npm - @byline/admin - Versions diffs - 2.4.0 → 2.4.1 - Mend

@byline/admin 2.4.0 → 2.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (177) hide show

package/dist/abilities.js +5 -24
package/dist/index.js +8 -30
package/dist/lib/assert-admin-actor.js +13 -74
package/dist/lib/create-command.js +6 -16
package/dist/modules/admin-account/commands.js +35 -24
package/dist/modules/admin-account/components/change-password.d.ts +8 -0
package/dist/modules/admin-account/components/change-password.js +192 -0
package/dist/modules/admin-account/components/change-password.module.js +8 -0
package/dist/modules/admin-account/components/change-password_module.css +27 -0
package/dist/modules/admin-account/components/container.d.ts +29 -0
package/dist/modules/admin-account/components/container.js +298 -0
package/dist/modules/admin-account/components/container.module.js +28 -0
package/dist/modules/admin-account/components/container_module.css +106 -0
package/dist/modules/admin-account/components/update.d.ts +8 -0
package/dist/modules/admin-account/components/update.js +207 -0
package/dist/modules/admin-account/components/update.module.js +8 -0
package/dist/modules/admin-account/components/update_module.css +27 -0
package/dist/modules/admin-account/errors.js +14 -45
package/dist/modules/admin-account/index.js +4 -34
package/dist/modules/admin-account/schemas.js +25 -59
package/dist/modules/admin-account/service.js +56 -61
package/dist/modules/admin-permissions/abilities.js +6 -24
package/dist/modules/admin-permissions/commands.js +42 -28
package/dist/modules/admin-permissions/components/inspector.d.ts +4 -0
package/dist/modules/admin-permissions/components/inspector.js +284 -0
package/dist/modules/admin-permissions/components/inspector.module.js +56 -0
package/dist/modules/admin-permissions/components/inspector_module.css +238 -0
package/dist/modules/admin-permissions/dto.js +3 -16
package/dist/modules/admin-permissions/errors.js +14 -27
package/dist/modules/admin-permissions/index.js +6 -26
package/dist/modules/admin-permissions/repository.js +1 -8
package/dist/modules/admin-permissions/schemas.js +33 -70
package/dist/modules/admin-permissions/service.js +88 -92
package/dist/modules/admin-roles/abilities.js +8 -30
package/dist/modules/admin-roles/commands.js +89 -55
package/dist/modules/admin-roles/components/create.d.ts +7 -0
package/dist/modules/admin-roles/components/create.js +177 -0
package/dist/modules/admin-roles/components/create.module.js +8 -0
package/dist/modules/admin-roles/components/create_module.css +27 -0
package/dist/modules/admin-roles/components/permissions.d.ts +10 -0
package/dist/modules/admin-roles/components/permissions.js +303 -0
package/dist/modules/admin-roles/components/permissions.module.js +44 -0
package/dist/modules/admin-roles/components/permissions_module.css +192 -0
package/dist/modules/admin-roles/components/update.d.ts +8 -0
package/dist/modules/admin-roles/components/update.js +166 -0
package/dist/modules/admin-roles/components/update.module.js +8 -0
package/dist/modules/admin-roles/components/update_module.css +27 -0
package/dist/modules/admin-roles/dto.js +3 -16
package/dist/modules/admin-roles/errors.js +16 -40
package/dist/modules/admin-roles/index.js +6 -26
package/dist/modules/admin-roles/repository.js +1 -8
package/dist/modules/admin-roles/schemas.js +41 -71
package/dist/modules/admin-roles/service.js +79 -82
package/dist/modules/admin-users/abilities.js +9 -38
package/dist/modules/admin-users/commands.js +92 -50
package/dist/modules/admin-users/components/create.d.ts +8 -0
package/dist/modules/admin-users/components/create.js +268 -0
package/dist/modules/admin-users/components/create.module.js +10 -0
package/dist/modules/admin-users/components/create_module.css +45 -0
package/dist/modules/admin-users/components/roles.d.ts +11 -0
package/dist/modules/admin-users/components/roles.js +148 -0
