toride 0.2.0 → 0.4.0

package/dist/{chunk-24PMDTLE.js → chunk-GRFSE3QO.js}

@@ -1,8 +1,56 @@
 // src/policy/schema.ts
 import * as v from "valibot";
-var AttributeTypeSchema = v.picklist(["string", "number", "boolean"]);
+var AttributeTypeSchema = v.picklist(["string", "number", "boolean", "string[]", "number[]", "boolean[]"]);
+var MAX_ATTRIBUTE_DEPTH = 3;
+function getAttributeDepth(schema, currentDepth = 0) {
+  if (typeof schema !== "object" || schema === null) {
+    return currentDepth;
+  }
+  const obj = schema;
+  if (obj.kind === "primitive") {
+    return currentDepth;
+  }
+  if (obj.kind === "object" && typeof obj.fields === "object" && obj.fields !== null) {
+    const fields = obj.fields;
+    let maxDepth = currentDepth;
+    for (const field of Object.values(fields)) {
+      const fieldDepth = getAttributeDepth(field, currentDepth + 1);
+      if (fieldDepth > maxDepth) {
+        maxDepth = fieldDepth;
+      }
+    }
+    return maxDepth;
+  }
+  if (obj.kind === "array" && typeof obj.items === "object" && obj.items !== null) {
+    return getAttributeDepth(obj.items, currentDepth);
+  }
+  return currentDepth;
+}
+function checkAttributeDepth(input) {
+  return getAttributeDepth(input) <= MAX_ATTRIBUTE_DEPTH;
+}
+var PrimitiveAttributeSchemaNodeSchema = v.object({
+  kind: v.literal("primitive"),
+  type: AttributeTypeSchema
+});
+var ObjectAttributeSchemaNodeSchema = v.object({
+  kind: v.literal("object"),
+  fields: v.record(v.string(), v.lazy(() => AttributeSchemaNodeSchema))
+});
+var ArrayAttributeSchemaNodeSchema = v.object({
+  kind: v.literal("array"),
+  items: v.lazy(() => AttributeSchemaNodeSchema)
+});
+var AttributeSchemaNodeSchema = v.pipe(
+  v.union([
+    PrimitiveAttributeSchemaNodeSchema,
+    ObjectAttributeSchemaNodeSchema,
+    ArrayAttributeSchemaNodeSchema
+  ]),
+  v.check(checkAttributeDepth, "Attribute schema exceeds maximum depth of 3")
+);
 var ActorDeclarationSchema = v.object({
-  attributes: v.record(v.string(), AttributeTypeSchema)
+  attributes: v.record(v.string(), AttributeSchemaNodeSchema)
 });
 var ConditionOperatorSchema = v.union([
   v.object({ eq: v.unknown() }),
@@ -54,7 +102,7 @@ var FieldAccessDefSchema = v.object({
 var ResourceBlockSchema = v.object({
   roles: v.array(v.string()),
   permissions: v.array(v.string()),
-  attributes: v.optional(v.record(v.string(), AttributeTypeSchema)),
+  attributes: v.optional(v.record(v.string(), AttributeSchemaNodeSchema)),
   relations: v.optional(v.record(v.string(), v.string())),
   grants: v.optional(v.record(v.string(), v.array(v.string()))),
   derived_roles: v.optional(v.array(DerivedRoleEntrySchema)),
@@ -122,6 +170,20 @@ var DepthLimitError = class extends Error {
     this.limitType = limitType;
   }
 };
+var ForbiddenError = class extends Error {
+  actor;
+  action;
+  resourceType;
+  constructor(actor, action, resourceType) {
+    super(
+      `Actor "${actor.type}:${actor.id}" is forbidden from performing "${action}" on resource type "${resourceType}"`
+    );
+    this.name = "ForbiddenError";
+    this.actor = actor;
+    this.action = action;
+    this.resourceType = resourceType;
+  }
+};
 
