npm - @zero-server/sdk - Versions diffs - 0.9.0 → 0.9.2 - Mend

@zero-server/sdk 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (126) hide show

package/LICENSE +21 -21
package/README.md +460 -437
package/index.js +414 -412
package/lib/app.js +1172 -1172
package/lib/auth/authorize.js +399 -399
package/lib/auth/enrollment.js +367 -367
package/lib/auth/index.js +57 -57
package/lib/auth/jwt.js +731 -731
package/lib/auth/oauth.js +362 -362
package/lib/auth/session.js +588 -588
package/lib/auth/trustedDevice.js +409 -409
package/lib/auth/twoFactor.js +1150 -1150
package/lib/auth/webauthn.js +946 -946
package/lib/body/index.js +14 -14
package/lib/body/json.js +109 -109
package/lib/body/multipart.js +440 -440
package/lib/body/raw.js +71 -71
package/lib/body/rawBuffer.js +160 -160
package/lib/body/sendError.js +25 -25
package/lib/body/text.js +75 -75
package/lib/body/typeMatch.js +41 -41
package/lib/body/urlencoded.js +235 -235
package/lib/cli.js +845 -845
package/lib/cluster.js +666 -666
package/lib/debug.js +372 -372
package/lib/env/index.js +460 -460
package/lib/errors.js +683 -683
package/lib/fetch/index.js +256 -256
package/lib/grpc/balancer.js +378 -378
package/lib/grpc/call.js +708 -708
package/lib/grpc/client.js +764 -764
package/lib/grpc/codec.js +1221 -1221
package/lib/grpc/credentials.js +398 -398
package/lib/grpc/frame.js +262 -262
package/lib/grpc/health.js +287 -287
package/lib/grpc/index.js +121 -121
package/lib/grpc/metadata.js +461 -461
package/lib/grpc/proto.js +821 -821
package/lib/grpc/reflection.js +590 -590
package/lib/grpc/server.js +445 -445
package/lib/grpc/status.js +118 -118
package/lib/grpc/watch.js +173 -173
package/lib/http/index.js +10 -10
package/lib/http/request.js +727 -727
package/lib/http/response.js +799 -799
package/lib/lifecycle.js +557 -557
package/lib/middleware/compress.js +230 -230
package/lib/middleware/cookieParser.js +237 -237
package/lib/middleware/cors.js +93 -93
package/lib/middleware/csrf.js +136 -136
package/lib/middleware/errorHandler.js +101 -101
package/lib/middleware/helmet.js +175 -175
package/lib/middleware/index.js +19 -17
package/lib/middleware/logger.js +74 -74
package/lib/middleware/rateLimit.js +88 -88
package/lib/middleware/requestId.js +53 -53
package/lib/middleware/static.js +326 -326
package/lib/middleware/timeout.js +71 -71
package/lib/middleware/validator.js +254 -254
package/lib/observe/health.js +326 -326
package/lib/observe/index.js +50 -50
package/lib/observe/logger.js +359 -359
package/lib/observe/metrics.js +805 -805
package/lib/observe/tracing.js +592 -592
package/lib/orm/adapters/json.js +290 -290
package/lib/orm/adapters/memory.js +764 -764
package/lib/orm/adapters/mongo.js +764 -764
package/lib/orm/adapters/mysql.js +933 -933
package/lib/orm/adapters/postgres.js +1144 -1144
package/lib/orm/adapters/redis.js +1534 -1534
package/lib/orm/adapters/sql-base.js +212 -212
package/lib/orm/adapters/sqlite.js +858 -858
package/lib/orm/audit.js +649 -649
package/lib/orm/cache.js +394 -394
package/lib/orm/geo.js +387 -387
package/lib/orm/index.js +784 -784
package/lib/orm/migrate.js +432 -432
package/lib/orm/model.js +1706 -1706
package/lib/orm/plugin.js +375 -375
package/lib/orm/procedures.js +836 -836
package/lib/orm/profiler.js +233 -233
package/lib/orm/query.js +1772 -1772
package/lib/orm/replicas.js +241 -241
package/lib/orm/schema.js +307 -307
package/lib/orm/search.js +380 -380
package/lib/orm/seed/data/commerce.js +136 -136
package/lib/orm/seed/data/internet.js +111 -111
package/lib/orm/seed/data/locations.js +204 -204
package/lib/orm/seed/data/names.js +338 -338
package/lib/orm/seed/data/person.js +128 -128
package/lib/orm/seed/data/phone.js +211 -211
package/lib/orm/seed/data/words.js +134 -134
package/lib/orm/seed/factory.js +178 -178
