npm - @auth-gate/rbac - Versions diffs - 0.8.0 - Mend

@auth-gate/rbac 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/cli.cjs ADDED Viewed

@@ -0,0 +1,789 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+// src/config-loader.ts
+var import_path = require("path");
+var import_fs = require("fs");
+// src/validator.ts
+var KEY_PATTERN = /^[a-z][a-z0-9_]*$/;
+function validateRbacConfig(config) {
+  if (!config || typeof config !== "object") {
+    throw new Error(
+      "RBAC config must be an object. Did you forget `export default defineRbac({ ... })`?"
+    );
+  }
+  const c = config;
+  if (!c.resources || typeof c.resources !== "object" || Array.isArray(c.resources)) {
+    throw new Error("RBAC config must have a `resources` object.");
+  }
+  if (!c.roles || typeof c.roles !== "object" || Array.isArray(c.roles)) {
+    throw new Error("RBAC config must have a `roles` object.");
+  }
+  const resources = c.resources;
+  const roles = c.roles;
+  const resourceKeys = Object.keys(resources);
+  const roleKeys = Object.keys(roles);
+  if (resourceKeys.length === 0) {
+    throw new Error("RBAC config must define at least one resource.");
+  }
+  if (roleKeys.length === 0) {
+    throw new Error("RBAC config must define at least one role.");
+  }
+  const resourceActions = /* @__PURE__ */ new Map();
+  for (const key of resourceKeys) {
+    if (!KEY_PATTERN.test(key)) {
+      throw new Error(
+        `Resource key "${key}" is invalid. Use lowercase alphanumeric with underscores (e.g., "documents", "billing_plans").`
+      );
+    }
+    const resource = resources[key];
+    if (!resource || typeof resource !== "object") {
+      throw new Error(`Resource "${key}" must be an object.`);
+    }
+    if (!Array.isArray(resource.actions) || resource.actions.length === 0) {
+      throw new Error(
+        `Resource "${key}" must have a non-empty "actions" array.`
+      );
+    }
+    for (let i = 0; i < resource.actions.length; i++) {
+      if (typeof resource.actions[i] !== "string") {
+        throw new Error(
+          `Resource "${key}".actions[${i}] must be a string.`
+        );
+      }
+    }
+    resourceActions.set(key, new Set(resource.actions));
+    if (resource.scopes !== void 0) {
+      if (!Array.isArray(resource.scopes)) {
+        throw new Error(`Resource "${key}".scopes must be an array of strings.`);
+      }
+      for (let i = 0; i < resource.scopes.length; i++) {
+        if (typeof resource.scopes[i] !== "string") {
+          throw new Error(`Resource "${key}".scopes[${i}] must be a string.`);
+        }
+      }
+    }
+  }
+  for (const key of roleKeys) {
+    if (!KEY_PATTERN.test(key)) {
+      throw new Error(
+        `Role key "${key}" is invalid. Use lowercase alphanumeric with underscores (e.g., "admin", "org_owner").`
+      );
+    }
+    const role = roles[key];
+    if (!role || typeof role !== "object") {
+      throw new Error(`Role "${key}" must be an object.`);
+    }
+    if (!role.name || typeof role.name !== "string") {
+      throw new Error(`Role "${key}" must have a "name" string.`);
+    }
+    if (!role.grants || typeof role.grants !== "object" || Array.isArray(role.grants)) {
+      throw new Error(`Role "${key}" must have a "grants" object.`);
+    }
+    const grants = role.grants;
+    for (const resourceKey of Object.keys(grants)) {
+      if (!resourceActions.has(resourceKey)) {
+        throw new Error(
+          `Role "${key}".grants references undeclared resource "${resourceKey}". Declared resources: ${[...resourceActions.keys()].join(", ")}.`
+        );
+      }
+      const actionsGrant = grants[resourceKey];
+      if (!actionsGrant || typeof actionsGrant !== "object" || Array.isArray(actionsGrant)) {
+        throw new Error(
