hazo_auth 10.2.3 → 10.4.0

package/dist/components/permission_denied_dialog.client.js

@@ -0,0 +1,112 @@
+// file_description: dialog component shown when a fetch response returns error.code === 'PERMISSION_DENIED'
+// Probes hazo_ui at mount time (it's a peer dep) and falls back to plain HTML if unavailable.
+'use client';
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+// section: imports
+import React, { useEffect, useState } from 'react';
+// section: ui_probe
+// Lazy-loaded hazo_ui Dialog + Accordion primitives.
+// We use dynamic import so the build never hard-requires hazo_ui to be resolvable.
+let _Dialog = null;
+let _DialogContent = null;
+let _DialogHeader = null;
+let _DialogTitle = null;
+let _DialogDescription = null;
+let _Accordion = null;
+let _AccordionItem = null;
+let _AccordionTrigger = null;
+let _AccordionContent = null;
+let _uiReady = false;
+function probeUi() {
+    if (_uiReady)
+        return Promise.resolve(true);
+    return import('hazo_ui')
+        .then((m) => {
+        _Dialog = m.HazoUiDialogRoot;
+        _DialogContent = m.HazoUiDialogContent;
+        _DialogHeader = m.HazoUiDialogHeader;
+        _DialogTitle = m.HazoUiDialogTitle;
+        _DialogDescription = m.HazoUiDialogDescription;
+        _Accordion = m.Accordion;
+        _AccordionItem = m.AccordionItem;
+        _AccordionTrigger = m.AccordionTrigger;
+        _AccordionContent = m.AccordionContent;
+        _uiReady = true;
+        return true;
+    })
+        .catch(() => false);
+}
+// section: helpers
+/** Only allow http/https/relative URLs in hrefs to prevent javascript:/data: XSS. */
+function sanitizeHref(url) {
+    try {
+        // Relative paths (starting with /) are always safe
+        if (url.startsWith('/'))
+            return url;
+        const u = new URL(url);
+        return (u.protocol === 'http:' || u.protocol === 'https:') ? url : null;
+    }
+    catch (_a) {
+        return null;
+    }
+}
+// section: component
+/**
+ * Dialog shown when a user attempts an action they don't have permission for.
+ * Uses hazo_ui primitives when available, falls back to plain HTML overlay if not.
+ */
+export function PermissionDeniedDialog({ open, onOpenChange, friendlyMessage = "You don't have permission to perform this action. A request has been sent to your administrator.", technicalDetails, }) {
+    var _a, _b, _c;
+    const [uiReady, setUiReady] = useState(false);
+    useEffect(() => {
+        probeUi().then(setUiReady);
+    }, []);
+    const hasTechnical = technicalDetails &&
+        (((_b = (_a = technicalDetails.missing_permissions) === null || _a === void 0 ? void 0 : _a.length) !== null && _b !== void 0 ? _b : 0) > 0 ||
+            technicalDetails.action_label ||
+            technicalDetails.origin_url);
+    if (!open)
+        return null;
+    // Fallback: plain HTML overlay when hazo_ui is not installed
+    if (!uiReady) {
+        return (_jsx("div", { style: {
+                position: 'fixed',
+                inset: 0,
+                background: 'rgba(0,0,0,0.5)',
+                zIndex: 9999,
+                display: 'flex',
+                alignItems: 'center',
+                justifyContent: 'center',
+            }, children: _jsxs("div", { style: {
+                    background: '#fff',
+                    borderRadius: 8,
+                    padding: 24,
+                    maxWidth: 480,
+                    width: '100%',
+                }, children: [_jsx("h2", { style: { margin: '0 0 8px', fontSize: 18, fontWeight: 600 }, children: "Access Required" }), _jsx("p", { style: { margin: '0 0 16px', color: '#555' }, children: friendlyMessage }), _jsx("button", { onClick: () => onOpenChange(false), style: {
+                            padding: '8px 16px',
+                            background: '#000',
+                            color: '#fff',
+                            border: 'none',
+                            borderRadius: 4,
+                            cursor: 'pointer',
+                        }, children: "Close" })] }) }));
+    }
+    // Full hazo_ui dialog with optional technical-details accordion
+    return React.createElement(_Dialog, { open, onOpenChange }, React.createElement(_DialogContent, { className: 'sm:max-w-[480px]' }, React.createElement(_DialogHeader, null, React.createElement(_DialogTitle, null, 'Access Required'), React.createElement(_DialogDescription, null, friendlyMessage)), hasTechnical &&
+        React.createElement(_Accordion, { type: 'single', collapsible: true, className: 'mt-4' }, React.createElement(_AccordionItem, { value: 'details' }, React.createElement(_AccordionTrigger, { className: 'text-sm text-gray-500' }, 'Technical details'), React.createElement(_AccordionContent, null, React.createElement('div', { className: 'text-xs text-gray-600 space-y-2 pt-2' }, ((_c = technicalDetails === null || technicalDetails === void 0 ? void 0 : technicalDetails.missing_permissions) === null || _c === void 0 ? void 0 : _c.length)
+            ? React.createElement('div', null, React.createElement('span', { className: 'font-medium' }, 'Missing permissions: '), technicalDetails.missing_permissions.join(', '))
+            : null, (technicalDetails === null || technicalDetails === void 0 ? void 0 : technicalDetails.action_label)
+            ? React.createElement('div', null, React.createElement('span', { className: 'font-medium' }, 'Action: '), technicalDetails.action_label)
+            : null, (technicalDetails === null || technicalDetails === void 0 ? void 0 : technicalDetails.origin_url)
+            ? React.createElement('div', null, React.createElement('span', { className: 'font-medium' }, 'Return to: '), (() => {
+                const safe = sanitizeHref(technicalDetails.origin_url);
+                return safe
+                    ? React.createElement('a', { href: safe, className: 'underline text-blue-600' }, technicalDetails.origin_url)
+                    : React.createElement('span', { className: 'text-gray-500' }, technicalDetails.origin_url);
+            })())
+            : null)))), React.createElement('div', { className: 'mt-6 flex justify-end' }, React.createElement('button', {
+        onClick: () => onOpenChange(false),
+        className: 'px-4 py-2 text-sm font-medium bg-gray-900 text-white rounded-md hover:bg-gray-800',
+    }, 'Close'))));
+}

