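import { t as IamClient } from "./client-0N6XNM6z.cjs";

// NOTE(review): this listing reached the corpus with every `<...>` type-argument
// list stripped (bare `Record`, `ReadonlyArray`, `IRule`, ...), which does not
// compile. Type parameters below are reconstructed from the surviving
// `@template` tags and the prose in each doc comment; argument lists that the
// prose does not pin down are marked and should be verified against the
// published `access-control.d.cts`.

//#region src/core/types/primitives.d.ts
declare namespace IamPrimitives {
  /**
   * Single scalar value: every JSON-compatible primitive the condition engine
   * can compare. Leaf of the duck-iam type system.
   */
  type Scalar = string | number | boolean | null;

  /**
   * Any value storable in an attribute map or usable as a condition operand -
   * a single {@link Scalar}, an array of scalars, or a one-level object of
   * scalars. Arrays drive set operators (`in`, `nin`, `subset_of`,
   * `superset_of`).
   *
   * NOTE(review): the object branch's value type was lost in extraction;
   * `Record<string, Scalar>` is the reading consistent with "JSON-compatible
   * primitive" - confirm.
   */
  type AttributeValue = Scalar | Scalar[] | Record<string, Scalar>;

  /**
   * String-keyed record of {@link AttributeValue} entries. Used for subject
   * attributes, resource attributes, environment, and metadata bags.
   *
   * Security note: subject/environment attributes are what conditions are
   * evaluated against. Whether a given key is attacker-influenced (e.g. copied
   * from a request body) is decided by the caller that builds this map, not by
   * the engine - treat that boundary as the trust boundary.
   */
  type Attributes = Record<string, AttributeValue>;
}
//#endregion

//#region src/core/types/access-control.d.ts
declare namespace AccessControl {
  /**
   * The outcome a rule produces when it matches: grant or block access.
   *
   * @example
   * ```ts
   * const allow: AccessControl.Effect = 'allow'
   * const deny: AccessControl.Effect = 'deny'
   * ```
   */
  type Effect = 'allow' | 'deny';

  /**
   * Comparison operators supported by the condition engine.
   *
   * | Operator | Meaning |
   * |---|---|
   * | `eq` / `neq` | Equals / not equals |
   * | `gt` / `gte` / `lt` / `lte` | Numeric comparisons |
   * | `in` / `nin` | Value is / is not in the given array |
   * | `contains` / `not_contains` | Array contains / does not contain the value |
   * | `starts_with` / `ends_with` | String prefix / suffix |
   * | `matches` | String matches a regex pattern |
   * | `exists` / `not_exists` | Field is / is not defined |
   * | `subset_of` / `superset_of` | Array subset / superset check |
   *
   * Security note on `matches`: the pattern is supplied by the policy author
   * and compiled by the engine. Policies are normally trusted configuration,
   * but if rules can be authored by tenants or end users, an unanchored or
   * catastrophically backtracking pattern is a denial-of-service (ReDoS) and
   * over-match risk. Anchoring and flag semantics are not visible from these
   * types - check the operator implementation before relying on them.
   */
  type Operator =
    | 'eq'
    | 'neq'
    | 'gt'
    | 'gte'
    | 'lt'
    | 'lte'
    | 'in'
    | 'nin'
    | 'contains'
    | 'not_contains'
    | 'starts_with'
    | 'ends_with'
    | 'matches'
    | 'exists'
    | 'not_exists'
    | 'subset_of'
    | 'superset_of';

  /**
   * Leaf condition: compares a dot-path field against a value via an
   * {@link Operator}. Building block of {@link IConditionGroup} trees.
   */
  interface ICondition {
    /** Dot-path to the attribute being tested (e.g. `'subject.attributes.status'`). */
    readonly field: string;
    /** Comparison operator to apply. */
    readonly operator: Operator;
    /**
     * Right-hand side value. Omit for unary operators like `exists`.
     * Nothing in the type ties `value` to `operator`, so e.g. `gt` with a
     * string operand is representable; the engine's behaviour in that case is
     * not visible here.
     */
    readonly value?: IamPrimitives.AttributeValue;
  }

  /**
   * Recursive tree of conditions combined with boolean logic. Exactly one key
   * must be present: `all` (AND), `any` (OR), or `none` (NOT / NOR).
   *
   * Children may be leaf {@link ICondition}s or nested groups.
   */
  type IConditionGroup =
    | { readonly all: ReadonlyArray<ICondition | IConditionGroup> }
    | { readonly any: ReadonlyArray<ICondition | IConditionGroup> }
    | { readonly none: ReadonlyArray<ICondition | IConditionGroup> };

  /**
   * Atomic unit of an ABAC policy. Declares an {@link Effect}, the actions /
   * resources it covers, an optional priority, and a condition tree that must
   * hold for the rule to fire.
   *
   * @template TAction - Union of valid action strings.
   * @template TResource - Union of valid resource strings.
   */
  interface IRule<TAction extends string = string, TResource extends string = string> {
    readonly id: string;
    readonly effect: Effect;
    /** Human-readable description for audit logs and explain output. */
    readonly description?: string;
    /** Higher values evaluated first under `highest-priority` and `first-match`. */
    readonly priority: number;
    /**
     * Actions this rule applies to. `'*'` matches all actions.
     * Review wildcard allow-rules carefully: `actions: ['*']` combined with
     * `resources: ['*']` and an empty condition tree is a blanket grant.
     */
    readonly actions: readonly (TAction | '*')[];
    /** Resources this rule applies to. `'*'` matches all resources. */
    readonly resources: readonly (TResource | '*')[];
    readonly conditions: IConditionGroup;
    /** Arbitrary metadata for admin dashboards, audit logs, or app bookkeeping. */
    readonly metadata?: Readonly<IamPrimitives.Attributes>;
  }

  /**
   * Intra-policy rule conflict resolution.
   *
   * | Algorithm | Behavior |
   * |---|---|
   * | `deny-overrides` | Any deny wins. Default. |
   * | `allow-overrides` | Any allow wins. Best for RBAC / permissive rules. |
   * | `first-match` | Highest-priority match wins; ties resolved by source order. |
   * | `highest-priority` | Rule with the highest priority number wins. |
   *
   * `deny-overrides` is the fail-closed choice. Under `allow-overrides` a
   * single broad allow rule silences every deny in the policy, and under
   * `highest-priority` the tie-breaking order between two rules with equal
   * priority is not specified by this type - avoid relying on it for
   * deny rules.
   */
  type CombiningAlgorithm = 'deny-overrides' | 'allow-overrides' | 'first-match' | 'highest-priority';

  /**
   * Cross-policy combine strategy.
   *
   * | Mode | Behavior |
   * |---|---|
   * | `and` | Every policy must allow. Any deny is final. Default. |
   * | `allow-overrides` | Any policy that allows wins. |
   * | `first-applicable` | First policy whose targets+rules produce a non-default decision wins. |
   *
   * Under `first-applicable` the policy registration order becomes
   * security-relevant; keep it deterministic.
   */
  type PolicyCombine = 'and' | 'allow-overrides' | 'first-applicable';

  /**
   * An ABAC policy: named collection of {@link IRule} objects plus a
   * {@link CombiningAlgorithm}. Cross-policy decisions are merged by the
   * engine according to its `policyCombine` setting (default `'and'`).
   *
   * @template TAction - Union of valid action strings.
   * @template TResource - Union of valid resource strings.
   * @template TRole - Union of valid role IDs targeted by `targets.roles`.
   */
  interface IPolicy<
    TAction extends string = string,
    TResource extends string = string,
    TRole extends string = string,
  > {
    readonly id: string;
    readonly name: string;
    readonly description?: string;
    /** Version for tracking policy changes over time. */
    readonly version?: number;
    readonly algorithm: CombiningAlgorithm;
    readonly rules: readonly IRule<TAction, TResource>[];
    /**
     * Optional target constraints. The policy is skipped (NotApplicable) when
     * any specified dimension does not match the request.
     *
     * A skipped policy contributes nothing - under `policyCombine: 'and'` a
     * request that matches no policy at all therefore has no allow, so the
     * outcome depends on the engine's default for that case, which is not
     * visible from these types.
     */
    readonly targets?: {
      readonly actions?: readonly (TAction | '*')[];
      readonly resources?: readonly (TResource | '*')[];
      readonly roles?: readonly TRole[];
    };
  }

  /**
   * A single action/resource permission entry within an {@link IRole}. RBAC
   * primitive - at evaluation time `rolesToPolicy()` turns each permission
   * into an allow rule that flows through the ABAC engine.
   *
   * @template TAction - Union of valid action strings.
   * @template TResource - Union of valid resource strings.
   * @template TScope - Union of valid scope strings.
   */
  interface IPermission<
    TAction extends string = string,
    TResource extends string = string,
    TScope extends string = string,
  > {
    /** Action this permission grants, or `'*'` for all. */
    readonly action: TAction | '*';
    /** Resource this permission applies to, or `'*'` for all. */
    readonly resource: TResource | '*';
    /** Optional scope restriction. */
    readonly scope?: TScope | '*';
    /** Optional conditions (used by `grantWhen`). */
    readonly conditions?: IConditionGroup;
  }

  /**
   * An RBAC role: named set of {@link IPermission} entries with optional
   * inheritance. `rolesToPolicy()` converts every role into ABAC rules so
   * RBAC + ABAC compose through the same engine.
   *
   * @template TAction - Union of valid action strings.
   * @template TResource - Union of valid resource strings.
   * @template TId - Literal string type of the role ID.
   * @template TScope - Union of valid scope strings.
   */
  interface IRole<
    TAction extends string = string,
    TResource extends string = string,
    TId extends string = string,
    TScope extends string = string,
  > {
    readonly id: TId;
    readonly name: string;
    readonly description?: string;
    readonly permissions: readonly IPermission<TAction, TResource, TScope>[];
    /**
     * Parent role IDs to inherit permissions from (resolved recursively).
     * Because permissions only ever accumulate through inheritance, a role's
     * effective grant is the union of its whole ancestor chain; the type does
     * not prevent inheritance cycles or unknown parent IDs, so how
     * `rolesToPolicy()` handles those must be checked in the implementation.
     */
    readonly inherits?: readonly string[];
    /** Default scope applied to all permissions in this role. */
    readonly scope?: TScope;
    readonly metadata?: Readonly<IamPrimitives.Attributes>;
  }

  /**
   * Result of an authorization evaluation. Final verdict plus diagnostic info
   * about which rule and policy produced the decision.
   *
   * `reason`, `rule` and `policy` describe internal policy structure; do not
   * echo them to untrusted callers in error responses.
   */
  interface IDecision {
    readonly allowed: boolean;
    readonly effect: Effect;
    readonly rule?: IRule;
    /** ID of the policy that produced this decision (if any). */
    readonly policy?: string;
    readonly reason: string;
    /** Time in milliseconds the evaluation took. */
    readonly duration: number;
    /** Unix timestamp (ms) when the decision was made. */
    readonly timestamp: number;
    /**
     * `false` when the policy's targets did not match the request - the policy
     * is NotApplicable and contributes nothing to the cross-policy combine.
     * Omitted (or `true`) for applicable decisions.
     */
    readonly applicable?: boolean;
  }

  /**
   * Engine execution mode.
   *
   * - `'development'` returns rich {@link IDecision} objects with timing,
   *   reasons, rule references, and the full explain/debug API. Default.
   * - `'production'` returns plain booleans. No timing overhead, no
   *   allocation, no reason strings. Enables dead-code elimination of debug
   *   paths.
   *
   * Operational note: in `'production'` mode the decision carries no
   * rule/policy attribution, so audit logging of *why* access was denied has
   * to come from elsewhere.
   */
  type Mode = 'development' | 'production';

  /**
   * Conditional return type based on engine mode. Production -> `boolean`,
   * development -> {@link IDecision}.
   *
   * @template M - The engine {@link Mode}.
   */
  type ModeResult<M extends Mode> = M extends 'production' ? boolean : IDecision;

  /**
   * Conditional permission map type based on engine mode. Production ->
   * `Record<string, boolean>`, development -> typed {@link IamClient.PermissionMap}.
   *
   * NOTE(review): the production record's value type was lost in extraction;
   * `boolean` follows from "production returns plain booleans" - confirm.
   *
   * @template M - The engine {@link Mode}.
   * @template TAction - Union of valid action strings.
   * @template TResource - Union of valid resource strings.
   * @template TScope - Union of valid scope strings.
   */
  type ModePermissionMap<
    M extends Mode,
    TAction extends string = string,
    TResource extends string = string,
    TScope extends string = string,
  > = M extends 'production'
    ? Record<string, boolean>
    : IamClient.PermissionMap<TAction, TResource, TScope>;

  /**
   * Function signature for a single operator implementation evaluating a
   * `(field, value)` pair from a condition. `field` is the resolved attribute
   * value, `value` the condition's right-hand side.
   */
  type OpFn = (field: IamPrimitives.AttributeValue, value: IamPrimitives.AttributeValue) => boolean;
}
//#endregion

export { IamPrimitives as n, AccessControl as t };
//# sourceMappingURL=access-control-DVisXdFb.d.cts.map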