package/lib/orm/seed/fake.js +1186 -1186
package/lib/orm/seed/index.js +18 -18
package/lib/orm/seed/rng.js +70 -70
package/lib/orm/seed/seeder.js +124 -124
package/lib/orm/seed/unique.js +68 -68
package/lib/orm/snapshot.js +366 -366
package/lib/orm/tenancy.js +605 -605
package/lib/orm/views.js +350 -350
package/lib/router/index.js +436 -436
package/lib/sse/index.js +8 -8
package/lib/sse/stream.js +349 -349
package/lib/ws/connection.js +451 -451
package/lib/ws/handshake.js +125 -125
package/lib/ws/index.js +14 -14
package/lib/ws/room.js +223 -223
package/package.json +73 -73
package/types/app.d.ts +223 -223
package/types/auth.d.ts +520 -520
package/types/cluster.d.ts +75 -75
package/types/env.d.ts +80 -80
package/types/errors.d.ts +316 -316
package/types/fetch.d.ts +43 -43
package/types/grpc.d.ts +432 -432
package/types/index.d.ts +384 -384
package/types/lifecycle.d.ts +60 -60
package/types/middleware.d.ts +320 -320
package/types/observe.d.ts +304 -304
package/types/orm.d.ts +1887 -1887
package/types/request.d.ts +109 -109
package/types/response.d.ts +157 -157
package/types/router.d.ts +78 -78
package/types/sse.d.ts +78 -78
package/types/websocket.d.ts +126 -126

package/lib/auth/authorize.js CHANGED Viewed

@@ -1,399 +1,399 @@
-/**
- * @module auth/authorize
- * @description Authorization helpers — role-based access control (RBAC),
- *              permission-based access, and policy classes.
- *
- *              Works with any authentication middleware that sets `req.user`.
- *
- * @example
- *   const { createApp, jwt, authorize, can, canAny, Policy, gate,
- *       attachUserHelpers, Router } = require('@zero-server/sdk');
- *   const app = createApp();
- *
- *   app.use(jwt({ secret: process.env.JWT_SECRET }));
- *   app.use(attachUserHelpers());
- *
- *   // Role-based — only admins and editors can modify posts
- *   app.put('/posts/:id', authorize('admin', 'editor'), (req, res) => {
- *       res.json({ updated: true });
- *   });
- *
- *   // Permission-based — require ALL listed permissions
- *   app.delete('/users/:id', can('users:read', 'users:delete'), (req, res) => {
- *       res.json({ deleted: true });
- *   });
- *
- *   // ANY permission — useful for overlapping access
- *   app.get('/reports', canAny('reports:read', 'admin:read'), (req, res) => {
- *       res.json({ reports: [] });
- *   });
- *
- *   // Policy class — resource-level authorization
- *   class PostPolicy extends Policy {
- *       before(user) { if (user.role === 'superadmin') return true; }
- *       update(user, post) { return user.id === post.authorId || user.role === 'admin'; }
- *       delete(user, post) { return user.role === 'admin'; }
- *   }
- *
- *   app.put('/posts/:id', gate(new PostPolicy(), 'update', async (req) => {
- *       return await Post.findById(req.params.id);
- *   }), (req, res) => {
- *       // req.resource is auto-populated by gate()
- *       res.json({ updated: req.resource });
- *   });
- *
- *   // Inline checks via attachUserHelpers()
- *   app.get('/dashboard', (req, res) => {
- *       const data = { user: req.user.sub };
- *       if (req.user.is('admin')) data.adminPanel = true;
- *       if (req.user.can('reports:export')) data.canExport = true;
- *       res.json(data);
- *   });
- */
-const log = require('../debug')('zero:auth');
-// -- Role-Based Access Control ------------------------------------
-/**
- * Role-based authorization middleware.
- * Checks `req.user.role` or `req.user.roles` against allowed roles.
- *
- * Returns 401 if `req.user` is missing (not authenticated).
- * Returns 403 if the user's role is not in the allowed list.
- *
- * @param {...string} roles - Allowed roles.
- * @returns {Function} Middleware `(req, res, next) => void`.
