@echothink-ui/identity 0.1.0

package/dist/index.cjs

@@ -0,0 +1,1629 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.tsx
+var index_exports = {};
+__export(index_exports, {
+  AccessReviewPanel: () => AccessReviewPanel,
+  AccountMenu: () => AccountMenu,
+  ApprovalPolicyEditor: () => ApprovalPolicyEditor,
+  AuditTrail: () => AuditTrail,
+  GroupPicker: () => GroupPicker,
+  IdentityCard: () => IdentityCard,
+  IdentityComponentNames: () => IdentityComponentNames,
+  InviteUserPanel: () => InviteUserPanel,
+  OrganizationSwitcher: () => OrganizationSwitcher,
+  PermissionMatrix: () => PermissionMatrix,
+  PolicyRuleViewer: () => PolicyRuleViewer,
+  RoleBadge: () => RoleBadge,
+  SessionStatus: () => SessionStatus,
+  TeamList: () => TeamList,
+  UserPicker: () => UserPicker
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/components/IdentityCard.tsx
+var import_core2 = require("@echothink-ui/core");
+
+// src/components/RoleBadge.tsx
+var import_core = require("@echothink-ui/core");
+var import_jsx_runtime = require("react/jsx-runtime");
+function RoleBadge({
+  role,
+  tier = "custom",
+  className,
+  "aria-label": ariaLabel,
+  "aria-labelledby": ariaLabelledBy,
+  title,
+  ...props
+}) {
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+    "span",
+    {
+      ...props,
+      "aria-label": ariaLabel ?? (ariaLabelledBy ? void 0 : `Role: ${role}`),
+      "aria-labelledby": ariaLabelledBy,
+      className: ["eth-identity-role-badge", className].filter(Boolean).join(" "),
+      "data-eth-component": "RoleBadge",
+      "data-tier": tier,
+      title: title ?? role,
+      children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_core.Badge, { severity: severityForTier(tier), children: role })
+    }
+  );
+}
+function severityForTier(tier) {
+  if (tier === "admin") return "danger";
+  if (tier === "editor") return "warning";
+  if (tier === "viewer") return "info";
+  return "neutral";
+}
+
+// src/components/IdentityCard.tsx
+var import_jsx_runtime2 = require("react/jsx-runtime");
+function IdentityCard({ identity, actions, className, ...props }) {
+  return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+    import_core2.Surface,
+    {
+      ...props,
+      className: ["eth-identity-card", `eth-identity-card--${identity.kind}`, className].filter(Boolean).join(" "),
+      "data-eth-component": "IdentityCard",
+      children: /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)("div", { className: "eth-identity-card__body", children: [
+        /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(Avatar, { label: identity.label, src: identity.avatar }),
+        /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)("div", { className: "eth-identity-card__main", children: [
+          /* @__PURE__ */ (0, import_jsx_runtime2.jsx)("h3", { children: identity.label }),
+          identity.email ? /* @__PURE__ */ (0, import_jsx_runtime2.jsx)("p", { children: identity.email }) : null,
+          /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)("div", { className: "eth-identity-card__meta", children: [
+            /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core2.Badge, { severity: "neutral", children: formatIdentityKind(identity.kind) }),
+            identity.role ? /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(RoleBadge, { role: identity.role }) : null,
+            identity.status ? /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core2.StatusDot, { status: identity.status, label: formatIdentityStatus(identity.status) }) : null
+          ] })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core2.ActionGroup, { actions })
+      ] })
+    }
+  );
+}
+function Avatar({ label, src }) {
+  if (src) return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)("img", { className: "eth-identity-card__avatar", src, alt: "", "aria-hidden": "true" });
+  return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)("span", { className: "eth-identity-card__avatar", "aria-hidden": "true", children: initials(label) });
+}
+function initials(label) {
+  return label.split(/\s+/).filter(Boolean).slice(0, 2).map((part) => part[0]?.toUpperCase()).join("");
+}
+function formatIdentityKind(kind) {
+  if (kind === "service-account") return "service account";
+  return kind;
+}
+function formatIdentityStatus(status) {
+  return status.replace(/-/g, " ");
+}
+
+// src/components/UserPicker.tsx
+var React = __toESM(require("react"), 1);
+var import_core3 = require("@echothink-ui/core");
+var import_jsx_runtime3 = require("react/jsx-runtime");
+function UserPicker({
+  value,
+  onChange,
+  onSearch,
+  suggestions = [],
+  multiple = true,
+  defaultOpen = false,
+  disabled = false,
+  loading = false,
+  className
+}) {
+  const [query, setQuery] = React.useState("");
+  const [open, setOpen] = React.useState(defaultOpen);
+  const searchRef = React.useRef(null);
+  const selected = value.map(
+    (id) => suggestions.find((item) => item.id === id) ?? { id, label: id }
+  );
+  const normalizedQuery = query.trim().toLocaleLowerCase();
+  const visibleSuggestions = normalizedQuery ? suggestions.filter(
+    (suggestion) => [suggestion.label, suggestion.email, suggestion.role, suggestion.kind].filter((field) => typeof field === "string").some((field) => field.toLocaleLowerCase().includes(normalizedQuery))
+  ) : suggestions;
+  const selectedLabel = selected.length ? `${selected.length} selected` : multiple ? "No users selected" : "No user selected";
+  const triggerLabel = multiple ? "Add users" : selected.length ? "Change user" : "Choose user";
+  const toggle = (id) => {
+    if (disabled || loading) return;
+    if (!multiple) {
+      onChange?.([id]);
+      setOpen(false);
+      return;
+    }
+    onChange?.(value.includes(id) ? value.filter((item) => item !== id) : [...value, id]);
+  };
+  return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+    "div",
+    {
+      className: ["eth-identity-user-picker", className].filter(Boolean).join(" "),
+      "data-eth-component": "UserPicker",
+      "data-disabled": disabled || loading ? "true" : void 0,
+      "data-open": open ? "true" : void 0,
+      children: /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)("div", { className: "eth-identity-user-picker__control", children: [
+        /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("div", { className: "eth-identity-user-picker__chips", "aria-label": "Selected users", children: selected.length ? selected.map((item) => /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+          import_core3.Tag,
+          {
+            removable: !disabled && !loading,
+            onRemove: () => onChange?.(value.filter((id) => id !== item.id)),
+            children: item.label
+          },
+          item.id
+        )) : /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("span", { className: "eth-identity-user-picker__placeholder", children: multiple ? "Select users" : "Select a user" }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(
+          "details",
+          {
+            open,
+            className: "eth-popover eth-identity-user-picker__popover",
+            onToggle: (event) => {
+              const nextOpen = event.currentTarget.open;
+              setOpen(nextOpen);
+              if (nextOpen) window.setTimeout(() => searchRef.current?.focus(), 0);
+            },
+            children: [
+              /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+                "summary",
+                {
+                  "aria-label": `${triggerLabel}. ${selectedLabel}`,
+                  "aria-disabled": disabled || loading ? true : void 0,
+                  tabIndex: disabled || loading ? -1 : void 0,
+                  onClick: (event) => {
+                    if (disabled || loading) event.preventDefault();
+                  },
+                  children: /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)("span", { className: "eth-identity-user-picker__trigger", children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("span", { children: triggerLabel }),
+                    /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("span", { className: "eth-identity-user-picker__count", children: selectedLabel }),
+                    /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("span", { className: "eth-identity-user-picker__chevron", "aria-hidden": "true" })
+                  ] })
+                }
+              ),
+              /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)("div", { className: "eth-popover__content eth-identity-user-picker__content", children: [
+                /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+                  import_core3.TextInput,
+                  {
+                    ref: searchRef,
+                    type: "search",
+                    labelText: "Search users",
+                    hideLabel: true,
+                    placeholder: "Search users",
+                    value: query,
+                    disabled: disabled || loading,
+                    onChange: (event) => {
+                      setQuery(event.currentTarget.value);
+                      onSearch?.(event.currentTarget.value);
+                    }
+                  }
+                ),
+                /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+                  "div",
+                  {
+                    className: "eth-identity-user-picker__suggestions",
+                    role: "listbox",
+                    "aria-label": "User suggestions",
+                    "aria-multiselectable": multiple ? true : void 0,
+                    children: loading ? /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("div", { className: "eth-identity-user-picker__empty", role: "status", children: "Loading users..." }) : visibleSuggestions.length ? visibleSuggestions.map((suggestion) => {
+                      const isSelected = value.includes(suggestion.id);
+                      const meta = suggestion.email ?? suggestion.role ?? (suggestion.kind === "service-account" ? "Service account" : void 0);
+                      return /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)(
+                        "button",
+                        {
+                          type: "button",
+                          className: "eth-identity-user-picker__option",
+                          role: "option",
+                          "aria-selected": isSelected,
+                          disabled: disabled || loading,
