@jmruthers/pace-core 0.5.1 → 0.5.3

package/dist/rbac/index.js

@@ -1,3 +1,37 @@
+import {
+  ALL_PERMISSIONS,
+  AccessLevelGuard,
+  EVENT_APP_PERMISSIONS,
+  EnhancedNavigationMenu,
+  GLOBAL_PERMISSIONS,
+  NavigationGuard,
+  NavigationProvider,
+  ORGANISATION_PERMISSIONS,
+  PAGE_PERMISSIONS,
+  PERMISSION_GROUPS,
+  PagePermissionGuard,
+  PagePermissionProvider,
+  PermissionEnforcer,
+  PermissionGuard,
+  RoleBasedRouter,
+  SecureDataProvider,
+  SecureSupabaseClient,
+  createRBACExpressMiddleware,
+  createRBACMiddleware,
+  createSecureClient,
+  fromSupabaseClient,
+  getPermissionsForRole,
+  hasAnyPermissionCached,
+  hasPermissionCached,
+  isValidPermission,
+  useNavigationPermissions,
+  usePagePermissions,
+  useRoleBasedRouter,
+  useSecureData,
+  withAccessLevelGuard,
+  withPermissionGuard,
+  withRoleGuard
+} from "../chunk-5SIXIV7R.js";
 import {
   useAccessLevel,
   useCachedPermissions,
@@ -5,11 +39,11 @@ import {
   useHasAllPermissions,
   useHasAnyPermission,
   useMultiplePermissions,
-  usePermissions
-} from "../chunk-AUE24LVR.js";
+  usePermissions,
+  useRBAC as useRBAC2
+} from "../chunk-QVYBYGT2.js";
 import {
   CACHE_PATTERNS,
-  OrganisationContextRequiredError,
   RBACCache,
   RBACEngine,
   createRBACConfig,
@@ -27,7 +61,7 @@ import {
   isPermittedCached,
   rbacCache,
   setupRBAC
-} from "../chunk-C5G2A4PO.js";
+} from "../chunk-GWSBHC4J.js";
 import {
   RBACAuditManager,
   createAuditManager,
@@ -35,1886 +69,16 @@ import {
   getGlobalAuditManager,
   setGlobalAuditManager
 } from "../chunk-7BNPOCLL.js";
+import "../chunk-HXX35Q2M.js";
+import "../chunk-HD7PYDUV.js";
 import {
-  useSecureDataAccess
-} from "../chunk-XJK2J4N6.js";
-import "../chunk-COBPIXXQ.js";
-import {
-  init_UnifiedAuthProvider,
-  useUnifiedAuth
-} from "../chunk-6CR3MRZN.js";
+  RBACProvider,
+  useRBAC
+} from "../chunk-QKHFMQ5R.js";
 import "../chunk-YDJW5XTN.js";
-import {
-  getCurrentAppName,
-  init_appNameResolver
-} from "../chunk-MZBUOP4P.js";
-import "../chunk-OEGRKULD.js";
-import "../chunk-OYRY44Q2.js";
+import "../chunk-MZBUOP4P.js";
+import "../chunk-WJARTBCT.js";
 import "../chunk-PLDDJCW6.js";
-
-// src/rbac/secureClient.ts
-import { createClient } from "@supabase/supabase-js";
-var SecureSupabaseClient = class _SecureSupabaseClient {
-  constructor(supabaseUrl, supabaseKey, organisationId, eventId, appId) {
-    this.supabaseUrl = supabaseUrl;
-    this.supabaseKey = supabaseKey;
-    this.organisationId = organisationId;
-    this.eventId = eventId;
-    this.appId = appId;
-    this.supabase = createClient(supabaseUrl, supabaseKey, {
-      global: {
-        headers: {
-          "x-organisation-id": organisationId,
-          "x-event-id": eventId || "",
-          "x-app-id": appId || ""
-        }
-      }
-    });
-    this.setupContextInjection();
-  }
-  /**
-   * Setup context injection for all database operations
-   */
-  setupContextInjection() {
-    const originalFrom = this.supabase.from.bind(this.supabase);
-    this.supabase.from = (table) => {
-      this.validateContext();
-      const query = originalFrom(table);
-      return this.injectContext(query);
-    };
-    const originalRpc = this.supabase.rpc.bind(this.supabase);
-    this.supabase.rpc = (fn, args) => {
-      this.validateContext();
-      const contextArgs = {
-        ...args,
-        p_organisation_id: this.organisationId,
-        p_event_id: this.eventId,
-        p_app_id: this.appId
-      };
-      return originalRpc(fn, contextArgs);
-    };
-  }
-  /**
-   * Inject organisation context into a query
-   */
-  injectContext(query) {
-    const originalSelect = query.select.bind(query);
-    const originalInsert = query.insert.bind(query);
-    const originalUpdate = query.update.bind(query);
