@asteby/metacore-runtime-react 18.13.3 → 18.14.0

package/src/__tests__/permissions-context.test.tsx

@@ -0,0 +1,102 @@
+// @vitest-environment happy-dom
+import { afterEach, describe, expect, it } from 'vitest'
+import { cleanup, render, screen } from '@testing-library/react'
+
+// Sin `globals: true` en vitest, RTL no auto-limpia entre tests.
+afterEach(cleanup)
+import {
+    PermissionsProvider,
+    useCan,
+    usePermissionsActive,
+    makeCan,
+    capabilityForActionKey,
+    modelCapability,
+} from '../permissions-context'
+
+function Probe({ capability }: { capability: string }) {
+    const can = useCan()
+    return <span data-testid="probe">{can(capability) ? 'allowed' : 'denied'}</span>
+}
+
+function ActiveProbe() {
+    const active = usePermissionsActive()
+    return <span data-testid="active">{active ? 'yes' : 'no'}</span>
+}
+
+describe('makeCan', () => {
+    it('isAdmin permite todo', () => {
+        const can = makeCan([], true)
+        expect(can('pos_orders.create')).toBe(true)
+        expect(can('cualquier.cosa')).toBe(true)
+    })
+
+    it('capability exacta en la lista → true; ausente → false', () => {
+        const can = makeCan(['pos_orders.index', 'general.work_after_hours'], false)
+        expect(can('pos_orders.index')).toBe(true)
+        expect(can('general.work_after_hours')).toBe(true)
+        expect(can('pos_orders.create')).toBe(false)
+    })
+
+    it('wildcard "*" permite todo', () => {
+        const can = makeCan(['*'], false)
+        expect(can('pos_orders.delete')).toBe(true)
+        expect(can('lo.que.sea')).toBe(true)
+    })
+})
+
+describe('useCan', () => {
+    it('sin provider → siempre true (comportamiento legacy, nada se oculta)', () => {
+        render(<Probe capability="pos_orders.create" />)
+        expect(screen.getByTestId('probe').textContent).toBe('allowed')
+    })
+
+    it('con provider no-admin: exacta permitida, resto denegado', () => {
+        render(
+            <PermissionsProvider permissions={['pos_orders.index']} isAdmin={false}>
+                <Probe capability="pos_orders.index" />
+            </PermissionsProvider>,
+        )
+        expect(screen.getByTestId('probe').textContent).toBe('allowed')
+
+        render(
+            <PermissionsProvider permissions={['pos_orders.index']} isAdmin={false}>
+                <Probe capability="pos_orders.create" />
+            </PermissionsProvider>,
+        )
+        expect(screen.getAllByTestId('probe')[1].textContent).toBe('denied')
+    })
+
+    it('con provider isAdmin → todo permitido', () => {
+        render(
+            <PermissionsProvider permissions={[]} isAdmin={true}>
+                <Probe capability="pos_orders.delete" />
+            </PermissionsProvider>,
+        )
+        expect(screen.getByTestId('probe').textContent).toBe('allowed')
+    })
+
+    it('usePermissionsActive refleja la presencia del provider', () => {
+        render(<ActiveProbe />)
+        expect(screen.getByTestId('active').textContent).toBe('no')
+        render(
+            <PermissionsProvider permissions={[]} isAdmin={false}>
+                <ActiveProbe />
+            </PermissionsProvider>,
+        )
+        expect(screen.getAllByTestId('active')[1].textContent).toBe('yes')
+    })
+})
+
+describe('capability mapping', () => {
+    it('view→index, edit→update, resto verbatim', () => {
+        expect(capabilityForActionKey('view')).toBe('index')
+        expect(capabilityForActionKey('edit')).toBe('update')
+        expect(capabilityForActionKey('delete')).toBe('delete')
+        expect(capabilityForActionKey('pagar')).toBe('pagar')
+    })
+
+    it('modelCapability lowercasea el modelo', () => {
+        expect(modelCapability('PosOrders', 'create')).toBe('posorders.create')
+        expect(modelCapability('pos_orders', 'edit')).toBe('pos_orders.update')
+    })
+})

