odgn-rights 0.1.0

package/README.md

@@ -0,0 +1,107 @@
+# ODGN Rights
+
+Tiny TypeScript library for expressing and evaluating hierarchical rights with simple glob patterns.
+
+## Install & Dev
+
+- Install: `bun install`
+- Test: `bun test` (watch: `bun test --watch`)
+
+Use in TS:
+
+```ts
+import { Flags, Right, Rights } from 'odgn-rights'; // when packaged
+
+// or locally: import { Rights, Right, Flags } from './src/index.ts';
+```
+
+## Quick Start
+
+```ts
+const rights = new Rights();
+rights.allow('/', Flags.READ);
+
+// Deny read, allow create anywhere matching /*/device/**
+rights.add(
+  new Right('/*/device/**', { allow: [Flags.CREATE], deny: [Flags.READ] })
+);
+
+// Grant everything under /system/user/*
+rights.add(new Right('/system/user/*', { allow: [Flags.ALL] }));
+
+rights.read('/system/user/1'); // true
+rights.write('/system/user/1'); // true
+rights.create('/system/device/a'); // true
+rights.read('/system/device/a'); // false (denied by more specific rule)
+```
+
+## API Overview
+
+- `Right(path, {allow?, deny?, description?})`
+  - Flags: `Flags.READ | WRITE | DELETE | CREATE | EXECUTE | ALL`
+  - Methods: `allow(flag)`, `deny(flag)`, `clear()`, `has(mask)`
+  - String form: `-denies+allows:/path` (e.g., `-d+rw:/system`)
+  - `Right.parse(str)` creates a Right from its string form
+- `Rights`
+  - `add(right)`, `allow(path, ...flags)`, `deny(path, flag)`
+  - Checks: `read|write|delete|create|execute|all(path)`
+  - Serialization: `format(separator?)`, `toJSON()`, `Rights.parse(str)`, `Rights.fromJSON(json)`
+- `Role(name, rights?)`
+  - `inheritsFrom(role)`: Inherit rights from another role.
+- `Subject`
+  - `memberOf(role)`: Assign a role to the subject.
+  - `rights`: Direct `Rights` assigned to the subject.
+  - `has(path, flag)`: Evaluates permissions across all roles and direct rights.
+- `RoleRegistry`
+  - `define(name, rights?)`: Define or update a role.
+  - `toJSON() / RoleRegistry.fromJSON(json)`: Serialization with inheritance.
+
+Matching precedence: the most specific matching rule wins; within a rule, a denied flag blocks that flag even if allowed by a less specific rule.
+
+## RBAC Example
+
+```ts
+const registry = new RoleRegistry();
+const viewer = registry.define('viewer', new Rights().allow('/', Flags.READ));
+const editor = registry.define(
+  'editor',
+  new Rights().allow('/posts', Flags.WRITE)
+);
+editor.inheritsFrom(viewer);
+
+const user = new Subject().memberOf(editor);
+user.read('/posts/1'); // true (inherited from viewer)
+user.write('/posts/1'); // true (from editor)
+user.write('/config'); // false
+```
+
+## Contextual Rights (ABAC)
+
+Rights can include a condition predicate that is evaluated at runtime with a provided context.
+
+```ts
+rights.add(
+  new Right('/posts/*', {
+    allow: [Flags.WRITE],
+    condition: ctx => ctx.userId === ctx.ownerId
+  })
+);
+
+// Provide context to the check
+rights.write('/posts/1', { userId: 'abc', ownerId: 'abc' }); // true
+rights.write('/posts/1', { userId: 'abc', ownerId: 'xyz' }); // false
+```
+
+## Glob Patterns
+
+- `*` matches within a single path segment (`/system/*/id`)
+- `**` matches across segments (`/*/device/**`)
+- `?` matches a single character (no slash)
+
+## JSON Round‑Trip
+
+```ts
+const json = rights.toJSON();
+// [ { path: '/', allow: 'r' }, { path: '/*/device/**', allow: 'c' }, ... ]
+const loaded = Rights.fromJSON(json);
+```