package/dist/components/ui/alert-dialog.d.ts

@@ -6,11 +6,11 @@ declare const AlertDialogPortal: React.FC<AlertDialogPrimitive.AlertDialogPortal
 declare const AlertDialogOverlay: React.ForwardRefExoticComponent<Omit<AlertDialogPrimitive.AlertDialogOverlayProps & React.RefAttributes<HTMLDivElement>, "ref"> & React.RefAttributes<HTMLDivElement>>;
 declare const AlertDialogContent: React.ForwardRefExoticComponent<Omit<AlertDialogPrimitive.AlertDialogContentProps & React.RefAttributes<HTMLDivElement>, "ref"> & React.RefAttributes<HTMLDivElement>>;
 declare const AlertDialogHeader: {
-    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): import("react/jsx-runtime").JSX.Element;
+    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): React.JSX.Element;
     displayName: string;
 };
 declare const AlertDialogFooter: {
-    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): import("react/jsx-runtime").JSX.Element;
+    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): React.JSX.Element;
     displayName: string;
 };
 declare const AlertDialogTitle: React.ForwardRefExoticComponent<Omit<AlertDialogPrimitive.AlertDialogTitleProps & React.RefAttributes<HTMLHeadingElement>, "ref"> & React.RefAttributes<HTMLHeadingElement>>;

package/dist/components/ui/dialog.d.ts

@@ -7,11 +7,11 @@ declare const DialogClose: React.ForwardRefExoticComponent<DialogPrimitive.Dialo
 declare const DialogOverlay: React.ForwardRefExoticComponent<Omit<DialogPrimitive.DialogOverlayProps & React.RefAttributes<HTMLDivElement>, "ref"> & React.RefAttributes<HTMLDivElement>>;
 declare const DialogContent: React.ForwardRefExoticComponent<Omit<DialogPrimitive.DialogContentProps & React.RefAttributes<HTMLDivElement>, "ref"> & React.RefAttributes<HTMLDivElement>>;
 declare const DialogHeader: {
-    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): import("react/jsx-runtime").JSX.Element;
+    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): React.JSX.Element;
     displayName: string;
 };
 declare const DialogFooter: {
-    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): import("react/jsx-runtime").JSX.Element;
+    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): React.JSX.Element;
     displayName: string;
 };
 declare const DialogTitle: React.ForwardRefExoticComponent<Omit<DialogPrimitive.DialogTitleProps & React.RefAttributes<HTMLHeadingElement>, "ref"> & React.RefAttributes<HTMLHeadingElement>>;

package/dist/components/ui/dropdown-menu.d.ts

@@ -21,7 +21,7 @@ declare const DropdownMenuLabel: React.ForwardRefExoticComponent<Omit<DropdownMe
 } & React.RefAttributes<HTMLDivElement>>;
 declare const DropdownMenuSeparator: React.ForwardRefExoticComponent<Omit<DropdownMenuPrimitive.DropdownMenuSeparatorProps & React.RefAttributes<HTMLDivElement>, "ref"> & React.RefAttributes<HTMLDivElement>>;
 declare const DropdownMenuShortcut: {
-    ({ className, ...props }: React.HTMLAttributes<HTMLSpanElement>): import("react/jsx-runtime").JSX.Element;
+    ({ className, ...props }: React.HTMLAttributes<HTMLSpanElement>): React.JSX.Element;
     displayName: string;
 };
 export { DropdownMenu, DropdownMenuTrigger, DropdownMenuContent, DropdownMenuItem, DropdownMenuCheckboxItem, DropdownMenuRadioItem, DropdownMenuLabel, DropdownMenuSeparator, DropdownMenuShortcut, DropdownMenuGroup, DropdownMenuPortal, DropdownMenuSub, DropdownMenuSubContent, DropdownMenuSubTrigger, DropdownMenuRadioGroup, };

package/dist/components/ui/hazo_ui_tooltip.d.ts

@@ -22,5 +22,5 @@ export type HazoUITooltipProps = {
  * @param props - Component props including message, icon size, and placement
  * @returns Tooltip component with question mark icon
  */
-export declare function HazoUITooltip({ message, iconSize, iconClassName, side, }: HazoUITooltipProps): import("react/jsx-runtime").JSX.Element;
+export declare function HazoUITooltip({ message, iconSize, iconClassName, side, }: HazoUITooltipProps): import("react").JSX.Element;
 //# sourceMappingURL=hazo_ui_tooltip.d.ts.map

package/dist/components/ui/hazo_ui_tooltip.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hazo_ui_tooltip.d.ts","sourceRoot":"","sources":["../../../src/components/ui/hazo_ui_tooltip.tsx"],"names":[],"mappings":"AASA,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,IAAI,CAAC,EAAE,KAAK,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;CAC5C,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,EAC5B,OAAO,EACP,QAAa,EACb,aAAqD,EACrD,IAAY,GACb,EAAE,kBAAkB,2CAyBpB"}
+{"version":3,"file":"hazo_ui_tooltip.d.ts","sourceRoot":"","sources":["../../../src/components/ui/hazo_ui_tooltip.tsx"],"names":[],"mappings":"AASA,MAAM,MAAM,kBAAkB,GAAG;IAC/B;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,IAAI,CAAC,EAAE,KAAK,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;CAC5C,CAAC;AAGF;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,EAC5B,OAAO,EACP,QAAa,EACb,aAAqD,EACrD,IAAY,GACb,EAAE,kBAAkB,+BAyBpB"}

