pi-kiosk-shared 2.1.51 → 2.1.54

package/dist/analyticsAnonymousIdentity.d.ts

@@ -0,0 +1,15 @@
+/**
+ * PWA pseudonymous analytics identity — client-stable opaque keys (plan §Definitions).
+ *
+ * Keys MUST NOT be derived from IP, UA, or fingerprinting. Generation uses
+ * crypto.randomUUID() only.
+ */
+export declare const ANALYTICS_ANONYMOUS_KEY_MIN_LENGTH = 8;
+export declare const ANALYTICS_ANONYMOUS_KEY_MAX_LENGTH = 128;
+export declare const ANALYTICS_ANONYMOUS_STORAGE_KEY_PREFIX = "analytics:anonymous:";
+/** Generate a new opaque anonymous key (UUID v4). */
+export declare function generateAnalyticsAnonymousKey(): string;
+/** Validate client-supplied anonymous key format (no PII-shaped values). */
+export declare function isValidAnalyticsAnonymousKey(key: string): boolean;
+export declare function analyticsAnonymousStorageKey(tenantCode: string): string;
+//# sourceMappingURL=analyticsAnonymousIdentity.d.ts.map

package/dist/analyticsAnonymousIdentity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyticsAnonymousIdentity.d.ts","sourceRoot":"","sources":["../src/analyticsAnonymousIdentity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,kCAAkC,IAAI,CAAC;AACpD,eAAO,MAAM,kCAAkC,MAAM,CAAC;AACtD,eAAO,MAAM,sCAAsC,yBAAyB,CAAC;AAY7E,qDAAqD;AACrD,wBAAgB,6BAA6B,IAAI,MAAM,CAKtD;AAED,4EAA4E;AAC5E,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAQjE;AAED,wBAAgB,4BAA4B,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAEvE"}

package/dist/analyticsAnonymousIdentity.js

@@ -0,0 +1,38 @@
+/**
+ * PWA pseudonymous analytics identity — client-stable opaque keys (plan §Definitions).
+ *
+ * Keys MUST NOT be derived from IP, UA, or fingerprinting. Generation uses
+ * crypto.randomUUID() only.
+ */
+export const ANALYTICS_ANONYMOUS_KEY_MIN_LENGTH = 8;
+export const ANALYTICS_ANONYMOUS_KEY_MAX_LENGTH = 128;
+export const ANALYTICS_ANONYMOUS_STORAGE_KEY_PREFIX = 'analytics:anonymous:';
+const ANONYMOUS_KEY_PATTERN = /^[a-zA-Z0-9_-]+$/;
+function uuidv4Fallback() {
+    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (c) => {
+        const r = Math.floor(Math.random() * 16);
+        const v = c === 'x' ? r : (r & 0x3) | 0x8;
+        return v.toString(16);
+    });
+}
+/** Generate a new opaque anonymous key (UUID v4). */
+export function generateAnalyticsAnonymousKey() {
+    if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+        return crypto.randomUUID();
+    }
+    return uuidv4Fallback();
+}
+/** Validate client-supplied anonymous key format (no PII-shaped values). */
+export function isValidAnalyticsAnonymousKey(key) {
+    if (key.length < ANALYTICS_ANONYMOUS_KEY_MIN_LENGTH) {
+        return false;
+    }
+    if (key.length > ANALYTICS_ANONYMOUS_KEY_MAX_LENGTH) {
+        return false;
+    }
+    return ANONYMOUS_KEY_PATTERN.test(key);
+}
+export function analyticsAnonymousStorageKey(tenantCode) {
+    return `${ANALYTICS_ANONYMOUS_STORAGE_KEY_PREFIX}${tenantCode}`;
+}
+//# sourceMappingURL=analyticsAnonymousIdentity.js.map

package/dist/analyticsAnonymousIdentity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyticsAnonymousIdentity.js","sourceRoot":"","sources":["../src/analyticsAnonymousIdentity.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,CAAC,MAAM,kCAAkC,GAAG,CAAC,CAAC;AACpD,MAAM,CAAC,MAAM,kCAAkC,GAAG,GAAG,CAAC;AACtD,MAAM,CAAC,MAAM,sCAAsC,GAAG,sBAAsB,CAAC;AAE7E,MAAM,qBAAqB,GAAG,kBAAkB,CAAC;AAEjD,SAAS,cAAc;IACrB,OAAO,sCAAsC,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;QACnE,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACzC,MAAM,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC;QAC1C,OAAO,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,qDAAqD;AACrD,MAAM,UAAU,6BAA6B;IAC3C,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAC7E,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;IAC7B,CAAC;IACD,OAAO,cAAc,EAAE,CAAC;AAC1B,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,4BAA4B,CAAC,GAAW;IACtD,IAAI,GAAG,CAAC,MAAM,GAAG,kCAAkC,EAAE,CAAC;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,GAAG,kCAAkC,EAAE,CAAC;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,4BAA4B,CAAC,UAAkB;IAC7D,OAAO,GAAG,sCAAsC,GAAG,UAAU,EAAE,CAAC;AAClE,CAAC"}

