permissions-contractx 1.0.0

package/dist/decorators/roles.decorator.js

@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequireRoles = exports.SuperAdminOnly = exports.ProviderOnly = exports.ClientOnly = exports.AdminOnly = exports.Roles = exports.ROLES_KEY = void 0;
+const common_1 = require("@nestjs/common");
+/**
+ * Metadata key for required roles
+ */
+exports.ROLES_KEY = 'roles';
+/**
+ * Decorator to specify required roles for accessing a route.
+ * Can be applied at controller or method level.
+ * User must have at least one of the specified roles (OR logic).
+ *
+ * @param roles - Array of role names required to access the route
+ *
+ * @example
+ * ```typescript
+ * @Roles('superadmin', 'client_contract_admin')
+ * @Get('admin-data')
+ * getAdminData() {
+ *   // Only users with superadmin OR client_contract_admin role
+ * }
+ * ```
+ */
+const Roles = (...roles) => (0, common_1.SetMetadata)(exports.ROLES_KEY, roles);
+exports.Roles = Roles;
+/**
+ * Decorator for ContractX specific admin roles
+ *
+ * @example
+ * ```typescript
+ * @AdminOnly()
+ * @Delete(':id')
+ * deleteResource() {
+ *   // Only admin roles can access
+ * }
+ * ```
+ */
+const AdminOnly = () => (0, exports.Roles)('superadmin', 'client_contract_admin', 'provider_contract_admin');
+exports.AdminOnly = AdminOnly;
+/**
+ * Decorator for client-side roles only
+ *
+ * @example
+ * ```typescript
+ * @ClientOnly()
+ * @Get('client-data')
+ * getClientData() {
+ *   // Only client-side roles can access
+ * }
+ * ```
+ */
+const ClientOnly = () => (0, exports.Roles)('client_contract_admin', 'client_performance_manager', 'client_finance_manager', 'client_reports_manager', 'client_relationship_manager', 'client_risk_manager');
+exports.ClientOnly = ClientOnly;
+/**
+ * Decorator for provider-side roles only
+ *
+ * @example
+ * ```typescript
+ * @ProviderOnly()
+ * @Get('provider-data')
+ * getProviderData() {
+ *   // Only provider-side roles can access
+ * }
+ * ```
+ */
+const ProviderOnly = () => (0, exports.Roles)('provider_contract_admin', 'provider_performance_manager', 'provider_finance_manager', 'provider_reports_manager', 'provider_relationship_manager', 'provider_risk_manager');
+exports.ProviderOnly = ProviderOnly;
+/**
+ * Decorator for superadmin access only
+ *
+ * @example
+ * ```typescript
+ * @SuperAdminOnly()
+ * @Post('system/configure')
+ * configureSystem() {
+ *   // Only superadmin can access
+ * }
+ * ```
+ */
+const SuperAdminOnly = () => (0, exports.Roles)('superadmin');
+exports.SuperAdminOnly = SuperAdminOnly;
+/**
+ * Alias for Roles decorator for backward compatibility
+ * @deprecated Use Roles instead
+ */
+exports.RequireRoles = exports.Roles;

package/dist/guards/index.d.ts

@@ -0,0 +1,4 @@
+export * from './jwt-auth.guard';
+export * from './roles.guard';
+export * from './permissions.guard';
+//# sourceMappingURL=index.d.ts.map

package/dist/guards/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/guards/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC"}

package/dist/guards/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./jwt-auth.guard"), exports);
+__exportStar(require("./roles.guard"), exports);
+__exportStar(require("./permissions.guard"), exports);

package/dist/guards/jwt-auth.guard.d.ts

@@ -0,0 +1,21 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { JwtService } from '@nestjs/jwt';
+import { PermissionsModuleOptions } from '../interfaces';
+/**
+ * JWT Authentication Guard for ContractX
+ * Validates JWT tokens and attaches user information to requests
+ */
+export declare class JwtAuthGuard implements CanActivate {
+    private readonly jwtService;
+    private readonly reflector;
+    private readonly options;
+    private readonly logger;
+    constructor(jwtService: JwtService, reflector: Reflector, options: PermissionsModuleOptions);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    /**
+     * Extract JWT token from Authorization header
+     */
+    private extractTokenFromHeader;
+}
+//# sourceMappingURL=jwt-auth.guard.d.ts.map

