snipe-auth-rbac 0.1.0 → 0.2.0

package/dist/index.d.cts

@@ -1,5 +1,5 @@
-import { c as ResourceRegistry, U as UserProfile, A as Action, d as PermissionMap, b as AuthRbacFetcher, a as ResourceDescriptor } from './types-BEc5SCIo.cjs';
-export { C as CompanyMembership, F as FrontendConfig, P as PermissionGrid, R as ResourceScope, e as RoleSummary } from './types-BEc5SCIo.cjs';
+import { c as ResourceRegistry, U as UserProfile, A as Action, d as PermissionMap, b as AuthRbacFetcher, a as ResourceDescriptor } from './types-DxvFudPF.cjs';
+export { C as CompanyMembership, F as FrontendConfig, P as PermissionGrid, R as ResourceScope, e as RoleSummary } from './types-DxvFudPF.cjs';
 
 /**
  * Transport-agnostic client: turns an adopter-supplied
@@ -14,7 +14,7 @@ interface AuthRbacClientOptions {
      * The host project's full resource list. Required so the resolver
      * can look up a resource's scope without a DB round-trip per call.
      * Re-using the same array the host syncs into the
-     * `auth_rbac_resources` table at boot keeps everything in lockstep.
+     * `rbac.resources` table at boot keeps everything in lockstep.
      */
     resources: ResourceRegistry;
 }
@@ -53,15 +53,44 @@ type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;
  */
 
 /**
- * Calls the package's SQL function `auth_rbac_user_profile(uuid)` via
+ * Calls the package's SQL function `rbac.user_profile(uuid)` via
  * a Supabase JS client. Easiest path when the host project already
  * uses Supabase.
  *
+ * The function lives in the dedicated `rbac` Postgres schema, so the
+ * adopter must add `rbac` to their PostgREST exposed-schemas list
+ * (Supabase Studio → Settings → API → Exposed schemas) for the
+ * `.schema('rbac')` call below to reach it.
+ *
  * @example
  * createSupabaseFetcher({ supabase, userId: session.user.id })
  */
 declare function createSupabaseFetcher(opts: {
     supabase: {
+        schema: (name: string) => {
+            rpc: (fn: string, args: Record<string, unknown>) => Promise<{
+                data: unknown;
+                error: {
+                    message: string;
+                } | null;
+            }>;
+        };
+    };
+    userId: string;
+}): AuthRbacFetcher;
+/**
+ * Cheap probe — returns true if the package's `rbac` schema looks
+ * reachable. Useful at app start to fail loudly if the migration
+ * hasn't been applied OR if `rbac` isn't in the project's PostgREST
+ * exposed-schemas list.
+ *
+ * @example
+ * if (!(await detectRbacSchema(supabase))) {
+ *   console.error("rbac schema not reachable — apply 0001_initial.sql");
+ * }
+ */
+declare function detectRbacSchema(supabase: {
+    schema: (name: string) => {
         rpc: (fn: string, args: Record<string, unknown>) => Promise<{
             data: unknown;
             error: {
@@ -69,8 +98,7 @@ declare function createSupabaseFetcher(opts: {
             } | null;
         }>;
     };
-    userId: string;
-}): AuthRbacFetcher;
+}): Promise<boolean>;
 /**
  * Calls a regular HTTP endpoint that returns a `UserProfile` JSON
  * payload. Use this when the host project has its own backend that
@@ -87,4 +115,4 @@ declare function createHttpFetcher(opts: {
     fetch?: typeof fetch;
 }): AuthRbacFetcher;
 
-export { Action, type AuthRbacClient, AuthRbacFetcher, type CanOptions, type AuthRbacClientOptions as ClientOptions, PermissionMap, ResourceDescriptor, ResourceRegistry, UserProfile, buildPermissionResolver, createHttpFetcher, createSupabaseFetcher, groupResources };
+export { Action, type AuthRbacClient, AuthRbacFetcher, type CanOptions, type AuthRbacClientOptions as ClientOptions, PermissionMap, ResourceDescriptor, ResourceRegistry, UserProfile, buildPermissionResolver, createHttpFetcher, createSupabaseFetcher, detectRbacSchema, groupResources };

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { c as ResourceRegistry, U as UserProfile, A as Action, d as PermissionMap, b as AuthRbacFetcher, a as ResourceDescriptor } from './types-BEc5SCIo.js';
-export { C as CompanyMembership, F as FrontendConfig, P as PermissionGrid, R as ResourceScope, e as RoleSummary } from './types-BEc5SCIo.js';
+import { c as ResourceRegistry, U as UserProfile, A as Action, d as PermissionMap, b as AuthRbacFetcher, a as ResourceDescriptor } from './types-DxvFudPF.js';
+export { C as CompanyMembership, F as FrontendConfig, P as PermissionGrid, R as ResourceScope, e as RoleSummary } from './types-DxvFudPF.js';
 
 /**
  * Transport-agnostic client: turns an adopter-supplied
@@ -14,7 +14,7 @@ interface AuthRbacClientOptions {
      * The host project's full resource list. Required so the resolver
      * can look up a resource's scope without a DB round-trip per call.
      * Re-using the same array the host syncs into the
-     * `auth_rbac_resources` table at boot keeps everything in lockstep.
+     * `rbac.resources` table at boot keeps everything in lockstep.
      */
     resources: ResourceRegistry;
 }
@@ -53,15 +53,44 @@ type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;
  */
 
 /**
- * Calls the package's SQL function `auth_rbac_user_profile(uuid)` via
+ * Calls the package's SQL function `rbac.user_profile(uuid)` via
  * a Supabase JS client. Easiest path when the host project already
  * uses Supabase.
  *
+ * The function lives in the dedicated `rbac` Postgres schema, so the
+ * adopter must add `rbac` to their PostgREST exposed-schemas list
+ * (Supabase Studio → Settings → API → Exposed schemas) for the
+ * `.schema('rbac')` call below to reach it.
+ *
  * @example
  * createSupabaseFetcher({ supabase, userId: session.user.id })
  */
 declare function createSupabaseFetcher(opts: {
     supabase: {
+        schema: (name: string) => {
+            rpc: (fn: string, args: Record<string, unknown>) => Promise<{
+                data: unknown;
+                error: {
+                    message: string;
+                } | null;
+            }>;
+        };
+    };
+    userId: string;
+}): AuthRbacFetcher;
+/**
+ * Cheap probe — returns true if the package's `rbac` schema looks
+ * reachable. Useful at app start to fail loudly if the migration
+ * hasn't been applied OR if `rbac` isn't in the project's PostgREST
+ * exposed-schemas list.
+ *
+ * @example
+ * if (!(await detectRbacSchema(supabase))) {
+ *   console.error("rbac schema not reachable — apply 0001_initial.sql");
+ * }
+ */
+declare function detectRbacSchema(supabase: {
+    schema: (name: string) => {
         rpc: (fn: string, args: Record<string, unknown>) => Promise<{
             data: unknown;
             error: {
@@ -69,8 +98,7 @@ declare function createSupabaseFetcher(opts: {
             } | null;
         }>;
     };
-    userId: string;
-}): AuthRbacFetcher;
+}): Promise<boolean>;
 /**
  * Calls a regular HTTP endpoint that returns a `UserProfile` JSON
  * payload. Use this when the host project has its own backend that
@@ -87,4 +115,4 @@ declare function createHttpFetcher(opts: {
     fetch?: typeof fetch;
 }): AuthRbacFetcher;
 
-export { Action, type AuthRbacClient, AuthRbacFetcher, type CanOptions, type AuthRbacClientOptions as ClientOptions, PermissionMap, ResourceDescriptor, ResourceRegistry, UserProfile, buildPermissionResolver, createHttpFetcher, createSupabaseFetcher, groupResources };
+export { Action, type AuthRbacClient, AuthRbacFetcher, type CanOptions, type AuthRbacClientOptions as ClientOptions, PermissionMap, ResourceDescriptor, ResourceRegistry, UserProfile, buildPermissionResolver, createHttpFetcher, createSupabaseFetcher, detectRbacSchema, groupResources };

package/dist/index.js

@@ -1,15 +1,17 @@
 import {
   createHttpFetcher,
-  createSupabaseFetcher
-} from "./chunk-BRCJUCDG.js";
+  createSupabaseFetcher,
+  detectRbacSchema
+} from "./chunk-NRDW233A.js";
 import {
   buildPermissionResolver,
   groupResources
-} from "./chunk-4WTV6J44.js";
+} from "./chunk-C76JHCKM.js";
 export {
   buildPermissionResolver,
   createHttpFetcher,
   createSupabaseFetcher,
+  detectRbacSchema,
   groupResources
 };
 //# sourceMappingURL=index.js.map

package/dist/react/index.cjs

@@ -26,6 +26,7 @@ __export(react_exports, {
   createHttpFetcher: () => createHttpFetcher,
   createSupabaseFetcher: () => createSupabaseFetcher,
   defineAuthRbac: () => defineAuthRbac2,
+  detectRbacSchema: () => detectRbacSchema,
   useActiveCompany: () => useActiveCompany,
   useAuthRbac: () => useAuthRbac,
   useCan: () => useCan,
@@ -268,8 +269,8 @@ function useFrontendConfig() {
 function createSupabaseFetcher(opts) {
   return {
     async fetchProfile() {
-      const { data, error } = await opts.supabase.rpc(
-        "auth_rbac_user_profile",
+      const { data, error } = await opts.supabase.schema("rbac").rpc(
+        "user_profile",
         { p_user_id: opts.userId }
       );
       if (error) {
@@ -281,6 +282,19 @@ function createSupabaseFetcher(opts) {
     }
   };
 }
+async function detectRbacSchema(supabase) {
+  try {
+    const { error } = await supabase.schema("rbac").rpc("user_can", {
+      p_user_id: "00000000-0000-0000-0000-000000000000",
+      p_resource: "__rbac_self_check__",
+      p_action: "read",
+      p_company_id: null
+    });
+    return error === null;
+  } catch {
+    return false;
+  }
+}
 function createHttpFetcher(opts) {
   const fetchImpl = opts.fetch ?? globalThis.fetch;
   return {
@@ -341,6 +355,7 @@ function defineAuthRbac2(resources) {
   createHttpFetcher,
   createSupabaseFetcher,
   defineAuthRbac,
+  detectRbacSchema,
   useActiveCompany,
   useAuthRbac,
   useCan,

