@stigmer/react 3.0.7 → 3.0.8-dev.20260612062921

package/access/ManageAccessButton.d.ts

@@ -0,0 +1,47 @@
+import type { AccessResource, AccessVisibility, AccessExtraSection } from "./types";
+/** Props for {@link ManageAccessButton}. */
+export interface ManageAccessButtonProps {
+    /** The resource whose access is managed. */
+    readonly resource: AccessResource;
+    /** General access (visibility) axis; omit for resources without visibility. */
+    readonly visibility?: AccessVisibility;
+    /** Optional resource-specific section (e.g. run observability). */
+    readonly extraSection?: AccessExtraSection;
+    /** Button label. @default "Manage access" */
+    readonly label?: string;
+    /** Additional CSS classes for the trigger button. */
+    readonly className?: string;
+}
+/**
+ * The single drop-in, visible trigger for the unified Manage access dialog —
+ * used by surfaces that render a button in a header or panel (session and
+ * workflow-execution viewers, instance panels) rather than a kebab menu (those
+ * use {@link useManageAccess}).
+ *
+ * Self-gates on `can_view_access`: the button renders only for users who may
+ * see the access list, and the dialog's sections gate editing further. Because
+ * it lives in the SDK, web and desktop hosts stop re-implementing their own
+ * share buttons — one component, every host.
+ *
+ * All visual properties flow through `--stgm-*` design tokens.
+ *
+ * @example
+ * ```tsx
+ * // A session has no visibility axis, so the dialog shows only People.
+ * <SessionViewer
+ *   sessionId={id}
+ *   headerActions={
+ *     <ManageAccessButton
+ *       resource={{
+ *         kind: ApiResourceKind.session,
+ *         kindString: "session",
+ *         id,
+ *         org: orgId,
+ *       }}
+ *     />
+ *   }
+ * />
+ * ```
+ */
+export declare function ManageAccessButton({ resource, visibility, extraSection, label, className, }: ManageAccessButtonProps): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=ManageAccessButton.d.ts.map

package/access/ManageAccessButton.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ManageAccessButton.d.ts","sourceRoot":"","sources":["../../src/access/ManageAccessButton.tsx"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,SAAS,CAAC;AAEjB,4CAA4C;AAC5C,MAAM,WAAW,uBAAuB;IACtC,4CAA4C;IAC5C,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,+EAA+E;IAC/E,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IACvC,mEAAmE;IACnE,QAAQ,CAAC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAC3C,6CAA6C;IAC7C,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,qDAAqD;IACrD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAgB,kBAAkB,CAAC,EACjC,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,KAAuB,EACvB,SAAS,GACV,EAAE,uBAAuB,2CA8BzB"}

package/access/ManageAccessButton.js

@@ -0,0 +1,45 @@
+"use client";
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState } from "react";
+import { cn } from "@stigmer/theme";
+import { PermissionGate } from "../iam-policy/PermissionGate";
+import { ManageAccessDialog } from "./ManageAccessDialog";
+/**
+ * The single drop-in, visible trigger for the unified Manage access dialog —
+ * used by surfaces that render a button in a header or panel (session and
+ * workflow-execution viewers, instance panels) rather than a kebab menu (those
+ * use {@link useManageAccess}).
+ *
+ * Self-gates on `can_view_access`: the button renders only for users who may
+ * see the access list, and the dialog's sections gate editing further. Because
+ * it lives in the SDK, web and desktop hosts stop re-implementing their own
+ * share buttons — one component, every host.
+ *
+ * All visual properties flow through `--stgm-*` design tokens.
+ *
+ * @example
+ * ```tsx
+ * // A session has no visibility axis, so the dialog shows only People.
+ * <SessionViewer
+ *   sessionId={id}
+ *   headerActions={
+ *     <ManageAccessButton
+ *       resource={{
+ *         kind: ApiResourceKind.session,
+ *         kindString: "session",
+ *         id,
+ *         org: orgId,
+ *       }}
+ *     />
+ *   }
+ * />
+ * ```
+ */
+export function ManageAccessButton({ resource, visibility, extraSection, label = "Manage access", className, }) {
+    const [open, setOpen] = useState(false);
+    return (_jsxs(PermissionGate, { resource: { kind: resource.kindString, id: resource.id }, relation: "can_view_access", children: [_jsxs("button", { type: "button", onClick: () => setOpen(true), className: cn("inline-flex items-center gap-1.5 rounded-md px-2.5 py-1 text-xs font-medium", "border border-border text-foreground hover:bg-accent-hover", "focus:outline-none focus:ring-2 focus:ring-ring", className), children: [_jsx(ShareIcon, {}), label] }), _jsx(ManageAccessDialog, { open: open, onOpenChange: setOpen, resource: resource, visibility: visibility, extraSection: extraSection })] }));
+}
+function ShareIcon() {
+    return (_jsxs("svg", { width: "13", height: "13", viewBox: "0 0 16 16", fill: "none", stroke: "currentColor", strokeWidth: "1.5", strokeLinecap: "round", strokeLinejoin: "round", "aria-hidden": "true", children: [_jsx("circle", { cx: "12", cy: "3.5", r: "1.75" }), _jsx("circle", { cx: "4", cy: "8", r: "1.75" }), _jsx("circle", { cx: "12", cy: "12.5", r: "1.75" }), _jsx("path", { d: "M5.5 7.1l5-2.7M5.5 8.9l5 2.7" })] }));
+}
+//# sourceMappingURL=ManageAccessButton.js.map

