permissions-contractx 1.0.2 → 1.1.0

package/dist/decorators/roles.decorator.js

@@ -12,72 +12,21 @@ exports.ROLES_KEY = 'roles';
  * User must have at least one of the specified roles (OR logic).
  *
  * @param roles - Array of role names required to access the route
- *
- * @example
- * ```typescript
- * @Roles('superadmin', 'client_contract_admin')
- * @Get('admin-data')
- * getAdminData() {
- *   // Only users with superadmin OR client_contract_admin role
- * }
- * ```
  */
 const Roles = (...roles) => (0, common_1.SetMetadata)(exports.ROLES_KEY, roles);
 exports.Roles = Roles;
-/**
- * Decorator for ContractX specific admin roles
- *
- * @example
- * ```typescript
- * @AdminOnly()
- * @Delete(':id')
- * deleteResource() {
- *   // Only admin roles can access
- * }
- * ```
- */
+// NOTA[reconstrucción]: los helpers de abajo hardcodean nombres de rol del vocabulario VIEJO
+// (superadmin, client_performance_manager, ...) → "se reemplaza" al portar al modelo nuevo.
+/** Decorator for ContractX specific admin roles */
 const AdminOnly = () => (0, exports.Roles)('superadmin', 'client_contract_admin', 'provider_contract_admin');
 exports.AdminOnly = AdminOnly;
-/**
- * Decorator for client-side roles only
- *
- * @example
- * ```typescript
- * @ClientOnly()
- * @Get('client-data')
- * getClientData() {
- *   // Only client-side roles can access
- * }
- * ```
- */
+/** Decorator for client-side roles only */
 const ClientOnly = () => (0, exports.Roles)('client_contract_admin', 'client_performance_manager', 'client_finance_manager', 'client_reports_manager', 'client_relationship_manager', 'client_risk_manager');
 exports.ClientOnly = ClientOnly;
-/**
- * Decorator for provider-side roles only
- *
- * @example
- * ```typescript
- * @ProviderOnly()
- * @Get('provider-data')
- * getProviderData() {
- *   // Only provider-side roles can access
- * }
- * ```
- */
+/** Decorator for provider-side roles only */
 const ProviderOnly = () => (0, exports.Roles)('provider_contract_admin', 'provider_performance_manager', 'provider_finance_manager', 'provider_reports_manager', 'provider_relationship_manager', 'provider_risk_manager');
 exports.ProviderOnly = ProviderOnly;
-/**
- * Decorator for superadmin access only
- *
- * @example
- * ```typescript
- * @SuperAdminOnly()
- * @Post('system/configure')
- * configureSystem() {
- *   // Only superadmin can access
- * }
- * ```
- */
+/** Decorator for superadmin access only */
 const SuperAdminOnly = () => (0, exports.Roles)('superadmin');
 exports.SuperAdminOnly = SuperAdminOnly;
 /**

package/dist/guards/authorization.guard.d.ts

@@ -0,0 +1,37 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+/**
+ * [ADR-004] AuthorizationGuard — guard de 4 estados portado desde Auth.
+ *
+ * Lee dos conjuntos ya resueltos del JWT (la resolución deny-wins ocurre en Auth,
+ * vía resolvePermissionEntitlements, NO aquí):
+ *   - user.permissions      = acceso pleno (write/full)
+ *   - user.permissionsView  = modo-ver (👁, solo lectura)
+ *
+ * Eje lectura/escritura (D3): por método HTTP (GET/HEAD/OPTIONS = lectura), salvo
+ * override @PermissionWrites. En lectura vale acceso pleno O modo-ver; en escritura
+ * SOLO acceso pleno (modo-ver bloquea).
+ *
+ * Doble gateo rol+permiso (D4) vía env AUTHZ_ENFORCEMENT:
+ *   - legacy (default): rol O permiso (comportamiento previo, sin cambio).
+ *   - observe: el rol decide; se loguea la discrepancia con el permiso (recolección).
+ *   - strict:  el permiso decide.
+ */
+export declare class AuthorizationGuard implements CanActivate {
+    private reflector;
+    private readonly logger;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+    /**
+     * [D4] Modo de enforcement del doble gateo, vía env `AUTHZ_ENFORCEMENT`.
+     * Default 'legacy' ⇒ comportamiento previo (rol O permiso) sin cambio hasta optar in.
+     */
+    private resolveEnforcementMode;
+    /**
+     * Clasifica la petición como escritura o lectura para el eje modo-ver (D3).
+     * Override explícito @PermissionWrites(boolean) gana; si no, cae por método HTTP
+     * (GET/HEAD/OPTIONS = lectura; el resto = escritura).
+     */
+    private isWriteRequest;
+}
+//# sourceMappingURL=authorization.guard.d.ts.map

