@vertesia/studio-utils 1.3.0

package/src/prompts/validate.ts

@@ -0,0 +1,216 @@
+import type { JSONObject } from '@llumiverse/common';
+import { type JSONSchema, TemplateType } from '@vertesia/common';
+import { getFreeVariables, renderJsTemplate } from '@vertesia/jst';
+import { extractHandlebarsVariables } from './extract-vars.js';
+import { generateMockData } from './mock-data.js';
+import { executeHandlebars } from './render.js';
+
+export type PromptValidationIssueType =
+    | 'undeclared_template_variable'
+    | 'unused_schema_variable'
+    | 'handlebars_render_error'
+    | 'jst_unsafe_construct'
+    | 'jst_render_error';
+
+export type PromptValidationIssueSeverity = 'error' | 'warning';
+
+export interface PromptValidationIssue {
+    /** Discriminator for issue kind */
+    type: PromptValidationIssueType;
+    /** Errors should block prompt creation; warnings are informational. */
+    severity: PromptValidationIssueSeverity;
+    /** The variable name when the issue is variable-related. */
+    variable?: string;
+    /** Human-readable message; safe to surface directly to an LLM tool error. */
+    message: string;
+}
+
+export interface PromptValidationResult {
+    /** Flat list of issues found. `severity` discriminates errors (blocking) from warnings. */
+    issues: PromptValidationIssue[];
+    /** Count of `severity: 'error'` entries in `issues`. Zero ⇔ validation passed. */
+    error_count: number;
+    /** Count of `severity: 'warning'` entries in `issues`. Non-blocking informational findings. */
+    warning_count: number;
+}
+
+export interface PromptValidationInput {
+    /** The prompt's template source. */
+    content: string;
+    /** Template language. `handlebars` and `jst` are validated; `text` passes through. */
+    contentType: TemplateType;
+    /** JSON Schema declaring the variables the template expects. */
+    inputSchema?: JSONSchema;
+}
+
+// JST's renderJsTemplate auto-adds `_` (helpers object) and runtime injects `Set` and `Array`
+// — treat them as globals so they don't appear as free vars in user templates.
+// Globals always available to JST templates regardless of schema:
+//  - `_`, `Array`, `Set`: runtime-injected by `renderJsTemplate` (jst library)
+//  - `_model`: runtime-injected by the studio-server executor as `{ ..._model: run.modelId }`
+//    (see ExecutionRequest.ts:313 and executor/rendering/template.ts:13)
+// Keeping these in sync with `renderTemplate` in ./render.ts so a JST template that runs in
+// production also passes the validator.
+const JST_AUTO_GLOBALS = ['_', 'Array', 'Set', '_model'];
+
+function countSeverities(issues: PromptValidationIssue[]): { error_count: number; warning_count: number } {
+    let error_count = 0;
+    let warning_count = 0;
+    for (const issue of issues) {
+        if (issue.severity === 'error') {
+            error_count++;
+        } else if (issue.severity === 'warning') {
+            warning_count++;
+        }
+    }
+    return { error_count, warning_count };
+}
+
+function validateHandlebarsPrompt(content: string, inputSchema?: JSONSchema): PromptValidationIssue[] {
+    const issues: PromptValidationIssue[] = [];
+    const usedVars = extractHandlebarsVariables(content);
+    const declaredVars = new Set<string>(inputSchema?.properties ? Object.keys(inputSchema.properties) : []);
+
+    for (const used of usedVars) {
+        if (!declaredVars.has(used)) {
+            issues.push({
+                type: 'undeclared_template_variable',
+                severity: 'error',
+                variable: used,
+                message: `Template references variable '{{${used}}}' but it is not declared in input_schema.properties. Add '${used}' to the schema with an appropriate type.`,
+            });
+        }
+    }
+
+    for (const declared of declaredVars) {
+        if (!usedVars.has(declared)) {
+            issues.push({
+                type: 'unused_schema_variable',
+                severity: 'warning',
+                variable: declared,
+                message: `Schema declares property '${declared}' but the template never references it. Remove it from input_schema or use it via {{${declared}}}.`,
+            });
+        }
+    }
+
+    // Render-time smoke test — always runs so syntax errors and failing helper calls are
+    // surfaced even when undeclared-variable errors are already in the list. Handlebars renders
+    // missing vars as empty strings (non-strict by default), so the render check does NOT echo
+    // the var errors — anything it reports is a distinct template problem worth showing.
