@auth-gate/rbac 0.8.1 → 0.9.1

package/dist/{chunk-5YEMXO7B.mjs → chunk-5CSBBETH.mjs}

@@ -150,6 +150,21 @@ function validateRbacConfig(config) {
       }
     }
   }
+  const defaultRoles = [];
+  for (const key of roleKeys) {
+    const role = roles[key];
+    if (role.isDefault !== void 0 && typeof role.isDefault !== "boolean") {
+      throw new Error(`Role "${key}".isDefault must be a boolean.`);
+    }
+    if (role.isDefault === true) {
+      defaultRoles.push(key);
+    }
+  }
+  if (defaultRoles.length > 1) {
+    throw new Error(
+      `Only one role may have isDefault: true. Found ${defaultRoles.length}: ${defaultRoles.join(", ")}.`
+    );
+  }
   for (const key of roleKeys) {
     const role = roles[key];
     if (role.inherits !== void 0) {
@@ -258,7 +273,6 @@ var CONFIG_FILENAMES = [
   "authgate.rbac.mjs"
 ];
 async function loadRbacConfig(cwd) {
-  var _a, _b;
   let configPath = null;
   for (const filename of CONFIG_FILENAMES) {
     const candidate = resolve(cwd, filename);
@@ -273,8 +287,12 @@ async function loadRbacConfig(cwd) {
 Run \`npx @auth-gate/rbac init\` to create one.`
     );
   }
+  return loadRbacConfigFromPath(configPath, cwd);
+}
+async function loadRbacConfigFromPath(configPath, cwd) {
+  var _a, _b;
   const { createJiti } = await import("jiti");
-  const jiti = createJiti(cwd, { interopDefault: true });
+  const jiti = createJiti(cwd != null ? cwd : process.cwd(), { interopDefault: true });
   const mod = await jiti.import(configPath);
   const raw = (_b = (_a = mod.default) != null ? _a : mod.rbac) != null ? _b : mod;
   const config = raw && typeof raw === "object" && "_config" in raw ? raw._config : raw;
@@ -302,7 +320,7 @@ function hashConditionSource(fn) {
   return createHash("sha256").update(fn.toString()).digest("hex").slice(0, 16);
 }
 function computeRbacDiff(config, server, memberCounts) {
-  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l;
+  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m, _n;
   const resourceOps = [];
   const roleOps = [];
   const conditionOps = [];
@@ -393,6 +411,11 @@ function computeRbacDiff(config, server, memberCounts) {
       if (existingInherits !== configInherits) {
         changes.push("inherits changed");
       }
+      const existingDefault = (_l = existing.isDefault) != null ? _l : false;
+      const configDefault = (_m = role.isDefault) != null ? _m : false;
+      if (existingDefault !== configDefault) {
+        changes.push(`isDefault: ${existingDefault} -> ${configDefault}`);
+      }
       if (changes.length > 0) {
         roleOps.push({ type: "update", key, role, existing, changes });
       }
@@ -402,7 +425,7 @@ function computeRbacDiff(config, server, memberCounts) {
   for (const [key, role] of serverRoleByKey) {
     if (renameMap.has(key)) continue;
     if (role.isActive) {
-      const members = (_l = memberCounts[role.configKey]) != null ? _l : 0;
+      const members = (_n = memberCounts[role.configKey]) != null ? _n : 0;
       if (members > 0) hasDestructive = true;
       roleOps.push({ type: "archive", key, existing: role, assignedMembers: members });
     }
@@ -489,6 +512,9 @@ function formatRbacDiff(diff, dryRun) {
             chalk.dim(`    inherits: [${[...op.role.inherits].join(", ")}]`)
           );
         }
+        if (op.role.isDefault) {
+          lines.push(chalk.dim(`    isDefault: true`));
+        }
       } else if (op.type === "update") {
         lines.push(chalk.yellow(`  ~ UPDATE role "${op.key}"`));
         for (const change of op.changes) {
@@ -626,6 +652,7 @@ export {
   __spreadValues,
   validateRbacConfig,
   loadRbacConfig,
+  loadRbacConfigFromPath,
   hashConditionSource,
   computeRbacDiff,
   formatRbacDiff,

package/dist/cli.cjs

@@ -170,6 +170,21 @@ function validateRbacConfig(config) {
       }
     }
   }
+  const defaultRoles = [];
+  for (const key of roleKeys) {
+    const role = roles[key];
+    if (role.isDefault !== void 0 && typeof role.isDefault !== "boolean") {
+      throw new Error(`Role "${key}".isDefault must be a boolean.`);
+    }
+    if (role.isDefault === true) {
+      defaultRoles.push(key);
+    }
+  }
+  if (defaultRoles.length > 1) {
+    throw new Error(
+      `Only one role may have isDefault: true. Found ${defaultRoles.length}: ${defaultRoles.join(", ")}.`
+    );
+  }
   for (const key of roleKeys) {
     const role = roles[key];
     if (role.inherits !== void 0) {
@@ -276,7 +291,6 @@ var CONFIG_FILENAMES = [
   "authgate.rbac.mjs"
 ];
 async function loadRbacConfig(cwd) {
-  var _a, _b;
   let configPath = null;
   for (const filename of CONFIG_FILENAMES) {
     const candidate = (0, import_path.resolve)(cwd, filename);
@@ -291,8 +305,12 @@ async function loadRbacConfig(cwd) {
 Run \`npx @auth-gate/rbac init\` to create one.`
     );
   }
+  return loadRbacConfigFromPath(configPath, cwd);
+}
+async function loadRbacConfigFromPath(configPath, cwd) {
+  var _a, _b;
   const { createJiti } = await import("jiti");
-  const jiti = createJiti(cwd, { interopDefault: true });
+  const jiti = createJiti(cwd != null ? cwd : process.cwd(), { interopDefault: true });
   const mod = await jiti.import(configPath);
   const raw = (_b = (_a = mod.default) != null ? _a : mod.rbac) != null ? _b : mod;
   const config = raw && typeof raw === "object" && "_config" in raw ? raw._config : raw;
@@ -320,7 +338,7 @@ function hashConditionSource(fn) {
   return createHash("sha256").update(fn.toString()).digest("hex").slice(0, 16);
 }
 function computeRbacDiff(config, server, memberCounts) {
-  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l;
+  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m, _n;
   const resourceOps = [];
   const roleOps = [];
   const conditionOps = [];
@@ -411,6 +429,11 @@ function computeRbacDiff(config, server, memberCounts) {
       if (existingInherits !== configInherits) {
         changes.push("inherits changed");
       }
+      const existingDefault = (_l = existing.isDefault) != null ? _l : false;
+      const configDefault = (_m = role.isDefault) != null ? _m : false;
+      if (existingDefault !== configDefault) {
+        changes.push(`isDefault: ${existingDefault} -> ${configDefault}`);
+      }
       if (changes.length > 0) {
         roleOps.push({ type: "update", key, role, existing, changes });
       }
@@ -420,7 +443,7 @@ function computeRbacDiff(config, server, memberCounts) {
   for (const [key, role] of serverRoleByKey) {
     if (renameMap.has(key)) continue;
     if (role.isActive) {
-      const members = (_l = memberCounts[role.configKey]) != null ? _l : 0;
+      const members = (_n = memberCounts[role.configKey]) != null ? _n : 0;
       if (members > 0) hasDestructive = true;
       roleOps.push({ type: "archive", key, existing: role, assignedMembers: members });
     }
@@ -507,6 +530,9 @@ function formatRbacDiff(diff, dryRun) {
             import_chalk.default.dim(`    inherits: [${[...op.role.inherits].join(", ")}]`)
           );
         }
+        if (op.role.isDefault) {
+          lines.push(import_chalk.default.dim(`    isDefault: true`));
+        }
       } else if (op.type === "update") {
         lines.push(import_chalk.default.yellow(`  ~ UPDATE role "${op.key}"`));
         for (const change of op.changes) {
@@ -640,10 +666,76 @@ var RbacSyncClient = class {
   }
 };
 