package/dist/index.d.ts

@@ -18,6 +18,7 @@ export * from './hooks/useDatabaseHealth.js';
 export * from './analyticsEvents.js';
 export * from './analyticsExploreCaps.js';
 export * from './analyticsApiTypes.js';
+export * from './analyticsAnonymousIdentity.js';
 export * from './auditEventCodes.js';
 export * from './auditEventLabels.js';
 export * from './analyticsEventLabels.js';
@@ -32,4 +33,7 @@ export * from './complianceDevCaps.js';
 export * from './customerFailureRecovery.js';
 export * from './labels/localizedLabel.js';
 export * from './clientLogRedaction.js';
+export { PERMISSION_DOMAIN_LABELS, PERMISSION_LEVEL_LABELS, getPermissionDomainLabel, getPermissionLevelLabel, } from './permissions/permissionLabels.js';
+export { expandCapabilitiesForClientCheck, grantImpliesTarget, hasEffectiveCapability, hasAnyEffectiveCapability, ADMIN_USERS_MANAGE_BRIDGE_SOURCES, ADMIN_USERS_MANAGE_BRIDGE_TARGETS, BRIDGE_PARITY_FIXTURE_GRANTS, BRIDGE_PARITY_FIXTURE_EXPECTED_TARGETS, } from './permissions/effectiveCapabilities.js';
+export type { PermissionLevel } from './permissions/permissionLabels.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,cAAc,YAAY,CAAC;AAC3B,cAAc,8BAA8B,CAAC;AAC7C,cAAc,UAAU,CAAC;AACzB,cAAc,aAAa,CAAC;AAC5B,cAAc,qCAAqC,CAAC;AACpD,cAAc,8BAA8B,CAAC;AAC7C,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iCAAiC,CAAC;AAChD,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,cAAc,YAAY,CAAC;AAC3B,cAAc,8BAA8B,CAAC;AAC7C,cAAc,UAAU,CAAC;AACzB,cAAc,aAAa,CAAC;AAC5B,cAAc,qCAAqC,CAAC;AACpD,cAAc,8BAA8B,CAAC;AAC7C,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,iCAAiC,CAAC;AAChD,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iCAAiC,CAAC;AAChD,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC;AACxC,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EACL,gCAAgC,EAChC,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,iCAAiC,EACjC,iCAAiC,EACjC,4BAA4B,EAC5B,sCAAsC,GACvC,MAAM,wCAAwC,CAAC;AAChD,YAAY,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAC"}

