toride 0.2.0 → 0.3.0

package/dist/{chunk-24PMDTLE.js → chunk-2AWXNP37.js}

@@ -2001,16 +2001,17 @@ async function permittedFields(engine, actor, operation, resource, fieldAccess,
   for (const fieldName of fieldNames) {
     const fieldDef = fieldAccess[fieldName];
     const allowedRoles = fieldDef?.[operation];
+    const typedFieldName = fieldName;
     if (allowedRoles) {
       if (actorRoles.some((role) => allowedRoles.includes(role))) {
-        permitted.push(fieldName);
+        permitted.push(typedFieldName);
       }
     } else {
       if (hasResourcePermission === void 0) {
         hasResourcePermission = await engine.can(actor, operation, resource, options);
       }
       if (hasResourcePermission) {
-        permitted.push(fieldName);
+        permitted.push(typedFieldName);
       }
     }
   }
@@ -2209,9 +2210,18 @@ var Toride = class {
   /**
    * T064: Translate constraint AST using an adapter.
    * Dispatches each constraint node to the adapter's methods.
+   *
+   * Accepts ConstraintResult<R> from buildConstraints() and returns
+   * TQueryMap[R] — the adapter's mapped output type for resource R.
+   * The resource type R is inferred from the ConstraintResult phantom type.
    */
   translateConstraints(constraints, adapter) {
-    return translateConstraints(constraints, adapter);
+    if ("unrestricted" in constraints || "forbidden" in constraints) {
+      throw new Error(
+        "Cannot translate unrestricted or forbidden ConstraintResult. Check for 'constraints' property before calling translateConstraints()."
+      );
+    }
+    return translateConstraints(constraints.constraints, adapter);
   }
   /**
    * T072: Fire onDecision audit callback via microtask (non-blocking).

package/dist/{chunk-475CNU63.js → chunk-S6DKDABO.js}

@@ -4,7 +4,8 @@ var TorideClient = class {
   permissions;
   constructor(snapshot) {
     this.permissions = /* @__PURE__ */ new Map();
-    for (const [key, actions] of Object.entries(snapshot)) {
+    const entries = snapshot;
+    for (const [key, actions] of Object.entries(entries)) {
       this.permissions.set(key, new Set(actions));
     }
   }

package/dist/cli.js

@@ -7,7 +7,7 @@ import {
   runTestCases,
   validatePolicyResult,
   validatePolicyStrict
-} from "./chunk-24PMDTLE.js";
+} from "./chunk-2AWXNP37.js";
 
 // src/cli.ts
 import { readFileSync, readdirSync, statSync } from "fs";

package/dist/{client-RqwW0K_-.d.ts → client-aExMng5T.d.ts}

@@ -329,14 +329,19 @@ declare class DepthLimitError extends Error {
  * A serializable map of permissions keyed by "Type:id".
  * Values are arrays of permitted action strings.
  * Suitable for JSON transport to client-side TorideClient.
+ *
+ * Generic over TorideSchema so that the type parameter flows through
+ * to TorideClient<S> on deserialization. The runtime structure is unchanged.
  */
-type PermissionSnapshot = Record<string, string[]>;
+type PermissionSnapshot<S extends TorideSchema = DefaultSchema> = Record<string, string[]> & {
+    readonly __schema?: S | undefined;
+};
 
 declare const CLIENT_VERSION = "0.0.1";
 
