@nsxbet/admin-sdk 0.8.1 → 0.9.1

package/dist/i18n/locales/es.json

@@ -10,6 +10,7 @@
         "edit": "Editar",
         "create": "Crear",
         "search": "Buscar",
+        "retry": "Reintentar",
         "noResults": "No se encontraron resultados",
         "close": "Cerrar",
         "back": "Atrás",
@@ -42,6 +43,7 @@
         "settings": "Configuración",
         "profile": "Perfil",
         "registry": "Registro",
+        "accessControl": "Control de Acceso",
         "logout": "Cerrar Sesión",
         "pinned": "Fijados",
         "platform": "Plataforma",
@@ -219,10 +221,73 @@
         "loginButton": "Iniciar sesión con SSO Corporativo",
         "secureAuth": "Autenticación Segura"
     },
+    "accessControlPage": {
+        "title": "Control de Acceso",
+        "description": "Gestiona autorización local, inspección y auditoría.",
+        "groups": "Grupos",
+        "users": "Usuarios",
+        "audit": "Auditoría",
+        "statusAll": "Todos",
+        "statusActive": "Activos",
+        "statusInactive": "Inactivos",
+        "groupsTitle": "Grupos",
+        "groupsDescription": "Explora y gestiona grupos RBAC.",
+        "noGroupsTitle": "No se encontraron grupos",
+        "noGroupsDescription": "Ningún grupo coincide con el filtro actual.",
+        "protectedGroup": "Protegido",
+        "viewGroup": "Ver Grupo",
+        "deactivate": "Desactivar",
+        "reactivate": "Reactivar",
+        "confirmDeactivate": "¿Estás seguro de que quieres desactivar \"{{group}}\"? Los miembros de este grupo perderán todos los permisos otorgados a través de él.",
+        "confirmReactivate": "¿Estás seguro de que quieres reactivar \"{{group}}\"? Los miembros recuperarán todos los permisos asignados a este grupo.",
+        "promptCreateGroup": "Ingresa un nombre visible para el nuevo grupo",
+        "promptEditGroup": "Actualiza el nombre visible del grupo",
+        "groupDetailTitle": "Detalle del Grupo",
+        "groupDetailDescription": "Revisa miembros y permisos del grupo {{groupId}}.",
+        "membersTab": "Miembros",
+        "permissionsTab": "Permisos",
+        "noMembers": "Este grupo todavía no tiene miembros.",
+        "noPermissions": "Este grupo todavía no tiene permisos asignados.",
+        "selfRemoveTitle": "¿Eliminarte de este grupo?",
+        "selfRemoveDescription": "Estás a punto de eliminarte del grupo \"{{group}}\". Esto puede revocar tu acceso para gestionar este grupo y otras áreas de la plataforma.",
+        "selfRemovePrompt": "Escribe CONFIRM para continuar.",
+        "selfRemoveConfirmButton": "Eliminarme",
+        "userTitle": "Acceso del Usuario",
+        "userDescription": "Inspecciona el acceso resuelto del usuario {{userId}}.",
+        "userRolesTitle": "Roles Efectivos",
+        "userGroupsTitle": "Grupos Contribuyentes",
+        "noRoles": "Este usuario no tiene roles efectivos.",
+        "auditTitle": "Historial de Auditoría",
+        "auditDescription": "Explora los eventos de auditoría de Control de Acceso en modo solo lectura.",
+        "filterEventType": "Tipo de evento",
+        "filterActor": "Id del actor",
+        "filterTargetType": "Tipo de objetivo",
+        "filterTargetId": "Id del objetivo",
+        "noAuditTitle": "No se encontraron eventos de auditoría",
+        "noAuditDescription": "Ningún evento de auditoría coincide con los filtros actuales.",
+        "noAccess": "No tienes permiso para acceder al área de Control de Acceso.",
+        "columnName": "Nombre",
+        "columnProtected": "Protegido",
+        "columnEmail": "Email",
+        "columnSubject": "Sujeto",
+        "columnTimestamp": "Fecha/Hora",
+        "columnEvent": "Evento",
+        "columnActor": "Actor",
+        "columnTarget": "Objetivo",
+        "columnSummary": "Resumen",
+        "inspectUser": "Inspeccionar",
+        "usersTitle": "Usuarios",
+        "noUsersTitle": "No se encontraron usuarios",
+        "noUsersDescription": "Ningún usuario local coincide con la búsqueda."
+    },
     "breadcrumbs": {
         "home": "Inicio",
         "registry": "Registro",
         "settings": "Configuración",
-        "profile": "Perfil"
+        "profile": "Perfil",
+        "accessControl": "Control de Acceso",
+        "accessControlGroups": "Grupos",
+        "accessControlUsers": "Usuarios",
+        "accessControlAudit": "Auditoría"
     }
 }