package/dist/modules/admin-users/components/roles.module.js +18 -0
package/dist/modules/admin-users/components/roles_module.css +75 -0
package/dist/modules/admin-users/components/set-password.d.ts +8 -0
package/dist/modules/admin-users/components/set-password.js +170 -0
package/dist/modules/admin-users/components/set-password.module.js +9 -0
package/dist/modules/admin-users/components/set-password_module.css +31 -0
package/dist/modules/admin-users/components/update.d.ts +8 -0
package/dist/modules/admin-users/components/update.js +254 -0
package/dist/modules/admin-users/components/update.module.js +9 -0
package/dist/modules/admin-users/components/update_module.css +34 -0
package/dist/modules/admin-users/dto.js +3 -18
package/dist/modules/admin-users/errors.js +17 -43
package/dist/modules/admin-users/index.js +7 -27
package/dist/modules/admin-users/repository.js +1 -8
package/dist/modules/admin-users/schemas.js +44 -75
package/dist/modules/admin-users/seed-super-admin.js +9 -34
package/dist/modules/admin-users/service.js +76 -91
package/dist/modules/auth/components/sign-in-form.d.ts +12 -0
package/dist/modules/auth/components/sign-in-form.js +115 -0
package/dist/modules/auth/components/sign-in-form.module.js +12 -0
package/dist/modules/auth/components/sign-in-form_module.css +41 -0
package/dist/modules/auth/index.js +3 -24
package/dist/modules/auth/jwt-session-provider.js +179 -149
package/dist/modules/auth/password.js +11 -53
package/dist/modules/auth/phc.js +21 -54
package/dist/modules/auth/refresh-tokens-repository.js +1 -8
package/dist/modules/auth/resolve-actor.js +6 -28
package/dist/services/admin-services-context.d.ts +16 -0
package/dist/services/admin-services-context.js +13 -0
package/dist/services/admin-services-types.d.ts +129 -0
package/dist/services/admin-services-types.js +1 -0
package/dist/store.js +1 -8
package/dist/vendor/noble-argon2/_blake.js +277 -45
package/dist/vendor/noble-argon2/_md.js +81 -136
package/dist/vendor/noble-argon2/_u64.js +65 -67
package/dist/vendor/noble-argon2/argon2.js +181 -342
package/dist/vendor/noble-argon2/blake2.js +252 -327
package/dist/vendor/noble-argon2/utils.js +110 -490
package/dist/vendor/noble-argon2/utils.js.LICENSE.txt +1 -0
package/package.json +89 -10
package/src/abilities.ts +32 -0
package/src/declarations.d.ts +4 -0
package/src/index.ts +39 -0
package/src/lib/assert-admin-actor.ts +90 -0
package/src/lib/create-command.ts +109 -0
package/src/modules/admin-account/commands.ts +76 -0
package/src/modules/admin-account/components/change-password.module.css +40 -0
package/src/modules/admin-account/components/change-password.tsx +232 -0
package/src/modules/admin-account/components/container.module.css +158 -0
package/src/modules/admin-account/components/container.tsx +229 -0
package/src/modules/admin-account/components/update.module.css +40 -0
package/src/modules/admin-account/components/update.tsx +263 -0
package/src/modules/admin-account/errors.ts +75 -0
package/src/modules/admin-account/index.ts +60 -0
package/src/modules/admin-account/schemas.ts +84 -0
package/src/modules/admin-account/service.ts +92 -0
package/src/modules/admin-permissions/abilities.ts +46 -0
package/src/modules/admin-permissions/commands.ts +103 -0
package/src/modules/admin-permissions/components/inspector.module.css +326 -0
package/src/modules/admin-permissions/components/inspector.tsx +298 -0
package/src/modules/admin-permissions/dto.ts +28 -0
package/src/modules/admin-permissions/errors.ts +57 -0
package/src/modules/admin-permissions/index.ts +72 -0
package/src/modules/admin-permissions/repository.ts +49 -0
package/src/modules/admin-permissions/schemas.ts +128 -0
package/src/modules/admin-permissions/service.ts +137 -0
package/src/modules/admin-roles/abilities.ts +62 -0
package/src/modules/admin-roles/commands.ts +161 -0
package/src/modules/admin-roles/components/create.module.css +40 -0
package/src/modules/admin-roles/components/create.tsx +218 -0
