snipe-auth-rbac 0.1.0 → 0.2.0

package/sql/0001_initial.sql

@@ -0,0 +1,512 @@
+-- snipe-auth-rbac — initial schema and resolver
+--
+-- Two-layer RBAC: system roles + per-company roles, sharing one
+-- resource registry and one resolver function.
+--
+-- Schema isolation
+-- ────────────────
+-- All package objects live under a dedicated `rbac` schema instead
+-- of the `public` namespace. Adopters get a clean separation from
+-- their own tables and zero risk of name collisions.
+--
+-- For Supabase / PostgREST adopters: add `rbac` to the project's
+-- "Exposed schemas" setting (Studio → Settings → API → Exposed
+-- schemas → add `rbac`). The TS + Python clients address the
+-- functions via `supabase.schema('rbac').rpc('user_can', …)`.
+--
+-- Idempotent: every statement uses CREATE … IF NOT EXISTS or
+-- CREATE OR REPLACE so the file can be re-applied on an existing
+-- DB without errors.
+
+BEGIN;
+
+-- ─────────────────────────────────────────────────────────────────
+-- 0. The schema itself
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE SCHEMA IF NOT EXISTS rbac;
+
+-- Make the rbac schema usable by Supabase's roles. anon needs
+-- USAGE so PostgREST can introspect; authenticated needs USAGE +
+-- SELECT/INSERT/UPDATE/DELETE rights are *not* granted by default
+-- — every read goes through SECURITY DEFINER functions, so the
+-- role only needs EXECUTE on those (granted at the bottom).
+DO $$ BEGIN
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'anon') THEN
+        EXECUTE 'GRANT USAGE ON SCHEMA rbac TO anon';
+    END IF;
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN
+        EXECUTE 'GRANT USAGE ON SCHEMA rbac TO authenticated';
+    END IF;
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'service_role') THEN
+        EXECUTE 'GRANT ALL ON SCHEMA rbac TO service_role';
+    END IF;
+END $$;
+
+-- ─────────────────────────────────────────────────────────────────
+-- 1. Companies (the team / tenant unit)
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS rbac.companies (
+    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    name        text NOT NULL,
+    slug        text UNIQUE,
+    type        text,
+    parent_id   uuid REFERENCES rbac.companies(id),
+    metadata    jsonb NOT NULL DEFAULT '{}'::jsonb,
+    created_at  timestamptz NOT NULL DEFAULT now(),
+    updated_at  timestamptz NOT NULL DEFAULT now()
+);
+
+-- ─────────────────────────────────────────────────────────────────
+-- 2. Resource registry — the only place a "permissionable thing" is
+-- declared. Two scopes: 'system' (platform-wide) or 'company'
+-- (per-tenant). The resolver and the matrix UI both read from here.
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS rbac.resources (
+    resource    text PRIMARY KEY,
+    scope       text NOT NULL CHECK (scope IN ('system', 'company')),
+    label       text NOT NULL,
+    description text,
+    group_label text,
+    created_at  timestamptz NOT NULL DEFAULT now()
+);
+
+-- ─────────────────────────────────────────────────────────────────
+-- 3. Roles — one table for both layers, distinguished by scope.
+-- system: platform-wide role (no company_id)
+-- company + company_id NOT NULL: a role inside that company
+-- company + company_id NULL: a *role template* — cloned per company
+--                            at company creation
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS rbac.roles (
+    id                  uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    scope               text NOT NULL CHECK (scope IN ('system', 'company')),
+    company_id          uuid REFERENCES rbac.companies(id) ON DELETE CASCADE,
+    name                text NOT NULL,
+    description         text,
+    is_system           boolean NOT NULL DEFAULT false,
+    is_super            boolean NOT NULL DEFAULT false,
+    frontend_config     jsonb NOT NULL DEFAULT '{}'::jsonb,
+    -- Permission template — what `apply_template_defaults(role_id)`
+    -- pre-fills when the host calls it after sync_resources(). Shape:
+    --   {
+    --     "default":   ["read"],
+    --     "groups":    { "Stammdaten": ["read","write","update"], … },
+    --     "resources": { "tenants":    ["read","write","update","delete"] }
+    --   }
+    -- Only meaningful on template rows (company_id IS NULL). Real
+    -- per-company roles ignore the column.
