@datatechsolutions/ui 2.11.80 → 2.11.82

package/dist/chunk-UHHPBREK.mjs

@@ -0,0 +1,135 @@
+"use client";
+import { HttpResponseError } from '@datatechsolutions/shared-domain/common';
+
+// src/platform/windsock-admin-client.ts
+var _adminClient = null;
+var _issuer = null;
+var _authFetch = fetch;
+function setWindsockAdminClient(client, issuer, authFetch) {
+  _adminClient = client;
+  _issuer = issuer.replace(/\/$/, "");
+  _authFetch = authFetch;
+}
+function requireClient() {
+  if (!_adminClient) {
+    throw new Error("Windsock admin client not initialized \u2014 did providers mount?");
+  }
+  return _adminClient;
+}
+async function listUsers(params) {
+  return requireClient().listUsers(params);
+}
+async function createUser(data) {
+  return requireClient().createUser(data);
+}
+async function updateUser(userId, data) {
+  return requireClient().updateUser(userId, data);
+}
+async function deleteUser(userId) {
+  return requireClient().deleteUser(userId);
+}
+async function resetUserPassword(userId, password) {
+  return requireClient().resetUserPassword(userId, password);
+}
+async function listOrganizations() {
+  return requireClient().listOrganizations();
+}
+async function createOrganization(data) {
+  return requireClient().createOrganization(data);
+}
+async function updateOrganization(organizationId, data) {
+  return requireClient().updateOrganization(organizationId, data);
+}
+async function deleteOrganization(organizationId) {
+  return requireClient().deleteOrganization(organizationId);
+}
+async function listOrganizationMembers(organizationId) {
+  return requireClient().listOrganizationMembers(organizationId);
+}
+async function addOrganizationMember(organizationId, userId, role) {
+  return requireClient().addOrganizationMember(organizationId, userId, role);
+}
+async function removeOrganizationMember(organizationId, userId) {
+  return requireClient().removeOrganizationMember(organizationId, userId);
+}
+async function listOrganizationInvitations(organizationId) {
+  return requireClient().listOrganizationInvitations(organizationId);
+}
+async function createOrganizationInvitation(organizationId, data) {
+  return requireClient().createOrganizationInvitation(organizationId, data);
+}
+async function listOrganizationDomains(organizationId) {
+  return requireClient().listOrganizationDomains(organizationId);
+}
+async function addOrganizationDomain(organizationId, domain) {
+  return requireClient().addOrganizationDomain(organizationId, domain);
+}
+async function verifyOrganizationDomain(organizationId, domain) {
+  return requireClient().verifyOrganizationDomain(organizationId, domain);
+}
+async function listPermissions() {
+  return requireClient().listPermissions();
+}
+async function createPermission(data) {
+  return requireClient().createPermission(data);
+}
+async function updatePermission(permissionId, data) {
+  return requireClient().updatePermission(permissionId, data);
+}
+async function deletePermission(permissionId) {
+  return requireClient().deletePermission(permissionId);
+}
+async function getUserPermissions(userId) {
+  return requireClient().getUserPermissions(userId);
+}
+async function setUserPermissions(userId, permissionIds) {
+  return requireClient().setUserPermissions(userId, permissionIds);
+}
+async function secretsRequest(path, init) {
+  if (!_issuer) throw new Error("Windsock issuer not initialized");
+  const response = await _authFetch(`${_issuer}${path}`, {
+    ...init,
+    credentials: init?.credentials ?? "include",
+    headers: {
+      "Content-Type": "application/json",
+      ...init?.headers
+    }
+  });
+  if (response.status === 204) return void 0;
+  const payload = await response.json().catch(() => null);
+  if (!response.ok) {
+    const message = payload?.message ?? payload?.error ?? `HTTP ${response.status}: ${response.statusText}`;
+    throw new HttpResponseError(message, response.status);
+  }
+  if (payload && typeof payload === "object" && "success" in payload && payload.success && "data" in payload) {
+    return payload.data;
+  }
+  return payload;
+}
+async function listSecrets(organizationId) {
+  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets`);
+}
+async function getSecret(organizationId, secretId) {
+  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets/${encodeURIComponent(secretId)}`);
+}
+async function createSecret(organizationId, input) {
+  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets`, {
+    method: "POST",
+    body: JSON.stringify(input)
+  });
+}
+async function rotateSecret(organizationId, secretId, input) {
+  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets/${encodeURIComponent(secretId)}`, {
+    method: "PATCH",
+    body: JSON.stringify(input)
+  });
+}
+async function disableSecret(organizationId, secretId) {
+  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets/${encodeURIComponent(secretId)}`, {
+    method: "DELETE"
+  });
+}
+
+export { addOrganizationDomain, addOrganizationMember, createOrganization, createOrganizationInvitation, createPermission, createSecret, createUser, deleteOrganization, deletePermission, deleteUser, disableSecret, getSecret, getUserPermissions, listOrganizationDomains, listOrganizationInvitations, listOrganizationMembers, listOrganizations, listPermissions, listSecrets, listUsers, removeOrganizationMember, resetUserPassword, rotateSecret, setUserPermissions, setWindsockAdminClient, updateOrganization, updatePermission, updateUser, verifyOrganizationDomain };
+//# sourceMappingURL=chunk-UHHPBREK.mjs.map
+//# sourceMappingURL=chunk-UHHPBREK.mjs.map

