@iqauth/sdk 2.6.4 → 2.8.1

package/dist/next.mjs

@@ -1,19 +1,24 @@
+import {
+  sanitizeReturnTo
+} from "./chunk-JRDVUWAL.mjs";
 import {
   handleCallback,
   handleRefresh,
   handleSignout,
+  handleUserinfo,
   serializeCookie
-} from "./chunk-6TDJJER7.mjs";
+} from "./chunk-WSH4SW7F.mjs";
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   TokensModule
-} from "./chunk-UNYDG2L4.mjs";
-import "./chunk-6I6RM4MN.mjs";
+} from "./chunk-NUO2I65G.mjs";
+import "./chunk-6PJRLRB4.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 
 // src/next.ts
+var PKCE_COOKIE = "iqauth_pkce";
 function readCookieFromHeader(header, name) {
   if (!header) return void 0;
   const target = `${name}=`;
@@ -34,32 +39,100 @@ function toResponse(hr) {
   for (const c of hr.cookies) headers.append("set-cookie", serializeCookie(c));
   return new Response(JSON.stringify(hr.body), { status: hr.status, headers });
 }
+function callbackResponse(hr, requestOrigin, returnToCookieValue, returnToCookieName) {
+  const returnTo = sanitizeReturnTo(
+    returnToCookieValue || hr.body?.returnTo,
+    { currentOrigin: requestOrigin, fallback: "/" }
+  );
+  const headers = new Headers({ "Content-Type": "application/json" });
+  for (const c of hr.cookies) headers.append("set-cookie", serializeCookie(c));
+  if (hr.status < 400) {
+    headers.append("set-cookie", `${returnToCookieName}=; Path=/; Max-Age=0; SameSite=Lax`);
+  }
+  const body = { ...hr.body, returnTo };
+  return new Response(JSON.stringify(body), { status: hr.status, headers });
+}
+function callbackRedirectResponse(hr, requestOrigin, returnToCookieValue, cookieNames) {
+  const headers = new Headers();
+  for (const c of hr.cookies) headers.append("set-cookie", serializeCookie(c));
+  headers.append("set-cookie", `${cookieNames.state}=; Path=/; Max-Age=0; SameSite=Lax`);
+  headers.append("set-cookie", `${cookieNames.pkce}=; Path=/; Max-Age=0; SameSite=Lax`);
+  if (hr.status >= 400) {
+    headers.set("Location", "/");
+    return new Response(null, { status: 302, headers });
+  }
+  const dest = sanitizeReturnTo(returnToCookieValue, {
+    currentOrigin: requestOrigin,
+    fallback: "/"
+  });
+  headers.append("set-cookie", `${cookieNames.returnTo}=; Path=/; Max-Age=0; SameSite=Lax`);
+  headers.set("Location", dest);
+  return new Response(null, { status: 302, headers });
+}
 function handler(options) {
   const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/next handler" });
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const helperConfig = { ...options, issuer };
   const accessCookie = options.accessCookieName ?? "iqauth_at";
   const refreshCookie = options.refreshCookieName ?? "iqauth_rt";
+  const returnToCookie = options.returnToCookieName ?? "iqauth_return_to";
   return async (req) => {
     const url = new URL(req.url);
     const action = url.pathname.split("/").pop();
-    const body = await req.json().catch(() => ({}));
     const cookieHeader = req.headers.get("cookie");
+    if (action === "me" && req.method === "GET") {
+      if (!options.mountUserinfo) {
+        return new Response(JSON.stringify({ success: false, error: { code: "NOT_FOUND", message: "userinfo route not enabled" } }), {
+          status: 404,
+          headers: { "Content-Type": "application/json" }
+        });
+      }
+      const auth = req.headers.get("authorization");
+      const accessToken = auth && auth.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
+      return toResponse(await handleUserinfo(helperConfig, { accessToken, req }));
+    }
+    const stateCookie = helperConfig.stateCookieName ?? "iqauth_state";
+    if (action === "callback" && req.method === "GET") {
+      const code = url.searchParams.get("code") ?? void 0;
+      const state = url.searchParams.get("state") ?? void 0;
+      const redirectUri = `${url.origin}${url.pathname}`;
+      const hr = await handleCallback(helperConfig, {
+        code,
+        codeVerifier: readCookieFromHeader(cookieHeader, PKCE_COOKIE),
+        redirectUri,
+        state,
+        expectedState: readCookieFromHeader(cookieHeader, stateCookie)
+      });
+      return callbackRedirectResponse(
+        hr,
+        url.origin,
+        readCookieFromHeader(cookieHeader, returnToCookie),
+        { returnTo: returnToCookie, state: stateCookie, pkce: PKCE_COOKIE }
+      );
+    }
+    const body = await req.json().catch(() => ({}));
     if (action === "callback") {
-      return toResponse(await handleCallback(helperConfig, {
+      const hr = await handleCallback(helperConfig, {
         code: body.code,
         codeVerifier: body.codeVerifier,
-        redirectUri: body.redirectUri
-      }));
+        redirectUri: body.redirectUri,
+        // M-2: bind callback to this browser; handleCallback fails closed.
+        state: body.state,
+        expectedState: readCookieFromHeader(cookieHeader, helperConfig.stateCookieName ?? "iqauth_state")
+      });
+      return callbackResponse(hr, url.origin, readCookieFromHeader(cookieHeader, returnToCookie), returnToCookie);
     }
     if (action === "refresh") {
       const refreshToken = body.refreshToken || readCookieFromHeader(cookieHeader, refreshCookie);
-      return toResponse(await handleRefresh(helperConfig, { refreshToken }));
+      const idempotencyToken = req.headers.get("x-iqauth-idempotency") || body.idempotencyToken;
+      return toResponse(await handleRefresh(helperConfig, { refreshToken, idempotencyToken: idempotencyToken ?? void 0 }));
     }
     if (action === "signout") {
       const auth = req.headers.get("authorization");
       const accessToken = auth && auth.replace(/^Bearer /i, "") || readCookieFromHeader(cookieHeader, accessCookie);
-      return toResponse(await handleSignout(helperConfig, { accessToken, ssoCookieHeader: cookieHeader ?? void 0 }));
+      const refreshToken = readCookieFromHeader(cookieHeader, refreshCookie);
+      const idempotencyToken = req.headers.get("x-iqauth-idempotency") ?? void 0;
+      return toResponse(await handleSignout(helperConfig, { accessToken, refreshToken, idempotencyToken, ssoCookieHeader: cookieHeader ?? void 0 }));
     }
     return new Response(JSON.stringify({ success: false, error: { code: "NOT_FOUND", message: `Unknown action: ${action}` } }), {
       status: 404,

