nextly 0.0.1 → 0.0.2-alpha.1

package/dist/chunk-W5KKPZT5.mjs

@@ -0,0 +1,1204 @@
+import {
+  BaseService
+} from "./chunk-2W3DVD7S.mjs";
+import {
+  getDialectTables
+} from "./chunk-TS7GHTG2.mjs";
+import {
+  getAuthLogger
+} from "./chunk-LAZXX4HR.mjs";
+import {
+  container
+} from "./chunk-D5HQBNUB.mjs";
+
+// src/schemas/validation.ts
+import { z } from "zod";
+var PaginationSchema = z.object({
+  page: z.number().int().min(1).default(1),
+  limit: z.number().int().min(1).max(100).default(10),
+  offset: z.number().int().min(0).optional()
+});
+var PaginatedResponseSchema = (dataSchema) => z.object({
+  data: z.array(dataSchema),
+  pagination: z.object({
+    page: z.number().int().min(1),
+    limit: z.number().int().min(1),
+    total: z.number().int().min(0),
+    totalPages: z.number().int().min(0),
+    hasNext: z.boolean(),
+    hasPrev: z.boolean()
+  })
+});
+var SortOrderSchema = z.enum(["asc", "desc"]).default("asc");
+var SortSchema = z.object({
+  field: z.string().min(1, "Sort field is required"),
+  order: SortOrderSchema
+});
+var DateRangeSchema = z.object({
+  from: z.date().optional(),
+  to: z.date().optional()
+}).refine((data) => !data.from || !data.to || data.from <= data.to, {
+  message: "From date must be before or equal to to date",
+  path: ["from"]
+});
+var SearchSchema = z.object({
+  query: z.string().min(1, "Search query is required").max(255, "Search query too long"),
+  fields: z.array(z.string()).optional()
+});
+var SuccessResponseSchema = z.object({
+  success: z.literal(true),
+  message: z.string().optional(),
+  data: z.any().optional()
+});
+var ErrorResponseSchema = z.object({
+  success: z.literal(false),
+  error: z.string(),
+  code: z.string().optional(),
+  details: z.any().optional()
+});
+var ValidationErrorSchema = z.object({
+  success: z.literal(false),
+  error: z.literal("Validation failed"),
+  details: z.array(
+    z.object({
+      field: z.string(),
+      message: z.string(),
+      code: z.string().optional()
+    })
+  )
+});
+var BulkOperationSchema = z.object({
+  ids: z.array(z.string()).min(1, "At least one ID is required"),
+  operation: z.enum(["delete", "update", "activate", "deactivate"])
+});
+var BulkOperationResponseSchema = z.object({
+  success: z.boolean(),
+  processed: z.number().int().min(0),
+  failed: z.number().int().min(0),
+  errors: z.array(
+    z.object({
+      id: z.string(),
+      error: z.string()
+    })
+  ).optional()
+});
+var FileUploadSchema = z.object({
+  filename: z.string().min(1, "Filename is required"),
+  mimetype: z.string().min(1, "MIME type is required"),
+  size: z.number().int().min(1, "File size must be positive"),
+  buffer: z.instanceof(Buffer).optional()
+});
+var ImageUploadSchema = FileUploadSchema.extend({
+  mimetype: z.string().regex(/^image\//, "File must be an image"),
+  size: z.number().int().max(5 * 1024 * 1024, "Image size must be less than 5MB")
+  // 5MB limit
+});
+var EmailSchema = z.string().email("Invalid email format").transform((v) => v.trim().toLowerCase());
+var PasswordSchema = z.string().min(8, "Password must be at least 8 characters").max(128, "Password must be less than 128 characters").regex(/[a-z]/, "Password must contain at least one lowercase letter").regex(/[A-Z]/, "Password must contain at least one uppercase letter").regex(/\d/, "Password must contain at least one number").regex(
+  /[^A-Za-z0-9]/,
+  "Password must contain at least one special character"
+);
+var UrlSchema = z.string().url("Invalid URL format");
+var PhoneSchema = z.string().regex(/^\+?[\d\s\-\\(\\)]+$/, "Invalid phone number format").min(10, "Phone number too short").max(20, "Phone number too long");
+
+// src/auth/password/index.ts
+import bcrypt from "bcryptjs";
+var defaultSaltRounds = 12;
+async function hashPassword(plain, saltRounds = defaultSaltRounds) {
+  if (!plain) {
+    throw new Error("hashPassword: plain must be non-empty");
+  }
+  const salt = await bcrypt.genSalt(saltRounds);
+  return bcrypt.hash(plain, salt);
+}
+async function verifyPassword(plain, hash) {
+  if (!plain || !hash) return false;
+  try {
+    return await bcrypt.compare(plain, hash);
+  } catch {
+    return false;
+  }
+}
+function validatePasswordStrength(password) {
+  const result = PasswordSchema.safeParse(password);
+  if (result.success) {
+    return { ok: true };
+  } else {
+    return {
+      ok: false,
+      errors: result.error.issues.map(
+        (issue) => issue.message
+      )
+    };
+  }
+}
+
+// src/services/lib/permissions.ts
+import { and as and3, eq as eq3, inArray as inArray3, ne } from "drizzle-orm";
+
+// src/domains/auth/services/permission-cache-service.ts
+import { and as and2, eq as eq2, gt, lt, sql } from "drizzle-orm";
+
+// src/domains/auth/services/permission-checker-service.ts
+import { inArray as inArray2 } from "drizzle-orm";
+
+// src/domains/auth/services/role-inheritance-service.ts
+import { and, eq, inArray } from "drizzle-orm";
+var MAX_ROLE_HIERARCHY_DEPTH = 2e3;
+var RoleInheritanceService = class extends BaseService {
+  constructor(adapter, logger) {
+    super(adapter, logger);
+  }
+  /**
+   * Add a parent-child role inheritance relationship.
