npm - @soulbatical/tetra-core - Versions diffs - 0.1.5 → 0.1.8 - Mend

@soulbatical/tetra-core 0.1.5 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.d.ts +4 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +4 -0
package/dist/index.js.map +1 -1
package/dist/middleware/entitlementsMiddleware.d.ts +142 -0
package/dist/middleware/entitlementsMiddleware.d.ts.map +1 -0
package/dist/middleware/entitlementsMiddleware.js +246 -0
package/dist/middleware/entitlementsMiddleware.js.map +1 -0
package/dist/middleware/permissionsMiddleware.d.ts +181 -0
package/dist/middleware/permissionsMiddleware.d.ts.map +1 -0
package/dist/middleware/permissionsMiddleware.js +237 -0
package/dist/middleware/permissionsMiddleware.js.map +1 -0
package/package.json +1 -1

package/dist/index.d.ts CHANGED Viewed

@@ -52,6 +52,10 @@ export { validateQueryParams, sanitizeSearchTerm, validatePagination, validateSo
 export { registerFeatureValidators, batchRegisterValidators } from './middleware/autoRegisterValidators.js';
 export { configureSecurity } from './middleware/securityMiddleware.js';
 export type { SecurityConfig } from './middleware/securityMiddleware.js';
+export { configureEntitlements, requireFeature, requireWithinLimit, hasFeature, getLimit, getOrgFeatures, invalidatePlanCache } from './middleware/entitlementsMiddleware.js';
+export type { EntitlementsConfig, PlanFeatures, LimitCheckResult } from './middleware/entitlementsMiddleware.js';
+export { configurePermissions, registerFeaturePermissions, requirePermission, requireAnyPermission, checkPermission, canSeeNav, canSeeTab, canDoAction, getAllPermissionConfigs, getPermissionsForRole } from './middleware/permissionsMiddleware.js';
+export type { FeaturePermissions, RolePermissions, PermissionValue, UIPermissions } from './middleware/permissionsMiddleware.js';
 export { createLogger, rootLogger } from './utils/logger.js';
 export type { Logger } from './utils/logger.js';
 export { validateEnvironment } from './utils/validateEnvironment.js';

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,eAAe,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,UAAU,EAAE,uBAAuB,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAClY,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AACtE,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AACjF,YAAY,EAAE,wBAAwB,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AACjG,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC/J,YAAY,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;AAG9E,OAAO,EAAE,mBAAmB,EAAE,MAAM,6CAA6C,CAAC;AAClF,OAAO,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AACxF,OAAO,EAAE,4BAA4B,EAAE,MAAM,gDAAgD,CAAC;AAG9F,OAAO,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,MAAM,2CAA2C,CAAC;AAC3G,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,2CAA2C,CAAC;AACvG,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAC;AAC7F,OAAO,EAAE,iBAAiB,EAAE,MAAM,4CAA4C,CAAC;AAC/E,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AAGzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4CAA4C,CAAC;AACnF,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AACvE,YAAY,EAAE,iBAAiB,IAAI,UAAU,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AACzE,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AACnH,OAAO,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAC;AAGjE,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,wBAAwB,EAAE,WAAW,EAAE,0BAA0B,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAC9N,YAAY,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AACvH,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAChJ,OAAO,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AAC5G,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAGzE,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC7D,YAAY,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AACxE,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,eAAe,EAAE,eAAe,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AACpO,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,aAAa,EAAE,WAAW,EAAE,yBAAyB,EAAE,MAAM,yCAAyC,CAAC;AACtJ,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AACpG,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACrF,OAAO,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrE,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,mCAAmC,CAAC;AACpH,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AAGzF,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAC1H,OAAO,EAAE,oBAAoB,EAAE,6BAA6B,EAAE,eAAe,EAAE,MAAM,8CAA8C,CAAC;AAGpI,YAAY,EAAE,oBAAoB,EAAE,QAAQ,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAOjL,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGlE,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,YAAY,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,eAAe,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,UAAU,EAAE,uBAAuB,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAClY,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AACtE,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AACjF,YAAY,EAAE,wBAAwB,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AACjG,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC/J,YAAY,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;AAG9E,OAAO,EAAE,mBAAmB,EAAE,MAAM,6CAA6C,CAAC;AAClF,OAAO,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AACxF,OAAO,EAAE,4BAA4B,EAAE,MAAM,gDAAgD,CAAC;AAG9F,OAAO,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,MAAM,2CAA2C,CAAC;AAC3G,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,2CAA2C,CAAC;AACvG,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAC;AAC7F,OAAO,EAAE,iBAAiB,EAAE,MAAM,4CAA4C,CAAC;AAC/E,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AAGzE,OAAO,EAAE,qBAAqB,EAAE,MAAM,4CAA4C,CAAC;AACnF,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AACvE,YAAY,EAAE,iBAAiB,IAAI,UAAU,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AACzE,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AACnH,OAAO,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAC;AAGjE,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,wBAAwB,EAAE,WAAW,EAAE,0BAA0B,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAC9N,YAAY,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,gCAAgC,CAAC;AACvH,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAChJ,OAAO,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AAC5G,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AACvE,YAAY,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAGzE,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,kBAAkB,EAAE,UAAU,EAAE,QAAQ,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAC;AAC9K,YAAY,EAAE,kBAAkB,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,wCAAwC,CAAC;AAGjH,OAAO,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,eAAe,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,uCAAuC,CAAC;AACtP,YAAY,EAAE,kBAAkB,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,uCAAuC,CAAC;AAGjI,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC7D,YAAY,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AACxE,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,eAAe,EAAE,eAAe,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AACpO,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,aAAa,EAAE,WAAW,EAAE,yBAAyB,EAAE,MAAM,yCAAyC,CAAC;AACtJ,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AACpG,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACrF,OAAO,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrE,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,mCAAmC,CAAC;AACpH,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC;AAGzF,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAC1H,OAAO,EAAE,oBAAoB,EAAE,6BAA6B,EAAE,eAAe,EAAE,MAAM,8CAA8C,CAAC;AAGpI,YAAY,EAAE,oBAAoB,EAAE,QAAQ,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AAOjL,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAGlE,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,YAAY,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/index.js CHANGED Viewed

