@usehercules/convex 0.0.0

package/dist/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAwQ5C,yEAAyE;AACzE,uEAAuE;AACvE,+EAA+E;AAC/E,MAAM,mBAAmB,GAAG,EAAE,CAAC;AA2K/B;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAA8C;IAE9C,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAE5C,OAAO;QACL,WAAW,EAAE,OAAO,CAAC,KAAK;QAC1B,cAAc,EAAE,OAAO,CAAC,QAAQ;QAChC,YAAY,EAAE,OAAO,CAAC,MAAM;QAC5B,kBAAkB,EAAE,wBAAwB,CAAC,OAAO,CAAC,KAAK,EAAE,SAAS,CAAC;QACtE,qBAAqB,EAAE,wBAAwB,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,CAAC;QAC5E,mBAAmB,EAAE,wBAAwB,CAAC,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC;QACxE,WAAW,EAAE,iBAAiB,CAAC,OAAO,CAAC,KAAK,EAAE,SAAS,CAAkC;QACzF,cAAc,EAAE,iBAAiB,CAC/B,OAAO,CAAC,QAAQ,EAChB,SAAS,CAC0B;QACrC,YAAY,EAAE,iBAAiB,CAAC,OAAO,CAAC,MAAM,EAAE,SAAS,CAAmC;QAC5F,aAAa,EAAE,iBAAiB,CAAC,SAAS,CAAC;QAC3C,iBAAiB,EAAE,qBAAqB,CAAC,SAAS,CAAC;QACnD,oBAAoB,EAAE,wBAAwB,CAAC,SAAS,CAAC;QACzD,uBAAuB,EAAE,2BAA2B,CAAC,SAAS,CAAC;QAC/D,gBAAgB,EAAE,oBAAoB,CAAC,SAAS,CAAC;QACjD,4BAA4B;QAC5B,wBAAwB,EAAE,4BAA4B,CAAC,SAAS,CAAC;QACjE,yBAAyB,EAAE,6BAA6B,CAAC,SAAS,CAAC;QACnE,iBAAiB,EAAE,qBAAqB,CAAC,SAAS,CAAC;QACnD,WAAW,EAAE,eAAe,CAAC,SAAS,CAAC;QACvC,gBAAgB,EAAE,oBAAoB,CAAC,SAAS,CAAC;QACjD,wBAAwB,EAAE,4BAA4B,CAAC,SAAS,CAAC;QACjE,4BAA4B,EAAE,gCAAgC,CAAC,SAAS,CAAC;QACzE,cAAc,EAAE,kBAAkB,CAAC,SAAS,CAAC;QAC7C,oBAAoB,EAAE,wBAAwB,CAAC,SAAS,CAAC;QACzD,6BAA6B,EAAE,iCAAiC,CAAC,SAAS,CAAC;KAC5E,CAAC;AACJ,CAAC;AAED,0EAA0E;AAC1E,0EAA0E;AAC1E,yEAAyE;AACzE,4EAA4E;AAC5E,2EAA2E;AAC3E,mBAAmB;AACnB,MAAM,CAAC,MAAM,sBAAsB,GAAG,4BAA4B,CAAC;AAEnE,MAAM,CAAC,MAAM,YAAY,GAAmC,GAAG,EAAE,CAAC,sBAAsB,CAAC;AAEzF,+EAA+E;AAC/E,4EAA4E;AAC5E,2DAA2D;AAC3D,8EAA8E;AAC9E,2EAA2E;AAC3E,gFAAgF;AAChF,8EAA8E;AAC9E,uEAAuE;AACvE,MAAM,CAAC,MAAM,iCAAiC,GAAG,uCAAuC,CAAC;AAEzF;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAmB,MAAS;IACtD,OAAO,CAAC,IAAa,EAAE,IAA6B,EAAU,EAAE;QAC9D,MAAM,KAAK,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;QAC7B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,iBAAiB,MAAM,yCAAyC,MAAM,EAAE;aAClF,CAAC,CAAC;QACL,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;AACJ,CAAC;AAID;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAY,EACZ,MAAS,EACT,UAGI,EAAE;IAEN,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC;IACtD,OAAO,KAAK,EACV,GAAkB,EAClB,IAA6B,EAM5B,EAAE;QACH,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;QAC1B,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,sBAAsB,SAAS,OAAO,MAAM,YAAY,MAAM,aAAa;aACrF,CAAC,CAAC;QACL,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,sBAAsB,SAAS,OAAO,MAAM,wBAAwB;aAC9E,CAAC,CAAC;QACL,CAAC;QACD,MAAM,OAAO,GAAI,GAA+B,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,wBAAwB;gBAC9B,OAAO,EAAE,sBAAsB,SAAS,OAAO,MAAM,4BAA4B,UAAU,GAAG;aAC/F,CAAC,CAAC;QACL,CAAC;QACD,MAAM,SAAS,GAAG,kBAAkB,CAClC,OAAO,CAAC,gBAAgB,EAAE,CAAC,GAA8B,CAAC,EAC1D,sBAAsB,SAAS,OAAO,MAAM,IAAI,CACjD,CAAC;QACF,OAAO;YACL,OAAO;YACP,YAAY,EAAE,iCAAiC;YAC/C,UAAU,EAAE,MAAM,CAAC,EAAE,CAAC;YACtB,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACpC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,wBAAwB,CACtC,SAAY,EACZ,MAAS,EACT,UAEI,EAAE;IAEN,OAAO,KAAK,EACV,GAAkB,EAClB,IAA6B,EAM5B,EAAE;QACH,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;QAC1B,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,6BAA6B,SAAS,OAAO,MAAM,YAAY,MAAM,aAAa;aAC5F,CAAC,CAAC;QACL,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,6BAA6B,SAAS,OAAO,MAAM,wBAAwB;aACrF,CAAC,CAAC;QACL,CAAC;QACD,MAAM,SAAS,GAAG,kBAAkB,CAClC,OAAO,CAAC,gBAAgB,EAAE,CAAC,GAA8B,CAAC,EAC1D,6BAA6B,SAAS,OAAO,MAAM,IAAI,CACxD,CAAC;QACF,OAAO;YACL,OAAO,EAAE,sBAAsB;YAC/B,YAAY,EAAE,iCAAiC;YAC/C,UAAU,EAAE,MAAM,CAAC,EAAE,CAAC;YACtB,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACpC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CACrC,SAAY,EACZ,MAAS,EACT,OAIC;IAED,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC;IACtD,OAAO,KAAK,EACV,GAAkB,EAClB,IAA6B,EAK5B,EAAE;QACH,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;QAC1B,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,4BAA4B,SAAS,OAAO,MAAM,YAAY,MAAM,aAAa;aAC3F,CAAC,CAAC;QACL,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,4BAA4B,SAAS,OAAO,MAAM,wBAAwB;aACpF,CAAC,CAAC;QACL,CAAC;QACD,MAAM,OAAO,GAAI,GAA+B,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,wBAAwB;gBAC9B,OAAO,EAAE,4BAA4B,SAAS,OAAO,MAAM,4BAA4B,UAAU,GAAG;aACrG,CAAC,CAAC;QACL,CAAC;QACD,MAAM,SAAS,GAAG,kBAAkB,CAClC;YACE,EAAE,IAAI,EAAE,OAAO,CAAC,kBAAkB,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE;YACpD,GAAG,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,GAA8B,CAAC,IAAI,EAAE,CAAC;SACtE,EACD,4BAA4B,SAAS,OAAO,MAAM,IAAI,CACvD,CAAC;QACF,OAAO;YACL,OAAO;YACP,YAAY,EAAE,iCAAiC;YAC/C,SAAS,EAAE,SAAU;SACtB,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,8BAA8B,CAC5C,SAAY,EACZ,MAAS,EACT,OAGC;IAED,OAAO,KAAK,EACV,GAAkB,EAClB,IAA6B,EAK5B,EAAE;QACH,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;QAC1B,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,mCAAmC,SAAS,OAAO,MAAM,YAAY,MAAM,aAAa;aAClG,CAAC,CAAC;QACL,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,mCAAmC,SAAS,OAAO,MAAM,wBAAwB;aAC3F,CAAC,CAAC;QACL,CAAC;QACD,MAAM,SAAS,GAAG,kBAAkB,CAClC;YACE,EAAE,IAAI,EAAE,OAAO,CAAC,kBAAkB,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,EAAE;YACpD,GAAG,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,GAA8B,CAAC,IAAI,EAAE,CAAC;SACtE,EACD,mCAAmC,SAAS,OAAO,MAAM,IAAI,CAC9D,CAAC;QACF,OAAO;YACL,OAAO,EAAE,sBAAsB;YAC/B,YAAY,EAAE,iCAAiC;YAC/C,SAAS,EAAE,SAAU;SACtB,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,OAA8C;IAE9C,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,UAAU,CAAC;IAC1D,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,aAAa,CAAC,CAAC;IAEtD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,oGAAoG,CACrG,CAAC;IACJ,CAAC;IAED,OAAO,SAAmC,CAAC;AAC7C,CAAC;AAED,SAAS,wBAAwB,CAC/B,OAAiB,EACjB,SAAiC;IAEjC,OAAO,CAAC,CAAC,UAAmB,EAAE,EAAE;QAC9B,OAAQ,OAAyB,CAAC,cAAc,CAAC,UAAU,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC,CAAC;IAC5F,CAAC,CAAa,CAAC;AACjB,CAAC;AAED,SAAS,iBAAiB,CACxB,OAAiB,EACjB,SAAiC;IAEjC,OAAO,CAAC,CAAC,UAAmB,EAAE,EAAE;QAC9B,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,IAAI,IAAI,CAAC,CAAC,SAAS,IAAI,UAAU,CAAC,EAAE,CAAC;YACxF,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;QACtF,CAAC;QAED,MAAM,gBAAgB,GAAG,UAGxB,CAAC;QACF,IACE,OAAO,gBAAgB,CAAC,UAAU,KAAK,QAAQ;YAC/C,gBAAgB,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EACxC,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QACD,IAAI,gBAAgB,CAAC,KAAK,KAAK,SAAS,IAAI,OAAO,gBAAgB,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YACzF,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QACD,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,gBAAgB,EAAE,GAAG,gBAAgB,CAAC;QACpE,MAAM,cAAc,GAAG,CAAC,KAAK,IAAI,YAAY,CAA4C,CAAC;QAC1F,OAAQ,OAAyB,CAC/B,cAAc,CAAC,gBAAgB,EAAE,SAAS,EAAE,YAAY,EAAE;YACxD,UAAU;YACV,KAAK,EAAE,cAAc;SACtB,CAAC,CACH,CAAC;IACJ,CAAC,CAAa,CAAC;AACjB,CAAC;AAOD,SAAS,cAAc,CACrB,UAAmB,EACnB,SAAiC,EACjC,IAAgB,EAChB,MAAqB;IAErB,IAAI,OAAO,UAAU,KAAK,UAAU,EAAE,CAAC;QACrC,OAAO,KAAK,EAAE,GAAqB,EAAE,GAAG,IAAa,EAAE,EAAE;YACvD,MAAM,gBAAgB,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9D,OAAQ,UAAmE,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC5F,CAAC,CAAC;IACJ,CAAC;IAED,MAAM,gBAAgB,GAAG,UAAsD,CAAC;IAChF,OAAO;QACL,GAAG,gBAAgB;QACnB,OAAO,EAAE,KAAK,EAAE,GAAqB,EAAE,GAAG,IAAa,EAAE,EAAE;YACzD,MAAM,gBAAgB,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9D,OAAO,gBAAgB,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAChD,CAAC;KACF,CAAC;AACJ,CAAC;AAOD,SAAS,YAAY,CAAC,QAA4B;IAChD,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,YAAY,CAAC,SAA+D;IACnF,OAAO,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,kBAAkB,CACzB,SAAoD,EACpD,MAAM,GAAG,qBAAqB;IAE9B,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC3D,IAAI,SAAS,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QAC3C,MAAM,IAAI,WAAW,CAAC;YACpB,IAAI,EAAE,mBAAmB;YACzB,OAAO,EAAE,GAAG,MAAM,sBAAsB,mBAAmB,YAAY;SACxE,CAAC,CAAC;IACL,CAAC;IACD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE;QAChC,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,mBAAmB;gBACzB,OAAO,EAAE,GAAG,MAAM,2CAA2C;aAC9D,CAAC,CAAC;QACL,CAAC;QACD,OAAO,EAAE,YAAY,EAAE,QAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,EAAE,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,GAAkB;IAClD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,EAAE,eAAe,IAAI,SAAS,CAAC;AAC1E,CAAC;AAED,KAAK,UAAU,4BAA4B,CACzC,GAAkB;IAElB,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC,EAAE,OAAO,IAAI,SAAS,CAAC;AAClE,CAAC;AAED,SAAS,4BAA4B,CAAC,IAAyB;IAC7D,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,OAAO;YACL,OAAO,EAAE,sBAAsB;YAC/B,UAAU,EAAE,IAAI;YAChB,QAAQ,EAAE,SAAS;YACnB,SAAS,EAAE,SAAS;SACrB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB;QAC/C,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC;KAC9C,CAAC;AACJ,CAAC;AAED,SAAS,+BAA+B,CAAC,IAA4B;IACnE,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,OAAO;YACL,OAAO,EAAE,sBAAsB;YAC/B,WAAW,EAAE,IAAI;YACjB,QAAQ,EAAE,SAAS;YACnB,SAAS,EAAE,SAAS;SACrB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB;QAC/C,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAED,SAAS,iCAAiC,CAAC,IAA0C;IACnF,OAAO;QACL,OAAO,EAAE,IAAI,EAAE,OAAO,IAAI,sBAAsB;QAChD,QAAQ,EAAE,IAAI,EAAE,QAAQ;QACxB,SAAS,EAAE,kBAAkB,CAAC,IAAI,EAAE,SAAS,CAAC;KAC/C,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,SAAiC;IAC1D,OAAO,KAAK,EAAE,GAAkB,EAAE,IAAyB,EAAoB,EAAE;QAC/E,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,KAAK,CAAC;QACnC,MAAM,UAAU,GAAG,4BAA4B,CAAC,IAAI,CAAC,CAAC;QAEtD,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE;YAC9D,eAAe;YACf,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,UAAU,EAAE,UAAU,CAAC,UAAU;YACjC,GAAG,YAAY,CAAC,UAAU,CAAC,QAAQ,CAAC;YACpC,GAAG,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC;SACtC,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,OAAO,CAAC;IAC1B,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,SAAiC;IAC9D,MAAM,aAAa,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACnD,OAAO,KAAK,EAAE,GAAkB,EAAE,IAAyB,EAAiB,EAAE;QAC5E,IAAI,MAAM,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC;YAAE,OAAO;QAC3C,MAAM,IAAI,WAAW,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;IAC7E,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,SAAiC;IACjE,MAAM,aAAa,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IACnD,OAAO,KAAK,EAAE,GAAkB,EAAE,IAA4B,EAAiB,EAAE;QAC/E,MAAM,UAAU,GAAG,+BAA+B,CAAC,IAAI,CAAC,CAAC;QACzD,KAAK,MAAM,UAAU,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;YAChD,IAAI,MAAM,aAAa,CAAC,GAAG,EAAE,EAAE,GAAG,UAAU,EAAE,UAAU,EAAE,CAAC;gBAAE,OAAO;QACtE,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;IAC7E,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,2BAA2B,CAAC,SAAiC;IACpE,OAAO,KAAK,EAAE,GAAkB,EAAE,IAA+B,EAAqB,EAAE;QACtF,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAChC,MAAM,UAAU,GAAG,iCAAiC,CAAC,IAAI,CAAC,CAAC;QAE3D,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,uBAAuB,EAAE;YAC3E,eAAe;YACf,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,GAAG,YAAY,CAAC,UAAU,CAAC,QAAQ,CAAC;YACpC,GAAG,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC;SACtC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,WAAW,CAAC;IAC5B,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,SAAiC;IAC7D,OAAO,KAAK,EACV,GAAkB,EAClB,MAAmD,EACjB,EAAE;QACpC,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACvB,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,2BAA2B;gBACjC,OAAO,EAAE,4CAA4C;aACtD,CAAC,CAAC;QACL,CAAC;QACD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;gBACvB,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,kBAAkB;gBAC9B,gBAAgB,EAAE,EAAE;aACrB,CAAC,CAAC,CAAC;QACN,CAAC;QAED,OAAO,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,EAAE;YACxD,eAAe;YACf,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC3B,MAAM,UAAU,GAAG,4BAA4B,CAAC,KAAK,CAAC,CAAC;gBACvD,OAAO;oBACL,OAAO,EAAE,UAAU,CAAC,OAAO;oBAC3B,UAAU,EAAE,UAAU,CAAC,UAAU;oBACjC,GAAG,YAAY,CAAC,UAAU,CAAC,QAAQ,CAAC;oBACpC,GAAG,YAAY,CAAC,UAAU,CAAC,SAAS,CAAC;iBACtC,CAAC;YACJ,CAAC,CAAC;SACH,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,6BAA6B,CAAC,SAAiC;IACtE,OAAO,KAAK,EACV,GAAkB,EAClB,IAMC,EACa,EAAE;QAChB,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,sBAAsB,CAAC;QAEvD,MAAM,OAAO,GAAQ,EAAE,CAAC;QACxB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAChC,MAAM,SAAS,GAAG,kBAAkB,CAClC,IAAI,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,EACtB,2BAA2B,CAC5B,CAAC;YACF,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE;gBAC9D,eAAe;gBACf,OAAO;gBACP,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,YAAY,EAAE,GAAG,CAAC,IAAI;gBACtB,UAAU,EAAE,GAAG,CAAC,EAAE;gBAClB,GAAG,YAAY,CAAC,SAAS,CAAC;aAC3B,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,OAAO;gBAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,SAAiC;IAC9D,OAAO,KAAK,EAAE,GAAkB,EAAyB,EAAE;QACzD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAEhC,OAAO,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,iBAAiB,EAAE;YAC7D,eAAe;SAChB,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CAAC,SAAiC;IACrE,OAAO,KAAK,EAAE,GAAkB,EAA8C,EAAE;QAC9E,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;QAC1D,CAAC;QAED,OAAO,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,wBAAwB,EAAE;YACpE,eAAe;SAChB,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,SAAiC;IACxD,OAAO,KAAK,EAAE,GAAkB,EAAE,OAA6B,EAAE,EAA0B,EAAE;QAC3F,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAEhC,OAAO,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,EAAE;YACvD,eAAe;YACf,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB;SAChD,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAAC,SAAiC;IAC7D,OAAO,KAAK,EAAE,GAAkB,EAAE,OAA6B,EAAE,EAA0B,EAAE;QAC3F,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAEhC,OAAO,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,gBAAgB,EAAE;YAC5D,eAAe;YACf,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB;SAChD,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CAAC,SAAiC;IACrE,OAAO,KAAK,EACV,GAAkB,EAClB,OAA8D,EAAE,EAC7B,EAAE;QACrC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAE7C,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,wBAAwB,EAAE;YAC5E,eAAe;YACf,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB;YAC/C,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;QACH,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxD,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,gCAAgC,CAAC,SAAiC;IACzE,OAAO,KAAK,EACV,GAAkB,EAClB,IAIC,EAC0C,EAAE;QAC7C,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAElC,OAAO,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,4BAA4B,EAAE;YACxE,eAAe;YACf,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB;YAC/C,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;SAC5C,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CAAC,SAAiC;IAC3D,OAAO,KAAK,EACV,GAAkB,EAClB,OAA6B,EAAE,EACF,EAAE;QAC/B,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAEhC,OAAO,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,EAAE;YAC1D,eAAe;YACf,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB;SAChD,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,SAAiC;IACjE,OAAO,KAAK,EACV,GAAkB,EAClB,OAA6B,EAAE,EACI,EAAE;QACrC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAEhC,OAAO,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,oBAAoB,EAAE;YAChE,eAAe;YACf,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB;SAChD,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,iCAAiC,CAAC,SAAiC;IAC1E,OAAO,KAAK,EACV,GAAkB,EAClB,IAKC,EACiC,EAAE;QACpC,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAEhC,OAAO,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,6BAA6B,EAAE;YACzE,eAAe;YACf,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,sBAAsB;YAC/C,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;SAC5B,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,GAAqB,EACrB,SAAiC,EACjC,IAAgB,EAChB,MAAgC,EAChC,UAAmB;IAEnB,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;IAElD,4EAA4E;IAC5E,uEAAuE;IACvE,qEAAqE;IACrE,IAAI,CAAC,QAAQ,EAAE,eAAe,EAAE,CAAC;QAC/B,MAAM,IAAI,WAAW,CAAC;YACpB,IAAI,EAAE,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,iBAAiB;YACjE,OAAO,EAAE,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,yBAAyB;YAC5E,UAAU,EAAE,kBAAkB;SAC/B,CAAC,CAAC;IACL,CAAC;IAED,IAAI,OAA2B,CAAC;IAChC,IAAI,YAAgC,CAAC;IACrC,IAAI,UAA8B,CAAC;IACnC,IAAI,SAA0E,CAAC;IAC/E,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,YAAY,CAAC,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YACzE,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAClC,OAAO,GAAG,SAAS,CAAC;YACtB,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC;gBAC5B,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC;gBACtC,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC;gBAClC,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC;YAClC,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,WAAW;gBAAE,MAAM,KAAK,CAAC;YAC9C,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,yBAAyB;gBAClC,UAAU,EAAE,sBAAsB;aACnC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE;QAC9D,eAAe,EAAE,QAAQ,CAAC,eAAe;QACzC,OAAO;QACP,UAAU,EAAE,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,SAAS;QAClE,YAAY;QACZ,UAAU;QACV,GAAG,YAAY,CAAC,SAAS,CAAC;KAC3B,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QACtB,MAAM,IAAI,WAAW,CAAC;YACpB,IAAI,EAAE,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,iBAAiB;YACjE,OAAO,EAAE,IAAI,KAAK,YAAY,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,yBAAyB;YAC5E,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,aAAa,EAAE,QAAQ,CAAC,aAAa;SACtC,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/component/authz.d.ts

