@payez/next-mvp 3.1.1 → 3.2.2

package/dist/middleware/create-middleware.js

@@ -317,7 +317,8 @@ async function checkViability(request, endpoint, log) {
                 'Cache-Control': 'no-store',
                 'Cookie': request.headers.get('cookie') || ''
             },
-            credentials: 'include'
+            credentials: 'include',
+            signal: AbortSignal.timeout(5000),
         });
         if (response.ok) {
             const data = await response.json();
@@ -359,18 +360,32 @@ async function executeDecision(request, decision, pathname, sessionPointer, sess
             return handleRefresh(request, safeCallback, opts);
     }
 }
+/** Paths that must never be RBAC-checked (they are RBAC redirect targets) */
+const RBAC_EXEMPT_PATHS = ['/error', '/unauthorized', '/service-unavailable'];
 /** Handle 'allow' decision - run RBAC if enabled */
 async function handleAllow(request, pathname, sessionPointer, sessionStatus) {
     const isPublic = (0, route_config_1.isUnauthenticatedRoute)(pathname);
-    if ((0, rbac_check_1.isRBACEnabled)() && !isPublic) {
+    if ((0, rbac_check_1.isRBACEnabled)() && !isPublic && sessionPointer.exists) {
+        // Skip RBAC for error/fallback pages to prevent redirect loops
+        if (RBAC_EXEMPT_PATHS.some(p => pathname.startsWith(p))) {
+            return server_1.NextResponse.next();
+        }
         if (!sessionPointer.clientId) {
-            console.error('[MIDDLEWARE] RBAC: No clientId');
-            return server_1.NextResponse.redirect(new URL('/error?code=no_client_id', request.url));
+            console.error('[MIDDLEWARE] RBAC: No clientId — returning 401');
+            if (pathname.startsWith('/api/')) {
+                return server_1.NextResponse.json({ error: 'Unauthorized — missing clientId for RBAC' }, { status: 401 });
+            }
+            return server_1.NextResponse.redirect(new URL('/unauthorized', request.url));
         }
         try {
             const result = await (0, rbac_check_1.checkPagePermission)(pathname, sessionPointer.roles, sessionPointer.clientId);
             if (!result.allowed) {
                 console.log('[MIDDLEWARE] RBAC denied:', { pathname, reason: result.reason });
+                // In development, fail open - RBAC API may not be fully configured
+                if (process.env.NODE_ENV !== 'production') {
+                    console.warn('[MIDDLEWARE] RBAC: Allowing in development despite denial:', result.reason);
+                    return server_1.NextResponse.next();
+                }
                 return server_1.NextResponse.redirect(new URL(result.redirect || '/unauthorized', request.url));
             }
             if (result.requires_2fa && !sessionStatus.twoFactorComplete) {
@@ -379,6 +394,11 @@ async function handleAllow(request, pathname, sessionPointer, sessionStatus) {
         }
         catch (error) {
             console.error('[MIDDLEWARE] RBAC error:', error);
+            // In development, fail open
+            if (process.env.NODE_ENV !== 'production') {
+                console.warn('[MIDDLEWARE] RBAC: Allowing in development despite error');
+                return server_1.NextResponse.next();
+            }
             return server_1.NextResponse.redirect(new URL('/error?code=rbac_error', request.url));
         }
     }
@@ -403,7 +423,8 @@ async function handleRefresh(request, safeCallback, opts) {
                 'x-session-token': request.cookies.get((0, app_slug_1.getSessionCookieName)())?.value ||
                     request.cookies.get((0, app_slug_1.getSecureSessionCookieName)())?.value || ''
             },
-            credentials: 'include'
+            credentials: 'include',
+            signal: AbortSignal.timeout(5000),
         });
         if (response.ok) {
             const data = await response.json();

