@siremzam/sentinel 0.3.2 → 0.3.3

package/README.md

@@ -28,11 +28,11 @@ This library was built from a different starting point:
 
 ---
 
-### What's New in 0.3.2
+### What's New in 0.3.3
 
+- Hono middleware — `honoGuard()` via `@siremzam/sentinel/middleware/hono`
 - README rewrite: evaluation walkthrough, concepts glossary, patterns & recipes, migration guide, benchmark data
 - Standalone example (`examples/standalone/`) — no HTTP server needed
-- "When NOT to Use This" and "Testing Your Policies" sections
 
 See the full [CHANGELOG](./CHANGELOG.md).
 
@@ -61,7 +61,7 @@ See the full [CHANGELOG](./CHANGELOG.md).
   - [toAuditEntry()](#toauditentry)
   - [permitted() — UI Rendering](#permitted--ui-rendering)
 - [Integration](#integration)
-  - [Middleware (Express, Fastify, NestJS)](#middleware)
+  - [Middleware (Express, Fastify, Hono, NestJS)](#middleware)
   - [Server Mode](#server-mode)
   - [JSON Policy Serialization](#json-policy-serialization)
 - [Performance](#performance)
@@ -93,7 +93,7 @@ See the full [CHANGELOG](./CHANGELOG.md).
 | UI permission set | `permitted()` returns `Set` | No | `permission.filter()` | `ability.can()` per action |
 | JSON policy storage | `exportRules` / `importRules` + `ConditionRegistry` | CSV / JSON adapters | No | Via `@casl/ability/extra` |
 | Server mode (HTTP microservice) | Built-in (`createAuthServer`) | No | No | No |
-| Middleware | Express, Fastify, NestJS | Express (community) | Express (community) | Express, NestJS |
+| Middleware | Express, Fastify, Hono, NestJS | Express (community) | Express (community) | Express, NestJS |
 | Dependencies | **0** | 2+ | 2 | 1+ |
 | DSL required | **No** (pure TypeScript) | Yes (Casbin model) | No | No |
 
@@ -573,6 +573,22 @@ fastify.post("/invoices/:id/approve", {
 }, handler);
 ```
 
+**Hono:**
+
+```typescript
+import { honoGuard } from "@siremzam/sentinel/middleware/hono";
+
+app.post(
+  "/invoices/:id/approve",
+  honoGuard(engine, "invoice:approve", "invoice", {
+    getSubject: (c) => c.get("user"),
+    getResourceContext: (c) => ({ id: c.req.param("id") }),
+    getTenantId: (c) => c.req.header("x-tenant-id"),
+  }),
+  handler,
+);
+```
+
 **NestJS:**
 
 ```typescript

package/dist/middleware/hono.cjs

@@ -0,0 +1,57 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/middleware/hono.ts
+var hono_exports = {};
+__export(hono_exports, {
+  honoGuard: () => honoGuard
+});
+module.exports = __toCommonJS(hono_exports);
+function honoGuard(engine, action, resource, options) {
+  return async (c, next) => {
+    const subject = options.getSubject(c);
+    if (!subject) {
+      return c.json({ error: "Unauthorized \u2014 no subject" }, 401);
+    }
+    let decision;
+    try {
+      const resourceContext = options.getResourceContext?.(c) ?? {};
+      const tenantId = options.getTenantId?.(c);
+      decision = engine.evaluate(subject, action, resource, resourceContext, tenantId);
+    } catch {
+      return c.json({ error: "Internal authorization error" }, 500);
+    }
+    if (decision.allowed) {
+      await next();
+      return;
+    }
+    if (options.onDenied) {
+      return options.onDenied(c);
+    }
+    return c.json({
+      error: "Forbidden",
+      reason: decision.reason
+    }, 403);
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  honoGuard
+});
+//# sourceMappingURL=hono.cjs.map

