@venizia/ignis 0.0.9-13 → 0.0.9-15

package/dist/components/auth/authorize/common/constants.js

@@ -1,11 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CasbinDomainMatchingFunctions = exports.CasbinRuleVariants = exports.CasbinEnforcerModelDrivers = exports.CasbinEnforcerCachedDrivers = exports.AuthorizationEnforcerTypes = exports.AuthorizationRoles = exports.AuthorizationDecisions = exports.AuthorizationActions = exports.Authorization = void 0;
+exports.AuthorizationPolicyVariants = exports.CasbinRuleVariants = exports.AuthorizationDomainScopes = exports.CasbinDomainMatchingFunctions = exports.CasbinEnforcerModelDrivers = exports.CasbinEnforcerCachedDrivers = exports.AuthorizationEnforcerTypes = exports.AuthorizationRoles = exports.AuthorizationDecisions = exports.AuthorizationActions = exports.Authorization = void 0;
 const authorization_role_model_1 = require("../models/authorization-role.model");
 class Authorization {
     static { this.RULES = 'authorization.rules'; }
     static { this.SKIP_AUTHORIZATION = 'authorization.skip'; }
     static { this.ENFORCER = 'authorization.enforcer'; }
+    static { this.DOMAIN = 'authorization.domain'; }
 }
 exports.Authorization = Authorization;
 class AuthorizationActions {
@@ -97,9 +98,8 @@ class AuthorizationEnforcerTypes {
 }
 exports.AuthorizationEnforcerTypes = AuthorizationEnforcerTypes;
 class CasbinEnforcerCachedDrivers {
-    static { this.IN_MEMORY = 'in-memory'; }
     static { this.REDIS = 'redis'; }
-    static { this.SCHEME_SET = new Set([this.IN_MEMORY, this.REDIS]); }
+    static { this.SCHEME_SET = new Set([this.REDIS]); }
     static isValid(input) {
         return this.SCHEME_SET.has(input);
     }
@@ -114,19 +114,6 @@ class CasbinEnforcerModelDrivers {
     }
 }
 exports.CasbinEnforcerModelDrivers = CasbinEnforcerModelDrivers;
-class CasbinRuleVariants {
-    static { this.POLICY = 'policy'; }
-    static { this.GROUP = 'group'; }
-    /** Casbin line prefix for policy rules. */
-    static { this.P = 'p'; }
-    /** Casbin line prefix for grouping rules. */
-    static { this.G = 'g'; }
-    static { this.SCHEME_SET = new Set([this.POLICY, this.GROUP]); }
-    static isValid(input) {
-        return this.SCHEME_SET.has(input);
-    }
-}
-exports.CasbinRuleVariants = CasbinRuleVariants;
 class CasbinDomainMatchingFunctions {
     /** `*` is the only wildcard; exact compare otherwise. Safest for `Merchant_<uuid>` domains. */
     static { this.KEY_MATCH = 'keyMatch'; }
@@ -150,4 +137,140 @@ class CasbinDomainMatchingFunctions {
     }
 }
 exports.CasbinDomainMatchingFunctions = CasbinDomainMatchingFunctions;
+class AuthorizationDomainScopes {
+    /** Grant applies in EVERY domain the subject is a member of (checked via join_domain / g2). */
+    static { this.ANY_MEMBER = 'ANY_MEMBER'; }
+    /** Grant applies system-wide, bypassing membership — super-admin only. */
+    static { this.SYSTEM_WIDE = 'SYSTEM_WIDE'; }
+    static { this.SCHEME_SET = new Set([this.ANY_MEMBER, this.SYSTEM_WIDE]); }
+    static isValid(input) {
+        return this.SCHEME_SET.has(input);
+    }
+}
+exports.AuthorizationDomainScopes = AuthorizationDomainScopes;
+/**
+ * Engine-level vocabulary: the relation prefixes the Casbin MODEL declares — `p` for permission
+ * policies and `g`/`g2`…`g5` for grouping relations. This is the low-level building block that
+ * {@link AuthorizationPolicyVariants} maps onto (many app edge-types → one rule, e.g. both
+ * `assign_role` and `role_inherits` use `g`). Keep these in sync with the model's `[role_definition]`.
+ */
+class CasbinRuleVariants {
+    /** Permission policy line. */
+    static { this.P = 'p'; }
+    /**
+     * Numbered in request-tuple order (`sub → dom → obj → act`) so the matcher reads left-to-right:
+     * g (sub), g2/g3 (dom), g4 (obj), g5 (act).
+     */
+    /** Grouping #1 — role membership + role inheritance (user→role, role→role). The `sub` axis. */
+    static { this.G = 'g'; }
+    /** Grouping #2 — user→domain membership (join_domain). The `dom` axis (membership). */
+    static { this.G2 = 'g2'; }
+    /** Grouping #3 — domain hierarchy. The `dom` axis (nesting). */
+    static { this.G3 = 'g3'; }
+    /** Grouping #4 — resource hierarchy. The `obj` axis. */
+    static { this.G4 = 'g4'; }
+    /** Grouping #5 — action hierarchy. The `act` axis. */
+    static { this.G5 = 'g5'; }
+}
+exports.CasbinRuleVariants = CasbinRuleVariants;
+/**
+ * The kinds of "edge" stored in the single `PolicyDefinition` table. Every row links a `subject`
+ * (type + id) to a `target` (type + id); the `variant` column says WHAT kind of link it is.
+ *
+ * Picture the whole RBAC state as a graph — nodes are User / Role / Permission / Domain, and each
+ * PolicyDefinition row is one edge. `ScopedCasbinAdapter` reads these rows and emits one casbin line