package/dist/guards/jwt-auth.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/jwt-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAIjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAc,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAIrE;;;GAGG;AACH,qBACa,YAAa,YAAW,WAAW;IAI5C,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAE1B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAN1B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;gBAGrC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS,EAEpB,OAAO,EAAE,wBAAwB;IAG9C,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IA2E9D;;OAEG;IACH,OAAO,CAAC,sBAAsB;CAe/B"}

package/dist/guards/jwt-auth.guard.js

@@ -0,0 +1,115 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var JwtAuthGuard_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const jwt_1 = require("@nestjs/jwt");
+const decorators_1 = require("../decorators");
+const constants_1 = require("../constants");
+/**
+ * JWT Authentication Guard for ContractX
+ * Validates JWT tokens and attaches user information to requests
+ */
+let JwtAuthGuard = JwtAuthGuard_1 = class JwtAuthGuard {
+    constructor(jwtService, reflector, options) {
+        this.jwtService = jwtService;
+        this.reflector = reflector;
+        this.options = options;
+        this.logger = new common_1.Logger(JwtAuthGuard_1.name);
+    }
+    async canActivate(context) {
+        // Check if route is marked as public
+        const isPublic = this.reflector.getAllAndOverride(decorators_1.IS_PUBLIC_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (isPublic) {
+            this.logger.debug('Public route accessed, skipping authentication');
+            return true;
+        }
+        // Check if authentication is disabled in development
+        if (this.options.development?.disableAuth) {
+            this.logger.debug('Authentication disabled in development mode');
+            // Inject mock user if provided
+            if (this.options.development.mockUser) {
+                const request = context.switchToHttp().getRequest();
+                request.user = this.options.development.mockUser;
+            }
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        const token = this.extractTokenFromHeader(request);
+        if (!token) {
+            this.logger.warn(`Authentication failed: No token provided for ${request.method} ${request.url}`);
+            throw new common_1.UnauthorizedException('Access token is required');
+        }
+        try {
+            const payload = await this.jwtService.verifyAsync(token, {
+                secret: this.options.jwt.secret,
+                issuer: this.options.jwt.issuer,
+                audience: this.options.jwt.audience,
+                ignoreExpiration: this.options.jwt.ignoreExpiration,
+                clockTolerance: this.options.jwt.clockTolerance,
+            });
+            // Attach user to request
+            request.user = payload;
+            this.logger.debug(`Authentication successful for user: ${payload.sub} (${payload.fullName})`);
+            // Log security information if enabled
+            if (this.options.security?.enableLogging) {
+                this.logger.log(`User ${payload.sub} accessed ${request.method} ${request.url} with roles: [${payload.role?.join(', ')}]`);
+            }
+            return true;
+        }
+        catch (error) {
+            this.logger.warn(`Authentication failed: ${error.message}`);
+            // Provide specific error messages based on error type
+            if (error.name === 'TokenExpiredError') {
+                throw new common_1.UnauthorizedException('Access token has expired');
+            }
+            else if (error.name === 'JsonWebTokenError') {
+                throw new common_1.UnauthorizedException('Invalid access token');
+            }
+            else if (error.name === 'NotBeforeError') {
+                throw new common_1.UnauthorizedException('Access token not active yet');
+            }
+            else {
+                throw new common_1.UnauthorizedException('Authentication failed');
+            }
+        }
+    }
+    /**
+     * Extract JWT token from Authorization header
+     */
+    extractTokenFromHeader(request) {
+        const authHeader = request.headers.authorization;
+        if (!authHeader) {
+            return undefined;
+        }
+        // Support both "Bearer TOKEN" and "TOKEN" formats
+        if (authHeader.startsWith('Bearer ')) {
+            return authHeader.substring(7);
+        }
+        // Direct token without Bearer prefix
+        return authHeader;
+    }
+};
+exports.JwtAuthGuard = JwtAuthGuard;
+exports.JwtAuthGuard = JwtAuthGuard = JwtAuthGuard_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(2, (0, common_1.Inject)(constants_1.MODULE_CONSTANTS.MODULE_OPTIONS_TOKEN)),
+    __metadata("design:paramtypes", [jwt_1.JwtService,
+        core_1.Reflector, Object])
+], JwtAuthGuard);

