ofauth-shared-core 0.1.0-alpha.0 → 0.2.0-alpha.0

package/dist/services/localProvisioning.d.ts

@@ -0,0 +1,23 @@
+import type { DbAdapter } from 'ofcore';
+type HashAdapter = {
+    hashPin?: (pin: string) => Promise<string> | string;
+};
+type ScopeRef = {
+    tenantId?: string | null;
+    branchId?: string | null;
+};
+export interface LocalIdentityProvisioningInput {
+    dbAdapter: DbAdapter;
+    principal: string;
+    secret: string;
+    roleRef: string;
+    scope?: ScopeRef;
+    platformAdapter?: HashAdapter | null;
+    source?: string;
+}
+export interface LocalIdentityProvisioningResult {
+    identityId: string;
+    assignmentId: string;
+}
+export declare function upsertLocalIdentityAndAssignment(input: LocalIdentityProvisioningInput): Promise<LocalIdentityProvisioningResult>;
+export {};

package/dist/services/responseEnvelope.d.ts

@@ -0,0 +1,10 @@
+import type { ErrorDetail, ResponseEnvelope } from 'ofcore';
+import type { AuthErrorCode } from '../contracts/AuthErrorContract';
+export declare function toAuthSuccessEnvelope<T>(data: T, requestId?: string): ResponseEnvelope<T>;
+export declare function toAuthFailureEnvelope<T = never>(code: AuthErrorCode, message: string, options?: {
+    details?: ErrorDetail[];
+    retryable?: boolean;
+    correlationId?: string;
+    requestId?: string;
+}): ResponseEnvelope<T>;
+export declare function mapAuthErrorToEnvelope<T = never>(error: unknown, fallbackCode?: AuthErrorCode, fallbackMessage?: string): ResponseEnvelope<T>;

package/package.json

@@ -1,35 +1,46 @@
 {
   "name": "ofauth-shared-core",
-  "version": "0.1.0-alpha.0",
+  "version": "0.2.0-alpha.0",
   "private": false,
   "description": "Offline-first auth shared-core (identity/session/context/assurance) for of* domain modules.",
+  "author": {
+    "name": "Agus Made",
+    "email": "krisnaparta@gmail.com"
+  },
   "main": "dist/index.js",
+  "module": "dist/index.esm.js",
   "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.esm.js",
+      "require": "./dist/index.js"
+    }
+  },
   "files": [
     "dist"
   ],
   "scripts": {
     "clean": "node -e \"require('fs').rmSync('dist',{recursive:true,force:true})\"",
-    "build": "npm run clean && tsc -p tsconfig.build.json",
+    "build": "npm run clean && tsc -p tsconfig.build.json && node esbuild.config.js",
     "typecheck": "tsc -p tsconfig.json --noEmit",
     "test": "NODE_PATH=.. npm run build && NODE_PATH=.. node --test ./tests/*.test.js",
     "verify:contract": "node ./scripts/verify-surface.js",
     "verify:surface": "node ./scripts/verify-surface.js",
+    "verify:exception-audit": "node ./scripts/verify-exception-audit.js",
     "verify:logic": "NODE_PATH=.. npm run build && NODE_PATH=.. node ./scripts/verify-logic.js",
     "verify:factory-boundary": "node ./scripts/verify-no-service-logic-in-factory.js",
-    "ci:check": "npm run typecheck && npm run verify:contract && npm run test && npm run verify:logic && npm run verify:factory-boundary",
+    "ci:check": "npm run typecheck && npm run verify:contract && npm run verify:exception-audit && npm run test && npm run verify:logic && npm run verify:factory-boundary",
     "prepublishOnly": "npm run ci:check",
-    "prepack": "npm run build"
+    "prepack": "npm run build",
+    "bundle": "node esbuild.config.js"
   },
   "dependencies": {
-    "ofcore": "0.1.0-alpha.0"
+    "ofcore": "0.2.0-alpha.0"
   },
   "devDependencies": {
-    "typescript": "^5.9.3"
-  },
-  "author": {
-    "name": "Agus Made",
-    "email": "krisnaparta@gmail.com"
+    "typescript": "^5.9.3",
+    "esbuild": "^0.25.11"
   },
   "publishConfig": {
     "access": "public"

