snipe-auth-rbac 0.3.1 → 0.4.1

package/sql/0001_initial.sql

@@ -138,9 +138,44 @@ CREATE TABLE IF NOT EXISTS rbac.role_permissions (
     can_write   boolean NOT NULL DEFAULT false,
     can_update  boolean NOT NULL DEFAULT false,
     can_delete  boolean NOT NULL DEFAULT false,
+    -- 0.4.0+. Per-action origin tracking. NULL = direct admin grant;
+    -- non-NULL = name of the parent resource whose `dependsOn` edge
+    -- caused this cell to be materialised. The matrix UI reads this
+    -- to render the "Implied by …" badge; the resolver and
+    -- `rbac.user_can(...)` SQL function ignore the columns entirely
+    -- (flat matrix lookups are unchanged so RLS stays performant).
+    read_granted_via   text,
+    write_granted_via  text,
+    update_granted_via text,
+    delete_granted_via text,
     PRIMARY KEY (role_id, resource)
 );
 
+-- Backfill for adopters upgrading from 0.3.x.
+ALTER TABLE rbac.role_permissions
+    ADD COLUMN IF NOT EXISTS read_granted_via   text,
+    ADD COLUMN IF NOT EXISTS write_granted_via  text,
+    ADD COLUMN IF NOT EXISTS update_granted_via text,
+    ADD COLUMN IF NOT EXISTS delete_granted_via text;
+
+-- 0.4.0+. Dependent-read graph. One row per (parent, child, action)
+-- cascade edge. The host registry's `dependsOn` arrays get
+-- materialised here by `service.syncResources()` on app boot. The
+-- admin matrix UI consults this on every toggle-on to decide which
+-- implied rows to write alongside the parent.
+--
+-- The resolver does NOT read this table at runtime — implied rows
+-- live on `rbac.role_permissions` and look identical to direct
+-- grants at the policy layer. This keeps RLS flat and fast.
+CREATE TABLE IF NOT EXISTS rbac.resource_dependencies (
+    parent_resource text    NOT NULL REFERENCES rbac.resources(resource) ON DELETE CASCADE,
+    child_resource  text    NOT NULL REFERENCES rbac.resources(resource) ON DELETE CASCADE,
+    action          text    NOT NULL CHECK (action IN ('read','write','update','delete')),
+    created_at      timestamptz NOT NULL DEFAULT now(),
+    PRIMARY KEY (parent_resource, child_resource, action),
+    CONSTRAINT resource_dependencies_no_self CHECK (parent_resource <> child_resource)
+);
+
 CREATE OR REPLACE FUNCTION rbac.check_role_resource_scope()
 RETURNS trigger
 LANGUAGE plpgsql
@@ -289,12 +324,20 @@ AS $$
       JOIN rbac.roles r ON r.id = usr.role_id
      WHERE usr.user_id = p_user_id
   ),
+  -- 0.4.0+. Per-action direct grants are aggregated alongside the
+  -- regular permission booleans. Direct = action true AND its
+  -- granted_via is NULL on at least one of the user's roles. bool_or
+  -- across roles gives "any role grants this directly".
   system_perms AS (
     SELECT rp.resource,
            bool_or(rp.can_read)   AS can_read,
            bool_or(rp.can_write)  AS can_write,
            bool_or(rp.can_update) AS can_update,
-           bool_or(rp.can_delete) AS can_delete
+           bool_or(rp.can_delete) AS can_delete,
+           bool_or(rp.can_read   AND rp.read_granted_via   IS NULL) AS direct_read,
+           bool_or(rp.can_write  AND rp.write_granted_via  IS NULL) AS direct_write,
+           bool_or(rp.can_update AND rp.update_granted_via IS NULL) AS direct_update,
+           bool_or(rp.can_delete AND rp.delete_granted_via IS NULL) AS direct_delete
       FROM rbac.user_system_roles usr
       JOIN rbac.role_permissions rp ON rp.role_id = usr.role_id
      WHERE usr.user_id = p_user_id
@@ -320,7 +363,11 @@ AS $$
            bool_or(rp.can_read)   AS can_read,
            bool_or(rp.can_write)  AS can_write,
            bool_or(rp.can_update) AS can_update,
-           bool_or(rp.can_delete) AS can_delete
+           bool_or(rp.can_delete) AS can_delete,
+           bool_or(rp.can_read   AND rp.read_granted_via   IS NULL) AS direct_read,
+           bool_or(rp.can_write  AND rp.write_granted_via  IS NULL) AS direct_write,
+           bool_or(rp.can_update AND rp.update_granted_via IS NULL) AS direct_update,
+           bool_or(rp.can_delete AND rp.delete_granted_via IS NULL) AS direct_delete
       FROM rbac.user_company_roles ucr
       JOIN rbac.role_permissions rp ON rp.role_id = ucr.role_id
      WHERE ucr.user_id = p_user_id
@@ -340,6 +387,24 @@ AS $$
          )) FROM system_perms),
         '{}'::jsonb
     ),
+    -- 0.4.0+. Per-action direct-grant maps. Drives canAccessSection()
+    -- on the client side for top-level nav / list-page gating.
