@byline/admin 0.9.3

package/dist/modules/admin-roles/repository.d.ts

@@ -0,0 +1,91 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * `AdminRolesRepository` — role CRUD plus role ↔ user assignments.
+ *
+ * Deliberately does *not* cover per-role ability grants — those live on
+ * `AdminPermissionsRepository` (`modules/admin-permissions/repository.ts`),
+ * which owns the `byline_admin_permissions` table. The split follows the
+ * admin UI: role identity and membership live together; ability grants
+ * are a separate editor surface driven by the ability registry.
+ *
+ * **Optimistic concurrency.** `update`, `delete`, and `reorder` take an
+ * `expectedVid` and bump the stored `vid` on success. Adapters throw
+ * `AdminRolesError(VERSION_CONFLICT)` when the stored vid differs from
+ * the expected one — typical client response is to reload the form.
+ *
+ * `machine_name` is **immutable post-create**. The `UpdateAdminRoleInput`
+ * type omits it deliberately so renaming the slug is a deliberate
+ * separate operation if it ever ships.
+ */
+export interface AdminRoleRow {
+    id: string;
+    vid: number;
+    name: string;
+    machine_name: string;
+    description: string | null;
+    order: number;
+    created_at: Date;
+    updated_at: Date;
+}
+export interface CreateAdminRoleInput {
+    name: string;
+    machine_name: string;
+    description?: string | null;
+    order?: number;
+}
+export interface UpdateAdminRoleInput {
+    name?: string;
+    description?: string | null;
+    order?: number;
+}
+export interface AdminRolesRepository {
+    create(input: CreateAdminRoleInput): Promise<AdminRoleRow>;
+    getById(id: string): Promise<AdminRoleRow | null>;
+    getByMachineName(machineName: string): Promise<AdminRoleRow | null>;
+    /** Roles ordered by their `order` column then `created_at`. No paging — the list is small by design. */
+    list(): Promise<AdminRoleRow[]>;
+    /**
+     * Content update with optimistic concurrency. Throws
+     * `AdminRolesError(VERSION_CONFLICT)` if the stored `vid` differs from
+     * `expectedVid`. Bumps `vid` on success and returns the fresh row.
+     */
+    update(id: string, expectedVid: number, patch: UpdateAdminRoleInput): Promise<AdminRoleRow>;
+    /**
+     * Delete with optimistic concurrency. Version-gated on `expectedVid` to
+     * prevent races against a concurrent update.
+     */
+    delete(id: string, expectedVid: number): Promise<void>;
+    /**
+     * Bulk reorder. The provided `ids` array fixes the new `order` value
+     * for each role to its index in the array. Runs in a single
+     * transaction. Roles not present in `ids` are left untouched.
+     *
+     * Vid-less by design — reorder mutates only the `order` column and
+     * the UX shape is always "drag, then save the whole list", which would
+     * pointlessly conflict with concurrent edits to other fields. Last
+     * writer on the order column wins.
+     */
+    reorder(ids: string[]): Promise<void>;
+    /** Assign a role to a user. Idempotent via the composite primary key. */
+    assignToUser(roleId: string, userId: string): Promise<void>;
+    unassignFromUser(roleId: string, userId: string): Promise<void>;
+    listRolesForUser(userId: string): Promise<AdminRoleRow[]>;
+    listUsersForRole(roleId: string): Promise<string[]>;
+    /**
+     * Replace the role-set for a user wholesale. Runs in a single
+     * transaction so the user is never observed mid-edit. Vid-less by
+     * design — assignments live in the join table, not on the user row,
+     * and the editor UX is "drag, save the whole list" rather than
+     * field-level concurrency. Caller is responsible for validating that
+     * `userId` and every `roleId` exist; the repo trusts its inputs and
+     * lets the FK constraint surface as the ultimate backstop.
+     */
+    setRolesForUser(userId: string, roleIds: readonly string[]): Promise<void>;
+}
+//# sourceMappingURL=repository.d.ts.map

