feat(template)!: modern <Access> permission system (RBAC + fine-grained)

BREAKING — replaces `<PermissionWrapper>` + `requiredPermissions`
arrays with a centralised, type-safe access policy. No back-compat
shim. Migration is one find-replace per call site; the auth/ folder
docs the new pattern.

New API in `src/auth/access.tsx`:

  defineAccess(userInfo) → AccessMap     // pure factory
  useAccess()            → AccessMap     // hook reading TanStack cache
  <Access accessible fallback>           // declarative gate
  <ProtectedRoute requireAccess={fn}>    // route-level + redirect

Hybrid RBAC + ACL backend shape:

  UserInfo {
    roles?: string[]                          // coarse, drives most flags
    permissions?: Record<string, string[]>    // fine-grained overlay
  }

`defineAccess` exposes two helpers (`is(...roles)`, `can(resource, action)`)
that the policy author combines into named boolean flags
(`canViewMonitor`, `canManageContent`, `isAdmin`, …). Pages never
inspect raw roles/permissions — they only consume the booleans.

`src/routes.ts` route nodes lose `requiredPermissions`/`oneOfPerm` and
gain an `access?: (a: AccessMap) => boolean` predicate. `useRoute`
filters the tree against `defineAccess(userInfo)` and picks a
sensible default landing.

Mock backend (`src/mock/user.ts`) now ships both `roles: ['admin'|'user']`
and the legacy `permissions: {...}` overlay so the demo exercises both
code paths. Switching role at runtime (via the dropdown in the navbar
that updates `userRole` in localStorage) flips which menu items appear
just like before.

Migrated 3 call sites: `pages/list/search-table/index.tsx`,
`pages/list/card/card-block.tsx` (×2). Removed `src/components/PermissionWrapper/`
and `src/utils/authentication.ts`.

Verified:
- `tsc --noEmit` clean
- vitest 3/3
- Playwright smoke 4/4 (login, search-table, theme cycle, 404)
- CLI tests 62/63 (1 skipped, unchanged)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: wn0x00

CHANGELOG.md

@@ -5,6 +5,15 @@ Format loosely follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/);
 versions follow [SemVer](https://semver.org/). The npm registry is the
 source of truth: <https://www.npmjs.com/package/@guanzhu.me/arco-cli>.
 
+## [0.13.0] — 2026-05-21
+- **Feat (breaking, template)** Modern `<Access>` permission system. Replaces the previous `<PermissionWrapper>` + `requiredPermissions` array convention with a hybrid RBAC + fine-grained model that mirrors ant-design-pro's `<Access>` API:
+  - **`src/auth/access.tsx`** — `defineAccess(userInfo)` factory + `useAccess()` hook + `<Access accessible fallback>` component. All boolean flags consumed by the UI live in one place; backend shape changes are a one-file edit.
+  - Backend shape: `userInfo` now exposes both **`roles: string[]`** (coarse RBAC) and **`permissions?: Record<string, string[]>`** (optional fine-grained overlay). The frontend `defineAccess` uses both — most flags resolve from roles alone, occasional `can(resource, action)` checks cover "give this user one extra capability outside their role" cases.
+  - **`src/routes.ts`**: route nodes carry an `access?: (a: AccessMap) => boolean` predicate instead of `requiredPermissions: [{ resource, actions }]`. Cleaner type-checked references to central flags.
+  - **`src/auth/ProtectedRoute.tsx`** gains a `requireAccess` prop for route-level gating with redirect to `/exception/403` (override via `denyRedirect`).
+  - Migrated 3 call sites in `pages/list/{search-table,card}` to use `<Access accessible={access.canX}>`.
+  - **Removed** `src/components/PermissionWrapper/` and `src/utils/authentication.ts` — no backward-compat shim.
+
 ## [0.12.1] — 2026-05-21
 - **Security** `pages/login/form.tsx` no longer JSON.stringifies the password into localStorage when "Remember me" is checked. Only the username is persisted, and is rehydrated into the form on next visit (password field stays blank). The locale key + label changed from "Remember password" → "Remember me" / "记住账号".
 - **Fix** `/login` no longer force-sets `arco-theme=light` on mount, so dark-mode users bounced to the login page (e.g. after a 401) don't see a theme flash.
@@ -161,6 +170,7 @@ source of truth: <https://www.npmjs.com/package/@guanzhu.me/arco-cli>.
 ## [0.1.0] — 2026-05
 - **Initial fork** of the abandoned `arco-cli` under `@guanzhu.me/arco-cli`. Preserves the original interactive template selection and `init` flow; modernises packaging, types, and engines.
 