+   *
+   * The child role will inherit all permissions from the parent role.
+   * Multi-level inheritance is supported.
+   *
+   * @param childRoleId - Child role ID (inherits from parent)
+   * @param parentRoleId - Parent role ID (provides permissions)
+   * @throws Error if self-inheritance or cycle would be created
+   */
+  async addRoleInheritance(childRoleId, parentRoleId) {
+    if (childRoleId === parentRoleId) throw new Error("INHERIT_SELF_FORBIDDEN");
+    if (await this.willCreateCycle(childRoleId, parentRoleId))
+      throw new Error("INHERIT_CYCLE_FORBIDDEN");
+    const duplicate = await this.db.query.roleInherits.findFirst({
+      where: and(
+        eq(this.tables.roleInherits.parentRoleId, parentRoleId),
+        eq(this.tables.roleInherits.childRoleId, childRoleId)
+      ),
+      columns: {
+        id: true
+      }
+    });
+    if (!duplicate) {
+      const id = `${parentRoleId}::${childRoleId}`;
+      try {
+        const inheritanceData = {
+          id,
+          childRoleId,
+          parentRoleId
+        };
+        const insert = this.db.insert(this.tables.roleInherits).values(inheritanceData);
+        if (typeof insert.onConflictDoNothing === "function") {
+          await insert.onConflictDoNothing();
+        } else {
+          await insert;
+        }
+      } catch (e) {
+        const error = e;
+        const code = String(error?.code || "");
+        const msg = String(error?.message || "").toLowerCase();
+        if (!(code === "ER_DUP_ENTRY" || msg.includes("duplicate"))) throw e;
+      }
+    }
+    void invalidatePermissionCache({ roleId: childRoleId });
+  }
+  /**
+   * Remove a parent-child role inheritance relationship.
+   *
+   * @param childRoleId - Child role ID
+   * @param parentRoleId - Parent role ID
+   */
+  async removeRoleInheritance(childRoleId, parentRoleId) {
+    await this.db.delete(this.tables.roleInherits).where(
+      and(
+        eq(this.tables.roleInherits.childRoleId, childRoleId),
+        eq(this.tables.roleInherits.parentRoleId, parentRoleId)
+      )
+    );
+    void invalidatePermissionCache({ roleId: childRoleId });
+  }
+  /**
+   * List all ancestor roles (parents, grandparents, etc.) for a given role.
+   *
+   * Uses breadth-first traversal to find all roles in the hierarchy above this role.
+   * Note: The starting roleId is NOT included in the results - only its ancestors.
+   *
+   * Safety limit: Stops after visiting MAX_ROLE_HIERARCHY_DEPTH roles to prevent infinite loops.
+   *
+   * @param roleId - Role ID to find ancestors for
+   * @returns Array of ancestor role IDs (excluding the starting roleId)
+   */
+  async listAncestorRoles(roleId) {
+    const visited = /* @__PURE__ */ new Set();
+    const queue = [roleId];
+    while (queue.length) {
+      const batch = queue.splice(0, 50);
+      const inheritances = await this.db.query.roleInherits.findMany({
+        where: inArray(this.tables.roleInherits.childRoleId, batch),
+        columns: {
+          parentRoleId: true
+        }
+      });
+      for (const r of inheritances) {
+        const parent = String(r.parentRoleId);
+        if (!visited.has(parent)) {
+          visited.add(parent);
+          queue.push(parent);
+        }
+      }
+      if (visited.size > MAX_ROLE_HIERARCHY_DEPTH) break;
+    }
+    return Array.from(visited);
+  }
+  /**
+   * List all descendant roles (children, grandchildren, etc.) for a given role.
+   *
+   * Uses breadth-first traversal to find all roles in the hierarchy below this role.
+   * Note: The starting roleId is NOT included in the results - only its descendants.
+   *
+   * Safety limit: Stops after visiting MAX_ROLE_HIERARCHY_DEPTH roles to prevent infinite loops.
+   *
+   * @param roleId - Role ID to find descendants for
+   * @returns Array of descendant role IDs (excluding the starting roleId)
+   */
+  async listDescendantRoles(roleId) {
+    const visited = /* @__PURE__ */ new Set();
+    const queue = [roleId];
+    while (queue.length) {
+      const batch = queue.splice(0, 50);
+      const inheritances = await this.db.query.roleInherits.findMany({
+        where: inArray(this.tables.roleInherits.parentRoleId, batch),
+        columns: {
+          childRoleId: true
+        }
+      });
+      for (const r of inheritances) {
+        const child = String(r.childRoleId);
+        if (!visited.has(child)) {
+          visited.add(child);
+          queue.push(child);
+        }
+      }
+      if (visited.size > MAX_ROLE_HIERARCHY_DEPTH) break;
+    }
+    return Array.from(visited);
+  }
+  async willCreateCycle(childRoleId, parentRoleId) {
+    const ancestorsOfParent = await this.listAncestorRoles(parentRoleId);
+    return ancestorsOfParent.includes(childRoleId);
+  }
+};
+
+// src/domains/auth/services/permission-checker-service.ts
+var PermissionCheckerService = class extends BaseService {
+  roleInheritanceService;
+  constructor(adapter, logger) {
+    super(adapter, logger);
+    this.roleInheritanceService = new RoleInheritanceService(adapter, logger);
+  }
+  /**
+   * Get all permissions for a given role (direct + inherited).