package/dist/index.js

@@ -18,6 +18,7 @@ export * from './hooks/useDatabaseHealth.js';
 export * from './analyticsEvents.js';
 export * from './analyticsExploreCaps.js';
 export * from './analyticsApiTypes.js';
+export * from './analyticsAnonymousIdentity.js';
 export * from './auditEventCodes.js';
 export * from './auditEventLabels.js';
 export * from './analyticsEventLabels.js';
@@ -32,4 +33,6 @@ export * from './complianceDevCaps.js';
 export * from './customerFailureRecovery.js';
 export * from './labels/localizedLabel.js';
 export * from './clientLogRedaction.js';
+export { PERMISSION_DOMAIN_LABELS, PERMISSION_LEVEL_LABELS, getPermissionDomainLabel, getPermissionLevelLabel, } from './permissions/permissionLabels.js';
+export { expandCapabilitiesForClientCheck, grantImpliesTarget, hasEffectiveCapability, hasAnyEffectiveCapability, ADMIN_USERS_MANAGE_BRIDGE_SOURCES, ADMIN_USERS_MANAGE_BRIDGE_TARGETS, BRIDGE_PARITY_FIXTURE_GRANTS, BRIDGE_PARITY_FIXTURE_EXPECTED_TARGETS, } from './permissions/effectiveCapabilities.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,cAAc,YAAY,CAAC;AAC3B,cAAc,8BAA8B,CAAC;AAC7C,cAAc,UAAU,CAAC;AACzB,cAAc,aAAa,CAAC;AAC5B,cAAc,qCAAqC,CAAC;AACpD,cAAc,8BAA8B,CAAC;AAC7C,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iCAAiC,CAAC;AAChD,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,cAAc,YAAY,CAAC;AAC3B,cAAc,8BAA8B,CAAC;AAC7C,cAAc,UAAU,CAAC;AACzB,cAAc,aAAa,CAAC;AAC5B,cAAc,qCAAqC,CAAC;AACpD,cAAc,8BAA8B,CAAC;AAC7C,cAAc,sBAAsB,CAAC;AACrC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,wBAAwB,CAAC;AACvC,cAAc,iCAAiC,CAAC;AAChD,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,2BAA2B,CAAC;AAC1C,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iCAAiC,CAAC;AAChD,cAAc,mCAAmC,CAAC;AAClD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,+BAA+B,CAAC;AAC9C,cAAc,iCAAiC,CAAC;AAChD,cAAc,wBAAwB,CAAC;AACvC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,4BAA4B,CAAC;AAC3C,cAAc,yBAAyB,CAAC;AACxC,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,uBAAuB,GACxB,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EACL,gCAAgC,EAChC,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,iCAAiC,EACjC,iCAAiC,EACjC,4BAA4B,EAC5B,sCAAsC,GACvC,MAAM,wCAAwC,CAAC"}

package/dist/permissions/capabilityBridgeRules.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Shared capability bridge rules — single source for client JWT fallback checks.
+ * Server uses the same helpers from pi-kiosk-shared in PermissionInheritanceResolver.
+ */
+export declare const ADMIN_USERS_MANAGE_BRIDGE_SOURCES: readonly string[];
+export declare const ADMIN_USERS_MANAGE_BRIDGE_TARGETS: readonly string[];
+/**
+ * Forward-only implication used by client expansion and server bridge checks.
+ */
+export declare function grantImpliesTarget(granted: string, target: string): boolean;
+/**
+ * Expands grants with bridge rules and manage→view / manage→read (no reverse implications).
+ */
+export declare function expandCapabilitiesForClientCheck(grants: readonly string[]): Set<string>;
+/** Parity fixture — both backend and shared tests must satisfy. */
+export declare const BRIDGE_PARITY_FIXTURE_GRANTS: readonly ["users:admins:create"];
+export declare const BRIDGE_PARITY_FIXTURE_EXPECTED_TARGETS: readonly ["tenant.adminUserCapabilities.view", "tenant.adminUserCapabilities.manage", "tenant.adminUsers.manage"];
+//# sourceMappingURL=capabilityBridgeRules.d.ts.map

package/dist/permissions/capabilityBridgeRules.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilityBridgeRules.d.ts","sourceRoot":"","sources":["../../src/permissions/capabilityBridgeRules.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,eAAO,MAAM,iCAAiC,EAAE,SAAS,MAAM,EAG9D,CAAC;AAEF,eAAO,MAAM,iCAAiC,EAAE,SAAS,MAAM,EAM9D,CAAC;AAIF;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAsB3E;AAmBD;;GAEG;AACH,wBAAgB,gCAAgC,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAkBvF;AAED,mEAAmE;AACnE,eAAO,MAAM,4BAA4B,kCAAmC,CAAC;AAE7E,eAAO,MAAM,sCAAsC,mHAIzC,CAAC"}

