@jmruthers/pace-core 0.2.4

package/dist/rbac/index.js

@@ -0,0 +1,2212 @@
+import {
+  CACHE_PATTERNS,
+  OrganisationContextRequiredError,
+  RBACCache,
+  RBACEngine,
+  createRBACConfig,
+  createRBACEngine,
+  getAccessLevel,
+  getPermissionMap,
+  getRBACConfig,
+  getRBACLogger,
+  hasAllPermissions,
+  hasAnyPermission,
+  hasPermission,
+  isDebugMode,
+  isDevelopmentMode,
+  isPermitted,
+  isPermittedCached,
+  rbacCache,
+  setupRBAC
+} from "../chunk-6ZQVSHKL.js";
+import {
+  RBACAuditManager,
+  createAuditManager,
+  emitAuditEvent,
+  getGlobalAuditManager,
+  setGlobalAuditManager
+} from "../chunk-7BNPOCLL.js";
+import {
+  useSecureDataAccess
+} from "../chunk-PFRRIDYA.js";
+import {
+  init_UnifiedAuthProvider,
+  useUnifiedAuth
+} from "../chunk-DY5E3AT7.js";
+import "../chunk-ETEJVKYK.js";
+import "../chunk-YDJW5XTN.js";
+import {
+  getCurrentAppName,
+  init_appNameResolver
+} from "../chunk-MZBUOP4P.js";
+import "../chunk-2V3Y6YBC.js";
+import "../chunk-OHXGNT3K.js";
+import "../chunk-PLDDJCW6.js";
+
+// src/rbac/secureClient.ts
+import { createClient } from "@supabase/supabase-js";
+var SecureSupabaseClient = class _SecureSupabaseClient {
+  constructor(supabaseUrl, supabaseKey, organisationId, eventId, appId) {
+    this.supabaseUrl = supabaseUrl;
+    this.supabaseKey = supabaseKey;
+    this.organisationId = organisationId;
+    this.eventId = eventId;
+    this.appId = appId;
+    this.supabase = createClient(supabaseUrl, supabaseKey, {
+      global: {
+        headers: {
+          "x-organisation-id": organisationId,
+          "x-event-id": eventId || "",
+          "x-app-id": appId || ""
+        }
+      }
+    });
+    this.setupContextInjection();
+  }
+  /**
+   * Setup context injection for all database operations
+   */
+  setupContextInjection() {
+    const originalFrom = this.supabase.from.bind(this.supabase);
+    this.supabase.from = (table) => {
+      this.validateContext();
+      const query = originalFrom(table);
+      return this.injectContext(query);
+    };
+    const originalRpc = this.supabase.rpc.bind(this.supabase);
+    this.supabase.rpc = (fn, args) => {
+      this.validateContext();
+      const contextArgs = {
+        ...args,
+        p_organisation_id: this.organisationId,
+        p_event_id: this.eventId,
+        p_app_id: this.appId
+      };
+      return originalRpc(fn, contextArgs);
+    };
+  }
+  /**
+   * Inject organisation context into a query
+   */
+  injectContext(query) {
+    const originalSelect = query.select.bind(query);
+    const originalInsert = query.insert.bind(query);
+    const originalUpdate = query.update.bind(query);
+    const originalDelete = query.delete.bind(query);
+    query.select = (columns) => {
+      const result = originalSelect(columns);
+      return this.addOrganisationFilter(result);
+    };
+    query.insert = (values) => {
+      const contextValues = Array.isArray(values) ? values.map((v) => ({ ...v, organisation_id: this.organisationId })) : { ...values, organisation_id: this.organisationId };
+      return originalInsert(contextValues);
+    };
+    query.update = (values) => {
+      const result = originalUpdate(values);
+      return this.addOrganisationFilter(result);
+    };
+    query.delete = () => {
+      const result = originalDelete();
+      return this.addOrganisationFilter(result);
+    };
+    return query;
+  }
+  /**
+   * Add organisation filter to a query
+   */
+  addOrganisationFilter(query) {
+    return query.eq("organisation_id", this.organisationId);
+  }
+  /**
+   * Validate that required context is present
+   */
+  validateContext() {
+    if (!this.organisationId) {
+      throw new OrganisationContextRequiredError();
+    }
+  }
+  /**
+   * Get the current organisation ID
+   */
+  getOrganisationId() {
+    return this.organisationId;
+  }
+  /**
+   * Get the current event ID
+   */
+  getEventId() {
+    return this.eventId;
+  }
+  /**
+   * Get the current app ID
+   */
+  getAppId() {
+    return this.appId;
+  }
+  /**
+   * Create a new client with updated context
+   */
+  withContext(updates) {
+    return new _SecureSupabaseClient(
+      this.supabaseUrl,
+      this.supabaseKey,
+      updates.organisationId || this.organisationId,
+      updates.eventId !== void 0 ? updates.eventId : this.eventId,
+      updates.appId !== void 0 ? updates.appId : this.appId
+    );
+  }
+  /**
+   * Get the underlying Supabase client (for internal use only)
+   * @internal
+   */
+  getClient() {
+    return this.supabase;
+  }
+};
+function createSecureClient(supabaseUrl, supabaseKey, organisationId, eventId, appId) {
+  return new SecureSupabaseClient(supabaseUrl, supabaseKey, organisationId, eventId, appId);
+}
+function fromSupabaseClient(client, organisationId, eventId, appId) {
+  throw new Error("fromSupabaseClient is not supported. Use createSecureClient instead.");
+}
+
+// src/rbac/hooks.ts
+import { useState, useEffect, useCallback, useMemo } from "react";
+function usePermissions(userId, scope) {
+  const [permissions, setPermissions] = useState({});
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const fetchPermissions = useCallback(async () => {
+    if (!userId) {
+      setPermissions({});
+      setIsLoading(false);
+      return;
+    }
+    try {
+      setIsLoading(true);
+      setError(null);
+      const result = await getPermissionMap({ userId, scope });
+      setPermissions(result);
+    } catch (err) {
+      setError(err instanceof Error ? err : new Error("Failed to fetch permissions"));
+    } finally {
+      setIsLoading(false);
+    }
+  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
+  useEffect(() => {
+    fetchPermissions();
+  }, [fetchPermissions]);
+  return {
+    permissions,
+    isLoading,
+    error,
+    refetch: fetchPermissions
+  };
+}
+function useCan(userId, scope, permission, pageId, useCache = true) {
+  const [can, setCan] = useState(false);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const check = useCallback(async () => {
+    console.log("[useCan] check() called with:", { userId, scope, permission, pageId });
+    console.log("[useCan] Hook parameters:", { userId, scope, permission, pageId, useCache });
+    if (!userId) {
+      console.log("[useCan] No userId, denying access");
+      setCan(false);
+      setIsLoading(false);
+      return;
+    }
+    if (!scope || !scope.organisationId || !scope.appId) {
+      console.log("[useCan] Incomplete scope, waiting for resolution:", scope);
+      setCan(false);
+      setIsLoading(true);
+      return;
+    }
+    console.log("[useCan] Scope is complete, checking permission...");
+    console.log("[useCan] Detailed scope info:", {
+      organisationId: scope.organisationId,
+      eventId: scope.eventId,
+      appId: scope.appId,
+      permission,
+      pageId
+    });
+    try {
+      setIsLoading(true);
+      setError(null);
+      console.log("[useCan] About to call isPermitted/isPermittedCached...");
+      const result = useCache ? await isPermittedCached({ userId, scope, permission, pageId }) : await isPermitted({ userId, scope, permission, pageId });
+      console.log("[useCan] Permission check result:", result);
+      console.log("[useCan] Permission check details:", {
+        userId,
+        scope,
+        permission,
+        pageId,
+        result,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      setCan(result);
+    } catch (err) {
+      console.error("[useCan] Permission check error:", err);
+      console.error("[useCan] Error details:", {
+        userId,
+        scope,
+        permission,
+        pageId,
+        error: err instanceof Error ? err.message : "Unknown error",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      setError(err instanceof Error ? err : new Error("Failed to check permission"));
+      setCan(false);
+    } finally {
+      setIsLoading(false);
+    }
+  }, [userId, scope.organisationId, scope.eventId, scope.appId, permission, pageId, useCache]);
+  useEffect(() => {
+    check();
+  }, [check]);
+  return {
+    can,
+    isLoading,
+    error,
+    check
+  };
+}
+function useAccessLevel(userId, scope) {
+  const [accessLevel, setAccessLevel] = useState(null);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const fetchAccessLevel = useCallback(async () => {
+    if (!userId) {
+      setAccessLevel(null);
+      setIsLoading(false);
+      return;
+    }
+    try {
+      setIsLoading(true);
+      setError(null);
+      const result = await getAccessLevel({ userId, scope });
+      setAccessLevel(result);
+    } catch (err) {
+      setError(err instanceof Error ? err : new Error("Failed to fetch access level"));
+      setAccessLevel(null);
+    } finally {
+      setIsLoading(false);
+    }
+  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
+  useEffect(() => {
+    fetchAccessLevel();
+  }, [fetchAccessLevel]);
+  return {
+    accessLevel,
+    isLoading,
+    error,
+    refetch: fetchAccessLevel
+  };
+}
+function useMultiplePermissions(userId, scope, permissions, pageId, useCache = true) {
+  const [permissionResults, setPermissionResults] = useState({});
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const fetchPermissions = useCallback(async () => {
+    if (!userId || permissions.length === 0) {
+      setPermissionResults({});
+      setIsLoading(false);
+      return;
+    }
+    try {
+      setIsLoading(true);
+      setError(null);
+      const results = {};
+      const promises = permissions.map(async (permission) => {
+        const result = useCache ? await isPermittedCached({ userId, scope, permission, pageId }) : await isPermitted({ userId, scope, permission, pageId });