+    const renderSchema = inputSchema ?? ({} as JSONSchema);
+    const mockData = generateMockData(renderSchema);
+    const mockObject: JSONObject =
+        typeof mockData === 'object' && mockData !== null && !Array.isArray(mockData) ? (mockData as JSONObject) : {};
+    const renderResult = executeHandlebars(content, renderSchema, mockObject);
+    if (!renderResult.success) {
+        issues.push({
+            type: 'handlebars_render_error',
+            severity: 'error',
+            message: `Handlebars rendering failed: ${renderResult.error}`,
+        });
+    }
+
+    return issues;
+}
+
+function validateJstPrompt(content: string, inputSchema?: JSONSchema): PromptValidationIssue[] {
+    const issues: PromptValidationIssue[] = [];
+    const declaredVars = new Set<string>(inputSchema?.properties ? Object.keys(inputSchema.properties) : []);
+
+    let referenced: Set<string>;
+    try {
+        const result = getFreeVariables(content, {
+            globals: JST_AUTO_GLOBALS,
+            acorn: { allowReturnOutsideFunction: true, locations: true },
+        });
+        referenced = result.vars;
+        for (const err of result.errors) {
+            issues.push({
+                type: 'jst_unsafe_construct',
+                severity: 'error',
+                message: `JST validation error at ${err.location}: ${err.message}`,
+            });
+        }
+    } catch (parseError) {
+        // Acorn parse failure — surface as render error since the template can't be compiled.
+        issues.push({
+            type: 'jst_render_error',
+            severity: 'error',
+            message: `JST parse failed: ${parseError instanceof Error ? parseError.message : String(parseError)}`,
+        });
+        return issues;
+    }
+
+    for (const used of referenced) {
+        if (!declaredVars.has(used)) {
+            issues.push({
+                type: 'undeclared_template_variable',
+                severity: 'error',
+                variable: used,
+                message: `Template references variable '${used}' but it is not declared in input_schema.properties. Add '${used}' to the schema with an appropriate type.`,
+            });
+        }
+    }
+
+    for (const declared of declaredVars) {
+        if (!referenced.has(declared)) {
+            issues.push({
+                type: 'unused_schema_variable',
+                severity: 'warning',
+                variable: declared,
+                message: `Schema declares property '${declared}' but the template never references it. Remove it from input_schema or use it in the template.`,
+            });
+        }
+    }
+
+    // Render-time smoke test — only if there are no blocking errors so far, otherwise
+    // the failure mode would just echo what we already reported.
+    const blockingSoFar = issues.some((i) => i.severity === 'error');
+    if (!blockingSoFar) {
+        const renderSchema = inputSchema ?? ({} as JSONSchema);
+        const mockData = generateMockData(renderSchema);
+        const mockObject: JSONObject =
+            typeof mockData === 'object' && mockData !== null && !Array.isArray(mockData)
+                ? (mockData as JSONObject)
+                : {};
+        try {
+            renderJsTemplate(content, [...declaredVars], mockObject);
+        } catch (renderError) {
+            issues.push({
+                type: 'jst_render_error',
+                severity: 'error',
+                message: `JST rendering failed: ${renderError instanceof Error ? renderError.message : String(renderError)}`,
+            });
+        }
+    }
+
+    return issues;
+}
+
+/**
+ * Validate a single prompt template against its declared input schema.
+ *
+ * For `handlebars` and `jst` templates, the following checks are performed:
+ *  1. Every variable referenced in the template must be declared as a top-level property
+ *     in `inputSchema.properties` (else → `undeclared_template_variable` error).
+ *  2. Every property declared in `inputSchema.properties` should be referenced by the template
+ *     (else → `unused_schema_variable` warning — non-blocking).
+ *  3. The template must render successfully against schema-derived mock data
+ *     (else → `handlebars_render_error` / `jst_render_error` error).
+ *  4. For JST only: unsafe constructs (`with`, `for`, `while`, `import`, class, `this`,
+ *     dynamic property lookup, blacklisted props) → `jst_unsafe_construct` error.
+ *
+ * `text` content type passes through with no issues.
