@gelabs/ovr 0.2.2 → 0.4.0

package/dist/{chunk-IB4JVGKJ.js → chunk-YGYA7KEG.js}

@@ -1,4 +1,4 @@
-import { makeOvrTicketNo, addDays, makeBillNo, makeOrderOfPaymentNo, enrich } from './chunk-B634JHKZ.js';
+import { makeOvrTicketNo, addDays, makeBillNo, makeOrderOfPaymentNo, enrich, fullName } from './chunk-BI4EGLPG.js';
 import Dexie from 'dexie';
 import { useState, useEffect } from 'react';
 import { useLiveQuery } from 'dexie-react-hooks';
@@ -186,6 +186,10 @@ async function issueTicketOffline(input, rules) {
     record.placeOfViolation = input.placeOfViolation.trim();
   if (input.remarks?.trim()) record.remarks = input.remarks.trim();
   if (input.issuedBy?.trim()) record.issuedBy = input.issuedBy.trim();
+  if (input.apprehendingEnforcerId)
+    record.apprehendingEnforcerId = input.apprehendingEnforcerId;
+  if (input.apprehendingEnforcerName?.trim())
+    record.apprehendingEnforcerName = input.apprehendingEnforcerName.trim();
   const ticket = enrich(record, now, rules.surchargeRatePerMonth);
   await db.transaction("rw", db.tickets, db.outbox, async () => {
     await db.tickets.put(ticket);
@@ -201,7 +205,9 @@ async function issueTicketOffline(input, rules) {
         ...record.placeOfViolation ? { placeOfViolation: record.placeOfViolation } : {},
         officerId: input.officerId,
         violations: input.violations,
-        ...record.remarks ? { remarks: record.remarks } : {}
+        ...record.remarks ? { remarks: record.remarks } : {},
+        ...record.apprehendingEnforcerId ? { apprehendingEnforcerId: record.apprehendingEnforcerId } : {},
+        ...record.apprehendingEnforcerName ? { apprehendingEnforcerName: record.apprehendingEnforcerName } : {}
       }
     });
   });
@@ -320,6 +326,44 @@ function useIdentity() {
     async () => (await db.meta.get("identity"))?.value
   );
 }
+function useNotifications() {
+  const tickets = useTickets();
+  if (!tickets) return [];
+  const items = [];
+  for (const t of tickets) {
+    const type = t.status === "OVERDUE" ? "overdue" : t.status === "OUTSTANDING" ? "outstanding" : null;
+    if (!type) continue;
+    items.push({
+      id: `${t.ovrTicketNo}:${type}`,
+      type,
+      ovrTicketNo: t.ovrTicketNo,
+      name: fullName(t.violator),
+      at: type === "overdue" ? t.dueDate : t.createdAt,
+      href: `/admin/tickets/${encodeURIComponent(t.ovrTicketNo)}`
+    });
+  }
+  const rank = (n) => n.type === "overdue" ? 0 : 1;
+  items.sort((a, b) => rank(a) - rank(b) || (a.at < b.at ? 1 : a.at > b.at ? -1 : 0));
+  return items;
+}
+function notifSignature(items) {
+  return items.map((n) => n.id).join("|");
+}
+function useNotificationsState() {
+  const items = useNotifications();
+  const seen = useLiveQuery(
+    async () => (await db.meta.get("notif_seen"))?.value
+  );
+  const signature = notifSignature(items);
+  return {
+    items,
+    total: items.length,
+    unseen: items.length > 0 && signature !== seen,
+    markSeen: () => {
+      void setMeta("notif_seen", signature);
+    }
+  };
+}
 function useStats() {
   return useLiveQuery(
     async () => (await db.meta.get("stats"))?.value
@@ -376,4 +420,4 @@ function useSync() {
   return { syncing, online, error };
 }
 
