@siremzam/sentinel 0.3.1 → 0.3.3

package/dist/server.cjs

@@ -0,0 +1,184 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server.ts
+var server_exports = {};
+__export(server_exports, {
+  createAuthServer: () => createAuthServer
+});
+module.exports = __toCommonJS(server_exports);
+var import_node_http = require("http");
+var DEFAULT_MAX_BODY_BYTES = 1024 * 1024;
+function readBody(req, maxBytes) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let received = 0;
+    let settled = false;
+    function settle(fn) {
+      if (!settled) {
+        settled = true;
+        fn();
+      }
+    }
+    req.on("data", (chunk) => {
+      if (settled) return;
+      received += chunk.length;
+      if (received > maxBytes) {
+        req.resume();
+        settle(() => reject(new Error(`Request body exceeds ${maxBytes} bytes`)));
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on("end", () => {
+      settle(() => resolve(Buffer.concat(chunks).toString("utf-8")));
+    });
+    req.on("error", (err) => {
+      settle(() => reject(err));
+    });
+  });
+}
+function sendJson(res, status, body) {
+  const json = JSON.stringify(body);
+  res.writeHead(status, {
+    "Content-Type": "application/json",
+    "Content-Length": Buffer.byteLength(json)
+  });
+  res.end(json);
+}
+function createAuthServer(options) {
+  const {
+    engine,
+    port = 3100,
+    host = "0.0.0.0",
+    maxBodyBytes = DEFAULT_MAX_BODY_BYTES
+  } = options;
+  const startTime = Date.now();
+  const server = (0, import_node_http.createServer)(async (req, res) => {
+    const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
+    const method = req.method ?? "GET";
+    try {
+      if (options.authenticate) {
+        const authed = await options.authenticate(req);
+        if (authed !== true) {
+          sendJson(res, 401, { error: "Unauthorized" });
+          return;
+        }
+      }
+      if (method === "GET" && pathname === "/health") {
+        const body = {
+          status: "ok",
+          rulesLoaded: engine.getRules().length,
+          uptime: Date.now() - startTime
+        };
+        sendJson(res, 200, body);
+        return;
+      }
+      if (method === "GET" && pathname === "/rules") {
+        const rules = engine.getRules().map((r) => ({
+          id: r.id,
+          effect: r.effect,
+          roles: r.roles,
+          actions: r.actions,
+          resources: r.resources,
+          priority: r.priority,
+          description: r.description,
+          hasConditions: (r.conditions?.length ?? 0) > 0
+        }));
+        sendJson(res, 200, { rules });
+        return;
+      }
+      if (method === "POST" && pathname === "/evaluate") {
+        let raw;
+        try {
+          raw = await readBody(req, maxBodyBytes);
+        } catch (err) {
+          sendJson(res, 413, {
+            error: err instanceof Error ? err.message : "Payload too large"
+          });
+          return;
+        }
+        let body;
+        try {
+          body = JSON.parse(raw);
+        } catch {
+          sendJson(res, 400, { error: "Invalid JSON body" });
+          return;
+        }
+        if (!body.subject || !body.action || !body.resource) {
+          sendJson(res, 400, {
+            error: "Missing required fields: subject, action, resource"
+          });
+          return;
+        }
+        if (typeof body.action !== "string" || typeof body.resource !== "string") {
+          sendJson(res, 400, { error: "action and resource must be strings" });
+          return;
+        }
+        if (typeof body.subject !== "object" || typeof body.subject.id !== "string" || !Array.isArray(body.subject.roles)) {
+          sendJson(res, 400, {
+            error: "subject must have a string id and a roles array"
+          });
+          return;
+        }
+        const subject = options.resolveSubject ? await options.resolveSubject(body) : body.subject;
+        const decision = engine.evaluate(
+          subject,
+          body.action,
+          body.resource,
+          body.resourceContext ?? {},
+          body.tenantId
+        );
+        const response = {
+          allowed: decision.allowed,
+          effect: decision.effect,
+          reason: decision.reason,
+          matchedRuleId: decision.matchedRule?.id ?? null,
+          durationMs: decision.durationMs
+        };
+        sendJson(res, 200, response);
+        return;
+      }
+      sendJson(res, 404, { error: "Not found" });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Internal server error";
+      sendJson(res, 500, { error: message });
+    }
+  });
+  return {
+    start() {
+      return new Promise((resolve) => {
+        server.listen(port, host, () => {
+          resolve();
+        });
+      });
+    },
+    stop() {
+      return new Promise((resolve, reject) => {
+        server.close((err) => err ? reject(err) : resolve());
+      });
+    },
+    httpServer: server
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuthServer
+});
+//# sourceMappingURL=server.cjs.map

