@venizia/ignis 0.0.9-8 → 0.0.9

package/dist/components/auth/authorize/common/permission-builder.js

@@ -0,0 +1,99 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationPermissionBuilder = void 0;
+const constants_1 = require("./constants");
+/**
+ * Builders for `Permission` catalog rows (the `obj` axis the scoped matcher resolves).
+ *
+ * Generic over the name/description type (`TName`) so an app with i18n `name`/`description` columns and
+ * one with plain-text names both fit. Produces the framework-owned columns
+ * (code/subject/method/action/scope/description/parentId); `description` defaults to `null`.
+ * App-specific columns are added by the caller.
+ */
+class AuthorizationPermissionBuilder {
+    /** Sentinel `method` for a coarse resource node (a grant target that is not a route). */
+    static { this.RESOURCE_NODE_METHOD = '*'; }
+    /** Standard repository method → base action. Unlisted methods (custom ops, aggregates) resolve to `execute`. */
+    static { this.METHOD_ACTIONS = {
+        find: constants_1.AuthorizationActions.READ,
+        findById: constants_1.AuthorizationActions.READ,
+        findOne: constants_1.AuthorizationActions.READ,
+        count: constants_1.AuthorizationActions.READ,
+        create: constants_1.AuthorizationActions.CREATE,
+        updateById: constants_1.AuthorizationActions.UPDATE,
+        updateBy: constants_1.AuthorizationActions.UPDATE,
+        deleteById: constants_1.AuthorizationActions.DELETE,
+        deleteBy: constants_1.AuthorizationActions.DELETE,
+    }; }
+    /** The CRUD methods {@link crud} generates by default. */
+    static { this.DEFAULT_CRUD_METHODS = [
+        'find',
+        'findById',
+        'findOne',
+        'count',
+        'create',
+        'updateById',
+        'updateBy',
+        'deleteById',
+        'deleteBy',
+    ]; }
+    /** Base action for a method: a known CRUD method maps to read/create/update/delete; anything else → `execute`. */
+    static actionForMethod(method) {
+        return AuthorizationPermissionBuilder.METHOD_ACTIONS[method] ?? constants_1.AuthorizationActions.EXECUTE;
+    }
+    /** One operation-level permission, `code = <subject>.<method>`. `action` defaults to {@link actionForMethod}. */
+    static operation(opts) {
+        return {
+            code: [opts.subject, opts.method].join('.'),
+            subject: opts.subject,
+            method: opts.method,
+            action: opts.action ?? AuthorizationPermissionBuilder.actionForMethod(opts.method),
+            scope: opts.scope,
+            description: opts.description ?? null,
+            parentId: opts.parentId ?? null,
+            name: opts.name,
+        };
+    }
+    /**
+     * A coarse resource node (module or subject) used as a grant target, e.g. `Sale` or `SaleOrder`.
+     * `code` is the bare name (no dotted method); `method` is the {@link RESOURCE_NODE_METHOD} sentinel.
+     * `action` defaults to `manage` (the broadest), though the grant on this node carries its own action.
+     */
+    static resourceNode(opts) {
+        return {
+            code: opts.code,
+            subject: opts.subject ?? opts.code,
+            method: AuthorizationPermissionBuilder.RESOURCE_NODE_METHOD,
+            action: opts.action ?? constants_1.AuthorizationActions.MANAGE,
+            scope: opts.scope,
+            description: opts.description ?? null,
+            parentId: opts.parentId ?? null,
+            name: opts.name,
+        };
+    }
+    /**
+     * The CRUD permission set for a subject. `name` (and optional `description`) are per-method formatters,
+     * so the app supplies its own labels/i18n; the framework only owns the method→action map and code shape.
