@usehercules/convex 0.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +478 -0
- package/dist/_generated/component.d.ts +184 -0
- package/dist/_generated/component.d.ts.map +1 -0
- package/dist/_generated/component.js +11 -0
- package/dist/_generated/component.js.map +1 -0
- package/dist/checker/cli.d.ts +3 -0
- package/dist/checker/cli.d.ts.map +1 -0
- package/dist/checker/cli.js +71 -0
- package/dist/checker/cli.js.map +1 -0
- package/dist/checker/index.d.ts +28 -0
- package/dist/checker/index.d.ts.map +1 -0
- package/dist/checker/index.js +1928 -0
- package/dist/checker/index.js.map +1 -0
- package/dist/client/access-admin.d.ts +818 -0
- package/dist/client/access-admin.d.ts.map +1 -0
- package/dist/client/access-admin.js +1830 -0
- package/dist/client/access-admin.js.map +1 -0
- package/dist/client/http.d.ts +19 -0
- package/dist/client/http.d.ts.map +1 -0
- package/dist/client/http.js +76 -0
- package/dist/client/http.js.map +1 -0
- package/dist/client/index.d.ts +440 -0
- package/dist/client/index.d.ts.map +1 -0
- package/dist/client/index.js +654 -0
- package/dist/client/index.js.map +1 -0
- package/dist/component/authz.d.ts +114 -0
- package/dist/component/authz.d.ts.map +1 -0
- package/dist/component/authz.js +168 -0
- package/dist/component/authz.js.map +1 -0
- package/dist/component/checks.d.ts +86 -0
- package/dist/component/checks.d.ts.map +1 -0
- package/dist/component/checks.js +184 -0
- package/dist/component/checks.js.map +1 -0
- package/dist/component/convex.config.d.ts +3 -0
- package/dist/component/convex.config.d.ts.map +1 -0
- package/dist/component/convex.config.js +3 -0
- package/dist/component/convex.config.js.map +1 -0
- package/dist/component/effective.d.ts +82 -0
- package/dist/component/effective.d.ts.map +1 -0
- package/dist/component/effective.js +757 -0
- package/dist/component/effective.js.map +1 -0
- package/dist/component/queries.d.ts +170 -0
- package/dist/component/queries.d.ts.map +1 -0
- package/dist/component/queries.js +633 -0
- package/dist/component/queries.js.map +1 -0
- package/dist/component/schema.d.ts +258 -0
- package/dist/component/schema.d.ts.map +1 -0
- package/dist/component/schema.js +222 -0
- package/dist/component/schema.js.map +1 -0
- package/dist/component/sync.d.ts +85 -0
- package/dist/component/sync.d.ts.map +1 -0
- package/dist/component/sync.js +851 -0
- package/dist/component/sync.js.map +1 -0
- package/dist/shared/projection-protocol.d.ts +1624 -0
- package/dist/shared/projection-protocol.d.ts.map +1 -0
- package/dist/shared/projection-protocol.js +561 -0
- package/dist/shared/projection-protocol.js.map +1 -0
- package/dist/shared/sync.d.ts +24 -0
- package/dist/shared/sync.d.ts.map +1 -0
- package/dist/shared/sync.js +18 -0
- package/dist/shared/sync.js.map +1 -0
- package/dist/shared/token.d.ts +5 -0
- package/dist/shared/token.d.ts.map +1 -0
- package/dist/shared/token.js +19 -0
- package/dist/shared/token.js.map +1 -0
- package/package.json +89 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"projection-protocol.d.ts","sourceRoot":"","sources":["../../src/shared/projection-protocol.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,eAAO,MAAM,4BAA4B;;;EAA4B,CAAC;AACtE,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAElF,eAAO,MAAM,mCAAmC;;;EAG9C,CAAC;AACH,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CACjD,OAAO,mCAAmC,CAC3C,CAAC;AAEF,eAAO,MAAM,kCAAkC;;;;EAA2C,CAAC;AAC3F,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kCAAkC,CAAC,CAAC;AAE9F,eAAO,MAAM,8CAA8C;;;EAAsC,CAAC;AAClG,MAAM,MAAM,wCAAwC,GAAG,CAAC,CAAC,KAAK,CAC5D,OAAO,8CAA8C,CACtD,CAAC;AAEF,eAAO,MAAM,+BAA+B;;;;EAAsC,CAAC;AACnF,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAExF,eAAO,MAAM,iCAAiC;;;EAAiC,CAAC;AAChF,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAE5F,eAAO,MAAM,sCAAsC;;;;;EAKjD,CAAC;AACH,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CACpD,OAAO,sCAAsC,CAC9C,CAAC;AAMF,eAAO,MAAM,qCAAqC;;;;;;EAMhD,CAAC;AACH,MAAM,MAAM,+BAA+B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qCAAqC,CAAC,CAAC;AAGpG,eAAO,MAAM,oBAAoB;;;;;;;;;kBAS/B,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAKlE,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;kBAOtC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAGhF,eAAO,MAAM,iCAAiC;;;;;;;;;;;kBAQ5C,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAG5F,eAAO,MAAM,qCAAqC;;;;;;;;kBAKhD,CAAC;AACH,MAAM,MAAM,+BAA+B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qCAAqC,CAAC,CAAC;AAEpG,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAIlC,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAGxE,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;kBAQxC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAEpF,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAiClC,CAAC;AACL,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E,eAAO,MAAM,mCAAmC;;;;kBAI9C,CAAC;AACH,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mCAAmC,CAAC,CAAC;AAIhG,eAAO,MAAM,+BAA+B;;;;;;;;kBAY1C,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAGxF,eAAO,MAAM,2CAA2C;;;;;;;;;kBAMtD,CAAC;AACH,MAAM,MAAM,qCAAqC,GAAG,CAAC,CAAC,KAAK,CACzD,OAAO,2CAA2C,CACnD,CAAC;AAIF,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;kBAqB3C,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gCAAgC,CAAC,CAAC;AAI1F,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;kBAkC/C,CAAC;AACL,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CACpD,OAAO,sCAAsC,CAC9C,CAAC;AAsCF,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAY9B,CAAC;AACL,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAMpE,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA2CvC,CAAC;AACL,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAOtF,eAAO,MAAM,+BAA+B;;;EAA+B,CAAC;AAC5E,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAExF,eAAO,MAAM,0BAA0B;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAI9E,eAAO,MAAM,0BAA0B;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAE9E,eAAO,MAAM,gCAAgC;;;;;;;kBAI3C,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gCAAgC,CAAC,CAAC;AAE1F,eAAO,MAAM,oCAAoC;;;;;;;;kBAK/C,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oCAAoC,CAAC,CAAC;AAElG,eAAO,MAAM,+BAA+B;;;;;;;kBAI1C,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAExF,eAAO,MAAM,+BAA+B;;;;;;;kBAI1C,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAExF,eAAO,MAAM,yCAAyC;;;;;;;;kBAKpD,CAAC;AACH,MAAM,MAAM,mCAAmC,GAAG,CAAC,CAAC,KAAK,CACvD,OAAO,yCAAyC,CACjD,CAAC;AAEF,eAAO,MAAM,4CAA4C;;;;;;;;;kBAMvD,CAAC;AACH,MAAM,MAAM,sCAAsC,GAAG,CAAC,CAAC,KAAK,CAC1D,OAAO,4CAA4C,CACpD,CAAC;AAEF,eAAO,MAAM,iCAAiC;;;;;;;kBAI5C,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAE5F,eAAO,MAAM,uCAAuC;;;;;;;kBAIlD,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CACrD,OAAO,uCAAuC,CAC/C,CAAC;AAKF,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;kCAIxC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAEpF,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAQtC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEhF,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAWjC,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AACtE,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;AAKlE,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAKvC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAGlF,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAK5E,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAqCnC,CAAC;AACL,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAO9E,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAyDpC,CAAC;AACL,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEhF,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oBAG5C,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC"}
|
|
@@ -0,0 +1,561 @@
|
|
|
1
|
+
// Hercules Access Control projection wire protocol — v3 (schemaVersion 3).
|
|
2
|
+
//
|
|
3
|
+
// CONSUMER side. This module mirrors, as zod schemas, the producer-side source of
|
|
4
|
+
// truth at packages/backend-shared/src/access-control/projection-protocol.ts in the
|
|
5
|
+
// hercules platform repo. Shared golden fixtures prove the two agree.
|
|
6
|
+
//
|
|
7
|
+
// Two payload kinds:
|
|
8
|
+
// • snapshot — bootstrap ("initialize") or destructive rebuild ("reset"). ONE
|
|
9
|
+
// aggregate, applied atomically, default scope first.
|
|
10
|
+
// • event — normal delivery. A stored, complete, valid delta at an exact
|
|
11
|
+
// sourceVersion.
