@elevasis/ui 2.35.0 → 2.37.0

package/dist/chunk-LCJQ6OWC.js

@@ -0,0 +1,348 @@
+import { useOptionalElevasisSystems } from './chunk-NYNOMAAS.js';
+import { InitializationContext } from './chunk-533DUEQY.js';
+import { DEFAULT_ORGANIZATION_MODEL, listAllSystems, getSystem } from './chunk-NWMPBG4U.js';
+import { OrganizationContext } from './chunk-DD3CCMCZ.js';
+import { STALE_TIME_DEFAULT } from './chunk-6ROXVZ3L.js';
+import { ElevasisServiceContext } from './chunk-KJ3QUBNU.js';
+import { useContext, useMemo } from 'react';
+import { useQuery } from '@tanstack/react-query';
+import { z } from 'zod';
+
+// ../core/src/auth/multi-tenancy/permissions.ts
+var PERMISSIONS = {
+  ORG_READ: "org.read",
+  ORG_MANAGE: "org.manage",
+  ORG_DELETE: "org.delete",
+  MEMBERS_MANAGE: "members.manage",
+  ROLES_MANAGE: "roles.manage",
+  SECRETS_MANAGE: "secrets.manage",
+  OPERATIONS_READ: "operations.read",
+  OPERATIONS_MANAGE: "operations.manage",
+  ACQUISITION_MANAGE: "acquisition.manage",
+  PROJECTS_MANAGE: "projects.manage",
+  CLIENTS_MANAGE: "clients.manage"
+};
+var PERMISSION_CATALOG = [
+  {
+    key: "org.read",
+    description: "Read organization profile and listings",
+    isOrgGrantable: true
+  },
+  {
+    key: "org.manage",
+    description: "Update organization settings",
+    isOrgGrantable: false
+  },
+  {
+    key: "org.delete",
+    description: "Delete the organization (owner-only)",
+    isOrgGrantable: false
+  },
+  {
+    key: "members.manage",
+    description: "Invite, remove, and reassign roles for members",
+    isOrgGrantable: false
+  },
+  {
+    key: "roles.manage",
+    description: "Grant or revoke privileged system roles (owner, admin) within the organization",
+    isOrgGrantable: false
+  },
+  {
+    key: "secrets.manage",
+    description: "Create, update, and delete API keys and credentials",
+    isOrgGrantable: false
+  },
+  {
+    key: "operations.read",
+    description: "View executions, sessions, schedules, and command queue",
+    isOrgGrantable: true
+  },
+  {
+    key: "operations.manage",
+    description: "Run and modify executions, sessions, schedules, queue",
+    isOrgGrantable: true
+  },
+  {
+    key: "acquisition.manage",
+    description: "Create, update, and delete acquisition records (acq_companies, acq_contacts, acq_deals, acq_lists*, acq_content*, acquisition storage files)",
+    isOrgGrantable: false
+  },
+  {
+    key: "projects.manage",
+    description: "Create, update, and delete project records (prj_projects, prj_milestones, prj_tasks, prj_notes)",
+    isOrgGrantable: false
+  },
+  {
+    key: "clients.manage",
+    description: "Create, update, and delete client hub records (clients, clt_* satellites)",
+    isOrgGrantable: false
+  }
+];
+new Set(PERMISSION_CATALOG.map((p) => p.key));
+var DEFAULT_ACCESS_ACTION = "view";
+var PLATFORM_ADMIN_ACCESS_KEY = "platform.admin";
+var PLATFORM_ADMIN_ACCESS_KEY_SHORTHAND = "platformAdmin";
+var AccessActionSchema = z.enum(["view", "manage"]);
+var AccessKeyObjectSchema = z.object({
+  systemPath: z.string().trim().min(1),
+  action: AccessActionSchema.default(DEFAULT_ACCESS_ACTION)
+}).strict();
+var AccessKeyInputSchema = z.union([z.string().trim().min(1), AccessKeyObjectSchema]);
+var NormalizedAccessKeySchema = AccessKeyObjectSchema;
+var DIAGNOSTIC_VIEW_ACCESS_KEYS = [
+  "diagnostic.operations.overview",
+  "diagnostic.operations.recent-executions",
+  "diagnostic.monitoring.execution-logs",
+  "diagnostic.monitoring.notifications"
+];
+var AccessKeys = {
+  platformAdmin: { systemPath: PLATFORM_ADMIN_ACCESS_KEY, action: DEFAULT_ACCESS_ACTION },
+  organizationManage: { systemPath: "permission.org", action: "manage" },