+                          onClick: () => toggle(suggestion.id),
+                          children: [
+                            /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)("span", { className: "eth-identity-user-picker__option-main", children: [
+                              /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("span", { className: "eth-identity-user-picker__option-label", children: suggestion.label }),
+                              meta ? /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("span", { className: "eth-identity-user-picker__option-meta", children: meta }) : null
+                            ] }),
+                            /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("span", { className: "eth-identity-user-picker__option-check", "aria-hidden": "true" })
+                          ]
+                        },
+                        suggestion.id
+                      );
+                    }) : /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("div", { className: "eth-identity-user-picker__empty", role: "status", children: query ? "No matching users" : "No users available" })
+                  }
+                )
+              ] })
+            ]
+          }
+        )
+      ] })
+    }
+  );
+}
+
+// src/components/GroupPicker.tsx
+var React2 = __toESM(require("react"), 1);
+var import_core4 = require("@echothink-ui/core");
+var import_jsx_runtime4 = require("react/jsx-runtime");
+function GroupPicker({
+  value,
+  onChange,
+  onSearch,
+  suggestions = [],
+  multiple = true,
+  defaultOpen = false,
+  disabled = false,
+  loading = false,
+  className
+}) {
+  const [query, setQuery] = React2.useState("");
+  const [open, setOpen] = React2.useState(defaultOpen);
+  const searchRef = React2.useRef(null);
+  const selected = value.map(
+    (id) => suggestions.find((item) => item.id === id) ?? { id, label: id }
+  );
+  const normalizedQuery = query.trim().toLocaleLowerCase();
+  const visibleSuggestions = normalizedQuery ? suggestions.filter(
+    (suggestion) => [suggestion.label, suggestion.email, suggestion.role, suggestion.kind].filter((field) => typeof field === "string").some((field) => field.toLocaleLowerCase().includes(normalizedQuery))
+  ) : suggestions;
+  const selectedLabel = selected.length ? `${selected.length} selected` : multiple ? "No groups selected" : "No group selected";
+  const triggerLabel = multiple ? "Add groups" : selected.length ? "Change group" : "Choose group";
+  const toggle = (id) => {
+    if (disabled || loading) return;
+    if (!multiple) {
+      onChange?.([id]);
+      setOpen(false);
+      return;
+    }
+    onChange?.(value.includes(id) ? value.filter((item) => item !== id) : [...value, id]);
+  };
+  return /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(
+    "div",
+    {
+      className: ["eth-identity-group-picker", className].filter(Boolean).join(" "),
+      "data-eth-component": "GroupPicker",
+      "data-disabled": disabled || loading ? "true" : void 0,
+      "data-open": open ? "true" : void 0,
+      children: /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)("div", { className: "eth-identity-group-picker__control", children: [
+        /* @__PURE__ */ (0, import_jsx_runtime4.jsx)("div", { className: "eth-identity-group-picker__chips", "aria-label": "Selected groups", children: selected.length ? selected.map((item) => /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(
+          import_core4.Tag,
+          {
+            removable: !disabled && !loading,
+            onRemove: () => onChange?.(value.filter((id) => id !== item.id)),
+            children: item.label
+          },
+          item.id
+        )) : /* @__PURE__ */ (0, import_jsx_runtime4.jsx)("span", { className: "eth-identity-group-picker__placeholder", children: multiple ? "Select groups" : "Select a group" }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)(
+          "details",
+          {
+            open,
+            className: "eth-popover eth-identity-group-picker__popover",
+            onToggle: (event) => {
+              const nextOpen = event.currentTarget.open;
+              setOpen(nextOpen);
+              if (nextOpen) window.setTimeout(() => searchRef.current?.focus(), 0);
+            },
+            children: [
+              /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(
+                "summary",
+                {
+                  "aria-label": `${triggerLabel}. ${selectedLabel}`,
+                  "aria-disabled": disabled || loading ? true : void 0,
+                  onClick: (event) => {
+                    if (disabled || loading) event.preventDefault();
+                  },
+                  children: /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)("span", { className: "eth-identity-group-picker__trigger", children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime4.jsx)("span", { children: triggerLabel }),
+                    /* @__PURE__ */ (0, import_jsx_runtime4.jsx)("span", { className: "eth-identity-group-picker__count", children: selectedLabel }),
+                    /* @__PURE__ */ (0, import_jsx_runtime4.jsx)("span", { className: "eth-identity-group-picker__chevron", "aria-hidden": "true" })
+                  ] })
+                }
+              ),
+              /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)("div", { className: "eth-popover__content eth-identity-group-picker__content", children: [
+                /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(
+                  import_core4.TextInput,
+                  {
+                    ref: searchRef,
+                    type: "search",
+                    placeholder: "Search groups",
+                    value: query,
+                    disabled: disabled || loading,
+                    onChange: (event) => {
+                      setQuery(event.currentTarget.value);
+                      onSearch?.(event.currentTarget.value);
+                    }
+                  }
+                ),
+                /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(
+                  "div",
+                  {
+                    className: "eth-identity-group-picker__suggestions",
+                    role: "listbox",
+                    "aria-label": "Group suggestions",
+                    "aria-multiselectable": multiple ? true : void 0,
+                    children: loading ? /* @__PURE__ */ (0, import_jsx_runtime4.jsx)("div", { className: "eth-identity-group-picker__empty", role: "status", children: "Loading groups..." }) : visibleSuggestions.length ? visibleSuggestions.map((suggestion) => {
+                      const isSelected = value.includes(suggestion.id);
+                      const meta = suggestion.role ?? suggestion.email ?? (suggestion.kind === "group" ? "Group" : void 0);
+                      return /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)(
+                        "button",
+                        {
+                          type: "button",
+                          className: "eth-identity-group-picker__option",
+                          role: "option",
+                          "aria-selected": isSelected,
+                          onClick: () => toggle(suggestion.id),
+                          children: [
+                            /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)("span", { className: "eth-identity-group-picker__option-main", children: [
+                              /* @__PURE__ */ (0, import_jsx_runtime4.jsx)("span", { className: "eth-identity-group-picker__option-label", children: suggestion.label }),
+                              meta ? /* @__PURE__ */ (0, import_jsx_runtime4.jsx)("span", { className: "eth-identity-group-picker__option-meta", children: meta }) : null
+                            ] }),
+                            /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(
+                              "span",
+                              {
+                                className: "eth-identity-group-picker__option-check",
+                                "aria-hidden": "true"
+                              }
+                            )
+                          ]
+                        },
+                        suggestion.id
+                      );
+                    }) : /* @__PURE__ */ (0, import_jsx_runtime4.jsx)("div", { className: "eth-identity-group-picker__empty", role: "status", children: query ? "No matching groups" : "No groups available" })
+                  }
+                )
+              ] })
+            ]
+          }
+        )
+      ] })
+    }
+  );
+}
+
+// src/components/TeamList.tsx
+var import_core5 = require("@echothink-ui/core");
+var import_jsx_runtime5 = require("react/jsx-runtime");
+function TeamList({ teams, onSelect, title, className, ...props }) {
+  const listLabel = typeof title === "string" && title.trim() ? title : "Teams";
+  const totalMembers = teams.reduce((total, team) => total + team.memberCount, 0);
+  return /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(
+    import_core5.Surface,
+    {
+      ...props,
+      title,
+      className: ["eth-identity-team-list", className].filter(Boolean).join(" "),
+      "data-eth-component": "TeamList",
+      children: teams.length ? /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)(import_jsx_runtime5.Fragment, { children: [
+        /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)("dl", { className: "eth-identity-team-list__summary", "aria-label": "Team summary", children: [
+          /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)("div", { children: [
+            /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("dt", { children: "Teams" }),
+            /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("dd", { children: teams.length })
+          ] }),
+          /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)("div", { children: [
+            /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("dt", { children: "Members" }),
+            /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("dd", { children: totalMembers })
+          ] })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("div", { className: "eth-identity-team-list__items", role: "list", "aria-label": listLabel, children: teams.map((team) => /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)("article", { className: "eth-identity-team-list__item", role: "listitem", children: [
