@via-profit/ability 3.2.0 → 3.4.0

package/CHANGELOG.md

@@ -1,129 +1,2 @@
 # Changelog
 
-## [3.2.0] - 2026-x3-xx
-
-### Изменено
-
-- Метод `AbilityPolicy.parseAll()` переименован в `AbilityPolicy.fromJSONAll()`
-- Метод `AbilityPolicy.parse()` переименован в `AbilityPolicy.toJSON()`
-- Метод `AbilityRule.parse()` переименован в `AbilityRule.toJSON()`
-- Метод `AbilityRuleSet.parse()` переименован в `.toJSON()`
-
-## [3.1.0] - 2026-03-20
-
-### Добавлено
-
-- Реализован кэш
-  - Добавлен кэш-провайдер `AbilityCacheProvider` для реализации кастомного кэша
-  - Реализован и включён по умолчанию `AbilityInMemoryCache` (кэш в памяти)
-- Добавлена полноценная поддержка `environment` как третьего аргумента в:
-  - `resolver.resolve(action, resource, environment)`
-  - `resolver.enforce(action, resource, environment)`
-- Введена возможность использовать пути вида `env.*` в правилах политик.
-  - Пример: `"subject": "env.time.hour"`
-- Добавлена поддержка смешанных сравнений:
-  - `resource.*` ↔ `env.*`
-  - литерал ↔ `env.*`
-  - `env.*` ↔ литерал
-
-### Breaking changes
-
-Асинхронизация механизма проверки политик.
-Все методы, участвующие в цепочке вычисления разрешений, теперь возвращают `Promise`.
-
-#### Изменено
-
-- `AbilityRule.check(resource): Promise<AbilityMatch>`  
-  Ранее возвращал `AbilityMatch` синхронно.
-
-- `AbilityRuleSet.check(resource): Promise<AbilityMatch>`  
-  Теперь выполняет правила последовательно и асинхронно.
-
-- `AbilityPolicy.check(resource): Promise<AbilityMatch>`  
-  Асинхронно проверяет ruleSet в строгом порядке.
-
-- `AbilityResolver.resolve(action, resource): Promise<AbilityResult>`  
-  Теперь асинхронный метод, который дожидается выполнения всех политик.
-
-- `AbilityResolver.enforce(action, resource): Promise<void | never>`  
-  Теперь работает асинхронно.
-
-### Миграция
-
-1. Все вызовы `check()` должны быть обновлены:
-
-```ts
-await rule.check(resource);
-await ruleSet.check(resource);
-await policy.check(resource);
-```
-
-2. Все вызовы `resolver.resolve()` и `resolver.enforce()` теперь требуют `await`:
-
-```ts
-await resolver.resolve('order.update', resource);
-await resolver.enforce('order.update', resource);
-```
-
-## [3.0.1] - 2026-03-19
-
-## Добавлено
-
-### 1. **Лицензия MIT** (`LICENSE`)
-
-- Добавлен официальный файл лицензии MIT от Via Profit
-
-### 2. **Класс `AbilityExplain.ts`**
-
-- Новый класс для получения человекочитаемых объяснений результатов проверки
-- Классы-наследники:
-    - `AbilityExplainRule` - объяснение для правила
-    - `AbilityExplainRuleSet` - объяснение для группы правил
-    - `AbilityExplainPolicy` - объяснение для политики
-- Метод `toString()` форматирует вывод с отступами и символами ✓/✗
-
----
-
-## Обновлено
-
-### **AbilityParser.ts** (полная переработка)
-
-- **Было**: Базовая генерация типов
-- **Стало**: Расширенная система генерации TypeScript типов
-- Новые методы:
-    - `determineTypeFromRule()` - определение типа на основе правила
-    - `getArrayType()` - обработка массивов
-    - `getPrimitiveType()` - определение примитивных типов
-    - `buildNestedStructure()` - трансформация плоской структуры во вложенную
-    - `formatTypeDefinitions()` - форматирование финального вывода
-    - `formatNestedObject()` - рекурсивное форматирование объектов
-
-### **AbilityRule.ts**
-
-- `id` и `name` теперь опциональные (`?`)
-- Автогенерация `id` и `name` если не предоставлены
-- **Новые статические методы** (фабричные методы):
-    - `equal()`, `notEqual()`, `in()`, `notIn()`
-    - `lessThan()`, `lessOrEqual()`, `moreThan()`, `moreOrEqual()`
-
-### **AbilityRuleSet.ts**
-
-- `id` и `name` теперь опциональные
-- Добавлены статические методы:
-    - `and()` - создание группы с логическим И
-    - `or()` - создание группы с логическим ИЛИ
-
-### **AbilityPolicy.ts**
-
-- Новый метод `explain()` - получение объяснения проверки
-- Новый статический метод `parseAll()` - парсинг массива конфигураций
-- Улучшены комментарии к полю `action`
-
-### **AbilityResolver.ts**
-
-- Новый метод `resolveWithExplain()` - проверка с детальным объяснением
-- Возвращает массив `AbilityExplain[]` для анализа результатов
-
----
-
-## Обновлена документация и примеры