- *
- * @example
- *   app.get('/admin', authorize('admin'), (req, res) => {
- *       res.json({ message: 'Welcome, admin!' });
- *   });
- *
- * @example | Multiple Roles
- *   app.put('/posts/:id', authorize('admin', 'editor'), (req, res) => {
- *       res.json({ updated: true });
- *   });
- */
-function authorize(...roles)
-{
-    const allowed = new Set(roles.flat());
-    return function authorizeMiddleware(req, res, next)
-    {
-        if (!req.user)
-        {
-            return res.status(401).json({
-                error: 'Authentication required',
-                code: 'NOT_AUTHENTICATED',
-                statusCode: 401,
-            });
-        }
-        const userRoles = _extractRoles(req.user);
-        const hasRole = userRoles.some(r => allowed.has(r));
-        if (!hasRole)
-        {
-            log.debug('access denied: user roles [%s] not in [%s]', userRoles.join(', '), [...allowed].join(', '));
-            return res.status(403).json({
-                error: 'Insufficient permissions',
-                code: 'FORBIDDEN',
-                statusCode: 403,
-            });
-        }
-        log.debug('authorized: role=%s', userRoles.find(r => allowed.has(r)));
-        next();
-    };
-}
-// -- Permission-Based Access Control --------------------------------
-/**
- * Permission-based authorization middleware.
- * Checks `req.user.permissions` (array or Set) for the required permission(s).
- *
- * Permission strings follow a `resource:action` convention:
- *   - `'posts:write'` — write access to posts
- *   - `'users:delete'` — delete users
- *   - `'*'` — superuser wildcard
- *
- * @param {...string} permissions - Required permissions (ALL must be present unless `opts.any` is true).
- * @returns {Function} Middleware `(req, res, next) => void`.
- *
- * @example | Require Specific Permission
- *   app.post('/posts', can('posts:write'), (req, res) => {
- *       res.status(201).json(req.body);
- *   });
- *
- * @example | Require ALL Permissions
- *   app.put('/users/:id', can('users:read', 'users:write'), (req, res) => {
- *       res.json({ updated: true });
- *   });
- *
- * @example | Require ANY Permission
- *   app.get('/dashboard', canAny('admin:read', 'reports:read'), (req, res) => {
- *       res.json({ dashboard: true });
- *   });
- */
-function can(...permissions)
-{
-    return _permissionMiddleware(permissions.flat(), false);
-}
-/**
- * Like `can()`, but passes if the user has ANY of the listed permissions.
- *
- * @param {...string} permissions - Permissions to check (any one is sufficient).
- * @returns {Function} Middleware.
- *
- * @example
- *   app.get('/reports', canAny('reports:read', 'admin:read'), (req, res) => {
- *       res.json({ reports: [] });
- *   });
- */
-function canAny(...permissions)
-{
-    return _permissionMiddleware(permissions.flat(), true);
-}
-/** @private */
-function _permissionMiddleware(required, anyMode)
-{
-    return function permissionMiddleware(req, res, next)
-    {
-        if (!req.user)
-        {
-            return res.status(401).json({
-                error: 'Authentication required',
-                code: 'NOT_AUTHENTICATED',
-                statusCode: 401,
-            });
-        }
-        const userPerms = _extractPermissions(req.user);
-        // Wildcard superuser
-        if (userPerms.has('*'))
-        {
-            log.debug('wildcard permission granted');
-            return next();
-        }
-        const check = anyMode
-            ? required.some(p => userPerms.has(p))
-            : required.every(p => userPerms.has(p));
-        if (!check)
-        {
-            log.debug('permission denied: required [%s] (mode=%s)', required.join(', '), anyMode ? 'any' : 'all');
-            return res.status(403).json({
-                error: 'Insufficient permissions',
-                code: 'FORBIDDEN',
-                statusCode: 403,
-            });
-        }
-        next();
-    };
-}
-// -- Policy Classes -----------------------------------------------
-/**
- * Base policy class for resource-level authorization.
- * Subclass and define methods matching action names.
- * Each method receives `(user, resource)` and returns `boolean`.
- *
- * @example
- *   class PostPolicy extends Policy {
- *       view()                 { return true; }          // anyone can view
- *       update(user, post)     { return user.id === post.authorId; }
- *       delete(user, post)     { return user.role === 'admin'; }
- *       publish(user, post)    { return ['admin', 'editor'].includes(user.role); }
- *   }
- */
-class Policy
-{
-    /**
-     * Check if an action is allowed.
