@stratal/framework 0.0.21 → 0.0.23

package/dist/guards/index.mjs

@@ -1,11 +1,9 @@
-import { n as AC_TOKENS, t as __decorateParam } from "../decorateParam-C_dJ_dIO.mjs";
-import { t as __decorateMetadata } from "../decorateMetadata-D5WUsc6Y.mjs";
-import { t as __decorate } from "../decorate-DViXs-0l.mjs";
-import { n as UserNotAuthenticatedError } from "../errors-B1vVXc1T.mjs";
-import { t as InsufficientPermissionsError } from "../insufficient-permissions.error-CRnOHYvq.mjs";
-import { DI_TOKENS, Transient } from "stratal/di";
+import { n as AC_TOKENS, t as __decorateParam } from "../decorateParam-DwV9LSPl.mjs";
+import { t as __decorate } from "../decorate-B7nr7eBl.mjs";
+import { n as UserNotAuthenticatedError } from "../errors-BvJSaUTW.mjs";
+import { t as InsufficientPermissionsError } from "../insufficient-permissions.error-DeEyZRgy.mjs";
+import { DI_TOKENS, Transient, inject } from "stratal/di";
 import { LOGGER_TOKENS } from "stratal/logger";
-import { inject as inject$1 } from "tsyringe";
 import { GUARD_METADATA_KEY, GuardExecutionService, UseGuards, getControllerGuards, getMethodGuards } from "stratal/guards";
 //#region src/guards/auth.guard.ts
 function parsePermissions(raw) {
@@ -72,7 +70,7 @@ function AuthGuard(options) {
 			const userId = this.authContext.getUserId();
 			if (!userId) {
 				this.logger.debug("Auth guard: No user ID in context");
-				throw new InsufficientPermissionsError(rawPermissions, void 0);
+				throw new InsufficientPermissionsError(rawPermissions);
 			}
 			if (this.accessService) {
 				const allowed = await this.accessService.hasPermission(userId, permissions);
@@ -88,14 +86,9 @@ function AuthGuard(options) {
 	};
 	ConfiguredAuthGuard = __decorate([
 		Transient(),
-		__decorateParam(0, inject$1(DI_TOKENS.AuthContext)),
-		__decorateParam(1, inject$1(LOGGER_TOKENS.LoggerService)),
-		__decorateParam(2, inject$1(AC_TOKENS.AccessService, { isOptional: true })),
-		__decorateMetadata("design:paramtypes", [
-			Object,
-			Object,
-			Object
-		])
+		__decorateParam(0, inject(DI_TOKENS.AuthContext)),
+		__decorateParam(1, inject(LOGGER_TOKENS.LoggerService)),
+		__decorateParam(2, inject(AC_TOKENS.AccessService, { isOptional: true }))
 	], ConfiguredAuthGuard);
 	return ConfiguredAuthGuard;
 }

package/dist/guards/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":["inject"],"sources":["../../src/guards/auth.guard.ts"],"sourcesContent":["import { DI_TOKENS, Transient } from 'stratal/di'\nimport type { AuthGuardOptions, CanActivate, GuardClass } from 'stratal/guards'\nimport { LOGGER_TOKENS, type LoggerService } from 'stratal/logger'\nimport type { RouterContext } from 'stratal/router'\nimport { inject } from 'tsyringe'\nimport { InsufficientPermissionsError } from '../access-control/errors/insufficient-permissions.error'\nimport type { AccessService } from '../access-control/services/access.service'\nimport { AC_TOKENS } from '../access-control/tokens'\nimport type { AuthContext } from '../context/auth-context'\nimport { UserNotAuthenticatedError } from '../context/errors'\n\nfunction parsePermissions(raw: string | string[]): Record<string, string[]> {\n  const list = Array.isArray(raw) ? raw : [raw]\n  return list.reduce<Record<string, string[]>>((acc, perm) => {\n    const colon = perm.indexOf(':')\n    const resource = colon === -1 ? perm : perm.slice(0, colon)\n    const action = colon === -1 ? '*' : perm.slice(colon + 1)\n    ;(acc[resource] ??= []).push(action)\n    return acc\n  }, {})\n}\n\n\n/**\n * AuthGuard Factory\n *\n * Creates a guard class that enforces authentication and optional authorization.\n *\n * **Authentication (no permissions):**\n * - Checks if user is authenticated via AuthContext.isAuthenticated()\n * - Throws UserNotAuthenticatedError (401) if not authenticated\n *\n * **Authorization (with permissions):**\n * - First verifies authentication\n * - Then checks permissions via AccessService (reads from AuthContext — no DB hit)\n * - Throws InsufficientPermissionsError (403) if unauthorized\n *\n * @param options - Configuration options\n * @param options.permissions - Required permissions keyed by resource\n * @returns Guard class for use with @UseGuards decorator\n *\n * @example Authentication only\n * ```typescript\n * @UseGuards(AuthGuard())\n * export class ProfileController { }\n * ```\n *\n * @example Authentication with permissions\n * ```typescript\n * @UseGuards(AuthGuard({ permissions: 'posts:update' }))\n * @UseGuards(AuthGuard({ permissions: ['posts:update', 'posts:delete'] }))\n * export class PostsController { }\n * ```\n */\nexport function AuthGuard(options?: AuthGuardOptions): GuardClass {\n  const rawPermissions = options?.permissions\n  const permissions = rawPermissions ? parsePermissions(rawPermissions) : undefined\n\n  @Transient()\n  class ConfiguredAuthGuard implements CanActivate {\n    constructor(\n      @inject(DI_TOKENS.AuthContext) private readonly authContext: AuthContext,\n      @inject(LOGGER_TOKENS.LoggerService) private readonly logger: LoggerService,\n      @inject(AC_TOKENS.AccessService, { isOptional: true }) private readonly accessService?: AccessService\n    ) { }\n\n    async canActivate(_context: RouterContext): Promise<boolean> {\n      if (!this.authContext.isAuthenticated()) {\n        this.logger.debug('Auth guard: User not authenticated')\n        throw new UserNotAuthenticatedError()\n      }\n\n      if (!permissions || Object.keys(permissions).length === 0) {\n        this.logger.debug('Auth guard: Authentication passed (no permissions required)')\n        return true\n      }\n\n      const userId = this.authContext.getUserId()\n      if (!userId) {\n        this.logger.debug('Auth guard: No user ID in context')\n        throw new InsufficientPermissionsError(rawPermissions!, undefined)\n      }\n\n      if (this.accessService) {\n        const allowed = await this.accessService.hasPermission(userId, permissions)\n\n        this.logger.debug('Auth guard: Authorization check', {\n          userId,\n          permissions,\n          allowed,\n        })\n\n        if (!allowed) {\n          throw new InsufficientPermissionsError(rawPermissions!, userId)\n        }\n      }\n\n      return true\n    }\n  }\n\n  return ConfiguredAuthGuard\n}\n"],"mappings":";;;;;;;;;;AAWA,SAAS,iBAAiB,KAAkD;CAE1E,QADa,MAAM,QAAQ,IAAI,GAAG,MAAM,CAAC,IAAI,EACjC,QAAkC,KAAK,SAAS;EAC1D,MAAM,QAAQ,KAAK,QAAQ,IAAI;EAC/B,MAAM,WAAW,UAAU,KAAK,OAAO,KAAK,MAAM,GAAG,MAAM;EAC3D,MAAM,SAAS,UAAU,KAAK,MAAM,KAAK,MAAM,QAAQ,EAAE;EACxD,CAAC,IAAI,cAAc,EAAE,EAAE,KAAK,OAAO;EACpC,OAAO;IACN,EAAE,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCR,SAAgB,UAAU,SAAwC;CAChE,MAAM,iBAAiB,SAAS;CAChC,MAAM,cAAc,iBAAiB,iBAAiB,eAAe,GAAG,KAAA;CAExE,IAAA,sBAAA,MACM,oBAA2C;EAEG;EACM;EACkB;EAH1E,YACE,aACA,QACA,eACA;GAHgD,KAAA,cAAA;GACM,KAAA,SAAA;GACkB,KAAA,gBAAA;;EAG1E,MAAM,YAAY,UAA2C;GAC3D,IAAI,CAAC,KAAK,YAAY,iBAAiB,EAAE;IACvC,KAAK,OAAO,MAAM,qCAAqC;IACvD,MAAM,IAAI,2BAA2B;;GAGvC,IAAI,CAAC,eAAe,OAAO,KAAK,YAAY,CAAC,WAAW,GAAG;IACzD,KAAK,OAAO,MAAM,8DAA8D;IAChF,OAAO;;GAGT,MAAM,SAAS,KAAK,YAAY,WAAW;GAC3C,IAAI,CAAC,QAAQ;IACX,KAAK,OAAO,MAAM,oCAAoC;IACtD,MAAM,IAAI,6BAA6B,gBAAiB,KAAA,EAAU;;GAGpE,IAAI,KAAK,eAAe;IACtB,MAAM,UAAU,MAAM,KAAK,cAAc,cAAc,QAAQ,YAAY;IAE3E,KAAK,OAAO,MAAM,mCAAmC;KACnD;KACA;KACA;KACD,CAAC;IAEF,IAAI,CAAC,SACH,MAAM,IAAI,6BAA6B,gBAAiB,OAAO;;GAInE,OAAO;;;;EAvCV,WAAW;qBAGPA,SAAO,UAAU,YAAY,CAAA;qBAC7BA,SAAO,cAAc,cAAc,CAAA;qBACnCA,SAAO,UAAU,eAAe,EAAE,YAAY,MAAM,CAAC,CAAA;;;;;;;CAsC1D,OAAO"}
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/guards/auth.guard.ts"],"sourcesContent":["import { DI_TOKENS, inject, Transient } from 'stratal/di'\nimport type { AuthGuardOptions, CanActivate, GuardClass } from 'stratal/guards'\nimport { LOGGER_TOKENS, type LoggerService } from 'stratal/logger'\nimport type { RouterContext } from 'stratal/router'\nimport { InsufficientPermissionsError } from '../access-control/errors/insufficient-permissions.error'\nimport type { AccessService } from '../access-control/services/access.service'\nimport { AC_TOKENS } from '../access-control/tokens'\nimport type { AuthContext } from '../context/auth-context'\nimport { UserNotAuthenticatedError } from '../context/errors'\n\nfunction parsePermissions(raw: string | string[]): Record<string, string[]> {\n  const list = Array.isArray(raw) ? raw : [raw]\n  return list.reduce<Record<string, string[]>>((acc, perm) => {\n    const colon = perm.indexOf(':')\n    const resource = colon === -1 ? perm : perm.slice(0, colon)\n    const action = colon === -1 ? '*' : perm.slice(colon + 1)\n    ;(acc[resource] ??= []).push(action)\n    return acc\n  }, {})\n}\n\n\n/**\n * AuthGuard Factory\n *\n * Creates a guard class that enforces authentication and optional authorization.\n *\n * **Authentication (no permissions):**\n * - Checks if user is authenticated via AuthContext.isAuthenticated()\n * - Throws UserNotAuthenticatedError (401) if not authenticated\n *\n * **Authorization (with permissions):**\n * - First verifies authentication\n * - Then checks permissions via AccessService (reads from AuthContext — no DB hit)\n * - Throws InsufficientPermissionsError (403) if unauthorized\n *\n * @param options - Configuration options\n * @param options.permissions - Required permissions keyed by resource\n * @returns Guard class for use with @UseGuards decorator\n *\n * @example Authentication only\n * ```typescript\n * @UseGuards(AuthGuard())\n * export class ProfileController { }\n * ```\n *\n * @example Authentication with permissions\n * ```typescript\n * @UseGuards(AuthGuard({ permissions: 'posts:update' }))\n * @UseGuards(AuthGuard({ permissions: ['posts:update', 'posts:delete'] }))\n * export class PostsController { }\n * ```\n */\nexport function AuthGuard(options?: AuthGuardOptions): GuardClass {\n  const rawPermissions = options?.permissions\n  const permissions = rawPermissions ? parsePermissions(rawPermissions) : undefined\n\n  @Transient()\n  class ConfiguredAuthGuard implements CanActivate {\n    constructor(\n      @inject(DI_TOKENS.AuthContext) private readonly authContext: AuthContext,\n      @inject(LOGGER_TOKENS.LoggerService) private readonly logger: LoggerService,\n      @inject(AC_TOKENS.AccessService, { isOptional: true }) private readonly accessService?: AccessService\n    ) { }\n\n    async canActivate(_context: RouterContext): Promise<boolean> {\n      if (!this.authContext.isAuthenticated()) {\n        this.logger.debug('Auth guard: User not authenticated')\n        throw new UserNotAuthenticatedError()\n      }\n\n      if (!permissions || Object.keys(permissions).length === 0) {\n        this.logger.debug('Auth guard: Authentication passed (no permissions required)')\n        return true\n      }\n\n      const userId = this.authContext.getUserId()\n      if (!userId) {\n        this.logger.debug('Auth guard: No user ID in context')\n        throw new InsufficientPermissionsError(rawPermissions!)\n      }\n\n      if (this.accessService) {\n        const allowed = await this.accessService.hasPermission(userId, permissions)\n\n        this.logger.debug('Auth guard: Authorization check', {\n          userId,\n          permissions,\n          allowed,\n        })\n\n        if (!allowed) {\n          throw new InsufficientPermissionsError(rawPermissions!, userId)\n        }\n      }\n\n      return true\n    }\n  }\n\n  return ConfiguredAuthGuard\n}\n"],"mappings":";;;;;;;;AAUA,SAAS,iBAAiB,KAAkD;CAE1E,QADa,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,GAAG,GAChC,QAAkC,KAAK,SAAS;EAC1D,MAAM,QAAQ,KAAK,QAAQ,GAAG;EAC9B,MAAM,WAAW,UAAU,KAAK,OAAO,KAAK,MAAM,GAAG,KAAK;EAC1D,MAAM,SAAS,UAAU,KAAK,MAAM,KAAK,MAAM,QAAQ,CAAC;EACvD,CAAC,IAAI,cAAc,CAAC,GAAG,KAAK,MAAM;EACnC,OAAO;CACT,GAAG,CAAC,CAAC;AACP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCA,SAAgB,UAAU,SAAwC;CAChE,MAAM,iBAAiB,SAAS;CAChC,MAAM,cAAc,iBAAiB,iBAAiB,cAAc,IAAI,KAAA;CAExE,IAAA,sBAAA,MACM,oBAA2C;EAEG;EACM;EACkB;EAH1E,YACE,aACA,QACA,eACA;GAHgD,KAAA,cAAA;GACM,KAAA,SAAA;GACkB,KAAA,gBAAA;EACtE;EAEJ,MAAM,YAAY,UAA2C;GAC3D,IAAI,CAAC,KAAK,YAAY,gBAAgB,GAAG;IACvC,KAAK,OAAO,MAAM,oCAAoC;IACtD,MAAM,IAAI,0BAA0B;GACtC;GAEA,IAAI,CAAC,eAAe,OAAO,KAAK,WAAW,EAAE,WAAW,GAAG;IACzD,KAAK,OAAO,MAAM,6DAA6D;IAC/E,OAAO;GACT;GAEA,MAAM,SAAS,KAAK,YAAY,UAAU;GAC1C,IAAI,CAAC,QAAQ;IACX,KAAK,OAAO,MAAM,mCAAmC;IACrD,MAAM,IAAI,6BAA6B,cAAe;GACxD;GAEA,IAAI,KAAK,eAAe;IACtB,MAAM,UAAU,MAAM,KAAK,cAAc,cAAc,QAAQ,WAAW;IAE1E,KAAK,OAAO,MAAM,mCAAmC;KACnD;KACA;KACA;IACF,CAAC;IAED,IAAI,CAAC,SACH,MAAM,IAAI,6BAA6B,gBAAiB,MAAM;GAElE;GAEA,OAAO;EACT;CACF;;EAzCC,UAAU;qBAGN,OAAO,UAAU,WAAW,CAAA;qBAC5B,OAAO,cAAc,aAAa,CAAA;qBAClC,OAAO,UAAU,eAAe,EAAE,YAAY,KAAK,CAAC,CAAA;;CAsCzD,OAAO;AACT"}