package/README.md

@@ -3,6 +3,15 @@
 > A set of services that partially implement the [Attribute Based Access Control](https://en.wikipedia.org/wiki/Attribute-based_access_control) principle.
 > The package allows you to describe rules, combine them into groups, form policies, and apply them to data to determine permissions.
 
+![npm version](https://img.shields.io/npm/v/%40via-profit/ability)
+![npm downloads](https://img.shields.io/npm/dm/%40via-profit/ability)
+![license](https://img.shields.io/github/license/via-profit/ability)
+![TypeScript](https://img.shields.io/badge/TypeScript-Ready-blue)
+![status](https://img.shields.io/badge/status-active-success)
+![issues](https://img.shields.io/github/issues/via-profit/ability)
+![stars](https://img.shields.io/github/stars/via-profit/ability?style=social)
+
+
 ## Language / Язык
 
 - [🇬🇧 English](/docs/en/README.md)
@@ -543,6 +552,34 @@ order.total
 | **length greater than** | `len >` | `tags length greater than 2` | Length greater than | array, string |
 | **length less than** | `len <` | `tags length less than 5` | Length less than | array, string |
 
+Here is the English version, keeping the structure and tone consistent with your documentation style.
+
+**Special Operators**
+
+| DSL Operator | Synonyms | Example | Description | Types |
+|--------------|----------|---------|-------------|--------|
+| **always** | — | `always` | The condition is always true. Used for global allow rules or simplifying logic. | special operator |
+| **never** | — | `never` | The condition is always false. Used for global deny rules or disabling a rule. | special operator |
+
+
+**always**
+An operator that always returns `true`.  
+Used for:
+
+- global allow (`permit permission.* if all: always`)
+- testing
+- disabling complex conditions
+- creating fallback rules
+
+**never**
+An operator that always returns `false`.  
+Used for:
+
+- global deny (`deny permission.* if all: never`)
+- temporarily disabling a rule
+- explicit unconditional rejection
+
+
 #### Value
 
 Supported values:
@@ -693,18 +730,14 @@ This allows:
 
 ## TypeScript Type Generator
 
-`AbilityParser.generateTypeDefs()` generates TypeScript types based on policies, allowing you to avoid discrepancies between types and data in policies.
+`AbilityTypeGenerator.generateTypeDefs(policies)` generates TypeScript types based on policies, allowing you to avoid inconsistencies between types and the data in the policies.
 
-**Usage Example**
+**Example usage**
 
-First, you need to prepare an array of policies. Policies can be stored in DSL or JSON and parsed into an array of ready-made policies. In this example, for clarity, policies are stored in DSL.
+Policies can be stored in DSL or JSON. This example uses a DSL file.
 
-```ts
-// scripts/policies.ts
-
-import { AbilityDSLParser } from '@via-profit/ability';
-
-const dsl = `
+_policies/policies.dsl_
+```
 # @name Update order
 permit permission.order.update if all:
 
@@ -712,25 +745,46 @@ permit permission.order.update if all:
   all of:
     # @name User is owner
     user.id = order.ownerId
-`;
+```
+
+_scripts/policies.js_
+```js
+const fs = require('node:fs');
+const path = require('node:path');
+const { AbilityTypeGenerator, AbilityDSLParser } = require('@via-profit/ability');
+
+// Prepare paths
+const dslPath = path.resolve(__dirname, '../src/policies/policies.dsl');
+const typeDefsPath = path.join(path.dirname(dslPath), 'policies.types.ts');
 
+// Read DSL as a string
+const dsl = fs.readFileSync(dslPath, {encoding: 'utf-8'});
+
+// Create policies
 const policies = new AbilityDSLParser(dsl).parse();
 
