@vertesia/studio-utils 1.3.0 → 1.4.0-dev.20260615.051508Z

package/lib/roles/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/roles/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAiC,UAAU,EAAE,MAAM,cAAc,CAAC;AACnF,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAsB,UAAU,EAAE,MAAM,cAAc,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD;;;;GAIG;AACH,MAAM,UAAU,GAAoB,CAAC,eAAe,EAAE,gBAAgB,CAAC,CAAC;AAExE,mEAAmE;AACnE,MAAM,UAAU,aAAa,CAAC,IAAY;IACtC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;IAC1B,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,QAAQ,IAAI,YAAY,CAAC,CAAC;AAC9C,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,SAAS;IACrB,MAAM,MAAM,GAAW,EAAE,CAAC;IAC1B,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACjC,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,iBAAiB,CAAC,MAAkB;IAChD,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;IAC9D,OAAO,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACjE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAgB;IAClD,OAAO,SAAS,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAiB,EAAE,CAAC,CAAC,YAAY,QAAQ,IAAI,CAAC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;AACjH,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,eAAe;IAC3B,OAAO,SAAS,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAmB,EAAE,CAAC,CAAC,YAAY,UAAU,CAAC,CAAC;AAC/E,CAAC;AAED,0GAA0G;AAC1G,MAAM,UAAU,eAAe;IAC3B,OAAO,SAAS,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAA2B;IAC9D,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACrC,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACxC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;IACL,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,QAAQ;IACmB;IAApC,YAAoC,KAAa;QAAb,UAAK,GAAL,KAAK,CAAQ;IAAG,CAAC;IAErD,MAAM,CAAC,aAAa,CAAC,SAAmB;QACpC,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;QACrD,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,QAAgB;QAChC,MAAM,KAAK,GAAG,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxC,OAAO,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,aAAa,CAAC,IAAY;QACtB,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/D,CAAC;CACJ"}

package/lib/roles/system.d.ts

@@ -1,3 +0,0 @@
-import { type RolePartition } from './classes.js';
-export declare const systemPartition: RolePartition;
-//# sourceMappingURL=system.d.ts.map

package/lib/roles/system.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"system.d.ts","sourceRoot":"","sources":["../../src/roles/system.ts"],"names":[],"mappings":"AACA,OAAO,EAAa,KAAK,aAAa,EAAc,MAAM,cAAc,CAAC;AAuMzE,eAAO,MAAM,eAAe,EAAE,aAG7B,CAAC"}