+   *
+   * @param roleId - Role ID to get permissions for
+   * @returns Array of permission IDs (deduplicated)
+   */
+  async getAllPermissionsForRole(roleId) {
+    const childRoleIds = await this.roleInheritanceService.listDescendantRoles(roleId);
+    const allRoleIds = [roleId, ...childRoleIds];
+    const allPermissions = await this.db.select({
+      permissionId: this.tables.rolePermissions.permissionId
+    }).from(this.tables.rolePermissions).where(inArray2(this.tables.rolePermissions.roleId, allRoleIds));
+    const permissionSet = /* @__PURE__ */ new Set();
+    for (const perm of allPermissions) {
+      permissionSet.add(String(perm.permissionId));
+    }
+    return Array.from(permissionSet);
+  }
+};
+
+// src/domains/auth/services/permission-cache-service.ts
+var errorLogRateLimiter = /* @__PURE__ */ new Map();
+var ERROR_LOG_INTERVAL_MS = 6e4;
+function shouldLogError(errorKey) {
+  const now = Date.now();
+  const lastLogged = errorLogRateLimiter.get(errorKey);
+  if (!lastLogged || now - lastLogged > ERROR_LOG_INTERVAL_MS) {
+    errorLogRateLimiter.set(errorKey, now);
+    return true;
+  }
+  return false;
+}
+var PermissionCacheService = class extends BaseService {
+  permissionChecker;
+  cacheTtlMs;
+  constructor(adapter, logger, options) {
+    super(adapter, logger);
+    this.permissionChecker = new PermissionCheckerService(adapter, logger);
+    const ttlSeconds = options?.cacheTtlSeconds ?? 86400;
+    this.cacheTtlMs = ttlSeconds * 1e3;
+  }
+  /**
+   * Serialize a `roleIds` array for the user_permission_cache.role_ids
+   * column.
+   *
+   * The column type differs by dialect:
+   *   - PostgreSQL: jsonb (Drizzle stringifies the JS array)
+   *   - MySQL:      json  (Drizzle stringifies the JS array)
+   *   - SQLite:     text  (no automatic serialization; a raw array
+   *                        coerces via `String([a, b])` to "a,b" which
+   *                        is not valid JSON, breaking the
+   *                        `json_each(role_ids)` invalidation query)
+   *
+   * Match the column type per dialect so PG/MySQL keep the structured
+   * value and SQLite gets a JSON-parseable string.
+   */
+  serializeRoleIdsForDb(roleIds) {
+    return this.dialect === "sqlite" ? JSON.stringify(roleIds) : roleIds;
+  }
+  /**
+   * Pre-compute and store all permissions for a user (cache warming).
+   *
+   * This method is called on:
+   * - User login
+   * - Role assignment changes
+   * - Permission changes affecting user's roles
+   *
+   * Performance: O(n) where n = number of possible permission checks (~20-50 typically)
+   *
+   * @param userId - User ID to warm cache for
+   * @returns Promise that resolves when cache is warmed
+   */
+  async warmCacheForUser(userId) {
+    if (!userId) {
+      getAuthLogger()?.log?.("warn", {
+        category: "auth",
+        op: "cache",
+        message: "warmCacheForUser called with empty userId"
+      });
+      return;
+    }
+    try {
+      const { permissions, userPermissionCache } = this.tables;
+      const allPermissions = await this.db.select({
+        id: permissions.id,
+        action: permissions.action,
+        resource: permissions.resource
+      }).from(permissions);
+      if (allPermissions.length === 0) {
+        return;
+      }
+      const roleIds = await this.permissionChecker.getAllPermissionsForRole(userId);
+      const expiresAt = new Date(Date.now() + this.cacheTtlMs);
+      const entries = [];
+      const serializedRoleIds = this.serializeRoleIdsForDb(Array.from(roleIds));
+      for (const perm of allPermissions) {
+        const hasPermission2 = roleIds.includes(perm.id);
+        const cacheKey = `${userId}|${perm.action}|${perm.resource}`;
+        entries.push({
+          id: cacheKey,
+          userId,
+          action: perm.action,
+          resource: perm.resource,
+          hasPermission: hasPermission2,
+          roleIds: serializedRoleIds,
+          expiresAt,
+          createdAt: /* @__PURE__ */ new Date()
+        });
+      }
+      if (entries.length > 0) {
+        await this.db.insert(userPermissionCache).values(entries).onConflictDoUpdate({
+          target: userPermissionCache.id,
+          set: {
+            hasPermission: sql`EXCLUDED.has_permission`,
+            roleIds: sql`EXCLUDED.role_ids`,
+            expiresAt: sql`EXCLUDED.expires_at`,
+            createdAt: sql`EXCLUDED.created_at`
+          }
+        });
+      }
+      if (process.env.DEBUG_CACHE === "1") {
+        console.log("[cache][dbg] warmCacheForUser", {
+          userId,
+          entriesCount: entries.length,
+          ttlMs: this.cacheTtlMs
+        });
+      }
+    } catch (error) {
+      getAuthLogger()?.log?.("error", {
+        category: "auth",
+        op: "cache",
+        message: "warmCacheForUser failed",
+        userId,
+        error: String(error)
+      });
+      throw error;
+    }
+  }
+  /**
+   * Get cached permission result from database.