package/dist/i18n/locales/pt-BR.json

@@ -10,6 +10,7 @@
         "edit": "Editar",
         "create": "Criar",
         "search": "Buscar",
+        "retry": "Tentar novamente",
         "noResults": "Nenhum resultado encontrado",
         "close": "Fechar",
         "back": "Voltar",
@@ -42,6 +43,7 @@
         "settings": "Configurações",
         "profile": "Perfil",
         "registry": "Registro",
+        "accessControl": "Controle de Acesso",
         "logout": "Sair",
         "pinned": "Fixados",
         "platform": "Plataforma",
@@ -219,10 +221,73 @@
         "loginButton": "Entrar com SSO Corporativo",
         "secureAuth": "Autenticação Segura"
     },
+    "accessControlPage": {
+        "title": "Controle de Acesso",
+        "description": "Gerencie autorização local, inspeção e auditoria.",
+        "groups": "Grupos",
+        "users": "Usuários",
+        "audit": "Auditoria",
+        "statusAll": "Todos",
+        "statusActive": "Ativos",
+        "statusInactive": "Inativos",
+        "groupsTitle": "Grupos",
+        "groupsDescription": "Navegue e gerencie grupos de RBAC.",
+        "noGroupsTitle": "Nenhum grupo encontrado",
+        "noGroupsDescription": "Nenhum grupo corresponde ao filtro atual.",
+        "protectedGroup": "Protegido",
+        "viewGroup": "Ver Grupo",
+        "deactivate": "Desativar",
+        "reactivate": "Reativar",
+        "confirmDeactivate": "Tem certeza que deseja desativar \"{{group}}\"? Os membros deste grupo perderão todas as permissões concedidas por ele.",
+        "confirmReactivate": "Tem certeza que deseja reativar \"{{group}}\"? Os membros recuperarão todas as permissões atribuídas a este grupo.",
+        "promptCreateGroup": "Digite um nome de exibição para o novo grupo",
+        "promptEditGroup": "Atualize o nome de exibição do grupo",
+        "groupDetailTitle": "Detalhes do Grupo",
+        "groupDetailDescription": "Revise membros e permissões do grupo {{groupId}}.",
+        "membersTab": "Membros",
+        "permissionsTab": "Permissões",
+        "noMembers": "Este grupo ainda não tem membros.",
+        "noPermissions": "Este grupo ainda não tem permissões atribuídas.",
+        "selfRemoveTitle": "Remover você mesmo deste grupo?",
+        "selfRemoveDescription": "Você está prestes a se remover do grupo \"{{group}}\". Isso pode revogar seu acesso para gerenciar este grupo e outras áreas da plataforma.",
+        "selfRemovePrompt": "Digite CONFIRM para prosseguir.",
+        "selfRemoveConfirmButton": "Remover a mim mesmo",
+        "userTitle": "Acesso do Usuário",
+        "userDescription": "Inspecione o acesso resolvido do usuário {{userId}}.",
+        "userRolesTitle": "Papéis Efetivos",
+        "userGroupsTitle": "Grupos Contribuintes",
+        "noRoles": "Este usuário não possui papéis efetivos.",
+        "auditTitle": "Histórico de Auditoria",
+        "auditDescription": "Navegue pelos eventos de auditoria do Controle de Acesso em modo somente leitura.",
+        "filterEventType": "Tipo de evento",
+        "filterActor": "Id do ator",
+        "filterTargetType": "Tipo de alvo",
+        "filterTargetId": "Id do alvo",
+        "noAuditTitle": "Nenhum evento de auditoria encontrado",
+        "noAuditDescription": "Nenhum evento de auditoria corresponde aos filtros atuais.",
+        "noAccess": "Você não tem permissão para acessar a área de Controle de Acesso.",
+        "columnName": "Nome",
+        "columnProtected": "Protegido",
+        "columnEmail": "Email",
+        "columnSubject": "Sujeito",
+        "columnTimestamp": "Data/Hora",
+        "columnEvent": "Evento",
+        "columnActor": "Ator",
+        "columnTarget": "Alvo",
+        "columnSummary": "Resumo",
+        "inspectUser": "Inspecionar",
+        "usersTitle": "Usuários",
+        "noUsersTitle": "Nenhum usuário encontrado",
+        "noUsersDescription": "Nenhum usuário local corresponde à pesquisa."
+    },
     "breadcrumbs": {
         "home": "Início",
         "registry": "Registro",
         "settings": "Configurações",
-        "profile": "Perfil"
+        "profile": "Perfil",
+        "accessControl": "Controle de Acesso",
+        "accessControlGroups": "Grupos",
+        "accessControlUsers": "Usuários",
+        "accessControlAudit": "Auditoria"
     }
 }

