aws-service-stack 0.18.370 → 0.18.371

package/dist/model/base.config.js

@@ -33,6 +33,9 @@ class EntityConfigImpl {
     ENDPOINT_POLICY; // Path-based permission configuration
     ADMIN_GROUP_NAME; // Admin group name for Cognito
     TRACE_CHANGE;
+    SCOPE_MAP;
+    ROLE_TABLE;
+    ROLE_PATH;
     OWNER_PARENT_ID_FIELD_NAME;
     OWNER_ID_FIELD_NAME;
     constructor(basePath, adminGroupName) {
@@ -55,6 +58,20 @@ class EntityConfigImpl {
         this.OPEN_SEARCH = new OpenSearchConfig(domain, index);
         return this;
     }
+    /** Set scope map for RBAC scope-based filtering */
+    setScopes(scopeMap) {
+        this.SCOPE_MAP = scopeMap;
+        return this;
+    }
+    /** Set the DynamoDB table name for RBAC role permissions */
+    setRoleTable(tableName) {
+        this.ROLE_TABLE = tableName;
+        return this;
+    }
+    setRolePath(path) {
+        this.ROLE_PATH = path;
+        return this;
+    }
     /** Set path-based policies */
     setPolicies(policies) {
         this.ENDPOINT_POLICY = policies;
@@ -71,6 +88,9 @@ class EntityConfigImpl {
             ADMIN_GROUP_NAME: this.ADMIN_GROUP_NAME,
             OWNER_PARENT_ID_FIELD_NAME: this.OWNER_PARENT_ID_FIELD_NAME,
             OWNER_ID_FIELD_NAME: this.OWNER_ID_FIELD_NAME,
+            SCOPE_MAP: this.SCOPE_MAP,
+            ROLE_TABLE: this.ROLE_TABLE,
+            ROLE_PATH: this.ROLE_PATH,
         };
     }
 }