@@ -46,6 +46,10 @@ export { authenticateToken, authenticateTokenOnly, optionalAuth, requireSuperAdm
 export { validateQueryParams, sanitizeSearchTerm, validatePagination, validateSort, validateFields } from './middleware/validateQueryParams.js';
 export { registerFeatureValidators, batchRegisterValidators } from './middleware/autoRegisterValidators.js';
 export { configureSecurity } from './middleware/securityMiddleware.js';
+// Entitlements (plan-based feature gating)
+export { configureEntitlements, requireFeature, requireWithinLimit, hasFeature, getLimit, getOrgFeatures, invalidatePlanCache } from './middleware/entitlementsMiddleware.js';
+// Permissions (config-driven RBAC)
+export { configurePermissions, registerFeaturePermissions, requirePermission, requireAnyPermission, checkPermission, canSeeNav, canSeeTab, canDoAction, getAllPermissionConfigs, getPermissionsForRole } from './middleware/permissionsMiddleware.js';
 // ─── Utils ──────────────────────────────────────────────────
 export { createLogger, rootLogger } from './utils/logger.js';
 export { validateEnvironment } from './utils/validateEnvironment.js';

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAIH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AAMtE,+DAA+D;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,6CAA6C,CAAC;AAClF,OAAO,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AACxF,OAAO,EAAE,4BAA4B,EAAE,MAAM,gDAAgD,CAAC;AAE9F,+DAA+D;AAC/D,OAAO,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,MAAM,2CAA2C,CAAC;AAE3G,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAC;AAC7F,OAAO,EAAE,iBAAiB,EAAE,MAAM,4CAA4C,CAAC;AAC/E,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AAEzE,+DAA+D;AAC/D,OAAO,EAAE,qBAAqB,EAAE,MAAM,4CAA4C,CAAC;AACnF,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AAEvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AAEzE,OAAO,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAC;AAEjE,gEAAgE;AAChE,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,wBAAwB,EAAE,WAAW,EAAE,0BAA0B,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAE9N,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAChJ,OAAO,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AAC5G,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAGvE,+DAA+D;AAC/D,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AACxE,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,eAAe,EAAE,eAAe,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AAEpO,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AACpG,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACrF,OAAO,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrE,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,mCAAmC,CAAC;AAGpH,+DAA+D;AAC/D,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAC1H,OAAO,EAAE,oBAAoB,EAAE,6BAA6B,EAAE,eAAe,EAAE,MAAM,8CAA8C,CAAC;AAKpI,gEAAgE;AAChE,wEAAwE;AACxE,uFAAuF;AAEvF,8DAA8D;AAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAElE,+DAA+D;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAIH,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AAMtE,+DAA+D;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,6CAA6C,CAAC;AAClF,OAAO,EAAE,sBAAsB,EAAE,MAAM,gDAAgD,CAAC;AACxF,OAAO,EAAE,4BAA4B,EAAE,MAAM,gDAAgD,CAAC;AAE9F,+DAA+D;AAC/D,OAAO,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,MAAM,2CAA2C,CAAC;AAE3G,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,yCAAyC,CAAC;AAC7F,OAAO,EAAE,iBAAiB,EAAE,MAAM,4CAA4C,CAAC;AAC/E,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAC;AAEzE,+DAA+D;AAC/D,OAAO,EAAE,qBAAqB,EAAE,MAAM,4CAA4C,CAAC;AACnF,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AAEvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AAEzE,OAAO,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAC;AAEjE,gEAAgE;AAChE,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,YAAY,EAAE,iBAAiB,EAAE,eAAe,EAAE,wBAAwB,EAAE,WAAW,EAAE,0BAA0B,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAE9N,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAChJ,OAAO,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC;AAC5G,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAGvE,2CAA2C;AAC3C,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,kBAAkB,EAAE,UAAU,EAAE,QAAQ,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAC;AAG9K,mCAAmC;AACnC,OAAO,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,eAAe,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,uCAAuC,CAAC;AAGtP,+DAA+D;AAC/D,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AACxE,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,eAAe,EAAE,eAAe,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AAEpO,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAC;AACpG,OAAO,EAAE,iBAAiB,EAAE,MAAM,gCAAgC,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AACrF,OAAO,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrE,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,mCAAmC,CAAC;AAGpH,+DAA+D;AAC/D,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAC1H,OAAO,EAAE,oBAAoB,EAAE,6BAA6B,EAAE,eAAe,EAAE,MAAM,8CAA8C,CAAC;AAKpI,gEAAgE;AAChE,wEAAwE;AACxE,uFAAuF;AAEvF,8DAA8D;AAC9D,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAElE,+DAA+D;AAC/D,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/middleware/entitlementsMiddleware.d.ts ADDED Viewed

