@mohasinac/appkit 2.6.5 → 2.6.6

package/dist/_internal/client/features/layout/DashboardLayoutClient.d.ts

@@ -25,6 +25,13 @@ export interface DashboardLayoutClientProps {
     variant: DashboardVariant;
     /** Grouped nav items. Shape matches all three sidebar components. */
     groups: SidebarNavGroup[];
+    /**
+     * Resolved permissions for the current user (serialised from RSC layout).
+     * When provided, nav items with `requiredPermission` are filtered server-side
+     * before reaching this component; pass `null` to skip (admin sees everything).
+     * When absent, all items are shown (backwards-compatible).
+     */
+    permissions?: string[] | null;
     /** Override active-link highlight. Defaults to usePathname(). */
     activeHref?: string;
     /** Responsive controls — currently only hideAt is honoured. */
@@ -35,4 +42,4 @@ export interface DashboardLayoutClientProps {
     className?: string;
     children: ReactNode;
 }
-export declare function DashboardLayoutClient({ variant, groups, activeHref: explicitActiveHref, responsive: _responsive, className, children, }: DashboardLayoutClientProps): import("react/jsx-runtime").JSX.Element;
+export declare function DashboardLayoutClient({ variant, groups, permissions, activeHref: explicitActiveHref, responsive: _responsive, className, children, }: DashboardLayoutClientProps): import("react/jsx-runtime").JSX.Element;

package/dist/_internal/client/features/layout/DashboardLayoutClient.js

@@ -67,9 +67,25 @@ function useResponsiveDrawer() {
     }, [registerNav, unregisterNav, open, close, toggle]);
     return { desktopOpen, mobileOpen, close, toggle };
 }
-export function DashboardLayoutClient({ variant, groups, activeHref: explicitActiveHref, responsive: _responsive, className, children, }) {
+/** Filter admin nav groups to only show items the user has permission to see. */
+function filterAdminGroups(groups, permissions) {
+    // null = admin (show everything); undefined = no filtering (backwards compat)
+    if (permissions === null || permissions === undefined)
+        return groups;
+    return groups
+        .map((group) => ({
+        ...group,
+        items: group.items.filter((item) => !item.requiredPermission ||
+            permissions.includes(item.requiredPermission)),
+    }))
+        .filter((group) => group.items.length > 0);
+}
+export function DashboardLayoutClient({ variant, groups, permissions, activeHref: explicitActiveHref, responsive: _responsive, className, children, }) {
     const pathname = usePathname();
     const activeHref = explicitActiveHref ?? pathname ?? "";
     const { desktopOpen, mobileOpen, close, toggle } = useResponsiveDrawer();
-    return (_jsxs(_Fragment, { children: [variant === "admin" && (_jsx(AdminSidebar, { variant: "sidebar", desktopOpen: desktopOpen, mobileOpen: mobileOpen, activePath: activeHref, groups: groups, onCloseMobile: close, onToggle: toggle, className: className })), variant === "store" && (_jsx(StoreSidebar, { variant: "sidebar", desktopOpen: desktopOpen, mobileOpen: mobileOpen, activeHref: activeHref, items: [], groups: groups, onCloseMobile: close, onToggle: toggle, className: className })), variant === "user" && (_jsx(UserSidebar, { variant: "sidebar", desktopOpen: desktopOpen, mobileOpen: mobileOpen, items: groups.flatMap((g) => g.items), groups: groups, onCloseMobile: close, onToggle: toggle, className: className })), children] }));
+    const adminGroups = variant === "admin"
+        ? filterAdminGroups(groups, permissions)
+        : groups;
+    return (_jsxs(_Fragment, { children: [variant === "admin" && (_jsx(AdminSidebar, { variant: "sidebar", desktopOpen: desktopOpen, mobileOpen: mobileOpen, activePath: activeHref, groups: adminGroups, onCloseMobile: close, onToggle: toggle, className: className })), variant === "store" && (_jsx(StoreSidebar, { variant: "sidebar", desktopOpen: desktopOpen, mobileOpen: mobileOpen, activeHref: activeHref, items: [], groups: groups, onCloseMobile: close, onToggle: toggle, className: className })), variant === "user" && (_jsx(UserSidebar, { variant: "sidebar", desktopOpen: desktopOpen, mobileOpen: mobileOpen, items: groups.flatMap((g) => g.items), groups: groups, onCloseMobile: close, onToggle: toggle, className: className })), children] }));
 }