-    const originalDelete = query.delete.bind(query);
-    query.select = (columns) => {
-      const result = originalSelect(columns);
-      return this.addOrganisationFilter(result);
-    };
-    query.insert = (values) => {
-      const contextValues = Array.isArray(values) ? values.map((v) => ({ ...v, organisation_id: this.organisationId })) : { ...values, organisation_id: this.organisationId };
-      return originalInsert(contextValues);
-    };
-    query.update = (values) => {
-      const result = originalUpdate(values);
-      return this.addOrganisationFilter(result);
-    };
-    query.delete = () => {
-      const result = originalDelete();
-      return this.addOrganisationFilter(result);
-    };
-    return query;
-  }
-  /**
-   * Add organisation filter to a query
-   */
-  addOrganisationFilter(query) {
-    return query.eq("organisation_id", this.organisationId);
-  }
-  /**
-   * Validate that required context is present
-   */
-  validateContext() {
-    if (!this.organisationId) {
-      throw new OrganisationContextRequiredError();
-    }
-  }
-  /**
-   * Get the current organisation ID
-   */
-  getOrganisationId() {
-    return this.organisationId;
-  }
-  /**
-   * Get the current event ID
-   */
-  getEventId() {
-    return this.eventId;
-  }
-  /**
-   * Get the current app ID
-   */
-  getAppId() {
-    return this.appId;
-  }
-  /**
-   * Create a new client with updated context
-   */
-  withContext(updates) {
-    return new _SecureSupabaseClient(
-      this.supabaseUrl,
-      this.supabaseKey,
-      updates.organisationId || this.organisationId,
-      updates.eventId !== void 0 ? updates.eventId : this.eventId,
-      updates.appId !== void 0 ? updates.appId : this.appId
-    );
-  }
-  /**
-   * Get the underlying Supabase client (for internal use only)
-   * @internal
-   */
-  getClient() {
-    return this.supabase;
-  }
-};
-function createSecureClient(supabaseUrl, supabaseKey, organisationId, eventId, appId) {
-  return new SecureSupabaseClient(supabaseUrl, supabaseKey, organisationId, eventId, appId);
-}
-function fromSupabaseClient(client, organisationId, eventId, appId) {
-  throw new Error("fromSupabaseClient is not supported. Use createSecureClient instead.");
-}
-
-// src/rbac/components/PagePermissionProvider.tsx
-init_UnifiedAuthProvider();
-import { createContext, useContext, useState, useCallback, useMemo, useEffect } from "react";
-import { jsx } from "react/jsx-runtime";
-var PagePermissionContext = createContext(null);
-function PagePermissionProvider({
-  children,
-  strictMode = true,
-  auditLog = true,
-  onPageAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3
-}) {
-  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
-  const [pageAccessHistory, setPageAccessHistory] = useState([]);
-  const [isEnabled, setIsEnabled] = useState(true);
-  const currentScope = useMemo(() => {
-    if (!selectedOrganisationId) return null;
-    return {
-      organisationId: selectedOrganisationId,
-      eventId: selectedEventId || void 0,
-      appId: void 0
-    };
-  }, [selectedOrganisationId, selectedEventId]);
-  const hasPagePermission = useCallback((pageName, operation, pageId, scope) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    const permission = `${operation}:page.${pageName}`;
-    return false;
-  }, [isEnabled, user?.id, currentScope]);
-  const getPagePermissions = useCallback(() => {
-    if (!isEnabled || !user?.id) return {};
-    return {};
-  }, [isEnabled, user?.id]);
-  const getPageAccessHistory = useCallback(() => {
-    return [...pageAccessHistory];
-  }, [pageAccessHistory]);
-  const clearPageAccessHistory = useCallback(() => {
-    setPageAccessHistory([]);
-  }, []);
-  const recordPageAccess = useCallback((pageName, operation, allowed, pageId, scope) => {
