@pyreon/permissions 0.10.0 → 0.11.0

package/lib/analysis/index.js.html

@@ -5386,7 +5386,7 @@ var drawChart = (function (exports) {
   </script>
   <script>
     /*<!--*/
-    const data = {"version":2,"tree":{"name":"root","children":[{"name":"index.js","children":[{"name":"src","children":[{"uid":"3a01e622-1","name":"permissions.ts"},{"uid":"3a01e622-3","name":"context.ts"},{"uid":"3a01e622-5","name":"index.ts"}]}]}],"isRoot":true},"nodeParts":{"3a01e622-1":{"renderedLength":2621,"gzipLength":1065,"brotliLength":0,"metaUid":"3a01e622-0"},"3a01e622-3":{"renderedLength":933,"gzipLength":457,"brotliLength":0,"metaUid":"3a01e622-2"},"3a01e622-5":{"renderedLength":0,"gzipLength":0,"brotliLength":0,"metaUid":"3a01e622-4"}},"nodeMetas":{"3a01e622-0":{"id":"/src/permissions.ts","moduleParts":{"index.js":"3a01e622-1"},"imported":[{"uid":"3a01e622-6"}],"importedBy":[{"uid":"3a01e622-4"}]},"3a01e622-2":{"id":"/src/context.ts","moduleParts":{"index.js":"3a01e622-3"},"imported":[{"uid":"3a01e622-7"}],"importedBy":[{"uid":"3a01e622-4"}]},"3a01e622-4":{"id":"/src/index.ts","moduleParts":{"index.js":"3a01e622-5"},"imported":[{"uid":"3a01e622-0"},{"uid":"3a01e622-2"}],"importedBy":[],"isEntry":true},"3a01e622-6":{"id":"@pyreon/reactivity","moduleParts":{},"imported":[],"importedBy":[{"uid":"3a01e622-0"}]},"3a01e622-7":{"id":"@pyreon/core","moduleParts":{},"imported":[],"importedBy":[{"uid":"3a01e622-2"}]}},"env":{"rollup":"4.23.0"},"options":{"gzip":true,"brotli":false,"sourcemap":false}};
+    const data = {"version":2,"tree":{"name":"root","children":[{"name":"index.js","children":[{"name":"src","children":[{"uid":"54dceade-1","name":"context.ts"},{"uid":"54dceade-3","name":"permissions.ts"},{"uid":"54dceade-5","name":"index.ts"}]}]}],"isRoot":true},"nodeParts":{"54dceade-1":{"renderedLength":933,"gzipLength":457,"brotliLength":0,"metaUid":"54dceade-0"},"54dceade-3":{"renderedLength":2767,"gzipLength":1113,"brotliLength":0,"metaUid":"54dceade-2"},"54dceade-5":{"renderedLength":0,"gzipLength":0,"brotliLength":0,"metaUid":"54dceade-4"}},"nodeMetas":{"54dceade-0":{"id":"/src/context.ts","moduleParts":{"index.js":"54dceade-1"},"imported":[{"uid":"54dceade-6"}],"importedBy":[{"uid":"54dceade-4"}]},"54dceade-2":{"id":"/src/permissions.ts","moduleParts":{"index.js":"54dceade-3"},"imported":[{"uid":"54dceade-7"}],"importedBy":[{"uid":"54dceade-4"}]},"54dceade-4":{"id":"/src/index.ts","moduleParts":{"index.js":"54dceade-5"},"imported":[{"uid":"54dceade-0"},{"uid":"54dceade-2"}],"importedBy":[],"isEntry":true},"54dceade-6":{"id":"@pyreon/core","moduleParts":{},"imported":[],"importedBy":[{"uid":"54dceade-0"}]},"54dceade-7":{"id":"@pyreon/reactivity","moduleParts":{},"imported":[],"importedBy":[{"uid":"54dceade-2"}]}},"env":{"rollup":"4.23.0"},"options":{"gzip":true,"brotli":false,"sourcemap":false}};
 
     const run = () => {
       const width = window.innerWidth;

package/lib/index.js

@@ -1,22 +1,69 @@
-import { computed, signal } from "@pyreon/reactivity";
 import { createContext, provide, useContext } from "@pyreon/core";
+import { computed, signal } from "@pyreon/reactivity";
 