+          `Role "${key}".grants.${resourceKey} must be an object mapping actions to grant values.`
+        );
+      }
+      const declaredActions = resourceActions.get(resourceKey);
+      for (const actionKey of Object.keys(actionsGrant)) {
+        if (!declaredActions.has(actionKey)) {
+          throw new Error(
+            `Role "${key}".grants.${resourceKey} references undeclared action "${actionKey}". Declared actions for "${resourceKey}": ${[...declaredActions].join(", ")}.`
+          );
+        }
+        const value = actionsGrant[actionKey];
+        if (value !== true && typeof value !== "string" && !(value && typeof value === "object" && "when" in value && typeof value.when === "string")) {
+          throw new Error(
+            `Role "${key}".grants.${resourceKey}.${actionKey} has invalid value. Expected true, a scope string, or { when: string }.`
+          );
+        }
+      }
+    }
+  }
+  for (const key of roleKeys) {
+    const role = roles[key];
+    if (role.inherits !== void 0) {
+      if (!Array.isArray(role.inherits)) {
+        throw new Error(`Role "${key}".inherits must be an array of role key strings.`);
+      }
+      for (const parent of role.inherits) {
+        if (typeof parent !== "string") {
+          throw new Error(`Role "${key}".inherits contains a non-string value.`);
+        }
+        if (!roleKeys.includes(parent)) {
+          throw new Error(
+            `Role "${key}".inherits references unknown role "${parent}". Declared roles: ${roleKeys.join(", ")}.`
+          );
+        }
+      }
+    }
+  }
+  function detectCycle(roleKey) {
+    const visited = /* @__PURE__ */ new Set();
+    function dfs(current, path) {
+      if (visited.has(current)) {
+        const cycleStart = path.indexOf(current);
+        const cycle = [...path.slice(cycleStart), current].join(" -> ");
+        throw new Error(
+          `Circular inheritance detected: ${cycle}. A role cannot directly or indirectly inherit from itself.`
+        );
+      }
+      visited.add(current);
+      const role = roles[current];
+      if ((role == null ? void 0 : role.inherits) && Array.isArray(role.inherits)) {
+        for (const parent of role.inherits) {
+          dfs(parent, [...path, current]);
+        }
+      }
+      visited.delete(current);
+    }
+    dfs(roleKey, []);
+  }
+  for (const key of roleKeys) {
+    detectCycle(key);
+  }
+  const renameTargets = /* @__PURE__ */ new Map();
+  for (const key of roleKeys) {
+    const role = roles[key];
+    if (role.renamedFrom !== void 0) {
+      if (typeof role.renamedFrom !== "string") {
+        throw new Error(`Role "${key}".renamedFrom must be a string.`);
+      }
+      if (role.renamedFrom === key) {
+        throw new Error(`Role "${key}".renamedFrom cannot equal its own key.`);
+      }
+      if (roleKeys.includes(role.renamedFrom)) {
+        throw new Error(
+          `Role "${key}".renamedFrom "${role.renamedFrom}" cannot reference an existing role key.`
+        );
+      }
+      if (renameTargets.has(role.renamedFrom)) {
+        throw new Error(
+          `renamedFrom "${role.renamedFrom}" is claimed by multiple roles: "${renameTargets.get(role.renamedFrom)}" and "${key}".`
+        );
+      }
+      renameTargets.set(role.renamedFrom, key);
+    }
+  }
+  if (c.conditions !== void 0) {
+    if (typeof c.conditions !== "object" || Array.isArray(c.conditions) || c.conditions === null) {
+      throw new Error("RBAC config `conditions` must be an object mapping names to functions.");
+    }
+    const conditions = c.conditions;
+    for (const [condKey, condValue] of Object.entries(conditions)) {
+      if (typeof condValue !== "function") {
+        throw new Error(
+          `Condition "${condKey}" must be a function. Got ${typeof condValue}.`
+        );
+      }
+    }
+  }