package/dist/OfauthCore.js

@@ -1,200 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OfauthCoreBuilder = exports.OfauthCore = void 0;
-const ofcore_1 = require("ofcore");
-const ofcore_2 = require("ofcore");
-const ofcore_3 = require("ofcore");
-const createDbAdapterOfauthServices_1 = require("./services/createDbAdapterOfauthServices");
-const applyPendingMigrations_1 = require("./data/applyPendingMigrations");
-class OfauthCore {
-    constructor(runtime, runtimeStateStore) {
-        this.runtime = runtime;
-        this.runtimeStateStore = runtimeStateStore;
-        this.runtimeStore = (0, ofcore_3.asReadonlyStore)(this.runtimeStateStore);
-    }
-    static builder() {
-        return new OfauthCoreBuilder();
-    }
-    get registry() {
-        return this.runtime.registry;
-    }
-    async start(options = {}) {
-        this.runtimeStateStore.setState({
-            phase: 'starting',
-            started: false,
-            lastError: null,
-            lastTransitionAt: new Date().toISOString(),
-        });
-        try {
-            await this.runtime.start(options);
-            this.domainServices = this.runtime.domainServices;
-            this.runtimeStateStore.setState((state) => ({
-                ...state,
-                phase: 'started',
-                started: true,
-                startCount: state.startCount + 1,
-                lastError: null,
-                lastTransitionAt: new Date().toISOString(),
-            }));
-        }
-        catch (error) {
-            this.runtimeStateStore.setState({
-                phase: 'error',
-                started: false,
-                lastError: error instanceof Error ? error.message : String(error),
-                lastTransitionAt: new Date().toISOString(),
-            });
-            throw error;
-        }
-    }
-    async init(options = {}) {
-        this.runtimeStateStore.setState({
-            phase: 'starting',
-            started: false,
-            lastError: null,
-            lastTransitionAt: new Date().toISOString(),
-        });
-        try {
-            await this.runtime.init(options);
-            this.domainServices = this.runtime.domainServices;
-            this.runtimeStateStore.setState((state) => ({
-                ...state,
-                phase: 'started',
-                started: true,
-                startCount: state.startCount + 1,
-                lastError: null,
-                lastTransitionAt: new Date().toISOString(),
-            }));
-        }
-        catch (error) {
-            this.runtimeStateStore.setState({
-                phase: 'error',
-                started: false,
-                lastError: error instanceof Error ? error.message : String(error),
-                lastTransitionAt: new Date().toISOString(),
-            });
-            throw error;
-        }
-    }
-    async stop() {
-        this.runtimeStateStore.setState({
-            phase: 'stopping',
-            started: this.runtime.isStarted(),
-            lastError: null,
-            lastTransitionAt: new Date().toISOString(),
-        });
-        try {
-            await this.runtime.stop();
-            this.runtimeStateStore.setState((state) => ({
-                ...state,
-                phase: 'stopped',
-                started: false,
-                stopCount: state.stopCount + 1,
-                lastError: null,
-                lastTransitionAt: new Date().toISOString(),
-            }));
-        }
-        catch (error) {
-            this.runtimeStateStore.setState({
-                phase: 'error',
-                started: this.runtime.isStarted(),
-                lastError: error instanceof Error ? error.message : String(error),
-                lastTransitionAt: new Date().toISOString(),
-            });
-            throw error;
-        }
-    }
-    isStarted() {
-        return this.runtime.isStarted();
-    }
-}
-exports.OfauthCore = OfauthCore;
-class OfauthCoreBuilder {
-    constructor() {