+// src/project-config-loader.ts
+var import_path2 = require("path");
+var import_fs2 = require("fs");
+var CONFIG_FILENAMES2 = [
+  "authgate.config.ts",
+  "authgate.config.js",
+  "authgate.config.mjs"
+];
+var AUTO_ENV_FILES = [".env", ".env.local"];
+async function resolveProjectConfig(cwd) {
+  var _a, _b, _c;
+  await autoLoadEnvFiles(cwd);
+  const config = await loadProjectConfigFile(cwd);
+  if (!config) {
+    return {
+      connection: {
+        baseUrl: process.env.AUTHGATE_BASE_URL,
+        apiKey: process.env.AUTHGATE_API_KEY
+      },
+      rbacConfigPath: null,
+      billingConfigPath: null
+    };
+  }
+  const rawConnection = (_a = config.connection) != null ? _a : {};
+  const connection = {
+    baseUrl: (_b = rawConnection.baseUrl) != null ? _b : process.env.AUTHGATE_BASE_URL,
+    apiKey: (_c = rawConnection.apiKey) != null ? _c : process.env.AUTHGATE_API_KEY
+  };
+  return {
+    connection,
+    rbacConfigPath: config.rbacConfig ? (0, import_path2.resolve)(cwd, config.rbacConfig) : null,
+    billingConfigPath: config.billingConfig ? (0, import_path2.resolve)(cwd, config.billingConfig) : null
+  };
+}
+async function loadProjectConfigFile(cwd) {
+  var _a;
+  let configPath = null;
+  for (const filename of CONFIG_FILENAMES2) {
+    const candidate = (0, import_path2.resolve)(cwd, filename);
+    if ((0, import_fs2.existsSync)(candidate)) {
+      configPath = candidate;
+      break;
+    }
+  }
+  if (!configPath) return null;
+  const { createJiti } = await import("jiti");
+  const jiti = createJiti(cwd, { interopDefault: true });
+  const mod = await jiti.import(configPath);
+  const config = (_a = mod.default) != null ? _a : mod;
+  return config;
+}
+async function autoLoadEnvFiles(cwd) {
+  let dotenv;
+  try {
+    dotenv = await import("dotenv");
+  } catch (e) {
+    return;
+  }
+  for (const file of AUTO_ENV_FILES) {
+    const filePath = (0, import_path2.resolve)(cwd, file);
+    if ((0, import_fs2.existsSync)(filePath)) {
+      dotenv.config({ path: filePath });
+    }
+  }
+}
+
 // src/cli.ts
 var import_chalk2 = __toESM(require("chalk"), 1);
-var import_fs2 = require("fs");
-var import_path2 = require("path");
+var import_fs3 = require("fs");
+var import_path3 = require("path");
 var HELP = `
 Usage: @auth-gate/rbac <command> [options]
 
@@ -658,7 +750,14 @@ Options (sync):
   --strict      Treat warnings as errors (recommended for CI/CD)
   --json        Output diff as JSON
 
-Environment:
+Options (init):
+  --config      Generate a starter authgate.config.ts instead
+
+Config file:
+  If authgate.config.ts exists, env vars and connection details are
+  loaded from it automatically. See defineConfig() for the API.
+
+Environment (when no authgate.config.ts):
   AUTHGATE_API_KEY    Your project API key (required for sync)
   AUTHGATE_BASE_URL   AuthGate instance URL (required for sync)
 `;
@@ -670,7 +769,8 @@ async function main() {
     process.exit(0);
   }
   if (command === "init") {
-    await runInit();
+    const configFlag = args.includes("--config");
+    await runInit({ config: configFlag });
     return;
   }
   if (command === "check") {
@@ -689,9 +789,29 @@ async function main() {
   console.log(HELP);
   process.exit(1);
 }
-async function runInit() {
-  const configPath = (0, import_path2.resolve)(process.cwd(), "authgate.rbac.ts");
-  if ((0, import_fs2.existsSync)(configPath)) {
+async function runInit(opts) {
+  if (opts.config) {
+    const configPath2 = (0, import_path3.resolve)(process.cwd(), "authgate.config.ts");
+    if ((0, import_fs3.existsSync)(configPath2)) {
+      console.error(import_chalk2.default.yellow(`Config file already exists: ${configPath2}`));
+      process.exit(1);
+    }
+    const template2 = `import { defineConfig } from "@auth-gate/core";
+
+export default defineConfig({
+  connection: {
+    baseUrl: process.env.AUTHGATE_URL,
+    apiKey: process.env.AUTHGATE_API_KEY,
+  },
+});
+`;
+    (0, import_fs3.writeFileSync)(configPath2, template2, "utf-8");
+    console.log(import_chalk2.default.green(`Created ${configPath2}`));
+    console.log(import_chalk2.default.dim("Edit connection details, then run: npx @auth-gate/rbac sync"));
+    return;
+  }
+  const configPath = (0, import_path3.resolve)(process.cwd(), "authgate.rbac.ts");
+  if ((0, import_fs3.existsSync)(configPath)) {
     console.error(import_chalk2.default.yellow(`Config file already exists: ${configPath}`));
     process.exit(1);
   }
@@ -726,6 +846,7 @@ export const rbac = defineRbac({
     },
     viewer: {
       name: "Viewer",
+      isDefault: true,
       grants: {
         documents: { read: true },
       },
@@ -736,14 +857,16 @@ export const rbac = defineRbac({
 // Default export for CLI compatibility
 export default rbac;
 `;
-  (0, import_fs2.writeFileSync)(configPath, template, "utf-8");
+  (0, import_fs3.writeFileSync)(configPath, template, "utf-8");
   console.log(import_chalk2.default.green(`Created ${configPath}`));
   console.log(import_chalk2.default.dim("Edit your resources and roles, then run: npx @auth-gate/rbac sync"));
 }
 async function runCheck() {
+  const cwd = process.cwd();
+  const projectConfig = await resolveProjectConfig(cwd);
   let config;
   try {
-    config = await loadRbacConfig(process.cwd());
+    config = projectConfig.rbacConfigPath ? await loadRbacConfigFromPath(projectConfig.rbacConfigPath, cwd) : await loadRbacConfig(cwd);
   } catch (err) {
     console.error(import_chalk2.default.red(`Config error: ${err.message}`));
     process.exit(1);
@@ -758,19 +881,24 @@ async function runCheck() {
   console.log(import_chalk2.default.dim(`${resourceCount} resource${resourceCount > 1 ? "s" : ""}, ${roleCount} role${roleCount > 1 ? "s" : ""}, ${permCount} permission${permCount > 1 ? "s" : ""}`));
 }
 async function runSync(opts) {
-  const apiKey = process.env.AUTHGATE_API_KEY;
-  const baseUrl = process.env.AUTHGATE_BASE_URL;
+  const cwd = process.cwd();
+  const projectConfig = await resolveProjectConfig(cwd);
+  const { baseUrl, apiKey } = projectConfig.connection;
   if (!apiKey) {
-    console.error(import_chalk2.default.red("Missing AUTHGATE_API_KEY environment variable."));
+    console.error(import_chalk2.default.red(
+      "Missing API key. Set AUTHGATE_API_KEY or configure connection in authgate.config.ts."
+    ));
     process.exit(1);
   }
   if (!baseUrl) {
-    console.error(import_chalk2.default.red("Missing AUTHGATE_BASE_URL environment variable."));
+    console.error(import_chalk2.default.red(
+      "Missing base URL. Set AUTHGATE_BASE_URL or configure connection in authgate.config.ts."
+    ));
     process.exit(1);
   }
   let config;
   try {
-    config = await loadRbacConfig(process.cwd());
+    config = projectConfig.rbacConfigPath ? await loadRbacConfigFromPath(projectConfig.rbacConfigPath, cwd) : await loadRbacConfig(cwd);
   } catch (err) {
     console.error(import_chalk2.default.red(`Config error: ${err.message}`));
     process.exit(1);

