@venizia/ignis 0.0.9-8 → 0.0.9

package/dist/components/auth/authorize/adapters/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC;AAChC,cAAc,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC;AACxC,cAAc,SAAS,CAAC"}

package/dist/components/auth/authorize/adapters/index.js

@@ -15,5 +15,6 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./base-filtered"), exports);
-__exportStar(require("./drizzle-casbin"), exports);
+__exportStar(require("./scoped-casbin.adapter"), exports);
+__exportStar(require("./types"), exports);
 //# sourceMappingURL=index.js.map

package/dist/components/auth/authorize/adapters/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,kDAAgC;AAChC,mDAAiC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,kDAAgC;AAChC,0DAAwC;AACxC,0CAAwB"}

package/dist/components/auth/authorize/adapters/scoped-casbin.adapter.d.ts

@@ -0,0 +1,138 @@
+import { IdType } from '../../../../base';
+import { IDataSource } from '../../../../base/datasources';
+import { type Model } from 'casbin';
+import { type SQL } from 'drizzle-orm';
+import { BaseFilteredAdapter } from './base-filtered';
+import { type IScopedCasbinEntities } from './types';
+export type { IScopedCasbinEntities };
+export interface IScopedCasbinPolicyFilter {
+    principal: {
+        type: string;
+        id: IdType;
+    };
+}
+/**
+ * Filtered casbin adapter for the scoped RBAC model: loads ONE principal's edges (role assignments,
+ * memberships, grants) plus the shared structural hierarchy trees as casbin lines. Read-only.
+ */
+export declare class ScopedCasbinAdapter extends BaseFilteredAdapter<IScopedCasbinPolicyFilter> {
+    protected readonly entities: IScopedCasbinEntities;
+    constructor(opts: {
+        dataSource: IDataSource;
+        entities: IScopedCasbinEntities;
+    });
+    /**
+     * Casbin's filtered-load entry point: build the full line set for ONE principal and load it into
+     * the model. Runs in two waves —
+     *   Wave 1 (parallel): the principal's own edges (role assignments → g, memberships → g2, direct
+     *     grants → p) plus the shared structural trees (role/resource/action/domain inherits).
+     *   Wave 2: expand the assigned roles to their transitive parents (role closure over role_inherits),
+     *     then fetch the grants those roles carry — so a user inherits permissions from parent roles.
+     * The concatenated lines are handed to {@link loadLines}; the enforcer caches the result per user
+     * in Redis, so this only runs on a cache MISS.
+     */
+    loadFilteredPolicy(model: Model, filter: IScopedCasbinPolicyFilter): Promise<void>;
+    /** Schema for a table, defaulting to `public`. */
+    protected schemaOf(table: {
+        schemaName?: string;
+    }): string;
+    /** Schema-qualified table reference (`"<schema>"."<table>"`) for use after FROM/JOIN with an alias. */
+    protected qualifiedTable(opts: {
+        table: {
+            schemaName?: string;
+            tableName: string;
+        };
+    }): SQL;
+    /**
+     * `AND <alias>.<col> IS NULL` when soft-delete on; empty otherwise. The alias is emitted RAW (not
+     * quoted) so it matches the unquoted alias declared in the FROM clause (`FROM ... policyDefinition`):
+     * Postgres folds unquoted identifiers to lower-case, so a quoted `"policyDefinition"` would resolve
+     * to a DIFFERENT relation than the unquoted FROM alias → 42P01 "missing FROM-clause entry". The alias
+     * is always a hard-coded literal supplied by this adapter, never user input, so emitting it raw is
+     * safe; the (config-supplied) column name stays quoted via `sql.identifier`.
+     */
+    protected softDeleteClause(opts: {
+        alias: string;
+    }): SQL;
+    /**
+     * Fetch the principal's `assign_role` edges and emit them as casbin `g` lines (role membership).
+     * Returns both the lines AND the raw `roleIds`, which Wave 2 feeds into {@link expandRoleClosure}.
+     * A null domain widens the assignment to every domain (`*`).
+     * e.g. `g, User_u1, Role_r1, *` — "u1 holds Role r1 in any domain".
+     */
+    protected queryRoleAssignments(opts: {
+        principal: {
+            type: string;
+            id: IdType;
+        };
+    }): Promise<{
+        lines: string[];
+        roleIds: IdType[];
+    }>;
+    /**
+     * Fetch the principal's `join_domain` edges (restricted to the configured `domainTypes`) and emit
+     * them as casbin `g2` lines — the membership relation the matcher uses to scope `ANY_MEMBER` grants.