+   *
+   * Returns:
+   * - `true` if permission is cached and granted
+   * - `false` if permission is cached and denied
+   * - `null` if cache miss (not cached or expired)
+   *
+   * Performance: <5ms (indexed lookup on composite key)
+   *
+   * @param userId - User ID
+   * @param action - Permission action (create, read, update, delete)
+   * @param resource - Permission resource (users, roles, permissions, etc.)
+   * @returns Promise resolving to boolean if cached, null if miss
+   */
+  async getCachedPermission(userId, action, resource) {
+    if (!userId || !action || !resource) {
+      return null;
+    }
+    try {
+      const { userPermissionCache } = this.tables;
+      const cacheKey = `${userId}|${action}|${resource}`;
+      const now = /* @__PURE__ */ new Date();
+      const result = await this.db.select({
+        hasPermission: userPermissionCache.hasPermission,
+        expiresAt: userPermissionCache.expiresAt
+      }).from(userPermissionCache).where(
+        and2(
+          eq2(userPermissionCache.id, cacheKey),
+          // gt() lets Drizzle convert `now` (Date) to the column's typed
+          // representation (epoch seconds for SQLite mode:"timestamp",
+          // native timestamp for PG/MySQL). Raw `sql\`${col} > ${now}\``
+          // bypassed that conversion and SQLite drivers refused to bind
+          // a Date object — `TypeError: SQLite3 can only bind numbers,
+          // strings, bigints, buffers, and null` on every authed request.
+          // Mirrors the same-file `cleanupExpired` pattern at line 481.
+          gt(userPermissionCache.expiresAt, now)
+        )
+      ).limit(1);
+      if (result.length === 0) {
+        return null;
+      }
+      const cached = result[0];
+      if (process.env.DEBUG_CACHE === "1") {
+        console.log("[cache][dbg] getCachedPermission HIT", {
+          userId,
+          action,
+          resource,
+          hasPermission: cached.hasPermission,
+          expiresAt: cached.expiresAt
+        });
+      }
+      return cached.hasPermission;
+    } catch (error) {
+      getAuthLogger()?.log?.("error", {
+        category: "auth",
+        op: "cache",
+        message: "getCachedPermission failed",
+        userId,
+        action,
+        resource,
+        error: String(error)
+      });
+      return null;
+    }
+  }
+  /**
+   * Store permission result in database cache.
+   *
+   * Uses UPSERT (INSERT ON CONFLICT) to handle concurrent writes.
+   *
+   * Performance: <3ms (single indexed insert with ON CONFLICT)
+   *
+   * @param userId - User ID
+   * @param action - Permission action
+   * @param resource - Permission resource
+   * @param hasPermission - Whether user has the permission
+   * @param roleIds - Role IDs involved (for invalidation)
+   * @returns Promise that resolves when cache is updated
+   */
+  async setCachedPermission(userId, action, resource, hasPermission2, roleIds) {
+    if (!userId || !action || !resource) {
+      return;
+    }
+    try {
+      const { userPermissionCache } = this.tables;
+      const cacheKey = `${userId}|${action}|${resource}`;
+      const expiresAt = new Date(Date.now() + this.cacheTtlMs);
+      await this.db.insert(userPermissionCache).values({
+        id: cacheKey,
+        userId,
+        action,
+        resource,
+        hasPermission: hasPermission2,
+        roleIds: this.serializeRoleIdsForDb(roleIds),
+        expiresAt,
+        createdAt: /* @__PURE__ */ new Date()
+      }).onConflictDoUpdate({
+        target: userPermissionCache.id,
+        set: {
+          hasPermission: sql`EXCLUDED.has_permission`,
+          roleIds: sql`EXCLUDED.role_ids`,
+          expiresAt: sql`EXCLUDED.expires_at`,
+          createdAt: sql`EXCLUDED.created_at`
+        }
+      });
+      if (process.env.DEBUG_CACHE === "1") {
+        console.log("[cache][dbg] setCachedPermission", {
+          userId,
+          action,
+          resource,
+          hasPermission: hasPermission2,
+          roleIds,
+          expiresAt
+        });
+      }
+    } catch (error) {
+      const errorKey = `setCachedPermission:${userId}`;
+      if (shouldLogError(errorKey)) {
+        getAuthLogger()?.log?.("error", {
+          category: "auth",
+          op: "cache",
+          message: "setCachedPermission failed (rate-limited, showing 1/min max)",
+          userId,
+          action,
+          resource,
+          error: String(error)
+        });
+      }
+    }
+  }
+  /**
+   * Invalidate all cached permissions for a user.