+[0.13.0]: https://github.com/wn0x00/arco-cli/releases/tag/v0.13.0
 [0.12.1]: https://github.com/wn0x00/arco-cli/releases/tag/v0.12.1
 [0.12.0]: https://github.com/wn0x00/arco-cli/releases/tag/v0.12.0
 [0.11.2]: https://github.com/wn0x00/arco-cli/releases/tag/v0.11.2

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@guanzhu.me/arco-cli",
-  "version": "0.12.1",
+  "version": "0.13.0",
   "description": "Scaffold a modern Arco Design admin (Vite 7 + React 18 + strict TS) — community-maintained CLI with a bundled, modernized arco-design-pro starter.",
   "keywords": [
     "arco",

templates/arco-pro-recommend-full/src/api/user.ts

@@ -17,6 +17,17 @@ export interface UserInfo {
   phoneNumber?: string;
   accountId?: string;
   registrationTime?: string;
+  /**
+   * Role keys assigned to the user (RBAC). The frontend's
+   * `defineAccess` (`src/auth/access.ts`) computes most permission
+   * flags by checking membership in this list.
+   */
+  roles?: string[];
+  /**
+   * Optional fine-grained permission overlay — `{ resource: actions[] }`.
+   * Used for "give *this* user one extra capability outside their
+   * role" cases. Most apps will leave this empty and rely on `roles`.
+   */
   permissions?: Record<string, string[]>;
 }
 

templates/arco-pro-recommend-full/src/auth/ProtectedRoute.tsx

@@ -1,17 +1,49 @@
 import { Navigate, useLocation } from 'react-router-dom';
 import { useAuth } from './useAuth';
+import { useAccess, type AccessMap } from './access';
+
+interface ProtectedRouteProps {
+  children: React.ReactNode;
+  /**
+   * Optional access check on top of authentication. Receives the flags
+   * from `useAccess()` and returns `true` to allow rendering. When
+   * false, the user is sent to `/exception/403` (override via
+   * `denyRedirect`).
+   *
+   * ```tsx
+   * <ProtectedRoute requireAccess={(a) => a.isAdmin}>
+   *   <AdminPage />
+   * </ProtectedRoute>
+   * ```
+   */
+  requireAccess?: (access: AccessMap) => boolean;
+  /** Where to send the user when `requireAccess` returns false. */
+  denyRedirect?: string;
+}
 
 /**
- * Gate the rendered children behind authentication. Unauthenticated
- * users get bounced to `/login` with the original destination tucked
- * into history state so the login form can route them back on success
- * (consumer can read `location.state.from` in the post-login redirect).
+ * Two-layer gate: authentication first, then optional access policy.
+ *
+ * - Unauthenticated visitors get bounced to `/login` with the original
+ *   destination tucked into `location.state.from` so the login form
+ *   can route them back on success.
+ * - Authenticated users without the required access land on a 403 —
+ *   the standard "you are logged in but cannot see this" signal.
  */
-export function ProtectedRoute({ children }: { children: React.ReactNode }) {
+export function ProtectedRoute({
+  children,
+  requireAccess,
+  denyRedirect = '/exception/403',
+}: ProtectedRouteProps) {
   const { isAuthenticated } = useAuth();
+  const access = useAccess();
   const location = useLocation();
+
   if (!isAuthenticated) {
     return <Navigate to="/login" replace state={{ from: location }} />;
   }
+  if (requireAccess && !requireAccess(access)) {
+    return <Navigate to={denyRedirect} replace />;
+  }
   return <>{children}</>;
 }