-/** Minimal resource reference for client-side lookups. Generic over S for type narrowing. */
-interface ClientResourceRef<S extends TorideSchema = DefaultSchema> {
-    readonly type: S["resources"];
+/** Minimal resource reference for client-side lookups. Generic over S and R for type narrowing. */
+interface ClientResourceRef<S extends TorideSchema = DefaultSchema, R extends S["resources"] = S["resources"]> {
+    readonly type: R;
     readonly id: string;
 }
 /**
@@ -351,18 +356,18 @@ interface ClientResourceRef<S extends TorideSchema = DefaultSchema> {
  */
 declare class TorideClient<S extends TorideSchema = DefaultSchema> {
     private readonly permissions;
-    constructor(snapshot: PermissionSnapshot);
+    constructor(snapshot: PermissionSnapshot<S>);
     /**
      * Synchronous permission check.
      * Returns true if the action is permitted for the resource, false otherwise.
      * Unknown resources return false (default-deny).
      */
-    can(action: S["actions"], resource: ClientResourceRef<S>): boolean;
+    can<R extends S["resources"]>(action: S["permissionMap"][R], resource: ClientResourceRef<S, R>): boolean;
     /**
      * Return the list of permitted actions for a resource.
      * Returns empty array for unknown resources.
      */
-    permittedActions(resource: ClientResourceRef<S>): S["actions"][];
+    permittedActions<R extends S["resources"]>(resource: ClientResourceRef<S, R>): S["permissionMap"][R][];
 }
 
 export { type ActorRef as A, type BatchCheckItem as B, type CheckOptions as C, type DefaultSchema as D, type ExplainResult as E, type FieldAccessDef as F, type GlobalRole as G, type MatchedRule as M, type Policy as P, type QueryEvent as Q, type ResourceRef as R, type SimpleConditions as S, type TorideSchema as T, ValidationError as V, type TorideOptions as a, type PermissionSnapshot as b, type TestCase as c, type Resolvers as d, type ActorDeclaration as e, type AttributeType as f, type ClientResourceRef as g, type ConditionExpression as h, type ConditionOperator as i, type ConditionValue as j, CycleError as k, type DecisionEvent as l, DepthLimitError as m, type DerivedRoleEntry as n, type DerivedRoleTrace as o, type EvaluatorFn as p, type ResolvedRolesDetail as q, type ResourceBlock as r, type ResourceResolver as s, type Rule as t, TorideClient as u, CLIENT_VERSION as v };

package/dist/client.d.ts

@@ -1 +1 @@
-export { v as CLIENT_VERSION, g as ClientResourceRef, b as PermissionSnapshot, u as TorideClient } from './client-RqwW0K_-.js';
+export { v as CLIENT_VERSION, g as ClientResourceRef, b as PermissionSnapshot, u as TorideClient } from './client-aExMng5T.js';

package/dist/client.js

@@ -1,7 +1,7 @@
 import {
   CLIENT_VERSION,
   TorideClient
-} from "./chunk-475CNU63.js";
+} from "./chunk-S6DKDABO.js";
 export {
   CLIENT_VERSION,
   TorideClient

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { P as Policy, T as TorideSchema, D as DefaultSchema, a as TorideOptions, A as ActorRef, R as ResourceRef, C as CheckOptions, E as ExplainResult, b as PermissionSnapshot, B as BatchCheckItem, c as TestCase, d as Resolvers } from './client-RqwW0K_-.js';
-export { e as ActorDeclaration, f as AttributeType, g as ClientResourceRef, h as ConditionExpression, i as ConditionOperator, j as ConditionValue, k as CycleError, l as DecisionEvent, m as DepthLimitError, n as DerivedRoleEntry, o as DerivedRoleTrace, p as EvaluatorFn, F as FieldAccessDef, G as GlobalRole, M as MatchedRule, Q as QueryEvent, q as ResolvedRolesDetail, r as ResourceBlock, s as ResourceResolver, t as Rule, S as SimpleConditions, u as TorideClient, V as ValidationError } from './client-RqwW0K_-.js';
+import { P as Policy, T as TorideSchema, D as DefaultSchema, a as TorideOptions, A as ActorRef, R as ResourceRef, C as CheckOptions, E as ExplainResult, b as PermissionSnapshot, B as BatchCheckItem, c as TestCase, d as Resolvers } from './client-aExMng5T.js';
+export { e as ActorDeclaration, f as AttributeType, g as ClientResourceRef, h as ConditionExpression, i as ConditionOperator, j as ConditionValue, k as CycleError, l as DecisionEvent, m as DepthLimitError, n as DerivedRoleEntry, o as DerivedRoleTrace, p as EvaluatorFn, F as FieldAccessDef, G as GlobalRole, M as MatchedRule, Q as QueryEvent, q as ResolvedRolesDetail, r as ResourceBlock, s as ResourceResolver, t as Rule, S as SimpleConditions, u as TorideClient, V as ValidationError } from './client-aExMng5T.js';
 