package/dist/{index-CCDPF-1Y.d.mts → index-jILx9QXw.d.mts}

@@ -1,7 +1,6 @@
-import { a as InferConnectionSchema, i as InferConnectionExtensions, n as DefaultConnectionName, r as InferAnySchema, t as ConnectionName } from "./types-BZlcRR2M.mjs";
-import { MessageKeys } from "stratal/i18n";
+import { a as InferConnectionSchema, i as InferConnectionExtensions, n as DefaultConnectionName, r as InferAnySchema, t as ConnectionName } from "./types-CWZ9q74G.mjs";
 import { AsyncModuleOptions, DynamicModule, ModuleContext, OnInitialize, OnShutdown } from "stratal/module";
-import { ApplicationError, ErrorCode } from "stratal/errors";
+import { ApplicationError, HttpException } from "stratal/errors";
 import { Command } from "stratal/quarry";
 import { AggregateArgs, AllCrudOperations, AnyPlugin, ClientContract, ClientOptions, ComputedFieldsOptions, CountArgs, CreateArgs, CreateManyArgs, DeleteArgs, DeleteManyArgs, FindFirstArgs, FindManyArgs, FindUniqueArgs, GroupByArgs, ModelResult, RuntimePlugin, UpdateArgs, UpdateManyArgs, UpsertArgs } from "@zenstackhq/orm";
 import { SchemaDef } from "@zenstackhq/schema";
@@ -28,7 +27,7 @@ interface DatabaseModuleConfig {
 declare class DatabaseModule implements OnInitialize, OnShutdown {
   static forRoot(config: DatabaseModuleConfig): DynamicModule;
   static forRootAsync(options: AsyncModuleOptions<DatabaseModuleConfig>): DynamicModule;
-  onInitialize(context: ModuleContext): void;
+  onInitialize(context: ModuleContext): Promise<void>;
   onShutdown(context: ModuleContext): void;
 }
 //#endregion
@@ -60,101 +59,20 @@ declare function connectionSymbol(name: ConnectionName): symbol;
 //#region src/database/decorators/inject-db.decorator.d.ts
 declare function InjectDB(name: ConnectionName): ParameterDecorator;
 //#endregion
-//#region src/database/errors/database-error.d.ts
-/**
- * DatabaseError
- *
- * Generic database error thrown when a database operation fails
- * and doesn't fit into a more specific error category.
- *
- * This is the base class for all database-related errors.
- */
-declare class DatabaseError extends ApplicationError {
-  constructor(messageKey?: MessageKeys, code?: ErrorCode, metadata?: Record<string, unknown>);
-}
-//#endregion
-//#region src/database/errors/database-config.error.d.ts
-declare class DatabaseConfigError extends DatabaseError {
-  constructor(details: string);
-}
-//#endregion
-//#region src/database/errors/foreign-key-constraint.error.d.ts
-/**
- * ForeignKeyConstraintError
- *
- * Thrown when a database foreign key constraint is violated.
- * This typically occurs when:
- * - Trying to insert a record with a foreign key that doesn't exist
- * - Trying to delete a record that is referenced by other records
- * - Trying to update a foreign key to a non-existent value
- */
-declare class ForeignKeyConstraintError extends DatabaseError {
-  constructor(field?: string);
-}
-//#endregion
-//#region src/database/errors/invalid-error-code-range.error.d.ts
-/**
- * InvalidErrorCodeRangeError
- *
- * Thrown when a DatabaseError subclass is constructed with an error code
- * outside the valid database error range (2000-2999).
- * This is a developer-facing error to enforce error code conventions.
- */
-declare class InvalidErrorCodeRangeError extends ApplicationError {
-  constructor(code: number, expectedRange: string);
-}
-//#endregion
 //#region src/database/errors/record-not-found.error.d.ts
-/**
- * RecordNotFoundError
- *
- * Generic error thrown when a database record is not found.
- * This is typically thrown when a findUnique or findFirst operation
- * returns null, or when a required record doesn't exist.
- *
- * Services should catch this and optionally refine it to a more specific
- * domain error (e.g., NoteNotFoundError, UserNotFoundError).
- */
-declare class RecordNotFoundError extends DatabaseError {
-  constructor(details?: string);
+declare class RecordNotFoundError extends HttpException {
+  readonly details?: string | undefined;
+  constructor(details?: string | undefined, cause?: unknown);
 }
 //#endregion
 //#region src/database/errors/unique-constraint.error.d.ts
-/**
- * UniqueConstraintError
- *
- * Thrown when a database unique constraint is violated.
- * This typically occurs when trying to insert or update a record
- * with a value that already exists in a unique column.
- *
- * Services should catch this and optionally refine it to a more specific
- * domain error (e.g., UserEmailAlreadyExistsError).
- */
-declare class UniqueConstraintError extends DatabaseError {
-  constructor(fields?: string[]);
+declare class UniqueConstraintError extends HttpException {
+  readonly fields?: string[] | undefined;
+  constructor(fields?: string[] | undefined, cause?: unknown);
 }
 //#endregion
 //#region src/database/errors/from-zenstack-error.d.ts
-/**
- * Transform ZenStack ORM errors into ApplicationError instances
- *
- * This function maps ORMError codes to generic database error classes.
- * Services can catch these generic errors and optionally refine them to
- * more specific domain errors if needed.
- *
- * @param error - The error thrown by ZenStack ORM
- * @returns An ApplicationError instance
- *
- * @example
- * ```typescript
- * try {
- *   await db.user.create({ data: { email: 'existing@example.com' } })
- * } catch (error) {
- *   throw fromZenStackError(error) // Becomes UniqueConstraintError or other
- * }
- * ```
- */
-declare function fromZenStackError(error: unknown): DatabaseError;
+declare function fromZenStackError(error: unknown): ApplicationError;
 //#endregion
 //#region src/database/event-types.d.ts
 /**
@@ -444,5 +362,5 @@ declare class MigrateStatusCommand extends ZenStackCommand {
   handle(): Promise<number>;
 }
 //#endregion
-export { DATABASE_TOKENS as A, UniqueConstraintError as C, DatabaseConfigError as D, ForeignKeyConstraintError as E, DatabaseModuleConfig as F, DatabaseService as M, DatabaseConnectionConfig as N, DatabaseError as O, DatabaseModule as P, fromZenStackError as S, InvalidErrorCodeRangeError as T, EventPhase as _, DbPushCommand as a, ModelName as b, ZenStackCommand as c, EventEmitterPluginOptions as d, ErrorHandlerPlugin as f, DatabaseOperation as g, DatabaseEvents as h, MigrateDeployCommand as i, connectionSymbol as j, InjectDB as k, SchemaSwitcher as l, DatabaseEventName as m, MigrateResetCommand as n, DbPullCommand as o, databaseMessages as p, MigrateDevCommand as r, DbGenerateCommand as s, MigrateStatusCommand as t, EventEmitterPlugin as u, GetData as v, RecordNotFoundError as w, ParseEvent as x, GetResult as y };
-//# sourceMappingURL=index-CCDPF-1Y.d.mts.map
+export { DatabaseModule as A, UniqueConstraintError as C, connectionSymbol as D, DATABASE_TOKENS as E, DatabaseService as O, fromZenStackError as S, InjectDB as T, EventPhase as _, DbPushCommand as a, ModelName as b, ZenStackCommand as c, EventEmitterPluginOptions as d, ErrorHandlerPlugin as f, DatabaseOperation as g, DatabaseEvents as h, MigrateDeployCommand as i, DatabaseModuleConfig as j, DatabaseConnectionConfig as k, SchemaSwitcher as l, DatabaseEventName as m, MigrateResetCommand as n, DbPullCommand as o, databaseMessages as p, MigrateDevCommand as r, DbGenerateCommand as s, MigrateStatusCommand as t, EventEmitterPlugin as u, GetData as v, RecordNotFoundError as w, ParseEvent as x, GetResult as y };
+//# sourceMappingURL=index-jILx9QXw.d.mts.map

