@jmruthers/pace-core 0.2.6 → 0.4.1

package/dist/chunk-XI7QFSSC.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/rbac/types.ts","../src/rbac/cache.ts","../src/rbac/engine.ts","../src/rbac/config.ts","../src/rbac/api.ts"],"sourcesContent":["/**\n * RBAC (Role-Based Access Control) Types - Build Contract Compliant\n * @package @jmruthers/pace-core\n * @module RBAC/Types\n * @since 1.0.0\n * \n * This module defines the core types for the RBAC system that match the build contract exactly.\n * All types are designed to be framework-agnostic and provide strong typing for permission operations.\n */\n\nimport type React from 'react';\n\n// ============================================================================\n// CORE TYPES\n// ============================================================================\n\nexport type UUID = string;\n\nexport type Operation = 'read' | 'create' | 'update' | 'delete' | 'manage';\n\nexport type Permission = `${Operation}:${string}`; // e.g. \"manage:base.events\"\n\nexport type AccessLevel =\n  | 'viewer'\n  | 'participant'\n  | 'planner'\n  | 'admin'\n  | 'super';\n\nexport type Scope = {\n  organisationId?: UUID;\n  eventId?: string; // event_id is text/varchar\n  appId?: UUID;\n};\n\nexport type PermissionCheck = {\n  userId: UUID;\n  scope: Scope;\n  permission: Permission;\n  pageId?: UUID;\n};\n\nexport type PermissionMap = Record<string /* pageId */, Operation[]>;\n\n// ============================================================================\n// ROLE TYPES\n// ============================================================================\n\nexport type GlobalRole = 'super_admin';\n\nexport type OrganisationRole = 'supporter' | 'member' | 'leader' | 'org_admin';\n\nexport type EventAppRole = 'viewer' | 'participant' | 'planner' | 'event_admin';\n\n// ============================================================================\n// DATABASE TYPES\n// ============================================================================\n\nexport interface RBACGlobalRole {\n  id: UUID;\n  user_id: UUID;\n  role: GlobalRole;\n  granted_at: string;\n  granted_by: UUID | null;\n  valid_from: string;\n  valid_to: string | null;\n}\n\nexport interface RBACOrganisationRole {\n  id: UUID;\n  user_id: UUID;\n  organisation_id: UUID;\n  role: OrganisationRole;\n  status: 'active' | 'inactive' | 'suspended';\n  granted_at: string;\n  granted_by: UUID | null;\n  revoked_at: string | null;\n  revoked_by: UUID | null;\n  notes: string | null;\n  created_at: string;\n  updated_at: string;\n  valid_from: string;\n  valid_to: string | null;\n}\n\nexport interface RBACEventAppRole {\n  id: UUID;\n  user_id: UUID;\n  event_id: string;\n  role: EventAppRole;\n  status: 'active' | 'inactive' | 'suspended';\n  granted_at: string;\n  granted_by: UUID | null;\n  organisation_id: UUID;\n  app_id: UUID;\n  valid_from: string;\n  valid_to: string | null;\n}\n\nexport interface RBACPagePermission {\n  id: UUID;\n  app_page_id: UUID;\n  operation: Operation;\n  role_name: string;\n  allowed: boolean;\n  created_at: string;\n  updated_at: string;\n  organisation_id: UUID;\n}\n\nexport interface RBACAppPage {\n  id: UUID;\n  page_name: string;\n  page_description: string | null;\n  created_at: string;\n  updated_at: string;\n  created_by: UUID | null;\n  updated_by: UUID | null;\n  app_id: UUID;\n}\n\nexport interface RBACApp {\n  id: UUID;\n  name: string;\n  display_name: string;\n  description: string | null;\n  requires_event: boolean;\n  is_active: boolean;\n  created_at: string;\n  updated_at: string;\n  created_by: UUID | null;\n  updated_by: UUID | null;\n}\n\n// ============================================================================\n// AUDIT EVENT TYPES\n// ============================================================================\n\nexport type AuditEventType = \n  | 'permission_check'\n  | 'permission_denied'\n  | 'role_granted'\n  | 'role_revoked'\n  | 'rls_denied';\n\nexport type AuditEventSource = 'api' | 'ui' | 'middleware' | 'rls';\n\nexport interface RBACAuditEvent {\n  id: UUID;\n  event_type: AuditEventType;\n  user_id: UUID;\n  organisation_id: UUID;\n  event_id?: string;\n  app_id?: UUID;\n  page_id?: UUID;\n  permission?: string;\n  decision?: boolean;\n  source?: AuditEventSource;\n  bypass?: boolean;\n  duration_ms?: number;\n  metadata: Record<string, any>;\n  created_at: string;\n}\n\n// ============================================================================\n// CACHE TYPES\n// ============================================================================\n\nexport interface CacheEntry<T> {\n  data: T;\n  expires: number;\n}\n\nexport interface PermissionCacheKey {\n  userId: UUID;\n  organisationId?: UUID;\n  eventId?: string;\n  appId?: UUID;\n}\n\n// ============================================================================\n// API TYPES\n// ============================================================================\n\nexport interface GetAccessLevelInput {\n  userId: UUID;\n  scope: Scope;\n}\n\nexport interface GetPermissionMapInput {\n  userId: UUID;\n  scope: Scope;\n}\n\nexport interface IsPermittedInput extends PermissionCheck {}\n\n// ============================================================================\n// HOOK TYPES\n// ============================================================================\n\nexport interface UsePermissionsReturn {\n  permissions: PermissionMap;\n  isLoading: boolean;\n  error: Error | null;\n  refetch: () => Promise<void>;\n}\n\nexport interface UseCanReturn {\n  can: boolean;\n  isLoading: boolean;\n  error: Error | null;\n  check: () => Promise<void>;\n}\n\n// ============================================================================\n// ADAPTER TYPES\n// ============================================================================\n\nexport interface PermissionGuardConfig {\n  permission: Permission;\n  pageId?: UUID;\n}\n\nexport interface WithPermissionGuardOptions {\n  permission: Permission;\n  pageId?: UUID;\n  fallback?: React.ReactNode;\n  onDenied?: () => void;\n}\n\n// ============================================================================\n// HOOK RETURN TYPES\n// ============================================================================\n\nexport interface UserRBACContext {\n  user: any; // User from auth context\n  globalRole: GlobalRole | null;\n  organisationRole: OrganisationRole | null;\n  eventAppRole: EventAppRole | null;\n  hasPermission: (operation: Operation, targetPageId?: string) => Promise<boolean>;\n  hasGlobalPermission: (permission: Permission) => boolean;\n  isSuperAdmin: boolean;\n  isOrgAdmin: boolean;\n  isEventAdmin: boolean;\n  canManageOrganisation: boolean;\n  canManageEvent: boolean;\n  isLoading: boolean;\n  error: Error | null;\n}\n\nexport interface RBACPermission {\n  permission_type: string;\n  role_name: string;\n  [key: string]: any;\n}\n\n// ============================================================================\n// COMPONENT TYPES\n// ============================================================================\n\nexport interface RBACGuardProps {\n  children: React.ReactNode;\n  operation: Operation;\n  pageId?: UUID;\n  fallback?: React.ReactNode;\n}\n\nexport interface RoleBasedContentProps {\n  children: React.ReactNode;\n  globalRoles?: GlobalRole[];\n  organisationRoles?: OrganisationRole[];\n  eventAppRoles?: EventAppRole[];\n  fallback?: React.ReactNode;\n}\n\n// ============================================================================\n// ERROR TYPES\n// ============================================================================\n\nexport class RBACError extends Error {\n  constructor(\n    message: string,\n    public code: string,\n    public context?: Record<string, any>\n  ) {\n    super(message);\n    this.name = 'RBACError';\n  }\n}\n\nexport class PermissionDeniedError extends RBACError {\n  constructor(permission: Permission, context?: Record<string, any>) {\n    super(\n      `Permission denied: ${permission}`,\n      'PERMISSION_DENIED',\n      { permission, ...context }\n    );\n    this.name = 'PermissionDeniedError';\n  }\n}\n\nexport class OrganisationContextRequiredError extends RBACError {\n  constructor() {\n    super(\n      'Organisation context is required for this operation',\n      'ORGANISATION_CONTEXT_REQUIRED'\n    );\n    this.name = 'OrganisationContextRequiredError';\n  }\n}\n\nexport class RBACNotInitializedError extends RBACError {\n  constructor() {\n    super(\n      'RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup',\n      'RBAC_NOT_INITIALIZED'\n    );\n    this.name = 'RBACNotInitializedError';\n  }\n}\n\nexport class InvalidScopeError extends RBACError {\n  constructor(scope: Scope, reason: string) {\n    super(\n      `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,\n      'INVALID_SCOPE',\n      { scope, reason }\n    );\n    this.name = 'InvalidScopeError';\n  }\n}\n\nexport class MissingUserContextError extends RBACError {\n  constructor() {\n    super(\n      'User context is required but not available. Make sure to wrap your app with an auth provider.',\n      'MISSING_USER_CONTEXT'\n    );\n    this.name = 'MissingUserContextError';\n  }\n}\n","/**\n * RBAC Cache Implementation\n * @package @jmruthers/pace-core\n * @module RBAC/Cache\n * @since 1.0.0\n * \n * This module provides caching functionality for RBAC operations with TTL and invalidation.\n */\n\nimport { UUID } from './types';\nimport { CacheEntry, PermissionCacheKey } from './types';\n\n/**\n * In-memory cache for RBAC operations\n * \n * Provides 60-second TTL and pattern-based invalidation for permission checks.