templates/arco-pro-recommend-full/src/auth/access.tsx

@@ -0,0 +1,113 @@
+import { useMemo, type ReactNode } from 'react';
+import { useUserInfoQuery, type UserInfo } from '@/api/user';
+
+/**
+ * Central permission policy.
+ *
+ * The backend ships **both** structures on `userInfo`:
+ *   - `roles: string[]`                     — coarse, RBAC-style
+ *   - `permissions: Record<string, string[]>` — optional fine-grained overlay
+ *
+ * Most flags are computed from roles alone. A handful of "give *this*
+ * user a specific extra capability" overrides come from `permissions`.
+ * Pages and components only consume the resolved booleans returned by
+ * `defineAccess` / `useAccess` — they never touch the raw structures.
+ *
+ * When the backend renames a role or restructures permissions, the
+ * fix is one edit to this file. When a new feature needs a gate, add
+ * a flag here and consume it via `useAccess()` from any component.
+ *
+ * `userInfo` is `undefined` while the first fetch is in flight — every
+ * flag defaults to `false` (fail closed) so sensitive UI never flashes
+ * visible before permissions resolve.
+ */
+export function defineAccess(userInfo: UserInfo | undefined) {
+  const roles = userInfo?.roles ?? [];
+  const perms = userInfo?.permissions ?? {};
+
+  /** Has at least one of the listed roles. */
+  const is = (...roleKeys: string[]): boolean =>
+    roleKeys.some((r) => roles.includes(r));
+
+  /** Has `action` on `resource` (or the wildcard `'*'`) via permissions overlay. */
+  const can = (resource: string, action: string): boolean => {
+    const granted = perms[resource];
+    if (!granted) return false;
+    return granted.includes('*') || granted.includes(action);
+  };
+
+  return {
+    // ─── Role-based (mirrors the mock's 'admin' / 'user' seed) ─────
+    isAdmin: is('admin'),
+
+    // ─── Feature gates (role OR explicit permission grant) ─────────
+    // Most apps lean almost entirely on roles and sprinkle `can(...)`
+    // overrides only when a single user needs a capability outside
+    // their role.
+    canViewMonitor: is('admin') || can('menu.dashboard.monitor', 'write'),
+    canViewAnalytics:
+      is('admin', 'analyst') || can('menu.visualization.dataAnalysis', 'read'),
+    canViewMultiDim:
+      is('admin') ||
+      can('menu.visualization.dataAnalysis', 'write') ||
+      can('menu.visualization.multiDimensionDataAnalysis', 'write'),
+    canUseGroupForm: is('admin') || can('menu.form.group', 'write'),
+    canUseStepForm: is('admin', 'user') || can('menu.form.step', 'read'),
+
+    // ─── Element-level (used by buttons inside pages) ──────────────
+    canViewLists:
+      is('admin', 'user', 'editor') ||
+      can('menu.list.searchTable', 'read') ||
+      can('menu.list.cardList', 'read'),
+    canManageContent: is('admin', 'editor') || can('menu.list.searchTable', 'write'),
+  };
+}
+
+export type AccessMap = ReturnType<typeof defineAccess>;
+
+/**
+ * Pre-computed permission flags for the current user. Pages read these
+ * via `access.canX` and pass them to `<Access>` or use them directly
+ * for non-rendering logic (disabled state, tab visibility, etc.).
+ *
+ * The underlying `useUserInfoQuery` is cached by TanStack Query so
+ * calling `useAccess()` in many components is cheap — they all share
+ * the one userInfo fetch.
+ */
+export function useAccess(): AccessMap {
+  const { data: userInfo } = useUserInfoQuery();
+  return useMemo(() => defineAccess(userInfo), [userInfo]);
+}
+
+interface AccessProps {
+  /** Boolean flag, usually `access.canX` from `useAccess()`. */
+  accessible: boolean;
+  /**
+   * Rendered when `accessible` is false. Default: `null` (hide).
+   * Pass a disabled-but-visible variant (Tooltip + disabled Button)
+   * when "no permission" needs to be discoverable rather than silent.
+   */
+  fallback?: ReactNode;
+  children: ReactNode;
+}
+
+/**
+ * Declarative permission gate. Mirrors ant-design-pro's `<Access>` API
+ * so the muscle memory transfers.
+ *
+ * ```tsx
+ * const access = useAccess();
+ * return (
+ *   <Access accessible={access.canEditUser}>
+ *     <Button onClick={onEdit}>Edit</Button>
+ *   </Access>
+ * );
+ * ```
+ *
+ * For route-level gating use `<ProtectedRoute requireAccess={…}>`
+ * instead — it can redirect to `/exception/403` rather than just
+ * hiding the children.
+ */
+export function Access({ accessible, fallback = null, children }: AccessProps) {
+  return <>{accessible ? children : fallback}</>;
+}

templates/arco-pro-recommend-full/src/components/PermissionWrapper/index.tsx

@@ -63,7 +63,7 @@ function PageLayout() {
     bindNavigator((path, opts) => navigate(path, opts));
   }, [navigate]);
 