+//#region src/context.ts
+const PermissionsContext = createContext(null);
+/**
+* Provide a permissions instance to descendant components.
+* Use this for SSR isolation or testing — each request/test gets its own instance.
+*
+* @example
+* ```tsx
+* const can = createPermissions({ ... })
+*
+* <PermissionsProvider instance={can}>
+*   <App />
+* </PermissionsProvider>
+* ```
+*/
+function PermissionsProvider(props) {
+	provide(PermissionsContext, props.instance);
+	return props.children ?? null;
+}
+/**
+* Access the nearest permissions instance from context.
+* Must be used within a `<PermissionsProvider>`.
+*
+* @example
+* ```tsx
+* const can = usePermissions()
+* {() => can('posts.read') && <PostList />}
+* ```
+*/
+function usePermissions() {
+	const instance = useContext(PermissionsContext);
+	if (!instance) throw new Error("[@pyreon/permissions] usePermissions() must be used within <PermissionsProvider>.");
+	return instance;
+}
+
+//#endregion
 //#region src/permissions.ts
 /**
 * Resolve a permission key against the map.
 * Resolution order: exact match → wildcard (e.g., 'posts.*') → global wildcard ('*') → false.
 */
+/**
+* Safely evaluate a permission value. Predicates that throw are treated as denied.
+*/
+function evaluate(value, context) {
+	if (typeof value === "function") try {
+		return value(context);
+	} catch {
+		return false;
+	}
+	return value;
+}
 function resolve(map, key, context) {
 	const exact = map.get(key);
-	if (exact !== void 0) return typeof exact === "function" ? exact(context) : exact;
+	if (exact !== void 0) return evaluate(exact, context);
 	const dotIndex = key.lastIndexOf(".");
 	if (dotIndex !== -1) {
 		const prefix = key.slice(0, dotIndex);
 		const wildcard = map.get(`${prefix}.*`);
-		if (wildcard !== void 0) return typeof wildcard === "function" ? wildcard(context) : wildcard;
+		if (wildcard !== void 0) return evaluate(wildcard, context);
 	}
 	const global = map.get("*");
-	if (global !== void 0) return typeof global === "function" ? global(context) : global;
+	if (global !== void 0) return evaluate(global, context);
 	return false;
 }
 /**
@@ -91,42 +138,6 @@ function createPermissions(initial) {
 	return can;
 }
 