package/dist/cli.mjs

@@ -4,13 +4,80 @@ import {
   __spreadValues,
   computeRbacDiff,
   formatRbacDiff,
-  loadRbacConfig
-} from "./chunk-5YEMXO7B.mjs";
+  loadRbacConfig,
+  loadRbacConfigFromPath
+} from "./chunk-5CSBBETH.mjs";
+
+// src/project-config-loader.ts
+import { resolve } from "path";
+import { existsSync } from "fs";
+var CONFIG_FILENAMES = [
+  "authgate.config.ts",
+  "authgate.config.js",
+  "authgate.config.mjs"
+];
+var AUTO_ENV_FILES = [".env", ".env.local"];
+async function resolveProjectConfig(cwd) {
+  var _a, _b, _c;
+  await autoLoadEnvFiles(cwd);
+  const config = await loadProjectConfigFile(cwd);
+  if (!config) {
+    return {
+      connection: {
+        baseUrl: process.env.AUTHGATE_BASE_URL,
+        apiKey: process.env.AUTHGATE_API_KEY
+      },
+      rbacConfigPath: null,
+      billingConfigPath: null
+    };
+  }
+  const rawConnection = (_a = config.connection) != null ? _a : {};
+  const connection = {
+    baseUrl: (_b = rawConnection.baseUrl) != null ? _b : process.env.AUTHGATE_BASE_URL,
+    apiKey: (_c = rawConnection.apiKey) != null ? _c : process.env.AUTHGATE_API_KEY
+  };
+  return {
+    connection,
+    rbacConfigPath: config.rbacConfig ? resolve(cwd, config.rbacConfig) : null,
+    billingConfigPath: config.billingConfig ? resolve(cwd, config.billingConfig) : null
+  };
+}
+async function loadProjectConfigFile(cwd) {
+  var _a;
+  let configPath = null;
+  for (const filename of CONFIG_FILENAMES) {
+    const candidate = resolve(cwd, filename);
+    if (existsSync(candidate)) {
+      configPath = candidate;
+      break;
+    }
+  }
+  if (!configPath) return null;
+  const { createJiti } = await import("jiti");
+  const jiti = createJiti(cwd, { interopDefault: true });
+  const mod = await jiti.import(configPath);
+  const config = (_a = mod.default) != null ? _a : mod;
+  return config;
+}
+async function autoLoadEnvFiles(cwd) {
+  let dotenv;
+  try {
+    dotenv = await import("dotenv");
+  } catch (e) {
+    return;
+  }
+  for (const file of AUTO_ENV_FILES) {
+    const filePath = resolve(cwd, file);
+    if (existsSync(filePath)) {
+      dotenv.config({ path: filePath });
+    }
+  }
+}
 
 // src/cli.ts
 import chalk from "chalk";
-import { writeFileSync, existsSync } from "fs";
-import { resolve } from "path";
+import { writeFileSync, existsSync as existsSync2 } from "fs";
+import { resolve as resolve2 } from "path";
 var HELP = `
 Usage: @auth-gate/rbac <command> [options]
 
@@ -25,7 +92,14 @@ Options (sync):
   --strict      Treat warnings as errors (recommended for CI/CD)
   --json        Output diff as JSON
 
