npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@nzelajs/authorizer-kengela

v0.1.0

Published

Nzela Authorizer adapter delegating the access decision to Kengela (@kengela/authz-core#isAuthorized), with an org-chart relation resolver.

Readme

@nzelajs/authorizer-kengela

English below - Version francaise plus bas.

The Kengela-backed Authorizer for the Nzela engine. It makes authorization REAL: at its public entry points the engine hands this adapter an AuthorizationAttempt (who, on which instance, which action, at the transition or task level) and stays agnostic - it invents NO permission string. THIS adapter owns the convention that maps the attempt to a Kengela permission (overridable), then delegates the decision to Kengela (@kengela/authz-core#isAuthorized). Nzela never reimplements the permission algebra; it only wires the seam.

English

Install

npm add @nzelajs/authorizer-kengela

What it provides

  • KengelaAuthorizer (implements Authorizer): on authorize(repos, attempt) it (1) maps the attempt to a permission string, (2) loads the actor's effective grants via the tenant-scoped repos.authz store, (3) resolves the org relation of the actor to the instance, (4) calls Kengela's isAuthorized(grants, permission, relation, now) and throws AuthorizationDeniedError when the decision is deny. Deny-by-default: if no repos.authz store is wired, it fails closed (relation = "no-authz-store"). Construct it with new KengelaAuthorizer({ relations, clock?, permissionFor? }).
  • The attempt -> permission convention is the DEFAULT of this adapter (the engine core is agnostic and no longer carries it): a case transition maps to data.case.submit / data.case.withdraw / data.case.dispatch, a task decision to data.approval.visa / data.approval.decide; an app-declared transition.permission or node.permission wins over the convention. Pass permissionFor: (attempt) => string to replace it wholesale - so a Kengela user with different permission names plugs their own mapping without touching the core. defaultPermissionFor is exported so a custom mapper can fall back to the convention.
  • OrgRelationResolver (implements RelationResolver): classifies the actor/instance relation as self (actor is requester or beneficiary), unit (same primary org unit), subtree (the subject's unit is in the actor unit's subtree) or tenant (same tenant, nothing narrower provable). It reads repos.org and returns tenant whenever a narrower relation cannot be proven (fail-closed). The result is passed through Kengela's tenantScopedRelation for cross-tenant isolation (defense-in-depth): a resource outside the actor's tenant collapses to none, which only a global grant can cover.

The decision is Kengela's. The scope order (own subset unit subset subtree subset tenant subset global) lives in @kengela/authz-core; the permission NAMES (e.g. data.case.dispatch) are this adapter's default convention, not the engine's; this package is the wiring that maps the attempt and feeds Kengela grants and a relation.

Francais

Installation

npm add @nzelajs/authorizer-kengela

Ce que ca fournit

  • KengelaAuthorizer (implemente Authorizer) : sur authorize(repos, attempt), il (1) mappe la tentative vers une chaine de permission, (2) charge les droits effectifs de l'acteur via le store tenant-scope repos.authz, (3) resout la relation org de l'acteur a l'instance, (4) appelle isAuthorized(grants, permission, relation, now) de Kengela et leve AuthorizationDeniedError quand la decision est un refus. Deny-by-default : sans store repos.authz, il echoue ferme (relation = "no-authz-store"). Construction : new KengelaAuthorizer({ relations, clock?, permissionFor? }).
  • La convention tentative -> permission est le DEFAUT de cet adapter (le coeur du moteur est agnostique et ne la porte plus) : une transition de dossier mappe vers data.case.submit / data.case.withdraw / data.case.dispatch, une decision de tache vers data.approval.visa / data.approval.decide ; un transition.permission ou node.permission declare par l'app prime sur la convention. Fournir permissionFor: (attempt) => string pour la remplacer entierement - ainsi un utilisateur de Kengela avec d'autres noms de permission branche sa correspondance sans toucher au coeur. defaultPermissionFor est exporte pour qu'un mappeur personnalise puisse retomber sur la convention.
  • OrgRelationResolver (implemente RelationResolver) : classe la relation acteur/instance en self (l'acteur est le demandeur ou le beneficiaire), unit (meme unite primaire), subtree (l'unite du sujet est dans le sous-arbre de l'unite de l'acteur) ou tenant (meme tenant, rien de plus etroit prouvable). Il lit repos.org et renvoie tenant des qu'une relation plus etroite n'est pas prouvable (fail-closed). Le resultat passe par tenantScopedRelation de Kengela pour l'isolation cross-tenant (defense en profondeur) : une ressource hors du tenant de l'acteur s'effondre en none, que seul un droit global peut couvrir.

La decision appartient a Kengela. L'ordre des portees (own subset unit subset subtree subset tenant subset global) vit dans @kengela/authz-core ; les NOMS de permission (ex. data.case.dispatch) sont la convention par defaut de cet adapter, pas celle du moteur ; ce paquet n'est que le cablage qui mappe la tentative et fournit a Kengela droits et relation.

License

Apache-2.0