+          /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("span", { className: "eth-identity-team-list__avatar", "aria-hidden": "true", children: initials2(team.label) }),
+          /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)("div", { className: "eth-identity-team-list__main", children: [
+            /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)("div", { className: "eth-identity-team-list__heading", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("h3", { children: team.label }),
+              /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(import_core5.Badge, { severity: "neutral", children: formatMemberCount(team.memberCount) })
+            ] }),
+            /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(
+              "dl",
+              {
+                className: "eth-identity-team-list__meta",
+                "aria-label": `${team.label} membership summary`,
+                children: /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)("div", { children: [
+                  /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("dt", { children: "Lead" }),
+                  /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("dd", { children: team.lead?.label ?? "Unassigned" })
+                ] })
+              }
+            )
+          ] }),
+          onSelect ? /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(
+            import_core5.Button,
+            {
+              type: "button",
+              intent: "secondary",
+              density: "compact",
+              "aria-label": `Open ${team.label} team`,
+              onClick: () => onSelect(team.id),
+              children: "Open"
+            }
+          ) : null
+        ] }, team.id)) })
+      ] }) : /* @__PURE__ */ (0, import_jsx_runtime5.jsxs)("div", { className: "eth-identity-team-list__empty", role: "status", children: [
+        /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("h3", { children: "No teams available" }),
+        /* @__PURE__ */ (0, import_jsx_runtime5.jsx)("p", { children: "Add teams to see membership summaries." })
+      ] })
+    }
+  );
+}
+function formatMemberCount(count) {
+  return `${count} ${count === 1 ? "member" : "members"}`;
+}
+function initials2(label) {
+  const value = label.split(/\s+/).filter(Boolean).slice(0, 2).map((part) => part[0]?.toUpperCase()).join("");
+  return value || "TM";
+}
+
+// src/components/PermissionMatrix.tsx
+var import_core6 = require("@echothink-ui/core");
+var import_jsx_runtime6 = require("react/jsx-runtime");
+function PermissionMatrix({
+  subjects,
+  actions,
+  assignments,
+  onChange,
+  mode = "read",
+  title,
+  description,
+  metadata,
+  className,
+  "aria-label": ariaLabel,
+  ...props
+}) {
+  const groups = groupActions(actions);
+  const permissionCounts = countPermissionValues(subjects, actions, assignments);
+  const resourceCount = countResources(actions);
+  const tableLabel = ariaLabel ?? matrixLabelForTitle(title);
+  const matrixMetadata = [
+    { label: "Subjects", value: countLabel(subjects.length, "subject") },
+    { label: "Actions", value: countLabel(actions.length, "action") },
+    { label: "Resources", value: countLabel(resourceCount, "resource") },
+    ...metadata ?? []
+  ];
+  return /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(
+    import_core6.Surface,
+    {
+      ...props,
+      title,
+      description,
+      metadata: matrixMetadata,
+      className: ["eth-identity-permission-matrix", className].filter(Boolean).join(" "),
+      "data-eth-component": "PermissionMatrix",
+      children: subjects.length > 0 && actions.length > 0 ? /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(import_jsx_runtime6.Fragment, { children: [
+        /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)("div", { className: "eth-identity-permission-matrix__summary", "aria-label": "Permission summary", children: [
+          /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(SummaryItem, { value: permissionCounts.allow, label: "Allowed", tone: "allow" }),
+          /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(SummaryItem, { value: permissionCounts.deny, label: "Denied", tone: "deny" }),
+          /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(SummaryItem, { value: permissionCounts.inherit, label: "Inherited", tone: "inherit" }),
+          /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("span", { className: "eth-identity-permission-matrix__mode", children: mode === "edit" ? "Editable" : "Read only" })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("div", { className: "eth-identity-permission-matrix__table-wrap", children: /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)("table", { "aria-label": tableLabel, className: "eth-identity-permission-matrix__table", children: [
+          /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("caption", { className: "eth-identity-permission-matrix__caption", children: "Permission assignments across subjects, resources, scopes, and actions." }),
+          /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)("thead", { children: [
+            /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)("tr", { children: [
+              /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(
+                "th",
+                {
+                  scope: "col",
+                  rowSpan: 2,
+                  className: [
+                    "eth-identity-permission-matrix__subject-col",
+                    "eth-identity-permission-matrix__subject-heading"
+                  ].join(" "),
+                  children: "Subject"
+                }
+              ),
+              groups.map((group) => /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("th", { scope: "colgroup", colSpan: group.actions.length, children: group.label }, group.label))
+            ] }),
+            /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("tr", { children: groups.flatMap(
+              (group) => group.actions.map((action) => /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)("th", { scope: "col", children: [
+                /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("span", { className: "eth-identity-permission-matrix__action-label", children: action.label }),
+                action.resource || action.scope ? /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)("span", { className: "eth-identity-permission-matrix__action-meta", children: [
+                  action.resource ? /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("span", { children: action.resource }) : null,
+                  action.scope ? /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("span", { children: action.scope }) : null
+                ] }) : null
+              ] }, action.id))
+            ) })
+          ] }),
+          /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("tbody", { children: subjects.map((subject) => {
+            const subjectMeta = formatSubjectMeta(subject);
+            return /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)("tr", { children: [
+              /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)("th", { scope: "row", className: "eth-identity-permission-matrix__subject", children: [
+                /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("span", { className: "eth-identity-permission-matrix__subject-label", children: subject.label }),
+                subjectMeta ? /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("small", { children: subjectMeta }) : null
+              ] }),
+              actions.map((action) => {
+                const value = assignments[subject.id]?.[action.id] ?? "inherit";
+                const valueLabel = labelForPermission(value);
+                return /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(
+                  "td",
+                  {
+                    className: "eth-identity-permission-matrix__cell",
+                    "data-permission": value,
+                    "data-permission-value": value,
+                    title: `${subject.label} / ${action.label}: ${valueLabel}`,
+                    children: mode === "edit" ? /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(
+                      import_core6.Select,
+                      {
+                        "aria-label": `${subject.label} ${action.label} permission`,
+                        className: [
+                          "eth-identity-permission-matrix__select",
+                          `eth-identity-permission-matrix__select--${value}`
+                        ].join(" "),
+                        density: "compact",
+                        disabled: !onChange,
+                        value,
+                        options: permissionOptions,
+                        onChange: (event) => onChange?.(
+                          subject.id,
+                          action.id,
+                          event.currentTarget.value
+                        )
+                      }
+                    ) : /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(
+                      import_core6.Badge,
+                      {
+                        severity: severityForPermission(value),
+                        "aria-label": `${subject.label} ${action.label}: ${valueLabel}`,
+                        className: [
+                          "eth-identity-permission-matrix__badge",
+                          `eth-identity-permission-matrix__badge--${value}`
+                        ].join(" "),
+                        children: [
+                          /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(
+                            "span",
+                            {
+                              className: "eth-identity-permission-matrix__status-mark",
+                              "aria-hidden": "true"
+                            }
+                          ),
+                          valueLabel
+                        ]
+                      }
+                    )
+                  },
+                  action.id
+                );
+              })
+            ] }, subject.id);
+          }) })
+        ] }) })
+      ] }) : /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(
+        import_core6.EmptyState,
+        {
+          title: "No permissions configured",
+          description: "Add at least one subject and one action to render the permission matrix."
