@jmruthers/pace-core 0.2.4

package/dist/rbac/index.d.ts

@@ -0,0 +1,1918 @@
+import { SupabaseClient } from '@supabase/supabase-js';
+import { D as Database } from '../database-C3Szpi5J.js';
+import React__default, { ReactNode } from 'react';
+import * as react_jsx_runtime from 'react/jsx-runtime';
+
+/**
+ * RBAC (Role-Based Access Control) Types - Build Contract Compliant
+ * @package @jmruthers/pace-core
+ * @module RBAC/Types
+ * @since 1.0.0
+ *
+ * This module defines the core types for the RBAC system that match the build contract exactly.
+ * All types are designed to be framework-agnostic and provide strong typing for permission operations.
+ */
+
+type UUID = string;
+type Operation = 'read' | 'create' | 'update' | 'delete' | 'manage';
+type Permission = `${Operation}:${string}`;
+type AccessLevel = 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
+type Scope = {
+    organisationId?: UUID;
+    eventId?: string;
+    appId?: UUID;
+};
+type PermissionCheck = {
+    userId: UUID;
+    scope: Scope;
+    permission: Permission;
+    pageId?: UUID | string;
+};
+type PermissionMap = Record<string, Operation[]>;
+type GlobalRole = 'super_admin';
+type OrganisationRole = 'supporter' | 'member' | 'leader' | 'org_admin';
+type EventAppRole = 'viewer' | 'participant' | 'planner' | 'event_admin';
+type AuditEventType = 'permission_check' | 'permission_denied' | 'role_granted' | 'role_denied' | 'rls_denied';
+type AuditEventSource = 'api' | 'ui' | 'middleware' | 'rls';
+interface RBACAuditEvent {
+    id: UUID;
+    event_type: AuditEventType;
+    user_id: UUID;
+    organisation_id: UUID;
+    event_id?: string;
+    app_id?: UUID;
+    page_id?: UUID;
+    permission?: string;
+    decision?: boolean;
+    source?: AuditEventSource;
+    bypass?: boolean;
+    duration_ms?: number;
+    metadata: Record<string, any>;
+    created_at: string;
+}
+interface PermissionCacheKey {
+    userId: UUID;
+    organisationId?: UUID;
+    eventId?: string;
+    appId?: UUID;
+}
+interface UsePermissionsReturn {
+    permissions: PermissionMap;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+}
+interface UseCanReturn {
+    can: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    check: () => Promise<void>;
+}
+declare class RBACError extends Error {
+    code: string;
+    context?: Record<string, any> | undefined;
+    constructor(message: string, code: string, context?: Record<string, any> | undefined);
+}
+declare class PermissionDeniedError extends RBACError {
+    constructor(permission: Permission, context?: Record<string, any>);
+}
+declare class OrganisationContextRequiredError extends RBACError {
+    constructor();
+}
+declare class RBACNotInitializedError extends RBACError {
+    constructor();
+}
+declare class InvalidScopeError extends RBACError {
+    constructor(scope: Scope, reason: string);
+}
+declare class MissingUserContextError extends RBACError {
+    constructor();
+}
+
+/**
+ * RBAC Configuration
+ * @package @jmruthers/pace-core
+ * @module RBAC/Config
+ * @since 1.0.0
+ *
+ * This module provides configuration options for the RBAC system.
+ */
+
+type LogLevel = 'error' | 'warn' | 'info' | 'debug';
+interface RBACConfig {
+    supabase: SupabaseClient<Database>;
+    debug?: boolean;
+    logLevel?: LogLevel;
+    developmentMode?: boolean;
+    mockPermissions?: Record<string, boolean>;
+    cache?: {
+        ttl?: number;
+        enabled?: boolean;
+    };
+    audit?: {
+        enabled?: boolean;
+        logLevel?: LogLevel;
+    };
+}
+interface RBACLogger {
+    error: (message: string, ...args: unknown[]) => void;
+    warn: (message: string, ...args: unknown[]) => void;
+    info: (message: string, ...args: unknown[]) => void;
+    debug: (message: string, ...args: unknown[]) => void;
+}
+declare function createRBACConfig(config: RBACConfig): RBACConfig;
+declare function getRBACConfig(): RBACConfig | null;
+declare function getRBACLogger(): RBACLogger;
+declare function isDebugMode(): boolean;
+declare function isDevelopmentMode(): boolean;
+
+/**
+ * Secure Supabase Client for RBAC
+ * @package @jmruthers/pace-core
+ * @module RBAC/SecureClient
+ * @since 1.0.0
+ *
+ * This module provides a secure Supabase client that enforces organisation context
+ * and prevents direct database access outside of the RBAC system.
+ */
+
+/**
+ * Secure Supabase Client that enforces organisation context
+ *
+ * This client automatically injects organisation context into all requests
+ * and prevents queries that don't have the required context.
+ */
+declare class SecureSupabaseClient {
+    private supabase;
+    private supabaseUrl;
+    private supabaseKey;
+    private organisationId;
+    private eventId?;
+    private appId?;
+    constructor(supabaseUrl: string, supabaseKey: string, organisationId: UUID, eventId?: string, appId?: UUID);
+    /**
+     * Setup context injection for all database operations
+     */
+    private setupContextInjection;
+    /**
+     * Inject organisation context into a query
+     */
+    private injectContext;
+    /**
+     * Add organisation filter to a query
+     */
+    private addOrganisationFilter;
+    /**
+     * Validate that required context is present
+     */
+    private validateContext;
+    /**
+     * Get the current organisation ID
+     */
+    getOrganisationId(): UUID;
+    /**
+     * Get the current event ID
+     */
+    getEventId(): string | undefined;
+    /**
+     * Get the current app ID
+     */
+    getAppId(): UUID | undefined;
+    /**
+     * Create a new client with updated context
+     */
+    withContext(updates: {
+        organisationId?: UUID;
+        eventId?: string;
+        appId?: UUID;
+    }): SecureSupabaseClient;
+    /**
+     * Get the underlying Supabase client (for internal use only)
+     * @internal
+     */
+    getClient(): SupabaseClient<Database>;
+}
+/**
+ * Create a secure Supabase client with organisation context
+ *
+ * @param supabaseUrl - Supabase project URL
+ * @param supabaseKey - Supabase anon key
+ * @param organisationId - Required organisation ID
+ * @param eventId - Optional event ID
+ * @param appId - Optional app ID
+ * @returns SecureSupabaseClient instance
+ *
+ * @example
+ * ```typescript
+ * const client = createSecureClient(
+ *   'https://your-project.supabase.co',
+ *   'your-anon-key',
+ *   'org-123',
+ *   'event-456',
+ *   'app-789'
+ * );
+ * ```
+ */
+declare function createSecureClient(supabaseUrl: string, supabaseKey: string, organisationId: UUID, eventId?: string, appId?: UUID): SecureSupabaseClient;
+/**
+ * Create a secure client from an existing Supabase client
+ *
+ * @param client - Existing Supabase client
+ * @param organisationId - Required organisation ID
+ * @param eventId - Optional event ID
+ * @param appId - Optional app ID
+ * @returns SecureSupabaseClient instance
+ */
+declare function fromSupabaseClient(client: SupabaseClient<Database>, organisationId: UUID, eventId?: string, appId?: UUID): SecureSupabaseClient;
+
+/**
+ * RBAC Cache Implementation
+ * @package @jmruthers/pace-core
+ * @module RBAC/Cache
+ * @since 1.0.0
+ *
+ * This module provides caching functionality for RBAC operations with TTL and invalidation.
+ */
+
+/**
+ * In-memory cache for RBAC operations
+ *
+ * Provides 60-second TTL and pattern-based invalidation for permission checks.
