snipe-auth-rbac 0.1.0

package/dist/react/index.cjs

@@ -0,0 +1,349 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/react/index.ts
+var react_exports = {};
+__export(react_exports, {
+  AuthRbacProvider: () => AuthRbacProvider,
+  Can: () => Can,
+  RequirePermission: () => RequirePermission,
+  createHttpFetcher: () => createHttpFetcher,
+  createSupabaseFetcher: () => createSupabaseFetcher,
+  defineAuthRbac: () => defineAuthRbac2,
+  useActiveCompany: () => useActiveCompany,
+  useAuthRbac: () => useAuthRbac,
+  useCan: () => useCan,
+  useFrontendConfig: () => useFrontendConfig
+});
+module.exports = __toCommonJS(react_exports);
+
+// src/react/AuthRbacProvider.tsx
+var import_react = require("react");
+
+// src/client.ts
+function buildPermissionResolver(resources, profile, defaultCompanyId) {
+  const scopeByResource = new Map(
+    resources.map((r) => [r.resource, r.scope])
+  );
+  const can = (resource, action, options) => {
+    if (profile.is_super_admin) {
+      return true;
+    }
+    const scope = scopeByResource.get(resource);
+    if (!scope) {
+      return false;
+    }
+    if (scope === "system") {
+      return readGrid(profile.system_permissions, resource, action);
+    }
+    const companyId = options?.companyId ?? defaultCompanyId;
+    if (!companyId) {
+      return false;
+    }
+    const membership = profile.memberships.find(
+      (m) => m.company_id === companyId
+    );
+    if (!membership) {
+      return false;
+    }
+    return readGrid(membership.permissions, resource, action);
+  };
+  return {
+    can,
+    /** Permission map for the active (or specified) company. */
+    activePermissions: (companyId) => {
+      const id = companyId ?? defaultCompanyId;
+      if (!id) {
+        return {};
+      }
+      return profile.memberships.find((m) => m.company_id === id)?.permissions ?? {};
+    },
+    systemPermissions: () => profile.system_permissions
+  };
+}
+function readGrid(map, resource, action) {
+  const grid = map[resource];
+  if (!grid) {
+    return false;
+  }
+  return grid[action];
+}
+
+// src/react/AuthRbacProvider.tsx
+var import_jsx_runtime = require("react/jsx-runtime");
+var AuthRbacContext = (0, import_react.createContext)(null);
+var STORAGE_KEY = "auth-rbac:active-company";
+var defaultPersist = (id) => {
+  if (typeof window === "undefined") {
+    return;
+  }
+  try {
+    if (id == null) {
+      window.localStorage.removeItem(STORAGE_KEY);
+    } else {
+      window.localStorage.setItem(STORAGE_KEY, id);
+    }
+  } catch {
+  }
+};
+var readPersisted = () => {
+  if (typeof window === "undefined") {
+    return null;
+  }
+  try {
+    return window.localStorage.getItem(STORAGE_KEY);
+  } catch {
+    return null;
+  }
+};
+function AuthRbacProvider(props) {
+  const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;
+  const [profile, setProfile] = (0, import_react.useState)(null);
+  const [loading, setLoading] = (0, import_react.useState)(true);
+  const [error, setError] = (0, import_react.useState)(null);
+  const [activeCompanyId, setActiveCompanyState] = (0, import_react.useState)(
+    initialCompanyId ?? readPersisted()
+  );
+  const persist = (0, import_react.useMemo)(() => {
+    if (persistActiveCompany === false) {
+      return () => {
+      };
+    }
+    return persistActiveCompany ?? defaultPersist;
+  }, [persistActiveCompany]);
+  const setActiveCompany = (0, import_react.useCallback)(
+    (id) => {
+      setActiveCompanyState(id);
+      persist(id);
+    },
+    [persist]
+  );
+  const refresh = (0, import_react.useCallback)(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      const next = await fetcher.fetchProfile();
+      setProfile(next);
+      const stillMember = activeCompanyId != null && next.memberships.some((m) => m.company_id === activeCompanyId);
+      if (!stillMember) {
+        const fallback = next.memberships[0]?.company_id ?? null;
+        setActiveCompanyState(fallback);
+        persist(fallback);
+      }
+    } catch (e) {
+      setError(e instanceof Error ? e : new Error(String(e)));
+    } finally {
+      setLoading(false);
+    }
+  }, [fetcher]);
+  (0, import_react.useEffect)(() => {
+    void refresh();
+  }, [refresh]);
+  const resolver = (0, import_react.useMemo)(() => {
+    if (profile == null) {
+      return {
+        can: () => false,
+        activePermissions: () => ({}),
+        systemPermissions: () => ({})
+      };
+    }
+    return buildPermissionResolver(resources, profile, activeCompanyId);
+  }, [profile, resources, activeCompanyId]);
+  const value = (0, import_react.useMemo)(
+    () => ({
+      profile,
+      loading,
+      error,
+      resources,
+      activeCompanyId,
+      setActiveCompany,
+      refresh,
+      resolver
+    }),
+    [
+      profile,
+      loading,
+      error,
+      resources,
+      activeCompanyId,
+      setActiveCompany,
+      refresh,
+      resolver
+    ]
+  );
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(AuthRbacContext.Provider, { value, children: props.children });
+}
+function useAuthRbac() {
+  const ctx = (0, import_react.useContext)(AuthRbacContext);
+  if (!ctx) {
+    throw new Error(
+      "useAuthRbac must be used within an <AuthRbacProvider> \u2014 wrap your app at the root."