package/dist/middleware/hono.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/middleware/hono.ts"],"sourcesContent":["import type { AccessEngine } from \"../engine.js\";\nimport type { SchemaDefinition, InferAction, InferResource, Subject, ResourceContext } from \"../types.js\";\n\n/**\n * Minimal Hono-compatible types so we don't depend on hono at runtime.\n */\ninterface HonoContext {\n  req: {\n    raw: Request;\n    header(name: string): string | undefined;\n    param(name: string): string | undefined;\n    [key: string]: unknown;\n  };\n  json(data: unknown, status?: number): Response;\n  get<T = unknown>(key: string): T;\n  set(key: string, value: unknown): void;\n  [key: string]: unknown;\n}\n\ntype HonoNext = () => Promise<void>;\ntype HonoMiddleware = (c: HonoContext, next: HonoNext) => Promise<Response | void>;\n\nexport interface HonoGuardOptions<S extends SchemaDefinition> {\n  /** Extract the subject from the Hono context. */\n  getSubject: (c: HonoContext) => Subject<S> | undefined;\n  /** Extract the resource context from the Hono context (optional). */\n  getResourceContext?: (c: HonoContext) => ResourceContext;\n  /** Extract the tenant ID from the Hono context (optional). */\n  getTenantId?: (c: HonoContext) => string | undefined;\n  /** Custom denial handler. Return a Response to override the default 403. */\n  onDenied?: (c: HonoContext) => Response;\n}\n\n/**\n * Hono middleware factory.\n *\n * Usage:\n *   app.post(\n *     \"/invoices/:id/approve\",\n *     honoGuard(engine, \"invoice:approve\", \"invoice\", {\n *       getSubject: (c) => c.get(\"user\"),\n *       getTenantId: (c) => c.req.header(\"x-tenant-id\"),\n *     }),\n *     handler,\n *   );\n */\nexport function honoGuard<S extends SchemaDefinition>(\n  engine: AccessEngine<S>,\n  action: InferAction<S>,\n  resource: InferResource<S>,\n  options: HonoGuardOptions<S>,\n): HonoMiddleware {\n  return async (c: HonoContext, next: HonoNext) => {\n    const subject = options.getSubject(c);\n    if (!subject) {\n      return c.json({ error: \"Unauthorized — no subject\" }, 401);\n    }\n\n    let decision;\n    try {\n      const resourceContext = options.getResourceContext?.(c) ?? {};\n      const tenantId = options.getTenantId?.(c);\n      decision = engine.evaluate(subject, action, resource, resourceContext, tenantId);\n    } catch {\n      return c.json({ error: \"Internal authorization error\" }, 500);\n    }\n\n    if (decision.allowed) {\n      await next();\n      return;\n    }\n\n    if (options.onDenied) {\n      return options.onDenied(c);\n    }\n\n    return c.json({\n      error: \"Forbidden\",\n      reason: decision.reason,\n    }, 403);\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AA8CO,SAAS,UACd,QACA,QACA,UACA,SACgB;AAChB,SAAO,OAAO,GAAgB,SAAmB;AAC/C,UAAM,UAAU,QAAQ,WAAW,CAAC;AACpC,QAAI,CAAC,SAAS;AACZ,aAAO,EAAE,KAAK,EAAE,OAAO,iCAA4B,GAAG,GAAG;AAAA,IAC3D;AAEA,QAAI;AACJ,QAAI;AACF,YAAM,kBAAkB,QAAQ,qBAAqB,CAAC,KAAK,CAAC;AAC5D,YAAM,WAAW,QAAQ,cAAc,CAAC;AACxC,iBAAW,OAAO,SAAS,SAAS,QAAQ,UAAU,iBAAiB,QAAQ;AAAA,IACjF,QAAQ;AACN,aAAO,EAAE,KAAK,EAAE,OAAO,+BAA+B,GAAG,GAAG;AAAA,IAC9D;AAEA,QAAI,SAAS,SAAS;AACpB,YAAM,KAAK;AACX;AAAA,IACF;AAEA,QAAI,QAAQ,UAAU;AACpB,aAAO,QAAQ,SAAS,CAAC;AAAA,IAC3B;AAEA,WAAO,EAAE,KAAK;AAAA,MACZ,OAAO;AAAA,MACP,QAAQ,SAAS;AAAA,IACnB,GAAG,GAAG;AAAA,EACR;AACF;","names":[]}

package/dist/middleware/hono.d.cts

@@ -0,0 +1,45 @@
+import { S as SchemaDefinition, r as Subject, R as ResourceContext, A as AccessEngine, I as InferAction, k as InferResource } from '../engine-C6IASR5F.cjs';
+
+/**
+ * Minimal Hono-compatible types so we don't depend on hono at runtime.
+ */
+interface HonoContext {
+    req: {
+        raw: Request;
+        header(name: string): string | undefined;
+        param(name: string): string | undefined;
+        [key: string]: unknown;
+    };
+    json(data: unknown, status?: number): Response;
+    get<T = unknown>(key: string): T;
+    set(key: string, value: unknown): void;
+    [key: string]: unknown;
+}
+type HonoNext = () => Promise<void>;
+type HonoMiddleware = (c: HonoContext, next: HonoNext) => Promise<Response | void>;
+interface HonoGuardOptions<S extends SchemaDefinition> {
+    /** Extract the subject from the Hono context. */
+    getSubject: (c: HonoContext) => Subject<S> | undefined;
+    /** Extract the resource context from the Hono context (optional). */
+    getResourceContext?: (c: HonoContext) => ResourceContext;
+    /** Extract the tenant ID from the Hono context (optional). */
+    getTenantId?: (c: HonoContext) => string | undefined;
+    /** Custom denial handler. Return a Response to override the default 403. */
+    onDenied?: (c: HonoContext) => Response;
+}
+/**
+ * Hono middleware factory.
+ *
+ * Usage:
+ *   app.post(
+ *     "/invoices/:id/approve",
+ *     honoGuard(engine, "invoice:approve", "invoice", {
+ *       getSubject: (c) => c.get("user"),
+ *       getTenantId: (c) => c.req.header("x-tenant-id"),
+ *     }),
+ *     handler,
+ *   );
+ */
+declare function honoGuard<S extends SchemaDefinition>(engine: AccessEngine<S>, action: InferAction<S>, resource: InferResource<S>, options: HonoGuardOptions<S>): HonoMiddleware;
+
+export { type HonoGuardOptions, honoGuard };