@@ -0,0 +1,114 @@
+/** The canonical CRUD-ish core. `list` is intentionally distinct from `read`. */
+export declare const CANONICAL_ACTIONS: readonly ["read", "create", "update", "delete", "list"];
+export type CanonicalAction = (typeof CANONICAL_ACTIONS)[number];
+/** `manage` is the formal CRUD superset, expanded at eval time — never stored. */
+export declare const MANAGE_ACTION = "manage";
+/** `*` is all verbs (canonical + custom) on the resource type. */
+export declare const WILDCARD_ACTION = "*";
+/** Access-administration actions that product wildcards must never confer. */
+export declare const RESERVED_ACCESS_CONTROL_ACTIONS: ReadonlySet<string>;
+/**
+ * Expand a granted action token into the verbs it covers. `manage` expands to
+ * the canonical CRUD set; every other token (canonical verb, custom verb, or
+ * `*`) passes through unchanged. `*` is handled by {@link actionMatches} rather
+ * than expanded to a finite list here (the universe of custom verbs is open).
+ */
+export declare function expandAction(action: string): string[];
+/**
+ * Does a granted action satisfy a requested action?
+ *   identical → always matches (incl. `manage` granted for a `manage` request).
+ *   `*`       → matches any non-reserved requested verb.
+ *   `manage`  → also matches any canonical CRUD verb.
+ *   else      → matches only the identical verb.
+ */
+export declare function actionMatches(grantedAction: string, requestedAction: string): boolean;
+/**
+ * - `immutable` — Owner: implicit all-permissions-including-future; cannot be
+ *   edited or narrowed; the evaluator short-circuits ALLOW before any lookup.
+ * - `default`   — Admin: all-permissions-including-future by default, but
+ *   builder-narrowable and fenced from the Owner-only levers
+ *   ({@link OWNER_ONLY_LEVERS}). Once narrowed, the producer downgrades the
+ *   role to `none` (see snapshot narrowed-admin detection).
+ * - `none`      — Member / custom: enumerated grants govern.
+ */
+export type WildcardMode = "none" | "immutable" | "default";
+/**
+ * Owner-only levers — powers that a `default`-wildcard (Admin) principal is
+ * fenced out of, even though it otherwise has everything. These are canonical
+ * keys but are NOT seeded as permissions in Wave 1 (they are an algebra
+ * constant). The fence is enforced purely in {@link evaluateAccess}.
+ *
+ * Each lever's `action` is matched against a request via {@link actionMatches}
+ * (the same grant-side superset rule). A lever with action `manage` therefore
+ * fences ALL canonical CRUD on that `resourceType`, not just a literal
+ * `:manage` request — and since requests never carry `manage`/`*` (see
+ * {@link RequestedAccess}), the `manage` levers must expand or they would be
+ * dead. The two all-or-nothing Owner domains (billing, owner management) use
+ * `manage` so every operation on them is fenced; the two single-verb levers
+ * (delete app, transfer ownership) use their concrete verb.
+ */
+export declare const OWNER_ONLY_LEVERS: ReadonlyArray<{
+    resourceType: string;
+    action: string;
+}>;
+/**
+ * Is a requested access an Owner-only lever (Admin-fenced)? Matches by
+ * `resourceType` + action-superset, so a `manage` lever fences every canonical
+ * CRUD verb on its resourceType while a concrete-verb lever fences only that
+ * verb. This is what makes the billing / owner-management fences effective for
+ * the real CRUD requests that reach the evaluator.
+ */
+export declare function isOwnerOnlyLever(request: {
+    resourceType: string;
+    action: string;
+    classification?: "delegable" | "owner_only";
+}): boolean;
+export type Effect = "allow" | "deny";
+export type RequestedAccess = {
+    /** Canonical resourceType, e.g. `app.loans`. */
+    resourceType: string;
+    /** Requested verb (canonical or custom), e.g. `disburse`. Not `manage`/`*`. */
+    action: string;
+    /** Whether the catalog permits this permission to be delegated. */
+    classification?: "delegable" | "owner_only";
+    /** Specific instance id, when the request targets a single resource. */
+    objectId?: string;
+};
+export type ApplicableEntry = {
+    effect: Effect;
+    /** Granted resourceType; `*` matches any resourceType. */
+    resourceType: string;
+    /** Granted verb: a concrete verb, `manage`, or `*`. */
+    action: string;
+    /**
+     * `scope`/type-level entry matches any instance of its resourceType;
+     * `resource` instance-level entry matches only its own `objectId`.
+     */
+    objectType: "scope" | "resource";
+    objectId?: string;
+};
+export declare function hasExplicitDeny(entries: ApplicableEntry[], request: RequestedAccess): boolean;
+/**
+ * Resolve a single access request to allow/deny per §0.4:
+ *
+ *   1. Owner (`immutable`) → ALLOW before any entry scan.
+ *   2. Gather matching entries (resourceType + action + object).
+ *   3. Explicit deny wins → DENY. (Instance-allow never beats type-deny: a
+ *      type-level deny is in the matched set and short-circuits here.)
+ *   4. Admin (`default`) and request is NOT an Owner-only lever → ALLOW
+ *      (after the deny check, so an explicit narrowing deny still wins).
+ *   5. Any matching allow that is NOT an Owner-only lever → ALLOW (role +
+ *      direct grants union on allow). Owner-only levers are conferrable only by
+ *      the immutable Owner at step 1.
+ *   6. Else implicit DENY.
+ *
+ * `entries` must already be filtered to the principal, scope, and to
+ * non-expired / non-revoked rows. Scope/rule denylists are fed in as `deny`
+ * entries so they short-circuit at step 3 (intersection guardrail).
+ */
+export declare function evaluateAccess(args: {
+    wildcard: WildcardMode;
+    entries: ApplicableEntry[];
+    request: RequestedAccess;
+}): Effect;
+//# sourceMappingURL=authz.d.ts.map