+    );
+  }
+  return ctx;
+}
+
+// src/react/useCan.ts
+function useCan(resource, action, options) {
+  const { resolver } = useAuthRbac();
+  return resolver.can(resource, action, options);
+}
+
+// src/react/Can.tsx
+var import_jsx_runtime2 = require("react/jsx-runtime");
+function Can(props) {
+  const { resource, action, companyId, children, fallback = null } = props;
+  const allowed = useCan(resource, action, { companyId });
+  return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_jsx_runtime2.Fragment, { children: allowed ? children : fallback });
+}
+
+// src/react/RequirePermission.tsx
+var import_jsx_runtime3 = require("react/jsx-runtime");
+function RequirePermission(props) {
+  const {
+    resource,
+    action,
+    companyId,
+    loadingFallback = null,
+    deniedFallback = /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("div", { role: "alert", style: { padding: 24 }, children: /* @__PURE__ */ (0, import_jsx_runtime3.jsx)("strong", { children: "Sie haben keinen Zugriff." }) }),
+    children = null
+  } = props;
+  const { profile, loading } = useAuthRbac();
+  const allowed = useCan(resource, action, { companyId });
+  if (loading || profile == null) {
+    return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_jsx_runtime3.Fragment, { children: loadingFallback });
+  }
+  if (!allowed) {
+    return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_jsx_runtime3.Fragment, { children: deniedFallback });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_jsx_runtime3.Fragment, { children });
+}
+
+// src/react/useActiveCompany.ts
+var import_react2 = require("react");
+function useActiveCompany() {
+  const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();
+  return (0, import_react2.useMemo)(() => {
+    const memberships = profile?.memberships ?? [];
+    const membership = memberships.find((m) => m.company_id === activeCompanyId) ?? null;
+    return {
+      id: activeCompanyId,
+      membership,
+      memberships,
+      setActive: setActiveCompany
+    };
+  }, [profile, activeCompanyId, setActiveCompany]);
+}
+
+// src/react/useFrontendConfig.ts
+var import_react3 = require("react");
+function useFrontendConfig() {
+  const { profile, activeCompanyId } = useAuthRbac();
+  return (0, import_react3.useMemo)(() => {
+    if (!profile) {
+      return {};
+    }
+    const membershipConfig = profile.memberships.find((m) => m.company_id === activeCompanyId)?.frontend_config ?? {};
+    return { ...profile.system_frontend_config, ...membershipConfig };
+  }, [profile, activeCompanyId]);
+}
+
+// src/fetchers.ts
+function createSupabaseFetcher(opts) {
+  return {
+    async fetchProfile() {
+      const { data, error } = await opts.supabase.rpc(
+        "auth_rbac_user_profile",
+        { p_user_id: opts.userId }
+      );
+      if (error) {
+        throw new Error(
+          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`
+        );
+      }
+      return normalizeProfile(data);
+    }
+  };
+}
+function createHttpFetcher(opts) {
+  const fetchImpl = opts.fetch ?? globalThis.fetch;
+  return {
+    async fetchProfile() {
+      const res = await fetchImpl(opts.url, opts.init);
+      if (!res.ok) {
+        throw new Error(
+          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`
+        );
+      }
+      const json = await res.json();
+      return normalizeProfile(json);
+    }
+  };
+}
+function normalizeProfile(raw) {
+  if (!raw || typeof raw !== "object") {
+    throw new Error("auth-rbac: profile payload is not an object");
+  }
+  const p = raw;
+  if (typeof p.user_id !== "string") {
+    throw new Error("auth-rbac: profile payload missing user_id");
+  }
+  return {
+    user_id: p.user_id,
+    is_super_admin: !!p.is_super_admin,
+    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],
+    system_permissions: p.system_permissions && typeof p.system_permissions === "object" ? p.system_permissions : {},
+    system_frontend_config: p.system_frontend_config && typeof p.system_frontend_config === "object" ? p.system_frontend_config : {},
+    memberships: Array.isArray(p.memberships) ? p.memberships : []
+  };
+}
+
+// src/define.ts
+function defineAuthRbac(resources, runtime) {
+  return {
+    useCan: runtime.useCan,
+    Can: runtime.Can,
+    RequirePermission: runtime.RequirePermission,
+    resources,
+    resourceNames: resources.map((r) => r.resource)
+  };
+}
+
+// src/react/index.ts
+function defineAuthRbac2(resources) {
+  return defineAuthRbac(resources, {
+    useCan,
+    Can,
+    RequirePermission
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthRbacProvider,
+  Can,
+  RequirePermission,
+  createHttpFetcher,
+  createSupabaseFetcher,
+  defineAuthRbac,
+  useActiveCompany,
+  useAuthRbac,
+  useCan,
+  useFrontendConfig
+});
+//# sourceMappingURL=index.cjs.map

package/dist/react/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/react/index.ts","../../src/react/AuthRbacProvider.tsx","../../src/client.ts","../../src/react/useCan.ts","../../src/react/Can.tsx","../../src/react/RequirePermission.tsx","../../src/react/useActiveCompany.ts","../../src/react/useFrontendConfig.ts","../../src/fetchers.ts","../../src/define.ts"],"sourcesContent":["/**\n * React + Next.js entry. Import this in browser code:\n *\n *   import { AuthRbacProvider, useCan } from \"snipe-auth-rbac/react\";\n *\n * The non-React entry (`snipe-auth-rbac`) re-exports types and the\n * pure resolver, suitable for Node, edge workers, and tests.\n */\n\nexport {\n  AuthRbacProvider,\n  useAuthRbac,\n  type AuthRbacProviderProps,\n} from \"./AuthRbacProvider.js\";\n\nexport { useCan } from \"./useCan.js\";\nexport { Can, type CanProps } from \"./Can.js\";\nexport {\n  RequirePermission,\n  type RequirePermissionProps,\n} from \"./RequirePermission.js\";\nexport { useActiveCompany, type ActiveCompany } from \"./useActiveCompany.js\";\nexport { useFrontendConfig } from \"./useFrontendConfig.js\";\n\n// Re-exports for convenience so consumers don't need two imports.