package/access/ManageAccessButton.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ManageAccessButton.js","sourceRoot":"","sources":["../../src/access/ManageAccessButton.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AAEb,OAAO,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AACjC,OAAO,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAqB1D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,UAAU,kBAAkB,CAAC,EACjC,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,KAAK,GAAG,eAAe,EACvB,SAAS,GACe;IACxB,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAExC,OAAO,CACL,MAAC,cAAc,IACb,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,CAAC,UAAU,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,EACxD,QAAQ,EAAC,iBAAiB,aAE1B,kBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAC5B,SAAS,EAAE,EAAE,CACX,6EAA6E,EAC7E,4DAA4D,EAC5D,iDAAiD,EACjD,SAAS,CACV,aAED,KAAC,SAAS,KAAG,EACZ,KAAK,IACC,EACT,KAAC,kBAAkB,IACjB,IAAI,EAAE,IAAI,EACV,YAAY,EAAE,OAAO,EACrB,QAAQ,EAAE,QAAQ,EAClB,UAAU,EAAE,UAAU,EACtB,YAAY,EAAE,YAAY,GAC1B,IACa,CAClB,CAAC;AACJ,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,CACL,eACE,KAAK,EAAC,IAAI,EACV,MAAM,EAAC,IAAI,EACX,OAAO,EAAC,WAAW,EACnB,IAAI,EAAC,MAAM,EACX,MAAM,EAAC,cAAc,EACrB,WAAW,EAAC,KAAK,EACjB,aAAa,EAAC,OAAO,EACrB,cAAc,EAAC,OAAO,iBACV,MAAM,aAElB,iBAAQ,EAAE,EAAC,IAAI,EAAC,EAAE,EAAC,KAAK,EAAC,CAAC,EAAC,MAAM,GAAG,EACpC,iBAAQ,EAAE,EAAC,GAAG,EAAC,EAAE,EAAC,GAAG,EAAC,CAAC,EAAC,MAAM,GAAG,EACjC,iBAAQ,EAAE,EAAC,IAAI,EAAC,EAAE,EAAC,MAAM,EAAC,CAAC,EAAC,MAAM,GAAG,EACrC,eAAM,CAAC,EAAC,8BAA8B,GAAG,IACrC,CACP,CAAC;AACJ,CAAC"}

package/access/ManageAccessDialog.d.ts

@@ -0,0 +1,60 @@
+import type { AccessResource, AccessVisibility, AccessExtraSection } from "./types";
+/** Props for {@link ManageAccessDialog}. */
+export interface ManageAccessDialogProps {
+    /** Whether the dialog is open. */
+    readonly open: boolean;
+    /** Called when the dialog should open or close. */
+    readonly onOpenChange: (open: boolean) => void;
+    /** The resource whose access is managed. */
+    readonly resource: AccessResource;
+    /**
+     * General access (visibility) axis. Omit for resources without visibility
+     * (e.g. sessions, workflow executions).
+     */
+    readonly visibility?: AccessVisibility;
+    /**
+     * An optional resource-specific section appended below People (e.g.
+     * workflow-instance run observability).
+     */
+    readonly extraSection?: AccessExtraSection;
+}
+/**
+ * The one canonical "Manage access" dialog, mounted identically across every
+ * resource with a detail surface. Composes the platform's two access axes into
+ * a single Drive/GitHub-style modal: *General access* (visibility) over
+ * *People with access* (explicit grants), plus an optional resource-specific
+ * section.
+ *
+ * Each section renders only when it applies:
+ * - **General access** — only when {@link ManageAccessDialogProps.visibility}
+ *   is provided. Delegates to {@link ResourceVisibilityControl}, which owns
+ *   level selection and the `can_edit` gate.
+ * - **People with access** — only when the resource kind has grantable roles
+ *   (`hasGrantableRoles`, proto-generated single source of truth). Delegates
+ *   to {@link PeopleWithAccess}, which gates grant/revoke on `can_grant_access`.
+ * - **Extra section** — only when provided.
+ *
+ * The body mounts lazily (only while `open`) so its access-list fetch never
+ * fires on a closed dialog. Built on the native `<dialog>` element for focus
+ * trapping and escape handling, matching the SDK's modal convention. All
+ * visual properties flow through `--stgm-*` design tokens.
+ *
+ * Most hosts mount it indirectly via {@link ManageAccessButton} (a visible
+ * trigger) or {@link useManageAccess} (a kebab-menu action). Render it directly
+ * only when you own the open-state.
+ *
+ * @example
+ * ```tsx
+ * const [open, setOpen] = useState(false);
+ *
+ * // A blueprint has both axes: General access (visibility) over People.
+ * <ManageAccessDialog
+ *   open={open}
+ *   onOpenChange={setOpen}
+ *   resource={{ kind: ApiResourceKind.agent, kindString: "agent", id, org, name }}
+ *   visibility={{ kind: "agent", current: visibility, org, onChanged: refetch }}
+ * />
+ * ```
+ */
+export declare function ManageAccessDialog({ open, onOpenChange, resource, visibility, extraSection, }: ManageAccessDialogProps): import("react/jsx-runtime").JSX.Element;
+//# sourceMappingURL=ManageAccessDialog.d.ts.map

package/access/ManageAccessDialog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ManageAccessDialog.d.ts","sourceRoot":"","sources":["../../src/access/ManageAccessDialog.tsx"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,SAAS,CAAC;AAEjB,4CAA4C;AAC5C,MAAM,WAAW,uBAAuB;IACtC,kCAAkC;IAClC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,mDAAmD;IACnD,QAAQ,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,CAAC;IAC/C,4CAA4C;IAC5C,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC;;;OAGG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IACvC;;;OAGG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,kBAAkB,CAAC;CAC5C;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,kBAAkB,CAAC,EACjC,IAAI,EACJ,YAAY,EACZ,QAAQ,EACR,UAAU,EACV,YAAY,GACb,EAAE,uBAAuB,2CA+HzB"}