+ */
+export function validatePrompt(input: PromptValidationInput): PromptValidationResult {
+    let issues: PromptValidationIssue[];
+    if (input.contentType === TemplateType.handlebars) {
+        issues = validateHandlebarsPrompt(input.content, input.inputSchema);
+    } else if (input.contentType === TemplateType.jst) {
+        issues = validateJstPrompt(input.content, input.inputSchema);
+    } else {
+        issues = [];
+    }
+    const { error_count, warning_count } = countSeverities(issues);
+    return { issues, error_count, warning_count };
+}

package/src/roles/classes.ts

@@ -0,0 +1,78 @@
+import type { AbacScope, Permission, RoleDomain } from '@vertesia/common';
+
+/**
+ * Class hierarchy and registry-bound interface for the role system. These
+ * are LOGIC — they have runtime behavior (constructors, instance methods,
+ * subclass dispatch via `instanceof`). They live in `@vertesia/studio-utils`
+ * (not common) per the package-layering contract: only types stay in common.
+ */
+
+/**
+ * A role: a named bundle of permissions that ACEs reference by name.
+ *
+ * Generic over the permission type so subclasses can tighten it:
+ *  - **System roles** declare `extends Role<Permission>` — construction time
+ *    type-checks against the central `Permission` enum.
+ *  - **ABAC roles** (`AbacRole`) declare `extends Role<string>` — permissions
+ *    are bare verbs (`'read'`, `'write'`, `'delete'`, future domain-specific
+ *    verbs) consumed by the JWT generator to form `{scope}:{verb}` keys in
+ *    `content_security`.
+ *
+ * The registry stores `Role` (defaulting to `Role<string>`) — the loose type
+ * is the lowest common denominator. Tight typing is only enforced at
+ * declaration sites of the role subclasses.
+ */
+export class Role<PermissionType extends string = string> {
+    permissions: Set<PermissionType>;
+    constructor(
+        public name: string,
+        permissions: PermissionType[],
+        public domain: RoleDomain,
+    ) {
+        this.permissions = new Set(permissions);
+    }
+
+    hasPermission(permission: PermissionType) {
+        return this.permissions.has(permission);
+    }
+}
+
+/**
+ * Base class for built-in system roles. Hardcodes `domain: 'system'` and
+ * specializes `Role<Permission>` so subclasses get compile-time type-checking
+ * against the central `Permission` enum at construction.
+ */
+export class SystemRole extends Role<Permission> {
+    constructor(name: string, permissions: Permission[]) {
+        super(name, permissions, 'system');
+    }
+}
+
+/**
+ * A role usable in ContentSet ACEs. Adds `applicableScopes` — the kinds of
+ * objects the role can be applied to at the ABAC scope level. Inherits
+ * `Role<string>` because ABAC verbs aren't constrained to the central
+ * `Permission` enum.
+ *
+ * The IAM UI filters via `listAbacRolesForScope` which checks `instanceof AbacRole`.
+ */
+export class AbacRole extends Role<string> {
+    constructor(
+        name: string,
+        permissions: string[],
+        domain: RoleDomain,
+        public applicableScopes: readonly AbacScope[],
+    ) {
+        super(name, permissions, domain);
+    }
+}
+
+/**
+ * A logical bucket of roles owned by a single domain. The registry iterates
+ * partitions in registration order — first match wins. The `system` partition
+ * is registered first so domain partitions cannot shadow built-in system roles.
+ */
+export interface RolePartition {
+    domain: RoleDomain;
+    roles: Map<string, Role>;
+}

package/src/roles/content.ts

@@ -0,0 +1,46 @@
+import type { AbacScope, RoleDomain } from '@vertesia/common';
+import { AbacRole, type Role, type RolePartition } from './classes.js';
+
+const ContentRoleDomain: RoleDomain = 'content';
+
+const APPLICABLE_SCOPES: readonly AbacScope[] = ['document', 'collection'];
+
+/**
+ * Names of roles owned by the `content` domain. Apply to ContentSet ACEs
+ * scoped to either `document` or `collection` — the semantics of "read
+ * content" are the same for both kinds.
