@synnaxlabs/client 0.47.0 → 0.49.0

package/dist/src/workspace/schematic/symbol/payload.d.ts

@@ -80,7 +80,7 @@ export interface Spec extends z.infer<typeof specZ> {
 }
 export declare const symbolZ: z.ZodObject<{
     key: z.ZodUUID;
-    version: z.ZodDefault<z.ZodOptional<z.ZodLiteral<1>>>;
+    version: z.ZodDefault<z.ZodLiteral<1>>;
     name: z.ZodString;
     data: z.ZodObject<{
         svg: z.ZodString;
@@ -122,7 +122,7 @@ export declare const symbolZ: z.ZodObject<{
 }, z.core.$strip>;
 export declare const newZ: z.ZodObject<{
     key: z.ZodOptional<z.ZodUUID>;
-    version: z.ZodDefault<z.ZodOptional<z.ZodLiteral<1>>>;
+    version: z.ZodDefault<z.ZodLiteral<1>>;
     name: z.ZodString;
     data: z.ZodObject<{
         svg: z.ZodString;

package/dist/src/workspace/table/access.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=access.spec.d.ts.map

package/dist/src/workspace/table/access.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.spec.d.ts","sourceRoot":"","sources":["../../../../src/workspace/table/access.spec.ts"],"names":[],"mappings":""}

package/dist/src/workspace/table/client.d.ts

@@ -37,6 +37,13 @@ export declare class Client {
     retrieve(args: RetrieveMultipleParams): Promise<Table[]>;
     delete(keys: Params): Promise<void>;
 }
-export declare const ontologyID: (key: Key) => ontology.ID;
+export declare const ontologyID: ontology.CreateID<string>;
+export declare const TYPE_ONTOLOGY_ID: {
+    type: "status" | "label" | "log" | "builtin" | "cluster" | "channel" | "node" | "group" | "range" | "framer" | "range-alias" | "user" | "workspace" | "schematic" | "lineplot" | "rack" | "device" | "task" | "policy" | "role" | "table" | "arc" | "schematic_symbol";
+    key: string;
+} | {
+    type: "status" | "label" | "log" | "builtin" | "cluster" | "channel" | "node" | "group" | "range" | "framer" | "range-alias" | "user" | "workspace" | "schematic" | "lineplot" | "rack" | "device" | "task" | "policy" | "role" | "table" | "arc" | "schematic_symbol";
+    key: string;
+};
 export {};
 //# sourceMappingURL=client.d.ts.map

package/dist/src/workspace/table/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../../src/workspace/table/client.ts"],"names":[],"mappings":"AASA,OAAO,EAAgB,KAAK,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACvE,OAAO,EAAS,KAAK,MAAM,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,CAAC;AAE3C,OAAO,EAAE,KAAK,GAAG,IAAI,YAAY,EAAyB,MAAM,qBAAqB,CAAC;AACtF,OAAO,EACL,KAAK,GAAG,EAER,KAAK,GAAG,EAER,KAAK,MAAM,EAEX,KAAK,KAAK,EACX,MAAM,2BAA2B,CAAC;AAanC,QAAA,MAAM,YAAY;;iBAAmC,CAAC;AACtD,QAAA,MAAM,mBAAmB;;;;;;GAEmB,CAAC;AAE7C,eAAO,MAAM,aAAa;;;;;;;;mBAA+C,CAAC;AAC1E,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AACzD,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AACvE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AASlE,qBAAa,MAAM;IACjB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAc;gBAEzB,MAAM,EAAE,WAAW;IAIzB,MAAM,CAAC,SAAS,EAAE,YAAY,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC;IAC3D,MAAM,CAAC,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAahE,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAU7C,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAUtD,QAAQ,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,KAAK,CAAC;IACpD,QAAQ,CAAC,IAAI,EAAE,sBAAsB,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAgBxD,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAS1C;AAED,eAAO,MAAM,UAAU,GAAI,KAAK,GAAG,KAAG,QAAQ,CAAC,EAA8B,CAAC"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../../src/workspace/table/client.ts"],"names":[],"mappings":"AASA,OAAO,EAAgB,KAAK,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACvE,OAAO,EAAS,KAAK,MAAM,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEtC,OAAO,EAAE,KAAK,GAAG,IAAI,YAAY,EAAyB,MAAM,qBAAqB,CAAC;AACtF,OAAO,EACL,KAAK,GAAG,EAER,KAAK,GAAG,EAER,KAAK,MAAM,EAEX,KAAK,KAAK,EACX,MAAM,2BAA2B,CAAC;AAOnC,QAAA,MAAM,YAAY;;iBAAmC,CAAC;AACtD,QAAA,MAAM,mBAAmB;;;;;;GAEmB,CAAC;AAE7C,eAAO,MAAM,aAAa;;;;;;;;mBAA+C,CAAC;AAC1E,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AACzD,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AACvE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AASlE,qBAAa,MAAM;IACjB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAc;gBAEzB,MAAM,EAAE,WAAW;IAIzB,MAAM,CAAC,SAAS,EAAE,YAAY,EAAE,KAAK,EAAE,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC;IAC3D,MAAM,CAAC,SAAS,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAahE,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAU7C,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAUtD,QAAQ,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,KAAK,CAAC;IACpD,QAAQ,CAAC,IAAI,EAAE,sBAAsB,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC;IAgBxD,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAS1C;AAED,eAAO,MAAM,UAAU,2BAAyC,CAAC;AACjE,eAAO,MAAM,gBAAgB;;;;;;CAAiB,CAAC"}