+  membersManage: { systemPath: "permission.members", action: "manage" },
+  rolesManage: { systemPath: "permission.roles", action: "manage" },
+  secretsManage: { systemPath: "permission.secrets", action: "manage" },
+  operationsRead: { systemPath: "permission.operations", action: DEFAULT_ACCESS_ACTION },
+  operationsManage: { systemPath: "permission.operations", action: "manage" },
+  acquisitionManage: { systemPath: "permission.acquisition", action: "manage" },
+  projectsManage: { systemPath: "permission.projects", action: "manage" },
+  clientsManage: { systemPath: "permission.clients", action: "manage" },
+  operationsOverview: { systemPath: "diagnostic.operations.overview", action: DEFAULT_ACCESS_ACTION },
+  operationsRecentExecutions: { systemPath: "diagnostic.operations.recent-executions", action: DEFAULT_ACCESS_ACTION },
+  monitoringExecutionLogs: { systemPath: "diagnostic.monitoring.execution-logs", action: DEFAULT_ACCESS_ACTION },
+  monitoringNotifications: { systemPath: "diagnostic.monitoring.notifications", action: DEFAULT_ACCESS_ACTION }
+};
+var PERMISSION_ACCESS_KEY_DEFINITIONS = [
+  { key: AccessKeys.organizationManage, rolePermission: PERMISSIONS.ORG_MANAGE },
+  { key: AccessKeys.membersManage, rolePermission: PERMISSIONS.MEMBERS_MANAGE },
+  { key: AccessKeys.rolesManage, rolePermission: PERMISSIONS.ROLES_MANAGE },
+  { key: AccessKeys.secretsManage, rolePermission: PERMISSIONS.SECRETS_MANAGE },
+  { key: AccessKeys.operationsRead, rolePermission: PERMISSIONS.OPERATIONS_READ },
+  { key: AccessKeys.operationsManage, rolePermission: PERMISSIONS.OPERATIONS_MANAGE },
+  { key: AccessKeys.acquisitionManage, rolePermission: PERMISSIONS.ACQUISITION_MANAGE },
+  { key: AccessKeys.projectsManage, rolePermission: PERMISSIONS.PROJECTS_MANAGE },
+  { key: AccessKeys.clientsManage, rolePermission: PERMISSIONS.CLIENTS_MANAGE }
+];
+function normalizeAccessKey(input) {
+  const parsed = AccessKeyInputSchema.parse(input);
+  const normalized = typeof parsed === "string" ? {
+    systemPath: parsed === PLATFORM_ADMIN_ACCESS_KEY_SHORTHAND ? PLATFORM_ADMIN_ACCESS_KEY : parsed,
+    action: DEFAULT_ACCESS_ACTION
+  } : parsed;
+  return NormalizedAccessKeySchema.parse(normalized);
+}
+function rolePermissionForAccessKey(key) {
+  if (key.action === DEFAULT_ACCESS_ACTION) return void 0;
+  return `${key.systemPath}.${key.action}`;
+}
+function groupCatalogEntries(entries) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const entry of entries) {
+    const existing = grouped.get(entry.key.systemPath) ?? [];
+    existing.push(entry);
+    grouped.set(entry.key.systemPath, existing);
+  }
+  return grouped;
+}
+function buildCatalogEntry(systemPath, action, source) {
+  const key = normalizeAccessKey({ systemPath, action });
+  return {
+    key,
+    source,
+    rolePermission: rolePermissionForAccessKey(key)
+  };
+}
+function deriveAccessKeyCatalog(organizationModel, options = {}) {
+  const { diagnosticKeys = DIAGNOSTIC_VIEW_ACCESS_KEYS, includeManageActions = true } = options;
+  const entries = [
+    buildCatalogEntry(PLATFORM_ADMIN_ACCESS_KEY, DEFAULT_ACCESS_ACTION, "platform")
+  ];
+  for (const { path } of listAllSystems(organizationModel)) {
+    entries.push(buildCatalogEntry(path, DEFAULT_ACCESS_ACTION, "om-system"));
+    if (includeManageActions) {
+      entries.push(buildCatalogEntry(path, "manage", "om-system"));
+    }
+  }
+  for (const { key, rolePermission } of PERMISSION_ACCESS_KEY_DEFINITIONS) {
+    entries.push({
+      key,
+      source: "permission",
+      rolePermission
+    });
+  }
+  for (const systemPath of diagnosticKeys) {
