snipe-auth-rbac 0.3.0 → 0.4.0

package/dist/react/index.js

@@ -1,11 +1,13 @@
 import {
+  RbacRegistryError,
   createHttpFetcher,
   createSupabaseFetcher,
+  defineAuthRbac,
   detectRbacSchema
-} from "../chunk-NRDW233A.js";
+} from "../chunk-5UAIIOKT.js";
 import {
   buildPermissionResolver
-} from "../chunk-C76JHCKM.js";
+} from "../chunk-XHPBUCFN.js";
 
 // src/react/AuthRbacProvider.tsx
 import {
@@ -89,6 +91,7 @@ function AuthRbacProvider(props) {
     if (profile == null) {
       return {
         can: () => false,
+        canAccessSection: () => false,
         activePermissions: () => ({}),
         systemPermissions: () => ({})
       };
@@ -135,6 +138,12 @@ function useCan(resource, action, options) {
   return resolver.can(resource, action, options);
 }
 
+// src/react/useCanAccessSection.ts
+function useCanAccessSection(resource, action = "read", options) {
+  const { resolver } = useAuthRbac();
+  return resolver.canAccessSection(resource, action, options);
+}
+
 // src/react/Can.tsx
 import { Fragment, jsx as jsx2 } from "react/jsx-runtime";
 function Can(props) {
@@ -194,21 +203,11 @@ function useFrontendConfig() {
   }, [profile, activeCompanyId]);
 }
 
-// src/define.ts
-function defineAuthRbac(resources, runtime) {
-  return {
-    useCan: runtime.useCan,
-    Can: runtime.Can,
-    RequirePermission: runtime.RequirePermission,
-    resources,
-    resourceNames: resources.map((r) => r.resource)
-  };
-}
-
 // src/react/index.ts
 function defineAuthRbac2(resources) {
   return defineAuthRbac(resources, {
     useCan,
+    useCanAccessSection,
     Can,
     RequirePermission
   });
@@ -216,6 +215,7 @@ function defineAuthRbac2(resources) {
 export {
   AuthRbacProvider,
   Can,
+  RbacRegistryError,
   RequirePermission,
   createHttpFetcher,
   createSupabaseFetcher,
@@ -224,6 +224,7 @@ export {
   useActiveCompany,
   useAuthRbac,
   useCan,
+  useCanAccessSection,
   useFrontendConfig
 };
 //# sourceMappingURL=index.js.map

package/dist/react/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/react/AuthRbacProvider.tsx","../../src/react/useCan.ts","../../src/react/Can.tsx","../../src/react/RequirePermission.tsx","../../src/react/useActiveCompany.ts","../../src/react/useFrontendConfig.ts","../../src/define.ts","../../src/react/index.ts"],"sourcesContent":["import {\n  createContext,\n  useCallback,\n  useContext,\n  useEffect,\n  useMemo,\n  useState,\n  type ReactNode,\n} from \"react\";\n\nimport {\n  buildPermissionResolver,\n  type AuthRbacClient,\n} from \"../client.js\";\nimport type {\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceRegistry,\n  UserProfile,\n} from \"../types.js\";\n\ninterface AuthRbacContextValue {\n  /**\n   * `null` means we haven't hydrated yet. Components should treat\n   * the not-loaded state as \"no permissions\" (fail-closed).\n   */\n  profile: UserProfile | null;\n  loading: boolean;\n  error: Error | null;\n  resources: ResourceRegistry;\n  activeCompanyId: string | null;\n  setActiveCompany: (id: string | null) => void;\n  refresh: () => Promise<void>;\n  resolver: AuthRbacClient;\n}\n\nconst AuthRbacContext = createContext<AuthRbacContextValue | null>(null);\n\nexport interface AuthRbacProviderProps {\n  fetcher: AuthRbacFetcher;\n  resources: ResourceRegistry;\n  /**\n   * Initial active company. Common patterns:\n   *  - read from URL query/path\n   *  - read from localStorage\n   *  - omit and let the user pick from the switcher\n   */\n  initialCompanyId?: string | null;\n  /**\n   * Persistence hook. Called every time the active company changes.\n   * Default: writes to `localStorage` under\n   * `auth-rbac:active-company`. Pass `false` to disable.\n   */\n  persistActiveCompany?:\n    | ((id: string | null) => void)\n    | false;\n  children: ReactNode;\n}\n\nconst STORAGE_KEY = \"auth-rbac:active-company\";\n\nconst defaultPersist = (id: string | null) => {\n  if (typeof window === \"undefined\") {\n    return;\n  }\n  try {\n    if (id == null) {\n      window.localStorage.removeItem(STORAGE_KEY);\n    } else {\n      window.localStorage.setItem(STORAGE_KEY, id);\n    }\n  } catch {\n    // localStorage may be unavailable (private browsing, SSR) —\n    // fall back to in-memory only.\n  }\n};\n\nconst readPersisted = (): string | null => {\n  if (typeof window === \"undefined\") {\n    return null;\n  }\n  try {\n    return window.localStorage.getItem(STORAGE_KEY);\n  } catch {\n    return null;\n  }\n};\n\nexport function AuthRbacProvider(props: AuthRbacProviderProps) {\n  const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;\n\n  const [profile, setProfile] = useState<UserProfile | null>(null);\n  const [loading, setLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const [activeCompanyId, setActiveCompanyState] = useState<string | null>(\n    initialCompanyId ?? readPersisted(),\n  );\n\n  const persist = useMemo(() => {\n    if (persistActiveCompany === false) {\n      return () => {};\n    }\n    return persistActiveCompany ?? defaultPersist;\n  }, [persistActiveCompany]);\n\n  const setActiveCompany = useCallback(\n    (id: string | null) => {\n      setActiveCompanyState(id);\n      persist(id);\n    },\n    [persist],\n  );\n\n  const refresh = useCallback(async () => {\n    setLoading(true);\n    setError(null);\n    try {\n      const next = await fetcher.fetchProfile();\n      setProfile(next);\n      // If the persisted company isn't a membership, fall back to\n      // the first one (or null for users with no memberships).\n      const stillMember =\n        activeCompanyId != null &&\n        next.memberships.some((m) => m.company_id === activeCompanyId);\n      if (!stillMember) {\n        const fallback =\n          next.memberships[0]?.company_id ?? null;\n        setActiveCompanyState(fallback);\n        persist(fallback);\n      }\n    } catch (e) {\n      setError(e instanceof Error ? e : new Error(String(e)));\n    } finally {\n      setLoading(false);\n    }\n    // eslint-disable-next-line react-hooks/exhaustive-deps\n  }, [fetcher]);\n\n  useEffect(() => {\n    void refresh();\n  }, [refresh]);\n\n  const resolver = useMemo<AuthRbacClient>(() => {\n    if (profile == null) {\n      // Empty resolver until the profile lands. Always returns\n      // false → guards fall through to the unauthenticated branch.\n      return {\n        can: () => false,\n        activePermissions: () => ({}) as PermissionMap,\n        systemPermissions: () => ({}) as PermissionMap,\n      };\n    }\n    return buildPermissionResolver(resources, profile, activeCompanyId);\n  }, [profile, resources, activeCompanyId]);\n\n  const value = useMemo<AuthRbacContextValue>(\n    () => ({\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    }),\n    [\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    ],\n  );\n\n  return (\n    <AuthRbacContext.Provider value={value}>\n      {props.children}\n    </AuthRbacContext.Provider>\n  );\n}\n\nexport function useAuthRbac(): AuthRbacContextValue {\n  const ctx = useContext(AuthRbacContext);\n  if (!ctx) {\n    throw new Error(\n      \"useAuthRbac must be used within an <AuthRbacProvider> — wrap your app at the root.\",\n    );\n  }\n  return ctx;\n}\n","import type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Boolean permission check.