@uniforge/core 0.1.0-alpha.2

package/dist/rbac/index.js

@@ -0,0 +1,267 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/rbac/index.ts
+var rbac_exports = {};
+__export(rbac_exports, {
+  DEFAULT_ROLE_PERMISSIONS: () => DEFAULT_ROLE_PERMISSIONS,
+  createRBACMiddleware: () => createRBACMiddleware,
+  createRBACService: () => createRBACService,
+  isRoleAtLeast: () => isRoleAtLeast,
+  resolvePermissions: () => resolvePermissions
+});
+module.exports = __toCommonJS(rbac_exports);
+
+// src/rbac/permissions.ts
+var import_rbac = require("@uniforge/platform-core/rbac");
+var DEFAULT_ROLE_PERMISSIONS = {
+  owner: [],
+  admin: [
+    "products:read",
+    "products:write",
+    "orders:read",
+    "orders:write",
+    "customers:read",
+    "customers:write",
+    "analytics:read",
+    "settings:read",
+    "settings:write",
+    "settings:manage",
+    "staff:read",
+    "staff:write"
+  ],
+  staff: [
+    "products:read",
+    "products:write",
+    "orders:read",
+    "orders:write",
+    "customers:read",
+    "analytics:read",
+    "settings:read"
+  ],
+  collaborator: [
+    "products:read",
+    "orders:read",
+    "analytics:read"
+  ]
+};
+function resolvePermissions(role, customPermissions) {
+  const rolePerms = DEFAULT_ROLE_PERMISSIONS[role] ?? [];
+  if (!customPermissions || customPermissions.length === 0) {
+    return [...rolePerms];
+  }
+  const combined = /* @__PURE__ */ new Set([...rolePerms, ...customPermissions]);
+  return [...combined];
+}
+function isRoleAtLeast(role, minimumRole) {
+  const roleIndex = import_rbac.ROLE_HIERARCHY.indexOf(role);
+  const minIndex = import_rbac.ROLE_HIERARCHY.indexOf(minimumRole);
+  if (roleIndex === -1 || minIndex === -1) return false;
+  return roleIndex <= minIndex;
+}
+
+// src/rbac/service.ts
+function mapShopMember(row) {
+  return {
+    id: row.id,
+    shopDomain: row.shopDomain,
+    userId: row.userId,
+    email: row.email,
+    role: row.role,
+    customPermissions: Array.isArray(row.customPermissions) ? row.customPermissions : null,
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt
+  };
+}
+function createRBACService(prisma) {
+  return {
+    async upsertMember(input) {
+      const createData = {
+        shopDomain: input.shopDomain,
+        userId: input.userId,
+        email: input.email,
+        role: input.role
+      };
+      if (input.customPermissions !== void 0) {
+        createData.customPermissions = input.customPermissions;
+      }
+      const updateData = {
+        email: input.email,
+        role: input.role
+      };
+      if (input.customPermissions !== void 0) {
+        updateData.customPermissions = input.customPermissions;
+      }
+      const row = await prisma.shopMember.upsert({
+        where: {
+          shopDomain_userId: {
+            shopDomain: input.shopDomain,
+            userId: input.userId
+          }
+        },
+        create: createData,
+        update: updateData
+      });
+      return mapShopMember(row);
+    },
+    async getMember(shopDomain, userId) {
+      const row = await prisma.shopMember.findUnique({
+        where: { shopDomain_userId: { shopDomain, userId } }
+      });
+      return row ? mapShopMember(row) : null;
+    },
+    async listMembers(shopDomain) {
+      const rows = await prisma.shopMember.findMany({
+        where: { shopDomain }
+      });
+      return rows.map(mapShopMember);
+    },
+    async updateMember(shopDomain, userId, input) {
+      const data = {};
+      if (input.role !== void 0) {
+        data.role = input.role;
+      }
+      if (input.email !== void 0) {
+        data.email = input.email;
+      }
+      if (input.customPermissions !== void 0) {
+        data.customPermissions = input.customPermissions;
+      }
+      const row = await prisma.shopMember.update({
+        where: { shopDomain_userId: { shopDomain, userId } },
+        data
+      });
+      return mapShopMember(row);
+    },
+    async removeMember(shopDomain, userId) {
+      await prisma.shopMember.delete({
+        where: { shopDomain_userId: { shopDomain, userId } }
+      });
+    },
+    async hasPermission(shopDomain, userId, permission) {
+      const row = await prisma.shopMember.findUnique({
+        where: { shopDomain_userId: { shopDomain, userId } }
+      });
+      if (!row) return false;
+      if (row.role === "owner") return true;
+      const perms = resolvePermissions(
+        row.role,
+        Array.isArray(row.customPermissions) ? row.customPermissions : null
+      );
+      return perms.includes(permission);
+    },
+    async getEffectivePermissions(shopDomain, userId) {
+      const row = await prisma.shopMember.findUnique({
+        where: { shopDomain_userId: { shopDomain, userId } }
+      });
+      if (!row) return [];
+      if (row.role === "owner") return ["*"];
+      return resolvePermissions(
+        row.role,
+        Array.isArray(row.customPermissions) ? row.customPermissions : null
+      );
+    },
+    isRoleAtLeast
+  };
+}
+
+// src/auth/route-matcher.ts
+function normalizePath(url) {
+  const questionIdx = url.indexOf("?");
+  let path = questionIdx >= 0 ? url.slice(0, questionIdx) : url;
+  if (path.length > 1 && path.endsWith("/")) {
+    path = path.slice(0, -1);
+  }
+  return path;
+}
+function matchGlob(path, pattern) {
+  if (pattern === path) {
+    return true;
+  }
+  if (pattern.endsWith("/**")) {
+    const prefix = pattern.slice(0, -3);
+    return path.startsWith(prefix + "/");
+  }
+  if (pattern.includes("*") && !pattern.includes("**")) {
+    const regex = patternToRegex(pattern);
+    return regex.test(path);
+  }
+  return false;
+}
+function patternToRegex(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]+");
+  return new RegExp(`^${escaped}$`);
+}
+
+// src/rbac/middleware.ts
+function createRBACMiddleware(config) {
+  return {
+    async authorize(input) {
+      const { url, method, shopDomain, user } = input;
+      if (!user) {
+        return { type: "skipped", reason: "No user identity (offline session)" };
+      }
+      const normalizedPath = normalizePath(url);
+      const matchedRoute = config.routes.find(
+        (route) => matchGlob(normalizedPath, route.pattern) && (route.method === "*" || route.method.toUpperCase() === method.toUpperCase())
+      );
+      if (!matchedRoute) {