+     */
+    static crud(opts) {
+        const methods = opts.methods ?? AuthorizationPermissionBuilder.DEFAULT_CRUD_METHODS;
+        return methods.map(method => {
+            const action = AuthorizationPermissionBuilder.actionForMethod(method);
+            const ctx = {
+                subject: opts.subject,
+                method,
+                action,
+            };
+            return AuthorizationPermissionBuilder.operation({
+                subject: opts.subject,
+                method,
+                scope: opts.scope,
+                action,
+                name: opts.name(ctx),
+                description: opts.description ? opts.description(ctx) : undefined,
+            });
+        });
+    }
+}
+exports.AuthorizationPermissionBuilder = AuthorizationPermissionBuilder;
+//# sourceMappingURL=permission-builder.js.map

package/dist/components/auth/authorize/common/permission-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-builder.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/permission-builder.ts"],"names":[],"mappings":";;;AAEA,2CAAyE;AAEzE;;;;;;;GAOG;AACH,MAAa,8BAA8B;IACzC,yFAAyF;aACzE,yBAAoB,GAAG,GAAG,CAAC;IAE3C,gHAAgH;aAChG,mBAAc,GAAmD;QAC/E,IAAI,EAAE,gCAAoB,CAAC,IAAI;QAC/B,QAAQ,EAAE,gCAAoB,CAAC,IAAI;QACnC,OAAO,EAAE,gCAAoB,CAAC,IAAI;QAClC,KAAK,EAAE,gCAAoB,CAAC,IAAI;QAChC,MAAM,EAAE,gCAAoB,CAAC,MAAM;QACnC,UAAU,EAAE,gCAAoB,CAAC,MAAM;QACvC,QAAQ,EAAE,gCAAoB,CAAC,MAAM;QACrC,UAAU,EAAE,gCAAoB,CAAC,MAAM;QACvC,QAAQ,EAAE,gCAAoB,CAAC,MAAM;KACtC,CAAC;IAEF,0DAA0D;aAC1C,yBAAoB,GAA0B;QAC5D,MAAM;QACN,UAAU;QACV,SAAS;QACT,OAAO;QACP,QAAQ;QACR,YAAY;QACZ,UAAU;QACV,YAAY;QACZ,UAAU;KACX,CAAC;IAEF,kHAAkH;IAClH,MAAM,CAAC,eAAe,CAAC,MAAc;QACnC,OAAO,8BAA8B,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,gCAAoB,CAAC,OAAO,CAAC;IAC/F,CAAC;IAED,iHAAiH;IACjH,MAAM,CAAC,SAAS,CAAQ,IAQvB;QACC,OAAO;YACL,IAAI,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YAC3C,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,8BAA8B,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;YAClF,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI;YACrC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;YAC/B,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,YAAY,CAAQ,IAQ1B;QACC,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI;YAClC,MAAM,EAAE,8BAA8B,CAAC,oBAAoB;YAC3D,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,gCAAoB,CAAC,MAAM;YAClD,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI;YACrC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;YAC/B,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAQ,IAUlB;QACC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,8BAA8B,CAAC,oBAAoB,CAAC;QAEpF,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE;YAC1B,MAAM,MAAM,GAAG,8BAA8B,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;YACtE,MAAM,GAAG,GAAsE;gBAC7E,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM;gBACN,MAAM;aACP,CAAC;YAEF,OAAO,8BAA8B,CAAC,SAAS,CAAQ;gBACrD,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,MAAM;gBACN,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM;gBACN,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;gBACpB,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;aAClE,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;;AArHH,wEAsHC"}

package/dist/components/auth/authorize/common/policy-builder.d.ts

@@ -0,0 +1,183 @@
+import { IdType } from '../../../../base';
+import { TNullable } from '../../../../helpers';
+import { TAuthorizationAction, TAuthorizationDecision } from './constants';
+/** A grant/assignment domain: a scope literal (`SYSTEM_WIDE`/`ANY_MEMBER`) or a typed domain entity. */
+export type TPolicyDomainInput = string | {
+    type: string;
+    id: IdType;
+};
+export declare class AuthorizationPolicyBuilder {
+    static readonly ACTION_PRINCIPAL = "Action";
+    /**
+     * Serialize a domain to the casbin token the matcher compares against {@link resolveRequestDomain}'s
+     * output: a scope literal (`SYSTEM_WIDE`/`ANY_MEMBER`) passes through unchanged; a typed domain becomes
+     * `<type>_<id>` so `g3(r.dom, p.dom)` cascades; null ⇒ null (the adapter then defaults grants to `ANY_MEMBER`).