\n */\nexport class RBACCache {\n  private cache = new Map<string, CacheEntry<any>>();\n  private readonly TTL = 60 * 1000; // 60 seconds\n  private invalidationCallbacks: Set<(pattern: string) => void> = new Set();\n\n  /**\n   * Get a value from the cache\n   * \n   * @param key - Cache key\n   * @returns Cached value or null if not found/expired\n   */\n  get<T>(key: string): T | null {\n    const entry = this.cache.get(key);\n    \n    if (!entry) {\n      return null;\n    }\n\n    if (Date.now() > entry.expires) {\n      this.cache.delete(key);\n      return null;\n    }\n\n    return entry.data as T;\n  }\n\n  /**\n   * Set a value in the cache\n   * \n   * @param key - Cache key\n   * @param data - Data to cache\n   * @param ttl - Time to live in milliseconds (defaults to 60s)\n   */\n  set<T>(key: string, data: T, ttl: number = this.TTL): void {\n    // For zero or negative TTL, set expires to current time to make it immediately expired\n    const expires = ttl <= 0 ? Date.now() - 1 : Date.now() + ttl;\n    this.cache.set(key, {\n      data,\n      expires,\n    });\n  }\n\n  /**\n   * Delete a specific key from the cache\n   * \n   * @param key - Cache key to delete\n   */\n  delete(key: string): void {\n    this.cache.delete(key);\n  }\n\n  /**\n   * Invalidate cache entries matching a pattern\n   * \n   * @param pattern - Pattern to match against cache keys\n   */\n  invalidate(pattern: string): void {\n    const keysToDelete: string[] = [];\n    \n    for (const key of this.cache.keys()) {\n      if (key.includes(pattern)) {\n        keysToDelete.push(key);\n      }\n    }\n\n    keysToDelete.forEach(key => this.cache.delete(key));\n    \n    // Notify invalidation callbacks\n    this.invalidationCallbacks.forEach(callback => callback(pattern));\n  }\n\n  /**\n   * Clear all cache entries\n   */\n  clear(): void {\n    this.cache.clear();\n  }\n\n  /**\n   * Get cache statistics\n   */\n  getStats(): {\n    size: number;\n    ttl: number;\n    keys: string[];\n  } {\n    return {\n      size: this.cache.size,\n      ttl: this.TTL,\n      keys: Array.from(this.cache.keys()),\n    };\n  }\n\n  /**\n   * Add an invalidation callback\n   * \n   * @param callback - Function to call when cache is invalidated\n   */\n  onInvalidate(callback: (pattern: string) => void): () => void {\n    this.invalidationCallbacks.add(callback);\n    \n    // Return unsubscribe function\n    return () => {\n      this.invalidationCallbacks.delete(callback);\n    };\n  }\n\n  /**\n   * Generate cache key for permission check\n   * \n   * @param key - Permission cache key object\n   * @returns String cache key\n   */\n  static generatePermissionKey(key: PermissionCacheKey): string {\n    const parts = [\n      'perm',\n      key.userId,\n      key.organisationId || 'null',\n      key.eventId || 'null',\n      key.appId || 'null',\n    ];\n    \n    return parts.join(':');\n  }\n\n  /**\n   * Generate cache key for access level\n   * \n   * @param userId - User ID\n   * @param organisationId - Organisation ID\n   * @param eventId - Event ID (optional)\n   * @param appId - App ID (optional)\n   * @returns String cache key\n   */\n  static generateAccessLevelKey(\n    userId: UUID,\n    organisationId: UUID,\n    eventId?: string,\n    appId?: UUID\n  ): string {\n    const parts = [\n      'access',\n      userId,\n      organisationId,\n      eventId || 'null',\n      appId || 'null',\n    ];\n    \n    return parts.join(':');\n  }\n\n  /**\n   * Generate cache key for permission map\n   * \n   * @param userId - User ID\n   * @param organisationId - Organisation ID\n   * @param eventId - Event ID (optional)\n   * @param appId - App ID (optional)\n   * @returns String cache key\n   */\n  static generatePermissionMapKey(\n    userId: UUID,\n    organisationId: UUID,\n    eventId?: string,\n    appId?: UUID\n  ): string {\n    const parts = [\n      'map',\n      userId,\n      organisationId,\n      eventId || 'null',\n      appId || 'null',\n    ];\n    \n    return parts.join(':');\n  }\n}\n\n/**\n * Global cache instance\n * \n * This is the default cache instance used by the RBAC system.\n * You can create additional instances if needed for different contexts.\n */\nexport const rbacCache = new RBACCache();\n\n/**\n * Cache key patterns for invalidation\n */\nexport const CACHE_PATTERNS = {\n  USER: (userId: UUID) => `user:${userId}`,\n  ORGANISATION: (organisationId: UUID) => `org:${organisationId}`,\n  EVENT: (eventId: string) => `event:${eventId}`,\n  APP: (appId: UUID) => `app:${appId}`,\n  PERMISSION: (userId: UUID, organisationId: UUID) => `perm:${userId}:${organisationId}`,\n} as const;\n","/**\n * RBAC Core Engine\n * @package @jmruthers/pace-core\n * @module RBAC/Engine\n * @since 1.0.0\n * \n * This module implements the core RBAC permission algorithm with deny-overrides-allow precedence.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { \n  UUID, \n  Permission, \n  Scope, \n  PermissionCheck, \n  AccessLevel, \n  PermissionMap,\n  Operation,\n  OrganisationRole,\n  EventAppRole\n} from './types';\nimport { rbacCache, RBACCache } from './cache';\nimport { emitAuditEvent } from './audit';\n\n/**\n * Grant type for permission resolution\n */\ninterface Grant {\n  type: 'allow' | 'deny';\n  permission: Permission;\n  scope: 'global' | 'organisation' | 'eventApp' | 'page';\n  source: string;\n}\n\n/**\n * RBAC Engine\n * \n * Implements the core permission algorithm with deny-overrides-allow precedence.\n */\nexport class RBACEngine {\n  private supabase: SupabaseClient<Database>;\n\n  constructor(supabase: SupabaseClient<Database>) {\n    this.supabase = supabase;\n  }\n\n  /**\n   * Check if a user has a specific permission\n   * \n   * @param input - Permission check input\n   * @returns Promise resolving to permission result\n   */\n  async isPermitted(input: PermissionCheck): Promise<boolean> {\n    const startTime = Date.now();\n    const { userId, permission, scope, pageId } = input;\n\n    try {\n      // 1) If GlobalRole == 'super_admin' → allow (log bypass:true)\n      const isSuperAdmin = await this.checkSuperAdmin(userId);\n      if (isSuperAdmin) {\n        const duration = Date.now() - startTime;\n        await emitAuditEvent({\n          type: 'permission_check',\n          userId,\n          organisationId: scope.organisationId!,\n          eventId: scope.eventId,\n          appId: scope.appId,\n          pageId,\n          permission,\n          decision: true,\n          source: 'api',\n          bypass: true,\n          duration_ms: duration,\n        });\n        return true;\n      }\n\n      // 2) Collect active grants at page → eventApp → organisation → global\n      const grants = await this.collectActiveGrants(userId, scope, pageId);\n\n      // 3) Apply explicit denies at the closest scope first (deny overrides allow)\n      const denies = grants.filter(g => g.type === 'deny');\n      for (const deny of denies) {\n        if (this.permissionMatches(deny.permission, permission)) {\n          const duration = Date.now() - startTime;\n          await emitAuditEvent({\n            type: 'permission_denied',\n            userId,\n            organisationId: scope.organisationId!,\n            eventId: scope.eventId,\n            appId: scope.appId,\n            pageId,\n            permission,\n            source: 'api',\n          });\n          return false;\n        }\n      }\n\n      // 4) If no deny, check allows from closest to widest scope\n      const allows = grants.filter(g => g.type === 'allow');\n      let hasPermission = false;\n      \n      // Check allows in precedence order: page → eventApp → organisation → global\n      const scopeOrder: Array<'page' | 'eventApp' | 'organisation' | 'global'> = ['page', 'eventApp', 'organisation', 'global'];\n      \n      for (const scopeType of scopeOrder) {\n        const scopeAllows = allows.filter(g => g.scope === scopeType);\n        for (const allow of scopeAllows) {\n          const matches = this.permissionMatches(allow.permission, permission);\n          if (matches) {\n            hasPermission = true;\n            break;\n          }\n        }\n        if (hasPermission) break;\n      }\n\n      // 5) Return final decision; emit audit event\n      const finalDecision = hasPermission;\n      const _duration = Date.now() - startTime;\n\n      await emitAuditEvent({\n        type: 'permission_check',\n        userId,\n        organisationId: scope.organisationId!,\n        eventId: scope.eventId,\n        appId: scope.appId,\n        pageId,\n        permission,\n        decision: finalDecision,\n        source: 'api',\n        duration_ms: _duration,\n      });\n\n      return finalDecision;\n    } catch (_error) {\n      // Permission check failed - error logged via RBAC logger\n      return false;\n    }\n  }\n\n  /**\n   * Get user's access level in a scope\n   * \n   * @param input - Access level input\n   * @returns Promise resolving to access level\n   */\n  async getAccessLevel(input: { userId: UUID; scope: Scope }): Promise<AccessLevel> {\n    const { userId, scope } = input;\n\n    // Check cache first\n    const cacheKey = RBACCache.generateAccessLevelKey(\n      userId,\n      scope.organisationId!,\n      scope.eventId,\n      scope.appId\n    );\n    \n    const cached = rbacCache.get<AccessLevel>(cacheKey);\n    if (cached) {\n      return cached;\n    }\n\n    // Check super admin first\n    const isSuperAdmin = await this.checkSuperAdmin(userId);\n    if (isSuperAdmin) {\n      rbacCache.set(cacheKey, 'super');\n      return 'super';\n    }\n\n    // Check organisation role\n    const orgRole = await this.getOrganisationRole(userId, scope.organisationId!);\n    if (orgRole === 'org_admin') {\n      rbacCache.set(cacheKey, 'admin');\n      return 'admin';\n    }\n\n    // Check event-app role\n    if (scope.eventId && scope.appId) {\n      const eventRole = await this.getEventAppRole(userId, scope.eventId, scope.appId);\n      if (eventRole === 'event_admin') {\n        rbacCache.set(cacheKey, 'admin');\n        return 'admin';\n      }\n      if (eventRole === 'planner') {\n        rbacCache.set(cacheKey, 'planner');\n        return 'planner';\n      }\n      if (eventRole === 'participant') {\n        rbacCache.set(cacheKey, 'participant');\n        return 'participant';\n      }\n    }\n\n    // Default to viewer\n    rbacCache.set(cacheKey, 'viewer');\n    return 'viewer';\n  }\n\n  /**\n   * Get user's permission map for a scope\n   * \n   * @param input - Permission map input\n   * @returns Promise resolving to permission map\n   */\n  async getPermissionMap(input: { userId: UUID; scope: Scope }): Promise<PermissionMap> {\n    const { userId, scope } = input;\n\n    // Check cache first\n    const cacheKey = RBACCache.generatePermissionMapKey(\n      userId,\n      scope.organisationId!,\n      scope.eventId,\n      scope.appId\n    );\n    \n    const cached = rbacCache.get<PermissionMap>(cacheKey);\n    if (cached) {\n      return cached;\n    }\n\n    const permissionMap: PermissionMap = {};\n\n    // Get all pages for the app\n    if (scope.appId) {\n      const { data: pages } = await this.supabase\n        .from('rbac_app_pages')\n        .select('id, page_name')\n        .eq('app_id', scope.appId);\n\n      if (pages) {\n        for (const page of pages) {\n          const operations: Operation[] = [];\n          \n          // Check each operation\n          for (const operation of ['read', 'create', 'update', 'delete', 'manage'] as Operation[]) {\n            const hasPermission = await this.isPermitted({\n              userId,\n              scope,\n              permission: `${operation}:${page.page_name}`,\n              pageId: page.id,\n            });\n            \n            if (hasPermission) {\n              operations.push(operation);\n            }\n          }\n          \n          permissionMap[page.id] = operations;\n        }\n      }\n    }\n\n    rbacCache.set(cacheKey, permissionMap);\n    return permissionMap;\n  }\n\n  /**\n   * Check if user is super admin\n   * \n   * @param userId - User ID\n   * @returns Promise resolving to super admin status\n   */\n  private async checkSuperAdmin(userId: UUID): Promise<boolean> {\n    const { data, error } = await this.supabase\n      .from('rbac_global_roles')\n      .select('id')\n      .eq('user_id', userId)\n      .eq('role', 'super_admin')\n      .is('valid_to', null)\n      .single();\n\n    return !error && !!data;\n  }\n\n  /**\n   * Collect active grants for a user in a scope\n   * \n   * @param userId - User ID\n   * @param scope - Permission scope\n   * @param pageId - Optional page ID\n   * @returns Promise resolving to grants array\n   * \n   * PRECEDENCE ORDER (closest scope first): page → eventApp → organisation → global\n   */\n  private async collectActiveGrants(\n    userId: UUID, \n    scope: Scope, \n    pageId?: UUID\n  ): Promise<Grant[]> {\n    const grants: Grant[] = [];\n    const now = new Date().toISOString();\n\n    // 1. PAGE GRANTS (closest scope first)\n    if (pageId) {\n      const { data: pagePermissions } = await this.supabase\n        .from('rbac_page_permissions')\n        .select('operation, role_name, allowed')\n        .eq('app_page_id', pageId);\n\n      if (pagePermissions) {\n        for (const perm of pagePermissions) {\n          grants.push({\n            type: perm.allowed ? 'allow' : 'deny',\n            permission: `${perm.operation}:*` as Permission,\n            scope: 'page',\n            source: 'rbac_page_permissions',\n          });\n        }\n      }\n    }\n\n    // 2. EVENT-APP GRANTS\n    if (scope.eventId && scope.appId) {\n      const { data: eventRoles } = await this.supabase\n        .from('rbac_event_app_roles')\n        .select('role, status, valid_from, valid_to')\n        .eq('user_id', userId)\n        .eq('event_id', scope.eventId)\n        .eq('app_id', scope.appId)\n        .eq('status', 'active')\n        .lte('valid_from', now)\n        .or(`valid_to.is.null,valid_to.gte.${now}`);\n\n      if (eventRoles) {\n        for (const role of eventRoles) {\n          grants.push({\n            type: 'allow',\n            permission: this.getPermissionForEventRole(role.role),\n            scope: 'eventApp',\n            source: 'rbac_event_app_roles',\n          });\n        }\n      }\n    }\n\n    // 3. ORGANISATION GRANTS\n    if (scope.organisationId) {\n      const { data: orgRoles } = await this.supabase\n        .from('rbac_organisation_roles')\n        .select('role, status, valid_from, valid_to')\n        .eq('user_id', userId)\n        .eq('organisation_id', scope.organisationId)\n        .eq('status', 'active')\n        .lte('valid_from', now)\n        .or(`valid_to.is.null,valid_to.gte.${now}`);\n\n      if (orgRoles) {\n        for (const role of orgRoles) {\n          grants.push({\n            type: 'allow',\n            permission: this.getPermissionForOrgRole(role.role),\n            scope: 'organisation',\n            source: 'rbac_organisation_roles',\n          });\n        }\n      }\n    }\n\n    // 4. GLOBAL GRANTS (widest scope last)\n    const { data: globalRoles } = await this.supabase\n      .from('rbac_global_roles')\n      .select('role, valid_from, valid_to')\n      .eq('user_id', userId)\n      .lte('valid_from', now)\n      .or(`valid_to.is.null,valid_to.gte.${now}`);\n\n    if (globalRoles) {\n      for (const role of globalRoles) {\n        if (role.role === 'super_admin') {\n          grants.push({\n            type: 'allow',\n            permission: 'manage:*' as Permission,\n            scope: 'global',\n            source: 'rbac_global_roles',\n          });\n        }\n      }\n    }\n\n    return grants;\n  }\n\n  /**\n   * Check page-specific permissions\n   * \n   * @param userId - User ID\n   * @param pageId - Page ID\n   * @param permission - Permission to check\n   * @param scope - Permission scope\n   * @returns Promise resolving to page permission result\n   */\n  private async checkPagePermissions(\n    userId: UUID,\n    pageId: UUID | undefined,\n    permission: Permission,\n    scope: Scope\n  ): Promise<boolean> {\n    if (!pageId) {\n      return true; // No page restrictions\n    }\n\n    const [operation] = permission.split(':') as [Operation, string];\n\n    // Get user's roles in this scope\n    const userRoles: string[] = [];\n\n    // Add organisation role\n    if (scope.organisationId) {\n      const orgRole = await this.getOrganisationRole(userId, scope.organisationId);\n      if (orgRole) {\n        userRoles.push(orgRole);\n      }\n    }\n\n    // Add event-app role\n    if (scope.eventId && scope.appId) {\n      const eventRole = await this.getEventAppRole(userId, scope.eventId, scope.appId);\n      if (eventRole) {\n        userRoles.push(eventRole);\n      }\n    }\n\n    // Check page permissions\n    const { data: pagePermissions } = await this.supabase\n      .from('rbac_page_permissions')\n      .select('allowed')\n      .eq('app_page_id', pageId)\n      .eq('operation', operation)\n      .in('role_name', userRoles)\n      .single();\n\n    return pagePermissions?.allowed ?? false;\n  }\n\n  /**\n   * Get organisation role for a user\n   * \n   * @param userId - User ID\n   * @param organisationId - Organisation ID\n   * @returns Promise resolving to organisation role\n   */\n  private async getOrganisationRole(userId: UUID, organisationId: UUID): Promise<OrganisationRole | null> {\n    const { data, error } = await this.supabase\n      .from('rbac_organisation_roles')\n      .select('role')\n      .eq('user_id', userId)\n      .eq('organisation_id', organisationId)\n      .eq('status', 'active')\n      .single();\n\n    return error ? null : data?.role || null;\n  }\n\n  /**\n   * Get event-app role for a user\n   * \n   * @param userId - User ID\n   * @param eventId - Event ID\n   * @param appId - App ID\n   * @returns Promise resolving to event-app role\n   */\n  private async getEventAppRole(userId: UUID, eventId: string, appId: UUID): Promise<EventAppRole | null> {\n    const { data, error } = await this.supabase\n      .from('rbac_event_app_roles')\n      .select('role, status, valid_from, valid_to')\n      .eq('user_id', userId)\n      .eq('event_id', eventId)\n      .eq('app_id', appId)\n      .eq('status', 'active')\n      .lte('valid_from', new Date().toISOString())\n      .or(`valid_to.is.null,valid_to.gte.${new Date().toISOString()}`)\n      .single();\n\n    return error ? null : data?.role || null;\n  }\n\n  /**\n   * Get permission for organisation role\n   * \n   * @param role - Organisation role\n   * @returns Permission string\n   */\n  private getPermissionForOrgRole(role: OrganisationRole): Permission {\n    switch (role) {\n      case 'org_admin':\n        return 'manage:*' as Permission;\n      case 'leader':\n        return 'manage:organisation.*' as Permission;\n      case 'member':\n        return 'read:organisation.*' as Permission;\n      case 'supporter':\n        return 'read:organisation.public' as Permission;\n      default:\n        return 'read:organisation.public' as Permission;\n    }\n  }\n\n  /**\n   * Get permission for event-app role\n   * \n   * @param role - Event-app role\n   * @returns Permission string\n   */\n  private getPermissionForEventRole(role: EventAppRole): Permission {\n    switch (role) {\n      case 'event_admin':\n        return 'manage:event.*' as Permission;\n      case 'planner':\n        return 'manage:event.planning' as Permission;\n      case 'participant':\n        return 'read:event.*' as Permission;\n      case 'viewer':\n        return 'read:event.public' as Permission;\n      default:\n        return 'read:event.public' as Permission;\n    }\n  }\n\n  /**\n   * Check if a permission matches another permission\n   * \n   * @param grantPermission - Permission from grant\n   * @param requestedPermission - Requested permission\n   * @returns True if permissions match\n   */\n  private permissionMatches(grantPermission: Permission, requestedPermission: Permission): boolean {\n    // Exact match\n    if (grantPermission === requestedPermission) {\n      return true;\n    }\n\n    // Wildcard match\n    if (grantPermission.endsWith(':*') || grantPermission.endsWith('.