package/lib/roles/system.js

@@ -1,187 +0,0 @@
-import { Permission, SystemRoles } from '@vertesia/common';
-import { SystemRole } from './classes.js';
-class OrgMemberRole extends SystemRole {
-    constructor(name, permissions) {
-        super(name, [Permission.account_member, ...permissions]);
-    }
-}
-class OwnerRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.owner, Object.values(Permission));
-    }
-}
-class AdminRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.admin, Object.values(Permission));
-    }
-}
-class ManagerRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.manager, Object.values(Permission));
-        this.permissions.delete(Permission.account_admin);
-        this.permissions.delete(Permission.manage_billing);
-        this.permissions.delete(Permission.audit_read);
-        this.permissions.delete(Permission.agent_run_read);
-        this.permissions.delete(Permission.content_read_all);
-        this.permissions.delete(Permission.content_superadmin);
-        this.permissions.delete(Permission.workflow_superadmin);
-    }
-}
-class DeveloperRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.developer, Object.values(Permission));
-        this.permissions.delete(Permission.account_admin);
-        this.permissions.delete(Permission.project_admin);
-        this.permissions.delete(Permission.project_settings_write);
-        this.permissions.delete(Permission.env_admin);
-        this.permissions.delete(Permission.manage_billing);
-        this.permissions.delete(Permission.audit_read);
-        this.permissions.delete(Permission.agent_run_read);
-        this.permissions.delete(Permission.content_read_all);
-        this.permissions.delete(Permission.content_superadmin);
-        this.permissions.delete(Permission.workflow_superadmin);
-    }
-}
-class ApplicationRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.application, [
-            Permission.int_read,
-            Permission.int_execute,
-            Permission.int_write,
-            Permission.run_read,
-            Permission.content_write,
-            Permission.content_read,
-            Permission.content_write,
-            Permission.content_admin,
-            Permission.project_admin,
-            Permission.workflow_run,
-            Permission.project_settings_write,
-            Permission.account_write,
-        ]);
-    }
-}
-class AutomationRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.automation, [
-            Permission.content_read,
-            Permission.content_write,
-            Permission.content_admin,
-            Permission.int_read,
-            Permission.int_execute,
-            Permission.run_read,
-            Permission.workflow_run,
-            Permission.project_integration_read,
-        ]);
-    }
-}
-class ContentProcessorRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.content_processor, [
-            Permission.content_read,
-            Permission.content_write,
-            Permission.content_admin,
-            Permission.content_superadmin,
-            Permission.int_execute,
-            Permission.workflow_read,
-            Permission.workflow_run,
-            Permission.run_read,
-        ]);
-    }
-}
-class ConsumerRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.consumer, [
-            Permission.content_admin,
-            Permission.content_read,
-            Permission.content_write,
-            Permission.content_delete,
-            Permission.int_read,
-            Permission.int_execute,
-            Permission.run_read,
-            Permission.workflow_run,
-        ]);
-    }
-}
-class ExecutorRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.executor, [Permission.int_execute, Permission.run_read, Permission.workflow_run]);
-    }
-}
-class ReaderRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.reader, [Permission.int_read, Permission.run_read, Permission.content_read]);
-    }
-}
-const READ_ONLY_AUDIT_PERMISSIONS = [
-    Permission.studio_access,
-    Permission.account_read,
-    Permission.project_integration_read,
-    Permission.api_key_read,
-    Permission.billing_read,
-    Permission.audit_read,
-    Permission.int_read,
-    Permission.run_read,
-    Permission.content_read,
-    Permission.content_read_all,
-    Permission.task_read,
-    Permission.workflow_read,
-    Permission.agent_run_read,
-];
-class ReadOnlyAuditRole extends OrgMemberRole {
-    constructor(name) {
-        super(name, READ_ONLY_AUDIT_PERMISSIONS);
-    }
-}
-class BillingRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.billing, [Permission.manage_billing]);
-    }
-}
-class AppMemberRole extends OrgMemberRole {
-    constructor() {
-        super(SystemRoles.app_member, [
-            Permission.int_read,
-            Permission.int_execute,
-            Permission.int_write,
-            Permission.run_read,
-            Permission.content_write,
-            Permission.content_read,
-            Permission.content_delete,
-            Permission.workflow_run,
-        ]);
-    }
-}
-class ContentSuperAdmin extends DeveloperRole {
-    constructor() {
-        super();
-        this.name = SystemRoles.content_superadmin;
-        this.permissions.add(Permission.content_superadmin);
-    }
-}
-// The enum is still named `SystemRoles` (historical); the partition's domain
-// is `system` — the foundational built-in roles, distinct from feature domains
-// like `content` or `tasks`. Renaming the enum to `SystemRoles` is a separate
-// concern to revisit later.
-const systemRoles = {
-    [SystemRoles.owner]: new OwnerRole(),
-    [SystemRoles.admin]: new AdminRole(),
-    [SystemRoles.manager]: new ManagerRole(),
-    [SystemRoles.developer]: new DeveloperRole(),
-    [SystemRoles.application]: new ApplicationRole(),
-    [SystemRoles.automation]: new AutomationRole(),
-    [SystemRoles.content_processor]: new ContentProcessorRole(),
-    [SystemRoles.consumer]: new ConsumerRole(),
-    [SystemRoles.executor]: new ExecutorRole(),
-    [SystemRoles.reader]: new ReaderRole(),
-    [SystemRoles.auditor]: new ReadOnlyAuditRole(SystemRoles.auditor),
-    [SystemRoles.support]: new ReadOnlyAuditRole(SystemRoles.support),
-    [SystemRoles.billing]: new BillingRole(),
-    [SystemRoles.app_member]: new AppMemberRole(),
-    [SystemRoles.member]: new OrgMemberRole(SystemRoles.member, []),
-    [SystemRoles.content_superadmin]: new ContentSuperAdmin(),
-};
-export const systemPartition = {
-    domain: 'system',
-    roles: new Map(Object.entries(systemRoles)),
-};
-//# sourceMappingURL=system.js.map