+ */
+declare class RBACCache {
+    private cache;
+    private readonly TTL;
+    private invalidationCallbacks;
+    /**
+     * Get a value from the cache
+     *
+     * @param key - Cache key
+     * @returns Cached value or null if not found/expired
+     */
+    get<T>(key: string): T | null;
+    /**
+     * Set a value in the cache
+     *
+     * @param key - Cache key
+     * @param data - Data to cache
+     * @param ttl - Time to live in milliseconds (defaults to 60s)
+     */
+    set<T>(key: string, data: T, ttl?: number): void;
+    /**
+     * Delete a specific key from the cache
+     *
+     * @param key - Cache key to delete
+     */
+    delete(key: string): void;
+    /**
+     * Invalidate cache entries matching a pattern
+     *
+     * @param pattern - Pattern to match against cache keys
+     */
+    invalidate(pattern: string): void;
+    /**
+     * Clear all cache entries
+     */
+    clear(): void;
+    /**
+     * Get cache statistics
+     */
+    getStats(): {
+        size: number;
+        ttl: number;
+        keys: string[];
+    };
+    /**
+     * Add an invalidation callback
+     *
+     * @param callback - Function to call when cache is invalidated
+     */
+    onInvalidate(callback: (pattern: string) => void): () => void;
+    /**
+     * Generate cache key for permission check
+     *
+     * @param key - Permission cache key object
+     * @returns String cache key
+     */
+    static generatePermissionKey(key: PermissionCacheKey): string;
+    /**
+     * Generate cache key for access level
+     *
+     * @param userId - User ID
+     * @param organisationId - Organisation ID
+     * @param eventId - Event ID (optional)
+     * @param appId - App ID (optional)
+     * @returns String cache key
+     */
+    static generateAccessLevelKey(userId: UUID, organisationId: UUID, eventId?: string, appId?: UUID): string;
+    /**
+     * Generate cache key for permission map
+     *
+     * @param userId - User ID
+     * @param organisationId - Organisation ID
+     * @param eventId - Event ID (optional)
+     * @param appId - App ID (optional)
+     * @returns String cache key
+     */
+    static generatePermissionMapKey(userId: UUID, organisationId: UUID, eventId?: string, appId?: UUID): string;
+}
+/**
+ * Global cache instance
+ *
+ * This is the default cache instance used by the RBAC system.
+ * You can create additional instances if needed for different contexts.
+ */
+declare const rbacCache: RBACCache;
+/**
+ * Cache key patterns for invalidation
+ */
+declare const CACHE_PATTERNS: {
+    readonly USER: (userId: UUID) => string;
+    readonly ORGANISATION: (organisationId: UUID) => string;
+    readonly EVENT: (eventId: string) => string;
+    readonly APP: (appId: UUID) => string;
+    readonly PERMISSION: (userId: UUID, organisationId: UUID) => string;
+};
+
+/**
+ * RBAC Audit Events System
+ * @package @jmruthers/pace-core
+ * @module RBAC/Audit
+ * @since 1.0.0
+ *
+ * This module provides structured audit event emission for all RBAC operations.
+ */
+
+/**
+ * Audit event payload for permission checks
+ */
+interface PermissionCheckAuditEvent {
+    type: 'permission_check';
+    userId: UUID;
+    organisationId: UUID;
+    eventId?: string;
+    appId?: UUID;
+    pageId?: UUID;
+    permission: string;
+    decision: boolean;
+    source: AuditEventSource;
+    bypass?: boolean;
+    duration_ms: number;
+    metadata?: Record<string, any>;
+}
+/**
+ * Audit event payload for permission denied
+ */
+interface PermissionDeniedAuditEvent {
+    type: 'permission_denied';
+    userId: UUID;
+    organisationId: UUID;
+    eventId?: string;
+    appId?: UUID;
+    pageId?: UUID;
+    permission: string;
+    source: AuditEventSource;
+    metadata?: Record<string, any>;
+}
+/**
+ * Audit event payload for role granted
+ */
+interface RoleGrantedAuditEvent {
+    type: 'role_granted';
+    userId: UUID;
+    organisationId: UUID;
+    eventId?: string;
+    appId?: UUID;
+    role: string;
+    grantedBy: UUID;
+    metadata?: Record<string, any>;
+}
+/**
+ * Audit event payload for role revoked
+ */
+interface RoleRevokedAuditEvent {
+    type: 'role_denied';
+    userId: UUID;
+    organisationId: UUID;
+    eventId?: string;
+    appId?: UUID;
+    role: string;
+    revokedBy: UUID;
+    metadata?: Record<string, any>;
+}
+/**
+ * Audit event payload for RLS denied
+ */
+interface RLSDeniedAuditEvent {
+    type: 'rls_denied';
+    userId: UUID;
+    organisationId: UUID;
+    table: string;
+    operation: string;
+    metadata?: Record<string, any>;
+}
+/**
+ * Union type for all audit events
+ */
+type AuditEventPayload = PermissionCheckAuditEvent | PermissionDeniedAuditEvent | RoleGrantedAuditEvent | RoleRevokedAuditEvent | RLSDeniedAuditEvent;
+/**
+ * RBAC Audit Manager
+ *
+ * Handles emission of structured audit events for all RBAC operations.
+ */
+declare class RBACAuditManager {
+    private supabase;
+    private enabled;
+    constructor(supabase: SupabaseClient<Database>);
+    /**
+     * Enable or disable audit logging
+     *
+     * @param enabled - Whether to enable audit logging
+     */
+    setEnabled(enabled: boolean): void;
+    /**
+     * Check if audit logging is enabled
+     *
+     * @returns True if audit logging is enabled
+     */
+    isEnabled(): boolean;
+    /**
+     * Emit an audit event
+     *
+     * @param event - Audit event payload
+     * @returns Promise that resolves when event is logged
+     */
+    emitEvent(event: AuditEventPayload): Promise<void>;
+    /**
+     * Emit a permission check audit event
+     *
+     * @param event - Permission check event data
+     */
+    emitPermissionCheck(event: Omit<PermissionCheckAuditEvent, 'type'>): Promise<void>;
+    /**
+     * Emit a permission denied audit event
+     *
+     * @param event - Permission denied event data
+     */
+    emitPermissionDenied(event: Omit<PermissionDeniedAuditEvent, 'type'>): Promise<void>;
+    /**
+     * Emit a role granted audit event
+     *
+     * @param event - Role granted event data
+     */
+    emitRoleGranted(event: Omit<RoleGrantedAuditEvent, 'type'>): Promise<void>;
+    /**
+     * Emit a role revoked audit event
+     *
+     * @param event - Role revoked event data
+     */
+    emitRoleRevoked(event: Omit<RoleRevokedAuditEvent, 'type'>): Promise<void>;
+    /**
+     * Emit an RLS denied audit event
+     *
+     * @param event - RLS denied event data
+     */
+    emitRLSDenied(event: Omit<RLSDeniedAuditEvent, 'type'>): Promise<void>;
+    /**
+     * Get audit events for a user
+     *
+     * @param userId - User ID
+     * @param limit - Maximum number of events to return
+     * @returns Promise resolving to audit events
+     */
+    getUserAuditEvents(userId: UUID, limit?: number): Promise<RBACAuditEvent[]>;
+    /**
+     * Get audit events for an organisation
+     *
+     * @param organisationId - Organisation ID
+     * @param limit - Maximum number of events to return
+     * @returns Promise resolving to audit events
+     */
+    getOrganisationAuditEvents(organisationId: UUID, limit?: number): Promise<RBACAuditEvent[]>;
+}
+/**
+ * Create an audit manager instance
+ *
+ * @param supabase - Supabase client
+ * @returns RBACAuditManager instance
+ */
+declare function createAuditManager(supabase: SupabaseClient<Database>): RBACAuditManager;
+/**
+ * Set the global audit manager
+ *
+ * @param manager - Audit manager instance
+ */
+declare function setGlobalAuditManager(manager: RBACAuditManager): void;
+/**
+ * Get the global audit manager
+ *
+ * @returns Global audit manager or null if not set
+ */
+declare function getGlobalAuditManager(): RBACAuditManager | null;
+/**
+ * Emit an audit event using the global audit manager
+ *
+ * @param event - Audit event payload
+ */
+declare function emitAuditEvent(event: AuditEventPayload): Promise<void>;
+
+/**
+ * RBAC Security Enhancements
+ * @package @jmruthers/pace-core
+ * @module RBAC/Security
+ * @since 1.0.0
+ *
+ * Additional security measures for the RBAC system
+ */
+
+/**
+ * Security context for RBAC operations
+ */
+interface SecurityContext {
+    userId: UUID;
+    organisationId: UUID;
+    ipAddress?: string;
+    userAgent?: string;
+    timestamp: Date;
+}
+
+/**
+ * RBAC Core Engine
+ * @package @jmruthers/pace-core
+ * @module RBAC/Engine
+ * @since 1.0.0
+ *
+ * This module implements the core RBAC permission algorithm with deny-overrides-allow precedence.