+    'system_direct_reads', coalesce(
+        (SELECT jsonb_object_agg(resource, true)
+           FROM system_perms WHERE direct_read), '{}'::jsonb
+    ),
+    'system_direct_writes', coalesce(
+        (SELECT jsonb_object_agg(resource, true)
+           FROM system_perms WHERE direct_write), '{}'::jsonb
+    ),
+    'system_direct_updates', coalesce(
+        (SELECT jsonb_object_agg(resource, true)
+           FROM system_perms WHERE direct_update), '{}'::jsonb
+    ),
+    'system_direct_deletes', coalesce(
+        (SELECT jsonb_object_agg(resource, true)
+           FROM system_perms WHERE direct_delete), '{}'::jsonb
+    ),
     'memberships', coalesce(
         (SELECT jsonb_agg(jsonb_build_object(
             'company_id', m.company_id,
@@ -354,6 +419,30 @@ AS $$
                    FROM company_perms cp
                   WHERE cp.company_id = m.company_id),
                 '{}'::jsonb
+            ),
+            'direct_reads', coalesce(
+                (SELECT jsonb_object_agg(cp.resource, true)
+                   FROM company_perms cp
+                  WHERE cp.company_id = m.company_id AND cp.direct_read),
+                '{}'::jsonb
+            ),
+            'direct_writes', coalesce(
+                (SELECT jsonb_object_agg(cp.resource, true)
+                   FROM company_perms cp
+                  WHERE cp.company_id = m.company_id AND cp.direct_write),
+                '{}'::jsonb
+            ),
+            'direct_updates', coalesce(
+                (SELECT jsonb_object_agg(cp.resource, true)
+                   FROM company_perms cp
+                  WHERE cp.company_id = m.company_id AND cp.direct_update),
+                '{}'::jsonb
+            ),
+            'direct_deletes', coalesce(
+                (SELECT jsonb_object_agg(cp.resource, true)
+                   FROM company_perms cp
+                  WHERE cp.company_id = m.company_id AND cp.direct_delete),
+                '{}'::jsonb
             )
          )) FROM memberships m),
         '[]'::jsonb
@@ -361,6 +450,52 @@ AS $$
   );
 $$;
 
+-- 0.4.0+. Matrix-UI cascade helper. Returns the (child, action) pairs
+-- that should be materialised when an admin toggles
+-- (parent_resource, p_action) on for a role.
+CREATE OR REPLACE FUNCTION rbac.list_implied_grants(
+    p_parent_resource text,
+    p_action          text
+) RETURNS TABLE (child_resource text, action text)
+LANGUAGE sql
+STABLE
+SET search_path = rbac, public
+AS $$
+    SELECT d.child_resource, d.action
+      FROM rbac.resource_dependencies d
+     WHERE d.parent_resource = p_parent_resource
+       AND d.action          = p_action;
+$$;
+
+-- 0.4.0+. Atomic replace-all for the dependency graph. The admin
+-- transport calls this on every `syncResources()` so removed
+-- `dependsOn` edges actually disappear from the table. Argument is
+-- a JSONB array of `{ parent_resource, child_resource, action }`
+-- objects.
