@byline/admin 0.9.3

package/dist/modules/admin-permissions/commands.js

@@ -0,0 +1,39 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { assertAdminActor } from '../../lib/assert-admin-actor.js';
+import { ADMIN_PERMISSIONS_ABILITIES } from './abilities.js';
+import { getRoleAbilitiesRequestSchema, getRoleAbilitiesResponseSchema, listRegisteredAbilitiesRequestSchema, listRegisteredAbilitiesResponseSchema, setRoleAbilitiesRequestSchema, setRoleAbilitiesResponseSchema, whoHasAbilityRequestSchema, whoHasAbilityResponseSchema, } from './schemas.js';
+import { AdminPermissionsService } from './service.js';
+function serviceOf(deps) {
+    return new AdminPermissionsService({ store: deps.store, abilities: deps.abilities });
+}
+export async function listRegisteredAbilitiesCommand(context, input, deps) {
+    listRegisteredAbilitiesRequestSchema.parse(input ?? {});
+    assertAdminActor(context, ADMIN_PERMISSIONS_ABILITIES.read);
+    const result = serviceOf(deps).listRegisteredAbilities();
+    return listRegisteredAbilitiesResponseSchema.parse(result);
+}
+export async function whoHasAbilityCommand(context, input, deps) {
+    const parsed = whoHasAbilityRequestSchema.parse(input);
+    assertAdminActor(context, ADMIN_PERMISSIONS_ABILITIES.read);
+    const result = await serviceOf(deps).whoHasAbility(parsed);
+    return whoHasAbilityResponseSchema.parse(result);
+}
+export async function getRoleAbilitiesCommand(context, input, deps) {
+    const parsed = getRoleAbilitiesRequestSchema.parse(input);
+    assertAdminActor(context, ADMIN_PERMISSIONS_ABILITIES.read);
+    const result = await serviceOf(deps).getRoleAbilities(parsed);
+    return getRoleAbilitiesResponseSchema.parse(result);
+}
+export async function setRoleAbilitiesCommand(context, input, deps) {
+    const parsed = setRoleAbilitiesRequestSchema.parse(input);
+    assertAdminActor(context, ADMIN_PERMISSIONS_ABILITIES.update);
+    const result = await serviceOf(deps).setRoleAbilities(parsed);
+    return setRoleAbilitiesResponseSchema.parse(result);
+}
+//# sourceMappingURL=commands.js.map

package/dist/modules/admin-permissions/commands.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"commands.js","sourceRoot":"","sources":["../../../src/modules/admin-permissions/commands.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAA;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,gBAAgB,CAAA;AAC5D,OAAO,EACL,6BAA6B,EAC7B,8BAA8B,EAC9B,oCAAoC,EACpC,qCAAqC,EACrC,6BAA6B,EAC7B,8BAA8B,EAC9B,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAA;AA0BtD,SAAS,SAAS,CAAC,IAAiC;IAClD,OAAO,IAAI,uBAAuB,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAA;AACtF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,OAAmC,EACnC,KAAc,EACd,IAAiC;IAEjC,oCAAoC,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAA;IACvD,gBAAgB,CAAC,OAAO,EAAE,2BAA2B,CAAC,IAAI,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,uBAAuB,EAAE,CAAA;IACxD,OAAO,qCAAqC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAC5D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAmC,EACnC,KAAc,EACd,IAAiC;IAEjC,MAAM,MAAM,GAAG,0BAA0B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IACtD,gBAAgB,CAAC,OAAO,EAAE,2BAA2B,CAAC,IAAI,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;IAC1D,OAAO,2BAA2B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAClD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAmC,EACnC,KAAc,EACd,IAAiC;IAEjC,MAAM,MAAM,GAAG,6BAA6B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IACzD,gBAAgB,CAAC,OAAO,EAAE,2BAA2B,CAAC,IAAI,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAA;IAC7D,OAAO,8BAA8B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AACrD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAmC,EACnC,KAAc,EACd,IAAiC;IAEjC,MAAM,MAAM,GAAG,6BAA6B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IACzD,gBAAgB,CAAC,OAAO,EAAE,2BAA2B,CAAC,MAAM,CAAC,CAAA;IAC7D,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAA;IAC7D,OAAO,8BAA8B,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AACrD,CAAC"}