package/dist/chunk-UHHPBREK.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/platform/windsock-admin-client.ts"],"names":[],"mappings":";;;AAqBA,IAAI,YAAA,GAAmC,IAAA;AACvC,IAAI,OAAA,GAAyB,IAAA;AAC7B,IAAI,UAAA,GAA2B,KAAA;AAExB,SAAS,sBAAA,CAAuB,MAAA,EAAqB,MAAA,EAAgB,SAAA,EAA+B;AACzG,EAAA,YAAA,GAAe,MAAA;AACf,EAAA,OAAA,GAAU,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAClC,EAAA,UAAA,GAAa,SAAA;AACf;AAEA,SAAS,aAAA,GAA6B;AACpC,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,MAAM,IAAI,MAAM,mEAA8D,CAAA;AAAA,EAChF;AACA,EAAA,OAAO,YAAA;AACT;AAGA,eAAsB,UAAU,MAAA,EAAsE;AACpG,EAAA,OAAO,aAAA,EAAc,CAAE,SAAA,CAAU,MAAM,CAAA;AACzC;AACA,eAAsB,WAAW,IAAA,EAAuD;AACtF,EAAA,OAAO,aAAA,EAAc,CAAE,UAAA,CAAW,IAAI,CAAA;AACxC;AACA,eAAsB,UAAA,CAAW,QAAgB,IAAA,EAA2C;AAC1F,EAAA,OAAO,aAAA,EAAc,CAAE,UAAA,CAAW,MAAA,EAAQ,IAAI,CAAA;AAChD;AACA,eAAsB,WAAW,MAAA,EAA+B;AAC9D,EAAA,OAAO,aAAA,EAAc,CAAE,UAAA,CAAW,MAAM,CAAA;AAC1C;AACA,eAAsB,iBAAA,CAAkB,QAAgB,QAAA,EAAiC;AACvF,EAAA,OAAO,aAAA,EAAc,CAAE,iBAAA,CAAkB,MAAA,EAAQ,QAAQ,CAAA;AAC3D;AAGA,eAAsB,iBAAA,GAAiD;AACrE,EAAA,OAAO,aAAA,GAAgB,iBAAA,EAAkB;AAC3C;AACA,eAAsB,mBAAmB,IAAA,EAA+D;AACtG,EAAA,OAAO,aAAA,EAAc,CAAE,kBAAA,CAAmB,IAAI,CAAA;AAChD;AACA,eAAsB,kBAAA,CAAmB,gBAAwB,IAAA,EAA+D;AAC9H,EAAA,OAAO,aAAA,EAAc,CAAE,kBAAA,CAAmB,cAAA,EAAgB,IAAI,CAAA;AAChE;AACA,eAAsB,mBAAmB,cAAA,EAAuC;AAC9E,EAAA,OAAO,aAAA,EAAc,CAAE,kBAAA,CAAmB,cAAc,CAAA;AAC1D;AAGA,eAAsB,wBAAwB,cAAA,EAA4D;AACxG,EAAA,OAAO,aAAA,EAAc,CAAE,uBAAA,CAAwB,cAAc,CAAA;AAC/D;AACA,eAAsB,qBAAA,CAAsB,cAAA,EAAwB,MAAA,EAAgB,IAAA,EAA4C;AAC9H,EAAA,OAAO,aAAA,EAAc,CAAE,qBAAA,CAAsB,cAAA,EAAgB,QAAQ,IAAI,CAAA;AAC3E;AACA,eAAsB,wBAAA,CAAyB,gBAAwB,MAAA,EAA+B;AACpG,EAAA,OAAO,aAAA,EAAc,CAAE,wBAAA,CAAyB,cAAA,EAAgB,MAAM,CAAA;AACxE;AAGA,eAAsB,4BAA4B,cAAA,EAA+D;AAC/G,EAAA,OAAO,aAAA,EAAc,CAAE,2BAAA,CAA4B,cAAc,CAAA;AACnE;AACA,eAAsB,4BAAA,CAA6B,gBAAwB,IAAA,EAAiD;AAC1H,EAAA,OAAO,aAAA,EAAc,CAAE,4BAAA,CAA6B,cAAA,EAAgB,IAAI,CAAA;AAC1E;AAGA,eAAsB,wBAAwB,cAAA,EAA2D;AACvG,EAAA,OAAO,aAAA,EAAc,CAAE,uBAAA,CAAwB,cAAc,CAAA;AAC/D;AACA,eAAsB,qBAAA,CAAsB,gBAAwB,MAAA,EAAiD;AACnH,EAAA,OAAO,aAAA,EAAc,CAAE,qBAAA,CAAsB,cAAA,EAAgB,MAAM,CAAA;AACrE;AACA,eAAsB,wBAAA,CAAyB,gBAAwB,MAAA,EAA+B;AACpG,EAAA,OAAO,aAAA,EAAc,CAAE,wBAAA,CAAyB,cAAA,EAAgB,MAAM,CAAA;AACxE;AAGA,eAAsB,eAAA,GAA8C;AAClE,EAAA,OAAO,aAAA,GAAgB,eAAA,EAAgB;AACzC;AACA,eAAsB,iBAAiB,IAAA,EAA4D;AACjG,EAAA,OAAO,aAAA,EAAc,CAAE,gBAAA,CAAiB,IAAI,CAAA;AAC9C;AACA,eAAsB,gBAAA,CAAiB,cAAsB,IAAA,EAAiD;AAC5G,EAAA,OAAO,aAAA,EAAc,CAAE,gBAAA,CAAiB,YAAA,EAAc,IAAI,CAAA;AAC5D;AACA,eAAsB,iBAAiB,YAAA,EAAqC;AAC1E,EAAA,OAAO,aAAA,EAAc,CAAE,gBAAA,CAAiB,YAAY,CAAA;AACtD;AACA,eAAsB,mBAAmB,MAAA,EAA4C;AACnF,EAAA,OAAO,aAAA,EAAc,CAAE,kBAAA,CAAmB,MAAM,CAAA;AAClD;AACA,eAAsB,kBAAA,CAAmB,QAAgB,aAAA,EAAwC;AAC/F,EAAA,OAAO,aAAA,EAAc,CAAE,kBAAA,CAAmB,MAAA,EAAQ,aAAa,CAAA;AACjE;AAgCA,eAAe,cAAA,CAAkB,MAAc,IAAA,EAAgC;AAC7E,EAAA,IAAI,CAAC,OAAA,EAAS,MAAM,IAAI,MAAM,iCAAiC,CAAA;AAC/D,EAAA,MAAM,WAAW,MAAM,UAAA,CAAW,GAAG,OAAO,CAAA,EAAG,IAAI,CAAA,CAAA,EAAI;AAAA,IACrD,GAAG,IAAA;AAAA,IACH,WAAA,EAAa,MAAM,WAAA,IAAe,SAAA;AAAA,IAClC,OAAA,EAAS;AAAA,MACP,cAAA,EAAgB,kBAAA;AAAA,MAChB,GAAI,IAAA,EAAM;AAAA;AACZ,GACD,CAAA;AACD,EAAA,IAAI,QAAA,CAAS,MAAA,KAAW,GAAA,EAAK,OAAO,MAAA;AACpC,EAAA,MAAM,UAAU,MAAM,QAAA,CAAS,MAAK,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AACtD,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,MAAM,OAAA,GAAW,OAAA,EAAkD,OAAA,IAC7D,OAAA,EAAgC,KAAA,IACjC,QAAQ,QAAA,CAAS,MAAM,CAAA,EAAA,EAAK,QAAA,CAAS,UAAU,CAAA,CAAA;AACpD,IAAA,MAAM,IAAI,iBAAA,CAAkB,OAAA,EAAS,QAAA,CAAS,MAAM,CAAA;AAAA,EACtD;AACA,EAAA,IAAI,OAAA,IAAW,OAAO,OAAA,KAAY,QAAA,IAAY,aAAa,OAAA,IAAY,OAAA,CAAiC,OAAA,IAAW,MAAA,IAAU,OAAA,EAAS;AACpI,IAAA,OAAQ,OAAA,CAAwB,IAAA;AAAA,EAClC;AACA,EAAA,OAAO,OAAA;AACT;AAEA,eAAsB,YAAY,cAAA,EAAkD;AAClF,EAAA,OAAO,cAAA,CAAe,CAAA,eAAA,EAAkB,kBAAA,CAAmB,cAAc,CAAC,CAAA,QAAA,CAAU,CAAA;AACtF;AAEA,eAAsB,SAAA,CAAU,gBAAwB,QAAA,EAAyC;AAC/F,EAAA,OAAO,cAAA,CAAe,kBAAkB,kBAAA,CAAmB,cAAc,CAAC,CAAA,SAAA,EAAY,kBAAA,CAAmB,QAAQ,CAAC,CAAA,CAAE,CAAA;AACtH;AAEA,eAAsB,YAAA,CAAa,gBAAwB,KAAA,EAAkD;AAC3G,EAAA,OAAO,cAAA,CAAe,CAAA,eAAA,EAAkB,kBAAA,CAAmB,cAAc,CAAC,CAAA,QAAA,CAAA,EAAY;AAAA,IACpF,MAAA,EAAQ,MAAA;AAAA,IACR,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,KAAK;AAAA,GAC3B,CAAA;AACH;AAEA,eAAsB,YAAA,CAAa,cAAA,EAAwB,QAAA,EAAkB,KAAA,EAAkD;AAC7H,EAAA,OAAO,cAAA,CAAe,kBAAkB,kBAAA,CAAmB,cAAc,CAAC,CAAA,SAAA,EAAY,kBAAA,CAAmB,QAAQ,CAAC,CAAA,CAAA,EAAI;AAAA,IACpH,MAAA,EAAQ,OAAA;AAAA,IACR,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,KAAK;AAAA,GAC3B,CAAA;AACH;AAEA,eAAsB,aAAA,CAAc,gBAAwB,QAAA,EAAiC;AAC3F,EAAA,OAAO,cAAA,CAAe,kBAAkB,kBAAA,CAAmB,cAAc,CAAC,CAAA,SAAA,EAAY,kBAAA,CAAmB,QAAQ,CAAC,CAAA,CAAA,EAAI;AAAA,IACpH,MAAA,EAAQ;AAAA,GACT,CAAA;AACH","file":"chunk-UHHPBREK.mjs","sourcesContent":["import type {\n  AdminClient,\n  AdminUserSummary,\n  AdminListParams,\n  AdminListResult,\n  AdminCreateUserInput,\n  AdminUpdateUserInput,\n  AdminCreateOrganizationInput,\n  AdminUpdateOrganizationInput,\n  AdminOrganizationMember,\n  AdminCreatePermissionInput,\n  AdminUpdatePermissionInput,\n  AdminCreateInvitationInput,\n  AdminPermission,\n  AuthOrganization,\n  AuthOrganizationDomain,\n  AuthOrganizationInvitation,\n  AuthOrganizationRole,\n} from '@datatechsolutions/shared-domain'\nimport { HttpResponseError } from '@datatechsolutions/shared-domain/common'\n\nlet _adminClient: AdminClient | null = null\nlet _issuer: string | null = null\nlet _authFetch: typeof fetch = fetch\n\nexport function setWindsockAdminClient(client: AdminClient, issuer: string, authFetch: typeof fetch): void {\n  _adminClient = client\n  _issuer = issuer.replace(/\\/$/, '')\n  _authFetch = authFetch\n}\n\nfunction requireClient(): AdminClient {\n  if (!_adminClient) {\n    throw new Error('Windsock admin client not initialized — did providers mount?')