package/dist/components/ui/sheet.d.ts

@@ -10,11 +10,11 @@ declare const SheetContent: React.ForwardRefExoticComponent<Omit<SheetPrimitive.
     side?: "top" | "right" | "bottom" | "left" | null | undefined;
 } & import("class-variance-authority/types").ClassProp) | undefined) => string> & React.RefAttributes<HTMLDivElement>>;
 declare const SheetHeader: {
-    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): import("react/jsx-runtime").JSX.Element;
+    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): React.JSX.Element;
     displayName: string;
 };
 declare const SheetFooter: {
-    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): import("react/jsx-runtime").JSX.Element;
+    ({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): React.JSX.Element;
     displayName: string;
 };
 declare const SheetTitle: React.ForwardRefExoticComponent<Omit<SheetPrimitive.DialogTitleProps & React.RefAttributes<HTMLHeadingElement>, "ref"> & React.RefAttributes<HTMLHeadingElement>>;

package/dist/components/ui/skeleton.d.ts

@@ -1,3 +1,3 @@
-declare function Skeleton({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): import("react/jsx-runtime").JSX.Element;
+declare function Skeleton({ className, ...props }: React.HTMLAttributes<HTMLDivElement>): import("react").JSX.Element;
 export { Skeleton };
 //# sourceMappingURL=skeleton.d.ts.map

package/dist/components/ui/skeleton.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skeleton.d.ts","sourceRoot":"","sources":["../../../src/components/ui/skeleton.tsx"],"names":[],"mappings":"AAEA,iBAAS,QAAQ,CAAC,EAChB,SAAS,EACT,GAAG,KAAK,EACT,EAAE,KAAK,CAAC,cAAc,CAAC,cAAc,CAAC,2CAOtC;AAED,OAAO,EAAE,QAAQ,EAAE,CAAA"}
+{"version":3,"file":"skeleton.d.ts","sourceRoot":"","sources":["../../../src/components/ui/skeleton.tsx"],"names":[],"mappings":"AAEA,iBAAS,QAAQ,CAAC,EAChB,SAAS,EACT,GAAG,KAAK,EACT,EAAE,KAAK,CAAC,cAAc,CAAC,cAAc,CAAC,+BAOtC;AAED,OAAO,EAAE,QAAQ,EAAE,CAAA"}

package/dist/components/ui/sonner.d.ts

@@ -1,5 +1,5 @@
 import { Toaster as Sonner } from "sonner";
 type ToasterProps = React.ComponentProps<typeof Sonner>;
-declare const Toaster: ({ ...props }: ToasterProps) => import("react/jsx-runtime").JSX.Element;
+declare const Toaster: ({ ...props }: ToasterProps) => import("react").JSX.Element;
 export { Toaster };
 //# sourceMappingURL=sonner.d.ts.map

package/dist/components/ui/sonner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sonner.d.ts","sourceRoot":"","sources":["../../../src/components/ui/sonner.tsx"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,IAAI,MAAM,EAAE,MAAM,QAAQ,CAAA;AAE1C,KAAK,YAAY,GAAG,KAAK,CAAC,cAAc,CAAC,OAAO,MAAM,CAAC,CAAA;AAEvD,QAAA,MAAM,OAAO,GAAI,cAAc,YAAY,4CAqB1C,CAAA;AAED,OAAO,EAAE,OAAO,EAAE,CAAA"}
+{"version":3,"file":"sonner.d.ts","sourceRoot":"","sources":["../../../src/components/ui/sonner.tsx"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,IAAI,MAAM,EAAE,MAAM,QAAQ,CAAA;AAE1C,KAAK,YAAY,GAAG,KAAK,CAAC,cAAc,CAAC,OAAO,MAAM,CAAC,CAAA;AAEvD,QAAA,MAAM,OAAO,GAAI,cAAc,YAAY,gCAqB1C,CAAA;AAED,OAAO,EAAE,OAAO,EAAE,CAAA"}

package/dist/components/ui/tree-view.d.ts

@@ -86,7 +86,7 @@ declare const TreeNode: ({ item, handleSelectChange, expandedItemIds, selectedIt
     draggedItem: TreeDataItem | null;
     renderItem?: (params: TreeRenderItemParams) => React.ReactNode;
     level?: number;
-}) => import("react/jsx-runtime").JSX.Element;
+}) => React.JSX.Element;
 declare const TreeLeaf: React.ForwardRefExoticComponent<React.HTMLAttributes<HTMLDivElement> & {
     item: TreeDataItem;
     level: number;