+     * e.g. `g2, User_u1, Merchant_7` — "u1 is a member of Merchant 7".
+     */
+    protected queryMemberships(opts: {
+        principal: {
+            type: string;
+            id: IdType;
+        };
+    }): Promise<string[]>;
+    /**
+     * Fetch `grant` edges for the given subjects (a User or a set of Roles) joined to `Permission` for
+     * the object code, and emit them as casbin `p` policy lines. Used twice per load: once for the
+     * user's direct grants, once for the grants of every role in the closure. Rows with no `action` are
+     * skipped; a null effect defaults to allow, a null domain to `ANY_MEMBER`. Empty `ids` short-circuits
+     * without touching the DB.
+     * e.g. `p, Role_5, ANY_MEMBER, Order, read, allow` — "Role 5 may read Order in any joined domain".
+     */
+    protected queryGrants(opts: {
+        subject: {
+            type: string;
+            ids: IdType[];
+        };
+    }): Promise<string[]>;
+    /**
+     * Load the system-wide hierarchy edges (role/resource/action/domain inherits) — read fresh on each
+     * call. These are the same for every user, but at this scale the four queries are cheap and run in
+     * the same parallel wave as the per-user queries; the per-user `lines` are themselves cached in Redis
+     * by the enforcer, so this only runs on a cache MISS. (No in-process cache → never goes stale.)
+     */
+    protected loadStructuralTrees(): Promise<string[]>;
+    /**
+     * Shared role hierarchy: every `role_inherits` edge as a casbin `g` line with a wildcard domain.
+     * These are the SAME for all users (org structure, not a user) and also seed {@link expandRoleClosure}.
+     * e.g. `g, Role_r2, Role_r1, *` — "Role r2 inherits Role r1 in any domain".
+     */
+    protected queryRoleInherits(): Promise<string[]>;
+    /**
+     * Shared resource hierarchy: every `resource_inherits` edge as a casbin `g4` line, joining
+     * `Permission` twice (child + parent) to emit the resource CODES the `objectMatch` g4-func traverses.
+     * The `obj` axis — a permission on a parent resource also covers its children.
+     * e.g. `g4, OrderItem, Order` — "OrderItem is a child resource of Order".
+     */
+    protected queryResourceInherits(): Promise<string[]>;
+    /**
+     * Shared action hierarchy: every `action_inherits` edge as a casbin `g5` line. Same shape as
+     * resource_inherits but a DIFFERENT axis — the `act` axis (e.g. `manage` covers `read`/`update`).
+     * Kept separate so resource × action stays factored instead of exploding to R×A combined edges.
+     * e.g. `g5, read, manage` — "the read action is implied by manage".
+     */
+    protected queryActionInherits(): Promise<string[]>;
+    /**
+     * Shared domain hierarchy: every `domain_inherits` edge as a casbin `g3` line, with typed
+     * `<type>_<id>` endpoints — lets a grant in a parent domain cascade to child domains.
+     * e.g. `g3, Branch_1, Company_2` — "Branch 1 sits under Company 2".