-  const [routes, defaultRoute] = useRoute(userInfo?.permissions);
+  const [routes, defaultRoute] = useRoute(userInfo);
   const defaultSelectedKeys = [currentComponent || defaultRoute];
   const paths = (currentComponent || defaultRoute).split('/');
   const defaultOpenKeys = paths.slice(0, paths.length - 1);

templates/arco-pro-recommend-full/src/layout/index.tsx

@@ -2,6 +2,14 @@ import { http, HttpResponse } from 'msw';
 import { random } from './random';
 import { generatePermission } from '@/routes';
 
+// Demo permission seed. A real backend would derive these from the
+// user's DB record + their org's role definitions. Here we hardcode
+// two profiles so the access.ts examples have something to read.
+const ROLE_GRANTS: Record<string, string[]> = {
+  admin: ['admin'],
+  user: ['user'],
+};
+
 const userInfo = (userRole: string) => ({
   name: 'admin',
   avatar: 'https://avatars.githubusercontent.com/u/8186665?s=200&v=4',
@@ -18,6 +26,9 @@ const userInfo = (userRole: string) => ({
   phoneNumber: `177${random.fromCharClass('digit', 6).replace(/./g, '*')}${random.fromCharClass('digit', 2)}`,
   accountId: `${random.fromCharClass('lower', 4)}-${random.fromCharClass('digit', 8)}`,
   registrationTime: random.datetime(),
+  // Hybrid shape: coarse RBAC roles + optional fine-grained overlay.
+  // Frontend's `defineAccess` consumes both.
+  roles: ROLE_GRANTS[userRole] ?? ['user'],
   permissions: generatePermission(userRole),
 });
 

templates/arco-pro-recommend-full/src/mock/user.ts

@@ -21,7 +21,7 @@ import {
   IconCloseCircleFill,
   IconMore,
 } from '@arco-design/web-react/icon';
-import PermissionWrapper from '@/components/PermissionWrapper';
+import { Access, useAccess } from '@/auth/access';
 import useLocale from '@/utils/useLocale';
 import locale from './locale';
 import { QualityInspection, BasicCard } from './interface';
@@ -50,6 +50,7 @@ function CardBlock(props: CardBlockType) {
   const [loading, setLoading] = useState(props.loading);
 
   const t = useLocale(locale);
+  const access = useAccess();
   const changeStatus = async () => {
     setLoading(true);
     await new Promise((resolve) =>
@@ -85,27 +86,19 @@ function CardBlock(props: CardBlockType) {
     if (type === 'quality') {
       return (
         <>
-          <PermissionWrapper
-            requiredPermissions={[
-              { resource: /^menu.list.*/, actions: ['read'] },
-            ]}
-          >
+          <Access accessible={access.canViewLists}>
             <Button
               type="primary"
               style={{ marginLeft: '12px' }}
               loading={loading}
             >
               {t['cardList.options.qualityInspection']}
             </Button>
-          </PermissionWrapper>
+          </Access>
 
-          <PermissionWrapper
-            requiredPermissions={[
-              { resource: /^menu.list.*/, actions: ['write'] },
-            ]}
-          >
+          <Access accessible={access.canManageContent}>
             <Button loading={loading}>{t['cardList.options.remove']}</Button>
-          </PermissionWrapper>
+          </Access>
         </>
       );
     }

templates/arco-pro-recommend-full/src/pages/list/card/card-block.tsx

@@ -7,7 +7,7 @@ import {
   Space,
   Typography,
 } from '@arco-design/web-react';
-import PermissionWrapper from '@/components/PermissionWrapper';
+import { Access, useAccess } from '@/auth/access';
 import { IconDownload, IconPlus } from '@arco-design/web-react/icon';
 import { useSearchTableQuery } from '@/api/list';
 import useLocale from '@/utils/useLocale';
@@ -24,6 +24,7 @@ export const Status = ['已上线', '未上线'];
 
 function SearchTable() {
   const t = useLocale(locale);
+  const access = useAccess();
 
   const tableCallback = async (
     _record: Record<string, unknown>,
@@ -75,11 +76,7 @@ function SearchTable() {
     <Card>
       <Title heading={6}>{t['menu.list.searchTable']}</Title>
       <SearchForm onSearch={handleSearch} />
-      <PermissionWrapper
-        requiredPermissions={[
-          { resource: 'menu.list.searchTable', actions: ['write'] },
-        ]}
-      >
+      <Access accessible={access.canManageContent}>
         <div className={styles['button-group']}>
           <Space>
             <Button type="primary" icon={<IconPlus />}>
@@ -93,7 +90,7 @@ function SearchTable() {
             </Button>
           </Space>
         </div>
-      </PermissionWrapper>
+      </Access>
       <Table
         rowKey="id"
         loading={loading}