+CREATE OR REPLACE FUNCTION rbac.replace_resource_dependencies(
+    p_edges jsonb
+) RETURNS int
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = rbac, public
+AS $$
+DECLARE
+    v_count int;
+BEGIN
+    DELETE FROM rbac.resource_dependencies;
+    INSERT INTO rbac.resource_dependencies (
+        parent_resource, child_resource, action
+    )
+    SELECT e->>'parent_resource',
+           e->>'child_resource',
+           e->>'action'
+      FROM jsonb_array_elements(coalesce(p_edges, '[]'::jsonb)) AS e
+     ON CONFLICT (parent_resource, child_resource, action) DO NOTHING;
+    GET DIAGNOSTICS v_count = ROW_COUNT;
+    RETURN v_count;
+END;
+$$;
+
 -- ─────────────────────────────────────────────────────────────────
 -- 7b. Template defaults — pre-fill role_permissions from a JSONB
 -- pattern carried on the role row. Run after sync_resources() so

package/dist/chunk-C76JHCKM.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/client.ts"],"sourcesContent":["/**\n * Transport-agnostic client: turns an adopter-supplied\n * `AuthRbacFetcher` into a permission resolver. The React provider\n * wraps this; non-React consumers (Node scripts, edge functions)\n * can use it directly.\n */\n\nimport type {\n  Action,\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  UserProfile,\n} from \"./types.js\";\n\nexport interface AuthRbacClientOptions {\n  fetcher: AuthRbacFetcher;\n  /**\n   * The host project's full resource list. Required so the resolver\n   * can look up a resource's scope without a DB round-trip per call.\n   * Re-using the same array the host syncs into the\n   * `rbac.resources` table at boot keeps everything in lockstep.\n   */\n  resources: ResourceRegistry;\n}\n\nexport interface CanOptions {\n  /**\n   * Override the active company. Omit to use the company the\n   * caller has currently activated (the React provider tracks\n   * this; for direct client use you must pass it).\n   */\n  companyId?: string | null;\n}\n\n/**\n * Pure resolver. Given a hydrated profile it answers boolean\n * questions instantly — no I/O. The `resourceMap` is built once at\n * construction so per-call work is two map lookups.\n */\nexport function buildPermissionResolver(\n  resources: ResourceRegistry,\n  profile: UserProfile,\n  defaultCompanyId: string | null,\n) {\n  const scopeByResource = new Map<string, ResourceScope>(\n    resources.map((r) => [r.resource, r.scope]),\n  );\n\n  const can = (\n    resource: string,\n    action: Action,\n    options?: CanOptions,\n  ): boolean => {\n    if (profile.is_super_admin) {\n      return true;\n    }\n    const scope = scopeByResource.get(resource);\n    if (!scope) {\n      // Unknown resource — fail closed.\n      return false;\n    }\n    if (scope === \"system\") {\n      return readGrid(profile.system_permissions, resource, action);\n    }\n    const companyId = options?.companyId ?? defaultCompanyId;\n    if (!companyId) {\n      return false;\n    }\n    const membership = profile.memberships.find(\n      (m) => m.company_id === companyId,\n    );\n    if (!membership) {\n      return false;\n    }\n    return readGrid(membership.permissions, resource, action);\n  };\n\n  return {\n    can,\n    /** Permission map for the active (or specified) company. */\n    activePermissions: (companyId?: string | null): PermissionMap => {\n      const id = companyId ?? defaultCompanyId;\n      if (!id) {\n        return {};\n      }\n      return (\n        profile.memberships.find((m) => m.company_id === id)?.permissions ?? {}\n      );\n    },\n    systemPermissions: (): PermissionMap => profile.system_permissions,\n  };\n}\n\nfunction readGrid(\n  map: PermissionMap,\n  resource: string,\n  action: Action,\n): boolean {\n  const grid = map[resource];\n  if (!grid) {\n    return false;\n  }\n  return grid[action];\n}\n\n/**\n * Helper: groups a resource registry by `group` for the matrix UI.