npm - @commonpub/layer - Versions diffs - 0.29.0 → 0.31.0 - Mend

@commonpub/layer 0.29.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (101) hide show

package/server/api/admin/homepage/sections.get.ts CHANGED Viewed

@@ -5,7 +5,7 @@ import { getHomepageSections } from '@commonpub/server';
  * Returns homepage sections for admin editing.
  */
 export default defineEventHandler(async (event) => {
-  requireAdmin(event);
+  requirePermission(event, 'layout.manage');
   const db = useDB();
   return getHomepageSections(db);
 });

package/server/api/admin/homepage/sections.put.ts CHANGED Viewed

@@ -34,7 +34,7 @@ const updateSectionsSchema = z.object({
  * Save homepage section configuration.
  */
 export default defineEventHandler(async (event) => {
-  const user = requireAdmin(event);
+  const user = requirePermission(event, 'layout.manage');
   const db = useDB();
   const body = await parseBody(event, updateSectionsSchema);

package/server/api/admin/layouts/[id]/publish.post.ts CHANGED Viewed

@@ -14,7 +14,7 @@ import { invalidateLayoutsByRouteCache } from '../../../../utils/layoutCache';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
   const id = getRouterParam(event, 'id');

package/server/api/admin/layouts/[id]/versions/[versionId]/revert.post.ts CHANGED Viewed

@@ -15,7 +15,7 @@ import { invalidateLayoutsByRouteCache } from '../../../../../../utils/layoutCac
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
   const id = getRouterParam(event, 'id');

package/server/api/admin/layouts/[id]/versions/index.get.ts CHANGED Viewed

@@ -12,7 +12,7 @@ import { getLayoutById, listLayoutVersions } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  requireAdmin(event);
+  requirePermission(event, 'layout.manage');
   const db = useDB();
   const id = getRouterParam(event, 'id');

package/server/api/admin/layouts/[id].delete.ts CHANGED Viewed

@@ -15,7 +15,7 @@ import { invalidateLayoutsByRouteCache } from '../../../utils/layoutCache';
 export default defineEventHandler(async (event): Promise<{ ok: true; id: string }> => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
   const id = getRouterParam(event, 'id');

package/server/api/admin/layouts/[id].get.ts CHANGED Viewed

@@ -11,7 +11,7 @@ import { getLayoutById } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  requireAdmin(event);
+  requirePermission(event, 'layout.manage');
   const id = getRouterParam(event, 'id');
   if (!id) {

package/server/api/admin/layouts/[id].put.ts CHANGED Viewed

@@ -27,7 +27,7 @@ import { validateSectionConfigs } from '../../../utils/validateSectionConfigs';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
   const id = getRouterParam(event, 'id');

package/server/api/admin/layouts/index.get.ts CHANGED Viewed

@@ -12,7 +12,7 @@ import { listLayouts } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  requireAdmin(event);
+  requirePermission(event, 'layout.manage');
   const db = useDB();
   const query = getQuery(event) as { scope?: string };

package/server/api/admin/layouts/index.post.ts CHANGED Viewed

@@ -19,7 +19,7 @@ import { validateSectionConfigs } from '../../../utils/validateSectionConfigs';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
   const body = await parseBody(event, layoutCreateSchema);

package/server/api/admin/layouts/migrate-homepage.post.ts CHANGED Viewed

@@ -38,7 +38,7 @@ const bodySchema = z.object({
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'layout.manage');
   const body = await readBody(event).catch(() => ({}));
   const { force } = bodySchema.parse(body ?? {});

package/server/api/admin/layouts/seed-homepage.post.ts CHANGED Viewed

@@ -24,7 +24,7 @@ import { invalidateLayoutsByRouteCache } from '../../../utils/layoutCache';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
   requireFeature('layoutEngine');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'layout.manage');
   const db = useDB();
   const result = await seedHomepageLayout(db, { adminId: admin.id });

package/server/api/admin/navigation/items.get.ts CHANGED Viewed

@@ -5,7 +5,7 @@ import { getNavItems } from '@commonpub/server';
  * Returns navigation items for admin editing.
  */
 export default defineEventHandler(async (event) => {
-  requireAdmin(event);
+  requirePermission(event, 'navigation.manage');
   const db = useDB();
   return getNavItems(db);
 });