-export default policies;
+// Generate TypeScript types
+const typeDefs = new AbilityTypeGenerator(policies).generateTypeDefs();
+
+// Save TypeScript types to file
+fs.writeFileSync(typeDefsPath, typeDefs, {encoding: 'utf-8'});
 ```
 
+_policies/index.ts_
 ```ts
-// scripts/generate-types.ts
-import { writeFileSync } from 'node:fs';
-import { AbilityParser } from '@via-profit/ability';
-import policies from './policies.json';
+import { AbilityDSLParser, AbilityResolver } from '@via-profit/ability';
+import type { Resources } from './policies.types';
+import dsl from './policies.dsl';
 
-const typedefs = AbilityParser.generateTypeDefs(policies);
+const policies = new AbilityDSLParser<Resources>(dsl).parse();
+
+export const policyResolver = new AbilityResolver(new AbilityDSLParser<Resources>(dsl).parse());
+
+export default policyResolver;
 
-writeFileSync('./src/ability/types.generated.ts', typedefs, 'utf8');
 ```
 
-**Generated File (example)**
+**Generated file (example)**
 
 ```ts
 // src/ability/types.generated.ts
@@ -752,12 +806,7 @@ export type Resources = {
 **Usage in code**
 
 ```ts
-import { AbilityResolver, AbilityPolicy } from '@via-profit/ability';
-import type { Resources } from './ability/types.generated';
-
-const resolver = new AbilityResolver<Resources>(
-  AbilityPolicy.parseAll(policies),
-);
+import { policyResolver } from './policies';
 
 await resolver.enforce('order.update', {
   user: { id: 'u1' },
@@ -1322,4 +1371,4 @@ Throughput (ops/s)
 
 ## License
 
-This project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.
+This project is licensed under the MIT License. See the [LICENSE](/LICENSE) file for details.

package/dist/core/AbilityCondition.d.ts

@@ -1,6 +1,6 @@
 import AbilityCode from './AbilityCode';
-export type AbilityConditionCodeType = '=' | '<>' | '>' | '<' | '>=' | '<=' | 'in' | 'not in' | 'contains' | 'not contains' | 'length greater than' | 'length less than' | 'length equals';
-export type AbilityConditionLiteralType = 'equals' | 'not_equals' | 'contains' | 'no_contains' | 'in' | 'not_in' | 'greater_than' | 'less_than' | 'less_or_equal' | 'greater_or_equal' | 'length_greater_than' | 'length_less_than' | 'length_equals';
+export type AbilityConditionCodeType = '=' | '<>' | '>' | '<' | '>=' | '<=' | 'in' | 'not in' | 'contains' | 'not contains' | 'length greater than' | 'length less than' | 'length equals' | 'always' | 'never';
+export type AbilityConditionLiteralType = 'equals' | 'not_equals' | 'contains' | 'no_contains' | 'in' | 'not_in' | 'greater_than' | 'less_than' | 'less_or_equal' | 'greater_or_equal' | 'length_greater_than' | 'length_less_than' | 'length_equals' | 'always' | 'never';
 export declare class AbilityCondition extends AbilityCode<AbilityConditionCodeType> {
     static equals: AbilityCondition;
     static not_equals: AbilityCondition;
@@ -15,6 +15,8 @@ export declare class AbilityCondition extends AbilityCode<AbilityConditionCodeTy
     static length_greater_than: AbilityCondition;
     static length_less_than: AbilityCondition;
     static length_equals: AbilityCondition;
+    static always: AbilityCondition;
+    static never: AbilityCondition;
     static fromLiteral(literal: AbilityConditionLiteralType): AbilityCondition;
     get literal(): AbilityConditionLiteralType;
 }

package/dist/core/AbilityPolicy.d.ts

@@ -3,7 +3,7 @@ import AbilityMatch from './AbilityMatch';
 import AbilityCompare, { AbilityCompareCodeType } from './AbilityCompare';
 import AbilityPolicyEffect, { AbilityPolicyEffectCodeType } from './AbilityPolicyEffect';
 import { AbilityExplain } from './AbilityExplain';
-import { ResourceObject } from './AbilityParser';
+import { ResourceObject } from './AbilityTypeGenerator';
 export type AbilityPolicyConfig = {
     readonly permission: string;
     readonly effect: AbilityPolicyEffectCodeType;

package/dist/core/AbilityResolver.d.ts

@@ -1,6 +1,6 @@
 import AbilityPolicy from './AbilityPolicy';
 import { AbilityResult } from './AbilityResult';
-import { ResourcesMap } from './AbilityParser';
+import { ResourcesMap } from './AbilityTypeGenerator';
 import { AbilityCacheAdapter } from '../cache/AbilityCacheAdapter';
