@onenomad/przm-access
v0.1.1
Published
Thin contract package for the przm-access plane: identity/tenancy types, the authorize() interface, and the Postgres RLS session helper. The only thing the przm planes import. No storage, no web framework, near-zero deps.
Readme
@onenomad/przm-access
The thin contract package for the przm platform's identity / tenancy / access-control plane. This is the only thing the planes (cortex, przm-memory, przm-voice, the agent layer) import.
It contains exactly three things and nothing else:
- Types —
Principal,TenantContext,Role,Action,Resource,Authorizer. - The authorization decision —
defaultAuthorizer(and theAuthorizerinterface to supply your own). - The Postgres RLS session helper —
withRlsSession(pool, principal, fn)andsetRlsContext(client, principal).
No storage, no web framework, no SSO, near-zero deps. The heavy lifting
(tables, tokens, SSO, admin API) lives in the private przm-access-service.
Usage
import { withRlsSession, defaultAuthorizer } from "@onenomad/przm-access";
// principal was reconstructed from a verified scoped token
await withRlsSession(pool, principal, async (client) => {
// every query here runs with app.tenant / app.user / app.role set;
// the plane's RLS policies enforce isolation.
const { rows } = await client.query("SELECT * FROM memory");
return rows;
});See ../../PLAN.md for the full design.
License
Apache-2.0. The contract surface is intentionally open (like przm-memory and
przm-voice); the proprietary value lives in the unpublished przm-access
service, not in these types.
