@suluk/hono - v0.1.5

    Interface EnforceAccessConfig

    Read identity from a request — the app supplies these (it owns its principal/scope model).

    interface EnforceAccessConfig {
        principal: (c: Context) => string | null | undefined;
        isAdmin?: (c: Context) => boolean;
        scopes?: (c: Context) => string[] | undefined;
        operationOf: (c: Context) => string | undefined;
        accessOf: (operation: string) => AccessFacet | undefined;
        defaultRequires?: AccessRequires;
    }

    Properties

    principal: (c: Context) => string | null | undefined

    the caller's verified principal id, or null/undefined for anonymous.

    isAdmin?: (c: Context) => boolean

    fast-path admin check (verified). If omitted, the literal "admin" scope is used.

    scopes?: (c: Context) => string[] | undefined

    the caller's granted scopes (e.g. ["admin"], ["org:1:read"]). Default: none.

    operationOf: (c: Context) => string | undefined

    the operation name for this request, or undefined for non-contract paths (static/auth/docs → allowed).

    accessOf: (operation: string) => AccessFacet | undefined

    the declared access facet for an operation (e.g. from the document's x-suluk-access).

    defaultRequires?: AccessRequires

    what an operation that declares NO access facet requires. Defaults to "authenticated", i.e. DENY BY DEFAULT, so a dropped or missing facet is a 401 in tests, NEVER a silent public route (a fail-open default is how an annotation gap becomes a live breach). Mark genuinely public operations explicitly with requires: "anyone".
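
The fallback described for defaultRequires, as an added TypeScript sketch that is not @suluk/hono's own code. The Req, Facet and Requires types, the decide function, its 200/401 return values and the sample routes are constructed assumptions; scope and admin checks are left out.

```typescript
// Added illustration: local stand-in types, NOT @suluk/hono's implementation.
type Requires = "anyone" | "authenticated";            // only the two values the page names
interface Facet { requires?: Requires }                 // assumed minimal facet shape
interface Req { path: string; principal?: string | null } // hypothetical request stand-in

interface Config {
  principal: (r: Req) => string | null | undefined;
  operationOf: (r: Req) => string | undefined;
  accessOf: (operation: string) => Facet | undefined;
  defaultRequires?: Requires;
}

// Constructed contract: "deleteUser" has lost its access annotation.
const facets: Record<string, Facet | undefined> = {
  getHealth: { requires: "anyone" },
  listOrders: { requires: "authenticated" },
  deleteUser: undefined,
};
const routes: Record<string, string> = {
  "/health": "getHealth",
  "/orders": "listOrders",
  "/users/delete": "deleteUser",
};

// Returns the HTTP status this sketch would answer with.
function decide(cfg: Config, r: Req): number {
  const op = cfg.operationOf(r);
  if (op === undefined) return 200;                     // non-contract path: allowed
  // A missing facet falls back to defaultRequires, itself defaulting to "authenticated".
  const requires = cfg.accessOf(op)?.requires ?? cfg.defaultRequires ?? "authenticated";
  if (requires === "anyone") return 200;                // explicitly public
  return cfg.principal(r) ? 200 : 401;                  // anonymous caller is rejected
}

const base: Config = {
  principal: (r) => r.principal,
  operationOf: (r) => routes[r.path],
  accessOf: (op) => facets[op],
};
// The weak setting, for contrast: the annotation gap becomes a public route.
const failOpen: Config = { ...base, defaultRequires: "anyone" };
```

With the default, an anonymous call to the unannotated operation is rejected; the same call under failOpen is served, which is the gap the default exists to close.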