 export type AbilityResolverOptions = {
     readonly cache?: AbilityCacheAdapter | null;

package/dist/core/AbilityResult.d.ts

@@ -1,5 +1,5 @@
 import { AbilityExplain } from './AbilityExplain';
-import { ResourceObject } from './AbilityParser';
+import { ResourceObject } from './AbilityTypeGenerator';
 import AbilityPolicy from './AbilityPolicy';
 import AbilityPolicyEffect from './AbilityPolicyEffect';
 export declare class AbilityResult<Resource extends ResourceObject = Record<string, unknown>> {

package/dist/core/AbilityRuleSet.d.ts

@@ -1,7 +1,7 @@
 import AbilityRule, { AbilityRuleConfig } from './AbilityRule';
 import AbilityCompare, { AbilityCompareCodeType } from './AbilityCompare';
 import AbilityMatch from './AbilityMatch';
-import { ResourceObject } from './AbilityParser';
+import { ResourceObject } from './AbilityTypeGenerator';
 export type AbilityRuleSetConfig = {
     readonly id?: string | null;
     readonly name?: string | null;

package/dist/core/AbilityTypeGenerator.d.ts

@@ -0,0 +1,55 @@
+import AbilityPolicy from './AbilityPolicy';
+export type Primitive = string | number | boolean | null | undefined;
+export type NestedDict<T = Primitive> = {
+    [key: string]: NestedDict<T> | T;
+};
+export type ResourceObject = Record<string, unknown>;
+export type ResourcesMap = Record<string, ResourceObject>;
+export declare class AbilityTypeGenerator {
+    readonly policies: readonly AbilityPolicy[];
+    constructor(policies: readonly AbilityPolicy[]);
+    /**
+     * Generates TypeScript type definitions based on the provided policies.
+     * @returns A generated type definitions.
+     */
+    generateTypeDefs(): string;
+    /**
+     * Determines TypeScript type based on the rule
+     * @param rule - The rule to analyze
+     * @returns TypeScript type as string
+     */
+    private determineTypeFromRule;
+    /**
+     * Gets TypeScript type for array values
+     * @param resource - The resource value to analyze
+     * @returns TypeScript array type as string
+     */
+    private getArrayType;
+    /**
+     * Gets primitive TypeScript type for a value
+     * @param value - The value to analyze
+     * @returns TypeScript primitive type as string
+     */
+    private getPrimitiveType;
+    /**
+     * Builds nested structure from flat paths
+     * Example: 'user.profile.name' -> { user: { profile: { name: 'string' } } }
+     * @param flatStructure - Flat structure with dot notation paths
+     * @returns Nested object structure
+     */
+    private buildNestedStructure;
+    /**
+     * Formats type structure into a string
+     * @param structure - Nested type structure
+     * @returns Formatted TypeScript type definition string
+     */
+    private formatTypeDefinitions;
+    /**
+     * Recursively formats nested object
+     * @param obj - Object to format
+     * @param indent - Current indentation level
+     * @returns Formatted string
+     */
+    private formatNestedObject;
+}
+export default AbilityTypeGenerator;

package/dist/index.d.ts

@@ -3,7 +3,7 @@ export * from './core/AbilityCompare';
 export * from './core/AbilityCondition';
 export * from './core/AbilityError';
 export * from './core/AbilityMatch';
-export * from './core/AbilityParser';
+export * from './core/AbilityTypeGenerator';
 export * from './core/AbilityPolicy';
 export * from './core/AbilityPolicyEffect';
 export * from './core/AbilityResolver';

package/dist/index.js

@@ -46,6 +46,8 @@ class AbilityCondition extends AbilityCode {
     static length_greater_than = new AbilityCondition('length greater than');
     static length_less_than = new AbilityCondition('length less than');
     static length_equals = new AbilityCondition('length equals');
+    static always = new AbilityCondition('always');
+    static never = new AbilityCondition('never');
     static fromLiteral(literal) {
         switch (literal) {
             case 'equals':
@@ -72,6 +74,10 @@ class AbilityCondition extends AbilityCode {
                 return this.length_greater_than;
             case 'length_equals':
                 return this.length_equals;
