@venizia/ignis 0.0.9-2 → 0.0.9-21

package/dist/components/auth/authorize/common/constants.js

@@ -1,26 +1,39 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CasbinRuleVariants = exports.CasbinEnforcerModelDrivers = exports.CasbinEnforcerCachedDrivers = exports.AuthorizationEnforcerTypes = exports.AuthorizationRoles = exports.AuthorizationDecisions = exports.AuthorizationActions = exports.Authorization = void 0;
+exports.AuthorizationPolicyVariants = exports.CasbinRuleVariants = exports.AuthorizationDomainScopes = exports.CasbinDomainMatchingFunctions = exports.CasbinEnforcerModelDrivers = exports.CasbinEnforcerCachedDrivers = exports.AuthorizationEnforcerTypes = exports.AuthorizationRoles = exports.AuthorizationDecisions = exports.AuthorizationActions = exports.Authorization = void 0;
 const authorization_role_model_1 = require("../models/authorization-role.model");
 class Authorization {
     static { this.RULES = 'authorization.rules'; }
     static { this.SKIP_AUTHORIZATION = 'authorization.skip'; }
     static { this.ENFORCER = 'authorization.enforcer'; }
+    static { this.DOMAIN = 'authorization.domain'; }
 }
 exports.Authorization = Authorization;
 class AuthorizationActions {
     static { this.CREATE = 'create'; }
-    static { this.READ = 'read'; }
     static { this.UPDATE = 'update'; }
     static { this.DELETE = 'delete'; }
     static { this.EXECUTE = 'execute'; }
+    static { this.READ = 'read'; }
+    static { this.WRITE = 'write'; }
+    static { this.MANAGE = 'manage'; }
     static { this.SCHEME_SET = new Set([
         this.CREATE,
-        this.READ,
         this.UPDATE,
         this.DELETE,
         this.EXECUTE,
+        this.READ,
+        this.WRITE,
+        this.MANAGE,
     ]); }
+    static { this.LATTICE = [
+        { child: this.READ, parent: this.MANAGE },
+        { child: this.WRITE, parent: this.MANAGE },
+        { child: this.EXECUTE, parent: this.MANAGE },
+        { child: this.CREATE, parent: this.WRITE },
+        { child: this.UPDATE, parent: this.WRITE },
+        { child: this.DELETE, parent: this.WRITE },
+    ]; }
     static isValid(input) {
         return this.SCHEME_SET.has(input);
     }
@@ -97,9 +110,8 @@ class AuthorizationEnforcerTypes {
 }
 exports.AuthorizationEnforcerTypes = AuthorizationEnforcerTypes;
 class CasbinEnforcerCachedDrivers {
-    static { this.IN_MEMORY = 'in-memory'; }
     static { this.REDIS = 'redis'; }
-    static { this.SCHEME_SET = new Set([this.IN_MEMORY, this.REDIS]); }
+    static { this.SCHEME_SET = new Set([this.REDIS]); }
     static isValid(input) {
         return this.SCHEME_SET.has(input);
     }
@@ -114,17 +126,163 @@ class CasbinEnforcerModelDrivers {
     }
 }
 exports.CasbinEnforcerModelDrivers = CasbinEnforcerModelDrivers;
-class CasbinRuleVariants {
-    static { this.POLICY = 'policy'; }
-    static { this.GROUP = 'group'; }
-    /** Casbin line prefix for policy rules. */
-    static { this.P = 'p'; }
-    /** Casbin line prefix for grouping rules. */
-    static { this.G = 'g'; }
-    static { this.SCHEME_SET = new Set([this.POLICY, this.GROUP]); }
+class CasbinDomainMatchingFunctions {
+    /** `*` is the only wildcard; exact compare otherwise. Safest for `Merchant_<uuid>` domains. */
+    static { this.KEY_MATCH = 'keyMatch'; }
+    /** Adds URL-path `:param` segment matching. */
+    static { this.KEY_MATCH_2 = 'keyMatch2'; }
+    /** Adds `{param}` segment matching. */
+    static { this.KEY_MATCH_3 = 'keyMatch3'; }
+    /** `{param}` matching with repeated-name equality checks. */
+    static { this.KEY_MATCH_4 = 'keyMatch4'; }
+    /** Treats the stored/policy value as a full regular expression. */
+    static { this.REGEX_MATCH = 'regexMatch'; }
+    static { this.SCHEME_SET = new Set([
+        this.KEY_MATCH,
+        this.KEY_MATCH_2,
+        this.KEY_MATCH_3,
+        this.KEY_MATCH_4,
+        this.REGEX_MATCH,
+    ]); }
+    static isValid(input) {
+        return this.SCHEME_SET.has(input);
+    }
+}
+exports.CasbinDomainMatchingFunctions = CasbinDomainMatchingFunctions;
+class AuthorizationDomainScopes {
+    /** Grant applies in EVERY domain the subject is a member of (checked via join_domain / g2). */
+    static { this.ANY_MEMBER = 'ANY_MEMBER'; }
+    /** Grant applies system-wide, bypassing membership — super-admin only. */
+    static { this.SYSTEM_WIDE = 'SYSTEM_WIDE'; }
+    static { this.SCHEME_SET = new Set([this.ANY_MEMBER, this.SYSTEM_WIDE]); }
     static isValid(input) {
         return this.SCHEME_SET.has(input);
     }
 }
+exports.AuthorizationDomainScopes = AuthorizationDomainScopes;
+/**
+ * Engine-level vocabulary: the relation prefixes the Casbin MODEL declares — `p` for permission
+ * policies and `g`/`g2`…`g5` for grouping relations. This is the low-level building block that
+ * {@link AuthorizationPolicyVariants} maps onto (many app edge-types → one rule, e.g. both
+ * `assign_role` and `role_inherits` use `g`). Keep these in sync with the model's `[role_definition]`.
+ */
+class CasbinRuleVariants {
+    /** Permission policy line. */
+    static { this.P = 'p'; }
+    /**
+     * Numbered in request-tuple order (`sub → dom → obj → act`) so the matcher reads left-to-right:
+     * g (sub), g2/g3 (dom), g4 (obj), g5 (act).
+     */
+    /** Grouping #1 — role membership + role inheritance (user→role, role→role). The `sub` axis. */
+    static { this.G = 'g'; }
+    /** Grouping #2 — user→domain membership (join_domain). The `dom` axis (membership). */
+    static { this.G2 = 'g2'; }
