toride 0.2.0 → 0.4.0

package/dist/index.d.ts

@@ -1,5 +1,64 @@
-import { P as Policy, T as TorideSchema, D as DefaultSchema, a as TorideOptions, A as ActorRef, R as ResourceRef, C as CheckOptions, E as ExplainResult, b as PermissionSnapshot, B as BatchCheckItem, c as TestCase, d as Resolvers } from './client-RqwW0K_-.js';
-export { e as ActorDeclaration, f as AttributeType, g as ClientResourceRef, h as ConditionExpression, i as ConditionOperator, j as ConditionValue, k as CycleError, l as DecisionEvent, m as DepthLimitError, n as DerivedRoleEntry, o as DerivedRoleTrace, p as EvaluatorFn, F as FieldAccessDef, G as GlobalRole, M as MatchedRule, Q as QueryEvent, q as ResolvedRolesDetail, r as ResourceBlock, s as ResourceResolver, t as Rule, S as SimpleConditions, u as TorideClient, V as ValidationError } from './client-RqwW0K_-.js';
+import * as v from 'valibot';
+import { P as Policy, T as TorideSchema, D as DefaultSchema, a as TorideOptions, A as ActorRef, R as ResourceRef, C as CheckOptions, E as ExplainResult, b as PermissionSnapshot, B as BatchCheckItem, c as TestCase, d as Resolvers } from './client-CBp3admQ.js';
+export { e as ActorDeclaration, f as ArrayAttributeSchema, g as AttributeSchema, h as AttributeType, i as ClientResourceRef, j as ConditionExpression, k as ConditionOperator, l as ConditionValue, m as CycleError, n as DecisionEvent, o as DepthLimitError, p as DerivedRoleEntry, q as DerivedRoleTrace, r as EvaluatorFn, F as FieldAccessDef, s as ForbiddenError, G as GlobalRole, M as MatchedRule, O as ObjectAttributeSchema, t as PayloadRelations, u as PrimitiveAttributeSchema, Q as QueryEvent, v as ResolvedRolesDetail, w as ResourceBlock, x as ResourceResolver, y as Rule, S as SimpleConditions, z as TorideClient, V as ValidationError, H as VirtualFieldMapping, I as VirtualFieldMappingFor, J as VirtualFieldsConfig } from './client-CBp3admQ.js';
+
+/**
+ * ConditionExpression: recursive type using lazy().
+ * Either simple conditions, { any: [...] }, or { all: [...] }.
+ */
+declare const ConditionExpressionSchema: v.GenericSchema<unknown>;
+declare const PolicySchema: v.ObjectSchema<{
+    readonly version: v.LiteralSchema<"1", undefined>;
+    readonly actors: v.RecordSchema<v.StringSchema<undefined>, v.ObjectSchema<{
+        readonly attributes: v.RecordSchema<v.StringSchema<undefined>, any, undefined>;
+    }, undefined>, undefined>;
+    readonly global_roles: v.OptionalSchema<v.RecordSchema<v.StringSchema<undefined>, v.ObjectSchema<{
+        readonly actor_type: v.StringSchema<undefined>;
+        readonly when: v.GenericSchema<unknown>;
+    }, undefined>, undefined>, undefined>;
+    readonly resources: v.RecordSchema<v.StringSchema<undefined>, v.ObjectSchema<{
+        readonly roles: v.ArraySchema<v.StringSchema<undefined>, undefined>;
+        readonly permissions: v.ArraySchema<v.StringSchema<undefined>, undefined>;
+        readonly attributes: v.OptionalSchema<v.RecordSchema<v.StringSchema<undefined>, any, undefined>, undefined>;
+        readonly relations: v.OptionalSchema<v.RecordSchema<v.StringSchema<undefined>, v.StringSchema<undefined>, undefined>, undefined>;
+        readonly grants: v.OptionalSchema<v.RecordSchema<v.StringSchema<undefined>, v.ArraySchema<v.StringSchema<undefined>, undefined>, undefined>, undefined>;
+        readonly derived_roles: v.OptionalSchema<v.ArraySchema<v.ObjectSchema<{
+            readonly role: v.StringSchema<undefined>;
+            readonly from_global_role: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+            readonly from_role: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+            readonly on_relation: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+            readonly from_relation: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+            readonly actor_type: v.OptionalSchema<v.StringSchema<undefined>, undefined>;
+            readonly when: v.OptionalSchema<v.GenericSchema<unknown>, undefined>;
+        }, undefined>, undefined>, undefined>;
+        readonly rules: v.OptionalSchema<v.ArraySchema<v.ObjectSchema<{
+            readonly effect: v.PicklistSchema<["permit", "forbid"], undefined>;
+            readonly roles: v.OptionalSchema<v.ArraySchema<v.StringSchema<undefined>, undefined>, undefined>;
+            readonly permissions: v.ArraySchema<v.StringSchema<undefined>, undefined>;
+            readonly when: v.GenericSchema<unknown>;
+        }, undefined>, undefined>, undefined>;
+        readonly field_access: v.OptionalSchema<v.RecordSchema<v.StringSchema<undefined>, v.ObjectSchema<{
+            readonly read: v.OptionalSchema<v.ArraySchema<v.StringSchema<undefined>, undefined>, undefined>;
+            readonly update: v.OptionalSchema<v.ArraySchema<v.StringSchema<undefined>, undefined>, undefined>;
+        }, undefined>, undefined>, undefined>;
+    }, undefined>, undefined>;
+    readonly tests: v.OptionalSchema<v.ArraySchema<v.ObjectSchema<{
+        readonly name: v.StringSchema<undefined>;
+        readonly actor: v.ObjectSchema<{
+            readonly type: v.StringSchema<undefined>;
+            readonly id: v.StringSchema<undefined>;
+            readonly attributes: v.RecordSchema<v.StringSchema<undefined>, v.UnknownSchema, undefined>;
+        }, undefined>;
+        readonly resolvers: v.OptionalSchema<v.RecordSchema<v.StringSchema<undefined>, v.RecordSchema<v.StringSchema<undefined>, v.UnknownSchema, undefined>, undefined>, undefined>;
+        readonly action: v.StringSchema<undefined>;
+        readonly resource: v.ObjectSchema<{
+            readonly type: v.StringSchema<undefined>;
+            readonly id: v.StringSchema<undefined>;
+            readonly attributes: v.OptionalSchema<v.RecordSchema<v.StringSchema<undefined>, v.UnknownSchema, undefined>, undefined>;
+        }, undefined>;
+        readonly expected: v.PicklistSchema<["allow", "deny"], undefined>;
+    }, undefined>, undefined>, undefined>;
+}, undefined>;
 