+    default_permissions jsonb NOT NULL DEFAULT '{}'::jsonb,
+    created_by          uuid,
+    created_at          timestamptz NOT NULL DEFAULT now(),
+    updated_at          timestamptz NOT NULL DEFAULT now(),
+    CONSTRAINT roles_scope_company_chk CHECK (
+        (scope = 'system' AND company_id IS NULL)
+        OR scope = 'company'
+    ),
+    CONSTRAINT roles_super_only_system_chk CHECK (
+        NOT is_super OR scope = 'system'
+    )
+);
+
+-- Backfill for adopters running this against an existing v0.2.0 DB.
+-- The IF NOT EXISTS guard makes it safe on a fresh install too.
+DO $$ BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM information_schema.columns
+         WHERE table_schema = 'rbac' AND table_name = 'roles'
+           AND column_name  = 'default_permissions'
+    ) THEN
+        EXECUTE 'ALTER TABLE rbac.roles ADD COLUMN default_permissions jsonb NOT NULL DEFAULT ''{}''::jsonb';
+    END IF;
+END $$;
+
+CREATE UNIQUE INDEX IF NOT EXISTS roles_unique_name
+    ON rbac.roles (scope, coalesce(company_id, '00000000-0000-0000-0000-000000000000'::uuid), name);
+
+-- ─────────────────────────────────────────────────────────────────
+-- 4. Role permissions — the actual checkbox grid
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS rbac.role_permissions (
+    role_id     uuid NOT NULL REFERENCES rbac.roles(id) ON DELETE CASCADE,
+    resource    text NOT NULL REFERENCES rbac.resources(resource),
+    can_read    boolean NOT NULL DEFAULT false,
+    can_write   boolean NOT NULL DEFAULT false,
+    can_update  boolean NOT NULL DEFAULT false,
+    can_delete  boolean NOT NULL DEFAULT false,
+    PRIMARY KEY (role_id, resource)
+);
+
+CREATE OR REPLACE FUNCTION rbac.check_role_resource_scope()
+RETURNS trigger
+LANGUAGE plpgsql
+SET search_path = rbac, public
+AS $$
+DECLARE
+    v_role_scope     text;
+    v_resource_scope text;
+BEGIN
+    SELECT scope INTO v_role_scope FROM rbac.roles WHERE id = NEW.role_id;
+    SELECT scope INTO v_resource_scope FROM rbac.resources WHERE resource = NEW.resource;
+    IF v_role_scope IS DISTINCT FROM v_resource_scope THEN
+        RAISE EXCEPTION
+            'rbac: role scope (%) does not match resource scope (%) for resource %',
+            v_role_scope, v_resource_scope, NEW.resource;
+    END IF;
+    RETURN NEW;
+END $$;
+
+DROP TRIGGER IF EXISTS role_resource_scope_trg
+    ON rbac.role_permissions;
+CREATE TRIGGER role_resource_scope_trg
+    BEFORE INSERT OR UPDATE ON rbac.role_permissions
+    FOR EACH ROW EXECUTE FUNCTION rbac.check_role_resource_scope();
+
+-- ─────────────────────────────────────────────────────────────────
+-- 5. Assignments — system + company memberships
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS rbac.user_system_roles (
+    user_id     uuid NOT NULL,
+    role_id     uuid NOT NULL REFERENCES rbac.roles(id),
+    assigned_at timestamptz NOT NULL DEFAULT now(),
+    assigned_by uuid,
+    PRIMARY KEY (user_id, role_id)
+);
+
+CREATE TABLE IF NOT EXISTS rbac.user_company_roles (
+    user_id     uuid NOT NULL,
+    company_id  uuid NOT NULL REFERENCES rbac.companies(id) ON DELETE CASCADE,
+    role_id     uuid NOT NULL REFERENCES rbac.roles(id),
+    assigned_at timestamptz NOT NULL DEFAULT now(),
+    assigned_by uuid,
+    PRIMARY KEY (user_id, company_id, role_id)
+);
+
+CREATE INDEX IF NOT EXISTS user_company_roles_user_idx
+    ON rbac.user_company_roles (user_id);
+
+CREATE INDEX IF NOT EXISTS user_company_roles_company_idx
+    ON rbac.user_company_roles (company_id);
+
+-- ─────────────────────────────────────────────────────────────────
+-- 6. Resolver function — the single source of truth for "can?"
