import { t as IamClient } from "./client-0N6XNM6z.cjs";
import { n as IamPrimitives, t as AccessControl } from "./access-control-DVisXdFb.cjs";
import { a as RuleBuilder, l as DotPath, r as PolicyBuilder, s as When, t as RoleBuilder } from "./index-BlLbHP8y.cjs";
import { t as IamRequest } from "./request-CuQVve_Q.cjs";
import { r as Explain } from "./index-CYPpWGeN.cjs";
import { t as IamEngineTypes } from "./engine.types-wauDWMK4.cjs";
import { m as IamValidate } from "./index-BiHsxIXO.cjs";
//#region src/core/types/caches.d.ts
/**
 * Per-Engine evaluation caches. Evaluators accept an optional `caches?`
 * argument so the regex and dot-path caches are scoped to one Engine
 * instance instead of the process-wide defaults. In multi-tenant
 * deployments this is the isolation boundary: one tenant's pattern
 * flooding can only evict entries from its own maps.
 *
 * NOTE(review): generic type arguments on `Map` appear to have been
 * stripped from this rendering of the declaration file (the `@example`
 * blocks further down still show angle brackets); confirm the key/value
 * types against the emitted `.d.cts` before relying on them.
 */
interface IamEvalCaches {
  /** Compiled-regex LRU shared by the `matches` operator. */
  regex: Map;
  /** Resolved dot-path segment FIFO. */
  path: Map;
}
/**
 * Construct a fresh pair of evaluation caches.
 *
 * Call once per Engine (or per tenant) and pass the result as `caches` to
 * the evaluators so they never touch the shared process-wide maps.
 *
 * @returns A new {@link IamEvalCaches} with empty maps.
 */
declare function iamCreateEvalCaches(): IamEvalCaches;
//#endregion
//#region src/core/conditions/conditions.d.ts
/**
 * Evaluate a single operator against its two operands. Exposed for
 * explain/trace functionality.
 *
 * Both operands are taken as given; resolution of `$`-references is a
 * separate step (see {@link resolveConditionValue}), so a caller that uses
 * this directly is presumably responsible for resolving the right-hand
 * side first - confirm against the implementation.
 *
 * @param op - The operator to apply.
 * @param fieldValue - Left-hand side resolved from the request.
 * @param condValue - Right-hand side from the condition.
 * @returns `true` when the operator predicate holds.
 */
declare function evaluateOperator(op: AccessControl.Operator, fieldValue: IamPrimitives.AttributeValue, condValue: IamPrimitives.AttributeValue): boolean;
/**
 * Resolve `$`-variable references in condition values against a request,
 * e.g. `$subject.id` is looked up on the request at evaluation time.
 *
 * @param req - The access request providing resolution roots.
 * @param value - Raw condition value (possibly `$`-prefixed reference).
 * @returns The resolved value, or `value` unchanged when no resolution applies.
 */
declare function resolveConditionValue(req: IamRequest.IAccessRequest, value: IamPrimitives.AttributeValue): IamPrimitives.AttributeValue;
/**
 * Evaluates a condition group tree against an access request.
*
 * Handles `all` (AND), `any` (OR), and `none` (NOT/NOR) groups recursively.
 * Fails closed (returns `false`) when nesting exceeds `MAX_CONDITION_DEPTH`,
 * so an over-deep policy can only lose access, never gain it.
 *
 * @param req - The access request providing field values
 * @param group - The condition group to evaluate
 * @param depth - Current recursion depth (internal, do not set)
 * @param caches - Optional per-instance regex/path caches; omit to use the process-wide defaults
 * @returns Whether the condition group is satisfied
 */
declare function evalConditionGroup(req: IamRequest.IAccessRequest, group: AccessControl.IConditionGroup, depth?: number, caches?: { regex?: Map; path?: Map; }): boolean;
//#endregion
//#region src/core/conditions/conditions.libs.d.ts
/**
 * Max allowed regex pattern length to mitigate ReDoS. Catastrophic
 * backtracking patterns are tiny (e.g. `(a+)+$`), so a tight bound here is
 * appropriate - larger patterns only give attackers more rope.
 *
 * This is a bound, not a guarantee: a pattern well under 128 characters can
 * still backtrack catastrophically. The primary defence is that `matches`
 * refuses request-sourced (`$`-resolved) patterns, so patterns only ever
 * come from policy authors (see `isUserSourcedValue`).
 */
declare const MAX_REGEX_LENGTH = 128;
/**
 * LRU cache capacity for compiled regex patterns. Shared by both the
 * process-wide default cache and per-instance caches an engine may pass in.
 */
declare const REGEX_CACHE_MAX = 256;
/**
 * Default process-wide LRU cache for compiled regex patterns. Used when a
 * caller does not pass a per-instance cache. Multi-tenant deployments should
 * prefer per-Engine caches to prevent cross-tenant eviction.
 */
declare const regexCache: Map;
/**
 * Compile (or fetch from cache) the regex for a `matches` operand.
 *
 * @param pattern - Regex source taken from the condition value.
 * @param cache - Optional per-instance cache; defaults to the process-wide `regexCache`.
 * @returns The compiled `RegExp`, or `null` when the pattern is not accepted.