package/src/__tests__/permissions-manager.test.tsx

@@ -0,0 +1,172 @@
+// @vitest-environment happy-dom
+import { afterEach, describe, expect, it, vi } from 'vitest'
+import { cleanup, fireEvent, render, screen, waitFor } from '@testing-library/react'
+
+// Sin `globals: true` en vitest, RTL no auto-limpia entre tests.
+afterEach(cleanup)
+import {
+    PermissionsManager,
+    moduleActionCapability,
+    moduleCapabilities,
+    grantedCountForModule,
+    capabilitySetsEqual,
+    type PermissionsCatalog,
+    type RoleDef,
+} from '../permissions-manager'
+
+const catalog: PermissionsCatalog = {
+    modules: [
+        {
+            key: 'pos_orders',
+            label: 'Pedidos POS',
+            addon_key: 'pos',
+            addon_label: 'Punto de venta',
+            actions: [
+                { key: 'index', label: 'Listar', icon: 'List', kind: 'crud' },
+                { key: 'create', label: 'Crear', icon: 'Plus', kind: 'crud' },
+                { key: 'pagar', label: 'Pagar', icon: 'CreditCard', kind: 'custom' },
+            ],
+        },
+    ],
+    general: [
+        {
+            key: 'general.work_after_hours',
+            label: 'Trabajar fuera de horario',
+            description: 'Permite operar fuera del horario configurado.',
+        },
+    ],
+}
+
+const roles: RoleDef[] = [{ id: 'r1', name: 'cashier', label: 'Cajero', color: '#22c55e' }]
+
+function makeProps(overrides: Partial<Parameters<typeof PermissionsManager>[0]> = {}) {
+    return {
+        loadModules: vi.fn(async () => catalog),
+        loadRoles: vi.fn(async () => roles),
+        loadRolePermissions: vi.fn(async () => ['pos_orders.index']),
+        syncRolePermissions: vi.fn(async () => {}),
+        ...overrides,
+    }
+}
+
+describe('helpers puros', () => {
+    it('moduleActionCapability lowercasea el módulo', () => {
+        expect(moduleActionCapability('Pos_Orders', 'pagar')).toBe('pos_orders.pagar')
+    })
+
+    it('moduleCapabilities y grantedCountForModule', () => {
+        const mod = catalog.modules[0]
+        expect(moduleCapabilities(mod)).toEqual([
+            'pos_orders.index',
+            'pos_orders.create',
+            'pos_orders.pagar',
+        ])
+        expect(grantedCountForModule(new Set(['pos_orders.index', 'otra.cosa']), mod)).toBe(1)
+    })
+
+    it('capabilitySetsEqual', () => {
+        expect(capabilitySetsEqual(new Set(['a', 'b']), new Set(['b', 'a']))).toBe(true)
+        expect(capabilitySetsEqual(new Set(['a']), new Set(['a', 'b']))).toBe(false)
+    })
+})
+
+describe('PermissionsManager', () => {
+    it('renderiza catálogo con mocks, auto-selecciona rol y módulo, contador N/M', async () => {
+        const props = makeProps()
+        render(<PermissionsManager {...props} />)
+
+        // Auto-selección: primer rol + primer módulo, grid con las acciones.
+        expect(await screen.findByText('Acciones permitidas')).toBeTruthy()
+        expect(await screen.findByText('Pagar')).toBeTruthy()
+        expect(screen.getByText('1/3')).toBeTruthy()
+        expect(props.loadRolePermissions).toHaveBeenCalledWith('r1')
+
+        // Generales presentes con descripción.
+        expect(screen.getByText('Permisos Generales')).toBeTruthy()
+        expect(screen.getByText('Trabajar fuera de horario')).toBeTruthy()
+    })
+
+    it('marcar una acción + un general y guardar llama sync con el set completo correcto', async () => {
+        const props = makeProps()
+        render(<PermissionsManager {...props} />)
