feat(admin): add IA shell and protected section skeleton routes

apps/admin/src/lib/route-guards.ts

@@ -0,0 +1,30 @@
+import { hasPermission, type Permission, type PermissionScope, type Role } from "@cms/content/rbac"
+import { redirect } from "next/navigation"
+
+import { resolveRoleFromServerContext } from "@/lib/access-server"
+
+type RequirePermissionParams = {
+  nextPath: string
+  permission: Permission
+  scope: PermissionScope
+}
+
+export async function requireRoleForRoute(nextPath: string): Promise<Role> {
+  const role = await resolveRoleFromServerContext()
+
+  if (!role) {
+    redirect(`/login?next=${encodeURIComponent(nextPath)}`)
+  }
+
+  return role
+}
+
+export async function requirePermissionForRoute(params: RequirePermissionParams): Promise<Role> {
+  const role = await requireRoleForRoute(params.nextPath)
+
+  if (!hasPermission(role, params.permission, params.scope)) {
+    redirect(`/unauthorized?required=${params.permission}&scope=${params.scope}`)
+  }
+
+  return role
+}