package/src/modules/admin-roles/components/permissions.module.css +279 -0
package/src/modules/admin-roles/components/permissions.tsx +396 -0
package/src/modules/admin-roles/components/update.module.css +40 -0
package/src/modules/admin-roles/components/update.tsx +218 -0
package/src/modules/admin-roles/dto.ts +30 -0
package/src/modules/admin-roles/errors.ts +76 -0
package/src/modules/admin-roles/index.ts +81 -0
package/src/modules/admin-roles/repository.ts +96 -0
package/src/modules/admin-roles/schemas.ts +139 -0
package/src/modules/admin-roles/service.ts +136 -0
package/src/modules/admin-users/abilities.ts +76 -0
package/src/modules/admin-users/commands.ts +157 -0
package/src/modules/admin-users/components/create.module.css +63 -0
package/src/modules/admin-users/components/create.tsx +323 -0
package/src/modules/admin-users/components/roles.module.css +119 -0
package/src/modules/admin-users/components/roles.tsx +172 -0
package/src/modules/admin-users/components/set-password.module.css +46 -0
package/src/modules/admin-users/components/set-password.tsx +199 -0
package/src/modules/admin-users/components/update.module.css +49 -0
package/src/modules/admin-users/components/update.tsx +328 -0
package/src/modules/admin-users/dto.ts +39 -0
package/src/modules/admin-users/errors.ts +84 -0
package/src/modules/admin-users/index.ts +91 -0
package/src/modules/admin-users/repository.ts +161 -0
package/src/modules/admin-users/schemas.ts +168 -0
package/src/modules/admin-users/seed-super-admin.ts +102 -0
package/src/modules/admin-users/service.ts +166 -0
package/src/modules/auth/components/sign-in-form.module.css +62 -0
package/src/modules/auth/components/sign-in-form.tsx +132 -0
package/src/modules/auth/index.ts +31 -0
package/src/modules/auth/jwt-session-provider.ts +301 -0
package/src/modules/auth/password.ts +94 -0
package/src/modules/auth/phc.ts +121 -0
package/src/modules/auth/refresh-tokens-repository.ts +74 -0
package/src/modules/auth/resolve-actor.ts +42 -0
package/src/services/admin-services-context.tsx +52 -0
package/src/services/admin-services-types.ts +177 -0
package/src/store.ts +32 -0
package/src/vendor/noble-argon2/LICENSE +21 -0
package/src/vendor/noble-argon2/README.md +87 -0
package/src/vendor/noble-argon2/_blake.ts +58 -0
package/src/vendor/noble-argon2/_md.ts +223 -0
package/src/vendor/noble-argon2/_u64.ts +118 -0
package/src/vendor/noble-argon2/argon2.ts +668 -0
package/src/vendor/noble-argon2/blake2.ts +583 -0
package/src/vendor/noble-argon2/utils.ts +849 -0

package/src/modules/admin-roles/components/permissions.module.css ADDED Viewed

@@ -0,0 +1,279 @@
+/**
+ * RolePermissions — inline per-role ability editor.
+ *
+ * Override handles:
+ *   .byline-role-permissions-wrap         — outer column container
+ *   .byline-role-permissions-toolbar      — top toolbar (mode toggle + count + actions)
+ *   .byline-role-permissions-counter      — "n of m selected/granted" line
+ *   .byline-role-permissions-counter-num  — bold number span
+ *   .byline-role-permissions-actions      — Cancel/Save cluster (right-aligned)
+ *   .byline-role-permissions-action       — Cancel/Save buttons
+ *   .byline-role-permissions-groups       — vertical group stack
+ *   .byline-role-permissions-group        — group card
+ *   .byline-role-permissions-group-head   — group header row
+ *   .byline-role-permissions-group-title  — group name + count line
+ *   .byline-role-permissions-group-name   — group display name
+ *   .byline-role-permissions-group-count  — n-of-m count text
+ *   .byline-role-permissions-group-buttons — Select-all/Clear cluster
+ *   .byline-role-permissions-grid         — ability checkbox grid
+ *   .byline-role-permissions-row          — single ability row
+ *   .byline-role-permissions-label        — clickable label
+ *   .byline-role-permissions-label-edit   — edit-mode cursor variant
