@stratal/framework 0.0.12 → 0.0.14

package/dist/rbac/index.mjs

@@ -0,0 +1,346 @@
+import { t as __decorate } from "../decorate-RSane8dy.mjs";
+import { t as __decorateMetadata } from "../decorateMetadata-CETItPez.mjs";
+import { t as __decorateParam } from "../decorateParam-CcTvpNsw.mjs";
+import { n as InsufficientPermissionsError, t as RBAC_TOKENS } from "../tokens-Di1ofovy.mjs";
+import { Module } from "stratal/module";
+import { DI_TOKENS, Transient } from "stratal/di";
+import { inject } from "tsyringe";
+import { Helper, newCachedEnforcer, newModelFromString } from "casbin";
+//#region src/rbac/constants.ts
+/**
+* RBAC Constants
+*/
+const RBAC_CONTEXT_KEYS = { AUTH_SCOPES: Symbol("rbac:authScopes") };
+//#endregion
+//#region src/rbac/adapters/custom-zenstack-adapter.ts
+/**
+* Custom ZenStack adapter for Casbin that works with Cloudflare Workers.
+*
+* Based on the original casbin-prisma-adapter but modified to:
+* - Work with ZenStack v3 ORM clients
+* - Avoid bundling errors in Cloudflare Workers
+* - Accept pre-connected ZenStack clients (request-scoped)
+*/
+var CustomZenStackAdapter = class CustomZenStackAdapter {
+	#db;
+	filtered = false;
+	isFiltered() {
+		return this.filtered;
+	}
+	enableFiltered(enabled) {
+		this.filtered = enabled;
+	}
+	constructor(db) {
+		this.#db = db;
+	}
+	async loadPolicy(model) {
+		const lines = await this.#db.casbinRule.findMany();
+		for (const line of lines) this.#loadPolicyLine(line, model);
+	}
+	async loadFilteredPolicy(model, filter) {
+		const whereFilter = Object.keys(filter).map((ptype) => {
+			return filter[ptype].map((policyPattern) => {
+				return {
+					ptype,
+					...policyPattern[0] && { v0: policyPattern[0] },
+					...policyPattern[1] && { v1: policyPattern[1] },
+					...policyPattern[2] && { v2: policyPattern[2] },
+					...policyPattern[3] && { v3: policyPattern[3] },
+					...policyPattern[4] && { v4: policyPattern[4] },
+					...policyPattern[5] && { v5: policyPattern[5] }
+				};
+			});
+		}).flat();
+		(await this.#db.casbinRule.findMany({ where: { OR: whereFilter } })).forEach((line) => this.#loadPolicyLine(line, model));
+		this.enableFiltered(true);
+	}
+	async savePolicy(model) {
+		await this.#db.$executeRawUnsafe("DELETE FROM casbin_rule");
+		const lines = [];
+		const savePolicyType = (ptype) => {
+			const astMap = model.model.get(ptype);
+			if (astMap) for (const [ptype, ast] of astMap) for (const rule of ast.policy) {
+				const line = this.#savePolicyLine(ptype, rule);
+				lines.push(line);
+			}
+		};
+		savePolicyType("p");
+		savePolicyType("g");
+		await this.#db.casbinRule.createMany({ data: lines });
+		return true;
+	}
+	async addPolicy(_sec, ptype, rule) {
+		const line = this.#savePolicyLine(ptype, rule);
+		await this.#db.casbinRule.create({ data: line });
+	}
+	async addPolicies(_sec, ptype, rules) {
+		const processes = [];
+		for (const rule of rules) {
+			const line = this.#savePolicyLine(ptype, rule);
+			const p = this.#db.casbinRule.create({ data: line });
+			processes.push(p);
+		}
+		await Promise.all(processes);
+	}
+	async removePolicy(_sec, ptype, rule) {
+		const line = this.#savePolicyLine(ptype, rule);
+		await this.#db.casbinRule.deleteMany({ where: line });
+	}
+	async removePolicies(_sec, ptype, rules) {
+		const processes = [];
+		for (const rule of rules) {
+			const line = this.#savePolicyLine(ptype, rule);
+			const p = this.#db.casbinRule.deleteMany({ where: line });
+			processes.push(p);
+		}
+		await Promise.all(processes);
+	}
+	async removeFilteredPolicy(_sec, ptype, fieldIndex, ...fieldValues) {
+		const line = { ptype };
+		const idx = fieldIndex + fieldValues.length;
+		if (fieldIndex <= 0 && 0 < idx) line.v0 = fieldValues[0 - fieldIndex];
+		if (fieldIndex <= 1 && 1 < idx) line.v1 = fieldValues[1 - fieldIndex];
+		if (fieldIndex <= 2 && 2 < idx) line.v2 = fieldValues[2 - fieldIndex];
+		if (fieldIndex <= 3 && 3 < idx) line.v3 = fieldValues[3 - fieldIndex];
+		if (fieldIndex <= 4 && 4 < idx) line.v4 = fieldValues[4 - fieldIndex];
+		if (fieldIndex <= 5 && 5 < idx) line.v5 = fieldValues[5 - fieldIndex];
+		await this.#db.casbinRule.deleteMany({ where: line });
+	}
+	async close() {}
+	static newAdapter(db) {
+		return new CustomZenStackAdapter(db);
+	}
+	#loadPolicyLine = (line, model) => {
+		const result = line.ptype + ", " + [
+			line.v0,
+			line.v1,
+			line.v2,
+			line.v3,
+			line.v4,
+			line.v5
+		].filter((n) => n).join(", ");
+		Helper.loadPolicyLine(result, model);
+	};
+	#savePolicyLine = (ptype, rule) => {
+		const line = { ptype };
+		if (rule.length > 0) line.v0 = rule[0];
+		if (rule.length > 1) line.v1 = rule[1];
+		if (rule.length > 2) line.v2 = rule[2];
+		if (rule.length > 3) line.v3 = rule[3];
+		if (rule.length > 4) line.v4 = rule[4];
+		if (rule.length > 5) line.v5 = rule[5];
+		return line;
+	};
+};
+//#endregion
+//#region src/rbac/services/casbin-enforcer.service.ts
+let CasbinEnforcerService = class CasbinEnforcerService {
+	enforcer = null;
+	constructor(db, options) {
+		this.db = db;
+		this.options = options;
+	}
+	/**
+	* Get or create the enforcer instance
+	*/
+	async getEnforcer() {
+		this.enforcer ??= await this.createEnforcer();
+		return this.enforcer;
+	}
+	/**
+	* Create a new enforcer instance.
+	* Can be overridden by subclasses to customize enforcer creation.