package/dist/model/base.config.js.map

@@ -1 +1 @@
-{"version":3,"file":"base.config.js","sourceRoot":"","sources":["../../src/model/base.config.ts"],"names":[],"mappings":";;;AAEA,qCAAqC;AACrC,MAAa,cAAc;IACzB,IAAI,CAAS,CAAC,sBAAsB;IACpC,uBAAuB,CAAU;IACjC,gBAAgB,CAAS,CAAC,iCAAiC;IAC3D,GAAG,CAAiB;IAEpB,YAAY,SAAiB,EAAE,cAAsB,EAAE,QAAwB,EAAE,eAAwB;QACvG,IAAI,CAAC,IAAI,GAAG,SAAS,CAAC;QACtB,IAAI,CAAC,uBAAuB,GAAG,eAAe,CAAC;QAC/C,IAAI,CAAC,gBAAgB,GAAG,cAAc,CAAC;QACvC,IAAI,CAAC,GAAG,GAAG,QAAQ,CAAC;IACtB,CAAC;CACF;AAZD,wCAYC;AAED,uCAAuC;AACvC,MAAa,gBAAgB;IAC3B,MAAM,CAAS;IACf,KAAK,CAAS;IAEd,YAAY,MAAc,EAAE,SAAiB;QAC3C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,SAAS,CAAC;IACzB,CAAC;CACF;AARD,4CAQC;AAcD,0CAA0C;AAC1C,MAAa,gBAAgB;IAC3B,SAAS,CAAS,CAAC,uCAAuC;IAC1D,SAAS,CAAiB,CAAC,yBAAyB;IACpD,WAAW,CAAmB,CAAC,2BAA2B;IAC1D,eAAe,CAAmB,CAAC,sCAAsC;IACzE,gBAAgB,CAAW,CAAC,+BAA+B;IAE3D,YAAY,CAAe;IAE3B,0BAA0B,CAAU;IACpC,mBAAmB,CAAS;IAE5B,YAAY,QAAgB,EAAE,cAAyB;QACrD,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC1B,IAAI,CAAC,gBAAgB,GAAG,cAAc,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,IAAI,CAAC,eAAe,GAAG,EAAE,CAAC;IAC5B,CAAC;IAED,cAAc,CAAC,WAAwB;QACrC,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IAClC,CAAC;IAED,iCAAiC;IACjC,WAAW,CACT,SAAiB,EACjB,cAAsB,EACtB,QAAwB,EACxB,oBAA6B;QAE7B,IAAI,CAAC,SAAS,GAAG,IAAI,cAAc,CAAC,SAAS,EAAE,cAAc,EAAE,QAAQ,EAAE,oBAAoB,CAAC,CAAC;QAC/F,IAAI,CAAC,0BAA0B,GAAG,oBAAoB,CAAC;QACvD,IAAI,CAAC,mBAAmB,GAAG,cAAc,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mCAAmC;IACnC,aAAa,CAAC,MAAc,EAAE,KAAa;QACzC,IAAI,CAAC,WAAW,GAAG,IAAI,gBAAgB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8BAA8B;IAC9B,WAAW,CAAC,QAA0B;QACpC,IAAI,CAAC,eAAe,GAAG,QAAQ,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6EAA6E;IAC7E,QAAQ;QACN,OAAO;YACL,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;YACvC,0BAA0B,EAAE,IAAI,CAAC,0BAA0B;YAC3D,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;SAC9C,CAAC;IACJ,CAAC;CACF;AA5DD,4CA4DC","sourcesContent":["import { DynamoIndexMap, EndpointPolicy, TraceChange } from \"@chinggis/core\";\n\n/** Generic DynamoDB Configuration */\nexport class DynamoDBConfig {\n  NAME: string; // DynamoDB table name\n  OWNER_PARENT_FIELD_NAME?: string;\n  OWNER_FIELD_NAME: string; // DynamoDB index map for queries\n  MAP: DynamoIndexMap;\n\n  constructor(tableName: string, ownerFieldName: string, indexMap: DynamoIndexMap, parentFieldName?: string) {\n    this.NAME = tableName;\n    this.OWNER_PARENT_FIELD_NAME = parentFieldName;\n    this.OWNER_FIELD_NAME = ownerFieldName;\n    this.MAP = indexMap;\n  }\n}\n\n/** Generic OpenSearch Configuration */\nexport class OpenSearchConfig {\n  DOMAIN: string;\n  INDEX: string;\n\n  constructor(domain: string, indexName: string) {\n    this.DOMAIN = domain;\n    this.INDEX = indexName;\n  }\n}\n\n/** Configuration interface for type safety */\nexport interface EntityConfig {\n  BASE_PATH: string;\n  DYNAMO_DB: DynamoDBConfig;\n  OPEN_SEARCH: OpenSearchConfig;\n  ENDPOINT_POLICY: EndpointPolicy[];\n  ADMIN_GROUP_NAME: string[];\n  OWNER_PARENT_ID_FIELD_NAME?: string;\n  OWNER_ID_FIELD_NAME?: string;\n  TRACE_CHANGE?: TraceChange;\n}\n\n/** Generic Entity Configuration Class **/\nexport class EntityConfigImpl implements EntityConfig {\n  BASE_PATH: string; //Entity name for logging and debugging\n  DYNAMO_DB: DynamoDBConfig; // DynamoDB configuration\n  OPEN_SEARCH: OpenSearchConfig; // OpenSearch configuration\n  ENDPOINT_POLICY: EndpointPolicy[]; // Path-based permission configuration\n  ADMIN_GROUP_NAME: string[]; // Admin group name for Cognito\n\n  TRACE_CHANGE?: TraceChange;\n\n  OWNER_PARENT_ID_FIELD_NAME?: string;\n  OWNER_ID_FIELD_NAME: string;\n\n  constructor(basePath: string, adminGroupName?: string[]) {\n    this.BASE_PATH = basePath;\n    this.ADMIN_GROUP_NAME = adminGroupName || [\"admin\"];\n    this.ENDPOINT_POLICY = [];\n  }\n\n  setTraceChange(traceChange: TraceChange): void {\n    this.TRACE_CHANGE = traceChange;\n  }\n\n  /** Set DynamoDB configuration */\n  setDynamoDB(\n    tableName: string,\n    ownerFieldName: string,\n    indexMap: DynamoIndexMap,\n    ownerParentFieldName?: string,\n  ): this {\n    this.DYNAMO_DB = new DynamoDBConfig(tableName, ownerFieldName, indexMap, ownerParentFieldName);\n    this.OWNER_PARENT_ID_FIELD_NAME = ownerParentFieldName;\n    this.OWNER_ID_FIELD_NAME = ownerFieldName;\n    return this;\n  }\n\n  /** Set OpenSearch configuration */\n  setOpenSearch(domain: string, index: string): this {\n    this.OPEN_SEARCH = new OpenSearchConfig(domain, index);\n    return this;\n  }\n\n  /** Set path-based policies */\n  setPolicies(policies: EndpointPolicy[]): this {\n    this.ENDPOINT_POLICY = policies;\n    return this;\n  }\n\n  /** Get configuration as a plain object (for BaseController compatibility) */\n  toObject(): EntityConfig {\n    return {\n      BASE_PATH: this.BASE_PATH,\n      DYNAMO_DB: this.DYNAMO_DB,\n      OPEN_SEARCH: this.OPEN_SEARCH,\n      ENDPOINT_POLICY: this.ENDPOINT_POLICY,\n      TRACE_CHANGE: this.TRACE_CHANGE,\n      ADMIN_GROUP_NAME: this.ADMIN_GROUP_NAME,\n      OWNER_PARENT_ID_FIELD_NAME: this.OWNER_PARENT_ID_FIELD_NAME,\n      OWNER_ID_FIELD_NAME: this.OWNER_ID_FIELD_NAME,\n    };\n  }\n}\n"]}
+{"version":3,"file":"base.config.js","sourceRoot":"","sources":["../../src/model/base.config.ts"],"names":[],"mappings":";;;AAEA,qCAAqC;AACrC,MAAa,cAAc;IACzB,IAAI,CAAS,CAAC,sBAAsB;IACpC,uBAAuB,CAAU;IACjC,gBAAgB,CAAS,CAAC,iCAAiC;IAC3D,GAAG,CAAiB;IAEpB,YAAY,SAAiB,EAAE,cAAsB,EAAE,QAAwB,EAAE,eAAwB;QACvG,IAAI,CAAC,IAAI,GAAG,SAAS,CAAC;QACtB,IAAI,CAAC,uBAAuB,GAAG,eAAe,CAAC;QAC/C,IAAI,CAAC,gBAAgB,GAAG,cAAc,CAAC;QACvC,IAAI,CAAC,GAAG,GAAG,QAAQ,CAAC;IACtB,CAAC;CACF;AAZD,wCAYC;AAED,uCAAuC;AACvC,MAAa,gBAAgB;IAC3B,MAAM,CAAS;IACf,KAAK,CAAS;IAEd,YAAY,MAAc,EAAE,SAAiB;QAC3C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,KAAK,GAAG,SAAS,CAAC;IACzB,CAAC;CACF;AARD,4CAQC;AAiBD,0CAA0C;AAC1C,MAAa,gBAAgB;IAC3B,SAAS,CAAS,CAAC,uCAAuC;IAC1D,SAAS,CAAiB,CAAC,yBAAyB;IACpD,WAAW,CAAmB,CAAC,2BAA2B;IAC1D,eAAe,CAAmB,CAAC,sCAAsC;IACzE,gBAAgB,CAAW,CAAC,+BAA+B;IAE3D,YAAY,CAAe;IAC3B,SAAS,CAAY;IACrB,UAAU,CAAU;IACpB,SAAS,CAAU;IAEnB,0BAA0B,CAAU;IACpC,mBAAmB,CAAS;IAE5B,YAAY,QAAgB,EAAE,cAAyB;QACrD,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC1B,IAAI,CAAC,gBAAgB,GAAG,cAAc,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,IAAI,CAAC,eAAe,GAAG,EAAE,CAAC;IAC5B,CAAC;IAED,cAAc,CAAC,WAAwB;QACrC,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;IAClC,CAAC;IAED,iCAAiC;IACjC,WAAW,CACT,SAAiB,EACjB,cAAsB,EACtB,QAAwB,EACxB,oBAA6B;QAE7B,IAAI,CAAC,SAAS,GAAG,IAAI,cAAc,CAAC,SAAS,EAAE,cAAc,EAAE,QAAQ,EAAE,oBAAoB,CAAC,CAAC;QAC/F,IAAI,CAAC,0BAA0B,GAAG,oBAAoB,CAAC;QACvD,IAAI,CAAC,mBAAmB,GAAG,cAAc,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mCAAmC;IACnC,aAAa,CAAC,MAAc,EAAE,KAAa;QACzC,IAAI,CAAC,WAAW,GAAG,IAAI,gBAAgB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mDAAmD;IACnD,SAAS,CAAC,QAAkB;QAC1B,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,4DAA4D;IAC5D,YAAY,CAAC,SAAiB;QAC5B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,WAAW,CAAC,IAAY;QACtB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8BAA8B;IAC9B,WAAW,CAAC,QAA0B;QACpC,IAAI,CAAC,eAAe,GAAG,QAAQ,CAAC;QAChC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6EAA6E;IAC7E,QAAQ;QACN,OAAO;YACL,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;YACvC,0BAA0B,EAAE,IAAI,CAAC,0BAA0B;YAC3D,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;YAC7C,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B,CAAC;IACJ,CAAC;CACF;AAnFD,4CAmFC","sourcesContent":["import { DynamoIndexMap, EndpointPolicy, ScopeMap, TraceChange } from \"@chinggis/core\";\n\n/** Generic DynamoDB Configuration */\nexport class DynamoDBConfig {\n  NAME: string; // DynamoDB table name\n  OWNER_PARENT_FIELD_NAME?: string;\n  OWNER_FIELD_NAME: string; // DynamoDB index map for queries\n  MAP: DynamoIndexMap;\n\n  constructor(tableName: string, ownerFieldName: string, indexMap: DynamoIndexMap, parentFieldName?: string) {\n    this.NAME = tableName;\n    this.OWNER_PARENT_FIELD_NAME = parentFieldName;\n    this.OWNER_FIELD_NAME = ownerFieldName;\n    this.MAP = indexMap;\n  }\n}\n\n/** Generic OpenSearch Configuration */\nexport class OpenSearchConfig {\n  DOMAIN: string;\n  INDEX: string;\n\n  constructor(domain: string, indexName: string) {\n    this.DOMAIN = domain;\n    this.INDEX = indexName;\n  }\n}\n\n/** Configuration interface for type safety */\nexport interface EntityConfig {\n  BASE_PATH: string;\n  DYNAMO_DB: DynamoDBConfig;\n  OPEN_SEARCH: OpenSearchConfig;\n  ENDPOINT_POLICY: EndpointPolicy[];\n  ADMIN_GROUP_NAME: string[];\n  OWNER_PARENT_ID_FIELD_NAME?: string;\n  OWNER_ID_FIELD_NAME?: string;\n  TRACE_CHANGE?: TraceChange;\n  SCOPE_MAP?: ScopeMap;\n  ROLE_TABLE?: string;\n  ROLE_PATH?: string;\n}\n\n/** Generic Entity Configuration Class **/\nexport class EntityConfigImpl implements EntityConfig {\n  BASE_PATH: string; //Entity name for logging and debugging\n  DYNAMO_DB: DynamoDBConfig; // DynamoDB configuration\n  OPEN_SEARCH: OpenSearchConfig; // OpenSearch configuration\n  ENDPOINT_POLICY: EndpointPolicy[]; // Path-based permission configuration\n  ADMIN_GROUP_NAME: string[]; // Admin group name for Cognito\n\n  TRACE_CHANGE?: TraceChange;\n  SCOPE_MAP?: ScopeMap;\n  ROLE_TABLE?: string;\n  ROLE_PATH?: string;\n\n  OWNER_PARENT_ID_FIELD_NAME?: string;\n  OWNER_ID_FIELD_NAME: string;\n\n  constructor(basePath: string, adminGroupName?: string[]) {\n    this.BASE_PATH = basePath;\n    this.ADMIN_GROUP_NAME = adminGroupName || [\"admin\"];\n    this.ENDPOINT_POLICY = [];\n  }\n\n  setTraceChange(traceChange: TraceChange): void {\n    this.TRACE_CHANGE = traceChange;\n  }\n\n  /** Set DynamoDB configuration */\n  setDynamoDB(\n    tableName: string,\n    ownerFieldName: string,\n    indexMap: DynamoIndexMap,\n    ownerParentFieldName?: string,\n  ): this {\n    this.DYNAMO_DB = new DynamoDBConfig(tableName, ownerFieldName, indexMap, ownerParentFieldName);\n    this.OWNER_PARENT_ID_FIELD_NAME = ownerParentFieldName;\n    this.OWNER_ID_FIELD_NAME = ownerFieldName;\n    return this;\n  }\n\n  /** Set OpenSearch configuration */\n  setOpenSearch(domain: string, index: string): this {\n    this.OPEN_SEARCH = new OpenSearchConfig(domain, index);\n    return this;\n  }\n\n  /** Set scope map for RBAC scope-based filtering */\n  setScopes(scopeMap: ScopeMap): this {\n    this.SCOPE_MAP = scopeMap;\n    return this;\n  }\n\n  /** Set the DynamoDB table name for RBAC role permissions */\n  setRoleTable(tableName: string): this {\n    this.ROLE_TABLE = tableName;\n    return this;\n  }\n\n  setRolePath(path: string): this {\n    this.ROLE_PATH = path;\n    return this;\n  }\n\n  /** Set path-based policies */\n  setPolicies(policies: EndpointPolicy[]): this {\n    this.ENDPOINT_POLICY = policies;\n    return this;\n  }\n\n  /** Get configuration as a plain object (for BaseController compatibility) */\n  toObject(): EntityConfig {\n    return {\n      BASE_PATH: this.BASE_PATH,\n      DYNAMO_DB: this.DYNAMO_DB,\n      OPEN_SEARCH: this.OPEN_SEARCH,\n      ENDPOINT_POLICY: this.ENDPOINT_POLICY,\n      TRACE_CHANGE: this.TRACE_CHANGE,\n      ADMIN_GROUP_NAME: this.ADMIN_GROUP_NAME,\n      OWNER_PARENT_ID_FIELD_NAME: this.OWNER_PARENT_ID_FIELD_NAME,\n      OWNER_ID_FIELD_NAME: this.OWNER_ID_FIELD_NAME,\n      SCOPE_MAP: this.SCOPE_MAP,\n      ROLE_TABLE: this.ROLE_TABLE,\n      ROLE_PATH: this.ROLE_PATH,\n    };\n  }\n}\n"]}