package/dist/react/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/react/index.ts","../../src/react/AuthRbacProvider.tsx","../../src/client.ts","../../src/react/useCan.ts","../../src/react/Can.tsx","../../src/react/RequirePermission.tsx","../../src/react/useActiveCompany.ts","../../src/react/useFrontendConfig.ts","../../src/fetchers.ts","../../src/define.ts"],"sourcesContent":["/**\n * React + Next.js entry. Import this in browser code:\n *\n *   import { AuthRbacProvider, useCan } from \"snipe-auth-rbac/react\";\n *\n * The non-React entry (`snipe-auth-rbac`) re-exports types and the\n * pure resolver, suitable for Node, edge workers, and tests.\n */\n\nexport {\n  AuthRbacProvider,\n  useAuthRbac,\n  type AuthRbacProviderProps,\n} from \"./AuthRbacProvider.js\";\n\nexport { useCan } from \"./useCan.js\";\nexport { Can, type CanProps } from \"./Can.js\";\nexport {\n  RequirePermission,\n  type RequirePermissionProps,\n} from \"./RequirePermission.js\";\nexport { useActiveCompany, type ActiveCompany } from \"./useActiveCompany.js\";\nexport { useFrontendConfig } from \"./useFrontendConfig.js\";\n\n// Re-exports for convenience so consumers don't need two imports.\nexport type {\n  Action,\n  AuthRbacFetcher,\n  CompanyMembership,\n  FrontendConfig,\n  PermissionGrid,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  RoleSummary,\n  UserProfile,\n} from \"../types.js\";\n\nexport {\n  createSupabaseFetcher,\n  createHttpFetcher,\n} from \"../fetchers.js\";\n\nimport { defineAuthRbac as _defineAuthRbac } from \"../define.js\";\nimport { Can } from \"./Can.js\";\nimport { RequirePermission } from \"./RequirePermission.js\";\nimport { useCan } from \"./useCan.js\";\n\nimport type { ResourceDescriptor } from \"../types.js\";\nimport type { TypedGuards } from \"../define.js\";\n\n/**\n * Typed factory — pass a const-asserted resource registry and get\n * back guards whose `resource` arg is constrained to the registered\n * names. Recommended at the top of every host project.\n *\n * See ../define.ts for the full doc + example.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(resources: Reg): TypedGuards<Reg[number][\"resource\"]> {\n  return _defineAuthRbac(resources, {\n    useCan,\n    Can,\n    RequirePermission,\n  });\n}\n\nexport type { TypedGuards } from \"../define.js\";\n","import {\n  createContext,\n  useCallback,\n  useContext,\n  useEffect,\n  useMemo,\n  useState,\n  type ReactNode,\n} from \"react\";\n\nimport {\n  buildPermissionResolver,\n  type AuthRbacClient,\n} from \"../client.js\";\nimport type {\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceRegistry,\n  UserProfile,\n} from \"../types.js\";\n\ninterface AuthRbacContextValue {\n  /**\n   * `null` means we haven't hydrated yet. Components should treat\n   * the not-loaded state as \"no permissions\" (fail-closed).\n   */\n  profile: UserProfile | null;\n  loading: boolean;\n  error: Error | null;\n  resources: ResourceRegistry;\n  activeCompanyId: string | null;\n  setActiveCompany: (id: string | null) => void;\n  refresh: () => Promise<void>;\n  resolver: AuthRbacClient;\n}\n\nconst AuthRbacContext = createContext<AuthRbacContextValue | null>(null);\n\nexport interface AuthRbacProviderProps {\n  fetcher: AuthRbacFetcher;\n  resources: ResourceRegistry;\n  /**\n   * Initial active company. Common patterns:\n   *  - read from URL query/path\n   *  - read from localStorage\n   *  - omit and let the user pick from the switcher\n   */\n  initialCompanyId?: string | null;\n  /**\n   * Persistence hook. Called every time the active company changes.\n   * Default: writes to `localStorage` under\n   * `auth-rbac:active-company`. Pass `false` to disable.\n   */\n  persistActiveCompany?:\n    | ((id: string | null) => void)\n    | false;\n  children: ReactNode;\n}\n\nconst STORAGE_KEY = \"auth-rbac:active-company\";\n\nconst defaultPersist = (id: string | null) => {\n  if (typeof window === \"undefined\") {\n    return;\n  }\n  try {\n    if (id == null) {\n      window.localStorage.removeItem(STORAGE_KEY);\n    } else {\n      window.localStorage.setItem(STORAGE_KEY, id);\n    }\n  } catch {\n    // localStorage may be unavailable (private browsing, SSR) —\n    // fall back to in-memory only.\n  }\n};\n\nconst readPersisted = (): string | null => {\n  if (typeof window === \"undefined\") {\n    return null;\n  }\n  try {\n    return window.localStorage.getItem(STORAGE_KEY);\n  } catch {\n    return null;\n  }\n};\n\nexport function AuthRbacProvider(props: AuthRbacProviderProps) {\n  const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;\n\n  const [profile, setProfile] = useState<UserProfile | null>(null);\n  const [loading, setLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const [activeCompanyId, setActiveCompanyState] = useState<string | null>(\n    initialCompanyId ?? readPersisted(),\n  );\n\n  const persist = useMemo(() => {\n    if (persistActiveCompany === false) {\n      return () => {};\n    }\n    return persistActiveCompany ?? defaultPersist;\n  }, [persistActiveCompany]);\n\n  const setActiveCompany = useCallback(\n    (id: string | null) => {\n      setActiveCompanyState(id);\n      persist(id);\n    },\n    [persist],\n  );\n\n  const refresh = useCallback(async () => {\n    setLoading(true);\n    setError(null);\n    try {\n      const next = await fetcher.fetchProfile();\n      setProfile(next);\n      // If the persisted company isn't a membership, fall back to\n      // the first one (or null for users with no memberships).\n      const stillMember =\n        activeCompanyId != null &&\n        next.memberships.some((m) => m.company_id === activeCompanyId);\n      if (!stillMember) {\n        const fallback =\n          next.memberships[0]?.company_id ?? null;\n        setActiveCompanyState(fallback);\n        persist(fallback);\n      }\n    } catch (e) {\n      setError(e instanceof Error ? e : new Error(String(e)));\n    } finally {\n      setLoading(false);\n    }\n    // eslint-disable-next-line react-hooks/exhaustive-deps\n  }, [fetcher]);\n\n  useEffect(() => {\n    void refresh();\n  }, [refresh]);\n\n  const resolver = useMemo<AuthRbacClient>(() => {\n    if (profile == null) {\n      // Empty resolver until the profile lands. Always returns\n      // false → guards fall through to the unauthenticated branch.\n      return {\n        can: () => false,\n        activePermissions: () => ({}) as PermissionMap,\n        systemPermissions: () => ({}) as PermissionMap,\n      };\n    }\n    return buildPermissionResolver(resources, profile, activeCompanyId);\n  }, [profile, resources, activeCompanyId]);\n\n  const value = useMemo<AuthRbacContextValue>(\n    () => ({\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    }),\n    [\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    ],\n  );\n\n  return (\n    <AuthRbacContext.Provider value={value}>\n      {props.children}\n    </AuthRbacContext.Provider>\n  );\n}\n\nexport function useAuthRbac(): AuthRbacContextValue {\n  const ctx = useContext(AuthRbacContext);\n  if (!ctx) {\n    throw new Error(\n      \"useAuthRbac must be used within an <AuthRbacProvider> — wrap your app at the root.\",\n    );\n  }\n  return ctx;\n}\n","/**\n * Transport-agnostic client: turns an adopter-supplied\n * `AuthRbacFetcher` into a permission resolver. The React provider\n * wraps this; non-React consumers (Node scripts, edge functions)\n * can use it directly.\n */\n\nimport type {\n  Action,\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  UserProfile,\n} from \"./types.js\";\n\nexport interface AuthRbacClientOptions {\n  fetcher: AuthRbacFetcher;\n  /**\n   * The host project's full resource list. Required so the resolver\n   * can look up a resource's scope without a DB round-trip per call.\n   * Re-using the same array the host syncs into the\n   * `auth_rbac_resources` table at boot keeps everything in lockstep.\n   */\n  resources: ResourceRegistry;\n}\n\nexport interface CanOptions {\n  /**\n   * Override the active company. Omit to use the company the\n   * caller has currently activated (the React provider tracks\n   * this; for direct client use you must pass it).\n   */\n  companyId?: string | null;\n}\n\n/**\n * Pure resolver. Given a hydrated profile it answers boolean\n * questions instantly — no I/O. The `resourceMap` is built once at\n * construction so per-call work is two map lookups.\n */\nexport function buildPermissionResolver(\n  resources: ResourceRegistry,\n  profile: UserProfile,\n  defaultCompanyId: string | null,\n) {\n  const scopeByResource = new Map<string, ResourceScope>(\n    resources.map((r) => [r.resource, r.scope]),\n  );\n\n  const can = (\n    resource: string,\n    action: Action,\n    options?: CanOptions,\n  ): boolean => {\n    if (profile.is_super_admin) {\n      return true;\n    }\n    const scope = scopeByResource.get(resource);\n    if (!scope) {\n      // Unknown resource — fail closed.\n      return false;\n    }\n    if (scope === \"system\") {\n      return readGrid(profile.system_permissions, resource, action);\n    }\n    const companyId = options?.companyId ?? defaultCompanyId;\n    if (!companyId) {\n      return false;\n    }\n    const membership = profile.memberships.find(\n      (m) => m.company_id === companyId,\n    );\n    if (!membership) {\n      return false;\n    }\n    return readGrid(membership.permissions, resource, action);\n  };\n\n  return {\n    can,\n    /** Permission map for the active (or specified) company. */\n    activePermissions: (companyId?: string | null): PermissionMap => {\n      const id = companyId ?? defaultCompanyId;\n      if (!id) {\n        return {};\n      }\n      return (\n        profile.memberships.find((m) => m.company_id === id)?.permissions ?? {}\n      );\n    },\n    systemPermissions: (): PermissionMap => profile.system_permissions,\n  };\n}\n\nfunction readGrid(\n  map: PermissionMap,\n  resource: string,\n  action: Action,\n): boolean {\n  const grid = map[resource];\n  if (!grid) {\n    return false;\n  }\n  return grid[action];\n}\n\n/**\n * Helper: groups a resource registry by `group` for the matrix UI.\n * Returns groups in insertion order with their resources.\n */\nexport function groupResources(\n  registry: ResourceRegistry,\n): Array<{ group: string; resources: ResourceDescriptor[] }> {\n  const order: string[] = [];\n  const buckets = new Map<string, ResourceDescriptor[]>();\n  for (const r of registry) {\n    const key = r.group ?? \"Sonstige\";\n    if (!buckets.has(key)) {\n      buckets.set(key, []);\n      order.push(key);\n    }\n    buckets.get(key)!.push(r);\n  }\n  return order.map((g) => ({ group: g, resources: buckets.get(g)! }));\n}\n\nexport type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;\nexport type { AuthRbacClientOptions as ClientOptions };\n","import type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Boolean permission check.\n *\n * @example\n *   const canEdit = useCan(\"properties\", \"update\");\n *   <Button disabled={!canEdit}>Speichern</Button>\n *\n * @example explicitly target a non-active company\n *   const canRead = useCan(\"payments\", \"read\", { companyId: targetId });\n */\nexport function useCan(\n  resource: string,\n  action: Action,\n  options?: CanOptions,\n): boolean {\n  const { resolver } = useAuthRbac();\n  return resolver.can(resource, action, options);\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useCan } from \"./useCan.js\";\n\nexport interface CanProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /** Rendered when the user has the permission. */\n  children: ReactNode;\n  /**\n   * Rendered when the user does NOT have the permission. Defaults\n   * to `null` (silent hide). Pass a `<NoPermissionView />` or a\n   * tooltip-wrapper to surface the denial explicitly.\n   */\n  fallback?: ReactNode;\n}\n\n/**\n * Subtree gate. Bails before children render so any data fetching\n * inside `children` is skipped for users without permission.\n */\nexport function Can(props: CanProps) {\n  const { resource, action, companyId, children, fallback = null } = props;\n  const allowed = useCan(resource, action, { companyId });\n  return <>{allowed ? children : fallback}</>;\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\nimport { useCan } from \"./useCan.js\";\n\nexport interface RequirePermissionProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /**\n   * What to render while the profile is still loading. Defaults to\n   * `null` (no flash) — pass a spinner if your routes typically\n   * mount before the profile lands.\n   */\n  loadingFallback?: ReactNode;\n  /**\n   * What to render when access is denied. Defaults to a minimal\n   * \"Sie haben keinen Zugriff\" message; pass your own component to\n   * theme it.\n   */\n  deniedFallback?: ReactNode;\n  /**\n   * For `react-router-dom v6` route-element usage, pass an `<Outlet />`\n   * here — the gate resolves to either the outlet or the denied\n   * fallback. For component-tree usage, pass any children.\n   */\n  children?: ReactNode;\n}\n\n/**\n * Route- or component-level guard. Three render branches:\n *\n *  - profile not yet loaded → `loadingFallback`\n *  - permission denied      → `deniedFallback`\n *  - permission granted     → `children`\n *\n * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.\n *\n * @example\n *   // App.tsx route table\n *   <Route element={\n *     <RequirePermission resource=\"payments\" action=\"read\">\n *       <Outlet />\n *     </RequirePermission>\n *   }>\n *     <Route path=\"/payments\" element={<PaymentsPage />} />\n *   </Route>\n */\nexport function RequirePermission(props: RequirePermissionProps) {\n  const {\n    resource,\n    action,\n    companyId,\n    loadingFallback = null,\n    deniedFallback = (\n      <div role=\"alert\" style={{ padding: 24 }}>\n        <strong>Sie haben keinen Zugriff.</strong>\n      </div>\n    ),\n    children = null,\n  } = props;\n\n  const { profile, loading } = useAuthRbac();\n  const allowed = useCan(resource, action, { companyId });\n\n  if (loading || profile == null) {\n    return <>{loadingFallback}</>;\n  }\n  if (!allowed) {\n    return <>{deniedFallback}</>;\n  }\n  return <>{children}</>;\n}\n","import { useMemo } from \"react\";\n\nimport type { CompanyMembership } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\nexport interface ActiveCompany {\n  id: string | null;\n  membership: CompanyMembership | null;\n  memberships: CompanyMembership[];\n  setActive: (id: string | null) => void;\n}\n\n/**\n * Read + switch the active company.\n *\n * @example\n *   const { id, memberships, setActive } = useActiveCompany();\n *\n *   return (\n *     <select value={id ?? \"\"} onChange={(e) => setActive(e.target.value || null)}>\n *       {memberships.map((m) => (\n *         <option key={m.company_id} value={m.company_id}>{m.company_name}</option>\n *       ))}\n *     </select>\n *   );\n */\nexport function useActiveCompany(): ActiveCompany {\n  const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();\n\n  return useMemo(() => {\n    const memberships = profile?.memberships ?? [];\n    const membership =\n      memberships.find((m) => m.company_id === activeCompanyId) ?? null;\n    return {\n      id: activeCompanyId,\n      membership,\n      memberships,\n      setActive: setActiveCompany,\n    };\n  }, [profile, activeCompanyId, setActiveCompany]);\n}\n","import { useMemo } from \"react\";\n\nimport type { FrontendConfig } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Reads the merged `frontend_config` for the user. Sources in\n * priority order: active company's membership > system roles. Use\n * this to drive sidebar items, dashboard defaults, and any other\n * \"what should this role see\" UX without hardcoded role checks.\n *\n * The shape is intentionally `Record<string, unknown>` — your host\n * project owns the schema. Document your keys (e.g. `sidebar`,\n * `default_dashboard`) once and stick to them.\n */\nexport function useFrontendConfig(): FrontendConfig {\n  const { profile, activeCompanyId } = useAuthRbac();\n  return useMemo(() => {\n    if (!profile) {\n      return {};\n    }\n    const membershipConfig =\n      profile.memberships.find((m) => m.company_id === activeCompanyId)\n        ?.frontend_config ?? {};\n    return { ...profile.system_frontend_config, ...membershipConfig };\n  }, [profile, activeCompanyId]);\n}\n","/**\n * Built-in fetchers — adopters can use these or pass their own\n * implementation of `AuthRbacFetcher`.\n */\n\nimport type { AuthRbacFetcher, UserProfile } from \"./types.js\";\n\n/**\n * Calls the package's SQL function `auth_rbac_user_profile(uuid)` via\n * a Supabase JS client. Easiest path when the host project already\n * uses Supabase.\n *\n * @example\n * createSupabaseFetcher({ supabase, userId: session.user.id })\n */\nexport function createSupabaseFetcher(opts: {\n  supabase: {\n    rpc: (\n      fn: string,\n      args: Record<string, unknown>,\n    ) => Promise<{ data: unknown; error: { message: string } | null }>;\n  };\n  userId: string;\n}): AuthRbacFetcher {\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const { data, error } = await opts.supabase.rpc(\n        \"auth_rbac_user_profile\",\n        { p_user_id: opts.userId },\n      );\n      if (error) {\n        throw new Error(\n          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`,\n        );\n      }\n      return normalizeProfile(data);\n    },\n  };\n}\n\n/**\n * Calls a regular HTTP endpoint that returns a `UserProfile` JSON\n * payload. Use this when the host project has its own backend that\n * wraps the package's Python helpers (or any equivalent).\n *\n * @example\n * createHttpFetcher({ url: \"/api/users/me/profile\" })\n */\nexport function createHttpFetcher(opts: {\n  url: string;\n  /** Forwarded as-is to `fetch`. Use this to attach auth headers. */\n  init?: RequestInit;\n  /** Override the global `fetch` if you're in a non-browser env. */\n  fetch?: typeof fetch;\n}): AuthRbacFetcher {\n  const fetchImpl = opts.fetch ?? globalThis.fetch;\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const res = await fetchImpl(opts.url, opts.init);\n      if (!res.ok) {\n        throw new Error(\n          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`,\n        );\n      }\n      const json = (await res.json()) as unknown;\n      return normalizeProfile(json);\n    },\n  };\n}\n\n/**\n * Defensive normalisation: the Supabase RPC returns whatever the SQL\n * function emitted. We coerce missing fields into the empty defaults\n * so consumers can iterate without null checks. Throws if the shape\n * is unrecognisable.\n */\nfunction normalizeProfile(raw: unknown): UserProfile {\n  if (!raw || typeof raw !== \"object\") {\n    throw new Error(\"auth-rbac: profile payload is not an object\");\n  }\n  const p = raw as Partial<UserProfile> & Record<string, unknown>;\n  if (typeof p.user_id !== \"string\") {\n    throw new Error(\"auth-rbac: profile payload missing user_id\");\n  }\n  return {\n    user_id: p.user_id,\n    is_super_admin: !!p.is_super_admin,\n    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],\n    system_permissions:\n      p.system_permissions && typeof p.system_permissions === \"object\"\n        ? (p.system_permissions as UserProfile[\"system_permissions\"])\n        : {},\n    system_frontend_config:\n      p.system_frontend_config && typeof p.system_frontend_config === \"object\"\n        ? (p.system_frontend_config as UserProfile[\"system_frontend_config\"])\n        : {},\n    memberships: Array.isArray(p.memberships)\n      ? (p.memberships as UserProfile[\"memberships\"])\n      : [],\n  };\n}\n","/**\n * Typed factory — turns a const-asserted resource registry into a\n * set of hooks/components whose `resource` arg is constrained to\n * the registered names. Typos become TypeScript errors instead of\n * silent runtime `false`.