-Environment:
+Options (init):
+  --config      Generate a starter authgate.config.ts instead
+
+Config file:
+  If authgate.config.ts exists, env vars and connection details are
+  loaded from it automatically. See defineConfig() for the API.
+
+Environment (when no authgate.config.ts):
   AUTHGATE_API_KEY    Your project API key (required for sync)
   AUTHGATE_BASE_URL   AuthGate instance URL (required for sync)
 `;
@@ -37,7 +111,8 @@ async function main() {
     process.exit(0);
   }
   if (command === "init") {
-    await runInit();
+    const configFlag = args.includes("--config");
+    await runInit({ config: configFlag });
     return;
   }
   if (command === "check") {
@@ -56,9 +131,29 @@ async function main() {
   console.log(HELP);
   process.exit(1);
 }
-async function runInit() {
-  const configPath = resolve(process.cwd(), "authgate.rbac.ts");
-  if (existsSync(configPath)) {
+async function runInit(opts) {
+  if (opts.config) {
+    const configPath2 = resolve2(process.cwd(), "authgate.config.ts");
+    if (existsSync2(configPath2)) {
+      console.error(chalk.yellow(`Config file already exists: ${configPath2}`));
+      process.exit(1);
+    }
+    const template2 = `import { defineConfig } from "@auth-gate/core";
+
+export default defineConfig({
+  connection: {
+    baseUrl: process.env.AUTHGATE_URL,
+    apiKey: process.env.AUTHGATE_API_KEY,
+  },
+});
+`;
+    writeFileSync(configPath2, template2, "utf-8");
+    console.log(chalk.green(`Created ${configPath2}`));
+    console.log(chalk.dim("Edit connection details, then run: npx @auth-gate/rbac sync"));
+    return;
+  }
+  const configPath = resolve2(process.cwd(), "authgate.rbac.ts");
+  if (existsSync2(configPath)) {
     console.error(chalk.yellow(`Config file already exists: ${configPath}`));
     process.exit(1);
   }
@@ -93,6 +188,7 @@ export const rbac = defineRbac({
     },
     viewer: {
       name: "Viewer",
+      isDefault: true,
       grants: {
         documents: { read: true },
       },
@@ -108,9 +204,11 @@ export default rbac;
   console.log(chalk.dim("Edit your resources and roles, then run: npx @auth-gate/rbac sync"));
 }
 async function runCheck() {
+  const cwd = process.cwd();
+  const projectConfig = await resolveProjectConfig(cwd);
   let config;
   try {
-    config = await loadRbacConfig(process.cwd());
+    config = projectConfig.rbacConfigPath ? await loadRbacConfigFromPath(projectConfig.rbacConfigPath, cwd) : await loadRbacConfig(cwd);
   } catch (err) {
     console.error(chalk.red(`Config error: ${err.message}`));
     process.exit(1);
@@ -125,19 +223,24 @@ async function runCheck() {
   console.log(chalk.dim(`${resourceCount} resource${resourceCount > 1 ? "s" : ""}, ${roleCount} role${roleCount > 1 ? "s" : ""}, ${permCount} permission${permCount > 1 ? "s" : ""}`));
 }
 async function runSync(opts) {
-  const apiKey = process.env.AUTHGATE_API_KEY;
-  const baseUrl = process.env.AUTHGATE_BASE_URL;
+  const cwd = process.cwd();
+  const projectConfig = await resolveProjectConfig(cwd);
+  const { baseUrl, apiKey } = projectConfig.connection;
   if (!apiKey) {
-    console.error(chalk.red("Missing AUTHGATE_API_KEY environment variable."));
+    console.error(chalk.red(
+      "Missing API key. Set AUTHGATE_API_KEY or configure connection in authgate.config.ts."
+    ));
     process.exit(1);
   }
   if (!baseUrl) {
-    console.error(chalk.red("Missing AUTHGATE_BASE_URL environment variable."));
+    console.error(chalk.red(
+      "Missing base URL. Set AUTHGATE_BASE_URL or configure connection in authgate.config.ts."
+    ));
     process.exit(1);
   }
   let config;
   try {
-    config = await loadRbacConfig(process.cwd());
+    config = projectConfig.rbacConfigPath ? await loadRbacConfigFromPath(projectConfig.rbacConfigPath, cwd) : await loadRbacConfig(cwd);
   } catch (err) {
     console.error(chalk.red(`Config error: ${err.message}`));
     process.exit(1);

package/dist/index.cjs

@@ -32,10 +32,13 @@ var index_exports = {};
 __export(index_exports, {
   RbacSyncClient: () => RbacSyncClient,
   computeRbacDiff: () => computeRbacDiff,
+  createRoleManagement: () => createRoleManagement,
+  defineConfig: () => import_core.defineConfig,
   defineRbac: () => defineRbac,
   formatRbacDiff: () => formatRbacDiff,
   hashConditionSource: () => hashConditionSource,
   loadRbacConfig: () => loadRbacConfig,
+  loadRbacConfigFromPath: () => loadRbacConfigFromPath,
   validateRbacConfig: () => validateRbacConfig
 });
 module.exports = __toCommonJS(index_exports);
@@ -169,6 +172,21 @@ function validateRbacConfig(config) {
       }
     }
   }
+  const defaultRoles = [];
+  for (const key of roleKeys) {
+    const role = roles[key];
+    if (role.isDefault !== void 0 && typeof role.isDefault !== "boolean") {
+      throw new Error(`Role "${key}".isDefault must be a boolean.`);
+    }
+    if (role.isDefault === true) {
+      defaultRoles.push(key);
+    }
+  }
+  if (defaultRoles.length > 1) {
+    throw new Error(
+      `Only one role may have isDefault: true. Found ${defaultRoles.length}: ${defaultRoles.join(", ")}.`
+    );
+  }
   for (const key of roleKeys) {
     const role = roles[key];
     if (role.inherits !== void 0) {
@@ -277,7 +295,6 @@ var CONFIG_FILENAMES = [
   "authgate.rbac.mjs"
 ];
 async function loadRbacConfig(cwd) {
-  var _a, _b;
   let configPath = null;
   for (const filename of CONFIG_FILENAMES) {
     const candidate = (0, import_path.resolve)(cwd, filename);
@@ -292,8 +309,12 @@ async function loadRbacConfig(cwd) {
 Run \`npx @auth-gate/rbac init\` to create one.`
     );
   }
+  return loadRbacConfigFromPath(configPath, cwd);
+}
+async function loadRbacConfigFromPath(configPath, cwd) {
+  var _a, _b;
   const { createJiti } = await import("jiti");
-  const jiti = createJiti(cwd, { interopDefault: true });
+  const jiti = createJiti(cwd != null ? cwd : process.cwd(), { interopDefault: true });
   const mod = await jiti.import(configPath);
   const raw = (_b = (_a = mod.default) != null ? _a : mod.rbac) != null ? _b : mod;
   const config = raw && typeof raw === "object" && "_config" in raw ? raw._config : raw;
@@ -321,7 +342,7 @@ function hashConditionSource(fn) {
   return createHash("sha256").update(fn.toString()).digest("hex").slice(0, 16);
 }
 function computeRbacDiff(config, server, memberCounts) {
-  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l;
+  var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m, _n;
   const resourceOps = [];
   const roleOps = [];
   const conditionOps = [];
@@ -412,6 +433,11 @@ function computeRbacDiff(config, server, memberCounts) {
       if (existingInherits !== configInherits) {
         changes.push("inherits changed");
       }
+      const existingDefault = (_l = existing.isDefault) != null ? _l : false;
+      const configDefault = (_m = role.isDefault) != null ? _m : false;
+      if (existingDefault !== configDefault) {
+        changes.push(`isDefault: ${existingDefault} -> ${configDefault}`);
+      }
       if (changes.length > 0) {
         roleOps.push({ type: "update", key, role, existing, changes });
       }
@@ -421,7 +447,7 @@ function computeRbacDiff(config, server, memberCounts) {
   for (const [key, role] of serverRoleByKey) {
     if (renameMap.has(key)) continue;
     if (role.isActive) {
-      const members = (_l = memberCounts[role.configKey]) != null ? _l : 0;
+      const members = (_n = memberCounts[role.configKey]) != null ? _n : 0;
       if (members > 0) hasDestructive = true;
       roleOps.push({ type: "archive", key, existing: role, assignedMembers: members });
     }
@@ -571,6 +597,9 @@ function formatRbacDiff(diff, dryRun) {
             import_chalk.default.dim(`    inherits: [${[...op.role.inherits].join(", ")}]`)
           );
         }
+        if (op.role.isDefault) {
+          lines.push(import_chalk.default.dim(`    isDefault: true`));
+        }
       } else if (op.type === "update") {
         lines.push(import_chalk.default.yellow(`  ~ UPDATE role "${op.key}"`));
         for (const change of op.changes) {
@@ -641,8 +670,96 @@ function formatRbacDiff(diff, dryRun) {
   return lines.join("\n");
 }
 
