feat(identity+web): R2 identity screens — users, roles, role assignment

Closes the R2 gap: an admin can now manage users and roles entirely from the SPA without touching curl or Swagger UI. Backend (pbc-identity): - New RoleService with createRole, assignRole, revokeRole, findUserRoleCodes, listRoles. Each method validates existence + idempotency (duplicate assignment rejected, missing role rejected). - New RoleController at /api/v1/identity/roles (CRUD) + /api/v1/identity/users/{userId}/roles/{roleCode} (POST assign, DELETE revoke). All permission-gated: identity.role.read, identity.role.create, identity.role.assign. - identity.yml updated: added identity.role.create permission. SPA (web/): - UsersPage — list with username link to detail, "+ New User" - CreateUserPage — username, display name, email form - UserDetailPage — shows user info + role toggle list. Each role has an Assign/Revoke button that takes effect on the user's next login (JWT carries roles from login time). - RolesPage — list with inline create form (code + name) - Sidebar gains "System" section with Users + Roles links - API client + types: identity.listUsers, getUser, createUser, listRoles, createRole, getUserRoles, assignRole, revokeRole Infrastructure: - SpaController: added /users/** and /roles/** forwarding - SecurityConfiguration: added /users/** and /roles/** to the SPA permitAll block

feat(identity+web): R2 identity screens — users, roles, role assignment
Closes the R2 gap: an admin can now manage users and roles entirely from the SPA without touching curl or Swagger UI. Backend (pbc-identity): - New RoleService with createRole, assignRole, revokeRole, findUserRoleCodes, listRoles. Each method validates existence + idempotency (duplicate assignment rejected, missing role rejected). - New RoleController at /api/v1/identity/roles (CRUD) + /api/v1/identity/users/{userId}/roles/{roleCode} (POST assign, DELETE revoke). All permission-gated: identity.role.read, identity.role.create, identity.role.assign. - identity.yml updated: added identity.role.create permission. SPA (web/): - UsersPage — list with username link to detail, "+ New User" - CreateUserPage — username, display name, email form - UserDetailPage — shows user info + role toggle list. Each role has an Assign/Revoke button that takes effect on the user's next login (JWT carries roles from login time). - RolesPage — list with inline create form (code + name) - Sidebar gains "System" section with Users + Roles links - API client + types: identity.listUsers, getUser, createUser, listRoles, createRole, getUserRoles, assignRole, revokeRole Infrastructure: - SpaController: added /users/** and /roles/** forwarding - SecurityConfiguration: added /users/** and /roles/** to the SPA permitAll block
zichun · 朱子纯
1 parent 25353240
Showing 13 changed files with 547 additions and 1 deletions
pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/application/RoleService.kt
pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/http/RoleController.kt
pbc/pbc-identity/src/main/resources/META-INF/vibe-erp/metadata/identity.yml
platform/platform-bootstrap/src/main/kotlin/org/vibeerp/platform/bootstrap/web/SpaController.kt
platform/platform-security/src/main/kotlin/org/vibeerp/platform/security/SecurityConfiguration.kt
web/src/App.tsx
web/src/api/client.ts
web/src/layout/AppLayout.tsx
web/src/pages/CreateUserPage.tsx
web/src/pages/RolesPage.tsx
web/src/pages/UserDetailPage.tsx
web/src/pages/UsersPage.tsx
web/src/types/api.ts
+package org.vibeerp.pbc.identity.application
+
+import org.springframework.stereotype.Service
+import org.springframework.transaction.annotation.Transactional
+import org.vibeerp.pbc.identity.domain.Role
+import org.vibeerp.pbc.identity.domain.UserRole
+import org.vibeerp.pbc.identity.infrastructure.RoleJpaRepository
+import org.vibeerp.pbc.identity.infrastructure.UserJpaRepository
+import org.vibeerp.pbc.identity.infrastructure.UserRoleJpaRepository
+import java.util.UUID
+
+@Service
+@Transactional
+class RoleService(
+    private val roles: RoleJpaRepository,
+    private val users: UserJpaRepository,
+    private val userRoles: UserRoleJpaRepository,
+) {
+
+    @Transactional(readOnly = true)
+    fun listRoles(): List<Role> = roles.findAll()
+
+    @Transactional(readOnly = true)
+    fun findRoleByCode(code: String): Role? = roles.findByCode(code)
+
+    fun createRole(command: CreateRoleCommand): Role {