+        return { type: "skipped", reason: "No matching route permission rule" };
+      }
+      const permission = matchedRoute.permission;
+      const member = await config.getMember(shopDomain, user.userId);
+      if (!member && user.isAccountOwner && config.autoProvisionOwner !== false) {
+        if (config.onAutoProvision) {
+          await config.onAutoProvision(shopDomain, user.userId, user.email);
+        }
+        return { type: "granted", role: "owner", permission };
+      }
+      if (!member) {
+        return {
+          type: "denied",
+          role: null,
+          permission,
+          reason: "User is not a member of this shop"
+        };
+      }
+      if (member.role === "owner") {
+        return { type: "granted", role: "owner", permission };
+      }
+      const effectivePerms = resolvePermissions(member.role, member.customPermissions);
+      if (effectivePerms.includes(permission)) {
+        return { type: "granted", role: member.role, permission };
+      }
+      return {
+        type: "denied",
+        role: member.role,
+        permission,
+        reason: `Role "${member.role}" does not have permission "${permission}"`
+      };
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DEFAULT_ROLE_PERMISSIONS,
+  createRBACMiddleware,
+  createRBACService,
+  isRoleAtLeast,
+  resolvePermissions
+});
+//# sourceMappingURL=index.js.map

package/dist/rbac/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/rbac/index.ts","../../src/rbac/permissions.ts","../../src/rbac/service.ts","../../src/auth/route-matcher.ts","../../src/rbac/middleware.ts"],"sourcesContent":["/**\n * @uniforge/core/rbac\n *\n * Prisma-backed RBAC implementation: role permissions, member service,\n * and route-level permission middleware.\n */\n\nexport { DEFAULT_ROLE_PERMISSIONS, resolvePermissions, isRoleAtLeast } from './permissions.js';\nexport { createRBACService } from './service.js';\nexport { createRBACMiddleware } from './middleware.js';\n","/**\n * Default role permissions and permission resolution.\n */\n\nimport type { Role, RolePermissionMap } from '@uniforge/platform-core/rbac';\nimport { ROLE_HIERARCHY } from '@uniforge/platform-core/rbac';\n\nexport const DEFAULT_ROLE_PERMISSIONS: RolePermissionMap = {\n  owner: [],\n  admin: [\n    'products:read', 'products:write',\n    'orders:read', 'orders:write',\n    'customers:read', 'customers:write',\n    'analytics:read',\n    'settings:read', 'settings:write', 'settings:manage',\n    'staff:read', 'staff:write',\n  ],\n  staff: [\n    'products:read', 'products:write',\n    'orders:read', 'orders:write',\n    'customers:read',\n    'analytics:read',\n    'settings:read',\n  ],\n  collaborator: [\n    'products:read',\n    'orders:read',\n    'analytics:read',\n  ],\n};\n\nexport function resolvePermissions(\n  role: Role,\n  customPermissions?: string[] | null,\n): string[] {\n  const rolePerms = DEFAULT_ROLE_PERMISSIONS[role] ?? [];\n  if (!customPermissions || customPermissions.length === 0) {\n    return [...rolePerms];\n  }\n  const combined = new Set([...rolePerms, ...customPermissions]);\n  return [...combined];\n}\n\nexport function isRoleAtLeast(role: Role, minimumRole: Role): boolean {\n  const roleIndex = ROLE_HIERARCHY.indexOf(role);\n  const minIndex = ROLE_HIERARCHY.indexOf(minimumRole);\n  if (roleIndex === -1 || minIndex === -1) return false;\n  return roleIndex <= minIndex;\n}\n","/**\n * Prisma-backed RBAC service for shop member management and permission checks.\n */\n\nimport type { PrismaClient, Prisma } from '@prisma/client';\nimport type {\n  RBACService,\n  Role,\n  ShopMember,\n  UpsertShopMemberInput,\n  UpdateShopMemberInput,\n} from '@uniforge/platform-core/rbac';\nimport { resolvePermissions, isRoleAtLeast as isRoleAtLeastFn } from './permissions.js';\n\ninterface ShopMemberRow {\n  id: string;\n  shopDomain: string;\n  userId: number;\n  email: string;\n  role: string;\n  customPermissions: unknown;\n  createdAt: Date;\n  updatedAt: Date;\n}\n\nfunction mapShopMember(row: ShopMemberRow): ShopMember {\n  return {\n    id: row.id,\n    shopDomain: row.shopDomain,\n    userId: row.userId,\n    email: row.email,\n    role: row.role as Role,\n    customPermissions: Array.isArray(row.customPermissions)\n      ? (row.customPermissions as string[])\n      : null,\n    createdAt: row.createdAt,\n    updatedAt: row.updatedAt,\n  };\n}\n\nexport function createRBACService(prisma: PrismaClient): RBACService {\n  return {\n    async upsertMember(input: UpsertShopMemberInput): Promise<ShopMember> {\n      const createData: Prisma.ShopMemberUncheckedCreateInput = {\n        shopDomain: input.shopDomain,\n        userId: input.userId,\n        email: input.email,\n        role: input.role,\n      };\n      if (input.customPermissions !== undefined) {\n        createData.customPermissions = input.customPermissions;\n      }\n\n      const updateData: Record<string, unknown> = {\n        email: input.email,\n        role: input.role,\n      };\n      if (input.customPermissions !== undefined) {\n        updateData.customPermissions = input.customPermissions;\n      }\n\n      const row = await prisma.shopMember.upsert({\n        where: {\n          shopDomain_userId: {\n            shopDomain: input.shopDomain,\n            userId: input.userId,\n          },\n        },\n        create: createData,\n        update: updateData,\n      });\n      return mapShopMember(row);\n    },\n\n    async getMember(shopDomain: string, userId: number): Promise<ShopMember | null> {\n      const row = await prisma.shopMember.findUnique({\n        where: { shopDomain_userId: { shopDomain, userId } },\n      });\n      return row ? mapShopMember(row) : null;\n    },\n\n    async listMembers(shopDomain: string): Promise<ShopMember[]> {\n      const rows = await prisma.shopMember.findMany({\n        where: { shopDomain },\n      });\n      return rows.map(mapShopMember);\n    },\n\n    async updateMember(\n      shopDomain: string,\n      userId: number,\n      input: UpdateShopMemberInput,\n    ): Promise<ShopMember> {\n      const data: Record<string, unknown> = {};\n      if (input.role !== undefined) {\n        data.role = input.role;\n      }\n      if (input.email !== undefined) {\n        data.email = input.email;\n      }\n      if (input.customPermissions !