+        }
+      )
+    }
+  );
+}
+function SummaryItem({
+  value,
+  label,
+  tone
+}) {
+  return /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(
+    "span",
+    {
+      className: `eth-identity-permission-matrix__summary-item eth-identity-permission-matrix__summary-item--${tone}`,
+      children: [
+        /* @__PURE__ */ (0, import_jsx_runtime6.jsx)("strong", { children: value }),
+        label
+      ]
+    }
+  );
+}
+var permissionOptions = [
+  { value: "inherit", label: "Inherit" },
+  { value: "allow", label: "Allow" },
+  { value: "deny", label: "Deny" }
+];
+function groupActions(actions) {
+  const labels = Array.from(new Set(actions.map((action) => action.group ?? "Permissions")));
+  return labels.map((label) => ({
+    label,
+    actions: actions.filter((action) => (action.group ?? "Permissions") === label)
+  }));
+}
+function severityForPermission(value) {
+  if (value === "allow") return "success";
+  if (value === "deny") return "danger";
+  return "neutral";
+}
+function labelForPermission(value) {
+  return permissionOptions.find((option) => option.value === value)?.label ?? value;
+}
+function countPermissionValues(subjects, actions, assignments) {
+  return subjects.reduce(
+    (counts, subject) => {
+      actions.forEach((action) => {
+        const value = assignments[subject.id]?.[action.id] ?? "inherit";
+        counts[value] += 1;
+      });
+      return counts;
+    },
+    { allow: 0, deny: 0, inherit: 0 }
+  );
+}
+function countResources(actions) {
+  return new Set(actions.map((action) => action.resource ?? action.group ?? action.label)).size;
+}
+function countLabel(value, noun) {
+  return `${value} ${value === 1 ? noun : `${noun}s`}`;
+}
+function formatSubjectKind(kind) {
+  return kind.replace(/-/g, " ");
+}
+function formatSubjectMeta(subject) {
+  return [formatSubjectKind(subject.kind), subject.role, subject.description].filter(Boolean).join(" / ");
+}
+function nodeToText(node, fallback) {
+  if (typeof node === "string") return node;
+  if (typeof node === "number") return String(node);
+  return fallback;
+}
+function matrixLabelForTitle(title) {
+  const label = nodeToText(title, "Permission");
+  return label.toLowerCase().includes("matrix") ? label : `${label} matrix`;
+}
+
+// src/components/AccessReviewPanel.tsx
+var import_core7 = require("@echothink-ui/core");
+var import_jsx_runtime7 = require("react/jsx-runtime");
+function AccessReviewPanel({
+  subjects,
+  findings,
+  onApprove,
+  onRevoke,
+  title,
+  className,
+  ...props
+}) {
+  return /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(
+    import_core7.Surface,
+    {
+      ...props,
+      title,
+      className: ["eth-identity-access-review", className].filter(Boolean).join(" "),
+      "data-eth-component": "AccessReviewPanel",
+      children: [
+        subjects.map((subject) => {
+          const subjectFindings = findings.filter((finding) => finding.subjectId === subject.id);
+          const subjectMeta = [subject.kind, subject.role].filter(Boolean).join(" / ");
+          return /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)("section", { className: "eth-identity-access-review__subject", children: [
+            /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)("header", { className: "eth-identity-access-review__subject-header", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)("div", { className: "eth-identity-access-review__identity", children: [
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("span", { className: "eth-identity-access-review__avatar", "aria-hidden": "true", children: initialsForSubject(subject.label) }),
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)("div", { className: "eth-identity-access-review__identity-main", children: [
+                  /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("h3", { children: subject.label }),
+                  subject.email ? /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("p", { children: subject.email }) : null,
+                  subjectMeta ? /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("small", { children: subjectMeta }) : null
+                ] })
+              ] }),
+              /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(
+                "div",
+                {
+                  className: "eth-identity-access-review__findings",
+                  "aria-label": `${subject.label} access findings`,
+                  children: subjectFindings.length ? subjectFindings.map((finding) => /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(import_core7.Badge, { severity: severityForFinding(finding.severity), children: finding.reason }, finding.id)) : /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(import_core7.Badge, { severity: "neutral", children: "No findings" })
+                }
+              )
+            ] }),
+            /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("div", { className: "eth-identity-access-review__table-wrap", children: /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)("table", { className: "eth-identity-access-review__table", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("thead", { children: /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)("tr", { children: [
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("th", { scope: "col", children: "Resource" }),
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("th", { scope: "col", children: "Permissions" }),
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("th", { scope: "col", children: "Last used" }),
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("th", { scope: "col", children: "Decision" })
+              ] }) }),
+              /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("tbody", { children: subject.accessTo.length ? subject.accessTo.map((resource) => /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)("tr", { children: [
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("th", { scope: "row", children: resource.resourceLabel }),
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("td", { children: resource.permissions.length ? /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("span", { className: "eth-identity-access-review__permissions", children: resource.permissions.map((permission) => /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(import_core7.Badge, { severity: "neutral", children: permission }, permission)) }) : /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("span", { className: "eth-identity-access-review__muted", children: "No permissions" }) }),
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("td", { children: /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(
+                  "span",
+                  {
+                    className: resource.lastUsedAt ? void 0 : "eth-identity-access-review__muted",
+                    children: resource.lastUsedAt ?? "Never"
+                  }
+                ) }),
+                /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("td", { children: /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)("div", { className: "eth-identity-access-review__decision-actions", children: [
+                  /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(
+                    import_core7.Button,
+                    {
+                      type: "button",
+                      intent: "success",
+                      density: "compact",
+                      disabled: !onApprove,
+                      "aria-label": `Approve ${subject.label} access to ${resource.resourceLabel}`,
+                      onClick: () => onApprove?.(subject.id, resource.resourceId),
+                      children: "Approve"
+                    }
+                  ),
+                  /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(
+                    import_core7.Button,
+                    {
+                      type: "button",
+                      intent: "danger",
+                      density: "compact",
+                      disabled: !onRevoke,
+                      "aria-label": `Revoke ${subject.label} access to ${resource.resourceLabel}`,
+                      onClick: () => onRevoke?.(subject.id, resource.resourceId),
+                      children: "Revoke"
+                    }
+                  )
+                ] }) })
+              ] }, resource.resourceId)) : /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("tr", { children: /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("td", { colSpan: 4, className: "eth-identity-access-review__empty-cell", children: "No resource access assigned." }) }) })
+            ] }) })
+          ] }, subject.id);
+        }),
+        !subjects.length ? /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(
+          import_core7.EmptyState,
+          {
+            title: "No access to review",
+            description: "Subjects with assigned resources will appear here when a review is ready."