+    /** Grouping #3 — domain hierarchy. The `dom` axis (nesting). */
+    static { this.G3 = 'g3'; }
+    /** Grouping #4 — resource hierarchy. The `obj` axis. */
+    static { this.G4 = 'g4'; }
+    /** Grouping #5 — action hierarchy. The `act` axis. */
+    static { this.G5 = 'g5'; }
+}
 exports.CasbinRuleVariants = CasbinRuleVariants;
+/**
+ * The kinds of "edge" stored in the single `PolicyDefinition` table. Every row links a `subject`
+ * (type + id) to a `target` (type + id); the `variant` column says WHAT kind of link it is.
+ *
+ * Picture the whole RBAC state as a graph — nodes are User / Role / Permission / Domain, and each
+ * PolicyDefinition row is one edge. `ScopedCasbinAdapter` reads these rows and emits one casbin line
+ * per edge. Each entry below carries:
+ *   - `action` — the value stored in the DB `variant` column (what the adapter filters on).
+ *   - `rule`   — the casbin grouping/policy prefix the adapter emits for that edge (`p`, `g`, `g2`…).
+ *
+ * Per-USER edges (differ per user): GRANT, ASSIGN_ROLE, JOIN_DOMAIN.
+ * Shared HIERARCHY edges (same for everyone — describe the org structure, not a user):
+ *   ROLE_INHERITS, RESOURCE_INHERITS, ACTION_INHERITS, DOMAIN_INHERITS.
+ */
+class AuthorizationPolicyVariants {
+    /**
+     * Give a Permission to a User or Role (the grant row also carries action / effect / domain).
+     * casbin `p`: `p, <Role|User>_<id>, <domain>, <permissionCode>, <action>, <allow|deny>`
+     * e.g. `p, Role_5, ANY_MEMBER, Order, read, allow` — "Role 5 may read Order in any joined domain".
+     */
+    static { this.GRANT = { action: 'grant', rule: CasbinRuleVariants.P }; }
+    /**
+     * Give a User a Role (optionally scoped to a domain; no domain → `*` = every domain).
+     * casbin `g`: `g, User_<id>, Role_<id>, <domain|*>`
+     * e.g. `g, User_42, Role_5, *` — "User 42 holds Role 5 everywhere".
+     */
+    static { this.ASSIGN_ROLE = { action: 'assign_role', rule: CasbinRuleVariants.G }; }
+    /**
+     * A Role inherits another Role (DAG). Shares the `g` relation with ASSIGN_ROLE so a
+     * user → role → parent-role chain resolves in one lookup. Emitted with domain `*`.
+     * casbin `g`: `g, Role_<child>, Role_<parent>, *`
+     * e.g. `g, Role_5, Role_9, *` — "Role 5 inherits everything Role 9 has".
+     */
+    static { this.ROLE_INHERITS = { action: 'role_inherits', rule: CasbinRuleVariants.G }; }
+    /**
+     * A User is a member of a Domain. Powers the `ANY_MEMBER` grant scope — a grant with domain
+     * `ANY_MEMBER` applies in every domain the user joined. Matcher uses `g2(r.sub, r.dom)`.
+     * casbin `g2`: `g2, User_<id>, <Type>_<domainId>`
+     * e.g. `g2, User_42, Merchant_7` — "User 42 is a member of Merchant 7".
+     */
+    static { this.JOIN_DOMAIN = { action: 'join_domain', rule: CasbinRuleVariants.G2 }; }
+    /**
+     * DOMAIN axis (the `dom` of a request). One domain is nested under a parent domain.
+     * Matcher: `g3(r.dom, p.dom)` (+ self-link, so an exact domain always matches itself).
+     * casbin `g3`: `g3, <Type>_<childId>, <Type>_<parentId>`
+     * e.g. `g3, Branch_1, Company_9` — "a grant scoped to Company 9 also applies in Branch 1".
+     */
+    static { this.DOMAIN_INHERITS = {
+        action: 'domain_inherits',
+        rule: CasbinRuleVariants.G3,
+    }; }
+    /**
+     * RESOURCE axis (the `obj` of a request). One resource is nested under a broader one — for
+     * NON-standard nesting only; dotted nesting (`Order.findById ⊂ Order`) is handled by `objectMatch`
+     * WITHOUT an edge. Matcher: `objectMatch(r.obj, p.obj) || g4(r.obj, p.obj)`.
+     * casbin `g4`: `g4, <childCode>, <parentCode>`
+     * e.g. `g4, OrderItem, Order` — "a grant on Order also covers OrderItem".
+     */
+    static { this.RESOURCE_INHERITS = {
+        action: 'resource_inherits',
+        rule: CasbinRuleVariants.G4,
+    }; }
+    /**
+     * ACTION axis (the `act` of a request) — SAME shape as RESOURCE_INHERITS but a DIFFERENT axis: a
+     * narrow action is covered by a broader one. No dotted shortcut — needs an explicit edge.
+     * Matcher: `g5(r.act, p.act)`.
+     * casbin `g5`: `g5, <childAction>, <parentAction>`
+     * e.g. `g5, read, manage` — "a grant of manage also allows read".
+     * (g4 + g5 combine multiplicatively: a `manage Order` grant covers a `read OrderItem` request.)
+     */
+    static { this.ACTION_INHERITS = {
+        action: 'action_inherits',
+        rule: CasbinRuleVariants.G5,
+    }; }
+    static { this.ACTION_SCHEME_SET = new Set([
+        this.GRANT.action.toString(),
+        this.ASSIGN_ROLE.action.toString(),
+        this.ROLE_INHERITS.action.toString(),
+        this.JOIN_DOMAIN.action.toString(),
+        this.DOMAIN_INHERITS.action.toString(),
+        this.RESOURCE_INHERITS.action.toString(),
+        this.ACTION_INHERITS.action.toString(),
+    ]); }
+    static { this.RULE_SCHEME_SET = new Set([
+        this.GRANT.rule.toString(),
+        this.ASSIGN_ROLE.rule.toString(),
+        this.ROLE_INHERITS.rule.toString(),
+        this.JOIN_DOMAIN.rule.toString(),
+        this.DOMAIN_INHERITS.rule.toString(),
+        this.RESOURCE_INHERITS.rule.toString(),
+        this.ACTION_INHERITS.rule.toString(),
+    ]); }
+    static isValidAction(input) {
+        return this.ACTION_SCHEME_SET.has(input);
+    }
+    static isValidRule(input) {
+        return this.RULE_SCHEME_SET.has(input);
+    }
+}
+exports.AuthorizationPolicyVariants = AuthorizationPolicyVariants;
 //# sourceMappingURL=constants.js.map