+     */
+    protected queryDomainInherits(): Promise<string[]>;
+    /** BFS over role_inherits edges to collect a role set + all transitive parents. Cycle-safe. */
+    protected expandRoleClosure(opts: {
+        role: {
+            ids: IdType[];
+            edges: string[];
+        };
+    }): IdType[];
+}
+//# sourceMappingURL=scoped-casbin.adapter.d.ts.map

package/dist/components/auth/authorize/adapters/scoped-casbin.adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoped-casbin.adapter.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/scoped-casbin.adapter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,KAAK,KAAK,EAAE,MAAM,QAAQ,CAAC;AACpC,OAAO,EAAO,KAAK,GAAG,EAAE,MAAM,aAAa,CAAC;AAM5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EAAE,KAAK,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAGrD,YAAY,EAAE,qBAAqB,EAAE,CAAC;AAEtC,MAAM,WAAW,yBAAyB;IACxC,SAAS,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;CACzC;AAID;;;GAGG;AACH,qBAAa,mBAAoB,SAAQ,mBAAmB,CAAC,yBAAyB,CAAC;IACrF,SAAS,CAAC,QAAQ,CAAC,QAAQ,EAAE,qBAAqB,CAAC;gBAEvC,IAAI,EAAE;QAAE,UAAU,EAAE,WAAW,CAAC;QAAC,QAAQ,EAAE,qBAAqB,CAAA;KAAE;IAK9E;;;;;;;;;OASG;IACG,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,GAAG,OAAO,CAAC,IAAI,CAAC;IAoCxF,kDAAkD;IAClD,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,MAAM;IAI1D,uGAAuG;IACvG,SAAS,CAAC,cAAc,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE;YAAE,UAAU,CAAC,EAAE,MAAM,CAAC;YAAC,SAAS,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,GAAG,GAAG;IAK1F;;;;;;;OAOG;IACH,SAAS,CAAC,gBAAgB,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,GAAG;IASxD;;;;;OAKG;cACa,oBAAoB,CAAC,IAAI,EAAE;QACzC,SAAS,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;KACzC,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAiCnD;;;;OAIG;cACa,gBAAgB,CAAC,IAAI,EAAE;QACrC,SAAS,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;KACzC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IA4BrB;;;;;;;OAOG;cACa,WAAW,CAAC,IAAI,EAAE;QAChC,OAAO,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,GAAG,EAAE,MAAM,EAAE,CAAA;SAAE,CAAC;KAC1C,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAmDrB;;;;;OAKG;cACa,mBAAmB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAWxD;;;;OAIG;cACa,iBAAiB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAoBtD;;;;;OAKG;cACa,qBAAqB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAoB1D;;;;;OAKG;cACa,mBAAmB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAiBxD;;;;OAIG;cACa,mBAAmB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAyBxD,+FAA+F;IAC/F,SAAS,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE;YAAE,GAAG,EAAE,MAAM,EAAE,CAAC;YAAC,KAAK,EAAE,MAAM,EAAE,CAAA;SAAE,CAAA;KAAE,GAAG,MAAM,EAAE;CA2C1F"}

package/dist/components/auth/authorize/adapters/scoped-casbin.adapter.js

@@ -0,0 +1,300 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScopedCasbinAdapter = void 0;
+const drizzle_orm_1 = require("drizzle-orm");
+const common_1 = require("../common");
+const base_filtered_1 = require("./base-filtered");
+const DEFAULT_SCHEMA = 'public';
+/**
+ * Filtered casbin adapter for the scoped RBAC model: loads ONE principal's edges (role assignments,
+ * memberships, grants) plus the shared structural hierarchy trees as casbin lines. Read-only.
+ */
+class ScopedCasbinAdapter extends base_filtered_1.BaseFilteredAdapter {
+    constructor(opts) {
+        super({ scope: ScopedCasbinAdapter.name, dataSource: opts.dataSource });
+        this.entities = opts.entities;
+    }
+    /**
+     * Casbin's filtered-load entry point: build the full line set for ONE principal and load it into
+     * the model. Runs in two waves —
+     *   Wave 1 (parallel): the principal's own edges (role assignments → g, memberships → g2, direct
+     *     grants → p) plus the shared structural trees (role/resource/action/domain inherits).
+     *   Wave 2: expand the assigned roles to their transitive parents (role closure over role_inherits),
+     *     then fetch the grants those roles carry — so a user inherits permissions from parent roles.
+     * The concatenated lines are handed to {@link loadLines}; the enforcer caches the result per user
+     * in Redis, so this only runs on a cache MISS.
+     */
+    async loadFilteredPolicy(model, filter) {
+        const { principal } = filter;
+        // Wave 1 — independent per-user queries + structural trees, in parallel.
+        const [assignments, memberships, userGrants, structural] = await Promise.all([
+            this.queryRoleAssignments({ principal }),
+            this.queryMemberships({ principal }),
+            this.queryGrants({ subject: { type: principal.type, ids: [principal.id] } }),
+            this.loadStructuralTrees(),
+        ]);
+        // Wave 2 — role grants need the role closure (built from the role_inherits edges loaded above).
