{"version":3,"sources":["../../src/server/permissions.ts","../../src/server/middleware.ts","../../src/server/inheritance.ts"],"names":["hasAllPermissions","hasAnyPermission"],"mappings":";;;AAeA,eAAsB,kBAAA,CACpB,MACA,OAAA,EACuB;AACvB,EAAA,OAAO,OAAA,CAAQ,mBAAmB,IAAI,CAAA;AACxC;AAkBA,eAAsB,aAAA,CACpB,MAAA,EACA,UAAA,EACA,OAAA,EACkB;AAClB,EAAA,MAAM,IAAA,GAAO,MAAM,OAAA,CAAQ,WAAA,CAAY,MAAM,CAAA;AAE7C,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,MAAM,WAAA,GAAc,MAAM,kBAAA,CAAmB,IAAA,EAAM,OAAO,CAAA;AAC1D,EAAA,OAAO,WAAA,CAAY,SAAS,UAAU,CAAA;AACxC;AAmBA,eAAsB,gBAAA,CACpB,MAAA,EACA,WAAA,EACA,OAAA,EACkB;AAClB,EAAA,MAAM,IAAA,GAAO,MAAM,OAAA,CAAQ,WAAA,CAAY,MAAM,CAAA;AAE7C,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,MAAM,eAAA,GAAkB,MAAM,kBAAA,CAAmB,IAAA,EAAM,OAAO,CAAA;AAC9D,EAAA,OAAO,YAAY,IAAA,CAAK,CAAA,CAAA,KAAK,eAAA,CAAgB,QAAA,CAAS,CAAC,CAAC,CAAA;AAC1D;AAmBA,eAAsB,iBAAA,CACpB,MAAA,EACA,WAAA,EACA,OAAA,EACkB;AAClB,EAAA,MAAM,IAAA,GAAO,MAAM,OAAA,CAAQ,WAAA,CAAY,MAAM,CAAA;AAE7C,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,MAAM,eAAA,GAAkB,MAAM,kBAAA,CAAmB,IAAA,EAAM,OAAO,CAAA;AAC9D,EAAA,OAAO,YAAY,KAAA,CAAM,CAAA,CAAA,KAAK,eAAA,CAAgB,QAAA,CAAS,CAAC,CAAC,CAAA;AAC3D;AAkBA,eAAsB,OAAA,CACpB,MAAA,EACA,IAAA,EACA,OAAA,EACkB;AAClB,EAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,WAAA,CAAY,MAAM,CAAA;AACjD,EAAA,OAAO,QAAA,KAAa,IAAA;AACtB;AAeA,eAAsB,UAAA,CACpB,MAAA,EACA,KAAA,EACA,OAAA,EACkB;AAClB,EAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,WAAA,CAAY,MAAM,CAAA;AACjD,EAAA,OAAO,QAAA,GAAW,KAAA,CAAM,QAAA,CAAS,QAAQ,CAAA,GAAI,KAAA;AAC/C;AAqBA,eAAsB,iBAAA,CACpB,MAAA,EACA,UAAA,EACA,OAAA,EACe;AACf,EAAA,MAAM,QAAA,GAAW,MAAM,aAAA,CAAc,MAAA,EAAQ,YAAY,OAAO,CAAA;AAEhE,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,UAAU,CAAA,CAAE,CAAA;AAAA,EACpD;AACF;AAoBA,eAAsB,WAAA,CACpB,MAAA,EACA,IAAA,EACA,OAAA,EACe;AACf,EAAA,MAAM,YAAA,GAAe,MAAM,OAAA,CAAQ,MAAA,EAAQ,MAAM,OAAO,CAAA;AAExD,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,eAAA,EAAkB,IAAI,CAAA,CAAE,CAAA;AAAA,EAC1C;AACF;AAUA,eAAsB,oBAAA,CACpB,MAAA,EACA,WAAA,EACA,OAAA,EACe;AACf,EAAA,MAAM,QAAA,GAAW,MAAM,gBAAA,CAAiB,MAAA,EAAQ,aAAa,OAAO,CAAA;AAEpE,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mCAAA,EAAsC,YAAY,IAAA,CAAK,IAAI,CAAC,CAAA,CAAE,CAAA;AAAA,EAChF;AACF;AAUA,eAAsB,qBAAA,CACpB,MAAA,EACA,WAAA,EACA,OAAA,EACe;AACf,EAAA,MAAM,QAAA,GAAW,MAAM,iBAAA,CAAkB,MAAA,EAAQ,aAAa,OAAO,CAAA;AAErE,EAAA,IAAI,CAAC,QAAA,EAAU;AACb,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mCAAA,EAAsC,YAAY,IAAA,CAAK,IAAI,CAAC,CAAA,CAAE,CAAA;AAAA,EAChF;AACF;ACnKO,SAAS,qBAAqB,MAAA,EAA8B;AACjE,EAAA,MAAM;AAAA,IACJ,OAAA;AAAA,IACA,SAAA;AAAA,IACA,eAAA,GAAkB,QAAA;AAAA,IAClB,YAAA,GAAe,YAAA;AAAA,IACf;AAAA,GACF,GAAI,MAAA;AAEJ,EAAA,OAAO,eAAe,UAAA,CACpB,GAAA,EACA,eAAA,EACuB;AACvB,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,GAAA,CAAI,OAAA;AAGzB,IAAA,IAAI,aAAA,IAAiB,aAAA,CAAc,QAAQ,CAAA,EAAG;AAC5C,MAAA,OAAO,aAAa,IAAA,EAAK;AAAA,IAC3B;AAGA,IAAA,MAAM,aAAA,GAAgB,OAAO,IAAA,CAAK,eAAe,EAC9C,IAAA,CAAK,CAAC,GAAG,CAAA,KAAM,CAAA,CAAE,SAAS,CAAA,CAAE,MAAM,EAClC,IAAA,CAAK,CAAC,UAAU,QAAA,CAAS,UAAA,CAAW,KAAK,CAAC,CAAA;AAE7C,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,OAAO,aAAa,IAAA,EAAK;AAAA,IAC3B;AAEA,IAAA,MAAM,UAAA,GAAa,gBAAgB,aAAa,CAAA;AAGhD,IAAA,MAAM,MAAA,GAAS,MAAM,SAAA,CAAU,GAAG,CAAA;AAClC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,OAAO,aAAa,QAAA,CAAS,IAAI,IAAI,eAAA,EAAiB,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,IAChE;AAGA,IAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,WAAA,CAAY,MAAM,CAAA;AACjD,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,OAAO,aAAa,QAAA,CAAS,IAAI,IAAI,YAAA,EAAc,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