
+ *
+ * ```ts
+ * const conditions = new ConditionRegistry<MySchema>();
+ * conditions.register("isOwner", ctx => ctx.subject.id === ctx.resourceContext.ownerId);
+ * conditions.register("isActive", ctx => ctx.resourceContext.status === "active");
+ * ```
+ */
+export class ConditionRegistry {
+    conditions = new Map();
+    register(name, condition) {
+        if (!name || typeof name !== "string") {
+            throw new Error("Condition name must be a non-empty string");
+        }
+        if (typeof condition !== "function") {
+            throw new Error(`Condition "${name}" must be a function`);
+        }
+        this.conditions.set(name, condition);
+        return this;
+    }
+    get(name) {
+        return this.conditions.get(name);
+    }
+    has(name) {
+        return this.conditions.has(name);
+    }
+    names() {
+        return [...this.conditions.keys()];
+    }
+}
+// ---------------------------------------------------------------------------
+// Export: PolicyRule[] → JSON
+// ---------------------------------------------------------------------------
+/**
+ * Serialize rules to a JSON-safe document.
+ * Conditions are stripped unless a reverse lookup map is provided.
+ */
+export function exportRules(rules, conditionNames) {
+    const jsonRules = rules.map((rule) => {
+        const jr = {
+            id: rule.id,
+            effect: rule.effect,
+            roles: rule.roles,
+            actions: rule.actions,
+            resources: rule.resources,
+            priority: rule.priority,
+            description: rule.description,
+        };
+        if (rule.conditions && conditionNames) {
+            const names = [];
+            for (const cond of rule.conditions) {
+                const name = conditionNames.get(cond);
+                if (name)
+                    names.push(name);
+            }
+            if (names.length > 0)
+                jr.conditions = names;
+        }
+        return jr;
+    });
+    return { version: 1, rules: jsonRules };
+}
+/**
+ * Serialize rules to a JSON string.
+ */
+export function exportRulesToJson(rules, conditionNames) {
+    return JSON.stringify(exportRules(rules, conditionNames), null, 2);
+}
+// ---------------------------------------------------------------------------
+// Import: JSON → PolicyRule[]
+// ---------------------------------------------------------------------------
+/**
+ * Deserialize a JSON policy document into PolicyRule objects.
+ * Condition names are resolved via the provided registry.
+ */
+export function importRules(doc, registry) {
+    if (!doc || typeof doc !== "object") {
+        throw new Error("Policy document must be a non-null object");
+    }
+    if (doc.version !== 1) {
+        throw new Error(`Unsupported policy document version: ${doc.version}`);
+    }
+    if (!Array.isArray(doc.rules)) {
+        throw new Error("Policy document must have a 'rules' array");
+    }
+    return doc.rules.map((jr, index) => {
+        if (!jr || typeof jr !== "object") {
+            throw new Error(`Rule at index ${index} must be a non-null object`);
+        }
+        if (!jr.id || typeof jr.id !== "string") {
+            throw new Error(`Rule at index ${index} is missing a valid "id" field.`);
+        }
+        if (jr.effect !== "allow" && jr.effect !== "deny") {
+            throw new Error(`Invalid effect "${jr.effect}" in rule "${jr.id}". Must be "allow" or "deny".`);
+        }
+        if (jr.roles !== "*" && !Array.isArray(jr.roles)) {
+            throw new Error(`Rule "${jr.id}": roles must be "*" or an array of strings`);
+        }
+        if (jr.actions !== "*" && !Array.isArray(jr.actions)) {
+            throw new Error(`Rule "${jr.id}": actions must be "*" or an array of strings`);
+        }
+        if (jr.resources !== "*" && !Array.isArray(jr.resources)) {
+            throw new Error(`Rule "${jr.id}": resources must be "*" or an array of strings`);
+        }
+        const conditions = [];
+        if (jr.conditions && registry) {
+            for (const name of jr.conditions) {
+                const cond = registry.get(name);
+                if (!cond) {
+                    throw new Error(`Unknown condition "${name}" in rule "${jr.id}". ` +
+                        `Registered conditions: ${registry.names().join(", ") || "(none)"}`);
+                }
+                conditions.push(cond);
+            }
+        }
+        return {
+            id: jr.id,
+            effect: jr.effect,
+            roles: jr.roles,
+            actions: jr.actions,
+            resources: jr.resources,
+            conditions: conditions.length > 0 ? conditions : undefined,
+            priority: jr.priority,
+            description: jr.description,
+        };
+    });
+}
+/**
+ * Parse a JSON string into PolicyRule objects.
