@venizia/ignis 0.0.9-2 → 0.0.9-21

package/dist/components/auth/authorize/enforcers/casbin.enforcer.js

@@ -18,14 +18,27 @@ const injectors_1 = require("../../../../base/metadata/injectors");
 const ignis_helpers_1 = require("@venizia/ignis-helpers");
 const common_1 = require("../common");
 // Casbin Authorization Enforcer — wraps casbin (optional peer dep)
+//
+// Each request evaluates on its OWN enforcer borrowed from a BasePoolHelper<Enforcer>. This kills the
+// shared-model concurrency race: a borrowed enforcer is clearPolicy'd + loaded with THIS user's lines +
+// buildRoleLinks'd + enforceSync'd atomically inside the same pool.use callback, and the pool destroys
+// the enforcer on any error (fail-closed). Pooled enforcers are created WITHOUT an adapter (no DB load at
+// warmup); the adapter is only used by the isolated throwaway extractor (extractUserLines).
 let CasbinAuthorizationEnforcer = CasbinAuthorizationEnforcer_1 = class CasbinAuthorizationEnforcer extends ignis_helpers_1.BaseHelper {
     constructor(options) {
         super({ scope: CasbinAuthorizationEnforcer_1.name });
         this.options = options;
         this.name = CasbinAuthorizationEnforcer_1.name;
         this.MIN_EXPIRES_IN = 10_000;
-        this.enforcer = null;
-        this.inMemoryInvalidationTimer = null;
+        this.pool = null;
+        this.helper = null;
+        // cacheKey → the in-progress line-fetch for that key. Lets concurrent misses for the SAME user
+        // share one extraction instead of all hitting the DB (see fetchLinesWithRedisCache).
+        this.pendingLineFetches = new Map();
+        // Resolved once in configure(): options.normalizePayloadFn / scoped are fixed after configure, so
+        // we memoize the payload normalizer instead of rebuilding a closure on every evaluate() (hot path).
+        // Stays `null` until configure() runs; resolves to `undefined` when not scoped + no custom fn (3-arg path).
+        this.resolvedPayloadFn = null;
     }
     // Lifecycle
     async configure() {
@@ -43,121 +56,249 @@ let CasbinAuthorizationEnforcer = CasbinAuthorizationEnforcer_1 = class CasbinAu
                 message: '[CasbinAuthorizationEnforcer] options.model is required.',
             });
         }
-        const model = this.resolveModel({ casbin, model: this.options.model });
+        this.helper = casbin.Helper;
+        // Memoize the payload normalizer once — options.{normalizePayloadFn,scoped} are fixed after configure(),
+        // so evaluate() reads this field instead of rebuilding a closure per request (hot path).
+        this.resolvedPayloadFn = this.options.normalizePayloadFn ?? this.defaultScopedPayloadFn();
         const { cached } = this.options;
-        this.enforcer = await this.resolveCasbinEnforcer({
-            casbin,
-            model,
-            adapter: this.options.adapter,
-            cached,
+        if (cached.use) {
+            this.validateExpiresIn({ expiresIn: cached.options.expiresIn });
+        }
+        this.pool = new ignis_helpers_1.BasePoolHelper({
+            scope: `${CasbinAuthorizationEnforcer_1.name}.Pool`,
+            size: this.options.poolSize ?? 16,
+            acquireTimeoutMs: this.options.poolAcquireTimeoutMs ?? 5000,
+            create: async () => {
+                const model = this.resolveModel({ casbin, model: this.options.model });
+                // NO adapter → no DB load at warmup. Policies are loaded per-request in evaluate().
+                const enforcer = await casbin.newEnforcer(model);
+                await this.registerMatchers({ enforcer, casbin });
+                this.assertMatcherCompilesSync({ enforcer });
+                return enforcer;
+            },
         });
+        await this.pool.warmup();
         this.logger
             .for(this.configure.name)
-            .info('Casbin enforcer initialized (cached: %s, driver: %s)', cached.use, cached.use ? cached.driver : 'none');
+            .info('Casbin enforcer pool ready (size: %s, cached: %s)', this.options.poolSize ?? 16, cached.use ? cached.driver : 'none');
     }
     destroy() {
-        if (!this.inMemoryInvalidationTimer) {
-            return;
+        this.pool?.destroy().catch(error => {
+            this.logger.for(this.destroy.name).warn('Pool destroy failed: %s', error);
+        });
+    }
+    /**
+     * Boot-time smoke test for the matcher. casbin compiles the matcher expression LAZILY — not in
+     * newEnforcer() or buildRoleLinks(), but on the first enforce — so a broken matcher would otherwise
+     * only surface on the first real request (a 500 for a real user). Running one dummy enforceSync here
+     * forces that compile at warmup, turning these into a fail-at-boot for an authz component:
+     *   - matcher syntax errors in the model,
+     *   - references to functions that registerMatchers() didn't register (e.g. a renamed g-relation),
+     *   - request arity mismatch (4-token scoped model vs the 3/4 args we pass).
+     * Bonus: enforceSync also throws if a matcher func is async — but every func we register is a sync
+     * built-in, so that branch is effectively unreachable; the real value is the compile/wiring check above.
+     */
+    assertMatcherCompilesSync(opts) {
+        try {
+            if (this.options.isScoped || this.options.normalizePayloadFn) {
+                opts.enforcer.enforceSync('::warmup', '::warmup', '::warmup', '::warmup');
+                return;
+            }
+            opts.enforcer.enforceSync('::warmup', '::warmup', '::warmup');
+        }
+        catch (error) {
+            throw (0, ignis_helpers_1.getError)({
+                message: `[CasbinAuthorizationEnforcer] Matcher smoke test failed at warmup — the model matcher did not compile (check matcher syntax, that every referenced function is registered, and the request arity). ${String(error)}`,
+            });
         }
-        clearInterval(this.inMemoryInvalidationTimer);
-        this.inMemoryInvalidationTimer = null;
     }
     // IAuthorizationEnforcer — public API
     async buildRules(opts) {
         const { user } = opts;
-        if (!this.enforcer) {
+        const cached = this.options.cached;
+        const lines = cached.use
+            ? await this.fetchLinesWithRedisCache({ user, cached })
+            : await this.extractUserLines({ user });
+        return { user, lines };
+    }
+    async evaluate(opts) {
+        if (!this.pool) {
             throw (0, ignis_helpers_1.getError)({
-                message: '[CasbinAuthorizationEnforcer] Enforcer not initialized. Call configure() first.',
+                message: '[CasbinAuthorizationEnforcer] Not configured. Call configure() first.',
             });
         }
-        if (!this.enforcer.loadFilteredPolicy) {
+        if (!opts.request?.action || !opts.request?.resource) {
             throw (0, ignis_helpers_1.getError)({
-                message: '[CasbinAuthorizationEnforcer] Adapter does not support loadFilteredPolicy.',
+                message: '[CasbinAuthorizationEnforcer] request.action and request.resource are required.',
             });
         }
-        const cached = this.options.cached;
-        if (!cached.use) {
-            await this.loadPoliciesFromAdapter({ user });
-            return user;
-        }
-        switch (cached.driver) {
-            case common_1.CasbinEnforcerCachedDrivers.IN_MEMORY: {
-                await this.loadPoliciesFromAdapter({ user });
-                break;
-            }
-            case common_1.CasbinEnforcerCachedDrivers.REDIS: {
-                await this.loadPoliciesWithRedisCache({ user, cached });
-                break;
-            }
-            default: {
-                throw (0, ignis_helpers_1.getError)({
-                    message: `[buildRules] Invalid cached.driver | Valids: [${common_1.CasbinEnforcerCachedDrivers.IN_MEMORY}, ${common_1.CasbinEnforcerCachedDrivers.REDIS}]`,
+        const { rules, request, context } = opts;
+        const { user, lines } = rules;
+        return this.pool.use({
+            fn: async (enforcer) => {
+                // Load THIS user's lines + buildRoleLinks BEFORE any enforceSync on the borrowed enforcer.
