npm - @stackwright-pro/auth - Versions diffs - 0.2.0-alpha.13 → 0.2.0-alpha.15 - Mend

@stackwright-pro/auth 0.2.0-alpha.13 → 0.2.0-alpha.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/client.mjs ADDED Viewed

@@ -0,0 +1,334 @@
+"use client";
+import { createContext, useContext, useMemo } from 'react';
+import { jsx } from 'react/jsx-runtime';
+var AuthContext = createContext(null);
+function useAuth() {
+  const context = useContext(AuthContext);
+  if (!context) {
+    throw new Error("useAuth must be used within AuthProvider");
+  }
+  return context;
+}
+function useRequireAuth() {
+  const auth = useAuth();
+  if (!auth.isAuthenticated) {
+    console.warn("useRequireAuth: User is not authenticated");
+    return null;
+  }
+  return auth;
+}
+// src/rbac/rbac-engine.ts
+var RBACEngine = class {
+  config;
+  rolePermissions;
+  constructor(config) {
+    this.config = config;
+    this.rolePermissions = this.buildRolePermissionMap();
+  }
+  /**
+   * Build internal map of role → permissions for fast lookups
+   */
+  buildRolePermissionMap() {
+    const map = /* @__PURE__ */ new Map();
+    for (const role of this.config.roles) {
+      map.set(role.name, new Set(role.permissions || []));
+    }
+    return map;
+  }
+  /**
+   * Check if user has a specific role
+   */
+  hasRole(user, role) {
+    return user.roles.includes(role);
+  }
+  /**
+   * Check if user has any of the specified roles
+   */
+  hasAnyRole(user, roles) {
+    return roles.some((role) => this.hasRole(user, role));
+  }
+  /**
+   * Check if user has all of the specified roles
+   */
+  hasAllRoles(user, roles) {
+    return roles.every((role) => this.hasRole(user, role));
+  }
+  /**
+   * Check if user has a specific permission
+   * Permissions are checked both:
+   * 1. Directly in user.permissions array
+   * 2. Through role-based permissions from config
+   */
+  hasPermission(user, permission) {
+    if (user.permissions?.includes(permission)) {
+      return true;
+    }
+    for (const role of user.roles) {
+      const permissions = this.rolePermissions.get(role);
+      if (permissions?.has(permission)) {
+        return true;
+      }
+      if (permissions) {
+        for (const p of permissions) {
+          if (p.endsWith(":*")) {
+            const prefix = p.slice(0, -1);
+            if (permission.startsWith(prefix)) {
+              return true;
+            }
+          }
+        }
+      }
+    }
+    return false;
+  }
+  /**
+   * Check if user has any of the specified permissions
+   */
+  hasAnyPermission(user, permissions) {
+    return permissions.some((permission) => this.hasPermission(user, permission));
+  }
+  /**
+   * Check if user has all of the specified permissions
+   */
+  hasAllPermissions(user, permissions) {
+    return permissions.every((permission) => this.hasPermission(user, permission));
+  }
+  /**
+   * Check if route is public (no auth required)
+   */
+  isPublicRoute(path) {
+    if (!this.config.public_routes) {
+      return false;
+    }
+    return this.config.public_routes.some((publicPath) => {
+      return this.matchPath(path, publicPath);
+    });
+  }
+  /**
+   * Check if user can access a route based on protected_routes config
+   */
+  canAccessRoute(user, path) {
+    if (this.isPublicRoute(path)) {
+      return true;
+    }
+    if (!user) {
+      return false;
+    }
+    if (!this.config.protected_routes || this.config.protected_routes.length === 0) {
+      return true;
+    }
+    const matchingRoute = this.config.protected_routes.find((route) => {
+      return this.matchPath(path, route.path);
+    });
+    if (!matchingRoute) {
+      return true;
+    }
+    return this.hasAnyRole(user, matchingRoute.roles);
+  }
+  /**
+   * Check if user can access a component based on component auth config
+   */
+  canAccessComponent(user, authConfig) {
+    if (!authConfig) {
+      return true;
+    }
+    if (!user) {
+      return false;
+    }
+    if (authConfig.required_roles && authConfig.required_roles.length > 0) {
+      if (!this.hasAnyRole(user, authConfig.required_roles)) {
+        return false;
+      }
+    }
+    if (authConfig.required_permissions && authConfig.required_permissions.length > 0) {
+      if (!this.hasAllPermissions(user, authConfig.required_permissions)) {
+        return false;
+      }
+    }
+    return true;
+  }
+  // Match a path against a pattern with wildcard support
+  matchPath(path, pattern) {
+    if (path === pattern) {
+      return true;
+    }
+    if (!pattern.includes("*")) {
+      return false;
+    }
+    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    const regex = new RegExp(`^${escaped}$`);
+    return regex.test(path);
+  }
+};
+function AuthProvider({
+  user,
+  session,
+  rbacConfig,
+  isLoading = false,
+  children
+}) {
+  const rbac = useMemo(() => new RBACEngine(rbacConfig), [rbacConfig]);
+  const value = useMemo(
+    () => ({
+      user,
+      session,
+      isAuthenticated: user !== null,
+      isLoading,
+      hasRole: (role) => {
+        if (!user) return false;
+        return rbac.hasRole(user, role);
+      },
+      hasPermission: (permission) => {
+        if (!user) return false;
+        return rbac.hasPermission(user, permission);
+      },
+      hasAnyRole: (roles) => {
+        if (!user) return false;
+        return rbac.hasAnyRole(user, roles);
+      },
+      hasAllPermissions: (permissions) => {
+        if (!user) return false;
+        return rbac.hasAllPermissions(user, permissions);
+      }
+    }),
+    [user, session, isLoading, rbac]
+  );
+  return /* @__PURE__ */ jsx(AuthContext.Provider, { value, children });
+}
+var FallbackComponents = {
+  /**
+   * Hide component (render nothing)
+   */
+  hide: () => null,
+  /**
+   * Show placeholder message
+   */
+  placeholder: ({ className }) => /* @__PURE__ */ jsx(
+    "div",
+    {
+      className: className || "auth-placeholder",
+      style: {
+        padding: "1rem",
+        border: "1px dashed #ccc",
+        borderRadius: "4px",