+	*/
+	async createEnforcer() {
+		const enforcer = await newCachedEnforcer(newModelFromString(this.options.model), CustomZenStackAdapter.newAdapter(this.db));
+		await enforcer.loadPolicy();
+		return enforcer;
+	}
+	/**
+	* Seed default policies into database
+	*/
+	async seedPolicies() {
+		const enforcer = await this.getEnforcer();
+		const policies = this.options.defaultPolicies ?? [];
+		for (const [role, resource, action] of policies) await enforcer.addPolicy(role, resource, action);
+		await enforcer.savePolicy();
+	}
+	/**
+	* Clear cached enforcer instance
+	*/
+	clearCache() {
+		this.enforcer = null;
+	}
+	/**
+	* Seed role hierarchy into database
+	*/
+	async seedRoleHierarchy() {
+		const enforcer = await this.getEnforcer();
+		const hierarchy = this.options.roleHierarchy ?? [];
+		for (const [childRole, parentRole] of hierarchy) await enforcer.addGroupingPolicy(childRole, parentRole);
+		await enforcer.savePolicy();
+	}
+};
+CasbinEnforcerService = __decorate([
+	Transient(),
+	__decorateParam(0, inject(DI_TOKENS.Database)),
+	__decorateParam(1, inject(RBAC_TOKENS.Options)),
+	__decorateMetadata("design:paramtypes", [Object, Object])
+], CasbinEnforcerService);
+//#endregion
+//#region src/rbac/services/casbin.service.ts
+var _ref;
+let CasbinService = class CasbinService {
+	constructor(context, enforcerService) {
+		this.context = context;
+		this.enforcerService = enforcerService;
+	}
+	async getEnforcer() {
+		return this.enforcerService.getEnforcer();
+	}
+	async addRoleForUser(userId, role) {
+		const enforcer = await this.getEnforcer();
+		const added = await enforcer.addRoleForUser(userId, role);
+		if (added) await enforcer.savePolicy();
+		return added;
+	}
+	async deleteRoleForUser(userId, role) {
+		const enforcer = await this.getEnforcer();
+		const deleted = await enforcer.deleteRoleForUser(userId, role);
+		if (deleted) await enforcer.savePolicy();
+		return deleted;
+	}
+	async deleteRolesForUser(userId) {
+		const enforcer = await this.getEnforcer();
+		const deleted = await enforcer.deleteRolesForUser(userId);
+		if (deleted) await enforcer.savePolicy();
+		return deleted;
+	}
+	async getRolesForUser(userId) {
+		return (await this.getEnforcer()).getRolesForUser(userId);
+	}
+	async getImplicitRolesForUser(userId) {
+		return (await this.getEnforcer()).getImplicitRolesForUser(userId);
+	}
+	async getUsersForRole(role) {
+		return (await this.getEnforcer()).getUsersForRole(role);
+	}
+	async getImplicitUsersForRole(role) {
+		return (await this.getEnforcer()).getImplicitUsersForRole(role);
+	}
+	async hasRoleForUser(userId, role) {
+		return (await this.getEnforcer()).hasRoleForUser(userId, role);
+	}
+	async addRoleInheritance(childRole, parentRole) {
+		const enforcer = await this.getEnforcer();
+		const added = await enforcer.addGroupingPolicy(childRole, parentRole);
+		if (added) await enforcer.savePolicy();
+		return added;
+	}
+	async deleteRoleInheritance(childRole, parentRole) {
+		const enforcer = await this.getEnforcer();
+		const deleted = await enforcer.removeGroupingPolicy(childRole, parentRole);
+		if (deleted) await enforcer.savePolicy();
+		return deleted;
+	}
+	async deleteUser(userId) {
+		const enforcer = await this.getEnforcer();
+		const deleted = await enforcer.deleteUser(userId);
+		if (deleted) await enforcer.savePolicy();
+		return deleted;
+	}
+	async deleteRole(role) {
+		const enforcer = await this.getEnforcer();
+		const deleted = await enforcer.deleteRole(role);
+		if (deleted) await enforcer.savePolicy();
+		return deleted;
+	}
+	async getCurrentUserRoles() {
+		const userId = this.context.getUserId();
+		if (!userId) return [];
+		return this.getImplicitRolesForUser(userId);
+	}
+	async currentUserHasRole(role) {
+		return (await this.getCurrentUserRoles()).includes(role);
+	}
+	async setRolesForUser(userId, roles) {
+		const enforcer = await this.getEnforcer();
+		await enforcer.deleteRolesForUser(userId);
+		for (const role of roles) await enforcer.addRoleForUser(userId, role);
+		await enforcer.savePolicy();
+	}
+	async hasPermission(userId, scope, action) {
+		return (await this.getEnforcer()).enforce(userId, scope, action);
+	}
+	async currentUserHasPermission(scope, action) {
+		const userId = this.context.getUserId();
+		if (!userId) return false;
+		return this.hasPermission(userId, scope, action);
+	}
+	async hasAnyPermission(userId, scopes, action) {
+		const enforcer = await this.getEnforcer();
+		const requests = scopes.map((scope) => [
+			userId,
+			scope,
+			action
+		]);
+		return (await enforcer.batchEnforce(requests)).some((allowed) => allowed);
+	}
+	async currentUserHasAnyPermission(scopes, action) {
+		const userId = this.context.getUserId();
+		if (!userId) return false;
+		return this.hasAnyPermission(userId, scopes, action);
+	}
+	async getPermissionsForUserAsCasbinJs(userId) {
+		const permissions = await (await this.getEnforcer()).getImplicitPermissionsForUser(userId);
+		const result = {};
+		for (const [_role, resource, action] of permissions) {
+			result[action] ??= [];
+			if (!result[action].includes(resource)) result[action].push(resource);
+		}
+		return result;
+	}
+	async getCurrentUserPermissionsAsCasbinJs() {
+		const userId = this.context.getUserId();
+		if (!userId) return {};
+		return this.getPermissionsForUserAsCasbinJs(userId);
+	}
+};
+CasbinService = __decorate([
+	Transient(RBAC_TOKENS.CasbinService),
+	__decorateParam(0, inject(DI_TOKENS.AuthContext)),
+	__decorateParam(1, inject(CasbinEnforcerService)),