+            case 'always':
+                return this.always;
+            case 'never':
+                return this.never;
             default:
                 throw new AbilityParserError(`Literal ${literal} does not found in AbilityCondition class`);
         }
@@ -94,56 +100,20 @@ class AbilityMatch extends AbilityCode {
     static mismatch = new AbilityMatch('mismatch');
 }
 
-class AbilityParser {
-    /**
-     * Sets a value in a nested object structure based on a dot/bracket notation path.
-     * @param object - The target object to modify.
-     * @param path - The path to the property in dot/bracket notation.
-     * @param value - The value to set at the specified path.
-     */
-    static setValueDotValue(object, path, value) {
-        if (!path || path.trim().length === 0) {
-            throw new AbilityParserError(`Invalid path provided on a [${path}]`);
-        }
-        const way = path.replace(/\[/g, '.').replace(/]/g, '').split('.');
-        const last = way.pop();
-        if (!last) {
-            throw new AbilityParserError(`Invalid path provided on a [${path}]`);
-        }
-        const lastObj = way.reduce((acc, key, index, array) => {
-            const currentValue = acc[key];
-            const nextKey = array[index + 1];
-            const shouldBeArray = nextKey !== undefined && isFinite(Number(nextKey));
-            if (currentValue === undefined || currentValue === null) {
-                // Create missing property
-                const newValue = shouldBeArray ? [] : {};
-                acc[key] = newValue;
-                return newValue;
-            }
-            if (typeof currentValue !== 'object') {
-                throw new AbilityParserError(`Cannot set property '${key}' on non-object value at path: ${path}`);
-            }
-            return currentValue;
-        }, object);
-        const existingValue = lastObj[last];
-        if (existingValue !== undefined &&
-            typeof existingValue === 'object' &&
-            existingValue !== null &&
-            !Array.isArray(existingValue)) {
-            throw new AbilityParserError(`Cannot set primitive value on existing object at path: ${path}`);
-        }
-        lastObj[last] = value;
+class AbilityTypeGenerator {
+    policies;
+    constructor(policies) {
+        this.policies = policies;
     }
     /**
      * Generates TypeScript type definitions based on the provided policies.
-     * @param policies - An array of AbilityPolicy instances.
      * @returns A generated type definitions.
      */
-    static generateTypeDefs(policies) {
+    generateTypeDefs() {
         // Structure to store types: { [action]: { [subjectPath]: type } }
         const typeStructure = {};
         // Iterate through all policies
-        policies.forEach(policy => {
+        this.policies.forEach(policy => {
             const action = policy.permission;
             // Initialize object for action if it doesn't exist
             if (!typeStructure[action]) {
@@ -175,7 +145,7 @@ class AbilityParser {
      * @param rule - The rule to analyze
      * @returns TypeScript type as string
      */
-    static determineTypeFromRule(rule) {
+    determineTypeFromRule(rule) {
         // Numeric comparisons - always number
         if (rule.condition.isEqual(AbilityCondition.greater_than) ||
             rule.condition.isEqual(AbilityCondition.less_than) ||
@@ -200,7 +170,7 @@ class AbilityParser {
      * @param resource - The resource value to analyze
      * @returns TypeScript array type as string
      */
-    static getArrayType(resource) {
+    getArrayType(resource) {
         if (Array.isArray(resource)) {
             if (resource.length === 0)
                 return 'any[]';
@@ -209,18 +179,18 @@ class AbilityParser {
             const elementType = elementTypes.size === 1
                 ? Array.from(elementTypes)[0]
                 : `(${Array.from(elementTypes).join(' | ')})`;
-            return `${elementType}[]`;
+            return `readonly ${elementType}[]`;
         }
         // If resource is not an array but condition is in/not_in,