package/dist/guards/permissions.guard.d.ts

@@ -0,0 +1,14 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+/**
+ * Permission-based Authorization Guard for ContractX
+ * Validates that user has all required permissions (AND logic)
+ * Also supports anyPermissions metadata for OR logic
+ */
+export declare class PermissionsGuard implements CanActivate {
+    private readonly reflector;
+    private readonly logger;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}
+//# sourceMappingURL=permissions.guard.d.ts.map

package/dist/guards/permissions.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.guard.d.ts","sourceRoot":"","sources":["../../src/guards/permissions.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAGjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAIzC;;;;GAIG;AACH,qBACa,gBAAiB,YAAW,WAAW;IAGtC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAFtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAqC;gBAE/B,SAAS,EAAE,SAAS;IAEjD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CAwFhD"}

package/dist/guards/permissions.guard.js

@@ -0,0 +1,77 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var PermissionsGuard_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionsGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const decorators_1 = require("../decorators");
+/**
+ * Permission-based Authorization Guard for ContractX
+ * Validates that user has all required permissions (AND logic)
+ * Also supports anyPermissions metadata for OR logic
+ */
+let PermissionsGuard = PermissionsGuard_1 = class PermissionsGuard {
+    constructor(reflector) {
+        this.reflector = reflector;
+        this.logger = new common_1.Logger(PermissionsGuard_1.name);
+    }
+    canActivate(context) {
+        // Check for required permissions (AND logic)
+        const requiredPermissions = this.reflector.getAllAndOverride(decorators_1.PERMISSIONS_KEY, [context.getHandler(), context.getClass()]);
+        // Check for any permissions (OR logic)
+        const anyPermissions = this.reflector.getAllAndOverride('anyPermissions', [context.getHandler(), context.getClass()]);
+        // If no permissions are specified, allow access
+        if ((!requiredPermissions || requiredPermissions.length === 0) &&
+            (!anyPermissions || anyPermissions.length === 0)) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        const user = request.user;
+        if (!user) {
+            this.logger.warn('Permissions guard: User not found in request context');
+            throw new common_1.ForbiddenException('Authentication required for permission-based access');
+        }
+        const userPermissions = user.permissions || [];
+        // Check anyPermissions first (OR logic - user needs at least one)
+        if (anyPermissions && anyPermissions.length > 0) {
+            const hasAnyPermission = anyPermissions.some((permission) => userPermissions.includes(permission));
+            if (!hasAnyPermission) {
+                this.logger.warn(`Access denied: User ${user.sub} (${user.fullName}) missing any required permissions. ` +
+                    `Required (any): [${anyPermissions.join(', ')}], ` +
+                    `User has: [${userPermissions.join(', ')}]`);
+                throw new common_1.ForbiddenException(`Access denied. Required permissions (any): [${anyPermissions.join(', ')}]`);
+            }
+            this.logger.debug(`Permission access granted: User ${user.sub} has at least one required permission from [${anyPermissions.join(', ')}]`);
+            return true;
+        }
+        // Check required permissions (AND logic - user needs all)
+        if (requiredPermissions && requiredPermissions.length > 0) {
+            const hasAllPermissions = requiredPermissions.every((permission) => userPermissions.includes(permission));
+            if (!hasAllPermissions) {
+                const missingPermissions = requiredPermissions.filter((permission) => !userPermissions.includes(permission));
+                this.logger.warn(`Access denied: User ${user.sub} (${user.fullName}) missing required permissions. ` +
+                    `Required (all): [${requiredPermissions.join(', ')}], ` +
+                    `User has: [${userPermissions.join(', ')}], ` +
+                    `Missing: [${missingPermissions.join(', ')}]`);
+                throw new common_1.ForbiddenException(`Access denied. Missing permissions: [${missingPermissions.join(', ')}]`);
+            }
+            this.logger.debug(`Permission access granted: User ${user.sub} has all required permissions [${requiredPermissions.join(', ')}]`);
+            return true;
+        }
+        return true;
+    }
+};
+exports.PermissionsGuard = PermissionsGuard;
+exports.PermissionsGuard = PermissionsGuard = PermissionsGuard_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [core_1.Reflector])
+], PermissionsGuard);

package/dist/guards/roles.guard.d.ts

@@ -0,0 +1,13 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+/**
+ * Role-based Authorization Guard for ContractX
+ * Validates that user has at least one of the required roles
+ */
+export declare class RolesGuard implements CanActivate {
+    private readonly reflector;
+    private readonly logger;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}
+//# sourceMappingURL=roles.guard.d.ts.map

