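import { t as AccessControl } from "../../access-control-CxeWQI64.js";
import { x as IamEngine } from "../../index-DiOdpz0c.js";
import { t as IamRequest } from "../../request-BouexCSW.js";
import { IamAdminAudit } from "../generic/index.js";

//#region src/server/nest/index.d.ts

// NOTE(review): this listing reached us with every `<...>` type-argument list
// stripped (e.g. `Record;`, `Promise>`, `Promise[]>`), which is not valid
// TypeScript. The generic parameters below are reconstructed from the
// `@template` tags of the original doc comments. The `extends string` bounds,
// the `= string` defaults, the `Record<...>` element types and the element
// types inside `Promise<...>` are best-effort reconstructions - confirm them
// against the package's real `index.d.ts` before relying on them.

/**
 * Minimal NestJS request shape consumed by the guard and the admin handlers.
 *
 * Security note: everything on this object originates either from the client
 * or from whatever authentication layer ran before the IAM guard. `user` is
 * only as trustworthy as the code that populated it, so the IAM guard must be
 * ordered *after* authentication. `headers` and `ip` are client-influenced
 * (`X-Forwarded-For` is spoofable unless the adapter's proxy trust settings
 * are configured), so environment data should be treated as advisory, never
 * as an identity signal.
 */
interface NestRequest {
  /** Principal attached by the authentication layer; `id` and/or `sub` identify it. */
  user?: {
    id?: string;
    sub?: string;
    [key: string]: unknown;
  };
  /** Route parameters (e.g. `:id`). Untrusted input - validate before use. */
  params?: Record<string, string>;
  /** HTTP method; used when `infer` derives the action. */
  method: string;
  /** Request path as received. */
  path?: string;
  /** Matched route information, if the adapter exposes it. */
  route?: {
    path?: string;
  };
  /** Raw request headers, as delivered by the HTTP adapter. */
  headers?: Record<string, string | string[] | undefined>;
  /** Client address as reported by the HTTP adapter. */
  ip?: string;
  [key: string]: unknown;
}

/** Minimal NestJS execution context - the subset the guard reads. */
interface NestExecutionContext {
  switchToHttp(): {
    getRequest(): NestRequest;
  };
  /** Returns the handler function; {@link IamAuthorize} metadata is read off it. */
  getHandler(): object;
}

/** Metadata key for the @IamAuthorize decorator. */
declare const IAM_ACCESS_METADATA_KEY = "duck-iam:authorize";

/** NestJS server integration types. Type-only namespace - zero bundle cost. */
declare namespace IamNest {
  /**
   * Describes the metadata payload attached by the {@link IamAuthorize} decorator.
   *
   * @template TAction - Constrains valid action strings.
   * @template TResource - Constrains valid resource strings.
   * @template TScope - Constrains valid scope strings.
   */
  interface IAuthorizeMeta<TAction extends string = string, TResource extends string = string, TScope extends string = string> {
    /** Specifies the required action (e.g. `'delete'`, `'manage'`). */
    action?: TAction;
    /** Specifies the target resource type (e.g. `'post'`, `'user'`). */
    resource?: TResource;
    /** Optional scope constraint applied to the check. */
    scope?: TScope;
    /**
     * When `true`, infers action from HTTP method and resource from route path.
     *
     * Security note: the inferred pair is only correct when route naming
     * matches the policy vocabulary, and this listing does not show what the
     * guard does when a path maps to no known resource. Prefer an explicit
     * `action`/`resource` on sensitive handlers and cover the inferred pair
     * with a test.
     */
    infer?: boolean;
  }

  /**
   * Describes options for {@link iamNestAccessGuard}.
   *
   * Each extractor has a sensible default.
   *
   * @template TScope - Constrains valid scope strings.
   */
  interface IGuardOptions<TScope extends string = string> {
    /**
     * Extracts the current user ID from the request.
     *
     * Must return an identity established by authentication (e.g. from
     * `request.user`), never a value read from params, headers or body.
     */
    getUserId?: (request: NestRequest) => string | null;
    /**
     * Extracts environment context (IP, user-agent, etc.) from the request.
     *
     * Header-derived values are client-controlled unless proxy trust is
     * configured; do not let a policy hinge on them alone.
     */
    getEnvironment?: (request: NestRequest) => IamRequest.IEnvironment;
    /** Extracts the resource ID from the request. */
    getResourceId?: (request: NestRequest) => string | undefined;
    /** Determines the scope used for the access check. */
    getScope?: (request: NestRequest) => TScope | undefined;
    /**
     * Handles thrown errors during evaluation; return `true` to allow, `false` to deny.
     *
     * Security note: returning `true` fails open. An engine or extractor
     * error is normally a reason to deny; allow only with a deliberate
     * reason. The behaviour when `onError` is omitted is not specified in
     * this listing - confirm that the default denies before relying on it.
     */
    onError?: (err: Error, request: NestRequest) => boolean;
  }

  /** Required guard callback for the admin controller methods. */
  type IAdminAuthorize = (request: NestRequest) => boolean | Promise<boolean>;

  /** Describes options for {@link createIamAdminOperations}. `authorize` is required. */
  interface IAdminOptions extends IamAdminAudit.IOptions {
    /**
     * Required. Runs before every admin operation.
     *
     * Security note: this is the gate on policy/role mutation for these
     * handlers, so it must test a privilege established by authentication
     * (e.g. an admin role on `request.user`), not a client-supplied header or
     * query flag. Whether a thrown error is treated as deny is not visible
     * here - confirm before relying on it.
     */
    authorize: IAdminAuthorize;
    /**
     * Optional audit hook fired AFTER every mutation handler (savePolicy/
     * saveRole/assignRole/revokeRole) completes - success or failure. The
     * hook is fire-and-forget: a slow or throwing implementation never
     * blocks the request and can never alter the response. `listPolicies` /
     * `listRoles` (reads) do not fire it - wrap those handlers yourself if
     * your audit requirements cover reads of the policy set.
     *
     * See {@link IamAdminAudit.IOptions} for additional hardening knobs:
     * `redactPath`, `onAuditHookError`, and `includeErrorMessage`.
     */
    onAdminMutation?: IamAdminAudit.Hook;
  }
}

/**
 * Marks a controller method with access requirements.
 *
 * Stores metadata via `reflect-metadata` when available and also attaches
 * `__accessMeta` so the guard works without that package.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TScope - Constrains valid scope strings.
 * @param meta - Configures the access metadata; defaults to `{ infer: true }`.
 * @returns A NestJS `MethodDecorator`.
 */
declare function IamAuthorize<TAction extends string = string, TResource extends string = string, TScope extends string = string>(meta?: IamNest.IAuthorizeMeta<TAction, TResource, TScope>): MethodDecorator;

/**
 * Builds a NestJS `canActivate` function that reads {@link IamAuthorize} metadata
 * off the handler and runs `engine.can(...)`.
 *
 * Handlers without metadata pass through (allow).
 *
 * Security note: that pass-through makes the guard fail-open for any handler
 * that forgets `@IamAuthorize`. Register the guard globally (or per
 * controller) AND make sure every mutating handler carries the decorator; a
 * test that walks the controllers and asserts the metadata is present is
 * cheap insurance. The guard also assumes authentication has already
 * populated `request.user` - order it after your auth guard.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param engine - Provides the access engine to consult.
 * @param opts - Configures optional extractors and error handler.
 * @returns A function suitable as a NestJS guard's `canActivate` body.
 * @example
 * ```ts
 * @Injectable()
 * class AccessGuard implements CanActivate {
 *   canActivate = iamNestAccessGuard(engine)
 * }
 * ```
 */
declare function iamNestAccessGuard<TAction extends string = string, TResource extends string = string, TRole extends string = string, TScope extends string = string>(engine: IamEngine<TAction, TResource, TRole, TScope>, opts?: IamNest.IGuardOptions<TScope>): (context: NestExecutionContext) => Promise<boolean>;

/**
 * Builds a pre-typed `IamAuthorize` decorator constrained to your app's
 * action/resource/scope unions.
 *
 * Typos like `@IamAuthorize({ action: 'craete' })` become compile errors.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TScope - Constrains valid scope strings.
 * @returns A typed wrapper around {@link IamAuthorize}.
 */
declare function createIamTypedAuthorize<TAction extends string, TResource extends string, TScope extends string>(): (meta?: IamNest.IAuthorizeMeta<TAction, TResource, TScope>) => MethodDecorator;

/**
 * DI token for the access Engine in NestJS.
 *
 * Note: `"ACCESS_ENGINE"` is a plain string token, so another provider in
 * the same DI container registered under the same string would silently
 * shadow or be shadowed by this one. Import this constant rather than
 * re-typing the string.
 */
declare const IAM_ACCESS_ENGINE_TOKEN = "ACCESS_ENGINE";

/**
 * Builds a NestJS provider descriptor bound to {@link IAM_ACCESS_ENGINE_TOKEN}.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param factory - Provides the sync or async engine factory.
 * @returns A `{ provide, useFactory }` descriptor for NestJS DI.
 */
declare function createIamEngineProvider<TAction extends string = string, TResource extends string = string, TRole extends string = string, TScope extends string = string>(factory: () => IamEngine<TAction, TResource, TRole, TScope> | Promise<IamEngine<TAction, TResource, TRole, TScope>>): {
  provide: string;
  useFactory: () => IamEngine<TAction, TResource, TRole, TScope> | Promise<IamEngine<TAction, TResource, TRole, TScope>>;
};

/**
 * Builds framework-agnostic admin operations for use inside a NestJS controller.
 *
 * IamNest's decorator-driven routing means we do not ship a router factory;
 * instead this returns a record of admin handlers the user wires into their
 * `@Controller` methods. Enforces `authorize` at construction time so the
 * controller cannot be instantiated unguarded.
 *
 * Security notes:
 * - `subjectId`, `roleId` and `body` are typed exactly as they arrive from
 *   the request; nothing in this listing shows the handlers validating them.
 *   Run them through a `ValidationPipe`/schema before calling, and remember
 *   that `savePolicy`/`saveRole` write straight into the policy set.
 * - `authorize` is a separate gate from the route-level guard; apply both on
 *   the admin controller, and keep the admin surface off any route that an
 *   unauthenticated client can reach.
 * - Reads (`listPolicies`/`listRoles`) are not audited by `onAdminMutation`.
 *
 * @template TAction - Constrains valid action strings.
 * @template TResource - Constrains valid resource strings.
 * @template TRole - Constrains valid role strings.
 * @template TScope - Constrains valid scope strings.
 * @param engine - Provides the access engine whose `admin` operations are exposed.
 * @param opts - Must include `authorize`.
 * @returns A record of `(req, ...args) => Promise` admin handlers.
 * @throws Error when `opts.authorize` is not a function.
 * @example
 * ```ts
 * @Controller('admin')
 * class IamAdminController {
 *   private h = createIamAdminOperations(engine, {
 *     authorize: (req) => isAdmin(req.user),
 *     onAdminMutation: (e) => auditLog.write(e),
 *   })
 *   @Get('policies') listPolicies(@Req() req) { return this.h.listPolicies(req) }
 * }
 * ```
 * @example
 * Rate limiting is out of scope; compose with IamNest's `@nestjs/throttler` or a
 * global guard. Pseudocode:
 * ```ts
 * @UseGuards(ThrottlerGuard)
 * @Throttle({ default: { limit: 30, ttl: 60_000 } })
 * @Controller('admin') class IamAdminController { ... }
 * ```
 */
declare function createIamAdminOperations<TAction extends string = string, TResource extends string = string, TRole extends string = string, TScope extends string = string>(engine: IamEngine<TAction, TResource, TRole, TScope>, opts: IamNest.IAdminOptions): {
  listPolicies(req: NestRequest): Promise<AccessControl.IPolicy[]>;
  listRoles(req: NestRequest): Promise<AccessControl.IRole[]>;
  savePolicy(req: NestRequest, body: AccessControl.IPolicy): Promise<{
    ok: true;
  }>;
  saveRole(req: NestRequest, body: AccessControl.IRole): Promise<{
    ok: true;
  }>;
  assignRole(req: NestRequest, subjectId: string, body: {
    roleId: TRole;
    scope?: TScope;
  }): Promise<{
    ok: true;
  }>;
  revokeRole(req: NestRequest, subjectId: string, roleId: TRole): Promise<{
    ok: true;
  }>;
};

//#endregion
export { IAM_ACCESS_ENGINE_TOKEN, IAM_ACCESS_METADATA_KEY, IamAuthorize, IamNest, createIamAdminOperations, createIamEngineProvider, createIamTypedAuthorize, iamNestAccessGuard };
//# sourceMappingURL=index.d.ts.map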