+        const roleClosure = this.expandRoleClosure({
+            role: {
+                ids: assignments.roleIds,
+                edges: structural.filter(line => {
+                    return line.startsWith(`${common_1.AuthorizationPolicyVariants.ROLE_INHERITS.rule}, `);
+                }),
+            },
+        });
+        const roleGrants = await this.queryGrants({
+            subject: { type: this.entities.principals.role, ids: roleClosure },
+        });
+        const lines = [
+            ...assignments.lines,
+            ...memberships,
+            ...userGrants,
+            ...roleGrants,
+            ...structural,
+        ];
+        await this.loadLines({ model, lines });
+    }
+    /** Schema for a table, defaulting to `public`. */
+    schemaOf(table) {
+        return table.schemaName ?? DEFAULT_SCHEMA;
+    }
+    /** Schema-qualified table reference (`"<schema>"."<table>"`) for use after FROM/JOIN with an alias. */
+    qualifiedTable(opts) {
+        const { table } = opts;
+        return (0, drizzle_orm_1.sql) `${drizzle_orm_1.sql.identifier(this.schemaOf(table))}.${drizzle_orm_1.sql.identifier(table.tableName)}`;
+    }
+    /**
+     * `AND <alias>.<col> IS NULL` when soft-delete on; empty otherwise. The alias is emitted RAW (not
+     * quoted) so it matches the unquoted alias declared in the FROM clause (`FROM ... policyDefinition`):
+     * Postgres folds unquoted identifiers to lower-case, so a quoted `"policyDefinition"` would resolve
+     * to a DIFFERENT relation than the unquoted FROM alias → 42P01 "missing FROM-clause entry". The alias
+     * is always a hard-coded literal supplied by this adapter, never user input, so emitting it raw is
+     * safe; the (config-supplied) column name stays quoted via `sql.identifier`.
+     */
+    softDeleteClause(opts) {
+        const sd = this.entities.softDelete;
+        if (!sd?.use) {
+            return drizzle_orm_1.sql.empty();
+        }
+        return (0, drizzle_orm_1.sql) ` AND ${drizzle_orm_1.sql.raw(opts.alias)}.${drizzle_orm_1.sql.identifier(sd.columnName)} IS NULL`;
+    }
+    /**
+     * Fetch the principal's `assign_role` edges and emit them as casbin `g` lines (role membership).
+     * Returns both the lines AND the raw `roleIds`, which Wave 2 feeds into {@link expandRoleClosure}.
+     * A null domain widens the assignment to every domain (`*`).
+     * e.g. `g, User_u1, Role_r1, *` — "u1 holds Role r1 in any domain".
+     */
+    async queryRoleAssignments(opts) {
+        const { policyDefinition, principals } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const { principal } = opts;
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT 
+        policyDefinition.target_id AS "roleId", 
+        policyDefinition.domain
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.ASSIGN_ROLE.action}
+        AND policyDefinition.subject_type = ${principal.type}
+        AND policyDefinition.subject_id = ${principal.id}
+        AND policyDefinition.target_type = ${principals.role}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        const lines = [];
+        const roleIds = [];
+        for (const row of result.rows) {
+            roleIds.push(row.roleId);
+            const domain = row.domain ?? '*';
+            lines.push(`${common_1.AuthorizationPolicyVariants.ASSIGN_ROLE.rule}, ${principal.type}_${principal.id}, ${principals.role}_${row.roleId}, ${domain}`);
+        }
+        return { lines, roleIds };
+    }
+    /**
+     * Fetch the principal's `join_domain` edges (restricted to the configured `domainTypes`) and emit
+     * them as casbin `g2` lines — the membership relation the matcher uses to scope `ANY_MEMBER` grants.
+     * e.g. `g2, User_u1, Merchant_7` — "u1 is a member of Merchant 7".
+     */
+    async queryMemberships(opts) {
+        const { policyDefinition, domainTypes } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const { principal } = opts;
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT 
+        policyDefinition.target_type AS "domainType", 
+        policyDefinition.target_id AS "domainId"
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.JOIN_DOMAIN.action}
+        AND policyDefinition.subject_type = ${principal.type}
+        AND policyDefinition.subject_id = ${principal.id}
+        AND policyDefinition.target_type IN (${drizzle_orm_1.sql.join(domainTypes.map(t => (0, drizzle_orm_1.sql) `${t}`), (0, drizzle_orm_1.sql) `, `)})${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(row => `${common_1.AuthorizationPolicyVariants.JOIN_DOMAIN.rule}, ${principal.type}_${principal.id}, ${row.domainType}_${row.domainId}`);
+    }
+    /**
+     * Fetch `grant` edges for the given subjects (a User or a set of Roles) joined to `Permission` for
+     * the object code, and emit them as casbin `p` policy lines. Used twice per load: once for the
+     * user's direct grants, once for the grants of every role in the closure. Rows with no `action` are
+     * skipped; a null effect defaults to allow, a null domain to `ANY_MEMBER`. Empty `ids` short-circuits
+     * without touching the DB.
