pi-kiosk-shared 2.1.59 → 2.1.60
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1,9 +1,12 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Shared capability bridge rules — single source for client JWT fallback checks.
|
|
3
3
|
* Server uses the same helpers from pi-kiosk-shared in PermissionInheritanceResolver.
|
|
4
|
+
* Forward-only: legacy → canonical; never canonical view → manage cluster.
|
|
4
5
|
*/
|
|
5
6
|
export declare const ADMIN_USERS_MANAGE_BRIDGE_SOURCES: readonly string[];
|
|
6
7
|
export declare const ADMIN_USERS_MANAGE_BRIDGE_TARGETS: readonly string[];
|
|
8
|
+
export declare const DEV_COMPLIANCE_AUDIT_BRIDGE_SOURCES: readonly string[];
|
|
9
|
+
export declare const DEV_COMPLIANCE_GDPR_BRIDGE_SOURCES: readonly string[];
|
|
7
10
|
/**
|
|
8
11
|
* Forward-only implication used by client expansion and server bridge checks.
|
|
9
12
|
*/
|
|
@@ -13,6 +16,6 @@ export declare function grantImpliesTarget(granted: string, target: string): boo
|
|
|
13
16
|
*/
|
|
14
17
|
export declare function expandCapabilitiesForClientCheck(grants: readonly string[]): Set<string>;
|
|
15
18
|
/** Parity fixture — both backend and shared tests must satisfy. */
|
|
16
|
-
export declare const BRIDGE_PARITY_FIXTURE_GRANTS: readonly ["users:admins:create"];
|
|
17
|
-
export declare const BRIDGE_PARITY_FIXTURE_EXPECTED_TARGETS: readonly ["tenant.adminUserCapabilities.view", "tenant.adminUserCapabilities.manage", "tenant.adminUsers.manage"];
|
|
19
|
+
export declare const BRIDGE_PARITY_FIXTURE_GRANTS: readonly ["users:admins:create", "dev:workers:read", "dev:workers:run", "dev:aggregates:read", "dev:aggregates:run", "dev:compliance:audit:read", "dev:compliance:gdpr:read"];
|
|
20
|
+
export declare const BRIDGE_PARITY_FIXTURE_EXPECTED_TARGETS: readonly ["tenant.adminUserCapabilities.view", "tenant.adminUserCapabilities.manage", "tenant.adminUsers.manage", "platform.retentionWorkers.view", "platform.retentionWorkers.manage", "platform.aggregates.view", "platform.aggregates.manage", "platform.complianceAudit.view", "platform.complianceGdpr.view"];
|
|
18
21
|
//# sourceMappingURL=capabilityBridgeRules.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"capabilityBridgeRules.d.ts","sourceRoot":"","sources":["../../src/permissions/capabilityBridgeRules.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"capabilityBridgeRules.d.ts","sourceRoot":"","sources":["../../src/permissions/capabilityBridgeRules.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,eAAO,MAAM,iCAAiC,EAAE,SAAS,MAAM,EAG9D,CAAC;AAEF,eAAO,MAAM,iCAAiC,EAAE,SAAS,MAAM,EAM9D,CAAC;AAEF,eAAO,MAAM,mCAAmC,EAAE,SAAS,MAAM,EAEhE,CAAC;AAEF,eAAO,MAAM,kCAAkC,EAAE,SAAS,MAAM,EAE/D,CAAC;AAgBF;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CA2B3E;AAkBD;;GAEG;AACH,wBAAgB,gCAAgC,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAkBvF;AAED,mEAAmE;AACnE,eAAO,MAAM,4BAA4B,+KAQ/B,CAAC;AAEX,eAAO,MAAM,sCAAsC,oTAUzC,CAAC"}
|
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Shared capability bridge rules — single source for client JWT fallback checks.
|
|
3
3
|
* Server uses the same helpers from pi-kiosk-shared in PermissionInheritanceResolver.
|
|
4
|
+
* Forward-only: legacy → canonical; never canonical view → manage cluster.