package/dist/modules/admin-permissions/dto.d.ts

@@ -0,0 +1,18 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AbilityDescriptor } from '@byline/auth';
+import type { AbilityDescriptorResponse } from './schemas.js';
+/**
+ * Shape an `AbilityDescriptor` from the registry into its public
+ * response form. Identity-shaped today — the indirection exists so
+ * that future internal-only fields on `AbilityDescriptor` (e.g. a
+ * registration timestamp) stay opted out of the public shape by
+ * default.
+ */
+export declare function toAbilityDescriptor(descriptor: AbilityDescriptor): AbilityDescriptorResponse;
+//# sourceMappingURL=dto.d.ts.map

package/dist/modules/admin-permissions/dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dto.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-permissions/dto.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAErD,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,cAAc,CAAA;AAE7D;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,iBAAiB,GAAG,yBAAyB,CAQ5F"}

package/dist/modules/admin-permissions/dto.js

@@ -0,0 +1,24 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Shape an `AbilityDescriptor` from the registry into its public
+ * response form. Identity-shaped today — the indirection exists so
+ * that future internal-only fields on `AbilityDescriptor` (e.g. a
+ * registration timestamp) stay opted out of the public shape by
+ * default.
+ */
+export function toAbilityDescriptor(descriptor) {
+    return {
+        key: descriptor.key,
+        label: descriptor.label,
+        description: descriptor.description ?? null,
+        group: descriptor.group,
+        source: descriptor.source ?? null,
+    };
+}
+//# sourceMappingURL=dto.js.map

package/dist/modules/admin-permissions/dto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dto.js","sourceRoot":"","sources":["../../../src/modules/admin-permissions/dto.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,UAA6B;IAC/D,OAAO;QACL,GAAG,EAAE,UAAU,CAAC,GAAG;QACnB,KAAK,EAAE,UAAU,CAAC,KAAK;QACvB,WAAW,EAAE,UAAU,CAAC,WAAW,IAAI,IAAI;QAC3C,KAAK,EAAE,UAAU,CAAC,KAAK;QACvB,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,IAAI;KAClC,CAAA;AACH,CAAC"}

package/dist/modules/admin-permissions/errors.d.ts

@@ -0,0 +1,34 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Module-local error codes for admin-permissions.
+ *
+ * `ROLE_NOT_FOUND` covers the editor (and future grant/revoke) paths;
+ * `ABILITY_UNREGISTERED` is reserved for the editor too — when a client
+ * tries to grant an ability key that no subsystem has registered. The
+ * inspector is read-only and never throws either of these.
+ */
+export declare const AdminPermissionsErrorCodes: {
+    readonly ROLE_NOT_FOUND: "admin.permissions.roleNotFound";
+    readonly ABILITY_UNREGISTERED: "admin.permissions.abilityUnregistered";
+};
+export type AdminPermissionsErrorCode = (typeof AdminPermissionsErrorCodes)[keyof typeof AdminPermissionsErrorCodes];
+export interface AdminPermissionsErrorOptions {
+    message?: string;
+    cause?: unknown;
+}
+export declare class AdminPermissionsError extends Error {
+    readonly code: AdminPermissionsErrorCode;
+    constructor(code: AdminPermissionsErrorCode, options: {
+        message: string;
+        cause?: unknown;
+    });
+}
+export declare const ERR_ADMIN_PERMISSIONS_ROLE_NOT_FOUND: (options?: AdminPermissionsErrorOptions) => AdminPermissionsError;
+export declare const ERR_ADMIN_PERMISSIONS_ABILITY_UNREGISTERED: (options?: AdminPermissionsErrorOptions) => AdminPermissionsError;
+//# sourceMappingURL=errors.d.ts.map

package/dist/modules/admin-permissions/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-permissions/errors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;GAOG;AAEH,eAAO,MAAM,0BAA0B;;;CAG7B,CAAA;AAEV,MAAM,MAAM,yBAAyB,GACnC,CAAC,OAAO,0BAA0B,CAAC,CAAC,MAAM,OAAO,0BAA0B,CAAC,CAAA;AAE9E,MAAM,WAAW,4BAA4B;IAC3C,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,OAAO,CAAA;CAChB;AAED,qBAAa,qBAAsB,SAAQ,KAAK;IAC9C,SAAgB,IAAI,EAAE,yBAAyB,CAAA;gBAEnC,IAAI,EAAE,yBAAyB,EAAE,OAAO,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAK3F;AAUD,eAAO,MAAM,oCAAoC,aANpC,4BAA4B,KAAG,qBAS3C,CAAA;AAED,eAAO,MAAM,0CAA0C,aAX1C,4BAA4B,KAAG,qBAc3C,CAAA"}

