@venizia/ignis 0.0.9-8 → 0.0.9

package/dist/components/auth/authorize/common/constants.d.ts

@@ -4,14 +4,21 @@ export declare class Authorization {
     static readonly RULES = "authorization.rules";
     static readonly SKIP_AUTHORIZATION = "authorization.skip";
     static readonly ENFORCER = "authorization.enforcer";
+    static readonly DOMAIN = "authorization.domain";
 }
 export declare class AuthorizationActions {
     static readonly CREATE = "create";
-    static readonly READ = "read";
     static readonly UPDATE = "update";
     static readonly DELETE = "delete";
     static readonly EXECUTE = "execute";
+    static readonly READ = "read";
+    static readonly WRITE = "write";
+    static readonly MANAGE = "manage";
     static readonly SCHEME_SET: Set<string>;
+    static readonly LATTICE: ReadonlyArray<{
+        child: TAuthorizationAction;
+        parent: TAuthorizationAction;
+    }>;
     static isValid(input: string): boolean;
 }
 export type TAuthorizationAction = TConstValue<typeof AuthorizationActions>;
@@ -43,7 +50,6 @@ export declare class AuthorizationEnforcerTypes {
 }
 export type TAuthorizationEnforcerType = TConstValue<typeof AuthorizationEnforcerTypes>;
 export declare class CasbinEnforcerCachedDrivers {
-    static readonly IN_MEMORY = "in-memory";
     static readonly REDIS = "redis";
     static readonly SCHEME_SET: Set<string>;
     static isValid(input: string): boolean;
@@ -56,15 +62,145 @@ export declare class CasbinEnforcerModelDrivers {
     static isValid(input: string): boolean;
 }
 export type TCasbinEnforcerModelDriver = TConstValue<typeof CasbinEnforcerModelDrivers>;
+export declare class CasbinDomainMatchingFunctions {
+    /** `*` is the only wildcard; exact compare otherwise. Safest for `Merchant_<uuid>` domains. */
+    static readonly KEY_MATCH = "keyMatch";
+    /** Adds URL-path `:param` segment matching. */
+    static readonly KEY_MATCH_2 = "keyMatch2";
+    /** Adds `{param}` segment matching. */
+    static readonly KEY_MATCH_3 = "keyMatch3";
+    /** `{param}` matching with repeated-name equality checks. */
+    static readonly KEY_MATCH_4 = "keyMatch4";
+    /** Treats the stored/policy value as a full regular expression. */
+    static readonly REGEX_MATCH = "regexMatch";
+    static readonly SCHEME_SET: Set<string>;
+    static isValid(input: string): boolean;
+}
+export type TCasbinDomainMatchingFunction = TConstValue<typeof CasbinDomainMatchingFunctions>;
+export declare class AuthorizationDomainScopes {
+    /** Grant applies in EVERY domain the subject is a member of (checked via join_domain / g2). */
+    static readonly ANY_MEMBER = "ANY_MEMBER";
+    /** Grant applies system-wide, bypassing membership — super-admin only. */
+    static readonly SYSTEM_WIDE = "SYSTEM_WIDE";
+    static readonly SCHEME_SET: Set<string>;
+    static isValid(input: string): boolean;
+}
+export type TAuthorizationDomainScope = TConstValue<typeof AuthorizationDomainScopes>;
+/**
+ * Engine-level vocabulary: the relation prefixes the Casbin MODEL declares — `p` for permission
+ * policies and `g`/`g2`…`g5` for grouping relations. This is the low-level building block that
+ * {@link AuthorizationPolicyVariants} maps onto (many app edge-types → one rule, e.g. both
+ * `assign_role` and `role_inherits` use `g`). Keep these in sync with the model's `[role_definition]`.
+ */
 export declare class CasbinRuleVariants {
-    static readonly POLICY = "policy";
-    static readonly GROUP = "group";
-    /** Casbin line prefix for policy rules. */
+    /** Permission policy line. */
     static readonly P = "p";
-    /** Casbin line prefix for grouping rules. */
+    /**
+     * Numbered in request-tuple order (`sub → dom → obj → act`) so the matcher reads left-to-right:
+     * g (sub), g2/g3 (dom), g4 (obj), g5 (act).
+     */
+    /** Grouping #1 — role membership + role inheritance (user→role, role→role). The `sub` axis. */
     static readonly G = "g";
-    static readonly SCHEME_SET: Set<string>;
-    static isValid(input: string): boolean;
+    /** Grouping #2 — user→domain membership (join_domain). The `dom` axis (membership). */
+    static readonly G2 = "g2";
+    /** Grouping #3 — domain hierarchy. The `dom` axis (nesting). */
+    static readonly G3 = "g3";
+    /** Grouping #4 — resource hierarchy. The `obj` axis. */
+    static readonly G4 = "g4";
+    /** Grouping #5 — action hierarchy. The `act` axis. */
+    static readonly G5 = "g5";
 }
 export type TCasbinRuleVariant = TConstValue<typeof CasbinRuleVariants>;
+/**