+        require(!roles.existsByCode(command.code)) {
+            "role code '${command.code}' already exists"
+        }
+        return roles.save(
+            Role(
+                code = command.code,
+                name = command.name,
+                description = command.description,
+            ),
+        )
+    }
+
+    @Transactional(readOnly = true)
+    fun findUserRoleCodes(userId: UUID): List<String> =
+        userRoles.findRoleCodesByUserId(userId)
+
+    fun assignRole(userId: UUID, roleCode: String) {
+        val user = users.findById(userId).orElseThrow {
+            NoSuchElementException("user not found: $userId")
+        }
+        val role = roles.findByCode(roleCode)
+            ?: throw NoSuchElementException("role not found: $roleCode")
+
+        require(!userRoles.existsByUserIdAndRoleId(user.id, role.id)) {
+            "user '${user.username}' already has role '$roleCode'"
+        }
+        userRoles.save(UserRole(userId = user.id, roleId = role.id))
+    }
+
+    fun revokeRole(userId: UUID, roleCode: String) {
+        val role = roles.findByCode(roleCode)
+            ?: throw NoSuchElementException("role not found: $roleCode")
+
+        val assignments = userRoles.findByUserId(userId)
+        val match = assignments.find { it.roleId == role.id }
+            ?: throw NoSuchElementException("user $userId does not have role '$roleCode'")
+
+        userRoles.delete(match)
+    }
+}
+
+data class CreateRoleCommand(
+    val code: String,
+    val name: String,
+    val description: String? = null,
+)
+package org.vibeerp.pbc.identity.http
+
+import jakarta.validation.Valid
+import jakarta.validation.constraints.NotBlank
+import jakarta.validation.constraints.Size
+import org.springframework.http.HttpStatus
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.PathVariable
+import org.springframework.web.bind.annotation.PostMapping
+import org.springframework.web.bind.annotation.DeleteMapping
+import org.springframework.web.bind.annotation.RequestBody
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.ResponseStatus
+import org.springframework.web.bind.annotation.RestController
+import org.vibeerp.pbc.identity.application.CreateRoleCommand
+import org.vibeerp.pbc.identity.application.RoleService
+import org.vibeerp.pbc.identity.domain.Role
+import org.vibeerp.platform.security.authz.RequirePermission
+import java.util.UUID
+
+/**
+ * REST API for role management and user-role assignment.
+ *
+ * Mounted at `/api/v1/identity/roles`. The role CRUD endpoints
+ * let the SPA's identity admin screen create and list roles.
+ * The nested `/users/{userId}/roles` endpoints let an admin
+ * assign and revoke roles for a specific user.
+ */
+@RestController
+@RequestMapping("/api/v1/identity")
+class RoleController(
+    private val roleService: RoleService,
+) {
+
+    @GetMapping("/roles")
+    @RequirePermission("identity.role.read")
+    fun listRoles(): List<RoleResponse> =
+        roleService.listRoles().map { it.toResponse() }
+
+    @PostMapping("/roles")
+    @ResponseStatus(HttpStatus.CREATED)
+    @RequirePermission("identity.role.create")
+    fun createRole(@RequestBody @Valid request: CreateRoleRequest): RoleResponse =
+        roleService.createRole(
+            CreateRoleCommand(
+                code = request.code,
+                name = request.name,
+                description = request.description,
+            ),
+        ).toResponse()
+
+    @GetMapping("/users/{userId}/roles")
+    @RequirePermission("identity.user.read")
+    fun listUserRoles(@PathVariable userId: UUID): List<String> =
+        roleService.findUserRoleCodes(userId)
+
+    @PostMapping("/users/{userId}/roles/{roleCode}")
+    @ResponseStatus(HttpStatus.NO_CONTENT)
+    @RequirePermission("identity.role.assign")
+    fun assignRole(
+        @PathVariable userId: UUID,
+        @PathVariable roleCode: String,
+    ) {
+        roleService.assignRole(userId, roleCode)
+    }
+
+    @DeleteMapping("/users/{userId}/roles/{roleCode}")
+    @ResponseStatus(HttpStatus.NO_CONTENT)
+    @RequirePermission("identity.role.assign")
+    fun revokeRole(
+        @PathVariable userId: UUID,
+        @PathVariable roleCode: String,
+    ) {
+        roleService.revokeRole(userId, roleCode)
+    }
+}
+
+// ─── DTOs ────────────────────────────────────────────────────────────
+
+data class CreateRoleRequest(
