permissions-contractx 1.0.2 → 1.2.0

package/dist/guards/roles.guard.js

@@ -41,7 +41,7 @@ let RolesGuard = RolesGuard_1 = class RolesGuard {
         const userRoles = user.role || [];
         const hasRole = requiredRoles.some((role) => userRoles.includes(role));
         if (!hasRole) {
-            const missingRoles = requiredRoles.filter(role => !userRoles.includes(role));
+            const missingRoles = requiredRoles.filter((role) => !userRoles.includes(role));
             this.logger.warn(`Access denied: User ${user.sub} (${user.fullName}) missing required roles. ` +
                 `Required: [${requiredRoles.join(', ')}], ` +
                 `User has: [${userRoles.join(', ')}], ` +

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,WAAW,CAAC;AAG1B,cAAc,UAAU,CAAC;AAGzB,cAAc,cAAc,CAAC;AAG7B,cAAc,YAAY,CAAC;AAG3B,cAAc,cAAc,CAAC;AAG7B,cAAc,aAAa,CAAC;AAG5B,YAAY,EAAE,UAAU,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC;AAC7B,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,YAAY,EAAE,UAAU,EAAE,oBAAoB,EAAE,wBAAwB,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -14,15 +14,9 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-// Main module
 __exportStar(require("./modules"), exports);
-// Guards
 __exportStar(require("./guards"), exports);
-// Decorators
 __exportStar(require("./decorators"), exports);
-// Services
 __exportStar(require("./services"), exports);
-// Interfaces
 __exportStar(require("./interfaces"), exports);
-// Constants
 __exportStar(require("./constants"), exports);

package/dist/interfaces/index.d.ts

@@ -1,2 +1,3 @@
 export * from './jwt-payload.interface';
+export * from './permission-mode.enum';
 //# sourceMappingURL=index.d.ts.map

package/dist/interfaces/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/interfaces/index.ts"],"names":[],"mappings":"AAAA,cAAc,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/interfaces/index.ts"],"names":[],"mappings":"AAAA,cAAc,yBAAyB,CAAC;AACxC,cAAc,wBAAwB,CAAC"}

package/dist/interfaces/index.js

@@ -15,3 +15,4 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./jwt-payload.interface"), exports);
+__exportStar(require("./permission-mode.enum"), exports);