-//#endregion
-//#region src/context.ts
-const PermissionsContext = createContext(null);
-/**
-* Provide a permissions instance to descendant components.
-* Use this for SSR isolation or testing — each request/test gets its own instance.
-*
-* @example
-* ```tsx
-* const can = createPermissions({ ... })
-*
-* <PermissionsProvider instance={can}>
-*   <App />
-* </PermissionsProvider>
-* ```
-*/
-function PermissionsProvider(props) {
-	provide(PermissionsContext, props.instance);
-	return props.children ?? null;
-}
-/**
-* Access the nearest permissions instance from context.
-* Must be used within a `<PermissionsProvider>`.
-*
-* @example
-* ```tsx
-* const can = usePermissions()
-* {() => can('posts.read') && <PostList />}
-* ```
-*/
-function usePermissions() {
-	const instance = useContext(PermissionsContext);
-	if (!instance) throw new Error("[@pyreon/permissions] usePermissions() must be used within <PermissionsProvider>.");
-	return instance;
-}
-
 //#endregion
 export { PermissionsProvider, createPermissions, usePermissions };
 //# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":[],"sources":["../src/permissions.ts","../src/context.ts"],"sourcesContent":["import { computed, signal } from '@pyreon/reactivity'\nimport type { PermissionMap, PermissionValue, Permissions } from './types'\n\n/**\n * Resolve a permission key against the map.\n * Resolution order: exact match → wildcard (e.g., 'posts.*') → global wildcard ('*') → false.\n */\nfunction resolve(\n  map: Map<string, PermissionValue>,\n  key: string,\n  context?: unknown,\n): boolean {\n  // 1. Exact match\n  const exact = map.get(key)\n  if (exact !== undefined) {\n    return typeof exact === 'function' ? exact(context) : exact\n  }\n\n  // 2. Wildcard match — 'posts.read' matches 'posts.*'\n  const dotIndex = key.lastIndexOf('.')\n  if (dotIndex !== -1) {\n    const prefix = key.slice(0, dotIndex)\n    const wildcard = map.get(`${prefix}.*`)\n    if (wildcard !== undefined) {\n      return typeof wildcard === 'function' ? wildcard(context) : wildcard\n    }\n  }\n\n  // 3. Global wildcard\n  const global = map.get('*')\n  if (global !== undefined) {\n    return typeof global === 'function' ? global(context) : global\n  }\n\n  // 4. No match → denied\n  return false\n}\n\n/**\n * Create a reactive permissions instance.\n *\n * The returned `can` function checks permissions reactively —\n * reads update automatically when permissions change via `set()` or `patch()`.\n *\n * @param initial - Optional initial permission map\n * @returns A callable `Permissions` instance\n *\n * @example\n * ```tsx\n * const can = createPermissions({\n *   'posts.read': true,\n *   'posts.update': (post: Post) => post.authorId === userId(),\n *   'users.manage': false,\n * })\n *\n * // Check (reactive in effects/computeds/JSX)\n * can('posts.read')              // true\n * can('posts.update', myPost)    // evaluates predicate\n *\n * // JSX\n * {() => can('posts.delete') && <DeleteButton />}\n *\n * // Update\n * can.set({ 'posts.read': true, 'admin': true })\n * can.patch({ 'users.manage': true })\n * ```\n */\nexport function createPermissions(initial?: PermissionMap): Permissions {\n  // Internal reactive state — a signal holding the permission map\n  const store = signal(toMap(initial))\n  // Version counter — incremented on every set/patch to trigger reactive updates\n  const version = signal(0)\n\n  function toMap(obj?: PermissionMap): Map<string, PermissionValue> {\n    if (!obj) return new Map()\n    return new Map(Object.entries(obj))\n  }\n\n  // The main check function — reads `version` to subscribe in reactive contexts\n  function can(key: string, context?: unknown): boolean {\n    // Reading version subscribes this call to reactive updates\n    version()\n    return resolve(store.peek(), key, context)\n  }\n\n  can.not = (key: string, context?: unknown): boolean => {\n    return !can(key, context)\n  }\n\n  can.all = (...keys: string[]): boolean => {\n    return keys.every((key) => can(key))\n  }\n\n  can.any = (...keys: string[]): boolean => {\n    return keys.some((key) => can(key))\n  }\n\n  can.set = (permissions: PermissionMap): void => {\n    store.set(toMap(permissions))\n    version.update((v) => v + 1)\n  }\n\n  can.patch = (permissions: PermissionMap): void => {\n    const current = store.peek()\n    for (const [key, value] of Object.entries(permissions)) {\n      current.set(key, value)\n    }\n    store.set(current)\n    version.update((v) => v + 1)\n  }\n\n  can.granted = computed(() => {\n    version()\n    const keys: string[] = []\n    for (const [key, value] of store.peek()) {\n      // Static true or predicate (capability exists)\n      if (value === true || typeof value === 'function') {\n        keys.push(key)\n      }\n    }\n    return keys\n  })\n\n  can.entries = computed(() => {\n    version()\n    return [...store.peek().entries()]\n  })\n\n  return can as Permissions\n}\n","import { createContext, provide, useContext } from '@pyreon/core'\nimport type { VNodeChild } from '@pyreon/core'\nimport type { Permissions } from './types'\n\nconst PermissionsContext = createContext<Permissions | null>(null)\n\n/**\n * Provide a permissions instance to descendant components.