 /**
  * Parse and validate a YAML string into a typed Policy object.
@@ -149,23 +208,30 @@ interface NeverConstraint {
 type Constraint = FieldEqConstraint | FieldNeqConstraint | FieldGtConstraint | FieldGteConstraint | FieldLtConstraint | FieldLteConstraint | FieldInConstraint | FieldNinConstraint | FieldExistsConstraint | FieldIncludesConstraint | FieldContainsConstraint | RelationConstraint | HasRoleConstraint | UnknownConstraint | AndConstraint | OrConstraint | NotConstraint | AlwaysConstraint | NeverConstraint;
 /** Leaf constraint subset for ConstraintAdapter.translate(). */
 type LeafConstraint = FieldEqConstraint | FieldNeqConstraint | FieldGtConstraint | FieldGteConstraint | FieldLtConstraint | FieldLteConstraint | FieldInConstraint | FieldNinConstraint | FieldExistsConstraint | FieldIncludesConstraint | FieldContainsConstraint;
-/** Result of partial evaluation. */
-type ConstraintResult = {
-    readonly unrestricted: true;
-} | {
-    readonly forbidden: true;
+/** Result of partial evaluation, tagged with resource type R (phantom). */
+type ConstraintResult<R extends string = string> = {
+    readonly ok: true;
+    readonly constraint: Constraint | null;
+    readonly __resource?: R;
 } | {
-    readonly constraints: Constraint;
+    readonly ok: false;
+    readonly __resource?: R;
 };
-/** User-provided adapter for translating constraint ASTs to queries. */
-interface ConstraintAdapter<TQuery> {
-    translate(constraint: LeafConstraint): TQuery;
-    relation(field: string, resourceType: string, childQuery: TQuery): TQuery;
-    hasRole(actorId: string, actorType: string, role: string): TQuery;
-    unknown(name: string): TQuery;
-    and(queries: TQuery[]): TQuery;
-    or(queries: TQuery[]): TQuery;
-    not(query: TQuery): TQuery;
+/**
+ * User-provided adapter for translating constraint ASTs to queries.
+ * TQueryMap maps resource type names to their query output types.
+ *
+ * BREAKING CHANGE: Previously ConstraintAdapter<TQuery> with a single query type.
+ * Now uses a resource-to-query-type map for per-resource output typing.
+ */
+interface ConstraintAdapter<TQueryMap extends Record<string, unknown> = Record<string, unknown>> {
+    translate(constraint: LeafConstraint): TQueryMap[string];
+    relation(field: string, resourceType: string, childQuery: TQueryMap[string]): TQueryMap[string];
+    hasRole(actorId: string, actorType: string, role: string): TQueryMap[string];
+    unknown(name: string): TQueryMap[string];
+    and(queries: TQueryMap[string][]): TQueryMap[string];
+    or(queries: TQueryMap[string][]): TQueryMap[string];
+    not(query: TQueryMap[string]): TQueryMap[string];
 }
 