== undefined) {\n        data.customPermissions = input.customPermissions;\n      }\n\n      const row = await prisma.shopMember.update({\n        where: { shopDomain_userId: { shopDomain, userId } },\n        data,\n      });\n      return mapShopMember(row);\n    },\n\n    async removeMember(shopDomain: string, userId: number): Promise<void> {\n      await prisma.shopMember.delete({\n        where: { shopDomain_userId: { shopDomain, userId } },\n      });\n    },\n\n    async hasPermission(\n      shopDomain: string,\n      userId: number,\n      permission: string,\n    ): Promise<boolean> {\n      const row = await prisma.shopMember.findUnique({\n        where: { shopDomain_userId: { shopDomain, userId } },\n      });\n      if (!row) return false;\n      if (row.role === 'owner') return true;\n      const perms = resolvePermissions(\n        row.role as Role,\n        Array.isArray(row.customPermissions) ? (row.customPermissions as string[]) : null,\n      );\n      return perms.includes(permission);\n    },\n\n    async getEffectivePermissions(\n      shopDomain: string,\n      userId: number,\n    ): Promise<string[]> {\n      const row = await prisma.shopMember.findUnique({\n        where: { shopDomain_userId: { shopDomain, userId } },\n      });\n      if (!row) return [];\n      if (row.role === 'owner') return ['*'];\n      return resolvePermissions(\n        row.role as Role,\n        Array.isArray(row.customPermissions) ? (row.customPermissions as string[]) : null,\n      );\n    },\n\n    isRoleAtLeast: isRoleAtLeastFn,\n  };\n}\n","/**\n * Route matcher utility for auth middleware.\n *\n * Determines whether a given URL path is public (no auth required)\n * or protected (auth required) based on glob pattern configuration.\n */\n\nimport type { RouteProtectionConfig } from '@uniforge/platform-core/auth';\n\n/** Auth callback paths that are always treated as public. */\nconst ALWAYS_PUBLIC_PATTERNS = ['/auth/callback', '/auth/*/callback'];\n\n/**\n * Check if a URL path is a public route that does not require authentication.\n *\n * Public routes take precedence over protected routes.\n * Auth callback paths (/auth/callback, /auth/STAR/callback) are always public.\n */\nexport function isPublicRoute(\n  url: string,\n  config: RouteProtectionConfig,\n): boolean {\n  const path = normalizePath(url);\n\n  // Auth callback routes are always public\n  if (matchesAny(path, ALWAYS_PUBLIC_PATTERNS)) {\n    return true;\n  }\n\n  const publicRoutes = config.publicRoutes ?? [];\n\n  // Check explicit public routes (takes precedence)\n  if (matchesAny(path, publicRoutes)) {\n    return true;\n  }\n\n  return false;\n}\n\n/**\n * Normalize a URL path by stripping query parameters and trailing slashes.\n */\nexport function normalizePath(url: string): string {\n  // Strip query string\n  const questionIdx = url.indexOf('?');\n  let path = questionIdx >= 0 ? url.slice(0, questionIdx) : url;\n\n  // Strip trailing slash (but keep root /)\n  if (path.length > 1 && path.endsWith('/')) {\n    path = path.slice(0, -1);\n  }\n\n  return path;\n}\n\n/**\n * Check if a path matches any of the given patterns.\n */\nfunction matchesAny(path: string, patterns: string[]): boolean {\n  return patterns.some((pattern) => matchGlob(path, pattern));\n}\n\n/**\n * Simple glob pattern matcher supporting:\n * - Exact matches: `/health` matches `/health`\n * - Single segment wildcard `*`: `/admin/*` matches `/admin/foo` but not `/admin/foo/bar`\n * - Multi-segment wildcard `**`: `/api/**` matches `/api/foo`, `/api/foo/bar`, etc.\n */\nexport function matchGlob(path: string, pattern: string): boolean {\n  // Exact match\n  if (pattern === path) {\n    return true;\n  }\n\n  // Handle ** (matches any number of path segments)\n  if (pattern.endsWith('/**')) {\n    const prefix = pattern.slice(0, -3); // Remove /**\n    return path.startsWith(prefix + '/');\n  }\n\n  // Handle * (matches exactly one path segment)\n  if (pattern.includes('*') && !pattern.includes('**')) {\n    const regex = patternToRegex(pattern);\n    return regex.test(path);\n  }\n\n  return false;\n}\n\n/**\n * Convert a glob pattern with single `*` wildcards to a regex.\n * `*` matches one path segment (no slashes).\n */\nfunction patternToRegex(pattern: string): RegExp {\n  const escaped = pattern\n    .replace(/[.+^${}()|[\\]\\\\]/g, '\\\\$&')\n    .replace(/\\*/g, '[^/]+');\n  return new RegExp(`^${escaped}$`);\n}\n","/**\n * RBAC middleware for route-level permission enforcement.\n */\n\nimport type {\n  RBACMiddleware,\n  RBACMiddlewareConfig,\n  RBACResult,\n  SessionUser,\n} from '@uniforge/platform-core/rbac';\nimport { matchGlob, normalizePath } from '../auth/route-matcher.js';\nimport { resolvePermissions } from './permissions.js';\n\nexport function createRBACMiddleware(config: RBACMiddlewareConfig): RBACMiddleware {\n  return {\n    async authorize(input: {\n      url: string;\n      method: string;\n      shopDomain: string;\n      user: SessionUser | null;\n    }): Promise<RBACResult> {\n      const { url, method, shopDomain, user } = input;\n\n      if (!user) {\n        return { type: 'skipped', reason: 'No user identity (offline session)' };\n      }\n\n      const normalizedPath = normalizePath(url);\n      const matchedRoute = config.routes.find(\n        (route) =>\n          matchGlob(normalizedPath, route.pattern) &&\n          (route.method === '*' || route.method.toUpperCase() === method.toUpperCase()),\n      );\n\n      if (!matchedRoute) {\n        return { type: 'skipped', reason: 'No matching route permission rule' };\n      }\n\n      const permission = matchedRoute.permission;\n      const member = await config.getMember(shopDomain, user.userId);\n\n      if (!member && user.isAccountOwner && config.autoProvisionOwner !