package/access/ManageAccessDialog.js

@@ -0,0 +1,83 @@
+"use client";
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useCallback, useRef } from "react";
+import { cn } from "@stigmer/theme";
+import { hasGrantableRoles } from "@stigmer/sdk";
+import { PeopleWithAccess } from "../iam-policy/PeopleWithAccess";
+import { ResourceVisibilityControl } from "../library/ResourceVisibilityControl";
+/**
+ * The one canonical "Manage access" dialog, mounted identically across every
+ * resource with a detail surface. Composes the platform's two access axes into
+ * a single Drive/GitHub-style modal: *General access* (visibility) over
+ * *People with access* (explicit grants), plus an optional resource-specific
+ * section.
+ *
+ * Each section renders only when it applies:
+ * - **General access** — only when {@link ManageAccessDialogProps.visibility}
+ *   is provided. Delegates to {@link ResourceVisibilityControl}, which owns
+ *   level selection and the `can_edit` gate.
+ * - **People with access** — only when the resource kind has grantable roles
+ *   (`hasGrantableRoles`, proto-generated single source of truth). Delegates
+ *   to {@link PeopleWithAccess}, which gates grant/revoke on `can_grant_access`.
+ * - **Extra section** — only when provided.
+ *
+ * The body mounts lazily (only while `open`) so its access-list fetch never
+ * fires on a closed dialog. Built on the native `<dialog>` element for focus
+ * trapping and escape handling, matching the SDK's modal convention. All
+ * visual properties flow through `--stgm-*` design tokens.
+ *
+ * Most hosts mount it indirectly via {@link ManageAccessButton} (a visible
+ * trigger) or {@link useManageAccess} (a kebab-menu action). Render it directly
+ * only when you own the open-state.
+ *
+ * @example
+ * ```tsx
+ * const [open, setOpen] = useState(false);
+ *
+ * // A blueprint has both axes: General access (visibility) over People.
+ * <ManageAccessDialog
+ *   open={open}
+ *   onOpenChange={setOpen}
+ *   resource={{ kind: ApiResourceKind.agent, kindString: "agent", id, org, name }}
+ *   visibility={{ kind: "agent", current: visibility, org, onChanged: refetch }}
+ * />
+ * ```
+ */
+export function ManageAccessDialog({ open, onOpenChange, resource, visibility, extraSection, }) {
+    const dialogRef = useRef(null);
+    const handleClose = useCallback(() => {
+        dialogRef.current?.close();
+        onOpenChange(false);
+    }, [onOpenChange]);
+    // Sync native dialog open state (matches the SDK dialog convention).
+    const prevOpenRef = useRef(false);
+    if (open !== prevOpenRef.current) {
+        prevOpenRef.current = open;
+        if (open) {
+            requestAnimationFrame(() => {
+                if (dialogRef.current && !dialogRef.current.open) {
+                    dialogRef.current.showModal();
+                }
+            });
+        }
+        else if (dialogRef.current?.open) {
+            dialogRef.current.close();
+        }
+    }
+    const showPeople = hasGrantableRoles(resource.kind);
+    return (_jsx("dialog", { ref: dialogRef, onClose: handleClose, className: cn("fixed inset-0 m-auto w-full max-w-md rounded-xl border border-border bg-popover p-0 shadow-xl", "backdrop:bg-black/50"), "aria-labelledby": "manage-access-title", children: open && (_jsxs("div", { className: "flex flex-col", children: [_jsxs("div", { className: "flex items-start justify-between border-b border-border px-6 py-4", children: [_jsxs("div", { className: "min-w-0", children: [_jsx("h2", { id: "manage-access-title", className: "text-base font-semibold text-foreground", children: "Manage access" }), resource.name && (_jsx("p", { className: "mt-0.5 truncate text-xs text-muted-foreground", children: resource.name }))] }), _jsx("button", { type: "button", onClick: handleClose, "aria-label": "Close", className: cn("rounded-md p-1 text-muted-foreground", "hover:text-foreground hover:bg-accent-hover", "focus:outline-none focus:ring-2 focus:ring-ring"), children: _jsx(CloseIcon, {}) })] }), _jsxs("div", { className: "flex flex-col divide-y divide-border", children: [visibility && (_jsx(AccessSection, { title: "General access", description: "Who can find and open this resource.", children: _jsx(ResourceVisibilityControl, { kind: visibility.kind, resourceId: resource.id, visibility: visibility.current, org: visibility.org, onChanged: visibility.onChanged }) })), showPeople && (_jsx(AccessSection, { title: "People with access", children: _jsx(PeopleWithAccess, { resource: {
+                                    kind: resource.kindString,
+                                    id: resource.id,
+                                    resourceKind: resource.kind,
+                                }, resourceKindString: resource.kindString, resourceKind: resource.kind, orgId: resource.org }) })), extraSection && (_jsx(AccessSection, { title: extraSection.title, description: extraSection.description, children: extraSection.content }))] }), _jsx("div", { className: "flex items-center justify-end border-t border-border px-6 py-3", children: _jsx("button", { type: "button", onClick: handleClose, className: cn("rounded-md px-3 py-1.5 text-sm font-medium", "bg-primary text-primary-foreground hover:bg-primary-hover", "focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2"), children: "Done" }) })] })) }));
+}
+// ---------------------------------------------------------------------------
+// Internal section chrome
+// ---------------------------------------------------------------------------
+function AccessSection({ title, description, children, }) {
+    return (_jsxs("section", { className: "px-6 py-4", children: [_jsx("h3", { className: "text-xs font-medium text-muted-foreground", children: title }), description && (_jsx("p", { className: "mt-0.5 text-[0.65rem] text-muted-foreground", children: description })), _jsx("div", { className: "mt-2.5", children: children })] }));
+}
+function CloseIcon() {
+    return (_jsx("svg", { width: "16", height: "16", viewBox: "0 0 16 16", fill: "none", "aria-hidden": "true", children: _jsx("path", { d: "M4 4l8 8M12 4l-8 8", stroke: "currentColor", strokeWidth: "1.5", strokeLinecap: "round" }) }));
+}
+//# sourceMappingURL=ManageAccessDialog.js.map