@@ -0,0 +1,142 @@
+/**
+ * @tetra/core — Entitlements Middleware (Plan-Based Feature Gating)
+ *
+ * Controls what an ORGANIZATION can do based on their subscription plan.
+ * This is separate from auth/RBAC (what a USER can do based on their role).
+ *
+ * Evaluation order per request:
+ *   1. Auth        → Is there a valid JWT?
+ *   2. Entitlement → Does this ORG's plan include this feature?
+ *   3. RBAC        → Does this USER's role allow this action?
+ *
+ * Projects call configureEntitlements() once at startup with their plan definitions
+ * and a getPlanId function that reads the org's current plan from the database.
+ *
+ * @example
+ * ```typescript
+ * configureEntitlements({
+ *   plans: {
+ *     free:  { max_active_tracks: 3,  calendar_sync: false },
+ *     pro:   { max_active_tracks: -1, calendar_sync: true },
+ *   },
+ *   getPlanId: async (orgId) => {
+ *     const { data } = await systemDB('entitlements')
+ *       .from('organizations').select('plan').eq('id', orgId).single();
+ *     return data?.plan ?? 'free';
+ *   },
+ * });
+ *
+ * // In routes:
+ * router.post('/upload', requireFeature('calendar_sync'), handler);
+ * router.post('/', requireWithinLimit('max_active_tracks', countFn), handler);
+ * ```
+ */
+import { Response, NextFunction } from 'express';
+import type { AuthenticatedRequest } from './authMiddleware.js';
+/**
+ * Plan features map. Keys are feature names, values are:
+ * - boolean: feature is on/off
+ * - number:  numeric limit (-1 = unlimited, 0 = disabled)
+ */
+export type PlanFeatures = Record<string, boolean | number>;
+/**
+ * Configuration for the entitlements system.
+ */
+export interface EntitlementsConfig {
+    /**
+     * Plan definitions. Key is the plan ID (e.g., 'free', 'pro').
+     * Values are feature maps.
+     *
+     * @example
+     * plans: {
+     *   free: { max_projects: 3, ai_autofix: false },
+     *   pro:  { max_projects: -1, ai_autofix: true },
+     * }
+     */
+    plans: Record<string, PlanFeatures>;
+    /**
+     * Async function to get the current plan ID for an organization.
+     * Called on each entitlement check (results are cached per request).
+     *
+     * @example
+     * getPlanId: async (orgId) => {
+     *   const { data } = await db.from('organizations').select('plan').eq('id', orgId).single();
+     *   return data?.plan ?? 'free';
+     * }
+     */
+    getPlanId: (organizationId: string) => Promise<string>;
+    /**
+     * Default plan ID when org has no plan or plan is unknown.
+     * Defaults to 'free'.
+     */
+    defaultPlanId?: string;
+    /**
+     * Cache TTL in milliseconds for plan lookups.
+     * Defaults to 60000 (1 minute).
+     */
+    cacheTtlMs?: number;
+}
+/**
+ * Result of a limit check.
+ */
+export interface LimitCheckResult {
+    allowed: boolean;
+    current: number;
+    limit: number;
+    planId: string;
+}
+/**
+ * Configure the entitlements system. Call once at app startup.
+ */
+export declare function configureEntitlements(entitlementsConfig: EntitlementsConfig): void;
+/**
+ * Check if a plan has a specific feature enabled.
+ *
+ * - Boolean features: returns the boolean value
+ * - Numeric features: returns true if value !== 0
+ * - Unknown features: returns false (fail closed)
+ */
+export declare function hasFeature(planId: string, feature: string): boolean;
+/**
+ * Get the numeric limit for a feature on a plan.
+ * Returns -1 for unlimited, 0 for disabled.
+ */
+export declare function getLimit(planId: string, feature: string): number;
+/**
+ * Get all features for an organization (resolved from their plan).
+ * Useful for frontend: GET /api/org/entitlements
+ */
+export declare function getOrgFeatures(organizationId: string): Promise<{
+    planId: string;
+    features: PlanFeatures;
+}>;
+/**
+ * Invalidate the plan cache for an organization.
+ * Call this after plan changes (e.g., Stripe webhook).
+ */
+export declare function invalidatePlanCache(organizationId?: string): void;
+/**
+ * Express middleware: require a feature to be enabled on the org's plan.
+ *
+ * @param feature - The feature key to check (must match a key in plan features)
+ *
+ * @example
+ * router.post('/upload', requireFeature('chat_attachments'), handler);
+ */
+export declare function requireFeature(feature: string): (req: AuthenticatedRequest, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+/**
+ * Express middleware: enforce a numeric limit before creating a resource.
+ *
+ * @param feature - The feature key for the limit (e.g., 'max_active_tracks')
+ * @param countFn - Async function that returns the current usage count for the org
+ *
+ * @example
+ * const countTracks = async (orgId: string) => {
+ *   const { count } = await db.from('tracks').select('id', { count: 'exact', head: true })
+ *     .eq('organization_id', orgId).eq('status', 'active');
+ *   return count ?? 0;
+ * };
+ * router.post('/', requireWithinLimit('max_active_tracks', countTracks), handler);
+ */
+export declare function requireWithinLimit(feature: string, countFn: (organizationId: string) => Promise<number>): (req: AuthenticatedRequest, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+//# sourceMappingURL=entitlementsMiddleware.d.ts.map

package/dist/middleware/entitlementsMiddleware.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"entitlementsMiddleware.d.ts","sourceRoot":"","sources":["../../src/middleware/entitlementsMiddleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAGjD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAMhE;;;;GAIG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;;;;;;OASG;IACH,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAEpC;;;;;;;;;OASG;IACH,SAAS,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAEvD;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAWD;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,kBAAkB,EAAE,kBAAkB,GAAG,IAAI,CAOlF;AAgDD;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAOnE;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAOhE;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,YAAY,CAAA;CAAE,CAAC,CAGhH;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAMjE;AAID;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,IAC9B,KAAK,oBAAoB,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDAiC3E;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,CAAC,cAAc,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,IAEtC,KAAK,oBAAoB,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDA6D3E"}