+ *   .byline-role-permissions-label-head   — name + key pill row
+ *   .byline-role-permissions-label-name   — ability display name
+ *   .byline-role-permissions-key          — code pill (ability key)
+ *   .byline-role-permissions-description  — ability description
+ *   .byline-role-permissions-mode-toggle  — segmented View/Edit toggle
+ *   .byline-role-permissions-mode-button  — toggle button base
+ *   .byline-role-permissions-mode-button-active — active toggle button
+ *   .byline-role-permissions-mode-button-divider — left-border separator on the second button
+ *   .byline-role-permissions-mode-button-disabled — disabled-cursor modifier
+ */
+.wrap,
+:global(.byline-role-permissions-wrap) {
+  display: flex;
+  flex-direction: column;
+  gap: var(--spacing-12);
+  margin-bottom: var(--spacing-48);
+}
+.toolbar,
+:global(.byline-role-permissions-toolbar) {
+  display: flex;
+  flex-wrap: wrap;
+  align-items: center;
+  gap: var(--spacing-12);
+  padding: var(--spacing-12);
+  border: var(--border-width-thin) var(--border-style-solid) var(--gray-100);
+  background-color: var(--canvas-25);
+  border-radius: var(--border-radius-sm);
+}
+.counter,
+:global(.byline-role-permissions-counter) {
+  margin: 0;
+  font-size: var(--font-size-sm);
+}
+.counter-num,
+:global(.byline-role-permissions-counter-num) {
+  font-weight: var(--font-weight-medium);
+}
+.actions,
+:global(.byline-role-permissions-actions) {
+  margin-left: auto;
+  display: flex;
+  align-items: center;
+  gap: var(--spacing-8);
+}
+.action,
+:global(.byline-role-permissions-action) {
+  min-width: 4rem;
+}
+/*
+ * Checkbox shrink-fit — overrides the uikit Checkbox's `width: 100%`
+ * default container so the external label sits flush against the
+ * checkbox button. Replaces the `!w-auto` Tailwind utility we used
+ * pre-lift; with the component now in a published package, Tailwind's
+ * source scanner no longer sees that class string in the host so the
+ * rule was never generated and the label was being pushed to the right.
+ *
+ * `!important` is required — the uikit Checkbox sets `width: 100%`
+ * at the same specificity, so a plain rule loses to source-order. The
+ * pre-lift Tailwind class `!w-auto` carried `!important` via Tailwind's
+ * `!` prefix; this is the same effect, expressed in a CSS module.
+ */
+.checkbox-auto,
+:global(.byline-role-permissions-checkbox-auto) {
+  /* biome-ignore lint/complexity/noImportantStyles: see comment above */
+  width: auto !important;
+}
+.groups,
+:global(.byline-role-permissions-groups) {
+  display: flex;
+  flex-direction: column;
+  gap: var(--spacing-8);
+}
+.group,
+:global(.byline-role-permissions-group) {
+  border: var(--border-width-thin) var(--border-style-solid) var(--gray-100);
+  border-radius: var(--border-radius-sm);
+}
+.group-head,
+:global(.byline-role-permissions-group-head) {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: var(--spacing-12);
+  border-bottom: var(--border-width-thin) var(--border-style-solid) var(--gray-100);
+}
+.group-name,
+:global(.byline-role-permissions-group-name) {
+  font-weight: var(--font-weight-medium);
+}
+.group-count,
+:global(.byline-role-permissions-group-count) {
+  margin-left: var(--spacing-8);
+  font-size: var(--font-size-xs);
+}
+.group-buttons,
+:global(.byline-role-permissions-group-buttons) {
+  display: flex;
+  align-items: center;
+  gap: var(--spacing-4);
+}
+.grid,
+:global(.byline-role-permissions-grid) {
+  display: grid;
+  grid-template-columns: 1fr;
+  gap: var(--spacing-4);
+  padding: var(--spacing-12);
+}
+@media (min-width: 40rem) {
+  .grid,
+  :global(.byline-role-permissions-grid) {
+    grid-template-columns: 1fr 1fr;
+  }
+}
+.row,
+:global(.byline-role-permissions-row) {
+  display: flex;
+  align-items: flex-start;
+  gap: var(--spacing-8);
+  padding: var(--spacing-4) 0;
+}
+.label,
+:global(.byline-role-permissions-label) {