 /**
@@ -205,22 +271,22 @@ declare class Toride<S extends TorideSchema = DefaultSchema> {
      * keyed by "Type:id" with arrays of permitted action strings.
      * Suitable for serializing to the client via TorideClient.
      */
-    snapshot(actor: ActorRef<S>, resources: ResourceRef<S>[], options?: CheckOptions): Promise<PermissionSnapshot>;
+    snapshot(actor: ActorRef<S>, resources: ResourceRef<S>[], options?: CheckOptions): Promise<PermissionSnapshot<S>>;
     /**
      * T095: Check if an actor can perform a field-level operation on a specific field.
      * Restricted fields require the actor to have a role listed in field_access.
      * Unlisted fields are unrestricted: any actor with the resource-level permission can access them.
      */
-    canField<R extends S["resources"]>(actor: ActorRef<S>, operation: "read" | "update", resource: ResourceRef<S, R>, field: string, options?: CheckOptions): Promise<boolean>;
+    canField<R extends S["resources"]>(actor: ActorRef<S>, operation: "read" | "update", resource: ResourceRef<S, R>, field: keyof S["resourceAttributeMap"][R] & string, options?: CheckOptions): Promise<boolean>;
     /**
      * T095: Return the list of declared field_access field names the actor can access
      * for the given operation. Only returns explicitly declared fields.
      */
-    permittedFields<R extends S["resources"]>(actor: ActorRef<S>, operation: "read" | "update", resource: ResourceRef<S, R>, options?: CheckOptions): Promise<string[]>;
+    permittedFields<R extends S["resources"]>(actor: ActorRef<S>, operation: "read" | "update", resource: ResourceRef<S, R>, options?: CheckOptions): Promise<(keyof S["resourceAttributeMap"][R] & string)[]>;
     /**
      * T070: Return flat deduplicated list of all resolved roles (direct + derived).
      */
-    resolvedRoles<R extends S["resources"]>(actor: ActorRef<S>, resource: ResourceRef<S, R>, options?: CheckOptions): Promise<string[]>;
+    resolvedRoles<R extends S["resources"]>(actor: ActorRef<S>, resource: ResourceRef<S, R>, options?: CheckOptions): Promise<S["roleMap"][R][]>;
     /**
      * T071: Evaluate multiple checks for the same actor with a shared resolver cache.
      * Returns boolean[] in the same order as the input checks.
@@ -230,12 +296,16 @@ declare class Toride<S extends TorideSchema = DefaultSchema> {
      * T064: Build constraint AST for partial evaluation / data filtering.
      * Returns ConstraintResult with unrestricted/forbidden sentinels or constraint AST.
      */
-    buildConstraints<R extends S["resources"]>(actor: ActorRef<S>, action: S["permissionMap"][R], resourceType: R, options?: CheckOptions): Promise<ConstraintResult>;
+    buildConstraints<R extends S["resources"]>(actor: ActorRef<S>, action: S["permissionMap"][R], resourceType: R, options?: CheckOptions): Promise<ConstraintResult<R>>;
     /**
      * T064: Translate constraint AST using an adapter.
      * Dispatches each constraint node to the adapter's methods.
+     *
+     * Accepts Constraint (the AST) from buildConstraints() and returns
+     * TQueryMap[R] — the adapter's mapped output type for resource R.
+     * Callers must check result.ok and result.constraint before calling this method.
      */
-    translateConstraints<TQuery>(constraints: Constraint, adapter: ConstraintAdapter<TQuery>): TQuery;
+    translateConstraints<R extends string, TQueryMap extends Record<string, unknown>>(constraint: Constraint, adapter: ConstraintAdapter<TQueryMap>): TQueryMap[R];
     /**
      * T072: Fire onDecision audit callback via microtask (non-blocking).
      * Errors are silently swallowed to prevent audit failures from affecting authorization.
@@ -306,4 +376,4 @@ declare function runTestCases(policy: Policy, tests: TestCase[]): Promise<TestRe
 
 declare const VERSION = "0.0.1";
 