package/dist/middleware/entitlementsMiddleware.js ADDED Viewed

@@ -0,0 +1,246 @@
+/**
+ * @tetra/core — Entitlements Middleware (Plan-Based Feature Gating)
+ *
+ * Controls what an ORGANIZATION can do based on their subscription plan.
+ * This is separate from auth/RBAC (what a USER can do based on their role).
+ *
+ * Evaluation order per request:
+ *   1. Auth        → Is there a valid JWT?
+ *   2. Entitlement → Does this ORG's plan include this feature?
+ *   3. RBAC        → Does this USER's role allow this action?
+ *
+ * Projects call configureEntitlements() once at startup with their plan definitions
+ * and a getPlanId function that reads the org's current plan from the database.
+ *
+ * @example
+ * ```typescript
+ * configureEntitlements({
+ *   plans: {
+ *     free:  { max_active_tracks: 3,  calendar_sync: false },
+ *     pro:   { max_active_tracks: -1, calendar_sync: true },
+ *   },
+ *   getPlanId: async (orgId) => {
+ *     const { data } = await systemDB('entitlements')
+ *       .from('organizations').select('plan').eq('id', orgId).single();
+ *     return data?.plan ?? 'free';
+ *   },
+ * });
+ *
+ * // In routes:
+ * router.post('/upload', requireFeature('calendar_sync'), handler);
+ * router.post('/', requireWithinLimit('max_active_tracks', countFn), handler);
+ * ```
+ */
+import { createLogger } from '../utils/logger.js';
+import { RFC7807ErrorResponse } from '../shared/rfc7807ErrorResponse.js';
+const logger = createLogger('middleware:entitlements');
+// ─── State ──────────────────────────────────────────────────
+let config = null;
+// Simple in-memory cache: orgId → { planId, expiresAt }
+const planCache = new Map();
+// ─── Configure ──────────────────────────────────────────────
+/**
+ * Configure the entitlements system. Call once at app startup.
+ */
+export function configureEntitlements(entitlementsConfig) {
+    config = entitlementsConfig;
+    planCache.clear();
+    logger.info({ planCount: Object.keys(entitlementsConfig.plans).length }, 'Entitlements configured');
+}
+// ─── Helpers ────────────────────────────────────────────────
+function getDefaultPlanId() {
+    return config?.defaultPlanId ?? 'free';
+}
+function getCacheTtl() {
+    return config?.cacheTtlMs ?? 60_000;
+}
+/**
+ * Get the plan ID for an organization, with caching.
+ */
+async function getOrgPlanId(organizationId) {
+    if (!config)
+        return getDefaultPlanId();
+    const cached = planCache.get(organizationId);
+    if (cached && cached.expiresAt > Date.now()) {
+        return cached.planId;
+    }
+    try {
+        const planId = await config.getPlanId(organizationId);
+        const resolvedPlanId = planId && config.plans[planId] ? planId : getDefaultPlanId();
+        planCache.set(organizationId, {
+            planId: resolvedPlanId,
+            expiresAt: Date.now() + getCacheTtl(),
+        });
+        return resolvedPlanId;
+    }
+    catch (error) {
+        logger.error({ error, organizationId }, 'Failed to get org plan, falling back to default');
+        return getDefaultPlanId();
+    }
+}
+/**
+ * Get the features for a plan ID.
+ */
+function getPlanFeatures(planId) {
+    return config?.plans[planId] ?? config?.plans[getDefaultPlanId()] ?? {};
+}
+// ─── Public API ─────────────────────────────────────────────
+/**
+ * Check if a plan has a specific feature enabled.
+ *
+ * - Boolean features: returns the boolean value
+ * - Numeric features: returns true if value !== 0
+ * - Unknown features: returns false (fail closed)
+ */
+export function hasFeature(planId, feature) {
+    const features = getPlanFeatures(planId);
+    const value = features[feature];
+    if (value === undefined)
+        return false;
+    if (typeof value === 'boolean')
+        return value;
+    return value !== 0;
+}
+/**
+ * Get the numeric limit for a feature on a plan.
+ * Returns -1 for unlimited, 0 for disabled.
+ */
+export function getLimit(planId, feature) {
+    const features = getPlanFeatures(planId);
+    const value = features[feature];
+    if (value === undefined)
+        return 0;
+    if (typeof value === 'boolean')
+        return value ? -1 : 0;
+    return value;
+}
+/**
+ * Get all features for an organization (resolved from their plan).
+ * Useful for frontend: GET /api/org/entitlements
+ */
+export async function getOrgFeatures(organizationId) {
+    const planId = await getOrgPlanId(organizationId);
+    return { planId, features: getPlanFeatures(planId) };
+}
+/**
+ * Invalidate the plan cache for an organization.
+ * Call this after plan changes (e.g., Stripe webhook).
+ */
+export function invalidatePlanCache(organizationId) {
+    if (organizationId) {
+        planCache.delete(organizationId);
+    }
+    else {
+        planCache.clear();
+    }
+}
+// ─── Middleware ──────────────────────────────────────────────
+/**
+ * Express middleware: require a feature to be enabled on the org's plan.
+ *
+ * @param feature - The feature key to check (must match a key in plan features)
+ *
+ * @example
+ * router.post('/upload', requireFeature('chat_attachments'), handler);
+ */
+export function requireFeature(feature) {
+    return async (req, res, next) => {
+        if (!config) {
+            logger.warn('requireFeature called but entitlements not configured');
+            return next();
+        }
+        const orgId = req.user?.organizationId || req.user?.active_organization_id;
+        if (!orgId) {
+            return RFC7807ErrorResponse.unauthorized(res, 'Authentication with organization required');
+        }
+        // Superadmins bypass entitlement checks
+        if (req.user?.is_superadmin || req.user?.isSuperAdmin || req.user?.isSuperadmin) {
+            return next();
+        }
+        const planId = await getOrgPlanId(orgId);
+        const allowed = hasFeature(planId, feature);
+        if (!allowed) {
+            return res.status(403).json({
+                type: 'about:blank',
+                title: 'Feature not available on your plan',
+                detail: `The feature "${feature}" is not included in the "${planId}" plan. Please upgrade.`,
+                status: 403,
+                instance: req.originalUrl,
+                feature,
+                currentPlan: planId,
+            });
+        }
+        next();
+    };
+}
+/**
+ * Express middleware: enforce a numeric limit before creating a resource.
+ *
+ * @param feature - The feature key for the limit (e.g., 'max_active_tracks')
+ * @param countFn - Async function that returns the current usage count for the org
+ *
+ * @example
+ * const countTracks = async (orgId: string) => {
+ *   const { count } = await db.from('tracks').select('id', { count: 'exact', head: true })
+ *     .eq('organization_id', orgId).eq('status', 'active');
+ *   return count ?? 0;
+ * };
+ * router.post('/', requireWithinLimit('max_active_tracks', countTracks), handler);
+ */
+export function requireWithinLimit(feature, countFn) {
+    return async (req, res, next) => {
+        if (!config) {
+            logger.warn('requireWithinLimit called but entitlements not configured');
+            return next();
+        }
+        const orgId = req.user?.organizationId || req.user?.active_organization_id;
+        if (!orgId) {
+            return RFC7807ErrorResponse.unauthorized(res, 'Authentication with organization required');
+        }
+        // Superadmins bypass limit checks
+        if (req.user?.is_superadmin || req.user?.isSuperAdmin || req.user?.isSuperadmin) {
+            return next();
+        }
+        const planId = await getOrgPlanId(orgId);
+        const limit = getLimit(planId, feature);
+        // -1 means unlimited
+        if (limit === -1) {
+            return next();
+        }
+        // 0 means disabled
+        if (limit === 0) {
+            return res.status(403).json({
+                type: 'about:blank',
+                title: 'Feature not available on your plan',
+                detail: `The feature "${feature}" is not included in the "${planId}" plan. Please upgrade.`,
+                status: 403,
+                instance: req.originalUrl,
+                feature,
+                currentPlan: planId,
+            });
+        }
+        try {
+            const current = await countFn(orgId);
+            if (current >= limit) {
+                return res.status(403).json({
+                    type: 'about:blank',
+                    title: 'Plan limit reached',
+                    detail: `You have reached the limit of ${limit} for "${feature}" on the "${planId}" plan.`,
+                    status: 403,
+                    instance: req.originalUrl,
+                    feature,
+                    currentPlan: planId,
+                    current,
+                    limit,
+                });
+            }
+            next();
+        }
+        catch (error) {
+            logger.error({ error, orgId, feature }, 'Failed to check usage limit');
+            // Fail open for count errors — the DB will catch any real violations
+            next();
+        }
+    };
+}
+//# sourceMappingURL=entitlementsMiddleware.js.map

