snipe-auth-rbac 0.1.0

package/dist/admin/index.d.cts

@@ -0,0 +1,346 @@
+import { R as ResourceScope, F as FrontendConfig, a as ResourceDescriptor, A as Action } from '../types-BEc5SCIo.cjs';
+import * as react_jsx_runtime from 'react/jsx-runtime';
+
+/**
+ * Admin-side types — shapes returned by the admin SQL helpers.
+ * Mirrors the package's table layout so projects can ship a custom
+ * admin UI without re-defining shapes.
+ */
+
+interface AdminRole {
+    id: string;
+    scope: ResourceScope;
+    /** null = system role OR company-scope template (no specific company). */
+    company_id: string | null;
+    name: string;
+    description: string | null;
+    is_system: boolean;
+    is_super: boolean;
+    frontend_config: FrontendConfig;
+    created_at: string;
+    updated_at: string;
+}
+interface AdminRolePermission {
+    role_id: string;
+    resource: string;
+    can_read: boolean;
+    can_write: boolean;
+    can_update: boolean;
+    can_delete: boolean;
+}
+interface AdminCompany {
+    id: string;
+    name: string;
+    slug: string | null;
+    type: string | null;
+    parent_id: string | null;
+    metadata: Record<string, unknown>;
+    created_at: string;
+}
+interface AdminMember {
+    user_id: string;
+    email: string | null;
+    full_name: string | null;
+    /** Roles the member holds in the listed company. */
+    role_ids: string[];
+    invited_at: string | null;
+    /** "pending" | "accepted" — pending while Supabase Auth invite outstanding. */
+    invitation_status: "pending" | "accepted" | null;
+}
+/**
+ * Adopter-supplied transport for admin reads + writes. The default
+ * Supabase implementation is exported as `createSupabaseAdminClient`
+ * — projects with a custom backend bring their own.
+ */
+interface AdminTransport {
+    /**
+     * Upsert resource descriptors into `auth_rbac_resources`. Call
+     * once at app boot (or behind a SuperAdmin button) so the
+     * permission matrix UI mirrors the host's typed resource
+     * registry. Returns the number of rows upserted.
+     */
+    syncResources(resources: ReadonlyArray<ResourceDescriptor>): Promise<number>;
+    listRoles(args: {
+        scope: ResourceScope;
+        companyId?: string | null;
+        /** if true, returns only role TEMPLATES (company_id IS NULL). */
+        templatesOnly?: boolean;
+    }): Promise<AdminRole[]>;
+    listRolePermissions(roleId: string): Promise<AdminRolePermission[]>;
+    createRole(input: {
+        scope: ResourceScope;
+        companyId?: string | null;
+        name: string;
+        description?: string;
+        frontend_config?: FrontendConfig;
+    }): Promise<AdminRole>;
+    updateRole(id: string, patch: Partial<Pick<AdminRole, "name" | "description" | "frontend_config">>): Promise<AdminRole>;
+    deleteRole(id: string): Promise<void>;
+    setRolePermissionCell(args: {
+        role_id: string;
+        resource: string;
+        action: Action;
+        value: boolean;
+    }): Promise<void>;
+    listCompanies(): Promise<AdminCompany[]>;
+    createCompany(input: {
+        name: string;
+        slug?: string;
+        type?: string;
+    }): Promise<AdminCompany>;
+    listCompanyMembers(companyId: string): Promise<AdminMember[]>;
+    /**
+     * Sends a Supabase Auth invite. The transport encodes the assigned
+     * role(s) into the invite metadata; on accept, a backend webhook
+     * is responsible for writing the assignment row.
+     */
+    inviteCompanyMember(args: {
+        companyId: string;
+        email: string;
+        roleIds: string[];
+    }): Promise<{
+        invited: true;
+    }>;
+}
+
+/**
+ * Default Supabase implementation of the admin transport. Hits the
+ * package's tables directly via `from(...)` and the auth admin
+ * endpoint for invites.
+ *
+ * Projects that route admin writes through their own backend
+ * (e.g. for audit logging or extra validation) skip this and
+ * implement `AdminTransport` themselves.