+        return { permission, result };
+      });
+      const resolved = await Promise.all(promises);
+      resolved.forEach(({ permission, result }) => {
+        results[permission] = result;
+      });
+      setPermissionResults(results);
+    } catch (err) {
+      setError(err instanceof Error ? err : new Error("Failed to check permissions"));
+      setPermissionResults({});
+    } finally {
+      setIsLoading(false);
+    }
+  }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, pageId, useCache]);
+  useEffect(() => {
+    fetchPermissions();
+  }, [fetchPermissions]);
+  return {
+    permissions: permissionResults,
+    isLoading,
+    error,
+    refetch: fetchPermissions
+  };
+}
+function useHasAnyPermission(userId, scope, permissions, pageId) {
+  const { permissions: permissionResults, isLoading, error, refetch } = useMultiplePermissions(
+    userId,
+    scope,
+    permissions,
+    pageId
+  );
+  const hasAny = useMemo(() => {
+    return Object.values(permissionResults).some(Boolean);
+  }, [permissionResults]);
+  return {
+    hasAny,
+    isLoading,
+    error,
+    refetch
+  };
+}
+function useHasAllPermissions(userId, scope, permissions, pageId) {
+  const { permissions: permissionResults, isLoading, error, refetch } = useMultiplePermissions(
+    userId,
+    scope,
+    permissions,
+    pageId
+  );
+  const hasAll = useMemo(() => {
+    return Object.values(permissionResults).every(Boolean);
+  }, [permissionResults]);
+  return {
+    hasAll,
+    isLoading,
+    error,
+    refetch
+  };
+}
+function useCachedPermissions(userId, scope) {
+  const [permissions, setPermissions] = useState({});
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const fetchCachedPermissions = useCallback(async () => {
+    if (!userId) {
+      setPermissions({});
+      setIsLoading(false);
+      return;
+    }
+    try {
+      setIsLoading(true);
+      setError(null);
+      const result = await getPermissionMap({ userId, scope });
+      setPermissions(result);
+    } catch (err) {
+      setError(err instanceof Error ? err : new Error("Failed to fetch cached permissions"));
+    } finally {
+      setIsLoading(false);
+    }
+  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
+  useEffect(() => {
+    fetchCachedPermissions();
+  }, [fetchCachedPermissions]);
+  return {
+    permissions,
+    isLoading,
+    error,
+    refetch: fetchCachedPermissions
+  };
+}
+
+// src/rbac/adapters.tsx
+import React, { useContext } from "react";
+import { Fragment, jsx, jsxs } from "react/jsx-runtime";
+function PermissionGuard({
+  userId,
+  scope,
+  permission,
+  pageId,
+  children,
+  fallback = null,
+  onDenied,
+  loading = null,
+  // NEW: Phase 1 - Enhanced Security Features
+  strictMode = true,
+  auditLog = true,
+  enforceAudit = true
+}) {
+  const logger = getRBACLogger();
+  const authContext = useContext(React.createContext(null));
+  let effectiveUserId = userId;
+  if (!effectiveUserId) {
+    try {
+      if (authContext?.user?.id) {
+        effectiveUserId = authContext.user.id;
+      } else {
+        const globalUser = window.__PACE_USER__;
+        if (globalUser?.id) {
+          effectiveUserId = globalUser.id;
+        }
+      }
+    } catch (error2) {
+      logger.debug("Could not infer userId from context:", error2);
+    }
+  }
+  const { can, isLoading, error } = useCan(effectiveUserId || "", scope, permission, pageId);
+  if (!effectiveUserId) {
+    logger.error("PermissionGuard: No userId provided and could not infer from context");
+    return /* @__PURE__ */ jsxs("div", { className: "rbac-error", role: "alert", children: [
+      /* @__PURE__ */ jsx("p", { children: "Permission check failed: User context not available" }),
+      /* @__PURE__ */ jsxs("details", { children: [
+        /* @__PURE__ */ jsx("summary", { children: "Debug info" }),
+        /* @__PURE__ */ jsx("p", { children: "Make sure to either:" }),
+        /* @__PURE__ */ jsxs("ul", { children: [
+          /* @__PURE__ */ jsx("li", { children: "Pass userId prop explicitly" }),
+          /* @__PURE__ */ jsx("li", { children: "Wrap your app with an auth provider" }),
+          /* @__PURE__ */ jsx("li", { children: "Set window.__PACE_USER__ with user data" })
+        ] })
+      ] })
+    ] });
+  }
+  if (isLoading) {
+    return loading || /* @__PURE__ */ jsx("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx("span", { className: "sr-only", children: "Checking permissions..." }) });
+  }
+  if (error) {
+    logger.error("Permission check failed:", error);
+    if (auditLog) {
+      logger.info(`[PermissionGuard] Permission check failed:`, {
+        userId: effectiveUserId,
+        scope,
+        permission,
+        pageId,
+        error: error.message,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    return fallback;
+  }
+  if (!can) {
+    if (auditLog) {
+      logger.info(`[PermissionGuard] Permission denied:`, {
+        userId: effectiveUserId,
+        scope,
+        permission,
+        pageId,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    if (strictMode) {
+      logger.error(`[PermissionGuard] STRICT MODE VIOLATION: User attempted to access protected resource without permission`, {
+        userId: effectiveUserId,
+        scope,
+        permission,
+        pageId,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    if (onDenied) {
+      onDenied();
+    }
+    return /* @__PURE__ */ jsx(Fragment, { children: fallback });
+  }
+  if (auditLog) {
+    logger.info(`[PermissionGuard] Permission granted:`, {
+      userId: effectiveUserId,
+      scope,
+      permission,
+      pageId,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+  return /* @__PURE__ */ jsx(Fragment, { children });
+}
+function AccessLevelGuard({
+  userId,
+  scope,
+  minLevel,
+  children,
+  fallback = null,
+  loading = null
+}) {
+  const logger = getRBACLogger();
+  const authContext = useContext(React.createContext(null));
+  let effectiveUserId = userId;
+  if (!effectiveUserId) {
+    try {
+      if (authContext?.user?.id) {
+        effectiveUserId = authContext.user.id;
+      } else {
+        const globalUser = window.__PACE_USER__;
+        if (globalUser?.id) {
+          effectiveUserId = globalUser.id;
+        }
+      }
+    } catch (error2) {
+      logger.debug("Could not infer userId from context:", error2);
+    }
+  }
+  const { accessLevel, isLoading, error } = useAccessLevel(effectiveUserId || "", scope);
+  if (!effectiveUserId) {
+    logger.error("AccessLevelGuard: No userId provided and could not infer from context");
+    return /* @__PURE__ */ jsxs("div", { className: "rbac-error", role: "alert", children: [
+      /* @__PURE__ */ jsx("p", { children: "Access level check failed: User context not available" }),
+      /* @__PURE__ */ jsxs("details", { children: [
+        /* @__PURE__ */ jsx("summary", { children: "Debug info" }),
+        /* @__PURE__ */ jsx("p", { children: "Make sure to either:" }),
+        /* @__PURE__ */ jsxs("ul", { children: [
+          /* @__PURE__ */ jsx("li", { children: "Pass userId prop explicitly" }),
+          /* @__PURE__ */ jsx("li", { children: "Wrap your app with an auth provider" }),
+          /* @__PURE__ */ jsx("li", { children: "Set window.__PACE_USER__ with user data" })
+        ] })
+      ] })
+    ] });
+  }
+  if (isLoading) {
+    return loading || /* @__PURE__ */ jsx("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx("span", { className: "sr-only", children: "Checking access level..." }) });
+  }
+  if (error) {
+    logger.error("Access level check failed:", error);
+    return fallback;
+  }
+  const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
+  const userLevelIndex = accessLevel ? levelHierarchy.indexOf(accessLevel) : -1;
+  const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
+  if (userLevelIndex < requiredLevelIndex) {
+    return /* @__PURE__ */ jsx(Fragment, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx(Fragment, { children });
+}
+function withPermissionGuard(config, handler) {
+  return async (...args) => {
+    const [req] = args;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      throw new Error("User context required for permission check");
+    }
+    const { isPermitted: isPermitted2 } = await import("../api-GZHIDA4X.js");
+    const hasPermission2 = await isPermitted2({
+      userId,
+      scope: { organisationId, eventId, appId },
+      permission: config.permission,
+      pageId: config.pageId
+    });
+    if (!hasPermission2) {
+      throw new Error(`Permission denied: ${config.permission}`);
+    }
+    return handler(...args);
+  };
+}
+function withAccessLevelGuard(minLevel, handler) {
+  return async (...args) => {
+    const [req] = args;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      throw new Error("User context required for access level check");
+    }
+    const { getAccessLevel: getAccessLevel2 } = await import("../api-GZHIDA4X.js");
+    const accessLevel = await getAccessLevel2({
+      userId,
+      scope: { organisationId, eventId, appId }
+    });
+    const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
+    const userLevelIndex = levelHierarchy.indexOf(accessLevel);
+    const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
+    if (userLevelIndex < requiredLevelIndex) {
+      throw new Error(`Access level required: ${minLevel}, got: ${accessLevel}`);
+    }
+    return handler(...args);
+  };
+}
+function withRoleGuard(config, handler) {
+  return async (...args) => {
