@siremzam/sentinel 0.3.1 → 0.3.2

package/dist/middleware/nestjs.cjs

@@ -0,0 +1,84 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/middleware/nestjs.ts
+var nestjs_exports = {};
+__export(nestjs_exports, {
+  createAuthGuard: () => createAuthGuard,
+  createAuthorizeDecorator: () => createAuthorizeDecorator,
+  getAuthorizeMetadata: () => getAuthorizeMetadata
+});
+module.exports = __toCommonJS(nestjs_exports);
+var metadataStore = /* @__PURE__ */ new WeakMap();
+function getAuthorizeMetadata(...targets) {
+  for (const target of targets) {
+    const meta = metadataStore.get(target);
+    if (meta) return meta;
+  }
+  return void 0;
+}
+function createAuthorizeDecorator() {
+  return function Authorize(action, resource) {
+    return (_target, _propertyKey, descriptor) => {
+      if (!descriptor?.value) return descriptor;
+      const metadata = {
+        action,
+        resource
+      };
+      metadataStore.set(descriptor.value, metadata);
+      return descriptor;
+    };
+  };
+}
+function createAuthGuard(options) {
+  const { engine, getSubject, getResourceContext, getTenantId } = options;
+  class AccessControlGuard {
+    canActivate(context) {
+      const handler = context.getHandler();
+      const cls = context.getClass();
+      const metadata = getAuthorizeMetadata(handler, cls);
+      if (!metadata) return true;
+      const request = context.switchToHttp().getRequest();
+      const subject = getSubject(request);
+      if (!subject) return false;
+      try {
+        const resourceContext = getResourceContext?.(request) ?? {};
+        const tenantId = getTenantId?.(request);
+        const decision = engine.evaluate(
+          subject,
+          metadata.action,
+          metadata.resource,
+          resourceContext,
+          tenantId
+        );
+        return decision.allowed;
+      } catch {
+        return false;
+      }
+    }
+  }
+  return AccessControlGuard;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuthGuard,
+  createAuthorizeDecorator,
+  getAuthorizeMetadata
+});
+//# sourceMappingURL=nestjs.cjs.map

package/dist/middleware/nestjs.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/middleware/nestjs.ts"],"sourcesContent":["import type { AccessEngine } from \"../engine.js\";\nimport type { SchemaDefinition, InferAction, InferResource, Subject, ResourceContext } from \"../types.js\";\n\n/**\n * NestJS-compatible guard and decorator factory.\n *\n * Since we don't want a hard dependency on @nestjs/common or reflect-metadata,\n * this module uses a WeakMap to store metadata and provides factory functions\n * that produce NestJS-shaped guards and decorators.\n */\n\n// ---------------------------------------------------------------------------\n// Minimal NestJS interfaces (avoids @nestjs/common dependency)\n// ---------------------------------------------------------------------------\n\ninterface ExecutionContext {\n  switchToHttp(): {\n    getRequest(): Record<string, unknown>;\n    getResponse(): Record<string, unknown>;\n  };\n  getHandler(): (...args: unknown[]) => unknown;\n  getClass(): new (...args: unknown[]) => unknown;\n}\n\ninterface CanActivate {\n  canActivate(context: ExecutionContext): boolean | Promise<boolean>;\n}\n\n// ---------------------------------------------------------------------------\n// Metadata storage (no reflect-metadata needed)\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizeMetadata {\n  action: string;\n  resource: string;\n}\n\nconst metadataStore = new WeakMap<object, AuthorizeMetadata>();\n\n/**\n * Retrieve stored authorization metadata for a handler or class.\n */\nexport function getAuthorizeMetadata(\n  ...targets: object[]\n): AuthorizeMetadata | undefined {\n  for (const target of targets) {\n    const meta = metadataStore.get(target);\n    if (meta) return meta;\n  }\n  return undefined;\n}\n\n/**\n * Creates a method decorator that stores authorization metadata.\n *\n * Usage in a NestJS controller:\n * ```ts\n * const Authorize = createAuthorizeDecorator<MySchema>();\n *\n * @Controller(\"invoices\")\n * class InvoiceController {\n *   @Post(\":id/approve\")\n *   @Authorize(\"invoice:approve\", \"invoice\")\n *   approve(@Param(\"id\") id: string) { ... }\n * }\n * ```\n */\nexport function createAuthorizeDecorator<S extends SchemaDefinition>() {\n  return function Authorize(\n    action: InferAction<S>,\n    resource: InferResource<S>,\n  ): MethodDecorator {\n    return (_target, _propertyKey, descriptor: PropertyDescriptor) => {\n      if (!descriptor?.value) return descriptor;\n      const metadata: AuthorizeMetadata = {\n        action: action as string,\n        resource: resource as string,\n      };\n      metadataStore.set(descriptor.value as object, metadata);\n      return descriptor;\n    };\n  };\n}\n\n// ---------------------------------------------------------------------------\n// Guard factory\n// ---------------------------------------------------------------------------\n\nexport interface NestGuardOptions<S extends SchemaDefinition> {\n  engine: AccessEngine<S>;\n  getSubject: (request: Record<string, unknown>) => Subject<S> | undefined;\n  getResourceContext?: (request: Record<string, unknown>) => ResourceContext;\n  getTenantId?: (request: Record<string, unknown>) => string | undefined;\n}\n\n/**\n * Creates a NestJS CanActivate guard class.\n *\n * Usage:\n * ```ts\n * const AuthGuard = createAuthGuard({\n *   engine,\n *   getSubject: (req) => req.user as Subject<MySchema>,\n * });\n *\n * // Use as a global guard:\n * app.useGlobalGuards(new AuthGuard());\n * ```\n */\nexport function createAuthGuard<S extends SchemaDefinition>(\n  options: NestGuardOptions<S>,\n): new () => CanActivate {\n  const { engine, getSubject, getResourceContext, getTenantId } = options;\n\n  class AccessControlGuard implements CanActivate {\n    canActivate(context: ExecutionContext): boolean {\n      const handler = context.getHandler();\n      const cls = context.getClass();\n      const metadata = getAuthorizeMetadata(handler, cls);\n\n      if (!metadata) return true;\n\n      const request = context.switchToHttp().getRequest();\n      const subject = getSubject(request);\n      if (!subject) return false;\n\n      try {\n        const resourceContext = getResourceContext?.(request) ?? {};\n        const tenantId = getTenantId?.(request);\n\n        const decision = engine.evaluate(\n          subject,\n          metadata.action as Parameters<typeof engine.evaluate>[1],\n          metadata.resource as Parameters<typeof engine.evaluate>[2],\n          resourceContext,\n          tenantId,\n        );\n\n        return decision.allowed;\n      } catch {\n        return false;\n      }\n    }\n  }\n\n  return AccessControlGuard;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAqCA,IAAM,gBAAgB,oBAAI,QAAmC;AAKtD,SAAS,wBACX,SAC4B;AAC/B,aAAW,UAAU,SAAS;AAC5B,UAAM,OAAO,cAAc,IAAI,MAAM;AACrC,QAAI,KAAM,QAAO;AAAA,EACnB;AACA,SAAO;AACT;AAiBO,SAAS,2BAAuD;AACrE,SAAO,SAAS,UACd,QACA,UACiB;AACjB,WAAO,CAAC,SAAS,cAAc,eAAmC;AAChE,UAAI,CAAC,YAAY,MAAO,QAAO;AAC/B,YAAM,WAA8B;AAAA,QAClC;AAAA,QACA;AAAA,MACF;AACA,oBAAc,IAAI,WAAW,OAAiB,QAAQ;AACtD,aAAO;AAAA,IACT;AAAA,EACF;AACF;AA2BO,SAAS,gBACd,SACuB;AACvB,QAAM,EAAE,QAAQ,YAAY,oBAAoB,YAAY,IAAI;AAAA,EAEhE,MAAM,mBAA0C;AAAA,IAC9C,YAAY,SAAoC;AAC9C,YAAM,UAAU,QAAQ,WAAW;AACnC,YAAM,MAAM,QAAQ,SAAS;AAC7B,YAAM,WAAW,qBAAqB,SAAS,GAAG;AAElD,UAAI,CAAC,SAAU,QAAO;AAEtB,YAAM,UAAU,QAAQ,aAAa,EAAE,WAAW;AAClD,YAAM,UAAU,WAAW,OAAO;AAClC,UAAI,CAAC,QAAS,QAAO;AAErB,UAAI;AACF,cAAM,kBAAkB,qBAAqB,OAAO,KAAK,CAAC;AAC1D,cAAM,WAAW,cAAc,OAAO;AAEtC,cAAM,WAAW,OAAO;AAAA,UACtB;AAAA,UACA,SAAS;AAAA,UACT,SAAS;AAAA,UACT;AAAA,UACA;AAAA,QACF;AAEA,eAAO,SAAS;AAAA,MAClB,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;","names":[]}