package/dist/{provisioningBridge-88xjOS2n.d.mts → provisioningBridge-BXPMZCLe.d.ts}

@@ -1,4 +1,4 @@
-import { J as JwtClaims } from './types-DZAflmmq.mjs';
+import { J as JwtClaims } from './types-Bn8O-OEd.js';
 
 /**
  * createProvisioningBridge — server-side helper that lifts the
@@ -21,6 +21,17 @@ import { J as JwtClaims } from './types-DZAflmmq.mjs';
  * your local user table. See the JSDoc on each adapter for the contract.
  */
 
+/**
+ * Thrown when the bridge refuses to adopt a pre-existing local account because
+ * the IQAuth claims do not assert a verified email (`email_verified !== true`)
+ * and the integrator has not opted in via `allowUnverifiedEmailAdopt`. Carries
+ * a stable `.code` so callers can branch (e.g. provision a brand-new row under
+ * a different identity instead of adopting the email-matched one).
+ */
+declare class ProvisioningError extends Error {
+    code: string;
+    constructor(code: string, message: string);
+}
 interface ProvisioningContext<TUser> {
     claims: JwtClaims;
     /** The local user record, looked up or freshly inserted. */
@@ -59,6 +70,23 @@ interface ProvisioningBridgeOptions<TUser> {
      * Defaults to checking for Postgres `23505` and SQLite `SQLITE_CONSTRAINT_UNIQUE`.
      */
     isUniqueViolation?: (err: unknown) => boolean;
+    /**
+     * Security gate (H-4): adopting a pre-existing local row matched by email is
+     * only performed when the IQAuth claims assert a verified email
+     * (`claims.email_verified === true`). When the claim is absent/false and a
+     * local row matches the email, the bridge **refuses to adopt** and throws
+     * `ProvisioningError("UNVERIFIED_EMAIL_ADOPT_REFUSED")` (fail closed) so an
+     * IdP that does not assert email verification cannot silently take over an
+     * existing account.
+     *
+     * Brand-new users (no email-matched row) are unaffected — there is nothing
+     * to take over, so they are inserted regardless of verification status.
+     *
+     * Set `true` ONLY when your issuer is trusted to never emit an unverified
+     * email for adoption (or you have a compensating control). Defaults to
+     * `false` (secure).
+     */
+    allowUnverifiedEmailAdopt?: boolean;
 }
 interface ProvisioningBridge<TUser> {
     /**
@@ -83,4 +111,4 @@ interface ProvisioningBridge<TUser> {
  */
 declare function createProvisioningBridge<TUser>(options: ProvisioningBridgeOptions<TUser>): ProvisioningBridge<TUser>;
 