\n *\n * @example\n *   const canEdit = useCan(\"properties\", \"update\");\n *   <Button disabled={!canEdit}>Speichern</Button>\n *\n * @example explicitly target a non-active company\n *   const canRead = useCan(\"payments\", \"read\", { companyId: targetId });\n */\nexport function useCan(\n  resource: string,\n  action: Action,\n  options?: CanOptions,\n): boolean {\n  const { resolver } = useAuthRbac();\n  return resolver.can(resource, action, options);\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useCan } from \"./useCan.js\";\n\nexport interface CanProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /** Rendered when the user has the permission. */\n  children: ReactNode;\n  /**\n   * Rendered when the user does NOT have the permission. Defaults\n   * to `null` (silent hide). Pass a `<NoPermissionView />` or a\n   * tooltip-wrapper to surface the denial explicitly.\n   */\n  fallback?: ReactNode;\n}\n\n/**\n * Subtree gate. Bails before children render so any data fetching\n * inside `children` is skipped for users without permission.\n */\nexport function Can(props: CanProps) {\n  const { resource, action, companyId, children, fallback = null } = props;\n  const allowed = useCan(resource, action, { companyId });\n  return <>{allowed ? children : fallback}</>;\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\nimport { useCan } from \"./useCan.js\";\n\nexport interface RequirePermissionProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /**\n   * What to render while the profile is still loading. Defaults to\n   * `null` (no flash) — pass a spinner if your routes typically\n   * mount before the profile lands.\n   */\n  loadingFallback?: ReactNode;\n  /**\n   * What to render when access is denied. Defaults to a minimal\n   * \"Sie haben keinen Zugriff\" message; pass your own component to\n   * theme it.\n   */\n  deniedFallback?: ReactNode;\n  /**\n   * For `react-router-dom v6` route-element usage, pass an `<Outlet />`\n   * here — the gate resolves to either the outlet or the denied\n   * fallback. For component-tree usage, pass any children.\n   */\n  children?: ReactNode;\n}\n\n/**\n * Route- or component-level guard. Three render branches:\n *\n *  - profile not yet loaded → `loadingFallback`\n *  - permission denied      → `deniedFallback`\n *  - permission granted     → `children`\n *\n * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.\n *\n * @example\n *   // App.tsx route table\n *   <Route element={\n *     <RequirePermission resource=\"payments\" action=\"read\">\n *       <Outlet />\n *     </RequirePermission>\n *   }>\n *     <Route path=\"/payments\" element={<PaymentsPage />} />\n *   </Route>\n */\nexport function RequirePermission(props: RequirePermissionProps) {\n  const {\n    resource,\n    action,\n    companyId,\n    loadingFallback = null,\n    deniedFallback = (\n      <div role=\"alert\" style={{ padding: 24 }}>\n        <strong>Sie haben keinen Zugriff.</strong>\n      </div>\n    ),\n    children = null,\n  } = props;\n\n  const { profile, loading } = useAuthRbac();\n  const allowed = useCan(resource, action, { companyId });\n\n  if (loading || profile == null) {\n    return <>{loadingFallback}</>;\n  }\n  if (!allowed) {\n    return <>{deniedFallback}</>;\n  }\n  return <>{children}</>;\n}\n","import { useMemo } from \"react\";\n\nimport type { CompanyMembership } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\nexport interface ActiveCompany {\n  id: string | null;\n  membership: CompanyMembership | null;\n  memberships: CompanyMembership[];\n  setActive: (id: string | null) => void;\n}\n\n/**\n * Read + switch the active company.\n *\n * @example\n *   const { id, memberships, setActive } = useActiveCompany();\n *\n *   return (\n *     <select value={id ?? \"\"} onChange={(e) => setActive(e.target.value || null)}>\n *       {memberships.map((m) => (\n *         <option key={m.company_id} value={m.company_id}>{m.company_name}</option>\n *       ))}\n *     </select>\n *   );\n */\nexport function useActiveCompany(): ActiveCompany {\n  const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();\n\n  return useMemo(() => {\n    const memberships = profile?.memberships ?? [];\n    const membership =\n      memberships.find((m) => m.company_id === activeCompanyId) ?? null;\n    return {\n      id: activeCompanyId,\n      membership,\n      memberships,\n      setActive: setActiveCompany,\n    };\n  }, [profile, activeCompanyId, setActiveCompany]);\n}\n","import { useMemo } from \"react\";\n\nimport type { FrontendConfig } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Reads the merged `frontend_config` for the user. Sources in\n * priority order: active company's membership > system roles. Use\n * this to drive sidebar items, dashboard defaults, and any other\n * \"what should this role see\" UX without hardcoded role checks.\n *\n * The shape is intentionally `Record<string, unknown>` — your host\n * project owns the schema. Document your keys (e.g. `sidebar`,\n * `default_dashboard`) once and stick to them.\n */\nexport function useFrontendConfig(): FrontendConfig {\n  const { profile, activeCompanyId } = useAuthRbac();\n  return useMemo(() => {\n    if (!profile) {\n      return {};\n    }\n    const membershipConfig =\n      profile.memberships.find((m) => m.company_id === activeCompanyId)\n        ?.frontend_config ?? {};\n    return { ...profile.system_frontend_config, ...membershipConfig };\n  }, [profile, activeCompanyId]);\n}\n","/**\n * Typed factory — turns a const-asserted resource registry into a\n * set of hooks/components whose `resource` arg is constrained to\n * the registered names. Typos become TypeScript errors instead of\n * silent runtime `false`.\n *\n * @example\n *   // src/auth/resources.ts\n *   import { defineAuthRbac } from \"snipe-auth-rbac/react\";\n *\n *   export const RESOURCES = [\n *     { resource: \"properties\", scope: \"company\", label: \"Liegenschaften\", group: \"Stammdaten\" },\n *     { resource: \"payments\",   scope: \"company\", label: \"Zahlungen\",     group: \"Finanzen\" },\n *     { resource: \"system_audit\", scope: \"system\",  label: \"Audit-Log\",    group: \"Plattform\" },\n *   ] as const;\n *\n *   export const { useCan, Can, RequirePermission } = defineAuthRbac(RESOURCES);\n *\n *   // ----- elsewhere -----\n *   useCan(\"properties\", \"update\");       // ✓\n *   useCan(\"paymetns\", \"update\");          // ✗ TS error: not assignable to type \"properties\" | \"payments\" | \"system_audit\"\n */\n\nimport type { ComponentType, ReactNode } from \"react\";\n\nimport type {\n  Action,\n  ResourceDescriptor,\n  ResourceRegistry,\n} from \"./types.js\";\n\n/**\n * Drop-in replacement signatures for the three guards, with a\n * narrowed `resource` arg.\n */\nexport interface TypedGuards<R extends string> {\n  useCan: (\n    resource: R,\n    action: Action,\n    options?: { companyId?: string | null },\n  ) => boolean;\n  Can: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    children: ReactNode;\n    fallback?: ReactNode;\n  }>;\n  RequirePermission: ComponentType<{\n    resource: R;\n    action: Action;\n    companyId?: string | null;\n    loadingFallback?: ReactNode;\n    deniedFallback?: ReactNode;\n    children?: ReactNode;\n  }>;\n  /** The const-asserted registry, re-exported so call-sites can iterate. */\n  resources: ResourceRegistry;\n  /** All registered resource names as a union — handy for typing\n   *  application-side data structures. */\n  resourceNames: ReadonlyArray<R>;\n}\n\n/**\n * Factory. Run once at module-init time in your host project; the\n * returned hooks/components are referentially stable.