\n * Use this for SSR isolation or testing — each request/test gets its own instance.\n *\n * @example\n * ```tsx\n * const can = createPermissions({ ... })\n *\n * <PermissionsProvider instance={can}>\n *   <App />\n * </PermissionsProvider>\n * ```\n */\nexport function PermissionsProvider(props: {\n  instance: Permissions\n  children?: VNodeChild\n}): VNodeChild {\n  provide(PermissionsContext, props.instance)\n\n  return props.children ?? null\n}\n\n/**\n * Access the nearest permissions instance from context.\n * Must be used within a `<PermissionsProvider>`.\n *\n * @example\n * ```tsx\n * const can = usePermissions()\n * {() => can('posts.read') && <PostList />}\n * ```\n */\nexport function usePermissions(): Permissions {\n  const instance = useContext(PermissionsContext)\n  if (!instance) {\n    throw new Error(\n      '[@pyreon/permissions] usePermissions() must be used within <PermissionsProvider>.',\n    )\n  }\n  return instance\n}\n"],"mappings":";;;;;;;;AAOA,SAAS,QACP,KACA,KACA,SACS;CAET,MAAM,QAAQ,IAAI,IAAI,IAAI;AAC1B,KAAI,UAAU,OACZ,QAAO,OAAO,UAAU,aAAa,MAAM,QAAQ,GAAG;CAIxD,MAAM,WAAW,IAAI,YAAY,IAAI;AACrC,KAAI,aAAa,IAAI;EACnB,MAAM,SAAS,IAAI,MAAM,GAAG,SAAS;EACrC,MAAM,WAAW,IAAI,IAAI,GAAG,OAAO,IAAI;AACvC,MAAI,aAAa,OACf,QAAO,OAAO,aAAa,aAAa,SAAS,QAAQ,GAAG;;CAKhE,MAAM,SAAS,IAAI,IAAI,IAAI;AAC3B,KAAI,WAAW,OACb,QAAO,OAAO,WAAW,aAAa,OAAO,QAAQ,GAAG;AAI1D,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCT,SAAgB,kBAAkB,SAAsC;CAEtE,MAAM,QAAQ,OAAO,MAAM,QAAQ,CAAC;CAEpC,MAAM,UAAU,OAAO,EAAE;CAEzB,SAAS,MAAM,KAAmD;AAChE,MAAI,CAAC,IAAK,wBAAO,IAAI,KAAK;AAC1B,SAAO,IAAI,IAAI,OAAO,QAAQ,IAAI,CAAC;;CAIrC,SAAS,IAAI,KAAa,SAA4B;AAEpD,WAAS;AACT,SAAO,QAAQ,MAAM,MAAM,EAAE,KAAK,QAAQ;;AAG5C,KAAI,OAAO,KAAa,YAA+B;AACrD,SAAO,CAAC,IAAI,KAAK,QAAQ;;AAG3B,KAAI,OAAO,GAAG,SAA4B;AACxC,SAAO,KAAK,OAAO,QAAQ,IAAI,IAAI,CAAC;;AAGtC,KAAI,OAAO,GAAG,SAA4B;AACxC,SAAO,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC;;AAGrC,KAAI,OAAO,gBAAqC;AAC9C,QAAM,IAAI,MAAM,YAAY,CAAC;AAC7B,UAAQ,QAAQ,MAAM,IAAI,EAAE;;AAG9B,KAAI,SAAS,gBAAqC;EAChD,MAAM,UAAU,MAAM,MAAM;AAC5B,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,YAAY,CACpD,SAAQ,IAAI,KAAK,MAAM;AAEzB,QAAM,IAAI,QAAQ;AAClB,UAAQ,QAAQ,MAAM,IAAI,EAAE;;AAG9B,KAAI,UAAU,eAAe;AAC3B,WAAS;EACT,MAAM,OAAiB,EAAE;AACzB,OAAK,MAAM,CAAC,KAAK,UAAU,MAAM,MAAM,CAErC,KAAI,UAAU,QAAQ,OAAO,UAAU,WACrC,MAAK,KAAK,IAAI;AAGlB,SAAO;GACP;AAEF,KAAI,UAAU,eAAe;AAC3B,WAAS;AACT,SAAO,CAAC,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC;GAClC;AAEF,QAAO;;;;;AC5HT,MAAM,qBAAqB,cAAkC,KAAK;;;;;;;;;;;;;;AAelE,SAAgB,oBAAoB,OAGrB;AACb,SAAQ,oBAAoB,MAAM,SAAS;AAE3C,QAAO,MAAM,YAAY;;;;;;;;;;;;AAa3B,SAAgB,iBAA8B;CAC5C,MAAM,WAAW,WAAW,mBAAmB;AAC/C,KAAI,CAAC,SACH,OAAM,IAAI,MACR,oFACD;AAEH,QAAO"}
+{"version":3,"file":"index.js","names":[],"sources":["../src/context.ts","../src/permissions.ts"],"sourcesContent":["import type { VNodeChild } from \"@pyreon/core\"\nimport { createContext, provide, useContext } from \"@pyreon/core\"\nimport type { Permissions } from \"./types\"\n\nconst PermissionsContext = createContext<Permissions | null>(null)\n\n/**\n * Provide a permissions instance to descendant components.\n * Use this for SSR isolation or testing — each request/test gets its own instance.\n *\n * @example\n * ```tsx\n * const can = createPermissions({ ... })\n *\n * <PermissionsProvider instance={can}>\n *   <App />\n * </PermissionsProvider>\n * ```\n */\nexport function PermissionsProvider(props: {\n  instance: Permissions\n  children?: VNodeChild\n}): VNodeChild {\n  provide(PermissionsContext, props.instance)\n\n  return props.children ?? null\n}\n\n/**\n * Access the nearest permissions instance from context.\n * Must be used within a `<PermissionsProvider>`.\n *\n * @example\n * ```tsx\n * const can = usePermissions()\n * {() => can('posts.read') && <PostList />}\n * ```\n */\nexport function usePermissions(): Permissions {\n  const instance = useContext(PermissionsContext)\n  if (!instance) {\n    throw new Error(\n      \"[@pyreon/permissions] usePermissions() must be used within <PermissionsProvider>.\",\n    )\n  }\n  return instance\n}\n","import { computed, signal } from \"@pyreon/reactivity\"\nimport type { PermissionMap, Permissions, PermissionValue } from \"./types\"\n\n/**\n * Resolve a permission key against the map.\n * Resolution order: exact match → wildcard (e.g., 'posts.*') → global wildcard ('*') → false.\n */\n/**\n * Safely evaluate a permission value. Predicates that throw are treated as denied.\n */\nfunction evaluate(value: PermissionValue, context?: unknown): boolean {\n  if (typeof value === \"function\") {\n    try {\n      return value(context)\n    } catch {\n      return false\n    }\n  }\n  return value\n}\n\nfunction resolve(map: Map<string, PermissionValue>, key: string, context?: unknown): boolean {\n  // 1. Exact match\n  const exact = map.get(key)\n  if (exact !