package/dist/modules/admin-permissions/errors.js

@@ -0,0 +1,34 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Module-local error codes for admin-permissions.
+ *
+ * `ROLE_NOT_FOUND` covers the editor (and future grant/revoke) paths;
+ * `ABILITY_UNREGISTERED` is reserved for the editor too — when a client
+ * tries to grant an ability key that no subsystem has registered. The
+ * inspector is read-only and never throws either of these.
+ */
+export const AdminPermissionsErrorCodes = {
+    ROLE_NOT_FOUND: 'admin.permissions.roleNotFound',
+    ABILITY_UNREGISTERED: 'admin.permissions.abilityUnregistered',
+};
+export class AdminPermissionsError extends Error {
+    code;
+    constructor(code, options) {
+        super(options.message, options.cause != null ? { cause: options.cause } : undefined);
+        this.name = 'AdminPermissionsError';
+        this.code = code;
+    }
+}
+const make = (code, defaultMessage) => (options) => new AdminPermissionsError(code, {
+    message: options?.message ?? defaultMessage,
+    cause: options?.cause,
+});
+export const ERR_ADMIN_PERMISSIONS_ROLE_NOT_FOUND = make(AdminPermissionsErrorCodes.ROLE_NOT_FOUND, 'admin role not found');
+export const ERR_ADMIN_PERMISSIONS_ABILITY_UNREGISTERED = make(AdminPermissionsErrorCodes.ABILITY_UNREGISTERED, 'one or more abilities are not registered');
+//# sourceMappingURL=errors.js.map

package/dist/modules/admin-permissions/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../src/modules/admin-permissions/errors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;GAOG;AAEH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,cAAc,EAAE,gCAAgC;IAChD,oBAAoB,EAAE,uCAAuC;CACrD,CAAA;AAUV,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9B,IAAI,CAA2B;IAE/C,YAAY,IAA+B,EAAE,OAA6C;QACxF,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;QACpF,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAA;QACnC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;IAClB,CAAC;CACF;AAED,MAAM,IAAI,GACR,CAAC,IAA+B,EAAE,cAAsB,EAAE,EAAE,CAC5D,CAAC,OAAsC,EAAyB,EAAE,CAChE,IAAI,qBAAqB,CAAC,IAAI,EAAE;IAC9B,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,cAAc;IAC3C,KAAK,EAAE,OAAO,EAAE,KAAK;CACtB,CAAC,CAAA;AAEN,MAAM,CAAC,MAAM,oCAAoC,GAAG,IAAI,CACtD,0BAA0B,CAAC,cAAc,EACzC,sBAAsB,CACvB,CAAA;AAED,MAAM,CAAC,MAAM,0CAA0C,GAAG,IAAI,CAC5D,0BAA0B,CAAC,oBAAoB,EAC/C,0CAA0C,CAC3C,CAAA"}