package/dist/middleware/rbac-check.d.ts

@@ -1,11 +1,14 @@
 /**
  * Page RBAC Check Module
  *
- * Checks page-level permissions via Vibe API.
+ * Checks page-level permissions via Vibe API through the IDP Proxy.
  * Uses in-memory cache to reduce API calls.
  * Fails closed (DENY) on errors or timeout.
  *
- * @version 1.0.0
+ * All requests route through the IDP Vibe Proxy ({IDP_URL}/api/vibe/proxy)
+ * which injects proper HMAC credentials for the Vibe API.
+ *
+ * @version 2.0.0
  * @since page-rbac-2026-01
  */
 export interface RBACResult {
@@ -29,11 +32,15 @@ export declare function clearRBACCache(): void;
 /**
  * Check if user has permission to access a page.
  *
- * FAIL CLOSED: If Vibe API is unreachable or times out, access is DENIED.
+ * Routes through IDP Vibe Proxy ({IDP_URL}/api/vibe/proxy) which injects
+ * proper HMAC credentials. The Vibe RBAC endpoint requires client context
+ * that only the proxy can provide.
+ *
+ * FAIL CLOSED: If proxy is unreachable or times out, access is DENIED.
  *
  * @param path - The route path to check
  * @param userRoles - User's roles from session
- * @param clientId - Client ID for multi-tenancy
+ * @param clientId - Client slug for multi-tenancy
  * @param userClaims - Optional claims for claim-based authorization
  * @returns RBAC result with allowed/denied status
  */

