/** * Access Control Manager * Enterprise-grade access control system for MARIA * Implements hierarchical RBAC with fine-grained permissions */ import { EventEmitter } from "node:events"; export interface User { id: string; email: string; name: string; roles: Role[]; permissions?: PermissionSet; organizationId: string; teamIds?: string[]; departmentId?: string; attributes?: Record; } export interface ResourceIdentifier { resource: string; id?: string; /** * Optional additional resource metadata used by enterprise compliance modules. * Keep these optional to avoid forcing all call-sites to provide them. */ type?: string; path?: string; _path?: string; classification?: { level?: string; tags?: string[]; }; } export type _ResourceIdentifier = ResourceIdentifier; export interface AccessRequest { operation: "read" | "write" | "delete" | "execute" | "share" | "admin"; resource: ResourceIdentifier; context?: Record; } export interface Role { id: string; name: string; level: "individual" | "team" | "department" | "organization"; permissions: PermissionSet; priority: number; inheritFromParent: boolean; overrideChild: boolean; } export interface PermissionSet { resources: Record; actions: string[]; conditions?: PermissionCondition[]; } export interface ResourcePermission { read: boolean; write: boolean; delete: boolean; execute: boolean; share?: boolean; admin?: boolean; } export interface PermissionCondition { type: "time" | "location" | "resource" | "custom"; operator: "equals" | "contains" | "matches" | "between"; value: unknown; } export interface HierarchyLevel { level: Role["level"]; priority: number; inheritFromParent: boolean; overrideChild: boolean; } export interface DataClassification { levels: string[]; defaultLevel: string; rules: ClassificationRule[]; } export interface ClassificationRule { pattern: string | RegExp; level: string; tags?: string[]; } export interface AccessControlConfig { organizationId: string; hierarchyLevels: HierarchyLevel[]; defaultPermissions: PermissionSet; dataClassification: DataClassification; auditEnabled: boolean; } export interface AccessDecision { allowed: boolean; reason?: string; appliedRoles?: Role[]; conditions?: PermissionCondition[]; } export declare class AccessControlManager extends EventEmitter { private config; private users; private roles; private sessions; private cache; constructor(config: AccessControlConfig); private initialize; /** * Check if a user has access to a resource */ checkAccess(userId: string, resource: string, action: string, context?: Record): Promise; /** * Grant a role to a user */ grantRole(userId: string, roleId: string): Promise; /** * Revoke a role from a user */ revokeRole(userId: string, roleId: string): Promise; /** * Register a new user */ registerUser(user: User): Promise; /** * Create a custom role */ createRole(role: Role): Promise; /** * Get classification level for data */ getDataClassification(data: string): string; /** * Collect all permissions for a user */ private collectPermissions; /** * Evaluate permissions against a resource and action */ private evaluatePermissions; /** * Map an action to resource permissions */ private mapActionToPermission; /** * Evaluate permission conditions */ private evaluateConditions; /** * Evaluate a single condition */ private evaluateCondition; /** * Find parent role in hierarchy */ private findParentRole; /** * Clear cache for a user */ private clearUserCache; /** * Get user by ID */ getUser(userId: string): User | undefined; /** * Get role by ID */ getRole(roleId: string): Role | undefined; /** * List all users */ listUsers(): User[]; /** * List all roles */ listRoles(): Role[]; } export declare const accessControlManager: AccessControlManager;