package/access/ManageAccessDialog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ManageAccessDialog.js","sourceRoot":"","sources":["../../src/access/ManageAccessDialog.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AAEb,OAAO,EAAE,WAAW,EAAE,MAAM,EAAkB,MAAM,OAAO,CAAC;AAC5D,OAAO,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AACpC,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,gCAAgC,CAAC;AAClE,OAAO,EAAE,yBAAyB,EAAE,MAAM,sCAAsC,CAAC;AA2BjF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,MAAM,UAAU,kBAAkB,CAAC,EACjC,IAAI,EACJ,YAAY,EACZ,QAAQ,EACR,UAAU,EACV,YAAY,GACY;IACxB,MAAM,SAAS,GAAG,MAAM,CAAoB,IAAI,CAAC,CAAC;IAElD,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,EAAE;QACnC,SAAS,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;QAC3B,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC;IAEnB,qEAAqE;IACrE,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,IAAI,KAAK,WAAW,CAAC,OAAO,EAAE,CAAC;QACjC,WAAW,CAAC,OAAO,GAAG,IAAI,CAAC;QAC3B,IAAI,IAAI,EAAE,CAAC;YACT,qBAAqB,CAAC,GAAG,EAAE;gBACzB,IAAI,SAAS,CAAC,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;oBACjD,SAAS,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;gBAChC,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;YACnC,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEpD,OAAO,CACL,iBACE,GAAG,EAAE,SAAS,EACd,OAAO,EAAE,WAAW,EACpB,SAAS,EAAE,EAAE,CACX,+FAA+F,EAC/F,sBAAsB,CACvB,qBACe,qBAAqB,YAGpC,IAAI,IAAI,CACP,eAAK,SAAS,EAAC,eAAe,aAE5B,eAAK,SAAS,EAAC,mEAAmE,aAChF,eAAK,SAAS,EAAC,SAAS,aACtB,aACE,EAAE,EAAC,qBAAqB,EACxB,SAAS,EAAC,yCAAyC,8BAGhD,EACJ,QAAQ,CAAC,IAAI,IAAI,CAChB,YAAG,SAAS,EAAC,+CAA+C,YACzD,QAAQ,CAAC,IAAI,GACZ,CACL,IACG,EACN,iBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,WAAW,gBACT,OAAO,EAClB,SAAS,EAAE,EAAE,CACX,sCAAsC,EACtC,6CAA6C,EAC7C,iDAAiD,CAClD,YAED,KAAC,SAAS,KAAG,GACN,IACL,EAGN,eAAK,SAAS,EAAC,sCAAsC,aAClD,UAAU,IAAI,CACb,KAAC,aAAa,IACZ,KAAK,EAAC,gBAAgB,EACtB,WAAW,EAAC,sCAAsC,YAElD,KAAC,yBAAyB,IACxB,IAAI,EAAE,UAAU,CAAC,IAAI,EACrB,UAAU,EAAE,QAAQ,CAAC,EAAE,EACvB,UAAU,EAAE,UAAU,CAAC,OAAO,EAC9B,GAAG,EAAE,UAAU,CAAC,GAAG,EACnB,SAAS,EAAE,UAAU,CAAC,SAAS,GAC/B,GACY,CACjB,EAEA,UAAU,IAAI,CACb,KAAC,aAAa,IAAC,KAAK,EAAC,oBAAoB,YACvC,KAAC,gBAAgB,IACf,QAAQ,EAAE;oCACR,IAAI,EAAE,QAAQ,CAAC,UAAU;oCACzB,EAAE,EAAE,QAAQ,CAAC,EAAE;oCACf,YAAY,EAAE,QAAQ,CAAC,IAAI;iCAC5B,EACD,kBAAkB,EAAE,QAAQ,CAAC,UAAU,EACvC,YAAY,EAAE,QAAQ,CAAC,IAAI,EAC3B,KAAK,EAAE,QAAQ,CAAC,GAAG,GACnB,GACY,CACjB,EAEA,YAAY,IAAI,CACf,KAAC,aAAa,IACZ,KAAK,EAAE,YAAY,CAAC,KAAK,EACzB,WAAW,EAAE,YAAY,CAAC,WAAW,YAEpC,YAAY,CAAC,OAAO,GACP,CACjB,IACG,EAGN,cAAK,SAAS,EAAC,gEAAgE,YAC7E,iBACE,IAAI,EAAC,QAAQ,EACb,OAAO,EAAE,WAAW,EACpB,SAAS,EAAE,EAAE,CACX,4CAA4C,EAC5C,2DAA2D,EAC3D,qEAAqE,CACtE,qBAGM,GACL,IACF,CACP,GACM,CACV,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,0BAA0B;AAC1B,8EAA8E;AAE9E,SAAS,aAAa,CAAC,EACrB,KAAK,EACL,WAAW,EACX,QAAQ,GAKT;IACC,OAAO,CACL,mBAAS,SAAS,EAAC,WAAW,aAC5B,aAAI,SAAS,EAAC,2CAA2C,YAAE,KAAK,GAAM,EACrE,WAAW,IAAI,CACd,YAAG,SAAS,EAAC,6CAA6C,YACvD,WAAW,GACV,CACL,EACD,cAAK,SAAS,EAAC,QAAQ,YAAE,QAAQ,GAAO,IAChC,CACX,CAAC;AACJ,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,CACL,cAAK,KAAK,EAAC,IAAI,EAAC,MAAM,EAAC,IAAI,EAAC,OAAO,EAAC,WAAW,EAAC,IAAI,EAAC,MAAM,iBAAa,MAAM,YAC5E,eAAM,CAAC,EAAC,oBAAoB,EAAC,MAAM,EAAC,cAAc,EAAC,WAAW,EAAC,KAAK,EAAC,aAAa,EAAC,OAAO,GAAG,GACzF,CACP,CAAC;AACJ,CAAC"}