,IAC7D;AAGA,IAAA,IAAI,UAAA,CAAW,KAAA,IAAS,UAAA,CAAW,KAAA,CAAM,SAAS,CAAA,EAAG;AACnD,MAAA,IAAI,CAAC,UAAA,CAAW,KAAA,CAAM,QAAA,CAAS,QAAQ,CAAA,EAAG;AACxC,QAAA,OAAO,aAAa,QAAA,CAAS,IAAI,IAAI,YAAA,EAAc,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,MAC7D;AAAA,IACF;AAGA,IAAA,MAAM,eAAA,GAAkB,MAAM,OAAA,CAAQ,kBAAA,CAAmB,QAAQ,CAAA;AAGjE,IAAA,IAAI,UAAA,CAAW,WAAA,IAAe,UAAA,CAAW,WAAA,CAAY,SAAS,CAAA,EAAG;AAC/D,MAAA,MAAMA,kBAAAA,GAAoB,WAAW,WAAA,CAAY,KAAA;AAAA,QAAM,CAAC,IAAA,KACtD,eAAA,CAAgB,QAAA,CAAS,IAAI;AAAA,OAC/B;AACA,MAAA,IAAI,CAACA,kBAAAA,EAAmB;AACtB,QAAA,OAAO,aAAa,QAAA,CAAS,IAAI,IAAI,YAAA,EAAc,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,MAC7D;AAAA,IACF;AAGA,IAAA,IAAI,UAAA,CAAW,cAAA,IAAkB,UAAA,CAAW,cAAA,CAAe,SAAS,CAAA,EAAG;AACrE,MAAA,MAAMC,iBAAAA,GAAmB,WAAW,cAAA,CAAe,IAAA;AAAA,QAAK,CAAC,IAAA,KACvD,eAAA,CAAgB,QAAA,CAAS,IAAI;AAAA,OAC/B;AACA,MAAA,IAAI,CAACA,iBAAAA,EAAkB;AACrB,QAAA,OAAO,aAAa,QAAA,CAAS,IAAI,IAAI,YAAA,EAAc,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,MAC7D;AAAA,IACF;AAGA,IAAA,IAAI,WAAW,MAAA,EAAQ;AACrB,MAAA,MAAM,UAAU,MAAM,UAAA,CAAW,MAAA,CAAO,GAAA,EAAK,QAAQ,OAAO,CAAA;AAC5D,MAAA,IAAI,CAAC,OAAA,EAAS;AACZ,QAAA,OAAO,aAAa,QAAA,CAAS,IAAI,IAAI,YAAA,EAAc,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,MAC7D;AAAA,IACF;AAEA,IAAA,OAAO,aAAa,IAAA,EAAK;AAAA,EAC3B,CAAA;AACF;AAcO,SAAS,qBACd,MAAA,EACA;AACA,EAAA,MAAM,EAAE,OAAA,EAAS,SAAA,EAAW,YAAA,EAAc,eAAA,EAAiB,cAAa,GAAI,MAAA;AAE5E,EAAA,OAAO,eAAe,WAAW,GAAA,EAAyC;AACxE,IAAA,MAAM,MAAA,GAAS,MAAM,SAAA,CAAU,GAAG,CAAA;AAClC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,OAAO,YAAA,CAAa,SAAS,IAAI,GAAA,CAAI,mBAAmB,QAAA,EAAU,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,IAC5E;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,WAAA,CAAY,MAAM,CAAA;AACjD,IAAA,IAAI,CAAC,QAAA,IAAY,CAAC,YAAA,CAAa,QAAA,CAAS,QAAQ,CAAA,EAAG;AACjD,MAAA,OAAO,YAAA,CAAa,SAAS,IAAI,GAAA,CAAI,gBAAgB,YAAA,EAAc,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,IAC7E;AAEA,IAAA,OAAO,aAAa,IAAA,EAAK;AAAA,EAC3B,CAAA;AACF;AAcO,SAAS,2BACd,MAAA,EACA;AACA,EAAA,MAAM,EAAE,OAAA,EAAS,SAAA,EAAW,mBAAA,EAAqB,eAAA,EAAiB,cAAa,GAC7E,MAAA;AAEF,EAAA,OAAO,eAAe,WAAW,GAAA,EAAyC;AACxE,IAAA,MAAM,MAAA,GAAS,MAAM,SAAA,CAAU,GAAG,CAAA;AAClC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,OAAO,YAAA,CAAa,SAAS,IAAI,GAAA,CAAI,mBAAmB,QAAA,EAAU,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,IAC5E;AAEA,IAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,WAAA,CAAY,MAAM,CAAA;AACjD,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,OAAO,YAAA,CAAa,SAAS,IAAI,GAAA,CAAI,gBAAgB,YAAA,EAAc,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,IAC7E;AAEA,IAAA,MAAM,eAAA,GAAkB,MAAM,OAAA,CAAQ,kBAAA,CAAmB,QAAQ,CAAA;AACjE,IAAA,MAAMD,qBAAoB,mBAAA,CAAoB,KAAA;AAAA,MAAM,CAAC,IAAA,KACnD,eAAA,CAAgB,QAAA,CAAS,IAAI;AAAA,KAC/B;AAEA,IAAA,IAAI,CAACA,kBAAAA,EAAmB;AACtB,MAAA,OAAO,YAAA,CAAa,SAAS,IAAI,GAAA,CAAI,gBAAgB,YAAA,EAAc,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,IAC7E;AAEA,IAAA,OAAO,aAAa,IAAA,EAAK;AAAA,EAC3B,CAAA;AACF;;;AChOA,eAAsB,sBAAA,CACpB,OAAA,EACA,QAAA,EACA,OAAA,GAA8B,EAAC,EACR;AACvB,EAAA,MAAM,EAAE,QAAA,GAAW,EAAA,EAAG,GAAI,OAAA;AAC1B,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAY;AAChC,EAAA,MAAM,cAAA,uBAAqB,GAAA,EAAgB;AAE3C,EAAA,eAAe,QAAA,CAAS,aAAmB,KAAA,EAA8B;AAEvE,IAAA,IAAI,QAAQ,QAAA,EAAU;AACpB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,gCAAA,EAAmC,QAAQ,CAAA,WAAA,EAAc,WAAW,CAAA;AAAA,OACtE;AAAA,IACF;AAGA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,EAAG;AAC5B,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oCAAA,EAAuC,WAAW,CAAA,CAAE,CAAA;AAAA,IACtE;AAEA,IAAA,OAAA,CAAQ,IAAI,WAAW,CAAA;AAGvB,IAAA,MAAM,IAAA,GAAO,MAAM,OAAA,CAAQ,QAAA,CAAS,WAAW,CAAA;AAC/C,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA;AAAA,IACF;AAGA,IAAA,IAAA,CAAK,YAAY,OAAA,CAAQ,CAAC,SAAS,cAAA,CAAe,GAAA,CAAI,IAAI,CAAC,CAAA;AAG3D,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,MAAM,QAAA,CAAS,IAAA,CAAK,QAAA,EAAU,KAAA,GAAQ,CAAC,CAAA;AAAA,IACzC;AAAA,EACF;AAEA,EAAA,MAAM,QAAA,CAAS,UAAU,CAAC,CAAA;AAE1B,EAAA,OAAO,KAAA,CAAM,KAAK,cAAc,CAAA;AAClC;AAmBA,eAAsB,aACpB,OAAA,EACA,QAAA,EACA,UAAA,EACA,OAAA,GAA8B,EAAC,EACb;AAClB,EAAA,MAAM,EAAE,QAAA,GAAW,EAAA,EAAG,GAAI,OAAA;AAC1B,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAY;AAEhC,EAAA,eAAe,QAAA,CAAS,aAAmB,KAAA,EAAiC;AAC1E,IAAA,IAAI,QAAQ,QAAA,EAAU;AACpB,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,EAAG;AAC5B,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,OAAA,CAAQ,IAAI,WAAW,CAAA;AAEvB,IAAA,MAAM,IAAA,GAAO,MAAM,OAAA,CAAQ,QAAA,CAAS,WAAW,CAAA;AAC/C,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,IAAI,IAAA,CAAK,aAAa,UAAA,EAAY;AAChC,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI,KAAK,QAAA,EAAU;AACjB,MAAA,OAAO,QAAA,CAAS,IAAA,CAAK,QAAA,EAAU,KAAA,GAAQ,CAAC,CAAA;AAAA,IAC1C;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,OAAO,QAAA,CAAS,UAAU,CAAC,CAAA;AAC7B;AAgBA,eAAsB,gBAAA,CACpB,OAAA,EACA,QAAA,EACA,OAAA,GAA8B,EAAC,EACd;AACjB,EAAA,MAAM,EAAE,QAAA,GAAW,EAAA,EAAG,GAAI,OAAA;AAC1B,EAAA,MAAM,YAAoB,EAAC;AAC3B,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAY;AAEhC,EAAA,eAAe,QAAA,CAAS,aAAmB,KAAA,EAA8B;AACvE,IAAA,IAAI,QAAQ,QAAA,EAAU;AACpB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,gCAAA,EAAmC,QAAQ,CAAA,WAAA,EAAc,WAAW,CAAA;AAAA,OACtE;AAAA,IACF;AAEA,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,EAAG;AAC5B,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oCAAA,EAAuC,WAAW,CAAA,CAAE,CAAA;AAAA,IACtE;AAEA,IAAA,OAAA,CAAQ,IAAI,WAAW,CAAA;AACvB,IAAA,SAAA,CAAU,KAAK,WAAW,CAAA;AAE1B,IAAA,MAAM,IAAA,GAAO,MAAM,OAAA,CAAQ,QAAA,CAAS,WAAW,CAAA;AAC/C,IAAA,IAAI,MAAM,QAAA,EAAU;AAClB,MAAA,MAAM,QAAA,CAAS,IAAA,CAAK,QAAA,EAAU,KAAA,GAAQ,CAAC,CAAA;AAAA,IACzC;AAAA,EACF;AAEA,EAAA,MAAM,QAAA,CAAS,UAAU,CAAC,CAAA;AAE1B,EAAA,OAAO,SAAA;AACT","file":"index.mjs","sourcesContent":["import type { RBACAdapter, Permission, Role } from '../types';\n\n/**\n * Get all permissions for a role\n *\n * @param role - The role name\n * @param adapter - RBAC adapter instance\n * @returns Array of permissions\n *\n * @example\n * ```typescript\n * const permissions = await getRolePermissions('admin', adapter);\n * console.log(permissions); // ['users.create', 'users.delete', ...]\n * ```\n */\nexport async function getRolePermissions(\n  role: Role,\n  adapter: RBACAdapter\n): Promise<Permission[]> {\n  return adapter.getRolePermissions(role);\n}\n\n/**\n * Check if a user has a specific permission\n *\n * @param userId - User ID\n * @param permission - Permission to check\n * @param adapter - RBAC adapter instance\n * @returns Boolean indicating if user has permission\n *\n * @example\n * ```typescript\n * const canDelete = await hasPermission(userId, 'users.delete', adapter);\n * if (canDelete) {\n *   // User can delete\n * }\n * ```\n */\nexport async function hasPermission(\n  userId: string,\n  permission: Permission,\n  adapter: RBACAdapter\n): Promise<boolean> {\n  const role = await adapter.getUserRole(userId);\n\n  if (!role) {\n    return false;\n  }\n\n  const permissions = await getRolePermissions(role, adapter);\n  return permissions.includes(permission);\n}\n\n/**\n * Check if a user has any of the specified permissions\n *\n * @param userId - User ID\n * @param permissions - Array of permissions to check\n * @param adapter - RBAC adapter instance\n * @returns Boolean indicating if user has at least