npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@o3co/auth.policy-verifier.builtins

v0.3.1

Published

Built-in attribute collectors, rule collectors, and resource parser for auth.policy-verifier.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

yoshi49535yoshi49535

Keywords

Readme

@o3co/auth.policy-verifier.builtins

Built-in attribute collectors, rule collectors, and resource parser for auth.policy-verifier.

Runtime: Node.js 22+. This package uses node:crypto for stable rule-type hashing; browser / edge runtime support is tracked as future work.

Install

npm install @o3co/auth.policy-verifier.builtins

Attribute Collectors

All collectors implement AttributeCollector.

| Name | Reads from | Emits | Constructor args | | --- | --- | --- | --- | | PayloadScopeCollector | payload.scope (space-separated string) | ATTR_SCOPES: string[] | none | | PayloadSubjectIdCollector | payload.sub, payload.azp | ATTR_USER_ID, ATTR_CLIENT_ID | none | | StaticPermissionCollector | — | ATTR_PERMISSIONS: string[] | { permissions: string[] } | | StaticRoleCollector | — | ATTR_ROLES: Role[] | { roles: Role[] } |

StaticPermissionCollector and StaticRoleCollector always emit the values supplied at construction time, regardless of request context.

No built-in collector for requestContext

The engine does not ship a collector that expands CollectorContext.requestContext into attributes. The shape of requestContext is defined by each consuming project's transport/interceptor, so interpreting it is a project concern. Write a focused AttributeCollector for each field you need to promote — validate its shape there, and store it under a project-specific constant key. See AGENTS.md — Core Vocabulary Scope for the rationale and a worked example.

Rules

HasPermission

new HasPermission(permission: string)
  • ruleType: "permission", code: "no_permission"
  • Checks ATTR_PERMISSIONS (direct) and ATTR_ROLES[].permissions (via roles).
  • Wildcard matching (case-insensitive):
    • "*" matches any permission.
    • "foo*" matches any permission with prefix foo.
    • "*bar" matches any permission with suffix bar.
    • "foo*bar" matches any permission starting with foo and ending with bar.

HasScope

new HasScope(scope: string)
  • ruleType: "scope", code: "invalid_scope"
  • Checks ATTR_SCOPES.
  • A bare scope string "resource" in ATTR_SCOPES is normalized to "read:resource" before comparison.
  • Matching is case-insensitive exact match after normalization.

AttrMatchRule

Deprecated. Use AttrPairEqual instead. AttrMatchRule is kept as a thin wrapper class that extends AttrPairEqual and preserves the legacy ruleType (attr_match:${a}:${b}) and legacy message wording for backward compatibility. The type AttrMatchRuleConfig is a type alias of AttrPairEqualConfig. It will be removed in a future major version.

new AttrMatchRule({ a: string, b: string, group?: string })
  • code: "attr_mismatch".
  • Passes when attrs.get(a) and attrs.get(b) are both non-empty strings and equal. Any other case returns false (fail closed).
  • Pure predicate — does not read CollectorContext. Consuming projects provide the two values to compare through upstream AttributeCollectors and wire the rule through their own RuleCollector.
  • ruleType defaults to "attr_match:${a}:${b}". The evaluator ORs rules within a ruleType and ANDs across different ruleTypes, so the default ensures two independent comparisons are AND-combined (required together). Pass group explicitly when you want two comparisons to be OR-combined (for example, "identify by DID or by email") — both rules then share the provided group as their ruleType.

Attribute Comparison Rules

The attribute comparison rules form a 2 × 5 matrix over two axes: family (Literal vs. Pair) and operator (Equal, NotEqual, In, NotIn, Compare).

  • Literal rules compare a single named attribute against a static value (or set of values) supplied at construction time.
  • Pair rules compare two named attributes resolved from the Attributes map at evaluation time.
  • In / NotIn variants exist for the Literal family only. A pair-over-set operation does not generalize cleanly to a finite list, so AttrPairIn / AttrPairNotIn are intentionally absent.

| Family | Equal | NotEqual | In | NotIn | Compare | | ------- | ------------------ | --------------------- | --------------- | ------------------ | -------------------- | | Literal | AttrLiteralEqual | AttrLiteralNotEqual | AttrLiteralIn | AttrLiteralNotIn | AttrLiteralCompare | | Pair | AttrPairEqual | AttrPairNotEqual | — | — | AttrPairCompare |

AttrLiteralEqual

new AttrLiteralEqual({ a: string, v: string | number | boolean, group?: string })
  • code: "attr_not_equal".
  • Default ruleType: `attr_literal_equal:${a}:${typeof v}:${String(v)}`. The typeof v segment prevents silent collisions between distinct-type literals that stringify the same way (e.g. true vs "true").
  • Passes when attrs.get(a) is the same type and strictly equal to v. No type coercion.

AttrLiteralNotEqual

new AttrLiteralNotEqual({ a: string, v: string | number | boolean, group?: string })
  • code: "attr_equal".
  • Default ruleType: `attr_literal_not_equal:${a}:${typeof v}:${String(v)}`. The typeof v segment prevents silent collisions between distinct-type literals (same rationale as AttrLiteralEqual).
  • Passes when attrs.get(a) is the same type as v and strictly not equal to it. Missing or wrong-type attributes return false (safe-deny).