+  min-width: 0;
+  flex: 1 1 0;
+  cursor: default;
+}
+.label-edit,
+:global(.byline-role-permissions-label-edit) {
+  cursor: pointer;
+}
+.label-head,
+:global(.byline-role-permissions-label-head) {
+  display: flex;
+  align-items: center;
+  gap: var(--spacing-8);
+}
+.label-name,
+:global(.byline-role-permissions-label-name) {
+  font-size: var(--font-size-sm);
+  font-weight: var(--font-weight-medium);
+}
+.key,
+:global(.byline-role-permissions-key) {
+  background-color: var(--gray-100);
+  padding: 0.125rem 0.375rem;
+  font-size: var(--font-size-xs);
+  border-radius: var(--border-radius-sm);
+}
+.description,
+:global(.byline-role-permissions-description) {
+  margin-bottom: 0;
+  font-size: var(--font-size-xs);
+}
+.mode-toggle,
+:global(.byline-role-permissions-mode-toggle) {
+  display: inline-flex;
+  overflow: hidden;
+  border: var(--border-width-thin) var(--border-style-solid) var(--gray-200);
+  border-radius: var(--border-radius-sm);
+}
+.mode-button,
+:global(.byline-role-permissions-mode-button) {
+  padding: 0.125rem 0.625rem;
+  font-size: var(--font-size-xs);
+  background-color: transparent;
+  border: 0;
+  cursor: pointer;
+  transition: background-color 150ms ease;
+}
+.mode-button:hover,
+:global(.byline-role-permissions-mode-button):hover {
+  background-color: var(--gray-50);
+}
+.mode-button-active,
+:global(.byline-role-permissions-mode-button-active) {
+  background-color: var(--gray-100);
+  font-weight: var(--font-weight-medium);
+}
+.mode-button-divider,
+:global(.byline-role-permissions-mode-button-divider) {
+  border-left: var(--border-width-thin) var(--border-style-solid) var(--gray-200);
+}
+.mode-button-disabled,
+:global(.byline-role-permissions-mode-button-disabled) {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+:is([data-theme="dark"], :global(.dark)) {
+  .toolbar,
+  :global(.byline-role-permissions-toolbar) {
+    border-color: var(--gray-700);
+    background-color: var(--canvas-800);
+  }
+  .group,
+  :global(.byline-role-permissions-group) {
+    border-color: var(--gray-700);
+  }
+  .group-head,
+  :global(.byline-role-permissions-group-head) {
+    border-bottom-color: var(--gray-700);
+  }
+  .key,
+  :global(.byline-role-permissions-key) {
+    background-color: var(--canvas-800);
+  }
+  .mode-toggle,
+  :global(.byline-role-permissions-mode-toggle) {
+    border-color: var(--gray-700);
+  }
+  .mode-button:hover,
+  :global(.byline-role-permissions-mode-button):hover {
+    background-color: var(--canvas-700);
+  }
+  .mode-button-active,
+  :global(.byline-role-permissions-mode-button-active) {
+    background-color: var(--canvas-700);
+  }
+  .mode-button-divider,
+  :global(.byline-role-permissions-mode-button-divider) {
+    border-left-color: var(--gray-700);
+  }
+}

package/src/modules/admin-roles/components/permissions.tsx ADDED Viewed

@@ -0,0 +1,396 @@
+'use client'
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Inline per-role ability editor. Renders below the role-details
+ * header on the role detail page — full-width, no drawer.
+ *
+ * Mode-switched: defaults to **view** (checkboxes disabled, no edit
+ * affordances). Click Edit to switch to **edit** mode — checkboxes
+ * become interactive, per-group "Select all / Clear" buttons appear,
+ * and a Save button materialises once the selection diverges from the
+ * stored set. Cancel reverts the local set and returns to view mode.
+ *
+ * The View toggle is disabled while there are unsaved changes — this
+ * is the explicit-intent equivalent of a confirm dialog and keeps the
+ * UX honest about whether changes have been persisted.
+ *
+ * Vid-less by design (see Phase B notes): abilities live in
+ * `byline_admin_permissions`, not on the role row, so editing them
+ * does not bump the role's `vid`. Last-writer-wins on a per-role basis.
+ *
+ * Stable override handles: see `permissions.module.css`.