package/dist/modules/admin-roles/repository.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"repository.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-roles/repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,KAAK,EAAE,MAAM,CAAA;IACb,UAAU,EAAE,IAAI,CAAA;IAChB,UAAU,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAA;IACZ,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAA;IAC1D,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAA;IACjD,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAA;IACnE,wGAAwG;IACxG,IAAI,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,CAAA;IAC/B;;;;OAIG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAA;IAC3F;;;OAGG;IACH,MAAM,CAAC,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACtD;;;;;;;;;OASG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAErC,yEAAyE;IACzE,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC3D,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC/D,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAAA;IACzD,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IACnD;;;;;;;;OAQG;IACH,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAC3E"}

package/dist/modules/admin-roles/repository.js

@@ -0,0 +1,9 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+export {};
+//# sourceMappingURL=repository.js.map

package/dist/modules/admin-roles/repository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"repository.js","sourceRoot":"","sources":["../../../src/modules/admin-roles/repository.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG"}

package/dist/modules/admin-roles/schemas.d.ts

@@ -0,0 +1,99 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { z } from 'zod';
+export declare const listAdminRolesRequestSchema: z.ZodOptional<z.ZodObject<{}, z.core.$strip>>;
+export type ListAdminRolesRequest = z.infer<typeof listAdminRolesRequestSchema>;
+export declare const getAdminRoleRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+}, z.core.$strip>;
+export type GetAdminRoleRequest = z.infer<typeof getAdminRoleRequestSchema>;
+export declare const createAdminRoleRequestSchema: z.ZodObject<{
+    name: z.ZodString;
+    machine_name: z.ZodString;
+    description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    order: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
+export type CreateAdminRoleRequest = z.infer<typeof createAdminRoleRequestSchema>;
+export declare const updateAdminRoleRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+    vid: z.ZodNumber;
+    patch: z.ZodObject<{
+        name: z.ZodOptional<z.ZodString>;
+        description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        order: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strip>;
+}, z.core.$strip>;
+export type UpdateAdminRoleRequest = z.infer<typeof updateAdminRoleRequestSchema>;
+export declare const deleteAdminRoleRequestSchema: z.ZodObject<{
+    id: z.ZodUUID;
+    vid: z.ZodNumber;
+}, z.core.$strip>;
+export type DeleteAdminRoleRequest = z.infer<typeof deleteAdminRoleRequestSchema>;
+export declare const reorderAdminRolesRequestSchema: z.ZodObject<{
+    ids: z.ZodArray<z.ZodUUID>;
+}, z.core.$strip>;
+export type ReorderAdminRolesRequest = z.infer<typeof reorderAdminRolesRequestSchema>;
+export declare const getRolesForUserRequestSchema: z.ZodObject<{
+    userId: z.ZodUUID;
+}, z.core.$strip>;
+export type GetRolesForUserRequest = z.infer<typeof getRolesForUserRequestSchema>;
+export declare const setRolesForUserRequestSchema: z.ZodObject<{
+    userId: z.ZodUUID;
+    roleIds: z.ZodArray<z.ZodUUID>;
+}, z.core.$strip>;
+export type SetRolesForUserRequest = z.infer<typeof setRolesForUserRequestSchema>;
+export declare const adminRoleResponseSchema: z.ZodObject<{
+    id: z.ZodString;
+    vid: z.ZodNumber;
+    name: z.ZodString;
+    machine_name: z.ZodString;
+    description: z.ZodNullable<z.ZodString>;
+    order: z.ZodNumber;
+    created_at: z.ZodDate;
+    updated_at: z.ZodDate;
+}, z.core.$strip>;
+export type AdminRoleResponse = z.infer<typeof adminRoleResponseSchema>;
+export declare const adminRoleListResponseSchema: z.ZodObject<{
+    roles: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        vid: z.ZodNumber;
+        name: z.ZodString;
+        machine_name: z.ZodString;
+        description: z.ZodNullable<z.ZodString>;
+        order: z.ZodNumber;
+        created_at: z.ZodDate;
+        updated_at: z.ZodDate;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type AdminRoleListResponse = z.infer<typeof adminRoleListResponseSchema>;
+/**
+ * User-roles editor payload. `userId` is echoed back so the caller can
+ * match async writes; `roles` is the authoritative role-set after the
+ * write, shaped as full role rows so the drawer renders names without a
+ * second fetch.
+ */
+export declare const userRolesResponseSchema: z.ZodObject<{
+    userId: z.ZodString;
+    roles: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        vid: z.ZodNumber;
+        name: z.ZodString;
+        machine_name: z.ZodString;
+        description: z.ZodNullable<z.ZodString>;
+        order: z.ZodNumber;
+        created_at: z.ZodDate;
+        updated_at: z.ZodDate;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
+export type UserRolesResponse = z.infer<typeof userRolesResponseSchema>;
+/** Empty response for void-returning mutations (delete, reorder). */
+export declare const okResponseSchema: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+}, z.core.$strip>;
+export type OkResponse = z.infer<typeof okResponseSchema>;
+//# sourceMappingURL=schemas.d.ts.map