== false) {\n        if (config.onAutoProvision) {\n          await config.onAutoProvision(shopDomain, user.userId, user.email);\n        }\n        return { type: 'granted', role: 'owner', permission };\n      }\n\n      if (!member) {\n        return {\n          type: 'denied',\n          role: null,\n          permission,\n          reason: 'User is not a member of this shop',\n        };\n      }\n\n      if (member.role === 'owner') {\n        return { type: 'granted', role: 'owner', permission };\n      }\n\n      const effectivePerms = resolvePermissions(member.role, member.customPermissions);\n      if (effectivePerms.includes(permission)) {\n        return { type: 'granted', role: member.role, permission };\n      }\n\n      return {\n        type: 'denied',\n        role: member.role,\n        permission,\n        reason: `Role \"${member.role}\" does not have permission \"${permission}\"`,\n      };\n    },\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACKA,kBAA+B;AAExB,IAAM,2BAA8C;AAAA,EACzD,OAAO,CAAC;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IAAiB;AAAA,IACjB;AAAA,IAAe;AAAA,IACf;AAAA,IAAkB;AAAA,IAClB;AAAA,IACA;AAAA,IAAiB;AAAA,IAAkB;AAAA,IACnC;AAAA,IAAc;AAAA,EAChB;AAAA,EACA,OAAO;AAAA,IACL;AAAA,IAAiB;AAAA,IACjB;AAAA,IAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cAAc;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,mBACd,MACA,mBACU;AACV,QAAM,YAAY,yBAAyB,IAAI,KAAK,CAAC;AACrD,MAAI,CAAC,qBAAqB,kBAAkB,WAAW,GAAG;AACxD,WAAO,CAAC,GAAG,SAAS;AAAA,EACtB;AACA,QAAM,WAAW,oBAAI,IAAI,CAAC,GAAG,WAAW,GAAG,iBAAiB,CAAC;AAC7D,SAAO,CAAC,GAAG,QAAQ;AACrB;AAEO,SAAS,cAAc,MAAY,aAA4B;AACpE,QAAM,YAAY,2BAAe,QAAQ,IAAI;AAC7C,QAAM,WAAW,2BAAe,QAAQ,WAAW;AACnD,MAAI,cAAc,MAAM,aAAa,GAAI,QAAO;AAChD,SAAO,aAAa;AACtB;;;ACvBA,SAAS,cAAc,KAAgC;AACrD,SAAO;AAAA,IACL,IAAI,IAAI;AAAA,IACR,YAAY,IAAI;AAAA,IAChB,QAAQ,IAAI;AAAA,IACZ,OAAO,IAAI;AAAA,IACX,MAAM,IAAI;AAAA,IACV,mBAAmB,MAAM,QAAQ,IAAI,iBAAiB,IACjD,IAAI,oBACL;AAAA,IACJ,WAAW,IAAI;AAAA,IACf,WAAW,IAAI;AAAA,EACjB;AACF;AAEO,SAAS,kBAAkB,QAAmC;AACnE,SAAO;AAAA,IACL,MAAM,aAAa,OAAmD;AACpE,YAAM,aAAoD;AAAA,QACxD,YAAY,MAAM;AAAA,QAClB,QAAQ,MAAM;AAAA,QACd,OAAO,MAAM;AAAA,QACb,MAAM,MAAM;AAAA,MACd;AACA,UAAI,MAAM,sBAAsB,QAAW;AACzC,mBAAW,oBAAoB,MAAM;AAAA,MACvC;AAEA,YAAM,aAAsC;AAAA,QAC1C,OAAO,MAAM;AAAA,QACb,MAAM,MAAM;AAAA,MACd;AACA,UAAI,MAAM,sBAAsB,QAAW;AACzC,mBAAW,oBAAoB,MAAM;AAAA,MACvC;AAEA,YAAM,MAAM,MAAM,OAAO,WAAW,OAAO;AAAA,QACzC,OAAO;AAAA,UACL,mBAAmB;AAAA,YACjB,YAAY,MAAM;AAAA,YAClB,QAAQ,MAAM;AAAA,UAChB;AAAA,QACF;AAAA,QACA,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AACD,aAAO,cAAc,GAAG;AAAA,IAC1B;AAAA,IAEA,MAAM,UAAU,YAAoB,QAA4C;AAC9E,YAAM,MAAM,MAAM,OAAO,WAAW,WAAW;AAAA,QAC7C,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,MACrD,CAAC;AACD,aAAO,MAAM,cAAc,GAAG,IAAI;AAAA,IACpC;AAAA,IAEA,MAAM,YAAY,YAA2C;AAC3D,YAAM,OAAO,MAAM,OAAO,WAAW,SAAS;AAAA,QAC5C,OAAO,EAAE,WAAW;AAAA,MACtB,CAAC;AACD,aAAO,KAAK,IAAI,aAAa;AAAA,IAC/B;AAAA,IAEA,MAAM,aACJ,YACA,QACA,OACqB;AACrB,YAAM,OAAgC,CAAC;AACvC,UAAI,MAAM,SAAS,QAAW;AAC5B,aAAK,OAAO,MAAM;AAAA,MACpB;AACA,UAAI,MAAM,UAAU,QAAW;AAC7B,aAAK,QAAQ,MAAM;AAAA,MACrB;AACA,UAAI,MAAM,sBAAsB,QAAW;AACzC,aAAK,oBAAoB,MAAM;AAAA,MACjC;AAEA,YAAM,MAAM,MAAM,OAAO,WAAW,OAAO;AAAA,QACzC,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,QACnD;AAAA,MACF,CAAC;AACD,aAAO,cAAc,GAAG;AAAA,IAC1B;AAAA,IAEA,MAAM,aAAa,YAAoB,QAA+B;AACpE,YAAM,OAAO,WAAW,OAAO;AAAA,QAC7B,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,MACrD,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,cACJ,YACA,QACA,YACkB;AAClB,YAAM,MAAM,MAAM,OAAO,WAAW,WAAW;AAAA,QAC7C,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,MACrD,CAAC;AACD,UAAI,CAAC,IAAK,QAAO;AACjB,UAAI,IAAI,SAAS,QAAS,QAAO;AACjC,YAAM,QAAQ;AAAA,QACZ,IAAI;AAAA,QACJ,MAAM,QAAQ,IAAI,iBAAiB,IAAK,IAAI,oBAAiC;AAAA,MAC/E;AACA,aAAO,MAAM,SAAS,UAAU;AAAA,IAClC;AAAA,IAEA,MAAM,wBACJ,YACA,QACmB;AACnB,YAAM,MAAM,MAAM,OAAO,WAAW,WAAW;AAAA,QAC7C,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,MACrD,CAAC;AACD,UAAI,CAAC,IAAK,QAAO,CAAC;AAClB,UAAI,IAAI,SAAS,QAAS,QAAO,CAAC,GAAG;AACrC,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,MAAM,QAAQ,IAAI,iBAAiB,IAAK,IAAI,oBAAiC;AAAA,MAC/E;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AACF;;;AC7GO,SAAS,cAAc,KAAqB;AAEjD,QAAM,cAAc,IAAI,QAAQ,GAAG;AACnC,MAAI,OAAO,eAAe,IAAI,IAAI,MAAM,GAAG,WAAW,IAAI;AAG1D,MAAI,KAAK,SAAS,KAAK,KAAK,SAAS,GAAG,GAAG;AACzC,WAAO,KAAK,MAAM,GAAG,EAAE;AAAA,EACzB;AAEA,SAAO;AACT;AAeO,SAAS,UAAU,MAAc,SAA0B;AAEhE,MAAI,YAAY,MAAM;AACpB,WAAO;AAAA,EACT;AAGA,MAAI,QAAQ,SAAS,KAAK,GAAG;AAC3B,UAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,WAAO,KAAK,WAAW,SAAS,GAAG;AAAA,EACrC;AAGA,MAAI,QAAQ,SAAS,GAAG,KAAK,CAAC,QAAQ,SAAS,IAAI,GAAG;AACpD,UAAM,QAAQ,eAAe,OAAO;AACpC,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB;AAEA,SAAO;AACT;AAMA,SAAS,eAAe,SAAyB;AAC/C,QAAM,UAAU,QACb,QAAQ,qBAAqB,MAAM,EACnC,QAAQ,OAAO,OAAO;AACzB,SAAO,IAAI,OAAO,IAAI,OAAO,GAAG;AAClC;;;ACrFO,SAAS,qBAAqB,QAA8C;AACjF,SAAO;AAAA,IACL,MAAM,UAAU,OAKQ;AACtB,YAAM,EAAE,KAAK,QAAQ,YAAY,KAAK,IAAI;AAE1C,UAAI,CAAC,MAAM;AACT,eAAO,EAAE,MAAM,WAAW,QAAQ,qCAAqC;AAAA,MACzE;AAEA,YAAM,iBAAiB,cAAc,GAAG;AACxC,YAAM,eAAe,OAAO,OAAO;AAAA,QACjC,CAAC,UACC,UAAU,gBAAgB,MAAM,OAAO,MACtC,MAAM,WAAW,OAAO,MAAM,OAAO,YAAY,MAAM,OAAO,YAAY;AAAA,MAC/E;AAEA,UAAI,CAAC,cAAc;AACjB,eAAO,EAAE,MAAM,WAAW,QAAQ,oCAAoC;AAAA,MACxE;AAEA,YAAM,aAAa,aAAa;AAChC,YAAM,SAAS,MAAM,OAAO,UAAU,YAAY,KAAK,MAAM;AAE7D,UAAI,CAAC,UAAU,KAAK,kBAAkB,OAAO,uBAAuB,OAAO;AACzE,YAAI,OAAO,iBAAiB;AAC1B,gBAAM,OAAO,gBAAgB,YAAY,KAAK,QAAQ,KAAK,KAAK;AAAA,QAClE;AACA,eAAO,EAAE,MAAM,WAAW,MAAM,SAAS,WAAW;AAAA,MACtD;AAEA,UAAI,CAAC,QAAQ;AACX,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN;AAAA,UACA,QAAQ;AAAA,QACV;AAAA,MACF;AAEA,UAAI,OAAO,SAAS,SAAS;AAC3B,eAAO,EAAE,MAAM,WAAW,MAAM,SAAS,WAAW;AAAA,MACtD;AAEA,YAAM,iBAAiB,mBAAmB,OAAO,MAAM,OAAO,iBAAiB;AAC/E,UAAI,eAAe,SAAS,UAAU,GAAG;AACvC,eAAO,EAAE,MAAM,WAAW,MAAM,OAAO,MAAM,WAAW;AAAA,MAC1D;AAEA,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM,OAAO;AAAA,QACb;AAAA,QACA,QAAQ,SAAS,OAAO,IAAI,+BAA+B,UAAU;AAAA,MACvE;AAAA,IACF;AAAA,EACF;AACF;","names":[]}

package/dist/rbac/index.mjs

@@ -0,0 +1,236 @@
+// src/rbac/permissions.ts
+import { ROLE_HIERARCHY } from "@uniforge/platform-core/rbac";
+var DEFAULT_ROLE_PERMISSIONS = {
+  owner: [],
+  admin: [
+    "products:read",
+    "products:write",
+    "orders:read",
+    "orders:write",
+    "customers:read",
+    "customers:write",
+    "analytics:read",
+    "settings:read",
+    "settings:write",
+    "settings:manage",
+    "staff:read",
+    "staff:write"
+  ],
+  staff: [
+    "products:read",
+    "products:write",
+    "orders:read",
+    "orders:write",
+    "customers:read",
+    "analytics:read",
+    "settings:read"
+  ],
+  collaborator: [
+    "products:read",
+    "orders:read",
+    "analytics:read"
+  ]
+};
+function resolvePermissions(role, customPermissions) {
+  const rolePerms = DEFAULT_ROLE_PERMISSIONS[role] ?? [];