-export { SessionExpired, cacheCredential, clearIdentity, db, ensureLease, getIdentity, getMeta, isOnline, issueTicketOffline, offlineApiBase, pullAll, pushOutbox, setMeta, setOfflineApiBase, sync, useAdminAuth, useCatalog, useIdentity, useOfficers, usePendingSync, useStats, useSync, useTicket, useTickets, verifyOffline };
+export { SessionExpired, cacheCredential, clearIdentity, db, ensureLease, getIdentity, getMeta, isOnline, issueTicketOffline, offlineApiBase, pullAll, pushOutbox, setMeta, setOfflineApiBase, sync, useAdminAuth, useCatalog, useIdentity, useNotifications, useNotificationsState, useOfficers, usePendingSync, useStats, useSync, useTicket, useTickets, verifyOffline };

package/dist/{chunk-GDOCD7LT.js → chunk-ZUMEOZ22.js}

@@ -1,9 +1,9 @@
-import { ViolationsTable } from './chunk-JEYT63LE.js';
-import { AmountSummary } from './chunk-BIQ2J75Y.js';
-import { Card, CardHeader, CardTitle, CardContent } from './chunk-SETIN6XP.js';
+import { ViolationsTable } from './chunk-IBZVIUNI.js';
+import { AmountSummary } from './chunk-GLIK5BHP.js';
 import { StatusBadge } from './chunk-OE525ZER.js';
-import { useFormatters } from './chunk-E2D7QT6N.js';
-import { formalName, formatAddress } from './chunk-B634JHKZ.js';
+import { Card, CardHeader, CardTitle, CardContent } from './chunk-SETIN6XP.js';
+import { useFormatters } from './chunk-TJSNVTVB.js';
+import { formalName, formatAddress } from './chunk-BI4EGLPG.js';
 import { jsxs, jsx } from 'react/jsx-runtime';
 
 function Field({ label, value }) {

package/dist/core-i18n.d.ts

@@ -1,5 +1,5 @@
-import { C as CopyOverrides, D as Dictionary } from './types-CtBC5-TW.js';
-export { b as baseCopy } from './types-CtBC5-TW.js';
+import { C as CopyOverrides, D as Dictionary } from './types-B8MopM4b.js';
+export { b as baseCopy } from './types-B8MopM4b.js';
 import { M as MunicipalityConfig } from './schema-CdsFQxIg.js';
 import 'zod';
 

package/dist/core-i18n.js

@@ -1 +1 @@
-export { baseCopy, mergeCopy } from './chunk-5YYR37CF.js';
+export { baseCopy, mergeCopy } from './chunk-DJMUW5T2.js';

package/dist/core.d.ts

@@ -73,4 +73,64 @@ interface IssuanceDraft {
 type PreviewRules = Pick<RulesConfig, "dueWindowDays" | "surchargeRatePerMonth">;
 declare function toPreviewTicket(draft: IssuanceDraft, now: Date, rules: PreviewRules): Ticket;
 