+ */
+export enum ContentRoleNames {
+    content_reader = 'content_reader',
+    content_writer = 'content_writer',
+    content_manager = 'content_manager',
+}
+
+class ContentReaderRole extends AbacRole {
+    constructor() {
+        super(ContentRoleNames.content_reader, ['read'], ContentRoleDomain, APPLICABLE_SCOPES);
+    }
+}
+
+class ContentWriterRole extends AbacRole {
+    constructor() {
+        super(ContentRoleNames.content_writer, ['read', 'write'], ContentRoleDomain, APPLICABLE_SCOPES);
+    }
+}
+
+class ContentManagerRole extends AbacRole {
+    constructor() {
+        super(ContentRoleNames.content_manager, ['read', 'write', 'delete'], ContentRoleDomain, APPLICABLE_SCOPES);
+    }
+}
+
+const contentRoles: Record<ContentRoleNames, Role> = {
+    [ContentRoleNames.content_reader]: new ContentReaderRole(),
+    [ContentRoleNames.content_writer]: new ContentWriterRole(),
+    [ContentRoleNames.content_manager]: new ContentManagerRole(),
+};
+
+export const contentPartition: RolePartition = {
+    domain: ContentRoleDomain,
+    roles: new Map(Object.entries(contentRoles)),
+};

package/src/roles/index.test.ts

@@ -0,0 +1,206 @@
+import { Permission, SystemRoles } from '@vertesia/common';
+import { describe, expect, it } from 'vitest';
+import { ContentRoleNames } from './content.js';
+import {
+    AbacRole,
+    getAllRoleNames,
+    getPermissionsForRoles,
+    getRoleByName,
+    listAbacRolesForScope,
+    listRoles,
+    listRolesByDomain,
+    listSystemRoles,
+    Role,
+    RoleList,
+    SystemRole,
+} from './index.js';
+
+describe('getRoleByName', () => {
+    it('returns a system role by name', () => {
+        const role = getRoleByName(SystemRoles.owner);
+        expect(role).toBeInstanceOf(SystemRole);
+        expect(role.name).toBe('owner');
+        expect(role.domain).toBe('system');
+    });
+
+    it('returns an ABAC role by name', () => {
+        const role = getRoleByName(ContentRoleNames.content_reader);
+        expect(role).toBeInstanceOf(AbacRole);
+        expect(role.name).toBe('content_reader');
+        expect(role.domain).toBe('content');
+    });
+
+    it('throws on unknown role', () => {
+        expect(() => getRoleByName('not_a_real_role')).toThrow(/Role not_a_real_role not found/);
+    });
+
+    it('queries partitions in registration order — system first', () => {
+        // System partition is registered before content. Even if a future partition
+        // declared a role named 'owner', the system one would still win.
+        const role = getRoleByName(SystemRoles.owner);
+        expect(role.domain).toBe('system');
+    });
+});
+
+describe('listRoles', () => {
+    it('returns every role across all partitions', () => {
+        const roles = listRoles();
+        // 16 system roles + 3 content roles
+        expect(roles).toHaveLength(19);
+    });
+
+    it('lists system roles before content roles (partition registration order)', () => {
+        const roles = listRoles();
+        const systemCount = roles.filter((r) => r.domain === 'system').length;
+        const contentCount = roles.filter((r) => r.domain === 'content').length;
+        expect(systemCount).toBe(16);
+        expect(contentCount).toBe(3);
+
+        // First 16 are system, next 3 are content
+        for (let i = 0; i < 16; i++) expect(roles[i].domain).toBe('system');
+        for (let i = 16; i < 19; i++) expect(roles[i].domain).toBe('content');
+    });
+});
+
+describe('listRolesByDomain', () => {
+    it('returns only system roles for "system"', () => {
+        const roles = listRolesByDomain('system');
+        expect(roles).toHaveLength(16);
+        expect(roles.every((r) => r.domain === 'system')).toBe(true);
+    });
+
+    it('returns only content roles for "content"', () => {
+        const roles = listRolesByDomain('content');
+        expect(roles).toHaveLength(3);
+        expect(roles.every((r) => r.domain === 'content')).toBe(true);
+    });
+
+    it('returns empty for an unregistered domain', () => {
+        expect(listRolesByDomain('tasks')).toEqual([]);
+    });
+});
+
+describe('listSystemRoles', () => {
+    it('returns SystemRole instances', () => {
+        const roles = listSystemRoles();
+        expect(roles).toHaveLength(16);
+        expect(roles.every((r) => r instanceof SystemRole)).toBe(true);
+    });
+