package/dist/model/base.model.d.ts

@@ -45,3 +45,22 @@ export declare enum InclusionMode {
     INCLUDE = "include",
     EXCLUDE = "exclude"
 }
+export interface RolePermission {
+    role: string;
+    permissions: string[];
+}
+/**
+ * Map of scope name → { filterField, claimKey }.
+ * Key is scope name (e.g. "branch", "agent", "org").
+ *
+ * Usage:
+ *   new ScopeMap()
+ *     .set("branch", { filterField: "branchId", claimKey: "custom:branch" })
+ *     .set("agent",  { filterField: "agentId",  claimKey: "custom:agent" })
+ *     .set("org",    { filterField: "orgId",    claimKey: "custom:org" })
+ */
+export declare class ScopeMap extends Map<string, {
+    filterField: string;
+    claimKey?: string;
+}> {
+}

package/dist/model/base.model.js

@@ -1,9 +1,22 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.InclusionMode = void 0;
+exports.ScopeMap = exports.InclusionMode = void 0;
 var InclusionMode;
 (function (InclusionMode) {
     InclusionMode["INCLUDE"] = "include";
     InclusionMode["EXCLUDE"] = "exclude";
 })(InclusionMode || (exports.InclusionMode = InclusionMode = {}));
+/**
+ * Map of scope name → { filterField, claimKey }.
+ * Key is scope name (e.g. "branch", "agent", "org").
+ *
+ * Usage:
+ *   new ScopeMap()
+ *     .set("branch", { filterField: "branchId", claimKey: "custom:branch" })
+ *     .set("agent",  { filterField: "agentId",  claimKey: "custom:agent" })
+ *     .set("org",    { filterField: "orgId",    claimKey: "custom:org" })
+ */
+class ScopeMap extends Map {
+}
+exports.ScopeMap = ScopeMap;
 //# sourceMappingURL=base.model.js.map

package/dist/model/base.model.js.map

@@ -1 +1 @@
-{"version":3,"file":"base.model.js","sourceRoot":"","sources":["../../src/model/base.model.ts"],"names":[],"mappings":";;;AAwDA,IAAY,aAGX;AAHD,WAAY,aAAa;IACvB,oCAAmB,CAAA;IACnB,oCAAmB,CAAA;AACrB,CAAC,EAHW,aAAa,6BAAb,aAAa,QAGxB","sourcesContent":["import { RequestType } from \"./validation.model\";\nimport { Action } from \"./http.model\";\n\nexport interface BaseEntity {\n  id?: string;\n  createdAt?: string;\n  updatedAt?: string;\n\n  createdBy?: any;\n  updatedBy?: any;\n\n  ownerId?: string;\n  ownerParentId?: string;\n\n  permission?: Map<string, Permission[]>;\n\n  history?: ChangeHistory[];\n\n  year?: string;\n  yearMonth?: string;\n}\n\nexport interface ChangedField {\n  fieldName: string;\n  oldValue: string;\n  newValue: string;\n}\n\nexport interface ChangeHistory {\n  action: string;\n  user: string;\n  date: string;\n  changes?: ChangedField[];\n}\n\nexport interface Permission {\n  role: RequestType;\n  actions: Action[];\n}\n\nexport interface Attachment {\n  thumbnail: string;\n  original: string;\n}\n\nexport interface List<T> {\n  items: Array<T>;\n  total?: number;\n  lastKey?: string;\n}\n\nexport interface TraceChange {\n  fields: string[];\n  mode: InclusionMode;\n}\n\nexport enum InclusionMode {\n  INCLUDE = \"include\",\n  EXCLUDE = \"exclude\",\n}\n"]}
+{"version":3,"file":"base.model.js","sourceRoot":"","sources":["../../src/model/base.model.ts"],"names":[],"mappings":";;;AAwDA,IAAY,aAGX;AAHD,WAAY,aAAa;IACvB,oCAAmB,CAAA;IACnB,oCAAmB,CAAA;AACrB,CAAC,EAHW,aAAa,6BAAb,aAAa,QAGxB;AAOD;;;;;;;;;GASG;AACH,MAAa,QAAS,SAAQ,GAAuD;CAAG;AAAxF,4BAAwF","sourcesContent":["import { RequestType } from \"./validation.model\";\nimport { Action } from \"./http.model\";\n\nexport interface BaseEntity {\n  id?: string;\n  createdAt?: string;\n  updatedAt?: string;\n\n  createdBy?: any;\n  updatedBy?: any;\n\n  ownerId?: string;\n  ownerParentId?: string;\n\n  permission?: Map<string, Permission[]>;\n\n  history?: ChangeHistory[];\n\n  year?: string;\n  yearMonth?: string;\n}\n\nexport interface ChangedField {\n  fieldName: string;\n  oldValue: string;\n  newValue: string;\n}\n\nexport interface ChangeHistory {\n  action: string;\n  user: string;\n  date: string;\n  changes?: ChangedField[];\n}\n\nexport interface Permission {\n  role: RequestType;\n  actions: Action[];\n}\n\nexport interface Attachment {\n  thumbnail: string;\n  original: string;\n}\n\nexport interface List<T> {\n  items: Array<T>;\n  total?: number;\n  lastKey?: string;\n}\n\nexport interface TraceChange {\n  fields: string[];\n  mode: InclusionMode;\n}\n\nexport enum InclusionMode {\n  INCLUDE = \"include\",\n  EXCLUDE = \"exclude\",\n}\n\nexport interface RolePermission {\n  role: string;\n  permissions: string[];\n}\n\n/**\n * Map of scope name → { filterField, claimKey }.\n * Key is scope name (e.g. \"branch\", \"agent\", \"org\").\n *\n * Usage:\n *   new ScopeMap()\n *     .set(\"branch\", { filterField: \"branchId\", claimKey: \"custom:branch\" })\n *     .set(\"agent\",  { filterField: \"agentId\",  claimKey: \"custom:agent\" })\n *     .set(\"org\",    { filterField: \"orgId\",    claimKey: \"custom:org\" })\n */\nexport class ScopeMap extends Map<string, { filterField: string; claimKey?: string }> {}\n"]}

package/dist/model/index.d.ts

@@ -5,3 +5,4 @@ export * from "./filter.model";
 export * from "./validation.model";
 export * from "./dynamodb.model";
 export * from "./base.config";
+export { Permission as RolePermission } from "./role.model";