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE OR REPLACE FUNCTION rbac.user_can(
+    p_user_id    uuid,
+    p_resource   text,
+    p_action     text,
+    p_company_id uuid DEFAULT NULL
+) RETURNS boolean
+LANGUAGE plpgsql
+STABLE
+SECURITY DEFINER
+SET search_path = rbac, public
+AS $$
+DECLARE
+    v_resource_scope text;
+BEGIN
+    -- Super-admin bypass: any system role with is_super=true grants
+    -- every permission everywhere.
+    IF EXISTS (
+        SELECT 1
+          FROM rbac.user_system_roles usr
+          JOIN rbac.roles r ON r.id = usr.role_id
+         WHERE usr.user_id = p_user_id
+           AND r.is_super
+    ) THEN
+        RETURN true;
+    END IF;
+
+    SELECT scope INTO v_resource_scope
+      FROM rbac.resources
+     WHERE resource = p_resource;
+
+    IF v_resource_scope IS NULL THEN
+        RETURN false;
+    END IF;
+
+    IF p_action NOT IN ('read', 'write', 'update', 'delete') THEN
+        RETURN false;
+    END IF;
+
+    IF v_resource_scope = 'system' THEN
+        RETURN EXISTS (
+            SELECT 1
+              FROM rbac.user_system_roles usr
+              JOIN rbac.role_permissions rp ON rp.role_id = usr.role_id
+             WHERE usr.user_id = p_user_id
+               AND rp.resource = p_resource
+               AND CASE p_action
+                       WHEN 'read'   THEN rp.can_read
+                       WHEN 'write'  THEN rp.can_write
+                       WHEN 'update' THEN rp.can_update
+                       WHEN 'delete' THEN rp.can_delete
+                   END
+        );
+    END IF;
+
+    IF p_company_id IS NULL THEN
+        RETURN false;
+    END IF;
+
+    RETURN EXISTS (
+        SELECT 1
+          FROM rbac.user_company_roles ucr
+          JOIN rbac.role_permissions rp ON rp.role_id = ucr.role_id
+         WHERE ucr.user_id = p_user_id
+           AND ucr.company_id = p_company_id
+           AND rp.resource = p_resource
+           AND CASE p_action
+                   WHEN 'read'   THEN rp.can_read
+                   WHEN 'write'  THEN rp.can_write
+                   WHEN 'update' THEN rp.can_update
+                   WHEN 'delete' THEN rp.can_delete
+               END
+    );
+END $$;
+
+-- ─────────────────────────────────────────────────────────────────
+-- 7. Convenience: hydrate a user's full profile in one call
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE OR REPLACE FUNCTION rbac.user_profile(p_user_id uuid)
+RETURNS jsonb
+LANGUAGE sql
+STABLE
+SECURITY DEFINER
+SET search_path = rbac, public
+AS $$
+  WITH
+  system_roles AS (
+    SELECT r.id, r.name, r.is_super, r.frontend_config
+      FROM rbac.user_system_roles usr
+      JOIN rbac.roles r ON r.id = usr.role_id
+     WHERE usr.user_id = p_user_id
+  ),
+  system_perms AS (
+    SELECT rp.resource,
+           bool_or(rp.can_read)   AS can_read,
+           bool_or(rp.can_write)  AS can_write,
+           bool_or(rp.can_update) AS can_update,
+           bool_or(rp.can_delete) AS can_delete
+      FROM rbac.user_system_roles usr
+      JOIN rbac.role_permissions rp ON rp.role_id = usr.role_id
+     WHERE usr.user_id = p_user_id
+     GROUP BY rp.resource
+  ),
+  memberships AS (
+    SELECT c.id           AS company_id,
+           c.name         AS company_name,
+           c.slug         AS company_slug,
+           jsonb_agg(DISTINCT jsonb_build_object(
+               'id', r.id, 'name', r.name, 'is_system', r.is_system,
+               'frontend_config', r.frontend_config
+           )) AS roles
+      FROM rbac.user_company_roles ucr
+      JOIN rbac.companies c ON c.id = ucr.company_id
+      JOIN rbac.roles r ON r.id = ucr.role_id
+     WHERE ucr.user_id = p_user_id
+     GROUP BY c.id, c.name, c.slug
+  ),
+  company_perms AS (
+    SELECT ucr.company_id,
+           rp.resource,
+           bool_or(rp.can_read)   AS can_read,
+           bool_or(rp.can_write)  AS can_write,
