fastapi-rbac-authz 0.3.0__tar.gz → 0.5.0__tar.gz

{fastapi_rbac_authz-0.3.0 → fastapi_rbac_authz-0.5.0}/CLAUDE.md

@@ -30,6 +30,7 @@ poetry build
 
 **IMPORTANT:** Always run pre-commit after making any code changes:
 ```bash
+source .venv/bin/activate
 pre-commit run --all-files
 ```
 This runs ruff (linting + formatting) and mypy (type checking on fastapi_rbac).
@@ -38,29 +39,29 @@ This runs ruff (linting + formatting) and mypy (type checking on fastapi_rbac).
 
 ### Core Components
 
-**RBACAuthz[UserT]** (`core.py`) - Main configuration class that attaches to FastAPI app. Configures role-to-permission mappings, user dependency injection, and optional visualization UI.
+**RBACAuthz** (`core.py`) - Main configuration class that attaches to FastAPI app. Configures role-to-permission mappings, roles dependency injection, and optional visualization UI. Takes a `roles_dependency` that returns `set[str]`.
 
 **RBACRouter** (`router.py`) - Extended APIRouter with permission decorators (`@router.get(permissions=..., contexts=...)`). Supports default permissions at router level with per-endpoint overrides. Stores endpoint metadata for UI introspection.
 
 **Permission System** (`permissions.py`) - Two scopes: `Global` (bypasses context checks) and `Contextual` (requires context validation). Supports wildcard matching (`resource:*` matches `resource:read`). Wildcards only allowed in role grants, not endpoint requirements.
 
-**ContextualAuthz[UserT]** (`context.py`) - Abstract base class for context-specific authorization. Subclasses are FastAPI dependencies that implement `async has_permissions() -> bool`. Supports full FastAPI DI in `__init__`. Context classes should use `Annotated[User, Depends(RBACUser)]` for the user parameter.
+**ContextualAuthz** (`context.py`) - Abstract base class for context-specific authorization. Subclasses are FastAPI dependencies that implement `async has_permissions() -> bool`. Supports full FastAPI DI in `__init__`. Context classes are responsible for their own authentication via `Annotated[User, Depends(get_current_user)]`.
 
-**Dependencies** (`dependencies.py`) - Creates FastAPI dependencies for auth and authz. Uses `dependency_overrides` pattern for user dependency injection. Manipulates function signatures dynamically via `inspect.Signature`.
+**Dependencies** (`dependencies.py`) - Creates FastAPI dependencies for auth and authz. Uses `dependency_overrides` pattern for roles dependency injection. Manipulates function signatures dynamically via `inspect.Signature`.
 
 **UI System** (`ui/`) - Cytoscape.js visualization mounted at configurable path. Introspects RBAC configuration to display role → permission → endpoint ← context relationships.
 
 ### Key Patterns
 
-- **Request State**: User stored in `request.state.user`, RBAC config in `app.state.rbac`, routers in `app.state._rbac_routers_`
+- **Request State**: RBAC config in `app.state.rbac`, routers in `app.state.rbac.routers`
 - **Metadata Tracking**: Endpoints store `_rbac_metadata_` attribute; routers track `endpoint_metadata[(path, method)]`
-- **Permission Resolution**: Extract roles → resolve grants → check global permissions first → run contextual checks only if needed
-- **Type Safety**: Strict mypy with full generics (`RBACAuthz[UserT]`, `ContextualAuthz[UserT]`)
+- **Permission Resolution**: Roles dependency returns roles → resolve grants → check global permissions first → run contextual checks only if needed
+- **Simplified Auth**: The library only needs roles (`set[str]`), not a user object. Context classes handle their own auth via FastAPI DI.
 
 ### Public API (from `__init__.py`)
 
 ```python
-RBACAuthz, RBACRouter, RBACUser, ContextualAuthz
+RBACAuthz, RBACRouter, ContextualAuthz
 Global, Contextual, PermissionGrant, PermissionScope
-Forbidden, create_auth_dependency, create_authz_dependency, evaluate_permissions
+Forbidden, create_authz_dependency
 ```

{fastapi_rbac_authz-0.3.0 → fastapi_rbac_authz-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fastapi-rbac-authz
-Version: 0.3.0
+Version: 0.5.0
 Summary: Role-based access control with contextual authorization for FastAPI
 Project-URL: Homepage, https://github.com/parikls/fastapi-rbac
 Author-email: Dmytro Smyk <porovozls@gmail.com>
@@ -24,6 +24,14 @@ Description-Content-Type: text/markdown
 
 Role-based access control with contextual authorization for FastAPI.
 