+    const [req] = args;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      throw new Error("User context required for role check");
+    }
+    if (config.globalRoles && config.globalRoles.length > 0) {
+      const { isSuperAdmin } = await import("../api-GZHIDA4X.js");
+      const isSuper = await isSuperAdmin(userId);
+      if (isSuper) {
+        if (organisationId) {
+          const { emitAuditEvent: emitAuditEvent2 } = await import("../audit-BUW3LMJB.js");
+          await emitAuditEvent2({
+            type: "permission_check",
+            userId,
+            organisationId,
+            eventId,
+            appId,
+            permission: "bypass:all",
+            decision: true,
+            source: "api",
+            bypass: true,
+            duration_ms: 0,
+            metadata: {
+              operation: "role_guard",
+              reason: "super_admin_bypass"
+            }
+          });
+        }
+        return handler(...args);
+      }
+    }
+    if (config.organisationRoles && config.organisationRoles.length > 0) {
+      const { isOrganisationAdmin } = await import("../api-GZHIDA4X.js");
+      const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
+      if (!isOrgAdmin && config.requireAll !== false) {
+        throw new Error(`Organisation admin role required`);
+      }
+    }
+    if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
+      const { isEventAdmin } = await import("../api-GZHIDA4X.js");
+      const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
+      if (!isEventAdminUser && config.requireAll !== false) {
+        throw new Error(`Event admin role required`);
+      }
+    }
+    if (organisationId) {
+      const { emitAuditEvent: emitAuditEvent2 } = await import("../audit-BUW3LMJB.js");
+      await emitAuditEvent2({
+        type: "permission_check",
+        userId,
+        organisationId,
+        eventId,
+        appId,
+        permission: "role:check",
+        decision: true,
+        source: "api",
+        bypass: false,
+        duration_ms: 0,
+        metadata: {
+          operation: "role_guard"
+        }
+      });
+    }
+    return handler(...args);
+  };
+}
+function createRBACMiddleware(config) {
+  return async (req, res, next) => {
+    const { pathname } = req.nextUrl;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    if (!userId || !organisationId) {
+      return res.redirect(config.fallbackUrl || "/login");
+    }
+    const protectedRoute = config.protectedRoutes.find(
+      (route) => pathname.startsWith(route.path)
+    );
+    if (protectedRoute) {
+      try {
+        const { isPermitted: isPermitted2 } = await import("../api-GZHIDA4X.js");
+        const hasPermission2 = await isPermitted2({
+          userId,
+          scope: { organisationId },
+          permission: protectedRoute.permission,
+          pageId: protectedRoute.pageId
+        });
+        if (!hasPermission2) {
+          return res.redirect(config.fallbackUrl || "/access-denied");
+        }
+      } catch (_error) {
+        return res.redirect(config.fallbackUrl || "/access-denied");
+      }
+    }
+    next();
+  };
+}
+function createRBACExpressMiddleware(config) {
+  return async (req, res, next) => {
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      return res.status(401).json({ error: "User context required" });
+    }
+    try {
+      const { isPermitted: isPermitted2 } = await import("../api-GZHIDA4X.js");
+      const hasPermission2 = await isPermitted2({
+        userId,
+        scope: { organisationId, eventId, appId },
+        permission: config.permission,
+        pageId: config.pageId
+      });
+      if (!hasPermission2) {
+        return res.status(403).json({ error: "Permission denied" });
+      }
+      next();
+    } catch (_error) {
+      return res.status(500).json({ error: "Permission check failed" });
+    }
+  };
+}
+function hasPermissionCached(userId, scope, _permission, _pageId) {
+  const cacheKey = RBACCache.generatePermissionKey({
+    userId,
+    organisationId: scope.organisationId,
+    eventId: scope.eventId,
+    appId: scope.appId
+  });
+  return rbacCache.get(cacheKey) || false;
+}
+function hasAnyPermissionCached(userId, scope, permissions, pageId) {
+  return permissions.some(
+    (permission) => hasPermissionCached(userId, scope, permission, pageId)
+  );
+}
+
+// src/rbac/components/PagePermissionProvider.tsx
+init_UnifiedAuthProvider();
+import { createContext, useContext as useContext2, useState as useState2, useCallback as useCallback2, useMemo as useMemo2, useEffect as useEffect2 } from "react";
+import { jsx as jsx2 } from "react/jsx-runtime";
+var PagePermissionContext = createContext(null);
+function PagePermissionProvider({
+  children,
+  strictMode = true,
+  auditLog = true,
+  onPageAccess,
+  onStrictModeViolation,
+  maxHistorySize = 1e3
+}) {
+  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
+  const [pageAccessHistory, setPageAccessHistory] = useState2([]);
+  const [isEnabled, setIsEnabled] = useState2(true);
+  const currentScope = useMemo2(() => {
+    if (!selectedOrganisationId) return null;
+    return {
+      organisationId: selectedOrganisationId,
+      eventId: selectedEventId || void 0,
+      appId: void 0
+    };
+  }, [selectedOrganisationId, selectedEventId]);
+  const hasPagePermission = useCallback2((pageName, operation, pageId, scope) => {
+    if (!isEnabled) return true;
+    if (!user?.id) return false;
+    const effectiveScope = scope || currentScope;
+    if (!effectiveScope) return false;
+    const permission = `${operation}:page.${pageName}`;
+    return false;
+  }, [isEnabled, user?.id, currentScope]);
+  const getPagePermissions = useCallback2(() => {
+    if (!isEnabled || !user?.id) return {};
+    return {};
+  }, [isEnabled, user?.id]);
+  const getPageAccessHistory = useCallback2(() => {
+    return [...pageAccessHistory];
+  }, [pageAccessHistory]);
+  const clearPageAccessHistory = useCallback2(() => {
+    setPageAccessHistory([]);
+  }, []);
+  const recordPageAccess = useCallback2((pageName, operation, allowed, pageId, scope) => {
+    if (!auditLog || !user?.id) return;
+    const record = {
+      pageName,
+      operation,
+      userId: user.id,
+      scope: scope || currentScope || { organisationId: "" },
+      allowed,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      pageId
+    };
+    setPageAccessHistory((prev) => {
+      const newHistory = [record, ...prev];
+      return newHistory.slice(0, maxHistorySize);
+    });
+    if (onPageAccess) {
+      onPageAccess(pageName, operation, allowed, record);
+    }
+    if (strictMode && !allowed && onStrictModeViolation) {
+      onStrictModeViolation(pageName, operation, record);
+    }
+  }, [auditLog, user?.id, currentScope, maxHistorySize, onPageAccess, onStrictModeViolation, strictMode]);
+  const contextValue = useMemo2(() => ({
+    hasPagePermission,
+    getPagePermissions,
+    isEnabled,
+    isStrictMode: strictMode,
+    isAuditLogEnabled: auditLog,
+    getPageAccessHistory,
+    clearPageAccessHistory
+  }), [
+    hasPagePermission,
+    getPagePermissions,
+    isEnabled,
+    strictMode,
+    auditLog,
+    getPageAccessHistory,
+    clearPageAccessHistory
+  ]);
+  useEffect2(() => {
+    if (strictMode && auditLog) {
+      console.log(`[PagePermissionProvider] Strict mode enabled - all page access attempts will be logged and enforced`);
+    }
+  }, [strictMode, auditLog]);
+  return /* @__PURE__ */ jsx2(PagePermissionContext.Provider, { value: contextValue, children });
+}
+function usePagePermissions() {
+  const context = useContext2(PagePermissionContext);
+  if (!context) {
+    throw new Error("usePagePermissions must be used within a PagePermissionProvider");
+  }
+  return context;
+}
+
+// src/rbac/components/PagePermissionGuard.tsx
+import { useMemo as useMemo3, useEffect as useEffect3, useState as useState3 } from "react";
+init_UnifiedAuthProvider();
+
+// src/rbac/utils/eventContext.ts
+async function getOrganisationFromEvent(supabase, eventId) {
+  const { data, error } = await supabase.from("event").select("organisation_id").eq("event_id", eventId).single();
+  if (error || !data) {
+    return null;
+  }
+  return data.organisation_id;
+}
+async function createScopeFromEvent(supabase, eventId, appId) {
+  const organisationId = await getOrganisationFromEvent(supabase, eventId);
+  if (!organisationId) {
+    return null;
+  }
+  return {
+    organisationId,
+    eventId,
+    appId
+  };
+}
+
+// src/rbac/components/PagePermissionGuard.tsx
+init_appNameResolver();
+import { Fragment as Fragment2, jsx as jsx3, jsxs as jsxs2 } from "react/jsx-runtime";
+function PagePermissionGuard({
+  pageName,
+  operation,
+  children,
+  fallback = /* @__PURE__ */ jsx3(DefaultAccessDenied, {}),
+  strictMode = true,
+  auditLog = true,
+  pageId,
+  scope,
+  onDenied,
+  loading = /* @__PURE__ */ jsx3(DefaultLoading, {})
+}) {
+  const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
+  const [hasChecked, setHasChecked] = useState3(false);
+  const [checkError, setCheckError] = useState3(null);
+  const [resolvedScope, setResolvedScope] = useState3(null);
+  useEffect3(() => {
+    const resolveScope = async () => {
+      if (scope) {
+        setResolvedScope(scope);
+        return;
+      }
+      let appId = void 0;
+      if (supabase) {
+        const appName = getCurrentAppName();
+        if (appName) {
+          try {
+            console.log("[PagePermissionGuard] Resolving app name to ID:", appName);
+            const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).eq("is_active", true).single();
+            if (error2) {