-export { ActorRef, BatchCheckItem, CheckOptions, type Constraint, type ConstraintAdapter, type ConstraintResult, DefaultSchema, ExplainResult, type LeafConstraint, PermissionSnapshot, Policy, Resolvers, ResourceRef, type StrictValidationResult, TestCase, type TestFileResult, type TestResult, Toride, TorideOptions, TorideSchema, VERSION, type ValidationDiagnostic, type ValidationResult, createMockResolver, createToride, loadJson, loadYaml, mergePolicies, parseInlineTests, parseTestFile, runTestCases, validatePolicy, validatePolicyResult, validatePolicyStrict };
+export { ActorRef, BatchCheckItem, CheckOptions, ConditionExpressionSchema, type Constraint, type ConstraintAdapter, type ConstraintResult, DefaultSchema, ExplainResult, type LeafConstraint, PermissionSnapshot, Policy, PolicySchema, Resolvers, ResourceRef, type StrictValidationResult, TestCase, type TestFileResult, type TestResult, Toride, TorideOptions, TorideSchema, VERSION, type ValidationDiagnostic, type ValidationResult, createMockResolver, createToride, loadJson, loadYaml, mergePolicies, parseInlineTests, parseTestFile, runTestCases, validatePolicy, validatePolicyResult, validatePolicyStrict };

package/dist/index.js

@@ -1,6 +1,8 @@
 import {
+  ConditionExpressionSchema,
   CycleError,
   DepthLimitError,
+  ForbiddenError,
   PolicySchema,
   Toride,
   ValidationError,
@@ -12,10 +14,10 @@ import {
   validatePolicy,
   validatePolicyResult,
   validatePolicyStrict
-} from "./chunk-24PMDTLE.js";
+} from "./chunk-GRFSE3QO.js";
 import {
   TorideClient
-} from "./chunk-475CNU63.js";
+} from "./chunk-S6DKDABO.js";
 
 // src/policy/parser.ts
 import * as YAML from "yaml";
@@ -47,9 +49,114 @@ function detectOldRelationSyntax(raw) {
     }
   }
 }
-function parsePolicy(raw) {
+function normalizeAttributeValue(raw, depth = 0, format = "yaml") {
+  if (raw === null || raw === void 0) return raw;
+  if (typeof raw === "string") {
+    if (["string", "number", "boolean"].includes(raw)) {
+      return { kind: "primitive", type: raw };
+    }
+    if (format === "yaml" && raw.endsWith("[]")) {
+      const baseType = raw.slice(0, -2);
+      if (["string", "number", "boolean"].includes(baseType)) {
+        return {
+          kind: "array",
+          items: { kind: "primitive", type: baseType }
+        };
+      }
+    }
+  }
+  if (typeof raw === "object" && !Array.isArray(raw)) {
+    const obj = raw;
+    const isCanonical = obj.kind === "primitive" && "type" in obj || obj.kind === "object" && "fields" in obj || obj.kind === "array" && "items" in obj;
+    if (isCanonical) {
+      if (obj.kind === "object" && typeof obj.fields === "object" && obj.fields !== null) {
+        const normalizedFields = {};
+        for (const [key, value] of Object.entries(obj.fields)) {
+          normalizedFields[key] = normalizeAttributeValue(value, depth, format);
+        }
+        return { ...obj, fields: normalizedFields };
+      }
+      if (obj.kind === "array" && "items" in obj) {
+        return { ...obj, items: normalizeAttributeValue(obj.items, depth, format) };
+      }
+      return obj;
+    }
+    if (obj.type === "array" && "items" in obj) {
+      return {
+        kind: "array",
+        items: normalizeAttributeValue(obj.items, depth, format)
+      };
+    }
+    if (depth > 3) {
+      throw new ValidationError(
+        "Attribute nesting depth exceeds maximum of 3",
+        "attributes"
+      );
+    }
+    const normalized = {};
+    for (const [key, value] of Object.entries(obj)) {
+      normalized[key] = normalizeAttributeValue(value, depth + 1, format);
+    }
+    return { kind: "object", fields: normalized };
+  }
+  if (Array.isArray(raw)) {
+    return raw.map((item) => normalizeAttributeValue(item, depth, format));
+  }
+  return raw;
+}
+function normalizeAttributeRecord(attrs, format) {
+  const normalizedAttrs = {};
+  for (const [attrKey, attrValue] of Object.entries(attrs)) {
+    normalizedAttrs[attrKey] = normalizeAttributeValue(attrValue, 0, format);
+  }
+  return normalizedAttrs;
+}
+function normalizeAttributes(raw, format) {
+  if (raw === null || raw === void 0 || typeof raw !== "object" || Array.isArray(raw)) {
+    return raw;
+  }
+  const obj = raw;
+  const normalized = { ...obj };
+  if ("actors" in normalized && typeof normalized.actors === "object" && normalized.actors !== null) {
+    const actors = normalized.actors;
+    const normalizedActors = {};
+    for (const [actorName, actorDef] of Object.entries(actors)) {
+      if (typeof actorDef === "object" && actorDef !== null) {
+        const actor = actorDef;
+        const normalizedActor = { ...actor };
+        if ("attributes" in normalizedActor && typeof normalizedActor.attributes === "object" && normalizedActor.attributes !== null) {
+          normalizedActor.attributes = normalizeAttributeRecord(normalizedActor.attributes, format);
+        }
+        normalizedActors[actorName] = normalizedActor;
+      } else {
+        normalizedActors[actorName] = actorDef;
+      }
+    }
+    normalized.actors = normalizedActors;
+  }
+  if ("resources" in normalized && typeof normalized.resources === "object" && normalized.resources !== null) {
+    const resources = normalized.resources;
+    const normalizedResources = {};
+    for (const [resName, resDef] of Object.entries(resources)) {
+      if (typeof resDef === "object" && resDef !== null) {
+        const resource = resDef;
+        const normalizedResource = { ...resource };
+        if ("attributes" in normalizedResource && typeof normalizedResource.attributes === "object" && normalizedResource.attributes !== null) {
+          normalizedResource.attributes = normalizeAttributeRecord(normalizedResource.attributes, format);
+        }
+        normalizedResources[resName] = normalizedResource;
+      } else {
+        normalizedResources[resName] = resDef;
+      }
+    }
+    normalized.resources = normalizedResources;
+  }
+  return normalized;
+}
+function parsePolicy(raw, format) {
   detectOldRelationSyntax(raw);
-  const result = v.safeParse(PolicySchema, raw);
+  const normalizedRaw = normalizeAttributes(raw, format);
+  const result = v.safeParse(PolicySchema, normalizedRaw);
   if (!result.success) {
     const issue = result.issues[0];
     const path = issue?.path?.map((p) => String(p.key)).join(".") ?? "";
@@ -72,7 +179,7 @@ async function loadYaml(input) {
       ""
     );
   }
-  return parsePolicy(raw);
+  return parsePolicy(raw, "yaml");
 }
 async function loadJson(input) {
   let raw;
@@ -84,7 +191,7 @@ async function loadJson(input) {
       ""
     );
   }
-  return parsePolicy(raw);
+  return parsePolicy(raw, "json");
 }
 