+                await this.loadPolicyLinesIntoModel({ enforcer, lines });
+                const normalizePayloadFn = this.resolvedPayloadFn;
+                if (!normalizePayloadFn) {
+                    const subject = `${user.principalType}_${user.userId}`;
+                    const isAllowed = this.enforceWithExplain({
+                        enforcer,
+                        vals: [subject, String(request.resource), String(request.action)],
+                    });
+                    return isAllowed ? common_1.AuthorizationDecisions.ALLOW : common_1.AuthorizationDecisions.DENY;
+                }
+                const normalized = normalizePayloadFn({
+                    user,
+                    action: request.action,
+                    resource: request.resource,
+                    context,
                 });
-            }
+                // Domain-aware enforcement: enforceSync(sub, dom, obj, act).
+                // In scoped mode the model is 4-token (r = sub, dom, obj, act); a request with no resolvable
+                // domain MUST still enforce with a domain — default to SYSTEM_WIDE, never fall through to the
+                // 3-arg path (which would shift args against the scoped model and silently misjudge).
+                const domain = normalized.domain ??
+                    request.domain ??
+                    (this.options.isScoped ? common_1.AuthorizationDomainScopes.SYSTEM_WIDE : undefined);
+                const vals = domain
+                    ? [normalized.subject, domain, normalized.resource, normalized.action]
+                    : [normalized.subject, normalized.resource, normalized.action];
+                const isAllowed = this.enforceWithExplain({ enforcer, vals });
+                return isAllowed ? common_1.AuthorizationDecisions.ALLOW : common_1.AuthorizationDecisions.DENY;
+            },
+        });
+    }
+    /**
+     * Run the matcher synchronously and, on DENY, log WHICH policy rule decided it. enforceExSync returns
+     * `[isAllowed, matchedPolicy]` where matchedPolicy is the deciding rule (or `[]` when nothing matched →
+     * default-deny). The explain index is computed by the effector regardless of this call, so capturing it
+     * carries no meaningful cost over enforceSync — it just surfaces the reason for a denial to the logs.
+     */
+    enforceWithExplain(opts) {
+        const [isAllowed, matchedPolicy] = opts.enforcer.enforceExSync(...opts.vals);
+        if (!isAllowed) {
+            this.logger
+                .for(this.evaluate.name)
+                .info('DENY | request: [%s] | matchedPolicy: %s', opts.vals.join(', '), matchedPolicy.length ? matchedPolicy.join(', ') : '<none — default-deny>');
         }
-        return user;
+        return isAllowed;
     }
-    async evaluate(opts) {
-        if (!this.enforcer) {
+    // Cache management — optional IAuthorizationEnforcer members (on-demand)
+    async invalidateUserCache(opts) {
+        const cached = this.requireRedisCache();
+        const cacheKey = await this.resolveCacheKey({ user: opts.user, cached });
+        const invalidatedKeys = await cached.options.connection.client.del(cacheKey);
+        this.logger
+            .for(this.invalidateUserCache.name)
+            .info('Invalidated authz cache | user: %s | key: %s | deleted: %s', opts.user.userId, cacheKey, invalidatedKeys);
+        return { invalidatedKeys };
+    }
+    async rebuildUserCache(opts) {
+        const cached = this.requireRedisCache();
+        // Resolve the key once: drop the stale entry, then re-cache warm. Extraction runs on an ISOLATED
+        // throwaway enforcer (not a serving model), so a concurrent request cannot make us cache another
+        // user's policies under this key.
+        const cacheKey = await this.resolveCacheKey({ user: opts.user, cached });
+        await cached.options.connection.client.del(cacheKey);
+        const lines = await this.extractUserLines({ user: opts.user });
+        await this.writeCachedPolicyLines({ cacheKey, lines, options: cached.options });
+        this.logger
+            .for(this.rebuildUserCache.name)
+            .info('Rebuilt authz cache | user: %s | key: %s | lines: %s', opts.user.userId, cacheKey, lines.length);
+        return { cacheKey, lineCount: lines.length };
+    }
+    /** Compute the user's cache key and reject an empty result — consistent with the read path. */
+    async resolveCacheKey(opts) {
+        const cacheKey = await opts.cached.options.keyFn({ user: opts.user });
+        if (!cacheKey) {
             throw (0, ignis_helpers_1.getError)({
-                message: '[CasbinAuthorizationEnforcer] Enforcer not initialized. Call configure() first.',
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_4.BadRequest,
+                message: '[CasbinAuthorizationEnforcer] keyFn returned an empty cache key.',
             });
         }
-        if (!opts.request?.action || !opts.request?.resource) {
+        return cacheKey;
+    }
+    /** Narrow `options.cached` to the redis variant; cache management is redis-only. */
+    requireRedisCache() {
+        const { cached } = this.options;
+        if (!cached.use) {
             throw (0, ignis_helpers_1.getError)({
-                message: '[CasbinAuthorizationEnforcer] request.action and request.resource are required.',
+                message: '[CasbinAuthorizationEnforcer] Cache management requires the redis cache driver, but caching is disabled.',
             });
         }
-        const { rules: user, request, context } = opts;
-        const normalizePayloadFn = this.options.normalizePayloadFn;
-        let isAllowed;
-        if (!normalizePayloadFn) {
-            const subject = `${user.principalType}_${user.userId}`;
-            isAllowed = this.enforcer.enforceSync(subject, request.resource, request.action);
-            return isAllowed ? common_1.AuthorizationDecisions.ALLOW : common_1.AuthorizationDecisions.DENY;
-        }
-        const normalized = normalizePayloadFn({
-            user,
-            action: request.action,
-            resource: request.resource,
-            context,
-        });
-        // Domain-aware enforcement: enforceSync(sub, dom, obj, act)
-        if (normalized.domain) {
-            isAllowed = this.enforcer.enforceSync(normalized.subject, normalized.domain, normalized.resource, normalized.action);
+        return cached;
+    }
+    // Matchers & model resolvers
+    async registerMatchers(opts) {
+        const { enforcer, casbin } = opts;
+        const { domainMatching, isScoped } = this.options;
+        if (domainMatching) {
+            if (!enforcer.getNamedRoleManager(domainMatching.roleDefinition)) {
+                throw (0, ignis_helpers_1.getError)({
+                    message: `[registerMatchers] Role definition "${domainMatching.roleDefinition}" is not declared in the Casbin model. Declare it under [role_definition] (e.g. \`g = _, _, _\`) before enabling domainMatching.`,
+                });
+            }
+            const matchFn = this.resolveDomainMatchingFn({ casbin, name: domainMatching.fn });
+            await enforcer.addNamedDomainMatchingFunc(domainMatching.roleDefinition, matchFn);
         }
-        else {
-            isAllowed = this.enforcer.enforceSync(normalized.subject, normalized.resource, normalized.action);
+        if (isScoped) {
+            await enforcer.addNamedDomainMatchingFunc(common_1.CasbinRuleVariants.G, casbin.Util.keyMatchFunc);
+            await enforcer.addFunction('objectMatch', common_1.objectMatch);
+            // objectMatch is the matching func for the resource hierarchy relation (g4 under the
+            // request-tuple numbering); reference the constant so it tracks any future renumber.