package/dist/component/authz.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz.d.ts","sourceRoot":"","sources":["../../src/component/authz.ts"],"names":[],"mappings":"AA0BA,iFAAiF;AACjF,eAAO,MAAM,iBAAiB,yDAMpB,CAAC;AACX,MAAM,MAAM,eAAe,GAAG,CAAC,OAAO,iBAAiB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEjE,kFAAkF;AAClF,eAAO,MAAM,aAAa,WAAW,CAAC;AAEtC,kEAAkE;AAClE,eAAO,MAAM,eAAe,MAAM,CAAC;AAEnC,8EAA8E;AAC9E,eAAO,MAAM,+BAA+B,EAAE,WAAW,CAAC,MAAM,CAG9D,CAAC;AAEH;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAErD;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,aAAa,EAAE,MAAM,EACrB,eAAe,EAAE,MAAM,GACtB,OAAO,CAYT;AAMD;;;;;;;;GAQG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,WAAW,GAAG,SAAS,CAAC;AAE5D;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,iBAAiB,EAAE,aAAa,CAAC;IAC5C,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;CAChB,CAKS,CAAC;AAEX;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE;IACxC,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,WAAW,GAAG,YAAY,CAAC;CAC7C,GAAG,OAAO,CASV;AAMD,MAAM,MAAM,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC;AAEtC,MAAM,MAAM,eAAe,GAAG;IAC5B,gDAAgD;IAChD,YAAY,EAAE,MAAM,CAAC;IACrB,+EAA+E;IAC/E,MAAM,EAAE,MAAM,CAAC;IACf,mEAAmE;IACnE,cAAc,CAAC,EAAE,WAAW,GAAG,YAAY,CAAC;IAC5C,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,0DAA0D;IAC1D,YAAY,EAAE,MAAM,CAAC;IACrB,uDAAuD;IACvD,MAAM,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,UAAU,EAAE,OAAO,GAAG,UAAU,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAuBF,wBAAgB,eAAe,CAC7B,OAAO,EAAE,eAAe,EAAE,EAC1B,OAAO,EAAE,eAAe,GACvB,OAAO,CAIT;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE;IACnC,QAAQ,EAAE,YAAY,CAAC;IACvB,OAAO,EAAE,eAAe,EAAE,CAAC;IAC3B,OAAO,EAAE,eAAe,CAAC;CAC1B,GAAG,MAAM,CA8BT"}

