@siremzam/sentinel 0.3.1 → 0.3.2

package/dist/policy-builder.js

@@ -1,92 +0,0 @@
-let ruleCounter = 0;
-function nextRuleId(prefix) {
-    return `${prefix}-${++ruleCounter}`;
-}
-export class RuleBuilder {
-    _effect;
-    _roles = "*";
-    _actions = "*";
-    _resources = "*";
-    _conditions = [];
-    _priority = 0;
-    _description;
-    _id;
-    constructor(effect) {
-        this._effect = effect;
-        this._id = nextRuleId(effect);
-    }
-    id(id) {
-        this._id = id;
-        return this;
-    }
-    roles(...roles) {
-        this._roles = roles;
-        return this;
-    }
-    anyRole() {
-        this._roles = "*";
-        return this;
-    }
-    actions(...actions) {
-        this._actions = actions;
-        return this;
-    }
-    anyAction() {
-        this._actions = "*";
-        return this;
-    }
-    on(...resources) {
-        this._resources = resources;
-        return this;
-    }
-    anyResource() {
-        this._resources = "*";
-        return this;
-    }
-    when(condition) {
-        this._conditions.push(condition);
-        return this;
-    }
-    priority(p) {
-        this._priority = p;
-        return this;
-    }
-    describe(desc) {
-        this._description = desc;
-        return this;
-    }
-    build() {
-        return {
-            id: this._id,
-            effect: this._effect,
-            roles: this._roles,
-            actions: this._actions,
-            resources: this._resources,
-            conditions: this._conditions.length > 0 ? this._conditions : undefined,
-            priority: this._priority,
-            description: this._description,
-        };
-    }
-}
-export function allow() {
-    return new RuleBuilder("allow");
-}
-export function deny() {
-    return new RuleBuilder("deny");
-}
-/**
- * Creates schema-bound allow/deny factories so you don't need to pass
- * the generic parameter on every call.
- *
- * ```ts
- * const { allow, deny } = createPolicyFactory<MySchema>();
- * allow().roles("admin").anyAction().anyResource().build();
- * ```
- */
-export function createPolicyFactory() {
-    return {
-        allow: () => new RuleBuilder("allow"),
-        deny: () => new RuleBuilder("deny"),
-    };
-}
-//# sourceMappingURL=policy-builder.js.map

package/dist/policy-builder.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"policy-builder.js","sourceRoot":"","sources":["../src/policy-builder.ts"],"names":[],"mappings":"AAUA,IAAI,WAAW,GAAG,CAAC,CAAC;AAEpB,SAAS,UAAU,CAAC,MAAc;IAChC,OAAO,GAAG,MAAM,IAAI,EAAE,WAAW,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,OAAO,WAAW;IACd,OAAO,CAAe;IACtB,MAAM,GAAyB,GAAG,CAAC;IACnC,QAAQ,GAA2B,GAAG,CAAC;IACvC,UAAU,GAA6B,GAAG,CAAC;IAC3C,WAAW,GAAmB,EAAE,CAAC;IACjC,SAAS,GAAG,CAAC,CAAC;IACd,YAAY,CAAU;IACtB,GAAG,CAAS;IAEpB,YAAY,MAAoB;QAC9B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,GAAG,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,EAAE,CAAC,EAAU;QACX,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,GAAG,KAAqB;QAC5B,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO;QACL,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,GAAG,OAAyB;QAClC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,SAAS;QACP,IAAI,CAAC,QAAQ,GAAG,GAAG,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,EAAE,CAAC,GAAG,SAA6B;QACjC,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,WAAW;QACT,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,SAAuB;QAC1B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,QAAQ,CAAC,CAAS;QAChB,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,QAAQ,CAAC,IAAY;QACnB,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK;QACH,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,GAAG;YACZ,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,KAAK,EAAE,IAAI,CAAC,MAAM;YAClB,OAAO,EAAE,IAAI,CAAC,QAAQ;YACtB,SAAS,EAAE,IAAI,CAAC,UAAU;YAC1B,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtE,QAAQ,EAAE,IAAI,CAAC,SAAS;YACxB,WAAW,EAAE,IAAI,CAAC,YAAY;SAC/B,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,KAAK;IACnB,OAAO,IAAI,WAAW,CAAI,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,MAAM,UAAU,IAAI;IAClB,OAAO,IAAI,WAAW,CAAI,MAAM,CAAC,CAAC;AACpC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,mBAAmB;IAIjC,OAAO;QACL,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,WAAW,CAAI,OAAO,CAAC;QACxC,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,WAAW,CAAI,MAAM,CAAC;KACvC,CAAC;AACJ,CAAC"}