package/dist/model/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/model/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,uDAAqC;AACrC,+CAA6B;AAC7B,+CAA6B;AAC7B,iDAA+B;AAC/B,qDAAmC;AACnC,mDAAiC;AACjC,gDAA8B","sourcesContent":["export * from \"./cognito-user.model\";\nexport * from \"./http.model\";\nexport * from \"./base.model\";\nexport * from \"./filter.model\";\nexport * from \"./validation.model\";\nexport * from \"./dynamodb.model\";\nexport * from \"./base.config\";\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/model/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,uDAAqC;AACrC,+CAA6B;AAC7B,+CAA6B;AAC7B,iDAA+B;AAC/B,qDAAmC;AACnC,mDAAiC;AACjC,gDAA8B","sourcesContent":["export * from \"./cognito-user.model\";\nexport * from \"./http.model\";\nexport * from \"./base.model\";\nexport * from \"./filter.model\";\nexport * from \"./validation.model\";\nexport * from \"./dynamodb.model\";\nexport * from \"./base.config\";\nexport { Permission as RolePermission } from \"./role.model\";\n"]}

package/dist/model/role.model.d.ts

@@ -0,0 +1,20 @@
+import { BaseEntity } from "./base.model";
+export interface Permission extends BaseEntity {
+    role: string;
+    resource: string;
+    scope: string;
+    method: {
+        get?: boolean;
+        post?: boolean;
+        patch?: boolean;
+        put?: boolean;
+        delete?: boolean;
+    };
+    permissionKey: string;
+}
+/**
+ * Build a fully-qualified permission key.
+ * Format: `${role}.${resource}.${scope}.${method}`
+ * Example: `OwnerRole.PropertyTable.BranchScope.GET`
+ */
+export declare function buildPermissionKey(role: string, resource: string, scope: string, method: string): string;

package/dist/model/role.model.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildPermissionKey = buildPermissionKey;
+/**
+ * Build a fully-qualified permission key.
+ * Format: `${role}.${resource}.${scope}.${method}`
+ * Example: `OwnerRole.PropertyTable.BranchScope.GET`
+ */
+function buildPermissionKey(role, resource, scope, method) {
+    return `${role}.${resource}.${scope}.${method}`;
+}
+//# sourceMappingURL=role.model.js.map

package/dist/model/role.model.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"role.model.js","sourceRoot":"","sources":["../../src/model/role.model.ts"],"names":[],"mappings":";;AAqBA,gDAEC;AAPD;;;;GAIG;AACH,SAAgB,kBAAkB,CAAC,IAAY,EAAE,QAAgB,EAAE,KAAa,EAAE,MAAc;IAC9F,OAAO,GAAG,IAAI,IAAI,QAAQ,IAAI,KAAK,IAAI,MAAM,EAAE,CAAC;AAClD,CAAC","sourcesContent":["import { BaseEntity } from \"./base.model\";\n\nexport interface Permission extends BaseEntity {\n  role: string; // DB Index: Manager | User etc\n  resource: string; // DB Index: Property | Profile etc\n  scope: string; // DB Index: Organization | Branch | Agent\n  method: {\n    get?: boolean;\n    post?: boolean;\n    patch?: boolean;\n    put?: boolean;\n    delete?: boolean;\n  };\n  permissionKey: string; // DB Index: role#resourse#scope Manager#Property#Branch\n}\n\n/**\n * Build a fully-qualified permission key.\n * Format: `${role}.${resource}.${scope}.${method}`\n * Example: `OwnerRole.PropertyTable.BranchScope.GET`\n */\nexport function buildPermissionKey(role: string, resource: string, scope: string, method: string): string {\n  return `${role}.${resource}.${scope}.${method}`;\n}\n"]}

package/dist/model/validation.model.d.ts

@@ -7,7 +7,7 @@ export interface ResponseFields {
 export interface EndpointPolicy {
     method: HttpMethod;
     path: string;
-    access: Access[];
+    access?: Access[];
     validator?: any;
     response?: ResponseFields;
 }

package/dist/model/validation.model.js.map

@@ -1 +1 @@
-{"version":3,"file":"validation.model.js","sourceRoot":"","sources":["../../src/model/validation.model.ts"],"names":[],"mappings":";;;AAgBA,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,8BAAe,CAAA;IACf,4BAAa,CAAA;IACb,8BAAe,CAAA;IACf,gCAAiB,CAAA;AACnB,CAAC,EALW,WAAW,2BAAX,WAAW,QAKtB;AAED,IAAY,MAMX;AAND,WAAY,MAAM;IAChB,2BAAiB,CAAA;IACjB,uBAAa,CAAA;IACb,yBAAe,CAAA;IACf,yBAAe,CAAA;IACf,2BAAiB,CAAA;AACnB,CAAC,EANW,MAAM,sBAAN,MAAM,QAMjB","sourcesContent":["import { HttpMethod } from \"@chinggis/core\";\n\nexport interface ResponseFields {\n  include?: string[];\n  exclude?: string[];\n}\n\n/** Path-based permission definition */\nexport interface EndpointPolicy {\n  method: HttpMethod;\n  path: string;\n  access: Access[];\n  validator?: any;\n  response?: ResponseFields;\n}\n\nexport enum RequestType {\n  GUEST = \"guest\",\n  USER = \"user\",\n  ADMIN = \"admin\",\n  SYSTEM = \"system\",\n}\n\nexport enum Access {\n  PUBLIC = \"public\",\n  USER = \"user\",\n  OWNER = \"owner\",\n  ADMIN = \"admin\",\n  SYSTEM = \"system\",\n}\n"]}
+{"version":3,"file":"validation.model.js","sourceRoot":"","sources":["../../src/model/validation.model.ts"],"names":[],"mappings":";;;AAgBA,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,8BAAe,CAAA;IACf,4BAAa,CAAA;IACb,8BAAe,CAAA;IACf,gCAAiB,CAAA;AACnB,CAAC,EALW,WAAW,2BAAX,WAAW,QAKtB;AAED,IAAY,MAMX;AAND,WAAY,MAAM;IAChB,2BAAiB,CAAA;IACjB,uBAAa,CAAA;IACb,yBAAe,CAAA;IACf,yBAAe,CAAA;IACf,2BAAiB,CAAA;AACnB,CAAC,EANW,MAAM,sBAAN,MAAM,QAMjB","sourcesContent":["import { HttpMethod } from \"@chinggis/core\";\n\nexport interface ResponseFields {\n  include?: string[];\n  exclude?: string[];\n}\n\n/** Path-based permission definition */\nexport interface EndpointPolicy {\n  method: HttpMethod;\n  path: string;\n  access?: Access[];\n  validator?: any;\n  response?: ResponseFields;\n}\n\nexport enum RequestType {\n  GUEST = \"guest\",\n  USER = \"user\",\n  ADMIN = \"admin\",\n  SYSTEM = \"system\",\n}\n\nexport enum Access {\n  PUBLIC = \"public\",\n  USER = \"user\",\n  OWNER = \"owner\",\n  ADMIN = \"admin\",\n  SYSTEM = \"system\",\n}\n"]}

package/dist/service/index.d.ts

@@ -7,3 +7,6 @@ export * from "./crud.service";
 export * from "./crud.service.interface";
 export * from "./stream.service";
 export * from "./stream.service.interface";
+export * from "./permission.cache";
+export * from "./permission.repo";
+export * from "./permission.service";

package/dist/service/index.js

@@ -23,4 +23,7 @@ __exportStar(require("./crud.service"), exports);
 __exportStar(require("./crud.service.interface"), exports);
 __exportStar(require("./stream.service"), exports);
 __exportStar(require("./stream.service.interface"), exports);
+__exportStar(require("./permission.cache"), exports);
+__exportStar(require("./permission.repo"), exports);
+__exportStar(require("./permission.service"), exports);
 //# sourceMappingURL=index.js.map