-export { type ProvisioningBridge as P, type ProvisioningBridgeOptions as a, type ProvisioningStorage as b, createProvisioningBridge as c, type ProvisioningContext as d };
+export { type ProvisioningBridge as P, type ProvisioningBridgeOptions as a, type ProvisioningStorage as b, createProvisioningBridge as c, type ProvisioningContext as d, ProvisioningError as e };

package/dist/{provisioningBridge-DnTfzdZK.d.ts → provisioningBridge-IEycmsgb.d.mts}

@@ -1,4 +1,4 @@
-import { J as JwtClaims } from './types-DZAflmmq.js';
+import { J as JwtClaims } from './types-Bn8O-OEd.mjs';
 
 /**
  * createProvisioningBridge — server-side helper that lifts the
@@ -21,6 +21,17 @@ import { J as JwtClaims } from './types-DZAflmmq.js';
  * your local user table. See the JSDoc on each adapter for the contract.
  */
 
+/**
+ * Thrown when the bridge refuses to adopt a pre-existing local account because
+ * the IQAuth claims do not assert a verified email (`email_verified !== true`)
+ * and the integrator has not opted in via `allowUnverifiedEmailAdopt`. Carries
+ * a stable `.code` so callers can branch (e.g. provision a brand-new row under
+ * a different identity instead of adopting the email-matched one).
+ */
+declare class ProvisioningError extends Error {
+    code: string;
+    constructor(code: string, message: string);
+}
 interface ProvisioningContext<TUser> {
     claims: JwtClaims;
     /** The local user record, looked up or freshly inserted. */
@@ -59,6 +70,23 @@ interface ProvisioningBridgeOptions<TUser> {
      * Defaults to checking for Postgres `23505` and SQLite `SQLITE_CONSTRAINT_UNIQUE`.
      */
     isUniqueViolation?: (err: unknown) => boolean;
+    /**
+     * Security gate (H-4): adopting a pre-existing local row matched by email is
+     * only performed when the IQAuth claims assert a verified email
+     * (`claims.email_verified === true`). When the claim is absent/false and a
+     * local row matches the email, the bridge **refuses to adopt** and throws
+     * `ProvisioningError("UNVERIFIED_EMAIL_ADOPT_REFUSED")` (fail closed) so an
+     * IdP that does not assert email verification cannot silently take over an
+     * existing account.
+     *
+     * Brand-new users (no email-matched row) are unaffected — there is nothing
+     * to take over, so they are inserted regardless of verification status.
+     *
+     * Set `true` ONLY when your issuer is trusted to never emit an unverified
+     * email for adoption (or you have a compensating control). Defaults to
+     * `false` (secure).
+     */
+    allowUnverifiedEmailAdopt?: boolean;
 }
 interface ProvisioningBridge<TUser> {
     /**
@@ -83,4 +111,4 @@ interface ProvisioningBridge<TUser> {
  */
 declare function createProvisioningBridge<TUser>(options: ProvisioningBridgeOptions<TUser>): ProvisioningBridge<TUser>;
 
-export { type ProvisioningBridge as P, type ProvisioningBridgeOptions as a, type ProvisioningStorage as b, createProvisioningBridge as c, type ProvisioningContext as d };
+export { type ProvisioningBridge as P, type ProvisioningBridgeOptions as a, type ProvisioningStorage as b, createProvisioningBridge as c, type ProvisioningContext as d, ProvisioningError as e };

package/dist/{publishableKey-BaR0HoAH.d.ts → publishableKey-f2kq-rKw.d.mts}

@@ -20,7 +20,7 @@ declare function encodePublishableKey(mode: KeyMode, payload: PublishableKeyPayl
 declare function parsePublishableKey(raw: string): ParsedPublishableKey | null;
 /**
  * Strict counterpart to `parsePublishableKey` — throws a typed `IQAuthError`
- * (`code: "CONFIG_INVALID"`) with an actionable message when the key is
+ * (`code: "config_invalid"`) with an actionable message when the key is
  * missing, malformed, or encodes a non-URL `iss`. Use this at SDK init so a
  * bad key fails loudly at boot instead of cryptically at first verify.
  */