package/dist/i18n/locales/ro.json

@@ -10,6 +10,7 @@
         "edit": "Editează",
         "create": "Creează",
         "search": "Caută",
+        "retry": "Reîncearcă",
         "noResults": "Nu s-au găsit rezultate",
         "close": "Închide",
         "back": "Înapoi",
@@ -42,6 +43,7 @@
         "settings": "Setări",
         "profile": "Profil",
         "registry": "Registru",
+        "accessControl": "Control Acces",
         "logout": "Deconectare",
         "pinned": "Fixate",
         "platform": "Platformă",
@@ -219,10 +221,73 @@
         "loginButton": "Autentificare cu SSO Corporativ",
         "secureAuth": "Autentificare Securizată"
     },
+    "accessControlPage": {
+        "title": "Control Acces",
+        "description": "Gestionează autorizarea locală, inspecția și auditul.",
+        "groups": "Grupuri",
+        "users": "Utilizatori",
+        "audit": "Audit",
+        "statusAll": "Toate",
+        "statusActive": "Active",
+        "statusInactive": "Inactive",
+        "groupsTitle": "Grupuri",
+        "groupsDescription": "Răsfoiește și administrează grupurile RBAC.",
+        "noGroupsTitle": "Nu au fost găsite grupuri",
+        "noGroupsDescription": "Niciun grup nu corespunde filtrului curent.",
+        "protectedGroup": "Protejat",
+        "viewGroup": "Vezi Grupul",
+        "deactivate": "Dezactivează",
+        "reactivate": "Reactivează",
+        "confirmDeactivate": "Ești sigur că vrei să dezactivezi \"{{group}}\"? Membrii acestui grup vor pierde toate permisiunile acordate prin acesta.",
+        "confirmReactivate": "Ești sigur că vrei să reactivezi \"{{group}}\"? Membrii vor recăpăta toate permisiunile atribuite acestui grup.",
+        "promptCreateGroup": "Introdu un nume afișat pentru noul grup",
+        "promptEditGroup": "Actualizează numele afișat al grupului",
+        "groupDetailTitle": "Detalii Grup",
+        "groupDetailDescription": "Revizuiește membrii și permisiunile pentru grupul {{groupId}}.",
+        "membersTab": "Membri",
+        "permissionsTab": "Permisiuni",
+        "noMembers": "Acest grup nu are încă membri.",
+        "noPermissions": "Acest grup nu are încă permisiuni atribuite.",
+        "selfRemoveTitle": "Te elimini din acest grup?",
+        "selfRemoveDescription": "Ești pe cale să te elimini din grupul \"{{group}}\". Acest lucru îți poate revoca accesul pentru gestionarea acestui grup și a altor zone ale platformei.",
+        "selfRemovePrompt": "Tastează CONFIRM pentru a continua.",
+        "selfRemoveConfirmButton": "Elimină-mă",
+        "userTitle": "Acces Utilizator",
+        "userDescription": "Inspectează accesul rezolvat pentru utilizatorul {{userId}}.",
+        "userRolesTitle": "Roluri Efective",
+        "userGroupsTitle": "Grupuri Contribuitoare",
+        "noRoles": "Acest utilizator nu are roluri efective.",
+        "auditTitle": "Istoric Audit",
+        "auditDescription": "Răsfoiește evenimentele de audit Control Acces în mod doar citire.",
+        "filterEventType": "Tip eveniment",
+        "filterActor": "Id actor",
+        "filterTargetType": "Tip țintă",
+        "filterTargetId": "Id țintă",
+        "noAuditTitle": "Nu au fost găsite evenimente de audit",
+        "noAuditDescription": "Niciun eveniment de audit nu corespunde filtrelor curente.",
+        "noAccess": "Nu ai permisiunea să accesezi zona Control Acces.",
+        "columnName": "Nume",
+        "columnProtected": "Protejat",
+        "columnEmail": "Email",
+        "columnSubject": "Subiect",
+        "columnTimestamp": "Data/Ora",
+        "columnEvent": "Eveniment",
+        "columnActor": "Actor",
+        "columnTarget": "Țintă",
+        "columnSummary": "Rezumat",
+        "inspectUser": "Inspectează",
+        "usersTitle": "Utilizatori",
+        "noUsersTitle": "Nu au fost găsiți utilizatori",
+        "noUsersDescription": "Niciun utilizator local nu corespunde căutării."
+    },
     "breadcrumbs": {
         "home": "Acasă",
         "registry": "Registru",
         "settings": "Setări",
-        "profile": "Profil"
+        "profile": "Profil",
+        "accessControl": "Control Acces",
+        "accessControlGroups": "Grupuri",
+        "accessControlUsers": "Utilizatori",
+        "accessControlAudit": "Audit"
     }
 }

package/dist/router/url-allowlist.d.ts

@@ -1,12 +1,16 @@
 /**
  * Module URL allowlist validation
  *
- * Validates module URLs against VITE_ALLOWED_MODULE_ORIGINS before
+ * Validates module URLs against ALLOWED_MODULE_ORIGINS before
  * import() or loadScript() to prevent loading code from untrusted origins.
+ *
+ * Resolution order:
+ *   1. window.__ENV__.ALLOWED_MODULE_ORIGINS  (runtime — Docker/K8s)
+ *   2. import.meta.env.VITE_ALLOWED_MODULE_ORIGINS  (build-time — local dev)
  */
 /** Options for validateModuleUrl (used by tests to override env) */
 export interface ValidateModuleUrlOptions {
-    /** Override allowlist (comma-separated patterns). Default: VITE_ALLOWED_MODULE_ORIGINS */
+    /** Override allowlist (comma-separated patterns). Default: ALLOWED_MODULE_ORIGINS */
     allowlist?: string;
     /** Override dev mode. Default: import.meta.env.DEV */
     isDev?: boolean;