+	__decorateMetadata("design:paramtypes", [Object, typeof (_ref = typeof CasbinEnforcerService !== "undefined" && CasbinEnforcerService) === "function" ? _ref : Object])
+], CasbinService);
+//#endregion
+//#region src/rbac/rbac.module.ts
+var _RbacModule;
+let RbacModule = _RbacModule = class RbacModule {
+	static forRoot(options) {
+		return {
+			module: _RbacModule,
+			providers: [{
+				provide: RBAC_TOKENS.Options,
+				useValue: options
+			}]
+		};
+	}
+	static forRootAsync(options) {
+		return {
+			module: _RbacModule,
+			providers: [{
+				provide: RBAC_TOKENS.Options,
+				useFactory: options.useFactory,
+				inject: options.inject
+			}]
+		};
+	}
+};
+RbacModule = _RbacModule = __decorate([Module({ providers: [CasbinEnforcerService, {
+	provide: RBAC_TOKENS.CasbinService,
+	useClass: CasbinService
+}] })], RbacModule);
+//#endregion
+export { CasbinEnforcerService, CasbinService, CustomZenStackAdapter, InsufficientPermissionsError, RBAC_CONTEXT_KEYS, RBAC_TOKENS, RbacModule };
+
+//# sourceMappingURL=index.mjs.map

package/dist/rbac/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":["#db","#loadPolicyLine","#savePolicyLine"],"sources":["../../src/rbac/constants.ts","../../src/rbac/adapters/custom-zenstack-adapter.ts","../../src/rbac/services/casbin-enforcer.service.ts","../../src/rbac/services/casbin.service.ts","../../src/rbac/rbac.module.ts"],"sourcesContent":["/**\n * RBAC Constants\n */\nexport const RBAC_CONTEXT_KEYS = {\n  /** Key for storing required authorization scopes (permissions) in context */\n  AUTH_SCOPES: Symbol('rbac:authScopes'),\n} as const\n","import type { Adapter, Model } from 'casbin'\n\nimport { Helper } from 'casbin'\n\n/**\n * Minimal interface for the database client used by the adapter.\n * The actual DatabaseService extends ZenStackClient which provides these methods\n * when the schema includes a `casbinRule` model.\n */\nexport interface CasbinDbClient {\n  casbinRule: {\n    findMany(args?: { where?: Record<string, unknown> }): Promise<unknown[]>\n    create(args: { data: CasbinRuleCreateInput }): Promise<unknown>\n    createMany(args: { data: CasbinRuleCreateInput[] }): Promise<unknown>\n    deleteMany(args: { where: CasbinRuleCreateInput }): Promise<{ count: number }>\n  }\n  $executeRawUnsafe(query: string, ...values: unknown[]): Promise<unknown>\n}\n\ninterface CasbinRuleCreateInput {\n  ptype: string\n  v0?: string | null\n  v1?: string | null\n  v2?: string | null\n  v3?: string | null\n  v4?: string | null\n  v5?: string | null\n}\n\ninterface CasbinRuleRecord {\n  id: number\n  ptype: string\n  v0: string | null\n  v1: string | null\n  v2: string | null\n  v3: string | null\n  v4: string | null\n  v5: string | null\n}\n\n/**\n * Custom ZenStack adapter for Casbin that works with Cloudflare Workers.\n *\n * Based on the original casbin-prisma-adapter but modified to:\n * - Work with ZenStack v3 ORM clients\n * - Avoid bundling errors in Cloudflare Workers\n * - Accept pre-connected ZenStack clients (request-scoped)\n */\nexport class CustomZenStackAdapter implements Adapter {\n  #db: CasbinDbClient\n\n  filtered = false\n\n  public isFiltered(): boolean {\n    return this.filtered\n  }\n\n  public enableFiltered(enabled: boolean): void {\n    this.filtered = enabled\n  }\n\n  constructor(db: CasbinDbClient) {\n    this.#db = db\n  }\n\n  async loadPolicy(model: Model): Promise<void> {\n    const lines = await this.#db.casbinRule.findMany()\n\n    for (const line of lines) {\n      this.#loadPolicyLine(line as CasbinRuleRecord, model)\n    }\n  }\n\n  async loadFilteredPolicy(\n    model: Model,\n    filter: Record<string, string[][]>\n  ): Promise<void> {\n    const whereFilter = Object.keys(filter)\n      .map((ptype) => {\n        const policyPatterns = filter[ptype]\n        return policyPatterns.map((policyPattern) => {\n          return {\n            ptype,\n            ...(policyPattern[0] && { v0: policyPattern[0] }),\n            ...(policyPattern[1] && { v1: policyPattern[1] }),\n            ...(policyPattern[2] && { v2: policyPattern[2] }),\n            ...(policyPattern[3] && { v3: policyPattern[3] }),\n            ...(policyPattern[4] && { v4: policyPattern[4] }),\n            ...(policyPattern[5] && { v5: policyPattern[5] }),\n          }\n        })\n      })\n      .flat()\n    const lines = await this.#db.casbinRule.findMany({\n      where: {\n        OR: whereFilter,\n      },\n    })\n    lines.forEach((line) => this.#loadPolicyLine(line as CasbinRuleRecord, model))\n    this.enableFiltered(true)\n  }\n\n  async savePolicy(model: Model): Promise<boolean> {\n    await this.#db.$executeRawUnsafe('DELETE FROM casbin_rule')\n\n    const lines: CasbinRuleCreateInput[] = []\n\n    const savePolicyType = (ptype: string): void => {\n      const astMap = model.model.get(ptype)\n      if (astMap) {\n        for (const [ptype, ast] of astMap) {\n          for (const rule of ast.policy) {\n            const line = this.#savePolicyLine(ptype, rule)\n            lines.push(line)\n          }\n        }\n      }\n    }\n\n    savePolicyType('p')\n    savePolicyType('g')\n\n    await this.#db.casbinRule.createMany({ data: lines })\n\n    return true\n  }\n\n  async addPolicy(_sec: string, ptype: string, rule: string[]): Promise<void> {\n    const line = this.#savePolicyLine(ptype, rule)\n    await this.#db.casbinRule.create({ data: line })\n  }\n\n  async addPolicies(\n    _sec: string,\n    ptype: string,\n    rules: string[][]\n  ): Promise<void> {\n    const processes: Promise<CasbinRuleRecord>[] = []\n    for (const rule of rules) {\n      const line = this.