+ */
+
+interface SupabaseAdmin {
+    from(table: string): {
+        select: (cols: string) => {
+            eq: (col: string, value: unknown) => any;
+            is: (col: string, value: unknown) => any;
+            order: (col: string, opts?: {
+                ascending: boolean;
+            }) => any;
+        };
+        insert: (row: Record<string, unknown>) => {
+            select: (cols: string) => {
+                single: () => any;
+            };
+        };
+        update: (patch: Record<string, unknown>) => {
+            eq: (col: string, value: unknown) => {
+                select: (cols: string) => {
+                    single: () => any;
+                };
+            };
+        };
+        upsert: (row: Record<string, unknown> | Array<Record<string, unknown>>, opts?: {
+            onConflict: string;
+        }) => Promise<{
+            error: {
+                message: string;
+            } | null;
+        }>;
+        delete: () => {
+            eq: (col: string, value: unknown) => any;
+        };
+    };
+    auth: {
+        admin: {
+            inviteUserByEmail: (email: string, opts?: {
+                data?: Record<string, unknown>;
+                redirectTo?: string;
+            }) => Promise<{
+                data: unknown;
+                error: {
+                    message: string;
+                } | null;
+            }>;
+        };
+    };
+}
+interface SupabaseAdminClientOptions {
+    supabase: SupabaseAdmin;
+    /** Where the invitee should land after setting their password. */
+    inviteRedirectUrl?: string;
+}
+declare function createSupabaseAdminClient(opts: SupabaseAdminClientOptions): AdminTransport;
+
+interface AdminTransportProviderProps {
+    transport: AdminTransport;
+    children: React.ReactNode;
+}
+declare function AdminTransportProvider(props: AdminTransportProviderProps): react_jsx_runtime.JSX.Element;
+declare function useAdminRoles(args: {
+    scope: ResourceScope;
+    companyId?: string | null;
+    templatesOnly?: boolean;
+}): {
+    refresh: () => Promise<void>;
+    data: AdminRole[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
+declare function useAdminRolePermissions(roleId: string | null): {
+    refresh: () => Promise<void>;
+    data: AdminRolePermission[] | never[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
+declare function useAdminCompanies(): {
+    refresh: () => Promise<void>;
+    data: AdminCompany[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
+declare function useAdminCompanyMembers(companyId: string | null): {
+    refresh: () => Promise<void>;
+    data: AdminMember[] | never[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
+declare function useCreateRole(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (input: {
+        scope: ResourceScope;
+        companyId?: string | null;
+        name: string;
+        description?: string;
+        frontend_config?: FrontendConfig;
+    }) => Promise<AdminRole>;
+};
+declare function useUpdateRole(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (id: string, patch: Partial<Pick<AdminRole, "name" | "description" | "frontend_config">>) => Promise<AdminRole>;
+};
+declare function useDeleteRole(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (id: string) => Promise<void>;
+};
+declare function useSetRolePermissionCell(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (args: {
+        role_id: string;
+        resource: string;
+        action: Action;
+        value: boolean;
+    }) => Promise<void>;
+};
+declare function useCreateCompany(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (input: {
+        name: string;
+        slug?: string;
+        type?: string;
+    }) => Promise<AdminCompany>;
+};
+declare function useInviteCompanyMember(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (args: {
+        companyId: string;
+        email: string;
+        roleIds: string[];
+    }) => Promise<{
+        invited: true;
+    }>;
+};
+interface RolePermissionGrid {
+    [resource: string]: {
+        [A in Action]: boolean;
+    };
+}
+declare function useRolePermissionGrid(roleId: string | null): {
+    grid: RolePermissionGrid;
+    isLoading: boolean;
+    error: Error | null;
+    refresh: () => Promise<void>;
+    updateCell: (resource: string, action: Action, value: boolean) => Promise<void>;
+    isUpdating: boolean;
+    updateError: Error | null;
+};
+
+interface MatrixGroup {
+    group: string;
+    resources: ResourceDescriptor[];
+}
+interface MatrixRenderArgs {
+    /** Resources grouped by their `group` label, original insertion order. */
+    groups: MatrixGroup[];
+    /** Read a single cell from the current grid. */
+    isCellEnabled: (resource: string, action: Action) => boolean;