+     */
+    private static serializeDomain;
+    /**
+     * A grant (casbin `p`): role/user → permission, carrying action + effect + domain.
+     * `domain` null ⇒ `ANY_MEMBER` (adapter default). Pass a scope literal or a typed `{ type, id }` domain.
+     */
+    static grant(opts: {
+        subject: {
+            type: string;
+            id: IdType;
+        };
+        permission: {
+            type: string;
+            id: IdType;
+        };
+        action: string;
+        domain?: TNullable<TPolicyDomainInput>;
+        effect: TAuthorizationDecision;
+    }): {
+        variant: "grant";
+        subjectType: string;
+        subjectId: IdType;
+        targetType: string;
+        targetId: IdType;
+        action: string;
+        effect: string;
+        domain: TNullable<string>;
+    };
+    /** Assign a role to a user (casbin `g`). `domain` null ⇒ `*` (every domain). */
+    static assignRole(opts: {
+        user: {
+            type: string;
+            id: IdType;
+        };
+        role: {
+            type: string;
+            id: IdType;
+        };
+        domain?: TNullable<TPolicyDomainInput>;
+    }): {
+        variant: "assign_role";
+        subjectType: string;
+        subjectId: IdType;
+        targetType: string;
+        targetId: IdType;
+        domain: TNullable<string>;
+    };
+    /** A user joins a domain (casbin `g2`) — backs the `ANY_MEMBER` grant scope. */
+    static joinDomain(opts: {
+        user: {
+            type: string;
+            id: IdType;
+        };
+        domain: {
+            type: string;
+            id: IdType;
+        };
+    }): {
+        variant: "join_domain";
+        subjectType: string;
+        subjectId: IdType;
+        targetType: string;
+        targetId: IdType;
+    };
+    /** A role inherits another role (casbin `g`, shared relation with assign_role). */
+    static roleInherits(opts: {
+        child: {
+            type: string;
+            id: IdType;
+        };
+        parent: {
+            type: string;
+            id: IdType;
+        };
+    }): {
+        variant: "role_inherits";
+        subjectType: string;
+        subjectId: IdType;
+        targetType: string;
+        targetId: IdType;
+    };
+    /**
+     * A resource inherits another (casbin `g4`): a grant on the PARENT covers the CHILD.
+     * e.g. `{ child: SaleOrder, parent: Sale }` — grant on module `Sale` covers subject `SaleOrder`.
+     * Many-to-many: a subject may inherit several module parents (add one edge each).
+     */
+    static resourceInherits(opts: {
+        child: {
+            type: string;
+            id: IdType;
+        };
+        parent: {
+            type: string;
+            id: IdType;
+        };
+    }): {
+        variant: "resource_inherits";
+        subjectType: string;
+        subjectId: IdType;
+        targetType: string;
+        targetId: IdType;
+    };
+    /** An action inherits another (casbin `g5`): the child action is implied by the parent, e.g. read ⊂ manage. */
+    static actionInherits(opts: {
+        child: TAuthorizationAction;
+        parent: TAuthorizationAction;
+    }): {
+        variant: "action_inherits";
+        subjectType: string;
+        subjectId: string;
+        targetType: string;
+        targetId: string;
+    };
+    /** All `action_inherits` rows for the standard {@link AuthorizationActions.LATTICE}. Seed once, idempotently. */
+    static actionLattice(): {
+        variant: "action_inherits";
+        subjectType: string;
+        subjectId: string;
+        targetType: string;
+        targetId: string;
+    }[];
+    /** A domain inherits another (casbin `g3`): a grant in the parent domain cascades to the child. e.g. Merchant ⊂ Organizer. */
+    static domainInherits(opts: {
+        child: {
+            type: string;
+            id: IdType;
+        };
+        parent: {
+            type: string;
+            id: IdType;
+        };
+    }): {
+        variant: "domain_inherits";
+        subjectType: string;
+        subjectId: IdType;
+        targetType: string;
+        targetId: IdType;
+    };
+    /**
+     * Build a role's coarse grant rows from resolved permission ids. The caller resolves each
+     * `resourceCode` (subject/module) to a `Permission` and supplies the lookup; unresolved codes are skipped.