+  return config;
+}
+// src/config-loader.ts
+var CONFIG_FILENAMES = [
+  "authgate.rbac.ts",
+  "authgate.rbac.js",
+  "authgate.rbac.mjs"
+];
+async function loadRbacConfig(cwd) {
+  var _a, _b;
+  let configPath = null;
+  for (const filename of CONFIG_FILENAMES) {
+    const candidate = (0, import_path.resolve)(cwd, filename);
+    if ((0, import_fs.existsSync)(candidate)) {
+      configPath = candidate;
+      break;
+    }
+  }
+  if (!configPath) {
+    throw new Error(
+      `No RBAC config found. Expected one of: ${CONFIG_FILENAMES.join(", ")}
+Run \`npx @auth-gate/rbac init\` to create one.`
+    );
+  }
+  const { createJiti } = await import("jiti");
+  const jiti = createJiti(cwd, { interopDefault: true });
+  const mod = await jiti.import(configPath);
+  const raw = (_b = (_a = mod.default) != null ? _a : mod.rbac) != null ? _b : mod;
+  const config = raw && typeof raw === "object" && "_config" in raw ? raw._config : raw;
+  return validateRbacConfig(config);
+}
+// src/diff.ts
+function hashConditionSource(fn) {
+  const src = fn.toString();
+  let hash = 0;
+  for (let i = 0; i < src.length; i++) {
+    const ch = src.charCodeAt(i);
+    hash = (hash << 5) - hash + ch | 0;
+  }
+  return hash.toString(36);
+}
+function computeRbacDiff(config, server, memberCounts) {
+  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k;
+  const resourceOps = [];
+  const roleOps = [];
+  const conditionOps = [];
+  let hasDestructive = false;
+  const serverResourceByKey = /* @__PURE__ */ new Map();
+  for (const res of server.resources) {
+    if (res.managedBy === "config") {
+      serverResourceByKey.set(res.key, res);
+    }
+  }
+  for (const [key, resource] of Object.entries(config.resources)) {
+    const existing = serverResourceByKey.get(key);
+    if (!existing) {
+      resourceOps.push({ type: "create", key, resource });
+    } else {
+      const changes = [];
+      const existingActions = [...existing.actions].sort().join(",");
+      const configActions = [...resource.actions].sort().join(",");
+      if (existingActions !== configActions) {
+        changes.push(`actions: [${existing.actions.join(", ")}] -> [${[...resource.actions].join(", ")}]`);
+      }
+      const existingScopes = [...(_a = existing.scopes) != null ? _a : []].sort().join(",");
+      const configScopes = [...(_b = resource.scopes) != null ? _b : []].sort().join(",");
+      if (existingScopes !== configScopes) {
+        changes.push("scopes changed");
+      }
+      if (changes.length > 0) {
+        resourceOps.push({ type: "update", key, resource, existing, changes });
+      }
+    }
+    serverResourceByKey.delete(key);
+  }
+  for (const [key, resource] of serverResourceByKey) {
+    if (resource.isActive) {
+      resourceOps.push({ type: "archive", key, existing: resource });
+    }
+  }
+  const serverRoleByKey = /* @__PURE__ */ new Map();
+  const serverRoleByPreviousKey = /* @__PURE__ */ new Map();
+  for (const role of server.roles) {
+    if (role.managedBy === "config") {
+      serverRoleByKey.set(role.configKey, role);
+    }
+    for (const prevKey of (_c = role.previousConfigKeys) != null ? _c : []) {
+      serverRoleByPreviousKey.set(prevKey, role);
+    }
+  }
+  const renameMap = /* @__PURE__ */ new Map();
+  for (const [key, role] of Object.entries(config.roles)) {
+    if (role.renamedFrom) {
+      renameMap.set(role.renamedFrom, key);
+    }
+  }
+  for (const [key, role] of Object.entries(config.roles)) {
+    let existing = serverRoleByKey.get(key);
+    if (!existing && role.renamedFrom) {
+      existing = (_d = serverRoleByKey.get(role.renamedFrom)) != null ? _d : serverRoleByPreviousKey.get(role.renamedFrom);
+      if (existing) {
+        const members = (_e = memberCounts[existing.id]) != null ? _e : 0;
+        roleOps.push({