package/dist/interfaces/jwt-payload.interface.d.ts

@@ -1,5 +1,24 @@
 /**
- * JWT Payload interface for ContractX authentication system
+ * jwt-payload.interface.ts
+ * ------------------------------------------------------------------------
+ * Interfaces de autenticación del paquete permissions-contractx.
+ *
+ * [ADR-004 Fase 2 — Porte] JwtPayload portado IDÉNTICO al de Auth
+ * (Contractos-Autenticacion/src/common/interfaces/jwt-payload.interface.ts),
+ * para que el paquete refleje la verdad del token que emite Auth. Cambios
+ * frente a la versión 1.0.x del paquete:
+ *   - AÑADIDO  permissionsView?: string[]   (modo-ver 👁, solo lectura)
+ *   - AÑADIDO  providerId?, tenantContext?, key_client?
+ *   - CAMBIO   clientId: string  ->  string[]   (el token real trae array;
+ *              los consumidores ya lo manejan defensivamente)
+ *   - CAMBIO   index signature: [key: string]: any  ->  unknown
+ *
+ * Las otras 3 interfaces (AuthenticatedRequest, JwtAuthConfig,
+ * PermissionsModuleOptions) se conservan SIN cambios respecto a 1.0.x.
+ * ------------------------------------------------------------------------
+ */
+/**
+ * JWT Payload de ContractX. Refleja exactamente el token emitido por Auth.
  */
 export interface JwtPayload {
     /** User ID */
@@ -8,14 +27,29 @@ export interface JwtPayload {
     id?: string;
     /** User roles array */
     role: string[];
-    /** User permissions array */
+    /** Permisos con acceso pleno (escritura + lectura) */
     permissions: string[];
+    /**
+     * [ADR-004 Fase 2 / Bloque 1] Códigos en modo-ver (👁): solo lectura. Aditivo y
+     * backward-compatible — consumidores que solo leen `permissions` (acceso pleno)
+     * no se afectan. El AuthorizationGuard usa este conjunto para bloquear escrituras.
+     */
+    permissionsView?: string[];
     /** User's full name */
     fullName: string;
     /** User's email */
     email?: string;
-    /** Client organization ID */
-    clientId?: string;
+    /**
+     * IDs de cliente/tenant del usuario. ARRAY (el token real puede traer varios).
+     * Cambió de `string` a `string[]` en el porte ADR-004 para reflejar el token.
+     */
+    clientId?: string[];
+    /** ID de proveedor (lado proveedor) */
+    providerId?: string;
+    /** Contexto de tenant resuelto */
+    tenantContext?: 'client' | 'provider' | 'system';
+    /** Identificador primario de tenant para selección de schema */
+    key_client?: string[];
     /** Session ID for tracking */
     sessionId?: string;
     /** Token issued at timestamp */
@@ -26,17 +60,19 @@ export interface JwtPayload {
     iss?: string;
     /** Token audience */
     aud?: string;
-    /** Additional custom properties */
-    [key: string]: any;
+    /** Propiedades adicionales (tipadas como unknown: exigen comprobación antes de usar) */
+    [key: string]: unknown;
 }
 /**
- * Extended request interface with authenticated user
+ * Extended request interface with authenticated user.
+ * (Conservada sin cambios respecto a 1.0.x.)
  */
 export interface AuthenticatedRequest extends Request {
     user: JwtPayload;
 }
 /**
- * Configuration options for JWT authentication
+ * Configuration options for JWT authentication.
+ * (Conservada sin cambios respecto a 1.0.x.)
  */
 export interface JwtAuthConfig {
     /** JWT secret key */
@@ -57,7 +93,8 @@ export interface JwtAuthConfig {
     ignoreExpiration?: boolean;
 }
 /**
- * Module configuration options
+ * Module configuration options.
+ * (Conservada sin cambios respecto a 1.0.x.)
  */
 export interface PermissionsModuleOptions {
     /** JWT configuration */