package/dist/components/ui/tree-view.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tree-view.d.ts","sourceRoot":"","sources":["../../../src/components/ui/tree-view.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,MAAM,OAAO,CAAA;AACzB,OAAO,KAAK,kBAAkB,MAAM,2BAA2B,CAAA;AAiB/D,UAAU,YAAY;IAClB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAClD,YAAY,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC1D,QAAQ,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IACtD,QAAQ,CAAC,EAAE,YAAY,EAAE,CAAA;IACzB,OAAO,CAAC,EAAE,KAAK,CAAC,SAAS,CAAA;IACzB,OAAO,CAAC,EAAE,MAAM,IAAI,CAAA;IACpB,SAAS,CAAC,EAAE,OAAO,CAAA;IACnB,SAAS,CAAC,EAAE,OAAO,CAAA;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;CACrB;AAED,KAAK,oBAAoB,GAAG;IACxB,IAAI,EAAE,YAAY,CAAA;IAClB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,OAAO,CAAA;IACf,UAAU,EAAE,OAAO,CAAA;IACnB,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,WAAW,EAAE,OAAO,CAAA;CACvB,CAAA;AAaD,QAAA,MAAM,QAAQ;UAVJ,YAAY,EAAE,GAAG,YAAY;4BACX,MAAM;qBACb,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI;gBAC7C,OAAO;sBACD,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;qBAC5C,CAAC,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,KAAK,IAAI;iBAChE,CAAC,MAAM,EAAE,oBAAoB,KAAK,KAAK,CAAC,SAAS;wCAoGjE,CAAA;AAeD,QAAA,MAAM,QAAQ;UA1HJ,YAAY,EAAE,GAAG,YAAY;4BACX,MAAM;qBACb,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI;gBAC7C,OAAO;sBACD,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;qBAC5C,CAAC,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,KAAK,IAAI;iBAChE,CAAC,MAAM,EAAE,oBAAoB,KAAK,KAAK,CAAC,SAAS;;qBAwG7C,MAAM;wBACH,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI;qBAC3C,MAAM,EAAE;sBACP,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI;iBACjC,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI;iBAC5B,YAAY,GAAG,IAAI;YACxB,MAAM;wCAmEjB,CAAA;AAGD,QAAA,MAAM,QAAQ,GAAI,+JAYf;IACC,IAAI,EAAE,YAAY,CAAA;IAClB,kBAAkB,EAAE,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI,CAAA;IAC5D,eAAe,EAAE,MAAM,EAAE,CAAA;IACzB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,eAAe,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC7D,eAAe,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC7D,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI,CAAA;IAC9C,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI,CAAA;IACzC,WAAW,EAAE,YAAY,GAAG,IAAI,CAAA;IAChC,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,oBAAoB,KAAK,KAAK,CAAC,SAAS,CAAA;IAC9D,KAAK,CAAC,EAAE,MAAM,CAAA;CACjB,4CAqGA,CAAA;AAED,QAAA,MAAM,QAAQ;UAGA,YAAY;WACX,MAAM;qBACI,MAAM;wBACH,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI;sBAC1C,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI;iBACjC,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI;iBAC5B,YAAY,GAAG,IAAI;iBACnB,CAAC,MAAM,EAAE,oBAAoB,KAAK,KAAK,CAAC,SAAS;wCAoGrE,CAAA;AAGD,QAAA,MAAM,gBAAgB;eAGH,KAAK,CAAC,SAAS;wCA2BhC,CAAA;AAGF,QAAA,MAAM,gBAAgB,oKAcpB,CAAA;AAgDF,OAAO,EACH,QAAQ,EACR,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,QAAQ,EACR,QAAQ,EACR,QAAQ,EACX,CAAA"}
+{"version":3,"file":"tree-view.d.ts","sourceRoot":"","sources":["../../../src/components/ui/tree-view.tsx"],"names":[],"mappings":"AAEA,OAAO,KAAK,MAAM,OAAO,CAAA;AACzB,OAAO,KAAK,kBAAkB,MAAM,2BAA2B,CAAA;AAiB/D,UAAU,YAAY;IAClB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAClD,YAAY,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC1D,QAAQ,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IACtD,QAAQ,CAAC,EAAE,YAAY,EAAE,CAAA;IACzB,OAAO,CAAC,EAAE,KAAK,CAAC,SAAS,CAAA;IACzB,OAAO,CAAC,EAAE,MAAM,IAAI,CAAA;IACpB,SAAS,CAAC,EAAE,OAAO,CAAA;IACnB,SAAS,CAAC,EAAE,OAAO,CAAA;IACnB,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;CACrB;AAED,KAAK,oBAAoB,GAAG;IACxB,IAAI,EAAE,YAAY,CAAA;IAClB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,OAAO,CAAA;IACf,UAAU,EAAE,OAAO,CAAA;IACnB,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,WAAW,EAAE,OAAO,CAAA;CACvB,CAAA;AAaD,QAAA,MAAM,QAAQ;UAVJ,YAAY,EAAE,GAAG,YAAY;4BACX,MAAM;qBACb,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI;gBAC7C,OAAO;sBACD,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;qBAC5C,CAAC,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,KAAK,IAAI;iBAChE,CAAC,MAAM,EAAE,oBAAoB,KAAK,KAAK,CAAC,SAAS;wCAoGjE,CAAA;AAeD,QAAA,MAAM,QAAQ;UA1HJ,YAAY,EAAE,GAAG,YAAY;4BACX,MAAM;qBACb,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI;gBAC7C,OAAO;sBACD,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;qBAC5C,CAAC,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,KAAK,IAAI;iBAChE,CAAC,MAAM,EAAE,oBAAoB,KAAK,KAAK,CAAC,SAAS;;qBAwG7C,MAAM;wBACH,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI;qBAC3C,MAAM,EAAE;sBACP,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI;iBACjC,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI;iBAC5B,YAAY,GAAG,IAAI;YACxB,MAAM;wCAmEjB,CAAA;AAGD,QAAA,MAAM,QAAQ,GAAI,+JAYf;IACC,IAAI,EAAE,YAAY,CAAA;IAClB,kBAAkB,EAAE,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI,CAAA;IAC5D,eAAe,EAAE,MAAM,EAAE,CAAA;IACzB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,eAAe,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC7D,eAAe,CAAC,EAAE,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAC7D,eAAe,CAAC,EAAE,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI,CAAA;IAC9C,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI,CAAA;IACzC,WAAW,EAAE,YAAY,GAAG,IAAI,CAAA;IAChC,UAAU,CAAC,EAAE,CAAC,MAAM,EAAE,oBAAoB,KAAK,KAAK,CAAC,SAAS,CAAA;IAC9D,KAAK,CAAC,EAAE,MAAM,CAAA;CACjB,sBAqGA,CAAA;AAED,QAAA,MAAM,QAAQ;UAGA,YAAY;WACX,MAAM;qBACI,MAAM;wBACH,CAAC,IAAI,EAAE,YAAY,GAAG,SAAS,KAAK,IAAI;sBAC1C,KAAK,CAAC,aAAa,CAAC;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;sBAC3C,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI;iBACjC,CAAC,IAAI,EAAE,YAAY,KAAK,IAAI;iBAC5B,YAAY,GAAG,IAAI;iBACnB,CAAC,MAAM,EAAE,oBAAoB,KAAK,KAAK,CAAC,SAAS;wCAoGrE,CAAA;AAGD,QAAA,MAAM,gBAAgB;eAGH,KAAK,CAAC,SAAS;wCA2BhC,CAAA;AAGF,QAAA,MAAM,gBAAgB,oKAcpB,CAAA;AAgDF,OAAO,EACH,QAAQ,EACR,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,QAAQ,EACR,QAAQ,EACR,QAAQ,EACX,CAAA"}