package/dist/middleware/nestjs.d.cts

@@ -0,0 +1,67 @@
+import { S as SchemaDefinition, A as AccessEngine, r as Subject, R as ResourceContext, I as InferAction, k as InferResource } from '../engine-C6IASR5F.cjs';
+
+/**
+ * NestJS-compatible guard and decorator factory.
+ *
+ * Since we don't want a hard dependency on @nestjs/common or reflect-metadata,
+ * this module uses a WeakMap to store metadata and provides factory functions
+ * that produce NestJS-shaped guards and decorators.
+ */
+interface ExecutionContext {
+    switchToHttp(): {
+        getRequest(): Record<string, unknown>;
+        getResponse(): Record<string, unknown>;
+    };
+    getHandler(): (...args: unknown[]) => unknown;
+    getClass(): new (...args: unknown[]) => unknown;
+}
+interface CanActivate {
+    canActivate(context: ExecutionContext): boolean | Promise<boolean>;
+}
+interface AuthorizeMetadata {
+    action: string;
+    resource: string;
+}
+/**
+ * Retrieve stored authorization metadata for a handler or class.
+ */
+declare function getAuthorizeMetadata(...targets: object[]): AuthorizeMetadata | undefined;
+/**
+ * Creates a method decorator that stores authorization metadata.
+ *
+ * Usage in a NestJS controller:
+ * ```ts
+ * const Authorize = createAuthorizeDecorator<MySchema>();
+ *
+ * @Controller("invoices")
+ * class InvoiceController {
+ *   @Post(":id/approve")
+ *   @Authorize("invoice:approve", "invoice")
+ *   approve(@Param("id") id: string) { ... }
+ * }
+ * ```
+ */
+declare function createAuthorizeDecorator<S extends SchemaDefinition>(): (action: InferAction<S>, resource: InferResource<S>) => MethodDecorator;
+interface NestGuardOptions<S extends SchemaDefinition> {
+    engine: AccessEngine<S>;
+    getSubject: (request: Record<string, unknown>) => Subject<S> | undefined;
+    getResourceContext?: (request: Record<string, unknown>) => ResourceContext;
+    getTenantId?: (request: Record<string, unknown>) => string | undefined;
+}
+/**
+ * Creates a NestJS CanActivate guard class.
+ *
+ * Usage:
+ * ```ts
+ * const AuthGuard = createAuthGuard({
+ *   engine,
+ *   getSubject: (req) => req.user as Subject<MySchema>,
+ * });
+ *
+ * // Use as a global guard:
+ * app.useGlobalGuards(new AuthGuard());
+ * ```
+ */
+declare function createAuthGuard<S extends SchemaDefinition>(options: NestGuardOptions<S>): new () => CanActivate;
+
+export { type AuthorizeMetadata, type NestGuardOptions, createAuthGuard, createAuthorizeDecorator, getAuthorizeMetadata };