+           bool_or(rp.can_update) AS can_update,
+           bool_or(rp.can_delete) AS can_delete
+      FROM rbac.user_company_roles ucr
+      JOIN rbac.role_permissions rp ON rp.role_id = ucr.role_id
+     WHERE ucr.user_id = p_user_id
+     GROUP BY ucr.company_id, rp.resource
+  )
+  SELECT jsonb_build_object(
+    'user_id', p_user_id,
+    'is_super_admin', EXISTS (SELECT 1 FROM system_roles WHERE is_super),
+    'system_roles', coalesce(
+        (SELECT jsonb_agg(jsonb_build_object('id', id, 'name', name)) FROM system_roles),
+        '[]'::jsonb
+    ),
+    'system_permissions', coalesce(
+        (SELECT jsonb_object_agg(resource, jsonb_build_object(
+            'read', can_read, 'write', can_write,
+            'update', can_update, 'delete', can_delete
+         )) FROM system_perms),
+        '{}'::jsonb
+    ),
+    'memberships', coalesce(
+        (SELECT jsonb_agg(jsonb_build_object(
+            'company_id', m.company_id,
+            'company_name', m.company_name,
+            'company_slug', m.company_slug,
+            'roles', m.roles,
+            'permissions', coalesce(
+                (SELECT jsonb_object_agg(cp.resource, jsonb_build_object(
+                    'read', cp.can_read, 'write', cp.can_write,
+                    'update', cp.can_update, 'delete', cp.can_delete
+                 ))
+                   FROM company_perms cp
+                  WHERE cp.company_id = m.company_id),
+                '{}'::jsonb
+            )
+         )) FROM memberships m),
+        '[]'::jsonb
+    )
+  );
+$$;
+
+-- ─────────────────────────────────────────────────────────────────
+-- 7b. Template defaults — pre-fill role_permissions from a JSONB
+-- pattern carried on the role row. Run after sync_resources() so
+-- newly registered resources pick up the right cells without an
+-- admin opening the matrix UI.
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE OR REPLACE FUNCTION rbac.apply_template_defaults(
+    p_role_id      uuid,
+    p_only_missing boolean DEFAULT true
+) RETURNS int
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = rbac, public
+AS $$
+DECLARE
+    v_role         rbac.roles;
+    v_dp           jsonb;
+    v_default      jsonb;
+    v_groups       jsonb;
+    v_resources    jsonb;
+    v_resource     record;
+    v_actions      jsonb;
+    v_count        int := 0;
+BEGIN
+    SELECT * INTO v_role FROM rbac.roles WHERE id = p_role_id;
+    IF NOT FOUND THEN
+        RETURN 0;
+    END IF;
+
+    v_dp        := COALESCE(v_role.default_permissions, '{}'::jsonb);
+    v_default   := COALESCE(v_dp -> 'default',   '[]'::jsonb);
+    v_groups    := COALESCE(v_dp -> 'groups',    '{}'::jsonb);
+    v_resources := COALESCE(v_dp -> 'resources', '{}'::jsonb);
+
+    FOR v_resource IN
+        SELECT resource, group_label
+          FROM rbac.resources
+         WHERE scope = v_role.scope
+    LOOP
+        -- Skip if the matrix already has any cell for this (role, resource)
+        IF p_only_missing AND EXISTS (
+            SELECT 1 FROM rbac.role_permissions
+             WHERE role_id = p_role_id
+               AND resource = v_resource.resource
+        ) THEN
+            CONTINUE;
+        END IF;
+
+        -- Pick action set: explicit resource override → group default → fallback default
+        v_actions := COALESCE(
+            v_resources -> v_resource.resource,
+            CASE WHEN v_resource.group_label IS NOT NULL
+                 THEN v_groups -> v_resource.group_label
+                 ELSE NULL END,
+            v_default
+        );
+
+        IF v_actions IS NULL OR jsonb_array_length(v_actions) = 0 THEN
+            CONTINUE;
+        END IF;
+
+        INSERT INTO rbac.role_permissions
+            (role_id, resource, can_read, can_write, can_update, can_delete)
+        VALUES (
+            p_role_id,
+            v_resource.resource,
