// Limitations: mutually exclusive roles must be implemented by the developer, as must resolution
const RBAC = Kilpi.rbac.create({
// The subject type is inferred automatically, as is the subject's role type (the generic `TRole`)
// This allows for sessions
// Resolves a subject into its RBAC roles. The subject's own `roles` field is returned
// verbatim; no lookup or validation of the roles happens here.
// NOTE(review): because `subject.roles` is trusted as-is, the subject should originate from a
// server-side source (e.g. a verified session), never from client-supplied data — confirm at the call site.
async getRoles(subject) {
// Always denies: a missing subject marks the request as unauthenticated
if (!subject) return null;
// Infers as authenticated, carrying whatever roles the subject object already holds
return { subject, roles: subject.roles };
// Setup optional role inheritance
// Note: roles are resolved using BFS to handle circular dependencies (they are allowed; however, any
// role that is part of a circular dependency will automatically grant ALL other roles in that loop).
export const policies = {
return subject && RBAC.has(subject, "reader") ? grant(subject) : deny();
write: RBAC.policy("reader", "editor"),