package/dist/component/authz.js

@@ -0,0 +1,168 @@
+// Canonical access-control authorization algebra (ported from the monorepo).
+//
+// SOURCE OF TRUTH: packages/backend-shared/src/access-control/authz.ts in the
+// herculesai monorepo. This file is a near-verbatim copy of the PURE algebra
+// (the monorepo header explicitly anticipates this hercules-js port). The
+// platform projection builder and this Convex runtime must resolve
+// `can(principal, action, resource)` IDENTICALLY, so the algebra below must be
+// kept byte-identical with the canonical module. Any divergence is a silent
+// authorization bug.
+//
+// The slug-grammar parser/regex (`parseAccessPermissionKey`, etc.) and the
+// seed-default `roleWildcardMode` helper from the canonical file are
+// intentionally omitted: the runtime never parses keys (it resolves a
+// request's structured `(resourceType, action)` via catalog lookup — see
+// component/checks.ts), and the producer already computes and ships each
+// role's `wildcard` mode (incl. the narrowed-Admin downgrade) in the
+// projection snapshot, so re-deriving it here would be a second source of
+// truth.
+//
+// See ACCESS_CONTROL_UX_DECISION.md §0 (authorization model) and §0b (roles &
+// defaults) for the locked design this implements.
+// ---------------------------------------------------------------------------
+// §0.2 Canonical action taxonomy
+// ---------------------------------------------------------------------------
+/** The canonical CRUD-ish core. `list` is intentionally distinct from `read`. */
+export const CANONICAL_ACTIONS = [
+    "read",
+    "create",
+    "update",
+    "delete",
+    "list",
+];
+/** `manage` is the formal CRUD superset, expanded at eval time — never stored. */
+export const MANAGE_ACTION = "manage";
+/** `*` is all verbs (canonical + custom) on the resource type. */
+export const WILDCARD_ACTION = "*";
+/** Access-administration actions that product wildcards must never confer. */
+export const RESERVED_ACCESS_CONTROL_ACTIONS = new Set([
+    "manage_members",
+    "manage_access",
+]);
+/**
+ * Expand a granted action token into the verbs it covers. `manage` expands to
+ * the canonical CRUD set; every other token (canonical verb, custom verb, or
+ * `*`) passes through unchanged. `*` is handled by {@link actionMatches} rather
+ * than expanded to a finite list here (the universe of custom verbs is open).
+ */
+export function expandAction(action) {
+    return action === MANAGE_ACTION ? [...CANONICAL_ACTIONS] : [action];
+}
+/**
+ * Does a granted action satisfy a requested action?
+ *   identical → always matches (incl. `manage` granted for a `manage` request).
+ *   `*`       → matches any non-reserved requested verb.
+ *   `manage`  → also matches any canonical CRUD verb.
+ *   else      → matches only the identical verb.
+ */
+export function actionMatches(grantedAction, requestedAction) {
+    // Identity first: a grant of an action always satisfies a request for that
+    // same action — including `manage` for a `manage`-action permission, which
+    // the CRUD-only manage branch below would otherwise reject.
+    if (grantedAction === requestedAction)
+        return true;
+    if (grantedAction === WILDCARD_ACTION) {
+        return !RESERVED_ACCESS_CONTROL_ACTIONS.has(requestedAction);
+    }
+    if (grantedAction === MANAGE_ACTION) {
+        return CANONICAL_ACTIONS.includes(requestedAction);
+    }
+    return false;
+}
+/**
+ * Owner-only levers — powers that a `default`-wildcard (Admin) principal is
+ * fenced out of, even though it otherwise has everything. These are canonical
+ * keys but are NOT seeded as permissions in Wave 1 (they are an algebra
+ * constant). The fence is enforced purely in {@link evaluateAccess}.
+ *
+ * Each lever's `action` is matched against a request via {@link actionMatches}
+ * (the same grant-side superset rule). A lever with action `manage` therefore
+ * fences ALL canonical CRUD on that `resourceType`, not just a literal
+ * `:manage` request — and since requests never carry `manage`/`*` (see
+ * {@link RequestedAccess}), the `manage` levers must expand or they would be
+ * dead. The two all-or-nothing Owner domains (billing, owner management) use
+ * `manage` so every operation on them is fenced; the two single-verb levers
+ * (delete app, transfer ownership) use their concrete verb.
+ */
+export const OWNER_ONLY_LEVERS = [
+    { resourceType: "system.app", action: "delete" }, // delete app
+    { resourceType: "system.ownership", action: "transfer" }, // transfer ownership
+    { resourceType: "system.billing", action: MANAGE_ACTION }, // billing (all operations)
+    { resourceType: "system.access.owner", action: MANAGE_ACTION }, // add/remove/demote Owner (all operations)
+];
+/**
+ * Is a requested access an Owner-only lever (Admin-fenced)? Matches by
+ * `resourceType` + action-superset, so a `manage` lever fences every canonical
+ * CRUD verb on its resourceType while a concrete-verb lever fences only that
+ * verb. This is what makes the billing / owner-management fences effective for
+ * the real CRUD requests that reach the evaluator.
+ */
+export function isOwnerOnlyLever(request) {
+    return (request.classification === "owner_only" ||
+        OWNER_ONLY_LEVERS.some((lever) => lever.resourceType === request.resourceType &&
+            actionMatches(lever.action, request.action)));
+}
+function entryMatches(entry, request) {
+    // resourceType: exact match or wildcard resourceType.
+    if (entry.resourceType !== WILDCARD_ACTION &&
+        entry.resourceType !== request.resourceType) {
+        return false;
+    }
+    // action: after manage/wildcard expansion.
+    if (!actionMatches(entry.action, request.action))
+        return false;
+    // object: an instance-level (resource) entry only matches its own object.
+    // A scope/type-level entry matches any instance of the type.
+    if (entry.objectType === "resource") {
+        return entry.objectId !== undefined && entry.objectId === request.objectId;
+    }
+    return true;
+}
+export function hasExplicitDeny(entries, request) {
+    return entries.some((entry) => entry.effect === "deny" && entryMatches(entry, request));
+}
+/**
+ * Resolve a single access request to allow/deny per §0.4:
+ *
+ *   1. Owner (`immutable`) → ALLOW before any entry scan.
+ *   2. Gather matching entries (resourceType + action + object).
+ *   3. Explicit deny wins → DENY. (Instance-allow never beats type-deny: a
+ *      type-level deny is in the matched set and short-circuits here.)
+ *   4. Admin (`default`) and request is NOT an Owner-only lever → ALLOW
+ *      (after the deny check, so an explicit narrowing deny still wins).
+ *   5. Any matching allow that is NOT an Owner-only lever → ALLOW (role +
+ *      direct grants union on allow). Owner-only levers are conferrable only by
+ *      the immutable Owner at step 1.
+ *   6. Else implicit DENY.
+ *
+ * `entries` must already be filtered to the principal, scope, and to
+ * non-expired / non-revoked rows. Scope/rule denylists are fed in as `deny`
+ * entries so they short-circuit at step 3 (intersection guardrail).
+ */
+export function evaluateAccess(args) {
+    const { wildcard, entries, request } = args;
+    // 1. Owner short-circuit.
+    if (wildcard === "immutable")
+        return "allow";
+    // 2. Gather matching entries.
+    const matching = entries.filter((entry) => entryMatches(entry, request));
+    // 3. Explicit deny wins.
+    if (matching.some((entry) => entry.effect === "deny"))
+        return "deny";
+    // 4. Admin wildcard default (fenced from Owner-only levers).
+    if (wildcard === "default") {
+        if (!isOwnerOnlyLever(request))
+            return "allow";
+    }
+    // 5. Explicit allow. Owner-only levers are conferrable ONLY by the immutable
+    // Owner (step 1) — never by an explicit allow grant, mirroring the Admin
+    // wildcard fence in step 4. This keeps the invariant even if such a permission
+    // is somehow created and granted.
+    if (!isOwnerOnlyLever(request) &&
+        matching.some((entry) => entry.effect === "allow")) {
+        return "allow";
+    }
+    // 6. Implicit deny.
+    return "deny";
+}
+//# sourceMappingURL=authz.js.map