+   *
+   * Called on:
+   * - Role assignment/removal
+   * - User deactivation
+   * - Manual cache clear
+   *
+   * Uses write-through invalidation (tombstone pattern) to prevent race conditions:
+   * 1. Mark entries as expired (expiresAt = now) - creates tombstone
+   * 2. Any concurrent reads will see expired entries and recompute
+   * 3. Concurrent writes will overwrite tombstones with fresh data
+   *
+   * Performance: <10ms (indexed update by userId)
+   *
+   * @param userId - User ID to invalidate
+   * @returns Promise resolving to number of entries invalidated
+   */
+  async invalidateByUser(userId) {
+    if (!userId) {
+      return 0;
+    }
+    try {
+      const { userPermissionCache } = this.tables;
+      const result = await this.db.update(userPermissionCache).set({ expiresAt: /* @__PURE__ */ new Date() }).where(eq2(userPermissionCache.userId, userId));
+      const invalidatedCount = result.rowCount ?? 0;
+      if (process.env.DEBUG_CACHE === "1") {
+        console.log("[cache][dbg] invalidateByUser", {
+          userId,
+          invalidatedCount,
+          method: "tombstone"
+        });
+      }
+      return invalidatedCount;
+    } catch (error) {
+      getAuthLogger()?.log?.("error", {
+        category: "auth",
+        op: "cache",
+        message: "invalidateByUser failed",
+        userId,
+        error: String(error)
+      });
+      return 0;
+    }
+  }
+  /**
+   * Invalidate cached permissions for all users with a specific role.
+   *
+   * Called on:
+   * - Role permission changes
+   * - Role deletion
+   * - Permission changes
+   *
+   * Uses write-through invalidation (tombstone pattern) to prevent race conditions:
+   * 1. Mark entries as expired (expiresAt = now) - creates tombstone
+   * 2. Any concurrent reads will see expired entries and recompute
+   * 3. Concurrent writes will overwrite tombstones with fresh data
+   *
+   * Uses JSONB contains operator to find affected users.
+   *
+   * Performance: O(n) where n = users with role (~10-500ms depending on data)
+   *
+   * @param roleId - Role ID to invalidate
+   * @returns Promise resolving to number of entries invalidated
+   */
+  async invalidateByRole(roleId) {
+    if (!roleId) {
+      return 0;
+    }
+    try {
+      const { userPermissionCache } = this.tables;
+      const containsRoleClause = this.dialect === "postgresql" ? sql`${userPermissionCache.roleIds} @> ${JSON.stringify([roleId])}` : this.dialect === "mysql" ? sql`JSON_CONTAINS(${userPermissionCache.roleIds}, ${JSON.stringify(roleId)})` : sql`EXISTS (SELECT 1 FROM json_each(${userPermissionCache.roleIds}) WHERE value = ${roleId})`;
+      const result = await this.db.update(userPermissionCache).set({ expiresAt: /* @__PURE__ */ new Date() }).where(containsRoleClause);
+      const invalidatedCount = result.rowCount ?? 0;
+      if (process.env.DEBUG_CACHE === "1") {
+        console.log("[cache][dbg] invalidateByRole", {
+          roleId,
+          invalidatedCount,
+          method: "tombstone"
+        });
+      }
+      return invalidatedCount;
+    } catch (error) {
+      getAuthLogger()?.log?.("error", {
+        category: "auth",
+        op: "cache",
+        message: "invalidateByRole failed",
+        roleId,
+        error: String(error)
+      });
+      return 0;
+    }
+  }
+  /**
+   * Remove expired cache entries (background maintenance).
+   *
+   * Should run periodically via cron job (recommended: daily).
+   *
+   * Performance: <100ms for 10k entries, uses indexed scan on expiresAt
+   *
+   * @returns Promise resolving to number of entries deleted
+   */
+  async cleanupExpired() {
+    try {
+      const { userPermissionCache } = this.tables;
+      const now = /* @__PURE__ */ new Date();
+      const result = await this.db.delete(userPermissionCache).where(lt(userPermissionCache.expiresAt, now));
+      const deletedCount = result.rowCount ?? 0;
+      if (process.env.DEBUG_CACHE === "1" || deletedCount > 0) {
+        console.log("[cache][info] cleanupExpired", {
+          deletedCount,
+          timestamp: now.toISOString()
+        });
+      }
+      return deletedCount;
+    } catch (error) {
+      getAuthLogger()?.log?.("error", {
+        category: "auth",
+        op: "cache",
+        message: "cleanupExpired failed",
+        error: String(error)
+      });
+      return 0;
+    }
+  }
+};
+
+// src/services/lib/permissions.ts
+if (typeof window !== "undefined") {
+  throw new Error(
+    "[nextly] Direct API permissions module loaded in a browser context. Direct API is server-only \u2014 import only from Server Components, Route Handlers, or Server Actions, never from client components."
