@vllnt/convex-permissions 0.1.0-canary.a432481

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 bntvllnt
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,114 @@
+<!-- Badges -->
+[![Convex Component](https://img.shields.io/badge/convex-component-EE342F.svg)](https://www.convex.dev/components)
+[![npm version](https://img.shields.io/npm/v/@vllnt/convex-permissions.svg)](https://www.npmjs.com/package/@vllnt/convex-permissions)
+[![CI](https://github.com/vllnt/convex-permissions/actions/workflows/ci.yml/badge.svg)](https://github.com/vllnt/convex-permissions/actions/workflows/ci.yml)
+[![License](https://img.shields.io/npm/l/@vllnt/convex-permissions.svg)](./LICENSE)
+
+# @vllnt/convex-permissions
+
+Role-based access control as a Convex component — typed, sandboxed,
+runtime-editable roles and grants keyed by opaque refs.
+
+```ts
+// Define a role, assign it, enforce it — all from host functions.
+await permissions.defineRole(ctx, { name: "editor", grants: ["doc.read", "doc.edit"] });
+await permissions.assign(ctx, { subjectRef: userId, role: "editor" });
+await permissions.require(ctx, { subjectRef: userId, action: "doc.edit" }); // throws on deny
+```
+
+## Features
+
+- **Stored, runtime-editable RBAC** — roles, grants, and assignments live in sandboxed tables; change them with a mutation, no redeploy.
+- **Typed end to end** — `Permissions<TRole, TAction>` is generic over your role and action unions.
+- **Wildcard grants** — `"doc.*"` grants every `doc.` action; `"*"` grants everything.
+- **Scoped / multi-tenant** — assign within an opaque `scopeRef`; unscoped assignments apply globally.
+- **Agnostic by construction** — opaque `subjectRef` / `scopeRef`, no auth library, no domain model, no vendor.
+- **`require` throws** — `ConvexError<PermissionDenied>` the host maps to a 403.
+- **Default-deny** — unknown subjects and unmatched actions are denied.
+- **Runs anywhere** — identical on Convex Cloud and self-hosted `convex-backend`.
+
+## Installation
+
+```bash
+npm install @vllnt/convex-permissions
+```
+
+Peer dependency: `convex@^1.36.1`.
+
+## Usage
+
+```ts
+// convex/convex.config.ts
+import { defineApp } from "convex/server";
+import permissions from "@vllnt/convex-permissions/convex.config";
+
+const app = defineApp();
+app.use(permissions);
+export default app;
+```
+
+```ts
+// convex/permissions.ts — instantiate the typed client, then define / assign / check.
+import { components } from "./_generated/api";
+import { Permissions } from "@vllnt/convex-permissions";
+
+type Role = "admin" | "editor" | "viewer";
+type Action = "doc.read" | "doc.edit" | "doc.delete";