package/dist/middleware/nestjs.d.ts

@@ -1,5 +1,5 @@
-import type { AccessEngine } from "../engine.js";
-import type { SchemaDefinition, InferAction, InferResource, Subject, ResourceContext } from "../types.js";
+import { S as SchemaDefinition, A as AccessEngine, r as Subject, R as ResourceContext, I as InferAction, k as InferResource } from '../engine-C6IASR5F.js';
+
 /**
  * NestJS-compatible guard and decorator factory.
  *
@@ -18,14 +18,14 @@ interface ExecutionContext {
 interface CanActivate {
     canActivate(context: ExecutionContext): boolean | Promise<boolean>;
 }
-export interface AuthorizeMetadata {
+interface AuthorizeMetadata {
     action: string;
     resource: string;
 }
 /**
  * Retrieve stored authorization metadata for a handler or class.
  */
-export declare function getAuthorizeMetadata(...targets: object[]): AuthorizeMetadata | undefined;
+declare function getAuthorizeMetadata(...targets: object[]): AuthorizeMetadata | undefined;
 /**
  * Creates a method decorator that stores authorization metadata.
  *
@@ -41,8 +41,8 @@ export declare function getAuthorizeMetadata(...targets: object[]): AuthorizeMet
  * }
  * ```
  */
-export declare function createAuthorizeDecorator<S extends SchemaDefinition>(): (action: InferAction<S>, resource: InferResource<S>) => MethodDecorator;
-export interface NestGuardOptions<S extends SchemaDefinition> {
+declare function createAuthorizeDecorator<S extends SchemaDefinition>(): (action: InferAction<S>, resource: InferResource<S>) => MethodDecorator;
+interface NestGuardOptions<S extends SchemaDefinition> {
     engine: AccessEngine<S>;
     getSubject: (request: Record<string, unknown>) => Subject<S> | undefined;
     getResourceContext?: (request: Record<string, unknown>) => ResourceContext;
@@ -62,6 +62,6 @@ export interface NestGuardOptions<S extends SchemaDefinition> {
  * app.useGlobalGuards(new AuthGuard());
  * ```
  */
-export declare function createAuthGuard<S extends SchemaDefinition>(options: NestGuardOptions<S>): new () => CanActivate;
-export {};
-//# sourceMappingURL=nestjs.d.ts.map
+declare function createAuthGuard<S extends SchemaDefinition>(options: NestGuardOptions<S>): new () => CanActivate;
+
+export { type AuthorizeMetadata, type NestGuardOptions, createAuthGuard, createAuthorizeDecorator, getAuthorizeMetadata };

package/dist/middleware/nestjs.js

@@ -1,82 +1,57 @@
-const metadataStore = new WeakMap();
-/**
- * Retrieve stored authorization metadata for a handler or class.
- */
-export function getAuthorizeMetadata(...targets) {
-    for (const target of targets) {
-        const meta = metadataStore.get(target);
-        if (meta)
-            return meta;
-    }
-    return undefined;
+// src/middleware/nestjs.ts
+var metadataStore = /* @__PURE__ */ new WeakMap();
+function getAuthorizeMetadata(...targets) {
+  for (const target of targets) {
+    const meta = metadataStore.get(target);
+    if (meta) return meta;
+  }
+  return void 0;
 }
-/**
- * Creates a method decorator that stores authorization metadata.
- *
- * Usage in a NestJS controller:
- * ```ts
- * const Authorize = createAuthorizeDecorator<MySchema>();
- *
- * @Controller("invoices")
- * class InvoiceController {
- *   @Post(":id/approve")
- *   @Authorize("invoice:approve", "invoice")
- *   approve(@Param("id") id: string) { ... }
- * }
- * ```
- */
-export function createAuthorizeDecorator() {
-    return function Authorize(action, resource) {
-        return (_target, _propertyKey, descriptor) => {
-            if (!descriptor?.value)
-                return descriptor;
-            const metadata = {
-                action: action,
-                resource: resource,
-            };
-            metadataStore.set(descriptor.value, metadata);
-            return descriptor;
-        };
+function createAuthorizeDecorator() {
+  return function Authorize(action, resource) {
+    return (_target, _propertyKey, descriptor) => {
+      if (!descriptor?.value) return descriptor;
+      const metadata = {
+        action,
+        resource
+      };
+      metadataStore.set(descriptor.value, metadata);
+      return descriptor;
     };
+  };
 }
-/**
- * Creates a NestJS CanActivate guard class.
- *
- * Usage:
- * ```ts
- * const AuthGuard = createAuthGuard({
- *   engine,
- *   getSubject: (req) => req.user as Subject<MySchema>,
- * });
- *
- * // Use as a global guard:
- * app.useGlobalGuards(new AuthGuard());
- * ```
- */
-export function createAuthGuard(options) {
-    const { engine, getSubject, getResourceContext, getTenantId } = options;
-    class AccessControlGuard {
-        canActivate(context) {
-            const handler = context.getHandler();
-            const cls = context.getClass();
-            const metadata = getAuthorizeMetadata(handler, cls);
-            if (!metadata)
-                return true;
-            const request = context.switchToHttp().getRequest();
-            const subject = getSubject(request);
-            if (!subject)
-                return false;
-            try {
-                const resourceContext = getResourceContext?.(request) ?? {};
-                const tenantId = getTenantId?.(request);
-                const decision = engine.evaluate(subject, metadata.action, metadata.resource, resourceContext, tenantId);
-                return decision.allowed;
-            }
-            catch {
-                return false;
-            }
-        }
+function createAuthGuard(options) {
+  const { engine, getSubject, getResourceContext, getTenantId } = options;
+  class AccessControlGuard {
+    canActivate(context) {
+      const handler = context.getHandler();
+      const cls = context.getClass();
+      const metadata = getAuthorizeMetadata(handler, cls);
+      if (!metadata) return true;
+      const request = context.switchToHttp().getRequest();
+      const subject = getSubject(request);
+      if (!subject) return false;
+      try {
+        const resourceContext = getResourceContext?.(request) ?? {};
+        const tenantId = getTenantId?.(request);
+        const decision = engine.evaluate(
+          subject,
+          metadata.action,
+          metadata.resource,
+          resourceContext,
+          tenantId
+        );
+        return decision.allowed;
+      } catch {
+        return false;
+      }
     }
-    return AccessControlGuard;
+  }
+  return AccessControlGuard;
 }
+export {
+  createAuthGuard,
+  createAuthorizeDecorator,
+  getAuthorizeMetadata
+};
 //# sourceMappingURL=nestjs.js.map

