@jmruthers/pace-core 0.2.7 → 0.5.1

package/dist/rbac/index.js

@@ -1,3 +1,12 @@
+import {
+  useAccessLevel,
+  useCachedPermissions,
+  useCan,
+  useHasAllPermissions,
+  useHasAnyPermission,
+  useMultiplePermissions,
+  usePermissions
+} from "../chunk-AUE24LVR.js";
 import {
   CACHE_PATTERNS,
   OrganisationContextRequiredError,
@@ -28,19 +37,19 @@ import {
 } from "../chunk-7BNPOCLL.js";
 import {
   useSecureDataAccess
-} from "../chunk-TIVL4UQ7.js";
+} from "../chunk-XJK2J4N6.js";
+import "../chunk-COBPIXXQ.js";
 import {
   init_UnifiedAuthProvider,
   useUnifiedAuth
-} from "../chunk-BEZRLNK3.js";
-import "../chunk-ETEJVKYK.js";
+} from "../chunk-6CR3MRZN.js";
 import "../chunk-YDJW5XTN.js";
 import {
   getCurrentAppName,
   init_appNameResolver
 } from "../chunk-MZBUOP4P.js";
-import "../chunk-2V3Y6YBC.js";
-import "../chunk-OHXGNT3K.js";
+import "../chunk-OEGRKULD.js";
+import "../chunk-OYRY44Q2.js";
 import "../chunk-PLDDJCW6.js";
 
 // src/rbac/secureClient.ts
@@ -170,833 +179,523 @@ function fromSupabaseClient(client, organisationId, eventId, appId) {
   throw new Error("fromSupabaseClient is not supported. Use createSecureClient instead.");
 }
 
-// src/rbac/hooks.ts
-import { useState, useEffect, useCallback, useMemo } from "react";
-function usePermissions(userId, scope) {
-  const [permissions, setPermissions] = useState({});
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const fetchPermissions = useCallback(async () => {
-    if (!userId) {
-      setPermissions({});
-      setIsLoading(false);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      const result = await getPermissionMap({ userId, scope });
-      setPermissions(result);
-    } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to fetch permissions"));
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
-  useEffect(() => {
-    fetchPermissions();
-  }, [fetchPermissions]);
-  return {
-    permissions,
-    isLoading,
-    error,
-    refetch: fetchPermissions
-  };
-}
-function useCan(userId, scope, permission, pageId, useCache = true) {
-  const [can, setCan] = useState(false);
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const check = useCallback(async () => {
-    console.log("[useCan] check() called with:", { userId, scope, permission, pageId });
-    console.log("[useCan] Hook parameters:", { userId, scope, permission, pageId, useCache });
-    if (!userId) {
-      console.log("[useCan] No userId, denying access");
-      setCan(false);
-      setIsLoading(false);
-      return;
-    }
-    try {
-      const { isSuperAdmin } = await import("../api-ETQ6YJ3C.js");
-      const isSuper = await isSuperAdmin(userId);
-      if (isSuper) {
-        console.log("[useCan] User is super admin, granting access");
-        setCan(true);
-        setIsLoading(false);
-        return;
-      }
-    } catch (error2) {
-      console.error("[useCan] Error checking super admin status:", error2);
-    }
-    if (!scope || !scope.organisationId || !scope.appId) {
-      console.log("[useCan] Incomplete scope, waiting for resolution:", scope);
-      setCan(false);
-      setIsLoading(true);
-      return;
-    }
-    console.log("[useCan] Scope is complete, checking permission...");
-    console.log("[useCan] Detailed scope info:", {
-      organisationId: scope.organisationId,
-      eventId: scope.eventId,
-      appId: scope.appId,
-      permission,
+// src/rbac/components/PagePermissionProvider.tsx
+init_UnifiedAuthProvider();
+import { createContext, useContext, useState, useCallback, useMemo, useEffect } from "react";
+import { jsx } from "react/jsx-runtime";
+var PagePermissionContext = createContext(null);
+function PagePermissionProvider({
+  children,
+  strictMode = true,
+  auditLog = true,
+  onPageAccess,
+  onStrictModeViolation,
+  maxHistorySize = 1e3
+}) {
+  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
+  const [pageAccessHistory, setPageAccessHistory] = useState([]);
+  const [isEnabled, setIsEnabled] = useState(true);
+  const currentScope = useMemo(() => {
+    if (!selectedOrganisationId) return null;
+    return {
+      organisationId: selectedOrganisationId,
+      eventId: selectedEventId || void 0,
+      appId: void 0
+    };
+  }, [selectedOrganisationId, selectedEventId]);
+  const hasPagePermission = useCallback((pageName, operation, pageId, scope) => {
+    if (!isEnabled) return true;
+    if (!user?.id) return false;
+    const effectiveScope = scope || currentScope;
+    if (!effectiveScope) return false;
+    const permission = `${operation}:page.${pageName}`;
+    return false;
+  }, [isEnabled, user?.id, currentScope]);
+  const getPagePermissions = useCallback(() => {
+    if (!isEnabled || !user?.id) return {};
+    return {};
+  }, [isEnabled, user?.id]);
+  const getPageAccessHistory = useCallback(() => {
+    return [...pageAccessHistory];
+  }, [pageAccessHistory]);
+  const clearPageAccessHistory = useCallback(() => {
+    setPageAccessHistory([]);
+  }, []);
+  const recordPageAccess = useCallback((pageName, operation, allowed, pageId, scope) => {
+    if (!auditLog || !user?.id) return;
+    const record = {
+      pageName,
+      operation,
+      userId: user.id,
+      scope: scope || currentScope || { organisationId: "" },
+      allowed,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       pageId
+    };
+    setPageAccessHistory((prev) => {
+      const newHistory = [record, ...prev];
+      return newHistory.slice(0, maxHistorySize);
     });
-    try {
-      setIsLoading(true);
-      setError(null);
-      console.log("[useCan] About to call isPermitted/isPermittedCached...");
-      const result = useCache ? await isPermittedCached({ userId, scope, permission, pageId }) : await isPermitted({ userId, scope, permission, pageId });
-      console.log("[useCan] Permission check result:", result);
-      console.log("[useCan] Permission check details:", {
-        userId,
-        scope,
-        permission,
-        pageId,
-        result,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-      setCan(result);
-    } catch (err) {
-      console.error("[useCan] Permission check error:", err);
-      console.error("[useCan] Error details:", {
-        userId,
-        scope,
-        permission,
-        pageId,
-        error: err instanceof Error ? err.message : "Unknown error",
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-      setError(err instanceof Error ? err : new Error("Failed to check permission"));
-      setCan(false);
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId, permission, pageId, useCache]);
-  useEffect(() => {
-    check();
-  }, [check]);
-  return {
-    can,
-    isLoading,
-    error,
-    check
-  };
-}
-function useAccessLevel(userId, scope) {
-  const [accessLevel, setAccessLevel] = useState(null);
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const fetchAccessLevel = useCallback(async () => {
-    if (!userId) {
-      setAccessLevel(null);
-      setIsLoading(false);
-      return;
+    if (onPageAccess) {
+      onPageAccess(pageName, operation, allowed, record);
     }
-    try {
-      setIsLoading(true);
-      setError(null);
-      const result = await getAccessLevel({ userId, scope });
-      setAccessLevel(result);
-    } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to fetch access level"));
-      setAccessLevel(null);
-    } finally {
-      setIsLoading(false);
+    if (strictMode && !allowed && onStrictModeViolation) {
+      onStrictModeViolation(pageName, operation, record);
     }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
+  }, [auditLog, user?.id, currentScope, maxHistorySize, onPageAccess, onStrictModeViolation, strictMode]);
+  const contextValue = useMemo(() => ({
+    hasPagePermission,
+    getPagePermissions,
+    isEnabled,
+    isStrictMode: strictMode,
+    isAuditLogEnabled: auditLog,
+    getPageAccessHistory,
+    clearPageAccessHistory
+  }), [
+    hasPagePermission,
+    getPagePermissions,
+    isEnabled,
+    strictMode,
+    auditLog,
+    getPageAccessHistory,
+    clearPageAccessHistory
+  ]);
   useEffect(() => {
-    fetchAccessLevel();
-  }, [fetchAccessLevel]);
-  return {
-    accessLevel,
-    isLoading,
-    error,
-    refetch: fetchAccessLevel
-  };
-}
-function useMultiplePermissions(userId, scope, permissions, pageId, useCache = true) {
-  const [permissionResults, setPermissionResults] = useState({});
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const fetchPermissions = useCallback(async () => {
-    if (!userId || permissions.length === 0) {
-      setPermissionResults({});
-      setIsLoading(false);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      const results = {};
-      const promises = permissions.map(async (permission) => {
-        const result = useCache ? await isPermittedCached({ userId, scope, permission, pageId }) : await isPermitted({ userId, scope, permission, pageId });
-        return { permission, result };
-      });
-      const resolved = await Promise.all(promises);
-      resolved.forEach(({ permission, result }) => {
-        results[permission] = result;
-      });
-      setPermissionResults(results);
-    } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to check permissions"));
-      setPermissionResults({});
-    } finally {
-      setIsLoading(false);
+    if (strictMode && auditLog) {
+      console.log(`[PagePermissionProvider] Strict mode enabled - all page access attempts will be logged and enforced`);
     }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, pageId, useCache]);
-  useEffect(() => {
-    fetchPermissions();
-  }, [fetchPermissions]);
-  return {
-    permissions: permissionResults,
-    isLoading,
-    error,
-    refetch: fetchPermissions
-  };
+  }, [strictMode, auditLog]);
+  return /* @__PURE__ */ jsx(PagePermissionContext.Provider, { value: contextValue, children });
 }
-function useHasAnyPermission(userId, scope, permissions, pageId) {
-  const { permissions: permissionResults, isLoading, error, refetch } = useMultiplePermissions(
-    userId,
-    scope,
-    permissions,
-    pageId
-  );
-  const hasAny = useMemo(() => {
-    return Object.values(permissionResults).some(Boolean);
-  }, [permissionResults]);
-  return {
-    hasAny,
-    isLoading,
-    error,
-    refetch
-  };
+function usePagePermissions() {
+  const context = useContext(PagePermissionContext);
+  if (!context) {
+    throw new Error("usePagePermissions must be used within a PagePermissionProvider");
+  }
+  return context;
 }
-function useHasAllPermissions(userId, scope, permissions, pageId) {
-  const { permissions: permissionResults, isLoading, error, refetch } = useMultiplePermissions(
-    userId,
-    scope,
-    permissions,
-    pageId
-  );
-  const hasAll = useMemo(() => {
-    return Object.values(permissionResults).every(Boolean);
-  }, [permissionResults]);
-  return {
-    hasAll,
-    isLoading,
-    error,
-    refetch
-  };
+
+// src/rbac/components/PagePermissionGuard.tsx
+import { useMemo as useMemo2, useEffect as useEffect2, useState as useState2 } from "react";
+init_UnifiedAuthProvider();
+
+// src/rbac/utils/eventContext.ts
+async function getOrganisationFromEvent(supabase, eventId) {
+  const { data, error } = await supabase.from("event").select("organisation_id").eq("event_id", eventId).single();
+  if (error || !data) {
+    return null;
+  }
+  return data.organisation_id;
 }
-function useCachedPermissions(userId, scope) {
-  const [permissions, setPermissions] = useState({});
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const fetchCachedPermissions = useCallback(async () => {
-    if (!userId) {
-      setPermissions({});
-      setIsLoading(false);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      const result = await getPermissionMap({ userId, scope });
-      setPermissions(result);
-    } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to fetch cached permissions"));
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
-  useEffect(() => {
-    fetchCachedPermissions();
-  }, [fetchCachedPermissions]);
+async function createScopeFromEvent(supabase, eventId, appId) {
+  const organisationId = await getOrganisationFromEvent(supabase, eventId);
+  if (!organisationId) {
+    return null;
+  }
   return {