package/dist/modules/admin-permissions/index.d.ts

@@ -0,0 +1,30 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * `@byline/admin/admin-permissions` — ability grants against roles plus
+ * the read-only inspector view.
+ *
+ * Backs the `byline_admin_permissions` table. Ability keys are
+ * registered at `initBylineCore()` time through the `AbilityRegistry`
+ * from `@byline/auth`; this module owns the per-role grant data and the
+ * inspector that surfaces it.
+ *
+ * The editor surface (`getRoleAbilities` / `setRoleAbilities`) is
+ * deliberately out of scope on this first ship — it lands with Phase B
+ * and mounts on the admin-roles role detail page.
+ */
+export { ADMIN_PERMISSIONS_ABILITIES, type AdminPermissionsAbilityKey, registerAdminPermissionsAbilities, } from './abilities.js';
+export { getRoleAbilitiesCommand, listRegisteredAbilitiesCommand, setRoleAbilitiesCommand, whoHasAbilityCommand, } from './commands.js';
+export { toAbilityDescriptor } from './dto.js';
+export { AdminPermissionsError, type AdminPermissionsErrorCode, AdminPermissionsErrorCodes, ERR_ADMIN_PERMISSIONS_ABILITY_UNREGISTERED, ERR_ADMIN_PERMISSIONS_ROLE_NOT_FOUND, } from './errors.js';
+export { abilityDescriptorResponseSchema, abilityGroupResponseSchema, abilityHolderRoleSchema, abilityHolderUserSchema, getRoleAbilitiesRequestSchema, getRoleAbilitiesResponseSchema, listRegisteredAbilitiesRequestSchema, listRegisteredAbilitiesResponseSchema, setRoleAbilitiesRequestSchema, setRoleAbilitiesResponseSchema, whoHasAbilityRequestSchema, whoHasAbilityResponseSchema, } from './schemas.js';
+export { AdminPermissionsService } from './service.js';
+export type { AdminPermissionsCommandDeps } from './commands.js';
+export type { AdminPermissionsRepository } from './repository.js';
+export type { AbilityDescriptorResponse, AbilityGroupResponse, AbilityHolderRole, AbilityHolderUser, GetRoleAbilitiesRequest, GetRoleAbilitiesResponse, ListRegisteredAbilitiesRequest, ListRegisteredAbilitiesResponse, SetRoleAbilitiesRequest, SetRoleAbilitiesResponse, WhoHasAbilityRequest, WhoHasAbilityResponse, } from './schemas.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/modules/admin-permissions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-permissions/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;GAYG;AAEH,OAAO,EACL,2BAA2B,EAC3B,KAAK,0BAA0B,EAC/B,iCAAiC,GAClC,MAAM,gBAAgB,CAAA;AACvB,OAAO,EACL,uBAAuB,EACvB,8BAA8B,EAC9B,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAA;AAC9C,OAAO,EACL,qBAAqB,EACrB,KAAK,yBAAyB,EAC9B,0BAA0B,EAC1B,0CAA0C,EAC1C,oCAAoC,GACrC,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,+BAA+B,EAC/B,0BAA0B,EAC1B,uBAAuB,EACvB,uBAAuB,EACvB,6BAA6B,EAC7B,8BAA8B,EAC9B,oCAAoC,EACpC,qCAAqC,EACrC,6BAA6B,EAC7B,8BAA8B,EAC9B,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAA;AACtD,YAAY,EAAE,2BAA2B,EAAE,MAAM,eAAe,CAAA;AAChE,YAAY,EAAE,0BAA0B,EAAE,MAAM,iBAAiB,CAAA;AACjE,YAAY,EACV,yBAAyB,EACzB,oBAAoB,EACpB,iBAAiB,EACjB,iBAAiB,EACjB,uBAAuB,EACvB,wBAAwB,EACxB,8BAA8B,EAC9B,+BAA+B,EAC/B,uBAAuB,EACvB,wBAAwB,EACxB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,cAAc,CAAA"}

package/dist/modules/admin-permissions/index.js

@@ -0,0 +1,27 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * `@byline/admin/admin-permissions` — ability grants against roles plus
+ * the read-only inspector view.
+ *
+ * Backs the `byline_admin_permissions` table. Ability keys are
+ * registered at `initBylineCore()` time through the `AbilityRegistry`
+ * from `@byline/auth`; this module owns the per-role grant data and the
+ * inspector that surfaces it.
+ *
+ * The editor surface (`getRoleAbilities` / `setRoleAbilities`) is
+ * deliberately out of scope on this first ship — it lands with Phase B
+ * and mounts on the admin-roles role detail page.
+ */
+export { ADMIN_PERMISSIONS_ABILITIES, registerAdminPermissionsAbilities, } from './abilities.js';
+export { getRoleAbilitiesCommand, listRegisteredAbilitiesCommand, setRoleAbilitiesCommand, whoHasAbilityCommand, } from './commands.js';
+export { toAbilityDescriptor } from './dto.js';
+export { AdminPermissionsError, AdminPermissionsErrorCodes, ERR_ADMIN_PERMISSIONS_ABILITY_UNREGISTERED, ERR_ADMIN_PERMISSIONS_ROLE_NOT_FOUND, } from './errors.js';
+export { abilityDescriptorResponseSchema, abilityGroupResponseSchema, abilityHolderRoleSchema, abilityHolderUserSchema, getRoleAbilitiesRequestSchema, getRoleAbilitiesResponseSchema, listRegisteredAbilitiesRequestSchema, listRegisteredAbilitiesResponseSchema, setRoleAbilitiesRequestSchema, setRoleAbilitiesResponseSchema, whoHasAbilityRequestSchema, whoHasAbilityResponseSchema, } from './schemas.js';
+export { AdminPermissionsService } from './service.js';
+//# sourceMappingURL=index.js.map