+     */
+    static roleGrants(opts: {
+        role: {
+            type: string;
+            id: IdType;
+        };
+        permission: {
+            type: string;
+            idByCode: ReadonlyMap<string, string>;
+        };
+        grants: ReadonlyArray<{
+            resourceCode: string;
+            action: string;
+            domain?: TNullable<TPolicyDomainInput>;
+            effect: TAuthorizationDecision;
+        }>;
+    }): {
+        variant: "grant";
+        subjectType: string;
+        subjectId: IdType;
+        targetType: string;
+        targetId: IdType;
+        action: string;
+        effect: string;
+        domain: TNullable<string>;
+    }[];
+}
+//# sourceMappingURL=policy-builder.d.ts.map

package/dist/components/auth/authorize/common/policy-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-builder.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/policy-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAGL,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,aAAa,CAAC;AAErB,wGAAwG;AACxG,MAAM,MAAM,kBAAkB,GAAG,MAAM,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvE,qBAAa,0BAA0B;IACrC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,YAAY;IAE5C;;;;OAIG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAY9B;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE;QACjB,OAAO,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QACtC,UAAU,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QACzC,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,SAAS,CAAC,kBAAkB,CAAC,CAAC;QACvC,MAAM,EAAE,sBAAsB,CAAC;KAChC;;;;;;;;;;IAaD,gFAAgF;IAChF,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE;QACtB,IAAI,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QACnC,IAAI,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QACnC,MAAM,CAAC,EAAE,SAAS,CAAC,kBAAkB,CAAC,CAAC;KACxC;;;;;;;;IAWD,gFAAgF;IAChF,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE;QACtB,IAAI,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QACnC,MAAM,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;KACtC;;;;;;;IAUD,mFAAmF;IACnF,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE;QACxB,KAAK,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QACpC,MAAM,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;KACtC;;;;;;;IAUD;;;;OAIG;IACH,MAAM,CAAC,gBAAgB,CAAC,IAAI,EAAE;QAC5B,KAAK,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QACpC,MAAM,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;KACtC;;;;;;;IAUD,+GAA+G;IAC/G,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,oBAAoB,CAAC;QAAC,MAAM,EAAE,oBAAoB,CAAA;KAAE;;;;;;;IAUzF,iHAAiH;IACjH,MAAM,CAAC,aAAa;;;;;;;IAIpB,8HAA8H;IAC9H,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE;QAC1B,KAAK,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QACpC,MAAM,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;KACtC;;;;;;;IAUD;;;OAGG;IACH,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE;QACtB,IAAI,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAA;SAAE,CAAC;QACnC,UAAU,EAAE;YACV,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;SACvC,CAAC;QAEF,MAAM,EAAE,aAAa,CAAC;YACpB,YAAY,EAAE,MAAM,CAAC;YACrB,MAAM,EAAE,MAAM,CAAC;YACf,MAAM,CAAC,EAAE,SAAS,CAAC,kBAAkB,CAAC,CAAC;YACvC,MAAM,EAAE,sBAAsB,CAAC;SAChC,CAAC,CAAC;KACJ;;;;;;;;;;CAsBF"}

package/dist/components/auth/authorize/common/policy-builder.js

@@ -0,0 +1,130 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationPolicyBuilder = void 0;
+const constants_1 = require("./constants");
+class AuthorizationPolicyBuilder {
+    static { this.ACTION_PRINCIPAL = 'Action'; }
+    /**
+     * Serialize a domain to the casbin token the matcher compares against {@link resolveRequestDomain}'s
+     * output: a scope literal (`SYSTEM_WIDE`/`ANY_MEMBER`) passes through unchanged; a typed domain becomes
+     * `<type>_<id>` so `g3(r.dom, p.dom)` cascades; null ⇒ null (the adapter then defaults grants to `ANY_MEMBER`).