package/dist/server.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server.ts"],"sourcesContent":["import { createServer, type IncomingMessage, type ServerResponse } from \"node:http\";\nimport type { AccessEngine } from \"./engine.js\";\nimport type { SchemaDefinition, Subject, ResourceContext } from \"./types.js\";\n\nconst DEFAULT_MAX_BODY_BYTES = 1024 * 1024; // 1 MB\n\n// ---------------------------------------------------------------------------\n// Standalone HTTP authorization server\n// ---------------------------------------------------------------------------\n\nexport interface ServerOptions<S extends SchemaDefinition> {\n  engine: AccessEngine<S>;\n  port?: number;\n  host?: string;\n  /**\n   * Optional hook to resolve a Subject from the request body.\n   * Defaults to using body.subject directly.\n   */\n  resolveSubject?: (body: EvalRequestBody) => Subject<S> | Promise<Subject<S>>;\n  /**\n   * Optional authentication hook. Return true to allow the request,\n   * false to reject with 401. Called before any endpoint logic.\n   * If not provided, all requests are allowed (suitable for internal networks only).\n   */\n  authenticate?: (req: IncomingMessage) => boolean | Promise<boolean>;\n  /** Maximum request body size in bytes. Defaults to 1 MB. */\n  maxBodyBytes?: number;\n}\n\nexport interface EvalRequestBody {\n  subject: {\n    id: string;\n    roles: { role: string; tenantId?: string }[];\n    attributes?: Record<string, unknown>;\n  };\n  action: string;\n  resource: string;\n  resourceContext?: ResourceContext;\n  tenantId?: string;\n}\n\ninterface EvalResponseBody {\n  allowed: boolean;\n  effect: string;\n  reason: string;\n  matchedRuleId: string | null;\n  durationMs: number;\n}\n\ninterface HealthResponse {\n  status: \"ok\";\n  rulesLoaded: number;\n  uptime: number;\n}\n\nfunction readBody(req: IncomingMessage, maxBytes: number): Promise<string> {\n  return new Promise((resolve, reject) => {\n    const chunks: Buffer[] = [];\n    let received = 0;\n    let settled = false;\n\n    function settle(fn: () => void) {\n      if (!settled) {\n        settled = true;\n        fn();\n      }\n    }\n\n    req.on(\"data\", (chunk: Buffer) => {\n      if (settled) return;\n      received += chunk.length;\n      if (received > maxBytes) {\n        req.resume();\n        settle(() => reject(new Error(`Request body exceeds ${maxBytes} bytes`)));\n        return;\n      }\n      chunks.push(chunk);\n    });\n    req.on(\"end\", () => {\n      settle(() => resolve(Buffer.concat(chunks).toString(\"utf-8\")));\n    });\n    req.on(\"error\", (err) => {\n      settle(() => reject(err));\n    });\n  });\n}\n\nfunction sendJson(res: ServerResponse, status: number, body: unknown): void {\n  const json = JSON.stringify(body);\n  res.writeHead(status, {\n    \"Content-Type\": \"application/json\",\n    \"Content-Length\": Buffer.byteLength(json),\n  });\n  res.end(json);\n}\n\n/**\n * Create a standalone HTTP authorization server.\n *\n * Endpoints:\n *   POST /evaluate  — evaluate an authorization request\n *   GET  /health    — health check + rule count\n *   GET  /rules     — list all loaded rules (without conditions)\n *\n * **Security**: This server has no authentication by default.\n * In production, provide an `authenticate` hook or run behind a VPN/service mesh.\n */\nexport function createAuthServer<S extends SchemaDefinition>(\n  options: ServerOptions<S>,\n) {\n  const {\n    engine,\n    port = 3100,\n    host = \"0.0.0.0\",\n    maxBodyBytes = DEFAULT_MAX_BODY_BYTES,\n  } = options;\n  const startTime = Date.now();\n\n  const server = createServer(async (req, res) => {\n    const pathname = new URL(req.url ?? \"/\", \"http://localhost\").pathname;\n    const method = req.method ?? \"GET\";\n\n    try {\n      if (options.authenticate) {\n        const authed = await options.authenticate(req);\n        if (authed !== true) {\n          sendJson(res, 401, { error: \"Unauthorized\" });\n          return;\n        }\n      }\n\n      if (method === \"GET\" && pathname === \"/health\") {\n        const body: HealthResponse = {\n          status: \"ok\",\n          rulesLoaded: engine.getRules().length,\n          uptime: Date.now() - startTime,\n        };\n        sendJson(res, 200, body);\n        return;\n      }\n\n      if (method === \"GET\" && pathname === \"/rules\") {\n        const rules = engine.getRules().map((r) => ({\n          id: r.id,\n          effect: r.effect,\n          roles: r.roles,\n          actions: r.actions,\n          resources: r.resources,\n          priority: r.priority,\n          description: r.description,\n          hasConditions: (r.conditions?.length ?? 0) > 0,\n        }));\n        sendJson(res, 200, { rules });\n        return;\n      }\n\n      if (method === \"POST\" && pathname === \"/evaluate\") {\n        let raw: string;\n        try {\n          raw = await readBody(req, maxBodyBytes);\n        } catch (err) {\n          sendJson(res, 413, {\n            error: err instanceof Error ? err.message : \"Payload too large\",\n          });\n          return;\n        }\n\n        let body: EvalRequestBody;\n        try {\n          body = JSON.parse(raw);\n        } catch {\n          sendJson(res, 400, { error: \"Invalid JSON body\" });\n          return;\n        }\n\n        if (!body.subject || !body.action || !body.resource) {\n          sendJson(res, 400, {\n            error: \"Missing required fields: subject, action, resource\",\n          });\n          return;\n        }\n\n        if (typeof body.action !== \"string\" || typeof body.resource !== \"string\") {\n          sendJson(res, 400, { error: \"action and resource must be strings\" });\n          return;\n        }\n\n        if (\n          typeof body.subject !== \"object\" ||\n          typeof body.subject.id !