-    permissions,
-    isLoading,
-    error,
-    refetch: fetchCachedPermissions
+    organisationId,
+    eventId,
+    appId
   };
 }
 
-// src/rbac/adapters.tsx
-import React, { useContext } from "react";
-import { Fragment, jsx, jsxs } from "react/jsx-runtime";
-function PermissionGuard({
-  userId,
-  scope,
-  permission,
-  pageId,
+// src/rbac/components/PagePermissionGuard.tsx
+init_appNameResolver();
+import { Fragment, jsx as jsx2, jsxs } from "react/jsx-runtime";
+function PagePermissionGuard({
+  pageName,
+  operation,
   children,
-  fallback = null,
-  onDenied,
-  loading = null,
-  // NEW: Phase 1 - Enhanced Security Features
+  fallback = /* @__PURE__ */ jsx2(DefaultAccessDenied, {}),
   strictMode = true,
   auditLog = true,
-  enforceAudit = true
+  pageId,
+  scope,
+  onDenied,
+  loading = /* @__PURE__ */ jsx2(DefaultLoading, {})
 }) {
-  const logger = getRBACLogger();
-  const authContext = useContext(React.createContext(null));
-  let effectiveUserId = userId;
-  if (!effectiveUserId) {
-    try {
-      if (authContext?.user?.id) {
-        effectiveUserId = authContext.user.id;
-      } else {
-        const globalUser = window.__PACE_USER__;
-        if (globalUser?.id) {
-          effectiveUserId = globalUser.id;
+  const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
+  const [hasChecked, setHasChecked] = useState2(false);
+  const [checkError, setCheckError] = useState2(null);
+  const [resolvedScope, setResolvedScope] = useState2(null);
+  useEffect2(() => {
+    const resolveScope = async () => {
+      if (scope) {
+        setResolvedScope(scope);
+        return;
+      }
+      let appId = void 0;
+      if (supabase) {
+        const appName = getCurrentAppName();
+        if (appName) {
+          try {
+            console.log("[PagePermissionGuard] Resolving app name to ID:", appName);
+            const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).eq("is_active", true).single();
+            if (error2) {
+              console.error("[PagePermissionGuard] Database error resolving app ID:", error2);
+              const { data: inactiveApp } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).single();
+              if (inactiveApp) {
+                console.error(`[PagePermissionGuard] App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
+              } else {
+                console.error(`[PagePermissionGuard] App "${appName}" not found in rbac_apps table`);
+              }
+            } else if (app) {
+              appId = app.id;
+              console.log("[PagePermissionGuard] Successfully resolved app ID:", app.id);
+            } else {
+              console.error("[PagePermissionGuard] No app data returned for:", appName);
+            }
+          } catch (error2) {
+            console.error("[PagePermissionGuard] Unexpected error resolving app ID:", error2);
+          }
+        } else {
+          console.error("[PagePermissionGuard] No app name found. Make sure to call setRBACAppName() in your app setup.");
         }
       }
-    } catch (error2) {
-      logger.debug("Could not infer userId from context:", error2);
-    }
-  }
-  const { can, isLoading, error } = useCan(effectiveUserId || "", scope, permission, pageId);
-  if (!effectiveUserId) {
-    logger.error("PermissionGuard: No userId provided and could not infer from context");
-    return /* @__PURE__ */ jsxs("div", { className: "rbac-error", role: "alert", children: [
-      /* @__PURE__ */ jsx("p", { children: "Permission check failed: User context not available" }),
-      /* @__PURE__ */ jsxs("details", { children: [
-        /* @__PURE__ */ jsx("summary", { children: "Debug info" }),
-        /* @__PURE__ */ jsx("p", { children: "Make sure to either:" }),
-        /* @__PURE__ */ jsxs("ul", { children: [
-          /* @__PURE__ */ jsx("li", { children: "Pass userId prop explicitly" }),
-          /* @__PURE__ */ jsx("li", { children: "Wrap your app with an auth provider" }),
-          /* @__PURE__ */ jsx("li", { children: "Set window.__PACE_USER__ with user data" })
-        ] })
-      ] })
-    ] });
-  }
-  if (isLoading) {
-    return loading || /* @__PURE__ */ jsx("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx("span", { className: "sr-only", children: "Checking permissions..." }) });
-  }
-  if (error) {
-    logger.error("Permission check failed:", error);
-    if (auditLog) {
-      logger.info(`[PermissionGuard] Permission check failed:`, {
-        userId: effectiveUserId,
-        scope,
-        permission,
-        pageId,
-        error: error.message,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
+      if (selectedOrganisationId && selectedEventId) {
+        if (!appId) {
+          if (false) {
+            console.warn("[PagePermissionGuard] App ID not resolved in test environment, proceeding without it");
+          } else {
+            console.error("[PagePermissionGuard] CRITICAL: App ID not resolved. Check console for details.");
+            setCheckError(new Error("App ID not resolved. Check console for database errors."));
+            setResolvedScope(null);
+            return;
+          }
+        }
+        if (appId) {
+          const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+          if (!uuidRegex.test(appId)) {
+            console.error("[PagePermissionGuard] CRITICAL: App ID is not a valid UUID:", appId);
+            setCheckError(new Error(`Invalid app ID format: ${appId}. Expected UUID.`));
+            setResolvedScope(null);
+            return;
+          }
+        }
+        const resolvedScope2 = {
+          organisationId: selectedOrganisationId,
+          eventId: selectedEventId,
+          appId
+        };
+        console.log("[PagePermissionGuard] Setting resolved scope:", resolvedScope2);
+        setResolvedScope(resolvedScope2);
+        return;
+      }
+      if (selectedOrganisationId) {
+        if (!appId) {
+          if (false) {
+            console.warn("[PagePermissionGuard] App ID not resolved in test environment, proceeding without it");
+          } else {
+            console.error("[PagePermissionGuard] CRITICAL: App ID not resolved. Check console for details.");
+            setCheckError(new Error("App ID not resolved. Check console for database errors."));
+            setResolvedScope(null);
+            return;
+          }
+        }
+        if (appId) {
+          const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+          if (!uuidRegex.test(appId)) {
+            console.error("[PagePermissionGuard] CRITICAL: App ID is not a valid UUID:", appId);
+            setCheckError(new Error(`Invalid app ID format: ${appId}. Expected UUID.`));
+            setResolvedScope(null);
+            return;
+          }
+        }
+        const resolvedScope2 = {
+          organisationId: selectedOrganisationId,
+          eventId: selectedEventId || void 0,
+          appId
+        };
+        console.log("[PagePermissionGuard] Setting resolved scope (org only):", resolvedScope2);
+        setResolvedScope(resolvedScope2);
+        return;
+      }
+      if (selectedEventId && supabase) {
+        try {
+          const eventScope = await createScopeFromEvent(supabase, selectedEventId);
+          if (!eventScope) {
+            setCheckError(new Error("Could not resolve organization from event context"));
+            setResolvedScope(null);
+            return;
+          }
+          setResolvedScope({
+            ...eventScope,
+            appId: appId || eventScope.appId
+          });
+        } catch (error2) {
+          setCheckError(error2);
+          setResolvedScope(null);
+        }
+        return;
+      }
+      setCheckError(new Error("Either organisation context or event context is required for page permission checking"));
+      setResolvedScope(null);
+    };
+    resolveScope();
+  }, [scope, selectedOrganisationId, selectedEventId, supabase]);
+  const effectivePageId = useMemo2(() => {
+    return pageId || pageName;
+  }, [pageId, pageName]);
+  const permission = useMemo2(() => {
+    return `${operation}:page.${pageName}`;
+  }, [operation, pageName]);
+  console.log("[PagePermissionGuard] Calling useCan with scope:", resolvedScope);
+  console.log("[PagePermissionGuard] resolvedScope:", resolvedScope);
+  console.log("[PagePermissionGuard] selectedEventId:", selectedEventId);
+  console.log("[PagePermissionGuard] About to call useCan with:", {
+    userId: user?.id || "",
+    scope: resolvedScope || { organisationId: "", appId: "", eventId: selectedEventId || void 0 },
+    permission,
+    pageId: effectivePageId,
+    useCache: true
+  });
+  const { can, isLoading: canIsLoading, error: canError } = useCan(
+    user?.id || "",
+    resolvedScope || { organisationId: "", appId: "", eventId: selectedEventId || void 0 },
+    permission,
+    effectivePageId,
+    true
+    // Use cache
+  );
+  console.log("[PagePermissionGuard] useCan returned:", { can, canIsLoading, canError });
+  const isLoading = !resolvedScope || canIsLoading;
+  const error = checkError || canError;
+  console.log("[PagePermissionGuard] Combined state:", {
+    can,
+    isLoading,
+    canIsLoading,
+    resolvedScopeExists: !!resolvedScope,
+    error: error?.message
+  });
+  useEffect2(() => {
+    if (!isLoading && !error) {
+      setHasChecked(true);
+      setCheckError(null);
+      if (!can && onDenied) {
+        onDenied(pageName, operation);
+      }
+    } else if (error) {
+      setCheckError(error);
+      setHasChecked(true);
     }
-    return fallback;
-  }
-  if (!can) {
-    if (auditLog) {
-      logger.info(`[PermissionGuard] Permission denied:`, {
-        userId: effectiveUserId,
-        scope,
-        permission,
-        pageId,
+  }, [can, isLoading, error, pageName, operation, onDenied]);
+  useEffect2(() => {
+    if (auditLog && hasChecked && !isLoading) {
+      console.log(`[PagePermissionGuard] Page access attempt:`, {
+        pageName,
+        operation,
+        userId: user?.id,
+        scope: resolvedScope,
+        allowed: can,
         timestamp: (/* @__PURE__ */ new Date()).toISOString()
       });
     }
-    if (strictMode) {
-      logger.error(`[PermissionGuard] STRICT MODE VIOLATION: User attempted to access protected resource without permission`, {
-        userId: effectiveUserId,
-        scope,
-        permission,
-        pageId,
+  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, resolvedScope, can]);
+  useEffect2(() => {
+    if (strictMode && hasChecked && !isLoading && !can) {
+      console.error(`[PagePermissionGuard] STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
+        pageName,
+        operation,
+        userId: user?.id,
+        scope: resolvedScope,
         timestamp: (/* @__PURE__ */ new Date()).toISOString()
       });
     }
-    if (onDenied) {
-      onDenied();
-    }
-    return /* @__PURE__ */ jsx(Fragment, { children: fallback });
+  }, [strictMode, hasChecked, isLoading, can, pageName, operation, user?.id, resolvedScope]);
+  if (isLoading || !resolvedScope || !hasChecked) {
+    return /* @__PURE__ */ jsx2(Fragment, { children: loading });
   }
-  if (auditLog) {
-    logger.info(`[PermissionGuard] Permission granted:`, {
-      userId: effectiveUserId,
-      scope,
-      permission,
-      pageId,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
-    });
+  if (checkError) {
+    console.error(`[PagePermissionGuard] Permission check failed for page ${pageName}:`, checkError);
+    return /* @__PURE__ */ jsx2(Fragment, { children: fallback });
+  }
+  if (!can) {
+    return /* @__PURE__ */ jsx2(Fragment, { children: fallback });
   }
-  return /* @__PURE__ */ jsx(Fragment, { children });
+  return /* @__PURE__ */ jsx2(Fragment, { children });
 }
-function AccessLevelGuard({
-  userId,
-  scope,
-  minLevel,
+function DefaultAccessDenied() {
+  return /* @__PURE__ */ jsxs("div", { className: "flex flex-col items-center justify-center min-h-[200px] p-8 text-center", children: [
+    /* @__PURE__ */ jsx2("div", { className: "mb-4", children: /* @__PURE__ */ jsx2("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx2("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
+    /* @__PURE__ */ jsx2("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