package/dist/components/auth/authorize/common/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":";;;AACA,iFAAuE;AAEvE,MAAa,aAAa;aACR,UAAK,GAAG,qBAAqB,CAAC;aAC9B,uBAAkB,GAAG,oBAAoB,CAAC;aAC1C,aAAQ,GAAG,wBAAwB,CAAC;;AAHtD,sCAIC;AAED,MAAa,oBAAoB;aACf,WAAM,GAAG,QAAQ,CAAC;aAClB,SAAI,GAAG,MAAM,CAAC;aACd,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAClB,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,IAAI;QACT,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,OAAO;KACb,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAjBH,oDAkBC;AAGD,MAAa,sBAAsB;aACjB,UAAK,GAAG,OAAO,CAAC;aAChB,SAAI,GAAG,MAAM,CAAC;aACd,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,KAAsB;QACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,KAAK,CAAC;IAC5C,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,KAAsB;QAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,SAAS,CAAC,KAAsB;QACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,OAAO,CAAC;IAC9C,CAAC;;AA9BH,wDA+BC;AAGD,MAAa,kBAAkB;aACb,gBAAW,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACpD,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,SAAI,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC7C,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,EAAE;KACb,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aACa,iBAAY,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACrD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aAEa,eAAU,GAAG,IAAI,GAAG,CAAS;QAC3C,IAAI,CAAC,WAAW,CAAC,UAAU;QAC3B,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,IAAI,CAAC,UAAU;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,YAAY,CAAC,UAAU;KAC7B,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAhCH,gDAiCC;AAED,MAAa,0BAA0B;aACrB,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAElB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,2BAA2B;aACtB,cAAS,GAAG,WAAW,CAAC;aACxB,UAAK,GAAG,OAAO,CAAC;aAEhB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAEnE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,kEASC;AAID,MAAa,0BAA0B;aACrB,SAAI,GAAG,MAAM,CAAC;aACd,SAAI,GAAG,MAAM,CAAC;aAEd,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,kBAAkB;aACb,WAAM,GAAG,QAAQ,CAAC;aAClB,UAAK,GAAG,OAAO,CAAC;IAEhC,2CAA2C;aAC3B,MAAC,GAAG,GAAG,CAAC;IACxB,6CAA6C;aAC7B,MAAC,GAAG,GAAG,CAAC;aAER,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAEhE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAbH,gDAcC"}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":";;;AACA,iFAAuE;AAEvE,MAAa,aAAa;aACR,UAAK,GAAG,qBAAqB,CAAC;aAC9B,uBAAkB,GAAG,oBAAoB,CAAC;aAC1C,aAAQ,GAAG,wBAAwB,CAAC;aACpC,WAAM,GAAG,sBAAsB,CAAC;;AAJlD,sCAKC;AAED,MAAa,oBAAoB;aACf,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAClB,YAAO,GAAG,SAAS,CAAC;aAEpB,SAAI,GAAG,MAAM,CAAC;aACd,UAAK,GAAG,OAAO,CAAC;aAChB,WAAM,GAAG,QAAQ,CAAC;aAElB,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,OAAO;QAEZ,IAAI,CAAC,IAAI;QACT,IAAI,CAAC,KAAK;QACV,IAAI,CAAC,MAAM;KACZ,CAAC,CAAC;aAEa,YAAO,GAGlB;QACH,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;QACzC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;QAC1C,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;QAC5C,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE;QAC1C,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE;QAC1C,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE;KAC3C,CAAC;IAEF,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAnCH,oDAoCC;AAGD,MAAa,sBAAsB;aACjB,UAAK,GAAG,OAAO,CAAC;aAChB,SAAI,GAAG,MAAM,CAAC;aACd,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,KAAsB;QACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,KAAK,CAAC;IAC5C,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,KAAsB;QAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,SAAS,CAAC,KAAsB;QACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,OAAO,CAAC;IAC9C,CAAC;;AA9BH,wDA+BC;AAGD,MAAa,kBAAkB;aACb,gBAAW,