+ */
+export function importRulesFromJson(json, registry) {
+    let doc;
+    try {
+        doc = JSON.parse(json);
+    }
+    catch (err) {
+        throw new Error(`Failed to parse policy JSON: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    return importRules(doc, registry);
+}
+//# sourceMappingURL=serialization.js.map

package/dist/serialization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serialization.js","sourceRoot":"","sources":["../src/serialization.ts"],"names":[],"mappings":"AA2BA;;;;;;;;;;GAUG;AACH,MAAM,OAAO,iBAAiB;IACpB,UAAU,GAAG,IAAI,GAAG,EAAwB,CAAC;IAErD,QAAQ,CAAC,IAAY,EAAE,SAAuB;QAC5C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,OAAO,SAAS,KAAK,UAAU,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,cAAc,IAAI,sBAAsB,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,KAAK;QACH,OAAO,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IACrC,CAAC;CACF;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,WAAW,CACzB,KAAmC,EACnC,cAA0C;IAE1C,MAAM,SAAS,GAAqB,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACrD,MAAM,EAAE,GAAmB;YACzB,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,OAAO,EAAE,IAAI,CAAC,OAAyB;YACvC,SAAS,EAAE,IAAI,CAAC,SAA2B;YAC3C,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;QAEF,IAAI,IAAI,CAAC,UAAU,IAAI,cAAc,EAAE,CAAC;YACtC,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACnC,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACtC,IAAI,IAAI;oBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;gBAAE,EAAE,CAAC,UAAU,GAAG,KAAK,CAAC;QAC9C,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,KAAmC,EACnC,cAA0C;IAE1C,OAAO,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,EAAE,cAAc,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,WAAW,CACzB,GAAuB,EACvB,QAA+B;IAE/B,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,GAAG,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,iBAAiB,KAAK,4BAA4B,CAAC,CAAC;QACtE,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,iBAAiB,KAAK,iCAAiC,CAAC,CAAC;QAC3E,CAAC;QAED,IAAI,EAAE,CAAC,MAAM,KAAK,OAAO,IAAI,EAAE,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CACb,mBAAmB,EAAE,CAAC,MAAM,cAAc,EAAE,CAAC,EAAE,+BAA+B,CAC/E,CAAC;QACJ,CAAC;QAED,IAAI,EAAE,CAAC,KAAK,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,EAAE,6CAA6C,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,EAAE,CAAC,OAAO,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,EAAE,+CAA+C,CAAC,CAAC;QACjF,CAAC;QACD,IAAI,EAAE,CAAC,SAAS,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,EAAE,iDAAiD,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,UAAU,GAAmB,EAAE,CAAC;QACtC,IAAI,EAAE,CAAC,UAAU,IAAI,QAAQ,EAAE,CAAC;YAC9B,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;gBACjC,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAChC,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,IAAI,KAAK,CACb,sBAAsB,IAAI,cAAc,EAAE,CAAC,EAAE,KAAK;wBAClD,0BAA0B,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CACpE,CAAC;gBACJ,CAAC;gBACD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,OAAO;YACL,EAAE,EAAE,EAAE,CAAC,EAAE;YACT,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,KAAK,EAAE,EAAE,CAAC,KAAK;YACf,OAAO,EAAE,EAAE,CAAC,OAAO;YACnB,SAAS,EAAE,EAAE,CAAC,SAAS;YACvB,UAAU,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAC1D,QAAQ,EAAE,EAAE,CAAC,QAAQ;YACrB,WAAW,EAAE,EAAE,CAAC,WAAW;SACX,CAAC;IACrB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAY,EACZ,QAA+B;IAE/B,IAAI,GAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAuB,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACnF,CAAC;IACJ,CAAC;IACD,OAAO,WAAW,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;AACpC,CAAC"}

package/dist/server.d.ts

@@ -0,0 +1,52 @@
+import { type IncomingMessage, type ServerResponse } from "node:http";
+import type { AccessEngine } from "./engine.js";
+import type { SchemaDefinition, Subject, ResourceContext } from "./types.js";
+export interface ServerOptions<S extends SchemaDefinition> {
+    engine: AccessEngine<S>;
+    port?: number;
+    host?: string;
+    /**
+     * Optional hook to resolve a Subject from the request body.