|
|
4
5
|
*/
|
|
5
6
|
export const ADMIN_USERS_MANAGE_BRIDGE_SOURCES = [
|
|
6
7
|
'users:admins:create',
|
|
@@ -13,7 +14,24 @@ export const ADMIN_USERS_MANAGE_BRIDGE_TARGETS = [
|
|
|
13
14
|
'tenant.adminUserCapabilities.view',
|
|
14
15
|
'tenant.adminUserCapabilities.manage',
|
|
15
16
|
];
|
|
16
|
-
const
|
|
17
|
+
export const DEV_COMPLIANCE_AUDIT_BRIDGE_SOURCES = [
|
|
18
|
+
'dev:compliance:audit:read',
|
|
19
|
+
];
|
|
20
|
+
export const DEV_COMPLIANCE_GDPR_BRIDGE_SOURCES = [
|
|
21
|
+
'dev:compliance:gdpr:read',
|
|
22
|
+
];
|
|
23
|
+
const ADMIN_BRIDGE_SOURCE_SET = new Set(ADMIN_USERS_MANAGE_BRIDGE_SOURCES);
|
|
24
|
+
/** Forward-only legacy → canonical (no canonical → full cluster). */
|
|
25
|
+
const BRIDGE_TARGET_BY_SOURCE = new Map([
|
|
26
|
+
['users:admins:create', ADMIN_USERS_MANAGE_BRIDGE_TARGETS],
|
|
27
|
+
['tenant.adminUsers.manage', ADMIN_USERS_MANAGE_BRIDGE_TARGETS],
|
|
28
|
+
['dev:workers:read', ['platform.retentionWorkers.view']],
|
|
29
|
+
['dev:workers:run', ['platform.retentionWorkers.manage', 'platform.retentionWorkers.view']],
|
|
30
|
+
['dev:aggregates:read', ['platform.aggregates.view']],
|
|
31
|
+
['dev:aggregates:run', ['platform.aggregates.manage', 'platform.aggregates.view']],
|
|
32
|
+
['dev:compliance:audit:read', ['platform.complianceAudit.view']],
|
|
33
|
+
['dev:compliance:gdpr:read', ['platform.complianceGdpr.view']],
|
|
34
|
+
]);
|
|
17
35
|
/**
|
|
18
36
|
* Forward-only implication used by client expansion and server bridge checks.
|
|
19
37
|
*/
|
|
@@ -21,7 +39,11 @@ export function grantImpliesTarget(granted, target) {
|
|
|
21
39
|
if (granted === target) {
|
|
22
40
|
return true;
|
|
23
41
|
}
|
|
24
|
-
|
|
42
|
+
const bridgeTargets = BRIDGE_TARGET_BY_SOURCE.get(granted);
|
|
43
|
+
if (bridgeTargets?.includes(target)) {
|
|
44
|
+
return true;
|
|
45
|
+
}
|
|
46
|
+
if (ADMIN_BRIDGE_SOURCE_SET.has(granted) && ADMIN_USERS_MANAGE_BRIDGE_TARGETS.includes(target)) {
|
|
25
47
|
return true;
|
|
26
48
|
}
|
|
27
49
|
if (granted.endsWith('.manage') && target === `${granted.slice(0, -'.manage'.length)}.view`) {
|
|
@@ -37,10 +59,9 @@ export function grantImpliesTarget(granted, target) {
|
|
|
37
59
|
}
|
|
38
60
|
function impliedTargetsFromGrant(grant) {
|
|
39
61
|
const implied = [];
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
}
|
|
62
|
+
const bridgeTargets = BRIDGE_TARGET_BY_SOURCE.get(grant);
|
|
63
|
+
if (bridgeTargets) {
|
|
64
|
+
implied.push(...bridgeTargets);
|
|
44
65
|
}
|
|
45
66
|
if (grant.endsWith(':manage')) {
|
|
46
67
|
implied.push(grant.replace(/:manage$/, ':read'));
|
|
@@ -74,10 +95,24 @@ export function expandCapabilitiesForClientCheck(grants) {
|
|
|
74
95
|
return result;
|
|
75
96
|
}
|
|
76
97
|
/** Parity fixture — both backend and shared tests must satisfy. */
|
|
77
|
-
export const BRIDGE_PARITY_FIXTURE_GRANTS = [
|
|
98
|
+
export const BRIDGE_PARITY_FIXTURE_GRANTS = [
|
|
99
|
+
'users:admins:create',
|
|
100
|
+
'dev:workers:read',
|
|
101
|
+
'dev:workers:run',
|
|
102
|
+
'dev:aggregates:read',
|
|
103
|
+
'dev:aggregates:run',
|
|
104
|
+
'dev:compliance:audit:read',
|
|
105
|
+
'dev:compliance:gdpr:read',
|
|
106
|
+
];
|
|
78
107
|
export const BRIDGE_PARITY_FIXTURE_EXPECTED_TARGETS = [
|
|
79
108
|
'tenant.adminUserCapabilities.view',
|
|
80
109
|
'tenant.adminUserCapabilities.manage',
|
|
81
110
|
'tenant.adminUsers.manage',
|
|
111
|
+
'platform.retentionWorkers.view',
|
|
112
|
+
'platform.retentionWorkers.manage',
|
|
113
|
+
'platform.aggregates.view',
|
|
114
|
+
'platform.aggregates.manage',
|
|
115
|
+
'platform.complianceAudit.view',
|
|
116
|
+
'platform.complianceGdpr.view',
|
|
82
117
|
];
|
|
83
118
|
