Skip to content

IResolveOptions

Defined in: src/types/IAccessControlOptions.ts:163

Internal, fully-resolved options threaded into a permission check (engine policy + the merged context). Not part of the public authoring surface.

Properties

pathPrefix?

optional pathPrefix?: string

Defined in: src/types/IAccessControlOptions.ts:165

Notation path sentinel (default '$').

context?

optional context?: UnknownObject

Defined in: src/types/IAccessControlOptions.ts:167

Merged check context (ambient + per-check).

ownerField?

optional ownerField?: string

Defined in: src/types/IAccessControlOptions.ts:169

Resource owner field.

owner?

optional owner?: OwnerResolver

Defined in: src/types/IAccessControlOptions.ts:171

Custom ownership resolver.

strictChecks?

optional strictChecks?: boolean

Defined in: src/types/IAccessControlOptions.ts:173

strict.checks resolved value (default true).

strictRoles?

optional strictRoles?: boolean

Defined in: src/types/IAccessControlOptions.ts:175

strict.roles resolved value (default true).

strictActions?

optional strictActions?: boolean

Defined in: src/types/IAccessControlOptions.ts:177

strict.actions resolved value (default false).

strictResources?

optional strictResources?: boolean

Defined in: src/types/IAccessControlOptions.ts:179

strict.resources resolved value (default false).

allowRegex?

optional allowRegex?: boolean

Defined in: src/types/IAccessControlOptions.ts:181

Whether the matches regex operator is permitted (default false).

charset?

optional charset?: RegExp

Defined in: src/types/IAccessControlOptions.ts:183

Resolved allowed-name pattern (engine.charset), default ASCII.

safeErrors?

optional safeErrors?: boolean

Defined in: src/types/IAccessControlOptions.ts:185

engine.safeErrors resolved value (default true).

errorCodePrefix?

optional errorCodePrefix?: string

Defined in: src/types/IAccessControlOptions.ts:187

engine.errorCodePrefix resolved value (default '').

policyActions?

optional policyActions?: string[]

Defined in: src/types/IAccessControlOptions.ts:189

Explicit action allow-list, merged into the strict known-actions set.

policyResources?

optional policyResources?: string[]

Defined in: src/types/IAccessControlOptions.ts:191

Explicit resource allow-list, merged into the strict known-resources set.

vocabRoles?

optional vocabRoles?: string[]

Defined in: src/types/IAccessControlOptions.ts:196

Declared role vocabulary — qualified members + group names. Used to resolve dynamic group inheritance and as the strict known-roles set.

vocabResources?

optional vocabResources?: string[]

Defined in: src/types/IAccessControlOptions.ts:198

Declared resource vocabulary — qualified members + category names.

vocabActions?

optional vocabActions?: string[]

Defined in: src/types/IAccessControlOptions.ts:200

Declared action vocabulary, feeds the strict known-actions set.

requirements?

optional requirements?: IRequirements

Defined in: src/types/IAccessControlOptions.ts:206

Mandatory restriction gates, keyed by scope. Every applicable gate (global + the resource’s category + the resource itself) must pass or the check is denied — require() can only restrict, never grant.

conditions?

optional conditions?: Record<string, ConditionFunction>

Defined in: src/types/IAccessControlOptions.ts:211

Registered custom condition functions by name, used by the async resolver to evaluate { fn, args } conditions.

emitter?

optional emitter?: Emitter

Defined in: src/types/IAccessControlOptions.ts:213

The instance event emitter; used to emit access/error on a check.

safe?

optional safe?: boolean

Defined in: src/types/IAccessControlOptions.ts:220

Fail-closed mode (set by AccessControl#tryCan). When true, any error during a check — invalid query, strict violation, async-required on the sync path — resolves to a denial (granted:false, attributes:[]) instead of throwing. The error event still fires for observability.