+     * Defaults to using body.subject directly.
+     */
+    resolveSubject?: (body: EvalRequestBody) => Subject<S> | Promise<Subject<S>>;
+    /**
+     * Optional authentication hook. Return true to allow the request,
+     * false to reject with 401. Called before any endpoint logic.
+     * If not provided, all requests are allowed (suitable for internal networks only).
+     */
+    authenticate?: (req: IncomingMessage) => boolean | Promise<boolean>;
+    /** Maximum request body size in bytes. Defaults to 1 MB. */
+    maxBodyBytes?: number;
+}
+export interface EvalRequestBody {
+    subject: {
+        id: string;
+        roles: {
+            role: string;
+            tenantId?: string;
+        }[];
+        attributes?: Record<string, unknown>;
+    };
+    action: string;
+    resource: string;
+    resourceContext?: ResourceContext;
+    tenantId?: string;
+}
+/**
+ * Create a standalone HTTP authorization server.
+ *
+ * Endpoints:
+ *   POST /evaluate  — evaluate an authorization request
+ *   GET  /health    — health check + rule count
+ *   GET  /rules     — list all loaded rules (without conditions)
+ *
+ * **Security**: This server has no authentication by default.
+ * In production, provide an `authenticate` hook or run behind a VPN/service mesh.
+ */
+export declare function createAuthServer<S extends SchemaDefinition>(options: ServerOptions<S>): {
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    httpServer: import("http").Server<typeof IncomingMessage, typeof ServerResponse>;
+};
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgB,KAAK,eAAe,EAAE,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC;AACpF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAQ7E,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,gBAAgB;IACvD,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE,eAAe,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E;;;;OAIG;IACH,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,eAAe,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACpE,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE;QACP,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,EAAE,CAAC;QAC7C,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACtC,CAAC;IACF,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAyDD;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,SAAS,gBAAgB,EACzD,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC;aAyHd,OAAO,CAAC,IAAI,CAAC;YAQd,OAAO,CAAC,IAAI,CAAC;;EAQxB"}

package/dist/server.js

@@ -0,0 +1,163 @@
+import { createServer } from "node:http";
+const DEFAULT_MAX_BODY_BYTES = 1024 * 1024; // 1 MB
+function readBody(req, maxBytes) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let received = 0;
+        let settled = false;
+        function settle(fn) {
+            if (!settled) {
+                settled = true;
+                fn();
+            }
+        }
+        req.on("data", (chunk) => {
+            if (settled)
+                return;
+            received += chunk.length;
+            if (received > maxBytes) {
+                req.resume();
+                settle(() => reject(new Error(`Request body exceeds ${maxBytes} bytes`)));
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on("end", () => {
+            settle(() => resolve(Buffer.concat(chunks).toString("utf-8")));
+        });
+        req.on("error", (err) => {
+            settle(() => reject(err));
+        });
+    });
+}
+function sendJson(res, status, body) {
+    const json = JSON.stringify(body);
+    res.writeHead(status, {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(json),
+    });
+    res.end(json);
+}
+/**
+ * Create a standalone HTTP authorization server.
+ *
+ * Endpoints:
+ *   POST /evaluate  — evaluate an authorization request
+ *   GET  /health    — health check + rule count
+ *   GET  /rules     — list all loaded rules (without conditions)
+ *
+ * **Security**: This server has no authentication by default.
+ * In production, provide an `authenticate` hook or run behind a VPN/service mesh.