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACpD,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,SAAI,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC7C,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,EAAE;KACb,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aACa,iBAAY,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACrD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aAEa,eAAU,GAAG,IAAI,GAAG,CAAS;QAC3C,IAAI,CAAC,WAAW,CAAC,UAAU;QAC3B,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,IAAI,CAAC,UAAU;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,YAAY,CAAC,UAAU;KAC7B,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAhCH,gDAiCC;AAED,MAAa,0BAA0B;aACrB,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAElB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,2BAA2B;aACtB,UAAK,GAAG,OAAO,CAAC;aAEhB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAEnD,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAPH,kEAQC;AAID,MAAa,0BAA0B;aACrB,SAAI,GAAG,MAAM,CAAC;aACd,SAAI,GAAG,MAAM,CAAC;aAEd,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,6BAA6B;IACxC,+FAA+F;aAC/E,cAAS,GAAG,UAAU,CAAC;IAEvC,+CAA+C;aAC/B,gBAAW,GAAG,WAAW,CAAC;IAE1C,uCAAuC;aACvB,gBAAW,GAAG,WAAW,CAAC;IAE1C,6DAA6D;aAC7C,gBAAW,GAAG,WAAW,CAAC;IAE1C,mEAAmE;aACnD,gBAAW,GAAG,YAAY,CAAC;aAE3B,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,SAAS;QACd,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;KACjB,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AA1BH,sEA2BC;AAID,MAAa,yBAAyB;IACpC,+FAA+F;aAC/E,eAAU,GAAG,YAAY,CAAC;IAE1C,0EAA0E;aAC1D,gBAAW,GAAG,aAAa,CAAC;aAE5B,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAE1E,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAXH,8DAYC;AAGD;;;;;GAKG;AACH,MAAa,kBAAkB;IAC7B,8BAA8B;aACd,MAAC,GAAG,GAAG,CAAC;IAExB;;;OAGG;IAEH,+FAA+F;aAC/E,MAAC,GAAG,GAAG,CAAC;IAExB,uFAAuF;aACvE,OAAE,GAAG,IAAI,CAAC;IAE1B,gEAAgE;aAChD,OAAE,GAAG,IAAI,CAAC;IAE1B,wDAAwD;aACxC,OAAE,GAAG,IAAI,CAAC;IAE1B,sDAAsD;aACtC,OAAE,GAAG,IAAI,CAAC;;AAtB5B,gDAuBC;AAID;;;;;;;;;;;;;GAaG;AACH,MAAa,2BAA2B;IACtC;;;;OAIG;aACa,UAAK,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAW,CAAC;IAEjF;;;;OAIG;aACa,gBAAW,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAW,CAAC;IAE7F;;;;;OAKG;aACa,kBAAa,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAW,CAAC;IAEjG;;;;;OAKG;aACa,gBAAW,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,kBAAkB,CAAC,EAAE,EAAW,CAAC;IAE9F;;;;;OAKG;aACa,oBAAe,GAAG;QAChC,MAAM,EAAE,iBAAiB;QACzB,IAAI,EAAE,kBAAkB,CAAC,EAAE;KACnB,CAAC;IAEX;;;;;;OAMG;aACa,sBAAiB,GAAG;QAClC,MAAM,EAAE,mBAAmB;QAC3B,IAAI,EAAE,kBAAkB,CAAC,EAAE;KACnB,CAAC;IAEX;;;;;;;OAOG;aACa,oBAAe,GAAG;QAChC,MAAM,EAAE,iBAAiB;QACzB,IAAI,EAAE,kBAAkB,CAAC,EAAE;KACnB,CAAC;aAEK,sBAAiB,GAAG,IAAI,GAAG,CAAC;QAC1C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE;QAC5B,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE;QAClC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE;QACpC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE;QAClC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE;QACtC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,EAAE;QACxC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE;KACvC,CAAC,CAAC;aAEa,oBAAe,GAAG,IAAI,GAAG,CAAC;QACxC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;QAC1B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE;QAChC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE;QAClC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE;QAChC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE;QACpC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE;QACtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE;KACrC,CAAC,CAAC;IAEH,MAAM,CAAC,aAAa,CAAC,KAAa;QAChC,OAAO,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,WAAW,CAAC,KAAa;QAC9B,OAAO,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;;AA7FH,kEA8FC"}