+        color: "#666",
+        fontStyle: "italic",
+        textAlign: "center"
+      },
+      children: "Content requires authorization"
+    }
+  ),
+  /**
+   * Show custom message
+   */
+  message: ({ message, className }) => /* @__PURE__ */ jsx(
+    "div",
+    {
+      className: className || "auth-message",
+      style: {
+        padding: "1rem",
+        border: "1px solid #f0ad4e",
+        borderRadius: "4px",
+        backgroundColor: "#fcf8e3",
+        color: "#8a6d3b"
+      },
+      children: message || "Unauthorized"
+    }
+  )
+};
+function withAuth(Component, authConfig) {
+  if (!authConfig) {
+    return Component;
+  }
+  const WrappedComponent = (props) => {
+    const auth = useAuth();
+    if (authConfig.required_roles && authConfig.required_roles.length > 0) {
+      if (!auth.hasAnyRole(authConfig.required_roles)) {
+        return renderFallback(authConfig);
+      }
+    }
+    if (authConfig.required_permissions && authConfig.required_permissions.length > 0) {
+      if (!auth.hasAllPermissions(authConfig.required_permissions)) {
+        return renderFallback(authConfig);
+      }
+    }
+    return /* @__PURE__ */ jsx(Component, { ...props });
+  };
+  const componentName = Component.displayName || Component.name || "Component";
+  WrappedComponent.displayName = `withAuth(${componentName})`;
+  return WrappedComponent;
+}
+function renderFallback(authConfig) {
+  const fallbackType = authConfig.fallback || "hide";
+  switch (fallbackType) {
+    case "hide":
+      return FallbackComponents.hide();
+    case "placeholder":
+      return FallbackComponents.placeholder({});
+    case "message":
+      return FallbackComponents.message({
+        message: authConfig.fallback_message
+      });
+    default:
+      return null;
+  }
+}
+function withAuthFallback(Component, authConfig, FallbackComponent) {
+  const WrappedComponent = (props) => {
+    const auth = useAuth();
+    const isAuthorized = checkAuthorization(auth, authConfig);
+    if (!isAuthorized) {
+      return /* @__PURE__ */ jsx(FallbackComponent, {});
+    }
+    return /* @__PURE__ */ jsx(Component, { ...props });
+  };
+  const componentName = Component.displayName || Component.name || "Component";
+  WrappedComponent.displayName = `withAuthFallback(${componentName})`;
+  return WrappedComponent;
+}
+function checkAuthorization(auth, authConfig) {
+  if (authConfig.required_roles && authConfig.required_roles.length > 0) {
+    if (!auth.hasAnyRole(authConfig.required_roles)) {
+      return false;
+    }
+  }
+  if (authConfig.required_permissions && authConfig.required_permissions.length > 0) {
+    if (!auth.hasAllPermissions(authConfig.required_permissions)) {
+      return false;
+    }
+  }
+  return true;
+}
+// src/registration.ts
+var authDecoratorRegistry = {
+  decorator: null
+};
+function registerAuthDecorator() {
+  authDecoratorRegistry.decorator = withAuth;
+  if (typeof window !== "undefined" && window.__STACKWRIGHT_DEBUG__) {
+    console.log("\u{1F510} Auth decorator registered");
+  }
+}
+function getAuthDecorator() {
+  return authDecoratorRegistry.decorator;
+}
+function maybeWrapWithAuth(Component, authConfig) {
+  const decorator = getAuthDecorator();
+  if (!decorator || !authConfig) {
+    return Component;
+  }
+  return decorator(Component, authConfig);
+}
+function hasAuthConfig(item) {
+  if (!item || typeof item !== "object") {
+    return false;
+  }
+  return "auth" in item;
+}
+export { AuthContext, AuthProvider, getAuthDecorator, hasAuthConfig, maybeWrapWithAuth, registerAuthDecorator, useAuth, useRequireAuth, withAuth, withAuthFallback };
+//# sourceMappingURL=client.mjs.map
+//# sourceMappingURL=client.mjs.map

package/dist/client.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/context/AuthContext.tsx","../src/rbac/rbac-engine.ts","../src/context/AuthProvider.tsx","../src/decorators/withAuth.tsx","../src/registration.ts"],"names":["jsx"],"mappings":";;;AAmDO,IAAM,WAAA,GAAc,cAAuC,IAAI;AAM/D,SAAS,OAAA,GAA4B;AAC1C,EAAA,MAAM,OAAA,GAAU,WAAW,WAAW,CAAA;AAEtC,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,EAC5D;AAEA,EAAA,OAAO,OAAA;AACT;AAMO,SAAS,cAAA,GAA0C;AACxD,EAAA,MAAM,OAAO,OAAA,EAAQ;AAErB,EAAA,IAAI,CAAC,KAAK,eAAA,EAAiB;AACzB,IAAA,OAAA,CAAQ,KAAK,2CAA2C,CAAA;AACxD,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,OAAO,IAAA;AACT;;;AC3EO,IAAM,aAAN,MAAiB;AAAA,EACd,MAAA;AAAA,EACA,eAAA;AAAA,EAER,YAAY,MAAA,EAAoB;AAC9B,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,eAAA,GAAkB,KAAK,sBAAA,EAAuB;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA,EAKQ,sBAAA,GAAmD;AACzD,IAAA,MAAM,GAAA,uBAAU,GAAA,EAAyB;AAEzC,IAAA,KAAA,MAAW,IAAA,IAAQ,IAAA,CAAK,MAAA,CAAO,KAAA,EAAO;AACpC,MAAA,GAAA,CAAI,GAAA,CAAI,KAAK,IAAA,EAAM,IAAI,IAAI,IAAA,CAAK,WAAA,IAAe,EAAE,CAAC,CAAA;AAAA,IACpD;AAEA,IAAA,OAAO,GAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,OAAA,CAAQ,MAAgB,IAAA,EAAuB;AAC7C,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,QAAA,CAAS,IAAI,CAAA;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,CAAW,MAAgB,KAAA,EAA0B;AACnD,IAAA,OAAO,KAAA,CAAM,KAAK,CAAC,IAAA,KAAS,KAAK,OAAA,CAAQ,IAAA,EAAM,IAAI,CAAC,CAAA;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,CAAY,MAAgB,KAAA,EAA0B;AACpD,IAAA,OAAO,KAAA,CAAM,MAAM,CAAC,IAAA,KAAS,KAAK,OAAA,CAAQ,IAAA,EAAM,IAAI,CAAC,CAAA;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,aAAA,CAAc,MAAgB,UAAA,EAA6B;AAEzD,IAAA,IAAI,IAAA,CAAK,WAAA,EAAa,QAAA,CAAS,UAAU,CAAA,EAAG;AAC1C,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,KAAA,MAAW,IAAA,IAAQ,KAAK,KAAA,EAAO;AAC7B,MAAA,MAAM,WAAA,GAAc,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,IAAI,CAAA;AACjD,MAAA,IAAI,WAAA,EAAa,GAAA,CAAI,UAAU,CAAA,EAAG;AAChC,QAAA,OAAO,IAAA;AAAA,MACT;AAGA,MAAA,IAAI,WAAA,EAAa;AACf,QAAA,KAAA,MAAW,KAAK,WAAA,EAAa;AAC3B,UAAA,IAAI,CAAA,CAAE,QAAA,CAAS,IAAI,CAAA,EAAG;AACpB,YAAA,MAAM,MAAA,GAAS,CAAA,CAAE,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAC5B,YAAA,IAAI,UAAA,CAAW,UAAA,CAAW,MAAM,CAAA,EAAG;AACjC,cAAA,OAAO,IAAA;AAAA,YACT;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAA,CAAiB,MAAgB,WAAA,EAAgC;AAC/D,IAAA,OAAO,WAAA,CAAY,KAAK,CAAC,UAAA,KAAe,KAAK,aAAA,CAAc,IAAA,EAAM,UAAU,CAAC,CAAA;AAAA,EAC9E;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAA,CAAkB,MAAgB,WAAA,EAAgC;AAChE,IAAA,OAAO,WAAA,CAAY,MAAM,CAAC,UAAA,KAAe,KAAK,aAAA,CAAc,IAAA,EAAM,UAAU,CAAC,CAAA;AAAA,EAC/E;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,IAAA,EAAuB;AACnC,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,aAAA,EAAe;AAC9B,MAAA,OAAO,KAAA;AAAA,IACT;AAEA,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,IAAA,CAAK,CAAC,UAAA,KAAe;AACpD,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,UAAU,CAAA;AAAA,IACxC,CAAC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,cAAA,CAAe,MAAuB,IAAA,EAAuB;AAE3D,IAAA,IAAI,IAAA,CAAK,aAAA,CAAc,IAAI,CAAA,EAAG;AAC5B,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,IAAI,CAAC,KAAK,MAAA,CAAO,gBAAA,IAAoB,KAAK,MAAA,CAAO,gBAAA,CAAiB,WAAW,CAAA,EAAG;AAC9E,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,MAAM,gBAAgB,IAAA,CAAK,MAAA,CAAO,gBAAA,CAAiB,IAAA,CAAK,CAAC,KAAA,KAAU;AACjE,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,IAAA,EAAM,KAAA,CAAM,IAAI,CAAA;AAAA,IACxC,CAAC,CAAA;AAGD,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,IAAA,EAAM,aAAA,CAAc,KAAK,CAAA;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAA,CAAmB,MAAuB,UAAA,EAAsD;AAE9F,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO,KAAA;AAAA,IACT;AAGA,IAAA,IAAI,UAAA,CAAW,cAAA,IAAkB,UAAA,CAAW,cAAA,CAAe,SAAS,CAAA,EAAG;AACrE,MAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,EAAM,UAAA,CAAW,cAAc,CAAA,EAAG;AACrD,QAAA,OAAO,KAAA;AAAA,MACT;AAAA,IACF;AAGA,IAAA,IAAI,UAAA,CAAW,oBAAA,IAAwB,UAAA,CAAW,oBAAA,CAAqB,SAAS,CAAA,EAAG;AACjF,MAAA,IAAI,CAAC,IAAA,CAAK,iBAAA,CAAkB,IAAA,EAAM,UAAA,CAAW,oBAAoB,CAAA,EAAG;AAClE,QAAA,OAAO,KAAA;AAAA,MACT;AAAA,IACF;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA,EAGQ,SAAA,CAAU,MAAc,OAAA,EAA0B;AAExD,IAAA,IAAI,SAAS,OAAA,EAAS;AACpB,MAAA,OAAO,IAAA;AAAA,IACT;AAGA,IAAA,IAAI,CAAC,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG;AAC1B,MAAA,OAAO,KAAA;AAAA,IACT;AAIA,IAAA,MAAM,OAAA,GAAU,QACb,OAAA,CAAQ,oBAAA,EAAsB,MAAM,CAAA,CACpC,OAAA,CAAQ,OAAO,IAAI,CAAA;AAEtB,IAAA,MAAM,KAAA,GAAQ,IAAI,MAAA,CAAO,CAAA,CAAA,EAAI,OAAO,CAAA,CAAA,CAAG,CAAA;AACvC,IAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AAAA,EACxB;AACF,CAAA;ACzJO,SAAS,YAAA,CAAa;AAAA,EAC3B,IAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA,GAAY,KAAA;AAAA,EACZ;AACF,CAAA,EAAoC;AAElC,EAAA,MAAM,IAAA,GAAO,QAAQ,MAAM,IAAI,WAAW,UAAU,CAAA,EAAG,CAAC,UAAU,CAAC,CAAA;AAGnE,EAAA,MAAM,KAAA,GAA0B,OAAA;AAAA,IAC9B,OAAO;AAAA,MACL,IAAA;AAAA,MACA,OAAA;AAAA,MACA,iBAAiB,IAAA,KAAS,IAAA;AAAA,MAC1B,SAAA;AAAA,MAEA,OAAA,EAAS,CAAC,IAAA,KAAiB;AACzB,QAAA,IAAI,CAAC,MAAM,OAAO,KAAA;AAClB,QAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,EAAM,IAAI,CAAA;AAAA,MAChC,CAAA;AAAA,MAEA,aAAA,EAAe,CAAC,UAAA,KAAuB;AACrC,QAAA,IAAI,CAAC,MAAM,OAAO,KAAA;AAClB,QAAA,OAAO,IAAA,CAAK,aAAA,CAAc,IAAA,EAAM,UAAU,CAAA;AAAA,MAC5C,CAAA;AAAA,MAEA,UAAA,EAAY,CAAC,KAAA,KAAoB;AAC/B,QAAA,IAAI,CAAC,MAAM,OAAO,KAAA;AAClB,QAAA,OAAO,IAAA,CAAK,UAAA,CAAW,IAAA,EAAM,KAAK,CAAA;AAAA,MACpC,CAAA;AAAA,MAEA,iBAAA,EAAmB,CAAC,WAAA,KAA0B;AAC5C,QAAA,IAAI,CAAC,MAAM,OAAO,KAAA;AAClB,QAAA,OAAO,IAAA,CAAK,iBAAA,CAAkB,IAAA,EAAM,WAAW,CAAA;AAAA,MACjD;AAAA,KACF,CAAA;AAAA,IACA,CAAC,IAAA,EAAM,OAAA,EAAS,SAAA,EAAW,IAAI;AAAA,GACjC;AAEA,EAAA,uBAAO,GAAA,CAAC,WAAA,CAAY,QAAA,EAAZ,EAAqB,OAAe,QAAA,EAAS,CAAA;AACvD;AC7DA,IAAM,kBAAA,GAAqB;AAAA;AAAA;AAAA;AAAA,EAIzB,MAAM,MAAM,IAAA;AAAA;AAAA;AAAA;AAAA,EAKZ,WAAA,EAAa,CAAC,EAAE,SAAA,uBACdA,GAAAA;AAAA,IAAC,KAAA;AAAA,IAAA;AAAA,MACC,WAAW,SAAA,IAAa,kBAAA;AAAA,MACxB,KAAA,EAAO;AAAA,QACL,OAAA,EAAS,MAAA;AAAA,QACT,MAAA,EAAQ,iBAAA;AAAA,QACR,YAAA,EAAc,KAAA;AAAA,QACd,KAAA,EAAO,MAAA;AAAA,QACP,SAAA,EAAW,QAAA;AAAA,QACX,SAAA,EAAW;AAAA,OACb;AAAA,MACD,QAAA,EAAA;AAAA;AAAA,GAED;AAAA;AAAA;AAAA;AAAA,EAMF,SAAS,CAAC,EAAE,OAAA,EAAS,SAAA,uBACnBA,GAAAA;AAAA,IAAC,KAAA;AAAA,IAAA;AAAA,MACC,WAAW,SAAA,IAAa,cAAA;AAAA,MACxB,KAAA,EAAO;AAAA,QACL,OAAA,EAAS,MAAA;AAAA,QACT,MAAA,EAAQ,mBAAA;AAAA,QACR,YAAA,EAAc,KAAA;AAAA,QACd,eAAA,EAAiB,SAAA;AAAA,QACjB,KAAA,EAAO;AAAA,OACT;AAAA,MAEC,QAAA,EAAA,OAAA,IAAW;AAAA;AAAA;AAGlB,CAAA;AAkBO,SAAS,QAAA,CACd,WACA,UAAA,EACwB;AAExB,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,OAAO,SAAA;AAAA,EACT;AAGA,EAAA,MAAM,gBAAA,GAAmB,CAAC,KAAA,KAAa;AACrC,IAAA,MAAM,OAAO,OAAA,EAAQ;AAGrB,IAAA,IAAI,UAAA,CAAW,cAAA,IAAkB,UAAA,CAAW,cAAA,CAAe,SAAS,CAAA,EAAG;AACrE,MAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,UAAA,CAAW,cAAc,CAAA,EAAG;AAC/C,QAAA,OAAO,eAAe,UAAU,CAAA;AAAA,MAClC;AAAA,IACF;AAGA,IAAA,IAAI,UAAA,CAAW,oBAAA,IAAwB,UAAA,CAAW,oBAAA,CAAqB,SAAS,CAAA,EAAG;AACjF,MAAA,IAAI,CAAC,IAAA,CAAK,iBAAA,CAAkB,UAAA,CAAW,oBAAoB,CAAA,EAAG;AAC5D,QAAA,OAAO,eAAe,UAAU,CAAA;AAAA,MAClC;AAAA,IACF;AAGA,IAAA,uBAAOA,GAAAA,CAAC,SAAA,EAAA,EAAW,GAAG,KAAA,EAAO,CAAA;AAAA,EAC/B,CAAA;AAGA,EAAA,MAAM,aAAA,GAAgB,SAAA,CAAU,WAAA,IAAe,SAAA,CAAU,IAAA,IAAQ,WAAA;AACjE,EAAA,gBAAA,CAAiB,WAAA,GAAc,YAAY,aAAa,CAAA,CAAA,CAAA;AAExD,EAAA,OAAO,gBAAA;AACT;AAKA,SAAS,eAAe,UAAA,EAA4D;AAClF,EAAA,MAAM,YAAA,GAAe,WAAW,QAAA,IAAY,MAAA;AAE5C,EAAA,QAAQ,YAAA;AAAc,IACpB,KAAK,MAAA;AACH,MAAA,OAAO,mBAAmB,IAAA,EAAK;AAAA,IAEjC,KAAK,aAAA;AACH,MAAA,OAAO,kBAAA,CAAmB,WAAA,CAAY,EAAE,CAAA;AAAA,IAE1C,KAAK,SAAA;AACH,MAAA,OAAO,mBAAmB,OAAA,CAAQ;AAAA,QAChC,SAAS,UAAA,CAAW;AAAA,OACrB,CAAA;AAAA,IAEH;AACE,MAAA,OAAO,IAAA;AAAA;AAEb;AAKO,SAAS,gBAAA,CACd,SAAA,EACA,UAAA,EACA,iBAAA,EACwB;AACxB,EAAA,MAAM,gBAAA,GAAmB,CAAC,KAAA,KAAa;AACrC,IAAA,MAAM,OAAO,OAAA,EAAQ;AAGrB,IAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,IAAA,EAAM,UAAU,CAAA;AAExD,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,uBAAOA,IAAC,iBAAA,EAAA,EAAkB,CAAA;AAAA,IAC5B;AAEA,IAAA,uBAAOA,GAAAA,CAAC,SAAA,EAAA,EAAW,GAAG,KAAA,EAAO,CAAA;AAAA,EAC/B,CAAA;AAEA,EAAA,MAAM,aAAA,GAAgB,SAAA,CAAU,WAAA,IAAe,SAAA,CAAU,IAAA,IAAQ,WAAA;AACjE,EAAA,gBAAA,CAAiB,WAAA,GAAc,oBAAoB,aAAa,CAAA,CAAA,CAAA;AAEhE,EAAA,OAAO,gBAAA;AACT;AAKA,SAAS,kBAAA,CACP,MACA,UAAA,EACS;AAET,EAAA,IAAI,UAAA,CAAW,cAAA,IAAkB,UAAA,CAAW,cAAA,CAAe,SAAS,CAAA,EAAG;AACrE,IAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,UAAA,CAAW,cAAc,CAAA,EAAG;AAC/C,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAGA,EAAA,IAAI,UAAA,CAAW,oBAAA,IAAwB,UAAA,CAAW,oBAAA,CAAqB,SAAS,CAAA,EAAG;AACjF,IAAA,IAAI,CAAC,IAAA,CAAK,iBAAA,CAAkB,UAAA,CAAW,oBAAoB,CAAA,EAAG;AAC5D,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAEA,EAAA,OAAO,IAAA;AACT;;;ACpLA,IAAM,qBAAA,GAEF;AAAA,EACF,SAAA,EAAW;AACb,CAAA;AAwBO,SAAS,qBAAA,GAA8B;AAC5C,EAAA,qBAAA,CAAsB,SAAA,GAAY,QAAA;AAGlC,EAAA,IAAI,OAAO,MAAA,KAAW,WAAA,IAAgB,MAAA,CAAe,qBAAA,EAAuB;AAC1E,IAAA,OAAA,CAAQ,IAAI,qCAA8B,CAAA;AAAA,EAC5C;AACF;AAUO,SAAS,gBAAA,GAA2C;AACzD,EAAA,OAAO,qBAAA,CAAsB,SAAA;AAC/B;AAyBO,SAAS,iBAAA,CACd,WACA,UAAA,EACwB;AACxB,EAAA,MAAM,YAAY,gBAAA,EAAiB;AAInC,EAAA,IAAI,CAAC,SAAA,IAAa,CAAC,UAAA,EAAY;AAC7B,IAAA,OAAO,SAAA;AAAA,EACT;AAGA,EAAA,OAAO,SAAA,CAAU,WAAW,UAAU,CAAA;AACxC;AAgBO,SAAS,cAAc,IAAA,EAAkD;AAE9E,EAAA,IAAI,CAAC,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,EAAU;AACrC,IAAA,OAAO,KAAA;AAAA,EACT;AACA,EAAA,OAAO,MAAA,IAAU,IAAA;AACnB","file":"client.mjs","sourcesContent":["import { createContext, useContext } from 'react';\nimport type { AuthUser, AuthSession } from '../types/index.js';\n\n/**\n * Auth context value provided to component tree\n */\nexport interface AuthContextValue {\n /**\n * Currently authenticated user (null if not authenticated)\n */\n user: AuthUser | null;\n\n /**\n * Current session (null if not authenticated)\n */\n session: AuthSession | null;\n\n /**\n * Whether user is authenticated\n */\n isAuthenticated: boolean;\n\n /**\n * Whether auth is still loading\n */\n isLoading: boolean;\n\n /**\n * Check if user has a specific role\n */\n hasRole: (role: string) => boolean;\n\n /**\n * Check if user has a specific permission\n */\n hasPermission: (permission: string) => boolean;\n\n /**\n * Check if user has any of the specified roles\n */\n hasAnyRole: (roles: string[]) => boolean;\n\n /**\n * Check if user has all of the specified permissions\n */\n hasAllPermissions: (permissions: string[]) => boolean;\n}\n\n/**\n * Auth context - provides authentication state to components\n */\nexport const AuthContext = createContext<AuthContextValue | null>(null);\n\n/**\n * Hook to access auth context\n * Throws error if used outside AuthProvider\n */\nexport function useAuth(): AuthContextValue {\n const context = useContext(AuthContext);\n\n if (!context) {\n throw new Error('useAuth must be used within AuthProvider');\n }\n\n return context;\n}\n\n/**\n * Hook to require authentication\n * Returns null and logs warning if not authenticated\n */\nexport function useRequireAuth(): AuthContextValue | null {\n const auth = useAuth();\n\n if (!auth.isAuthenticated) {\n console.warn('useRequireAuth: User is not authenticated');\n return null;\n }\n\n return auth;\n}\n","import type { AuthUser, RBACConfig, ComponentAuthConfig } from '../types/index.js';\n\n/**\n * RBAC Engine for checking roles and permissions\n */\nexport class RBACEngine {\n private config: RBACConfig;\n private rolePermissions: Map<string, Set<string>>;\n\n constructor(config: RBACConfig) {\n this.config = config;\n this.rolePermissions = this.buildRolePermissionMap();\n }\n\n /**\n * Build internal map of role → permissions for fast lookups\n */\n private buildRolePermissionMap(): Map<string, Set<string>> {\n const map = new Map<string, Set<string>>();\n\n for (const role of this.config.roles) {\n map.set(role.name, new Set(role.permissions || []));\n }\n\n return map;\n }\n\n /**\n * Check if user has a specific role\n */\n hasRole(user: AuthUser, role: string): boolean {\n return user.roles.includes(role);\n }\n\n /**\n * Check if user has any of the specified roles\n */\n hasAnyRole(user: AuthUser, roles: string[]): boolean {\n return roles.some((role) => this.hasRole(user, role));\n }\n\n /**\n * Check if user has all of the specified roles\n */\n hasAllRoles(user: AuthUser, roles: string[]): boolean {\n return roles.every((role) => this.hasRole(user, role));\n }\n\n /**\n * Check if user has a specific permission\n * Permissions are checked both:\n * 1. Directly in user.permissions array\n * 2. Through role-based permissions from config\n */\n hasPermission(user: AuthUser, permission: string): boolean {\n // Check direct permissions\n if (user.permissions?.includes(permission)) {\n return true;\n }\n\n // Check role-based permissions\n for (const role of user.roles) {\n const permissions = this.rolePermissions.get(role);\n if (permissions?.has(permission)) {\n return true;\n }\n\n // Check wildcard permissions (e.g., admin:* grants admin:read, admin:write)\n if (permissions) {\n for (const p of permissions) {\n if (p.endsWith(':*')) {\n const prefix = p.slice(0, -1); // Remove the *\n if (permission.startsWith(prefix)) {\n return true;\n }\n }\n }\n }\n }\n\n return false;\n }\n\n /**\n * Check if user has any of the specified permissions\n */\n hasAnyPermission(user: AuthUser, permissions: string[]): boolean {\n return permissions.some((permission) => this.hasPermission(user, permission));\n }\n\n /**\n * Check if user has all of the specified permissions\n */\n hasAllPermissions(user: AuthUser, permissions: string[]): boolean {\n return permissions.every((permission) => this.hasPermission(user, permission));\n }\n\n /**\n * Check if route is public (no auth required)\n */\n isPublicRoute(path: string): boolean {\n if (!this.config.public_routes) {\n return false;\n }\n\n return this.config.public_routes.some((publicPath) => {\n return this.matchPath(path, publicPath);\n });\n }\n\n /**\n * Check if user can access a route based on protected_routes config\n */\n canAccessRoute(user: AuthUser | null, path: string): boolean {\n // Check if route is public\n if (this.isPublicRoute(path)) {\n return true;\n }\n\n // No user = can't access protected routes\n if (!user) {\n return false;\n }\n\n // If no protected routes configured, allow by default\n if (!this.config.protected_routes || this.config.protected_routes.length === 0) {\n return true;\n }\n\n // Find matching protected route\n const matchingRoute = this.config.protected_routes.find((route) => {\n return this.matchPath(path, route.path);\n });\n\n // If no matching protected route, allow (route not explicitly protected)\n if (!matchingRoute) {\n return true;\n }\n\n // Check if user has required role for this route\n return this.hasAnyRole(user, matchingRoute.roles);\n }\n\n /**\n * Check if user can access a component based on component auth config\n */\n canAccessComponent(user: AuthUser | null, authConfig: ComponentAuthConfig | undefined): boolean {\n // No auth config = public component\n if (!authConfig) {\n return true;\n }\n\n // No user = can't access protected component\n if (!user) {\n return false;\n }\n\n // Check required roles\n if (authConfig.required_roles && authConfig.required_roles.length > 0) {\n if (!this.hasAnyRole(user, authConfig.required_roles)) {\n return false;\n }\n }\n\n // Check required permissions\n if (authConfig.required_permissions && authConfig.required_permissions.length > 0) {\n if (!this.hasAllPermissions(user, authConfig.required_permissions)) {\n return false;\n }\n }\n\n return true;\n }\n\n // Match a path against a pattern with wildcard support\n private matchPath(path: string, pattern: string): boolean {\n // Exact match\n if (path === pattern) {\n return true;\n }\n\n // No wildcards in pattern — only exact match applies\n if (!pattern.includes('*')) {\n return false;\n }\n\n // Escape ALL regex metacharacters, then convert glob * to .*\n // This prevents ReDoS from crafted route patterns in YAML config\n const escaped = pattern\n .replace(/[.+?^${}()|[\\]\\\\]/g, '\\\\$&') // Escape regex specials\n .replace(/\\*/g, '.*'); // Convert glob * to .*\n\n const regex = new RegExp(`^${escaped}$`);\n return regex.test(path);\n }\n}\n","import React, { useMemo, type ReactNode, type ReactElement } from 'react';\nimport { AuthContext, type AuthContextValue } from './AuthContext.js';\nimport { RBACEngine } from '../rbac/rbac-engine.js';\nimport type { AuthUser, AuthSession, RBACConfig } from '../types/index.js';\n\nexport interface AuthProviderProps {\n /**\n * Current authenticated user (null if not authenticated)\n */\n user: AuthUser | null;\n\n /**\n * Current session (null if not authenticated)\n */\n session: AuthSession | null;\n\n /**\n * RBAC configuration for role/permission checking\n */\n rbacConfig: RBACConfig;\n\n /**\n * Whether auth is still loading\n */\n isLoading?: boolean;\n\n /**\n * Child components\n */\n children: ReactNode;\n}\n\n/**\n * AuthProvider - Provides authentication state to component tree\n *\n * @example\n * ```tsx\n * <AuthProvider user={user} session={session} rbacConfig={config}>\n * <App />\n * </AuthProvider>\n * ```\n */\nexport function AuthProvider({\n user,\n session,\n rbacConfig,\n isLoading = false,\n children,\n}: AuthProviderProps): ReactElement {\n // Create RBAC engine for role/permission checking\n const rbac = useMemo(() => new RBACEngine(rbacConfig), [rbacConfig]);\n\n // Build context value with helper functions\n const value: AuthContextValue = useMemo(\n () => ({\n user,\n session,\n isAuthenticated: user !== null,\n isLoading,\n\n hasRole: (role: string) => {\n if (!user) return false;\n return rbac.hasRole(user, role);\n },\n\n hasPermission: (permission: string) => {\n if (!user) return false;\n return rbac.hasPermission(user, permission);\n },\n\n hasAnyRole: (roles: string[]) => {\n if (!user) return false;\n return rbac.hasAnyRole(user, roles);\n },\n\n hasAllPermissions: (permissions: string[]) => {\n if (!user) return false;\n return rbac.hasAllPermissions(user, permissions);\n },\n }),\n [user, session, isLoading, rbac]\n );\n\n return <AuthContext.Provider value={value}>{children}</AuthContext.Provider>;\n}\n","import React from 'react';\nimport { useAuth } from '../context/AuthContext.js';\nimport type { ComponentAuthConfig } from '../types/index.js';\n\n/**\n * Props that any component wrapped with withAuth will receive\n */\nexport interface ComponentProps {\n id?: string;\n [key: string]: any;\n}\n\n/**\n * Fallback component props\n */\ninterface FallbackProps {\n message?: string;\n className?: string;\n}\n\n/**\n * Default fallback components for unauthorized access\n */\nconst FallbackComponents = {\n /**\n * Hide component (render nothing)\n */\n hide: () => null,\n\n /**\n * Show placeholder message\n */\n placeholder: ({ className }: FallbackProps) => (\n <div\n className={className || 'auth-placeholder'}\n style={{\n padding: '1rem',\n border: '1px dashed #ccc',\n borderRadius: '4px',\n color: '#666',\n fontStyle: 'italic',\n textAlign: 'center',\n }}\n >\n Content requires authorization\n </div>\n ),\n\n /**\n * Show custom message\n */\n message: ({ message, className }: FallbackProps) => (\n <div\n className={className || 'auth-message'}\n style={{\n padding: '1rem',\n border: '1px solid #f0ad4e',\n borderRadius: '4px',\n backgroundColor: '#fcf8e3',\n color: '#8a6d3b',\n }}\n >\n {message || 'Unauthorized'}\n </div>\n ),\n};\n\n/**\n * Higher-order component that wraps a component with authentication checks\n *\n * @example\n * ```tsx\n * const ProtectedButton = withAuth(Button, {\n * required_roles: ['ADMIN'],\n * fallback: 'message',\n * fallback_message: 'Only admins can see this button'\n * });\n * ```\n *\n * @param Component - The component to wrap\n * @param authConfig - Authentication requirements from YAML\n * @returns Wrapped component with auth enforcement\n */\nexport function withAuth<P extends ComponentProps>(\n Component: React.ComponentType<P>,\n authConfig?: ComponentAuthConfig\n): React.ComponentType<P> {\n // If no auth config, return component unchanged\n if (!authConfig) {\n return Component;\n }\n\n // Create wrapped component with display name for debugging\n const WrappedComponent = (props: P) => {\n const auth = useAuth();\n\n // Check role requirements\n if (authConfig.required_roles && authConfig.required_roles.length > 0) {\n if (!auth.hasAnyRole(authConfig.required_roles)) {\n return renderFallback(authConfig);\n }\n }\n\n // Check permission requirements (must have ALL permissions)\n if (authConfig.required_permissions && authConfig.required_permissions.length > 0) {\n if (!auth.hasAllPermissions(authConfig.required_permissions)) {\n return renderFallback(authConfig);\n }\n }\n\n // User authorized - render component\n return <Component {...props} />;\n };\n\n // Set display name for React DevTools\n const componentName = Component.displayName || Component.name || 'Component';\n WrappedComponent.displayName = `withAuth(${componentName})`;\n\n return WrappedComponent;\n}\n\n/**\n * Render fallback component based on configuration\n */\nfunction renderFallback(authConfig: ComponentAuthConfig): React.ReactElement | null {\n const fallbackType = authConfig.fallback || 'hide';\n\n switch (fallbackType) {\n case 'hide':\n return FallbackComponents.hide();\n\n case 'placeholder':\n return FallbackComponents.placeholder({});\n\n case 'message':\n return FallbackComponents.message({\n message: authConfig.fallback_message,\n });\n\n default:\n return null;\n }\n}\n\n/**\n * Custom fallback component (for advanced use cases)\n */\nexport function withAuthFallback<P extends ComponentProps>(\n Component: React.ComponentType<P>,\n authConfig: ComponentAuthConfig,\n FallbackComponent: React.ComponentType<any>\n): React.ComponentType<P> {\n const WrappedComponent = (props: P) => {\n const auth = useAuth();\n\n // Check authorization\n const isAuthorized = checkAuthorization(auth, authConfig);\n\n if (!isAuthorized) {\n return <FallbackComponent />;\n }\n\n return <Component {...props} />;\n };\n\n const componentName = Component.displayName || Component.name || 'Component';\n WrappedComponent.displayName = `withAuthFallback(${componentName})`;\n\n return WrappedComponent;\n}\n\n/**\n * Check if user is authorized based on auth config\n */\nfunction checkAuthorization(\n auth: ReturnType<typeof useAuth>,\n authConfig: ComponentAuthConfig\n): boolean {\n // Check roles\n if (authConfig.required_roles && authConfig.required_roles.length > 0) {\n if (!auth.hasAnyRole(authConfig.required_roles)) {\n return false;\n }\n }\n\n // Check permissions\n if (authConfig.required_permissions && authConfig.required_permissions.length > 0) {\n if (!auth.hasAllPermissions(authConfig.required_permissions)) {\n return false;\n }\n }\n\n return true;\n}\n","import { withAuth } from './decorators/withAuth.js';\nimport type { ComponentAuthConfig } from './types/index.js';\nimport type React from 'react';\n\n/**\n * Global registry for auth decorator function\n * This allows OSS packages to optionally use auth without depending on it\n *\n * Design principle: No hard dependencies!\n * - OSS core never imports from pro packages\n * - Pro package registers itself at runtime\n * - User app is the glue that connects them\n */\nconst authDecoratorRegistry: {\n decorator: typeof withAuth | null;\n} = {\n decorator: null,\n};\n\n/**\n * Register the auth decorator for use by content renderers\n *\n * This should be called once in your app's initialization (e.g., _app.tsx)\n * to enable auth-aware component rendering.\n *\n * @example\n * ```tsx\n * // In pages/_app.tsx\n * import { registerAuthDecorator } from '@stackwright-pro/auth';\n *\n * registerAuthDecorator();\n *\n * function MyApp({ Component, pageProps }: AppProps) {\n * return (\n * <AuthProvider {...authProps}>\n * <Component {...pageProps} />\n * </AuthProvider>\n * );\n * }\n * ```\n */\nexport function registerAuthDecorator(): void {\n authDecoratorRegistry.decorator = withAuth;\n\n // Debug logging (only in browser with debug flag)\n if (typeof window !== 'undefined' && (window as any).__STACKWRIGHT_DEBUG__) {\n console.log('🔐 Auth decorator registered');\n }\n}\n\n/**\n * Get the registered auth decorator (for use by content renderers)\n *\n * Returns null if auth is not registered, allowing graceful degradation.\n * This is the function that OSS core would call to check if auth is available.\n *\n * @returns The withAuth decorator function, or null if not registered\n */\nexport function getAuthDecorator(): typeof withAuth | null {\n return authDecoratorRegistry.decorator;\n}\n\n/**\n * Wrap a component with auth if decorator is registered and config exists\n *\n * This is a safe wrapper that OSS packages can use without depending on auth.\n * If auth is not registered, returns the original component unchanged.\n * If auth config is missing/undefined, returns the original component unchanged.\n *\n * @example\n * ```tsx\n * // In content renderer (can live in OSS core!)\\n * function renderContentItem(item: ContentItem) {\n * const Component = getComponentFromRegistry(item.type);\n *\n * // Apply auth if available\n * const WrappedComponent = maybeWrapWithAuth(Component, item.auth);\n *\n * return <WrappedComponent {...item} />;\n * }\n * ```\n *\n * @param Component - Component to wrap\n * @param authConfig - Auth configuration from YAML (optional)\n * @returns Wrapped component if auth is registered, original component otherwise\n */\nexport function maybeWrapWithAuth<P extends { id?: string; [key: string]: any }>(\n Component: React.ComponentType<P>,\n authConfig?: ComponentAuthConfig\n): React.ComponentType<P> {\n const decorator = getAuthDecorator();\n\n // No decorator registered or no auth config = return unwrapped\n // This ensures graceful degradation when auth isn't installed\n if (!decorator || !authConfig) {\n return Component;\n }\n\n // Wrap with auth\n return decorator(Component, authConfig);\n}\n\n/**\n * Type guard to check if content item has auth config\n *\n * Useful for conditionally applying auth in renderers without\n * needing to import auth types.\n *\n * @example\n * ```tsx\n * if (hasAuthConfig(item)) {\n * // TypeScript knows item.auth exists\n * WrappedComponent = maybeWrapWithAuth(Component, item.auth);\n * }\n * ```\n */\nexport function hasAuthConfig(item: any): item is { auth: ComponentAuthConfig } {\n // Explicitly return boolean to handle null/undefined properly\n if (!item || typeof item !== 'object') {\n return false;\n }\n return 'auth' in item;\n}\n"]}

package/dist/index.d.mts CHANGED Viewed

@@ -1,8 +1,6 @@