package/dist/modules/admin-roles/schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-roles/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AA2CvB,eAAO,MAAM,2BAA2B,+CAA0B,CAAA;AAClE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAE/E,eAAO,MAAM,yBAAyB;;iBAEpC,CAAA;AACF,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAA;AAE3E,eAAO,MAAM,4BAA4B;;;;;iBAKvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAEjF,eAAO,MAAM,4BAA4B;;;;;;;;iBAUvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAEjF,eAAO,MAAM,4BAA4B;;;iBAGvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAEjF,eAAO,MAAM,8BAA8B;;iBAEzC,CAAA;AACF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAA;AAErF,eAAO,MAAM,4BAA4B;;iBAEvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAEjF,eAAO,MAAM,4BAA4B;;;iBAGvC,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAA;AAMjF,eAAO,MAAM,uBAAuB;;;;;;;;;iBASlC,CAAA;AACF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAEvE,eAAO,MAAM,2BAA2B;;;;;;;;;;;iBAEtC,CAAA;AACF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAE/E;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;iBAGlC,CAAA;AACF,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAEvE,qEAAqE;AACrE,eAAO,MAAM,gBAAgB;;iBAAoC,CAAA;AACjE,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA"}

package/dist/modules/admin-roles/schemas.js

@@ -0,0 +1,105 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { uuidSchema } from '@byline/core/validation';
+import { z } from 'zod';
+/**
+ * Zod request/response schemas for the admin-roles commands.
+ *
+ * `vid` gates writes for optimistic concurrency; `machine_name` is
+ * accepted only at create time and validated as a slug-shaped string.
+ *
+ * Reorder takes the full ordered id list — the index in the array
+ * becomes each role's new `order` value. The list-view UX is "drag,
+ * then save the whole order" so a partial-update payload would add no
+ * value and complicate atomicity.
+ */
+// ---------------------------------------------------------------------------
+// Field-level schemas
+// ---------------------------------------------------------------------------
+const idSchema = uuidSchema;
+const vidSchema = z
+    .number({ message: 'vid is required' })
+    .int({ message: 'vid must be an integer' })
+    .positive({ message: 'vid must be positive' });
+const nameSchema = z.string().min(1).max(128);
+const machineNameSchema = z
+    .string()
+    .min(1)
+    .max(128)
+    .regex(/^[a-z0-9][a-z0-9_-]*$/, {
+    message: 'machine_name may contain lowercase letters, numbers, hyphens, and underscores only',
+});
+const descriptionSchema = z.string().max(2000).nullish();
+const orderSchema = z.number().int().min(0);
+// ---------------------------------------------------------------------------
+// Requests
+// ---------------------------------------------------------------------------
+export const listAdminRolesRequestSchema = z.object({}).optional();
+export const getAdminRoleRequestSchema = z.object({
+    id: idSchema,
+});
+export const createAdminRoleRequestSchema = z.object({
+    name: nameSchema,
+    machine_name: machineNameSchema,
+    description: descriptionSchema,
+    order: orderSchema.optional(),
+});
+export const updateAdminRoleRequestSchema = z.object({
+    id: idSchema,
+    vid: vidSchema,
+    patch: z
+        .object({
+        name: nameSchema.optional(),
+        description: descriptionSchema,
+        order: orderSchema.optional(),
+    })
+        .refine((p) => Object.keys(p).length > 0, { message: 'patch cannot be empty' }),
+});
+export const deleteAdminRoleRequestSchema = z.object({
+    id: idSchema,
+    vid: vidSchema,
+});
+export const reorderAdminRolesRequestSchema = z.object({
+    ids: z.array(idSchema).min(1, { message: 'at least one id is required' }),
+});
+export const getRolesForUserRequestSchema = z.object({
+    userId: idSchema,
+});
+export const setRolesForUserRequestSchema = z.object({
+    userId: idSchema,
+    roleIds: z.array(idSchema),
+});
+// ---------------------------------------------------------------------------
+// Responses
+// ---------------------------------------------------------------------------
+export const adminRoleResponseSchema = z.object({
+    id: z.string(),
+    vid: z.number().int(),
+    name: z.string(),
+    machine_name: z.string(),
+    description: z.string().nullable(),
+    order: z.number().int(),
+    created_at: z.date(),
+    updated_at: z.date(),
+});
+export const adminRoleListResponseSchema = z.object({
+    roles: z.array(adminRoleResponseSchema),
+});
+/**
+ * User-roles editor payload. `userId` is echoed back so the caller can
+ * match async writes; `roles` is the authoritative role-set after the
+ * write, shaped as full role rows so the drawer renders names without a
+ * second fetch.
+ */
+export const userRolesResponseSchema = z.object({
+    userId: z.string(),
+    roles: z.array(adminRoleResponseSchema),
+});
+/** Empty response for void-returning mutations (delete, reorder). */
+export const okResponseSchema = z.object({ ok: z.literal(true) });
+//# sourceMappingURL=schemas.js.map

