@jmruthers/pace-core 0.2.4

package/dist/chunk-6ZQVSHKL.js

@@ -0,0 +1,1345 @@
+import {
+  createAuditManager,
+  emitAuditEvent,
+  setGlobalAuditManager
+} from "./chunk-7BNPOCLL.js";
+
+// src/rbac/types.ts
+var RBACError = class extends Error {
+  constructor(message, code, context) {
+    super(message);
+    this.code = code;
+    this.context = context;
+    this.name = "RBACError";
+  }
+};
+var OrganisationContextRequiredError = class extends RBACError {
+  constructor() {
+    super(
+      "Organisation context is required for this operation",
+      "ORGANISATION_CONTEXT_REQUIRED"
+    );
+    this.name = "OrganisationContextRequiredError";
+  }
+};
+var RBACNotInitializedError = class extends RBACError {
+  constructor() {
+    super(
+      "RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup",
+      "RBAC_NOT_INITIALIZED"
+    );
+    this.name = "RBACNotInitializedError";
+  }
+};
+
+// src/rbac/cache.ts
+var RBACCache = class {
+  constructor() {
+    this.cache = /* @__PURE__ */ new Map();
+    this.TTL = 60 * 1e3;
+    // 60 seconds
+    this.invalidationCallbacks = /* @__PURE__ */ new Set();
+  }
+  /**
+   * Get a value from the cache
+   * 
+   * @param key - Cache key
+   * @returns Cached value or null if not found/expired
+   */
+  get(key) {
+    const entry = this.cache.get(key);
+    if (!entry) {
+      return null;
+    }
+    if (Date.now() > entry.expires) {
+      this.cache.delete(key);
+      return null;
+    }
+    return entry.data;
+  }
+  /**
+   * Set a value in the cache
+   * 
+   * @param key - Cache key
+   * @param data - Data to cache
+   * @param ttl - Time to live in milliseconds (defaults to 60s)
+   */
+  set(key, data, ttl = this.TTL) {
+    const expires = ttl <= 0 ? Date.now() - 1 : Date.now() + ttl;
+    this.cache.set(key, {
+      data,
+      expires
+    });
+  }
+  /**
+   * Delete a specific key from the cache
+   * 
+   * @param key - Cache key to delete
+   */
+  delete(key) {
+    this.cache.delete(key);
+  }
+  /**
+   * Invalidate cache entries matching a pattern
+   * 
+   * @param pattern - Pattern to match against cache keys
+   */
+  invalidate(pattern) {
+    const keysToDelete = [];
+    for (const key of this.cache.keys()) {
+      if (key.includes(pattern)) {
+        keysToDelete.push(key);
+      }
+    }
+    keysToDelete.forEach((key) => this.cache.delete(key));
+    this.invalidationCallbacks.forEach((callback) => callback(pattern));
+  }
+  /**
+   * Clear all cache entries
+   */
+  clear() {
+    this.cache.clear();
+  }
+  /**
+   * Get cache statistics
+   */
+  getStats() {
+    return {
+      size: this.cache.size,
+      ttl: this.TTL,
+      keys: Array.from(this.cache.keys())
+    };
+  }
+  /**
+   * Add an invalidation callback
+   * 
+   * @param callback - Function to call when cache is invalidated
+   */
+  onInvalidate(callback) {
+    this.invalidationCallbacks.add(callback);
+    return () => {
+      this.invalidationCallbacks.delete(callback);
+    };
+  }
+  /**
+   * Generate cache key for permission check
+   * 
+   * @param key - Permission cache key object
+   * @returns String cache key
+   */
+  static generatePermissionKey(key) {
+    const parts = [
+      "perm",
+      key.userId,
+      key.organisationId || "null",
+      key.eventId || "null",
+      key.appId || "null"
+    ];
+    return parts.join(":");
+  }
+  /**
+   * Generate cache key for access level
+   * 
+   * @param userId - User ID
+   * @param organisationId - Organisation ID
+   * @param eventId - Event ID (optional)
+   * @param appId - App ID (optional)
+   * @returns String cache key
+   */
+  static generateAccessLevelKey(userId, organisationId, eventId, appId) {
+    const parts = [
+      "access",
+      userId,
+      organisationId,
+      eventId || "null",
+      appId || "null"
+    ];
+    return parts.join(":");
+  }
+  /**
+   * Generate cache key for permission map
+   * 
+   * @param userId - User ID
+   * @param organisationId - Organisation ID
+   * @param eventId - Event ID (optional)
+   * @param appId - App ID (optional)
+   * @returns String cache key
+   */
+  static generatePermissionMapKey(userId, organisationId, eventId, appId) {
+    const parts = [
+      "map",
+      userId,
+      organisationId,
+      eventId || "null",
+      appId || "null"
+    ];
+    return parts.join(":");
+  }
+};
+var rbacCache = new RBACCache();
+var CACHE_PATTERNS = {
+  USER: (userId) => `user:${userId}`,
+  ORGANISATION: (organisationId) => `org:${organisationId}`,
+  EVENT: (eventId) => `event:${eventId}`,
+  APP: (appId) => `app:${appId}`,
+  PERMISSION: (userId, organisationId) => `perm:${userId}:${organisationId}`
+};
+
+// src/rbac/security.ts
+var RBACSecurityValidator = class {
+  /**
+   * Validate permission string format
+   * @param permission - Permission string to validate
+   * @returns True if valid, false otherwise
+   */
+  static validatePermission(permission) {
+    if (typeof permission !== "string" || permission.length === 0) {
+      return false;
+    }
+    const permissionRegex = /^(read|create|update|delete|manage):[a-z0-9._-]+$/;
+    return permissionRegex.test(permission);
+  }
+  /**
+   * Validate UUID format
+   * @param uuid - UUID string to validate
+   * @returns True if valid, false otherwise
+   */
+  static validateUUID(uuid) {
