import type { JobResult } from '@cloud-copilot/job';
import { IamCollectClient } from '../collect/client.js';
import type { S3AbacOverride } from '../utils/s3Abac.js';
import { PullBasedJobRunner } from '../workers/JobRunner.js';
import type { LightRequestAnalysis } from './requestAnalysis.js';
import type { WhoCanAllowed, WhoCanDenyDetail } from './whoCan.js';
import type { WhoCanExecutionResult, WhoCanWorkItem } from './WhoCanWorker.js';

/**
 * A `WhoCanWorkItem` that also names the request it came from.
 *
 * The main-thread runner drains items for many requests from a single FIFO
 * scheduler, so every item must carry its request ID for the simulation
 * result to be delivered back to the correct request.
 */
export interface TaggedWhoCanWorkItem extends WhoCanWorkItem {
  /** ID of the request that owns this item; used to route its result. */
  requestId: string;
}

/**
 * Properties stored on each job so that `onComplete` can identify the
 * originating request without consulting a worker ID.
 */
interface MainThreadJobProperties {
  /** ID of the request that owns this job. */
  requestId: string;
  /** True when deny details are wanted for the request this job belongs to. */
  collectDenyDetails: boolean;
}

/**
 * Pulls the next tagged work item off the processor's FIFO scheduler.
 *
 * @returns the next item, or `undefined` when nothing is ready.
 */
export type DequeueWork = () => TaggedWhoCanWorkItem | undefined;

/**
 * Receives the outcome of a single simulation and hands it back to the
 * processor keyed by request ID.
 *
 * The `JobResult` is fulfilled with a `WhoCanAllowed` or with `undefined`
 * (presumably allowed vs. denied — verify against the processor) and is
 * rejected when the simulation itself errored. NOTE(review): a rejection is
 * an error, not a deny; the processor should surface it as such rather than
 * folding it into "not allowed" — confirm in the consumer.
 *
 * @param requestId - Request the result belongs to.
 * @param result - Outcome of the simulation.
 */
export type OnSimulationResult = (
  requestId: string,
  result: JobResult<WhoCanAllowed | undefined, Record<string, unknown>>
) => void;

/**
 * Decides whether deny details should be gathered for a denied simulation.
 *
 * @param requestId - Request the denied simulation belongs to.
 * @param lightAnalysis - Light analysis of the denied simulation.
 * @returns `true` to collect and deliver deny details, `false` to skip them.
 */
export type OnCheckDenyDetails = (
  requestId: string,
  lightAnalysis: LightRequestAnalysis
) => boolean;

/**
 * Delivers a deny detail record once it is available.
 *
 * @param requestId - Request the detail belongs to.
 * @param detail - The deny detail record.
 */
export type OnDenyDetail = (requestId: string, detail: WhoCanDenyDetail) => void;

/**
 * Builds a main-thread `PullBasedJobRunner` that drains tagged work items from
 * the processor's FIFO scheduler and reports each outcome back by request ID.
 *
 * Every job's properties carry its `requestId`, which is what lets
 * `onComplete` route the result without needing a worker ID.
 *
 * @param dequeueWork - Source of the next tagged work item.
 * @param onSimulationResult - Receives allowed, denied and error outcomes.
 * @param onCheckDenyDetails - Asked whether a denied simulation needs deny details.
 * @param onDenyDetail - Receives deny detail records.
 * @param collectClient - IAM collect client used to fetch policy data.
 * @param s3AbacOverride - Optional S3 ABAC override applied when checking S3
 *   bucket access; pass `undefined` for none. NOTE(review): results produced
 *   under an override reflect the override, not the live ABAC configuration —
 *   confirm its exact semantics in `s3Abac.js` before relying on them.
 * @param collectGrantDetails - Whether grant details are collected for allowed simulations.
 * @param concurrency - Number of simulations run at once on the main thread;
 *   defaults to 50 when omitted.
 * @returns a runner that processes tagged whoCan work items.
 */
export declare function createMainThreadStreamingWorkQueue(
  dequeueWork: DequeueWork,
  onSimulationResult: OnSimulationResult,
  onCheckDenyDetails: OnCheckDenyDetails,
  onDenyDetail: OnDenyDetail,
  collectClient: IamCollectClient,
  s3AbacOverride: S3AbacOverride | undefined,
  collectGrantDetails: boolean,
  concurrency?: number
): PullBasedJobRunner<WhoCanExecutionResult, MainThreadJobProperties, TaggedWhoCanWorkItem>;
export {};
//# sourceMappingURL=WhoCanMainThreadWorker.d.ts.map