package/dist/interfaces/jwt-payload.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-payload.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/jwt-payload.interface.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,cAAc;IACd,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IAErB,gCAAgC;IAChC,EAAE,CAAC,EAAE,MAAM,CAAC;IAEZ,uBAAuB;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;IAEf,6BAA6B;IAC7B,WAAW,EAAE,MAAM,EAAE,CAAC;IAEtB,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IAEjB,mBAAmB;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,6BAA6B;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,8BAA8B;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,gCAAgC;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,mBAAmB;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,qBAAqB;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,mCAAmC;IACnC,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,EAAE,UAAU,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,qBAAqB;IACrB,MAAM,EAAE,MAAM,CAAC;IAEf,mBAAmB;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,qBAAqB;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,2BAA2B;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,wCAAwC;IACxC,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,wBAAwB;IACxB,GAAG,EAAE,aAAa,CAAC;IAEnB,kCAAkC;IAClC,MAAM,CAAC,EAAE;QACP,0CAA0C;QAC1C,gBAAgB,CAAC,EAAE,OAAO,CAAC;QAE3B,iCAAiC;QACjC,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,uCAAuC;QACvC,uBAAuB,CAAC,EAAE,OAAO,CAAC;KACnC,CAAC;IAEF,6BAA6B;IAC7B,QAAQ,CAAC,EAAE;QACT,6BAA6B;QAC7B,aAAa,CAAC,EAAE,OAAO,CAAC;QAExB,2BAA2B;QAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;QAE1B,wCAAwC;QACxC,eAAe,CAAC,EAAE,MAAM,CAAC;QAEzB,kCAAkC;QAClC,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IAEF,gCAAgC;IAChC,WAAW,CAAC,EAAE;QACZ,4CAA4C;QAC5C,WAAW,CAAC,EAAE,OAAO,CAAC;QAEtB,gCAAgC;QAChC,QAAQ,CAAC,EAAE,UAAU,CAAC;KACvB,CAAC;CACH"}
+{"version":3,"file":"jwt-payload.interface.d.ts","sourceRoot":"","sources":["../../src/interfaces/jwt-payload.interface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,cAAc;IACd,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IACrB,gCAAgC;IAChC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,uBAAuB;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,sDAAsD;IACtD,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,mBAAmB;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,uCAAuC;IACvC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kCAAkC;IAClC,aAAa,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,QAAQ,CAAC;IACjD,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,8BAA8B;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,wFAAwF;IACxF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,IAAI,EAAE,UAAU,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,qBAAqB;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,mBAAmB;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,4BAA4B;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2BAA2B;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oCAAoC;IACpC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2CAA2C;IAC3C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;;GAGG;AACH,MAAM,WAAW,wBAAwB;IACvC,wBAAwB;IACxB,GAAG,EAAE,aAAa,CAAC;IACnB,kCAAkC;IAClC,MAAM,CAAC,EAAE;QACP,0CAA0C;QAC1C,gBAAgB,CAAC,EAAE,OAAO,CAAC;QAC3B,iCAAiC;QACjC,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,uCAAuC;QACvC,uBAAuB,CAAC,EAAE,OAAO,CAAC;KACnC,CAAC;IACF,6BAA6B;IAC7B,QAAQ,CAAC,EAAE;QACT,6BAA6B;QAC7B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,2BAA2B;QAC3B,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,wCAAwC;QACxC,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,kCAAkC;QAClC,YAAY,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,gCAAgC;IAChC,WAAW,CAAC,EAAE;QACZ,4CAA4C;QAC5C,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,gCAAgC;QAChC,QAAQ,CAAC,EAAE,UAAU,CAAC;KACvB,CAAC;CACH"}