+    if (typeof uuid !== "string" || uuid.length === 0) {
+      return false;
+    }
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    return uuidRegex.test(uuid);
+  }
+  /**
+   * Validate scope object
+   * @param scope - Scope object to validate
+   * @returns True if valid, false otherwise
+   */
+  static validateScope(scope) {
+    if (!scope || typeof scope !== "object") {
+      return false;
+    }
+    if (scope.organisationId && !this.validateUUID(scope.organisationId)) {
+      return false;
+    }
+    if (scope.eventId && typeof scope.eventId !== "string") {
+      return false;
+    }
+    if (scope.appId && !this.validateUUID(scope.appId)) {
+      return false;
+    }
+    return !!(scope.organisationId || scope.eventId || scope.appId);
+  }
+  /**
+   * Sanitize input string to prevent injection attacks
+   * @param input - Input string to sanitize
+   * @returns Sanitized string
+   */
+  static sanitizeInput(input) {
+    if (typeof input !== "string") {
+      return "";
+    }
+    return input.replace(/<[^>]*>/g, "").replace(/[<>\"'&]/g, "").replace(/[;()]/g, "").replace(/javascript:/gi, "").replace(/data:/gi, "").trim();
+  }
+  /**
+   * Validate user ID format
+   * @param userId - User ID to validate
+   * @returns True if valid, false otherwise
+   */
+  static validateUserId(userId) {
+    return this.validateUUID(userId);
+  }
+  /**
+   * Check if permission is a wildcard permission
+   * @param permission - Permission string to check
+   * @returns True if wildcard, false otherwise
+   */
+  static isWildcardPermission(permission) {
+    return permission.includes("*") || permission.endsWith(":*");
+  }
+  /**
+   * Validate permission hierarchy
+   * @param permission - Permission to validate
+   * @param requiredOperation - Required operation
+   * @returns True if permission matches or is higher in hierarchy
+   */
+  static validatePermissionHierarchy(permission, requiredOperation) {
+    if (!this.validatePermission(permission)) {
+      return false;
+    }
+    const [operation] = permission.split(":");
+    const hierarchy = ["read", "create", "update", "delete", "manage"];
+    const permissionLevel = hierarchy.indexOf(operation);
+    const requiredLevel = hierarchy.indexOf(requiredOperation);
+    if (permissionLevel === -1 || requiredLevel === -1) {
+      return false;
+    }
+    return permissionLevel >= requiredLevel;
+  }
+  /**
+   * Rate limiting check (placeholder for future implementation)
+   * @param userId - User ID
+   * @param operation - Operation being performed
+   * @returns True if within rate limit, false otherwise
+   */
+  static async checkRateLimit(userId, operation) {
+    return true;
+  }
+  /**
+   * Validate context requirements for security
+   * @param scope - Scope object
+   * @param appId - Application ID
+   * @returns True if context is valid, false otherwise
+   */
+  static validateContextRequirements(scope, appId) {
+    if (!scope.organisationId) {
+      return false;
+    }
+    if (appId && scope.appId === appId) {
+      if (!scope.eventId) {
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Log security event for monitoring
+   * @param event - Security event details
+   */
+  static logSecurityEvent(event) {
+    const securityEvent = {
+      ...event,
+      timestamp: event.timestamp || /* @__PURE__ */ new Date(),
+      severity: this.getEventSeverity(event.type)
+    };
+    if (false) {
+      console.warn("[RBAC Security]", securityEvent);
+    }
+  }
+  /**
+   * Get severity level for security event
+   * @param eventType - Type of security event
+   * @returns Severity level
+   */
+  static getEventSeverity(eventType) {
+    switch (eventType) {
+      case "permission_denied":
+        return "low";
+      case "invalid_input":
+        return "medium";
+      case "rate_limit_exceeded":
+        return "medium";
+      case "suspicious_activity":
+        return "high";
+      default:
+        return "low";
+    }
+  }
+};
+var DEFAULT_SECURITY_CONFIG = {
+  enableInputValidation: true,
+  enableRateLimiting: true,
+  enableAuditLogging: true,
+  maxPermissionChecksPerMinute: 100,
+  suspiciousActivityThreshold: 10
+};
+var RBACSecurityMiddleware = class {
+  constructor(config = DEFAULT_SECURITY_CONFIG) {
+    this.config = config;
+  }
+  /**
+   * Validate input before processing
+   * @param input - Input to validate
+   * @param context - Security context
+   * @returns Validation result
+   */
+  async validateInput(input, context) {
+    const errors = [];
+    if (!this.config.enableInputValidation) {
+      return { isValid: true, errors: [] };
+    }
+    if (!RBACSecurityValidator.validateUserId(context.userId)) {
+      errors.push("Invalid user ID format");
+    }
+    if (!RBACSecurityValidator.validateUUID(context.organisationId)) {
+      errors.push("Invalid organisation ID format");
+    }
+    if (input.permission && !RBACSecurityValidator.validatePermission(input.permission)) {
+      errors.push("Invalid permission format");
+    }
+    if (input.scope && !RBACSecurityValidator.validateScope(input.scope)) {
+      errors.push("Invalid scope format");
+    }
+    if (errors.length > 0) {
+      RBACSecurityValidator.logSecurityEvent({
+        type: "invalid_input",
+        userId: context.userId,
+        details: { errors, input: this.sanitizeInput(JSON.stringify(input)) }