\n  }\n  return _adminClient\n}\n\n// ── Users ──────────────────────────────────────────────────────────────────\nexport async function listUsers(params?: AdminListParams): Promise<AdminListResult<AdminUserSummary>> {\n  return requireClient().listUsers(params)\n}\nexport async function createUser(data: AdminCreateUserInput): Promise<AdminUserSummary> {\n  return requireClient().createUser(data)\n}\nexport async function updateUser(userId: string, data: AdminUpdateUserInput): Promise<void> {\n  return requireClient().updateUser(userId, data)\n}\nexport async function deleteUser(userId: string): Promise<void> {\n  return requireClient().deleteUser(userId)\n}\nexport async function resetUserPassword(userId: string, password: string): Promise<void> {\n  return requireClient().resetUserPassword(userId, password)\n}\n\n// ── Organizations ──────────────────────────────────────────────────────────\nexport async function listOrganizations(): Promise<AuthOrganization[]> {\n  return requireClient().listOrganizations()\n}\nexport async function createOrganization(data: AdminCreateOrganizationInput): Promise<AuthOrganization> {\n  return requireClient().createOrganization(data)\n}\nexport async function updateOrganization(organizationId: string, data: AdminUpdateOrganizationInput): Promise<AuthOrganization> {\n  return requireClient().updateOrganization(organizationId, data)\n}\nexport async function deleteOrganization(organizationId: string): Promise<void> {\n  return requireClient().deleteOrganization(organizationId)\n}\n\n// ── Organization Members ───────────────────────────────────────────────────\nexport async function listOrganizationMembers(organizationId: string): Promise<AdminOrganizationMember[]> {\n  return requireClient().listOrganizationMembers(organizationId)\n}\nexport async function addOrganizationMember(organizationId: string, userId: string, role?: AuthOrganizationRole): Promise<void> {\n  return requireClient().addOrganizationMember(organizationId, userId, role)\n}\nexport async function removeOrganizationMember(organizationId: string, userId: string): Promise<void> {\n  return requireClient().removeOrganizationMember(organizationId, userId)\n}\n\n// ── Organization Invitations ───────────────────────────────────────────────\nexport async function listOrganizationInvitations(organizationId: string): Promise<AuthOrganizationInvitation[]> {\n  return requireClient().listOrganizationInvitations(organizationId)\n}\nexport async function createOrganizationInvitation(organizationId: string, data: AdminCreateInvitationInput): Promise<void> {\n  return requireClient().createOrganizationInvitation(organizationId, data)\n}\n\n// ── Organization Domains ───────────────────────────────────────────────────\nexport async function listOrganizationDomains(organizationId: string): Promise<AuthOrganizationDomain[]> {\n  return requireClient().listOrganizationDomains(organizationId)\n}\nexport async function addOrganizationDomain(organizationId: string, domain: string): Promise<AuthOrganizationDomain> {\n  return requireClient().addOrganizationDomain(organizationId, domain)\n}\nexport async function verifyOrganizationDomain(organizationId: string, domain: string): Promise<void> {\n  return requireClient().verifyOrganizationDomain(organizationId, domain)\n}\n\n// ── Permissions ────────────────────────────────────────────────────────────\nexport async function listPermissions(): Promise<AdminPermission[]> {\n  return requireClient().listPermissions()\n}\nexport async function createPermission(data: AdminCreatePermissionInput): Promise<AdminPermission> {\n  return requireClient().createPermission(data)\n}\nexport async function updatePermission(permissionId: string, data: AdminUpdatePermissionInput): Promise<void> {\n  return requireClient().updatePermission(permissionId, data)\n}\nexport async function deletePermission(permissionId: string): Promise<void> {\n  return requireClient().deletePermission(permissionId)\n}\nexport async function getUserPermissions(userId: string): Promise<AdminPermission[]> {\n  return requireClient().getUserPermissions(userId)\n}\nexport async function setUserPermissions(userId: string, permissionIds: string[]): Promise<void> {\n  return requireClient().setUserPermissions(userId, permissionIds)\n}\n\n// ── Secrets (not in AdminClient SDK — windsock_org_secrets handler) ────────\n\nexport type SecretSummary = {\n  secretId: string\n  name: string\n  secretType: string\n  description: string | null\n  expiresAt: string | null\n  createdAt: string\n  updatedAt: string\n  disabled: boolean\n}\n\nexport type SecretDetail = SecretSummary & {\n  value?: string\n}\n\nexport type CreateSecretInput = {\n  name: string\n  value: string\n  secretType?: string\n  description?: string\n  leaseTtlSeconds?: number\n}\n\nexport type UpdateSecretInput = {\n  value: string\n  leaseTtlSeconds?: number\n}\n\nasync function secretsRequest<T>(path: string, init?: RequestInit): Promise<T> {\n  if (!_issuer) throw new Error('Windsock issuer not initialized')\n  const response = await _authFetch(`${_issuer}${path}`, {\n    ...init,\n    credentials: init?.credentials ?? 'include',\n    headers: {\n      'Content-Type': 'application/json',\n      ...(init?.headers as Record<string, string> | undefined),\n    },\n  })\n  if (response.status === 204) return undefined as T\n  const payload = await response.json().catch(() => null)\n  if (!response.ok) {\n    const message = (payload as { error?: string; message?: string })?.message\n      ?? (payload as { error?: string })?.error\n      ?? `HTTP ${response.status}: ${response.statusText}`\n    throw new HttpResponseError(message, response.status)\n  }\n  if (payload && typeof payload === 'object' && 'success' in payload && (payload as { success: boolean }).success && 'data' in payload) {\n    return (payload as { data: T }).data\n  }\n  return payload as T\n}\n\nexport async function listSecrets(organizationId: string): Promise<SecretSummary[]> {\n  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets`)\n}\n\nexport async function getSecret(organizationId: string, secretId: string): Promise<SecretDetail> {\n  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets/${encodeURIComponent(secretId)}`)\n}\n\nexport async function createSecret(organizationId: string, input: CreateSecretInput): Promise<SecretSummary> {\n  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets`, {\n    method: 'POST',\n    body: JSON.stringify(input),\n  })\n}\n\nexport async function rotateSecret(organizationId: string, secretId: string, input: UpdateSecretInput): Promise<SecretSummary> {\n  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets/${encodeURIComponent(secretId)}`, {\n    method: 'PATCH',\n    body: JSON.stringify(input),\n  })\n}\n\nexport async function disableSecret(organizationId: string, secretId: string): Promise<void> {\n  return secretsRequest(`/organizations/${encodeURIComponent(organizationId)}/secrets/${encodeURIComponent(secretId)}`, {\n    method: 'DELETE',\n  })\n}\n"]}