#savePolicyLine(ptype, rule)\n      const p = this.#db.casbinRule.create({ data: line }) as Promise<CasbinRuleRecord>\n      processes.push(p)\n    }\n\n    await Promise.all(processes)\n  }\n\n  async removePolicy(\n    _sec: string,\n    ptype: string,\n    rule: string[]\n  ): Promise<void> {\n    const line = this.#savePolicyLine(ptype, rule)\n    await this.#db.casbinRule.deleteMany({ where: line })\n  }\n\n  async removePolicies(\n    _sec: string,\n    ptype: string,\n    rules: string[][]\n  ): Promise<void> {\n    const processes: Promise<{ count: number }>[] = []\n    for (const rule of rules) {\n      const line = this.#savePolicyLine(ptype, rule)\n      const p = this.#db.casbinRule.deleteMany({ where: line })\n      processes.push(p)\n    }\n\n    await Promise.all(processes)\n  }\n\n  async removeFilteredPolicy(\n    _sec: string,\n    ptype: string,\n    fieldIndex: number,\n    ...fieldValues: string[]\n  ): Promise<void> {\n    const line: CasbinRuleCreateInput = { ptype }\n\n    const idx = fieldIndex + fieldValues.length\n    if (fieldIndex <= 0 && 0 < idx) {\n      line.v0 = fieldValues[0 - fieldIndex]\n    }\n    if (fieldIndex <= 1 && 1 < idx) {\n      line.v1 = fieldValues[1 - fieldIndex]\n    }\n    if (fieldIndex <= 2 && 2 < idx) {\n      line.v2 = fieldValues[2 - fieldIndex]\n    }\n    if (fieldIndex <= 3 && 3 < idx) {\n      line.v3 = fieldValues[3 - fieldIndex]\n    }\n    if (fieldIndex <= 4 && 4 < idx) {\n      line.v4 = fieldValues[4 - fieldIndex]\n    }\n    if (fieldIndex <= 5 && 5 < idx) {\n      line.v5 = fieldValues[5 - fieldIndex]\n    }\n\n    await this.#db.casbinRule.deleteMany({ where: line })\n  }\n\n  async close(): Promise<void> {\n    // No-op: ZenStack uses pg.Pool for connection management\n  }\n\n  static newAdapter(db: CasbinDbClient): CustomZenStackAdapter {\n    const adapter = new CustomZenStackAdapter(db)\n    return adapter\n  }\n\n  #loadPolicyLine = (line: CasbinRuleRecord, model: Model): void => {\n    const result =\n      line.ptype +\n      ', ' +\n      [line.v0, line.v1, line.v2, line.v3, line.v4, line.v5]\n        .filter((n) => n)\n        .join(', ')\n    Helper.loadPolicyLine(result, model)\n  }\n\n  #savePolicyLine = (\n    ptype: string,\n    rule: string[]\n  ): CasbinRuleCreateInput => {\n    const line: CasbinRuleCreateInput = { ptype }\n\n    if (rule.length > 0) {\n      line.v0 = rule[0]\n    }\n    if (rule.length > 1) {\n      line.v1 = rule[1]\n    }\n    if (rule.length > 2) {\n      line.v2 = rule[2]\n    }\n    if (rule.length > 3) {\n      line.v3 = rule[3]\n    }\n    if (rule.length > 4) {\n      line.v4 = rule[4]\n    }\n    if (rule.length > 5) {\n      line.v5 = rule[5]\n    }\n\n    return line\n  }\n}\n","import { newCachedEnforcer, newModelFromString, type Enforcer } from 'casbin'\nimport { DI_TOKENS, Transient } from 'stratal/di'\nimport { inject } from 'tsyringe'\nimport { CustomZenStackAdapter, type CasbinDbClient } from '../adapters/custom-zenstack-adapter'\nimport { RBAC_TOKENS } from '../tokens'\nimport type { RbacModuleOptions } from '../types'\n\n/**\n * CasbinEnforcerService\n *\n * Manages the Casbin enforcer instance for authorization.\n * Model, default policies, and role hierarchy are provided via DI options.\n */\n@Transient()\nexport class CasbinEnforcerService {\n  protected enforcer: Enforcer | null = null\n\n  constructor(\n    @inject(DI_TOKENS.Database)\n    protected readonly db: CasbinDbClient,\n    @inject(RBAC_TOKENS.Options)\n    protected readonly options: RbacModuleOptions,\n  ) { }\n\n  /**\n   * Get or create the enforcer instance\n   */\n  async getEnforcer(): Promise<Enforcer> {\n    this.enforcer ??= await this.createEnforcer();\n    return this.enforcer\n  }\n\n  /**\n   * Create a new enforcer instance.\n   * Can be overridden by subclasses to customize enforcer creation.\n   */\n  protected async createEnforcer(): Promise<Enforcer> {\n    const model = newModelFromString(this.options.model)\n\n    const adapter = CustomZenStackAdapter.newAdapter(this.db)\n    const enforcer = await newCachedEnforcer(model, adapter)\n    await enforcer.loadPolicy()\n    return enforcer\n  }\n\n  /**\n   * Seed default policies into database\n   */\n  async seedPolicies(): Promise<void> {\n    const enforcer = await this.getEnforcer()\n    const policies = this.options.defaultPolicies ?? []\n\n    for (const [role, resource, action] of policies) {\n      await enforcer.addPolicy(role, resource, action)\n    }\n\n    await enforcer.savePolicy()\n  }\n\n  /**\n   * Clear cached enforcer instance\n   */\n  clearCache(): void {\n    this.enforcer = null\n  }\n\n  /**\n   * Seed role hierarchy into database\n   */\n  async seedRoleHierarchy(): Promise<void> {\n    const enforcer = await this.getEnforcer()\n    const hierarchy = this.options.roleHierarchy ?? []\n\n    for (const [childRole, parentRole] of hierarchy) {\n      await enforcer.addGroupingPolicy(childRole, parentRole)\n    }\n\n    await enforcer.savePolicy()\n  }\n}\n","import type { Enforcer } from 'casbin'\nimport { inject } from 'tsyringe'\nimport { Transient, DI_TOKENS } from 'stratal/di'\nimport type { AuthContext } from '../../context/auth-context'\nimport { RBAC_TOKENS } from '../tokens'\nimport { CasbinEnforcerService } from './casbin-enforcer.service'\n\n/**\n * CasbinService\n *\n * Request-scoped service that provides the full Casbin RBAC API.\n * Uses AuthContext to get the current user.