+      });
+    }
+    return {
+      isValid: errors.length === 0,
+      errors
+    };
+  }
+  /**
+   * Check rate limiting
+   * @param context - Security context
+   * @returns Rate limit check result
+   */
+  async checkRateLimit(context) {
+    if (!this.config.enableRateLimiting) {
+      return { isAllowed: true, remaining: this.config.maxPermissionChecksPerMinute };
+    }
+    const isAllowed = await RBACSecurityValidator.checkRateLimit(
+      context.userId,
+      "permission_check"
+    );
+    return {
+      isAllowed,
+      remaining: this.config.maxPermissionChecksPerMinute
+    };
+  }
+  /**
+   * Sanitize input data
+   * @param input - Input to sanitize
+   * @returns Sanitized input
+   */
+  sanitizeInput(input) {
+    return RBACSecurityValidator.sanitizeInput(input);
+  }
+};
+
+// src/rbac/engine.ts
+var RBACEngine = class {
+  constructor(supabase) {
+    this.supabase = supabase;
+    this.securityMiddleware = new RBACSecurityMiddleware(DEFAULT_SECURITY_CONFIG);
+  }
+  /**
+   * Check if a user has a specific permission
+   * 
+   * @param input - Permission check input
+   * @param securityContext - Optional security context for enhanced validation
+   * @returns Promise resolving to permission result
+   */
+  async isPermitted(input, securityContext) {
+    const startTime = Date.now();
+    const { userId, permission, scope, pageId } = input;
+    try {
+      if (securityContext) {
+        const validation = await this.securityMiddleware.validateInput(input, securityContext);
+        if (!validation.isValid) {
+          RBACSecurityValidator.logSecurityEvent({
+            type: "invalid_input",
+            userId,
+            details: { errors: validation.errors, input: JSON.stringify(input) }
+          });
+          return false;
+        }
+        const rateLimit = await this.securityMiddleware.checkRateLimit(securityContext);
+        if (!rateLimit.isAllowed) {
+          RBACSecurityValidator.logSecurityEvent({
+            type: "rate_limit_exceeded",
+            userId,
+            details: { remaining: rateLimit.remaining }
+          });
+          return false;
+        }
+      }
+      if (securityContext) {
+        if (!RBACSecurityValidator.validateUserId(userId)) {
+          RBACSecurityValidator.logSecurityEvent({
+            type: "invalid_input",
+            userId,
+            details: { error: "Invalid user ID format" }
+          });
+          return false;
+        }
+        if (!RBACSecurityValidator.validatePermission(permission)) {
+          RBACSecurityValidator.logSecurityEvent({
+            type: "invalid_input",
+            userId,
+            details: { error: "Invalid permission format", permission }
+          });
+          return false;
+        }
+        if (!RBACSecurityValidator.validateScope(scope)) {
+          RBACSecurityValidator.logSecurityEvent({
+            type: "invalid_input",
+            userId,
+            details: { error: "Invalid scope format", scope }
+          });
+          return false;
+        }
+      }
+      const isSuperAdmin2 = await this.checkSuperAdmin(userId);
+      if (isSuperAdmin2) {
+        const duration = Date.now() - startTime;
+        if (scope.organisationId) {
+          const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
+          await emitAuditEvent({
+            type: "permission_check",
+            userId,
+            organisationId: scope.organisationId,
+            eventId: scope.eventId,
+            appId: scope.appId,
+            pageId: resolvedPageId,
+            permission,
+            decision: true,
+            source: "api",
+            bypass: true,
+            duration_ms: duration
+          });
+        }
+        return true;
+      }
+      const validatedScope = await this.validateContextRequirements(scope, scope.appId);
+      if (!validatedScope) {
+        const duration = Date.now() - startTime;
+        if (scope.organisationId) {
+          const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
+          await emitAuditEvent({
+            type: "permission_denied",
+            userId,
+            organisationId: scope.organisationId,
+            eventId: scope.eventId,
+            appId: scope.appId,
+            pageId: resolvedPageId,
+            permission,
+            source: "api",
+            metadata: {
+              reason: "invalid_context_requirements",
+              app_requires_event: scope.appId ? await this.getAppConfig(scope.appId).then((config) => config?.requires_event) : null
+            }
+          });
+        }
+        return false;
+      }
+      const grants = await this.collectActiveGrants(userId, validatedScope, pageId);
+      console.log("[RBACEngine] Collected grants:", grants);
+      const denies = grants.filter((g) => g.type === "deny");
+      console.log("[RBACEngine] Deny grants:", denies);
+      for (const deny of denies) {
+        const matches = this.permissionMatches(deny.permission, permission);
+        console.log("[RBACEngine] Checking deny:", {
+          denyPermission: deny.permission,
+          requestedPermission: permission,
+          matches
+        });
+        if (matches) {
+          const duration = Date.now() - startTime;
+          console.log("[RBACEngine] Permission DENIED by explicit deny rule");