package/dist/components/auth/authorize/common/index.d.ts

@@ -1,4 +1,8 @@
 export * from './constants';
 export * from './keys';
+export * from './object-match';
+export * from './permission-builder';
+export * from './policy-builder';
+export * from './resolve-request-domain';
 export * from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/components/auth/authorize/common/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,QAAQ,CAAC;AACvB,cAAc,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,QAAQ,CAAC;AACvB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,0BAA0B,CAAC;AACzC,cAAc,SAAS,CAAC"}

package/dist/components/auth/authorize/common/index.js

@@ -16,5 +16,9 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./constants"), exports);
 __exportStar(require("./keys"), exports);
+__exportStar(require("./object-match"), exports);
+__exportStar(require("./permission-builder"), exports);
+__exportStar(require("./policy-builder"), exports);
+__exportStar(require("./resolve-request-domain"), exports);
 __exportStar(require("./types"), exports);
 //# sourceMappingURL=index.js.map

package/dist/components/auth/authorize/common/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,yCAAuB;AACvB,0CAAwB"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,yCAAuB;AACvB,iDAA+B;AAC/B,uDAAqC;AACrC,mDAAiC;AACjC,2DAAyC;AACzC,0CAAwB"}

package/dist/components/auth/authorize/common/object-match.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Resource-hierarchy matcher for casbin `g4`. Decides whether a requested resource node
+ * falls under a granted resource node WITHOUT storing the "standard" edges
+ * (endpoint ⊂ subject ⊂ *), which are derivable from the dotted `code`.
+ *
+ * Non-standard edges (e.g. `OrderItem ⊂ Order`) are NOT covered here — those are stored as
+ * explicit `resource_inherits` (g4) links and resolved by casbin's role manager.
+ *
+ * Registered in TWO ways by the enforcer (both required):
+ *   1. `enforcer.addFunction('objectMatch', objectMatch)` — lets the matcher call
+ *      `objectMatch(r.obj, p.obj)` directly for "graph-free" prefix/wildcard matching. casbin's
+ *      role-manager `hasLink` only traverses stored nodes, so a `g4(...)`-only call can't match
+ *      `p.obj = '*'` or a subject that isn't a stored g4 vertex — the direct call covers those.
+ *   2. `enforcer.addNamedMatchingFunc('g4', objectMatch)` — applies the same semantics when
+ *      traversing explicit stored `resource_inherits` (g4) edges.
+ *
+ * @param requested the resource on the request (r.obj), e.g. `Activation.findById`
+ * @param granted   the resource on the policy (p.obj), e.g. `Activation` or `*`
+ */
+export declare const objectMatch: (requested: string, granted: string) => boolean;
+//# sourceMappingURL=object-match.d.ts.map

package/dist/components/auth/authorize/common/object-match.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"object-match.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/object-match.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,WAAW,GAAI,WAAW,MAAM,EAAE,SAAS,MAAM,KAAG,OAUhE,CAAC"}