package/dist/constants.d.ts

@@ -0,0 +1,11 @@
+export declare const Flags: {
+    readonly EXECUTE: 16;
+    readonly READ: 1;
+    readonly DELETE: 4;
+    readonly CREATE: 8;
+    readonly WRITE: 2;
+    readonly ALL: 31;
+};
+export type Flags = (typeof Flags)[keyof typeof Flags];
+export declare const ALL_BITS: Flags[];
+export declare const hasBit: (mask: number, bit: number) => boolean;

package/dist/constants.js

@@ -0,0 +1,17 @@
+/* eslint-disable perfectionist/sort-objects */
+export const Flags = {
+    EXECUTE: 16,
+    READ: 1,
+    DELETE: 4,
+    CREATE: 8,
+    WRITE: 2,
+    ALL: 31
+};
+export const ALL_BITS = [
+    Flags.READ,
+    Flags.WRITE,
+    Flags.DELETE,
+    Flags.CREATE,
+    Flags.EXECUTE
+];
+export const hasBit = (mask, bit) => (mask & bit) === bit;

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export * from './constants';
+export * from './right';
+export * from './rights';
+export * from './role';
+export * from './role-registry';
+export * from './subject';
+export * from './utils';

package/dist/index.js

@@ -0,0 +1,7 @@
+export * from './constants';
+export * from './right';
+export * from './rights';
+export * from './role';
+export * from './role-registry';
+export * from './subject';
+export * from './utils';

package/dist/right.d.ts

@@ -0,0 +1,36 @@
+import { Flags } from './constants';
+export type ConditionContext = unknown;
+export type Condition = (context?: ConditionContext) => boolean;
+export type RightInit = {
+    allow?: Flags[];
+    condition?: Condition;
+    deny?: Flags[];
+    description?: string;
+};
+export declare class Right {
+    readonly path: string;
+    private allowMask;
+    private denyMask;
+    readonly description?: string;
+    readonly condition?: Condition;
+    private readonly _specificity;
+    private readonly _re?;
+    constructor(path: string, init?: RightInit);
+    allow(flag: Flags): this;
+    deny(flag: Flags): this;
+    clear(): this;
+    has(flag: Flags): boolean;
+    get allowMaskValue(): number;
+    get denyMaskValue(): number;
+    toString(): string;
+    toJSON(): {
+        allow: string;
+        description?: string;
+        path: string;
+    };
+    matches(targetPath: string): boolean;
+    specificity(): number;
+    private calculateSpecificity;
+    private static globToRegExp;
+    static parse(input: string): Right;
+}