+ */
+
+/**
+ * RBAC Engine
+ *
+ * Implements the core permission algorithm with deny-overrides-allow precedence.
+ */
+declare class RBACEngine {
+    private supabase;
+    private securityMiddleware;
+    constructor(supabase: SupabaseClient<Database>);
+    /**
+     * Check if a user has a specific permission
+     *
+     * @param input - Permission check input
+     * @param securityContext - Optional security context for enhanced validation
+     * @returns Promise resolving to permission result
+     */
+    isPermitted(input: PermissionCheck, securityContext?: SecurityContext): Promise<boolean>;
+    /**
+     * Get user's access level in a scope
+     *
+     * @param input - Access level input
+     * @returns Promise resolving to access level
+     */
+    getAccessLevel(input: {
+        userId: UUID;
+        scope: Scope;
+    }): Promise<AccessLevel>;
+    /**
+     * Get user's permission map for a scope
+     *
+     * @param input - Permission map input
+     * @returns Promise resolving to permission map
+     */
+    getPermissionMap(input: {
+        userId: UUID;
+        scope: Scope;
+    }): Promise<PermissionMap>;
+    /**
+     * Check if user is super admin
+     *
+     * @param userId - User ID
+     * @returns Promise resolving to super admin status
+     */
+    private checkSuperAdmin;
+    /**
+     * Get app configuration including requires_event setting
+     *
+     * @param appId - App ID
+     * @returns Promise resolving to app configuration
+     */
+    getAppConfig(appId: UUID): Promise<{
+        requires_event: boolean;
+    } | null>;
+    /**
+     * Resolve organisation ID from event ID
+     *
+     * @param eventId - Event ID
+     * @returns Promise resolving to organisation ID
+     */
+    private resolveOrganisationFromEvent;
+    /**
+     * Validate context requirements based on app configuration
+     *
+     * @param scope - Permission scope
+     * @param appId - Optional app ID
+     * @returns Promise resolving to validated scope with resolved organisation ID
+     */
+    private validateContextRequirements;
+    /**
+     * Collect active grants for a user in a scope
+     *
+     * @param userId - User ID
+     * @param scope - Permission scope
+     * @param pageId - Optional page ID
+     * @returns Promise resolving to grants array
+     *
+     * PRECEDENCE ORDER (closest scope first): page → eventApp → organisation → global
+     */
+    private collectActiveGrants;
+    /**
+     * Check page-specific permissions
+     *
+     * @param userId - User ID
+     * @param pageId - Page ID
+     * @param permission - Permission to check
+     * @param scope - Permission scope
+     * @returns Promise resolving to page permission result
+     */
+    private checkPagePermissions;
+    /**
+     * Get organisation role for a user
+     *
+     * @param userId - User ID
+     * @param organisationId - Organisation ID
+     * @returns Promise resolving to organisation role
+     */
+    private getOrganisationRole;
+    /**
+     * Get event-app role for a user
+     *
+     * @param userId - User ID
+     * @param eventId - Event ID
+     * @param appId - App ID
+     * @returns Promise resolving to event-app role
+     */
+    private getEventAppRole;
+    /**
+     * Get permission for organisation role
+     *
+     * @param role - Organisation role
+     * @returns Permission string
+     */
+    private getPermissionForOrgRole;
+    /**
+     * Get permission for event-app role
+     *
+     * @param role - Event-app role
+     * @returns Permission string
+     */
+    private getPermissionForEventRole;
+    /**
+     * Check if a permission matches another permission
+     *
+     * @param grantPermission - Permission from grant
+     * @param requestedPermission - Requested permission
+     * @returns True if permissions match
+     */
+    private permissionMatches;
+    /**
+     * Resolve a page ID to UUID if it's a page name
+     *
+     * @param pageId - Page ID (UUID) or page name (string)
+     * @param appId - App ID to look up the page
+     * @returns Resolved page ID (UUID) or original pageId if it's already a UUID or can't be resolved
+     */
+    private resolvePageId;
+}
+/**
+ * Create an RBAC engine instance
+ *
+ * @param supabase - Supabase client
+ * @returns RBACEngine instance
+ */
+declare function createRBACEngine(supabase: SupabaseClient<Database>): RBACEngine;
+
+/**
+ * RBAC React Hooks
+ * @package @jmruthers/pace-core
+ * @module RBAC/Hooks
+ * @since 1.0.0
+ *
+ * This module provides React hooks for RBAC functionality.