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(\n  resources: Reg,\n  // The runtime guards live in the React entry; we accept them\n  // here as plain refs so this module stays React-free at the type\n  // level. The `react` entry calls this factory passing its own\n  // exports so adopters never see the wiring.\n  runtime: {\n    useCan: TypedGuards<string>[\"useCan\"];\n    Can: TypedGuards<string>[\"Can\"];\n    RequirePermission: TypedGuards<string>[\"RequirePermission\"];\n  },\n): TypedGuards<Reg[number][\"resource\"]> {\n  type R = Reg[number][\"resource\"];\n  return {\n    useCan: runtime.useCan as TypedGuards<R>[\"useCan\"],\n    Can: runtime.Can as TypedGuards<R>[\"Can\"],\n    RequirePermission: runtime.RequirePermission as TypedGuards<R>[\"RequirePermission\"],\n    resources,\n    resourceNames: resources.map((r) => r.resource) as ReadonlyArray<R>,\n  };\n}\n","/**\n * React + Next.js entry. Import this in browser code:\n *\n *   import { AuthRbacProvider, useCan } from \"snipe-auth-rbac/react\";\n *\n * The non-React entry (`snipe-auth-rbac`) re-exports types and the\n * pure resolver, suitable for Node, edge workers, and tests.\n */\n\nexport {\n  AuthRbacProvider,\n  useAuthRbac,\n  type AuthRbacProviderProps,\n} from \"./AuthRbacProvider.js\";\n\nexport { useCan } from \"./useCan.js\";\nexport { Can, type CanProps } from \"./Can.js\";\nexport {\n  RequirePermission,\n  type RequirePermissionProps,\n} from \"./RequirePermission.js\";\nexport { useActiveCompany, type ActiveCompany } from \"./useActiveCompany.js\";\nexport { useFrontendConfig } from \"./useFrontendConfig.js\";\n\n// Re-exports for convenience so consumers don't need two imports.\nexport type {\n  Action,\n  AuthRbacFetcher,\n  CompanyMembership,\n  FrontendConfig,\n  PermissionGrid,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  RoleSummary,\n  UserProfile,\n} from \"../types.js\";\n\nexport {\n  createSupabaseFetcher,\n  createHttpFetcher,\n  detectRbacSchema,\n} from \"../fetchers.js\";\n\nimport { defineAuthRbac as _defineAuthRbac } from \"../define.js\";\nimport { Can } from \"./Can.js\";\nimport { RequirePermission } from \"./RequirePermission.js\";\nimport { useCan } from \"./useCan.js\";\n\nimport type { ResourceDescriptor } from \"../types.js\";\nimport type { TypedGuards } from \"../define.js\";\n\n/**\n * Typed factory — pass a const-asserted resource registry and get\n * back guards whose `resource` arg is constrained to the registered\n * names. Recommended at the top of every host project.\n *\n * See ../define.ts for the full doc + example.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(resources: Reg): TypedGuards<Reg[number][\"resource\"]> {\n  return _defineAuthRbac(resources, {\n    useCan,\n    Can,\n    RequirePermission,\n  });\n}\n\nexport type { TypedGuards } from \"../define.js\";\n"],"mappings":";;;;;;;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AA4KH;AAhJJ,IAAM,kBAAkB,cAA2C,IAAI;AAuBvE,IAAM,cAAc;AAEpB,IAAM,iBAAiB,CAAC,OAAsB;AAC5C,MAAI,OAAO,WAAW,aAAa;AACjC;AAAA,EACF;AACA,MAAI;AACF,QAAI,MAAM,MAAM;AACd,aAAO,aAAa,WAAW,WAAW;AAAA,IAC5C,OAAO;AACL,aAAO,aAAa,QAAQ,aAAa,EAAE;AAAA,IAC7C;AAAA,EACF,QAAQ;AAAA,EAGR;AACF;AAEA,IAAM,gBAAgB,MAAqB;AACzC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,aAAa,QAAQ,WAAW;AAAA,EAChD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAiB,OAA8B;AAC7D,QAAM,EAAE,SAAS,WAAW,kBAAkB,qBAAqB,IAAI;AAEvE,QAAM,CAAC,SAAS,UAAU,IAAI,SAA6B,IAAI;AAC/D,QAAM,CAAC,SAAS,UAAU,IAAI,SAAS,IAAI;AAC3C,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAuB,IAAI;AAErD,QAAM,CAAC,iBAAiB,qBAAqB,IAAI;AAAA,IAC/C,oBAAoB,cAAc;AAAA,EACpC;AAEA,QAAM,UAAU,QAAQ,MAAM;AAC5B,QAAI,yBAAyB,OAAO;AAClC,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AACA,WAAO,wBAAwB;AAAA,EACjC,GAAG,CAAC,oBAAoB,CAAC;AAEzB,QAAM,mBAAmB;AAAA,IACvB,CAAC,OAAsB;AACrB,4BAAsB,EAAE;AACxB,cAAQ,EAAE;AAAA,IACZ;AAAA,IACA,CAAC,OAAO;AAAA,EACV;AAEA,QAAM,UAAU,YAAY,YAAY;AACtC,eAAW,IAAI;AACf,aAAS,IAAI;AACb,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,iBAAW,IAAI;AAGf,YAAM,cACJ,mBAAmB,QACnB,KAAK,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe;AAC/D,UAAI,CAAC,aAAa;AAChB,cAAM,WACJ,KAAK,YAAY,CAAC,GAAG,cAAc;AACrC,8BAAsB,QAAQ;AAC9B,gBAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,GAAG;AACV,eAAS,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,CAAC,CAAC,CAAC;AAAA,IACxD,UAAE;AACA,iBAAW,KAAK;AAAA,IAClB;AAAA,EAEF,GAAG,CAAC,OAAO,CAAC;AAEZ,YAAU,MAAM;AACd,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,QAAM,WAAW,QAAwB,MAAM;AAC7C,QAAI,WAAW,MAAM;AAGnB,aAAO;AAAA,QACL,KAAK,MAAM;AAAA,QACX,mBAAmB,OAAO,CAAC;AAAA,QAC3B,mBAAmB,OAAO,CAAC;AAAA,MAC7B;AAAA,IACF;AACA,WAAO,wBAAwB,WAAW,SAAS,eAAe;AAAA,EACpE,GAAG,CAAC,SAAS,WAAW,eAAe,CAAC;AAExC,QAAM,QAAQ;AAAA,IACZ,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SACE,oBAAC,gBAAgB,UAAhB,EAAyB,OACvB,gBAAM,UACT;AAEJ;AAEO,SAAS,cAAoC;AAClD,QAAM,MAAM,WAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;ACnLO,SAAS,OACd,UACA,QACA,SACS;AACT,QAAM,EAAE,SAAS,IAAI,YAAY;AACjC,SAAO,SAAS,IAAI,UAAU,QAAQ,OAAO;AAC/C;;;ACKS,0BAAAA,YAAA;AAHF,SAAS,IAAI,OAAiB;AACnC,QAAM,EAAE,UAAU,QAAQ,WAAW,UAAU,WAAW,KAAK,IAAI;AACnE,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AACtD,SAAO,gBAAAA,KAAA,YAAG,oBAAU,WAAW,UAAS;AAC1C;;;AC8BQ,SAUG,YAAAC,WAVH,OAAAC,YAAA;AARD,SAAS,kBAAkB,OAA+B;AAC/D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,IAClB,iBACE,gBAAAA,KAAC,SAAI,MAAK,SAAQ,OAAO,EAAE,SAAS,GAAG,GACrC,0BAAAA,KAAC,YAAO,uCAAyB,GACnC;AAAA,IAEF,WAAW;AAAA,EACb,IAAI;AAEJ,QAAM,EAAE,SAAS,QAAQ,IAAI,YAAY;AACzC,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AAEtD,MAAI,WAAW,WAAW,MAAM;AAC9B,WAAO,gBAAAA,KAAAD,WAAA,EAAG,2BAAgB;AAAA,EAC5B;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,gBAAAC,KAAAD,WAAA,EAAG,0BAAe;AAAA,EAC3B;AACA,SAAO,gBAAAC,KAAAD,WAAA,EAAG,UAAS;AACrB;;;AC1EA,SAAS,WAAAE,gBAAe;AA2BjB,SAAS,mBAAkC;AAChD,QAAM,EAAE,SAAS,iBAAiB,iBAAiB,IAAI,YAAY;AAEnE,SAAOC,SAAQ,MAAM;AACnB,UAAM,cAAc,SAAS,eAAe,CAAC;AAC7C,UAAM,aACJ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,KAAK;AAC/D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,MACA,WAAW;AAAA,IACb;AAAA,EACF,GAAG,CAAC,SAAS,iBAAiB,gBAAgB,CAAC;AACjD;;;ACzCA,SAAS,WAAAC,gBAAe;AAgBjB,SAAS,oBAAoC;AAClD,QAAM,EAAE,SAAS,gBAAgB,IAAI,YAAY;AACjD,SAAOC,SAAQ,MAAM;AACnB,QAAI,CAAC,SAAS;AACZ,aAAO,CAAC;AAAA,IACV;AACA,UAAM,mBACJ,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,GAC5D,mBAAmB,CAAC;AAC1B,WAAO,EAAE,GAAG,QAAQ,wBAAwB,GAAG,iBAAiB;AAAA,EAClE,GAAG,CAAC,SAAS,eAAe,CAAC;AAC/B;;;ACwCO,SAAS,eAGd,WAKA,SAKsC;AAEtC,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,KAAK,QAAQ;AAAA,IACb,mBAAmB,QAAQ;AAAA,IAC3B;AAAA,IACA,eAAe,UAAU,IAAI,CAAC,MAAM,EAAE,QAAQ;AAAA,EAChD;AACF;;;AC7BO,SAASC,gBAEd,WAAsD;AACtD,SAAO,eAAgB,WAAW;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;","names":["jsx","Fragment","jsx","useMemo","useMemo","useMemo","useMemo","defineAuthRbac"]}