+          }
+        ) : null
+      ]
+    }
+  );
+}
+function initialsForSubject(label) {
+  return label.split(/\s+/).filter(Boolean).slice(0, 2).map((part) => part.charAt(0).toUpperCase()).join("") || "ID";
+}
+function severityForFinding(severity) {
+  if (severity === "critical" || severity === "error") return "danger";
+  if (severity === "warning") return "warning";
+  return "info";
+}
+
+// src/components/InviteUserPanel.tsx
+var React3 = __toESM(require("react"), 1);
+var import_core8 = require("@echothink-ui/core");
+var import_jsx_runtime8 = require("react/jsx-runtime");
+function isValidInviteEmail(email) {
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+}
+function InviteUserPanel({
+  roles,
+  onInvite,
+  title = "Invite user",
+  description = "Send a workspace invitation and assign the recipient's initial access role.",
+  defaultEmail = "",
+  defaultRole,
+  inviteLabel = "Send invite",
+  className,
+  ...props
+}) {
+  const options = React3.useMemo(
+    () => roles.map(
+      (role2) => typeof role2 === "string" ? { value: role2, label: role2 } : { value: role2.id, label: role2.label }
+    ),
+    [roles]
+  );
+  const preferredRole = options.some((option) => option.value === defaultRole) ? defaultRole : options[0]?.value;
+  const [email, setEmail] = React3.useState(defaultEmail);
+  const [emailTouched, setEmailTouched] = React3.useState(false);
+  const [role, setRole] = React3.useState(preferredRole ?? "");
+  const [roleTouched, setRoleTouched] = React3.useState(false);
+  const baseId = React3.useId();
+  const emailId = `${baseId}-email`;
+  const roleId = `${baseId}-role`;
+  const trimmedEmail = email.trim();
+  const emailIsValid = isValidInviteEmail(trimmedEmail);
+  const selectedRole = options.find((option) => option.value === role);
+  const emailError = emailTouched ? trimmedEmail ? emailIsValid ? void 0 : "Enter a valid email address." : "Email is required." : void 0;
+  const roleError = roleTouched && !role ? "Select a role." : void 0;
+  const canInvite = Boolean(onInvite && emailIsValid && role);
+  const inviteStatus = onInvite ? canInvite ? "Ready to send" : "Needs required fields" : "Unavailable";
+  React3.useEffect(() => {
+    if (!options.some((option) => option.value === role)) {
+      setRole(preferredRole ?? "");
+    }
+  }, [options, preferredRole, role]);
+  return /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
+    import_core8.Surface,
+    {
+      ...props,
+      title,
+      description,
+      className: ["eth-identity-invite-user", className].filter(Boolean).join(" "),
+      "data-eth-component": "InviteUserPanel",
+      children: /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)(
+        "form",
+        {
+          noValidate: true,
+          onSubmit: (event) => {
+            event.preventDefault();
+            setEmailTouched(true);
+            setRoleTouched(true);
+            if (emailIsValid && role) onInvite?.(trimmedEmail, role);
+          },
+          children: [
+            /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)("div", { className: "eth-identity-invite-user__layout", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)("div", { className: "eth-identity-invite-user__fields", children: [
+                /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
+                  import_core8.FormField,
+                  {
+                    id: emailId,
+                    label: "Email",
+                    helperText: "Use the recipient's managed workspace email address.",
+                    error: emailError,
+                    required: true,
+                    children: /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
+                      import_core8.TextInput,
+                      {
+                        id: emailId,
+                        type: "email",
+                        value: email,
+                        placeholder: "name@company.com",
+                        autoComplete: "email",
+                        onBlur: () => setEmailTouched(true),
+                        onChange: (event) => setEmail(event.currentTarget.value)
+                      }
+                    )
+                  }
+                ),
+                /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
+                  import_core8.FormField,
+                  {
+                    id: roleId,
+                    label: "Role",
+                    helperText: "Choose the initial permission set for this invite.",
+                    error: roleError,
+                    required: true,
+                    children: /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
+                      import_core8.Select,
+                      {
+                        id: roleId,
+                        value: role,
+                        options,
+                        disabled: !options.length,
+                        onBlur: () => setRoleTouched(true),
+                        onChange: (event) => {
+                          setRoleTouched(true);
+                          setRole(event.currentTarget.value);
+                        }
+                      }
+                    )
+                  }
+                )
+              ] }),
+              /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)("div", { className: "eth-identity-invite-user__summary", "aria-live": "polite", children: [
+                /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("span", { className: "eth-identity-invite-user__summary-label", children: "Invitation summary" }),
+                /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)("dl", { children: [
+                  /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)("div", { children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("dt", { children: "Recipient" }),
+                    /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("dd", { children: trimmedEmail || "Waiting for email" })
+                  ] }),
+                  /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)("div", { children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("dt", { children: "Initial role" }),
+                    /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("dd", { children: selectedRole?.label ?? "No role selected" })
+                  ] }),
+                  /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)("div", { children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("dt", { children: "Status" }),
+                    /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("dd", { children: inviteStatus })
+                  ] })
+                ] })
+              ] })
+            ] }),
+            /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)("div", { className: "eth-identity-invite-user__actions", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core8.Button, { type: "submit", disabled: !canInvite, children: inviteLabel }),
+              /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("p", { children: "Access can be reviewed after the recipient accepts the invitation." })
+            ] })
+          ]
+        }
+      )
+    }
+  );
+}
+
+// src/components/OrganizationSwitcher.tsx
+var React4 = __toESM(require("react"), 1);
+var import_core9 = require("@echothink-ui/core");
+var import_jsx_runtime9 = require("react/jsx-runtime");
+function OrganizationSwitcher({
+  organizations,
+  activeId,
+  defaultOpen = false,
+  onSwitch,
+  className
+}) {
+  const [open, setOpen] = React4.useState(defaultOpen);
+  const [selectedId, setSelectedId] = React4.useState(activeId ?? organizations[0]?.id);
+  const detailsRef = React4.useRef(null);
+  const listRef = React4.useRef(null);
+  const active = organizations.find((organization) => organization.id === (activeId ?? selectedId)) ?? organizations[0];
+  const triggerLabel = active ? `Switch organization, current organization ${active.label}` : "Switch organization";
+  React4.useEffect(() => {
+    if (activeId !== void 0) setSelectedId(activeId);
+  }, [activeId]);
+  React4.useEffect(() => {
+    if (!organizations.some((organization) => organization.id === selectedId)) {
+      setSelectedId(organizations[0]?.id);
+    }
+  }, [organizations, selectedId]);
+  const closeMenu = React4.useCallback(() => {
+    setOpen(false);
+    detailsRef.current?.querySelector("summary")?.focus();
+  }, []);
+  const selectOrganization = (organization) => {
+    if (activeId === void 0) setSelectedId(organization.id);
+    onSwitch?.(organization.id);
+    closeMenu();
+  };
+  return /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(
+    "div",
+    {
+      className: ["eth-identity-organization-switcher", className].filter(Boolean).join(" "),
+      "data-eth-component": "OrganizationSwitcher",
+      children: /* @__PURE__ */ (0, import_jsx_runtime9.jsxs)(
+        "details",
+        {
+          ref: detailsRef,
+          className: "eth-popover",
+          open,
+          onToggle: (event) => {
+            const nextOpen = event.currentTarget.open;
+            setOpen(nextOpen);
+            if (nextOpen) window.setTimeout(() => listRef.current?.focus(), 0);
+          },
+          children: [
+            /* @__PURE__ */ (0, import_jsx_runtime9.jsx)("summary", { "aria-haspopup": "menu", "aria-expanded": open, "aria-label": triggerLabel, children: /* @__PURE__ */ (0, import_jsx_runtime9.jsxs)("span", { className: "eth-identity-organization-switcher__trigger", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime9.jsx)("span", { className: "eth-identity-organization-switcher__avatar", "aria-hidden": "true", children: active ? initials3(active.label) : "ORG" }),
+              /* @__PURE__ */ (0, import_jsx_runtime9.jsxs)("span", { className: "eth-identity-organization-switcher__copy", children: [
+                /* @__PURE__ */ (0, import_jsx_runtime9.jsx)("span", { className: "eth-identity-organization-switcher__label", children: active?.label ?? "Select organization" }),