package/dist/chunk-ZJPNP2YW.mjs

@@ -0,0 +1,44 @@
+"use client";
+// src/platform/rbac.ts
+function matchPermission(pattern, target) {
+  if (pattern === "*") return true;
+  if (pattern === target) return true;
+  const patternParts = pattern.split(":");
+  const targetParts = target.split(":");
+  for (let i = 0; i < patternParts.length; i++) {
+    if (patternParts[i] === "*") return true;
+    if (patternParts[i] !== targetParts[i]) return false;
+  }
+  return patternParts.length === targetParts.length;
+}
+function createPlatformRbac(opts) {
+  const ROLE_DEFINITIONS = opts.roles;
+  const MODULE_PERMISSIONS = opts.modulePermissions ?? {};
+  const PERMISSION_CLAIMS_MAP = opts.permissionClaimsMap;
+  const knownRoles = Object.keys(ROLE_DEFINITIONS);
+  const fallbackRole = opts.defaultRole ?? knownRoles[0];
+  function normalizePlatformRole(input) {
+    if (typeof input === "string" && input in ROLE_DEFINITIONS) {
+      return input;
+    }
+    return fallbackRole;
+  }
+  function can(user, permission) {
+    if (!user) return false;
+    const userClaims = user.permissions ?? [];
+    const requiredClaims = PERMISSION_CLAIMS_MAP[permission] ?? [];
+    return requiredClaims.some(
+      (claim) => userClaims.some((userClaim) => matchPermission(userClaim, claim))
+    );
+  }
+  return {
+    ROLE_DEFINITIONS,
+    MODULE_PERMISSIONS,
+    normalizePlatformRole,
+    can
+  };
+}
+
+export { createPlatformRbac };
+//# sourceMappingURL=chunk-ZJPNP2YW.mjs.map
+//# sourceMappingURL=chunk-ZJPNP2YW.mjs.map