+            v_actions ? 'read',
+            v_actions ? 'write',
+            v_actions ? 'update',
+            v_actions ? 'delete'
+        )
+        ON CONFLICT (role_id, resource) DO UPDATE
+        SET can_read   = EXCLUDED.can_read   OR rbac.role_permissions.can_read,
+            can_write  = EXCLUDED.can_write  OR rbac.role_permissions.can_write,
+            can_update = EXCLUDED.can_update OR rbac.role_permissions.can_update,
+            can_delete = EXCLUDED.can_delete OR rbac.role_permissions.can_delete;
+
+        v_count := v_count + 1;
+    END LOOP;
+
+    RETURN v_count;
+END $$;
+
+-- ─────────────────────────────────────────────────────────────────
+-- 8. Block delete/rename of system rows
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE OR REPLACE FUNCTION rbac.protect_system_role()
+RETURNS trigger
+LANGUAGE plpgsql
+SET search_path = rbac, public
+AS $$
+BEGIN
+    IF TG_OP = 'DELETE' THEN
+        IF OLD.is_system THEN
+            RAISE EXCEPTION 'rbac: cannot delete system role %', OLD.name;
+        END IF;
+        RETURN OLD;
+    END IF;
+    IF OLD.is_system AND OLD.name IS DISTINCT FROM NEW.name THEN
+        RAISE EXCEPTION 'rbac: cannot rename system role %', OLD.name;
+    END IF;
+    IF OLD.is_super AND NOT NEW.is_super THEN
+        RAISE EXCEPTION 'rbac: cannot revoke super-admin flag';
+    END IF;
+    RETURN NEW;
+END $$;
+
+DROP TRIGGER IF EXISTS protect_system_role_trg ON rbac.roles;
+CREATE TRIGGER protect_system_role_trg
+    BEFORE UPDATE OR DELETE ON rbac.roles
+    FOR EACH ROW EXECUTE FUNCTION rbac.protect_system_role();
+
+-- ─────────────────────────────────────────────────────────────────
+-- 9. updated_at touchers
+-- ─────────────────────────────────────────────────────────────────
+
+CREATE OR REPLACE FUNCTION rbac.touch_updated_at()
+RETURNS trigger
+LANGUAGE plpgsql AS $$
+BEGIN
+    NEW.updated_at = now();
+    RETURN NEW;
+END $$;
+
+DROP TRIGGER IF EXISTS companies_touch_trg ON rbac.companies;
+CREATE TRIGGER companies_touch_trg
+    BEFORE UPDATE ON rbac.companies
+    FOR EACH ROW EXECUTE FUNCTION rbac.touch_updated_at();
+
+DROP TRIGGER IF EXISTS roles_touch_trg ON rbac.roles;
+CREATE TRIGGER roles_touch_trg
+    BEFORE UPDATE ON rbac.roles
+    FOR EACH ROW EXECUTE FUNCTION rbac.touch_updated_at();
+
+-- ─────────────────────────────────────────────────────────────────
+-- 10. EXECUTE on the resolver/hydrator for authenticated users
+-- ─────────────────────────────────────────────────────────────────
+
+DO $$ BEGIN
+    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'authenticated') THEN
+        EXECUTE 'GRANT EXECUTE ON FUNCTION rbac.user_can(uuid, text, text, uuid) TO authenticated';
+        EXECUTE 'GRANT EXECUTE ON FUNCTION rbac.user_profile(uuid) TO authenticated';
+        EXECUTE 'GRANT EXECUTE ON FUNCTION rbac.apply_template_defaults(uuid, boolean) TO authenticated';
+    END IF;
+END $$;
+
+COMMIT;

package/sql/0002_seed_defaults.sql

@@ -0,0 +1,57 @@
+-- snipe-auth-rbac — optional default seed
+--
+-- Companion to 0001_initial.sql that seeds:
+--   * Two system roles (System Admin with is_super=true, System Support).
+--   * Four generic company-role templates (Owner / Manager / Member /
+--     Viewer) with sensible default_permissions patterns.
+--
+-- The four templates use only the `default` action set — they don't
+-- reference specific resources or groups, since those are defined by
+-- the host. After registering host resources, run
+-- ``rbac.apply_template_defaults(role_id)`` to materialise the matrix.
+--
+-- Domain-specific templates (Property Manager, Tenant Manager,
+-- Sales, …) belong in the host's own seed migration where their
+-- group/resource defaults can reference real registered resources.
+--
+-- Idempotent: every INSERT uses ON CONFLICT DO NOTHING. Re-running
+-- the file leaves an existing deployment untouched.