package/dist/middleware/nestjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"nestjs.js","sourceRoot":"","sources":["../../src/middleware/nestjs.ts"],"names":[],"mappings":"AAqCA,MAAM,aAAa,GAAG,IAAI,OAAO,EAA6B,CAAC;AAE/D;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAG,OAAiB;IAEpB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;IACxB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,SAAS,SAAS,CACvB,MAAsB,EACtB,QAA0B;QAE1B,OAAO,CAAC,OAAO,EAAE,YAAY,EAAE,UAA8B,EAAE,EAAE;YAC/D,IAAI,CAAC,UAAU,EAAE,KAAK;gBAAE,OAAO,UAAU,CAAC;YAC1C,MAAM,QAAQ,GAAsB;gBAClC,MAAM,EAAE,MAAgB;gBACxB,QAAQ,EAAE,QAAkB;aAC7B,CAAC;YACF,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,KAAe,EAAE,QAAQ,CAAC,CAAC;YACxD,OAAO,UAAU,CAAC;QACpB,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAaD;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAC7B,OAA4B;IAE5B,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,kBAAkB,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAExE,MAAM,kBAAkB;QACtB,WAAW,CAAC,OAAyB;YACnC,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,oBAAoB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAEpD,IAAI,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAE3B,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;YACpD,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;YACpC,IAAI,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC;YAE3B,IAAI,CAAC;gBACH,MAAM,eAAe,GAAG,kBAAkB,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBAC5D,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC;gBAExC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAC9B,OAAO,EACP,QAAQ,CAAC,MAA+C,EACxD,QAAQ,CAAC,QAAiD,EAC1D,eAAe,EACf,QAAQ,CACT,CAAC;gBAEF,OAAO,QAAQ,CAAC,OAAO,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF;IAED,OAAO,kBAAkB,CAAC;AAC5B,CAAC"}
+{"version":3,"sources":["../../src/middleware/nestjs.ts"],"sourcesContent":["import type { AccessEngine } from \"../engine.js\";\nimport type { SchemaDefinition, InferAction, InferResource, Subject, ResourceContext } from \"../types.js\";\n\n/**\n * NestJS-compatible guard and decorator factory.\n *\n * Since we don't want a hard dependency on @nestjs/common or reflect-metadata,\n * this module uses a WeakMap to store metadata and provides factory functions\n * that produce NestJS-shaped guards and decorators.\n */\n\n// ---------------------------------------------------------------------------\n// Minimal NestJS interfaces (avoids @nestjs/common dependency)\n// ---------------------------------------------------------------------------\n\ninterface ExecutionContext {\n  switchToHttp(): {\n    getRequest(): Record<string, unknown>;\n    getResponse(): Record<string, unknown>;\n  };\n  getHandler(): (...args: unknown[]) => unknown;\n  getClass(): new (...args: unknown[]) => unknown;\n}\n\ninterface CanActivate {\n  canActivate(context: ExecutionContext): boolean | Promise<boolean>;\n}\n\n// ---------------------------------------------------------------------------\n// Metadata storage (no reflect-metadata needed)\n// ---------------------------------------------------------------------------\n\nexport interface AuthorizeMetadata {\n  action: string;\n  resource: string;\n}\n\nconst metadataStore = new WeakMap<object, AuthorizeMetadata>();\n\n/**\n * Retrieve stored authorization metadata for a handler or class.\n */\nexport function getAuthorizeMetadata(\n  ...targets: object[]\n): AuthorizeMetadata | undefined {\n  for (const target of targets) {\n    const meta = metadataStore.get(target);\n    if (meta) return meta;\n  }\n  return undefined;\n}\n\n/**\n * Creates a method decorator that stores authorization metadata.\n *\n * Usage in a NestJS controller:\n * ```ts\n * const Authorize = createAuthorizeDecorator<MySchema>();\n *\n * @Controller(\"invoices\")\n * class InvoiceController {\n *   @Post(\":id/approve\")\n *   @Authorize(\"invoice:approve\", \"invoice\")\n *   approve(@Param(\"id\") id: string) { ... }\n * }\n * ```\n */\nexport function createAuthorizeDecorator<S extends SchemaDefinition>() {\n  return function Authorize(\n    action: InferAction<S>,\n    resource: InferResource<S>,\n  ): MethodDecorator {\n    return (_target, _propertyKey, descriptor: PropertyDescriptor) => {\n      if (!descriptor?.value) return descriptor;\n      const metadata: AuthorizeMetadata = {\n        action: action as string,\n        resource: resource as string,\n      };\n      metadataStore.set(descriptor.value as object, metadata);\n      return descriptor;\n    };\n  };\n}\n\n// ---------------------------------------------------------------------------\n// Guard factory\n// ---------------------------------------------------------------------------\n\nexport interface NestGuardOptions<S extends SchemaDefinition> {\n  engine: AccessEngine<S>;\n  getSubject: (request: Record<string, unknown>) => Subject<S> | undefined;\n  getResourceContext?: (request: Record<string, unknown>) => ResourceContext;\n  getTenantId?: (request: Record<string, unknown>) => string | undefined;\n}\n\n/**\n * Creates a NestJS CanActivate guard class.\n *\n * Usage:\n * ```ts\n * const AuthGuard = createAuthGuard({\n *   engine,\n *   getSubject: (req) => req.user as Subject<MySchema>,\n * });\n *\n * // Use as a global guard:\n * app.useGlobalGuards(new AuthGuard());\n * ```\n */\nexport function createAuthGuard<S extends SchemaDefinition>(\n  options: NestGuardOptions<S>,\n): new () => CanActivate {\n  const { engine, getSubject, getResourceContext, getTenantId } = options;\n\n  class AccessControlGuard implements CanActivate {\n    canActivate(context: ExecutionContext): boolean {\n      const handler = context.getHandler();\n      const cls = context.getClass();\n      const metadata = getAuthorizeMetadata(handler, cls);\n\n      if (!metadata) return true;\n\n      const request = context.switchToHttp().getRequest();\n      const subject = getSubject(request);\n      if (!subject) return false;\n\n      try {\n        const resourceContext = getResourceContext?.(request) ?? {};\n        const tenantId = getTenantId?.(request);\n\n        const decision = engine.evaluate(\n          subject,\n          metadata.action as Parameters<typeof engine.evaluate>[1],\n          metadata.resource as Parameters<typeof engine.evaluate>[2],\n          resourceContext,\n          tenantId,\n        );\n\n        return decision.allowed;\n      } catch {\n        return false;\n      }\n    }\n  }\n\n  return AccessControlGuard;\n}\n"],"mappings":";AAqCA,IAAM,gBAAgB,oBAAI,QAAmC;AAKtD,SAAS,wBACX,SAC4B;AAC/B,aAAW,UAAU,SAAS;AAC5B,UAAM,OAAO,cAAc,IAAI,MAAM;AACrC,QAAI,KAAM,QAAO;AAAA,EACnB;AACA,SAAO;AACT;AAiBO,SAAS,2BAAuD;AACrE,SAAO,SAAS,UACd,QACA,UACiB;AACjB,WAAO,CAAC,SAAS,cAAc,eAAmC;AAChE,UAAI,CAAC,YAAY,MAAO,QAAO;AAC/B,YAAM,WAA8B;AAAA,QAClC;AAAA,QACA;AAAA,MACF;AACA,oBAAc,IAAI,WAAW,OAAiB,QAAQ;AACtD,aAAO;AAAA,IACT;AAAA,EACF;AACF;AA2BO,SAAS,gBACd,SACuB;AACvB,QAAM,EAAE,QAAQ,YAAY,oBAAoB,YAAY,IAAI;AAAA,EAEhE,MAAM,mBAA0C;AAAA,IAC9C,YAAY,SAAoC;AAC9C,YAAM,UAAU,QAAQ,WAAW;AACnC,YAAM,MAAM,QAAQ,SAAS;AAC7B,YAAM,WAAW,qBAAqB,SAAS,GAAG;AAElD,UAAI,CAAC,SAAU,QAAO;AAEtB,YAAM,UAAU,QAAQ,aAAa,EAAE,WAAW;AAClD,YAAM,UAAU,WAAW,OAAO;AAClC,UAAI,CAAC,QAAS,QAAO;AAErB,UAAI;AACF,cAAM,kBAAkB,qBAAqB,OAAO,KAAK,CAAC;AAC1D,cAAM,WAAW,cAAc,OAAO;AAEtC,cAAM,WAAW,OAAO;AAAA,UACtB;AAAA,UACA,SAAS;AAAA,UACT,SAAS;AAAA,UACT;AAAA,UACA;AAAA,QACF;AAEA,eAAO,SAAS;AAAA,MAClB,QAAQ;AACN,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;","names":[]}