+  );
+}
+function getDb() {
+  const adapter = container.get("adapter");
+  return adapter.getDrizzle();
+}
+function getAdapter() {
+  return container.get("adapter");
+}
+function getLogger() {
+  return container.has("logger") ? container.get("logger") : console;
+}
+var CACHE_ENABLED = process.env.PERMISSION_CACHE_ENABLED !== "false" && process.env.PERMISSION_CACHE_ENABLED !== "0";
+var CACHE_TTL_SECONDS = parseInt(
+  process.env.PERMISSION_CACHE_TTL_SECONDS || "86400",
+  10
+);
+var _dialectTables = null;
+function getTablesLazy() {
+  if (!_dialectTables) {
+    _dialectTables = getDialectTables();
+  }
+  return _dialectTables;
+}
+var PermissionChecker = class {
+  memo = /* @__PURE__ */ new Map();
+  t = getTablesLazy();
+  cacheService = null;
+  constructor() {
+    this.t = getTablesLazy();
+    if (CACHE_ENABLED) {
+      try {
+        this.cacheService = new PermissionCacheService(
+          getAdapter(),
+          getLogger(),
+          {
+            cacheTtlSeconds: CACHE_TTL_SECONDS
+          }
+        );
+      } catch (error) {
+        getAuthLogger()?.log?.("warn", {
+          category: "auth",
+          op: "cache",
+          message: "Failed to initialize PermissionCacheService",
+          error: String(error)
+        });
+      }
+    }
+  }
+  async hasPermission(userId, action, resource) {
+    if (!userId || !action || !resource) {
+      getAuthLogger()?.log?.("debug", {
+        category: "auth",
+        op: "error",
+        userId,
+        action,
+        resource
+      });
+      return false;
+    }
+    const key = `${userId}|${action}|${resource}`;
+    const cached = this.memo.get(key);
+    if (typeof cached === "boolean") return cached;
+    const hit = cache.get(key);
+    if (hit) {
+      if (hit.expiresAt > Date.now()) {
+        this.memo.set(key, hit.value);
+        cache.delete(key);
+        cache.set(key, hit);
+        return hit.value;
+      }
+      cache.delete(key);
+      const rids = keyToRoleIds.get(key);
+      keyToRoleIds.delete(key);
+      if (rids) for (const rid of rids) roleIdToKeys.get(rid)?.delete(key);
+      userIdToKeys.get(userId)?.delete(key);
+    }
+    if (this.cacheService) {
+      try {
+        const dbCached = await this.cacheService.getCachedPermission(
+          userId,
+          action,
+          resource
+        );
+        if (dbCached !== null) {
+          this.memo.set(key, dbCached);
+          setCacheEntry(key, dbCached, userId, []);
+          return dbCached;
+        }
+      } catch (error) {
+        getAuthLogger()?.log?.("warn", {
+          category: "auth",
+          op: "cache",
+          message: "DB cache lookup failed, falling back to fresh computation",
+          userId,
+          action,
+          resource,
+          error: String(error)
+        });
+      }
+    }
+    try {
+      const roleIds = await this.getAllRoleIdsForUser(userId);
+      if (roleIds.size === 0) {
+        this.memo.set(key, false);
+        if (this.cacheService) {
+          void this.cacheService.setCachedPermission(
+            userId,
+            action,
+            resource,
+            false,
+            []
+          );
+        }
+        return false;
+      }
+      const allowed = await this.roleSetHasPermission(
+        Array.from(roleIds),
+        action,
+        resource
+      );
+      this.memo.set(key, allowed);
+      setCacheEntry(key, allowed, userId, Array.from(roleIds));
+      if (this.cacheService) {
+        void this.cacheService.setCachedPermission(
+          userId,
+          action,
+          resource,
+          allowed,
+          Array.from(roleIds)
+        );
+      }
+      return allowed;
+    } catch {
+      getAuthLogger()?.log?.("error", {
+        category: "auth",
+        op: "error",
+        userId,
+        action,
+        resource
+      });
+      return false;
+    }
+  }
+  async hasAnyPermission(userId, checks) {
+    if (!userId || !Array.isArray(checks) || checks.length === 0) return false;
+    for (const c of checks) {
+      if (await this.hasPermission(userId, c.action, c.resource)) return true;
+    }
+    return false;
+  }
+  async hasAllPermissions(userId, checks) {
+    if (!userId || !Array.isArray(checks) || checks.length === 0) return false;
+    for (const c of checks) {
+      if (!await this.hasPermission(userId, c.action, c.resource))
+        return false;
+    }
+    return true;
+  }
+  async getAllRoleIdsForUser(userId) {
+    const direct = await this.getDirectRoleIds(userId);
+    if (direct.size === 0) return direct;
+    const all = new Set(direct);
+    const queue = Array.from(direct);
+    const visited = new Set(queue);
+    const { roleInherits } = this.t;
+    while (queue.length > 0) {
+      const batch = queue.splice(0, 50);
+      const parentRows = await getDb().select({ parentRoleId: roleInherits.parentRoleId }).from(roleInherits).where(inArray3(roleInherits.childRoleId, batch));
+      for (const r of parentRows) {
+        const parentRoleId = String(r.parentRoleId);
+        if (!visited.has(parentRoleId)) {
+          visited.add(parentRoleId);
+          all.add(parentRoleId);
+          queue.push(parentRoleId);
+        }
+      }