\nexport type {\n  Action,\n  AuthRbacFetcher,\n  CompanyMembership,\n  FrontendConfig,\n  PermissionGrid,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  RoleSummary,\n  UserProfile,\n} from \"../types.js\";\n\nexport {\n  createSupabaseFetcher,\n  createHttpFetcher,\n} from \"../fetchers.js\";\n\nimport { defineAuthRbac as _defineAuthRbac } from \"../define.js\";\nimport { Can } from \"./Can.js\";\nimport { RequirePermission } from \"./RequirePermission.js\";\nimport { useCan } from \"./useCan.js\";\n\nimport type { ResourceDescriptor } from \"../types.js\";\nimport type { TypedGuards } from \"../define.js\";\n\n/**\n * Typed factory — pass a const-asserted resource registry and get\n * back guards whose `resource` arg is constrained to the registered\n * names. Recommended at the top of every host project.\n *\n * See ../define.ts for the full doc + example.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(resources: Reg): TypedGuards<Reg[number][\"resource\"]> {\n  return _defineAuthRbac(resources, {\n    useCan,\n    Can,\n    RequirePermission,\n  });\n}\n\nexport type { TypedGuards } from \"../define.js\";\n","import {\n  createContext,\n  useCallback,\n  useContext,\n  useEffect,\n  useMemo,\n  useState,\n  type ReactNode,\n} from \"react\";\n\nimport {\n  buildPermissionResolver,\n  type AuthRbacClient,\n} from \"../client.js\";\nimport type {\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceRegistry,\n  UserProfile,\n} from \"../types.js\";\n\ninterface AuthRbacContextValue {\n  /**\n   * `null` means we haven't hydrated yet. Components should treat\n   * the not-loaded state as \"no permissions\" (fail-closed).\n   */\n  profile: UserProfile | null;\n  loading: boolean;\n  error: Error | null;\n  resources: ResourceRegistry;\n  activeCompanyId: string | null;\n  setActiveCompany: (id: string | null) => void;\n  refresh: () => Promise<void>;\n  resolver: AuthRbacClient;\n}\n\nconst AuthRbacContext = createContext<AuthRbacContextValue | null>(null);\n\nexport interface AuthRbacProviderProps {\n  fetcher: AuthRbacFetcher;\n  resources: ResourceRegistry;\n  /**\n   * Initial active company. Common patterns:\n   *  - read from URL query/path\n   *  - read from localStorage\n   *  - omit and let the user pick from the switcher\n   */\n  initialCompanyId?: string | null;\n  /**\n   * Persistence hook. Called every time the active company changes.\n   * Default: writes to `localStorage` under\n   * `auth-rbac:active-company`. Pass `false` to disable.\n   */\n  persistActiveCompany?:\n    | ((id: string | null) => void)\n    | false;\n  children: ReactNode;\n}\n\nconst STORAGE_KEY = \"auth-rbac:active-company\";\n\nconst defaultPersist = (id: string | null) => {\n  if (typeof window === \"undefined\") {\n    return;\n  }\n  try {\n    if (id == null) {\n      window.localStorage.removeItem(STORAGE_KEY);\n    } else {\n      window.localStorage.setItem(STORAGE_KEY, id);\n    }\n  } catch {\n    // localStorage may be unavailable (private browsing, SSR) —\n    // fall back to in-memory only.\n  }\n};\n\nconst readPersisted = (): string | null => {\n  if (typeof window === \"undefined\") {\n    return null;\n  }\n  try {\n    return window.localStorage.getItem(STORAGE_KEY);\n  } catch {\n    return null;\n  }\n};\n\nexport function AuthRbacProvider(props: AuthRbacProviderProps) {\n  const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;\n\n  const [profile, setProfile] = useState<UserProfile | null>(null);\n  const [loading, setLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const [activeCompanyId, setActiveCompanyState] = useState<string | null>(\n    initialCompanyId ?? readPersisted(),\n  );\n\n  const persist = useMemo(() => {\n    if (persistActiveCompany === false) {\n      return () => {};\n    }\n    return persistActiveCompany ?? defaultPersist;\n  }, [persistActiveCompany]);\n\n  const setActiveCompany = useCallback(\n    (id: string | null) => {\n      setActiveCompanyState(id);\n      persist(id);\n    },\n    [persist],\n  );\n\n  const refresh = useCallback(async () => {\n    setLoading(true);\n    setError(null);\n    try {\n      const next = await fetcher.fetchProfile();\n      setProfile(next);\n      // If the persisted company isn't a membership, fall back to\n      // the first one (or null for users with no memberships).\n      const stillMember =\n        activeCompanyId != null &&\n        next.memberships.some((m) => m.company_id === activeCompanyId);\n      if (!stillMember) {\n        const fallback =\n          next.memberships[0]?.company_id ?? null;\n        setActiveCompanyState(fallback);\n        persist(fallback);\n      }\n    } catch (e) {\n      setError(e instanceof Error ? e : new Error(String(e)));\n    } finally {\n      setLoading(false);\n    }\n    // eslint-disable-next-line react-hooks/exhaustive-deps\n  }, [fetcher]);\n\n  useEffect(() => {\n    void refresh();\n  }, [refresh]);\n\n  const resolver = useMemo<AuthRbacClient>(() => {\n    if (profile == null) {\n      // Empty resolver until the profile lands. Always returns\n      // false → guards fall through to the unauthenticated branch.\n      return {\n        can: () => false,\n        activePermissions: () => ({}) as PermissionMap,\n        systemPermissions: () => ({}) as PermissionMap,\n      };\n    }\n    return buildPermissionResolver(resources, profile, activeCompanyId);\n  }, [profile, resources, activeCompanyId]);\n\n  const value = useMemo<AuthRbacContextValue>(\n    () => ({\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    }),\n    [\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    ],\n  );\n\n  return (\n    <AuthRbacContext.Provider value={value}>\n      {props.children}\n    </AuthRbacContext.Provider>\n  );\n}\n\nexport function useAuthRbac(): AuthRbacContextValue {\n  const ctx = useContext(AuthRbacContext);\n  if (!ctx) {\n    throw new Error(\n      \"useAuthRbac must be used within an <AuthRbacProvider> — wrap your app at the root.