\n * Returns groups in insertion order with their resources.\n */\nexport function groupResources(\n  registry: ResourceRegistry,\n): Array<{ group: string; resources: ResourceDescriptor[] }> {\n  const order: string[] = [];\n  const buckets = new Map<string, ResourceDescriptor[]>();\n  for (const r of registry) {\n    const key = r.group ?? \"Sonstige\";\n    if (!buckets.has(key)) {\n      buckets.set(key, []);\n      order.push(key);\n    }\n    buckets.get(key)!.push(r);\n  }\n  return order.map((g) => ({ group: g, resources: buckets.get(g)! }));\n}\n\nexport type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;\nexport type { AuthRbacClientOptions as ClientOptions };\n"],"mappings":";AA0CO,SAAS,wBACd,WACA,SACA,kBACA;AACA,QAAM,kBAAkB,IAAI;AAAA,IAC1B,UAAU,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC;AAAA,EAC5C;AAEA,QAAM,MAAM,CACV,UACA,QACA,YACY;AACZ,QAAI,QAAQ,gBAAgB;AAC1B,aAAO;AAAA,IACT;AACA,UAAM,QAAQ,gBAAgB,IAAI,QAAQ;AAC1C,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AACA,QAAI,UAAU,UAAU;AACtB,aAAO,SAAS,QAAQ,oBAAoB,UAAU,MAAM;AAAA,IAC9D;AACA,UAAM,YAAY,SAAS,aAAa;AACxC,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,IACT;AACA,UAAM,aAAa,QAAQ,YAAY;AAAA,MACrC,CAAC,MAAM,EAAE,eAAe;AAAA,IAC1B;AACA,QAAI,CAAC,YAAY;AACf,aAAO;AAAA,IACT;AACA,WAAO,SAAS,WAAW,aAAa,UAAU,MAAM;AAAA,EAC1D;AAEA,SAAO;AAAA,IACL;AAAA;AAAA,IAEA,mBAAmB,CAAC,cAA6C;AAC/D,YAAM,KAAK,aAAa;AACxB,UAAI,CAAC,IAAI;AACP,eAAO,CAAC;AAAA,MACV;AACA,aACE,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,eAAe,CAAC;AAAA,IAE1E;AAAA,IACA,mBAAmB,MAAqB,QAAQ;AAAA,EAClD;AACF;AAEA,SAAS,SACP,KACA,UACA,QACS;AACT,QAAM,OAAO,IAAI,QAAQ;AACzB,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,EACT;AACA,SAAO,KAAK,MAAM;AACpB;AAMO,SAAS,eACd,UAC2D;AAC3D,QAAM,QAAkB,CAAC;AACzB,QAAM,UAAU,oBAAI,IAAkC;AACtD,aAAW,KAAK,UAAU;AACxB,UAAM,MAAM,EAAE,SAAS;AACvB,QAAI,CAAC,QAAQ,IAAI,GAAG,GAAG;AACrB,cAAQ,IAAI,KAAK,CAAC,CAAC;AACnB,YAAM,KAAK,GAAG;AAAA,IAChB;AACA,YAAQ,IAAI,GAAG,EAAG,KAAK,CAAC;AAAA,EAC1B;AACA,SAAO,MAAM,IAAI,CAAC,OAAO,EAAE,OAAO,GAAG,WAAW,QAAQ,IAAI,CAAC,EAAG,EAAE;AACpE;","names":[]}

package/dist/chunk-NRDW233A.js

@@ -1,69 +0,0 @@
-// src/fetchers.ts
-function createSupabaseFetcher(opts) {
-  return {
-    async fetchProfile() {
-      const { data, error } = await opts.supabase.schema("rbac").rpc(
-        "user_profile",
-        { p_user_id: opts.userId }
-      );
-      if (error) {
-        throw new Error(
-          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`
-        );
-      }
-      return normalizeProfile(data);
-    }
-  };
-}
-async function detectRbacSchema(supabase) {
-  try {
-    const { error } = await supabase.schema("rbac").rpc("user_can", {
-      p_user_id: "00000000-0000-0000-0000-000000000000",
-      p_resource: "__rbac_self_check__",
-      p_action: "read",
-      p_company_id: null
-    });
-    return error === null;
-  } catch {
-    return false;
-  }
-}
-function createHttpFetcher(opts) {
-  const fetchImpl = opts.fetch ?? globalThis.fetch;
-  return {
-    async fetchProfile() {
-      const res = await fetchImpl(opts.url, opts.init);
-      if (!res.ok) {
-        throw new Error(
-          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`
-        );
-      }
-      const json = await res.json();
-      return normalizeProfile(json);
-    }
-  };
-}
-function normalizeProfile(raw) {
-  if (!raw || typeof raw !== "object") {
-    throw new Error("auth-rbac: profile payload is not an object");
-  }
-  const p = raw;
-  if (typeof p.user_id !== "string") {
-    throw new Error("auth-rbac: profile payload missing user_id");