+          type: "rename",
+          key,
+          oldKey: role.renamedFrom,
+          role,
+          existing,
+          assignedMembers: members
+        });
+        serverRoleByKey.delete(existing.configKey);
+        serverRoleByKey.delete(key);
+        continue;
+      }
+    }
+    if (!existing) {
+      roleOps.push({ type: "create", key, role });
+    } else {
+      const changes = [];
+      if (existing.name !== role.name) {
+        changes.push(`name: "${existing.name}" -> "${role.name}"`);
+      }
+      if (((_f = existing.description) != null ? _f : void 0) !== ((_g = role.description) != null ? _g : void 0)) {
+        changes.push("description changed");
+      }
+      const existingGrants = JSON.stringify((_h = existing.grants) != null ? _h : null);
+      const configGrants = JSON.stringify(role.grants);
+      if (existingGrants !== configGrants) {
+        changes.push("grants changed");
+      }
+      const existingInherits = [...(_i = existing.inherits) != null ? _i : []].sort().join(",");
+      const configInherits = [...(_j = role.inherits) != null ? _j : []].sort().join(",");
+      if (existingInherits !== configInherits) {
+        changes.push("inherits changed");
+      }
+      if (changes.length > 0) {
+        roleOps.push({ type: "update", key, role, existing, changes });
+      }
+    }
+    serverRoleByKey.delete(key);
+  }
+  for (const [key, role] of serverRoleByKey) {
+    if (renameMap.has(key)) continue;
+    if (role.isActive) {
+      const members = (_k = memberCounts[role.id]) != null ? _k : 0;
+      if (members > 0) hasDestructive = true;
+      roleOps.push({ type: "archive", key, existing: role, assignedMembers: members });
+    }
+  }
+  const serverConditionByKey = /* @__PURE__ */ new Map();
+  for (const cond of server.conditions) {
+    serverConditionByKey.set(cond.key, cond);
+  }
+  if (config.conditions) {
+    for (const [key, condFn] of Object.entries(config.conditions)) {
+      const existing = serverConditionByKey.get(key);
+      const newHash = hashConditionSource(condFn);
+      if (!existing) {
+        conditionOps.push({ type: "create", key });
+      } else {
+        if (existing.sourceHash !== newHash) {
+          conditionOps.push({ type: "update", key, changes: ["source changed"] });
+        }
+      }
+      serverConditionByKey.delete(key);
+    }
+  }
+  for (const [key, cond] of serverConditionByKey) {
+    if (cond.isActive) {
+      conditionOps.push({ type: "archive", key, existing: cond });
+    }
+  }
+  return { resourceOps, roleOps, conditionOps, hasDestructive };
+}
+// src/formatter.ts
+var import_chalk = __toESM(require("chalk"), 1);
+function formatRbacDiff(diff, dryRun) {
+  const lines = [];
+  if (dryRun) {
+    lines.push(
+      import_chalk.default.bold("AuthGate RBAC Sync \u2014 DRY RUN") + import_chalk.default.dim(" (use --apply to execute)")
+    );
+  } else {
+    lines.push(import_chalk.default.bold("AuthGate RBAC Sync \u2014 APPLYING CHANGES"));
+  }
+  lines.push("");
+  const totalOps = diff.resourceOps.length + diff.roleOps.length + diff.conditionOps.length;
+  if (totalOps === 0) {
+    lines.push(import_chalk.default.green("  Everything is in sync. No changes needed."));
+    return lines.join("\n");
+  }
+  if (diff.resourceOps.length > 0) {
+    lines.push(import_chalk.default.bold.underline("  Resources"));
+    lines.push("");
+    for (const op of diff.resourceOps) {
+      if (op.type === "create") {
+        lines.push(import_chalk.default.green(`  + CREATE resource "${op.key}"`));
+        lines.push(
+          import_chalk.default.dim(`    actions: [${[...op.resource.actions].join(", ")}]`)
+        );
+        if (op.resource.scopes && op.resource.scopes.length > 0) {
+          lines.push(