package/dist/router/url-allowlist.js

@@ -1,8 +1,12 @@
 /**
  * Module URL allowlist validation
  *
- * Validates module URLs against VITE_ALLOWED_MODULE_ORIGINS before
+ * Validates module URLs against ALLOWED_MODULE_ORIGINS before
  * import() or loadScript() to prevent loading code from untrusted origins.
+ *
+ * Resolution order:
+ *   1. window.__ENV__.ALLOWED_MODULE_ORIGINS  (runtime — Docker/K8s)
+ *   2. import.meta.env.VITE_ALLOWED_MODULE_ORIGINS  (build-time — local dev)
  */
 /**
  * Parse allowlist patterns from comma-separated string.
@@ -48,14 +52,16 @@ export function validateModuleUrl(url, options) {
     }
     const hostname = parsed.hostname;
     const isDev = options?.isDev ?? import.meta.env.DEV === true;
-    const rawAllowlist = options?.allowlist ?? import.meta.env.VITE_ALLOWED_MODULE_ORIGINS;
+    const rawAllowlist = options?.allowlist
+        ?? (typeof window !== 'undefined' ? window.__ENV__?.ALLOWED_MODULE_ORIGINS : undefined)
+        ?? import.meta.env.VITE_ALLOWED_MODULE_ORIGINS;
     // Dev mode: always allow localhost and 127.0.0.1
     if (isDev && (hostname === 'localhost' || hostname === '127.0.0.1')) {
         return;
     }
     const patterns = getAllowlistPatterns(rawAllowlist);
     if (patterns.length === 0) {
-        throw new Error(`[DynamicModule] Module URL "${url}" rejected: VITE_ALLOWED_MODULE_ORIGINS is not set or empty. ` +
+        throw new Error(`[DynamicModule] Module URL "${url}" rejected: ALLOWED_MODULE_ORIGINS is not set or empty. ` +
             'Configure trusted origins (e.g. *.nsx.dev,*.nsx.services) in your environment.');
     }
     const allowed = patterns.some((p) => hostnameMatchesPattern(hostname, p));

package/dist/sdk-version.js

@@ -2,4 +2,4 @@
  * Semver of @nsxbet/admin-sdk (synced from package.json by scripts/write-sdk-version.mjs).
  * Do not edit manually — run `node scripts/write-sdk-version.mjs` after version bumps.
  */
-export const SDK_PACKAGE_VERSION = "0.8.1";
+export const SDK_PACKAGE_VERSION = "0.9.1";