package/dist/middleware/hono.d.ts

@@ -0,0 +1,45 @@
+import { S as SchemaDefinition, r as Subject, R as ResourceContext, A as AccessEngine, I as InferAction, k as InferResource } from '../engine-C6IASR5F.js';
+
+/**
+ * Minimal Hono-compatible types so we don't depend on hono at runtime.
+ */
+interface HonoContext {
+    req: {
+        raw: Request;
+        header(name: string): string | undefined;
+        param(name: string): string | undefined;
+        [key: string]: unknown;
+    };
+    json(data: unknown, status?: number): Response;
+    get<T = unknown>(key: string): T;
+    set(key: string, value: unknown): void;
+    [key: string]: unknown;
+}
+type HonoNext = () => Promise<void>;
+type HonoMiddleware = (c: HonoContext, next: HonoNext) => Promise<Response | void>;
+interface HonoGuardOptions<S extends SchemaDefinition> {
+    /** Extract the subject from the Hono context. */
+    getSubject: (c: HonoContext) => Subject<S> | undefined;
+    /** Extract the resource context from the Hono context (optional). */
+    getResourceContext?: (c: HonoContext) => ResourceContext;
+    /** Extract the tenant ID from the Hono context (optional). */
+    getTenantId?: (c: HonoContext) => string | undefined;
+    /** Custom denial handler. Return a Response to override the default 403. */
+    onDenied?: (c: HonoContext) => Response;
+}
+/**
+ * Hono middleware factory.
+ *
+ * Usage:
+ *   app.post(
+ *     "/invoices/:id/approve",
+ *     honoGuard(engine, "invoice:approve", "invoice", {
+ *       getSubject: (c) => c.get("user"),
+ *       getTenantId: (c) => c.req.header("x-tenant-id"),
+ *     }),
+ *     handler,
+ *   );
+ */
+declare function honoGuard<S extends SchemaDefinition>(engine: AccessEngine<S>, action: InferAction<S>, resource: InferResource<S>, options: HonoGuardOptions<S>): HonoMiddleware;
+
+export { type HonoGuardOptions, honoGuard };

package/dist/middleware/hono.js

@@ -0,0 +1,32 @@
+// src/middleware/hono.ts
+function honoGuard(engine, action, resource, options) {
+  return async (c, next) => {
+    const subject = options.getSubject(c);
+    if (!subject) {
+      return c.json({ error: "Unauthorized \u2014 no subject" }, 401);
+    }
+    let decision;
+    try {
+      const resourceContext = options.getResourceContext?.(c) ?? {};
+      const tenantId = options.getTenantId?.(c);
+      decision = engine.evaluate(subject, action, resource, resourceContext, tenantId);
+    } catch {
+      return c.json({ error: "Internal authorization error" }, 500);
+    }
+    if (decision.allowed) {
+      await next();
+      return;
+    }
+    if (options.onDenied) {
+      return options.onDenied(c);
+    }
+    return c.json({
+      error: "Forbidden",
+      reason: decision.reason
+    }, 403);
+  };
+}
+export {
+  honoGuard
+};
+//# sourceMappingURL=hono.js.map