 // src/policy/validator.ts
 function extractActorAttributes(condition) {
@@ -1434,7 +1496,7 @@ var OPERATOR_KEYS2 = /* @__PURE__ */ new Set([
 async function buildConstraints(actor, action, resourceType, cache, policy, options) {
   const resourceBlock = policy.resources[resourceType];
   if (!resourceBlock) {
-    return { forbidden: true };
+    return { ok: false };
   }
   const env = options?.env ?? {};
   const rolesGrantingAction = findRolesGrantingAction(action, resourceBlock);
@@ -1443,7 +1505,7 @@ async function buildConstraints(actor, action, resourceType, cache, policy, opti
       (r) => r.effect === "permit" && r.permissions.includes(action)
     );
     if (permitRules2.length === 0) {
-      return { forbidden: true };
+      return { ok: false };
     }
   }
   const roleConstraintCache = /* @__PURE__ */ new Map();
@@ -1504,7 +1566,7 @@ async function buildConstraints(actor, action, resourceType, cache, policy, opti
     }
   }
   if (pathConstraints.length === 0) {
-    return { forbidden: true };
+    return { ok: false };
   }
   let combined;
   if (pathConstraints.length === 1) {
@@ -1526,12 +1588,12 @@ async function buildConstraints(actor, action, resourceType, cache, policy, opti
   }
   combined = simplify(combined);
   if (combined.type === "always") {
-    return { unrestricted: true };
+    return { ok: true, constraint: null };
   }
   if (combined.type === "never") {
-    return { forbidden: true };
+    return { ok: false };
   }
-  return { constraints: combined };
+  return { ok: true, constraint: combined };
 }
 function findRolesGrantingAction(action, resourceBlock) {
   const grants = resourceBlock.grants ?? {};
@@ -1949,11 +2011,11 @@ function translateConstraints(constraint, adapter, _depth = 0) {
     // Terminal nodes - should not reach the translator
     case "always":
       throw new Error(
-        'Constraint node "always" should be simplified out before translation. Use buildConstraints() which returns ConstraintResult with unrestricted/forbidden sentinels.'
+        'Constraint node "always" should be simplified out before translation. Check result.ok and result.constraint before calling translateConstraints().'
       );
     case "never":
       throw new Error(
-        'Constraint node "never" should be simplified out before translation. Use buildConstraints() which returns ConstraintResult with unrestricted/forbidden sentinels.'
+        'Constraint node "never" should be simplified out before translation. Check result.ok and result.constraint before calling translateConstraints().'
       );
     default: {
       const _exhaustive = constraint;
@@ -2001,16 +2063,17 @@ async function permittedFields(engine, actor, operation, resource, fieldAccess,
   for (const fieldName of fieldNames) {
     const fieldDef = fieldAccess[fieldName];
     const allowedRoles = fieldDef?.[operation];
+    const typedFieldName = fieldName;
     if (allowedRoles) {
       if (actorRoles.some((role) => allowedRoles.includes(role))) {
-        permitted.push(fieldName);
+        permitted.push(typedFieldName);
       }
     } else {
       if (hasResourcePermission === void 0) {
         hasResourcePermission = await engine.can(actor, operation, resource, options);
       }
       if (hasResourcePermission) {
-        permitted.push(fieldName);
+        permitted.push(typedFieldName);
       }
     }
   }
@@ -2167,9 +2230,9 @@ var Toride = class {
     const a = actor;
     const sharedCache = new AttributeCache(this.resolvers);
     const results = [];
-    for (const check of checks) {
-      const r = check.resource;
-      const act = check.action;
+    for (const check2 of checks) {
+      const r = check2.resource;
+      const act = check2.action;
       const result = await this.evaluateInternal(
         a,
         act,
@@ -2209,9 +2272,13 @@ var Toride = class {
   /**
    * T064: Translate constraint AST using an adapter.
    * Dispatches each constraint node to the adapter's methods.
+   *
+   * Accepts Constraint (the AST) from buildConstraints() and returns
+   * TQueryMap[R] — the adapter's mapped output type for resource R.
+   * Callers must check result.ok and result.constraint before calling this method.
    */
-  translateConstraints(constraints, adapter) {
-    return translateConstraints(constraints, adapter);
+  translateConstraints(constraint, adapter) {
+    return translateConstraints(constraint, adapter);
   }
   /**
    * T072: Fire onDecision audit callback via microtask (non-blocking).
@@ -2250,10 +2317,10 @@ var Toride = class {
     const callback = this.options.onQuery;
     if (!callback) return;
     let resultType;
-    if ("unrestricted" in constraintResult && constraintResult.unrestricted) {
-      resultType = "unrestricted";
-    } else if ("forbidden" in constraintResult && constraintResult.forbidden) {
+    if (!constraintResult.ok) {
       resultType = "forbidden";
+    } else if (constraintResult.constraint === null) {
+      resultType = "unrestricted";
     } else {
       resultType = "constrained";
     }
@@ -2350,10 +2417,12 @@ async function runTestCases(policy, tests) {
 }
 
