@venizia/ignis 0.0.9-9 → 0.0.9

package/dist/components/auth/authorize/adapters/scoped-casbin.adapter.js

@@ -0,0 +1,300 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScopedCasbinAdapter = void 0;
+const drizzle_orm_1 = require("drizzle-orm");
+const common_1 = require("../common");
+const base_filtered_1 = require("./base-filtered");
+const DEFAULT_SCHEMA = 'public';
+/**
+ * Filtered casbin adapter for the scoped RBAC model: loads ONE principal's edges (role assignments,
+ * memberships, grants) plus the shared structural hierarchy trees as casbin lines. Read-only.
+ */
+class ScopedCasbinAdapter extends base_filtered_1.BaseFilteredAdapter {
+    constructor(opts) {
+        super({ scope: ScopedCasbinAdapter.name, dataSource: opts.dataSource });
+        this.entities = opts.entities;
+    }
+    /**
+     * Casbin's filtered-load entry point: build the full line set for ONE principal and load it into
+     * the model. Runs in two waves —
+     *   Wave 1 (parallel): the principal's own edges (role assignments → g, memberships → g2, direct
+     *     grants → p) plus the shared structural trees (role/resource/action/domain inherits).
+     *   Wave 2: expand the assigned roles to their transitive parents (role closure over role_inherits),
+     *     then fetch the grants those roles carry — so a user inherits permissions from parent roles.
+     * The concatenated lines are handed to {@link loadLines}; the enforcer caches the result per user
+     * in Redis, so this only runs on a cache MISS.
+     */
+    async loadFilteredPolicy(model, filter) {
+        const { principal } = filter;
+        // Wave 1 — independent per-user queries + structural trees, in parallel.
+        const [assignments, memberships, userGrants, structural] = await Promise.all([
+            this.queryRoleAssignments({ principal }),
+            this.queryMemberships({ principal }),
+            this.queryGrants({ subject: { type: principal.type, ids: [principal.id] } }),
+            this.loadStructuralTrees(),
+        ]);
+        // Wave 2 — role grants need the role closure (built from the role_inherits edges loaded above).
+        const roleClosure = this.expandRoleClosure({
+            role: {
+                ids: assignments.roleIds,
+                edges: structural.filter(line => {
+                    return line.startsWith(`${common_1.AuthorizationPolicyVariants.ROLE_INHERITS.rule}, `);
+                }),
+            },
+        });
+        const roleGrants = await this.queryGrants({
+            subject: { type: this.entities.principals.role, ids: roleClosure },
+        });
+        const lines = [
+            ...assignments.lines,
+            ...memberships,
+            ...userGrants,
+            ...roleGrants,
+            ...structural,
+        ];
+        await this.loadLines({ model, lines });
+    }
+    /** Schema for a table, defaulting to `public`. */
+    schemaOf(table) {
+        return table.schemaName ?? DEFAULT_SCHEMA;
+    }
+    /** Schema-qualified table reference (`"<schema>"."<table>"`) for use after FROM/JOIN with an alias. */
+    qualifiedTable(opts) {
+        const { table } = opts;
+        return (0, drizzle_orm_1.sql) `${drizzle_orm_1.sql.identifier(this.schemaOf(table))}.${drizzle_orm_1.sql.identifier(table.tableName)}`;
+    }
+    /**
+     * `AND <alias>.<col> IS NULL` when soft-delete on; empty otherwise. The alias is emitted RAW (not
+     * quoted) so it matches the unquoted alias declared in the FROM clause (`FROM ... policyDefinition`):
+     * Postgres folds unquoted identifiers to lower-case, so a quoted `"policyDefinition"` would resolve
+     * to a DIFFERENT relation than the unquoted FROM alias → 42P01 "missing FROM-clause entry". The alias
+     * is always a hard-coded literal supplied by this adapter, never user input, so emitting it raw is
+     * safe; the (config-supplied) column name stays quoted via `sql.identifier`.
+     */
+    softDeleteClause(opts) {
+        const sd = this.entities.softDelete;
+        if (!sd?.use) {
+            return drizzle_orm_1.sql.empty();
+        }
+        return (0, drizzle_orm_1.sql) ` AND ${drizzle_orm_1.sql.raw(opts.alias)}.${drizzle_orm_1.sql.identifier(sd.columnName)} IS NULL`;
+    }
+    /**
+     * Fetch the principal's `assign_role` edges and emit them as casbin `g` lines (role membership).
+     * Returns both the lines AND the raw `roleIds`, which Wave 2 feeds into {@link expandRoleClosure}.
+     * A null domain widens the assignment to every domain (`*`).
+     * e.g. `g, User_u1, Role_r1, *` — "u1 holds Role r1 in any domain".
+     */
+    async queryRoleAssignments(opts) {
+        const { policyDefinition, principals } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const { principal } = opts;
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT 
+        policyDefinition.target_id AS "roleId", 
+        policyDefinition.domain
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.ASSIGN_ROLE.action}
+        AND policyDefinition.subject_type = ${principal.type}
+        AND policyDefinition.subject_id = ${principal.id}
+        AND policyDefinition.target_type = ${principals.role}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        const lines = [];
+        const roleIds = [];
+        for (const row of result.rows) {
+            roleIds.push(row.roleId);
+            const domain = row.domain ?? '*';
+            lines.push(`${common_1.AuthorizationPolicyVariants.ASSIGN_ROLE.rule}, ${principal.type}_${principal.id}, ${principals.role}_${row.roleId}, ${domain}`);
+        }
+        return { lines, roleIds };
+    }
+    /**
+     * Fetch the principal's `join_domain` edges (restricted to the configured `domainTypes`) and emit
+     * them as casbin `g2` lines — the membership relation the matcher uses to scope `ANY_MEMBER` grants.