package/dist/shell/AdminShell.js

@@ -13,6 +13,7 @@ import { ProfilePage } from "./components/ProfilePage";
 import { SettingsPage } from "./components/SettingsPage";
 import { RegistryPage } from "./components/RegistryPage";
 import { HomePage } from "./components/HomePage";
+import { AccessControlLayout, AccessControlGroupsPage, AccessControlGroupDetailPage, AccessControlUsersListPage, AccessControlUserPage, AccessControlAuditPage, } from "./components/access-control";
 import { AuthProvider, useAuthContext } from "../components/AuthProvider";
 import { createInMemoryAuthClient, createMockUsersFromRoles, } from "../auth/client/in-memory";
 import { createBffAuthClient } from "../auth/client/bff";
@@ -216,7 +217,7 @@ function ShellContent({ modules, children, environment, locale, onLocaleChange,
             // Ignore
         }
     };
-    return (_jsxs(_Fragment, { children: [hasUpdates && (_jsx(UpdateBanner, { onReload: () => window.location.reload(), onDismiss: onDismissUpdate })), _jsxs(SidebarProvider, { open: sidebarOpen, onOpenChange: handleSidebarChange, children: [_jsx(LeftNav, { modules: modules }), _jsxs(SidebarInset, { className: "flex flex-col", children: [_jsx(TopBar, { onSearchClick: onSearchClick, environment: environment, locale: locale, onLocaleChange: onLocaleChange, timezoneMode: timezoneMode, onTimezoneToggle: onTimezoneToggle }), cacheStatus.state !== "fresh" && cacheStatus.state !== "unavailable" && (_jsx("div", { className: "px-4 pt-2", children: _jsx(RegistryStatusBanner, { status: cacheStatus, onRetry: onRetry }) })), _jsxs(Routes, { children: [_jsx(Route, { path: "/", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(HomePage, {}) }) }), _jsx(Route, { path: "/_profile", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(ProfilePage, {}) }) }), _jsx(Route, { path: "/_settings", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(SettingsPage, {}) }) }), _jsx(Route, { path: "/_registry", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(RegistryPage, { apiUrl: apiUrl, registryClient: registryClient }) }) }), _jsx(Route, { path: "/_modules/*", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(ModuleOverview, { modules: modules }) }) }), isStandaloneMode
+    return (_jsxs(_Fragment, { children: [hasUpdates && (_jsx(UpdateBanner, { onReload: () => window.location.reload(), onDismiss: onDismissUpdate })), _jsxs(SidebarProvider, { open: sidebarOpen, onOpenChange: handleSidebarChange, children: [_jsx(LeftNav, { modules: modules }), _jsxs(SidebarInset, { className: "flex flex-col", children: [_jsx(TopBar, { onSearchClick: onSearchClick, environment: environment, locale: locale, onLocaleChange: onLocaleChange, timezoneMode: timezoneMode, onTimezoneToggle: onTimezoneToggle }), cacheStatus.state !== "fresh" && cacheStatus.state !== "unavailable" && (_jsx("div", { className: "px-4 pt-2", children: _jsx(RegistryStatusBanner, { status: cacheStatus, onRetry: onRetry }) })), _jsxs(Routes, { children: [_jsx(Route, { path: "/", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(HomePage, {}) }) }), _jsx(Route, { path: "/_profile", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(ProfilePage, {}) }) }), _jsx(Route, { path: "/_settings", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(SettingsPage, {}) }) }), _jsx(Route, { path: "/_registry", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(RegistryPage, { apiUrl: apiUrl, registryClient: registryClient }) }) }), _jsxs(Route, { path: "/_access-control", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(AccessControlLayout, { apiUrl: apiUrl }) }), children: [_jsx(Route, { path: "groups", element: _jsx(AccessControlGroupsPage, {}) }), _jsx(Route, { path: "groups/:groupId", element: _jsx(AccessControlGroupDetailPage, {}) }), _jsx(Route, { path: "users", element: _jsx(AccessControlUsersListPage, {}) }), _jsx(Route, { path: "users/:userId", element: _jsx(AccessControlUserPage, {}) }), _jsx(Route, { path: "audit", element: _jsx(AccessControlAuditPage, {}) })] }), _jsx(Route, { path: "/_modules/*", element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: _jsx(ModuleOverview, { modules: modules }) }) }), isStandaloneMode
                                         ? // Standalone mode: render children (module is imported directly)
                                             modules.map((module) => (_jsx(Route, { path: `${module.routeBase}/*`, element: _jsx(MainContent, { modules: modules, moduleBreadcrumbs: moduleBreadcrumbs, children: children }) }, module.id)))
                                         : // Shell mode: load modules dynamically via React.lazy
@@ -296,19 +297,23 @@ export function AdminShell({ modules: manifests = [], children, bff, authClient:
                 'admin.users.view',
                 'admin.users.edit',
                 'admin.users.delete',
-                'admin.platform.view',
-                'admin.platform.edit',
-                'admin.platform.delete',
+                'admin.platform.registry.view',
+                'admin.platform.registry.edit',
+                'admin.platform.registry.delete',
+                'admin.platform.access-control.groups.view',
+                'admin.platform.access-control.groups.manage',
+                'admin.platform.access-control.users.view',
+                'admin.platform.access-control.audit.view',
             ],
             editor: [
                 'admin.tasks.view',
                 'admin.tasks.edit',
                 'admin.users.view',
                 'admin.users.edit',
-                'admin.platform.view',
-                'admin.platform.edit',
+                'admin.platform.registry.view',
+                'admin.platform.registry.edit',
             ],
-            viewer: ['admin.tasks.view', 'admin.users.view', 'admin.platform.view'],
+            viewer: ['admin.tasks.view', 'admin.users.view', 'admin.platform.registry.view'],
             noAccess: [],
         });
         return createInMemoryAuthClient({ users: defaultMockUsers });
@@ -422,5 +427,5 @@ export function AdminShell({ modules: manifests = [], children, bff, authClient:
     else {
         shellContent = (_jsx(ShellContent, { modules: modules, environment: environment, locale: locale, onLocaleChange: handleLocaleChange, onSearchClick: handleSearchClick, catalog: catalog, commandPaletteOpen: commandPaletteOpen, onCommandPaletteChange: setCommandPaletteOpen, apiUrl: apiUrl, registryClient: registryClient, isStandaloneMode: isStandaloneMode, cacheStatus: cacheStatus, onRetry: handleRetry, hasUpdates: hasUpdates, onDismissUpdate: dismissUpdate, localeCallbacksRef: localeCallbacksRef, timezoneMode: timezoneMode, onTimezoneToggle: handleTimezoneToggle, timezoneCallbacksRef: timezoneCallbacksRef, children: children }));
     }
-    return (_jsx(BrowserRouter, { children: _jsx(I18nextProvider, { i18n: i18n, children: _jsx(ThemeProvider, { children: _jsx(AuthProvider, { authClient: authClient, children: shellContent }) }) }) }));
+    return (_jsx(BrowserRouter, { children: _jsx(I18nextProvider, { i18n: i18n, children: _jsx(ThemeProvider, { children: _jsx(AuthProvider, { authClient: authClient, apiUrl: apiUrl, children: shellContent }) }) }) }));
 }

package/dist/shell/components/HomePage.js

@@ -25,7 +25,7 @@ const quickActions = [
         descriptionKey: "registryPage.description",
         route: "/_registry",
         color: "text-purple-500",
-        permission: "admin.platform.view",
+        permission: "admin.platform.registry.view",
     },
 ];
 export function HomePage() {