+    /* @__PURE__ */ jsx2("p", { className: "text-sec-600 mb-4", children: "You don't have permission to access this page." }),
+    /* @__PURE__ */ jsx2(
+      "button",
+      {
+        onClick: () => window.history.back(),
+        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
+        children: "Go Back"
+      }
+    )
+  ] });
+}
+function DefaultLoading() {
+  return /* @__PURE__ */ jsx2("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx2("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600" }),
+    /* @__PURE__ */ jsx2("span", { className: "text-sec-600", children: "Checking permissions..." })
+  ] }) });
+}
+
+// src/rbac/components/SecureDataProvider.tsx
+init_UnifiedAuthProvider();
+import { createContext as createContext2, useContext as useContext2, useState as useState3, useCallback as useCallback3, useMemo as useMemo3, useEffect as useEffect3 } from "react";
+import { jsx as jsx3 } from "react/jsx-runtime";
+var SecureDataContext = createContext2(null);
+function SecureDataProvider({
   children,
-  fallback = null,
-  loading = null
+  strictMode = true,
+  auditLog = true,
+  onDataAccess,
+  onStrictModeViolation,
+  maxHistorySize = 1e3,
+  enforceRLS = true
 }) {
-  const logger = getRBACLogger();
-  const authContext = useContext(React.createContext(null));
-  let effectiveUserId = userId;
-  if (!effectiveUserId) {
+  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
+  const { validateContext } = useSecureDataAccess();
+  const [dataAccessHistory, setDataAccessHistory] = useState3([]);
+  const [isEnabled, setIsEnabled] = useState3(true);
+  const currentScope = useMemo3(() => {
+    if (!selectedOrganisationId) return null;
+    return {
+      organisationId: selectedOrganisationId,
+      eventId: selectedEventId || void 0,
+      appId: void 0
+    };
+  }, [selectedOrganisationId, selectedEventId]);
+  const isDataAccessAllowed = useCallback3((table, operation, scope) => {
+    if (!isEnabled) return true;
+    if (!user?.id) return false;
+    const effectiveScope = scope || currentScope;
+    if (!effectiveScope) return false;
+    const permission = `${operation}:data.${table}`;
+    return true;
+  }, [isEnabled, user?.id, currentScope]);
+  const getDataAccessPermissions = useCallback3(() => {
+    if (!isEnabled || !user?.id) return {};
+    return {};
+  }, [isEnabled, user?.id]);
+  const getDataAccessHistory = useCallback3(() => {
+    return [...dataAccessHistory];
+  }, [dataAccessHistory]);
+  const clearDataAccessHistory = useCallback3(() => {
+    setDataAccessHistory([]);
+  }, []);
+  const validateDataAccess = useCallback3((table, operation, scope) => {
+    if (!isEnabled) return true;
+    if (!user?.id) return false;
+    const effectiveScope = scope || currentScope;
+    if (!effectiveScope) return false;
     try {
-      if (authContext?.user?.id) {
-        effectiveUserId = authContext.user.id;
-      } else {
-        const globalUser = window.__PACE_USER__;
-        if (globalUser?.id) {
-          effectiveUserId = globalUser.id;
-        }
-      }
-    } catch (error2) {
-      logger.debug("Could not infer userId from context:", error2);
+      validateContext();
+    } catch (error) {
+      console.error(`[SecureDataProvider] Organisation context validation failed:`, error);
+      return false;
     }
-  }
-  const { accessLevel, isLoading, error } = useAccessLevel(effectiveUserId || "", scope);
-  if (!effectiveUserId) {
-    logger.error("AccessLevelGuard: No userId provided and could not infer from context");
-    return /* @__PURE__ */ jsxs("div", { className: "rbac-error", role: "alert", children: [
-      /* @__PURE__ */ jsx("p", { children: "Access level check failed: User context not available" }),
-      /* @__PURE__ */ jsxs("details", { children: [
-        /* @__PURE__ */ jsx("summary", { children: "Debug info" }),
-        /* @__PURE__ */ jsx("p", { children: "Make sure to either:" }),
-        /* @__PURE__ */ jsxs("ul", { children: [
-          /* @__PURE__ */ jsx("li", { children: "Pass userId prop explicitly" }),
-          /* @__PURE__ */ jsx("li", { children: "Wrap your app with an auth provider" }),
-          /* @__PURE__ */ jsx("li", { children: "Set window.__PACE_USER__ with user data" })
-        ] })
-      ] })
-    ] });
-  }
-  if (isLoading) {
-    return loading || /* @__PURE__ */ jsx("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx("span", { className: "sr-only", children: "Checking access level..." }) });
-  }
-  if (error) {
-    logger.error("Access level check failed:", error);
-    return fallback;
-  }
-  const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
-  const userLevelIndex = accessLevel ? levelHierarchy.indexOf(accessLevel) : -1;
-  const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
-  if (userLevelIndex < requiredLevelIndex) {
-    return /* @__PURE__ */ jsx(Fragment, { children: fallback });
-  }
-  return /* @__PURE__ */ jsx(Fragment, { children });
-}
-function withPermissionGuard(config, handler) {
-  return async (...args) => {
-    const [req] = args;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      throw new Error("User context required for permission check");
-    }
-    const { isPermitted: isPermitted2 } = await import("../api-ETQ6YJ3C.js");
-    const hasPermission2 = await isPermitted2({
-      userId,
-      scope: { organisationId, eventId, appId },
-      permission: config.permission,
-      pageId: config.pageId
-    });
-    if (!hasPermission2) {
-      throw new Error(`Permission denied: ${config.permission}`);
-    }
-    return handler(...args);
-  };
-}
-function withAccessLevelGuard(minLevel, handler) {
-  return async (...args) => {
-    const [req] = args;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      throw new Error("User context required for access level check");
-    }
-    const { getAccessLevel: getAccessLevel2 } = await import("../api-ETQ6YJ3C.js");
-    const accessLevel = await getAccessLevel2({
-      userId,
-      scope: { organisationId, eventId, appId }
-    });
-    const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
-    const userLevelIndex = levelHierarchy.indexOf(accessLevel);
-    const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
-    if (userLevelIndex < requiredLevelIndex) {
-      throw new Error(`Access level required: ${minLevel}, got: ${accessLevel}`);
-    }
-    return handler(...args);
-  };
-}
-function withRoleGuard(config, handler) {
-  return async (...args) => {
-    const [req] = args;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      throw new Error("User context required for role check");
-    }
-    if (config.globalRoles && config.globalRoles.length > 0) {
-      const { isSuperAdmin } = await import("../api-ETQ6YJ3C.js");
-      const isSuper = await isSuperAdmin(userId);
-      if (isSuper) {
-        if (organisationId) {
-          const { emitAuditEvent: emitAuditEvent2 } = await import("../audit-BUW3LMJB.js");
-          await emitAuditEvent2({
-            type: "permission_check",
-            userId,
-            organisationId,
-            eventId,
-            appId,
-            permission: "bypass:all",
-            decision: true,
-            source: "api",
-            bypass: true,
-            duration_ms: 0,
-            metadata: {
-              operation: "role_guard",
-              reason: "super_admin_bypass"
-            }
-          });
-        }
-        return handler(...args);
-      }
-    }
-    if (config.organisationRoles && config.organisationRoles.length > 0) {
-      const { isOrganisationAdmin } = await import("../api-ETQ6YJ3C.js");
-      const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
-      if (!isOrgAdmin && config.requireAll !== false) {
-        throw new Error(`Organisation admin role required`);
-      }
-    }
-    if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
-      const { isEventAdmin } = await import("../api-ETQ6YJ3C.js");
-      const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
-      if (!isEventAdminUser && config.requireAll !== false) {
-        throw new Error(`Event admin role required`);
-      }
-    }
-    if (organisationId) {
-      const { emitAuditEvent: emitAuditEvent2 } = await import("../audit-BUW3LMJB.js");
-      await emitAuditEvent2({
-        type: "permission_check",
-        userId,
-        organisationId,
-        eventId,
-        appId,
-        permission: "role:check",
-        decision: true,
-        source: "api",
-        bypass: false,
-        duration_ms: 0,
-        metadata: {
-          operation: "role_guard"
-        }
-      });
-    }
-    return handler(...args);
-  };
-}
-function createRBACMiddleware(config) {
-  return async (req, res, next) => {
-    const { pathname } = req.nextUrl;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    if (!userId || !organisationId) {
-      return res.redirect(config.fallbackUrl || "/login");
-    }
-    const protectedRoute = config.protectedRoutes.find(
-      (route) => pathname.startsWith(route.path)
-    );
-    if (protectedRoute) {
-      try {
-        const { isPermitted: isPermitted2 } = await import("../api-ETQ6YJ3C.js");
-        const hasPermission2 = await isPermitted2({
-          userId,
-          scope: { organisationId },
-          permission: protectedRoute.permission,
-          pageId: protectedRoute.pageId
-        });
-        if (!hasPermission2) {
-          return res.redirect(config.fallbackUrl || "/access-denied");
-        }
-      } catch (_error) {
-        return res.redirect(config.fallbackUrl || "/access-denied");
-      }
-    }
-    next();
-  };
-}
-function createRBACExpressMiddleware(config) {
-  return async (req, res, next) => {
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      return res.status(401).json({ error: "User context required" });
-    }
-    try {
-      const { isPermitted: isPermitted2 } = await import("../api-ETQ6YJ3C.js");
-      const hasPermission2 = await isPermitted2({
-        userId,
-        scope: { organisationId, eventId, appId },
-        permission: config.permission,
-        pageId: config.pageId
-      });
-      if (!hasPermission2) {
-        return res.status(403).json({ error: "Permission denied" });
-      }
-      next();
-    } catch (_error) {
-      return res.status(500).json({ error: "Permission check failed" });
-    }
-  };
-}
-function hasPermissionCached(userId, scope, _permission, _pageId) {
-  const cacheKey = RBACCache.generatePermissionKey({
-    userId,
-    organisationId: scope.organisationId,
-    eventId: scope.eventId,
-    appId: scope.appId
-  });
-  return rbacCache.get(cacheKey) || false;
-}
-function hasAnyPermissionCached(userId, scope, permissions, pageId) {
-  return permissions.some(
-    (permission) => hasPermissionCached(userId, scope, permission, pageId)
-  );
-}
-
-// src/rbac/components/PagePermissionProvider.tsx
-init_UnifiedAuthProvider();
-import { createContext, useContext as useContext2, useState as useState2, useCallback as useCallback2, useMemo as useMemo2, useEffect as useEffect2 } from "react";
-import { jsx as jsx2 } from "react/jsx-runtime";
-var PagePermissionContext = createContext(null);
-function PagePermissionProvider({
-  children,
-  strictMode = true,
-  auditLog = true,
-  onPageAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3
-}) {
-  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
-  const [pageAccessHistory, setPageAccessHistory] = useState2([]);
-  const [isEnabled, setIsEnabled] = useState2(true);
-  const currentScope = useMemo2(() => {
-    if (!selectedOrganisationId) return null;
-    return {
-      organisationId: selectedOrganisationId,
-      eventId: selectedEventId || void 0,
-      appId: void 0
-    };
-  }, [selectedOrganisationId, selectedEventId]);
-  const hasPagePermission = useCallback2((pageName, operation, pageId, scope) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    const permission = `${operation}:page.${pageName}`;
-    return false;
-  }, [isEnabled, user?.id, currentScope]);
-  const getPagePermissions = useCallback2(() => {
-    if (!isEnabled || !user?.id) return {};
-    return {};
-  }, [isEnabled, user?.id]);
-  const getPageAccessHistory = useCallback2(() => {
