@object-ui/permissions 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 ObjectQL
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/PermissionContext.d.ts

@@ -0,0 +1,24 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import type { PermissionAction, PermissionCheckResult, FieldLevelPermission } from '@object-ui/types';
+export interface PermissionContextValue {
+    /** Check if action is allowed on object */
+    check: (object: string, action: PermissionAction, record?: Record<string, unknown>) => PermissionCheckResult;
+    /** Check field-level permissions */
+    checkField: (object: string, field: string, action: 'read' | 'write') => boolean;
+    /** Get field permissions for an object */
+    getFieldPermissions: (object: string) => FieldLevelPermission[];
+    /** Get row filter for an object */
+    getRowFilter: (object: string) => string | undefined;
+    /** Current user roles */
+    roles: string[];
+    /** Whether permissions are loaded */
+    isLoaded: boolean;
+}
+export declare const PermCtx: import("react").Context<PermissionContextValue | null>;
+//# sourceMappingURL=PermissionContext.d.ts.map

package/dist/PermissionContext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionContext.d.ts","sourceRoot":"","sources":["../src/PermissionContext.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAEtG,MAAM,WAAW,sBAAsB;IACrC,2CAA2C;IAC3C,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,qBAAqB,CAAC;IAC7G,oCAAoC;IACpC,UAAU,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,KAAK,OAAO,CAAC;IACjF,0CAA0C;IAC1C,mBAAmB,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,oBAAoB,EAAE,CAAC;IAChE,mCAAmC;IACnC,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;IACrD,yBAAyB;IACzB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,qCAAqC;IACrC,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,eAAO,MAAM,OAAO,wDAAqD,CAAC"}

package/dist/PermissionContext.js

@@ -0,0 +1,10 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import { createContext } from 'react';
+export const PermCtx = createContext(null);
+PermCtx.displayName = 'PermissionContext';

package/dist/PermissionGuard.d.ts

@@ -0,0 +1,27 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import React from 'react';
+import type { PermissionAction } from '@object-ui/types';
+export interface PermissionGuardProps {
+    /** Target object name */
+    object: string;
+    /** Required action */
+    action: PermissionAction;
+    /** Fallback behavior when denied */
+    fallback?: 'hide' | 'disable' | 'custom';
+    /** Custom fallback content */
+    fallbackContent?: React.ReactNode;
+    /** Children to render when permitted */
+    children: React.ReactNode;
+}
+/**
+ * Guard component that conditionally renders children based on permissions.
+ * Hides, disables, or shows custom content when access is denied.
+ */
+export declare function PermissionGuard({ object, action, fallback, fallbackContent, children, }: PermissionGuardProps): import("react/jsx-runtime").JSX.Element | null;
+//# sourceMappingURL=PermissionGuard.d.ts.map

package/dist/PermissionGuard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionGuard.d.ts","sourceRoot":"","sources":["../src/PermissionGuard.tsx"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAGzD,MAAM,WAAW,oBAAoB;IACnC,yBAAyB;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,MAAM,EAAE,gBAAgB,CAAC;IACzB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,CAAC;IACzC,8BAA8B;IAC9B,eAAe,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;IAClC,wCAAwC;IACxC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,EAC9B,MAAM,EACN,MAAM,EACN,QAAiB,EACjB,eAAe,EACf,QAAQ,GACT,EAAE,oBAAoB,kDAuBtB"}

package/dist/PermissionGuard.js

@@ -0,0 +1,23 @@
+import { Fragment as _Fragment, jsx as _jsx } from "react/jsx-runtime";
+import { usePermissions } from './usePermissions';
+/**
+ * Guard component that conditionally renders children based on permissions.
+ * Hides, disables, or shows custom content when access is denied.
+ */
+export function PermissionGuard({ object, action, fallback = 'hide', fallbackContent, children, }) {
+    const { can } = usePermissions();
+    const isAllowed = can(object, action);
+    if (isAllowed) {
+        return _jsx(_Fragment, { children: children });
+    }
+    switch (fallback) {
+        case 'hide':
+            return null;
+        case 'disable':
+            return (_jsx("div", { style: { opacity: 0.5, pointerEvents: 'none' }, "aria-disabled": "true", children: children }));
+        case 'custom':
+            return _jsx(_Fragment, { children: fallbackContent ?? null });
+        default:
+            return null;
+    }
+}