\n *\n * @example\n *   // src/auth/resources.ts\n *   import { defineAuthRbac } from \"snipe-auth-rbac/react\";\n *\n *   export const RESOURCES = [\n *     { resource: \"properties\", scope: \"company\", label: \"Liegenschaften\", group: \"Stammdaten\" },\n *     { resource: \"payments\",   scope: \"company\", label: \"Zahlungen\",     group: \"Finanzen\" },\n *     { resource: \"system_audit\", scope: \"system\",  label: \"Audit-Log\",    group: \"Plattform\" },\n *   ] as const;\n *\n *   export const { useCan, Can, RequirePermission } = defineAuthRbac(RESOURCES);\n *\n *   // ----- elsewhere -----\n *   useCan(\"properties\", \"update\");       // ✓\n *   useCan(\"paymetns\", \"update\");          // ✗ TS error: not assignable to type \"properties\" | \"payments\" | \"system_audit\"\n */\n\nimport type { ComponentType, ReactNode } from \"react\";\n\nimport type {\n  Action,\n  ResourceDescriptor,\n  ResourceRegistry,\n} from \"./types.js\";\n\n/**\n * Drop-in replacement signatures for the three guards, with a\n * narrowed `resource` arg.\n */\nexport interface TypedGuards<R extends string> {\n  useCan: (\n    resource: R,\n    action: Action,\n    options?: { companyId?: string | null },\n  ) => boolean;\n  Can: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    children: ReactNode;\n    fallback?: ReactNode;\n  }>;\n  RequirePermission: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    loadingFallback?: ReactNode;\n    deniedFallback?: ReactNode;\n    children?: ReactNode;\n  }>;\n  /** The const-asserted registry, re-exported so call-sites can iterate. */\n  resources: ResourceRegistry;\n  /** All registered resource names as a union — handy for typing\n   *  application-side data structures. */\n  resourceNames: ReadonlyArray<R>;\n}\n\n/**\n * Factory. Run once at module-init time in your host project; the\n * returned hooks/components are referentially stable.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(\n  resources: Reg,\n  // The runtime guards live in the React entry; we accept them\n  // here as plain refs so this module stays React-free at the type\n  // level. The `react` entry calls this factory passing its own\n  // exports so adopters never see the wiring.\n  runtime: {\n    useCan: TypedGuards<string>[\"useCan\"];\n    Can: TypedGuards<string>[\"Can\"];\n    RequirePermission: TypedGuards<string>[\"RequirePermission\"];\n  },\n): TypedGuards<Reg[number][\"resource\"]> {\n  type R = Reg[number][\"resource\"];\n  return {\n    useCan: runtime.useCan as TypedGuards<R>[\"useCan\"],\n    Can: runtime.Can as TypedGuards<R>[\"Can\"],\n    RequirePermission: runtime.RequirePermission as TypedGuards<R>[\"RequirePermission\"],\n    resources,\n    resourceNames: resources.map((r) => r.resource) as ReadonlyArray<R>,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAAA;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,mBAQO;;;ACkCA,SAAS,wBACd,WACA,SACA,kBACA;AACA,QAAM,kBAAkB,IAAI;AAAA,IAC1B,UAAU,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC;AAAA,EAC5C;AAEA,QAAM,MAAM,CACV,UACA,QACA,YACY;AACZ,QAAI,QAAQ,gBAAgB;AAC1B,aAAO;AAAA,IACT;AACA,UAAM,QAAQ,gBAAgB,IAAI,QAAQ;AAC1C,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AACA,QAAI,UAAU,UAAU;AACtB,aAAO,SAAS,QAAQ,oBAAoB,UAAU,MAAM;AAAA,IAC9D;AACA,UAAM,YAAY,SAAS,aAAa;AACxC,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,IACT;AACA,UAAM,aAAa,QAAQ,YAAY;AAAA,MACrC,CAAC,MAAM,EAAE,eAAe;AAAA,IAC1B;AACA,QAAI,CAAC,YAAY;AACf,aAAO;AAAA,IACT;AACA,WAAO,SAAS,WAAW,aAAa,UAAU,MAAM;AAAA,EAC1D;AAEA,SAAO;AAAA,IACL;AAAA;AAAA,IAEA,mBAAmB,CAAC,cAA6C;AAC/D,YAAM,KAAK,aAAa;AACxB,UAAI,CAAC,IAAI;AACP,eAAO,CAAC;AAAA,MACV;AACA,aACE,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,eAAe,CAAC;AAAA,IAE1E;AAAA,IACA,mBAAmB,MAAqB,QAAQ;AAAA,EAClD;AACF;AAEA,SAAS,SACP,KACA,UACA,QACS;AACT,QAAM,OAAO,IAAI,QAAQ;AACzB,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,EACT;AACA,SAAO,KAAK,MAAM;AACpB;;;AD0EI;AAhJJ,IAAM,sBAAkB,4BAA2C,IAAI;AAuBvE,IAAM,cAAc;AAEpB,IAAM,iBAAiB,CAAC,OAAsB;AAC5C,MAAI,OAAO,WAAW,aAAa;AACjC;AAAA,EACF;AACA,MAAI;AACF,QAAI,MAAM,MAAM;AACd,aAAO,aAAa,WAAW,WAAW;AAAA,IAC5C,OAAO;AACL,aAAO,aAAa,QAAQ,aAAa,EAAE;AAAA,IAC7C;AAAA,EACF,QAAQ;AAAA,EAGR;AACF;AAEA,IAAM,gBAAgB,MAAqB;AACzC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,aAAa,QAAQ,WAAW;AAAA,EAChD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAiB,OAA8B;AAC7D,QAAM,EAAE,SAAS,WAAW,kBAAkB,qBAAqB,IAAI;AAEvE,QAAM,CAAC,SAAS,UAAU,QAAI,uBAA6B,IAAI;AAC/D,QAAM,CAAC,SAAS,UAAU,QAAI,uBAAS,IAAI;AAC3C,QAAM,CAAC,OAAO,QAAQ,QAAI,uBAAuB,IAAI;AAErD,QAAM,CAAC,iBAAiB,qBAAqB,QAAI;AAAA,IAC/C,oBAAoB,cAAc;AAAA,EACpC;AAEA,QAAM,cAAU,sBAAQ,MAAM;AAC5B,QAAI,yBAAyB,OAAO;AAClC,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AACA,WAAO,wBAAwB;AAAA,EACjC,GAAG,CAAC,oBAAoB,CAAC;AAEzB,QAAM,uBAAmB;AAAA,IACvB,CAAC,OAAsB;AACrB,4BAAsB,EAAE;AACxB,cAAQ,EAAE;AAAA,IACZ;AAAA,IACA,CAAC,OAAO;AAAA,EACV;AAEA,QAAM,cAAU,0BAAY,YAAY;AACtC,eAAW,IAAI;AACf,aAAS,IAAI;AACb,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,iBAAW,IAAI;AAGf,YAAM,cACJ,mBAAmB,QACnB,KAAK,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe;AAC/D,UAAI,CAAC,aAAa;AAChB,cAAM,WACJ,KAAK,YAAY,CAAC,GAAG,cAAc;AACrC,8BAAsB,QAAQ;AAC9B,gBAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,GAAG;AACV,eAAS,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,CAAC,CAAC,CAAC;AAAA,IACxD,UAAE;AACA,iBAAW,KAAK;AAAA,IAClB;AAAA,EAEF,GAAG,CAAC,OAAO,CAAC;AAEZ,8BAAU,MAAM;AACd,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,QAAM,eAAW,sBAAwB,MAAM;AAC7C,QAAI,WAAW,MAAM;AAGnB,aAAO;AAAA,QACL,KAAK,MAAM;AAAA,QACX,mBAAmB,OAAO,CAAC;AAAA,QAC3B,mBAAmB,OAAO,CAAC;AAAA,MAC7B;AAAA,IACF;AACA,WAAO,wBAAwB,WAAW,SAAS,eAAe;AAAA,EACpE,GAAG,CAAC,SAAS,WAAW,eAAe,CAAC;AAExC,QAAM,YAAQ;AAAA,IACZ,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SACE,4CAAC,gBAAgB,UAAhB,EAAyB,OACvB,gBAAM,UACT;AAEJ;AAEO,SAAS,cAAoC;AAClD,QAAM,UAAM,yBAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;AEnLO,SAAS,OACd,UACA,QACA,SACS;AACT,QAAM,EAAE,SAAS,IAAI,YAAY;AACjC,SAAO,SAAS,IAAI,UAAU,QAAQ,OAAO;AAC/C;;;ACKS,IAAAC,sBAAA;AAHF,SAAS,IAAI,OAAiB;AACnC,QAAM,EAAE,UAAU,QAAQ,WAAW,UAAU,WAAW,KAAK,IAAI;AACnE,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AACtD,SAAO,6EAAG,oBAAU,WAAW,UAAS;AAC1C;;;AC8BQ,IAAAC,sBAAA;AARD,SAAS,kBAAkB,OAA+B;AAC/D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,IAClB,iBACE,6CAAC,SAAI,MAAK,SAAQ,OAAO,EAAE,SAAS,GAAG,GACrC,uDAAC,YAAO,uCAAyB,GACnC;AAAA,IAEF,WAAW;AAAA,EACb,IAAI;AAEJ,QAAM,EAAE,SAAS,QAAQ,IAAI,YAAY;AACzC,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AAEtD,MAAI,WAAW,WAAW,MAAM;AAC9B,WAAO,6EAAG,2BAAgB;AAAA,EAC5B;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,6EAAG,0BAAe;AAAA,EAC3B;AACA,SAAO,6EAAG,UAAS;AACrB;;;AC1EA,IAAAC,gBAAwB;AA2BjB,SAAS,mBAAkC;AAChD,QAAM,EAAE,SAAS,iBAAiB,iBAAiB,IAAI,YAAY;AAEnE,aAAO,uBAAQ,MAAM;AACnB,UAAM,cAAc,SAAS,eAAe,CAAC;AAC7C,UAAM,aACJ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,KAAK;AAC/D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,MACA,WAAW;AAAA,IACb;AAAA,EACF,GAAG,CAAC,SAAS,iBAAiB,gBAAgB,CAAC;AACjD;;;ACzCA,IAAAC,gBAAwB;AAgBjB,SAAS,oBAAoC;AAClD,QAAM,EAAE,SAAS,gBAAgB,IAAI,YAAY;AACjD,aAAO,uBAAQ,MAAM;AACnB,QAAI,CAAC,SAAS;AACZ,aAAO,CAAC;AAAA,IACV;AACA,UAAM,mBACJ,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,GAC5D,mBAAmB,CAAC;AAC1B,WAAO,EAAE,GAAG,QAAQ,wBAAwB,GAAG,iBAAiB;AAAA,EAClE,GAAG,CAAC,SAAS,eAAe,CAAC;AAC/B;;;ACZO,SAAS,sBAAsB,MAQlB;AAClB,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAAS;AAAA,QAC1C;AAAA,QACA,EAAE,WAAW,KAAK,OAAO;AAAA,MAC3B;AACA,UAAI,OAAO;AACT,cAAM,IAAI;AAAA,UACR,4DAA4D,MAAM,OAAO;AAAA,QAC3E;AAAA,MACF;AACA,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAUO,SAAS,kBAAkB,MAMd;AAClB,QAAM,YAAY,KAAK,SAAS,WAAW;AAC3C,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,MAAM,MAAM,UAAU,KAAK,KAAK,KAAK,IAAI;AAC/C,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI;AAAA,UACR,+BAA+B,KAAK,GAAG,aAAa,IAAI,MAAM;AAAA,QAChE;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAQA,SAAS,iBAAiB,KAA2B;AACnD,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,SAAO;AAAA,IACL,SAAS,EAAE;AAAA,IACX,gBAAgB,CAAC,CAAC,EAAE;AAAA,IACpB,cAAc,MAAM,QAAQ,EAAE,YAAY,IAAI,EAAE,eAAe,CAAC;AAAA,IAChE,oBACE,EAAE,sBAAsB,OAAO,EAAE,uBAAuB,WACnD,EAAE,qBACH,CAAC;AAAA,IACP,wBACE,EAAE,0BAA0B,OAAO,EAAE,2BAA2B,WAC3D,EAAE,yBACH,CAAC;AAAA,IACP,aAAa,MAAM,QAAQ,EAAE,WAAW,IACnC,EAAE,cACH,CAAC;AAAA,EACP;AACF;;;ACjCO,SAAS,eAGd,WAKA,SAKsC;AAEtC,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb,mBAAmB,QAAQ;AAAA,IAC3B;AAAA,IACA,eAAe,UAAU,IAAI,CAAC,MAAM,EAAE,QAAQ;AAAA,EAChD;AACF;;;AT9BO,SAASC,gBAEd,WAAsD;AACtD,SAAO,eAAgB,WAAW;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;","names":["defineAuthRbac","import_jsx_runtime","import_jsx_runtime","import_react","import_react","defineAuthRbac"]}
+{"version":3,"sources":["../../src/react/index.ts","../../src/react/AuthRbacProvider.tsx","../../src/client.ts","../../src/react/useCan.ts","../../src/react/Can.tsx","../../src/react/RequirePermission.tsx","../../src/react/useActiveCompany.ts","../../src/react/useFrontendConfig.ts","../../src/fetchers.ts","../../src/define.ts"],"sourcesContent":["/**\n * React + Next.js entry. Import this in browser code:\n *\n *   import { AuthRbacProvider, useCan } from \"snipe-auth-rbac/react\";\n *\n * The non-React entry (`snipe-auth-rbac`) re-exports types and the\n * pure resolver, suitable for Node, edge workers, and tests.\n */\n\nexport {\n  AuthRbacProvider,\n  useAuthRbac,\n  type AuthRbacProviderProps,\n} from \"./AuthRbacProvider.js\";\n\nexport { useCan } from \"./useCan.js\";\nexport { Can, type CanProps } from \"./Can.js\";\nexport {\n  RequirePermission,\n  type RequirePermissionProps,\n} from \"./RequirePermission.js\";\nexport { useActiveCompany, type ActiveCompany } from \"./useActiveCompany.js\";\nexport { useFrontendConfig } from \"./useFrontendConfig.js\";\n\n// Re-exports for convenience so consumers don't need two imports.\nexport type {\n  Action,\n  AuthRbacFetcher,\n  CompanyMembership,\n  FrontendConfig,\n  PermissionGrid,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  RoleSummary,\n  UserProfile,\n} from \"../types.js\";\n\nexport {\n  createSupabaseFetcher,\n  createHttpFetcher,\n  detectRbacSchema,\n} from \"../fetchers.js\";\n\nimport { defineAuthRbac as _defineAuthRbac } from \"../define.js\";\nimport { Can } from \"./Can.js\";\nimport { RequirePermission } from \"./RequirePermission.js\";\nimport { useCan } from \"./useCan.js\";\n\nimport type { ResourceDescriptor } from \"../types.js\";\nimport type { TypedGuards } from \"../define.js\";\n\n/**\n * Typed factory — pass a const-asserted resource registry and get\n * back guards whose `resource` arg is constrained to the registered\n * names. Recommended at the top of every host project.\n *\n * See ../define.ts for the full doc + example.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(resources: Reg): TypedGuards<Reg[number][\"resource\"]> {\n  return _defineAuthRbac(resources, {\n    useCan,\n    Can,\n    RequirePermission,\n  });\n}\n\nexport type { TypedGuards } from \"../define.js\";\n","import {\n  createContext,\n  useCallback,\n  useContext,\n  useEffect,\n  useMemo,\n  useState,\n  type ReactNode,\n} from \"react\";\n\nimport {\n  buildPermissionResolver,\n  type AuthRbacClient,\n} from \"../client.js\";\nimport type {\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceRegistry,\n  UserProfile,\n} from \"../types.js\";\n\ninterface AuthRbacContextValue {\n  /**\n   * `null` means we haven't hydrated yet. Components should treat\n   * the not-loaded state as \"no permissions\" (fail-closed).\n   */\n  profile: UserProfile | null;\n  loading: boolean;\n  error: Error | null;\n  resources: ResourceRegistry;\n  activeCompanyId: string | null;\n  setActiveCompany: (id: string | null) => void;\n  refresh: () => Promise<void>;\n  resolver: AuthRbacClient;\n}\n\nconst AuthRbacContext = createContext<AuthRbacContextValue | null>(null);\n\nexport interface AuthRbacProviderProps {\n  fetcher: AuthRbacFetcher;\n  resources: ResourceRegistry;\n  /**\n   * Initial active company. Common patterns:\n   *  - read from URL query/path\n   *  - read from localStorage\n   *  - omit and let the user pick from the switcher\n   */\n  initialCompanyId?: string | null;\n  /**\n   * Persistence hook. Called every time the active company changes.\n   * Default: writes to `localStorage` under\n   * `auth-rbac:active-company`. Pass `false` to disable.\n   */\n  persistActiveCompany?:\n    | ((id: string | null) => void)\n    | false;\n  children: ReactNode;\n}\n\nconst STORAGE_KEY = \"auth-rbac:active-company\";\n\nconst defaultPersist = (id: string | null) => {\n  if (typeof window === \"undefined\") {\n    return;\n  }\n  try {\n    if (id == null) {\n      window.localStorage.removeItem(STORAGE_KEY);\n    } else {\n      window.localStorage.setItem(STORAGE_KEY, id);\n    }\n  } catch {\n    // localStorage may be unavailable (private browsing, SSR) —\n    // fall back to in-memory only.\n  }\n};\n\nconst readPersisted = (): string | null => {\n  if (typeof window === \"undefined\") {\n    return null;\n  }\n  try {\n    return window.localStorage.getItem(STORAGE_KEY);\n  } catch {\n    return null;\n  }\n};\n\nexport function AuthRbacProvider(props: AuthRbacProviderProps) {\n  const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;\n\n  const [profile, setProfile] = useState<UserProfile | null>(null);\n  const [loading, setLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const [activeCompanyId, setActiveCompanyState] = useState<string | null>(\n    initialCompanyId ?? readPersisted(),\n  );\n\n  const persist = useMemo(() => {\n    if (persistActiveCompany === false) {\n      return () => {};\n    }\n    return persistActiveCompany ?? defaultPersist;\n  }, [persistActiveCompany]);\n\n  const setActiveCompany = useCallback(\n    (id: string | null) => {\n      setActiveCompanyState(id);\n      persist(id);\n    },\n    [persist],\n  );\n\n  const refresh = useCallback(async () => {\n    setLoading(true);\n    setError(null);\n    try {\n      const next = await fetcher.fetchProfile();\n      setProfile(next);\n      // If the persisted company isn't a membership, fall back to\n      // the first one (or null for users with no memberships).\n      const stillMember =\n        activeCompanyId != null &&\n        next.memberships.some((m) => m.company_id === activeCompanyId);\n      if (!stillMember) {\n        const fallback =\n          next.memberships[0]?.company_id ?? null;\n        setActiveCompanyState(fallback);\n        persist(fallback);\n      }\n    } catch (e) {\n      setError(e instanceof Error ? e : new Error(String(e)));\n    } finally {\n      setLoading(false);\n    }\n    // eslint-disable-next-line react-hooks/exhaustive-deps\n  }, [fetcher]);\n\n  useEffect(() => {\n    void refresh();\n  }, [refresh]);\n\n  const resolver = useMemo<AuthRbacClient>(() => {\n    if (profile == null) {\n      // Empty resolver until the profile lands. Always returns\n      // false → guards fall through to the unauthenticated branch.\n      return {\n        can: () => false,\n        activePermissions: () => ({}) as PermissionMap,\n        systemPermissions: () => ({}) as PermissionMap,\n      };\n    }\n    return buildPermissionResolver(resources, profile, activeCompanyId);\n  }, [profile, resources, activeCompanyId]);\n\n  const value = useMemo<AuthRbacContextValue>(\n    () => ({\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    }),\n    [\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    ],\n  );\n\n  return (\n    <AuthRbacContext.Provider value={value}>\n      {props.children}\n    </AuthRbacContext.Provider>\n  );\n}\n\nexport function useAuthRbac(): AuthRbacContextValue {\n  const ctx = useContext(AuthRbacContext);\n  if (!ctx) {\n    throw new Error(\n      \"useAuthRbac must be used within an <AuthRbacProvider> — wrap your app at the root.\",\n    );\n  }\n  return ctx;\n}\n","/**\n * Transport-agnostic client: turns an adopter-supplied\n * `AuthRbacFetcher` into a permission resolver. The React provider\n * wraps this; non-React consumers (Node scripts, edge functions)\n * can use it directly.\n */\n\nimport type {\n  Action,\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  UserProfile,\n} from \"./types.js\";\n\nexport interface AuthRbacClientOptions {\n  fetcher: AuthRbacFetcher;\n  /**\n   * The host project's full resource list. Required so the resolver\n   * can look up a resource's scope without a DB round-trip per call.\n   * Re-using the same array the host syncs into the\n   * `rbac.resources` table at boot keeps everything in lockstep.\n   */\n  resources: ResourceRegistry;\n}\n\nexport interface CanOptions {\n  /**\n   * Override the active company. Omit to use the company the\n   * caller has currently activated (the React provider tracks\n   * this; for direct client use you must pass it).\n   */\n  companyId?: string | null;\n}\n\n/**\n * Pure resolver. Given a hydrated profile it answers boolean\n * questions instantly — no I/O. The `resourceMap` is built once at\n * construction so per-call work is two map lookups.\n */\nexport function buildPermissionResolver(\n  resources: ResourceRegistry,\n  profile: UserProfile,\n  defaultCompanyId: string | null,\n) {\n  const scopeByResource = new Map<string, ResourceScope>(\n    resources.map((r) => [r.resource, r.scope]),\n  );\n\n  const can = (\n    resource: string,\n    action: Action,\n    options?: CanOptions,\n  ): boolean => {\n    if (profile.is_super_admin) {\n      return true;\n    }\n    const scope = scopeByResource.get(resource);\n    if (!scope) {\n      // Unknown resource — fail closed.\n      return false;\n    }\n    if (scope === \"system\") {\n      return readGrid(profile.system_permissions, resource, action);\n    }\n    const companyId = options?.companyId ?? defaultCompanyId;\n    if (!companyId) {\n      return false;\n    }\n    const membership = profile.memberships.find(\n      (m) => m.company_id === companyId,\n    );\n    if (!membership) {\n      return false;\n    }\n    return readGrid(membership.permissions, resource, action);\n  };\n\n  return {\n    can,\n    /** Permission map for the active (or specified) company. */\n    activePermissions: (companyId?: string | null): PermissionMap => {\n      const id = companyId ?? defaultCompanyId;\n      if (!id) {\n        return {};\n      }\n      return (\n        profile.memberships.find((m) => m.company_id === id)?.permissions ?? {}\n      );\n    },\n    systemPermissions: (): PermissionMap => profile.system_permissions,\n  };\n}\n\nfunction readGrid(\n  map: PermissionMap,\n  resource: string,\n  action: Action,\n): boolean {\n  const grid = map[resource];\n  if (!grid) {\n    return false;\n  }\n  return grid[action];\n}\n\n/**\n * Helper: groups a resource registry by `group` for the matrix UI.\n * Returns groups in insertion order with their resources.\n */\nexport function groupResources(\n  registry: ResourceRegistry,\n): Array<{ group: string; resources: ResourceDescriptor[] }> {\n  const order: string[] = [];\n  const buckets = new Map<string, ResourceDescriptor[]>();\n  for (const r of registry) {\n    const key = r.group ?? \"Sonstige\";\n    if (!buckets.has(key)) {\n      buckets.set(key, []);\n      order.push(key);\n    }\n    buckets.get(key)!.push(r);\n  }\n  return order.map((g) => ({ group: g, resources: buckets.get(g)! }));\n}\n\nexport type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;\nexport type { AuthRbacClientOptions as ClientOptions };\n","import type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Boolean permission check.