package/server/api/admin/navigation/items.put.ts CHANGED Viewed

@@ -26,7 +26,7 @@ const updateNavSchema = z.object({
  * Save navigation item configuration.
  */
 export default defineEventHandler(async (event) => {
-  const user = requireAdmin(event);
+  const user = requirePermission(event, 'navigation.manage');
   const db = useDB();
   const body = await parseBody(event, updateNavSchema);

package/server/api/admin/reports/[id]/resolve.post.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import { resolveReportSchema } from '@commonpub/schema';
 export default defineEventHandler(async (event): Promise<void> => {
   requireFeature('admin');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'reports.review');
   const db = useDB();
   const { id } = parseParams(event, { id: 'uuid' });
   const input = await parseBody(event, resolveReportSchema);

package/server/api/admin/reports.get.ts CHANGED Viewed

@@ -10,7 +10,7 @@ const reportsQuerySchema = z.object({
 export default defineEventHandler(async (event): Promise<PaginatedResponse<ReportListItem>> => {
   requireFeature('admin');
-  requireAdmin(event);
+  requirePermission(event, 'reports.review');
   const db = useDB();
   const filters = parseQueryParams(event, reportsQuerySchema);

package/server/api/admin/search/reindex.post.ts CHANGED Viewed

@@ -10,7 +10,7 @@ import type { MeiliClient } from '@commonpub/server';
  */
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event);
-  requireAdmin(event);
+  requirePermission(event, 'search.manage');
   const meiliUrl = process.env.MEILI_URL;
   const meiliKey = process.env.MEILI_MASTER_KEY;

package/server/api/admin/settings.get.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { getInstanceSettings } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
-  requireAdmin(event);
+  requirePermission(event, 'settings.manage');
   const db = useDB();
   const config = useConfig();

package/server/api/admin/settings.put.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import { adminSettingSchema } from '@commonpub/schema';
 export default defineEventHandler(async (event): Promise<void> => {
   requireFeature('admin');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'settings.manage');
   const db = useDB();
   const input = await parseBody(event, adminSettingSchema);

package/server/api/admin/stats.get.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import type { PlatformStats } from '@commonpub/server';
 export default defineEventHandler(async (event): Promise<PlatformStats> => {
   requireFeature('admin');
-  requireAdmin(event);
+  requirePermission(event, 'audit.read');
   const db = useDB();
   return getPlatformStats(db);
 });

package/server/api/admin/storage/backfill-cdn-urls.post.ts CHANGED Viewed

@@ -34,7 +34,7 @@ function spacesHosts(): { origin: string; cdn: string } | null {
 export default defineEventHandler(async (event) => {
   requireAuth(event);
-  requireAdmin(event);
+  requirePermission(event, 'storage.manage');
   const hosts = spacesHosts();
   if (!hosts) {

package/server/api/admin/themes/[id].delete.ts CHANGED Viewed

@@ -13,7 +13,7 @@ import {
 export default defineEventHandler(async (event): Promise<{ ok: true; resetDefault: boolean }> => {
   requireFeature('admin');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'theme.manage');
   const db = useDB();
   const { id } = parseParams(event, { id: 'string' });

package/server/api/admin/themes/[id].get.ts CHANGED Viewed

@@ -7,7 +7,7 @@ import { getCustomTheme } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
-  requireAdmin(event);
+  requirePermission(event, 'theme.manage');
   const db = useDB();
   const { id } = parseParams(event, { id: 'string' });

package/server/api/admin/themes/[id].put.ts CHANGED Viewed

@@ -9,7 +9,7 @@ import { getCustomTheme, saveCustomTheme } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'theme.manage');
   const db = useDB();
   const { id } = parseParams(event, { id: 'string' });

package/server/api/admin/themes/discover.get.ts CHANGED Viewed

@@ -21,7 +21,7 @@ import { TOKEN_SPECS } from '@commonpub/ui';
 export default defineEventHandler((event) => {
   requireFeature('admin');
-  requireAdmin(event);
+  requirePermission(event, 'theme.manage');
   const defaults: Record<string, string> = {};
   for (const spec of TOKEN_SPECS) {

package/server/api/admin/themes/index.get.ts CHANGED Viewed

@@ -17,7 +17,7 @@ import { listCustomThemes } from '@commonpub/server';
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
-  requireAdmin(event);
+  requirePermission(event, 'theme.manage');
   const db = useDB();
   const config = useConfig();