+ */
+
+/**
+ * Hook to get user's permissions in a scope
+ *
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @returns Permission data and loading state
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { permissions, isLoading, error } = usePermissions(
+ *     'user-123',
+ *     { organisationId: 'org-456' }
+ *   );
+ *
+ *   if (isLoading) return <div>Loading...</div>;
+ *   if (error) return <div>Error: {error.message}</div>;
+ *
+ *   return (
+ *     <div>
+ *       {permissions['page-1']?.includes('read') && <ReadButton />}
+ *       {permissions['page-1']?.includes('manage') && <ManageButton />}
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+declare function usePermissions(userId: UUID, scope: Scope): UsePermissionsReturn;
+/**
+ * Hook to check if user has a specific permission
+ *
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permission - Permission to check
+ * @param pageId - Optional page ID
+ * @param useCache - Whether to use cached results (default: true)
+ * @returns Permission check result and loading state
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { can, isLoading } = useCan(
+ *     'user-123',
+ *     { organisationId: 'org-456' },
+ *     'manage:events',
+ *     'page-789'
+ *   );
+ *
+ *   if (isLoading) return <div>Checking permission...</div>;
+ *
+ *   return (
+ *     <div>
+ *       {can ? <AdminPanel /> : <AccessDenied />}
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+declare function useCan(userId: UUID, scope: Scope, permission: Permission, pageId?: UUID, useCache?: boolean): UseCanReturn;
+/**
+ * Hook to get user's access level in a scope
+ *
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @returns Access level and loading state
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { accessLevel, isLoading } = useAccessLevel(
+ *     'user-123',
+ *     { organisationId: 'org-456' }
+ *   );
+ *
+ *   if (isLoading) return <div>Loading...</div>;
+ *
+ *   return (
+ *     <div>
+ *       {accessLevel === 'super' && <SuperAdminPanel />}
+ *       {accessLevel === 'admin' && <AdminPanel />}
+ *       {accessLevel === 'planner' && <PlannerPanel />}
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+declare function useAccessLevel(userId: UUID, scope: Scope): {
+    accessLevel: AccessLevel | null;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+};
+/**
+ * Hook to check multiple permissions at once
+ *
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permissions - Array of permissions to check
+ * @param pageId - Optional page ID
+ * @param useCache - Whether to use cached results (default: true)
+ * @returns Object with permission results and loading state
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { permissions, isLoading } = useMultiplePermissions(
+ *     'user-123',
+ *     { organisationId: 'org-456' },
+ *     ['read:events', 'manage:events', 'delete:events']
+ *   );
+ *
+ *   return (
+ *     <div>
+ *       {permissions['read:events'] && <ReadButton />}
+ *       {permissions['manage:events'] && <ManageButton />}
+ *       {permissions['delete:events'] && <DeleteButton />}
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+declare function useMultiplePermissions(userId: UUID, scope: Scope, permissions: Permission[], pageId?: UUID, useCache?: boolean): {
+    permissions: Record<Permission, boolean>;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+};
+/**
+ * Hook to check if user has any of the specified permissions
+ *
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permissions - Array of permissions to check
+ * @param pageId - Optional page ID
+ * @returns True if user has any permission and loading state
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { hasAny, isLoading } = useHasAnyPermission(
+ *     'user-123',
+ *     { organisationId: 'org-456' },
+ *     ['read:events', 'manage:events']
+ *   );
+ *
+ *   return (
+ *     <div>
+ *       {hasAny ? <EventContent /> : <AccessDenied />}
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+declare function useHasAnyPermission(userId: UUID, scope: Scope, permissions: Permission[], pageId?: UUID): {
+    hasAny: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+};
+/**
+ * Hook to check if user has all of the specified permissions
+ *
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permissions - Array of permissions to check
+ * @param pageId - Optional page ID
+ * @returns True if user has all permissions and loading state
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { hasAll, isLoading } = useHasAllPermissions(
+ *     'user-123',
+ *     { organisationId: 'org-456' },
+ *     ['read:events', 'manage:events']
+ *   );
+ *
+ *   return (
+ *     <div>
+ *       {hasAll ? <FullAccessPanel /> : <LimitedAccessPanel />}
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+declare function useHasAllPermissions(userId: UUID, scope: Scope, permissions: Permission[], pageId?: UUID): {
+    hasAll: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+};
+/**
+ * Hook to read cached permissions (contract requirement)
+ *
+ * This hook only reads from the core cache and does not perform
+ * any bespoke caching as per the contract requirements.
+ *
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @returns Cached permission data and loading state
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { permissions, isLoading, error } = useCachedPermissions(
+ *     'user-123',
+ *     { organisationId: 'org-456' }
+ *   );
+ *
+ *   if (isLoading) return <div>Loading cached permissions...</div>;
+ *   if (error) return <div>Error: {error.message}</div>;
+ *
+ *   return (
+ *     <div>
+ *       {permissions['page-1']?.includes('read') && <ReadButton />}
+ *       {permissions['page-1']?.includes('manage') && <ManageButton />}
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+declare function useCachedPermissions(userId: UUID, scope: Scope): {
+    permissions: PermissionMap;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+};
+
+/**
+ * RBAC Adapters
+ * @package @jmruthers/pace-core
+ * @module RBAC/Adapters
+ * @since 1.0.0
+ *
+ * This module provides adapters for different frameworks and server runtimes.
+ */
+
+/**
+ * Permission Guard Component
+ *
+ * A React component that conditionally renders children based on permissions.
+ * Can auto-infer userId from context if not provided.
+ *
+ * @example
+ * ```tsx
+ * // With explicit userId and scope
+ * <PermissionGuard
+ *   userId="user-123"
+ *   scope={{ organisationId: 'org-456' }}
+ *   permission="manage:events"
+ *   pageId="page-789"
+ *   fallback={<AccessDenied />}
+ * >
+ *   <AdminPanel />
+ * </PermissionGuard>
+ *
+ * // With context inference (requires auth context)
+ * <PermissionGuard
+ *   permission="manage:events"
+ *   scope={{ organisationId: 'org-456' }}
+ *   fallback={<AccessDenied />}
+ * >
+ *   <AdminPanel />
+ * </PermissionGuard>
+ * ```
+ */
+declare function PermissionGuard({ userId, scope, permission, pageId, children, fallback, onDenied, loading, strictMode, auditLog, enforceAudit, }: {
+    userId?: UUID;
+    scope: {
+        organisationId: UUID;
+        eventId?: string;
+        appId?: UUID;
+    };
+    permission: Permission;
+    pageId?: UUID;
+    children: ReactNode;
+    fallback?: ReactNode;
+    onDenied?: () => void;
+    loading?: ReactNode;
+    strictMode?: boolean;
+    auditLog?: boolean;
+    enforceAudit?: boolean;
+}): React__default.ReactNode;
+/**
+ * Access Level Guard Component
+ *
+ * A React component that conditionally renders children based on access level.
+ * Can auto-infer userId from context if not provided.
+ *
+ * @example
+ * ```tsx
+ * // With explicit userId and scope
+ * <AccessLevelGuard
+ *   userId="user-123"
+ *   scope={{ organisationId: 'org-456' }}
+ *   minLevel="admin"
+ *   fallback={<AccessDenied />}
+ * >
+ *   <AdminPanel />
+ * </AccessLevelGuard>
+ *
+ * // With context inference (requires auth context)
+ * <AccessLevelGuard
+ *   minLevel="admin"
+ *   scope={{ organisationId: 'org-456' }}
+ *   fallback={<AccessDenied />}
+ * >
+ *   <AdminPanel />
+ * </AccessLevelGuard>
+ * ```
+ */
+declare function AccessLevelGuard({ userId, scope, minLevel, children, fallback, loading, }: {
+    userId?: UUID;
+    scope: {
+        organisationId: UUID;
+        eventId?: string;
+        appId?: UUID;
+    };
+    minLevel: 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
+    children: ReactNode;
+    fallback?: ReactNode;
+    loading?: ReactNode;
+}): React__default.ReactNode;
+/**
+ * Permission Guard for Server Handlers
+ *
+ * Wraps a server handler with permission checking.
+ *
+ * @param config - Permission guard configuration
+ * @param handler - Handler function to wrap
+ * @returns Wrapped handler function
+ *
+ * @example
+ * ```typescript
+ * const protectedHandler = withPermissionGuard(
+ *   { permission: 'manage:events', pageId: 'page-789' },
+ *   async (req, res) => {
+ *     // Handler logic here
+ *     res.json({ success: true });
+ *   }
+ * );
+ * ```
+ */
+declare function withPermissionGuard<T extends any[]>(config: {
+    permission: Permission;
+    pageId?: UUID;
+}, handler: (...args: T) => Promise<any>): (...args: T) => Promise<any>;
+/**
+ * Access Level Guard for Server Handlers
+ *
+ * Wraps a server handler with access level checking.
+ *
+ * @param minLevel - Minimum access level required
+ * @param handler - Handler function to wrap
+ * @returns Wrapped handler function
+ *
+ * @example
+ * ```typescript
+ * const adminHandler = withAccessLevelGuard(
+ *   'admin',
+ *   async (req, res) => {
+ *     // Admin-only logic here
+ *     res.json({ success: true });
+ *   }
+ * );
+ * ```
+ */
+declare function withAccessLevelGuard<T extends any[]>(minLevel: 'viewer' | 'participant' | 'planner' | 'admin' | 'super', handler: (...args: T) => Promise<any>): (...args: T) => Promise<any>;
+/**
+ * Role Guard for Server Handlers
+ *
+ * Wraps a server handler with role-based access control.
+ * This is the primary middleware for routing protection as specified in the contract.