package/dist/chunk-ZJPNP2YW.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/platform/rbac.ts"],"names":[],"mappings":";AAiDA,SAAS,eAAA,CAAgB,SAAiB,MAAA,EAAyB;AACjE,EAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAC5B,EAAA,IAAI,OAAA,KAAY,QAAQ,OAAO,IAAA;AAC/B,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,KAAA,CAAM,GAAG,CAAA;AACtC,EAAA,MAAM,WAAA,GAAc,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA;AACpC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,QAAQ,CAAA,EAAA,EAAK;AAC5C,IAAA,IAAI,YAAA,CAAa,CAAC,CAAA,KAAM,GAAA,EAAK,OAAO,IAAA;AACpC,IAAA,IAAI,aAAa,CAAC,CAAA,KAAM,WAAA,CAAY,CAAC,GAAG,OAAO,KAAA;AAAA,EACjD;AACA,EAAA,OAAO,YAAA,CAAa,WAAW,WAAA,CAAY,MAAA;AAC7C;AAEO,SAAS,mBAGd,IAAA,EAAuF;AACvF,EAAA,MAAM,mBAAmB,IAAA,CAAK,KAAA;AAC9B,EAAA,MAAM,kBAAA,GAAqB,IAAA,CAAK,iBAAA,IAAsB,EAAC;AACvD,EAAA,MAAM,wBAAwB,IAAA,CAAK,mBAAA;AAInC,EAAA,MAAM,UAAA,GAAa,MAAA,CAAO,IAAA,CAAK,gBAAgB,CAAA;AAC/C,EAAA,MAAM,YAAA,GAAsB,IAAA,CAAK,WAAA,IAAgB,UAAA,CAAW,CAAC,CAAA;AAE7D,EAAA,SAAS,sBAAsB,KAAA,EAAuB;AACpD,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAa,KAAA,IAAmB,gBAAA,EAAkB;AACrE,MAAA,OAAO,KAAA;AAAA,IACT;AACA,IAAA,OAAO,YAAA;AAAA,EACT;AAEA,EAAA,SAAS,GAAA,CAAI,MAAuB,UAAA,EAAkC;AACpE,IAAA,IAAI,CAAC,MAAM,OAAO,KAAA;AAClB,IAAA,MAAM,UAAA,GAAc,IAAA,CAAK,WAAA,IAAe,EAAC;AAEzC,IAAA,MAAM,cAAA,GAAiB,qBAAA,CAAsB,UAAU,CAAA,IAAK,EAAC;AAC7D,IAAA,OAAO,cAAA,CAAe,IAAA;AAAA,MAAK,CAAC,UAC1B,UAAA,CAAW,IAAA,CAAK,CAAC,SAAA,KAAc,eAAA,CAAgB,SAAA,EAAW,KAAK,CAAC;AAAA,KAClE;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA,qBAAA;AAAA,IACA;AAAA,GACF;AACF","file":"chunk-ZJPNP2YW.mjs","sourcesContent":["import type { AuthUser } from '@datatechsolutions/windsock/client'\n\n/**\n * Generic role-based access factory shared across platform apps (astrlabe,\n * kori-erp, etc). Each app instantiates this with its own role + permission\n * unions and seed-claim mapping. The factory closes over the config and\n * exports `ROLE_DEFINITIONS`, `MODULE_PERMISSIONS`, `normalizePlatformRole`,\n * and `can()` — the same surface the per-app file used to expose.\n *\n * The factory deliberately does not hardcode any specific role enum here —\n * astrlabe, kori-erp, and future apps each pick their own union (admin,\n * manager, analyst, viewer, …) and pass the role definitions in.\n */\n\nexport type PlatformRoleDefinition<TRole extends string> = {\n  id: TRole\n  label: string\n  description: string\n}\n\nexport type CreatePlatformRbacOptions<\n  TRole extends string,\n  TPermission extends string,\n> = {\n  /** Definitions for every role the app supports (id/label/description). */\n  roles: Record<TRole, PlatformRoleDefinition<TRole>>\n  /**\n   * Maps each app-level permission to one or more JWT permission claim\n   * strings. `can()` returns true when ANY of the listed claims (using\n   * wildcard matching) is present in the user's JWT permissions.\n   */\n  permissionClaimsMap: Record<TPermission, readonly string[]>\n  /** Optional map from navigation/module IDs to required permissions. */\n  modulePermissions?: Record<string, TPermission>\n  /** Role to fall back to when an unknown role string comes in. */\n  defaultRole?: TRole\n}\n\nexport type PlatformRbac<TRole extends string, TPermission extends string> = {\n  ROLE_DEFINITIONS: Record<TRole, PlatformRoleDefinition<TRole>>\n  MODULE_PERMISSIONS: Record<string, TPermission>\n  normalizePlatformRole: (input: unknown) => TRole\n  can: (user: AuthUser | null, permission: TPermission) => boolean\n}\n\n/**\n * Match a permission string against a pattern (supports wildcards).\n * Same logic as windsock's usePermissionChecker.\n */\nfunction matchPermission(pattern: string, target: string): boolean {\n  if (pattern === '*') return true\n  if (pattern === target) return true\n  const patternParts = pattern.split(':')\n  const targetParts = target.split(':')\n  for (let i = 0; i < patternParts.length; i++) {\n    if (patternParts[i] === '*') return true\n    if (patternParts[i] !== targetParts[i]) return false\n  }\n  return patternParts.length === targetParts.length\n}\n\nexport function createPlatformRbac<\n  TRole extends string,\n  TPermission extends string,\n>(opts: CreatePlatformRbacOptions<TRole, TPermission>): PlatformRbac<TRole, TPermission> {\n  const ROLE_DEFINITIONS = opts.roles\n  const MODULE_PERMISSIONS = opts.modulePermissions ?? ({} as Record<string, TPermission>)\n  const PERMISSION_CLAIMS_MAP = opts.permissionClaimsMap\n\n  // Pick the fallback role: explicit `defaultRole` first, then the first\n  // entry in the roles map. We assume there's at least one role.\n  const knownRoles = Object.keys(ROLE_DEFINITIONS) as TRole[]\n  const fallbackRole: TRole = opts.defaultRole ?? (knownRoles[0] as TRole)\n\n  function normalizePlatformRole(input: unknown): TRole {\n    if (typeof input === 'string' && (input as TRole) in ROLE_DEFINITIONS) {\n      return input as TRole\n    }\n    return fallbackRole\n  }\n\n  function can(user: AuthUser | null, permission: TPermission): boolean {\n    if (!user) return false\n    const userClaims = (user.permissions ?? []) as string[]\n\n    const requiredClaims = PERMISSION_CLAIMS_MAP[permission] ?? []\n    return requiredClaims.some((claim) =>\n      userClaims.some((userClaim) => matchPermission(userClaim, claim))\n    )\n  }\n\n  return {\n    ROLE_DEFINITIONS,\n    MODULE_PERMISSIONS,\n    normalizePlatformRole,\n    can,\n  }\n}\n"]}