-  }
-  return {
-    user_id: p.user_id,
-    is_super_admin: !!p.is_super_admin,
-    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],
-    system_permissions: p.system_permissions && typeof p.system_permissions === "object" ? p.system_permissions : {},
-    system_frontend_config: p.system_frontend_config && typeof p.system_frontend_config === "object" ? p.system_frontend_config : {},
-    memberships: Array.isArray(p.memberships) ? p.memberships : []
-  };
-}
-
-export {
-  createSupabaseFetcher,
-  detectRbacSchema,
-  createHttpFetcher
-};
-//# sourceMappingURL=chunk-NRDW233A.js.map

package/dist/chunk-NRDW233A.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/fetchers.ts"],"sourcesContent":["/**\n * Built-in fetchers — adopters can use these or pass their own\n * implementation of `AuthRbacFetcher`.\n */\n\nimport type { AuthRbacFetcher, UserProfile } from \"./types.js\";\n\n/**\n * Calls the package's SQL function `rbac.user_profile(uuid)` via\n * a Supabase JS client. Easiest path when the host project already\n * uses Supabase.\n *\n * The function lives in the dedicated `rbac` Postgres schema, so the\n * adopter must add `rbac` to their PostgREST exposed-schemas list\n * (Supabase Studio → Settings → API → Exposed schemas) for the\n * `.schema('rbac')` call below to reach it.\n *\n * @example\n * createSupabaseFetcher({ supabase, userId: session.user.id })\n */\nexport function createSupabaseFetcher(opts: {\n  supabase: {\n    schema: (name: string) => {\n      rpc: (\n        fn: string,\n        args: Record<string, unknown>,\n      ) => Promise<{ data: unknown; error: { message: string } | null }>;\n    };\n  };\n  userId: string;\n}): AuthRbacFetcher {\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const { data, error } = await opts.supabase.schema(\"rbac\").rpc(\n        \"user_profile\",\n        { p_user_id: opts.userId },\n      );\n      if (error) {\n        throw new Error(\n          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`,\n        );\n      }\n      return normalizeProfile(data);\n    },\n  };\n}\n\n/**\n * Cheap probe — returns true if the package's `rbac` schema looks\n * reachable. Useful at app start to fail loudly if the migration\n * hasn't been applied OR if `rbac` isn't in the project's PostgREST\n * exposed-schemas list.\n *\n * @example\n * if (!(await detectRbacSchema(supabase))) {\n *   console.error(\"rbac schema not reachable — apply 0001_initial.sql\");\n * }\n */\nexport async function detectRbacSchema(supabase: {\n  schema: (name: string) => {\n    rpc: (\n      fn: string,\n      args: Record<string, unknown>,\n    ) => Promise<{ data: unknown; error: { message: string } | null }>;\n  };\n}): Promise<boolean> {\n  try {\n    const { error } = await supabase.schema(\"rbac\").rpc(\"user_can\", {\n      p_user_id: \"00000000-0000-0000-0000-000000000000\",\n      p_resource: \"__rbac_self_check__\",\n      p_action: \"read\",\n      p_company_id: null,\n    });\n    return error === null;\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Calls a regular HTTP endpoint that returns a `UserProfile` JSON\n * payload. Use this when the host project has its own backend that\n * wraps the package's Python helpers (or any equivalent).