-    return [...pageAccessHistory];
-  }, [pageAccessHistory]);
-  const clearPageAccessHistory = useCallback2(() => {
-    setPageAccessHistory([]);
-  }, []);
-  const recordPageAccess = useCallback2((pageName, operation, allowed, pageId, scope) => {
+    return isDataAccessAllowed(table, operation, effectiveScope);
+  }, [isEnabled, user?.id, currentScope, validateContext, isDataAccessAllowed]);
+  const recordDataAccess = useCallback3((table, operation, allowed, query, filters, scope) => {
     if (!auditLog || !user?.id) return;
     const record = {
-      pageName,
+      table,
       operation,
       userId: user.id,
       scope: scope || currentScope || { organisationId: "" },
       allowed,
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      pageId
+      query,
+      filters
     };
-    setPageAccessHistory((prev) => {
+    setDataAccessHistory((prev) => {
       const newHistory = [record, ...prev];
       return newHistory.slice(0, maxHistorySize);
     });
-    if (onPageAccess) {
-      onPageAccess(pageName, operation, allowed, record);
+    if (onDataAccess) {
+      onDataAccess(table, operation, allowed, record);
     }
     if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(pageName, operation, record);
+      onStrictModeViolation(table, operation, record);
     }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onPageAccess, onStrictModeViolation, strictMode]);
-  const contextValue = useMemo2(() => ({
-    hasPagePermission,
-    getPagePermissions,
+  }, [auditLog, user?.id, currentScope, maxHistorySize, onDataAccess, onStrictModeViolation, strictMode]);
+  const contextValue = useMemo3(() => ({
+    isDataAccessAllowed,
+    getDataAccessPermissions,
     isEnabled,
     isStrictMode: strictMode,
     isAuditLogEnabled: auditLog,
-    getPageAccessHistory,
-    clearPageAccessHistory
+    getDataAccessHistory,
+    clearDataAccessHistory,
+    validateDataAccess
   }), [
-    hasPagePermission,
-    getPagePermissions,
+    isDataAccessAllowed,
+    getDataAccessPermissions,
     isEnabled,
     strictMode,
     auditLog,
-    getPageAccessHistory,
-    clearPageAccessHistory
+    getDataAccessHistory,
+    clearDataAccessHistory,
+    validateDataAccess
   ]);
-  useEffect2(() => {
+  useEffect3(() => {
     if (strictMode && auditLog) {
-      console.log(`[PagePermissionProvider] Strict mode enabled - all page access attempts will be logged and enforced`);
+      console.log(`[SecureDataProvider] Strict mode enabled - all data access attempts will be logged and enforced`);
     }
   }, [strictMode, auditLog]);
-  return /* @__PURE__ */ jsx2(PagePermissionContext.Provider, { value: contextValue, children });
+  useEffect3(() => {
+    if (enforceRLS && auditLog) {
+      console.log(`[SecureDataProvider] RLS enforcement enabled - all queries will include organisation context`);
+    }
+  }, [enforceRLS, auditLog]);
+  return /* @__PURE__ */ jsx3(SecureDataContext.Provider, { value: contextValue, children });
 }
-function usePagePermissions() {
-  const context = useContext2(PagePermissionContext);
+function useSecureData() {
+  const context = useContext2(SecureDataContext);
   if (!context) {
-    throw new Error("usePagePermissions must be used within a PagePermissionProvider");
+    throw new Error("useSecureData must be used within a SecureDataProvider");
   }
   return context;
 }
 
-// src/rbac/components/PagePermissionGuard.tsx
-import { useMemo as useMemo3, useEffect as useEffect3, useState as useState3 } from "react";
+// src/rbac/components/PermissionEnforcer.tsx
+import { useMemo as useMemo4, useEffect as useEffect4, useState as useState4 } from "react";
 init_UnifiedAuthProvider();
-
-// src/rbac/utils/eventContext.ts
-async function getOrganisationFromEvent(supabase, eventId) {
-  const { data, error } = await supabase.from("event").select("organisation_id").eq("event_id", eventId).single();
-  if (error || !data) {
-    return null;
-  }
-  return data.organisation_id;
-}
-async function createScopeFromEvent(supabase, eventId, appId) {
-  const organisationId = await getOrganisationFromEvent(supabase, eventId);
-  if (!organisationId) {
-    return null;
-  }
-  return {
-    organisationId,
-    eventId,
-    appId
-  };
-}
-
-// src/rbac/components/PagePermissionGuard.tsx
-init_appNameResolver();
-import { Fragment as Fragment2, jsx as jsx3, jsxs as jsxs2 } from "react/jsx-runtime";
-function PagePermissionGuard({
-  pageName,
+import { Fragment as Fragment2, jsx as jsx4, jsxs as jsxs2 } from "react/jsx-runtime";
+function PermissionEnforcer({
+  permissions,
   operation,
   children,
-  fallback = /* @__PURE__ */ jsx3(DefaultAccessDenied, {}),
+  fallback = /* @__PURE__ */ jsx4(DefaultAccessDenied2, {}),
   strictMode = true,
   auditLog = true,
-  pageId,
   scope,
   onDenied,
-  loading = /* @__PURE__ */ jsx3(DefaultLoading, {})
+  loading = /* @__PURE__ */ jsx4(DefaultLoading2, {}),
+  requireAll = true
 }) {
   const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState3(false);
-  const [checkError, setCheckError] = useState3(null);
-  const [resolvedScope, setResolvedScope] = useState3(null);
-  useEffect3(() => {
+  const [hasChecked, setHasChecked] = useState4(false);
+  const [checkError, setCheckError] = useState4(null);
+  const [permissionResults, setPermissionResults] = useState4({});
+  const [resolvedScope, setResolvedScope] = useState4(null);
+  useEffect4(() => {
     const resolveScope = async () => {
       if (scope) {
         setResolvedScope(scope);
         return;
       }
-      let appId = void 0;
-      if (supabase) {
-        const appName = getCurrentAppName();
-        if (appName) {
-          try {
-            console.log("[PagePermissionGuard] Resolving app name to ID:", appName);
-            const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).eq("is_active", true).single();
-            if (error2) {
-              console.error("[PagePermissionGuard] Database error resolving app ID:", error2);
-              const { data: inactiveApp } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).single();
-              if (inactiveApp) {
-                console.error(`[PagePermissionGuard] App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
-              } else {
-                console.error(`[PagePermissionGuard] App "${appName}" not found in rbac_apps table`);
-              }
-            } else if (app) {
-              appId = app.id;
-              console.log("[PagePermissionGuard] Successfully resolved app ID:", app.id);
-            } else {
-              console.error("[PagePermissionGuard] No app data returned for:", appName);
-            }
-          } catch (error2) {
-            console.error("[PagePermissionGuard] Unexpected error resolving app ID:", error2);
-          }
-        } else {
-          console.error("[PagePermissionGuard] No app name found. Make sure to call setRBACAppName() in your app setup.");
-        }
-      }
       if (selectedOrganisationId && selectedEventId) {
-        if (!appId) {
-          if (false) {
-            console.warn("[PagePermissionGuard] App ID not resolved in test environment, proceeding without it");
-          } else {
-            console.error("[PagePermissionGuard] CRITICAL: App ID not resolved. Check console for details.");
-            setCheckError(new Error("App ID not resolved. Check console for database errors."));
-            setResolvedScope(null);
-            return;
-          }
-        }
-        if (appId) {
-          const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-          if (!uuidRegex.test(appId)) {
-            console.error("[PagePermissionGuard] CRITICAL: App ID is not a valid UUID:", appId);
-            setCheckError(new Error(`Invalid app ID format: ${appId}. Expected UUID.`));
-            setResolvedScope(null);
-            return;
-          }
-        }
-        const resolvedScope2 = {
+        setResolvedScope({
           organisationId: selectedOrganisationId,
           eventId: selectedEventId,
-          appId
-        };
-        console.log("[PagePermissionGuard] Setting resolved scope:", resolvedScope2);
-        setResolvedScope(resolvedScope2);
+          appId: void 0
+        });
         return;
       }
       if (selectedOrganisationId) {
-        if (!appId) {
-          if (false) {
-            console.warn("[PagePermissionGuard] App ID not resolved in test environment, proceeding without it");
-          } else {
-            console.error("[PagePermissionGuard] CRITICAL: App ID not resolved. Check console for details.");
-            setCheckError(new Error("App ID not resolved. Check console for database errors."));
-            setResolvedScope(null);
-            return;
-          }
-        }
-        if (appId) {
-          const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-          if (!uuidRegex.test(appId)) {
-            console.error("[PagePermissionGuard] CRITICAL: App ID is not a valid UUID:", appId);
-            setCheckError(new Error(`Invalid app ID format: ${appId}. Expected UUID.`));
-            setResolvedScope(null);
-            return;
-          }
-        }
-        const resolvedScope2 = {
+        setResolvedScope({
           organisationId: selectedOrganisationId,
           eventId: selectedEventId || void 0,
-          appId
-        };
-        console.log("[PagePermissionGuard] Setting resolved scope (org only):", resolvedScope2);
-        setResolvedScope(resolvedScope2);
+          appId: void 0
+        });
         return;
       }
       if (selectedEventId && supabase) {
@@ -1004,111 +703,86 @@ function PagePermissionGuard({
           const eventScope = await createScopeFromEvent(supabase, selectedEventId);
           if (!eventScope) {
             setCheckError(new Error("Could not resolve organization from event context"));
-            setResolvedScope(null);
             return;
           }
-          setResolvedScope({
-            ...eventScope,
-            appId: appId || eventScope.appId
-          });
+          setResolvedScope(eventScope);
         } catch (error2) {
           setCheckError(error2);
-          setResolvedScope(null);
         }
         return;
       }
-      setCheckError(new Error("Either organisation context or event context is required for page permission checking"));
-      setResolvedScope(null);
+      setCheckError(new Error("Either organisation context or event context is required for permission checking"));
     };
     resolveScope();
   }, [scope, selectedOrganisationId, selectedEventId, supabase]);
-  const effectivePageId = useMemo3(() => {
-    return pageId || pageName;
-  }, [pageId, pageName]);
-  const permission = useMemo3(() => {
-    return `${operation}:page.${pageName}`;
-  }, [operation, pageName]);
-  console.log("[PagePermissionGuard] Calling useCan with scope:", resolvedScope);
-  console.log("[PagePermissionGuard] resolvedScope:", resolvedScope);
-  console.log("[PagePermissionGuard] selectedEventId:", selectedEventId);
-  console.log("[PagePermissionGuard] About to call useCan with:", {
-    userId: user?.id || "",
-    scope: resolvedScope || { organisationId: "", appId: "", eventId: selectedEventId || void 0 },
-    permission,
-    pageId: effectivePageId,
-    useCache: true
-  });
-  const { can, isLoading: canIsLoading, error: canError } = useCan(
+  const representativePermission = permissions[0];
+  const { can, isLoading, error } = useCan(
     user?.id || "",
-    resolvedScope || { organisationId: "", appId: "", eventId: selectedEventId || void 0 },
-    permission,
-    effectivePageId,
+    resolvedScope || { eventId: selectedEventId || void 0 },
+    representativePermission,
+    void 0,
     true
     // Use cache
   );
-  console.log("[PagePermissionGuard] useCan returned:", { can, canIsLoading, canError });
-  const isLoading = !resolvedScope || canIsLoading;
-  const error = checkError || canError;
-  console.log("[PagePermissionGuard] Combined state:", {
-    can,
-    isLoading,
-    canIsLoading,
-    resolvedScopeExists: !!resolvedScope,
-    error: error?.message
-  });
-  useEffect3(() => {
+  const hasRequiredPermissions = useMemo4(() => {
+    if (permissions.length === 0) return true;
+    return can;
+  }, [permissions, can]);