+     */
+    static serializeDomain(domain) {
+        if (domain == null) {
+            return null;
+        }
+        if (typeof domain === 'string') {
+            return domain;
+        }
+        return [domain.type, domain.id].join('_');
+    }
+    /**
+     * A grant (casbin `p`): role/user → permission, carrying action + effect + domain.
+     * `domain` null ⇒ `ANY_MEMBER` (adapter default). Pass a scope literal or a typed `{ type, id }` domain.
+     */
+    static grant(opts) {
+        return {
+            variant: constants_1.AuthorizationPolicyVariants.GRANT.action,
+            subjectType: opts.subject.type,
+            subjectId: opts.subject.id,
+            targetType: opts.permission.type,
+            targetId: opts.permission.id,
+            action: opts.action,
+            effect: opts.effect,
+            domain: AuthorizationPolicyBuilder.serializeDomain(opts.domain),
+        };
+    }
+    /** Assign a role to a user (casbin `g`). `domain` null ⇒ `*` (every domain). */
+    static assignRole(opts) {
+        return {
+            variant: constants_1.AuthorizationPolicyVariants.ASSIGN_ROLE.action,
+            subjectType: opts.user.type,
+            subjectId: opts.user.id,
+            targetType: opts.role.type,
+            targetId: opts.role.id,
+            domain: AuthorizationPolicyBuilder.serializeDomain(opts.domain),
+        };
+    }
+    /** A user joins a domain (casbin `g2`) — backs the `ANY_MEMBER` grant scope. */
+    static joinDomain(opts) {
+        return {
+            variant: constants_1.AuthorizationPolicyVariants.JOIN_DOMAIN.action,
+            subjectType: opts.user.type,
+            subjectId: opts.user.id,
+            targetType: opts.domain.type,
+            targetId: opts.domain.id,
+        };
+    }
+    /** A role inherits another role (casbin `g`, shared relation with assign_role). */
+    static roleInherits(opts) {
+        return {
+            variant: constants_1.AuthorizationPolicyVariants.ROLE_INHERITS.action,
+            subjectType: opts.child.type,
+            subjectId: opts.child.id,
+            targetType: opts.parent.type,
+            targetId: opts.parent.id,
+        };
+    }
+    /**
+     * A resource inherits another (casbin `g4`): a grant on the PARENT covers the CHILD.
+     * e.g. `{ child: SaleOrder, parent: Sale }` — grant on module `Sale` covers subject `SaleOrder`.
+     * Many-to-many: a subject may inherit several module parents (add one edge each).