package/dist/middleware/rbac-check.js

@@ -2,18 +2,44 @@
 /**
  * Page RBAC Check Module
  *
- * Checks page-level permissions via Vibe API.
+ * Checks page-level permissions via Vibe API through the IDP Proxy.
  * Uses in-memory cache to reduce API calls.
  * Fails closed (DENY) on errors or timeout.
  *
- * @version 1.0.0
+ * All requests route through the IDP Vibe Proxy ({IDP_URL}/api/vibe/proxy)
+ * which injects proper HMAC credentials for the Vibe API.
+ *
+ * @version 2.0.0
  * @since page-rbac-2026-01
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.clearRBACCache = clearRBACCache;
 exports.checkPagePermission = checkPagePermission;
 exports.isRBACEnabled = isRBACEnabled;
-const crypto_1 = require("crypto");
+// ============================================================================
+// WEB CRYPTO HELPERS (Edge Runtime compatible)
+// ============================================================================
+const encoder = new TextEncoder();
+async function sha256Hex(input) {
+    const data = encoder.encode(input);
+    const hash = await crypto.subtle.digest('SHA-256', data);
+    return Array.from(new Uint8Array(hash))
+        .map(b => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+async function hmacSha256Base64(key, message) {
+    const cryptoKey = await crypto.subtle.importKey('raw', key, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const signature = await crypto.subtle.sign('HMAC', cryptoKey, encoder.encode(message));
+    return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+function base64ToUint8Array(base64) {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
 // ============================================================================
 // CACHE
 // ============================================================================
@@ -25,10 +51,11 @@ const MAX_CACHE_SIZE = 1000;
  * Generate cache key for RBAC result.
  * Uses SHA-256 hash to avoid key collisions and limit key size.
  */
-function getCacheKey(clientId, path, roles) {
+async function getCacheKey(clientId, path, roles) {
     const sortedRoles = [...roles].sort().join(',');
     const input = JSON.stringify({ clientId, path, roles: sortedRoles });
-    return (0, crypto_1.createHash)('sha256').update(input).digest('hex').substring(0, 32);
+    const hash = await sha256Hex(input);
+    return hash.substring(0, 32);
 }
 /**
  * Get cached RBAC result if valid.
@@ -68,99 +95,100 @@ function clearRBACCache() {
     rbacCache.clear();
 }
 // ============================================================================
-// SIGNATURE
-// ============================================================================
-/**
- * Generate HMAC-SHA256 signature for Vibe API request.
- * SECURITY: Signing key is required in production.
- */
-function generateSignature(path, clientId, timestamp) {
-    const signingKey = process.env.VIBE_SIGNING_KEY;
-    // SECURITY: Require signing key in production
-    if (!signingKey) {
-        if (process.env.NODE_ENV === 'production') {
-            throw new Error('[RBAC] VIBE_SIGNING_KEY is required in production');
-        }
-        return ''; // Signature optional in dev only
-    }
-    const stringToSign = `${timestamp}|GET|/api/v1/rbac/check|${path}|${clientId}`;
-    return (0, crypto_1.createHmac)('sha256', Buffer.from(signingKey, 'base64'))
-        .update(stringToSign)
-        .digest('base64');
-}
-// ============================================================================
-// RBAC CHECK
+// RBAC CHECK (via IDP Proxy)
 // ============================================================================
 /**
  * Check if user has permission to access a page.
  *
- * FAIL CLOSED: If Vibe API is unreachable or times out, access is DENIED.
+ * Routes through IDP Vibe Proxy ({IDP_URL}/api/vibe/proxy) which injects
+ * proper HMAC credentials. The Vibe RBAC endpoint requires client context
+ * that only the proxy can provide.
+ *
+ * FAIL CLOSED: If proxy is unreachable or times out, access is DENIED.
  *
  * @param path - The route path to check
  * @param userRoles - User's roles from session
- * @param clientId - Client ID for multi-tenancy
+ * @param clientId - Client slug for multi-tenancy
  * @param userClaims - Optional claims for claim-based authorization
  * @returns RBAC result with allowed/denied status
  */
 async function checkPagePermission(path, userRoles, clientId, userClaims) {
     // Check cache first
-    const cacheKey = getCacheKey(clientId, path, userRoles);
+    const cacheKey = await getCacheKey(clientId, path, userRoles);
     const cached = getCachedResult(cacheKey);
     if (cached) {
         return cached;
     }
-    const vibeApiUrl = process.env.VIBE_API_URL;
-    if (!vibeApiUrl) {
-        console.error('[RBAC] VIBE_API_URL not configured');
+    const idpUrl = process.env.NEXT_PUBLIC_IDP_URL || process.env.IDP_URL;
+    const vibeClientId = process.env.VIBE_CLIENT_ID;
+    const hmacKey = process.env.VIBE_HMAC_KEY || process.env.IDP_SIGNING_KEY;
+    if (!idpUrl) {
+        console.error('[RBAC] IDP_URL not configured');
         return {
             allowed: false,
             reason: 'rbac_not_configured',
             redirect: '/error?code=rbac_not_configured',
         };
     }
-    // Build request URL
-    const url = new URL('/api/v1/rbac/check', vibeApiUrl);
-    url.searchParams.set('path', path);
-    url.searchParams.set('roles', userRoles.join(','));
-    // Add claims if provided
+    // Build RBAC endpoint with query params
+    // Vibe route is /v1/rbac/check (no /api/ prefix)
+    const params = new URLSearchParams();
+    params.set('path', path);
+    params.set('roles', userRoles.join(','));
     if (userClaims && Object.keys(userClaims).length > 0) {
         const claimsParam = Object.entries(userClaims)
             .map(([type, value]) => `${type}:${value}`)
             .join(',');
-        url.searchParams.set('claims', claimsParam);
+        params.set('claims', claimsParam);
     }
-    // Generate signature
+    const rbacEndpoint = `/v1/rbac/check?${params.toString()}`;
+    // Build proxy request
+    const proxyUrl = `${idpUrl}/api/vibe/proxy`;
     const timestamp = Math.floor(Date.now() / 1000);
-    const signature = generateSignature(path, clientId, timestamp);
-    // Build headers
     const headers = {
+        'Content-Type': 'application/json',
         'Accept': 'application/json',
-        'X-Client-Id': clientId,
-        'X-Vibe-Client-Id': clientId,
     };
-    if (signature) {
+    if (vibeClientId) {
+        headers['X-Vibe-Client-Id'] = vibeClientId;
+    }
+    // Sign with HMAC (same format as vibe-client: timestamp|method|endpoint)
+    if (hmacKey && vibeClientId) {
+        const stringToSign = `${timestamp}|GET|${rbacEndpoint}`;
+        const keyBuffer = base64ToUint8Array(hmacKey);
+        const signature = await hmacSha256Base64(keyBuffer, stringToSign);
         headers['X-Vibe-Timestamp'] = String(timestamp);
         headers['X-Vibe-Signature'] = signature;
     }
+    // Proxy body format: { endpoint, method, data }
+    const proxyBody = {
+        endpoint: rbacEndpoint,
+        method: 'GET',
+        data: null,
+    };
     try {
         // 2 second timeout - fail closed
         const controller = new AbortController();
         const timeoutId = setTimeout(() => controller.abort(), 2000);
-        const response = await fetch(url.toString(), {
-            method: 'GET',
+        const response = await fetch(proxyUrl, {
+            method: 'POST',
             headers,
+            body: JSON.stringify(proxyBody),
             signal: controller.signal,
         });
         clearTimeout(timeoutId);
         if (!response.ok) {
-            console.error('[RBAC] Vibe API error:', response.status, response.statusText);
+            console.error('[RBAC] Proxy error:', response.status, response.statusText);
             return {
                 allowed: false,
                 reason: 'rbac_api_error',
                 redirect: '/error?code=rbac_error',
             };
         }
-        const result = await response.json();
+        const body = await response.json();
+        // Vibe API wraps responses: { success: true, data: { allowed, reason, ... } }
+        // Unwrap the .data property if present, otherwise use body directly
+        const result = body?.data ?? body;
         // Cache the result
         setCachedResult(cacheKey, result);
         return result;
@@ -168,14 +196,14 @@ async function checkPagePermission(path, userRoles, clientId, userClaims) {
     catch (error) {
         // Fail closed on any error
         if (error.name === 'AbortError') {
-            console.error('[RBAC] Vibe API timeout (2s exceeded)');
+            console.error('[RBAC] Proxy timeout (2s exceeded)');
             return {
                 allowed: false,
                 reason: 'rbac_timeout',
                 redirect: '/error?code=rbac_timeout',
             };
         }
-        console.error('[RBAC] Vibe API error:', error);
+        console.error('[RBAC] Proxy error:', error);
         return {
             allowed: false,
             reason: 'rbac_service_unavailable',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@payez/next-mvp",
-  "version": "3.1.1",
+  "version": "3.2.2",
   "sideEffects": false,
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/middleware/create-middleware.ts