-     * Falls through to the action method if defined, otherwise denies.
-     *
-     * @param {string} action - The action name (method name).
-     * @param {object} user - The authenticated user.
-     * @param {object} [resource] - The resource being accessed.
-     * @returns {boolean|Promise<boolean>}
-     */
-    check(action, user, resource)
-    {
-        if (typeof this.before === 'function')
-        {
-            const beforeResult = this.before(user, action, resource);
-            if (beforeResult === true) return true;
-            if (beforeResult === false) return false;
-            // undefined = continue to action method
-        }
-        if (typeof this[action] !== 'function') return false;
-        return this[action](user, resource);
-    }
-}
-/**
- * Policy gate middleware.
- * Runs a policy check against a resource loaded from the request.
- *
- * @param {Policy} policy - Policy instance.
- * @param {string} action - Action name to check.
- * @param {Function} [getResource] - `async (req) => resource` loader. If omitted, passes `null`.
- * @returns {Function} Middleware `(req, res, next) => void`.
- *
- * @example
- *   const postPolicy = new PostPolicy();
- *
- *   // With resource loader
- *   app.put('/posts/:id', gate(postPolicy, 'update', async (req) => {
- *       return await Post.findById(req.params.id);
- *   }), (req, res) => {
- *       res.json({ updated: req.resource });
- *   });
- *
- *   // Without resource (for create/list actions)
- *   app.post('/posts', gate(postPolicy, 'create'), (req, res) => {
- *       res.status(201).json(req.body);
- *   });
- */
-function gate(policy, action, getResource)
-{
-    return async function gateMiddleware(req, res, next)
-    {
-        if (!req.user)
-        {
-            return res.status(401).json({
-                error: 'Authentication required',
-                code: 'NOT_AUTHENTICATED',
-                statusCode: 401,
-            });
-        }
-        let resource = null;
-        if (typeof getResource === 'function')
-        {
-            resource = await getResource(req);
-        }
-        const allowed = await policy.check(action, req.user, resource);
-        if (!allowed)
-        {
-            log.debug('policy denied: action=%s', action);
-            return res.status(403).json({
-                error: 'Action not allowed',
-                code: 'POLICY_DENIED',
-                statusCode: 403,
-            });
-        }
-        // Attach resource if loaded — saves a redundant DB query in the handler
-        if (resource && !req.resource) req.resource = resource;
-        next();
-    };
-}
-// -- req.user helpers (mixed in by middleware barrel) ----------------
-/**
- * Attach convenience authorization methods to `req.user`.
- * Call this middleware after JWT/session middleware.
- *
- * Adds:
- *   - `req.user.is(...roles)` — check roles
- *   - `req.user.can(...perms)` — check permissions
- *
- * @returns {Function} Middleware.
- *
- * @example
- *   app.use(jwt({ secret }));
- *   app.use(attachUserHelpers());
- *
- *   app.get('/dashboard', (req, res) => {
- *       if (req.user.is('admin')) {
- *           // admin view
- *       }
- *       if (req.user.can('reports:export')) {
- *           // show export button
- *       }
- *   });
- */
-function attachUserHelpers()
-{
-    return function userHelpersMiddleware(req, res, next)
-    {
-        if (!req.user) return next();
-        if (!req.user.is)
-        {
-            req.user.is = (...roles) =>
-            {
-                const userRoles = _extractRoles(req.user);
-                return roles.flat().some(r => userRoles.includes(r));
-            };
-        }
-        if (!req.user.can)
-        {
-            req.user.can = (...perms) =>
-            {
-                const userPerms = _extractPermissions(req.user);
-                if (userPerms.has('*')) return true;
-                return perms.flat().every(p => userPerms.has(p));
-            };
-        }
-        next();
-    };
-}
-// -- Internal Helpers -----------------------------------------------
-/**
- * Normalise user roles from various formats.
- * Supports `user.role` (string), `user.roles` (array), and `user.role` (array).
- *
- * @param {object} user
- * @returns {string[]}
- * @private
- */
-function _extractRoles(user)
-{
-    if (!user) return [];
-    if (Array.isArray(user.roles)) return user.roles;
-    if (Array.isArray(user.role)) return user.role;
-    if (typeof user.role === 'string') return [user.role];
-    return [];
-}
-/**
- * Normalise user permissions from various formats.