package/dist/index-jILx9QXw.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index-jILx9QXw.d.mts","names":[],"sources":["../src/database/database.module.ts","../src/database/database.service.ts","../src/database/database.tokens.ts","../src/database/decorators/inject-db.decorator.ts","../src/database/errors/record-not-found.error.ts","../src/database/errors/unique-constraint.error.ts","../src/database/errors/from-zenstack-error.ts","../src/database/event-types.ts","../src/database/i18n/en.ts","../src/database/plugins/error-handler.plugin.ts","../src/database/plugins/event-emitter.plugin.ts","../src/database/plugins/schema-switcher.ts","../src/database/commands/zenstack.command.ts","../src/database/commands/db-generate.command.ts","../src/database/commands/db-pull.command.ts","../src/database/commands/db-push.command.ts","../src/database/commands/migrate-deploy.command.ts","../src/database/commands/migrate-dev.command.ts","../src/database/commands/migrate-reset.command.ts","../src/database/commands/migrate-status.command.ts"],"mappings":";;;;;;;;;;UA0BiB,wBAAA,gBACA,SAAA,GAAY,SAAA,eACd,cAAA,GAAiB,cAAA;EAE9B,IAAA,EAAM,IAAA;EACN,MAAA,EAAQ,MAAA;EACR,OAAA,QAAe,aAAA,CAAc,SAAA;EAC7B,OAAA,GAAU,SAAA;;AAPZ;;;;EAaE,cAAA,GAAiB,qBAAA,CAAsB,MAAA;AAAA;AAAA,UAGxB,oBAAA;EACf,OAAA,EAAS,qBAAA;EACT,WAAA,EAAa,wBAAwB;AAAA;AAAA,cAiB1B,cAAA,YAA0B,YAAA,EAAc,UAAA;EAAA,OAC5C,OAAA,CAAQ,MAAA,EAAQ,oBAAA,GAAuB,aAAA;EAAA,OASvC,YAAA,CAAa,OAAA,EAAS,kBAAA,CAAmB,oBAAA,IAAwB,aAAA;EAalE,YAAA,CAAa,OAAA,EAAS,aAAA,GAAgB,OAAA;EAiB5C,UAAA,CAAW,OAAA,EAAS,aAAA;AAAA;;;;;;;;;;;AA3EtB;;;;;;;KCRY,eAAA,WACA,cAAA,GAAiB,qBAAA,IACzB,cAAA,CACF,qBAAA,CAAsB,CAAA,GACtB,aAAA,CAAc,qBAAA,CAAsB,CAAA,IACpC,yBAAA,CAA0B,CAAA,mBAC1B,yBAAA,CAA0B,CAAA,uBAE1B,yBAAA,CAA0B,CAAA;;;cC1Bf,eAAA;EAAA,SAGH,OAAA;EAAA,SAAA,QAAA;AAAA;AAAA,iBAIM,gBAAA,CAAiB,IAAoB,EAAd,cAAc;;;iBCHrC,QAAA,CAAS,IAAA,EAAM,cAAA,GAAiB,kBAAkB;;;cCFrD,mBAAA,SAA4B,aAAa;EAAA,SACxB,OAAA;cAAA,OAAA,uBAAkB,KAAA;AAAA;;;cCDnC,qBAAA,SAA8B,aAAa;EAAA,SAC1B,MAAA;cAAA,MAAA,yBAAmB,KAAA;AAAA;;;iBCEjC,iBAAA,CAAkB,KAAA,YAAiB,gBAAgB;;;;;;KCkCvD,UAAA;;;;KAKA,iBAAA,GAAoB,iBAAiB;;;;;;KAO5C,kBAAA,MAAwB,CAAA;EAAY,MAAA;AAAA,IAAoB,OAAA,OAAc,CAAA;;;;;KAM/D,SAAA,GAAY,kBAAkB,CAAC,cAAA;;;;KAS/B,iBAAA,MACL,UAAA,IAAc,SAAA,IAAa,iBAAA,QAC3B,UAAA,IAAc,SAAA,QACd,UAAA,IAAc,iBAAA,KACjB,UAAA;;;;KASC,gBAAA,WACO,SAAA,YACA,OAAA,OAAc,CAAA,+BACd,iBAAA,IAEV,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,uBAAwB,aAAA,CAAc,CAAA,EAAG,CAAA,IACzC,CAAA,sBAAuB,YAAA,CAAa,CAAA,EAAG,CAAA,IACvC,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,mBAAoB,SAAA,CAAU,CAAA,EAAG,CAAA,IACjC,CAAA,uBAAwB,aAAA,CAAc,CAAA,EAAG,CAAA,IACzC,CAAA,qBAAsB,WAAA,CAAY,CAAA,EAAG,CAAA;;;APzDQ;KO+D1C,YAAA,gCAA4C,iBAAA,IAC/C,CAAA,SAAU,SAAA,GACR,CAAA,SAAU,OAAA,OAAc,CAAA,sBACxB,gBAAA,CAAiB,CAAA,EAAG,CAAA,EAAG,CAAA;EAAa,IAAA;AAAA,IACpC,CAAA,GACA,gBAAA,CAAiB,CAAA,EAAG,CAAA,EAAG,CAAA;EAAa,KAAA;AAAA,IACpC,CAAA,GACA,gBAAA,CAAiB,CAAA,EAAG,CAAA,EAAG,CAAA;;;;;KAQf,OAAA,WAAkB,SAAA,YAAqB,iBAAA,IACjD,YAAA,CAAa,cAAA,EAAgB,CAAA,EAAG,CAAA,4BAA6B,YAAA,CAAa,cAAA,EAAgB,CAAA,EAAG,CAAA;APvE/F;;;AAAA,KO4EK,cAAA,gCAA8C,iBAAA,IACjD,CAAA,SAAU,SAAA,GACR,CAAA,SAAU,OAAA,OAAc,CAAA,sBACxB,CAAA,mEACA,WAAA,CAAY,CAAA,EAAG,CAAA,MACf,CAAA,4BAEA,WAAA,CAAY,CAAA,EAAG,CAAA;;;;;KAQP,SAAA,WAAoB,SAAA,YAAqB,iBAAA,IACnD,cAAA,CAAe,cAAA,EAAgB,CAAA,EAAG,CAAA,4BAA6B,cAAA,CAAe,cAAA,EAAgB,CAAA,EAAG,CAAA;;;;KASvF,UAAA,qBACV,CAAA,gCAAiC,UAAA,wBAAkC,SAAA,qBAA8B,iBAAA;EAC7F,KAAA,EAAO,KAAA;EAAO,KAAA,EAAO,KAAA;EAAO,SAAA,EAAW,EAAA;EAAI,IAAA;AAAA,IAC7C,CAAA,gCAAiC,UAAA,qBACjC,MAAA,SAAe,SAAA;EACb,KAAA,EAAO,KAAA;EAAO,KAAA,EAAO,MAAA;EAAQ,IAAA;AAAA,IAC/B,MAAA,SAAe,iBAAA;EACb,KAAA,EAAO,KAAA;EAAO,SAAA,EAAW,MAAA;EAAQ,IAAA;AAAA,YAEnC,CAAA,SAAU,UAAA;EACR,KAAA,EAAO,CAAA;EAAG,IAAA;AAAA;;UAQN,gBAAA;;UAIA,yBAAA,WACE,SAAA,YACA,iBAAA,gBACI,UAAA,UACN,gBAAA;EACR,IAAA,EAAM,KAAA,oBAAyB,OAAA,CAAQ,CAAA,EAAG,CAAA,IAAK,QAAA,CAAS,OAAA,CAAQ,CAAA,EAAG,CAAA;EACnE,MAAA,EAAQ,KAAA,mBAAwB,SAAA,CAAU,CAAA,EAAG,CAAA;AAAA;;UAIrC,yBAAA,eACM,UAAA,UACN,gBAAA;EACR,SAAA,EAAW,iBAAA;EACX,IAAA,EAAM,KAAA,8BAAmC,QAAA;EACzC,MAAA,EAAQ,KAAA;AAAA;;UAIA,6BAAA,eACM,UAAA,UACN,gBAAA;EACR,KAAA,EAAO,SAAA;EACP,IAAA,EAAM,KAAA,8BAAmC,QAAA;EACzC,MAAA,EAAQ,KAAA;AAAA;;UAIA,yBAAA,eACM,UAAA,UACN,gBAAA;EACR,KAAA,EAAO,SAAA;EACP,SAAA,EAAW,iBAAA;EACX,IAAA,EAAM,KAAA,8BAAmC,QAAA;EACzC,MAAA,EAAQ,KAAA;AAAA;;;;KAUL,oBAAA,qBACH,UAAA,CAAW,CAAA;EACT,KAAA,kBAAuB,UAAA;EACvB,KAAA,kBAAuB,SAAA;EACvB,SAAA,kBAA2B,iBAAA;EAC3B,IAAA;AAAA,IAEA,yBAAA,CAA0B,CAAA,EAAG,CAAA,EAAG,CAAA,IAChC,UAAA,CAAW,CAAA;EACX,KAAA,kBAAuB,UAAA;EACvB,KAAA,mBAAwB,SAAA;EACxB,IAAA;AAAA,IAEA,yBAAA,CAA0B,CAAA,IAC1B,UAAA,CAAW,CAAA;EACX,KAAA,kBAAuB,UAAA;EACvB,SAAA,mBAA4B,iBAAA;EAC5B,IAAA;AAAA,IAEA,6BAAA,CAA8B,CAAA,IAC9B,UAAA,CAAW,CAAA;EAAa,KAAA,kBAAuB,UAAA;EAAY,IAAA;AAAA,IAC3D,yBAAA,CAA0B,CAAA,IAC1B,gBAAA;;AL5OJ;;;;;AAOA;;;;AAAqD;;KKuPzC,cAAA,WACJ,iBAAA,GAAoB,oBAAA,CAAqB,CAAA;AAAA;EAAA,UAQrC,mBAAA,SAA4B,cAAc;AAAA;;;cCvQzC,gBAAA;EAAA;;;;;;;;;YAWD,oBAAA;IACR,QAAA,SAAiB,gBAAgB;EAAA;AAAA;;;;;;;;;;;ARcrC;;;cSXa,kBAAA,YAA8B,aAAA,CAAc,WAAA,EAAW,MAAA,mBAAyB,MAAA;EAAA,SAClF,EAAA;EAET,OAAA;IAAiB,IAAA;IAAA;EAAA;IACf,IAAA,EAAM,MAAA;IACN,OAAA,GAAU,IAAA,EAAM,MAAA,kCAAwC,OAAA;EAAA,MACtD,OAAA;AAAA;;;UCjBW,yBAAA;EACf,aAAA,EAAe,cAAc;AAAA;;;;;AVqB/B;;;;;;;;;;;;;;;cUCa,kBAAA,YAA8B,aAAA,CAAc,WAAA,EAAW,MAAA,mBAAyB,MAAA;EAAA,QAGvE,OAAA;EAAA,SAFX,EAAA;cAEW,OAAA,EAAS,yBAAA;EAE7B,OAAA;IAAiB,KAAA;IAAA,SAAA;IAAA,IAAA;IAAA;EAAA;IACf,KAAA;IACA,SAAA;IACA,IAAA,EAAM,MAAA;IACN,OAAA,GAAU,IAAA,EAAM,MAAA,kCAAwC,OAAA;EAAA,MACtD,OAAA;AAAA;;;;;;;;;;;;;AVXN;cWVa,cAAA;EAAA,OACJ,KAAA,IAAS,MAAA,EAAQ,CAAA,EAAG,UAAA,WAAqB,CAAC;AAAA;;;;;;;uBCX7B,eAAA,SAAwB,OAAO;EAAA,UACnC,QAAA,CAAS,IAAA,aAAiB,OAAA;AAAA;;;cCL/B,iBAAA,SAA0B,eAAe;EAAA,OAC7C,OAAA;EAAA,OACA,WAAA;EAED,MAAA,IAAU,OAAA;AAAA;;;cCJL,aAAA,SAAsB,eAAe;EAAA,OACzC,OAAA;EAAA,OACA,WAAA;EAED,MAAA,IAAU,OAAA;AAAA;;;cCJL,aAAA,SAAsB,eAAe;EAAA,OACzC,OAAA;EAAA,OACA,WAAA;EAED,MAAA,IAAU,OAAA;AAAA;;;cCJL,oBAAA,SAA6B,eAAe;EAAA,OAChD,OAAA;EAAA,OACA,WAAA;EAED,MAAA,IAAU,OAAA;AAAA;;;cCJL,iBAAA,SAA0B,eAAe;EAAA,OAC7C,OAAA;EAAA,OACA,WAAA;EAED,MAAA,IAAU,OAAA;AAAA;;;cCJL,mBAAA,SAA4B,eAAe;EAAA,OAC/C,OAAA;EAAA,OACA,WAAA;EAED,MAAA,IAAU,OAAA;AAAA;;;cCJL,oBAAA,SAA6B,eAAe;EAAA,OAChD,OAAA;EAAA,OACA,WAAA;EAED,MAAA,IAAU,OAAA;AAAA"}