package/dist/guards/authorization.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.guard.d.ts","sourceRoot":"","sources":["../../src/guards/authorization.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAGjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAWzC;;;;;;;;;;;;;;;;GAgBG;AACH,qBACa,kBAAmB,YAAW,WAAW;IAGxC,OAAO,CAAC,SAAS;IAF7B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuC;gBAE1C,SAAS,EAAE,SAAS;IAExC,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;IA+G/C;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAK9B;;;;OAIG;IACH,OAAO,CAAC,cAAc;CAUvB"}

package/dist/guards/authorization.guard.js

@@ -0,0 +1,150 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var AuthorizationGuard_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const permission_writes_decorator_1 = require("../decorators/permission-writes.decorator");
+const READ_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
+/**
+ * [ADR-004] AuthorizationGuard — guard de 4 estados portado desde Auth.
+ *
+ * Lee dos conjuntos ya resueltos del JWT (la resolución deny-wins ocurre en Auth,
+ * vía resolvePermissionEntitlements, NO aquí):
+ *   - user.permissions      = acceso pleno (write/full)
+ *   - user.permissionsView  = modo-ver (👁, solo lectura)
+ *
+ * Eje lectura/escritura (D3): por método HTTP (GET/HEAD/OPTIONS = lectura), salvo
+ * override @PermissionWrites. En lectura vale acceso pleno O modo-ver; en escritura
+ * SOLO acceso pleno (modo-ver bloquea).
+ *
+ * Doble gateo rol+permiso (D4) vía env AUTHZ_ENFORCEMENT:
+ *   - legacy (default): rol O permiso (comportamiento previo, sin cambio).
+ *   - observe: el rol decide; se loguea la discrepancia con el permiso (recolección).
+ *   - strict:  el permiso decide.
+ */
+let AuthorizationGuard = AuthorizationGuard_1 = class AuthorizationGuard {
+    constructor(reflector) {
+        this.reflector = reflector;
+        this.logger = new common_1.Logger(AuthorizationGuard_1.name);
+    }
+    canActivate(context) {
+        const requiredRoles = this.reflector.getAllAndOverride('roles', [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        const requiredPermissions = this.reflector.getAllAndOverride('permissions', [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if ((!requiredRoles || requiredRoles.length === 0) &&
+            (!requiredPermissions || requiredPermissions.length === 0)) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        const user = request.user;
+        if (!user) {
+            this.logger.warn('No user found in request context for authorization');
+            throw new common_1.ForbiddenException('Authentication required for access');
+        }
+        const userId = user.sub;
+        const userRoles = user.role || [];
+        // Dos conjuntos resueltos en la carga del JWT: permissions = acceso pleno;
+        // permissionsView = modo-ver (solo lectura). Las filas `deny` ya fueron retiradas
+        // en origen (resolvePermissionEntitlements), así que el guard no necesita conocer
+        // grant_type — la decisión es pertenencia a estos arrays.
+        const userPermissions = user.permissions || [];
+        const userPermissionsView = user.permissionsView || [];
+        let hasRole = true;
+        if (requiredRoles && requiredRoles.length > 0) {
+            hasRole = requiredRoles.some((role) => userRoles.includes(role));
+            if (!hasRole) {
+                this.logger.warn(`Role access denied: User ${userId} with roles [${userRoles.join(', ')}] attempted to access resource requiring [${requiredRoles.join(', ')}]`);
+            }
+        }
+        let hasPermissions = true;
+        if (requiredPermissions && requiredPermissions.length > 0) {
+            // Eje lectura/escritura (D3): por método HTTP, salvo override @PermissionWrites.
+            const isWrite = this.isWriteRequest(context, request.method);