== \"string\" ||\n          !Array.isArray(body.subject.roles)\n        ) {\n          sendJson(res, 400, {\n            error: \"subject must have a string id and a roles array\",\n          });\n          return;\n        }\n\n        const subject: Subject<S> = options.resolveSubject\n          ? await options.resolveSubject(body)\n          : (body.subject as unknown as Subject<S>);\n\n        const decision = engine.evaluate(\n          subject,\n          body.action as Parameters<typeof engine.evaluate>[1],\n          body.resource as Parameters<typeof engine.evaluate>[2],\n          body.resourceContext ?? {},\n          body.tenantId,\n        );\n\n        const response: EvalResponseBody = {\n          allowed: decision.allowed,\n          effect: decision.effect,\n          reason: decision.reason,\n          matchedRuleId: decision.matchedRule?.id ?? null,\n          durationMs: decision.durationMs,\n        };\n        sendJson(res, 200, response);\n        return;\n      }\n\n      sendJson(res, 404, { error: \"Not found\" });\n    } catch (err) {\n      const message = err instanceof Error ? err.message : \"Internal server error\";\n      sendJson(res, 500, { error: message });\n    }\n  });\n\n  return {\n    start(): Promise<void> {\n      return new Promise((resolve) => {\n        server.listen(port, host, () => {\n          resolve();\n        });\n      });\n    },\n\n    stop(): Promise<void> {\n      return new Promise((resolve, reject) => {\n        server.close((err) => (err ? reject(err) : resolve()));\n      });\n    },\n\n    httpServer: server,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,uBAAwE;AAIxE,IAAM,yBAAyB,OAAO;AAmDtC,SAAS,SAAS,KAAsB,UAAmC;AACzE,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,SAAmB,CAAC;AAC1B,QAAI,WAAW;AACf,QAAI,UAAU;AAEd,aAAS,OAAO,IAAgB;AAC9B,UAAI,CAAC,SAAS;AACZ,kBAAU;AACV,WAAG;AAAA,MACL;AAAA,IACF;AAEA,QAAI,GAAG,QAAQ,CAAC,UAAkB;AAChC,UAAI,QAAS;AACb,kBAAY,MAAM;AAClB,UAAI,WAAW,UAAU;AACvB,YAAI,OAAO;AACX,eAAO,MAAM,OAAO,IAAI,MAAM,wBAAwB,QAAQ,QAAQ,CAAC,CAAC;AACxE;AAAA,MACF;AACA,aAAO,KAAK,KAAK;AAAA,IACnB,CAAC;AACD,QAAI,GAAG,OAAO,MAAM;AAClB,aAAO,MAAM,QAAQ,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO,CAAC,CAAC;AAAA,IAC/D,CAAC;AACD,QAAI,GAAG,SAAS,CAAC,QAAQ;AACvB,aAAO,MAAM,OAAO,GAAG,CAAC;AAAA,IAC1B,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,SAAS,KAAqB,QAAgB,MAAqB;AAC1E,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,MAAI,UAAU,QAAQ;AAAA,IACpB,gBAAgB;AAAA,IAChB,kBAAkB,OAAO,WAAW,IAAI;AAAA,EAC1C,CAAC;AACD,MAAI,IAAI,IAAI;AACd;AAaO,SAAS,iBACd,SACA;AACA,QAAM;AAAA,IACJ;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,IACP,eAAe;AAAA,EACjB,IAAI;AACJ,QAAM,YAAY,KAAK,IAAI;AAE3B,QAAM,aAAS,+BAAa,OAAO,KAAK,QAAQ;AAC9C,UAAM,WAAW,IAAI,IAAI,IAAI,OAAO,KAAK,kBAAkB,EAAE;AAC7D,UAAM,SAAS,IAAI,UAAU;AAE7B,QAAI;AACF,UAAI,QAAQ,cAAc;AACxB,cAAM,SAAS,MAAM,QAAQ,aAAa,GAAG;AAC7C,YAAI,WAAW,MAAM;AACnB,mBAAS,KAAK,KAAK,EAAE,OAAO,eAAe,CAAC;AAC5C;AAAA,QACF;AAAA,MACF;AAEA,UAAI,WAAW,SAAS,aAAa,WAAW;AAC9C,cAAM,OAAuB;AAAA,UAC3B,QAAQ;AAAA,UACR,aAAa,OAAO,SAAS,EAAE;AAAA,UAC/B,QAAQ,KAAK,IAAI,IAAI;AAAA,QACvB;AACA,iBAAS,KAAK,KAAK,IAAI;AACvB;AAAA,MACF;AAEA,UAAI,WAAW,SAAS,aAAa,UAAU;AAC7C,cAAM,QAAQ,OAAO,SAAS,EAAE,IAAI,CAAC,OAAO;AAAA,UAC1C,IAAI,EAAE;AAAA,UACN,QAAQ,EAAE;AAAA,UACV,OAAO,EAAE;AAAA,UACT,SAAS,EAAE;AAAA,UACX,WAAW,EAAE;AAAA,UACb,UAAU,EAAE;AAAA,UACZ,aAAa,EAAE;AAAA,UACf,gBAAgB,EAAE,YAAY,UAAU,KAAK;AAAA,QAC/C,EAAE;AACF,iBAAS,KAAK,KAAK,EAAE,MAAM,CAAC;AAC5B;AAAA,MACF;AAEA,UAAI,WAAW,UAAU,aAAa,aAAa;AACjD,YAAI;AACJ,YAAI;AACF,gBAAM,MAAM,SAAS,KAAK,YAAY;AAAA,QACxC,SAAS,KAAK;AACZ,mBAAS,KAAK,KAAK;AAAA,YACjB,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,UAC9C,CAAC;AACD;AAAA,QACF;AAEA,YAAI;AACJ,YAAI;AACF,iBAAO,KAAK,MAAM,GAAG;AAAA,QACvB,QAAQ;AACN,mBAAS,KAAK,KAAK,EAAE,OAAO,oBAAoB,CAAC;AACjD;AAAA,QACF;AAEA,YAAI,CAAC,KAAK,WAAW,CAAC,KAAK,UAAU,CAAC,KAAK,UAAU;AACnD,mBAAS,KAAK,KAAK;AAAA,YACjB,OAAO;AAAA,UACT,CAAC;AACD;AAAA,QACF;AAEA,YAAI,OAAO,KAAK,WAAW,YAAY,OAAO,KAAK,aAAa,UAAU;AACxE,mBAAS,KAAK,KAAK,EAAE,OAAO,sCAAsC,CAAC;AACnE;AAAA,QACF;AAEA,YACE,OAAO,KAAK,YAAY,YACxB,OAAO,KAAK,QAAQ,OAAO,YAC3B,CAAC,MAAM,QAAQ,KAAK,QAAQ,KAAK,GACjC;AACA,mBAAS,KAAK,KAAK;AAAA,YACjB,OAAO;AAAA,UACT,CAAC;AACD;AAAA,QACF;AAEA,cAAM,UAAsB,QAAQ,iBAChC,MAAM,QAAQ,eAAe,IAAI,IAChC,KAAK;AAEV,cAAM,WAAW,OAAO;AAAA,UACtB;AAAA,UACA,KAAK;AAAA,UACL,KAAK;AAAA,UACL,KAAK,mBAAmB,CAAC;AAAA,UACzB,KAAK;AAAA,QACP;AAEA,cAAM,WAA6B;AAAA,UACjC,SAAS,SAAS;AAAA,UAClB,QAAQ,SAAS;AAAA,UACjB,QAAQ,SAAS;AAAA,UACjB,eAAe,SAAS,aAAa,MAAM;AAAA,UAC3C,YAAY,SAAS;AAAA,QACvB;AACA,iBAAS,KAAK,KAAK,QAAQ;AAC3B;AAAA,MACF;AAEA,eAAS,KAAK,KAAK,EAAE,OAAO,YAAY,CAAC;AAAA,IAC3C,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,eAAS,KAAK,KAAK,EAAE,OAAO,QAAQ,CAAC;AAAA,IACvC;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,QAAuB;AACrB,aAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,eAAO,OAAO,MAAM,MAAM,MAAM;AAC9B,kBAAQ;AAAA,QACV,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAAA,IAEA,OAAsB;AACpB,aAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,eAAO,MAAM,CAAC,QAAS,MAAM,OAAO,GAAG,IAAI,QAAQ,CAAE;AAAA,MACvD,CAAC;AAAA,IACH;AAAA,IAEA,YAAY;AAAA,EACd;AACF;","names":[]}

package/dist/server.d.cts

@@ -0,0 +1,54 @@
+import * as http from 'http';
+import { IncomingMessage, ServerResponse } from 'node:http';
+import { R as ResourceContext, S as SchemaDefinition, A as AccessEngine, r as Subject } from './engine-C6IASR5F.cjs';
+
+interface ServerOptions<S extends SchemaDefinition> {
+    engine: AccessEngine<S>;
+    port?: number;
+    host?: string;
+    /**
+     * Optional hook to resolve a Subject from the request body.
