feat: add supertokens

modules/identity/cerbos/policies/identity.yaml

@@ -0,0 +1,23 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
+
+apiVersion: api.cerbos.dev/v1
+resourcePolicy:
+  resource: identity
+  version: default
+  rules:
+
+    # Admins can read any identity with limited fields
+
+    - actions: ["read", "update"]
+      effect: EFFECT_ALLOW
+      roles: ["admin"]
+
+    # Users can fully read, update, or delete their own identity
+
+    - actions: ["read", "update", "delete"]
+      effect: EFFECT_ALLOW
+      roles: ["user"]
+      condition:
+        match:
+          expr: request.resource.id == request.principal.id

modules/identity/cerbos/policies/role.yaml

@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
+
+apiVersion: api.cerbos.dev/v1
+resourcePolicy:
+  resource: role
+  version: default
+  rules:
+
+    # Admin can manage roles
+
+    - actions: ["manage"]
+      effect: EFFECT_ALLOW
+      roles: ["admin"]

modules/identity/cerbos/resources.ts

@@ -0,0 +1,11 @@
+/*
+export const resources = new ResourceRegistry([
+  {
+    kind: "identity",
+    actions: ["read", "update", "delete"],
+    attr: {},
+  },
+] as const);
+
+export type Resource = typeof resources.$resource;
+*/