+ *
+ * @param config - Role guard configuration
+ * @param handler - Handler function to wrap
+ * @returns Wrapped handler function
+ *
+ * @example
+ * ```typescript
+ * const adminHandler = withRoleGuard(
+ *   {
+ *     globalRoles: ['super_admin'],
+ *     organisationRoles: ['org_admin', 'leader'],
+ *     eventAppRoles: ['event_admin', 'planner']
+ *   },
+ *   async (req, res) => {
+ *     // Admin-only logic here
+ *     res.json({ success: true });
+ *   }
+ * );
+ * ```
+ */
+declare function withRoleGuard<T extends any[]>(config: {
+    globalRoles?: string[];
+    organisationRoles?: string[];
+    eventAppRoles?: string[];
+    requireAll?: boolean;
+}, handler: (...args: T) => Promise<any>): (...args: T) => Promise<any>;
+/**
+ * Next.js Middleware for RBAC
+ *
+ * Middleware that checks permissions before allowing access to pages.
+ *
+ * @param config - Middleware configuration
+ * @returns Next.js middleware function
+ *
+ * @example
+ * ```typescript
+ * // middleware.ts
+ * import { createRBACMiddleware } from '@jmruthers/pace-core/rbac';
+ *
+ * export default createRBACMiddleware({
+ *   protectedRoutes: [
+ *     { path: '/admin', permission: 'manage:admin' },
+ *     { path: '/events', permission: 'read:events' },
+ *   ],
+ *   fallbackUrl: '/access-denied',
+ * });
+ * ```
+ */
+declare function createRBACMiddleware(config: {
+    protectedRoutes: Array<{
+        path: string;
+        permission: Permission;
+        pageId?: UUID;
+    }>;
+    fallbackUrl?: string;
+}): (req: {
+    nextUrl: {
+        pathname: string;
+    };
+    user?: {
+        id: string;
+    };
+    organisationId?: string;
+}, res: {
+    redirect: (url: string) => void;
+}, next: () => void) => Promise<void>;
+/**
+ * Express Middleware for RBAC
+ *
+ * Middleware that checks permissions for Express routes.
+ *
+ * @param config - Middleware configuration
+ * @returns Express middleware function
+ *
+ * @example
+ * ```typescript
+ * import { createRBACExpressMiddleware } from '@jmruthers/pace-core/rbac';
+ *
+ * app.use(createRBACExpressMiddleware({
+ *   permission: 'read:api',
+ *   pageId: 'api-page-123',
+ * }));
+ * ```
+ */
+declare function createRBACExpressMiddleware(config: {
+    permission: Permission;
+    pageId?: UUID;
+}): (req: {
+    user?: {
+        id: string;
+    };
+    organisationId?: string;
+    eventId?: string;
+    appId?: string;
+}, res: {
+    status: (code: number) => {
+        json: (data: object) => void;
+    };
+}, next: () => void) => Promise<void>;
+/**
+ * Check if a user has a permission (synchronous cache check only)
+ *
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permission - Permission to check
+ * @param pageId - Optional page ID
+ * @returns True if permission is cached and granted
+ */
+declare function hasPermissionCached(userId: UUID, scope: {
+    organisationId: UUID;
+    eventId?: string;
+    appId?: UUID;
+}, _permission: Permission, _pageId?: UUID): boolean;
+/**
+ * Check if a user has any of the specified permissions (synchronous cache check only)
+ *
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permissions - Array of permissions to check
+ * @param pageId - Optional page ID
+ * @returns True if any permission is cached and granted
+ */
+declare function hasAnyPermissionCached(userId: UUID, scope: {
+    organisationId: UUID;
+    eventId?: string;
+    appId?: UUID;
+}, permissions: Permission[], pageId?: UUID): boolean;
+
+interface PagePermissionContextType {
+    /** Check if user has permission for a page */
+    hasPagePermission: (pageName: string, operation: string, pageId?: string, scope?: Scope) => boolean;
+    /** Get all page permissions for current user */
+    getPagePermissions: () => Record<string, string[]>;
+    /** Check if page permission checking is enabled */
+    isEnabled: boolean;
+    /** Check if strict mode is enabled */
+    isStrictMode: boolean;
+    /** Check if audit logging is enabled */
+    isAuditLogEnabled: boolean;
+    /** Get page access history */
+    getPageAccessHistory: () => PageAccessRecord[];
+    /** Clear page access history */
+    clearPageAccessHistory: () => void;
+}
+interface PageAccessRecord {
+    pageName: string;
+    operation: string;
+    userId: UUID;
+    scope: Scope;
+    allowed: boolean;
+    timestamp: string;
+    pageId?: string;
+}
+interface PagePermissionProviderProps {
+    /** Child components */
+    children: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when page access is attempted */
+    onPageAccess?: (pageName: string, operation: string, allowed: boolean, record: PageAccessRecord) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (pageName: string, operation: string, record: PageAccessRecord) => void;
+    /** Maximum number of access records to keep in history */
+    maxHistorySize?: number;
+}
+/**
+ * PagePermissionProvider - Manages page-level permissions across the app
+ *
+ * This provider ensures that all pages are properly protected and provides
+ * centralized page permission management with strict enforcement.
+ *
+ * @param props - Provider props
+ * @returns React element with page permission context
+ */
+declare function PagePermissionProvider({ children, strictMode, auditLog, onPageAccess, onStrictModeViolation, maxHistorySize }: PagePermissionProviderProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to use page permission context
+ *
+ * @returns Page permission context
+ * @throws Error if used outside of PagePermissionProvider
+ */
+declare function usePagePermissions(): PagePermissionContextType;
+
+interface PagePermissionGuardProps {
+    /** Name of the page being protected */
+    pageName: string;
+    /** Operation being performed on the page */
+    operation: 'read' | 'create' | 'update' | 'delete';
+    /** Content to render when user has permission */
+    children: React__default.ReactNode;
+    /** Content to render when user lacks permission */
+    fallback?: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Force audit logging for this page access (default: true) */
+    auditLog?: boolean;
+    /** Custom page ID for permission checking */
+    pageId?: string;
+    /** Custom scope for permission checking */
+    scope?: Scope;
+    /** Callback when access is denied */
+    onDenied?: (pageName: string, operation: string) => void;
+    /** Loading state content */
+    loading?: React__default.ReactNode;
+}
+/**
+ * PagePermissionGuard - Enforces page-level permissions
+ *
+ * This component ensures that users can only access pages they have permission for.
+ * It integrates with the existing RBAC system and provides strict enforcement to
+ * prevent apps from bypassing permission checks.
+ *
+ * @param props - Component props
+ * @returns React element with permission enforcement
+ */
+declare function PagePermissionGuard({ pageName, operation, children, fallback, strictMode, auditLog, pageId, scope, onDenied, loading }: PagePermissionGuardProps): react_jsx_runtime.JSX.Element;
+
+interface DataAccessRecord {
+    table: string;
+    operation: string;
+    userId: UUID;
+    scope: Scope;
+    allowed: boolean;
+    timestamp: string;
+    query?: string;
+    filters?: Record<string, any>;
+}
+interface SecureDataContextType {
+    /** Check if data access is allowed for a table and operation */
+    isDataAccessAllowed: (table: string, operation: string, scope?: Scope) => boolean;
+    /** Get all data access permissions for current user */
+    getDataAccessPermissions: () => Record<string, string[]>;
+    /** Check if secure data access is enabled */
+    isEnabled: boolean;
+    /** Check if strict mode is enabled */
+    isStrictMode: boolean;
+    /** Check if audit logging is enabled */
+    isAuditLogEnabled: boolean;
+    /** Get data access history */
+    getDataAccessHistory: () => DataAccessRecord[];
+    /** Clear data access history */
+    clearDataAccessHistory: () => void;
+    /** Validate data access attempt */
+    validateDataAccess: (table: string, operation: string, scope?: Scope) => boolean;
+}
+interface SecureDataProviderProps {
+    /** Child components */
+    children: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when data access is attempted */
+    onDataAccess?: (table: string, operation: string, allowed: boolean, record: DataAccessRecord) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (table: string, operation: string, record: DataAccessRecord) => void;
+    /** Maximum number of access records to keep in history */
+    maxHistorySize?: number;
+    /** Enable RLS enforcement (default: true) */
+    enforceRLS?: boolean;
+}
+/**
+ * SecureDataProvider - Prevents direct Supabase access and enforces secure data patterns
+ *
+ * This provider ensures that all data access goes through the secure RBAC system
+ * and prevents apps from bypassing data access controls.