\n *\n * @example\n *   const canEdit = useCan(\"properties\", \"update\");\n *   <Button disabled={!canEdit}>Speichern</Button>\n *\n * @example explicitly target a non-active company\n *   const canRead = useCan(\"payments\", \"read\", { companyId: targetId });\n */\nexport function useCan(\n  resource: string,\n  action: Action,\n  options?: CanOptions,\n): boolean {\n  const { resolver } = useAuthRbac();\n  return resolver.can(resource, action, options);\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useCan } from \"./useCan.js\";\n\nexport interface CanProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /** Rendered when the user has the permission. */\n  children: ReactNode;\n  /**\n   * Rendered when the user does NOT have the permission. Defaults\n   * to `null` (silent hide). Pass a `<NoPermissionView />` or a\n   * tooltip-wrapper to surface the denial explicitly.\n   */\n  fallback?: ReactNode;\n}\n\n/**\n * Subtree gate. Bails before children render so any data fetching\n * inside `children` is skipped for users without permission.\n */\nexport function Can(props: CanProps) {\n  const { resource, action, companyId, children, fallback = null } = props;\n  const allowed = useCan(resource, action, { companyId });\n  return <>{allowed ? children : fallback}</>;\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\nimport { useCan } from \"./useCan.js\";\n\nexport interface RequirePermissionProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /**\n   * What to render while the profile is still loading. Defaults to\n   * `null` (no flash) — pass a spinner if your routes typically\n   * mount before the profile lands.\n   */\n  loadingFallback?: ReactNode;\n  /**\n   * What to render when access is denied. Defaults to a minimal\n   * \"Sie haben keinen Zugriff\" message; pass your own component to\n   * theme it.\n   */\n  deniedFallback?: ReactNode;\n  /**\n   * For `react-router-dom v6` route-element usage, pass an `<Outlet />`\n   * here — the gate resolves to either the outlet or the denied\n   * fallback. For component-tree usage, pass any children.\n   */\n  children?: ReactNode;\n}\n\n/**\n * Route- or component-level guard. Three render branches:\n *\n *  - profile not yet loaded → `loadingFallback`\n *  - permission denied      → `deniedFallback`\n *  - permission granted     → `children`\n *\n * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.\n *\n * @example\n *   // App.tsx route table\n *   <Route element={\n *     <RequirePermission resource=\"payments\" action=\"read\">\n *       <Outlet />\n *     </RequirePermission>\n *   }>\n *     <Route path=\"/payments\" element={<PaymentsPage />} />\n *   </Route>\n */\nexport function RequirePermission(props: RequirePermissionProps) {\n  const {\n    resource,\n    action,\n    companyId,\n    loadingFallback = null,\n    deniedFallback = (\n      <div role=\"alert\" style={{ padding: 24 }}>\n        <strong>Sie haben keinen Zugriff.</strong>\n      </div>\n    ),\n    children = null,\n  } = props;\n\n  const { profile, loading } = useAuthRbac();\n  const allowed = useCan(resource, action, { companyId });\n\n  if (loading || profile == null) {\n    return <>{loadingFallback}</>;\n  }\n  if (!allowed) {\n    return <>{deniedFallback}</>;\n  }\n  return <>{children}</>;\n}\n","import { useMemo } from \"react\";\n\nimport type { CompanyMembership } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\nexport interface ActiveCompany {\n  id: string | null;\n  membership: CompanyMembership | null;\n  memberships: CompanyMembership[];\n  setActive: (id: string | null) => void;\n}\n\n/**\n * Read + switch the active company.\n *\n * @example\n *   const { id, memberships, setActive } = useActiveCompany();\n *\n *   return (\n *     <select value={id ?? \"\"} onChange={(e) => setActive(e.target.value || null)}>\n *       {memberships.map((m) => (\n *         <option key={m.company_id} value={m.company_id}>{m.company_name}</option>\n *       ))}\n *     </select>\n *   );\n */\nexport function useActiveCompany(): ActiveCompany {\n  const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();\n\n  return useMemo(() => {\n    const memberships = profile?.memberships ?? [];\n    const membership =\n      memberships.find((m) => m.company_id === activeCompanyId) ?? null;\n    return {\n      id: activeCompanyId,\n      membership,\n      memberships,\n      setActive: setActiveCompany,\n    };\n  }, [profile, activeCompanyId, setActiveCompany]);\n}\n","import { useMemo } from \"react\";\n\nimport type { FrontendConfig } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Reads the merged `frontend_config` for the user. Sources in\n * priority order: active company's membership > system roles. Use\n * this to drive sidebar items, dashboard defaults, and any other\n * \"what should this role see\" UX without hardcoded role checks.\n *\n * The shape is intentionally `Record<string, unknown>` — your host\n * project owns the schema. Document your keys (e.g. `sidebar`,\n * `default_dashboard`) once and stick to them.\n */\nexport function useFrontendConfig(): FrontendConfig {\n  const { profile, activeCompanyId } = useAuthRbac();\n  return useMemo(() => {\n    if (!profile) {\n      return {};\n    }\n    const membershipConfig =\n      profile.memberships.find((m) => m.company_id === activeCompanyId)\n        ?.frontend_config ?? {};\n    return { ...profile.system_frontend_config, ...membershipConfig };\n  }, [profile, activeCompanyId]);\n}\n","/**\n * Built-in fetchers — adopters can use these or pass their own\n * implementation of `AuthRbacFetcher`.\n */\n\nimport type { AuthRbacFetcher, UserProfile } from \"./types.js\";\n\n/**\n * Calls the package's SQL function `rbac.user_profile(uuid)` via\n * a Supabase JS client. Easiest path when the host project already\n * uses Supabase.\n *\n * The function lives in the dedicated `rbac` Postgres schema, so the\n * adopter must add `rbac` to their PostgREST exposed-schemas list\n * (Supabase Studio → Settings → API → Exposed schemas) for the\n * `.schema('rbac')` call below to reach it.\n *\n * @example\n * createSupabaseFetcher({ supabase, userId: session.user.id })\n */\nexport function createSupabaseFetcher(opts: {\n  supabase: {\n    schema: (name: string) => {\n      rpc: (\n        fn: string,\n        args: Record<string, unknown>,\n      ) => Promise<{ data: unknown; error: { message: string } | null }>;\n    };\n  };\n  userId: string;\n}): AuthRbacFetcher {\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const { data, error } = await opts.supabase.schema(\"rbac\").rpc(\n        \"user_profile\",\n        { p_user_id: opts.userId },\n      );\n      if (error) {\n        throw new Error(\n          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`,\n        );\n      }\n      return normalizeProfile(data);\n    },\n  };\n}\n\n/**\n * Cheap probe — returns true if the package's `rbac` schema looks\n * reachable. Useful at app start to fail loudly if the migration\n * hasn't been applied OR if `rbac` isn't in the project's PostgREST\n * exposed-schemas list.\n *\n * @example\n * if (!(await detectRbacSchema(supabase))) {\n *   console.error(\"rbac schema not reachable — apply 0001_initial.sql\");\n * }\n */\nexport async function detectRbacSchema(supabase: {\n  schema: (name: string) => {\n    rpc: (\n      fn: string,\n      args: Record<string, unknown>,\n    ) => Promise<{ data: unknown; error: { message: string } | null }>;\n  };\n}): Promise<boolean> {\n  try {\n    const { error } = await supabase.schema(\"rbac\").rpc(\"user_can\", {\n      p_user_id: \"00000000-0000-0000-0000-000000000000\",\n      p_resource: \"__rbac_self_check__\",\n      p_action: \"read\",\n      p_company_id: null,\n    });\n    return error === null;\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Calls a regular HTTP endpoint that returns a `UserProfile` JSON\n * payload. Use this when the host project has its own backend that\n * wraps the package's Python helpers (or any equivalent).\n *\n * @example\n * createHttpFetcher({ url: \"/api/users/me/profile\" })\n */\nexport function createHttpFetcher(opts: {\n  url: string;\n  /** Forwarded as-is to `fetch`. Use this to attach auth headers. */\n  init?: RequestInit;\n  /** Override the global `fetch` if you're in a non-browser env. */\n  fetch?: typeof fetch;\n}): AuthRbacFetcher {\n  const fetchImpl = opts.fetch ?? globalThis.fetch;\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const res = await fetchImpl(opts.url, opts.init);\n      if (!res.ok) {\n        throw new Error(\n          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`,\n        );\n      }\n      const json = (await res.json()) as unknown;\n      return normalizeProfile(json);\n    },\n  };\n}\n\n/**\n * Defensive normalisation: the Supabase RPC returns whatever the SQL\n * function emitted. We coerce missing fields into the empty defaults\n * so consumers can iterate without null checks. Throws if the shape\n * is unrecognisable.\n */\nfunction normalizeProfile(raw: unknown): UserProfile {\n  if (!raw || typeof raw !== \"object\") {\n    throw new Error(\"auth-rbac: profile payload is not an object\");\n  }\n  const p = raw as Partial<UserProfile> & Record<string, unknown>;\n  if (typeof p.user_id !== \"string\") {\n    throw new Error(\"auth-rbac: profile payload missing user_id\");\n  }\n  return {\n    user_id: p.user_id,\n    is_super_admin: !!p.is_super_admin,\n    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],\n    system_permissions:\n      p.system_permissions && typeof p.system_permissions === \"object\"\n        ? (p.system_permissions as UserProfile[\"system_permissions\"])\n        : {},\n    system_frontend_config:\n      p.system_frontend_config && typeof p.system_frontend_config === \"object\"\n        ? (p.system_frontend_config as UserProfile[\"system_frontend_config\"])\n        : {},\n    memberships: Array.isArray(p.memberships)\n      ? (p.memberships as UserProfile[\"memberships\"])\n      : [],\n  };\n}\n","/**\n * Typed factory — turns a const-asserted resource registry into a\n * set of hooks/components whose `resource` arg is constrained to\n * the registered names. Typos become TypeScript errors instead of\n * silent runtime `false`.\n *\n * @example\n *   // src/auth/resources.ts\n *   import { defineAuthRbac } from \"snipe-auth-rbac/react\";\n *\n *   export const RESOURCES = [\n *     { resource: \"properties\", scope: \"company\", label: \"Liegenschaften\", group: \"Stammdaten\" },\n *     { resource: \"payments\",   scope: \"company\", label: \"Zahlungen\",     group: \"Finanzen\" },\n *     { resource: \"system_audit\", scope: \"system\",  label: \"Audit-Log\",    group: \"Plattform\" },\n *   ] as const;\n *\n *   export const { useCan, Can, RequirePermission } = defineAuthRbac(RESOURCES);\n *\n *   // ----- elsewhere -----\n *   useCan(\"properties\", \"update\");       // ✓\n *   useCan(\"paymetns\", \"update\");          // ✗ TS error: not assignable to type \"properties\" | \"payments\" | \"system_audit\"\n */\n\nimport type { ComponentType, ReactNode } from \"react\";\n\nimport type {\n  Action,\n  ResourceDescriptor,\n  ResourceRegistry,\n} from \"./types.js\";\n\n/**\n * Drop-in replacement signatures for the three guards, with a\n * narrowed `resource` arg.\n */\nexport interface TypedGuards<R extends string> {\n  useCan: (\n    resource: R,\n    action: Action,\n    options?: { companyId?: string | null },\n  ) => boolean;\n  Can: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    children: ReactNode;\n    fallback?: ReactNode;\n  }>;\n  RequirePermission: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    loadingFallback?: ReactNode;\n    deniedFallback?: ReactNode;\n    children?: ReactNode;\n  }>;\n  /** The const-asserted registry, re-exported so call-sites can iterate. */\n  resources: ResourceRegistry;\n  /** All registered resource names as a union — handy for typing\n   *  application-side data structures. */\n  resourceNames: ReadonlyArray<R>;\n}\n\n/**\n * Factory. Run once at module-init time in your host project; the\n * returned hooks/components are referentially stable.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(\n  resources: Reg,\n  // The runtime guards live in the React entry; we accept them\n  // here as plain refs so this module stays React-free at the type\n  // level. The `react` entry calls this factory passing its own\n  // exports so adopters never see the wiring.\n  runtime: {\n    useCan: TypedGuards<string>[\"useCan\"];\n    Can: TypedGuards<string>[\"Can\"];\n    RequirePermission: TypedGuards<string>[\"RequirePermission\"];\n  },\n): TypedGuards<Reg[number][\"resource\"]> {\n  type R = Reg[number][\"resource\"];\n  return {\n    useCan: runtime.useCan as TypedGuards<R>[\"useCan\"],\n    Can: runtime.Can as TypedGuards<R>[\"Can\"],\n    RequirePermission: runtime.RequirePermission as TypedGuards<R>[\"RequirePermission\"],\n    resources,\n    resourceNames: resources.map((r) => r.resource) as ReadonlyArray<R>,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAAA;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,mBAQO;;;ACkCA,SAAS,wBACd,WACA,SACA,kBACA;AACA,QAAM,kBAAkB,IAAI;AAAA,IAC1B,UAAU,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC;AAAA,EAC5C;AAEA,QAAM,MAAM,CACV,UACA,QACA,YACY;AACZ,QAAI,QAAQ,gBAAgB;AAC1B,aAAO;AAAA,IACT;AACA,UAAM,QAAQ,gBAAgB,IAAI,QAAQ;AAC1C,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AACA,QAAI,UAAU,UAAU;AACtB,aAAO,SAAS,QAAQ,oBAAoB,UAAU,MAAM;AAAA,IAC9D;AACA,UAAM,YAAY,SAAS,aAAa;AACxC,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,IACT;AACA,UAAM,aAAa,QAAQ,YAAY;AAAA,MACrC,CAAC,MAAM,EAAE,eAAe;AAAA,IAC1B;AACA,QAAI,CAAC,YAAY;AACf,aAAO;AAAA,IACT;AACA,WAAO,SAAS,WAAW,aAAa,UAAU,MAAM;AAAA,EAC1D;AAEA,SAAO;AAAA,IACL;AAAA;AAAA,IAEA,mBAAmB,CAAC,cAA6C;AAC/D,YAAM,KAAK,aAAa;AACxB,UAAI,CAAC,IAAI;AACP,eAAO,CAAC;AAAA,MACV;AACA,aACE,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,eAAe,CAAC;AAAA,IAE1E;AAAA,IACA,mBAAmB,MAAqB,QAAQ;AAAA,EAClD;AACF;AAEA,SAAS,SACP,KACA,UACA,QACS;AACT,QAAM,OAAO,IAAI,QAAQ;AACzB,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,EACT;AACA,SAAO,KAAK,MAAM;AACpB;;;AD0EI;AAhJJ,IAAM,sBAAkB,4BAA2C,IAAI;AAuBvE,IAAM,cAAc;AAEpB,IAAM,iBAAiB,CAAC,OAAsB;AAC5C,MAAI,OAAO,WAAW,aAAa;AACjC;AAAA,EACF;AACA,MAAI;AACF,QAAI,MAAM,MAAM;AACd,aAAO,aAAa,WAAW,WAAW;AAAA,IAC5C,OAAO;AACL,aAAO,aAAa,QAAQ,aAAa,EAAE;AAAA,IAC7C;AAAA,EACF,QAAQ;AAAA,EAGR;AACF;AAEA,IAAM,gBAAgB,MAAqB;AACzC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,aAAa,QAAQ,WAAW;AAAA,EAChD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAiB,OAA8B;AAC7D,QAAM,EAAE,SAAS,WAAW,kBAAkB,qBAAqB,IAAI;AAEvE,QAAM,CAAC,SAAS,UAAU,QAAI,uBAA6B,IAAI;AAC/D,QAAM,CAAC,SAAS,UAAU,QAAI,uBAAS,IAAI;AAC3C,QAAM,CAAC,OAAO,QAAQ,QAAI,uBAAuB,IAAI;AAErD,QAAM,CAAC,iBAAiB,qBAAqB,QAAI;AAAA,IAC/C,oBAAoB,cAAc;AAAA,EACpC;AAEA,QAAM,cAAU,sBAAQ,MAAM;AAC5B,QAAI,yBAAyB,OAAO;AAClC,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AACA,WAAO,wBAAwB;AAAA,EACjC,GAAG,CAAC,oBAAoB,CAAC;AAEzB,QAAM,uBAAmB;AAAA,IACvB,CAAC,OAAsB;AACrB,4BAAsB,EAAE;AACxB,cAAQ,EAAE;AAAA,IACZ;AAAA,IACA,CAAC,OAAO;AAAA,EACV;AAEA,QAAM,cAAU,0BAAY,YAAY;AACtC,eAAW,IAAI;AACf,aAAS,IAAI;AACb,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,iBAAW,IAAI;AAGf,YAAM,cACJ,mBAAmB,QACnB,KAAK,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe;AAC/D,UAAI,CAAC,aAAa;AAChB,cAAM,WACJ,KAAK,YAAY,CAAC,GAAG,cAAc;AACrC,8BAAsB,QAAQ;AAC9B,gBAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,GAAG;AACV,eAAS,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,CAAC,CAAC,CAAC;AAAA,IACxD,UAAE;AACA,iBAAW,KAAK;AAAA,IAClB;AAAA,EAEF,GAAG,CAAC,OAAO,CAAC;AAEZ,8BAAU,MAAM;AACd,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,QAAM,eAAW,sBAAwB,MAAM;AAC7C,QAAI,WAAW,MAAM;AAGnB,aAAO;AAAA,QACL,KAAK,MAAM;AAAA,QACX,mBAAmB,OAAO,CAAC;AAAA,QAC3B,mBAAmB,OAAO,CAAC;AAAA,MAC7B;AAAA,IACF;AACA,WAAO,wBAAwB,WAAW,SAAS,eAAe;AAAA,EACpE,GAAG,CAAC,SAAS,WAAW,eAAe,CAAC;AAExC,QAAM,YAAQ;AAAA,IACZ,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SACE,4CAAC,gBAAgB,UAAhB,EAAyB,OACvB,gBAAM,UACT;AAEJ;AAEO,SAAS,cAAoC;AAClD,QAAM,UAAM,yBAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;AEnLO,SAAS,OACd,UACA,QACA,SACS;AACT,QAAM,EAAE,SAAS,IAAI,YAAY;AACjC,SAAO,SAAS,IAAI,UAAU,QAAQ,OAAO;AAC/C;;;ACKS,IAAAC,sBAAA;AAHF,SAAS,IAAI,OAAiB;AACnC,QAAM,EAAE,UAAU,QAAQ,WAAW,UAAU,WAAW,KAAK,IAAI;AACnE,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AACtD,SAAO,6EAAG,oBAAU,WAAW,UAAS;AAC1C;;;AC8BQ,IAAAC,sBAAA;AARD,SAAS,kBAAkB,OAA+B;AAC/D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,IAClB,iBACE,6CAAC,SAAI,MAAK,SAAQ,OAAO,EAAE,SAAS,GAAG,GACrC,uDAAC,YAAO,uCAAyB,GACnC;AAAA,IAEF,WAAW;AAAA,EACb,IAAI;AAEJ,QAAM,EAAE,SAAS,QAAQ,IAAI,YAAY;AACzC,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AAEtD,MAAI,WAAW,WAAW,MAAM;AAC9B,WAAO,6EAAG,2BAAgB;AAAA,EAC5B;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,6EAAG,0BAAe;AAAA,EAC3B;AACA,SAAO,6EAAG,UAAS;AACrB;;;AC1EA,IAAAC,gBAAwB;AA2BjB,SAAS,mBAAkC;AAChD,QAAM,EAAE,SAAS,iBAAiB,iBAAiB,IAAI,YAAY;AAEnE,aAAO,uBAAQ,MAAM;AACnB,UAAM,cAAc,SAAS,eAAe,CAAC;AAC7C,UAAM,aACJ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,KAAK;AAC/D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,MACA,WAAW;AAAA,IACb;AAAA,EACF,GAAG,CAAC,SAAS,iBAAiB,gBAAgB,CAAC;AACjD;;;ACzCA,IAAAC,gBAAwB;AAgBjB,SAAS,oBAAoC;AAClD,QAAM,EAAE,SAAS,gBAAgB,IAAI,YAAY;AACjD,aAAO,uBAAQ,MAAM;AACnB,QAAI,CAAC,SAAS;AACZ,aAAO,CAAC;AAAA,IACV;AACA,UAAM,mBACJ,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,GAC5D,mBAAmB,CAAC;AAC1B,WAAO,EAAE,GAAG,QAAQ,wBAAwB,GAAG,iBAAiB;AAAA,EAClE,GAAG,CAAC,SAAS,eAAe,CAAC;AAC/B;;;ACPO,SAAS,sBAAsB,MAUlB;AAClB,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAAS,OAAO,MAAM,EAAE;AAAA,QACzD;AAAA,QACA,EAAE,WAAW,KAAK,OAAO;AAAA,MAC3B;AACA,UAAI,OAAO;AACT,cAAM,IAAI;AAAA,UACR,4DAA4D,MAAM,OAAO;AAAA,QAC3E;AAAA,MACF;AACA,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAaA,eAAsB,iBAAiB,UAOlB;AACnB,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,SAAS,OAAO,MAAM,EAAE,IAAI,YAAY;AAAA,MAC9D,WAAW;AAAA,MACX,YAAY;AAAA,MACZ,UAAU;AAAA,MACV,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,UAAU;AAAA,EACnB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAUO,SAAS,kBAAkB,MAMd;AAClB,QAAM,YAAY,KAAK,SAAS,WAAW;AAC3C,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,MAAM,MAAM,UAAU,KAAK,KAAK,KAAK,IAAI;AAC/C,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI;AAAA,UACR,+BAA+B,KAAK,GAAG,aAAa,IAAI,MAAM;AAAA,QAChE;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAQA,SAAS,iBAAiB,KAA2B;AACnD,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,SAAO;AAAA,IACL,SAAS,EAAE;AAAA,IACX,gBAAgB,CAAC,CAAC,EAAE;AAAA,IACpB,cAAc,MAAM,QAAQ,EAAE,YAAY,IAAI,EAAE,eAAe,CAAC;AAAA,IAChE,oBACE,EAAE,sBAAsB,OAAO,EAAE,uBAAuB,WACnD,EAAE,qBACH,CAAC;AAAA,IACP,wBACE,EAAE,0BAA0B,OAAO,EAAE,2BAA2B,WAC3D,EAAE,yBACH,CAAC;AAAA,IACP,aAAa,MAAM,QAAQ,EAAE,WAAW,IACnC,EAAE,cACH,CAAC;AAAA,EACP;AACF;;;ACxEO,SAAS,eAGd,WAKA,SAKsC;AAEtC,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb,mBAAmB,QAAQ;AAAA,IAC3B;AAAA,IACA,eAAe,UAAU,IAAI,CAAC,MAAM,EAAE,QAAQ;AAAA,EAChD;AACF;;;AT7BO,SAASC,gBAEd,WAAsD;AACtD,SAAO,eAAgB,WAAW;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;","names":["defineAuthRbac","import_jsx_runtime","import_jsx_runtime","import_react","import_react","defineAuthRbac"]}