+ * per edge. Each entry below carries:
+ *   - `action` — the value stored in the DB `variant` column (what the adapter filters on).
+ *   - `rule`   — the casbin grouping/policy prefix the adapter emits for that edge (`p`, `g`, `g2`…).
+ *
+ * Per-USER edges (differ per user): GRANT, ASSIGN_ROLE, JOIN_DOMAIN.
+ * Shared HIERARCHY edges (same for everyone — describe the org structure, not a user):
+ *   ROLE_INHERITS, RESOURCE_INHERITS, ACTION_INHERITS, DOMAIN_INHERITS.
+ */
+class AuthorizationPolicyVariants {
+    /**
+     * Give a Permission to a User or Role (the grant row also carries action / effect / domain).
+     * casbin `p`: `p, <Role|User>_<id>, <domain>, <permissionCode>, <action>, <allow|deny>`
+     * e.g. `p, Role_5, ANY_MEMBER, Order, read, allow` — "Role 5 may read Order in any joined domain".
+     */
+    static { this.GRANT = { action: 'grant', rule: CasbinRuleVariants.P }; }
+    /**
+     * Give a User a Role (optionally scoped to a domain; no domain → `*` = every domain).
+     * casbin `g`: `g, User_<id>, Role_<id>, <domain|*>`
+     * e.g. `g, User_42, Role_5, *` — "User 42 holds Role 5 everywhere".
+     */
+    static { this.ASSIGN_ROLE = { action: 'assign_role', rule: CasbinRuleVariants.G }; }
+    /**
+     * A Role inherits another Role (DAG). Shares the `g` relation with ASSIGN_ROLE so a
+     * user → role → parent-role chain resolves in one lookup. Emitted with domain `*`.
+     * casbin `g`: `g, Role_<child>, Role_<parent>, *`
+     * e.g. `g, Role_5, Role_9, *` — "Role 5 inherits everything Role 9 has".
+     */
+    static { this.ROLE_INHERITS = { action: 'role_inherits', rule: CasbinRuleVariants.G }; }
+    /**
+     * A User is a member of a Domain. Powers the `ANY_MEMBER` grant scope — a grant with domain
+     * `ANY_MEMBER` applies in every domain the user joined. Matcher uses `g2(r.sub, r.dom)`.
+     * casbin `g2`: `g2, User_<id>, <Type>_<domainId>`
+     * e.g. `g2, User_42, Merchant_7` — "User 42 is a member of Merchant 7".
+     */
+    static { this.JOIN_DOMAIN = { action: 'join_domain', rule: CasbinRuleVariants.G2 }; }
+    /**
+     * DOMAIN axis (the `dom` of a request). One domain is nested under a parent domain.
+     * Matcher: `g3(r.dom, p.dom)` (+ self-link, so an exact domain always matches itself).
+     * casbin `g3`: `g3, <Type>_<childId>, <Type>_<parentId>`
+     * e.g. `g3, Branch_1, Company_9` — "a grant scoped to Company 9 also applies in Branch 1".
+     */
+    static { this.DOMAIN_INHERITS = {
+        action: 'domain_inherits',
+        rule: CasbinRuleVariants.G3,
+    }; }
+    /**
+     * RESOURCE axis (the `obj` of a request). One resource is nested under a broader one — for
+     * NON-standard nesting only; dotted nesting (`Order.findById ⊂ Order`) is handled by `objectMatch`
+     * WITHOUT an edge. Matcher: `objectMatch(r.obj, p.obj) || g4(r.obj, p.obj)`.
+     * casbin `g4`: `g4, <childCode>, <parentCode>`
+     * e.g. `g4, OrderItem, Order` — "a grant on Order also covers OrderItem".
+     */
+    static { this.RESOURCE_INHERITS = {
+        action: 'resource_inherits',
+        rule: CasbinRuleVariants.G4,
+    }; }
+    /**
+     * ACTION axis (the `act` of a request) — SAME shape as RESOURCE_INHERITS but a DIFFERENT axis: a
+     * narrow action is covered by a broader one. No dotted shortcut — needs an explicit edge.
+     * Matcher: `g5(r.act, p.act)`.
+     * casbin `g5`: `g5, <childAction>, <parentAction>`
+     * e.g. `g5, read, manage` — "a grant of manage also allows read".
+     * (g4 + g5 combine multiplicatively: a `manage Order` grant covers a `read OrderItem` request.)
+     */
+    static { this.ACTION_INHERITS = {
+        action: 'action_inherits',
+        rule: CasbinRuleVariants.G5,
+    }; }
+    static { this.ACTION_SCHEME_SET = new Set([
+        this.GRANT.action.toString(),
+        this.ASSIGN_ROLE.action.toString(),
+        this.ROLE_INHERITS.action.toString(),
+        this.JOIN_DOMAIN.action.toString(),
+        this.DOMAIN_INHERITS.action.toString(),
+        this.RESOURCE_INHERITS.action.toString(),
+        this.ACTION_INHERITS.action.toString(),
+    ]); }
+    static { this.RULE_SCHEME_SET = new Set([
+        this.GRANT.rule.toString(),
+        this.ASSIGN_ROLE.rule.toString(),
+        this.ROLE_INHERITS.rule.toString(),
+        this.JOIN_DOMAIN.rule.toString(),
+        this.DOMAIN_INHERITS.rule.toString(),
+        this.RESOURCE_INHERITS.rule.toString(),
+        this.ACTION_INHERITS.rule.toString(),
+    ]); }
+    static isValidAction(input) {
+        return this.ACTION_SCHEME_SET.has(input);
+    }
+    static isValidRule(input) {
+        return this.RULE_SCHEME_SET.has(input);
+    }
+}
+exports.AuthorizationPolicyVariants = AuthorizationPolicyVariants;
 //# sourceMappingURL=constants.js.map