package/dist/modules/admin-roles/schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../../src/modules/admin-roles/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB;;;;;;;;;;GAUG;AAEH,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,QAAQ,GAAG,UAAU,CAAA;AAE3B,MAAM,SAAS,GAAG,CAAC;KAChB,MAAM,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;KACtC,GAAG,CAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;KAC1C,QAAQ,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAA;AAEhD,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;AAE7C,MAAM,iBAAiB,GAAG,CAAC;KACxB,MAAM,EAAE;KACR,GAAG,CAAC,CAAC,CAAC;KACN,GAAG,CAAC,GAAG,CAAC;KACR,KAAK,CAAC,uBAAuB,EAAE;IAC9B,OAAO,EAAE,oFAAoF;CAC9F,CAAC,CAAA;AAEJ,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAA;AAExD,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;AAE3C,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAA;AAGlE,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChD,EAAE,EAAE,QAAQ;CACb,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,IAAI,EAAE,UAAU;IAChB,YAAY,EAAE,iBAAiB;IAC/B,WAAW,EAAE,iBAAiB;IAC9B,KAAK,EAAE,WAAW,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,EAAE,EAAE,QAAQ;IACZ,GAAG,EAAE,SAAS;IACd,KAAK,EAAE,CAAC;SACL,MAAM,CAAC;QACN,IAAI,EAAE,UAAU,CAAC,QAAQ,EAAE;QAC3B,WAAW,EAAE,iBAAiB;QAC9B,KAAK,EAAE,WAAW,CAAC,QAAQ,EAAE;KAC9B,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;CAClF,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,EAAE,EAAE,QAAQ;IACZ,GAAG,EAAE,SAAS;CACf,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAAC,CAAC,MAAM,CAAC;IACrD,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;CAC1E,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,MAAM,EAAE,QAAQ;CACjB,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,MAAM,EAAE,QAAQ;IAChB,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC;CAC3B,CAAC,CAAA;AAGF,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACrB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;IACxB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACvB,UAAU,EAAE,CAAC,CAAC,IAAI,EAAE;IACpB,UAAU,EAAE,CAAC,CAAC,IAAI,EAAE;CACrB,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IAClD,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC;CACxC,CAAC,CAAA;AAGF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC;CACxC,CAAC,CAAA;AAGF,qEAAqE;AACrE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA"}