+  if (!customPermissions || customPermissions.length === 0) {
+    return [...rolePerms];
+  }
+  const combined = /* @__PURE__ */ new Set([...rolePerms, ...customPermissions]);
+  return [...combined];
+}
+function isRoleAtLeast(role, minimumRole) {
+  const roleIndex = ROLE_HIERARCHY.indexOf(role);
+  const minIndex = ROLE_HIERARCHY.indexOf(minimumRole);
+  if (roleIndex === -1 || minIndex === -1) return false;
+  return roleIndex <= minIndex;
+}
+
+// src/rbac/service.ts
+function mapShopMember(row) {
+  return {
+    id: row.id,
+    shopDomain: row.shopDomain,
+    userId: row.userId,
+    email: row.email,
+    role: row.role,
+    customPermissions: Array.isArray(row.customPermissions) ? row.customPermissions : null,
+    createdAt: row.createdAt,
+    updatedAt: row.updatedAt
+  };
+}
+function createRBACService(prisma) {
+  return {
+    async upsertMember(input) {
+      const createData = {
+        shopDomain: input.shopDomain,
+        userId: input.userId,
+        email: input.email,
+        role: input.role
+      };
+      if (input.customPermissions !== void 0) {
+        createData.customPermissions = input.customPermissions;
+      }
+      const updateData = {
+        email: input.email,
+        role: input.role
+      };
+      if (input.customPermissions !== void 0) {
+        updateData.customPermissions = input.customPermissions;
+      }
+      const row = await prisma.shopMember.upsert({
+        where: {
+          shopDomain_userId: {
+            shopDomain: input.shopDomain,
+            userId: input.userId
+          }
+        },
+        create: createData,
+        update: updateData
+      });
+      return mapShopMember(row);
+    },
+    async getMember(shopDomain, userId) {
+      const row = await prisma.shopMember.findUnique({
+        where: { shopDomain_userId: { shopDomain, userId } }
+      });
+      return row ? mapShopMember(row) : null;
+    },
+    async listMembers(shopDomain) {
+      const rows = await prisma.shopMember.findMany({
+        where: { shopDomain }
+      });
+      return rows.map(mapShopMember);
+    },
+    async updateMember(shopDomain, userId, input) {
+      const data = {};
+      if (input.role !== void 0) {
+        data.role = input.role;
+      }
+      if (input.email !== void 0) {
+        data.email = input.email;
+      }
+      if (input.customPermissions !== void 0) {
+        data.customPermissions = input.customPermissions;
+      }
+      const row = await prisma.shopMember.update({
+        where: { shopDomain_userId: { shopDomain, userId } },
+        data
+      });
+      return mapShopMember(row);
+    },
+    async removeMember(shopDomain, userId) {
+      await prisma.shopMember.delete({
+        where: { shopDomain_userId: { shopDomain, userId } }
+      });
+    },
+    async hasPermission(shopDomain, userId, permission) {
+      const row = await prisma.shopMember.findUnique({
+        where: { shopDomain_userId: { shopDomain, userId } }
+      });
+      if (!row) return false;
+      if (row.role === "owner") return true;
+      const perms = resolvePermissions(
+        row.role,
+        Array.isArray(row.customPermissions) ? row.customPermissions : null
+      );
+      return perms.includes(permission);
+    },
+    async getEffectivePermissions(shopDomain, userId) {
+      const row = await prisma.shopMember.findUnique({
+        where: { shopDomain_userId: { shopDomain, userId } }
+      });
+      if (!row) return [];
+      if (row.role === "owner") return ["*"];
+      return resolvePermissions(
+        row.role,
+        Array.isArray(row.customPermissions) ? row.customPermissions : null
+      );
+    },
+    isRoleAtLeast
+  };
+}
+
+// src/auth/route-matcher.ts
+function normalizePath(url) {
+  const questionIdx = url.indexOf("?");
+  let path = questionIdx >= 0 ? url.slice(0, questionIdx) : url;
+  if (path.length > 1 && path.endsWith("/")) {
+    path = path.slice(0, -1);
+  }
+  return path;
+}
+function matchGlob(path, pattern) {
+  if (pattern === path) {
+    return true;
+  }
+  if (pattern.endsWith("/**")) {
+    const prefix = pattern.slice(0, -3);
+    return path.startsWith(prefix + "/");
+  }
+  if (pattern.includes("*") && !pattern.includes("**")) {
+    const regex = patternToRegex(pattern);
+    return regex.test(path);
+  }
+  return false;
+}
+function patternToRegex(pattern) {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]+");
+  return new RegExp(`^${escaped}$`);
+}
+
+// src/rbac/middleware.ts
+function createRBACMiddleware(config) {
+  return {
+    async authorize(input) {
+      const { url, method, shopDomain, user } = input;
+      if (!user) {
+        return { type: "skipped", reason: "No user identity (offline session)" };
+      }
+      const normalizedPath = normalizePath(url);
+      const matchedRoute = config.routes.find(
+        (route) => matchGlob(normalizedPath, route.pattern) && (route.method === "*" || route.method.toUpperCase() === method.toUpperCase())
+      );
+      if (!matchedRoute) {
+        return { type: "skipped", reason: "No matching route permission rule" };
+      }
+      const permission = matchedRoute.permission;
+      const member = await config.getMember(shopDomain, user.userId);
+      if (!member && user.isAccountOwner && config.autoProvisionOwner !== false) {
+        if (config.onAutoProvision) {
+          await config.onAutoProvision(shopDomain, user.userId, user.email);
+        }
+        return { type: "granted", role: "owner", permission };
+      }
+      if (!member) {
+        return {
+          type: "denied",
+          role: null,
+          permission,
+          reason: "User is not a member of this shop"
+        };
+      }
+      if (member.role === "owner") {
+        return { type: "granted", role: "owner", permission };
+      }
+      const effectivePerms = resolvePermissions(member.role, member.customPermissions);
+      if (effectivePerms.includes(permission)) {
+        return { type: "granted", role: member.role, permission };
+      }
+      return {
+        type: "denied",
+        role: member.role,
+        permission,
+        reason: `Role "${member.role}" does not have permission "${permission}"`
+      };
+    }
+  };
+}
+export {
+  DEFAULT_ROLE_PERMISSIONS,
+  createRBACMiddleware,
+  createRBACService,