package/dist/permissions/capabilityBridgeRules.js

@@ -0,0 +1,83 @@
+/**
+ * Shared capability bridge rules — single source for client JWT fallback checks.
+ * Server uses the same helpers from pi-kiosk-shared in PermissionInheritanceResolver.
+ */
+export const ADMIN_USERS_MANAGE_BRIDGE_SOURCES = [
+    'users:admins:create',
+    'tenant.adminUsers.manage',
+];
+export const ADMIN_USERS_MANAGE_BRIDGE_TARGETS = [
+    'users:admins:create',
+    'tenant.adminUsers.manage',
+    'tenant.adminUsers.view',
+    'tenant.adminUserCapabilities.view',
+    'tenant.adminUserCapabilities.manage',
+];
+const BRIDGE_SOURCE_SET = new Set(ADMIN_USERS_MANAGE_BRIDGE_SOURCES);
+/**
+ * Forward-only implication used by client expansion and server bridge checks.
+ */
+export function grantImpliesTarget(granted, target) {
+    if (granted === target) {
+        return true;
+    }
+    if (BRIDGE_SOURCE_SET.has(granted) && ADMIN_USERS_MANAGE_BRIDGE_TARGETS.includes(target)) {
+        return true;
+    }
+    if (granted.endsWith('.manage') && target === `${granted.slice(0, -'.manage'.length)}.view`) {
+        return true;
+    }
+    if (granted.endsWith(':manage') && target === granted.replace(/:manage$/, ':read')) {
+        return true;
+    }
+    if (granted.endsWith(':write') && target === granted.replace(/:write$/, ':read')) {
+        return true;
+    }
+    return false;
+}
+function impliedTargetsFromGrant(grant) {
+    const implied = [];
+    for (const target of ADMIN_USERS_MANAGE_BRIDGE_TARGETS) {
+        if (grantImpliesTarget(grant, target)) {
+            implied.push(target);
+        }
+    }
+    if (grant.endsWith(':manage')) {
+        implied.push(grant.replace(/:manage$/, ':read'));
+    }
+    else if (grant.endsWith(':write')) {
+        implied.push(grant.replace(/:write$/, ':read'));
+    }
+    else if (grant.endsWith('.manage')) {
+        implied.push(`${grant.slice(0, -'.manage'.length)}.view`);
+    }
+    return implied;
+}
+/**
+ * Expands grants with bridge rules and manage→view / manage→read (no reverse implications).
+ */
+export function expandCapabilitiesForClientCheck(grants) {
+    const result = new Set();
+    const pending = [...grants];
+    while (pending.length > 0) {
+        const grant = pending.pop();
+        if (grant === undefined || result.has(grant)) {
+            continue;
+        }
+        result.add(grant);
+        for (const target of impliedTargetsFromGrant(grant)) {
+            if (!result.has(target)) {
+                pending.push(target);
+            }
+        }
+    }
+    return result;
+}
+/** Parity fixture — both backend and shared tests must satisfy. */
+export const BRIDGE_PARITY_FIXTURE_GRANTS = ['users:admins:create'];
+export const BRIDGE_PARITY_FIXTURE_EXPECTED_TARGETS = [
+    'tenant.adminUserCapabilities.view',
+    'tenant.adminUserCapabilities.manage',
+    'tenant.adminUsers.manage',
+];
+//# sourceMappingURL=capabilityBridgeRules.js.map

package/dist/permissions/capabilityBridgeRules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capabilityBridgeRules.js","sourceRoot":"","sources":["../../src/permissions/capabilityBridgeRules.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,CAAC,MAAM,iCAAiC,GAAsB;IAClE,qBAAqB;IACrB,0BAA0B;CAC3B,CAAC;AAEF,MAAM,CAAC,MAAM,iCAAiC,GAAsB;IAClE,qBAAqB;IACrB,0BAA0B;IAC1B,wBAAwB;IACxB,mCAAmC;IACnC,qCAAqC;CACtC,CAAC;AAEF,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAS,iCAAiC,CAAC,CAAC;AAE7E;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe,EAAE,MAAc;IAChE,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,iCAAiC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACzF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QAC5F,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,EAAE,CAAC;QACnF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC;QACjF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAa;IAC5C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,MAAM,IAAI,iCAAiC,EAAE,CAAC;QACvD,IAAI,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,CAAC;SAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;IAClD,CAAC;SAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gCAAgC,CAAC,MAAyB;IACxE,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,MAAM,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAE5B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC5B,IAAI,KAAK,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC7C,SAAS;QACX,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAClB,KAAK,MAAM,MAAM,IAAI,uBAAuB,CAAC,KAAK,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACxB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,mEAAmE;AACnE,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,qBAAqB,CAAU,CAAC;AAE7E,MAAM,CAAC,MAAM,sCAAsC,GAAG;IACpD,mCAAmC;IACnC,qCAAqC;IACrC,0BAA0B;CAClB,CAAC"}

package/dist/permissions/effectiveCapabilities.d.ts

@@ -0,0 +1,5 @@
+export { expandCapabilitiesForClientCheck } from './capabilityBridgeRules.js';
+export { ADMIN_USERS_MANAGE_BRIDGE_SOURCES, ADMIN_USERS_MANAGE_BRIDGE_TARGETS, BRIDGE_PARITY_FIXTURE_EXPECTED_TARGETS, BRIDGE_PARITY_FIXTURE_GRANTS, grantImpliesTarget, } from './capabilityBridgeRules.js';
+export declare function hasEffectiveCapability(grants: readonly string[], required: string): boolean;
+export declare function hasAnyEffectiveCapability(grants: readonly string[], required: readonly string[]): boolean;
+//# sourceMappingURL=effectiveCapabilities.d.ts.map