package/dist/PermissionProvider.d.ts

@@ -0,0 +1,26 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import React from 'react';
+import type { RoleDefinition, ObjectPermissionConfig } from '@object-ui/types';
+export interface PermissionProviderProps {
+    /** Role definitions */
+    roles: RoleDefinition[];
+    /** Object permission configurations */
+    permissions: ObjectPermissionConfig[];
+    /** Current user's role names */
+    userRoles: string[];
+    /** Current user context */
+    user?: {
+        id: string;
+        [key: string]: unknown;
+    };
+    /** Children */
+    children: React.ReactNode;
+}
+export declare function PermissionProvider({ roles, permissions, userRoles, user, children, }: PermissionProviderProps): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=PermissionProvider.d.ts.map

package/dist/PermissionProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PermissionProvider.d.ts","sourceRoot":"","sources":["../src/PermissionProvider.tsx"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAA+B,MAAM,OAAO,CAAC;AACpD,OAAO,KAAK,EACV,cAAc,EACd,sBAAsB,EAIvB,MAAM,kBAAkB,CAAC;AAI1B,MAAM,WAAW,uBAAuB;IACtC,uBAAuB;IACvB,KAAK,EAAE,cAAc,EAAE,CAAC;IACxB,uCAAuC;IACvC,WAAW,EAAE,sBAAsB,EAAE,CAAC;IACtC,gCAAgC;IAChC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,2BAA2B;IAC3B,IAAI,CAAC,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC;IAC9C,eAAe;IACf,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B;AAED,wBAAgB,kBAAkB,CAAC,EACjC,KAAK,EACL,WAAW,EACX,SAAS,EACT,IAAI,EACJ,QAAQ,GACT,EAAE,uBAAuB,2CA0FzB"}

package/dist/PermissionProvider.js

@@ -0,0 +1,80 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import { useMemo, useCallback } from 'react';
+import { PermCtx } from './PermissionContext';
+import { evaluatePermission } from './evaluator';
+export function PermissionProvider({ roles, permissions, userRoles, user, children, }) {
+    const check = useCallback((object, action, record) => {
+        return evaluatePermission({
+            roles,
+            permissions,
+            userRoles,
+            user: user ? { ...user, roles: userRoles } : { id: '', roles: userRoles },
+            object,
+            action,
+            record,
+        });
+    }, [roles, permissions, userRoles, user]);
+    const checkField = useCallback((object, field, action) => {
+        const objectConfig = permissions.find((p) => p.object === object);
+        if (!objectConfig)
+            return true; // No config means no restrictions
+        for (const role of userRoles) {
+            const roleConfig = objectConfig.roles[role];
+            if (roleConfig?.fieldPermissions) {
+                const fieldPerm = roleConfig.fieldPermissions.find((fp) => fp.field === field);
+                if (fieldPerm) {
+                    return action === 'read' ? fieldPerm.read !== false : fieldPerm.write !== false;
+                }
+            }
+        }
+        // Check defaults
+        if (objectConfig.fieldDefaults) {
+            const defaultPerm = objectConfig.fieldDefaults.find((fp) => fp.field === field);
+            if (defaultPerm) {
+                return action === 'read' ? defaultPerm.read !== false : defaultPerm.write !== false;
+            }
+        }
+        return true; // Default allow
+    }, [permissions, userRoles]);
+    const getFieldPermissions = useCallback((object) => {
+        const objectConfig = permissions.find((p) => p.object === object);
+        if (!objectConfig)
+            return [];
+        const fieldPerms = [];
+        for (const role of userRoles) {
+            const roleConfig = objectConfig.roles[role];
+            if (roleConfig?.fieldPermissions) {
+                fieldPerms.push(...roleConfig.fieldPermissions);
+            }
+        }
+        return fieldPerms;
+    }, [permissions, userRoles]);
+    const getRowFilter = useCallback((object) => {
+        const objectConfig = permissions.find((p) => p.object === object);
+        if (!objectConfig)
+            return undefined;
+        for (const role of userRoles) {
+            const roleConfig = objectConfig.roles[role];
+            if (roleConfig?.rowPermissions?.length) {
+                return roleConfig.rowPermissions[0].filter;
+            }
+        }
+        return undefined;
+    }, [permissions, userRoles]);
+    const value = useMemo(() => ({
+        check,
+        checkField,
+        getFieldPermissions,
+        getRowFilter,
+        roles: userRoles,
+        isLoaded: true,
+    }), [check, checkField, getFieldPermissions, getRowFilter, userRoles]);
+    return _jsx(PermCtx.Provider, { value: value, children: children });
+}