|
|
12
|
+
//
|
|
13
|
+
// Layout rules (load-bearing): the deployment-wide catalog (reusable roles,
|
|
14
|
+
// permissions, base role permissions) and deployment-wide users live at the TOP
|
|
15
|
+
// LEVEL and are NEVER duplicated per scope. Each scope carries only its own runtime
|
|
16
|
+
// state (principals, memberships, tenant roles, per-scope overrides, role bindings,
|
|
17
|
+
// permission bindings).
|
|
18
|
+
import { z } from "zod";
|
|
19
|
+
// ── leaf enums ────────────────────────────────────────────────────────────────
|
|
20
|
+
export const accessProjectionEffectSchema = z.enum(["allow", "deny"]);
|
|
21
|
+
export const accessProjectionApplicabilitySchema = z.enum([
|
|
22
|
+
"self",
|
|
23
|
+
"self_and_descendants",
|
|
24
|
+
]);
|
|
25
|
+
export const accessProjectionWildcardModeSchema = z.enum(["none", "immutable", "default"]);
|
|
26
|
+
export const accessProjectionPermissionClassificationSchema = z.enum(["delegable", "owner_only"]);
|
|
27
|
+
export const accessProjectionScopeKindSchema = z.enum(["default", "org", "suite"]);
|
|
28
|
+
export const accessProjectionScopeStatusSchema = z.enum(["active", "disabled"]);
|
|
29
|
+
export const accessProjectionAccountEntryModeSchema = z.enum([
|
|
30
|
+
"open",
|
|
31
|
+
"allowlisted_only",
|
|
32
|
+
"invite_only",
|
|
33
|
+
"approval_required",
|
|
34
|
+
]);
|
|
35
|
+
// "blocked" and "pending_approval" are POLICY states (admission reconciliation
|
|
36
|
+
// may move principals among active/pending_approval/blocked). "suspended" and
|
|
37
|
+
// "removed" are MANUAL states (admin suspension/eviction) that reconciliation
|
|
38
|
+
// must never touch; only an explicit manual action brings such a principal back.
|
|
39
|
+
export const accessProjectionPrincipalStatusSchema = z.enum([
|
|
40
|
+
"active",
|
|
41
|
+
"blocked",
|
|
42
|
+
"suspended",
|
|
43
|
+
"pending_approval",
|
|
44
|
+
"removed",
|
|
45
|
+
]);
|
|
46
|
+
// ── deployment-wide identity ─────────────────────────────────────────────────
|
|
47
|
+
export const projectionUserSchema = z.strictObject({
|
|
48
|
+
herculesAuthUserId: z.string().min(1),
|
|
49
|
+
name: z.string(),
|
|
50
|
+
email: z.string().min(1),
|
|
51
|
+
emailVerified: z.boolean(),
|
|
52
|
+
image: z.string().optional(),
|
|
53
|
+
phone: z.string().optional(),
|
|
54
|
+
phoneVerified: z.boolean(),
|
|
55
|
+
updatedAt: z.number().int().nonnegative(),
|
|
56
|
+
});
|
|
57
|
+
// ── deployment-wide catalog (NEVER duplicated per scope) ──────────────────────
|
|
58
|
+
// `baseWildcard` is the role's INTRINSIC wildcard mode only. The EFFECTIVE
|
|
59
|
+
// wildcard is derived per scope by the consumer and is never on the wire.
|
|
60
|
+
export const projectionCatalogRoleSchema = z.strictObject({
|
|
61
|
+
roleId: z.string().min(1),
|
|
62
|
+
key: z.string().min(1),
|
|
63
|
+
source: z.enum(["system", "iam"]),
|
|
64
|
+
name: z.string().min(1),
|
|
65
|
+
baseWildcard: accessProjectionWildcardModeSchema,
|
|
66
|
+
updatedAt: z.number().int().nonnegative(),
|
|
67
|
+
});
|
|
68
|
+
// Deployment-owned permission catalog. `classification` drives owner-only gating.
|
|
69
|
+
export const projectionCatalogPermissionSchema = z.strictObject({
|
|
70
|
+
permissionId: z.string().min(1),
|
|
71
|
+
key: z.string().min(1),
|
|
72
|
+
resourceType: z.string().min(1),
|
|
73
|
+
action: z.string().min(1),
|
|
74
|
+
classification: accessProjectionPermissionClassificationSchema,
|
|
75
|
+
tenantAssignable: z.boolean(),
|
|
76
|
+
updatedAt: z.number().int().nonnegative(),
|
|
77
|
+
});
|
|
78
|
+
// Base role→permission mapping (deployment-wide; the catalog definition).
|
|
79
|
+
export const projectionCatalogRolePermissionSchema = z.strictObject({
|
|
80
|
+
roleId: z.string().min(1),
|
|
81
|
+
permissionId: z.string().min(1),
|
|
82
|
+
effect: accessProjectionEffectSchema,
|
|
83
|
+
updatedAt: z.number().int().nonnegative(),
|
|
84
|
+
});
|
|
85
|
+
export const projectionCatalogSchema = z.strictObject({
|
|
86
|
+
roles: z.array(projectionCatalogRoleSchema),
|
|
87
|
+
permissions: z.array(projectionCatalogPermissionSchema),
|
|
88
|
+
rolePermissions: z.array(projectionCatalogRolePermissionSchema),
|
|
89
|
+
});
|
|
90
|
+
// ── per-scope state ───────────────────────────────────────────────────────────
|
|
91
|
+
export const projectionScopeMetadataSchema = z.strictObject({
|
|
92
|
+
accessScopeId: z.string().min(1),
|
|
93
|
+
name: z.string().min(1),
|
|
94
|
+
kind: accessProjectionScopeKindSchema,
|
|
95
|
+
status: accessProjectionScopeStatusSchema,
|
|
96
|
+
accountEntryMode: accessProjectionAccountEntryModeSchema,
|
|
97
|
+
defaultRoleId: z.string().min(1),
|
|
98
|
+
updatedAt: z.number().int().nonnegative(),
|
|
99
|
+
});
|
|
100
|
+
export const projectionPrincipalSchema = z
|
|
101
|
+
.strictObject({
|
|
102
|
+
principalId: z.string().min(1),
|
|
103
|
+
type: z.enum(["user", "group"]),
|
|
104
|
+
herculesAuthUserId: z.string().min(1).optional(),
|
|
105
|
+
// Display name for a `group` principal (e.g. "Engineering"). A user
|
|
106
|
+
// principal's display name lives on the deployment-wide user row and is
|
|
107
|
+
// never carried here; consumers ignore this field for user principals.
|
|
108
|
+
name: z.string().min(1).optional(),
|
|
109
|
+
status: accessProjectionPrincipalStatusSchema,
|
|
110
|
+
joinedAt: z.number().int().nonnegative(),
|
|
111
|
+
updatedAt: z.number().int().nonnegative(),
|
|
112
|
+
})
|
|
113
|
+
// E1 (impersonation fence): the herculesAuthUserId is the identity key the
|
|
114
|
+
// evaluator resolves a caller to (by_scope_auth_user). A `user` principal MUST
|
|
115
|
+
// carry it; a `group` principal MUST NOT. A group principal smuggling a
|
|
116
|
+
// victim's herculesAuthUserId on a malformed payload would otherwise be
|
|
117
|
+
// resolved as that user. Fail closed at the parse boundary.
|
|
118
|
+
.superRefine((principal, ctx) => {
|
|
119
|
+
if (principal.type === "user" && principal.herculesAuthUserId === undefined) {
|
|
120
|
+
ctx.addIssue({
|
|
121
|
+
code: "custom",
|
|
122
|
+
path: ["herculesAuthUserId"],
|
|
123
|
+
message: "A user principal requires a herculesAuthUserId",
|
|
124
|
+
});
|
|
125
|
+
}
|
|
126
|
+
if (principal.type === "group" && principal.herculesAuthUserId !== undefined) {
|
|
127
|
+
ctx.addIssue({
|
|
128
|
+
code: "custom",
|
|
129
|
+
path: ["herculesAuthUserId"],
|
|
130
|
+
message: "A group principal must not carry a herculesAuthUserId",
|
|
131
|
+
});
|
|
132
|
+
}
|
|
133
|
+
});
|
|
134
|
+
export const projectionPrincipalMembershipSchema = z.strictObject({
|
|
135
|
+
groupPrincipalId: z.string().min(1),
|
|
136
|
+
memberPrincipalId: z.string().min(1),
|
|
137
|
+
updatedAt: z.number().int().nonnegative(),
|
|
138
|
+
});
|
|
139
|
+
// Org-authored role owned by THIS scope (source='tenant'). `baseWildcard` is
|
|
140
|
+
// always "none" for tenant roles; kept for shape parity with catalog roles.