\",\n    );\n  }\n  return ctx;\n}\n","/**\n * Transport-agnostic client: turns an adopter-supplied\n * `AuthRbacFetcher` into a permission resolver. The React provider\n * wraps this; non-React consumers (Node scripts, edge functions)\n * can use it directly.\n */\n\nimport type {\n  Action,\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  UserProfile,\n} from \"./types.js\";\n\nexport interface AuthRbacClientOptions {\n  fetcher: AuthRbacFetcher;\n  /**\n   * The host project's full resource list. Required so the resolver\n   * can look up a resource's scope without a DB round-trip per call.\n   * Re-using the same array the host syncs into the\n   * `auth_rbac_resources` table at boot keeps everything in lockstep.\n   */\n  resources: ResourceRegistry;\n}\n\nexport interface CanOptions {\n  /**\n   * Override the active company. Omit to use the company the\n   * caller has currently activated (the React provider tracks\n   * this; for direct client use you must pass it).\n   */\n  companyId?: string | null;\n}\n\n/**\n * Pure resolver. Given a hydrated profile it answers boolean\n * questions instantly — no I/O. The `resourceMap` is built once at\n * construction so per-call work is two map lookups.\n */\nexport function buildPermissionResolver(\n  resources: ResourceRegistry,\n  profile: UserProfile,\n  defaultCompanyId: string | null,\n) {\n  const scopeByResource = new Map<string, ResourceScope>(\n    resources.map((r) => [r.resource, r.scope]),\n  );\n\n  const can = (\n    resource: string,\n    action: Action,\n    options?: CanOptions,\n  ): boolean => {\n    if (profile.is_super_admin) {\n      return true;\n    }\n    const scope = scopeByResource.get(resource);\n    if (!scope) {\n      // Unknown resource — fail closed.\n      return false;\n    }\n    if (scope === \"system\") {\n      return readGrid(profile.system_permissions, resource, action);\n    }\n    const companyId = options?.companyId ?? defaultCompanyId;\n    if (!companyId) {\n      return false;\n    }\n    const membership = profile.memberships.find(\n      (m) => m.company_id === companyId,\n    );\n    if (!membership) {\n      return false;\n    }\n    return readGrid(membership.permissions, resource, action);\n  };\n\n  return {\n    can,\n    /** Permission map for the active (or specified) company. */\n    activePermissions: (companyId?: string | null): PermissionMap => {\n      const id = companyId ?? defaultCompanyId;\n      if (!id) {\n        return {};\n      }\n      return (\n        profile.memberships.find((m) => m.company_id === id)?.permissions ?? {}\n      );\n    },\n    systemPermissions: (): PermissionMap => profile.system_permissions,\n  };\n}\n\nfunction readGrid(\n  map: PermissionMap,\n  resource: string,\n  action: Action,\n): boolean {\n  const grid = map[resource];\n  if (!grid) {\n    return false;\n  }\n  return grid[action];\n}\n\n/**\n * Helper: groups a resource registry by `group` for the matrix UI.\n * Returns groups in insertion order with their resources.\n */\nexport function groupResources(\n  registry: ResourceRegistry,\n): Array<{ group: string; resources: ResourceDescriptor[] }> {\n  const order: string[] = [];\n  const buckets = new Map<string, ResourceDescriptor[]>();\n  for (const r of registry) {\n    const key = r.group ?? \"Sonstige\";\n    if (!buckets.has(key)) {\n      buckets.set(key, []);\n      order.push(key);\n    }\n    buckets.get(key)!.push(r);\n  }\n  return order.map((g) => ({ group: g, resources: buckets.get(g)! }));\n}\n\nexport type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;\nexport type { AuthRbacClientOptions as ClientOptions };\n","import type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Boolean permission check.\n *\n * @example\n *   const canEdit = useCan(\"properties\", \"update\");\n *   <Button disabled={!canEdit}>Speichern</Button>\n *\n * @example explicitly target a non-active company\n *   const canRead = useCan(\"payments\", \"read\", { companyId: targetId });\n */\nexport function useCan(\n  resource: string,\n  action: Action,\n  options?: CanOptions,\n): boolean {\n  const { resolver } = useAuthRbac();\n  return resolver.can(resource, action, options);\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useCan } from \"./useCan.js\";\n\nexport interface CanProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /** Rendered when the user has the permission. */\n  children: ReactNode;\n  /**\n   * Rendered when the user does NOT have the permission. Defaults\n   * to `null` (silent hide). Pass a `<NoPermissionView />` or a\n   * tooltip-wrapper to surface the denial explicitly.\n   */\n  fallback?: ReactNode;\n}\n\n/**\n * Subtree gate. Bails before children render so any data fetching\n * inside `children` is skipped for users without permission.\n */\nexport function Can(props: CanProps) {\n  const { resource, action, companyId, children, fallback = null } = props;\n  const allowed = useCan(resource, action, { companyId });\n  return <>{allowed ? children : fallback}</>;\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\nimport { useCan } from \"./useCan.js\";\n\nexport interface RequirePermissionProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /**\n   * What to render while the profile is still loading. Defaults to\n   * `null` (no flash) — pass a spinner if your routes typically\n   * mount before the profile lands.\n   */\n  loadingFallback?: ReactNode;\n  /**\n   * What to render when access is denied. Defaults to a minimal\n   * \"Sie haben keinen Zugriff\" message; pass your own component to\n   * theme it.