+  useEffect4(() => {
     if (!isLoading && !error) {
       setHasChecked(true);
       setCheckError(null);
-      if (!can && onDenied) {
-        onDenied(pageName, operation);
+      if (!hasRequiredPermissions && onDenied) {
+        onDenied(permissions, operation);
       }
     } else if (error) {
       setCheckError(error);
       setHasChecked(true);
     }
-  }, [can, isLoading, error, pageName, operation, onDenied]);
-  useEffect3(() => {
+  }, [hasRequiredPermissions, isLoading, error, permissions, operation, onDenied]);
+  useEffect4(() => {
     if (auditLog && hasChecked && !isLoading) {
-      console.log(`[PagePermissionGuard] Page access attempt:`, {
-        pageName,
+      console.log(`[PermissionEnforcer] Permission check attempt:`, {
+        permissions,
         operation,
         userId: user?.id,
         scope: resolvedScope,
-        allowed: can,
+        allowed: hasRequiredPermissions,
+        requireAll,
         timestamp: (/* @__PURE__ */ new Date()).toISOString()
       });
     }
-  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, resolvedScope, can]);
-  useEffect3(() => {
-    if (strictMode && hasChecked && !isLoading && !can) {
-      console.error(`[PagePermissionGuard] STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
-        pageName,
+  }, [auditLog, hasChecked, isLoading, permissions, operation, user?.id, resolvedScope, hasRequiredPermissions, requireAll]);
+  useEffect4(() => {
+    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
+      console.error(`[PermissionEnforcer] STRICT MODE VIOLATION: User attempted to perform operation without permission`, {
+        permissions,
         operation,
         userId: user?.id,
         scope: resolvedScope,
+        requireAll,
         timestamp: (/* @__PURE__ */ new Date()).toISOString()
       });
     }
-  }, [strictMode, hasChecked, isLoading, can, pageName, operation, user?.id, resolvedScope]);
-  if (isLoading || !resolvedScope || !hasChecked) {
-    return /* @__PURE__ */ jsx3(Fragment2, { children: loading });
+  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, permissions, operation, user?.id, resolvedScope, requireAll]);
+  if (isLoading || !hasChecked) {
+    return /* @__PURE__ */ jsx4(Fragment2, { children: loading });
   }
   if (checkError) {
-    console.error(`[PagePermissionGuard] Permission check failed for page ${pageName}:`, checkError);
-    return /* @__PURE__ */ jsx3(Fragment2, { children: fallback });
+    console.error(`[PermissionEnforcer] Permission check failed for operation ${operation}:`, checkError);
+    return /* @__PURE__ */ jsx4(Fragment2, { children: fallback });
   }
-  if (!can) {
-    return /* @__PURE__ */ jsx3(Fragment2, { children: fallback });
+  if (!hasRequiredPermissions) {
+    return /* @__PURE__ */ jsx4(Fragment2, { children: fallback });
   }
-  return /* @__PURE__ */ jsx3(Fragment2, { children });
+  return /* @__PURE__ */ jsx4(Fragment2, { children });
 }
-function DefaultAccessDenied() {
+function DefaultAccessDenied2() {
   return /* @__PURE__ */ jsxs2("div", { className: "flex flex-col items-center justify-center min-h-[200px] p-8 text-center", children: [
-    /* @__PURE__ */ jsx3("div", { className: "mb-4", children: /* @__PURE__ */ jsx3("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx3("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
-    /* @__PURE__ */ jsx3("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
-    /* @__PURE__ */ jsx3("p", { className: "text-sec-600 mb-4", children: "You don't have permission to access this page." }),
-    /* @__PURE__ */ jsx3(
+    /* @__PURE__ */ jsx4("div", { className: "mb-4", children: /* @__PURE__ */ jsx4("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx4("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
+    /* @__PURE__ */ jsx4("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
+    /* @__PURE__ */ jsx4("p", { className: "text-sec-600 mb-4", children: "You don't have permission to perform this operation." }),
+    /* @__PURE__ */ jsx4(
       "button",
       {
         onClick: () => window.history.back(),
@@ -1118,32 +792,36 @@ function DefaultAccessDenied() {
     )
   ] });
 }
-function DefaultLoading() {
-  return /* @__PURE__ */ jsx3("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs2("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx3("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600" }),
-    /* @__PURE__ */ jsx3("span", { className: "text-sec-600", children: "Checking permissions..." })
+function DefaultLoading2() {
+  return /* @__PURE__ */ jsx4("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs2("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx4("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600" }),
+    /* @__PURE__ */ jsx4("span", { className: "text-sec-600", children: "Checking permissions..." })
   ] }) });
 }
 
-// src/rbac/components/SecureDataProvider.tsx
+// src/rbac/components/RoleBasedRouter.tsx
+import { useMemo as useMemo5, useCallback as useCallback5, useEffect as useEffect5, useState as useState5, createContext as createContext3, useContext as useContext3 } from "react";
+import { useLocation, useNavigate, Outlet } from "react-router-dom";
 init_UnifiedAuthProvider();
-import { createContext as createContext2, useContext as useContext3, useState as useState4, useCallback as useCallback4, useMemo as useMemo4, useEffect as useEffect4 } from "react";
-import { jsx as jsx4 } from "react/jsx-runtime";
-var SecureDataContext = createContext2(null);
-function SecureDataProvider({
+import { jsx as jsx5, jsxs as jsxs3 } from "react/jsx-runtime";
+var RoleBasedRouterContext = createContext3(null);
+function RoleBasedRouter({
+  routes,
+  fallbackRoute = "/unauthorized",
   children,
   strictMode = true,
   auditLog = true,
-  onDataAccess,
+  onRouteAccess,
   onStrictModeViolation,
   maxHistorySize = 1e3,
-  enforceRLS = true
+  unauthorizedComponent: UnauthorizedComponent = DefaultUnauthorizedComponent
 }) {
   const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
-  const { validateContext } = useSecureDataAccess();
-  const [dataAccessHistory, setDataAccessHistory] = useState4([]);
-  const [isEnabled, setIsEnabled] = useState4(true);
-  const currentScope = useMemo4(() => {
+  const location = useLocation();
+  const navigate = useNavigate();
+  const [routeAccessHistory, setRouteAccessHistory] = useState5([]);
+  const [currentRoute, setCurrentRoute] = useState5("");
+  const currentScope = useMemo5(() => {
     if (!selectedOrganisationId) return null;
     return {
       organisationId: selectedOrganisationId,
@@ -1151,281 +829,14 @@ function SecureDataProvider({
       appId: void 0
     };
   }, [selectedOrganisationId, selectedEventId]);
-  const isDataAccessAllowed = useCallback4((table, operation, scope) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    const permission = `${operation}:data.${table}`;
-    return true;
-  }, [isEnabled, user?.id, currentScope]);
-  const getDataAccessPermissions = useCallback4(() => {
-    if (!isEnabled || !user?.id) return {};
-    return {};
-  }, [isEnabled, user?.id]);
-  const getDataAccessHistory = useCallback4(() => {
-    return [...dataAccessHistory];
-  }, [dataAccessHistory]);
-  const clearDataAccessHistory = useCallback4(() => {
-    setDataAccessHistory([]);
-  }, []);
-  const validateDataAccess = useCallback4((table, operation, scope) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    try {
-      validateContext();
-    } catch (error) {
-      console.error(`[SecureDataProvider] Organisation context validation failed:`, error);
-      return false;
-    }
-    return isDataAccessAllowed(table, operation, effectiveScope);
-  }, [isEnabled, user?.id, currentScope, validateContext, isDataAccessAllowed]);
-  const recordDataAccess = useCallback4((table, operation, allowed, query, filters, scope) => {
-    if (!auditLog || !user?.id) return;
-    const record = {
-      table,
-      operation,
-      userId: user.id,
-      scope: scope || currentScope || { organisationId: "" },
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      query,
-      filters
-    };
-    setDataAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    if (onDataAccess) {
-      onDataAccess(table, operation, allowed, record);
-    }
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(table, operation, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onDataAccess, onStrictModeViolation, strictMode]);
-  const contextValue = useMemo4(() => ({
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isEnabled,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  }), [
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isEnabled,
-    strictMode,
-    auditLog,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  ]);
-  useEffect4(() => {
-    if (strictMode && auditLog) {
-      console.log(`[SecureDataProvider] Strict mode enabled - all data access attempts will be logged and enforced`);
-    }
-  }, [strictMode, auditLog]);
-  useEffect4(() => {
-    if (enforceRLS && auditLog) {
-      console.log(`[SecureDataProvider] RLS enforcement enabled - all queries will include organisation context`);
-    }
-  }, [enforceRLS, auditLog]);
-  return /* @__PURE__ */ jsx4(SecureDataContext.Provider, { value: contextValue, children });
-}
-function useSecureData() {
-  const context = useContext3(SecureDataContext);
-  if (!context) {
-    throw new Error("useSecureData must be used within a SecureDataProvider");
-  }
-  return context;
-}
-
-// src/rbac/components/PermissionEnforcer.tsx
-import { useMemo as useMemo5, useEffect as useEffect5, useState as useState5 } from "react";
-init_UnifiedAuthProvider();
-import { Fragment as Fragment3, jsx as jsx5, jsxs as jsxs3 } from "react/jsx-runtime";
-function PermissionEnforcer({
-  permissions,
-  operation,
-  children,
-  fallback = /* @__PURE__ */ jsx5(DefaultAccessDenied2, {}),
-  strictMode = true,
-  auditLog = true,
-  scope,
-  onDenied,
-  loading = /* @__PURE__ */ jsx5(DefaultLoading2, {}),
-  requireAll = true
-}) {
-  const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState5(false);
-  const [checkError, setCheckError] = useState5(null);
-  const [permissionResults, setPermissionResults] = useState5({});
-  const [resolvedScope, setResolvedScope] = useState5(null);
-  useEffect5(() => {
-    const resolveScope = async () => {
-      if (scope) {
-        setResolvedScope(scope);
-        return;
-      }
-      if (selectedOrganisationId && selectedEventId) {
-        setResolvedScope({
-          organisationId: selectedOrganisationId,
-          eventId: selectedEventId,
-          appId: void 0
-        });
-        return;
-      }
-      if (selectedOrganisationId) {
-        setResolvedScope({
-          organisationId: selectedOrganisationId,
-          eventId: selectedEventId || void 0,
-          appId: void 0
-        });
-        return;
-      }
-      if (selectedEventId && supabase) {
-        try {
-          const eventScope = await createScopeFromEvent(supabase, selectedEventId);
-          if (!eventScope) {
-            setCheckError(new Error("Could not resolve organization from event context"));
-            return;
-          }
-          setResolvedScope(eventScope);
-        } catch (error2) {
-          setCheckError(error2);
-        }
-        return;
-      }
-      setCheckError(new Error("Either organisation context or event context is required for permission checking"));
-    };
-    resolveScope();
-  }, [scope, selectedOrganisationId, selectedEventId, supabase]);
-  const representativePermission = permissions[0];
-  const { can, isLoading, error } = useCan(
-    user?.id || "",
-    resolvedScope || { eventId: selectedEventId || void 0 },
-    representativePermission,
-    void 0,
-    true
-    // Use cache
-  );
-  const hasRequiredPermissions = useMemo5(() => {
-    if (permissions.length === 0) return true;
-    return can;
-  }, [permissions, can]);
-  useEffect5(() => {
-    if (!isLoading && !error) {
-      setHasChecked(true);
-      setCheckError(null);
-      if (!hasRequiredPermissions && onDenied) {
-        onDenied(permissions, operation);
-      }
-    } else if (error) {
-      setCheckError(error);
-      setHasChecked(true);