+
+export const permissions = new Permissions<Role, Action>(components.permissions);
+
+// from any host mutation/query (gate management behind your own admin auth):
+await permissions.defineRole(ctx, { name: "editor", grants: ["doc.read", "doc.edit"] });
+await permissions.assign(ctx, { subjectRef: userId, role: "editor", scopeRef: orgId });
+const allowed = await permissions.check(ctx, { subjectRef: userId, action: "doc.edit" });
+await permissions.require(ctx, { subjectRef: userId, action: "doc.edit" }); // throws on deny
+```
+
+## API Reference
+
+| Method | Kind | Result |
+|--------|------|--------|
+| `defineRole(ctx, { name, grants, description? })` | mutation | Upsert a role (runtime-editable) |
+| `removeRole(ctx, name)` | mutation | Delete a role by name |
+| `assign(ctx, { subjectRef, role, scopeRef? })` | mutation | Grant a role to a subject |
+| `revoke(ctx, { subjectRef, role, scopeRef? })` | mutation | Remove a role from a subject |
+| `check(ctx, { subjectRef, action, scopeRef? })` | query | Boolean permission check (default-deny) |
+| `require(ctx, { subjectRef, action, scopeRef? })` | query | Enforce access — throws on deny |
+| `rolesFor(ctx, { subjectRef, scopeRef? })` | query | List role names for a subject |
+| `permissionsFor(ctx, { subjectRef, scopeRef? })` | query | List distinct grants for a subject |
+| `listRoles(ctx)` | query | All role definitions |
+
+Full reference: [docs/API.md](docs/API.md).
+
+## Security
+
+- **Host owns auth** — it authenticates the caller, resolves identity to an opaque `subjectRef`, and gates the management methods behind its own admin authorization.
+- **Opaque refs only** — `subjectRef`, `scopeRef`, and action keys are arbitrary strings; tables are sandboxed (reached only via the client).
+- **Default-deny** — no matching grant ⇒ denied; boundary validation rejects refs not matching `^[A-Za-z0-9_.:-]{1,128}$`.
+
+See [docs/API.md](docs/API.md).
+
+## Testing
+
+```bash
+pnpm test           # single run
+pnpm test:coverage  # enforced 100% on covered files
+```
+
+Tests run against the real component runtime via `convex-test` (`@edge-runtime/vm`), not mocks.
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md).
+
+## Author
+
+Built by [bntvllnt](https://github.com/bntvllnt) · [bntvllnt.com](https://bntvllnt.com) · [X @bntvllnt](https://x.com/bntvllnt)
+
+Part of the [@vllnt](https://github.com/vllnt) Convex component fleet — [vllnt.com](https://vllnt.com)
+
+If this is useful, [sponsor the work](https://github.com/sponsors/bntvllnt).
+
+## License
+
+MIT — see [LICENSE](LICENSE).

