auth/role_schema.ts

Role system: builtin roles, role options, and extensible role schema factory.
Defines the authorization policy vocabulary: which roles exist, what capabilities they require (daemon token, web grantability), and a factory for extending with app-defined roles.

9 declarations

ReadonlyMap<string, Required<RoleOptions>>
  Builtin role configs. Not overridable by consumers.

readonly ["keeper", "admin"]
  The builtin role names as a const tuple.

ZodEnum<{ keeper: "keeper"; admin: "admin"; }>
  Zod schema for builtin roles only.

create_role_schema<T extends string>(app_roles: Record<T, RoleOptions>): RoleSchemaResult
  Create a role schema and config map that extends the builtins with app-defined roles.
  Call once at server init. The returned Role schema validates role strings at I/O boundaries (grant endpoint, permit queries). The role_options map is used by middleware to check requires_daemon_token and by the admin UI to filter web_grantable roles.

  Parameters
    app_roles: Record<T, RoleOptions>  App-defined roles with optional config overrides.
  Returns
    RoleSchemaResult  {Role, role_options}: Zod schema and full config map.

  Example
    // visiones
    const {Role, role_options} = create_role_schema({
      teacher: {},
    });
    // Role validates 'keeper' | 'admin' | 'teacher'
    // role_options has all 3 entries with defaults applied

"admin"
  App-level administrative role. Web-grantable, manages users and content.

"keeper"
  System-level role. Requires daemon token (filesystem proof). Controls the keep.

ZodString
  Valid role name: lowercase letters and underscores, no leading/trailing underscore.

RoleOptions
  Configuration for a role. Builtin roles have fixed configs. App-defined roles get sensible defaults (requires_daemon_token: false, web_grantable: true).
    requires_daemon_token: boolean  If true, exercising this role requires daemon token authentication. Only keeper for now.
    web_grantable: boolean  If true, admins can grant this role via the web UI. Default true.

RoleSchemaResult
  The result of create_role_schema: a Zod schema and config map for all roles.
    Role: z.ZodType<string>  Zod schema that validates role strings. Use at I/O boundaries (grant endpoint, permit queries).
    role_options: ReadonlyMap<string, Required<RoleOptions>>  Options for every role (builtins + app-defined). Keyed by role name.
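The factory behaviour documented above (fixed, non-overridable builtins; defaults for app-defined roles; role-name validation; the middleware and admin-UI checks), as an added illustrative reimplementation that is not the project's code. A plain validator stands in for the Zod schema so it runs without dependencies, and the names builtin_role_options, ROLE_NAME_RE, may_exercise and web_grantable_roles are my own.

```typescript
// Illustrative reimplementation of the documented behaviour (not the project's code).
// Assumptions: plain validator instead of Zod; builtin_role_options and ROLE_NAME_RE are my names.
export interface RoleOptions {
  requires_daemon_token?: boolean;
  web_grantable?: boolean;
}
export interface RoleSchemaResult {
  Role: { safeParse(value: unknown): { success: boolean }; parse(value: unknown): string };
  role_options: ReadonlyMap<string, Required<RoleOptions>>;
}
// Builtin configs are fixed: keeper needs the daemon token and is not web-grantable.
export const builtin_role_options: ReadonlyMap<string, Required<RoleOptions>> =
  new Map<string, Required<RoleOptions>>([
    ["keeper", { requires_daemon_token: true, web_grantable: false }],
    ["admin", { requires_daemon_token: false, web_grantable: true }],
  ]);
// Lowercase letters and underscores, no leading or trailing underscore.
export const ROLE_NAME_RE = /^[a-z](?:[a-z_]*[a-z])?$/;
export function create_role_schema<T extends string>(
  app_roles: Record<T, RoleOptions>,
): RoleSchemaResult {
  const role_options = new Map<string, Required<RoleOptions>>(builtin_role_options);
  for (const [name, opts] of Object.entries(app_roles) as [string, RoleOptions][]) {
    // Consumers may not redefine a builtin (e.g. make keeper web-grantable).
    if (builtin_role_options.has(name)) throw new Error(`builtin role '${name}' is not overridable`);
    if (!ROLE_NAME_RE.test(name)) throw new Error(`invalid role name '${name}'`);
    role_options.set(name, {
      requires_daemon_token: opts.requires_daemon_token ?? false, // documented defaults
      web_grantable: opts.web_grantable ?? true,
    });
  }
  const Role = {
    safeParse: (value: unknown) => ({ success: typeof value === "string" && role_options.has(value) }),
    parse: (value: unknown): string => {
      if (typeof value !== "string" || !role_options.has(value)) throw new Error(`unknown role: ${String(value)}`);
      return value;
    },
  };
  return { Role, role_options };
}
// Middleware check: a role with requires_daemon_token may only be exercised with daemon-token auth.
export function may_exercise(r: RoleSchemaResult, role: string, has_daemon_token: boolean): boolean {
  const opts = r.role_options.get(role);
  return opts !== undefined && (!opts.requires_daemon_token || has_daemon_token);
}
// Admin UI filter: only web_grantable roles are offered for granting.
export function web_grantable_roles(r: RoleSchemaResult): string[] {
  return Array.from(r.role_options).filter(([, o]) => o.web_grantable).map(([name]) => name);
}
```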