package/dist/modules/admin-roles/service.d.ts

@@ -0,0 +1,49 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AdminStore } from '../../store.js';
+import type { AdminRoleListResponse, AdminRoleResponse, CreateAdminRoleRequest, DeleteAdminRoleRequest, GetAdminRoleRequest, GetRolesForUserRequest, ReorderAdminRolesRequest, SetRolesForUserRequest, UpdateAdminRoleRequest, UserRolesResponse } from './schemas.js';
+/**
+ * Business logic for administering admin roles.
+ *
+ * Owns four concerns the repository deliberately avoids:
+ *
+ *   1. **Domain invariants.** `machine_name` uniqueness pre-check on
+ *      create — the unique index is the ultimate backstop, but the
+ *      pre-check produces a clean domain error rather than a raw
+ *      Postgres code.
+ *   2. **DTO shaping.** Raw rows are shaped through `toAdminRole` so
+ *      the response contract is owned in one place.
+ *   3. **Optimistic-concurrency plumbing.** The repo gates writes on
+ *      `expectedVid`; the service threads it from the validated request
+ *      shape. Version conflicts surface as
+ *      `AdminRolesError(VERSION_CONFLICT)` from the adapter; the service
+ *      does not catch them.
+ *   4. **Cross-table validation.** The user-roles editor validates the
+ *      user and every referenced role exists before mutating the join
+ *      table — clean errors over raw FK violations.
+ *
+ * Roles do not need a self-target invariant the way users do
+ * (no "self-delete" concept), so role-CRUD service methods are
+ * actor-agnostic and the ability check at the command boundary is the
+ * only authorisation.
+ */
+export declare class AdminRolesService {
+    #private;
+    constructor(deps: {
+        store: AdminStore;
+    });
+    listRoles(): Promise<AdminRoleListResponse>;
+    getRole(request: GetAdminRoleRequest): Promise<AdminRoleResponse>;
+    createRole(request: CreateAdminRoleRequest): Promise<AdminRoleResponse>;
+    updateRole(request: UpdateAdminRoleRequest): Promise<AdminRoleResponse>;
+    deleteRole(request: DeleteAdminRoleRequest): Promise<void>;
+    reorderRoles(request: ReorderAdminRolesRequest): Promise<void>;
+    getRolesForUser(request: GetRolesForUserRequest): Promise<UserRolesResponse>;
+    setRolesForUser(request: SetRolesForUserRequest): Promise<UserRolesResponse>;
+}
+//# sourceMappingURL=service.d.ts.map

package/dist/modules/admin-roles/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-roles/service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAQH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAChD,OAAO,KAAK,EACV,qBAAqB,EACrB,iBAAiB,EACjB,sBAAsB,EACtB,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,wBAAwB,EACxB,sBAAsB,EACtB,sBAAsB,EACtB,iBAAiB,EAClB,MAAM,cAAc,CAAA;AAErB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,iBAAiB;;gBAGhB,IAAI,EAAE;QAAE,KAAK,EAAE,UAAU,CAAA;KAAE;IAIjC,SAAS,IAAI,OAAO,CAAC,qBAAqB,CAAC;IAK3C,OAAO,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAMjE,UAAU,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAevE,UAAU,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAOvE,UAAU,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC;IAM1D,YAAY,CAAC,OAAO,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9D,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAO5E,eAAe,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,iBAAiB,CAAC;CAyBnF"}