+            // Lectura: vale acceso pleno O modo-ver. Escritura: SOLO acceso pleno (modo-ver bloquea).
+            const allowsCode = (permission) => isWrite
+                ? userPermissions.includes(permission)
+                : userPermissions.includes(permission) || userPermissionsView.includes(permission);
+            hasPermissions = requiredPermissions.every(allowsCode);
+            if (!hasPermissions) {
+                const missingPermissions = requiredPermissions.filter((permission) => !allowsCode(permission));
+                const viewOnlyBlocked = requiredPermissions.filter((permission) => isWrite && userPermissionsView.includes(permission) && !userPermissions.includes(permission));
+                this.logger.warn(`Permission access denied: User ${userId} (${isWrite ? 'write' : 'read'}) missing [${missingPermissions.join(', ')}]` +
+                    (viewOnlyBlocked.length ? ` — view-only on [${viewOnlyBlocked.join(', ')}] cannot write` : ''));
+            }
+        }
+        const bothPresent = requiredRoles && requiredRoles.length > 0 && requiredPermissions && requiredPermissions.length > 0;
+        let hasAccess;
+        if (bothPresent) {
+            const mode = this.resolveEnforcementMode();
+            if (mode === 'observe') {
+                if (hasRole !== hasPermissions) {
+                    this.logger.warn(`AUTHZ_DISCREPANCY user=${userId} ${request.method ?? '?'} ${request.url ?? '?'} ` +
+                        `role_decides=${hasRole} permission_would=${hasPermissions} ` +
+                        `roles=[${(requiredRoles ?? []).join(', ')}] perms=[${(requiredPermissions ?? []).join(', ')}]`);
+                }
+                hasAccess = hasRole;
+            }
+            else if (mode === 'strict') {
+                hasAccess = hasPermissions;
+            }
+            else {
+                hasAccess = hasRole || hasPermissions;
+            }
+        }
+        else {
+            // Solo uno presente → ése decide (el ausente quedó en true por defecto).
+            hasAccess = hasRole && hasPermissions;
+        }
+        if (!hasAccess) {
+            const roleMsg = requiredRoles?.length > 0 ? `roles: [${requiredRoles.join(', ')}]` : '';
+            const permMsg = requiredPermissions?.length > 0 ? `permissions: [${requiredPermissions.join(', ')}]` : '';
+            const requirements = [roleMsg, permMsg].filter(Boolean).join(' or ');
+            throw new common_1.ForbiddenException(`Access denied. Required ${requirements}`);
+        }
+        this.logger.debug(`Authorization granted: User ${userId} accessing resource with roles [${userRoles.join(', ')}] and permissions [${userPermissions.join(', ')}]`);
+        return true;
+    }
+    /**
+     * [D4] Modo de enforcement del doble gateo, vía env `AUTHZ_ENFORCEMENT`.
+     * Default 'legacy' ⇒ comportamiento previo (rol O permiso) sin cambio hasta optar in.
+     */
+    resolveEnforcementMode() {
+        const v = (process.env.AUTHZ_ENFORCEMENT ?? 'legacy').toLowerCase();
+        return v === 'observe' || v === 'strict' ? v : 'legacy';
+    }
+    /**
+     * Clasifica la petición como escritura o lectura para el eje modo-ver (D3).
+     * Override explícito @PermissionWrites(boolean) gana; si no, cae por método HTTP
+     * (GET/HEAD/OPTIONS = lectura; el resto = escritura).
+     */
+    isWriteRequest(context, method) {
+        const override = this.reflector.getAllAndOverride(permission_writes_decorator_1.PERMISSION_WRITES_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (typeof override === 'boolean') {
+            return override;
+        }
+        return !READ_METHODS.has((method ?? '').toUpperCase());
+    }
+};
+exports.AuthorizationGuard = AuthorizationGuard;
+exports.AuthorizationGuard = AuthorizationGuard = AuthorizationGuard_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [core_1.Reflector])
+], AuthorizationGuard);