== undefined) {\n    return evaluate(exact, context)\n  }\n\n  // 2. Wildcard match — 'posts.read' matches 'posts.*'\n  const dotIndex = key.lastIndexOf(\".\")\n  if (dotIndex !== -1) {\n    const prefix = key.slice(0, dotIndex)\n    const wildcard = map.get(`${prefix}.*`)\n    if (wildcard !== undefined) {\n      return evaluate(wildcard, context)\n    }\n  }\n\n  // 3. Global wildcard\n  const global = map.get(\"*\")\n  if (global !== undefined) {\n    return evaluate(global, context)\n  }\n\n  // 4. No match → denied\n  return false\n}\n\n/**\n * Create a reactive permissions instance.\n *\n * The returned `can` function checks permissions reactively —\n * reads update automatically when permissions change via `set()` or `patch()`.\n *\n * @param initial - Optional initial permission map\n * @returns A callable `Permissions` instance\n *\n * @example\n * ```tsx\n * const can = createPermissions({\n *   'posts.read': true,\n *   'posts.update': (post: Post) => post.authorId === userId(),\n *   'users.manage': false,\n * })\n *\n * // Check (reactive in effects/computeds/JSX)\n * can('posts.read')              // true\n * can('posts.update', myPost)    // evaluates predicate\n *\n * // JSX\n * {() => can('posts.delete') && <DeleteButton />}\n *\n * // Update\n * can.set({ 'posts.read': true, 'admin': true })\n * can.patch({ 'users.manage': true })\n * ```\n */\nexport function createPermissions(initial?: PermissionMap): Permissions {\n  // Internal reactive state — a signal holding the permission map\n  const store = signal(toMap(initial))\n  // Version counter — incremented on every set/patch to trigger reactive updates\n  const version = signal(0)\n\n  function toMap(obj?: PermissionMap): Map<string, PermissionValue> {\n    if (!obj) return new Map()\n    return new Map(Object.entries(obj))\n  }\n\n  // The main check function — reads `version` to subscribe in reactive contexts\n  function can(key: string, context?: unknown): boolean {\n    // Reading version subscribes this call to reactive updates\n    version()\n    return resolve(store.peek(), key, context)\n  }\n\n  can.not = (key: string, context?: unknown): boolean => {\n    return !can(key, context)\n  }\n\n  can.all = (...keys: string[]): boolean => {\n    return keys.every((key) => can(key))\n  }\n\n  can.any = (...keys: string[]): boolean => {\n    return keys.some((key) => can(key))\n  }\n\n  can.set = (permissions: PermissionMap): void => {\n    store.set(toMap(permissions))\n    version.update((v) => v + 1)\n  }\n\n  can.patch = (permissions: PermissionMap): void => {\n    const current = store.peek()\n    for (const [key, value] of Object.entries(permissions)) {\n      current.set(key, value)\n    }\n    store.set(current)\n    version.update((v) => v + 1)\n  }\n\n  can.granted = computed(() => {\n    version()\n    const keys: string[] = []\n    for (const [key, value] of store.peek()) {\n      // Static true or predicate (capability exists)\n      if (value === true || typeof value === \"function\") {\n        keys.push(key)\n      }\n    }\n    return keys\n  })\n\n  can.entries = computed(() => {\n    version()\n    return [...store.peek().entries()]\n  })\n\n  return can as Permissions\n}\n"],"mappings":";;;;AAIA,MAAM,qBAAqB,cAAkC,KAAK;;;;;;;;;;;;;;AAelE,SAAgB,oBAAoB,OAGrB;AACb,SAAQ,oBAAoB,MAAM,SAAS;AAE3C,QAAO,MAAM,YAAY;;;;;;;;;;;;AAa3B,SAAgB,iBAA8B;CAC5C,MAAM,WAAW,WAAW,mBAAmB;AAC/C,KAAI,CAAC,SACH,OAAM,IAAI,MACR,oFACD;AAEH,QAAO;;;;;;;;;;;;ACnCT,SAAS,SAAS,OAAwB,SAA4B;AACpE,KAAI,OAAO,UAAU,WACnB,KAAI;AACF,SAAO,MAAM,QAAQ;SACf;AACN,SAAO;;AAGX,QAAO;;AAGT,SAAS,QAAQ,KAAmC,KAAa,SAA4B;CAE3F,MAAM,QAAQ,IAAI,IAAI,IAAI;AAC1B,KAAI,UAAU,OACZ,QAAO,SAAS,OAAO,QAAQ;CAIjC,MAAM,WAAW,IAAI,YAAY,IAAI;AACrC,KAAI,aAAa,IAAI;EACnB,MAAM,SAAS,IAAI,MAAM,GAAG,SAAS;EACrC,MAAM,WAAW,IAAI,IAAI,GAAG,OAAO,IAAI;AACvC,MAAI,aAAa,OACf,QAAO,SAAS,UAAU,QAAQ;;CAKtC,MAAM,SAAS,IAAI,IAAI,IAAI;AAC3B,KAAI,WAAW,OACb,QAAO,SAAS,QAAQ,QAAQ;AAIlC,QAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCT,SAAgB,kBAAkB,SAAsC;CAEtE,MAAM,QAAQ,OAAO,MAAM,QAAQ,CAAC;CAEpC,MAAM,UAAU,OAAO,EAAE;CAEzB,SAAS,MAAM,KAAmD;AAChE,MAAI,CAAC,IAAK,wBAAO,IAAI,KAAK;AAC1B,SAAO,IAAI,IAAI,OAAO,QAAQ,IAAI,CAAC;;CAIrC,SAAS,IAAI,KAAa,SAA4B;AAEpD,WAAS;AACT,SAAO,QAAQ,MAAM,MAAM,EAAE,KAAK,QAAQ;;AAG5C,KAAI,OAAO,KAAa,YAA+B;AACrD,SAAO,CAAC,IAAI,KAAK,QAAQ;;AAG3B,KAAI,OAAO,GAAG,SAA4B;AACxC,SAAO,KAAK,OAAO,QAAQ,IAAI,IAAI,CAAC;;AAGtC,KAAI,OAAO,GAAG,SAA4B;AACxC,SAAO,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC;;AAGrC,KAAI,OAAO,gBAAqC;AAC9C,QAAM,IAAI,MAAM,YAAY,CAAC;AAC7B,UAAQ,QAAQ,MAAM,IAAI,EAAE;;AAG9B,KAAI,SAAS,gBAAqC;EAChD,MAAM,UAAU,MAAM,MAAM;AAC5B,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,YAAY,CACpD,SAAQ,IAAI,KAAK,MAAM;AAEzB,QAAM,IAAI,QAAQ;AAClB,UAAQ,QAAQ,MAAM,IAAI,EAAE;;AAG9B,KAAI,UAAU,eAAe;AAC3B,WAAS;EACT,MAAM,OAAiB,EAAE;AACzB,OAAK,MAAM,CAAC,KAAK,UAAU,MAAM,MAAM,CAErC,KAAI,UAAU,QAAQ,OAAO,UAAU,WACrC,MAAK,KAAK,IAAI;AAGlB,SAAO;GACP;AAEF,KAAI,UAAU,eAAe;AAC3B,WAAS;AACT,SAAO,CAAC,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC;GAClC;AAEF,QAAO"}