package/dist/evaluator.d.ts

@@ -0,0 +1,33 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import type { RoleDefinition, ObjectPermissionConfig, PermissionAction, PermissionCheckResult, PermissionCondition } from '@object-ui/types';
+interface EvaluatePermissionParams {
+    roles: RoleDefinition[];
+    permissions: ObjectPermissionConfig[];
+    userRoles: string[];
+    user: {
+        id: string;
+        roles: string[];
+        [key: string]: unknown;
+    };
+    object: string;
+    action: PermissionAction;
+    record?: Record<string, unknown>;
+    field?: string;
+}
+/**
+ * Evaluates whether an action is permitted based on RBAC configuration.
+ * Supports role inheritance, field-level, and row-level permissions.
+ */
+export declare function evaluatePermission({ roles, permissions, userRoles, object, action, record, }: EvaluatePermissionParams): PermissionCheckResult;
+/**
+ * Evaluates a permission condition against a record.
+ */
+export declare function evaluateCondition(condition: PermissionCondition, record: Record<string, unknown>): boolean;
+export {};
+//# sourceMappingURL=evaluator.d.ts.map

package/dist/evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluator.d.ts","sourceRoot":"","sources":["../src/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,EACrB,mBAAmB,EACpB,MAAM,kBAAkB,CAAC;AAE1B,UAAU,wBAAwB;IAChC,KAAK,EAAE,cAAc,EAAE,CAAC;IACxB,WAAW,EAAE,sBAAsB,EAAE,CAAC;IACtC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,IAAI,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,EAAE,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC;IAC9D,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,gBAAgB,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,EACjC,KAAK,EACL,WAAW,EACX,SAAS,EACT,MAAM,EACN,MAAM,EACN,MAAM,GACP,EAAE,wBAAwB,GAAG,qBAAqB,CA0ClD;AAyBD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,SAAS,EAAE,mBAAmB,EAC9B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAkCT"}

