zap-permit-policy-authoring
Author typed authorization policies with @zap-studio/permit using createPolicy, allow/deny/when, condition combinators, has/hasRole, and mergePolicies vs mergePoliciesAny decision strategies.
Best use case
zap-permit-policy-authoring is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using zap-permit-policy-authoring should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/zap-permit-policy-authoring/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How zap-permit-policy-authoring Compares
| Feature / Agent | zap-permit-policy-authoring | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Author typed authorization policies with @zap-studio/permit using createPolicy, allow/deny/when, condition combinators, has/hasRole, and mergePolicies vs mergePoliciesAny decision strategies.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# @zap-studio/permit — Policy Authoring
## Setup
```ts
import { z } from "zod";
import { createPolicy, allow, when } from "@zap-studio/permit";
import type { Resources, Actions } from "@zap-studio/permit/types";

// Resource schemas: resources passed to can() are validated against these
const resources = {
  post: z.object({ id: z.string(), authorId: z.string() }),
} satisfies Resources;

// Actions that may be checked for each resource type
const actions = {
  post: ["read", "write"],
} as const satisfies Actions<typeof resources>;

type AppContext = { user: { id: string; role: "user" | "admin" } };

const policy = createPolicy<AppContext>({
  resources,
  actions,
  rules: {
    post: {
      read: allow(), // anyone may read
      write: when((ctx, _action, post) => ctx.user.id === post.authorId), // author only
    },
  },
});
```
## Core Patterns
### Compose conditions with `and`, `or`, and `not`
```ts
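import { when, and, or, not } from "@zap-studio/permit";

// Assumes the post schema also declares `locked` and `visibility`
// (the Setup schema above only has `id` and `authorId`).

// The author may edit unless the post is locked
const canEdit = when(
  and(
    (ctx, _action, post) => ctx.user.id === post.authorId,
    not((_ctx, _action, post) => post.locked === true),
  ),
);

// Public posts are readable by anyone; otherwise only by the author
const canRead = when(
  or(
    (_ctx, _action, post) => post.visibility === "public",
    (ctx, _action, post) => ctx.user.id === post.authorId,
  ),
);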
```
### Add role inheritance checks with `hasRole`
```ts
import { when, hasRole } from "@zap-studio/permit";

// Each role lists the roles it inherits from
const hierarchy = {
  guest: [],
  user: ["guest"],
  admin: ["user"],
} as const;

const adminOnly = when(hasRole("admin", hierarchy));
```
### Choose merge strategy explicitly
```ts
import { mergePolicies, mergePoliciesAny } from "@zap-studio/permit";
const strict = mergePolicies(basePolicy, tenantPolicy); // all must allow
const permissive = mergePoliciesAny(basePolicy, temporaryOverridePolicy); // any can allow
```
## Common Mistakes
### HIGH Using action missing from actions map
Wrong:
```ts
await policy.can(ctx, "publish", "post", post);
```
Correct:
```ts
const actions = {
  post: ["read", "write", "publish"],
} as const;

await policy.can(ctx, "publish", "post", post);
```
`can()` first checks `actions[resourceType]`; missing actions always resolve to `false`.
Source: zap-studio/monorepo:packages/permit/src/index.ts
### HIGH Assuming invalid resources still hit rule function
Wrong:
```ts
await policy.can(ctx, "write", "post", { id: 123 } as any);
```
Correct:
```ts
await policy.can(ctx, "write", "post", {
  id: "123",
  authorId: ctx.user.id,
});
```
Resource validation runs before policy evaluation; invalid payloads short-circuit to deny.
Source: zap-studio/monorepo:packages/permit/src/index.ts
### MEDIUM Expecting `mergePoliciesAny` to enforce deny-overrides
Wrong:
```ts
const merged = mergePoliciesAny(basePolicy, restrictivePolicy);
// expecting restrictivePolicy to always win
```
Correct:
```ts
const merged = mergePolicies(basePolicy, restrictivePolicy);
// deny-overrides behavior
```
`mergePoliciesAny` returns allowed when any policy allows; use `mergePolicies` for strict composition.
Source: zap-studio/monorepo:packages/permit/src/index.ts
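A dependency-free model of the decision order described in the three mistakes above, added here as an illustration and not taken from @zap-studio/permit. `modelPolicy`, `isPost`, `mergeAll` and `mergeAny` are hypothetical stand-ins for the library's behavior as this page states it, and the sample policies and data are constructed.

```typescript
// Stand-alone model of the decision order described above; not @zap-studio/permit code.
type Ctx = { user: { id: string; role: "user" | "admin" } };
type Post = { id: string; authorId: string };
type Rule = (ctx: Ctx, action: string, post: Post) => boolean;
type ModelPolicy = { can(ctx: Ctx, action: string, resource: unknown): boolean };

// Hypothetical stand-in for the schema validation of a post resource.
function isPost(r: unknown): r is Post {
  if (typeof r !== "object" || r === null) return false;
  const o = r as Record<string, unknown>;
  return typeof o.id === "string" && typeof o.authorId === "string";
}

function modelPolicy(actions: readonly string[], rules: Record<string, Rule>): ModelPolicy {
  return {
    can(ctx, action, resource) {
      if (actions.indexOf(action) === -1) return false; // undeclared action: deny
      if (!isPost(resource)) return false; // invalid resource: deny, rule never runs
      const rule = rules[action];
      return rule ? rule(ctx, action, resource) : false; // assumption: no rule means deny
    },
  };
}

// "All must allow" versus "any can allow", as in the merge strategy comments.
const mergeAll = (...ps: ModelPolicy[]): ModelPolicy => ({ can: (c, a, r) => ps.every((p) => p.can(c, a, r)) });
const mergeAny = (...ps: ModelPolicy[]): ModelPolicy => ({ can: (c, a, r) => ps.some((p) => p.can(c, a, r)) });

// Constructed sample policies and data.
const ownerWrite = modelPolicy(["read", "write"], {
  read: () => true,
  write: (ctx, _action, post) => ctx.user.id === post.authorId,
});
const adminWrite = modelPolicy(["read", "write"], {
  read: () => true,
  write: (ctx) => ctx.user.role === "admin",
});
const alice: Ctx = { user: { id: "u1", role: "user" } }; // author of the post, not an admin
const post: Post = { id: "p1", authorId: "u1" };

function demo() {
  return {
    strict: mergeAll(ownerWrite, adminWrite).can(alice, "write", post), // one policy denies
    permissive: mergeAny(ownerWrite, adminWrite).can(alice, "write", post), // one policy allows
    undeclared: ownerWrite.can(alice, "publish", post), // "publish" is not in the actions list
    invalid: ownerWrite.can(alice, "write", { id: 123 }), // fails validation before the rule
  };
}
```

The same request is denied under the strict merge and allowed under the permissive one, which is why a restrictive policy combined with an any-allows merge does not restrict anything.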
See also: zap-validation-standard-schema/SKILL.md — invalid resource payload behavior.