+    @field:NotBlank @field:Size(max = 64) val code: String,
+    @field:NotBlank @field:Size(max = 256) val name: String,
+    val description: String? = null,
+)
+
+data class RoleResponse(
+    val id: UUID,
+    val code: String,
+    val name: String,
+    val description: String?,
+)
+
+private fun Role.toResponse() = RoleResponse(
+    id = this.id,
+    code = this.code,
+    name = this.name,
+    description = this.description,
+)
@@ -28,8 +28,10 @@ permissions:
     description: Disable a user (soft-delete; row is preserved for audit)
   - key: identity.role.read
     description: Read role records
+  - key: identity.role.create
+    description: Create new roles
   - key: identity.role.assign
-    description: Assign a role to a user
+    description: Assign or revoke a role for a user
 menus:
   - path: /identity/users
@@ -83,6 +83,10 @@ class SpaController {
             // Finance
             "/journal-entries", "/journal-entries/", "/journal-entries/**",
+
+            // System / identity
+            "/users", "/users/", "/users/**",
+            "/roles", "/roles/", "/roles/**",
         ],
     )
     fun spa(): String = "forward:/index.html"
@@ -110,6 +110,8 @@ class SecurityConfiguration {
                     "/work-orders", "/work-orders/**",
                     "/shop-floor", "/shop-floor/**",
                     "/journal-entries", "/journal-entries/**",
+                    "/users", "/users/**",
+                    "/roles", "/roles/**",
                 ).permitAll()
                 // Anything else — return 401 so a typoed deep link
@@ -13,6 +13,10 @@ import { AppLayout } from &#39;@/layout/AppLayout&#39;
 import { ProtectedRoute } from '@/components/ProtectedRoute'
 import { LoginPage } from '@/pages/LoginPage'
 import { DashboardPage } from '@/pages/DashboardPage'
+import { UsersPage } from '@/pages/UsersPage'
+import { CreateUserPage } from '@/pages/CreateUserPage'
+import { UserDetailPage } from '@/pages/UserDetailPage'
+import { RolesPage } from '@/pages/RolesPage'
 import { ItemsPage } from '@/pages/ItemsPage'
 import { CreateItemPage } from '@/pages/CreateItemPage'
 import { UomsPage } from '@/pages/UomsPage'
@@ -46,6 +50,10 @@ export default function App() {
         }
       >
         <Route index element={<DashboardPage />} />
+        <Route path="users" element={<UsersPage />} />
+        <Route path="users/new" element={<CreateUserPage />} />
+        <Route path="users/:id" element={<UserDetailPage />} />
+        <Route path="roles" element={<RolesPage />} />
         <Route path="items" element={<ItemsPage />} />
         <Route path="items/new" element={<CreateItemPage />} />
         <Route path="uoms" element={<UomsPage />} />
@@ -31,12 +31,14 @@ import type {
   MetaInfo,
   Partner,
   PurchaseOrder,
+  Role,
   SalesOrder,
   ShopFloorEntry,
   StockBalance,
   StockMovement,
   TokenPair,
   Uom,
+  User,
   WorkOrder,
 } from '@/types/api'
@@ -131,6 +133,25 @@ export const auth = {
     }),
 }
+// ─── Identity ────────────────────────────────────────────────────────
+
+export const identity = {
+  listUsers: () => apiFetch<User[]>('/api/v1/identity/users'),
+  getUser: (id: string) => apiFetch<User>(`/api/v1/identity/users/${id}`),
+  createUser: (body: {
+    username: string; displayName: string; email?: string | null
+  }) => apiFetch<User>('/api/v1/identity/users', { method: 'POST', body: JSON.stringify(body) }),
+  listRoles: () => apiFetch<Role[]>('/api/v1/identity/roles'),
+  createRole: (body: {
+    code: string; name: string; description?: string | null
+  }) => apiFetch<Role>('/api/v1/identity/roles', { method: 'POST', body: JSON.stringify(body) }),
+  getUserRoles: (userId: string) => apiFetch<string[]>(`/api/v1/identity/users/${userId}/roles`),
+  assignRole: (userId: string, roleCode: string) =>
+    apiFetch<void>(`/api/v1/identity/users/${userId}/roles/${roleCode}`, { method: 'POST' }, false),
+  revokeRole: (userId: string, roleCode: string) =>
+    apiFetch<void>(`/api/v1/identity/users/${userId}/roles/${roleCode}`, { method: 'DELETE' }, false),
+}
+
 // ─── Catalog ─────────────────────────────────────────────────────────
 export const catalog = {
@@ -65,6 +65,13 @@ const NAV: NavGroup[] = [
     heading: 'Finance',
     items: [{ to: '/journal-entries', label: 'Journal Entries' }],
   },
+  {
+    heading: 'System',
+    items: [
+      { to: '/users', label: 'Users' },
+      { to: '/roles', label: 'Roles' },