+            import_chalk.default.dim(`    scopes: [${[...op.resource.scopes].join(", ")}]`)
+          );
+        }
+      } else if (op.type === "update") {
+        lines.push(import_chalk.default.yellow(`  ~ UPDATE resource "${op.key}"`));
+        for (const change of op.changes) {
+          lines.push(import_chalk.default.yellow(`    ${change}`));
+        }
+      } else if (op.type === "archive") {
+        lines.push(import_chalk.default.red(`  - ARCHIVE resource "${op.key}"`));
+      }
+    }
+    lines.push("");
+  }
+  if (diff.roleOps.length > 0) {
+    lines.push(import_chalk.default.bold.underline("  Roles"));
+    lines.push("");
+    for (const op of diff.roleOps) {
+      if (op.type === "create") {
+        lines.push(import_chalk.default.green(`  + CREATE role "${op.key}"`));
+        if (op.role.description) {
+          lines.push(import_chalk.default.dim(`    ${op.role.description}`));
+        }
+        if (op.role.inherits && op.role.inherits.length > 0) {
+          lines.push(
+            import_chalk.default.dim(`    inherits: [${[...op.role.inherits].join(", ")}]`)
+          );
+        }
+      } else if (op.type === "update") {
+        lines.push(import_chalk.default.yellow(`  ~ UPDATE role "${op.key}"`));
+        for (const change of op.changes) {
+          lines.push(import_chalk.default.yellow(`    ${change}`));
+        }
+      } else if (op.type === "archive") {
+        lines.push(import_chalk.default.red(`  - ARCHIVE role "${op.key}"`));
+        if (op.assignedMembers > 0) {
+          lines.push(
+            import_chalk.default.red.bold(
+              `    WARNING: ${op.assignedMembers} assigned member${op.assignedMembers > 1 ? "s" : ""} will lose this role`
+            )
+          );
+        }
+      } else if (op.type === "rename") {
+        lines.push(
+          import_chalk.default.cyan(`  ~ RENAME role "${op.oldKey}" -> "${op.key}"`)
+        );
+        if (op.assignedMembers > 0) {
+          lines.push(
+            import_chalk.default.dim(
+              `    ${op.assignedMembers} member${op.assignedMembers > 1 ? "s" : ""} preserved`
+            )
+          );
+        }
+      }
+    }
+    lines.push("");
+  }
+  if (diff.conditionOps.length > 0) {
+    lines.push(import_chalk.default.bold.underline("  Conditions"));
+    lines.push("");
+    for (const op of diff.conditionOps) {
+      if (op.type === "create") {
+        lines.push(import_chalk.default.green(`  + CREATE condition "${op.key}"`));
+      } else if (op.type === "update") {
+        lines.push(import_chalk.default.yellow(`  ~ UPDATE condition "${op.key}"`));
+        for (const change of op.changes) {
+          lines.push(import_chalk.default.yellow(`    ${change}`));
+        }
+      } else if (op.type === "archive") {
+        lines.push(import_chalk.default.red(`  - ARCHIVE condition "${op.key}"`));
+      }
+    }
+    lines.push("");
+  }
+  const allOps = [
+    ...diff.resourceOps.map((o) => o.type),
+    ...diff.roleOps.map((o) => o.type),
+    ...diff.conditionOps.map((o) => o.type)
+  ];
+  const creates = allOps.filter((t) => t === "create").length;
+  const updates = allOps.filter((t) => t === "update").length;
+  const renames = allOps.filter((t) => t === "rename").length;
+  const archives = allOps.filter((t) => t === "archive").length;
+  lines.push(
+    import_chalk.default.dim(
+      `  Summary: ${creates} create, ${updates} update, ${renames} rename, ${archives} archive.`
+    ) + (dryRun ? import_chalk.default.dim(" Run with --apply to execute.") : "")
+  );
+  if (diff.hasDestructive && dryRun) {
+    lines.push(
+      import_chalk.default.red.bold(
+        "\n  WARNING: Destructive changes detected (roles with assigned members)."
+      ) + import_chalk.default.red(" Use --apply --force to proceed.")