+Library IS NOT responsible for authentication. You can use any authentication mechanism you want.
+
+  What you need to provide:
+  - A dependency that returns the authenticated user's roles as `set[str]`
+  - Permission definitions per role
+  - Use `RBACRouter` instead of `APIRouter` for protected routes
+  - Define permissions and context checks per endpoint
+
 ## Installation
 
 ```bash
@@ -36,16 +44,26 @@ pip install fastapi-rbac-authz
 from typing import Annotated
 from fastapi import Depends, FastAPI
 from fastapi_rbac import (
-    RBACAuthz, RBACRouter, Global, Contextual, ContextualAuthz, RBACUser
+    RBACAuthz, RBACRouter, Global, Contextual, ContextualAuthz
 )
 
-# 1. Define your user model
+# 1. You might have your user model (or you may not, we don't care)
 class User:
     def __init__(self, user_id: str, roles: set[str]):
         self.user_id = user_id
         self.roles = roles
 
-# 2. Define role permissions
+# 2. Assuming you have your own dependency that returns a user instance
+async def get_current_user() -> User:
+    # Your authentication logic here
+    return User(user_id="user-1", roles={"viewer"})
+
+# 3. Dependency that library **REQUIRES**. **MUST** return a set of user roles
+async def get_current_user_roles() -> set[str]:
+    user = await get_current_user()
+    return user.roles
+
+# 4. Define your roles permissions
 PERMISSIONS = {
     "admin": {
         Global("report:*"),         # Admin can do anything with reports
@@ -55,13 +73,12 @@ PERMISSIONS = {
     },
 }
 
-# 3. Create a context check (for contextual permissions)
-# All __init__ params are injected by FastAPI's DI system
-class ReportAccessContext(ContextualAuthz[User]):
+# 5. Create context authorization checks
+class ReportAccessContext(ContextualAuthz):
     def __init__(
         self,
         report_id: int,  # <-- Injected from path parameter
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],  # Your own way how to get the user if you need it
     ):
         self.user = user
         self.report_id = report_id
@@ -71,22 +88,17 @@ class ReportAccessContext(ContextualAuthz[User]):
         allowed_reports = {1, 2, 3}  # e.g., query from database
         return self.report_id in allowed_reports
 
-# 4. Create your app and configure RBAC
+# 6. Configure RBAC
 app = FastAPI()
 
-async def get_current_user() -> User:
-    # Your authentication logic here
-    return User(user_id="user-1", roles={"viewer"})
-
 RBACAuthz(
     app,
-    get_roles=lambda u: u.roles,
     permissions=PERMISSIONS,
-    user_dependency=get_current_user,
+    roles_dependency=get_current_user_roles,  # Returns set[str]
     ui_path="/_rbac",  # Optional: mount visualization UI
 )
 
-# 5. Create protected routes
+# 7. Create protected routes
 router = RBACRouter(permissions={"report:read"}, contexts=[ReportAccessContext])
 
 @router.get("/reports/{report_id}")
@@ -136,14 +148,14 @@ PERMISSIONS = {
 
 ## Context Checks
 
-Context checks are classes that implement fine-grained authorization logic. They're regular FastAPI dependencies, so you can inject any parameters (path params, query params, request body, database sessions, etc.).
+Context checks are classes that implement fine-grained authorization logic. They're regular FastAPI dependencies, so you can inject any parameters (path params, query params, request body, database sessions, etc.). Each context class is responsible for its own authentication via FastAPI's dependency injection.
 