-export { type ChargeInput, type ChargeResult, type IssuanceDraft, PREVIEW_PLACEHOLDER, type PreviewRules, computeCharges, enrich, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, makePaymentRef, round2, startedMonthsSince, toPreviewTicket };
+/**
+ * Dashboard time-range presets (GE-010): 1D / 7D / MTD / prev-MTD (+ All).
+ *
+ * Ranges are computed in the LGU's timezone (config `timeZone`) so "today" / "this
+ * month" mean the local calendar, not the server's. Stats are derived from the
+ * on-device ticket list (offline-first) — no server round-trip — by ISSUE date
+ * (`createdAt`); each card reflects the CURRENT status of tickets issued in range.
+ */
+
+type DashboardRangePreset = "1d" | "7d" | "mtd" | "prev-mtd" | "all";
+interface DashboardPreset {
+    key: DashboardRangePreset;
+    label: string;
+}
+/** The presets, in display order. */
+declare const DASHBOARD_PRESETS: DashboardPreset[];
+interface DashboardRange {
+    /** Inclusive lower bound (ISO), or null for "all time" (no lower bound). */
+    fromISO: string | null;
+    /** Inclusive upper bound (ISO). */
+    toISO: string;
+}
+interface DashboardStats {
+    issued: number;
+    outstanding: number;
+    overdue: number;
+    paid: number;
+    collected: number;
+}
+/** Resolve a preset to a concrete [from, to] range, anchored to `now` in `timeZone`. */
+declare function dashboardDateRange(preset: DashboardRangePreset, now: Date, timeZone: string): DashboardRange;
+/** A custom date range from two `YYYY-MM-DD` local dates (either may be empty:
+ *  empty `from` → no lower bound; empty `to` → up to `now`). Interpreted in
+ *  `timeZone` as [from 00:00:00, to 23:59:59]. If from > to, they're swapped. */
+declare function customDateRange(fromYMD: string | null | undefined, toYMD: string | null | undefined, now: Date, timeZone: string): DashboardRange;
+/** Compute the dashboard cards from the local ticket list, scoped to `range`
+ *  by issue date. Each card reflects each ticket's CURRENT status. */
+declare function computeDashboardStats(tickets: Ticket[], range: DashboardRange): DashboardStats;
+
+/**
+ * Philippine locations (PSGC) for the Issue-Ticket address dropdowns (GE-015).
+ *
+ * Provinces + their cities/municipalities ONLY (barangays omitted to keep the
+ * bundle small — barangay stays free-text). Bundled (no runtime API) so it works
+ * offline. NCR districts are flattened into a single "Metro Manila" province.
+ *
+ * Source (open data, CC0/public): flores-jacob/philippine-regions-provinces-
+ * cities-municipalities-barangays (2019v2, derived from PSA PSGC). Names are
+ * title-cased from the source's all-caps.
+ */
+interface PhProvince {
+    province: string;
+    cities: string[];
+}
+declare const PH_PROVINCES: PhProvince[];
+/** All province names (display order = alphabetical). */
+declare function listProvinces(): string[];
+/** Cities/municipalities of a province (case-insensitive match; [] if unknown). */
+declare function citiesOfProvince(province: string | null | undefined): string[];
+
+export { type ChargeInput, type ChargeResult, DASHBOARD_PRESETS, type DashboardPreset, type DashboardRange, type DashboardRangePreset, type DashboardStats, type IssuanceDraft, PH_PROVINCES, PREVIEW_PLACEHOLDER, type PhProvince, type PreviewRules, citiesOfProvince, computeCharges, computeDashboardStats, customDateRange, dashboardDateRange, enrich, listProvinces, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, makePaymentRef, round2, startedMonthsSince, toPreviewTicket };

package/dist/core.js

@@ -1 +1 @@
-export { PREVIEW_PLACEHOLDER, addDays, computeCharges, createFormatters, enrich, formalName, formatAddress, fullName, localToManilaISO, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, makePaymentRef, round2, startedMonthsSince, toPreviewTicket } from './chunk-B634JHKZ.js';
+export { DASHBOARD_PRESETS, PH_PROVINCES, PREVIEW_PLACEHOLDER, addDays, citiesOfProvince, computeCharges, computeDashboardStats, createFormatters, customDateRange, dashboardDateRange, enrich, formalName, formatAddress, fullName, listProvinces, localToManilaISO, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, makePaymentRef, round2, startedMonthsSince, toPreviewTicket } from './chunk-BI4EGLPG.js';

package/dist/data-mock-store.js

@@ -1,20 +1,37 @@
-import { round2, computeCharges, makePaymentRef, fullName, addDays, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, enrich } from './chunk-B634JHKZ.js';
+import { SUPER_ADMIN_LOCKED_PERMISSIONS, ALL_PERMISSIONS } from './chunk-WUNTHINH.js';
+import { round2, computeCharges, makePaymentRef, fullName, addDays, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, enrich } from './chunk-BI4EGLPG.js';
 import 'server-only';
 import { promises } from 'fs';
+import { randomUUID } from 'crypto';
 import os from 'os';
 import path from 'path';
 