*')) {\n      const [grantOp, grantResource] = grantPermission.split(':');\n      const [requestedOp, requestedResource] = requestedPermission.split(':');\n      \n      if (grantOp === requestedOp) {\n        // For wildcard permissions like \"read:*\" or \"read:organisation.*\", grantResource is \"*\" or \"organisation.*\"\n        // We need to check if the requested resource starts with the prefix before \"*\"\n        const prefix = grantResource.slice(0, -1); // Remove the \"*\"\n        return prefix === '' || requestedResource.startsWith(prefix);\n      }\n    }\n\n    // Check for other wildcard patterns\n    if (grantPermission.includes('*')) {\n      const [grantOp, grantResource] = grantPermission.split(':');\n      const [requestedOp, requestedResource] = requestedPermission.split(':');\n      \n      if (grantOp === requestedOp) {\n        // For wildcard permissions like \"read:event*\", grantResource is \"event*\"\n        const prefix = grantResource.replace('*', '');\n        return requestedResource.startsWith(prefix);\n      }\n    }\n\n    return false;\n  }\n}\n\n/**\n * Create an RBAC engine instance\n * \n * @param supabase - Supabase client\n * @returns RBACEngine instance\n */\nexport function createRBACEngine(supabase: SupabaseClient<Database>): RBACEngine {\n  return new RBACEngine(supabase);\n}\n","/**\n * RBAC Configuration\n * @package @jmruthers/pace-core\n * @module RBAC/Config\n * @since 1.0.0\n * \n * This module provides configuration options for the RBAC system.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\n\nexport type LogLevel = 'error' | 'warn' | 'info' | 'debug';\n\nexport interface RBACConfig {\n  supabase: SupabaseClient<Database>;\n  debug?: boolean;\n  logLevel?: LogLevel;\n  developmentMode?: boolean;\n  mockPermissions?: Record<string, boolean>;\n  cache?: {\n    ttl?: number;\n    enabled?: boolean;\n  };\n  audit?: {\n    enabled?: boolean;\n    logLevel?: LogLevel;\n  };\n}\n\nexport interface RBACLogger {\n  error: (message: string, ...args: unknown[]) => void;\n  warn: (message: string, ...args: unknown[]) => void;\n  info: (message: string, ...args: unknown[]) => void;\n  debug: (message: string, ...args: unknown[]) => void;\n}\n\nclass RBACConfigManager {\n  private config: RBACConfig | null = null;\n  private logger: RBACLogger | null = null;\n\n  setConfig(config: RBACConfig): void {\n    this.config = config;\n    this.setupLogger();\n  }\n\n  getConfig(): RBACConfig | null {\n    return this.config;\n  }\n\n  getLogger(): RBACLogger {\n    if (!this.logger) {\n      this.logger = this.createDefaultLogger();\n    }\n    return this.logger;\n  }\n\n  private setupLogger(): void {\n    if (!this.config) return;\n\n    const { debug = false, logLevel = 'warn' } = this.config;\n    \n    this.logger = {\n      error: (message: string, ...args: unknown[]) => {\n        console.error(`[RBAC ERROR] ${message}`, ...args);\n      },\n      warn: (message: string, ...args: unknown[]) => {\n        if (logLevel === 'warn' || logLevel === 'info' || logLevel === 'debug') {\n          console.warn(`[RBAC WARN] ${message}`, ...args);\n        }\n      },\n      info: (message: string, ...args: unknown[]) => {\n        if (logLevel === 'info' || logLevel === 'debug') {\n          console.info(`[RBAC INFO] ${message}`, ...args);\n        }\n      },\n      debug: (message: string, ...args: unknown[]) => {\n        if (debug && logLevel === 'debug') {\n          console.debug(`[RBAC DEBUG] ${message}`, ...args);\n        }\n      },\n    };\n  }\n\n  private createDefaultLogger(): RBACLogger {\n    return {\n      error: (message: string, ...args: unknown[]) => console.error(`[RBAC ERROR] ${message}`, ...args),\n      warn: (message: string, ...args: unknown[]) => console.warn(`[RBAC WARN] ${message}`, ...args),\n      info: (message: string, ...args: unknown[]) => console.info(`[RBAC INFO] ${message}`, ...args),\n      debug: (message: string, ...args: unknown[]) => console.debug(`[RBAC DEBUG] ${message}`, ...args),\n    };\n  }\n\n  isDebugMode(): boolean {\n    return this.config?.debug ?? false;\n  }\n\n  isDevelopmentMode(): boolean {\n    return this.config?.developmentMode ?? false;\n  }\n\n  getMockPermissions(): Record<string, boolean> | null {\n    return this.config?.mockPermissions ?? null;\n  }\n}\n\n// Global config manager instance\nconst configManager = new RBACConfigManager();\n\nexport function createRBACConfig(config: RBACConfig): RBACConfig {\n  configManager.setConfig(config);\n  return config;\n}\n\nexport function getRBACConfig(): RBACConfig | null {\n  return configManager.getConfig();\n}\n\nexport function getRBACLogger(): RBACLogger {\n  return configManager.getLogger();\n}\n\nexport function isDebugMode(): boolean {\n  return configManager.isDebugMode();\n}\n\nexport function isDevelopmentMode(): boolean {\n  return configManager.isDevelopmentMode();\n}\n\nexport function getMockPermissions(): Record<string, boolean> | null {\n  return configManager.getMockPermissions();\n}\n","/**\n * RBAC Main API Functions\n * @package @jmruthers/pace-core\n * @module RBAC/API\n * @since 1.0.0\n * \n * This module provides the main API functions for the RBAC system.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { \n  UUID, \n  Scope, \n  Permission, \n  AccessLevel, \n  PermissionMap, \n  PermissionCheck,\n  RBACNotInitializedError\n} from './types';\nimport { createRBACEngine, RBACEngine } from './engine';\nimport { createAuditManager, setGlobalAuditManager } from './audit';\nimport { rbacCache, RBACCache, CACHE_PATTERNS } from './cache';\nimport { createRBACConfig, RBACConfig, getRBACLogger } from './config';\n\n// Global engine instance\nlet globalEngine: RBACEngine | null = null;\n\n/**\n * Setup RBAC system\n * \n * @param supabase - Supabase client\n * @param config - Optional configuration\n */\nexport function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<RBACConfig>): void {\n  const logger = getRBACLogger();\n  \n  // Create full config\n  const fullConfig: RBACConfig = {\n    supabase,\n    debug: process.env.NODE_ENV === 'development',\n    logLevel: 'warn',\n    developmentMode: process.env.NODE_ENV === 'development',\n    ...config,\n  };\n  \n  createRBACConfig(fullConfig);\n  \n  globalEngine = createRBACEngine(supabase);\n  \n  // Setup audit manager\n  const auditManager = createAuditManager(supabase);\n  setGlobalAuditManager(auditManager);\n  \n  logger.info('RBAC system initialized successfully');\n}\n\n/**\n * Get the global RBAC engine\n * \n * @returns Global RBAC engine\n * @throws Error if RBAC not initialized\n */\nfunction getEngine(): RBACEngine {\n  if (!globalEngine) {\n    throw new RBACNotInitializedError();\n  }\n  return globalEngine;\n}\n\n/**\n * Get user's access level in a scope\n * \n * @param input - Access level input\n * @returns Promise resolving to access level\n * \n * @example\n * ```typescript\n * const accessLevel = await getAccessLevel({\n *   userId: 'user-123',\n *   scope: { organisationId: 'org-456' }\n * });\n * ```\n */\nexport async function getAccessLevel(input: {\n  userId: UUID;\n  scope: Scope;\n}): Promise<AccessLevel> {\n  const engine = getEngine();\n  return engine.getAccessLevel(input);\n}\n\n/**\n * Get user's permission map for a scope\n * \n * @param input - Permission map input\n * @returns Promise resolving to permission map\n * \n * @example\n * ```typescript\n * const permissions = await getPermissionMap({\n *   userId: 'user-123',\n *   scope: { \n *     organisationId: 'org-456',\n *     eventId: 'event-789',\n *     appId: 'app-101'\n *   }\n * });\n * ```\n */\nexport async function getPermissionMap(input: {\n  userId: UUID;\n  scope: Scope;\n}): Promise<PermissionMap> {\n  const engine = getEngine();\n  return engine.getPermissionMap(input);\n}\n\n/**\n * Check if user has a specific permission\n * \n * @param input - Permission check input\n * @returns Promise resolving to permission result\n * \n * @example\n * ```typescript\n * const canManage = await isPermitted({\n *   userId: 'user-123',\n *   scope: { organisationId: 'org-456' },\n *   permission: 'manage:events',\n *   pageId: 'page-789'\n * });\n * ```\n */\nexport async function isPermitted(input: PermissionCheck): Promise<boolean> {\n  const engine = getEngine();\n  return engine.isPermitted(input);\n}\n\n/**\n * Check if user has a specific permission (cached version)\n * \n * @param input - Permission check input\n * @returns Promise resolving to permission result\n */\nexport async function isPermittedCached(input: PermissionCheck): Promise<boolean> {\n  const { userId, scope, permission, pageId } = input;\n  \n  // Check cache first\n  const cacheKey = RBACCache.generatePermissionKey({\n    userId,\n    organisationId: scope.organisationId!,\n    eventId: scope.eventId,\n    appId: scope.appId,\n  });\n  \n  const cached = rbacCache.get<boolean>(cacheKey);\n  if (cached !