+    ],
+  },
 ]
 export function AppLayout() {
+import { useState, type FormEvent } from 'react'
+import { useNavigate } from 'react-router-dom'
+import { identity } from '@/api/client'
+import { PageHeader } from '@/components/PageHeader'
+import { ErrorBox } from '@/components/ErrorBox'
+
+export function CreateUserPage() {
+  const navigate = useNavigate()
+  const [username, setUsername] = useState('')
+  const [displayName, setDisplayName] = useState('')
+  const [email, setEmail] = useState('')
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState<Error | null>(null)
+
+  const onSubmit = async (e: FormEvent) => {
+    e.preventDefault()
+    setError(null)
+    setSubmitting(true)
+    try {
+      const user = await identity.createUser({
+        username, displayName, email: email || null,
+      })
+      navigate(`/users/${user.id}`)
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err : new Error(String(err)))
+    } finally {
+      setSubmitting(false)
+    }
+  }
+
+  return (
+    <div>
+      <PageHeader
+        title="New User"
+        subtitle="Create a user account. Assign roles on the detail page after creation."
+        actions={<button className="btn-secondary" onClick={() => navigate('/users')}>Cancel</button>}
+      />
+      <form onSubmit={onSubmit} className="card p-6 space-y-4 max-w-lg">
+        <div>
+          <label className="block text-sm font-medium text-slate-700">Username</label>
+          <input type="text" required value={username} onChange={(e) => setUsername(e.target.value)}
+            placeholder="jdoe" className="mt-1 w-full rounded-md border border-slate-300 px-3 py-2 text-sm" />
+        </div>
+        <div>
+          <label className="block text-sm font-medium text-slate-700">Display name</label>
+          <input type="text" required value={displayName} onChange={(e) => setDisplayName(e.target.value)}
+            placeholder="Jane Doe" className="mt-1 w-full rounded-md border border-slate-300 px-3 py-2 text-sm" />
+        </div>
+        <div>
+          <label className="block text-sm font-medium text-slate-700">Email (optional)</label>
+          <input type="email" value={email} onChange={(e) => setEmail(e.target.value)}
+            className="mt-1 w-full rounded-md border border-slate-300 px-3 py-2 text-sm" />
+        </div>
+        {error && <ErrorBox error={error} />}
+        <button type="submit" className="btn-primary" disabled={submitting}>
+          {submitting ? 'Creating...' : 'Create User'}
+        </button>
+      </form>
+    </div>
+  )
+}
+import { useEffect, useState, type FormEvent } from 'react'
+import { identity } from '@/api/client'
+import type { Role } from '@/types/api'
+import { PageHeader } from '@/components/PageHeader'
+import { Loading } from '@/components/Loading'
+import { ErrorBox } from '@/components/ErrorBox'
+import { DataTable, type Column } from '@/components/DataTable'
+
+export function RolesPage() {
+  const [rows, setRows] = useState<Role[]>([])
+  const [error, setError] = useState<Error | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [showCreate, setShowCreate] = useState(false)
+  const [code, setCode] = useState('')
+  const [name, setName] = useState('')
+  const [creating, setCreating] = useState(false)
+
+  const load = () => {
+    identity
+      .listRoles()
+      .then(setRows)
+      .catch((e: unknown) => setError(e instanceof Error ? e : new Error(String(e))))
+      .finally(() => setLoading(false))
+  }
+
+  useEffect(() => { load() }, []) // eslint-disable-line react-hooks/exhaustive-deps
+
+  const onCreate = async (e: FormEvent) => {
+    e.preventDefault()
+    setCreating(true)
+    setError(null)
+    try {
+      await identity.createRole({ code, name })
+      setCode('')
+      setName('')
+      setShowCreate(false)
+      load()
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err : new Error(String(err)))
+    } finally {
+      setCreating(false)
+    }
+  }
+
+  const columns: Column<Role>[] = [
+    { header: 'Code', key: 'code', render: (r) => <span className="font-mono">{r.code}</span> },
+    { header: 'Name', key: 'name' },
+    { header: 'Description', key: 'description', render: (r) => r.description ?? '—' },
+  ]
+
+  return (
+    <div>
+      <PageHeader
+        title="Roles"
+        subtitle="Named bundles of permissions. The 'admin' role has all permissions by default."