package/dist/guards/roles.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.guard.d.ts","sourceRoot":"","sources":["../../src/guards/roles.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAGjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAIzC;;;GAGG;AACH,qBACa,UAAW,YAAW,WAAW;IAGhC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAFtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA+B;gBAEzB,SAAS,EAAE,SAAS;IAEjD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CA2ChD"}

package/dist/guards/roles.guard.js

@@ -0,0 +1,59 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var RolesGuard_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RolesGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const decorators_1 = require("../decorators");
+/**
+ * Role-based Authorization Guard for ContractX
+ * Validates that user has at least one of the required roles
+ */
+let RolesGuard = RolesGuard_1 = class RolesGuard {
+    constructor(reflector) {
+        this.reflector = reflector;
+        this.logger = new common_1.Logger(RolesGuard_1.name);
+    }
+    canActivate(context) {
+        const requiredRoles = this.reflector.getAllAndOverride(decorators_1.ROLES_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        // If no roles are specified, allow access
+        if (!requiredRoles || requiredRoles.length === 0) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        const user = request.user;
+        if (!user) {
+            this.logger.warn('Roles guard: User not found in request context');
+            throw new common_1.ForbiddenException('Authentication required for role-based access');
+        }
+        const userRoles = user.role || [];
+        const hasRole = requiredRoles.some((role) => userRoles.includes(role));
+        if (!hasRole) {
+            const missingRoles = requiredRoles.filter(role => !userRoles.includes(role));
+            this.logger.warn(`Access denied: User ${user.sub} (${user.fullName}) missing required roles. ` +
+                `Required: [${requiredRoles.join(', ')}], ` +
+                `User has: [${userRoles.join(', ')}], ` +
+                `Missing: [${missingRoles.join(', ')}]`);
+            throw new common_1.ForbiddenException(`Access denied. Required roles: [${requiredRoles.join(', ')}]`);
+        }
+        this.logger.debug(`Role access granted: User ${user.sub} has required role(s) [${requiredRoles.join(', ')}]`);
+        return true;
+    }
+};
+exports.RolesGuard = RolesGuard;
+exports.RolesGuard = RolesGuard = RolesGuard_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [core_1.Reflector])
+], RolesGuard);

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export * from './modules';
+export * from './guards';
+export * from './decorators';
+export * from './services';
+export * from './interfaces';
+export * from './constants';
+export type { JwtPayload, AuthenticatedRequest, PermissionsModuleOptions, JwtAuthConfig } from './interfaces';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,WAAW,CAAC;AAG1B,cAAc,UAAU,CAAC;AAGzB,cAAc,cAAc,CAAC;AAG7B,cAAc,YAAY,CAAC;AAG3B,cAAc,cAAc,CAAC;AAG7B,cAAc,aAAa,CAAC;AAG5B,YAAY,EAAE,UAAU,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,28 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// Main module
+__exportStar(require("./modules"), exports);
+// Guards
+__exportStar(require("./guards"), exports);
+// Decorators
+__exportStar(require("./decorators"), exports);
+// Services
+__exportStar(require("./services"), exports);
+// Interfaces
+__exportStar(require("./interfaces"), exports);
+// Constants
+__exportStar(require("./constants"), exports);

package/dist/interfaces/index.d.ts

@@ -0,0 +1,2 @@
+export * from './jwt-payload.interface';
+//# sourceMappingURL=index.d.ts.map

package/dist/interfaces/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/interfaces/index.ts"],"names":[],"mappings":"AAAA,cAAc,yBAAyB,CAAC"}

package/dist/interfaces/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./jwt-payload.interface"), exports);