 /**
  * Parse and validate a YAML string into a typed Policy object.
@@ -149,23 +149,32 @@ interface NeverConstraint {
 type Constraint = FieldEqConstraint | FieldNeqConstraint | FieldGtConstraint | FieldGteConstraint | FieldLtConstraint | FieldLteConstraint | FieldInConstraint | FieldNinConstraint | FieldExistsConstraint | FieldIncludesConstraint | FieldContainsConstraint | RelationConstraint | HasRoleConstraint | UnknownConstraint | AndConstraint | OrConstraint | NotConstraint | AlwaysConstraint | NeverConstraint;
 /** Leaf constraint subset for ConstraintAdapter.translate(). */
 type LeafConstraint = FieldEqConstraint | FieldNeqConstraint | FieldGtConstraint | FieldGteConstraint | FieldLtConstraint | FieldLteConstraint | FieldInConstraint | FieldNinConstraint | FieldExistsConstraint | FieldIncludesConstraint | FieldContainsConstraint;
-/** Result of partial evaluation. */
-type ConstraintResult = {
+/** Result of partial evaluation, tagged with resource type R (phantom). */
+type ConstraintResult<R extends string = string> = {
     readonly unrestricted: true;
+    readonly __resource?: R;
 } | {
     readonly forbidden: true;
+    readonly __resource?: R;
 } | {
     readonly constraints: Constraint;
+    readonly __resource?: R;
 };
-/** User-provided adapter for translating constraint ASTs to queries. */
-interface ConstraintAdapter<TQuery> {
-    translate(constraint: LeafConstraint): TQuery;
-    relation(field: string, resourceType: string, childQuery: TQuery): TQuery;
-    hasRole(actorId: string, actorType: string, role: string): TQuery;
-    unknown(name: string): TQuery;
-    and(queries: TQuery[]): TQuery;
-    or(queries: TQuery[]): TQuery;
-    not(query: TQuery): TQuery;
+/**
+ * User-provided adapter for translating constraint ASTs to queries.
+ * TQueryMap maps resource type names to their query output types.
+ *
+ * BREAKING CHANGE: Previously ConstraintAdapter<TQuery> with a single query type.
+ * Now uses a resource-to-query-type map for per-resource output typing.
+ */
+interface ConstraintAdapter<TQueryMap extends Record<string, unknown> = Record<string, unknown>> {
+    translate(constraint: LeafConstraint): TQueryMap[string];
+    relation(field: string, resourceType: string, childQuery: TQueryMap[string]): TQueryMap[string];
+    hasRole(actorId: string, actorType: string, role: string): TQueryMap[string];
+    unknown(name: string): TQueryMap[string];
+    and(queries: TQueryMap[string][]): TQueryMap[string];
+    or(queries: TQueryMap[string][]): TQueryMap[string];
+    not(query: TQueryMap[string]): TQueryMap[string];
 }
 