+              console.error("[PagePermissionGuard] Database error resolving app ID:", error2);
+              const { data: inactiveApp } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).single();
+              if (inactiveApp) {
+                console.error(`[PagePermissionGuard] App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
+              } else {
+                console.error(`[PagePermissionGuard] App "${appName}" not found in rbac_apps table`);
+              }
+            } else if (app) {
+              appId = app.id;
+              console.log("[PagePermissionGuard] Successfully resolved app ID:", app.id);
+            } else {
+              console.error("[PagePermissionGuard] No app data returned for:", appName);
+            }
+          } catch (error2) {
+            console.error("[PagePermissionGuard] Unexpected error resolving app ID:", error2);
+          }
+        } else {
+          console.error("[PagePermissionGuard] No app name found. Make sure to call setRBACAppName() in your app setup.");
+        }
+      }
+      if (selectedOrganisationId && selectedEventId) {
+        if (!appId) {
+          if (false) {
+            console.warn("[PagePermissionGuard] App ID not resolved in test environment, proceeding without it");
+          } else {
+            console.error("[PagePermissionGuard] CRITICAL: App ID not resolved. Check console for details.");
+            setCheckError(new Error("App ID not resolved. Check console for database errors."));
+            setResolvedScope(null);
+            return;
+          }
+        }
+        if (appId) {
+          const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+          if (!uuidRegex.test(appId)) {
+            console.error("[PagePermissionGuard] CRITICAL: App ID is not a valid UUID:", appId);
+            setCheckError(new Error(`Invalid app ID format: ${appId}. Expected UUID.`));
+            setResolvedScope(null);
+            return;
+          }
+        }
+        const resolvedScope2 = {
+          organisationId: selectedOrganisationId,
+          eventId: selectedEventId,
+          appId
+        };
+        console.log("[PagePermissionGuard] Setting resolved scope:", resolvedScope2);
+        setResolvedScope(resolvedScope2);
+        return;
+      }
+      if (selectedOrganisationId) {
+        if (!appId) {
+          if (false) {
+            console.warn("[PagePermissionGuard] App ID not resolved in test environment, proceeding without it");
+          } else {
+            console.error("[PagePermissionGuard] CRITICAL: App ID not resolved. Check console for details.");
+            setCheckError(new Error("App ID not resolved. Check console for database errors."));
+            setResolvedScope(null);
+            return;
+          }
+        }
+        if (appId) {
+          const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+          if (!uuidRegex.test(appId)) {
+            console.error("[PagePermissionGuard] CRITICAL: App ID is not a valid UUID:", appId);
+            setCheckError(new Error(`Invalid app ID format: ${appId}. Expected UUID.`));
+            setResolvedScope(null);
+            return;
+          }
+        }
+        const resolvedScope2 = {
+          organisationId: selectedOrganisationId,
+          eventId: selectedEventId || void 0,
+          appId
+        };
+        console.log("[PagePermissionGuard] Setting resolved scope (org only):", resolvedScope2);
+        setResolvedScope(resolvedScope2);
+        return;
+      }
+      if (selectedEventId && supabase) {
+        try {
+          const eventScope = await createScopeFromEvent(supabase, selectedEventId);
+          if (!eventScope) {
+            setCheckError(new Error("Could not resolve organization from event context"));
+            setResolvedScope(null);
+            return;
+          }
+          setResolvedScope({
+            ...eventScope,
+            appId: appId || eventScope.appId
+          });
+        } catch (error2) {
+          setCheckError(error2);
+          setResolvedScope(null);
+        }
+        return;
+      }
+      setCheckError(new Error("Either organisation context or event context is required for page permission checking"));
+      setResolvedScope(null);
+    };
+    resolveScope();
+  }, [scope, selectedOrganisationId, selectedEventId, supabase]);
+  const effectivePageId = useMemo3(() => {
+    return pageId || pageName;
+  }, [pageId, pageName]);
+  const permission = useMemo3(() => {
+    return `${operation}:page.${pageName}`;
+  }, [operation, pageName]);
+  console.log("[PagePermissionGuard] Calling useCan with scope:", resolvedScope);
+  console.log("[PagePermissionGuard] resolvedScope:", resolvedScope);
+  console.log("[PagePermissionGuard] selectedEventId:", selectedEventId);
+  console.log("[PagePermissionGuard] About to call useCan with:", {
+    userId: user?.id || "",
+    scope: resolvedScope || { organisationId: "", appId: "", eventId: selectedEventId || void 0 },
+    permission,
+    pageId: effectivePageId,
+    useCache: true
+  });
+  const { can, isLoading: canIsLoading, error: canError } = useCan(
+    user?.id || "",
+    resolvedScope || { organisationId: "", appId: "", eventId: selectedEventId || void 0 },
+    permission,
+    effectivePageId,
+    true
+    // Use cache
+  );
+  console.log("[PagePermissionGuard] useCan returned:", { can, canIsLoading, canError });
+  const isLoading = !resolvedScope || canIsLoading;
+  const error = checkError || canError;
+  console.log("[PagePermissionGuard] Combined state:", {
+    can,
+    isLoading,
+    canIsLoading,
+    resolvedScopeExists: !!resolvedScope,
+    error: error?.message
+  });
+  useEffect3(() => {
+    if (!isLoading && !error) {
+      setHasChecked(true);
+      setCheckError(null);
+      if (!can && onDenied) {
+        onDenied(pageName, operation);
+      }
+    } else if (error) {
+      setCheckError(error);
+      setHasChecked(true);
+    }
+  }, [can, isLoading, error, pageName, operation, onDenied]);
+  useEffect3(() => {
+    if (auditLog && hasChecked && !isLoading) {
+      console.log(`[PagePermissionGuard] Page access attempt:`, {
+        pageName,
+        operation,
+        userId: user?.id,
+        scope: resolvedScope,
+        allowed: can,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, resolvedScope, can]);
+  useEffect3(() => {
+    if (strictMode && hasChecked && !isLoading && !can) {
+      console.error(`[PagePermissionGuard] STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
+        pageName,
+        operation,
+        userId: user?.id,
+        scope: resolvedScope,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [strictMode, hasChecked, isLoading, can, pageName, operation, user?.id, resolvedScope]);
+  if (isLoading || !resolvedScope || !hasChecked) {
+    return /* @__PURE__ */ jsx3(Fragment2, { children: loading });
+  }
+  if (checkError) {
+    console.error(`[PagePermissionGuard] Permission check failed for page ${pageName}:`, checkError);
+    return /* @__PURE__ */ jsx3(Fragment2, { children: fallback });
+  }
+  if (!can) {
+    return /* @__PURE__ */ jsx3(Fragment2, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx3(Fragment2, { children });
+}
+function DefaultAccessDenied() {
+  return /* @__PURE__ */ jsxs2("div", { className: "flex flex-col items-center justify-center min-h-[200px] p-8 text-center", children: [
+    /* @__PURE__ */ jsx3("div", { className: "mb-4", children: /* @__PURE__ */ jsx3("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx3("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
+    /* @__PURE__ */ jsx3("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
+    /* @__PURE__ */ jsx3("p", { className: "text-sec-600 mb-4", children: "You don't have permission to access this page." }),
+    /* @__PURE__ */ jsx3(
+      "button",
+      {
+        onClick: () => window.history.back(),
+        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
+        children: "Go Back"
+      }
+    )
+  ] });
+}
+function DefaultLoading() {
+  return /* @__PURE__ */ jsx3("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs2("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx3("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600" }),
+    /* @__PURE__ */ jsx3("span", { className: "text-sec-600", children: "Checking permissions..." })
+  ] }) });
+}
+
+// src/rbac/components/SecureDataProvider.tsx
+init_UnifiedAuthProvider();
+import { createContext as createContext2, useContext as useContext3, useState as useState4, useCallback as useCallback4, useMemo as useMemo4, useEffect as useEffect4 } from "react";
+import { jsx as jsx4 } from "react/jsx-runtime";
+var SecureDataContext = createContext2(null);
+function SecureDataProvider({
+  children,
+  strictMode = true,
+  auditLog = true,
+  onDataAccess,
+  onStrictModeViolation,
+  maxHistorySize = 1e3,
+  enforceRLS = true
+}) {
+  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
+  const { validateContext } = useSecureDataAccess();
+  const [dataAccessHistory, setDataAccessHistory] = useState4([]);
+  const [isEnabled, setIsEnabled] = useState4(true);
+  const currentScope = useMemo4(() => {
+    if (!selectedOrganisationId) return null;
+    return {
+      organisationId: selectedOrganisationId,
+      eventId: selectedEventId || void 0,
+      appId: void 0
+    };
+  }, [selectedOrganisationId, selectedEventId]);
+  const isDataAccessAllowed = useCallback4((table, operation, scope) => {
+    if (!isEnabled) return true;
+    if (!user?.id) return false;
+    const effectiveScope = scope || currentScope;
+    if (!effectiveScope) return false;