package/dist/react/index.d.cts

@@ -1,9 +1,9 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import { ReactNode, ComponentType } from 'react';
 import { AuthRbacClient, CanOptions } from '../index.cjs';
-export { createHttpFetcher, createSupabaseFetcher } from '../index.cjs';
-import { b as AuthRbacFetcher, c as ResourceRegistry, U as UserProfile, A as Action, C as CompanyMembership, F as FrontendConfig, a as ResourceDescriptor } from '../types-BEc5SCIo.cjs';
-export { P as PermissionGrid, d as PermissionMap, R as ResourceScope, e as RoleSummary } from '../types-BEc5SCIo.cjs';
+export { createHttpFetcher, createSupabaseFetcher, detectRbacSchema } from '../index.cjs';
+import { b as AuthRbacFetcher, c as ResourceRegistry, U as UserProfile, A as Action, C as CompanyMembership, F as FrontendConfig, a as ResourceDescriptor } from '../types-DxvFudPF.cjs';
+export { P as PermissionGrid, d as PermissionMap, R as ResourceScope, e as RoleSummary } from '../types-DxvFudPF.cjs';
 
 interface AuthRbacContextValue {
     /**

package/dist/react/index.d.ts

@@ -1,9 +1,9 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import { ReactNode, ComponentType } from 'react';
 import { AuthRbacClient, CanOptions } from '../index.js';
-export { createHttpFetcher, createSupabaseFetcher } from '../index.js';
-import { b as AuthRbacFetcher, c as ResourceRegistry, U as UserProfile, A as Action, C as CompanyMembership, F as FrontendConfig, a as ResourceDescriptor } from '../types-BEc5SCIo.js';
-export { P as PermissionGrid, d as PermissionMap, R as ResourceScope, e as RoleSummary } from '../types-BEc5SCIo.js';
+export { createHttpFetcher, createSupabaseFetcher, detectRbacSchema } from '../index.js';
+import { b as AuthRbacFetcher, c as ResourceRegistry, U as UserProfile, A as Action, C as CompanyMembership, F as FrontendConfig, a as ResourceDescriptor } from '../types-DxvFudPF.js';
+export { P as PermissionGrid, d as PermissionMap, R as ResourceScope, e as RoleSummary } from '../types-DxvFudPF.js';
 
 interface AuthRbacContextValue {
     /**

package/dist/react/index.js

@@ -1,10 +1,11 @@
 import {
   createHttpFetcher,
-  createSupabaseFetcher
-} from "../chunk-BRCJUCDG.js";
+  createSupabaseFetcher,
+  detectRbacSchema
+} from "../chunk-NRDW233A.js";
 import {
   buildPermissionResolver
-} from "../chunk-4WTV6J44.js";
+} from "../chunk-C76JHCKM.js";
 