+     * e.g. `g2, User_u1, Merchant_7` — "u1 is a member of Merchant 7".
+     */
+    async queryMemberships(opts) {
+        const { policyDefinition, domainTypes } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const { principal } = opts;
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT 
+        policyDefinition.target_type AS "domainType", 
+        policyDefinition.target_id AS "domainId"
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.JOIN_DOMAIN.action}
+        AND policyDefinition.subject_type = ${principal.type}
+        AND policyDefinition.subject_id = ${principal.id}
+        AND policyDefinition.target_type IN (${drizzle_orm_1.sql.join(domainTypes.map(t => (0, drizzle_orm_1.sql) `${t}`), (0, drizzle_orm_1.sql) `, `)})${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(row => `${common_1.AuthorizationPolicyVariants.JOIN_DOMAIN.rule}, ${principal.type}_${principal.id}, ${row.domainType}_${row.domainId}`);
+    }
+    /**
+     * Fetch `grant` edges for the given subjects (a User or a set of Roles) joined to `Permission` for
+     * the object code, and emit them as casbin `p` policy lines. Used twice per load: once for the
+     * user's direct grants, once for the grants of every role in the closure. Rows with no `action` are
+     * skipped; a null effect defaults to allow, a null domain to `ANY_MEMBER`. Empty `ids` short-circuits
+     * without touching the DB.
+     * e.g. `p, Role_5, ANY_MEMBER, Order, read, allow` — "Role 5 may read Order in any joined domain".
+     */
+    async queryGrants(opts) {
+        if (!opts.subject.ids.length) {
+            return [];
+        }
+        const { policyDefinition, permission } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const permissionTable = this.qualifiedTable({ table: permission });
+        const { subject } = opts;
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        policyDefinition.subject_id AS "subjectId",
+        permission.code AS "objectCode",
+        policyDefinition.action,
+        policyDefinition.effect,
+        policyDefinition.domain
+      FROM ${policyDefinitionTable} policyDefinition
+        INNER JOIN ${permissionTable} permission
+          ON policyDefinition.target_id = permission.id${this.softDeleteClause({ alias: 'permission' })}
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.GRANT.action}
+        AND policyDefinition.subject_type = ${subject.type}
+        AND policyDefinition.subject_id IN (${drizzle_orm_1.sql.join(subject.ids.map(id => (0, drizzle_orm_1.sql) `${id}`), (0, drizzle_orm_1.sql) `, `)})${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        const lines = [];
+        for (const row of result.rows) {
+            if (!row.action) {
+                continue;
+            }
+            const domain = row.domain ?? common_1.AuthorizationDomainScopes.ANY_MEMBER;
+            const effect = row.effect ?? common_1.AuthorizationDecisions.ALLOW;
+            lines.push(`${common_1.AuthorizationPolicyVariants.GRANT.rule}, ${subject.type}_${row.subjectId}, ${domain}, ${row.objectCode}, ${row.action}, ${effect}`);
+        }
+        return lines;
+    }
+    /**
+     * Load the system-wide hierarchy edges (role/resource/action/domain inherits) — read fresh on each
+     * call. These are the same for every user, but at this scale the four queries are cheap and run in
+     * the same parallel wave as the per-user queries; the per-user `lines` are themselves cached in Redis
+     * by the enforcer, so this only runs on a cache MISS. (No in-process cache → never goes stale.)
+     */
+    async loadStructuralTrees() {
+        const [roleEdges, resourceEdges, actionEdges, domainEdges] = await Promise.all([
+            this.queryRoleInherits(),
+            this.queryResourceInherits(),
+            this.queryActionInherits(),
+            this.queryDomainInherits(),
+        ]);
+        return [...roleEdges, ...resourceEdges, ...actionEdges, ...domainEdges];
+    }
+    /**
+     * Shared role hierarchy: every `role_inherits` edge as a casbin `g` line with a wildcard domain.
+     * These are the SAME for all users (org structure, not a user) and also seed {@link expandRoleClosure}.
+     * e.g. `g, Role_r2, Role_r1, *` — "Role r2 inherits Role r1 in any domain".
+     */
+    async queryRoleInherits() {
+        const { policyDefinition, principals } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        policyDefinition.subject_id AS "childId",
+        policyDefinition.target_id AS "parentId"
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.ROLE_INHERITS.action}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(r => {
+            return `${common_1.AuthorizationPolicyVariants.ROLE_INHERITS.rule}, ${principals.role}_${r.childId}, ${principals.role}_${r.parentId}, *`;
+        });
+    }
+    /**
+     * Shared resource hierarchy: every `resource_inherits` edge as a casbin `g4` line, joining
+     * `Permission` twice (child + parent) to emit the resource CODES the `objectMatch` g4-func traverses.
+     * The `obj` axis — a permission on a parent resource also covers its children.
+     * e.g. `g4, OrderItem, Order` — "OrderItem is a child resource of Order".