+    const permission = `${operation}:data.${table}`;
+    return true;
+  }, [isEnabled, user?.id, currentScope]);
+  const getDataAccessPermissions = useCallback4(() => {
+    if (!isEnabled || !user?.id) return {};
+    return {};
+  }, [isEnabled, user?.id]);
+  const getDataAccessHistory = useCallback4(() => {
+    return [...dataAccessHistory];
+  }, [dataAccessHistory]);
+  const clearDataAccessHistory = useCallback4(() => {
+    setDataAccessHistory([]);
+  }, []);
+  const validateDataAccess = useCallback4((table, operation, scope) => {
+    if (!isEnabled) return true;
+    if (!user?.id) return false;
+    const effectiveScope = scope || currentScope;
+    if (!effectiveScope) return false;
+    try {
+      validateContext();
+    } catch (error) {
+      console.error(`[SecureDataProvider] Organisation context validation failed:`, error);
+      return false;
+    }
+    return isDataAccessAllowed(table, operation, effectiveScope);
+  }, [isEnabled, user?.id, currentScope, validateContext, isDataAccessAllowed]);
+  const recordDataAccess = useCallback4((table, operation, allowed, query, filters, scope) => {
+    if (!auditLog || !user?.id) return;
+    const record = {
+      table,
+      operation,
+      userId: user.id,
+      scope: scope || currentScope || { organisationId: "" },
+      allowed,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      query,
+      filters
+    };
+    setDataAccessHistory((prev) => {
+      const newHistory = [record, ...prev];
+      return newHistory.slice(0, maxHistorySize);
+    });
+    if (onDataAccess) {
+      onDataAccess(table, operation, allowed, record);
+    }
+    if (strictMode && !allowed && onStrictModeViolation) {
+      onStrictModeViolation(table, operation, record);
+    }
+  }, [auditLog, user?.id, currentScope, maxHistorySize, onDataAccess, onStrictModeViolation, strictMode]);
+  const contextValue = useMemo4(() => ({
+    isDataAccessAllowed,
+    getDataAccessPermissions,
+    isEnabled,
+    isStrictMode: strictMode,
+    isAuditLogEnabled: auditLog,
+    getDataAccessHistory,
+    clearDataAccessHistory,
+    validateDataAccess
+  }), [
+    isDataAccessAllowed,
+    getDataAccessPermissions,
+    isEnabled,
+    strictMode,
+    auditLog,
+    getDataAccessHistory,
+    clearDataAccessHistory,
+    validateDataAccess
+  ]);
+  useEffect4(() => {
+    if (strictMode && auditLog) {
+      console.log(`[SecureDataProvider] Strict mode enabled - all data access attempts will be logged and enforced`);
+    }
+  }, [strictMode, auditLog]);
+  useEffect4(() => {
+    if (enforceRLS && auditLog) {
+      console.log(`[SecureDataProvider] RLS enforcement enabled - all queries will include organisation context`);
+    }
+  }, [enforceRLS, auditLog]);
+  return /* @__PURE__ */ jsx4(SecureDataContext.Provider, { value: contextValue, children });
+}
+function useSecureData() {
+  const context = useContext3(SecureDataContext);
+  if (!context) {
+    throw new Error("useSecureData must be used within a SecureDataProvider");
+  }
+  return context;
+}
+
+// src/rbac/components/PermissionEnforcer.tsx
+import { useMemo as useMemo5, useEffect as useEffect5, useState as useState5 } from "react";
+init_UnifiedAuthProvider();
+import { Fragment as Fragment3, jsx as jsx5, jsxs as jsxs3 } from "react/jsx-runtime";
+function PermissionEnforcer({
+  permissions,
+  operation,
+  children,
+  fallback = /* @__PURE__ */ jsx5(DefaultAccessDenied2, {}),
+  strictMode = true,
+  auditLog = true,
+  scope,
+  onDenied,
+  loading = /* @__PURE__ */ jsx5(DefaultLoading2, {}),
+  requireAll = true
+}) {
+  const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
+  const [hasChecked, setHasChecked] = useState5(false);
+  const [checkError, setCheckError] = useState5(null);
+  const [permissionResults, setPermissionResults] = useState5({});
+  const [resolvedScope, setResolvedScope] = useState5(null);
+  useEffect5(() => {
+    const resolveScope = async () => {
+      if (scope) {
+        setResolvedScope(scope);
+        return;
+      }
+      if (selectedOrganisationId && selectedEventId) {
+        setResolvedScope({
+          organisationId: selectedOrganisationId,
+          eventId: selectedEventId,
+          appId: void 0
+        });
+        return;
+      }
+      if (selectedOrganisationId) {
+        setResolvedScope({
+          organisationId: selectedOrganisationId,
+          eventId: selectedEventId || void 0,
+          appId: void 0
+        });
+        return;
+      }
+      if (selectedEventId && supabase) {
+        try {
+          const eventScope = await createScopeFromEvent(supabase, selectedEventId);
+          if (!eventScope) {
+            setCheckError(new Error("Could not resolve organization from event context"));
+            return;
+          }
+          setResolvedScope(eventScope);
+        } catch (error2) {
+          setCheckError(error2);
+        }
+        return;
+      }
+      setCheckError(new Error("Either organisation context or event context is required for permission checking"));
+    };
+    resolveScope();
+  }, [scope, selectedOrganisationId, selectedEventId, supabase]);
+  const representativePermission = permissions[0];
+  const { can, isLoading, error } = useCan(
+    user?.id || "",
+    resolvedScope || { eventId: selectedEventId || void 0 },
+    representativePermission,
+    void 0,
+    true
+    // Use cache
+  );
+  const hasRequiredPermissions = useMemo5(() => {
+    if (permissions.length === 0) return true;
+    return can;
+  }, [permissions, can]);
+  useEffect5(() => {
+    if (!isLoading && !error) {
+      setHasChecked(true);
+      setCheckError(null);
+      if (!hasRequiredPermissions && onDenied) {
+        onDenied(permissions, operation);
+      }
+    } else if (error) {
+      setCheckError(error);
+      setHasChecked(true);
+    }
+  }, [hasRequiredPermissions, isLoading, error, permissions, operation, onDenied]);
+  useEffect5(() => {
+    if (auditLog && hasChecked && !isLoading) {
+      console.log(`[PermissionEnforcer] Permission check attempt:`, {
+        permissions,
+        operation,
+        userId: user?.id,
+        scope: resolvedScope,
+        allowed: hasRequiredPermissions,
+        requireAll,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [auditLog, hasChecked, isLoading, permissions, operation, user?.id, resolvedScope, hasRequiredPermissions, requireAll]);
+  useEffect5(() => {
+    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
+      console.error(`[PermissionEnforcer] STRICT MODE VIOLATION: User attempted to perform operation without permission`, {
+        permissions,
+        operation,
+        userId: user?.id,
+        scope: resolvedScope,
+        requireAll,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, permissions, operation, user?.id, resolvedScope, requireAll]);
+  if (isLoading || !hasChecked) {
+    return /* @__PURE__ */ jsx5(Fragment3, { children: loading });
+  }
+  if (checkError) {
+    console.error(`[PermissionEnforcer] Permission check failed for operation ${operation}:`, checkError);
+    return /* @__PURE__ */ jsx5(Fragment3, { children: fallback });
+  }
+  if (!hasRequiredPermissions) {
+    return /* @__PURE__ */ jsx5(Fragment3, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx5(Fragment3, { children });
+}
+function DefaultAccessDenied2() {
+  return /* @__PURE__ */ jsxs3("div", { className: "flex flex-col items-center justify-center min-h-[200px] p-8 text-center", children: [
+    /* @__PURE__ */ jsx5("div", { className: "mb-4", children: /* @__PURE__ */ jsx5("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx5("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
+    /* @__PURE__ */ jsx5("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
+    /* @__PURE__ */ jsx5("p", { className: "text-sec-600 mb-4", children: "You don't have permission to perform this operation." }),
+    /* @__PURE__ */ jsx5(
+      "button",
+      {
+        onClick: () => window.history.back(),
+        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
+        children: "Go Back"
+      }
+    )
+  ] });
+}
+function DefaultLoading2() {
+  return /* @__PURE__ */ jsx5("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs3("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx5("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600" }),
+    /* @__PURE__ */ jsx5("span", { className: "text-sec-600", children: "Checking permissions..." })
+  ] }) });
+}
+
+// src/rbac/components/RoleBasedRouter.tsx
+import { useMemo as useMemo6, useCallback as useCallback6, useEffect as useEffect6, useState as useState6, createContext as createContext3, useContext as useContext4 } from "react";
+import { useLocation, useNavigate, Outlet } from "react-router-dom";
+init_UnifiedAuthProvider();
+import { jsx as jsx6, jsxs as jsxs4 } from "react/jsx-runtime";
+var RoleBasedRouterContext = createContext3(null);
+function RoleBasedRouter({
+  routes,
+  fallbackRoute = "/unauthorized",
+  children,
+  strictMode = true,
+  auditLog = true,
+  onRouteAccess,
+  onStrictModeViolation,
+  maxHistorySize = 1e3,
+  unauthorizedComponent: UnauthorizedComponent = DefaultUnauthorizedComponent
+}) {
+  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
+  const location = useLocation();
+  const navigate = useNavigate();
+  const [routeAccessHistory, setRouteAccessHistory] = useState6([]);
+  const [currentRoute, setCurrentRoute] = useState6("");
+  const currentScope = useMemo6(() => {
+    if (!selectedOrganisationId) return null;
+    return {
+      organisationId: selectedOrganisationId,
+      eventId: selectedEventId || void 0,