 export {
+  ConditionExpressionSchema,
   PolicySchema,
   ValidationError,
   CycleError,
   DepthLimitError,
+  ForbiddenError,
   validatePolicy,
   validatePolicyResult,
   validatePolicyStrict,

package/dist/{chunk-475CNU63.js → chunk-S6DKDABO.js}

@@ -4,7 +4,8 @@ var TorideClient = class {
   permissions;
   constructor(snapshot) {
     this.permissions = /* @__PURE__ */ new Map();
-    for (const [key, actions] of Object.entries(snapshot)) {
+    const entries = snapshot;
+    for (const [key, actions] of Object.entries(entries)) {
       this.permissions.set(key, new Set(actions));
     }
   }

package/dist/cli.js

@@ -7,13 +7,96 @@ import {
   runTestCases,
   validatePolicyResult,
   validatePolicyStrict
-} from "./chunk-24PMDTLE.js";
+} from "./chunk-GRFSE3QO.js";
 
 // src/cli.ts
 import { readFileSync, readdirSync, statSync } from "fs";
 import { resolve, dirname, join } from "path";
 import * as YAML from "yaml";
 import * as v from "valibot";
+function normalizeAttributeValue(raw) {
+  if (raw === null || raw === void 0) return raw;
+  if (typeof raw === "string" && ["string", "number", "boolean"].includes(raw)) {
+    return { kind: "primitive", type: raw };
+  }
+  if (typeof raw === "object" && !Array.isArray(raw)) {
+    const obj = raw;
+    if ("kind" in obj && obj.kind !== void 0) {
+      if (obj.kind === "object" && typeof obj.fields === "object" && obj.fields !== null) {
+        const normalizedFields = {};
+        for (const [key, value] of Object.entries(obj.fields)) {
+          normalizedFields[key] = normalizeAttributeValue(value);
+        }
+        return { ...obj, fields: normalizedFields };
+      }
+      if (obj.kind === "array" && "items" in obj) {
+        return { ...obj, items: normalizeAttributeValue(obj.items) };
+      }
+      return obj;
+    }
+  }
+  if (typeof raw === "object" && !Array.isArray(raw)) {
+    const obj = raw;
+    const normalized = {};
+    for (const [key, value] of Object.entries(obj)) {
+      normalized[key] = normalizeAttributeValue(value);
+    }
+    return normalized;
+  }
+  if (Array.isArray(raw)) {
+    return raw.map((item) => normalizeAttributeValue(item));
+  }
+  return raw;
+}
+function normalizeAttributeRecord(attrs) {
+  const normalizedAttrs = {};
+  for (const [attrKey, attrValue] of Object.entries(attrs)) {
+    normalizedAttrs[attrKey] = normalizeAttributeValue(attrValue);
+  }
+  return normalizedAttrs;
+}
+function normalizeAttributes(raw) {
+  if (raw === null || raw === void 0 || typeof raw !== "object" || Array.isArray(raw)) {
+    return raw;
+  }
+  const obj = raw;
+  const normalized = { ...obj };
+  if ("actors" in normalized && typeof normalized.actors === "object" && normalized.actors !== null) {
+    const actors = normalized.actors;
+    const normalizedActors = {};
+    for (const [actorName, actorDef] of Object.entries(actors)) {
+      if (typeof actorDef === "object" && actorDef !== null) {
+        const actor = actorDef;
+        const normalizedActor = { ...actor };
+        if ("attributes" in normalizedActor && typeof normalizedActor.attributes === "object" && normalizedActor.attributes !== null) {
+          normalizedActor.attributes = normalizeAttributeRecord(normalizedActor.attributes);
+        }
+        normalizedActors[actorName] = normalizedActor;
+      } else {
+        normalizedActors[actorName] = actorDef;
+      }
+    }
+    normalized.actors = normalizedActors;
+  }
+  if ("resources" in normalized && typeof normalized.resources === "object" && normalized.resources !== null) {
+    const resources = normalized.resources;
+    const normalizedResources = {};
+    for (const [resName, resDef] of Object.entries(resources)) {
+      if (typeof resDef === "object" && resDef !== null) {
+        const resource = resDef;
+        const normalizedResource = { ...resource };
+        if ("attributes" in normalizedResource && typeof normalizedResource.attributes === "object" && normalizedResource.attributes !== null) {
+          normalizedResource.attributes = normalizeAttributeRecord(normalizedResource.attributes);
+        }
+        normalizedResources[resName] = normalizedResource;
+      } else {
+        normalizedResources[resName] = resDef;
+      }
+    }
+    normalized.resources = normalizedResources;
+  }
+  return normalized;
+}
 function loadPolicyFile(filePath) {
   const absPath = resolve(filePath);
   let content;
@@ -42,7 +125,8 @@ function loadPolicyFile(filePath) {
       );
     }
   }
-  const result = v.safeParse(PolicySchema, raw);
+  const normalizedRaw = normalizeAttributes(raw);
+  const result = v.safeParse(PolicySchema, normalizedRaw);
   if (!result.success) {
     const issue = result.issues[0];
     const path = issue?.path?.map((p) => String(p.key)).join(".") ?? "";

