feat(auth): add repository permission schema

- Implement RepoPermissionSchema with NSID validation
- Support optional actions array
- Transform to correct query string format
- Add validation for collection names

Author: bitbeckers

packages/sdk-core/src/auth/permissions.ts

@@ -183,3 +183,51 @@ export const AccountPermissionSchema = z
  * Input type for account permission (before transform).
  */
 export type AccountPermissionInput = z.input<typeof AccountPermissionSchema>;
+
+/**
+ * Zod schema for repository permission.
+ *
+ * Repository permissions control write access to records by collection type.
+ * The collection must be a valid NSID or wildcard (*).
+ *
+ * @example Without actions (all actions allowed)
+ * ```typescript
+ * const input = { type: 'repo', collection: 'app.bsky.feed.post' };
+ * RepoPermissionSchema.parse(input); // Returns: "repo:app.bsky.feed.post"
+ * ```
+ *
+ * @example With specific actions
+ * ```typescript
+ * const input = {
+ *   type: 'repo',
+ *   collection: 'app.bsky.feed.post',
+ *   actions: ['create', 'update']
+ * };
+ * RepoPermissionSchema.parse(input); // Returns: "repo:app.bsky.feed.post?action=create&action=update"
+ * ```
+ *
+ * @example With wildcard collection
+ * ```typescript
+ * const input = { type: 'repo', collection: '*', actions: ['delete'] };
+ * RepoPermissionSchema.parse(input); // Returns: "repo:*?action=delete"
+ * ```
+ */
+export const RepoPermissionSchema = z
+  .object({
+    type: z.literal("repo"),
+    collection: NsidSchema.or(z.literal("*")),
+    actions: z.array(RepoActionSchema).optional(),
+  })
+  .transform(({ collection, actions }) => {
+    let perm = `repo:${collection}`;
+    if (actions && actions.length > 0) {
+      const params = actions.map((a) => `action=${a}`).join("&");
+      perm += `?${params}`;
+    }
+    return perm;
+  });
+
+/**
+ * Input type for repository permission (before transform).
+ */
+export type RepoPermissionInput = z.input<typeof RepoPermissionSchema>;

packages/sdk-core/tests/auth/permissions.test.ts

@@ -10,6 +10,7 @@ import {
   MimeTypeSchema,
   NsidSchema,
   AccountPermissionSchema,
+  RepoPermissionSchema,
 } from "../../src/auth/permissions.js";
 
 describe("Permission Constants", () => {
@@ -228,3 +229,96 @@ describe("AccountPermissionSchema", () => {
     expect(() => AccountPermissionSchema.parse(input)).toThrow();
   });
 });
+
+describe("RepoPermissionSchema", () => {
+  it("should transform repo with NSID collection without actions", () => {
+    const input = { type: "repo" as const, collection: "app.bsky.feed.post" };
+    const result = RepoPermissionSchema.parse(input);
+    expect(result).toBe("repo:app.bsky.feed.post");
+  });
+
+  it("should transform repo with wildcard collection", () => {
+    const input = { type: "repo" as const, collection: "*" };
+    const result = RepoPermissionSchema.parse(input);
+    expect(result).toBe("repo:*");
+  });
+
+  it("should transform repo with single action", () => {
+    const input = {
+      type: "repo" as const,
+      collection: "app.bsky.feed.post",
+      actions: ["create" as const],
+    };
+    const result = RepoPermissionSchema.parse(input);
+    expect(result).toBe("repo:app.bsky.feed.post?action=create");
+  });
+
+  it("should transform repo with multiple actions", () => {
+    const input = {
+      type: "repo" as const,
+      collection: "app.bsky.feed.post",
+      actions: ["create" as const, "update" as const],
+    };
+    const result = RepoPermissionSchema.parse(input);
+    expect(result).toBe("repo:app.bsky.feed.post?action=create&action=update");
+  });
+
+  it("should transform repo with all three actions", () => {
+    const input = {
+      type: "repo" as const,
+      collection: "com.example.record",
+      actions: ["create" as const, "update" as const, "delete" as const],
+    };
+    const result = RepoPermissionSchema.parse(input);
+    expect(result).toBe("repo:com.example.record?action=create&action=update&action=delete");
+  });
+
+  it("should transform repo with wildcard and delete action", () => {
+    const input = {
+      type: "repo" as const,
+      collection: "*",
+      actions: ["delete" as const],
+    };
+    const result = RepoPermissionSchema.parse(input);
+    expect(result).toBe("repo:*?action=delete");
+  });
+
+  it("should handle empty actions array (no query params)", () => {
+    const input = {
+      type: "repo" as const,
+      collection: "app.bsky.feed.post",
+      actions: [],
+    };
+    const result = RepoPermissionSchema.parse(input);
+    expect(result).toBe("repo:app.bsky.feed.post");
+  });
+
+  it("should reject invalid NSID format", () => {
+    const input = { type: "repo" as const, collection: "InvalidNSID" };
+    expect(() => RepoPermissionSchema.parse(input)).toThrow();
+  });
+
+  it("should reject invalid action values", () => {
+    const input = {
+      type: "repo" as const,
+      collection: "app.bsky.feed.post",
+      actions: ["invalid"],
+    };
+    expect(() => RepoPermissionSchema.parse(input)).toThrow();
+  });
+
+  it("should reject missing type field", () => {
+    const input = { collection: "app.bsky.feed.post" };
+    expect(() => RepoPermissionSchema.parse(input)).toThrow();
+  });
+
+  it("should reject wrong type value", () => {
+    const input = { type: "account", collection: "app.bsky.feed.post" };
+    expect(() => RepoPermissionSchema.parse(input)).toThrow();
+  });
+
+  it("should reject missing collection field", () => {
+    const input = { type: "repo" as const };
+    expect(() => RepoPermissionSchema.parse(input)).toThrow();
+  });
+});