package/dist/_internal/server/features/auth/capabilities.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Store capabilities server helper.
+ *
+ * Reads the capabilities[] array from the store document and merges with defaults.
+ * Call this server-side only — never trust client-provided capability arrays.
+ */
+import { type StoreCapability } from "../../../../features/auth/permissions/constants";
+/**
+ * Return the resolved capability set for a store.
+ * Falls back to DEFAULT_STORE_CAPABILITIES when the store has no capabilities field.
+ */
+export declare function getStoreCapabilities(storeId: string): Promise<StoreCapability[]>;
+/**
+ * Check whether a store has a specific capability.
+ * Convenience wrapper — prefer calling `getStoreCapabilities` once when checking multiple.
+ */
+export declare function storeHasCapability(storeId: string, required: StoreCapability): Promise<boolean>;

package/dist/_internal/server/features/auth/capabilities.js

@@ -0,0 +1,31 @@
+/**
+ * Store capabilities server helper.
+ *
+ * Reads the capabilities[] array from the store document and merges with defaults.
+ * Call this server-side only — never trust client-provided capability arrays.
+ */
+import { storeRepository } from "../../../../repositories";
+import { DEFAULT_STORE_CAPABILITIES, } from "../../../../features/auth/permissions/constants";
+/**
+ * Return the resolved capability set for a store.
+ * Falls back to DEFAULT_STORE_CAPABILITIES when the store has no capabilities field.
+ */
+export async function getStoreCapabilities(storeId) {
+    if (!storeId)
+        return [...DEFAULT_STORE_CAPABILITIES];
+    const store = await storeRepository.findById(storeId);
+    if (!store)
+        return [...DEFAULT_STORE_CAPABILITIES];
+    const raw = store.capabilities;
+    if (Array.isArray(raw) && raw.length > 0)
+        return raw;
+    return [...DEFAULT_STORE_CAPABILITIES];
+}
+/**
+ * Check whether a store has a specific capability.
+ * Convenience wrapper — prefer calling `getStoreCapabilities` once when checking multiple.
+ */
+export async function storeHasCapability(storeId, required) {
+    const caps = await getStoreCapabilities(storeId);
+    return caps.includes(required);
+}

package/dist/_internal/server/features/auth/index.d.ts

@@ -1 +1,3 @@
 export * from "./actions";
+export * from "./permissions";
+export * from "./capabilities";

package/dist/_internal/server/features/auth/index.js

@@ -1 +1,3 @@
 export * from "./actions";
+export * from "./permissions";
+export * from "./capabilities";

package/dist/_internal/server/features/auth/permissions.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Server-side RBAC permission resolver.
+ *
+ * Logic lives here; consumers inject config via opts parameters.
+ *
+ * Design:
+ *  - admin role bypasses all permission checks (isAdmin: true)
+ *  - employee role is gated by permissions[] on UserDocument
+ *  - all other roles get empty permissions (no admin access)
+ */
+import type { Permission } from "../../../../features/auth/permissions/constants";
+export interface ResolvedPermissions {
+    /** true when role === "admin" — bypasses all permission checks */
+    isAdmin: boolean;
+    /** explicit permissions array; only meaningful when role === "employee" */
+    permissions: Permission[];
+}
+/**
+ * Fetch and resolve permissions for a user.
+ * Returns { isAdmin: true } for admins, explicit permissions for employees,
+ * empty for all other roles.
+ */
+export declare function getServerPermissions(uid: string): Promise<ResolvedPermissions>;
+export declare function checkPermission(resolved: ResolvedPermissions, required: Permission): boolean;
+export declare function checkAnyPermission(resolved: ResolvedPermissions, required: Permission[]): boolean;
+type GetUser = () => Promise<{
+    uid: string;
+    role: string;
+} | null>;
+export interface AdminSectionLayoutOpts {
+    getUser: GetUser;
+    loginPath?: string;
+    unauthorizedPath?: string;
+}
+/**
+ * Factory that returns a Next.js RSC layout component guarding an admin section.
+ *
+ * Usage in consumer:
+ * ```ts
+ * // src/app/[locale]/admin/blog/layout.tsx
+ * import { makeAdminSectionLayout } from "@mohasinac/appkit/server";
+ * import { getServerSessionUser } from "@/lib/firebase/auth-server";
+ * export default makeAdminSectionLayout("admin:blog:read", { getUser: getServerSessionUser });
+ * ```
+ */
+export declare function makeAdminSectionLayout(permission: Permission, opts: AdminSectionLayoutOpts): ({ children, }: {
+    children: React.ReactNode;
+}) => Promise<React.ReactNode>;
+export {};