package/dist/permissions/effectiveCapabilities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"effectiveCapabilities.d.ts","sourceRoot":"","sources":["../../src/permissions/effectiveCapabilities.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,gCAAgC,EAAE,MAAM,4BAA4B,CAAC;AAE9E,OAAO,EACL,iCAAiC,EACjC,iCAAiC,EACjC,sCAAsC,EACtC,4BAA4B,EAC5B,kBAAkB,GACnB,MAAM,4BAA4B,CAAC;AAEpC,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,SAAS,MAAM,EAAE,EACzB,QAAQ,EAAE,MAAM,GACf,OAAO,CAWT;AAED,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,SAAS,MAAM,EAAE,EACzB,QAAQ,EAAE,SAAS,MAAM,EAAE,GAC1B,OAAO,CAET"}

package/dist/permissions/effectiveCapabilities.js

@@ -0,0 +1,23 @@
+/**
+ * Client-side effective capability checks — mirrors server JWT expansion for UI gates.
+ * Prefer capabilities from GET /admin/me (server-expanded); use this as fallback only.
+ */
+import { expandCapabilitiesForClientCheck, grantImpliesTarget, } from './capabilityBridgeRules.js';
+export { expandCapabilitiesForClientCheck } from './capabilityBridgeRules.js';
+export { ADMIN_USERS_MANAGE_BRIDGE_SOURCES, ADMIN_USERS_MANAGE_BRIDGE_TARGETS, BRIDGE_PARITY_FIXTURE_EXPECTED_TARGETS, BRIDGE_PARITY_FIXTURE_GRANTS, grantImpliesTarget, } from './capabilityBridgeRules.js';
+export function hasEffectiveCapability(grants, required) {
+    const expanded = expandCapabilitiesForClientCheck(grants);
+    if (expanded.has(required)) {
+        return true;
+    }
+    for (const grant of expanded) {
+        if (grantImpliesTarget(grant, required)) {
+            return true;
+        }
+    }
+    return false;
+}
+export function hasAnyEffectiveCapability(grants, required) {
+    return required.some((cap) => hasEffectiveCapability(grants, cap));
+}
+//# sourceMappingURL=effectiveCapabilities.js.map

package/dist/permissions/effectiveCapabilities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"effectiveCapabilities.js","sourceRoot":"","sources":["../../src/permissions/effectiveCapabilities.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EACL,gCAAgC,EAChC,kBAAkB,GACnB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EAAE,gCAAgC,EAAE,MAAM,4BAA4B,CAAC;AAE9E,OAAO,EACL,iCAAiC,EACjC,iCAAiC,EACjC,sCAAsC,EACtC,4BAA4B,EAC5B,kBAAkB,GACnB,MAAM,4BAA4B,CAAC;AAEpC,MAAM,UAAU,sBAAsB,CACpC,MAAyB,EACzB,QAAgB;IAEhB,MAAM,QAAQ,GAAG,gCAAgC,CAAC,MAAM,CAAC,CAAC;IAC1D,IAAI,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,IAAI,kBAAkB,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,MAAyB,EACzB,QAA2B;IAE3B,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,sBAAsB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;AACrE,CAAC"}

package/dist/permissions/permissionLabels.d.ts

@@ -0,0 +1,7 @@
+import type { LabelLocale, LocalizedLabel } from '../labels/localizedLabel.js';
+export type PermissionLevel = 'view' | 'manage';
+export declare const PERMISSION_LEVEL_LABELS: Record<PermissionLevel, LocalizedLabel>;
+export declare const PERMISSION_DOMAIN_LABELS: Record<string, LocalizedLabel>;
+export declare function getPermissionLevelLabel(level: PermissionLevel, locale: LabelLocale): string;
+export declare function getPermissionDomainLabel(domain: string, locale: LabelLocale): string;
+//# sourceMappingURL=permissionLabels.d.ts.map