package/dist/components/auth/authorize/common/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":";;;AACA,iFAAuE;AAEvE,MAAa,aAAa;aACR,UAAK,GAAG,qBAAqB,CAAC;aAC9B,uBAAkB,GAAG,oBAAoB,CAAC;aAC1C,aAAQ,GAAG,wBAAwB,CAAC;;AAHtD,sCAIC;AAED,MAAa,oBAAoB;aACf,WAAM,GAAG,QAAQ,CAAC;aAClB,SAAI,GAAG,MAAM,CAAC;aACd,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAClB,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,IAAI;QACT,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,OAAO;KACb,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAjBH,oDAkBC;AAGD,MAAa,sBAAsB;aACjB,UAAK,GAAG,OAAO,CAAC;aAChB,SAAI,GAAG,MAAM,CAAC;aACd,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,KAAsB;QACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,KAAK,CAAC;IAC5C,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,KAAsB;QAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,SAAS,CAAC,KAAsB;QACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,OAAO,CAAC;IAC9C,CAAC;;AA9BH,wDA+BC;AAGD,MAAa,kBAAkB;aACb,gBAAW,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACpD,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,SAAI,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC7C,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,EAAE;KACb,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aACa,iBAAY,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACrD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aAEa,eAAU,GAAG,IAAI,GAAG,CAAS;QAC3C,IAAI,CAAC,WAAW,CAAC,UAAU;QAC3B,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,IAAI,CAAC,UAAU;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,YAAY,CAAC,UAAU;KAC7B,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAhCH,gDAiCC;AAED,MAAa,0BAA0B;aACrB,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAElB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,2BAA2B;aACtB,cAAS,GAAG,WAAW,CAAC;aACxB,UAAK,GAAG,OAAO,CAAC;aAEhB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAEnE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,kEASC;AAID,MAAa,0BAA0B;aACrB,SAAI,GAAG,MAAM,CAAC;aACd,SAAI,GAAG,MAAM,CAAC;aAEd,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,kBAAkB;aACb,WAAM,GAAG,QAAQ,CAAC;aAClB,UAAK,GAAG,OAAO,CAAC;IAEhC,2CAA2C;aAC3B,MAAC,GAAG,GAAG,CAAC;IACxB,6CAA6C;aAC7B,MAAC,GAAG,GAAG,CAAC;aAER,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAEhE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAbH,gDAcC;AAID,MAAa,6BAA6B;IACxC,+FAA+F;aAC/E,cAAS,GAAG,UAAU,CAAC;IAEvC,+CAA+C;aAC/B,gBAAW,GAAG,WAAW,CAAC;IAE1C,uCAAuC;aACvB,gBAAW,GAAG,WAAW,CAAC;IAE1C,6DAA6D;aAC7C,gBAAW,GAAG,WAAW,CAAC;IAE1C,mEAAmE;aACnD,gBAAW,GAAG,YAAY,CAAC;aAE3B,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,SAAS;QACd,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;KACjB,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AA1BH,sEA2BC"}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":";;;AACA,iFAAuE;AAEvE,MAAa,aAAa;aACR,UAAK,GAAG,qBAAqB,CAAC;aAC9B,uBAAkB,GAAG,oBAAoB,CAAC;aAC1C,aAAQ,GAAG,wBAAwB,CAAC;aACpC,WAAM,GAAG,sBAAsB,CAAC;;AAJlD,sCAKC;AAED,MAAa,oBAAoB;aACf,WAAM,GAAG,QAAQ,CAAC;aAClB,SAAI,GAAG,MAAM,CAAC;aACd,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAClB,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,IAAI;QACT,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,OAAO;KACb,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAjBH,oDAkBC;AAGD,MAAa,sBAAsB;aACjB,UAAK,GAAG,OAAO,CAAC;aAChB,SAAI,GAAG,MAAM,CAAC;aACd,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,KAAsB;QACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,KAAK,CAAC;IAC5C,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,KAAsB;QAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,SAAS,CAAC,KAAsB;QACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,OAAO,CAAC;IAC9C,CAAC;;AA9BH,wDA+BC;AAGD,MAAa,kBAAkB;aACb,gBAAW,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACpD,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,SAAI,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC7C,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,EAAE;KACb,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aACa,iBAAY,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACrD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aAEa,eAAU,GAAG,IAAI,GAAG,CAAS;QAC3C,IAAI,CAAC,WAAW,CAAC,UAAU;QAC3B,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,IAAI,CAAC,UAAU;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,YAAY,CAAC,UAAU;KAC7B,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAhCH,gDAiCC;AAED,MAAa,0BAA0B;aACrB,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAElB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,2BAA2B;aACtB,UAAK,GAAG,OAAO,CAAC;aAEhB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAEnD,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAPH,kEAQC;AAID,MAAa,0BAA0B;aACrB,SAAI,GAAG,MAAM,CAAC;aACd,SAAI,GAAG,MAAM,CAAC;aAEd,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,6BAA6B;IACxC,+FAA+F;aAC/E,cAAS,GAAG,UAAU,CAAC;IAEvC,+CAA+C;aAC/B,gBAAW,GAAG,WAAW,CAAC;IAE1C,uCAAuC;aACvB,gBAAW,GAAG,WAAW,CAAC;IAE1C,6DAA6D;aAC7C,gBAAW,GAAG,WAAW,CAAC;IAE1C,mEAAmE;aACnD,gBAAW,GAAG,YAAY,CAAC;aAE3B,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,SAAS;QACd,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;KACjB,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AA1BH,sEA2BC;AAID,MAAa,yBAAyB;IACpC,+FAA+F;aAC/E,eAAU,GAAG,YAAY,CAAC;IAE1C,0EAA0E;aAC1D,gBAAW,GAAG,aAAa,CAAC;aAE5B,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAE1E,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAXH,8DAYC;AAGD;;;;;GAKG;AACH,MAAa,kBAAkB;IAC7B,8BAA8B;aACd,MAAC,GAAG,GAAG,CAAC;IAExB;;;OAGG;IAEH,+FAA+F;aAC/E,MAAC,GAAG,GAAG,CAAC;IAExB,uFAAuF;aACvE,OAAE,GAAG,IAAI,CAAC;IAE1B,gEAAgE;aAChD,OAAE,GAAG,IAAI,CAAC;IAE1B,wDAAwD;aACxC,OAAE,GAAG,IAAI,CAAC;IAE1B,sDAAsD;aACtC,OAAE,GAAG,IAAI,CAAC;;AAtB5B,gDAuBC;AAID;;;;;;;;;;;;;GAaG;AACH,MAAa,2BAA2B;IACtC;;;;OAIG;aACa,UAAK,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAW,CAAC;IAEjF;;;;OAIG;aACa,gBAAW,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAW,CAAC;IAE7F;;;;;OAKG;aACa,kBAAa,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAW,CAAC;IAEjG;;;;;OAKG;aACa,gBAAW,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,kBAAkB,CAAC,EAAE,EAAW,CAAC;IAE9F;;;;;OAKG;aACa,oBAAe,GAAG;QAChC,MAAM,EAAE,iBAAiB;QACzB,IAAI,EAAE,kBAAkB,CAAC,EAAE;KACnB,CAAC;IAEX;;;;;;OAMG;aACa,sBAAiB,GAAG;QAClC,MAAM,EAAE,mBAAmB;QAC3B,IAAI,EAAE,kBAAkB,CAAC,EAAE;KACnB,CAAC;IAEX;;;;;;;OAOG;aACa,oBAAe,GAAG;QAChC,MAAM,EAAE,iBAAiB;QACzB,IAAI,EAAE,kBAAkB,CAAC,EAAE;KACnB,CAAC;aAEK,sBAAiB,GAAG,IAAI,GAAG,CAAC;QAC1C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE;QAC5B,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE;QAClC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE;QACpC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE;QAClC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE;QACtC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,EAAE;QACxC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE;KACvC,CAAC,CAAC;aAEa,oBAAe,GAAG,IAAI,GAAG,CAAC;QACxC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;QAC1B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE;QAChC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE;QAClC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE;QAChC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE;QACpC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE;QACtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE;KACrC,CAAC,CAAC;IAEH,MAAM,CAAC,aAAa,CAAC,KAAa;QAChC,OAAO,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,WAAW,CAAC,KAAa;QAC9B,OAAO,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;;AA7FH,kEA8FC"}