package/dist/interfaces/jwt-payload.interface.js

@@ -1,2 +1,21 @@
 "use strict";
+/**
+ * jwt-payload.interface.ts
+ * ------------------------------------------------------------------------
+ * Interfaces de autenticación del paquete permissions-contractx.
+ *
+ * [ADR-004 Fase 2 — Porte] JwtPayload portado IDÉNTICO al de Auth
+ * (Contractos-Autenticacion/src/common/interfaces/jwt-payload.interface.ts),
+ * para que el paquete refleje la verdad del token que emite Auth. Cambios
+ * frente a la versión 1.0.x del paquete:
+ *   - AÑADIDO  permissionsView?: string[]   (modo-ver 👁, solo lectura)
+ *   - AÑADIDO  providerId?, tenantContext?, key_client?
+ *   - CAMBIO   clientId: string  ->  string[]   (el token real trae array;
+ *              los consumidores ya lo manejan defensivamente)
+ *   - CAMBIO   index signature: [key: string]: any  ->  unknown
+ *
+ * Las otras 3 interfaces (AuthenticatedRequest, JwtAuthConfig,
+ * PermissionsModuleOptions) se conservan SIN cambios respecto a 1.0.x.
+ * ------------------------------------------------------------------------
+ */
 Object.defineProperty(exports, "__esModule", { value: true });

package/dist/interfaces/permission-mode.enum.d.ts

@@ -0,0 +1,22 @@
+/**
+ * permission-mode.enum.ts
+ * ------------------------------------------------------------------------
+ * [ADR-004 Fase 2 — Porte] Espejo IDÉNTICO del enum definido en Auth
+ * (Contractos-Autenticacion/src/modules/roles-permissions/domain/constants/
+ *  permissions.constants.ts).
+ *
+ * Modo de una asignación rol→permiso:
+ *   - WRITE: acceso pleno (lectura + escritura).
+ *   - READ:  modo-ver (👁) — solo lecturas; el AuthorizationGuard bloquea escrituras.
+ *
+ * Default WRITE ⇒ las asignaciones existentes no cambian de comportamiento.
+ *
+ * Fuente única: a futuro Auth debería importar este enum del paquete en lugar de
+ * mantener su propia copia, para no divergir. (No se toca Auth en este porte.)
+ * ------------------------------------------------------------------------
+ */
+export declare enum PermissionMode {
+    WRITE = "write",
+    READ = "read"
+}
+//# sourceMappingURL=permission-mode.enum.d.ts.map