 *   NOTE(review): the rejection conditions are not stated here - presumably
 *   exceeding `MAX_REGEX_LENGTH` or failing to compile; confirm. A `null`
 *   should be treated by callers as "condition does not hold", not skipped.
 */
declare function getCachedRegex(pattern: string, cache?: Map): RegExp | null;
/** Record mapping every supported operator to its implementation function. */
declare const ops: Record;
/**
 * Maximum nesting depth for condition groups to prevent stack overflow.
 * Groups nested deeper than this evaluate to `false` (fail closed).
 */
declare const MAX_CONDITION_DEPTH = 10;
/**
 * Type guard that distinguishes a flat {@link AccessControl.ICondition} from a nested {@link AccessControl.IConditionGroup}.
 *
 * @param item - Either a leaf condition or a group node.
 * @returns `true` when `item` is a leaf `ICondition`.
*/
declare function isCondition(item: AccessControl.ICondition | AccessControl.IConditionGroup): item is AccessControl.ICondition;
/**
 * Resolve a condition value, handling `$`-prefixed variable references.
 * e.g. `$subject.id` resolves to the request's subject.id at eval time.
 *
 * Lower-level sibling of {@link resolveConditionValue} that additionally
 * accepts a per-instance dot-path cache.
 *
 * @param req - The access request providing resolution roots.
 * @param value - Raw condition value (possibly `$`-prefixed reference).
 * @param caches - Optional per-instance dot-path cache; omit to use the process-wide default.
 * @returns The resolved value, or `value` unchanged when no `$` prefix is present.
 */
declare function resolveValue(req: IamRequest.IAccessRequest, value: IamPrimitives.AttributeValue, caches?: { path?: Map; }): IamPrimitives.AttributeValue;
/**
 * The `matches` operator compiles the value into a regex. Allowing a
 * `$`-prefixed value to resolve from request attributes would let any
 * attacker who controls a subject/resource/env attribute pin in a
 * catastrophic regex (ReDoS). We refuse `$`-resolved patterns for
 * `matches` regardless of where the attribute came from.
 *
 * Consequence for policy authors: a `matches` pattern must be a literal in
 * the policy. A `$`-reference in that position is refused (presumably the
 * condition then evaluates to `false` - confirm) and should be treated as
 * an authoring error, never as a wildcard.
 *
 * @param value - Candidate operand value to inspect.
 * @returns `true` when the value is a `$`-prefixed string reference.
 */
declare function isUserSourcedValue(value: IamPrimitives.AttributeValue): boolean;
/**
 * Evaluate a single flat condition against an access request.
 *
 * @param req - The access request providing field values.
 * @param cond - The condition to test.
 * @param caches - Optional per-instance regex/path caches; omit to use the process-wide defaults.
 * @returns `true` when the operator predicate holds against the resolved field.
 */
declare function evalCondition(req: IamRequest.IAccessRequest, cond: AccessControl.ICondition, caches?: { regex?: Map; path?: Map; }): boolean;
//#endregion
//#region src/core/engine/engine.d.ts
/**
 * Flush process-wide regex + dot-path caches; schedule periodically in
 * multi-tenant deployments. Only the shared default maps are cleared;
 * Engines that own per-instance caches presumably keep theirs, so
 * per-Engine caches remain the preferred isolation boundary and this is a
 * backstop for code paths that still fall through to the shared defaults.
 */
declare function iamFlushSharedCaches(): void;
/**
 * Central runtime that evaluates access requests against RBAC roles and ABAC
 * policies.
*
 * Loads roles + policies from its adapter, caches them with configurable TTL,
 * converts RBAC roles into ABAC rules via {@link rolesToPolicy}, and merges
 * decisions across all policies according to its `policyCombine` setting
 * (default `'and'`; see {@link AccessControl.PolicyCombine}).
 *
 * Security posture to understand before configuring:
 * - Adapter reads are bounded by `adapterTimeoutMs`; a timeout is routed
 *   into a deny, so a slow or unreachable policy store fails closed.
 * - Operator hooks that throw are logged, not surfaced: the throw neither
 *   blocks the request nor changes the decision (see `_safeHookCall`), so
 *   enforcement logic must live in policies, not in hooks.
 * - `defaultEffect` applies when no policy fires. `'allow'` is fail-open;
 *   {@link IEvalSignals.failOpen} exists specifically to make that visible.
 *
 * @template TAction - Union of valid action strings.
 * @template TResource - Union of valid resource strings.
 * @template TRole - Union of valid role IDs.
 * @template TScope - Union of valid scope strings.
 * @template TMode - Engine mode (`'development'` or `'production'`) that
 * determines whether return types are `IDecision` or plain `boolean`.
 *
 * @example
 * ```ts
 * const engine = new IamEngine({ adapter, defaultEffect: 'deny' })
 *
 * const allowed = await engine.can('user-1', 'read', { type: 'post', attributes: {} })
 * const decision = await engine.check('user-1', 'update', post)
 * const trace = await engine.explain('user-1', 'delete', post)
 * ```
 */
declare class IamEngine {
  private _adapter;
  private _defaultEffect;
  private _mode;
  private _policyCombine;
  private _hooks;
  private _maxPolicies;
  private _maxRoles;
  private _adapterTimeoutMs;
  private _invalidator?;
  private _invalidatorUnsub;
  private _policyCache;
  private _roleCache;
  private _rbacPolicyCache;
  private _mergedPolicyCache;
  private _subjectCache;
  private _inFlight;
  /**
   * Per-instance evaluation caches. Multi-tenant deployments instantiate
   * one Engine per tenant; each owns its own regex + path caches and
   * cannot be evicted by hostile-tenant pattern flooding.