+     * e.g. `p, Role_5, ANY_MEMBER, Order, read, allow` — "Role 5 may read Order in any joined domain".
+     */
+    async queryGrants(opts) {
+        if (!opts.subject.ids.length) {
+            return [];
+        }
+        const { policyDefinition, permission } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const permissionTable = this.qualifiedTable({ table: permission });
+        const { subject } = opts;
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        policyDefinition.subject_id AS "subjectId",
+        permission.code AS "objectCode",
+        policyDefinition.action,
+        policyDefinition.effect,
+        policyDefinition.domain
+      FROM ${policyDefinitionTable} policyDefinition
+        INNER JOIN ${permissionTable} permission
+          ON policyDefinition.target_id = permission.id${this.softDeleteClause({ alias: 'permission' })}
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.GRANT.action}
+        AND policyDefinition.subject_type = ${subject.type}
+        AND policyDefinition.subject_id IN (${drizzle_orm_1.sql.join(subject.ids.map(id => (0, drizzle_orm_1.sql) `${id}`), (0, drizzle_orm_1.sql) `, `)})${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        const lines = [];
+        for (const row of result.rows) {
+            if (!row.action) {
+                continue;
+            }
+            const domain = row.domain ?? common_1.AuthorizationDomainScopes.ANY_MEMBER;
+            const effect = row.effect ?? common_1.AuthorizationDecisions.ALLOW;
+            lines.push(`${common_1.AuthorizationPolicyVariants.GRANT.rule}, ${subject.type}_${row.subjectId}, ${domain}, ${row.objectCode}, ${row.action}, ${effect}`);
+        }
+        return lines;
+    }
+    /**
+     * Load the system-wide hierarchy edges (role/resource/action/domain inherits) — read fresh on each
+     * call. These are the same for every user, but at this scale the four queries are cheap and run in
+     * the same parallel wave as the per-user queries; the per-user `lines` are themselves cached in Redis
+     * by the enforcer, so this only runs on a cache MISS. (No in-process cache → never goes stale.)
+     */
+    async loadStructuralTrees() {
+        const [roleEdges, resourceEdges, actionEdges, domainEdges] = await Promise.all([
+            this.queryRoleInherits(),
+            this.queryResourceInherits(),
+            this.queryActionInherits(),
+            this.queryDomainInherits(),
+        ]);
+        return [...roleEdges, ...resourceEdges, ...actionEdges, ...domainEdges];
+    }
+    /**
+     * Shared role hierarchy: every `role_inherits` edge as a casbin `g` line with a wildcard domain.
+     * These are the SAME for all users (org structure, not a user) and also seed {@link expandRoleClosure}.
+     * e.g. `g, Role_r2, Role_r1, *` — "Role r2 inherits Role r1 in any domain".
+     */
+    async queryRoleInherits() {
+        const { policyDefinition, principals } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        policyDefinition.subject_id AS "childId",
+        policyDefinition.target_id AS "parentId"
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.ROLE_INHERITS.action}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(r => {
+            return `${common_1.AuthorizationPolicyVariants.ROLE_INHERITS.rule}, ${principals.role}_${r.childId}, ${principals.role}_${r.parentId}, *`;
+        });
+    }
+    /**
+     * Shared resource hierarchy: every `resource_inherits` edge as a casbin `g4` line, joining
+     * `Permission` twice (child + parent) to emit the resource CODES the `objectMatch` g4-func traverses.
+     * The `obj` axis — a permission on a parent resource also covers its children.
+     * e.g. `g4, OrderItem, Order` — "OrderItem is a child resource of Order".
+     */
+    async queryResourceInherits() {
+        const { policyDefinition, permission } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const permissionTable = this.qualifiedTable({ table: permission });
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        child_permission.code AS "childCode",
+        parent_permission.code AS "parentCode"
+      FROM ${policyDefinitionTable} policyDefinition
+        INNER JOIN ${permissionTable} child_permission ON policyDefinition.subject_id = child_permission.id
+        INNER JOIN ${permissionTable} parent_permission ON policyDefinition.target_id = parent_permission.id
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.RESOURCE_INHERITS.action}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(r => `${common_1.AuthorizationPolicyVariants.RESOURCE_INHERITS.rule}, ${r.childCode}, ${r.parentCode}`);
+    }
+    /**
+     * Shared action hierarchy: every `action_inherits` edge as a casbin `g5` line. Same shape as
+     * resource_inherits but a DIFFERENT axis — the `act` axis (e.g. `manage` covers `read`/`update`).