         // it expects an array of such elements
-        return `${this.getPrimitiveType(resource)}[]`;
+        return `readonly ${this.getPrimitiveType(resource)}[]`;
     }
     /**
      * Gets primitive TypeScript type for a value
      * @param value - The value to analyze
      * @returns TypeScript primitive type as string
      */
-    static getPrimitiveType(value) {
+    getPrimitiveType(value) {
         if (value === null)
             return 'null';
         if (value === undefined)
@@ -247,7 +217,7 @@ class AbilityParser {
      * @param flatStructure - Flat structure with dot notation paths
      * @returns Nested object structure
      */
-    static buildNestedStructure(flatStructure) {
+    buildNestedStructure(flatStructure) {
         const result = {};
         Object.entries(flatStructure).forEach(([action, paths]) => {
             result[action] = {};
@@ -279,10 +249,9 @@ class AbilityParser {
      * @param structure - Nested type structure
      * @returns Formatted TypeScript type definition string
      */
-    static formatTypeDefinitions(structure) {
+    formatTypeDefinitions(structure) {
         let output = '// Automatically generated by via-profit/ability\n';
         output += '// Do not edit manually\n';
-        output += '\n/* eslint-disable */\n\n';
         output += 'export type Resources = {\n';
         // Sort actions for stable output
         const sortedActions = Object.keys(structure).sort();
@@ -300,7 +269,7 @@ class AbilityParser {
      * @param indent - Current indentation level
      * @returns Formatted string
      */
-    static formatNestedObject(obj, indent) {
+    formatNestedObject(obj, indent) {
         const spaces = ' '.repeat(indent);
         let output = '';
         // Sort keys for stable output
@@ -587,8 +556,12 @@ class AbilityResolver {
     async enforce(permission, resource, environment) {
         const result = await this.resolve(permission, resource, environment);
         if (result.isDenied()) {
-            const policyName = result.getLastMatchedPolicy()?.name?.toString() || 'unknown';
-            throw new AbilityError(`Permission denied by policy "${policyName}"`);
+            const lastPolicy = result.getLastMatchedPolicy();
+            if (lastPolicy) {
+                throw new AbilityError(`Permission denied by policy "${lastPolicy.name.toString()}"`);
+            }
+            // No policy matched → implicit deny
+            throw new AbilityError(`Permission denied: no matching policy found (implicit deny)`);
         }
     }
     /**
@@ -660,6 +633,10 @@ class AbilityRule {
         let is = false;
         const [subjectValue, resourceValue] = this.extractValues(resource, environment);
         const isValue = (v) => typeof v === 'string' || typeof v === 'number' || typeof v === 'boolean' || v === null;
+        // always
+        if (AbilityCondition.always.isEqual(this.condition)) {
+            is = true;
+        }
         // equals
         if (AbilityCondition.equals.isEqual(this.condition)) {
             is = subjectValue === resourceValue;
@@ -1254,6 +1231,8 @@ class AbilityDSLToken extends AbilityCode {
     static LEN_LT = 'LEN_LT';
     static LEN_EQ = 'LEN_EQ';
     static NOT_EQ = 'NOT_EQ';
+    static ALWAYS = 'ALWAYS';
+    static NEVER = 'NEVER';
     static STRING = 'STRING';
     static NUMBER = 'NUMBER';
     static BOOLEAN = 'BOOLEAN';
@@ -1296,6 +1275,8 @@ class AbilityDSLLexer {
         'is',
         'or',
         'than',
+        'always',
+        'never',
     ]);
     constructor(input) {
         this.input = input;
@@ -1441,6 +1422,12 @@ class AbilityDSLLexer {
             }
         }
         const word = this.input.slice(start, this.pos);
+        if (word === 'always') {
+            return new AbilityDSLToken(AbilityDSLToken.ALWAYS, word, startLine, startColumn);
+        }
+        if (word === 'never') {
+            return new AbilityDSLToken(AbilityDSLToken.NEVER, word, startLine, startColumn);
+        }
         // Если есть точка — это путь (identifier или permission)
         if (word.includes('.')) {