package/dist/server.cjs

@@ -0,0 +1,184 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server.ts
+var server_exports = {};
+__export(server_exports, {
+  createAuthServer: () => createAuthServer
+});
+module.exports = __toCommonJS(server_exports);
+var import_node_http = require("http");
+var DEFAULT_MAX_BODY_BYTES = 1024 * 1024;
+function readBody(req, maxBytes) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let received = 0;
+    let settled = false;
+    function settle(fn) {
+      if (!settled) {
+        settled = true;
+        fn();
+      }
+    }
+    req.on("data", (chunk) => {
+      if (settled) return;
+      received += chunk.length;
+      if (received > maxBytes) {
+        req.resume();
+        settle(() => reject(new Error(`Request body exceeds ${maxBytes} bytes`)));
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => {
+      settle(() => resolve(Buffer.concat(chunks).toString("utf-8")));
+    });
+    req.on("error", (err) => {
+      settle(() => reject(err));
+    });
+  });
+}
+function sendJson(res, status, body) {
+  const json = JSON.stringify(body);
+  res.writeHead(status, {
+    "Content-Type": "application/json",
+    "Content-Length": Buffer.byteLength(json)
+  });
+  res.end(json);
+}
+function createAuthServer(options) {
+  const {
+    engine,
+    port = 3100,
+    host = "0.0.0.0",
+    maxBodyBytes = DEFAULT_MAX_BODY_BYTES
+  } = options;
+  const startTime = Date.now();
+  const server = (0, import_node_http.createServer)(async (req, res) => {
+    const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
+    const method = req.method ?? "GET";
+    try {
+      if (options.authenticate) {
+        const authed = await options.authenticate(req);
+        if (authed !== true) {
+          sendJson(res, 401, { error: "Unauthorized" });
+          return;
+        }
+      }
+      if (method === "GET" && pathname === "/health") {
+        const body = {
+          status: "ok",
+          rulesLoaded: engine.getRules().length,
+          uptime: Date.now() - startTime
+        };
+        sendJson(res, 200, body);
+        return;
+      }
+      if (method === "GET" && pathname === "/rules") {
+        const rules = engine.getRules().map((r) => ({
+          id: r.id,
+          effect: r.effect,
+          roles: r.roles,
+          actions: r.actions,
+          resources: r.resources,
+          priority: r.priority,
+          description: r.description,
+          hasConditions: (r.conditions?.length ?? 0) > 0
+        }));
+        sendJson(res, 200, { rules });
+        return;
+      }
+      if (method === "POST" && pathname === "/evaluate") {
+        let raw;
+        try {
+          raw = await readBody(req, maxBodyBytes);
+        } catch (err) {
+          sendJson(res, 413, {
+            error: err instanceof Error ? err.message : "Payload too large"
+          });
+          return;
+        }
+        let body;
+        try {
+          body = JSON.parse(raw);
+        } catch {
+          sendJson(res, 400, { error: "Invalid JSON body" });
+          return;
+        }
+        if (!body.subject || !body.action || !body.resource) {
+          sendJson(res, 400, {
+            error: "Missing required fields: subject, action, resource"
+          });
+          return;
+        }
+        if (typeof body.action !== "string" || typeof body.resource !== "string") {
+          sendJson(res, 400, { error: "action and resource must be strings" });
+          return;
+        }
+        if (typeof body.subject !== "object" || typeof body.subject.id !== "string" || !Array.isArray(body.subject.roles)) {
+          sendJson(res, 400, {
+            error: "subject must have a string id and a roles array"
+          });
+          return;
+        }
+        const subject = options.resolveSubject ? await options.resolveSubject(body) : body.subject;
+        const decision = engine.evaluate(
+          subject,
+          body.action,
+          body.resource,
+          body.resourceContext ?? {},
+          body.tenantId
+        );
+        const response = {
+          allowed: decision.allowed,
+          effect: decision.effect,
+          reason: decision.reason,
+          matchedRuleId: decision.matchedRule?.id ?? null,
+          durationMs: decision.durationMs
+        };
+        sendJson(res, 200, response);
+        return;
+      }
+      sendJson(res, 404, { error: "Not found" });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Internal server error";
+      sendJson(res, 500, { error: message });
+    }
+  });
+  return {
+    start() {
+      return new Promise((resolve) => {
+        server.listen(port, host, () => {
+          resolve();
+        });
+      });
+    },
+    stop() {
+      return new Promise((resolve, reject) => {
+        server.close((err) => err ? reject(err) : resolve());
+      });
+    },
+    httpServer: server
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuthServer
+});
+//# sourceMappingURL=server.cjs.map