package/dist/components/ui/user-type-badge.d.ts

@@ -19,5 +19,5 @@ export type UserTypeBadgeProps = {
  * // Using custom hex color
  * <UserTypeBadge label="VIP" color="#FFD700" />
  */
-export declare function UserTypeBadge({ label, color, className }: UserTypeBadgeProps): import("react/jsx-runtime").JSX.Element;
+export declare function UserTypeBadge({ label, color, className }: UserTypeBadgeProps): import("react").JSX.Element;
 //# sourceMappingURL=user-type-badge.d.ts.map

package/dist/components/ui/user-type-badge.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"user-type-badge.d.ts","sourceRoot":"","sources":["../../../src/components/ui/user-type-badge.tsx"],"names":[],"mappings":"AAiBA,MAAM,MAAM,kBAAkB,GAAG;IAC/B,kCAAkC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,0EAA0E;IAC1E,KAAK,EAAE,MAAM,CAAC;IACd,6BAA6B;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAoBF;;;;;;;;;;;;GAYG;AACH,wBAAgB,aAAa,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,kBAAkB,2CAmC5E"}
+{"version":3,"file":"user-type-badge.d.ts","sourceRoot":"","sources":["../../../src/components/ui/user-type-badge.tsx"],"names":[],"mappings":"AAiBA,MAAM,MAAM,kBAAkB,GAAG;IAC/B,kCAAkC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,0EAA0E;IAC1E,KAAK,EAAE,MAAM,CAAC;IACd,6BAA6B;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAoBF;;;;;;;;;;;;GAYG;AACH,wBAAgB,aAAa,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,kBAAkB,+BAmC5E"}

package/dist/consent/cookie_consent_banner.d.ts

@@ -6,6 +6,6 @@ interface CookieConsentBannerProps {
     /** Default: "bottom" */
     position?: "bottom" | "top";
 }
-export declare function CookieConsentBanner({ enableGTM, gtmContainerId, onChange, position, }: CookieConsentBannerProps): import("react/jsx-runtime").JSX.Element;
+export declare function CookieConsentBanner({ enableGTM, gtmContainerId, onChange, position, }: CookieConsentBannerProps): import("react").JSX.Element;
 export {};
 //# sourceMappingURL=cookie_consent_banner.d.ts.map

package/dist/consent/cookie_consent_banner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cookie_consent_banner.d.ts","sourceRoot":"","sources":["../../src/consent/cookie_consent_banner.tsx"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAKpD,UAAU,wBAAwB;IAChC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,YAAY,KAAK,IAAI,CAAC;IACzC,wBAAwB;IACxB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC;CAC7B;AAED,wBAAgB,mBAAmB,CAAC,EAClC,SAAS,EACT,cAAc,EACd,QAAQ,EACR,QAAmB,GACpB,EAAE,wBAAwB,2CA4E1B"}
+{"version":3,"file":"cookie_consent_banner.d.ts","sourceRoot":"","sources":["../../src/consent/cookie_consent_banner.tsx"],"names":[],"mappings":"AAIA,OAAO,EAAE,KAAK,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAKpD,UAAU,wBAAwB;IAChC,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,YAAY,KAAK,IAAI,CAAC;IACzC,wBAAwB;IACxB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC;CAC7B;AAED,wBAAgB,mBAAmB,CAAC,EAClC,SAAS,EACT,cAAc,EACd,QAAQ,EACR,QAAmB,GACpB,EAAE,wBAAwB,+BA4E1B"}

package/dist/consent/manage_modal.d.ts

@@ -1,2 +1,2 @@
-export declare function ConsentManageModal(): import("react/jsx-runtime").JSX.Element;
+export declare function ConsentManageModal(): import("react").JSX.Element;
 //# sourceMappingURL=manage_modal.d.ts.map

package/dist/consent/manage_modal.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manage_modal.d.ts","sourceRoot":"","sources":["../../src/consent/manage_modal.tsx"],"names":[],"mappings":"AAOA,wBAAgB,kBAAkB,4CA0GjC"}
+{"version":3,"file":"manage_modal.d.ts","sourceRoot":"","sources":["../../src/consent/manage_modal.tsx"],"names":[],"mappings":"AAOA,wBAAgB,kBAAkB,gCA0GjC"}