package/dist/components/auth/authorize/common/index.d.ts

@@ -1,4 +1,6 @@
 export * from './constants';
 export * from './keys';
+export * from './object-match';
+export * from './resolve-request-domain';
 export * from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/components/auth/authorize/common/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,QAAQ,CAAC;AACvB,cAAc,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,QAAQ,CAAC;AACvB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AACzC,cAAc,SAAS,CAAC"}

package/dist/components/auth/authorize/common/index.js

@@ -16,5 +16,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./constants"), exports);
 __exportStar(require("./keys"), exports);
+__exportStar(require("./object-match"), exports);
+__exportStar(require("./resolve-request-domain"), exports);
 __exportStar(require("./types"), exports);
 //# sourceMappingURL=index.js.map

package/dist/components/auth/authorize/common/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,yCAAuB;AACvB,0CAAwB"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,yCAAuB;AACvB,iDAA+B;AAC/B,2DAAyC;AACzC,0CAAwB"}

package/dist/components/auth/authorize/common/object-match.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Resource-hierarchy matcher for casbin `g4`. Decides whether a requested resource node
+ * falls under a granted resource node WITHOUT storing the "standard" edges
+ * (endpoint ⊂ subject ⊂ *), which are derivable from the dotted `code`.
+ *
+ * Non-standard edges (e.g. `OrderItem ⊂ Order`) are NOT covered here — those are stored as
+ * explicit `resource_inherits` (g4) links and resolved by casbin's role manager.
+ *
+ * Registered in TWO ways by the enforcer (both required):
+ *   1. `enforcer.addFunction('objectMatch', objectMatch)` — lets the matcher call
+ *      `objectMatch(r.obj, p.obj)` directly for "graph-free" prefix/wildcard matching. casbin's
+ *      role-manager `hasLink` only traverses stored nodes, so a `g4(...)`-only call can't match
+ *      `p.obj = '*'` or a subject that isn't a stored g4 vertex — the direct call covers those.
+ *   2. `enforcer.addNamedMatchingFunc('g4', objectMatch)` — applies the same semantics when
+ *      traversing explicit stored `resource_inherits` (g4) edges.
+ *
+ * @param requested the resource on the request (r.obj), e.g. `Activation.findById`
+ * @param granted   the resource on the policy (p.obj), e.g. `Activation` or `*`
+ */
+export declare const objectMatch: (requested: string, granted: string) => boolean;
+//# sourceMappingURL=object-match.d.ts.map

package/dist/components/auth/authorize/common/object-match.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"object-match.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/object-match.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,WAAW,GAAI,WAAW,MAAM,EAAE,SAAS,MAAM,KAAG,OAUhE,CAAC"}

package/dist/components/auth/authorize/common/object-match.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.objectMatch = void 0;
+/**
+ * Resource-hierarchy matcher for casbin `g4`. Decides whether a requested resource node
+ * falls under a granted resource node WITHOUT storing the "standard" edges
+ * (endpoint ⊂ subject ⊂ *), which are derivable from the dotted `code`.
+ *
+ * Non-standard edges (e.g. `OrderItem ⊂ Order`) are NOT covered here — those are stored as
+ * explicit `resource_inherits` (g4) links and resolved by casbin's role manager.
+ *
+ * Registered in TWO ways by the enforcer (both required):
+ *   1. `enforcer.addFunction('objectMatch', objectMatch)` — lets the matcher call
+ *      `objectMatch(r.obj, p.obj)` directly for "graph-free" prefix/wildcard matching. casbin's
+ *      role-manager `hasLink` only traverses stored nodes, so a `g4(...)`-only call can't match
+ *      `p.obj = '*'` or a subject that isn't a stored g4 vertex — the direct call covers those.
+ *   2. `enforcer.addNamedMatchingFunc('g4', objectMatch)` — applies the same semantics when
+ *      traversing explicit stored `resource_inherits` (g4) edges.
+ *
+ * @param requested the resource on the request (r.obj), e.g. `Activation.findById`
+ * @param granted   the resource on the policy (p.obj), e.g. `Activation` or `*`
+ */
+const objectMatch = (requested, granted) => {
+    if (granted === '*') {
+        return true;
+    }
+    if (requested === granted) {
+        return true;
+    }
+    return requested.startsWith(`${granted}.`);
+};
+exports.objectMatch = objectMatch;
+//# sourceMappingURL=object-match.js.map

package/dist/components/auth/authorize/common/object-match.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"object-match.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/object-match.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACI,MAAM,WAAW,GAAG,CAAC,SAAiB,EAAE,OAAe,EAAW,EAAE;IACzE,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,SAAS,CAAC,UAAU,CAAC,GAAG,OAAO,GAAG,CAAC,CAAC;AAC7C,CAAC,CAAC;AAVW,QAAA,WAAW,eAUtB"}