package/dist/server.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server.ts"],"sourcesContent":["import { createServer, type IncomingMessage, type ServerResponse } from \"node:http\";\nimport type { AccessEngine } from \"./engine.js\";\nimport type { SchemaDefinition, Subject, ResourceContext } from \"./types.js\";\n\nconst DEFAULT_MAX_BODY_BYTES = 1024 * 1024; // 1 MB\n\n// ---------------------------------------------------------------------------\n// Standalone HTTP authorization server\n// ---------------------------------------------------------------------------\n\nexport interface ServerOptions<S extends SchemaDefinition> {\n  engine: AccessEngine<S>;\n  port?: number;\n  host?: string;\n  /**\n   * Optional hook to resolve a Subject from the request body.\n   * Defaults to using body.subject directly.\n   */\n  resolveSubject?: (body: EvalRequestBody) => Subject<S> | Promise<Subject<S>>;\n  /**\n   * Optional authentication hook. Return true to allow the request,\n   * false to reject with 401. Called before any endpoint logic.\n   * If not provided, all requests are allowed (suitable for internal networks only).\n   */\n  authenticate?: (req: IncomingMessage) => boolean | Promise<boolean>;\n  /** Maximum request body size in bytes. Defaults to 1 MB. */\n  maxBodyBytes?: number;\n}\n\nexport interface EvalRequestBody {\n  subject: {\n    id: string;\n    roles: { role: string; tenantId?: string }[];\n    attributes?: Record<string, unknown>;\n  };\n  action: string;\n  resource: string;\n  resourceContext?: ResourceContext;\n  tenantId?: string;\n}\n\ninterface EvalResponseBody {\n  allowed: boolean;\n  effect: string;\n  reason: string;\n  matchedRuleId: string | null;\n  durationMs: number;\n}\n\ninterface HealthResponse {\n  status: \"ok\";\n  rulesLoaded: number;\n  uptime: number;\n}\n\nfunction readBody(req: IncomingMessage, maxBytes: number): Promise<string> {\n  return new Promise((resolve, reject) => {\n    const chunks: Buffer[] = [];\n    let received = 0;\n    let settled = false;\n\n    function settle(fn: () => void) {\n      if (!settled) {\n        settled = true;\n        fn();\n      }\n    }\n\n    req.on(\"data\", (chunk: Buffer) => {\n      if (settled) return;\n      received += chunk.length;\n      if (received > maxBytes) {\n        req.resume();\n        settle(() => reject(new Error(`Request body exceeds ${maxBytes} bytes`)));\n        return;\n      }\n      chunks.push(chunk);\n    });\n    req.on(\"end\", () => {\n      settle(() => resolve(Buffer.concat(chunks).toString(\"utf-8\")));\n    });\n    req.on(\"error\", (err) => {\n      settle(() => reject(err));\n    });\n  });\n}\n\nfunction sendJson(res: ServerResponse, status: number, body: unknown): void {\n  const json = JSON.stringify(body);\n  res.writeHead(status, {\n    \"Content-Type\": \"application/json\",\n    \"Content-Length\": Buffer.byteLength(json),\n  });\n  res.end(json);\n}\n\n/**\n * Create a standalone HTTP authorization server.\n *\n * Endpoints:\n *   POST /evaluate  — evaluate an authorization request\n *   GET  /health    — health check + rule count\n *   GET  /rules     — list all loaded rules (without conditions)\n *\n * **Security**: This server has no authentication by default.\n * In production, provide an `authenticate` hook or run behind a VPN/service mesh.\n */\nexport function createAuthServer<S extends SchemaDefinition>(\n  options: ServerOptions<S>,\n) {\n  const {\n    engine,\n    port = 3100,\n    host = \"0.0.0.0\",\n    maxBodyBytes = DEFAULT_MAX_BODY_BYTES,\n  } = options;\n  const startTime = Date.now();\n\n  const server = createServer(async (req, res) => {\n    const pathname = new URL(req.url ?? \"/\", \"http://localhost\").pathname;\n    const method = req.method ?? \"GET\";\n\n    try {\n      if (options.authenticate) {\n        const authed = await options.authenticate(req);\n        if (authed !== true) {\n          sendJson(res, 401, { error: \"Unauthorized\" });\n          return;\n        }\n      }\n\n      if (method === \"GET\" && pathname === \"/health\") {\n        const body: HealthResponse = {\n          status: \"ok\",\n          rulesLoaded: engine.getRules().length,\n          uptime: Date.now() - startTime,\n        };\n        sendJson(res, 200, body);\n        return;\n      }\n\n      if (method === \"GET\" && pathname === \"/rules\") {\n        const rules = engine.getRules().map((r) => ({\n          id: r.id,\n          effect: r.effect,\n          roles: r.roles,\n          actions: r.actions,\n          resources: r.resources,\n          priority: r.priority,\n          description: r.description,\n          hasConditions: (r.conditions?.length ?? 0) > 0,\n        }));\n        sendJson(res, 200, { rules });\n        return;\n      }\n\n      if (method === \"POST\" && pathname === \"/evaluate\") {\n        let raw: string;\n        try {\n          raw = await readBody(req, maxBodyBytes);\n        } catch (err) {\n          sendJson(res, 413, {\n            error: err instanceof Error ? err.message : \"Payload too large\",\n          });\n          return;\n        }\n\n        let body: EvalRequestBody;\n        try {\n          body = JSON.parse(raw);\n        } catch {\n          sendJson(res, 400, { error: \"Invalid JSON body\" });\n          return;\n        }\n\n        if (!body.subject || !body.action || !body.resource) {\n          sendJson(res, 400, {\n            error: \"Missing required fields: subject, action, resource\",\n          });\n          return;\n        }\n\n        if (typeof body.action !