   */
  private _caches;
  /**
   * Cache invalidation facet. Groups the cache-management calls (the four
   * listed below) so the Engine API surface stays focused on evaluation.
   * Use after policy/role/subject mutations to drop stale entries; pass
   * `{ broadcast: false }` when applying an event received from another
   * instance (presumably so it is not re-broadcast).
   *
   * Until one of these is called, or the configured TTL expires, a revoked
   * role or deleted policy may still be served from cache. Treat the
   * invalidate call as part of the revocation, not an optimisation.
   *
   * @since 3.0.0 - replaces the flat `engine.invalidate*` methods.
   */
  readonly cache: {
    /** Clear every cache + in-flight resolver.
*/
    invalidate: (opts?: { broadcast?: boolean; }) => void;
    /** Clear one subject's cached resolved roles + attributes. Call on role assignment changes for that subject. */
    invalidateSubject: (subjectId: string, opts?: { broadcast?: boolean; }) => void;
    /** Clear cached policies (after policy CRUD). */
    invalidatePolicies: (opts?: { broadcast?: boolean; }) => void;
    /**
     * Clear cached roles + RBAC policy; selectively drops affected subjects.
     * NOTE(review): behaviour when `roleId` is omitted is not stated here -
     * presumably every role and every subject is dropped; confirm.
     */
    invalidateRoles: (roleId?: TRole, opts?: { broadcast?: boolean; }) => void;
  };
  /**
   * Observability facet. Cache hit/miss/size counters plus a zero op.
   *
   * @since 3.0.0 - replaces the flat `engine.stats()` / `engine.resetStats()`.
   */
  readonly stats: {
    /** Snapshot per-cache counters. Counters accumulate from construction. */
    get: () => {
      policies: { hits: number; misses: number; size: number; };
      roles: { hits: number; misses: number; size: number; };
      rbacPolicy: { hits: number; misses: number; size: number; };
      mergedPolicies: { hits: number; misses: number; size: number; };
      subjects: { hits: number; misses: number; size: number; };
    };
    /** Zero the counters returned by {@link stats.get}. */
    reset: () => void;
  };
  /**
   * Constructs a new engine wired to the given adapter and configuration.
   *
   * @param config - Engine configuration (adapter, mode, caches, hooks).
   */
  constructor(config: IamEngineTypes.IConfig);
  /**
   * Wrap an adapter read with the engine's configured timeout. Creates a
   * fresh `AbortController` per call so a slow upstream gets hard-cancelled
   * once `adapterTimeoutMs` elapses; the timeout error routes through
   * `authorize`'s catch and produces a fail-closed deny.
   *
   * Returns the adapter call result. Throws on timeout. Adapters that don't
   * honor `signal` still get their result discarded - the engine just
   * doesn't wait for them. Note that such adapters keep doing the work
   * after the deny has been returned, so the timeout bounds latency for the
   * caller but not load on the backing store.
   */
  private _withTimeout;
  /** @internal Build the cache-bag the helper modules use to mutate state. */
  private _cacheBag;
  /** Apply a cross-instance invalidate event to local caches.
*/
  private _applyInvalidateEvent;
  /** Release the invalidator subscription. Call when discarding the engine. */
  dispose(): void;
  /** @internal Build the loader deps. */
  private _loaderDeps;
  /** @internal Resolve a subject's roles + attributes via the adapter (cached). Details not visible here. */
  private _resolveSubject;
  /** Load all policies from the adapter, using the cache if available. */
  private _loadAllPolicies;
  /**
   * Bridges the runtime `this._mode` branch to the static `AccessControl.ModeResult`
   * conditional type. Centralized so the assertion is named and grep-able
   * instead of scattered across each return statement.
   */
  private _asResult;
  /**
   * Full authorization check with a complete {@link IamRequest.IAccessRequest}.
   *
   * In `'production'` mode, returns a plain `boolean`.
   * In `'development'` mode, returns a full {@link AccessControl.IDecision}.
   *
   * Fails closed: an adapter timeout (see `_withTimeout`) is caught here and
   * produces a deny rather than propagating to the caller.
   *
   * @param request - The access request to evaluate.
   * @returns The decision shape determined by the engine's mode.
   */
  authorize(request: IamRequest.IAccessRequest): Promise>;
  /**
   * Invoke a hook safely. Sync or async throws are caught and routed to
   * console.error so a buggy operator hook cannot escape into the caller's
   * path or rewrite a finalised decision. Returning void is intentional -
   * the engine never surfaces hook bugs as authz failures.
   *
   * Two consequences for operators: a hook is not an enforcement point (a
   * throwing `beforeEvaluate` presumably leaves evaluation to proceed as if
   * the hook were a no-op - confirm), and `console.error` is the only sink
   * for hook failures, so anything audit-relevant done in a hook needs its
   * own error reporting.
   */
  private _safeHookCall;
  /**
   * Fires the `onMetrics` hook if configured. Synchronous; takes the start
   * timestamp captured at the top of `authorize` so the caller doesn't pay
   * `performance.now()` cost when no hook is wired.