+// src/role-management.ts
+function createRoleManagement(config) {
+  const baseUrl = config.baseUrl.replace(/\/$/, "");
+  const apiKey = config.apiKey;
+  async function request(method, path, body) {
+    var _a, _b;
+    const url = `${baseUrl}${path}`;
+    const headers = {
+      Authorization: `Bearer ${apiKey}`,
+      "Content-Type": "application/json"
+    };
+    const res = await fetch(url, {
+      method,
+      headers,
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      let message;
+      try {
+        const json = JSON.parse(text);
+        message = (_b = (_a = json.error) != null ? _a : json.message) != null ? _b : "Unknown error";
+      } catch (e) {
+        message = text.length > 500 ? text.slice(0, 500) + "..." : text;
+      }
+      if (apiKey) {
+        message = message.replaceAll(apiKey, "[REDACTED]");
+      }
+      throw new Error(`API error (${res.status}): ${message}`);
+    }
+    return res.json();
+  }
+  return {
+    async listRoles() {
+      const result = await request("GET", "/api/v1/roles");
+      return result.data.map(toRole);
+    },
+    async createRole(input) {
+      var _a, _b;
+      const result = await request("POST", "/api/v1/roles", {
+        key: input.key,
+        name: input.name,
+        description: input.description,
+        is_default: (_a = input.isDefault) != null ? _a : false,
+        permissions: (_b = input.permissions) != null ? _b : []
+      });
+      return toRole(result.role);
+    },
+    async updateRole(roleId, input) {
+      const body = {};
+      if (input.name !== void 0) body.name = input.name;
+      if (input.description !== void 0) body.description = input.description;
+      if (input.permissions !== void 0) body.permissions = input.permissions;
+      if (input.isDefault !== void 0) body.is_default = input.isDefault;
+      const result = await request(
+        "PATCH",
+        `/api/v1/roles/${encodeURIComponent(roleId)}`,
+        body
+      );
+      return toRole(result.role);
+    },
+    async deleteRole(roleId) {
+      await request(
+        "DELETE",
+        `/api/v1/roles/${encodeURIComponent(roleId)}`
+      );
+    },
+    async setDefaultRole(roleId) {
+      return this.updateRole(roleId, { isDefault: true });
+    }
+  };
+}
+function toRole(raw) {
+  return {
+    id: raw.id,
+    projectId: raw.project_id,
+    key: raw.key,
+    name: raw.name,
+    description: raw.description,
+    isDefault: raw.is_default,
+    permissions: raw.permissions,
+    createdAt: raw.created_at,
+    updatedAt: raw.updated_at
+  };
+}
+
 // src/index.ts
+var import_core = require("@auth-gate/core");
 function defineRbac(config, opts) {
+  var _a;
   if ((opts == null ? void 0 : opts.validate) !== false) {
     validateRbacConfig(config);
   }
@@ -656,7 +773,7 @@ function defineRbac(config, opts) {
   }
   const roles = {};
   for (const [key, role] of Object.entries(config.roles)) {
-    roles[key] = { key, name: role.name, grants: role.grants };
+    roles[key] = { key, name: role.name, grants: role.grants, isDefault: (_a = role.isDefault) != null ? _a : false };
   }
   const permissions = {};
   for (const [key, resource] of Object.entries(config.resources)) {
@@ -679,9 +796,12 @@ function defineRbac(config, opts) {
 0 && (module.exports = {
   RbacSyncClient,
   computeRbacDiff,
+  createRoleManagement,
+  defineConfig,
   defineRbac,
   formatRbacDiff,
   hashConditionSource,
   loadRbacConfig,
+  loadRbacConfigFromPath,
   validateRbacConfig
 });

package/dist/index.d.cts

@@ -1,3 +1,5 @@
+export { AuthGateConnection, AuthGateProjectConfig, defineConfig } from '@auth-gate/core';
+
 /** A resource definition: declares available actions and optional scopes. */
 interface ResourceConfig {
     actions: readonly string[];
@@ -39,6 +41,8 @@ interface RoleConfig {
     description?: string;
     inherits?: readonly string[];
     grants: Record<string, Record<string, GrantValue>>;
+    /** Mark this role as the default for new org members. Only one role may be default. */
+    isDefault?: boolean;
     /** Previous config key if this role was renamed. */
     renamedFrom?: string;
 }
@@ -80,6 +84,63 @@ type InferScopes<T, Resource extends string> = T extends {
 type InferConditionKeys<T> = T extends {
     conditions: infer C;
 } ? keyof C & string : never;
+/** Extract role keys that have `isDefault: true`. */
+type DefaultRoleKeys<Roles> = {
+    [K in keyof Roles]: Roles[K] extends {
+        isDefault: true;
+    } ? K : never;
+}[keyof Roles];
+type UnionToIntersection<U> = (U extends any ? (k: U) => void : never) extends (k: infer I) => void ? I : never;
+type IsUnion<T> = [T] extends [UnionToIntersection<T>] ? false : true;
+/**
+ * Compile-time constraint: if more than one role has `isDefault: true`,
+ * intersect those roles' `isDefault` with an error string so TypeScript
+ * produces a descriptive message.
+ *
+ * Error reads: Type 'true' is not assignable to type '"ERROR: ..."'.
+ */
+type ValidateSingleDefault<T> = T extends {
+    roles: infer Roles;
+} ? IsUnion<DefaultRoleKeys<Roles>> extends true ? {
+    roles: {
+        [K in DefaultRoleKeys<Roles> & keyof Roles]: {
+            isDefault: "ERROR: Only one role may have isDefault: true";
+        };
+    };
+} : {} : {};
+/** Extract valid action string literals from a resource config. */
+type ValidActions<R> = R extends {
+    actions: readonly (infer U)[];
+} ? U & string : never;
+/**
+ * Compile-time constraint: validates grant resource/action keys against
+ * declared resources at the type level.
+ *
+ * - **Invalid resource key** → descriptive error naming the resource.
+ * - **Invalid action key** → descriptive error listing valid actions.
+ * - **Valid grants** → passes through original types transparently.
+ *
+ * Used as `T & ValidateConfig<T>` in the `defineRbac()` parameter type.
+ *
+ * @note Extra properties on role objects (e.g. `isFakeProp`) are caught
+ * by the runtime `validateRbacConfig()` which runs by default.
+ */
+type ValidateConfig<T> = T extends {
+    resources: infer R extends Record<string, ResourceConfig>;
+    roles: infer Roles;
+} ? {
+    roles: {
+        [RK in keyof Roles]: Roles[RK] extends {
+            grants: infer G;
+        } ? {
+            grants: {
+                [ResK in keyof G]: ResK extends keyof R ? keyof G[ResK] extends ValidActions<R[ResK & keyof R]> ? {
+                    [ActK in keyof G[ResK]]: G[ResK][ActK];
+                } : `ERROR: invalid action(s) in "${ResK & string}" grants. Valid actions: ${ValidActions<R[ResK & keyof R]>}` : `ERROR: resource "${ResK & string}" is not declared in resources`;
+            };
+        } : Roles[RK];
+    };
+} : {};
 /** A structured resource with a `key` constant and an `actions` map of `"resource:action"` strings. */
 type StructuredResource<T, K extends string> = {
     readonly key: K;
@@ -91,7 +152,7 @@ type StructuredResource<T, K extends string> = {
 type StructuredResources<T> = {
     readonly [K in InferResourceKeys<T>]: StructuredResource<T, K>;
 };
-/** A structured role with `key`, `name`, and `grants` from the config. */
+/** A structured role with `key`, `name`, `grants`, and optional `isDefault` from the config. */
 type StructuredRole<T, K extends string> = {
     readonly key: K;
     readonly name: T extends {
@@ -104,6 +165,11 @@ type StructuredRole<T, K extends string> = {
     } ? K extends keyof R ? R[K] extends {
         grants: infer G;
     } ? Readonly<G> : {} : {} : {};
+    readonly isDefault: T extends {
+        roles: infer R;
+    } ? K extends keyof R ? R[K] extends {
+        isDefault: infer D;
+    } ? D : false : false : false;
 };
 /** Map of all roles as structured objects: `roles.admin.key` -> `"admin"`. */
 type StructuredRoles<T> = {
@@ -121,7 +187,7 @@ type StructuredPermissions<T> = {
  * Carries phantom types that downstream factories use to constrain
  * permission/role string parameters -- enabling full IDE autocomplete.
  */
-interface TypedRbac<T extends RbacConfig> {
+interface TypedRbac<T> {
     /** The raw RBAC config. Access resources, roles, etc. via `rbac._config`. */
     readonly _config: T;
     /**
@@ -155,6 +221,11 @@ type ResourceKey<A> = A extends TypedRbac<infer T> ? InferResourceKeys<T> : stri
 declare function validateRbacConfig(config: unknown): RbacConfig;
 