+ */
+export function createAuthServer(options) {
+    const { engine, port = 3100, host = "0.0.0.0", maxBodyBytes = DEFAULT_MAX_BODY_BYTES, } = options;
+    const startTime = Date.now();
+    const server = createServer(async (req, res) => {
+        const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
+        const method = req.method ?? "GET";
+        try {
+            if (options.authenticate) {
+                const authed = await options.authenticate(req);
+                if (authed !== true) {
+                    sendJson(res, 401, { error: "Unauthorized" });
+                    return;
+                }
+            }
+            if (method === "GET" && pathname === "/health") {
+                const body = {
+                    status: "ok",
+                    rulesLoaded: engine.getRules().length,
+                    uptime: Date.now() - startTime,
+                };
+                sendJson(res, 200, body);
+                return;
+            }
+            if (method === "GET" && pathname === "/rules") {
+                const rules = engine.getRules().map((r) => ({
+                    id: r.id,
+                    effect: r.effect,
+                    roles: r.roles,
+                    actions: r.actions,
+                    resources: r.resources,
+                    priority: r.priority,
+                    description: r.description,
+                    hasConditions: (r.conditions?.length ?? 0) > 0,
+                }));
+                sendJson(res, 200, { rules });
+                return;
+            }
+            if (method === "POST" && pathname === "/evaluate") {
+                let raw;
+                try {
+                    raw = await readBody(req, maxBodyBytes);
+                }
+                catch (err) {
+                    sendJson(res, 413, {
+                        error: err instanceof Error ? err.message : "Payload too large",
+                    });
+                    return;
+                }
+                let body;
+                try {
+                    body = JSON.parse(raw);
+                }
+                catch {
+                    sendJson(res, 400, { error: "Invalid JSON body" });
+                    return;
+                }
+                if (!body.subject || !body.action || !body.resource) {
+                    sendJson(res, 400, {
+                        error: "Missing required fields: subject, action, resource",
+                    });
+                    return;
+                }
+                if (typeof body.action !== "string" || typeof body.resource !== "string") {
+                    sendJson(res, 400, { error: "action and resource must be strings" });
+                    return;
+                }
+                if (typeof body.subject !== "object" ||
+                    typeof body.subject.id !== "string" ||
+                    !Array.isArray(body.subject.roles)) {
+                    sendJson(res, 400, {
+                        error: "subject must have a string id and a roles array",
+                    });
+                    return;
+                }
+                const subject = options.resolveSubject
+                    ? await options.resolveSubject(body)
+                    : body.subject;
+                const decision = engine.evaluate(subject, body.action, body.resource, body.resourceContext ?? {}, body.tenantId);
+                const response = {
+                    allowed: decision.allowed,
+                    effect: decision.effect,
+                    reason: decision.reason,
+                    matchedRuleId: decision.matchedRule?.id ?? null,
+                    durationMs: decision.durationMs,
+                };
+                sendJson(res, 200, response);
+                return;
+            }
+            sendJson(res, 404, { error: "Not found" });
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : "Internal server error";
+            sendJson(res, 500, { error: message });
+        }
+    });
+    return {
+        start() {
+            return new Promise((resolve) => {
+                server.listen(port, host, () => {
+                    resolve();
+                });
+            });
+        },
+        stop() {
+            return new Promise((resolve, reject) => {
+                server.close((err) => (err ? reject(err) : resolve()));
+            });
+        },
+        httpServer: server,
+    };
+}