package/dist/modules/admin-permissions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/modules/admin-permissions/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;GAYG;AAEH,OAAO,EACL,2BAA2B,EAE3B,iCAAiC,GAClC,MAAM,gBAAgB,CAAA;AACvB,OAAO,EACL,uBAAuB,EACvB,8BAA8B,EAC9B,uBAAuB,EACvB,oBAAoB,GACrB,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAA;AAC9C,OAAO,EACL,qBAAqB,EAErB,0BAA0B,EAC1B,0CAA0C,EAC1C,oCAAoC,GACrC,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,+BAA+B,EAC/B,0BAA0B,EAC1B,uBAAuB,EACvB,uBAAuB,EACvB,6BAA6B,EAC7B,8BAA8B,EAC9B,oCAAoC,EACpC,qCAAqC,EACrC,6BAA6B,EAC7B,8BAA8B,EAC9B,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAA"}

package/dist/modules/admin-permissions/repository.d.ts

@@ -0,0 +1,48 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * `AdminPermissionsRepository` — ability grants against roles.
+ *
+ * Backs the `byline_admin_permissions` table — one row per (role, ability)
+ * grant. `setAbilities` is the wholesale-replace operation the role-ability
+ * editor in the admin UI will drive; `grantAbility` / `revokeAbility` are
+ * the incremental operations for programmatic callers.
+ *
+ * `listAbilitiesForUser` is the join used by `resolveActor` to build an
+ * `AdminAuth` — distinct abilities across every role the user holds.
+ *
+ * `listRolesForAbility` and `listUsersForAbility` are the inverse joins
+ * driving the admin-permissions inspector view (which roles grant a given
+ * ability, and which admin users hold those roles transitively).
+ */
+export interface AdminPermissionsRepository {
+    /** Grant an ability to a role. Idempotent via the unique constraint. */
+    grantAbility(roleId: string, ability: string): Promise<void>;
+    revokeAbility(roleId: string, ability: string): Promise<void>;
+    listAbilities(roleId: string): Promise<string[]>;
+    /** Replace the ability set for a role wholesale. Runs inside a transaction. */
+    setAbilities(roleId: string, abilities: readonly string[]): Promise<void>;
+    /**
+     * Distinct abilities granted to a user via every role they hold. Used by
+     * `resolveActor()` to build the ability set on an `AdminAuth`.
+     */
+    listAbilitiesForUser(userId: string): Promise<string[]>;
+    /**
+     * Role ids that grant the given ability. Used by the inspector to render
+     * the per-ability "granted by these roles" list.
+     */
+    listRolesForAbility(ability: string): Promise<string[]>;
+    /**
+     * Distinct admin user ids that hold a role granting the given ability.
+     * Single-query join through `byline_admin_role_admin_user` — preferred
+     * over chaining `listRolesForAbility` + `listUsersForRole` so the
+     * inspector stays O(1) queries per ability.
+     */
+    listUsersForAbility(ability: string): Promise<string[]>;
+}
+//# sourceMappingURL=repository.d.ts.map

package/dist/modules/admin-permissions/repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"repository.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-permissions/repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;;GAcG;AAEH,MAAM,WAAW,0BAA0B;IACzC,wEAAwE;IACxE,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC5D,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC7D,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IAChD,+EAA+E;IAC/E,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACzE;;;OAGG;IACH,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IACvD;;;OAGG;IACH,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IACvD;;;;;OAKG;IACH,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;CACxD"}

package/dist/modules/admin-permissions/repository.js

@@ -0,0 +1,9 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+export {};
+//# sourceMappingURL=repository.js.map

package/dist/modules/admin-permissions/repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"repository.js","sourceRoot":"","sources":["../../../src/modules/admin-permissions/repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/dist/modules/admin-permissions/schemas.d.ts