package/dist/index.d.mts

@@ -1,3 +1,3 @@
-import { a as InferConnectionSchema, i as InferConnectionExtensions, n as DefaultConnectionName, r as InferAnySchema, s as StratalDatabase, t as ConnectionName } from "./types-BZlcRR2M.mjs";
+import { a as InferConnectionSchema, i as InferConnectionExtensions, n as DefaultConnectionName, r as InferAnySchema, s as StratalDatabase, t as ConnectionName } from "./types-CWZ9q74G.mjs";
 import { CustomEventRegistry, EventName } from "stratal/events";
-export { type ConnectionName, type CustomEventRegistry, type DefaultConnectionName, type EventName, type InferAnySchema, type InferConnectionExtensions, type InferConnectionSchema, type StratalDatabase };
+export type { ConnectionName, CustomEventRegistry, DefaultConnectionName, EventName, InferAnySchema, InferConnectionExtensions, InferConnectionSchema, StratalDatabase };

package/dist/insufficient-permissions.error-DeEyZRgy.mjs

@@ -0,0 +1,16 @@
+import { HttpException } from "stratal/errors";
+//#region src/access-control/errors/insufficient-permissions.error.ts
+var InsufficientPermissionsError = class extends HttpException {
+	requiredPermissions;
+	userId;
+	constructor(requiredPermissions, userId) {
+		const summary = Array.isArray(requiredPermissions) ? requiredPermissions.join(", ") : requiredPermissions;
+		super(403, "Insufficient permissions");
+		this.requiredPermissions = summary;
+		this.userId = userId;
+	}
+};
+//#endregion
+export { InsufficientPermissionsError as t };
+
+//# sourceMappingURL=insufficient-permissions.error-DeEyZRgy.mjs.map

package/dist/insufficient-permissions.error-DeEyZRgy.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"insufficient-permissions.error-DeEyZRgy.mjs","names":[],"sources":["../src/access-control/errors/insufficient-permissions.error.ts"],"sourcesContent":["import { HttpException } from 'stratal/errors'\n\nexport class InsufficientPermissionsError extends HttpException {\n  public readonly requiredPermissions: string\n  public readonly userId?: string\n\n  constructor(requiredPermissions: string | string[], userId?: string) {\n    const summary = Array.isArray(requiredPermissions) ? requiredPermissions.join(', ') : requiredPermissions\n    super(403, 'Insufficient permissions')\n    this.requiredPermissions = summary\n    this.userId = userId\n  }\n}\n"],"mappings":";;AAEA,IAAa,+BAAb,cAAkD,cAAc;CAC9D;CACA;CAEA,YAAY,qBAAwC,QAAiB;EACnE,MAAM,UAAU,MAAM,QAAQ,mBAAmB,IAAI,oBAAoB,KAAK,IAAI,IAAI;EACtF,MAAM,KAAK,0BAA0B;EACrC,KAAK,sBAAsB;EAC3B,KAAK,SAAS;CAChB;AACF"}

package/dist/{types-BZlcRR2M.d.mts → types-CWZ9q74G.d.mts}

@@ -89,4 +89,4 @@ interface InternalDatabaseEventContext {
 }
 //#endregion
 export { InferConnectionSchema as a, InferConnectionExtensions as i, DefaultConnectionName as n, InternalDatabaseEventContext as o, InferAnySchema as r, StratalDatabase as s, ConnectionName as t };
-//# sourceMappingURL=types-BZlcRR2M.d.mts.map
+//# sourceMappingURL=types-CWZ9q74G.d.mts.map

package/dist/types-CWZ9q74G.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types-CWZ9q74G.d.mts","names":[],"sources":["../src/database/types.ts"],"mappings":";;;;;;AA+BA;;;;AAAgC;AAAG;;;;;;;;;;;;;AAIiC;AAAA;;;;;;;UAJnD,eAAA;;KAGZ,sBAAA,MACH,CAAA,SAAU,aAAa,0CAA0C,CAAA;;KAG9D,0BAAA,MACH,CAAA,SAAU,aAAa,0CAA0C,CAAA;AAAC;AAAA,KAG/D,mBAAA,MACH,CAAA,SAAU,aAAa,0CAA0C,CAAA;;KAG9D,YAAA,8BACH,OAAA;EAEM,YAAA,EAAc,sBAAA,CAAuB,CAAA,IAAK,YAAA,CAAa,IAAA;EACvD,gBAAA,EAAkB,0BAAA,CAA2B,CAAA,IAAK,YAAA,CAAa,IAAA;EAC/D,SAAA,EAAW,mBAAA,CAAoB,CAAA,IAAK,YAAA,CAAa,IAAA;AAAA;EAEjD,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;;KAGpC,yBAAA,qBACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,eAAgB,CAAA,GACd,CAAA,CAAE,CAAA,sBACA,YAAA,CAAa,CAAA,CAAE,CAAA;EACb,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;EAC1C,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;EAC1C,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;;KAGpC,qBAAA,qBACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,eAAgB,CAAA,GAAI,CAAA,CAAE,CAAA,UAAW,SAAA,GAAY,CAAA,CAAE,CAAA,IAAK,SAAA,GAAY,SAAA,GAChE,SAAA;;KAGM,cAAA,GACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,OAAQ,CAAA,UAAW,SAAA,GAAY,CAAA,OAAQ,CAAA,IAAK,SAAA,GAC5C,SAAA;;KAGM,cAAA,GACV,eAAA;EAA0B,OAAA;AAAA,UAChB,CAAA,0BAA2B,OAAA,OAAc,CAAA;;KAIzC,qBAAA,GACV,eAAe;EAAW,iBAAA;AAAA,IAA8C,CAAA;;;;;UAMzD,4BAAA;EACf,IAAA;EACA,MAAM;AAAA"}

package/dist/{types-BLyu9dAd.d.mts → types-DabF8LGz.d.mts}

@@ -8,4 +8,4 @@ interface AccessControlOptions<TStatements extends Statements = Statements, TRol
 }
 //#endregion
 export { RolePermissions as n, AccessControlOptions as t };
-//# sourceMappingURL=types-BLyu9dAd.d.mts.map
+//# sourceMappingURL=types-DabF8LGz.d.mts.map