one permission\n *\n * @example\n * ```typescript\n * const canManageUsers = await hasAnyPermission(\n *   userId,\n *   ['users.create', 'users.update', 'users.delete'],\n *   adapter\n * );\n * ```\n */\nexport async function hasAnyPermission(\n  userId: string,\n  permissions: Permission[],\n  adapter: RBACAdapter\n): Promise<boolean> {\n  const role = await adapter.getUserRole(userId);\n\n  if (!role) {\n    return false;\n  }\n\n  const userPermissions = await getRolePermissions(role, adapter);\n  return permissions.some(p => userPermissions.includes(p));\n}\n\n/**\n * Check if a user has all of the specified permissions\n *\n * @param userId - User ID\n * @param permissions - Array of permissions to check\n * @param adapter - RBAC adapter instance\n * @returns Boolean indicating if user has all permissions\n *\n * @example\n * ```typescript\n * const canFullyManageUsers = await hasAllPermissions(\n *   userId,\n *   ['users.create', 'users.update', 'users.delete'],\n *   adapter\n * );\n * ```\n */\nexport async function hasAllPermissions(\n  userId: string,\n  permissions: Permission[],\n  adapter: RBACAdapter\n): Promise<boolean> {\n  const role = await adapter.getUserRole(userId);\n\n  if (!role) {\n    return false;\n  }\n\n  const userPermissions = await getRolePermissions(role, adapter);\n  return permissions.every(p => userPermissions.includes(p));\n}\n\n/**\n * Check if a user has a specific role\n *\n * @param userId - User ID\n * @param role - Role to check\n * @param adapter - RBAC adapter instance\n * @returns Boolean indicating if user has role\n *\n * @example\n * ```typescript\n * const isAdmin = await hasRole(userId, 'admin', adapter);\n * if (isAdmin) {\n *   // User is admin\n * }\n * ```\n */\nexport async function hasRole(\n  userId: string,\n  role: Role,\n  adapter: RBACAdapter\n): Promise<boolean> {\n  const userRole = await adapter.getUserRole(userId);\n  return userRole === role;\n}\n\n/**\n * Check if a user has any of the specified roles\n *\n * @param userId - User ID\n * @param roles - Array of roles to check\n * @param adapter - RBAC adapter instance\n * @returns Boolean indicating if user has at least one role\n *\n * @example\n * ```typescript\n * const canManage = await hasAnyRole(userId, ['admin', 'manager'], adapter);\n * ```\n */\nexport async function hasAnyRole(\n  userId: string,\n  roles: Role[],\n  adapter: RBACAdapter\n): Promise<boolean> {\n  const userRole = await adapter.getUserRole(userId);\n  return userRole ? roles.includes(userRole) : false;\n}\n\n/**\n * Require a specific permission or throw an error\n *\n * @param userId - User ID\n * @param permission - Permission to require\n * @param adapter - RBAC adapter instance\n * @throws Error if user lacks permission\n *\n * @example\n * ```typescript\n * // In API route\n * export async function POST(request: Request) {\n *   const session = await auth();\n *   await requirePermission(session.user.id, 'users.create', adapter);\n *\n *   // User has permission, proceed...\n * }\n * ```\n */\nexport async function requirePermission(\n  userId: string,\n  permission: Permission,\n  adapter: RBACAdapter\n): Promise<void> {\n  const hasPerms = await hasPermission(userId, permission, adapter);\n\n  if (!hasPerms) {\n    throw new Error(`Permission denied: ${permission}`);\n  }\n}\n\n/**\n * Require a specific role or throw an error\n *\n * @param userId - User ID\n * @param role - Role to require\n * @param adapter - RBAC adapter instance\n * @throws Error if user lacks role\n *\n * @example\n * ```typescript\n * export async function POST(request: Request) {\n *   const session = await auth();\n *   await requireRole(session.user.id, 'admin', adapter);\n *\n *   // User is admin, proceed...