-    }
-  }, [hasRequiredPermissions, isLoading, error, permissions, operation, onDenied]);
-  useEffect5(() => {
-    if (auditLog && hasChecked && !isLoading) {
-      console.log(`[PermissionEnforcer] Permission check attempt:`, {
-        permissions,
-        operation,
-        userId: user?.id,
-        scope: resolvedScope,
-        allowed: hasRequiredPermissions,
-        requireAll,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [auditLog, hasChecked, isLoading, permissions, operation, user?.id, resolvedScope, hasRequiredPermissions, requireAll]);
-  useEffect5(() => {
-    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
-      console.error(`[PermissionEnforcer] STRICT MODE VIOLATION: User attempted to perform operation without permission`, {
-        permissions,
-        operation,
-        userId: user?.id,
-        scope: resolvedScope,
-        requireAll,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, permissions, operation, user?.id, resolvedScope, requireAll]);
-  if (isLoading || !hasChecked) {
-    return /* @__PURE__ */ jsx5(Fragment3, { children: loading });
-  }
-  if (checkError) {
-    console.error(`[PermissionEnforcer] Permission check failed for operation ${operation}:`, checkError);
-    return /* @__PURE__ */ jsx5(Fragment3, { children: fallback });
-  }
-  if (!hasRequiredPermissions) {
-    return /* @__PURE__ */ jsx5(Fragment3, { children: fallback });
-  }
-  return /* @__PURE__ */ jsx5(Fragment3, { children });
-}
-function DefaultAccessDenied2() {
-  return /* @__PURE__ */ jsxs3("div", { className: "flex flex-col items-center justify-center min-h-[200px] p-8 text-center", children: [
-    /* @__PURE__ */ jsx5("div", { className: "mb-4", children: /* @__PURE__ */ jsx5("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx5("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
-    /* @__PURE__ */ jsx5("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
-    /* @__PURE__ */ jsx5("p", { className: "text-sec-600 mb-4", children: "You don't have permission to perform this operation." }),
-    /* @__PURE__ */ jsx5(
-      "button",
-      {
-        onClick: () => window.history.back(),
-        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
-        children: "Go Back"
-      }
-    )
-  ] });
-}
-function DefaultLoading2() {
-  return /* @__PURE__ */ jsx5("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs3("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx5("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600" }),
-    /* @__PURE__ */ jsx5("span", { className: "text-sec-600", children: "Checking permissions..." })
-  ] }) });
-}
-
-// src/rbac/components/RoleBasedRouter.tsx
-import { useMemo as useMemo6, useCallback as useCallback6, useEffect as useEffect6, useState as useState6, createContext as createContext3, useContext as useContext4 } from "react";
-import { useLocation, useNavigate, Outlet } from "react-router-dom";
-init_UnifiedAuthProvider();
-import { jsx as jsx6, jsxs as jsxs4 } from "react/jsx-runtime";
-var RoleBasedRouterContext = createContext3(null);
-function RoleBasedRouter({
-  routes,
-  fallbackRoute = "/unauthorized",
-  children,
-  strictMode = true,
-  auditLog = true,
-  onRouteAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3,
-  unauthorizedComponent: UnauthorizedComponent = DefaultUnauthorizedComponent
-}) {
-  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
-  const location = useLocation();
-  const navigate = useNavigate();
-  const [routeAccessHistory, setRouteAccessHistory] = useState6([]);
-  const [currentRoute, setCurrentRoute] = useState6("");
-  const currentScope = useMemo6(() => {
-    if (!selectedOrganisationId) return null;
-    return {
-      organisationId: selectedOrganisationId,
-      eventId: selectedEventId || void 0,
-      appId: void 0
-    };
-  }, [selectedOrganisationId, selectedEventId]);
-  const currentRouteConfig = useMemo6(() => {
-    const currentPath = location.pathname;
-    return routes.find((route) => route.path === currentPath) || null;
-  }, [routes, location.pathname]);
-  const canAccessRoute = useCallback6((path) => {
-    if (!user?.id || !currentScope) return false;
-    const routeConfig = routes.find((route) => route.path === path);
-    if (!routeConfig) return false;
+  const currentRouteConfig = useMemo5(() => {
+    const currentPath = location.pathname;
+    return routes.find((route) => route.path === currentPath) || null;
+  }, [routes, location.pathname]);
+  const canAccessRoute = useCallback5((path) => {
+    if (!user?.id || !currentScope) return false;
+    const routeConfig = routes.find((route) => route.path === path);
+    if (!routeConfig) return false;
     return true;
   }, [user?.id, currentScope, routes]);
   const { can: canAccessCurrentRoute, isLoading: permissionLoading } = useCan(
@@ -1437,20 +848,20 @@ function RoleBasedRouter({
   const hasPermissions = currentRouteConfig?.permissions && currentRouteConfig.permissions.length > 0;
   const finalCanAccess = hasPermissions ? canAccessCurrentRoute : false;
   const finalLoading = hasPermissions ? permissionLoading : false;
-  const getAccessibleRoutes = useCallback6(() => {
+  const getAccessibleRoutes = useCallback5(() => {
     if (!user?.id || !currentScope) return [];
     return routes.filter((route) => canAccessRoute(route.path));
   }, [user?.id, currentScope, routes, canAccessRoute]);
-  const getRouteConfig = useCallback6((path) => {
+  const getRouteConfig = useCallback5((path) => {
     return routes.find((route) => route.path === path) || null;
   }, [routes]);
-  const getRouteAccessHistory = useCallback6(() => {
+  const getRouteAccessHistory = useCallback5(() => {
     return [...routeAccessHistory];
   }, [routeAccessHistory]);
-  const clearRouteAccessHistory = useCallback6(() => {
+  const clearRouteAccessHistory = useCallback5(() => {
     setRouteAccessHistory([]);
   }, []);
-  const recordRouteAccess = useCallback6((route, allowed, routeConfig) => {
+  const recordRouteAccess = useCallback5((route, allowed, routeConfig) => {
     if (!auditLog || !user?.id || !currentScope) return;
     const record = {
       route,
@@ -1474,7 +885,7 @@ function RoleBasedRouter({
       onStrictModeViolation(route, record);
     }
   }, [auditLog, user?.id, currentScope, maxHistorySize, onRouteAccess, onStrictModeViolation, strictMode]);
-  useEffect6(() => {
+  useEffect5(() => {
     const currentPath = location.pathname;
     setCurrentRoute(currentPath);
     if (!currentRouteConfig) {
@@ -1503,7 +914,7 @@ function RoleBasedRouter({
       navigate(fallbackRoute, { replace: true });
     }
   }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute]);
-  const contextValue = useMemo6(() => ({
+  const contextValue = useMemo5(() => ({
     getAccessibleRoutes,
     canAccessRoute,
     getRouteConfig,
@@ -1521,13 +932,13 @@ function RoleBasedRouter({
     auditLog
   ]);
   if (finalLoading) {
-    return /* @__PURE__ */ jsx6("div", { className: "flex items-center justify-center min-h-screen", children: /* @__PURE__ */ jsxs4("div", { className: "text-center", children: [
-      /* @__PURE__ */ jsx6("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600 mx-auto mb-4" }),
-      /* @__PURE__ */ jsx6("p", { className: "text-sec-600", children: "Checking permissions..." })
+    return /* @__PURE__ */ jsx5("div", { className: "flex items-center justify-center min-h-screen", children: /* @__PURE__ */ jsxs3("div", { className: "text-center", children: [
+      /* @__PURE__ */ jsx5("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600 mx-auto mb-4" }),
+      /* @__PURE__ */ jsx5("p", { className: "text-sec-600", children: "Checking permissions..." })
     ] }) });
   }
   if (currentRouteConfig && !finalCanAccess) {
-    return /* @__PURE__ */ jsx6(
+    return /* @__PURE__ */ jsx5(
       UnauthorizedComponent,
       {
         route: currentRoute,
@@ -1535,31 +946,31 @@ function RoleBasedRouter({
       }
     );
   }
-  return /* @__PURE__ */ jsxs4(RoleBasedRouterContext.Provider, { value: contextValue, children: [
+  return /* @__PURE__ */ jsxs3(RoleBasedRouterContext.Provider, { value: contextValue, children: [
     children,
-    /* @__PURE__ */ jsx6(Outlet, {})
+    /* @__PURE__ */ jsx5(Outlet, {})
   ] });
 }
 function useRoleBasedRouter() {
-  const context = useContext4(RoleBasedRouterContext);
+  const context = useContext3(RoleBasedRouterContext);
   if (!context) {
     throw new Error("useRoleBasedRouter must be used within a RoleBasedRouter");
   }
   return context;
 }
 function DefaultUnauthorizedComponent({ route, reason }) {
-  return /* @__PURE__ */ jsxs4("div", { className: "flex flex-col items-center justify-center min-h-screen p-8 text-center", children: [
-    /* @__PURE__ */ jsx6("div", { className: "mb-4", children: /* @__PURE__ */ jsx6("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx6("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
-    /* @__PURE__ */ jsx6("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
-    /* @__PURE__ */ jsxs4("p", { className: "text-sec-600 mb-4", children: [
+  return /* @__PURE__ */ jsxs3("div", { className: "flex flex-col items-center justify-center min-h-screen p-8 text-center", children: [
+    /* @__PURE__ */ jsx5("div", { className: "mb-4", children: /* @__PURE__ */ jsx5("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx5("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
+    /* @__PURE__ */ jsx5("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
+    /* @__PURE__ */ jsxs3("p", { className: "text-sec-600 mb-4", children: [
       "You don't have permission to access ",
-      /* @__PURE__ */ jsx6("code", { className: "bg-sec-100 px-2 py-1 rounded", children: route })
+      /* @__PURE__ */ jsx5("code", { className: "bg-sec-100 px-2 py-1 rounded", children: route })
     ] }),
-    /* @__PURE__ */ jsxs4("p", { className: "text-sm text-sec-500 mb-4", children: [
+    /* @__PURE__ */ jsxs3("p", { className: "text-sm text-sec-500 mb-4", children: [
       "Reason: ",
       reason
     ] }),
-    /* @__PURE__ */ jsx6(
+    /* @__PURE__ */ jsx5(
       "button",
       {
         onClick: () => window.history.back(),
@@ -1572,8 +983,8 @@ function DefaultUnauthorizedComponent({ route, reason }) {
 
 // src/rbac/components/NavigationProvider.tsx
 init_UnifiedAuthProvider();
-import { createContext as createContext4, useContext as useContext5, useState as useState7, useCallback as useCallback7, useMemo as useMemo7, useEffect as useEffect7 } from "react";
-import { jsx as jsx7 } from "react/jsx-runtime";
+import { createContext as createContext4, useContext as useContext4, useState as useState6, useCallback as useCallback6, useMemo as useMemo6, useEffect as useEffect6 } from "react";
+import { jsx as jsx6 } from "react/jsx-runtime";
 var NavigationContext = createContext4(null);
 function NavigationProvider({
   children,
@@ -1584,9 +995,9 @@ function NavigationProvider({
   maxHistorySize = 1e3
 }) {
   const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
-  const [navigationAccessHistory, setNavigationAccessHistory] = useState7([]);
-  const [isEnabled, setIsEnabled] = useState7(true);
-  const currentScope = useMemo7(() => {
+  const [navigationAccessHistory, setNavigationAccessHistory] = useState6([]);
+  const [isEnabled, setIsEnabled] = useState6(true);
+  const currentScope = useMemo6(() => {
     if (!selectedOrganisationId) return null;
     return {
       organisationId: selectedOrganisationId,
@@ -1594,27 +1005,27 @@ function NavigationProvider({
       appId: void 0
     };
   }, [selectedOrganisationId, selectedEventId]);
-  const hasNavigationPermission = useCallback7((item) => {
+  const hasNavigationPermission = useCallback6((item) => {
     if (!isEnabled) return true;
     if (!user?.id) return false;
     if (!currentScope) return false;
     return true;
   }, [isEnabled, user?.id, currentScope]);
-  const getNavigationPermissions = useCallback7(() => {
+  const getNavigationPermissions = useCallback6(() => {
     if (!isEnabled || !user?.id) return {};
     return {};
   }, [isEnabled, user?.id]);
-  const getFilteredNavigationItems = useCallback7((items) => {
+  const getFilteredNavigationItems = useCallback6((items) => {