package/dist/{types-BLyu9dAd.d.mts.map → types-DabF8LGz.d.mts.map}

@@ -1 +1 @@
-{"version":3,"file":"types-BLyu9dAd.d.mts","names":[],"sources":["../src/access-control/types.ts"],"mappings":";;;KAEY,eAAA,qBAAoC,UAAA,kBAClC,WAAA,aAAwB,WAAA,CAAY,CAAA;AAAA,UAGjC,oBAAA,qBAAyC,UAAA,GAAa,UAAA,iBAA2B,MAAA,SAAe,eAAA,CAAgB,WAAA,KAAgB,MAAA,SAAe,eAAA,CAAgB,WAAA;EAC9K,EAAA,EAAI,aAAA;EACJ,KAAA,gBAAqB,MAAA,GAAS,IAAA;AAAA"}
+{"version":3,"file":"types-DabF8LGz.d.mts","names":[],"sources":["../src/access-control/types.ts"],"mappings":";;;KAEY,eAAA,qBAAoC,UAAA,kBAClC,WAAA,aAAwB,WAAA,CAAY,CAAA;AAAA,UAGjC,oBAAA,qBAAyC,UAAA,GAAa,UAAA,iBAA2B,MAAA,SAAe,eAAA,CAAgB,WAAA,KAAgB,MAAA,SAAe,eAAA,CAAgB,WAAA;EAC9K,EAAA,EAAI,aAAA;EACJ,KAAA,gBAAqB,MAAA,GAAS,IAAA;AAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stratal/framework",
-  "version": "0.0.21",
+  "version": "0.0.23",
   "type": "module",
   "license": "MIT",
   "author": "Temitayo Fadojutimi",
@@ -57,46 +57,49 @@
     "generate": "zenstack generate --schema=test/schema.zmodel -o test/zenstack",
     "generate:types": "wrangler types -c test/wrangler.jsonc",
     "pretest": "npx dotenv -- yarn generate && yarn generate:types",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "test:e2e": "vitest run --project e2e",
-    "test:coverage": "vitest run --coverage",
+    "test": "npx dotenv -- vitest run",
+    "test:watch": "npx dotenv -- vitest",
+    "test:e2e": "npx dotenv -- vitest run --project e2e",
+    "test:coverage": "npx dotenv -- vitest run --coverage",
     "test:db": "docker compose -f test/docker-compose.yml up -d",
     "typecheck": "yarn tsc --noEmit",
     "lint": "npx oxlint .",
     "lint:fix": "npx oxlint --fix ."
   },
   "dependencies": {
-    "@better-auth/core": "^1.6.10",
     "@faker-js/faker": "^10.4.0",
-    "@zenstackhq/cli": "^3.6.4",
-    "@zenstackhq/orm": "^3.6.4",
-    "better-auth": "^1.6.10",
-    "better-call": "2.0.3",
+    "better-call": "1.3.5",
     "postgres-array": "^3.0.4"
   },
   "peerDependencies": {
+    "@better-auth/core": ">=1.6",
+    "@zenstackhq/orm": ">=3.6",
+    "@zenstackhq/schema": ">=3.6",
+    "better-auth": ">=1.6",
     "pg": "^8.0.0",
-    "reflect-metadata": "^0.2.2",
-    "stratal": "^0.0.21"
+    "stratal": "^0.0.23"
   },
   "devDependencies": {
-    "@cloudflare/vitest-pool-workers": "^0.16.3",
-    "@cloudflare/workers-types": "4.20260510.1",
+    "@better-auth/core": "^1.6.14",
+    "@cloudflare/vitest-pool-workers": "^0.16.12",
+    "@cloudflare/workers-types": "4.20260603.1",
     "@stratal/testing": "workspace:^",
-    "@types/node": "^25.6.2",
+    "@types/node": "^25.9.1",
     "@types/pg": "^8.20.0",
-    "@vitest/coverage-istanbul": "~4.1.5",
-    "@vitest/runner": "~4.1.5",
-    "@vitest/snapshot": "~4.1.5",
-    "@zenstackhq/better-auth": "^3.6.4",
+    "@vitest/coverage-istanbul": "~4.1.8",
+    "@vitest/runner": "~4.1.8",
+    "@vitest/snapshot": "~4.1.8",
+    "@zenstackhq/better-auth": "^3.7.2",
+    "@zenstackhq/cli": "^3.7.2",
+    "@zenstackhq/orm": "^3.7.2",
+    "@zenstackhq/schema": "^3.7.2",
+    "better-auth": "^1.6.14",
     "dotenv-cli": "^11.0.0",
-    "pg": "^8.20.0",
-    "reflect-metadata": "^0.2.2",
+    "pg": "^8.21.0",
     "stratal": "workspace:*",
-    "tsdown": "^0.22.0",
+    "tsdown": "^0.22.1",
     "typescript": "^6.0.3",
-    "vitest": "~4.1.5",
-    "wrangler": "^4.90.0"
+    "vitest": "~4.1.8",
+    "wrangler": "^4.97.0"
   }
 }

package/dist/access.service-Cb99esfz.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"access.service-Cb99esfz.mjs","names":[],"sources":["../src/access-control/plugin.ts","../src/access-control/services/access.service.ts"],"sourcesContent":["import type { BetterAuthPlugin } from 'better-auth'\nimport type { AccessControlOptions } from './types'\n\n/**\n * Creates the Stratal access control Better Auth plugin.\n *\n * Ensures the `user.role` schema field exists.\n * No endpoints are added — all permission logic lives in AccessService.\n *\n * Auto-added to Better Auth options when `accessControl` is provided to\n * `AuthModule.forRootAsync()`. Users never call this directly.\n */\nexport function createStratalAcPlugin(_options: AccessControlOptions): BetterAuthPlugin {\n  return {\n    id: 'stratal-ac',\n    schema: {\n      user: {\n        fields: {\n          role: {\n            type: 'string',\n            required: false,\n            input: false,\n            defaultValue: 'user',\n          },\n        },\n      },\n    },\n  }\n}\n","import type { DatabaseService } from '@stratal/framework/database'\nimport { DI_TOKENS, inject, Transient } from 'stratal/di'\nimport type { AuthContext } from '../../context/auth-context'\nimport { AC_TOKENS } from '../tokens'\nimport type { AccessControlOptions } from '../types'\n\nfunction parseRoles(role: string | null | undefined): string[] {\n  if (!role) return []\n  return role.split(',').map(r => r.trim()).filter(Boolean)\n}\n\n/**\n * AccessService\n *\n * Request-scoped service for role and permission management.\n *\n * Roles for the current user are read from AuthContext (populated by\n * SessionVerificationMiddleware — no DB hit). Other users are resolved\n * from the database.\n *\n * Permission checks use Better Auth's `role.authorize()` locally with\n * OR logic — access is granted if any of the user's roles allows it.\n *\n * @example\n * ```typescript\n * // Check current user\n * await accessService.currentUserHasPermission({ posts: ['update'] })\n *\n * // Check arbitrary user (e.g. from an admin action)\n * await accessService.hasPermission(userId, { admin: ['access'] })\n *\n * // Assign a role\n * await accessService.setUserRole(userId, 'admin')\n *\n * // Assign multiple roles\n * await accessService.setUserRole(userId, ['editor', 'reviewer'])\n * ```\n */\n@Transient(AC_TOKENS.AccessService)\nexport class AccessService {\n  constructor(\n    @inject(DI_TOKENS.AuthContext)\n    private readonly authContext: AuthContext,\n    @inject(DI_TOKENS.Database)\n    private readonly db: DatabaseService,\n    @inject(AC_TOKENS.Options)\n    private readonly options: AccessControlOptions\n  ) { }\n\n  /**\n   * Get all roles for a user.\n   *\n   * Uses AuthContext for the current user (no DB hit).\n   * Falls back to DB for other users.\n   */\n  async getUserRoles(userId: string): Promise<string[]> {\n    if (userId === this.authContext.getUserId()) {\n      const roles = this.authContext.getRoles()\n      if (roles.length > 0) return roles\n    }\n    const user = await (this.db).user.findUnique({\n      where: { id: userId },\n      select: { role: true },\n    })\n    return parseRoles(user?.role)\n  }\n\n  /**\n   * Assign one or more roles to a user.\n   *\n   * Multiple roles are stored as a comma-separated string in `user.role`.\n   */\n  async setUserRole(userId: string, role: string | string[]): Promise<void> {\n    const roleStr = Array.isArray(role) ? role.join(',') : role\n    await this.db.user.update({\n      where: { id: userId },\n      data: { role: roleStr },\n    })\n  }\n\n  /**\n   * Check if a user has the required permissions.\n   *\n   * Returns true if any of the user's roles grants all of the requested permissions.\n   */\n  async hasPermission(userId: string, permissions: Record<string, string[]>): Promise<boolean> {\n    const roles = await this.getUserRoles(userId)\n    return this.checkPermissions(roles, permissions)\n  }\n\n  /**\n   * Get the merged permission set for a user across all their roles.\n   * Useful for sending to the frontend.\n   */\n  async getPermissionsForUser(userId: string): Promise<Record<string, string[]>> {\n    const roles = await this.getUserRoles(userId)\n    return this.mergePermissions(roles)\n  }\n\n  /**\n   * Get all roles for the currently authenticated user.\n   * Reads from AuthContext — no DB hit.\n   */\n  getCurrentUserRoles(): string[] {\n    return this.authContext.getRoles()\n  }\n\n  /**\n   * Check if the currently authenticated user has the required permissions.\n   * Reads roles from AuthContext — no DB hit.\n   */\n  currentUserHasPermission(permissions: Record<string, string[]>): boolean {\n    const roles = this.authContext.getRoles()\n    if (roles.length === 0) return false\n    return this.checkPermissions(roles, permissions)\n  }\n\n  /**\n   * Get merged permissions for the currently authenticated user.\n   * Reads roles from AuthContext — no DB hit.\n   */\n  getCurrentUserPermissions(): Record<string, string[]> {\n    const roles = this.authContext.getRoles()\n    return this.mergePermissions(roles)\n  }\n\n  private checkPermissions(roles: string[], permissions: Record<string, string[]>): boolean {\n    return roles.some(roleName => {\n      const roleObj = this.options.roles[roleName]\n      if (!roleObj) return false\n\n      const specific: Record<string, string[]> = {}\n\n      for (const [resource, actions] of Object.entries(permissions)) {\n        if (actions.includes('*')) {\n          // Wildcard: role must have at least one action defined for this resource\n          const roleActions = (roleObj.statements as Record<string, readonly string[]>)[resource]\n          if (!roleActions?.length) return false\n        } else {\n          specific[resource] = actions\n        }\n      }\n\n      return Object.keys(specific).length === 0 || roleObj.authorize(specific).success\n    })\n  }\n\n  private mergePermissions(roles: string[]): Record<string, string[]> {\n    const result: Record<string, string[]> = {}\n    for (const roleName of roles) {\n      const roleObj = this.options.roles[roleName]\n      if (!roleObj) continue\n      for (const [resource, actions] of Object.entries(roleObj.statements)) {\n        result[resource] ??= []\n        for (const action of actions as string[]) {\n          if (!result[resource].includes(action)) {\n            result[resource].push(action)\n          }\n        }\n      }\n    }\n    return result\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;AAYA,SAAgB,sBAAsB,UAAkD;CACtF,OAAO;EACL,IAAI;EACJ,QAAQ,EACN,MAAM,EACJ,QAAQ,EACN,MAAM;GACJ,MAAM;GACN,UAAU;GACV,OAAO;GACP,cAAc;GACf,EACF,EACF,EACF;EACF;;;;ACrBH,SAAS,WAAW,MAA2C;CAC7D,IAAI,CAAC,MAAM,OAAO,EAAE;CACpB,OAAO,KAAK,MAAM,IAAI,CAAC,KAAI,MAAK,EAAE,MAAM,CAAC,CAAC,OAAO,QAAQ;;AA+BpD,IAAA,gBAAA,MAAM,cAAc;CAGN;CAEA;CAEA;CANnB,YACE,aAEA,IAEA,SAEA;EALiB,KAAA,cAAA;EAEA,KAAA,KAAA;EAEA,KAAA,UAAA;;;;;;;;CASnB,MAAM,aAAa,QAAmC;EACpD,IAAI,WAAW,KAAK,YAAY,WAAW,EAAE;GAC3C,MAAM,QAAQ,KAAK,YAAY,UAAU;GACzC,IAAI,MAAM,SAAS,GAAG,OAAO;;EAM/B,OAAO,YAAW,MAJE,KAAK,GAAI,KAAK,WAAW;GAC3C,OAAO,EAAE,IAAI,QAAQ;GACrB,QAAQ,EAAE,MAAM,MAAM;GACvB,CAAC,GACsB,KAAK;;;;;;;CAQ/B,MAAM,YAAY,QAAgB,MAAwC;EACxE,MAAM,UAAU,MAAM,QAAQ,KAAK,GAAG,KAAK,KAAK,IAAI,GAAG;EACvD,MAAM,KAAK,GAAG,KAAK,OAAO;GACxB,OAAO,EAAE,IAAI,QAAQ;GACrB,MAAM,EAAE,MAAM,SAAS;GACxB,CAAC;;;;;;;CAQJ,MAAM,cAAc,QAAgB,aAAyD;EAC3F,MAAM,QAAQ,MAAM,KAAK,aAAa,OAAO;EAC7C,OAAO,KAAK,iBAAiB,OAAO,YAAY;;;;;;CAOlD,MAAM,sBAAsB,QAAmD;EAC7E,MAAM,QAAQ,MAAM,KAAK,aAAa,OAAO;EAC7C,OAAO,KAAK,iBAAiB,MAAM;;;;;;CAOrC,sBAAgC;EAC9B,OAAO,KAAK,YAAY,UAAU;;;;;;CAOpC,yBAAyB,aAAgD;EACvE,MAAM,QAAQ,KAAK,YAAY,UAAU;EACzC,IAAI,MAAM,WAAW,GAAG,OAAO;EAC/B,OAAO,KAAK,iBAAiB,OAAO,YAAY;;;;;;CAOlD,4BAAsD;EACpD,MAAM,QAAQ,KAAK,YAAY,UAAU;EACzC,OAAO,KAAK,iBAAiB,MAAM;;CAGrC,iBAAyB,OAAiB,aAAgD;EACxF,OAAO,MAAM,MAAK,aAAY;GAC5B,MAAM,UAAU,KAAK,QAAQ,MAAM;GACnC,IAAI,CAAC,SAAS,OAAO;GAErB,MAAM,WAAqC,EAAE;GAE7C,KAAK,MAAM,CAAC,UAAU,YAAY,OAAO,QAAQ,YAAY,EAC3D,IAAI,QAAQ,SAAS,IAAI;QAGnB,CADiB,QAAQ,WAAiD,WAC5D,QAAQ,OAAO;UAEjC,SAAS,YAAY;GAIzB,OAAO,OAAO,KAAK,SAAS,CAAC,WAAW,KAAK,QAAQ,UAAU,SAAS,CAAC;IACzE;;CAGJ,iBAAyB,OAA2C;EAClE,MAAM,SAAmC,EAAE;EAC3C,KAAK,MAAM,YAAY,OAAO;GAC5B,MAAM,UAAU,KAAK,QAAQ,MAAM;GACnC,IAAI,CAAC,SAAS;GACd,KAAK,MAAM,CAAC,UAAU,YAAY,OAAO,QAAQ,QAAQ,WAAW,EAAE;IACpE,OAAO,cAAc,EAAE;IACvB,KAAK,MAAM,UAAU,SACnB,IAAI,CAAC,OAAO,UAAU,SAAS,OAAO,EACpC,OAAO,UAAU,KAAK,OAAO;;;EAKrC,OAAO;;;;CA3HV,UAAU,UAAU,cAAc;oBAG9B,OAAO,UAAU,YAAY,CAAA;oBAE7B,OAAO,UAAU,SAAS,CAAA;oBAE1B,OAAO,UAAU,QAAQ,CAAA"}