package/dist/right.js

@@ -0,0 +1,191 @@
+import { ALL_BITS, Flags, hasBit } from './constants';
+import { lettersFromMask, normalizePath } from './utils';
+export class Right {
+    constructor(path, init) {
+        this.allowMask = 0;
+        this.denyMask = 0;
+        this.path = normalizePath(path);
+        this.description = init?.description;
+        this.condition = init?.condition;
+        this._specificity = this.calculateSpecificity();
+        if (this.path.includes('*') || this.path.includes('?')) {
+            this._re = Right.globToRegExp(this.path);
+        }
+        if (init?.allow) {
+            init.allow.forEach(f => this.allow(f));
+        }
+        if (init?.deny) {
+            init.deny.forEach(f => this.deny(f));
+        }
+    }
+    allow(flag) {
+        this.allowMask |= flag;
+        // allowing a flag clears it from deny
+        this.denyMask &= ~flag;
+        return this;
+    }
+    deny(flag) {
+        this.denyMask |= flag;
+        // denying a flag clears it from allow
+        this.allowMask &= ~flag;
+        return this;
+    }
+    clear() {
+        this.allowMask = 0;
+        this.denyMask = 0;
+        return this;
+    }
+    has(flag) {
+        // For composite masks, require all bits
+        let remaining = flag;
+        for (const bit of ALL_BITS) {
+            if (!hasBit(remaining, bit)) {
+                continue;
+            }
+            if (hasBit(this.denyMask, bit)) {
+                return false;
+            }
+            if (!hasBit(this.allowMask, bit)) {
+                return false;
+            }
+            remaining &= ~bit;
+        }
+        return true;
+    }
+    get allowMaskValue() {
+        return this.allowMask;
+    }
+    get denyMaskValue() {
+        return this.denyMask;
+    }
+    toString() {
+        const denyLetters = lettersFromMask(this.denyMask);
+        const allowLetters = lettersFromMask(this.allowMask);
+        const parts = [];
+        if (denyLetters) {
+            parts.push(`-${denyLetters}`);
+        }
+        if (allowLetters) {
+            parts.push(`+${allowLetters}`);
+        }
+        const left = parts.join('');
+        return `${left}:${this.path}`;
+    }
+    toJSON() {
+        const allow = lettersFromMask(this.allowMask);
+        const out = {
+            allow,
+            path: this.path
+        };
+        if (this.description) {
+            out.description = this.description;
+        }
+        return out;
+    }
+    // Pattern match helper
+    matches(targetPath) {
+        const t = normalizePath(targetPath);
+        if (this._re) {
+            return this._re.test(t);
+        }
+        // No wildcard: segment-aware prefix match
+        if (this.path === '/') {
+            return true;
+        }
+        return t === this.path || t.startsWith(this.path + '/');
+    }
+    // Specificity score: more non-wildcard chars => more specific
+    specificity() {
+        return this._specificity;
+    }
+    calculateSpecificity() {
+        const parts = this.path.split('/').filter(p => p.length > 0);
+        let literalCount = 0;
+        let literalLen = 0;
+        for (const p of parts) {
+            if (!p.includes('*')) {
+                literalCount += 1;
+                literalLen += p.length;
+            }
+        }
+        // Prioritize by number of literal segments, then by total literal length
+        return literalCount * 1000 + literalLen;
+    }
+    static globToRegExp(pattern) {
+        // Convert a path glob with '**', '*', '?' into a safe anchored RegExp
+        let out = '^';
+        for (let i = 0; i < pattern.length; i++) {
+            const ch = pattern[i];
+            if (!ch) {
+                continue;
+            }
+            if (ch === '*') {
+                let starCount = 1;
+                while (i + 1 < pattern.length && pattern[i + 1] === '*') {
+                    starCount++;
+                    i++;
+                }
+                out += starCount >= 2 ? '.*' : '[^/]*';
+                continue;
+            }
+            if (ch === '?') {
+                out += '[^/]';
+                continue;
+            }
+            // Escape regex specials
+            out += String.raw `\^$+.?()|{}[]`.includes(ch) ? '\\' + ch : ch;
+        }
+        out += '$';
+        return new RegExp(out);
+    }
+    static parse(input) {
+        const s = input.trim();
+        const idx = s.indexOf(':');
+        if (idx === -1) {
+            return new Right(s);
+        }
+        const groups = s.slice(0, idx);
+        const path = s.slice(idx + 1);
+        const r = new Right(path);
+        // parse groups like '-abc+xyz' or '+xyz-abc'
+        let i = 0;
+        while (i < groups.length) {
+            const sign = groups[i];
+            if (sign !== '+' && sign !== '-') {
+                i++;
+                continue;
+            }
+            i++;
+            let letters = '';
+            while (i < groups.length && groups[i] !== '+' && groups[i] !== '-') {
+                letters += groups[i];
+                i++;
+            }
+            const apply = sign === '+' ? (f) => r.allow(f) : (f) => r.deny(f);
+            if (letters === '*') {
+                apply(Flags.ALL);
+                continue;
+            }
+            for (const ch of letters) {
+                switch (ch) {
+                    case 'r':
+                        apply(Flags.READ);
+                        break;
+                    case 'w':
+                        apply(Flags.WRITE);
+                        break;
+                    case 'c':
+                        apply(Flags.CREATE);
+                        break;
+                    case 'd':
+                        apply(Flags.DELETE);
+                        break;
+                    case 'x':
+                        apply(Flags.EXECUTE);
+                        break;
+                }
+            }
+        }
+        return r;
+    }
+}