+                /* @__PURE__ */ (0, import_jsx_runtime9.jsx)("span", { className: "eth-identity-organization-switcher__meta", children: active?.description ?? `${organizations.length} organizations` })
+              ] }),
+              active?.status ? /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(import_core9.StatusDot, { status: active.status, label: formatStatus(active.status) }) : null,
+              /* @__PURE__ */ (0, import_jsx_runtime9.jsx)("span", { className: "eth-identity-organization-switcher__chevron", "aria-hidden": "true" })
+            ] }) }),
+            /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(
+              "div",
+              {
+                ref: listRef,
+                tabIndex: -1,
+                className: "eth-identity-organization-switcher__list",
+                role: "menu",
+                "aria-label": "Organizations",
+                onKeyDown: (event) => {
+                  if (event.key === "Escape") closeMenu();
+                },
+                children: organizations.length ? organizations.map((organization) => {
+                  const selected = organization.id === active?.id;
+                  return /* @__PURE__ */ (0, import_jsx_runtime9.jsxs)(
+                    "button",
+                    {
+                      type: "button",
+                      className: "eth-identity-organization-switcher__option",
+                      role: "menuitemradio",
+                      "aria-checked": selected,
+                      "aria-current": selected ? "true" : void 0,
+                      onClick: () => selectOrganization(organization),
+                      children: [
+                        /* @__PURE__ */ (0, import_jsx_runtime9.jsxs)("span", { className: "eth-identity-organization-switcher__option-main", children: [
+                          /* @__PURE__ */ (0, import_jsx_runtime9.jsx)("span", { className: "eth-identity-organization-switcher__option-label", children: organization.label }),
+                          organization.description ? /* @__PURE__ */ (0, import_jsx_runtime9.jsx)("span", { className: "eth-identity-organization-switcher__option-meta", children: organization.description }) : null
+                        ] }),
+                        /* @__PURE__ */ (0, import_jsx_runtime9.jsxs)("span", { className: "eth-identity-organization-switcher__option-state", children: [
+                          organization.status ? /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(
+                            import_core9.StatusDot,
+                            {
+                              status: organization.status,
+                              label: formatStatus(organization.status)
+                            }
+                          ) : null,
+                          /* @__PURE__ */ (0, import_jsx_runtime9.jsx)(
+                            "span",
+                            {
+                              className: "eth-identity-organization-switcher__option-check",
+                              "aria-hidden": "true"
+                            }
+                          )
+                        ] })
+                      ]
+                    },
+                    organization.id
+                  );
+                }) : /* @__PURE__ */ (0, import_jsx_runtime9.jsx)("div", { className: "eth-identity-organization-switcher__empty", role: "none", children: "No organizations available" })
+              }
+            )
+          ]
+        }
+      )
+    }
+  );
+}
+function initials3(label) {
+  const value = label.split(/\s+/).filter(Boolean).slice(0, 2).map((part) => part[0]?.toUpperCase()).join("");
+  return value || "ORG";
+}
+function formatStatus(status) {
+  return status.split("-").map((part) => `${part.slice(0, 1).toUpperCase()}${part.slice(1)}`).join(" ");
+}
+
+// src/components/AccountMenu.tsx
+var React5 = __toESM(require("react"), 1);
+var import_core10 = require("@echothink-ui/core");
+var import_jsx_runtime10 = require("react/jsx-runtime");
+function AccountMenu({ user, actions, defaultOpen = false, className }) {
+  const [open, setOpen] = React5.useState(defaultOpen);
+  const detailsRef = React5.useRef(null);
+  const contentRef = React5.useRef(null);
+  const userDescriptor = user.email ?? user.role ?? user.kind;
+  const closeMenu = React5.useCallback(() => {
+    setOpen(false);
+    detailsRef.current?.querySelector("summary")?.focus();
+  }, []);
+  return /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(
+    "div",
+    {
+      className: ["eth-identity-account-menu", className].filter(Boolean).join(" "),
+      "data-eth-component": "AccountMenu",
+      children: /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(
+        "details",
+        {
+          ref: detailsRef,
+          className: "eth-popover",
+          open,
+          onToggle: (event) => {
+            const nextOpen = event.currentTarget.open;
+            setOpen(nextOpen);
+            if (nextOpen) window.setTimeout(() => contentRef.current?.focus(), 0);
+          },
+          children: [
+            /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(
+              "summary",
+              {
+                "aria-haspopup": "menu",
+                "aria-expanded": open,
+                "aria-label": `Account menu for ${user.label}`,
+                children: /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)("span", { className: "eth-identity-account-menu__trigger", children: [
+                  /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(Avatar2, { label: user.label, src: user.avatar }),
+                  /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)("span", { className: "eth-identity-account-menu__trigger-copy", children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime10.jsx)("span", { className: "eth-identity-account-menu__trigger-label", children: user.label }),
+                    userDescriptor ? /* @__PURE__ */ (0, import_jsx_runtime10.jsx)("span", { className: "eth-identity-account-menu__trigger-meta", children: userDescriptor }) : null
+                  ] }),
+                  /* @__PURE__ */ (0, import_jsx_runtime10.jsx)("span", { className: "eth-identity-account-menu__chevron", "aria-hidden": "true" })
+                ] })
+              }
+            ),
+            /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(
+              "div",
+              {
+                ref: contentRef,
+                tabIndex: -1,
+                className: "eth-identity-account-menu__content",
+                onKeyDown: (event) => {
+                  if (event.key === "Escape") closeMenu();
+                },
+                children: [
+                  /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)("div", { className: "eth-identity-account-menu__profile", children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(Avatar2, { label: user.label, src: user.avatar }),
+                    /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)("div", { className: "eth-identity-account-menu__profile-copy", children: [
+                      /* @__PURE__ */ (0, import_jsx_runtime10.jsx)("strong", { children: user.label }),
+                      user.email ? /* @__PURE__ */ (0, import_jsx_runtime10.jsx)("p", { children: user.email }) : null,
+                      /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)("div", { className: "eth-identity-account-menu__meta", children: [
+                        user.role ? /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(RoleBadge, { role: user.role }) : null,
+                        user.status ? /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(import_core10.StatusDot, { status: user.status, label: user.status }) : null
+                      ] })
+                    ] })
+                  ] }),
+                  /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(
+                    "div",
+                    {
+                      className: "eth-identity-account-menu__actions",
+                      role: "menu",
+                      "aria-label": `Actions for ${user.label}`,
+                      children: actions.map((action) => /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(AccountMenuAction, { action, onClose: closeMenu }, action.id))
+                    }
+                  )
+                ]
+              }
+            )
+          ]
+        }
+      )
+    }
+  );
+}
+function AccountMenuAction({ action, onClose }) {
+  const className = [
+    "eth-identity-account-menu__action",
+    action.intent === "danger" ? "eth-identity-account-menu__action--danger" : null
+  ].filter(Boolean).join(" ");
+  if (action.href && !action.disabled) {
+    return /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(
+      "a",
+      {
+        className,
+        href: action.href,
+        role: "menuitem",
+        onClick: () => {
+          action.onSelect?.();
+          onClose();
+        },
+        children: action.label
+      }
+    );
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(
+    "button",
+    {
+      className,
+      type: "button",
+      disabled: action.disabled,
+      role: "menuitem",
+      onClick: () => {
+        action.onSelect?.();
+        onClose();
+      },
+      children: action.label
+    }
+  );
+}
+function Avatar2({ label, src }) {
+  if (src) return /* @__PURE__ */ (0, import_jsx_runtime10.jsx)("img", { className: "eth-identity-account-menu__avatar", src, alt: "" });
+  return /* @__PURE__ */ (0, import_jsx_runtime10.jsx)("span", { className: "eth-identity-account-menu__avatar", "aria-hidden": "true", children: initials4(label) });
+}
+function initials4(label) {
+  return label.split(/\s+/).filter(Boolean).slice(0, 2).map((part) => part[0]?.toUpperCase()).join("");
+}
+
+// src/components/SessionStatus.tsx
+var import_core11 = require("@echothink-ui/core");
+var import_jsx_runtime11 = require("react/jsx-runtime");
+var EXPIRING_SOON_MS = 24 * 60 * 60 * 1e3;
+function SessionStatus({
+  session,
+  title,
+  description,
+  className,