+{"version":3,"sources":["../../src/react/AuthRbacProvider.tsx","../../src/react/useCan.ts","../../src/react/useCanAccessSection.ts","../../src/react/Can.tsx","../../src/react/RequirePermission.tsx","../../src/react/useActiveCompany.ts","../../src/react/useFrontendConfig.ts","../../src/react/index.ts"],"sourcesContent":["import {\n  createContext,\n  useCallback,\n  useContext,\n  useEffect,\n  useMemo,\n  useState,\n  type ReactNode,\n} from \"react\";\n\nimport {\n  buildPermissionResolver,\n  type AuthRbacClient,\n} from \"../client.js\";\nimport type {\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceRegistry,\n  UserProfile,\n} from \"../types.js\";\n\ninterface AuthRbacContextValue {\n  /**\n   * `null` means we haven't hydrated yet. Components should treat\n   * the not-loaded state as \"no permissions\" (fail-closed).\n   */\n  profile: UserProfile | null;\n  loading: boolean;\n  error: Error | null;\n  resources: ResourceRegistry;\n  activeCompanyId: string | null;\n  setActiveCompany: (id: string | null) => void;\n  refresh: () => Promise<void>;\n  resolver: AuthRbacClient;\n}\n\nconst AuthRbacContext = createContext<AuthRbacContextValue | null>(null);\n\nexport interface AuthRbacProviderProps {\n  fetcher: AuthRbacFetcher;\n  resources: ResourceRegistry;\n  /**\n   * Initial active company. Common patterns:\n   *  - read from URL query/path\n   *  - read from localStorage\n   *  - omit and let the user pick from the switcher\n   */\n  initialCompanyId?: string | null;\n  /**\n   * Persistence hook. Called every time the active company changes.\n   * Default: writes to `localStorage` under\n   * `auth-rbac:active-company`. Pass `false` to disable.\n   */\n  persistActiveCompany?:\n    | ((id: string | null) => void)\n    | false;\n  children: ReactNode;\n}\n\nconst STORAGE_KEY = \"auth-rbac:active-company\";\n\nconst defaultPersist = (id: string | null) => {\n  if (typeof window === \"undefined\") {\n    return;\n  }\n  try {\n    if (id == null) {\n      window.localStorage.removeItem(STORAGE_KEY);\n    } else {\n      window.localStorage.setItem(STORAGE_KEY, id);\n    }\n  } catch {\n    // localStorage may be unavailable (private browsing, SSR) —\n    // fall back to in-memory only.\n  }\n};\n\nconst readPersisted = (): string | null => {\n  if (typeof window === \"undefined\") {\n    return null;\n  }\n  try {\n    return window.localStorage.getItem(STORAGE_KEY);\n  } catch {\n    return null;\n  }\n};\n\nexport function AuthRbacProvider(props: AuthRbacProviderProps) {\n  const { fetcher, resources, initialCompanyId, persistActiveCompany } = props;\n\n  const [profile, setProfile] = useState<UserProfile | null>(null);\n  const [loading, setLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const [activeCompanyId, setActiveCompanyState] = useState<string | null>(\n    initialCompanyId ?? readPersisted(),\n  );\n\n  const persist = useMemo(() => {\n    if (persistActiveCompany === false) {\n      return () => {};\n    }\n    return persistActiveCompany ?? defaultPersist;\n  }, [persistActiveCompany]);\n\n  const setActiveCompany = useCallback(\n    (id: string | null) => {\n      setActiveCompanyState(id);\n      persist(id);\n    },\n    [persist],\n  );\n\n  const refresh = useCallback(async () => {\n    setLoading(true);\n    setError(null);\n    try {\n      const next = await fetcher.fetchProfile();\n      setProfile(next);\n      // If the persisted company isn't a membership, fall back to\n      // the first one (or null for users with no memberships).\n      const stillMember =\n        activeCompanyId != null &&\n        next.memberships.some((m) => m.company_id === activeCompanyId);\n      if (!stillMember) {\n        const fallback =\n          next.memberships[0]?.company_id ?? null;\n        setActiveCompanyState(fallback);\n        persist(fallback);\n      }\n    } catch (e) {\n      setError(e instanceof Error ? e : new Error(String(e)));\n    } finally {\n      setLoading(false);\n    }\n    // eslint-disable-next-line react-hooks/exhaustive-deps\n  }, [fetcher]);\n\n  useEffect(() => {\n    void refresh();\n  }, [refresh]);\n\n  const resolver = useMemo<AuthRbacClient>(() => {\n    if (profile == null) {\n      // Empty resolver until the profile lands. Always returns\n      // false → guards fall through to the unauthenticated branch.\n      return {\n        can: () => false,\n        canAccessSection: () => false,\n        activePermissions: () => ({}) as PermissionMap,\n        systemPermissions: () => ({}) as PermissionMap,\n      };\n    }\n    return buildPermissionResolver(resources, profile, activeCompanyId);\n  }, [profile, resources, activeCompanyId]);\n\n  const value = useMemo<AuthRbacContextValue>(\n    () => ({\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    }),\n    [\n      profile,\n      loading,\n      error,\n      resources,\n      activeCompanyId,\n      setActiveCompany,\n      refresh,\n      resolver,\n    ],\n  );\n\n  return (\n    <AuthRbacContext.Provider value={value}>\n      {props.children}\n    </AuthRbacContext.Provider>\n  );\n}\n\nexport function useAuthRbac(): AuthRbacContextValue {\n  const ctx = useContext(AuthRbacContext);\n  if (!ctx) {\n    throw new Error(\n      \"useAuthRbac must be used within an <AuthRbacProvider> — wrap your app at the root.\",\n    );\n  }\n  return ctx;\n}\n","import type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Boolean permission check.\n *\n * @example\n *   const canEdit = useCan(\"properties\", \"update\");\n *   <Button disabled={!canEdit}>Speichern</Button>\n *\n * @example explicitly target a non-active company\n *   const canRead = useCan(\"payments\", \"read\", { companyId: targetId });\n */\nexport function useCan(\n  resource: string,\n  action: Action,\n  options?: CanOptions,\n): boolean {\n  const { resolver } = useAuthRbac();\n  return resolver.can(resource, action, options);\n}\n","import type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Direct-grant check, for sidebar items and list-page route guards.\n *\n * Returns `true` only when the action is granted on the resource as\n * a **direct** admin grant (no `<action>_granted_via`). Rows that\n * exist only because a parent resource's `dependsOn` cascade\n * materialised them return `false` here — even though\n * `useCan(resource, action)` would return `true` for the same role.\n *\n * Use case: a Verwalter with only `leases:read` direct should see\n * Mietverträge in the sidebar but **not** Mieter / Einheiten /\n * Liegenschaften — those reads are implied so the lease detail page\n * can render, not because the role should navigate to them as\n * top-level sections.\n *\n * @example sidebar item filtering\n *   const showLeasesInSidebar = useCanAccessSection(\"leases\");\n *   const showUnitsInSidebar  = useCanAccessSection(\"units\");\n *\n * @example list-route gating\n *   if (!useCanAccessSection(\"units\")) return <Forbidden />;\n *\n * Available since 0.4.0. With older SQL that doesn't return\n * `direct_*` maps, this always answers `false` — adopters still on\n * pre-0.4.0 SQL should keep using `useCan`.