+ *
+ * @param props - Provider props
+ * @returns React element with secure data context
+ */
+declare function SecureDataProvider({ children, strictMode, auditLog, onDataAccess, onStrictModeViolation, maxHistorySize, enforceRLS }: SecureDataProviderProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to use secure data context
+ *
+ * @returns Secure data context
+ * @throws Error if used outside of SecureDataProvider
+ */
+declare function useSecureData(): SecureDataContextType;
+
+interface PermissionEnforcerProps {
+    /** Permissions required for access */
+    permissions: Permission[];
+    /** Operation being performed */
+    operation: string;
+    /** Content to render when user has permission */
+    children: React__default.ReactNode;
+    /** Content to render when user lacks permission */
+    fallback?: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Force audit logging for this operation (default: true) */
+    auditLog?: boolean;
+    /** Custom scope for permission checking */
+    scope?: Scope;
+    /** Callback when access is denied */
+    onDenied?: (permissions: Permission[], operation: string) => void;
+    /** Loading state content */
+    loading?: React__default.ReactNode;
+    /** Require all permissions (AND) or any permission (OR) */
+    requireAll?: boolean;
+}
+/**
+ * PermissionEnforcer - Enforces permissions for operations
+ *
+ * This component ensures that users can only perform operations they have permission for.
+ * It integrates with the existing RBAC system and provides strict enforcement to
+ * prevent apps from bypassing permission checks.
+ *
+ * @param props - Component props
+ * @returns React element with permission enforcement
+ */
+declare function PermissionEnforcer({ permissions, operation, children, fallback, strictMode, auditLog, scope, onDenied, loading, requireAll }: PermissionEnforcerProps): react_jsx_runtime.JSX.Element;
+
+interface RouteConfig {
+    /** Route path */
+    path: string;
+    /** React component to render */
+    component: React__default.ComponentType;
+    /** Permissions required for this route */
+    permissions: Permission[];
+    /** Roles that can access this route */
+    roles?: string[];
+    /** Minimum access level required */
+    accessLevel?: AccessLevel;
+    /** Page ID for permission checking */
+    pageId?: string;
+    /** Enable strict mode for this route */
+    strictMode?: boolean;
+    /** Route metadata */
+    meta?: {
+        title?: string;
+        description?: string;
+        requiresAuth?: boolean;
+        hidden?: boolean;
+    };
+}
+interface RouteAccessRecord {
+    route: string;
+    permissions: Permission[];
+    userId: UUID;
+    scope: Scope;
+    allowed: boolean;
+    timestamp: string;
+    pageId?: string;
+    roles?: string[];
+    accessLevel?: AccessLevel;
+}
+interface RoleBasedRouterContextType {
+    /** Get all accessible routes for current user */
+    getAccessibleRoutes: () => RouteConfig[];
+    /** Check if user can access a specific route */
+    canAccessRoute: (path: string) => boolean;
+    /** Get route configuration for a path */
+    getRouteConfig: (path: string) => RouteConfig | null;
+    /** Get route access history */
+    getRouteAccessHistory: () => RouteAccessRecord[];
+    /** Clear route access history */
+    clearRouteAccessHistory: () => void;
+    /** Check if strict mode is enabled */
+    isStrictMode: boolean;
+    /** Check if audit logging is enabled */
+    isAuditLogEnabled: boolean;
+}
+interface RoleBasedRouterProps {
+    /** Route configuration */
+    routes: RouteConfig[];
+    /** Fallback route for unauthorized access */
+    fallbackRoute?: string;
+    /** Child components */
+    children: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when route access is attempted */
+    onRouteAccess?: (route: string, allowed: boolean, record: RouteAccessRecord) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (route: string, record: RouteAccessRecord) => void;
+    /** Maximum number of access records to keep in history */
+    maxHistorySize?: number;
+    /** Custom unauthorized component */
+    unauthorizedComponent?: React__default.ComponentType<{
+        route: string;
+        reason: string;
+    }>;
+}
+/**
+ * RoleBasedRouter - Centralized routing control with role-based protection
+ *
+ * This component ensures that all routes are properly protected and provides
+ * centralized routing control to prevent apps from bypassing route protection.
+ *
+ * @param props - Router props
+ * @returns React element with role-based routing
+ */
+declare function RoleBasedRouter({ routes, fallbackRoute, children, strictMode, auditLog, onRouteAccess, onStrictModeViolation, maxHistorySize, unauthorizedComponent: UnauthorizedComponent }: RoleBasedRouterProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to use role-based router context
+ *
+ * @returns Role-based router context
+ * @throws Error if used outside of RoleBasedRouter
+ */
+declare function useRoleBasedRouter(): RoleBasedRouterContextType;
+
+interface NavigationItem {
+    /** Unique identifier for the navigation item */
+    id: string;
+    /** Display label for the navigation item */
+    label: string;
+    /** Navigation path/URL */
+    path: string;
+    /** Permissions required for this navigation item */
+    permissions: Permission[];
+    /** Roles that can access this navigation item */
+    roles?: string[];
+    /** Minimum access level required */
+    accessLevel?: 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
+    /** Page ID for permission checking */
+    pageId?: string;
+    /** Enable strict mode for this navigation item */
+    strictMode?: boolean;
+    /** Navigation item metadata */
+    meta?: {
+        icon?: string;
+        description?: string;
+        hidden?: boolean;
+        order?: number;
+    };
+}
+interface NavigationAccessRecord {
+    navigationItem: string;
+    permissions: Permission[];
+    userId: UUID;
+    scope: Scope;
+    allowed: boolean;
+    timestamp: string;
+    pageId?: string;
+    roles?: string[];
+    accessLevel?: string;
+}
+interface NavigationContextType {
+    /** Check if user has permission for a navigation item */
+    hasNavigationPermission: (item: NavigationItem) => boolean;
+    /** Get all navigation permissions for current user */
+    getNavigationPermissions: () => Record<string, string[]>;
+    /** Get filtered navigation items based on permissions */
+    getFilteredNavigationItems: (items: NavigationItem[]) => NavigationItem[];
+    /** Check if navigation permission checking is enabled */
+    isEnabled: boolean;
+    /** Check if strict mode is enabled */
+    isStrictMode: boolean;
+    /** Check if audit logging is enabled */
+    isAuditLogEnabled: boolean;
+    /** Get navigation access history */
+    getNavigationAccessHistory: () => NavigationAccessRecord[];
+    /** Clear navigation access history */
+    clearNavigationAccessHistory: () => void;
+}
+interface NavigationProviderProps {
+    /** Child components */
+    children: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when navigation access is attempted */
+    onNavigationAccess?: (item: NavigationItem, allowed: boolean, record: NavigationAccessRecord) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (item: NavigationItem, record: NavigationAccessRecord) => void;
+    /** Maximum number of access records to keep in history */
+    maxHistorySize?: number;
+}
+/**
+ * NavigationProvider - Manages navigation-level permissions across the app
+ *
+ * This provider ensures that all navigation items are properly protected and provides
+ * centralized navigation permission management with strict enforcement.