+     */
+    async queryResourceInherits() {
+        const { policyDefinition, permission } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const permissionTable = this.qualifiedTable({ table: permission });
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        child_permission.code AS "childCode",
+        parent_permission.code AS "parentCode"
+      FROM ${policyDefinitionTable} policyDefinition
+        INNER JOIN ${permissionTable} child_permission ON policyDefinition.subject_id = child_permission.id
+        INNER JOIN ${permissionTable} parent_permission ON policyDefinition.target_id = parent_permission.id
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.RESOURCE_INHERITS.action}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(r => `${common_1.AuthorizationPolicyVariants.RESOURCE_INHERITS.rule}, ${r.childCode}, ${r.parentCode}`);
+    }
+    /**
+     * Shared action hierarchy: every `action_inherits` edge as a casbin `g5` line. Same shape as
+     * resource_inherits but a DIFFERENT axis — the `act` axis (e.g. `manage` covers `read`/`update`).
+     * Kept separate so resource × action stays factored instead of exploding to R×A combined edges.
+     * e.g. `g5, read, manage` — "the read action is implied by manage".
+     */
+    async queryActionInherits() {
+        const { policyDefinition } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        policyDefinition.subject_id AS "childCode",
+        policyDefinition.target_id AS "parentCode"
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.ACTION_INHERITS.action}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(r => `${common_1.AuthorizationPolicyVariants.ACTION_INHERITS.rule}, ${r.childCode}, ${r.parentCode}`);
+    }
+    /**
+     * Shared domain hierarchy: every `domain_inherits` edge as a casbin `g3` line, with typed
+     * `<type>_<id>` endpoints — lets a grant in a parent domain cascade to child domains.
+     * e.g. `g3, Branch_1, Company_2` — "Branch 1 sits under Company 2".
+     */
+    async queryDomainInherits() {
+        const { policyDefinition } = this.entities;
+        const policyDefinitionTable = this.qualifiedTable({ table: policyDefinition });
+        const result = await this.connector.execute((0, drizzle_orm_1.sql) `
+      SELECT
+        policyDefinition.subject_type AS "childType",
+        policyDefinition.subject_id AS "childId",
+        policyDefinition.target_type AS "parentType",
+        policyDefinition.target_id AS "parentId"
+      FROM ${policyDefinitionTable} policyDefinition
+      WHERE policyDefinition.variant = ${common_1.AuthorizationPolicyVariants.DOMAIN_INHERITS.action}${this.softDeleteClause({ alias: 'policyDefinition' })}
+    `);
+        return result.rows.map(r => `${common_1.AuthorizationPolicyVariants.DOMAIN_INHERITS.rule}, ${r.childType}_${r.childId}, ${r.parentType}_${r.parentId}`);
+    }
+    /** BFS over role_inherits edges to collect a role set + all transitive parents. Cycle-safe. */
+    expandRoleClosure(opts) {
+        const { role } = this.entities.principals;
+        const prefix = `${role}_`;
+        // Build child → parents map from "g, Role_<child>, Role_<parent>, *" lines.
+        const parentsOf = new Map();
+        for (const line of opts.role.edges) {
+            const parts = line.split(',').map(s => s.trim()); // ['g','Role_child','Role_parent','*']
+            if (parts[0] !== common_1.AuthorizationPolicyVariants.ROLE_INHERITS.rule || parts.length < 3) {
+                continue;
+            }
+            const child = parts[1].startsWith(prefix) ? parts[1].slice(prefix.length) : parts[1];
+            const parent = parts[2].startsWith(prefix) ? parts[2].slice(prefix.length) : parts[2];
+            const list = parentsOf.get(child) ?? [];
+            list.push(parent);
+            parentsOf.set(child, list);
+        }
+        const rs = new Set();
+        const queue = opts.role.ids.map(String);
+        while (queue.length) {
+            const current = queue.shift();
+            if (rs.has(current)) {
+                continue;
+            }
+            rs.add(current);
+            const parents = parentsOf.get(current) ?? [];
+            for (const parent of parents) {
+                if (!rs.has(parent)) {
+                    queue.push(parent);
+                }
+            }
+        }
+        return [...rs];
+    }
+}
+exports.ScopedCasbinAdapter = ScopedCasbinAdapter;
+//# sourceMappingURL=scoped-casbin.adapter.js.map

package/dist/components/auth/authorize/adapters/scoped-casbin.adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoped-casbin.adapter.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/scoped-casbin.adapter.ts"],"names":[],"mappings":";;;AAGA,6CAA4C;AAC5C,sCAImB;AACnB,mDAAsD;AAUtD,MAAM,cAAc,GAAG,QAAQ,CAAC;AAEhC;;;GAGG;AACH,MAAa,mBAAoB,SAAQ,mCAA8C;IAGrF,YAAY,IAAkE;QAC5E,KAAK,CAAC,EAAE,KAAK,EAAE,mBAAmB,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QACxE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,kBAAkB,CAAC,KAAY,EAAE,MAAiC;QACtE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;QAE7B,yEAAyE;QACzE,MAAM,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC3E,IAAI,CAAC,oBAAoB,CAAC,EAAE,SAAS,EAAE,CAAC;YACxC,IAAI,CAAC,gBAAgB,CAAC,EAAE,SAAS,EAAE,CAAC;YACpC,IAAI,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC5E,IAAI,CAAC,mBAAmB,EAAE;SAC3B,CAAC,CAAC;QAEH,gGAAgG;QAChG,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,CAAC;YACzC,IAAI,EAAE;gBACJ,GAAG,EAAE,WAAW,CAAC,OAAO;gBACxB,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE;oBAC9B,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,oCAA2B,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,CAAC;gBAChF,CAAC,CAAC;aACH;SACF,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC;YACxC,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,EAAE,WAAW,EAAE;SACnE,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG;YACZ,GAAG,WAAW,CAAC,KAAK;YACpB,GAAG,WAAW;YACd,GAAG,UAAU;YACb,GAAG,UAAU;YACb,GAAG,UAAU;SACd,CAAC;QAEF,MAAM,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,kDAAkD;IACxC,QAAQ,CAAC,KAA8B;QAC/C,OAAO,KAAK,CAAC,UAAU,IAAI,cAAc,CAAC;IAC5C,CAAC;IAED,uGAAuG;IAC7F,cAAc,CAAC,IAA2D;QAClF,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;QACvB,OAAO,IAAA,iBAAG,EAAA,GAAG,iBAAG,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,IAAI,iBAAG,CAAC,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;IACzF,CAAC;IAED;;;;;;;OAOG;IACO,gBAAgB,CAAC,IAAuB;QAChD,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACpC,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC;YACb,OAAO,iBAAG,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;QAED,OAAO,IAAA,iBAAG,EAAA,QAAQ,iBAAG,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,iBAAG,CAAC,UAAU,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC;IACnF,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,oBAAoB,CAAC,IAEpC;QACC,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC/E,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;QAE3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAGxC,IAAA,iBAAG,EAAA;;;;aAIG,qBAAqB;yCACO,oCAA2B,CAAC,WAAW,CAAC,MAAM;8CACzC,SAAS,CAAC,IAAI;4CAChB,SAAS,CAAC,EAAE;6CACX,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC9G,CAAC,CAAC;QAEH,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC;YAEjC,KAAK,CAAC,IAAI,CACR,GAAG,oCAA2B,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,EAAE,KAAK,UAAU,CAAC,IAAI,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CAClI,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC5B,CAAC;IAED;;;;OAIG;IACO,KAAK,CAAC,gBAAgB,CAAC,IAEhC;QACC,MAAM,EAAE,gBAAgB,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACxD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC/E,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;QAE3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAGxC,IAAA,iBAAG,EAAA;;;;aAIG,qBAAqB;yCACO,oCAA2B,CAAC,WAAW,CAAC,MAAM;8CACzC,SAAS,CAAC,IAAI;4CAChB,SAAS,CAAC,EAAE;+CACT,iBAAG,CAAC,IAAI,CAC7C,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAA,iBAAG,EAAA,GAAG,CAAC,EAAE,CAAC,EAC/B,IAAA,iBAAG,EAAA,IAAI,CACR,IAAI,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC5D,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CACpB,GAAG,CAAC,EAAE,CACJ,GAAG,oCAA2B,CAAC,WAAW,CAAC,IAAI,KAAK,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,EAAE,KAAK,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,QAAQ,EAAE,CAC1H,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACO,KAAK,CAAC,WAAW,CAAC,IAE3B;QACC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;YAC7B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC/E,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;QACnE,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;QAEzB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAMxC,IAAA,iBAAG,EAAA;;;;;;;aAOG,qBAAqB;qBACb,eAAe;yDACqB,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;yCAC9D,oCAA2B,CAAC,KAAK,CAAC,MAAM;8CACnC,OAAO,CAAC,IAAI;8CACZ,iBAAG,CAAC,IAAI,CAC5C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,IAAA,iBAAG,EAAA,GAAG,EAAE,EAAE,CAAC,EACjC,IAAA,iBAAG,EAAA,IAAI,CACR,IAAI,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC5D,CAAC,CAAC;QAEH,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAC9B,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,kCAAyB,CAAC,UAAU,CAAC;YAClE,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,+BAAsB,CAAC,KAAK,CAAC;YAE1D,KAAK,CAAC,IAAI,CACR,GAAG,oCAA2B,CAAC,KAAK,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,IAAI,GAAG,CAAC,SAAS,KAAK,MAAM,KAAK,GAAG,CAAC,UAAU,KAAK,GAAG,CAAC,MAAM,KAAK,MAAM,EAAE,CACtI,CAAC;QACJ,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,mBAAmB;QACjC,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC7E,IAAI,CAAC,iBAAiB,EAAE;YACxB,IAAI,CAAC,qBAAqB,EAAE;YAC5B,IAAI,CAAC,mBAAmB,EAAE;YAC1B,IAAI,CAAC,mBAAmB,EAAE;SAC3B,CAAC,CAAC;QAEH,OAAO,CAAC,GAAG,SAAS,EAAE,GAAG,aAAa,EAAE,GAAG,WAAW,EAAE,GAAG,WAAW,CAAC,CAAC;IAC1E,CAAC;IAED;;;;OAIG;IACO,KAAK,CAAC,iBAAiB;QAC/B,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAE/E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAGxC,IAAA,iBAAG,EAAA;;;;aAIG,qBAAqB;yCACO,oCAA2B,CAAC,aAAa,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC3I,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YACzB,OAAO,GAAG,oCAA2B,CAAC,aAAa,CAAC,IAAI,KAAK,UAAU,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,UAAU,CAAC,IAAI,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC;QACnI,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,qBAAqB;QACnC,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACvD,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC/E,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;QAEnE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAA4C,IAAA,iBAAG,EAAA;;;;aAIjF,qBAAqB;qBACb,eAAe;qBACf,eAAe;yCACK,oCAA2B,CAAC,iBAAiB,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC/I,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CACpB,CAAC,CAAC,EAAE,CAAC,GAAG,oCAA2B,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,UAAU,EAAE,CAC9F,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,mBAAmB;QACjC,MAAM,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC3C,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAE/E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAA4C,IAAA,iBAAG,EAAA;;;;aAIjF,qBAAqB;yCACO,oCAA2B,CAAC,eAAe,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC7I,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CACpB,CAAC,CAAC,EAAE,CAAC,GAAG,oCAA2B,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,UAAU,EAAE,CAC5F,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACO,KAAK,CAAC,mBAAmB;QACjC,MAAM,EAAE,gBAAgB,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC3C,MAAM,qBAAqB,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAE/E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAKxC,IAAA,iBAAG,EAAA;;;;;;aAMG,qBAAqB;yCACO,oCAA2B,CAAC,eAAe,CAAC,MAAM,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;KAC7I,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CACpB,CAAC,CAAC,EAAE,CACF,GAAG,oCAA2B,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,EAAE,CACpH,CAAC;IACJ,CAAC;IAED,+FAA+F;IACrF,iBAAiB,CAAC,IAAkD;QAC5E,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC1C,MAAM,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC;QAE1B,4EAA4E;QAC5E,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAC;QAE9C,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,uCAAuC;YACzF,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,oCAA2B,CAAC,aAAa,CAAC,IAAI,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpF,SAAS;YACX,CAAC;YAED,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACrF,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACtF,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAExC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAClB,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC7B,CAAC;QAED,MAAM,EAAE,GAAG,IAAI,GAAG,EAAU,CAAC;QAE7B,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACxC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;YAE/B,IAAI,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACpB,SAAS;YACX,CAAC;YAED,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAEhB,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAC7C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBACpB,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACrB,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACjB,CAAC;CACF;AAhYD,kDAgYC"}

package/dist/components/auth/authorize/adapters/types.d.ts

@@ -0,0 +1,31 @@
+/** Maps a logical table onto its physical name + schema. */
+export interface IScopedCasbinTable {
+    tableName: string;
+    schemaName?: string;
+}
+/** All physical mapping the ScopedCasbinAdapter needs. App provides this; framework stays decoupled. */
+export interface IScopedCasbinEntities {
+    /**
+     * The single edge table: each row links a subject (type+id) to a target (type+id), with a `variant`
+     * column saying what kind of edge it is (grant / assign_role / *_inherits …) plus optional
+     * action / effect / domain.
+     */
+    policyDefinition: IScopedCasbinTable;
+    /** Permission catalog (id, code, ...). */
+    permission: IScopedCasbinTable;
+    /** Principal type labels used as casbin name prefixes. */
+    principals: {
+        user: string;
+        role: string;
+    };
+    /** Domain type labels (e.g. ['Merchant', 'Organizer']). */
+    domainTypes: string[];
+    /** Soft-delete handling for both tables. */
+    softDelete?: {
+        use: false;
+    } | {
+        use: true;
+        columnName: string;
+    };
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/components/auth/authorize/adapters/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/types.ts"],"names":[],"mappings":"AAAA,4DAA4D;AAC5D,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wGAAwG;AACxG,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,gBAAgB,EAAE,kBAAkB,CAAC;IAErC,0CAA0C;IAC1C,UAAU,EAAE,kBAAkB,CAAC;IAE/B,0DAA0D;IAC1D,UAAU,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAE3C,2DAA2D;IAC3D,WAAW,EAAE,MAAM,EAAE,CAAC;IAEtB,4CAA4C;IAC5C,UAAU,CAAC,EAAE;QAAE,GAAG,EAAE,KAAK,CAAA;KAAE,GAAG;QAAE,GAAG,EAAE,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;CACjE"}

package/dist/components/auth/authorize/adapters/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/components/auth/authorize/adapters/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/adapters/types.ts"],"names":[],"mappings":""}

package/dist/components/auth/authorize/common/constants.d.ts

@@ -4,14 +4,21 @@ export declare class Authorization {
     static readonly RULES = "authorization.rules";
     static readonly SKIP_AUTHORIZATION = "authorization.skip";
     static readonly ENFORCER = "authorization.enforcer";
+    static readonly DOMAIN = "authorization.domain";
 }
 export declare class AuthorizationActions {
     static readonly CREATE = "create";
-    static readonly READ = "read";
     static readonly UPDATE = "update";
     static readonly DELETE = "delete";
     static readonly EXECUTE = "execute";
+    static readonly READ = "read";
+    static readonly WRITE = "write";
+    static readonly MANAGE = "manage";
     static readonly SCHEME_SET: Set<string>;
+    static readonly LATTICE: ReadonlyArray<{
+        child: TAuthorizationAction;
+        parent: TAuthorizationAction;
+    }>;
     static isValid(input: string): boolean;
 }