@@ -0,0 +1,137 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { z } from 'zod';
+export declare const listRegisteredAbilitiesRequestSchema: z.ZodOptional<z.ZodObject<{}, z.core.$strip>>;
+export type ListRegisteredAbilitiesRequest = z.infer<typeof listRegisteredAbilitiesRequestSchema>;
+export declare const whoHasAbilityRequestSchema: z.ZodObject<{
+    ability: z.ZodString;
+}, z.core.$strip>;
+export type WhoHasAbilityRequest = z.infer<typeof whoHasAbilityRequestSchema>;
+export declare const getRoleAbilitiesRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+}, z.core.$strip>;
+export type GetRoleAbilitiesRequest = z.infer<typeof getRoleAbilitiesRequestSchema>;
+export declare const setRoleAbilitiesRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+    abilities: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export type SetRoleAbilitiesRequest = z.infer<typeof setRoleAbilitiesRequestSchema>;
+export declare const abilityDescriptorResponseSchema: z.ZodObject<{
+    key: z.ZodString;
+    label: z.ZodString;
+    description: z.ZodNullable<z.ZodString>;
+    group: z.ZodString;
+    source: z.ZodNullable<z.ZodEnum<{
+        admin: "admin";
+        collection: "collection";
+        plugin: "plugin";
+        core: "core";
+    }>>;
+}, z.core.$strip>;
+export type AbilityDescriptorResponse = z.infer<typeof abilityDescriptorResponseSchema>;
+export declare const abilityGroupResponseSchema: z.ZodObject<{
+    group: z.ZodString;
+    abilities: z.ZodArray<z.ZodObject<{
+        key: z.ZodString;
+        label: z.ZodString;
+        description: z.ZodNullable<z.ZodString>;
+        group: z.ZodString;
+        source: z.ZodNullable<z.ZodEnum<{
+            admin: "admin";
+            collection: "collection";
+            plugin: "plugin";
+            core: "core";
+        }>>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type AbilityGroupResponse = z.infer<typeof abilityGroupResponseSchema>;
+/**
+ * Inspector list payload. Returns both the flat list and the grouped
+ * buckets so the UI can render either shape without re-bucketing.
+ */
+export declare const listRegisteredAbilitiesResponseSchema: z.ZodObject<{
+    abilities: z.ZodArray<z.ZodObject<{
+        key: z.ZodString;
+        label: z.ZodString;
+        description: z.ZodNullable<z.ZodString>;
+        group: z.ZodString;
+        source: z.ZodNullable<z.ZodEnum<{
+            admin: "admin";
+            collection: "collection";
+            plugin: "plugin";
+            core: "core";
+        }>>;
+    }, z.core.$strip>>;
+    groups: z.ZodArray<z.ZodObject<{
+        group: z.ZodString;
+        abilities: z.ZodArray<z.ZodObject<{
+            key: z.ZodString;
+            label: z.ZodString;
+            description: z.ZodNullable<z.ZodString>;
+            group: z.ZodString;
+            source: z.ZodNullable<z.ZodEnum<{
+                admin: "admin";
+                collection: "collection";
+                plugin: "plugin";
+                core: "core";
+            }>>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    total: z.ZodNumber;
+}, z.core.$strip>;
+export type ListRegisteredAbilitiesResponse = z.infer<typeof listRegisteredAbilitiesResponseSchema>;
+/**
+ * Who-has-ability matrix entry. Roles and users are surfaced in the
+ * same response so the inline-expand row in the inspector renders in
+ * one round-trip.
+ */
+export declare const abilityHolderRoleSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    machine_name: z.ZodString;
+}, z.core.$strip>;
+export type AbilityHolderRole = z.infer<typeof abilityHolderRoleSchema>;
+export declare const abilityHolderUserSchema: z.ZodObject<{
+    id: z.ZodString;
+    email: z.ZodString;
+    given_name: z.ZodNullable<z.ZodString>;
+    family_name: z.ZodNullable<z.ZodString>;
+}, z.core.$strip>;
+export type AbilityHolderUser = z.infer<typeof abilityHolderUserSchema>;
+export declare const whoHasAbilityResponseSchema: z.ZodObject<{
+    ability: z.ZodString;
+    roles: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        name: z.ZodString;
+        machine_name: z.ZodString;
+    }, z.core.$strip>>;
+    users: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        email: z.ZodString;
+        given_name: z.ZodNullable<z.ZodString>;
+        family_name: z.ZodNullable<z.ZodString>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type WhoHasAbilityResponse = z.infer<typeof whoHasAbilityResponseSchema>;
+/**
+ * Editor payloads. `roleId` is echoed back on both responses so the
+ * caller can match async writes against the role they were editing
+ * without holding the id separately. `abilities` is the authoritative
+ * stored set after the write.
+ */
+export declare const getRoleAbilitiesResponseSchema: z.ZodObject<{
+    roleId: z.ZodString;
+    abilities: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export type GetRoleAbilitiesResponse = z.infer<typeof getRoleAbilitiesResponseSchema>;
+export declare const setRoleAbilitiesResponseSchema: z.ZodObject<{
+    roleId: z.ZodString;
+    abilities: z.ZodArray<z.ZodString>;
+}, z.core.$strip>;
+export type SetRoleAbilitiesResponse = z.infer<typeof setRoleAbilitiesResponseSchema>;
+//# sourceMappingURL=schemas.d.ts.map