     if (!isEnabled) return items;
     return items.filter((item) => hasNavigationPermission(item));
   }, [isEnabled, hasNavigationPermission]);
-  const getNavigationAccessHistory = useCallback7(() => {
+  const getNavigationAccessHistory = useCallback6(() => {
     return [...navigationAccessHistory];
   }, [navigationAccessHistory]);
-  const clearNavigationAccessHistory = useCallback7(() => {
+  const clearNavigationAccessHistory = useCallback6(() => {
     setNavigationAccessHistory([]);
   }, []);
-  const recordNavigationAccess = useCallback7((item, allowed) => {
+  const recordNavigationAccess = useCallback6((item, allowed) => {
     if (!auditLog || !user?.id || !currentScope) return;
     const record = {
       navigationItem: item.id,
@@ -1638,7 +1049,7 @@ function NavigationProvider({
       onStrictModeViolation(item, record);
     }
   }, [auditLog, user?.id, currentScope, maxHistorySize, onNavigationAccess, onStrictModeViolation, strictMode]);
-  const contextValue = useMemo7(() => ({
+  const contextValue = useMemo6(() => ({
     hasNavigationPermission,
     getNavigationPermissions,
     getFilteredNavigationItems,
@@ -1657,15 +1068,15 @@ function NavigationProvider({
     getNavigationAccessHistory,
     clearNavigationAccessHistory
   ]);
-  useEffect7(() => {
+  useEffect6(() => {
     if (strictMode && auditLog) {
       console.log(`[NavigationProvider] Strict mode enabled - all navigation access attempts will be logged and enforced`);
     }
   }, [strictMode, auditLog]);
-  return /* @__PURE__ */ jsx7(NavigationContext.Provider, { value: contextValue, children });
+  return /* @__PURE__ */ jsx6(NavigationContext.Provider, { value: contextValue, children });
 }
 function useNavigationPermissions() {
-  const context = useContext5(NavigationContext);
+  const context = useContext4(NavigationContext);
   if (!context) {
     throw new Error("useNavigationPermissions must be used within a NavigationProvider");
   }
@@ -1673,25 +1084,25 @@ function useNavigationPermissions() {
 }
 
 // src/rbac/components/NavigationGuard.tsx
-import { useMemo as useMemo8, useEffect as useEffect8, useState as useState8 } from "react";
+import { useMemo as useMemo7, useEffect as useEffect7, useState as useState7 } from "react";
 init_UnifiedAuthProvider();
-import { Fragment as Fragment4, jsx as jsx8, jsxs as jsxs5 } from "react/jsx-runtime";
+import { Fragment as Fragment3, jsx as jsx7, jsxs as jsxs4 } from "react/jsx-runtime";
 function NavigationGuard({
   navigationItem,
   children,
-  fallback = /* @__PURE__ */ jsx8(DefaultAccessDenied3, {}),
+  fallback = /* @__PURE__ */ jsx7(DefaultAccessDenied3, {}),
   strictMode = true,
   auditLog = true,
   scope,
   onDenied,
-  loading = /* @__PURE__ */ jsx8(DefaultLoading3, {}),
+  loading = /* @__PURE__ */ jsx7(DefaultLoading3, {}),
   requireAll = true
 }) {
   const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState8(false);
-  const [checkError, setCheckError] = useState8(null);
-  const [resolvedScope, setResolvedScope] = useState8(null);
-  useEffect8(() => {
+  const [hasChecked, setHasChecked] = useState7(false);
+  const [checkError, setCheckError] = useState7(null);
+  const [resolvedScope, setResolvedScope] = useState7(null);
+  useEffect7(() => {
     const resolveScope = async () => {
       if (scope) {
         setResolvedScope(scope);
@@ -1739,11 +1150,11 @@ function NavigationGuard({
     true
     // Use cache
   );
-  const hasRequiredPermissions = useMemo8(() => {
+  const hasRequiredPermissions = useMemo7(() => {
     if (navigationItem.permissions.length === 0) return true;
     return can;
   }, [navigationItem.permissions, can]);
-  useEffect8(() => {
+  useEffect7(() => {
     if (!isLoading && !error) {
       setHasChecked(true);
       setCheckError(null);
@@ -1755,7 +1166,7 @@ function NavigationGuard({
       setHasChecked(true);
     }
   }, [hasRequiredPermissions, isLoading, error, navigationItem, onDenied]);
-  useEffect8(() => {
+  useEffect7(() => {
     if (auditLog && hasChecked && !isLoading) {
       console.log(`[NavigationGuard] Navigation access attempt:`, {
         navigationItem: navigationItem.id,
@@ -1768,7 +1179,7 @@ function NavigationGuard({
       });
     }
   }, [auditLog, hasChecked, isLoading, navigationItem, user?.id, resolvedScope, hasRequiredPermissions, requireAll]);
-  useEffect8(() => {
+  useEffect7(() => {
     if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
       console.error(`[NavigationGuard] STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
         navigationItem: navigationItem.id,
@@ -1781,34 +1192,34 @@ function NavigationGuard({
     }
   }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, navigationItem, user?.id, resolvedScope, requireAll]);
   if (isLoading || !resolvedScope || !hasChecked) {
-    return /* @__PURE__ */ jsx8(Fragment4, { children: loading });
+    return /* @__PURE__ */ jsx7(Fragment3, { children: loading });
   }
   if (checkError) {
     console.error(`[NavigationGuard] Permission check failed for navigation item ${navigationItem.id}:`, checkError);
-    return /* @__PURE__ */ jsx8(Fragment4, { children: fallback });
+    return /* @__PURE__ */ jsx7(Fragment3, { children: fallback });
   }
   if (!hasRequiredPermissions) {
-    return /* @__PURE__ */ jsx8(Fragment4, { children: fallback });
+    return /* @__PURE__ */ jsx7(Fragment3, { children: fallback });
   }
-  return /* @__PURE__ */ jsx8(Fragment4, { children });
+  return /* @__PURE__ */ jsx7(Fragment3, { children });
 }
 function DefaultAccessDenied3() {
-  return /* @__PURE__ */ jsx8("div", { className: "flex items-center justify-center p-2 text-center", children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx8("svg", { className: "w-4 h-4 text-acc-500", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx8("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }),
-    /* @__PURE__ */ jsx8("span", { className: "text-sm text-sec-600", children: "Access Denied" })
+  return /* @__PURE__ */ jsx7("div", { className: "flex items-center justify-center p-2 text-center", children: /* @__PURE__ */ jsxs4("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx7("svg", { className: "w-4 h-4 text-acc-500", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx7("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }),
+    /* @__PURE__ */ jsx7("span", { className: "text-sm text-sec-600", children: "Access Denied" })
   ] }) });
 }
 function DefaultLoading3() {
-  return /* @__PURE__ */ jsx8("div", { className: "flex items-center justify-center p-2", children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx8("div", { className: "animate-spin rounded-full h-4 w-4 border-b-2 border-main-600" }),
-    /* @__PURE__ */ jsx8("span", { className: "text-sm text-sec-600", children: "Checking..." })
+  return /* @__PURE__ */ jsx7("div", { className: "flex items-center justify-center p-2", children: /* @__PURE__ */ jsxs4("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx7("div", { className: "animate-spin rounded-full h-4 w-4 border-b-2 border-main-600" }),
+    /* @__PURE__ */ jsx7("span", { className: "text-sm text-sec-600", children: "Checking..." })
   ] }) });
 }
 var NavigationGuard_default = NavigationGuard;
 
 // src/rbac/components/EnhancedNavigationMenu.tsx
-import { useMemo as useMemo9, useCallback as useCallback9, useEffect as useEffect9, useState as useState9 } from "react";
-import { jsx as jsx9, jsxs as jsxs6 } from "react/jsx-runtime";
+import { useMemo as useMemo8, useCallback as useCallback8, useEffect as useEffect8, useState as useState8 } from "react";
+import { jsx as jsx8, jsxs as jsxs5 } from "react/jsx-runtime";
 function EnhancedNavigationMenu({
   items,
   strictMode = true,
@@ -1831,12 +1242,12 @@ function EnhancedNavigationMenu({
     isStrictMode,
     isAuditLogEnabled
   } = useNavigationPermissions();
-  const [navigationHistory, setNavigationHistory] = useState9([]);
-  const filteredItems = useMemo9(() => {
+  const [navigationHistory, setNavigationHistory] = useState8([]);
+  const filteredItems = useMemo8(() => {
     if (!isEnabled) return items;
     return getFilteredNavigationItems(items);
   }, [isEnabled, items, getFilteredNavigationItems]);
-  const handleItemClick = useCallback9((item) => {
+  const handleItemClick = useCallback8((item) => {
     if (onItemClick) {
       onItemClick(item);
     }
@@ -1853,7 +1264,7 @@ function EnhancedNavigationMenu({
       return newHistory.slice(0, 10);
     });
   }, [onItemClick, auditLog]);
-  const handleNavigationAccess = useCallback9((item, allowed) => {
+  const handleNavigationAccess = useCallback8((item, allowed) => {
     if (onNavigationAccess) {
       onNavigationAccess(item, allowed);
     }
@@ -1866,7 +1277,7 @@ function EnhancedNavigationMenu({
       });
     }
   }, [onNavigationAccess, auditLog, strictMode]);
-  const handleStrictModeViolation = useCallback9((item) => {
+  const handleStrictModeViolation = useCallback8((item) => {
     if (onStrictModeViolation) {
       onStrictModeViolation(item);
     }
@@ -1879,31 +1290,31 @@ function EnhancedNavigationMenu({
       });
     }
   }, [onStrictModeViolation, strictMode]);
-  const defaultRenderItem = useCallback9((item, isAuthorized) => {
+  const defaultRenderItem = useCallback8((item, isAuthorized) => {
     const isActive = activePath === item.path;
     const isDisabled = !isAuthorized;
-    return /* @__PURE__ */ jsx9(
+    return /* @__PURE__ */ jsx8(
       NavigationGuard_default,
       {
         navigationItem: item,
         strictMode,
         auditLog,
         onDenied: handleStrictModeViolation,
-        fallback: hideUnauthorizedItems ? null : /* @__PURE__ */ jsx9("div", { className: `${itemClassName} ${disabledItemClassName}`, children: /* @__PURE__ */ jsxs6("div", { className: "flex items-center space-x-2", children: [
-          item.meta?.icon && /* @__PURE__ */ jsx9("span", { className: "text-sm", children: item.meta.icon }),
-          /* @__PURE__ */ jsx9("span", { children: item.label }),
-          /* @__PURE__ */ jsx9("span", { className: "text-xs text-sec-400", children: "(Access Denied)" })
+        fallback: hideUnauthorizedItems ? null : /* @__PURE__ */ jsx8("div", { className: `${itemClassName} ${disabledItemClassName}`, children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
+          item.meta?.icon && /* @__PURE__ */ jsx8("span", { className: "text-sm", children: item.meta.icon }),
+          /* @__PURE__ */ jsx8("span", { children: item.label }),
+          /* @__PURE__ */ jsx8("span", { className: "text-xs text-sec-400", children: "(Access Denied)" })
         ] }) }),
-        children: /* @__PURE__ */ jsx9(
+        children: /* @__PURE__ */ jsx8(
           "button",
           {
             onClick: () => handleItemClick(item),
             className: `${itemClassName} ${isActive ? activeItemClassName : ""} ${isDisabled ? disabledItemClassName : "hover:bg-sec-100"}`,
             disabled: isDisabled,
-            children: /* @__PURE__ */ jsxs6("div", { className: "flex items-center space-x-2", children: [
-              item.meta?.icon && /* @__PURE__ */ jsx9("span", { className: "text-sm", children: item.meta.icon }),
-              /* @__PURE__ */ jsx9("span", { children: item.label }),
-              item.meta?.description && /* @__PURE__ */ jsx9("span", { className: "text-xs text-sec-500 ml-auto", children: item.meta.description })
+            children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
+              item.meta?.icon && /* @__PURE__ */ jsx8("span", { className: "text-sm", children: item.meta.icon }),
+              /* @__PURE__ */ jsx8("span", { children: item.label }),
+              item.meta?.description && /* @__PURE__ */ jsx8("span", { className: "text-xs text-sec-500 ml-auto", children: item.meta.description })
             ] })
           }
         )
@@ -1921,12 +1332,12 @@ function EnhancedNavigationMenu({
     handleStrictModeViolation,
     handleItemClick
   ]);
-  useEffect9(() => {
+  useEffect8(() => {
     if (strictMode && auditLog) {
       console.log(`[EnhancedNavigationMenu] Strict mode enabled - all navigation access attempts will be logged and enforced`);
     }
   }, [strictMode, auditLog]);
-  useEffect9(() => {
+  useEffect8(() => {
     if (auditLog) {