   */
  private _emitMetrics;
  /**
   * Simple boolean check: can this user do this action on this resource?
   * Always returns a plain `boolean` regardless of engine mode.
   *
   * @param subjectId - Subject ID to resolve via the adapter.
   * @param action - Action the subject wants to perform.
   * @param resource - Target resource.
   * @param environment - Optional request-time environment. Reachable from
   *   conditions via `$`-references, so populate it server-side rather than
   *   passing client-supplied values through.
   * @param scope - Optional scope for multi-tenant checks. Omit only for
   *   global checks: a request without a scope matches only unscoped rules.
   * @returns `true` when the subject is authorized to perform the action.
*/
  can(subjectId: string, action: TAction, resource: IamRequest.IResource, environment?: IamRequest.IAccessRequest['environment'], scope?: TScope): Promise;
  /**
   * Same as `can` but returns the full {@link AccessControl.IDecision} in development mode,
   * or a plain boolean in production mode.
   *
   * @param subjectId - Subject ID to resolve via the adapter.
   * @param action - Action the subject wants to perform.
   * @param resource - Target resource.
   * @param environment - Optional request-time environment (see `can`).
   * @param scope - Optional scope for multi-tenant checks (see `can`).
   * @returns Mode-dependent result: `boolean` in production, `IDecision` in development.
   */
  check(subjectId: string, action: TAction, resource: IamRequest.IResource, environment?: IamRequest.IAccessRequest['environment'], scope?: TScope): Promise>;
  /**
   * Returns a full evaluation trace showing why a permission was granted or
   * denied. Shows which policies matched, which rules fired, which conditions
   * passed/failed with actual vs expected values, and a human-readable summary.
   *
   * Only available in `'development'` mode. Throws in `'production'` mode.
   *
   * Does NOT trigger afterEvaluate/onDeny/onError hooks (read-only).
   * Does apply beforeEvaluate hook since it affects the evaluation.
   *
   * The trace carries the actual subject/resource/environment attribute
   * values the conditions saw, plus the policy structure that produced the
   * verdict. Treat it as sensitive diagnostic output for operators - do not
   * return it to end users or log it unredacted.
   *
   * @param subjectId - Subject ID to resolve via the adapter.
   * @param action - Action the subject wants to perform.
   * @param resource - Target resource.
   * @param environment - Optional request-time environment (see `can`).
   * @param scope - Optional scope for multi-tenant checks (see `can`).
   * @returns A full {@link Explain.IResult} describing the evaluation.
   */
  explain(this: IamEngine, subjectId: string, action: TAction, resource: IamRequest.IResource, environment?: IamRequest.IAccessRequest['environment'], scope?: TScope): Promise;
  /**
   * Batch check: evaluate many permissions at once for a single subject.
   * Returns a map keyed by "action:resource" or "scope:action:resource".
   * Loads adapter data once, then evaluates each check.
   * Each check goes through scoped role enrichment and hooks, consistent with authorize().
   *
   * In `'production'` mode, returns `Record`.
   * In `'development'` mode, returns the full typed {@link IamClient.PermissionMap}.
   *
   * @param subjectId - Subject ID to resolve via the adapter.
   * @param checks - Array of {@link IamClient.IPermissionCheck} descriptors.
   * @param environment - Optional request-time environment shared by all checks
   *   (reachable from conditions via `$`-references; populate server-side).
   * @param opts - `telemetry` is not described here; presumably toggles the
   *   metrics hook for the batch - confirm against the implementation.
   * @returns Mode-dependent permission map.
   */
  permissions(subjectId: string, checks: readonly IamClient.IPermissionCheck[], environment?: IamRequest.IAccessRequest['environment'], opts?: { telemetry?: boolean; }): Promise>;
  private _admin?;
  /**
   * Lazily-built admin interface for CRUD operations on policies, roles, subjects.
   * This is the privileged write surface of the engine: anything that can
   * reach it can rewrite the authorization model. Keep it off request
   * handlers that untrusted callers can reach.
   */
  get admin(): IamEngineTypes.IAdmin;
  /** @internal Cache references for the stats helper. */
  private _cachesForStats;
  /** @internal Snapshot per-cache counters. Reached via {@link stats.get}. */
  private _statsSnapshot;
  /** @internal Zero per-cache counters. Reached via {@link stats.reset}. */
  private _resetStats;
  /** @internal Clear all caches + in-flight resolvers. Reached via {@link cache.invalidate}. */
  private _invalidateAll;
  /** @internal Clear one subject's cached data. Reached via {@link cache.invalidateSubject}. */
  private _invalidateSubject;
  /** @internal Clear cached policies. Reached via {@link cache.invalidatePolicies}. */
  private _invalidatePolicies;
  /** @internal Clear cached roles + selectively drop affected subjects. Reached via {@link cache.invalidateRoles}. */
  private _invalidateRoles;
  /**
   * Warm `mergedPolicyCache` so the first request after boot doesn't pay the
   * full load + index cost. Bench shows ~15x speedup on the first call vs
   * cold. Recommended to call once at app startup.
   *
   * Pass `{ validator: true }` to also eagerly load the lazy validator
   * chunk (12 KB gzipped). Useful for operators who want to front-load
   * every cost at boot instead of paying it on first admin write.