 declare function loadRbacConfig(cwd: string): Promise<RbacConfig>;
+/**
+ * Load RBAC config from a specific file path.
+ * Used when `authgate.config.ts` specifies `rbacConfig`.
+ */
+declare function loadRbacConfigFromPath(configPath: string, cwd?: string): Promise<RbacConfig>;
 
 interface ServerResource {
     id: string;
@@ -172,6 +243,7 @@ interface ServerRole {
     grants: Record<string, Record<string, GrantValue>> | null;
     inherits: string[];
     resolvedPermissions: string[];
+    isDefault: boolean;
     isActive: boolean;
     managedBy: string;
     version: number;
@@ -272,12 +344,61 @@ declare class RbacSyncClient {
 
 declare function formatRbacDiff(diff: DiffResult, dryRun: boolean): string;
 
+interface RoleManagementConfig {
+    baseUrl: string;
+    apiKey: string;
+}
+interface Role {
+    id: string;
+    projectId: string;
+    key: string;
+    name: string;
+    description: string | null;
+    isDefault: boolean;
+    permissions: string[];
+    createdAt: string;
+    updatedAt: string;
+}
+interface CreateRoleInput {
+    key: string;
+    name: string;
+    description?: string;
+    isDefault?: boolean;
+    permissions?: string[];
+}
+interface UpdateRoleInput {
+    name?: string;
+    description?: string | null;
+    permissions?: string[];
+    isDefault?: boolean;
+}
+interface RoleManagementClient {
+    listRoles(): Promise<Role[]>;
+    createRole(input: CreateRoleInput): Promise<Role>;
+    updateRole(roleId: string, input: UpdateRoleInput): Promise<Role>;
+    deleteRole(roleId: string): Promise<void>;
+    setDefaultRole(roleId: string): Promise<Role>;
+}
+declare function createRoleManagement(config: RoleManagementConfig): RoleManagementClient;
+
+/** Base config shape used as the generic constraint for `defineRbac()`. */
+type DefineRbacConfig = {
+    resources: Record<string, ResourceConfig>;
+    conditions?: Record<string, ConditionFn>;
+    roles: Record<string, {
+        name: string;
+        description?: string;
+        inherits?: readonly string[];
+        isDefault?: boolean;
+        renamedFrom?: string;
+        grants: Record<string, Record<string, GrantValue>>;
+    }>;
+};
 /**
  * Define your RBAC config. Use this in your `authgate.rbac.ts` config file.
  *
- * Returns a `TypedRbac<T>` object with structured resource, role, and permission
- * objects -- enabling full IDE autocomplete via dot-notation across hooks, helpers,
- * and server-side checks.
+ * Grants are validated at compile-time: if a role references an undeclared
+ * resource or action, TypeScript flags it as a type error.
  *
  * @example
  * ```ts
@@ -310,8 +431,8 @@ declare function formatRbacDiff(diff: DiffResult, dryRun: boolean): string;
  * rbac.permissions.documents.write       // "documents:write"
  * ```
  */
-declare function defineRbac<const T extends RbacConfig>(config: T, opts?: {
+declare function defineRbac<const T extends DefineRbacConfig>(config: T & ValidateConfig<T> & ValidateSingleDefault<T>, opts?: {
     validate?: boolean;
 }): TypedRbac<T>;
 
-export { type ApplyResult, type ConditionContext, type ConditionFn, type ConditionOp, type DiffResult, type GrantValue, type InferActions, type InferConditionKeys, type InferPermissions, type InferResourceKeys, type InferRoleKeys, type InferScopes, type Permission, type RbacConfig, RbacSyncClient, type RbacSyncClientConfig, type ResourceConfig, type ResourceKey, type ResourceOp, type RoleConfig, type RoleKey, type RoleOp, type ServerCondition, type ServerResource, type ServerRole, type ServerState, type TypedRbac, computeRbacDiff, defineRbac, formatRbacDiff, hashConditionSource, loadRbacConfig, validateRbacConfig };
+export { type ApplyResult, type ConditionContext, type ConditionFn, type ConditionOp, type CreateRoleInput, type DiffResult, type GrantValue, type InferActions, type InferConditionKeys, type InferPermissions, type InferResourceKeys, type InferRoleKeys, type InferScopes, type Permission, type RbacConfig, RbacSyncClient, type RbacSyncClientConfig, type ResourceConfig, type ResourceKey, type ResourceOp, type Role, type RoleConfig, type RoleKey, type RoleManagementClient, type RoleManagementConfig, type RoleOp, type ServerCondition, type ServerResource, type ServerRole, type ServerState, type TypedRbac, type UpdateRoleInput, computeRbacDiff, createRoleManagement, defineRbac, formatRbacDiff, hashConditionSource, loadRbacConfig, loadRbacConfigFromPath, validateRbacConfig };