package/lib/roles/system.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"system.js","sourceRoot":"","sources":["../../src/roles/system.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAiC,UAAU,EAAE,MAAM,cAAc,CAAC;AAEzE,MAAM,aAAc,SAAQ,UAAU;IAClC,YAAY,IAAY,EAAE,WAAyB;QAC/C,KAAK,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC;IAC7D,CAAC;CACJ;AAED,MAAM,SAAU,SAAQ,aAAa;IACjC;QACI,KAAK,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IACxD,CAAC;CACJ;AAED,MAAM,SAAU,SAAQ,aAAa;IACjC;QACI,KAAK,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IACxD,CAAC;CACJ;AAED,MAAM,WAAY,SAAQ,aAAa;IACnC;QACI,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;QACtD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAClD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QACnD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QACnD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;QACrD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;QACvD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAC;IAC5D,CAAC;CACJ;AAED,MAAM,aAAc,SAAQ,aAAa;IACrC;QACI,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;QACxD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAClD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAClD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,sBAAsB,CAAC,CAAC;QAC3D,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QAC9C,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QACnD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QACnD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC;QACrD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;QACvD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAC;IAC5D,CAAC;CACJ;AAED,MAAM,eAAgB,SAAQ,aAAa;IACvC;QACI,KAAK,CAAC,WAAW,CAAC,WAAW,EAAE;YAC3B,UAAU,CAAC,QAAQ;YACnB,UAAU,CAAC,WAAW;YACtB,UAAU,CAAC,SAAS;YACpB,UAAU,CAAC,QAAQ;YACnB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,YAAY;YACvB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,YAAY;YACvB,UAAU,CAAC,sBAAsB;YACjC,UAAU,CAAC,aAAa;SAC3B,CAAC,CAAC;IACP,CAAC;CACJ;AAED,MAAM,cAAe,SAAQ,aAAa;IACtC;QACI,KAAK,CAAC,WAAW,CAAC,UAAU,EAAE;YAC1B,UAAU,CAAC,YAAY;YACvB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,QAAQ;YACnB,UAAU,CAAC,WAAW;YACtB,UAAU,CAAC,QAAQ;YACnB,UAAU,CAAC,YAAY;YACvB,UAAU,CAAC,wBAAwB;SACtC,CAAC,CAAC;IACP,CAAC;CACJ;AAED,MAAM,oBAAqB,SAAQ,aAAa;IAC5C;QACI,KAAK,CAAC,WAAW,CAAC,iBAAiB,EAAE;YACjC,UAAU,CAAC,YAAY;YACvB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,kBAAkB;YAC7B,UAAU,CAAC,WAAW;YACtB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,YAAY;YACvB,UAAU,CAAC,QAAQ;SACtB,CAAC,CAAC;IACP,CAAC;CACJ;AAED,MAAM,YAAa,SAAQ,aAAa;IACpC;QACI,KAAK,CAAC,WAAW,CAAC,QAAQ,EAAE;YACxB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,YAAY;YACvB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,cAAc;YACzB,UAAU