package/eslint.config.ts

@@ -7,6 +7,8 @@
 // License, use of this software will be governed by the Apache License, Version 2.0,
 // included in the file licenses/APL.txt.
 
+import type { Linter } from "eslint";
 import synnaxConfig from "eslint-config-synnaxlabs";
 
-export default [...synnaxConfig, { ignores: ["examples"] }];
+const cfg: Linter.Config[] = [...synnaxConfig, { ignores: ["examples"] }];
+export default cfg;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@synnaxlabs/client",
-  "version": "0.47.0",
+  "version": "0.49.0",
   "description": "The Synnax Client Library",
   "keywords": [
     "synnax",
@@ -25,17 +25,17 @@
   },
   "dependencies": {
     "async-mutex": "^0.5.0",
-    "zod": "^4.1.8",
-    "@synnaxlabs/freighter": "^0.47.0",
-    "@synnaxlabs/x": "^0.47.0"
+    "zod": "^4.1.12",
+    "@synnaxlabs/freighter": "^0.49.0",
+    "@synnaxlabs/x": "^0.49.0"
   },
   "devDependencies": {
     "@vitest/coverage-v8": "^3.2.4",
-    "@types/node": "^24.4.0",
-    "eslint": "^9.37.0",
+    "@types/node": "^24.10.0",
+    "eslint": "^9.39.1",
     "madge": "^8.0.0",
-    "typescript": "^5.9.2",
-    "vite": "^7.1.5",
+    "typescript": "^5.9.3",
+    "vite": "^7.1.12",
     "vitest": "^3.2.4",
     "@synnaxlabs/tsconfig": "^0.43.0",
     "@synnaxlabs/vite-plugin": "^0.43.0",

package/src/access/client.ts

@@ -10,11 +10,14 @@
 import { type UnaryClient } from "@synnaxlabs/freighter";
 
 import { policy } from "@/access/policy";
+import { role } from "@/access/role";
 
 export class Client {
-  readonly policy: policy.Client;
+  readonly policies: policy.Client;
+  readonly roles: role.Client;
 
   constructor(client: UnaryClient) {
-    this.policy = new policy.Client(client);
+    this.policies = new policy.Client(client);
+    this.roles = new role.Client(client);
   }
 }