+     * Defaults to using body.subject directly.
+     */
+    resolveSubject?: (body: EvalRequestBody) => Subject<S> | Promise<Subject<S>>;
+    /**
+     * Optional authentication hook. Return true to allow the request,
+     * false to reject with 401. Called before any endpoint logic.
+     * If not provided, all requests are allowed (suitable for internal networks only).
+     */
+    authenticate?: (req: IncomingMessage) => boolean | Promise<boolean>;
+    /** Maximum request body size in bytes. Defaults to 1 MB. */
+    maxBodyBytes?: number;
+}
+interface EvalRequestBody {
+    subject: {
+        id: string;
+        roles: {
+            role: string;
+            tenantId?: string;
+        }[];
+        attributes?: Record<string, unknown>;
+    };
+    action: string;
+    resource: string;
+    resourceContext?: ResourceContext;
+    tenantId?: string;
+}
+/**
+ * Create a standalone HTTP authorization server.
+ *
+ * Endpoints:
+ *   POST /evaluate  — evaluate an authorization request
+ *   GET  /health    — health check + rule count
+ *   GET  /rules     — list all loaded rules (without conditions)
+ *
+ * **Security**: This server has no authentication by default.
+ * In production, provide an `authenticate` hook or run behind a VPN/service mesh.
+ */
+declare function createAuthServer<S extends SchemaDefinition>(options: ServerOptions<S>): {
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    httpServer: http.Server<typeof IncomingMessage, typeof ServerResponse>;
+};
+
+export { type EvalRequestBody, type ServerOptions, createAuthServer };

package/dist/server.d.ts

@@ -1,7 +1,8 @@
-import { type IncomingMessage, type ServerResponse } from "node:http";
-import type { AccessEngine } from "./engine.js";
-import type { SchemaDefinition, Subject, ResourceContext } from "./types.js";
-export interface ServerOptions<S extends SchemaDefinition> {
+import * as http from 'http';
+import { IncomingMessage, ServerResponse } from 'node:http';
+import { R as ResourceContext, S as SchemaDefinition, A as AccessEngine, r as Subject } from './engine-C6IASR5F.js';
+
+interface ServerOptions<S extends SchemaDefinition> {
     engine: AccessEngine<S>;
     port?: number;
     host?: string;
@@ -19,7 +20,7 @@ export interface ServerOptions<S extends SchemaDefinition> {
     /** Maximum request body size in bytes. Defaults to 1 MB. */
     maxBodyBytes?: number;
 }
-export interface EvalRequestBody {
+interface EvalRequestBody {
     subject: {
         id: string;
         roles: {
@@ -44,9 +45,10 @@ export interface EvalRequestBody {
  * **Security**: This server has no authentication by default.
  * In production, provide an `authenticate` hook or run behind a VPN/service mesh.
  */
-export declare function createAuthServer<S extends SchemaDefinition>(options: ServerOptions<S>): {
+declare function createAuthServer<S extends SchemaDefinition>(options: ServerOptions<S>): {
     start(): Promise<void>;
     stop(): Promise<void>;
-    httpServer: import("http").Server<typeof IncomingMessage, typeof ServerResponse>;
+    httpServer: http.Server<typeof IncomingMessage, typeof ServerResponse>;
 };
-//# sourceMappingURL=server.d.ts.map
+
+export { type EvalRequestBody, type ServerOptions, createAuthServer };

package/dist/server.js

@@ -1,163 +1,159 @@
-import { createServer } from "node:http";
-const DEFAULT_MAX_BODY_BYTES = 1024 * 1024; // 1 MB
+// src/server.ts
+import { createServer } from "http";
+var DEFAULT_MAX_BODY_BYTES = 1024 * 1024;
 function readBody(req, maxBytes) {
-    return new Promise((resolve, reject) => {
-        const chunks = [];
-        let received = 0;
-        let settled = false;
-        function settle(fn) {
-            if (!settled) {
-                settled = true;
-                fn();
-            }
-        }
-        req.on("data", (chunk) => {
-            if (settled)
-                return;
-            received += chunk.length;
-            if (received > maxBytes) {
-                req.resume();
-                settle(() => reject(new Error(`Request body exceeds ${maxBytes} bytes`)));
-                return;
-            }
-            chunks.push(chunk);
-        });
-        req.on("end", () => {
-            settle(() => resolve(Buffer.concat(chunks).toString("utf-8")));
-        });
-        req.on("error", (err) => {
-            settle(() => reject(err));
-        });
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let received = 0;
+    let settled = false;
+    function settle(fn) {
+      if (!settled) {
+        settled = true;
+        fn();
+      }
+    }
+    req.on("data", (chunk) => {
+      if (settled) return;
+      received += chunk.length;
+      if (received > maxBytes) {
+        req.resume();
+        settle(() => reject(new Error(`Request body exceeds ${maxBytes} bytes`)));
+        return;
+      }
+      chunks.push(chunk);
     });
+    req.on("end", () => {
+      settle(() => resolve(Buffer.concat(chunks).toString("utf-8")));
+    });
+    req.on("error", (err) => {
+      settle(() => reject(err));
+    });
+  });
 }
 function sendJson(res, status, body) {
-    const json = JSON.stringify(body);
-    res.writeHead(status, {
-        "Content-Type": "application/json",
-        "Content-Length": Buffer.byteLength(json),
-    });
-    res.end(json);
+  const json = JSON.stringify(body);
+  res.writeHead(status, {
+    "Content-Type": "application/json",
+    "Content-Length": Buffer.byteLength(json)
+  });
+  res.end(json);
 }
-/**
- * Create a standalone HTTP authorization server.
- *
- * Endpoints:
- *   POST /evaluate  — evaluate an authorization request
- *   GET  /health    — health check + rule count
- *   GET  /rules     — list all loaded rules (without conditions)
- *
- * **Security**: This server has no authentication by default.
- * In production, provide an `authenticate` hook or run behind a VPN/service mesh.