+            await enforcer.addNamedMatchingFunc(common_1.AuthorizationPolicyVariants.RESOURCE_INHERITS.rule, common_1.objectMatch);
         }
-        return isAllowed ? common_1.AuthorizationDecisions.ALLOW : common_1.AuthorizationDecisions.DENY;
+        await enforcer.buildRoleLinks();
     }
-    // Enforcer & model resolvers
-    async resolveCasbinEnforcer(opts) {
-        const { casbin, model, adapter, cached } = opts;
-        if (!cached.use) {
-            return casbin.newEnforcer(model, adapter);
-        }
-        switch (cached.driver) {
-            case common_1.CasbinEnforcerCachedDrivers.IN_MEMORY: {
-                this.validateExpiresIn({ expiresIn: cached.options.expiresIn });
-                const enforcer = await casbin.newCachedEnforcer(model, adapter);
-                this.inMemoryInvalidationTimer = setInterval(() => {
-                    enforcer.invalidateCache();
-                    this.logger.info('[resolveCasbinEnforcer] Enforcer cache INVALIDATED | name: %s', this.name);
-                }, cached.options.expiresIn);
-                return enforcer;
+    /** Map a CasbinDomainMatchingFunctions value to casbin's Util.*Func matcher. */
+    resolveDomainMatchingFn(opts) {
+        // `Util` is casbin's bag of built-in comparison functions. Each `*Func` takes two strings
+        // (the request value, the stored/policy value) and returns whether they "match":
+        //   keyMatchFunc   — `*` is the only wildcard. keyMatch("anything","*")=true; exact otherwise.
+        //                    (Best for domains: only treats `*` specially, never splits on `/` or `:`,
+        //                     so it can never accidentally pattern-match a `Merchant_<uuid>`.)
+        //   keyMatch2Func  — adds URL-path `:param` segments (e.g. "/u/:id" matches "/u/1").
+        //   keyMatch3Func  — adds `{param}` segments (e.g. "/u/{id}").
+        //   keyMatch4Func  — `{param}` with repeated-name equality checks.
+        //   regexMatchFunc — treats the stored value as a full regular expression.
+        const { Util } = opts.casbin;
+        switch (opts.name) {
+            case common_1.CasbinDomainMatchingFunctions.KEY_MATCH: {
+                return Util.keyMatchFunc;
             }
-            case common_1.CasbinEnforcerCachedDrivers.REDIS: {
-                this.validateExpiresIn({ expiresIn: cached.options.expiresIn });
-                return casbin.newEnforcer(model, adapter);
+            case common_1.CasbinDomainMatchingFunctions.KEY_MATCH_2: {
+                return Util.keyMatch2Func;
+            }
+            case common_1.CasbinDomainMatchingFunctions.KEY_MATCH_3: {
+                return Util.keyMatch3Func;
+            }
+            case common_1.CasbinDomainMatchingFunctions.KEY_MATCH_4: {
+                return Util.keyMatch4Func;
+            }
+            case common_1.CasbinDomainMatchingFunctions.REGEX_MATCH: {
+                return Util.regexMatchFunc;
             }
             default: {
                 throw (0, ignis_helpers_1.getError)({
-                    message: `[resolveCasbinEnforcer] Invalid cached.driver | Valids: [${common_1.CasbinEnforcerCachedDrivers.IN_MEMORY}, ${common_1.CasbinEnforcerCachedDrivers.REDIS}]`,
+                    message: `[resolveDomainMatchingFn] Unsupported func: ${opts.name} | Valids: [${[...common_1.CasbinDomainMatchingFunctions.SCHEME_SET].join(', ')}]`,
                 });
             }
         }
     }
+    /** Default (sub,dom,obj,act) payload for the scoped model; domain comes from request.domain. */
+    defaultScopedPayloadFn() {
+        if (!this.options.isScoped) {
+            return undefined;
+        }
+        return (opts) => {
+            // No domain here — evaluate() fills it from request.domain (set by the provider).
+            return {
+                subject: `${opts.user.principalType}_${opts.user.userId}`,
+                resource: String(opts.resource),
+                action: String(opts.action),
+            };
+        };
+    }
     resolveModel(opts) {
         const { casbin, model } = opts;
         switch (model.driver) {
@@ -183,67 +324,126 @@ let CasbinAuthorizationEnforcer = CasbinAuthorizationEnforcer_1 = class CasbinAu
         });
     }
     // Policy loading internals
-    async loadPoliciesFromAdapter(opts) {
-        if (!this.enforcer) {
-            throw (0, ignis_helpers_1.getError)({
-                message: '[loadPoliciesFromAdapter] Invalid state of enforcer | Enforcer is not initialized!',
-            });
+    /**
+     * Fetch the user's policy lines, collapsing concurrent cache misses for the same key onto a single
+     * extraction (via `pendingLineFetches`) instead of letting every request hit the DB at once.
+     * Note: best-effort — two misses can both get past the cache read before either records its fetch
+     * in the map, so both extract once (benign: per-user lines are identical). It collapses the common
+     * case; the fast cache-hit path stays OUTSIDE the map to avoid needless contention.
+     */
+    async fetchLinesWithRedisCache(opts) {
+        const { user, cached } = opts;
+        const cacheKey = await this.resolveCacheKey({ user, cached });
+        const redisClient = cached.options.connection.client;
+        // Cache hit — Redis owns expiry (PX on write), so a present key is fresh by definition.
+        // A corrupted/legacy entry must NOT 500 the request: discard it and fall through to refetch.
+        const raw = await redisClient.get(cacheKey);
+        if (raw) {
+            const lines = this.parseCachedPolicyLines({ raw, cacheKey });
+            if (lines) {
+                return lines;
+            }
+        }
+        const existing = this.pendingLineFetches.get(cacheKey);
+        if (existing) {
+            return existing;
         }
-        await this.enforcer.loadFilteredPolicy({
-            principalType: opts.user.principalType,
-            principalValue: opts.user.userId,
+        // Cache miss (or discarded corrupt entry) — extract from an ISOLATED enforcer so a concurrent
+        // load cannot contaminate the cache, persist it, then return the lines for THIS request.