== null) {\n    return cached;\n  }\n\n  // Check permission\n  const result = await isPermitted(input);\n  \n  // Cache result\n  rbacCache.set(cacheKey, result);\n  \n  return result;\n}\n\n/**\n * Check if a user has a specific permission (alias for isPermitted)\n * \n * @param input - Permission check parameters\n * @returns Promise<boolean> - True if user has permission\n */\nexport async function hasPermission(input: PermissionCheck): Promise<boolean> {\n  return isPermitted(input);\n}\n\n/**\n * Check if user has any of the specified permissions\n * \n * @param input - Permission check input with array of permissions\n * @returns Promise resolving to true if user has any permission\n */\nexport async function hasAnyPermission(input: {\n  userId: UUID;\n  scope: Scope;\n  permissions: Permission[];\n  pageId?: UUID;\n}): Promise<boolean> {\n  const { permissions, ...baseInput } = input;\n  \n  for (const permission of permissions) {\n    const hasPermission = await isPermitted({\n      ...baseInput,\n      permission,\n    });\n    \n    if (hasPermission) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n\n/**\n * Check if user has all of the specified permissions\n * \n * @param input - Permission check input with array of permissions\n * @returns Promise resolving to true if user has all permissions\n */\nexport async function hasAllPermissions(input: {\n  userId: UUID;\n  scope: Scope;\n  permissions: Permission[];\n  pageId?: UUID;\n}): Promise<boolean> {\n  const { permissions, ...baseInput } = input;\n  \n  for (const permission of permissions) {\n    const hasPermission = await isPermitted({\n      ...baseInput,\n      permission,\n    });\n    \n    if (!hasPermission) {\n      return false;\n    }\n  }\n  \n  return true;\n}\n\n/**\n * Check if user is super admin\n * \n * @param userId - User ID\n * @returns Promise resolving to super admin status\n */\nexport async function isSuperAdmin(userId: UUID): Promise<boolean> {\n  const engine = getEngine();\n  return engine['checkSuperAdmin'](userId);\n}\n\n/**\n * Check if user is organisation admin\n * \n * @param userId - User ID\n * @param organisationId - Organisation ID\n * @returns Promise resolving to organisation admin status\n */\nexport async function isOrganisationAdmin(userId: UUID, organisationId: UUID): Promise<boolean> {\n  const accessLevel = await getAccessLevel({\n    userId,\n    scope: { organisationId },\n  });\n  \n  return accessLevel === 'admin' || accessLevel === 'super';\n}\n\n/**\n * Check if user is event admin\n * \n * @param userId - User ID\n * @param scope - Permission scope with eventId and appId\n * @returns Promise resolving to event admin status\n */\nexport async function isEventAdmin(userId: UUID, scope: Scope): Promise<boolean> {\n  if (!scope.eventId || !scope.appId) {\n    return false;\n  }\n  \n  const accessLevel = await getAccessLevel({ userId, scope });\n  return accessLevel === 'admin' || accessLevel === 'super';\n}\n\n/**\n * Invalidate user's permission cache\n * \n * @param userId - User ID\n * @param organisationId - Organisation ID (optional)\n */\nexport function invalidateUserCache(userId: UUID, organisationId?: UUID): void {\n  if (organisationId) {\n    rbacCache.invalidate(CACHE_PATTERNS.PERMISSION(userId, organisationId));\n  } else {\n    rbacCache.invalidate(CACHE_PATTERNS.USER(userId));\n  }\n}\n\n/**\n * Invalidate organisation's permission cache\n * \n * @param organisationId - Organisation ID\n */\nexport function invalidateOrganisationCache(organisationId: UUID): void {\n  rbacCache.invalidate(CACHE_PATTERNS.ORGANISATION(organisationId));\n}\n\n/**\n * Invalidate event's permission cache\n * \n * @param eventId - Event ID\n */\nexport function invalidateEventCache(eventId: string): void {\n  rbacCache.invalidate(CACHE_PATTERNS.EVENT(eventId));\n}\n\n/**\n * Invalidate app's permission cache\n * \n * @param appId - App ID\n */\nexport function invalidateAppCache(appId: UUID): void {\n  rbacCache.invalidate(CACHE_PATTERNS.APP(appId));\n}\n\n/**\n * Clear all permission cache\n */\nexport function clearCache(): void {\n  rbacCache.clear();\n}\n"],"mappings":";;;;;;;AAuRO,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YACE,SACO,MACA,SACP;AACA,UAAM,OAAO;AAHN;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAaO,IAAM,mCAAN,cAA+C,UAAU;AAAA,EAC9D,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,0BAAN,cAAsC,UAAU;AAAA,EACrD,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;;;AC9SO,IAAM,YAAN,MAAgB;AAAA,EAAhB;AACL,SAAQ,QAAQ,oBAAI,IAA6B;AACjD,SAAiB,MAAM,KAAK;AAC5B;AAAA,SAAQ,wBAAwD,oBAAI,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQxE,IAAO,KAAuB;AAC5B,UAAM,QAAQ,KAAK,MAAM,IAAI,GAAG;AAEhC,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,IACT;AAEA,QAAI,KAAK,IAAI,IAAI,MAAM,SAAS;AAC9B,WAAK,MAAM,OAAO,GAAG;AACrB,aAAO;AAAA,IACT;AAEA,WAAO,MAAM;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,IAAO,KAAa,MAAS,MAAc,KAAK,KAAW;AAEzD,UAAM,UAAU,OAAO,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI;AACzD,SAAK,MAAM,IAAI,KAAK;AAAA,MAClB;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,KAAmB;AACxB,SAAK,MAAM,OAAO,GAAG;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAW,SAAuB;AAChC,UAAM,eAAyB,CAAC;AAEhC,eAAW,OAAO,KAAK,MAAM,KAAK,GAAG;AACnC,UAAI,IAAI,SAAS,OAAO,GAAG;AACzB,qBAAa,KAAK,GAAG;AAAA,MACvB;AAAA,IACF;AAEA,iBAAa,QAAQ,SAAO,KAAK,MAAM,OAAO,GAAG,CAAC;AAGlD,SAAK,sBAAsB,QAAQ,cAAY,SAAS,OAAO,CAAC;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA,EAKA,QAAc;AACZ,SAAK,MAAM,MAAM;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,WAIE;AACA,WAAO;AAAA,MACL,MAAM,KAAK,MAAM;AAAA,MACjB,KAAK,KAAK;AAAA,MACV,MAAM,MAAM,KAAK,KAAK,MAAM,KAAK,CAAC;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,UAAiD;AAC5D,SAAK,sBAAsB,IAAI,QAAQ;AAGvC,WAAO,MAAM;AACX,WAAK,sBAAsB,OAAO,QAAQ;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,sBAAsB,KAAiC;AAC5D,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,MACJ,IAAI,kBAAkB;AAAA,MACtB,IAAI,WAAW;AAAA,MACf,IAAI,SAAS;AAAA,IACf;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,uBACL,QACA,gBACA,SACA,OACQ;AACR,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,MACA,WAAW;AAAA,MACX,SAAS;AAAA,IACX;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,yBACL,QACA,gBACA,SACA,OACQ;AACR,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,MACA,WAAW;AAAA,MACX,SAAS;AAAA,IACX;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AACF;AAQO,IAAM,YAAY,IAAI,UAAU;AAKhC,IAAM,iBAAiB;AAAA,EAC5B,MAAM,CAAC,WAAiB,QAAQ,MAAM;AAAA,EACtC,cAAc,CAAC,mBAAyB,OAAO,cAAc;AAAA,EAC7D,OAAO,CAAC,YAAoB,SAAS,OAAO;AAAA,EAC5C,KAAK,CAAC,UAAgB,OAAO,KAAK;AAAA,EAClC,YAAY,CAAC,QAAc,mBAAyB,QAAQ,MAAM,IAAI,cAAc;AACtF;;;AC5KO,IAAM,aAAN,MAAiB;AAAA,EAGtB,YAAY,UAAoC;AAC9C,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,YAAY,OAA0C;AAC1D,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,EAAE,QAAQ,YAAY,OAAO,OAAO,IAAI;AAE9C,QAAI;AAEF,YAAMA,gBAAe,MAAM,KAAK,gBAAgB,MAAM;AACtD,UAAIA,eAAc;AAChB,cAAM,WAAW,KAAK,IAAI,IAAI;AAC9B,cAAM,eAAe;AAAA,UACnB,MAAM;AAAA,UACN;AAAA,UACA,gBAAgB,MAAM;AAAA,UACtB,SAAS,MAAM;AAAA,UACf,OAAO,MAAM;AAAA,UACb;AAAA,UACA;AAAA,UACA,UAAU;AAAA,UACV,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,aAAa;AAAA,QACf,CAAC;AACD,eAAO;AAAA,MACT;AAGA,YAAM,SAAS,MAAM,KAAK,oBAAoB,QAAQ,OAAO,MAAM;AAGnE,YAAM,SAAS,OAAO,OAAO,OAAK,EAAE,SAAS,MAAM;AACnD,iBAAW,QAAQ,QAAQ;AACzB,YAAI,KAAK,kBAAkB,KAAK,YAAY,UAAU,GAAG;AACvD,gBAAM,WAAW,KAAK,IAAI,IAAI;AAC9B,gBAAM,eAAe;AAAA,YACnB,MAAM;AAAA,YACN;AAAA,YACA,gBAAgB,MAAM;AAAA,YACtB,SAAS,MAAM;AAAA,YACf,OAAO,MAAM;AAAA,YACb;AAAA,YACA;AAAA,YACA,QAAQ;AAAA,UACV,CAAC;AACD,iBAAO;AAAA,QACT;AAAA,MACF;AAGA,YAAM,SAAS,OAAO,OAAO,OAAK,EAAE,SAAS,OAAO;AACpD,UAAIC,iBAAgB;AAGpB,YAAM,aAAqE,CAAC,QAAQ,YAAY,gBAAgB,QAAQ;AAExH,iBAAW,aAAa,YAAY;AAClC,cAAM,cAAc,OAAO,OAAO,OAAK,EAAE,UAAU,SAAS;AAC5D,mBAAW,SAAS,aAAa;AAC/B,gBAAM,UAAU,KAAK,kBAAkB,MAAM,YAAY,UAAU;AACnE,cAAI,SAAS;AACX,YAAAA,iBAAgB;AAChB;AAAA,UACF;AAAA,QACF;AACA,YAAIA,eAAe;AAAA,MACrB;AAGA,YAAM,gBAAgBA;AACtB,YAAM,YAAY,KAAK,IAAI,IAAI;AAE/B,YAAM,eAAe;AAAA,QACnB,MAAM;AAAA,QACN;AAAA,QACA,gBAAgB,MAAM;AAAA,QACtB,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,QACb;AAAA,QACA;AAAA,QACA,UAAU;AAAA,QACV,QAAQ;AAAA,QACR,aAAa;AAAA,MACf,CAAC;AAED,aAAO;AAAA,IACT,SAAS,QAAQ;AAEf,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,eAAe,OAA6D;AAChF,UAAM,EAAE,QAAQ,MAAM,IAAI;AAG1B,UAAM,WAAW,UAAU;AAAA,MACzB;AAAA,MACA,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAEA,UAAM,SAAS,UAAU,IAAiB,QAAQ;AAClD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAGA,UAAMD,gBAAe,MAAM,KAAK,gBAAgB,MAAM;AACtD,QAAIA,eAAc;AAChB,gBAAU,IAAI,UAAU,OAAO;AAC/B,aAAO;AAAA,IACT;AAGA,UAAM,UAAU,MAAM,KAAK,oBAAoB,QAAQ,MAAM,cAAe;AAC5E,QAAI,YAAY,aAAa;AAC3B,gBAAU,IAAI,UAAU,OAAO;AAC/B,aAAO;AAAA,IACT;AAGA,QAAI,MAAM,WAAW,MAAM,OAAO;AAChC,YAAM,YAAY,MAAM,KAAK,gBAAgB,QAAQ,MAAM,SAAS,MAAM,KAAK;AAC/E,UAAI,cAAc,eAAe;AAC/B,kBAAU,IAAI,UAAU,OAAO;AAC/B,eAAO;AAAA,MACT;AACA,UAAI,cAAc,WAAW;AAC3B,kBAAU,IAAI,UAAU,SAAS;AACjC,eAAO;AAAA,MACT;AACA,UAAI,cAAc,eAAe;AAC/B,kBAAU,IAAI,UAAU,aAAa;AACrC,eAAO;AAAA,MACT;AAAA,IACF;AAGA,cAAU,IAAI,UAAU,QAAQ;AAChC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBAAiB,OAA+D;AACpF,UAAM,EAAE,QAAQ,MAAM,IAAI;AAG1B,UAAM,WAAW,UAAU;AAAA,MACzB;AAAA,MACA,MAAM;AAAA,MACN,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAEA,UAAM,SAAS,UAAU,IAAmB,QAAQ;AACpD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAEA,UAAM,gBAA+B,CAAC;AAGtC,QAAI,MAAM,OAAO;AACf,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,gBAAgB,EACrB,OAAO,eAAe,EACtB,GAAG,UAAU,MAAM,KAAK;AAE3B,UAAI,OAAO;AACT,mBAAW,QAAQ,OAAO;AACxB,gBAAM,aAA0B,CAAC;AAGjC,qBAAW,aAAa,CAAC,QAAQ,UAAU,UAAU,UAAU,QAAQ,GAAkB;AACvF,kBAAMC,iBAAgB,MAAM,KAAK,YAAY;AAAA,cAC3C;AAAA,cACA;AAAA,cACA,YAAY,GAAG,SAAS,IAAI,KAAK,SAAS;AAAA,cAC1C,QAAQ,KAAK;AAAA,YACf,CAAC;AAED,gBAAIA,gBAAe;AACjB,yBAAW,KAAK,SAAS;AAAA,YAC3B;AAAA,UACF;AAEA,wBAAc,KAAK,EAAE,IAAI;AAAA,QAC3B;AAAA,MACF;AAAA,IACF;AAEA,cAAU,IAAI,UAAU,aAAa;AACrC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,gBAAgB,QAAgC;AAC5D,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,IAAI,EACX,GAAG,WAAW,MAAM,EACpB,GAAG,QAAQ,aAAa,EACxB,GAAG,YAAY,IAAI,EACnB,OAAO;AAEV,WAAO,CAAC,SAAS,CAAC,CAAC;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAc,oBACZ,QACA,OACA,QACkB;AAClB,UAAM,SAAkB,CAAC;AACzB,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AAGnC,QAAI,QAAQ;AACV,YAAM,EAAE,MAAM,gBAAgB,IAAI,MAAM,KAAK,SAC1C,KAAK,uBAAuB,EAC5B,OAAO,+BAA+B,EACtC,GAAG,eAAe,MAAM;AAE3B,UAAI,iBAAiB;AACnB,mBAAW,QAAQ,iBAAiB;AAClC,iBAAO,KAAK;AAAA,YACV,MAAM,KAAK,UAAU,UAAU;AAAA,YAC/B,YAAY,GAAG,KAAK,SAAS;AAAA,YAC7B,OAAO;AAAA,YACP,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAGA,QAAI,MAAM,WAAW,MAAM,OAAO;AAChC,YAAM,EAAE,MAAM,WAAW,IAAI,MAAM,KAAK,SACrC,KAAK,sBAAsB,EAC3B,OAAO,oCAAoC,EAC3C,GAAG,WAAW,MAAM,EACpB,GAAG,YAAY,MAAM,OAAO,EAC5B,GAAG,UAAU,MAAM,KAAK,EACxB,GAAG,UAAU,QAAQ,EACrB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE;AAE5C,UAAI,YAAY;AACd,mBAAW,QAAQ,YAAY;AAC7B,iBAAO,KAAK;AAAA,YACV,MAAM;AAAA,YACN,YAAY,KAAK,0BAA0B,KAAK,IAAI;AAAA,YACpD,OAAO;AAAA,YACP,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAGA,QAAI,MAAM,gBAAgB;AACxB,YAAM,EAAE,MAAM,SAAS,IAAI,MAAM,KAAK,SACnC,KAAK,yBAAyB,EAC9B,OAAO,oCAAoC,EAC3C,GAAG,