package/dist/modules/admin-roles/service.js

@@ -0,0 +1,110 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { toAdminRole } from './dto.js';
+import { ERR_ADMIN_ROLE_MACHINE_NAME_IN_USE, ERR_ADMIN_ROLE_NOT_FOUND, ERR_ADMIN_ROLE_USER_NOT_FOUND, } from './errors.js';
+/**
+ * Business logic for administering admin roles.
+ *
+ * Owns four concerns the repository deliberately avoids:
+ *
+ *   1. **Domain invariants.** `machine_name` uniqueness pre-check on
+ *      create — the unique index is the ultimate backstop, but the
+ *      pre-check produces a clean domain error rather than a raw
+ *      Postgres code.
+ *   2. **DTO shaping.** Raw rows are shaped through `toAdminRole` so
+ *      the response contract is owned in one place.
+ *   3. **Optimistic-concurrency plumbing.** The repo gates writes on
+ *      `expectedVid`; the service threads it from the validated request
+ *      shape. Version conflicts surface as
+ *      `AdminRolesError(VERSION_CONFLICT)` from the adapter; the service
+ *      does not catch them.
+ *   4. **Cross-table validation.** The user-roles editor validates the
+ *      user and every referenced role exists before mutating the join
+ *      table — clean errors over raw FK violations.
+ *
+ * Roles do not need a self-target invariant the way users do
+ * (no "self-delete" concept), so role-CRUD service methods are
+ * actor-agnostic and the ability check at the command boundary is the
+ * only authorisation.
+ */
+export class AdminRolesService {
+    #store;
+    constructor(deps) {
+        this.#store = deps.store;
+    }
+    async listRoles() {
+        const rows = await this.#store.adminRoles.list();
+        return { roles: rows.map(toAdminRole) };
+    }
+    async getRole(request) {
+        const row = await this.#store.adminRoles.getById(request.id);
+        if (!row)
+            throw ERR_ADMIN_ROLE_NOT_FOUND();
+        return toAdminRole(row);
+    }
+    async createRole(request) {
+        // Pre-check for machine_name conflict so the common case returns a
+        // domain-specific error rather than the raw unique-violation code.
+        const existing = await this.#store.adminRoles.getByMachineName(request.machine_name);
+        if (existing)
+            throw ERR_ADMIN_ROLE_MACHINE_NAME_IN_USE();
+        const row = await this.#store.adminRoles.create({
+            name: request.name,
+            machine_name: request.machine_name,
+            description: request.description ?? null,
+            order: request.order,
+        });
+        return toAdminRole(row);
+    }
+    async updateRole(request) {
+        const current = await this.#store.adminRoles.getById(request.id);
+        if (!current)
+            throw ERR_ADMIN_ROLE_NOT_FOUND();
+        const row = await this.#store.adminRoles.update(request.id, request.vid, request.patch);
+        return toAdminRole(row);
+    }
+    async deleteRole(request) {
+        const exists = await this.#store.adminRoles.getById(request.id);
+        if (!exists)
+            throw ERR_ADMIN_ROLE_NOT_FOUND();
+        await this.#store.adminRoles.delete(request.id, request.vid);
+    }
+    async reorderRoles(request) {
+        await this.#store.adminRoles.reorder(request.ids);
+    }
+    async getRolesForUser(request) {
+        const user = await this.#store.adminUsers.getById(request.userId);
+        if (!user)
+            throw ERR_ADMIN_ROLE_USER_NOT_FOUND();
+        const rows = await this.#store.adminRoles.listRolesForUser(request.userId);
+        return { userId: request.userId, roles: rows.map(toAdminRole) };
+    }
+    async setRolesForUser(request) {
+        const user = await this.#store.adminUsers.getById(request.userId);
+        if (!user)
+            throw ERR_ADMIN_ROLE_USER_NOT_FOUND();
+        // Validate every referenced role exists. N round-trips, but role
+        // assignment payloads are small by design (typically < 10 roles)
+        // and surfacing a clean `notFound` beats a raw FK violation.
+        if (request.roleIds.length > 0) {
+            const found = await Promise.all(request.roleIds.map((id) => this.#store.adminRoles.getById(id)));
+            const missing = request.roleIds.filter((_, i) => found[i] == null);
+            if (missing.length > 0) {
+                throw ERR_ADMIN_ROLE_NOT_FOUND({
+                    message: `One or more referenced roles do not exist: ${missing.join(', ')}`,
+                });
+            }
+        }
+        await this.#store.adminRoles.setRolesForUser(request.userId, request.roleIds);
+        // Return the freshly stored set, shaped — saves the editor a second
+        // round-trip and guards against any normalisation the repo might apply.
+        const stored = await this.#store.adminRoles.listRolesForUser(request.userId);
+        return { userId: request.userId, roles: stored.map(toAdminRole) };
+    }
+}
+//# sourceMappingURL=service.js.map