- * Supports `user.permissions` (array or Set), `user.scopes` (array).
- *
- * @param {object} user
- * @returns {Set<string>}
- * @private
- */
-function _extractPermissions(user)
-{
-    if (!user) return new Set();
-    if (user.permissions instanceof Set) return user.permissions;
-    if (Array.isArray(user.permissions)) return new Set(user.permissions);
-    if (Array.isArray(user.scopes)) return new Set(user.scopes);
-    return new Set();
-}
-module.exports = {
-    authorize,
-    can,
-    canAny,
-    Policy,
-    gate,
-    attachUserHelpers,
-};
+/**
+ * @module auth/authorize
+ * @description Authorization helpers — role-based access control (RBAC),
+ *              permission-based access, and policy classes.
+ *
+ *              Works with any authentication middleware that sets `req.user`.
+ *
+ * @example
+ *   const { createApp, jwt, authorize, can, canAny, Policy, gate,
+ *       attachUserHelpers, Router } = require('@zero-server/sdk');
+ *   const app = createApp();
+ *
+ *   app.use(jwt({ secret: process.env.JWT_SECRET }));
+ *   app.use(attachUserHelpers());
+ *
+ *   // Role-based — only admins and editors can modify posts
+ *   app.put('/posts/:id', authorize('admin', 'editor'), (req, res) => {
+ *       res.json({ updated: true });
+ *   });
+ *
+ *   // Permission-based — require ALL listed permissions
+ *   app.delete('/users/:id', can('users:read', 'users:delete'), (req, res) => {
+ *       res.json({ deleted: true });
+ *   });
+ *
+ *   // ANY permission — useful for overlapping access
+ *   app.get('/reports', canAny('reports:read', 'admin:read'), (req, res) => {
+ *       res.json({ reports: [] });
+ *   });
+ *
+ *   // Policy class — resource-level authorization
+ *   class PostPolicy extends Policy {
+ *       before(user) { if (user.role === 'superadmin') return true; }
+ *       update(user, post) { return user.id === post.authorId || user.role === 'admin'; }
+ *       delete(user, post) { return user.role === 'admin'; }
+ *   }
+ *
+ *   app.put('/posts/:id', gate(new PostPolicy(), 'update', async (req) => {
+ *       return await Post.findById(req.params.id);
+ *   }), (req, res) => {
+ *       // req.resource is auto-populated by gate()
+ *       res.json({ updated: req.resource });
+ *   });
+ *
+ *   // Inline checks via attachUserHelpers()
+ *   app.get('/dashboard', (req, res) => {
+ *       const data = { user: req.user.sub };
+ *       if (req.user.is('admin')) data.adminPanel = true;
+ *       if (req.user.can('reports:export')) data.canExport = true;
+ *       res.json(data);
+ *   });
+ */
+const log = require('../debug')('zero:auth');
+// -- Role-Based Access Control ------------------------------------
+/**
+ * Role-based authorization middleware.
+ * Checks `req.user.role` or `req.user.roles` against allowed roles.
+ *
+ * Returns 401 if `req.user` is missing (not authenticated).
+ * Returns 403 if the user's role is not in the allowed list.
+ *
+ * @param {...string} roles - Allowed roles.
+ * @returns {Function} Middleware `(req, res, next) => void`.
+ *
+ * @example
+ *   app.get('/admin', authorize('admin'), (req, res) => {
+ *       res.json({ message: 'Welcome, admin!' });
+ *   });
+ *
+ * @example | Multiple Roles
+ *   app.put('/posts/:id', authorize('admin', 'editor'), (req, res) => {
+ *       res.json({ updated: true });
+ *   });
+ */
+function authorize(...roles)
+{
+    const allowed = new Set(roles.flat());
+    return function authorizeMiddleware(req, res, next)
+    {
+        if (!req.user)
+        {
+            return res.status(401).json({
+                error: 'Authentication required',
+                code: 'NOT_AUTHENTICATED',
+                statusCode: 401,
+            });
+        }
+        const userRoles = _extractRoles(req.user);
+        const hasRole = userRoles.some(r => allowed.has(r));
+        if (!hasRole)
+        {
+            log.debug('access denied: user roles [%s] not in [%s]', userRoles.join(', '), [...allowed].join(', '));
+            return res.status(403).json({
+                error: 'Insufficient permissions',
+                code: 'FORBIDDEN',
+                statusCode: 403,
+            });
+        }
+        log.debug('authorized: role=%s', userRoles.find(r => allowed.has(r)));
+        next();
+    };
+}
+// -- Permission-Based Access Control --------------------------------
+/**
+ * Permission-based authorization middleware.