package/dist/guards/index.d.ts

@@ -1,4 +1,5 @@
 export * from './jwt-auth.guard';
 export * from './roles.guard';
 export * from './permissions.guard';
+export * from './authorization.guard';
 //# sourceMappingURL=index.d.ts.map

package/dist/guards/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/guards/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/guards/index.ts"],"names":[],"mappings":"AAAA,cAAc,kBAAkB,CAAC;AACjC,cAAc,eAAe,CAAC;AAC9B,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC"}

package/dist/guards/index.js

@@ -17,3 +17,4 @@ Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./jwt-auth.guard"), exports);
 __exportStar(require("./roles.guard"), exports);
 __exportStar(require("./permissions.guard"), exports);
+__exportStar(require("./authorization.guard"), exports);

package/dist/guards/jwt-auth.guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/jwt-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAIjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAc,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAIrE;;;GAGG;AACH,qBACa,YAAa,YAAW,WAAW;IAI5C,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAE1B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAN1B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;gBAGrC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS,EAEpB,OAAO,EAAE,wBAAwB;IAG9C,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IA2E9D;;OAEG;IACH,OAAO,CAAC,sBAAsB;CAe/B"}
+{"version":3,"file":"jwt-auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/jwt-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAqD,MAAM,gBAAgB,CAAC;AAClH,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAEzD;;;GAGG;AACH,qBACa,YAAa,YAAW,WAAW;IAI5C,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,SAAS;IAE1B,OAAO,CAAC,QAAQ,CAAC,OAAO;IAN1B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;gBAGrC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS,EAEpB,OAAO,EAAE,wBAAwB;IAG9C,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IA2D9D;;OAEG;IACH,OAAO,CAAC,sBAAsB;CAY/B"}

package/dist/guards/permissions.guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permissions.guard.d.ts","sourceRoot":"","sources":["../../src/guards/permissions.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAGjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAIzC;;;;GAIG;AACH,qBACa,gBAAiB,YAAW,WAAW;IAGtC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAFtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAqC;gBAE/B,SAAS,EAAE,SAAS;IAEjD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CAwFhD"}
+{"version":3,"file":"permissions.guard.d.ts","sourceRoot":"","sources":["../../src/guards/permissions.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAA0C,MAAM,gBAAgB,CAAC;AACvG,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAGzC;;;;GAIG;AACH,qBACa,gBAAiB,YAAW,WAAW;IAGtC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAFtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAqC;gBAE/B,SAAS,EAAE,SAAS;IAEjD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CA6DhD"}

package/dist/guards/permissions.guard.js

@@ -26,9 +26,15 @@ let PermissionsGuard = PermissionsGuard_1 = class PermissionsGuard {
     }
     canActivate(context) {
         // Check for required permissions (AND logic)
-        const requiredPermissions = this.reflector.getAllAndOverride(decorators_1.PERMISSIONS_KEY, [context.getHandler(), context.getClass()]);
+        const requiredPermissions = this.reflector.getAllAndOverride(decorators_1.PERMISSIONS_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
         // Check for any permissions (OR logic)
-        const anyPermissions = this.reflector.getAllAndOverride('anyPermissions', [context.getHandler(), context.getClass()]);
+        const anyPermissions = this.reflector.getAllAndOverride('anyPermissions', [
+            context.getHandler(),
+            context.getClass(),
+        ]);
         // If no permissions are specified, allow access
         if ((!requiredPermissions || requiredPermissions.length === 0) &&
             (!anyPermissions || anyPermissions.length === 0)) {