+        const task = async () => {
+            const lines = await this.extractUserLines({ user });
+            await this.writeCachedPolicyLines({ cacheKey, lines, options: cached.options });
+            return lines;
+        };
+        const promise = task().finally(() => {
+            this.pendingLineFetches.delete(cacheKey);
         });
+        this.pendingLineFetches.set(cacheKey, promise);
+        return promise;
     }
-    async loadPoliciesWithRedisCache(opts) {
-        const logger = this.logger.for(this.loadPoliciesWithRedisCache.name);
-        const { user, cached: { options }, } = opts;
-        const cacheKey = await options.keyFn({ user });
-        if (!cacheKey) {
-            throw (0, ignis_helpers_1.getError)({
-                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_4.BadRequest,
-                message: '[loadPoliciesWithRedisCache] Invalid cachedKey to start validate user authorization!',
-            });
+    /** Single source of truth for the Redis cache encoding. Used by miss-path and rebuild. */
+    async writeCachedPolicyLines(opts) {
+        await opts.options.connection.client.set(opts.cacheKey, JSON.stringify(opts.lines), 'PX', opts.options.expiresIn);
+    }
+    /** Decode cached policy lines; on any corruption, log and return null so the caller refetches. */
+    parseCachedPolicyLines(opts) {
+        try {
+            const parsed = JSON.parse(opts.raw);
+            if (!Array.isArray(parsed) || parsed.some(line => typeof line !== 'string')) {
+                throw (0, ignis_helpers_1.getError)({
+                    message: '[CasbinAuthorizationEnforcer] Cached payload is not an array of policy lines.',
+                });
+            }
+            return parsed;
         }
-        const redisClient = options.connection.client;
-        // Cache hit — load lines directly into model
-        const cachedData = await redisClient.get(cacheKey);
-        if (cachedData) {
-            const lines = JSON.parse(cachedData);
-            await this.loadPolicyLinesIntoModel({ lines });
-            logger.info('Loaded CACHED Policies into model | user: %s', user.userId);
-            return;
+        catch (error) {
+            this.logger
+                .for(this.parseCachedPolicyLines.name)
+                .warn('Discarding corrupted authz cache entry | key: %s | error: %s', opts.cacheKey, error);
+            return null;
         }
-        // Cache miss — load from adapter, extract lines, cache in Redis
-        await this.loadPoliciesFromAdapter({ user });
-        const lines = await this.extractPolicyLines();
-        await redisClient.set(cacheKey, JSON.stringify(lines), 'PX', options.expiresIn);
-        logger.info('Loaded ADAPTER + CACHED Policies into model | user: %s', user.userId);
     }
-    async extractPolicyLines() {
-        if (!this.enforcer) {
+    /**
+     * Extract a user's policy lines from an ISOLATED throwaway enforcer (its own model + the adapter),
+     * never a pooled serving enforcer. This is the core of the anti-poisoning design: concurrent requests
+     * on pooled enforcers can't change what we cache for this user. Used by buildRules + rebuild.
+     */
+    async extractUserLines(opts) {
+        const casbin = await import('casbin');
+        const model = this.resolveModel({ casbin, model: this.options.model });
+        const loader = await casbin.newEnforcer(model, this.options.adapter);
+        if (!loader.loadFilteredPolicy) {
             throw (0, ignis_helpers_1.getError)({
-                message: '[extractPolicyLines] Invalid state of enforcer | Enforcer is not initialized!',
+                message: '[extractUserLines] Adapter does not support loadFilteredPolicy.',
             });
         }
-        const pRules = await this.enforcer.getPolicy();
-        const ps = pRules.map(r => [common_1.CasbinRuleVariants.P, ...r].join(', '));
-        const gRules = await this.enforcer.getGroupingPolicy();
-        const gs = gRules.map(r => [common_1.CasbinRuleVariants.G, ...r].join(', '));
-        return [...ps, ...gs];
+        await loader.loadFilteredPolicy({
+            principal: { type: opts.user.principalType, id: opts.user.userId },
+        });
+        return this.extractLinesFrom(loader);
+    }
+    /**
+     * Serialize ALL policy + grouping rule types of an enforcer's model back into casbin lines.
+     * Covers every p-type (p, p2, …) and g-type (g, g2, g3, g4, g5, …) — not just `p`/`g` — so the
+     * cached payload is complete for the scoped model (resource/action/domain hierarchies + membership).
+     * Reads stored rules (independent of role-link matching funcs), so the loader needs none registered.
+     */
+    async extractLinesFrom(enforcer) {
+        const model = enforcer.getModel();
+        const lines = [];
+        const policyTypes = model.model.get(common_1.CasbinRuleVariants.P);
+        if (policyTypes) {
+            for (const ptype of policyTypes.keys()) {
+                const rules = await enforcer.getNamedPolicy(ptype);
+                for (const rule of rules) {
+                    lines.push([ptype, ...rule].join(', '));
+                }
+            }
+        }
+        const groupingTypes = model.model.get(common_1.CasbinRuleVariants.G);
+        if (groupingTypes) {
+            for (const gtype of groupingTypes.keys()) {
+                const rules = await enforcer.getNamedGroupingPolicy(gtype);
+                for (const rule of rules) {
+                    lines.push([gtype, ...rule].join(', '));
+                }
+            }
+        }
+        return lines;
     }
+    /** Atomically reset a borrowed enforcer's model to exactly `lines` + rebuild role links. */
     async loadPolicyLinesIntoModel(opts) {
-        if (!this.enforcer) {
+        if (!this.helper) {
             throw (0, ignis_helpers_1.getError)({
-                message: '[loadPolicyLinesIntoModel] Enforcer not initialized. Call configure() first.',
+                message: '[loadPolicyLinesIntoModel] Not configured. Call configure() first.',
             });
         }
-        const { Helper } = await import('casbin');
-        const model = this.enforcer.getModel();
+        const model = opts.enforcer.getModel();
         model.clearPolicy();
         for (const line of opts.lines) {
-            Helper.loadPolicyLine(line, model);