+
+BEGIN;
+
+-- System roles
+INSERT INTO rbac.roles (id, scope, company_id, name, description, is_system, is_super, default_permissions)
+VALUES
+  (gen_random_uuid(), 'system', NULL, 'System Admin',
+   'Plattform-Vollzugriff. Setzt jede Berechtigungsprüfung außer Kraft.',
+   true, true,
+   '{"default": ["read", "write", "update", "delete"]}'::jsonb),
+  (gen_random_uuid(), 'system', NULL, 'System Support',
+   'Lesezugriff auf systemweite Ressourcen für Support-Aufgaben.',
+   true, false,
+   '{"default": ["read"]}'::jsonb)
+ON CONFLICT DO NOTHING;
+
+-- Company-role templates (company_id IS NULL = template).
+-- Generic shapes only; domain-specific defaults are the host's job.
+INSERT INTO rbac.roles (id, scope, company_id, name, description, is_system, is_super, default_permissions)
+VALUES
+  (gen_random_uuid(), 'company', NULL, 'Owner',
+   'Vollzugriff innerhalb der eigenen Company.',
+   true, false,
+   '{"default": ["read", "write", "update", "delete"]}'::jsonb),
+  (gen_random_uuid(), 'company', NULL, 'Manager',
+   'Verwaltet Daten der Company, kann Rollen ändern. Kein Löschen.',
+   true, false,
+   '{"default": ["read", "write", "update"]}'::jsonb),
+  (gen_random_uuid(), 'company', NULL, 'Member',
+   'Standard-Mitarbeiter mit Lese- und Schreibzugriff.',
+   true, false,
+   '{"default": ["read", "write"]}'::jsonb),
+  (gen_random_uuid(), 'company', NULL, 'Viewer',
+   'Nur Lesezugriff.',
+   true, false,
+   '{"default": ["read"]}'::jsonb)
+ON CONFLICT DO NOTHING;
+
+COMMIT;

package/dist/chunk-4WTV6J44.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/client.ts"],"sourcesContent":["/**\n * Transport-agnostic client: turns an adopter-supplied\n * `AuthRbacFetcher` into a permission resolver. The React provider\n * wraps this; non-React consumers (Node scripts, edge functions)\n * can use it directly.\n */\n\nimport type {\n  Action,\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  UserProfile,\n} from \"./types.js\";\n\nexport interface AuthRbacClientOptions {\n  fetcher: AuthRbacFetcher;\n  /**\n   * The host project's full resource list. Required so the resolver\n   * can look up a resource's scope without a DB round-trip per call.\n   * Re-using the same array the host syncs into the\n   * `auth_rbac_resources` table at boot keeps everything in lockstep.\n   */\n  resources: ResourceRegistry;\n}\n\nexport interface CanOptions {\n  /**\n   * Override the active company. Omit to use the company the\n   * caller has currently activated (the React provider tracks\n   * this; for direct client use you must pass it).\n   */\n  companyId?: string | null;\n}\n\n/**\n * Pure resolver. Given a hydrated profile it answers boolean\n * questions instantly — no I/O. The `resourceMap` is built once at\n * construction so per-call work is two map lookups.\n */\nexport function buildPermissionResolver(\n  resources: ResourceRegistry,\n  profile: UserProfile,\n  defaultCompanyId: string | null,\n) {\n  const scopeByResource = new Map<string, ResourceScope>(\n    resources.map((r) => [r.resource, r.scope]),\n  );\n\n  const can = (\n    resource: string,\n    action: Action,\n    options?: CanOptions,\n  ): boolean => {\n    if (profile.is_super_admin) {\n      return true;\n    }\n    const scope = scopeByResource.get(resource);\n    if (!scope) {\n      // Unknown resource — fail closed.