-import { AuthProvider as AuthProvider$1, PKIConfig, AuthContext as AuthContext$1, AuthUser, AuthSession, OIDCConfig, RBACConfig, ComponentAuthConfig, CertRevocationConfig } from '@stackwright-pro/types';
+import { AuthProvider, PKIConfig, AuthContext, AuthUser, AuthSession, OIDCConfig, RBACConfig, ComponentAuthConfig, CertRevocationConfig } from '@stackwright-pro/types';
 export { AuthConfig, AuthSession, AuthUser, CertRevocationConfig, ComponentAuthConfig, OIDCConfig, PKIConfig, RBACConfig, authConfigSchema, authSessionSchema, authUserSchema, componentAuthSchema, oidcConfigSchema, pkiConfigSchema, rbacConfigSchema } from '@stackwright-pro/types';
 import { X509Certificate } from '@peculiar/x509';
-import * as React from 'react';
-import React__default, { ReactNode, ReactElement } from 'react';
 /**
  * Authentication Audit Logging
@@ -107,12 +105,12 @@ declare function createAuditEvent(type: AuditEventType, outcome: 'success' | 'fa
  * - Pluggable audit logging for SIEM integration
  */
-declare class PKIProvider implements AuthProvider$1 {
+declare class PKIProvider implements AuthProvider {
     private config;
     private auditLogger?;
     private revocationChecker;
     constructor(config: PKIConfig, auditLogger?: AuditLogger);
-    authenticate(context: AuthContext$1): Promise<AuthUser | null>;
+    authenticate(context: AuthContext): Promise<AuthUser | null>;
     validate(session: AuthSession): Promise<boolean>;
     /**
      * Extract roles from certificate based on organizational units
@@ -160,7 +158,7 @@ interface AuthorizationRequest {
  * - Session refresh
  * - Provider-specific quirks (Keycloak, Cognito, etc.)
  */
-declare class OIDCProvider implements AuthProvider$1 {
+declare class OIDCProvider implements AuthProvider {
     private config;
     private metadata;
     private auditLogger?;
@@ -190,7 +188,7 @@ declare class OIDCProvider implements AuthProvider$1 {
      * @returns Authenticated user or null if no code present
      * @throws Error if state mismatch (CSRF) or token exchange/validation fails
      */
-    authenticate(context: AuthContext$1): Promise<AuthUser | null>;
+    authenticate(context: AuthContext): Promise<AuthUser | null>;
     /**
      * Validate session (check if token is still valid)
      *
@@ -771,92 +769,6 @@ declare class RBACEngine {
     private matchPath;
 }
-/**
- * Auth context value provided to component tree
- */
-interface AuthContextValue {
-    /**
-     * Currently authenticated user (null if not authenticated)
-     */
-    user: AuthUser | null;
-    /**
-     * Current session (null if not authenticated)
-     */
-    session: AuthSession | null;
-    /**
-     * Whether user is authenticated
-     */
-    isAuthenticated: boolean;
-    /**
-     * Whether auth is still loading
-     */
-    isLoading: boolean;
-    /**
-     * Check if user has a specific role
-     */
-    hasRole: (role: string) => boolean;
-    /**
-     * Check if user has a specific permission
-     */
-    hasPermission: (permission: string) => boolean;
-    /**
-     * Check if user has any of the specified roles
-     */
-    hasAnyRole: (roles: string[]) => boolean;
-    /**
-     * Check if user has all of the specified permissions
-     */
-    hasAllPermissions: (permissions: string[]) => boolean;
-}
-/**
- * Auth context - provides authentication state to components
- */
-declare const AuthContext: React.Context<AuthContextValue | null>;
-/**
- * Hook to access auth context
- * Throws error if used outside AuthProvider
- */
-declare function useAuth(): AuthContextValue;
-/**
- * Hook to require authentication
- * Returns null and logs warning if not authenticated
- */
-declare function useRequireAuth(): AuthContextValue | null;
-interface AuthProviderProps {
-    /**
-     * Current authenticated user (null if not authenticated)
-     */
-    user: AuthUser | null;
-    /**
-     * Current session (null if not authenticated)
-     */
-    session: AuthSession | null;
-    /**
-     * RBAC configuration for role/permission checking
-     */
-    rbacConfig: RBACConfig;
-    /**
-     * Whether auth is still loading
-     */
-    isLoading?: boolean;
-    /**
-     * Child components
-     */
-    children: ReactNode;
-}
-/**
- * AuthProvider - Provides authentication state to component tree
- *
- * @example
- * ```tsx
- * <AuthProvider user={user} session={session} rbacConfig={config}>
- *   <App />
- * </AuthProvider>
- * ```
- */
-declare function AuthProvider({ user, session, rbacConfig, isLoading, children, }: AuthProviderProps): ReactElement;
 /**
  * HMAC Header Signing for PKI Gateway Authentication
  *
@@ -1072,110 +984,4 @@ declare function createDoDCACConfig(overrides?: Partial<PKIConfig>): PKIConfig;
  */
 declare function createDoDCACDevConfig(): PKIConfig;
-/**
- * Props that any component wrapped with withAuth will receive
- */
-interface ComponentProps {
-    id?: string;
-    [key: string]: any;
-}
-/**
- * Higher-order component that wraps a component with authentication checks
- *
- * @example
- * ```tsx
- * const ProtectedButton = withAuth(Button, {
- *   required_roles: ['ADMIN'],
- *   fallback: 'message',
- *   fallback_message: 'Only admins can see this button'
- * });
- * ```
- *
- * @param Component - The component to wrap
- * @param authConfig - Authentication requirements from YAML
- * @returns Wrapped component with auth enforcement
- */
-declare function withAuth<P extends ComponentProps>(Component: React__default.ComponentType<P>, authConfig?: ComponentAuthConfig): React__default.ComponentType<P>;
-/**
- * Custom fallback component (for advanced use cases)
- */
-declare function withAuthFallback<P extends ComponentProps>(Component: React__default.ComponentType<P>, authConfig: ComponentAuthConfig, FallbackComponent: React__default.ComponentType<any>): React__default.ComponentType<P>;
-/**
- * Register the auth decorator for use by content renderers
- *
- * This should be called once in your app's initialization (e.g., _app.tsx)
- * to enable auth-aware component rendering.