- */
-export function createAuthServer(options) {
-    const { engine, port = 3100, host = "0.0.0.0", maxBodyBytes = DEFAULT_MAX_BODY_BYTES, } = options;
-    const startTime = Date.now();
-    const server = createServer(async (req, res) => {
-        const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
-        const method = req.method ?? "GET";
+function createAuthServer(options) {
+  const {
+    engine,
+    port = 3100,
+    host = "0.0.0.0",
+    maxBodyBytes = DEFAULT_MAX_BODY_BYTES
+  } = options;
+  const startTime = Date.now();
+  const server = createServer(async (req, res) => {
+    const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
+    const method = req.method ?? "GET";
+    try {
+      if (options.authenticate) {
+        const authed = await options.authenticate(req);
+        if (authed !== true) {
+          sendJson(res, 401, { error: "Unauthorized" });
+          return;
+        }
+      }
+      if (method === "GET" && pathname === "/health") {
+        const body = {
+          status: "ok",
+          rulesLoaded: engine.getRules().length,
+          uptime: Date.now() - startTime
+        };
+        sendJson(res, 200, body);
+        return;
+      }
+      if (method === "GET" && pathname === "/rules") {
+        const rules = engine.getRules().map((r) => ({
+          id: r.id,
+          effect: r.effect,
+          roles: r.roles,
+          actions: r.actions,
+          resources: r.resources,
+          priority: r.priority,
+          description: r.description,
+          hasConditions: (r.conditions?.length ?? 0) > 0
+        }));
+        sendJson(res, 200, { rules });
+        return;
+      }
+      if (method === "POST" && pathname === "/evaluate") {
+        let raw;
+        try {
+          raw = await readBody(req, maxBodyBytes);
+        } catch (err) {
+          sendJson(res, 413, {
+            error: err instanceof Error ? err.message : "Payload too large"
+          });
+          return;
+        }
+        let body;
         try {
-            if (options.authenticate) {
-                const authed = await options.authenticate(req);
-                if (authed !== true) {
-                    sendJson(res, 401, { error: "Unauthorized" });
-                    return;
-                }
-            }
-            if (method === "GET" && pathname === "/health") {
-                const body = {
-                    status: "ok",
-                    rulesLoaded: engine.getRules().length,
-                    uptime: Date.now() - startTime,
-                };
-                sendJson(res, 200, body);
-                return;
-            }
-            if (method === "GET" && pathname === "/rules") {
-                const rules = engine.getRules().map((r) => ({
-                    id: r.id,
-                    effect: r.effect,
-                    roles: r.roles,
-                    actions: r.actions,
-                    resources: r.resources,
-                    priority: r.priority,
-                    description: r.description,
-                    hasConditions: (r.conditions?.length ?? 0) > 0,
-                }));
-                sendJson(res, 200, { rules });
-                return;
-            }
-            if (method === "POST" && pathname === "/evaluate") {
-                let raw;
-                try {
-                    raw = await readBody(req, maxBodyBytes);
-                }
-                catch (err) {
-                    sendJson(res, 413, {
-                        error: err instanceof Error ? err.message : "Payload too large",
-                    });
-                    return;
-                }
-                let body;
-                try {
-                    body = JSON.parse(raw);
-                }
-                catch {
-                    sendJson(res, 400, { error: "Invalid JSON body" });
-                    return;
-                }
-                if (!body.subject || !body.action || !body.resource) {
-                    sendJson(res, 400, {
-                        error: "Missing required fields: subject, action, resource",
-                    });
-                    return;
-                }
-                if (typeof body.action !== "string" || typeof body.resource !== "string") {
-                    sendJson(res, 400, { error: "action and resource must be strings" });
-                    return;
-                }
-                if (typeof body.subject !== "object" ||
-                    typeof body.subject.id !== "string" ||
-                    !Array.isArray(body.subject.roles)) {
-                    sendJson(res, 400, {
-                        error: "subject must have a string id and a roles array",
-                    });
-                    return;
-                }
-                const subject = options.resolveSubject
-                    ? await options.resolveSubject(body)
-                    : body.subject;
-                const decision = engine.evaluate(subject, body.action, body.resource, body.resourceContext ?? {}, body.tenantId);
-                const response = {
-                    allowed: decision.allowed,
-                    effect: decision.effect,
-                    reason: decision.reason,
-                    matchedRuleId: decision.matchedRule?.id ?? null,
-                    durationMs: decision.durationMs,
-                };
-                sendJson(res, 200, response);
-                return;
-            }
-            sendJson(res, 404, { error: "Not found" });
+          body = JSON.parse(raw);
+        } catch {
+          sendJson(res, 400, { error: "Invalid JSON body" });
+          return;
         }
-        catch (err) {
-            const message = err instanceof Error ? err.message : "Internal server error";
-            sendJson(res, 500, { error: message });
+        if (!body.subject || !body.action || !body.resource) {