+     */
+    static resourceInherits(opts) {
+        return {
+            variant: constants_1.AuthorizationPolicyVariants.RESOURCE_INHERITS.action,
+            subjectType: opts.child.type,
+            subjectId: opts.child.id,
+            targetType: opts.parent.type,
+            targetId: opts.parent.id,
+        };
+    }
+    /** An action inherits another (casbin `g5`): the child action is implied by the parent, e.g. read ⊂ manage. */
+    static actionInherits(opts) {
+        return {
+            variant: constants_1.AuthorizationPolicyVariants.ACTION_INHERITS.action,
+            subjectType: this.ACTION_PRINCIPAL,
+            subjectId: opts.child,
+            targetType: this.ACTION_PRINCIPAL,
+            targetId: opts.parent,
+        };
+    }
+    /** All `action_inherits` rows for the standard {@link AuthorizationActions.LATTICE}. Seed once, idempotently. */
+    static actionLattice() {
+        return constants_1.AuthorizationActions.LATTICE.map(action => this.actionInherits(action));
+    }
+    /** A domain inherits another (casbin `g3`): a grant in the parent domain cascades to the child. e.g. Merchant ⊂ Organizer. */
+    static domainInherits(opts) {
+        return {
+            variant: constants_1.AuthorizationPolicyVariants.DOMAIN_INHERITS.action,
+            subjectType: opts.child.type,
+            subjectId: opts.child.id,
+            targetType: opts.parent.type,
+            targetId: opts.parent.id,
+        };
+    }
+    /**
+     * Build a role's coarse grant rows from resolved permission ids. The caller resolves each
+     * `resourceCode` (subject/module) to a `Permission` and supplies the lookup; unresolved codes are skipped.
+     */
+    static roleGrants(opts) {
+        const rows = [];
+        for (const grant of opts.grants) {
+            const permissionId = opts.permission.idByCode.get(grant.resourceCode);
+            if (!permissionId) {
+                continue;
+            }
+            const policy = AuthorizationPolicyBuilder.grant({
+                subject: { type: opts.role.type, id: opts.role.id },
+                permission: { type: opts.permission.type, id: permissionId },
+                action: grant.action,
+                domain: grant.domain,
+                effect: grant.effect,
+            });
+            rows.push(policy);
+        }
+        return rows;
+    }
+}
+exports.AuthorizationPolicyBuilder = AuthorizationPolicyBuilder;
+//# sourceMappingURL=policy-builder.js.map

package/dist/components/auth/authorize/common/policy-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-builder.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/policy-builder.ts"],"names":[],"mappings":";;;AAEA,2CAKqB;AAKrB,MAAa,0BAA0B;aACrB,qBAAgB,GAAG,QAAQ,CAAC;IAE5C;;;;OAIG;IACK,MAAM,CAAC,eAAe,CAAC,MAAsC;QACnE,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,IAMZ;QACC,OAAO;YACL,OAAO,EAAE,uCAA2B,CAAC,KAAK,CAAC,MAAM;YACjD,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI;YAC9B,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE;YAC1B,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;YAChC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,EAAE;YAC5B,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,0BAA0B,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;SAChE,CAAC;IACJ,CAAC;IAED,gFAAgF;IAChF,MAAM,CAAC,UAAU,CAAC,IAIjB;QACC,OAAO;YACL,OAAO,EAAE,uCAA2B,CAAC,WAAW,CAAC,MAAM;YACvD,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;YAC3B,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;YACvB,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;YAC1B,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;YACtB,MAAM,EAAE,0BAA0B,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC;SAChE,CAAC;IACJ,CAAC;IAED,gFAAgF;IAChF,MAAM,CAAC,UAAU,CAAC,IAGjB;QACC,OAAO;YACL,OAAO,EAAE,uCAA2B,CAAC,WAAW,CAAC,MAAM;YACvD,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;YAC3B,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;YACvB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC5B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;SACzB,CAAC;IACJ,CAAC;IAED,mFAAmF;IACnF,MAAM,CAAC,YAAY,CAAC,IAGnB;QACC,OAAO;YACL,OAAO,EAAE,uCAA2B,CAAC,aAAa,CAAC,MAAM;YACzD,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI;YAC5B,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE;YACxB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC5B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;SACzB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,gBAAgB,CAAC,IAGvB;QACC,OAAO;YACL,OAAO,EAAE,uCAA2B,CAAC,iBAAiB,CAAC,MAAM;YAC7D,