+        await screen.findByText('Pagar')
+
+        fireEvent.click(screen.getByRole('checkbox', { name: /Pagar/ }))
+        fireEvent.click(screen.getByRole('checkbox', { name: /Trabajar fuera de horario/ }))
+
+        // Dirty visible y guardar habilitado.
+        expect(screen.getByText('Cambios sin guardar')).toBeTruthy()
+        fireEvent.click(screen.getByRole('button', { name: /Guardar permisos/ }))
+
+        await waitFor(() =>
+            expect(props.syncRolePermissions).toHaveBeenCalledWith('r1', [
+                'general.work_after_hours',
+                'pos_orders.index',
+                'pos_orders.pagar',
+            ]),
+        )
+        // Tras guardar, baseline = draft → dirty desaparece.
+        await waitFor(() => expect(screen.queryByText('Cambios sin guardar')).toBeNull())
+    })
+
+    it('desmarcar una otorgada también entra al delta', async () => {
+        const props = makeProps()
+        render(<PermissionsManager {...props} />)
+        await screen.findByText('Pagar')
+
+        fireEvent.click(screen.getByRole('checkbox', { name: /Listar/ }))
+        fireEvent.click(screen.getByRole('button', { name: /Guardar permisos/ }))
+        await waitFor(() => expect(props.syncRolePermissions).toHaveBeenCalledWith('r1', []))
+    })
+
+    it('marcar todo / limpiar operan sobre el módulo activo', async () => {
+        const props = makeProps()
+        render(<PermissionsManager {...props} />)
+        await screen.findByText('Pagar')
+
+        fireEvent.click(screen.getByRole('button', { name: /Marcar todo/ }))
+        expect(screen.getByText('3/3')).toBeTruthy()
+
+        fireEvent.click(screen.getByRole('button', { name: /Guardar permisos/ }))
+        await waitFor(() =>
+            expect(props.syncRolePermissions).toHaveBeenCalledWith('r1', [
+                'pos_orders.create',
+                'pos_orders.index',
+                'pos_orders.pagar',
+            ]),
+        )
+
+        fireEvent.click(screen.getByRole('button', { name: /Limpiar/ }))
+        expect(screen.getByText('0/3')).toBeTruthy()
+    })
+
+    it('guardar deshabilitado sin cambios', async () => {
+        const props = makeProps()
+        render(<PermissionsManager {...props} />)
+        await screen.findByText('Pagar')
+        const save = screen.getByRole('button', { name: /Guardar permisos/ }) as HTMLButtonElement
+        expect(save.disabled).toBe(true)
+    })
+
+    it('oculta Nuevo rol / Editar / Eliminar cuando no hay mutators de rol', async () => {
+        const props = makeProps()
+        render(<PermissionsManager {...props} />)
+        await screen.findByText('Pagar')
+        expect(screen.queryByRole('button', { name: /Nuevo rol/ })).toBeNull()
+        expect(screen.queryByRole('button', { name: 'Editar rol' })).toBeNull()
+        expect(screen.queryByRole('button', { name: 'Eliminar rol' })).toBeNull()
+    })
+
+    it('muestra los CRUD de rol cuando los mutators existen', async () => {
+        const props = makeProps({
+            createRole: vi.fn(async () => {}),
+            updateRole: vi.fn(async () => {}),
+            deleteRole: vi.fn(async () => {}),
+        })
+        render(<PermissionsManager {...props} />)
+        await screen.findByText('Pagar')
+        expect(screen.getByRole('button', { name: /Nuevo rol/ })).toBeTruthy()
+        expect(screen.getByRole('button', { name: 'Editar rol' })).toBeTruthy()
+        expect(screen.getByRole('button', { name: 'Eliminar rol' })).toBeTruthy()
+    })
+})