package/server/api/admin/themes/index.post.ts CHANGED Viewed

@@ -12,7 +12,7 @@ const BUILT_IN_IDS = new Set(BUILT_IN_THEMES.map((t) => t.id));
 export default defineEventHandler(async (event) => {
   requireFeature('admin');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'theme.manage');
   const db = useDB();
   const input = await parseBody(event, customThemeSchema);

package/server/api/admin/users/[id]/role.put.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import { adminUpdateRoleSchema } from '@commonpub/schema';
 export default defineEventHandler(async (event): Promise<void> => {
   requireFeature('admin');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'users.manage');
   const db = useDB();
   const { id } = parseParams(event, { id: 'uuid' });
   const input = await parseBody(event, adminUpdateRoleSchema);

package/server/api/admin/users/[id]/status.put.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import { adminUpdateStatusSchema } from '@commonpub/schema';
 export default defineEventHandler(async (event): Promise<void> => {
   requireFeature('admin');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'users.manage');
   const db = useDB();
   const { id } = parseParams(event, { id: 'uuid' });
   const input = await parseBody(event, adminUpdateStatusSchema);

package/server/api/admin/users/[id].delete.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { deleteUser } from '@commonpub/server';
 export default defineEventHandler(async (event): Promise<void> => {
   requireFeature('admin');
-  const admin = requireAdmin(event);
+  const admin = requirePermission(event, 'users.delete');
   const db = useDB();
   const { id } = parseParams(event, { id: 'uuid' });

package/server/api/admin/users.get.ts CHANGED Viewed

@@ -10,7 +10,7 @@ const adminUsersQuerySchema = z.object({
 export default defineEventHandler(async (event): Promise<PaginatedResponse<UserListItem>> => {
   requireFeature('admin');
-  requireAdmin(event);
+  requirePermission(event, 'users.read');
   const db = useDB();
   const filters = parseQueryParams(event, adminUsersQuerySchema);

package/server/api/contests/[slug]/entries.get.ts CHANGED Viewed

@@ -6,6 +6,7 @@ const entriesQuerySchema = z.object({
   limit: z.coerce.number().int().min(1).max(100).optional(),
   offset: z.coerce.number().int().min(0).optional(),
   includeJudgeScores: z.coerce.boolean().optional(),
+  order: z.enum(['recent', 'rank']).optional(),
 });
 export default defineEventHandler(async (event): Promise<{ items: ContestEntryItem[]; total: number }> => {
@@ -29,13 +30,14 @@ export default defineEventHandler(async (event): Promise<{ items: ContestEntryIt
   if (user) {
     privileged =
       user.id === contest.createdById ||
-      user.role === 'admin' ||
+      hasPermission(event, 'contest.manage') ||
       (await isContestJudge(db, contest.id, user.id));
   }
   return listContestEntries(db, contest.id, {
     limit: query.limit,
     offset: query.offset,
+    orderBy: query.order,
     includeJudgeScores: privileged && query.includeJudgeScores,
     revealScores: shouldRevealScores(contest.judgingVisibility, contest.status, privileged),
   });

package/server/api/contests/[slug]/index.delete.ts CHANGED Viewed

@@ -12,7 +12,10 @@ export default defineEventHandler(async (event): Promise<{ deleted: boolean }> =
     throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
   }
-  const deleted = await deleteContest(db, contest.id, user.id);
+  // Owner OR a contest.manage holder (RBAC Phase 1) may delete. Flag-off this is
+  // owner-or-admin, byte-identical to before; flag-on a custom managing role works.
+  const canManage = ownerOrPermission(event, contest.createdById, 'contest.manage');
+  const deleted = await deleteContest(db, contest.id, user.id, canManage);
   if (!deleted) {
     throw createError({ statusCode: 403, statusMessage: 'Not authorized to delete this contest' });
   }

package/server/api/contests/[slug]/judges/[userId].delete.ts CHANGED Viewed

@@ -15,7 +15,7 @@ export default defineEventHandler(async (event) => {
   const contest = await getContestBySlug(db, slug);
   if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
-  if (contest.createdById !== user.id && user.role !== 'admin') {
+  if (!ownerOrPermission(event, contest.createdById, 'contest.manage')) {
     throw createError({ statusCode: 403, statusMessage: 'Only contest owner or admin can manage judges' });
   }

package/server/api/contests/[slug]/judges/index.post.ts CHANGED Viewed

@@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
   const contest = await getContestBySlug(db, slug);
   if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
-  if (contest.createdById !== user.id && user.role !== 'admin') {
+  if (!ownerOrPermission(event, contest.createdById, 'contest.manage')) {
     throw createError({ statusCode: 403, statusMessage: 'Only contest owner or admin can manage judges' });
   }

package/server/api/contests/[slug]/stakeholders/[userId].delete.ts CHANGED Viewed