package/dist/client/index.d.ts

@@ -0,0 +1,125 @@
+import type { FunctionArgs, FunctionReference, FunctionReturnType } from "convex/server";
+import type { RoleDoc } from "./types.js";
+/**
+ * The component's function references, as exposed on the host via
+ * `components.permissions`. Hand-written so the client typechecks without the
+ * component's generated code — the host supplies the mounted ref.
+ */
+export interface PermissionsComponent {
+    mutations: {
+        defineRole: FunctionReference<"mutation", "internal", {
+            name: string;
+            grants: string[];
+            description?: string;
+        }, null>;
+        removeRole: FunctionReference<"mutation", "internal", {
+            name: string;
+        }, boolean>;
+        assign: FunctionReference<"mutation", "internal", {
+            subjectRef: string;
+            role: string;
+            scopeRef?: string;
+        }, boolean>;
+        revoke: FunctionReference<"mutation", "internal", {
+            subjectRef: string;
+            role: string;
+            scopeRef?: string;
+        }, boolean>;
+    };
+    queries: {
+        check: FunctionReference<"query", "internal", {
+            subjectRef: string;
+            action: string;
+            scopeRef?: string;
+        }, boolean>;
+        rolesFor: FunctionReference<"query", "internal", {
+            subjectRef: string;
+            scopeRef?: string;
+        }, string[]>;
+        permissionsFor: FunctionReference<"query", "internal", {
+            subjectRef: string;
+            scopeRef?: string;
+        }, string[]>;
+        listRoles: FunctionReference<"query", "internal", Record<string, never>, RoleDoc[]>;
+    };
+}
+interface RunQueryCtx {
+    runQuery<Q extends FunctionReference<"query", "internal">>(reference: Q, args: FunctionArgs<Q>): Promise<FunctionReturnType<Q>>;
+}
+interface RunMutationCtx {
+    runMutation<M extends FunctionReference<"mutation", "internal">>(reference: M, args: FunctionArgs<M>): Promise<FunctionReturnType<M>>;
+}
+/** Structured payload thrown by `Permissions.require` on an authorization failure. */
+export interface PermissionDenied {
+    code: "FORBIDDEN";
+    subjectRef: string;
+    action: string;
+    scopeRef?: string;
+}
+/**
+ * Consumer-facing client for the permissions component. Construct with the
+ * mounted component ref, then call from host queries / mutations. The host owns
+ * auth — it resolves identity and passes an opaque `subjectRef` in. Generic over
+ * the host's role + action unions so checks are typed end to end.
+ *
+ * @example
+ * ```ts
+ * type Role = "admin" | "editor" | "viewer";
+ * type Action = "doc.read" | "doc.edit" | "doc.delete";
+ * const permissions = new Permissions<Role, Action>(components.permissions);
+ * await permissions.require(ctx, { subjectRef: userId, action: "doc.edit" });
+ * ```
+ */
+export declare class Permissions<TRole extends string = string, TAction extends string = string> {
+    private readonly component;
+    constructor(component: PermissionsComponent);
+    /** Create or update a role definition (upsert by name). */
+    defineRole(ctx: RunMutationCtx, role: {
+        name: TRole;
+        grants: readonly (TAction | string)[];
+        description?: string;
+    }): Promise<null>;
+    /** Delete a role definition. Resolves true if a role was removed. */
+    removeRole(ctx: RunMutationCtx, name: TRole): Promise<boolean>;
+    /** Assign a role to a subject. Resolves true if newly created. */
+    assign(ctx: RunMutationCtx, args: {
+        subjectRef: string;
+        role: TRole;
+        scopeRef?: string;
+    }): Promise<boolean>;
+    /** Remove a role assignment. Resolves true if an assignment was removed. */
+    revoke(ctx: RunMutationCtx, args: {
+        subjectRef: string;
+        role: TRole;
+        scopeRef?: string;
+    }): Promise<boolean>;
+    /** Is the subject authorized to perform the action? */
+    check(ctx: RunQueryCtx, args: {
+        subjectRef: string;
+        action: TAction;
+        scopeRef?: string;