+ * Checks `req.user.permissions` (array or Set) for the required permission(s).
+ *
+ * Permission strings follow a `resource:action` convention:
+ *   - `'posts:write'` — write access to posts
+ *   - `'users:delete'` — delete users
+ *   - `'*'` — superuser wildcard
+ *
+ * @param {...string} permissions - Required permissions (ALL must be present unless `opts.any` is true).
+ * @returns {Function} Middleware `(req, res, next) => void`.
+ *
+ * @example | Require Specific Permission
+ *   app.post('/posts', can('posts:write'), (req, res) => {
+ *       res.status(201).json(req.body);
+ *   });
+ *
+ * @example | Require ALL Permissions
+ *   app.put('/users/:id', can('users:read', 'users:write'), (req, res) => {
+ *       res.json({ updated: true });
+ *   });
+ *
+ * @example | Require ANY Permission
+ *   app.get('/dashboard', canAny('admin:read', 'reports:read'), (req, res) => {
+ *       res.json({ dashboard: true });
+ *   });
+ */
+function can(...permissions)
+{
+    return _permissionMiddleware(permissions.flat(), false);
+}
+/**
+ * Like `can()`, but passes if the user has ANY of the listed permissions.
+ *
+ * @param {...string} permissions - Permissions to check (any one is sufficient).
+ * @returns {Function} Middleware.
+ *
+ * @example
+ *   app.get('/reports', canAny('reports:read', 'admin:read'), (req, res) => {
+ *       res.json({ reports: [] });
+ *   });
+ */
+function canAny(...permissions)
+{
+    return _permissionMiddleware(permissions.flat(), true);
+}
+/** @private */
+function _permissionMiddleware(required, anyMode)
+{
+    return function permissionMiddleware(req, res, next)
+    {
+        if (!req.user)
+        {
+            return res.status(401).json({
+                error: 'Authentication required',
+                code: 'NOT_AUTHENTICATED',
+                statusCode: 401,
+            });
+        }
+        const userPerms = _extractPermissions(req.user);
+        // Wildcard superuser
+        if (userPerms.has('*'))
+        {
+            log.debug('wildcard permission granted');
+            return next();
+        }
+        const check = anyMode
+            ? required.some(p => userPerms.has(p))
+            : required.every(p => userPerms.has(p));
+        if (!check)
+        {
+            log.debug('permission denied: required [%s] (mode=%s)', required.join(', '), anyMode ? 'any' : 'all');
+            return res.status(403).json({
+                error: 'Insufficient permissions',
+                code: 'FORBIDDEN',
+                statusCode: 403,
+            });
+        }
+        next();
+    };
+}
+// -- Policy Classes -----------------------------------------------
+/**
+ * Base policy class for resource-level authorization.
+ * Subclass and define methods matching action names.
+ * Each method receives `(user, resource)` and returns `boolean`.
+ *
+ * @example
+ *   class PostPolicy extends Policy {
+ *       view()                 { return true; }          // anyone can view
+ *       update(user, post)     { return user.id === post.authorId; }
+ *       delete(user, post)     { return user.role === 'admin'; }
+ *       publish(user, post)    { return ['admin', 'editor'].includes(user.role); }
+ *   }
+ */
+class Policy
+{
+    /**
+     * Check if an action is allowed.
+     * Falls through to the action method if defined, otherwise denies.
+     *
+     * @param {string} action - The action name (method name).
+     * @param {object} user - The authenticated user.
+     * @param {object} [resource] - The resource being accessed.
+     * @returns {boolean|Promise<boolean>}
+     */
+    check(action, user, resource)
+    {
+        if (typeof this.before === 'function')
+        {
+            const beforeResult = this.before(user, action, resource);
+            if (beforeResult === true) return true;
+            if (beforeResult === false) return false;
+            // undefined = continue to action method
+        }
+        if (typeof this[action] !== 'function') return false;
+        return this[action](user, resource);
+    }
+}
+/**
+ * Policy gate middleware.