+          if (scope.organisationId) {
+            const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
+            await emitAuditEvent({
+              type: "permission_denied",
+              userId,
+              organisationId: scope.organisationId,
+              eventId: scope.eventId,
+              appId: scope.appId,
+              pageId: resolvedPageId,
+              permission,
+              source: "api"
+            });
+          }
+          return false;
+        }
+      }
+      const allows = grants.filter((g) => g.type === "allow");
+      console.log("[RBACEngine] Allow grants:", allows);
+      let hasPermission2 = false;
+      const scopeOrder = ["page", "eventApp", "organisation", "global"];
+      for (const scopeType of scopeOrder) {
+        const scopeAllows = allows.filter((g) => g.scope === scopeType);
+        console.log(`[RBACEngine] Checking ${scopeType} allows:`, scopeAllows);
+        for (const allow of scopeAllows) {
+          console.log(`[RBACEngine] About to check permission match for ${scopeType}:`, {
+            allowPermission: allow.permission,
+            requestedPermission: permission,
+            scopeType
+          });
+          const matches = this.permissionMatches(allow.permission, permission);
+          console.log(`[RBACEngine] Permission match result:`, {
+            scopeType,
+            allowPermission: allow.permission,
+            requestedPermission: permission,
+            matches
+          });
+          if (matches) {
+            console.log(`[RBACEngine] Permission GRANTED by ${scopeType} allow rule`);
+            hasPermission2 = true;
+            break;
+          }
+        }
+        if (hasPermission2) break;
+      }
+      const finalDecision = hasPermission2;
+      const _duration = Date.now() - startTime;
+      console.log("[RBACEngine] Final decision:", {
+        userId,
+        permission,
+        pageId,
+        hasPermission: hasPermission2,
+        grantsCount: grants.length,
+        allowsCount: allows.length,
+        deniesCount: denies.length,
+        duration: _duration
+      });
+      if (scope.organisationId) {
+        const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
+        await emitAuditEvent({
+          type: "permission_check",
+          userId,
+          organisationId: scope.organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId,
+          pageId: resolvedPageId,
+          permission,
+          decision: finalDecision,
+          source: "api",
+          duration_ms: _duration
+        });
+      }
+      return finalDecision;
+    } catch (error) {
+      RBACSecurityValidator.logSecurityEvent({
+        type: "suspicious_activity",
+        userId,
+        details: {
+          error: error instanceof Error ? error.message : "Unknown error",
+          permission,
+          scope: JSON.stringify(scope)
+        }
+      });
+      return false;
+    }
+  }
+  /**
+   * Get user's access level in a scope
+   * 
+   * @param input - Access level input
+   * @returns Promise resolving to access level
+   */
+  async getAccessLevel(input) {
+    const { userId, scope } = input;
+    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
+    if (isSuperAdmin2) {
+      return "super";
+    }
+    const validatedScope = await this.validateContextRequirements(scope, scope.appId);
+    if (!validatedScope) {
+      return "viewer";
+    }
+    const cacheKey = RBACCache.generateAccessLevelKey(
+      userId,
+      validatedScope.organisationId,
+      validatedScope.eventId,
+      validatedScope.appId
+    );
+    const cached = rbacCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const orgRole = await this.getOrganisationRole(userId, validatedScope.organisationId);
+    if (orgRole === "org_admin") {
+      rbacCache.set(cacheKey, "admin");
+      return "admin";
+    }
+    if (validatedScope.eventId && validatedScope.appId) {
+      const eventRole = await this.getEventAppRole(userId, validatedScope.eventId, validatedScope.appId);
+      if (eventRole === "event_admin") {
+        rbacCache.set(cacheKey, "admin");
+        return "admin";
+      }
+      if (eventRole === "planner") {
+        rbacCache.set(cacheKey, "planner");
+        return "planner";
+      }
+      if (eventRole === "participant") {
+        rbacCache.set(cacheKey, "participant");
+        return "participant";
+      }
+    }
+    rbacCache.set(cacheKey, "viewer");
+    return "viewer";
+  }
+  /**
+   * Get user's permission map for a scope
+   * 
+   * @param input - Permission map input
+   * @returns Promise resolving to permission map
+   */
+  async getPermissionMap(input) {
+    const { userId, scope } = input;
+    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
+    if (isSuperAdmin2) {
+      return {};
+    }
+    const validatedScope = await this.validateContextRequirements(scope, scope.appId);
+    if (!validatedScope) {
+      return {};
+    }
+    const cacheKey = RBACCache.generatePermissionMapKey(
+      userId,
+      validatedScope.organisationId,
+      validatedScope.eventId,
+      validatedScope.appId
+    );
+    const cached = rbacCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const permissionMap = {};
+    if (validatedScope.appId) {
+      const { data: pages } = await this.supabase.from("rbac_app_pages").select("id, page_name").eq("app_id", validatedScope.appId);