 /**
@@ -205,22 +214,22 @@ declare class Toride<S extends TorideSchema = DefaultSchema> {
      * keyed by "Type:id" with arrays of permitted action strings.
      * Suitable for serializing to the client via TorideClient.
      */
-    snapshot(actor: ActorRef<S>, resources: ResourceRef<S>[], options?: CheckOptions): Promise<PermissionSnapshot>;
+    snapshot(actor: ActorRef<S>, resources: ResourceRef<S>[], options?: CheckOptions): Promise<PermissionSnapshot<S>>;
     /**
      * T095: Check if an actor can perform a field-level operation on a specific field.
      * Restricted fields require the actor to have a role listed in field_access.
      * Unlisted fields are unrestricted: any actor with the resource-level permission can access them.
      */
-    canField<R extends S["resources"]>(actor: ActorRef<S>, operation: "read" | "update", resource: ResourceRef<S, R>, field: string, options?: CheckOptions): Promise<boolean>;
+    canField<R extends S["resources"]>(actor: ActorRef<S>, operation: "read" | "update", resource: ResourceRef<S, R>, field: keyof S["resourceAttributeMap"][R] & string, options?: CheckOptions): Promise<boolean>;
     /**
      * T095: Return the list of declared field_access field names the actor can access
      * for the given operation. Only returns explicitly declared fields.
      */
-    permittedFields<R extends S["resources"]>(actor: ActorRef<S>, operation: "read" | "update", resource: ResourceRef<S, R>, options?: CheckOptions): Promise<string[]>;
+    permittedFields<R extends S["resources"]>(actor: ActorRef<S>, operation: "read" | "update", resource: ResourceRef<S, R>, options?: CheckOptions): Promise<(keyof S["resourceAttributeMap"][R] & string)[]>;
     /**
      * T070: Return flat deduplicated list of all resolved roles (direct + derived).
      */
-    resolvedRoles<R extends S["resources"]>(actor: ActorRef<S>, resource: ResourceRef<S, R>, options?: CheckOptions): Promise<string[]>;
+    resolvedRoles<R extends S["resources"]>(actor: ActorRef<S>, resource: ResourceRef<S, R>, options?: CheckOptions): Promise<S["roleMap"][R][]>;
     /**
      * T071: Evaluate multiple checks for the same actor with a shared resolver cache.
      * Returns boolean[] in the same order as the input checks.
@@ -230,12 +239,16 @@ declare class Toride<S extends TorideSchema = DefaultSchema> {
      * T064: Build constraint AST for partial evaluation / data filtering.
      * Returns ConstraintResult with unrestricted/forbidden sentinels or constraint AST.
      */
-    buildConstraints<R extends S["resources"]>(actor: ActorRef<S>, action: S["permissionMap"][R], resourceType: R, options?: CheckOptions): Promise<ConstraintResult>;
+    buildConstraints<R extends S["resources"]>(actor: ActorRef<S>, action: S["permissionMap"][R], resourceType: R, options?: CheckOptions): Promise<ConstraintResult<R>>;
     /**
      * T064: Translate constraint AST using an adapter.
      * Dispatches each constraint node to the adapter's methods.
+     *
+     * Accepts ConstraintResult<R> from buildConstraints() and returns
+     * TQueryMap[R] — the adapter's mapped output type for resource R.
+     * The resource type R is inferred from the ConstraintResult phantom type.
      */
-    translateConstraints<TQuery>(constraints: Constraint, adapter: ConstraintAdapter<TQuery>): TQuery;
+    translateConstraints<R extends string, TQueryMap extends Record<string, unknown>>(constraints: ConstraintResult<R>, adapter: ConstraintAdapter<TQueryMap>): TQueryMap[R];
     /**
      * T072: Fire onDecision audit callback via microtask (non-blocking).
      * Errors are silently swallowed to prevent audit failures from affecting authorization.

package/dist/index.js

@@ -12,10 +12,10 @@ import {
   validatePolicy,
   validatePolicyResult,
   validatePolicyStrict
-} from "./chunk-24PMDTLE.js";
+} from "./chunk-2AWXNP37.js";
 import {
   TorideClient
-} from "./chunk-475CNU63.js";
+} from "./chunk-S6DKDABO.js";
 
 // src/policy/parser.ts
 import * as YAML from "yaml";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "toride",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Relation-aware authorization engine for TypeScript",
   "type": "module",
   "exports": {