== \"string\" || typeof body.resource !== \"string\") {\n          sendJson(res, 400, { error: \"action and resource must be strings\" });\n          return;\n        }\n\n        if (\n          typeof body.subject !== \"object\" ||\n          typeof body.subject.id !== \"string\" ||\n          !Array.isArray(body.subject.roles)\n        ) {\n          sendJson(res, 400, {\n            error: \"subject must have a string id and a roles array\",\n          });\n          return;\n        }\n\n        const subject: Subject<S> = options.resolveSubject\n          ? await options.resolveSubject(body)\n          : (body.subject as unknown as Subject<S>);\n\n        const decision = engine.evaluate(\n          subject,\n          body.action as Parameters<typeof engine.evaluate>[1],\n          body.resource as Parameters<typeof engine.evaluate>[2],\n          body.resourceContext ?? {},\n          body.tenantId,\n        );\n\n        const response: EvalResponseBody = {\n          allowed: decision.allowed,\n          effect: decision.effect,\n          reason: decision.reason,\n          matchedRuleId: decision.matchedRule?.id ?? null,\n          durationMs: decision.durationMs,\n        };\n        sendJson(res, 200, response);\n        return;\n      }\n\n      sendJson(res, 404, { error: \"Not found\" });\n    } catch (err) {\n      const message = err instanceof Error ? err.message : \"Internal server error\";\n      sendJson(res, 500, { error: message });\n    }\n  });\n\n  return {\n    start(): Promise<void> {\n      return new Promise((resolve) => {\n        server.listen(port, host, () => {\n          resolve();\n        });\n      });\n    },\n\n    stop(): Promise<void> {\n      return new Promise((resolve, reject) => {\n        server.close((err) => (err ? reject(err) : resolve()));\n      });\n    },\n\n    httpServer: server,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,uBAAwE;AAIxE,IAAM,yBAAyB,OAAO;AAmDtC,SAAS,SAAS,KAAsB,UAAmC;AACzE,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,SAAmB,CAAC;AAC1B,QAAI,WAAW;AACf,QAAI,UAAU;AAEd,aAAS,OAAO,IAAgB;AAC9B,UAAI,CAAC,SAAS;AACZ,kBAAU;AACV,WAAG;AAAA,MACL;AAAA,IACF;AAEA,QAAI,GAAG,QAAQ,CAAC,UAAkB;AAChC,UAAI,QAAS;AACb,kBAAY,MAAM;AAClB,UAAI,WAAW,UAAU;AACvB,YAAI,OAAO;AACX,eAAO,MAAM,OAAO,IAAI,MAAM,wBAAwB,QAAQ,QAAQ,CAAC,CAAC;AACxE;AAAA,MACF;AACA,aAAO,KAAK,KAAK;AAAA,IACnB,CAAC;AACD,QAAI,GAAG,OAAO,MAAM;AAClB,aAAO,MAAM,QAAQ,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO,CAAC,CAAC;AAAA,IAC/D,CAAC;AACD,QAAI,GAAG,SAAS,CAAC,QAAQ;AACvB,aAAO,MAAM,OAAO,GAAG,CAAC;AAAA,IAC1B,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,SAAS,KAAqB,QAAgB,MAAqB;AAC1E,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,MAAI,UAAU,QAAQ;AAAA,IACpB,gBAAgB;AAAA,IAChB,kBAAkB,OAAO,WAAW,IAAI;AAAA,EAC1C,CAAC;AACD,MAAI,IAAI,IAAI;AACd;AAaO,SAAS,iBACd,SACA;AACA,QAAM;AAAA,IACJ;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,IACP,eAAe;AAAA,EACjB,IAAI;AACJ,QAAM,YAAY,KAAK,IAAI;AAE3B,QAAM,aAAS,+BAAa,OAAO,KAAK,QAAQ;AAC9C,UAAM,WAAW,IAAI,IAAI,IAAI,OAAO,KAAK,kBAAkB,EAAE;AAC7D,UAAM,SAAS,IAAI,UAAU;AAE7B,QAAI;AACF,UAAI,QAAQ,cAAc;AACxB,cAAM,SAAS,MAAM,QAAQ,aAAa,GAAG;AAC7C,YAAI,WAAW,MAAM;AACnB,mBAAS,KAAK,KAAK,EAAE,OAAO,eAAe,CAAC;AAC5C;AAAA,QACF;AAAA,MACF;AAEA,UAAI,WAAW,SAAS,aAAa,WAAW;AAC9C,cAAM,OAAuB;AAAA,UAC3B,QAAQ;AAAA,UACR,aAAa,OAAO,SAAS,EAAE;AAAA,UAC/B,QAAQ,KAAK,IAAI,IAAI;AAAA,QACvB;AACA,iBAAS,KAAK,KAAK,IAAI;AACvB;AAAA,MACF;AAEA,UAAI,WAAW,SAAS,aAAa,UAAU;AAC7C,cAAM,QAAQ,OAAO,SAAS,EAAE,IAAI,CAAC,OAAO;AAAA,UAC1C,IAAI,EAAE;AAAA,UACN,QAAQ,EAAE;AAAA,UACV,OAAO,EAAE;AAAA,UACT,SAAS,EAAE;AAAA,UACX,WAAW,EAAE;AAAA,UACb,UAAU,EAAE;AAAA,UACZ,aAAa,EAAE;AAAA,UACf,gBAAgB,EAAE,YAAY,UAAU,KAAK;AAAA,QAC/C,EAAE;AACF,iBAAS,KAAK,KAAK,EAAE,MAAM,CAAC;AAC5B;AAAA,MACF;AAEA,UAAI,WAAW,UAAU,aAAa,aAAa;AACjD,YAAI;AACJ,YAAI;AACF,gBAAM,MAAM,SAAS,KAAK,YAAY;AAAA,QACxC,SAAS,KAAK;AACZ,mBAAS,KAAK,KAAK;AAAA,YACjB,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,UAC9C,CAAC;AACD;AAAA,QACF;AAEA,YAAI;AACJ,YAAI;AACF,iBAAO,KAAK,MAAM,GAAG;AAAA,QACvB,QAAQ;AACN,mBAAS,KAAK,KAAK,EAAE,OAAO,oBAAoB,CAAC;AACjD;AAAA,QACF;AAEA,YAAI,CAAC,KAAK,WAAW,CAAC,KAAK,UAAU,CAAC,KAAK,UAAU;AACnD,mBAAS,KAAK,KAAK;AAAA,YACjB,OAAO;AAAA,UACT,CAAC;AACD;AAAA,QACF;AAEA,YAAI,OAAO,KAAK,WAAW,YAAY,OAAO,KAAK,aAAa,UAAU;AACxE,mBAAS,KAAK,KAAK,EAAE,OAAO,sCAAsC,CAAC;AACnE;AAAA,QACF;AAEA,YACE,OAAO,KAAK,YAAY,YACxB,OAAO,KAAK,QAAQ,OAAO,YAC3B,CAAC,MAAM,QAAQ,KAAK,QAAQ,KAAK,GACjC;AACA,mBAAS,KAAK,KAAK;AAAA,YACjB,OAAO;AAAA,UACT,CAAC;AACD;AAAA,QACF;AAEA,cAAM,UAAsB,QAAQ,iBAChC,MAAM,QAAQ,eAAe,IAAI,IAChC,KAAK;AAEV,cAAM,WAAW,OAAO;AAAA,UACtB;AAAA,UACA,KAAK;AAAA,UACL,KAAK;AAAA,UACL,KAAK,mBAAmB,CAAC;AAAA,UACzB,KAAK;AAAA,QACP;AAEA,cAAM,WAA6B;AAAA,UACjC,SAAS,SAAS;AAAA,UAClB,QAAQ,SAAS;AAAA,UACjB,QAAQ,SAAS;AAAA,UACjB,eAAe,SAAS,aAAa,MAAM;AAAA,UAC3C,YAAY,SAAS;AAAA,QACvB;AACA,iBAAS,KAAK,KAAK,QAAQ;AAC3B;AAAA,MACF;AAEA,eAAS,KAAK,KAAK,EAAE,OAAO,YAAY,CAAC;AAAA,IAC3C,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,eAAS,KAAK,KAAK,EAAE,OAAO,QAAQ,CAAC;AAAA,IACvC;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,QAAuB;AACrB,aAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,eAAO,OAAO,MAAM,MAAM,MAAM;AAC9B,kBAAQ;AAAA,QACV,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAAA,IAEA,OAAsB;AACpB,aAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,eAAO,MAAM,CAAC,QAAS,MAAM,OAAO,GAAG,IAAI,QAAQ,CAAE;AAAA,MACvD,CAAC;AAAA,IACH;AAAA,IAEA,YAAY;AAAA,EACd;AACF;","names":[]}