+      if (pages) {
+        for (const page of pages) {
+          const operations = [];
+          for (const operation of ["read", "create", "update", "delete", "manage"]) {
+            const hasPermission2 = await this.isPermitted({
+              userId,
+              scope: validatedScope,
+              permission: `${operation}:${page.page_name}`,
+              pageId: page.id
+            });
+            if (hasPermission2) {
+              operations.push(operation);
+            }
+          }
+          permissionMap[page.id] = operations;
+        }
+      }
+    }
+    rbacCache.set(cacheKey, permissionMap);
+    return permissionMap;
+  }
+  /**
+   * Check if user is super admin
+   * 
+   * @param userId - User ID
+   * @returns Promise resolving to super admin status
+   */
+  async checkSuperAdmin(userId) {
+    const cacheKey = `super_admin:${userId}`;
+    const cached = rbacCache.get(cacheKey);
+    if (cached !== null) {
+      return cached;
+    }
+    const { data, error } = await this.supabase.from("rbac_global_roles").select("id").eq("user_id", userId).eq("role", "super_admin").is("valid_to", null).single();
+    const isSuperAdmin2 = !error && !!data;
+    rbacCache.set(cacheKey, isSuperAdmin2, 6e4);
+    return isSuperAdmin2;
+  }
+  /**
+   * Get app configuration including requires_event setting
+   * 
+   * @param appId - App ID
+   * @returns Promise resolving to app configuration
+   */
+  async getAppConfig(appId) {
+    const { data, error } = await this.supabase.from("rbac_apps").select("requires_event").eq("id", appId).eq("is_active", true).single();
+    if (error || !data) {
+      return null;
+    }
+    return { requires_event: data.requires_event };
+  }
+  /**
+   * Resolve organisation ID from event ID
+   * 
+   * @param eventId - Event ID
+   * @returns Promise resolving to organisation ID
+   */
+  async resolveOrganisationFromEvent(eventId) {
+    const { data, error } = await this.supabase.from("event").select("organisation_id").eq("id", eventId).single();
+    if (error || !data) {
+      return null;
+    }
+    return data.organisation_id;
+  }
+  /**
+   * Validate context requirements based on app configuration
+   * 
+   * @param scope - Permission scope
+   * @param appId - Optional app ID
+   * @returns Promise resolving to validated scope with resolved organisation ID
+   */
+  async validateContextRequirements(scope, appId) {
+    if (appId) {
+      const appConfig = await this.getAppConfig(appId);
+      if (!appConfig) {
+        return null;
+      }
+      if (appConfig.requires_event) {
+        if (!scope.eventId) {
+          return null;
+        }
+        if (!scope.organisationId) {
+          const resolvedOrgId = await this.resolveOrganisationFromEvent(scope.eventId);
+          if (!resolvedOrgId) {
+            return null;
+          }
+          return {
+            ...scope,
+            organisationId: resolvedOrgId
+          };
+        }
+        return scope;
+      } else {
+        if (!scope.organisationId) {
+          return null;
+        }
+        return scope;
+      }
+    }
+    if (!scope.organisationId) {
+      return null;
+    }
+    return scope;
+  }
+  /**
+   * Collect active grants for a user in a scope
+   * 
+   * @param userId - User ID
+   * @param scope - Permission scope
+   * @param pageId - Optional page ID
+   * @returns Promise resolving to grants array
+   * 
+   * PRECEDENCE ORDER (closest scope first): page → eventApp → organisation → global
+   */
+  async collectActiveGrants(userId, scope, pageId) {
+    const grants = [];
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const userRoles = [];
+    if (scope.eventId && scope.appId) {
+      const { data: eventRoles } = await this.supabase.from("rbac_event_app_roles").select("role, status, valid_from, valid_to").eq("user_id", userId).eq("event_id", scope.eventId).eq("app_id", scope.appId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`);
+      if (eventRoles) {
+        userRoles.push(...eventRoles.map((r) => r.role));
+        for (const role of eventRoles) {
+          grants.push({
+            type: "allow",
+            permission: this.getPermissionForEventRole(role.role),
+            scope: "eventApp",
+            source: "rbac_event_app_roles"
+          });
+        }
+      }
+    }
+    if (scope.organisationId) {
+      const { data: orgRoles } = await this.supabase.from("rbac_organisation_roles").select("role, status, valid_from, valid_to").eq("user_id", userId).eq("organisation_id", scope.organisationId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`);
+      if (orgRoles) {
+        userRoles.push(...orgRoles.map((r) => r.role));
+        for (const role of orgRoles) {
+          grants.push({
+            type: "allow",
+            permission: this.getPermissionForOrgRole(role.role),
+            scope: "organisation",
+            source: "rbac_organisation_roles"
+          });
+        }
+      }
+    }
+    console.log("[collectActiveGrants] User roles:", userRoles);
+    if (pageId) {
+      let resolvedPageId = null;
+      if (typeof pageId === "string") {
+        const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+        if (uuidRegex.test(pageId)) {
+          resolvedPageId = pageId;
+        } else {