package/src/dynamic-crud-page.tsx

@@ -37,6 +37,7 @@ import { ExportDialog } from './dialogs/export'
 import { ImportDialog } from './dialogs/import'
 import { getModelExtension } from './model-extension-registry'
 import { ModelActionToolbar } from './model-action-toolbar'
+import { useCan, modelCapability } from './permissions-context'
 import type { TableMetadata } from './types'
 
 export interface DynamicCRUDPageStrings {
@@ -165,9 +166,13 @@ export function DynamicCRUDPage(props: DynamicCRUDPageProps) {
     // showing one in the page chrome is just visual duplication. Apps that
     // want it back can pass `hideRefresh={false}`.
     const effectiveHideRefresh = hideRefresh ?? ext?.hideRefresh ?? true
-    const showCreate = enableCRUD && !effectiveHideCreate
-    const showImport = enableCRUD && !effectiveHideImport
-    const showExport = !effectiveHideExport
+    // Capability gating — no-op unless the host mounts <PermissionsProvider>
+    // (useCan defaults to always-true), in which case create/export/import
+    // require `lowercase(model).create|export|import`.
+    const can = useCan()
+    const showCreate = enableCRUD && !effectiveHideCreate && can(modelCapability(model, 'create'))
+    const showImport = enableCRUD && !effectiveHideImport && can(modelCapability(model, 'import'))
+    const showExport = !effectiveHideExport && can(modelCapability(model, 'export'))
     const showRefresh = !effectiveHideRefresh
 
     const handleRefresh = useCallback(() => {

package/src/dynamic-table.tsx

@@ -71,6 +71,7 @@ import { OptionsContext } from './options-context'
 import { ActionModalDispatcher } from './action-modal-dispatcher'
 import type { TableMetadata, ApiResponse, ActionMetadata } from './types'
 import { getSearchableColumnKeys } from './column-visibility'
+import { useCan, usePermissionsActive, gateTableMetadata } from './permissions-context'
 import { DynamicRecordDialog } from './dialogs/dynamic-record'
 import { ExportDialog } from './dialogs/export'
 import { ImportDialog } from './dialogs/import'
@@ -369,6 +370,18 @@ export function DynamicTable({
         [metadata],
     )
 
+    // Permission gating — only active when the host mounts <PermissionsProvider>.
+    // Without it `viewMetadata === metadata` and nothing changes (everything
+    // stays visible, exactly the legacy behaviour). With it, export/import
+    // buttons and row actions (incl. the implicit View/Edit/Delete trio) are
+    // filtered by `can(lowercase(model).<action>)`.
+    const can = useCan()
+    const permissionsActive = usePermissionsActive()
+    const viewMetadata = useMemo(() => {
+        if (!metadata || !permissionsActive) return metadata
+        return gateTableMetadata(metadata, model, can, (key, fallback) => t(key, { defaultValue: fallback }))
+    }, [metadata, permissionsActive, can, model, t])
+
     const buildFilterParams = useCallback(() => {
         const params: Record<string, any> = {}
         if (sorting.length > 0) {
@@ -640,19 +653,19 @@ export function DynamicTable({
     }, [metadata, filterOptionsMap, dynamicFilters, handleDynamicFilterChange])
 