package/src/access/enforce.spec.ts

@@ -0,0 +1,189 @@
+// Copyright 2025 Synnax Labs, Inc.
+//
+// Use of this software is governed by the Business Source License included in the file
+// licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with the Business Source
+// License, use of this software will be governed by the Apache License, Version 2.0,
+// included in the file licenses/APL.txt.
+
+import { describe, expect, it } from "vitest";
+
+import { access } from "@/access";
+import { type Policy } from "@/access/policy/payload";
+import { type ontology } from "@/ontology";
+
+const id = (type: ontology.ResourceType, key: string): ontology.ID => ({ type, key });
+
+const policy = (
+  objects: ontology.ID[],
+  actions: access.Action[],
+  key = crypto.randomUUID(),
+): Policy => ({ key, name: "test", objects, actions, internal: false });
+
+describe("allowRequest", () => {
+  describe("single object", () => {
+    it("should allow when policy has exact match", () => {
+      const policies = [policy([id("channel", "1")], ["retrieve"])];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: id("channel", "1"),
+        },
+        policies,
+      );
+      expect(allowed).toBe(true);
+    });
+
+    it("should allow when policy has type-level match (empty key)", () => {
+      const policies = [policy([id("channel", "")], ["retrieve"])];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: id("channel", "42"),
+        },
+        policies,
+      );
+      expect(allowed).toBe(true);
+    });
+
+    it("should deny when no policy matches", () => {
+      const policies = [policy([id("channel", "1")], ["retrieve"])];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: id("channel", "2"),
+        },
+        policies,
+      );
+      expect(allowed).toBe(false);
+    });
+
+    it("should deny when action not allowed", () => {
+      const policies = [policy([id("channel", "1")], ["retrieve"])];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "delete",
+          objects: id("channel", "1"),
+        },
+        policies,
+      );
+      expect(allowed).toBe(false);
+    });
+
+    it("should deny when type does not match", () => {
+      const policies = [policy([id("channel", "1")], ["retrieve"])];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: id("device", "1"),
+        },
+        policies,
+      );
+      expect(allowed).toBe(false);
+    });
+  });
+
+  describe("multiple objects", () => {
+    it("should allow when all objects are covered", () => {
+      const policies = [policy([id("channel", "1"), id("channel", "2")], ["retrieve"])];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: [id("channel", "1"), id("channel", "2")],
+        },
+        policies,
+      );
+      expect(allowed).toBe(true);
+    });
+
+    it("should deny when some objects are not covered", () => {
+      const policies = [policy([id("channel", "1")], ["retrieve"])];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: [id("channel", "1"), id("channel", "2")],
+        },
+        policies,
+      );
+      expect(allowed).toBe(false);
+    });
+
+    it("should allow all objects with type-level policy", () => {
+      const policies = [policy([id("channel", "")], ["retrieve"])];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: [id("channel", "1"), id("channel", "2"), id("channel", "99")],
+        },
+        policies,
+      );
+      expect(allowed).toBe(true);
+    });
+  });
+
+  describe("multiple policies", () => {
+    it("should allow when different policies cover different objects", () => {
+      const policies = [
+        policy([id("channel", "1")], ["retrieve"]),
+        policy([id("channel", "2")], ["retrieve"]),
+      ];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: [id("channel", "1"), id("channel", "2")],
+        },
+        policies,
+      );
+      expect(allowed).toBe(true);
+    });
+
+    it("should allow when one policy covers object and another has different action", () => {
+      const policies = [
+        policy([id("channel", "1")], ["delete"]),
+        policy([id("channel", "1")], ["retrieve"]),
+      ];
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: id("channel", "1"),
+        },
+        policies,
+      );
+      expect(allowed).toBe(true);
+    });
+  });
+
+  describe("edge cases", () => {
+    it("should deny with empty policies", () => {
+      const allowed = access.allowRequest(
+        {
+          subject: id("user", "u1"),
+          action: "retrieve",
+          objects: id("channel", "1"),
+        },
+        [],
+      );
+      expect(allowed).toBe(false);
+    });
+
+    it("should allow with empty objects", () => {
+      const policies = [policy([id("channel", "1")], ["retrieve"])];
+      const allowed = access.allowRequest(
+        { subject: id("user", "u1"), action: "retrieve", objects: [] },
+        policies,
+      );
+      expect(allowed).toBe(true);
+    });
+  });
+});