 // src/react/AuthRbacProvider.tsx
 import {
@@ -219,6 +220,7 @@ export {
   createHttpFetcher,
   createSupabaseFetcher,
   defineAuthRbac2 as defineAuthRbac,
+  detectRbacSchema,
   useActiveCompany,
   useAuthRbac,
   useCan,

package/dist/react/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/react/AuthRbacProvider.tsx","../../src/react/useCan.ts","../../src/react/Can.tsx","../../src/react/RequirePermission.tsx","../../src/react/useActiveCompany.ts","../../src/react/useFrontendConfig.ts","../../src/define.ts","../../src/react/index.ts"],"sourcesContent":["import {\n  createContext,\n  useCallback,\n  useContext,\n  useEffect,\n  useMemo,\n  useState,\n  type ReactNode,\n} from \"react\";\n\nimport {\n  buildPermissionResolver,\n  type AuthRbacClient,\n} from \"../client.js\";\nimport type {\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceRegistry,\n  UserProfile,\n} from \"../types.js\";\n\ninterface AuthRbacContextValue {\n  /**\n   * `null` means we haven't hydrated yet. Components should treat\n   * the not-loaded state as \"no permissions\" (fail-closed).\n   */\n  profile: UserProfile | null;\n  loading: boolean;\n  error: Error | null;\n  resources: ResourceRegistry;\n  activeCompanyId: string | null;\n  setActiveCompany: (id: string | null) => void;\n  refresh: () => Promise<void>;\n  resolver: AuthRbacClient;\n}\n\nconst AuthRbacContext = createContext<AuthRbacContextValue | null>(null);\n\nexport interface AuthRbacProviderProps {\n  fetcher: AuthRbacFetcher;\n  resources: ResourceRegistry;\n  /**\n   * Initial active company. Common patterns:\n   *  - read from URL query/path\n   *  - read from localStorage\n   *  - omit and let the user pick from the switcher\n   */\n  initialCompanyId?: string | null;\n  /**\n   * Persistence hook. Called every time the active company changes.\n   * Default: writes to `localStorage` under\n   * `auth-rbac:active-company`. Pass `false` to disable.\n   */\n  persistActiveCompany?:\n    | ((id: string | null) => void)\n    | false;\n  children: ReactNode;\n}\n\nconst STORAGE_KEY = \"auth-rbac:active-company\";\n\nconst defaultPersist = (id: string | null) => {\n  if (typeof window === \"undefined\") {\n    return;\n  }\n  try {\n    if (id == null) {\n      window.localStorage.removeItem(STORAGE_KEY);\n    } else {\n      window.localStorage.setItem(STORAGE_KEY, id);\n    }\n  } catch {\n    // localStorage may be unavailable (private browsing, SSR) —\n    // fall back to in-memory only.\n  }\n};\n\nconst readPersisted = (): string | null => {\n  if (typeof window === \"undefined\") {\n    return null;\n  }\n  try {\n    return window.localStorage.getItem(STORAGE_KEY);\n  } catch {\n    return null;\n  }\n};\n\nexport function AuthRbacProvider(props: AuthRbacProviderProps) {\n  const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;\n\n  const [profile, setProfile] = useState<UserProfile | null>(null);\n  const [loading, setLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const [activeCompanyId, setActiveCompanyState] = useState<string | null>(\n    initialCompanyId ?? readPersisted(),\n  );\n\n  const persist = useMemo(() => {\n    if (persistActiveCompany === false) {\n      return () => {};\n    }\n    return persistActiveCompany ?? defaultPersist;\n  }, [persistActiveCompany]);\n\n  const setActiveCompany = useCallback(\n    (id: string | null) => {\n      setActiveCompanyState(id);\n      persist(id);\n    },\n    [persist],\n  );\n\n  const refresh = useCallback(async () => {\n    setLoading(true);\n    setError(null);\n    try {\n      const next = await fetcher.fetchProfile();\n      setProfile(next);\n      // If the persisted company isn't a membership, fall back to\n      // the first one (or null for users with no memberships).\n      const stillMember =\n        activeCompanyId != null &&\n        next.memberships.some((m) => m.company_id === activeCompanyId);\n      if (!stillMember) {\n        const fallback =\n          next.memberships[0]?.company_id ?? null;\n        setActiveCompanyState(fallback);\n        persist(fallback);\n      }\n    } catch (e) {\n      setError(e instanceof Error ? e : new Error(String(e)));\n    } finally {\n      setLoading(false);\n    }\n    // eslint-disable-next-line react-hooks/exhaustive-deps\n  }, [fetcher]);\n\n  useEffect(() => {\n    void refresh();\n  }, [refresh]);\n\n  const resolver = useMemo<AuthRbacClient>(() => {\n    if (profile == null) {\n      // Empty resolver until the profile lands. Always returns\n      // false → guards fall through to the unauthenticated branch.\n      return {\n        can: () => false,\n        activePermissions: () => ({}) as PermissionMap,\n        systemPermissions: () => ({}) as PermissionMap,\n      };\n    }\n    return buildPermissionResolver(resources, profile, activeCompanyId);\n  }, [profile, resources, activeCompanyId]);\n\n  const value = useMemo<AuthRbacContextValue>(\n    () => ({\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    }),\n    [\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    ],\n  );\n\n  return (\n    <AuthRbacContext.Provider value={value}>\n      {props.children}\n    </AuthRbacContext.Provider>\n  );\n}\n\nexport function useAuthRbac(): AuthRbacContextValue {\n  const ctx = useContext(AuthRbacContext);\n  if (!ctx) {\n    throw new Error(\n      \"useAuthRbac must be used within an <AuthRbacProvider> — wrap your app at the root.\",\n    );\n  }\n  return ctx;\n}\n","import type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Boolean permission check.\n *\n * @example\n *   const canEdit = useCan(\"properties\", \"update\");\n *   <Button disabled={!canEdit}>Speichern</Button>\n *\n * @example explicitly target a non-active company\n *   const canRead = useCan(\"payments\", \"read\", { companyId: targetId });\n */\nexport function useCan(\n  resource: string,\n  action: Action,\n  options?: CanOptions,\n): boolean {\n  const { resolver } = useAuthRbac();\n  return resolver.can(resource, action, options);\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useCan } from \"./useCan.js\";\n\nexport interface CanProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /** Rendered when the user has the permission. */\n  children: ReactNode;\n  /**\n   * Rendered when the user does NOT have the permission. Defaults\n   * to `null` (silent hide). Pass a `<NoPermissionView />` or a\n   * tooltip-wrapper to surface the denial explicitly.\n   */\n  fallback?: ReactNode;\n}\n\n/**\n * Subtree gate. Bails before children render so any data fetching\n * inside `children` is skipped for users without permission.\n */\nexport function Can(props: CanProps) {\n  const { resource, action, companyId, children, fallback = null } = props;\n  const allowed = useCan(resource, action, { companyId });\n  return <>{allowed ? children : fallback}</>;\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\nimport { useCan } from \"./useCan.js\";\n\nexport interface RequirePermissionProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /**\n   * What to render while the profile is still loading. Defaults to\n   * `null` (no flash) — pass a spinner if your routes typically\n   * mount before the profile lands.\n   */\n  loadingFallback?: ReactNode;\n  /**\n   * What to render when access is denied. Defaults to a minimal\n   * \"Sie haben keinen Zugriff\" message; pass your own component to\n   * theme it.\n   */\n  deniedFallback?: ReactNode;\n  /**\n   * For `react-router-dom v6` route-element usage, pass an `<Outlet />`\n   * here — the gate resolves to either the outlet or the denied\n   * fallback. For component-tree usage, pass any children.\n   */\n  children?: ReactNode;\n}\n\n/**\n * Route- or component-level guard. Three render branches:\n *\n *  - profile not yet loaded → `loadingFallback`\n *  - permission denied      → `deniedFallback`\n *  - permission granted     → `children`\n *\n * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.\n *\n * @example\n *   // App.tsx route table\n *   <Route element={\n *     <RequirePermission resource=\"payments\" action=\"read\">\n *       <Outlet />\n *     </RequirePermission>\n *   }>\n *     <Route path=\"/payments\" element={<PaymentsPage />} />\n *   </Route>\n */\nexport function RequirePermission(props: RequirePermissionProps) {\n  const {\n    resource,\n    action,\n    companyId,\n    loadingFallback = null,\n    deniedFallback = (\n      <div role=\"alert\" style={{ padding: 24 }}>\n        <strong>Sie haben keinen Zugriff.</strong>\n      </div>\n    ),\n    children = null,\n  } = props;\n\n  const { profile, loading } = useAuthRbac();\n  const allowed = useCan(resource, action, { companyId });\n\n  if (loading || profile == null) {\n    return <>{loadingFallback}</>;\n  }\n  if (!allowed) {\n    return <>{deniedFallback}</>;\n  }\n  return <>{children}</>;\n}\n","import { useMemo } from \"react\";\n\nimport type { CompanyMembership } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\nexport interface ActiveCompany {\n  id: string | null;\n  membership: CompanyMembership | null;\n  memberships: CompanyMembership[];\n  setActive: (id: string | null) => void;\n}\n\n/**\n * Read + switch the active company.\n *\n * @example\n *   const { id, memberships, setActive } = useActiveCompany();\n *\n *   return (\n *     <select value={id ?? \"\"} onChange={(e) => setActive(e.target.value || null)}>\n *       {memberships.map((m) => (\n *         <option key={m.company_id} value={m.company_id}>{m.company_name}</option>\n *       ))}\n *     </select>\n *   );\n */\nexport function useActiveCompany(): ActiveCompany {\n  const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();\n\n  return useMemo(() => {\n    const memberships = profile?.memberships ?? [];\n    const membership =\n      memberships.find((m) => m.company_id === activeCompanyId) ?? null;\n    return {\n      id: activeCompanyId,\n      membership,\n      memberships,\n      setActive: setActiveCompany,\n    };\n  }, [profile, activeCompanyId, setActiveCompany]);\n}\n","import { useMemo } from \"react\";\n\nimport type { FrontendConfig } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Reads the merged `frontend_config` for the user. Sources in\n * priority order: active company's membership > system roles. Use\n * this to drive sidebar items, dashboard defaults, and any other\n * \"what should this role see\" UX without hardcoded role checks.\n *\n * The shape is intentionally `Record<string, unknown>` — your host\n * project owns the schema. Document your keys (e.g. `sidebar`,\n * `default_dashboard`) once and stick to them.\n */\nexport function useFrontendConfig(): FrontendConfig {\n  const { profile, activeCompanyId } = useAuthRbac();\n  return useMemo(() => {\n    if (!profile) {\n      return {};\n    }\n    const membershipConfig =\n      profile.memberships.find((m) => m.company_id === activeCompanyId)\n        ?.frontend_config ?? {};\n    return { ...profile.system_frontend_config, ...membershipConfig };\n  }, [profile, activeCompanyId]);\n}\n","/**\n * Typed factory — turns a const-asserted resource registry into a\n * set of hooks/components whose `resource` arg is constrained to\n * the registered names. Typos become TypeScript errors instead of\n * silent runtime `false`.\n *\n * @example\n *   // src/auth/resources.ts\n *   import { defineAuthRbac } from \"snipe-auth-rbac/react\";\n *\n *   export const RESOURCES = [\n *     { resource: \"properties\", scope: \"company\", label: \"Liegenschaften\", group: \"Stammdaten\" },\n *     { resource: \"payments\",   scope: \"company\", label: \"Zahlungen\",     group: \"Finanzen\" },\n *     { resource: \"system_audit\", scope: \"system\",  label: \"Audit-Log\",    group: \"Plattform\" },\n *   ] as const;\n *\n *   export const { useCan, Can, RequirePermission } = defineAuthRbac(RESOURCES);\n *\n *   // ----- elsewhere -----\n *   useCan(\"properties\", \"update\");       // ✓\n *   useCan(\"paymetns\", \"update\");          // ✗ TS error: not assignable to type \"properties\" | \"payments\" | \"system_audit\"\n */\n\nimport type { ComponentType, ReactNode } from \"react\";\n\nimport type {\n  Action,\n  ResourceDescriptor,\n  ResourceRegistry,\n} from \"./types.js\";\n\n/**\n * Drop-in replacement signatures for the three guards, with a\n * narrowed `resource` arg.\n */\nexport interface TypedGuards<R extends string> {\n  useCan: (\n    resource: R,\n    action: Action,\n    options?: { companyId?: string | null },\n  ) => boolean;\n  Can: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    children: ReactNode;\n    fallback?: ReactNode;\n  }>;\n  RequirePermission: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    loadingFallback?: ReactNode;\n    deniedFallback?: ReactNode;\n    children?: ReactNode;\n  }>;\n  /** The const-asserted registry, re-exported so call-sites can iterate. */\n  resources: ResourceRegistry;\n  /** All registered resource names as a union — handy for typing\n   *  application-side data structures. */\n  resourceNames: ReadonlyArray<R>;\n}\n\n/**\n * Factory. Run once at module-init time in your host project; the\n * returned hooks/components are referentially stable.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(\n  resources: Reg,\n  // The runtime guards live in the React entry; we accept them\n  // here as plain refs so this module stays React-free at the type\n  // level. The `react` entry calls this factory passing its own\n  // exports so adopters never see the wiring.\n  runtime: {\n    useCan: TypedGuards<string>[\"useCan\"];\n    Can: TypedGuards<string>[\"Can\"];\n    RequirePermission: TypedGuards<string>[\"RequirePermission\"];\n  },\n): TypedGuards<Reg[number][\"resource\"]> {\n  type R = Reg[number][\"resource\"];\n  return {\n    useCan: runtime.useCan as TypedGuards<R>[\"useCan\"],\n    Can: runtime.Can as TypedGuards<R>[\"Can\"],\n    RequirePermission: runtime.RequirePermission as TypedGuards<R>[\"RequirePermission\"],\n    resources,\n    resourceNames: resources.map((r) => r.resource) as ReadonlyArray<R>,\n  };\n}\n","/**\n * React + Next.js entry. Import this in browser code:\n *\n *   import { AuthRbacProvider, useCan } from \"snipe-auth-rbac/react\";\n *\n * The non-React entry (`snipe-auth-rbac`) re-exports types and the\n * pure resolver, suitable for Node, edge workers, and tests.\n */\n\nexport {\n  AuthRbacProvider,\n  useAuthRbac,\n  type AuthRbacProviderProps,\n} from \"./AuthRbacProvider.js\";\n\nexport { useCan } from \"./useCan.js\";\nexport { Can, type CanProps } from \"./Can.js\";\nexport {\n  RequirePermission,\n  type RequirePermissionProps,\n} from \"./RequirePermission.js\";\nexport { useActiveCompany, type ActiveCompany } from \"./useActiveCompany.js\";\nexport { useFrontendConfig } from \"./useFrontendConfig.js\";\n\n// Re-exports for convenience so consumers don't need two imports.\nexport type {\n  Action,\n  AuthRbacFetcher,\n  CompanyMembership,\n  FrontendConfig,\n  PermissionGrid,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  RoleSummary,\n  UserProfile,\n} from \"../types.js\";\n\nexport {\n  createSupabaseFetcher,\n  createHttpFetcher,\n} from \"../fetchers.js\";\n\nimport { defineAuthRbac as _defineAuthRbac } from \"../define.js\";\nimport { Can } from \"./Can.js\";\nimport { RequirePermission } from \"./RequirePermission.js\";\nimport { useCan } from \"./useCan.js\";\n\nimport type { ResourceDescriptor } from \"../types.js\";\nimport type { TypedGuards } from \"../define.js\";\n\n/**\n * Typed factory — pass a const-asserted resource registry and get\n * back guards whose `resource` arg is constrained to the registered\n * names. Recommended at the top of every host project.\n *\n * See ../define.ts for the full doc + example.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(resources: Reg): TypedGuards<Reg[number][\"resource\"]> {\n  return _defineAuthRbac(resources, {\n    useCan,\n    Can,\n    RequirePermission,\n  });\n}\n\nexport type { TypedGuards } from \"../define.js\";\n"],"mappings":";;;;;;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AA4KH;AAhJJ,IAAM,kBAAkB,cAA2C,IAAI;AAuBvE,IAAM,cAAc;AAEpB,IAAM,iBAAiB,CAAC,OAAsB;AAC5C,MAAI,OAAO,WAAW,aAAa;AACjC;AAAA,EACF;AACA,MAAI;AACF,QAAI,MAAM,MAAM;AACd,aAAO,aAAa,WAAW,WAAW;AAAA,IAC5C,OAAO;AACL,aAAO,aAAa,QAAQ,aAAa,EAAE;AAAA,IAC7C;AAAA,EACF,QAAQ;AAAA,EAGR;AACF;AAEA,IAAM,gBAAgB,MAAqB;AACzC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,aAAa,QAAQ,WAAW;AAAA,EAChD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAiB,OAA8B;AAC7D,QAAM,EAAE,SAAS,WAAW,kBAAkB,qBAAqB,IAAI;AAEvE,QAAM,CAAC,SAAS,UAAU,IAAI,SAA6B,IAAI;AAC/D,QAAM,CAAC,SAAS,UAAU,IAAI,SAAS,IAAI;AAC3C,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAuB,IAAI;AAErD,QAAM,CAAC,iBAAiB,qBAAqB,IAAI;AAAA,IAC/C,oBAAoB,cAAc;AAAA,EACpC;AAEA,QAAM,UAAU,QAAQ,MAAM;AAC5B,QAAI,yBAAyB,OAAO;AAClC,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AACA,WAAO,wBAAwB;AAAA,EACjC,GAAG,CAAC,oBAAoB,CAAC;AAEzB,QAAM,mBAAmB;AAAA,IACvB,CAAC,OAAsB;AACrB,4BAAsB,EAAE;AACxB,cAAQ,EAAE;AAAA,IACZ;AAAA,IACA,CAAC,OAAO;AAAA,EACV;AAEA,QAAM,UAAU,YAAY,YAAY;AACtC,eAAW,IAAI;AACf,aAAS,IAAI;AACb,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,iBAAW,IAAI;AAGf,YAAM,cACJ,mBAAmB,QACnB,KAAK,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe;AAC/D,UAAI,CAAC,aAAa;AAChB,cAAM,WACJ,KAAK,YAAY,CAAC,GAAG,cAAc;AACrC,8BAAsB,QAAQ;AAC9B,gBAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,GAAG;AACV,eAAS,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,CAAC,CAAC,CAAC;AAAA,IACxD,UAAE;AACA,iBAAW,KAAK;AAAA,IAClB;AAAA,EAEF,GAAG,CAAC,OAAO,CAAC;AAEZ,YAAU,MAAM;AACd,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,QAAM,WAAW,QAAwB,MAAM;AAC7C,QAAI,WAAW,MAAM;AAGnB,aAAO;AAAA,QACL,KAAK,MAAM;AAAA,QACX,mBAAmB,OAAO,CAAC;AAAA,QAC3B,mBAAmB,OAAO,CAAC;AAAA,MAC7B;AAAA,IACF;AACA,WAAO,wBAAwB,WAAW,SAAS,eAAe;AAAA,EACpE,GAAG,CAAC,SAAS,WAAW,eAAe,CAAC;AAExC,QAAM,QAAQ;AAAA,IACZ,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SACE,oBAAC,gBAAgB,UAAhB,EAAyB,OACvB,gBAAM,UACT;AAEJ;AAEO,SAAS,cAAoC;AAClD,QAAM,MAAM,WAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;ACnLO,SAAS,OACd,UACA,QACA,SACS;AACT,QAAM,EAAE,SAAS,IAAI,YAAY;AACjC,SAAO,SAAS,IAAI,UAAU,QAAQ,OAAO;AAC/C;;;ACKS,0BAAAA,YAAA;AAHF,SAAS,IAAI,OAAiB;AACnC,QAAM,EAAE,UAAU,QAAQ,WAAW,UAAU,WAAW,KAAK,IAAI;AACnE,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AACtD,SAAO,gBAAAA,KAAA,YAAG,oBAAU,WAAW,UAAS;AAC1C;;;AC8BQ,SAUG,YAAAC,WAVH,OAAAC,YAAA;AARD,SAAS,kBAAkB,OAA+B;AAC/D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,IAClB,iBACE,gBAAAA,KAAC,SAAI,MAAK,SAAQ,OAAO,EAAE,SAAS,GAAG,GACrC,0BAAAA,KAAC,YAAO,uCAAyB,GACnC;AAAA,IAEF,WAAW;AAAA,EACb,IAAI;AAEJ,QAAM,EAAE,SAAS,QAAQ,IAAI,YAAY;AACzC,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AAEtD,MAAI,WAAW,WAAW,MAAM;AAC9B,WAAO,gBAAAA,KAAAD,WAAA,EAAG,2BAAgB;AAAA,EAC5B;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,gBAAAC,KAAAD,WAAA,EAAG,0BAAe;AAAA,EAC3B;AACA,SAAO,gBAAAC,KAAAD,WAAA,EAAG,UAAS;AACrB;;;AC1EA,SAAS,WAAAE,gBAAe;AA2BjB,SAAS,mBAAkC;AAChD,QAAM,EAAE,SAAS,iBAAiB,iBAAiB,IAAI,YAAY;AAEnE,SAAOC,SAAQ,MAAM;AACnB,UAAM,cAAc,SAAS,eAAe,CAAC;AAC7C,UAAM,aACJ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,KAAK;AAC/D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,MACA,WAAW;AAAA,IACb;AAAA,EACF,GAAG,CAAC,SAAS,iBAAiB,gBAAgB,CAAC;AACjD;;;ACzCA,SAAS,WAAAC,gBAAe;AAgBjB,SAAS,oBAAoC;AAClD,QAAM,EAAE,SAAS,gBAAgB,IAAI,YAAY;AACjD,SAAOC,SAAQ,MAAM;AACnB,QAAI,CAAC,SAAS;AACZ,aAAO,CAAC;AAAA,IACV;AACA,UAAM,mBACJ,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,GAC5D,mBAAmB,CAAC;AAC1B,WAAO,EAAE,GAAG,QAAQ,wBAAwB,GAAG,iBAAiB;AAAA,EAClE,GAAG,CAAC,SAAS,eAAe,CAAC;AAC/B;;;ACwCO,SAAS,eAGd,WAKA,SAKsC;AAEtC,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb,mBAAmB,QAAQ;AAAA,IAC3B;AAAA,IACA,eAAe,UAAU,IAAI,CAAC,MAAM,EAAE,QAAQ;AAAA,EAChD;AACF;;;AC9BO,SAASC,gBAEd,WAAsD;AACtD,SAAO,eAAgB,WAAW;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;","names":["jsx","Fragment","jsx","useMemo","useMemo","useMemo","useMemo","defineAuthRbac"]}