-var SEED_VERSION = 1;
+var SEED_VERSION = 6;
 var norm = (s) => s.trim().toLowerCase();
+function slugRole(label) {
+  return label.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+}
+function normalizePerms(perms) {
+  const set = new Set(perms);
+  return ALL_PERMISSIONS.filter((p) => set.has(p));
+}
 function createMockStore(rules, seed) {
-  const { CATALOG, OFFICERS, SEED_TICKETS, SEED_NEXT_SEQ } = seed;
+  const { CATALOG, OFFICERS, SEED_TICKETS, SEED_NEXT_SEQ, USERS, ROLES } = seed;
   const STORE_PATH = process.env.EOVR_STORE_FILE || path.join(os.tmpdir(), "eovr-store.json");
   const enrichRec = (rec, asOf) => enrich(rec, asOf, rules.surchargeRatePerMonth);
   function seeded() {
     return {
       version: SEED_VERSION,
       counter: SEED_NEXT_SEQ,
-      tickets: structuredClone(SEED_TICKETS)
+      tickets: structuredClone(SEED_TICKETS),
+      users: structuredClone(USERS),
+      roles: structuredClone(ROLES),
+      activities: [],
+      officers: structuredClone(OFFICERS),
+      catalog: structuredClone(CATALOG).map((c) => ({
+        ...c,
+        active: c.active ?? true
+      }))
     };
   }
   async function writeStore(data) {
@@ -24,7 +41,7 @@ function createMockStore(rules, seed) {
     try {
       const raw = await promises.readFile(STORE_PATH, "utf8");
       const data = JSON.parse(raw);
-      if (!data || data.version !== SEED_VERSION || !Array.isArray(data.tickets) || typeof data.counter !== "number") {
+      if (!data || data.version !== SEED_VERSION || !Array.isArray(data.tickets) || !Array.isArray(data.users) || !Array.isArray(data.roles) || !Array.isArray(data.activities) || !Array.isArray(data.officers) || !Array.isArray(data.catalog) || typeof data.counter !== "number") {
         const fresh = seeded();
         await writeStore(fresh);
         return fresh;
@@ -38,22 +55,141 @@ function createMockStore(rules, seed) {
   }
   const store = {
     async listViolationCatalog(category) {
-      const items = category ? CATALOG.filter((c) => c.category === category) : CATALOG;
+      const data = await readStore();
+      const items = data.catalog.filter(
+        (c) => c.active !== false && (!category || c.category === category)
+      );
       return structuredClone(items);
     },
+    // ── Violation catalog management (GE-031) ──────────────────────────────
+    async listAllViolations() {
+      const data = await readStore();
+      return structuredClone(data.catalog).sort(
+        (a, b) => a.category === b.category ? a.code.localeCompare(b.code) : a.category.localeCompare(b.category)
+      );
+    },
+    async createViolation(input) {
+      const data = await readStore();
+      const code = input.code.trim();
+      if (!code) throw new Error("Violation code is required.");
+      const title = input.title.trim();
+      if (!title) throw new Error("Title is required.");
+      if (!(input.basicFine >= 0)) throw new Error("Basic fine must be \u2265 0.");
+      if (data.catalog.some((c) => norm(c.code) === norm(code))) {
+        throw new Error(`A violation with code "${code}" already exists.`);
+      }
+      const item = {
+        code,
+        title,
+        category: input.category,
+        basicFine: round2(input.basicFine),
+        legalText: input.legalText?.trim() || void 0,
+        active: true
+      };
+      data.catalog.push(item);
+      await writeStore(data);
+      return structuredClone(item);
+    },
+    async updateViolation(code, patch) {
+      const data = await readStore();
+      const c = data.catalog.find((x) => x.code === code);
+      if (!c) throw new Error("Violation not found.");
+      if (patch.title !== void 0) {
+        const title = patch.title.trim();
+        if (!title) throw new Error("Title is required.");
+        c.title = title;
+      }
+      if (patch.category !== void 0) c.category = patch.category;
+      if (patch.basicFine !== void 0) {
+        if (!(patch.basicFine >= 0)) throw new Error("Basic fine must be \u2265 0.");
+        c.basicFine = round2(patch.basicFine);
+      }
+      if (patch.legalText !== void 0) {
+        c.legalText = patch.legalText?.trim() || void 0;
+      }