\n */\n@Transient(RBAC_TOKENS.CasbinService)\nexport class CasbinService {\n  constructor(\n    @inject(DI_TOKENS.AuthContext)\n    protected readonly context: AuthContext,\n    @inject(CasbinEnforcerService)\n    protected readonly enforcerService: CasbinEnforcerService\n  ) {}\n\n  protected async getEnforcer(): Promise<Enforcer> {\n    return this.enforcerService.getEnforcer()\n  }\n\n  // ==================== USER-ROLE MANAGEMENT ====================\n\n  async addRoleForUser(userId: string, role: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    const added = await enforcer.addRoleForUser(userId, role)\n    if (added) await enforcer.savePolicy()\n    return added\n  }\n\n  async deleteRoleForUser(userId: string, role: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    const deleted = await enforcer.deleteRoleForUser(userId, role)\n    if (deleted) await enforcer.savePolicy()\n    return deleted\n  }\n\n  async deleteRolesForUser(userId: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    const deleted = await enforcer.deleteRolesForUser(userId)\n    if (deleted) await enforcer.savePolicy()\n    return deleted\n  }\n\n  async getRolesForUser(userId: string): Promise<string[]> {\n    const enforcer = await this.getEnforcer()\n    return enforcer.getRolesForUser(userId)\n  }\n\n  async getImplicitRolesForUser(userId: string): Promise<string[]> {\n    const enforcer = await this.getEnforcer()\n    return enforcer.getImplicitRolesForUser(userId)\n  }\n\n  async getUsersForRole(role: string): Promise<string[]> {\n    const enforcer = await this.getEnforcer()\n    return enforcer.getUsersForRole(role)\n  }\n\n  async getImplicitUsersForRole(role: string): Promise<string[]> {\n    const enforcer = await this.getEnforcer()\n    return enforcer.getImplicitUsersForRole(role)\n  }\n\n  async hasRoleForUser(userId: string, role: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    return enforcer.hasRoleForUser(userId, role)\n  }\n\n  // ==================== ROLE HIERARCHY MANAGEMENT ====================\n\n  async addRoleInheritance(childRole: string, parentRole: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    const added = await enforcer.addGroupingPolicy(childRole, parentRole)\n    if (added) await enforcer.savePolicy()\n    return added\n  }\n\n  async deleteRoleInheritance(childRole: string, parentRole: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    const deleted = await enforcer.removeGroupingPolicy(childRole, parentRole)\n    if (deleted) await enforcer.savePolicy()\n    return deleted\n  }\n\n  // ==================== USER/ROLE DELETION ====================\n\n  async deleteUser(userId: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    const deleted = await enforcer.deleteUser(userId)\n    if (deleted) await enforcer.savePolicy()\n    return deleted\n  }\n\n  async deleteRole(role: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    const deleted = await enforcer.deleteRole(role)\n    if (deleted) await enforcer.savePolicy()\n    return deleted\n  }\n\n  // ==================== CONVENIENCE METHODS ====================\n\n  async getCurrentUserRoles(): Promise<string[]> {\n    const userId = this.context.getUserId()\n    if (!userId) return []\n    return this.getImplicitRolesForUser(userId)\n  }\n\n  async currentUserHasRole(role: string): Promise<boolean> {\n    const roles = await this.getCurrentUserRoles()\n    return roles.includes(role)\n  }\n\n  async setRolesForUser(userId: string, roles: string[]): Promise<void> {\n    const enforcer = await this.getEnforcer()\n    await enforcer.deleteRolesForUser(userId)\n    for (const role of roles) {\n      await enforcer.addRoleForUser(userId, role)\n    }\n    await enforcer.savePolicy()\n  }\n\n  // ==================== PERMISSION CHECKING ====================\n\n  async hasPermission(userId: string, scope: string, action: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    return enforcer.enforce(userId, scope, action)\n  }\n\n  async currentUserHasPermission(scope: string, action: string): Promise<boolean> {\n    const userId = this.context.getUserId()\n    if (!userId) return false\n    return this.hasPermission(userId, scope, action)\n  }\n\n  async hasAnyPermission(userId: string, scopes: string[], action: string): Promise<boolean> {\n    const enforcer = await this.getEnforcer()\n    const requests = scopes.map(scope => [userId, scope, action])\n    const results = await enforcer.batchEnforce(requests)\n    return results.some(allowed => allowed)\n  }\n\n  async currentUserHasAnyPermission(scopes: string[], action: string): Promise<boolean> {\n    const userId = this.context.getUserId()\n    if (!userId) return false\n    return this.hasAnyPermission(userId, scopes, action)\n  }\n\n  // ==================== CASBIN.JS FRONTEND SUPPORT ====================\n\n  async getPermissionsForUserAsCasbinJs(userId: string): Promise<Record<string, string[]>> {\n    const enforcer = await this.getEnforcer()\n    const permissions = await enforcer.getImplicitPermissionsForUser(userId)\n\n    const result: Record<string, string[]> = {}\n    for (const [_role, resource, action] of permissions) {\n      result[action] ??= []\n      if (!result[action].includes(resource)) {\n        result[action].push(resource)\n      }\n    }\n\n    return result\n  }\n\n  async getCurrentUserPermissionsAsCasbinJs(): Promise<Record<string, string[]>> {\n    const userId = this.context.getUserId()\n    if (!userId) return {}\n    return this.getPermissionsForUserAsCasbinJs(userId)\n  }\n}\n","import { Module } from 'stratal/module'\nimport type { AsyncModuleOptions, DynamicModule } from 'stratal/module'\nimport { CasbinEnforcerService } from './services/casbin-enforcer.service'\nimport { CasbinService } from './services/casbin.service'\nimport { RBAC_TOKENS } from './tokens'\nimport type { RbacModuleOptions } from './types'\n\n/**\n * RBAC Module\n *\n * Provides role-based access control using Casbin.