package/dist/_internal/server/features/auth/permissions.js

@@ -0,0 +1,76 @@
+/**
+ * Server-side RBAC permission resolver.
+ *
+ * Logic lives here; consumers inject config via opts parameters.
+ *
+ * Design:
+ *  - admin role bypasses all permission checks (isAdmin: true)
+ *  - employee role is gated by permissions[] on UserDocument
+ *  - all other roles get empty permissions (no admin access)
+ */
+import { userRepository } from "../../../../repositories";
+// ── Core resolver ─────────────────────────────────────────────────────────────
+/**
+ * Fetch and resolve permissions for a user.
+ * Returns { isAdmin: true } for admins, explicit permissions for employees,
+ * empty for all other roles.
+ */
+export async function getServerPermissions(uid) {
+    if (!uid)
+        return { isAdmin: false, permissions: [] };
+    // userRepository.findById is cached per request in BaseRepository
+    const user = await userRepository.findById(uid);
+    if (!user)
+        return { isAdmin: false, permissions: [] };
+    if (user.role === "admin")
+        return { isAdmin: true, permissions: [] };
+    if (user.role === "employee") {
+        return {
+            isAdmin: false,
+            permissions: (user.permissions ?? []),
+        };
+    }
+    return { isAdmin: false, permissions: [] };
+}
+// ── Permission check helpers ──────────────────────────────────────────────────
+export function checkPermission(resolved, required) {
+    return resolved.isAdmin || resolved.permissions.includes(required);
+}
+export function checkAnyPermission(resolved, required) {
+    return resolved.isAdmin || required.some((p) => resolved.permissions.includes(p));
+}
+/**
+ * Factory that returns a Next.js RSC layout component guarding an admin section.
+ *
+ * Usage in consumer:
+ * ```ts
+ * // src/app/[locale]/admin/blog/layout.tsx
+ * import { makeAdminSectionLayout } from "@mohasinac/appkit/server";
+ * import { getServerSessionUser } from "@/lib/firebase/auth-server";
+ * export default makeAdminSectionLayout("admin:blog:read", { getUser: getServerSessionUser });
+ * ```
+ */
+export function makeAdminSectionLayout(permission, opts) {
+    return async function AdminSectionLayout({ children, }) {
+        const { redirect } = await import("next/navigation");
+        const user = await opts.getUser();
+        if (!user) {
+            redirect(opts.loginPath ?? "/auth/login");
+            return null;
+        }
+        // admin role passes without a permission check
+        if (user.role === "admin")
+            return children;
+        // non-employee non-admin roles have no business in /admin
+        if (user.role !== "employee") {
+            redirect(opts.unauthorizedPath ?? "/unauthorized");
+            return null;
+        }
+        const resolved = await getServerPermissions(user.uid);
+        if (!checkPermission(resolved, permission)) {
+            redirect(opts.unauthorizedPath ?? "/unauthorized");
+            return null;
+        }
+        return children;
+    };
+}

package/dist/configs/next.d.ts

@@ -6,7 +6,12 @@
  *
  * Notable defaults:
  * - `serverExternalPackages` includes firebase-admin + GCP deps
- * - `outputFileTracingIncludes` forces firebase-admin/lib/database/** into Lambda bundles
+ * - `outputFileTracingIncludes` uses broad org-level globs (**) so every
+ *   current and future @google-cloud/* subpackage (incl. build/protos/**) is
+ *   included in Vercel Lambda bundles without needing per-package entries.
+ * - Consumer additions to the same route key are MERGED (union), not replaced.
+ * - `images.remotePatterns` restricts to Firebase Storage + localhost; consumer
+ *   can append additional patterns via `images.remotePatterns`.
  * - `experimental.serverActions.bodySizeLimit` set to "4mb"
  * - Optional `IgnorePlugin` for optional native deps (request, fast-crc32c)
  *