+  severity,
+  status,
+  ...props
+}) {
+  const expires = new Date(session.expiresAt);
+  const hasValidExpiration = Number.isFinite(expires.valueOf());
+  const expiresAt = hasValidExpiration ? expires.getTime() : null;
+  const now = Date.now();
+  const expired = expiresAt !== null && expiresAt < now;
+  const expiringSoon = expiresAt !== null && !expired && expiresAt - now <= EXPIRING_SOON_MS;
+  const needsReview = !session.mfaEnabled || expiringSoon || !hasValidExpiration;
+  const tone = expired ? "danger" : needsReview ? "warning" : "success";
+  const resolvedStatus = status ?? (expired ? "stale" : needsReview ? "warning" : "active");
+  const sessionState = expired ? "Expired" : expiringSoon ? "Expiring soon" : "Active";
+  const summaryTitle = summaryTitleForSession({ expired, needsReview });
+  const summaryDetail = summaryForSession({
+    expired,
+    expiringSoon,
+    hasValidExpiration,
+    mfaEnabled: session.mfaEnabled
+  });
+  const summaryClassName = [
+    "eth-identity-session-status__summary",
+    `eth-identity-session-status__summary--${tone}`
+  ].join(" ");
+  return /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)(
+    import_core11.Surface,
+    {
+      ...props,
+      title: title === void 0 ? "Session security" : title,
+      description: description === void 0 ? "Authentication freshness and recent access signal." : description,
+      severity,
+      status: resolvedStatus,
+      className: ["eth-identity-session-status", className].filter(Boolean).join(" "),
+      "data-eth-component": "SessionStatus",
+      children: [
+        /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("div", { className: summaryClassName, children: [
+          /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__summary-mark", "aria-hidden": "true" }),
+          /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("div", { className: "eth-identity-session-status__summary-copy", children: [
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("strong", { children: summaryTitle }),
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { children: summaryDetail })
+          ] })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("dl", { "aria-label": "Session details", children: [
+          /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("div", { children: [
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("dt", { children: "Session" }),
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("dd", { className: "eth-identity-session-status__value", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__value-main", children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(import_core11.Badge, { severity: tone, children: sessionState }) }),
+              /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__detail", children: expired ? "Credentials are no longer valid." : "Authenticated session lifecycle." })
+            ] })
+          ] }),
+          /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("div", { children: [
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("dt", { children: "Expires" }),
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("dd", { className: "eth-identity-session-status__value", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__value-main", children: hasValidExpiration ? /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(
+                "time",
+                {
+                  "aria-label": "Session expiration",
+                  dateTime: session.expiresAt,
+                  title: session.expiresAt,
+                  children: formatSessionDate(expires)
+                }
+              ) : /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { children: "Unknown" }) }),
+              /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__detail", children: expirationDetail({ expired, expiringSoon, hasValidExpiration }) })
+            ] })
+          ] }),
+          /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("div", { children: [
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("dt", { children: "MFA" }),
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("dd", { className: "eth-identity-session-status__value", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__value-main", children: /* @__PURE__ */ (0, import_jsx_runtime11.jsx)(import_core11.Badge, { severity: session.mfaEnabled ? "success" : "warning", children: session.mfaEnabled ? "Enabled" : "Disabled" }) }),
+              /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__detail", children: session.mfaEnabled ? "Second factor challenge is enforced." : "No second factor is enforced for this session." })
+            ] })
+          ] }),
+          /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("div", { children: [
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("dt", { children: "Last IP" }),
+            /* @__PURE__ */ (0, import_jsx_runtime11.jsxs)("dd", { className: "eth-identity-session-status__value", children: [
+              /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__value-main", children: session.lastIp ? /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("code", { className: "eth-identity-session-status__code", children: session.lastIp }) : /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__muted", children: "Not recorded" }) }),
+              /* @__PURE__ */ (0, import_jsx_runtime11.jsx)("span", { className: "eth-identity-session-status__detail", children: "Latest network signal captured for the session." })
+            ] })
+          ] })
+        ] })
+      ]
+    }
+  );
+}
+function formatSessionDate(value) {
+  return new Intl.DateTimeFormat(void 0, {
+    day: "2-digit",
+    hour: "2-digit",
+    minute: "2-digit",
+    month: "short",
+    timeZoneName: "short",
+    year: "numeric"
+  }).format(value);
+}
+function summaryTitleForSession({
+  expired,
+  needsReview
+}) {
+  if (expired) return "Session expired";
+  if (needsReview) return "Review required";
+  return "Session active";
+}
+function summaryForSession({
+  expired,
+  expiringSoon,
+  hasValidExpiration,
+  mfaEnabled
+}) {
+  if (!hasValidExpiration) return "Expiration could not be verified from the provided timestamp.";
+  if (expired) return "Access should be refreshed or revoked before more work continues.";
+  if (!mfaEnabled) return "MFA is disabled, so this session needs security review.";
+  if (expiringSoon) return "The session is valid but expires within the next 24 hours.";
+  return "MFA is enabled and the session remains within its validity window.";
+}
+function expirationDetail({
+  expired,
+  expiringSoon,
+  hasValidExpiration
+}) {
+  if (!hasValidExpiration) return "Timestamp could not be parsed.";
+  if (expired) return "Past the identity provider expiry.";
+  if (expiringSoon) return "Expires within 24 hours.";
+  return "Valid until scheduled expiry.";
+}
+
+// src/components/AuditTrail.tsx
+var import_core12 = require("@echothink-ui/core");
+var import_data = require("@echothink-ui/data");
+var import_jsx_runtime12 = require("react/jsx-runtime");
+function AuditTrail({
+  entries,
+  title = "Audit trail",
+  subtitle,
+  description = "Identity and access audit history ordered by latest event.",
+  density = "compact",
+  metadata,
+  className,
+  role,
+  "aria-label": ariaLabel,
+  ...props
+}) {
+  const rows = entries.map((entry) => ({ ...entry }));
+  const successCount = entries.filter((entry) => entry.outcome === "success").length;
+  const failureCount = entries.length - successCount;
+  const resolvedSubtitle = subtitle ?? `${entries.length} ${entries.length === 1 ? "event" : "events"}`;
+  const resolvedMetadata = metadata ?? [
+    { label: "Events", value: entries.length },
+    { label: "Successful", value: successCount },
+    { label: "Failures", value: failureCount }
+  ];
+  const columns = [
+    {
+      key: "timestamp",
+      header: "Time",
+      width: "8.5rem",
+      render: (row) => /* @__PURE__ */ (0, import_jsx_runtime12.jsx)("time", { className: "eth-identity-audit-trail__time", children: row.timestamp })
+    },
+    {
+      key: "actor",
+      header: "Actor",
+      width: "9rem",
+      render: (row) => /* @__PURE__ */ (0, import_jsx_runtime12.jsx)("span", { className: "eth-identity-audit-trail__actor", children: row.actor })
+    },
+    {
+      key: "action",
+      header: "Action",
+      width: "11rem",
+      render: (row) => /* @__PURE__ */ (0, import_jsx_runtime12.jsx)("span", { className: "eth-identity-audit-trail__action", children: row.action })
+    },
+    {
+      key: "resource",
+      header: "Resource",
+      render: (row) => /* @__PURE__ */ (0, import_jsx_runtime12.jsx)("span", { className: "eth-identity-audit-trail__resource", children: row.resource })
+    },
+    {
+      key: "outcome",
+      header: "Outcome",
+      width: "8rem",
+      render: (row) => /* @__PURE__ */ (0, import_jsx_runtime12.jsx)("span", { className: "eth-identity-audit-trail__outcome", children: /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(import_core12.Badge, { severity: outcomeSeverity(row.outcome), children: outcomeLabel(row.outcome) }) })
+    }
+  ];
+  return /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(
+    import_core12.Surface,
+    {
+      ...props,
+      title,
+      subtitle: resolvedSubtitle,
+      description,
+      density,
+      metadata: resolvedMetadata,
+      className: ["eth-identity-audit-trail", className].filter(Boolean).join(" "),
+      "data-eth-component": "AuditTrail",
+      role: role ?? "region",
+      "aria-label": ariaLabel ?? (typeof title === "string" ? title : "Audit trail"),
+      children: /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(
+        import_data.DataTable,
+        {
+          rows,
+          columns,
+          density,
+          emptyState: /* @__PURE__ */ (0, import_jsx_runtime12.jsx)(
+            import_core12.EmptyState,
+            {
+              title: "No audit events",
+              description: "Identity and access events will appear here when they are recorded."