package/dist/components/auth/authorize/common/object-match.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.objectMatch = void 0;
+/**
+ * Resource-hierarchy matcher for casbin `g4`. Decides whether a requested resource node
+ * falls under a granted resource node WITHOUT storing the "standard" edges
+ * (endpoint ⊂ subject ⊂ *), which are derivable from the dotted `code`.
+ *
+ * Non-standard edges (e.g. `OrderItem ⊂ Order`) are NOT covered here — those are stored as
+ * explicit `resource_inherits` (g4) links and resolved by casbin's role manager.
+ *
+ * Registered in TWO ways by the enforcer (both required):
+ *   1. `enforcer.addFunction('objectMatch', objectMatch)` — lets the matcher call
+ *      `objectMatch(r.obj, p.obj)` directly for "graph-free" prefix/wildcard matching. casbin's
+ *      role-manager `hasLink` only traverses stored nodes, so a `g4(...)`-only call can't match
+ *      `p.obj = '*'` or a subject that isn't a stored g4 vertex — the direct call covers those.
+ *   2. `enforcer.addNamedMatchingFunc('g4', objectMatch)` — applies the same semantics when
+ *      traversing explicit stored `resource_inherits` (g4) edges.
+ *
+ * @param requested the resource on the request (r.obj), e.g. `Activation.findById`
+ * @param granted   the resource on the policy (p.obj), e.g. `Activation` or `*`
+ */
+const objectMatch = (requested, granted) => {
+    if (granted === '*') {
+        return true;
+    }
+    if (requested === granted) {
+        return true;
+    }
+    return requested.startsWith(`${granted}.`);
+};
+exports.objectMatch = objectMatch;
+//# sourceMappingURL=object-match.js.map

package/dist/components/auth/authorize/common/object-match.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"object-match.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/object-match.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACI,MAAM,WAAW,GAAG,CAAC,SAAiB,EAAE,OAAe,EAAW,EAAE;IACzE,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,SAAS,CAAC,UAAU,CAAC,GAAG,OAAO,GAAG,CAAC,CAAC;AAC7C,CAAC,CAAC;AAVW,QAAA,WAAW,eAUtB"}

package/dist/components/auth/authorize/common/permission-builder.d.ts

@@ -0,0 +1,92 @@
+import { IdType } from '../../../../base';
+import { TNullable } from '../../../../helpers';
+import { TAuthorizationAction } from './constants';
+/**
+ * Builders for `Permission` catalog rows (the `obj` axis the scoped matcher resolves).
+ *
+ * Generic over the name/description type (`TName`) so an app with i18n `name`/`description` columns and
+ * one with plain-text names both fit. Produces the framework-owned columns
+ * (code/subject/method/action/scope/description/parentId); `description` defaults to `null`.
+ * App-specific columns are added by the caller.
+ */
+export declare class AuthorizationPermissionBuilder {
+    /** Sentinel `method` for a coarse resource node (a grant target that is not a route). */
+    static readonly RESOURCE_NODE_METHOD = "*";
+    /** Standard repository method → base action. Unlisted methods (custom ops, aggregates) resolve to `execute`. */
+    static readonly METHOD_ACTIONS: Readonly<Record<string, TAuthorizationAction>>;
+    /** The CRUD methods {@link crud} generates by default. */
+    static readonly DEFAULT_CRUD_METHODS: ReadonlyArray<string>;
+    /** Base action for a method: a known CRUD method maps to read/create/update/delete; anything else → `execute`. */
+    static actionForMethod(method: string): TAuthorizationAction;
+    /** One operation-level permission, `code = <subject>.<method>`. `action` defaults to {@link actionForMethod}. */
+    static operation<TName>(opts: {
+        subject: string;
+        method: string;
+        scope: string;
+        name: TName;
+        description?: TNullable<TName>;
+        action?: TAuthorizationAction;
+        parentId?: TNullable<IdType>;
+    }): {
+        code: string;
+        subject: string;
+        method: string;
+        action: string;
+        scope: string;
+        description: NonNullable<TName> | null;
+        parentId: IdType | null;
+        name: TName;
+    };
+    /**
+     * A coarse resource node (module or subject) used as a grant target, e.g. `Sale` or `SaleOrder`.
+     * `code` is the bare name (no dotted method); `method` is the {@link RESOURCE_NODE_METHOD} sentinel.
+     * `action` defaults to `manage` (the broadest), though the grant on this node carries its own action.
+     */
+    static resourceNode<TName>(opts: {
+        code: string;
+        subject?: string;
+        scope: string;
+        name: TName;
+        description?: TNullable<TName>;
+        action?: TAuthorizationAction;
+        parentId?: TNullable<IdType>;
+    }): {
+        code: string;
+        subject: string;
+        method: string;
+        action: string;
+        scope: string;
+        description: NonNullable<TName> | null;
+        parentId: IdType | null;
+        name: TName;
+    };
+    /**
+     * The CRUD permission set for a subject. `name` (and optional `description`) are per-method formatters,
+     * so the app supplies its own labels/i18n; the framework only owns the method→action map and code shape.
+     */
+    static crud<TName>(opts: {
+        subject: string;
+        scope: string;
+        name: (ctx: {
+            subject: string;
+            method: string;
+            action: TAuthorizationAction;
+        }) => TName;
+        description?: (ctx: {
+            subject: string;
+            method: string;
+            action: TAuthorizationAction;
+        }) => TNullable<TName>;
+        methods?: ReadonlyArray<string>;
+    }): {
+        code: string;
+        subject: string;
+        method: string;
+        action: string;
+        scope: string;
+        description: NonNullable<TName> | null;
+        parentId: IdType | null;
+        name: TName;
+    }[];
+}
+//# sourceMappingURL=permission-builder.d.ts.map