+ * The kinds of "edge" stored in the single `PolicyDefinition` table. Every row links a `subject`
+ * (type + id) to a `target` (type + id); the `variant` column says WHAT kind of link it is.
+ *
+ * Picture the whole RBAC state as a graph — nodes are User / Role / Permission / Domain, and each
+ * PolicyDefinition row is one edge. `ScopedCasbinAdapter` reads these rows and emits one casbin line
+ * per edge. Each entry below carries:
+ *   - `action` — the value stored in the DB `variant` column (what the adapter filters on).
+ *   - `rule`   — the casbin grouping/policy prefix the adapter emits for that edge (`p`, `g`, `g2`…).
+ *
+ * Per-USER edges (differ per user): GRANT, ASSIGN_ROLE, JOIN_DOMAIN.
+ * Shared HIERARCHY edges (same for everyone — describe the org structure, not a user):
+ *   ROLE_INHERITS, RESOURCE_INHERITS, ACTION_INHERITS, DOMAIN_INHERITS.
+ */
+export declare class AuthorizationPolicyVariants {
+    /**
+     * Give a Permission to a User or Role (the grant row also carries action / effect / domain).
+     * casbin `p`: `p, <Role|User>_<id>, <domain>, <permissionCode>, <action>, <allow|deny>`
+     * e.g. `p, Role_5, ANY_MEMBER, Order, read, allow` — "Role 5 may read Order in any joined domain".
+     */
+    static readonly GRANT: {
+        readonly action: "grant";
+        readonly rule: "p";
+    };
+    /**
+     * Give a User a Role (optionally scoped to a domain; no domain → `*` = every domain).
+     * casbin `g`: `g, User_<id>, Role_<id>, <domain|*>`
+     * e.g. `g, User_42, Role_5, *` — "User 42 holds Role 5 everywhere".
+     */
+    static readonly ASSIGN_ROLE: {
+        readonly action: "assign_role";
+        readonly rule: "g";
+    };
+    /**
+     * A Role inherits another Role (DAG). Shares the `g` relation with ASSIGN_ROLE so a
+     * user → role → parent-role chain resolves in one lookup. Emitted with domain `*`.
+     * casbin `g`: `g, Role_<child>, Role_<parent>, *`
+     * e.g. `g, Role_5, Role_9, *` — "Role 5 inherits everything Role 9 has".
+     */
+    static readonly ROLE_INHERITS: {
+        readonly action: "role_inherits";
+        readonly rule: "g";
+    };
+    /**
+     * A User is a member of a Domain. Powers the `ANY_MEMBER` grant scope — a grant with domain
+     * `ANY_MEMBER` applies in every domain the user joined. Matcher uses `g2(r.sub, r.dom)`.
+     * casbin `g2`: `g2, User_<id>, <Type>_<domainId>`
+     * e.g. `g2, User_42, Merchant_7` — "User 42 is a member of Merchant 7".
+     */
+    static readonly JOIN_DOMAIN: {
+        readonly action: "join_domain";
+        readonly rule: "g2";
+    };
+    /**
+     * DOMAIN axis (the `dom` of a request). One domain is nested under a parent domain.
+     * Matcher: `g3(r.dom, p.dom)` (+ self-link, so an exact domain always matches itself).
+     * casbin `g3`: `g3, <Type>_<childId>, <Type>_<parentId>`
+     * e.g. `g3, Branch_1, Company_9` — "a grant scoped to Company 9 also applies in Branch 1".
+     */
+    static readonly DOMAIN_INHERITS: {
+        readonly action: "domain_inherits";
+        readonly rule: "g3";
+    };
+    /**
+     * RESOURCE axis (the `obj` of a request). One resource is nested under a broader one — for
+     * NON-standard nesting only; dotted nesting (`Order.findById ⊂ Order`) is handled by `objectMatch`
+     * WITHOUT an edge. Matcher: `objectMatch(r.obj, p.obj) || g4(r.obj, p.obj)`.
+     * casbin `g4`: `g4, <childCode>, <parentCode>`
+     * e.g. `g4, OrderItem, Order` — "a grant on Order also covers OrderItem".
+     */
+    static readonly RESOURCE_INHERITS: {
+        readonly action: "resource_inherits";
+        readonly rule: "g4";
+    };
+    /**
+     * ACTION axis (the `act` of a request) — SAME shape as RESOURCE_INHERITS but a DIFFERENT axis: a
+     * narrow action is covered by a broader one. No dotted shortcut — needs an explicit edge.
+     * Matcher: `g5(r.act, p.act)`.
+     * casbin `g5`: `g5, <childAction>, <parentAction>`
+     * e.g. `g5, read, manage` — "a grant of manage also allows read".
+     * (g4 + g5 combine multiplicatively: a `manage Order` grant covers a `read OrderItem` request.)
+     */
+    static readonly ACTION_INHERITS: {
+        readonly action: "action_inherits";
+        readonly rule: "g5";
+    };
+    static readonly ACTION_SCHEME_SET: Set<string>;
+    static readonly RULE_SCHEME_SET: Set<string>;
+    static isValidAction(input: string): boolean;
+    static isValidRule(input: string): boolean;
+}
+export type TAuthorizationPolicyVariant = TConstValue<typeof AuthorizationPolicyVariants>;
 //# sourceMappingURL=constants.d.ts.map