+ */
+import { useMemo, useState } from 'react'
+import { Alert, Button, Checkbox, LoaderEllipsis } from '@byline/ui/react'
+import cx from 'classnames'
+import { useBylineAdminServices } from '../../../services/admin-services-context.js'
+import styles from './permissions.module.css'
+import type {
+  AbilityDescriptorResponse,
+  AbilityGroupResponse,
+  ListRegisteredAbilitiesResponse,
+  SetRoleAbilitiesResponse,
+} from '../../admin-permissions/index.js'
+import type { AdminRoleResponse } from '../index.js'
+type Mode = 'view' | 'edit'
+interface RolePermissionsProps {
+  role: AdminRoleResponse
+  registered: ListRegisteredAbilitiesResponse
+  initialAbilities: string[]
+  onSaved?: (response: SetRoleAbilitiesResponse) => void
+}
+function setsEqual(a: ReadonlySet<string>, b: ReadonlySet<string>): boolean {
+  if (a.size !== b.size) return false
+  for (const item of a) if (!b.has(item)) return false
+  return true
+}
+interface GroupSectionProps {
+  group: AbilityGroupResponse
+  selected: ReadonlySet<string>
+  mode: Mode
+  saving: boolean
+  onToggle: (key: string, checked: boolean) => void
+  onSelectAll: (groupKeys: readonly string[]) => void
+  onClearAll: (groupKeys: readonly string[]) => void
+}
+function GroupSection({
+  group,
+  selected,
+  mode,
+  saving,
+  onToggle,
+  onSelectAll,
+  onClearAll,
+}: GroupSectionProps) {
+  const groupKeys = useMemo(() => group.abilities.map((a) => a.key), [group.abilities])
+  const selectedInGroup = groupKeys.filter((key) => selected.has(key)).length
+  const isEdit = mode === 'edit'
+  return (
+    <div className={cx('byline-role-permissions-group', styles.group)}>
+      <div className={cx('byline-role-permissions-group-head', styles['group-head'])}>
+        <div>
+          <span className={cx('byline-role-permissions-group-name', styles['group-name'])}>
+            {group.group}
+          </span>
+          <span
+            className={cx('muted', 'byline-role-permissions-group-count', styles['group-count'])}
+          >
+            {selectedInGroup} of {group.abilities.length} {isEdit ? 'selected' : 'granted'}
+          </span>
+        </div>
+        {isEdit ? (
+          <div className={cx('byline-role-permissions-group-buttons', styles['group-buttons'])}>
+            <Button
+              size="xs"
+              intent="secondary"
+              type="button"
+              disabled={saving || selectedInGroup === group.abilities.length}
+              onClick={() => onSelectAll(groupKeys)}
+            >
+              Select all
+            </Button>
+            <Button
+              size="xs"
+              intent="secondary"
+              type="button"
+              disabled={saving || selectedInGroup === 0}
+              onClick={() => onClearAll(groupKeys)}
+            >
+              Clear
+            </Button>
+          </div>
+        ) : null}
+      </div>
+      <div className={cx('byline-role-permissions-grid', styles.grid)}>
+        {group.abilities.map((ability: AbilityDescriptorResponse) => (
+          <div key={ability.key} className={cx('byline-role-permissions-row', styles.row)}>
+            <Checkbox
+              id={`ability-${ability.key}`}
+              name={`ability-${ability.key}`}
+              checked={selected.has(ability.key)}
+              disabled={!isEdit || saving}
+              onCheckedChange={(checked) => onToggle(ability.key, checked === true)}
+              // Override the uikit Checkbox container's `width: 100%` so it
+              // shrinks to its button width — otherwise the external label
+              // is pushed away by an empty 100%-wide container.