package/dist/rights.d.ts

@@ -0,0 +1,38 @@
+import { Flags } from './constants';
+import { Right, type ConditionContext } from './right';
+export type RightJSON = {
+    allow: string;
+    description?: string;
+    path: string;
+};
+export declare class Rights {
+    private list;
+    private matchCache;
+    add(right: Right): this;
+    allRights(): Right[];
+    allow(path: string, ...flags: Flags[]): this;
+    deny(path: string, flag: Flags): this;
+    private matchOrdered;
+    has(path: string, flag: Flags, context?: ConditionContext): boolean;
+    explain(path: string, flag: Flags, context?: ConditionContext): {
+        allowed: boolean;
+        details: Array<{
+            allowed: boolean;
+            bit: Flags;
+            right?: Right;
+        }>;
+    };
+    private hasSingle;
+    private explainSingle;
+    all(path: string, context?: ConditionContext): boolean;
+    read(path: string, context?: ConditionContext): boolean;
+    write(path: string, context?: ConditionContext): boolean;
+    delete(path: string, context?: ConditionContext): boolean;
+    create(path: string, context?: ConditionContext): boolean;
+    execute(path: string, context?: ConditionContext): boolean;
+    toString(): string;
+    toJSON(): RightJSON[];
+    static fromJSON(arr: RightJSON[]): Rights;
+    static parse(input: string): Rights;
+    format(separator?: string): string;
+}

package/dist/rights.js

@@ -0,0 +1,189 @@
+import { ALL_BITS, Flags, hasBit } from './constants';
+import { Right } from './right';
+import { lettersFromMask, normalizePath } from './utils';
+export class Rights {
+    constructor() {
+        this.list = [];
+        this.matchCache = new Map();
+    }
+    add(right) {
+        this.list.push(right);
+        this.matchCache.clear();
+        return this;
+    }
+    allRights() {
+        return [...this.list];
+    }
+    allow(path, ...flags) {
+        const p = normalizePath(path);
+        let r = this.list.find(x => x.path === p);
+        if (!r) {
+            r = new Right(p);
+            this.add(r);
+        }
+        else {
+            // Invalidate cache if we update an existing right
+            this.matchCache.clear();
+        }
+        // Support spreading an array: allow(path, [Flags.READ] as any)
+        const flat = [].concat(...flags);
+        for (const f of flat) {
+            r.allow(f);
+        }
+        return this;
+    }
+    deny(path, flag) {
+        const p = normalizePath(path);
+        let r = this.list.find(x => x.path === p);
+        if (!r) {
+            r = new Right(p);
+            this.add(r);
+        }
+        else {
+            // Invalidate cache if we update an existing right
+            this.matchCache.clear();
+        }
+        r.deny(flag);
+        return this;
+    }
+    matchOrdered(path) {
+        const cached = this.matchCache.get(path);
+        if (cached) {
+            return cached;
+        }
+        const result = this.list
+            .filter(r => r.matches(path))
+            .sort((a, b) => b.specificity() - a.specificity());
+        this.matchCache.set(path, result);
+        return result;
+    }
+    has(path, flag, context) {
+        // For composite masks, all bits must succeed
+        let remaining = flag;
+        for (const bit of ALL_BITS) {
+            if (!hasBit(remaining, bit)) {
+                continue;
+            }
+            const ok = this.hasSingle(path, bit, context);
+            if (!ok) {
+                return false;
+            }
+            remaining &= ~bit;
+        }
+        return true;
+    }
+    explain(path, flag, context) {
+        const p = normalizePath(path);
+        const details = [];
+        let allAllowed = true;
+        for (const bit of ALL_BITS) {
+            if (!hasBit(flag, bit)) {
+                continue;
+            }
+            const res = this.explainSingle(p, bit, context);
+            if (!res.allowed) {
+                allAllowed = false;
+            }
+            details.push({ bit, ...res });
+        }
+        return { allowed: allAllowed, details };
+    }
+    hasSingle(path, bit, context) {
+        return this.explainSingle(path, bit, context).allowed;
+    }
+    explainSingle(path, bit, context) {
+        const matches = this.matchOrdered(normalizePath(path));
+        for (const r of matches) {
+            if (r.condition && !r.condition(context)) {
+                continue;
+            }
+            if (hasBit(r.denyMaskValue, bit)) {
+                return { allowed: false, right: r };
+            }
+            if (hasBit(r.allowMaskValue, bit)) {
+                return { allowed: true, right: r };
+            }
+        }
+        return { allowed: false };
+    }
+    // Convenience helpers
+    all(path, context) {
+        return this.has(path, Flags.ALL, context);
+    }
+    read(path, context) {
+        return this.has(path, Flags.READ, context);
+    }
+    write(path, context) {
+        return this.has(path, Flags.WRITE, context);
+    }
+    delete(path, context) {
+        return this.has(path, Flags.DELETE, context);
+    }
+    create(path, context) {
+        return this.has(path, Flags.CREATE, context);
+    }
+    execute(path, context) {
+        return this.has(path, Flags.EXECUTE, context);
+    }
+    toString() {
+        return this.list
+            .map(r => `+${lettersFromMask(r.allowMaskValue)}:${r.path}`)
+            .join(', ');
+    }
+    toJSON() {
+        return this.list.map(r => r.toJSON());
+    }
+    static fromJSON(arr) {
+        const rights = new Rights();
+        for (const item of arr) {
+            const p = normalizePath(item.path);
+            const r = new Right(p, { description: item.description });
+            const allowStr = item.allow;
+            if (allowStr === '*') {
+                r.allow(Flags.ALL);
+            }
+            else {
+                for (const ch of allowStr) {
+                    switch (ch) {
+                        case 'r':
+                            r.allow(Flags.READ);
+                            break;
+                        case 'w':
+                            r.allow(Flags.WRITE);
+                            break;
+                        case 'c':
+                            r.allow(Flags.CREATE);
+                            break;
+                        case 'd':
+                            r.allow(Flags.DELETE);
+                            break;
+                        case 'x':
+                            r.allow(Flags.EXECUTE);
+                            break;
+                    }
+                }
+            }
+            rights.add(r);
+        }
+        return rights;
+    }
+    static parse(input) {
+        const rights = new Rights();
+        if (!input) {
+            return rights;
+        }
+        const parts = input.split(/[\n\r,?]+/);
+        for (const part of parts) {
+            const trimmed = part.trim();
+            if (!trimmed) {
+                continue;
+            }
+            const r = Right.parse(trimmed);
+            rights.add(r);
+        }
+        return rights;
+    }
+    format(separator = ', ') {
+        return this.list.map(r => r.toString()).join(separator);
+    }
+}

