feat(rbac): add rbac frontend

Author: jordan-umusu

frontend/src/app/organization/layout.tsx

@@ -5,6 +5,7 @@ import { AuthGuard } from "@/components/auth/auth-guard"
 import { CenteredSpinner } from "@/components/loading/spinner"
 import { OrganizationSidebar } from "@/components/sidebar/organization-sidebar"
 import { SidebarInset, SidebarProvider } from "@/components/ui/sidebar"
+import { ScopeProvider } from "@/providers/scopes"
 
 export default function OrganizationLayout({
   children,
@@ -13,18 +14,20 @@ export default function OrganizationLayout({
 }) {
   return (
     <AuthGuard requireAuth requireOrgAdmin>
-      <SidebarProvider>
-        <OrganizationSidebar />
-        <SidebarInset>
-          <div className="flex h-full flex-1 flex-col">
-            <div className="flex-1 overflow-auto">
-              <div className="container py-16">
-                <Suspense fallback={<CenteredSpinner />}>{children}</Suspense>
+      <ScopeProvider>
+        <SidebarProvider>
+          <OrganizationSidebar />
+          <SidebarInset>
+            <div className="flex h-full flex-1 flex-col">
+              <div className="flex-1 overflow-auto">
+                <div className="container py-16">
+                  <Suspense fallback={<CenteredSpinner />}>{children}</Suspense>
+                </div>
               </div>
             </div>
-          </div>
-        </SidebarInset>
-      </SidebarProvider>
+          </SidebarInset>
+        </SidebarProvider>
+      </ScopeProvider>
     </AuthGuard>
   )
 }

frontend/src/app/organization/settings/rbac/layout.tsx

@@ -0,0 +1,13 @@
+import type { Metadata } from "next"
+
+export const metadata: Metadata = {
+  title: "Access control | Organization",
+}
+
+export default function RbacLayout({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  return children
+}

frontend/src/app/organization/settings/rbac/page.tsx

@@ -0,0 +1,73 @@
+"use client"
+
+import { useState } from "react"
+import { OrgRbacAssignments } from "@/components/organization/org-rbac-assignments"
+import { OrgRbacGroups } from "@/components/organization/org-rbac-groups"
+import { OrgRbacRoles } from "@/components/organization/org-rbac-roles"
+import { OrgRbacScopes } from "@/components/organization/org-rbac-scopes"
+import { OrgRbacUserAssignments } from "@/components/organization/org-rbac-user-assignments"
+import { Tabs, TabsContent, TabsList, TabsTrigger } from "@/components/ui/tabs"
+
+type RbacTab =
+  | "roles"
+  | "groups"
+  | "scopes"
+  | "assignments"
+  | "user-assignments"
+
+export default function RbacSettingsPage() {
+  const [activeTab, setActiveTab] = useState<RbacTab>("roles")
+
+  return (
+    <div className="size-full overflow-auto">
+      <div className="container flex h-full max-w-[1200px] flex-col space-y-8 py-6">
+        <div className="flex w-full">
+          <div className="items-start space-y-3 text-left">
+            <h2 className="text-2xl font-semibold tracking-tight">
+              Access control
+            </h2>
+            <p className="text-md text-muted-foreground">
+              Manage roles, groups, and permissions for your organization.
+              Configure fine-grained access control with scopes and assign
+              permissions to users and groups.
+            </p>
+          </div>
+        </div>
+
+        <Tabs
+          value={activeTab}
+          onValueChange={(v) => setActiveTab(v as RbacTab)}
+          className="w-full"
+        >
+          <TabsList className="grid w-full max-w-[650px] grid-cols-5">
+            <TabsTrigger value="roles">Roles</TabsTrigger>
+            <TabsTrigger value="groups">Groups</TabsTrigger>
+            <TabsTrigger value="assignments">Group assignments</TabsTrigger>
+            <TabsTrigger value="user-assignments">User assignments</TabsTrigger>
+            <TabsTrigger value="scopes">Scopes</TabsTrigger>
+          </TabsList>
+
+          <TabsContent value="roles" className="mt-6">
+            <OrgRbacRoles />
+          </TabsContent>
+
+          <TabsContent value="groups" className="mt-6">
+            <OrgRbacGroups />
+          </TabsContent>
+
+          <TabsContent value="assignments" className="mt-6">
+            <OrgRbacAssignments />
+          </TabsContent>
+
+          <TabsContent value="user-assignments" className="mt-6">
+            <OrgRbacUserAssignments />
+          </TabsContent>
+
+          <TabsContent value="scopes" className="mt-6">
+            <OrgRbacScopes />
+          </TabsContent>
+        </Tabs>
+      </div>
+    </div>
+  )
+}

frontend/src/app/workspaces/layout.tsx

@@ -19,6 +19,7 @@ import { useAuth, useAuthActions } from "@/hooks/use-auth"
 import { useOrgMembership } from "@/hooks/use-org-membership"
 import { useWorkspaceManager } from "@/lib/hooks"
 import { WorkflowBuilderProvider } from "@/providers/builder"
+import { ScopeProvider } from "@/providers/scopes"
 import { WorkflowProvider } from "@/providers/workflow"
 import { WorkspaceIdProvider } from "@/providers/workspace-id"
 