\n      return false;\n    }\n    if (scope === \"system\") {\n      return readGrid(profile.system_permissions, resource, action);\n    }\n    const companyId = options?.companyId ?? defaultCompanyId;\n    if (!companyId) {\n      return false;\n    }\n    const membership = profile.memberships.find(\n      (m) => m.company_id === companyId,\n    );\n    if (!membership) {\n      return false;\n    }\n    return readGrid(membership.permissions, resource, action);\n  };\n\n  return {\n    can,\n    /** Permission map for the active (or specified) company. */\n    activePermissions: (companyId?: string | null): PermissionMap => {\n      const id = companyId ?? defaultCompanyId;\n      if (!id) {\n        return {};\n      }\n      return (\n        profile.memberships.find((m) => m.company_id === id)?.permissions ?? {}\n      );\n    },\n    systemPermissions: (): PermissionMap => profile.system_permissions,\n  };\n}\n\nfunction readGrid(\n  map: PermissionMap,\n  resource: string,\n  action: Action,\n): boolean {\n  const grid = map[resource];\n  if (!grid) {\n    return false;\n  }\n  return grid[action];\n}\n\n/**\n * Helper: groups a resource registry by `group` for the matrix UI.\n * Returns groups in insertion order with their resources.\n */\nexport function groupResources(\n  registry: ResourceRegistry,\n): Array<{ group: string; resources: ResourceDescriptor[] }> {\n  const order: string[] = [];\n  const buckets = new Map<string, ResourceDescriptor[]>();\n  for (const r of registry) {\n    const key = r.group ?? \"Sonstige\";\n    if (!buckets.has(key)) {\n      buckets.set(key, []);\n      order.push(key);\n    }\n    buckets.get(key)!.push(r);\n  }\n  return order.map((g) => ({ group: g, resources: buckets.get(g)! }));\n}\n\nexport type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;\nexport type { AuthRbacClientOptions as ClientOptions };\n"],"mappings":";AA0CO,SAAS,wBACd,WACA,SACA,kBACA;AACA,QAAM,kBAAkB,IAAI;AAAA,IAC1B,UAAU,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC;AAAA,EAC5C;AAEA,QAAM,MAAM,CACV,UACA,QACA,YACY;AACZ,QAAI,QAAQ,gBAAgB;AAC1B,aAAO;AAAA,IACT;AACA,UAAM,QAAQ,gBAAgB,IAAI,QAAQ;AAC1C,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AACA,QAAI,UAAU,UAAU;AACtB,aAAO,SAAS,QAAQ,oBAAoB,UAAU,MAAM;AAAA,IAC9D;AACA,UAAM,YAAY,SAAS,aAAa;AACxC,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,IACT;AACA,UAAM,aAAa,QAAQ,YAAY;AAAA,MACrC,CAAC,MAAM,EAAE,eAAe;AAAA,IAC1B;AACA,QAAI,CAAC,YAAY;AACf,aAAO;AAAA,IACT;AACA,WAAO,SAAS,WAAW,aAAa,UAAU,MAAM;AAAA,EAC1D;AAEA,SAAO;AAAA,IACL;AAAA;AAAA,IAEA,mBAAmB,CAAC,cAA6C;AAC/D,YAAM,KAAK,aAAa;AACxB,UAAI,CAAC,IAAI;AACP,eAAO,CAAC;AAAA,MACV;AACA,aACE,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,eAAe,CAAC;AAAA,IAE1E;AAAA,IACA,mBAAmB,MAAqB,QAAQ;AAAA,EAClD;AACF;AAEA,SAAS,SACP,KACA,UACA,QACS;AACT,QAAM,OAAO,IAAI,QAAQ;AACzB,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,EACT;AACA,SAAO,KAAK,MAAM;AACpB;AAMO,SAAS,eACd,UAC2D;AAC3D,QAAM,QAAkB,CAAC;AACzB,QAAM,UAAU,oBAAI,IAAkC;AACtD,aAAW,KAAK,UAAU;AACxB,UAAM,MAAM,EAAE,SAAS;AACvB,QAAI,CAAC,QAAQ,IAAI,GAAG,GAAG;AACrB,cAAQ,IAAI,KAAK,CAAC,CAAC;AACnB,YAAM,KAAK,GAAG;AAAA,IAChB;AACA,YAAQ,IAAI,GAAG,EAAG,KAAK,CAAC;AAAA,EAC1B;AACA,SAAO,MAAM,IAAI,CAAC,OAAO,EAAE,OAAO,GAAG,WAAW,QAAQ,IAAI,CAAC,EAAG,EAAE;AACpE;","names":[]}

package/dist/chunk-BRCJUCDG.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/fetchers.ts"],"sourcesContent":["/**\n * Built-in fetchers — adopters can use these or pass their own\n * implementation of `AuthRbacFetcher`.\n */\n\nimport type { AuthRbacFetcher, UserProfile } from \"./types.js\";\n\n/**\n * Calls the package's SQL function `auth_rbac_user_profile(uuid)` via\n * a Supabase JS client. Easiest path when the host project already\n * uses Supabase.