package/dist/components/auth/authorize/common/permission-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-builder.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/permission-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAwB,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEzE;;;;;;;GAOG;AACH,qBAAa,8BAA8B;IACzC,yFAAyF;IACzF,MAAM,CAAC,QAAQ,CAAC,oBAAoB,OAAO;IAE3C,gHAAgH;IAChH,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC,CAU5E;IAEF,0DAA0D;IAC1D,MAAM,CAAC,QAAQ,CAAC,oBAAoB,EAAE,aAAa,CAAC,MAAM,CAAC,CAUzD;IAEF,kHAAkH;IAClH,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB;IAI5D,iHAAiH;IACjH,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QAC5B,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,KAAK,CAAC;QACZ,WAAW,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QAC/B,MAAM,CAAC,EAAE,oBAAoB,CAAC;QAC9B,QAAQ,CAAC,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;KAC9B;;;;;;;;;;IAaD;;;;OAIG;IACH,MAAM,CAAC,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE;QAC/B,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,KAAK,CAAC;QACZ,WAAW,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QAC/B,MAAM,CAAC,EAAE,oBAAoB,CAAC;QAC9B,QAAQ,CAAC,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;KAC9B;;;;;;;;;;IAaD;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE;QACvB,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,CAAC,GAAG,EAAE;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,oBAAoB,CAAA;SAAE,KAAK,KAAK,CAAC;QACxF,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE;YAClB,OAAO,EAAE,MAAM,CAAC;YAChB,MAAM,EAAE,MAAM,CAAC;YACf,MAAM,EAAE,oBAAoB,CAAC;SAC9B,KAAK,SAAS,CAAC,KAAK,CAAC,CAAC;QACvB,OAAO,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;KACjC;;;;;;;;;;CAqBF"}

package/dist/components/auth/authorize/common/permission-builder.js

@@ -0,0 +1,99 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationPermissionBuilder = void 0;
+const constants_1 = require("./constants");
+/**
+ * Builders for `Permission` catalog rows (the `obj` axis the scoped matcher resolves).
+ *
+ * Generic over the name/description type (`TName`) so an app with i18n `name`/`description` columns and
+ * one with plain-text names both fit. Produces the framework-owned columns
+ * (code/subject/method/action/scope/description/parentId); `description` defaults to `null`.
+ * App-specific columns are added by the caller.
+ */
+class AuthorizationPermissionBuilder {
+    /** Sentinel `method` for a coarse resource node (a grant target that is not a route). */
+    static { this.RESOURCE_NODE_METHOD = '*'; }
+    /** Standard repository method → base action. Unlisted methods (custom ops, aggregates) resolve to `execute`. */
+    static { this.METHOD_ACTIONS = {
+        find: constants_1.AuthorizationActions.READ,
+        findById: constants_1.AuthorizationActions.READ,
+        findOne: constants_1.AuthorizationActions.READ,
+        count: constants_1.AuthorizationActions.READ,
+        create: constants_1.AuthorizationActions.CREATE,
+        updateById: constants_1.AuthorizationActions.UPDATE,
+        updateBy: constants_1.AuthorizationActions.UPDATE,
+        deleteById: constants_1.AuthorizationActions.DELETE,
+        deleteBy: constants_1.AuthorizationActions.DELETE,
+    }; }
+    /** The CRUD methods {@link crud} generates by default. */
+    static { this.DEFAULT_CRUD_METHODS = [
+        'find',
+        'findById',
+        'findOne',
+        'count',
+        'create',
+        'updateById',
+        'updateBy',
+        'deleteById',
+        'deleteBy',
+    ]; }
+    /** Base action for a method: a known CRUD method maps to read/create/update/delete; anything else → `execute`. */
+    static actionForMethod(method) {
+        return AuthorizationPermissionBuilder.METHOD_ACTIONS[method] ?? constants_1.AuthorizationActions.EXECUTE;
+    }
+    /** One operation-level permission, `code = <subject>.<method>`. `action` defaults to {@link actionForMethod}. */
+    static operation(opts) {
+        return {
+            code: [opts.subject, opts.method].join('.'),
+            subject: opts.subject,
+            method: opts.method,
+            action: opts.action ?? AuthorizationPermissionBuilder.actionForMethod(opts.method),
+            scope: opts.scope,
+            description: opts.description ?? null,
+            parentId: opts.parentId ?? null,
+            name: opts.name,
+        };
+    }
+    /**
+     * A coarse resource node (module or subject) used as a grant target, e.g. `Sale` or `SaleOrder`.
+     * `code` is the bare name (no dotted method); `method` is the {@link RESOURCE_NODE_METHOD} sentinel.
+     * `action` defaults to `manage` (the broadest), though the grant on this node carries its own action.
+     */
+    static resourceNode(opts) {
+        return {
+            code: opts.code,
+            subject: opts.subject ?? opts.code,
+            method: AuthorizationPermissionBuilder.RESOURCE_NODE_METHOD,
+            action: opts.action ?? constants_1.AuthorizationActions.MANAGE,
+            scope: opts.scope,
+            description: opts.description ?? null,
+            parentId: opts.parentId ?? null,
+            name: opts.name,
+        };
+    }
+    /**
+     * The CRUD permission set for a subject. `name` (and optional `description`) are per-method formatters,
+     * so the app supplies its own labels/i18n; the framework only owns the method→action map and code shape.
+     */
+    static crud(opts) {
+        const methods = opts.methods ?? AuthorizationPermissionBuilder.DEFAULT_CRUD_METHODS;
+        return methods.map(method => {
+            const action = AuthorizationPermissionBuilder.actionForMethod(method);
+            const ctx = {
+                subject: opts.subject,
+                method,
+                action,
+            };
+            return AuthorizationPermissionBuilder.operation({
+                subject: opts.subject,
+                method,
+                scope: opts.scope,
+                action,
+                name: opts.name(ctx),
+                description: opts.description ? opts.description(ctx) : undefined,
+            });
+        });
+    }
+}
+exports.AuthorizationPermissionBuilder = AuthorizationPermissionBuilder;
+//# sourceMappingURL=permission-builder.js.map

