/** * Validator for authorizer expressions. * * Validates that: * - Model field references exist on the parent model * - Auth field references are valid AuthContext properties * - Role names exist in project config (warning only) */ import type { PluginSpecStore } from '#src/plugins/index.js'; import type { RefExpressionWarning } from '#src/references/expression-types.js'; import type { AuthorizerExpressionNode } from './authorizer-expression-ast.js'; /** * Information about a model relation for nested authorizer validation. */ export interface RelationValidationInfo { /** Number of foreign key references (must be 1 for nested authorizer support) */ referenceCount: number; /** Foreign model name (for error messages) */ foreignModelName: string; /** Set of role names defined on the foreign model's authorizer */ foreignAuthorizerRoleNames: Set; /** Scalar field names on the foreign model (for relation filter condition validation) */ foreignScalarFieldNames?: Set; /** Field type map for the foreign model (for type-checking relation filter condition values) */ foreignFieldTypes?: Map; /** Whether this is a local relation (FK on this model) or foreign/reverse (FK on the other model) */ direction: 'local' | 'foreign'; } /** * Model information needed for validation. */ export interface ModelValidationContext { /** The model name (for error messages) */ modelName: string; /** Set of valid scalar field names on the model */ scalarFieldNames: Set; /** Map of field name → field type (for literal type-checking) */ fieldTypes: Map; /** Map of relation name → relation validation info (for nested authorizer checks) */ relationInfo?: Map; } /** * Validate an authorizer expression AST against model and project context. * * @param ast - The parsed expression AST * @param modelContext - Information about the parent model * @param pluginStore - The plugin spec store for accessing auth config * @param definition - The raw project definition data * @returns Array of warnings (errors are thrown, warnings are returned) * * @example * ```typescript * const warnings = validateAuthorizerExpression( * ast, * { modelName: 'User', scalarFieldNames: new Set(['id', 'email']) }, * pluginStore, * definition, * ); * ``` */ export declare function validateAuthorizerExpression(ast: AuthorizerExpressionNode, modelContext: ModelValidationContext, pluginStore: PluginSpecStore, definition: unknown): RefExpressionWarning[]; /** * Shape of a model for expression context building. * Uses structural typing so both raw JSON shapes and typed `ModelConfig` objects * can be passed directly. */ interface ExpressionContextModel { id?: string; name: string; authorizer?: { roles?: readonly { name: string; }[]; }; /** Top-level fields (used by raw JSON shapes) */ fields?: readonly { name: string; type?: string; }[]; model?: { /** Nested fields (used by typed ModelConfig objects) */ fields?: readonly { name: string; type?: string; }[]; relations?: readonly { name: string; modelRef: string; foreignRelationName?: string; references?: readonly unknown[]; }[]; }; } /** * Build complete model expression context from a model and all project models. * * This is the primary entry point for building validation and autocomplete context. * It discovers both local relations (FK on this model) and foreign/reverse relations * (FK on other models pointing to this model) for use with `hasRole()`, `exists()`, `all()`, etc. * * @param model - The current model (structural typing: works with both typed ModelConfig and raw JSON) * @param allModels - All models in the project * @returns Complete model validation context including all relations */ export declare function buildModelExpressionContext(model: ExpressionContextModel, allModels: readonly ExpressionContextModel[]): ModelValidationContext; export {}; //# sourceMappingURL=authorizer-expression-validator.d.ts.map