package/dist/components/auth/authorize/common/resolve-request-domain.d.ts

@@ -0,0 +1,20 @@
+import { TContext } from '../../../../base/controllers/common/types';
+import { TNullable } from '@venizia/ignis-helpers';
+import { Env } from 'hono';
+import { IAuthorizationDomainSource, IAuthorizationSpec, IAuthorizeOptions } from './types';
+/** Read a domain value from a declarative source on the Hono context. */
+export declare const readDeclarative: (opts: {
+    source: IAuthorizationDomainSource;
+    context: TContext<Env, string>;
+}) => TNullable<string>;
+/**
+ * Resolve the request domain scope with precedence:
+ *   spec.domain (method | declarative) → options.domainResolver → SYSTEM_WIDE.
+ * Returns a casbin domain string ("<type>_<id>") or the SYSTEM_WIDE sentinel.
+ */
+export declare const resolveRequestDomain: (opts: {
+    spec: IAuthorizationSpec;
+    context: TContext<Env, string>;
+    options: TNullable<IAuthorizeOptions>;
+}) => Promise<string>;
+//# sourceMappingURL=resolve-request-domain.d.ts.map

package/dist/components/auth/authorize/common/resolve-request-domain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-request-domain.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/resolve-request-domain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,iCAAiC,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAE3B,OAAO,EAAE,0BAA0B,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAE5F,yEAAyE;AACzE,eAAO,MAAM,eAAe,GAAI,MAAM;IACpC,MAAM,EAAE,0BAA0B,CAAC;IACnC,OAAO,EAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;CAChC,KAAG,SAAS,CAAC,MAAM,CAoBnB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAAU,MAAM;IAC/C,IAAI,EAAE,kBAAkB,CAAC;IACzB,OAAO,EAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,EAAE,SAAS,CAAC,iBAAiB,CAAC,CAAC;CACvC,KAAG,OAAO,CAAC,MAAM,CA4BjB,CAAC"}

package/dist/components/auth/authorize/common/resolve-request-domain.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveRequestDomain = exports.readDeclarative = void 0;
+const constants_1 = require("./constants");
+/** Read a domain value from a declarative source on the Hono context. */
+const readDeclarative = (opts) => {
+    const { source, context } = opts;
+    switch (source.from) {
+        case 'param': {
+            return context.req.param(source.key) ?? null;
+        }
+        case 'header': {
+            return context.req.header(source.key) ?? null;
+        }
+        case 'query': {
+            return context.req.query(source.key) ?? null;
+        }
+        case 'context': {
+            const value = context.get(source.key);
+            return value == null ? null : String(value);
+        }
+        default: {
+            return null;
+        }
+    }
+};
+exports.readDeclarative = readDeclarative;
+/**
+ * Resolve the request domain scope with precedence:
+ *   spec.domain (method | declarative) → options.domainResolver → SYSTEM_WIDE.
+ * Returns a casbin domain string ("<type>_<id>") or the SYSTEM_WIDE sentinel.
+ */
+const resolveRequestDomain = async (opts) => {
+    const { spec, context, options } = opts;
+    // (1) spec.domain as a method
+    if (typeof spec.domain === 'function') {
+        const resolved = await spec.domain({ context });
+        return resolved
+            ? [resolved.type, resolved.id].join('_')
+            : constants_1.AuthorizationDomainScopes.SYSTEM_WIDE;
+    }
+    // (2) spec.domain as declarative
+    if (spec.domain) {
+        const id = (0, exports.readDeclarative)({ source: spec.domain, context });
+        return id ? [spec.domain.type, id].join('_') : constants_1.AuthorizationDomainScopes.SYSTEM_WIDE;
+    }
+    // (3) global resolver
+    const globalResolver = options?.domainResolver ?? null;
+    if (globalResolver) {
+        const resolved = await globalResolver({ context });
+        return resolved
+            ? [resolved.type, resolved.id].join('_')
+            : constants_1.AuthorizationDomainScopes.SYSTEM_WIDE;
+    }
+    // (4) nothing → SYSTEM_WIDE
+    return constants_1.AuthorizationDomainScopes.SYSTEM_WIDE;
+};
+exports.resolveRequestDomain = resolveRequestDomain;
+//# sourceMappingURL=resolve-request-domain.js.map

package/dist/components/auth/authorize/common/resolve-request-domain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-request-domain.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/resolve-request-domain.ts"],"names":[],"mappings":";;;AAGA,2CAAwD;AAGxD,yEAAyE;AAClE,MAAM,eAAe,GAAG,CAAC,IAG/B,EAAqB,EAAE;IACtB,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACjC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,OAAO,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;QAC/C,CAAC;QACD,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;QAChD,CAAC;QACD,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,OAAO,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;QAC/C,CAAC;QACD,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAY,CAAC,CAAC;YAC/C,OAAO,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,CAAC,CAAC,CAAC;YACR,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;AACH,CAAC,CAAC;AAvBW,QAAA,eAAe,mBAuB1B;AAEF;;;;GAIG;AACI,MAAM,oBAAoB,GAAG,KAAK,EAAE,IAI1C,EAAmB,EAAE;IACpB,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAExC,8BAA8B;IAC9B,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,QAAQ;YACb,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,qCAAyB,CAAC,WAAW,CAAC;IAC5C,CAAC;IAED,iCAAiC;IACjC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,EAAE,GAAG,IAAA,uBAAe,EAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7D,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,qCAAyB,CAAC,WAAW,CAAC;IACvF,CAAC;IAED,sBAAsB;IACtB,MAAM,cAAc,GAAG,OAAO,EAAE,cAAc,IAAI,IAAI,CAAC;IACvD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QACnD,OAAO,QAAQ;YACb,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,qCAAyB,CAAC,WAAW,CAAC;IAC5C,CAAC;IAED,4BAA4B;IAC5B,OAAO,qCAAyB,CAAC,WAAW,CAAC;AAC/C,CAAC,CAAC;AAhCW,QAAA,oBAAoB,wBAgC/B"}