+  isRoleAtLeast,
+  resolvePermissions
+};
+//# sourceMappingURL=index.mjs.map

package/dist/rbac/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/rbac/permissions.ts","../../src/rbac/service.ts","../../src/auth/route-matcher.ts","../../src/rbac/middleware.ts"],"sourcesContent":["/**\n * Default role permissions and permission resolution.\n */\n\nimport type { Role, RolePermissionMap } from '@uniforge/platform-core/rbac';\nimport { ROLE_HIERARCHY } from '@uniforge/platform-core/rbac';\n\nexport const DEFAULT_ROLE_PERMISSIONS: RolePermissionMap = {\n  owner: [],\n  admin: [\n    'products:read', 'products:write',\n    'orders:read', 'orders:write',\n    'customers:read', 'customers:write',\n    'analytics:read',\n    'settings:read', 'settings:write', 'settings:manage',\n    'staff:read', 'staff:write',\n  ],\n  staff: [\n    'products:read', 'products:write',\n    'orders:read', 'orders:write',\n    'customers:read',\n    'analytics:read',\n    'settings:read',\n  ],\n  collaborator: [\n    'products:read',\n    'orders:read',\n    'analytics:read',\n  ],\n};\n\nexport function resolvePermissions(\n  role: Role,\n  customPermissions?: string[] | null,\n): string[] {\n  const rolePerms = DEFAULT_ROLE_PERMISSIONS[role] ?? [];\n  if (!customPermissions || customPermissions.length === 0) {\n    return [...rolePerms];\n  }\n  const combined = new Set([...rolePerms, ...customPermissions]);\n  return [...combined];\n}\n\nexport function isRoleAtLeast(role: Role, minimumRole: Role): boolean {\n  const roleIndex = ROLE_HIERARCHY.indexOf(role);\n  const minIndex = ROLE_HIERARCHY.indexOf(minimumRole);\n  if (roleIndex === -1 || minIndex === -1) return false;\n  return roleIndex <= minIndex;\n}\n","/**\n * Prisma-backed RBAC service for shop member management and permission checks.\n */\n\nimport type { PrismaClient, Prisma } from '@prisma/client';\nimport type {\n  RBACService,\n  Role,\n  ShopMember,\n  UpsertShopMemberInput,\n  UpdateShopMemberInput,\n} from '@uniforge/platform-core/rbac';\nimport { resolvePermissions, isRoleAtLeast as isRoleAtLeastFn } from './permissions.js';\n\ninterface ShopMemberRow {\n  id: string;\n  shopDomain: string;\n  userId: number;\n  email: string;\n  role: string;\n  customPermissions: unknown;\n  createdAt: Date;\n  updatedAt: Date;\n}\n\nfunction mapShopMember(row: ShopMemberRow): ShopMember {\n  return {\n    id: row.id,\n    shopDomain: row.shopDomain,\n    userId: row.userId,\n    email: row.email,\n    role: row.role as Role,\n    customPermissions: Array.isArray(row.customPermissions)\n      ? (row.customPermissions as string[])\n      : null,\n    createdAt: row.createdAt,\n    updatedAt: row.updatedAt,\n  };\n}\n\nexport function createRBACService(prisma: PrismaClient): RBACService {\n  return {\n    async upsertMember(input: UpsertShopMemberInput): Promise<ShopMember> {\n      const createData: Prisma.ShopMemberUncheckedCreateInput = {\n        shopDomain: input.shopDomain,\n        userId: input.userId,\n        email: input.email,\n        role: input.role,\n      };\n      if (input.customPermissions !== undefined) {\n        createData.customPermissions = input.customPermissions;\n      }\n\n      const updateData: Record<string, unknown> = {\n        email: input.email,\n        role: input.role,\n      };\n      if (input.customPermissions !== undefined) {\n        updateData.customPermissions = input.customPermissions;\n      }\n\n      const row = await prisma.shopMember.upsert({\n        where: {\n          shopDomain_userId: {\n            shopDomain: input.shopDomain,\n            userId: input.userId,\n          },\n        },\n        create: createData,\n        update: updateData,\n      });\n      return mapShopMember(row);\n    },\n\n    async getMember(shopDomain: string, userId: number): Promise<ShopMember | null> {\n      const row = await prisma.shopMember.findUnique({\n        where: { shopDomain_userId: { shopDomain, userId } },\n      });\n      return row ? mapShopMember(row) : null;\n    },\n\n    async listMembers(shopDomain: string): Promise<ShopMember[]> {\n      const rows = await prisma.shopMember.findMany({\n        where: { shopDomain },\n      });\n      return rows.map(mapShopMember);\n    },\n\n    async updateMember(\n      shopDomain: string,\n      userId: number,\n      input: UpdateShopMemberInput,\n    ): Promise<ShopMember> {\n      const data: Record<string, unknown> = {};\n      if (input.role !== undefined) {\n        data.role = input.role;\n      }\n      if (input.email !== undefined) {\n        data.email = input.email;\n      }\n      if (input.customPermissions !== undefined) {\n        data.customPermissions = input.customPermissions;\n      }\n\n      const row = await prisma.shopMember.update({\n        where: { shopDomain_userId: { shopDomain, userId } },\n        data,\n      });\n      return mapShopMember(row);\n    },\n\n    async removeMember(shopDomain: string, userId: number): Promise<void> {\n      await prisma.shopMember.delete({\n        where: { shopDomain_userId: { shopDomain, userId } },\n      });\n    },\n\n    async hasPermission(\n      shopDomain: string,\n      userId: number,\n      permission: string,\n    ): Promise<boolean> {\n      const row = await prisma.shopMember.findUnique({\n        where: { shopDomain_userId: { shopDomain, userId } },\n      });\n      if (!row) return false;\n      if (row.role === 'owner') return true;\n      const perms = resolvePermissions(\n        row.role as Role,\n        Array.isArray(row.customPermissions) ? (row.customPermissions as string[]) : null,\n      );\n      return perms.includes(permission);\n    },\n\n    async getEffectivePermissions(\n      shopDomain: string,\n      userId: number,\n    ): Promise<string[]> {\n      const row = await prisma.shopMember.findUnique({\n        where: { shopDomain_userId: { shopDomain, userId } },\n      });\n      if (!row) return [];\n      if (row.role === 'owner') return ['*'];\n      return resolvePermissions(\n        row.role as Role,\n        Array.isArray(row.customPermissions) ? (row.customPermissions as string[]) : null,\n      );\n    },\n\n    isRoleAtLeast: isRoleAtLeastFn,\n  };\n}\n","/**\n * Route matcher utility for auth middleware.\n *\n * Determines whether a given URL path is public (no auth required)\n * or protected (auth required) based on glob pattern configuration.