package/dist/guards/roles.guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"roles.guard.d.ts","sourceRoot":"","sources":["../../src/guards/roles.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAGjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAIzC;;;GAGG;AACH,qBACa,UAAW,YAAW,WAAW;IAGhC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAFtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA+B;gBAEzB,SAAS,EAAE,SAAS;IAEjD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CA2ChD"}
+{"version":3,"file":"roles.guard.d.ts","sourceRoot":"","sources":["../../src/guards/roles.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAA0C,MAAM,gBAAgB,CAAC;AACvG,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAGzC;;;GAGG;AACH,qBACa,UAAW,YAAW,WAAW;IAGhC,OAAO,CAAC,QAAQ,CAAC,SAAS;IAFtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA+B;gBAEzB,SAAS,EAAE,SAAS;IAEjD,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO;CA8BhD"}

package/dist/guards/roles.guard.js

@@ -41,7 +41,7 @@ let RolesGuard = RolesGuard_1 = class RolesGuard {
         const userRoles = user.role || [];
         const hasRole = requiredRoles.some((role) => userRoles.includes(role));
         if (!hasRole) {
-            const missingRoles = requiredRoles.filter(role => !userRoles.includes(role));
+            const missingRoles = requiredRoles.filter((role) => !userRoles.includes(role));
             this.logger.warn(`Access denied: User ${user.sub} (${user.fullName}) missing required roles. ` +
                 `Required: [${requiredRoles.join(', ')}], ` +
                 `User has: [${userRoles.join(', ')}], ` +

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,WAAW,CAAC;AAG1B,cAAc,UAAU,CAAC;AAGzB,cAAc,cAAc,CAAC;AAG7B,cAAc,YAAY,CAAC;AAG3B,cAAc,cAAc,CAAC;AAG7B,cAAc,aAAa,CAAC;AAG5B,YAAY,EAAE,UAAU,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC;AAC7B,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,YAAY,EAAE,UAAU,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -14,15 +14,9 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-// Main module
 __exportStar(require("./modules"), exports);
-// Guards
 __exportStar(require("./guards"), exports);
-// Decorators
 __exportStar(require("./decorators"), exports);
-// Services
 __exportStar(require("./services"), exports);
-// Interfaces
 __exportStar(require("./interfaces"), exports);
-// Constants
 __exportStar(require("./constants"), exports);

package/dist/interfaces/index.d.ts

@@ -1,2 +1,3 @@
 export * from './jwt-payload.interface';
+export * from './permission-mode.enum';
 //# sourceMappingURL=index.d.ts.map

package/dist/interfaces/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/interfaces/index.ts"],"names":[],"mappings":"AAAA,cAAc,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/interfaces/index.ts"],"names":[],"mappings":"AAAA,cAAc,yBAAyB,CAAC;AACxC,cAAc,wBAAwB,CAAC"}

package/dist/interfaces/index.js

@@ -15,3 +15,4 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./jwt-payload.interface"), exports);
+__exportStar(require("./permission-mode.enum"), exports);