\n */\nexport function useCanAccessSection(\n  resource: string,\n  action: Action = \"read\",\n  options?: CanOptions,\n): boolean {\n  const { resolver } = useAuthRbac();\n  return resolver.canAccessSection(resource, action, options);\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useCan } from \"./useCan.js\";\n\nexport interface CanProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /** Rendered when the user has the permission. */\n  children: ReactNode;\n  /**\n   * Rendered when the user does NOT have the permission. Defaults\n   * to `null` (silent hide). Pass a `<NoPermissionView />` or a\n   * tooltip-wrapper to surface the denial explicitly.\n   */\n  fallback?: ReactNode;\n}\n\n/**\n * Subtree gate. Bails before children render so any data fetching\n * inside `children` is skipped for users without permission.\n */\nexport function Can(props: CanProps) {\n  const { resource, action, companyId, children, fallback = null } = props;\n  const allowed = useCan(resource, action, { companyId });\n  return <>{allowed ? children : fallback}</>;\n}\n","import type { ReactNode } from \"react\";\n\nimport type { Action } from \"../types.js\";\nimport type { CanOptions } from \"../client.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\nimport { useCan } from \"./useCan.js\";\n\nexport interface RequirePermissionProps extends CanOptions {\n  resource: string;\n  action: Action;\n  /**\n   * What to render while the profile is still loading. Defaults to\n   * `null` (no flash) — pass a spinner if your routes typically\n   * mount before the profile lands.\n   */\n  loadingFallback?: ReactNode;\n  /**\n   * What to render when access is denied. Defaults to a minimal\n   * \"Sie haben keinen Zugriff\" message; pass your own component to\n   * theme it.\n   */\n  deniedFallback?: ReactNode;\n  /**\n   * For `react-router-dom v6` route-element usage, pass an `<Outlet />`\n   * here — the gate resolves to either the outlet or the denied\n   * fallback. For component-tree usage, pass any children.\n   */\n  children?: ReactNode;\n}\n\n/**\n * Route- or component-level guard. Three render branches:\n *\n *  - profile not yet loaded → `loadingFallback`\n *  - permission denied      → `deniedFallback`\n *  - permission granted     → `children`\n *\n * Drop-in replacement for the legacy `<RequireRolesRoute>` pattern.\n *\n * @example\n *   // App.tsx route table\n *   <Route element={\n *     <RequirePermission resource=\"payments\" action=\"read\">\n *       <Outlet />\n *     </RequirePermission>\n *   }>\n *     <Route path=\"/payments\" element={<PaymentsPage />} />\n *   </Route>\n */\nexport function RequirePermission(props: RequirePermissionProps) {\n  const {\n    resource,\n    action,\n    companyId,\n    loadingFallback = null,\n    deniedFallback = (\n      <div role=\"alert\" style={{ padding: 24 }}>\n        <strong>Sie haben keinen Zugriff.</strong>\n      </div>\n    ),\n    children = null,\n  } = props;\n\n  const { profile, loading } = useAuthRbac();\n  const allowed = useCan(resource, action, { companyId });\n\n  if (loading || profile == null) {\n    return <>{loadingFallback}</>;\n  }\n  if (!allowed) {\n    return <>{deniedFallback}</>;\n  }\n  return <>{children}</>;\n}\n","import { useMemo } from \"react\";\n\nimport type { CompanyMembership } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\nexport interface ActiveCompany {\n  id: string | null;\n  membership: CompanyMembership | null;\n  memberships: CompanyMembership[];\n  setActive: (id: string | null) => void;\n}\n\n/**\n * Read + switch the active company.\n *\n * @example\n *   const { id, memberships, setActive } = useActiveCompany();\n *\n *   return (\n *     <select value={id ?? \"\"} onChange={(e) => setActive(e.target.value || null)}>\n *       {memberships.map((m) => (\n *         <option key={m.company_id} value={m.company_id}>{m.company_name}</option>\n *       ))}\n *     </select>\n *   );\n */\nexport function useActiveCompany(): ActiveCompany {\n  const { profile, activeCompanyId, setActiveCompany } = useAuthRbac();\n\n  return useMemo(() => {\n    const memberships = profile?.memberships ?? [];\n    const membership =\n      memberships.find((m) => m.company_id === activeCompanyId) ?? null;\n    return {\n      id: activeCompanyId,\n      membership,\n      memberships,\n      setActive: setActiveCompany,\n    };\n  }, [profile, activeCompanyId, setActiveCompany]);\n}\n","import { useMemo } from \"react\";\n\nimport type { FrontendConfig } from \"../types.js\";\n\nimport { useAuthRbac } from \"./AuthRbacProvider.js\";\n\n/**\n * Reads the merged `frontend_config` for the user. Sources in\n * priority order: active company's membership > system roles. Use\n * this to drive sidebar items, dashboard defaults, and any other\n * \"what should this role see\" UX without hardcoded role checks.\n *\n * The shape is intentionally `Record<string, unknown>` — your host\n * project owns the schema. Document your keys (e.g. `sidebar`,\n * `default_dashboard`) once and stick to them.\n */\nexport function useFrontendConfig(): FrontendConfig {\n  const { profile, activeCompanyId } = useAuthRbac();\n  return useMemo(() => {\n    if (!profile) {\n      return {};\n    }\n    const membershipConfig =\n      profile.memberships.find((m) => m.company_id === activeCompanyId)\n        ?.frontend_config ?? {};\n    return { ...profile.system_frontend_config, ...membershipConfig };\n  }, [profile, activeCompanyId]);\n}\n","/**\n * React + Next.js entry. Import this in browser code:\n *\n *   import { AuthRbacProvider, useCan } from \"snipe-auth-rbac/react\";\n *\n * The non-React entry (`snipe-auth-rbac`) re-exports types and the\n * pure resolver, suitable for Node, edge workers, and tests.\n */\n\nexport {\n  AuthRbacProvider,\n  useAuthRbac,\n  type AuthRbacProviderProps,\n} from \"./AuthRbacProvider.js\";\n\nexport { useCan } from \"./useCan.js\";\nexport { useCanAccessSection } from \"./useCanAccessSection.js\";\nexport { Can, type CanProps } from \"./Can.js\";\nexport {\n  RequirePermission,\n  type RequirePermissionProps,\n} from \"./RequirePermission.js\";\nexport { useActiveCompany, type ActiveCompany } from \"./useActiveCompany.js\";\nexport { useFrontendConfig } from \"./useFrontendConfig.js\";\n\n// Re-exports for convenience so consumers don't need two imports.\nexport type {\n  Action,\n  AuthRbacFetcher,\n  CompanyMembership,\n  DependencyEdge,\n  DirectGrantMap,\n  FrontendConfig,\n  PermissionGrid,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  RoleSummary,\n  UserProfile,\n} from \"../types.js\";\n\nexport { RbacRegistryError } from \"../define.js\";\n\nexport {\n  createSupabaseFetcher,\n  createHttpFetcher,\n  detectRbacSchema,\n} from \"../fetchers.js\";\n\nimport { defineAuthRbac as _defineAuthRbac } from \"../define.js\";\nimport { Can } from \"./Can.js\";\nimport { RequirePermission } from \"./RequirePermission.js\";\nimport { useCan } from \"./useCan.js\";\nimport { useCanAccessSection } from \"./useCanAccessSection.js\";\n\nimport type { ResourceDescriptor } from \"../types.js\";\nimport type { TypedGuards } from \"../define.js\";\n\n/**\n * Typed factory — pass a const-asserted resource registry and get\n * back guards whose `resource` arg is constrained to the registered\n * names. Recommended at the top of every host project.\n *\n * See ../define.ts for the full doc + example.