+          const appId = scope.appId;
+          if (appId) {
+            const { data: page } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).single();
+            resolvedPageId = page?.id || null;
+          }
+        }
+      } else {
+        resolvedPageId = pageId;
+      }
+      if (resolvedPageId && scope.appId) {
+        console.log("[collectActiveGrants] Fetching page permissions via RPC for page:", resolvedPageId);
+        let pageName = null;
+        if (typeof pageId === "string" && !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(pageId)) {
+          pageName = pageId;
+        } else {
+          const { data: page } = await this.supabase.from("rbac_app_pages").select("page_name").eq("id", resolvedPageId).single();
+          pageName = page?.page_name || null;
+        }
+        const rpcResult = await this.supabase.rpc("get_rbac_permissions", {
+          p_user_id: userId,
+          p_app_id: scope.appId,
+          p_event_id: scope.eventId || null,
+          p_organisation_id: scope.organisationId || null,
+          p_page_id: resolvedPageId
+        });
+        const { data: rpcPermissions } = rpcResult;
+        console.log("[collectActiveGrants] RPC page permissions:", rpcPermissions);
+        if (rpcPermissions && pageName) {
+          const pagePerms = rpcPermissions.filter(
+            (p) => p.permission_type !== "all_permissions" && p.permission_type !== "organisation_access" && p.permission_type !== "event_app_access"
+          );
+          for (const perm of pagePerms) {
+            if (userRoles.includes(perm.role_name)) {
+              console.log("[collectActiveGrants] Adding page grant:", { operation: perm.permission_type, role: perm.role_name, allowed: perm.has_permission, pageName });
+              grants.push({
+                type: perm.has_permission ? "allow" : "deny",
+                // Use page.${pageName} format for specific page permissions
+                permission: `${perm.permission_type}:page.${pageName}`,
+                scope: "page",
+                source: "rbac_page_permissions"
+              });
+            }
+          }
+        }
+      }
+    }
+    const { data: globalRoles } = await this.supabase.from("rbac_global_roles").select("role, valid_from, valid_to").eq("user_id", userId).lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`);
+    if (globalRoles) {
+      for (const role of globalRoles) {
+        if (role.role === "super_admin") {
+          grants.push({
+            type: "allow",
+            permission: "manage:*",
+            scope: "global",
+            source: "rbac_global_roles"
+          });
+        }
+      }
+    }
+    console.log("[collectActiveGrants] Final grants:", grants);
+    return grants;
+  }
+  /**
+   * Check page-specific permissions
+   * 
+   * @param userId - User ID
+   * @param pageId - Page ID
+   * @param permission - Permission to check
+   * @param scope - Permission scope
+   * @returns Promise resolving to page permission result
+   */
+  async checkPagePermissions(userId, pageId, permission, scope) {
+    if (!pageId) {
+      return true;
+    }
+    const [operation] = permission.split(":");
+    const userRoles = [];
+    if (scope.organisationId) {
+      const orgRole = await this.getOrganisationRole(userId, scope.organisationId);
+      if (orgRole) {
+        userRoles.push(orgRole);
+      }
+    }
+    if (scope.eventId && scope.appId) {
+      const eventRole = await this.getEventAppRole(userId, scope.eventId, scope.appId);
+      if (eventRole) {
+        userRoles.push(eventRole);
+      }
+    }
+    let resolvedPageId = null;
+    if (typeof pageId === "string") {
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      if (uuidRegex.test(pageId)) {
+        resolvedPageId = pageId;
+      } else {
+        let appId = scope.appId;
+        if (!appId) {
+          const appName = process.env.VITE_APP_NAME || process.env.REACT_APP_NAME;
+          if (appName) {
+            const { data: app } = await this.supabase.from("rbac_apps").select("id").eq("name", appName).eq("is_active", true).single();
+            if (app) {
+              appId = app.id;
+            }
+          }
+        }
+        if (appId) {
+          const { data: page } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).single();
+          resolvedPageId = page?.id || null;
+        }
+      }
+    } else {
+      resolvedPageId = pageId;
+    }
+    if (!resolvedPageId) {
+      return false;
+    }
+    const { data: pagePermissions } = await this.supabase.from("rbac_page_permissions").select("allowed").eq("app_page_id", resolvedPageId).eq("operation", operation).in("role_name", userRoles).single();
+    return pagePermissions?.allowed ?? false;
+  }
+  /**
+   * Get organisation role for a user
+   * 
+   * @param userId - User ID
+   * @param organisationId - Organisation ID
+   * @returns Promise resolving to organisation role
+   */
+  async getOrganisationRole(userId, organisationId) {
+    const { data, error } = await this.supabase.from("rbac_organisation_roles").select("role").eq("user_id", userId).eq("organisation_id", organisationId).eq("status", "active").single();
+    return error ? null : data?.role || null;
+  }
+  /**
+   * Get event-app role for a user
+   * 
+   * @param userId - User ID
+   * @param eventId - Event ID
+   * @param appId - App ID
+   * @returns Promise resolving to event-app role
+   */
+  async getEventAppRole(userId, eventId, appId) {
+    const { data, error } = await this.supabase.from("rbac_event_app_roles").select("role, status, valid_from, valid_to").eq("user_id", userId).eq("event_id", eventId).eq("app_id", appId).eq("status", "active").lte("valid_from", (/* @__PURE__ */ new Date()).toISOString()).or(`valid_to.is.null,valid_to.gte.${(/* @__PURE__ */ new Date()).toISOString()}`).single();
+    return error ? null : data?.role || null;
+  }
+  /**
+   * Get permission for organisation role
+   * 
+   * @param role - Organisation role
+   * @returns Permission string
+   */
+  getPermissionForOrgRole(role) {
+    switch (role) {
+      case "org_admin":
+        return "manage:*";
+      case "leader":
+        return "manage:organisation.*";
+      case "member":
+        return "read:organisation.*";
+      case "supporter":
+        return "read:organisation.public";
+      default:
+        return "read:organisation.public";
+    }
+  }
+  /**
+   * Get permission for event-app role
+   * 
+   * @param role - Event-app role
+   * @returns Permission string
+   */
+  getPermissionForEventRole(role) {
+    switch (role) {
+      case "event_admin":
+        return "manage:event.*";
+      case "planner":
+        return "manage:event.planning";
+      case "participant":
+        return "read:event.*";
+      case "viewer":
+        return "read:event.public";
+      default:
+        return "read:event.public";
+    }
+  }
+  /**
+   * Check if a permission matches another permission
+   * 
+   * @param grantPermission - Permission from grant
+   * @param requestedPermission - Requested permission
+   * @returns True if permissions match
+   */
+  permissionMatches(grantPermission, requestedPermission) {
+    console.log("[permissionMatches] Checking:", { grantPermission, requestedPermission });
+    if (grantPermission === requestedPermission) {
+      console.log("[permissionMatches] Exact match found");
+      return true;
+    }
+    if (grantPermission.endsWith(":*") || grantPermission.endsWith(".*")) {
+      const [grantOp, grantResource] = grantPermission.split(":");
+      const [requestedOp, requestedResource] = requestedPermission.split(":");
+      console.log("[permissionMatches] Wildcard check:", {
+        grantOp,
+        grantResource,
+        requestedOp,
+        requestedResource,
+        operationsMatch: grantOp === requestedOp
+      });
+      if (grantOp === requestedOp) {
+        const prefix = grantResource.slice(0, -1);
+        const matches = prefix === "" || requestedResource.startsWith(prefix);
+        console.log("[permissionMatches] Wildcard match result:", { prefix, matches });
+        return matches;
+      }
+    }
+    if (grantPermission.includes("*")) {
+      const [grantOp, grantResource] = grantPermission.split(":");
+      const [requestedOp, requestedResource] = requestedPermission.split(":");
+      console.log("[permissionMatches] Other wildcard check:", {
+        grantOp,
+        grantResource,
+        requestedOp,
+        requestedResource,
+        operationsMatch: grantOp === requestedOp
+      });
+      if (grantOp === requestedOp) {
+        const prefix = grantResource.replace("*", "");
+        const matches = requestedResource.startsWith(prefix);
+        console.log("[permissionMatches] Other wildcard match result:", { prefix, matches });
+        return matches;
+      }
+    }
+    console.log("[permissionMatches] No match found");
+    return false;
+  }
+  /**
+   * Resolve a page ID to UUID if it's a page name
+   * 
+   * @param pageId - Page ID (UUID) or page name (string)
+   * @param appId - App ID to look up the page
+   * @returns Resolved page ID (UUID) or original pageId if it's already a UUID or can't be resolved
+   */
+  async resolvePageId(pageId, appId) {
+    if (!pageId) {
+      return void 0;
+    }
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    if (uuidRegex.test(pageId)) {
+      return pageId;
+    }
+    if (!appId) {
+      return pageId;
+    }
+    try {
+      const { data: page } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).single();
+      return page?.id || pageId;
+    } catch (error) {
+      console.warn("[RBAC Engine] Failed to resolve page name to UUID:", { pageId, appId, error });
+      return pageId;
+    }
+  }
+};
+function createRBACEngine(supabase) {
+  return new RBACEngine(supabase);
+}
+
+// src/rbac/config.ts
+var RBACConfigManager = class {
+  constructor() {
+    this.config = null;
+    this.logger = null;
+  }
+  setConfig(config) {
+    this.config = config;
+    this.setupLogger();
+  }
+  getConfig() {
+    return this.config;
+  }
+  getLogger() {
+    if (!this.logger) {
+      this.logger = this.createDefaultLogger();
+    }
+    return this.logger;
+  }
+  setupLogger() {
+    if (!this.config) return;
+    const { debug = false, logLevel = "warn" } = this.config;
+    this.logger = {
+      error: (message, ...args) => {
+        console.error(`[RBAC ERROR] ${message}`, ...args);
+      },
+      warn: (message, ...args) => {
+        if (logLevel === "warn" || logLevel === "info" || logLevel === "debug") {
+          console.warn(`[RBAC WARN] ${message}`, ...args);
+        }
+      },
+      info: (message, ...args) => {