             const last = this.tokens[this.tokens.length - 1];
@@ -1703,7 +1690,9 @@ class AbilityDSLParser {
                 if (this.isStartOfGroup() || this.isStartOfPolicy()) {
                     break;
                 }
-                if (this.check(AbilityDSLToken.IDENTIFIER)) {
+                if (this.check(AbilityDSLToken.IDENTIFIER) ||
+                    this.check(AbilityDSLToken.ALWAYS) ||
+                    this.check(AbilityDSLToken.NEVER)) {
                     group.addRule(this.parseRule());
                 }
                 else {
@@ -1720,7 +1709,7 @@ class AbilityDSLParser {
     parseGroup() {
         this.consumeLeadingComments();
         const meta = this.takeAnnotations();
-        const compareToken = this.consumeOneOf([AbilityDSLToken.ALL, AbilityDSLToken.ANY], 'Expected "all" or "any"');
+        const compareToken = this.consumeOneOf([AbilityDSLToken.ALL, AbilityDSLToken.ANY, AbilityDSLToken.ALWAYS, AbilityDSLToken.NEVER], 'Expected "all" or "any" or "always" or "never"');
         const compareMethod = compareToken.code === AbilityDSLToken.ALL ? AbilityCompare.and : AbilityCompare.or;
         if (this.check(AbilityDSLToken.OF)) {
             this.advance();
@@ -1750,11 +1739,26 @@ class AbilityDSLParser {
     parseRule() {
         this.consumeLeadingComments();
         const meta = this.takeAnnotations();
-        if (!this.check(AbilityDSLToken.IDENTIFIER)) {
-            this.syntaxError(`Expected identifier, got ${this.peek().code}`, this.peek());
+        // if (this.check(AbilityDSLToken.ALWAYS) || this.check(AbilityDSLToken.NEVER)) {
+        //   // Checking that there are no extra tokens after the value
+        //   // (skip comments)
+        //   this.consumeLeadingComments();
+        //   const specOperator = this.consume();
+        //   // return new AbilityRule({
+        //   //   subject: '',
+        //   //   resource,
+        //   //   condition,
+        //   //   name: meta.name,
+        //   // });
+        // }
+        const isNeverAlways = this.check(AbilityDSLToken.ALWAYS) || this.check(AbilityDSLToken.NEVER);
+        if (!isNeverAlways && !this.check(AbilityDSLToken.IDENTIFIER)) {
+            this.syntaxError(`Expected identifier, but got ${this.peek().code}`, this.peek());
         }
         // Subject (e.g., "user.roles")
-        const subject = this.consume(AbilityDSLToken.IDENTIFIER, 'Expected field').value;
+        const subject = isNeverAlways
+            ? ''
+            : this.consume(AbilityDSLToken.IDENTIFIER, 'Expected field').value;
         // Operator (e.g., "contains", "equals", "is not null")
         const { condition, operator } = this.parseConditionOperator();
         let resource;
@@ -1762,7 +1766,9 @@ class AbilityDSLParser {
         // Special operators that don't consume a value token.
         if (operator === AbilityDSLToken.EQ_NULL ||
             operator === AbilityDSLToken.NOT_EQ_NULL ||
-            operator === AbilityDSLToken.NULL) {
+            operator === AbilityDSLToken.NULL ||
+            operator === AbilityDSLToken.ALWAYS ||
+            operator === AbilityDSLToken.NEVER) {
             resource = null;
         }
         else {
@@ -1794,6 +1800,16 @@ class AbilityDSLParser {
      */
     parseConditionOperator() {
         const savedPos = this.pos;
+        // "always"
+        if (this.matchWord('always')) {
+            return { condition: AbilityCondition.always, operator: AbilityDSLToken.ALWAYS };
+        }
+        this.pos = savedPos;
+        // "never"
+        if (this.matchWord('never')) {
+            return { condition: AbilityCondition.never, operator: AbilityDSLToken.NEVER };
+        }
+        this.pos = savedPos;
         // "length equals"
         if (this.matchWord('length') && this.matchWord('equals')) {
             return { condition: AbilityCondition.length_equals, operator: AbilityDSLToken.LEN_EQ };
@@ -1989,7 +2005,10 @@ class AbilityDSLParser {
             return false;
         }
         const token = this.peek();
-        if ((token.code === AbilityDSLToken.KEYWORD || token.code === AbilityDSLToken.IDENTIFIER) &&