+          sendJson(res, 400, {
+            error: "Missing required fields: subject, action, resource"
+          });
+          return;
         }
-    });
-    return {
-        start() {
-            return new Promise((resolve) => {
-                server.listen(port, host, () => {
-                    resolve();
-                });
-            });
-        },
-        stop() {
-            return new Promise((resolve, reject) => {
-                server.close((err) => (err ? reject(err) : resolve()));
-            });
-        },
-        httpServer: server,
-    };
+        if (typeof body.action !== "string" || typeof body.resource !== "string") {
+          sendJson(res, 400, { error: "action and resource must be strings" });
+          return;
+        }
+        if (typeof body.subject !== "object" || typeof body.subject.id !== "string" || !Array.isArray(body.subject.roles)) {
+          sendJson(res, 400, {
+            error: "subject must have a string id and a roles array"
+          });
+          return;
+        }
+        const subject = options.resolveSubject ? await options.resolveSubject(body) : body.subject;
+        const decision = engine.evaluate(
+          subject,
+          body.action,
+          body.resource,
+          body.resourceContext ?? {},
+          body.tenantId
+        );
+        const response = {
+          allowed: decision.allowed,
+          effect: decision.effect,
+          reason: decision.reason,
+          matchedRuleId: decision.matchedRule?.id ?? null,
+          durationMs: decision.durationMs
+        };
+        sendJson(res, 200, response);
+        return;
+      }
+      sendJson(res, 404, { error: "Not found" });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Internal server error";
+      sendJson(res, 500, { error: message });
+    }
+  });
+  return {
+    start() {
+      return new Promise((resolve) => {
+        server.listen(port, host, () => {
+          resolve();
+        });
+      });
+    },
+    stop() {
+      return new Promise((resolve, reject) => {
+        server.close((err) => err ? reject(err) : resolve());
+      });
+    },
+    httpServer: server
+  };
 }
+export {
+  createAuthServer
+};
 //# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAA6C,MAAM,WAAW,CAAC;AAIpF,MAAM,sBAAsB,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AAmDnD,SAAS,QAAQ,CAAC,GAAoB,EAAE,QAAgB;IACtD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,SAAS,MAAM,CAAC,EAAc;YAC5B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,IAAI,CAAC;gBACf,EAAE,EAAE,CAAC;YACP,CAAC;QACH,CAAC;QAED,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,IAAI,OAAO;gBAAE,OAAO;YACpB,QAAQ,IAAI,KAAK,CAAC,MAAM,CAAC;YACzB,IAAI,QAAQ,GAAG,QAAQ,EAAE,CAAC;gBACxB,GAAG,CAAC,MAAM,EAAE,CAAC;gBACb,MAAM,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,QAAQ,QAAQ,CAAC,CAAC,CAAC,CAAC;gBAC1E,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACtB,MAAM,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,GAAmB,EAAE,MAAc,EAAE,IAAa;IAClE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE;QACpB,cAAc,EAAE,kBAAkB;QAClC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;KAC1C,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAyB;IAEzB,MAAM,EACJ,MAAM,EACN,IAAI,GAAG,IAAI,EACX,IAAI,GAAG,SAAS,EAChB,YAAY,GAAG,sBAAsB,GACtC,GAAG,OAAO,CAAC;IACZ,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC7C,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;QACtE,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC;QAEnC,IAAI,CAAC;YACH,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBAC/C,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;oBACpB,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;oBAC9C,OAAO;gBACT,CAAC;YACH,CAAC;YAED,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC/C,MAAM,IAAI,GAAmB;oBAC3B,MAAM,EAAE,IAAI;oBACZ,WAAW,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,MAAM;oBACrC,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBAC/B,CAAC;gBACF,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;gBACzB,OAAO;YACT,CAAC;YAED,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC1C,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,KAAK,EAAE,CAAC,CAAC,KAAK;oBACd,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,SAAS,EAAE,CAAC,CAAC,SAAS;oBACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,WAAW,EAAE,CAAC,CAAC,WAAW;oBAC1B,aAAa,EAAE,CAAC,CAAC,CAAC,UAAU,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC;iBAC/C,CAAC,CAAC,CAAC;gBACJ,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC9B,OAAO;YACT,CAAC;YAED,IAAI,MAAM,KAAK,MAAM,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;gBAClD,IAAI,GAAW,CAAC;gBAChB,IAAI,CAAC;oBACH,GAAG,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;gBAC1C,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE;wBACjB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB;qBAChE,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,IAAI,IAAqB,CAAC;gBAC1B,IAAI,CAAC;oBACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACzB,CAAC;gBAAC,MAAM,CAAC;oBACP,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;oBACnD,OAAO;gBACT,CAAC;gBAED,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACpD,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE;wBACjB,KAAK,EAAE,oDAAoD;qBAC5D,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBACzE,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAC,CAAC;oBACrE,OAAO;gBACT,CAAC;gBAED,IACE,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;oBAChC,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,KAAK,QAAQ;oBACnC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAClC,CAAC;oBACD,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE;wBACjB,KAAK,EAAE,iDAAiD;qBACzD,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,MAAM,OAAO,GAAe,OAAO,CAAC,cAAc;oBAChD,CAAC,CAAC,MAAM,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC;oBACpC,CAAC,CAAE,IAAI,CAAC,