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AAIpF,MAAM,sBAAsB,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AAmDnD,SAAS,QAAQ,CAAC,GAAoB,EAAE,QAAgB;IACtD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,SAAS,MAAM,CAAC,EAAc;YAC5B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,EAAE,EAAE,CAAC;YACP,CAAC;QACH,CAAC;QAED,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,IAAI,OAAO;gBAAE,OAAO;YACpB,QAAQ,IAAI,KAAK,CAAC,MAAM,CAAC;YACzB,IAAI,QAAQ,GAAG,QAAQ,EAAE,CAAC;gBACxB,GAAG,CAAC,MAAM,EAAE,CAAC;gBACb,MAAM,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,QAAQ,QAAQ,CAAC,CAAC,CAAC,CAAC;gBAC1E,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACtB,MAAM,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,GAAmB,EAAE,MAAc,EAAE,IAAa;IAClE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE;QACpB,cAAc,EAAE,kBAAkB;QAClC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;KAC1C,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAyB;IAEzB,MAAM,EACJ,MAAM,EACN,IAAI,GAAG,IAAI,EACX,IAAI,GAAG,SAAS,EAChB,YAAY,GAAG,sBAAsB,GACtC,GAAG,OAAO,CAAC;IACZ,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7C,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;QACtE,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC;QAEnC,IAAI,CAAC;YACH,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBAC/C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;oBACpB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;oBAC9C,OAAO;gBACT,CAAC;YACH,CAAC;YAED,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC/C,MAAM,IAAI,GAAmB;oBAC3B,MAAM,EAAE,IAAI;oBACZ,WAAW,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,MAAM;oBACrC,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBAC/B,CAAC;gBACF,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;gBACzB,OAAO;YACT,CAAC;YAED,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC1C,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,KAAK,EAAE,CAAC,CAAC,KAAK;oBACd,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,SAAS,EAAE,CAAC,CAAC,SAAS;oBACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,WAAW,EAAE,CAAC,CAAC,WAAW;oBAC1B,aAAa,EAAE,CAAC,CAAC,CAAC,UAAU,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;iBAC/C,CAAC,CAAC,CAAC;gBACJ,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC9B,OAAO;YACT,CAAC;YAED,IAAI,MAAM,KAAK,MAAM,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;gBAClD,IAAI,GAAW,CAAC;gBAChB,IAAI,CAAC;oBACH,GAAG,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;gBAC1C,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE;wBACjB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB;qBAChE,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,IAAI,IAAqB,CAAC;gBAC1B,IAAI,CAAC;oBACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACzB,CAAC;gBAAC,MAAM,CAAC;oBACP,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;oBACnD,OAAO;gBACT,CAAC;gBAED,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACpD,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE;wBACjB,KAAK,EAAE,oDAAoD;qBAC5D,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACzE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAC,CAAC;oBACrE,OAAO;gBACT,CAAC;gBAED,IACE,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;oBAChC,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,KAAK,QAAQ;oBACnC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAClC,CAAC;oBACD,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE;wBACjB,KAAK,EAAE,iDAAiD;qBACzD,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,MAAM,OAAO,GAAe,OAAO,CAAC,cAAc;oBAChD,CAAC,CAAC,MAAM,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC;oBACpC,CAAC,CAAE,IAAI,CAAC,OAAiC,CAAC;gBAE5C,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAC9B,OAAO,EACP,IAAI,CAAC,MAA+C,EACpD,IAAI,CAAC,QAAiD,EACtD,IAAI,CAAC,eAAe,IAAI,EAAE,EAC1B,IAAI,CAAC,QAAQ,CACd,CAAC;gBAEF,MAAM,QAAQ,GAAqB;oBACjC,OAAO,EAAE,QAAQ,CAAC,OAAO;oBACzB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,aAAa,EAAE,QAAQ,CAAC,WAAW,EAAE,EAAE,IAAI,IAAI;oBAC/C,UAAU,EAAE,QAAQ,CAAC,UAAU;iBAChC,CAAC;gBACF,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC;YAC7E,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,KAAK;YACH,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;gBAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;oBAC7B,OAAO,EAAE,CAAC;gBACZ,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAED,IAAI;YACF,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACzD,CAAC,CAAC,CAAC;QACL,CAAC;QAED,UAAU,EAAE,MAAM;KACnB,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,137 @@
+/**
+ * Core type definitions for the authorization engine.
+ *
+ * The type system is designed so that defining a schema once
+ * propagates full autocomplete through every API surface:
+ * policies, checks, audits, and middleware.
+ */
+export type ActionString = `${string}:${string}`;
+export interface SchemaDefinition {
+    roles: string;
+    resources: string;
+    actions: ActionString;
+    tenantId?: string;
+}
+/**
+ * Infer concrete union types from a schema definition.
+ * Used internally to thread type narrowing everywhere.