-        this.runtimeBuilder = ofcore_1.CoreRuntime.builder();
-        this.domainServiceOverrides = {};
-        this.runtimeHooks = {};
-        this.runtimeBuilder.withDbAdapter(() => new ofcore_2.InMemoryDbAdapter());
-    }
-    withPlatformAdapter(factory) {
-        this.runtimeBuilder.withPlatformAdapter(factory);
-        return this;
-    }
-    withDbAdapter(factory) {
-        this.runtimeBuilder.withDbAdapter(factory);
-        return this;
-    }
-    withHttpAdapter(factory) {
-        this.runtimeBuilder.withHttpAdapter(factory);
-        return this;
-    }
-    withSocketAdapter(factory) {
-        this.runtimeBuilder.withSocketAdapter(factory);
-        return this;
-    }
-    withLoggerAdapter(factory) {
-        this.runtimeBuilder.withLoggerAdapter(factory);
-        return this;
-    }
-    withActivitySink(factory) {
-        this.runtimeBuilder.withActivitySink(factory);
-        return this;
-    }
-    withExtension(name, factory) {
-        this.runtimeBuilder.withExtension(name, factory);
-        return this;
-    }
-    withDomainServicesFactory(factory) {
-        this.domainServicesFactory = factory;
-        return this;
-    }
-    overrideDomainServices(overrides) {
-        this.domainServiceOverrides = { ...this.domainServiceOverrides, ...overrides };
-        return this;
-    }
-    withRuntimeHooks(hooks) {
-        this.runtimeHooks = { ...this.runtimeHooks, ...hooks };
-        return this;
-    }
-    withMigrationRunner(runner) {
-        return this.withRuntimeHooks({ runMigrations: runner });
-    }
-    withSeedRunner(runner) {
-        return this.withRuntimeHooks({ runSeed: runner });
-    }
-    build() {
-        const runtimeStateStore = (0, ofcore_3.createStore)({
-            phase: 'idle',
-            started: false,
-            startCount: 0,
-            stopCount: 0,
-            lastError: null,
-            lastTransitionAt: new Date().toISOString(),
-        });
-        const defaultRunMigrations = async (runtime) => {
-            const dbAdapter = runtime.registry?.dbAdapter;
-            if (!dbAdapter)
-                return;
-            await (0, applyPendingMigrations_1.applyPendingMigrations)(dbAdapter, runtime.registry?.loggerAdapter);
-        };
-        this.runtimeBuilder.withHooks({
-            ...this.runtimeHooks,
-            runMigrations: this.runtimeHooks.runMigrations ?? defaultRunMigrations,
-            createDomainServices: async (runtime) => {
-                const base = this.domainServicesFactory
-                    ? await this.domainServicesFactory()
-                    : await (0, createDbAdapterOfauthServices_1.createDbAdapterOfauthServices)(runtime.registry?.dbAdapter ?? new ofcore_2.InMemoryDbAdapter(), {
-                        logger: runtime.registry?.loggerAdapter,
-                        platformAdapter: runtime.registry?.platformAdapter,
-                        emitActivity: async (record) => {
-                            await runtime.emitActivity(record);
-                        },
-                    });
-                return { ...base, ...this.domainServiceOverrides };
-            },
-        });
-        const runtime = this.runtimeBuilder.build();
-        return new OfauthCore(runtime, runtimeStateStore);
-    }
-}
-exports.OfauthCoreBuilder = OfauthCoreBuilder;

package/dist/contracts/AuthAuditContract.js

@@ -1,16 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isAuthAuditEventType = isAuthAuditEventType;
-function isAuthAuditEventType(value) {
-    const allowed = [
-        'LOGIN_SUCCESS',
-        'LOGIN_FAILED',
-        'LOCKOUT_TRIGGERED',
-        'SESSION_REVOKED',
-        'CONTEXT_SWITCHED',
-        'STEP_UP_CHALLENGED',
-        'STEP_UP_PASSED',
-        'STEP_UP_FAILED',
-    ];
-    return allowed.includes(value);
-}

package/dist/contracts/AuthErrorContract.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/contracts/AuthPolicyContract.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/contracts/ContextContract.js