+    /** Write a single cell. Optimistic in the local cache + writes through. */
+    setCell: (resource: string, action: Action, value: boolean) => Promise<void>;
+    isLoading: boolean;
+    isUpdating: boolean;
+    error: Error | null;
+    /** All four actions, exposed for the consumer to render headers. */
+    actions: ReadonlyArray<Action>;
+}
+interface PermissionsMatrixProps {
+    roleId: string | null;
+    resources: ReadonlyArray<ResourceDescriptor>;
+    children: (args: MatrixRenderArgs) => React.ReactNode;
+}
+declare function PermissionsMatrix(props: PermissionsMatrixProps): react_jsx_runtime.JSX.Element;
+
+interface RolesListRenderArgs {
+    roles: AdminRole[];
+    isLoading: boolean;
+    error: Error | null;
+    selectedRoleId: string | null;
+    selectRole: (id: string | null) => void;
+    createRole: (input: {
+        name: string;
+        description?: string;
+    }) => Promise<AdminRole>;
+    isCreating: boolean;
+    createError: Error | null;
+    deleteRole: (id: string) => Promise<void>;
+    isDeleting: boolean;
+    deleteError: Error | null;
+    refresh: () => Promise<void>;
+}
+interface RolesListProps {
+    scope: ResourceScope;
+    /** Required for company-scope. Pass `null` for templates. */
+    companyId?: string | null;
+    /** Pre-select the first role on load. Default: true. */
+    autoSelectFirst?: boolean;
+    children: (args: RolesListRenderArgs) => React.ReactNode;
+}
+declare function RolesList(props: RolesListProps): react_jsx_runtime.JSX.Element;
+
+interface InviteMemberFormRenderArgs {
+    email: string;
+    setEmail: (v: string) => void;
+    selectedRoleIds: Set<string>;
+    toggleRole: (roleId: string) => void;
+    resetForm: () => void;
+    roles: AdminRole[];
+    rolesLoading: boolean;
+    rolesError: Error | null;
+    submit: () => Promise<void>;
+    isSubmitting: boolean;
+    submitError: Error | null;
+    submittedSuccessfully: boolean;
+    isValid: boolean;
+    errors: {
+        email?: string;
+        roles?: string;
+    };
+}
+interface InviteMemberFormProps {
+    companyId: string;
+    /** Called after a successful invite — typically clears a dialog. */
+    onSuccess?: () => void;
+    children: (args: InviteMemberFormRenderArgs) => React.ReactNode;
+}
+declare function InviteMemberForm(props: InviteMemberFormProps): react_jsx_runtime.JSX.Element;
+
+export { type AdminCompany, type AdminMember, type AdminRole, type AdminRolePermission, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, useAdminCompanies, useAdminCompanyMembers, useAdminRolePermissions, useAdminRoles, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useSetRolePermissionCell, useUpdateRole };

package/dist/admin/index.d.ts

@@ -0,0 +1,346 @@
+import { R as ResourceScope, F as FrontendConfig, a as ResourceDescriptor, A as Action } from '../types-BEc5SCIo.js';
+import * as react_jsx_runtime from 'react/jsx-runtime';
+
+/**
+ * Admin-side types — shapes returned by the admin SQL helpers.
+ * Mirrors the package's table layout so projects can ship a custom
+ * admin UI without re-defining shapes.
+ */
+
+interface AdminRole {
+    id: string;
+    scope: ResourceScope;
+    /** null = system role OR company-scope template (no specific company). */
+    company_id: string | null;
+    name: string;
+    description: string | null;
+    is_system: boolean;
+    is_super: boolean;
+    frontend_config: FrontendConfig;
+    created_at: string;
+    updated_at: string;
+}
+interface AdminRolePermission {
+    role_id: string;
+    resource: string;
+    can_read: boolean;
+    can_write: boolean;
+    can_update: boolean;
+    can_delete: boolean;
+}
+interface AdminCompany {
+    id: string;
+    name: string;
+    slug: string | null;
+    type: string | null;
+    parent_id: string | null;
+    metadata: Record<string, unknown>;
+    created_at: string;
+}
+interface AdminMember {
+    user_id: string;
+    email: string | null;
+    full_name: string | null;
+    /** Roles the member holds in the listed company. */
+    role_ids: string[];
+    invited_at: string | null;
+    /** "pending" | "accepted" — pending while Supabase Auth invite outstanding. */
+    invitation_status: "pending" | "accepted" | null;
+}
+/**
+ * Adopter-supplied transport for admin reads + writes. The default
+ * Supabase implementation is exported as `createSupabaseAdminClient`
+ * — projects with a custom backend bring their own.
+ */
+interface AdminTransport {
+    /**
+     * Upsert resource descriptors into `auth_rbac_resources`. Call
+     * once at app boot (or behind a SuperAdmin button) so the
+     * permission matrix UI mirrors the host's typed resource
+     * registry. Returns the number of rows upserted.