package/dist/configs/next.js

@@ -6,7 +6,12 @@
  *
  * Notable defaults:
  * - `serverExternalPackages` includes firebase-admin + GCP deps
- * - `outputFileTracingIncludes` forces firebase-admin/lib/database/** into Lambda bundles
+ * - `outputFileTracingIncludes` uses broad org-level globs (**) so every
+ *   current and future @google-cloud/* subpackage (incl. build/protos/**) is
+ *   included in Vercel Lambda bundles without needing per-package entries.
+ * - Consumer additions to the same route key are MERGED (union), not replaced.
+ * - `images.remotePatterns` restricts to Firebase Storage + localhost; consumer
+ *   can append additional patterns via `images.remotePatterns`.
  * - `experimental.serverActions.bodySizeLimit` set to "4mb"
  * - Optional `IgnorePlugin` for optional native deps (request, fast-crc32c)
  *
@@ -72,25 +77,34 @@ export function defineNextConfig(override = {}) {
         ...consumerExperimental,
     };
     // Next 16 moved `outputFileTracingIncludes` out of `experimental` to the
-    // top-level config. Keep the same firebase-admin/lib/database forcing the
-    // old position used, and merge consumer overrides if provided.
+    // top-level config. Use broad org-level globs (**) so protos/, build/cjs/,
+    // build/esm/, and any future subpackages are always included — no more
+    // per-subdirectory entries that silently miss e.g. build/protos/admin_v1.json.
+    // Consumer additions for the same route key are MERGED (array union), not replaced.
     const defaultOutputFileTracingIncludes = {
         "/api/**": [
-            "./node_modules/firebase-admin/lib/database/**",
-            "./node_modules/firebase-admin/lib/esm/database/**",
-            "./node_modules/firebase-admin/lib/firestore/**",
-            "./node_modules/firebase-admin/lib/esm/firestore/**",
-            "./node_modules/firebase-admin/lib/auth/**",
-            "./node_modules/firebase-admin/lib/esm/auth/**",
-            "./node_modules/firebase-admin/lib/app/**",
-            "./node_modules/firebase-admin/lib/esm/app/**",
-            "./node_modules/@google-cloud/firestore/build/src/**",
+            // Firebase Admin — entire package (lib/ + esm/, all sub-SDKs)
+            "./node_modules/firebase-admin/**",
+            // All @google-cloud packages: firestore (incl. protos/**), storage, paginator, etc.
+            "./node_modules/@google-cloud/**",
+            // Auth libraries used by Firebase Admin token verification
+            "./node_modules/google-auth-library/**",
+            "./node_modules/google-gax/**",
+            "./node_modules/gtoken/**",
+            "./node_modules/jws/**",
+            "./node_modules/gaxios/**",
         ],
     };
     const mergedOutputFileTracingIncludes = {
         ...defaultOutputFileTracingIncludes,
-        ...consumerOutputFileTracingIncludes,
     };
+    for (const [route, patterns] of Object.entries(consumerOutputFileTracingIncludes)) {
+        const existing = mergedOutputFileTracingIncludes[route] ?? [];
+        mergedOutputFileTracingIncludes[route] = [
+            ...existing,
+            ...patterns.filter((p) => !existing.includes(p)),
+        ];
+    }
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     function mergedWebpack(config, ctx) {
         const { isServer, webpack } = ctx;
@@ -112,13 +126,26 @@ export function defineNextConfig(override = {}) {
         }
         return consumerWebpack ? consumerWebpack(config, ctx) : config;
     }
+    // Default remotePatterns: Firebase Storage + localhost only.
+    // External URLs are watermarked via /api/media/ext — they must never be
+    // loaded directly by next/image. Consumer can append additional patterns.
+    const defaultRemotePatterns = [
+        { protocol: "https", hostname: "firebasestorage.googleapis.com" },
+        { protocol: "https", hostname: "*.firebasestorage.googleapis.com" },
+        { protocol: "http", hostname: "localhost" },
+        { protocol: "http", hostname: "127.0.0.1" },
+    ];
+    const consumerImages = override.images ?? {};
+    const consumerRemotePatterns = consumerImages.remotePatterns ?? [];
+    const mergedRemotePatterns = [
+        ...defaultRemotePatterns,
+        ...consumerRemotePatterns.filter((p) => !defaultRemotePatterns.some((d) => d.hostname ===
+            p.hostname)),
+    ];
     return {
         images: {
-            remotePatterns: [
-                { protocol: "https", hostname: "**" },
-                { protocol: "http", hostname: "**" },
-            ],
-            ...(override.images ?? {}),
+            ...consumerImages,
+            remotePatterns: mergedRemotePatterns,
         },
         ...rest,
         serverExternalPackages: mergedExternal,