+      appId: void 0
+    };
+  }, [selectedOrganisationId, selectedEventId]);
+  const currentRouteConfig = useMemo6(() => {
+    const currentPath = location.pathname;
+    return routes.find((route) => route.path === currentPath) || null;
+  }, [routes, location.pathname]);
+  const canAccessRoute = useCallback6((path) => {
+    if (!user?.id || !currentScope) return false;
+    const routeConfig = routes.find((route) => route.path === path);
+    if (!routeConfig) return false;
+    return true;
+  }, [user?.id, currentScope, routes]);
+  const { can: canAccessCurrentRoute, isLoading: permissionLoading } = useCan(
+    user?.id || "",
+    currentScope || { organisationId: "", eventId: void 0, appId: void 0 },
+    currentRouteConfig?.permissions?.[0] || "read:page",
+    currentRouteConfig?.pageId
+  );
+  const hasPermissions = currentRouteConfig?.permissions && currentRouteConfig.permissions.length > 0;
+  const finalCanAccess = hasPermissions ? canAccessCurrentRoute : false;
+  const finalLoading = hasPermissions ? permissionLoading : false;
+  const getAccessibleRoutes = useCallback6(() => {
+    if (!user?.id || !currentScope) return [];
+    return routes.filter((route) => canAccessRoute(route.path));
+  }, [user?.id, currentScope, routes, canAccessRoute]);
+  const getRouteConfig = useCallback6((path) => {
+    return routes.find((route) => route.path === path) || null;
+  }, [routes]);
+  const getRouteAccessHistory = useCallback6(() => {
+    return [...routeAccessHistory];
+  }, [routeAccessHistory]);
+  const clearRouteAccessHistory = useCallback6(() => {
+    setRouteAccessHistory([]);
+  }, []);
+  const recordRouteAccess = useCallback6((route, allowed, routeConfig) => {
+    if (!auditLog || !user?.id || !currentScope) return;
+    const record = {
+      route,
+      permissions: routeConfig.permissions,
+      userId: user.id,
+      scope: currentScope,
+      allowed,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      pageId: routeConfig.pageId,
+      roles: routeConfig.roles,
+      accessLevel: routeConfig.accessLevel
+    };
+    setRouteAccessHistory((prev) => {
+      const newHistory = [record, ...prev];
+      return newHistory.slice(0, maxHistorySize);
+    });
+    if (onRouteAccess) {
+      onRouteAccess(route, allowed, record);
+    }
+    if (strictMode && !allowed && onStrictModeViolation) {
+      onStrictModeViolation(route, record);
+    }
+  }, [auditLog, user?.id, currentScope, maxHistorySize, onRouteAccess, onStrictModeViolation, strictMode]);
+  useEffect6(() => {
+    const currentPath = location.pathname;
+    setCurrentRoute(currentPath);
+    if (!currentRouteConfig) {
+      if (strictMode) {
+        console.error(`[RoleBasedRouter] STRICT MODE VIOLATION: Route not found in configuration`, {
+          route: currentPath,
+          userId: user?.id,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        });
+        if (onStrictModeViolation) {
+          onStrictModeViolation(currentPath, {
+            route: currentPath,
+            permissions: [],
+            userId: user?.id || "",
+            scope: currentScope || { organisationId: "" },
+            allowed: false,
+            timestamp: (/* @__PURE__ */ new Date()).toISOString()
+          });
+        }
+      }
+      return;
+    }
+    const allowed = finalCanAccess;
+    recordRouteAccess(currentPath, allowed, currentRouteConfig);
+    if (!allowed) {
+      navigate(fallbackRoute, { replace: true });
+    }
+  }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute]);
+  const contextValue = useMemo6(() => ({
+    getAccessibleRoutes,
+    canAccessRoute,
+    getRouteConfig,
+    getRouteAccessHistory,
+    clearRouteAccessHistory,
+    isStrictMode: strictMode,
+    isAuditLogEnabled: auditLog
+  }), [
+    getAccessibleRoutes,
+    canAccessRoute,
+    getRouteConfig,
+    getRouteAccessHistory,
+    clearRouteAccessHistory,
+    strictMode,
+    auditLog
+  ]);
+  if (finalLoading) {
+    return /* @__PURE__ */ jsx6("div", { className: "flex items-center justify-center min-h-screen", children: /* @__PURE__ */ jsxs4("div", { className: "text-center", children: [
+      /* @__PURE__ */ jsx6("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600 mx-auto mb-4" }),
+      /* @__PURE__ */ jsx6("p", { className: "text-sec-600", children: "Checking permissions..." })
+    ] }) });
+  }
+  if (currentRouteConfig && !finalCanAccess) {
+    return /* @__PURE__ */ jsx6(
+      UnauthorizedComponent,
+      {
+        route: currentRoute,
+        reason: "Insufficient permissions"
+      }
+    );
+  }
+  return /* @__PURE__ */ jsxs4(RoleBasedRouterContext.Provider, { value: contextValue, children: [
+    children,
+    /* @__PURE__ */ jsx6(Outlet, {})
+  ] });
+}
+function useRoleBasedRouter() {
+  const context = useContext4(RoleBasedRouterContext);
+  if (!context) {
+    throw new Error("useRoleBasedRouter must be used within a RoleBasedRouter");
+  }
+  return context;
+}
+function DefaultUnauthorizedComponent({ route, reason }) {
+  return /* @__PURE__ */ jsxs4("div", { className: "flex flex-col items-center justify-center min-h-screen p-8 text-center", children: [
+    /* @__PURE__ */ jsx6("div", { className: "mb-4", children: /* @__PURE__ */ jsx6("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx6("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
+    /* @__PURE__ */ jsx6("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
+    /* @__PURE__ */ jsxs4("p", { className: "text-sec-600 mb-4", children: [
+      "You don't have permission to access ",
+      /* @__PURE__ */ jsx6("code", { className: "bg-sec-100 px-2 py-1 rounded", children: route })
+    ] }),
+    /* @__PURE__ */ jsxs4("p", { className: "text-sm text-sec-500 mb-4", children: [
+      "Reason: ",
+      reason
+    ] }),
+    /* @__PURE__ */ jsx6(
+      "button",
+      {
+        onClick: () => window.history.back(),
+        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
+        children: "Go Back"
+      }
+    )
+  ] });
+}
+
+// src/rbac/components/NavigationProvider.tsx
+init_UnifiedAuthProvider();
+import { createContext as createContext4, useContext as useContext5, useState as useState7, useCallback as useCallback7, useMemo as useMemo7, useEffect as useEffect7 } from "react";
+import { jsx as jsx7 } from "react/jsx-runtime";
+var NavigationContext = createContext4(null);
+function NavigationProvider({
+  children,
+  strictMode = true,
+  auditLog = true,
+  onNavigationAccess,
+  onStrictModeViolation,
+  maxHistorySize = 1e3
+}) {
+  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
+  const [navigationAccessHistory, setNavigationAccessHistory] = useState7([]);
+  const [isEnabled, setIsEnabled] = useState7(true);
+  const currentScope = useMemo7(() => {
+    if (!selectedOrganisationId) return null;
+    return {
+      organisationId: selectedOrganisationId,
+      eventId: selectedEventId || void 0,
+      appId: void 0
+    };
+  }, [selectedOrganisationId, selectedEventId]);
+  const hasNavigationPermission = useCallback7((item) => {
+    if (!isEnabled) return true;
+    if (!user?.id) return false;
+    if (!currentScope) return false;
+    return true;
+  }, [isEnabled, user?.id, currentScope]);
+  const getNavigationPermissions = useCallback7(() => {
+    if (!isEnabled || !user?.id) return {};
+    return {};
+  }, [isEnabled, user?.id]);
+  const getFilteredNavigationItems = useCallback7((items) => {
+    if (!isEnabled) return items;
+    return items.filter((item) => hasNavigationPermission(item));
+  }, [isEnabled, hasNavigationPermission]);
+  const getNavigationAccessHistory = useCallback7(() => {
+    return [...navigationAccessHistory];
+  }, [navigationAccessHistory]);
+  const clearNavigationAccessHistory = useCallback7(() => {
+    setNavigationAccessHistory([]);
+  }, []);
+  const recordNavigationAccess = useCallback7((item, allowed) => {
+    if (!auditLog || !user?.id || !currentScope) return;
+    const record = {
+      navigationItem: item.id,
+      permissions: item.permissions,
+      userId: user.id,
+      scope: currentScope,
+      allowed,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      pageId: item.pageId,
+      roles: item.roles,
+      accessLevel: item.accessLevel
+    };
+    setNavigationAccessHistory((prev) => {
+      const newHistory = [record, ...prev];
+      return newHistory.slice(0, maxHistorySize);
+    });
+    if (onNavigationAccess) {
+      onNavigationAccess(item, allowed, record);
+    }
+    if (strictMode && !allowed && onStrictModeViolation) {
+      onStrictModeViolation(item, record);
+    }
+  }, [auditLog, user?.id, currentScope, maxHistorySize, onNavigationAccess, onStrictModeViolation, strictMode]);
+  const contextValue = useMemo7(() => ({
+    hasNavigationPermission,
+    getNavigationPermissions,
+    getFilteredNavigationItems,
+    isEnabled,
+    isStrictMode: strictMode,
+    isAuditLogEnabled: auditLog,
+    getNavigationAccessHistory,
+    clearNavigationAccessHistory
+  }), [
+    hasNavigationPermission,
+    getNavigationPermissions,
+    getFilteredNavigationItems,
+    isEnabled,
+    strictMode,
+    auditLog,
+    getNavigationAccessHistory,
+    clearNavigationAccessHistory
+  ]);
+  useEffect7(() => {
+    if (strictMode && auditLog) {
+      console.log(`[NavigationProvider] Strict mode enabled - all navigation access attempts will be logged and enforced`);
+    }
+  }, [strictMode, auditLog]);
+  return /* @__PURE__ */ jsx7(NavigationContext.Provider, { value: contextValue, children });
+}
+function useNavigationPermissions() {
+  const context = useContext5(NavigationContext);