Read-only services can leave it off.
   *
   * @param opts - `validator: true` also preloads the validator chunk.
   * @returns Resolves once the merged policy cache is warm.
   */
  preload(opts?: { validator?: boolean; }): Promise;
  /**
   * Liveness + readiness probe. Performs one timed-out adapter round-trip
   * (`listPolicies`) and snapshots cache hit rates. Cheap enough to wire to
   * a `/healthz` route at the configured interval; returns `ok: false` if the
   * adapter is unreachable so an orchestrator can pull the instance out of
   * rotation.
   *
   * The snapshot is operational data (adapter reachability, cache hit
   * rates); serve it on an internal/orchestrator-facing route, not at the
   * public edge.
   *
   * @returns A {@link IamEngineTypes.IHealth} snapshot.
   */
  healthCheck(): Promise;
}
//#endregion
//#region src/core/config/config.types.d.ts
declare namespace IamConfig {
  /**
   * Input shape for {@link createIam}. Pass `as const` arrays so the
   * factory extracts union types from each array and threads them through
   * every builder method.
   *
   * @template TActions - Tuple of action strings declared `as const`.
   * @template TResources - Tuple of resource strings declared `as const`.
   * @template TScopes - Tuple of scope strings declared `as const`.
   * @template TRoles - Tuple of role ID strings declared `as const`.
   * @template TContext - Shape of the evaluation context for typed dot-paths.
   * @example
   * ```ts
   * const input: IamConfig.IAccessConfigInput<['read'], ['post']> = {
   *   actions: ['read'] as const,
   *   resources: ['post'] as const,
   * }
   * ```
   */
  interface IAccessConfigInput {
    /** Actions your application supports (`['create', 'read', ...]`). `as const`. */
    readonly actions: TActions;
    /** Resource types your application manages. `as const`. */
    readonly resources: TResources;
    /** Scope strings for multi-tenant authorization. `as const`. */
    readonly scopes?: TScopes;
    /** Role IDs to constrain role builders. `as const`. */
    readonly roles?: TRoles;
    /**
     * Phantom field for context type inference.
     *
     * Pass `{} as unknown as YourContext` to enable typed dot-path
     * intellisense on `.attr()`, `.resourceAttr()`, `.env()`, `.check()`.
     * Runtime value is never used - only the type information flows through.
*/
    readonly context?: TContext;
  }
  /**
   * Typed configuration object returned by {@link createIam}. Every
   * builder method is constrained to the declared action / resource / scope /
   * role unions. Misspelling produces a compile-time error.
   *
   * These constraints are compile-time only. Policies and roles loaded at
   * runtime through an adapter are not checked against the declared unions
   * by the type system; run `validatePolicy` / `validateRoles` on anything
   * that arrives from storage, an API, or JSON.
   *
   * @template TAction - Union of valid action strings.
   * @template TResource - Union of valid resource strings.
   * @template TScope - Union of valid scope strings.
   * @template TRole - Union of valid role ID strings.
   * @template TContext - Shape of the evaluation context for typed dot-paths.
   */
  interface IAccessConfig {
    readonly actions: readonly TAction[];
    readonly resources: readonly TResource[];
    /** Empty array if no scopes were declared. */
    readonly scopes: readonly TScope[];
    /** Empty array if no roles were declared. */
    readonly roles: readonly TRole[];
    /** Typed {@link RoleBuilder}; role ID constrained to declared roles. */
    defineRole: (id: TRole) => RoleBuilder;
    /** Typed {@link PolicyBuilder}; rules constrained to declared actions/resources/roles. */
    definePolicy: (id: string) => PolicyBuilder;
    /** Typed standalone {@link RuleBuilder} for composing rules across policies. */
    defineRule: (id: string) => RuleBuilder;
    /** Typed {@link When} builder for reusable condition groups. */
    when: () => When;
    /**
     * Typed {@link IamEngine} instance. Permission checks are constrained to the
     * declared actions / resources / scopes.
     */
    createEngine: (config: IamEngineTypes.IConfig) => IamEngine;
    /**
     * Compile-time-typed pass-through for `engine.permissions()` inputs.
     * NOTE(review): the generic parameter list appears truncated in this
     * rendering; check the emitted declaration for the full signature.
     */
    checks: []>(checks: T) => T;
    /** Role validation: duplicate IDs, dangling inherits, circular inheritance, empty roles. */
    validateRoles: (roles: readonly AccessControl.IRole[]) => IamValidate.IResult;
    /**
     * Validate a policy object from an untrusted source (database, API, JSON).
     * Deep shape + semantic checks. Run this before handing adapter-supplied
     * policies to the engine; `input` is deliberately `unknown`.
*/
    validatePolicy: (input: unknown) => IamValidate.IResult;
  }
}
//#endregion
//#region src/core/config/config.d.ts
/**
 * Creates a type-safe access configuration for your application.
 *
 * The primary entry point for duck-iam. Pass your permission schema
 * using `as const` arrays and get back an {@link IamConfig.IAccessConfig} with fully typed
 * builder methods.
 *
 * The typing only constrains code you write against the builders; it does
 * not constrain what an adapter returns at runtime (use the config's
 * `validatePolicy` / `validateRoles` for that).
 *
 * @template TActions - Tuple of action strings, declared `as const`.