package/dist/components/auth/authorize/common/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAEvE,qBAAa,aAAa;IACxB,MAAM,CAAC,QAAQ,CAAC,KAAK,yBAAyB;IAC9C,MAAM,CAAC,QAAQ,CAAC,kBAAkB,wBAAwB;IAC1D,MAAM,CAAC,QAAQ,CAAC,QAAQ,4BAA4B;CACrD;AAED,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,OAAO,aAAa;IAEpC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAMvB;IAEH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AACD,MAAM,MAAM,oBAAoB,GAAG,WAAW,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAE5E,qBAAa,sBAAsB;IACjC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAChC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,OAAO,aAAa;IAEpC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAkD;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAItC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;IAO/C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;IAO9C,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;CAMlD;AACD,MAAM,MAAM,sBAAsB,GAAG,WAAW,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEhF,qBAAa,kBAAkB;IAC7B,MAAM,CAAC,QAAQ,CAAC,WAAW,oBAGxB;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,oBAGlB;IACH,MAAM,CAAC,QAAQ,CAAC,IAAI,oBAGjB;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,oBAGlB;IACH,MAAM,CAAC,QAAQ,CAAC,YAAY,oBAGzB;IAEH,MAAM,CAAC,QAAQ,CAAC,UAAU,cAMvB;IAEH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,qBAAa,0BAA0B;IACrC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAElC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAuC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,0BAA0B,GAAG,WAAW,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAExF,qBAAa,2BAA2B;IACtC,MAAM,CAAC,QAAQ,CAAC,SAAS,eAAe;IACxC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAEhC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAyC;IAEnE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,2BAA2B,GAAG,WAAW,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAE1F,qBAAa,0BAA0B;IACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAE9B,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAmC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,0BAA0B,GAAG,WAAW,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAExF,qBAAa,kBAAkB;IAC7B,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAEhC,2CAA2C;IAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO;IACxB,6CAA6C;IAC7C,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO;IAExB,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAsC;IAEhE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,kBAAkB,GAAG,WAAW,CAAC,OAAO,kBAAkB,CAAC,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAEvE,qBAAa,aAAa;IACxB,MAAM,CAAC,QAAQ,CAAC,KAAK,yBAAyB;IAC9C,MAAM,CAAC,QAAQ,CAAC,kBAAkB,wBAAwB;IAC1D,MAAM,CAAC,QAAQ,CAAC,QAAQ,4BAA4B;IACpD,MAAM,CAAC,QAAQ,CAAC,MAAM,0BAA0B;CACjD;AAED,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,OAAO,aAAa;IAEpC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAChC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAElC,MAAM,CAAC,QAAQ,CAAC,UAAU,cASvB;IAEH,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;QACrC,KAAK,EAAE,oBAAoB,CAAC;QAC5B,MAAM,EAAE,oBAAoB,CAAC;KAC9B,CAAC,CAOA;IAEF,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AACD,MAAM,MAAM,oBAAoB,GAAG,WAAW,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAE5E,qBAAa,sBAAsB;IACjC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAChC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,OAAO,aAAa;IAEpC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAkD;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAItC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;IAO/C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;IAO9C,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;CAMlD;AACD,MAAM,MAAM,sBAAsB,GAAG,WAAW,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEhF,qBAAa,kBAAkB;IAC7B,MAAM,CAAC,QAAQ,CAAC,WAAW,oBAGxB;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,oBAGlB;IACH,MAAM,CAAC,QAAQ,CAAC,IAAI,oBAGjB;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,oBAGlB;IACH,MAAM,CAAC,QAAQ,CAAC,YAAY,oBAGzB;IAEH,MAAM,CAAC,QAAQ,CAAC,UAAU,cAMvB;IAEH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,qBAAa,0BAA0B;IACrC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAElC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAuC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,0BAA0B,GAAG,WAAW,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAExF,qBAAa,2BAA2B;IACtC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAEhC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAyB;IAEnD,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,2BAA2B,GAAG,WAAW,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAE1F,qBAAa,0BAA0B;IACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAE9B,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAmC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,0BAA0B,GAAG,WAAW,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAExF,qBAAa,6BAA6B;IACxC,+FAA+F;IAC/F,MAAM,CAAC,QAAQ,CAAC,SAAS,cAAc;IAEvC,+CAA+C;IAC/C,MAAM,CAAC,QAAQ,CAAC,WAAW,eAAe;IAE1C,uCAAuC;IACvC,MAAM,CAAC,QAAQ,CAAC,WAAW,eAAe;IAE1C,6DAA6D;IAC7D,MAAM,CAAC,QAAQ,CAAC,WAAW,eAAe;IAE1C,mEAAmE;IACnE,MAAM,CAAC,QAAQ,CAAC,WAAW,gBAAgB;IAE3C,MAAM,CAAC,QAAQ,CAAC,UAAU,cAMvB;IAEH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,6BAA6B,GAAG,WAAW,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAE9F,qBAAa,yBAAyB;IACpC,+FAA+F;IAC/F,MAAM,CAAC,QAAQ,CAAC,UAAU,gBAAgB;IAE1C,0EAA0E;IAC1E,MAAM,CAAC,QAAQ,CAAC,WAAW,iBAAiB;IAE5C,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAgD;IAE1E,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AACD,MAAM,MAAM,yBAAyB,GAAG,WAAW,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAEtF;;;;;GAKG;AACH,qBAAa,kBAAkB;IAC7B,8BAA8B;IAC9B,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO;IAExB;;;OAGG;IAEH,+FAA+F;IAC/F,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO;IAExB,uFAAuF;IACvF,MAAM,CAAC,QAAQ,CAAC,EAAE,QAAQ;IAE1B,gEAAgE;IAChE,MAAM,CAAC,QAAQ,CAAC,EAAE,QAAQ;IAE1B,wDAAwD;IACxD,MAAM,CAAC,QAAQ,CAAC,EAAE,QAAQ;IAE1B,sDAAsD;IACtD,MAAM,CAAC,QAAQ,CAAC,EAAE,QAAQ;CAC3B;AAED,MAAM,MAAM,kBAAkB,GAAG,WAAW,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAExE;;;;;;;;;;;;;GAaG;AACH,qBAAa,2BAA2B;IACtC;;;;OAIG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK;;;MAA4D;IAEjF;;;;OAIG;IACH,MAAM,CAAC,QAAQ,CAAC,WAAW;;;MAAkE;IAE7F;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,aAAa;;;MAAoE;IAEjG;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,WAAW;;;MAAmE;IAE9F;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,eAAe;;;MAGpB;IAEX;;;;;;OAMG;IACH,MAAM,CAAC,QAAQ,CAAC,iBAAiB;;;MAGtB;IAEX;;;;;;;OAOG;IACH,MAAM,CAAC,QAAQ,CAAC,eAAe;;;MAGpB;IAEX,MAAM,CAAC,QAAQ,CAAC,iBAAiB,cAQ9B;IAEH,MAAM,CAAC,QAAQ,CAAC,eAAe,cAQ5B;IAEH,MAAM,CAAC,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAI5C,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAG3C;AACD,MAAM,MAAM,2BAA2B,GAAG,WAAW,CAAC,OAAO,2BAA2B,CAAC,CAAC"}