@@ -77,13 +78,18 @@ export default function WorkspaceLayout({
 
   return (
     <WorkspaceIdProvider workspaceId={selectedWorkspaceId}>
-      {workflowId ? (
-        <WorkflowView workspaceId={selectedWorkspaceId} workflowId={workflowId}>
+      <ScopeProvider>
+        {workflowId ? (
+          <WorkflowView
+            workspaceId={selectedWorkspaceId}
+            workflowId={workflowId}
+          >
+            <WorkspaceChildren>{children}</WorkspaceChildren>
+          </WorkflowView>
+        ) : (
           <WorkspaceChildren>{children}</WorkspaceChildren>
-        </WorkflowView>
-      ) : (
-        <WorkspaceChildren>{children}</WorkspaceChildren>
-      )}
+        )}
+      </ScopeProvider>
     </WorkspaceIdProvider>
   )
 }

frontend/src/components/auth/scope-guard.tsx

@@ -0,0 +1,142 @@
+"use client"
+
+import type { ReactNode } from "react"
+import { CenteredSpinner } from "@/components/loading/spinner"
+import { useScopes } from "@/providers/scopes"
+
+interface ScopeGuardProps {
+  /**
+   * Single scope to check. If both `scope` and `scopes` are provided,
+   * this is added to the scopes array.
+   */
+  scope?: string
+  /**
+   * Array of scopes to check against.
+   */
+  scopes?: string[]
+  /**
+   * If true, requires all scopes to be present.
+   * If false or undefined, requires any one of the scopes.
+   * @default false
+   */
+  all?: boolean
+  /**
+   * Content to render if the user has the required scope(s).
+   */
+  children: ReactNode
+  /**
+   * Content to render if the user doesn't have the required scope(s).
+   * If not provided, nothing is rendered when access is denied.
+   */
+  fallback?: ReactNode
+  /**
+   * Content to render while loading scope information.
+   * Defaults to a centered spinner.
+   */
+  loading?: ReactNode
+}
+
+/**
+ * A component that conditionally renders its children based on user scopes.
+ *
+ * @example
+ * // Single scope check
+ * <ScopeGuard scope="workflow:create" fallback={<DisabledButton />}>
+ *   <CreateWorkflowButton />
+ * </ScopeGuard>
+ *
+ * @example
+ * // Multiple scopes, any match
+ * <ScopeGuard scopes={["workflow:read", "workflow:create"]} fallback={null}>
+ *   <WorkflowSection />
+ * </ScopeGuard>
+ *
+ * @example
+ * // Multiple scopes, all required
+ * <ScopeGuard scopes={["workflow:read", "workflow:execute"]} all fallback={<Disabled />}>
+ *   <RunWorkflowButton />
+ * </ScopeGuard>
+ */
+export function ScopeGuard({
+  scope,
+  scopes: scopesProp,
+  all = false,
+  children,
+  fallback = null,
+  loading,
+}: ScopeGuardProps) {
+  const { hasScope, hasAnyScope, hasAllScopes, isLoading } = useScopes()
+
+  // Combine scope and scopes into a single array
+  const requiredScopes: string[] = [
+    ...(scope ? [scope] : []),
+    ...(scopesProp ?? []),
+  ]
+
+  // If no scopes specified, render children (no restriction)
+  if (requiredScopes.length === 0) {
+    return <>{children}</>
+  }
+
+  // Show loading state
+  if (isLoading) {
+    return <>{loading ?? <CenteredSpinner />}</>
+  }
+
+  // Check scopes
+  let hasAccess: boolean
+  if (requiredScopes.length === 1) {
+    hasAccess = hasScope(requiredScopes[0])
+  } else if (all) {
+    hasAccess = hasAllScopes(requiredScopes)
+  } else {
+    hasAccess = hasAnyScope(requiredScopes)
+  }
+
+  if (!hasAccess) {
+    return <>{fallback}</>
+  }
+
+  return <>{children}</>
+}
+
+/**
+ * A hook-based alternative to ScopeGuard for cases where you need
+ * programmatic access to the permission check result.
+ *
+ * @example
+ * const canCreate = useScopeCheck("workflow:create")
+ * if (canCreate) {
+ *   // Show create button
+ * }
+ */
+export function useScopeCheck(
+  scope?: string,
+  scopes?: string[],
+  options?: { all?: boolean }
+): boolean | undefined {
+  const { hasScope, hasAnyScope, hasAllScopes, isLoading } = useScopes()
+
+  const requiredScopes: string[] = [
+    ...(scope ? [scope] : []),
+    ...(scopes ?? []),
+  ]
+
+  if (isLoading) {
+    return undefined
+  }
+
+  if (requiredScopes.length === 0) {
+    return true
+  }
+
+  if (requiredScopes.length === 1) {
+    return hasScope(requiredScopes[0])
+  }
+
+  if (options?.all) {
+    return hasAllScopes(requiredScopes)
+  }
+
+  return hasAnyScope(requiredScopes)
+}