,CAAC,QAAQ;YACnB,UAAU,CAAC,WAAW;YACtB,UAAU,CAAC,QAAQ;YACnB,UAAU,CAAC,YAAY;SAC1B,CAAC,CAAC;IACP,CAAC;CACJ;AAED,MAAM,YAAa,SAAQ,aAAa;IACpC;QACI,KAAK,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,UAAU,CAAC,WAAW,EAAE,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC;IACxG,CAAC;CACJ;AAED,MAAM,UAAW,SAAQ,aAAa;IAClC;QACI,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC;IACnG,CAAC;CACJ;AAED,MAAM,2BAA2B,GAAG;IAChC,UAAU,CAAC,aAAa;IACxB,UAAU,CAAC,YAAY;IACvB,UAAU,CAAC,wBAAwB;IACnC,UAAU,CAAC,YAAY;IACvB,UAAU,CAAC,YAAY;IACvB,UAAU,CAAC,UAAU;IACrB,UAAU,CAAC,QAAQ;IACnB,UAAU,CAAC,QAAQ;IACnB,UAAU,CAAC,YAAY;IACvB,UAAU,CAAC,gBAAgB;IAC3B,UAAU,CAAC,SAAS;IACpB,UAAU,CAAC,aAAa;IACxB,UAAU,CAAC,cAAc;CAC5B,CAAC;AAEF,MAAM,iBAAkB,SAAQ,aAAa;IACzC,YAAY,IAA+C;QACvD,KAAK,CAAC,IAAI,EAAE,2BAA2B,CAAC,CAAC;IAC7C,CAAC;CACJ;AAED,MAAM,WAAY,SAAQ,aAAa;IACnC;QACI,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC;IAC5D,CAAC;CACJ;AAED,MAAM,aAAc,SAAQ,aAAa;IACrC;QACI,KAAK,CAAC,WAAW,CAAC,UAAU,EAAE;YAC1B,UAAU,CAAC,QAAQ;YACnB,UAAU,CAAC,WAAW;YACtB,UAAU,CAAC,SAAS;YACpB,UAAU,CAAC,QAAQ;YACnB,UAAU,CAAC,aAAa;YACxB,UAAU,CAAC,YAAY;YACvB,UAAU,CAAC,cAAc;YACzB,UAAU,CAAC,YAAY;SAC1B,CAAC,CAAC;IACP,CAAC;CACJ;AAED,MAAM,iBAAkB,SAAQ,aAAa;IACzC;QACI,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC,kBAAkB,CAAC;QAC3C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;IACxD,CAAC;CACJ;AAED,6EAA6E;AAC7E,+EAA+E;AAC/E,8EAA8E;AAC9E,4BAA4B;AAC5B,MAAM,WAAW,GAA8B;IAC3C,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,IAAI,SAAS,EAAE;IACpC,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,IAAI,SAAS,EAAE;IACpC,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,IAAI,WAAW,EAAE;IACxC,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,IAAI,aAAa,EAAE;IAC5C,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,IAAI,eAAe,EAAE;IAChD,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE,IAAI,cAAc,EAAE;IAC9C,CAAC,WAAW,CAAC,iBAAiB,CAAC,EAAE,IAAI,oBAAoB,EAAE;IAC3D,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,IAAI,YAAY,EAAE;IAC1C,CAAC,WAAW,CAAC,QAAQ,CAAC,EAAE,IAAI,YAAY,EAAE;IAC1C,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,IAAI,UAAU,EAAE;IACtC,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,IAAI,iBAAiB,CAAC,WAAW,CAAC,OAAO,CAAC;IACjE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,IAAI,iBAAiB,CAAC,WAAW,CAAC,OAAO,CAAC;IACjE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,IAAI,WAAW,EAAE;IACxC,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE,IAAI,aAAa,EAAE;IAC7C,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,IAAI,aAAa,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE,CAAC;IAC/D,CAAC,WAAW,CAAC,kBAAkB,CAAC,EAAE,IAAI,iBAAiB,EAAE;CAC5D,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAkB;IAC1C,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;CAC9C,CAAC"}