\n */\nexport function defineAuthRbac<\n  const Reg extends ReadonlyArray<ResourceDescriptor>,\n>(resources: Reg): TypedGuards<Reg[number][\"resource\"]> {\n  return _defineAuthRbac(resources, {\n    useCan,\n    useCanAccessSection,\n    Can,\n    RequirePermission,\n  });\n}\n\nexport type { TypedGuards } from \"../define.js\";\n"],"mappings":";;;;;;;;;;;;AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AA6KH;AAjJJ,IAAM,kBAAkB,cAA2C,IAAI;AAuBvE,IAAM,cAAc;AAEpB,IAAM,iBAAiB,CAAC,OAAsB;AAC5C,MAAI,OAAO,WAAW,aAAa;AACjC;AAAA,EACF;AACA,MAAI;AACF,QAAI,MAAM,MAAM;AACd,aAAO,aAAa,WAAW,WAAW;AAAA,IAC5C,OAAO;AACL,aAAO,aAAa,QAAQ,aAAa,EAAE;AAAA,IAC7C;AAAA,EACF,QAAQ;AAAA,EAGR;AACF;AAEA,IAAM,gBAAgB,MAAqB;AACzC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,aAAa,QAAQ,WAAW;AAAA,EAChD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,iBAAiB,OAA8B;AAC7D,QAAM,EAAE,SAAS,WAAW,kBAAkB,qBAAqB,IAAI;AAEvE,QAAM,CAAC,SAAS,UAAU,IAAI,SAA6B,IAAI;AAC/D,QAAM,CAAC,SAAS,UAAU,IAAI,SAAS,IAAI;AAC3C,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAuB,IAAI;AAErD,QAAM,CAAC,iBAAiB,qBAAqB,IAAI;AAAA,IAC/C,oBAAoB,cAAc;AAAA,EACpC;AAEA,QAAM,UAAU,QAAQ,MAAM;AAC5B,QAAI,yBAAyB,OAAO;AAClC,aAAO,MAAM;AAAA,MAAC;AAAA,IAChB;AACA,WAAO,wBAAwB;AAAA,EACjC,GAAG,CAAC,oBAAoB,CAAC;AAEzB,QAAM,mBAAmB;AAAA,IACvB,CAAC,OAAsB;AACrB,4BAAsB,EAAE;AACxB,cAAQ,EAAE;AAAA,IACZ;AAAA,IACA,CAAC,OAAO;AAAA,EACV;AAEA,QAAM,UAAU,YAAY,YAAY;AACtC,eAAW,IAAI;AACf,aAAS,IAAI;AACb,QAAI;AACF,YAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,iBAAW,IAAI;AAGf,YAAM,cACJ,mBAAmB,QACnB,KAAK,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe;AAC/D,UAAI,CAAC,aAAa;AAChB,cAAM,WACJ,KAAK,YAAY,CAAC,GAAG,cAAc;AACrC,8BAAsB,QAAQ;AAC9B,gBAAQ,QAAQ;AAAA,MAClB;AAAA,IACF,SAAS,GAAG;AACV,eAAS,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,CAAC,CAAC,CAAC;AAAA,IACxD,UAAE;AACA,iBAAW,KAAK;AAAA,IAClB;AAAA,EAEF,GAAG,CAAC,OAAO,CAAC;AAEZ,YAAU,MAAM;AACd,SAAK,QAAQ;AAAA,EACf,GAAG,CAAC,OAAO,CAAC;AAEZ,QAAM,WAAW,QAAwB,MAAM;AAC7C,QAAI,WAAW,MAAM;AAGnB,aAAO;AAAA,QACL,KAAK,MAAM;AAAA,QACX,kBAAkB,MAAM;AAAA,QACxB,mBAAmB,OAAO,CAAC;AAAA,QAC3B,mBAAmB,OAAO,CAAC;AAAA,MAC7B;AAAA,IACF;AACA,WAAO,wBAAwB,WAAW,SAAS,eAAe;AAAA,EACpE,GAAG,CAAC,SAAS,WAAW,eAAe,CAAC;AAExC,QAAM,QAAQ;AAAA,IACZ,OAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,IACA;AAAA,MACE;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SACE,oBAAC,gBAAgB,UAAhB,EAAyB,OACvB,gBAAM,UACT;AAEJ;AAEO,SAAS,cAAoC;AAClD,QAAM,MAAM,WAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;ACpLO,SAAS,OACd,UACA,QACA,SACS;AACT,QAAM,EAAE,SAAS,IAAI,YAAY;AACjC,SAAO,SAAS,IAAI,UAAU,QAAQ,OAAO;AAC/C;;;ACSO,SAAS,oBACd,UACA,SAAiB,QACjB,SACS;AACT,QAAM,EAAE,SAAS,IAAI,YAAY;AACjC,SAAO,SAAS,iBAAiB,UAAU,QAAQ,OAAO;AAC5D;;;ACXS,0BAAAA,YAAA;AAHF,SAAS,IAAI,OAAiB;AACnC,QAAM,EAAE,UAAU,QAAQ,WAAW,UAAU,WAAW,KAAK,IAAI;AACnE,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AACtD,SAAO,gBAAAA,KAAA,YAAG,oBAAU,WAAW,UAAS;AAC1C;;;AC8BQ,SAUG,YAAAC,WAVH,OAAAC,YAAA;AARD,SAAS,kBAAkB,OAA+B;AAC/D,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,IAClB,iBACE,gBAAAA,KAAC,SAAI,MAAK,SAAQ,OAAO,EAAE,SAAS,GAAG,GACrC,0BAAAA,KAAC,YAAO,uCAAyB,GACnC;AAAA,IAEF,WAAW;AAAA,EACb,IAAI;AAEJ,QAAM,EAAE,SAAS,QAAQ,IAAI,YAAY;AACzC,QAAM,UAAU,OAAO,UAAU,QAAQ,EAAE,UAAU,CAAC;AAEtD,MAAI,WAAW,WAAW,MAAM;AAC9B,WAAO,gBAAAA,KAAAD,WAAA,EAAG,2BAAgB;AAAA,EAC5B;AACA,MAAI,CAAC,SAAS;AACZ,WAAO,gBAAAC,KAAAD,WAAA,EAAG,0BAAe;AAAA,EAC3B;AACA,SAAO,gBAAAC,KAAAD,WAAA,EAAG,UAAS;AACrB;;;AC1EA,SAAS,WAAAE,gBAAe;AA2BjB,SAAS,mBAAkC;AAChD,QAAM,EAAE,SAAS,iBAAiB,iBAAiB,IAAI,YAAY;AAEnE,SAAOC,SAAQ,MAAM;AACnB,UAAM,cAAc,SAAS,eAAe,CAAC;AAC7C,UAAM,aACJ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,KAAK;AAC/D,WAAO;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,MACA,WAAW;AAAA,IACb;AAAA,EACF,GAAG,CAAC,SAAS,iBAAiB,gBAAgB,CAAC;AACjD;;;ACzCA,SAAS,WAAAC,gBAAe;AAgBjB,SAAS,oBAAoC;AAClD,QAAM,EAAE,SAAS,gBAAgB,IAAI,YAAY;AACjD,SAAOC,SAAQ,MAAM;AACnB,QAAI,CAAC,SAAS;AACZ,aAAO,CAAC;AAAA,IACV;AACA,UAAM,mBACJ,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,eAAe,GAC5D,mBAAmB,CAAC;AAC1B,WAAO,EAAE,GAAG,QAAQ,wBAAwB,GAAG,iBAAiB;AAAA,EAClE,GAAG,CAAC,SAAS,eAAe,CAAC;AAC/B;;;ACuCO,SAASC,gBAEd,WAAsD;AACtD,SAAO,eAAgB,WAAW;AAAA,IAChC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACH;","names":["jsx","Fragment","jsx","useMemo","useMemo","useMemo","useMemo","defineAuthRbac"]}

package/dist/types-Oj9yfWvz.d.cts

@@ -0,0 +1,132 @@
+/**
+ * Core types — used by both the transport-agnostic client and the
+ * React layer. Adopters that don't use React only need to depend on
+ * the `index` entry; the `react` entry's types extend these.
+ */
+type Action = "read" | "write" | "update" | "delete";
+type ResourceScope = "system" | "company";
+/**
+ * One edge in a resource's `dependsOn` graph. When the parent
+ * resource has `<action>` granted to a role in the admin matrix UI,
+ * the matrix materialises a row on the child carrying the same
+ * action, with the parent's name recorded in `<action>_granted_via`
+ * on `rbac.role_permissions`.
+ *
+ * `actions` defaults to `['read']` when omitted. The shorthand
+ * `dependsOn: ['tenants']` is equivalent to
+ * `dependsOn: [{ resource: 'tenants', actions: ['read'] }]`.
+ *
+ * Available since 0.4.0.
+ */
+interface DependencyEdge {
+    resource: string;
+    actions?: ReadonlyArray<Action>;
+}
+interface ResourceDescriptor {
+    resource: string;
+    scope: ResourceScope;
+    label: string;
+    description?: string;
+    group?: string;
+    /**
+     * Per-edge action cascade. Granting `<this>:<action>` in the admin
+     * matrix automatically grants `<edge.resource>:<action>` for every
+     * edge whose `actions` array includes `<action>`. Useful for
+     * "granting `leases:read` should also let me read the tenant +
+     * unit + property that the lease joins to" — declare those edges
+     * here and the matrix UI handles the rest.
+     *
+     * Implied rows are real rows on `rbac.role_permissions` and look
+     * identical to direct grants at the resolver / RLS layer. The
+     * `<action>_granted_via` column distinguishes them, which lets
+     * `canAccessSection(resource)` answer "is this a direct grant?"
+     * for top-level navigation gating.
+     *
+     * Only edges whose `actions` include the toggled action cascade.
+     * Read is the default — declare `actions` explicitly if you want
+     * the cascade to apply to write/update/delete as well.
+     *
+     * `defineAuthRbac()` rejects cyclic dependency graphs at boot.
+     *
+     * Available since 0.4.0.
+     */
+    dependsOn?: ReadonlyArray<string | DependencyEdge>;
+}
+interface RoleSummary {
+    id: string;
+    name: string;
+    is_system?: boolean;
+    is_super?: boolean;
+    frontend_config?: FrontendConfig;
+}
+/**
+ * Free-form per-role config that the host project can interpret as
+ * it sees fit. A typical shape includes `sidebar` (list of section
+ * keys), `default_dashboard` (string), `home_route` (string).
+ */
+type FrontendConfig = Record<string, unknown>;
+interface PermissionGrid {
+    read: boolean;
+    write: boolean;
+    update: boolean;
+    delete: boolean;
+}
+type PermissionMap = Record<string, PermissionGrid>;
+/**
+ * Map of `resource → true` for resources whose given action is
+ * granted **directly** to a role (i.e. with `<action>_granted_via`
+ * NULL on `rbac.role_permissions`). Implied rows do not appear here.
+ *
+ * Used to distinguish list-page access (direct grant required) from
+ * detail-page access (direct OR implied) — see `canAccessSection`.