\n * Fully configurable — no hardcoded roles, policies, or model.\n *\n * @example\n * ```typescript\n * @Module({\n *   imports: [\n *     RbacModule.forRoot({\n *       model: MY_RBAC_MODEL,\n *       defaultPolicies: [['admin', 'users:*', '.*']],\n *       roleHierarchy: [['super_admin', 'admin']],\n *     })\n *   ]\n * })\n * ```\n */\n@Module({\n  providers: [\n    CasbinEnforcerService,\n    { provide: RBAC_TOKENS.CasbinService, useClass: CasbinService },\n  ],\n})\nexport class RbacModule {\n  static forRoot(options: RbacModuleOptions): DynamicModule {\n    return {\n      module: RbacModule,\n      providers: [\n        { provide: RBAC_TOKENS.Options, useValue: options as unknown as object },\n      ],\n    }\n  }\n\n  static forRootAsync(options: AsyncModuleOptions<RbacModuleOptions>): DynamicModule {\n    return {\n      module: RbacModule,\n      providers: [\n        {\n          provide: RBAC_TOKENS.Options,\n          useFactory: options.useFactory,\n          inject: options.inject,\n        },\n      ],\n    }\n  }\n}\n"],"mappings":";;;;;;;;;;;;AAGA,MAAa,oBAAoB,EAE/B,aAAa,OAAO,kBAAkB,EACvC;;;;;;;;;;;AC0CD,IAAa,wBAAb,MAAa,sBAAyC;CACpD;CAEA,WAAW;CAEX,aAA6B;AAC3B,SAAO,KAAK;;CAGd,eAAsB,SAAwB;AAC5C,OAAK,WAAW;;CAGlB,YAAY,IAAoB;AAC9B,QAAA,KAAW;;CAGb,MAAM,WAAW,OAA6B;EAC5C,MAAM,QAAQ,MAAM,MAAA,GAAS,WAAW,UAAU;AAElD,OAAK,MAAM,QAAQ,MACjB,OAAA,eAAqB,MAA0B,MAAM;;CAIzD,MAAM,mBACJ,OACA,QACe;EACf,MAAM,cAAc,OAAO,KAAK,OAAO,CACpC,KAAK,UAAU;AAEd,UADuB,OAAO,OACR,KAAK,kBAAkB;AAC3C,WAAO;KACL;KACA,GAAI,cAAc,MAAM,EAAE,IAAI,cAAc,IAAI;KAChD,GAAI,cAAc,MAAM,EAAE,IAAI,cAAc,IAAI;KAChD,GAAI,cAAc,MAAM,EAAE,IAAI,cAAc,IAAI;KAChD,GAAI,cAAc,MAAM,EAAE,IAAI,cAAc,IAAI;KAChD,GAAI,cAAc,MAAM,EAAE,IAAI,cAAc,IAAI;KAChD,GAAI,cAAc,MAAM,EAAE,IAAI,cAAc,IAAI;KACjD;KACD;IACF,CACD,MAAM;AAMT,GALc,MAAM,MAAA,GAAS,WAAW,SAAS,EAC/C,OAAO,EACL,IAAI,aACL,EACF,CAAC,EACI,SAAS,SAAS,MAAA,eAAqB,MAA0B,MAAM,CAAC;AAC9E,OAAK,eAAe,KAAK;;CAG3B,MAAM,WAAW,OAAgC;AAC/C,QAAM,MAAA,GAAS,kBAAkB,0BAA0B;EAE3D,MAAM,QAAiC,EAAE;EAEzC,MAAM,kBAAkB,UAAwB;GAC9C,MAAM,SAAS,MAAM,MAAM,IAAI,MAAM;AACrC,OAAI,OACF,MAAK,MAAM,CAAC,OAAO,QAAQ,OACzB,MAAK,MAAM,QAAQ,IAAI,QAAQ;IAC7B,MAAM,OAAO,MAAA,eAAqB,OAAO,KAAK;AAC9C,UAAM,KAAK,KAAK;;;AAMxB,iBAAe,IAAI;AACnB,iBAAe,IAAI;AAEnB,QAAM,MAAA,GAAS,WAAW,WAAW,EAAE,MAAM,OAAO,CAAC;AAErD,SAAO;;CAGT,MAAM,UAAU,MAAc,OAAe,MAA+B;EAC1E,MAAM,OAAO,MAAA,eAAqB,OAAO,KAAK;AAC9C,QAAM,MAAA,GAAS,WAAW,OAAO,EAAE,MAAM,MAAM,CAAC;;CAGlD,MAAM,YACJ,MACA,OACA,OACe;EACf,MAAM,YAAyC,EAAE;AACjD,OAAK,MAAM,QAAQ,OAAO;GACxB,MAAM,OAAO,MAAA,eAAqB,OAAO,KAAK;GAC9C,MAAM,IAAI,MAAA,GAAS,WAAW,OAAO,EAAE,MAAM,MAAM,CAAC;AACpD,aAAU,KAAK,EAAE;;AAGnB,QAAM,QAAQ,IAAI,UAAU;;CAG9B,MAAM,aACJ,MACA,OACA,MACe;EACf,MAAM,OAAO,MAAA,eAAqB,OAAO,KAAK;AAC9C,QAAM,MAAA,GAAS,WAAW,WAAW,EAAE,OAAO,MAAM,CAAC;;CAGvD,MAAM,eACJ,MACA,OACA,OACe;EACf,MAAM,YAA0C,EAAE;AAClD,OAAK,MAAM,QAAQ,OAAO;GACxB,MAAM,OAAO,MAAA,eAAqB,OAAO,KAAK;GAC9C,MAAM,IAAI,MAAA,GAAS,WAAW,WAAW,EAAE,OAAO,MAAM,CAAC;AACzD,aAAU,KAAK,EAAE;;AAGnB,QAAM,QAAQ,IAAI,UAAU;;CAG9B,MAAM,qBACJ,MACA,OACA,YACA,GAAG,aACY;EACf,MAAM,OAA8B,EAAE,OAAO;EAE7C,MAAM,MAAM,aAAa,YAAY;AACrC,MAAI,cAAc,KAAK,IAAI,IACzB,MAAK,KAAK,YAAY,IAAI;AAE5B,MAAI,cAAc,KAAK,IAAI,IACzB,MAAK,KAAK,YAAY,IAAI;AAE5B,MAAI,cAAc,KAAK,IAAI,IACzB,MAAK,KAAK,YAAY,IAAI;AAE5B,MAAI,cAAc,KAAK,IAAI,IACzB,MAAK,KAAK,YAAY,IAAI;AAE5B,MAAI,cAAc,KAAK,IAAI,IACzB,MAAK,KAAK,YAAY,IAAI;AAE5B,MAAI,cAAc,KAAK,IAAI,IACzB,MAAK,KAAK,YAAY,IAAI;AAG5B,QAAM,MAAA,GAAS,WAAW,WAAW,EAAE,OAAO,MAAM,CAAC;;CAGvD,MAAM,QAAuB;CAI7B,OAAO,WAAW,IAA2C;AAE3D,SADgB,IAAI,sBAAsB,GAAG;;CAI/C,mBAAmB,MAAwB,UAAuB;EAChE,MAAM,SACJ,KAAK,QACL,OACA;GAAC,KAAK;GAAI,KAAK;GAAI,KAAK;GAAI,KAAK;GAAI,KAAK;GAAI,KAAK;GAAG,CACnD,QAAQ,MAAM,EAAE,CAChB,KAAK,KAAK;AACf,SAAO,eAAe,QAAQ,MAAM;;CAGtC,mBACE,OACA,SAC0B;EAC1B,MAAM,OAA8B,EAAE,OAAO;AAE7C,MAAI,KAAK,SAAS,EAChB,MAAK,KAAK,KAAK;AAEjB,MAAI,KAAK,SAAS,EAChB,MAAK,KAAK,KAAK;AAEjB,MAAI,KAAK,SAAS,EAChB,MAAK,KAAK,KAAK;AAEjB,MAAI,KAAK,SAAS,EAChB,MAAK,KAAK,KAAK;AAEjB,MAAI,KAAK,SAAS,EAChB,MAAK,KAAK,KAAK;AAEjB,MAAI,KAAK,SAAS,EAChB,MAAK,KAAK,KAAK;AAGjB,SAAO;;;;;ACxOJ,IAAA,wBAAA,MAAM,sBAAsB;CACjC,WAAsC;CAEtC,YACE,IAEA,SAEA;AAHmB,OAAA,KAAA;AAEA,OAAA,UAAA;;;;;CAMrB,MAAM,cAAiC;AACrC,OAAK,aAAa,MAAM,KAAK,gBAAgB;AAC7C,SAAO,KAAK;;;;;;CAOd,MAAgB,iBAAoC;EAIlD,MAAM,WAAW,MAAM,kBAHT,mBAAmB,KAAK,QAAQ,MAAM,EAEpC,sBAAsB,WAAW,KAAK,GAAG,CACD;AACxD,QAAM,SAAS,YAAY;AAC3B,SAAO;;;;;CAMT,MAAM,eAA8B;EAClC,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,WAAW,KAAK,QAAQ,mBAAmB,EAAE;AAEnD,OAAK,MAAM,CAAC,MAAM,UAAU,WAAW,SACrC,OAAM,SAAS,UAAU,MAAM,UAAU,OAAO;AAGlD,QAAM,SAAS,YAAY;;;;;CAM7B,aAAmB;AACjB,OAAK,WAAW;;;;;CAMlB,MAAM,oBAAmC;EACvC,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,YAAY,KAAK,QAAQ,iBAAiB,EAAE;AAElD,OAAK,MAAM,CAAC,WAAW,eAAe,UACpC,OAAM,SAAS,kBAAkB,WAAW,WAAW;AAGzD,QAAM,SAAS,YAAY;;;;CAhE9B,WAAW;oBAKP,OAAO,UAAU,SAAS,CAAA;oBAE1B,OAAO,YAAY,QAAQ,CAAA;;;;;;ACNzB,IAAA,gBAAA,MAAM,cAAc;CACzB,YACE,SAEA,iBAEA;AAHmB,OAAA,UAAA;AAEA,OAAA,kBAAA;;CAGrB,MAAgB,cAAiC;AAC/C,SAAO,KAAK,gBAAgB,aAAa;;CAK3C,MAAM,eAAe,QAAgB,MAAgC;EACnE,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,QAAQ,MAAM,SAAS,eAAe,QAAQ,KAAK;AACzD,MAAI,MAAO,OAAM,SAAS,YAAY;AACtC,SAAO;;CAGT,MAAM,kBAAkB,QAAgB,MAAgC;EACtE,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,UAAU,MAAM,SAAS,kBAAkB,QAAQ,KAAK;AAC9D,MAAI,QAAS,OAAM,SAAS,YAAY;AACxC,SAAO;;CAGT,MAAM,mBAAmB,QAAkC;EACzD,