package/dist/service/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/service/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iDAA+B;AAC/B,iDAA+B;AAC/B,2DAAyC;AACzC,mDAAiC;AACjC,6DAA2C;AAC3C,iDAA+B;AAC/B,2DAAyC;AACzC,mDAAiC;AACjC,6DAA2C","sourcesContent":["export * from \"./api.services\";\nexport * from \"./base.service\";\nexport * from \"./base.service.interface\";\nexport * from \"./socket.service\";\nexport * from \"./socket.service.interface\";\nexport * from \"./crud.service\";\nexport * from \"./crud.service.interface\";\nexport * from \"./stream.service\";\nexport * from \"./stream.service.interface\";\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/service/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iDAA+B;AAC/B,iDAA+B;AAC/B,2DAAyC;AACzC,mDAAiC;AACjC,6DAA2C;AAC3C,iDAA+B;AAC/B,2DAAyC;AACzC,mDAAiC;AACjC,6DAA2C;AAC3C,qDAAmC;AACnC,oDAAkC;AAClC,uDAAqC","sourcesContent":["export * from \"./api.services\";\nexport * from \"./base.service\";\nexport * from \"./base.service.interface\";\nexport * from \"./socket.service\";\nexport * from \"./socket.service.interface\";\nexport * from \"./crud.service\";\nexport * from \"./crud.service.interface\";\nexport * from \"./stream.service\";\nexport * from \"./stream.service.interface\";\nexport * from \"./permission.cache\";\nexport * from \"./permission.repo\";\nexport * from \"./permission.service\";\n"]}

package/dist/service/permission.cache.d.ts

@@ -0,0 +1,24 @@
+import { Permission } from "../model/role.model";
+/**
+ * In-memory read-through cache for Permission entities.
+ *
+ * - Keyed by permissionKey (deterministic, namespaced).
+ * - TTL-based expiry per entry.
+ * - Survives across warm Lambda invocations (module-level singleton).
+ * - Handles concurrent fetches for the same key via in-flight dedup.
+ */
+export declare class PermissionCache {
+    private readonly store;
+    private readonly inflight;
+    private readonly ttlMs;
+    constructor(ttlMs?: number);
+    get(key: string): Permission | null;
+    set(key: string, value: Permission): void;
+    /**
+     * Read-through: returns cached value or calls `fetcher` exactly once.
+     * Concurrent calls for the same key share a single in-flight promise.
+     */
+    getOrFetch(key: string, fetcher: () => Promise<Permission | null>): Promise<Permission | null>;
+    invalidate(key: string): void;
+    clear(): void;
+}

package/dist/service/permission.cache.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionCache = void 0;
+const DEFAULT_TTL_MS = 15 * 60 * 1000; // 15 minutes
+/**
+ * In-memory read-through cache for Permission entities.
+ *
+ * - Keyed by permissionKey (deterministic, namespaced).
+ * - TTL-based expiry per entry.
+ * - Survives across warm Lambda invocations (module-level singleton).
+ * - Handles concurrent fetches for the same key via in-flight dedup.
+ */
+class PermissionCache {
+    store = new Map();
+    inflight = new Map();
+    ttlMs;
+    constructor(ttlMs = DEFAULT_TTL_MS) {
+        this.ttlMs = ttlMs;
+    }
+    get(key) {
+        const entry = this.store.get(key);
+        if (!entry)
+            return null;
+        if (Date.now() > entry.expiresAt) {
+            this.store.delete(key);
+            return null;
+        }
+        return entry.value;
+    }
+    set(key, value) {
+        this.store.set(key, { value, expiresAt: Date.now() + this.ttlMs });
+    }
+    /**
+     * Read-through: returns cached value or calls `fetcher` exactly once.
+     * Concurrent calls for the same key share a single in-flight promise.
+     */
+    async getOrFetch(key, fetcher) {
+        const cached = this.get(key);
+        if (cached)
+            return cached;
+        const existing = this.inflight.get(key);
+        if (existing)
+            return existing;
+        const promise = fetcher().then((result) => {
+            this.inflight.delete(key);
+            if (result)
+                this.set(key, result);
+            return result;
+        });
+        this.inflight.set(key, promise);
+        return promise;
+    }
+    invalidate(key) {
+        this.store.delete(key);
+    }
+    clear() {
+        this.store.clear();
+    }
+}
+exports.PermissionCache = PermissionCache;
+//# sourceMappingURL=permission.cache.js.map

package/dist/service/permission.cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission.cache.js","sourceRoot":"","sources":["../../src/service/permission.cache.ts"],"names":[],"mappings":";;;AAOA,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AAEpD;;;;;;;GAOG;AACH,MAAa,eAAe;IACT,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;IACtC,QAAQ,GAAG,IAAI,GAAG,EAAsC,CAAC;IACzD,KAAK,CAAS;IAE/B,YAAY,QAAgB,cAAc;QACxC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAED,GAAG,CAAC,GAAW;QACb,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC,KAAK,CAAC;IACrB,CAAC;IAED,GAAG,CAAC,GAAW,EAAE,KAAiB;QAChC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IACrE,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,OAAyC;QACrE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAE9B,MAAM,OAAO,GAAG,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;YACxC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC1B,IAAI,MAAM;gBAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAClC,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAChC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,UAAU,CAAC,GAAW;QACpB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAnDD,0CAmDC","sourcesContent":["import { Permission } from \"../model/role.model\";\n\ninterface CacheEntry {\n  value: Permission;\n  expiresAt: number;\n}\n\nconst DEFAULT_TTL_MS = 15 * 60 * 1000; // 15 minutes\n\n/**\n * In-memory read-through cache for Permission entities.\n *\n * - Keyed by permissionKey (deterministic, namespaced).\n * - TTL-based expiry per entry.\n * - Survives across warm Lambda invocations (module-level singleton).\n * - Handles concurrent fetches for the same key via in-flight dedup.\n */\nexport class PermissionCache {\n  private readonly store = new Map<string, CacheEntry>();\n  private readonly inflight = new Map<string, Promise<Permission | null>>();\n  private readonly ttlMs: number;\n\n  constructor(ttlMs: number = DEFAULT_TTL_MS) {\n    this.ttlMs = ttlMs;\n  }\n\n  get(key: string): Permission | null {\n    const entry = this.store.get(key);\n    if (!entry) return null;\n    if (Date.now() > entry.expiresAt) {\n      this.store.delete(key);\n      return null;\n    }\n    return entry.value;\n  }\n\n  set(key: string, value: Permission): void {\n    this.store.set(key, { value, expiresAt: Date.now() + this.ttlMs });\n  }\n\n  /**\n   * Read-through: returns cached value or calls `fetcher` exactly once.\n   * Concurrent calls for the same key share a single in-flight promise.\n   */\n  async getOrFetch(key: string, fetcher: () => Promise<Permission | null>): Promise<Permission | null> {\n    const cached = this.get(key);\n    if (cached) return cached;\n\n    const existing = this.inflight.get(key);\n    if (existing) return existing;\n\n    const promise = fetcher().then((result) => {\n      this.inflight.delete(key);\n      if (result) this.set(key, result);\n      return result;\n    });\n\n    this.inflight.set(key, promise);\n    return promise;\n  }\n\n  invalidate(key: string): void {\n    this.store.delete(key);\n  }\n\n  clear(): void {\n    this.store.clear();\n  }\n}\n"]}

package/dist/service/permission.repo.d.ts

@@ -0,0 +1,16 @@
+import { Permission } from "../model/role.model";
+import { List } from "../model/base.model";
+/**
+ * Repository layer for Permission table.
+ * Pure DB operations — no caching, no business logic.
+ */
+export declare class PermissionRepo {
+    private readonly db;
+    constructor(tableName: string);
+    findById(id: string): Promise<Permission | null>;
+    findByPermissionKey(permissionKey: string): Promise<Permission | null>;
+    save(permission: Partial<Permission>): Promise<Permission>;
+    update(permission: Partial<Permission>): Promise<Permission>;
+    delete(id: string): Promise<boolean>;
+    scan(): Promise<List<Partial<Permission>>>;
+}