|
|
141
|
+
export const projectionScopeTenantRoleSchema = z.strictObject({
|
|
142
|
+
roleId: z.string().min(1),
|
|
143
|
+
accessScopeId: z.string().min(1),
|
|
144
|
+
key: z.string().min(1),
|
|
145
|
+
source: z.literal("tenant"),
|
|
146
|
+
name: z.string().min(1),
|
|
147
|
+
// E2 (tenant role wildcard fence): a tenant (org-authored) role is ALWAYS a
|
|
148
|
+
// non-wildcard role. The effective wildcard derivation (resolvePrincipalWildcard)
|
|
149
|
+
// trusts baseWildcard, so a tenant role carrying "default"/"immutable" on a
|
|
150
|
+
// malformed payload could become Admin/Owner-equivalent. Pin it to "none".
|
|
151
|
+
baseWildcard: z.literal("none"),
|
|
152
|
+
updatedAt: z.number().int().nonnegative(),
|
|
153
|
+
});
|
|
154
|
+
// One scope's override of a reusable role's base mapping. Layered over the base map.
|
|
155
|
+
export const projectionScopeRolePermissionOverrideSchema = z.strictObject({
|
|
156
|
+
accessScopeId: z.string().min(1),
|
|
157
|
+
roleId: z.string().min(1),
|
|
158
|
+
permissionId: z.string().min(1),
|
|
159
|
+
effect: accessProjectionEffectSchema,
|
|
160
|
+
updatedAt: z.number().int().nonnegative(),
|
|
161
|
+
});
|
|
162
|
+
// A role assigned to a principal. (resourceType, resourceId) target:
|
|
163
|
+
// (∅,∅)=scope, (type,∅)=type-wide, (type,id)=one exact resource.
|
|
164
|
+
export const projectionScopeRoleBindingSchema = z.strictObject({
|
|
165
|
+
bindingId: z.string().min(1),
|
|
166
|
+
subjectPrincipalId: z.string().min(1),
|
|
167
|
+
roleId: z.string().min(1),
|
|
168
|
+
accessScopeId: z.string().min(1),
|
|
169
|
+
resourceType: z.string().min(1).optional(),
|
|
170
|
+
resourceId: z.string().min(1).optional(),
|
|
171
|
+
appliesTo: accessProjectionApplicabilitySchema.default("self"),
|
|
172
|
+
expiresAt: z.number().int().nonnegative().optional(),
|
|
173
|
+
updatedAt: z.number().int().nonnegative(),
|
|
174
|
+
}).superRefine((binding, ctx) => {
|
|
175
|
+
if (binding.appliesTo === "self_and_descendants" &&
|
|
176
|
+
(binding.resourceType === undefined || binding.resourceId === undefined)) {
|
|
177
|
+
ctx.addIssue({
|
|
178
|
+
code: "custom",
|
|
179
|
+
path: ["appliesTo"],
|
|
180
|
+
message: "Descendant applicability requires an exact resource",
|
|
181
|
+
});
|
|
182
|
+
}
|
|
183
|
+
});
|
|
184
|
+
// Direct permission authority. Exactly one subject: subjectPrincipalId XOR
|
|
185
|
+
// subjectRoleId. Same nullable (resourceType, resourceId) target shape.
|
|
186
|
+
export const projectionScopePermissionBindingSchema = z
|
|
187
|
+
.strictObject({
|
|
188
|
+
bindingId: z.string().min(1),
|
|
189
|
+
subjectPrincipalId: z.string().min(1).optional(),
|
|
190
|
+
subjectRoleId: z.string().min(1).optional(),
|
|
191
|
+
permissionId: z.string().min(1),
|
|
192
|
+
effect: accessProjectionEffectSchema,
|
|
193
|
+
accessScopeId: z.string().min(1),
|
|
194
|
+
resourceType: z.string().min(1).optional(),
|
|
195
|
+
resourceId: z.string().min(1).optional(),
|
|
196
|
+
appliesTo: accessProjectionApplicabilitySchema.default("self"),
|
|
197
|
+
expiresAt: z.number().int().nonnegative().optional(),
|
|
198
|
+
updatedAt: z.number().int().nonnegative(),
|
|
199
|
+
})
|
|
200
|
+
.superRefine((binding, ctx) => {
|
|
201
|
+
const subjectCount = [binding.subjectPrincipalId, binding.subjectRoleId].filter((value) => value !== undefined).length;
|
|
202
|
+
if (subjectCount !== 1) {
|
|
203
|
+
ctx.addIssue({
|
|
204
|
+
code: "custom",
|
|
205
|
+
message: "Exactly one permission binding subject is required (principal XOR role)",
|
|
206
|
+
});
|
|
207
|
+
}
|
|
208
|
+
if (binding.appliesTo === "self_and_descendants" &&
|
|
209
|
+
(binding.resourceType === undefined || binding.resourceId === undefined)) {
|
|
210
|
+
ctx.addIssue({
|
|
211
|
+
code: "custom",
|
|
212
|
+
path: ["appliesTo"],
|
|
213
|
+
message: "Descendant applicability requires an exact resource",
|
|
214
|
+
});
|
|
215
|
+
}
|
|
216
|
+
});
|
|
217
|
+
// E4 (cross-scope escalation fence): every embedded row that names an
|
|
218
|
+
// accessScopeId (tenant roles, role-permission overrides, role bindings,
|
|
219
|
+
// permission bindings) MUST belong to the enclosing scope. A scope-A block that
|
|
220
|
+
// nests a scope-B-targeted binding would otherwise be applied verbatim and grant
|
|
221
|
+
// authority in scope B (the apply pins to the enclosing scope after this fix, but
|
|
222
|
+
// we ALSO reject the malformed payload at the parse boundary). Reused by both the
|
|
223
|
+
// snapshot scope and the scope delta.
|
|
224
|
+
function assertEmbeddedScopePinned(enclosingScopeId, embedded, ctx) {
|
|
225
|
+
const checkArray = (field) => {
|
|
226
|
+
for (const [index, row] of embedded[field].entries()) {
|
|
227
|
+
if (row.accessScopeId !== enclosingScopeId) {
|
|
228
|
+
ctx.addIssue({
|
|
229
|
+
code: "custom",
|
|
230
|
+
path: [field, index, "accessScopeId"],
|
|
231
|
+
message: `Embedded ${field} accessScopeId must equal the enclosing scope`,
|
|
232
|
+
});
|
|
233
|
+
}
|
|
234
|
+
}
|
|
235
|
+
};
|
|
236
|
+
checkArray("roles");
|
|
237
|
+
checkArray("rolePermissionOverrides");
|
|
238
|
+
checkArray("roleBindings");
|
|
239
|
+
checkArray("permissionBindings");
|
|
240
|
+
}
|
|
241
|
+
export const projectionScopeSchema = z
|
|
242
|
+
.strictObject({
|
|
243
|
+
scope: projectionScopeMetadataSchema,
|
|
244
|
+
principals: z.array(projectionPrincipalSchema),
|
|
245
|
+
principalMemberships: z.array(projectionPrincipalMembershipSchema),
|
|
246
|
+
roles: z.array(projectionScopeTenantRoleSchema),
|
|
247
|
+
rolePermissionOverrides: z.array(projectionScopeRolePermissionOverrideSchema),
|
|
248
|
+
roleBindings: z.array(projectionScopeRoleBindingSchema),
|
|
249
|
+
permissionBindings: z.array(projectionScopePermissionBindingSchema),
|
|
250
|
+
})
|
|
251
|
+
.superRefine((entry, ctx) => {
|
|
252
|
+
assertEmbeddedScopePinned(entry.scope.accessScopeId, entry, ctx);
|
|
253
|
+
});
|
|
254
|
+
// ── snapshot (bootstrap / reset) ──────────────────────────────────────────────
|
|
255
|
+
// Top-level order: metadata, deployment-wide catalog, deployment-wide users, then
|
|
256
|
+
// scopes (default scope first, then every organization/suite scope). Applied
|
|
257
|
+
// atomically: no scope becomes visible before the whole snapshot commits.