\n */\n\nimport type { RouteProtectionConfig } from '@uniforge/platform-core/auth';\n\n/** Auth callback paths that are always treated as public. */\nconst ALWAYS_PUBLIC_PATTERNS = ['/auth/callback', '/auth/*/callback'];\n\n/**\n * Check if a URL path is a public route that does not require authentication.\n *\n * Public routes take precedence over protected routes.\n * Auth callback paths (/auth/callback, /auth/STAR/callback) are always public.\n */\nexport function isPublicRoute(\n  url: string,\n  config: RouteProtectionConfig,\n): boolean {\n  const path = normalizePath(url);\n\n  // Auth callback routes are always public\n  if (matchesAny(path, ALWAYS_PUBLIC_PATTERNS)) {\n    return true;\n  }\n\n  const publicRoutes = config.publicRoutes ?? [];\n\n  // Check explicit public routes (takes precedence)\n  if (matchesAny(path, publicRoutes)) {\n    return true;\n  }\n\n  return false;\n}\n\n/**\n * Normalize a URL path by stripping query parameters and trailing slashes.\n */\nexport function normalizePath(url: string): string {\n  // Strip query string\n  const questionIdx = url.indexOf('?');\n  let path = questionIdx >= 0 ? url.slice(0, questionIdx) : url;\n\n  // Strip trailing slash (but keep root /)\n  if (path.length > 1 && path.endsWith('/')) {\n    path = path.slice(0, -1);\n  }\n\n  return path;\n}\n\n/**\n * Check if a path matches any of the given patterns.\n */\nfunction matchesAny(path: string, patterns: string[]): boolean {\n  return patterns.some((pattern) => matchGlob(path, pattern));\n}\n\n/**\n * Simple glob pattern matcher supporting:\n * - Exact matches: `/health` matches `/health`\n * - Single segment wildcard `*`: `/admin/*` matches `/admin/foo` but not `/admin/foo/bar`\n * - Multi-segment wildcard `**`: `/api/**` matches `/api/foo`, `/api/foo/bar`, etc.\n */\nexport function matchGlob(path: string, pattern: string): boolean {\n  // Exact match\n  if (pattern === path) {\n    return true;\n  }\n\n  // Handle ** (matches any number of path segments)\n  if (pattern.endsWith('/**')) {\n    const prefix = pattern.slice(0, -3); // Remove /**\n    return path.startsWith(prefix + '/');\n  }\n\n  // Handle * (matches exactly one path segment)\n  if (pattern.includes('*') && !pattern.includes('**')) {\n    const regex = patternToRegex(pattern);\n    return regex.test(path);\n  }\n\n  return false;\n}\n\n/**\n * Convert a glob pattern with single `*` wildcards to a regex.\n * `*` matches one path segment (no slashes).\n */\nfunction patternToRegex(pattern: string): RegExp {\n  const escaped = pattern\n    .replace(/[.+^${}()|[\\]\\\\]/g, '\\\\$&')\n    .replace(/\\*/g, '[^/]+');\n  return new RegExp(`^${escaped}$`);\n}\n","/**\n * RBAC middleware for route-level permission enforcement.\n */\n\nimport type {\n  RBACMiddleware,\n  RBACMiddlewareConfig,\n  RBACResult,\n  SessionUser,\n} from '@uniforge/platform-core/rbac';\nimport { matchGlob, normalizePath } from '../auth/route-matcher.js';\nimport { resolvePermissions } from './permissions.js';\n\nexport function createRBACMiddleware(config: RBACMiddlewareConfig): RBACMiddleware {\n  return {\n    async authorize(input: {\n      url: string;\n      method: string;\n      shopDomain: string;\n      user: SessionUser | null;\n    }): Promise<RBACResult> {\n      const { url, method, shopDomain, user } = input;\n\n      if (!user) {\n        return { type: 'skipped', reason: 'No user identity (offline session)' };\n      }\n\n      const normalizedPath = normalizePath(url);\n      const matchedRoute = config.routes.find(\n        (route) =>\n          matchGlob(normalizedPath, route.pattern) &&\n          (route.method === '*' || route.method.toUpperCase() === method.toUpperCase()),\n      );\n\n      if (!matchedRoute) {\n        return { type: 'skipped', reason: 'No matching route permission rule' };\n      }\n\n      const permission = matchedRoute.permission;\n      const member = await config.getMember(shopDomain, user.userId);\n\n      if (!member && user.isAccountOwner && config.autoProvisionOwner !== false) {\n        if (config.onAutoProvision) {\n          await config.onAutoProvision(shopDomain, user.userId, user.email);\n        }\n        return { type: 'granted', role: 'owner', permission };\n      }\n\n      if (!member) {\n        return {\n          type: 'denied',\n          role: null,\n          permission,\n          reason: 'User is not a member of this shop',\n        };\n      }\n\n      if (member.role === 'owner') {\n        return { type: 'granted', role: 'owner', permission };\n      }\n\n      const effectivePerms = resolvePermissions(member.role, member.customPermissions);\n      if (effectivePerms.includes(permission)) {\n        return { type: 'granted', role: member.role, permission };\n      }\n\n      return {\n        type: 'denied',\n        role: member.role,\n        permission,\n        reason: `Role \"${member.role}\" does not have permission \"${permission}\"`,\n      };\n    },\n  };\n}\n"],"mappings":";AAKA,SAAS,sBAAsB;AAExB,IAAM,2BAA8C;AAAA,EACzD,OAAO,CAAC;AAAA,EACR,OAAO;AAAA,IACL;AAAA,IAAiB;AAAA,IACjB;AAAA,IAAe;AAAA,IACf;AAAA,IAAkB;AAAA,IAClB;AAAA,IACA;AAAA,IAAiB;AAAA,IAAkB;AAAA,IACnC;AAAA,IAAc;AAAA,EAChB;AAAA,EACA,OAAO;AAAA,IACL;AAAA,IAAiB;AAAA,IACjB;AAAA,IAAe;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,cAAc;AAAA,IACZ;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,mBACd,MACA,mBACU;AACV,QAAM,YAAY,yBAAyB,IAAI,KAAK,CAAC;AACrD,MAAI,CAAC,qBAAqB,kBAAkB,WAAW,GAAG;AACxD,WAAO,CAAC,GAAG,SAAS;AAAA,EACtB;AACA,QAAM,WAAW,oBAAI,IAAI,CAAC,GAAG,WAAW,GAAG,iBAAiB,CAAC;AAC7D,SAAO,CAAC,GAAG,QAAQ;AACrB;AAEO,SAAS,cAAc,MAAY,aAA4B;AACpE,QAAM,YAAY,eAAe,QAAQ,IAAI;AAC7C,QAAM,WAAW,eAAe,QAAQ,WAAW;AACnD,MAAI,cAAc,MAAM,aAAa,GAAI,QAAO;AAChD,SAAO,aAAa;AACtB;;;ACvBA,SAAS,cAAc,KAAgC;AACrD,SAAO;AAAA,IACL,IAAI,IAAI;AAAA,IACR,YAAY,IAAI;AAAA,IAChB,QAAQ,IAAI;AAAA,IACZ,OAAO,IAAI;AAAA,IACX,MAAM,IAAI;AAAA,IACV,mBAAmB,MAAM,QAAQ,IAAI,iBAAiB,IACjD,IAAI,oBACL;AAAA,IACJ,WAAW,IAAI;AAAA,IACf,WAAW,IAAI;AAAA,EACjB;AACF;AAEO,SAAS,kBAAkB,QAAmC;AACnE,SAAO;AAAA,IACL,MAAM,aAAa,OAAmD;AACpE,YAAM,aAAoD;AAAA,QACxD,YAAY,MAAM;AAAA,QAClB,QAAQ,MAAM;AAAA,QACd,OAAO,MAAM;AAAA,QACb,MAAM,MAAM;AAAA,MACd;AACA,UAAI,MAAM,sBAAsB,QAAW;AACzC,mBAAW,oBAAoB,MAAM;AAAA,MACvC;AAEA,YAAM,aAAsC;AAAA,QAC1C,OAAO,MAAM;AAAA,QACb,MAAM,MAAM;AAAA,MACd;AACA,UAAI,MAAM,sBAAsB,QAAW;AACzC,mBAAW,oBAAoB,MAAM;AAAA,MACvC;AAEA,YAAM,MAAM,MAAM,OAAO,WAAW,OAAO;AAAA,QACzC,OAAO;AAAA,UACL,mBAAmB;AAAA,YACjB,YAAY,MAAM;AAAA,YAClB,QAAQ,MAAM;AAAA,UAChB;AAAA,QACF;AAAA,QACA,QAAQ;AAAA,QACR,QAAQ;AAAA,MACV,CAAC;AACD,aAAO,cAAc,GAAG;AAAA,IAC1B;AAAA,IAEA,MAAM,UAAU,YAAoB,QAA4C;AAC9E,YAAM,MAAM,MAAM,OAAO,WAAW,WAAW;AAAA,QAC7C,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,MACrD,CAAC;AACD,aAAO,MAAM,cAAc,GAAG,IAAI;AAAA,IACpC;AAAA,IAEA,MAAM,YAAY,YAA2C;AAC3D,YAAM,OAAO,MAAM,OAAO,WAAW,SAAS;AAAA,QAC5C,OAAO,EAAE,WAAW;AAAA,MACtB,CAAC;AACD,aAAO,KAAK,IAAI,aAAa;AAAA,IAC/B;AAAA,IAEA,MAAM,aACJ,YACA,QACA,OACqB;AACrB,YAAM,OAAgC,CAAC;AACvC,UAAI,MAAM,SAAS,QAAW;AAC5B,aAAK,OAAO,MAAM;AAAA,MACpB;AACA,UAAI,MAAM,UAAU,QAAW;AAC7B,aAAK,QAAQ,MAAM;AAAA,MACrB;AACA,UAAI,MAAM,sBAAsB,QAAW;AACzC,aAAK,oBAAoB,MAAM;AAAA,MACjC;AAEA,YAAM,MAAM,MAAM,OAAO,WAAW,OAAO;AAAA,QACzC,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,QACnD;AAAA,MACF,CAAC;AACD,aAAO,cAAc,GAAG;AAAA,IAC1B;AAAA,IAEA,MAAM,aAAa,YAAoB,QAA+B;AACpE,YAAM,OAAO,WAAW,OAAO;AAAA,QAC7B,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,MACrD,CAAC;AAAA,IACH;AAAA,IAEA,MAAM,cACJ,YACA,QACA,YACkB;AAClB,YAAM,MAAM,MAAM,OAAO,WAAW,WAAW;AAAA,QAC7C,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,MACrD,CAAC;AACD,UAAI,CAAC,IAAK,QAAO;AACjB,UAAI,IAAI,SAAS,QAAS,QAAO;AACjC,YAAM,QAAQ;AAAA,QACZ,IAAI;AAAA,QACJ,MAAM,QAAQ,IAAI,iBAAiB,IAAK,IAAI,oBAAiC;AAAA,MAC/E;AACA,aAAO,MAAM,SAAS,UAAU;AAAA,IAClC;AAAA,IAEA,MAAM,wBACJ,YACA,QACmB;AACnB,YAAM,MAAM,MAAM,OAAO,WAAW,WAAW;AAAA,QAC7C,OAAO,EAAE,mBAAmB,EAAE,YAAY,OAAO,EAAE;AAAA,MACrD,CAAC;AACD,UAAI,CAAC,IAAK,QAAO,CAAC;AAClB,UAAI,IAAI,SAAS,QAAS,QAAO,CAAC,GAAG;AACrC,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,MAAM,QAAQ,IAAI,iBAAiB,IAAK,IAAI,oBAAiC;AAAA,MAC/E;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AACF;;;AC7GO,SAAS,cAAc,KAAqB;AAEjD,QAAM,cAAc,IAAI,QAAQ,GAAG;AACnC,MAAI,OAAO,eAAe,IAAI,IAAI,MAAM,GAAG,WAAW,IAAI;AAG1D,MAAI,KAAK,SAAS,KAAK,KAAK,SAAS,GAAG,GAAG;AACzC,WAAO,KAAK,MAAM,GAAG,EAAE;AAAA,EACzB;AAEA,SAAO;AACT;AAeO,SAAS,UAAU,MAAc,SAA0B;AAEhE,MAAI,YAAY,MAAM;AACpB,WAAO;AAAA,EACT;AAGA,MAAI,QAAQ,SAAS,KAAK,GAAG;AAC3B,UAAM,SAAS,QAAQ,MAAM,GAAG,EAAE;AAClC,WAAO,KAAK,WAAW,SAAS,GAAG;AAAA,EACrC;AAGA,MAAI,QAAQ,SAAS,GAAG,KAAK,CAAC,QAAQ,SAAS,IAAI,GAAG;AACpD,UAAM,QAAQ,eAAe,OAAO;AACpC,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB;AAEA,SAAO;AACT;AAMA,SAAS,eAAe,SAAyB;AAC/C,QAAM,UAAU,QACb,QAAQ,qBAAqB,MAAM,EACnC,QAAQ,OAAO,OAAO;AACzB,SAAO,IAAI,OAAO,IAAI,OAAO,GAAG;AAClC;;;ACrFO,SAAS,qBAAqB,QAA8C;AACjF,SAAO;AAAA,IACL,MAAM,UAAU,OAKQ;AACtB,YAAM,EAAE,KAAK,QAAQ,YAAY,KAAK,IAAI;AAE1C,UAAI,CAAC,MAAM;AACT,eAAO,EAAE,MAAM,WAAW,QAAQ,qCAAqC;AAAA,MACzE;AAEA,YAAM,iBAAiB,cAAc,GAAG;AACxC,YAAM,eAAe,OAAO,OAAO;AAAA,QACjC,CAAC,UACC,UAAU,gBAAgB,MAAM,OAAO,MACtC,MAAM,WAAW,OAAO,MAAM,OAAO,YAAY,MAAM,OAAO,YAAY;AAAA,MAC/E;AAEA,UAAI,CAAC,cAAc;AACjB,eAAO,EAAE,MAAM,WAAW,QAAQ,oCAAoC;AAAA,MACxE;AAEA,YAAM,aAAa,aAAa;AAChC,YAAM,SAAS,MAAM,OAAO,UAAU,YAAY,KAAK,MAAM;AAE7D,UAAI,CAAC,UAAU,KAAK,kBAAkB,OAAO,uBAAuB,OAAO;AACzE,YAAI,OAAO,iBAAiB;AAC1B,gBAAM,OAAO,gBAAgB,YAAY,KAAK,QAAQ,KAAK,KAAK;AAAA,QAClE;AACA,eAAO,EAAE,MAAM,WAAW,MAAM,SAAS,WAAW;AAAA,MACtD;AAEA,UAAI,CAAC,QAAQ;AACX,eAAO;AAAA,UACL,MAAM;AAAA,UACN,MAAM;AAAA,UACN;AAAA,UACA,QAAQ;AAAA,QACV;AAAA,MACF;AAEA,UAAI,OAAO,SAAS,SAAS;AAC3B,eAAO,EAAE,MAAM,WAAW,MAAM,SAAS,WAAW;AAAA,MACtD;AAEA,YAAM,iBAAiB,mBAAmB,OAAO,MAAM,OAAO,iBAAiB;AAC/E,UAAI,eAAe,SAAS,UAAU,GAAG;AACvC,eAAO,EAAE,MAAM,WAAW,MAAM,OAAO,MAAM,WAAW;AAAA,MAC1D;AAEA,aAAO;AAAA,QACL,MAAM;AAAA,QACN,MAAM,OAAO;AAAA,QACb;AAAA,QACA,QAAQ,SAAS,OAAO,IAAI,+BAA+B,UAAU;AAAA,MACvE;AAAA,IACF;AAAA,EACF;AACF;","names":[]}

package/dist/schema-CM7mHj_H.d.cts

@@ -0,0 +1,53 @@
+interface UniforgeConfig {
+    appName: string;
+    shopify: {
+        apiKey: string;
+        apiSecretKey: string;
+        scopes: string[];
+        hostName: string;
+        apiVersion: string;
+        isEmbeddedApp: boolean;
+    };
+    database: {
+        url: string;
+    };
+    redis: {
+        url: string;
+    };
+    features: {
+        encryption: boolean;
+        dualSessionStorage: boolean;
+    };
+    multiStore?: {
+        enabled: boolean;
+        defaultAccountType: 'individual' | 'enterprise';
+        autoProvisionAccount: boolean;
+        basePrice: number;
+        includedStores: number;
+    };
+    billing?: {
+        returnUrl: string;
+        trialDays?: number;
+    };
+    platform?: {
+        id: string;
+        autoRegister: boolean;
+    };
+    security?: {
+        rateLimiting: boolean;
+        inputValidation: boolean;
+        securityHeaders: boolean;
+        csp: boolean;
+        auditEnabled: boolean;
+    };
+    performance?: {
+        cacheEnabled: boolean;
+        cacheTTL: number;
+        cacheMaxEntries: number;
+        queryCostTracking: boolean;
+        queryBatching: boolean;
+    };
+}
+declare const defaultConfig: Partial<UniforgeConfig>;
+
+export { type UniforgeConfig as U, defaultConfig as d };

package/dist/schema-CM7mHj_H.d.ts

@@ -0,0 +1,53 @@
+interface UniforgeConfig {
+    appName: string;
+    shopify: {
+        apiKey: string;
+        apiSecretKey: string;
+        scopes: string[];
+        hostName: string;
+        apiVersion: string;
+        isEmbeddedApp: boolean;
+    };
+    database: {
+        url: string;
+    };
+    redis: {
+        url: string;
+    };
+    features: {
+        encryption: boolean;
+        dualSessionStorage: boolean;
+    };
+    multiStore?: {
+        enabled: boolean;
+        defaultAccountType: 'individual' | 'enterprise';
+        autoProvisionAccount: boolean;
+        basePrice: number;
+        includedStores: number;
+    };
+    billing?: {
+        returnUrl: string;
+        trialDays?: number;
+    };
+    platform?: {
+        id: string;
+        autoRegister: boolean;
+    };
+    security?: {
+        rateLimiting: boolean;
+        inputValidation: boolean;
+        securityHeaders: boolean;
+        csp: boolean;
+        auditEnabled: boolean;
+    };
+    performance?: {
+        cacheEnabled: boolean;
+        cacheTTL: number;
+        cacheMaxEntries: number;
+        queryCostTracking: boolean;
+        queryBatching: boolean;
+    };
+}
+declare const defaultConfig: Partial<UniforgeConfig>;
+
+export { type UniforgeConfig as U, defaultConfig as d };