       console.log(`[EnhancedNavigationMenu] Navigation menu initialized:`, {
         totalItems: items.length,
@@ -1936,7 +1347,7 @@ function EnhancedNavigationMenu({
       });
     }
   }, [items.length, filteredItems.length, strictMode, auditLog]);
-  return /* @__PURE__ */ jsx9("nav", { className, children: filteredItems.map((item) => {
+  return /* @__PURE__ */ jsx8("nav", { className, children: filteredItems.map((item) => {
     const isAuthorized = hasNavigationPermission(item);
     if (renderItem) {
       return renderItem(item, isAuthorized);
@@ -1945,6 +1356,353 @@ function EnhancedNavigationMenu({
   }) });
 }
 
+// src/rbac/adapters.tsx
+import React9, { useContext as useContext5 } from "react";
+import { Fragment as Fragment4, jsx as jsx9, jsxs as jsxs6 } from "react/jsx-runtime";
+function PermissionGuard({
+  userId,
+  scope,
+  permission,
+  pageId,
+  children,
+  fallback = null,
+  onDenied,
+  loading = null,
+  // NEW: Phase 1 - Enhanced Security Features
+  strictMode = true,
+  auditLog = true,
+  enforceAudit = true
+}) {
+  const logger = getRBACLogger();
+  const authContext = useContext5(React9.createContext(null));
+  let effectiveUserId = userId;
+  if (!effectiveUserId) {
+    try {
+      if (authContext?.user?.id) {
+        effectiveUserId = authContext.user.id;
+      } else {
+        const globalUser = window.__PACE_USER__;
+        if (globalUser?.id) {
+          effectiveUserId = globalUser.id;
+        }
+      }
+    } catch (error2) {
+      logger.debug("Could not infer userId from context:", error2);
+    }
+  }
+  const { can, isLoading, error } = useCan(effectiveUserId || "", scope, permission, pageId);
+  if (!effectiveUserId) {
+    logger.error("PermissionGuard: No userId provided and could not infer from context");
+    return /* @__PURE__ */ jsxs6("div", { className: "rbac-error", role: "alert", children: [
+      /* @__PURE__ */ jsx9("p", { children: "Permission check failed: User context not available" }),
+      /* @__PURE__ */ jsxs6("details", { children: [
+        /* @__PURE__ */ jsx9("summary", { children: "Debug info" }),
+        /* @__PURE__ */ jsx9("p", { children: "Make sure to either:" }),
+        /* @__PURE__ */ jsxs6("ul", { children: [
+          /* @__PURE__ */ jsx9("li", { children: "Pass userId prop explicitly" }),
+          /* @__PURE__ */ jsx9("li", { children: "Wrap your app with an auth provider" }),
+          /* @__PURE__ */ jsx9("li", { children: "Set window.__PACE_USER__ with user data" })
+        ] })
+      ] })
+    ] });
+  }
+  if (isLoading) {
+    return loading || /* @__PURE__ */ jsx9("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx9("span", { className: "sr-only", children: "Checking permissions..." }) });
+  }
+  if (error) {
+    logger.error("Permission check failed:", error);
+    if (auditLog) {
+      logger.info(`[PermissionGuard] Permission check failed:`, {
+        userId: effectiveUserId,
+        scope,
+        permission,
+        pageId,
+        error: error.message,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    return fallback;
+  }
+  if (!can) {
+    if (auditLog) {
+      logger.info(`[PermissionGuard] Permission denied:`, {
+        userId: effectiveUserId,
+        scope,
+        permission,
+        pageId,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    if (strictMode) {
+      logger.error(`[PermissionGuard] STRICT MODE VIOLATION: User attempted to access protected resource without permission`, {
+        userId: effectiveUserId,
+        scope,
+        permission,
+        pageId,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+    if (onDenied) {
+      onDenied();
+    }
+    return /* @__PURE__ */ jsx9(Fragment4, { children: fallback });
+  }
+  if (auditLog) {
+    logger.info(`[PermissionGuard] Permission granted:`, {
+      userId: effectiveUserId,
+      scope,
+      permission,
+      pageId,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+  return /* @__PURE__ */ jsx9(Fragment4, { children });
+}
+function AccessLevelGuard({
+  userId,
+  scope,
+  minLevel,
+  children,
+  fallback = null,
+  loading = null
+}) {
+  const logger = getRBACLogger();
+  const authContext = useContext5(React9.createContext(null));
+  let effectiveUserId = userId;
+  if (!effectiveUserId) {
+    try {
+      if (authContext?.user?.id) {
+        effectiveUserId = authContext.user.id;
+      } else {
+        const globalUser = window.__PACE_USER__;
+        if (globalUser?.id) {
+          effectiveUserId = globalUser.id;
+        }
+      }
+    } catch (error2) {
+      logger.debug("Could not infer userId from context:", error2);
+    }
+  }
+  const { accessLevel, isLoading, error } = useAccessLevel(effectiveUserId || "", scope);
+  if (!effectiveUserId) {
+    logger.error("AccessLevelGuard: No userId provided and could not infer from context");
+    return /* @__PURE__ */ jsxs6("div", { className: "rbac-error", role: "alert", children: [
+      /* @__PURE__ */ jsx9("p", { children: "Access level check failed: User context not available" }),
+      /* @__PURE__ */ jsxs6("details", { children: [
+        /* @__PURE__ */ jsx9("summary", { children: "Debug info" }),
+        /* @__PURE__ */ jsx9("p", { children: "Make sure to either:" }),
+        /* @__PURE__ */ jsxs6("ul", { children: [
+          /* @__PURE__ */ jsx9("li", { children: "Pass userId prop explicitly" }),
+          /* @__PURE__ */ jsx9("li", { children: "Wrap your app with an auth provider" }),
+          /* @__PURE__ */ jsx9("li", { children: "Set window.__PACE_USER__ with user data" })
+        ] })
+      ] })
+    ] });
+  }
+  if (isLoading) {
+    return loading || /* @__PURE__ */ jsx9("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx9("span", { className: "sr-only", children: "Checking access level..." }) });
+  }
+  if (error) {
+    logger.error("Access level check failed:", error);
+    return fallback;
+  }
+  const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
+  const userLevelIndex = accessLevel ? levelHierarchy.indexOf(accessLevel) : -1;
+  const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
+  if (userLevelIndex < requiredLevelIndex) {
+    return /* @__PURE__ */ jsx9(Fragment4, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx9(Fragment4, { children });
+}
+function withPermissionGuard(config, handler) {
+  return async (...args) => {
+    const [req] = args;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      throw new Error("User context required for permission check");
+    }
+    const { isPermitted: isPermitted2 } = await import("../api-ETQ6YJ3C.js");
+    const hasPermission2 = await isPermitted2({
+      userId,
+      scope: { organisationId, eventId, appId },
+      permission: config.permission,
+      pageId: config.pageId
+    });
+    if (!hasPermission2) {
+      throw new Error(`Permission denied: ${config.permission}`);
+    }
+    return handler(...args);
+  };
+}
+function withAccessLevelGuard(minLevel, handler) {
+  return async (...args) => {
+    const [req] = args;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      throw new Error("User context required for access level check");
+    }
+    const { getAccessLevel: getAccessLevel2 } = await import("../api-ETQ6YJ3C.js");
+    const accessLevel = await getAccessLevel2({
+      userId,
+      scope: { organisationId, eventId, appId }
+    });
+    const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
+    const userLevelIndex = levelHierarchy.indexOf(accessLevel);
+    const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
+    if (userLevelIndex < requiredLevelIndex) {
+      throw new Error(`Access level required: ${minLevel}, got: ${accessLevel}`);
+    }
+    return handler(...args);
+  };
+}
+function withRoleGuard(config, handler) {
+  return async (...args) => {
+    const [req] = args;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      throw new Error("User context required for role check");
+    }
+    if (config.globalRoles && config.globalRoles.length > 0) {
+      const { isSuperAdmin } = await import("../api-ETQ6YJ3C.js");
+      const isSuper = await isSuperAdmin(userId);
+      if (isSuper) {
+        if (organisationId) {
+          const { emitAuditEvent: emitAuditEvent2 } = await import("../audit-BUW3LMJB.js");
+          await emitAuditEvent2({
+            type: "permission_check",
+            userId,
+            organisationId,
+            eventId,
+            appId,
+            permission: "bypass:all",
+            decision: true,
+            source: "api",
+            bypass: true,
+            duration_ms: 0,
+            metadata: {
+              operation: "role_guard",
+              reason: "super_admin_bypass"
+            }
+          });
+        }
+        return handler(...args);
+      }
+    }
+    if (config.organisationRoles && config.organisationRoles.length > 0) {
+      const { isOrganisationAdmin } = await import("../api-ETQ6YJ3C.js");
+      const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
+      if (!isOrgAdmin && config.requireAll !== false) {
+        throw new Error(`Organisation admin role required`);
+      }
+    }
+    if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
+      const { isEventAdmin } = await import("../api-ETQ6YJ3C.js");
+      const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
+      if (!isEventAdminUser && config.requireAll !== false) {
+        throw new Error(`Event admin role required`);
+      }
+    }
+    if (organisationId) {
+      const { emitAuditEvent: emitAuditEvent2 } = await import("../audit-BUW3LMJB.js");
+      await emitAuditEvent2({
+        type: "permission_check",
+        userId,
+        organisationId,
+        eventId,
+        appId,
+        permission: "role:check",
+        decision: true,
+        source: "api",
+        bypass: false,
+        duration_ms: 0,
+        metadata: {
+          operation: "role_guard"
+        }
+      });
+    }
+    return handler(...args);
+  };
+}
+function createRBACMiddleware(config) {
+  return async (req, res, next) => {
+    const { pathname } = req.nextUrl;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    if (!userId || !organisationId) {
+      return res.redirect(config.fallbackUrl || "/login");
+    }
+    const protectedRoute = config.protectedRoutes.find(
+      (route) => pathname.startsWith(route.path)
+    );
+    if (protectedRoute) {
+      try {
+        const { isPermitted: isPermitted2 } = await import("../api-ETQ6YJ3C.js");
+        const hasPermission2 = await isPermitted2({
+          userId,
+          scope: { organisationId },
+          permission: protectedRoute.permission,
+          pageId: protectedRoute.pageId
+        });
+        if (!hasPermission2) {
+          return res.redirect(config.fallbackUrl || "/access-denied");
+        }
+      } catch (_error) {
+        return res.redirect(config.fallbackUrl || "/access-denied");
+      }
+    }
+    next();
+  };
+}
+function createRBACExpressMiddleware(config) {
+  return async (req, res, next) => {
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      return res.status(401).json({ error: "User context required" });
+    }
+    try {
+      const { isPermitted: isPermitted2 } = await import("../api-ETQ6YJ3C.js");
+      const hasPermission2 = await isPermitted2({
+        userId,
+        scope: { organisationId, eventId, appId },
+        permission: config.permission,
+        pageId: config.pageId
+      });
+      if (!hasPermission2) {
+        return res.status(403).json({ error: "Permission denied" });
+      }
+      next();
+    } catch (_error) {
+      return res.status(500).json({ error: "Permission check failed" });
+    }
+  };
+}
+function hasPermissionCached(userId, scope, _permission, _pageId) {
+  const cacheKey = RBACCache.generatePermissionKey({
+    userId,
+    organisationId: scope.organisationId,
+    eventId: scope.eventId,
+    appId: scope.appId
+  });
+  return rbacCache.get(cacheKey) || false;
+}
+function hasAnyPermissionCached(userId, scope, permissions, pageId) {
+  return permissions.some(
+    (permission) => hasPermissionCached(userId, scope, permission, pageId)
+  );
+}
+
 // src/rbac/permissions.ts
 var GLOBAL_PERMISSIONS = {
   MANAGE_ALL: "manage:*",