|
|
258
|
+
export const accessProjectionSnapshotSchema = z
|
|
259
|
+
.strictObject({
|
|
260
|
+
type: z.literal("access.projection.snapshot"),
|
|
261
|
+
schemaVersion: z.literal(3),
|
|
262
|
+
eventId: z.string().min(1),
|
|
263
|
+
mode: z.enum(["initialize", "reset"]),
|
|
264
|
+
sourceVersion: z.number().int().nonnegative(),
|
|
265
|
+
expectedIssuer: z.string().min(1),
|
|
266
|
+
catalog: projectionCatalogSchema,
|
|
267
|
+
users: z.array(projectionUserSchema),
|
|
268
|
+
scopes: z.array(projectionScopeSchema).min(1),
|
|
269
|
+
})
|
|
270
|
+
.superRefine((payload, ctx) => {
|
|
271
|
+
const scopeIds = new Set();
|
|
272
|
+
let defaultScopeCount = 0;
|
|
273
|
+
for (const [index, entry] of payload.scopes.entries()) {
|
|
274
|
+
const scopeId = entry.scope.accessScopeId;
|
|
275
|
+
if (scopeIds.has(scopeId)) {
|
|
276
|
+
ctx.addIssue({
|
|
277
|
+
code: "custom",
|
|
278
|
+
path: ["scopes", index, "scope", "accessScopeId"],
|
|
279
|
+
message: "Projection snapshot scope ids must be unique",
|
|
280
|
+
});
|
|
281
|
+
}
|
|
282
|
+
scopeIds.add(scopeId);
|
|
283
|
+
if (entry.scope.kind === "default") {
|
|
284
|
+
defaultScopeCount += 1;
|
|
285
|
+
if (index !== 0) {
|
|
286
|
+
ctx.addIssue({
|
|
287
|
+
code: "custom",
|
|
288
|
+
path: ["scopes", index, "scope", "kind"],
|
|
289
|
+
message: "The default scope must be first",
|
|
290
|
+
});
|
|
291
|
+
}
|
|
292
|
+
}
|
|
293
|
+
}
|
|
294
|
+
if (defaultScopeCount !== 1) {
|
|
295
|
+
ctx.addIssue({
|
|
296
|
+
code: "custom",
|
|
297
|
+
path: ["scopes"],
|
|
298
|
+
message: "Exactly one default scope is required",
|
|
299
|
+
});
|
|
300
|
+
}
|
|
301
|
+
});
|
|
302
|
+
// ── event change identities (discriminated by entityType) ─────────────────────
|
|
303
|
+
// A change identity is the entity's STABLE natural key — never an opaque composite
|
|
304
|
+
// string, and never a mutable column. role_permission identity is (roleId,
|
|
305
|
+
// permissionId), NOT effect; override identity excludes effect; membership identity
|
|
306
|
+
// is the pair of principal ids.
|
|
307
|
+
export const projectionChangeOperationSchema = z.enum(["upsert", "delete"]);
|
|
308
|
+
export const projectionUserChangeSchema = z.strictObject({
|
|
309
|
+
entityType: z.literal("user"),
|
|
310
|
+
herculesAuthUserId: z.string().min(1),
|
|
311
|
+
operation: projectionChangeOperationSchema,
|
|
312
|
+
});
|
|
313
|
+
// Catalog (reusable) role in a catalog delta; tenant role in a scope delta. Same
|
|
314
|
+
// identity (roleId); the enclosing block selects which role table it matches.
|
|
315
|
+
export const projectionRoleChangeSchema = z.strictObject({
|
|
316
|
+
entityType: z.literal("role"),
|
|
317
|
+
roleId: z.string().min(1),
|
|
318
|
+
operation: projectionChangeOperationSchema,
|
|
319
|
+
});
|
|
320
|
+
export const projectionPermissionChangeSchema = z.strictObject({
|
|
321
|
+
entityType: z.literal("permission"),
|
|
322
|
+
permissionId: z.string().min(1),
|
|
323
|
+
operation: projectionChangeOperationSchema,
|
|
324
|
+
});
|
|
325
|
+
export const projectionRolePermissionChangeSchema = z.strictObject({
|
|
326
|
+
entityType: z.literal("role_permission"),
|
|
327
|
+
roleId: z.string().min(1),
|
|
328
|
+
permissionId: z.string().min(1),
|
|
329
|
+
operation: projectionChangeOperationSchema,
|
|
330
|
+
});
|
|
331
|
+
export const projectionScopeMetaChangeSchema = z.strictObject({
|
|
332
|
+
entityType: z.literal("scope"),
|
|
333
|
+
accessScopeId: z.string().min(1),
|
|
334
|
+
operation: projectionChangeOperationSchema,
|
|
335
|
+
});
|
|
336
|
+
export const projectionPrincipalChangeSchema = z.strictObject({
|
|
337
|
+
entityType: z.literal("principal"),
|
|
338
|
+
principalId: z.string().min(1),
|
|
339
|
+
operation: projectionChangeOperationSchema,
|
|
340
|
+
});
|
|
341
|
+
export const projectionPrincipalMembershipChangeSchema = z.strictObject({
|
|
342
|
+
entityType: z.literal("principal_membership"),
|
|
343
|
+
groupPrincipalId: z.string().min(1),
|
|
344
|
+
memberPrincipalId: z.string().min(1),
|
|
345
|
+
operation: projectionChangeOperationSchema,
|
|
346
|
+
});
|
|
347
|
+
export const projectionRolePermissionOverrideChangeSchema = z.strictObject({
|
|
348
|
+
entityType: z.literal("role_permission_override"),
|
|
349
|
+
accessScopeId: z.string().min(1),
|
|
350
|
+
roleId: z.string().min(1),
|
|
351
|
+
permissionId: z.string().min(1),
|
|
352
|
+
operation: projectionChangeOperationSchema,
|
|
353
|
+
});
|
|
354
|
+
export const projectionRoleBindingChangeSchema = z.strictObject({
|
|
355
|
+
entityType: z.literal("role_binding"),
|
|
356
|
+
bindingId: z.string().min(1),
|
|
357
|
+
operation: projectionChangeOperationSchema,
|
|
358
|
+
});
|
|
359
|
+
export const projectionPermissionBindingChangeSchema = z.strictObject({
|
|
360
|
+
entityType: z.literal("permission_binding"),
|
|
361
|
+
bindingId: z.string().min(1),
|
|
362
|
+
operation: projectionChangeOperationSchema,
|
|
363
|
+
});
|
|
364
|
+
// Each delta block accepts only its own entity kinds (contract point 3, enforced at
|
|
365
|
+
// the type level here by the discriminated union; revalidated at runtime by the
|
|
366
|
+
// integrity superRefine below).
|
|
367
|
+
export const projectionCatalogChangeSchema = z.discriminatedUnion("entityType", [
|
|
368
|
+
projectionRoleChangeSchema,
|
|
369
|
+
projectionPermissionChangeSchema,
|
|
370
|
+
projectionRolePermissionChangeSchema,
|
|
371
|
+
]);
|
|
372
|
+
export const projectionScopeChangeSchema = z.discriminatedUnion("entityType", [
|
|
373
|
+
projectionScopeMetaChangeSchema,
|
|
374
|
+
projectionPrincipalChangeSchema,
|
|
375
|
+
projectionPrincipalMembershipChangeSchema,
|
|
376
|
+
projectionRoleChangeSchema,
|
|
377
|
+
projectionRolePermissionOverrideChangeSchema,
|
|
378
|
+
projectionRoleBindingChangeSchema,
|
|
379
|
+
projectionPermissionBindingChangeSchema,
|
|
380
|
+
]);
|
|
381
|
+
export const projectionChangeSchema = z.discriminatedUnion("entityType", [
|
|
382
|
+
projectionUserChangeSchema,
|
|
383
|
+
projectionRoleChangeSchema,
|
|
384
|
+
projectionPermissionChangeSchema,
|
|
385
|
+
projectionRolePermissionChangeSchema,
|
|
386
|
+
projectionScopeMetaChangeSchema,
|
|
387
|
+
projectionPrincipalChangeSchema,
|
|
388
|
+
projectionPrincipalMembershipChangeSchema,
|
|
389
|
+
projectionRolePermissionOverrideChangeSchema,
|
|
390
|
+
projectionRoleBindingChangeSchema,
|
|
391
|
+
projectionPermissionBindingChangeSchema,
|
|
392
|
+
]);
|
|
393
|
+
// ── event delta blocks ────────────────────────────────────────────────────────
|
|
394
|
+
// Deployment-wide catalog delta (e.g. an iam.jsonc apply). `changes` only names
|
|
395
|
+
// catalog entity types (role/permission/role_permission).
|
|
396
|
+
export const projectionCatalogDeltaSchema = z.strictObject({
|
|
397
|
+
changes: z.array(projectionCatalogChangeSchema),
|
|
398
|
+
roles: z.array(projectionCatalogRoleSchema),
|
|
399
|
+
permissions: z.array(projectionCatalogPermissionSchema),
|
|
400
|
+
rolePermissions: z.array(projectionCatalogRolePermissionSchema),
|
|
401
|
+
});
|
|
402
|
+
// Deployment-wide user delta (profile changes). `changes` only names `user`.
|
|
403
|
+
export const projectionUserDeltaSchema = z.strictObject({
|
|
404
|
+
changes: z.array(projectionUserChangeSchema),
|
|
405
|
+
users: z.array(projectionUserSchema),
|
|
406
|
+
});
|
|
407
|
+
// One scope's delta. `scope` is present when the scope metadata is upserted
|
|
408
|
+
// (including scope creation); a scope deletion is a `changes` entry with
|
|
409
|
+
// entityType `scope`, operation `delete`, and the scope's accessScopeId.