+     */
+    syncResources(resources: ReadonlyArray<ResourceDescriptor>): Promise<number>;
+    listRoles(args: {
+        scope: ResourceScope;
+        companyId?: string | null;
+        /** if true, returns only role TEMPLATES (company_id IS NULL). */
+        templatesOnly?: boolean;
+    }): Promise<AdminRole[]>;
+    listRolePermissions(roleId: string): Promise<AdminRolePermission[]>;
+    createRole(input: {
+        scope: ResourceScope;
+        companyId?: string | null;
+        name: string;
+        description?: string;
+        frontend_config?: FrontendConfig;
+    }): Promise<AdminRole>;
+    updateRole(id: string, patch: Partial<Pick<AdminRole, "name" | "description" | "frontend_config">>): Promise<AdminRole>;
+    deleteRole(id: string): Promise<void>;
+    setRolePermissionCell(args: {
+        role_id: string;
+        resource: string;
+        action: Action;
+        value: boolean;
+    }): Promise<void>;
+    listCompanies(): Promise<AdminCompany[]>;
+    createCompany(input: {
+        name: string;
+        slug?: string;
+        type?: string;
+    }): Promise<AdminCompany>;
+    listCompanyMembers(companyId: string): Promise<AdminMember[]>;
+    /**
+     * Sends a Supabase Auth invite. The transport encodes the assigned
+     * role(s) into the invite metadata; on accept, a backend webhook
+     * is responsible for writing the assignment row.
+     */
+    inviteCompanyMember(args: {
+        companyId: string;
+        email: string;
+        roleIds: string[];
+    }): Promise<{
+        invited: true;
+    }>;
+}
+
+/**
+ * Default Supabase implementation of the admin transport. Hits the
+ * package's tables directly via `from(...)` and the auth admin
+ * endpoint for invites.
+ *
+ * Projects that route admin writes through their own backend
+ * (e.g. for audit logging or extra validation) skip this and
+ * implement `AdminTransport` themselves.
+ */
+
+interface SupabaseAdmin {
+    from(table: string): {
+        select: (cols: string) => {
+            eq: (col: string, value: unknown) => any;
+            is: (col: string, value: unknown) => any;
+            order: (col: string, opts?: {
+                ascending: boolean;
+            }) => any;
+        };
+        insert: (row: Record<string, unknown>) => {
+            select: (cols: string) => {
+                single: () => any;
+            };
+        };
+        update: (patch: Record<string, unknown>) => {
+            eq: (col: string, value: unknown) => {
+                select: (cols: string) => {
+                    single: () => any;
+                };
+            };
+        };
+        upsert: (row: Record<string, unknown> | Array<Record<string, unknown>>, opts?: {
+            onConflict: string;
+        }) => Promise<{
+            error: {
+                message: string;
+            } | null;
+        }>;
+        delete: () => {
+            eq: (col: string, value: unknown) => any;
+        };
+    };
+    auth: {
+        admin: {
+            inviteUserByEmail: (email: string, opts?: {
+                data?: Record<string, unknown>;
+                redirectTo?: string;
+            }) => Promise<{
+                data: unknown;
+                error: {
+                    message: string;
+                } | null;
+            }>;
+        };
+    };
+}
+interface SupabaseAdminClientOptions {
+    supabase: SupabaseAdmin;
+    /** Where the invitee should land after setting their password. */
+    inviteRedirectUrl?: string;
+}
+declare function createSupabaseAdminClient(opts: SupabaseAdminClientOptions): AdminTransport;
+
+interface AdminTransportProviderProps {
+    transport: AdminTransport;
+    children: React.ReactNode;
+}
+declare function AdminTransportProvider(props: AdminTransportProviderProps): react_jsx_runtime.JSX.Element;
+declare function useAdminRoles(args: {
+    scope: ResourceScope;
+    companyId?: string | null;
+    templatesOnly?: boolean;
+}): {
+    refresh: () => Promise<void>;
+    data: AdminRole[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
+declare function useAdminRolePermissions(roleId: string | null): {
+    refresh: () => Promise<void>;
+    data: AdminRolePermission[] | never[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
+declare function useAdminCompanies(): {
+    refresh: () => Promise<void>;
+    data: AdminCompany[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
+declare function useAdminCompanyMembers(companyId: string | null): {
+    refresh: () => Promise<void>;
+    data: AdminMember[] | never[] | null;
+    isLoading: boolean;
+    error: Error | null;
+};
+declare function useCreateRole(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (input: {
+        scope: ResourceScope;
+        companyId?: string | null;
+        name: string;
+        description?: string;
+        frontend_config?: FrontendConfig;