+      if (patch.active !== void 0) c.active = patch.active;
+      await writeStore(data);
+      return structuredClone(c);
+    },
+    async deleteViolation(code) {
+      const data = await readStore();
+      const c = data.catalog.find((x) => x.code === code);
+      if (!c) throw new Error("Violation not found.");
+      c.active = false;
+      await writeStore(data);
+    },
     async listOfficers() {
-      return structuredClone(OFFICERS);
+      const data = await readStore();
+      return structuredClone(data.officers);
     },
     async getOfficer(id) {
-      return OFFICERS.find((o) => o.id === id) ?? null;
+      const data = await readStore();
+      return data.officers.find((o) => o.id === id) ?? null;
+    },
+    async createOfficer(input) {
+      const data = await readStore();
+      const name = input.name.trim();
+      if (!name) throw new Error("Officer name is required.");
+      const office = input.office.trim();
+      if (!office) throw new Error("Office is required.");
+      const id = `off-${slugRole(name)}`;
+      if (id === "off-") {
+        throw new Error("Officer name must include letters or numbers.");
+      }
+      if (data.officers.some((o) => o.id === id)) {
+        throw new Error(`An officer "${name}" already exists.`);
+      }
+      const officer = {
+        id,
+        name,
+        badgeNo: input.badgeNo?.trim() || void 0,
+        office
+      };
+      data.officers.push(officer);
+      await writeStore(data);
+      return structuredClone(officer);
+    },
+    async updateOfficer(id, patch) {
+      const data = await readStore();
+      const o = data.officers.find((x) => x.id === id);
+      if (!o) throw new Error("Officer not found.");
+      if (patch.name !== void 0) {
+        const name = patch.name.trim();
+        if (!name) throw new Error("Officer name is required.");
+        o.name = name;
+      }
+      if (patch.office !== void 0) {
+        const office = patch.office.trim();
+        if (!office) throw new Error("Office is required.");
+        o.office = office;
+      }
+      if (patch.badgeNo !== void 0) o.badgeNo = patch.badgeNo?.trim() || void 0;
+      await writeStore(data);
+      return structuredClone(o);
+    },
+    async deleteOfficer(id) {
+      const data = await readStore();
+      const o = data.officers.find((x) => x.id === id);
+      if (!o) throw new Error("Officer not found.");
+      const ticketCount = data.tickets.filter((t) => t.officer.id === id).length;
+      if (ticketCount > 0) {
+        throw new Error(
+          `Can't remove \u2014 this officer has ${ticketCount} issued ticket(s).`
+        );
+      }
+      if (data.users.some((u) => u.officerId === id)) {
+        throw new Error("Can't remove \u2014 this officer is linked to an account.");
+      }
+      data.officers = data.officers.filter((x) => x.id !== id);
+      await writeStore(data);
     },
     async createTicket(input) {
       const store2 = await readStore();
       const now = /* @__PURE__ */ new Date();
       const seq = store2.counter;
-      const officer = OFFICERS.find((o) => o.id === input.officerId) ?? OFFICERS[0];
+      const officer = store2.officers.find((o) => o.id === input.officerId) ?? store2.officers[0];
       const violations = input.violations.map((v) => {
-        const c = CATALOG.find((x) => x.code === v.catalogCode);
+        const c = store2.catalog.find((x) => x.code === v.catalogCode);
         if (!c) throw new Error(`Unknown violation code: ${v.catalogCode}`);
         return {
           catalogCode: c.code,
@@ -83,6 +219,8 @@ function createMockStore(rules, seed) {
         violations,
         remarks: input.remarks?.trim() || void 0,
         issuedBy: input.issuedBy?.trim() || void 0,
+        apprehendingEnforcerId: input.apprehendingEnforcerId || void 0,
+        apprehendingEnforcerName: input.apprehendingEnforcerName?.trim() || void 0,
         assessedAt,
         dueDate: addDays(now, rules.dueWindowDays).toISOString(),
         basicFinesTotal,
@@ -110,9 +248,9 @@ function createMockStore(rules, seed) {
       );
       if (existing) return enrichRec(existing, /* @__PURE__ */ new Date());