package/src/roles/classes.ts

@@ -1,78 +0,0 @@
-import type { AbacScope, Permission, RoleDomain } from '@vertesia/common';
-
-/**
- * Class hierarchy and registry-bound interface for the role system. These
- * are LOGIC — they have runtime behavior (constructors, instance methods,
- * subclass dispatch via `instanceof`). They live in `@vertesia/studio-utils`
- * (not common) per the package-layering contract: only types stay in common.
- */
-
-/**
- * A role: a named bundle of permissions that ACEs reference by name.
- *
- * Generic over the permission type so subclasses can tighten it:
- *  - **System roles** declare `extends Role<Permission>` — construction time
- *    type-checks against the central `Permission` enum.
- *  - **ABAC roles** (`AbacRole`) declare `extends Role<string>` — permissions
- *    are bare verbs (`'read'`, `'write'`, `'delete'`, future domain-specific
- *    verbs) consumed by the JWT generator to form `{scope}:{verb}` keys in
- *    `content_security`.
- *
- * The registry stores `Role` (defaulting to `Role<string>`) — the loose type
- * is the lowest common denominator. Tight typing is only enforced at
- * declaration sites of the role subclasses.
- */
-export class Role<PermissionType extends string = string> {
-    permissions: Set<PermissionType>;
-    constructor(
-        public name: string,
-        permissions: PermissionType[],
-        public domain: RoleDomain,
-    ) {
-        this.permissions = new Set(permissions);
-    }
-
-    hasPermission(permission: PermissionType) {
-        return this.permissions.has(permission);
-    }
-}
-
-/**
- * Base class for built-in system roles. Hardcodes `domain: 'system'` and
- * specializes `Role<Permission>` so subclasses get compile-time type-checking
- * against the central `Permission` enum at construction.
- */
-export class SystemRole extends Role<Permission> {
-    constructor(name: string, permissions: Permission[]) {
-        super(name, permissions, 'system');
-    }
-}
-
-/**
- * A role usable in ContentSet ACEs. Adds `applicableScopes` — the kinds of
- * objects the role can be applied to at the ABAC scope level. Inherits
- * `Role<string>` because ABAC verbs aren't constrained to the central
- * `Permission` enum.
- *
- * The IAM UI filters via `listAbacRolesForScope` which checks `instanceof AbacRole`.
- */
-export class AbacRole extends Role<string> {
-    constructor(
-        name: string,
-        permissions: string[],
-        domain: RoleDomain,
-        public applicableScopes: readonly AbacScope[],
-    ) {
-        super(name, permissions, domain);
-    }
-}
-
-/**
- * A logical bucket of roles owned by a single domain. The registry iterates
- * partitions in registration order — first match wins. The `system` partition
- * is registered first so domain partitions cannot shadow built-in system roles.
- */
-export interface RolePartition {
-    domain: RoleDomain;
-    roles: Map<string, Role>;
-}

package/src/roles/content.ts

@@ -1,46 +0,0 @@
-import type { AbacScope, RoleDomain } from '@vertesia/common';
-import { AbacRole, type Role, type RolePartition } from './classes.js';
-
-const ContentRoleDomain: RoleDomain = 'content';
-
-const APPLICABLE_SCOPES: readonly AbacScope[] = ['document', 'collection'];
-
-/**
- * Names of roles owned by the `content` domain. Apply to ContentSet ACEs
- * scoped to either `document` or `collection` — the semantics of "read
- * content" are the same for both kinds.
- */
-export enum ContentRoleNames {
-    content_reader = 'content_reader',
-    content_writer = 'content_writer',
-    content_manager = 'content_manager',
-}
-
-class ContentReaderRole extends AbacRole {
-    constructor() {
-        super(ContentRoleNames.content_reader, ['read'], ContentRoleDomain, APPLICABLE_SCOPES);
-    }
-}
-
-class ContentWriterRole extends AbacRole {
-    constructor() {
-        super(ContentRoleNames.content_writer, ['read', 'write'], ContentRoleDomain, APPLICABLE_SCOPES);
-    }
-}
-
-class ContentManagerRole extends AbacRole {
-    constructor() {
-        super(ContentRoleNames.content_manager, ['read', 'write', 'delete'], ContentRoleDomain, APPLICABLE_SCOPES);
-    }
-}
-
-const contentRoles: Record<ContentRoleNames, Role> = {
-    [ContentRoleNames.content_reader]: new ContentReaderRole(),
-    [ContentRoleNames.content_writer]: new ContentWriterRole(),
-    [ContentRoleNames.content_manager]: new ContentManagerRole(),
-};
-
-export const contentPartition: RolePartition = {
-    domain: ContentRoleDomain,
-    roles: new Map(Object.entries(contentRoles)),
-};