package/dist/middleware/entitlementsMiddleware.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"entitlementsMiddleware.js","sourceRoot":"","sources":["../../src/middleware/entitlementsMiddleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AAGzE,MAAM,MAAM,GAAG,YAAY,CAAC,yBAAyB,CAAC,CAAC;AA8DvD,+DAA+D;AAE/D,IAAI,MAAM,GAA8B,IAAI,CAAC;AAE7C,wDAAwD;AACxD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAiD,CAAC;AAE3E,+DAA+D;AAE/D;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,kBAAsC;IAC1E,MAAM,GAAG,kBAAkB,CAAC;IAC5B,SAAS,CAAC,KAAK,EAAE,CAAC;IAClB,MAAM,CAAC,IAAI,CACT,EAAE,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,MAAM,EAAE,EAC3D,yBAAyB,CAC1B,CAAC;AACJ,CAAC;AAED,+DAA+D;AAE/D,SAAS,gBAAgB;IACvB,OAAO,MAAM,EAAE,aAAa,IAAI,MAAM,CAAC;AACzC,CAAC;AAED,SAAS,WAAW;IAClB,OAAO,MAAM,EAAE,UAAU,IAAI,MAAM,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,YAAY,CAAC,cAAsB;IAChD,IAAI,CAAC,MAAM;QAAE,OAAO,gBAAgB,EAAE,CAAC;IAEvC,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC7C,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5C,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QACtD,MAAM,cAAc,GAAG,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,gBAAgB,EAAE,CAAC;QAEpF,SAAS,CAAC,GAAG,CAAC,cAAc,EAAE;YAC5B,MAAM,EAAE,cAAc;YACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,EAAE;SACtC,CAAC,CAAC;QAEH,OAAO,cAAc,CAAC;IACxB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE,iDAAiD,CAAC,CAAC;QAC3F,OAAO,gBAAgB,EAAE,CAAC;IAC5B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAc;IACrC,OAAO,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,MAAM,EAAE,KAAK,CAAC,gBAAgB,EAAE,CAAC,IAAI,EAAE,CAAC;AAC1E,CAAC;AAED,+DAA+D;AAE/D;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CAAC,MAAc,EAAE,OAAe;IACxD,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAEhC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,OAAO,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7C,OAAO,KAAK,KAAK,CAAC,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,MAAc,EAAE,OAAe;IACtD,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAEhC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,CAAC,CAAC;IAClC,IAAI,OAAO,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,cAAsB;IACzD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,cAAc,CAAC,CAAC;IAClD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;AACvD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,cAAuB;IACzD,IAAI,cAAc,EAAE,CAAC;QACnB,SAAS,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,SAAS,CAAC,KAAK,EAAE,CAAC;IACpB,CAAC;AACH,CAAC;AAED,gEAAgE;AAEhE;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,OAAO,KAAK,EAAE,GAAyB,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC5E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;YACrE,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,cAAc,IAAI,GAAG,CAAC,IAAI,EAAE,sBAAsB,CAAC;QAC3E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,oBAAoB,CAAC,YAAY,CAAC,GAAG,EAAE,2CAA2C,CAAC,CAAC;QAC7F,CAAC;QAED,wCAAwC;QACxC,IAAI,GAAG,CAAC,IAAI,EAAE,aAAa,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;YAChF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAE5C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,oCAAoC;gBAC3C,MAAM,EAAE,gBAAgB,OAAO,6BAA6B,MAAM,yBAAyB;gBAC3F,MAAM,EAAE,GAAG;gBACX,QAAQ,EAAE,GAAG,CAAC,WAAW;gBACzB,OAAO;gBACP,WAAW,EAAE,MAAM;aACpB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,OAAoD;IAEpD,OAAO,KAAK,EAAE,GAAyB,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC5E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;YACzE,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,EAAE,cAAc,IAAI,GAAG,CAAC,IAAI,EAAE,sBAAsB,CAAC;QAC3E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,oBAAoB,CAAC,YAAY,CAAC,GAAG,EAAE,2CAA2C,CAAC,CAAC;QAC7F,CAAC;QAED,kCAAkC;QAClC,IAAI,GAAG,CAAC,IAAI,EAAE,aAAa,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;YAChF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAExC,qBAAqB;QACrB,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,mBAAmB;QACnB,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;YAChB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,oCAAoC;gBAC3C,MAAM,EAAE,gBAAgB,OAAO,6BAA6B,MAAM,yBAAyB;gBAC3F,MAAM,EAAE,GAAG;gBACX,QAAQ,EAAE,GAAG,CAAC,WAAW;gBACzB,OAAO;gBACP,WAAW,EAAE,MAAM;aACpB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;YAErC,IAAI,OAAO,IAAI,KAAK,EAAE,CAAC;gBACrB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAC1B,IAAI,EAAE,aAAa;oBACnB,KAAK,EAAE,oBAAoB;oBAC3B,MAAM,EAAE,iCAAiC,KAAK,SAAS,OAAO,aAAa,MAAM,SAAS;oBAC1F,MAAM,EAAE,GAAG;oBACX,QAAQ,EAAE,GAAG,CAAC,WAAW;oBACzB,OAAO;oBACP,WAAW,EAAE,MAAM;oBACnB,OAAO;oBACP,KAAK;iBACN,CAAC,CAAC;YACL,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,6BAA6B,CAAC,CAAC;YACvE,qEAAqE;YACrE,IAAI,EAAE,CAAC;QACT,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/permissionsMiddleware.d.ts ADDED Viewed