package/dist/role-registry.d.ts

@@ -0,0 +1,14 @@
+import { Rights, type RightJSON } from './rights';
+import { Role } from './role';
+export type RoleJSON = {
+    inherits?: string[];
+    name: string;
+    rights: RightJSON[];
+};
+export declare class RoleRegistry {
+    private roles;
+    define(name: string, rights?: Rights): Role;
+    get(name: string): Role | undefined;
+    toJSON(): RoleJSON[];
+    static fromJSON(data: RoleJSON[]): RoleRegistry;
+}

package/dist/role-registry.js

@@ -0,0 +1,46 @@
+import { Rights } from './rights';
+import { Role } from './role';
+export class RoleRegistry {
+    constructor() {
+        this.roles = new Map();
+    }
+    define(name, rights) {
+        let role = this.roles.get(name);
+        if (!role) {
+            role = new Role(name, rights);
+            this.roles.set(name, role);
+        }
+        else if (rights) {
+            for (const r of rights.allRights()) {
+                role.rights.add(r);
+            }
+        }
+        return role;
+    }
+    get(name) {
+        return this.roles.get(name);
+    }
+    toJSON() {
+        return Array.from(this.roles.values()).map(r => r.toJSON());
+    }
+    static fromJSON(data) {
+        const registry = new RoleRegistry();
+        // First pass: create all roles
+        for (const item of data) {
+            registry.define(item.name, item.rights ? Rights.fromJSON(item.rights) : undefined);
+        }
+        // Second pass: resolve inheritance
+        for (const item of data) {
+            const role = registry.get(item.name);
+            if (item.inherits) {
+                for (const parentName of item.inherits) {
+                    const parent = registry.get(parentName);
+                    if (parent) {
+                        role.inheritsFrom(parent);
+                    }
+                }
+            }
+        }
+        return registry;
+    }
+}