+            this.helper.loadPolicyLine(line, model);
         }
-        await this.enforcer.buildRoleLinks();
+        await opts.enforcer.buildRoleLinks();
     }
 };
 exports.CasbinAuthorizationEnforcer = CasbinAuthorizationEnforcer;

package/dist/components/auth/authorize/enforcers/casbin.enforcer.js.map

@@ -1 +1 @@
-{"version":3,"file":"casbin.enforcer.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/enforcers/casbin.enforcer.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AACA,yDAAmD;AACnD,0DAA+E;AAO/E,sCAamB;AAEnB,mEAAmE;AAEnE,IAAa,2BAA2B,mCAAxC,MAAa,2BAKX,SAAQ,0BAAU;IASlB,YAEE,OAA8D;QAE9D,KAAK,CAAC,EAAE,KAAK,EAAE,6BAA2B,CAAC,IAAI,EAAE,CAAC,CAAC;QAF3C,YAAO,GAAP,OAAO,CAA+C;QARhE,SAAI,GAAG,6BAA2B,CAAC,IAAI,CAAC;QACvB,mBAAc,GAAG,MAAM,CAAC;QAEjC,aAAQ,GAA6D,IAAI,CAAC;QAC1E,8BAAyB,GAA8B,IAAI,CAAC;IAOpE,CAAC;IAED,YAAY;IAEZ,KAAK,CAAC,SAAS;QACb,IAAI,MAA+B,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,yDAAyD;aACnE,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACxB,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,0DAA0D;aACpE,CAAC,CAAC;QACL,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QACvE,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEhC,IAAI,CAAC,QAAQ,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC;YAC/C,MAAM;YACN,KAAK;YACL,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO;YAC7B,MAAM;SACP,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM;aACR,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;aACxB,IAAI,CACH,sDAAsD,EACtD,MAAM,CAAC,GAAG,EACV,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CACpC,CAAC;IACN,CAAC;IAED,OAAO;QACL,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACpC,OAAO;QACT,CAAC;QAED,aAAa,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAC9C,IAAI,CAAC,yBAAyB,GAAG,IAAI,CAAC;IACxC,CAAC;IAED,sCAAsC;IAEtC,KAAK,CAAC,UAAU,CAAC,IAGhB;QACC,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC;QAEtB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,iFAAiF;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,EAAE,CAAC;YACtC,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,4EAA4E;aACtF,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QAEnC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,uBAAuB,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YAC7C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,QAAQ,MAAM,CAAC,MAAM,EAAE,CAAC;YACtB,KAAK,oCAA2B,CAAC,SAAS,CAAC,CAAC,CAAC;gBAC3C,MAAM,IAAI,CAAC,uBAAuB,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC7C,MAAM;YACR,CAAC;YACD,KAAK,oCAA2B,CAAC,KAAK,CAAC,CAAC,CAAC;gBACvC,MAAM,IAAI,CAAC,0BAA0B,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;gBACxD,MAAM;YACR,CAAC;YACD,OAAO,CAAC,CAAC,CAAC;gBACR,MAAM,IAAA,wBAAQ,EAAC;oBACb,OAAO,EAAE,iDAAiD,oCAA2B,CAAC,SAAS,KAAK,oCAA2B,CAAC,KAAK,GAAG;iBACzI,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAId;QACC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,iFAAiF;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,CAAC;YACrD,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,iFAAiF;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;QAC/C,MAAM,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,CAAC;QAE3D,IAAI,SAAkB,CAAC;QAEvB,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACvD,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YACjF,OAAO,SAAS,CAAC,CAAC,CAAC,+BAAsB,CAAC,KAAK,CAAC,CAAC,CAAC,+BAAsB,CAAC,IAAI,CAAC;QAChF,CAAC;QAED,MAAM,UAAU,GAAG,kBAAkB,CAAC;YACpC,IAAI;YACJ,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,OAAO;SACR,CAAC,CAAC;QAEH,4DAA4D;QAC5D,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;YACtB,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CACnC,UAAU,CAAC,OAAO,EAClB,UAAU,CAAC,MAAM,EACjB,UAAU,CAAC,QAAQ,EACnB,UAAU,CAAC,MAAM,CAClB,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,WAAW,CACnC,UAAU,CAAC,OAAO,EAClB,UAAU,CAAC,QAAQ,EACnB,UAAU,CAAC,MAAM,CAClB,CAAC;QACJ,CAAC;QAED,OAAO,SAAS,CAAC,CAAC,CAAC,+BAAsB,CAAC,KAAK,CAAC,CAAC,CAAC,+BAAsB,CAAC,IAAI,CAAC;IAChF,CAAC;IAED,6BAA6B;IAEnB,KAAK,CAAC,qBAAqB,CAAC,IAKrC;QACC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;QAEhD,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAChB,OAAO,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAC5C,CAAC;QAED,QAAQ,MAAM,CAAC,MAAM,EAAE,CAAC;YACtB,KAAK,oCAA2B,CAAC,SAAS,CAAC,CAAC,CAAC;gBAC3C,IAAI,CAAC,iBAAiB,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;gBAEhE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;gBAEhE,IAAI,CAAC,yBAAyB,GAAG,WAAW,CAAC,GAAG,EAAE;oBAChD,QAAQ,CAAC,eAAe,EAAE,CAAC;oBAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,+DAA+D,EAC/D,IAAI,CAAC,IAAI,CACV,CAAC;gBACJ,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAE7B,OAAO,QAAQ,CAAC;YAClB,CAAC;YACD,KAAK,oCAA2B,CAAC,KAAK,CAAC,CAAC,CAAC;gBACvC,IAAI,CAAC,iBAAiB,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;gBAChE,OAAO,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YAC5C,CAAC;YACD,OAAO,CAAC,CAAC,CAAC;gBACR,MAAM,IAAA,wBAAQ,EAAC;oBACb,OAAO,EAAE,4DAA4D,oCAA2B,CAAC,SAAS,KAAK,oCAA2B,CAAC,KAAK,GAAG;iBACpJ,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAES,YAAY,CAAC,IAGtB;QACC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;QAE/B,QAAQ,KAAK,CAAC,MAAM,EAAE,CAAC;YACrB,KAAK,mCAA0B,CAAC,IAAI,CAAC,CAAC,CAAC;gBACrC,OAAO,MAAM,CAAC,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YACnD,CAAC;YACD,KAAK,mCAA0B,CAAC,IAAI,CAAC,CAAC,CAAC;gBACrC,OAAO,MAAM,CAAC,kBAAkB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YACrD,CAAC;YACD,OAAO,CAAC,CAAC,CAAC;gBACR,MAAM,IAAA,wBAAQ,EAAC;oBACb,OAAO,EAAE,kDAAkD,mCAA0B,CAAC,IAAI,KAAK,mCAA0B,CAAC,IAAI,GAAG;iBAClI,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAES,iBAAiB,CAAC,IAA2B;QACrD,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,MAAM,IAAA,wBAAQ,EAAC;YACb,OAAO,EAAE,qEAAqE,IAAI,CAAC,cAAc,qBAAqB,IAAI,CAAC,SAAS,EAAE;SACvI,CAAC,CAAC;IACL,CAAC;IAED,2BAA2B;IAEjB,KAAK,CAAC,uBAAuB,CAAC,IAAqD;QAC3F,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EACL,oFAAoF;aACvF,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YACrC,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,aAAa;YACtC,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM;SACjC,CAAC,CAAC;IACL,CAAC;IAES,KAAK,CAAC,0BAA0B,CAAC,IAG1C;QACC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,CAAC;QACrE,MAAM,EACJ,IAAI,EACJ,MAAM,EAAE,EAAE,OAAO,EAAE,GACpB,GAAG,IAAI,CAAC;QAET,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