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI;YAC5B,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE;YACxB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC5B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;SACzB,CAAC;IACJ,CAAC;IAED,+GAA+G;IAC/G,MAAM,CAAC,cAAc,CAAC,IAAmE;QACvF,OAAO;YACL,OAAO,EAAE,uCAA2B,CAAC,eAAe,CAAC,MAAM;YAC3D,WAAW,EAAE,IAAI,CAAC,gBAAgB;YAClC,SAAS,EAAE,IAAI,CAAC,KAAK;YACrB,UAAU,EAAE,IAAI,CAAC,gBAAgB;YACjC,QAAQ,EAAE,IAAI,CAAC,MAAM;SACtB,CAAC;IACJ,CAAC;IAED,iHAAiH;IACjH,MAAM,CAAC,aAAa;QAClB,OAAO,gCAAoB,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC;IACjF,CAAC;IAED,8HAA8H;IAC9H,MAAM,CAAC,cAAc,CAAC,IAGrB;QACC,OAAO;YACL,OAAO,EAAE,uCAA2B,CAAC,eAAe,CAAC,MAAM;YAC3D,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI;YAC5B,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE;YACxB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YAC5B,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE;SACzB,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,UAAU,CAAC,IAajB;QACC,MAAM,IAAI,GAA+D,EAAE,CAAC;QAE5E,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChC,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YACtE,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,0BAA0B,CAAC,KAAK,CAAC;gBAC9C,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE;gBACnD,UAAU,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,EAAE,YAAY,EAAE;gBAC5D,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,MAAM,EAAE,KAAK,CAAC,MAAM;aACrB,CAAC,CAAC;YAEH,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACpB,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;;AA7KH,gEA8KC"}

package/dist/components/auth/authorize/common/resolve-request-domain.d.ts

@@ -0,0 +1,20 @@
+import { TContext } from '../../../../base/controllers/common/types';
+import { TNullable } from '@venizia/ignis-helpers';
+import { Env } from 'hono';
+import { IAuthorizationDomainSource, IAuthorizationSpec, IAuthorizeOptions } from './types';
+/** Read a domain value from a declarative source on the Hono context. */
+export declare const readDeclarative: (opts: {
+    source: IAuthorizationDomainSource;
+    context: TContext<Env, string>;
+}) => TNullable<string>;
+/**
+ * Resolve the request domain scope with precedence:
+ *   spec.domain (method | declarative) → options.domainResolver → SYSTEM_WIDE.
+ * Returns a casbin domain string ("<type>_<id>") or the SYSTEM_WIDE sentinel.
+ */
+export declare const resolveRequestDomain: (opts: {
+    spec: IAuthorizationSpec;
+    context: TContext<Env, string>;
+    options: TNullable<IAuthorizeOptions>;
+}) => Promise<string>;
+//# sourceMappingURL=resolve-request-domain.d.ts.map

package/dist/components/auth/authorize/common/resolve-request-domain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-request-domain.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/resolve-request-domain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,iCAAiC,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACnD,OAAO,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAE3B,OAAO,EAAE,0BAA0B,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAE5F,yEAAyE;AACzE,eAAO,MAAM,eAAe,GAAI,MAAM;IACpC,MAAM,EAAE,0BAA0B,CAAC;IACnC,OAAO,EAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;CAChC,KAAG,SAAS,CAAC,MAAM,CAoBnB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAAU,MAAM;IAC/C,IAAI,EAAE,kBAAkB,CAAC;IACzB,OAAO,EAAE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC/B,OAAO,EAAE,SAAS,CAAC,iBAAiB,CAAC,CAAC;CACvC,KAAG,OAAO,CAAC,MAAM,CA4BjB,CAAC"}

package/dist/components/auth/authorize/common/resolve-request-domain.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveRequestDomain = exports.readDeclarative = void 0;
+const constants_1 = require("./constants");
+/** Read a domain value from a declarative source on the Hono context. */
+const readDeclarative = (opts) => {
+    const { source, context } = opts;
+    switch (source.from) {
+        case 'param': {
+            return context.req.param(source.key) ?? null;
+        }
+        case 'header': {
+            return context.req.header(source.key) ?? null;
+        }
+        case 'query': {
+            return context.req.query(source.key) ?? null;
+        }
+        case 'context': {
+            const value = context.get(source.key);
+            return value == null ? null : String(value);
+        }
+        default: {
+            return null;
+        }
+    }
+};
+exports.readDeclarative = readDeclarative;
+/**
+ * Resolve the request domain scope with precedence:
+ *   spec.domain (method | declarative) → options.domainResolver → SYSTEM_WIDE.