\n   */\n  deniedFallback?: ReactNode;\n  /**\n   * For `react-router-dom v6` route-element usage, pass an `<Outlet />`\n   * here — the gate resolves to either the outlet or the denied\n   * fallback. For component-tree usage, pass any children.\n   */\n  children?: ReactNode;\n}\n\n/**\n * Route- or component-level guard. Three render branches:\n *\n *  - profile not yet loaded → `loadingFallback`\n *  - permission denied      → `deniedFallback`\n *  - permission granted     → `children`\n *\n * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.\n *\n * @example\n *   // App.tsx route table\n *   <Route element={\n *     <RequirePermission resource=\"payments\" action=\"read\">\n *       <Outlet />\n *     </RequirePermission>\n *   }>\n *     <Route path=\"/payments\" element={<PaymentsPage />} />\n *   </Route>\n */\nexport function RequirePermission(props: RequirePermissionProps) {\n  const {\n    resource,\n    action,\n    companyId,\n    loadingFallback = null,\n    deniedFallback = (\n      <div role=\"alert\" style={{ padding: 24 }}>\n        <strong>Sie haben keinen Zugriff.</strong>\n      </div>\n    ),\n    children = null,\n  } = props;\n\n  const { profile, loading } = useAuthRbac();\n  const allowed = useCan(resource, action, { companyId });\n\n  if (loading || profile == null) {\n    return <>{loadingFallback}</>;\n  }\n  if (!allowed) {\n    return <>{deniedFallback}</>;\n  }\n  return <>{children}</>;\n}\n","import { useMemo } from \"react\";\n\nimport type { CompanyMembership } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\nexport interface ActiveCompany {\n  id: string | null;\n  membership: CompanyMembership | null;\n  memberships: CompanyMembership[];\n  setActive: (id: string | null) => void;\n}\n\n/**\n * Read + switch the active company.\n *\n * @example\n *   const { id, memberships, setActive } = useActiveCompany();\n *\n *   return (\n *     <select value={id ?? \"\"} onChange={(e) => setActive(e.target.value || null)}>\n *       {memberships.map((m) => (\n *         <option key={m.company_id} value={m.company_id}>{m.company_name}</option>\n *       ))}\n *     </select>\n *   );\n */\nexport function useActiveCompany(): ActiveCompany {\n  const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();\n\n  return useMemo(() => {\n    const memberships = profile?.memberships ?? [];\n    const membership =\n      memberships.find((m) => m.company_id === activeCompanyId) ?? null;\n    return {\n      id: activeCompanyId,\n      membership,\n      memberships,\n      setActive: setActiveCompany,\n    };\n  }, [profile, activeCompanyId, setActiveCompany]);\n}\n","import { useMemo } from \"react\";\n\nimport type { FrontendConfig } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Reads the merged `frontend_config` for the user. Sources in\n * priority order: active company's membership > system roles. Use\n * this to drive sidebar items, dashboard defaults, and any other\n * \"what should this role see\" UX without hardcoded role checks.\n *\n * The shape is intentionally `Record<string, unknown>` — your host\n * project owns the schema. Document your keys (e.g. `sidebar`,\n * `default_dashboard`) once and stick to them.\n */\nexport function useFrontendConfig(): FrontendConfig {\n  const { profile, activeCompanyId } = useAuthRbac();\n  return useMemo(() => {\n    if (!profile) {\n      return {};\n    }\n    const membershipConfig =\n      profile.memberships.find((m) => m.company_id === activeCompanyId)\n        ?.frontend_config ?? {};\n    return { ...profile.system_frontend_config, ...membershipConfig };\n  }, [profile, activeCompanyId]);\n}\n","/**\n * Built-in fetchers — adopters can use these or pass their own\n * implementation of `AuthRbacFetcher`.\n */\n\nimport type { AuthRbacFetcher, UserProfile } from \"./types.js\";\n\n/**\n * Calls the package's SQL function `auth_rbac_user_profile(uuid)` via\n * a Supabase JS client. Easiest path when the host project already\n * uses Supabase.\n *\n * @example\n * createSupabaseFetcher({ supabase, userId: session.user.id })\n */\nexport function createSupabaseFetcher(opts: {\n  supabase: {\n    rpc: (\n      fn: string,\n      args: Record<string, unknown>,\n    ) => Promise<{ data: unknown; error: { message: string } | null }>;\n  };\n  userId: string;\n}): AuthRbacFetcher {\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const { data, error } = await opts.supabase.rpc(\n        \"auth_rbac_user_profile\",\n        { p_user_id: opts.userId },\n      );\n      if (error) {\n        throw new Error(\n          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`,\n        );\n      }\n      return normalizeProfile(data);\n    },\n  };\n}\n\n/**\n * Calls a regular HTTP endpoint that returns a `UserProfile` JSON\n * payload. Use this when the host project has its own backend that\n * wraps the package's Python helpers (or any equivalent).\n *\n * @example\n * createHttpFetcher({ url: \"/api/users/me/profile\" })\n */\nexport function createHttpFetcher(opts: {\n  url: string;\n  /** Forwarded as-is to `fetch`. Use this to attach auth headers. */\n  init?: RequestInit;\n  /** Override the global `fetch` if you're in a non-browser env. */\n  fetch?: typeof fetch;\n}): AuthRbacFetcher {\n  const fetchImpl = opts.fetch ?? globalThis.fetch;\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const res = await fetchImpl(opts.url, opts.init);\n      if (!res.ok) {\n        throw new Error(\n          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`,\n        );\n      }\n      const json = (await res.json()) as unknown;\n      return normalizeProfile(json);\n    },\n  };\n}\n\n/**\n * Defensive normalisation: the Supabase RPC returns whatever the SQL\n * function emitted. We coerce missing fields into the empty defaults\n * so consumers can iterate without null checks. Throws if the shape\n * is unrecognisable.\n */\nfunction normalizeProfile(raw: unknown): UserProfile {\n  if (!raw || typeof raw !