+    entries.push(buildCatalogEntry(systemPath, DEFAULT_ACCESS_ACTION, "diagnostic"));
+  }
+  return {
+    bySystemPath: groupCatalogEntries(entries),
+    entries
+  };
+}
+function findAccessCatalogEntry(catalog, key) {
+  return catalog.bySystemPath.get(key.systemPath)?.find((entry) => entry.key.action === key.action);
+}
+
+// ../core/src/auth/access-model.ts
+var ALLOWED = { allowed: true, restrictedBy: null, reason: "allowed" };
+var PLATFORM_ADMIN_BYPASS = {
+  allowed: true,
+  restrictedBy: null,
+  reason: "platform-admin-bypass"
+};
+function deny(restrictedBy, reason) {
+  return { allowed: false, restrictedBy, reason };
+}
+function isPlatformAdmin(profile) {
+  return profile?.isPlatformAdmin === true || profile?.is_platform_admin === true;
+}
+function diagnosticAllowlistHas(allowlist, systemPath) {
+  if (allowlist === void 0) return false;
+  return "has" in allowlist ? allowlist.has(systemPath) : allowlist.includes(systemPath);
+}
+function lifecycleAllowsAccess(lifecycle, ctx) {
+  if (lifecycle === "active") return true;
+  if (lifecycle === "beta") return ctx.betaAccessEnabled === true || ctx.isDevelopment === true;
+  return false;
+}
+function getPermissionSource(ctx) {
+  return ctx.permissions ?? ctx.membership?.effectivePermissions;
+}
+function hasRequiredPermission(key, rolePermission, ctx) {
+  const permissionSource = getPermissionSource(ctx);
+  if (permissionSource === void 0 || permissionSource === null) return true;
+  const requiredPermission = rolePermission ?? `${key.systemPath}.${key.action}`;
+  return permissionSource.includes(requiredPermission);
+}
+function hasExplicitRequiredPermission(rolePermission, ctx) {
+  const permissionSource = getPermissionSource(ctx);
+  return rolePermission !== void 0 && permissionSource !== void 0 && permissionSource !== null ? permissionSource.includes(rolePermission) : false;
+}
+function checkAccess(input, ctx) {
+  if (isPlatformAdmin(ctx.profile)) return PLATFORM_ADMIN_BYPASS;
+  const parsed = (() => {
+    try {
+      return normalizeAccessKey(input);
+    } catch {
+      return null;
+    }
+  })();
+  if (parsed === null) return deny("catalog", "invalid-access-key");
+  const catalog = ctx.accessCatalog ?? deriveAccessKeyCatalog(ctx.organizationModel);
+  const catalogEntry = findAccessCatalogEntry(catalog, parsed);
+  if (catalogEntry === void 0) return deny("catalog", "unknown-access-key");
+  const membership = ctx.membership;
+  if (membership === void 0 || membership === null) return deny("membership", "missing-membership");
+  if (membership.organizationId !== ctx.organizationId) return deny("membership", "organization-mismatch");
+  if (parsed.systemPath === PLATFORM_ADMIN_ACCESS_KEY) {
+    return deny("role-permission", "role-permission-denied");
+  }
+  if (catalogEntry.source === "diagnostic") {
+    if (!diagnosticAllowlistHas(ctx.diagnosticAllowlist, parsed.systemPath)) {
+      return deny("diagnostic-allowlist", "diagnostic-key-not-allowed");
+    }
+    if (parsed.action !== DEFAULT_ACCESS_ACTION && !hasRequiredPermission(parsed, catalogEntry.rolePermission, ctx)) {
+      return deny("role-permission", "role-permission-denied");
+    }
+    return ALLOWED;
+  }
+  if (catalogEntry.source === "permission") {
+    if (!hasExplicitRequiredPermission(catalogEntry.rolePermission, ctx)) {
+      return deny("role-permission", "role-permission-denied");
+    }
+    return ALLOWED;
+  }
+  const system = getSystem(ctx.organizationModel, parsed.systemPath);
+  if (system === void 0 || !lifecycleAllowsAccess(system.lifecycle, ctx)) {
+    return deny("system-lifecycle", "system-not-active");
+  }