     const columns = useMemo(() => {
-        if (!metadata) return []
+        if (!viewMetadata) return []
         // Row-action column only renders per-row actions. Table-level placements
         // ("table"/"create") are surfaced by <ModelActionToolbar> at the page
         // level, so strip them here to avoid a meaningless per-row button.
-        const rowMetadata = metadata.actions?.some((a) => a.placement === 'table' || a.placement === 'create')
-            ? { ...metadata, actions: metadata.actions.filter((a) => !a.placement || a.placement === 'row') }
-            : metadata
+        const rowMetadata = viewMetadata.actions?.some((a) => a.placement === 'table' || a.placement === 'create')
+            ? { ...viewMetadata, actions: viewMetadata.actions.filter((a) => !a.placement || a.placement === 'row') }
+            : viewMetadata
         const baseColumns = getDynamicColumns(rowMetadata, handleInternalAction, t, i18n.language, columnFilterConfigs, timeZone, currency)
         const filteredBase = baseColumns.filter((col: ColumnDef<any>) => !hiddenColumns.includes(col.id as string))
         const actionsCol = filteredBase.find((c: ColumnDef<any>) => c.id === 'actions')
         const otherCols = filteredBase.filter((c: ColumnDef<any>) => c.id !== 'actions')
         return [...otherCols, ...extraColumns, ...(actionsCol ? [actionsCol] : [])]
-    }, [metadata, handleInternalAction, hiddenColumns, extraColumns, t, i18n.language, columnFilterConfigs, getDynamicColumns, timeZone, currency])
+    }, [viewMetadata, handleInternalAction, hiddenColumns, extraColumns, t, i18n.language, columnFilterConfigs, getDynamicColumns, timeZone, currency])
 
     const filters = useMemo(() => [], [])
 
@@ -745,12 +758,12 @@ export function DynamicTable({
                         onBulkDelete={() => setShowBulkDeleteConfirm(true)}
                         extraActions={
                             <>
-                                {metadata.canExport && (
+                                {viewMetadata?.canExport && (
                                     <Button variant="outline" size="sm" className="h-8" onClick={() => setExportOpen(true)}>
                                         <Download className="h-4 w-4 mr-1" /> Exportar
                                     </Button>
                                 )}
-                                {metadata.canImport && (
+                                {viewMetadata?.canImport && (
                                     <Button variant="outline" size="sm" className="h-8" onClick={() => setImportOpen(true)}>
                                         <Upload className="h-4 w-4 mr-1" /> Importar
                                     </Button>
@@ -997,10 +1010,10 @@ export function DynamicTable({
                 onSaved={handleRefresh}
             />
 
-            {metadata.canExport && (
+            {viewMetadata?.canExport && (
                 <ExportDialog open={exportOpen} onOpenChange={setExportOpen} model={model} metadata={metadata} currentFilters={buildFilterParams()} hasActiveFilters={hasActiveFilters} />
             )}
-            {metadata.canImport && (
+            {viewMetadata?.canImport && (
                 <ImportDialog open={importOpen} onOpenChange={setImportOpen} model={model} metadata={metadata} onImported={handleRefresh} />
             )}
             {actionModal.action && (

package/src/index.ts

@@ -28,6 +28,32 @@ export {
 } from './addon-layout-context'
 export * from './slot'
 export * from './capability-gate'
+export {
+    PermissionsProvider,
+    useCan,
+    usePermissionsActive,
+    makeCan,
+    capabilityForActionKey,
+    modelCapability,
+    gateTableMetadata,
+    type CanFn,
+    type PermissionsProviderProps,
+} from './permissions-context'
+export {
+    PermissionsManager,
+    moduleActionCapability,
+    moduleCapabilities,
+    grantedCountForModule,
+    capabilitySetsEqual,
+    defaultActionIcon,
+    type PermissionsManagerProps,
+    type PermissionsCatalog,
+    type PermissionModuleDef,
+    type PermissionActionDef,
+    type GeneralPermissionDef,
+    type RoleDef,
+    type RoleInput,
+} from './permissions-manager'
 export * from './org-runtime-context'
 export * from './org-runtime-provider'
 export * from './navigation-builder'

package/src/model-action-toolbar.tsx

@@ -23,6 +23,7 @@ import { useApi } from './api-context'
 import { useMetadataCache } from './metadata-cache'
 import { DynamicIcon } from './dynamic-icon'
 import { ActionModalDispatcher } from './action-modal-dispatcher'
+import { useCan, modelCapability } from './permissions-context'
 import type { ActionDefinition, ActionMetadata, TableMetadata } from './types'
 