+ * Returns a casbin domain string ("<type>_<id>") or the SYSTEM_WIDE sentinel.
+ */
+const resolveRequestDomain = async (opts) => {
+    const { spec, context, options } = opts;
+    // (1) spec.domain as a method
+    if (typeof spec.domain === 'function') {
+        const resolved = await spec.domain({ context });
+        return resolved
+            ? [resolved.type, resolved.id].join('_')
+            : constants_1.AuthorizationDomainScopes.SYSTEM_WIDE;
+    }
+    // (2) spec.domain as declarative
+    if (spec.domain) {
+        const id = (0, exports.readDeclarative)({ source: spec.domain, context });
+        return id ? [spec.domain.type, id].join('_') : constants_1.AuthorizationDomainScopes.SYSTEM_WIDE;
+    }
+    // (3) global resolver
+    const globalResolver = options?.domainResolver ?? null;
+    if (globalResolver) {
+        const resolved = await globalResolver({ context });
+        return resolved
+            ? [resolved.type, resolved.id].join('_')
+            : constants_1.AuthorizationDomainScopes.SYSTEM_WIDE;
+    }
+    // (4) nothing → SYSTEM_WIDE
+    return constants_1.AuthorizationDomainScopes.SYSTEM_WIDE;
+};
+exports.resolveRequestDomain = resolveRequestDomain;
+//# sourceMappingURL=resolve-request-domain.js.map

package/dist/components/auth/authorize/common/resolve-request-domain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-request-domain.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/resolve-request-domain.ts"],"names":[],"mappings":";;;AAGA,2CAAwD;AAGxD,yEAAyE;AAClE,MAAM,eAAe,GAAG,CAAC,IAG/B,EAAqB,EAAE;IACtB,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACjC,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,OAAO,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;QAC/C,CAAC;QACD,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;QAChD,CAAC;QACD,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,OAAO,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;QAC/C,CAAC;QACD,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAY,CAAC,CAAC;YAC/C,OAAO,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,CAAC,CAAC,CAAC;YACR,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;AACH,CAAC,CAAC;AAvBW,QAAA,eAAe,mBAuB1B;AAEF;;;;GAIG;AACI,MAAM,oBAAoB,GAAG,KAAK,EAAE,IAI1C,EAAmB,EAAE;IACpB,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAExC,8BAA8B;IAC9B,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,QAAQ;YACb,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,qCAAyB,CAAC,WAAW,CAAC;IAC5C,CAAC;IAED,iCAAiC;IACjC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,EAAE,GAAG,IAAA,uBAAe,EAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7D,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,qCAAyB,CAAC,WAAW,CAAC;IACvF,CAAC;IAED,sBAAsB;IACtB,MAAM,cAAc,GAAG,OAAO,EAAE,cAAc,IAAI,IAAI,CAAC;IACvD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;QACnD,OAAO,QAAQ;YACb,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,qCAAyB,CAAC,WAAW,CAAC;IAC5C,CAAC;IAED,4BAA4B;IAC5B,OAAO,qCAAyB,CAAC,WAAW,CAAC;AAC/C,CAAC,CAAC;AAhCW,QAAA,oBAAoB,wBAgC/B"}