+ *
+ * Available since 0.4.0. Returned by `rbac.user_profile()`; older
+ * SQL versions omit these fields, in which case the client treats
+ * them as empty objects (back-compat).
+ */
+type DirectGrantMap = Readonly<Record<string, boolean>>;
+interface CompanyMembership {
+    company_id: string;
+    company_name: string;
+    company_slug?: string | null;
+    roles: RoleSummary[];
+    permissions: PermissionMap;
+    /** Merged frontend_config across all roles the user holds in this company. */
+    frontend_config: FrontendConfig;
+    /** Per-action direct-grant maps for this company. 0.4.0+ */
+    direct_reads?: DirectGrantMap;
+    direct_writes?: DirectGrantMap;
+    direct_updates?: DirectGrantMap;
+    direct_deletes?: DirectGrantMap;
+}
+interface UserProfile {
+    user_id: string;
+    is_super_admin: boolean;
+    system_roles: RoleSummary[];
+    system_permissions: PermissionMap;
+    /** Merged frontend_config across all of the user's system roles. */
+    system_frontend_config: FrontendConfig;
+    memberships: CompanyMembership[];
+    /** Per-action direct-grant maps at system scope. 0.4.0+ */
+    system_direct_reads?: DirectGrantMap;
+    system_direct_writes?: DirectGrantMap;
+    system_direct_updates?: DirectGrantMap;
+    system_direct_deletes?: DirectGrantMap;
+}
+/**
+ * Adopter-supplied transport. Two flavours are supported out of the
+ * box:
+ *
+ *  1. Pass a Supabase client + a JWT-derived `user_id` and the
+ *     library calls the package's SQL RPC `rbac.user_profile`.
+ *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
+ *     and the library calls that. Use this when your backend serves
+ *     a custom `/api/users/me/profile` endpoint or when you don't
+ *     run Supabase at all.
+ */
+interface AuthRbacFetcher {
+    fetchProfile(): Promise<UserProfile>;
+}
+type ResourceRegistry = ReadonlyArray<ResourceDescriptor>;
+
+export type { Action as A, CompanyMembership as C, DependencyEdge as D, FrontendConfig as F, PermissionGrid as P, ResourceScope as R, UserProfile as U, ResourceDescriptor as a, AuthRbacFetcher as b, ResourceRegistry as c, DirectGrantMap as d, PermissionMap as e, RoleSummary as f };

package/dist/types-Oj9yfWvz.d.ts

@@ -0,0 +1,132 @@
+/**
+ * Core types — used by both the transport-agnostic client and the
+ * React layer. Adopters that don't use React only need to depend on
+ * the `index` entry; the `react` entry's types extend these.
+ */
+type Action = "read" | "write" | "update" | "delete";
+type ResourceScope = "system" | "company";
+/**
+ * One edge in a resource's `dependsOn` graph. When the parent
+ * resource has `<action>` granted to a role in the admin matrix UI,
+ * the matrix materialises a row on the child carrying the same
+ * action, with the parent's name recorded in `<action>_granted_via`
+ * on `rbac.role_permissions`.
+ *
+ * `actions` defaults to `['read']` when omitted. The shorthand
+ * `dependsOn: ['tenants']` is equivalent to
+ * `dependsOn: [{ resource: 'tenants', actions: ['read'] }]`.
+ *
+ * Available since 0.4.0.
+ */
+interface DependencyEdge {
+    resource: string;
+    actions?: ReadonlyArray<Action>;
+}
+interface ResourceDescriptor {
+    resource: string;
+    scope: ResourceScope;
+    label: string;
+    description?: string;
+    group?: string;
+    /**
+     * Per-edge action cascade. Granting `<this>:<action>` in the admin
+     * matrix automatically grants `<edge.resource>:<action>` for every
+     * edge whose `actions` array includes `<action>`. Useful for
+     * "granting `leases:read` should also let me read the tenant +
+     * unit + property that the lease joins to" — declare those edges
+     * here and the matrix UI handles the rest.
+     *
+     * Implied rows are real rows on `rbac.role_permissions` and look
+     * identical to direct grants at the resolver / RLS layer. The
+     * `<action>_granted_via` column distinguishes them, which lets
+     * `canAccessSection(resource)` answer "is this a direct grant?"
+     * for top-level navigation gating.
+     *
+     * Only edges whose `actions` include the toggled action cascade.
+     * Read is the default — declare `actions` explicitly if you want
+     * the cascade to apply to write/update/delete as well.
+     *
+     * `defineAuthRbac()` rejects cyclic dependency graphs at boot.
+     *
+     * Available since 0.4.0.
+     */
+    dependsOn?: ReadonlyArray<string | DependencyEdge>;
+}
+interface RoleSummary {
+    id: string;
+    name: string;
+    is_system?: boolean;
+    is_super?: boolean;
+    frontend_config?: FrontendConfig;
+}
+/**
+ * Free-form per-role config that the host project can interpret as
+ * it sees fit. A typical shape includes `sidebar` (list of section
+ * keys), `default_dashboard` (string), `home_route` (string).
+ */
+type FrontendConfig = Record<string, unknown>;
+interface PermissionGrid {
+    read: boolean;
+    write: boolean;
+    update: boolean;
+    delete: boolean;
+}
+type PermissionMap = Record<string, PermissionGrid>;
+/**
+ * Map of `resource → true` for resources whose given action is
+ * granted **directly** to a role (i.e. with `<action>_granted_via`
+ * NULL on `rbac.role_permissions`). Implied rows do not appear here.
+ *
+ * Used to distinguish list-page access (direct grant required) from
+ * detail-page access (direct OR implied) — see `canAccessSection`.
+ *
+ * Available since 0.4.0. Returned by `rbac.user_profile()`; older
+ * SQL versions omit these fields, in which case the client treats
+ * them as empty objects (back-compat).
+ */
+type DirectGrantMap = Readonly<Record<string, boolean>>;
+interface CompanyMembership {
+    company_id: string;
+    company_name: string;
+    company_slug?: string | null;
+    roles: RoleSummary[];
+    permissions: PermissionMap;
+    /** Merged frontend_config across all roles the user holds in this company. */
+    frontend_config: FrontendConfig;
+    /** Per-action direct-grant maps for this company. 0.4.0+ */
+    direct_reads?: DirectGrantMap;
+    direct_writes?: DirectGrantMap;
+    direct_updates?: DirectGrantMap;
+    direct_deletes?: DirectGrantMap;
+}
+interface UserProfile {
+    user_id: string;
+    is_super_admin: boolean;
+    system_roles: RoleSummary[];
+    system_permissions: PermissionMap;
+    /** Merged frontend_config across all of the user's system roles. */
+    system_frontend_config: FrontendConfig;
+    memberships: CompanyMembership[];
+    /** Per-action direct-grant maps at system scope. 0.4.0+ */
+    system_direct_reads?: DirectGrantMap;
+    system_direct_writes?: DirectGrantMap;
+    system_direct_updates?: DirectGrantMap;
+    system_direct_deletes?: DirectGrantMap;
+}
+/**
+ * Adopter-supplied transport. Two flavours are supported out of the
+ * box:
+ *
+ *  1. Pass a Supabase client + a JWT-derived `user_id` and the
+ *     library calls the package's SQL RPC `rbac.user_profile`.
+ *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
+ *     and the library calls that. Use this when your backend serves
+ *     a custom `/api/users/me/profile` endpoint or when you don't
+ *     run Supabase at all.
+ */
+interface AuthRbacFetcher {
+    fetchProfile(): Promise<UserProfile>;
+}
+type ResourceRegistry = ReadonlyArray<ResourceDescriptor>;
+
+export type { Action as A, CompanyMembership as C, DependencyEdge as D, FrontendConfig as F, PermissionGrid as P, ResourceScope as R, UserProfile as U, ResourceDescriptor as a, AuthRbacFetcher as b, ResourceRegistry as c, DirectGrantMap as d, PermissionMap as e, RoleSummary as f };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "snipe-auth-rbac",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "Two-layer RBAC (system + company) for React, Next.js, and any modern TS app — paired with the Python sibling.",
   "license": "MIT",
   "type": "module",

package/sql/0001_initial.sql

@@ -138,9 +138,44 @@ CREATE TABLE IF NOT EXISTS rbac.role_permissions (
     can_write   boolean NOT NULL DEFAULT false,
     can_update  boolean NOT NULL DEFAULT false,
     can_delete  boolean NOT NULL DEFAULT false,
+    -- 0.4.0+. Per-action origin tracking. NULL = direct admin grant;
+    -- non-NULL = name of the parent resource whose `dependsOn` edge
+    -- caused this cell to be materialised. The matrix UI reads this
+    -- to render the "Implied by …" badge; the resolver and
+    -- `rbac.user_can(...)` SQL function ignore the columns entirely
+    -- (flat matrix lookups are unchanged so RLS stays performant).