package/lib/types/index.d.ts

@@ -1,5 +1,5 @@
-import { Computed } from "@pyreon/reactivity";
 import { VNodeChild } from "@pyreon/core";
+import { Computed } from "@pyreon/reactivity";
 
 //#region src/types.d.ts
 /**
@@ -103,6 +103,36 @@ interface Permissions {
   entries: Computed<[string, PermissionValue][]>;
 }
 //#endregion
+//#region src/context.d.ts
+/**
+ * Provide a permissions instance to descendant components.
+ * Use this for SSR isolation or testing — each request/test gets its own instance.
+ *
+ * @example
+ * ```tsx
+ * const can = createPermissions({ ... })
+ *
+ * <PermissionsProvider instance={can}>
+ *   <App />
+ * </PermissionsProvider>
+ * ```
+ */
+declare function PermissionsProvider(props: {
+  instance: Permissions;
+  children?: VNodeChild;
+}): VNodeChild;
+/**
+ * Access the nearest permissions instance from context.
+ * Must be used within a `<PermissionsProvider>`.
+ *
+ * @example
+ * ```tsx
+ * const can = usePermissions()
+ * {() => can('posts.read') && <PostList />}
+ * ```
+ */
+declare function usePermissions(): Permissions;
+//#endregion
 //#region src/permissions.d.ts
 /**
  * Create a reactive permissions instance.
@@ -135,35 +165,5 @@ interface Permissions {
  */
 declare function createPermissions(initial?: PermissionMap): Permissions;
 //#endregion
-//#region src/context.d.ts
-/**
- * Provide a permissions instance to descendant components.
- * Use this for SSR isolation or testing — each request/test gets its own instance.
- *
- * @example
- * ```tsx
- * const can = createPermissions({ ... })
- *
- * <PermissionsProvider instance={can}>
- *   <App />
- * </PermissionsProvider>
- * ```
- */
-declare function PermissionsProvider(props: {
-  instance: Permissions;
-  children?: VNodeChild;
-}): VNodeChild;
-/**
- * Access the nearest permissions instance from context.
- * Must be used within a `<PermissionsProvider>`.
- *
- * @example
- * ```tsx
- * const can = usePermissions()
- * {() => can('posts.read') && <PostList />}
- * ```
- */
-declare function usePermissions(): Permissions;
-//#endregion
 export { type PermissionMap, type PermissionPredicate, type PermissionValue, type Permissions, PermissionsProvider, createPermissions, usePermissions };
 //# sourceMappingURL=index2.d.ts.map