package/dist/{workflow-canvas-NSxfr5dy.d.ts → index-AioB90qq.d.mts}

@@ -1,7 +1,4 @@
-import * as react_jsx_runtime from 'react/jsx-runtime';
-import { ComponentProps } from 'react';
-import { NodeTypes } from '@xyflow/react';
-import { AgentConfig, AnswerNodeConfig, CodeNodeConfig, DocumentExtractorNodeConfig, EndNodeConfig, EntityNodeConfig, GroupNodeConfig, HttpRequestNodeConfig, IfElseNodeConfig, IterationNodeConfig, IterationStartNodeConfig, KnowledgeBaseNodeConfig, ListOperatorNodeConfig, ModelProviderNodeConfig, NoteNodeConfig, ParameterExtractorNodeConfig, QuestionClassifierNodeConfig, AgentRule, RuleNodeConfig, StartNodeConfig, TemplateTransformNodeConfig, WorkflowTool, VariableAggregatorNodeConfig, VariableAssignerNodeConfig, AgentModel, AgentTool, WorkflowGraph, LogicNodeConfig } from './astrlabe/contracts.js';
+import { AgentConfig, AnswerNodeConfig, CodeNodeConfig, DocumentExtractorNodeConfig, EndNodeConfig, EntityNodeConfig, GroupNodeConfig, HttpRequestNodeConfig, IfElseNodeConfig, IterationNodeConfig, IterationStartNodeConfig, KnowledgeBaseNodeConfig, ListOperatorNodeConfig, ModelProviderNodeConfig, NoteNodeConfig, ParameterExtractorNodeConfig, QuestionClassifierNodeConfig, AgentRule, RuleNodeConfig, StartNodeConfig, TemplateTransformNodeConfig, WorkflowTool, VariableAggregatorNodeConfig, VariableAssignerNodeConfig } from './astrlabe/contracts.mjs';
 
 type WorkflowCardDisplayMode = 'detailed' | 'compact';
 type WorkflowEntityDefinition = {
@@ -208,66 +205,4 @@ type GroupNodeData = {
     onRemoveFromCanvas?: (nodeId: string) => void;
 };
 
-type AgentModalRenderProps = {
-    agent: AgentWithPrompts | null;
-    models: AgentModel[];
-    open: boolean;
-    isCreateMode: boolean;
-    onClose: () => void;
-    onSaved: () => void;
-};
-type LogicNodeModalRenderProps = {
-    nodeId: string | null;
-    nodeLabel: string;
-    config: LogicNodeConfig | null;
-    open: boolean;
-    onClose: () => void;
-    onSave: (nodeId: string, updatedConfig: LogicNodeConfig) => void;
-    entities: WorkflowEntityDefinition[];
-};
-type WorkflowCanvasProps = {
-    agents: AgentWithPrompts[];
-    models: AgentModel[];
-    tools?: WorkflowTool[];
-    agentTools?: AgentTool[];
-    rules?: AgentRule[];
-    entities?: WorkflowEntityDefinition[];
-    datasources?: Array<{
-        id: string;
-        name: string;
-        dialect: string;
-    }>;
-    onLoadTables?: (datasourceId: string) => Promise<string[]>;
-    onLoadSchema?: (datasourceId: string, table: string) => Promise<Array<{
-        name: string;
-        type: string;
-        nullable?: boolean;
-    }>>;
-    initialGraph?: WorkflowGraph | null;
-    onGraphChange?: (graph: WorkflowGraph) => void;
-    onEditTool?: (tool: WorkflowTool) => void;
-    onToggleTool?: (tool: WorkflowTool) => void;
-    onEditRule?: (rule: AgentRule) => void;
-    onToggleRule?: (rule: AgentRule) => void;
-    onCancelCreateAgent?: () => void;
-    onAgentSaved?: () => void;
-    isCreatingAgent?: boolean;
-    /** Custom node type components — merged with built-in edge types */
-    nodeTypes?: NodeTypes;
-    /** Optional: render the AgentModal externally (frontend provides the component) */
-    renderAgentModal?: (props: AgentModalRenderProps) => React.ReactNode;
-    /** Optional: render a custom LogicNodeModal; defaults to internal modal */
-    renderLogicNodeModal?: (props: LogicNodeModalRenderProps) => React.ReactNode;
-};
-declare function WorkflowCanvas(props: WorkflowCanvasProps): react_jsx_runtime.JSX.Element;
-
-type BuilderCanvasProps = ComponentProps<typeof WorkflowCanvas>;
-type WorkspaceProps = {
-    locale?: string;
-    messages?: Record<string, unknown>;
-    className?: string;
-    workflowId?: string;
-} & Partial<BuilderCanvasProps>;
-declare function Workspace({ locale, messages, className, workflowId, ...canvasProps }: WorkspaceProps): react_jsx_runtime.JSX.Element;
-
-export { type AgentWithPrompts as A, type CodeNodeData as C, type DocumentExtractorNodeData as D, type EntityNodeData as E, type GroupNodeData as G, type HttpRequestNodeData as H, type IfElseNodeData as I, type KnowledgeBaseNodeData as K, type ListOperatorNodeData as L, type ModelProviderNodeData as M, type NoteNodeData as N, type ParameterExtractorNodeData as P, type QuestionClassifierNodeData as Q, type RuleNodeData as R, type StartNodeData as S, type ToolCanvasData as T, type VariableAssignerNodeData as V, type WorkflowEntityDefinition as W, type AgentNodeData as a, type EndNodeData as b, type TemplateTransformNodeData as c, type IterationNodeData as d, type AnswerNodeData as e, type VariableAggregatorNodeData as f, type IterationStartNodeData as g, type WorkspaceProps as h, type AgentNodeTool as i, Workspace as j };
+export type { AgentWithPrompts as A, CodeNodeData as C, DocumentExtractorNodeData as D, EntityNodeData as E, GroupNodeData as G, HttpRequestNodeData as H, IfElseNodeData as I, KnowledgeBaseNodeData as K, ListOperatorNodeData as L, ModelProviderNodeData as M, NoteNodeData as N, ParameterExtractorNodeData as P, QuestionClassifierNodeData as Q, RuleNodeData as R, StartNodeData as S, ToolCanvasData as T, VariableAssignerNodeData as V, WorkflowEntityDefinition as W, AgentNodeData as a, EndNodeData as b, TemplateTransformNodeData as c, IterationNodeData as d, AnswerNodeData as e, VariableAggregatorNodeData as f, IterationStartNodeData as g, AgentNodeTool as h };