package/dist/constants/api-endpoints.d.ts

@@ -122,6 +122,16 @@ export declare const ADMIN_ENDPOINTS: {
     readonly SUBLISTING_CATEGORY_BY_ID: (id: string) => string;
     readonly PRODUCT_FEATURES: "/api/admin/features";
     readonly PRODUCT_FEATURE_BY_ID: (id: string) => string;
+    readonly TEAM: "/api/admin/team";
+    readonly TEAM_MEMBER: (uid: string) => string;
+    readonly USER_HARD_BAN: (uid: string) => string;
+    readonly USER_UNBAN: (uid: string) => string;
+    readonly USER_SOFT_BAN: (uid: string) => string;
+    readonly USER_SOFT_BAN_LIFT: (uid: string, action: string) => string;
+    readonly SUPPORT_TICKETS: "/api/admin/support-tickets";
+    readonly SUPPORT_TICKET_BY_ID: (id: string) => string;
+    readonly SCAMMERS: "/api/admin/scammers";
+    readonly SCAMMER_BY_ID: (id: string) => string;
 };
 export declare const CHAT_ENDPOINTS: {
     readonly LIST: "/api/chat";
@@ -200,6 +210,9 @@ export declare const MEDIA_ENDPOINTS: {
     readonly CROP: "/api/media/crop";
     readonly TRIM: "/api/media/trim";
     readonly DELETE: (url: string) => string;
+    /** Watermark-proxy for external (non-Firebase-Storage) image URLs. */
+    readonly EXT: "/api/media/ext";
+    readonly EXT_URL: (url: string) => string;
 };
 export declare const ORDER_ENDPOINTS: {
     readonly LIST: "/api/orders";
@@ -270,6 +283,16 @@ export declare const PROFILE_STATS_ENDPOINTS: {
     readonly PRODUCTS: (sellerId: string) => string;
     readonly REVIEWS: (userId: string) => string;
 };
+export declare const SUPPORT_ENDPOINTS: {
+    readonly TICKETS: "/api/support/tickets";
+    readonly TICKET_BY_ID: (id: string) => string;
+    readonly TICKET_MESSAGES: (id: string) => string;
+};
+export declare const SCAMMER_ENDPOINTS: {
+    readonly LIST: "/api/scammers";
+    readonly BY_SLUG: (slug: string) => string;
+    readonly REPORT: "/api/scammers/report";
+};
 export declare const BEFORE_AFTER_ENDPOINTS: {
     readonly LIST: "/api/before-after";
 };
@@ -397,6 +420,16 @@ export declare const API_ENDPOINTS: {
         readonly SUBLISTING_CATEGORY_BY_ID: (id: string) => string;
         readonly PRODUCT_FEATURES: "/api/admin/features";
         readonly PRODUCT_FEATURE_BY_ID: (id: string) => string;
+        readonly TEAM: "/api/admin/team";
+        readonly TEAM_MEMBER: (uid: string) => string;
+        readonly USER_HARD_BAN: (uid: string) => string;
+        readonly USER_UNBAN: (uid: string) => string;
+        readonly USER_SOFT_BAN: (uid: string) => string;
+        readonly USER_SOFT_BAN_LIFT: (uid: string, action: string) => string;
+        readonly SUPPORT_TICKETS: "/api/admin/support-tickets";
+        readonly SUPPORT_TICKET_BY_ID: (id: string) => string;
+        readonly SCAMMERS: "/api/admin/scammers";
+        readonly SCAMMER_BY_ID: (id: string) => string;
     };
     readonly CHAT: {
         readonly LIST: "/api/chat";
@@ -478,6 +511,9 @@ export declare const API_ENDPOINTS: {
         readonly CROP: "/api/media/crop";