package/dist/interfaces/jwt-payload.interface.d.ts

@@ -1,5 +1,24 @@
 /**
- * JWT Payload interface for ContractX authentication system
+ * jwt-payload.interface.ts
+ * ------------------------------------------------------------------------
+ * Interfaces de autenticación del paquete permissions-contractx.
+ *
+ * [ADR-004 Fase 2 — Porte] JwtPayload portado IDÉNTICO al de Auth
+ * (Contractos-Autenticacion/src/common/interfaces/jwt-payload.interface.ts),
+ * para que el paquete refleje la verdad del token que emite Auth. Cambios
+ * frente a la versión 1.0.x del paquete:
+ *   - AÑADIDO  permissionsView?: string[]   (modo-ver 👁, solo lectura)
+ *   - AÑADIDO  providerId?, tenantContext?, key_client?
+ *   - CAMBIO   clientId: string  ->  string[]   (el token real trae array;
+ *              los consumidores ya lo manejan defensivamente)
+ *   - CAMBIO   index signature: [key: string]: any  ->  unknown
+ *
+ * Las otras 3 interfaces (AuthenticatedRequest, JwtAuthConfig,
+ * PermissionsModuleOptions) se conservan SIN cambios respecto a 1.0.x.
+ * ------------------------------------------------------------------------
+ */
+/**
+ * JWT Payload de ContractX. Refleja exactamente el token emitido por Auth.
  */
 export interface JwtPayload {
     /** User ID */
@@ -8,14 +27,29 @@ export interface JwtPayload {
     id?: string;
     /** User roles array */
     role: string[];
-    /** User permissions array */
+    /** Permisos con acceso pleno (escritura + lectura) */
     permissions: string[];
+    /**
+     * [ADR-004 Fase 2 / Bloque 1] Códigos en modo-ver (👁): solo lectura. Aditivo y
+     * backward-compatible — consumidores que solo leen `permissions` (acceso pleno)
+     * no se afectan. El AuthorizationGuard usa este conjunto para bloquear escrituras.
+     */
+    permissionsView?: string[];
     /** User's full name */
     fullName: string;
     /** User's email */
     email?: string;
-    /** Client organization ID */
-    clientId?: string;
+    /**
+     * IDs de cliente/tenant del usuario. ARRAY (el token real puede traer varios).
+     * Cambió de `string` a `string[]` en el porte ADR-004 para reflejar el token.
+     */
+    clientId?: string[];
+    /** ID de proveedor (lado proveedor) */
+    providerId?: string;
+    /** Contexto de tenant resuelto */
+    tenantContext?: 'client' | 'provider' | 'system';
+    /** Identificador primario de tenant para selección de schema */
+    key_client?: string[];
     /** Session ID for tracking */
     sessionId?: string;
     /** Token issued at timestamp */
@@ -26,17 +60,19 @@ export interface JwtPayload {
     iss?: string;
     /** Token audience */
     aud?: string;
-    /** Additional custom properties */
-    [key: string]: any;
+    /** Propiedades adicionales (tipadas como unknown: exigen comprobación antes de usar) */
+    [key: string]: unknown;
 }
 /**
- * Extended request interface with authenticated user
+ * Extended request interface with authenticated user.
+ * (Conservada sin cambios respecto a 1.0.x.)
  */
 export interface AuthenticatedRequest extends Request {
     user: JwtPayload;
 }
 /**
- * Configuration options for JWT authentication
+ * Configuration options for JWT authentication.
+ * (Conservada sin cambios respecto a 1.0.x.)
  */
 export interface JwtAuthConfig {
     /** JWT secret key */
@@ -57,7 +93,8 @@ export interface JwtAuthConfig {
     ignoreExpiration?: boolean;
 }
 /**
- * Module configuration options
+ * Module configuration options.
+ * (Conservada sin cambios respecto a 1.0.x.)
  */
 export interface PermissionsModuleOptions {
     /** JWT configuration */