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,UAAU,MAAM,SAAS,mBAAmB,OAAO;AACzD,MAAI,QAAS,OAAM,SAAS,YAAY;AACxC,SAAO;;CAGT,MAAM,gBAAgB,QAAmC;AAEvD,UADiB,MAAM,KAAK,aAAa,EACzB,gBAAgB,OAAO;;CAGzC,MAAM,wBAAwB,QAAmC;AAE/D,UADiB,MAAM,KAAK,aAAa,EACzB,wBAAwB,OAAO;;CAGjD,MAAM,gBAAgB,MAAiC;AAErD,UADiB,MAAM,KAAK,aAAa,EACzB,gBAAgB,KAAK;;CAGvC,MAAM,wBAAwB,MAAiC;AAE7D,UADiB,MAAM,KAAK,aAAa,EACzB,wBAAwB,KAAK;;CAG/C,MAAM,eAAe,QAAgB,MAAgC;AAEnE,UADiB,MAAM,KAAK,aAAa,EACzB,eAAe,QAAQ,KAAK;;CAK9C,MAAM,mBAAmB,WAAmB,YAAsC;EAChF,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,QAAQ,MAAM,SAAS,kBAAkB,WAAW,WAAW;AACrE,MAAI,MAAO,OAAM,SAAS,YAAY;AACtC,SAAO;;CAGT,MAAM,sBAAsB,WAAmB,YAAsC;EACnF,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,UAAU,MAAM,SAAS,qBAAqB,WAAW,WAAW;AAC1E,MAAI,QAAS,OAAM,SAAS,YAAY;AACxC,SAAO;;CAKT,MAAM,WAAW,QAAkC;EACjD,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,UAAU,MAAM,SAAS,WAAW,OAAO;AACjD,MAAI,QAAS,OAAM,SAAS,YAAY;AACxC,SAAO;;CAGT,MAAM,WAAW,MAAgC;EAC/C,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,UAAU,MAAM,SAAS,WAAW,KAAK;AAC/C,MAAI,QAAS,OAAM,SAAS,YAAY;AACxC,SAAO;;CAKT,MAAM,sBAAyC;EAC7C,MAAM,SAAS,KAAK,QAAQ,WAAW;AACvC,MAAI,CAAC,OAAQ,QAAO,EAAE;AACtB,SAAO,KAAK,wBAAwB,OAAO;;CAG7C,MAAM,mBAAmB,MAAgC;AAEvD,UADc,MAAM,KAAK,qBAAqB,EACjC,SAAS,KAAK;;CAG7B,MAAM,gBAAgB,QAAgB,OAAgC;EACpE,MAAM,WAAW,MAAM,KAAK,aAAa;AACzC,QAAM,SAAS,mBAAmB,OAAO;AACzC,OAAK,MAAM,QAAQ,MACjB,OAAM,SAAS,eAAe,QAAQ,KAAK;AAE7C,QAAM,SAAS,YAAY;;CAK7B,MAAM,cAAc,QAAgB,OAAe,QAAkC;AAEnF,UADiB,MAAM,KAAK,aAAa,EACzB,QAAQ,QAAQ,OAAO,OAAO;;CAGhD,MAAM,yBAAyB,OAAe,QAAkC;EAC9E,MAAM,SAAS,KAAK,QAAQ,WAAW;AACvC,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO,KAAK,cAAc,QAAQ,OAAO,OAAO;;CAGlD,MAAM,iBAAiB,QAAgB,QAAkB,QAAkC;EACzF,MAAM,WAAW,MAAM,KAAK,aAAa;EACzC,MAAM,WAAW,OAAO,KAAI,UAAS;GAAC;GAAQ;GAAO;GAAO,CAAC;AAE7D,UADgB,MAAM,SAAS,aAAa,SAAS,EACtC,MAAK,YAAW,QAAQ;;CAGzC,MAAM,4BAA4B,QAAkB,QAAkC;EACpF,MAAM,SAAS,KAAK,QAAQ,WAAW;AACvC,MAAI,CAAC,OAAQ,QAAO;AACpB,SAAO,KAAK,iBAAiB,QAAQ,QAAQ,OAAO;;CAKtD,MAAM,gCAAgC,QAAmD;EAEvF,MAAM,cAAc,OADH,MAAM,KAAK,aAAa,EACN,8BAA8B,OAAO;EAExE,MAAM,SAAmC,EAAE;AAC3C,OAAK,MAAM,CAAC,OAAO,UAAU,WAAW,aAAa;AACnD,UAAO,YAAY,EAAE;AACrB,OAAI,CAAC,OAAO,QAAQ,SAAS,SAAS,CACpC,QAAO,QAAQ,KAAK,SAAS;;AAIjC,SAAO;;CAGT,MAAM,sCAAyE;EAC7E,MAAM,SAAS,KAAK,QAAQ,WAAW;AACvC,MAAI,CAAC,OAAQ,QAAO,EAAE;AACtB,SAAO,KAAK,gCAAgC,OAAO;;;;CAjKtD,UAAU,YAAY,cAAc;oBAGhC,OAAO,UAAU,YAAY,CAAA;oBAE7B,OAAO,sBAAsB,CAAA;;;;;;ACc3B,IAAA,aAAA,cAAA,MAAM,WAAW;CACtB,OAAO,QAAQ,SAA2C;AACxD,SAAO;GACL,QAAA;GACA,WAAW,CACT;IAAE,SAAS,YAAY;IAAS,UAAU;IAA8B,CACzE;GACF;;CAGH,OAAO,aAAa,SAA+D;AACjF,SAAO;GACL,QAAA;GACA,WAAW,CACT;IACE,SAAS,YAAY;IACrB,YAAY,QAAQ;IACpB,QAAQ,QAAQ;IACjB,CACF;GACF;;;uCA1BJ,OAAO,EACN,WAAW,CACT,uBACA;CAAE,SAAS,YAAY;CAAe,UAAU;CAAe,CAChE,EACF,CAAC,CAAA,EAAA,WAAA"}

package/dist/tokens-Di1ofovy.mjs

@@ -0,0 +1,32 @@
+import { ApplicationError, ERROR_CODES } from "stratal/errors";
+//#region src/rbac/errors/insufficient-permissions.error.ts
+/**
+* InsufficientPermissionsError
+*
+* Thrown when a user attempts to perform an action without the required permissions.
+* This error is used by the auth guard after authorization check fails.
+*
+* HTTP Status: 403 Forbidden
+* Error Code: 3102 (AUTHZ.INSUFFICIENT_PERMISSIONS)
+*/
+var InsufficientPermissionsError = class extends ApplicationError {
+	constructor(requiredScopes, userId) {
+		super("errors.insufficientPermissions", ERROR_CODES.AUTHZ.INSUFFICIENT_PERMISSIONS, {
+			requiredScopes: requiredScopes.join(", "),
+			userId: userId ?? "unknown"
+		});
+	}
+};
+//#endregion
+//#region src/rbac/tokens.ts
+/**
+* RBAC DI Tokens
+*/
+const RBAC_TOKENS = {
+	CasbinService: Symbol.for("stratal:rbac:casbin:service"),
+	Options: Symbol.for("stratal:rbac:options")
+};
+//#endregion
+export { InsufficientPermissionsError as n, RBAC_TOKENS as t };
+
+//# sourceMappingURL=tokens-Di1ofovy.mjs.map

package/dist/tokens-Di1ofovy.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens-Di1ofovy.mjs","names":[],"sources":["../src/rbac/errors/insufficient-permissions.error.ts","../src/rbac/tokens.ts"],"sourcesContent":["import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\n/**\n * InsufficientPermissionsError\n *\n * Thrown when a user attempts to perform an action without the required permissions.\n * This error is used by the auth guard after authorization check fails.\n *\n * HTTP Status: 403 Forbidden\n * Error Code: 3102 (AUTHZ.INSUFFICIENT_PERMISSIONS)\n */\nexport class InsufficientPermissionsError extends ApplicationError {\n  constructor(requiredScopes: string[], userId?: string) {\n    super('errors.insufficientPermissions', ERROR_CODES.AUTHZ.INSUFFICIENT_PERMISSIONS, {\n      requiredScopes: requiredScopes.join(', '),\n      userId: userId ?? 'unknown',\n    })\n  }\n}\n","/**\n * RBAC DI Tokens\n */\nexport const RBAC_TOKENS = {\n  /** Request-scoped Casbin service with auto context resolution */\n  CasbinService: Symbol.for('stratal:rbac:casbin:service'),\n  /** RBAC module options (model, policies, hierarchy) */\n  Options: Symbol.for('stratal:rbac:options'),\n} as const\n"],"mappings":";;;;;;;;;;;AAWA,IAAa,+BAAb,cAAkD,iBAAiB;CACjE,YAAY,gBAA0B,QAAiB;AACrD,QAAM,kCAAkC,YAAY,MAAM,0BAA0B;GAClF,gBAAgB,eAAe,KAAK,KAAK;GACzC,QAAQ,UAAU;GACnB,CAAC;;;;;;;;ACbN,MAAa,cAAc;CAEzB,eAAe,OAAO,IAAI,8BAA8B;CAExD,SAAS,OAAO,IAAI,uBAAuB;CAC5C"}

package/dist/{database/types.d.ts → types-Gjk0d2qB.d.mts}

@@ -1,4 +1,6 @@
-import type { SchemaDef } from '@zenstackhq/schema';
+import { SchemaDef } from "@zenstackhq/schema";
+
+//#region src/database/types.d.ts
 /**
  * Augment with per-connection schemas and default connection.