package/dist/role.d.ts

@@ -0,0 +1,23 @@
+import { Right } from './right';
+import { Rights } from './rights';
+import type { RoleJSON } from './role-registry';
+export declare class Role {
+    readonly name: string;
+    readonly rights: Rights;
+    private parents;
+    private _cachedAllRights;
+    constructor(name: string, rights?: Rights);
+    inheritsFrom(role: Role): this;
+    /**
+     * Returns all rights associated with this role, including inherited ones.
+     */
+    allRights(): Array<{
+        right: Right;
+        source?: {
+            name: string;
+            type: 'role';
+        };
+    }>;
+    invalidateCache(): void;
+    toJSON(): RoleJSON;
+}

package/dist/role.js

@@ -0,0 +1,50 @@
+import { Right } from './right';
+import { Rights } from './rights';
+export class Role {
+    constructor(name, rights) {
+        this.parents = [];
+        this._cachedAllRights = null;
+        this.name = name;
+        this.rights = rights ?? new Rights();
+    }
+    inheritsFrom(role) {
+        if (role === this) {
+            throw new Error(`Role ${this.name} cannot inherit from itself`);
+        }
+        if (!this.parents.includes(role)) {
+            this.parents.push(role);
+            this.invalidateCache();
+        }
+        return this;
+    }
+    /**
+     * Returns all rights associated with this role, including inherited ones.
+     */
+    allRights() {
+        if (this._cachedAllRights) {
+            return this._cachedAllRights;
+        }
+        const list = this.rights.allRights().map(r => ({
+            right: r,
+            source: { name: this.name, type: 'role' }
+        }));
+        for (const parent of this.parents) {
+            list.push(...parent.allRights());
+        }
+        this._cachedAllRights = list;
+        return list;
+    }
+    invalidateCache() {
+        this._cachedAllRights = null;
+    }
+    toJSON() {
+        const out = {
+            name: this.name,
+            rights: this.rights.toJSON()
+        };
+        if (this.parents.length > 0) {
+            out.inherits = this.parents.map(p => p.name);
+        }
+        return out;
+    }
+}

package/dist/subject.d.ts

@@ -0,0 +1,31 @@
+import { Flags } from './constants';
+import { Right, type ConditionContext } from './right';
+import { Rights } from './rights';
+import { Role } from './role';
+export declare class Subject {
+    private roles;
+    readonly rights: Rights;
+    private _aggregate;
+    private _aggregateMeta;
+    memberOf(role: Role): this;
+    invalidateCache(): void;
+    has(path: string, flag: Flags, context?: ConditionContext): boolean;
+    explain(path: string, flag: Flags, context?: ConditionContext): {
+        allowed: boolean;
+        details: Array<{
+            allowed: boolean;
+            bit: Flags;
+            right?: Right;
+            source?: {
+                name?: string;
+                type: 'direct' | 'role';
+            };
+        }>;
+    };
+    all(path: string, context?: ConditionContext): boolean;
+    read(path: string, context?: ConditionContext): boolean;
+    write(path: string, context?: ConditionContext): boolean;
+    delete(path: string, context?: ConditionContext): boolean;
+    create(path: string, context?: ConditionContext): boolean;
+    execute(path: string, context?: ConditionContext): boolean;
+}