+ * Runs a policy check against a resource loaded from the request.
+ *
+ * @param {Policy} policy - Policy instance.
+ * @param {string} action - Action name to check.
+ * @param {Function} [getResource] - `async (req) => resource` loader. If omitted, passes `null`.
+ * @returns {Function} Middleware `(req, res, next) => void`.
+ *
+ * @example
+ *   const postPolicy = new PostPolicy();
+ *
+ *   // With resource loader
+ *   app.put('/posts/:id', gate(postPolicy, 'update', async (req) => {
+ *       return await Post.findById(req.params.id);
+ *   }), (req, res) => {
+ *       res.json({ updated: req.resource });
+ *   });
+ *
+ *   // Without resource (for create/list actions)
+ *   app.post('/posts', gate(postPolicy, 'create'), (req, res) => {
+ *       res.status(201).json(req.body);
+ *   });
+ */
+function gate(policy, action, getResource)
+{
+    return async function gateMiddleware(req, res, next)
+    {
+        if (!req.user)
+        {
+            return res.status(401).json({
+                error: 'Authentication required',
+                code: 'NOT_AUTHENTICATED',
+                statusCode: 401,
+            });
+        }
+        let resource = null;
+        if (typeof getResource === 'function')
+        {
+            resource = await getResource(req);
+        }
+        const allowed = await policy.check(action, req.user, resource);
+        if (!allowed)
+        {
+            log.debug('policy denied: action=%s', action);
+            return res.status(403).json({
+                error: 'Action not allowed',
+                code: 'POLICY_DENIED',
+                statusCode: 403,
+            });
+        }
+        // Attach resource if loaded — saves a redundant DB query in the handler
+        if (resource && !req.resource) req.resource = resource;
+        next();
+    };
+}
+// -- req.user helpers (mixed in by middleware barrel) ----------------
+/**
+ * Attach convenience authorization methods to `req.user`.
+ * Call this middleware after JWT/session middleware.
+ *
+ * Adds:
+ *   - `req.user.is(...roles)` — check roles
+ *   - `req.user.can(...perms)` — check permissions
+ *
+ * @returns {Function} Middleware.
+ *
+ * @example
+ *   app.use(jwt({ secret }));
+ *   app.use(attachUserHelpers());
+ *
+ *   app.get('/dashboard', (req, res) => {
+ *       if (req.user.is('admin')) {
+ *           // admin view
+ *       }
+ *       if (req.user.can('reports:export')) {
+ *           // show export button
+ *       }
+ *   });
+ */
+function attachUserHelpers()
+{
+    return function userHelpersMiddleware(req, res, next)
+    {
+        if (!req.user) return next();
+        if (!req.user.is)
+        {
+            req.user.is = (...roles) =>
+            {
+                const userRoles = _extractRoles(req.user);
+                return roles.flat().some(r => userRoles.includes(r));
+            };
+        }
+        if (!req.user.can)
+        {
+            req.user.can = (...perms) =>
+            {
+                const userPerms = _extractPermissions(req.user);
+                if (userPerms.has('*')) return true;
+                return perms.flat().every(p => userPerms.has(p));
+            };
+        }
+        next();
+    };
+}
+// -- Internal Helpers -----------------------------------------------
+/**
+ * Normalise user roles from various formats.
+ * Supports `user.role` (string), `user.roles` (array), and `user.role` (array).
+ *
+ * @param {object} user
+ * @returns {string[]}
+ * @private
+ */
+function _extractRoles(user)
+{
+    if (!user) return [];
+    if (Array.isArray(user.roles)) return user.roles;
+    if (Array.isArray(user.role)) return user.role;
+    if (typeof user.role === 'string') return [user.role];
+    return [];
+}
+/**
+ * Normalise user permissions from various formats.
+ * Supports `user.permissions` (array or Set), `user.scopes` (array).
+ *
+ * @param {object} user
+ * @returns {Set<string>}
+ * @private
+ */
+function _extractPermissions(user)
+{
+    if (!user) return new Set();
+    if (user.permissions instanceof Set) return user.permissions;
+    if (Array.isArray(user.permissions)) return new Set(user.permissions);
+    if (Array.isArray(user.scopes)) return new Set(user.scopes);
+    return new Set();
+}
+module.exports = {
+    authorize,
+    can,
+    canAny,
+    Policy,
+    gate,
+    attachUserHelpers,
+};