QAE/C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU;gBAC5C,OAAO,EACL,sFAAsF;aACzF,CAAC,CAAC;QACL,CAAC;QAED,MAAM,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;QAE9C,6CAA6C;QAC7C,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YACrC,MAAM,IAAI,CAAC,wBAAwB,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,8CAA8C,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YACzE,OAAO;QACT,CAAC;QAED,gEAAgE;QAChE,MAAM,IAAI,CAAC,uBAAuB,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC9C,MAAM,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,CAAC,IAAI,CAAC,wDAAwD,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACrF,CAAC;IAES,KAAK,CAAC,kBAAkB;QAChC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,+EAA+E;aACzF,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QAC/C,MAAM,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,2BAAkB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAEpE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC;QACvD,MAAM,EAAE,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,2BAAkB,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAEpE,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;IACxB,CAAC;IAES,KAAK,CAAC,wBAAwB,CAAC,IAAyB;QAChE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,8EAA8E;aACxF,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QAE1C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvC,KAAK,CAAC,WAAW,EAAE,CAAC;QAEpB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACrC,CAAC;QAED,MAAM,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;IACvC,CAAC;CACF,CAAA;AAxUY,kEAA2B;sCAA3B,2BAA2B;IAenC,WAAA,IAAA,kBAAM,EAAC,EAAE,GAAG,EAAE,6BAAoB,CAAC,eAAe,CAAC,mCAA0B,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;;GAfhF,2BAA2B,CAwUvC"}
+{"version":3,"file":"casbin.enforcer.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/enforcers/casbin.enforcer.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AACA,yDAAmD;AACnD,0DAA+F;AAG/F,sCAkBmB;AAUnB,mEAAmE;AACnE,EAAE;AACF,sGAAsG;AACtG,wGAAwG;AACxG,uGAAuG;AACvG,0GAA0G;AAC1G,4FAA4F;AAE5F,IAAa,2BAA2B,mCAAxC,MAAa,2BAKX,SAAQ,0BAAU;IAiBlB,YAEE,OAA8D;QAE9D,KAAK,CAAC,EAAE,KAAK,EAAE,6BAA2B,CAAC,IAAI,EAAE,CAAC,CAAC;QAF3C,YAAO,GAAP,OAAO,CAA+C;QAhBhE,SAAI,GAAG,6BAA2B,CAAC,IAAI,CAAC;QACvB,mBAAc,GAAG,MAAM,CAAC;QAEjC,SAAI,GAAkD,IAAI,CAAC;QAC3D,WAAM,GAAuC,IAAI,CAAC;QAC1D,+FAA+F;QAC/F,qFAAqF;QACpE,uBAAkB,GAAG,IAAI,GAAG,EAA6B,CAAC;QAE3E,kGAAkG;QAClG,oGAAoG;QACpG,4GAA4G;QACpG,sBAAiB,GAA0D,IAAI,CAAC;IAOxF,CAAC;IAED,YAAY;IAEZ,KAAK,CAAC,SAAS;QACb,IAAI,MAA+B,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,yDAAyD;aACnE,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACxB,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,0DAA0D;aACpE,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAE5B,yGAAyG;QACzG,yFAAyF;QACzF,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,IAAI,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAE1F,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAChC,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;YACf,IAAI,CAAC,iBAAiB,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,CAAC,IAAI,GAAG,IAAI,8BAAc,CAAqB;YACjD,KAAK,EAAE,GAAG,6BAA2B,CAAC,IAAI,OAAO;YACjD,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE;YACjC,gBAAgB,EAAE,IAAI,CAAC,OAAO,CAAC,oBAAoB,IAAI,IAAI;YAC3D,MAAM,EAAE,KAAK,IAAI,EAAE;gBACjB,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;gBAEvE,oFAAoF;gBACpF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;gBACjD,MAAM,IAAI,CAAC,gBAAgB,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;gBAClD,IAAI,CAAC,yBAAyB,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAE7C,OAAO,QAAQ,CAAC;YAClB,CAAC;SACF,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QAEzB,IAAI,CAAC,MAAM;aACR,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;aACxB,IAAI,CACH,mDAAmD,EACnD,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,EAC3B,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CACpC,CAAC;IACN,CAAC;IAED,OAAO;QACL,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;YACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QAC5E,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;OAUG;IACO,yBAAyB,CAAC,IAAsC;QACxE,IAAI,CAAC;YACH,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;gBAC7D,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;gBAC1E,OAAO;YACT,CAAC;YAED,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAChE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,sMAAsM,MAAM,CAAC,KAAK,CAAC,EAAE;aAC/N,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,sCAAsC;IAEtC,KAAK,CAAC,UAAU,CAAC,IAGhB;QACC,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC;QACtB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;QAEnC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG;YACtB,CAAC,CAAC,MAAM,IAAI,CAAC,wBAAwB,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YACvD,CAAC,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QAE1C,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAId;QACC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,uEAAuE;aACjF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,CAAC;YACrD,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,iFAAiF;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;QACzC,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;QAE9B,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;YACnB,EAAE,EAAE,KAAK,EAAC,QAAQ,EAAC,EAAE;gBACnB,2FAA2F;gBAC3F,MAAM,IAAI,CAAC,wBAAwB,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;gBAEzD,MAAM,kBAAkB,GAAG,IAAI,CAAC,iBAAiB,CAAC;gBAElD,IAAI,CAAC,kBAAkB,EAAE,CAAC;oBACxB,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;oBACvD,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC;wBACxC,QAAQ;wBACR,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;qBAClE,CAAC,CAAC;oBACH,OAAO,SAAS,CAAC,CAAC,CAAC,+BAAsB,CAAC,KAAK,CAAC,CAAC,CAAC,+BAAsB,CAAC,IAAI,CAAC;gBAChF,CAAC;gBAED,MAAM,UAAU,GAAG,kBAAkB,CAAC;oBACpC,IAAI;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,OAAO;iBACR,CAAC,CAAC;gBAEH,6DAA6D;gBAC7D,6FAA6F;gBAC7F,8FAA8F;gBAC9F,sFAAsF;gBACtF,MAAM,MAAM,GACV,UAAU,CAAC,MAAM;oBACjB,OAAO,CAAC,MAAM;oBACd,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,kCAAyB,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;gBAE9E,MAAM,IAAI,GAAG,MAAM;oBACjB,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,MAAM,CAAC;oBACtE,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;gBACjE,