package/dist/evaluator.js

@@ -0,0 +1,103 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+/**
+ * Evaluates whether an action is permitted based on RBAC configuration.
+ * Supports role inheritance, field-level, and row-level permissions.
+ */
+export function evaluatePermission({ roles, permissions, userRoles, object, action, record, }) {
+    const objectConfig = permissions.find((p) => p.object === object);
+    // If no config exists for the object, allow by default
+    if (!objectConfig) {
+        return { allowed: true };
+    }
+    // Check public access
+    if (objectConfig.publicAccess?.includes(action)) {
+        return { allowed: true };
+    }
+    // Resolve all effective roles (including inherited)
+    const effectiveRoles = resolveRoles(userRoles, roles);
+    // Check role-based permissions
+    for (const roleName of effectiveRoles) {
+        const roleConfig = objectConfig.roles[roleName];
+        if (!roleConfig)
+            continue;
+        if (roleConfig.actions.includes(action)) {
+            // Check row-level permissions if record is provided
+            if (record && roleConfig.rowPermissions?.length) {
+                const rowAllowed = roleConfig.rowPermissions.some((rp) => rp.actions.includes(action));
+                if (!rowAllowed)
+                    continue;
+            }
+            return {
+                allowed: true,
+                fieldRestrictions: roleConfig.fieldPermissions,
+                rowFilter: roleConfig.rowPermissions?.[0]?.filter,
+            };
+        }
+    }
+    return {
+        allowed: false,
+        reason: `Action '${action}' on '${object}' is not permitted for roles: ${userRoles.join(', ')}`,
+    };
+}
+/**
+ * Resolves all effective roles including inherited roles.
+ */
+function resolveRoles(userRoles, roleDefinitions) {
+    const resolved = new Set(userRoles);
+    const queue = [...userRoles];
+    while (queue.length > 0) {
+        const current = queue.shift();
+        const roleDef = roleDefinitions.find((r) => r.name === current);
+        if (roleDef?.inherits) {
+            for (const parent of roleDef.inherits) {
+                if (!resolved.has(parent)) {
+                    resolved.add(parent);
+                    queue.push(parent);
+                }
+            }
+        }
+    }
+    return Array.from(resolved);
+}
+/**
+ * Evaluates a permission condition against a record.
+ */
+export function evaluateCondition(condition, record) {
+    // Prevent prototype pollution via dangerous property access
+    if (['__proto__', 'constructor', 'prototype'].includes(condition.field)) {
+        return false;
+    }
+    const value = Object.prototype.hasOwnProperty.call(record, condition.field) ? record[condition.field] : undefined;
+    switch (condition.operator) {
+        case 'eq':
+            return value === condition.value;
+        case 'neq':
+            return value !== condition.value;
+        case 'gt':
+            return typeof value === 'number' && typeof condition.value === 'number' && value > condition.value;
+        case 'gte':
+            return typeof value === 'number' && typeof condition.value === 'number' && value >= condition.value;
+        case 'lt':
+            return typeof value === 'number' && typeof condition.value === 'number' && value < condition.value;
+        case 'lte':
+            return typeof value === 'number' && typeof condition.value === 'number' && value <= condition.value;
+        case 'in':
+            return Array.isArray(condition.value) && condition.value.includes(value);
+        case 'not_in':
+            return Array.isArray(condition.value) && !condition.value.includes(value);
+        case 'contains':
+            return typeof value === 'string' && typeof condition.value === 'string' && value.includes(condition.value);
+        case 'is_null':
+            return value === null || value === undefined;
+        case 'is_not_null':
+            return value !== null && value !== undefined;
+        default:
+            return false;
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+/**
+ * @object-ui/permissions
+ *
+ * RBAC permission system for Object UI providing:
+ * - PermissionProvider context for React apps
+ * - usePermissions hook for checking access
+ * - PermissionGuard component for conditional rendering
+ * - Permission evaluation engine
+ * - Field-level and row-level permission support
+ *
+ * @packageDocumentation
+ */
+export { PermissionProvider, type PermissionProviderProps } from './PermissionProvider';
+export { usePermissions } from './usePermissions';
+export { useFieldPermissions } from './useFieldPermissions';
+export { PermissionGuard, type PermissionGuardProps } from './PermissionGuard';
+export { evaluatePermission } from './evaluator';
+export { createPermissionStore, type PermissionStore } from './store';
+export type { PermissionAction, PermissionEffect, RoleDefinition, ObjectLevelPermission, FieldLevelPermission, RowLevelPermission, PermissionCondition, ObjectPermissionConfig, SharingRuleConfig, PermissionCheckResult, PermissionContext, PermissionGuardConfig, } from '@object-ui/types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,kBAAkB,EAAE,KAAK,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AACxF,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,KAAK,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAC/E,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,qBAAqB,EAAE,KAAK,eAAe,EAAE,MAAM,SAAS,CAAC;AAGtE,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,qBAAqB,EACrB,oBAAoB,EACpB,kBAAkB,EAClB,mBAAmB,EACnB,sBAAsB,EACtB,iBAAiB,EACjB,qBAAqB,EACrB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -0,0 +1,25 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+/**
+ * @object-ui/permissions
+ *
+ * RBAC permission system for Object UI providing:
+ * - PermissionProvider context for React apps
+ * - usePermissions hook for checking access
+ * - PermissionGuard component for conditional rendering
+ * - Permission evaluation engine
+ * - Field-level and row-level permission support
+ *
+ * @packageDocumentation
+ */
+export { PermissionProvider } from './PermissionProvider';
+export { usePermissions } from './usePermissions';
+export { useFieldPermissions } from './useFieldPermissions';
+export { PermissionGuard } from './PermissionGuard';
+export { evaluatePermission } from './evaluator';
+export { createPermissionStore } from './store';