package/dist/service/permission.repo.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionRepo = void 0;
+const base_db_repo_1 = require("../repositories/base-db.repo");
+const dynamodb_model_1 = require("../model/dynamodb.model");
+const dynamodb_utils_1 = require("../utils/dynamodb.utils");
+function createPermissionIndexMap() {
+    const map = new dynamodb_model_1.DynamoIndexMap();
+    map.partitionKey = "id";
+    map.set("byPermissionKey", { field: "permissionKey", rFields: ["role", "resource", "scope"], fieldSeparator: "#" });
+    map.mapFields = ["method"];
+    return map;
+}
+/**
+ * Repository layer for Permission table.
+ * Pure DB operations — no caching, no business logic.
+ */
+class PermissionRepo {
+    db;
+    constructor(tableName) {
+        this.db = new base_db_repo_1.BaseRepoDBImpl();
+        this.db.setTable(tableName);
+        this.db.setIndexMap(createPermissionIndexMap());
+    }
+    async findById(id) {
+        return this.db.findById(id);
+    }
+    async findByPermissionKey(permissionKey) {
+        return this.db.findOne({
+            indexName: "byPermissionKey",
+            indexValue: permissionKey,
+        });
+    }
+    async save(permission) {
+        if (!permission.id)
+            permission.id = (0, dynamodb_utils_1.generateUUID)();
+        const now = new Date().toISOString();
+        if (!permission.createdAt)
+            permission.createdAt = now;
+        permission.updatedAt = now;
+        // Build composite key: role#resource#scope
+        if (permission.role && permission.resource && permission.scope) {
+            permission.permissionKey = `${permission.role}#${permission.resource}#${permission.scope}`;
+        }
+        return this.db.save(permission);
+    }
+    async update(permission) {
+        permission.updatedAt = new Date().toISOString();
+        // Rebuild composite key if components changed
+        if (permission.role && permission.resource && permission.scope) {
+            permission.permissionKey = `${permission.role}#${permission.resource}#${permission.scope}`;
+        }
+        return this.db.update(permission);
+    }
+    async delete(id) {
+        return this.db.delete(id);
+    }
+    async scan() {
+        return this.db.scan({});
+    }
+}
+exports.PermissionRepo = PermissionRepo;
+//# sourceMappingURL=permission.repo.js.map

package/dist/service/permission.repo.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission.repo.js","sourceRoot":"","sources":["../../src/service/permission.repo.ts"],"names":[],"mappings":";;;AAAA,+DAA8D;AAC9D,4DAAyD;AAEzD,4DAAuD;AAGvD,SAAS,wBAAwB;IAC/B,MAAM,GAAG,GAAG,IAAI,+BAAc,EAAE,CAAC;IACjC,GAAG,CAAC,YAAY,GAAG,IAAI,CAAC;IACxB,GAAG,CAAC,GAAG,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,cAAc,EAAE,GAAG,EAAE,CAAC,CAAC;IACpH,GAAG,CAAC,SAAS,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC3B,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAa,cAAc;IACR,EAAE,CAA6B;IAEhD,YAAY,SAAiB;QAC3B,IAAI,CAAC,EAAE,GAAG,IAAI,6BAAc,EAAc,CAAC;QAC3C,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC5B,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,wBAAwB,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,EAAU;QACvB,OAAO,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,aAAqB;QAC7C,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;YACrB,SAAS,EAAE,iBAAiB;YAC5B,UAAU,EAAE,aAAa;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,UAA+B;QACxC,IAAI,CAAC,UAAU,CAAC,EAAE;YAAE,UAAU,CAAC,EAAE,GAAG,IAAA,6BAAY,GAAE,CAAC;QAEnD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC,UAAU,CAAC,SAAS;YAAE,UAAU,CAAC,SAAS,GAAG,GAAG,CAAC;QACtD,UAAU,CAAC,SAAS,GAAG,GAAG,CAAC;QAE3B,2CAA2C;QAC3C,IAAI,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YAC/D,UAAU,CAAC,aAAa,GAAG,GAAG,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;QAC7F,CAAC;QAED,OAAO,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,UAA+B;QAC1C,UAAU,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAEhD,8CAA8C;QAC9C,IAAI,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;YAC/D,UAAU,CAAC,aAAa,GAAG,GAAG,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;QAC7F,CAAC;QAED,OAAO,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,OAAO,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,IAAI;QACR,OAAO,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;CACF;AArDD,wCAqDC","sourcesContent":["import { BaseRepoDBImpl } from \"../repositories/base-db.repo\";\nimport { DynamoIndexMap } from \"../model/dynamodb.model\";\nimport { Permission } from \"../model/role.model\";\nimport { generateUUID } from \"../utils/dynamodb.utils\";\nimport { List } from \"../model/base.model\";\n\nfunction createPermissionIndexMap(): DynamoIndexMap {\n  const map = new DynamoIndexMap();\n  map.partitionKey = \"id\";\n  map.set(\"byPermissionKey\", { field: \"permissionKey\", rFields: [\"role\", \"resource\", \"scope\"], fieldSeparator: \"#\" });\n  map.mapFields = [\"method\"];\n  return map;\n}\n\n/**\n * Repository layer for Permission table.\n * Pure DB operations — no caching, no business logic.\n */\nexport class PermissionRepo {\n  private readonly db: BaseRepoDBImpl<Permission>;\n\n  constructor(tableName: string) {\n    this.db = new BaseRepoDBImpl<Permission>();\n    this.db.setTable(tableName);\n    this.db.setIndexMap(createPermissionIndexMap());\n  }\n\n  async findById(id: string): Promise<Permission | null> {\n    return this.db.findById(id);\n  }\n\n  async findByPermissionKey(permissionKey: string): Promise<Permission | null> {\n    return this.db.findOne({\n      indexName: \"byPermissionKey\",\n      indexValue: permissionKey,\n    });\n  }\n\n  async save(permission: Partial<Permission>): Promise<Permission> {\n    if (!permission.id) permission.id = generateUUID();\n\n    const now = new Date().toISOString();\n    if (!permission.createdAt) permission.createdAt = now;\n    permission.updatedAt = now;\n\n    // Build composite key: role#resource#scope\n    if (permission.role && permission.resource && permission.scope) {\n      permission.permissionKey = `${permission.role}#${permission.resource}#${permission.scope}`;\n    }\n\n    return this.db.save(permission);\n  }\n\n  async update(permission: Partial<Permission>): Promise<Permission> {\n    permission.updatedAt = new Date().toISOString();\n\n    // Rebuild composite key if components changed\n    if (permission.role && permission.resource && permission.scope) {\n      permission.permissionKey = `${permission.role}#${permission.resource}#${permission.scope}`;\n    }\n\n    return this.db.update(permission);\n  }\n\n  async delete(id: string): Promise<boolean> {\n    return this.db.delete(id);\n  }\n\n  async scan(): Promise<List<Partial<Permission>>> {\n    return this.db.scan({});\n  }\n}\n"]}

package/dist/service/permission.service.d.ts

@@ -0,0 +1,39 @@
+import { Permission } from "../model/role.model";
+/**
+ * PermissionService — cache + orchestration layer for Permission entities.
+ *
+ * Design decisions:
+ * - Read-through cache via PermissionCache (in-flight dedup, TTL).
+ * - Repository handles only DB I/O.
+ * - Cache invalidation on every mutation.
+ * - ~100 roles total, read-heavy → caching makes sense.
+ * - Cache keyed by `perm:{permissionKey}` for deterministic, namespaced lookup.
+ */
+export declare class PermissionService {
+    private readonly repo;
+    private readonly cache;
+    constructor(tableName: string, cacheTtlMs?: number);
+    /** Fetch Permission by composite key (role#resource#scope). Read-through cached. */
+    getPermissionByKey(permissionKey: string): Promise<Permission | null>;
+    /** Fetch Permission by id. Read-through cached. */
+    getPermissionById(id: string): Promise<Permission | null>;
+    /**
+     * Check if the given role+resource+scope has a specific HTTP method allowed.
+     *
+     * Builds the permissionKey `role#resource#scope`, fetches the Permission,
+     * and checks the method map.
+     *
+     * @returns `true` if allowed, `false` otherwise.
+     */
+    hasPermission(role: string, resource: string, scope: string, method: string): Promise<boolean>;
+    createPermission(input: {
+        role: string;
+        resource: string;
+        scope: string;
+        method: Permission["method"];
+    }): Promise<Permission>;
+    updatePermission(id: string, updates: Partial<Pick<Permission, "role" | "resource" | "scope" | "method">>): Promise<Permission>;
+    deletePermission(id: string): Promise<boolean>;
+    listPermissions(): Promise<Permission[]>;
+    clearCache(): void;
+}