package/dist/role-hierarchy.d.ts

@@ -1,42 +0,0 @@
-import type { SchemaDefinition, InferRole } from "./types.js";
-/**
- * Defines a role inheritance hierarchy.
- *
- * When a role inherits from another, it gains all permissions of its parent roles.
- * Cycles are detected and rejected at definition time.
- *
- * ```ts
- * const hierarchy = new RoleHierarchy<MySchema>()
- *   .define("admin", ["manager", "viewer"])
- *   .define("manager", ["member"])
- *   .define("member", ["viewer"]);
- *
- * hierarchy.resolve("admin");
- * // Set { "admin", "manager", "member", "viewer" }
- * ```
- */
-export declare class RoleHierarchy<S extends SchemaDefinition> {
-    private parents;
-    private cache;
-    /**
-     * Define that `role` inherits permissions from `inheritsFrom` roles.
-     * Clears the resolution cache.
-     */
-    define(role: InferRole<S>, inheritsFrom: InferRole<S>[]): this;
-    /**
-     * Resolve the full set of roles a given role expands to,
-     * including all inherited roles (transitive).
-     */
-    resolve(role: InferRole<S>): Set<string>;
-    /**
-     * Resolve multiple roles at once, returning the merged set.
-     */
-    resolveAll(roles: Iterable<InferRole<S>>): Set<string>;
-    /**
-     * Get all defined roles that have inheritance rules.
-     */
-    definedRoles(): string[];
-    private walk;
-    private detectCycle;
-}
-//# sourceMappingURL=role-hierarchy.d.ts.map

package/dist/role-hierarchy.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"role-hierarchy.d.ts","sourceRoot":"","sources":["../src/role-hierarchy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE9D;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,aAAa,CAAC,CAAC,SAAS,gBAAgB;IACnD,OAAO,CAAC,OAAO,CAA+B;IAC9C,OAAO,CAAC,KAAK,CAAkC;IAE/C;;;OAGG;IACH,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI;IAO9D;;;OAGG;IACH,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC;IAWxC;;OAEG;IACH,UAAU,CAAC,KAAK,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC;IAUtD;;OAEG;IACH,YAAY,IAAI,MAAM,EAAE;IAIxB,OAAO,CAAC,IAAI;IAWZ,OAAO,CAAC,WAAW;CAepB"}

package/dist/role-hierarchy.js

@@ -1,87 +0,0 @@
-/**
- * Defines a role inheritance hierarchy.
- *
- * When a role inherits from another, it gains all permissions of its parent roles.
- * Cycles are detected and rejected at definition time.
- *
- * ```ts
- * const hierarchy = new RoleHierarchy<MySchema>()
- *   .define("admin", ["manager", "viewer"])
- *   .define("manager", ["member"])
- *   .define("member", ["viewer"]);
- *
- * hierarchy.resolve("admin");
- * // Set { "admin", "manager", "member", "viewer" }
- * ```
- */
-export class RoleHierarchy {
-    parents = new Map();
-    cache = new Map();
-    /**
-     * Define that `role` inherits permissions from `inheritsFrom` roles.
-     * Clears the resolution cache.
-     */
-    define(role, inheritsFrom) {
-        this.parents.set(role, inheritsFrom);
-        this.cache.clear();
-        this.detectCycle(role, new Set());
-        return this;
-    }
-    /**
-     * Resolve the full set of roles a given role expands to,
-     * including all inherited roles (transitive).
-     */
-    resolve(role) {
-        const roleStr = role;
-        const cached = this.cache.get(roleStr);
-        if (cached)
-            return cached;
-        const result = new Set();
-        this.walk(roleStr, result);
-        this.cache.set(roleStr, result);
-        return result;
-    }
-    /**
-     * Resolve multiple roles at once, returning the merged set.
-     */
-    resolveAll(roles) {
-        const result = new Set();
-        for (const role of roles) {
-            for (const r of this.resolve(role)) {
-                result.add(r);
-            }
-        }
-        return result;
-    }
-    /**
-     * Get all defined roles that have inheritance rules.
-     */
-    definedRoles() {
-        return [...this.parents.keys()];
-    }
-    walk(role, visited) {
-        if (visited.has(role))
-            return;
-        visited.add(role);
-        const parents = this.parents.get(role);
-        if (parents) {
-            for (const parent of parents) {
-                this.walk(parent, visited);
-            }
-        }
-    }
-    detectCycle(role, visiting) {
-        if (visiting.has(role)) {
-            throw new Error(`Cycle detected in role hierarchy: ${[...visiting, role].join(" → ")}`);
-        }
-        visiting.add(role);
-        const parents = this.parents.get(role);
-        if (parents) {
-            for (const parent of parents) {
-                this.detectCycle(parent, visiting);
-            }
-        }
-        visiting.delete(role);
-    }
-}
-//# sourceMappingURL=role-hierarchy.js.map