 * @template TResources - Tuple of resource strings, declared `as const`.
 * @template TScopes - Tuple of scope strings, declared `as const`.
 * @template TRoles - Tuple of role ID strings, declared `as const`.
 * @template TContext - Shape of the evaluation context for typed dot-paths.
 *
 * @param input - Your permission schema: actions, resources, and optionally scopes, roles, and context.
 * @returns A typed {@link IamConfig.IAccessConfig} with constrained builder methods.
 *
 * @example
 * ```ts
 * const iam = createIam({
 *   actions: ['create', 'read', 'update', 'delete'] as const,
 *   resources: ['post', 'comment', 'user'] as const,
 *   roles: ['viewer', 'editor', 'admin'] as const,
 *   context: {} as unknown as AppContext,
 * })
 *
 * // All builders are now type-safe:
 * iam.defineRole('viewer').grant('read', 'post') // OK
 * iam.defineRole('viewer').grant('raed', 'post') // compile error
 * ```
 */
declare function createIam(input: IamConfig.IAccessConfigInput): IamConfig.IAccessConfig;
//#endregion
//#region src/core/evaluate/evaluate.d.ts
/**
 * Evaluates a single policy against an access request.
 *
 * Pure function with no side effects. Checks policy targets first, then
 * evaluates matching rules using the policy's combining algorithm.
*
 * @param policy - The policy to evaluate
 * @param request - The access request to evaluate against
 * @param defaultEffect - Effect to use when no rules match (defaults to `'deny'`)
 * @param caches - Optional per-instance regex/path caches; omit to use the process-wide defaults
 * @returns An {@link AccessControl.IDecision} with the evaluation result
 */
declare function evaluatePolicy(policy: AccessControl.IPolicy, request: IamRequest.IAccessRequest, defaultEffect?: AccessControl.Effect, caches?: { regex?: Map; path?: Map; }): AccessControl.IDecision;
/**
 * Combine decisions across multiple policies per `combine` (`'and'` | `'allow-overrides'` | `'first-applicable'`).
 *
 * `'and'` (the default) is the conservative choice. A policy that throws is
 * treated as NotApplicable, which means a deny it would have produced is
 * lost; whether that can flip the merged verdict depends on `combine`, so
 * wire `onPolicyError` to an alert, not just a log line.
 *
 * @param policies All policies to evaluate.
 * @param request The access request.
 * @param defaultEffect Effect when no rule fires within a policy.
 * @param combine Cross-policy combine strategy (defaults to `'and'`).
 * @param onPolicyError Invoked when a single policy throws; offender treated as NotApplicable.
 * @param signals Optional out-parameter (see {@link IEvalSignals}) the evaluator sets as side-effects are observed.
 * @param caches Optional per-instance regex/path caches; omit to use the process-wide defaults.
 * @returns The merged {@link AccessControl.IDecision} across all policies.
 */
declare function evaluate(policies: AccessControl.IPolicy[], request: IamRequest.IAccessRequest, defaultEffect?: AccessControl.Effect, combine?: AccessControl.PolicyCombine, onPolicyError?: (err: Error, policy: AccessControl.IPolicy) => void, signals?: IEvalSignals, caches?: { regex?: Map; path?: Map; }): AccessControl.IDecision;
/**
 * Fast (production-mode) single-policy evaluation; allocation-light combiner shell.
 *
 * @param policy The policy to evaluate.
 * @param request The access request.
 * @param defaultEffect Effect to use when no rules match (defaults to `'deny'`).
 * @param caches Optional per-instance regex/path caches; omit to use the process-wide defaults.
 * @returns `true` / `false` for an applicable allow / deny, `null` when NotApplicable.
 */
declare function evaluatePolicyFast(policy: AccessControl.IPolicy, request: IamRequest.IAccessRequest, defaultEffect?: AccessControl.Effect, caches?: { regex?: Map; path?: Map; }): boolean | null;
/**
 * Fast multi-policy evaluation returning a boolean; mirrors {@link evaluate}'s `combine` modes (no `first-applicable`).
*
 * NOTE(review): what happens when `'first-applicable'` is passed here is
 * not stated - presumably it is rejected or falls back to another mode;
 * confirm before running a `first-applicable` policy set in production mode.
 *
 * @param policies All policies to evaluate.
 * @param request The access request.
 * @param defaultEffect Effect to use when no rules fire (defaults to `'deny'`).
 * @param combine Cross-policy combine strategy (defaults to `'and'`).
 * @param onPolicyError Invoked when a single policy throws; offender treated as NotApplicable.
 * @param signals Optional out-parameter (see {@link IEvalSignals}) the evaluator sets as side-effects are observed.
 * @param caches Optional per-instance regex/path caches; omit to use the process-wide defaults.
 * @returns `true` when the final verdict is allow, `false` otherwise.
 */
declare function evaluateFast(policies: AccessControl.IPolicy[], request: IamRequest.IAccessRequest, defaultEffect?: AccessControl.Effect, combine?: AccessControl.PolicyCombine, onPolicyError?: (err: Error, policy: AccessControl.IPolicy) => void, signals?: IEvalSignals, caches?: { regex?: Map; path?: Map; }): boolean;
/**
 * Out-parameter shape for {@link evaluateFast}. Callers pass an empty object;
 * the evaluator mutates fields as side-effects are observed. Useful for
 * metrics that need details the boolean return cannot carry.