package/dist/service/permission.service.js

@@ -0,0 +1,151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionService = void 0;
+const exception_1 = require("../exception");
+const permission_cache_1 = require("./permission.cache");
+const permission_repo_1 = require("./permission.repo");
+/**
+ * PermissionService — cache + orchestration layer for Permission entities.
+ *
+ * Design decisions:
+ * - Read-through cache via PermissionCache (in-flight dedup, TTL).
+ * - Repository handles only DB I/O.
+ * - Cache invalidation on every mutation.
+ * - ~100 roles total, read-heavy → caching makes sense.
+ * - Cache keyed by `perm:{permissionKey}` for deterministic, namespaced lookup.
+ */
+class PermissionService {
+    repo;
+    cache;
+    constructor(tableName, cacheTtlMs) {
+        this.repo = new permission_repo_1.PermissionRepo(tableName);
+        this.cache = new permission_cache_1.PermissionCache(cacheTtlMs);
+    }
+    // ---------------------------------------------------------------------------
+    // Core lookup
+    // ---------------------------------------------------------------------------
+    /** Fetch Permission by composite key (role#resource#scope). Read-through cached. */
+    async getPermissionByKey(permissionKey) {
+        if (!permissionKey)
+            return null;
+        return this.cache.getOrFetch(`perm:${permissionKey}`, () => this.repo.findByPermissionKey(permissionKey));
+    }
+    /** Fetch Permission by id. Read-through cached. */
+    async getPermissionById(id) {
+        if (!id)
+            return null;
+        return this.cache.getOrFetch(`id:${id}`, () => this.repo.findById(id));
+    }
+    // ---------------------------------------------------------------------------
+    // Permission check
+    // ---------------------------------------------------------------------------
+    /**
+     * Check if the given role+resource+scope has a specific HTTP method allowed.
+     *
+     * Builds the permissionKey `role#resource#scope`, fetches the Permission,
+     * and checks the method map.
+     *
+     * @returns `true` if allowed, `false` otherwise.
+     */
+    async hasPermission(role, resource, scope, method) {
+        if (!role || !resource || !scope || !method)
+            return false;
+        const permissionKey = `${role}#${resource}#${scope}`;
+        const permission = await this.getPermissionByKey(permissionKey);
+        if (!permission?.method)
+            return false;
+        const methodLower = method.toUpperCase();
+        return permission.method[methodLower] === true;
+    }
+    // ---------------------------------------------------------------------------
+    // CRUD — create
+    // ---------------------------------------------------------------------------
+    async createPermission(input) {
+        if (!input.role?.trim()) {
+            throw new exception_1.ErrorHttp({ code: 400, error: "BadRequest" }, "Role is required");
+        }
+        if (!input.resource?.trim()) {
+            throw new exception_1.ErrorHttp({ code: 400, error: "BadRequest" }, "Resource is required");
+        }
+        if (!input.scope?.trim()) {
+            throw new exception_1.ErrorHttp({ code: 400, error: "BadRequest" }, "Scope is required");
+        }
+        // Duplicate check
+        const permissionKey = `${input.role}#${input.resource}#${input.scope}`;
+        const existing = await this.repo.findByPermissionKey(permissionKey);
+        if (existing) {
+            throw new exception_1.ErrorHttp({ code: 409, error: "Conflict" }, `Permission "${permissionKey}" already exists`);
+        }
+        const saved = await this.repo.save({
+            role: input.role.trim(),
+            resource: input.resource.trim(),
+            scope: input.scope.trim(),
+            method: input.method ?? {},
+            permissionKey,
+        });
+        this.cache.clear();
+        return saved;
+    }
+    // ---------------------------------------------------------------------------
+    // CRUD — update
+    // ---------------------------------------------------------------------------
+    async updatePermission(id, updates) {
+        if (!id)
+            throw new exception_1.ErrorHttp({ code: 400, error: "BadRequest" }, "Permission id is required");
+        const existing = await this.repo.findById(id);
+        if (!existing)
+            throw new exception_1.ErrorHttp({ code: 404, error: "NotFound" }, `Permission "${id}" not found`);
+        const data = { id };
+        if (updates.role !== undefined)
+            data.role = updates.role.trim();
+        if (updates.resource !== undefined)
+            data.resource = updates.resource.trim();
+        if (updates.scope !== undefined)
+            data.scope = updates.scope.trim();
+        if (updates.method !== undefined)
+            data.method = updates.method;
+        // Rebuild key if any key component changed
+        const role = data.role ?? existing.role;
+        const resource = data.resource ?? existing.resource;
+        const scope = data.scope ?? existing.scope;
+        data.permissionKey = `${role}#${resource}#${scope}`;
+        // Check for duplicate key if components changed
+        if (data.permissionKey !== existing.permissionKey) {
+            const conflict = await this.repo.findByPermissionKey(data.permissionKey);
+            if (conflict) {
+                throw new exception_1.ErrorHttp({ code: 409, error: "Conflict" }, `Permission "${data.permissionKey}" already exists`);
+            }
+        }
+        const updated = await this.repo.update(data);
+        this.cache.clear();
+        return updated;
+    }
+    // ---------------------------------------------------------------------------
+    // CRUD — delete
+    // ---------------------------------------------------------------------------
+    async deletePermission(id) {
+        if (!id)
+            throw new exception_1.ErrorHttp({ code: 400, error: "BadRequest" }, "Permission id is required");
+        const existing = await this.repo.findById(id);
+        if (!existing)
+            throw new exception_1.ErrorHttp({ code: 404, error: "NotFound" }, `Permission "${id}" not found`);
+        const result = await this.repo.delete(id);
+        this.cache.clear();
+        return result;
+    }
+    // ---------------------------------------------------------------------------
+    // CRUD — list
+    // ---------------------------------------------------------------------------
+    async listPermissions() {
+        const result = await this.repo.scan();
+        return (result.items ?? []);
+    }
+    // ---------------------------------------------------------------------------
+    // Cache control (for testing)
+    // ---------------------------------------------------------------------------
+    clearCache() {
+        this.cache.clear();
+    }
+}
+exports.PermissionService = PermissionService;
+//# sourceMappingURL=permission.service.js.map