package/dist/modules/admin-permissions/schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-permissions/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAwBvB,eAAO,MAAM,oCAAoC,+CAA0B,CAAA;AAC3E,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oCAAoC,CAAC,CAAA;AAEjG,eAAO,MAAM,0BAA0B;;iBAErC,CAAA;AACF,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA;AAE7E,eAAO,MAAM,6BAA6B;;iBAExC,CAAA;AACF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAA;AAEnF,eAAO,MAAM,6BAA6B;;;iBAGxC,CAAA;AACF,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAA;AAQnF,eAAO,MAAM,+BAA+B;;;;;;;;;;;iBAM1C,CAAA;AACF,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAA;AAEvF,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;iBAGrC,CAAA;AACF,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA;AAE7E;;;GAGG;AACH,eAAO,MAAM,qCAAqC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAIhD,CAAA;AACF,MAAM,MAAM,+BAA+B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qCAAqC,CAAC,CAAA;AAEnG;;;;GAIG;AACH,eAAO,MAAM,uBAAuB;;;;iBAIlC,CAAA;AACF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAEvE,eAAO,MAAM,uBAAuB;;;;;iBAKlC,CAAA;AACF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAEvE,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;iBAItC,CAAA;AACF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAE/E;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B;;;iBAGzC,CAAA;AACF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAA;AAErF,eAAO,MAAM,8BAA8B;;;iBAGzC,CAAA;AACF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAA"}

package/dist/modules/admin-permissions/schemas.js

@@ -0,0 +1,99 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { uuidSchema } from '@byline/core/validation';
+import { z } from 'zod';
+/**
+ * Zod request/response schemas for the admin-permissions inspector.
+ *
+ * The inspector ships two endpoints:
+ *
+ *   - `listRegisteredAbilities` — flat list + grouped buckets straight
+ *     out of the `AbilityRegistry`. No DB read.
+ *   - `whoHasAbility` — for a given ability key, the list of roles that
+ *     grant it and the distinct list of admin users transitively
+ *     holding it. Two DB joins.
+ *
+ * Phase B will add `getRoleAbilities` / `setRoleAbilities` for the
+ * per-role editor on the admin-roles detail page; both are deliberately
+ * out of scope here.
+ */
+const abilityKeySchema = z.string().min(1).max(128);
+// ---------------------------------------------------------------------------
+// Requests
+// ---------------------------------------------------------------------------
+export const listRegisteredAbilitiesRequestSchema = z.object({}).optional();
+export const whoHasAbilityRequestSchema = z.object({
+    ability: abilityKeySchema,
+});
+export const getRoleAbilitiesRequestSchema = z.object({
+    id: uuidSchema,
+});
+export const setRoleAbilitiesRequestSchema = z.object({
+    id: uuidSchema,
+    abilities: z.array(abilityKeySchema),
+});
+// ---------------------------------------------------------------------------
+// Responses
+// ---------------------------------------------------------------------------
+const abilitySourceSchema = z.enum(['collection', 'plugin', 'core', 'admin']).nullable();
+export const abilityDescriptorResponseSchema = z.object({
+    key: z.string(),
+    label: z.string(),
+    description: z.string().nullable(),
+    group: z.string(),
+    source: abilitySourceSchema,
+});
+export const abilityGroupResponseSchema = z.object({
+    group: z.string(),
+    abilities: z.array(abilityDescriptorResponseSchema),
+});
+/**
+ * Inspector list payload. Returns both the flat list and the grouped
+ * buckets so the UI can render either shape without re-bucketing.
+ */
+export const listRegisteredAbilitiesResponseSchema = z.object({
+    abilities: z.array(abilityDescriptorResponseSchema),
+    groups: z.array(abilityGroupResponseSchema),
+    total: z.number().int().min(0),
+});
+/**
+ * Who-has-ability matrix entry. Roles and users are surfaced in the
+ * same response so the inline-expand row in the inspector renders in
+ * one round-trip.
+ */
+export const abilityHolderRoleSchema = z.object({
+    id: z.string(),
+    name: z.string(),
+    machine_name: z.string(),
+});
+export const abilityHolderUserSchema = z.object({
+    id: z.string(),
+    email: z.string(),
+    given_name: z.string().nullable(),
+    family_name: z.string().nullable(),
+});
+export const whoHasAbilityResponseSchema = z.object({
+    ability: z.string(),
+    roles: z.array(abilityHolderRoleSchema),
+    users: z.array(abilityHolderUserSchema),
+});
+/**
+ * Editor payloads. `roleId` is echoed back on both responses so the
+ * caller can match async writes against the role they were editing
+ * without holding the id separately. `abilities` is the authoritative
+ * stored set after the write.
+ */
+export const getRoleAbilitiesResponseSchema = z.object({
+    roleId: z.string(),
+    abilities: z.array(z.string()),
+});
+export const setRoleAbilitiesResponseSchema = z.object({
+    roleId: z.string(),
+    abilities: z.array(z.string()),
+});
+//# sourceMappingURL=schemas.js.map