package/dist/{client-RqwW0K_-.d.ts → client-CBp3admQ.d.ts}

@@ -45,6 +45,58 @@ interface DefaultSchema extends TorideSchema {
     actorAttributeMap: Record<string, Record<string, unknown>>;
     relationMap: Record<string, Record<string, string>>;
 }
+/**
+ * Virtual field mapping configuration.
+ * Describes how a virtual field maps to a related resource query.
+ */
+interface VirtualFieldMapping {
+    /** The relation name to query */
+    readonly relation: string;
+    /** The field in the related resource to match against */
+    readonly matchField: string;
+    /** Optional filter to apply to the relation query */
+    readonly filter?: Record<string, unknown>;
+}
+/**
+ * Extracts keys from T whose values are arrays.
+ */
+type ArrayKeys<T> = {
+    [K in keyof T]: T[K] extends unknown[] ? K : never;
+}[keyof T];
+type ModelScalars<T> = T extends {
+    scalars: infer S extends Record<string, unknown>;
+} ? S : T extends Record<string, unknown> ? T : never;
+type UnwrapRelation<T> = T extends readonly (infer U)[] ? U : NonNullable<T>;
+type PayloadRelations<T> = T extends {
+    objects: infer O extends Record<string, unknown>;
+} ? {
+    [K in keyof O & string]: ModelScalars<UnwrapRelation<O[K]>>;
+} : Record<string, never>;
+type VirtualFieldMappingFor<TRelations extends Record<string, Record<string, unknown>>> = {
+    [R in keyof TRelations & string]: {
+        readonly relation: R;
+        readonly matchField: keyof TRelations[R] & string;
+        readonly filter?: {
+            readonly [F in keyof TRelations[R]]?: TRelations[R][F];
+        };
+    };
+}[keyof TRelations & string];
+/**
+ * Conditional type that uses model-aware detection when TModelMap is provided,
+ * falls back to ArrayKeys otherwise.
+ */
+type VirtualFieldKeysFor<S extends TorideSchema, R extends string, TModelMap> = [TModelMap] extends [never] ? S["resourceAttributeMap"][R] extends Record<string, unknown> ? Record<string, unknown> extends S["resourceAttributeMap"][R] ? string : ArrayKeys<S["resourceAttributeMap"][R]> : never : R extends keyof TModelMap ? Exclude<keyof S["resourceAttributeMap"][R] & string, keyof ModelScalars<TModelMap[R]> & string> : string;
+/**
+ * Per-resource mapping of virtual field keys to VirtualFieldMapping.
+ * When TModelMap is provided, uses model-aware detection for virtual field keys.
+ */
+type VirtualFieldsConfig<S extends TorideSchema, TModelMap = never> = {
+    [R in S["resources"]]?: {
+        [K in VirtualFieldKeysFor<S, R & string, TModelMap>]?: R extends keyof TModelMap ? TModelMap[R] extends {
+            objects: Record<string, unknown>;
+        } ? VirtualFieldMappingFor<PayloadRelations<TModelMap[R]>> : VirtualFieldMapping : VirtualFieldMapping;
+    };
+};
 /**
  * Represents an entity performing actions.
  * Generic discriminated union over actor types in S.