package/dist/components/auth/authorize/common/types.d.ts

@@ -1,5 +1,6 @@
+import { IdType } from '../../../../base';
 import { TContext } from '../../../../base/controllers/common/types';
-import { type DefaultRedisHelper, type ValueOrPromise } from '@venizia/ignis-helpers';
+import { type DefaultRedisHelper, type TNullable, type ValueOrPromise } from '@venizia/ignis-helpers';
 import { type Adapter } from 'casbin';
 import { Env, type MiddlewareHandler } from 'hono';
 import { IAuthUser } from '../../authenticate';
@@ -11,24 +12,49 @@ export interface IAuthorizationRole {
 }
 /** Key-value conditions for attribute-based access control. Values compared with strict equality. */
 export type TAuthorizationConditions<KeyType extends string | symbol = string | symbol, ValueType = string | number | boolean | null> = Record<KeyType, ValueType>;
-export interface IAuthorizationComparable<TElement = string, TCompareResult = number> {
-    value: TElement;
-    compare(other: TElement): TCompareResult;
-    isEqual(other: TElement): boolean;
-}
 export interface IAuthorizationRequest<TAction = string, TResource = string> {
     action: TAction;
     resource: TResource;
     conditions?: TAuthorizationConditions;
+    /**
+     * Resolved domain scope for this request, as a casbin domain string `"<DomainType>_<id>"`
+     * (e.g. `"Merchant_7"`), or the `"SYSTEM_WIDE"` sentinel to enforce across all domains.
+     */
+    domain?: string;
+}
+export interface IAuthorizationUser extends IAuthUser {
+    principalType: string;
+}
+/** What CasbinAuthorizationEnforcer.buildRules returns and evaluate consumes. */
+export interface ICasbinRules {
+    user: IAuthorizationUser;
+    lines: string[];
 }
-/** Authorization enforcer that builds rules and evaluates authorization requests. */
+/** Declarative description of where to read the request domain from. */
+export interface IAuthorizationDomainSource {
+    from: 'param' | 'header' | 'query' | 'context';
+    key: string;
+    type: string;
+}
+/** Returns the current request domain; null = no domain (→ SYSTEM_WIDE). */
+export type TAuthorizationDomainResolver<E extends Env = Env> = (opts: {
+    context: TContext<E, string>;
+}) => ValueOrPromise<TNullable<{
+    type: string;
+    id: IdType;
+}>>;
+/**
+ * Authorization enforcer: builds rules and evaluates requests.
+ *
+ * Cache management (`invalidateUserCache`/`rebuildUserCache`) is OPTIONAL — present only on enforcers
+ * that cache per-user policies (e.g. the Casbin enforcer with the Redis driver). The registry
+ * feature-detects them at runtime before invoking.
+ */
 export interface IAuthorizationEnforcer<E extends Env = Env, TAction = string, TResource = string, TRules = unknown, TBuildRulesReturn = ValueOrPromise<TRules>, TEvaluateReturn = ValueOrPromise<TAuthorizationDecision>> {
     name: string;
     configure(): ValueOrPromise<void>;
     buildRules(opts: {
-        user: {
-            principalType: string;
-        } & IAuthUser;
+        user: IAuthorizationUser;
         context: TContext<E, string>;
     }): TBuildRulesReturn;
     evaluate(opts: {
@@ -36,6 +62,19 @@ export interface IAuthorizationEnforcer<E extends Env = Env, TAction = string, T
         request: IAuthorizationRequest<TAction, TResource>;
         context: TContext<E, string>;
     }): TEvaluateReturn;
+    /** Drop a user's cached policies. Implemented only by caching enforcers. */
+    invalidateUserCache?(opts: {
+        user: IAuthorizationUser;
+    }): Promise<{
+        invalidatedKeys: number;
+    }>;
+    /** Drop + rebuild a user's cached policies. Implemented only by caching enforcers. */
+    rebuildUserCache?(opts: {
+        user: IAuthorizationUser;
+    }): Promise<{
+        cacheKey: string;
+        lineCount: number;
+    }>;
 }
 export type TAuthorizationVoter<E extends Env = Env, TAction = string, TResource = string> = (opts: {
     user: IAuthUser;
@@ -49,26 +88,20 @@ export interface IAuthorizationSpec<E extends Env = Env, TAction = string, TReso
     conditions?: TAuthorizationConditions;
     allowedRoles?: string[];
     voters?: TAuthorizationVoter<E, TAction, TResource>[];
+    /** Optional per-route domain: declarative source OR a resolver method. Omitted → global resolver. */
+    domain?: IAuthorizationDomainSource | TAuthorizationDomainResolver<E>;
 }
 export type TAuthorizeFn<E extends Env = Env, TAction = string, TResource = string> = (opts: {
     spec: IAuthorizationSpec<E, TAction, TResource>;
     enforcerName?: string;
 }) => MiddlewareHandler;
-export interface ICasbinEnforcerCachedMemory {
-    driver: typeof CasbinEnforcerCachedDrivers.IN_MEMORY;
-    options: {
-        expiresIn: number;
-    };
-}
 export interface ICasbinEnforcerCachedRedis {
     driver: typeof CasbinEnforcerCachedDrivers.REDIS;
     options: {
         connection: DefaultRedisHelper;
         expiresIn: number;
         keyFn: (opts: {
-            user: {
-                principalType: string;
-            } & IAuthUser;