package/dist/modules/admin-permissions/schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../../src/modules/admin-permissions/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB;;;;;;;;;;;;;;GAcG;AAEH,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;AAEnD,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E,MAAM,CAAC,MAAM,oCAAoC,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAA;AAG3E,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,OAAO,EAAE,gBAAgB;CAC1B,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;IACpD,EAAE,EAAE,UAAU;CACf,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;IACpD,EAAE,EAAE,UAAU;IACd,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC;CACrC,CAAC,CAAA;AAGF,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,mBAAmB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAA;AAExF,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAAC,CAAC,MAAM,CAAC;IACtD,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,MAAM,EAAE,mBAAmB;CAC5B,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,+BAA+B,CAAC;CACpD,CAAC,CAAA;AAGF;;;GAGG;AACH,MAAM,CAAC,MAAM,qCAAqC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5D,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,+BAA+B,CAAC;IACnD,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,0BAA0B,CAAC;IAC3C,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC/B,CAAC,CAAA;AAGF;;;;GAIG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;CACzB,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACnC,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC;IACvC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC;CACxC,CAAC,CAAA;AAGF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC;IACrD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;CAC/B,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC;IACrD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;CAC/B,CAAC,CAAA"}

package/dist/modules/admin-permissions/service.d.ts

@@ -0,0 +1,42 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AbilityRegistry } from '@byline/auth';
+import type { AdminStore } from '../../store.js';
+import type { GetRoleAbilitiesRequest, GetRoleAbilitiesResponse, ListRegisteredAbilitiesResponse, SetRoleAbilitiesRequest, SetRoleAbilitiesResponse, WhoHasAbilityRequest, WhoHasAbilityResponse } from './schemas.js';
+/**
+ * Read-only inspector service for admin-permissions.
+ *
+ * Two responsibilities:
+ *
+ *   1. **Enumerate registered abilities.** Pure registry read — no DB
+ *      access. The registry is populated at `initBylineCore()` time
+ *      by collection auto-registration plus subsystem registrars
+ *      (`registerAdminAbilities`).
+ *   2. **Resolve the who-has matrix.** For a given ability key, list
+ *      the roles that grant it and the distinct admin users
+ *      transitively holding it. Backed by two single-query joins on
+ *      the permissions repository, then resolved against the roles
+ *      and users repositories so the inspector can render names
+ *      without further round-trips.
+ *
+ * The editor surface (`getRoleAbilities` / `setRoleAbilities`) is
+ * deliberately not on this service yet — it lands with Phase B and
+ * will live alongside these methods.
+ */
+export declare class AdminPermissionsService {
+    #private;
+    constructor(deps: {
+        store: AdminStore;
+        abilities: AbilityRegistry;
+    });
+    listRegisteredAbilities(): ListRegisteredAbilitiesResponse;
+    getRoleAbilities(request: GetRoleAbilitiesRequest): Promise<GetRoleAbilitiesResponse>;
+    setRoleAbilities(request: SetRoleAbilitiesRequest): Promise<SetRoleAbilitiesResponse>;
+    whoHasAbility(request: WhoHasAbilityRequest): Promise<WhoHasAbilityResponse>;
+}
+//# sourceMappingURL=service.d.ts.map

package/dist/modules/admin-permissions/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-permissions/service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAOnD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAChD,OAAO,KAAK,EACV,uBAAuB,EACvB,wBAAwB,EACxB,+BAA+B,EAC/B,uBAAuB,EACvB,wBAAwB,EACxB,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,cAAc,CAAA;AAErB;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,uBAAuB;;gBAItB,IAAI,EAAE;QAAE,KAAK,EAAE,UAAU,CAAC;QAAC,SAAS,EAAE,eAAe,CAAA;KAAE;IAKnE,uBAAuB,IAAI,+BAA+B;IAkBpD,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,wBAAwB,CAAC;IAOrF,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,wBAAwB,CAAC;IAwBrF,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,qBAAqB,CAAC;CAgCnF"}