+      const childRows = await getDb().select({ childRoleId: roleInherits.childRoleId }).from(roleInherits).where(inArray3(roleInherits.parentRoleId, batch));
+      for (const r of childRows) {
+        const childRoleId = String(r.childRoleId);
+        if (!visited.has(childRoleId)) {
+          visited.add(childRoleId);
+          all.add(childRoleId);
+          queue.push(childRoleId);
+        }
+      }
+      if (visited.size > 2e3) {
+        getAuthLogger()?.log?.("warn", {
+          category: "auth",
+          op: "error",
+          userId
+        });
+        break;
+      }
+    }
+    return all;
+  }
+  async getDirectRoleIds(userId) {
+    const { userRoles } = this.t;
+    const rows = await getDb().select({ roleId: userRoles.roleId }).from(userRoles).where(eq3(userRoles.userId, userId));
+    return new Set(
+      rows.map((r) => String(r.roleId))
+    );
+  }
+  async roleSetHasPermission(roleIds, action, resource) {
+    if (roleIds.length === 0) return false;
+    const { roles, rolePermissions, permissions } = this.t;
+    try {
+      const superAdmin = await getDb().select({ id: roles.id }).from(roles).where(and3(inArray3(roles.id, roleIds), eq3(roles.slug, "super-admin"))).limit(1);
+      if (superAdmin.length > 0) return true;
+      const perm = await getDb().select({ id: permissions.id }).from(permissions).where(
+        and3(
+          eq3(permissions.action, action),
+          eq3(permissions.resource, resource)
+        )
+      ).limit(1);
+      const permId = perm?.[0]?.id ?? null;
+      if (!permId) return false;
+      const rows = await getDb().select({ id: rolePermissions.id }).from(rolePermissions).where(
+        and3(
+          inArray3(rolePermissions.roleId, roleIds),
+          eq3(rolePermissions.permissionId, permId)
+        )
+      ).limit(1);
+      return rows.length > 0;
+    } catch {
+      return false;
+    }
+  }
+};
+var cacheTtlMs = 6e4;
+var cacheMaxEntries = parseInt(process.env.PERMISSION_CACHE_MEMORY_SIZE ?? "10000", 10) || 1e4;
+var cache = /* @__PURE__ */ new Map();
+var keyToRoleIds = /* @__PURE__ */ new Map();
+var roleIdToKeys = /* @__PURE__ */ new Map();
+var userIdToKeys = /* @__PURE__ */ new Map();
+function setCacheEntry(key, value, userId, roleIds) {
+  if (cache.size >= cacheMaxEntries) {
+    const oldest = cache.keys().next().value;
+    if (oldest) {
+      cache.delete(oldest);
+      const rids = keyToRoleIds.get(oldest);
+      keyToRoleIds.delete(oldest);
+      if (rids) for (const rid of rids) roleIdToKeys.get(rid)?.delete(oldest);
+      const u = oldest.split("|", 1)[0];
+      userIdToKeys.get(u)?.delete(oldest);
+      if (userIdToKeys.get(u)?.size === 0) userIdToKeys.delete(u);
+    }
+  }
+  cache.set(key, { value, expiresAt: Date.now() + cacheTtlMs });
+  const roleSet = new Set(roleIds);
+  keyToRoleIds.set(key, roleSet);
+  for (const rid of roleSet) {
+    if (!roleIdToKeys.has(rid)) roleIdToKeys.set(rid, /* @__PURE__ */ new Set());
+    roleIdToKeys.get(rid).add(key);
+  }
+  if (!userIdToKeys.has(userId)) userIdToKeys.set(userId, /* @__PURE__ */ new Set());
+  userIdToKeys.get(userId).add(key);
+}
+async function hasPermission(userId, action, resource) {
+  try {
+    const checker = new PermissionChecker();
+    return await checker.hasPermission(userId, action, resource);
+  } catch {
+    getAuthLogger()?.log?.("error", {
+      category: "auth",
+      op: "error",
+      userId,
+      action,
+      resource
+    });
+    return false;
+  }
+}
+async function hasAnyPermission(userId, checks) {
+  try {
+    const checker = new PermissionChecker();
+    return await checker.hasAnyPermission(userId, checks);
+  } catch {
+    getAuthLogger()?.log?.("error", { category: "auth", op: "error", userId });
+    return false;
+  }
+}
+async function listEffectivePermissions(userId) {
+  if (!userId) {
+    getAuthLogger()?.log?.("debug", {
+      category: "auth",
+      op: "permissions",
+      error: "missing userId"
+    });
+    return [];
+  }
+  try {
+    const checker = new PermissionChecker();
+    const roleIds = await checker.getAllRoleIdsForUser(userId);
+    if (roleIds.size === 0) {
+      return [];
+    }
+    const t = getTablesLazy();
+    const { rolePermissions, permissions } = t;
+    const rows = await getDb().select({
+      action: permissions.action,
+      resource: permissions.resource
+    }).from(rolePermissions).innerJoin(permissions, eq3(rolePermissions.permissionId, permissions.id)).where(inArray3(rolePermissions.roleId, Array.from(roleIds)));
+    const permissionStrings = /* @__PURE__ */ new Set();
+    for (const row of rows) {
+      permissionStrings.add(`${row.resource}:${row.action}`);
+    }
+    const result = Array.from(permissionStrings).sort();
+    if (process.env.DEBUG_RBAC === "1") {
+      console.log("[permissions][dbg] listEffectivePermissions", {
+        userId,
+        roleCount: roleIds.size,
+        permissionCount: result.length,
+        permissions: result
+      });
+    }
+    return result;
+  } catch (error) {
+    getAuthLogger()?.log?.("error", {
+      category: "auth",
+      op: "permissions",
+      userId,
+      error: String(error)
+    });
+    return [];
+  }
+}
+async function invalidatePermissionCache(_hint = {}) {
+  const { userId, roleId } = _hint || {};