package/lib/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index2.d.ts","names":[],"sources":["../../../src/types.ts","../../../src/permissions.ts","../../../src/context.ts"],"mappings":";;;;;;;AAQA;KAAY,mBAAA,wBACV,OAAA,GAAU,QAAA;;;;;;KAQA,eAAA,iCAER,mBAAA,CAAoB,QAAA;;AAFxB;;;;KAWY,aAAA,GAAgB,MAAA,SAAe,eAAA;;;;;UAQ1B,WAAA;EARQ;;;;AAQzB;;;;;;;;;;EARyB,CAuBtB,GAAA,UAAa,OAAA;EAAA;;;;;;;;EAUd,GAAA,GAAM,GAAA,UAAa,OAAA;EA8BA;;;;;;;;EApBnB,GAAA,MAAS,IAAA;EAiDkB;;;;;;ACrD7B;;EDcE,GAAA,MAAS,IAAA;ECd4D;;;;;;;;EDwBrE,GAAA,GAAM,WAAA,EAAa,aAAA;EExEL;;;;;;;;;EFmFd,KAAA,GAAQ,WAAA,EAAa,aAAA;EEjFrB;;;;;;AAiBF;;;;EF4EE,OAAA,EAAS,QAAA;;;;;EAMT,OAAA,EAAS,QAAA,UAAkB,eAAA;AAAA;;;;;;AAhH7B;;;;;;;;;AASA;;;;;;;;;AAWA;;;;;AAQA;;;iBC+BgB,iBAAA,CAAkB,OAAA,GAAU,aAAA,GAAgB,WAAA;;;;;AD3D5D;;;;;;;;;AASA;;iBEEgB,mBAAA,CAAoB,KAAA;EAClC,QAAA,EAAU,WAAA;EACV,QAAA,GAAW,UAAA;AAAA,IACT,UAAA;;;;AFMJ;;;;;AAQA;;iBEEgB,cAAA,CAAA,GAAkB,WAAA"}
+{"version":3,"file":"index2.d.ts","names":[],"sources":["../../../src/types.ts","../../../src/context.ts","../../../src/permissions.ts"],"mappings":";;;;;;;AAQA;KAAY,mBAAA,wBAA2C,OAAA,GAAU,QAAA;;;;;;KAOrD,eAAA,iCAAgD,mBAAA,CAAoB,QAAA;;AAAhF;;;;KASY,aAAA,GAAgB,MAAA,SAAe,eAAA;;;;;UAQ1B,WAAA;EARQ;;;;AAQzB;;;;;;;;;;EARyB,CAuBtB,GAAA,UAAa,OAAA;EAAA;;;;;;;;EAUd,GAAA,GAAM,GAAA,UAAa,OAAA;EA8BA;;;;;;;;EApBnB,GAAA,MAAS,IAAA;EAiDkB;;;;;;ACjG7B;;ED0DE,GAAA,MAAS,IAAA;ECzDC;;;;;;;;EDmEV,GAAA,GAAM,WAAA,EAAa,aAAA;ECpEe;;;;AAmBpC;;;;;ED4DE,KAAA,GAAQ,WAAA,EAAa,aAAA;;;AErBvB;;;;;;;;EFiCE,OAAA,EAAS,QAAA;;;;;EAMT,OAAA,EAAS,QAAA,UAAkB,eAAA;AAAA;;;;;AA5G7B;;;;;;;;;AAOA;;iBCIgB,mBAAA,CAAoB,KAAA;EAClC,QAAA,EAAU,WAAA;EACV,QAAA,GAAW,UAAA;AAAA,IACT,UAAA;;;;ADEJ;;;;;AAQA;;iBCMgB,cAAA,CAAA,GAAkB,WAAA;;;;;;AD9BlC;;;;;;;;;AAOA;;;;;;;;;AASA;;;;;AAQA;;;iBE6CgB,iBAAA,CAAkB,OAAA,GAAU,aAAA,GAAgB,WAAA"}