@@ -1,8 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.hasAnyScopeDimension = hasAnyScopeDimension;
-function hasAnyScopeDimension(scope) {
-    return Boolean(scope.tenantId ||
-        scope.branchId ||
-        (scope.attributes && Object.keys(scope.attributes).length > 0));
-}

package/dist/contracts/IdentityContract.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/contracts/SessionContract.js

@@ -1,10 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isAssuranceLevelAtLeast = isAssuranceLevelAtLeast;
-function isAssuranceLevelAtLeast(current, required) {
-    const rank = {
-        basic: 1,
-        elevated: 2,
-    };
-    return rank[current] >= rank[required];
-}

package/dist/data/applyPendingMigrations.js

@@ -1,30 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.applyPendingMigrations = applyPendingMigrations;
-const migrations_1 = require("./migrations");
-const noopLogger = {
-    logInfo() { },
-    logWarn() { },
-    logError() { },
-};
-async function applyPendingMigrations(adapter, logger = noopLogger) {
-    logger.logInfo('[ofauth] starting database migration process');
-    const sorted = [...migrations_1.migrations].sort((a, b) => a.toVersion - b.toVersion);
-    const targetVersion = sorted.length > 0 ? sorted[sorted.length - 1].toVersion : 0;
-    let currentVersion = await adapter.getSchemaVersion();
-    if (currentVersion == null || currentVersion < 0)
-        currentVersion = 0;
-    if (currentVersion >= targetVersion) {
-        logger.logInfo(`[ofauth] database already up-to-date at v${currentVersion}`);
-        return;
-    }
-    for (const migration of sorted) {
-        if (migration.toVersion > currentVersion) {
-            logger.logInfo(`[ofauth] applying migration v${migration.toVersion}`);
-            await migration.up(adapter);
-            await adapter.setSchemaVersion(migration.toVersion);
-            currentVersion = migration.toVersion;
-        }
-    }
-    logger.logInfo(`[ofauth] migration completed at v${currentVersion}`);
-}

package/dist/data/migrations.js

@@ -1,47 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.migrations = void 0;
-const schemas_1 = require("./schemas");
-exports.migrations = [
-    {
-        toVersion: 1,
-        up: async (adapter) => {
-            const tables = (0, schemas_1.getOfauthTableSchemas)();
-            for (const table of tables) {
-                try {
-                    await adapter.addTable(table);
-                }
-                catch {
-                    // keep migration idempotent for adapters that throw when table exists
-                }
-            }
-        },
-    },
-    {
-        toVersion: 2,
-        up: async (adapter) => {
-            try {
-                await adapter.addColumn(schemas_1.OFAUTH_TABLES.auditEvents, {
-                    name: 'syncStatus',
-                    type: 'string',
-                    enum: ['pending', 'replayed'],
-                    isIndexed: true,
-                });
-            }
-            catch {
-                // keep migration idempotent
-            }
-            try {
-                await adapter.addColumn(schemas_1.OFAUTH_TABLES.auditEvents, {
-                    name: 'replayedAt',
-                    type: 'string',
-                    isOptional: true,
-                    isIndexed: true,
-                });
-            }
-            catch {
-                // keep migration idempotent
-            }
-        },
-    },
-];