package/dist/{publishableKey-BaR0HoAH.d.mts → publishableKey-f2kq-rKw.d.ts}

@@ -20,7 +20,7 @@ declare function encodePublishableKey(mode: KeyMode, payload: PublishableKeyPayl
 declare function parsePublishableKey(raw: string): ParsedPublishableKey | null;
 /**
  * Strict counterpart to `parsePublishableKey` — throws a typed `IQAuthError`
- * (`code: "CONFIG_INVALID"`) with an actionable message when the key is
+ * (`code: "config_invalid"`) with an actionable message when the key is
  * missing, malformed, or encodes a non-URL `iss`. Use this at SDK init so a
  * bad key fails loudly at boot instead of cryptically at first verify.
  */

package/dist/react-permissions.d.mts

@@ -0,0 +1,52 @@
+import { S as SessionError } from './index-Cko-d5po.mjs';
+import 'csstype';
+import 'react/jsx-runtime';
+import 'react';
+import './signIn-CReqfXsh.mjs';
+import './publishableKey-f2kq-rKw.mjs';
+import './types-Bn8O-OEd.mjs';
+import './types-DnU2LhXR.mjs';
+
+interface UseEffectivePermissionsOptions {
+    /**
+     * App key (OIDC client_id / manifest key) the permissions should be
+     * resolved against. Required — permissions in IQAuth are app-scoped.
+     */
+    appKey: string;
+    /** Disable the network fetch (claims fallback still applies). */
+    enabled?: boolean;
+    /** Stale window in ms. Default 5min. */
+    staleTime?: number;
+    /**
+     * Override the issuer URL the hook calls. Defaults to the issuer the
+     * provider was booted with.
+     */
+    issuer?: string;
+}
+interface UseEffectivePermissionsResult {
+    /** Normalized, wildcard-collapsed set of granted permission ids. */
+    permissions: string[];
+    /** Wildcard-aware membership check. Identical semantics on server. */
+    hasPermission: (id: string) => boolean;
+    /** True only while a fetch is actively in flight (and no cached data yet). */
+    isLoading: boolean;
+    /** Last fetch error, if any. Cleared on next successful refetch. */
+    error: SessionError | null;
+    /** Force a refetch, bypassing the staleTime window. */
+    refetch: () => Promise<void>;
+}
+/**
+ * Canonical hook for resolving the *full* effective permission set of the
+ * signed-in user against a single app. Use this whenever the JWT
+ * `entitlements` claim is too small (apps with hundreds of nodes can't fit
+ * them in the token).
+ *
+ * Requires a `<QueryClientProvider>` (`@tanstack/react-query`) somewhere
+ * above this hook in the tree.
+ *
+ * Returns `{ permissions, hasPermission, isLoading, error, refetch }`.
+ * `hasPermission` honours wildcard semantics (`*`, `metrics.*`).
+ */
+declare function useEffectivePermissions(opts: UseEffectivePermissionsOptions): UseEffectivePermissionsResult;
+
+export { type UseEffectivePermissionsOptions, type UseEffectivePermissionsResult, useEffectivePermissions };