@@ -145,10 +197,27 @@ interface TorideOptions<S extends TorideSchema = DefaultSchema> {
     readonly onQuery?: (event: QueryEvent) => void;
 }
 /** Attribute type for actor declarations. */
-type AttributeType = "string" | "number" | "boolean";
+type AttributeType = "string" | "number" | "boolean" | "string[]" | "number[]" | "boolean[]";
+/** Schema for a primitive attribute. */
+interface PrimitiveAttributeSchema {
+    readonly kind: "primitive";
+    readonly type: AttributeType;
+}
+/** Schema for a nested object attribute. */
+interface ObjectAttributeSchema {
+    readonly kind: "object";
+    readonly fields: Record<string, AttributeSchema>;
+}
+/** Schema for an array attribute. */
+interface ArrayAttributeSchema {
+    readonly kind: "array";
+    readonly items: AttributeSchema;
+}
+/** Discriminated union of all attribute schema types. */
+type AttributeSchema = PrimitiveAttributeSchema | ObjectAttributeSchema | ArrayAttributeSchema;
 /** Actor type declaration with attribute schema. */
 interface ActorDeclaration {
-    readonly attributes: Record<string, AttributeType>;
+    readonly attributes: Record<string, AttributeSchema>;
 }
 /** Global role definition derived from actor attributes. */
 interface GlobalRole {
@@ -190,7 +259,7 @@ interface ResourceBlock {
     readonly roles: string[];
     readonly permissions: string[];
     /** Optional typed attribute declarations for this resource type. */
-    readonly attributes?: Record<string, AttributeType>;
+    readonly attributes?: Record<string, AttributeSchema>;
     /** Relations map field names to target resource type names (simplified). */
     readonly relations?: Record<string, string>;
     readonly grants?: Record<string, string[]>;
@@ -324,19 +393,31 @@ declare class DepthLimitError extends Error {
     readonly limitType: "condition" | "derivation";
     constructor(message: string, limit: number, limitType: "condition" | "derivation");
 }
+/** Thrown when an actor is forbidden from performing an action. */
+declare class ForbiddenError extends Error {
+    readonly actor: ActorRef;
+    readonly action: string;
+    readonly resourceType: string;
+    constructor(actor: ActorRef, action: string, resourceType: string);
+}
 
 /**
  * A serializable map of permissions keyed by "Type:id".
  * Values are arrays of permitted action strings.
  * Suitable for JSON transport to client-side TorideClient.
+ *
+ * Generic over TorideSchema so that the type parameter flows through
+ * to TorideClient<S> on deserialization. The runtime structure is unchanged.
  */
-type PermissionSnapshot = Record<string, string[]>;
+type PermissionSnapshot<S extends TorideSchema = DefaultSchema> = Record<string, string[]> & {
+    readonly __schema?: S | undefined;
+};
 
 declare const CLIENT_VERSION = "0.0.1";
 
