Types
Main TypeScript shapes from authorization checks. Define AppSchema once; these types follow from that generic through AccessEngine and Subject.
How they relate: evaluate() → Decision. explain() → ExplainResult (a Decision plus a per-rule trace). toAuditEntry() → AuditEntry (a JSON-safe slice of a Decision for logging).
SchemaDefinition
The base interface every app schema extends. Defines the unions for roles, resources, and actions.
```typescript
interface SchemaDefinition {
  roles: string;
  resources: string;
  actions: `${string}:${string}`;
  tenantId?: string;
}
```
See The schema for how to define and evolve AppSchema.
Subject
Who is requesting access. Built in your auth layer and passed to every evaluation.
```typescript
interface Subject<S> {
  id: string;
  roles: RoleAssignment<S>[];
  attributes?: Record<string, unknown>;
}
```
```typescript
const user: Subject<AppSchema> = {
  id: "user-42",
  roles: [{ role: "admin", tenantId: "acme" }],
  attributes: { department: "finance" },
};
```
Decision
The outcome of one authorization check — from evaluate() / evaluateAsync():
| Field | Description |
|---|---|
| allowed | Whether access was granted |
| effect | "allow", "deny", or "default-deny" |
| matchedRule | The rule that decided, or null |
| reason | Human-readable explanation |
| durationMs, timestamp | Timing metadata |
| subject, action, resource, resourceContext, tenantId | Echo of the request |
Use decision.allowed in application code. Use reason and matchedRule when logging or debugging.
ExplainResult
Same fields as a Decision, plus a per-rule trace — from explain() / explainAsync():
evaluatedRules: RuleEvaluation[] — per-rule trace with roleMatched, actionMatched, resourceMatched, conditionResults, and matched
AuditEntry
JSON-safe slice of a Decision for log pipelines — from toAuditEntry(), not returned directly by the engine:
```typescript
{
  allowed: true,
  effect: "allow",
  matchedRuleId: "admin-all",
  matchedRuleDescription: "Full admin access",
  subjectId: "user-42",
  action: "invoice:approve",
  resource: "invoice",
  tenantId: "acme",
  timestamp: 1716499200000,
  durationMs: 0.012,
  reason: "Matched rule: Full admin access",
}
```
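The following is an added example, not code from the library: a log-then-enforce wrapper over a Decision-shaped object, showing how a default-deny (where matchedRule is null) is recorded and why only flat identifiers should reach the log. `DecisionLike`, `auditLine`, `enforce`, the sample values, and the rule's `id`/`description` fields are assumptions for illustration; `auditLine` is a stand-in for toAuditEntry(), not its implementation.

```typescript
// Local stand-ins for the shapes on this page (not imported from the library).
// Assumption: a matched rule carries `id` and `description`, inferred from the
// matchedRuleId / matchedRuleDescription fields of AuditEntry.
type Effect = "allow" | "deny" | "default-deny";
interface DecisionLike {
  allowed: boolean;
  effect: Effect;
  matchedRule: { id: string; description: string } | null;
  reason: string;
  durationMs: number;
  timestamp: number;
  subject: { id: string; attributes?: Record<string, unknown> };
  action: string;
  resource: string;
  resourceContext?: Record<string, unknown>;
  tenantId?: string;
}

// Hypothetical projection: copies flat identifiers only, so subject.attributes
// and resourceContext never reach the log, and a null matchedRule stays null.
function auditLine(d: DecisionLike): string {
  return JSON.stringify({
    allowed: d.allowed,
    effect: d.effect,
    matchedRuleId: d.matchedRule ? d.matchedRule.id : null,
    matchedRuleDescription: d.matchedRule ? d.matchedRule.description : null,
    subjectId: d.subject.id,
    action: d.action,
    resource: d.resource,
    tenantId: d.tenantId === undefined ? null : d.tenantId,
    timestamp: d.timestamp,
    durationMs: d.durationMs,
    reason: d.reason,
  });
}

// Log first, then gate on `allowed`, so denials are recorded before the throw.
function enforce(d: DecisionLike, log: (line: string) => void): void {
  log(auditLine(d));
  if (!d.allowed) throw new Error("access denied: " + d.reason);
}

// Constructed sample: no rule matched, so the outcome is default-deny.
const sampleDefaultDeny: DecisionLike = {
  allowed: false, effect: "default-deny", matchedRule: null,
  reason: "No matching rule", durationMs: 0.01, timestamp: 1716499200000,
  subject: { id: "user-7", attributes: { department: "finance" } },
  action: "invoice:approve", resource: "invoice",
  resourceContext: { amount: 9000 }, tenantId: "acme",
};
```

Pass a sink such as `(line) => console.log(line)` as the second argument to `enforce` to see the emitted log line for the sample.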