package/src/access/enforce.ts

@@ -0,0 +1,84 @@
+// Copyright 2025 Synnax Labs, Inc.
+//
+// Use of this software is governed by the Business Source License included in the file
+// licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with the Business Source
+// License, use of this software will be governed by the Apache License, Version 2.0,
+// included in the file licenses/APL.txt.
+
+import { array } from "@synnaxlabs/x";
+
+import { type Action } from "@/access/payload";
+import { type Policy } from "@/access/policy/payload";
+import { type ontology } from "@/ontology";
+
+/**
+ * Request represents an access control request to check if a subject
+ * can perform an action on one or more objects.
+ */
+export interface Request {
+  /** The subject making the request (typically a user) */
+  subject: ontology.ID;
+  /** The action being requested */
+  action: Action;
+  /** The objects being accessed */
+  objects: ontology.ID | ontology.ID[];
+}
+
+/**
+ * Checks if a request is allowed based on the provided policies.
+ * This is the client-side equivalent of the Go allowRequest function.
+ *
+ * @param req - The access request to check
+ * @param policies - The policies to check against
+ * @returns true if the request is allowed, false otherwise
+ *
+ * @remarks
+ * This function implements the following logic:
+ * - For each requested object, check if any policy allows the action
+ * - A policy allows an action if:
+ *   1. The policy's actions include the requested action or "all"
+ *   2. The policy's objects include the requested object, either:
+ *      - Type-level match: policy object has empty key and matching type
+ *      - Instance-level match: policy object has matching type and key
+ * - ALL requested objects must be allowed for the request to succeed
+ */
+export const allowRequest = (req: Request, policies: Policy[]): boolean => {
+  const objs = array.toArray(req.objects);
+  const { action } = req;
+  for (const requestedObj of objs) {
+    let allowed = false;
+
+    for (const policy of policies) {
+      // Check if every requested action is allowed by this policy
+      const actionAllowed = policy.actions.includes(action);
+      if (!actionAllowed) continue;
+
+      // Check if any object in the policy matches the requested object
+      // Type-level match: empty key means the policy applies to all instances of this type
+      for (const policyObj of policy.objects)
+        if (policyObj.key === "") {
+          if (policyObj.type === requestedObj.type) {
+            allowed = true;
+            break;
+          }
+        } else if (
+          policyObj.type === requestedObj.type &&
+          policyObj.key === requestedObj.key
+        ) {
+          // Instance-level match: both type and key must match
+          allowed = true;
+          break;
+        }
+
+      if (allowed) break;
+    }
+
+    // If any object is not allowed, the entire request fails
+    if (!allowed) return false;
+  }
+
+  // All objects are allowed
+  return true;
+};

package/src/access/external.ts

@@ -8,4 +8,7 @@
 // included in the file licenses/APL.txt.
 
 export * from "@/access/client";
+export * from "@/access/enforce";
 export * from "@/access/payload";
+export * from "@/access/policy";
+export * from "@/access/role";

package/src/access/payload.ts

@@ -9,17 +9,5 @@
 
 import { z } from "zod";
 
-export const ALL_ACTION = "all";
-export const CREATE_ACTION = "create";
-export const DELETE_ACTION = "delete";
-export const RETRIEVE_ACTION = "retrieve";
-export const UPDATE_ACTION = "update";
-
-export const actionZ = z.enum([
-  ALL_ACTION,
-  CREATE_ACTION,
-  DELETE_ACTION,
-  RETRIEVE_ACTION,
-  UPDATE_ACTION,
-]);
+export const actionZ = z.enum(["create", "delete", "retrieve", "update"]);
 export type Action = z.infer<typeof actionZ>;