+            }
+          )
+        }
+      )
+    }
+  );
+}
+function outcomeSeverity(outcome) {
+  return outcome === "success" ? "success" : "danger";
+}
+function outcomeLabel(outcome) {
+  return outcome === "success" ? "Success" : "Failure";
+}
+
+// src/components/PolicyRuleViewer.tsx
+var import_core13 = require("@echothink-ui/core");
+var import_jsx_runtime13 = require("react/jsx-runtime");
+function effectLabel(effect) {
+  return effect === "allow" ? "Allow" : "Deny";
+}
+function renderRuleValues(values, label) {
+  if (!values.length) {
+    return /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("span", { className: "eth-identity-policy-rule-viewer__empty", children: "Not specified" });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("ul", { className: "eth-identity-policy-rule-viewer__values", "aria-label": `${label} list`, children: values.map((value) => /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("li", { children: /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("code", { children: value }) }, value)) });
+}
+function PolicyRuleViewer({ rule, title, className, ...props }) {
+  const effect = effectLabel(rule.effect);
+  return /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(
+    import_core13.Surface,
+    {
+      ...props,
+      title: title ?? `Policy rule ${rule.id}`,
+      className: ["eth-identity-policy-rule-viewer", className].filter(Boolean).join(" "),
+      "data-eth-component": "PolicyRuleViewer",
+      children: /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)("dl", { className: "eth-identity-policy-rule-viewer__facet-list", children: [
+        /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)(
+          "div",
+          {
+            className: "eth-identity-policy-rule-viewer__facet eth-identity-policy-rule-viewer__facet--effect",
+            children: [
+              /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dt", { children: "Effect" }),
+              /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dd", { children: /* @__PURE__ */ (0, import_jsx_runtime13.jsx)(
+                import_core13.Badge,
+                {
+                  "aria-label": `Rule effect: ${effect}`,
+                  className: "eth-identity-policy-rule-viewer__effect",
+                  severity: rule.effect === "allow" ? "success" : "danger",
+                  children: effect
+                }
+              ) })
+            ]
+          }
+        ),
+        /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)("div", { children: [
+          /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dt", { children: "Subjects" }),
+          /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dd", { children: renderRuleValues(rule.subjects, "Subjects") })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)("div", { children: [
+          /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dt", { children: "Actions" }),
+          /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dd", { children: renderRuleValues(rule.actions, "Actions") })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)("div", { children: [
+          /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dt", { children: "Resources" }),
+          /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dd", { children: renderRuleValues(rule.resources, "Resources") })
+        ] }),
+        rule.conditions ? /* @__PURE__ */ (0, import_jsx_runtime13.jsxs)("div", { children: [
+          /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dt", { children: "Conditions" }),
+          /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("dd", { children: /* @__PURE__ */ (0, import_jsx_runtime13.jsx)("code", { className: "eth-identity-policy-rule-viewer__condition", children: rule.conditions }) })
+        ] }) : null
+      ] })
+    }
+  );
+}
+
+// src/components/ApprovalPolicyEditor.tsx
+var import_react = require("react");
+var import_core14 = require("@echothink-ui/core");
+var import_forms = require("@echothink-ui/forms");
+var import_jsx_runtime14 = require("react/jsx-runtime");
+function ApprovalPolicyEditor({
+  policy,
+  schema,
+  onChange,
+  title,
+  description,
+  actions,
+  className,
+  ...props
+}) {
+  const generatedId = (0, import_react.useId)().replace(/[^a-zA-Z0-9_-]/g, "");
+  const policyDomId = `eth-identity-policy-${String(policy.id ?? generatedId).replace(/[^a-zA-Z0-9_-]/g, "-")}`;
+  const variables = schema.variables ?? Object.keys(schema.properties ?? {});
+  const rules = policy.rules ?? [];
+  const approvers = policy.approvers ?? [];
+  const requiredApprovals = policy.requiredApprovals ?? 1;
+  const update = (patch) => onChange?.({ ...policy, ...patch });
+  return /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)(
+    import_core14.Surface,
+    {
+      ...props,
+      title: title ?? "Approval policy",
+      description: description ?? schema.description ?? "Configure approval thresholds, reviewers, and workflow rules for governed actions.",
+      actions: actions ?? policy.actions,
+      className: ["eth-identity-approval-policy-editor", className].filter(Boolean).join(" "),
+      "data-eth-component": "ApprovalPolicyEditor",
+      children: [
+        /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)("div", { className: "eth-identity-approval-policy-editor__layout", children: [
+          /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)("div", { className: "eth-identity-approval-policy-editor__fields", children: [
+            /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(import_core14.FormField, { id: `${policyDomId}-name`, label: "Policy name", required: true, children: /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(
+              import_core14.TextInput,
+              {
+                id: `${policyDomId}-name`,
+                value: policy.name ?? "",
+                onChange: (event) => update({ name: event.currentTarget.value })
+              }
+            ) }),
+            /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(import_core14.FormField, { id: `${policyDomId}-description`, label: "Description", children: /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(
+              import_core14.Textarea,
+              {
+                id: `${policyDomId}-description`,
+                value: policy.description ?? "",
+                onChange: (event) => update({ description: event.currentTarget.value })
+              }
+            ) }),
+            /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(
+              import_core14.FormField,
+              {
+                id: `${policyDomId}-required`,
+                label: "Required approvals",
+                helperText: "Minimum number of reviewers who must approve before the workflow can continue.",
+                children: /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(
+                  import_core14.NumberInput,
+                  {
+                    id: `${policyDomId}-required`,
+                    min: 1,
+                    value: requiredApprovals,
+                    onChange: (event) => update({ requiredApprovals: Number(event.currentTarget.value) })
+                  }
+                )
+              }
+            )
+          ] }),
+          /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)(
+            "aside",
+            {
+              className: "eth-identity-approval-policy-editor__summary",
+              "aria-label": "Approval policy summary",
+              children: [
+                /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)("div", { className: "eth-identity-approval-policy-editor__summary-header", children: [
+                  /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("h3", { children: "Workflow gates" }),
+                  /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(import_core14.Badge, { severity: rules.length ? "success" : "warning", children: rules.length ? "Configured" : "Needs rules" })
+                ] }),
+                /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)("dl", { className: "eth-identity-approval-policy-editor__summary-grid", children: [
+                  /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)("div", { children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("dt", { children: "Required approvals" }),
+                    /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("dd", { children: requiredApprovals })
+                  ] }),
+                  /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)("div", { children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("dt", { children: "Rules" }),
+                    /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("dd", { children: rules.length })
+                  ] }),
+                  /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)("div", { children: [
+                    /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("dt", { children: "Approvers" }),
+                    /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("dd", { children: approvers.length ? approvers.length : "Unassigned" })
+                  ] })
+                ] }),
+                /* @__PURE__ */ (0, import_jsx_runtime14.jsxs)("div", { className: "eth-identity-approval-policy-editor__approvers", children: [
+                  /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("span", { children: "Reviewer pool" }),
+                  approvers.length ? /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("div", { className: "eth-identity-approval-policy-editor__approver-list", children: approvers.map((approver) => /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(import_core14.Tag, { children: approver.label }, approver.id)) }) : /* @__PURE__ */ (0, import_jsx_runtime14.jsx)("p", { children: "No approvers assigned to this policy." })
+                ] })
+              ]
+            }
+          )
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime14.jsx)(
+          import_forms.RuleBuilder,
+          {
+            className: "eth-identity-approval-policy-editor__rules",
+            rules,
+            variables,
+            onChange: (nextRules) => update({ rules: nextRules })
+          }
+        )
+      ]
+    }
+  );
+}
+
+// src/index.tsx
+var IdentityComponentNames = [
+  "IdentityCard",
+  "UserPicker",
+  "GroupPicker",
+  "TeamList",
+  "RoleBadge",
+  "PermissionMatrix",
+  "AccessReviewPanel",
+  "InviteUserPanel",
+  "OrganizationSwitcher",
+  "AccountMenu",
+  "SessionStatus",
+  "AuditTrail",
+  "PolicyRuleViewer",
+  "ApprovalPolicyEditor"
+];
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AccessReviewPanel,
+  AccountMenu,
+  ApprovalPolicyEditor,
+  AuditTrail,
+  GroupPicker,
+  IdentityCard,
+  IdentityComponentNames,
+  InviteUserPanel,
+  OrganizationSwitcher,
+  PermissionMatrix,
+  PolicyRuleViewer,
+  RoleBadge,
+  SessionStatus,
+  TeamList,
+  UserPicker
+});
+//# sourceMappingURL=index.cjs.map