+              containerClasses={cx(
+                'byline-role-permissions-checkbox-auto',
+                styles['checkbox-auto']
+              )}
+              componentClasses={cx(
+                'byline-role-permissions-checkbox-auto',
+                styles['checkbox-auto']
+              )}
+            />
+            <label
+              htmlFor={`ability-${ability.key}`}
+              className={cx(
+                'byline-role-permissions-label',
+                styles.label,
+                isEdit && ['byline-role-permissions-label-edit', styles['label-edit']]
+              )}
+            >
+              <div className={cx('byline-role-permissions-label-head', styles['label-head'])}>
+                <span className={cx('byline-role-permissions-label-name', styles['label-name'])}>
+                  {ability.label}
+                </span>
+                <code className={cx('byline-role-permissions-key', styles.key)}>{ability.key}</code>
+              </div>
+              {ability.description ? (
+                <p
+                  className={cx('muted', 'byline-role-permissions-description', styles.description)}
+                >
+                  {ability.description}
+                </p>
+              ) : null}
+            </label>
+          </div>
+        ))}
+      </div>
+    </div>
+  )
+}
+export function RolePermissions({
+  role,
+  registered,
+  initialAbilities,
+  onSaved,
+}: RolePermissionsProps) {
+  const { setRoleAbilities } = useBylineAdminServices()
+  const [mode, setMode] = useState<Mode>('view')
+  const [initialSet, setInitialSet] = useState<ReadonlySet<string>>(() => new Set(initialAbilities))
+  const [selected, setSelected] = useState<Set<string>>(() => new Set(initialAbilities))
+  const [saving, setSaving] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+  const isDirty = !setsEqual(selected, initialSet)
+  const totalSelected = selected.size
+  function handleToggle(key: string, checked: boolean): void {
+    if (mode !== 'edit') return
+    setSelected((current) => {
+      const next = new Set(current)
+      if (checked) next.add(key)
+      else next.delete(key)
+      return next
+    })
+  }
+  function handleSelectAll(groupKeys: readonly string[]): void {
+    setSelected((current) => {
+      const next = new Set(current)
+      for (const key of groupKeys) next.add(key)
+      return next
+    })
+  }
+  function handleClearAll(groupKeys: readonly string[]): void {
+    setSelected((current) => {
+      const next = new Set(current)
+      for (const key of groupKeys) next.delete(key)
+      return next
+    })
+  }
+  function handleCancel(): void {
+    setSelected(new Set(initialSet))
+    setError(null)
+    setMode('view')
+  }
+  function handleEnterEdit(): void {
+    setError(null)
+    setMode('edit')
+  }
+  function handleEnterView(): void {
+    // Disabled while dirty (the toggle's `disabled` prop guards this) —
+    // belt-and-suspenders so a stray click can't slip through.
+    if (isDirty) return
+    setError(null)
+    setMode('view')
+  }
+  async function handleSave(): Promise<void> {
+    if (saving) return
+    setSaving(true)
+    setError(null)
+    try {
+      const response = await setRoleAbilities({
+        data: { id: role.id, abilities: Array.from(selected) },
+      })
+      // Reset baseline to the authoritative stored set — guards against
+      // any dedupe/normalisation the server might apply.
+      const storedSet = new Set(response.abilities)
+      setInitialSet(storedSet)
+      setSelected(new Set(storedSet))
+      onSaved?.(response)
+    } catch (err) {
+      const code = getErrorCode(err)
+      if (code === 'admin.permissions.roleNotFound') {
+        setError('This role no longer exists.')
+      } else if (code === 'admin.permissions.abilityUnregistered') {
+        setError(
+          'One or more selected abilities are no longer registered. Reload the page and try again.'
+        )
+      } else {
+        setError('Could not save permissions. Please try again.')