-/** Minimal resource reference for client-side lookups. Generic over S for type narrowing. */
-interface ClientResourceRef<S extends TorideSchema = DefaultSchema> {
-    readonly type: S["resources"];
+/** Minimal resource reference for client-side lookups. Generic over S and R for type narrowing. */
+interface ClientResourceRef<S extends TorideSchema = DefaultSchema, R extends S["resources"] = S["resources"]> {
+    readonly type: R;
     readonly id: string;
 }
 /**
@@ -351,18 +432,18 @@ interface ClientResourceRef<S extends TorideSchema = DefaultSchema> {
  */
 declare class TorideClient<S extends TorideSchema = DefaultSchema> {
     private readonly permissions;
-    constructor(snapshot: PermissionSnapshot);
+    constructor(snapshot: PermissionSnapshot<S>);
     /**
      * Synchronous permission check.
      * Returns true if the action is permitted for the resource, false otherwise.
      * Unknown resources return false (default-deny).
      */
-    can(action: S["actions"], resource: ClientResourceRef<S>): boolean;
+    can<R extends S["resources"]>(action: S["permissionMap"][R], resource: ClientResourceRef<S, R>): boolean;
     /**
      * Return the list of permitted actions for a resource.
      * Returns empty array for unknown resources.
      */
-    permittedActions(resource: ClientResourceRef<S>): S["actions"][];
+    permittedActions<R extends S["resources"]>(resource: ClientResourceRef<S, R>): S["permissionMap"][R][];
 }
 
-export { type ActorRef as A, type BatchCheckItem as B, type CheckOptions as C, type DefaultSchema as D, type ExplainResult as E, type FieldAccessDef as F, type GlobalRole as G, type MatchedRule as M, type Policy as P, type QueryEvent as Q, type ResourceRef as R, type SimpleConditions as S, type TorideSchema as T, ValidationError as V, type TorideOptions as a, type PermissionSnapshot as b, type TestCase as c, type Resolvers as d, type ActorDeclaration as e, type AttributeType as f, type ClientResourceRef as g, type ConditionExpression as h, type ConditionOperator as i, type ConditionValue as j, CycleError as k, type DecisionEvent as l, DepthLimitError as m, type DerivedRoleEntry as n, type DerivedRoleTrace as o, type EvaluatorFn as p, type ResolvedRolesDetail as q, type ResourceBlock as r, type ResourceResolver as s, type Rule as t, TorideClient as u, CLIENT_VERSION as v };
+export { type ActorRef as A, type BatchCheckItem as B, type CheckOptions as C, type DefaultSchema as D, type ExplainResult as E, type FieldAccessDef as F, type GlobalRole as G, type VirtualFieldMapping as H, type VirtualFieldMappingFor as I, type VirtualFieldsConfig as J, CLIENT_VERSION as K, type MatchedRule as M, type ObjectAttributeSchema as O, type Policy as P, type QueryEvent as Q, type ResourceRef as R, type SimpleConditions as S, type TorideSchema as T, ValidationError as V, type TorideOptions as a, type PermissionSnapshot as b, type TestCase as c, type Resolvers as d, type ActorDeclaration as e, type ArrayAttributeSchema as f, type AttributeSchema as g, type AttributeType as h, type ClientResourceRef as i, type ConditionExpression as j, type ConditionOperator as k, type ConditionValue as l, CycleError as m, type DecisionEvent as n, DepthLimitError as o, type DerivedRoleEntry as p, type DerivedRoleTrace as q, type EvaluatorFn as r, ForbiddenError as s, type PayloadRelations as t, type PrimitiveAttributeSchema as u, type ResolvedRolesDetail as v, type ResourceBlock as w, type ResourceResolver as x, type Rule as y, TorideClient as z };

package/dist/client.d.ts

@@ -1 +1 @@
-export { v as CLIENT_VERSION, g as ClientResourceRef, b as PermissionSnapshot, u as TorideClient } from './client-RqwW0K_-.js';
+export { K as CLIENT_VERSION, i as ClientResourceRef, b as PermissionSnapshot, z as TorideClient } from './client-CBp3admQ.js';

package/dist/client.js

@@ -1,7 +1,7 @@
 import {
   CLIENT_VERSION,
   TorideClient
-} from "./chunk-475CNU63.js";
+} from "./chunk-S6DKDABO.js";
 export {
   CLIENT_VERSION,
   TorideClient