package/dist/components/auth/authorize/common/constants.js

@@ -1,26 +1,39 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CasbinRuleVariants = exports.CasbinEnforcerModelDrivers = exports.CasbinEnforcerCachedDrivers = exports.AuthorizationEnforcerTypes = exports.AuthorizationRoles = exports.AuthorizationDecisions = exports.AuthorizationActions = exports.Authorization = void 0;
+exports.AuthorizationPolicyVariants = exports.CasbinRuleVariants = exports.AuthorizationDomainScopes = exports.CasbinDomainMatchingFunctions = exports.CasbinEnforcerModelDrivers = exports.CasbinEnforcerCachedDrivers = exports.AuthorizationEnforcerTypes = exports.AuthorizationRoles = exports.AuthorizationDecisions = exports.AuthorizationActions = exports.Authorization = void 0;
 const authorization_role_model_1 = require("../models/authorization-role.model");
 class Authorization {
     static { this.RULES = 'authorization.rules'; }
     static { this.SKIP_AUTHORIZATION = 'authorization.skip'; }
     static { this.ENFORCER = 'authorization.enforcer'; }
+    static { this.DOMAIN = 'authorization.domain'; }
 }
 exports.Authorization = Authorization;
 class AuthorizationActions {
     static { this.CREATE = 'create'; }
-    static { this.READ = 'read'; }
     static { this.UPDATE = 'update'; }
     static { this.DELETE = 'delete'; }
     static { this.EXECUTE = 'execute'; }
+    static { this.READ = 'read'; }
+    static { this.WRITE = 'write'; }
+    static { this.MANAGE = 'manage'; }
     static { this.SCHEME_SET = new Set([
         this.CREATE,
-        this.READ,
         this.UPDATE,
         this.DELETE,
         this.EXECUTE,
+        this.READ,
+        this.WRITE,
+        this.MANAGE,
     ]); }
+    static { this.LATTICE = [
+        { child: this.READ, parent: this.MANAGE },
+        { child: this.WRITE, parent: this.MANAGE },
+        { child: this.EXECUTE, parent: this.MANAGE },
+        { child: this.CREATE, parent: this.WRITE },
+        { child: this.UPDATE, parent: this.WRITE },
+        { child: this.DELETE, parent: this.WRITE },
+    ]; }
     static isValid(input) {
         return this.SCHEME_SET.has(input);
     }
@@ -97,9 +110,8 @@ class AuthorizationEnforcerTypes {
 }
 exports.AuthorizationEnforcerTypes = AuthorizationEnforcerTypes;
 class CasbinEnforcerCachedDrivers {
-    static { this.IN_MEMORY = 'in-memory'; }
     static { this.REDIS = 'redis'; }
-    static { this.SCHEME_SET = new Set([this.IN_MEMORY, this.REDIS]); }
+    static { this.SCHEME_SET = new Set([this.REDIS]); }
     static isValid(input) {
         return this.SCHEME_SET.has(input);
     }
@@ -114,17 +126,163 @@ class CasbinEnforcerModelDrivers {
     }
 }
 exports.CasbinEnforcerModelDrivers = CasbinEnforcerModelDrivers;
-class CasbinRuleVariants {
-    static { this.POLICY = 'policy'; }
-    static { this.GROUP = 'group'; }
-    /** Casbin line prefix for policy rules. */
-    static { this.P = 'p'; }
-    /** Casbin line prefix for grouping rules. */
-    static { this.G = 'g'; }
-    static { this.SCHEME_SET = new Set([this.POLICY, this.GROUP]); }
+class CasbinDomainMatchingFunctions {
+    /** `*` is the only wildcard; exact compare otherwise. Safest for `Merchant_<uuid>` domains. */
+    static { this.KEY_MATCH = 'keyMatch'; }
+    /** Adds URL-path `:param` segment matching. */
+    static { this.KEY_MATCH_2 = 'keyMatch2'; }
+    /** Adds `{param}` segment matching. */
+    static { this.KEY_MATCH_3 = 'keyMatch3'; }
+    /** `{param}` matching with repeated-name equality checks. */
+    static { this.KEY_MATCH_4 = 'keyMatch4'; }
+    /** Treats the stored/policy value as a full regular expression. */
+    static { this.REGEX_MATCH = 'regexMatch'; }
+    static { this.SCHEME_SET = new Set([
+        this.KEY_MATCH,
+        this.KEY_MATCH_2,
+        this.KEY_MATCH_3,
+        this.KEY_MATCH_4,
+        this.REGEX_MATCH,
+    ]); }
+    static isValid(input) {
+        return this.SCHEME_SET.has(input);
+    }
+}
+exports.CasbinDomainMatchingFunctions = CasbinDomainMatchingFunctions;
+class AuthorizationDomainScopes {
+    /** Grant applies in EVERY domain the subject is a member of (checked via join_domain / g2). */
+    static { this.ANY_MEMBER = 'ANY_MEMBER'; }
+    /** Grant applies system-wide, bypassing membership — super-admin only. */
+    static { this.SYSTEM_WIDE = 'SYSTEM_WIDE'; }
+    static { this.SCHEME_SET = new Set([this.ANY_MEMBER, this.SYSTEM_WIDE]); }
     static isValid(input) {
         return this.SCHEME_SET.has(input);
     }
 }
+exports.AuthorizationDomainScopes = AuthorizationDomainScopes;
+/**
+ * Engine-level vocabulary: the relation prefixes the Casbin MODEL declares — `p` for permission
+ * policies and `g`/`g2`…`g5` for grouping relations. This is the low-level building block that
+ * {@link AuthorizationPolicyVariants} maps onto (many app edge-types → one rule, e.g. both
+ * `assign_role` and `role_inherits` use `g`). Keep these in sync with the model's `[role_definition]`.
+ */
+class CasbinRuleVariants {
+    /** Permission policy line. */
+    static { this.P = 'p'; }
+    /**
+     * Numbered in request-tuple order (`sub → dom → obj → act`) so the matcher reads left-to-right:
+     * g (sub), g2/g3 (dom), g4 (obj), g5 (act).
+     */
+    /** Grouping #1 — role membership + role inheritance (user→role, role→role). The `sub` axis. */
+    static { this.G = 'g'; }
+    /** Grouping #2 — user→domain membership (join_domain). The `dom` axis (membership). */
+    static { this.G2 = 'g2'; }