\n *\n * @example\n * createHttpFetcher({ url: \"/api/users/me/profile\" })\n */\nexport function createHttpFetcher(opts: {\n  url: string;\n  /** Forwarded as-is to `fetch`. Use this to attach auth headers. */\n  init?: RequestInit;\n  /** Override the global `fetch` if you're in a non-browser env. */\n  fetch?: typeof fetch;\n}): AuthRbacFetcher {\n  const fetchImpl = opts.fetch ?? globalThis.fetch;\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const res = await fetchImpl(opts.url, opts.init);\n      if (!res.ok) {\n        throw new Error(\n          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`,\n        );\n      }\n      const json = (await res.json()) as unknown;\n      return normalizeProfile(json);\n    },\n  };\n}\n\n/**\n * Defensive normalisation: the Supabase RPC returns whatever the SQL\n * function emitted. We coerce missing fields into the empty defaults\n * so consumers can iterate without null checks. Throws if the shape\n * is unrecognisable.\n */\nfunction normalizeProfile(raw: unknown): UserProfile {\n  if (!raw || typeof raw !== \"object\") {\n    throw new Error(\"auth-rbac: profile payload is not an object\");\n  }\n  const p = raw as Partial<UserProfile> & Record<string, unknown>;\n  if (typeof p.user_id !== \"string\") {\n    throw new Error(\"auth-rbac: profile payload missing user_id\");\n  }\n  return {\n    user_id: p.user_id,\n    is_super_admin: !!p.is_super_admin,\n    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],\n    system_permissions:\n      p.system_permissions && typeof p.system_permissions === \"object\"\n        ? (p.system_permissions as UserProfile[\"system_permissions\"])\n        : {},\n    system_frontend_config:\n      p.system_frontend_config && typeof p.system_frontend_config === \"object\"\n        ? (p.system_frontend_config as UserProfile[\"system_frontend_config\"])\n        : {},\n    memberships: Array.isArray(p.memberships)\n      ? (p.memberships as UserProfile[\"memberships\"])\n      : [],\n  };\n}\n"],"mappings":";AAoBO,SAAS,sBAAsB,MAUlB;AAClB,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAAS,OAAO,MAAM,EAAE;AAAA,QACzD;AAAA,QACA,EAAE,WAAW,KAAK,OAAO;AAAA,MAC3B;AACA,UAAI,OAAO;AACT,cAAM,IAAI;AAAA,UACR,4DAA4D,MAAM,OAAO;AAAA,QAC3E;AAAA,MACF;AACA,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAaA,eAAsB,iBAAiB,UAOlB;AACnB,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,SAAS,OAAO,MAAM,EAAE,IAAI,YAAY;AAAA,MAC9D,WAAW;AAAA,MACX,YAAY;AAAA,MACZ,UAAU;AAAA,MACV,cAAc;AAAA,IAChB,CAAC;AACD,WAAO,UAAU;AAAA,EACnB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAUO,SAAS,kBAAkB,MAMd;AAClB,QAAM,YAAY,KAAK,SAAS,WAAW;AAC3C,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,MAAM,MAAM,UAAU,KAAK,KAAK,KAAK,IAAI;AAC/C,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI;AAAA,UACR,+BAA+B,KAAK,GAAG,aAAa,IAAI,MAAM;AAAA,QAChE;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAQA,SAAS,iBAAiB,KAA2B;AACnD,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,SAAO;AAAA,IACL,SAAS,EAAE;AAAA,IACX,gBAAgB,CAAC,CAAC,EAAE;AAAA,IACpB,cAAc,MAAM,QAAQ,EAAE,YAAY,IAAI,EAAE,eAAe,CAAC;AAAA,IAChE,oBACE,EAAE,sBAAsB,OAAO,EAAE,uBAAuB,WACnD,EAAE,qBACH,CAAC;AAAA,IACP,wBACE,EAAE,0BAA0B,OAAO,EAAE,2BAA2B,WAC3D,EAAE,yBACH,CAAC;AAAA,IACP,aAAa,MAAM,QAAQ,EAAE,WAAW,IACnC,EAAE,cACH,CAAC;AAAA,EACP;AACF;","names":[]}

package/dist/types-DxvFudPF.d.cts

@@ -1,69 +0,0 @@
-/**
- * Core types — used by both the transport-agnostic client and the
- * React layer. Adopters that don't use React only need to depend on
- * the `index` entry; the `react` entry's types extend these.
- */
-type Action = "read" | "write" | "update" | "delete";
-type ResourceScope = "system" | "company";
-interface ResourceDescriptor {
-    resource: string;
-    scope: ResourceScope;
-    label: string;
-    description?: string;
-    group?: string;
-}
-interface RoleSummary {
-    id: string;
-    name: string;
-    is_system?: boolean;
-    is_super?: boolean;
-    frontend_config?: FrontendConfig;
-}
-/**
- * Free-form per-role config that the host project can interpret as
- * it sees fit. A typical shape includes `sidebar` (list of section
- * keys), `default_dashboard` (string), `home_route` (string).