+    read_granted_via   text,
+    write_granted_via  text,
+    update_granted_via text,
+    delete_granted_via text,
     PRIMARY KEY (role_id, resource)
 );
 
+-- Backfill for adopters upgrading from 0.3.x.
+ALTER TABLE rbac.role_permissions
+    ADD COLUMN IF NOT EXISTS read_granted_via   text,
+    ADD COLUMN IF NOT EXISTS write_granted_via  text,
+    ADD COLUMN IF NOT EXISTS update_granted_via text,
+    ADD COLUMN IF NOT EXISTS delete_granted_via text;
+
+-- 0.4.0+. Dependent-read graph. One row per (parent, child, action)
+-- cascade edge. The host registry's `dependsOn` arrays get
+-- materialised here by `service.syncResources()` on app boot. The
+-- admin matrix UI consults this on every toggle-on to decide which
+-- implied rows to write alongside the parent.
+--
+-- The resolver does NOT read this table at runtime — implied rows
+-- live on `rbac.role_permissions` and look identical to direct
+-- grants at the policy layer. This keeps RLS flat and fast.
+CREATE TABLE IF NOT EXISTS rbac.resource_dependencies (
+    parent_resource text    NOT NULL REFERENCES rbac.resources(resource) ON DELETE CASCADE,
+    child_resource  text    NOT NULL REFERENCES rbac.resources(resource) ON DELETE CASCADE,
+    action          text    NOT NULL CHECK (action IN ('read','write','update','delete')),
+    created_at      timestamptz NOT NULL DEFAULT now(),
+    PRIMARY KEY (parent_resource, child_resource, action),
+    CONSTRAINT resource_dependencies_no_self CHECK (parent_resource <> child_resource)
+);
+
 CREATE OR REPLACE FUNCTION rbac.check_role_resource_scope()
 RETURNS trigger
 LANGUAGE plpgsql
@@ -289,12 +324,20 @@ AS $$
       JOIN rbac.roles r ON r.id = usr.role_id
      WHERE usr.user_id = p_user_id
   ),
+  -- 0.4.0+. Per-action direct grants are aggregated alongside the
+  -- regular permission booleans. Direct = action true AND its
+  -- granted_via is NULL on at least one of the user's roles. bool_or
+  -- across roles gives "any role grants this directly".
   system_perms AS (
     SELECT rp.resource,
            bool_or(rp.can_read)   AS can_read,
            bool_or(rp.can_write)  AS can_write,
            bool_or(rp.can_update) AS can_update,
-           bool_or(rp.can_delete) AS can_delete
+           bool_or(rp.can_delete) AS can_delete,
+           bool_or(rp.can_read   AND rp.read_granted_via   IS NULL) AS direct_read,
+           bool_or(rp.can_write  AND rp.write_granted_via  IS NULL) AS direct_write,
+           bool_or(rp.can_update AND rp.update_granted_via IS NULL) AS direct_update,
+           bool_or(rp.can_delete AND rp.delete_granted_via IS NULL) AS direct_delete
       FROM rbac.user_system_roles usr
       JOIN rbac.role_permissions rp ON rp.role_id = usr.role_id
      WHERE usr.user_id = p_user_id
@@ -320,7 +363,11 @@ AS $$
            bool_or(rp.can_read)   AS can_read,
            bool_or(rp.can_write)  AS can_write,
            bool_or(rp.can_update) AS can_update,
-           bool_or(rp.can_delete) AS can_delete
+           bool_or(rp.can_delete) AS can_delete,
+           bool_or(rp.can_read   AND rp.read_granted_via   IS NULL) AS direct_read,
+           bool_or(rp.can_write  AND rp.write_granted_via  IS NULL) AS direct_write,
+           bool_or(rp.can_update AND rp.update_granted_via IS NULL) AS direct_update,
+           bool_or(rp.can_delete AND rp.delete_granted_via IS NULL) AS direct_delete
       FROM rbac.user_company_roles ucr
       JOIN rbac.role_permissions rp ON rp.role_id = ucr.role_id
      WHERE ucr.user_id = p_user_id
@@ -340,6 +387,24 @@ AS $$
          )) FROM system_perms),
         '{}'::jsonb
     ),
+    -- 0.4.0+. Per-action direct-grant maps. Drives canAccessSection()
+    -- on the client side for top-level nav / list-page gating.
+    'system_direct_reads', coalesce(
+        (SELECT jsonb_object_agg(resource, true)
+           FROM system_perms WHERE direct_read), '{}'::jsonb
+    ),
+    'system_direct_writes', coalesce(
+        (SELECT jsonb_object_agg(resource, true)
+           FROM system_perms WHERE direct_write), '{}'::jsonb
+    ),
+    'system_direct_updates', coalesce(
+        (SELECT jsonb_object_agg(resource, true)
+           FROM system_perms WHERE direct_update), '{}'::jsonb
+    ),
+    'system_direct_deletes', coalesce(
+        (SELECT jsonb_object_agg(resource, true)
+           FROM system_perms WHERE direct_delete), '{}'::jsonb
+    ),
     'memberships', coalesce(
         (SELECT jsonb_agg(jsonb_build_object(
             'company_id', m.company_id,
@@ -354,6 +419,30 @@ AS $$
                    FROM company_perms cp
                   WHERE cp.company_id = m.company_id),
                 '{}'::jsonb
+            ),
+            'direct_reads', coalesce(
+                (SELECT jsonb_object_agg(cp.resource, true)
+                   FROM company_perms cp
+                  WHERE cp.company_id = m.company_id AND cp.direct_read),
+                '{}'::jsonb
+            ),
+            'direct_writes', coalesce(
+                (SELECT jsonb_object_agg(cp.resource, true)
+                   FROM company_perms cp
+                  WHERE cp.company_id = m.company_id AND cp.direct_write),
+                '{}'::jsonb
+            ),
+            'direct_updates', coalesce(
+                (SELECT jsonb_object_agg(cp.resource, true)
+                   FROM company_perms cp
+                  WHERE cp.company_id = m.company_id AND cp.direct_update),
+                '{}'::jsonb
+            ),
+            'direct_deletes', coalesce(
+                (SELECT jsonb_object_agg(cp.resource, true)
+                   FROM company_perms cp
+                  WHERE cp.company_id = m.company_id AND cp.direct_delete),
+                '{}'::jsonb
             )
          )) FROM memberships m),
         '[]'::jsonb
@@ -361,6 +450,52 @@ AS $$
   );
 $$;
 
+-- 0.4.0+. Matrix-UI cascade helper. Returns the (child, action) pairs
+-- that should be materialised when an admin toggles
+-- (parent_resource, p_action) on for a role.
+CREATE OR REPLACE FUNCTION rbac.list_implied_grants(
+    p_parent_resource text,
+    p_action          text
+) RETURNS TABLE (child_resource text, action text)
+LANGUAGE sql
+STABLE
+SET search_path = rbac, public
+AS $$
+    SELECT d.child_resource, d.action
+      FROM rbac.resource_dependencies d
+     WHERE d.parent_resource = p_parent_resource
+       AND d.action          = p_action;
+$$;
+
+-- 0.4.0+. Atomic replace-all for the dependency graph. The admin
+-- transport calls this on every `syncResources()` so removed
+-- `dependsOn` edges actually disappear from the table. Argument is
+-- a JSONB array of `{ parent_resource, child_resource, action }`
+-- objects.
+CREATE OR REPLACE FUNCTION rbac.replace_resource_dependencies(
+    p_edges jsonb
+) RETURNS int
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = rbac, public
+AS $$
+DECLARE
+    v_count int;
+BEGIN
+    DELETE FROM rbac.resource_dependencies;
+    INSERT INTO rbac.resource_dependencies (
+        parent_resource, child_resource, action
+    )
+    SELECT e->>'parent_resource',
+           e->>'child_resource',
+           e->>'action'
+      FROM jsonb_array_elements(coalesce(p_edges, '[]'::jsonb)) AS e
+     ON CONFLICT (parent_resource, child_resource, action) DO NOTHING;
+    GET DIAGNOSTICS v_count = ROW_COUNT;
+    RETURN v_count;
+END;
+$$;
+
 -- ─────────────────────────────────────────────────────────────────
 -- 7b. Template defaults — pre-fill role_permissions from a JSONB
 -- pattern carried on the role row. Run after sync_resources() so