feat(examples): global-RBAC authz examples (Dioxus + Leptos)

#16 in tonybierman/arium — merged 2026-05-27

What

A matched pair of minimal examples demonstrating arium's global RBAC authorization axis (flat permission tokens) — the companion to the existing per-resource membership examples (dioxus/leptos-authz-example).

• examples/dioxus-rbac-example
• examples/leptos-rbac-example

The three pieces (each example)

1. A demo editor role seeded at startup carrying one capability token, newsletter:publish. A self-service "Grant me the editor role" toggle (grant_role/revoke_role) stands in for an admin assigning roles, so one fresh account can exercise both the allow and deny paths.
2. PermissionGate — a cosmetic UI gate that shows/hides the publish control from the client's cached token snapshot.
3. publish_newsletter — the server fn that re-checks the token per request against the live permission set (list_permissions_for_user). This is the real boundary; the "Attempt publish anyway" button proves the server rejects unauthorized calls, gate or no gate.

Simpler than the membership siblings: no ResourceAuthority/async-trait — global RBAC reads the session's own permission set.

CI wiring

Like the other single-axis examples, both build the adapter without mail (so signup auto-logs-in and AuthConfig::builder is the 1-arg form), which can't be unified into one workspace build alongside the mail-on fullstack examples. They're therefore excluded from the --workspace test/doc/clippy commands and verified standalone. Added to workspace members + Cargo.lock.

Verification

• Dioxus: cargo check (server) + wasm client check, cargo clippy -- -D warnings, cargo fmt --check
• Leptos: cargo check SSR + hydrate (wasm), cargo clippy -- -D warnings, cargo fmt --check

🤖 Generated with Claude Code