# shared-auth Framework-agnostic authorization primitives shared across `portal-bff` and `portal-shell` per [ADR-0025](../../../docs/decisions/0025-authorization-model-privileges-roles-scopes.md): - **Catalogues** (`authorization.types.ts`) — closed-set lists of the four privileges (`Portal.*` Entra app roles), the 24 functional roles (`apf-role-*` Entra security groups), and the six scope kinds. Adding an entry is an ADR amendment, not a code change in isolation. - **`Principal` type** — the session-resident shape consumed by route guards (`@RequirePrivilege`, `@RequireRole`, `@RequireScope`) and projected to the AI service's flat `roles[]` contract. - **`EntraGroupToRoleResolver`** — turns the tenant-specific Entra group GUIDs carried in the OIDC `groups` claim into the catalogue's role slugs. Configured at boot from `infra/-tenant.entra.json` (gitignored — GUIDs are tenant-private). ## Building Run `pnpm nx build shared-auth` to build the library. ## Running unit tests Run `pnpm nx test shared-auth` to execute the unit tests via [Vitest](https://vitest.dev/).