+ *
+ * @param props - Provider props
+ * @returns React element with navigation permission context
+ */
+declare function NavigationProvider({ children, strictMode, auditLog, onNavigationAccess, onStrictModeViolation, maxHistorySize }: NavigationProviderProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to use navigation permission context
+ *
+ * @returns Navigation permission context
+ * @throws Error if used outside of NavigationProvider
+ */
+declare function useNavigationPermissions(): NavigationContextType;
+
+interface NavigationGuardProps {
+    /** Navigation item being protected */
+    navigationItem: NavigationItem;
+    /** Content to render when user has permission */
+    children: React__default.ReactNode;
+    /** Content to render when user lacks permission */
+    fallback?: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Force audit logging for this navigation access (default: true) */
+    auditLog?: boolean;
+    /** Custom scope for permission checking */
+    scope?: Scope;
+    /** Callback when access is denied */
+    onDenied?: (item: NavigationItem) => void;
+    /** Loading state content */
+    loading?: React__default.ReactNode;
+    /** Require all permissions (AND) or any permission (OR) */
+    requireAll?: boolean;
+}
+/**
+ * NavigationGuard - Enforces navigation-level permissions
+ *
+ * This component ensures that users can only access navigation items they have permission for.
+ * It integrates with the existing RBAC system and provides strict enforcement to
+ * prevent apps from bypassing navigation permission checks.
+ *
+ * @param props - Component props
+ * @returns React element with navigation permission enforcement
+ */
+declare function NavigationGuard({ navigationItem, children, fallback, strictMode, auditLog, scope, onDenied, loading, requireAll }: NavigationGuardProps): react_jsx_runtime.JSX.Element;
+
+interface EnhancedNavigationMenuProps {
+    /** Navigation items to display */
+    items: NavigationItem[];
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when navigation access is attempted */
+    onNavigationAccess?: (item: NavigationItem, allowed: boolean) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (item: NavigationItem) => void;
+    /** Custom className for the navigation menu */
+    className?: string;
+    /** Custom className for navigation items */
+    itemClassName?: string;
+    /** Custom className for active navigation items */
+    activeItemClassName?: string;
+    /** Custom className for disabled navigation items */
+    disabledItemClassName?: string;
+    /** Show/hide navigation items that user doesn't have permission for */
+    hideUnauthorizedItems?: boolean;
+    /** Custom render function for navigation items */
+    renderItem?: (item: NavigationItem, isAuthorized: boolean) => React__default.ReactNode;
+    /** Current active path for highlighting */
+    activePath?: string;
+    /** Navigation item click handler */
+    onItemClick?: (item: NavigationItem) => void;
+}
+/**
+ * EnhancedNavigationMenu - Secure navigation menu with RBAC integration
+ *
+ * This component provides a navigation menu that automatically filters items based on
+ * user permissions and enforces strict security controls.
+ *
+ * @param props - Component props
+ * @returns React element with enhanced navigation menu
+ */
+declare function EnhancedNavigationMenu({ items, strictMode, auditLog, onNavigationAccess, onStrictModeViolation, className, itemClassName, activeItemClassName, disabledItemClassName, hideUnauthorizedItems, renderItem, activePath, onItemClick }: EnhancedNavigationMenuProps): react_jsx_runtime.JSX.Element;
+
+/**
+ * RBAC Main API Functions
+ * @package @jmruthers/pace-core
+ * @module RBAC/API
+ * @since 1.0.0
+ *
+ * This module provides the main API functions for the RBAC system.
+ */
+
+/**
+ * Setup RBAC system
+ *
+ * @param supabase - Supabase client
+ * @param config - Optional configuration
+ */
+declare function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<RBACConfig>): void;
+/**
+ * Get user's access level in a scope
+ *
+ * @param input - Access level input
+ * @returns Promise resolving to access level
+ *
+ * @example
+ * ```typescript
+ * const accessLevel = await getAccessLevel({
+ *   userId: 'user-123',
+ *   scope: { organisationId: 'org-456' }
+ * });
+ * ```
+ */
+declare function getAccessLevel(input: {
+    userId: UUID;
+    scope: Scope;
+}): Promise<AccessLevel>;
+/**
+ * Get user's permission map for a scope
+ *
+ * @param input - Permission map input
+ * @returns Promise resolving to permission map
+ *
+ * @example
+ * ```typescript
+ * const permissions = await getPermissionMap({
+ *   userId: 'user-123',
+ *   scope: {
+ *     organisationId: 'org-456',
+ *     eventId: 'event-789',
+ *     appId: 'app-101'
+ *   }
+ * });
+ * ```
+ */
+declare function getPermissionMap(input: {
+    userId: UUID;
+    scope: Scope;
+}): Promise<PermissionMap>;
+/**
+ * Check if user has a specific permission
+ *
+ * @param input - Permission check input
+ * @returns Promise resolving to permission result
+ *
+ * @example
+ * ```typescript
+ * const canManage = await isPermitted({
+ *   userId: 'user-123',
+ *   scope: { organisationId: 'org-456' },
+ *   permission: 'manage:events',
+ *   pageId: 'page-789'
+ * });
+ * ```
+ */
+declare function isPermitted(input: PermissionCheck): Promise<boolean>;
+/**
+ * Check if user has a specific permission (cached version)
+ *
+ * @param input - Permission check input
+ * @returns Promise resolving to permission result
+ */
+declare function isPermittedCached(input: PermissionCheck): Promise<boolean>;
+/**
+ * Check if a user has a specific permission (alias for isPermitted)
+ *
+ * @param input - Permission check parameters
+ * @returns Promise<boolean> - True if user has permission
+ */
+declare function hasPermission(input: PermissionCheck): Promise<boolean>;
+/**
+ * Check if user has any of the specified permissions
+ *
+ * @param input - Permission check input with array of permissions
+ * @returns Promise resolving to true if user has any permission
+ */
+declare function hasAnyPermission(input: {
+    userId: UUID;
+    scope: Scope;
+    permissions: Permission[];
+    pageId?: UUID;
+}): Promise<boolean>;
+/**
+ * Check if user has all of the specified permissions
+ *
+ * @param input - Permission check input with array of permissions
+ * @returns Promise resolving to true if user has all permissions
+ */
+declare function hasAllPermissions(input: {
+    userId: UUID;
+    scope: Scope;
+    permissions: Permission[];
+    pageId?: UUID;
+}): Promise<boolean>;
+
+/**
+ * RBAC Permissions Definitions
+ * @package @jmruthers/pace-core
+ * @module RBAC/Permissions
+ * @since 1.0.0
+ *
+ * This module defines all permissions used in the RBAC system.
+ * All permission strings must be imported from this file to ensure consistency.