package/src/access/policy/access.spec.ts

@@ -0,0 +1,147 @@
+// Copyright 2025 Synnax Labs, Inc.
+//
+// Use of this software is governed by the Business Source License included in the file
+// licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with the Business Source
+// License, use of this software will be governed by the Apache License, Version 2.0,
+// included in the file licenses/APL.txt.
+
+import { describe, expect, it } from "vitest";
+
+import { policy } from "@/access/policy";
+import { AuthError, NotFoundError } from "@/errors";
+import { createTestClientWithPolicy } from "@/testutil/access";
+import { createTestClient } from "@/testutil/client";
+
+const client = createTestClient();
+
+describe("policy", () => {
+  describe("retrieve", () => {
+    it("should filter by internal flag when retrieving policies", async () => {
+      // Create a non-internal policy
+      const created = await client.access.policies.create({
+        name: "test-non-internal",
+        objects: [],
+        actions: ["retrieve"],
+      });
+
+      // Retrieve only internal policies (built-in system policies)
+      const internalPolicies = await client.access.policies.retrieve({
+        internal: true,
+      });
+      expect(internalPolicies.length).toBeGreaterThan(0);
+      expect(internalPolicies.every((p) => p.internal === true)).toBe(true);
+      expect(internalPolicies.find((p) => p.key === created.key)).toBeUndefined();
+
+      // Retrieve only non-internal policies
+      const nonInternalPolicies = await client.access.policies.retrieve({
+        internal: false,
+      });
+      expect(nonInternalPolicies.every((p) => p.internal !== true)).toBe(true);
+      expect(nonInternalPolicies.find((p) => p.key === created.key)).toBeDefined();
+    });
+  });
+
+  describe("access control", () => {
+    it("should deny access when no matching policy exists", async () => {
+      // Create a user with no policy for retrieving policies
+      const userClient = await createTestClientWithPolicy(client, {
+        name: "test",
+        objects: [],
+        actions: [],
+      });
+      const randomPolicy = await client.access.policies.create({
+        name: "test",
+        objects: [],
+        actions: ["retrieve"],
+      });
+      await expect(
+        userClient.access.policies.retrieve({ key: randomPolicy.key }),
+      ).rejects.toThrow(AuthError);
+    });
+
+    it("should allow the caller to retrieve policies with the correct policy", async () => {
+      const userClient = await createTestClientWithPolicy(client, {
+        name: "test",
+        objects: [policy.ontologyID("")],
+        actions: ["retrieve"],
+      });
+      const randomPolicy = await client.access.policies.create({
+        name: "test",
+        objects: [],
+        actions: ["retrieve"],
+      });
+      const retrieved = await userClient.access.policies.retrieve({
+        key: randomPolicy.key,
+      });
+      expect(retrieved.key).toBe(randomPolicy.key);
+      expect(retrieved.name).toBe(randomPolicy.name);
+      expect(retrieved.objects).toEqual(randomPolicy.objects);
+      expect(retrieved.actions).toEqual(randomPolicy.actions);
+    });
+
+    it("should allow the caller to create policies with the correct policy", async () => {
+      const userClient = await createTestClientWithPolicy(client, {
+        name: "test",
+        objects: [policy.ontologyID("")],
+        actions: ["create"],
+      });
+      await userClient.access.policies.create({
+        name: "test",
+        objects: [],
+        actions: ["retrieve"],
+      });
+    });
+
+    it("should deny access when no create policy exists", async () => {
+      // Create a user with no create policy for policies
+      const userClient = await createTestClientWithPolicy(client, {
+        name: "test",
+        objects: [policy.ontologyID("")],
+        actions: ["retrieve"],
+      });
+      await expect(
+        userClient.access.policies.create({
+          name: "test",
+          objects: [],
+          actions: ["retrieve"],
+        }),
+      ).rejects.toThrow(AuthError);
+    });
+
+    it("should allow the caller to delete policies with the correct policy", async () => {
+      const userClient = await createTestClientWithPolicy(client, {
+        name: "test",
+        objects: [policy.ontologyID("")],
+        actions: ["delete"],
+      });
+      const randomPolicy = await client.access.policies.create({
+        name: "test",
+        objects: [],
+        actions: ["retrieve"],
+      });
+      await userClient.access.policies.delete(randomPolicy.key);
+      await expect(
+        userClient.access.policies.retrieve({ key: randomPolicy.key }),
+      ).rejects.toThrow(NotFoundError);
+    });
+
+    it("should deny access when no delete policy exists", async () => {
+      // Create a user with no delete policy for policies
+      const userClient = await createTestClientWithPolicy(client, {
+        name: "test",
+        objects: [policy.ontologyID("")],
+        actions: ["retrieve"],
+      });
+      const randomPolicy = await client.access.policies.create({
+        name: "test",
+        objects: [],
+        actions: ["retrieve"],
+      });
+      await expect(userClient.access.policies.delete(randomPolicy.key)).rejects.toThrow(
+        AuthError,
+      );
+    });
+  });
+});

package/src/access/policy/client.ts

@@ -21,9 +21,15 @@ import {
 } from "@/access/policy/payload";
 import { ontology } from "@/ontology";
 