package/dist/react-permissions.d.ts

@@ -0,0 +1,52 @@
+import { S as SessionError } from './index-RNqwEcmY.js';
+import 'csstype';
+import 'react/jsx-runtime';
+import 'react';
+import './signIn-Cfa1GTpO.js';
+import './publishableKey-f2kq-rKw.js';
+import './types-Bn8O-OEd.js';
+import './types-DnU2LhXR.js';
+
+interface UseEffectivePermissionsOptions {
+    /**
+     * App key (OIDC client_id / manifest key) the permissions should be
+     * resolved against. Required — permissions in IQAuth are app-scoped.
+     */
+    appKey: string;
+    /** Disable the network fetch (claims fallback still applies). */
+    enabled?: boolean;
+    /** Stale window in ms. Default 5min. */
+    staleTime?: number;
+    /**
+     * Override the issuer URL the hook calls. Defaults to the issuer the
+     * provider was booted with.
+     */
+    issuer?: string;
+}
+interface UseEffectivePermissionsResult {
+    /** Normalized, wildcard-collapsed set of granted permission ids. */
+    permissions: string[];
+    /** Wildcard-aware membership check. Identical semantics on server. */
+    hasPermission: (id: string) => boolean;
+    /** True only while a fetch is actively in flight (and no cached data yet). */
+    isLoading: boolean;
+    /** Last fetch error, if any. Cleared on next successful refetch. */
+    error: SessionError | null;
+    /** Force a refetch, bypassing the staleTime window. */
+    refetch: () => Promise<void>;
+}
+/**
+ * Canonical hook for resolving the *full* effective permission set of the
+ * signed-in user against a single app. Use this whenever the JWT
+ * `entitlements` claim is too small (apps with hundreds of nodes can't fit
+ * them in the token).
+ *
+ * Requires a `<QueryClientProvider>` (`@tanstack/react-query`) somewhere
+ * above this hook in the tree.
+ *
+ * Returns `{ permissions, hasPermission, isLoading, error, refetch }`.
+ * `hasPermission` honours wildcard semantics (`*`, `metrics.*`).
+ */
+declare function useEffectivePermissions(opts: UseEffectivePermissionsOptions): UseEffectivePermissionsResult;
+
+export { type UseEffectivePermissionsOptions, type UseEffectivePermissionsResult, useEffectivePermissions };