+    );
+  }
+  return lines.join("\n");
+}
+// src/sync.ts
+var RbacSyncClient = class {
+  constructor(config) {
+    this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.apiKey = config.apiKey;
+  }
+  async request(method, path, body) {
+    var _a, _b;
+    const url = `${this.baseUrl}${path}`;
+    const headers = {
+      Authorization: `Bearer ${this.apiKey}`,
+      "Content-Type": "application/json"
+    };
+    const res = await fetch(url, {
+      method,
+      headers,
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      let message;
+      try {
+        const json = JSON.parse(text);
+        message = (_b = (_a = json.error) != null ? _a : json.message) != null ? _b : text;
+      } catch (e) {
+        message = text;
+      }
+      throw new Error(`API error (${res.status}): ${message}`);
+    }
+    return res.json();
+  }
+  async getState() {
+    return this.request("GET", "/api/v1/rbac/sync/state");
+  }
+  async getMemberCounts() {
+    return this.request(
+      "GET",
+      "/api/v1/rbac/sync/member-counts"
+    );
+  }
+  async apply(config, force) {
+    return this.request("POST", "/api/v1/rbac/sync/apply", {
+      resources: config.resources,
+      roles: config.roles,
+      conditions: config.conditions ? Object.fromEntries(
+        Object.entries(config.conditions).map(([k]) => [k, { key: k }])
+      ) : void 0,
+      force
+    });
+  }
+};
+// src/cli.ts
+var import_chalk2 = __toESM(require("chalk"), 1);
+var import_fs2 = require("fs");
+var import_path2 = require("path");
+var HELP = `
+Usage: @auth-gate/rbac <command> [options]
+Commands:
+  sync          Preview or apply RBAC config changes
+  init          Create a starter authgate.rbac.ts config file
+  check         Validate config locally (no server round-trip)
+Options (sync):
+  --apply       Apply changes (default: dry-run only)
+  --force       Allow archiving roles with assigned members
+  --strict      Treat warnings as errors (recommended for CI/CD)
+  --json        Output diff as JSON
+Environment:
+  AUTHGATE_API_KEY    Your project API key (required for sync)
+  AUTHGATE_BASE_URL   AuthGate instance URL (required for sync)
+`;
+async function main() {
+  const args = process.argv.slice(2);
+  const command = args[0];
+  if (!command || command === "--help" || command === "-h") {
+    console.log(HELP);
+    process.exit(0);
+  }
+  if (command === "init") {
+    await runInit();
+    return;
+  }
+  if (command === "check") {
+    await runCheck();
+    return;
+  }
+  if (command === "sync") {
+    const apply = args.includes("--apply");
+    const force = args.includes("--force");
+    const strict = args.includes("--strict");
+    const json = args.includes("--json");
+    await runSync({ apply, force, strict, json });
+    return;
+  }
+  console.error(import_chalk2.default.red(`Unknown command: ${command}`));
+  console.log(HELP);
+  process.exit(1);
+}
+async function runInit() {
+  const configPath = (0, import_path2.resolve)(process.cwd(), "authgate.rbac.ts");
+  if ((0, import_fs2.existsSync)(configPath)) {
+    console.error(import_chalk2.default.yellow(`Config file already exists: ${configPath}`));
+    process.exit(1);
+  }
+  const template = `import { defineRbac } from "@auth-gate/rbac";
+/**
+ * RBAC config \u2014 resource/role/permission keys provide full IDE autocomplete.
+ *
+ * Sync: npx @auth-gate/rbac sync --apply
+ */
+export const rbac = defineRbac({
+  resources: {
+    documents: { actions: ["read", "write", "delete", "share"] },
+    billing:   { actions: ["read", "manage"] },
+    members:   { actions: ["invite", "remove", "update_role"] },
+  },
+  roles: {
+    admin: {
+      name: "Administrator",
+      grants: {
+        documents: { read: true, write: true, delete: true, share: true },
+        billing:   { read: true, manage: true },
+        members:   { invite: true, remove: true, update_role: true },
+      },
+    },
+    editor: {
+      name: "Editor",
+      grants: {
+        documents: { read: true, write: true },
+        billing:   { read: true },
+      },
+    },
+    viewer: {
+      name: "Viewer",
+      grants: {
+        documents: { read: true },
+      },
+    },
+  },
+});
+// Default export for CLI compatibility
+export default rbac;
+`;
+  (0, import_fs2.writeFileSync)(configPath, template, "utf-8");
+  console.log(import_chalk2.default.green(`Created ${configPath}`));
+  console.log(import_chalk2.default.dim("Edit your resources and roles, then run: npx @auth-gate/rbac sync"));
+}
+async function runCheck() {