+    /** Grouping #3 — domain hierarchy. The `dom` axis (nesting). */
+    static { this.G3 = 'g3'; }
+    /** Grouping #4 — resource hierarchy. The `obj` axis. */
+    static { this.G4 = 'g4'; }
+    /** Grouping #5 — action hierarchy. The `act` axis. */
+    static { this.G5 = 'g5'; }
+}
 exports.CasbinRuleVariants = CasbinRuleVariants;
+/**
+ * The kinds of "edge" stored in the single `PolicyDefinition` table. Every row links a `subject`
+ * (type + id) to a `target` (type + id); the `variant` column says WHAT kind of link it is.
+ *
+ * Picture the whole RBAC state as a graph — nodes are User / Role / Permission / Domain, and each
+ * PolicyDefinition row is one edge. `ScopedCasbinAdapter` reads these rows and emits one casbin line
+ * per edge. Each entry below carries:
+ *   - `action` — the value stored in the DB `variant` column (what the adapter filters on).
+ *   - `rule`   — the casbin grouping/policy prefix the adapter emits for that edge (`p`, `g`, `g2`…).
+ *
+ * Per-USER edges (differ per user): GRANT, ASSIGN_ROLE, JOIN_DOMAIN.
+ * Shared HIERARCHY edges (same for everyone — describe the org structure, not a user):
+ *   ROLE_INHERITS, RESOURCE_INHERITS, ACTION_INHERITS, DOMAIN_INHERITS.
+ */
+class AuthorizationPolicyVariants {
+    /**
+     * Give a Permission to a User or Role (the grant row also carries action / effect / domain).
+     * casbin `p`: `p, <Role|User>_<id>, <domain>, <permissionCode>, <action>, <allow|deny>`
+     * e.g. `p, Role_5, ANY_MEMBER, Order, read, allow` — "Role 5 may read Order in any joined domain".
+     */
+    static { this.GRANT = { action: 'grant', rule: CasbinRuleVariants.P }; }
+    /**
+     * Give a User a Role (optionally scoped to a domain; no domain → `*` = every domain).
+     * casbin `g`: `g, User_<id>, Role_<id>, <domain|*>`
+     * e.g. `g, User_42, Role_5, *` — "User 42 holds Role 5 everywhere".
+     */
+    static { this.ASSIGN_ROLE = { action: 'assign_role', rule: CasbinRuleVariants.G }; }
+    /**
+     * A Role inherits another Role (DAG). Shares the `g` relation with ASSIGN_ROLE so a
+     * user → role → parent-role chain resolves in one lookup. Emitted with domain `*`.
+     * casbin `g`: `g, Role_<child>, Role_<parent>, *`
+     * e.g. `g, Role_5, Role_9, *` — "Role 5 inherits everything Role 9 has".
+     */
+    static { this.ROLE_INHERITS = { action: 'role_inherits', rule: CasbinRuleVariants.G }; }
+    /**
+     * A User is a member of a Domain. Powers the `ANY_MEMBER` grant scope — a grant with domain
+     * `ANY_MEMBER` applies in every domain the user joined. Matcher uses `g2(r.sub, r.dom)`.
+     * casbin `g2`: `g2, User_<id>, <Type>_<domainId>`
+     * e.g. `g2, User_42, Merchant_7` — "User 42 is a member of Merchant 7".
+     */
+    static { this.JOIN_DOMAIN = { action: 'join_domain', rule: CasbinRuleVariants.G2 }; }
+    /**
+     * DOMAIN axis (the `dom` of a request). One domain is nested under a parent domain.
+     * Matcher: `g3(r.dom, p.dom)` (+ self-link, so an exact domain always matches itself).
+     * casbin `g3`: `g3, <Type>_<childId>, <Type>_<parentId>`
+     * e.g. `g3, Branch_1, Company_9` — "a grant scoped to Company 9 also applies in Branch 1".
+     */
+    static { this.DOMAIN_INHERITS = {
+        action: 'domain_inherits',
+        rule: CasbinRuleVariants.G3,
+    }; }
+    /**
+     * RESOURCE axis (the `obj` of a request). One resource is nested under a broader one — for
+     * NON-standard nesting only; dotted nesting (`Order.findById ⊂ Order`) is handled by `objectMatch`
+     * WITHOUT an edge. Matcher: `objectMatch(r.obj, p.obj) || g4(r.obj, p.obj)`.
+     * casbin `g4`: `g4, <childCode>, <parentCode>`
+     * e.g. `g4, OrderItem, Order` — "a grant on Order also covers OrderItem".
+     */
+    static { this.RESOURCE_INHERITS = {
+        action: 'resource_inherits',
+        rule: CasbinRuleVariants.G4,
+    }; }
+    /**
+     * ACTION axis (the `act` of a request) — SAME shape as RESOURCE_INHERITS but a DIFFERENT axis: a
+     * narrow action is covered by a broader one. No dotted shortcut — needs an explicit edge.
+     * Matcher: `g5(r.act, p.act)`.
+     * casbin `g5`: `g5, <childAction>, <parentAction>`
+     * e.g. `g5, read, manage` — "a grant of manage also allows read".
+     * (g4 + g5 combine multiplicatively: a `manage Order` grant covers a `read OrderItem` request.)
+     */
+    static { this.ACTION_INHERITS = {
+        action: 'action_inherits',
+        rule: CasbinRuleVariants.G5,
+    }; }
+    static { this.ACTION_SCHEME_SET = new Set([
+        this.GRANT.action.toString(),
+        this.ASSIGN_ROLE.action.toString(),
+        this.ROLE_INHERITS.action.toString(),
+        this.JOIN_DOMAIN.action.toString(),
+        this.DOMAIN_INHERITS.action.toString(),
+        this.RESOURCE_INHERITS.action.toString(),
+        this.ACTION_INHERITS.action.toString(),
+    ]); }
+    static { this.RULE_SCHEME_SET = new Set([
+        this.GRANT.rule.toString(),
+        this.ASSIGN_ROLE.rule.toString(),
+        this.ROLE_INHERITS.rule.toString(),
+        this.JOIN_DOMAIN.rule.toString(),
+        this.DOMAIN_INHERITS.rule.toString(),
+        this.RESOURCE_INHERITS.rule.toString(),
+        this.ACTION_INHERITS.rule.toString(),
+    ]); }
+    static isValidAction(input) {
+        return this.ACTION_SCHEME_SET.has(input);
+    }
+    static isValidRule(input) {
+        return this.RULE_SCHEME_SET.has(input);
+    }
+}
+exports.AuthorizationPolicyVariants = AuthorizationPolicyVariants;
 //# sourceMappingURL=constants.js.map