package/dist/middleware/hono.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/middleware/hono.ts"],"sourcesContent":["import type { AccessEngine } from \"../engine.js\";\nimport type { SchemaDefinition, InferAction, InferResource, Subject, ResourceContext } from \"../types.js\";\n\n/**\n * Minimal Hono-compatible types so we don't depend on hono at runtime.\n */\ninterface HonoContext {\n  req: {\n    raw: Request;\n    header(name: string): string | undefined;\n    param(name: string): string | undefined;\n    [key: string]: unknown;\n  };\n  json(data: unknown, status?: number): Response;\n  get<T = unknown>(key: string): T;\n  set(key: string, value: unknown): void;\n  [key: string]: unknown;\n}\n\ntype HonoNext = () => Promise<void>;\ntype HonoMiddleware = (c: HonoContext, next: HonoNext) => Promise<Response | void>;\n\nexport interface HonoGuardOptions<S extends SchemaDefinition> {\n  /** Extract the subject from the Hono context. */\n  getSubject: (c: HonoContext) => Subject<S> | undefined;\n  /** Extract the resource context from the Hono context (optional). */\n  getResourceContext?: (c: HonoContext) => ResourceContext;\n  /** Extract the tenant ID from the Hono context (optional). */\n  getTenantId?: (c: HonoContext) => string | undefined;\n  /** Custom denial handler. Return a Response to override the default 403. */\n  onDenied?: (c: HonoContext) => Response;\n}\n\n/**\n * Hono middleware factory.\n *\n * Usage:\n *   app.post(\n *     \"/invoices/:id/approve\",\n *     honoGuard(engine, \"invoice:approve\", \"invoice\", {\n *       getSubject: (c) => c.get(\"user\"),\n *       getTenantId: (c) => c.req.header(\"x-tenant-id\"),\n *     }),\n *     handler,\n *   );\n */\nexport function honoGuard<S extends SchemaDefinition>(\n  engine: AccessEngine<S>,\n  action: InferAction<S>,\n  resource: InferResource<S>,\n  options: HonoGuardOptions<S>,\n): HonoMiddleware {\n  return async (c: HonoContext, next: HonoNext) => {\n    const subject = options.getSubject(c);\n    if (!subject) {\n      return c.json({ error: \"Unauthorized — no subject\" }, 401);\n    }\n\n    let decision;\n    try {\n      const resourceContext = options.getResourceContext?.(c) ?? {};\n      const tenantId = options.getTenantId?.(c);\n      decision = engine.evaluate(subject, action, resource, resourceContext, tenantId);\n    } catch {\n      return c.json({ error: \"Internal authorization error\" }, 500);\n    }\n\n    if (decision.allowed) {\n      await next();\n      return;\n    }\n\n    if (options.onDenied) {\n      return options.onDenied(c);\n    }\n\n    return c.json({\n      error: \"Forbidden\",\n      reason: decision.reason,\n    }, 403);\n  };\n}\n"],"mappings":";AA8CO,SAAS,UACd,QACA,QACA,UACA,SACgB;AAChB,SAAO,OAAO,GAAgB,SAAmB;AAC/C,UAAM,UAAU,QAAQ,WAAW,CAAC;AACpC,QAAI,CAAC,SAAS;AACZ,aAAO,EAAE,KAAK,EAAE,OAAO,iCAA4B,GAAG,GAAG;AAAA,IAC3D;AAEA,QAAI;AACJ,QAAI;AACF,YAAM,kBAAkB,QAAQ,qBAAqB,CAAC,KAAK,CAAC;AAC5D,YAAM,WAAW,QAAQ,cAAc,CAAC;AACxC,iBAAW,OAAO,SAAS,SAAS,QAAQ,UAAU,iBAAiB,QAAQ;AAAA,IACjF,QAAQ;AACN,aAAO,EAAE,KAAK,EAAE,OAAO,+BAA+B,GAAG,GAAG;AAAA,IAC9D;AAEA,QAAI,SAAS,SAAS;AACpB,YAAM,KAAK;AACX;AAAA,IACF;AAEA,QAAI,QAAQ,UAAU;AACpB,aAAO,QAAQ,SAAS,CAAC;AAAA,IAC3B;AAEA,WAAO,EAAE,KAAK;AAAA,MACZ,OAAO;AAAA,MACP,QAAQ,SAAS;AAAA,IACnB,GAAG,GAAG;AAAA,EACR;AACF;","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@siremzam/sentinel",
-  "version": "0.3.2",
+  "version": "0.3.3",
   "description": "TypeScript-first, domain-driven authorization engine for modern SaaS apps",
   "type": "module",
   "main": "./dist/index.js",
@@ -30,6 +30,12 @@
       "require": "./dist/middleware/nestjs.cjs",
       "default": "./dist/middleware/nestjs.js"
     },
+    "./middleware/hono": {
+      "types": "./dist/middleware/hono.d.ts",
+      "import": "./dist/middleware/hono.js",
+      "require": "./dist/middleware/hono.cjs",
+      "default": "./dist/middleware/hono.js"
+    },
     "./server": {
       "types": "./dist/server.d.ts",
       "import": "./dist/server.js",