       const created = new Date(input.createdAt);
-      const officer = OFFICERS.find((o) => o.id === input.officerId) ?? OFFICERS[0];
+      const officer = data.officers.find((o) => o.id === input.officerId) ?? data.officers[0];
       const violations = input.violations.map((v) => {
-        const c = CATALOG.find((x) => x.code === v.catalogCode);
+        const c = data.catalog.find((x) => x.code === v.catalogCode);
         if (!c) throw new Error(`Unknown violation code: ${v.catalogCode}`);
         return {
           catalogCode: c.code,
@@ -137,6 +275,8 @@ function createMockStore(rules, seed) {
         violations,
         remarks: input.remarks?.trim() || void 0,
         issuedBy: input.issuedBy?.trim() || void 0,
+        apprehendingEnforcerId: input.apprehendingEnforcerId || void 0,
+        apprehendingEnforcerName: input.apprehendingEnforcerName?.trim() || void 0,
         assessedAt: input.createdAt,
         dueDate: addDays(created, rules.dueWindowDays).toISOString(),
         basicFinesTotal,
@@ -222,6 +362,184 @@ function createMockStore(rules, seed) {
           }) === todayKey
         ).length
       };
+    },
+    // ── Accounts (GE-013 RBAC) ──────────────────────────────────────────────
+    // Mock mode has no real credential store (login is the demo cookie); these
+    // back the accounts UI so it's fully browsable without Postgres.
+    async listUsers() {
+      const data = await readStore();
+      return structuredClone(data.users).sort(
+        (a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime()
+      );
+    },
+    async createUser(input) {
+      const data = await readStore();
+      const username = input.username.trim();
+      if (!username) throw new Error("Username is required.");
+      const role = data.roles.find((r) => r.name === input.role);
+      if (!role) throw new Error(`Unknown role: ${input.role}`);
+      if (data.users.some((u) => norm(u.username) === norm(username))) {
+        throw new Error(`Username "${username}" is already taken.`);
+      }
+      const officer = input.officerId ? data.officers.find((o) => o.id === input.officerId) : void 0;
+      const account = {
+        id: `usr-${randomUUID()}`,
+        username,
+        role: role.name,
+        roleLabel: role.label,
+        active: true,
+        officerId: input.officerId ?? null,
+        officerName: officer?.name,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      data.users.unshift(account);
+      await writeStore(data);
+      return structuredClone(account);
+    },
+    async setUserActive(id, active) {
+      const data = await readStore();
+      const u = data.users.find((x) => x.id === id);
+      if (!u) throw new Error("Account not found.");
+      u.active = active;
+      await writeStore(data);
+      return structuredClone(u);
+    },
+    async setUserRole(id, role) {
+      const data = await readStore();
+      const u = data.users.find((x) => x.id === id);
+      if (!u) throw new Error("Account not found.");
+      const roleDef = data.roles.find((r) => r.name === role);
+      if (!roleDef) throw new Error(`Unknown role: ${role}`);
+      u.role = roleDef.name;
+      u.roleLabel = roleDef.label;
+      await writeStore(data);
+      return structuredClone(u);
+    },
+    async updateUser(id, patch) {
+      const data = await readStore();
+      const u = data.users.find((x) => x.id === id);
+      if (!u) throw new Error("Account not found.");
+      if (patch.username !== void 0) {
+        const username = patch.username.trim();
+        if (!username) throw new Error("Username is required.");
+        if (data.users.some((x) => x.id !== id && norm(x.username) === norm(username))) {
+          throw new Error(`Username "${username}" is already taken.`);
+        }
+        u.username = username;
+      }
+      if (patch.role !== void 0) {
+        const roleDef = data.roles.find((r) => r.name === patch.role);
+        if (!roleDef) throw new Error(`Unknown role: ${patch.role}`);
+        u.role = roleDef.name;
+        u.roleLabel = roleDef.label;
+      }
+      if (patch.officerId !== void 0) {
+        u.officerId = patch.officerId ?? null;