 export type ActionPlacement = 'row' | 'table' | 'create'
@@ -108,7 +109,14 @@ export function ModelActionToolbar({
     onChange,
     className,
 }: ModelActionToolbarProps) {
-    const surfaced = useModelActions(model, placements, actions)
+    const all = useModelActions(model, placements, actions)
+    // Capability gating — always-true without a <PermissionsProvider>. Custom
+    // table/create actions map onto `lowercase(model).<action_key>`.
+    const can = useCan()
+    const surfaced = useMemo(
+        () => all.filter((a) => can(modelCapability(model, a.key))),
+        [all, can, model],
+    )
     const [active, setActive] = useState<ActionMetadata | null>(null)
     const dataEndpoint = endpoint ?? `/data/${model}/me`
 

package/src/permissions-context.tsx

@@ -0,0 +1,158 @@
+// permissions-context — runtime permission primitives for dynamic hosts.
+//
+// The host loads the session's capability set (e.g. ops `GET /permissions/me`)
+// and mounts <PermissionsProvider permissions={caps} isAdmin={me.is_admin}>
+// once at the root. Any SDK component (or host code) then calls `useCan()` to
+// gate UI by capability:
+//
+//   const can = useCan()
+//   can('pos_orders.create')  // → boolean
+//
+// Capability format is the canonical `lowercase(<model_table>).<action_key>`
+// derived from installed manifests (CRUD: index|create|update|delete|export|
+// import; custom actions use their own key, e.g. `pos_orders.pagar`). General
+// flags live under the `general` module (`general.work_after_hours`).
+//
+// Semantics:
+//   - isAdmin → every capability allowed (superrole bypass mirror).
+//   - the list contains the exact capability or the `*` wildcard → allowed.
+//   - NO provider mounted → `useCan()` returns an always-true function, so
+//     every existing host keeps its current behaviour (nothing is hidden).
+//     Deny-by-default only kicks in once the host opts in by mounting the
+//     provider; the backend enforcement remains the source of truth.
+import React, { createContext, useContext, useMemo } from 'react'
+import type { TableMetadata, ActionDefinition } from './types'
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+/** Predicate answering "can the current user use this capability?". */
+export type CanFn = (capability: string) => boolean
+
+export interface PermissionsProviderProps {
+    /** Granted capabilities (`"pos_orders.create"`, `"general.x"`, or `"*"`). */
+    permissions: string[]
+    /** Superrole bypass — admins/owners see everything, no filtering at all. */
+    isAdmin: boolean
+    children: React.ReactNode
+}
+
+// ---------------------------------------------------------------------------
+// Core
+// ---------------------------------------------------------------------------
+
+/**
+ * Builds the capability predicate from a raw permission list. Pure — exported
+ * so hosts/tests can evaluate permissions outside React.
+ */
+export function makeCan(permissions: string[], isAdmin: boolean): CanFn {
+    if (isAdmin) return () => true
+    const set = new Set(permissions)
+    if (set.has('*')) return () => true
+    return (capability) => set.has(capability)
+}
+
+const ALWAYS_ALLOW: CanFn = () => true
+
+const PermissionsContext = createContext<CanFn | null>(null)
+
+export function PermissionsProvider({ permissions, isAdmin, children }: PermissionsProviderProps) {
+    const can = useMemo(() => makeCan(permissions, isAdmin), [permissions, isAdmin])
+    return <PermissionsContext.Provider value={can}>{children}</PermissionsContext.Provider>
+}
+
+/**
+ * Returns the capability predicate. Without a <PermissionsProvider> ancestor
+ * it returns an always-true function — existing hosts that never mount the
+ * provider keep today's "everything visible" behaviour.
+ */
+export function useCan(): CanFn {
+    return useContext(PermissionsContext) ?? ALWAYS_ALLOW