OAAiC,CAAC;gBAE5C,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAC9B,OAAO,EACP,IAAI,CAAC,MAA+C,EACpD,IAAI,CAAC,QAAiD,EACtD,IAAI,CAAC,eAAe,IAAI,EAAE,EAC1B,IAAI,CAAC,QAAQ,CACd,CAAC;gBAEF,MAAM,QAAQ,GAAqB;oBACjC,OAAO,EAAE,QAAQ,CAAC,OAAO;oBACzB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,aAAa,EAAE,QAAQ,CAAC,WAAW,EAAE,EAAE,IAAI,IAAI;oBAC/C,UAAU,EAAE,QAAQ,CAAC,UAAU;iBAChC,CAAC;gBACF,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;gBAC7B,OAAO;YACT,CAAC;YAED,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC;YAC7E,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,KAAK;YACH,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;gBAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;oBAC7B,OAAO,EAAE,CAAC;gBACZ,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAED,IAAI;YACF,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACrC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACzD,CAAC,CAAC,CAAC;QACL,CAAC;QAED,UAAU,EAAE,MAAM;KACnB,CAAC;AACJ,CAAC"}
+{"version":3,"sources":["../src/server.ts"],"sourcesContent":["import { createServer, type IncomingMessage, type ServerResponse } from \"node:http\";\nimport type { AccessEngine } from \"./engine.js\";\nimport type { SchemaDefinition, Subject, ResourceContext } from \"./types.js\";\n\nconst DEFAULT_MAX_BODY_BYTES = 1024 * 1024; // 1 MB\n\n// ---------------------------------------------------------------------------\n// Standalone HTTP authorization server\n// ---------------------------------------------------------------------------\n\nexport interface ServerOptions<S extends SchemaDefinition> {\n  engine: AccessEngine<S>;\n  port?: number;\n  host?: string;\n  /**\n   * Optional hook to resolve a Subject from the request body.\n   * Defaults to using body.subject directly.\n   */\n  resolveSubject?: (body: EvalRequestBody) => Subject<S> | Promise<Subject<S>>;\n  /**\n   * Optional authentication hook. Return true to allow the request,\n   * false to reject with 401. Called before any endpoint logic.\n   * If not provided, all requests are allowed (suitable for internal networks only).\n   */\n  authenticate?: (req: IncomingMessage) => boolean | Promise<boolean>;\n  /** Maximum request body size in bytes. Defaults to 1 MB. */\n  maxBodyBytes?: number;\n}\n\nexport interface EvalRequestBody {\n  subject: {\n    id: string;\n    roles: { role: string; tenantId?: string }[];\n    attributes?: Record<string, unknown>;\n  };\n  action: string;\n  resource: string;\n  resourceContext?: ResourceContext;\n  tenantId?: string;\n}\n\ninterface EvalResponseBody {\n  allowed: boolean;\n  effect: string;\n  reason: string;\n  matchedRuleId: string | null;\n  durationMs: number;\n}\n\ninterface HealthResponse {\n  status: \"ok\";\n  rulesLoaded: number;\n  uptime: number;\n}\n\nfunction readBody(req: IncomingMessage, maxBytes: number): Promise<string> {\n  return new Promise((resolve, reject) => {\n    const chunks: Buffer[] = [];\n    let received = 0;\n    let settled = false;\n\n    function settle(fn: () => void) {\n      if (!settled) {\n        settled = true;\n        fn();\n      }\n    }\n\n    req.on(\"data\", (chunk: Buffer) => {\n      if (settled) return;\n      received += chunk.length;\n      if (received > maxBytes) {\n        req.resume();\n        settle(() => reject(new Error(`Request body exceeds ${maxBytes} bytes`)));\n        return;\n      }\n      chunks.push(chunk);\n    });\n    req.on(\"end\", () => {\n      settle(() => resolve(Buffer.concat(chunks).toString(\"utf-8\")));\n    });\n    req.on(\"error\", (err) => {\n      settle(() => reject(err));\n    });\n  });\n}\n\nfunction sendJson(res: ServerResponse, status: number, body: unknown): void {\n  const json = JSON.stringify(body);\n  res.writeHead(status, {\n    \"Content-Type\": \"application/json\",\n    \"Content-Length\": Buffer.byteLength(json),\n  });\n  res.end(json);\n}\n\n/**\n * Create a standalone HTTP authorization server.\n *\n * Endpoints:\n *   POST /evaluate  — evaluate an authorization request\n *   GET  /health    — health check + rule count\n *   GET  /rules     — list all loaded rules (without conditions)\n *\n * **Security**: This server has no authentication by default.\n * In production, provide an `authenticate` hook or run behind a VPN/service mesh.\n */\nexport function createAuthServer<S extends SchemaDefinition>(\n  options: ServerOptions<S>,\n) {\n  const {\n    engine,\n    port = 3100,\n    host = \"0.0.0.0\",\n    maxBodyBytes = DEFAULT_MAX_BODY_BYTES,\n  } = options;\n  const startTime = Date.now();\n\n  const server = createServer(async (req, res) => {\n    const pathname = new URL(req.url ?? \"/\", \"http://localhost\").pathname;\n    const method = req.method ?? \"GET\";\n\n    try {\n      if (options.authenticate) {\n        const authed = await options.authenticate(req);\n        if (authed !== true) {\n          sendJson(res, 401, { error: \"Unauthorized\" });\n          return;\n        }\n      }\n\n      if (method === \"GET\" && pathname === \"/health\") {\n        const body: HealthResponse = {\n          status: \"ok\",\n          rulesLoaded: engine.getRules().length,\n          uptime: Date.now() - startTime,\n        };\n        sendJson(res, 200, body);\n        return;\n      }\n\n      if (method === \"GET\" && pathname === \"/rules\") {\n        const rules = engine.getRules().map((r) => ({\n          id: r.id,\n          effect: r.effect,\n          roles: r.roles,\n          actions: r.actions,\n          resources: r.resources,\n          priority: r.priority,\n          description: r.description,\n          hasConditions: (r.conditions?.length ?? 