package/package.json

@@ -1,16 +1,16 @@
 {
   "name": "@pyreon/permissions",
-  "version": "0.10.0",
+  "version": "0.11.0",
   "description": "Reactive permissions for Pyreon — type-safe, signal-driven, universal",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/pyreon/fundamentals.git",
-    "directory": "packages/permissions"
+    "url": "https://github.com/pyreon/pyreon.git",
+    "directory": "packages/fundamentals/permissions"
   },
   "homepage": "https://github.com/pyreon/fundamentals/tree/main/packages/permissions#readme",
   "bugs": {
-    "url": "https://github.com/pyreon/fundamentals/issues"
+    "url": "https://github.com/pyreon/pyreon/issues"
   },
   "publishConfig": {
     "access": "public"
@@ -37,10 +37,17 @@
     "build": "vl_rolldown_build",
     "dev": "vl_rolldown_build-watch",
     "test": "vitest run",
-    "typecheck": "tsc --noEmit"
+    "typecheck": "tsc --noEmit",
+    "lint": "biome check ."
   },
   "peerDependencies": {
-    "@pyreon/core": ">=0.7.0 <0.8.0",
-    "@pyreon/reactivity": ">=0.7.0 <0.8.0"
+    "@pyreon/core": "^0.11.0",
+    "@pyreon/reactivity": "^0.11.0"
+  },
+  "devDependencies": {
+    "@happy-dom/global-registrator": "^20.8.3",
+    "@pyreon/core": "^0.11.0",
+    "@pyreon/reactivity": "^0.11.0",
+    "@vitus-labs/tools-lint": "^1.11.0"
   }
 }

package/src/context.ts

@@ -1,6 +1,6 @@
-import { createContext, provide, useContext } from '@pyreon/core'
-import type { VNodeChild } from '@pyreon/core'
-import type { Permissions } from './types'
+import type { VNodeChild } from "@pyreon/core"
+import { createContext, provide, useContext } from "@pyreon/core"
+import type { Permissions } from "./types"
 
 const PermissionsContext = createContext<Permissions | null>(null)
 
@@ -40,7 +40,7 @@ export function usePermissions(): Permissions {
   const instance = useContext(PermissionsContext)
   if (!instance) {
     throw new Error(
-      '[@pyreon/permissions] usePermissions() must be used within <PermissionsProvider>.',
+      "[@pyreon/permissions] usePermissions() must be used within <PermissionsProvider>.",
     )
   }
   return instance

package/src/index.ts

@@ -23,13 +23,13 @@
  * ```
  */
 
-export { createPermissions } from './permissions'
-export { PermissionsProvider, usePermissions } from './context'
+export { PermissionsProvider, usePermissions } from "./context"
+export { createPermissions } from "./permissions"
 
 // Types
 export type {
   PermissionMap,
   PermissionPredicate,
-  PermissionValue,
   Permissions,
-} from './types'
+  PermissionValue,
+} from "./types"

package/src/permissions.ts

@@ -1,35 +1,45 @@
-import { computed, signal } from '@pyreon/reactivity'
-import type { PermissionMap, PermissionValue, Permissions } from './types'
+import { computed, signal } from "@pyreon/reactivity"
+import type { PermissionMap, Permissions, PermissionValue } from "./types"
 
 /**
  * Resolve a permission key against the map.
  * Resolution order: exact match → wildcard (e.g., 'posts.*') → global wildcard ('*') → false.
  */
-function resolve(
-  map: Map<string, PermissionValue>,
-  key: string,
-  context?: unknown,
-): boolean {
+/**
+ * Safely evaluate a permission value. Predicates that throw are treated as denied.
+ */
+function evaluate(value: PermissionValue, context?: unknown): boolean {
+  if (typeof value === "function") {
+    try {
+      return value(context)
+    } catch {
+      return false
+    }
+  }
+  return value
+}
+
+function resolve(map: Map<string, PermissionValue>, key: string, context?: unknown): boolean {
   // 1. Exact match
   const exact = map.get(key)
   if (exact !== undefined) {
-    return typeof exact === 'function' ? exact(context) : exact
+    return evaluate(exact, context)
   }
 
   // 2. Wildcard match — 'posts.read' matches 'posts.*'
-  const dotIndex = key.lastIndexOf('.')
+  const dotIndex = key.lastIndexOf(".")
   if (dotIndex !== -1) {
     const prefix = key.slice(0, dotIndex)
     const wildcard = map.get(`${prefix}.*`)
     if (wildcard !== undefined) {
-      return typeof wildcard === 'function' ? wildcard(context) : wildcard
+      return evaluate(wildcard, context)
     }
   }
 
   // 3. Global wildcard
-  const global = map.get('*')
+  const global = map.get("*")
   if (global !== undefined) {
-    return typeof global === 'function' ? global(context) : global
+    return evaluate(global, context)
   }
 
   // 4. No match → denied
@@ -114,7 +124,7 @@ export function createPermissions(initial?: PermissionMap): Permissions {
     const keys: string[] = []
     for (const [key, value] of store.peek()) {
       // Static true or predicate (capability exists)
-      if (value === true || typeof value === 'function') {
+      if (value === true || typeof value === "function") {
         keys.push(key)
       }
     }