package/dist/server.d.cts

@@ -0,0 +1,54 @@
+import * as http from 'http';
+import { IncomingMessage, ServerResponse } from 'node:http';
+import { R as ResourceContext, S as SchemaDefinition, A as AccessEngine, r as Subject } from './engine-C6IASR5F.cjs';
+
+interface ServerOptions<S extends SchemaDefinition> {
+    engine: AccessEngine<S>;
+    port?: number;
+    host?: string;
+    /**
+     * Optional hook to resolve a Subject from the request body.
+     * Defaults to using body.subject directly.
+     */
+    resolveSubject?: (body: EvalRequestBody) => Subject<S> | Promise<Subject<S>>;
+    /**
+     * Optional authentication hook. Return true to allow the request,
+     * false to reject with 401. Called before any endpoint logic.
+     * If not provided, all requests are allowed (suitable for internal networks only).
+     */
+    authenticate?: (req: IncomingMessage) => boolean | Promise<boolean>;
+    /** Maximum request body size in bytes. Defaults to 1 MB. */
+    maxBodyBytes?: number;
+}
+interface EvalRequestBody {
+    subject: {
+        id: string;
+        roles: {
+            role: string;
+            tenantId?: string;
+        }[];
+        attributes?: Record<string, unknown>;
+    };
+    action: string;
+    resource: string;
+    resourceContext?: ResourceContext;
+    tenantId?: string;
+}
+/**
+ * Create a standalone HTTP authorization server.
+ *
+ * Endpoints:
+ *   POST /evaluate  — evaluate an authorization request
+ *   GET  /health    — health check + rule count
+ *   GET  /rules     — list all loaded rules (without conditions)
+ *
+ * **Security**: This server has no authentication by default.
+ * In production, provide an `authenticate` hook or run behind a VPN/service mesh.
+ */
+declare function createAuthServer<S extends SchemaDefinition>(options: ServerOptions<S>): {
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    httpServer: http.Server<typeof IncomingMessage, typeof ServerResponse>;
+};
+
+export { type EvalRequestBody, type ServerOptions, createAuthServer };