+     * Kept separate so resource × action stays factored instead of exploding to R×A combined edges.
+     * e.g. `g5, read, manage` — "the read action is implied by manage".
+     */
+    async queryActionInherits() {
+        const { policyDefinition } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        policyDefinition.subject_id AS "childCode",
+        policyDefinition.target_id AS "parentCode"
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.ACTION_INHERITS.action}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(r => `${common_1.AuthorizationPolicyVariants.ACTION_INHERITS.rule}, ${r.childCode}, ${r.parentCode}`);
+    }
+    /**
+     * Shared domain hierarchy: every `domain_inherits` edge as a casbin `g3` line, with typed
+     * `<type>_<id>` endpoints — lets a grant in a parent domain cascade to child domains.
+     * e.g. `g3, Branch_1, Company_2` — "Branch 1 sits under Company 2".
+     */
+    async queryDomainInherits() {
+        const { policyDefinition } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        policyDefinition.subject_type AS "childType",
+        policyDefinition.subject_id AS "childId",
+        policyDefinition.target_type AS "parentType",
+        policyDefinition.target_id AS "parentId"
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.DOMAIN_INHERITS.action}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(r => `${common_1.AuthorizationPolicyVariants.DOMAIN_INHERITS.rule}, ${r.childType}_${r.childId}, ${r.parentType}_${r.parentId}`);
+    }
+    /** BFS over role_inherits edges to collect a role set + all transitive parents. Cycle-safe. */
+    expandRoleClosure(opts) {
+        const { role } = this.entities.principals;
+        const prefix = `${role}_`;
+        // Build child → parents map from "g, Role_<child>, Role_<parent>, *" lines.
+        const parentsOf = new Map();
+        for (const line of opts.role.edges) {
+            const parts = line.split(',').map(s => s.trim()); // ['g','Role_child','Role_parent','*']
+            if (parts[0] !== common_1.AuthorizationPolicyVariants.ROLE_INHERITS.rule || parts.length < 3) {
+                continue;
+            }
+            const child = parts[1].startsWith(prefix) ? parts[1].slice(prefix.length) : parts[1];
+            const parent = parts[2].startsWith(prefix) ? parts[2].slice(prefix.length) : parts[2];
+            const list = parentsOf.get(child) ?? [];
+            list.push(parent);
+            parentsOf.set(child, list);
+        }
+        const rs = new Set();
+        const queue = opts.role.ids.map(String);
+        while (queue.length) {
+            const current = queue.shift();
+            if (rs.has(current)) {
+                continue;
+            }
+            rs.add(current);
+            const parents = parentsOf.get(current) ?? [];
+            for (const parent of parents) {
+                if (!rs.has(parent)) {
+                    queue.push(parent);
+                }
+            }
+        }
+        return [...rs];
+    }
+}
+exports.ScopedCasbinAdapter = ScopedCasbinAdapter;
+//# sourceMappingURL=scoped-casbin.adapter.js.map

package/dist/components/auth/authorize/adapters/scoped-casbin.adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoped-casbin.adapter.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/scoped-casbin.adapter.ts"],"names":[],"mappings":";;;AAGA,6CAA4C;AAC5C,sCAImB;AACnB,mDAAsD;AAUtD,MAAM,cAAc,GAAG,QAAQ,CAAC;AAEhC;;;GAGG;AACH,MAAa,mBAAoB,SAAQ,mCAA8C;IAGrF,YAAY,IAAkE;QAC5E,KAAK,CAAC,EAAE,KAAK,EAAE,mBAAmB,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QACxE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,kBAAkB,CAAC,KAAY,EAAE,MAAiC;QACtE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;QAE7B,yEAAyE;QACzE,MAAM,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC3E,IAAI,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC;YACxC,IAAI,CAAC,gBAAgB,CAAC,EAAE,SAAS,EAAE,CAAC;YACpC,IAAI,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5E,IAAI,CAAC,mBAAmB,EAAE;SAC3B,CAAC,CAAC;QAEH,gGAAgG;QAChG,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,CAAC;YACzC,IAAI,EAAE;gBACJ,GAAG,EAAE,WAAW,CAAC,OAAO;gBACxB,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;oBAC9B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,oCAA2B,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,CAAC;gBAChF,CAAC,CAAC;aACH;SACF,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC;YACxC,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE,WAAW,EAAE;SACnE,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG;YACZ,GAAG,WAAW,CAAC,KAAK;YACpB,GAAG,WAAW;YACd,GAAG,UAAU;YACb,GAAG,UAAU;YACb,GAAG,UAAU;SACd,CAAC