|
|
410
|
+
export const projectionScopeDeltaSchema = z
|
|
411
|
+
.strictObject({
|
|
412
|
+
accessScopeId: z.string().min(1),
|
|
413
|
+
scope: projectionScopeMetadataSchema.optional(),
|
|
414
|
+
changes: z.array(projectionScopeChangeSchema),
|
|
415
|
+
principals: z.array(projectionPrincipalSchema),
|
|
416
|
+
principalMemberships: z.array(projectionPrincipalMembershipSchema),
|
|
417
|
+
roles: z.array(projectionScopeTenantRoleSchema),
|
|
418
|
+
rolePermissionOverrides: z.array(projectionScopeRolePermissionOverrideSchema),
|
|
419
|
+
roleBindings: z.array(projectionScopeRoleBindingSchema),
|
|
420
|
+
permissionBindings: z.array(projectionScopePermissionBindingSchema),
|
|
421
|
+
})
|
|
422
|
+
// E4 (cross-scope escalation fence): the delta names one enclosing scope, and
|
|
423
|
+
// every embedded row plus every scope-change identity that carries an
|
|
424
|
+
// accessScopeId MUST equal it. The `scope` metadata row (when present) must
|
|
425
|
+
// describe this same scope.
|
|
426
|
+
.superRefine((delta, ctx) => {
|
|
427
|
+
assertEmbeddedScopePinned(delta.accessScopeId, delta, ctx);
|
|
428
|
+
if (delta.scope !== undefined && delta.scope.accessScopeId !== delta.accessScopeId) {
|
|
429
|
+
ctx.addIssue({
|
|
430
|
+
code: "custom",
|
|
431
|
+
path: ["scope", "accessScopeId"],
|
|
432
|
+
message: "Embedded scope metadata accessScopeId must equal the enclosing scope",
|
|
433
|
+
});
|
|
434
|
+
}
|
|
435
|
+
for (const [index, change] of delta.changes.entries()) {
|
|
436
|
+
if ((change.entityType === "scope" || change.entityType === "role_permission_override") &&
|
|
437
|
+
change.accessScopeId !== delta.accessScopeId) {
|
|
438
|
+
ctx.addIssue({
|
|
439
|
+
code: "custom",
|
|
440
|
+
path: ["changes", index, "accessScopeId"],
|
|
441
|
+
message: "Scope change accessScopeId must equal the enclosing scope",
|
|
442
|
+
});
|
|
443
|
+
}
|
|
444
|
+
}
|
|
445
|
+
});
|
|
446
|
+
// ── event (normal delivery) ──────────────────────────────────────────────────
|
|
447
|
+
// A stored event is ALWAYS complete and valid: every `upsert` change ships its full
|
|
448
|
+
// row in the matching array; every `delete` change ships only its id. At least one
|
|
449
|
+
// of catalog/users/scopes is present, and the integrity rule (contract point C3) is
|
|
450
|
+
// enforced by the superRefine, mirroring `assertProjectionEventIntegrity`.
|
|
451
|
+
export const accessProjectionEventSchema = z
|
|
452
|
+
.strictObject({
|
|
453
|
+
type: z.literal("access.projection.event"),
|
|
454
|
+
schemaVersion: z.literal(3),
|
|
455
|
+
eventId: z.string().min(1),
|
|
456
|
+
sourceVersion: z.number().int().nonnegative(),
|
|
457
|
+
catalog: projectionCatalogDeltaSchema.optional(),
|
|
458
|
+
users: projectionUserDeltaSchema.optional(),
|
|
459
|
+
scopes: z.array(projectionScopeDeltaSchema).optional(),
|
|
460
|
+
})
|
|
461
|
+
.superRefine((event, ctx) => {
|
|
462
|
+
if (event.catalog === undefined && event.users === undefined && event.scopes === undefined) {
|
|
463
|
+
ctx.addIssue({
|
|
464
|
+
code: "custom",
|
|
465
|
+
message: "event has no catalog, users, or scopes delta block",
|
|
466
|
+
});
|
|
467
|
+
}
|
|
468
|
+
const checkRows = (path, change, matches) => {
|
|
469
|
+
if (change.operation === "upsert" && matches !== 1) {
|
|
470
|
+
ctx.addIssue({
|
|
471
|
+
code: "custom",
|
|
472
|
+
path,
|
|
473
|
+
message: `upsert ${changeKey(change)} expected exactly 1 row, found ${matches}`,
|
|
474
|
+
});
|
|
475
|
+
}
|
|
476
|
+
if (change.operation === "delete" && matches !== 0) {
|
|
477
|
+
ctx.addIssue({
|
|
478
|
+
code: "custom",
|
|
479
|
+
path,
|
|
480
|
+
message: `delete ${changeKey(change)} expected 0 rows, found ${matches}`,
|
|
481
|
+
});
|
|
482
|
+
}
|
|
483
|
+
};
|
|
484
|
+
if (event.catalog) {
|
|
485
|
+
for (const [index, change] of event.catalog.changes.entries()) {
|
|
486
|
+
checkRows(["catalog", "changes", index], change, countCatalogRows(event.catalog, change));
|
|
487
|
+
}
|
|
488
|
+
}
|
|
489
|
+
if (event.users) {
|
|
490
|
+
for (const [index, change] of event.users.changes.entries()) {
|
|
491
|
+
const matches = event.users.users.filter((u) => u.herculesAuthUserId === change.herculesAuthUserId).length;
|
|
492
|
+
checkRows(["users", "changes", index], change, matches);
|
|
493
|
+
}
|
|
494
|
+
}
|
|
495
|
+
for (const [scopeIndex, scope] of (event.scopes ?? []).entries()) {
|
|
496
|
+
for (const [index, change] of scope.changes.entries()) {
|
|
497
|
+
checkRows(["scopes", scopeIndex, "changes", index], change, countScopeRows(scope, change));
|
|
498
|
+
}
|
|
499
|
+
}
|
|
500
|
+
});
|
|
501
|
+
export const accessProjectionSyncPayloadSchema = z.union([
|
|
502
|
+
accessProjectionSnapshotSchema,
|
|
503
|
+
accessProjectionEventSchema,
|
|
504
|
+
]);
|
|
505
|
+
// ── integrity helpers (mirror of producer assertProjectionEventIntegrity) ──────
|
|
506
|
+
function changeKey(change) {
|
|
507
|
+
switch (change.entityType) {
|
|
508
|
+
case "user":
|
|
509
|
+
return `user:${change.herculesAuthUserId}`;
|
|
510
|
+
case "role":
|
|
511
|
+
return `role:${change.roleId}`;
|
|
512
|
+
case "permission":
|
|
513
|
+
return `permission:${change.permissionId}`;
|
|
514
|
+
case "role_permission":
|
|
515
|
+
return `role_permission:${change.roleId}/${change.permissionId}`;
|
|
516
|
+
case "scope":
|
|
517
|
+
return `scope:${change.accessScopeId}`;
|
|
518
|
+
case "principal":
|
|
519
|
+
return `principal:${change.principalId}`;
|
|
520
|
+
case "principal_membership":
|
|
521
|
+
return `principal_membership:${change.groupPrincipalId}/${change.memberPrincipalId}`;
|
|
522
|
+
case "role_permission_override":
|
|
523
|
+
return `role_permission_override:${change.accessScopeId}/${change.roleId}/${change.permissionId}`;
|
|
524
|
+
case "role_binding":
|
|
525
|
+
return `role_binding:${change.bindingId}`;
|
|
526
|
+
case "permission_binding":
|
|
527
|
+
return `permission_binding:${change.bindingId}`;
|
|
528
|
+
}
|
|
529
|
+
}
|
|
530
|
+
function countCatalogRows(catalog, change) {
|
|
531
|
+
switch (change.entityType) {
|
|
532
|
+
case "role":
|
|
533
|
+
return catalog.roles.filter((r) => r.roleId === change.roleId).length;
|
|
534
|
+
case "permission":
|
|
535
|
+
return catalog.permissions.filter((p) => p.permissionId === change.permissionId).length;
|
|
536
|
+
case "role_permission":
|
|
537
|
+
return catalog.rolePermissions.filter((rp) => rp.roleId === change.roleId && rp.permissionId === change.permissionId).length;
|
|
538
|
+
}
|
|
539
|
+
}
|
|
540
|
+
function countScopeRows(scope, change) {
|
|
541
|
+
switch (change.entityType) {
|
|
542
|
+
case "scope":
|
|
543
|
+
return scope.scope !== undefined && scope.accessScopeId === change.accessScopeId ? 1 : 0;
|
|
544
|
+
case "principal":
|
|
545
|
+
return scope.principals.filter((p) => p.principalId === change.principalId).length;
|
|
546
|
+
case "principal_membership":
|
|
547
|
+
return scope.principalMemberships.filter((m) => m.groupPrincipalId === change.groupPrincipalId &&
|
|
548
|
+
m.memberPrincipalId === change.memberPrincipalId).length;
|
|
549
|
+
case "role":
|
|
550
|
+
return scope.roles.filter((r) => r.roleId === change.roleId).length;
|
|
551
|
+
case "role_permission_override":
|
|
552
|
+
return scope.rolePermissionOverrides.filter((o) => o.accessScopeId === change.accessScopeId &&
|
|
553
|
+
o.roleId === change.roleId &&
|
|
554
|
+
o.permissionId === change.permissionId).length;
|
|
555
|
+
case "role_binding":
|
|
556
|