WAAW,MAAM,EACpB,GAAG,mBAAmB,MAAM,cAAc,EAC1C,GAAG,UAAU,QAAQ,EACrB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE;AAE5C,UAAI,UAAU;AACZ,mBAAW,QAAQ,UAAU;AAC3B,iBAAO,KAAK;AAAA,YACV,MAAM;AAAA,YACN,YAAY,KAAK,wBAAwB,KAAK,IAAI;AAAA,YAClD,OAAO;AAAA,YACP,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAGA,UAAM,EAAE,MAAM,YAAY,IAAI,MAAM,KAAK,SACtC,KAAK,mBAAmB,EACxB,OAAO,4BAA4B,EACnC,GAAG,WAAW,MAAM,EACpB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE;AAE5C,QAAI,aAAa;AACf,iBAAW,QAAQ,aAAa;AAC9B,YAAI,KAAK,SAAS,eAAe;AAC/B,iBAAO,KAAK;AAAA,YACV,MAAM;AAAA,YACN,YAAY;AAAA,YACZ,OAAO;AAAA,YACP,QAAQ;AAAA,UACV,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAc,qBACZ,QACA,QACA,YACA,OACkB;AAClB,QAAI,CAAC,QAAQ;AACX,aAAO;AAAA,IACT;AAEA,UAAM,CAAC,SAAS,IAAI,WAAW,MAAM,GAAG;AAGxC,UAAM,YAAsB,CAAC;AAG7B,QAAI,MAAM,gBAAgB;AACxB,YAAM,UAAU,MAAM,KAAK,oBAAoB,QAAQ,MAAM,cAAc;AAC3E,UAAI,SAAS;AACX,kBAAU,KAAK,OAAO;AAAA,MACxB;AAAA,IACF;AAGA,QAAI,MAAM,WAAW,MAAM,OAAO;AAChC,YAAM,YAAY,MAAM,KAAK,gBAAgB,QAAQ,MAAM,SAAS,MAAM,KAAK;AAC/E,UAAI,WAAW;AACb,kBAAU,KAAK,SAAS;AAAA,MAC1B;AAAA,IACF;AAGA,UAAM,EAAE,MAAM,gBAAgB,IAAI,MAAM,KAAK,SAC1C,KAAK,uBAAuB,EAC5B,OAAO,SAAS,EAChB,GAAG,eAAe,MAAM,EACxB,GAAG,aAAa,SAAS,EACzB,GAAG,aAAa,SAAS,EACzB,OAAO;AAEV,WAAO,iBAAiB,WAAW;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,oBAAoB,QAAc,gBAAwD;AACtG,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,yBAAyB,EAC9B,OAAO,MAAM,EACb,GAAG,WAAW,MAAM,EACpB,GAAG,mBAAmB,cAAc,EACpC,GAAG,UAAU,QAAQ,EACrB,OAAO;AAEV,WAAO,QAAQ,OAAO,MAAM,QAAQ;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAc,gBAAgB,QAAc,SAAiB,OAA2C;AACtG,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,sBAAsB,EAC3B,OAAO,oCAAoC,EAC3C,GAAG,WAAW,MAAM,EACpB,GAAG,YAAY,OAAO,EACtB,GAAG,UAAU,KAAK,EAClB,GAAG,UAAU,QAAQ,EACrB,IAAI,eAAc,oBAAI,KAAK,GAAE,YAAY,CAAC,EAC1C,GAAG,kCAAiC,oBAAI,KAAK,GAAE,YAAY,CAAC,EAAE,EAC9D,OAAO;AAEV,WAAO,QAAQ,OAAO,MAAM,QAAQ;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,wBAAwB,MAAoC;AAClE,YAAQ,MAAM;AAAA,MACZ,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,0BAA0B,MAAgC;AAChE,YAAQ,MAAM;AAAA,MACZ,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASQ,kBAAkB,iBAA6B,qBAA0C;AAE/F,QAAI,oBAAoB,qBAAqB;AAC3C,aAAO;AAAA,IACT;AAGA,QAAI,gBAAgB,SAAS,IAAI,KAAK,gBAAgB,SAAS,IAAI,GAAG;AACpE,YAAM,CAAC,SAAS,aAAa,IAAI,gBAAgB,MAAM,GAAG;AAC1D,YAAM,CAAC,aAAa,iBAAiB,IAAI,oBAAoB,MAAM,GAAG;AAEtE,UAAI,YAAY,aAAa;AAG3B,cAAM,SAAS,cAAc,MAAM,GAAG,EAAE;AACxC,eAAO,WAAW,MAAM,kBAAkB,WAAW,MAAM;AAAA,MAC7D;AAAA,IACF;AAGA,QAAI,gBAAgB,SAAS,GAAG,GAAG;AACjC,YAAM,CAAC,SAAS,aAAa,IAAI,gBAAgB,MAAM,GAAG;AAC1D,YAAM,CAAC,aAAa,iBAAiB,IAAI,oBAAoB,MAAM,GAAG;AAEtE,UAAI,YAAY,aAAa;AAE3B,cAAM,SAAS,cAAc,QAAQ,KAAK,EAAE;AAC5C,eAAO,kBAAkB,WAAW,MAAM;AAAA,MAC5C;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AAQO,SAAS,iBAAiB,UAAgD;AAC/E,SAAO,IAAI,WAAW,QAAQ;AAChC;;;ACthBA,IAAM,oBAAN,MAAwB;AAAA,EAAxB;AACE,SAAQ,SAA4B;AACpC,SAAQ,SAA4B;AAAA;AAAA,EAEpC,UAAU,QAA0B;AAClC,SAAK,SAAS;AACd,SAAK,YAAY;AAAA,EACnB;AAAA,EAEA,YAA+B;AAC7B,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,YAAwB;AACtB,QAAI,CAAC,KAAK,QAAQ;AAChB,WAAK,SAAS,KAAK,oBAAoB;AAAA,IACzC;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,cAAoB;AAC1B,QAAI,CAAC,KAAK,OAAQ;AAElB,UAAM,EAAE,QAAQ,OAAO,WAAW,OAAO,IAAI,KAAK;AAElD,SAAK,SAAS;AAAA,MACZ,OAAO,CAAC,YAAoB,SAAoB;AAC9C,gBAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,MAClD;AAAA,MACA,MAAM,CAAC,YAAoB,SAAoB;AAC7C,YAAI,aAAa,UAAU,aAAa,UAAU,aAAa,SAAS;AACtE,kBAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,QAChD;AAAA,MACF;AAAA,MACA,MAAM,CAAC,YAAoB,SAAoB;AAC7C,YAAI,aAAa,UAAU,aAAa,SAAS;AAC/C,kBAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,QAChD;AAAA,MACF;AAAA,MACA,OAAO,CAAC,YAAoB,SAAoB;AAC9C,YAAI,SAAS,aAAa,SAAS;AACjC,kBAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,QAClD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,sBAAkC;AACxC,WAAO;AAAA,MACL,OAAO,CAAC,YAAoB,SAAoB,QAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,MAChG,MAAM,CAAC,YAAoB,SAAoB,QAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,MAC7F,MAAM,CAAC,YAAoB,SAAoB,QAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,MAC7F,OAAO,CAAC,YAAoB,SAAoB,QAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,IAClG;AAAA,EACF;AAAA,EAEA,cAAuB;AACrB,WAAO,KAAK,QAAQ,SAAS;AAAA,EAC/B;AAAA,EAEA,oBAA6B;AAC3B,WAAO,KAAK,QAAQ,mBAAmB;AAAA,EACzC;AAAA,EAEA,qBAAqD;AACnD,WAAO,KAAK,QAAQ,mBAAmB;AAAA,EACzC;AACF;AAGA,IAAM,gBAAgB,IAAI,kBAAkB;AAErC,SAAS,iBAAiB,QAAgC;AAC/D,gBAAc,UAAU,MAAM;AAC9B,SAAO;AACT;AAEO,SAAS,gBAAmC;AACjD,SAAO,cAAc,UAAU;AACjC;AAEO,SAAS,gBAA4B;AAC1C,SAAO,cAAc,UAAU;AACjC;AAEO,SAAS,cAAuB;AACrC,SAAO,cAAc,YAAY;AACnC;AAEO,SAAS,oBAA6B;AAC3C,SAAO,cAAc,kBAAkB;AACzC;;;ACtGA,IAAI,eAAkC;AAQ/B,SAAS,UAAU,UAAoC,QAAoC;AAChG,QAAM,SAAS,cAAc;AAG7B,QAAM,aAAyB;AAAA,IAC7B;AAAA,IACA,OAAO;AAAA,IACP,UAAU;AAAA,IACV,iBAAiB;AAAA,IACjB,GAAG;AAAA,EACL;AAEA,mBAAiB,UAAU;AAE3B,iBAAe,iBAAiB,QAAQ;AAGxC,QAAM,eAAe,mBAAmB,QAAQ;AAChD,wBAAsB,YAAY;AAElC,SAAO,KAAK,sCAAsC;AACpD;AAQA,SAAS,YAAwB;AAC/B,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,wBAAwB;AAAA,EACpC;AACA,SAAO;AACT;AAgBA,eAAsB,eAAe,OAGZ;AACvB,QAAM,SAAS,UAAU;AACzB,SAAO,OAAO,eAAe,KAAK;AACpC;AAoBA,eAAsB,iBAAiB,OAGZ;AACzB,QAAM,SAAS,UAAU;AACzB,SAAO,OAAO,iBAAiB,KAAK;AACtC;AAkBA,eAAsB,YAAY,OAA0C;AAC1E,QAAM,SAAS,UAAU;AACzB,SAAO,OAAO,YAAY,KAAK;AACjC;AAQA,eAAsB,kBAAkB,OAA0C;AAChF,QAAM,EAAE,QAAQ,OAAO,YAAY,OAAO,IAAI;AAG9C,QAAM,WAAW,UAAU,sBAAsB;AAAA,IAC/C;AAAA,IACA,gBAAgB,MAAM;AAAA,IACtB,SAAS,MAAM;AAAA,IACf,OAAO,MAAM;AAAA,EACf,CAAC;AAED,QAAM,SAAS,UAAU,IAAa,QAAQ;AAC9C,MAAI,WAAW,MAAM;AACnB,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,MAAM,YAAY,KAAK;AAGtC,YAAU,IAAI,UAAU,MAAM;AAE9B,SAAO;AACT;AAQA,eAAsB,cAAc,OAA0C;AAC5E,SAAO,YAAY,KAAK;AAC1B;AAQA,eAAsB,iBAAiB,OAKlB;AACnB,QAAM,EAAE,aAAa,GAAG,UAAU,IAAI;AAEtC,aAAW,cAAc,aAAa;AACpC,UAAMC,iBAAgB,MAAM,YAAY;AAAA,MACtC,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAED,QAAIA,gBAAe;AACjB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAQA,eAAsB,kBAAkB,OAKnB;AACnB,QAAM,EAAE,aAAa,GAAG,UAAU,IAAI;AAEtC,aAAW,cAAc,aAAa;AACpC,UAAMA,iBAAgB,MAAM,YAAY;AAAA,MACtC,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAED,QAAI,CAACA,gBAAe;AAClB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAQA,eAAsB,aAAa,QAAgC;AACjE,QAAM,SAAS,UAAU;AACzB,SAAO,OAAO,iBAAiB,EAAE,MAAM;AACzC;AASA,eAAsB,oBAAoB,QAAc,gBAAwC;AAC9F,QAAM,cAAc,MAAM,eAAe;AAAA,IACvC;AAAA,IACA,OAAO,EAAE,eAAe;AAAA,EAC1B,CAAC;AAED,SAAO,gBAAgB,WAAW,gBAAgB;AACpD;AASA,eAAsB,aAAa,QAAc,OAAgC;AAC/E,MAAI,CAAC,MAAM,WAAW,CAAC,MAAM,OAAO;AAClC,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,MAAM,eAAe,EAAE,QAAQ,MAAM,CAAC;AAC1D,SAAO,gBAAgB,WAAW,gBAAgB;AACpD;AAQO,SAAS,oBAAoB,QAAc,gBAA6B;AAC7E,MAAI,gBAAgB;AAClB,cAAU,WAAW,eAAe,WAAW,QAAQ,cAAc,CAAC;AAAA,EACxE,OAAO;AACL,cAAU,WAAW,eAAe,KAAK,MAAM,CAAC;AAAA,EAClD;AACF;AAOO,SAAS,4BAA4B,gBAA4B;AACtE,YAAU,WAAW,eAAe,aAAa,cAAc,CAAC;AAClE;AAOO,SAAS,qBAAqB,SAAuB;AAC1D,YAAU,WAAW,eAAe,MAAM,OAAO,CAAC;AACpD;AAOO,SAAS,mBAAmB,OAAmB;AACpD,YAAU,WAAW,eAAe,IAAI,KAAK,CAAC;AAChD;AAKO,SAAS,aAAmB;AACjC,YAAU,MAAM;AAClB;","names":["isSuperAdmin","hasPermission","hasPermission"]}

package/dist/chunk-XIJMMBDD.js

@@ -0,0 +1,73 @@
+// src/types/unified.ts
+var AuthErrorCode = /* @__PURE__ */ ((AuthErrorCode2) => {
+  AuthErrorCode2["UNKNOWN_ERROR"] = "UNKNOWN_ERROR";
+  AuthErrorCode2["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
+  AuthErrorCode2["USER_NOT_FOUND"] = "USER_NOT_FOUND";
+  AuthErrorCode2["EMAIL_NOT_CONFIRMED"] = "EMAIL_NOT_CONFIRMED";
+  AuthErrorCode2["PASSWORD_TOO_WEAK"] = "PASSWORD_TOO_WEAK";
+  AuthErrorCode2["WEAK_PASSWORD"] = "WEAK_PASSWORD";
+  AuthErrorCode2["RATE_LIMITED"] = "RATE_LIMITED";
+  AuthErrorCode2["RATE_LIMIT_EXCEEDED"] = "RATE_LIMIT_EXCEEDED";
+  AuthErrorCode2["SESSION_EXPIRED"] = "SESSION_EXPIRED";
+  AuthErrorCode2["PERMISSION_DENIED"] = "PERMISSION_DENIED";
+  AuthErrorCode2["NETWORK_ERROR"] = "NETWORK_ERROR";
+  return AuthErrorCode2;
+})(AuthErrorCode || {});
+var PermissionErrorCode = /* @__PURE__ */ ((PermissionErrorCode2) => {
+  PermissionErrorCode2["INSUFFICIENT_PERMISSIONS"] = "INSUFFICIENT_PERMISSIONS";
+  PermissionErrorCode2["INVALID_PERMISSION"] = "INVALID_PERMISSION";
+  PermissionErrorCode2["PERMISSION_CHECK_FAILED"] = "PERMISSION_CHECK_FAILED";
+  PermissionErrorCode2["ACCESS_DENIED"] = "ACCESS_DENIED";
+  return PermissionErrorCode2;
+})(PermissionErrorCode || {});
+var AccessLevel = /* @__PURE__ */ ((AccessLevel2) => {
+  AccessLevel2["NONE"] = "none";
+  AccessLevel2["VIEWER"] = "viewer";
+  AccessLevel2["PARTICIPANT"] = "participant";
+  AccessLevel2["EDITOR"] = "editor";
+  AccessLevel2["PLANNER"] = "planner";
+  AccessLevel2["ADMIN"] = "admin";
+  AccessLevel2["SUPER_ADMIN"] = "super_admin";
+  AccessLevel2["SUPER"] = "super";
+  return AccessLevel2;
+})(AccessLevel || {});
+function createUserId(id) {
+  return id;
+}
+function createSessionToken(token) {
+  return token;
+}
+function createPermissionString(permission) {
+  return permission;
+}
+function createRequestId(id) {
+  return id;
+}
+function isUserId(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function isSessionToken(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function isPermissionString(value) {
+  if (typeof value !== "string" || value.length === 0) return false;
+  return value.includes(":") && value.split(":").length === 2;
+}
+function isRequestId(value) {
+  return typeof value === "string" && value.length > 0;
+}
+
+export {
+  AuthErrorCode,
+  PermissionErrorCode,
+  AccessLevel,
+  createUserId,
+  createSessionToken,
+  createPermissionString,
+  createRequestId,
+  isUserId,
+  isSessionToken,
+  isPermissionString,
+  isRequestId
+};
+//# sourceMappingURL=chunk-XIJMMBDD.js.map