0) > 0,\n        }));\n        sendJson(res, 200, { rules });\n        return;\n      }\n\n      if (method === \"POST\" && pathname === \"/evaluate\") {\n        let raw: string;\n        try {\n          raw = await readBody(req, maxBodyBytes);\n        } catch (err) {\n          sendJson(res, 413, {\n            error: err instanceof Error ? err.message : \"Payload too large\",\n          });\n          return;\n        }\n\n        let body: EvalRequestBody;\n        try {\n          body = JSON.parse(raw);\n        } catch {\n          sendJson(res, 400, { error: \"Invalid JSON body\" });\n          return;\n        }\n\n        if (!body.subject || !body.action || !body.resource) {\n          sendJson(res, 400, {\n            error: \"Missing required fields: subject, action, resource\",\n          });\n          return;\n        }\n\n        if (typeof body.action !== \"string\" || typeof body.resource !== \"string\") {\n          sendJson(res, 400, { error: \"action and resource must be strings\" });\n          return;\n        }\n\n        if (\n          typeof body.subject !== \"object\" ||\n          typeof body.subject.id !== \"string\" ||\n          !Array.isArray(body.subject.roles)\n        ) {\n          sendJson(res, 400, {\n            error: \"subject must have a string id and a roles array\",\n          });\n          return;\n        }\n\n        const subject: Subject<S> = options.resolveSubject\n          ? await options.resolveSubject(body)\n          : (body.subject as unknown as Subject<S>);\n\n        const decision = engine.evaluate(\n          subject,\n          body.action as Parameters<typeof engine.evaluate>[1],\n          body.resource as Parameters<typeof engine.evaluate>[2],\n          body.resourceContext ?? {},\n          body.tenantId,\n        );\n\n        const response: EvalResponseBody = {\n          allowed: decision.allowed,\n          effect: decision.effect,\n          reason: decision.reason,\n          matchedRuleId: decision.matchedRule?.id ?? null,\n          durationMs: decision.durationMs,\n        };\n        sendJson(res, 200, response);\n        return;\n      }\n\n      sendJson(res, 404, { error: \"Not found\" });\n    } catch (err) {\n      const message = err instanceof Error ? err.message : \"Internal server error\";\n      sendJson(res, 500, { error: message });\n    }\n  });\n\n  return {\n    start(): Promise<void> {\n      return new Promise((resolve) => {\n        server.listen(port, host, () => {\n          resolve();\n        });\n      });\n    },\n\n    stop(): Promise<void> {\n      return new Promise((resolve, reject) => {\n        server.close((err) => (err ? reject(err) : resolve()));\n      });\n    },\n\n    httpServer: server,\n  };\n}\n"],"mappings":";AAAA,SAAS,oBAA+D;AAIxE,IAAM,yBAAyB,OAAO;AAmDtC,SAAS,SAAS,KAAsB,UAAmC;AACzE,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,SAAmB,CAAC;AAC1B,QAAI,WAAW;AACf,QAAI,UAAU;AAEd,aAAS,OAAO,IAAgB;AAC9B,UAAI,CAAC,SAAS;AACZ,kBAAU;AACV,WAAG;AAAA,MACL;AAAA,IACF;AAEA,QAAI,GAAG,QAAQ,CAAC,UAAkB;AAChC,UAAI,QAAS;AACb,kBAAY,MAAM;AAClB,UAAI,WAAW,UAAU;AACvB,YAAI,OAAO;AACX,eAAO,MAAM,OAAO,IAAI,MAAM,wBAAwB,QAAQ,QAAQ,CAAC,CAAC;AACxE;AAAA,MACF;AACA,aAAO,KAAK,KAAK;AAAA,IACnB,CAAC;AACD,QAAI,GAAG,OAAO,MAAM;AAClB,aAAO,MAAM,QAAQ,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO,CAAC,CAAC;AAAA,IAC/D,CAAC;AACD,QAAI,GAAG,SAAS,CAAC,QAAQ;AACvB,aAAO,MAAM,OAAO,GAAG,CAAC;AAAA,IAC1B,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,SAAS,KAAqB,QAAgB,MAAqB;AAC1E,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,MAAI,UAAU,QAAQ;AAAA,IACpB,gBAAgB;AAAA,IAChB,kBAAkB,OAAO,WAAW,IAAI;AAAA,EAC1C,CAAC;AACD,MAAI,IAAI,IAAI;AACd;AAaO,SAAS,iBACd,SACA;AACA,QAAM;AAAA,IACJ;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,IACP,eAAe;AAAA,EACjB,IAAI;AACJ,QAAM,YAAY,KAAK,IAAI;AAE3B,QAAM,SAAS,aAAa,OAAO,KAAK,QAAQ;AAC9C,UAAM,WAAW,IAAI,IAAI,IAAI,OAAO,KAAK,kBAAkB,EAAE;AAC7D,UAAM,SAAS,IAAI,UAAU;AAE7B,QAAI;AACF,UAAI,QAAQ,cAAc;AACxB,cAAM,SAAS,MAAM,QAAQ,aAAa,GAAG;AAC7C,YAAI,WAAW,MAAM;AACnB,mBAAS,KAAK,KAAK,EAAE,OAAO,eAAe,CAAC;AAC5C;AAAA,QACF;AAAA,MACF;AAEA,UAAI,WAAW,SAAS,aAAa,WAAW;AAC9C,cAAM,OAAuB;AAAA,UAC3B,QAAQ;AAAA,UACR,aAAa,OAAO,SAAS,EAAE;AAAA,UAC/B,QAAQ,KAAK,IAAI,IAAI;AAAA,QACvB;AACA,iBAAS,KAAK,KAAK,IAAI;AACvB;AAAA,MACF;AAEA,UAAI,WAAW,SAAS,aAAa,UAAU;AAC7C,cAAM,QAAQ,OAAO,SAAS,EAAE,IAAI,CAAC,OAAO;AAAA,UAC1C,IAAI,EAAE;AAAA,UACN,QAAQ,EAAE;AAAA,UACV,OAAO,EAAE;AAAA,UACT,SAAS,EAAE;AAAA,UACX,WAAW,EAAE;AAAA,UACb,UAAU,EAAE;AAAA,UACZ,aAAa,EAAE;AAAA,UACf,gBAAgB,EAAE,YAAY,UAAU,KAAK;AAAA,QAC/C,EAAE;AACF,iBAAS,KAAK,KAAK,EAAE,MAAM,CAAC;AAC5B;AAAA,MACF;AAEA,UAAI,WAAW,UAAU,aAAa,aAAa;AACjD,YAAI;AACJ,YAAI;AACF,gBAAM,MAAM,SAAS,KAAK,YAAY;AAAA,QACxC,SAAS,KAAK;AACZ,mBAAS,KAAK,KAAK;AAAA,YACjB,OAAO,eAAe,QAAQ,IAAI,UAAU;AAAA,UAC9C,CAAC;AACD;AAAA,QACF;AAEA,YAAI;AACJ,YAAI;AACF,iBAAO,KAAK,MAAM,GAAG;AAAA,QACvB,QAAQ;AACN,mBAAS,KAAK,KAAK,EAAE,OAAO,oBAAoB,CAAC;AACjD;AAAA,QACF;AAEA,YAAI,CAAC,KAAK,WAAW,CAAC,KAAK,UAAU,CAAC,KAAK,UAAU;AACnD,mBAAS,KAAK,KAAK;AAAA,YACjB,OAAO;AAAA,UACT,CAAC;AACD;AAAA,QACF;AAEA,YAAI,OAAO,KAAK,WAAW,YAAY,OAAO,KAAK,aAAa,UAAU;AACxE,mBAAS,KAAK,KAAK,EAAE,OAAO,sCAAsC,CAAC;AACnE;AAAA,QACF;AAEA,YACE,OAAO,KAAK,YAAY,YACxB,OAAO,KAAK,QAAQ,OAAO,YAC3B,CAAC,MAAM,QAAQ,KAAK,QAAQ,KAAK,GACjC;AACA,mBAAS,KAAK,KAAK;AAAA,YACjB,OAAO;AAAA,UACT,CAAC;AACD;AAAA,QACF;AAEA,cAAM,UAAsB,QAAQ,iBAChC,MAAM,QAAQ,eAAe,IAAI,IAChC,KAAK;AAEV,cAAM,WAAW,OAAO;AAAA,UACtB;AAAA,UACA,KAAK;AAAA,UACL,KAAK;AAAA,UACL,KAAK,mBAAmB,CAAC;AAAA,UACzB,KAAK;AAAA,QACP;AAEA,cAAM,WAA6B;AAAA,UACjC,SAAS,SAAS;AAAA,UAClB,QAAQ,SAAS;AAAA,UACjB,QAAQ,SAAS;AAAA,UACjB,eAAe,SAAS,aAAa,MAAM;AAAA,UAC3C,YAAY,SAAS;AAAA,QACvB;AACA,iBAAS,KAAK,KAAK,QAAQ;AAC3B;AAAA,MACF;AAEA,eAAS,KAAK,KAAK,EAAE,OAAO,YAAY,CAAC;AAAA,IAC3C,SAAS,KAAK;AACZ,YAAM,UAAU,eAAe,QAAQ,IAAI,UAAU;AACrD,eAAS,KAAK,KAAK,EAAE,OAAO,QAAQ,CAAC;AAAA,IACvC;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,QAAuB;AACrB,aAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,eAAO,OAAO,MAAM,MAAM,MAAM;AAC9B,kBAAQ;AAAA,QACV,CAAC;AAAA,MACH,CAAC;AAAA,IACH;AAAA,IAEA,OAAsB;AACpB,aAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,eAAO,MAAM,CAAC,QAAS,MAAM,OAAO,GAAG,IAAI,QAAQ,CAAE;AAAA,MACvD,CAAC;AAAA,IACH;AAAA,IAEA,YAAY;AAAA,EACd;AACF;","names":[]}