package/dist/subject.js

@@ -0,0 +1,73 @@
+import { Flags } from './constants';
+import { Right } from './right';
+import { Rights } from './rights';
+import { Role } from './role';
+export class Subject {
+    constructor() {
+        this.roles = [];
+        this.rights = new Rights();
+        this._aggregate = null;
+        this._aggregateMeta = null;
+    }
+    memberOf(role) {
+        if (!this.roles.includes(role)) {
+            this.roles.push(role);
+            this.invalidateCache();
+        }
+        return this;
+    }
+    invalidateCache() {
+        this._aggregate = null;
+        this._aggregateMeta = null;
+    }
+    has(path, flag, context) {
+        return this.explain(path, flag, context).allowed;
+    }
+    explain(path, flag, context) {
+        if (!this._aggregate) {
+            this._aggregate = new Rights();
+            this._aggregateMeta = new Map();
+            // Add rights from roles
+            for (const role of this.roles) {
+                for (const entry of role.allRights()) {
+                    this._aggregate.add(entry.right);
+                    if (entry.source) {
+                        this._aggregateMeta.set(entry.right, entry.source);
+                    }
+                }
+            }
+            // Add direct rights
+            for (const r of this.rights.allRights()) {
+                this._aggregate.add(r);
+                this._aggregateMeta.set(r, { type: 'direct' });
+            }
+        }
+        const res = this._aggregate.explain(path, flag, context);
+        return {
+            allowed: res.allowed,
+            details: res.details.map(d => ({
+                ...d,
+                source: d.right ? this._aggregateMeta.get(d.right) : undefined
+            }))
+        };
+    }
+    // Convenience helpers
+    all(path, context) {
+        return this.has(path, Flags.ALL, context);
+    }
+    read(path, context) {
+        return this.has(path, Flags.READ, context);
+    }
+    write(path, context) {
+        return this.has(path, Flags.WRITE, context);
+    }
+    delete(path, context) {
+        return this.has(path, Flags.DELETE, context);
+    }
+    create(path, context) {
+        return this.has(path, Flags.CREATE, context);
+    }
+    execute(path, context) {
+        return this.has(path, Flags.EXECUTE, context);
+    }
+}

package/dist/utils.d.ts

@@ -0,0 +1,2 @@
+export declare const normalizePath: (p: string) => string;
+export declare const lettersFromMask: (mask: number) => string;

package/dist/utils.js

@@ -0,0 +1,38 @@
+import { Flags, hasBit } from './constants';
+export const normalizePath = (p) => {
+    if (!p) {
+        return '/';
+    }
+    let out = p.trim();
+    if (!out.startsWith('/')) {
+        out = '/' + out;
+    }
+    out = out.replace(/\/+/, '/');
+    out = out.replaceAll(/\/+/g, '/');
+    if (out.length > 1 && out.endsWith('/')) {
+        out = out.slice(0, -1);
+    }
+    return out;
+};
+export const lettersFromMask = (mask) => {
+    if (mask === Flags.ALL) {
+        return '*';
+    }
+    const letters = [];
+    if (hasBit(mask, Flags.READ)) {
+        letters.push('r');
+    }
+    if (hasBit(mask, Flags.WRITE)) {
+        letters.push('w');
+    }
+    if (hasBit(mask, Flags.CREATE)) {
+        letters.push('c');
+    }
+    if (hasBit(mask, Flags.DELETE)) {
+        letters.push('d');
+    }
+    if (hasBit(mask, Flags.EXECUTE)) {
+        letters.push('x');
+    }
+    return letters.join('');
+};

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "odgn-rights",
+  "version": "0.1.0",
+  "description": "Tiny TypeScript library for expressing and evaluating hierarchical rights with simple glob patterns.",
+  "keywords": [
+    "rights",
+    "permissions",
+    "glob",
+    "typescript"
+  ],
+  "author": "Alex Veenendaal",
+  "repository": {
+    "type": "git",
+    "url": "https://tangled.sh:alex.veenenda.al/odgn-rights"
+  },
+  "license": "MIT",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "type": "module",
+  "scripts": {
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "lint": "eslint --cache .",
+    "lint:fix": "eslint --fix .",
+    "outdated": "bunx npm-check-updates --interactive --format group",
+    "test": "bun test",
+    "test:coverage": "bun test --coverage",
+    "unused": "knip",
+    "clean": "rm -rf dist",
+    "build": "tsc -p tsconfig.build.json",
+    "prepublishOnly": "bun run clean && bun run build && bun run test && bun run lint:fix && bun run format:check"
+  },
+  "devDependencies": {
+    "@ianvs/prettier-plugin-sort-imports": "^4.7.0",
+    "@nkzw/eslint-config": "^3.3.0",
+    "@types/bun": "latest",
+    "eslint": "^9",
+    "knip": "^5.76.3",
+    "prettier": "^3"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "sideEffects": false
+}