package/dist/role-hierarchy.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"role-hierarchy.js","sourceRoot":"","sources":["../src/role-hierarchy.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;GAeG;AACH,MAAM,OAAO,aAAa;IAChB,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IACtC,KAAK,GAAG,IAAI,GAAG,EAAuB,CAAC;IAE/C;;;OAGG;IACH,MAAM,CAAC,IAAkB,EAAE,YAA4B;QACrD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,YAAwB,CAAC,CAAC;QACjD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,IAAI,CAAC,WAAW,CAAC,IAAc,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,IAAkB;QACxB,MAAM,OAAO,GAAG,IAAc,CAAC;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAChC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,KAA6B;QACtC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,YAAY;QACV,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAClC,CAAC;IAEO,IAAI,CAAC,IAAY,EAAE,OAAoB;QAC7C,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO;QAC9B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAClB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IAEO,WAAW,CAAC,IAAY,EAAE,QAAqB;QACrD,IAAI,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CACb,qCAAqC,CAAC,GAAG,QAAQ,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CACvE,CAAC;QACJ,CAAC;QACD,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QACD,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;CACF"}

package/dist/serialization.d.ts

@@ -1,52 +0,0 @@
-import type { SchemaDefinition, PolicyRule, PolicyEffect, Condition } from "./types.js";
-export interface JsonPolicyRule {
-    id: string;
-    effect: PolicyEffect;
-    roles: string[] | "*";
-    actions: string[] | "*";
-    resources: string[] | "*";
-    conditions?: string[];
-    priority?: number;
-    description?: string;
-}
-export interface JsonPolicyDocument {
-    version: 1;
-    rules: JsonPolicyRule[];
-}
-/**
- * A registry that maps condition names to condition functions.
- * This allows JSON policies to reference conditions by name
- * while keeping the actual logic in code.
- *
- * ```ts
- * const conditions = new ConditionRegistry<MySchema>();
- * conditions.register("isOwner", ctx => ctx.subject.id === ctx.resourceContext.ownerId);
- * conditions.register("isActive", ctx => ctx.resourceContext.status === "active");
- * ```
- */
-export declare class ConditionRegistry<S extends SchemaDefinition> {
-    private conditions;
-    register(name: string, condition: Condition<S>): this;
-    get(name: string): Condition<S> | undefined;
-    has(name: string): boolean;
-    names(): string[];
-}
-/**
- * Serialize rules to a JSON-safe document.
- * Conditions are stripped unless a reverse lookup map is provided.
- */
-export declare function exportRules<S extends SchemaDefinition>(rules: ReadonlyArray<PolicyRule<S>>, conditionNames?: Map<Condition<S>, string>): JsonPolicyDocument;
-/**
- * Serialize rules to a JSON string.
- */
-export declare function exportRulesToJson<S extends SchemaDefinition>(rules: ReadonlyArray<PolicyRule<S>>, conditionNames?: Map<Condition<S>, string>): string;
-/**
- * Deserialize a JSON policy document into PolicyRule objects.
- * Condition names are resolved via the provided registry.
- */
-export declare function importRules<S extends SchemaDefinition>(doc: JsonPolicyDocument, registry?: ConditionRegistry<S>): PolicyRule<S>[];
-/**
- * Parse a JSON string into PolicyRule objects.
- */
-export declare function importRulesFromJson<S extends SchemaDefinition>(json: string, registry?: ConditionRegistry<S>): PolicyRule<S>[];
-//# sourceMappingURL=serialization.d.ts.map