package/dist/interfaces/jwt-payload.interface.d.ts

@@ -0,0 +1,93 @@
+/**
+ * JWT Payload interface for ContractX authentication system
+ */
+export interface JwtPayload {
+    /** User ID */
+    sub: string | number;
+    /** Alternative user ID field */
+    id?: string;
+    /** User roles array */
+    role: string[];
+    /** User permissions array */
+    permissions: string[];
+    /** User's full name */
+    fullName: string;
+    /** User's email */
+    email?: string;
+    /** Client organization ID */
+    clientId?: string;
+    /** Session ID for tracking */
+    sessionId?: string;
+    /** Token issued at timestamp */
+    iat?: number;
+    /** Token expiration timestamp */
+    exp?: number;
+    /** Token issuer */
+    iss?: string;
+    /** Token audience */
+    aud?: string;
+    /** Additional custom properties */
+    [key: string]: any;
+}
+/**
+ * Extended request interface with authenticated user
+ */
+export interface AuthenticatedRequest extends Request {
+    user: JwtPayload;
+}
+/**
+ * Configuration options for JWT authentication
+ */
+export interface JwtAuthConfig {
+    /** JWT secret key */
+    secret: string;
+    /** Token issuer */
+    issuer?: string;
+    /** Token audience */
+    audience?: string;
+    /** Token expiration time */
+    expiresIn?: string;
+    /** Refresh token secret */
+    refreshSecret?: string;
+    /** Refresh token expiration time */
+    refreshExpiresIn?: string;
+    /** Clock tolerance for token validation */
+    clockTolerance?: number;
+    /** Ignore expiration for development */
+    ignoreExpiration?: boolean;
+}
+/**
+ * Module configuration options
+ */
+export interface PermissionsModuleOptions {
+    /** JWT configuration */
+    jwt: JwtAuthConfig;
+    /** Global guards configuration */
+    guards?: {
+        /** Apply authentication guard globally */
+        enableGlobalAuth?: boolean;
+        /** Apply roles guard globally */
+        enableGlobalRoles?: boolean;
+        /** Apply permissions guard globally */
+        enableGlobalPermissions?: boolean;
+    };
+    /** Security configuration */
+    security?: {
+        /** Enable request logging */
+        enableLogging?: boolean;
+        /** Enable rate limiting */
+        enableRateLimit?: boolean;
+        /** Rate limit window in milliseconds */
+        rateLimitWindow?: number;
+        /** Maximum requests per window */
+        rateLimitMax?: number;
+    };
+    /** Development mode settings */
+    development?: {
+        /** Disable authentication in development */
+        disableAuth?: boolean;
+        /** Mock user for development */
+        mockUser?: JwtPayload;
+    };
+}
+//# sourceMappingURL=jwt-payload.interface.d.ts.map

package/dist/interfaces/jwt-payload.interface.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-payload.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/jwt-payload.interface.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,cAAc;IACd,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IAErB,gCAAgC;IAChC,EAAE,CAAC,EAAE,MAAM,CAAC;IAEZ,uBAAuB;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;IAEf,6BAA6B;IAC7B,WAAW,EAAE,MAAM,EAAE,CAAC;IAEtB,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IAEjB,mBAAmB;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,6BAA6B;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8BAA8B;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,gCAAgC;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,mBAAmB;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,qBAAqB;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,mCAAmC;IACnC,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,EAAE,UAAU,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,qBAAqB;IACrB,MAAM,EAAE,MAAM,CAAC;IAEf,mBAAmB;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,qBAAqB;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,2BAA2B;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,wCAAwC;IACxC,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,wBAAwB;IACxB,GAAG,EAAE,aAAa,CAAC;IAEnB,kCAAkC;IAClC,MAAM,CAAC,EAAE;QACP,0CAA0C;QAC1C,gBAAgB,CAAC,EAAE,OAAO,CAAC;QAE3B,iCAAiC;QACjC,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,uCAAuC;QACvC,uBAAuB,CAAC,EAAE,OAAO,CAAC;KACnC,CAAC;IAEF,6BAA6B;IAC7B,QAAQ,CAAC,EAAE;QACT,6BAA6B;QAC7B,aAAa,CAAC,EAAE,OAAO,CAAC;QAExB,2BAA2B;QAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;QAE1B,wCAAwC;QACxC,eAAe,CAAC,EAAE,MAAM,CAAC;QAEzB,kCAAkC;QAClC,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IAEF,gCAAgC;IAChC,WAAW,CAAC,EAAE;QACZ,4CAA4C;QAC5C,WAAW,CAAC,EAAE,OAAO,CAAC;QAEtB,gCAAgC;QAChC,QAAQ,CAAC,EAAE,UAAU,CAAC;KACvB,CAAC;CACH"}

package/dist/interfaces/jwt-payload.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/modules/index.d.ts

@@ -0,0 +1,2 @@
+export * from './permissions-contractx.module';
+//# sourceMappingURL=index.d.ts.map

package/dist/modules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/modules/index.ts"],"names":[],"mappings":"AAAA,cAAc,gCAAgC,CAAC"}

package/dist/modules/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./permissions-contractx.module"), exports);