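import { t as AccessControl } from "./access-control-DVisXdFb.cjs";

//#region src/core/validate/validate.types.d.ts
declare namespace IamValidate {
  /**
   * Closed set of machine-readable codes the validator can emit. Switch on this
   * to drive UI / telemetry; the compiler enforces exhaustiveness.
   */
  type ValidationCode =
    | 'BROAD_ALLOW'
    | 'CIRCULAR_INHERIT'
    | 'DANGLING_INHERIT'
    | 'DUPLICATE_ROLE_ID'
    | 'DUPLICATE_RULE_ID'
    | 'EMPTY_ROLE'
    | 'ERR_REGEX_CATASTROPHIC'
    | 'INHERITANCE_TOO_DEEP'
    | 'INVALID_ALGORITHM'
    | 'INVALID_CONDITION'
    | 'INVALID_EFFECT'
    | 'INVALID_OPERATOR'
    | 'INVALID_RULE'
    | 'INVALID_TYPE'
    | 'LIMIT_EXCEEDED'
    | 'MISSING_FIELD'
    | 'UNRESOLVABLE_FIELD'
    | 'UNRESOLVABLE_VALUE';

  /**
   * A single issue produced by validation.
   *
   * Errors flip {@link IResult.valid} to `false`; warnings do not.
   */
  interface IIssue {
    /** `'error'` blocks usage, `'warning'` is informational. */
    readonly type: 'error' | 'warning';
    /** Machine-readable code - see {@link ValidationCode}. */
    readonly code: ValidationCode;
    /** Human-readable description. */
    readonly message: string;
    /** Role ID involved, when emitted by role validation. */
    readonly roleId?: string;
    /** Dot-path into the offending field, when emitted by policy validation. */
    readonly path?: string;
  }

  /**
   * The result of a validation operation.
   *
   * `valid` is `true` when there are no error-level issues.
   * Warning-level issues do not affect `valid`, so a caller that gates only on
   * `valid` never sees them; read `issues` as well when warnings should be
   * logged or reviewed.
   */
  interface IResult {
    /** Whether the validated input is free of errors. */
    readonly valid: boolean;
    /** All issues found during validation (both errors and warnings). */
    readonly issues: readonly IIssue[];
  }
}
//#endregion

//#region src/core/validate/validate.d.ts
/**
 * Validate role definitions: duplicate ids, dangling/circular inherits, empty roles.
 *
 * @param roles - The role definitions to validate.
 * @returns A {@link IamValidate.IResult} listing any issues found.
 */
declare function validateRoles(roles: readonly AccessControl.IRole[]): IamValidate.IResult;

/**
 * Deep-validate an untrusted policy (id, name, algorithm, rules, conditions).
 *
 * The result is advisory: nothing in this signature stops a caller from using
 * `input` after a failed validation, so check `valid` before the policy is
 * stored or evaluated.
 *
 * @param input - The candidate policy object (typically parsed JSON or an admin form payload).
 * @returns A {@link IamValidate.IResult} with `valid: false` when any error issue was emitted.
 */
declare function validatePolicy(input: unknown): IamValidate.IResult;

/**
 * Shape guard for a single Role: `id` non-empty, `permissions` array, optional `inherits: string[]`.
 *
 * Only the shape of one role is described here; the cross-role checks
 * (duplicate ids, dangling or circular inherits) are documented on
 * {@link validateRoles}.
 *
 * @param input - The candidate role object (typically parsed JSON).
 * @returns A {@link IamValidate.IResult} with `valid: false` when any error issue was emitted.
 */
declare function validateRole(input: unknown): IamValidate.IResult;

/**
 * Parse a single policy row from `unknown`; returns the typed row or `null` on validation failure.
 *
 * A `null` return carries no issue list, so the caller decides what to do with
 * a rejected row; dropping or refusing it keeps unvalidated data out of the
 * policy set.
 *
 * NOTE(review): the `@template` tags below name type parameters that this
 * declaration does not declare - confirm against the source signature. As
 * described, they are compile-time constraints only, so action / resource /
 * role strings are not checked against those unions at runtime.
 *
 * @template TAction - Action string union (TS-only constraint; trusted at the adapter boundary).
 * @template TResource - Resource string union (TS-only constraint; trusted at the adapter boundary).
 * @template TRole - Role string union (TS-only constraint; trusted at the adapter boundary).
 * @param raw - The untyped row to parse.
 * @returns The typed policy, or `null` when validation fails.
 */
declare function parsePolicyRow(raw: unknown): AccessControl.IPolicy | null;

/**
 * Parse a single role row. Mirror of {@link parsePolicyRow}.
 *
 * @param raw - The untyped row to parse.
 * @returns The typed role, or `null` when validation fails.
 */
declare function parseRoleRow(raw: unknown): AccessControl.IRole | null;
//#endregion

//#region src/core/validate/validate.libs.d.ts
/**
 * Maximum number of unbounded quantifiers (`+`, `*`, `{n,}`) allowed in a
 * single `matches` pattern. Beyond this the surface area for catastrophic
 * backtracking gets impractical to reason about, so we refuse outright.
 */
declare const MAX_UNBOUNDED_QUANTIFIERS = 4;

/**
 * Cheap heuristic for catastrophic-backtracking regex (nested quantifiers, large bounds, backref-quantifier, etc).
 *
 * This is a heuristic, not a proof: `safe: true` means the pattern looks
 * benign to these checks, not that matching is guaranteed to run in linear
 * time. Keep the input-length caps ({@link MAX_CONDITION_VALUE_LENGTH}) in
 * place alongside it.
 *
 * @param pattern - Raw regex source.
 * @returns `{ safe: true }` when the pattern looks benign, otherwise `{ safe: false, reason }`.
 */
declare function detectCatastrophicRegex(pattern: string): {
  safe: boolean;
  reason?: string;
};

/**
 * Field paths longer than this are refused. The runtime DotPath resolver
 * splits on dots, so an enormous field string would cost O(length) work
 * per evaluation with no upside.
 */
declare const MAX_FIELD_LENGTH = 256;

/** Max allowed length for a string `value` on a condition. */
declare const MAX_CONDITION_VALUE_LENGTH = 1024;

// NOTE(review): the three Set declarations below had no type argument, which
// TypeScript rejects (Set<T> requires one). `string` matches their
// descriptions ("names", "values"); confirm the exact element type against
// validate.libs.ts.

/** Valid combining algorithm names. */
declare const VALID_ALGORITHMS: Set<string>;

/** Valid rule effect values. */
declare const VALID_EFFECTS: Set<string>;

/**
 * Validate-time policy size caps.
 *
 * `indexPolicy()` builds an `actions x resources` cartesian per rule, so an
 * unbounded policy can stall the event loop. Limits also cap memory growth
 * in {@link IamEngine}'s LRU caches.
 *
 * The per-list caps alone would allow 100 x 100 = 10,000 pairs per rule, so
 * `cartesianPerRule` is the tighter bound whenever both lists are large.
 */
declare const POLICY_LIMITS: {
  readonly rulesPerPolicy: 1000;
  readonly actionsPerRule: 100;
  readonly resourcesPerRule: 100;
  /** Worst-case cartesian product per rule. */
  readonly cartesianPerRule: 1000;
};

/** Set of valid condition operator names supported by the condition evaluator. */
declare const VALID_OPERATORS: Set<string>;
//#endregion

export { VALID_ALGORITHMS as a, detectCatastrophicRegex as c, validatePolicy as d, validateRole as f, POLICY_LIMITS as i, parsePolicyRow as l, IamValidate as m, MAX_FIELD_LENGTH as n, VALID_EFFECTS as o, validateRoles as p, MAX_UNBOUNDED_QUANTIFIERS as r, VALID_OPERATORS as s, MAX_CONDITION_VALUE_LENGTH as t, parseRoleRow as u };
//# sourceMappingURL=index-BiHsxIXO.d.cts.map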