package/dist/auth-context-DXSTlnQH.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-context-DXSTlnQH.d.mts","names":[],"sources":["../src/context/auth-context.ts"],"mappings":";;;;;AA8BA;;;;;AAEA;;;;;AAIA;;;;;;;;;;;UANiB,QAAA,SAAiB,QAAA;AAAA,UAEjB,QAAA;EACf,IAAA,EAAM,QAAA;AAAA;AAAA,cAIK,WAAA;EAAA,UACD,IAAA,GAAO,QAAA;EAqBF;;;;EAff,cAAA,CAAe,IAAA,EAAM,QAAA;EAsDrB;;;;EA9CA,OAAA,CAAA,GAAW,QAAA;EAuEK;;;EAhEhB,WAAA,CAAA,GAAe,QAAA;;;;;EAWf,SAAA,CAAA;;;;;EAQA,aAAA,CAAA;;;;EAOA,WAAA,CAAA,GAAe,QAAA;;;;;;;EAaf,OAAA,CAAA;;;;;EAQA,QAAA,CAAA;;;;EASA,eAAA,CAAA;;;;;EAQA,gBAAA,CAAA;AAAA"}

package/dist/auth-context-HLwuOl51.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-context-HLwuOl51.mjs","names":[],"sources":["../src/context/auth-context.ts"],"sourcesContent":["import type { BaseUser } from '@better-auth/core/db'\nimport { Transient, DI_TOKENS } from 'stratal/di'\nimport {\n  ContextNotInitializedError,\n  UserNotAuthenticatedError\n} from './errors'\n\n/**\n * Authenticated user shape stored in {@link AuthContext}.\n *\n * Inherits Better Auth's base user fields. Apps whose schema stores\n * `firstName`/`lastName` instead of a `name` column should expose a `name`\n * via a ZenStack result extension (see\n * https://zenstack.dev/docs/orm/plugins/extending-orm-client#adding-fields-to-query-results)\n * so reads return a populated `name` for free.\n *\n * Augment via TypeScript module declaration to add app-specific fields. Match\n * the augmentation to whatever your Better Auth `user.additionalFields` /\n * plugins are configured to return:\n *\n * @example\n * ```ts\n * declare module '@stratal/framework/context' {\n *   interface AuthUser {\n *     role: string\n *     locale: string\n *   }\n * }\n * ```\n */\nexport interface AuthUser extends BaseUser {}\n\nexport interface AuthInfo {\n  user: AuthUser\n}\n\n@Transient(DI_TOKENS.AuthContext)\nexport class AuthContext {\n  protected user?: AuthUser\n\n  /**\n   * Set authentication context.\n   * This should be called once per request with the authenticated user.\n   */\n  setAuthContext(info: AuthInfo): void {\n    this.user = info.user\n  }\n\n  /**\n   * Get the authenticated user if available.\n   * Returns undefined if no user is authenticated.\n   */\n  getUser(): AuthUser | undefined {\n    return this.user\n  }\n\n  /**\n   * Get the authenticated user or throw if not authenticated.\n   */\n  requireUser(): AuthUser {\n    if (!this.user) {\n      throw new UserNotAuthenticatedError()\n    }\n    return this.user\n  }\n\n  /**\n   * Get user ID if available.\n   * Returns undefined if no user is authenticated.\n   */\n  getUserId(): string | undefined {\n    return this.user?.id\n  }\n\n  /**\n   * Get user ID or throw if not authenticated.\n   * Use this when authentication is required.\n   */\n  requireUserId(): string {\n    return this.requireUser().id\n  }\n\n  /**\n   * Get full authentication context or throw if not initialized.\n   */\n  getAuthInfo(): AuthInfo {\n    if (!this.user) {\n      throw new ContextNotInitializedError('Authentication')\n    }\n    return { user: this.user }\n  }\n\n  /**\n   * Get the raw role string from the authenticated user.\n   *\n   * Reads from `user.role` — apps that use roles should augment {@link AuthUser}\n   * with `role: string` (or similar) so this returns a typed value.\n   */\n  getRole(): string | undefined {\n    return (this.user as { role?: string } | undefined)?.role\n  }\n\n  /**\n   * Get the user's roles as an array.\n   * Returns an empty array if no role is set or user is not authenticated.\n   */\n  getRoles(): string[] {\n    const role = this.getRole()\n    if (!role) return []\n    return role.split(',').map(r => r.trim()).filter(Boolean)\n  }\n\n  /**\n   * Check if user is authenticated.\n   */\n  isAuthenticated(): boolean {\n    return !!this.user\n  }\n\n  /**\n   * Clear authentication context.\n   * Useful for testing or cleanup.\n   */\n  clearAuthContext(): void {\n    this.user = undefined\n  }\n}\n"],"mappings":";;;;AAqCO,IAAA,cAAA,MAAM,YAAY;CACvB;;;;;CAMA,eAAe,MAAsB;EACnC,KAAK,OAAO,KAAK;;;;;;CAOnB,UAAgC;EAC9B,OAAO,KAAK;;;;;CAMd,cAAwB;EACtB,IAAI,CAAC,KAAK,MACR,MAAM,IAAI,2BAA2B;EAEvC,OAAO,KAAK;;;;;;CAOd,YAAgC;EAC9B,OAAO,KAAK,MAAM;;;;;;CAOpB,gBAAwB;EACtB,OAAO,KAAK,aAAa,CAAC;;;;;CAM5B,cAAwB;EACtB,IAAI,CAAC,KAAK,MACR,MAAM,IAAI,2BAA2B,iBAAiB;EAExD,OAAO,EAAE,MAAM,KAAK,MAAM;;;;;;;;CAS5B,UAA8B;EAC5B,OAAQ,KAAK,MAAwC;;;;;;CAOvD,WAAqB;EACnB,MAAM,OAAO,KAAK,SAAS;EAC3B,IAAI,CAAC,MAAM,OAAO,EAAE;EACpB,OAAO,KAAK,MAAM,IAAI,CAAC,KAAI,MAAK,EAAE,MAAM,CAAC,CAAC,OAAO,QAAQ;;;;;CAM3D,kBAA2B;EACzB,OAAO,CAAC,CAAC,KAAK;;;;;;CAOhB,mBAAyB;EACvB,KAAK,OAAO,KAAA;;;0BAxFf,UAAU,UAAU,YAAY,CAAA,EAAA,YAAA"}