package/dist/chunk-XIJMMBDD.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/types/unified.ts"],"sourcesContent":["/**\n * @file Unified types for PACE Core\n * @package @jmruthers/pace-core\n * @module unified\n * @since 0.1.0\n */\n\n/**\n * @file Unified Types for DataTable\n * @package @jmruthers/pace-core\n * @module Types\n * @since 0.3.0\n */\n\n// Authentication Error Codes\nexport enum AuthErrorCode {\n  UNKNOWN_ERROR = 'UNKNOWN_ERROR',\n  INVALID_CREDENTIALS = 'INVALID_CREDENTIALS',\n  USER_NOT_FOUND = 'USER_NOT_FOUND',\n  EMAIL_NOT_CONFIRMED = 'EMAIL_NOT_CONFIRMED',\n  PASSWORD_TOO_WEAK = 'PASSWORD_TOO_WEAK',\n  WEAK_PASSWORD = 'WEAK_PASSWORD',\n  RATE_LIMITED = 'RATE_LIMITED',\n  RATE_LIMIT_EXCEEDED = 'RATE_LIMIT_EXCEEDED',\n  SESSION_EXPIRED = 'SESSION_EXPIRED',\n  PERMISSION_DENIED = 'PERMISSION_DENIED',\n  NETWORK_ERROR = 'NETWORK_ERROR'\n}\n\n// Permission Error Codes\nexport enum PermissionErrorCode {\n  INSUFFICIENT_PERMISSIONS = 'INSUFFICIENT_PERMISSIONS',\n  INVALID_PERMISSION = 'INVALID_PERMISSION',\n  PERMISSION_CHECK_FAILED = 'PERMISSION_CHECK_FAILED',\n  ACCESS_DENIED = 'ACCESS_DENIED'\n}\n\n// Access Levels - using lowercase to match test expectations\nexport enum AccessLevel {\n  NONE = 'none',\n  VIEWER = 'viewer',\n  PARTICIPANT = 'participant',\n  EDITOR = 'editor',\n  PLANNER = 'planner',\n  ADMIN = 'admin',\n  SUPER_ADMIN = 'super_admin',\n  SUPER = 'super'\n}\n\n// Branded Types\nexport type UserId = string & { __brand: 'UserId' };\nexport type SessionToken = string & { __brand: 'SessionToken' };\nexport type PermissionString = string & { __brand: 'PermissionString' };\nexport type RequestId = string & { __brand: 'RequestId' };\n\n// Branded Type Creators\nexport function createUserId(id: string): UserId {\n  return id as UserId;\n}\n\nexport function createSessionToken(token: string): SessionToken {\n  return token as SessionToken;\n}\n\nexport function createPermissionString(permission: string): PermissionString {\n  return permission as PermissionString;\n}\n\nexport function createRequestId(id: string): RequestId {\n  return id as RequestId;\n}\n\n// Type Guards for branded types\nexport function isUserId(value: unknown): value is UserId {\n  return typeof value === 'string' && value.length > 0;\n}\n\nexport function isSessionToken(value: unknown): value is SessionToken {\n  return typeof value === 'string' && value.length > 0;\n}\n\nexport function isPermissionString(value: unknown): value is PermissionString {\n  if (typeof value !== 'string' || value.length === 0) return false;\n  // Basic validation for permission format (resource:action)\n  return value.includes(':') && value.split(':').length === 2;\n}\n\nexport function isRequestId(value: unknown): value is RequestId {\n  return typeof value === 'string' && value.length > 0;\n}\n\n// Permission Types\nexport type PermissionMap = Record<string, boolean>;\n\n// Permission Context\nexport interface PermissionContext {\n  eventId?: string;\n  appName?: string;\n  userId?: string;\n}\n\n// Auth Error Interface - Define locally to avoid circular dependency\nexport interface AuthError extends Error {\n  __isAuthError: true;\n  name: 'AuthError';\n  message: string;\n  code: AuthErrorCode;\n  user_message: string;\n  timestamp: number;\n}\n\n// Permission Error Interface\nexport interface PermissionError extends Error {\n  __isPermissionError: true;\n  name: 'PermissionError';\n  message: string;\n  code: PermissionErrorCode;\n  timestamp: number;\n}\n\n// Theme Types - Consolidated from theme.ts\nexport interface ThemeColors {\n  primary: string;\n  secondary: string;\n  hover?: string;\n  active?: string;\n  bgSoft?: string;\n}\n\nexport interface EventTheme {\n  dark: ThemeColors;\n  mid: ThemeColors;\n  light: ThemeColors;\n}\n\n// Event Types - Updated to match database schema exactly with organisation context\nexport interface Event {\n  // Primary identification\n  id: string;\n  event_id: string;\n  event_name: string;\n  event_code?: string;\n  \n  // Organisation context - MANDATORY for security\n  organisation_id: string;\n  \n  // Event details\n  event_date?: string; // Use event_date from database for proper sorting\n  event_days?: number;\n  event_venue?: string;\n  event_participants?: number;\n  is_visible?: boolean;\n  \n  // Visual branding\n  event_logo?: string;\n  event_colours?: Record<string, unknown> | null; // JSONB field for theme colors\n  event_col_d1?: string;\n  event_col_d2?: string;\n  event_col_m1?: string;\n  event_col_m2?: string;\n  event_col_l1?: string;\n  event_col_l2?: string;\n  \n  // Additional metadata\n  event_news?: string;\n  event_billing?: string;\n  event_catering_email?: string;\n  event_email?: string;\n  event_footer?: string;\n  event_rounddown?: number;\n  event_youthmultiplier?: number;\n  event_typicalunit?: number;\n  \n  // Timestamps\n  created_at: string;\n  updated_at: string;\n  created_by?: string;\n  updated_by?: string;\n  \n  // Legacy compatibility\n  name?: string; // Alias for event_name\n  description?: string;\n  start_date?: string; // Alias for event_date\n  end_date?: string;\n  theme_colors?: EventTheme;\n}\n\n// Event Context Type\nexport interface EventContextType {\n  selectedEvent: Event | null;\n  currentEvent: Event | null; // Added missing property\n  events: Event[];\n  isLoading: boolean;\n  error: string | null;\n  selectEvent: (event: Event) => void;\n  setCurrentEvent: (event: Event | null) => void; // Added missing property\n  clearSelection: () => void;\n  refreshEvents: () => Promise<void>;\n  createEvent: (event: Partial<Event>) => Promise<Event>;\n  updateEvent: (id: string, updates: Partial<Event>) => Promise<Event>;\n  deleteEvent: (id: string) => Promise<void>;\n}\n\n// RBAC Types\nexport interface UserPermissions {\n  user_id: UserId;\n  accessLevel: AccessLevel;\n  permissions: PermissionMap;\n  roles: string[];\n}\n\n// Re-export standard Supabase types for consistency\n// Note: These are the same as what's in @supabase/supabase-js\nexport interface User {\n  id: string;\n  email?: string;\n  created_at: string;\n  updated_at: string;\n  email_confirmed_at?: string;\n  last_sign_in_at?: string;\n  user_metadata?: Record<string, unknown>;\n  app_metadata?: Record<string, unknown>;\n}\n\nexport interface Session {\n  access_token: string;\n  refresh_token?: string;\n  expires_in: number;\n  expires_at: number;\n  token_type: string;\n  user: User;\n  provider_token?: string;\n  provider_refresh_token?: string;\n}\n\nexport interface DataRecord {\n  id: string | number;\n  [key: string]: unknown;\n}\n\nexport interface DataTableAction<T = unknown> {\n  label: string;\n  onClick: (row: T) => void;\n  testId?: string;\n  disabled?: boolean | ((row: T) => boolean);\n  variant?: 'primary' | 'secondary' | 'destructive';\n}\n\nexport interface DataTableColumn<T = unknown> {\n  id?: string;\n  key: string;\n  label: string;\n  sortable?: boolean;\n  filterable?: boolean;\n  accessorKey?: keyof T;\n  accessorFn?: (row: T) => unknown;\n  cell?: (value: unknown, row: T) => React.ReactNode;\n  header?: React.ReactNode;\n  enableSorting?: boolean;\n  enableColumnFilter?: boolean;\n  enableGrouping?: boolean;\n  enableHiding?: boolean;\n}\n"],"mappings":";AAeO,IAAK,gBAAL,kBAAKA,mBAAL;AACL,EAAAA,eAAA,mBAAgB;AAChB,EAAAA,eAAA,yBAAsB;AACtB,EAAAA,eAAA,oBAAiB;AACjB,EAAAA,eAAA,yBAAsB;AACtB,EAAAA,eAAA,uBAAoB;AACpB,EAAAA,eAAA,mBAAgB;AAChB,EAAAA,eAAA,kBAAe;AACf,EAAAA,eAAA,yBAAsB;AACtB,EAAAA,eAAA,qBAAkB;AAClB,EAAAA,eAAA,uBAAoB;AACpB,EAAAA,eAAA,mBAAgB;AAXN,SAAAA;AAAA,GAAA;AAeL,IAAK,sBAAL,kBAAKC,yBAAL;AACL,EAAAA,qBAAA,8BAA2B;AAC3B,EAAAA,qBAAA,wBAAqB;AACrB,EAAAA,qBAAA,6BAA0B;AAC1B,EAAAA,qBAAA,mBAAgB;AAJN,SAAAA;AAAA,GAAA;AAQL,IAAK,cAAL,kBAAKC,iBAAL;AACL,EAAAA,aAAA,UAAO;AACP,EAAAA,aAAA,YAAS;AACT,EAAAA,aAAA,iBAAc;AACd,EAAAA,aAAA,YAAS;AACT,EAAAA,aAAA,aAAU;AACV,EAAAA,aAAA,WAAQ;AACR,EAAAA,aAAA,iBAAc;AACd,EAAAA,aAAA,WAAQ;AARE,SAAAA;AAAA,GAAA;AAkBL,SAAS,aAAa,IAAoB;AAC/C,SAAO;AACT;AAEO,SAAS,mBAAmB,OAA6B;AAC9D,SAAO;AACT;AAEO,SAAS,uBAAuB,YAAsC;AAC3E,SAAO;AACT;AAEO,SAAS,gBAAgB,IAAuB;AACrD,SAAO;AACT;AAGO,SAAS,SAAS,OAAiC;AACxD,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS;AACrD;AAEO,SAAS,eAAe,OAAuC;AACpE,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS;AACrD;AAEO,SAAS,mBAAmB,OAA2C;AAC5E,MAAI,OAAO,UAAU,YAAY,MAAM,WAAW,EAAG,QAAO;AAE5D,SAAO,MAAM,SAAS,GAAG,KAAK,MAAM,MAAM,GAAG,EAAE,WAAW;AAC5D;AAEO,SAAS,YAAY,OAAoC;AAC9D,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS;AACrD;","names":["AuthErrorCode","PermissionErrorCode","AccessLevel"]}

package/dist/{chunk-7BNPOCLL.js → chunk-YNU5QJ4S.js}

@@ -30,14 +30,6 @@ var RBACAuditManager = class {
     if (!this.enabled) {
       return;
     }
-    if (!event.userId || !event.organisationId) {
-      console.warn("[RBAC Audit] Skipping audit event - missing required fields:", {
-        userId: event.userId,
-        organisationId: event.organisationId,
-        eventType: event.type
-      });
-      return;
-    }
     try {
       const auditEvent = {
         event_type: event.type,
@@ -48,24 +40,15 @@ var RBACAuditManager = class {
         page_id: "pageId" in event ? event.pageId : void 0,
         permission: "permission" in event ? event.permission : void 0,
         decision: "decision" in event ? event.decision : void 0,
-        source: "source" in event ? event.source : "api",
-        // Default to 'api' if not provided
+        source: "source" in event ? event.source : void 0,
         bypass: "bypass" in event ? event.bypass : void 0,
         duration_ms: "duration_ms" in event ? event.duration_ms : void 0,
         metadata: event.metadata || {}
       };
-      const { error } = await this.supabase.from("rbac_audit_events").insert([auditEvent]);
+      const { error } = await this.supabase.from("rbac_audit_events").insert(auditEvent);
       if (error) {
-        console.warn("[RBAC Audit] Failed to insert audit event:", {
-          error: error.message,
-          code: error.code,
-          details: error.details,
-          hint: error.hint,
-          event: auditEvent
-        });
       }
-    } catch (error) {
-      console.error("[RBAC Audit] Unexpected error during audit logging:", error);
+    } catch (_error) {
     }
   }
   /**
@@ -108,7 +91,7 @@ var RBACAuditManager = class {
    */
   async emitRoleRevoked(event) {
     await this.emitEvent({
-      type: "role_denied",