package/dist/interfaces/permission-mode.enum.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-mode.enum.d.ts","sourceRoot":"","sources":["../../src/interfaces/permission-mode.enum.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,oBAAY,cAAc;IACxB,KAAK,UAAU;IACf,IAAI,SAAS;CACd"}

package/dist/interfaces/permission-mode.enum.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionMode = void 0;
+/**
+ * permission-mode.enum.ts
+ * ------------------------------------------------------------------------
+ * [ADR-004 Fase 2 — Porte] Espejo IDÉNTICO del enum definido en Auth
+ * (Contractos-Autenticacion/src/modules/roles-permissions/domain/constants/
+ *  permissions.constants.ts).
+ *
+ * Modo de una asignación rol→permiso:
+ *   - WRITE: acceso pleno (lectura + escritura).
+ *   - READ:  modo-ver (👁) — solo lecturas; el AuthorizationGuard bloquea escrituras.
+ *
+ * Default WRITE ⇒ las asignaciones existentes no cambian de comportamiento.
+ *
+ * Fuente única: a futuro Auth debería importar este enum del paquete en lugar de
+ * mantener su propia copia, para no divergir. (No se toca Auth en este porte.)
+ * ------------------------------------------------------------------------
+ */
+var PermissionMode;
+(function (PermissionMode) {
+    PermissionMode["WRITE"] = "write";
+    PermissionMode["READ"] = "read";
+})(PermissionMode || (exports.PermissionMode = PermissionMode = {}));

package/dist/modules/permissions-contractx.module.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permissions-contractx.module.d.ts","sourceRoot":"","sources":["../../src/modules/permissions-contractx.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAU,aAAa,EAAU,MAAM,gBAAgB,CAAC;AAK/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AASzD;;;GAGG;AACH,qBAKa,0BAA0B;IACrC;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,wBAAwB,GAAG,aAAa;IAsEjE;;;;;OAKG;IACH,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE;QAC5B,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;QAChB,UAAU,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,wBAAwB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC7F,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC;KAChB,GAAG,aAAa;IAgEjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,IAAI,aAAa;CA2BhC"}
+{"version":3,"file":"permissions-contractx.module.d.ts","sourceRoot":"","sources":["../../src/modules/permissions-contractx.module.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAkB,MAAM,gBAAgB,CAAC;AAO/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAEzD;;;GAGG;AACH,qBAKa,0BAA0B;IACrC;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,wBAAwB,GAAG,aAAa;IAwEjE;;;;;OAKG;IACH,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE;QAC5B,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;QAChB,UAAU,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,wBAAwB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC7F,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC;KAChB,GAAG,aAAa;IAgEjB;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,OAAO,IAAI,aAAa;CA2BhC"}

package/dist/modules/permissions-contractx.module.js

@@ -34,7 +34,9 @@ let PermissionsContractXModule = PermissionsContractXModule_1 = class Permission
                 jwt_1.JwtModule.register({
                     secret: options.jwt.secret,
                     signOptions: {
-                        expiresIn: options.jwt.expiresIn || '15m',
+                        // [PASO 3] cast: @nestjs/jwt v11 tipa expiresIn como number|StringValue (más estricto
+                        // que la versión original). El paquete nuevo fijará la versión; cast para verificación.
+                        expiresIn: (options.jwt.expiresIn || '15m'),
                         issuer: options.jwt.issuer,
                         audience: options.jwt.audience,
                     },
@@ -113,7 +115,7 @@ let PermissionsContractXModule = PermissionsContractXModule_1 = class Permission
                         return {
                             secret: moduleOptions.jwt.secret,
                             signOptions: {
-                                expiresIn: moduleOptions.jwt.expiresIn || '15m',
+                                expiresIn: (moduleOptions.jwt.expiresIn || '15m'),
                                 issuer: moduleOptions.jwt.issuer,
                                 audience: moduleOptions.jwt.audience,
                             },