package/dist/shell/components/LeftNav.js

@@ -182,16 +182,57 @@ export function LeftNav({ modules }) {
             newValue: JSON.stringify(updated),
         }));
     }, [pinnedCommands]);
+    const hasAnyAccessControlPermission = useMemo(() => {
+        const acPermissions = [
+            "admin.platform.access-control.groups.view",
+            "admin.platform.access-control.groups.manage",
+            "admin.platform.access-control.users.view",
+            "admin.platform.access-control.audit.view",
+        ];
+        return acPermissions.some((p) => auth.hasPermission(p));
+    }, [auth]);
+    const accessControlVirtualModule = useMemo(() => {
+        if (!hasAnyAccessControlPermission)
+            return null;
+        return {
+            id: "@platform/access-control",
+            title: { "en-US": "Access Control", "pt-BR": "Controle de Acesso", es: "Control de Acceso", ro: "Control Acces" },
+            description: { "en-US": "Manage authorization", "pt-BR": "Gerencie autorização", es: "Gestiona autorización", ro: "Gestionează autorizarea" },
+            category: "Platform",
+            routeBase: "/_access-control",
+            keywords: [],
+            permissions: { view: [] },
+            owners: { team: "Platform", supportChannel: "#platform" },
+            status: "active",
+            sdkVersion: "",
+            icon: "shield",
+            navigation: { style: "stacked" },
+            commands: [
+                ...(auth.hasPermission("admin.platform.access-control.groups.view") || auth.hasPermission("admin.platform.access-control.groups.manage")
+                    ? [{ id: "groups", title: { "en-US": "Groups", "pt-BR": "Grupos", es: "Grupos", ro: "Grupuri" }, route: "/_access-control/groups", icon: "users" }]
+                    : []),
+                ...(auth.hasPermission("admin.platform.access-control.users.view")
+                    ? [{ id: "users", title: { "en-US": "Users", "pt-BR": "Usuários", es: "Usuarios", ro: "Utilizatori" }, route: "/_access-control/users", icon: "user-search" }]
+                    : []),
+                ...(auth.hasPermission("admin.platform.access-control.audit.view")
+                    ? [{ id: "audit", title: { "en-US": "Audit", "pt-BR": "Auditoria", es: "Auditoría", ro: "Audit" }, route: "/_access-control/audit", icon: "file-clock" }]
+                    : []),
+            ],
+        };
+    }, [auth, hasAnyAccessControlPermission]);
+    const allModulesWithVirtual = useMemo(() => {
+        return accessControlVirtualModule ? [...modules, accessControlVirtualModule] : modules;
+    }, [modules, accessControlVirtualModule]);
     // URL-driven stacked panel detection
     const activeStackedModule = useMemo(() => {
-        return modules.find((m) => m.navigation?.style === "stacked" &&
+        return allModulesWithVirtual.find((m) => m.navigation?.style === "stacked" &&
             m.status === "active" &&
             (location.pathname === m.routeBase ||
                 location.pathname.startsWith(m.routeBase + "/"))) ?? null;
-    }, [modules, location.pathname]);
+    }, [allModulesWithVirtual, location.pathname]);
     const isStacked = activeStackedModule !== null;
     const isStackedModule = (module) => module.navigation?.style === "stacked";
-    const userFooter = (_jsx(SidebarFooter, { className: `border-t border-sidebar-border ${isCollapsed ? "items-center" : ""}`, children: _jsx(SidebarMenu, { children: _jsx(SidebarMenuItem, { children: _jsxs(DropdownMenu, { children: [_jsx(DropdownMenuTrigger, { asChild: true, children: _jsxs(SidebarMenuButton, { size: "lg", tooltip: user?.displayName || "User", "data-testid": "user-menu-trigger", className: "data-[state=open]:bg-sidebar-accent data-[state=open]:text-sidebar-accent-foreground", children: [_jsx("div", { className: "flex aspect-square size-8 items-center justify-center rounded-lg bg-primary text-primary-foreground", children: user?.displayName?.charAt(0).toUpperCase() || "U" }), _jsxs("div", { className: "grid flex-1 text-left text-sm leading-tight", children: [_jsx("span", { className: "truncate font-semibold", children: user?.displayName || "User" }), _jsx("span", { className: "truncate text-xs text-muted-foreground", children: user?.email || "" })] }), _jsx(ChevronUp, { className: "ml-auto" })] }) }), _jsxs(DropdownMenuContent, { side: isCollapsed ? "right" : "top", align: isCollapsed ? "end" : "start", className: "w-[--radix-dropdown-menu-trigger-width] min-w-56 rounded-lg", children: [_jsxs(DropdownMenuItem, { onClick: () => navigate("/_profile"), className: isRouteActive("/_profile") ? "bg-accent" : "", "data-testid": "nav-profile", children: [_jsx(Icon, { name: "user", className: "h-4 w-4 mr-2" }), t('navigation.profile')] }), _jsxs(DropdownMenuItem, { onClick: () => navigate("/_settings"), className: isRouteActive("/_settings") ? "bg-accent" : "", "data-testid": "nav-settings", children: [_jsx(Icon, { name: "settings", className: "h-4 w-4 mr-2" }), t('navigation.settings')] }), auth.hasPermission('admin.platform.view') && (_jsxs(DropdownMenuItem, { onClick: () => navigate("/_registry"), className: isRouteActive("/_registry") ? "bg-accent" : "", "data-testid": "nav-registry", children: [_jsx(Icon, { name: "package", className: "h-4 w-4 mr-2" }), t('navigation.registry')] })), _jsx(DropdownMenuSeparator, {}), _jsxs(DropdownMenuItem, { onClick: () => logout(), "data-testid": "nav-logout", children: [_jsx(Icon, { name: "log-out", className: "h-4 w-4 mr-2" }), t('navigation.logout')] })] })] }) }) }) }));