//# sourceMappingURL=capabilityBridgeRules.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"capabilityBridgeRules.js","sourceRoot":"","sources":["../../src/permissions/capabilityBridgeRules.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"capabilityBridgeRules.js","sourceRoot":"","sources":["../../src/permissions/capabilityBridgeRules.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,CAAC,MAAM,iCAAiC,GAAsB;IAClE,qBAAqB;IACrB,0BAA0B;CAC3B,CAAC;AAEF,MAAM,CAAC,MAAM,iCAAiC,GAAsB;IAClE,qBAAqB;IACrB,0BAA0B;IAC1B,wBAAwB;IACxB,mCAAmC;IACnC,qCAAqC;CACtC,CAAC;AAEF,MAAM,CAAC,MAAM,mCAAmC,GAAsB;IACpE,2BAA2B;CAC5B,CAAC;AAEF,MAAM,CAAC,MAAM,kCAAkC,GAAsB;IACnE,0BAA0B;CAC3B,CAAC;AAEF,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,iCAAiC,CAAC,CAAC;AAEnF,qEAAqE;AACrE,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAA4B;IACjE,CAAC,qBAAqB,EAAE,iCAAiC,CAAC;IAC1D,CAAC,0BAA0B,EAAE,iCAAiC,CAAC;IAC/D,CAAC,kBAAkB,EAAE,CAAC,gCAAgC,CAAC,CAAC;IACxD,CAAC,iBAAiB,EAAE,CAAC,kCAAkC,EAAE,gCAAgC,CAAC,CAAC;IAC3F,CAAC,qBAAqB,EAAE,CAAC,0BAA0B,CAAC,CAAC;IACrD,CAAC,oBAAoB,EAAE,CAAC,4BAA4B,EAAE,0BAA0B,CAAC,CAAC;IAClF,CAAC,2BAA2B,EAAE,CAAC,+BAA+B,CAAC,CAAC;IAChE,CAAC,0BAA0B,EAAE,CAAC,8BAA8B,CAAC,CAAC;CAC/D,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe,EAAE,MAAc;IAChE,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,aAAa,GAAG,uBAAuB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3D,IAAI,aAAa,EAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACpC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,uBAAuB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,iCAAiC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/F,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QAC5F,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC;QACnF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC;QACjF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAa;IAC5C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,aAAa,GAAG,uBAAuB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACzD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;IACjC,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,CAAC;SAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IAClD,CAAC;SAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gCAAgC,CAAC,MAAyB;IACxE,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,MAAM,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAE5B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC5B,IAAI,KAAK,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7C,SAAS;QACX,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAClB,KAAK,MAAM,MAAM,IAAI,uBAAuB,CAAC,KAAK,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACxB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,mEAAmE;AACnE,MAAM,CAAC,MAAM,4BAA4B,GAAG;IAC1C,qBAAqB;IACrB,kBAAkB;IAClB,iBAAiB;IACjB,qBAAqB;IACrB,oBAAoB;IACpB,2BAA2B;IAC3B,0BAA0B;CAClB,CAAC;AAEX,MAAM,CAAC,MAAM,sCAAsC,GAAG;IACpD,mCAAmC;IACnC,qCAAqC;IACrC,0BAA0B;IAC1B,gCAAgC;IAChC,kCAAkC;IAClC,0BAA0B;IAC1B,4BAA4B;IAC5B,+BAA+B;IAC/B,8BAA8B;CACtB,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "pi-kiosk-shared",
|
|
3
|
-
"version": "2.1.
|
|
3
|
+
"version": "2.1.60",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"private": false,
|
|
6
6
|
"description": "Shared types, API contracts, and error classes for Pi Kiosk system",
|
|
@@ -83,6 +83,8 @@
|
|
|
83
83
|
"scripts": {
|
|
84
84
|
"build": "npm run clean && tsc",
|
|
85
85
|
"dev": "tsc --watch",
|
|
86
|
+
"type-check": "tsc --noEmit",
|
|
87
|
+
"lint": "npm run type-check",
|
|
86
88
|
"test": "jest --config jest.config.cjs --passWithNoTests",
|
|
87
89
|
"test:watch": "jest --config jest.config.cjs --watch",
|
|
88
90
|
"test:coverage": "jest --config jest.config.cjs --coverage",
|