== \"object\") {\n    throw new Error(\"auth-rbac: profile payload is not an object\");\n  }\n  const p = raw as Partial<UserProfile> & Record<string, unknown>;\n  if (typeof p.user_id !== \"string\") {\n    throw new Error(\"auth-rbac: profile payload missing user_id\");\n  }\n  return {\n    user_id: p.user_id,\n    is_super_admin: !!p.is_super_admin,\n    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],\n    system_permissions:\n      p.system_permissions && typeof p.system_permissions === \"object\"\n        ? (p.system_permissions as UserProfile[\"system_permissions\"])\n        : {},\n    system_frontend_config:\n      p.system_frontend_config && typeof p.system_frontend_config === \"object\"\n        ? (p.system_frontend_config as UserProfile[\"system_frontend_config\"])\n        : {},\n    memberships: Array.isArray(p.memberships)\n      ? (p.memberships as UserProfile[\"memberships\"])\n      : [],\n  };\n}\n","/**\n * Typed factory — turns a const-asserted resource registry into a\n * set of hooks/components whose `resource` arg is constrained to\n * the registered names. Typos become TypeScript errors instead of\n * silent runtime `false`.\n *\n * @example\n *   // src/auth/resources.ts\n *   import { defineAuthRbac } from \"snipe-auth-rbac/react\";\n *\n *   export const RESOURCES = [\n *     { resource: \"properties\", scope: \"company\", label: \"Liegenschaften\", group: \"Stammdaten\" },\n *     { resource: \"payments\",   scope: \"company\", label: \"Zahlungen\",     group: \"Finanzen\" },\n *     { resource: \"system_audit\", scope: \"system\",  label: \"Audit-Log\",    group: \"Plattform\" },\n *   ] as const;\n *\n *   export const { useCan, Can, RequirePermission } = defineAuthRbac(RESOURCES);\n *\n *   // ----- elsewhere -----\n *   useCan(\"properties\", \"update\");       // ✓\n *   useCan(\"paymetns\", \"update\");          // ✗ TS error: not assignable to type \"properties\" | \"payments\" | \"system_audit\"\n */\n\nimport type { ComponentType, ReactNode } from \"react\";\n\nimport type {\n  Action,\n  ResourceDescriptor,\n  ResourceRegistry,\n} from \"./types.js\";\n\n/**\n * Drop-in replacement signatures for the three guards, with a\n * narrowed `resource` arg.\n */\nexport interface TypedGuards<R extends string> {\n  useCan: (\n    resource: R,\n    action: Action,\n    options?: { companyId?: string | null },\n  ) => boolean;\n  Can: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    children: ReactNode;\n    fallback?: ReactNode;\n  }>;\n  RequirePermission: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    loadingFallback?: ReactNode;\n    deniedFallback?: ReactNode;\n    children?: ReactNode;\n  }>;\n  /** The const-asserted registry, re-exported so call-sites can iterate. */\n  resources: ResourceRegistry;\n  /** All registered resource names as a union — handy for typing\n   *  application-side data structures. */\n  resourceNames: ReadonlyArray<R>;\n}\n\n/**\n * Factory. Run once at module-init time in your host project; the\n * returned hooks/components are referentially stable.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(\n  resources: Reg,\n  // The runtime guards live in the React entry; we accept them\n  // here as plain refs so this module stays React-free at the type\n  // level. The `react` entry calls this factory passing its own\n  // exports so adopters never see the wiring.\n  runtime: {\n    useCan: TypedGuards<string>[\"useCan\"];\n    Can: TypedGuards<string>[\"Can\"];\n    RequirePermission: TypedGuards<string>[\"RequirePermission\"];\n  },\n): TypedGuards<Reg[number][\"resource\"]> {\n  type R = Reg[number][\"resource\"];\n  return {\n    useCan: runtime.useCan as TypedGuards<R>[\"useCan\"],\n    Can: runtime.Can as TypedGuards<R>[\"Can\"],\n    RequirePermission: runtime.RequirePermission as TypedGuards<R>[\"RequirePermission\"],\n    resources,\n    resourceNames: resources.map((r) => r.resource) as ReadonlyArray<R>,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAAA;AAAA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,mBAQO;;;ACkCA,SAAS,wBACd,WACA,SACA,kBACA;AACA,QAAM,kBAAkB,IAAI;AAAA,IAC1B,UAAU,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC;AAAA,EAC5C;AAEA,QAAM,MAAM,CACV,UACA,QACA,YACY;AACZ,QAAI,QAAQ,gBAAgB;AAC1B,aAAO;AAAA,IACT;AACA,UAAM,QAAQ,gBAAgB,IAAI,QAAQ;AAC1C,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AACA,QAAI,UAAU,UAAU;AACtB,aAAO,SAAS,QAAQ,oBAAoB,UAAU,MAAM;AAAA,IAC9D;AACA,UAAM,YAAY,SAAS,aAAa;AACxC,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,IACT;AACA,UAAM,aAAa,QAAQ,YAAY;AAAA,MACrC,CAAC,MAAM,EAAE,eAAe;AAAA,IAC1B;AACA,QAAI,CAAC,YAAY;AACf,aAAO;AAAA,IACT;AACA,WAAO,SAAS,WAAW,aAAa,UAAU,MAAM;AAAA,EAC1D;AAEA,SAAO;AAAA,IACL;AAAA;AAAA,IAEA,mBAAmB,CAAC,cAA6C;AAC/D,YAAM,KAAK,aAAa;AACxB,UAAI,CAAC,IAAI;AACP,eAAO,CAAC;AAAA,MACV;AACA,aACE,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,eAAe,CAAC;AAAA,IAE1E;AAAA,IACA,mBAAmB,MAAqB,QAAQ;AAAA,EAClD;AACF;AAEA,SAAS,SACP,KACA,UACA,QACS;AACT,QAAM,OAAO,IAAI,QAAQ;AACzB,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,EACT;AACA,SAAO,KAAK,MAAM;AACpB;;;AD0EI;AAhJJ,IAAM,sBAAkB,4BAA2C,IAAI;AAuBvE,IAAM,cAAc;AAEpB,IAAM,iBAAiB,CAAC,OAAsB;AAC5C,MAAI,OAAO,WAAW,aAAa;AACjC;AAAA,EACF;AACA,MAAI;AACF,QAAI,MAAM,MAAM;AACd,aAAO,aAAa,WAAW,WAAW;AAAA,IAC5C,OAAO;AACL,aAAO,aAAa,QAAQ,aAAa,EAAE;AAAA,IAC7C;AAAA,EACF,QAAQ;AAAA,EAGR;AACF;AAEA,IAAM,gBAAgB,MAAqB;AACzC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,aAAa,QAAQ,WAAW;AAAA,EAChD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAiB,OAA8B;AAC7D,QAAM,EAAE,SAAS,WAAW,kBAAkB,qBAAqB,IAAI;AAEvE,QAAM,CAAC,SAAS,UAAU,QAAI,uBAA6B,IAAI;AAC/D,QAAM,CAAC,SAAS,UAAU,QAAI,uBAAS,IAAI;AAC3C,QAAM,CAAC,OAAO,QAAQ,QAAI,uBAAuB,IAAI;AAErD,QAAM,CAAC,iBAAiB,qBAAqB,QAAI;AAAA,IAC/C,oBAAoB,cAAc;AAAA,EACpC;AAEA,QAAM,cAAU,sBAAQ,MAAM;AAC5B,QAAI,yBAAyB,OAAO;AAClC,