+            user: IAuthorizationUser;
         }) => ValueOrPromise<string>;
     };
 }
@@ -82,9 +115,7 @@ export interface ICasbinEnforcerOptions<E extends Env = Env, TAction = string, T
     };
     cached: {
         use: false;
-    } | (ICasbinEnforcerCachedMemory & {
-        use: true;
-    }) | (ICasbinEnforcerCachedRedis & {
+    } | (ICasbinEnforcerCachedRedis & {
         use: true;
     });
     adapter?: TAdapter;
@@ -103,9 +134,21 @@ export interface ICasbinEnforcerOptions<E extends Env = Env, TAction = string, T
         action: string;
         domain?: string;
     };
+    /**
+     * Turn on the domain-scoped RBAC model. Requests become 4-token `(subject, domain, object, action)`
+     * instead of 3-token, and the enforcer registers the domain matcher (`keyMatch` on `g`) and the
+     * resource matcher (`objectMatch`) needed by that model.
+     */
+    isScoped?: boolean;
+    /** Number of pooled enforcers (each request enforces on its own). Default 16. */
+    poolSize?: number;
+    /** Max ms to wait for a free pooled enforcer before failing closed. Default 5000. */
+    poolAcquireTimeoutMs?: number;
 }
 export interface IAuthorizeOptions {
     defaultDecision: TAuthorizationDecision;
     alwaysAllowRoles?: string[];
+    /** Fallback domain resolver used when a route's spec has no `domain`. */
+    domainResolver?: TAuthorizationDomainResolver;
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/components/auth/authorize/common/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,iCAAiC,CAAC;AAC3D,OAAO,EAAE,KAAK,kBAAkB,EAAE,KAAK,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACtF,OAAO,EAAE,KAAK,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,EAAE,GAAG,EAAE,KAAK,iBAAiB,EAAE,MAAM,MAAM,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EACL,2BAA2B,EAC3B,0BAA0B,EAC1B,sBAAsB,EACtB,6BAA6B,EAC9B,MAAM,aAAa,CAAC;AACrB,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,qGAAqG;AACrG,MAAM,MAAM,wBAAwB,CAClC,OAAO,SAAS,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,EACjD,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,IAC1C,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAE/B,MAAM,WAAW,wBAAwB,CAAC,QAAQ,GAAG,MAAM,EAAE,cAAc,GAAG,MAAM;IAClF,KAAK,EAAE,QAAQ,CAAC;IAChB,OAAO,CAAC,KAAK,EAAE,QAAQ,GAAG,cAAc,CAAC;IACzC,OAAO,CAAC,KAAK,EAAE,QAAQ,GAAG,OAAO,CAAC;CACnC;AAED,MAAM,WAAW,qBAAqB,CAAC,OAAO,GAAG,MAAM,EAAE,SAAS,GAAG,MAAM;IACzE,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,wBAAwB,CAAC;CACvC;AAED,qFAAqF;AACrF,MAAM,WAAW,sBAAsB,CACrC,CAAC,SAAS,GAAG,GAAG,GAAG,EACnB,OAAO,GAAG,MAAM,EAChB,SAAS,GAAG,MAAM,EAClB,MAAM,GAAG,OAAO,EAChB,iBAAiB,GAAG,cAAc,CAAC,MAAM,CAAC,EAC1C,eAAe,GAAG,cAAc,CAAC,sBAAsB,CAAC;IAExD,IAAI,EAAE,MAAM,CAAC;IAEb,SAAS,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;IAElC,UAAU,CAAC,IAAI,EAAE;QACf,IAAI,EAAE;YAAE,aAAa,EAAE,MAAM,CAAA;SAAE,GAAG,SAAS,CAAC;QAC5C,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;KAC9B,GAAG,iBAAiB,CAAC;IAEtB,QAAQ,CAAC,IAAI,EAAE;QACb,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,qBAAqB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QACnD,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;KAC9B,GAAG,eAAe,CAAC;CACrB;AAED,MAAM,MAAM,mBAAmB,CAC7B,CAAC,SAAS,GAAG,GAAG,GAAG,EACnB,OAAO,GAAG,MAAM,EAChB,SAAS,GAAG,MAAM,IAChB,CAAC,IAAI,EAAE;IACT,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;CAC9B,KAAK,cAAc,CAAC,sBAAsB,CAAC,CAAC;AAE7C,MAAM,WAAW,kBAAkB,CAAC,CAAC,SAAS,GAAG,GAAG,GAAG,EAAE,OAAO,GAAG,MAAM,EAAE,SAAS,GAAG,MAAM;IAC3F,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,wBAAwB,CAAC;IACtC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,mBAAmB,CAAC,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;CACvD;AAED,MAAM,MAAM,YAAY,CAAC,CAAC,SAAS,GAAG,GAAG,GAAG,EAAE,OAAO,GAAG,MAAM,EAAE,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE;IAC3F,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAChD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,KAAK,iBAAiB,CAAC;AAExB,MAAM,WAAW,2BAA2B;IAC1C,MAAM,EAAE,OAAO,2BAA2B,CAAC,SAAS,CAAC;IACrD,OAAO,EAAE;QACP,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH;AAED,MAAM,WAAW,0BAA0B;IACzC,MAAM,EAAE,OAAO,2BAA2B,CAAC,KAAK,CAAC;IACjD,OAAO,EAAE;QACP,UAAU,EAAE,kBAAkB,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,EAAE,CAAC,IAAI,EAAE;YAAE,IAAI,EAAE;gBAAE,aAAa,EAAE,MAAM,CAAA;aAAE,GAAG,SAAS,CAAA;SAAE,KAAK,cAAc,CAAC,MAAM,CAAC,CAAC;KAC1F,CAAC;CACH;AAED,MAAM,WAAW,sBAAsB,CACrC,CAAC,SAAS,GAAG,GAAG,GAAG,EACnB,OAAO,GAAG,MAAM,EAChB,SAAS,GAAG,MAAM,EAClB,QAAQ,GAAG,OAAO;IAElB,KAAK,EACD;QAAE,MAAM,EAAE,OAAO,0BAA0B,CAAC,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GACtE;QAAE,MAAM,EAAE,OAAO,0BAA0B,CAAC,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3E,MAAM,EACF;QAAE,GAAG,EAAE,KAAK,CAAA;KAAE,GACd,CAAC,2BAA2B,GAAG;QAAE,GAAG,EAAE,IAAI,CAAA;KAAE,CAAC,GAC7C,CAAC,0BAA0B,GAAG;QAAE,GAAG,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC;IACjD,OAAO,CAAC,EAAE,QAAQ,CAAC;IAEnB,cAAc,CAAC,EAAE;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,EAAE,EAAE,6BAA6B,CAAC;KACnC,CAAC;IAEF,kBAAkB,CAAC,CAAC,IAAI,EAAE;QACxB,IAAI,EAAE,SAAS,CAAC;QAChB,MAAM,EAAE,OAAO,CAAC;QAChB,QAAQ,EAAE,SAAS,CAAC;QACpB,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;KAC9B,GAAG;QACF,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,MAAM,WAAW,iBAAiB;IAChC,eAAe,EAAE,sBAAsB,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChC,OAAO,EAAE,QAAQ,EAAE,MAAM,iCAAiC,CAAC;AAC3D,OAAO,EACL,KAAK,kBAAkB,EACvB,KAAK,SAAS,EACd,KAAK,cAAc,EACpB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,KAAK,OAAO,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,EAAE,GAAG,EAAE,KAAK,iBAAiB,EAAE,MAAM,MAAM,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EACL,2BAA2B,EAC3B,0BAA0B,EAC1B,sBAAsB,EACtB,6BAA6B,EAC9B,MAAM,aAAa,CAAC;AACrB,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,qGAAqG;AACrG,MAAM,MAAM,wBAAwB,CAClC,OAAO,SAAS,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,EACjD,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,IAC1C,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAE/B,MAAM,WAAW,qBAAqB,CAAC,OAAO,GAAG,MAAM,EAAE,SAAS,GAAG,MAAM;IACzE,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,wBAAwB,CAAC;IACtC;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAmB,SAAQ,SAAS;IACnD,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,iFAAiF;AACjF,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,kBAAkB,CAAC;IACzB,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,wEAAwE;AACxE,MAAM,WAAW,0BAA0B;IACzC,IAAI,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,CAAC;IAC/C,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;CACd;AAED,4EAA4E;AAC5E,MAAM,MAAM,4BAA4B,CAAC,CAAC,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE;IACrE,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;CAC9B,KAAK,cAAc,CAAC,SAAS,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB,CACrC,CAAC,SAAS,GAAG,GAAG,GAAG,EACnB,OAAO,GAAG,MAAM,EAChB,SAAS,GAAG,MAAM,EAClB,MAAM,GAAG,OAAO,EAChB,iBAAiB,GAAG,cAAc,CAAC,MAAM,CAAC,EAC1C,eAAe,GAAG,cAAc,CAAC,sBAAsB,CAAC;IAExD,IAAI,EAAE,MAAM,CAAC;IAEb,SAAS,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;IAElC,UAAU,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,kBAAkB,CAAC;QAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;KAAE,GAAG,iBAAiB,CAAC;IAEhG,QAAQ,CAAC,IAAI,EAAE;QACb,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,qBAAqB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QACnD,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;KAC9B,GAAG,eAAe,CAAC;IAEpB,4EAA4E;IAC5E,mBAAmB,CAAC,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,kBAAkB,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,eAAe,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAE/F,sFAAsF;IACtF,gBAAgB,CAAC,CAAC,IAAI,EAAE;QACtB,IAAI,EAAE,kBAAkB,CAAC;KAC1B,GAAG,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACtD;AAED,MAAM,MAAM,mBAAmB,CAC7B,CAAC,SAAS,GAAG,GAAG,GAAG,EACnB,OAAO,GAAG,MAAM,EAChB,SAAS,GAAG,MAAM,IAChB,CAAC,IAAI,EAAE;IACT,IAAI,EAAE,SAAS,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;CAC9B,KAAK,cAAc,CAAC,sBAAsB,CAAC,CAAC;AAE7C,MAAM,WAAW,kBAAkB,CAAC,CAAC,SAAS,GAAG,GAAG,GAAG,EAAE,OAAO,GAAG,MAAM,EAAE,SAAS,GAAG,MAAM;IAC3F,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,wBAAwB,CAAC;IACtC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,mBAAmB,CAAC,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE,CAAC;IACtD,qGAAqG;IACrG,MAAM,CAAC,EAAE,0BAA0B,GAAG,4BAA4B,CAAC,CAAC,CAAC,CAAC;CACvE;AAED,MAAM,MAAM,YAAY,CAAC,CAAC,SAAS,GAAG,GAAG,GAAG,EAAE,OAAO,GAAG,MAAM,EAAE,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE;IAC3F,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAChD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,KAAK,iBAAiB,CAAC;AAExB,MAAM,WAAW,0BAA0B;IACzC,MAAM,EAAE,OAAO,2BAA2B,CAAC,KAAK,CAAC;IACjD,OAAO,EAAE;QACP,UAAU,EAAE,kBAAkB,CAAC;QAC/B,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,EAAE,CAAC,IAAI,EAAE;YAAE,IAAI,EAAE,kBAAkB,CAAA;SAAE,KAAK,cAAc,CAAC,MAAM,CAAC,CAAC;KACvE,CAAC;CACH;AAED,MAAM,WAAW,sBAAsB,CACrC,CAAC,SAAS,GAAG,GAAG,GAAG,EACnB,OAAO,GAAG,MAAM,EAChB,SAAS,GAAG,MAAM,EAClB,QAAQ,GAAG,OAAO;IAElB,KAAK,EACD;QAAE,MAAM,EAAE,OAAO,0BAA0B,CAAC,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GACtE;QAAE,MAAM,EAAE,OAAO,0BAA0B,CAAC,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAC3E,MAAM,EAAE;QAAE,GAAG,EAAE,KAAK,CAAA;KAAE,GAAG,CAAC,0BAA0B,GAAG;QAAE,GAAG,EAAE,IAAI,CAAA;KAAE,CAAC,CAAC;IACtE,OAAO,CAAC,EAAE,QAAQ,CAAC;IAEnB,cAAc,CAAC,EAAE;QACf,cAAc,EAAE,MAAM,CAAC;QACvB,EAAE,EAAE,6BAA6B,CAAC;KACnC,CAAC;IAEF,kBAAkB,CAAC,CAAC,IAAI,EAAE;QACxB,IAAI,EAAE,SAAS,CAAC;QAChB,MAAM,EAAE,OAAO,CAAC;QAChB,QAAQ,EAAE,SAAS,CAAC;QACpB,OAAO,EAAE,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;KAC9B,GAAG;QACF,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IAEF;;;;OAIG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB,iFAAiF;IACjF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,qFAAqF;IACrF,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,iBAAiB;IAChC,eAAe,EAAE,sBAAsB,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,yEAAyE;IACzE,cAAc,CAAC,EAAE,4BAA4B,CAAC;CAC/C"}