;QAEF,MAAM,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,kDAAkD;IACxC,QAAQ,CAAC,KAA8B;QAC/C,OAAO,KAAK,CAAC,UAAU,IAAI,cAAc,CAAC;IAC5C,CAAC;IAED,uGAAuG;IAC7F,cAAc,CAAC,IAA2D;QAClF,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;QACvB,OAAO,IAAA,iBAAG,EAAA,GAAG,iBAAG,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,IAAI,iBAAG,CAAC,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;IACzF,CAAC;IAED;;;;;;;OAOG;IACO,gBAAgB,CAAC,IAAuB;QAChD,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACpC,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC;YACb,OAAO,iBAAG,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;QAED,OAAO,IAAA,iBAAG,EAAA,QAAQ,iBAAG,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,iBAAG,CAAC,UAAU,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;IACnF,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,oBAAoB,CAAC,IAEpC;QACC,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC/E,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;QAE3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAGxC,IAAA,iBAAG,EAAA;;;;aAIG,qBAAqB;yCACO,oCAA2B,CAAC,WAAW,CAAC,MAAM;8CACzC,SAAS,CAAC,IAAI;4CAChB,SAAS,CAAC,EAAE;6CACX,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC9G,CAAC,CAAC;QAEH,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC;YAEjC,KAAK,CAAC,IAAI,CACR,GAAG,oCAA2B,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,EAAE,KAAK,UAAU,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAClI,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC5B,CAAC;IAED;;;;OAIG;IACO,KAAK,CAAC,gBAAgB,CAAC,IAEhC;QACC,MAAM,EAAE,gBAAgB,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACxD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC/E,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;QAE3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAGxC,IAAA,iBAAG,EAAA;;;;aAIG,qBAAqB;yCACO,oCAA2B,CAAC,WAAW,CAAC,MAAM;8CACzC,SAAS,CAAC,IAAI;4CAChB,SAAS,CAAC,EAAE;+CACT,iBAAG,CAAC,IAAI,CAC7C,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,iBAAG,EAAA,GAAG,CAAC,EAAE,CAAC,EAC/B,IAAA,iBAAG,EAAA,IAAI,CACR,IAAI,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC5D,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CACpB,GAAG,CAAC,EAAE,CACJ,GAAG,oCAA2B,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,EAAE,KAAK,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,QAAQ,EAAE,CAC1H,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACO,KAAK,CAAC,WAAW,CAAC,IAE3B;QACC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;YAC7B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC/E,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;QACnE,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;QAEzB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAMxC,IAAA,iBAAG,EAAA;;;;;;;aAOG,qBAAqB;qBACb,eAAe;yDACqB,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;yCAC9D,oCAA2B,CAAC,KAAK,CAAC,MAAM;8CACnC,OAAO,CAAC,IAAI;8CACZ,iBAAG,CAAC,IAAI,CAC5C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,IAAA,iBAAG,EAAA,GAAG,EAAE,EAAE,CAAC,EACjC,IAAA,iBAAG,EAAA,IAAI,CACR,IAAI,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC5D,CAAC,CAAC;QAEH,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAC9B,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,kCAAyB,CAAC,UAAU,CAAC;YAClE,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,+BAAsB,CAAC,KAAK,CAAC;YAE1D,KAAK,CAAC,IAAI,CACR,GAAG,oCAA2B,CAAC,KAAK,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,IAAI,GAAG,CAAC,SAAS,KAAK,MAAM,KAAK,GAAG,CAAC,UAAU,KAAK,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CACtI,CAAC;QACJ,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,mBAAmB;QACjC,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC7E,IAAI,CAAC,iBAAiB,EAAE;YACxB,IAAI,CAAC,qBAAqB,EAAE;YAC5B,IAAI,CAAC,mBAAmB,EAAE;YAC1B,IAAI,CAAC,mBAAmB,EAAE;SAC3B,CAAC,CAAC;QAEH,OAAO,CAAC,GAAG,SAAS,EAAE,GAAG,aAAa,EAAE,GAAG,WAAW,EAAE,GAAG,WAAW,CAAC,CAAC;IAC1E,CAAC;IAED;;;;OAIG;IACO,KAAK,CAAC,iBAAiB;QAC/B,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAE/E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAGxC,IAAA,iBAAG,EAAA;;;;aAIG,qBAAqB;yCACO,oCAA2B,CAAC,aAAa,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC3I,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YACzB,OAAO,GAAG,oCAA2B,CAAC,aAAa,CAAC,IAAI,KAAK,UAAU,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,UAAU,CAAC,IAAI,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC;QACnI,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,qBAAqB;QACnC,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC/E,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;QAEnE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAA4C,IAAA,iBAAG,EAAA;;;