@@ -439,7 +439,8 @@ async function checkViability(
         'Cache-Control': 'no-store',
         'Cookie': request.headers.get('cookie') || ''
       },
-      credentials: 'include'
+      credentials: 'include',
+      signal: AbortSignal.timeout(5000),
     });
 
     if (response.ok) {
@@ -503,6 +504,9 @@ async function executeDecision(
   }
 }
 
+/** Paths that must never be RBAC-checked (they are RBAC redirect targets) */
+const RBAC_EXEMPT_PATHS = ['/error', '/unauthorized', '/service-unavailable'];
+
 /** Handle 'allow' decision - run RBAC if enabled */
 async function handleAllow(
   request: NextRequest,
@@ -512,10 +516,21 @@ async function handleAllow(
 ): Promise<NextResponse> {
   const isPublic = isUnauthenticatedRoute(pathname);
 
-  if (isRBACEnabled() && !isPublic) {
+  if (isRBACEnabled() && !isPublic && sessionPointer.exists) {
+    // Skip RBAC for error/fallback pages to prevent redirect loops
+    if (RBAC_EXEMPT_PATHS.some(p => pathname.startsWith(p))) {
+      return NextResponse.next();
+    }
+
     if (!sessionPointer.clientId) {
-      console.error('[MIDDLEWARE] RBAC: No clientId');
-      return NextResponse.redirect(new URL('/error?code=no_client_id', request.url));
+      console.error('[MIDDLEWARE] RBAC: No clientId — returning 401');
+      if (pathname.startsWith('/api/')) {
+        return NextResponse.json(
+          { error: 'Unauthorized — missing clientId for RBAC' },
+          { status: 401 }
+        );
+      }
+      return NextResponse.redirect(new URL('/unauthorized', request.url));
     }
 
     try {
@@ -523,6 +538,13 @@ async function handleAllow(
 
       if (!result.allowed) {
         console.log('[MIDDLEWARE] RBAC denied:', { pathname, reason: result.reason });
+
+        // In development, fail open - RBAC API may not be fully configured
+        if (process.env.NODE_ENV !== 'production') {
+          console.warn('[MIDDLEWARE] RBAC: Allowing in development despite denial:', result.reason);
+          return NextResponse.next();
+        }
+
         return NextResponse.redirect(new URL(result.redirect || '/unauthorized', request.url));
       }
 
@@ -533,6 +555,13 @@ async function handleAllow(
       }
     } catch (error) {
       console.error('[MIDDLEWARE] RBAC error:', error);
+
+      // In development, fail open
+      if (process.env.NODE_ENV !== 'production') {
+        console.warn('[MIDDLEWARE] RBAC: Allowing in development despite error');
+        return NextResponse.next();
+      }
+
       return NextResponse.redirect(new URL('/error?code=rbac_error', request.url));
     }
   }
@@ -569,7 +598,8 @@ async function handleRefresh(
         'x-session-token': request.cookies.get(getSessionCookieName())?.value ||
                            request.cookies.get(getSecureSessionCookieName())?.value || ''
       },
-      credentials: 'include'
+      credentials: 'include',
+      signal: AbortSignal.timeout(5000),
     });
 
     if (response.ok) {

package/src/middleware/rbac-check.ts

@@ -1,15 +1,51 @@
 /**
  * Page RBAC Check Module
  *
- * Checks page-level permissions via Vibe API.
+ * Checks page-level permissions via Vibe API through the IDP Proxy.
  * Uses in-memory cache to reduce API calls.
  * Fails closed (DENY) on errors or timeout.
  *
- * @version 1.0.0
+ * All requests route through the IDP Vibe Proxy ({IDP_URL}/api/vibe/proxy)
+ * which injects proper HMAC credentials for the Vibe API.
+ *
+ * @version 2.0.0
  * @since page-rbac-2026-01
  */
 