package/dist/react-permissions.js

@@ -0,0 +1,239 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/errors.ts
+var init_errors = __esm({
+  "src/errors.ts"() {
+    "use strict";
+  }
+});
+
+// src/browser/storage.ts
+var init_storage = __esm({
+  "src/browser/storage.ts"() {
+    "use strict";
+  }
+});
+
+// src/browser/pkce.ts
+var init_pkce = __esm({
+  "src/browser/pkce.ts"() {
+    "use strict";
+  }
+});
+
+// src/browser/signIn.ts
+var init_signIn = __esm({
+  "src/browser/signIn.ts"() {
+    "use strict";
+    init_pkce();
+    init_storage();
+  }
+});
+
+// src/react-permissions.ts
+var react_permissions_exports = {};
+__export(react_permissions_exports, {
+  useEffectivePermissions: () => useEffectivePermissions
+});
+module.exports = __toCommonJS(react_permissions_exports);
+
+// src/react/permissions.tsx
+var import_react2 = require("react");
+var import_react_query = require("@tanstack/react-query");
+
+// src/permissions/wildcard.ts
+var SUFFIX = ".*";
+function wildcardPrefix(pattern) {
+  return pattern.slice(0, -SUFFIX.length);
+}
+function hasPermission(set, id) {
+  if (!id) return false;
+  if (!set) return false;
+  if (id === "*") {
+    for (const entry of set) if (entry === "*") return true;
+    return false;
+  }
+  const queryIsWildcard = id.endsWith(SUFFIX);
+  const queryPrefix = queryIsWildcard ? wildcardPrefix(id) : null;
+  for (const entry of set) {
+    if (!entry) continue;
+    if (entry === "*") return true;
+    if (entry === id) return true;
+    if (entry.endsWith(SUFFIX)) {
+      const prefix = wildcardPrefix(entry);
+      if (!queryIsWildcard) {
+        if (id === prefix) return true;
+        if (id.startsWith(prefix + ".")) return true;
+      } else {
+        if (queryPrefix === prefix) return true;
+        if (queryPrefix !== null && queryPrefix.startsWith(prefix + ".")) return true;
+      }
+    }
+  }
+  return false;
+}
+function expandPermissions(set) {
+  if (!set) return [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const raw of set) {
+    if (typeof raw !== "string" || raw.length === 0) continue;
+    seen.add(raw);
+  }
+  if (seen.has("*")) return ["*"];
+  const wildcards = [];
+  for (const entry of seen) if (entry.endsWith(SUFFIX)) wildcards.push(entry);
+  const out = [];
+  for (const entry of seen) {
+    let covered = false;
+    for (const w of wildcards) {
+      if (w === entry) continue;
+      const prefix = wildcardPrefix(w);
+      if (entry === prefix) {
+        covered = true;
+        break;
+      }
+      if (entry.startsWith(prefix + ".")) {
+        covered = true;
+        break;
+      }
+    }
+    if (!covered) out.push(entry);
+  }
+  out.sort();
+  return out;
+}
+
+// src/react/index.tsx
+var import_react = require("react");
+
+// src/browser/sessionManager.ts
+init_errors();
+
+// src/publishableKey.ts
+init_errors();
+
+// src/browser/sessionManager.ts
+init_storage();
+
+// src/react/index.tsx
+init_signIn();
+
+// src/browser/accountRegistry.ts
+init_storage();
+var COOKIE_MAX_AGE = 60 * 60 * 24 * 30;
+
+// src/react/index.tsx
+var import_jsx_runtime = require("react/jsx-runtime");
+var IQAuthContext = (0, import_react.createContext)(null);
+function __useIQAuthInternal() {
+  return useCtx();
+}
+function useCtx() {
+  const ctx = (0, import_react.useContext)(IQAuthContext);
+  if (!ctx) throw new Error("IQAuth hooks must be used inside <IQAuthProvider>");
+  return ctx;
+}
+var MultisessionContext = (0, import_react.createContext)(null);
+var SDK_CSS_MAX_LEN = 50 * 1024;
+
+// src/react/permissions.tsx
+var DEFAULT_PERMS_STALE_MS = 5 * 60 * 1e3;
+function projectAllowedScopes(rows) {
+  if (!Array.isArray(rows)) return [];
+  const allowed = [];
+  const denied = /* @__PURE__ */ new Set();
+  for (const r of rows) {
+    if (!r || typeof r.scope !== "string" || !r.scope) continue;
+    if (r.effect === "deny") denied.add(r.scope);
+    else allowed.push(r.scope);
+  }
+  return expandPermissions(allowed.filter((s) => !denied.has(s)));
+}
+function useEffectivePermissions(opts) {
+  const { manager, snapshot } = __useIQAuthInternal();
+  const { appKey, enabled = true, staleTime = DEFAULT_PERMS_STALE_MS, issuer } = opts;
+  const claims = snapshot.claims;
+  const isPlatformAdmin = Array.isArray(claims?.roles) && claims.roles.includes("platform_admin");
+  const userId = snapshot.user?.sub ?? null;
+  const tenantId = snapshot.tenantId ?? claims?.tenantId ?? null;
+  const issuerUrl = (issuer ?? manager.issuerUrl).replace(/\/$/, "");
+  const queryEnabled = enabled && !!userId && !!tenantId && !!appKey && !isPlatformAdmin;
+  const query = (0, import_react_query.useQuery)({
+    queryKey: ["iqauth", "effective-permissions", issuerUrl, tenantId, userId, appKey],
+    queryFn: async () => {
+      const url = `${issuerUrl}/api/v1/tenants/${encodeURIComponent(tenantId)}/users/${encodeURIComponent(userId)}/permissions/effective?appKey=${encodeURIComponent(appKey)}`;
+      const res = await manager.fetch(url);
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) {
+        const code = json?.error?.code || `HTTP_${res.status}`;
+        const message = json?.error?.message || `HTTP ${res.status}`;
+        const e = { code, message };
+        throw e;
+      }
+      const rows = Array.isArray(json) ? json : json?.data ?? [];
+      return projectAllowedScopes(rows);
+    },
+    enabled: queryEnabled,
+    staleTime,
+    refetchOnWindowFocus: false,
+    retry: false
+  });
+  const refetch = (0, import_react2.useCallback)(async () => {
+    if (!queryEnabled) return;
+    await query.refetch();
+  }, [query, queryEnabled]);
+  return (0, import_react2.useMemo)(() => {
+    if (isPlatformAdmin) {
+      return {
+        permissions: ["*"],
+        hasPermission: () => true,
+        isLoading: false,
+        error: null,
+        refetch
+      };
+    }
+    const fetched = query.data;
+    const perms = fetched ?? expandPermissions(claims?.entitlements ?? []);
+    const isLoading = queryEnabled && query.isLoading;
+    const error = query.error ? "code" in query.error && typeof query.error.code === "string" ? query.error : { code: "PERMISSIONS_FETCH_FAILED", message: query.error.message || "Failed to fetch permissions" } : null;
+    return {
+      permissions: perms,
+      hasPermission: (id) => hasPermission(perms, id),
+      isLoading,
+      error,
+      refetch
+    };
+  }, [
+    isPlatformAdmin,
+    queryEnabled,
+    query.data,
+    query.isLoading,
+    query.error,
+    claims?.entitlements,
+    refetch
+  ]);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  useEffectivePermissions
+});