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AACA,WAAO,wBAAwB;AAAA,EACjC,GAAG,CAAC,oBAAoB,CAAC;AAEzB,QAAM,uBAAmB;AAAA,IACvB,CAAC,OAAsB;AACrB,4BAAsB,EAAE;AACxB,cAAQ,EAAE;AAAA,IACZ;AAAA,IACA,CAAC,OAAO;AAAA,EACV;AAEA,QAAM,cAAU,0BAAY,YAAY;AACtC,eAAW,IAAI;AACf,aAAS,IAAI;AACb,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,iBAAW,IAAI;AAGf,YAAM,cACJ,mBAAmB,QACnB,KAAK,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe;AAC/D,UAAI,CAAC,aAAa;AAChB,cAAM,WACJ,KAAK,YAAY,CAAC,GAAG,cAAc;AACrC,8BAAsB,QAAQ;AAC9B,gBAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,GAAG;AACV,eAAS,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,CAAC,CAAC,CAAC;AAAA,IACxD,UAAE;AACA,iBAAW,KAAK;AAAA,IAClB;AAAA,EAEF,GAAG,CAAC,OAAO,CAAC;AAEZ,8BAAU,MAAM;AACd,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,QAAM,eAAW,sBAAwB,MAAM;AAC7C,QAAI,WAAW,MAAM;AAGnB,aAAO;AAAA,QACL,KAAK,MAAM;AAAA,QACX,mBAAmB,OAAO,CAAC;AAAA,QAC3B,mBAAmB,OAAO,CAAC;AAAA,MAC7B;AAAA,IACF;AACA,WAAO,wBAAwB,WAAW,SAAS,eAAe;AAAA,EACpE,GAAG,CAAC,SAAS,WAAW,eAAe,CAAC;AAExC,QAAM,YAAQ;AAAA,IACZ,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SACE,4CAAC,gBAAgB,UAAhB,EAAyB,OACvB,gBAAM,UACT;AAEJ;AAEO,SAAS,cAAoC;AAClD,QAAM,UAAM,yBAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;AEnLO,SAAS,OACd,UACA,QACA,SACS;AACT,QAAM,EAAE,SAAS,IAAI,YAAY;AACjC,SAAO,SAAS,IAAI,UAAU,QAAQ,OAAO;AAC/C;;;ACKS,IAAAC,sBAAA;AAHF,SAAS,IAAI,OAAiB;AACnC,QAAM,EAAE,UAAU,QAAQ,WAAW,UAAU,WAAW,KAAK,IAAI;AACnE,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AACtD,SAAO,6EAAG,oBAAU,WAAW,UAAS;AAC1C;;;AC8BQ,IAAAC,sBAAA;AARD,SAAS,kBAAkB,OAA+B;AAC/D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,IAClB,iBACE,6CAAC,SAAI,MAAK,SAAQ,OAAO,EAAE,SAAS,GAAG,GACrC,uDAAC,YAAO,uCAAyB,GACnC;AAAA,IAEF,WAAW;AAAA,EACb,IAAI;AAEJ,QAAM,EAAE,SAAS,QAAQ,IAAI,YAAY;AACzC,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AAEtD,MAAI,WAAW,WAAW,MAAM;AAC9B,WAAO,6EAAG,2BAAgB;AAAA,EAC5B;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,6EAAG,0BAAe;AAAA,EAC3B;AACA,SAAO,6EAAG,UAAS;AACrB;;;AC1EA,IAAAC,gBAAwB;AA2BjB,SAAS,mBAAkC;AAChD,QAAM,EAAE,SAAS,iBAAiB,iBAAiB,IAAI,YAAY;AAEnE,aAAO,uBAAQ,MAAM;AACnB,UAAM,cAAc,SAAS,eAAe,CAAC;AAC7C,UAAM,aACJ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,KAAK;AAC/D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,MACA,WAAW;AAAA,IACb;AAAA,EACF,GAAG,CAAC,SAAS,iBAAiB,gBAAgB,CAAC;AACjD;;;ACzCA,IAAAC,gBAAwB;AAgBjB,SAAS,oBAAoC;AAClD,QAAM,EAAE,SAAS,gBAAgB,IAAI,YAAY;AACjD,aAAO,uBAAQ,MAAM;AACnB,QAAI,CAAC,SAAS;AACZ,aAAO,CAAC;AAAA,IACV;AACA,UAAM,mBACJ,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,GAC5D,mBAAmB,CAAC;AAC1B,WAAO,EAAE,GAAG,QAAQ,wBAAwB,GAAG,iBAAiB;AAAA,EAClE,GAAG,CAAC,SAAS,eAAe,CAAC;AAC/B;;;ACZO,SAAS,sBAAsB,MAQlB;AAClB,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAAS;AAAA,QAC1C;AAAA,QACA,EAAE,WAAW,KAAK,OAAO;AAAA,MAC3B;AACA,UAAI,OAAO;AACT,cAAM,IAAI;AAAA,UACR,4DAA4D,MAAM,OAAO;AAAA,QAC3E;AAAA,MACF;AACA,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAUO,SAAS,kBAAkB,MAMd;AAClB,QAAM,YAAY,KAAK,SAAS,WAAW;AAC3C,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,MAAM,MAAM,UAAU,KAAK,KAAK,KAAK,IAAI;AAC/C,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI;AAAA,UACR,+BAA+B,KAAK,GAAG,aAAa,IAAI,MAAM;AAAA,QAChE;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAQA,SAAS,iBAAiB,KAA2B;AACnD,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,SAAO;AAAA,IACL,SAAS,EAAE;AAAA,IACX,gBAAgB,CAAC,CAAC,EAAE;AAAA,IACpB,cAAc,MAAM,QAAQ,EAAE,YAAY,IAAI,EAAE,eAAe,CAAC;AAAA,IAChE,oBACE,EAAE,sBAAsB,OAAO,EAAE,uBAAuB,WACnD,EAAE,qBACH,CAAC;AAAA,IACP,wBACE,EAAE,0BAA0B,OAAO,EAAE,2BAA2B,WAC3D,EAAE,yBACH,CAAC;AAAA,IACP,aAAa,MAAM,QAAQ,EAAE,WAAW,IACnC,EAAE,cACH,CAAC;AAAA,EACP;AACF;;;ACjCO,SAAS,eAGd,WAKA,SAKsC;AAEtC,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb,mBAAmB,QAAQ;AAAA,IAC3B;AAAA,IACA,eAAe,UAAU,IAAI,CAAC,MAAM,EAAE,QAAQ;AAAA,EAChD;AACF;;;AT9BO,SAASC,gBAEd,WAAsD;AACtD,SAAO,eAAgB,WAAW;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;","names":["defineAuthRbac","import_jsx_runtime","import_jsx_runtime","import_react","import_react","defineAuthRbac"]}

package/dist/react/index.d.cts

@@ -0,0 +1,221 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { ReactNode, ComponentType } from 'react';
+import { AuthRbacClient, CanOptions } from '../index.cjs';
+export { createHttpFetcher, createSupabaseFetcher } from '../index.cjs';
+import { b as AuthRbacFetcher, c as ResourceRegistry, U as UserProfile, A as Action, C as CompanyMembership, F as FrontendConfig, a as ResourceDescriptor } from '../types-BEc5SCIo.cjs';
+export { P as PermissionGrid, d as PermissionMap, R as ResourceScope, e as RoleSummary } from '../types-BEc5SCIo.cjs';
+
+interface AuthRbacContextValue {
+    /**
+     * `null` means we haven't hydrated yet. Components should treat
+     * the not-loaded state as "no permissions" (fail-closed).
+     */
+    profile: UserProfile | null;
+    loading: boolean;
+    error: Error | null;
+    resources: ResourceRegistry;
+    activeCompanyId: string | null;
+    setActiveCompany: (id: string | null) => void;
+    refresh: () => Promise<void>;
+    resolver: AuthRbacClient;
+}
+interface AuthRbacProviderProps {
+    fetcher: AuthRbacFetcher;
+    resources: ResourceRegistry;
+    /**
+     * Initial active company. Common patterns:
+     *  - read from URL query/path
+     *  - read from localStorage
+     *  - omit and let the user pick from the switcher
+     */
+    initialCompanyId?: string | null;
+    /**
+     * Persistence hook. Called every time the active company changes.
+     * Default: writes to `localStorage` under
+     * `auth-rbac:active-company`. Pass `false` to disable.
+     */
+    persistActiveCompany?: ((id: string | null) => void) | false;
+    children: ReactNode;
+}
+declare function AuthRbacProvider(props: AuthRbacProviderProps): react_jsx_runtime.JSX.Element;
+declare function useAuthRbac(): AuthRbacContextValue;
+
+/**
+ * Boolean permission check.