+    it('excludes ABAC roles', () => {
+        const roles = listSystemRoles();
+        expect(roles.some((r) => r instanceof AbacRole)).toBe(false);
+    });
+});
+
+describe('listAbacRolesForScope', () => {
+    it('returns content roles for "document" scope', () => {
+        const roles = listAbacRolesForScope('document');
+        expect(roles).toHaveLength(3);
+        expect(roles.map((r) => r.name).sort()).toEqual(['content_manager', 'content_reader', 'content_writer']);
+    });
+
+    it('returns content roles for "collection" scope (same roles, applicableScopes covers both)', () => {
+        const roles = listAbacRolesForScope('collection');
+        expect(roles).toHaveLength(3);
+        expect(roles.every((r) => r.applicableScopes.includes('collection'))).toBe(true);
+    });
+
+    it('returns empty for "task" scope (no task partition registered)', () => {
+        expect(listAbacRolesForScope('task')).toEqual([]);
+    });
+
+    it('returns AbacRole instances only — no system roles bleed through', () => {
+        const roles = listAbacRolesForScope('document');
+        expect(roles.every((r) => r instanceof AbacRole)).toBe(true);
+    });
+});
+
+describe('getAllRoleNames', () => {
+    it('returns names of every registered role', () => {
+        const names = getAllRoleNames();
+        expect(names).toHaveLength(19);
+        expect(names).toContain('owner');
+        expect(names).toContain('content_reader');
+    });
+
+    it('produces a flat list suited for mongoose enum constraints', () => {
+        const names = getAllRoleNames();
+        expect(names.every((n) => typeof n === 'string')).toBe(true);
+    });
+});
+
+describe('getPermissionsForRoles', () => {
+    it('merges permissions across multiple roles, deduped', () => {
+        // content_reader: ['read']
+        // content_writer: ['read', 'write']
+        const merged = getPermissionsForRoles([ContentRoleNames.content_reader, ContentRoleNames.content_writer]);
+        expect(merged.sort()).toEqual(['read', 'write']);
+    });
+
+    it('returns system Permission values for system roles', () => {
+        const merged = getPermissionsForRoles([SystemRoles.reader]);
+        // reader role has: int_read, run_read, content_read + account_member (via OrgMemberRole)
+        expect(merged).toContain(Permission.int_read);
+        expect(merged).toContain(Permission.content_read);
+        expect(merged).toContain(Permission.account_member);
+    });
+});
+
+describe('Role instances', () => {
+    it('SystemRole hasPermission for granted Permission', () => {
+        const owner = getRoleByName(SystemRoles.owner);
+        expect(owner.hasPermission(Permission.content_read)).toBe(true);
+        expect(owner.hasPermission(Permission.manage_billing)).toBe(true);
+    });
+
+    it('SystemRole hasPermission false for arbitrary string', () => {
+        const reader = getRoleByName(SystemRoles.reader);
+        expect(reader.hasPermission('not_a_real_perm')).toBe(false);
+    });
+
+    it('AbacRole carries applicableScopes', () => {
+        const reader = getRoleByName(ContentRoleNames.content_reader) as AbacRole;
+        expect(reader.applicableScopes).toEqual(['document', 'collection']);
+    });
+
+    it('AbacRole permissions are bare verbs, not Permission enum values', () => {
+        const manager = getRoleByName(ContentRoleNames.content_manager);
+        expect(Array.from(manager.permissions).sort()).toEqual(['delete', 'read', 'write']);
+    });
+});
+
+describe('SystemRole vs AbacRole discrimination', () => {
+    it('SystemRole instanceof Role', () => {
+        const owner = getRoleByName(SystemRoles.owner);
+        expect(owner).toBeInstanceOf(Role);
+        expect(owner).toBeInstanceOf(SystemRole);
+        expect(owner).not.toBeInstanceOf(AbacRole);
+    });
+
+    it('AbacRole instanceof Role', () => {
+        const reader = getRoleByName(ContentRoleNames.content_reader);
+        expect(reader).toBeInstanceOf(Role);
+        expect(reader).toBeInstanceOf(AbacRole);
+        expect(reader).not.toBeInstanceOf(SystemRole);
+    });
+});
+
+describe('RoleList', () => {
+    it('fromRoleNames composes a list checkable for permissions', () => {
+        const list = RoleList.fromRoleNames([SystemRoles.reader, SystemRoles.executor]);