+  if (!context) {
+    throw new Error("useNavigationPermissions must be used within a NavigationProvider");
+  }
+  return context;
+}
+
+// src/rbac/components/NavigationGuard.tsx
+import { useMemo as useMemo8, useEffect as useEffect8, useState as useState8 } from "react";
+init_UnifiedAuthProvider();
+import { Fragment as Fragment4, jsx as jsx8, jsxs as jsxs5 } from "react/jsx-runtime";
+function NavigationGuard({
+  navigationItem,
+  children,
+  fallback = /* @__PURE__ */ jsx8(DefaultAccessDenied3, {}),
+  strictMode = true,
+  auditLog = true,
+  scope,
+  onDenied,
+  loading = /* @__PURE__ */ jsx8(DefaultLoading3, {}),
+  requireAll = true
+}) {
+  const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
+  const [hasChecked, setHasChecked] = useState8(false);
+  const [checkError, setCheckError] = useState8(null);
+  const [resolvedScope, setResolvedScope] = useState8(null);
+  useEffect8(() => {
+    const resolveScope = async () => {
+      if (scope) {
+        setResolvedScope(scope);
+        return;
+      }
+      if (selectedOrganisationId && selectedEventId) {
+        setResolvedScope({
+          organisationId: selectedOrganisationId,
+          eventId: selectedEventId,
+          appId: void 0
+        });
+        return;
+      }
+      if (selectedOrganisationId) {
+        setResolvedScope({
+          organisationId: selectedOrganisationId,
+          eventId: selectedEventId || void 0,
+          appId: void 0
+        });
+        return;
+      }
+      if (selectedEventId && supabase) {
+        try {
+          const eventScope = await createScopeFromEvent(supabase, selectedEventId);
+          if (!eventScope) {
+            setCheckError(new Error("Could not resolve organization from event context"));
+            return;
+          }
+          setResolvedScope(eventScope);
+        } catch (error2) {
+          setCheckError(error2);
+        }
+        return;
+      }
+      setCheckError(new Error("Either organisation context or event context is required for navigation permission checking"));
+    };
+    resolveScope();
+  }, [scope, selectedOrganisationId, selectedEventId, supabase]);
+  const representativePermission = navigationItem.permissions[0];
+  const { can, isLoading, error } = useCan(
+    user?.id || "",
+    resolvedScope || { eventId: selectedEventId || void 0 },
+    representativePermission,
+    navigationItem.pageId,
+    true
+    // Use cache
+  );
+  const hasRequiredPermissions = useMemo8(() => {
+    if (navigationItem.permissions.length === 0) return true;
+    return can;
+  }, [navigationItem.permissions, can]);
+  useEffect8(() => {
+    if (!isLoading && !error) {
+      setHasChecked(true);
+      setCheckError(null);
+      if (!hasRequiredPermissions && onDenied) {
+        onDenied(navigationItem);
+      }
+    } else if (error) {
+      setCheckError(error);
+      setHasChecked(true);
+    }
+  }, [hasRequiredPermissions, isLoading, error, navigationItem, onDenied]);
+  useEffect8(() => {
+    if (auditLog && hasChecked && !isLoading) {
+      console.log(`[NavigationGuard] Navigation access attempt:`, {
+        navigationItem: navigationItem.id,
+        permissions: navigationItem.permissions,
+        userId: user?.id,
+        scope: resolvedScope,
+        allowed: hasRequiredPermissions,
+        requireAll,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [auditLog, hasChecked, isLoading, navigationItem, user?.id, resolvedScope, hasRequiredPermissions, requireAll]);
+  useEffect8(() => {
+    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
+      console.error(`[NavigationGuard] STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
+        navigationItem: navigationItem.id,
+        permissions: navigationItem.permissions,
+        userId: user?.id,
+        scope: resolvedScope,
+        requireAll,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, navigationItem, user?.id, resolvedScope, requireAll]);
+  if (isLoading || !resolvedScope || !hasChecked) {
+    return /* @__PURE__ */ jsx8(Fragment4, { children: loading });
+  }
+  if (checkError) {
+    console.error(`[NavigationGuard] Permission check failed for navigation item ${navigationItem.id}:`, checkError);
+    return /* @__PURE__ */ jsx8(Fragment4, { children: fallback });
+  }
+  if (!hasRequiredPermissions) {
+    return /* @__PURE__ */ jsx8(Fragment4, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx8(Fragment4, { children });
+}
+function DefaultAccessDenied3() {
+  return /* @__PURE__ */ jsx8("div", { className: "flex items-center justify-center p-2 text-center", children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx8("svg", { className: "w-4 h-4 text-acc-500", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx8("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }),
+    /* @__PURE__ */ jsx8("span", { className: "text-sm text-sec-600", children: "Access Denied" })
+  ] }) });
+}
+function DefaultLoading3() {
+  return /* @__PURE__ */ jsx8("div", { className: "flex items-center justify-center p-2", children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx8("div", { className: "animate-spin rounded-full h-4 w-4 border-b-2 border-main-600" }),
+    /* @__PURE__ */ jsx8("span", { className: "text-sm text-sec-600", children: "Checking..." })
+  ] }) });
+}
+var NavigationGuard_default = NavigationGuard;
+
+// src/rbac/components/EnhancedNavigationMenu.tsx
+import { useMemo as useMemo9, useCallback as useCallback9, useEffect as useEffect9, useState as useState9 } from "react";
+import { jsx as jsx9, jsxs as jsxs6 } from "react/jsx-runtime";
+function EnhancedNavigationMenu({
+  items,
+  strictMode = true,
+  auditLog = true,
+  onNavigationAccess,
+  onStrictModeViolation,
+  className = "flex flex-col space-y-1",
+  itemClassName = "px-3 py-2 rounded-md text-sm font-medium transition-colors",
+  activeItemClassName = "bg-main-100 text-main-700",
+  disabledItemClassName = "text-sec-400 cursor-not-allowed",
+  hideUnauthorizedItems = false,
+  renderItem,
+  activePath,
+  onItemClick
+}) {
+  const {
+    hasNavigationPermission,
+    getFilteredNavigationItems,
+    isEnabled,
+    isStrictMode,
+    isAuditLogEnabled
+  } = useNavigationPermissions();
+  const [navigationHistory, setNavigationHistory] = useState9([]);
+  const filteredItems = useMemo9(() => {
+    if (!isEnabled) return items;
+    return getFilteredNavigationItems(items);
+  }, [isEnabled, items, getFilteredNavigationItems]);
+  const handleItemClick = useCallback9((item) => {
+    if (onItemClick) {
+      onItemClick(item);
+    }
+    if (auditLog) {
+      console.log(`[EnhancedNavigationMenu] Navigation item clicked:`, {
+        item: item.id,
+        path: item.path,
+        permissions: item.permissions,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    setNavigationHistory((prev) => {
+      const newHistory = [item, ...prev.filter((i) => i.id !== item.id)];
+      return newHistory.slice(0, 10);
+    });
+  }, [onItemClick, auditLog]);
+  const handleNavigationAccess = useCallback9((item, allowed) => {
+    if (onNavigationAccess) {
+      onNavigationAccess(item, allowed);
+    }
+    if (auditLog) {
+      console.log(`[EnhancedNavigationMenu] Navigation access attempt:`, {
+        item: item.id,
+        allowed,
+        strictMode,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [onNavigationAccess, auditLog, strictMode]);
+  const handleStrictModeViolation = useCallback9((item) => {
+    if (onStrictModeViolation) {
+      onStrictModeViolation(item);
+    }
+    if (strictMode) {
+      console.error(`[EnhancedNavigationMenu] STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
+        item: item.id,
+        path: item.path,
+        permissions: item.permissions,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [onStrictModeViolation, strictMode]);
+  const defaultRenderItem = useCallback9((item, isAuthorized) => {
+    const isActive = activePath === item.path;
+    const isDisabled = !isAuthorized;
+    return /* @__PURE__ */ jsx9(
+      NavigationGuard_default,
+      {
+        navigationItem: item,
+        strictMode,
+        auditLog,
+        onDenied: handleStrictModeViolation,
+        fallback: hideUnauthorizedItems ? null : /* @__PURE__ */ jsx9("div", { className: `${itemClassName} ${disabledItemClassName}`, children: /* @__PURE__ */ jsxs6("div", { className: "flex items-center space-x-2", children: [
+          item.meta?.icon && /* @__PURE__ */ jsx9("span", { className: "text-sm", children: item.meta.icon }),
+          /* @__PURE__ */ jsx9("span", { children: item.label }),
+          /* @__PURE__ */ jsx9("span", { className: "text-xs text-sec-400", children: "(Access Denied)" })
+        ] }) }),
+        children: /* @__PURE__ */ jsx9(
+          "button",
+          {
+            onClick: () => handleItemClick(item),
+            className: `${itemClassName} ${isActive ? activeItemClassName : ""} ${isDisabled ? disabledItemClassName : "hover:bg-sec-100"}`,
+            disabled: isDisabled,
+            children: /* @__PURE__ */ jsxs6("div", { className: "flex items-center space-x-2", children: [
+              item.meta?.icon && /* @__PURE__ */ jsx9("span", { className: "text-sm", children: item.meta.icon }),
+              /* @__PURE__ */ jsx9("span", { children: item.label }),
+              item.meta?.description && /* @__PURE__ */ jsx9("span", { className: "text-xs text-sec-500 ml-auto", children: item.meta.description })
+            ] })
+          }
+        )
+      },
+      item.id
+    );
+  }, [
+    activePath,
+    itemClassName,
+    activeItemClassName,