+  if (userId) {
+    const keys = userIdToKeys.get(userId);
+    if (keys) {
+      for (const k of keys) {
+        cache.delete(k);
+        const rids = keyToRoleIds.get(k);
+        keyToRoleIds.delete(k);
+        if (rids) for (const rid of rids) roleIdToKeys.get(rid)?.delete(k);
+      }
+      userIdToKeys.delete(userId);
+    }
+  }
+  if (roleId) {
+    const keys = roleIdToKeys.get(roleId);
+    if (keys) {
+      for (const k of keys) {
+        cache.delete(k);
+        const rids = keyToRoleIds.get(k);
+        keyToRoleIds.delete(k);
+        if (rids) for (const rid of rids) roleIdToKeys.get(rid)?.delete(k);
+        const uid = k.split("|", 1)[0];
+        userIdToKeys.get(uid)?.delete(k);
+        if (userIdToKeys.get(uid)?.size === 0) userIdToKeys.delete(uid);
+      }
+      roleIdToKeys.delete(roleId);
+    }
+  }
+  if (CACHE_ENABLED) {
+    try {
+      const cacheService = new PermissionCacheService(
+        getAdapter(),
+        getLogger(),
+        {
+          cacheTtlSeconds: CACHE_TTL_SECONDS
+        }
+      );
+      if (userId) {
+        await cacheService.invalidateByUser(userId);
+      }
+      if (roleId) {
+        await cacheService.invalidateByRole(roleId);
+      }
+    } catch (error) {
+      getAuthLogger()?.log?.("error", {
+        category: "auth",
+        op: "cache",
+        message: "DB cache invalidation failed",
+        userId,
+        roleId,
+        error: String(error)
+      });
+    }
+  }
+}
+var superAdminCache = /* @__PURE__ */ new Map();
+var SUPER_ADMIN_CACHE_TTL_MS = 6e4;
+async function isSuperAdmin(userId) {
+  if (!userId) return false;
+  const cached = superAdminCache.get(userId);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.value;
+  }
+  try {
+    const checker = new PermissionChecker();
+    const roleIds = await checker.getAllRoleIdsForUser(userId);
+    if (roleIds.size === 0) {
+      superAdminCache.set(userId, {
+        value: false,
+        expiresAt: Date.now() + SUPER_ADMIN_CACHE_TTL_MS
+      });
+      return false;
+    }
+    const t = getTablesLazy();
+    const { roles } = t;
+    const superAdmin = await getDb().select({ id: roles.id }).from(roles).where(
+      and3(
+        inArray3(roles.id, Array.from(roleIds)),
+        eq3(roles.slug, "super-admin")
+      )
+    ).limit(1);
+    const result = superAdmin.length > 0;
+    superAdminCache.set(userId, {
+      value: result,
+      expiresAt: Date.now() + SUPER_ADMIN_CACHE_TTL_MS
+    });
+    if (superAdminCache.size > 1e3) {
+      const oldest = superAdminCache.keys().next().value;
+      if (oldest) superAdminCache.delete(oldest);
+    }
+    return result;
+  } catch (error) {
+    getAuthLogger()?.log?.("error", {
+      category: "auth",
+      op: "permissions",
+      userId,
+      error: String(error)
+    });
+    return false;
+  }
+}
+async function hasSuperAdminExcluding(excludeUserId) {
+  if (!excludeUserId) return false;
+  try {
+    const t = getTablesLazy();
+    const { roles, userRoles } = t;
+    const superAdminRole = await getDb().select({ id: roles.id }).from(roles).where(eq3(roles.slug, "super-admin")).limit(1);
+    if (superAdminRole.length === 0) return false;
+    const superAdminRoleId = superAdminRole[0].id;
+    const otherSuperAdmins = await getDb().select({ userId: userRoles.userId }).from(userRoles).where(
+      and3(
+        eq3(userRoles.roleId, superAdminRoleId),
+        ne(userRoles.userId, excludeUserId)
+      )
+    ).limit(1);
+    return otherSuperAdmins.length > 0;
+  } catch {
+    return true;
+  }
+}
+async function containsSuperAdminRole(roleIds) {
+  if (!roleIds || roleIds.length === 0) return false;
+  try {
+    const t = getTablesLazy();
+    const { roles } = t;
+    const rows = await getDb().select({ id: roles.id }).from(roles).where(and3(inArray3(roles.id, roleIds), eq3(roles.slug, "super-admin"))).limit(1);
+    return rows.length > 0;
+  } catch {
+    return false;
+  }
+}
+async function listRoleSlugsForUser(userId) {
+  if (!userId) return [];
+  try {
+    const checker = new PermissionChecker();
+    const roleIds = await checker.getAllRoleIdsForUser(userId);
+    if (roleIds.size === 0) return [];
+    const t = getTablesLazy();
+    const { roles } = t;
+    const rows = await getDb().select({ slug: roles.slug }).from(roles).where(inArray3(roles.id, Array.from(roleIds)));
+    return rows.map((r) => r.slug);
+  } catch (error) {
+    getAuthLogger()?.log?.("error", {
+      category: "auth",
+      op: "permissions",
+      userId,
+      error: String(error)
+    });
+    return [];
+  }
+}
+
+export {
+  PaginationSchema,
+  PaginatedResponseSchema,
+  SortOrderSchema,
+  SortSchema,
+  DateRangeSchema,
+  SearchSchema,
+  SuccessResponseSchema,
+  ErrorResponseSchema,
+  ValidationErrorSchema,
+  BulkOperationSchema,
+  BulkOperationResponseSchema,
+  FileUploadSchema,
+  ImageUploadSchema,
+  EmailSchema,
+  PasswordSchema,
+  UrlSchema,
+  PhoneSchema,
+  hashPassword,
+  verifyPassword,
+  validatePasswordStrength,
+  hasPermission,
+  hasAnyPermission,
+  listEffectivePermissions,
+  invalidatePermissionCache,
+  isSuperAdmin,
+  hasSuperAdminExcluding,
+  containsSuperAdminRole,
+  listRoleSlugsForUser,
+  RoleInheritanceService,
+  PermissionCheckerService
+};