package/src/roles/index.test.ts

@@ -1,206 +0,0 @@
-import { Permission, SystemRoles } from '@vertesia/common';
-import { describe, expect, it } from 'vitest';
-import { ContentRoleNames } from './content.js';
-import {
-    AbacRole,
-    getAllRoleNames,
-    getPermissionsForRoles,
-    getRoleByName,
-    listAbacRolesForScope,
-    listRoles,
-    listRolesByDomain,
-    listSystemRoles,
-    Role,
-    RoleList,
-    SystemRole,
-} from './index.js';
-
-describe('getRoleByName', () => {
-    it('returns a system role by name', () => {
-        const role = getRoleByName(SystemRoles.owner);
-        expect(role).toBeInstanceOf(SystemRole);
-        expect(role.name).toBe('owner');
-        expect(role.domain).toBe('system');
-    });
-
-    it('returns an ABAC role by name', () => {
-        const role = getRoleByName(ContentRoleNames.content_reader);
-        expect(role).toBeInstanceOf(AbacRole);
-        expect(role.name).toBe('content_reader');
-        expect(role.domain).toBe('content');
-    });
-
-    it('throws on unknown role', () => {
-        expect(() => getRoleByName('not_a_real_role')).toThrow(/Role not_a_real_role not found/);
-    });
-
-    it('queries partitions in registration order — system first', () => {
-        // System partition is registered before content. Even if a future partition
-        // declared a role named 'owner', the system one would still win.
-        const role = getRoleByName(SystemRoles.owner);
-        expect(role.domain).toBe('system');
-    });
-});
-
-describe('listRoles', () => {
-    it('returns every role across all partitions', () => {
-        const roles = listRoles();
-        // 16 system roles + 3 content roles
-        expect(roles).toHaveLength(19);
-    });
-
-    it('lists system roles before content roles (partition registration order)', () => {
-        const roles = listRoles();
-        const systemCount = roles.filter((r) => r.domain === 'system').length;
-        const contentCount = roles.filter((r) => r.domain === 'content').length;
-        expect(systemCount).toBe(16);
-        expect(contentCount).toBe(3);
-
-        // First 16 are system, next 3 are content
-        for (let i = 0; i < 16; i++) expect(roles[i].domain).toBe('system');
-        for (let i = 16; i < 19; i++) expect(roles[i].domain).toBe('content');
-    });
-});
-
-describe('listRolesByDomain', () => {
-    it('returns only system roles for "system"', () => {
-        const roles = listRolesByDomain('system');
-        expect(roles).toHaveLength(16);
-        expect(roles.every((r) => r.domain === 'system')).toBe(true);
-    });
-
-    it('returns only content roles for "content"', () => {
-        const roles = listRolesByDomain('content');
-        expect(roles).toHaveLength(3);
-        expect(roles.every((r) => r.domain === 'content')).toBe(true);
-    });
-
-    it('returns empty for an unregistered domain', () => {
-        expect(listRolesByDomain('tasks')).toEqual([]);
-    });
-});
-
-describe('listSystemRoles', () => {
-    it('returns SystemRole instances', () => {
-        const roles = listSystemRoles();
-        expect(roles).toHaveLength(16);
-        expect(roles.every((r) => r instanceof SystemRole)).toBe(true);
-    });
-
-    it('excludes ABAC roles', () => {
-        const roles = listSystemRoles();
-        expect(roles.some((r) => r instanceof AbacRole)).toBe(false);
-    });
-});
-
-describe('listAbacRolesForScope', () => {
-    it('returns content roles for "document" scope', () => {
-        const roles = listAbacRolesForScope('document');
-        expect(roles).toHaveLength(3);
-        expect(roles.map((r) => r.name).sort()).toEqual(['content_manager', 'content_reader', 'content_writer']);
-    });
-
-    it('returns content roles for "collection" scope (same roles, applicableScopes covers both)', () => {
-        const roles = listAbacRolesForScope('collection');
-        expect(roles).toHaveLength(3);
-        expect(roles.every((r) => r.applicableScopes.includes('collection'))).toBe(true);
-    });
-
-    it('returns empty for "task" scope (no task partition registered)', () => {