+    const userFooter = (_jsx(SidebarFooter, { className: `border-t border-sidebar-border ${isCollapsed ? "items-center" : ""}`, children: _jsx(SidebarMenu, { children: _jsx(SidebarMenuItem, { children: _jsxs(DropdownMenu, { children: [_jsx(DropdownMenuTrigger, { asChild: true, children: _jsxs(SidebarMenuButton, { size: "lg", tooltip: user?.displayName || "User", "data-testid": "user-menu-trigger", className: "data-[state=open]:bg-sidebar-accent data-[state=open]:text-sidebar-accent-foreground", children: [_jsx("div", { className: "flex aspect-square size-8 items-center justify-center rounded-lg bg-primary text-primary-foreground", children: user?.displayName?.charAt(0).toUpperCase() || "U" }), _jsxs("div", { className: "grid flex-1 text-left text-sm leading-tight", children: [_jsx("span", { className: "truncate font-semibold", children: user?.displayName || "User" }), _jsx("span", { className: "truncate text-xs text-muted-foreground", children: user?.email || "" })] }), _jsx(ChevronUp, { className: "ml-auto" })] }) }), _jsxs(DropdownMenuContent, { side: isCollapsed ? "right" : "top", align: isCollapsed ? "end" : "start", className: "w-[--radix-dropdown-menu-trigger-width] min-w-56 rounded-lg", children: [_jsxs(DropdownMenuItem, { onClick: () => navigate("/_profile"), className: isRouteActive("/_profile") ? "bg-accent" : "", "data-testid": "nav-profile", children: [_jsx(Icon, { name: "user", className: "h-4 w-4 mr-2" }), t('navigation.profile')] }), _jsxs(DropdownMenuItem, { onClick: () => navigate("/_settings"), className: isRouteActive("/_settings") ? "bg-accent" : "", "data-testid": "nav-settings", children: [_jsx(Icon, { name: "settings", className: "h-4 w-4 mr-2" }), t('navigation.settings')] }), auth.hasPermission('admin.platform.registry.view') && (_jsxs(DropdownMenuItem, { onClick: () => navigate("/_registry"), className: isRouteActive("/_registry") ? "bg-accent" : "", "data-testid": "nav-registry", children: [_jsx(Icon, { name: "package", className: "h-4 w-4 mr-2" }), t('navigation.registry')] })), accessControlVirtualModule && (_jsxs(DropdownMenuItem, { onClick: () => navigate("/_access-control/groups"), className: isRouteActive("/_access-control") ? "bg-accent" : "", "data-testid": "nav-access-control", children: [_jsx(Icon, { name: "shield", className: "h-4 w-4 mr-2" }), t('navigation.accessControl')] })), _jsx(DropdownMenuSeparator, {}), _jsxs(DropdownMenuItem, { onClick: () => logout(), "data-testid": "nav-logout", children: [_jsx(Icon, { name: "log-out", className: "h-4 w-4 mr-2" }), t('navigation.logout')] })] })] }) }) }) }));
     return (_jsx(Sidebar, { collapsible: "icon", "data-testid": "left-nav", children: _jsxs("div", { className: "flex h-full flex-col overflow-hidden", children: [_jsx(SidebarHeader, { children: _jsx(SidebarMenu, { children: _jsx(SidebarMenuItem, { children: _jsx(SidebarTrigger, { "data-testid": "sidebar-toggle" }) }) }) }), _jsxs("div", { className: "flex flex-1 min-h-0 transition-transform duration-200 ease-in-out motion-reduce:transition-none", style: {
                         width: "200%",
                         transform: isStacked && !isCollapsed ? "translateX(-50%)" : "translateX(0)",
@@ -241,5 +282,6 @@ export function LeftNav({ modules }) {
                                                                                                         ? "text-primary hover:text-destructive hover:bg-sidebar-accent opacity-100"
                                                                                                         : "text-muted-foreground hover:text-primary hover:bg-sidebar-accent opacity-0 group-hover/command:opacity-100"}`, title: isPinned ? "Unpin" : "Pin", "data-testid": `pin-toggle-${command.id}`, children: _jsx(Pin, { className: `h-3.5 w-3.5 ${isPinned ? "fill-current" : ""}` }) }))] }) }, command.id));
                                                                                 })] }) })] }) }, module.id));
-                                                    }) }) })] }, category))), auth.hasPermission('admin.platform.view') && (_jsxs(SidebarGroup, { children: [_jsx(SidebarGroupLabel, { className: "text-sidebar-foreground/90 font-semibold uppercase text-[10px] tracking-wider", children: t('navigation.platform') }), _jsx(SidebarGroupContent, { children: _jsx(SidebarMenu, { children: _jsx(SidebarMenuItem, { children: _jsxs(SidebarMenuButton, { onClick: () => navigate("/_registry"), isActive: isRouteActive("/_registry"), tooltip: t('navigation.registry'), "data-testid": "nav-registry-sidebar", children: [_jsx(Icon, { name: "package", className: "h-4 w-4" }), _jsx("span", { className: "truncate", children: t('navigation.registry') })] }) }) }) })] }))] }) }), _jsx("div", { className: "w-1/2 flex flex-col min-h-0", children: activeStackedModule ? (_jsx(StackedPanel, { module: activeStackedModule, showPinned: showPinned, isCommandPinned: isCommandPinned, togglePin: togglePin })) : null })] }), userFooter] }) }));
+                                                    }) }) })] }, category))), (auth.hasPermission('admin.platform.registry.view') ||
+                                        accessControlVirtualModule) && (_jsxs(SidebarGroup, { children: [_jsx(SidebarGroupLabel, { className: "text-sidebar-foreground/90 font-semibold uppercase text-[10px] tracking-wider", children: t('navigation.platform') }), _jsx(SidebarGroupContent, { children: _jsxs(SidebarMenu, { children: [auth.hasPermission('admin.platform.registry.view') && (_jsx(SidebarMenuItem, { children: _jsxs(SidebarMenuButton, { onClick: () => navigate("/_registry"), isActive: isRouteActive("/_registry"), tooltip: t('navigation.registry'), "data-testid": "nav-registry-sidebar", children: [_jsx(Icon, { name: "package", className: "h-4 w-4" }), _jsx("span", { className: "truncate", children: t('navigation.registry') })] }) })), accessControlVirtualModule && (_jsx(SidebarMenuItem, { children: _jsxs(SidebarMenuButton, { onClick: () => navigate("/_access-control/groups"), isActive: isRouteActive("/_access-control"), tooltip: t('navigation.accessControl'), "data-testid": "nav-access-control-sidebar", children: [_jsx(Icon, { name: "shield", className: "h-4 w-4" }), _jsx("span", { className: "truncate", children: t('navigation.accessControl') }), _jsx(ChevronRight, { className: "ml-auto h-4 w-4" })] }) }))] }) })] }))] }) }), _jsx("div", { className: "w-1/2 flex flex-col min-h-0", children: activeStackedModule ? (_jsx(StackedPanel, { module: activeStackedModule, showPinned: showPinned, isCommandPinned: isCommandPinned, togglePin: togglePin })) : null })] }), userFooter] }) }));
 }