         readonly TRIM: "/api/media/trim";
         readonly DELETE: (url: string) => string;
+        /** Watermark-proxy for external (non-Firebase-Storage) image URLs. */
+        readonly EXT: "/api/media/ext";
+        readonly EXT_URL: (url: string) => string;
     };
     readonly ORDERS: {
         readonly LIST: "/api/orders";
@@ -555,6 +591,16 @@ export declare const API_ENDPOINTS: {
         readonly SETTINGS: "/api/store/whatsapp-settings";
         readonly CATALOG_SYNC: "/api/store/whatsapp-settings/catalog-sync";
     };
+    readonly SUPPORT: {
+        readonly TICKETS: "/api/support/tickets";
+        readonly TICKET_BY_ID: (id: string) => string;
+        readonly TICKET_MESSAGES: (id: string) => string;
+    };
+    readonly SCAMMERS: {
+        readonly LIST: "/api/scammers";
+        readonly BY_SLUG: (slug: string) => string;
+        readonly REPORT: "/api/scammers/report";
+    };
 };
 /** Canonical alias — prefer API_ROUTES over API_ENDPOINTS in new code. */
 export declare const API_ROUTES: {
@@ -674,6 +720,16 @@ export declare const API_ROUTES: {
         readonly SUBLISTING_CATEGORY_BY_ID: (id: string) => string;
         readonly PRODUCT_FEATURES: "/api/admin/features";
         readonly PRODUCT_FEATURE_BY_ID: (id: string) => string;
+        readonly TEAM: "/api/admin/team";
+        readonly TEAM_MEMBER: (uid: string) => string;
+        readonly USER_HARD_BAN: (uid: string) => string;
+        readonly USER_UNBAN: (uid: string) => string;
+        readonly USER_SOFT_BAN: (uid: string) => string;
+        readonly USER_SOFT_BAN_LIFT: (uid: string, action: string) => string;
+        readonly SUPPORT_TICKETS: "/api/admin/support-tickets";
+        readonly SUPPORT_TICKET_BY_ID: (id: string) => string;
+        readonly SCAMMERS: "/api/admin/scammers";
+        readonly SCAMMER_BY_ID: (id: string) => string;
     };
     readonly CHAT: {
         readonly LIST: "/api/chat";
@@ -755,6 +811,9 @@ export declare const API_ROUTES: {
         readonly CROP: "/api/media/crop";
         readonly TRIM: "/api/media/trim";
         readonly DELETE: (url: string) => string;
+        /** Watermark-proxy for external (non-Firebase-Storage) image URLs. */
+        readonly EXT: "/api/media/ext";
+        readonly EXT_URL: (url: string) => string;
     };
     readonly ORDERS: {
         readonly LIST: "/api/orders";
@@ -832,4 +891,14 @@ export declare const API_ROUTES: {
         readonly SETTINGS: "/api/store/whatsapp-settings";
         readonly CATALOG_SYNC: "/api/store/whatsapp-settings/catalog-sync";
     };
+    readonly SUPPORT: {
+        readonly TICKETS: "/api/support/tickets";
+        readonly TICKET_BY_ID: (id: string) => string;
+        readonly TICKET_MESSAGES: (id: string) => string;
+    };
+    readonly SCAMMERS: {
+        readonly LIST: "/api/scammers";
+        readonly BY_SLUG: (slug: string) => string;
+        readonly REPORT: "/api/scammers/report";
+    };
 };