+    }): Promise<boolean>;
+    /**
+     * Enforce an action. Throws `ConvexError<PermissionDenied>` when the subject is
+     * not authorized — the host can map this to a 403.
+     */
+    require(ctx: RunQueryCtx, args: {
+        subjectRef: string;
+        action: TAction;
+        scopeRef?: string;
+    }): Promise<void>;
+    /** Role names the subject holds in the optional scope (sorted). */
+    rolesFor(ctx: RunQueryCtx, args: {
+        subjectRef: string;
+        scopeRef?: string;
+    }): Promise<string[]>;
+    /** Distinct grants the subject has in the optional scope (sorted). */
+    permissionsFor(ctx: RunQueryCtx, args: {
+        subjectRef: string;
+        scopeRef?: string;
+    }): Promise<string[]>;
+    /** All role definitions. */
+    listRoles(ctx: RunQueryCtx): Promise<RoleDoc[]>;
+}
+export type { RoleDoc };
+//# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,YAAY,EACZ,iBAAiB,EACjB,kBAAkB,EACnB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE1C;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE;QACT,UAAU,EAAE,iBAAiB,CAC3B,UAAU,EACV,UAAU,EACV;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,EAAE,CAAC;YAAC,WAAW,CAAC,EAAE,MAAM,CAAA;SAAE,EACxD,IAAI,CACL,CAAC;QACF,UAAU,EAAE,iBAAiB,CAAC,UAAU,EAAE,UAAU,EAAE;YAAE,IAAI,EAAE,MAAM,CAAA;SAAE,EAAE,OAAO,CAAC,CAAC;QACjF,MAAM,EAAE,iBAAiB,CACvB,UAAU,EACV,UAAU,EACV;YAAE,UAAU,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,EACvD,OAAO,CACR,CAAC;QACF,MAAM,EAAE,iBAAiB,CACvB,UAAU,EACV,UAAU,EACV;YAAE,UAAU,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,EACvD,OAAO,CACR,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,KAAK,EAAE,iBAAiB,CACtB,OAAO,EACP,UAAU,EACV;YAAE,UAAU,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,EACzD,OAAO,CACR,CAAC;QACF,QAAQ,EAAE,iBAAiB,CACzB,OAAO,EACP,UAAU,EACV;YAAE,UAAU,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,EACzC,MAAM,EAAE,CACT,CAAC;QACF,cAAc,EAAE,iBAAiB,CAC/B,OAAO,EACP,UAAU,EACV;YAAE,UAAU,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,EACzC,MAAM,EAAE,CACT,CAAC;QACF,SAAS,EAAE,iBAAiB,CAC1B,OAAO,EACP,UAAU,EACV,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EACrB,OAAO,EAAE,CACV,CAAC;KACH,CAAC;CACH;AAED,UAAU,WAAW;IACnB,QAAQ,CAAC,CAAC,SAAS,iBAAiB,CAAC,OAAO,EAAE,UAAU,CAAC,EACvD,SAAS,EAAE,CAAC,EACZ,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC,GACpB,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC;CACnC;AAED,UAAU,cAAc;IACtB,WAAW,CAAC,CAAC,SAAS,iBAAiB,CAAC,UAAU,EAAE,UAAU,CAAC,EAC7D,SAAS,EAAE,CAAC,EACZ,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC,GACpB,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAC;CACnC;AAED,sFAAsF;AACtF,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,WAAW,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;GAaG;AACH,qBAAa,WAAW,CACtB,KAAK,SAAS,MAAM,GAAG,MAAM,EAC7B,OAAO,SAAS,MAAM,GAAG,MAAM;IAEnB,OAAO,CAAC,QAAQ,CAAC,SAAS;gBAAT,SAAS,EAAE,oBAAoB;IAE5D,2DAA2D;IAC3D,UAAU,CACR,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE;QAAE,IAAI,EAAE,KAAK,CAAC;QAAC,MAAM,EAAE,SAAS,CAAC,OAAO,GAAG,MAAM,CAAC,EAAE,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GACjF,OAAO,CAAC,IAAI,CAAC;IAQhB,qEAAqE;IACrE,UAAU,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC;IAI9D,kEAAkE;IAClE,MAAM,CACJ,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,KAAK,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC3D,OAAO,CAAC,OAAO,CAAC;IAInB,4EAA4E;IAC5E,MAAM,CACJ,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,KAAK,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC3D,OAAO,CAAC,OAAO,CAAC;IAInB,uDAAuD;IACvD,KAAK,CACH,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC/D,OAAO,CAAC,OAAO,CAAC;IAInB;;;OAGG;IACG,OAAO,CACX,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC/D,OAAO,CAAC,IAAI,CAAC;IAehB,mEAAmE;IACnE,QAAQ,CACN,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC9C,OAAO,CAAC,MAAM,EAAE,CAAC;IAIpB,sEAAsE;IACtE,cAAc,CACZ,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAC9C,OAAO,CAAC,MAAM,EAAE,CAAC;IAIpB,4BAA4B;IAC5B,SAAS,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CAGhD;AAED,YAAY,EAAE,OAAO,EAAE,CAAC"}