package/dist/interfaces/jwt-payload.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-payload.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/jwt-payload.interface.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,cAAc;IACd,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IAErB,gCAAgC;IAChC,EAAE,CAAC,EAAE,MAAM,CAAC;IAEZ,uBAAuB;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;IAEf,6BAA6B;IAC7B,WAAW,EAAE,MAAM,EAAE,CAAC;IAEtB,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IAEjB,mBAAmB;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,6BAA6B;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8BAA8B;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,gCAAgC;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,mBAAmB;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,qBAAqB;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,mCAAmC;IACnC,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,EAAE,UAAU,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,qBAAqB;IACrB,MAAM,EAAE,MAAM,CAAC;IAEf,mBAAmB;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,qBAAqB;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,2BAA2B;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,wCAAwC;IACxC,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,wBAAwB;IACxB,GAAG,EAAE,aAAa,CAAC;IAEnB,kCAAkC;IAClC,MAAM,CAAC,EAAE;QACP,0CAA0C;QAC1C,gBAAgB,CAAC,EAAE,OAAO,CAAC;QAE3B,iCAAiC;QACjC,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,uCAAuC;QACvC,uBAAuB,CAAC,EAAE,OAAO,CAAC;KACnC,CAAC;IAEF,6BAA6B;IAC7B,QAAQ,CAAC,EAAE;QACT,6BAA6B;QAC7B,aAAa,CAAC,EAAE,OAAO,CAAC;QAExB,2BAA2B;QAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;QAE1B,wCAAwC;QACxC,eAAe,CAAC,EAAE,MAAM,CAAC;QAEzB,kCAAkC;QAClC,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IAEF,gCAAgC;IAChC,WAAW,CAAC,EAAE;QACZ,4CAA4C;QAC5C,WAAW,CAAC,EAAE,OAAO,CAAC;QAEtB,gCAAgC;QAChC,QAAQ,CAAC,EAAE,UAAU,CAAC;KACvB,CAAC;CACH"}
+{"version":3,"file":"jwt-payload.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/jwt-payload.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,cAAc;IACd,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IACrB,gCAAgC;IAChC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,uBAAuB;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,sDAAsD;IACtD,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,mBAAmB;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,uCAAuC;IACvC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,aAAa,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,QAAQ,CAAC;IACjD,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,8BAA8B;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wFAAwF;IACxF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,EAAE,UAAU,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,qBAAqB;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,mBAAmB;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2BAA2B;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;;GAGG;AACH,MAAM,WAAW,wBAAwB;IACvC,wBAAwB;IACxB,GAAG,EAAE,aAAa,CAAC;IACnB,kCAAkC;IAClC,MAAM,CAAC,EAAE;QACP,0CAA0C;QAC1C,gBAAgB,CAAC,EAAE,OAAO,CAAC;QAC3B,iCAAiC;QACjC,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,uCAAuC;QACvC,uBAAuB,CAAC,EAAE,OAAO,CAAC;KACnC,CAAC;IACF,6BAA6B;IAC7B,QAAQ,CAAC,EAAE;QACT,6BAA6B;QAC7B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,2BAA2B;QAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,wCAAwC;QACxC,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,kCAAkC;QAClC,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,gCAAgC;IAChC,WAAW,CAAC,EAAE;QACZ,4CAA4C;QAC5C,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,gCAAgC;QAChC,QAAQ,CAAC,EAAE,UAAU,CAAC;KACvB,CAAC;CACH"}

package/dist/interfaces/jwt-payload.interface.js

@@ -1,2 +1,21 @@
 "use strict";
+/**
+ * jwt-payload.interface.ts
+ * ------------------------------------------------------------------------
+ * Interfaces de autenticación del paquete permissions-contractx.
+ *
+ * [ADR-004 Fase 2 — Porte] JwtPayload portado IDÉNTICO al de Auth
+ * (Contractos-Autenticacion/src/common/interfaces/jwt-payload.interface.ts),
+ * para que el paquete refleje la verdad del token que emite Auth. Cambios
+ * frente a la versión 1.0.x del paquete:
+ *   - AÑADIDO  permissionsView?: string[]   (modo-ver 👁, solo lectura)
+ *   - AÑADIDO  providerId?, tenantContext?, key_client?
+ *   - CAMBIO   clientId: string  ->  string[]   (el token real trae array;
+ *              los consumidores ya lo manejan defensivamente)
+ *   - CAMBIO   index signature: [key: string]: any  ->  unknown
+ *
+ * Las otras 3 interfaces (AuthenticatedRequest, JwtAuthConfig,
+ * PermissionsModuleOptions) se conservan SIN cambios respecto a 1.0.x.
+ * ------------------------------------------------------------------------
+ */
 Object.defineProperty(exports, "__esModule", { value: true });

package/dist/interfaces/permission-mode.enum.d.ts

@@ -0,0 +1,22 @@
+/**
+ * permission-mode.enum.ts
+ * ------------------------------------------------------------------------
+ * [ADR-004 Fase 2 — Porte] Espejo IDÉNTICO del enum definido en Auth
+ * (Contractos-Autenticacion/src/modules/roles-permissions/domain/constants/
+ *  permissions.constants.ts).
+ *
+ * Modo de una asignación rol→permiso:
+ *   - WRITE: acceso pleno (lectura + escritura).
+ *   - READ:  modo-ver (👁) — solo lecturas; el AuthorizationGuard bloquea escrituras.
+ *
+ * Default WRITE ⇒ las asignaciones existentes no cambian de comportamiento.
+ *
+ * Fuente única: a futuro Auth debería importar este enum del paquete en lugar de
+ * mantener su propia copia, para no divergir. (No se toca Auth en este porte.)
+ * ------------------------------------------------------------------------
+ */
+export declare enum PermissionMode {
+    WRITE = "write",
+    READ = "read"
+}
+//# sourceMappingURL=permission-mode.enum.d.ts.map