package/dist/services/contractx-authorization.service.d.ts

@@ -1,4 +1,4 @@
-import { ContractXValidationService, ValidationResult } from './contractx-validation.service';
+import { ContractXValidationService } from './contractx-validation.service';
 export interface AuthorizationContext {
     userRoles: string[];
     userPermissions: string[];
@@ -29,79 +29,250 @@ export declare class ContractXAuthorizationService {
     /**
      * Authorize a user for a specific action on a resource
      */
-    authorize(context: AuthorizationContext): AuthorizationResult;
+    authorize(context: any): {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            requiredPermission: string;
+            wildcardPermission?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            wildcardPermission: string;
+            requiredPermission?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata?: undefined;
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            roleValidation: {
+                roleInfos: any[];
+                tenantCount: number;
+            };
+            permissionValidation: {
+                moduleCount: number;
+                actionCount: number;
+                modules: any[];
+                actions: any[];
+            };
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            systemRole: boolean;
+            hasModuleAccess?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            hasModuleAccess: boolean;
+            systemRole?: undefined;
+        };
+    };
     /**
      * Check if user has system-level access
      */
-    private hasSystemLevelAccess;
+    hasSystemLevelAccess(userRoles: any): any;
     /**
      * Check role-based access for a resource and action
      */
-    private checkRoleBasedAccess;
+    checkRoleBasedAccess(userRoles: any, resource: any, action: any): {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            requiredPermission: string;
+            effectivePermissions: number;
+            wildcardPermission?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            wildcardPermission: string;
+            requiredPermission?: undefined;
+            effectivePermissions?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata?: undefined;
+    };
     /**
      * Check permission-based access for a resource and action
      */
-    private checkPermissionBasedAccess;
+    checkPermissionBasedAccess(userPermissions: any, resource: any, action: any): {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            requiredPermission: string;
+            wildcardPermission?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            wildcardPermission: string;
+            requiredPermission?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata?: undefined;
+    };
     /**
      * Check if user has any access to a module
      */
-    private checkModuleAccess;
+    checkModuleAccess(userPermissions: any, module: any): any;
     /**
      * Generate an access matrix for the user
      */
-    generateAccessMatrix(context: AuthorizationContext): AccessMatrix;
+    generateAccessMatrix(context: any): {
+        hasSystemAccess: any;
+        hasClientAccess: any;
+        hasProviderAccess: any;
+        hasAdminAccess: any;
+        accessibleModules: unknown[];
+        highestRoleLevel: number;
+        effectivePermissions: any[];
+    };
     /**
      * Check if user can access a specific tenant
      */
-    canAccessTenant(userRoles: string[], tenantType: 'client' | 'provider'): boolean;
+    canAccessTenant(userRoles: any, tenantType: any): any;
     /**
      * Get user's accessible tenant types
      */
-    getAccessibleTenants(userRoles: string[]): ('client' | 'provider' | 'system')[];
+    getAccessibleTenants(userRoles: any): unknown[];
     /**
      * Filter resources based on user permissions
      */
-    filterAccessibleResources(userPermissions: string[], resources: string[], requiredAction?: string): string[];
+    filterAccessibleResources(userPermissions: any, resources: any, requiredAction?: string): any;
     /**
      * Get user's permissions for a specific module
      */
-    getModulePermissions(userPermissions: string[], module: string): string[];
+    getModulePermissions(userPermissions: any, module: any): any;
     /**
      * Check if user has administrative access to a resource
      */
-    hasAdministrativeAccess(userRoles: string[], _resource?: string): boolean;
+    hasAdministrativeAccess(userRoles: any, _resource: any): any;
     /**
      * Validate user context for multi-tenant environment
      */
-    validateMultiTenantAccess(context: AuthorizationContext): ValidationResult;
+    validateMultiTenantAccess(context: any): {
+        isValid: boolean;
+        errors: any[];
+        warnings: any[];
+    };
     /**
      * Get permission summary for logging/audit purposes
      */
-    getPermissionSummary(context: AuthorizationContext): Record<string, any>;
+    getPermissionSummary(context: any): {
+        userId: any;
+        roles: any;
+        permissionCount: any;
+        effectivePermissionCount: number;
+        accessLevel: number;
+        tenants: unknown[];
+        modules: unknown[];
+        hasSystemAccess: any;
+        hasAdminAccess: any;
+    };
     /**
      * Check if authorization is required for a resource
      */
-    isAuthorizationRequired(resource: string, action: string): boolean;
+    isAuthorizationRequired(resource: any, action: any): boolean;
     /**
      * Get minimum required role for a resource/action combination
      */
-    getMinimumRequiredRole(resource: string, action: string): string[];
+    getMinimumRequiredRole(resource: any, action: any): any;
     /**
      * Check permission for a user (simpler interface for admin service)
      */
-    checkPermission(user: {
-        role: string[];
-        permissions: string[];
-    }, permission: string, context?: {
-        tenantId?: string;
-        resourceId?: string;
-    }): AuthorizationResult;
+    checkPermission(user: any, permission: any, context: any): {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            requiredPermission: string;
+            wildcardPermission?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            wildcardPermission: string;
+            requiredPermission?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata?: undefined;
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            roleValidation: {
+                roleInfos: any[];
+                tenantCount: number;
+            };
+            permissionValidation: {
+                moduleCount: number;
+                actionCount: number;
+                modules: any[];
+                actions: any[];
+            };
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            systemRole: boolean;
+            hasModuleAccess?: undefined;
+        };
+    } | {
+        granted: boolean;
+        reason: string;
+        level: string;
+        metadata: {
+            hasModuleAccess: boolean;
+            systemRole?: undefined;
+        };
+    };
     /**
      * Generate access matrix for a user object (simpler interface)
      */
-    generateAccessMatrixForUser(user: {
-        role: string[];
-        permissions: string[];
-    }): AccessMatrix;
+    generateAccessMatrixForUser(user: any): {
+        hasSystemAccess: any;
+        hasClientAccess: any;
+        hasProviderAccess: any;
+        hasAdminAccess: any;
+        accessibleModules: unknown[];
+        highestRoleLevel: number;
+        effectivePermissions: any[];
+    };
 }
 //# sourceMappingURL=contractx-authorization.service.d.ts.map