package/dist/modules/admin-roles/service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../../../src/modules/admin-roles/service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAA;AACtC,OAAO,EACL,kCAAkC,EAClC,wBAAwB,EACxB,6BAA6B,GAC9B,MAAM,aAAa,CAAA;AAepB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,OAAO,iBAAiB;IACnB,MAAM,CAAY;IAE3B,YAAY,IAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAA;IAC1B,CAAC;IAED,KAAK,CAAC,SAAS;QACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,CAAA;QAChD,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAA;IACzC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,OAA4B;QACxC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QAC5D,IAAI,CAAC,GAAG;YAAE,MAAM,wBAAwB,EAAE,CAAA;QAC1C,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAA+B;QAC9C,mEAAmE;QACnE,mEAAmE;QACnE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAA;QACpF,IAAI,QAAQ;YAAE,MAAM,kCAAkC,EAAE,CAAA;QAExD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;YAC9C,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI;YACxC,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAA;QACF,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAA+B;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QAChE,IAAI,CAAC,OAAO;YAAE,MAAM,wBAAwB,EAAE,CAAA;QAC9C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;QACvF,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAA+B;QAC9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QAC/D,IAAI,CAAC,MAAM;YAAE,MAAM,wBAAwB,EAAE,CAAA;QAC7C,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;IAC9D,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAiC;QAClD,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACnD,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAA+B;QACnD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QACjE,IAAI,CAAC,IAAI;YAAE,MAAM,6BAA6B,EAAE,CAAA;QAChD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QAC1E,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAA;IACjE,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,OAA+B;QACnD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QACjE,IAAI,CAAC,IAAI;YAAE,MAAM,6BAA6B,EAAE,CAAA;QAEhD,iEAAiE;QACjE,iEAAiE;QACjE,6DAA6D;QAC7D,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAC7B,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAChE,CAAA;YACD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAA;YAClE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACvB,MAAM,wBAAwB,CAAC;oBAC7B,OAAO,EAAE,8CAA8C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBAC5E,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,eAAe,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;QAC7E,oEAAoE;QACpE,wEAAwE;QACxE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QAC5E,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAA;IACnE,CAAC;CACF"}

package/dist/modules/admin-users/abilities.d.ts

@@ -0,0 +1,41 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AbilityRegistry } from '@byline/auth';
+/**
+ * Ability keys for the admin-users module.
+ *
+ * Dot-notation rather than Modulus' colon-notation — keeps one consistent
+ * hierarchy across the whole platform alongside `collections.<path>.<verb>`
+ * from core.
+ *
+ * `changePassword` is split out from `update` deliberately: setting
+ * someone else's password is a higher-trust operation than editing their
+ * profile fields, and the role editor UI benefits from naming it
+ * explicitly. A role can grant `update` without implicitly granting
+ * `changePassword`.
+ *
+ * Self-service (changing *own* password, email, etc.) does **not** use
+ * any of these keys. That flow lives in the separate `account` module
+ * where the actor is the target by definition; the `admin.users.*` keys
+ * are strictly for administering other admin users.
+ */
+export declare const ADMIN_USERS_ABILITIES: {
+    readonly read: "admin.users.read";
+    readonly create: "admin.users.create";
+    readonly update: "admin.users.update";
+    readonly delete: "admin.users.delete";
+    readonly changePassword: "admin.users.changePassword";
+};
+export type AdminUsersAbilityKey = (typeof ADMIN_USERS_ABILITIES)[keyof typeof ADMIN_USERS_ABILITIES];
+/**
+ * Register every admin-users ability with the framework's `AbilityRegistry`.
+ * Called from `registerAdminAbilities(registry)` at package level, which
+ * the webapp wires into `initBylineCore()`.
+ */
+export declare function registerAdminUsersAbilities(registry: AbilityRegistry): void;
+//# sourceMappingURL=abilities.d.ts.map

package/dist/modules/admin-users/abilities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"abilities.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-users/abilities.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAEnD;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,qBAAqB;;;;;;CAMxB,CAAA;AAEV,MAAM,MAAM,oBAAoB,GAC9B,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,OAAO,qBAAqB,CAAC,CAAA;AAEpE;;;;GAIG;AACH,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,eAAe,GAAG,IAAI,CA+B3E"}