package/dist/index.d.ts

@@ -1,3 +1,5 @@
+export { AuthGateConnection, AuthGateProjectConfig, defineConfig } from '@auth-gate/core';
+
 /** A resource definition: declares available actions and optional scopes. */
 interface ResourceConfig {
     actions: readonly string[];
@@ -39,6 +41,8 @@ interface RoleConfig {
     description?: string;
     inherits?: readonly string[];
     grants: Record<string, Record<string, GrantValue>>;
+    /** Mark this role as the default for new org members. Only one role may be default. */
+    isDefault?: boolean;
     /** Previous config key if this role was renamed. */
     renamedFrom?: string;
 }
@@ -80,6 +84,63 @@ type InferScopes<T, Resource extends string> = T extends {
 type InferConditionKeys<T> = T extends {
     conditions: infer C;
 } ? keyof C & string : never;
+/** Extract role keys that have `isDefault: true`. */
+type DefaultRoleKeys<Roles> = {
+    [K in keyof Roles]: Roles[K] extends {
+        isDefault: true;
+    } ? K : never;
+}[keyof Roles];
+type UnionToIntersection<U> = (U extends any ? (k: U) => void : never) extends (k: infer I) => void ? I : never;
+type IsUnion<T> = [T] extends [UnionToIntersection<T>] ? false : true;
+/**
+ * Compile-time constraint: if more than one role has `isDefault: true`,
+ * intersect those roles' `isDefault` with an error string so TypeScript
+ * produces a descriptive message.
+ *
+ * Error reads: Type 'true' is not assignable to type '"ERROR: ..."'.
+ */
+type ValidateSingleDefault<T> = T extends {
+    roles: infer Roles;
+} ? IsUnion<DefaultRoleKeys<Roles>> extends true ? {
+    roles: {
+        [K in DefaultRoleKeys<Roles> & keyof Roles]: {
+            isDefault: "ERROR: Only one role may have isDefault: true";
+        };
+    };
+} : {} : {};
+/** Extract valid action string literals from a resource config. */
+type ValidActions<R> = R extends {
+    actions: readonly (infer U)[];
+} ? U & string : never;
+/**
+ * Compile-time constraint: validates grant resource/action keys against
+ * declared resources at the type level.
+ *
+ * - **Invalid resource key** → descriptive error naming the resource.
+ * - **Invalid action key** → descriptive error listing valid actions.
+ * - **Valid grants** → passes through original types transparently.
+ *
+ * Used as `T & ValidateConfig<T>` in the `defineRbac()` parameter type.
+ *
+ * @note Extra properties on role objects (e.g. `isFakeProp`) are caught
+ * by the runtime `validateRbacConfig()` which runs by default.
+ */
+type ValidateConfig<T> = T extends {
+    resources: infer R extends Record<string, ResourceConfig>;
+    roles: infer Roles;
+} ? {
+    roles: {
+        [RK in keyof Roles]: Roles[RK] extends {
+            grants: infer G;
+        } ? {
+            grants: {
+                [ResK in keyof G]: ResK extends keyof R ? keyof G[ResK] extends ValidActions<R[ResK & keyof R]> ? {
+                    [ActK in keyof G[ResK]]: G[ResK][ActK];
+                } : `ERROR: invalid action(s) in "${ResK & string}" grants. Valid actions: ${ValidActions<R[ResK & keyof R]>}` : `ERROR: resource "${ResK & string}" is not declared in resources`;
+            };
+        } : Roles[RK];
+    };
+} : {};
 /** A structured resource with a `key` constant and an `actions` map of `"resource:action"` strings. */
 type StructuredResource<T, K extends string> = {
     readonly key: K;
@@ -91,7 +152,7 @@ type StructuredResource<T, K extends string> = {
 type StructuredResources<T> = {
     readonly [K in InferResourceKeys<T>]: StructuredResource<T, K>;
 };
-/** A structured role with `key`, `name`, and `grants` from the config. */
+/** A structured role with `key`, `name`, `grants`, and optional `isDefault` from the config. */
 type StructuredRole<T, K extends string> = {
     readonly key: K;
     readonly name: T extends {
@@ -104,6 +165,11 @@ type StructuredRole<T, K extends string> = {
     } ? K extends keyof R ? R[K] extends {
         grants: infer G;
     } ? Readonly<G> : {} : {} : {};
+    readonly isDefault: T extends {
+        roles: infer R;
+    } ? K extends keyof R ? R[K] extends {
+        isDefault: infer D;
+    } ? D : false : false : false;
 };
 /** Map of all roles as structured objects: `roles.admin.key` -> `"admin"`. */
 type StructuredRoles<T> = {
@@ -121,7 +187,7 @@ type StructuredPermissions<T> = {
  * Carries phantom types that downstream factories use to constrain
  * permission/role string parameters -- enabling full IDE autocomplete.
  */
-interface TypedRbac<T extends RbacConfig> {
+interface TypedRbac<T> {
     /** The raw RBAC config. Access resources, roles, etc. via `rbac._config`. */
     readonly _config: T;
     /**
@@ -155,6 +221,11 @@ type ResourceKey<A> = A extends TypedRbac<infer T> ? InferResourceKeys<T> : stri
 declare function validateRbacConfig(config: unknown): RbacConfig;
 
 declare function loadRbacConfig(cwd: string): Promise<RbacConfig>;
+/**
+ * Load RBAC config from a specific file path.
+ * Used when `authgate.config.ts` specifies `rbacConfig`.
+ */
+declare function loadRbacConfigFromPath(configPath: string, cwd?: string): Promise<RbacConfig>;
 
 interface ServerResource {
     id: string;
@@ -172,6 +243,7 @@ interface ServerRole {
     grants: Record<string, Record<string, GrantValue>> | null;
     inherits: string[];
     resolvedPermissions: string[];
+    isDefault: boolean;
     isActive: boolean;
     managedBy: string;
     version: number;
@@ -272,12 +344,61 @@ declare class RbacSyncClient {
 
 declare function formatRbacDiff(diff: DiffResult, dryRun: boolean): string;
 
+interface RoleManagementConfig {
+    baseUrl: string;
+    apiKey: string;
+}
+interface Role {
+    id: string;
+    projectId: string;
+    key: string;
+    name: string;
+    description: string | null;
+    isDefault: boolean;
+    permissions: string[];
+    createdAt: string;
+    updatedAt: string;
+}
+interface CreateRoleInput {
+    key: string;
+    name: string;
+    description?: string;
+    isDefault?: boolean;
+    permissions?: string[];
+}
+interface UpdateRoleInput {
+    name?: string;
+    description?: string | null;
+    permissions?: string[];
+    isDefault?: boolean;
+}
+interface RoleManagementClient {
+    listRoles(): Promise<Role[]>;
+    createRole(input: CreateRoleInput): Promise<Role>;
+    updateRole(roleId: string, input: UpdateRoleInput): Promise<Role>;
+    deleteRole(roleId: string): Promise<void>;
+    setDefaultRole(roleId: string): Promise<Role>;
+}
+declare function createRoleManagement(config: RoleManagementConfig): RoleManagementClient;
+
+/** Base config shape used as the generic constraint for `defineRbac()`. */
+type DefineRbacConfig = {
+    resources: Record<string, ResourceConfig>;
+    conditions?: Record<string, ConditionFn>;
+    roles: Record<string, {
+        name: string;
+        description?: string;
+        inherits?: readonly string[];
+        isDefault?: boolean;
+        renamedFrom?: string;
+        grants: Record<string, Record<string, GrantValue>>;
+    }>;
+};
 /**
  * Define your RBAC config. Use this in your `authgate.rbac.ts` config file.
  *
- * Returns a `TypedRbac<T>` object with structured resource, role, and permission
- * objects -- enabling full IDE autocomplete via dot-notation across hooks, helpers,
- * and server-side checks.
+ * Grants are validated at compile-time: if a role references an undeclared
+ * resource or action, TypeScript flags it as a type error.
  *
  * @example
  * ```ts
@@ -310,8 +431,8 @@ declare function formatRbacDiff(diff: DiffResult, dryRun: boolean): string;
  * rbac.permissions.documents.write       // "documents:write"
  * ```
  */
-declare function defineRbac<const T extends RbacConfig>(config: T, opts?: {
+declare function defineRbac<const T extends DefineRbacConfig>(config: T & ValidateConfig<T> & ValidateSingleDefault<T>, opts?: {
     validate?: boolean;
 }): TypedRbac<T>;
 