package/dist/{workflow-canvas-D4928AfA.d.mts → index-D5ai0cGZ.d.ts}

@@ -1,7 +1,4 @@
-import * as react_jsx_runtime from 'react/jsx-runtime';
-import { ComponentProps } from 'react';
-import { NodeTypes } from '@xyflow/react';
-import { AgentConfig, AnswerNodeConfig, CodeNodeConfig, DocumentExtractorNodeConfig, EndNodeConfig, EntityNodeConfig, GroupNodeConfig, HttpRequestNodeConfig, IfElseNodeConfig, IterationNodeConfig, IterationStartNodeConfig, KnowledgeBaseNodeConfig, ListOperatorNodeConfig, ModelProviderNodeConfig, NoteNodeConfig, ParameterExtractorNodeConfig, QuestionClassifierNodeConfig, AgentRule, RuleNodeConfig, StartNodeConfig, TemplateTransformNodeConfig, WorkflowTool, VariableAggregatorNodeConfig, VariableAssignerNodeConfig, AgentModel, AgentTool, WorkflowGraph, LogicNodeConfig } from './astrlabe/contracts.mjs';
+import { AgentConfig, AnswerNodeConfig, CodeNodeConfig, DocumentExtractorNodeConfig, EndNodeConfig, EntityNodeConfig, GroupNodeConfig, HttpRequestNodeConfig, IfElseNodeConfig, IterationNodeConfig, IterationStartNodeConfig, KnowledgeBaseNodeConfig, ListOperatorNodeConfig, ModelProviderNodeConfig, NoteNodeConfig, ParameterExtractorNodeConfig, QuestionClassifierNodeConfig, AgentRule, RuleNodeConfig, StartNodeConfig, TemplateTransformNodeConfig, WorkflowTool, VariableAggregatorNodeConfig, VariableAssignerNodeConfig } from './astrlabe/contracts.js';
 
 type WorkflowCardDisplayMode = 'detailed' | 'compact';
 type WorkflowEntityDefinition = {
@@ -208,66 +205,4 @@ type GroupNodeData = {
     onRemoveFromCanvas?: (nodeId: string) => void;
 };
 
-type AgentModalRenderProps = {
-    agent: AgentWithPrompts | null;
-    models: AgentModel[];
-    open: boolean;
-    isCreateMode: boolean;
-    onClose: () => void;
-    onSaved: () => void;
-};
-type LogicNodeModalRenderProps = {
-    nodeId: string | null;
-    nodeLabel: string;
-    config: LogicNodeConfig | null;
-    open: boolean;
-    onClose: () => void;
-    onSave: (nodeId: string, updatedConfig: LogicNodeConfig) => void;
-    entities: WorkflowEntityDefinition[];
-};
-type WorkflowCanvasProps = {
-    agents: AgentWithPrompts[];
-    models: AgentModel[];
-    tools?: WorkflowTool[];
-    agentTools?: AgentTool[];
-    rules?: AgentRule[];
-    entities?: WorkflowEntityDefinition[];
-    datasources?: Array<{
-        id: string;
-        name: string;
-        dialect: string;
-    }>;
-    onLoadTables?: (datasourceId: string) => Promise<string[]>;
-    onLoadSchema?: (datasourceId: string, table: string) => Promise<Array<{
-        name: string;
-        type: string;
-        nullable?: boolean;
-    }>>;
-    initialGraph?: WorkflowGraph | null;
-    onGraphChange?: (graph: WorkflowGraph) => void;
-    onEditTool?: (tool: WorkflowTool) => void;
-    onToggleTool?: (tool: WorkflowTool) => void;
-    onEditRule?: (rule: AgentRule) => void;
-    onToggleRule?: (rule: AgentRule) => void;
-    onCancelCreateAgent?: () => void;
-    onAgentSaved?: () => void;
-    isCreatingAgent?: boolean;
-    /** Custom node type components — merged with built-in edge types */
-    nodeTypes?: NodeTypes;
-    /** Optional: render the AgentModal externally (frontend provides the component) */
-    renderAgentModal?: (props: AgentModalRenderProps) => React.ReactNode;
-    /** Optional: render a custom LogicNodeModal; defaults to internal modal */
-    renderLogicNodeModal?: (props: LogicNodeModalRenderProps) => React.ReactNode;
-};
-declare function WorkflowCanvas(props: WorkflowCanvasProps): react_jsx_runtime.JSX.Element;
-
-type BuilderCanvasProps = ComponentProps<typeof WorkflowCanvas>;
-type WorkspaceProps = {
-    locale?: string;
-    messages?: Record<string, unknown>;
-    className?: string;
-    workflowId?: string;
-} & Partial<BuilderCanvasProps>;
-declare function Workspace({ locale, messages, className, workflowId, ...canvasProps }: WorkspaceProps): react_jsx_runtime.JSX.Element;
-
-export { type AgentWithPrompts as A, type CodeNodeData as C, type DocumentExtractorNodeData as D, type EntityNodeData as E, type GroupNodeData as G, type HttpRequestNodeData as H, type IfElseNodeData as I, type KnowledgeBaseNodeData as K, type ListOperatorNodeData as L, type ModelProviderNodeData as M, type NoteNodeData as N, type ParameterExtractorNodeData as P, type QuestionClassifierNodeData as Q, type RuleNodeData as R, type StartNodeData as S, type ToolCanvasData as T, type VariableAssignerNodeData as V, type WorkflowEntityDefinition as W, type AgentNodeData as a, type EndNodeData as b, type TemplateTransformNodeData as c, type IterationNodeData as d, type AnswerNodeData as e, type VariableAggregatorNodeData as f, type IterationStartNodeData as g, type WorkspaceProps as h, type AgentNodeTool as i, Workspace as j };
+export type { AgentWithPrompts as A, CodeNodeData as C, DocumentExtractorNodeData as D, EntityNodeData as E, GroupNodeData as G, HttpRequestNodeData as H, IfElseNodeData as I, KnowledgeBaseNodeData as K, ListOperatorNodeData as L, ModelProviderNodeData as M, NoteNodeData as N, ParameterExtractorNodeData as P, QuestionClassifierNodeData as Q, RuleNodeData as R, StartNodeData as S, ToolCanvasData as T, VariableAssignerNodeData as V, WorkflowEntityDefinition as W, AgentNodeData as a, EndNodeData as b, TemplateTransformNodeData as c, IterationNodeData as d, AnswerNodeData as e, VariableAggregatorNodeData as f, IterationStartNodeData as g, AgentNodeTool as h };