+    }) => Promise<AdminRole>;
+};
+declare function useUpdateRole(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (id: string, patch: Partial<Pick<AdminRole, "name" | "description" | "frontend_config">>) => Promise<AdminRole>;
+};
+declare function useDeleteRole(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (id: string) => Promise<void>;
+};
+declare function useSetRolePermissionCell(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (args: {
+        role_id: string;
+        resource: string;
+        action: Action;
+        value: boolean;
+    }) => Promise<void>;
+};
+declare function useCreateCompany(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (input: {
+        name: string;
+        slug?: string;
+        type?: string;
+    }) => Promise<AdminCompany>;
+};
+declare function useInviteCompanyMember(): {
+    isPending: boolean;
+    error: Error | null;
+    mutate: (args: {
+        companyId: string;
+        email: string;
+        roleIds: string[];
+    }) => Promise<{
+        invited: true;
+    }>;
+};
+interface RolePermissionGrid {
+    [resource: string]: {
+        [A in Action]: boolean;
+    };
+}
+declare function useRolePermissionGrid(roleId: string | null): {
+    grid: RolePermissionGrid;
+    isLoading: boolean;
+    error: Error | null;
+    refresh: () => Promise<void>;
+    updateCell: (resource: string, action: Action, value: boolean) => Promise<void>;
+    isUpdating: boolean;
+    updateError: Error | null;
+};
+
+interface MatrixGroup {
+    group: string;
+    resources: ResourceDescriptor[];
+}
+interface MatrixRenderArgs {
+    /** Resources grouped by their `group` label, original insertion order. */
+    groups: MatrixGroup[];
+    /** Read a single cell from the current grid. */
+    isCellEnabled: (resource: string, action: Action) => boolean;
+    /** Write a single cell. Optimistic in the local cache + writes through. */
+    setCell: (resource: string, action: Action, value: boolean) => Promise<void>;
+    isLoading: boolean;
+    isUpdating: boolean;
+    error: Error | null;
+    /** All four actions, exposed for the consumer to render headers. */
+    actions: ReadonlyArray<Action>;
+}
+interface PermissionsMatrixProps {
+    roleId: string | null;
+    resources: ReadonlyArray<ResourceDescriptor>;
+    children: (args: MatrixRenderArgs) => React.ReactNode;
+}
+declare function PermissionsMatrix(props: PermissionsMatrixProps): react_jsx_runtime.JSX.Element;
+
+interface RolesListRenderArgs {
+    roles: AdminRole[];
+    isLoading: boolean;
+    error: Error | null;
+    selectedRoleId: string | null;
+    selectRole: (id: string | null) => void;
+    createRole: (input: {
+        name: string;
+        description?: string;
+    }) => Promise<AdminRole>;
+    isCreating: boolean;
+    createError: Error | null;
+    deleteRole: (id: string) => Promise<void>;
+    isDeleting: boolean;
+    deleteError: Error | null;
+    refresh: () => Promise<void>;
+}
+interface RolesListProps {
+    scope: ResourceScope;
+    /** Required for company-scope. Pass `null` for templates. */
+    companyId?: string | null;
+    /** Pre-select the first role on load. Default: true. */
+    autoSelectFirst?: boolean;
+    children: (args: RolesListRenderArgs) => React.ReactNode;
+}
+declare function RolesList(props: RolesListProps): react_jsx_runtime.JSX.Element;
+
+interface InviteMemberFormRenderArgs {
+    email: string;
+    setEmail: (v: string) => void;
+    selectedRoleIds: Set<string>;
+    toggleRole: (roleId: string) => void;
+    resetForm: () => void;
+    roles: AdminRole[];
+    rolesLoading: boolean;
+    rolesError: Error | null;
+    submit: () => Promise<void>;
+    isSubmitting: boolean;
+    submitError: Error | null;
+    submittedSuccessfully: boolean;
+    isValid: boolean;
+    errors: {
+        email?: string;
+        roles?: string;
+    };
+}
+interface InviteMemberFormProps {
+    companyId: string;
+    /** Called after a successful invite — typically clears a dialog. */
+    onSuccess?: () => void;
+    children: (args: InviteMemberFormRenderArgs) => React.ReactNode;
+}
+declare function InviteMemberForm(props: InviteMemberFormProps): react_jsx_runtime.JSX.Element;
+
+export { type AdminCompany, type AdminMember, type AdminRole, type AdminRolePermission, type AdminTransport, AdminTransportProvider, type AdminTransportProviderProps, InviteMemberForm, type InviteMemberFormProps, type InviteMemberFormRenderArgs, type MatrixGroup, type MatrixRenderArgs, PermissionsMatrix, type PermissionsMatrixProps, type RolePermissionGrid, RolesList, type RolesListProps, type RolesListRenderArgs, type SupabaseAdminClientOptions, createSupabaseAdminClient, useAdminCompanies, useAdminCompanyMembers, useAdminRolePermissions, useAdminRoles, useCreateCompany, useCreateRole, useDeleteRole, useInviteCompanyMember, useRolePermissionGrid, useSetRolePermissionCell, useUpdateRole };