package/dist/serialization.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"serialization.d.ts","sourceRoot":"","sources":["../src/serialization.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,gBAAgB,EAChB,UAAU,EACV,YAAY,EACZ,SAAS,EACV,MAAM,YAAY,CAAC;AAMpB,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,YAAY,CAAC;IACrB,KAAK,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACtB,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IACxB,SAAS,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,CAAC,CAAC;IACX,KAAK,EAAE,cAAc,EAAE,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,qBAAa,iBAAiB,CAAC,CAAC,SAAS,gBAAgB;IACvD,OAAO,CAAC,UAAU,CAAmC;IAErD,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI;IAWrD,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS;IAI3C,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI1B,KAAK,IAAI,MAAM,EAAE;CAGlB;AAMD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,gBAAgB,EACpD,KAAK,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EACnC,cAAc,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,GACzC,kBAAkB,CAyBpB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,SAAS,gBAAgB,EAC1D,KAAK,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EACnC,cAAc,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,GACzC,MAAM,CAER;AAMD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,gBAAgB,EACpD,GAAG,EAAE,kBAAkB,EACvB,QAAQ,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,GAC9B,UAAU,CAAC,CAAC,CAAC,EAAE,CA6DjB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,gBAAgB,EAC5D,IAAI,EAAE,MAAM,EACZ,QAAQ,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,GAC9B,UAAU,CAAC,CAAC,CAAC,EAAE,CAUjB"}