package/dist/components/auth/authorize/common/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":";;;AACA,iFAAuE;AAEvE,MAAa,aAAa;aACR,UAAK,GAAG,qBAAqB,CAAC;aAC9B,uBAAkB,GAAG,oBAAoB,CAAC;aAC1C,aAAQ,GAAG,wBAAwB,CAAC;;AAHtD,sCAIC;AAED,MAAa,oBAAoB;aACf,WAAM,GAAG,QAAQ,CAAC;aAClB,SAAI,GAAG,MAAM,CAAC;aACd,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAClB,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,IAAI;QACT,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,OAAO;KACb,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAjBH,oDAkBC;AAGD,MAAa,sBAAsB;aACjB,UAAK,GAAG,OAAO,CAAC;aAChB,SAAI,GAAG,MAAM,CAAC;aACd,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,KAAsB;QACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,KAAK,CAAC;IAC5C,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,KAAsB;QAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,SAAS,CAAC,KAAsB;QACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,OAAO,CAAC;IAC9C,CAAC;;AA9BH,wDA+BC;AAGD,MAAa,kBAAkB;aACb,gBAAW,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACpD,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,SAAI,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC7C,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,EAAE;KACb,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aACa,iBAAY,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACrD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aAEa,eAAU,GAAG,IAAI,GAAG,CAAS;QAC3C,IAAI,CAAC,WAAW,CAAC,UAAU;QAC3B,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,IAAI,CAAC,UAAU;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,YAAY,CAAC,UAAU;KAC7B,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAhCH,gDAiCC;AAED,MAAa,0BAA0B;aACrB,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAElB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,2BAA2B;aACtB,cAAS,GAAG,WAAW,CAAC;aACxB,UAAK,GAAG,OAAO,CAAC;aAEhB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAEnE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,kEASC;AAID,MAAa,0BAA0B;aACrB,SAAI,GAAG,MAAM,CAAC;aACd,SAAI,GAAG,MAAM,CAAC;aAEd,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,kBAAkB;aACb,WAAM,GAAG,QAAQ,CAAC;aAClB,UAAK,GAAG,OAAO,CAAC;IAEhC,2CAA2C;aAC3B,MAAC,GAAG,GAAG,CAAC;IACxB,6CAA6C;aAC7B,MAAC,GAAG,GAAG,CAAC;aAER,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAEhE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAbH,gDAcC"}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":";;;AACA,iFAAuE;AAEvE,MAAa,aAAa;aACR,UAAK,GAAG,qBAAqB,CAAC;aAC9B,uBAAkB,GAAG,oBAAoB,CAAC;aAC1C,aAAQ,GAAG,wBAAwB,CAAC;aACpC,WAAM,GAAG,sBAAsB,CAAC;;AAJlD,sCAKC;AAED,MAAa,oBAAoB;aACf,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAClB,YAAO,GAAG,SAAS,CAAC;aAEpB,SAAI,GAAG,MAAM,CAAC;aACd,UAAK,GAAG,OAAO,CAAC;aAChB,WAAM,GAAG,QAAQ,CAAC;aAElB,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,MAAM;QACX,IAAI,CAAC,OAAO;QAEZ,IAAI,CAAC,IAAI;QACT,IAAI,CAAC,KAAK;QACV,IAAI,CAAC,MAAM;KACZ,CAAC,CAAC;aAEa,YAAO,GAGlB;QACH,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;QACzC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;QAC1C,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;QAC5C,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE;QAC1C,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE;QAC1C,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE;KAC3C,CAAC;IAEF,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAnCH,oDAoCC;AAGD,MAAa,sBAAsB;aACjB,UAAK,GAAG,OAAO,CAAC;aAChB,SAAI,GAAG,MAAM,CAAC;aACd,YAAO,GAAG,SAAS,CAAC;aAEpB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,KAAsB;QACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,KAAK,CAAC;IAC5C,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,KAAsB;QAClC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,SAAS,CAAC,KAAsB;QACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,KAAK,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,OAAO,CAAC;IAC9C,CAAC;;AA9BH,wDA+BC;AAGD,MAAa,kBAAkB;aACb,gBAAW,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACpD,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,GAAG;KACd,CAAC,CAAC;aACa,SAAI,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC7C,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,EAAE;KACb,CAAC,CAAC;aACa,UAAK,GAAG,4CAAiB,CAAC,KAAK,CAAC;QAC9C,IAAI,EAAE,OAAO;QACb,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aACa,iBAAY,GAAG,4CAAiB,CAAC,KAAK,CAAC;QACrD,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,CAAC;KACZ,CAAC,CAAC;aAEa,eAAU,GAAG,IAAI,GAAG,CAAS;QAC3C,IAAI,CAAC,WAAW,CAAC,UAAU;QAC3B,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,IAAI,CAAC,UAAU;QACpB,IAAI,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,YAAY,CAAC,UAAU;KAC7B,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAhCH,gDAiCC;AAED,MAAa,0BAA0B;aACrB,WAAM,GAAG,QAAQ,CAAC;aAClB,WAAM,GAAG,QAAQ,CAAC;aAElB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,2BAA2B;aACtB,UAAK,GAAG,OAAO,CAAC;aAEhB,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAEnD,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAPH,kEAQC;AAID,MAAa,0BAA0B;aACrB,SAAI,GAAG,MAAM,CAAC;aACd,SAAI,GAAG,MAAM,CAAC;aAEd,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AARH,gEASC;AAID,MAAa,6BAA6B;IACxC,+FAA+F;aAC/E,cAAS,GAAG,UAAU,CAAC;IAEvC,+CAA+C;aAC/B,gBAAW,GAAG,WAAW,CAAC;IAE1C,uCAAuC;aACvB,gBAAW,GAAG,WAAW,CAAC;IAE1C,6DAA6D;aAC7C,gBAAW,GAAG,WAAW,CAAC;IAE1C,mEAAmE;aACnD,gBAAW,GAAG,YAAY,CAAC;aAE3B,eAAU,GAAG,IAAI,GAAG,CAAC;QACnC,IAAI,CAAC,SAAS;QACd,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW;KACjB,CAAC,CAAC;IAEH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AA1BH,sEA2BC;AAID,MAAa,yBAAyB;IACpC,+FAA+F;aAC/E,eAAU,GAAG,YAAY,CAAC;IAE1C,0EAA0E;aAC1D,gBAAW,GAAG,aAAa,CAAC;aAE5B,eAAU,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAE1E,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;;AAXH,8DAYC;AAGD;;;;;GAKG;AACH,MAAa,kBAAkB;IAC7B,8BAA8B;aACd,MAAC,GAAG,GAAG,CAAC;IAExB;;;OAGG;IAEH,+FAA+F;aAC/E,MAAC,GAAG,GAAG,CAAC;IAExB,uFAAuF;aACvE,OAAE,GAAG,IAAI,CAAC;IAE1B,gEAAgE;aAChD,OAAE,GAAG,IAAI,CAAC;IAE1B,wDAAwD;aACxC,OAAE,GAAG,IAAI,CAAC;IAE1B,sDAAsD;aACtC,OAAE,GAAG,IAAI,CAAC;;AAtB5B,gDAuBC;AAID;;;;;;;;;;;;;GAaG;AACH,MAAa,2BAA2B;IACtC;;;;OAIG;aACa,UAAK,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAW,CAAC;IAEjF;;;;OAIG;aACa,gBAAW,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAW,CAAC;IAE7F;;;;;OAKG;aACa,kBAAa,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAW,CAAC;IAEjG;;;;;OAKG;aACa,gBAAW,GAAG,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,kBAAkB,CAAC,EAAE,EAAW,CAAC;IAE9F;;;;;OAKG;aACa,oBAAe,GAAG;QAChC,MAAM,EAAE,iBAAiB;QACzB,IAAI,EAAE,kBAAkB,CAAC,EAAE;KACnB,CAAC;IAEX;;;;;;OAMG;aACa,sBAAiB,GAAG;QAClC,MAAM,EAAE,mBAAmB;QAC3B,IAAI,EAAE,kBAAkB,CAAC,EAAE;KACnB,CAAC;IAEX;;;;;;;OAOG;aACa,oBAAe,GAAG;QAChC,MAAM,EAAE,iBAAiB;QACzB,IAAI,EAAE,kBAAkB,CAAC,EAAE;KACnB,CAAC;aAEK,sBAAiB,GAAG,IAAI,GAAG,CAAC;QAC1C,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE;QAC5B,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE;QAClC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE;QACpC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE;QAClC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE;QACtC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,QAAQ,EAAE;QACxC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE;KACvC,CAAC,CAAC;aAEa,oBAAe,GAAG,IAAI,GAAG,CAAC;QACxC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE;QAC1B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE;QAChC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE;QAClC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE;QAChC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE;QACpC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,EAAE;QACtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE;KACrC,CAAC,CAAC;IAEH,MAAM,CAAC,aAAa,CAAC,KAAa;QAChC,OAAO,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,CAAC,WAAW,CAAC,KAAa;QAC9B,OAAO,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;;AA7FH,kEA8FC"}