+ */
+
+declare const GLOBAL_PERMISSIONS: {
+    readonly MANAGE_ALL: Permission;
+    readonly READ_ALL: Permission;
+    readonly CREATE_ALL: Permission;
+    readonly UPDATE_ALL: Permission;
+    readonly DELETE_ALL: Permission;
+};
+declare const ORGANISATION_PERMISSIONS: {
+    readonly MANAGE_ORGANISATION: Permission;
+    readonly READ_ORGANISATION: Permission;
+    readonly UPDATE_ORGANISATION: Permission;
+    readonly MANAGE_USERS: Permission;
+    readonly READ_USERS: Permission;
+    readonly CREATE_USERS: Permission;
+    readonly UPDATE_USERS: Permission;
+    readonly DELETE_USERS: Permission;
+    readonly MANAGE_ROLES: Permission;
+    readonly READ_ROLES: Permission;
+    readonly CREATE_ROLES: Permission;
+    readonly UPDATE_ROLES: Permission;
+    readonly DELETE_ROLES: Permission;
+    readonly MANAGE_EVENTS: Permission;
+    readonly READ_EVENTS: Permission;
+    readonly CREATE_EVENTS: Permission;
+    readonly UPDATE_EVENTS: Permission;
+    readonly DELETE_EVENTS: Permission;
+    readonly MANAGE_APPS: Permission;
+    readonly READ_APPS: Permission;
+    readonly CREATE_APPS: Permission;
+    readonly UPDATE_APPS: Permission;
+    readonly DELETE_APPS: Permission;
+};
+declare const EVENT_APP_PERMISSIONS: {
+    readonly MANAGE_EVENT: Permission;
+    readonly READ_EVENT: Permission;
+    readonly UPDATE_EVENT: Permission;
+    readonly MANAGE_APP: Permission;
+    readonly READ_APP: Permission;
+    readonly UPDATE_APP: Permission;
+    readonly MANAGE_TEAM: Permission;
+    readonly READ_TEAM: Permission;
+    readonly CREATE_TEAM: Permission;
+    readonly UPDATE_TEAM: Permission;
+    readonly DELETE_TEAM: Permission;
+    readonly MANAGE_TEAM_MEMBERS: Permission;
+    readonly READ_TEAM_MEMBERS: Permission;
+    readonly CREATE_TEAM_MEMBERS: Permission;
+    readonly UPDATE_TEAM_MEMBERS: Permission;
+    readonly DELETE_TEAM_MEMBERS: Permission;
+    readonly MANAGE_EVENT_CONTENT: Permission;
+    readonly READ_EVENT_CONTENT: Permission;
+    readonly CREATE_EVENT_CONTENT: Permission;
+    readonly UPDATE_EVENT_CONTENT: Permission;
+    readonly DELETE_EVENT_CONTENT: Permission;
+    readonly MANAGE_EVENT_SETTINGS: Permission;
+    readonly READ_EVENT_SETTINGS: Permission;
+    readonly UPDATE_EVENT_SETTINGS: Permission;
+};
+declare const PAGE_PERMISSIONS: {
+    readonly READ_PAGE: Permission;
+    readonly MANAGE_PAGE: Permission;
+    readonly READ_ADMIN: Permission;
+    readonly MANAGE_ADMIN: Permission;
+    readonly READ_DASHBOARD: Permission;
+    readonly MANAGE_DASHBOARD: Permission;
+    readonly READ_SETTINGS: Permission;
+    readonly MANAGE_SETTINGS: Permission;
+    readonly READ_REPORTS: Permission;
+    readonly MANAGE_REPORTS: Permission;
+};
+declare const PERMISSION_GROUPS: {
+    readonly GLOBAL_ADMIN: readonly [`read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`];
+    readonly ORG_ADMIN: readonly [`read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`];
+    readonly EVENT_ADMIN: readonly [`read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`];
+    readonly PLANNER: readonly [`read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`];
+    readonly PARTICIPANT: readonly [`read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`];
+    readonly VIEWER: readonly [`read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`, `read:${string}` | `create:${string}` | `update:${string}` | `delete:${string}` | `manage:${string}`];
+};
+/**
+ * Validate that a permission string is properly formatted
+ *
+ * @param permission - Permission string to validate
+ * @returns True if valid, false otherwise
+ */
+declare function isValidPermission(permission: string): permission is Permission;
+/**
+ * Get all permissions for a role
+ *
+ * @param role - Role name
+ * @returns Array of permissions for the role
+ */
+declare function getPermissionsForRole(role: string): Permission[];
+declare const ALL_PERMISSIONS: {
+    readonly READ_PAGE: Permission;
+    readonly MANAGE_PAGE: Permission;
+    readonly READ_ADMIN: Permission;
+    readonly MANAGE_ADMIN: Permission;
+    readonly READ_DASHBOARD: Permission;
+    readonly MANAGE_DASHBOARD: Permission;
+    readonly READ_SETTINGS: Permission;
+    readonly MANAGE_SETTINGS: Permission;
+    readonly READ_REPORTS: Permission;
+    readonly MANAGE_REPORTS: Permission;
+    readonly MANAGE_EVENT: Permission;
+    readonly READ_EVENT: Permission;
+    readonly UPDATE_EVENT: Permission;
+    readonly MANAGE_APP: Permission;
+    readonly READ_APP: Permission;
+    readonly UPDATE_APP: Permission;
+    readonly MANAGE_TEAM: Permission;
+    readonly READ_TEAM: Permission;
+    readonly CREATE_TEAM: Permission;
+    readonly UPDATE_TEAM: Permission;
+    readonly DELETE_TEAM: Permission;
+    readonly MANAGE_TEAM_MEMBERS: Permission;
+    readonly READ_TEAM_MEMBERS: Permission;
+    readonly CREATE_TEAM_MEMBERS: Permission;
+    readonly UPDATE_TEAM_MEMBERS: Permission;
+    readonly DELETE_TEAM_MEMBERS: Permission;
+    readonly MANAGE_EVENT_CONTENT: Permission;
+    readonly READ_EVENT_CONTENT: Permission;
+    readonly CREATE_EVENT_CONTENT: Permission;
+    readonly UPDATE_EVENT_CONTENT: Permission;
+    readonly DELETE_EVENT_CONTENT: Permission;
+    readonly MANAGE_EVENT_SETTINGS: Permission;
+    readonly READ_EVENT_SETTINGS: Permission;
+    readonly UPDATE_EVENT_SETTINGS: Permission;
+    readonly MANAGE_ORGANISATION: Permission;
+    readonly READ_ORGANISATION: Permission;
+    readonly UPDATE_ORGANISATION: Permission;
+    readonly MANAGE_USERS: Permission;
+    readonly READ_USERS: Permission;
+    readonly CREATE_USERS: Permission;
+    readonly UPDATE_USERS: Permission;
+    readonly DELETE_USERS: Permission;
+    readonly MANAGE_ROLES: Permission;
+    readonly READ_ROLES: Permission;
+    readonly CREATE_ROLES: Permission;
+    readonly UPDATE_ROLES: Permission;
+    readonly DELETE_ROLES: Permission;
+    readonly MANAGE_EVENTS: Permission;
+    readonly READ_EVENTS: Permission;
+    readonly CREATE_EVENTS: Permission;
+    readonly UPDATE_EVENTS: Permission;
+    readonly DELETE_EVENTS: Permission;
+    readonly MANAGE_APPS: Permission;
+    readonly READ_APPS: Permission;
+    readonly CREATE_APPS: Permission;
+    readonly UPDATE_APPS: Permission;
+    readonly DELETE_APPS: Permission;
+    readonly MANAGE_ALL: Permission;
+    readonly READ_ALL: Permission;
+    readonly CREATE_ALL: Permission;
+    readonly UPDATE_ALL: Permission;
+    readonly DELETE_ALL: Permission;
+};
+type AllPermissions = typeof ALL_PERMISSIONS;
+
+export { ALL_PERMISSIONS, type AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type DataAccessRecord, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRole, GLOBAL_PERMISSIONS, type GlobalRole, InvalidScopeError, type LogLevel, MissingUserContextError, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, type Operation, OrganisationContextRequiredError, type OrganisationRole, PAGE_PERMISSIONS, PERMISSION_GROUPS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, type Permission, type PermissionCheck, PermissionDeniedError, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, type PermissionMap, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, RBACError, type RBACLogger, RBACNotInitializedError, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RouteAccessRecord, type RouteConfig, type Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type UUID, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, emitAuditEvent, fromSupabaseClient, getAccessLevel, getGlobalAuditManager, getPermissionMap, getPermissionsForRole, getRBACConfig, getRBACLogger, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPermitted, isPermittedCached, isValidPermission, rbacCache, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRoleBasedRouter, useSecureData, withAccessLevelGuard, withPermissionGuard, withRoleGuard };