@@ -14,7 +14,7 @@ export default defineEventHandler(async (event) => {
   const contest = await getContestBySlug(db, slug);
   if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
-  if (contest.createdById !== user.id && user.role !== 'admin') {
+  if (!ownerOrPermission(event, contest.createdById, 'contest.manage')) {
     throw createError({ statusCode: 403, statusMessage: 'Only the contest owner or admin can manage stakeholders' });
   }

package/server/api/contests/[slug]/stakeholders/index.get.ts CHANGED Viewed

@@ -13,7 +13,7 @@ export default defineEventHandler(async (event) => {
   const contest = await getContestBySlug(db, slug);
   if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
-  if (contest.createdById !== user.id && user.role !== 'admin') {
+  if (!ownerOrPermission(event, contest.createdById, 'contest.manage')) {
     throw createError({ statusCode: 403, statusMessage: 'Only the contest owner or admin can view stakeholders' });
   }

package/server/api/contests/[slug]/stakeholders/index.post.ts CHANGED Viewed

@@ -16,7 +16,7 @@ export default defineEventHandler(async (event) => {
   const contest = await getContestBySlug(db, slug);
   if (!contest) throw createError({ statusCode: 404, statusMessage: 'Contest not found' });
-  if (contest.createdById !== user.id && user.role !== 'admin') {
+  if (!ownerOrPermission(event, contest.createdById, 'contest.manage')) {
     throw createError({ statusCode: 403, statusMessage: 'Only the contest owner or admin can manage stakeholders' });
   }

package/server/api/docs/migrate-content.post.ts CHANGED Viewed

@@ -16,7 +16,7 @@ import { docsPages } from '@commonpub/schema';
 import { eq } from 'drizzle-orm';
 export default defineEventHandler(async (event) => {
-  requireAdmin(event);
+  requirePermission(event, 'content.editorial');
   const db = useDB();
   // Fetch all pages

package/server/api/events/[slug].delete.ts CHANGED Viewed

@@ -14,7 +14,7 @@ export default defineEventHandler(async (event) => {
   const existing = await getEventBySlug(db, slug);
   if (!existing) throw createError({ statusCode: 404, statusMessage: 'Event not found' });
-  const isAdmin = user.role === 'admin';
+  const isAdmin = hasPermission(event, 'event.manage');
   const deleted = await deleteEvent(db, existing.id, user.id, isAdmin);
   if (!deleted) throw createError({ statusCode: 403, statusMessage: 'Unauthorized' });

package/server/api/events/[slug].put.ts CHANGED Viewed

@@ -29,7 +29,7 @@ export default defineEventHandler(async (event) => {
   if (!slug) throw createError({ statusCode: 400, statusMessage: 'Missing slug' });
   const body = await parseBody(event, updateEventSchema);
-  const isAdmin = user.role === 'admin';
+  const isAdmin = hasPermission(event, 'event.manage');
   const result = await updateEvent(db, slug, user.id, body, isAdmin);
   if (!result) throw createError({ statusCode: 404, statusMessage: 'Event not found or unauthorized' });

package/server/api/layouts/by-route.get.ts CHANGED Viewed

@@ -71,7 +71,7 @@ export default defineEventHandler(async (event): Promise<PublicLayoutSlice | nul
   // requester's access tier so a layout served to a higher tier can't
   // leak via cache to a lower tier on the same path.
   const user = getOptionalUser(event);
-  const isAdmin = user?.role === 'admin';
+  const isAdmin = hasPermission(event, 'layout.manage');
   const tier: 'admin' | 'members' | 'anon' = isAdmin ? 'admin' : user ? 'members' : 'anon';
   const cacheKey = `${tier}:${path}`;

package/server/api/products/[id].delete.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { deleteProduct } from '@commonpub/server';
 export default defineEventHandler(async (event): Promise<{ deleted: boolean }> => {
   const db = useDB();
-  requireAdmin(event);
+  requirePermission(event, 'content.moderate');
   const { id } = parseParams(event, { id: 'uuid' });
   const deleted = await deleteProduct(db, id);