package/dist/client/index.js

@@ -0,0 +1,76 @@
+import { ConvexError } from "convex/values";
+/**
+ * Consumer-facing client for the permissions component. Construct with the
+ * mounted component ref, then call from host queries / mutations. The host owns
+ * auth — it resolves identity and passes an opaque `subjectRef` in. Generic over
+ * the host's role + action unions so checks are typed end to end.
+ *
+ * @example
+ * ```ts
+ * type Role = "admin" | "editor" | "viewer";
+ * type Action = "doc.read" | "doc.edit" | "doc.delete";
+ * const permissions = new Permissions<Role, Action>(components.permissions);
+ * await permissions.require(ctx, { subjectRef: userId, action: "doc.edit" });
+ * ```
+ */
+export class Permissions {
+    component;
+    constructor(component) {
+        this.component = component;
+    }
+    /** Create or update a role definition (upsert by name). */
+    defineRole(ctx, role) {
+        return ctx.runMutation(this.component.mutations.defineRole, {
+            name: role.name,
+            grants: [...role.grants],
+            description: role.description,
+        });
+    }
+    /** Delete a role definition. Resolves true if a role was removed. */
+    removeRole(ctx, name) {
+        return ctx.runMutation(this.component.mutations.removeRole, { name });
+    }
+    /** Assign a role to a subject. Resolves true if newly created. */
+    assign(ctx, args) {
+        return ctx.runMutation(this.component.mutations.assign, args);
+    }
+    /** Remove a role assignment. Resolves true if an assignment was removed. */
+    revoke(ctx, args) {
+        return ctx.runMutation(this.component.mutations.revoke, args);
+    }
+    /** Is the subject authorized to perform the action? */
+    check(ctx, args) {
+        return ctx.runQuery(this.component.queries.check, args);
+    }
+    /**
+     * Enforce an action. Throws `ConvexError<PermissionDenied>` when the subject is
+     * not authorized — the host can map this to a 403.
+     */
+    async require(ctx, args) {
+        const allowed = await this.check(ctx, args);
+        if (!allowed) {
+            // `ConvexError` data must be a Convex `Value`; an inline object literal
+            // satisfies that (a named interface would not, lacking an index signature).
+            // The shape matches `PermissionDenied`, which consumers use to type catches.
+            throw new ConvexError({
+                code: "FORBIDDEN",
+                subjectRef: args.subjectRef,
+                action: args.action,
+                scopeRef: args.scopeRef,
+            });
+        }
+    }
+    /** Role names the subject holds in the optional scope (sorted). */
+    rolesFor(ctx, args) {
+        return ctx.runQuery(this.component.queries.rolesFor, args);
+    }
+    /** Distinct grants the subject has in the optional scope (sorted). */
+    permissionsFor(ctx, args) {
+        return ctx.runQuery(this.component.queries.permissionsFor, args);
+    }
+    /** All role definitions. */
+    listRoles(ctx) {
+        return ctx.runQuery(this.component.queries.listRoles, {});
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAqF5C;;;;;;;;;;;;;GAaG;AACH,MAAM,OAAO,WAAW;IAIO;IAA7B,YAA6B,SAA+B;QAA/B,cAAS,GAAT,SAAS,CAAsB;IAAG,CAAC;IAEhE,2DAA2D;IAC3D,UAAU,CACR,GAAmB,EACnB,IAAkF;QAElF,OAAO,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,UAAU,EAAE;YAC1D,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC;YACxB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC,CAAC;IACL,CAAC;IAED,qEAAqE;IACrE,UAAU,CAAC,GAAmB,EAAE,IAAW;QACzC,OAAO,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,kEAAkE;IAClE,MAAM,CACJ,GAAmB,EACnB,IAA4D;QAE5D,OAAO,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAChE,CAAC;IAED,4EAA4E;IAC5E,MAAM,CACJ,GAAmB,EACnB,IAA4D;QAE5D,OAAO,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAChE,CAAC;IAED,uDAAuD;IACvD,KAAK,CACH,GAAgB,EAChB,IAAgE;QAEhE,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC1D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAO,CACX,GAAgB,EAChB,IAAgE;QAEhE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,wEAAwE;YACxE,4EAA4E;YAC5E,6EAA6E;YAC7E,MAAM,IAAI,WAAW,CAAC;gBACpB,IAAI,EAAE,WAAW;gBACjB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,QAAQ,CACN,GAAgB,EAChB,IAA+C;QAE/C,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC7D,CAAC;IAED,sEAAsE;IACtE,cAAc,CACZ,GAAgB,EAChB,IAA+C;QAE/C,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;IACnE,CAAC;IAED,4BAA4B;IAC5B,SAAS,CAAC,GAAgB;QACxB,OAAO,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC5D,CAAC;CACF"}

package/dist/client/types.d.ts

@@ -0,0 +1,11 @@
+/** Public TypeScript surface for `@vllnt/convex-permissions`. */
+/** A stored role definition, as returned by `Permissions.listRoles`. */
+export interface RoleDoc {
+    _id: string;
+    _creationTime: number;
+    name: string;
+    grants: string[];
+    description?: string;
+    updatedAt: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/client/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/client/types.ts"],"names":[],"mappings":"AAAA,iEAAiE;AAEjE,wEAAwE;AACxE,MAAM,WAAW,OAAO;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB"}

package/dist/client/types.js

@@ -0,0 +1,3 @@
+/** Public TypeScript surface for `@vllnt/convex-permissions`. */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/client/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/client/types.ts"],"names":[],"mappings":"AAAA,iEAAiE"}