@@ -0,0 +1,181 @@
+/**
+ * @tetra/core — Permissions Middleware (Config-Driven RBAC)
+ *
+ * Controls what a USER can do based on their role within a feature.
+ * This is separate from entitlements (what an ORG can do based on their plan).
+ *
+ * Projects call configurePermissions() once at startup with their feature
+ * permission configs. Each feature defines which roles can create/read/update/delete.
+ *
+ * @example
+ * ```typescript
+ * configurePermissions({
+ *   notes: {
+ *     resource: 'notes',
+ *     roles: {
+ *       admin:  { create: true, read: true, update: true, delete: true },
+ *       coach:  { create: true, read: true, update: 'own',  delete: 'own' },
+ *       client: { create: false, read: true, update: false, delete: false },
+ *     },
+ *     ui: {
+ *       nav: ['admin', 'coach'],
+ *       tabs: { notities: ['admin', 'coach'] },
+ *       actions: { create_note: ['admin', 'coach'] },
+ *     },
+ *   },
+ * });
+ *
+ * // In routes:
+ * router.post('/', requirePermission('notes', 'create'), handler);
+ * router.delete('/:id', requirePermission('notes', 'delete'), handler);
+ * ```
+ */
+import { Response, NextFunction } from 'express';
+import type { AuthenticatedRequest } from './authMiddleware.js';
+/**
+ * Permission value for a role on a specific action.
+ * - true:   allowed (all records)
+ * - false:  denied
+ * - 'own':  allowed on own records only (ownerField must match user id)
+ * - 'track_member': allowed on records within tracks the user is a member of
+ * - string: custom scope (project-specific, middleware passes through)
+ */
+export type PermissionValue = boolean | 'own' | 'track_member' | string;
+/**
+ * CRUD permissions for a role on a feature.
+ */
+export interface RolePermissions {
+    create?: PermissionValue;
+    read?: PermissionValue;
+    update?: PermissionValue;
+    delete?: PermissionValue;
+    list?: PermissionValue;
+    /** Custom actions beyond CRUD */
+    [action: string]: PermissionValue | undefined;
+}
+/**
+ * UI visibility config for a feature.
+ * Used by frontend usePermissions() hook.
+ */
+export interface UIPermissions {
+    /** Which roles see this feature in the nav/sidebar */
+    nav?: string[];
+    /** Per-tab visibility: { tabId: [roles] } */
+    tabs?: Record<string, string[]>;
+    /** Per-action visibility: { actionId: [roles] } */
+    actions?: Record<string, string[]>;
+    /** Per-field visibility: { fieldName: [roles] } */
+    fields?: Record<string, string[]>;
+}
+/**
+ * Permission config for a single feature.
+ */
+export interface FeaturePermissions {
+    /** The resource name (e.g., 'notes', 'tracks', 'messages') */
+    resource: string;
+    /** Permission matrix: role → action → permission value */
+    roles: Record<string, RolePermissions>;
+    /** UI visibility rules (consumed by frontend) */
+    ui?: UIPermissions;
+}
+/**
+ * Register permission configs for features. Call once at app startup.
+ * Can be called multiple times to add more features.
+ *
+ * @param configs - Map of resource name → FeaturePermissions
+ *
+ * @example
+ * configurePermissions({
+ *   notes: notesPermissions,
+ *   tracks: tracksPermissions,
+ * });
+ */
+export declare function configurePermissions(configs: Record<string, FeaturePermissions>): void;
+/**
+ * Register a single feature's permissions.
+ */
+export declare function registerFeaturePermissions(config: FeaturePermissions): void;
+/**
+ * Check if a role is allowed to perform an action on a resource.
+ *
+ * Returns the PermissionValue:
+ * - true:   allowed
+ * - false:  denied
+ * - 'own':  allowed with scope restriction
+ * - string: custom scope
+ *
+ * Unknown roles/resources/actions default to false (fail closed).
+ */
+export declare function checkPermission(resource: string, action: string, role: string): PermissionValue;
+/**
+ * Check if a role can see a nav item for a resource.
+ */
+export declare function canSeeNav(resource: string, role: string): boolean;
+/**
+ * Check if a role can see a specific tab within a resource.
+ */
+export declare function canSeeTab(resource: string, tabId: string, role: string): boolean;
+/**
+ * Check if a role can perform a specific UI action.
+ */
+export declare function canDoAction(resource: string, actionId: string, role: string): boolean;
+/**
+ * Get all permission configs. Useful for:
+ * - Frontend: GET /api/permissions → returns all UI permissions for the user's role
+ * - Documentation: generate permission matrices
+ */
+export declare function getAllPermissionConfigs(): Record<string, FeaturePermissions>;
+/**
+ * Get the resolved permissions for a specific role across all features.
+ * Returns only UI-relevant data for the frontend.
+ */
+export declare function getPermissionsForRole(role: string): Record<string, {
+    nav: boolean;
+    tabs: Record<string, boolean>;
+    actions: Record<string, boolean>;
+    crud: Record<string, PermissionValue>;
+}>;
+/**
+ * Express middleware: require a specific permission on a resource.
+ *
+ * Checks the user's role against the registered permission config.
+ * Superadmins bypass all permission checks.
+ *
+ * When the permission value is 'own' or another scope string,
+ * the middleware allows the request but attaches `req.permissionScope`
+ * so the controller can apply the appropriate filter.
+ *
+ * @param resource - The resource name (must match a registered config)
+ * @param action - The action to check (create, read, update, delete, or custom)
+ *
+ * @example
+ * router.post('/', requirePermission('notes', 'create'), handler);
+ * router.delete('/:id', requirePermission('notes', 'delete'), handler);
+ *
+ * // In controller, check scope:
+ * if (req.permissionScope === 'own') {
+ *   query = query.eq('author_id', req.user.id);
+ * }
+ */
+export declare function requirePermission(resource: string, action: string): (req: AuthenticatedRequest, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
+/**
+ * Express middleware: require ANY of the listed permissions.
+ *
+ * @example
+ * router.get('/feed', requireAnyPermission([
+ *   { resource: 'notes', action: 'read' },
+ *   { resource: 'messages', action: 'read' },
+ * ]), handler);
+ */
+export declare function requireAnyPermission(permissions: Array<{
+    resource: string;
+    action: string;
+}>): (req: AuthenticatedRequest, res: Response, next: NextFunction) => void | Response<any, Record<string, any>>;
+declare global {
+    namespace Express {
+        interface Request {
+            permissionScope?: string;
+        }
+    }
+}
+//# sourceMappingURL=permissionsMiddleware.d.ts.map

package/dist/middleware/permissionsMiddleware.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissionsMiddleware.d.ts","sourceRoot":"","sources":["../../src/middleware/permissionsMiddleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAGjD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAMhE;;;;;;;GAOG;AACH,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,KAAK,GAAG,cAAc,GAAG,MAAM,CAAC;AAExE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,IAAI,CAAC,EAAE,eAAe,CAAC;IACvB,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,IAAI,CAAC,EAAE,eAAe,CAAC;IACvB,iCAAiC;IACjC,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAAC;CAC/C;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,sDAAsD;IACtD,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,6CAA6C;IAC7C,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAChC,mDAAmD;IACnD,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACnC,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,QAAQ,EAAE,MAAM,CAAC;IACjB,0DAA0D;IAC1D,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IACvC,iDAAiD;IACjD,EAAE,CAAC,EAAE,aAAa,CAAC;CACpB;AAQD;;;;;;;;;;;GAWG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,GAAG,IAAI,CAQtF;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,kBAAkB,GAAG,IAAI,CAE3E;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,GACX,eAAe,CAajB;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAIjE;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAIhF;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAIrF;AAED;;;;GAIG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAE5E;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE;IAClE,GAAG,EAAE,OAAO,CAAC;IACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;CACvC,CAAC,CAyBD;AAID;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,IACxD,KAAK,oBAAoB,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,+CAqCrE;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,WAAW,EAAE,KAAK,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,IAEhD,KAAK,oBAAoB,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,+CA6BrE;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,eAAe,CAAC,EAAE,MAAM,CAAC;SAC1B;KACF;CACF"}