+export const SET_CHANNEL_NAME = "sy_policy_set";
+export const DELETE_CHANNEL_NAME = "sy_policy_delete";
+
 const retrieveRequestZ = z.object({
   keys: keyZ.array().optional(),
   subjects: ontology.idZ.array().optional(),
+  limit: z.number().optional(),
+  offset: z.number().optional(),
+  internal: z.boolean().optional(),
 });
 
 const keyRetrieveRequestZ = z
@@ -49,15 +55,18 @@ export type RetrieveArgs = z.input<typeof retrieveArgsZ>;
 
 const retrieveResZ = z.object({ policies: array.nullableZ(policyZ) });
 
-const createReqZ = z.object({ policies: policyZ.partial({ key: true }).array() });
+const singleCreateArgsZ = newZ.transform((p) => ({ policies: [p] }));
+export type SingleCreateArgs = z.input<typeof singleCreateArgsZ>;
+
+export const multipleCreateArgsZ = newZ.array().transform((policies) => ({ policies }));
+
+export const createArgsZ = z.union([singleCreateArgsZ, multipleCreateArgsZ]);
+export type CreateArgs = z.input<typeof createArgsZ>;
+
 const createResZ = z.object({ policies: policyZ.array() });
 const deleteReqZ = z.object({ keys: keyZ.array() });
 const deleteResZ = z.object({});
 
-const RETRIEVE_ENDPOINT = "/access/policy/retrieve";
-const CREATE_ENDPOINT = "/access/policy/create";
-const DELETE_ENDPOINT = "/access/policy/delete";
-
 export class Client {
   private readonly client: UnaryClient;
 
@@ -67,19 +76,13 @@ export class Client {
 
   async create(policy: New): Promise<Policy>;
   async create(policies: New[]): Promise<Policy[]>;
-  async create(policies: New | New[]): Promise<Policy | Policy[]> {
+  async create(policies: CreateArgs): Promise<Policy | Policy[]> {
     const isMany = Array.isArray(policies);
-    const parsedPolicies = newZ.array().parse(array.toArray(policies));
-    const req = parsedPolicies.map((policy) => ({
-      objects: array.toArray(policy.objects),
-      actions: array.toArray(policy.actions),
-      subjects: array.toArray(policy.subjects),
-    }));
-    const res = await sendRequired<typeof createReqZ, typeof createResZ>(
+    const res = await sendRequired<typeof createArgsZ, typeof createResZ>(
       this.client,
-      CREATE_ENDPOINT,
-      { policies: req },
-      createReqZ,
+      "/access/policy/create",
+      policies,
+      createArgsZ,
       createResZ,
     );
     return isMany ? res.policies : res.policies[0];
@@ -91,7 +94,7 @@ export class Client {
     const isSingle = "key" in args;
     const res = await sendRequired<typeof retrieveArgsZ, typeof retrieveResZ>(
       this.client,
-      RETRIEVE_ENDPOINT,
+      "/access/policy/retrieve",
       args,
       retrieveArgsZ,
       retrieveResZ,
@@ -104,17 +107,10 @@ export class Client {
   async delete(keys: Key | Key[]): Promise<void> {
     await sendRequired<typeof deleteReqZ, typeof deleteResZ>(
       this.client,
-      DELETE_ENDPOINT,
+      "/access/policy/delete",
       { keys: array.toArray(keys) },
       deleteReqZ,
       deleteResZ,
     );
   }
 }
-
-export const ontologyID = (key: Key): ontology.ID => ({ type: "policy", key });
-
-export const ALLOW_ALL_ONTOLOGY_ID: ontology.ID = {
-  type: "allow_all",
-  key: "",
-};