package/dist/store.d.ts

@@ -0,0 +1,33 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import type { RoleDefinition, ObjectPermissionConfig, PermissionAction, PermissionCheckResult } from '@object-ui/types';
+/**
+ * Permission store for non-React contexts (e.g., API handlers, middleware).
+ * Provides the same permission evaluation as the React hooks.
+ */
+export interface PermissionStore {
+    /** Check if action is allowed */
+    check: (object: string, action: PermissionAction, record?: Record<string, unknown>) => PermissionCheckResult;
+    /** Update user roles */
+    setUserRoles: (roles: string[]) => void;
+    /** Update permissions configuration */
+    setPermissions: (permissions: ObjectPermissionConfig[]) => void;
+}
+/**
+ * Creates a permission store for non-React contexts.
+ */
+export declare function createPermissionStore(config: {
+    roles: RoleDefinition[];
+    permissions: ObjectPermissionConfig[];
+    userRoles: string[];
+    user?: {
+        id: string;
+        [key: string]: unknown;
+    };
+}): PermissionStore;
+//# sourceMappingURL=store.d.ts.map

package/dist/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,sBAAsB,EACtB,gBAAgB,EAChB,qBAAqB,EACtB,MAAM,kBAAkB,CAAC;AAG1B;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,iCAAiC;IACjC,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,qBAAqB,CAAC;IAC7G,wBAAwB;IACxB,YAAY,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,IAAI,CAAC;IACxC,uCAAuC;IACvC,cAAc,EAAE,CAAC,WAAW,EAAE,sBAAsB,EAAE,KAAK,IAAI,CAAC;CACjE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE;IAC5C,KAAK,EAAE,cAAc,EAAE,CAAC;IACxB,WAAW,EAAE,sBAAsB,EAAE,CAAC;IACtC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,IAAI,CAAC,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC;CAC/C,GAAG,eAAe,CAsBlB"}

package/dist/store.js

@@ -0,0 +1,32 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import { evaluatePermission } from './evaluator';
+/**
+ * Creates a permission store for non-React contexts.
+ */
+export function createPermissionStore(config) {
+    const { roles, user } = config;
+    let { permissions, userRoles } = config;
+    return {
+        check: (object, action, record) => evaluatePermission({
+            roles,
+            permissions,
+            userRoles,
+            user: user ? { ...user, roles: userRoles } : { id: '', roles: userRoles },
+            object,
+            action,
+            record,
+        }),
+        setUserRoles: (newRoles) => {
+            userRoles = newRoles;
+        },
+        setPermissions: (newPermissions) => {
+            permissions = newPermissions;
+        },
+    };
+}

package/dist/useFieldPermissions.d.ts

@@ -0,0 +1,24 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+/**
+ * Hook to get field-level permissions for a specific object.
+ * Returns utilities for checking individual field access.
+ */
+export declare function useFieldPermissions(objectName: string): {
+    /** All field permissions for this object */
+    permissions: import("@object-ui/types").FieldLevelPermission[];
+    /** Check if a field is readable */
+    canRead: (field: string) => boolean;
+    /** Check if a field is writable */
+    canWrite: (field: string) => boolean;
+    /** Get fields that are readable */
+    readableFields: (fields: string[]) => string[];
+    /** Get fields that are writable */
+    writableFields: (fields: string[]) => string[];
+};
+//# sourceMappingURL=useFieldPermissions.d.ts.map

package/dist/useFieldPermissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useFieldPermissions.d.ts","sourceRoot":"","sources":["../src/useFieldPermissions.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM;IAUhD,4CAA4C;;IAE5C,mCAAmC;qBAClB,MAAM;IACvB,mCAAmC;sBACjB,MAAM;IACxB,mCAAmC;6BACV,MAAM,EAAE;IACjC,mCAAmC;6BACV,MAAM,EAAE;EAItC"}