\n * }\n * ```\n */\nexport async function requireRole(\n  userId: string,\n  role: Role,\n  adapter: RBACAdapter\n): Promise<void> {\n  const hasRoleCheck = await hasRole(userId, role, adapter);\n\n  if (!hasRoleCheck) {\n    throw new Error(`Role required: ${role}`);\n  }\n}\n\n/**\n * Require any of the specified permissions or throw an error\n *\n * @param userId - User ID\n * @param permissions - Array of permissions (user needs at least one)\n * @param adapter - RBAC adapter instance\n * @throws Error if user lacks all permissions\n */\nexport async function requireAnyPermission(\n  userId: string,\n  permissions: Permission[],\n  adapter: RBACAdapter\n): Promise<void> {\n  const hasPerms = await hasAnyPermission(userId, permissions, adapter);\n\n  if (!hasPerms) {\n    throw new Error(`Permission denied: requires one of ${permissions.join(', ')}`);\n  }\n}\n\n/**\n * Require all of the specified permissions or throw an error\n *\n * @param userId - User ID\n * @param permissions - Array of permissions (user needs all)\n * @param adapter - RBAC adapter instance\n * @throws Error if user lacks any permission\n */\nexport async function requireAllPermissions(\n  userId: string,\n  permissions: Permission[],\n  adapter: RBACAdapter\n): Promise<void> {\n  const hasPerms = await hasAllPermissions(userId, permissions, adapter);\n\n  if (!hasPerms) {\n    throw new Error(`Permission denied: requires all of ${permissions.join(', ')}`);\n  }\n}\n","import { NextRequest, NextResponse } from 'next/server';\r\nimport type { RBACAdapter, Permission, Role } from '../types';\r\n\r\n/**\r\n * Configuration for RBAC middleware\r\n */\r\nexport interface RBACMiddlewareConfig {\r\n  /**\r\n   * RBAC adapter instance\r\n   */\r\n  adapter: RBACAdapter;\r\n\r\n  /**\r\n   * Function to get user ID from request\r\n   * This should extract the user ID from session/token/cookies\r\n   *\r\n   * @example\r\n   * ```typescript\r\n   * getUserId: async (req) => {\r\n   *   const session = await getSession(req);\r\n   *   return session?.user?.id || null;\r\n   * }\r\n   * ```\r\n   */\r\n  getUserId: (req: NextRequest) => Promise<string | null>;\r\n\r\n  /**\r\n   * Optional: URL to redirect to when user is not authenticated\r\n   * @default '/login'\r\n   */\r\n  unauthorizedUrl?: string;\r\n\r\n  /**\r\n   * Optional: URL to redirect to when user lacks permission\r\n   * @default '/forbidden'\r\n   */\r\n  forbiddenUrl?: string;\r\n\r\n  /**\r\n   * Optional: Function to check if route should be public\r\n   */\r\n  isPublicRoute?: (pathname: string) => boolean;\r\n}\r\n\r\n/**\r\n * Route protection configuration\r\n */\r\nexport interface RouteProtection {\r\n  /**\r\n   * Required permissions (user must have ALL of these)\r\n   */\r\n  permissions?: Permission[];\r\n\r\n  /**\r\n   * Required permissions (user must have ANY of these)\r\n   */\r\n  anyPermissions?: Permission[];\r\n\r\n  /**\r\n   * Required roles (user must have ANY of these)\r\n   */\r\n  roles?: Role[];\r\n\r\n  /**\r\n   * Custom check function\r\n   */\r\n  custom?: (req: NextRequest, userId: string, adapter: RBACAdapter) => Promise<boolean>;\r\n}\r\n\r\n/**\r\n * Creates an RBAC middleware for Next.js\r\n *\r\n * @example\r\n * ```typescript\r\n * // middleware.ts\r\n * import { createRBACMiddleware } from '@khannara/next-rbac/server';\r\n * import { getAdapter } from './lib/rbac';\r\n * import { getSession } from './lib/auth';\r\n *\r\n * const rbacMiddleware = createRBACMiddleware({\r\n *   adapter: getAdapter(),\r\n *   getUserId: async (req) => {\r\n *     const session = await getSession(req);\r\n *     return session?.user?.id || null;\r\n *   },\r\n * });\r\n *\r\n * export async function middleware(req: NextRequest) {\r\n *   return rbacMiddleware(req, {\r\n *     '/admin': { roles: ['admin'] },\r\n *     '/api/users': { permissions: ['users.read'] },\r\n *     '/settings': { anyPermissions: ['settings.update', 'admin.access'] },\r\n *   });\r\n * }\r\n *\r\n * export const config = {\r\n *   matcher: ['/admin/:path*', '/api/:path*', '/settings/:path*'],\r\n * };\r\n * ```\r\n */\r\nexport function createRBACMiddleware(config: RBACMiddlewareConfig) {\r\n  const {\r\n    adapter,\r\n    getUserId,\r\n    unauthorizedUrl = '/login',\r\n    forbiddenUrl = '/forbidden',\r\n    isPublicRoute,\r\n  } = config;\r\n\r\n  return async function middleware(\r\n    req: NextRequest,\r\n    protectedRoutes: Record<string, RouteProtection>\r\n  ): Promise<NextResponse> {\r\n    const { pathname } = req.nextUrl;\r\n\r\n    // Check if route is public\r\n    if (isPublicRoute && isPublicRoute(pathname)) {\r\n      return NextResponse.next();\r\n    }\r\n\r\n    // Find matching protection rule\r\n    const matchingRoute = Object.keys(protectedRoutes)\r\n      .sort((a, b) => b.length - a.length) // Match most specific route first\r\n      .find((route) => pathname.startsWith(route));\r\n\r\n    if (!matchingRoute) {\r\n      return NextResponse.next();\r\n    }\r\n\r\n    const protection = protectedRoutes[matchingRoute];\r\n\r\n    // Get user ID\r\n    const userId = await getUserId(req);\r\n    if (!userId) {\r\n      return NextResponse.redirect(new URL(unauthorizedUrl, req.url));\r\n    }\r\n\r\n    // Get user's role\r\n    const userRole = await adapter.getUserRole(userId);\r\n    if (!userRole) {\r\n      return NextResponse.redirect(new URL(forbiddenUrl, req.url));\r\n    }\r\n\r\n    // Check role requirements\r\n    if (protection.roles && protection.roles.length > 0) {\r\n      if (!protection.roles.includes(userRole)) {\r\n        return NextResponse.redirect(new URL(forbiddenUrl, req.url));\r\n      }\r\n    }\r\n\r\n    // Get user's permissions\r\n    const userPermissions = await adapter.getRolePermissions(userRole);\r\n\r\n    // Check permission requirements (all required)\r\n    if (protection.permissions && protection.permissions.length > 0) {\r\n      const hasAllPermissions = protection.permissions.every((perm) =>\r\n        userPermissions.includes(perm)\r\n      );\r\n      if (!hasAllPermissions) {\r\n        return NextResponse.redirect(new URL(forbiddenUrl, req.url));\r\n      }\r\n    }\r\n\r\n    // Check permission requirements (any required)\r\n    if (protection.anyPermissions && protection.anyPermissions.length > 0) {\r\n      const hasAnyPermission = protection.anyPermissions.some((perm) =>\r\n        userPermissions.includes(perm)\r\n      );\r\n      if (!hasAnyPermission) {\r\n        return NextResponse.redirect(new URL(forbiddenUrl, req.url));\r\n      }\r\n    }\r\n\r\n    // Custom check\r\n    if (protection.custom) {\r\n      const allowed = await protection.custom(req, userId, adapter);\r\n      if (!allowed) {\r\n        return NextResponse.redirect(new URL(forbiddenUrl, req.url));\r\n      }\r\n    }\r\n\r\n    return NextResponse.next();\r\n  };\r\n}\r\n\r\n/**\r\n * Helper to create a simple role-based middleware\r\n *\r\n * @example\r\n * ```typescript\r\n * export const middleware = createRoleMiddleware({\r\n *   adapter: getAdapter(),\r\n *   getUserId: getUserIdFromSession,\r\n *   allowedRoles: ['admin', 'manager'],\r\n * });\r\n * ```\r\n */\r\nexport function