package/dist/serialization.js

@@ -1,144 +0,0 @@
-/**
- * A registry that maps condition names to condition functions.
- * This allows JSON policies to reference conditions by name
- * while keeping the actual logic in code.
- *
- * ```ts
- * const conditions = new ConditionRegistry<MySchema>();
- * conditions.register("isOwner", ctx => ctx.subject.id === ctx.resourceContext.ownerId);
- * conditions.register("isActive", ctx => ctx.resourceContext.status === "active");
- * ```
- */
-export class ConditionRegistry {
-    conditions = new Map();
-    register(name, condition) {
-        if (!name || typeof name !== "string") {
-            throw new Error("Condition name must be a non-empty string");
-        }
-        if (typeof condition !== "function") {
-            throw new Error(`Condition "${name}" must be a function`);
-        }
-        this.conditions.set(name, condition);
-        return this;
-    }
-    get(name) {
-        return this.conditions.get(name);
-    }
-    has(name) {
-        return this.conditions.has(name);
-    }
-    names() {
-        return [...this.conditions.keys()];
-    }
-}
-// ---------------------------------------------------------------------------
-// Export: PolicyRule[] → JSON
-// ---------------------------------------------------------------------------
-/**
- * Serialize rules to a JSON-safe document.
- * Conditions are stripped unless a reverse lookup map is provided.
- */
-export function exportRules(rules, conditionNames) {
-    const jsonRules = rules.map((rule) => {
-        const jr = {
-            id: rule.id,
-            effect: rule.effect,
-            roles: rule.roles,
-            actions: rule.actions,
-            resources: rule.resources,
-            priority: rule.priority,
-            description: rule.description,
-        };
-        if (rule.conditions && conditionNames) {
-            const names = [];
-            for (const cond of rule.conditions) {
-                const name = conditionNames.get(cond);
-                if (name)
-                    names.push(name);
-            }
-            if (names.length > 0)
-                jr.conditions = names;
-        }
-        return jr;
-    });
-    return { version: 1, rules: jsonRules };
-}
-/**
- * Serialize rules to a JSON string.
- */
-export function exportRulesToJson(rules, conditionNames) {
-    return JSON.stringify(exportRules(rules, conditionNames), null, 2);
-}
-// ---------------------------------------------------------------------------
-// Import: JSON → PolicyRule[]
-// ---------------------------------------------------------------------------
-/**
- * Deserialize a JSON policy document into PolicyRule objects.
- * Condition names are resolved via the provided registry.
- */
-export function importRules(doc, registry) {
-    if (!doc || typeof doc !== "object") {
-        throw new Error("Policy document must be a non-null object");
-    }
-    if (doc.version !== 1) {
-        throw new Error(`Unsupported policy document version: ${doc.version}`);
-    }
-    if (!Array.isArray(doc.rules)) {
-        throw new Error("Policy document must have a 'rules' array");
-    }
-    return doc.rules.map((jr, index) => {
-        if (!jr || typeof jr !== "object") {
-            throw new Error(`Rule at index ${index} must be a non-null object`);
-        }
-        if (!jr.id || typeof jr.id !== "string") {
-            throw new Error(`Rule at index ${index} is missing a valid "id" field.`);
-        }
-        if (jr.effect !== "allow" && jr.effect !== "deny") {
-            throw new Error(`Invalid effect "${jr.effect}" in rule "${jr.id}". Must be "allow" or "deny".`);
-        }
-        if (jr.roles !== "*" && !Array.isArray(jr.roles)) {
-            throw new Error(`Rule "${jr.id}": roles must be "*" or an array of strings`);
-        }
-        if (jr.actions !== "*" && !Array.isArray(jr.actions)) {
-            throw new Error(`Rule "${jr.id}": actions must be "*" or an array of strings`);
-        }
-        if (jr.resources !== "*" && !Array.isArray(jr.resources)) {
-            throw new Error(`Rule "${jr.id}": resources must be "*" or an array of strings`);
-        }
-        const conditions = [];
-        if (jr.conditions && registry) {
-            for (const name of jr.conditions) {
-                const cond = registry.get(name);
-                if (!cond) {
-                    throw new Error(`Unknown condition "${name}" in rule "${jr.id}". ` +
-                        `Registered conditions: ${registry.names().join(", ") || "(none)"}`);
-                }
-                conditions.push(cond);
-            }
-        }
-        return {
-            id: jr.id,
-            effect: jr.effect,
-            roles: jr.roles,
-            actions: jr.actions,
-            resources: jr.resources,
-            conditions: conditions.length > 0 ? conditions : undefined,
-            priority: jr.priority,
-            description: jr.description,
-        };
-    });
-}
-/**
- * Parse a JSON string into PolicyRule objects.
- */
-export function importRulesFromJson(json, registry) {
-    let doc;
-    try {
-        doc = JSON.parse(json);
-    }
-    catch (err) {
-        throw new Error(`Failed to parse policy JSON: ${err instanceof Error ? err.message : String(err)}`);
-    }
-    return importRules(doc, registry);
-}
-//# sourceMappingURL=serialization.js.map