 */
interface IEvalSignals {
  /**
   * Set to `true` only when the engine returned `allow` because the
   * `defaultEffect` fallback was triggered - i.e. no applicable policy fired.
   * Never set when an explicit allow rule matched. Operators chart this to
   * detect silent failures of the policy set (broken adapter, mass deletion,
   * etc.) that the boolean verdict alone hides.
   *
   * By construction this can only fire when `defaultEffect` is `'allow'`;
   * with the default `'deny'` it stays unset. Where it can fire, alert on
   * any non-zero rate - a sustained value means requests are being allowed
   * by fallback rather than by policy.
   */
  failOpen?: boolean;
}
//#endregion
//#region src/core/evaluate/evaluate.types.d.ts
declare namespace Evaluate {
  /**
   * Signature of a combining-algorithm implementation. Takes an array of
   * matched rules (paired with their effect) plus a default effect, and
   * returns the winning rule (if any), the final effect, and a reason string.
   */
  type Combiner = (matched: Array<{ rule: AccessControl.IRule; effect: AccessControl.Effect; }>, defaultEffect: AccessControl.Effect) => { rule?: AccessControl.IRule; effect: AccessControl.Effect; reason: string; };
  /**
   * Rule + its `action` / `resource` pattern sets, as held inside a
   * {@link IPolicyRuleIndex}.
*/
  interface IIndexedRule {
    readonly rule: AccessControl.IRule;
    readonly actions: Set;
    readonly resources: Set;
    readonly hasWildcardAction: boolean;
    readonly hasWildcardResource: boolean;
    /** Pre-computed `('all' in cond || 'any' in cond || 'none' in cond)`. Avoids three `in` checks per hot-path entry. */
    readonly hasConditions: boolean;
  }
  /**
   * Pre-computed index over a policy's rules. Lookup is O(1) on the exact key,
   * O(wildcardAny) on the expansive fallback. Built once per policy reference
   * and cached in a {@link WeakMap}.
   *
   * Because the cache key is the object reference, mutating a policy object
   * in place presumably leaves a stale index attached to it - confirm.
   * Replace policy objects rather than editing them, and invalidate the
   * engine's policy cache after changes.
   */
  interface IPolicyRuleIndex {
    /** Literal `action\0resource` keys; covers rules with no expansive patterns. */
    readonly byActionResource: Map;
    /** Rules with `*` / `foo:*` / `foo.*` in actions or resources; matched by scan. */
    readonly wildcardAny: IIndexedRule[];
    /**
     * `action -> resource -> effect` for unconditional rules in a wildcardless
     * policy. Lets the fast path return without scanning. Empty otherwise.
     */
    readonly precomputed: Map>;
  }
}
//#endregion
//#region src/core/evaluate/evaluate.libs.d.ts
/**
 * Build (or retrieve from cache) a rule index for a policy.
 *
 * @param policy - The policy whose rules should be indexed.
 * @returns The cached or freshly built {@link Evaluate.IPolicyRuleIndex}.
 */
declare function indexPolicy(policy: AccessControl.IPolicy): Evaluate.IPolicyRuleIndex;
//#endregion
//#region src/core/rbac/rbac.d.ts
/**
 * Maximum depth of the inheritance chain walked by {@link collectPermissions}
 * and {@link resolveEffectiveRoles}. Cycles are cut by the `visited` set, but
 * a linear N-deep chain (or a malformed import) would still blow the stack -
 * the bound makes traversal cost predictable.
 *
 * Roles past this depth are silently dropped from the resolved set. Override
 * is intentionally not exposed: a single hard limit keeps every adapter and
 * validator in agreement. Bump here if your role graph legitimately exceeds 32.
 *
 * Dropping a role removes its grants (RBAC only produces allow rules, see
 * {@link rolesToPolicy}), so the truncation fails closed - but silently, so
 * validate role graphs at write time rather than discovering this in
 * production.
*/
declare const MAX_INHERITANCE_DEPTH = 32;
/**
 * Convert RBAC role definitions into an ABAC policy.
 *
 * Each permission becomes a rule with a condition that checks
 * `subject.roles` contains the role ID. This lets RBAC and ABAC
 * coexist in the same evaluation pipeline.
 *
 * Two things follow from "one allow rule per permission": RBAC can only
 * grant, never deny (explicit denies must come from ABAC policies), and
 * `subject.roles` on the request is the trust anchor for every grant. It
 * is presumably populated by the engine's adapter-backed subject resolution
 * rather than by the caller - confirm, and never accept it from client input.
 *
 * @param roles - Every role definition (resolved separately of subject assignment).
 * @returns A synthetic {@link AccessControl.IPolicy} with one allow rule per permission.
 */
declare function rolesToPolicy(roles: AccessControl.IRole[]): AccessControl.IPolicy;
/**
 * Walks `inherits` chains from each assigned role and returns the closed set
 * of effective role IDs. Cycles are cut by the `effective` set; depth is
 * bounded by {@link MAX_INHERITANCE_DEPTH} so a runaway chain can't recurse
 * past the JS stack.
 *
 * @param assignedRoles Role IDs directly assigned to the subject.
 * @param allRoles Every role definition, used to resolve `inherits`.
 * @returns Closed set of effective role IDs (assigned + inherited).