 export type TAuthorizationAction = TConstValue<typeof AuthorizationActions>;
@@ -43,7 +50,6 @@ export declare class AuthorizationEnforcerTypes {
 }
 export type TAuthorizationEnforcerType = TConstValue<typeof AuthorizationEnforcerTypes>;
 export declare class CasbinEnforcerCachedDrivers {
-    static readonly IN_MEMORY = "in-memory";
     static readonly REDIS = "redis";
     static readonly SCHEME_SET: Set<string>;
     static isValid(input: string): boolean;
@@ -56,15 +62,145 @@ export declare class CasbinEnforcerModelDrivers {
     static isValid(input: string): boolean;
 }
 export type TCasbinEnforcerModelDriver = TConstValue<typeof CasbinEnforcerModelDrivers>;
+export declare class CasbinDomainMatchingFunctions {
+    /** `*` is the only wildcard; exact compare otherwise. Safest for `Merchant_<uuid>` domains. */
+    static readonly KEY_MATCH = "keyMatch";
+    /** Adds URL-path `:param` segment matching. */
+    static readonly KEY_MATCH_2 = "keyMatch2";
+    /** Adds `{param}` segment matching. */
+    static readonly KEY_MATCH_3 = "keyMatch3";
+    /** `{param}` matching with repeated-name equality checks. */
+    static readonly KEY_MATCH_4 = "keyMatch4";
+    /** Treats the stored/policy value as a full regular expression. */
+    static readonly REGEX_MATCH = "regexMatch";
+    static readonly SCHEME_SET: Set<string>;
+    static isValid(input: string): boolean;
+}
+export type TCasbinDomainMatchingFunction = TConstValue<typeof CasbinDomainMatchingFunctions>;
+export declare class AuthorizationDomainScopes {
+    /** Grant applies in EVERY domain the subject is a member of (checked via join_domain / g2). */
+    static readonly ANY_MEMBER = "ANY_MEMBER";
+    /** Grant applies system-wide, bypassing membership — super-admin only. */
+    static readonly SYSTEM_WIDE = "SYSTEM_WIDE";
+    static readonly SCHEME_SET: Set<string>;
+    static isValid(input: string): boolean;
+}
+export type TAuthorizationDomainScope = TConstValue<typeof AuthorizationDomainScopes>;
+/**
+ * Engine-level vocabulary: the relation prefixes the Casbin MODEL declares — `p` for permission
+ * policies and `g`/`g2`…`g5` for grouping relations. This is the low-level building block that
+ * {@link AuthorizationPolicyVariants} maps onto (many app edge-types → one rule, e.g. both
+ * `assign_role` and `role_inherits` use `g`). Keep these in sync with the model's `[role_definition]`.
+ */
 export declare class CasbinRuleVariants {
-    static readonly POLICY = "policy";
-    static readonly GROUP = "group";
-    /** Casbin line prefix for policy rules. */
+    /** Permission policy line. */
     static readonly P = "p";
-    /** Casbin line prefix for grouping rules. */
+    /**
+     * Numbered in request-tuple order (`sub → dom → obj → act`) so the matcher reads left-to-right:
+     * g (sub), g2/g3 (dom), g4 (obj), g5 (act).
+     */
+    /** Grouping #1 — role membership + role inheritance (user→role, role→role). The `sub` axis. */
     static readonly G = "g";
-    static readonly SCHEME_SET: Set<string>;
-    static isValid(input: string): boolean;
+    /** Grouping #2 — user→domain membership (join_domain). The `dom` axis (membership). */
+    static readonly G2 = "g2";
+    /** Grouping #3 — domain hierarchy. The `dom` axis (nesting). */
+    static readonly G3 = "g3";
+    /** Grouping #4 — resource hierarchy. The `obj` axis. */
+    static readonly G4 = "g4";
+    /** Grouping #5 — action hierarchy. The `act` axis. */
+    static readonly G5 = "g5";
 }
 export type TCasbinRuleVariant = TConstValue<typeof CasbinRuleVariants>;
+/**
+ * The kinds of "edge" stored in the single `PolicyDefinition` table. Every row links a `subject`
+ * (type + id) to a `target` (type + id); the `variant` column says WHAT kind of link it is.
+ *
+ * Picture the whole RBAC state as a graph — nodes are User / Role / Permission / Domain, and each
+ * PolicyDefinition row is one edge. `ScopedCasbinAdapter` reads these rows and emits one casbin line
+ * per edge. Each entry below carries:
+ *   - `action` — the value stored in the DB `variant` column (what the adapter filters on).
+ *   - `rule`   — the casbin grouping/policy prefix the adapter emits for that edge (`p`, `g`, `g2`…).
+ *
+ * Per-USER edges (differ per user): GRANT, ASSIGN_ROLE, JOIN_DOMAIN.
+ * Shared HIERARCHY edges (same for everyone — describe the org structure, not a user):
+ *   ROLE_INHERITS, RESOURCE_INHERITS, ACTION_INHERITS, DOMAIN_INHERITS.
+ */
+export declare class AuthorizationPolicyVariants {
+    /**
+     * Give a Permission to a User or Role (the grant row also carries action / effect / domain).
+     * casbin `p`: `p, <Role|User>_<id>, <domain>, <permissionCode>, <action>, <allow|deny>`
+     * e.g. `p, Role_5, ANY_MEMBER, Order, read, allow` — "Role 5 may read Order in any joined domain".
+     */
+    static readonly GRANT: {
+        readonly action: "grant";
+        readonly rule: "p";
+    };
+    /**
+     * Give a User a Role (optionally scoped to a domain; no domain → `*` = every domain).
+     * casbin `g`: `g, User_<id>, Role_<id>, <domain|*>`
+     * e.g. `g, User_42, Role_5, *` — "User 42 holds Role 5 everywhere".
+     */
+    static readonly ASSIGN_ROLE: {
+        readonly action: "assign_role";
+        readonly rule: "g";
+    };
+    /**
+     * A Role inherits another Role (DAG). Shares the `g` relation with ASSIGN_ROLE so a
+     * user → role → parent-role chain resolves in one lookup. Emitted with domain `*`.