+        actions={
+          <button className="btn-primary" onClick={() => setShowCreate(!showCreate)}>
+            {showCreate ? 'Cancel' : '+ New Role'}
+          </button>
+        }
+      />
+      {showCreate && (
+        <form onSubmit={onCreate} className="card p-4 mb-4 max-w-lg flex items-end gap-3">
+          <div className="flex-1">
+            <label className="block text-xs font-medium text-slate-700">Code</label>
+            <input type="text" required value={code} onChange={(e) => setCode(e.target.value)}
+              placeholder="sales-clerk" className="mt-1 w-full rounded-md border border-slate-300 px-2 py-1.5 text-sm" />
+          </div>
+          <div className="flex-1">
+            <label className="block text-xs font-medium text-slate-700">Name</label>
+            <input type="text" required value={name} onChange={(e) => setName(e.target.value)}
+              placeholder="Sales Clerk" className="mt-1 w-full rounded-md border border-slate-300 px-2 py-1.5 text-sm" />
+          </div>
+          <button type="submit" className="btn-primary" disabled={creating}>
+            {creating ? '...' : 'Create'}
+          </button>
+        </form>
+      )}
+      {loading && <Loading />}
+      {error && <ErrorBox error={error} />}
+      {!loading && !error && <DataTable rows={rows} columns={columns} />}
+    </div>
+  )
+}
+// User detail page with role assignment.
+//
+// Displays user info and lets an admin assign/revoke roles in one
+// click. The role changes take effect on the user's NEXT login
+// (the JWT carries the roles claim from login time).
+
+import { useCallback, useEffect, useState } from 'react'
+import { useNavigate, useParams } from 'react-router-dom'
+import { identity } from '@/api/client'
+import type { Role, User } from '@/types/api'
+import { PageHeader } from '@/components/PageHeader'
+import { Loading } from '@/components/Loading'
+import { ErrorBox } from '@/components/ErrorBox'
+
+export function UserDetailPage() {
+  const { id = '' } = useParams<{ id: string }>()
+  const navigate = useNavigate()
+  const [user, setUser] = useState<User | null>(null)
+  const [allRoles, setAllRoles] = useState<Role[]>([])
+  const [userRoleCodes, setUserRoleCodes] = useState<string[]>([])
+  const [loading, setLoading] = useState(true)
+  const [acting, setActing] = useState(false)
+  const [error, setError] = useState<Error | null>(null)
+
+  const refresh = useCallback(async () => {
+    const [u, roles, uRoles] = await Promise.all([
+      identity.getUser(id),
+      identity.listRoles(),
+      identity.getUserRoles(id),
+    ])
+    setUser(u)
+    setAllRoles(roles)
+    setUserRoleCodes(uRoles)
+  }, [id])
+
+  useEffect(() => {
+    refresh()
+      .catch((e: unknown) => setError(e instanceof Error ? e : new Error(String(e))))
+      .finally(() => setLoading(false))
+  }, [refresh])
+
+  const toggle = async (roleCode: string, has: boolean) => {
+    setActing(true)
+    setError(null)
+    try {
+      if (has) {
+        await identity.revokeRole(id, roleCode)
+      } else {
+        await identity.assignRole(id, roleCode)
+      }
+      await refresh()
+    } catch (e: unknown) {
+      setError(e instanceof Error ? e : new Error(String(e)))
+    } finally {
+      setActing(false)
+    }
+  }
+
+  if (loading) return <Loading />
+  if (error && !user) return <ErrorBox error={error} />
+  if (!user) return <ErrorBox error="User not found" />
+
+  return (
+    <div>
+      <PageHeader
+        title={user.displayName}
+        subtitle={`@${user.username} · ${user.enabled ? 'Active' : 'Disabled'}${user.email ? ' · ' + user.email : ''}`}
+        actions={
+          <button className="btn-secondary" onClick={() => navigate('/users')}>
+            ← Back
+          </button>
+        }
+      />
+
+      {error && <ErrorBox error={error} />}
+
+      <div className="card p-5 max-w-lg">
+        <h2 className="mb-3 text-base font-semibold text-slate-800">Roles</h2>
+        <p className="mb-4 text-xs text-slate-400">
+          Toggle roles on/off. Changes take effect on the user's next login.