AttrLiteralIn

new AttrLiteralIn({ a: string, values: (string | number | boolean)[], group?: string })
  • code: "attr_not_in_set".
  • Default ruleType: `attr_literal_in:${a}:${type}:${count}:${hashPrefix}` — where count is the post-deduplication element count and hashPrefix is the first 8 hex characters of a SHA-256 over the deduplicated, sorted, stringified values. Two instances with the same a and logically equivalent values (duplicates and order do not matter) share the same ruleType and are OR-combined by the evaluator.
  • values must be a non-empty, homogeneous array (string[], number[], or boolean[]). Passes when attrs.get(a) is in the set. Duplicate elements in values are ignored (the rule uses Set semantics internally).

AttrLiteralNotIn

new AttrLiteralNotIn({ a: string, values: (string | number | boolean)[], group?: string })
  • code: "attr_in_set".
  • Default ruleType: `attr_literal_not_in:${a}:${type}:${count}:${hashPrefix}` — same stable, deduplication-aware hash scheme as AttrLiteralIn.
  • values must be a non-empty, homogeneous array. Passes when attrs.get(a) is NOT in the set. Duplicate elements in values are ignored.

AttrLiteralCompare

new AttrLiteralCompare({ a: string, op: "lt" | "le" | "gt" | "ge", v: number, group?: string })
  • code: "attr_compare_violated".
  • Default ruleType: `attr_literal_compare:${a}:${op}:${String(v)}`.
  • Passes when attrs.get(a) is a number satisfying a op v. NaN as v is rejected at construction time. NaN attributes always return false.

AttrPairEqual

new AttrPairEqual({ a: string, b: string, group?: string })
  • code: "attr_mismatch".
  • Default ruleType: `attr_pair_equal:${a}:${b}`.
  • Passes when both attrs.get(a) and attrs.get(b) are non-empty strings and strictly equal. This is the successor to the deprecated AttrMatchRule.

AttrPairNotEqual

new AttrPairNotEqual({ a: string, b: string, group?: string })
  • code: "attr_match".
  • Default ruleType: `attr_pair_not_equal:${a}:${b}`.
  • Passes when both attrs.get(a) and attrs.get(b) are non-empty strings and strictly not equal. Missing, empty, or non-string attributes return false (safe-deny).

AttrPairCompare

new AttrPairCompare({ a: string, op: "lt" | "le" | "gt" | "ge", b: string, group?: string })
  • code: "attr_compare_violated".
  • Default ruleType: `attr_pair_compare:${a}:${op}:${b}`.
  • Passes when both attrs.get(a) and attrs.get(b) are numbers satisfying a op b. NaN on either side returns false (JS comparison semantics).

Grouping: AND by default, group for OR

All attribute comparison rules follow the same grouping semantics described for AttrMatchRule above. By default, each rule's ruleType is derived from its distinguishing parameters so that distinct requirements are AND-combined by the evaluator. Pass the same group string to two rules to give them the same ruleType — the evaluator then OR-combines them (either condition satisfies the requirement).

Rule Collectors

| Name | Derives permission/scope | Returns | | --- | --- | --- | | ResourceActionPermissionRuleCollector | "<resource.raw>.perm:<action>" | [HasPermission(...)] | | ResourceActionScopeRuleCollector | "<action>:<resource.resourceType>" | [HasScope(...)] |

Both collectors take no constructor arguments.

Resource Parser

DotNotationResourceParser

Parses a dot-notation string into a Resource.

new DotNotationResourceParser()

Input format: "<type>[:<id>].<type>[:<id>]..."

Example: "foo.bar:123"{ raw: "foo.bar:123", resourceType: "foo_bar", resourceId: "123" }

  • Segments are split by .. Each segment may include :id.
  • resourceType is the segment types joined with _.
  • resourceId is the id of the last segment, if present.

builtinCollectorsModule

builtinCollectorsModule is a Module (name: "builtin-collectors") that registers all built-in implementations into their respective registries.

import { builtinCollectorsModule } from "@o3co/auth.policy-verifier.builtins";

| Registry | Name | Factory | | --- | --- | --- | | attributeCollector | "PayloadScopeCollector" | () => new PayloadScopeCollector() | | attributeCollector | "PayloadSubjectIdCollector" | () => new PayloadSubjectIdCollector() | | attributeCollector | "StaticPermissionCollector" | (config) => new StaticPermissionCollector(config) | | attributeCollector | "StaticRoleCollector" | (config) => new StaticRoleCollector(config) | | ruleCollector | "ResourceActionScopeRuleCollector" | () => new ResourceActionScopeRuleCollector() | | ruleCollector | "ResourceActionPermissionRuleCollector" | () => new ResourceActionPermissionRuleCollector() | | resourceParser | "DotNotationResourceParser" | () => new DotNotationResourceParser() |

See Also