  *
@@ -15,30 +17,31 @@ import type { SchemaDef } from '@zenstackhq/schema';
  * }
  * ```
  */
-export interface StratalDatabase {
-}
+interface StratalDatabase {}
 /** Infer schema type for a specific connection */
-export type InferConnectionSchema<K extends string> = StratalDatabase extends {
-    schemas: infer R;
+type InferConnectionSchema<K extends string> = StratalDatabase extends {
+  schemas: infer R;
 } ? K extends keyof R ? R[K] extends SchemaDef ? R[K] : SchemaDef : SchemaDef : SchemaDef;
 /** Union of ALL schemas across connections (for events) */
-export type InferAnySchema = StratalDatabase extends {
-    schemas: infer R;
+type InferAnySchema = StratalDatabase extends {
+  schemas: infer R;
 } ? R[keyof R] extends SchemaDef ? R[keyof R] : SchemaDef : SchemaDef;
 /** Connection name — derived from schemas keys */
-export type ConnectionName = StratalDatabase extends {
-    schemas: infer R;
+type ConnectionName = StratalDatabase extends {
+  schemas: infer R;
 } ? keyof R extends never ? string : Extract<keyof R, string> : string;
 /** Default connection name */
-export type DefaultConnectionName = StratalDatabase extends {
-    defaultConnection: infer N extends string;
+type DefaultConnectionName = StratalDatabase extends {
+  defaultConnection: infer N extends string;
 } ? N : string;
 /**
  * Internal context used by database service for dynamic event emission
  * @internal
  */
-export interface InternalDatabaseEventContext {
-    data: unknown;
-    result?: unknown;
+interface InternalDatabaseEventContext {
+  data: unknown;
+  result?: unknown;
 }
-//# sourceMappingURL=types.d.ts.map
+//#endregion
+export { InternalDatabaseEventContext as a, InferConnectionSchema as i, DefaultConnectionName as n, StratalDatabase as o, InferAnySchema as r, ConnectionName as t };
+//# sourceMappingURL=types-Gjk0d2qB.d.mts.map

package/dist/types-Gjk0d2qB.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types-Gjk0d2qB.d.mts","names":[],"sources":["../src/database/types.ts"],"mappings":";;;;;AAkBA;;;;;AAGA;;;;;;;;;UAHiB,eAAA;;KAGL,qBAAA,qBACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,eAAgB,CAAA,GAAI,CAAA,CAAE,CAAA,UAAW,SAAA,GAAY,CAAA,CAAE,CAAA,IAAK,SAAA,GAAY,SAAA,GAChE,SAAA;;KAGM,cAAA,GACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,OAAQ,CAAA,UAAW,SAAA,GAAY,CAAA,OAAQ,CAAA,IAAK,SAAA,GAC5C,SAAA;;KAGM,cAAA,GACV,eAAA;EAA0B,OAAA;AAAA,UAChB,CAAA,0BAA2B,OAAA,OAAc,CAAA;;KAIzC,qBAAA,GACV,eAAA;EAA0B,iBAAA;AAAA,IAA8C,CAAA;;;;;UAMzD,4BAAA;EACf,IAAA;EACA,MAAA;AAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stratal/framework",
-  "version": "0.0.12",
+  "version": "0.0.14",
   "type": "module",
   "license": "MIT",
   "author": "Temitayo Fadojutimi",
@@ -23,41 +23,40 @@
   ],
   "exports": {
     ".": {
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.js"
+      "types": "./dist/index.d.mts",
+      "import": "./dist/index.mjs"
     },
     "./auth": {
-      "types": "./dist/auth/index.d.ts",
-      "import": "./dist/auth/index.js"
+      "types": "./dist/auth/index.d.mts",
+      "import": "./dist/auth/index.mjs"
     },
     "./context": {
-      "types": "./dist/context/index.d.ts",
-      "import": "./dist/context/index.js"
+      "types": "./dist/context/index.d.mts",
+      "import": "./dist/context/index.mjs"
     },
     "./database": {
-      "types": "./dist/database/index.d.ts",
-      "import": "./dist/database/index.js"
+      "types": "./dist/database/index.d.mts",
+      "import": "./dist/database/index.mjs"
     },
     "./factory": {
-      "types": "./dist/factory/index.d.ts",
-      "import": "./dist/factory/index.js"
+      "types": "./dist/factory/index.d.mts",
+      "import": "./dist/factory/index.mjs"
     },
     "./guards": {
-      "types": "./dist/guards/index.d.ts",
-      "import": "./dist/guards/index.js"
+      "types": "./dist/guards/index.d.mts",
+      "import": "./dist/guards/index.mjs"
     },
     "./rbac": {
-      "types": "./dist/rbac/index.d.ts",
-      "import": "./dist/rbac/index.js"
-    }
+      "types": "./dist/rbac/index.d.mts",
+      "import": "./dist/rbac/index.mjs"
+    },
+    "./package.json": "./package.json"
   },
   "scripts": {
-    "build": "yarn prebuild && tsc -p tsconfig.build.json",
-    "clean": "rm -rf dist",
-    "prebuild": "yarn clean",
+    "build": "tsdown",
     "generate": "zenstack generate --schema=test/schema.zmodel -o test/zenstack",
     "generate:types": "wrangler types -c test/wrangler.jsonc",
-    "pretest": "yarn generate && yarn generate:types",
+    "pretest": "npx dotenv -- yarn generate && yarn generate:types",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:e2e": "vitest run --project e2e",
@@ -78,7 +77,7 @@
     "better-auth": "^1.4.9",
     "casbin": "^5.41.0",
     "pg": "^8.0.0",
-    "stratal": "0.0.12"
+    "stratal": "0.0.14"
   },
   "peerDependenciesMeta": {
     "@better-auth/core": {
@@ -99,8 +98,8 @@
   },
   "devDependencies": {
     "@better-auth/core": "^1.5.5",
-    "@cloudflare/vitest-pool-workers": "patch:@cloudflare/vitest-pool-workers@npm%3A0.13.0#~/.yarn/patches/@cloudflare-vitest-pool-workers-npm-0.13.0-47105599c6.patch",
-    "@cloudflare/workers-types": "4.20260313.1",
+    "@cloudflare/vitest-pool-workers": "^0.13.2",
+    "@cloudflare/workers-types": "4.20260317.1",
     "@faker-js/faker": "^10.3.0",
     "@stratal/testing": "workspace:^",
     "@types/node": "^25.5.0",
@@ -113,11 +112,13 @@
     "@zenstackhq/orm": "^3.4.6",
     "better-auth": "^1.5.5",
     "casbin": "^5.49.0",
+    "dotenv-cli": "^11.0.0",
     "pg": "^8.20.0",
     "reflect-metadata": "^0.2.2",
     "stratal": "workspace:*",
+    "tsdown": "^0.21.4",
     "typescript": "^5.9.3",
     "vitest": "~4.1.0",
-    "wrangler": "^4.73.0"
+    "wrangler": "^4.75.0"
   }
 }

package/dist/auth/auth.module.d.ts

@@ -1,37 +0,0 @@
-/**
- * Auth Module
- *
- * Provides configurable authentication using Better Auth.
- * Use `forRootAsync` to configure Better Auth options from the application layer.
- *
- * @example
- * ```typescript
- * @Module({
- *   imports: [
- *     AuthModule.forRootAsync({
- *       inject: [DI_TOKENS.Database, CONFIG_TOKENS.ConfigService],
- *       useFactory: (db, config) => createAuthOptions(db, config)
- *     })
- *   ]
- * })
- * export class AppModule {}
- * ```
- */
-import type { BetterAuthOptions } from 'better-auth';
-import type { MiddlewareConfigurable, MiddlewareConsumer } from 'stratal/middleware';
-import type { AsyncModuleOptions, DynamicModule } from 'stratal/module';
-export declare class AuthModule implements MiddlewareConfigurable {
-    /**
-     * Configure auth middleware.
-     *
-     * Registers middlewares in order:
-     * 1. AuthContextMiddleware - Creates and registers AuthContext in request container
-     * 2. SessionVerificationMiddleware - Verifies session and populates AuthContext with userId
-     */
-    configure(consumer: MiddlewareConsumer): void;
-    /**
-     * Configure AuthModule with async options factory
-     */
-    static forRootAsync<TOptions extends BetterAuthOptions>(options: AsyncModuleOptions<TOptions>): DynamicModule;
-}
-//# sourceMappingURL=auth.module.d.ts.map

package/dist/auth/auth.module.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.module.d.ts","sourceRoot":"","sources":["../../src/auth/auth.module.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAA;AACpD,OAAO,KAAK,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AAEpF,OAAO,KAAK,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAMvE,qBAGa,UAAW,YAAW,sBAAsB;IACvD;;;;;;OAMG;IACH,SAAS,CAAC,QAAQ,EAAE,kBAAkB,GAAG,IAAI;IAU7C;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,QAAQ,SAAS,iBAAiB,EACpD,OAAO,EAAE,kBAAkB,CAAC,QAAQ,CAAC,GACpC,aAAa;CAgBjB"}