RBAC

Role-based access control with tenant roles, team roles, resource policies, and permission checking.

Enterprise RBAC provides multi-level permission checking: tenant-level roles, team-level roles, resource-level policies, and a middleware helper for API routes.

Core RBAC Guard

import { createRbacGuard } from '@lua-ai-global/governance-enterprise';

const rbac = createRbacGuard();

rbac.can('admin', 'agents:write');    // true
rbac.can('viewer', 'agents:write');   // false
rbac.can('operator', 'agents:read');  // true

Tenant Roles

Role	Permissions
owner	All permissions including billing and tenant deletion
admin	Policy management, kill switch, audit export, RBAC, agent management
operator	Register agents, enforce policies, view audit, score agents
member	Read-only access to agents, scores, and audit trail
viewer	Minimal read-only access

Permission Checking

rbac.can('admin', 'kill_switch');      // true
rbac.can('operator', 'kill_switch');   // false

rbac.assertCan('admin', 'kill_switch');    // passes
rbac.assertCan('operator', 'kill_switch'); // throws RbacError

const perms = rbac.permissionsFor('operator');
// ['agents:read', 'agents:write', 'audit:read', 'enforce', ...]

rbac.canAll('admin', ['agents:write', 'policies:write']); // true
rbac.canAny('operator', ['kill_switch', 'enforce']);       // true (has enforce)

Team-Level Roles

Teams have their own role hierarchy within a tenant:

import { teamRoleCan, effectiveCan } from '@lua-ai-global/governance-enterprise';

teamRoleCan('lead', 'agents:write');   // true
teamRoleCan('member', 'agents:write'); // true
teamRoleCan('viewer', 'agents:write'); // false

// Effective permission = highest of tenant role + team role
effectiveCan(tenantMember, teamMember, 'agents:write');

Team Role	Permissions
lead	Full team management, all team operations
member	Agent management, enforcement, audit viewing
viewer	Read-only team access

Resource Policies

Per-resource access control for fine-grained authorization:

import { createResourcePolicyStore } from '@lua-ai-global/governance-enterprise';

const store = createResourcePolicyStore();

store.set('agent', 'agent_123', {
  allowedUsers: ['user_alice', 'user_bob'],
  allowedRoles: ['admin', 'operator'],
  tenantPublic: false,
});

store.canAccess('agent', 'agent_123', {
  userId: 'user_alice',
  role: 'member',
}); // true — user is in allowedUsers

store.canAccess('agent', 'agent_123', {
  userId: 'user_eve',
  role: 'admin',
}); // true — admin role is in allowedRoles

API Middleware

import { requirePermission } from '@lua-ai-global/governance-enterprise';

async function handleRequest(ctx: AuthContext) {
  requirePermission(ctx, 'policies:write');
  // throws RbacError if ctx.member.role lacks the permission
}

Error Handling

import { RbacError } from '@lua-ai-global/governance-enterprise';

try {
  rbac.assertCan('viewer', 'kill_switch');
} catch (error) {
  if (error instanceof RbacError) {
    // error.role       → 'viewer'
    // error.permission → 'kill_switch'
    // error.message    → 'Role viewer lacks permission kill_switch'
  }
}