package/dist/data/schemas.js

@@ -1,109 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ofauthSchema = exports.OFAUTH_TABLES = void 0;
-exports.getOfauthTableSchemas = getOfauthTableSchemas;
-exports.OFAUTH_TABLES = {
-    identities: 'ofauth_identities',
-    assignments: 'ofauth_assignments',
-    sessions: 'ofauth_sessions',
-    policyProfiles: 'ofauth_policy_profiles',
-    policyStepups: 'ofauth_policy_stepups',
-    auditEvents: 'ofauth_audit_events',
-};
-const tableSchemas = [
-    {
-        name: exports.OFAUTH_TABLES.identities,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'principal', type: 'string', isIndexed: true },
-            { name: 'secretHash', type: 'string' },
-            { name: 'verifyMethod', type: 'string', enum: ['pin', 'password', 'custom'] },
-            { name: 'status', type: 'string', enum: ['active', 'disabled', 'locked'], isIndexed: true },
-            { name: 'failedAttempts', type: 'number' },
-            { name: 'lockoutUntil', type: 'string', isOptional: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.assignments,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'identityId', type: 'string', isIndexed: true },
-            { name: 'roleRef', type: 'string', isIndexed: true },
-            { name: 'tenantId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'branchId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'scopeAttributes', type: 'json', isOptional: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.sessions,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'identityId', type: 'string', isIndexed: true },
-            { name: 'activeAssignmentId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'assuranceLevel', type: 'string', enum: ['basic', 'elevated'], isIndexed: true },
-            { name: 'issuedAt', type: 'string' },
-            { name: 'expiresAt', type: 'string', isIndexed: true },
-            { name: 'revokedAt', type: 'string', isOptional: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.policyProfiles,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'profileId', type: 'string', isIndexed: true },
-            { name: 'defaultAssuranceLevel', type: 'string', enum: ['basic', 'elevated'] },
-            { name: 'lockoutPolicyRef', type: 'string' },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.policyStepups,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'actionRef', type: 'string', isIndexed: true },
-            { name: 'requiredAssuranceLevel', type: 'string', enum: ['basic', 'elevated'] },
-            { name: 'reauthWindowSeconds', type: 'number', isOptional: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-    {
-        name: exports.OFAUTH_TABLES.auditEvents,
-        columns: [
-            { name: 'id', type: 'string' },
-            { name: 'eventType', type: 'string', isIndexed: true },
-            { name: 'identityId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'sessionId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'tenantId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'branchId', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'scopeAttributes', type: 'json', isOptional: true },
-            { name: 'result', type: 'string', enum: ['success', 'failed'], isIndexed: true },
-            { name: 'reasonCode', type: 'string', isOptional: true },
-            { name: 'timestamp', type: 'string', isIndexed: true },
-            { name: 'syncStatus', type: 'string', enum: ['pending', 'replayed'], isIndexed: true },
-            { name: 'replayedAt', type: 'string', isOptional: true, isIndexed: true },
-            { name: 'version', type: 'number' },
-            { name: 'lastModified', type: 'string' },
-            { name: 'deleted', type: 'boolean', isIndexed: true },
-        ],
-    },
-];
-exports.ofauthSchema = {
-    version: 2,
-    tables: tableSchemas,
-};
-function getOfauthTableSchemas() {
-    return exports.ofauthSchema.tables;
-}

package/dist/runtime/ContractStage.js

@@ -1,4 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.OFAUTH_CONTRACT_STAGE = void 0;
-exports.OFAUTH_CONTRACT_STAGE = 'phase1-contract-only';

package/dist/services/AuthAuditService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/AuthHostComposition.js