+
return scope.roleBindings.filter((b) => b.bindingId === change.bindingId).length;
|
|
557
|
+
case "permission_binding":
|
|
558
|
+
return scope.permissionBindings.filter((b) => b.bindingId === change.bindingId).length;
|
|
559
|
+
}
|
|
560
|
+
}
|
|
561
|
+
//# sourceMappingURL=projection-protocol.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"projection-protocol.js","sourceRoot":"","sources":["../../src/shared/projection-protocol.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAC3E,EAAE;AACF,kFAAkF;AAClF,oFAAoF;AACpF,sEAAsE;AACtE,EAAE;AACF,qBAAqB;AACrB,gFAAgF;AAChF,0DAA0D;AAC1D,2EAA2E;AAC3E,qBAAqB;AACrB,EAAE;AACF,4EAA4E;AAC5E,gFAAgF;AAChF,oFAAoF;AACpF,oFAAoF;AACpF,wBAAwB;AACxB,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,iFAAiF;AACjF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;AAGtE,MAAM,CAAC,MAAM,mCAAmC,GAAG,CAAC,CAAC,IAAI,CAAC;IACxD,MAAM;IACN,sBAAsB;CACvB,CAAC,CAAC;AAKH,MAAM,CAAC,MAAM,kCAAkC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC;AAG3F,MAAM,CAAC,MAAM,8CAA8C,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC;AAKlG,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC;AAGnF,MAAM,CAAC,MAAM,iCAAiC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC;AAGhF,MAAM,CAAC,MAAM,sCAAsC,GAAG,CAAC,CAAC,IAAI,CAAC;IAC3D,MAAM;IACN,kBAAkB;IAClB,aAAa;IACb,mBAAmB;CACpB,CAAC,CAAC;AAKH,+EAA+E;AAC/E,8EAA8E;AAC9E,8EAA8E;AAC9E,iFAAiF;AACjF,MAAM,CAAC,MAAM,qCAAqC,GAAG,CAAC,CAAC,IAAI,CAAC;IAC1D,QAAQ;IACR,SAAS;IACT,WAAW;IACX,kBAAkB;IAClB,SAAS;CACV,CAAC,CAAC;AAGH,gFAAgF;AAChF,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,YAAY,CAAC;IACjD,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE;IAC1B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE;IAC1B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC,CAAC;AAGH,iFAAiF;AACjF,2EAA2E;AAC3E,0EAA0E;AAC1E,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,YAAY,CAAC;IACxD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACjC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,YAAY,EAAE,kCAAkC;IAChD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC,CAAC;AAGH,kFAAkF;AAClF,MAAM,CAAC,MAAM,iCAAiC,GAAG,CAAC,CAAC,YAAY,CAAC;IAC9D,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,cAAc,EAAE,8CAA8C;IAC9D,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC,CAAC;AAGH,0EAA0E;AAC1E,MAAM,CAAC,MAAM,qCAAqC,GAAG,CAAC,CAAC,YAAY,CAAC;IAClE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/B,MAAM,EAAE,4BAA4B;IACpC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,YAAY,CAAC;IACpD,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,2BAA2B,CAAC;IAC3C,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,iCAAiC,CAAC;IACvD,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,qCAAqC,CAAC;CAChE,CAAC,CAAC;AAGH,iFAAiF;AACjF,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,YAAY,CAAC;IAC1D,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,+BAA+B;IACrC,MAAM,EAAE,iCAAiC;IACzC,gBAAgB,EAAE,sCAAsC;IACxD,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC;KACvC,YAAY,CAAC;IACZ,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAChD,oEAAoE;IACpE,wEAAwE;IACxE,uEAAuE;IACvE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClC,MAAM,EAAE,qCAAqC;IAC7C,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;IACxC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC;IACF,2EAA2E;IAC3E,+EAA+E;IAC/E,wEAAwE;IACxE,wEAAwE;IACxE,4DAA4D;KAC3D,WAAW,CAAC,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE;IAC9B,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,IAAI,SAAS,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QAC5E,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,oBAAoB,CAAC;YAC5B,OAAO,EAAE,gDAAgD;SAC1D,CAAC,CAAC;IACL,CAAC;IACD,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,IAAI,SAAS,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QAC7E,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,oBAAoB,CAAC;YAC5B,OAAO,EAAE,uDAAuD;SACjE,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAGL,MAAM,CAAC,MAAM,mCAAmC,GAAG,CAAC,CAAC,YAAY,CAAC;IAChE,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC,CAAC;AAGH,6EAA6E;AAC7E,4EAA4E;AAC5E,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAAC,CAAC,YAAY,CAAC;IAC5D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC;IAC3B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,4EAA4E;IAC5E,kFAAkF;IAClF,4EAA4E;IAC5E,2EAA2E;IAC3E,YAAY,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC/B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC,CAAC;AAGH,qFAAqF;AACrF,MAAM,CAAC,MAAM,2CAA2C,GAAG,CAAC,CAAC,YAAY,CAAC;IACxE,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/B,MAAM,EAAE,4BAA4B;IACpC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC,CAAC;AAKH,qEAAqE;AACrE,iEAAiE;AACjE,MAAM,CAAC,MAAM,gCAAgC,GAAG,CAAC,CAAC,YAAY,CAAC;IAC7D,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC1C,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACxC,SAAS,EAAE,mCAAmC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC9D,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IACpD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,GAAG,EAAE,EAAE;IAC9B,IACE,OAAO,CAAC,SAAS,KAAK,sBAAsB;QAC5C,CAAC,OAAO,CAAC,YAAY,KAAK,SAAS,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS,CAAC,EACxE,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,WAAW,CAAC;YACnB,OAAO,EAAE,qDAAqD;SAC/D,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAGH,2EAA2E;AAC3E,wEAAwE;AACxE,MAAM,CAAC,MAAM,sCAAsC,GAAG,CAAC;KACpD,YAAY,CAAC;IACZ,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAChD,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC3C,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/B,MAAM,EAAE,4BAA4B;IACpC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC1C,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACxC,SAAS,EAAE,mCAAmC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC9D,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;IACpD,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;CAC1C,CAAC;KACD,WAAW,CAAC,CAAC,OAAO,EAAE,GAAG,EAAE,EAAE;IAC5B,MAAM,YAAY,GAAG,CAAC,OAAO,CAAC,kBAAkB,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC,MAAM,CAC7E,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,SAAS,CAC/B,CAAC,MAAM,CAAC;IACT,IAAI,YAAY,KAAK,CAAC,EAAE,CAAC;QACvB,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,yEAAyE;SACnF,CAAC,CAAC;IACL,CAAC;IACD,IACE,OAAO,CAAC,SAAS,KAAK,sBAAsB;QAC5C,CAAC,OAAO,CAAC,YAAY,KAAK,SAAS,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS,CAAC,EACxE,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,WAAW,CAAC;YACnB,OAAO,EAAE,qDAAqD;SAC/D,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAKL,sEAAsE;AACtE,yEAAyE;AACzE,gFAAgF;AAChF,iFAAiF;AACjF,kFAAkF;AAClF,kFAAkF;AAClF,sCAAsC;AACtC,SAAS,yBAAyB,CAChC,gBAAwB,EACxB,QAKC,EACD,GAAoB;IAEpB,MAAM,UAAU,GAAG,CACjB,KAAkF,EAC5E,EAAE;QACR,KAAK,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YACrD,IAAI,GAAG,CAAC,aAAa,KAAK,gBAAgB,EAAE,CAAC;gBAC3C,GAAG,CAAC,QAAQ,CAAC;oBACX,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,eAAe,CAAC;oBACrC,OAAO,EAAE,YAAY,KAAK,+CAA+C;iBAC1E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC;IACF,UAAU,CAAC,OAAO,CAAC,CAAC;IACpB,UAAU,CAAC,yBAAyB,CAAC,CAAC;IACtC,UAAU,CAAC,cAAc,CAAC,CAAC;IAC3B,UAAU,CAAC,oBAAoB,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC;KACnC,YAAY,CAAC;IACZ,KAAK,EAAE,6BAA6B;IACpC,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,yBAAyB,CAAC;IAC9C,oBAAoB,EAAE,CAAC,CAAC,KAAK,CAAC,mCAAmC,CAAC;IAClE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,+BAA+B,CAAC;IAC/C,uBAAuB,EAAE,CAAC,CAAC,KAAK,CAAC,2