+        const officer = patch.officerId ? data.officers.find((o) => o.id === patch.officerId) : void 0;
+        u.officerName = officer?.name;
+      }
+      await writeStore(data);
+      return structuredClone(u);
+    },
+    async resetUserPassword() {
+    },
+    // ── Roles (GE-013 RBAC) ─────────────────────────────────────────────────
+    async listRoles() {
+      const data = await readStore();
+      return structuredClone(data.roles).sort(
+        (a, b) => a.isSystem === b.isSystem ? a.label.localeCompare(b.label) : a.isSystem ? -1 : 1
+      );
+    },
+    async getRolePermissions(name) {
+      const data = await readStore();
+      const r = data.roles.find((x) => x.name === name);
+      return r ? normalizePerms(r.permissions) : [];
+    },
+    async createRole(input) {
+      const data = await readStore();
+      const label = input.label.trim();
+      if (!label) throw new Error("Role name is required.");
+      const name = slugRole(label);
+      if (!name) throw new Error("Role name must include letters or numbers.");
+      if (data.roles.some((r) => r.name === name)) {
+        throw new Error(`A role named "${label}" already exists.`);
+      }
+      const role = {
+        name,
+        label,
+        isSystem: false,
+        permissions: normalizePerms(input.permissions)
+      };
+      data.roles.push(role);
+      await writeStore(data);
+      return structuredClone(role);
+    },
+    async updateRole(name, patch) {
+      const data = await readStore();
+      const role = data.roles.find((r) => r.name === name);
+      if (!role) throw new Error("Role not found.");
+      if (patch.label !== void 0 && !role.isSystem) {
+        const label = patch.label.trim();
+        if (!label) throw new Error("Role name is required.");
+        role.label = label;
+      }
+      if (patch.permissions !== void 0) {
+        let perms = normalizePerms(patch.permissions);
+        if (name === "SUPER_ADMIN") {
+          perms = normalizePerms([...perms, ...SUPER_ADMIN_LOCKED_PERMISSIONS]);
+        }
+        role.permissions = perms;
+      }
+      await writeStore(data);
+      return structuredClone(role);
+    },
+    async deleteRole(name) {
+      const data = await readStore();
+      const role = data.roles.find((r) => r.name === name);
+      if (!role) throw new Error("Role not found.");
+      if (role.isSystem) throw new Error("System roles can't be deleted.");
+      const inUse = data.users.filter((u) => u.role === name).length;
+      if (inUse > 0) {
+        throw new Error(
+          `Can't delete "${role.label}" \u2014 it's assigned to ${inUse} account(s).`
+        );
+      }
+      data.roles = data.roles.filter((r) => r.name !== name);
+      await writeStore(data);
+    },
+    // ── Activity log (GE-022) ───────────────────────────────────────────────
+    async logActivity(entry) {
+      const data = await readStore();
+      data.activities.push({
+        id: `act-${randomUUID()}`,
+        actorId: entry.actorId ?? null,
+        actorUsername: entry.actorUsername ?? null,
+        action: entry.action,
+        summary: entry.summary,
+        targetType: entry.targetType,
+        targetId: entry.targetId,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      await writeStore(data);
+    },
+    async listActivity(filter) {
+      const data = await readStore();
+      let items = [...data.activities].sort(
+        (a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime()
+      );
+      if (filter?.action) items = items.filter((a) => a.action === filter.action);
+      if (filter?.actorId)
+        items = items.filter((a) => a.actorId === filter.actorId);
+      if (filter?.fromISO) {
+        const lo = Date.parse(filter.fromISO);
+        items = items.filter((a) => Date.parse(a.createdAt) >= lo);
+      }
+      if (filter?.toISO) {
+        const hi = Date.parse(filter.toISO);
+        items = items.filter((a) => Date.parse(a.createdAt) <= hi);
+      }
+      const limit = Math.min(Math.max(filter?.limit ?? 200, 1), 1e3);
+      return structuredClone(items.slice(0, limit));
     }
   };
   return store;