+{"version":3,"sources":["../../src/react/AuthRbacProvider.tsx","../../src/react/useCan.ts","../../src/react/Can.tsx","../../src/react/RequirePermission.tsx","../../src/react/useActiveCompany.ts","../../src/react/useFrontendConfig.ts","../../src/define.ts","../../src/react/index.ts"],"sourcesContent":["import {\n  createContext,\n  useCallback,\n  useContext,\n  useEffect,\n  useMemo,\n  useState,\n  type ReactNode,\n} from \"react\";\n\nimport {\n  buildPermissionResolver,\n  type AuthRbacClient,\n} from \"../client.js\";\nimport type {\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceRegistry,\n  UserProfile,\n} from \"../types.js\";\n\ninterface AuthRbacContextValue {\n  /**\n   * `null` means we haven't hydrated yet. Components should treat\n   * the not-loaded state as \"no permissions\" (fail-closed).\n   */\n  profile: UserProfile | null;\n  loading: boolean;\n  error: Error | null;\n  resources: ResourceRegistry;\n  activeCompanyId: string | null;\n  setActiveCompany: (id: string | null) => void;\n  refresh: () => Promise<void>;\n  resolver: AuthRbacClient;\n}\n\nconst AuthRbacContext = createContext<AuthRbacContextValue | null>(null);\n\nexport interface AuthRbacProviderProps {\n  fetcher: AuthRbacFetcher;\n  resources: ResourceRegistry;\n  /**\n   * Initial active company. Common patterns:\n   *  - read from URL query/path\n   *  - read from localStorage\n   *  - omit and let the user pick from the switcher\n   */\n  initialCompanyId?: string | null;\n  /**\n   * Persistence hook. Called every time the active company changes.\n   * Default: writes to `localStorage` under\n   * `auth-rbac:active-company`. Pass `false` to disable.\n   */\n  persistActiveCompany?:\n    | ((id: string | null) => void)\n    | false;\n  children: ReactNode;\n}\n\nconst STORAGE_KEY = \"auth-rbac:active-company\";\n\nconst defaultPersist = (id: string | null) => {\n  if (typeof window === \"undefined\") {\n    return;\n  }\n  try {\n    if (id == null) {\n      window.localStorage.removeItem(STORAGE_KEY);\n    } else {\n      window.localStorage.setItem(STORAGE_KEY, id);\n    }\n  } catch {\n    // localStorage may be unavailable (private browsing, SSR) —\n    // fall back to in-memory only.\n  }\n};\n\nconst readPersisted = (): string | null => {\n  if (typeof window === \"undefined\") {\n    return null;\n  }\n  try {\n    return window.localStorage.getItem(STORAGE_KEY);\n  } catch {\n    return null;\n  }\n};\n\nexport function AuthRbacProvider(props: AuthRbacProviderProps) {\n  const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;\n\n  const [profile, setProfile] = useState<UserProfile | null>(null);\n  const [loading, setLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const [activeCompanyId, setActiveCompanyState] = useState<string | null>(\n    initialCompanyId ?? readPersisted(),\n  );\n\n  const persist = useMemo(() => {\n    if (persistActiveCompany === false) {\n      return () => {};\n    }\n    return persistActiveCompany ?? defaultPersist;\n  }, [persistActiveCompany]);\n\n  const setActiveCompany = useCallback(\n    (id: string | null) => {\n      setActiveCompanyState(id);\n      persist(id);\n    },\n    [persist],\n  );\n\n  const refresh = useCallback(async () => {\n    setLoading(true);\n    setError(null);\n    try {\n      const next = await fetcher.fetchProfile();\n      setProfile(next);\n      // If the persisted company isn't a membership, fall back to\n      // the first one (or null for users with no memberships).\n      const stillMember =\n        activeCompanyId != null &&\n        next.memberships.some((m) => m.company_id === activeCompanyId);\n      if (!stillMember) {\n        const fallback =\n          next.memberships[0]?.company_id ?? null;\n        setActiveCompanyState(fallback);\n        persist(fallback);\n      }\n    } catch (e) {\n      setError(e instanceof Error ? e : new Error(String(e)));\n    } finally {\n      setLoading(false);\n    }\n    // eslint-disable-next-line react-hooks/exhaustive-deps\n  }, [fetcher]);\n\n  useEffect(() => {\n    void refresh();\n  }, [refresh]);\n\n  const resolver = useMemo<AuthRbacClient>(() => {\n    if (profile == null) {\n      // Empty resolver until the profile lands. Always returns\n      // false → guards fall through to the unauthenticated branch.\n      return {\n        can: () => false,\n        activePermissions: () => ({}) as PermissionMap,\n        systemPermissions: () => ({}) as PermissionMap,\n      };\n    }\n    return buildPermissionResolver(resources, profile, activeCompanyId);\n  }, [profile, resources, activeCompanyId]);\n\n  const value = useMemo<AuthRbacContextValue>(\n    () => ({\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    }),\n    [\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    ],\n  );\n\n  return (\n    <AuthRbacContext.Provider value={value}>\n      {props.children}\n    </AuthRbacContext.Provider>\n  );\n}\n\nexport function useAuthRbac(): AuthRbacContextValue {\n  const ctx = useContext(AuthRbacContext);\n  if (!ctx) {\n    throw new Error(\n      \"useAuthRbac must be used within an <AuthRbacProvider> — wrap your app at the root.\",\n    );\n  }\n  return ctx;\n}\n","import type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Boolean permission check.\n *\n * @example\n *   const canEdit = useCan(\"properties\", \"update\");\n *   <Button disabled={!canEdit}>Speichern</Button>\n *\n * @example explicitly target a non-active company\n *   const canRead = useCan(\"payments\", \"read\", { companyId: targetId });\n */\nexport function useCan(\n  resource: string,\n  action: Action,\n  options?: CanOptions,\n): boolean {\n  const { resolver } = useAuthRbac();\n  return resolver.can(resource, action, options);\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useCan } from \"./useCan.js\";\n\nexport interface CanProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /** Rendered when the user has the permission. */\n  children: ReactNode;\n  /**\n   * Rendered when the user does NOT have the permission. Defaults\n   * to `null` (silent hide). Pass a `<NoPermissionView />` or a\n   * tooltip-wrapper to surface the denial explicitly.\n   */\n  fallback?: ReactNode;\n}\n\n/**\n * Subtree gate. Bails before children render so any data fetching\n * inside `children` is skipped for users without permission.\n */\nexport function Can(props: CanProps) {\n  const { resource, action, companyId, children, fallback = null } = props;\n  const allowed = useCan(resource, action, { companyId });\n  return <>{allowed ? children : fallback}</>;\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\nimport { useCan } from \"./useCan.js\";\n\nexport interface RequirePermissionProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /**\n   * What to render while the profile is still loading. Defaults to\n   * `null` (no flash) — pass a spinner if your routes typically\n   * mount before the profile lands.\n   */\n  loadingFallback?: ReactNode;\n  /**\n   * What to render when access is denied. Defaults to a minimal\n   * \"Sie haben keinen Zugriff\" message; pass your own component to\n   * theme it.\n   */\n  deniedFallback?: ReactNode;\n  /**\n   * For `react-router-dom v6` route-element usage, pass an `<Outlet />`\n   * here — the gate resolves to either the outlet or the denied\n   * fallback. For component-tree usage, pass any children.\n   */\n  children?: ReactNode;\n}\n\n/**\n * Route- or component-level guard. Three render branches:\n *\n *  - profile not yet loaded → `loadingFallback`\n *  - permission denied      → `deniedFallback`\n *  - permission granted     → `children`\n *\n * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.\n *\n * @example\n *   // App.tsx route table\n *   <Route element={\n *     <RequirePermission resource=\"payments\" action=\"read\">\n *       <Outlet />\n *     </RequirePermission>\n *   }>\n *     <Route path=\"/payments\" element={<PaymentsPage />} />\n *   </Route>\n */\nexport function RequirePermission(props: RequirePermissionProps) {\n  const {\n    resource,\n    action,\n    companyId,\n    loadingFallback = null,\n    deniedFallback = (\n      <div role=\"alert\" style={{ padding: 24 }}>\n        <strong>Sie haben keinen Zugriff.</strong>\n      </div>\n    ),\n    children = null,\n  } = props;\n\n  const { profile, loading } = useAuthRbac();\n  const allowed = useCan(resource, action, { companyId });\n\n  if (loading || profile == null) {\n    return <>{loadingFallback}</>;\n  }\n  if (!allowed) {\n    return <>{deniedFallback}</>;\n  }\n  return <>{children}</>;\n}\n","import { useMemo } from \"react\";\n\nimport type { CompanyMembership } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\nexport interface ActiveCompany {\n  id: string | null;\n  membership: CompanyMembership | null;\n  memberships: CompanyMembership[];\n  setActive: (id: string | null) => void;\n}\n\n/**\n * Read + switch the active company.\n *\n * @example\n *   const { id, memberships, setActive } = useActiveCompany();\n *\n *   return (\n *     <select value={id ?? \"\"} onChange={(e) => setActive(e.target.value || null)}>\n *       {memberships.map((m) => (\n *         <option key={m.company_id} value={m.company_id}>{m.company_name}</option>\n *       ))}\n *     </select>\n *   );\n */\nexport function useActiveCompany(): ActiveCompany {\n  const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();\n\n  return useMemo(() => {\n    const memberships = profile?.memberships ?? [];\n    const membership =\n      memberships.find((m) => m.company_id === activeCompanyId) ?? null;\n    return {\n      id: activeCompanyId,\n      membership,\n      memberships,\n      setActive: setActiveCompany,\n    };\n  }, [profile, activeCompanyId, setActiveCompany]);\n}\n","import { useMemo } from \"react\";\n\nimport type { FrontendConfig } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Reads the merged `frontend_config` for the user. Sources in\n * priority order: active company's membership > system roles. Use\n * this to drive sidebar items, dashboard defaults, and any other\n * \"what should this role see\" UX without hardcoded role checks.\n *\n * The shape is intentionally `Record<string, unknown>` — your host\n * project owns the schema. Document your keys (e.g. `sidebar`,\n * `default_dashboard`) once and stick to them.\n */\nexport function useFrontendConfig(): FrontendConfig {\n  const { profile, activeCompanyId } = useAuthRbac();\n  return useMemo(() => {\n    if (!profile) {\n      return {};\n    }\n    const membershipConfig =\n      profile.memberships.find((m) => m.company_id === activeCompanyId)\n        ?.frontend_config ?? {};\n    return { ...profile.system_frontend_config, ...membershipConfig };\n  }, [profile, activeCompanyId]);\n}\n","/**\n * Typed factory — turns a const-asserted resource registry into a\n * set of hooks/components whose `resource` arg is constrained to\n * the registered names. Typos become TypeScript errors instead of\n * silent runtime `false`.\n *\n * @example\n *   // src/auth/resources.ts\n *   import { defineAuthRbac } from \"snipe-auth-rbac/react\";\n *\n *   export const RESOURCES = [\n *     { resource: \"properties\", scope: \"company\", label: \"Liegenschaften\", group: \"Stammdaten\" },\n *     { resource: \"payments\",   scope: \"company\", label: \"Zahlungen\",     group: \"Finanzen\" },\n *     { resource: \"system_audit\", scope: \"system\",  label: \"Audit-Log\",    group: \"Plattform\" },\n *   ] as const;\n *\n *   export const { useCan, Can, RequirePermission } = defineAuthRbac(RESOURCES);\n *\n *   // ----- elsewhere -----\n *   useCan(\"properties\", \"update\");       // ✓\n *   useCan(\"paymetns\", \"update\");          // ✗ TS error: not assignable to type \"properties\" | \"payments\" | \"system_audit\"\n */\n\nimport type { ComponentType, ReactNode } from \"react\";\n\nimport type {\n  Action,\n  ResourceDescriptor,\n  ResourceRegistry,\n} from \"./types.js\";\n\n/**\n * Drop-in replacement signatures for the three guards, with a\n * narrowed `resource` arg.\n */\nexport interface TypedGuards<R extends string> {\n  useCan: (\n    resource: R,\n    action: Action,\n    options?: { companyId?: string | null },\n  ) => boolean;\n  Can: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    children: ReactNode;\n    fallback?: ReactNode;\n  }>;\n  RequirePermission: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    loadingFallback?: ReactNode;\n    deniedFallback?: ReactNode;\n    children?: ReactNode;\n  }>;\n  /** The const-asserted registry, re-exported so call-sites can iterate. */\n  resources: ResourceRegistry;\n  /** All registered resource names as a union — handy for typing\n   *  application-side data structures. */\n  resourceNames: ReadonlyArray<R>;\n}\n\n/**\n * Factory. Run once at module-init time in your host project; the\n * returned hooks/components are referentially stable.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(\n  resources: Reg,\n  // The runtime guards live in the React entry; we accept them\n  // here as plain refs so this module stays React-free at the type\n  // level. The `react` entry calls this factory passing its own\n  // exports so adopters never see the wiring.\n  runtime: {\n    useCan: TypedGuards<string>[\"useCan\"];\n    Can: TypedGuards<string>[\"Can\"];\n    RequirePermission: TypedGuards<string>[\"RequirePermission\"];\n  },\n): TypedGuards<Reg[number][\"resource\"]> {\n  type R = Reg[number][\"resource\"];\n  return {\n    useCan: runtime.useCan as TypedGuards<R>[\"useCan\"],\n    Can: runtime.Can as TypedGuards<R>[\"Can\"],\n    RequirePermission: runtime.RequirePermission as TypedGuards<R>[\"RequirePermission\"],\n    resources,\n    resourceNames: resources.map((r) => r.resource) as ReadonlyArray<R>,\n  };\n}\n","/**\n * React + Next.js entry. Import this in browser code:\n *\n *   import { AuthRbacProvider, useCan } from \"snipe-auth-rbac/react\";\n *\n * The non-React entry (`snipe-auth-rbac`) re-exports types and the\n * pure resolver, suitable for Node, edge workers, and tests.\n */\n\nexport {\n  AuthRbacProvider,\n  useAuthRbac,\n  type AuthRbacProviderProps,\n} from \"./AuthRbacProvider.js\";\n\nexport { useCan } from \"./useCan.js\";\nexport { Can, type CanProps } from \"./Can.js\";\nexport {\n  RequirePermission,\n  type RequirePermissionProps,\n} from \"./RequirePermission.js\";\nexport { useActiveCompany, type ActiveCompany } from \"./useActiveCompany.js\";\nexport { useFrontendConfig } from \"./useFrontendConfig.js\";\n\n// Re-exports for convenience so consumers don't need two imports.\nexport type {\n  Action,\n  AuthRbacFetcher,\n  CompanyMembership,\n  FrontendConfig,\n  PermissionGrid,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  RoleSummary,\n  UserProfile,\n} from \"../types.js\";\n\nexport {\n  createSupabaseFetcher,\n  createHttpFetcher,\n  detectRbacSchema,\n} from \"../fetchers.js\";\n\nimport { defineAuthRbac as _defineAuthRbac } from \"../define.js\";\nimport { Can } from \"./Can.js\";\nimport { RequirePermission } from \"./RequirePermission.js\";\nimport { useCan } from \"./useCan.js\";\n\nimport type { ResourceDescriptor } from \"../types.js\";\nimport type { TypedGuards } from \"../define.js\";\n\n/**\n * Typed factory — pass a const-asserted resource registry and get\n * back guards whose `resource` arg is constrained to the registered\n * names. Recommended at the top of every host project.\n *\n * See ../define.ts for the full doc + example.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(resources: Reg): TypedGuards<Reg[number][\"resource\"]> {\n  return _defineAuthRbac(resources, {\n    useCan,\n    Can,\n    RequirePermission,\n  });\n}\n\nexport type { TypedGuards } from \"../define.js\";\n"],"mappings":";;;;;;;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AA4KH;AAhJJ,IAAM,kBAAkB,cAA2C,IAAI;AAuBvE,IAAM,cAAc;AAEpB,IAAM,iBAAiB,CAAC,OAAsB;AAC5C,MAAI,OAAO,WAAW,aAAa;AACjC;AAAA,EACF;AACA,MAAI;AACF,QAAI,MAAM,MAAM;AACd,aAAO,aAAa,WAAW,WAAW;AAAA,IAC5C,OAAO;AACL,aAAO,aAAa,QAAQ,aAAa,EAAE;AAAA,IAC7C;AAAA,EACF,QAAQ;AAAA,EAGR;AACF;AAEA,IAAM,gBAAgB,MAAqB;AACzC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,aAAa,QAAQ,WAAW;AAAA,EAChD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAiB,OAA8B;AAC7D,QAAM,EAAE,SAAS,WAAW,kBAAkB,qBAAqB,IAAI;AAEvE,QAAM,CAAC,SAAS,UAAU,IAAI,SAA6B,IAAI;AAC/D,QAAM,CAAC,SAAS,UAAU,IAAI,SAAS,IAAI;AAC3C,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAuB,IAAI;AAErD,QAAM,CAAC,iBAAiB,qBAAqB,IAAI;AAAA,IAC/C,oBAAoB,cAAc;AAAA,EACpC;AAEA,QAAM,UAAU,QAAQ,MAAM;AAC5B,QAAI,yBAAyB,OAAO;AAClC,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AACA,WAAO,wBAAwB;AAAA,EACjC,GAAG,CAAC,oBAAoB,CAAC;AAEzB,QAAM,mBAAmB;AAAA,IACvB,CAAC,OAAsB;AACrB,4BAAsB,EAAE;AACxB,cAAQ,EAAE;AAAA,IACZ;AAAA,IACA,CAAC,OAAO;AAAA,EACV;AAEA,QAAM,UAAU,YAAY,YAAY;AACtC,eAAW,IAAI;AACf,aAAS,IAAI;AACb,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,iBAAW,IAAI;AAGf,YAAM,cACJ,mBAAmB,QACnB,KAAK,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe;AAC/D,UAAI,CAAC,aAAa;AAChB,cAAM,WACJ,KAAK,YAAY,CAAC,GAAG,cAAc;AACrC,8BAAsB,QAAQ;AAC9B,gBAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,GAAG;AACV,eAAS,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,CAAC,CAAC,CAAC;AAAA,IACxD,UAAE;AACA,iBAAW,KAAK;AAAA,IAClB;AAAA,EAEF,GAAG,CAAC,OAAO,CAAC;AAEZ,YAAU,MAAM;AACd,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,QAAM,WAAW,QAAwB,MAAM;AAC7C,QAAI,WAAW,MAAM;AAGnB,aAAO;AAAA,QACL,KAAK,MAAM;AAAA,QACX,mBAAmB,OAAO,CAAC;AAAA,QAC3B,mBAAmB,OAAO,CAAC;AAAA,MAC7B;AAAA,IACF;AACA,WAAO,wBAAwB,WAAW,SAAS,eAAe;AAAA,EACpE,GAAG,CAAC,SAAS,WAAW,eAAe,CAAC;AAExC,QAAM,QAAQ;AAAA,IACZ,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SACE,oBAAC,gBAAgB,UAAhB,EAAyB,OACvB,gBAAM,UACT;AAEJ;AAEO,SAAS,cAAoC;AAClD,QAAM,MAAM,WAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;ACnLO,SAAS,OACd,UACA,QACA,SACS;AACT,QAAM,EAAE,SAAS,IAAI,YAAY;AACjC,SAAO,SAAS,IAAI,UAAU,QAAQ,OAAO;AAC/C;;;ACKS,0BAAAA,YAAA;AAHF,SAAS,IAAI,OAAiB;AACnC,QAAM,EAAE,UAAU,QAAQ,WAAW,UAAU,WAAW,KAAK,IAAI;AACnE,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AACtD,SAAO,gBAAAA,KAAA,YAAG,oBAAU,WAAW,UAAS;AAC1C;;;AC8BQ,SAUG,YAAAC,WAVH,OAAAC,YAAA;AARD,SAAS,kBAAkB,OAA+B;AAC/D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,IAClB,iBACE,gBAAAA,KAAC,SAAI,MAAK,SAAQ,OAAO,EAAE,SAAS,GAAG,GACrC,0BAAAA,KAAC,YAAO,uCAAyB,GACnC;AAAA,IAEF,WAAW;AAAA,EACb,IAAI;AAEJ,QAAM,EAAE,SAAS,QAAQ,IAAI,YAAY;AACzC,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AAEtD,MAAI,WAAW,WAAW,MAAM;AAC9B,WAAO,gBAAAA,KAAAD,WAAA,EAAG,2BAAgB;AAAA,EAC5B;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,gBAAAC,KAAAD,WAAA,EAAG,0BAAe;AAAA,EAC3B;AACA,SAAO,gBAAAC,KAAAD,WAAA,EAAG,UAAS;AACrB;;;AC1EA,SAAS,WAAAE,gBAAe;AA2BjB,SAAS,mBAAkC;AAChD,QAAM,EAAE,SAAS,iBAAiB,iBAAiB,IAAI,YAAY;AAEnE,SAAOC,SAAQ,MAAM;AACnB,UAAM,cAAc,SAAS,eAAe,CAAC;AAC7C,UAAM,aACJ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,KAAK;AAC/D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,MACA,WAAW;AAAA,IACb;AAAA,EACF,GAAG,CAAC,SAAS,iBAAiB,gBAAgB,CAAC;AACjD;;;ACzCA,SAAS,WAAAC,gBAAe;AAgBjB,SAAS,oBAAoC;AAClD,QAAM,EAAE,SAAS,gBAAgB,IAAI,YAAY;AACjD,SAAOC,SAAQ,MAAM;AACnB,QAAI,CAAC,SAAS;AACZ,aAAO,CAAC;AAAA,IACV;AACA,UAAM,mBACJ,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,GAC5D,mBAAmB,CAAC;AAC1B,WAAO,EAAE,GAAG,QAAQ,wBAAwB,GAAG,iBAAiB;AAAA,EAClE,GAAG,CAAC,SAAS,eAAe,CAAC;AAC/B;;;ACwCO,SAAS,eAGd,WAKA,SAKsC;AAEtC,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb,mBAAmB,QAAQ;AAAA,IAC3B;AAAA,IACA,eAAe,UAAU,IAAI,CAAC,MAAM,EAAE,QAAQ;AAAA,EAChD;AACF;;;AC7BO,SAASC,gBAEd,WAAsD;AACtD,SAAO,eAAgB,WAAW;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;","names":["jsx","Fragment","jsx","useMemo","useMemo","useMemo","useMemo","defineAuthRbac"]}