CAA2C,CAAC;IAC7E,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,gCAAgC,CAAC;IACvD,kBAAkB,EAAE,CAAC,CAAC,KAAK,CAAC,sCAAsC,CAAC;CACpE,CAAC;KACD,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1B,yBAAyB,CAAC,KAAK,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;AACnE,CAAC,CAAC,CAAC;AAGL,iFAAiF;AACjF,kFAAkF;AAClF,6EAA6E;AAC7E,0EAA0E;AAC1E,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC;KAC5C,YAAY,CAAC;IACZ,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,4BAA4B,CAAC;IAC7C,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IACrC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;IAC7C,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACjC,OAAO,EAAE,uBAAuB;IAChC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC;IACpC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;CAC9C,CAAC;KACD,WAAW,CAAC,CAAC,OAAO,EAAE,GAAG,EAAE,EAAE;IAC5B,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,IAAI,iBAAiB,GAAG,CAAC,CAAC;IAC1B,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;QACtD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,aAAa,CAAC;QAC1C,IAAI,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,eAAe,CAAC;gBACjD,OAAO,EAAE,8CAA8C;aACxD,CAAC,CAAC;QACL,CAAC;QACD,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtB,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACnC,iBAAiB,IAAI,CAAC,CAAC;YACvB,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAChB,GAAG,CAAC,QAAQ,CAAC;oBACX,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC;oBACxC,OAAO,EAAE,iCAAiC;iBAC3C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,iBAAiB,KAAK,CAAC,EAAE,CAAC;QAC5B,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,QAAQ,CAAC;YAChB,OAAO,EAAE,uCAAuC;SACjD,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC,CAAC;AAGL,iFAAiF;AACjF,mFAAmF;AACnF,2EAA2E;AAC3E,oFAAoF;AACpF,gCAAgC;AAChC,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;AAG5E,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,YAAY,CAAC;IACvD,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrC,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAGH,iFAAiF;AACjF,8EAA8E;AAC9E,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,YAAY,CAAC;IACvD,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,gCAAgC,GAAG,CAAC,CAAC,YAAY,CAAC;IAC7D,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IACnC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/B,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,oCAAoC,GAAG,CAAC,CAAC,YAAY,CAAC;IACjE,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC;IACxC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/B,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAAC,CAAC,YAAY,CAAC;IAC5D,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IAC9B,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAAC,CAAC,YAAY,CAAC;IAC5D,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;IAClC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,yCAAyC,GAAG,CAAC,CAAC,YAAY,CAAC;IACtE,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC;IAC7C,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACnC,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAKH,MAAM,CAAC,MAAM,4CAA4C,GAAG,CAAC,CAAC,YAAY,CAAC;IACzE,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,0BAA0B,CAAC;IACjD,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/B,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAKH,MAAM,CAAC,MAAM,iCAAiC,GAAG,CAAC,CAAC,YAAY,CAAC;IAC9D,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC;IACrC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,uCAAuC,GAAG,CAAC,CAAC,YAAY,CAAC;IACpE,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC;IAC3C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,SAAS,EAAE,+BAA+B;CAC3C,CAAC,CAAC;AAKH,oFAAoF;AACpF,gFAAgF;AAChF,gCAAgC;AAChC,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,kBAAkB,CAAC,YAAY,EAAE;IAC9E,0BAA0B;IAC1B,gCAAgC;IAChC,oCAAoC;CACrC,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,kBAAkB,CAAC,YAAY,EAAE;IAC5E,+BAA+B;IAC/B,+BAA+B;IAC/B,yCAAyC;IACzC,0BAA0B;IAC1B,4CAA4C;IAC5C,iCAAiC;IACjC,uCAAuC;CACxC,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,kBAAkB,CAAC,YAAY,EAAE;IACvE,0BAA0B;IAC1B,0BAA0B;IAC1B,gCAAgC;IAChC,oCAAoC;IACpC,+BAA+B;IAC/B,+BAA+B;IAC/B,yCAAyC;IACzC,4CAA4C;IAC5C,iCAAiC;IACjC,uCAAuC;CACxC,CAAC,CAAC;AAIH,iFAAiF;AACjF,gFAAgF;AAChF,0DAA0D;AAC1D,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,YAAY,CAAC;IACzD,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,6BAA6B,CAAC;IAC/C,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,2BAA2B,CAAC;IAC3C,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,iCAAiC,CAAC;IACvD,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,qCAAqC,CAAC;CAChE,CAAC,CAAC;AAGH,6EAA6E;AAC7E,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,YAAY,CAAC;IACtD,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,0BAA0B,CAAC;IAC5C,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,oBAAoB,CAAC;CACrC,CAAC,CAAC;AAGH,4EAA4E;AAC5E,yEAAyE;AACzE,yEAAyE;AACzE,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC;KACxC,YAAY,CAAC;IACZ,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAChC,KAAK,EAAE,6BAA6B,CAAC,QAAQ,EAAE;IAC/C,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,2BAA2B,CAAC;IAC7C,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,yBAAyB,CAAC;IAC9C,oBAAoB,EAAE,CAAC,CAAC,KAAK,CAAC,mCAAmC,CAAC;IAClE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,+BAA+B,CAAC;IAC/C,uBAAuB,EAAE,CAAC,CAAC,KAAK,CAAC,2CAA2C,CAAC;IAC7E,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,gCAAgC,CAAC;IACvD,kBAAkB,EAAE,CAAC,CAAC,KAAK,CAAC,sCAAsC,CAAC;CACpE,CAAC;IACF,8EAA8E;IAC9E,sEAAsE;IACtE,4EAA4E;IAC5E,4BAA4B;KAC3B,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1B,yBAAyB,CAAC,KAAK,CAAC,aAAa,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;IAC3D,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,CAAC,aAAa,KAAK,KAAK,CAAC,aAAa,EAAE,CAAC;QACnF,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,OAAO,EAAE,eAAe,CAAC;YAChC,OAAO,EAAE,sEAAsE;SAChF,CAAC,CAAC;IACL,CAAC;IACD,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;QACtD,IACE,CAAC,MAAM,CAAC,UAAU,KAAK,OAAO,IAAI,MAAM,CAAC,UAAU,KAAK,0BAA0B,CAAC;YACnF,MAAM,CAAC,aAAa,KAAK,KAAK,CAAC,aAAa,EAC5C,CAAC;YACD,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,eAAe,CAAC;gBACzC,OAAO,EAAE,2DAA2D;aACrE,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAGL,gFAAgF;AAChF,oFAAoF;AACpF,mFAAmF;AACnF,oFAAoF;AACpF,2EAA2E;AAC3E,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC;KACzC,YAAY,CAAC;IACZ,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,yBAAyB,CAAC;IAC1C,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE;IAC7C,OAAO,EAAE,4BAA4B,CAAC,QAAQ,EAAE;IAChD,KAAK,EAAE,yBAAyB,CAAC,QAAQ,EAAE;IAC3C,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC,QAAQ,EAAE;CACvD,CAAC;KACD,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1B,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3F,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,oDAAoD;SAC9D,CAAC,CAAC;IACL,CAAC;IAED,MAAM,SAAS,GAAG,CAChB,IAAyB,EACzB,MAAwB,EACxB,OAAe,EACT,EAAE;QACR,IAAI,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;YACnD,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,QAAQ;gBACd,IAAI;gBACJ,OAAO,EAAE,UAAU,SAAS,CAAC,MAAM,CAAC,kCAAkC,OAAO,EAAE;aAChF,CAAC,CAAC;QACL,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;YACnD,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,QAAQ;gBACd,IAAI;gBACJ,OAAO,EAAE,UAAU,SAAS,CAAC,MAAM,CAAC,2BAA2B,OAAO,EAAE;aACzE,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;IAEF,