createRoleMiddleware(\r\n  config: RBACMiddlewareConfig & { allowedRoles: Role[] }\r\n) {\r\n  const { adapter, getUserId, allowedRoles, unauthorizedUrl, forbiddenUrl } = config;\r\n\r\n  return async function middleware(req: NextRequest): Promise<NextResponse> {\r\n    const userId = await getUserId(req);\r\n    if (!userId) {\r\n      return NextResponse.redirect(new URL(unauthorizedUrl || '/login', req.url));\r\n    }\r\n\r\n    const userRole = await adapter.getUserRole(userId);\r\n    if (!userRole || !allowedRoles.includes(userRole)) {\r\n      return NextResponse.redirect(new URL(forbiddenUrl || '/forbidden', req.url));\r\n    }\r\n\r\n    return NextResponse.next();\r\n  };\r\n}\r\n\r\n/**\r\n * Helper to create a permission-based middleware\r\n *\r\n * @example\r\n * ```typescript\r\n * export const middleware = createPermissionMiddleware({\r\n *   adapter: getAdapter(),\r\n *   getUserId: getUserIdFromSession,\r\n *   requiredPermissions: ['users.read', 'users.update'],\r\n * });\r\n * ```\r\n */\r\nexport function createPermissionMiddleware(\r\n  config: RBACMiddlewareConfig & { requiredPermissions: Permission[] }\r\n) {\r\n  const { adapter, getUserId, requiredPermissions, unauthorizedUrl, forbiddenUrl } =\r\n    config;\r\n\r\n  return async function middleware(req: NextRequest): Promise<NextResponse> {\r\n    const userId = await getUserId(req);\r\n    if (!userId) {\r\n      return NextResponse.redirect(new URL(unauthorizedUrl || '/login', req.url));\r\n    }\r\n\r\n    const userRole = await adapter.getUserRole(userId);\r\n    if (!userRole) {\r\n      return NextResponse.redirect(new URL(forbiddenUrl || '/forbidden', req.url));\r\n    }\r\n\r\n    const userPermissions = await adapter.getRolePermissions(userRole);\r\n    const hasAllPermissions = requiredPermissions.every((perm) =>\r\n      userPermissions.includes(perm)\r\n    );\r\n\r\n    if (!hasAllPermissions) {\r\n      return NextResponse.redirect(new URL(forbiddenUrl || '/forbidden', req.url));\r\n    }\r\n\r\n    return NextResponse.next();\r\n  };\r\n}\r\n","import type { RBACAdapter, Role, Permission } from '../types';\r\n\r\n/**\r\n * Options for resolving role inheritance\r\n */\r\nexport interface InheritanceOptions {\r\n  /**\r\n   * Maximum depth to traverse role hierarchy (prevents infinite loops)\r\n   * @default 10\r\n   */\r\n  maxDepth?: number;\r\n}\r\n\r\n/**\r\n * Resolves all permissions for a role including inherited permissions\r\n *\r\n * @param adapter - RBAC adapter instance\r\n * @param roleName - Name of the role\r\n * @param options - Inheritance options\r\n * @returns Array of all permissions (deduplicated)\r\n *\r\n * @example\r\n * ```typescript\r\n * // Role hierarchy:\r\n * // super-admin (no permissions, inherits from admin)\r\n * // admin (users.delete, inherits from manager)\r\n * // manager (users.update, inherits from user)\r\n * // user (users.read)\r\n *\r\n * const permissions = await resolveRolePermissions(adapter, 'super-admin');\r\n * // Returns: ['users.read', 'users.update', 'users.delete']\r\n * ```\r\n */\r\nexport async function resolveRolePermissions(\r\n  adapter: RBACAdapter,\r\n  roleName: Role,\r\n  options: InheritanceOptions = {}\r\n): Promise<Permission[]> {\r\n  const { maxDepth = 10 } = options;\r\n  const visited = new Set<string>();\r\n  const allPermissions = new Set<Permission>();\r\n\r\n  async function traverse(currentRole: Role, depth: number): Promise<void> {\r\n    // Prevent infinite loops\r\n    if (depth > maxDepth) {\r\n      throw new Error(\r\n        `Role inheritance depth exceeded ${maxDepth} for role: ${currentRole}`\r\n      );\r\n    }\r\n\r\n    // Prevent circular inheritance\r\n    if (visited.has(currentRole)) {\r\n      throw new Error(`Circular role inheritance detected: ${currentRole}`);\r\n    }\r\n\r\n    visited.add(currentRole);\r\n\r\n    // Get role document\r\n    const role = await adapter.findRole(currentRole);\r\n    if (!role) {\r\n      return;\r\n    }\r\n\r\n    // Add this role's permissions\r\n    role.permissions.forEach((perm) => allPermissions.add(perm));\r\n\r\n    // Recursively get parent permissions\r\n    if (role.inherits) {\r\n      await traverse(role.inherits, depth + 1);\r\n    }\r\n  }\r\n\r\n  await traverse(roleName, 0);\r\n\r\n  return Array.from(allPermissions);\r\n}\r\n\r\n/**\r\n * Checks if a role inherits from another role (directly or indirectly)\r\n *\r\n * @param adapter - RBAC adapter instance\r\n * @param roleName - Name of the role to check\r\n * @param parentRole - Name of the potential parent role\r\n * @param options - Inheritance options\r\n * @returns True if roleName inherits from parentRole\r\n *\r\n * @example\r\n * ```typescript\r\n * // super-admin → admin → manager → user\r\n * await inheritsFrom(adapter, 'super-admin', 'user'); // true\r\n * await inheritsFrom(adapter, 'super-admin', 'admin'); // true\r\n * await inheritsFrom(adapter, 'admin', 'super-admin'); // false\r\n * ```\r\n */\r\nexport async function inheritsFrom(\r\n  adapter: RBACAdapter,\r\n  roleName: Role,\r\n  parentRole: Role,\r\n  options: InheritanceOptions = {}\r\n): Promise<boolean> {\r\n  const { maxDepth = 10 } = options;\r\n  const visited = new Set<string>();\r\n\r\n  async function traverse(currentRole: Role, depth: number): Promise<boolean> {\r\n    if (depth > maxDepth) {\r\n      return false;\r\n    }\r\n\r\n    if (visited.has(currentRole)) {\r\n      return false;\r\n    }\r\n\r\n    visited.add(currentRole);\r\n\r\n    const role = await adapter.findRole(currentRole);\r\n    if (!role) {\r\n      return false;\r\n    }\r\n\r\n    if (role.inherits === parentRole) {\r\n      return true;\r\n    }\r\n\r\n    if (role.inherits) {\r\n      return traverse(role.inherits, depth + 1);\r\n    }\r\n\r\n    return false;\r\n  }\r\n\r\n  return traverse(roleName, 0);\r\n}\r\n\r\n/**\r\n * Gets the complete role hierarchy for a role\r\n *\r\n * @param adapter - RBAC adapter instance\r\n * @param roleName - Name of the role\r\n * @param options - Inheritance options\r\n * @returns Array of role names from current to root (e.g., ['super-admin', 'admin', 'manager', 'user'])\r\n *\r\n * @example\r\n * ```typescript\r\n * const hierarchy = await getRoleHierarchy(adapter, 'super-admin');\r\n * // Returns: ['super-admin', 'admin', 'manager', 'user']\r\n * ```\r\n */\r\nexport async function getRoleHierarchy(\r\n  adapter: RBACAdapter,\r\n  roleName: Role,\r\n  options: InheritanceOptions = {}\r\n): Promise<Role[]> {\r\n  const { maxDepth = 10 } = options;\r\n  const hierarchy: Role[] = [];\r\n  const visited = new Set<string>();\r\n\r\n  async function traverse(currentRole: Role, depth: number): Promise<void> {\r\n    if (depth > maxDepth) {\r\n      throw new Error(\r\n        `Role inheritance depth exceeded ${maxDepth} for role: ${currentRole}`\r\n      );\r\n    }\r\n\r\n    if (visited.has(currentRole)) {\r\n      throw new Error(`Circular role inheritance detected: ${currentRole}`);\r\n    }\r\n\r\n    visited.add(currentRole);\r\n    hierarchy.push(currentRole);\r\n\r\n    const role = await adapter.findRole(currentRole);\r\n    if (role?.inherits) {\r\n      await traverse(role.inherits, depth + 1);\r\n    }\r\n  }\r\n\r\n  await traverse(roleName, 0);\r\n\r\n  return hierarchy;\r\n}\r\n"]}