package/access/index.d.ts

@@ -0,0 +1,5 @@
+export { ManageAccessDialog, type ManageAccessDialogProps, } from "./ManageAccessDialog";
+export { ManageAccessButton, type ManageAccessButtonProps, } from "./ManageAccessButton";
+export { useManageAccess, type UseManageAccessArgs, type UseManageAccessReturn, } from "./useManageAccess";
+export type { AccessResource, AccessVisibility, AccessExtraSection, } from "./types";
+//# sourceMappingURL=index.d.ts.map

package/access/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/access/index.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,kBAAkB,EAClB,KAAK,uBAAuB,GAC7B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,kBAAkB,EAClB,KAAK,uBAAuB,GAC7B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,eAAe,EACf,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EACV,cAAc,EACd,gBAAgB,EAChB,kBAAkB,GACnB,MAAM,SAAS,CAAC"}

package/access/index.js

@@ -0,0 +1,7 @@
+// Access — the unified "Manage access" experience composing visibility
+// (library) and explicit grants (iam-policy) into one dialog, with a kebab
+// hook and a visible-button trigger for the surfaces that mount it.
+export { ManageAccessDialog, } from "./ManageAccessDialog";
+export { ManageAccessButton, } from "./ManageAccessButton";
+export { useManageAccess, } from "./useManageAccess";
+//# sourceMappingURL=index.js.map

package/access/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/access/index.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,2EAA2E;AAC3E,oEAAoE;AACpE,OAAO,EACL,kBAAkB,GAEnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,kBAAkB,GAEnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,eAAe,GAGhB,MAAM,mBAAmB,CAAC"}

package/access/types.d.ts

@@ -0,0 +1,56 @@
+import type { ReactNode } from "react";
+import type { ApiResourceKind } from "@stigmer/protos/ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb";
+import type { ApiResourceVisibility } from "@stigmer/protos/ai/stigmer/commons/apiresource/enum_pb";
+import type { VisibilityResourceKind } from "../library/useUpdateVisibility";
+/**
+ * The resource whose access is being managed. Carries everything the People
+ * section needs: the enum {@link ApiResourceKind} (for grantable-role lookup),
+ * the FGA/API kind string (for IAM refs and permission checks), the id, and
+ * the owning org (drives the org-member typeahead).
+ */
+export interface AccessResource {
+    /** ApiResourceKind enum — drives grantable-role lookup and capability. */
+    readonly kind: ApiResourceKind;
+    /** FGA/API kind string (e.g. "mcp_server", "session", "workflow_execution"). */
+    readonly kindString: string;
+    /** Resource id. */
+    readonly id: string;
+    /** Slug of the owning organization (`metadata.org`). */
+    readonly org: string;
+    /** Optional display name, shown as the dialog subtitle for context. */
+    readonly name?: string;
+}
+/**
+ * Describes the "General access" (visibility) axis for the Manage access
+ * dialog. Optional because not every resource has visibility (e.g. sessions
+ * and workflow executions do not). When present, the dialog renders the
+ * shared `ResourceVisibilityControl`, which owns level selection and
+ * the `can_edit` gate.
+ */
+export interface AccessVisibility {
+    /** Resource kind, selecting both the updateVisibility RPC and FGA type. */
+    readonly kind: VisibilityResourceKind;
+    /** Current visibility of the resource. */
+    readonly current: ApiResourceVisibility;
+    /**
+     * Slug of the owning org (`metadata.org`); gates the Platform option for
+     * blueprints. Omit for instances and where Platform should not be offered.
+     */
+    readonly org?: string;
+    /** Called after a successful visibility change so the host can refetch. */
+    readonly onChanged?: () => void;
+}
+/**
+ * A generic, resource-specific access section appended below People — the
+ * escape hatch for the rare per-kind axis (today: workflow-instance run
+ * observability) without baking that knowledge into a generic dialog.
+ */
+export interface AccessExtraSection {
+    /** Section heading. */
+    readonly title: string;
+    /** Optional one-line explanation under the heading. */
+    readonly description?: string;
+    /** The section body (e.g. a `<RunVisibilityControl />`). */
+    readonly content: ReactNode;
+}
+//# sourceMappingURL=types.d.ts.map