package/dist/serialization.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"serialization.js","sourceRoot":"","sources":["../src/serialization.ts"],"names":[],"mappings":"AA2BA;;;;;;;;;;GAUG;AACH,MAAM,OAAO,iBAAiB;IACpB,UAAU,GAAG,IAAI,GAAG,EAAwB,CAAC;IAErD,QAAQ,CAAC,IAAY,EAAE,SAAuB;QAC5C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,OAAO,SAAS,KAAK,UAAU,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,cAAc,IAAI,sBAAsB,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,KAAK;QACH,OAAO,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IACrC,CAAC;CACF;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,WAAW,CACzB,KAAmC,EACnC,cAA0C;IAE1C,MAAM,SAAS,GAAqB,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACrD,MAAM,EAAE,GAAmB;YACzB,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,OAAO,EAAE,IAAI,CAAC,OAAyB;YACvC,SAAS,EAAE,IAAI,CAAC,SAA2B;YAC3C,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;QAEF,IAAI,IAAI,CAAC,UAAU,IAAI,cAAc,EAAE,CAAC;YACtC,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACnC,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACtC,IAAI,IAAI;oBAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;gBAAE,EAAE,CAAC,UAAU,GAAG,KAAK,CAAC;QAC9C,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,KAAmC,EACnC,cAA0C;IAE1C,OAAO,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,EAAE,cAAc,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,WAAW,CACzB,GAAuB,EACvB,QAA+B;IAE/B,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,GAAG,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,iBAAiB,KAAK,4BAA4B,CAAC,CAAC;QACtE,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,EAAE,IAAI,OAAO,EAAE,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,iBAAiB,KAAK,iCAAiC,CAAC,CAAC;QAC3E,CAAC;QAED,IAAI,EAAE,CAAC,MAAM,KAAK,OAAO,IAAI,EAAE,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CACb,mBAAmB,EAAE,CAAC,MAAM,cAAc,EAAE,CAAC,EAAE,+BAA+B,CAC/E,CAAC;QACJ,CAAC;QAED,IAAI,EAAE,CAAC,KAAK,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,EAAE,6CAA6C,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,EAAE,CAAC,OAAO,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,EAAE,+CAA+C,CAAC,CAAC;QACjF,CAAC;QACD,IAAI,EAAE,CAAC,SAAS,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC,EAAE,iDAAiD,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,UAAU,GAAmB,EAAE,CAAC;QACtC,IAAI,EAAE,CAAC,UAAU,IAAI,QAAQ,EAAE,CAAC;YAC9B,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;gBACjC,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAChC,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,MAAM,IAAI,KAAK,CACb,sBAAsB,IAAI,cAAc,EAAE,CAAC,EAAE,KAAK;wBAClD,0BAA0B,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CACpE,CAAC;gBACJ,CAAC;gBACD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,OAAO;YACL,EAAE,EAAE,EAAE,CAAC,EAAE;YACT,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,KAAK,EAAE,EAAE,CAAC,KAAK;YACf,OAAO,EAAE,EAAE,CAAC,OAAO;YACnB,SAAS,EAAE,EAAE,CAAC,SAAS;YACvB,UAAU,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;YAC1D,QAAQ,EAAE,EAAE,CAAC,QAAQ;YACrB,WAAW,EAAE,EAAE,CAAC,WAAW;SACX,CAAC;IACrB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,IAAY,EACZ,QAA+B;IAE/B,IAAI,GAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAuB,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACnF,CAAC;IACJ,CAAC;IACD,OAAO,WAAW,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;AACpC,CAAC"}

package/dist/server.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgB,KAAK,eAAe,EAAE,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC;AACpF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAQ7E,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,gBAAgB;IACvD,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE,eAAe,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E;;;;OAIG;IACH,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,eAAe,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACpE,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE;QACP,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,EAAE,CAAC;QAC7C,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACtC,CAAC;IACF,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAyDD;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,SAAS,gBAAgB,EACzD,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC;aAyHd,OAAO,CAAC,IAAI,CAAC;YAQd,OAAO,CAAC,IAAI,CAAC;;EAQxB"}