package/dist/permissions/permissionLabels.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionLabels.d.ts","sourceRoot":"","sources":["../../src/permissions/permissionLabels.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE/E,MAAM,MAAM,eAAe,GAAG,MAAM,GAAG,QAAQ,CAAC;AAEhD,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAAC,eAAe,EAAE,cAAc,CAG3E,CAAC;AAEF,eAAO,MAAM,wBAAwB,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAQnE,CAAC;AAEF,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,WAAW,GAAG,MAAM,CAE3F;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,GAAG,MAAM,CAWpF"}

package/dist/permissions/permissionLabels.js

@@ -0,0 +1,29 @@
+export const PERMISSION_LEVEL_LABELS = {
+    view: { en: 'View', cs: 'Zobrazení' },
+    manage: { en: 'Manage', cs: 'Správa' },
+};
+export const PERMISSION_DOMAIN_LABELS = {
+    principal: { en: 'Account access', cs: 'Přístup k účtu' },
+    account: { en: 'Account', cs: 'Účet' },
+    permissions: { en: 'Permissions catalog', cs: 'Katalog oprávnění' },
+    tenant: { en: 'Tenant operations', cs: 'Provoz tenantu' },
+    platform: { en: 'Platform administration', cs: 'Správa platformy' },
+    exceptions: { en: 'High-risk exceptions', cs: 'Vysoce rizikové výjimky' },
+    compliance: { en: 'Compliance', cs: 'Compliance' },
+};
+export function getPermissionLevelLabel(level, locale) {
+    return PERMISSION_LEVEL_LABELS[level][locale];
+}
+export function getPermissionDomainLabel(domain, locale) {
+    const known = PERMISSION_DOMAIN_LABELS[domain];
+    if (known !== undefined) {
+        return known[locale];
+    }
+    const fallback = domain
+        .split(/[._-]/)
+        .filter(Boolean)
+        .map((segment) => segment.charAt(0).toUpperCase() + segment.slice(1))
+        .join(' ');
+    return fallback.length > 0 ? fallback : 'Permissions';
+}
+//# sourceMappingURL=permissionLabels.js.map

package/dist/permissions/permissionLabels.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionLabels.js","sourceRoot":"","sources":["../../src/permissions/permissionLabels.ts"],"names":[],"mappings":"AAIA,MAAM,CAAC,MAAM,uBAAuB,GAA4C;IAC9E,IAAI,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE;IACrC,MAAM,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE;CACvC,CAAC;AAEF,MAAM,CAAC,MAAM,wBAAwB,GAAmC;IACtE,SAAS,EAAE,EAAE,EAAE,EAAE,gBAAgB,EAAE,EAAE,EAAE,gBAAgB,EAAE;IACzD,OAAO,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE;IACtC,WAAW,EAAE,EAAE,EAAE,EAAE,qBAAqB,EAAE,EAAE,EAAE,mBAAmB,EAAE;IACnE,MAAM,EAAE,EAAE,EAAE,EAAE,mBAAmB,EAAE,EAAE,EAAE,gBAAgB,EAAE;IACzD,QAAQ,EAAE,EAAE,EAAE,EAAE,yBAAyB,EAAE,EAAE,EAAE,kBAAkB,EAAE;IACnE,UAAU,EAAE,EAAE,EAAE,EAAE,sBAAsB,EAAE,EAAE,EAAE,yBAAyB,EAAE;IACzE,UAAU,EAAE,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE;CACnD,CAAC;AAEF,MAAM,UAAU,uBAAuB,CAAC,KAAsB,EAAE,MAAmB;IACjF,OAAO,uBAAuB,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,MAAc,EAAE,MAAmB;IAC1E,MAAM,KAAK,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAC/C,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM;SACpB,KAAK,CAAC,OAAO,CAAC;SACd,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SACpE,IAAI,CAAC,GAAG,CAAC,CAAC;IACb,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC;AACxD,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-kiosk-shared",
-  "version": "2.1.51",
+  "version": "2.1.54",
   "type": "module",
   "private": false,
   "description": "Shared types, API contracts, and error classes for Pi Kiosk system",
@@ -60,6 +60,11 @@
       "require": "./dist/analyticsConsentAllowlist.js",
       "types": "./dist/analyticsConsentAllowlist.d.ts"
     },
+    "./analyticsAnonymousIdentity": {
+      "import": "./dist/analyticsAnonymousIdentity.js",
+      "require": "./dist/analyticsAnonymousIdentity.js",
+      "types": "./dist/analyticsAnonymousIdentity.d.ts"
+    },
     "./clientLogRedaction": {
       "import": "./dist/clientLogRedaction.js",
       "require": "./dist/clientLogRedaction.js",