package/dist/component/authz.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz.js","sourceRoot":"","sources":["../../src/component/authz.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAC7E,EAAE;AACF,8EAA8E;AAC9E,6EAA6E;AAC7E,0EAA0E;AAC1E,mEAAmE;AACnE,+EAA+E;AAC/E,4EAA4E;AAC5E,qBAAqB;AACrB,EAAE;AACF,2EAA2E;AAC3E,qEAAqE;AACrE,sEAAsE;AACtE,yEAAyE;AACzE,yEAAyE;AACzE,qEAAqE;AACrE,0EAA0E;AAC1E,SAAS;AACT,EAAE;AACF,8EAA8E;AAC9E,mDAAmD;AAEnD,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,iFAAiF;AACjF,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,MAAM;CACE,CAAC;AAGX,kFAAkF;AAClF,MAAM,CAAC,MAAM,aAAa,GAAG,QAAQ,CAAC;AAEtC,kEAAkE;AAClE,MAAM,CAAC,MAAM,eAAe,GAAG,GAAG,CAAC;AAEnC,8EAA8E;AAC9E,MAAM,CAAC,MAAM,+BAA+B,GAAwB,IAAI,GAAG,CAAC;IAC1E,gBAAgB;IAChB,eAAe;CAChB,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,MAAc;IACzC,OAAO,MAAM,KAAK,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;AACtE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC3B,aAAqB,EACrB,eAAuB;IAEvB,2EAA2E;IAC3E,2EAA2E;IAC3E,4DAA4D;IAC5D,IAAI,aAAa,KAAK,eAAe;QAAE,OAAO,IAAI,CAAC;IACnD,IAAI,aAAa,KAAK,eAAe,EAAE,CAAC;QACtC,OAAO,CAAC,+BAA+B,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,aAAa,KAAK,aAAa,EAAE,CAAC;QACpC,OAAQ,iBAAuC,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;IAC5E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAiBD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAGzB;IACH,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,aAAa;IAC/D,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,qBAAqB;IAC/E,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,EAAE,aAAa,EAAE,EAAE,2BAA2B;IACtF,EAAE,YAAY,EAAE,qBAAqB,EAAE,MAAM,EAAE,aAAa,EAAE,EAAE,2CAA2C;CACnG,CAAC;AAEX;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAIhC;IACC,OAAO,CACL,OAAO,CAAC,cAAc,KAAK,YAAY;QACvC,iBAAiB,CAAC,IAAI,CACpB,CAAC,KAAK,EAAE,EAAE,CACR,KAAK,CAAC,YAAY,KAAK,OAAO,CAAC,YAAY;YAC3C,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAC9C,CACF,CAAC;AACJ,CAAC;AAiCD,SAAS,YAAY,CACnB,KAAsB,EACtB,OAAwB;IAExB,sDAAsD;IACtD,IACE,KAAK,CAAC,YAAY,KAAK,eAAe;QACtC,KAAK,CAAC,YAAY,KAAK,OAAO,CAAC,YAAY,EAC3C,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,2CAA2C;IAC3C,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/D,0EAA0E;IAC1E,6DAA6D;IAC7D,IAAI,KAAK,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QACpC,OAAO,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,KAAK,CAAC,QAAQ,KAAK,OAAO,CAAC,QAAQ,CAAC;IAC7E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,OAA0B,EAC1B,OAAwB;IAExB,OAAO,OAAO,CAAC,IAAI,CACjB,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,CAAC,CACnE,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,cAAc,CAAC,IAI9B;IACC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAE5C,0BAA0B;IAC1B,IAAI,QAAQ,KAAK,WAAW;QAAE,OAAO,OAAO,CAAC;IAE7C,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;IAEzE,yBAAyB;IACzB,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAErE,6DAA6D;IAC7D,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC;YAAE,OAAO,OAAO,CAAC;IACjD,CAAC;IAED,6EAA6E;IAC7E,yEAAyE;IACzE,+EAA+E;IAC/E,kCAAkC;IAClC,IACE,CAAC,gBAAgB,CAAC,OAAO,CAAC;QAC1B,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,OAAO,CAAC,EAClD,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,oBAAoB;IACpB,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/component/checks.d.ts

@@ -0,0 +1,86 @@
+import { type DataModelFromSchemaDefinition, type GenericQueryCtx } from "convex/server";
+import { type AuthorizationAncestor } from "./effective";
+import schema from "./schema";
+type DataModel = DataModelFromSchemaDefinition<typeof schema>;
+export declare const authorize: import("convex/server").RegisteredQuery<"public", {
+    resourceType?: string | undefined;
+    resourceId?: string | undefined;
+    permission?: string | undefined;
+    tokenIdentifier?: string | undefined;
+    scopeId?: string | undefined;
+    ancestors?: {
+        resourceType: string;
+        resourceId: string;
+    }[] | undefined;
+}, Promise<{
+    allowed: false;
+    reasonCode: string;
+    explicitDeny: boolean;
+    sourceVersion: number | undefined;
+    principalId: string | undefined;
+    effectiveRoleIds: string[];
+} | {
+    allowed: true;
+    reasonCode: string;
+    explicitDeny: boolean;
+    sourceVersion: number;
+    principalId: string | undefined;
+    effectiveRoleIds: string[];
+}>>;
+export declare const authorizeMany: import("convex/server").RegisteredQuery<"public", {
+    tokenIdentifier?: string | undefined;
+    checks: {
+        resourceType?: string | undefined;
+        resourceId?: string | undefined;
+        scopeId?: string | undefined;
+        ancestors?: {
+            resourceType: string;
+            resourceId: string;
+        }[] | undefined;
+        permission: string;
+    }[];
+}, Promise<({
+    allowed: false;
+    reasonCode: string;
+    explicitDeny: boolean;
+    sourceVersion: number | undefined;
+    principalId: string | undefined;
+    effectiveRoleIds: string[];
+} | {
+    allowed: true;
+    reasonCode: string;
+    explicitDeny: boolean;
+    sourceVersion: number;
+    principalId: string | undefined;
+    effectiveRoleIds: string[];
+})[]>>;
+/**
+ * Resolve a single permission request to an allow/deny decision. This is the
+ * canonical permission gate, shared by the `authorize` query (the hot can()
+ * path) and the scope-admin list queries, so both apply identical wildcard,
+ * deny-override, and owner-only-lever semantics. Reads only the local mirror.
+ */
+export declare function evaluatePermissionDecision(ctx: GenericQueryCtx<DataModel>, args: {
+    tokenIdentifier?: string;
+    scopeId?: string;
+    permission: string;
+    resourceType?: string;
+    resourceId?: string;
+    ancestors?: AuthorizationAncestor[];
+}): Promise<{
+    allowed: false;
+    reasonCode: string;
+    explicitDeny: boolean;
+    sourceVersion: number | undefined;
+    principalId: string | undefined;
+    effectiveRoleIds: string[];
+} | {
+    allowed: true;
+    reasonCode: string;
+    explicitDeny: boolean;
+    sourceVersion: number;
+    principalId: string | undefined;
+    effectiveRoleIds: string[];
+}>;
+export {};
+//# sourceMappingURL=checks.d.ts.map

package/dist/component/checks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../../src/component/checks.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,6BAA6B,EAClC,KAAK,eAAe,EAErB,MAAM,eAAe,CAAC;AAGvB,OAAO,EAIL,KAAK,qBAAqB,EAC3B,MAAM,aAAa,CAAC;AAErB,OAAO,MAAM,MAAM,UAAU,CAAC;AAE9B,KAAK,SAAS,GAAG,6BAA6B,CAAC,OAAO,MAAM,CAAC,CAAC;AAwB9D,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;GA8CpB,CAAC;AAEH,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;MAmBxB,CAAC;AAEH;;;;;GAKG;AACH,wBAAsB,0BAA0B,CAC9C,GAAG,EAAE,eAAe,CAAC,SAAS,CAAC,EAC/B,IAAI,EAAE;IACJ,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,qBAAqB,EAAE,CAAC;CACrC;;;;;;;;;;;;;;GA+FF"}