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YAC9D,SAAS,CAAC,CAAC,SAAS,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE,MAAM,EAAE,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;IACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YAC5D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CACtC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,kBAAkB,KAAK,MAAM,CAAC,kBAAkB,CAC1D,CAAC,MAAM,CAAC;YACT,SAAS,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IACD,KAAK,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;QACjE,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YACtD,SAAS,CAAC,CAAC,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE,MAAM,EAAE,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAGL,MAAM,CAAC,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC;IACvD,8BAA8B;IAC9B,2BAA2B;CAC5B,CAAC,CAAC;AAGH,kFAAkF;AAClF,SAAS,SAAS,CAAC,MAAwB;IACzC,QAAQ,MAAM,CAAC,UAAU,EAAE,CAAC;QAC1B,KAAK,MAAM;YACT,OAAO,QAAQ,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC7C,KAAK,MAAM;YACT,OAAO,QAAQ,MAAM,CAAC,MAAM,EAAE,CAAC;QACjC,KAAK,YAAY;YACf,OAAO,cAAc,MAAM,CAAC,YAAY,EAAE,CAAC;QAC7C,KAAK,iBAAiB;YACpB,OAAO,mBAAmB,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACnE,KAAK,OAAO;YACV,OAAO,SAAS,MAAM,CAAC,aAAa,EAAE,CAAC;QACzC,KAAK,WAAW;YACd,OAAO,aAAa,MAAM,CAAC,WAAW,EAAE,CAAC;QAC3C,KAAK,sBAAsB;YACzB,OAAO,wBAAwB,MAAM,CAAC,gBAAgB,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;QACvF,KAAK,0BAA0B;YAC7B,OAAO,4BAA4B,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACpG,KAAK,cAAc;YACjB,OAAO,gBAAgB,MAAM,CAAC,SAAS,EAAE,CAAC;QAC5C,KAAK,oBAAoB;YACvB,OAAO,sBAAsB,MAAM,CAAC,SAAS,EAAE,CAAC;IACpD,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CACvB,OAA+B,EAC/B,MAA+B;IAE/B,QAAQ,MAAM,CAAC,UAAU,EAAE,CAAC;QAC1B,KAAK,MAAM;YACT,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QACxE,KAAK,YAAY;YACf,OAAO,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC;QAC1F,KAAK,iBAAiB;YACpB,OAAO,OAAO,CAAC,eAAe,CAAC,MAAM,CACnC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC,YAAY,KAAK,MAAM,CAAC,YAAY,CAC/E,CAAC,MAAM,CAAC;IACb,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAA2B,EAAE,MAA6B;IAChF,QAAQ,MAAM,CAAC,UAAU,EAAE,CAAC;QAC1B,KAAK,OAAO;YACV,OAAO,KAAK,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,aAAa,KAAK,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3F,KAAK,WAAW;YACd,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;QACrF,KAAK,sBAAsB;YACzB,OAAO,KAAK,CAAC,oBAAoB,CAAC,MAAM,CACtC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,gBAAgB,KAAK,MAAM,CAAC,gBAAgB;gBAC9C,CAAC,CAAC,iBAAiB,KAAK,MAAM,CAAC,iBAAiB,CACnD,CAAC,MAAM,CAAC;QACX,KAAK,MAAM;YACT,OAAO,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;QACtE,KAAK,0BAA0B;YAC7B,OAAO,KAAK,CAAC,uBAAuB,CAAC,MAAM,CACzC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,aAAa,KAAK,MAAM,CAAC,aAAa;gBACxC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;gBAC1B,CAAC,CAAC,YAAY,KAAK,MAAM,CAAC,YAAY,CACzC,CAAC,MAAM,CAAC;QACX,KAAK,cAAc;YACjB,OAAO,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QACnF,KAAK,oBAAoB;YACvB,OAAO,KAAK,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;IAC3F,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
export declare const ACCESS_CONTROL_SYNC_PATH = "/_hercules/access-control/sync";
|
|
2
|
+
export { accessProjectionSyncPayloadSchema, accessProjectionSnapshotSchema, accessProjectionEventSchema, accessProjectionEffectSchema, accessProjectionApplicabilitySchema, accessProjectionWildcardModeSchema, accessProjectionPermissionClassificationSchema, accessProjectionScopeKindSchema, accessProjectionScopeStatusSchema, accessProjectionAccountEntryModeSchema, accessProjectionPrincipalStatusSchema, projectionUserSchema, projectionCatalogRoleSchema, projectionCatalogPermissionSchema, projectionCatalogRolePermissionSchema, projectionCatalogSchema, projectionScopeMetadataSchema, projectionPrincipalSchema, projectionPrincipalMembershipSchema, projectionScopeTenantRoleSchema, projectionScopeRolePermissionOverrideSchema, projectionScopeRoleBindingSchema, projectionScopePermissionBindingSchema, projectionScopeSchema, projectionScopeDeltaSchema, projectionCatalogDeltaSchema, projectionUserDeltaSchema, } from "./projection-protocol";
|
|
3
|
+
export type { AccessProjectionSyncPayload, AccessProjectionSnapshot, AccessProjectionEvent, AccessProjectionEffect, AccessProjectionApplicability, AccessProjectionWildcardMode, AccessProjectionPermissionClassification, AccessProjectionScopeKind, AccessProjectionScopeStatus, AccessProjectionAccountEntryMode, AccessProjectionPrincipalStatus, ProjectionUser, ProjectionCatalogRole, ProjectionCatalogPermission, ProjectionCatalogRolePermission, ProjectionCatalog, ProjectionScopeMetadata, ProjectionPrincipal, ProjectionPrincipalMembership, ProjectionScopeTenantRole, ProjectionScopeRolePermissionOverride, ProjectionScopeRoleBinding, ProjectionScopePermissionBinding, ProjectionScope, ProjectionScopeDelta, ProjectionCatalogDelta, ProjectionUserDelta, ProjectionChange, ProjectionChangeOperation, ProjectionEntityType, ProjectionCatalogChange, ProjectionScopeChange, } from "./projection-protocol";
|
|
4
|
+
import type { AccessProjectionScopeKind } from "./projection-protocol";
|
|
5
|
+
export type ScopeKind = AccessProjectionScopeKind;
|
|
6
|
+
export type SyncResponse = {
|
|
7
|
+
ok: true;
|
|
8
|
+
status: "applied" | "duplicate";
|
|
9
|
+
acknowledgedVersion: number;
|
|
10
|
+
} | {
|
|
11
|
+
ok: false;
|
|
12
|
+
status: "version_gap";
|
|
13
|
+
currentVersion: number;
|
|
14
|
+
expectedVersion: number;
|
|
15
|
+
receivedVersion: number;
|
|
16
|
+
} | {
|
|
17
|
+
ok: false;
|
|
18
|
+
status: "invalid_signature" | "invalid_payload" | "unsupported_schema" | "issuer_mismatch" | "default_scope_required";
|
|
19
|
+
} | {
|
|
20
|
+
ok: false;
|
|
21
|
+
status: "not_ready" | "reset_required";
|
|
22
|
+
currentVersion: number;
|
|
23
|
+
};
|
|
24
|
+
//# sourceMappingURL=sync.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sync.d.ts","sourceRoot":"","sources":["../../src/shared/sync.ts"],"names":[],"mappings":"AAeA,eAAO,MAAM,wBAAwB,mCAAmC,CAAC;AAGzE,OAAO,EACL,iCAAiC,EACjC,8BAA8B,EAC9B,2BAA2B,EAC3B,4BAA4B,EAC5B,mCAAmC,EACnC,kCAAkC,EAClC,8CAA8C,EAC9C,+BAA+B,EAC/B,iCAAiC,EACjC,sCAAsC,EACtC,qCAAqC,EACrC,oBAAoB,EACpB,2BAA2B,EAC3B,iCAAiC,EACjC,qCAAqC,EACrC,uBAAuB,EACvB,6BAA6B,EAC7B,yBAAyB,EACzB,mCAAmC,EACnC,+BAA+B,EAC/B,2CAA2C,EAC3C,gCAAgC,EAChC,sCAAsC,EACtC,qBAAqB,EACrB,0BAA0B,EAC1B,4BAA4B,EAC5B,yBAAyB,GAC1B,MAAM,uBAAuB,CAAC;AAE/B,YAAY,EACV,2BAA2B,EAC3B,wBAAwB,EACxB,qBAAqB,EACrB,sBAAsB,EACtB,6BAA6B,EAC7B,4BAA4B,EAC5B,wCAAwC,EACxC,yBAAyB,EACzB,2BAA2B,EAC3B,gCAAgC,EAChC,+BAA+B,EAC/B,cAAc,EACd,qBAAqB,EACrB,2BAA2B,EAC3B,+BAA+B,EAC/B,iBAAiB,EACjB,uBAAuB,EACvB,mBAAmB,EACnB,6BAA6B,EAC7B,yBAAyB,EACzB,qCAAqC,EACrC,0BAA0B,EAC1B,gCAAgC,EAChC,eAAe,EACf,oBAAoB,EACpB,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,yBAAyB,EACzB,oBAAoB,EACpB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAM/B,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAC;AACvE,MAAM,MAAM,SAAS,GAAG,yBAAyB,CAAC;AAOlD,MAAM,MAAM,YAAY,GACpB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,SAAS,GAAG,WAAW,CAAC;IAAC,mBAAmB,EAAE,MAAM,CAAA;CAAE,GAC1E;IACE,EAAE,EAAE,KAAK,CAAC;IACV,MAAM,EAAE,aAAa,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;CACzB,GACD;IACE,EAAE,EAAE,KAAK,CAAC;IACV,MAAM,EACF,mBAAmB,GACnB,iBAAiB,GACjB,oBAAoB,GACpB,iBAAiB,GACjB,wBAAwB,CAAC;CAC9B,GACD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,WAAW,GAAG,gBAAgB,CAAC;IAAC,cAAc,EAAE,MAAM,CAAA;CAAE,CAAC"}
|