package/dist/service/permission.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission.service.js","sourceRoot":"","sources":["../../src/service/permission.service.ts"],"names":[],"mappings":";;;AACA,4CAAyC;AACzC,yDAAqD;AACrD,uDAAmD;AAEnD;;;;;;;;;GASG;AACH,MAAa,iBAAiB;IACX,IAAI,CAAiB;IACrB,KAAK,CAAkB;IAExC,YAAY,SAAiB,EAAE,UAAmB;QAChD,IAAI,CAAC,IAAI,GAAG,IAAI,gCAAc,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,CAAC,KAAK,GAAG,IAAI,kCAAe,CAAC,UAAU,CAAC,CAAC;IAC/C,CAAC;IAED,8EAA8E;IAC9E,cAAc;IACd,8EAA8E;IAE9E,oFAAoF;IACpF,KAAK,CAAC,kBAAkB,CAAC,aAAqB;QAC5C,IAAI,CAAC,aAAa;YAAE,OAAO,IAAI,CAAC;QAEhC,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,aAAa,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC,CAAC,CAAC;IAC5G,CAAC;IAED,mDAAmD;IACnD,KAAK,CAAC,iBAAiB,CAAC,EAAU;QAChC,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAErB,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;IACzE,CAAC;IAED,8EAA8E;IAC9E,mBAAmB;IACnB,8EAA8E;IAE9E;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CAAC,IAAY,EAAE,QAAgB,EAAE,KAAa,EAAE,MAAc;QAC/E,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAE1D,MAAM,aAAa,GAAG,GAAG,IAAI,IAAI,QAAQ,IAAI,KAAK,EAAE,CAAC;QACrD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;QAChE,IAAI,CAAC,UAAU,EAAE,MAAM;YAAE,OAAO,KAAK,CAAC;QAEtC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAgC,CAAC;QAEvE,OAAO,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,KAAK,IAAI,CAAC;IACjD,CAAC;IAED,8EAA8E;IAC9E,gBAAgB;IAChB,8EAA8E;IAE9E,KAAK,CAAC,gBAAgB,CAAC,KAKtB;QACC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;YACxB,MAAM,IAAI,qBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,kBAAkB,CAAC,CAAC;QAC9E,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,qBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,sBAAsB,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC;YACzB,MAAM,IAAI,qBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,mBAAmB,CAAC,CAAC;QAC/E,CAAC;QAED,kBAAkB;QAClB,MAAM,aAAa,GAAG,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QACvE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC,CAAC;QACpE,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,IAAI,qBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,eAAe,aAAa,kBAAkB,CAAC,CAAC;QACxG,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;YACjC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE;YACvB,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE;YAC/B,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE;YACzB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE;YAC1B,aAAa;SACd,CAAC,CAAC;QAEH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,8EAA8E;IAC9E,gBAAgB;IAChB,8EAA8E;IAE9E,KAAK,CAAC,gBAAgB,CACpB,EAAU,EACV,OAA4E;QAE5E,IAAI,CAAC,EAAE;YAAE,MAAM,IAAI,qBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,2BAA2B,CAAC,CAAC;QAE9F,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,qBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,eAAe,EAAE,aAAa,CAAC,CAAC;QAErG,MAAM,IAAI,GAAwB,EAAE,EAAE,EAAE,CAAC;QACzC,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS;YAAE,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAChE,IAAI,OAAO,CAAC,QAAQ,KAAK,SAAS;YAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC5E,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;YAAE,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACnE,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE/D,2CAA2C;QAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC;QACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC;QAC3C,IAAI,CAAC,aAAa,GAAG,GAAG,IAAI,IAAI,QAAQ,IAAI,KAAK,EAAE,CAAC;QAEpD,gDAAgD;QAChD,IAAI,IAAI,CAAC,aAAa,KAAK,QAAQ,CAAC,aAAa,EAAE,CAAC;YAClD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YACzE,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,qBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,eAAe,IAAI,CAAC,aAAa,kBAAkB,CAAC,CAAC;YAC7G,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAE7C,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,8EAA8E;IAC9E,gBAAgB;IAChB,8EAA8E;IAE9E,KAAK,CAAC,gBAAgB,CAAC,EAAU;QAC/B,IAAI,CAAC,EAAE;YAAE,MAAM,IAAI,qBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,2BAA2B,CAAC,CAAC;QAE9F,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,qBAAS,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,eAAe,EAAE,aAAa,CAAC,CAAC;QAErG,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAE1C,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,8EAA8E;IAC9E,cAAc;IACd,8EAA8E;IAE9E,KAAK,CAAC,eAAe;QACnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QACtC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAiB,CAAC;IAC9C,CAAC;IAED,8EAA8E;IAC9E,8BAA8B;IAC9B,8EAA8E;IAE9E,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAjKD,8CAiKC","sourcesContent":["import { Permission } from \"../model/role.model\";\nimport { ErrorHttp } from \"../exception\";\nimport { PermissionCache } from \"./permission.cache\";\nimport { PermissionRepo } from \"./permission.repo\";\n\n/**\n * PermissionService — cache + orchestration layer for Permission entities.\n *\n * Design decisions:\n * - Read-through cache via PermissionCache (in-flight dedup, TTL).\n * - Repository handles only DB I/O.\n * - Cache invalidation on every mutation.\n * - ~100 roles total, read-heavy → caching makes sense.\n * - Cache keyed by `perm:{permissionKey}` for deterministic, namespaced lookup.\n */\nexport class PermissionService {\n  private readonly repo: PermissionRepo;\n  private readonly cache: PermissionCache;\n\n  constructor(tableName: string, cacheTtlMs?: number) {\n    this.repo = new PermissionRepo(tableName);\n    this.cache = new PermissionCache(cacheTtlMs);\n  }\n\n  // ---------------------------------------------------------------------------\n  // Core lookup\n  // ---------------------------------------------------------------------------\n\n  /** Fetch Permission by composite key (role#resource#scope). Read-through cached. */\n  async getPermissionByKey(permissionKey: string): Promise<Permission | null> {\n    if (!permissionKey) return null;\n\n    return this.cache.getOrFetch(`perm:${permissionKey}`, () => this.repo.findByPermissionKey(permissionKey));\n  }\n\n  /** Fetch Permission by id. Read-through cached. */\n  async getPermissionById(id: string): Promise<Permission | null> {\n    if (!id) return null;\n\n    return this.cache.getOrFetch(`id:${id}`, () => this.repo.findById(id));\n  }\n\n  // ---------------------------------------------------------------------------\n  // Permission check\n  // ---------------------------------------------------------------------------\n\n  /**\n   * Check if the given role+resource+scope has a specific HTTP method allowed.\n   *\n   * Builds the permissionKey `role#resource#scope`, fetches the Permission,\n   * and checks the method map.\n   *\n   * @returns `true` if allowed, `false` otherwise.\n   */\n  async hasPermission(role: string, resource: string, scope: string, method: string): Promise<boolean> {\n    if (!role || !resource || !scope || !method) return false;\n\n    const permissionKey = `${role}#${resource}#${scope}`;\n    const permission = await this.getPermissionByKey(permissionKey);\n    if (!permission?.method) return false;\n\n    const methodLower = method.toUpperCase() as keyof Permission[\"method\"];\n\n    return permission.method[methodLower] === true;\n  }\n\n  // ---------------------------------------------------------------------------\n  // CRUD — create\n  // ---------------------------------------------------------------------------\n\n  async createPermission(input: {\n    role: string;\n    resource: string;\n    scope: string;\n    method: Permission[\"method\"];\n  }): Promise<Permission> {\n    if (!input.role?.trim()) {\n      throw new ErrorHttp({ code: 400, error: \"BadRequest\" }, \"Role is required\");\n    }\n    if (!input.resource?.trim()) {\n      throw new ErrorHttp({ code: 400, error: \"BadRequest\" }, \"Resource is required\");\n    }\n    if (!input.scope?.trim()) {\n      throw new ErrorHttp({ code: 400, error: \"BadRequest\" }, \"Scope is required\");\n    }\n\n    // Duplicate check\n    const permissionKey = `${input.role}#${input.resource}#${input.scope}`;\n    const existing = await this.repo.findByPermissionKey(permissionKey);\n    if (existing) {\n      throw new ErrorHttp({ code: 409, error: \"Conflict\" }, `Permission \"${permissionKey}\" already exists`);\n    }\n\n    const saved = await this.repo.save({\n      role: input.role.trim(),\n      resource: input.resource.trim(),\n      scope: input.scope.trim(),\n      method: input.method ?? {},\n      permissionKey,\n    });\n\n    this.cache.clear();\n    return saved;\n  }\n\n  // ---------------------------------------------------------------------------\n  // CRUD — update\n  // ---------------------------------------------------------------------------\n\n  async updatePermission(\n    id: string,\n    updates: Partial<Pick<Permission, \"role\" | \"resource\" | \"scope\" | \"method\">>,\n  ): Promise<Permission> {\n    if (!id) throw new ErrorHttp({ code: 400, error: \"BadRequest\" }, \"Permission id is required\");\n\n    const existing = await this.repo.findById(id);\n    if (!existing) throw new ErrorHttp({ code: 404, error: \"NotFound\" }, `Permission \"${id}\" not found`);\n\n    const data: Partial<Permission> = { id };\n    if (updates.role !== undefined) data.role = updates.role.trim();\n    if (updates.resource !== undefined) data.resource = updates.resource.trim();\n    if (updates.scope !== undefined) data.scope = updates.scope.trim();\n    if (updates.method !== undefined) data.method = updates.method;\n\n    // Rebuild key if any key component changed\n    const role = data.role ?? existing.role;\n    const resource = data.resource ?? existing.resource;\n    const scope = data.scope ?? existing.scope;\n    data.permissionKey = `${role}#${resource}#${scope}`;\n\n    // Check for duplicate key if components changed\n    if (data.permissionKey !== existing.permissionKey) {\n      const conflict = await this.repo.findByPermissionKey(data.permissionKey);\n      if (conflict) {\n        throw new ErrorHttp({ code: 409, error: \"Conflict\" }, `Permission \"${data.permissionKey}\" already exists`);\n      }\n    }\n\n    const updated = await this.repo.update(data);\n\n    this.cache.clear();\n    return updated;\n  }\n\n  // ---------------------------------------------------------------------------\n  // CRUD — delete\n  // ---------------------------------------------------------------------------\n\n  async deletePermission(id: string): Promise<boolean> {\n    if (!id) throw new ErrorHttp({ code: 400, error: \"BadRequest\" }, \"Permission id is required\");\n\n    const existing = await this.repo.findById(id);\n    if (!existing) throw new ErrorHttp({ code: 404, error: \"NotFound\" }, `Permission \"${id}\" not found`);\n\n    const result = await this.repo.delete(id);\n\n    this.cache.clear();\n    return result;\n  }\n\n  // ---------------------------------------------------------------------------\n  // CRUD — list\n  // ---------------------------------------------------------------------------\n\n  async listPermissions(): Promise<Permission[]> {\n    const result = await this.repo.scan();\n    return (result.items ?? []) as Permission[];\n  }\n\n  // ---------------------------------------------------------------------------\n  // Cache control (for testing)\n  // ---------------------------------------------------------------------------\n\n  clearCache(): void {\n    this.cache.clear();\n  }\n}\n"]}