package/dist/component/checks.js

@@ -0,0 +1,184 @@
+import { queryGeneric, } from "convex/server";
+import { v } from "convex/values";
+import { evaluateAccess, hasExplicitDeny } from "./authz";
+import { evaluateEffectiveAccess, isSupersetAction, normalizeAuthorizationAncestors, } from "./effective";
+import { parseTokenIdentifier } from "../shared/token";
+import schema from "./schema";
+// Public WITHIN the component boundary: a component's functions are never
+// client-callable; only public functions are exported to the parent app, and
+// these checks are exactly the parent-facing API (internal builders are NOT
+// exported, so the SDK's runQuery would fail with "does not export").
+const query = queryGeneric;
+// Mirrors client/index.ts PERMISSION_RESOURCE_TYPE_SENTINEL: the SDK's
+// scopeFromResource extractor cannot know the canonical catalog resource type
+// of the checked permission, so it sends this sentinel and the gate below
+// substitutes the resolved permission's resourceType.
+const PERMISSION_RESOURCE_TYPE_SENTINEL = "__hercules_permission_resource_type__";
+const authorizationAncestorValidator = v.object({
+    resourceType: v.string(),
+    resourceId: v.string(),
+});
+const authorizationCheckValidator = v.object({
+    scopeId: v.optional(v.string()),
+    permission: v.string(),
+    resourceType: v.optional(v.string()),
+    resourceId: v.optional(v.string()),
+    ancestors: v.optional(v.array(authorizationAncestorValidator)),
+});
+export const authorize = query({
+    args: {
+        tokenIdentifier: v.optional(v.string()),
+        scopeId: v.optional(v.string()),
+        permission: v.optional(v.string()),
+        // DL16 resource grant support. When provided, authorize also walks
+        // resource-object grants targeting this resource. App code passes these
+        // via a scope extractor when the permission applies to a specific row.
+        resourceType: v.optional(v.string()),
+        resourceId: v.optional(v.string()),
+        ancestors: v.optional(v.array(authorizationAncestorValidator)),
+    },
+    handler: async (ctx, args) => {
+        if (!args.tokenIdentifier) {
+            return deny("missing_identity");
+        }
+        const token = parseTokenIdentifier(args.tokenIdentifier);
+        if (!token) {
+            return deny("invalid_identity");
+        }
+        const state = await ctx.db.query("sync_state").unique();
+        // Authenticated mode (no permission requested): the SDK already
+        // verified the JWT via Convex's auth provider before reaching us. If
+        // the mirror has not bootstrapped yet (no projection sync delivered),
+        // accept on token presence so cold-start flows like updateCurrentUser
+        // work. The issuer-match sanity check kicks in as soon as the first
+        // projection populates sync_state.
+        if (!args.permission) {
+            if (state && token.issuer !== state.expectedIssuer) {
+                return deny("unexpected_issuer");
+            }
+            return allow(state?.sourceVersion ?? 0, undefined, []);
+        }
+        return evaluatePermissionDecision(ctx, {
+            tokenIdentifier: args.tokenIdentifier,
+            scopeId: args.scopeId,
+            permission: args.permission,
+            resourceType: args.resourceType,
+            resourceId: args.resourceId,
+            ancestors: args.ancestors,
+        });
+    },
+});
+export const authorizeMany = query({
+    args: {
+        tokenIdentifier: v.optional(v.string()),
+        checks: v.array(authorizationCheckValidator),
+    },
+    handler: async (ctx, args) => {
+        if (args.checks.length > 50) {
+            throw new Error("authorizeMany accepts at most 50 checks");
+        }
+        return await Promise.all(args.checks.map((check) => evaluatePermissionDecision(ctx, {
+            tokenIdentifier: args.tokenIdentifier,
+            ...check,
+        })));
+    },
+});
+/**
+ * Resolve a single permission request to an allow/deny decision. This is the
+ * canonical permission gate, shared by the `authorize` query (the hot can()
+ * path) and the scope-admin list queries, so both apply identical wildcard,
+ * deny-override, and owner-only-lever semantics. Reads only the local mirror.
+ */
+export async function evaluatePermissionDecision(ctx, args) {
+    // Resolve the requested permission's canonical (resourceType, action) by
+    // catalog lookup rather than parsing the key string. The producer ships
+    // the structured columns verbatim, so this works for canonical
+    // (app.appointments:create), dot-action (reports.export), and namespaced
+    // keys alike without the runtime having to agree on slug grammar.
+    // Catalog permissions always live in the default scope (DL15). Resolved
+    // BEFORE the effective-access evaluation so the sentinel substitution below
+    // feeds the canonical type into the resource-grant walk.
+    const resolvedPermission = await findCatalogPermissionByKey(ctx, args.permission);
+    // scopeFromResource defers its resource type to the checked permission (it
+    // only sees the table row, not the catalog), so substitute the canonical
+    // catalog resourceType for the sentinel. Explicit resource refs keep their
+    // caller-provided type and the mismatch fence below.
+    const resourceType = args.resourceType === PERMISSION_RESOURCE_TYPE_SENTINEL
+        ? resolvedPermission?.resourceType
+        : args.resourceType;
+    const ancestors = normalizeAuthorizationAncestors(args.ancestors);
+    if (ancestors === null) {
+        return deny("invalid_request");
+    }
+    const evaluation = await evaluateEffectiveAccess(ctx, {
+        tokenIdentifier: args.tokenIdentifier,
+        scopeId: args.scopeId,
+        resourceType,
+        resourceId: args.resourceId,
+        ancestors,
+    });
+    if (!evaluation.allowed) {
+        return deny(evaluation.reasonCode, evaluation.sourceVersion, evaluation.principalId, evaluation.effectiveRoleIds);
+    }
+    if (!resolvedPermission) {
+        return deny("permission_missing", evaluation.sourceVersion, evaluation.principalId, evaluation.effectiveRoleIds);
+    }
+    // Requests carry concrete verbs only. A catalog permission whose action is
+    // manage/* would map a request onto a superset token, which the algebra
+    // does not special-case on the request side. Reject rather than evaluate.
+    // enumeratePermissions filters the same keys out of getEffectivePermissions
+    // (shared isSupersetAction), so the runtime never advertises a key this
+    // gate would then deny.
+    if (isSupersetAction(resolvedPermission.action) ||
+        (resourceType !== undefined && resourceType !== resolvedPermission.resourceType)) {
+        return deny("invalid_request", evaluation.sourceVersion, evaluation.principalId, evaluation.effectiveRoleIds);
+    }
+    const request = {
+        resourceType: resolvedPermission.resourceType,
+        action: resolvedPermission.action,
+        classification: resolvedPermission.classification,
+        objectId: args.resourceId,
+    };
+    const decision = evaluateAccess({
+        wildcard: evaluation.wildcard,
+        entries: evaluation.entries,
+        request,
+    });
+    if (decision === "allow") {
+        return allow(evaluation.sourceVersion ?? 0, evaluation.principalId, evaluation.effectiveRoleIds);
+    }
+    return deny("permission_denied", evaluation.sourceVersion, evaluation.principalId, evaluation.effectiveRoleIds, hasExplicitDeny(evaluation.entries, request));
+}
+async function findCatalogPermissionByKey(ctx, key) {
+    const defaultScope = await ctx.db
+        .query("scopes")
+        .withIndex("by_kind", (q) => q.eq("kind", "default"))
+        .unique();
+    if (!defaultScope)
+        return null;
+    return await ctx.db
+        .query("permissions")
+        .withIndex("by_scope_key", (q) => q.eq("accessScopeId", defaultScope.accessScopeId).eq("key", key))
+        .unique();
+}
+function allow(sourceVersion, principalId, effectiveRoleIds) {
+    return {
+        allowed: true,
+        reasonCode: "allowed",
+        explicitDeny: false,
+        sourceVersion,
+        principalId,
+        effectiveRoleIds,
+    };
+}
+function deny(reasonCode, sourceVersion, principalId, effectiveRoleIds, explicitDeny = false) {
+    return {
+        allowed: false,
+        reasonCode,
+        explicitDeny,
+        sourceVersion,
+        principalId,
+        effectiveRoleIds: effectiveRoleIds ?? [],
+    };
+}
+//# sourceMappingURL=checks.js.map