package/dist/{types-BEc5SCIo.d.cts → types-DxvFudPF.d.cts}

@@ -55,7 +55,7 @@ interface UserProfile {
  * box:
  *
  *  1. Pass a Supabase client + a JWT-derived `user_id` and the
- *     library calls the package's SQL RPC `auth_rbac_user_profile`.
+ *     library calls the package's SQL RPC `rbac.user_profile`.
  *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
  *     and the library calls that. Use this when your backend serves
  *     a custom `/api/users/me/profile` endpoint or when you don't

package/dist/{types-BEc5SCIo.d.ts → types-DxvFudPF.d.ts}

@@ -55,7 +55,7 @@ interface UserProfile {
  * box:
  *
  *  1. Pass a Supabase client + a JWT-derived `user_id` and the
- *     library calls the package's SQL RPC `auth_rbac_user_profile`.
+ *     library calls the package's SQL RPC `rbac.user_profile`.
  *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
  *     and the library calls that. Use this when your backend serves
  *     a custom `/api/users/me/profile` endpoint or when you don't

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "snipe-auth-rbac",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Two-layer RBAC (system + company) for React, Next.js, and any modern TS app — paired with the Python sibling.",
   "license": "MIT",
   "type": "module",
@@ -26,14 +26,20 @@
   },
   "files": [
     "dist",
+    "sql",
+    "bin",
     "README.md",
     "CHANGELOG.md"
   ],
+  "bin": {
+    "snipe-auth-rbac": "./bin/cli.mjs"
+  },
   "scripts": {
     "build": "tsup",
     "dev": "tsup --watch",
     "lint": "tsc --noEmit",
-    "clean": "rm -rf dist"
+    "clean": "rm -rf dist sql",
+    "prepack": "rm -rf sql && mkdir -p sql && cp ../sql/*.sql sql/"
   },
   "peerDependencies": {
     "react": ">=18",