+  if (parsed.action !== DEFAULT_ACCESS_ACTION && !hasRequiredPermission(parsed, catalogEntry.rolePermission, ctx)) {
+    return deny("role-permission", "role-permission-denied");
+  }
+  return ALLOWED;
+}
+function createAccessModel(organizationModel) {
+  const catalog = deriveAccessKeyCatalog(organizationModel);
+  return {
+    catalog,
+    checkAccess: (key, ctx) => checkAccess(key, { ...ctx, organizationModel, accessCatalog: catalog })
+  };
+}
+
+// src/hooks/access/useAccess.ts
+var MISSING_CONTEXT_ANSWER = {
+  allowed: false,
+  restrictedBy: "membership",
+  reason: "missing-membership"
+};
+function readStringArray(value) {
+  return Array.isArray(value) && value.every((item) => typeof item === "string") ? value : void 0;
+}
+function membershipPermissions(membership) {
+  if (!membership || typeof membership !== "object") return void 0;
+  const record = membership;
+  return readStringArray(record.effectivePermissions) ?? readStringArray(record.effective_permissions);
+}
+function resolveOrganizationId(organization) {
+  const membership = organization?.currentMembership;
+  return organization?.currentSupabaseOrganizationId ?? membership?.organizationId ?? membership?.organization?.id ?? null;
+}
+function toAccessMembership(membership, organizationId, permissions) {
+  if (!membership || !organizationId) return null;
+  return {
+    id: membership.id,
+    organizationId: membership.organizationId ?? organizationId,
+    role: membership.role?.slug ?? null,
+    effectivePermissions: permissions
+  };
+}
+function useAccess(key) {
+  const initialization = useContext(InitializationContext);
+  const organization = useContext(OrganizationContext);
+  const services = useContext(ElevasisServiceContext);
+  const systems = useOptionalElevasisSystems();
+  const profile = initialization?.profile ?? null;
+  const isPlatformAdmin2 = profile?.is_platform_admin === true;
+  const organizationId = resolveOrganizationId(organization);
+  const membership = organization?.currentMembership ?? null;
+  const organizationModel = systems?.organizationModel ?? DEFAULT_ORGANIZATION_MODEL;
+  const permissionsFromMembership = useMemo(() => membershipPermissions(membership), [membership]);
+  const shouldFetchPermissions = Boolean(services?.isReady && organizationId && !isPlatformAdmin2);
+  const permissionsQuery = useQuery({
+    queryKey: ["access-permissions", organizationId],
+    queryFn: () => services.apiRequest(`/memberships/my-permissions/${organizationId}`),
+    enabled: shouldFetchPermissions,
+    staleTime: STALE_TIME_DEFAULT
+  });
+  const permissions = useMemo(
+    () => isPlatformAdmin2 ? Object.values(PERMISSIONS) : permissionsQuery.data?.permissions ?? permissionsFromMembership ?? [],
+    [isPlatformAdmin2, permissionsFromMembership, permissionsQuery.data?.permissions]
+  );
+  const accessMembership = useMemo(
+    () => toAccessMembership(membership, organizationId, permissions),
+    [membership, organizationId, permissions]
+  );
+  const accessModel = useMemo(() => createAccessModel(organizationModel), [organizationModel]);
+  const answer = useMemo(() => {
+    if (!organizationId && !isPlatformAdmin2) return MISSING_CONTEXT_ANSWER;
+    return accessModel.checkAccess(key, {
+      organizationId: organizationId ?? "",
+      organizationModel,
+      membership: accessMembership,
+      profile,
+      permissions,
+      diagnosticAllowlist: DIAGNOSTIC_VIEW_ACCESS_KEYS,
+      isDevelopment: import.meta.env?.DEV ?? false
+    });
+  }, [accessMembership, accessModel, isPlatformAdmin2, key, organizationId, organizationModel, permissions, profile]);
+  const providerReady = initialization?.organizationReady ?? Boolean(organizationId && accessMembership && systems?.organizationModel);