package/dist/interfaces/permission-mode.enum.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-mode.enum.d.ts","sourceRoot":"","sources":["../../src/interfaces/permission-mode.enum.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,oBAAY,cAAc;IACxB,KAAK,UAAU;IACf,IAAI,SAAS;CACd"}

package/dist/interfaces/permission-mode.enum.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionMode = void 0;
+/**
+ * permission-mode.enum.ts
+ * ------------------------------------------------------------------------
+ * [ADR-004 Fase 2 — Porte] Espejo IDÉNTICO del enum definido en Auth
+ * (Contractos-Autenticacion/src/modules/roles-permissions/domain/constants/
+ *  permissions.constants.ts).
+ *
+ * Modo de una asignación rol→permiso:
+ *   - WRITE: acceso pleno (lectura + escritura).
+ *   - READ:  modo-ver (👁) — solo lecturas; el AuthorizationGuard bloquea escrituras.
+ *
+ * Default WRITE ⇒ las asignaciones existentes no cambian de comportamiento.
+ *
+ * Fuente única: a futuro Auth debería importar este enum del paquete en lugar de
+ * mantener su propia copia, para no divergir. (No se toca Auth en este porte.)
+ * ------------------------------------------------------------------------
+ */
+var PermissionMode;
+(function (PermissionMode) {
+    PermissionMode["WRITE"] = "write";
+    PermissionMode["READ"] = "read";
+})(PermissionMode || (exports.PermissionMode = PermissionMode = {}));

package/dist/modules/permissions-contractx.module.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permissions-contractx.module.d.ts","sourceRoot":"","sources":["../../src/modules/permissions-contractx.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,aAAa,EAAU,MAAM,gBAAgB,CAAC;AAK/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AASzD;;;GAGG;AACH,qBAKa,0BAA0B;IACrC;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,wBAAwB,GAAG,aAAa;IAsEjE;;;;;OAKG;IACH,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE;QAC5B,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;QAChB,UAAU,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,wBAAwB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC7F,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC;KAChB,GAAG,aAAa;IAgEjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,IAAI,aAAa;CA2BhC"}
+{"version":3,"file":"permissions-contractx.module.d.ts","sourceRoot":"","sources":["../../src/modules/permissions-contractx.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAkB,MAAM,gBAAgB,CAAC;AAO/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAEzD;;;GAGG;AACH,qBAKa,0BAA0B;IACrC;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,wBAAwB,GAAG,aAAa;IAwEjE;;;;;OAKG;IACH,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE;QAC5B,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;QAChB,UAAU,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,wBAAwB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC7F,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC;KAChB,GAAG,aAAa;IAgEjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,IAAI,aAAa;CA2BhC"}

package/dist/modules/permissions-contractx.module.js

@@ -34,7 +34,9 @@ let PermissionsContractXModule = PermissionsContractXModule_1 = class Permission
                 jwt_1.JwtModule.register({
                     secret: options.jwt.secret,
                     signOptions: {
-                        expiresIn: options.jwt.expiresIn || '15m',
+                        // [PASO 3] cast: @nestjs/jwt v11 tipa expiresIn como number|StringValue (más estricto
+                        // que la versión original). El paquete nuevo fijará la versión; cast para verificación.
+                        expiresIn: (options.jwt.expiresIn || '15m'),
                         issuer: options.jwt.issuer,
                         audience: options.jwt.audience,
                     },
@@ -113,7 +115,7 @@ let PermissionsContractXModule = PermissionsContractXModule_1 = class Permission
                         return {
                             secret: moduleOptions.jwt.secret,
                             signOptions: {
-                                expiresIn: moduleOptions.jwt.expiresIn || '15m',
+                                expiresIn: (moduleOptions.jwt.expiresIn || '15m'),
                                 issuer: moduleOptions.jwt.issuer,
                                 audience: moduleOptions.jwt.audience,
                             },