+      }
+    } finally {
+      setSaving(false)
+    }
+  }
+  const isEdit = mode === 'edit'
+  return (
+    <div className={cx('byline-role-permissions-wrap', styles.wrap)}>
+      <div className={cx('byline-role-permissions-toolbar', styles.toolbar)}>
+        <ModeToggle
+          mode={mode}
+          dirty={isDirty}
+          saving={saving}
+          onView={handleEnterView}
+          onEdit={handleEnterEdit}
+        />
+        <p className={cx('muted', 'byline-role-permissions-counter', styles.counter)}>
+          <span className={cx('byline-role-permissions-counter-num', styles['counter-num'])}>
+            {totalSelected}
+          </span>{' '}
+          of{' '}
+          <span className={cx('byline-role-permissions-counter-num', styles['counter-num'])}>
+            {registered.total}
+          </span>{' '}
+          {isEdit ? 'selected' : 'granted'} for {role.name}
+        </p>
+        {isEdit && isDirty ? (
+          <div className={cx('byline-role-permissions-actions', styles.actions)}>
+            <Button
+              type="button"
+              intent="secondary"
+              size="xs"
+              onClick={handleCancel}
+              disabled={saving}
+              className={cx('byline-role-permissions-action', styles.action)}
+            >
+              Cancel
+            </Button>
+            <Button
+              type="button"
+              intent="primary"
+              size="xs"
+              onClick={() => void handleSave()}
+              disabled={saving}
+              className={cx('byline-role-permissions-action', styles.action)}
+            >
+              {saving ? <LoaderEllipsis size={30} /> : 'Save'}
+            </Button>
+          </div>
+        ) : null}
+      </div>
+      {error ? <Alert intent="danger">{error}</Alert> : null}
+      <div className={cx('byline-role-permissions-groups', styles.groups)}>
+        {registered.groups.map((group) => (
+          <GroupSection
+            key={group.group}
+            group={group}
+            selected={selected}
+            mode={mode}
+            saving={saving}
+            onToggle={handleToggle}
+            onSelectAll={handleSelectAll}
+            onClearAll={handleClearAll}
+          />
+        ))}
+      </div>
+    </div>
+  )
+}
+interface ModeToggleProps {
+  mode: Mode
+  dirty: boolean
+  saving: boolean
+  onView: () => void
+  onEdit: () => void
+}
+function ModeToggle({ mode, dirty, saving, onView, onEdit }: ModeToggleProps) {
+  // Segmented two-state toggle. View is disabled while dirty so the
+  // user has to commit to Save or Cancel — avoids accidentally
+  // discarding a draft selection.
+  const isView = mode === 'view'
+  const isEdit = mode === 'edit'
+  const viewDisabled = dirty || saving
+  const editDisabled = saving
+  return (
+    <div
+      role="group"
+      aria-label="Permissions mode"
+      className={cx('byline-role-permissions-mode-toggle', styles['mode-toggle'])}
+    >
+      <button
+        type="button"
+        onClick={onView}
+        disabled={viewDisabled}
+        className={cx(
+          'byline-role-permissions-mode-button',
+          styles['mode-button'],
+          isView && ['byline-role-permissions-mode-button-active', styles['mode-button-active']],
+          viewDisabled &&
+            !isView && [
+              'byline-role-permissions-mode-button-disabled',
+              styles['mode-button-disabled'],
+            ]
+        )}
+      >
+        View
+      </button>
+      <button
+        type="button"
+        onClick={onEdit}
+        disabled={editDisabled}
+        className={cx(
+          'byline-role-permissions-mode-button',
+          'byline-role-permissions-mode-button-divider',
+          styles['mode-button'],
+          styles['mode-button-divider'],
+          isEdit && ['byline-role-permissions-mode-button-active', styles['mode-button-active']],
+          editDisabled &&
+            !isEdit && [
+              'byline-role-permissions-mode-button-disabled',
+              styles['mode-button-disabled'],
+            ]
+        )}
+      >
+        Edit
+      </button>
+    </div>
+  )
+}
+function getErrorCode(err: unknown): string | null {
+  return typeof (err as { code?: unknown })?.code === 'string'
+    ? (err as { code: string }).code
+    : null
+}

package/src/modules/admin-roles/components/update.module.css ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * UpdateAdminRole — drawer form for editing an existing role.
+ *
+ * Override handles:
+ *   .byline-role-update-wrap     — outer container
+ *   .byline-role-update-form     — vertical-stack form element
+ *   .byline-role-update-actions  — Cancel/Save row
+ *   .byline-role-update-action   — buttons in the actions row
+ */
+.wrap,
+:global(.byline-role-update-wrap) {
+  display: flex;
+  flex-direction: column;
+  gap: var(--spacing-8);
+  padding: var(--spacing-4);
+  margin-top: var(--spacing-4);
+}
+.form,
+:global(.byline-role-update-form) {
+  display: flex;
+  flex-direction: column;
+  gap: var(--spacing-16);
+  padding-top: var(--spacing-8);
+}
+.actions,
+:global(.byline-role-update-actions) {
+  display: flex;
+  align-items: center;
+  justify-content: flex-end;
+  gap: var(--spacing-8);
+  margin-top: var(--spacing-16);
+}
+.action,
+:global(.byline-role-update-action) {
+  min-width: 4rem;
+}