 ```python
-class ReportAccessContext(ContextualAuthz[User]):
+class ReportAccessContext(ContextualAuthz):
     def __init__(
         self,
         report_id: int,  # Injected from path parameter
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],  # Your auth dependency
         db: Annotated[AsyncSession, Depends(get_db)],  # Database session
     ):
         self.user = user
@@ -161,11 +173,11 @@ class ReportAccessContext(ContextualAuthz[User]):
 When a request hits an RBAC-protected endpoint:
 
 ```
-1. Authentication
-   └── user_dependency runs → User object available
+1. Role Resolution
+   └── roles_dependency runs → User's roles (set[str]) available
 
 2. Permission Check
-   └── Does user have ANY grant (global or contextual) for required permission?
+   └── Does user have ANY grant (scoped or wildcard) for required permission?
        ├── No  → 403 Forbidden
        └── Yes → Continue
 
@@ -175,7 +187,7 @@ When a request hits an RBAC-protected endpoint:
        └── No  → Continue to context checks
 
 4. Context Checks (only for Contextual grants)
-   └── Run all context classes via FastAPI DI
+   └── Run all context classes via FastAPI DI (each gets its own user via Depends)
        └── Do ALL contexts return True?
            ├── No  → 403 Forbidden
            └── Yes → Access granted
@@ -214,8 +226,8 @@ uvicorn examples.basic_app:app --reload
 
 Then open your browser:
 
-- **http://localhost:8000/docs** - OpenAPI docs to test the API
-- **http://localhost:8000/_rbac** - Authorization visualization UI
+- **http://localhost:18000/docs** - OpenAPI docs to test the API
+- **http://localhost:18000/_rbac** - Authorization visualization UI
 
 ### Test with different users
 
@@ -223,15 +235,15 @@ The example uses `X-Token` header for authentication:
 
 ```bash
 # As admin (has Global("*") - full access)
-curl -H "X-Token: admin-token" http://localhost:8000/reports
-curl -H "X-Token: admin-token" http://localhost:8000/reports/1
+curl -H "X-Token: admin-token" http://localhost:18000/reports
+curl -H "X-Token: admin-token" http://localhost:18000/reports/1
 
 # As user (has Contextual permissions - can only access own reports)
-curl -H "X-Token: user-token" http://localhost:8000/reports/1  # OK (owns report 1)
-curl -H "X-Token: user-token" http://localhost:8000/reports/3  # 403 (doesn't own report 3)
+curl -H "X-Token: user-token" http://localhost:18000/reports/1  # OK (owns report 1)
+curl -H "X-Token: user-token" http://localhost:18000/reports/3  # 403 (doesn't own report 3)
 
 # As viewer (has Contextual read - can only read own reports)
-curl -H "X-Token: viewer-token" http://localhost:8000/reports/1  # 403 (doesn't own any)
+curl -H "X-Token: viewer-token" http://localhost:18000/reports/1  # 403 (doesn't own any)
 ```
 
 ## Visualization UI

{fastapi_rbac_authz-0.3.0 → fastapi_rbac_authz-0.5.0}/README.md

@@ -2,6 +2,14 @@
 
 Role-based access control with contextual authorization for FastAPI.
 
+Library IS NOT responsible for authentication. You can use any authentication mechanism you want.
+
+  What you need to provide:
+  - A dependency that returns the authenticated user's roles as `set[str]`
+  - Permission definitions per role
+  - Use `RBACRouter` instead of `APIRouter` for protected routes
+  - Define permissions and context checks per endpoint
+
 ## Installation
 
 ```bash
@@ -14,16 +22,26 @@ pip install fastapi-rbac-authz
 from typing import Annotated
 from fastapi import Depends, FastAPI
 from fastapi_rbac import (
-    RBACAuthz, RBACRouter, Global, Contextual, ContextualAuthz, RBACUser
+    RBACAuthz, RBACRouter, Global, Contextual, ContextualAuthz
 )
 
-# 1. Define your user model
+# 1. You might have your user model (or you may not, we don't care)
 class User:
     def __init__(self, user_id: str, roles: set[str]):
         self.user_id = user_id
         self.roles = roles
 
-# 2. Define role permissions
+# 2. Assuming you have your own dependency that returns a user instance
+async def get_current_user() -> User:
+    # Your authentication logic here
+    return User(user_id="user-1", roles={"viewer"})
+
+# 3. Dependency that library **REQUIRES**. **MUST** return a set of user roles
+async def get_current_user_roles() -> set[str]:
+    user = await get_current_user()
+    return user.roles
+
+# 4. Define your roles permissions
 PERMISSIONS = {
     "admin": {
         Global("report:*"),         # Admin can do anything with reports
@@ -33,13 +51,12 @@ PERMISSIONS = {
     },
 }
 