+     * casbin `g`: `g, Role_<child>, Role_<parent>, *`
+     * e.g. `g, Role_5, Role_9, *` — "Role 5 inherits everything Role 9 has".
+     */
+    static readonly ROLE_INHERITS: {
+        readonly action: "role_inherits";
+        readonly rule: "g";
+    };
+    /**
+     * A User is a member of a Domain. Powers the `ANY_MEMBER` grant scope — a grant with domain
+     * `ANY_MEMBER` applies in every domain the user joined. Matcher uses `g2(r.sub, r.dom)`.
+     * casbin `g2`: `g2, User_<id>, <Type>_<domainId>`
+     * e.g. `g2, User_42, Merchant_7` — "User 42 is a member of Merchant 7".
+     */
+    static readonly JOIN_DOMAIN: {
+        readonly action: "join_domain";
+        readonly rule: "g2";
+    };
+    /**
+     * DOMAIN axis (the `dom` of a request). One domain is nested under a parent domain.
+     * Matcher: `g3(r.dom, p.dom)` (+ self-link, so an exact domain always matches itself).
+     * casbin `g3`: `g3, <Type>_<childId>, <Type>_<parentId>`
+     * e.g. `g3, Branch_1, Company_9` — "a grant scoped to Company 9 also applies in Branch 1".
+     */
+    static readonly DOMAIN_INHERITS: {
+        readonly action: "domain_inherits";
+        readonly rule: "g3";
+    };
+    /**
+     * RESOURCE axis (the `obj` of a request). One resource is nested under a broader one — for
+     * NON-standard nesting only; dotted nesting (`Order.findById ⊂ Order`) is handled by `objectMatch`
+     * WITHOUT an edge. Matcher: `objectMatch(r.obj, p.obj) || g4(r.obj, p.obj)`.
+     * casbin `g4`: `g4, <childCode>, <parentCode>`
+     * e.g. `g4, OrderItem, Order` — "a grant on Order also covers OrderItem".
+     */
+    static readonly RESOURCE_INHERITS: {
+        readonly action: "resource_inherits";
+        readonly rule: "g4";
+    };
+    /**
+     * ACTION axis (the `act` of a request) — SAME shape as RESOURCE_INHERITS but a DIFFERENT axis: a
+     * narrow action is covered by a broader one. No dotted shortcut — needs an explicit edge.
+     * Matcher: `g5(r.act, p.act)`.
+     * casbin `g5`: `g5, <childAction>, <parentAction>`
+     * e.g. `g5, read, manage` — "a grant of manage also allows read".
+     * (g4 + g5 combine multiplicatively: a `manage Order` grant covers a `read OrderItem` request.)
+     */
+    static readonly ACTION_INHERITS: {
+        readonly action: "action_inherits";
+        readonly rule: "g5";
+    };
+    static readonly ACTION_SCHEME_SET: Set<string>;
+    static readonly RULE_SCHEME_SET: Set<string>;
+    static isValidAction(input: string): boolean;
+    static isValidRule(input: string): boolean;
+}
+export type TAuthorizationPolicyVariant = TConstValue<typeof AuthorizationPolicyVariants>;
 //# sourceMappingURL=constants.d.ts.map

package/dist/components/auth/authorize/common/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAEvE,qBAAa,aAAa;IACxB,MAAM,CAAC,QAAQ,CAAC,KAAK,yBAAyB;IAC9C,MAAM,CAAC,QAAQ,CAAC,kBAAkB,wBAAwB;IAC1D,MAAM,CAAC,QAAQ,CAAC,QAAQ,4BAA4B;CACrD;AAED,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,OAAO,aAAa;IAEpC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAMvB;IAEH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AACD,MAAM,MAAM,oBAAoB,GAAG,WAAW,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAE5E,qBAAa,sBAAsB;IACjC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAChC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,OAAO,aAAa;IAEpC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAkD;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAItC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;IAO/C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;IAO9C,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;CAMlD;AACD,MAAM,MAAM,sBAAsB,GAAG,WAAW,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEhF,qBAAa,kBAAkB;IAC7B,MAAM,CAAC,QAAQ,CAAC,WAAW,oBAGxB;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,oBAGlB;IACH,MAAM,CAAC,QAAQ,CAAC,IAAI,oBAGjB;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,oBAGlB;IACH,MAAM,CAAC,QAAQ,CAAC,YAAY,oBAGzB;IAEH,MAAM,CAAC,QAAQ,CAAC,UAAU,cAMvB;IAEH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,qBAAa,0BAA0B;IACrC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAElC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAuC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,0BAA0B,GAAG,WAAW,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAExF,qBAAa,2BAA2B;IACtC,MAAM,CAAC,QAAQ,CAAC,SAAS,eAAe;IACxC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAEhC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAyC;IAEnE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,2BAA2B,GAAG,WAAW,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAE1F,qBAAa,0BAA0B;IACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAE9B,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAmC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,0BAA0B,GAAG,WAAW,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAExF,qBAAa,kBAAkB;IAC7B,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAEhC,2CAA2C;IAC3C,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO;IACxB,6CAA6C;IAC7C,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO;IAExB,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAsC;IAEhE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,kBAAkB,GAAG,WAAW,CAAC,OAAO,kBAAkB,CAAC,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../../src/components/auth/authorize/common/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAEvE,qBAAa,aAAa;IACxB,MAAM,CAAC,QAAQ,CAAC,KAAK,yBAAyB;IAC9C,MAAM,CAAC,QAAQ,CAAC,kBAAkB,wBAAwB;IAC1D,MAAM,CAAC,QAAQ,CAAC,QAAQ,4BAA4B;IACpD,MAAM,CAAC,QAAQ,CAAC,MAAM,0BAA0B;CACjD;AAED,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,OAAO,aAAa;IAEpC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAChC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAElC,MAAM,CAAC,QAAQ,CAAC,UAAU,cASvB;IAEH,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;QACrC,KAAK,EAAE,oBAAoB,CAAC;QAC5B,MAAM,EAAE,oBAAoB,CAAC;KAC9B,CAAC,CAOA;IAEF,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AACD,MAAM,MAAM,oBAAoB,GAAG,WAAW,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAE5E,qBAAa,sBAAsB;IACjC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAChC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,OAAO,aAAa;IAEpC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAkD;IAE5E,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAItC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;IAO/C,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;IAO9C,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO;CAMlD;AACD,MAAM,MAAM,sBAAsB,GAAG,WAAW,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAEhF,qBAAa,kBAAkB;IAC7B,MAAM,CAAC,QAAQ,CAAC,WAAW,oBAGxB;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,oBAGlB;IACH,MAAM,CAAC,QAAQ,CAAC,IAAI,oBAGjB;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,oBAGlB;IACH,MAAM,CAAC,QAAQ,CAAC,YAAY,oBAGzB;IAEH,MAAM,CAAC,QAAQ,CAAC,UAAU,cAMvB;IAEH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,qBAAa,0BAA0B;IACrC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAClC,MAAM,CAAC,QAAQ,CAAC,MAAM,YAAY;IAElC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAuC;IAEjE,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,0BAA0B,GAAG,WAAW,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAExF,qBAAa,2BAA2B;IACtC,MAAM,CAAC,QAAQ,CAAC,KAAK,WAAW;IAEhC,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAyB;IAEnD,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,2BAA2B,GAAG,WAAW,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAE1F,qBAAa,0BAA0B;IACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAC9B,MAAM,CAAC,QAAQ,CAAC,IAAI,UAAU;IAE9B,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAmC;IAE7D,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,0BAA0B,GAAG,WAAW,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAExF,qBAAa,6BAA6B;IACxC,+FAA+F;IAC/F,MAAM,CAAC,QAAQ,CAAC,SAAS,cAAc;IAEvC,+CAA+C;IAC/C,MAAM,CAAC,QAAQ,CAAC,WAAW,eAAe;IAE1C,uCAAuC;IACvC,MAAM,CAAC,QAAQ,CAAC,WAAW,eAAe;IAE1C,6DAA6D;IAC7D,MAAM,CAAC,QAAQ,CAAC,WAAW,eAAe;IAE1C,mEAAmE;IACnE,MAAM,CAAC,QAAQ,CAAC,WAAW,gBAAgB;IAE3C,MAAM,CAAC,QAAQ,CAAC,UAAU,cAMvB;IAEH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AAED,MAAM,MAAM,6BAA6B,GAAG,WAAW,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAE9F,qBAAa,yBAAyB;IACpC,+FAA+F;IAC/F,MAAM,CAAC,QAAQ,CAAC,UAAU,gBAAgB;IAE1C,0EAA0E;IAC1E,MAAM,CAAC,QAAQ,CAAC,WAAW,iBAAiB;IAE5C,MAAM,CAAC,QAAQ,CAAC,UAAU,cAAgD;IAE1E,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAGvC;AACD,MAAM,MAAM,yBAAyB,GAAG,WAAW,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAEtF;;;;;GAKG;AACH,qBAAa,kBAAkB;IAC7B,8BAA8B;IAC9B,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO;IAExB;;;OAGG;IAEH,+FAA+F;IAC/F,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO;IAExB,uFAAuF;IACvF,MAAM,CAAC,QAAQ,CAAC,EAAE,QAAQ;IAE1B,gEAAgE;IAChE,MAAM,CAAC,QAAQ,CAAC,EAAE,QAAQ;IAE1B,wDAAwD;IACxD,MAAM,CAAC,QAAQ,CAAC,EAAE,QAAQ;IAE1B,sDAAsD;IACtD,MAAM,CAAC,QAAQ,CAAC,EAAE,QAAQ;CAC3B;AAED,MAAM,MAAM,kBAAkB,GAAG,WAAW,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAExE;;;;;;;;;;;;;GAaG;AACH,qBAAa,2BAA2B;IACtC;;;;OAIG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK;;;MAA4D;IAEjF;;;;OAIG;IACH,MAAM,CAAC,QAAQ,CAAC,WAAW;;;MAAkE;IAE7F;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,aAAa;;;MAAoE;IAEjG;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,WAAW;;;MAAmE;IAE9F;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,eAAe;;;MAGpB;IAEX;;;;;;OAMG;IACH,MAAM,CAAC,QAAQ,CAAC,iBAAiB;;;MAGtB;IAEX;;;;;;;OAOG;IACH,MAAM,CAAC,QAAQ,CAAC,eAAe;;;MAGpB;IAEX,MAAM,CAAC,QAAQ,CAAC,iBAAiB,cAQ9B;IAEH,MAAM,CAAC,QAAQ,CAAC,eAAe,cAQ5B;IAEH,MAAM,CAAC,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAI5C,MAAM,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;CAG3C;AACD,MAAM,MAAM,2BAA2B,GAAG,WAAW,CAAC,OAAO,2BAA2B,CAAC,CAAC"}