Runtime Validation
Both guards below run against a deliberately corrupt adapter whose getUserRoles returns [123, null] instead of string[]. Built with createGuard, so the global app config is never touched.
The decision was never produced. A corrupt role list cannot grant access.
- error
- AegisValidationError
- code
- VALIDATION_FAILED
- source
- getUserRoles
- resourceKey
- (none)
Aegis validation failed at getUserRoles. The data did not match the configured validator.
Without a validator the same corrupt data flows straight through: a decision is produced from invalid roles, no error raised.
- allowed
- false
- reason
- no-matching-role
- userRoles
- [123,null]
The corrupt [123, null] reached the engine untouched. That is the gap a validator closes.
A validator is any (data: unknown) => T that returns the value or throws. The one here is hand written; a Zod schema.parse drops in unchanged. aegis-guard depends on no validation library.