\n *\n * @example\n * createSupabaseFetcher({ supabase, userId: session.user.id })\n */\nexport function createSupabaseFetcher(opts: {\n  supabase: {\n    rpc: (\n      fn: string,\n      args: Record<string, unknown>,\n    ) => Promise<{ data: unknown; error: { message: string } | null }>;\n  };\n  userId: string;\n}): AuthRbacFetcher {\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const { data, error } = await opts.supabase.rpc(\n        \"auth_rbac_user_profile\",\n        { p_user_id: opts.userId },\n      );\n      if (error) {\n        throw new Error(\n          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`,\n        );\n      }\n      return normalizeProfile(data);\n    },\n  };\n}\n\n/**\n * Calls a regular HTTP endpoint that returns a `UserProfile` JSON\n * payload. Use this when the host project has its own backend that\n * wraps the package's Python helpers (or any equivalent).\n *\n * @example\n * createHttpFetcher({ url: \"/api/users/me/profile\" })\n */\nexport function createHttpFetcher(opts: {\n  url: string;\n  /** Forwarded as-is to `fetch`. Use this to attach auth headers. */\n  init?: RequestInit;\n  /** Override the global `fetch` if you're in a non-browser env. */\n  fetch?: typeof fetch;\n}): AuthRbacFetcher {\n  const fetchImpl = opts.fetch ?? globalThis.fetch;\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const res = await fetchImpl(opts.url, opts.init);\n      if (!res.ok) {\n        throw new Error(\n          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`,\n        );\n      }\n      const json = (await res.json()) as unknown;\n      return normalizeProfile(json);\n    },\n  };\n}\n\n/**\n * Defensive normalisation: the Supabase RPC returns whatever the SQL\n * function emitted. We coerce missing fields into the empty defaults\n * so consumers can iterate without null checks. Throws if the shape\n * is unrecognisable.\n */\nfunction normalizeProfile(raw: unknown): UserProfile {\n  if (!raw || typeof raw !== \"object\") {\n    throw new Error(\"auth-rbac: profile payload is not an object\");\n  }\n  const p = raw as Partial<UserProfile> & Record<string, unknown>;\n  if (typeof p.user_id !== \"string\") {\n    throw new Error(\"auth-rbac: profile payload missing user_id\");\n  }\n  return {\n    user_id: p.user_id,\n    is_super_admin: !!p.is_super_admin,\n    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],\n    system_permissions:\n      p.system_permissions && typeof p.system_permissions === \"object\"\n        ? (p.system_permissions as UserProfile[\"system_permissions\"])\n        : {},\n    system_frontend_config:\n      p.system_frontend_config && typeof p.system_frontend_config === \"object\"\n        ? (p.system_frontend_config as UserProfile[\"system_frontend_config\"])\n        : {},\n    memberships: Array.isArray(p.memberships)\n      ? (p.memberships as UserProfile[\"memberships\"])\n      : [],\n  };\n}\n"],"mappings":";AAeO,SAAS,sBAAsB,MAQlB;AAClB,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAAS;AAAA,QAC1C;AAAA,QACA,EAAE,WAAW,KAAK,OAAO;AAAA,MAC3B;AACA,UAAI,OAAO;AACT,cAAM,IAAI;AAAA,UACR,4DAA4D,MAAM,OAAO;AAAA,QAC3E;AAAA,MACF;AACA,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAUO,SAAS,kBAAkB,MAMd;AAClB,QAAM,YAAY,KAAK,SAAS,WAAW;AAC3C,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,MAAM,MAAM,UAAU,KAAK,KAAK,KAAK,IAAI;AAC/C,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI;AAAA,UACR,+BAA+B,KAAK,GAAG,aAAa,IAAI,MAAM;AAAA,QAChE;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAQA,SAAS,iBAAiB,KAA2B;AACnD,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,SAAO;AAAA,IACL,SAAS,EAAE;AAAA,IACX,gBAAgB,CAAC,CAAC,EAAE;AAAA,IACpB,cAAc,MAAM,QAAQ,EAAE,YAAY,IAAI,EAAE,eAAe,CAAC;AAAA,IAChE,oBACE,EAAE,sBAAsB,OAAO,EAAE,uBAAuB,WACnD,EAAE,qBACH,CAAC;AAAA,IACP,wBACE,EAAE,0BAA0B,OAAO,EAAE,2BAA2B,WAC3D,EAAE,yBACH,CAAC;AAAA,IACP,aAAa,MAAM,QAAQ,EAAE,WAAW,IACnC,EAAE,cACH,CAAC;AAAA,EACP;AACF;","names":[]}