-export { type ApplyResult, type ConditionContext, type ConditionFn, type ConditionOp, type DiffResult, type GrantValue, type InferActions, type InferConditionKeys, type InferPermissions, type InferResourceKeys, type InferRoleKeys, type InferScopes, type Permission, type RbacConfig, RbacSyncClient, type RbacSyncClientConfig, type ResourceConfig, type ResourceKey, type ResourceOp, type RoleConfig, type RoleKey, type RoleOp, type ServerCondition, type ServerResource, type ServerRole, type ServerState, type TypedRbac, computeRbacDiff, defineRbac, formatRbacDiff, hashConditionSource, loadRbacConfig, validateRbacConfig };
+export { type ApplyResult, type ConditionContext, type ConditionFn, type ConditionOp, type CreateRoleInput, type DiffResult, type GrantValue, type InferActions, type InferConditionKeys, type InferPermissions, type InferResourceKeys, type InferRoleKeys, type InferScopes, type Permission, type RbacConfig, RbacSyncClient, type RbacSyncClientConfig, type ResourceConfig, type ResourceKey, type ResourceOp, type Role, type RoleConfig, type RoleKey, type RoleManagementClient, type RoleManagementConfig, type RoleOp, type ServerCondition, type ServerResource, type ServerRole, type ServerState, type TypedRbac, type UpdateRoleInput, computeRbacDiff, createRoleManagement, defineRbac, formatRbacDiff, hashConditionSource, loadRbacConfig, loadRbacConfigFromPath, validateRbacConfig };

package/dist/index.mjs

@@ -4,11 +4,100 @@ import {
   formatRbacDiff,
   hashConditionSource,
   loadRbacConfig,
+  loadRbacConfigFromPath,
   validateRbacConfig
-} from "./chunk-5YEMXO7B.mjs";
+} from "./chunk-5CSBBETH.mjs";
+
+// src/role-management.ts
+function createRoleManagement(config) {
+  const baseUrl = config.baseUrl.replace(/\/$/, "");
+  const apiKey = config.apiKey;
+  async function request(method, path, body) {
+    var _a, _b;
+    const url = `${baseUrl}${path}`;
+    const headers = {
+      Authorization: `Bearer ${apiKey}`,
+      "Content-Type": "application/json"
+    };
+    const res = await fetch(url, {
+      method,
+      headers,
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      let message;
+      try {
+        const json = JSON.parse(text);
+        message = (_b = (_a = json.error) != null ? _a : json.message) != null ? _b : "Unknown error";
+      } catch (e) {
+        message = text.length > 500 ? text.slice(0, 500) + "..." : text;
+      }
+      if (apiKey) {
+        message = message.replaceAll(apiKey, "[REDACTED]");
+      }
+      throw new Error(`API error (${res.status}): ${message}`);
+    }
+    return res.json();
+  }
+  return {
+    async listRoles() {
+      const result = await request("GET", "/api/v1/roles");
+      return result.data.map(toRole);
+    },
+    async createRole(input) {
+      var _a, _b;
+      const result = await request("POST", "/api/v1/roles", {
+        key: input.key,
+        name: input.name,
+        description: input.description,
+        is_default: (_a = input.isDefault) != null ? _a : false,
+        permissions: (_b = input.permissions) != null ? _b : []
+      });
+      return toRole(result.role);
+    },
+    async updateRole(roleId, input) {
+      const body = {};
+      if (input.name !== void 0) body.name = input.name;
+      if (input.description !== void 0) body.description = input.description;
+      if (input.permissions !== void 0) body.permissions = input.permissions;
+      if (input.isDefault !== void 0) body.is_default = input.isDefault;
+      const result = await request(
+        "PATCH",
+        `/api/v1/roles/${encodeURIComponent(roleId)}`,
+        body
+      );
+      return toRole(result.role);
+    },
+    async deleteRole(roleId) {
+      await request(
+        "DELETE",
+        `/api/v1/roles/${encodeURIComponent(roleId)}`
+      );
+    },
+    async setDefaultRole(roleId) {
+      return this.updateRole(roleId, { isDefault: true });
+    }
+  };
+}
+function toRole(raw) {
+  return {
+    id: raw.id,
+    projectId: raw.project_id,
+    key: raw.key,
+    name: raw.name,
+    description: raw.description,
+    isDefault: raw.is_default,
+    permissions: raw.permissions,
+    createdAt: raw.created_at,
+    updatedAt: raw.updated_at
+  };
+}
 
 // src/index.ts
+import { defineConfig } from "@auth-gate/core";
 function defineRbac(config, opts) {
+  var _a;
   if ((opts == null ? void 0 : opts.validate) !== false) {
     validateRbacConfig(config);
   }
@@ -22,7 +111,7 @@ function defineRbac(config, opts) {
   }
   const roles = {};
   for (const [key, role] of Object.entries(config.roles)) {
-    roles[key] = { key, name: role.name, grants: role.grants };
+    roles[key] = { key, name: role.name, grants: role.grants, isDefault: (_a = role.isDefault) != null ? _a : false };
   }
   const permissions = {};
   for (const [key, resource] of Object.entries(config.resources)) {
@@ -44,9 +133,12 @@ function defineRbac(config, opts) {
 export {
   RbacSyncClient,
   computeRbacDiff,
+  createRoleManagement,
+  defineConfig,
   defineRbac,
   formatRbacDiff,
   hashConditionSource,
   loadRbacConfig,
+  loadRbacConfigFromPath,
   validateRbacConfig
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth-gate/rbac",
-  "version": "0.8.1",
+  "version": "0.9.1",
   "type": "module",
   "exports": {
     ".": {
@@ -20,7 +20,9 @@
   ],
   "dependencies": {
     "chalk": "^5.4.0",
-    "jiti": "^2.4.0"
+    "dotenv": "^17.2.4",
+    "jiti": "^2.4.0",
+    "@auth-gate/core": "0.9.1"
   },
   "devDependencies": {
     "tsup": "^8.0.0",