package/dist/types.d.ts

@@ -1,137 +0,0 @@
-/**
- * Core type definitions for the authorization engine.
- *
- * The type system is designed so that defining a schema once
- * propagates full autocomplete through every API surface:
- * policies, checks, audits, and middleware.
- */
-export type ActionString = `${string}:${string}`;
-export interface SchemaDefinition {
-    roles: string;
-    resources: string;
-    actions: ActionString;
-    tenantId?: string;
-}
-/**
- * Infer concrete union types from a schema definition.
- * Used internally to thread type narrowing everywhere.
- */
-export type InferRole<S extends SchemaDefinition> = S["roles"];
-export type InferResource<S extends SchemaDefinition> = S["resources"];
-export type InferAction<S extends SchemaDefinition> = S["actions"];
-export type InferTenantId<S extends SchemaDefinition> = S["tenantId"] extends string ? S["tenantId"] : string;
-export interface RoleAssignment<S extends SchemaDefinition> {
-    role: InferRole<S>;
-    tenantId?: InferTenantId<S>;
-}
-export interface Subject<S extends SchemaDefinition> {
-    id: string;
-    roles: RoleAssignment<S>[];
-    attributes?: Record<string, unknown>;
-}
-export interface ResourceContext {
-    id?: string;
-    tenantId?: string;
-    [key: string]: unknown;
-}
-export interface EvaluationContext<S extends SchemaDefinition> {
-    subject: Subject<S>;
-    action: InferAction<S>;
-    resource: InferResource<S>;
-    resourceContext: ResourceContext;
-    tenantId?: string;
-    environment?: Record<string, unknown>;
-}
-export type Condition<S extends SchemaDefinition> = (ctx: EvaluationContext<S>) => boolean | Promise<boolean>;
-export type PolicyEffect = "allow" | "deny";
-export interface PolicyRule<S extends SchemaDefinition> {
-    readonly id: string;
-    readonly effect: PolicyEffect;
-    readonly roles: InferRole<S>[] | "*";
-    readonly actions: InferAction<S>[] | "*";
-    readonly resources: InferResource<S>[] | "*";
-    readonly conditions?: Condition<S>[];
-    /**
-     * Higher priority wins. Deny at equal priority wins over allow.
-     * Default: 0
-     */
-    readonly priority?: number;
-    readonly description?: string;
-}
-export interface Decision<S extends SchemaDefinition> {
-    allowed: boolean;
-    effect: PolicyEffect | "default-deny";
-    matchedRule: PolicyRule<S> | null;
-    subject: Subject<S>;
-    action: InferAction<S>;
-    resource: InferResource<S>;
-    resourceContext: ResourceContext;
-    tenantId?: string;
-    timestamp: number;
-    durationMs: number;
-    reason: string;
-}
-export interface AuditEntry {
-    allowed: boolean;
-    effect: string;
-    matchedRuleId: string | null;
-    matchedRuleDescription: string | null;
-    subjectId: string;
-    action: string;
-    resource: string;
-    tenantId?: string;
-    timestamp: number;
-    durationMs: number;
-    reason: string;
-}
-/**
- * Convert a Decision to a serialization-safe AuditEntry
- * (strips functions, large objects, and condition references).
- */
-export declare function toAuditEntry<S extends SchemaDefinition>(decision: Decision<S>): AuditEntry;
-export interface ConditionResult {
-    index: number;
-    passed: boolean;
-    error?: string;
-}
-export interface RuleEvaluation<S extends SchemaDefinition> {
-    rule: PolicyRule<S>;
-    roleMatched: boolean;
-    actionMatched: boolean;
-    resourceMatched: boolean;
-    conditionResults: ConditionResult[];
-    matched: boolean;
-}
-export interface ExplainResult<S extends SchemaDefinition> {
-    allowed: boolean;
-    effect: PolicyEffect | "default-deny";
-    reason: string;
-    evaluatedRules: RuleEvaluation<S>[];
-    durationMs: number;
-}
-export type DecisionListener<S extends SchemaDefinition> = (decision: Decision<S>) => void | Promise<void>;
-export interface ConditionError {
-    ruleId: string;
-    conditionIndex: number;
-    error: unknown;
-}
-export type ConditionErrorHandler = (err: ConditionError) => void;
-export interface EngineOptions<S extends SchemaDefinition> {
-    schema: S;
-    defaultEffect?: PolicyEffect;
-    onDecision?: DecisionListener<S>;
-    onConditionError?: ConditionErrorHandler;
-    /**
-     * When true, async conditions are awaited.
-     * When false (default), only synchronous conditions are supported
-     * and evaluate is guaranteed synchronous.
-     */
-    asyncConditions?: boolean;
-    /**
-     * When true, evaluate() throws if tenantId is omitted and the subject
-     * has any tenant-scoped role assignments. Prevents accidental
-     * cross-tenant privilege escalation.
-     */
-    strictTenancy?: boolean;
-}
-//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,MAAM,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AAEjD,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,MAAM,SAAS,CAAC,CAAC,SAAS,gBAAgB,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC;AAC/D,MAAM,MAAM,aAAa,CAAC,CAAC,SAAS,gBAAgB,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC;AACvE,MAAM,MAAM,WAAW,CAAC,CAAC,SAAS,gBAAgB,IAAI,CAAC,CAAC,SAAS,CAAC,CAAC;AACnE,MAAM,MAAM,aAAa,CAAC,CAAC,SAAS,gBAAgB,IAAI,CAAC,CAAC,UAAU,CAAC,SAAS,MAAM,GAChF,CAAC,CAAC,UAAU,CAAC,GACb,MAAM,CAAC;AAMX,MAAM,WAAW,cAAc,CAAC,CAAC,SAAS,gBAAgB;IACxD,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IACnB,QAAQ,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,OAAO,CAAC,CAAC,SAAS,gBAAgB;IACjD,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAMD,MAAM,WAAW,eAAe;IAC9B,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAMD,MAAM,WAAW,iBAAiB,CAAC,CAAC,SAAS,gBAAgB;IAC3D,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;IACpB,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IACvB,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IAC3B,eAAe,EAAE,eAAe,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;AAMD,MAAM,MAAM,SAAS,CAAC,CAAC,SAAS,gBAAgB,IAAI,CAClD,GAAG,EAAE,iBAAiB,CAAC,CAAC,CAAC,KACtB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAMhC,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,MAAM,CAAC;AAE5C,MAAM,WAAW,UAAU,CAAC,CAAC,SAAS,gBAAgB;IACpD,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC;IACrC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC;IACzC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC;IAC7C,QAAQ,CAAC,UAAU,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;IACrC;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAMD,MAAM,WAAW,QAAQ,CAAC,CAAC,SAAS,gBAAgB;IAClD,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,YAAY,GAAG,cAAc,CAAC;IACtC,WAAW,EAAE,UAAU,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAClC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;IACpB,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IACvB,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;IAC3B,eAAe,EAAE,eAAe,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;CAChB;AAMD,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,sBAAsB,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,CAAC,SAAS,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,UAAU,CAc1F;AAMD,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc,CAAC,CAAC,SAAS,gBAAgB;IACxD,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;IACpB,WAAW,EAAE,OAAO,CAAC;IACrB,aAAa,EAAE,OAAO,CAAC;IACvB,eAAe,EAAE,OAAO,CAAC;IACzB,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,gBAAgB;IACvD,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,YAAY,GAAG,cAAc,CAAC;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;IACpC,UAAU,EAAE,MAAM,CAAC;CACpB;AAMD,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,gBAAgB,IAAI,CACzD,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,KAClB,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE1B,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,cAAc,KAAK,IAAI,CAAC;AAMlE,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,gBAAgB;IACvD,MAAM,EAAE,CAAC,CAAC;IACV,aAAa,CAAC,EAAE,YAAY,CAAC;IAC7B,UAAU,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC;IACjC,gBAAgB,CAAC,EAAE,qBAAqB,CAAC;IACzC;;;;OAIG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B;;;;OAIG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB"}