package/dist/contexts/hazo_auth_provider.d.ts

@@ -1,4 +1,4 @@
-import { type ReactNode } from "react";
+import React, { type ReactNode } from "react";
 import { type HazoAuthConfig } from "./hazo_auth_config.js";
 /**
  * Props for HazoAuthProvider component
@@ -48,7 +48,7 @@ export type HazoAuthProviderProps = {
  * }
  * ```
  */
-export declare function HazoAuthProvider({ apiBasePath, children }: HazoAuthProviderProps): import("react/jsx-runtime").JSX.Element;
+export declare function HazoAuthProvider({ apiBasePath, children }: HazoAuthProviderProps): React.JSX.Element;
 /**
  * Hook to access hazo_auth runtime configuration
  *

package/dist/contexts/hazo_auth_provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hazo_auth_provider.d.ts","sourceRoot":"","sources":["../../src/contexts/hazo_auth_provider.tsx"],"names":[],"mappings":"AAMA,OAAc,EAAsC,KAAK,SAAS,EAAE,MAAM,OAAO,CAAC;AAClF,OAAO,EAA4B,KAAK,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAYnF;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,QAAQ,EAAE,SAAS,CAAC;CACrB,CAAC;AAIF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,wBAAgB,gBAAgB,CAAC,EAC/B,WAAkD,EAClD,QAAQ,EACT,EAAE,qBAAqB,2CAcvB;AAID;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,CAMlD"}
+{"version":3,"file":"hazo_auth_provider.d.ts","sourceRoot":"","sources":["../../src/contexts/hazo_auth_provider.tsx"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,EAAsC,KAAK,SAAS,EAAE,MAAM,OAAO,CAAC;AAClF,OAAO,EAA4B,KAAK,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAYnF;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,QAAQ,EAAE,SAAS,CAAC;CACrB,CAAC;AAIF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,wBAAgB,gBAAgB,CAAC,EAC/B,WAAkD,EAClD,QAAQ,EACT,EAAE,qBAAqB,qBAcvB;AAID;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,CAMlD"}

package/dist/lib/auth/deny_permission.server.d.ts

@@ -0,0 +1,18 @@
+import 'server-only';
+export interface DenyPermissionInput {
+    request: Request;
+    /** HazoAuthResult | TenantAuthResult | any auth-like shape */
+    auth: any;
+    missing_permissions: string[];
+    /** Defaults to missing_permissions */
+    required_permissions?: string[];
+    permission_descriptions?: Record<string, string>;
+    /** Falls back to X-Hazo-Action-Label header, then permission join */
+    action_label?: string;
+    /** Falls back to default message */
+    user_friendly_message?: string;
+    /** Falls back to new URL(request.url).pathname */
+    api_route?: string;
+}
+export declare function denyPermission(input: DenyPermissionInput): Response;
+//# sourceMappingURL=deny_permission.server.d.ts.map

package/dist/lib/auth/deny_permission.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deny_permission.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/deny_permission.server.ts"],"names":[],"mappings":"AACA,OAAO,aAAa,CAAC;AASrB,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,8DAA8D;IAC9D,IAAI,EAAE,GAAG,CAAC;IACV,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,sCAAsC;IACtC,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,uBAAuB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjD,qEAAqE;IACrE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,oCAAoC;IACpC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAqBD,wBAAgB,cAAc,CAAC,KAAK,EAAE,mBAAmB,GAAG,QAAQ,CAuDnE"}

package/dist/lib/auth/deny_permission.server.js

@@ -0,0 +1,66 @@
+// file_description: standalone helper to return a 403 FORBIDDEN response and fire the permission-denied handler
+import 'server-only';
+import { buildDenialPayloadFromRequest, getPermissionDeniedHandler, } from './with_permission_issue_capture.server.js';
+function extractUserId(auth) {
+    var _a, _b;
+    return (((_a = auth === null || auth === void 0 ? void 0 : auth.user) === null || _a === void 0 ? void 0 : _a.id) ||
+        ((_b = auth === null || auth === void 0 ? void 0 : auth.tenant) === null || _b === void 0 ? void 0 : _b.user_id) ||
+        (auth === null || auth === void 0 ? void 0 : auth.user_id) ||
+        '');
+}
+function extractScopeId(auth) {
+    var _a, _b, _c, _d, _e, _f;
+    return ((_f = (_e = (_c = (_b = (_a = auth === null || auth === void 0 ? void 0 : auth.tenant) === null || _a === void 0 ? void 0 : _a.scope_id) !== null && _b !== void 0 ? _b : auth === null || auth === void 0 ? void 0 : auth.scope_id) !== null && _c !== void 0 ? _c : (_d = auth === null || auth === void 0 ? void 0 : auth.organization) === null || _d === void 0 ? void 0 : _d.id) !== null && _e !== void 0 ? _e : auth === null || auth === void 0 ? void 0 : auth.organization_id) !== null && _f !== void 0 ? _f : undefined);
+}
+export function denyPermission(input) {
+    var _a;
+    const user_id = extractUserId(input.auth);
+    const scope_id = extractScopeId(input.auth);
+    const payload = buildDenialPayloadFromRequest(input.request, {
+        user_id,
+        scope_id,
+        missing_permissions: input.missing_permissions,
+        required_permissions: input.required_permissions,
+        permission_descriptions: input.permission_descriptions,
+        action_label: input.action_label,
+        user_friendly_message: input.user_friendly_message,
+        api_route: input.api_route,
+    });
+    // Fire handler best-effort — do not await, must not delay the 403
+    Promise.resolve((_a = getPermissionDeniedHandler()) === null || _a === void 0 ? void 0 : _a(payload)).catch((e) => {
+        console.warn('[hazo_auth] denyPermission: permission denied handler failed', e);
+    });
+    // buildForbiddenResponse is async (dynamic import of hazo_api), but denyPermission must be
+    // synchronous to match the function signature. We build the fallback synchronously here
+    // and fire the async hazo_api path only when available. In practice, the caller immediately
+    // returns the Response so we use the sync fallback — consumers that need the hazo_api
+    // envelope can await a wrapping async function or use withPermissionIssueCapture instead.
+    const bodyJson = JSON.stringify({
+        ok: false,
+        error: {
+            code: 'FORBIDDEN',
+            message: payload.user_friendly_message,
+            details: {
+                missing_permissions: payload.missing_permissions,
+                permission_descriptions: payload.permission_descriptions,
+                action_label: payload.action_label,
+                origin_url: payload.origin_url,
+                user_friendly_message: payload.user_friendly_message,
+            },
+        },
+    });
+    // Kick off async hazo_api enhancement but return the sync response immediately.
+    // The returned Response object is the sync fallback; hazo_api is decorative for