package/dist/constants/api-endpoints.js

@@ -141,6 +141,16 @@ export const ADMIN_ENDPOINTS = {
     SUBLISTING_CATEGORY_BY_ID: (id) => `/api/admin/sublisting-categories/${id}`,
     PRODUCT_FEATURES: "/api/admin/features",
     PRODUCT_FEATURE_BY_ID: (id) => `/api/admin/features/${id}`,
+    TEAM: "/api/admin/team",
+    TEAM_MEMBER: (uid) => `/api/admin/team/${uid}`,
+    USER_HARD_BAN: (uid) => `/api/admin/users/${uid}/hard-ban`,
+    USER_UNBAN: (uid) => `/api/admin/users/${uid}/unban`,
+    USER_SOFT_BAN: (uid) => `/api/admin/users/${uid}/soft-ban`,
+    USER_SOFT_BAN_LIFT: (uid, action) => `/api/admin/users/${uid}/soft-ban/${encodeURIComponent(action)}`,
+    SUPPORT_TICKETS: "/api/admin/support-tickets",
+    SUPPORT_TICKET_BY_ID: (id) => `/api/admin/support-tickets/${id}`,
+    SCAMMERS: "/api/admin/scammers",
+    SCAMMER_BY_ID: (id) => `/api/admin/scammers/${id}`,
 };
 // ---------------------------------------------------------------------------
 // Chat
@@ -268,6 +278,9 @@ export const MEDIA_ENDPOINTS = {
     CROP: "/api/media/crop",
     TRIM: "/api/media/trim",
     DELETE: (url) => `/api/media?url=${encodeURIComponent(url)}`,
+    /** Watermark-proxy for external (non-Firebase-Storage) image URLs. */
+    EXT: "/api/media/ext",
+    EXT_URL: (url) => `/api/media/ext?url=${encodeURIComponent(url)}`,
 };
 // ---------------------------------------------------------------------------
 // Orders
@@ -374,6 +387,25 @@ export const PROFILE_STATS_ENDPOINTS = {
 // ---------------------------------------------------------------------------
 // Before / After
 // ---------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Support Tickets (user-facing)
+// ---------------------------------------------------------------------------
+export const SUPPORT_ENDPOINTS = {
+    TICKETS: "/api/support/tickets",
+    TICKET_BY_ID: (id) => `/api/support/tickets/${id}`,
+    TICKET_MESSAGES: (id) => `/api/support/tickets/${id}/messages`,
+};
+// ---------------------------------------------------------------------------
+// Scammers (public)
+// ---------------------------------------------------------------------------
+export const SCAMMER_ENDPOINTS = {
+    LIST: "/api/scammers",
+    BY_SLUG: (slug) => `/api/scammers/${slug}`,
+    REPORT: "/api/scammers/report",
+};
+// ---------------------------------------------------------------------------
+// Before / After
+// ---------------------------------------------------------------------------
 export const BEFORE_AFTER_ENDPOINTS = {
     LIST: "/api/before-after",
 };
@@ -430,6 +462,8 @@ export const API_ENDPOINTS = {
     PROFILE_STATS: PROFILE_STATS_ENDPOINTS,
     DEMO: DEMO_ENDPOINTS,
     WHATSAPP_SELLER: WHATSAPP_SELLER_ENDPOINTS,
+    SUPPORT: SUPPORT_ENDPOINTS,
+    SCAMMERS: SCAMMER_ENDPOINTS,
 };
 /** Canonical alias — prefer API_ROUTES over API_ENDPOINTS in new code. */
 export const API_ROUTES = API_ENDPOINTS;

package/dist/contracts/registry.d.ts

@@ -7,6 +7,12 @@ import type { ISearchProvider } from "./search";
 import type { ICacheProvider, IQueueProvider, IEventBus } from "./infra";
 import type { IStyleAdapter } from "./style";
 import type { IDbProvider } from "./repository";
+export interface IRbacProvider {
+    /** Resolve the permission list for a user UID. Admin role returns []. */
+    getPermissions: (uid: string) => Promise<string[]>;
+    /** True when the user has the admin role (bypasses all permission checks). */
+    isAdmin: (uid: string) => Promise<boolean>;
+}
 export interface ProviderRegistry {
     auth: IAuthProvider;
     session: ISessionProvider;
@@ -20,6 +26,7 @@ export interface ProviderRegistry {
     cache?: ICacheProvider;
     queue?: IQueueProvider;
     eventBus?: IEventBus;
+    rbac?: IRbacProvider;
 }
 export declare function registerProviders(registry: ProviderRegistry): void;
 export declare function getProviders(): ProviderRegistry;

package/dist/features/admin/components/AdminEmployeeEditorView.d.ts

@@ -0,0 +1,10 @@
+export interface AdminEmployeeEditorViewProps {
+    open: boolean;
+    onClose: () => void;
+    mode: "invite" | "edit";
+    userId?: string;
+    displayName?: string;
+    currentPermissionGroup?: string;
+    currentPermissions?: string[];
+}
+export declare function AdminEmployeeEditorView({ open, onClose, mode, userId, displayName, currentPermissionGroup, currentPermissions, }: AdminEmployeeEditorViewProps): import("react/jsx-runtime").JSX.Element;