package/server/api/videos/categories/[id].delete.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import { deleteVideoCategory } from '@commonpub/server';
 export default defineEventHandler(async (event): Promise<{ success: boolean }> => {
-  requireAdmin(event);
+  requirePermission(event, 'categories.manage');
   const { id } = parseParams(event, { id: 'uuid' });

package/server/api/videos/categories/[id].put.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import type { VideoCategoryItem } from '@commonpub/server';
 import { createVideoCategorySchema } from '@commonpub/schema';
 export default defineEventHandler(async (event): Promise<VideoCategoryItem> => {
-  requireAdmin(event);
+  requirePermission(event, 'categories.manage');
   const { id } = parseParams(event, { id: 'uuid' });
   const input = await parseBody(event, createVideoCategorySchema.partial());

package/server/api/videos/categories.post.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import type { VideoCategoryItem } from '@commonpub/server';
 import { createVideoCategorySchema } from '@commonpub/schema';
 export default defineEventHandler(async (event): Promise<VideoCategoryItem> => {
-  requireAdmin(event);
+  requirePermission(event, 'categories.manage');
   const db = useDB();
   const input = await parseBody(event, createVideoCategorySchema);

package/server/middleware/auth.ts CHANGED Viewed

@@ -55,6 +55,26 @@ declare module 'h3' {
   }
 }
+/**
+ * Attach the user's resolved permissions to the request context (RBAC Phase 0).
+ * One cached Map hit on the hot path (30s TTL), like feature-flags-prime. Reads
+ * the userId from the already-enriched auth user. Fail-closed: on any error the
+ * context stays unset and the guards default-deny — but the admin floor still
+ * holds because `requirePermission` falls back to the enriched `user.role`
+ * (INV-2). No-op for anon requests. `resolvePermissions` is a Nitro auto-import.
+ */
+async function attachPermissions(event: import('h3').H3Event, auth: AuthLocals): Promise<void> {
+  if (!auth?.user?.id) return;
+  try {
+    // Pass the enriched role so the resolver skips its own users query (admin +
+    // flag-off paths do zero extra DB work) and stays consistent with enrichUser.
+    const primaryRole = (auth.user as unknown as { role?: string }).role;
+    event.context.cpubPermissions = await resolvePermissions(auth.user.id, primaryRole);
+  } catch {
+    // Leave unset — guards default-deny; admin floor survives via user.role.
+  }
+}
 /**
  * Enrich the session user with custom DB columns (role, username, status)
  * that Better Auth doesn't include by default.
@@ -89,6 +109,7 @@ export default defineEventHandler(async (event) => {
       const webHeaders = new Headers(headers as Record<string, string>);
       event.context.auth = await middleware.resolveSession(webHeaders);
       await enrichUser(event.context.auth);
+      await attachPermissions(event, event.context.auth);
     } catch {
       event.context.auth = { user: null, session: null };
     }
@@ -143,6 +164,7 @@ export default defineEventHandler(async (event) => {
     const webHeaders = new Headers(headers as Record<string, string>);
     event.context.auth = await middleware.resolveSession(webHeaders);
     await enrichUser(event.context.auth);
+    await attachPermissions(event, event.context.auth);
   } catch (err: unknown) {
     // DB error during session resolution — don't silently eat it for API routes
     if (pathname.startsWith('/api/')) {

package/server/utils/auth.ts CHANGED Viewed

@@ -22,12 +22,19 @@ export function requireAuth(event: H3Event): AuthUser {
   return auth.user as AuthUser;
 }
+/**
+ * Admin gate — the linchpin reimplemented (session 175, RBAC Phase 0) as
+ * `requirePermission(event, 'admin.access')`, routing all ~73 call sites through
+ * the permission machinery without changing any of them. `admin.access` is
+ * seeded ONLY to the admin role, and the resolver's admin-floor + flag-off
+ * legacy mapping make this bit-identical to the old `user.role === 'admin'`
+ * check (INV-1). The legacy 403 message is preserved verbatim.
+ *
+ * `requirePermission` is a Nitro auto-import (sibling util) — referenced without
+ * a static import so there's no import cycle with requirePermission.ts.
+ */
 export function requireAdmin(event: H3Event): AuthUser {
-  const user = requireAuth(event);
-  if (user.role !== 'admin') {
-    throw createError({ statusCode: 403, statusMessage: 'Admin access required' });
-  }
-  return user;
+  return requirePermission(event, 'admin.access', 'Admin access required');
 }
 export function getOptionalUser(event: H3Event): AuthUser | null {