package/dist/platform/index.d.mts

@@ -0,0 +1,41 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { SessionSwitcherProps, ManagedUser, Organization } from '@datatechsolutions/shared-domain/common';
+import { ReactNode } from 'react';
+import { AuthUser } from '@datatechsolutions/windsock/client';
+export { CreatePlatformRbacOptions, PlatformRbac, PlatformRoleDefinition, createPlatformRbac } from './rbac.mjs';
+export { CreateSecretInput, SecretDetail, SecretSummary, UpdateSecretInput, addOrganizationDomain, addOrganizationMember, createOrganization, createOrganizationInvitation, createPermission, createSecret, createUser, deleteOrganization, deletePermission, deleteUser, disableSecret, getSecret, getUserPermissions, listOrganizationDomains, listOrganizationInvitations, listOrganizationMembers, listOrganizations, listPermissions, listSecrets, listUsers, removeOrganizationMember, resetUserPassword, rotateSecret, setUserPermissions, setWindsockAdminClient, updateOrganization, updatePermission, updateUser, verifyOrganizationDomain } from './windsock-admin-client.mjs';
+import { AdminUserSummary, AuthOrganization } from '@datatechsolutions/shared-domain';
+
+declare function SessionSwitcher({ organizations, users, organizationId, userEmail, onOrganizationChange, onUserChange, }: SessionSwitcherProps): react_jsx_runtime.JSX.Element;
+
+type PlatformState = {
+    currentOrganizationId: string;
+    actor: AuthUser | null;
+};
+type PlatformStateProviderProps = {
+    children: ReactNode;
+    /**
+     * Function that converts a JWT role claim to the app's canonical role
+     * union (the same `normalizePlatformRole` produced by
+     * `createPlatformRbac()` in this app). Lifted out as a prop because
+     * each consuming app uses its own role enum.
+     */
+    normalizeRole: (input: unknown) => string;
+};
+declare function PlatformStateProvider({ children, normalizeRole }: PlatformStateProviderProps): react_jsx_runtime.JSX.Element;
+declare function usePlatformState(): PlatformState;
+
+/** Maps a windsock AuthOrganization to the app-level Organization shape used by UI pages. */
+declare function mapAuthOrg(raw: AuthOrganization): Organization;
+/**
+ * Maps a windsock AdminUserSummary to the app-level ManagedUser shape.
+ * Takes `normalizeRole` as a parameter so each consuming app can plug in
+ * the role normalizer produced by its own `createPlatformRbac()` call —
+ * we deliberately don't hardcode an app-specific role enum here.
+ */
+declare function mapAdminUser(row: AdminUserSummary, normalizeRole: (input: unknown) => string): ManagedUser;
+/** Maps an app-level UserRole to a windsock AuthOrganizationRole. */
+declare const ORG_ROLE_MAP: Record<string, 'owner' | 'admin' | 'member' | 'viewer'>;
+declare function mapRoleToOrgRole(role: string): 'owner' | 'admin' | 'member' | 'viewer';
+
+export { ORG_ROLE_MAP, PlatformStateProvider, type PlatformStateProviderProps, SessionSwitcher, mapAdminUser, mapAuthOrg, mapRoleToOrgRole, usePlatformState };

package/dist/platform/index.d.ts

@@ -0,0 +1,41 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { SessionSwitcherProps, ManagedUser, Organization } from '@datatechsolutions/shared-domain/common';
+import { ReactNode } from 'react';
+import { AuthUser } from '@datatechsolutions/windsock/client';
+export { CreatePlatformRbacOptions, PlatformRbac, PlatformRoleDefinition, createPlatformRbac } from './rbac.js';
+export { CreateSecretInput, SecretDetail, SecretSummary, UpdateSecretInput, addOrganizationDomain, addOrganizationMember, createOrganization, createOrganizationInvitation, createPermission, createSecret, createUser, deleteOrganization, deletePermission, deleteUser, disableSecret, getSecret, getUserPermissions, listOrganizationDomains, listOrganizationInvitations, listOrganizationMembers, listOrganizations, listPermissions, listSecrets, listUsers, removeOrganizationMember, resetUserPassword, rotateSecret, setUserPermissions, setWindsockAdminClient, updateOrganization, updatePermission, updateUser, verifyOrganizationDomain } from './windsock-admin-client.js';
+import { AdminUserSummary, AuthOrganization } from '@datatechsolutions/shared-domain';
+
+declare function SessionSwitcher({ organizations, users, organizationId, userEmail, onOrganizationChange, onUserChange, }: SessionSwitcherProps): react_jsx_runtime.JSX.Element;
+
+type PlatformState = {
+    currentOrganizationId: string;
+    actor: AuthUser | null;
+};
+type PlatformStateProviderProps = {
+    children: ReactNode;
+    /**
+     * Function that converts a JWT role claim to the app's canonical role
+     * union (the same `normalizePlatformRole` produced by
+     * `createPlatformRbac()` in this app). Lifted out as a prop because
+     * each consuming app uses its own role enum.
+     */
+    normalizeRole: (input: unknown) => string;
+};
+declare function PlatformStateProvider({ children, normalizeRole }: PlatformStateProviderProps): react_jsx_runtime.JSX.Element;
+declare function usePlatformState(): PlatformState;
+
+/** Maps a windsock AuthOrganization to the app-level Organization shape used by UI pages. */
+declare function mapAuthOrg(raw: AuthOrganization): Organization;
+/**
+ * Maps a windsock AdminUserSummary to the app-level ManagedUser shape.
+ * Takes `normalizeRole` as a parameter so each consuming app can plug in
+ * the role normalizer produced by its own `createPlatformRbac()` call —
+ * we deliberately don't hardcode an app-specific role enum here.
+ */
+declare function mapAdminUser(row: AdminUserSummary, normalizeRole: (input: unknown) => string): ManagedUser;
+/** Maps an app-level UserRole to a windsock AuthOrganizationRole. */
+declare const ORG_ROLE_MAP: Record<string, 'owner' | 'admin' | 'member' | 'viewer'>;
+declare function mapRoleToOrgRole(role: string): 'owner' | 'admin' | 'member' | 'viewer';
+
+export { ORG_ROLE_MAP, PlatformStateProvider, type PlatformStateProviderProps, SessionSwitcher, mapAdminUser, mapAuthOrg, mapRoleToOrgRole, usePlatformState };