package/dist/components/auth/authorize/common/permission-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-builder.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/permission-builder.ts"],"names":[],"mappings":";;;AAEA,2CAAyE;AAEzE;;;;;;;GAOG;AACH,MAAa,8BAA8B;IACzC,yFAAyF;aACzE,yBAAoB,GAAG,GAAG,CAAC;IAE3C,gHAAgH;aAChG,mBAAc,GAAmD;QAC/E,IAAI,EAAE,gCAAoB,CAAC,IAAI;QAC/B,QAAQ,EAAE,gCAAoB,CAAC,IAAI;QACnC,OAAO,EAAE,gCAAoB,CAAC,IAAI;QAClC,KAAK,EAAE,gCAAoB,CAAC,IAAI;QAChC,MAAM,EAAE,gCAAoB,CAAC,MAAM;QACnC,UAAU,EAAE,gCAAoB,CAAC,MAAM;QACvC,QAAQ,EAAE,gCAAoB,CAAC,MAAM;QACrC,UAAU,EAAE,gCAAoB,CAAC,MAAM;QACvC,QAAQ,EAAE,gCAAoB,CAAC,MAAM;KACtC,CAAC;IAEF,0DAA0D;aAC1C,yBAAoB,GAA0B;QAC5D,MAAM;QACN,UAAU;QACV,SAAS;QACT,OAAO;QACP,QAAQ;QACR,YAAY;QACZ,UAAU;QACV,YAAY;QACZ,UAAU;KACX,CAAC;IAEF,kHAAkH;IAClH,MAAM,CAAC,eAAe,CAAC,MAAc;QACnC,OAAO,8BAA8B,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,gCAAoB,CAAC,OAAO,CAAC;IAC/F,CAAC;IAED,iHAAiH;IACjH,MAAM,CAAC,SAAS,CAAQ,IAQvB;QACC,OAAO;YACL,IAAI,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YAC3C,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,8BAA8B,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;YAClF,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI;YACrC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;YAC/B,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,YAAY,CAAQ,IAQ1B;QACC,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI;YAClC,MAAM,EAAE,8BAA8B,CAAC,oBAAoB;YAC3D,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,gCAAoB,CAAC,MAAM;YAClD,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI;YACrC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;YAC/B,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAQ,IAUlB;QACC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,8BAA8B,CAAC,oBAAoB,CAAC;QAEpF,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE;YAC1B,MAAM,MAAM,GAAG,8BAA8B,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;YACtE,MAAM,GAAG,GAAsE;gBAC7E,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM;gBACN,MAAM;aACP,CAAC;YAEF,OAAO,8BAA8B,CAAC,SAAS,CAAQ;gBACrD,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM;gBACN,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM;gBACN,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;gBACpB,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;aAClE,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;;AArHH,wEAsHC"}