package/dist/decorateMetadata-D5WUsc6Y.mjs

@@ -1,6 +0,0 @@
-//#region \0@oxc-project+runtime@0.129.0/helpers/decorateMetadata.js
-function __decorateMetadata(k, v) {
-	if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-}
-//#endregion
-export { __decorateMetadata as t };

package/dist/errors-B1vVXc1T.mjs

@@ -1,25 +0,0 @@
-import { ApplicationError, ERROR_CODES } from "stratal/errors";
-//#region src/context/errors/context-not-initialized.error.ts
-var ContextNotInitializedError = class extends ApplicationError {
-	constructor(contextType = "Context") {
-		super("errors.contextNotInitialized", ERROR_CODES.AUTH.CONTEXT_NOT_INITIALIZED, { contextType });
-	}
-};
-//#endregion
-//#region src/context/errors/user-not-authenticated.error.ts
-var UserNotAuthenticatedError = class extends ApplicationError {
-	constructor() {
-		super("errors.userNotAuthenticated", ERROR_CODES.AUTH.USER_NOT_AUTHENTICATED);
-	}
-};
-//#endregion
-//#region src/context/errors/user-not-authorized.error.ts
-var UserNotAuthorizedError = class extends ApplicationError {
-	constructor() {
-		super("errors.unauthorized", ERROR_CODES.AUTHZ.FORBIDDEN);
-	}
-};
-//#endregion
-export { UserNotAuthenticatedError as n, ContextNotInitializedError as r, UserNotAuthorizedError as t };
-
-//# sourceMappingURL=errors-B1vVXc1T.mjs.map

package/dist/errors-B1vVXc1T.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"errors-B1vVXc1T.mjs","names":[],"sources":["../src/context/errors/context-not-initialized.error.ts","../src/context/errors/user-not-authenticated.error.ts","../src/context/errors/user-not-authorized.error.ts"],"sourcesContent":["import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class ContextNotInitializedError extends ApplicationError {\n  constructor(contextType = 'Context') {\n    super(\n      'errors.contextNotInitialized',\n      ERROR_CODES.AUTH.CONTEXT_NOT_INITIALIZED,\n      { contextType }\n    )\n  }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class UserNotAuthenticatedError extends ApplicationError {\n  constructor() {\n    super(\n      'errors.userNotAuthenticated',\n      ERROR_CODES.AUTH.USER_NOT_AUTHENTICATED\n    )\n  }\n}\n","import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\nexport class UserNotAuthorizedError extends ApplicationError {\n  constructor() {\n    super(\n      'errors.unauthorized',\n      ERROR_CODES.AUTHZ.FORBIDDEN\n    )\n  }\n}\n"],"mappings":";;AAEA,IAAa,6BAAb,cAAgD,iBAAiB;CAC/D,YAAY,cAAc,WAAW;EACnC,MACE,gCACA,YAAY,KAAK,yBACjB,EAAE,aAAa,CAChB;;;;;ACNL,IAAa,4BAAb,cAA+C,iBAAiB;CAC9D,cAAc;EACZ,MACE,+BACA,YAAY,KAAK,uBAClB;;;;;ACLL,IAAa,yBAAb,cAA4C,iBAAiB;CAC3D,cAAc;EACZ,MACE,uBACA,YAAY,MAAM,UACnB"}

package/dist/index-CCDPF-1Y.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index-CCDPF-1Y.d.mts","names":[],"sources":["../src/database/database.module.ts","../src/database/database.service.ts","../src/database/database.tokens.ts","../src/database/decorators/inject-db.decorator.ts","../src/database/errors/database-error.ts","../src/database/errors/database-config.error.ts","../src/database/errors/foreign-key-constraint.error.ts","../src/database/errors/invalid-error-code-range.error.ts","../src/database/errors/record-not-found.error.ts","../src/database/errors/unique-constraint.error.ts","../src/database/errors/from-zenstack-error.ts","../src/database/event-types.ts","../src/database/i18n/en.ts","../src/database/plugins/error-handler.plugin.ts","../src/database/plugins/event-emitter.plugin.ts","../src/database/plugins/schema-switcher.ts","../src/database/commands/zenstack.command.ts","../src/database/commands/db-generate.command.ts","../src/database/commands/db-pull.command.ts","../src/database/commands/db-push.command.ts","../src/database/commands/migrate-deploy.command.ts","../src/database/commands/migrate-dev.command.ts","../src/database/commands/migrate-reset.command.ts","../src/database/commands/migrate-status.command.ts"],"mappings":";;;;;;;;;;;UA0BiB,wBAAA,gBACA,SAAA,GAAY,SAAA,eACd,cAAA,GAAiB,cAAA;EAE9B,IAAA,EAAM,IAAA;EACN,MAAA,EAAQ,MAAA;EACR,OAAA,QAAe,aAAA,CAAc,SAAA;EAC7B,OAAA,GAAU,SAAA;;;AAPZ;;;EAaE,cAAA,GAAiB,qBAAA,CAAsB,MAAA;AAAA;AAAA,UAGxB,oBAAA;EACf,OAAA,EAAS,qBAAA;EACT,WAAA,EAAa,wBAAA;AAAA;AAAA,cAiBF,cAAA,YAA0B,YAAA,EAAc,UAAA;EAAA,OAC5C,OAAA,CAAQ,MAAA,EAAQ,oBAAA,GAAuB,aAAA;EAAA,OASvC,YAAA,CAAa,OAAA,EAAS,kBAAA,CAAmB,oBAAA,IAAwB,aAAA;EAaxE,YAAA,CAAa,OAAA,EAAS,aAAA;EAmBtB,UAAA,CAAW,OAAA,EAAS,aAAA;AAAA;;;;;;;;;;;;AA7EtB;;;;;;KCRY,eAAA,WACA,cAAA,GAAiB,qBAAA,IACzB,cAAA,CACF,qBAAA,CAAsB,CAAA,GACtB,aAAA,CAAc,qBAAA,CAAsB,CAAA,IACpC,yBAAA,CAA0B,CAAA,mBAC1B,yBAAA,CAA0B,CAAA,uBAE1B,yBAAA,CAA0B,CAAA;;;cC1Bf,eAAA;EAAA,SAGH,OAAA;EAAA,SAAA,QAAA;AAAA;AAAA,iBAIM,gBAAA,CAAiB,IAAA,EAAM,cAAA;;;iBCHvB,QAAA,CAAS,IAAA,EAAM,cAAA,GAAiB,kBAAA;;;;;;;;;;;cCQnC,aAAA,SAAsB,gBAAA;cAE/B,UAAA,GAAY,WAAA,EACZ,IAAA,GAAM,SAAA,EACN,QAAA,GAAW,MAAA;AAAA;;;cCbF,mBAAA,SAA4B,aAAA;cAC3B,OAAA;AAAA;;;;;;;;;;;;cCQD,yBAAA,SAAkC,aAAA;cACjC,KAAA;AAAA;;;;;;;;;;cCJD,0BAAA,SAAmC,gBAAA;cAClC,IAAA,UAAc,aAAA;AAAA;;;;;;;;;;;;;cCGf,mBAAA,SAA4B,aAAA;cAC3B,OAAA;AAAA;;;;;;;;;;;;;cCDD,qBAAA,SAA8B,aAAA;cAC7B,MAAA;AAAA;;;;;;;;;;;;;ATYd;;;;;;;;;iBUAgB,iBAAA,CAAkB,KAAA,YAAiB,aAAA;;;;;;KCavC,UAAA;;;;KAKA,iBAAA,GAAoB,iBAAA;;;;;;KAO3B,kBAAA,MAAwB,CAAA;EAAY,MAAA;AAAA,IAAoB,OAAA,OAAc,CAAA;;;;;KAM/D,SAAA,GAAY,kBAAA,CAAmB,cAAA;;;;KAS/B,iBAAA,MACL,UAAA,IAAc,SAAA,IAAa,iBAAA,QAC3B,UAAA,IAAc,SAAA,QACd,UAAA,IAAc,iBAAA,KACjB,UAAA;;;;KASC,gBAAA,WACO,SAAA,YACA,OAAA,OAAc,CAAA,+BACd,iBAAA,IAEV,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,wBAAyB,cAAA,CAAe,CAAA,EAAG,CAAA,IAC3C,CAAA,uBAAwB,aAAA,CAAc,CAAA,EAAG,CAAA,IACzC,CAAA,sBAAuB,YAAA,CAAa,CAAA,EAAG,CAAA,IACvC,CAAA,oBAAqB,UAAA,CAAW,CAAA,EAAG,CAAA,IACnC,CAAA,mBAAoB,SAAA,CAAU,CAAA,EAAG,CAAA,IACjC,CAAA,uBAAwB,aAAA,CAAc,CAAA,EAAG,CAAA,IACzC,CAAA,qBAAsB,WAAA,CAAY,CAAA,EAAG,CAAA;;;;KAMlC,YAAA,gCAA4C,iBAAA,IAC/C,CAAA,SAAU,SAAA,GACR,CAAA,SAAU,OAAA,OAAc,CAAA,sBACxB,gBAAA,CAAiB,CAAA,EAAG,CAAA,EAAG,CAAA;EAAa,IAAA;AAAA,IACpC,CAAA,GACA,gBAAA,CAAiB,CAAA,EAAG,CAAA,EAAG,CAAA;EAAa,KAAA;AAAA,IACpC,CAAA,GACA,gBAAA,CAAiB,CAAA,EAAG,CAAA,EAAG,CAAA;;;;;KAQf,OAAA,WAAkB,SAAA,YAAqB,iBAAA,IACjD,YAAA,CAAa,cAAA,EAAgB,CAAA,EAAG,CAAA,4BAA6B,YAAA,CAAa,cAAA,EAAgB,CAAA,EAAG,CAAA;;AXvE/F;;KW4EK,cAAA,gCAA8C,iBAAA,IACjD,CAAA,SAAU,SAAA,GACR,CAAA,SAAU,OAAA,OAAc,CAAA,sBACxB,CAAA,mEACA,WAAA,CAAY,CAAA,EAAG,CAAA,MACf,CAAA,4BAEA,WAAA,CAAY,CAAA,EAAG,CAAA;;;;;KAQP,SAAA,WAAoB,SAAA,YAAqB,iBAAA,IACnD,cAAA,CAAe,cAAA,EAAgB,CAAA,EAAG,CAAA,4BAA6B,cAAA,CAAe,cAAA,EAAgB,CAAA,EAAG,CAAA;;;;KASvF,UAAA,qBACV,CAAA,gCAAiC,UAAA,wBAAkC,SAAA,qBAA8B,iBAAA;EAC7F,KAAA,EAAO,KAAA;EAAO,KAAA,EAAO,KAAA;EAAO,SAAA,EAAW,EAAA;EAAI,IAAA;AAAA,IAC7C,CAAA,gCAAiC,UAAA,qBACjC,MAAA,SAAe,SAAA;EACb,KAAA,EAAO,KAAA;EAAO,KAAA,EAAO,MAAA;EAAQ,IAAA;AAAA,IAC/B,MAAA,SAAe,iBAAA;EACb,KAAA,EAAO,KAAA;EAAO,SAAA,EAAW,MAAA;EAAQ,IAAA;AAAA,YAEnC,CAAA,SAAU,UAAA;EACR,KAAA,EAAO,CAAA;EAAG,IAAA;AAAA;;UAQN,gBAAA;;UAIA,yBAAA,WACE,SAAA,YACA,iBAAA,gBACI,UAAA,UACN,gBAAA;EACR,IAAA,EAAM,KAAA,oBAAyB,OAAA,CAAQ,CAAA,EAAG,CAAA,IAAK,QAAA,CAAS,OAAA,CAAQ,CAAA,EAAG,CAAA;EACnE,MAAA,EAAQ,KAAA,mBAAwB,SAAA,CAAU,CAAA,EAAG,CAAA;AAAA;AV9J/C;AAAA,UUkKU,yBAAA,eACM,UAAA,UACN,gBAAA;EACR,SAAA,EAAW,iBAAA;EACX,IAAA,EAAM,KAAA,8BAAmC,QAAA;EACzC,MAAA,EAAQ,KAAA;AAAA;;UAIA,6BAAA,eACM,UAAA,UACN,gBAAA;EACR,KAAA,EAAO,SAAA;EACP,IAAA,EAAM,KAAA,8BAAmC,QAAA;EACzC,MAAA,EAAQ,KAAA;AAAA;;UAIA,yBAAA,eACM,UAAA,UACN,gBAAA;EACR,KAAA,EAAO,SAAA;EACP,SAAA,EAAW,iBAAA;EACX,IAAA,EAAM,KAAA,8BAAmC,QAAA;EACzC,MAAA,EAAQ,KAAA;AAAA;;;;KAUL,oBAAA,qBACH,UAAA,CAAW,CAAA;EACT,KAAA,kBAAuB,UAAA;EACvB,KAAA,kBAAuB,SAAA;EACvB,SAAA,kBAA2B,iBAAA;EAC3B,IAAA;AAAA,IAEA,yBAAA,CAA0B,CAAA,EAAG,CAAA,EAAG,CAAA,IAChC,UAAA,CAAW,CAAA;EACX,KAAA,kBAAuB,UAAA;EACvB,KAAA,mBAAwB,SAAA;EACxB,IAAA;AAAA,IAEA,yBAAA,CAA0B,CAAA,IAC1B,UAAA,CAAW,CAAA;EACX,KAAA,kBAAuB,UAAA;EACvB,SAAA,mBAA4B,iBAAA;EAC5B,IAAA;AAAA,IAEA,6BAAA,CAA8B,CAAA,IAC9B,UAAA,CAAW,CAAA;EAAa,KAAA,kBAAuB,UAAA;EAAY,IAAA;AAAA,IAC3D,yBAAA,CAA0B,CAAA,IAC1B,gBAAA;AT5OJ;;;;;AAOA;;;;;;;AAPA,KS8PY,cAAA,WACJ,iBAAA,GAAoB,oBAAA,CAAqB,CAAA;AAAA;EAAA,UAQrC,mBAAA,SAA4B,cAAA;AAAA;;;cCvQ3B,gBAAA;EAAA;;;;;;;;;YAWD,oBAAA;IACR,QAAA,SAAiB,gBAAA;EAAA;AAAA;;;;;;;;;;;;AZcrB;;caXa,kBAAA,YAA8B,aAAA,CAAc,WAAA,EAAW,MAAA,mBAAyB,MAAA;EAAA,SAClF,EAAA;EAET,OAAA;IAAiB,IAAA;IAAA;EAAA;IACf,IAAA,EAAM,MAAA;IACN,OAAA,GAAU,IAAA,EAAM,MAAA,kCAAwC,OAAA;EAAA,MACtD,OAAA;AAAA;;;UCjBW,yBAAA;EACf,aAAA,EAAe,cAAA;AAAA;;;;;;AdqBjB;;;;;;;;;;;;;;ccCa,kBAAA,YAA8B,aAAA,CAAc,WAAA,EAAW,MAAA,mBAAyB,MAAA;EAAA,QAGvE,OAAA;EAAA,SAFX,EAAA;cAEW,OAAA,EAAS,yBAAA;EAE7B,OAAA;IAAiB,KAAA;IAAA,SAAA;IAAA,IAAA;IAAA;EAAA;IACf,KAAA;IACA,SAAA;IACA,IAAA,EAAM,MAAA;IACN,OAAA,GAAU,IAAA,EAAM,MAAA,kCAAwC,OAAA;EAAA,MACtD,OAAA;AAAA;;;;;;;;;;;;;;cCrBO,cAAA;EAAA,OACJ,KAAA,GAAA,CAAS,MAAA,EAAQ,CAAA,EAAG,UAAA,WAAqB,CAAA;AAAA;;;;;;;uBCX5B,eAAA,SAAwB,OAAA;EAAA,UAC5B,QAAA,CAAS,IAAA,aAAiB,OAAA;AAAA;;;cCL/B,iBAAA,SAA0B,eAAA;EAAA,OAC9B,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,aAAA,SAAsB,eAAA;EAAA,OAC1B,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,aAAA,SAAsB,eAAA;EAAA,OAC1B,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,oBAAA,SAA6B,eAAA;EAAA,OACjC,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,iBAAA,SAA0B,eAAA;EAAA,OAC9B,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,mBAAA,SAA4B,eAAA;EAAA,OAChC,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA;;;cCJL,oBAAA,SAA6B,eAAA;EAAA,OACjC,OAAA;EAAA,OACA,WAAA;EAED,MAAA,CAAA,GAAU,OAAA;AAAA"}