- *
- * @example
- * ```tsx
- * // In pages/_app.tsx
- * import { registerAuthDecorator } from '@stackwright-pro/auth';
- *
- * registerAuthDecorator();
- *
- * function MyApp({ Component, pageProps }: AppProps) {
- *   return (
- *     <AuthProvider {...authProps}>
- *       <Component {...pageProps} />
- *     </AuthProvider>
- *   );
- * }
- * ```
- */
-declare function registerAuthDecorator(): void;
-/**
- * Get the registered auth decorator (for use by content renderers)
- *
- * Returns null if auth is not registered, allowing graceful degradation.
- * This is the function that OSS core would call to check if auth is available.
- *
- * @returns The withAuth decorator function, or null if not registered
- */
-declare function getAuthDecorator(): typeof withAuth | null;
-/**
- * Wrap a component with auth if decorator is registered and config exists
- *
- * This is a safe wrapper that OSS packages can use without depending on auth.
- * If auth is not registered, returns the original component unchanged.
- * If auth config is missing/undefined, returns the original component unchanged.
- *
- * @example
- * ```tsx
- * // In content renderer (can live in OSS core!)\n * function renderContentItem(item: ContentItem) {
- *   const Component = getComponentFromRegistry(item.type);
- *
- *   // Apply auth if available
- *   const WrappedComponent = maybeWrapWithAuth(Component, item.auth);
- *
- *   return <WrappedComponent {...item} />;
- * }
- * ```
- *
- * @param Component - Component to wrap
- * @param authConfig - Auth configuration from YAML (optional)
- * @returns Wrapped component if auth is registered, original component otherwise
- */
-declare function maybeWrapWithAuth<P extends {
-    id?: string;
-    [key: string]: any;
-}>(Component: React__default.ComponentType<P>, authConfig?: ComponentAuthConfig): React__default.ComponentType<P>;
-/**
- * Type guard to check if content item has auth config
- *
- * Useful for conditionally applying auth in renderers without
- * needing to import auth types.
- *
- * @example
- * ```tsx
- * if (hasAuthConfig(item)) {
- *   // TypeScript knows item.auth exists
- *   WrappedComponent = maybeWrapWithAuth(Component, item.auth);
- * }
- * ```
- */
-declare function hasAuthConfig(item: any): item is {
-    auth: ComponentAuthConfig;
-};
-export { type AuditEvent, AuditEventType, type AuditLogger, AuthContext, type AuthContextValue, AuthProvider, type AuthProviderProps, type AuthorizationRequest, type BuildAuthorizationUrlOptions, CRLRevocationChecker, type CertRevocationChecker, type ComponentProps, CompositeAuditLogger, CompositeRevocationChecker, ConsoleAuditLogger, type CookieOptions, DOD_CAC_PROFILE, type HeaderSigningConfig, InMemoryRevocationStore, KeycloakAdapter, NoopAuditLogger, OCSPRevocationChecker, type OIDCMetadata, OIDCProvider, PKIProvider, type ParsedCertificate, RBACEngine, RevocationCache, type RevocationInput, type RevocationStatus, type RevocationStore, SessionManager, type SessionManagerConfig, SkipRevocationChecker, type TokenSet, buildAuthorizationUrl, clearCookie, createAuditEvent, createDoDCACConfig, createDoDCACDevConfig, createRevocationChecker, decryptToken, deriveEncryptionKey, discoverOIDC, encryptToken, exchangeCodeForTokens, extractEDIPI, generateCodeChallenge, generateCodeVerifier, generateJti, generateNonce, generateState, getAuthDecorator, hasAuthConfig, maybeWrapWithAuth, normalizeSerial, parseCertFromHeaders, parseCertificate, parseCookies, refreshAccessToken, registerAuthDecorator, serializeCookie, signCertHeaders, useAuth, useRequireAuth, validateDoDCAC, validateIdToken, verifyCertHeaders, verifyState, withAuth, withAuthFallback };
+export { type AuditEvent, AuditEventType, type AuditLogger, type AuthorizationRequest, type BuildAuthorizationUrlOptions, CRLRevocationChecker, type CertRevocationChecker, CompositeAuditLogger, CompositeRevocationChecker, ConsoleAuditLogger, type CookieOptions, DOD_CAC_PROFILE, type HeaderSigningConfig, InMemoryRevocationStore, KeycloakAdapter, NoopAuditLogger, OCSPRevocationChecker, type OIDCMetadata, OIDCProvider, PKIProvider, type ParsedCertificate, RBACEngine, RevocationCache, type RevocationInput, type RevocationStatus, type RevocationStore, SessionManager, type SessionManagerConfig, SkipRevocationChecker, type TokenSet, buildAuthorizationUrl, clearCookie, createAuditEvent, createDoDCACConfig, createDoDCACDevConfig, createRevocationChecker, decryptToken, deriveEncryptionKey, discoverOIDC, encryptToken, exchangeCodeForTokens, extractEDIPI, generateCodeChallenge, generateCodeVerifier, generateJti, generateNonce, generateState, normalizeSerial, parseCertFromHeaders, parseCertificate, parseCookies, refreshAccessToken, serializeCookie, signCertHeaders, validateDoDCAC, validateIdToken, verifyCertHeaders, verifyState };