package/dist/component/checks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"checks.js","sourceRoot":"","sources":["../../src/component/checks.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,GAIb,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAClC,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAChB,+BAA+B,GAEhC,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,MAAM,MAAM,UAAU,CAAC;AAG9B,0EAA0E;AAC1E,6EAA6E;AAC7E,4EAA4E;AAC5E,sEAAsE;AACtE,MAAM,KAAK,GAAG,YAAiD,CAAC;AAEhE,uEAAuE;AACvE,8EAA8E;AAC9E,0EAA0E;AAC1E,sDAAsD;AACtD,MAAM,iCAAiC,GAAG,uCAAuC,CAAC;AAClF,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;IACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;CACvB,CAAC,CAAC;AACH,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAC/B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;IACtB,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACpC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAClC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;CAC/D,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,SAAS,GAAG,KAAK,CAAC;IAC7B,IAAI,EAAE;QACJ,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACvC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/B,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAClC,mEAAmE;QACnE,wEAAwE;QACxE,uEAAuE;QACvE,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACpC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAClC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;KAC/D;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAClC,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,CAAC;QAExD,gEAAgE;QAChE,qEAAqE;QACrE,sEAAsE;QACtE,sEAAsE;QACtE,oEAAoE;QACpE,mCAAmC;QACnC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,cAAc,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC,mBAAmB,CAAC,CAAC;YACnC,CAAC;YACD,OAAO,KAAK,CAAC,KAAK,EAAE,aAAa,IAAI,CAAC,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,0BAA0B,CAAC,GAAG,EAAE;YACrC,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,CAAC;IACjC,IAAI,EAAE;QACJ,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACvC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,2BAA2B,CAAC;KAC7C;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO,MAAM,OAAO,CAAC,GAAG,CACtB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CACxB,0BAA0B,CAAC,GAAG,EAAE;YAC9B,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,GAAG,KAAK;SACT,CAAC,CACH,CACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,GAA+B,EAC/B,IAOC;IAED,yEAAyE;IACzE,wEAAwE;IACxE,+DAA+D;IAC/D,yEAAyE;IACzE,kEAAkE;IAClE,wEAAwE;IACxE,4EAA4E;IAC5E,yDAAyD;IACzD,MAAM,kBAAkB,GAAG,MAAM,0BAA0B,CAAC,GAAG,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAElF,2EAA2E;IAC3E,yEAAyE;IACzE,2EAA2E;IAC3E,qDAAqD;IACrD,MAAM,YAAY,GAChB,IAAI,CAAC,YAAY,KAAK,iCAAiC;QACrD,CAAC,CAAC,kBAAkB,EAAE,YAAY;QAClC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC;IACxB,MAAM,SAAS,GAAG,+BAA+B,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAClE,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE;QACpD,eAAe,EAAE,IAAI,CAAC,eAAe;QACrC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,YAAY;QACZ,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,SAAS;KACV,CAAC,CAAC;IACH,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,OAAO,IAAI,CACT,UAAU,CAAC,UAAU,EACrB,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,WAAW,EACtB,UAAU,CAAC,gBAAgB,CAC5B,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,OAAO,IAAI,CACT,oBAAoB,EACpB,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,WAAW,EACtB,UAAU,CAAC,gBAAgB,CAC5B,CAAC;IACJ,CAAC;IAED,2EAA2E;IAC3E,wEAAwE;IACxE,0EAA0E;IAC1E,4EAA4E;IAC5E,wEAAwE;IACxE,wBAAwB;IACxB,IACE,gBAAgB,CAAC,kBAAkB,CAAC,MAAM,CAAC;QAC3C,CAAC,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,kBAAkB,CAAC,YAAY,CAAC,EAChF,CAAC;QACD,OAAO,IAAI,CACT,iBAAiB,EACjB,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,WAAW,EACtB,UAAU,CAAC,gBAAgB,CAC5B,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG;QACd,YAAY,EAAE,kBAAkB,CAAC,YAAY;QAC7C,MAAM,EAAE,kBAAkB,CAAC,MAAM;QACjC,cAAc,EAAE,kBAAkB,CAAC,cAAc;QACjD,QAAQ,EAAE,IAAI,CAAC,UAAU;KAC1B,CAAC;IACF,MAAM,QAAQ,GAAG,cAAc,CAAC;QAC9B,QAAQ,EAAE,UAAU,CAAC,QAAQ;QAC7B,OAAO,EAAE,UAAU,CAAC,OAAO;QAC3B,OAAO;KACR,CAAC,CAAC;IAEH,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,KAAK,CACV,UAAU,CAAC,aAAa,IAAI,CAAC,EAC7B,UAAU,CAAC,WAAW,EACtB,UAAU,CAAC,gBAAgB,CAC5B,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CACT,mBAAmB,EACnB,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,WAAW,EACtB,UAAU,CAAC,gBAAgB,EAC3B,eAAe,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAC7C,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,0BAA0B,CAAC,GAA+B,EAAE,GAAW;IACpF,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,EAAE;SAC9B,KAAK,CAAC,QAAQ,CAAC;SACf,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;SACpD,MAAM,EAAE,CAAC;IACZ,IAAI,CAAC,YAAY;QAAE,OAAO,IAAI,CAAC;IAC/B,OAAO,MAAM,GAAG,CAAC,EAAE;SAChB,KAAK,CAAC,aAAa,CAAC;SACpB,SAAS,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,EAAE,CAC/B,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,YAAY,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,CACjE;SACA,MAAM,EAAE,CAAC;AACd,CAAC;AAED,SAAS,KAAK,CAAC,aAAqB,EAAE,WAA+B,EAAE,gBAA0B;IAC/F,OAAO;QACL,OAAO,EAAE,IAAa;QACtB,UAAU,EAAE,SAAS;QACrB,YAAY,EAAE,KAAK;QACnB,aAAa;QACb,WAAW;QACX,gBAAgB;KACjB,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CACX,UAAkB,EAClB,aAAsB,EACtB,WAAoB,EACpB,gBAA2B,EAC3B,YAAY,GAAG,KAAK;IAEpB,OAAO;QACL,OAAO,EAAE,KAAc;QACvB,UAAU;QACV,YAAY;QACZ,aAAa;QACb,WAAW;QACX,gBAAgB,EAAE,gBAAgB,IAAI,EAAE;KACzC,CAAC;AACJ,CAAC"}

package/dist/component/convex.config.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("convex/server").ComponentDefinition<any>;
+export default _default;
+//# sourceMappingURL=convex.config.d.ts.map

package/dist/component/convex.config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"convex.config.d.ts","sourceRoot":"","sources":["../../src/component/convex.config.ts"],"names":[],"mappings":";AAEA,wBAA2C"}

package/dist/component/convex.config.js

@@ -0,0 +1,3 @@
+import { defineComponent } from "convex/server";
+export default defineComponent("hercules");
+//# sourceMappingURL=convex.config.js.map

package/dist/component/convex.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"convex.config.js","sourceRoot":"","sources":["../../src/component/convex.config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,eAAe,eAAe,CAAC,UAAU,CAAC,CAAC"}