package/dist/useFieldPermissions.js

@@ -0,0 +1,29 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import { useMemo } from 'react';
+import { usePermissions } from './usePermissions';
+/**
+ * Hook to get field-level permissions for a specific object.
+ * Returns utilities for checking individual field access.
+ */
+export function useFieldPermissions(objectName) {
+    const { checkField, getFieldPermissions } = usePermissions();
+    const fieldPermissions = useMemo(() => getFieldPermissions(objectName), [getFieldPermissions, objectName]);
+    return useMemo(() => ({
+        /** All field permissions for this object */
+        permissions: fieldPermissions,
+        /** Check if a field is readable */
+        canRead: (field) => checkField(objectName, field, 'read'),
+        /** Check if a field is writable */
+        canWrite: (field) => checkField(objectName, field, 'write'),
+        /** Get fields that are readable */
+        readableFields: (fields) => fields.filter((f) => checkField(objectName, f, 'read')),
+        /** Get fields that are writable */
+        writableFields: (fields) => fields.filter((f) => checkField(objectName, f, 'write')),
+    }), [fieldPermissions, checkField, objectName]);
+}

package/dist/usePermissions.d.ts

@@ -0,0 +1,20 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import type { PermissionAction } from '@object-ui/types';
+import { type PermissionContextValue } from './PermissionContext';
+/**
+ * Hook to access the permission system.
+ * Must be used within a PermissionProvider.
+ */
+export declare function usePermissions(): PermissionContextValue & {
+    /** Convenience: check if action is allowed */
+    can: (object: string, action: PermissionAction) => boolean;
+    /** Convenience: check if action is denied */
+    cannot: (object: string, action: PermissionAction) => boolean;
+};
+//# sourceMappingURL=usePermissions.d.ts.map

package/dist/usePermissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"usePermissions.d.ts","sourceRoot":"","sources":["../src/usePermissions.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAyB,MAAM,kBAAkB,CAAC;AAChF,OAAO,EAAW,KAAK,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAE3E;;;GAGG;AACH,wBAAgB,cAAc,IAAI,sBAAsB,GAAG;IACzD,8CAA8C;IAC9C,GAAG,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,KAAK,OAAO,CAAC;IAC3D,6CAA6C;IAC7C,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,KAAK,OAAO,CAAC;CAC/D,CAsBA"}

package/dist/usePermissions.js

@@ -0,0 +1,34 @@
+/**
+ * ObjectUI
+ * Copyright (c) 2024-present ObjectStack Inc.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+import { useContext } from 'react';
+import { PermCtx } from './PermissionContext';
+/**
+ * Hook to access the permission system.
+ * Must be used within a PermissionProvider.
+ */
+export function usePermissions() {
+    const ctx = useContext(PermCtx);
+    if (!ctx) {
+        // Return a permissive default when no provider exists
+        return {
+            check: () => ({ allowed: true }),
+            checkField: () => true,
+            getFieldPermissions: () => [],
+            getRowFilter: () => undefined,
+            roles: [],
+            isLoaded: false,
+            can: () => true,
+            cannot: () => false,
+        };
+    }
+    return {
+        ...ctx,
+        can: (object, action) => ctx.check(object, action).allowed,
+        cannot: (object, action) => !ctx.check(object, action).allowed,
+    };
+}

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@object-ui/permissions",
+  "version": "0.1.0",
+  "type": "module",
+  "license": "MIT",
+  "description": "RBAC permission system for Object UI with object/field/row-level access control, permission guards, and hooks.",
+  "homepage": "https://www.objectui.org",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/objectstack-ai/objectui.git",
+    "directory": "packages/permissions"
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "peerDependencies": {
+    "react": "^18.0.0 || ^19.0.0"
+  },
+  "dependencies": {
+    "@object-ui/types": "0.5.0"
+  },
+  "devDependencies": {
+    "@types/react": "^19.2.13",
+    "react": "^19.1.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
+  },
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist",
+    "test": "vitest run",
+    "type-check": "tsc --noEmit",
+    "lint": "eslint ."
+  }
+}