-# 3. Create a context check (for contextual permissions)
-# All __init__ params are injected by FastAPI's DI system
-class ReportAccessContext(ContextualAuthz[User]):
+# 5. Create context authorization checks
+class ReportAccessContext(ContextualAuthz):
     def __init__(
         self,
         report_id: int,  # <-- Injected from path parameter
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],  # Your own way how to get the user if you need it
     ):
         self.user = user
         self.report_id = report_id
@@ -49,22 +66,17 @@ class ReportAccessContext(ContextualAuthz[User]):
         allowed_reports = {1, 2, 3}  # e.g., query from database
         return self.report_id in allowed_reports
 
-# 4. Create your app and configure RBAC
+# 6. Configure RBAC
 app = FastAPI()
 
-async def get_current_user() -> User:
-    # Your authentication logic here
-    return User(user_id="user-1", roles={"viewer"})
-
 RBACAuthz(
     app,
-    get_roles=lambda u: u.roles,
     permissions=PERMISSIONS,
-    user_dependency=get_current_user,
+    roles_dependency=get_current_user_roles,  # Returns set[str]
     ui_path="/_rbac",  # Optional: mount visualization UI
 )
 
-# 5. Create protected routes
+# 7. Create protected routes
 router = RBACRouter(permissions={"report:read"}, contexts=[ReportAccessContext])
 
 @router.get("/reports/{report_id}")
@@ -114,14 +126,14 @@ PERMISSIONS = {
 
 ## Context Checks
 
-Context checks are classes that implement fine-grained authorization logic. They're regular FastAPI dependencies, so you can inject any parameters (path params, query params, request body, database sessions, etc.).
+Context checks are classes that implement fine-grained authorization logic. They're regular FastAPI dependencies, so you can inject any parameters (path params, query params, request body, database sessions, etc.). Each context class is responsible for its own authentication via FastAPI's dependency injection.
 
 ```python
-class ReportAccessContext(ContextualAuthz[User]):
+class ReportAccessContext(ContextualAuthz):
     def __init__(
         self,
         report_id: int,  # Injected from path parameter
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],  # Your auth dependency
         db: Annotated[AsyncSession, Depends(get_db)],  # Database session
     ):
         self.user = user
@@ -139,11 +151,11 @@ class ReportAccessContext(ContextualAuthz[User]):
 When a request hits an RBAC-protected endpoint:
 
 ```
-1. Authentication
-   └── user_dependency runs → User object available
+1. Role Resolution
+   └── roles_dependency runs → User's roles (set[str]) available
 
 2. Permission Check
-   └── Does user have ANY grant (global or contextual) for required permission?
+   └── Does user have ANY grant (scoped or wildcard) for required permission?
        ├── No  → 403 Forbidden
        └── Yes → Continue
 
@@ -153,7 +165,7 @@ When a request hits an RBAC-protected endpoint:
        └── No  → Continue to context checks
 
 4. Context Checks (only for Contextual grants)
-   └── Run all context classes via FastAPI DI
+   └── Run all context classes via FastAPI DI (each gets its own user via Depends)
        └── Do ALL contexts return True?
            ├── No  → 403 Forbidden
            └── Yes → Access granted
@@ -192,8 +204,8 @@ uvicorn examples.basic_app:app --reload
 
 Then open your browser:
 
-- **http://localhost:8000/docs** - OpenAPI docs to test the API
-- **http://localhost:8000/_rbac** - Authorization visualization UI
+- **http://localhost:18000/docs** - OpenAPI docs to test the API
+- **http://localhost:18000/_rbac** - Authorization visualization UI
 
 ### Test with different users
 
@@ -201,15 +213,15 @@ The example uses `X-Token` header for authentication:
 
 ```bash
 # As admin (has Global("*") - full access)
-curl -H "X-Token: admin-token" http://localhost:8000/reports
-curl -H "X-Token: admin-token" http://localhost:8000/reports/1
+curl -H "X-Token: admin-token" http://localhost:18000/reports
+curl -H "X-Token: admin-token" http://localhost:18000/reports/1
 
 # As user (has Contextual permissions - can only access own reports)
-curl -H "X-Token: user-token" http://localhost:8000/reports/1  # OK (owns report 1)
-curl -H "X-Token: user-token" http://localhost:8000/reports/3  # 403 (doesn't own report 3)
+curl -H "X-Token: user-token" http://localhost:18000/reports/1  # OK (owns report 1)
+curl -H "X-Token: user-token" http://localhost:18000/reports/3  # 403 (doesn't own report 3)
 
 # As viewer (has Contextual read - can only read own reports)
-curl -H "X-Token: viewer-token" http://localhost:8000/reports/1  # 403 (doesn't own any)
+curl -H "X-Token: viewer-token" http://localhost:18000/reports/1  # 403 (doesn't own any)
 ```
 