 // src/policy/merger.ts
@@ -155,6 +262,7 @@ function mergeResourceBlock(resourceName, base, overlay) {
   const derived_roles = appendArrays(base.derived_roles, overlay.derived_roles);
   const rules = appendArrays(base.rules, overlay.rules);
   const field_access = mergeFieldAccess(base.field_access, overlay.field_access);
+  const attributes = mergeAttributes(base.attributes, overlay.attributes);
   const result = {
     roles,
     permissions,
@@ -162,10 +270,17 @@ function mergeResourceBlock(resourceName, base, overlay) {
     ...relations && Object.keys(relations).length > 0 ? { relations } : {},
     ...derived_roles && derived_roles.length > 0 ? { derived_roles } : {},
     ...rules && rules.length > 0 ? { rules } : {},
-    ...field_access && Object.keys(field_access).length > 0 ? { field_access } : {}
+    ...field_access && Object.keys(field_access).length > 0 ? { field_access } : {},
+    ...attributes && Object.keys(attributes).length > 0 ? { attributes } : {}
   };
   return result;
 }
+function mergeAttributes(base, overlay) {
+  if (!base && !overlay) return void 0;
+  if (base) assertNoDangerousKeys(base, "base attributes");
+  if (overlay) assertNoDangerousKeys(overlay, "overlay attributes");
+  return { ...base ?? {}, ...overlay ?? {} };
+}
 function unionArrays(a, b) {
   return [.../* @__PURE__ */ new Set([...a, ...b])];
 }
@@ -226,8 +341,11 @@ function mergeFieldAccess(base, overlay) {
 // src/index.ts
 var VERSION = "0.0.1";
 export {
+  ConditionExpressionSchema,
   CycleError,
   DepthLimitError,
+  ForbiddenError,
+  PolicySchema,
   Toride,
   TorideClient,
   VERSION,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "toride",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "Relation-aware authorization engine for TypeScript",
   "type": "module",
   "exports": {
@@ -19,7 +19,8 @@
     "toride": "./dist/cli.js"
   },
   "files": [
-    "dist"
+    "dist",
+    "schema"
   ],
   "nx": {
     "tags": [