package/dist/components/auth/authorize/common/index.d.ts

@@ -1,4 +1,8 @@
 export * from './constants';
 export * from './keys';
+export * from './object-match';
+export * from './permission-builder';
+export * from './policy-builder';
+export * from './resolve-request-domain';
 export * from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/components/auth/authorize/common/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,QAAQ,CAAC;AACvB,cAAc,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,QAAQ,CAAC;AACvB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,sBAAsB,CAAC;AACrC,cAAc,kBAAkB,CAAC;AACjC,cAAc,0BAA0B,CAAC;AACzC,cAAc,SAAS,CAAC"}

package/dist/components/auth/authorize/common/index.js

@@ -16,5 +16,9 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./constants"), exports);
 __exportStar(require("./keys"), exports);
+__exportStar(require("./object-match"), exports);
+__exportStar(require("./permission-builder"), exports);
+__exportStar(require("./policy-builder"), exports);
+__exportStar(require("./resolve-request-domain"), exports);
 __exportStar(require("./types"), exports);
 //# sourceMappingURL=index.js.map

package/dist/components/auth/authorize/common/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,yCAAuB;AACvB,0CAAwB"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,yCAAuB;AACvB,iDAA+B;AAC/B,uDAAqC;AACrC,mDAAiC;AACjC,2DAAyC;AACzC,0CAAwB"}

package/dist/components/auth/authorize/common/object-match.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Resource-hierarchy matcher for casbin `g4`. Decides whether a requested resource node
+ * falls under a granted resource node WITHOUT storing the "standard" edges
+ * (endpoint ⊂ subject ⊂ *), which are derivable from the dotted `code`.
+ *
+ * Non-standard edges (e.g. `OrderItem ⊂ Order`) are NOT covered here — those are stored as
+ * explicit `resource_inherits` (g4) links and resolved by casbin's role manager.
+ *
+ * Registered in TWO ways by the enforcer (both required):
+ *   1. `enforcer.addFunction('objectMatch', objectMatch)` — lets the matcher call
+ *      `objectMatch(r.obj, p.obj)` directly for "graph-free" prefix/wildcard matching. casbin's
+ *      role-manager `hasLink` only traverses stored nodes, so a `g4(...)`-only call can't match
+ *      `p.obj = '*'` or a subject that isn't a stored g4 vertex — the direct call covers those.
+ *   2. `enforcer.addNamedMatchingFunc('g4', objectMatch)` — applies the same semantics when
+ *      traversing explicit stored `resource_inherits` (g4) edges.
+ *
+ * @param requested the resource on the request (r.obj), e.g. `Activation.findById`
+ * @param granted   the resource on the policy (p.obj), e.g. `Activation` or `*`
+ */
+export declare const objectMatch: (requested: string, granted: string) => boolean;
+//# sourceMappingURL=object-match.d.ts.map

package/dist/components/auth/authorize/common/object-match.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"object-match.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/object-match.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,WAAW,GAAI,WAAW,MAAM,EAAE,SAAS,MAAM,KAAG,OAUhE,CAAC"}

package/dist/components/auth/authorize/common/object-match.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.objectMatch = void 0;
+/**
+ * Resource-hierarchy matcher for casbin `g4`. Decides whether a requested resource node
+ * falls under a granted resource node WITHOUT storing the "standard" edges
+ * (endpoint ⊂ subject ⊂ *), which are derivable from the dotted `code`.
+ *
+ * Non-standard edges (e.g. `OrderItem ⊂ Order`) are NOT covered here — those are stored as
+ * explicit `resource_inherits` (g4) links and resolved by casbin's role manager.
+ *
+ * Registered in TWO ways by the enforcer (both required):
+ *   1. `enforcer.addFunction('objectMatch', objectMatch)` — lets the matcher call
+ *      `objectMatch(r.obj, p.obj)` directly for "graph-free" prefix/wildcard matching. casbin's
+ *      role-manager `hasLink` only traverses stored nodes, so a `g4(...)`-only call can't match
+ *      `p.obj = '*'` or a subject that isn't a stored g4 vertex — the direct call covers those.
+ *   2. `enforcer.addNamedMatchingFunc('g4', objectMatch)` — applies the same semantics when
+ *      traversing explicit stored `resource_inherits` (g4) edges.
+ *
+ * @param requested the resource on the request (r.obj), e.g. `Activation.findById`
+ * @param granted   the resource on the policy (p.obj), e.g. `Activation` or `*`
+ */
+const objectMatch = (requested, granted) => {
+    if (granted === '*') {
+        return true;
+    }
+    if (requested === granted) {
+        return true;
+    }
+    return requested.startsWith(`${granted}.`);
+};
+exports.objectMatch = objectMatch;
+//# sourceMappingURL=object-match.js.map