-        expect(listAbacRolesForScope('task')).toEqual([]);
-    });
-
-    it('returns AbacRole instances only — no system roles bleed through', () => {
-        const roles = listAbacRolesForScope('document');
-        expect(roles.every((r) => r instanceof AbacRole)).toBe(true);
-    });
-});
-
-describe('getAllRoleNames', () => {
-    it('returns names of every registered role', () => {
-        const names = getAllRoleNames();
-        expect(names).toHaveLength(19);
-        expect(names).toContain('owner');
-        expect(names).toContain('content_reader');
-    });
-
-    it('produces a flat list suited for mongoose enum constraints', () => {
-        const names = getAllRoleNames();
-        expect(names.every((n) => typeof n === 'string')).toBe(true);
-    });
-});
-
-describe('getPermissionsForRoles', () => {
-    it('merges permissions across multiple roles, deduped', () => {
-        // content_reader: ['read']
-        // content_writer: ['read', 'write']
-        const merged = getPermissionsForRoles([ContentRoleNames.content_reader, ContentRoleNames.content_writer]);
-        expect(merged.sort()).toEqual(['read', 'write']);
-    });
-
-    it('returns system Permission values for system roles', () => {
-        const merged = getPermissionsForRoles([SystemRoles.reader]);
-        // reader role has: int_read, run_read, content_read + account_member (via OrgMemberRole)
-        expect(merged).toContain(Permission.int_read);
-        expect(merged).toContain(Permission.content_read);
-        expect(merged).toContain(Permission.account_member);
-    });
-});
-
-describe('Role instances', () => {
-    it('SystemRole hasPermission for granted Permission', () => {
-        const owner = getRoleByName(SystemRoles.owner);
-        expect(owner.hasPermission(Permission.content_read)).toBe(true);
-        expect(owner.hasPermission(Permission.manage_billing)).toBe(true);
-    });
-
-    it('SystemRole hasPermission false for arbitrary string', () => {
-        const reader = getRoleByName(SystemRoles.reader);
-        expect(reader.hasPermission('not_a_real_perm')).toBe(false);
-    });
-
-    it('AbacRole carries applicableScopes', () => {
-        const reader = getRoleByName(ContentRoleNames.content_reader) as AbacRole;
-        expect(reader.applicableScopes).toEqual(['document', 'collection']);
-    });
-
-    it('AbacRole permissions are bare verbs, not Permission enum values', () => {
-        const manager = getRoleByName(ContentRoleNames.content_manager);
-        expect(Array.from(manager.permissions).sort()).toEqual(['delete', 'read', 'write']);
-    });
-});
-
-describe('SystemRole vs AbacRole discrimination', () => {
-    it('SystemRole instanceof Role', () => {
-        const owner = getRoleByName(SystemRoles.owner);
-        expect(owner).toBeInstanceOf(Role);
-        expect(owner).toBeInstanceOf(SystemRole);
-        expect(owner).not.toBeInstanceOf(AbacRole);
-    });
-
-    it('AbacRole instanceof Role', () => {
-        const reader = getRoleByName(ContentRoleNames.content_reader);
-        expect(reader).toBeInstanceOf(Role);
-        expect(reader).toBeInstanceOf(AbacRole);
-        expect(reader).not.toBeInstanceOf(SystemRole);
-    });
-});
-
-describe('RoleList', () => {
-    it('fromRoleNames composes a list checkable for permissions', () => {
-        const list = RoleList.fromRoleNames([SystemRoles.reader, SystemRoles.executor]);
-        expect(list.hasPermission(Permission.content_read)).toBe(true); // from reader
-        expect(list.hasPermission(Permission.int_execute)).toBe(true); // from executor
-        expect(list.hasPermission(Permission.manage_billing)).toBe(false); // neither has it
-    });
-
-    it('fromRoleName composes a single-role list', () => {
-        const list = RoleList.fromRoleName(SystemRoles.billing);
-        expect(list.hasPermission(Permission.manage_billing)).toBe(true);
-        expect(list.hasPermission(Permission.content_write)).toBe(false);
-    });
-
-    it('throws on unknown role name', () => {
-        expect(() => RoleList.fromRoleNames(['not_real'])).toThrow(/Role not_real not found/);
-    });
-});