+        </p>
+        {allRoles.length === 0 && (
+          <p className="text-sm text-slate-400">No roles defined yet. Create one on the Roles page.</p>
+        )}
+        <div className="space-y-2">
+          {allRoles.map((role) => {
+            const has = userRoleCodes.includes(role.code)
+            return (
+              <div
+                key={role.id}
+                className="flex items-center justify-between rounded-md border border-slate-200 px-3 py-2"
+              >
+                <div>
+                  <span className="font-mono text-sm font-medium text-slate-700">{role.code}</span>
+                  <span className="ml-2 text-xs text-slate-400">{role.name}</span>
+                </div>
+                <button
+                  className={has ? 'btn-danger text-xs' : 'btn-primary text-xs'}
+                  disabled={acting}
+                  onClick={() => toggle(role.code, has)}
+                >
+                  {has ? 'Revoke' : 'Assign'}
+                </button>
+              </div>
+            )
+          })}
+        </div>
+      </div>
+    </div>
+  )
+}
+import { useEffect, useState } from 'react'
+import { Link } from 'react-router-dom'
+import { identity } from '@/api/client'
+import type { User } from '@/types/api'
+import { PageHeader } from '@/components/PageHeader'
+import { Loading } from '@/components/Loading'
+import { ErrorBox } from '@/components/ErrorBox'
+import { DataTable, type Column } from '@/components/DataTable'
+
+export function UsersPage() {
+  const [rows, setRows] = useState<User[]>([])
+  const [error, setError] = useState<Error | null>(null)
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    identity
+      .listUsers()
+      .then(setRows)
+      .catch((e: unknown) => setError(e instanceof Error ? e : new Error(String(e))))
+      .finally(() => setLoading(false))
+  }, [])
+
+  const columns: Column<User>[] = [
+    {
+      header: 'Username',
+      key: 'username',
+      render: (r) => (
+        <Link to={`/users/${r.id}`} className="font-mono text-brand-600 hover:underline">
+          {r.username}
+        </Link>
+      ),
+    },
+    { header: 'Display name', key: 'displayName' },
+    { header: 'Email', key: 'email', render: (r) => r.email ?? '—' },
+    {
+      header: 'Enabled',
+      key: 'enabled',
+      render: (r) =>
+        r.enabled ? (
+          <span className="text-emerald-600">Active</span>
+        ) : (
+          <span className="text-slate-400">Disabled</span>
+        ),
+    },
+  ]
+
+  return (
+    <div>
+      <PageHeader
+        title="Users"
+        subtitle="User accounts in this instance. The admin role has all permissions."
+        actions={<Link to="/users/new" className="btn-primary">+ New User</Link>}
+      />
+      {loading && <Loading />}
+      {error && <ErrorBox error={error} />}
+      {!loading && !error && <DataTable rows={rows} columns={columns} />}
+    </div>
+  )
+}
@@ -40,6 +40,23 @@ export interface TokenPair {
   tokenType: string
 }
+// ─── Identity (pbc-identity) ─────────────────────────────────────────
+
+export interface User {
+  id: string
+  username: string
+  displayName: string
+  email: string | null
+  enabled: boolean
+}
+
+export interface Role {
+  id: string
+  code: string
+  name: string
+  description: string | null
+}
+
 // ─── Catalog (pbc-catalog) ───────────────────────────────────────────
 export type ItemType = 'GOOD' | 'SERVICE' | 'DIGITAL'