package/dist/components/auth/authorize/common/object-match.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"object-match.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/object-match.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;;;;;;;;GAkBG;AACI,MAAM,WAAW,GAAG,CAAC,SAAiB,EAAE,OAAe,EAAW,EAAE;IACzE,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,SAAS,CAAC,UAAU,CAAC,GAAG,OAAO,GAAG,CAAC,CAAC;AAC7C,CAAC,CAAC;AAVW,QAAA,WAAW,eAUtB"}

package/dist/components/auth/authorize/common/permission-builder.d.ts

@@ -0,0 +1,92 @@
+import { IdType } from '../../../../base';
+import { TNullable } from '../../../../helpers';
+import { TAuthorizationAction } from './constants';
+/**
+ * Builders for `Permission` catalog rows (the `obj` axis the scoped matcher resolves).
+ *
+ * Generic over the name/description type (`TName`) so an app with i18n `name`/`description` columns and
+ * one with plain-text names both fit. Produces the framework-owned columns
+ * (code/subject/method/action/scope/description/parentId); `description` defaults to `null`.
+ * App-specific columns are added by the caller.
+ */
+export declare class AuthorizationPermissionBuilder {
+    /** Sentinel `method` for a coarse resource node (a grant target that is not a route). */
+    static readonly RESOURCE_NODE_METHOD = "*";
+    /** Standard repository method → base action. Unlisted methods (custom ops, aggregates) resolve to `execute`. */
+    static readonly METHOD_ACTIONS: Readonly<Record<string, TAuthorizationAction>>;
+    /** The CRUD methods {@link crud} generates by default. */
+    static readonly DEFAULT_CRUD_METHODS: ReadonlyArray<string>;
+    /** Base action for a method: a known CRUD method maps to read/create/update/delete; anything else → `execute`. */
+    static actionForMethod(method: string): TAuthorizationAction;
+    /** One operation-level permission, `code = <subject>.<method>`. `action` defaults to {@link actionForMethod}. */
+    static operation<TName>(opts: {
+        subject: string;
+        method: string;
+        scope: string;
+        name: TName;
+        description?: TNullable<TName>;
+        action?: TAuthorizationAction;
+        parentId?: TNullable<IdType>;
+    }): {
+        code: string;
+        subject: string;
+        method: string;
+        action: string;
+        scope: string;
+        description: NonNullable<TName> | null;
+        parentId: IdType | null;
+        name: TName;
+    };
+    /**
+     * A coarse resource node (module or subject) used as a grant target, e.g. `Sale` or `SaleOrder`.
+     * `code` is the bare name (no dotted method); `method` is the {@link RESOURCE_NODE_METHOD} sentinel.
+     * `action` defaults to `manage` (the broadest), though the grant on this node carries its own action.
+     */
+    static resourceNode<TName>(opts: {
+        code: string;
+        subject?: string;
+        scope: string;
+        name: TName;
+        description?: TNullable<TName>;
+        action?: TAuthorizationAction;
+        parentId?: TNullable<IdType>;
+    }): {
+        code: string;
+        subject: string;
+        method: string;
+        action: string;
+        scope: string;
+        description: NonNullable<TName> | null;
+        parentId: IdType | null;
+        name: TName;
+    };
+    /**
+     * The CRUD permission set for a subject. `name` (and optional `description`) are per-method formatters,
+     * so the app supplies its own labels/i18n; the framework only owns the method→action map and code shape.
+     */
+    static crud<TName>(opts: {
+        subject: string;
+        scope: string;
+        name: (ctx: {
+            subject: string;
+            method: string;
+            action: TAuthorizationAction;
+        }) => TName;
+        description?: (ctx: {
+            subject: string;
+            method: string;
+            action: TAuthorizationAction;
+        }) => TNullable<TName>;
+        methods?: ReadonlyArray<string>;
+    }): {
+        code: string;
+        subject: string;
+        method: string;
+        action: string;
+        scope: string;
+        description: NonNullable<TName> | null;
+        parentId: IdType | null;
+        name: TName;
+    }[];
+}
+//# sourceMappingURL=permission-builder.d.ts.map

package/dist/components/auth/authorize/common/permission-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-builder.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/permission-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAwB,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEzE;;;;;;;GAOG;AACH,qBAAa,8BAA8B;IACzC,yFAAyF;IACzF,MAAM,CAAC,QAAQ,CAAC,oBAAoB,OAAO;IAE3C,gHAAgH;IAChH,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC,CAU5E;IAEF,0DAA0D;IAC1D,MAAM,CAAC,QAAQ,CAAC,oBAAoB,EAAE,aAAa,CAAC,MAAM,CAAC,CAUzD;IAEF,kHAAkH;IAClH,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB;IAI5D,iHAAiH;IACjH,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE;QAC5B,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,KAAK,CAAC;QACZ,WAAW,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QAC/B,MAAM,CAAC,EAAE,oBAAoB,CAAC;QAC9B,QAAQ,CAAC,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;KAC9B;;;;;;;;;;IAaD;;;;OAIG;IACH,MAAM,CAAC,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE;QAC/B,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,KAAK,CAAC;QACZ,WAAW,CAAC,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QAC/B,MAAM,CAAC,EAAE,oBAAoB,CAAC;QAC9B,QAAQ,CAAC,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;KAC9B;;;;;;;;;;IAaD;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE;QACvB,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,CAAC,GAAG,EAAE;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,oBAAoB,CAAA;SAAE,KAAK,KAAK,CAAC;QACxF,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE;YAClB,OAAO,EAAE,MAAM,CAAC;YAChB,MAAM,EAAE,MAAM,CAAC;YACf,MAAM,EAAE,oBAAoB,CAAC;SAC9B,KAAK,SAAS,CAAC,KAAK,CAAC,CAAC;QACvB,OAAO,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;KACjC;;;;;;;;;;CAqBF"}