 ## Visualization UI

{fastapi_rbac_authz-0.3.0 → fastapi_rbac_authz-0.5.0}/examples/basic_app.py

@@ -20,7 +20,6 @@ from fastapi_rbac import (
     Global,
     RBACAuthz,
     RBACRouter,
-    RBACUser,
 )
 
 
@@ -67,8 +66,10 @@ PERMISSIONS = {
 
 
 # =============================================================================
-# Authentication Dependency
+# Authentication Dependencies
 # =============================================================================
+
+
 async def get_current_user(x_token: Annotated[str, Header()]) -> User:
     """Simulate authentication via X-Token header."""
     user = USERS.get(x_token)
@@ -77,16 +78,29 @@ async def get_current_user(x_token: Annotated[str, Header()]) -> User:
     return user
 
 
+async def get_current_user_roles(user: User = Depends(get_current_user)) -> set[str]:
+    """Get the roles for the current user.
+
+    This dependency returns only the roles - the library doesn't need
+    the full user object for authorization checks.
+    """
+    return user.roles
+
+
 # =============================================================================
 # Context Check
 # =============================================================================
-class ReportOwnerContext(ContextualAuthz[User]):
-    """Check if user owns the report or is allowed to access it."""
+class ReportOwnerContext(ContextualAuthz):
+    """Check if user owns the report or is allowed to access it.
+
+    Context classes are responsible for their own authentication.
+    They use FastAPI's Depends() to get the user via your auth dependency.
+    """
 
     def __init__(
         self,
         report_id: int,
-        user: Annotated[User, Depends(RBACUser)],
+        user: Annotated[User, Depends(get_current_user)],
     ):
         self.user = user
         self.report_id = report_id
@@ -109,9 +123,8 @@ app = FastAPI(
 
 RBACAuthz(
     app,
-    get_roles=lambda user: user.roles,
     permissions=PERMISSIONS,
-    user_dependency=get_current_user,
+    roles_dependency=get_current_user_roles,
     ui_path="/_rbac",
 )
 
@@ -147,7 +160,7 @@ async def update_report(report_id: int, title: str):
 
 
 @router.post("", permissions={"report:create"}, contexts=[])
-async def create_report(title: str, user: Annotated[User, Depends(RBACUser)]):
+async def create_report(title: str, user: Annotated[User, Depends(get_current_user)]):
     """Create a new report. Requires report:create permission (no context check)."""
     new_id = max(REPORTS.keys()) + 1
     REPORTS[new_id] = {"title": title, "owner_id": user.user_id}

{fastapi_rbac_authz-0.3.0 → fastapi_rbac_authz-0.5.0}/fastapi_rbac/__init__.py

@@ -4,13 +4,8 @@ __version__ = "0.1.0"
 
 from fastapi_rbac.context import ContextualAuthz
 from fastapi_rbac.core import RBACAuthz
-from fastapi_rbac.dependencies import (
-    RBACUser,
-    create_auth_dependency,
-    create_authz_dependency,
-    evaluate_permissions,
-)
-from fastapi_rbac.exceptions import Forbidden
+from fastapi_rbac.dependencies import create_authz_dependency
+from fastapi_rbac.errors import Forbidden
 from fastapi_rbac.permissions import (
     Contextual,
     Global,
@@ -22,14 +17,11 @@ from fastapi_rbac.router import RBACRouter
 __all__ = [
     "RBACAuthz",
     "RBACRouter",
-    "RBACUser",
     "ContextualAuthz",
     "Global",
     "Contextual",
     "PermissionGrant",
     "PermissionScope",
     "Forbidden",
-    "create_auth_dependency",
     "create_authz_dependency",
-    "evaluate_permissions",
 ]