package/src/roles/index.ts

@@ -1,96 +0,0 @@
-import type { AbacScope, RoleDomain } from '@vertesia/common';
-import { AbacRole, type Role, type RolePartition, SystemRole } from './classes.js';
-import { contentPartition } from './content.js';
-import { systemPartition } from './system.js';
-
-export { AbacRole, Role, type RolePartition, SystemRole } from './classes.js';
-export { ContentRoleNames } from './content.js';
-
-/**
- * The ordered partition registry. Partitions are queried in this order — first
- * match wins. The `system` partition is registered first so domain-specific
- * partitions (added later) cannot shadow built-in system roles.
- */
-const partitions: RolePartition[] = [systemPartition, contentPartition];
-
-/** Look up a role by its name across all registered partitions. */
-export function getRoleByName(name: string): Role {
-    for (const partition of partitions) {
-        const role = partition.roles.get(name);
-        if (role) return role;
-    }
-    throw new Error(`Role ${name} not found`);
-}
-
-/** List every role across all partitions, in partition registration order. */
-export function listRoles(): Role[] {
-    const result: Role[] = [];
-    for (const partition of partitions) {
-        for (const role of partition.roles.values()) {
-            result.push(role);
-        }
-    }
-    return result;
-}
-
-/** Roles owned by a specific domain (e.g. `'system'`, `'content'`). */
-export function listRolesByDomain(domain: RoleDomain): Role[] {
-    const partition = partitions.find((p) => p.domain === domain);
-    return partition ? Array.from(partition.roles.values()) : [];
-}
-
-/**
- * ABAC roles applicable to a given ContentSet scope (e.g. `'document'`,
- * `'collection'`). System roles are excluded — they don't carry scope semantics.
- */
-export function listAbacRolesForScope(scope: AbacScope): AbacRole[] {
-    return listRoles().filter((r): r is AbacRole => r instanceof AbacRole && r.applicableScopes.includes(scope));
-}
-
-/** Shortcut for the system partition: returns only `SystemRole` instances. */
-export function listSystemRoles(): SystemRole[] {
-    return listRoles().filter((r): r is SystemRole => r instanceof SystemRole);
-}
-
-/** Names of every registered role across all partitions — suited for mongoose schema enum constraints. */
-export function getAllRoleNames(): string[] {
-    return listRoles().map((r) => r.name);
-}
-
-/**
- * Merge the permissions granted by a set of roles into a single array.
- * Intended for the system-role gating path. For ABAC roles, the bare-verb
- * permissions returned here aren't directly meaningful — use the JWT
- * `content_security` pathway instead.
- */
-export function getPermissionsForRoles(roleNames: Iterable<string>): string[] {
-    const permissions = new Set<string>();
-    for (const roleName of roleNames) {
-        const role = getRoleByName(roleName);
-        for (const permission of role.permissions) {
-            permissions.add(permission);
-        }
-    }
-    return Array.from(permissions);
-}
-
-/**
- * A list of roles with a unified `hasPermission` check across them.
- */
-export class RoleList {
-    private constructor(public readonly roles: Role[]) {}
-
-    static fromRoleNames(roleNames: string[]): RoleList {
-        const roles = roleNames.map((r) => getRoleByName(r));
-        return new RoleList(roles);
-    }
-
-    static fromRoleName(roleName: string): RoleList {
-        const roles = [getRoleByName(roleName)];
-        return new RoleList(roles);
-    }
-
-    hasPermission(perm: string): boolean {
-        return this.roles.some((role) => role.hasPermission(perm));
-    }
-}