package/dist/modules/admin-users/abilities.js

@@ -0,0 +1,70 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Ability keys for the admin-users module.
+ *
+ * Dot-notation rather than Modulus' colon-notation — keeps one consistent
+ * hierarchy across the whole platform alongside `collections.<path>.<verb>`
+ * from core.
+ *
+ * `changePassword` is split out from `update` deliberately: setting
+ * someone else's password is a higher-trust operation than editing their
+ * profile fields, and the role editor UI benefits from naming it
+ * explicitly. A role can grant `update` without implicitly granting
+ * `changePassword`.
+ *
+ * Self-service (changing *own* password, email, etc.) does **not** use
+ * any of these keys. That flow lives in the separate `account` module
+ * where the actor is the target by definition; the `admin.users.*` keys
+ * are strictly for administering other admin users.
+ */
+export const ADMIN_USERS_ABILITIES = {
+    read: 'admin.users.read',
+    create: 'admin.users.create',
+    update: 'admin.users.update',
+    delete: 'admin.users.delete',
+    changePassword: 'admin.users.changePassword',
+};
+/**
+ * Register every admin-users ability with the framework's `AbilityRegistry`.
+ * Called from `registerAdminAbilities(registry)` at package level, which
+ * the webapp wires into `initBylineCore()`.
+ */
+export function registerAdminUsersAbilities(registry) {
+    registry.register({
+        key: ADMIN_USERS_ABILITIES.read,
+        label: 'Read admin users',
+        group: 'admin.users',
+        source: 'admin',
+    });
+    registry.register({
+        key: ADMIN_USERS_ABILITIES.create,
+        label: 'Create admin users',
+        group: 'admin.users',
+        source: 'admin',
+    });
+    registry.register({
+        key: ADMIN_USERS_ABILITIES.update,
+        label: 'Update admin users',
+        group: 'admin.users',
+        source: 'admin',
+    });
+    registry.register({
+        key: ADMIN_USERS_ABILITIES.delete,
+        label: 'Delete admin users',
+        group: 'admin.users',
+        source: 'admin',
+    });
+    registry.register({
+        key: ADMIN_USERS_ABILITIES.changePassword,
+        label: "Change an admin user's password",
+        group: 'admin.users',
+        source: 'admin',
+    });
+}
+//# sourceMappingURL=abilities.js.map

package/dist/modules/admin-users/abilities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"abilities.js","sourceRoot":"","sources":["../../../src/modules/admin-users/abilities.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,IAAI,EAAE,kBAAkB;IACxB,MAAM,EAAE,oBAAoB;IAC5B,MAAM,EAAE,oBAAoB;IAC5B,MAAM,EAAE,oBAAoB;IAC5B,cAAc,EAAE,4BAA4B;CACpC,CAAA;AAKV;;;;GAIG;AACH,MAAM,UAAU,2BAA2B,CAAC,QAAyB;IACnE,QAAQ,CAAC,QAAQ,CAAC;QAChB,GAAG,EAAE,qBAAqB,CAAC,IAAI;QAC/B,KAAK,EAAE,kBAAkB;QACzB,KAAK,EAAE,aAAa;QACpB,MAAM,EAAE,OAAO;KAChB,CAAC,CAAA;IACF,QAAQ,CAAC,QAAQ,CAAC;QAChB,GAAG,EAAE,qBAAqB,CAAC,MAAM;QACjC,KAAK,EAAE,oBAAoB;QAC3B,KAAK,EAAE,aAAa;QACpB,MAAM,EAAE,OAAO;KAChB,CAAC,CAAA;IACF,QAAQ,CAAC,QAAQ,CAAC;QAChB,GAAG,EAAE,qBAAqB,CAAC,MAAM;QACjC,KAAK,EAAE,oBAAoB;QAC3B,KAAK,EAAE,aAAa;QACpB,MAAM,EAAE,OAAO;KAChB,CAAC,CAAA;IACF,QAAQ,CAAC,QAAQ,CAAC;QAChB,GAAG,EAAE,qBAAqB,CAAC,MAAM;QACjC,KAAK,EAAE,oBAAoB;QAC3B,KAAK,EAAE,aAAa;QACpB,MAAM,EAAE,OAAO;KAChB,CAAC,CAAA;IACF,QAAQ,CAAC,QAAQ,CAAC;QAChB,GAAG,EAAE,qBAAqB,CAAC,cAAc;QACzC,KAAK,EAAE,iCAAiC;QACxC,KAAK,EAAE,aAAa;QACpB,MAAM,EAAE,OAAO;KAChB,CAAC,CAAA;AACJ,CAAC"}