package/dist/shell/components/MainContent.js

@@ -26,6 +26,31 @@ export function MainContent({ modules, children, moduleBreadcrumbs }) {
             setBreadcrumbs([{ label: t('breadcrumbs.home'), href: "/" }, { label: t('breadcrumbs.registry') }]);
             return;
         }
+        if (currentPath.startsWith("/_access-control")) {
+            const crumbs = [
+                { label: t('breadcrumbs.home'), href: "/" },
+                { label: t('breadcrumbs.accessControl'), href: "/_access-control" },
+            ];
+            if (currentPath === "/_access-control/groups") {
+                crumbs.push({ label: t('breadcrumbs.accessControlGroups') });
+            }
+            else if (currentPath.startsWith("/_access-control/groups/")) {
+                crumbs.push({ label: t('breadcrumbs.accessControlGroups'), href: "/_access-control/groups" });
+                crumbs.push({ label: t('accessControlPage.groupDetailTitle') });
+            }
+            else if (currentPath === "/_access-control/users") {
+                crumbs.push({ label: t('breadcrumbs.accessControlUsers') });
+            }
+            else if (currentPath.startsWith("/_access-control/users/")) {
+                crumbs.push({ label: t('breadcrumbs.accessControlUsers'), href: "/_access-control/users" });
+                crumbs.push({ label: t('accessControlPage.userTitle') });
+            }
+            else if (currentPath === "/_access-control/audit") {
+                crumbs.push({ label: t('breadcrumbs.accessControlAudit') });
+            }
+            setBreadcrumbs(crumbs);
+            return;
+        }
         // Find module that matches current path (for module routes)
         const module = modules.find((m) => m.status === "active" &&
             (currentPath === m.routeBase ||

package/dist/shell/components/RegistryPage.js

@@ -27,9 +27,9 @@ export function RegistryPage({ apiUrl, registryClient }) {
     const [modules, setModules] = useState([]);
     const [isLoading, setIsLoading] = useState(true);
     const [error, setError] = useState(null);
-    const canView = auth.hasPermission("admin.platform.view");
-    const canEdit = auth.hasPermission("admin.platform.edit");
-    const canDelete = auth.hasPermission("admin.platform.delete");
+    const canView = auth.hasPermission("admin.platform.registry.view");
+    const canEdit = auth.hasPermission("admin.platform.registry.edit");
+    const canDelete = auth.hasPermission("admin.platform.registry.delete");
     const [disableTarget, setDisableTarget] = useState(null);
     const [historyTarget, setHistoryTarget] = useState(null);
     const [versionHistory, setVersionHistory] = useState([]);

package/dist/shell/components/access-control/AccessControlAuditPage.d.ts

@@ -0,0 +1 @@
+export declare function AccessControlAuditPage(): import("react/jsx-runtime").JSX.Element;