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;gBAE9D,OAAO,SAAS,CAAC,CAAC,CAAC,+BAAsB,CAAC,KAAK,CAAC,CAAC,CAAC,+BAAsB,CAAC,IAAI,CAAC;YAChF,CAAC;SACF,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACO,kBAAkB,CAAC,IAAsD;QACjF,MAAM,CAAC,SAAS,EAAE,aAAa,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;QAE7E,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC,MAAM;iBACR,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;iBACvB,IAAI,CACH,0CAA0C,EAC1C,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EACpB,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAC1E,CAAC;QACN,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,yEAAyE;IACzE,KAAK,CAAC,mBAAmB,CAAC,IAEzB;QACC,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QACzE,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE7E,IAAI,CAAC,MAAM;aACR,GAAG,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC;aAClC,IAAI,CACH,4DAA4D,EAC5D,IAAI,CAAC,IAAI,CAAC,MAAM,EAChB,QAAQ,EACR,eAAe,CAChB,CAAC;QAEJ,OAAO,EAAE,eAAe,EAAE,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,IAEtB;QACC,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAExC,iGAAiG;QACjG,iGAAiG;QACjG,kCAAkC;QAClC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QACzE,MAAM,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAErD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/D,MAAM,IAAI,CAAC,sBAAsB,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;QAEhF,IAAI,CAAC,MAAM;aACR,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;aAC/B,IAAI,CACH,sDAAsD,EACtD,IAAI,CAAC,IAAI,CAAC,MAAM,EAChB,QAAQ,EACR,KAAK,CAAC,MAAM,CACb,CAAC;QAEJ,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;IAC/C,CAAC;IAED,+FAA+F;IACrF,KAAK,CAAC,eAAe,CAAC,IAG/B;QACC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACtE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU;gBAC5C,OAAO,EAAE,kEAAkE;aAC5E,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,oFAAoF;IAC1E,iBAAiB;QACzB,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEhC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAChB,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EACL,0GAA0G;aAC7G,CAAC,CAAC;QACL,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,6BAA6B;IAEnB,KAAK,CAAC,gBAAgB,CAAC,IAGhC;QACC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;QAClC,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAElD,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,cAAc,CAAC,cAAc,CAAC,EAAE,CAAC;gBACjE,MAAM,IAAA,wBAAQ,EAAC;oBACb,OAAO,EAAE,uCAAuC,cAAc,CAAC,cAAc,kIAAkI;iBAChN,CAAC,CAAC;YACL,CAAC;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,uBAAuB,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,EAAE,CAAC,CAAC;YAClF,MAAM,QAAQ,CAAC,0BAA0B,CAAC,cAAc,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QACpF,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,QAAQ,CAAC,0BAA0B,CAAC,2BAAkB,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC1F,MAAM,QAAQ,CAAC,WAAW,CAAC,aAAa,EAAE,oBAAW,CAAC,CAAC;YAEvD,qFAAqF;YACrF,qFAAqF;YACrF,MAAM,QAAQ,CAAC,oBAAoB,CACjC,oCAA2B,CAAC,iBAAiB,CAAC,IAAI,EAClD,oBAAW,CACZ,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC;IAClC,CAAC;IAED,gFAAgF;IACtE,uBAAuB,CAAC,IAGjC;QACC,0FAA0F;QAC1F,iFAAiF;QACjF,+FAA+F;QAC/F,+FAA+F;QAC/F,uFAAuF;QACvF,qFAAqF;QACrF,+DAA+D;QAC/D,mEAAmE;QACnE,2EAA2E;QAC3E,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QAC7B,QAAQ,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,KAAK,sCAA6B,CAAC,SAAS,CAAC,CAAC,CAAC;gBAC7C,OAAO,IAAI,CAAC,YAAY,CAAC;YAC3B,CAAC;YACD,KAAK,sCAA6B,CAAC,WAAW,CAAC,CAAC,CAAC;gBAC/C,OAAO,IAAI,CAAC,aAAa,CAAC;YAC5B,CAAC;YACD,KAAK,sCAA6B,CAAC,WAAW,CAAC,CAAC,CAAC;gBAC/C,OAAO,IAAI,CAAC,aAAa,CAAC;YAC5B,CAAC;YACD,KAAK,sCAA6B,CAAC,WAAW,CAAC,CAAC,CAAC;gBAC/C,OAAO,IAAI,CAAC,aAAa,CAAC;YAC5B,CAAC;YACD,KAAK,sCAA6B,CAAC,WAAW,CAAC,CAAC,CAAC;gBAC/C,OAAO,IAAI,CAAC,cAAc,CAAC;YAC7B,CAAC;YACD,OAAO,CAAC,CAAC,CAAC;gBACR,MAAM,IAAA,wBAAQ,EAAC;oBACb,OAAO,EAAE,+CAA+C,IAAI,CAAC,IAAI,eAAe,CAAC,GAAG,sCAA6B,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;iBAC5I,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,gGAAgG;IACtF,sBAAsB;QAC9B,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,CAAC,IAIP,EAA0E,EAAE;YAC3E,kFAAkF;YAClF,OAAO;gBACL,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;gBACzD,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAC/B,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;aAC5B,CAAC;QACJ,CAAC,CAAC;IACJ,CAAC;IAES,YAAY,CAAC,IAGtB;QACC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;QAE/B,QAAQ,KAAK,CAAC,MAAM,EAAE,CAAC;YACrB,KAAK,mCAA0B,CAAC,IAAI,CAAC,CAAC,CAAC;gBACrC,OAAO,MAAM,CAAC,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YACnD,CAAC;YACD,KAAK,mCAA0B,CAAC,IAAI,CAAC,CAAC,CAAC;gBACrC,OAAO,MAAM,CAAC,kBAAkB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YACrD,CAAC;YACD,OAAO,CAAC,CAAC,CAAC;gBACR,MAAM,IAAA,wBAAQ,EAAC;oBACb,OAAO,EAAE,kDAAkD,mCAA0B,CAAC,IAAI,KAAK,mCAA0B,CAAC,IAAI,GAAG;iBAClI,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAES,iBAAiB,CAAC,IAA2B;QACrD,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YAC1C,OAAO;QACT,CAAC;QAED,MAAM,IAAA,wBAAQ,EAAC;YACb,OAAO,EAAE,qEAAqE,IAAI,CAAC,cAAc,qBAAqB,IAAI,CAAC,SAAS,EAAE;SACvI,CAAC,CAAC;IACL,CAAC;IAED,2BAA2B;IAE3B;;;;;;OAMG;IACO,KAAK,CAAC,wBAAwB,CAAC,IAGxC;QACC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;QAC9B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC;QAErD,wFAAwF;QACxF,6FAA6F;QAC7F,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,KAAK,GAAG,IAAI,CAAC,sBAAsB,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;YAE7D,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACvD,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,8FAA8F;QAC9F,yFAAyF;QACzF,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;YACtB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YACpD,MAAM,IAAI,CAAC,sBAAsB,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;YAChF,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QAEF,MAAM,OAAO,GAAG,IAAI,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE;YAClC,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/C,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,0FAA0F;IAChF,KAAK,CAAC,sBAAsB,CAAC,IAItC;QACC,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CACtC,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,EAC1B,IAAI,EACJ,IAAI,CAAC,OAAO,CAAC,SAAS,CACvB,CAAC;IACJ,CAAC;IAED,kGAAkG;IACxF,sBAAsB,CAAC,IAAuC;QACtE