+ *
+ * @example
+ *   const canEdit = useCan("properties", "update");
+ *   <Button disabled={!canEdit}>Speichern</Button>
+ *
+ * @example explicitly target a non-active company
+ *   const canRead = useCan("payments", "read", { companyId: targetId });
+ */
+declare function useCan(resource: string, action: Action, options?: CanOptions): boolean;
+
+interface CanProps extends CanOptions {
+    resource: string;
+    action: Action;
+    /** Rendered when the user has the permission. */
+    children: ReactNode;
+    /**
+     * Rendered when the user does NOT have the permission. Defaults
+     * to `null` (silent hide). Pass a `<NoPermissionView />` or a
+     * tooltip-wrapper to surface the denial explicitly.
+     */
+    fallback?: ReactNode;
+}
+/**
+ * Subtree gate. Bails before children render so any data fetching
+ * inside `children` is skipped for users without permission.
+ */
+declare function Can(props: CanProps): react_jsx_runtime.JSX.Element;
+
+interface RequirePermissionProps extends CanOptions {
+    resource: string;
+    action: Action;
+    /**
+     * What to render while the profile is still loading. Defaults to
+     * `null` (no flash) — pass a spinner if your routes typically
+     * mount before the profile lands.
+     */
+    loadingFallback?: ReactNode;
+    /**
+     * What to render when access is denied. Defaults to a minimal
+     * "Sie haben keinen Zugriff" message; pass your own component to
+     * theme it.
+     */
+    deniedFallback?: ReactNode;
+    /**
+     * For `react-router-dom v6` route-element usage, pass an `<Outlet />`
+     * here — the gate resolves to either the outlet or the denied
+     * fallback. For component-tree usage, pass any children.
+     */
+    children?: ReactNode;
+}
+/**
+ * Route- or component-level guard. Three render branches:
+ *
+ *  - profile not yet loaded → `loadingFallback`
+ *  - permission denied      → `deniedFallback`
+ *  - permission granted     → `children`
+ *
+ * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.
+ *
+ * @example
+ *   // App.tsx route table
+ *   <Route element={
+ *     <RequirePermission resource="payments" action="read">
+ *       <Outlet />
+ *     </RequirePermission>
+ *   }>
+ *     <Route path="/payments" element={<PaymentsPage />} />
+ *   </Route>
+ */
+declare function RequirePermission(props: RequirePermissionProps): react_jsx_runtime.JSX.Element;
+
+interface ActiveCompany {
+    id: string | null;
+    membership: CompanyMembership | null;
+    memberships: CompanyMembership[];
+    setActive: (id: string | null) => void;
+}
+/**
+ * Read + switch the active company.
+ *
+ * @example
+ *   const { id, memberships, setActive } = useActiveCompany();
+ *
+ *   return (
+ *     <select value={id ?? ""} onChange={(e) => setActive(e.target.value || null)}>
+ *       {memberships.map((m) => (
+ *         <option key={m.company_id} value={m.company_id}>{m.company_name}</option>
+ *       ))}
+ *     </select>
+ *   );
+ */
+declare function useActiveCompany(): ActiveCompany;
+
+/**
+ * Reads the merged `frontend_config` for the user. Sources in
+ * priority order: active company's membership > system roles. Use
+ * this to drive sidebar items, dashboard defaults, and any other
+ * "what should this role see" UX without hardcoded role checks.
+ *
+ * The shape is intentionally `Record<string, unknown>` — your host
+ * project owns the schema. Document your keys (e.g. `sidebar`,
+ * `default_dashboard`) once and stick to them.
+ */
+declare function useFrontendConfig(): FrontendConfig;
+
+/**
+ * Typed factory — turns a const-asserted resource registry into a
+ * set of hooks/components whose `resource` arg is constrained to
+ * the registered names. Typos become TypeScript errors instead of
+ * silent runtime `false`.
+ *
+ * @example
+ *   // src/auth/resources.ts
+ *   import { defineAuthRbac } from "snipe-auth-rbac/react";
+ *
+ *   export const RESOURCES = [
+ *     { resource: "properties", scope: "company", label: "Liegenschaften", group: "Stammdaten" },
+ *     { resource: "payments",   scope: "company", label: "Zahlungen",     group: "Finanzen" },
+ *     { resource: "system_audit", scope: "system",  label: "Audit-Log",    group: "Plattform" },
+ *   ] as const;
+ *
+ *   export const { useCan, Can, RequirePermission } = defineAuthRbac(RESOURCES);
+ *
+ *   // ----- elsewhere -----
+ *   useCan("properties", "update");       // ✓
+ *   useCan("paymetns", "update");          // ✗ TS error: not assignable to type "properties" | "payments" | "system_audit"
+ */
+
+/**
+ * Drop-in replacement signatures for the three guards, with a
+ * narrowed `resource` arg.
+ */
+interface TypedGuards<R extends string> {
+    useCan: (resource: R, action: Action, options?: {
+        companyId?: string | null;
+    }) => boolean;
+    Can: ComponentType<{
+        resource: R;
+        action: Action;
+        companyId?: string | null;
+        children: ReactNode;
+        fallback?: ReactNode;
+    }>;
+    RequirePermission: ComponentType<{
+        resource: R;
+        action: Action;
+        companyId?: string | null;
+        loadingFallback?: ReactNode;
+        deniedFallback?: ReactNode;
+        children?: ReactNode;
+    }>;
+    /** The const-asserted registry, re-exported so call-sites can iterate. */
+    resources: ResourceRegistry;
+    /** All registered resource names as a union — handy for typing
+     *  application-side data structures. */
+    resourceNames: ReadonlyArray<R>;
+}
+
+/**
+ * React + Next.js entry. Import this in browser code:
+ *
+ *   import { AuthRbacProvider, useCan } from "snipe-auth-rbac/react";
+ *
+ * The non-React entry (`snipe-auth-rbac`) re-exports types and the
+ * pure resolver, suitable for Node, edge workers, and tests.
+ */
+
+/**
+ * Typed factory — pass a const-asserted resource registry and get
+ * back guards whose `resource` arg is constrained to the registered
+ * names. Recommended at the top of every host project.
+ *
+ * See ../define.ts for the full doc + example.
+ */
+declare function defineAuthRbac<const Reg extends ReadonlyArray<ResourceDescriptor>>(resources: Reg): TypedGuards<Reg[number]["resource"]>;
+
+export { Action, type ActiveCompany, AuthRbacFetcher, AuthRbacProvider, type AuthRbacProviderProps, Can, type CanProps, CompanyMembership, FrontendConfig, RequirePermission, type RequirePermissionProps, ResourceDescriptor, ResourceRegistry, type TypedGuards, UserProfile, defineAuthRbac, useActiveCompany, useAuthRbac, useCan, useFrontendConfig };