+        if (logLevel === "info" || logLevel === "debug") {
+          console.info(`[RBAC INFO] ${message}`, ...args);
+        }
+      },
+      debug: (message, ...args) => {
+        if (debug && logLevel === "debug") {
+          console.debug(`[RBAC DEBUG] ${message}`, ...args);
+        }
+      }
+    };
+  }
+  createDefaultLogger() {
+    return {
+      error: (message, ...args) => console.error(`[RBAC ERROR] ${message}`, ...args),
+      warn: (message, ...args) => console.warn(`[RBAC WARN] ${message}`, ...args),
+      info: (message, ...args) => console.info(`[RBAC INFO] ${message}`, ...args),
+      debug: (message, ...args) => console.debug(`[RBAC DEBUG] ${message}`, ...args)
+    };
+  }
+  isDebugMode() {
+    return this.config?.debug ?? false;
+  }
+  isDevelopmentMode() {
+    return this.config?.developmentMode ?? false;
+  }
+  getMockPermissions() {
+    return this.config?.mockPermissions ?? null;
+  }
+};
+var configManager = new RBACConfigManager();
+function createRBACConfig(config) {
+  configManager.setConfig(config);
+  return config;
+}
+function getRBACConfig() {
+  return configManager.getConfig();
+}
+function getRBACLogger() {
+  return configManager.getLogger();
+}
+function isDebugMode() {
+  return configManager.isDebugMode();
+}
+function isDevelopmentMode() {
+  return configManager.isDevelopmentMode();
+}
+
+// src/rbac/api.ts
+var globalEngine = null;
+function setupRBAC(supabase, config) {
+  const logger = getRBACLogger();
+  const fullConfig = {
+    supabase,
+    debug: false,
+    logLevel: "warn",
+    developmentMode: false,
+    ...config
+  };
+  createRBACConfig(fullConfig);
+  globalEngine = createRBACEngine(supabase);
+  const auditManager = createAuditManager(supabase);
+  setGlobalAuditManager(auditManager);
+  logger.info("RBAC system initialized successfully");
+}
+function getEngine() {
+  if (!globalEngine) {
+    throw new RBACNotInitializedError();
+  }
+  return globalEngine;
+}
+async function getAccessLevel(input) {
+  const engine = getEngine();
+  return engine.getAccessLevel(input);
+}
+async function getPermissionMap(input) {
+  const engine = getEngine();
+  return engine.getPermissionMap(input);
+}
+async function isPermitted(input) {
+  const engine = getEngine();
+  return engine.isPermitted(input);
+}
+async function isPermittedCached(input) {
+  const { userId, scope, permission, pageId } = input;
+  const cacheKey = RBACCache.generatePermissionKey({
+    userId,
+    organisationId: scope.organisationId,
+    eventId: scope.eventId,
+    appId: scope.appId
+  });
+  const cached = rbacCache.get(cacheKey);
+  if (cached !== null) {
+    return cached;
+  }
+  const result = await isPermitted(input);
+  rbacCache.set(cacheKey, result);
+  return result;
+}
+async function hasPermission(input) {
+  return isPermitted(input);
+}
+async function hasAnyPermission(input) {
+  const { permissions, ...baseInput } = input;
+  for (const permission of permissions) {
+    const hasPermission2 = await isPermitted({
+      ...baseInput,
+      permission
+    });
+    if (hasPermission2) {
+      return true;
+    }
+  }
+  return false;
+}
+async function hasAllPermissions(input) {
+  const { permissions, ...baseInput } = input;
+  for (const permission of permissions) {
+    const hasPermission2 = await isPermitted({
+      ...baseInput,
+      permission
+    });
+    if (!hasPermission2) {
+      return false;
+    }
+  }
+  return true;
+}
+async function isSuperAdmin(userId) {
+  const engine = getEngine();
+  return engine["checkSuperAdmin"](userId);
+}
+async function getAppConfig(appId) {
+  const engine = getEngine();
+  return engine["getAppConfig"](appId);
+}
+async function isOrganisationAdmin(userId, organisationId) {
+  const accessLevel = await getAccessLevel({
+    userId,
+    scope: { organisationId }
+  });
+  return accessLevel === "admin" || accessLevel === "super";
+}
+async function isEventAdmin(userId, scope) {
+  if (!scope.eventId || !scope.appId) {
+    return false;
+  }
+  const accessLevel = await getAccessLevel({ userId, scope });
+  return accessLevel === "admin" || accessLevel === "super";
+}
+function invalidateUserCache(userId, organisationId) {
+  if (organisationId) {
+    rbacCache.invalidate(CACHE_PATTERNS.PERMISSION(userId, organisationId));
+  } else {
+    rbacCache.invalidate(CACHE_PATTERNS.USER(userId));
+  }
+}
+function invalidateOrganisationCache(organisationId) {
+  rbacCache.invalidate(CACHE_PATTERNS.ORGANISATION(organisationId));
+}
+function invalidateEventCache(eventId) {
+  rbacCache.invalidate(CACHE_PATTERNS.EVENT(eventId));
+}
+function invalidateAppCache(appId) {
+  rbacCache.invalidate(CACHE_PATTERNS.APP(appId));
+}
+function clearCache() {
+  rbacCache.clear();
+}
+
+export {
+  OrganisationContextRequiredError,
+  RBACCache,
+  rbacCache,
+  CACHE_PATTERNS,
+  RBACEngine,
+  createRBACEngine,
+  createRBACConfig,
+  getRBACConfig,
+  getRBACLogger,
+  isDebugMode,
+  isDevelopmentMode,
+  setupRBAC,
+  getAccessLevel,
+  getPermissionMap,
+  isPermitted,
+  isPermittedCached,
+  hasPermission,
+  hasAnyPermission,
+  hasAllPermissions,
+  isSuperAdmin,
+  getAppConfig,
+  isOrganisationAdmin,
+  isEventAdmin,
+  invalidateUserCache,
+  invalidateOrganisationCache,
+  invalidateEventCache,
+  invalidateAppCache,
+  clearCache
+};
+//# sourceMappingURL=chunk-6ZQVSHKL.js.map