-import { createHmac, createHash } from 'crypto';
+// ============================================================================
+// WEB CRYPTO HELPERS (Edge Runtime compatible)
+// ============================================================================
+
+const encoder = new TextEncoder();
+
+async function sha256Hex(input: string): Promise<string> {
+  const data = encoder.encode(input);
+  const hash = await crypto.subtle.digest('SHA-256', data);
+  return Array.from(new Uint8Array(hash))
+    .map(b => b.toString(16).padStart(2, '0'))
+    .join('');
+}
+
+async function hmacSha256Base64(key: Uint8Array, message: string): Promise<string> {
+  const cryptoKey = await crypto.subtle.importKey(
+    'raw',
+    key as BufferSource,
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+  const signature = await crypto.subtle.sign('HMAC', cryptoKey, encoder.encode(message));
+  return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+
+function base64ToUint8Array(base64: string): Uint8Array {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
 
 // ============================================================================
 // TYPES
@@ -45,10 +81,11 @@ const MAX_CACHE_SIZE = 1000;
  * Generate cache key for RBAC result.
  * Uses SHA-256 hash to avoid key collisions and limit key size.
  */
-function getCacheKey(clientId: string, path: string, roles: string[]): string {
+async function getCacheKey(clientId: string, path: string, roles: string[]): Promise<string> {
   const sortedRoles = [...roles].sort().join(',');
   const input = JSON.stringify({ clientId, path, roles: sortedRoles });
-  return createHash('sha256').update(input).digest('hex').substring(0, 32);
+  const hash = await sha256Hex(input);
+  return hash.substring(0, 32);
 }
 
 /**
@@ -93,46 +130,21 @@ export function clearRBACCache(): void {
 }
 
 // ============================================================================
-// SIGNATURE
-// ============================================================================
-
-/**
- * Generate HMAC-SHA256 signature for Vibe API request.
- * SECURITY: Signing key is required in production.
- */
-function generateSignature(
-  path: string,
-  clientId: string,
-  timestamp: number
-): string {
-  const signingKey = process.env.VIBE_SIGNING_KEY;
-
-  // SECURITY: Require signing key in production
-  if (!signingKey) {
-    if (process.env.NODE_ENV === 'production') {
-      throw new Error('[RBAC] VIBE_SIGNING_KEY is required in production');
-    }
-    return ''; // Signature optional in dev only
-  }
-
-  const stringToSign = `${timestamp}|GET|/api/v1/rbac/check|${path}|${clientId}`;
-  return createHmac('sha256', Buffer.from(signingKey, 'base64'))
-    .update(stringToSign)
-    .digest('base64');
-}
-
-// ============================================================================
-// RBAC CHECK
+// RBAC CHECK (via IDP Proxy)
 // ============================================================================
 
 /**
  * Check if user has permission to access a page.
  *
- * FAIL CLOSED: If Vibe API is unreachable or times out, access is DENIED.
+ * Routes through IDP Vibe Proxy ({IDP_URL}/api/vibe/proxy) which injects
+ * proper HMAC credentials. The Vibe RBAC endpoint requires client context
+ * that only the proxy can provide.
+ *
+ * FAIL CLOSED: If proxy is unreachable or times out, access is DENIED.
  *
  * @param path - The route path to check
  * @param userRoles - User's roles from session
- * @param clientId - Client ID for multi-tenancy
+ * @param clientId - Client slug for multi-tenancy
  * @param userClaims - Optional claims for claim-based authorization
  * @returns RBAC result with allowed/denied status
  */
@@ -143,15 +155,18 @@ export async function checkPagePermission(
   userClaims?: Record<string, string>
 ): Promise<RBACResult> {
   // Check cache first
-  const cacheKey = getCacheKey(clientId, path, userRoles);
+  const cacheKey = await getCacheKey(clientId, path, userRoles);
   const cached = getCachedResult(cacheKey);
   if (cached) {
     return cached;
   }
 