package/dist/component/_generated/api.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Generated `api` utility.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+import type * as mutations from "../mutations.js";
+import type * as queries from "../queries.js";
+import type * as validators from "../validators.js";
+import type { ApiFromModules, FilterApi, FunctionReference } from "convex/server";
+declare const fullApi: ApiFromModules<{
+    mutations: typeof mutations;
+    queries: typeof queries;
+    validators: typeof validators;
+}>;
+/**
+ * A utility for referencing Convex functions in your app's public API.
+ *
+ * Usage:
+ * ```js
+ * const myFunctionReference = api.myModule.myFunction;
+ * ```
+ */
+export declare const api: FilterApi<typeof fullApi, FunctionReference<any, "public">>;
+/**
+ * A utility for referencing Convex functions in your app's internal API.
+ *
+ * Usage:
+ * ```js
+ * const myFunctionReference = internal.myModule.myFunction;
+ * ```
+ */
+export declare const internal: FilterApi<typeof fullApi, FunctionReference<any, "internal">>;
+export declare const components: {};
+export {};
+//# sourceMappingURL=api.d.ts.map

package/dist/component/_generated/api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../../src/component/_generated/api.ts"],"names":[],"mappings":"AACA;;;;;;;GAOG;AAEH,OAAO,KAAK,KAAK,SAAS,MAAM,iBAAiB,CAAC;AAClD,OAAO,KAAK,KAAK,OAAO,MAAM,eAAe,CAAC;AAC9C,OAAO,KAAK,KAAK,UAAU,MAAM,kBAAkB,CAAC;AAEpD,OAAO,KAAK,EACV,cAAc,EACd,SAAS,EACT,iBAAiB,EAClB,MAAM,eAAe,CAAC;AAGvB,QAAA,MAAM,OAAO,EAAE,cAAc,CAAC;IAC5B,SAAS,EAAE,OAAO,SAAS,CAAC;IAC5B,OAAO,EAAE,OAAO,OAAO,CAAC;IACxB,UAAU,EAAE,OAAO,UAAU,CAAC;CAC/B,CAAiB,CAAC;AAEnB;;;;;;;GAOG;AACH,eAAO,MAAM,GAAG,EAAE,SAAS,CACzB,OAAO,OAAO,EACd,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CACjB,CAAC;AAElB;;;;;;;GAOG;AACH,eAAO,MAAM,QAAQ,EAAE,SAAS,CAC9B,OAAO,OAAO,EACd,iBAAiB,CAAC,GAAG,EAAE,UAAU,CAAC,CACnB,CAAC;AAElB,eAAO,MAAM,UAAU,EAAqC,EAAE,CAAC"}

package/dist/component/_generated/api.js

@@ -0,0 +1,31 @@
+/* eslint-disable */
+/**
+ * Generated `api` utility.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+import { anyApi, componentsGeneric } from "convex/server";
+const fullApi = anyApi;
+/**
+ * A utility for referencing Convex functions in your app's public API.
+ *
+ * Usage:
+ * ```js
+ * const myFunctionReference = api.myModule.myFunction;
+ * ```
+ */
+export const api = anyApi;
+/**
+ * A utility for referencing Convex functions in your app's internal API.
+ *
+ * Usage:
+ * ```js
+ * const myFunctionReference = internal.myModule.myFunction;
+ * ```
+ */
+export const internal = anyApi;
+export const components = componentsGeneric();
+//# sourceMappingURL=api.js.map

package/dist/component/_generated/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../../../src/component/_generated/api.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB;;;;;;;GAOG;AAWH,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAE1D,MAAM,OAAO,GAIR,MAAa,CAAC;AAEnB;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,GAAG,GAGZ,MAAa,CAAC;AAElB;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,QAAQ,GAGjB,MAAa,CAAC;AAElB,MAAM,CAAC,MAAM,UAAU,GAAG,iBAAiB,EAAmB,CAAC"}