+    // middleware use cases that don't need the exact envelope.
+    void import('hazo_api')
+        .then((m) => {
+        if (typeof (m === null || m === void 0 ? void 0 : m.fail) === 'function') {
+            // No-op: we already returned — this is a fire-and-forget; nothing to do with the result.
+        }
+    })
+        .catch(() => undefined);
+    return new Response(bodyJson, {
+        status: 403,
+        headers: { 'Content-Type': 'application/json' },
+    });
+}

package/dist/lib/auth/index.d.ts

@@ -12,4 +12,6 @@ export { withAuth, withOptionalAuth, hasPermission, hasAllPermissions, hasAnyPer
 export type { AuthenticatedTenantAuth, AuthenticatedTenantAuthWithOrg, WithAuthOptions, } from "./with_auth.server";
 export { get_auth_cache, reset_auth_cache } from "./auth_cache.js";
 export { get_rate_limiter, reset_rate_limiter } from "./auth_rate_limiter.js";
+export { withPermissionIssueCapture, setPermissionDeniedHandler, getPermissionDeniedHandler, } from "./with_permission_issue_capture.server.js";
+export type { PermissionDeniedPayload } from "./with_permission_issue_capture.server";
 //# sourceMappingURL=index.d.ts.map

package/dist/lib/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AAEA,cAAc,cAAc,CAAC;AAG7B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACtE,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAGhE,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAGzD,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,aAAa,EACb,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACrD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAGtD,OAAO,EACL,QAAQ,EACR,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,uBAAuB,EACvB,8BAA8B,EAC9B,eAAe,GAChB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGhE,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AAEA,cAAc,cAAc,CAAC;AAG7B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACtE,OAAO,EACL,sBAAsB,EACtB,YAAY,EACZ,gBAAgB,GACjB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAGhE,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAGzD,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,6BAA6B,GAC9B,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,wBAAwB,GACzB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,aAAa,EACb,2BAA2B,EAC3B,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACrD,YAAY,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAGtD,OAAO,EACL,QAAQ,EACR,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EACV,uBAAuB,EACvB,8BAA8B,EAC9B,eAAe,GAChB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAGhE,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAG3E,OAAO,EACL,0BAA0B,EAC1B,0BAA0B,EAC1B,0BAA0B,GAC3B,MAAM,wCAAwC,CAAC;AAChD,YAAY,EAAE,uBAAuB,EAAE,MAAM,wCAAwC,CAAC"}

package/dist/lib/auth/index.js

@@ -17,3 +17,5 @@ export { withAuth, withOptionalAuth, hasPermission, hasAllPermissions, hasAnyPer
 export { get_auth_cache, reset_auth_cache } from "./auth_cache.js";
 // section: rate_limiter_exports
 export { get_rate_limiter, reset_rate_limiter } from "./auth_rate_limiter.js";
+// section: permission_issue_capture_exports
+export { withPermissionIssueCapture, setPermissionDeniedHandler, getPermissionDeniedHandler, } from "./with_permission_issue_capture.server.js";

package/dist/lib/auth/with_permission_issue_capture.server.d.ts

@@ -0,0 +1,49 @@
+import 'server-only';
+import { type NextRequest } from 'next/server';
+export interface PermissionDeniedPayload {
+    user_id: string;
+    scope_id?: string;
+    missing_permissions: string[];
+    required_permissions: string[];
+    user_permissions: string[];
+    permission_descriptions: Record<string, string>;
+    user_friendly_message: string;
+    action_label: string;
+    origin_url: string;
+    api_route: string;
+}
+export declare function setPermissionDeniedHandler(fn: (payload: PermissionDeniedPayload) => void | Promise<void>): void;
+export declare function getPermissionDeniedHandler(): ((payload: PermissionDeniedPayload) => void | Promise<void>) | null;
+export interface BuildDenialPayloadParts {
+    user_id: string;
+    scope_id?: string;
+    missing_permissions: string[];
+    required_permissions?: string[];
+    permission_descriptions?: Record<string, string>;
+    action_label?: string;
+    user_friendly_message?: string;
+    api_route?: string;
+    user_permissions?: string[];
+}
+/**
+ * Shared helper: builds a PermissionDeniedPayload from a request + explicit parts.
+ * Called by both withPermissionIssueCapture and denyPermission.
+ */
+export declare function buildDenialPayloadFromRequest(request: Request, parts: BuildDenialPayloadParts): PermissionDeniedPayload;
+/** Builds the 403 Response, using hazo_api.fail() if available, otherwise hand-built. */
+export declare function buildForbiddenResponse(payload: PermissionDeniedPayload): Promise<Response>;
+/**
+ * Wraps a Next.js route handler. On PermissionError, returns a structured
+ * hazo_api fail() 403 with code FORBIDDEN and fires the registered
+ * onPermissionDenied callback best-effort.
+ *
+ * Usage:
+ *   export const POST = withPermissionIssueCapture(
+ *     async (request) => { ... },
+ *     { required_permissions: ['edit_config'] }
+ *   );
+ */
+export declare function withPermissionIssueCapture(handler: (request: NextRequest) => Promise<Response>, opts: {
+    required_permissions: string[];
+}): (request: NextRequest) => Promise<Response>;
+//# sourceMappingURL=with_permission_issue_capture.server.d.ts.map

package/dist/lib/auth/with_permission_issue_capture.server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"with_permission_issue_capture.server.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/with_permission_issue_capture.server.ts"],"names":[],"mappings":"AAEA,OAAO,aAAa,CAAC;AAGrB,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,aAAa,CAAC;AAS/C,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD,qBAAqB,EAAE,MAAM,CAAC;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAUD,wBAAgB,0BAA0B,CACxC,EAAE,EAAE,CAAC,OAAO,EAAE,uBAAuB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,GAC7D,IAAI,CAEN;AAED,wBAAgB,0BAA0B,eARN,uBAAuB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,SAUnF;AAID,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,uBAAuB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAC3C,OAAO,EAAE,OAAO,EAChB,KAAK,EAAE,uBAAuB,GAC7B,uBAAuB,CAoCzB;AAID,yFAAyF;AACzF,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAsChG;AAID;;;;;;;;;;GAUG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,EACpD,IAAI,EAAE;IAAE,oBAAoB,EAAE,MAAM,EAAE,CAAA;CAAE,GACvC,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CA0D7C"}