+        expect(list.hasPermission(Permission.content_read)).toBe(true); // from reader
+        expect(list.hasPermission(Permission.int_execute)).toBe(true); // from executor
+        expect(list.hasPermission(Permission.manage_billing)).toBe(false); // neither has it
+    });
+
+    it('fromRoleName composes a single-role list', () => {
+        const list = RoleList.fromRoleName(SystemRoles.billing);
+        expect(list.hasPermission(Permission.manage_billing)).toBe(true);
+        expect(list.hasPermission(Permission.content_write)).toBe(false);
+    });
+
+    it('throws on unknown role name', () => {
+        expect(() => RoleList.fromRoleNames(['not_real'])).toThrow(/Role not_real not found/);
+    });
+});

package/src/roles/index.ts

@@ -0,0 +1,96 @@
+import type { AbacScope, RoleDomain } from '@vertesia/common';
+import { AbacRole, type Role, type RolePartition, SystemRole } from './classes.js';
+import { contentPartition } from './content.js';
+import { systemPartition } from './system.js';
+
+export { AbacRole, Role, type RolePartition, SystemRole } from './classes.js';
+export { ContentRoleNames } from './content.js';
+
+/**
+ * The ordered partition registry. Partitions are queried in this order — first
+ * match wins. The `system` partition is registered first so domain-specific
+ * partitions (added later) cannot shadow built-in system roles.
+ */
+const partitions: RolePartition[] = [systemPartition, contentPartition];
+
+/** Look up a role by its name across all registered partitions. */
+export function getRoleByName(name: string): Role {
+    for (const partition of partitions) {
+        const role = partition.roles.get(name);
+        if (role) return role;
+    }
+    throw new Error(`Role ${name} not found`);
+}
+
+/** List every role across all partitions, in partition registration order. */
+export function listRoles(): Role[] {
+    const result: Role[] = [];
+    for (const partition of partitions) {
+        for (const role of partition.roles.values()) {
+            result.push(role);
+        }
+    }
+    return result;
+}
+
+/** Roles owned by a specific domain (e.g. `'system'`, `'content'`). */
+export function listRolesByDomain(domain: RoleDomain): Role[] {
+    const partition = partitions.find((p) => p.domain === domain);
+    return partition ? Array.from(partition.roles.values()) : [];
+}
+
+/**
+ * ABAC roles applicable to a given ContentSet scope (e.g. `'document'`,
+ * `'collection'`). System roles are excluded — they don't carry scope semantics.
+ */
+export function listAbacRolesForScope(scope: AbacScope): AbacRole[] {
+    return listRoles().filter((r): r is AbacRole => r instanceof AbacRole && r.applicableScopes.includes(scope));
+}
+
+/** Shortcut for the system partition: returns only `SystemRole` instances. */
+export function listSystemRoles(): SystemRole[] {
+    return listRoles().filter((r): r is SystemRole => r instanceof SystemRole);
+}
+
+/** Names of every registered role across all partitions — suited for mongoose schema enum constraints. */
+export function getAllRoleNames(): string[] {
+    return listRoles().map((r) => r.name);
+}
+
+/**
+ * Merge the permissions granted by a set of roles into a single array.
+ * Intended for the system-role gating path. For ABAC roles, the bare-verb
+ * permissions returned here aren't directly meaningful — use the JWT
+ * `content_security` pathway instead.
+ */
+export function getPermissionsForRoles(roleNames: Iterable<string>): string[] {
+    const permissions = new Set<string>();
+    for (const roleName of roleNames) {
+        const role = getRoleByName(roleName);
+        for (const permission of role.permissions) {
+            permissions.add(permission);
+        }
+    }
+    return Array.from(permissions);
+}
+
+/**
+ * A list of roles with a unified `hasPermission` check across them.
+ */
+export class RoleList {
+    private constructor(public readonly roles: Role[]) {}
+
+    static fromRoleNames(roleNames: string[]): RoleList {
+        const roles = roleNames.map((r) => getRoleByName(r));
+        return new RoleList(roles);
+    }
+
+    static fromRoleName(roleName: string): RoleList {
+        const roles = [getRoleByName(roleName)];
+        return new RoleList(roles);
+    }
+
+    hasPermission(perm: string): boolean {
+        return this.roles.some((role) => role.hasPermission(perm));
+    }
+}