fastapi_rbac_authz-0.5.0/fastapi_rbac/context.py

@@ -0,0 +1,34 @@
+from abc import ABC, abstractmethod
+
+
+class ContextualAuthz(ABC):
+    """Base class for contextual authorization checks.
+
+    Subclasses can use FastAPI dependencies in the __init__ method.
+
+    Example:
+
+    >>> class MyContext(ContextualAuthz):
+    >>>     def __init__(
+    >>>         self,
+    >>>         user: Annotated[User, Depends(get_current_user)],  # your auth dep
+    >>>         request: Request,  # fastapi dep
+    >>>         db: AsyncSession = Depends(get_db),  # your database dep
+    >>>     ):
+    >>>         self.user = user
+    >>>         self.request = request
+    >>>         self.db = db
+    >>>
+    >>>     async def has_permissions(self) -> bool:
+    >>>         # Check access using self.user, self.request, self.db
+    >>>         return True
+    """
+
+    @abstractmethod
+    async def has_permissions(self) -> bool:
+        """Check if the user has permission in this context.
+
+        Returns:
+            True if access should be granted, False otherwise.
+        """
+        raise NotImplementedError()

fastapi_rbac_authz-0.5.0/fastapi_rbac/core.py

@@ -0,0 +1,85 @@
+from collections.abc import Awaitable, Callable
+from typing import Any
+
+from fastapi import APIRouter, FastAPI
+
+from fastapi_rbac.dependencies import _rbac_roles_dependency_placeholder
+from fastapi_rbac.permissions import PermissionGrant
+from fastapi_rbac.router import RBACRouter
+from fastapi_rbac.ui.routes import create_ui_router
+
+
+class RBACAuthz:
+    """Main RBAC authorization configuration.
+
+    Attaches to a FastAPI application and provides authorization
+    configuration for RBACRouter endpoints.
+
+    Args:
+        app: The FastAPI application instance.
+        permissions: Mapping of role names to sets of permission grants.
+        roles_dependency: FastAPI dependency that returns the user's roles as set[str].
+            This dependency is injected into all RBAC-protected endpoints via
+            FastAPI's dependency_overrides mechanism, and will be evaluated before RBAC checks
+        ui_path: Optional path to mount the authorization UI (e.g., "/_rbac").
+    """
+
+    def __init__(
+        self,
+        app: FastAPI,
+        permissions: dict[str, set[PermissionGrant]],
+        roles_dependency: Callable[..., set[str]] | Callable[..., Awaitable[set[str]]],
+        ui_path: str | None = None,
+    ) -> None:
+        self.app = app
+        self.permissions = permissions
+        self.roles_dependency = roles_dependency
+        self.ui_path = ui_path
+
+        # Instance attributes for state management
+        self.routers: list[tuple[str, RBACRouter]] = []
+        self._include_router_wrapped: bool = False
+
+        # Attach to app state for access from routers
+        app.state.rbac = self
+
+        # Override the placeholder dependency with user's roles dependency
+        # This allows the roles dependency to be injected into all
+        # RBAC-protected endpoints with proper FastAPI dependency resolution
+        app.dependency_overrides[_rbac_roles_dependency_placeholder] = roles_dependency
+        self._wrap_app_include_router()
+
+        if ui_path:
+            self._mount_ui()
+
+    def _wrap_app_include_router(self) -> None:
+        """Wrap the app's include_router method to track RBACRouters."""
+        if self._include_router_wrapped:
+            return
+
+        original_include_router = self.app.include_router
+        self.app.include_router = self._create_wrapped_include_router(original_include_router)  # type: ignore[method-assign]
+        self._include_router_wrapped = True
+
+    def _create_wrapped_include_router(self, original_include_router: Callable[..., None]) -> Callable[..., None]:
+        """Create a wrapped include_router that tracks RBACRouters."""
+
+        def wrapped_include_router(
+            router: APIRouter,
+            *,
+            prefix: str = "",
+            **kwargs: Any,
+        ) -> None:
+            if isinstance(router, RBACRouter):
+                self.routers.append((prefix, router))
+            return original_include_router(router, prefix=prefix, **kwargs)
+
+        return wrapped_include_router
+
+    def _mount_ui(self) -> None:
+        """Mount the authorization visualization UI."""
+        if not self.ui_path:
+            return
+
+        ui_router = create_ui_router(self.ui_path)
+        self.app.include_router(ui_router, prefix=self.ui_path)