 */
declare function resolveEffectiveRoles(assignedRoles: string[], allRoles: AccessControl.IRole[]): string[];
//#endregion
//#region src/core/resolve/resolve.d.ts
/**
 * Top-level path prefixes accepted by {@link resolve}. An allow-list: a
 * path whose first segment is not in this set resolves to `null` rather
 * than reaching arbitrary request properties.
 */
declare const ALLOWED_ROOTS: Set;
/**
 * Hard cap for path-segment caches. Each entry is at most ~200 bytes
 * (path string + segment array), so 10k entries ~ 2 MB worst case.
 * Insertion-order eviction (FIFO) when the cap is hit.
 */
declare const PATH_CACHE_MAX = 10000;
/**
 * Process-wide default path-segment cache. Used when a caller does not pass
 * a per-instance cache. Multi-tenant deployments should prefer per-Engine
 * caches to prevent cross-tenant eviction.
 */
declare const pathCache: Map;
/**
 * Drop every entry in the process-wide path cache. Intended for multi-tenant
 * operators who flush periodically to bound any single tenant's eviction
 * influence.
*/
declare function clearPathCache(): void;
/**
 * Resolve a dot-path field against an {@link IamRequest.IAccessRequest}; blocks `__proto__` / `constructor` / `prototype`.
 *
 * The blocked segments stop a policy path from walking into the prototype
 * chain. NOTE(review): whether the remaining lookups are own-property only
 * is not stated here; if they are not, inherited `Object.prototype` members
 * such as `toString` would still be reachable as "attribute" values -
 * confirm against the implementation.
 *
 * Invalid and missing paths are both reported as `null`, so a condition
 * that compares against `null` cannot tell a typo in the policy from an
 * absent attribute.
 *
 * @param request - The access request providing root data.
 * @param path - Dot-path string starting with an allowed root or shorthand.
 * @param caches - Optional per-instance dot-path cache; omit to use the process-wide default.
 * @returns The resolved attribute value, or `null` when the path is invalid or missing.
 */
declare function resolve(request: IamRequest.IAccessRequest, path: string, caches?: { path?: Map; }): IamPrimitives.AttributeValue;
/**
 * Tests if an action matches a pattern.
 * Supports wildcards: "*" matches all, "posts:*" matches "posts:read", "posts:write"
 *
 * A bare `'*'` in a rule grants every action, including ones added later;
 * prefer the namespaced form (`'posts:*'`) in allow rules.
 *
 * @param pattern - Action pattern from a rule (may include `'*'` or `'foo:*'`).
 * @param action - The literal action from the request.
 * @returns `true` when the request action matches the pattern.
 */
declare function matchesAction(pattern: string, action: string): boolean;
/**
 * Match a resource type against a pattern. Bare = literal; `:*` / `.*` suffixes match recursively under the separator.
 *
 * @param pattern - Resource pattern from a rule.
 * @param resourceType - The literal resource type from the request.
 * @returns `true` when the request resource type matches the pattern.
 */
declare function matchesResource(pattern: string, resourceType: string): boolean;
/**
 * Match a resource type against a dot-notation hierarchical pattern; `*` global, `prefix.*` recursive subtree.
 *
 * @param pattern - Resource pattern from a rule (dot-notation).
 * @param resourceType - The literal resource type from the request.
 * @returns `true` when the request resource type matches the pattern.
 */
declare function matchesResourceHierarchical(pattern: string, resourceType: string): boolean;
/**
 * Tests if a scope matches a pattern.
*
 * - undefined/null pattern or "*" matches any scope (global permission)
 * - If request has no scope, only global patterns match
 * - Otherwise exact match
 *
 * Multi-tenant caveat: a rule that simply omits its scope is global and
 * applies in every tenant's scope. When scopes are in use, treat an
 * unscoped allow rule as a deliberate cross-tenant grant and review it as
 * such; nothing in the matcher forces a scope to be set.
 *
 * @param pattern - Scope pattern from a rule (may be `undefined`, `null`, or `'*'`).
 * @param scope - The request's scope (may be `undefined` or `null`).
 * @returns `true` when the request scope matches the pattern.
 */
declare function matchesScope(pattern: string | undefined | null, scope: string | undefined | null): boolean;
//#endregion
export { ops as A, MAX_CONDITION_DEPTH as C, getCachedRegex as D, evalCondition as E, resolveConditionValue as F, IamEvalCaches as I, iamCreateEvalCaches as L, resolveValue as M, evalConditionGroup as N, isCondition as O, evaluateOperator as P, iamFlushSharedCaches as S, REGEX_CACHE_MAX as T, evaluatePolicy as _, matchesResource as a, IamConfig as b, pathCache as c, resolveEffectiveRoles as d, rolesToPolicy as f, evaluateFast as g, evaluate as h, matchesAction as i, regexCache as j, isUserSourcedValue as k, resolve as l, Evaluate as m, PATH_CACHE_MAX as n, matchesResourceHierarchical as o, indexPolicy as p, clearPathCache as r, matchesScope as s, ALLOWED_ROOTS as t, MAX_INHERITANCE_DEPTH as u, evaluatePolicyFast as v, MAX_REGEX_LENGTH as w, IamEngine as x, createIam as y };
//# sourceMappingURL=index-FAZKS-3M.d.cts.map