+}
+
+/** True when a <PermissionsProvider> is mounted above (permission gating active). */
+export function usePermissionsActive(): boolean {
+    return useContext(PermissionsContext) !== null
+}
+
+// ---------------------------------------------------------------------------
+// Table-metadata gating (consumed by DynamicTable / DynamicCRUDPage /
+// ModelActionToolbar — exported for hosts with bespoke tables)
+// ---------------------------------------------------------------------------
+
+/**
+ * Maps a row/table action key onto the capability action segment. The UI's
+ * legacy `view`/`edit` keys correspond to the kernel's `index`/`update`
+ * capabilities; everything else (delete, custom keys) maps verbatim.
+ */
+export function capabilityForActionKey(actionKey: string): string {
+    if (actionKey === 'view') return 'index'
+    if (actionKey === 'edit') return 'update'
+    return actionKey
+}
+
+/** Canonical capability for an action on a model: `lowercase(model).<action>`. */
+export function modelCapability(model: string, actionKey: string): string {
+    return `${model.toLowerCase()}.${capabilityForActionKey(actionKey)}`
+}
+
+const DEFAULT_TRIO: { key: string; i18nKey: string; fallback: string; icon: string }[] = [
+    { key: 'view', i18nKey: 'datatable.view', fallback: 'Ver', icon: 'Eye' },
+    { key: 'edit', i18nKey: 'datatable.edit', fallback: 'Editar', icon: 'Pencil' },
+    { key: 'delete', i18nKey: 'datatable.delete', fallback: 'Eliminar', icon: 'Trash2' },
+]
+
+/**
+ * Applies the capability predicate to a model's table metadata:
+ *   - `canExport` / `canImport` are ANDed with `can(model.export|import)`.
+ *   - explicit row/table actions are filtered by `can(model.<key>)` (with the
+ *     view→index / edit→update mapping above).
+ *   - when the metadata has NO explicit actions but `enableCRUDActions` is on,
+ *     the implicit View/Edit/Delete trio is materialized here as explicit
+ *     actions so individual entries can be dropped; `tx` resolves their labels
+ *     (defaults to the Spanish fallbacks used by the column factory).
+ *
+ * Pure + idempotent. Callers should only invoke it when a provider is active
+ * (`usePermissionsActive()`), otherwise pass the metadata through untouched.
+ */
+export function gateTableMetadata(
+    metadata: TableMetadata,
+    model: string,
+    can: CanFn,
+    tx: (i18nKey: string, fallback: string) => string = (_k, fallback) => fallback,
+): TableMetadata {
+    const allowed = (key: string) => can(modelCapability(model, key))
+
+    const explicit = metadata.actions ?? []
+    const hasExplicit = (metadata.hasActions ?? explicit.length > 0) && explicit.length > 0
+    const base: ActionDefinition[] = hasExplicit
+        ? explicit
+        : metadata.enableCRUDActions
+          ? DEFAULT_TRIO.map(
+                (a) =>
+                    ({
+                        key: a.key,
+                        name: a.key,
+                        label: tx(a.i18nKey, a.fallback),
+                        icon: a.icon,
+                    }) as ActionDefinition,
+            )
+          : []
+    const actions = base.filter((a) => allowed(a.key))
+
+    return {
+        ...metadata,
+        actions,
+        hasActions: actions.length > 0,
+        // The column factory synthesizes the implicit CRUD trio whenever the
+        // action list is empty and this flag is on — turn it off once gating
+        // has materialized (and possibly emptied) the list so nothing leaks
+        // back in.
+        enableCRUDActions: metadata.enableCRUDActions && actions.length > 0,
+        canExport: Boolean(metadata.canExport) && allowed('export'),
+        canImport: Boolean(metadata.canImport) && allowed('import'),
+        canCreate:
+            metadata.canCreate === undefined ? undefined : metadata.canCreate && allowed('create'),
+    }
+}