package/dist/component/_generated/component.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Generated `ComponentApi` utility.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+import type { FunctionReference } from "convex/server";
+/**
+ * A utility for referencing a Convex component's exposed API.
+ *
+ * Useful when expecting a parameter like `components.myComponent`.
+ * Usage:
+ * ```ts
+ * async function myFunction(ctx: QueryCtx, component: ComponentApi) {
+ *   return ctx.runQuery(component.someFile.someQuery, { ...args });
+ * }
+ * ```
+ */
+export type ComponentApi<Name extends string | undefined = string | undefined> = {
+    mutations: {
+        assign: FunctionReference<"mutation", "internal", {
+            role: string;
+            scopeRef?: string;
+            subjectRef: string;
+        }, boolean, Name>;
+        defineRole: FunctionReference<"mutation", "internal", {
+            description?: string;
+            grants: Array<string>;
+            name: string;
+        }, null, Name>;
+        removeRole: FunctionReference<"mutation", "internal", {
+            name: string;
+        }, boolean, Name>;
+        revoke: FunctionReference<"mutation", "internal", {
+            role: string;
+            scopeRef?: string;
+            subjectRef: string;
+        }, boolean, Name>;
+    };
+    queries: {
+        check: FunctionReference<"query", "internal", {
+            action: string;
+            scopeRef?: string;
+            subjectRef: string;
+        }, boolean, Name>;
+        listRoles: FunctionReference<"query", "internal", {}, Array<{
+            _creationTime: number;
+            _id: string;
+            description?: string;
+            grants: Array<string>;
+            name: string;
+            updatedAt: number;
+        }>, Name>;
+        permissionsFor: FunctionReference<"query", "internal", {
+            scopeRef?: string;
+            subjectRef: string;
+        }, Array<string>, Name>;
+        rolesFor: FunctionReference<"query", "internal", {
+            scopeRef?: string;
+            subjectRef: string;
+        }, Array<string>, Name>;
+    };
+};
+//# sourceMappingURL=component.d.ts.map

package/dist/component/_generated/component.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"component.d.ts","sourceRoot":"","sources":["../../../src/component/_generated/component.ts"],"names":[],"mappings":"AACA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAEvD;;;;;;;;;;GAUG;AACH,MAAM,MAAM,YAAY,CAAC,IAAI,SAAS,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,IAC3E;IACE,SAAS,EAAE;QACT,MAAM,EAAE,iBAAiB,CACvB,UAAU,EACV,UAAU,EACV;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;YAAC,UAAU,EAAE,MAAM,CAAA;SAAE,EACvD,OAAO,EACP,IAAI,CACL,CAAC;QACF,UAAU,EAAE,iBAAiB,CAC3B,UAAU,EACV,UAAU,EACV;YAAE,WAAW,CAAC,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,EAC7D,IAAI,EACJ,IAAI,CACL,CAAC;QACF,UAAU,EAAE,iBAAiB,CAC3B,UAAU,EACV,UAAU,EACV;YAAE,IAAI,EAAE,MAAM,CAAA;SAAE,EAChB,OAAO,EACP,IAAI,CACL,CAAC;QACF,MAAM,EAAE,iBAAiB,CACvB,UAAU,EACV,UAAU,EACV;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;YAAC,UAAU,EAAE,MAAM,CAAA;SAAE,EACvD,OAAO,EACP,IAAI,CACL,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,KAAK,EAAE,iBAAiB,CACtB,OAAO,EACP,UAAU,EACV;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;YAAC,UAAU,EAAE,MAAM,CAAA;SAAE,EACzD,OAAO,EACP,IAAI,CACL,CAAC;QACF,SAAS,EAAE,iBAAiB,CAC1B,OAAO,EACP,UAAU,EACV,EAAE,EACF,KAAK,CAAC;YACJ,aAAa,EAAE,MAAM,CAAC;YACtB,GAAG,EAAE,MAAM,CAAC;YACZ,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;YACtB,IAAI,EAAE,MAAM,CAAC;YACb,SAAS,EAAE,MAAM,CAAC;SACnB,CAAC,EACF,IAAI,CACL,CAAC;QACF,cAAc,EAAE,iBAAiB,CAC/B,OAAO,EACP,UAAU,EACV;YAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;YAAC,UAAU,EAAE,MAAM,CAAA;SAAE,EACzC,KAAK,CAAC,MAAM,CAAC,EACb,IAAI,CACL,CAAC;QACF,QAAQ,EAAE,iBAAiB,CACzB,OAAO,EACP,UAAU,EACV;YAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;YAAC,UAAU,EAAE,MAAM,CAAA;SAAE,EACzC,KAAK,CAAC,MAAM,CAAC,EACb,IAAI,CACL,CAAC;KACH,CAAC;CACH,CAAC"}