+  let config;
+  try {
+    config = await loadRbacConfig(process.cwd());
+  } catch (err) {
+    console.error(import_chalk2.default.red(`Config error: ${err.message}`));
+    process.exit(1);
+  }
+  const resourceCount = Object.keys(config.resources).length;
+  const roleCount = Object.keys(config.roles).length;
+  let permCount = 0;
+  for (const resource of Object.values(config.resources)) {
+    permCount += resource.actions.length;
+  }
+  console.log(import_chalk2.default.green("Config valid!"));
+  console.log(import_chalk2.default.dim(`${resourceCount} resource${resourceCount > 1 ? "s" : ""}, ${roleCount} role${roleCount > 1 ? "s" : ""}, ${permCount} permission${permCount > 1 ? "s" : ""}`));
+}
+async function runSync(opts) {
+  const apiKey = process.env.AUTHGATE_API_KEY;
+  const baseUrl = process.env.AUTHGATE_BASE_URL;
+  if (!apiKey) {
+    console.error(import_chalk2.default.red("Missing AUTHGATE_API_KEY environment variable."));
+    process.exit(1);
+  }
+  if (!baseUrl) {
+    console.error(import_chalk2.default.red("Missing AUTHGATE_BASE_URL environment variable."));
+    process.exit(1);
+  }
+  let config;
+  try {
+    config = await loadRbacConfig(process.cwd());
+  } catch (err) {
+    console.error(import_chalk2.default.red(`Config error: ${err.message}`));
+    process.exit(1);
+  }
+  const resourceCount = Object.keys(config.resources).length;
+  const roleCount = Object.keys(config.roles).length;
+  console.log(import_chalk2.default.dim(`Loaded config: ${resourceCount} resource${resourceCount > 1 ? "s" : ""}, ${roleCount} role${roleCount > 1 ? "s" : ""}`));
+  const client = new RbacSyncClient({ baseUrl, apiKey });
+  let serverState;
+  let memberCounts;
+  try {
+    [serverState, memberCounts] = await Promise.all([
+      client.getState(),
+      client.getMemberCounts()
+    ]);
+  } catch (err) {
+    console.error(import_chalk2.default.red(`Failed to fetch server state: ${err.message}`));
+    process.exit(1);
+  }
+  const diff = computeRbacDiff(config, serverState, memberCounts);
+  if (opts.json) {
+    console.log(JSON.stringify({
+      dryRun: !opts.apply,
+      resourceOps: diff.resourceOps.map((op) => ({ type: op.type, key: op.key })),
+      roleOps: diff.roleOps.map((op) => __spreadValues(__spreadValues({
+        type: op.type,
+        key: op.key
+      }, op.type === "rename" ? { oldKey: op.oldKey } : {}), op.type === "archive" ? { assignedMembers: op.assignedMembers } : {})),
+      conditionOps: diff.conditionOps.map((op) => ({ type: op.type, key: op.key })),
+      hasDestructive: diff.hasDestructive
+    }, null, 2));
+    process.exit(diff.hasDestructive && opts.strict ? 1 : 0);
+  }
+  console.log("");
+  console.log(formatRbacDiff(diff, !opts.apply));
+  if (!opts.apply) {
+    if (opts.strict && diff.hasDestructive) {
+      console.error(import_chalk2.default.red.bold("\n  --strict: destructive changes detected. Failing."));
+      process.exit(1);
+    }
+    process.exit(0);
+  }
+  if (diff.hasDestructive && !opts.force) {
+    console.error(import_chalk2.default.red("\nDestructive changes require --force flag."));
+    process.exit(1);
+  }
+  const totalOps = diff.resourceOps.length + diff.roleOps.length + diff.conditionOps.length;
+  if (totalOps === 0) {
+    process.exit(0);
+  }
+  try {
+    console.log("");
+    const result = await client.apply(config, opts.force);
+    console.log(import_chalk2.default.green.bold("Sync complete!"));
+    if (result.created.length) console.log(import_chalk2.default.green(`  Created: ${result.created.join(", ")}`));
+    if (result.updated.length) console.log(import_chalk2.default.yellow(`  Updated: ${result.updated.join(", ")}`));
+    if (result.renamed.length) console.log(import_chalk2.default.cyan(`  Renamed: ${result.renamed.join(", ")}`));
+    if (result.archived.length) console.log(import_chalk2.default.red(`  Archived: ${result.archived.join(", ")}`));
+    if (result.warnings.length) {
+      for (const w of result.warnings) {
+        console.log(import_chalk2.default.yellow(`  Warning: ${w}`));
+      }
+      if (opts.strict) {
+        console.error(import_chalk2.default.red.bold(`
+  --strict: ${result.warnings.length} warning${result.warnings.length > 1 ? "s" : ""} treated as errors.`));
+        process.exit(1);
+      }
+    }
+  } catch (err) {
+    console.error(import_chalk2.default.red(`Sync failed: ${err.message}`));
+    process.exit(1);
+  }
+}
+main().catch((err) => {
+  console.error(import_chalk2.default.red(err.message));
+  process.exit(1);
+});