package/dist/insufficient-permissions.error-CRnOHYvq.mjs

@@ -1,23 +0,0 @@
-import { ApplicationError, ERROR_CODES } from "stratal/errors";
-//#region src/access-control/errors/insufficient-permissions.error.ts
-/**
-* InsufficientPermissionsError
-*
-* Thrown when a user attempts to perform an action without the required permissions.
-* Used by AuthGuard after an authorization check fails.
-*
-* HTTP Status: 403 Forbidden
-*/
-var InsufficientPermissionsError = class extends ApplicationError {
-	constructor(requiredPermissions, userId) {
-		const summary = Array.isArray(requiredPermissions) ? requiredPermissions.join(", ") : requiredPermissions;
-		super("errors.insufficientPermissions", ERROR_CODES.AUTHZ.INSUFFICIENT_PERMISSIONS, {
-			requiredPermissions: summary,
-			userId: userId ?? "unknown"
-		});
-	}
-};
-//#endregion
-export { InsufficientPermissionsError as t };
-
-//# sourceMappingURL=insufficient-permissions.error-CRnOHYvq.mjs.map

package/dist/insufficient-permissions.error-CRnOHYvq.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"insufficient-permissions.error-CRnOHYvq.mjs","names":[],"sources":["../src/access-control/errors/insufficient-permissions.error.ts"],"sourcesContent":["import { ApplicationError, ERROR_CODES } from 'stratal/errors'\n\n/**\n * InsufficientPermissionsError\n *\n * Thrown when a user attempts to perform an action without the required permissions.\n * Used by AuthGuard after an authorization check fails.\n *\n * HTTP Status: 403 Forbidden\n */\nexport class InsufficientPermissionsError extends ApplicationError {\n  constructor(requiredPermissions: string | string[], userId?: string) {\n    const summary = Array.isArray(requiredPermissions)\n      ? requiredPermissions.join(', ')\n      : requiredPermissions\n    super('errors.insufficientPermissions', ERROR_CODES.AUTHZ.INSUFFICIENT_PERMISSIONS, {\n      requiredPermissions: summary,\n      userId: userId ?? 'unknown',\n    })\n  }\n}\n"],"mappings":";;;;;;;;;;AAUA,IAAa,+BAAb,cAAkD,iBAAiB;CACjE,YAAY,qBAAwC,QAAiB;EACnE,MAAM,UAAU,MAAM,QAAQ,oBAAoB,GAC9C,oBAAoB,KAAK,KAAK,GAC9B;EACJ,MAAM,kCAAkC,YAAY,MAAM,0BAA0B;GAClF,qBAAqB;GACrB,QAAQ,UAAU;GACnB,CAAC"}

package/dist/types-BZlcRR2M.d.mts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types-BZlcRR2M.d.mts","names":[],"sources":["../src/database/types.ts"],"mappings":";;;;;;AA+BA;;;;;AAAmC;;;;;;;;;;;;;;AAIiC;;;;;;;UAJnD,eAAA;;KAGZ,sBAAA,MACH,CAAA,SAAU,aAAA,0CAAuD,CAAA;;KAG9D,0BAAA,MACH,CAAA,SAAU,aAAA,0CAAuD,CAAA;;KAG9D,mBAAA,MACH,CAAA,SAAU,aAAA,0CAAuD,CAAA;;KAG9D,YAAA,8BACH,OAAA;EAEM,YAAA,EAAc,sBAAA,CAAuB,CAAA,IAAK,YAAA,CAAa,IAAA;EACvD,gBAAA,EAAkB,0BAAA,CAA2B,CAAA,IAAK,YAAA,CAAa,IAAA;EAC/D,SAAA,EAAW,mBAAA,CAAoB,CAAA,IAAK,YAAA,CAAa,IAAA;AAAA;EAEjD,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;;KAGpC,yBAAA,qBACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,eAAgB,CAAA,GACd,CAAA,CAAE,CAAA,sBACA,YAAA,CAAa,CAAA,CAAE,CAAA;EACb,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;EAC1C,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;EAC1C,YAAA;EAAkB,gBAAA;EAAsB,SAAA;AAAA;;KAGpC,qBAAA,qBACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,eAAgB,CAAA,GAAI,CAAA,CAAE,CAAA,UAAW,SAAA,GAAY,CAAA,CAAE,CAAA,IAAK,SAAA,GAAY,SAAA,GAChE,SAAA;;KAGM,cAAA,GACV,eAAA;EAA0B,OAAA;AAAA,IACtB,CAAA,OAAQ,CAAA,UAAW,SAAA,GAAY,CAAA,OAAQ,CAAA,IAAK,SAAA,GAC5C,SAAA;;KAGM,cAAA,GACV,eAAA;EAA0B,OAAA;AAAA,UAChB,CAAA,0BAA2B,OAAA,OAAc,CAAA;;KAIzC,qBAAA,GACV,eAAA;EAA0B,iBAAA;AAAA,IAA8C,CAAA;;;;;UAMzD,4BAAA;EACf,IAAA;EACA,MAAA;AAAA"}