package/dist/component/_generated/component.js

@@ -0,0 +1,11 @@
+/* eslint-disable */
+/**
+ * Generated `ComponentApi` utility.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+export {};
+//# sourceMappingURL=component.js.map

package/dist/component/_generated/component.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"component.js","sourceRoot":"","sources":["../../../src/component/_generated/component.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB;;;;;;;GAOG"}

package/dist/component/_generated/dataModel.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Generated data model types.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+import type { DataModelFromSchemaDefinition, DocumentByName, TableNamesInDataModel, SystemTableNames } from "convex/server";
+import type { GenericId } from "convex/values";
+import schema from "../schema.js";
+/**
+ * The names of all of your Convex tables.
+ */
+export type TableNames = TableNamesInDataModel<DataModel>;
+/**
+ * The type of a document stored in Convex.
+ *
+ * @typeParam TableName - A string literal type of the table name (like "users").
+ */
+export type Doc<TableName extends TableNames> = DocumentByName<DataModel, TableName>;
+/**
+ * An identifier for a document in Convex.
+ *
+ * Convex documents are uniquely identified by their `Id`, which is accessible
+ * on the `_id` field. To learn more, see [Document IDs](https://docs.convex.dev/using/document-ids).
+ *
+ * Documents can be loaded using `db.get(tableName, id)` in query and mutation functions.
+ *
+ * IDs are just strings at runtime, but this type can be used to distinguish them from other
+ * strings when type checking.
+ *
+ * @typeParam TableName - A string literal type of the table name (like "users").
+ */
+export type Id<TableName extends TableNames | SystemTableNames> = GenericId<TableName>;
+/**
+ * A type describing your Convex data model.
+ *
+ * This type includes information about what tables you have, the type of
+ * documents stored in those tables, and the indexes defined on them.
+ *
+ * This type is used to parameterize methods like `queryGeneric` and
+ * `mutationGeneric` to make them type-safe.
+ */
+export type DataModel = DataModelFromSchemaDefinition<typeof schema>;
+//# sourceMappingURL=dataModel.d.ts.map

package/dist/component/_generated/dataModel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dataModel.d.ts","sourceRoot":"","sources":["../../../src/component/_generated/dataModel.ts"],"names":[],"mappings":"AACA;;;;;;;GAOG;AAEH,OAAO,KAAK,EACV,6BAA6B,EAC7B,cAAc,EACd,qBAAqB,EACrB,gBAAgB,EACjB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,MAAM,MAAM,cAAc,CAAC;AAElC;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG,qBAAqB,CAAC,SAAS,CAAC,CAAC;AAE1D;;;;GAIG;AACH,MAAM,MAAM,GAAG,CAAC,SAAS,SAAS,UAAU,IAAI,cAAc,CAC5D,SAAS,EACT,SAAS,CACV,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,EAAE,CAAC,SAAS,SAAS,UAAU,GAAG,gBAAgB,IAC5D,SAAS,CAAC,SAAS,CAAC,CAAC;AAEvB;;;;;;;;GAQG;AACH,MAAM,MAAM,SAAS,GAAG,6BAA6B,CAAC,OAAO,MAAM,CAAC,CAAC"}

package/dist/component/_generated/dataModel.js

@@ -0,0 +1,11 @@
+/* eslint-disable */
+/**
+ * Generated data model types.
+ *
+ * THIS CODE IS AUTOMATICALLY GENERATED.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+export {};
+//# sourceMappingURL=dataModel.js.map

package/dist/component/_generated/dataModel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dataModel.js","sourceRoot":"","sources":["../../../src/component/_generated/dataModel.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB;;;;;;;GAOG"}