🧠 Tired of bloated ACLs? Meet scode-acl: A minimal, schema-driven, token-friendly access control system

“Permissions shouldn't feel like building a nuclear reactor.”

— Every developer buried in JSON access trees

---

🔥 What's the problem?

In every project with users, roles, and permissions, you eventually hit something like this:

{
  "user": {
    "profile": {
      "read": true,
      "edit": false
    },
    "settings": {
      "change": true
    }
  },
  "order": {
    "delivery": {
      "cancel": true
    }
  }
}

😵‍💫 Massive, nested JSON

🤯 Redundant data (false/null/undefined)

🧩 Pain to store in JWTs, sessions, or URLs

🧨 Breaks when schema changes

---

🚀 Enter scode-acl

scode-acl (Structured Compressed ACL) is a schema-driven, ultra-compact access control tool built with TypeScript. It compresses permission data into string-encoded indexes like "0 3 7", verifiable by schema hash.

🛡 Core ideas:

• ✅ Schema → dot paths → compressed string

• ✅ Only stores true permissions

• ✅ Validates schema with crc32 or sha256

• ✅ Works great in JWTs, cookies, URLs, mobile apps

• ✅ Full access check API

---

⚙️ Flat Mode Example

import { createFlatSCode } from "scode-acl";

const schema = {
  user: {
    profile: ["read", "update"],
    settings: ["change"],
  },
  order: {
    delivery: ["cancel"],
  },
};

const access = {
  user: {
    profile: { read: true },
    settings: { change: true },
  },
  order: {
    delivery: { cancel: true },
  },
};

const formatter = createFlatSCode(schema);
const { access: accessString, schemaHash } = formatter.encodeAccess(access);

console.log(accessString); // → "0 3 5"

---

🔍 Parse access string

formatter.parseAccess(accessString, schemaHash);
// → ['user.profile.read', 'user.settings.change', 'order.delivery.cancel']

---

✅ Check a permission

formatter.hasAccess("user.profile.read", accessString);
// → true

---

⚡ Performance Comparison

Format

Encode Time

Size (30+ permissions)

JSON

~8ms

~300 bytes

scode-acl

~1.2ms

~16–28 bytes

It’s basically JWT-safe and sessionStorage-ready.

---

🔌 Use Cases

• ✅ JWT tokens — fits easily in payload

• ✅ GraphQL/REST auth guards

• ✅ Admin panels — cleaner than boolean spaghetti

• ✅ Mobile/web apps — tiny access footprint

• ✅ Firebase custom claims / access tokens

---

🔮 Why is it useful?

• Only true permissions are stored

• Schema hash ensures backward compatibility

• Tiny strings — easier to debug than full JSON

• Supports Flat and Nested encoding

• 100% TypeScript — type-safe, fast, and portable

---

🛠 Install

npm install scode-acl

---

🛣 Roadmap

• Wildcard permissions (user.profile.*)

• Role groups (admin, viewer)

• GUI schema editor (Web playground)

• Schema → TS type generator

---

🔗 Links

• 🧠 GitHub Repo

• 📦 NPM Package

• 🤝 Maintainer: @diyor-dev on LinkedIn

---

🧠 Final thoughts

Most ACL systems are heavy, bloated, or overcomplicated.

scode-acl is a minimalistic alternative designed to be:

🧩 Small enough to fit in a token.

🔍 Clear enough to read as a dot path.

🧠 Smart enough to validate itself.

---

If you're building systems that deal with auth, access control, roles, or modular UIs — try scode-acl.

Use it, fork it, improve it.

And if you’ve been burned by ACL complexity before —

you’ll probably find this very refreshing.

Comments

[Fazliddin Quvatboyev]

very nice