+ */
+export type InferRole<S extends SchemaDefinition> = S["roles"];
+export type InferResource<S extends SchemaDefinition> = S["resources"];
+export type InferAction<S extends SchemaDefinition> = S["actions"];
+export type InferTenantId<S extends SchemaDefinition> = S["tenantId"] extends string ? S["tenantId"] : string;
+export interface RoleAssignment<S extends SchemaDefinition> {
+    role: InferRole<S>;
+    tenantId?: InferTenantId<S>;
+}
+export interface Subject<S extends SchemaDefinition> {
+    id: string;
+    roles: RoleAssignment<S>[];
+    attributes?: Record<string, unknown>;
+}
+export interface ResourceContext {
+    id?: string;
+    tenantId?: string;
+    [key: string]: unknown;
+}
+export interface EvaluationContext<S extends SchemaDefinition> {
+    subject: Subject<S>;
+    action: InferAction<S>;
+    resource: InferResource<S>;
+    resourceContext: ResourceContext;
+    tenantId?: string;
+    environment?: Record<string, unknown>;
+}
+export type Condition<S extends SchemaDefinition> = (ctx: EvaluationContext<S>) => boolean | Promise<boolean>;
+export type PolicyEffect = "allow" | "deny";
+export interface PolicyRule<S extends SchemaDefinition> {
+    readonly id: string;
+    readonly effect: PolicyEffect;
+    readonly roles: InferRole<S>[] | "*";
+    readonly actions: InferAction<S>[] | "*";
+    readonly resources: InferResource<S>[] | "*";
+    readonly conditions?: Condition<S>[];
+    /**
+     * Higher priority wins. Deny at equal priority wins over allow.
+     * Default: 0
+     */
+    readonly priority?: number;
+    readonly description?: string;
+}
+export interface Decision<S extends SchemaDefinition> {
+    allowed: boolean;
+    effect: PolicyEffect | "default-deny";
+    matchedRule: PolicyRule<S> | null;
+    subject: Subject<S>;
+    action: InferAction<S>;
+    resource: InferResource<S>;
+    resourceContext: ResourceContext;
+    tenantId?: string;
+    timestamp: number;
+    durationMs: number;
+    reason: string;
+}
+export interface AuditEntry {
+    allowed: boolean;
+    effect: string;
+    matchedRuleId: string | null;
+    matchedRuleDescription: string | null;
+    subjectId: string;
+    action: string;
+    resource: string;
+    tenantId?: string;
+    timestamp: number;
+    durationMs: number;
+    reason: string;
+}
+/**
+ * Convert a Decision to a serialization-safe AuditEntry
+ * (strips functions, large objects, and condition references).
+ */
+export declare function toAuditEntry<S extends SchemaDefinition>(decision: Decision<S>): AuditEntry;
+export interface ConditionResult {
+    index: number;
+    passed: boolean;
+    error?: string;
+}
+export interface RuleEvaluation<S extends SchemaDefinition> {
+    rule: PolicyRule<S>;
+    roleMatched: boolean;
+    actionMatched: boolean;
+    resourceMatched: boolean;
+    conditionResults: ConditionResult[];
+    matched: boolean;
+}
+export interface ExplainResult<S extends SchemaDefinition> {
+    allowed: boolean;
+    effect: PolicyEffect | "default-deny";
+    reason: string;
+    evaluatedRules: RuleEvaluation<S>[];
+    durationMs: number;
+}
+export type DecisionListener<S extends SchemaDefinition> = (decision: Decision<S>) => void | Promise<void>;
+export interface ConditionError {
+    ruleId: string;
+    conditionIndex: number;
+    error: unknown;
+}
+export type ConditionErrorHandler = (err: ConditionError) => void;
+export interface EngineOptions<S extends SchemaDefinition> {
+    schema: S;
+    defaultEffect?: PolicyEffect;
+    onDecision?: DecisionListener<S>;
+    onConditionError?: ConditionErrorHandler;
+    /**
+     * When true, async conditions are awaited.
+     * When false (default), only synchronous conditions are supported
+     * and evaluate is guaranteed synchronous.
+     */
+    asyncConditions?: boolean;
+    /**
+     * When true, evaluate() throws if tenantId is omitted and the subject
+     * has any tenant-scoped role assignments. Prevents accidental
+     * cross-tenant privilege escalation.
+     */
+    strictTenancy?: boolean;
+}
+//# sourceMappingURL=types.d.ts.map