+      type: "role_revoked",
       ...event
     });
   }
@@ -175,4 +158,4 @@ export {
   getGlobalAuditManager,
   emitAuditEvent
 };
-//# sourceMappingURL=chunk-7BNPOCLL.js.map
+//# sourceMappingURL=chunk-YNU5QJ4S.js.map

package/dist/chunk-YNU5QJ4S.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/rbac/audit.ts"],"sourcesContent":["/**\n * RBAC Audit Events System\n * @package @jmruthers/pace-core\n * @module RBAC/Audit\n * @since 1.0.0\n * \n * This module provides structured audit event emission for all RBAC operations.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { \n  UUID, \n  AuditEventSource, \n  RBACAuditEvent \n} from './types';\n\n/**\n * Audit event payload for permission checks\n */\nexport interface PermissionCheckAuditEvent {\n  type: 'permission_check';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  pageId?: UUID;\n  permission: string;\n  decision: boolean;\n  source: AuditEventSource;\n  bypass?: boolean;\n  duration_ms: number;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for permission denied\n */\nexport interface PermissionDeniedAuditEvent {\n  type: 'permission_denied';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  pageId?: UUID;\n  permission: string;\n  source: AuditEventSource;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role granted\n */\nexport interface RoleGrantedAuditEvent {\n  type: 'role_granted';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  role: string;\n  grantedBy: UUID;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role revoked\n */\nexport interface RoleRevokedAuditEvent {\n  type: 'role_revoked';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  role: string;\n  revokedBy: UUID;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for RLS denied\n */\nexport interface RLSDeniedAuditEvent {\n  type: 'rls_denied';\n  userId: UUID;\n  organisationId: UUID;\n  table: string;\n  operation: string;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Union type for all audit events\n */\nexport type AuditEventPayload = \n  | PermissionCheckAuditEvent\n  | PermissionDeniedAuditEvent\n  | RoleGrantedAuditEvent\n  | RoleRevokedAuditEvent\n  | RLSDeniedAuditEvent;\n\n/**\n * RBAC Audit Manager\n * \n * Handles emission of structured audit events for all RBAC operations.\n */\nexport class RBACAuditManager {\n  private supabase: SupabaseClient<Database>;\n  private enabled: boolean = true;\n\n  constructor(supabase: SupabaseClient<Database>) {\n    this.supabase = supabase;\n  }\n\n  /**\n   * Enable or disable audit logging\n   * \n   * @param enabled - Whether to enable audit logging\n   */\n  setEnabled(enabled: boolean): void {\n    this.enabled = enabled;\n  }\n\n  /**\n   * Check if audit logging is enabled\n   * \n   * @returns True if audit logging is enabled\n   */\n  isEnabled(): boolean {\n    return this.enabled;\n  }\n\n  /**\n   * Emit an audit event\n   * \n   * @param event - Audit event payload\n   * @returns Promise that resolves when event is logged\n   */\n  async emitEvent(event: AuditEventPayload): Promise<void> {\n    if (!this.enabled) {\n      return;\n    }\n\n    try {\n      const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {\n        event_type: event.type,\n        user_id: event.userId,\n        organisation_id: event.organisationId,\n        event_id: 'eventId' in event ? event.eventId : undefined,\n        app_id: 'appId' in event ? event.appId : undefined,\n        page_id: 'pageId' in event ? event.pageId : undefined,\n        permission: 'permission' in event ? event.permission : undefined,\n        decision: 'decision' in event ? event.decision : undefined,\n        source: 'source' in event ? event.source : undefined,\n        bypass: 'bypass' in event ? event.bypass : undefined,\n        duration_ms: 'duration_ms' in event ? event.duration_ms : undefined,\n        metadata: event.metadata || {},\n      };\n\n      const { error } = await this.supabase\n        .from('rbac_audit_events')\n        .insert(auditEvent);\n\n      if (error) {\n        // Failed to emit audit event - error logged via RBAC logger\n        // Don't throw - audit failures shouldn't break the main flow\n      }\n    } catch (_error) {\n      // Error emitting audit event - error logged via RBAC logger\n      // Don't throw - audit failures shouldn't break the main flow\n    }\n  }\n\n  /**\n   * Emit a permission check audit event\n   * \n   * @param event - Permission check event data\n   */\n  async emitPermissionCheck(event: Omit<PermissionCheckAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'permission_check',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit a permission denied audit event\n   * \n   * @param event - Permission denied event data\n   */\n  async emitPermissionDenied(event: Omit<PermissionDeniedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'permission_denied',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit a role granted audit event\n   * \n   * @param event - Role granted event data\n   */\n  async emitRoleGranted(event: Omit<RoleGrantedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'role_granted',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit a role revoked audit event\n   * \n   * @param event - Role revoked event data\n   */\n  async emitRoleRevoked(event: Omit<RoleRevokedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'role_revoked',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit an RLS denied audit event\n   * \n   * @param event - RLS denied event data\n   */\n  async emitRLSDenied(event: Omit<RLSDeniedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'rls_denied',\n      ...event,\n    });\n  }\n\n  /**\n   * Get audit events for a user\n   * \n   * @param userId - User ID\n   * @param limit - Maximum number of events to return\n   * @returns Promise resolving to audit events\n   */\n  async getUserAuditEvents(userId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n    const { data, error } = await this.supabase\n      .from('rbac_audit_events')\n      .select('*')\n      .eq('user_id', userId)\n      .order('created_at', { ascending: false })\n      .limit(limit);\n\n    if (error) {\n      throw new Error(`Failed to get audit events: ${error.message}`);\n    }\n\n    return data || [];\n  }\n\n  /**\n   * Get audit events for an organisation\n   * \n   * @param organisationId - Organisation ID\n   * @param limit - Maximum number of events to return\n   * @returns Promise resolving to audit events\n   */\n  async getOrganisationAuditEvents(organisationId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n    const { data, error } = await this.supabase\n      .from('rbac_audit_events')\n      .select('*')\n      .eq('organisation_id', organisationId)\n      .order('created_at', { ascending: false })\n      .limit(limit);\n\n    if (error) {\n      throw new Error(`Failed to get audit events: ${error.message}`);\n    }\n\n    return data || [];\n  }\n}\n\n/**\n * Create an audit manager instance\n * \n * @param supabase - Supabase client\n * @returns RBACAuditManager instance\n */\nexport function createAuditManager(supabase: SupabaseClient<Database>): RBACAuditManager {\n  return new RBACAuditManager(supabase);\n}\n\n/**\n * Global audit manager instance\n * \n * This is set by the RBAC engine when it initializes.\n */\nlet globalAuditManager: RBACAuditManager | null = null;\n\n/**\n * Set the global audit manager\n * \n * @param manager - Audit manager instance\n */\nexport function setGlobalAuditManager(manager: RBACAuditManager): void {\n  globalAuditManager = manager;\n}\n\n/**\n * Get the global audit manager\n * \n * @returns Global audit manager or null if not set\n */\nexport function getGlobalAuditManager(): RBACAuditManager | null {\n  return globalAuditManager;\n}\n\n/**\n * Emit an audit event using the global audit manager\n * \n * @param event - Audit event payload\n */\nexport async function emitAuditEvent(event: AuditEventPayload): Promise<void> {\n  if (globalAuditManager) {\n    await globalAuditManager.emitEvent(event);\n  }\n}\n"],"mappings":";AAyGO,IAAM,mBAAN,MAAuB;AAAA,EAI5B,YAAY,UAAoC;AAFhD,SAAQ,UAAmB;AAGzB,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAW,SAAwB;AACjC,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,UAAU,OAAyC;AACvD,QAAI,CAAC,KAAK,SAAS;AACjB;AAAA,IACF;AAEA,QAAI;AACF,YAAM,aAAwD;AAAA,QAC5D,YAAY,MAAM;AAAA,QAClB,SAAS,MAAM;AAAA,QACf,iBAAiB,MAAM;AAAA,QACvB,UAAU,aAAa,QAAQ,MAAM,UAAU;AAAA,QAC/C,QAAQ,WAAW,QAAQ,MAAM,QAAQ;AAAA,QACzC,SAAS,YAAY,QAAQ,MAAM,SAAS;AAAA,QAC5C,YAAY,gBAAgB,QAAQ,MAAM,aAAa;AAAA,QACvD,UAAU,cAAc,QAAQ,MAAM,WAAW;AAAA,QACjD,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA,QAC3C,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA,QAC3C,aAAa,iBAAiB,QAAQ,MAAM,cAAc;AAAA,QAC1D,UAAU,MAAM,YAAY,CAAC;AAAA,MAC/B;AAEA,YAAM,EAAE,MAAM,IAAI,MAAM,KAAK,SAC1B,KAAK,mBAAmB,EACxB,OAAO,UAAU;AAEpB,UAAI,OAAO;AAAA,MAGX;AAAA,IACF,SAAS,QAAQ;AAAA,IAGjB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,oBAAoB,OAA+D;AACvF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,qBAAqB,OAAgE;AACzF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,cAAc,OAAyD;AAC3E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,mBAAmB,QAAc,QAAgB,KAAgC;AACrF,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,GAAG,EACV,GAAG,WAAW,MAAM,EACpB,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AACT,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,WAAO,QAAQ,CAAC;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,2BAA2B,gBAAsB,QAAgB,KAAgC;AACrG,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,GAAG,EACV,GAAG,mBAAmB,cAAc,EACpC,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AACT,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,WAAO,QAAQ,CAAC;AAAA,EAClB;AACF;AAQO,SAAS,mBAAmB,UAAsD;AACvF,SAAO,IAAI,iBAAiB,QAAQ;AACtC;AAOA,IAAI,qBAA8C;AAO3C,SAAS,sBAAsB,SAAiC;AACrE,uBAAqB;AACvB;AAOO,SAAS,wBAAiD;AAC/D,SAAO;AACT;AAOA,eAAsB,eAAe,OAAyC;AAC5E,MAAI,oBAAoB;AACtB,UAAM,mBAAmB,UAAU,KAAK;AAAA,EAC1C;AACF;","names":[]}