+  const permissionsReady = !shouldFetchPermissions || !permissionsQuery.isPending;
+  const isReady = isPlatformAdmin2 ? initialization?.userReady ?? true : providerReady && permissionsReady;
+  return {
+    ...answer,
+    isReady,
+    isPlatformAdmin: isPlatformAdmin2,
+    permissions
+  };
+}
+
+export { AccessKeys, useAccess };

package/dist/chunk-LNC6PZAE.js

@@ -0,0 +1,85 @@
+import { useRouterContext } from './chunk-Q7DJKLEN.js';
+import { useOptionalElevasisSystems } from './chunk-NYNOMAAS.js';
+import { useMemo } from 'react';
+
+var useBreadcrumbs = (options = {}) => {
+  const { currentPath } = useRouterContext();
+  const systemContext = useOptionalElevasisSystems();
+  const { labelsByPath = {} } = options;
+  return useMemo(() => {
+    const shellModel = systemContext?.shellModel;
+    const overriddenLabel = labelsByPath[currentPath];
+    if (overriddenLabel) {
+      return [{ label: overriddenLabel, isActive: true }];
+    }
+    if (shellModel) {
+      const matchedNode = shellModel.findByPath(currentPath);
+      if (matchedNode) {
+        return shellModel.ancestorsOf(matchedNode.id).map((node, index, items) => ({
+          label: labelsByPath[node.path ?? ""] ?? node.label,
+          path: index === items.length - 1 ? void 0 : node.path,
+          isActive: index === items.length - 1
+        }));
+      }
+    }
+    const segments = currentPath.split("/").filter(Boolean);
+    if (segments.length === 0) {
+      return [{ label: "Dashboard", isActive: true }];
+    }
+    const breadcrumbs = [{ label: "Dashboard", path: "/" }];
+    let currentSegmentPath = "";
+    for (let i = 0; i < segments.length; i++) {
+      currentSegmentPath += `/${segments[i]}`;
+      const isLast = i === segments.length - 1;
+      const label = labelsByPath[currentSegmentPath] ?? formatSegmentLabel(segments[i]);
+      breadcrumbs.push({
+        label,
+        path: isLast ? void 0 : currentSegmentPath,
+        isActive: isLast
+      });
+    }
+    return breadcrumbs;
+  }, [currentPath, systemContext, labelsByPath]);
+};
+function formatSegmentLabel(segment) {
+  const decodedSegment = safeDecodeURIComponent(segment);
+  const routeLabel = formatRouteIdLabel(decodedSegment);
+  if (routeLabel) return routeLabel;
+  return titleCaseSegment(decodedSegment);
+}
+function safeDecodeURIComponent(value) {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+function formatRouteIdLabel(segment) {
+  if (segment.startsWith("group:")) {
+    const groupKey = segment.slice("group:".length);
+    return groupKey === "graph" ? "Ontology" : titleCaseSegment(groupKey);
+  }
+  if (segment.startsWith("domain:")) {
+    return titleCaseSegment(segment.slice("domain:".length));
+  }
+  if (segment.startsWith("item:")) {
+    const rest = segment.slice("item:".length);
+    const separatorIndex = rest.indexOf(":");
+    const itemId = separatorIndex === -1 ? rest : rest.slice(separatorIndex + 1);
+    return formatOntologyOrIdLabel(itemId);
+  }
+  if (segment.startsWith("ontology:")) {
+    return formatOntologyOrIdLabel(segment);
+  }
+  return void 0;
+}
+function formatOntologyOrIdLabel(value) {
+  const localId = value.includes("/") ? value.slice(value.lastIndexOf("/") + 1) : value;
+  const suffix = localId.includes(":") ? localId.slice(localId.lastIndexOf(":") + 1) : localId;
+  return titleCaseSegment(suffix);
+}
+function titleCaseSegment(segment) {
+  return segment.split("-").flatMap((part) => part.split("_")).flatMap((part) => part.split(".")).map((word) => word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
+}
+
+export { useBreadcrumbs };