+    disabledItemClassName,
+    hideUnauthorizedItems,
+    strictMode,
+    auditLog,
+    handleStrictModeViolation,
+    handleItemClick
+  ]);
+  useEffect9(() => {
+    if (strictMode && auditLog) {
+      console.log(`[EnhancedNavigationMenu] Strict mode enabled - all navigation access attempts will be logged and enforced`);
+    }
+  }, [strictMode, auditLog]);
+  useEffect9(() => {
+    if (auditLog) {
+      console.log(`[EnhancedNavigationMenu] Navigation menu initialized:`, {
+        totalItems: items.length,
+        filteredItems: filteredItems.length,
+        strictMode,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [items.length, filteredItems.length, strictMode, auditLog]);
+  return /* @__PURE__ */ jsx9("nav", { className, children: filteredItems.map((item) => {
+    const isAuthorized = hasNavigationPermission(item);
+    if (renderItem) {
+      return renderItem(item, isAuthorized);
+    }
+    return defaultRenderItem(item, isAuthorized);
+  }) });
+}
+
+// src/rbac/permissions.ts
+var GLOBAL_PERMISSIONS = {
+  MANAGE_ALL: "manage:*",
+  READ_ALL: "read:*",
+  CREATE_ALL: "create:*",
+  UPDATE_ALL: "update:*",
+  DELETE_ALL: "delete:*"
+};
+var ORGANISATION_PERMISSIONS = {
+  // Organisation management
+  MANAGE_ORGANISATION: "manage:organisation",
+  READ_ORGANISATION: "read:organisation",
+  UPDATE_ORGANISATION: "update:organisation",
+  // User management
+  MANAGE_USERS: "manage:users",
+  READ_USERS: "read:users",
+  CREATE_USERS: "create:users",
+  UPDATE_USERS: "update:users",
+  DELETE_USERS: "delete:users",
+  // Role management
+  MANAGE_ROLES: "manage:roles",
+  READ_ROLES: "read:roles",
+  CREATE_ROLES: "create:roles",
+  UPDATE_ROLES: "update:roles",
+  DELETE_ROLES: "delete:roles",
+  // Event management
+  MANAGE_EVENTS: "manage:events",
+  READ_EVENTS: "read:events",
+  CREATE_EVENTS: "create:events",
+  UPDATE_EVENTS: "update:events",
+  DELETE_EVENTS: "delete:events",
+  // App management
+  MANAGE_APPS: "manage:apps",
+  READ_APPS: "read:apps",
+  CREATE_APPS: "create:apps",
+  UPDATE_APPS: "update:apps",
+  DELETE_APPS: "delete:apps"
+};
+var EVENT_APP_PERMISSIONS = {
+  // Event management
+  MANAGE_EVENT: "manage:event",
+  READ_EVENT: "read:event",
+  UPDATE_EVENT: "update:event",
+  // App management
+  MANAGE_APP: "manage:app",
+  READ_APP: "read:app",
+  UPDATE_APP: "update:app",
+  // Team management
+  MANAGE_TEAM: "manage:team",
+  READ_TEAM: "read:team",
+  CREATE_TEAM: "create:team",
+  UPDATE_TEAM: "update:team",
+  DELETE_TEAM: "delete:team",
+  // Team members
+  MANAGE_TEAM_MEMBERS: "manage:team.members",
+  READ_TEAM_MEMBERS: "read:team.members",
+  CREATE_TEAM_MEMBERS: "create:team.members",
+  UPDATE_TEAM_MEMBERS: "update:team.members",
+  DELETE_TEAM_MEMBERS: "delete:team.members",
+  // Event content
+  MANAGE_EVENT_CONTENT: "manage:event.content",
+  READ_EVENT_CONTENT: "read:event.content",
+  CREATE_EVENT_CONTENT: "create:event.content",
+  UPDATE_EVENT_CONTENT: "update:event.content",
+  DELETE_EVENT_CONTENT: "delete:event.content",
+  // Event settings
+  MANAGE_EVENT_SETTINGS: "manage:event.settings",
+  READ_EVENT_SETTINGS: "read:event.settings",
+  UPDATE_EVENT_SETTINGS: "update:event.settings"
+};
+var PAGE_PERMISSIONS = {
+  // General page access
+  READ_PAGE: "read:page",
+  MANAGE_PAGE: "manage:page",
+  // Admin pages
+  READ_ADMIN: "read:admin",
+  MANAGE_ADMIN: "manage:admin",
+  // Dashboard pages
+  READ_DASHBOARD: "read:dashboard",
+  MANAGE_DASHBOARD: "manage:dashboard",
+  // Settings pages
+  READ_SETTINGS: "read:settings",
+  MANAGE_SETTINGS: "manage:settings",
+  // Reports pages
+  READ_REPORTS: "read:reports",
+  MANAGE_REPORTS: "manage:reports"
+};
+var PERMISSION_GROUPS = {
+  // Global admin permissions
+  GLOBAL_ADMIN: [
+    GLOBAL_PERMISSIONS.MANAGE_ALL,
+    GLOBAL_PERMISSIONS.READ_ALL,
+    GLOBAL_PERMISSIONS.CREATE_ALL,
+    GLOBAL_PERMISSIONS.UPDATE_ALL,
+    GLOBAL_PERMISSIONS.DELETE_ALL
+  ],
+  // Organisation admin permissions
+  ORG_ADMIN: [
+    ORGANISATION_PERMISSIONS.MANAGE_ORGANISATION,
+    ORGANISATION_PERMISSIONS.READ_ORGANISATION,
+    ORGANISATION_PERMISSIONS.UPDATE_ORGANISATION,
+    ORGANISATION_PERMISSIONS.MANAGE_USERS,
+    ORGANISATION_PERMISSIONS.READ_USERS,
+    ORGANISATION_PERMISSIONS.CREATE_USERS,
+    ORGANISATION_PERMISSIONS.UPDATE_USERS,
+    ORGANISATION_PERMISSIONS.DELETE_USERS,
+    ORGANISATION_PERMISSIONS.MANAGE_ROLES,
+    ORGANISATION_PERMISSIONS.READ_ROLES,
+    ORGANISATION_PERMISSIONS.CREATE_ROLES,
+    ORGANISATION_PERMISSIONS.UPDATE_ROLES,
+    ORGANISATION_PERMISSIONS.DELETE_ROLES,
+    ORGANISATION_PERMISSIONS.MANAGE_EVENTS,
+    ORGANISATION_PERMISSIONS.READ_EVENTS,
+    ORGANISATION_PERMISSIONS.CREATE_EVENTS,
+    ORGANISATION_PERMISSIONS.UPDATE_EVENTS,
+    ORGANISATION_PERMISSIONS.DELETE_EVENTS,
+    ORGANISATION_PERMISSIONS.MANAGE_APPS,
+    ORGANISATION_PERMISSIONS.READ_APPS,
+    ORGANISATION_PERMISSIONS.CREATE_APPS,
+    ORGANISATION_PERMISSIONS.UPDATE_APPS,
+    ORGANISATION_PERMISSIONS.DELETE_APPS
+  ],
+  // Event admin permissions
+  EVENT_ADMIN: [
+    EVENT_APP_PERMISSIONS.MANAGE_EVENT,
+    EVENT_APP_PERMISSIONS.READ_EVENT,
+    EVENT_APP_PERMISSIONS.UPDATE_EVENT,
+    EVENT_APP_PERMISSIONS.MANAGE_APP,
+    EVENT_APP_PERMISSIONS.READ_APP,
+    EVENT_APP_PERMISSIONS.UPDATE_APP,
+    EVENT_APP_PERMISSIONS.MANAGE_TEAM,
+    EVENT_APP_PERMISSIONS.READ_TEAM,
+    EVENT_APP_PERMISSIONS.CREATE_TEAM,
+    EVENT_APP_PERMISSIONS.UPDATE_TEAM,
+    EVENT_APP_PERMISSIONS.DELETE_TEAM,
+    EVENT_APP_PERMISSIONS.MANAGE_TEAM_MEMBERS,
+    EVENT_APP_PERMISSIONS.READ_TEAM_MEMBERS,
+    EVENT_APP_PERMISSIONS.CREATE_TEAM_MEMBERS,
+    EVENT_APP_PERMISSIONS.UPDATE_TEAM_MEMBERS,
+    EVENT_APP_PERMISSIONS.DELETE_TEAM_MEMBERS,
+    EVENT_APP_PERMISSIONS.MANAGE_EVENT_CONTENT,
+    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
+    EVENT_APP_PERMISSIONS.CREATE_EVENT_CONTENT,
+    EVENT_APP_PERMISSIONS.UPDATE_EVENT_CONTENT,
+    EVENT_APP_PERMISSIONS.DELETE_EVENT_CONTENT,
+    EVENT_APP_PERMISSIONS.MANAGE_EVENT_SETTINGS,
+    EVENT_APP_PERMISSIONS.READ_EVENT_SETTINGS,
+    EVENT_APP_PERMISSIONS.UPDATE_EVENT_SETTINGS
+  ],
+  // Planner permissions
+  PLANNER: [
+    EVENT_APP_PERMISSIONS.READ_EVENT,
+    EVENT_APP_PERMISSIONS.UPDATE_EVENT,
+    EVENT_APP_PERMISSIONS.READ_APP,
+    EVENT_APP_PERMISSIONS.UPDATE_APP,
+    EVENT_APP_PERMISSIONS.READ_TEAM,
+    EVENT_APP_PERMISSIONS.CREATE_TEAM,
+    EVENT_APP_PERMISSIONS.UPDATE_TEAM,
+    EVENT_APP_PERMISSIONS.READ_TEAM_MEMBERS,
+    EVENT_APP_PERMISSIONS.CREATE_TEAM_MEMBERS,
+    EVENT_APP_PERMISSIONS.UPDATE_TEAM_MEMBERS,
+    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
+    EVENT_APP_PERMISSIONS.CREATE_EVENT_CONTENT,
+    EVENT_APP_PERMISSIONS.UPDATE_EVENT_CONTENT,
+    EVENT_APP_PERMISSIONS.READ_EVENT_SETTINGS,
+    EVENT_APP_PERMISSIONS.UPDATE_EVENT_SETTINGS
+  ],
+  // Participant permissions
+  PARTICIPANT: [
+    EVENT_APP_PERMISSIONS.READ_EVENT,
+    EVENT_APP_PERMISSIONS.READ_APP,
+    EVENT_APP_PERMISSIONS.READ_TEAM,
+    EVENT_APP_PERMISSIONS.READ_TEAM_MEMBERS,
+    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
+    EVENT_APP_PERMISSIONS.READ_EVENT_SETTINGS
+  ],
+  // Viewer permissions
+  VIEWER: [
+    EVENT_APP_PERMISSIONS.READ_EVENT,
+    EVENT_APP_PERMISSIONS.READ_APP,
+    EVENT_APP_PERMISSIONS.READ_TEAM,
+    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT
+  ]
+};
+function isValidPermission(permission) {
+  const pattern = /^(read|create|update|delete|manage):[a-z0-9._-]+$|^(read|create|update|delete|manage):\*$/;
+  return pattern.test(permission);
+}
+function getPermissionsForRole(role) {
+  switch (role) {
+    case "super_admin":
+      return [...PERMISSION_GROUPS.GLOBAL_ADMIN];
+    case "org_admin":
+      return [...PERMISSION_GROUPS.ORG_ADMIN];
+    case "event_admin":
+      return [...PERMISSION_GROUPS.EVENT_ADMIN];
+    case "planner":
+      return [...PERMISSION_GROUPS.PLANNER];
+    case "participant":
+      return [...PERMISSION_GROUPS.PARTICIPANT];
+    case "viewer":
+      return [...PERMISSION_GROUPS.VIEWER];
+    default:
+      return [];
+  }
+}
+var ALL_PERMISSIONS = {
+  ...GLOBAL_PERMISSIONS,
+  ...ORGANISATION_PERMISSIONS,
+  ...EVENT_APP_PERMISSIONS,
+  ...PAGE_PERMISSIONS
+};
+export {
+  ALL_PERMISSIONS,
+  AccessLevelGuard,
+  CACHE_PATTERNS,
+  EVENT_APP_PERMISSIONS,
+  EnhancedNavigationMenu,
+  GLOBAL_PERMISSIONS,
+  NavigationGuard,
+  NavigationProvider,
+  ORGANISATION_PERMISSIONS,
+  PAGE_PERMISSIONS,
+  PERMISSION_GROUPS,
+  PagePermissionGuard,
+  PagePermissionProvider,
+  PermissionEnforcer,
+  PermissionGuard,
+  RBACAuditManager,
+  RBACCache,
+  RBACEngine,
+  RoleBasedRouter,
+  SecureDataProvider,
+  SecureSupabaseClient,
+  createAuditManager,
+  createRBACConfig,
+  createRBACEngine,
+  createRBACExpressMiddleware,
+  createRBACMiddleware,
+  createSecureClient,
+  emitAuditEvent,
+  fromSupabaseClient,
+  getAccessLevel,
+  getGlobalAuditManager,
+  getPermissionMap,
+  getPermissionsForRole,
+  getRBACConfig,
+  getRBACLogger,
+  hasAllPermissions,
+  hasAnyPermission,
+  hasAnyPermissionCached,
+  hasPermission,
+  hasPermissionCached,
+  isDebugMode,
+  isDevelopmentMode,
+  isPermitted,
+  isPermittedCached,
+  isValidPermission,
+  rbacCache,
+  setGlobalAuditManager,
+  setupRBAC,
+  useAccessLevel,
+  useCachedPermissions,
+  useCan,
+  useHasAllPermissions,
+  useHasAnyPermission,
+  useMultiplePermissions,
+  useNavigationPermissions,
+  usePagePermissions,
+  usePermissions,
+  useRoleBasedRouter,
+  useSecureData,
+  withAccessLevelGuard,
+  withPermissionGuard,
+  withRoleGuard
+};
+//# sourceMappingURL=index.js.map