-  const vibeApiUrl = process.env.VIBE_API_URL;
-  if (!vibeApiUrl) {
-    console.error('[RBAC] VIBE_API_URL not configured');
+  const idpUrl = process.env.NEXT_PUBLIC_IDP_URL || process.env.IDP_URL;
+  const vibeClientId = process.env.VIBE_CLIENT_ID;
+  const hmacKey = process.env.VIBE_HMAC_KEY || process.env.IDP_SIGNING_KEY;
+
+  if (!idpUrl) {
+    console.error('[RBAC] IDP_URL not configured');
     return {
       allowed: false,
       reason: 'rbac_not_configured',
@@ -159,50 +174,66 @@ export async function checkPagePermission(
     };
   }
 
-  // Build request URL
-  const url = new URL('/api/v1/rbac/check', vibeApiUrl);
-  url.searchParams.set('path', path);
-  url.searchParams.set('roles', userRoles.join(','));
+  // Build RBAC endpoint with query params
+  // Vibe route is /v1/rbac/check (no /api/ prefix)
+  const params = new URLSearchParams();
+  params.set('path', path);
+  params.set('roles', userRoles.join(','));
 
-  // Add claims if provided
   if (userClaims && Object.keys(userClaims).length > 0) {
     const claimsParam = Object.entries(userClaims)
       .map(([type, value]) => `${type}:${value}`)
       .join(',');
-    url.searchParams.set('claims', claimsParam);
+    params.set('claims', claimsParam);
   }
 
-  // Generate signature
+  const rbacEndpoint = `/v1/rbac/check?${params.toString()}`;
+
+  // Build proxy request
+  const proxyUrl = `${idpUrl}/api/vibe/proxy`;
   const timestamp = Math.floor(Date.now() / 1000);
-  const signature = generateSignature(path, clientId, timestamp);
 
-  // Build headers
   const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
     'Accept': 'application/json',
-    'X-Client-Id': clientId,
-    'X-Vibe-Client-Id': clientId,
   };
 
-  if (signature) {
+  if (vibeClientId) {
+    headers['X-Vibe-Client-Id'] = vibeClientId;
+  }
+
+  // Sign with HMAC (same format as vibe-client: timestamp|method|endpoint)
+  if (hmacKey && vibeClientId) {
+    const stringToSign = `${timestamp}|GET|${rbacEndpoint}`;
+    const keyBuffer = base64ToUint8Array(hmacKey);
+    const signature = await hmacSha256Base64(keyBuffer, stringToSign);
     headers['X-Vibe-Timestamp'] = String(timestamp);
     headers['X-Vibe-Signature'] = signature;
   }
 
+  // Proxy body format: { endpoint, method, data }
+  const proxyBody = {
+    endpoint: rbacEndpoint,
+    method: 'GET',
+    data: null,
+  };
+
   try {
     // 2 second timeout - fail closed
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), 2000);
 
-    const response = await fetch(url.toString(), {
-      method: 'GET',
+    const response = await fetch(proxyUrl, {
+      method: 'POST',
       headers,
+      body: JSON.stringify(proxyBody),
       signal: controller.signal,
     });
 
     clearTimeout(timeoutId);
 
     if (!response.ok) {
-      console.error('[RBAC] Vibe API error:', response.status, response.statusText);
+      console.error('[RBAC] Proxy error:', response.status, response.statusText);
       return {
         allowed: false,
         reason: 'rbac_api_error',
@@ -210,7 +241,11 @@ export async function checkPagePermission(
       };
     }
 
-    const result: RBACResult = await response.json();
+    const body = await response.json();
+
+    // Vibe API wraps responses: { success: true, data: { allowed, reason, ... } }
+    // Unwrap the .data property if present, otherwise use body directly
+    const result: RBACResult = body?.data ?? body;
 
     // Cache the result
     setCachedResult(cacheKey, result);
@@ -219,7 +254,7 @@ export async function checkPagePermission(
   } catch (error: any) {
     // Fail closed on any error
     if (error.name === 'AbortError') {
-      console.error('[RBAC] Vibe API timeout (2s exceeded)');
+      console.error('[RBAC] Proxy timeout (2s exceeded)');
       return {
         allowed: false,
         reason: 'rbac_timeout',
@@ -227,7 +262,7 @@ export async function checkPagePermission(
       };
     }
 
-    console.error('[RBAC] Vibe API error:', error);
+    console.error('[RBAC] Proxy error:', error);
     return {
       allowed: false,
       reason: 'rbac_service_unavailable',