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAEpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;gBAC5E,MAAM,IAAA,wBAAQ,EAAC;oBACb,OAAO,EAAE,+EAA+E;iBACzF,CAAC,CAAC;YACL,CAAC;YAED,OAAO,MAAkB,CAAC;QAC5B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM;iBACR,GAAG,CAAC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC;iBACrC,IAAI,CAAC,8DAA8D,EAAE,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;YAC9F,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;OAIG;IACO,KAAK,CAAC,gBAAgB,CAAC,IAAkC;QACjE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAErE,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YAC/B,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,iEAAiE;aAC3E,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,CAAC,kBAAkB,CAAC;YAC9B,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;SACnE,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,gBAAgB,CAAC,QAA4B;QAC3D,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAClC,MAAM,KAAK,GAAa,EAAE,CAAC;QAE3B,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2BAAkB,CAAC,CAAC,CAAC,CAAC;QAC1D,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;gBACvC,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;gBACnD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2BAAkB,CAAC,CAAC,CAAC,CAAC;QAC5D,IAAI,aAAa,EAAE,CAAC;YAClB,KAAK,MAAM,KAAK,IAAI,aAAa,CAAC,IAAI,EAAE,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;gBAC3D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;oBACzB,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4FAA4F;IAClF,KAAK,CAAC,wBAAwB,CAAC,IAGxC;QACC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,IAAA,wBAAQ,EAAC;gBACb,OAAO,EAAE,oEAAoE;aAC9E,CAAC,CAAC;QACL,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvC,KAAK,CAAC,WAAW,EAAE,CAAC;QAEpB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;IACvC,CAAC;CACF,CAAA;AAjkBY,kEAA2B;sCAA3B,2BAA2B;IAuBnC,WAAA,IAAA,kBAAM,EAAC,EAAE,GAAG,EAAE,6BAAoB,CAAC,eAAe,CAAC,mCAA0B,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;;GAvBhF,2BAA2B,CAikBvC"}

package/dist/components/auth/authorize/enforcers/enforcer-registry.d.ts

@@ -1,7 +1,8 @@
 import { Container } from '../../../../helpers/inversion/container';
 import { TClass } from '@venizia/ignis-helpers';
+import { IAuthUser } from '../../authenticate';
 import { AbstractAuthRegistry } from '../../base';
-import { AuthorizationEnforcerTypes, IAuthorizationEnforcer, IAuthorizeOptions, ICasbinEnforcerOptions } from '../common';
+import { AuthorizationEnforcerTypes, IAuthorizationEnforcer, IAuthorizationUser, IAuthorizeOptions, ICasbinEnforcerOptions } from '../common';
 export declare class AuthorizationEnforcerRegistry extends AbstractAuthRegistry<IAuthorizationEnforcer> {
     private static instance;
     private configuredEnforcers;
@@ -28,6 +29,23 @@ export declare class AuthorizationEnforcerRegistry extends AbstractAuthRegistry<
     resolveEnforcer(opts: {
         name: string;
     }): Promise<IAuthorizationEnforcer>;
+    /** Drop a user's cached policies on the resolved enforcer. Lazy — next request rebuilds. */
+    invalidateUserCache(opts: {
+        user: IAuthorizationUser;
+        enforcerName?: string;
+    }): Promise<{
+        invalidatedKeys: number;
+    }>;
+    /** Drop then immediately rebuild + re-cache a user's policies on the resolved enforcer. */
+    rebuildUserCache(opts: {
+        user: {
+            principalType: string;
+        } & IAuthUser;
+        enforcerName?: string;
+    }): Promise<{
+        cacheKey: string;
+        lineCount: number;
+    }>;
     resolveOptions(): IAuthorizeOptions | undefined;
 }
 //# sourceMappingURL=enforcer-registry.d.ts.map

package/dist/components/auth/authorize/enforcers/enforcer-registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"enforcer-registry.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/enforcers/enforcer-registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAC1D,OAAO,EAAY,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAEL,0BAA0B,EAE1B,sBAAsB,EACtB,iBAAiB,EACjB,sBAAsB,EACvB,MAAM,WAAW,CAAC;AAInB,qBAAa,6BAA8B,SAAQ,oBAAoB,CAAC,sBAAsB,CAAC;IAC7F,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAgC;IAEvD,OAAO,CAAC,mBAAmB,CAAc;;IAOzC,MAAM,CAAC,WAAW;IAQT,KAAK,IAAI,IAAI;IAKtB,SAAS,CAAC,gBAAgB,IAAI,MAAM;IAIpC,QAAQ,CAAC,IAAI,EAAE;QACb,SAAS,EAAE,SAAS,CAAC;QACrB,SAAS,EAAE,KAAK,CACZ;YACE,QAAQ,EAAE,MAAM,CAAC,sBAAsB,CAAC,CAAC;YACzC,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,EAAE,OAAO,0BAA0B,CAAC,MAAM,CAAC;YAC/C,OAAO,CAAC,EAAE,sBAAsB,CAAC;SAClC,GACD;YACE,QAAQ,EAAE,MAAM,CAAC,sBAAsB,CAAC,CAAC;YACzC,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,EAAE,OAAO,0BAA0B,CAAC,MAAM,CAAC;YAC/C,OAAO,CAAC,EAAE,OAAO,CAAC;SACnB,CACJ,CAAC;KACH;IA8BD,YAAY,IAAI,OAAO;IAIvB,sBAAsB,IAAI,MAAM;IAI1B,eAAe,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAW9E,cAAc,IAAI,iBAAiB,GAAG,SAAS;CAahD"}
+{"version":3,"file":"enforcer-registry.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/enforcers/enforcer-registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAC1D,OAAO,EAAY,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAEL,0BAA0B,EAE1B,sBAAsB,EACtB,kBAAkB,EAClB,iBAAiB,EACjB,sBAAsB,EACvB,MAAM,WAAW,CAAC;AAInB,qBAAa,6BAA8B,SAAQ,oBAAoB,CAAC,sBAAsB,CAAC;IAC7F,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAgC;IAEvD,OAAO,CAAC,mBAAmB,CAAc;;IAOzC,MAAM,CAAC,WAAW;IAQT,KAAK,IAAI,IAAI;IAKtB,SAAS,CAAC,gBAAgB,IAAI,MAAM;IAIpC,QAAQ,CAAC,IAAI,EAAE;QACb,SAAS,EAAE,SAAS,CAAC;QACrB,SAAS,EAAE,KAAK,CACZ;YACE,QAAQ,EAAE,MAAM,CAAC,sBAAsB,CAAC,CAAC;YACzC,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,EAAE,OAAO,0BAA0B,CAAC,MAAM,CAAC;YAC/C,OAAO,CAAC,EAAE,sBAAsB,CAAC;SAClC,GACD;YACE,QAAQ,EAAE,MAAM,CAAC,sBAAsB,CAAC,CAAC;YACzC,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,EAAE,OAAO,0BAA0B,CAAC,MAAM,CAAC;YAC/C,OAAO,CAAC,EAAE,OAAO,CAAC;SACnB,CACJ,CAAC;KACH;IA8BD,YAAY,IAAI,OAAO;IAIvB,sBAAsB,IAAI,MAAM;IAI1B,eAAe,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAW9E,4FAA4F;IACtF,mBAAmB,CAAC,IAAI,EAAE;QAC9B,IAAI,EAAE,kBAAkB,CAAC;QACzB,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,GAAG,OAAO,CAAC;QAAE,eAAe,EAAE,MAAM,CAAA;KAAE,CAAC;IAcxC,2FAA2F;IACrF,gBAAgB,CAAC,IAAI,EAAE;QAC3B,IAAI,EAAE;YAAE,aAAa,EAAE,MAAM,CAAA;SAAE,GAAG,SAAS,CAAC;QAC5C,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,GAAG,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAapD,cAAc,IAAI,iBAAiB,GAAG,SAAS;CAahD"}