- */
-type FrontendConfig = Record<string, unknown>;
-interface PermissionGrid {
-    read: boolean;
-    write: boolean;
-    update: boolean;
-    delete: boolean;
-}
-type PermissionMap = Record<string, PermissionGrid>;
-interface CompanyMembership {
-    company_id: string;
-    company_name: string;
-    company_slug?: string | null;
-    roles: RoleSummary[];
-    permissions: PermissionMap;
-    /** Merged frontend_config across all roles the user holds in this company. */
-    frontend_config: FrontendConfig;
-}
-interface UserProfile {
-    user_id: string;
-    is_super_admin: boolean;
-    system_roles: RoleSummary[];
-    system_permissions: PermissionMap;
-    /** Merged frontend_config across all of the user's system roles. */
-    system_frontend_config: FrontendConfig;
-    memberships: CompanyMembership[];
-}
-/**
- * Adopter-supplied transport. Two flavours are supported out of the
- * box:
- *
- *  1. Pass a Supabase client + a JWT-derived `user_id` and the
- *     library calls the package's SQL RPC `rbac.user_profile`.
- *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
- *     and the library calls that. Use this when your backend serves
- *     a custom `/api/users/me/profile` endpoint or when you don't
- *     run Supabase at all.
- */
-interface AuthRbacFetcher {
-    fetchProfile(): Promise<UserProfile>;
-}
-type ResourceRegistry = ReadonlyArray<ResourceDescriptor>;
-
-export type { Action as A, CompanyMembership as C, FrontendConfig as F, PermissionGrid as P, ResourceScope as R, UserProfile as U, ResourceDescriptor as a, AuthRbacFetcher as b, ResourceRegistry as c, PermissionMap as d, RoleSummary as e };

package/dist/types-DxvFudPF.d.ts

@@ -1,69 +0,0 @@
-/**
- * Core types — used by both the transport-agnostic client and the
- * React layer. Adopters that don't use React only need to depend on
- * the `index` entry; the `react` entry's types extend these.
- */
-type Action = "read" | "write" | "update" | "delete";
-type ResourceScope = "system" | "company";
-interface ResourceDescriptor {
-    resource: string;
-    scope: ResourceScope;
-    label: string;
-    description?: string;
-    group?: string;
-}
-interface RoleSummary {
-    id: string;
-    name: string;
-    is_system?: boolean;
-    is_super?: boolean;
-    frontend_config?: FrontendConfig;
-}
-/**
- * Free-form per-role config that the host project can interpret as
- * it sees fit. A typical shape includes `sidebar` (list of section
- * keys), `default_dashboard` (string), `home_route` (string).
- */
-type FrontendConfig = Record<string, unknown>;
-interface PermissionGrid {
-    read: boolean;
-    write: boolean;
-    update: boolean;
-    delete: boolean;
-}
-type PermissionMap = Record<string, PermissionGrid>;
-interface CompanyMembership {
-    company_id: string;
-    company_name: string;
-    company_slug?: string | null;
-    roles: RoleSummary[];
-    permissions: PermissionMap;
-    /** Merged frontend_config across all roles the user holds in this company. */
-    frontend_config: FrontendConfig;
-}
-interface UserProfile {
-    user_id: string;
-    is_super_admin: boolean;
-    system_roles: RoleSummary[];
-    system_permissions: PermissionMap;
-    /** Merged frontend_config across all of the user's system roles. */
-    system_frontend_config: FrontendConfig;
-    memberships: CompanyMembership[];
-}
-/**
- * Adopter-supplied transport. Two flavours are supported out of the
- * box:
- *
- *  1. Pass a Supabase client + a JWT-derived `user_id` and the
- *     library calls the package's SQL RPC `rbac.user_profile`.
- *  2. Pass a plain `fetcher` (anything that resolves a `UserProfile`)
- *     and the library calls that. Use this when your backend serves
- *     a custom `/api/users/me/profile` endpoint or when you don't
- *     run Supabase at all.
- */
-interface AuthRbacFetcher {
-    fetchProfile(): Promise<UserProfile>;
-}
-type ResourceRegistry = ReadonlyArray<ResourceDescriptor>;
-
-export type { Action as A, CompanyMembership as C, FrontendConfig as F, PermissionGrid as P, ResourceScope as R, UserProfile as U, ResourceDescriptor as a, AuthRbacFetcher as b, ResourceRegistry as c, PermissionMap as d, RoleSummary as e };