package/access/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/access/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AACvC,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qFAAqF,CAAC;AAC3H,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,wDAAwD,CAAC;AACpG,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AAE7E;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,0EAA0E;IAC1E,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;IAC/B,gFAAgF;IAChF,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,mBAAmB;IACnB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,wDAAwD;IACxD,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,uEAAuE;IACvE,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,gBAAgB;IAC/B,2EAA2E;IAC3E,QAAQ,CAAC,IAAI,EAAE,sBAAsB,CAAC;IACtC,0CAA0C;IAC1C,QAAQ,CAAC,OAAO,EAAE,qBAAqB,CAAC;IACxC;;;OAGG;IACH,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,2EAA2E;IAC3E,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,IAAI,CAAC;CACjC;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,uBAAuB;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,uDAAuD;IACvD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,4DAA4D;IAC5D,QAAQ,CAAC,OAAO,EAAE,SAAS,CAAC;CAC7B"}

package/access/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/access/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/access/types.ts"],"names":[],"mappings":""}

package/access/useManageAccess.d.ts

@@ -0,0 +1,60 @@
+import { type ReactNode } from "react";
+import type { DetailAction } from "../resource-detail/types";
+import type { AccessResource, AccessVisibility, AccessExtraSection } from "./types";
+/** Arguments for {@link useManageAccess}. */
+export interface UseManageAccessArgs {
+    /**
+     * The resource whose access is managed, or `null` while it is still
+     * loading. When `null`, {@link UseManageAccessReturn.action} is `null` and
+     * the dialog renders nothing — safe to call before the resource is ready.
+     */
+    readonly resource: AccessResource | null;
+    /** General access (visibility) axis; omit for resources without visibility. */
+    readonly visibility?: AccessVisibility;
+    /** Optional resource-specific section (e.g. run observability). */
+    readonly extraSection?: AccessExtraSection;
+    /** Menu-item label. @default "Manage access" */
+    readonly label?: string;
+}
+/** Return value of {@link useManageAccess}. */
+export interface UseManageAccessReturn {
+    /**
+     * A ready-to-spread {@link DetailAction} for a kebab/overflow menu, or
+     * `null` when the resource is unavailable or the user lacks
+     * `can_view_access`. Lives in the `"sharing"` group.
+     */
+    readonly action: DetailAction | null;
+    /** The {@link ManageAccessDialog} node — render it once in the host tree. */
+    readonly dialog: ReactNode;
+    /** Imperatively open the dialog. */
+    readonly open: () => void;
+    /** Whether the dialog is currently open. */
+    readonly isOpen: boolean;
+}
+/**
+ * Wires the unified Manage access dialog to a kebab/overflow menu — the
+ * trigger shape used by static resource detail views (agent, skill,
+ * mcp_server, workflow), whose actions live in {@link ResourceActionBar}'s
+ * menu rather than as a standalone button.
+ *
+ * Owns the open-state and the `can_view_access` gate (a viewer may open the
+ * dialog to read general access and the people list; the dialog's own sections
+ * gate editing). Returns a `null` action when the resource is still loading or
+ * the user cannot view access — so the host can unconditionally fold
+ * `action` into its actions array.
+ *
+ * Surfaces that want a *visible* trigger instead use {@link ManageAccessButton}.
+ *
+ * @example
+ * ```tsx
+ * const access = useManageAccess({
+ *   resource: meta ? { kind: ApiResourceKind.agent, kindString: "agent", id: meta.id, org: meta.org } : null,
+ *   visibility: meta ? { kind: "agent", current: meta.visibility, org: meta.org, onChanged: refetch } : undefined,
+ * });
+ * // ...
+ * <ResourceDetailShell actions={access.action ? [...actions, access.action] : actions} ... />
+ * {access.dialog}
+ * ```
+ */
+export declare function useManageAccess({ resource, visibility, extraSection, label, }: UseManageAccessArgs): UseManageAccessReturn;
+//# sourceMappingURL=useManageAccess.d.ts.map

package/access/useManageAccess.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"useManageAccess.d.ts","sourceRoot":"","sources":["../../src/access/useManageAccess.tsx"],"names":[],"mappings":"AAEA,OAAO,EAAyB,KAAK,SAAS,EAAE,MAAM,OAAO,CAAC;AAE9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAE7D,OAAO,KAAK,EACV,cAAc,EACd,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,SAAS,CAAC;AAEjB,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,EAAE,cAAc,GAAG,IAAI,CAAC;IACzC,+EAA+E;IAC/E,QAAQ,CAAC,UAAU,CAAC,EAAE,gBAAgB,CAAC;IACvC,mEAAmE;IACnE,QAAQ,CAAC,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAC3C,gDAAgD;IAChD,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,+CAA+C;AAC/C,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,QAAQ,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAAC;IACrC,6EAA6E;IAC7E,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC;IAC3B,oCAAoC;IACpC,QAAQ,CAAC,IAAI,EAAE,MAAM,IAAI,CAAC;IAC1B,4CAA4C;IAC5C,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,eAAe,CAAC,EAC9B,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,KAAuB,GACxB,EAAE,mBAAmB,GAAG,qBAAqB,CA0B7C"}

package/access/useManageAccess.js

@@ -0,0 +1,41 @@
+"use client";
+import { jsx as _jsx } from "react/jsx-runtime";
+import { useCallback, useState } from "react";
+import { useCheckPermission } from "../iam-policy/useCheckPermission";
+import { ManageAccessDialog } from "./ManageAccessDialog";
+/**
+ * Wires the unified Manage access dialog to a kebab/overflow menu — the
+ * trigger shape used by static resource detail views (agent, skill,
+ * mcp_server, workflow), whose actions live in {@link ResourceActionBar}'s
+ * menu rather than as a standalone button.
+ *
+ * Owns the open-state and the `can_view_access` gate (a viewer may open the
+ * dialog to read general access and the people list; the dialog's own sections
+ * gate editing). Returns a `null` action when the resource is still loading or
+ * the user cannot view access — so the host can unconditionally fold
+ * `action` into its actions array.
+ *
+ * Surfaces that want a *visible* trigger instead use {@link ManageAccessButton}.
+ *
+ * @example
+ * ```tsx
+ * const access = useManageAccess({
+ *   resource: meta ? { kind: ApiResourceKind.agent, kindString: "agent", id: meta.id, org: meta.org } : null,
+ *   visibility: meta ? { kind: "agent", current: meta.visibility, org: meta.org, onChanged: refetch } : undefined,
+ * });
+ * // ...
+ * <ResourceDetailShell actions={access.action ? [...actions, access.action] : actions} ... />
+ * {access.dialog}
+ * ```
+ */
+export function useManageAccess({ resource, visibility, extraSection, label = "Manage access", }) {
+    const [isOpen, setIsOpen] = useState(false);
+    const { allowed: canView } = useCheckPermission(resource ? { kind: resource.kindString, id: resource.id } : null, "can_view_access");
+    const open = useCallback(() => setIsOpen(true), []);
+    const action = resource && canView
+        ? { id: "manage-access", label, group: "sharing", onAction: open }
+        : null;
+    const dialog = resource ? (_jsx(ManageAccessDialog, { open: isOpen, onOpenChange: setIsOpen, resource: resource, visibility: visibility, extraSection: extraSection })) : null;
+    return { action, dialog, open, isOpen };
+}
+//# sourceMappingURL=useManageAccess.js.map

package/access/useManageAccess.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"useManageAccess.js","sourceRoot":"","sources":["../../src/access/useManageAccess.tsx"],"names":[],"mappings":"AAAA,YAAY,CAAC;;AAEb,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAkB,MAAM,OAAO,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,MAAM,kCAAkC,CAAC;AAEtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAuC1D;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,eAAe,CAAC,EAC9B,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,KAAK,GAAG,eAAe,GACH;IACpB,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAE5C,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,kBAAkB,CAC7C,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,CAAC,UAAU,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAChE,iBAAiB,CAClB,CAAC;IAEF,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;IAEpD,MAAM,MAAM,GACV,QAAQ,IAAI,OAAO;QACjB,CAAC,CAAC,EAAE,EAAE,EAAE,eAAe,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE;QAClE,CAAC,CAAC,IAAI,CAAC;IAEX,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,CACxB,KAAC,kBAAkB,IACjB,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,SAAS,EACvB,QAAQ,EAAE,QAAQ,EAClB,UAAU,EAAE,UAAU,EACtB,YAAY,EAAE,YAAY,GAC1B,CACH,CAAC,CAAC,CAAC,IAAI,CAAC;IAET,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC1C,CAAC"}

package/agent/AgentDetailView.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AgentDetailView.d.ts","sourceRoot":"","sources":["../../src/agent/AgentDetailView.tsx"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4DAA4D,CAAC;AAShG,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAsB,MAAM,0BAA0B,CAAC;AAkBhG,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACnC,6CAA6C;IAC7C,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACzE;;;OAGG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACrE;;;;;;;OAOG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACvE;;;OAGG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,YAAY,CAAC;IACtC;;;OAGG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,YAAY,EAAE,CAAC;IAC3C;;;;;;;;;;;;;;;;;;OAkBG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,aAAa,EAAE,CAAC;IACnD;;;;OAIG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/C;;;OAGG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAC5B;;;OAGG;IACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,oDAAoD,EAAE,KAAK,KAAK,IAAI,CAAC;IACjH;;;OAGG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,IAAI,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,QAAQ,EAAE,aAAa,KAAK,IAAI,CAAC;IAC7D;;;OAGG;IACH,QAAQ,CAAC,2BAA2B,CAAC,EAAE,CAAC,QAAQ,EAAE,aAAa,KAAK,IAAI,CAAC;IACzE;;OAEG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC,QAAQ,EAAE,aAAa,KAAK,IAAI,CAAC;IACnE;;;OAGG;IACH,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IACtC,qDAAqD;IACrD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,wBAAgB,eAAe,CAAC,EAC9B,GAAG,EACH,IAAI,EACJ,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,aAAa,EACb,OAAO,EACP,cAAc,EACd,SAAS,EACT,WAAW,EACX,UAAU,EACV,QAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,eAAe,EACf,2BAA2B,EAC3B,qBAAqB,EACrB,mBAAmB,EACnB,SAAS,GACV,EAAE,oBAAoB,2CAuKtB"}
+{"version":3,"file":"AgentDetailView.d.ts","sourceRoot":"","sources":["../../src/agent/AgentDetailView.tsx"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4DAA4D,CAAC;AAWhG,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAsB,MAAM,0BAA0B,CAAC;AAkBhG,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACnC,6CAA6C;IAC7C,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC,GAAG,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACzE;;;OAGG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACrE;;;;;;;OAOG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,EAAE,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACvE;;;OAGG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,YAAY,CAAC;IACtC;;;OAGG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,YAAY,EAAE,CAAC;IAC3C;;;;;;;;;;;;;;;;;;OAkBG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,aAAa,EAAE,CAAC;IACnD;;;;OAIG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B;;;OAGG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/C;;;OAGG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAC5B;;;OAGG;IACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,oDAAoD,EAAE,KAAK,KAAK,IAAI,CAAC;IACjH;;;OAGG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,MAAM,IAAI,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,QAAQ,EAAE,aAAa,KAAK,IAAI,CAAC;IAC7D;;;OAGG;IACH,QAAQ,CAAC,2BAA2B,CAAC,EAAE,CAAC,QAAQ,EAAE,aAAa,KAAK,IAAI,CAAC;IACzE;;OAEG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC,QAAQ,EAAE,aAAa,KAAK,IAAI,CAAC;IACnE;;;OAGG;IACH,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IACtC,qDAAqD;IACrD,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,wBAAgB,eAAe,CAAC,EAC9B,GAAG,EACH,IAAI,EACJ,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,aAAa,EACb,OAAO,EACP,cAAc,EACd,SAAS,EACT,WAAW,EACX,UAAU,EACV,QAAgB,EAChB,iBAAiB,EACjB,qBAAqB,EACrB,eAAe,EACf,2BAA2B,EAC3B,qBAAqB,EACrB,mBAAmB,EACnB,SAAS,GACV,EAAE,oBAAoB,2CAkMtB"}

package/agent/AgentDetailView.js

@@ -1,13 +1,15 @@
 "use client";
-import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { jsx as _jsx, Fragment as _Fragment, jsxs as _jsxs } from "react/jsx-runtime";
 import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { cn } from "@stigmer/theme";
 import { timestampDate } from "@bufbuild/protobuf/wkt";
+import { ApiResourceKind } from "@stigmer/protos/ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb";
 import { useAgent } from "./useAgent";
 import { useUpdateAgent } from "./useUpdateAgent";
 import { agentToInput } from "./internal/agentToInput";
 import { ErrorMessage } from "../error/ErrorMessage";
-import { ResourceVisibilityControl } from "../library/ResourceVisibilityControl";
+import { VisibilityBadge } from "../library/VisibilitySelector";
+import { useManageAccess } from "../access/useManageAccess";
 import { ResourceDetailShell } from "../resource-detail/ResourceDetailShell";
 import { Section } from "../resource-detail/Section";
 import { useDetailTabs } from "../resource-detail/useDetailTabs";
@@ -112,6 +114,29 @@ export function AgentDetailView({ org, slug, onMcpServerClick, onSkillClick, onR
             onResourceLoadRef.current?.({ name: agent.metadata.name, id: agent.metadata.id });
         }
     }, [agent]);
+    // Unified Manage access — visibility (General access) over explicit grants
+    // (People), opened from the kebab. Derived from the loaded metadata, so the
+    // action stays null until the resource is ready (and folds harmlessly into
+    // the actions array meanwhile).
+    const access = useManageAccess({
+        resource: agent?.metadata
+            ? {
+                kind: ApiResourceKind.agent,
+                kindString: "agent",
+                id: agent.metadata.id,
+                org: agent.metadata.org,
+                name: agent.metadata.name,
+            }
+            : null,
+        visibility: agent?.metadata
+            ? {
+                kind: "agent",
+                current: agent.metadata.visibility,
+                org: agent.metadata.org,
+                onChanged: refetch,
+            }
+            : undefined,
+    });
     if (isLoading)
         return _jsx(LoadingSkeleton, { className: className });
     if (error)
@@ -135,7 +160,12 @@ export function AgentDetailView({ org, slug, onMcpServerClick, onSkillClick, onR
         createdAt: specAudit?.createdAt ? timestampDate(specAudit.createdAt) : null,
         updatedAt: specAudit?.updatedAt ? timestampDate(specAudit.updatedAt) : null,
     };
-    const visibilityControl = meta ? (_jsx(ResourceVisibilityControl, { kind: "agent", resourceId: meta.id, visibility: meta.visibility, org: meta.org || org, onChanged: refetch })) : undefined;
+    // Inline visibility is read-only (at-a-glance); editing lives in the
+    // Manage access dialog, the single writer for both access axes.
+    const visibilityControl = meta ? (_jsx(VisibilityBadge, { visibility: meta.visibility })) : undefined;
+    const mergedActions = access.action
+        ? [...(actions ?? []), access.action]
+        : actions;
     let tabContent;
     if (activeAdditionalTab) {
         tabContent = activeAdditionalTab.content;
@@ -149,7 +179,7 @@ export function AgentDetailView({ org, slug, onMcpServerClick, onSkillClick, onR
     else {
         tabContent = (_jsx(AgentOverview, { spec: spec, agentOrg: agentOrg, description: spec?.description, onMcpServerClick: onMcpServerClick, onSkillClick: onSkillClick, editable: editable, isSaving: isUpdating, saveField: saveField }));
     }
-    return (_jsx(ResourceDetailShell, { header: headerMeta, visibilityControl: visibilityControl, primaryAction: primaryAction, actions: actions, tabs: effectiveTabs, activeTab: effectiveTabs ? effectiveActiveTab : undefined, onTabChange: effectiveTabs ? effectiveOnTabChange : undefined, tabsAriaLabel: "Agent detail sections", className: className, children: tabContent }));
+    return (_jsxs(_Fragment, { children: [_jsx(ResourceDetailShell, { header: headerMeta, visibilityControl: visibilityControl, primaryAction: primaryAction, actions: mergedActions, tabs: effectiveTabs, activeTab: effectiveTabs ? effectiveActiveTab : undefined, onTabChange: effectiveTabs ? effectiveOnTabChange : undefined, tabsAriaLabel: "Agent detail sections", className: className, children: tabContent }), access.dialog] }));
 }
 // ---------------------------------------------------------------------------
 // Overview content — the agent's configuration sections