+        if ((token.code === AbilityDSLToken.KEYWORD ||
+            token.code === AbilityDSLToken.IDENTIFIER ||
+            token.code === AbilityDSLToken.ALWAYS ||
+            token.code === AbilityDSLToken.NEVER) &&
             token.value === word) {
             this.advance();
             return true;
@@ -2134,9 +2153,6 @@ class AbilityDSLParser {
         }
         throw new AbilityDSLSyntaxError(token.line, token.column, context + '\n', finalDetails);
     }
-    getLine(lineNumber) {
-        return this.dsl.split(/\r?\n/)[lineNumber - 1] ?? '';
-    }
     suggest(actual, expectedTypes) {
         const candidates = [];
         for (const type of expectedTypes) {
@@ -2235,7 +2251,6 @@ exports.AbilityExplainRuleSet = AbilityExplainRuleSet;
 exports.AbilityInMemoryCache = AbilityInMemoryCache;
 exports.AbilityJSONParser = AbilityJSONParser;
 exports.AbilityMatch = AbilityMatch;
-exports.AbilityParser = AbilityParser;
 exports.AbilityParserError = AbilityParserError;
 exports.AbilityPolicy = AbilityPolicy;
 exports.AbilityPolicyEffect = AbilityPolicyEffect;
@@ -2243,3 +2258,4 @@ exports.AbilityResolver = AbilityResolver;
 exports.AbilityResult = AbilityResult;
 exports.AbilityRule = AbilityRule;
 exports.AbilityRuleSet = AbilityRuleSet;
+exports.AbilityTypeGenerator = AbilityTypeGenerator;

package/dist/parsers/dsl/AbilityDSLParser.d.ts

@@ -1,5 +1,5 @@
 import AbilityPolicy from '../../core/AbilityPolicy';
-import { ResourceObject } from '../../core/AbilityParser';
+import { ResourceObject } from '../../core/AbilityTypeGenerator';
 /**
  * Parser for the Ability DSL.
  *
@@ -72,7 +72,6 @@ export declare class AbilityDSLParser<Resource extends ResourceObject = Record<s
     private processCommentToken;
     private takeAnnotations;
     private syntaxError;
-    private getLine;
     private suggest;
     private levenshteinDistance;
     private consumeOneOf;

package/dist/parsers/dsl/AbilityDSLToken.d.ts

@@ -1,5 +1,5 @@
 import AbilityCode from '../../core/AbilityCode';
-export type TokenType = 'EFFECT' | 'IF' | 'PERMISSION' | 'IDENTIFIER' | 'COLON' | 'COMMA' | 'DOT' | 'LBRACKET' | 'RBRACKET' | 'ALL' | 'ANY' | 'OF' | 'EOF' | 'COMMENT' | 'EQ' | 'CONTAINS' | 'IN' | 'NOT_IN' | 'NOT_CONTAINS' | 'GT' | 'GTE' | 'LT' | 'LTE' | 'NULL' | 'EQ_NULL' | 'NOT_EQ_NULL' | 'NOT_EQ' | 'LEN_GT' | 'LEN_LT' | 'LEN_EQ' | 'STRING' | 'NUMBER' | 'BOOLEAN' | 'SYMBOL' | 'KEYWORD' | 'UNKNOWN';
+export type TokenType = 'EFFECT' | 'IF' | 'PERMISSION' | 'IDENTIFIER' | 'COLON' | 'COMMA' | 'DOT' | 'LBRACKET' | 'RBRACKET' | 'ALL' | 'ANY' | 'OF' | 'EOF' | 'COMMENT' | 'EQ' | 'CONTAINS' | 'IN' | 'NOT_IN' | 'NOT_CONTAINS' | 'GT' | 'GTE' | 'LT' | 'LTE' | 'NULL' | 'EQ_NULL' | 'NOT_EQ_NULL' | 'NOT_EQ' | 'LEN_GT' | 'LEN_LT' | 'LEN_EQ' | 'ALWAYS' | 'NEVER' | 'STRING' | 'NUMBER' | 'BOOLEAN' | 'SYMBOL' | 'KEYWORD' | 'UNKNOWN';
 /**
  * Represents a single token produced by the Ability DSL lexer.
  * Each token carries a type (e.g., EFFECT, IDENTIFIER, STRING) and its raw string value.
@@ -47,6 +47,8 @@ export declare class AbilityDSLToken<Code extends TokenType = TokenType> extends
     static readonly LEN_LT: TokenType;
     static readonly LEN_EQ: TokenType;
     static readonly NOT_EQ: TokenType;
+    static readonly ALWAYS: TokenType;
+    static readonly NEVER: TokenType;
     static readonly STRING: TokenType;
     static readonly NUMBER: TokenType;
     static readonly BOOLEAN: TokenType;

package/dist/parsers/json/AbilityJSONParser.d.ts

@@ -1,6 +1,6 @@
 import { AbilityRule, AbilityRuleConfig } from '../../core/AbilityRule';
 import { AbilityRuleSet, AbilityRuleSetConfig } from '../../core/AbilityRuleSet';
-import { ResourceObject } from '../../core/AbilityParser';
+import { ResourceObject } from '../../core/AbilityTypeGenerator';
 import { AbilityPolicy, AbilityPolicyConfig } from '../../core/AbilityPolicy';
 export declare class AbilityJSONParser {
     /**

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@via-profit/ability",
   "support": "https://via-profit.ru",
-  "version": "3.2.0",
+  "version": "3.4.0",
   "description": "Via-Profit Ability service",
   "keywords": [
     "ability",