@@ -1,100 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.loginWithResolvedContext = loginWithResolvedContext;
-exports.refreshResolvedContext = refreshResolvedContext;
-exports.switchContextWithResolvedState = switchContextWithResolvedState;
-exports.evaluateProtectedRouteGate = evaluateProtectedRouteGate;
-const SessionContract_1 = require("../contracts/SessionContract");
-function findAssignment(assignments, assignmentId) {
-    if (!assignmentId)
-        return undefined;
-    return assignments.find((row) => row.assignmentId === assignmentId);
-}
-function isScopeAllowed(scope, policy) {
-    if (policy.requiredTenantId && scope.tenantId !== policy.requiredTenantId)
-        return false;
-    if (policy.requiredBranchId && scope.branchId !== policy.requiredBranchId)
-        return false;
-    if (policy.requiredScopeAttributes) {
-        const attrs = scope.attributes ?? {};
-        for (const [key, value] of Object.entries(policy.requiredScopeAttributes)) {
-            if (attrs[key] !== value)
-                return false;
-        }
-    }
-    return true;
-}
-async function buildResolvedContext(services, input) {
-    const session = await services.sessionService.getActiveSession(input.sessionId);
-    if (!session)
-        return null;
-    const assignments = await services.contextService.listAssignments(input.identityId);
-    let activeContext = await services.contextService.getActiveContext(input.sessionId);
-    if (!activeContext && assignments[0]) {
-        const switched = await services.contextService.switchContext({
-            sessionId: input.sessionId,
-            targetAssignmentId: assignments[0].assignmentId,
-            ...(input.assignmentFallbackReason ? { reasonCode: input.assignmentFallbackReason } : {}),
-        });
-        activeContext = switched.activeContext;
-    }
-    const activeAssignment = findAssignment(assignments, activeContext?.assignmentId);
-    return {
-        sessionId: input.sessionId,
-        identityId: input.identityId,
-        principal: input.principal,
-        assignments,
-        activeContextAssignmentId: activeContext?.assignmentId,
-        activeAssignment,
-        scopeRef: activeContext?.scopeRef ?? activeAssignment?.scopeRef ?? session.activeScopeRef ?? {},
-        roleRef: activeAssignment?.roleRef,
-        assuranceLevel: session.assuranceLevel,
-    };
-}
-async function loginWithResolvedContext(services, input) {
-    const login = await services.identityService.login(input);
-    const resolved = await buildResolvedContext(services, {
-        sessionId: login.sessionId,
-        identityId: login.identity.identityId,
-        principal: login.identity.principal,
-        assignmentFallbackReason: 'AUTO_CONTEXT_AFTER_LOGIN',
-    });
-    if (!resolved) {
-        throw new Error('session is not active after login');
-    }
-    return resolved;
-}
-async function refreshResolvedContext(services, input) {
-    return buildResolvedContext(services, input);
-}
-async function switchContextWithResolvedState(services, input) {
-    await services.contextService.switchContext({
-        sessionId: input.sessionId,
-        targetAssignmentId: input.targetAssignmentId,
-        ...(input.reasonCode ? { reasonCode: input.reasonCode } : {}),
-    });
-    const resolved = await buildResolvedContext(services, input);
-    if (!resolved) {
-        throw new Error('session is not active while switching context');
-    }
-    return resolved;
-}
-function evaluateProtectedRouteGate(resolved, policy = {}) {
-    if (!resolved) {
-        return { allowed: false, reasonCode: 'NO_SESSION' };
-    }
-    const minimumAssurance = policy.minimumAssuranceLevel ?? 'basic';
-    if (!(0, SessionContract_1.isAssuranceLevelAtLeast)(resolved.assuranceLevel, minimumAssurance)) {
-        return { allowed: false, reasonCode: 'ASSURANCE_TOO_LOW' };
-    }
-    if (policy.requiredRoleRefs?.length) {
-        const hasRole = !!resolved.roleRef && policy.requiredRoleRefs.includes(resolved.roleRef);
-        if (!hasRole) {
-            return { allowed: false, reasonCode: 'ROLE_FORBIDDEN' };
-        }
-    }
-    if (!isScopeAllowed(resolved.scopeRef, policy)) {
-        return { allowed: false, reasonCode: 'SCOPE_FORBIDDEN' };
-    }
-    return { allowed: true };
-}

package/dist/services/AuthPolicyService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/ContextService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/IdentityService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/dist/services/SessionService.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });