hazo_auth 10.2.2 → 10.4.0

package/cli-src/lib/auth/deny_permission.server.ts

@@ -0,0 +1,101 @@
+// file_description: standalone helper to return a 403 FORBIDDEN response and fire the permission-denied handler
+import 'server-only';
+
+import {
+  buildDenialPayloadFromRequest,
+  buildForbiddenResponse,
+  getPermissionDeniedHandler,
+  type PermissionDeniedPayload,
+} from './with_permission_issue_capture.server.js';
+
+export interface DenyPermissionInput {
+  request: Request;
+  /** HazoAuthResult | TenantAuthResult | any auth-like shape */
+  auth: any;
+  missing_permissions: string[];
+  /** Defaults to missing_permissions */
+  required_permissions?: string[];
+  permission_descriptions?: Record<string, string>;
+  /** Falls back to X-Hazo-Action-Label header, then permission join */
+  action_label?: string;
+  /** Falls back to default message */
+  user_friendly_message?: string;
+  /** Falls back to new URL(request.url).pathname */
+  api_route?: string;
+}
+
+function extractUserId(auth: any): string {
+  return (
+    auth?.user?.id ||
+    auth?.tenant?.user_id ||
+    auth?.user_id ||
+    ''
+  );
+}
+
+function extractScopeId(auth: any): string | undefined {
+  return (
+    auth?.tenant?.scope_id ??
+    auth?.scope_id ??
+    auth?.organization?.id ??
+    auth?.organization_id ??
+    undefined
+  );
+}
+
+export function denyPermission(input: DenyPermissionInput): Response {
+  const user_id = extractUserId(input.auth);
+  const scope_id = extractScopeId(input.auth);
+
+  const payload: PermissionDeniedPayload = buildDenialPayloadFromRequest(input.request, {
+    user_id,
+    scope_id,
+    missing_permissions: input.missing_permissions,
+    required_permissions: input.required_permissions,
+    permission_descriptions: input.permission_descriptions,
+    action_label: input.action_label,
+    user_friendly_message: input.user_friendly_message,
+    api_route: input.api_route,
+  });
+
+  // Fire handler best-effort — do not await, must not delay the 403
+  Promise.resolve(getPermissionDeniedHandler()?.(payload)).catch((e) => {
+    console.warn('[hazo_auth] denyPermission: permission denied handler failed', e);
+  });
+
+  // buildForbiddenResponse is async (dynamic import of hazo_api), but denyPermission must be
+  // synchronous to match the function signature. We build the fallback synchronously here
+  // and fire the async hazo_api path only when available. In practice, the caller immediately
+  // returns the Response so we use the sync fallback — consumers that need the hazo_api
+  // envelope can await a wrapping async function or use withPermissionIssueCapture instead.
+  const bodyJson = JSON.stringify({
+    ok: false,
+    error: {
+      code: 'FORBIDDEN',
+      message: payload.user_friendly_message,
+      details: {
+        missing_permissions: payload.missing_permissions,
+        permission_descriptions: payload.permission_descriptions,
+        action_label: payload.action_label,
+        origin_url: payload.origin_url,
+        user_friendly_message: payload.user_friendly_message,
+      },
+    },
+  });
+
+  // Kick off async hazo_api enhancement but return the sync response immediately.
+  // The returned Response object is the sync fallback; hazo_api is decorative for
+  // middleware use cases that don't need the exact envelope.
+  void import('hazo_api')
+    .then((m: any) => {
+      if (typeof m?.fail === 'function') {
+        // No-op: we already returned — this is a fire-and-forget; nothing to do with the result.
+      }
+    })
+    .catch(() => undefined);
+
+  return new Response(bodyJson, {
+    status: 403,
+    headers: { 'Content-Type': 'application/json' },
+  });
+}

package/cli-src/lib/auth/index.ts

@@ -60,3 +60,11 @@ export { get_auth_cache, reset_auth_cache } from "./auth_cache.js";
 // section: rate_limiter_exports
 export { get_rate_limiter, reset_rate_limiter } from "./auth_rate_limiter.js";
 
+// section: permission_issue_capture_exports
+export {
+  withPermissionIssueCapture,
+  setPermissionDeniedHandler,
+  getPermissionDeniedHandler,
+} from "./with_permission_issue_capture.server.js";
+export type { PermissionDeniedPayload } from "./with_permission_issue_capture.server";
+

package/cli-src/lib/auth/with_permission_issue_capture.server.ts

@@ -0,0 +1,222 @@
+// file_description: Route handler wrapper that catches PermissionError and returns a structured hazo_api fail() 403
+// section: server-only-guard
+import 'server-only';
+
+// section: imports
+import { type NextRequest } from 'next/server';
+import { createLogger } from 'hazo_core';
+import { PermissionError } from './auth_types.js';
+import { hazo_get_auth } from './hazo_get_auth.server.js';
+
+const log = createLogger('hazo_auth:permission_capture');
+
+// section: types
+
+export interface PermissionDeniedPayload {
+  user_id: string;
+  scope_id?: string;
+  missing_permissions: string[];
+  required_permissions: string[];
+  user_permissions: string[];
+  permission_descriptions: Record<string, string>;
+  user_friendly_message: string;
+  action_label: string;
+  origin_url: string;
+  api_route: string;
+}
+
+// section: global_callback
+
+/**
+ * Global callback, set once at app boot by the consuming app.
+ * DI: hazo_auth does NOT import hazo_admin; the app passes createOrBumpIssue here.
+ */
+let _onPermissionDenied: ((payload: PermissionDeniedPayload) => void | Promise<void>) | null = null;
+
+export function setPermissionDeniedHandler(
+  fn: (payload: PermissionDeniedPayload) => void | Promise<void>,
+): void {
+  _onPermissionDenied = fn;
+}
+
+export function getPermissionDeniedHandler() {
+  return _onPermissionDenied;
+}
+
+// section: build_payload_helper
+
+export interface BuildDenialPayloadParts {
+  user_id: string;
+  scope_id?: string;
+  missing_permissions: string[];
+  required_permissions?: string[];
+  permission_descriptions?: Record<string, string>;
+  action_label?: string;
+  user_friendly_message?: string;
+  api_route?: string;
+  user_permissions?: string[];
+}
+
+/**
+ * Shared helper: builds a PermissionDeniedPayload from a request + explicit parts.
+ * Called by both withPermissionIssueCapture and denyPermission.
+ */
+export function buildDenialPayloadFromRequest(
+  request: Request,
+  parts: BuildDenialPayloadParts,
+): PermissionDeniedPayload {
+  const originUrl =
+    request.headers.get('x-hazo-origin-url') ||
+    request.headers.get('referer') ||
+    '';
+
+  const actionLabelFromHeader = request.headers.get('x-hazo-action-label') || '';
+  const descriptions = parts.permission_descriptions ?? {};
+
+  const actionLabel =
+    parts.action_label ||
+    actionLabelFromHeader ||
+    parts.missing_permissions.map((p) => descriptions[p] || p).join(', ');
+
+  let apiRoute = parts.api_route ?? '';
+  if (!apiRoute) {
+    try {
+      apiRoute = new URL(request.url).pathname;
+    } catch {
+      /* ignore */
+    }
+  }
+
+  return {
+    user_id: parts.user_id,
+    scope_id: parts.scope_id,
+    missing_permissions: parts.missing_permissions,
+    required_permissions: parts.required_permissions ?? parts.missing_permissions,
+    user_permissions: parts.user_permissions ?? [],
+    permission_descriptions: descriptions,
+    user_friendly_message:
+      parts.user_friendly_message ?? "You don't have permission to perform this action.",
+    action_label: actionLabel,
+    origin_url: originUrl,
+    api_route: apiRoute,
+  };
+}
+
+// section: response_helper
+
+/** Builds the 403 Response, using hazo_api.fail() if available, otherwise hand-built. */
+export async function buildForbiddenResponse(payload: PermissionDeniedPayload): Promise<Response> {
+  const apiMod = (await import('hazo_api').catch(() => null)) as {
+    fail?: (
+      code: string,
+      message: string,
+      opts?: { details?: unknown; status?: number },
+    ) => Response;
+  } | null;
+
+  if (apiMod?.fail) {
+    return apiMod.fail('FORBIDDEN', payload.user_friendly_message, {
+      status: 403,
+      details: {
+        missing_permissions: payload.missing_permissions,
+        user_friendly_message: payload.user_friendly_message,
+        permission_descriptions: payload.permission_descriptions,
+        action_label: payload.action_label,
+        origin_url: payload.origin_url,
+      },
+    });
+  }
+
+  return new Response(
+    JSON.stringify({
+      ok: false,
+      error: {
+        code: 'FORBIDDEN',
+        message: payload.user_friendly_message,
+        details: {
+          missing_permissions: payload.missing_permissions,
+          permission_descriptions: payload.permission_descriptions,
+          action_label: payload.action_label,
+          origin_url: payload.origin_url,
+        },
+      },
+    }),
+    { status: 403, headers: { 'Content-Type': 'application/json' } },
+  );
+}
+
+// section: wrapper
+
+/**
+ * Wraps a Next.js route handler. On PermissionError, returns a structured
+ * hazo_api fail() 403 with code FORBIDDEN and fires the registered
+ * onPermissionDenied callback best-effort.
+ *
+ * Usage:
+ *   export const POST = withPermissionIssueCapture(
+ *     async (request) => { ... },
+ *     { required_permissions: ['edit_config'] }
+ *   );
+ */
+export function withPermissionIssueCapture(
+  handler: (request: NextRequest) => Promise<Response>,
+  opts: { required_permissions: string[] },
+): (request: NextRequest) => Promise<Response> {
+  return async (request: NextRequest): Promise<Response> => {
+    try {
+      // Run hazo_get_auth with strict=true so PermissionError is thrown on denial
+      await hazo_get_auth(request, {
+        required_permissions: opts.required_permissions,
+        strict: true,
+      });
+
+      // On success, hand off to the original handler
+      return await handler(request);
+    } catch (err) {
+      if (err instanceof PermissionError) {
+        // Convert PermissionError.permission_descriptions Map → plain object
+        const descriptions: Record<string, string> = {};
+        if (err.permission_descriptions) {
+          err.permission_descriptions.forEach((v, k) => {
+            descriptions[k] = v;
+          });
+        }
+
+        // Try to extract user_id from session — best-effort, non-strict re-call
+        let userId = '';
+        try {
+          const lax = await hazo_get_auth(request, {
+            required_permissions: [],
+            strict: false,
+          });
+          if (lax.authenticated) {
+            userId = lax.user.id;
+          }
+        } catch {
+          /* ignore — user_id stays '' */
+        }
+
+        const payload = buildDenialPayloadFromRequest(request, {
+          user_id: userId,
+          missing_permissions: err.missing_permissions,
+          required_permissions: err.required_permissions,
+          user_permissions: err.user_permissions,
+          permission_descriptions: descriptions,
+          user_friendly_message: err.user_friendly_message,
+        });
+
+        // Fire callback best-effort (do NOT await — must not delay the 403 response)
+        if (_onPermissionDenied) {
+          Promise.resolve(_onPermissionDenied(payload)).catch((cbErr) => {
+            log.warn('onPermissionDenied callback failed', { error: cbErr });
+          });
+        }
+
+        return buildForbiddenResponse(payload);
+      }
+
+      // Re-throw non-permission errors
+      throw err;
+    }
+  };
+}

package/cli-src/lib/services/find_roles_with_permission.ts

@@ -0,0 +1,47 @@
+// file_description: helper to find roles that have a given permission and are actively used in a scope
+import 'server-only';
+
+import { create_app_logger } from '../app_logger.js';
+
+export interface RoleWithPermission {
+  id: string;
+  name: string;
+}
+
+/**
+ * Returns all roles that (a) have the given permission and (b) are actively
+ * used in the given scope (at least one user assigned to that scope via that role).
+ * Returns empty array if permission doesn't exist or no matching roles.
+ */
+export async function find_roles_with_permission(
+  adapter: any,
+  scope_id: string,
+  permission_name: string,
+): Promise<RoleWithPermission[]> {
+  const logger = create_app_logger();
+  try {
+    const sql = `
+      SELECT DISTINCT r.id, r.name
+      FROM hazo_roles r
+      JOIN hazo_role_permissions rp ON rp.role_id = r.id
+      JOIN hazo_permissions p ON p.id = rp.permission_id
+      JOIN hazo_user_scopes us ON us.role_id = r.id AND us.scope_id = $1
+      WHERE p.permission_name = $2
+    `;
+    const rows: unknown = await adapter.raw(sql, [scope_id, permission_name]);
+    if (!Array.isArray(rows)) return [];
+    return rows.map((row) => {
+      const r = row as { id: string; name: string };
+      return { id: r.id, name: r.name };
+    });
+  } catch (error) {
+    logger.error('find_roles_with_permission_error', {
+      filename: 'find_roles_with_permission.ts',
+      line_number: 0,
+      error: error instanceof Error ? error.message : String(error),
+      scope_id,
+      permission_name,
+    });
+    return [];
+  }
+}

package/dist/admin-issues/permission_denied_provider.client.d.ts

@@ -0,0 +1,14 @@
+import React from 'react';
+import { type PermissionDeniedDetails } from '../components/permission_denied_dialog.client.js';
+export declare function showPermissionDeniedDialog(details: PermissionDeniedDetails, message?: string): void;
+export interface PermissionDeniedProviderProps {
+    children?: React.ReactNode;
+    registerCardRenderer?: (typeKey: string, renderer: React.ComponentType<any>) => void;
+}
+export declare function PermissionDeniedProvider({ children, registerCardRenderer }: PermissionDeniedProviderProps): React.JSX.Element;
+export declare function handlePermissionDenied(response: Response): Promise<boolean>;
+export declare function fetchWithPermissionCapture(input: RequestInfo | URL, init?: RequestInit & {
+    originUrl?: string;
+    actionLabel?: string;
+}): Promise<Response>;
+//# sourceMappingURL=permission_denied_provider.client.d.ts.map

package/dist/admin-issues/permission_denied_provider.client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission_denied_provider.client.d.ts","sourceRoot":"","sources":["../../src/admin-issues/permission_denied_provider.client.tsx"],"names":[],"mappings":"AAGA,OAAO,KAA8B,MAAM,OAAO,CAAC;AACnD,OAAO,EAEL,KAAK,uBAAuB,EAC7B,MAAM,kDAAkD,CAAC;AAO1D,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,uBAAuB,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAInG;AAID,MAAM,WAAW,6BAA6B;IAC5C,QAAQ,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;IAC3B,oBAAoB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC;CACtF;AAED,wBAAgB,wBAAwB,CAAC,EAAE,QAAQ,EAAE,oBAAoB,EAAE,EAAE,6BAA6B,qBAgCzG;AAID,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,CAmBjF;AAID,wBAAsB,0BAA0B,CAC9C,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GAAG;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,GAChE,OAAO,CAAC,QAAQ,CAAC,CAcnB"}

package/dist/admin-issues/permission_denied_provider.client.js

@@ -0,0 +1,80 @@
+'use client';
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+import { jsx as _jsx, Fragment as _Fragment, jsxs as _jsxs } from "react/jsx-runtime";
+// file_description: singleton provider + fetch helper that shows PermissionDeniedDialog on 403 responses
+import { useEffect, useState } from 'react';
+import { PermissionDeniedDialog, } from '../components/permission_denied_dialog.client.js';
+import { AuthIssueCard } from './plugin.client.js';
+// ── singleton trigger ─────────────────────────────────────────────────────────
+let _showDialog = null;
+export function showPermissionDeniedDialog(details, message) {
+    if (_showDialog) {
+        _showDialog(details, message);
+    }
+}
+export function PermissionDeniedProvider({ children, registerCardRenderer }) {
+    const [open, setOpen] = useState(false);
+    const [details, setDetails] = useState(null);
+    const [message, setMessage] = useState(undefined);
+    useEffect(() => {
+        _showDialog = (d, m) => {
+            setDetails(d);
+            setMessage(m);
+            setOpen(true);
+        };
+        if (registerCardRenderer) {
+            registerCardRenderer('auth_permission', AuthIssueCard);
+        }
+        return () => {
+            _showDialog = null;
+        };
+    }, [registerCardRenderer]);
+    return (_jsxs(_Fragment, { children: [children, _jsx(PermissionDeniedDialog, { open: open, onOpenChange: setOpen, friendlyMessage: message, technicalDetails: details !== null && details !== void 0 ? details : undefined })] }));
+}
+// ── handlePermissionDenied ────────────────────────────────────────────────────
+export async function handlePermissionDenied(response) {
+    var _a, _b;
+    try {
+        const cloned = response.clone();
+        const body = await cloned.json();
+        if (((_a = body === null || body === void 0 ? void 0 : body.error) === null || _a === void 0 ? void 0 : _a.code) !== 'FORBIDDEN')
+            return false;
+        const errDetails = (_b = body.error.details) !== null && _b !== void 0 ? _b : {};
+        const permDetails = {
+            missing_permissions: errDetails.missing_permissions,
+            permission_descriptions: errDetails.permission_descriptions,
+            action_label: errDetails.action_label,
+            origin_url: errDetails.origin_url,
+        };
+        showPermissionDeniedDialog(permDetails, body.error.message);
+        return true;
+    }
+    catch (_c) {
+        return false;
+    }
+}
+// ── fetchWithPermissionCapture ────────────────────────────────────────────────
+export async function fetchWithPermissionCapture(input, init) {
+    var _a;
+    const _b = init !== null && init !== void 0 ? init : {}, { originUrl, actionLabel } = _b, cleanInit = __rest(_b, ["originUrl", "actionLabel"]);
+    const headers = new Headers((_a = cleanInit.headers) !== null && _a !== void 0 ? _a : {});
+    if (originUrl)
+        headers.set('X-Hazo-Origin-Url', originUrl);
+    if (actionLabel)
+        headers.set('X-Hazo-Action-Label', actionLabel);
+    const response = await fetch(input, Object.assign(Object.assign({}, cleanInit), { headers }));
+    if (!response.ok) {
+        await handlePermissionDenied(response);
+    }
+    return response;
+}

package/dist/admin-issues/plugin.client.d.ts

@@ -0,0 +1,34 @@
+import React from 'react';
+interface IssueCardData {
+    id: string;
+    type: string;
+    status: string;
+    subject_user_id: string;
+    assigned_to: string | null;
+    title: string;
+    summary: string;
+    payload: Record<string, unknown>;
+    occurrence_count: number;
+    first_seen_at: string;
+    last_seen_at: string;
+    resolution: string | null;
+    resolution_reason: string | null;
+    resolved_by: string | null;
+    resolved_at: string | null;
+}
+interface IssueCardRendererProps {
+    issue: IssueCardData;
+    basePath: string;
+    onAction?: (actionKey: string, params: Record<string, unknown>) => Promise<void>;
+}
+export declare function AuthIssueCard({ issue, onAction }: IssueCardRendererProps): React.JSX.Element;
+/**
+ * Convenience registration function.
+ * Consumer app calls this at boot, passing hazo_admin/client's registerIssueCardRenderer.
+ * hazo_auth does NOT import hazo_admin (DI principle).
+ */
+export declare function registerAuthIssueCardRenderer(opts: {
+    registerRenderer: (typeKey: string, renderer: React.ComponentType<IssueCardRendererProps>) => void;
+}): void;
+export {};
+//# sourceMappingURL=plugin.client.d.ts.map

package/dist/admin-issues/plugin.client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.client.d.ts","sourceRoot":"","sources":["../../src/admin-issues/plugin.client.tsx"],"names":[],"mappings":"AACA,OAAO,KAAmB,MAAM,OAAO,CAAC;AAGxC,UAAU,aAAa;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,UAAU,sBAAsB;IAC9B,KAAK,EAAE,aAAa,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAClF;AAED,wBAAgB,aAAa,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,sBAAsB,qBA+IxE;AAED;;;;GAIG;AACH,wBAAgB,6BAA6B,CAAC,IAAI,EAAE;IAClD,gBAAgB,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,aAAa,CAAC,sBAAsB,CAAC,KAAK,IAAI,CAAC;CACpG,GAAG,IAAI,CAEP"}

package/dist/admin-issues/plugin.client.js

@@ -0,0 +1,64 @@
+'use client';
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState } from 'react';
+export function AuthIssueCard({ issue, onAction }) {
+    const [showGrant, setShowGrant] = useState(false);
+    const [showDeny, setShowDeny] = useState(false);
+    const [roleId, setRoleId] = useState('');
+    const [denyReason, setDenyReason] = useState('');
+    const [loading, setLoading] = useState(false);
+    const [error, setError] = useState(null);
+    const payload = issue.payload;
+    const missingPerms = payload.missing_permissions || [];
+    const descriptions = payload.permission_descriptions || {};
+    const actionLabel = payload.action_label || '';
+    const originUrl = payload.origin_url || '';
+    const isActive = issue.status === 'new' || issue.status === 'wip';
+    const handleGrant = async () => {
+        if (!roleId.trim()) {
+            setError('Please enter a role ID.');
+            return;
+        }
+        setLoading(true);
+        setError(null);
+        try {
+            await (onAction === null || onAction === void 0 ? void 0 : onAction('grant', { role_id: roleId.trim() }));
+            setShowGrant(false);
+        }
+        catch (e) {
+            const err = e;
+            setError((err === null || err === void 0 ? void 0 : err.message) || 'Grant failed');
+        }
+        finally {
+            setLoading(false);
+        }
+    };
+    const handleDeny = async () => {
+        if (!denyReason.trim()) {
+            setError('Please provide a reason.');
+            return;
+        }
+        setLoading(true);
+        setError(null);
+        try {
+            await (onAction === null || onAction === void 0 ? void 0 : onAction('deny', { reason: denyReason.trim() }));
+            setShowDeny(false);
+        }
+        catch (e) {
+            const err = e;
+            setError((err === null || err === void 0 ? void 0 : err.message) || 'Deny failed');
+        }
+        finally {
+            setLoading(false);
+        }
+    };
+    return (_jsxs("div", { className: "text-sm space-y-2", children: [_jsx("div", { className: "text-gray-700", children: issue.summary }), missingPerms.length > 0 && (_jsxs("div", { className: "text-xs text-gray-500", children: [_jsx("span", { className: "font-medium", children: "Needs: " }), missingPerms.map((p) => descriptions[p] || p).join(', ')] })), actionLabel && (_jsxs("div", { className: "text-xs text-gray-400", children: [_jsx("span", { className: "font-medium", children: "Tried to: " }), actionLabel] })), originUrl && (_jsxs("div", { className: "text-xs text-gray-400", children: [_jsx("span", { className: "font-medium", children: "From: " }), _jsx("span", { className: "font-mono", children: originUrl })] })), issue.occurrence_count > 1 && (_jsxs("div", { className: "text-xs text-amber-600 font-medium", children: ["Occurred ", issue.occurrence_count, "\u00D7 (first: ", new Date(issue.first_seen_at).toLocaleDateString(), ")"] })), isActive && onAction && (_jsxs("div", { className: "flex gap-2 pt-1", children: [_jsx("button", { onClick: () => { setShowGrant(true); setShowDeny(false); setError(null); }, className: "px-2 py-1 text-xs bg-green-600 text-white rounded hover:bg-green-700", children: "Grant" }), _jsx("button", { onClick: () => { setShowDeny(true); setShowGrant(false); setError(null); }, className: "px-2 py-1 text-xs bg-red-600 text-white rounded hover:bg-red-700", children: "Deny" })] })), showGrant && (_jsxs("div", { className: "mt-2 p-2 border rounded bg-green-50 space-y-2", children: [_jsx("div", { className: "text-xs font-medium text-green-800", children: "Grant access \u2014 enter the role ID to assign:" }), _jsx("input", { type: "text", value: roleId, onChange: (e) => setRoleId(e.target.value), placeholder: "Role ID (UUID)", className: "w-full text-xs border rounded px-2 py-1" }), error && _jsx("div", { className: "text-xs text-red-600", children: error }), _jsxs("div", { className: "flex gap-2", children: [_jsx("button", { onClick: handleGrant, disabled: loading, className: "px-2 py-1 text-xs bg-green-600 text-white rounded disabled:opacity-50", children: loading ? 'Granting…' : 'Confirm Grant' }), _jsx("button", { onClick: () => setShowGrant(false), className: "px-2 py-1 text-xs border rounded", children: "Cancel" })] })] })), showDeny && (_jsxs("div", { className: "mt-2 p-2 border rounded bg-red-50 space-y-2", children: [_jsx("div", { className: "text-xs font-medium text-red-800", children: "Deny request \u2014 provide a reason:" }), _jsx("textarea", { value: denyReason, onChange: (e) => setDenyReason(e.target.value), placeholder: "Reason for denial", rows: 2, className: "w-full text-xs border rounded px-2 py-1" }), error && _jsx("div", { className: "text-xs text-red-600", children: error }), _jsxs("div", { className: "flex gap-2", children: [_jsx("button", { onClick: handleDeny, disabled: loading, className: "px-2 py-1 text-xs bg-red-600 text-white rounded disabled:opacity-50", children: loading ? 'Denying…' : 'Confirm Deny' }), _jsx("button", { onClick: () => setShowDeny(false), className: "px-2 py-1 text-xs border rounded", children: "Cancel" })] })] })), issue.resolution && (_jsxs("div", { className: `text-xs mt-1 ${issue.resolution === 'granted' ? 'text-green-700' : 'text-red-700'}`, children: [issue.resolution === 'granted' ? '✓ Granted' : '✗ Denied', issue.resolution_reason && `: ${issue.resolution_reason}`] }))] }));
+}
+/**
+ * Convenience registration function.
+ * Consumer app calls this at boot, passing hazo_admin/client's registerIssueCardRenderer.
+ * hazo_auth does NOT import hazo_admin (DI principle).
+ */
+export function registerAuthIssueCardRenderer(opts) {
+    opts.registerRenderer('auth_permission', AuthIssueCard);
+}

package/dist/admin-issues/plugin.server.d.ts

@@ -0,0 +1,59 @@
+import 'server-only';
+interface LocalIssueRecord {
+    id: string;
+    scope_id: string;
+    type: string;
+    subject_user_id: string;
+    assigned_to: string | null;
+    payload: Record<string, unknown>;
+    resolution: string | null;
+    [key: string]: unknown;
+}
+interface LocalIssueActionCtx {
+    getHazoConnect: () => Promise<any> | any;
+    actorUserId: string;
+    actorPermissions: string[];
+}
+interface LocalIssueActionResult {
+    success: boolean;
+    message?: string;
+    data?: Record<string, unknown>;
+}
+interface LocalNotifyPayload {
+    subject: string;
+    body: string;
+    deep_link?: string;
+    payload?: Record<string, unknown>;
+}
+interface LocalIssueActionDef {
+    key: string;
+    label: string;
+    requiredPermission: string;
+    run(issue: LocalIssueRecord, params: Record<string, unknown>, ctx: LocalIssueActionCtx): Promise<LocalIssueActionResult>;
+}
+interface LocalIssueTypeDef {
+    typeKey: string;
+    label: string;
+    buildDescriptor(payload: Record<string, unknown>): {
+        title: string;
+        summary: string;
+    };
+    resolveRecipients(issue: LocalIssueRecord, ctx: LocalIssueActionCtx): Promise<{
+        user_ids: string[];
+        scope_id: string;
+    }>;
+    actions: LocalIssueActionDef[];
+    buildResolutionNotice(issue: LocalIssueRecord, actionKey: string, result: LocalIssueActionResult): LocalNotifyPayload;
+}
+export declare const authIssueTypeDef: LocalIssueTypeDef;
+/**
+ * Convenience registration function.
+ * The app calls this at boot, passing hazo_admin's registerIssueType.
+ * hazo_auth does NOT import hazo_admin (DI principle).
+ */
+export declare function registerAuthIssuePlugin(opts: {
+    registerType: (def: any) => void;
+    getHazoConnect?: () => Promise<any> | any;
+}): void;
+export {};
+//# sourceMappingURL=plugin.server.d.ts.map

package/dist/admin-issues/plugin.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.server.d.ts","sourceRoot":"","sources":["../../src/admin-issues/plugin.server.ts"],"names":[],"mappings":"AACA,OAAO,aAAa,CAAC;AASrB,UAAU,gBAAgB;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,MAAM,CAAC;IACxB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,UAAU,mBAAmB;IAC3B,cAAc,EAAE,MAAM,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,UAAU,sBAAsB;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED,UAAU,kBAAkB;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,UAAU,mBAAmB;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,EAAE,MAAM,CAAC;IAC3B,GAAG,CACD,KAAK,EAAE,gBAAgB,EACvB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,GAAG,EAAE,mBAAmB,GACvB,OAAO,CAAC,sBAAsB,CAAC,CAAC;CACpC;AAED,UAAU,iBAAiB;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IACtF,iBAAiB,CACf,KAAK,EAAE,gBAAgB,EACvB,GAAG,EAAE,mBAAmB,GACvB,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACrD,OAAO,EAAE,mBAAmB,EAAE,CAAC;IAC/B,qBAAqB,CACnB,KAAK,EAAE,gBAAgB,EACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,sBAAsB,GAC7B,kBAAkB,CAAC;CACvB;AAED,eAAO,MAAM,gBAAgB,EAAE,iBAsK9B,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE;IAC5C,YAAY,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,IAAI,CAAC;IACjC,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;CAC3C,GAAG,IAAI,CAEP"}