package/dist/middleware/permissionsMiddleware.js ADDED Viewed

@@ -0,0 +1,237 @@
+/**
+ * @tetra/core — Permissions Middleware (Config-Driven RBAC)
+ *
+ * Controls what a USER can do based on their role within a feature.
+ * This is separate from entitlements (what an ORG can do based on their plan).
+ *
+ * Projects call configurePermissions() once at startup with their feature
+ * permission configs. Each feature defines which roles can create/read/update/delete.
+ *
+ * @example
+ * ```typescript
+ * configurePermissions({
+ *   notes: {
+ *     resource: 'notes',
+ *     roles: {
+ *       admin:  { create: true, read: true, update: true, delete: true },
+ *       coach:  { create: true, read: true, update: 'own',  delete: 'own' },
+ *       client: { create: false, read: true, update: false, delete: false },
+ *     },
+ *     ui: {
+ *       nav: ['admin', 'coach'],
+ *       tabs: { notities: ['admin', 'coach'] },
+ *       actions: { create_note: ['admin', 'coach'] },
+ *     },
+ *   },
+ * });
+ *
+ * // In routes:
+ * router.post('/', requirePermission('notes', 'create'), handler);
+ * router.delete('/:id', requirePermission('notes', 'delete'), handler);
+ * ```
+ */
+import { createLogger } from '../utils/logger.js';
+import { RFC7807ErrorResponse } from '../shared/rfc7807ErrorResponse.js';
+const logger = createLogger('middleware:permissions');
+// ─── State ──────────────────────────────────────────────────
+const permissionConfigs = new Map();
+// ─── Configure ──────────────────────────────────────────────
+/**
+ * Register permission configs for features. Call once at app startup.
+ * Can be called multiple times to add more features.
+ *
+ * @param configs - Map of resource name → FeaturePermissions
+ *
+ * @example
+ * configurePermissions({
+ *   notes: notesPermissions,
+ *   tracks: tracksPermissions,
+ * });
+ */
+export function configurePermissions(configs) {
+    for (const [key, config] of Object.entries(configs)) {
+        permissionConfigs.set(key, config);
+    }
+    logger.info({ features: Object.keys(configs) }, `Permissions configured for ${Object.keys(configs).length} feature(s)`);
+}
+/**
+ * Register a single feature's permissions.
+ */
+export function registerFeaturePermissions(config) {
+    permissionConfigs.set(config.resource, config);
+}
+// ─── Public API ─────────────────────────────────────────────
+/**
+ * Check if a role is allowed to perform an action on a resource.
+ *
+ * Returns the PermissionValue:
+ * - true:   allowed
+ * - false:  denied
+ * - 'own':  allowed with scope restriction
+ * - string: custom scope
+ *
+ * Unknown roles/resources/actions default to false (fail closed).
+ */
+export function checkPermission(resource, action, role) {
+    const config = permissionConfigs.get(resource);
+    if (!config)
+        return false;
+    const rolePerms = config.roles[role];
+    if (!rolePerms)
+        return false;
+    const value = rolePerms[action];
+    // Fallback: 'list' inherits from 'read' if not explicitly defined
+    if (value === undefined && action === 'list') {
+        return rolePerms['read'] ?? false;
+    }
+    return value ?? false;
+}
+/**
+ * Check if a role can see a nav item for a resource.
+ */
+export function canSeeNav(resource, role) {
+    const config = permissionConfigs.get(resource);
+    if (!config?.ui?.nav)
+        return true; // No nav config = visible to all
+    return config.ui.nav.includes(role);
+}
+/**
+ * Check if a role can see a specific tab within a resource.
+ */
+export function canSeeTab(resource, tabId, role) {
+    const config = permissionConfigs.get(resource);
+    if (!config?.ui?.tabs?.[tabId])
+        return true; // No tab config = visible to all
+    return config.ui.tabs[tabId].includes(role);
+}
+/**
+ * Check if a role can perform a specific UI action.
+ */
+export function canDoAction(resource, actionId, role) {
+    const config = permissionConfigs.get(resource);
+    if (!config?.ui?.actions?.[actionId])
+        return true; // No action config = visible to all
+    return config.ui.actions[actionId].includes(role);
+}
+/**
+ * Get all permission configs. Useful for:
+ * - Frontend: GET /api/permissions → returns all UI permissions for the user's role
+ * - Documentation: generate permission matrices
+ */
+export function getAllPermissionConfigs() {
+    return Object.fromEntries(permissionConfigs);
+}
+/**
+ * Get the resolved permissions for a specific role across all features.
+ * Returns only UI-relevant data for the frontend.
+ */
+export function getPermissionsForRole(role) {
+    const result = {};
+    for (const [resource, config] of permissionConfigs) {
+        const rolePerms = config.roles[role] ?? {};
+        result[resource] = {
+            nav: config.ui?.nav ? config.ui.nav.includes(role) : true,
+            tabs: Object.fromEntries(Object.entries(config.ui?.tabs ?? {}).map(([tabId, roles]) => [tabId, roles.includes(role)])),
+            actions: Object.fromEntries(Object.entries(config.ui?.actions ?? {}).map(([actionId, roles]) => [actionId, roles.includes(role)])),
+            crud: {
+                create: rolePerms.create ?? false,
+                read: rolePerms.read ?? false,
+                update: rolePerms.update ?? false,
+                delete: rolePerms.delete ?? false,
+                list: rolePerms.list ?? rolePerms.read ?? false,
+            },
+        };
+    }
+    return result;
+}
+// ─── Middleware ──────────────────────────────────────────────
+/**
+ * Express middleware: require a specific permission on a resource.
+ *
+ * Checks the user's role against the registered permission config.
+ * Superadmins bypass all permission checks.
+ *
+ * When the permission value is 'own' or another scope string,
+ * the middleware allows the request but attaches `req.permissionScope`
+ * so the controller can apply the appropriate filter.
+ *
+ * @param resource - The resource name (must match a registered config)
+ * @param action - The action to check (create, read, update, delete, or custom)
+ *
+ * @example
+ * router.post('/', requirePermission('notes', 'create'), handler);
+ * router.delete('/:id', requirePermission('notes', 'delete'), handler);
+ *
+ * // In controller, check scope:
+ * if (req.permissionScope === 'own') {
+ *   query = query.eq('author_id', req.user.id);
+ * }
+ */
+export function requirePermission(resource, action) {
+    return (req, res, next) => {
+        // Superadmins bypass all permission checks
+        if (req.user?.is_superadmin || req.user?.isSuperAdmin || req.user?.isSuperadmin) {
+            return next();
+        }
+        const role = req.user?.role;
+        if (!role) {
+            return RFC7807ErrorResponse.forbidden(res, 'No role assigned. Cannot check permissions.');
+        }
+        const permission = checkPermission(resource, action, role);
+        if (permission === false) {
+            return res.status(403).json({
+                type: 'about:blank',
+                title: 'Permission denied',
+                detail: `Role "${role}" is not allowed to "${action}" on "${resource}".`,
+                status: 403,
+                instance: req.originalUrl,
+                resource,
+                action,
+                role,
+            });
+        }
+        // If permission is a scope string (e.g., 'own', 'track_member'),
+        // attach it to the request so controllers can filter accordingly.
+        if (typeof permission === 'string') {
+            req.permissionScope = permission;
+        }
+        next();
+    };
+}
+/**
+ * Express middleware: require ANY of the listed permissions.
+ *
+ * @example
+ * router.get('/feed', requireAnyPermission([
+ *   { resource: 'notes', action: 'read' },
+ *   { resource: 'messages', action: 'read' },
+ * ]), handler);
+ */
+export function requireAnyPermission(permissions) {
+    return (req, res, next) => {
+        if (req.user?.is_superadmin || req.user?.isSuperAdmin || req.user?.isSuperadmin) {
+            return next();
+        }
+        const role = req.user?.role;
+        if (!role) {
+            return RFC7807ErrorResponse.forbidden(res, 'No role assigned.');
+        }
+        const hasAny = permissions.some(({ resource, action }) => {
+            const perm = checkPermission(resource, action, role);
+            return perm !== false;
+        });
+        if (!hasAny) {
+            return res.status(403).json({
+                type: 'about:blank',
+                title: 'Permission denied',
+                detail: `Role "${role}" lacks all required permissions.`,
+                status: 403,
+                instance: req.originalUrl,
+                required: permissions,
+                role,
+            });
+        }
+        next();
+    };
+}
+//# sourceMappingURL=permissionsMiddleware.js.map