package/dist/lib/auth/with_permission_issue_capture.server.js

@@ -0,0 +1,152 @@
+// file_description: Route handler wrapper that catches PermissionError and returns a structured hazo_api fail() 403
+// section: server-only-guard
+import 'server-only';
+import { createLogger } from 'hazo_core';
+import { PermissionError } from './auth_types.js';
+import { hazo_get_auth } from './hazo_get_auth.server.js';
+const log = createLogger('hazo_auth:permission_capture');
+// section: global_callback
+/**
+ * Global callback, set once at app boot by the consuming app.
+ * DI: hazo_auth does NOT import hazo_admin; the app passes createOrBumpIssue here.
+ */
+let _onPermissionDenied = null;
+export function setPermissionDeniedHandler(fn) {
+    _onPermissionDenied = fn;
+}
+export function getPermissionDeniedHandler() {
+    return _onPermissionDenied;
+}
+/**
+ * Shared helper: builds a PermissionDeniedPayload from a request + explicit parts.
+ * Called by both withPermissionIssueCapture and denyPermission.
+ */
+export function buildDenialPayloadFromRequest(request, parts) {
+    var _a, _b, _c, _d, _e;
+    const originUrl = request.headers.get('x-hazo-origin-url') ||
+        request.headers.get('referer') ||
+        '';
+    const actionLabelFromHeader = request.headers.get('x-hazo-action-label') || '';
+    const descriptions = (_a = parts.permission_descriptions) !== null && _a !== void 0 ? _a : {};
+    const actionLabel = parts.action_label ||
+        actionLabelFromHeader ||
+        parts.missing_permissions.map((p) => descriptions[p] || p).join(', ');
+    let apiRoute = (_b = parts.api_route) !== null && _b !== void 0 ? _b : '';
+    if (!apiRoute) {
+        try {
+            apiRoute = new URL(request.url).pathname;
+        }
+        catch (_f) {
+            /* ignore */
+        }
+    }
+    return {
+        user_id: parts.user_id,
+        scope_id: parts.scope_id,
+        missing_permissions: parts.missing_permissions,
+        required_permissions: (_c = parts.required_permissions) !== null && _c !== void 0 ? _c : parts.missing_permissions,
+        user_permissions: (_d = parts.user_permissions) !== null && _d !== void 0 ? _d : [],
+        permission_descriptions: descriptions,
+        user_friendly_message: (_e = parts.user_friendly_message) !== null && _e !== void 0 ? _e : "You don't have permission to perform this action.",
+        action_label: actionLabel,
+        origin_url: originUrl,
+        api_route: apiRoute,
+    };
+}
+// section: response_helper
+/** Builds the 403 Response, using hazo_api.fail() if available, otherwise hand-built. */
+export async function buildForbiddenResponse(payload) {
+    const apiMod = (await import('hazo_api').catch(() => null));
+    if (apiMod === null || apiMod === void 0 ? void 0 : apiMod.fail) {
+        return apiMod.fail('FORBIDDEN', payload.user_friendly_message, {
+            status: 403,
+            details: {
+                missing_permissions: payload.missing_permissions,
+                user_friendly_message: payload.user_friendly_message,
+                permission_descriptions: payload.permission_descriptions,
+                action_label: payload.action_label,
+                origin_url: payload.origin_url,
+            },
+        });
+    }
+    return new Response(JSON.stringify({
+        ok: false,
+        error: {
+            code: 'FORBIDDEN',
+            message: payload.user_friendly_message,
+            details: {
+                missing_permissions: payload.missing_permissions,
+                permission_descriptions: payload.permission_descriptions,
+                action_label: payload.action_label,
+                origin_url: payload.origin_url,
+            },
+        },
+    }), { status: 403, headers: { 'Content-Type': 'application/json' } });
+}
+// section: wrapper
+/**
+ * Wraps a Next.js route handler. On PermissionError, returns a structured
+ * hazo_api fail() 403 with code FORBIDDEN and fires the registered
+ * onPermissionDenied callback best-effort.
+ *
+ * Usage:
+ *   export const POST = withPermissionIssueCapture(
+ *     async (request) => { ... },
+ *     { required_permissions: ['edit_config'] }
+ *   );
+ */
+export function withPermissionIssueCapture(handler, opts) {
+    return async (request) => {
+        try {
+            // Run hazo_get_auth with strict=true so PermissionError is thrown on denial
+            await hazo_get_auth(request, {
+                required_permissions: opts.required_permissions,
+                strict: true,
+            });
+            // On success, hand off to the original handler
+            return await handler(request);
+        }
+        catch (err) {
+            if (err instanceof PermissionError) {
+                // Convert PermissionError.permission_descriptions Map → plain object
+                const descriptions = {};
+                if (err.permission_descriptions) {
+                    err.permission_descriptions.forEach((v, k) => {
+                        descriptions[k] = v;
+                    });
+                }
+                // Try to extract user_id from session — best-effort, non-strict re-call
+                let userId = '';
+                try {
+                    const lax = await hazo_get_auth(request, {
+                        required_permissions: [],
+                        strict: false,
+                    });
+                    if (lax.authenticated) {
+                        userId = lax.user.id;
+                    }
+                }
+                catch (_a) {
+                    /* ignore — user_id stays '' */
+                }
+                const payload = buildDenialPayloadFromRequest(request, {
+                    user_id: userId,
+                    missing_permissions: err.missing_permissions,
+                    required_permissions: err.required_permissions,
+                    user_permissions: err.user_permissions,
+                    permission_descriptions: descriptions,
+                    user_friendly_message: err.user_friendly_message,
+                });
+                // Fire callback best-effort (do NOT await — must not delay the 403 response)
+                if (_onPermissionDenied) {
+                    Promise.resolve(_onPermissionDenied(payload)).catch((cbErr) => {
+                        log.warn('onPermissionDenied callback failed', { error: cbErr });
+                    });
+                }
+                return buildForbiddenResponse(payload);
+            }
+            // Re-throw non-permission errors
+            throw err;
+        }
+    };
+}