package/dist/services/contractx-authorization.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"contractx-authorization.service.d.ts","sourceRoot":"","sources":["../../src/services/contractx-authorization.service.ts"],"names":[],"mappings":"AACA,OAAO,EACL,0BAA0B,EAC1B,gBAAgB,EACjB,MAAM,gCAAgC,CAAC;AAgBxC,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,QAAQ,GAAG,UAAU,CAAC;IACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAC;IACnD,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAChC;AAED,MAAM,WAAW,YAAY;IAC3B,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,gBAAgB,EAAE,MAAM,CAAC;IACzB,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED,qBACa,6BAA6B;IAE5B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;gBAAjB,iBAAiB,EAAE,0BAA0B;IAE1E;;OAEG;IACH,SAAS,CAAC,OAAO,EAAE,oBAAoB,GAAG,mBAAmB;IA4E7D;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAQ5B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAkClC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAIzB;;OAEG;IACH,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,YAAY;IAgCjE;;OAEG;IACH,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,QAAQ,GAAG,UAAU,GAAG,OAAO;IAchF;;OAEG;IACH,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC,QAAQ,GAAG,UAAU,GAAG,QAAQ,CAAC,EAAE;IAmB/E;;OAEG;IACH,yBAAyB,CACvB,eAAe,EAAE,MAAM,EAAE,EACzB,SAAS,EAAE,MAAM,EAAE,EACnB,cAAc,GAAE,MAAe,GAC9B,MAAM,EAAE;IAOX;;OAEG;IACH,oBAAoB,CAAC,eAAe,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE;IAUzE;;OAEG;IACH,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO;IAezE;;OAEG;IACH,yBAAyB,CAAC,OAAO,EAAE,oBAAoB,GAAG,gBAAgB;IA6B1E;;OAEG;IACH,oBAAoB,CAAC,OAAO,EAAE,oBAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;IAiBxE;;OAEG;IACH,uBAAuB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO;IAYlE;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE;IAoBlE;;OAEG;IACH,eAAe,CACb,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAAC,WAAW,EAAE,MAAM,EAAE,CAAA;KAAE,EAC/C,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,GACnD,mBAAmB;IAetB;;OAEG;IACH,2BAA2B,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QAAC,WAAW,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,YAAY;CAQ3F"}
+{"version":3,"file":"contractx-authorization.service.d.ts","sourceRoot":"","sources":["../../src/services/contractx-authorization.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,0BAA0B,EAAE,MAAM,gCAAgC,CAAC;AAM5E,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,QAAQ,GAAG,UAAU,CAAC;IACnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AACD,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAC;IACnD,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAChC;AACD,MAAM,WAAW,YAAY;IAC3B,eAAe,EAAE,OAAO,CAAC;IACzB,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,cAAc,EAAE,OAAO,CAAC;IACxB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,gBAAgB,EAAE,MAAM,CAAC;IACzB,oBAAoB,EAAE,MAAM,EAAE,CAAC;CAChC;AAED,qBACa,6BAA6B;IAC1B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;gBAAjB,iBAAiB,EAAE,0BAA0B;IAG1E;;OAEG;IACH,SAAS,CAAC,OAAO,KAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA+DjB;;OAEG;IACH,oBAAoB,CAAC,SAAS,KAAA;IAK9B;;OAEG;IACH,oBAAoB,CAAC,SAAS,KAAA,EAAE,QAAQ,KAAA,EAAE,MAAM,KAAA;;;;;;;;;;;;;;;;;;;;;;;;IA6BhD;;OAEG;IACH,0BAA0B,CAAC,eAAe,KAAA,EAAE,QAAQ,KAAA,EAAE,MAAM,KAAA;;;;;;;;;;;;;;;;;;;;;;IA0B5D;;OAEG;IACH,iBAAiB,CAAC,eAAe,KAAA,EAAE,MAAM,KAAA;IAGzC;;OAEG;IACH,oBAAoB,CAAC,OAAO,KAAA;;;;;;;;;IA0B5B;;OAEG;IACH,eAAe,CAAC,SAAS,KAAA,EAAE,UAAU,KAAA;IAarC;;OAEG;IACH,oBAAoB,CAAC,SAAS,KAAA;IAiB9B;;OAEG;IACH,yBAAyB,CAAC,eAAe,KAAA,EAAE,SAAS,KAAA,EAAE,cAAc,SAAS;IAI7E;;OAEG;IACH,oBAAoB,CAAC,eAAe,KAAA,EAAE,MAAM,KAAA;IAS5C;;OAEG;IACH,uBAAuB,CAAC,SAAS,KAAA,EAAE,SAAS,KAAA;IAY5C;;OAEG;IACH,yBAAyB,CAAC,OAAO,KAAA;;;;;IAwBjC;;OAEG;IACH,oBAAoB,CAAC,OAAO,KAAA;;;;;;;;;;;IAe5B;;OAEG;IACH,uBAAuB,CAAC,QAAQ,KAAA,EAAE,MAAM,KAAA;IASxC;;OAEG;IACH,sBAAsB,CAAC,QAAQ,KAAA,EAAE,MAAM,KAAA;IAkBvC;;OAEG;IACH,eAAe,CAAC,IAAI,KAAA,EAAE,UAAU,KAAA,EAAE,OAAO,KAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAYzC;;OAEG;IACH,2BAA2B,CAAC,IAAI,KAAA;;;;;;;;;CAOnC"}

package/dist/services/contractx-authorization.service.js

@@ -17,6 +17,7 @@ const contractx_permissions_constants_1 = require("../constants/contractx-permis
 let ContractXAuthorizationService = class ContractXAuthorizationService {
     constructor(validationService) {
         this.validationService = validationService;
+        this.validationService = validationService;
     }
     /**
      * Authorize a user for a specific action on a resource
@@ -367,3 +368,4 @@ exports.ContractXAuthorizationService = ContractXAuthorizationService = __decora
     (0, common_1.Injectable)(),
     __metadata("design:paramtypes", [contractx_validation_service_1.ContractXValidationService])
 ], ContractXAuthorizationService);
+;