package/dist/middleware/permissionsMiddleware.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permissionsMiddleware.js","sourceRoot":"","sources":["../../src/middleware/permissionsMiddleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AAGzE,MAAM,MAAM,GAAG,YAAY,CAAC,wBAAwB,CAAC,CAAC;AAsDtD,+DAA+D;AAE/D,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAA8B,CAAC;AAEhE,+DAA+D;AAE/D;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA2C;IAC9E,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,iBAAiB,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IACD,MAAM,CAAC,IAAI,CACT,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,EAClC,8BAA8B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,aAAa,CACvE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CAAC,MAA0B;IACnE,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC;AAED,+DAA+D;AAE/D;;;;;;;;;;GAUG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,MAAc,EACd,IAAY;IAEZ,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE1B,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAE7B,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IAChC,kEAAkE;IAClE,IAAI,KAAK,KAAK,SAAS,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QAC7C,OAAO,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC;IACpC,CAAC;IACD,OAAO,KAAK,IAAI,KAAK,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,QAAgB,EAAE,IAAY;IACtD,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,GAAG;QAAE,OAAO,IAAI,CAAC,CAAC,iCAAiC;IACpE,OAAO,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,QAAgB,EAAE,KAAa,EAAE,IAAY;IACrE,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,iCAAiC;IAC9E,OAAO,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,QAAgB,EAAE,QAAgB,EAAE,IAAY;IAC1E,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,oCAAoC;IACvF,OAAO,MAAM,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAMhD,MAAM,MAAM,GAAwB,EAAE,CAAC;IAEvC,KAAK,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;QACnD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAE3C,MAAM,CAAC,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI;YACzD,IAAI,EAAE,MAAM,CAAC,WAAW,CACtB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAC7F;YACD,OAAO,EAAE,MAAM,CAAC,WAAW,CACzB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CACtG;YACD,IAAI,EAAE;gBACJ,MAAM,EAAE,SAAS,CAAC,MAAM,IAAI,KAAK;gBACjC,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,KAAK;gBAC7B,MAAM,EAAE,SAAS,CAAC,MAAM,IAAI,KAAK;gBACjC,MAAM,EAAE,SAAS,CAAC,MAAM,IAAI,KAAK;gBACjC,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,IAAI,IAAI,KAAK;aAChD;SACF,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gEAAgE;AAEhE;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,MAAc;IAChE,OAAO,CAAC,GAAyB,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACtE,2CAA2C;QAC3C,IAAI,GAAG,CAAC,IAAI,EAAE,aAAa,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;YAChF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,oBAAoB,CAAC,SAAS,CACnC,GAAG,EACH,6CAA6C,CAC9C,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QAE3D,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;YACzB,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,mBAAmB;gBAC1B,MAAM,EAAE,SAAS,IAAI,wBAAwB,MAAM,SAAS,QAAQ,IAAI;gBACxE,MAAM,EAAE,GAAG;gBACX,QAAQ,EAAE,GAAG,CAAC,WAAW;gBACzB,QAAQ;gBACR,MAAM;gBACN,IAAI;aACL,CAAC,CAAC;QACL,CAAC;QAED,iEAAiE;QACjE,kEAAkE;QAClE,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YAClC,GAAW,CAAC,eAAe,GAAG,UAAU,CAAC;QAC5C,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAClC,WAAwD;IAExD,OAAO,CAAC,GAAyB,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACtE,IAAI,GAAG,CAAC,IAAI,EAAE,aAAa,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;YAChF,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC;QAC5B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,oBAAoB,CAAC,SAAS,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;QAClE,CAAC;QAED,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE;YACvD,MAAM,IAAI,GAAG,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;YACrD,OAAO,IAAI,KAAK,KAAK,CAAC;QACxB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC1B,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,mBAAmB;gBAC1B,MAAM,EAAE,SAAS,IAAI,mCAAmC;gBACxD,MAAM,EAAE,GAAG;gBACX,QAAQ,EAAE,GAAG,CAAC,WAAW;gBACzB,QAAQ,EAAE,WAAW;gBACrB,IAAI;aACL,CAAC,CAAC;QACL,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@soulbatical/tetra-core",
-  "version": "0.1.5",
+  "version": "0.1.8",
   "publishConfig": {
     "access": "restricted"
   },