package/dist/types.js

@@ -1,27 +0,0 @@
-/**
- * Core type definitions for the authorization engine.
- *
- * The type system is designed so that defining a schema once
- * propagates full autocomplete through every API surface:
- * policies, checks, audits, and middleware.
- */
-/**
- * Convert a Decision to a serialization-safe AuditEntry
- * (strips functions, large objects, and condition references).
- */
-export function toAuditEntry(decision) {
-    return {
-        allowed: decision.allowed,
-        effect: decision.effect,
-        matchedRuleId: decision.matchedRule?.id ?? null,
-        matchedRuleDescription: decision.matchedRule?.description ?? null,
-        subjectId: decision.subject.id,
-        action: decision.action,
-        resource: decision.resource,
-        tenantId: decision.tenantId,
-        timestamp: decision.timestamp,
-        durationMs: decision.durationMs,
-        reason: decision.reason,
-    };
-}
-//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAiIH;;;GAGG;AACH,MAAM,UAAU,YAAY,CAA6B,QAAqB;IAC5E,OAAO;QACL,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,aAAa,EAAE,QAAQ,CAAC,WAAW,EAAE,EAAE,IAAI,IAAI;QAC/C,sBAAsB,EAAE,QAAQ,CAAC,WAAW,EAAE,WAAW,IAAI,IAAI;QACjE,SAAS,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE;QAC9B,MAAM,EAAE,QAAQ,CAAC,MAAgB;QACjC,QAAQ,EAAE,QAAQ,CAAC,QAAkB;QACrC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,MAAM,EAAE,QAAQ,CAAC,MAAM;KACxB,CAAC;AACJ,CAAC"}