;aAIjF,qBAAqB;qBACb,eAAe;qBACf,eAAe;yCACK,oCAA2B,CAAC,iBAAiB,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC/I,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CACpB,CAAC,CAAC,EAAE,CAAC,GAAG,oCAA2B,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,UAAU,EAAE,CAC9F,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,mBAAmB;QACjC,MAAM,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC3C,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAE/E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAA4C,IAAA,iBAAG,EAAA;;;;aAIjF,qBAAqB;yCACO,oCAA2B,CAAC,eAAe,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC7I,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CACpB,CAAC,CAAC,EAAE,CAAC,GAAG,oCAA2B,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,UAAU,EAAE,CAC5F,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACO,KAAK,CAAC,mBAAmB;QACjC,MAAM,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC3C,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAE/E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAKxC,IAAA,iBAAG,EAAA;;;;;;aAMG,qBAAqB;yCACO,oCAA2B,CAAC,eAAe,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC7I,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CACpB,CAAC,CAAC,EAAE,CACF,GAAG,oCAA2B,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,EAAE,CACpH,CAAC;IACJ,CAAC;IAED,+FAA+F;IACrF,iBAAiB,CAAC,IAAkD;QAC5E,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC1C,MAAM,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC;QAE1B,4EAA4E;QAC5E,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAC;QAE9C,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,uCAAuC;YACzF,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,oCAA2B,CAAC,aAAa,CAAC,IAAI,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpF,SAAS;YACX,CAAC;YAED,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACrF,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACtF,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAExC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAClB,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC7B,CAAC;QAED,MAAM,EAAE,GAAG,IAAI,GAAG,EAAU,CAAC;QAE7B,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACxC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;YAE/B,IAAI,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACpB,SAAS;YACX,CAAC;YAED,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAEhB,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAC7C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBACpB,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACrB,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACjB,CAAC;CACF;AAhYD,kDAgYC"}

package/dist/components/auth/authorize/adapters/types.d.ts

@@ -0,0 +1,31 @@
+/** Maps a logical table onto its physical name + schema. */
+export interface IScopedCasbinTable {
+    tableName: string;
+    schemaName?: string;
+}
+/** All physical mapping the ScopedCasbinAdapter needs. App provides this; framework stays decoupled. */
+export interface IScopedCasbinEntities {
+    /**
+     * The single edge table: each row links a subject (type+id) to a target (type+id), with a `variant`
+     * column saying what kind of edge it is (grant / assign_role / *_inherits …) plus optional
+     * action / effect / domain.
+     */
+    policyDefinition: IScopedCasbinTable;
+    /** Permission catalog (id, code, ...). */
+    permission: IScopedCasbinTable;
+    /** Principal type labels used as casbin name prefixes. */
+    principals: {
+        user: string;
+        role: string;
+    };
+    /** Domain type labels (e.g. ['Merchant', 'Organizer']). */
+    domainTypes: string[];
+    /** Soft-delete handling for both tables. */
+    softDelete?: {
+        use: false;
+    } | {
+        use: true;
+        columnName: string;
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/components/auth/authorize/adapters/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/types.ts"],"names":[],"mappings":"AAAA,4DAA4D;AAC5D,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wGAAwG;AACxG,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,gBAAgB,EAAE,kBAAkB,CAAC;IAErC,0CAA0C;IAC1C,UAAU,EAAE,kBAAkB,CAAC;IAE/B,0DAA0D;IAC1D,UAAU,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAE3C,2DAA2D;IAC3D,WAAW,EAAE,MAAM,EAAE,CAAC;IAEtB,4CAA4C;IAC5C,UAAU,CAAC,EAAE;QAAE,GAAG,EAAE,KAAK,CAAA;KAAE,GAAG;QAAE,GAAG,EAAE,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;CACjE"}

package/dist/components/auth/authorize/adapters/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/components/auth/authorize/adapters/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/types.ts"],"names":[],"mappings":""}