-    if (!auditLog || !user?.id) return;
-    const record = {
-      pageName,
-      operation,
-      userId: user.id,
-      scope: scope || currentScope || { organisationId: "" },
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      pageId
-    };
-    setPageAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    if (onPageAccess) {
-      onPageAccess(pageName, operation, allowed, record);
-    }
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(pageName, operation, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onPageAccess, onStrictModeViolation, strictMode]);
-  const contextValue = useMemo(() => ({
-    hasPagePermission,
-    getPagePermissions,
-    isEnabled,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog,
-    getPageAccessHistory,
-    clearPageAccessHistory
-  }), [
-    hasPagePermission,
-    getPagePermissions,
-    isEnabled,
-    strictMode,
-    auditLog,
-    getPageAccessHistory,
-    clearPageAccessHistory
-  ]);
-  useEffect(() => {
-    if (strictMode && auditLog) {
-      console.log(`[PagePermissionProvider] Strict mode enabled - all page access attempts will be logged and enforced`);
-    }
-  }, [strictMode, auditLog]);
-  return /* @__PURE__ */ jsx(PagePermissionContext.Provider, { value: contextValue, children });
-}
-function usePagePermissions() {
-  const context = useContext(PagePermissionContext);
-  if (!context) {
-    throw new Error("usePagePermissions must be used within a PagePermissionProvider");
-  }
-  return context;
-}
-
-// src/rbac/components/PagePermissionGuard.tsx
-import { useMemo as useMemo2, useEffect as useEffect2, useState as useState2 } from "react";
-init_UnifiedAuthProvider();
-
-// src/rbac/utils/eventContext.ts
-async function getOrganisationFromEvent(supabase, eventId) {
-  const { data, error } = await supabase.from("event").select("organisation_id").eq("event_id", eventId).single();
-  if (error || !data) {
-    return null;
-  }
-  return data.organisation_id;
-}
-async function createScopeFromEvent(supabase, eventId, appId) {
-  const organisationId = await getOrganisationFromEvent(supabase, eventId);
-  if (!organisationId) {
-    return null;
-  }
-  return {
-    organisationId,
-    eventId,
-    appId
-  };
-}
-
-// src/rbac/components/PagePermissionGuard.tsx
-init_appNameResolver();
-import { Fragment, jsx as jsx2, jsxs } from "react/jsx-runtime";
-function PagePermissionGuard({
-  pageName,
-  operation,
-  children,
-  fallback = /* @__PURE__ */ jsx2(DefaultAccessDenied, {}),
-  strictMode = true,
-  auditLog = true,
-  pageId,
-  scope,
-  onDenied,
-  loading = /* @__PURE__ */ jsx2(DefaultLoading, {})
-}) {
-  const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState2(false);
-  const [checkError, setCheckError] = useState2(null);
-  const [resolvedScope, setResolvedScope] = useState2(null);
-  useEffect2(() => {
-    const resolveScope = async () => {
-      if (scope) {
-        setResolvedScope(scope);
-        return;
-      }
-      let appId = void 0;
-      if (supabase) {
-        const appName = getCurrentAppName();
-        if (appName) {
-          try {
-            console.log("[PagePermissionGuard] Resolving app name to ID:", appName);
-            const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).eq("is_active", true).single();
-            if (error2) {
-              console.error("[PagePermissionGuard] Database error resolving app ID:", error2);
-              const { data: inactiveApp } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).single();
-              if (inactiveApp) {
-                console.error(`[PagePermissionGuard] App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
-              } else {
-                console.error(`[PagePermissionGuard] App "${appName}" not found in rbac_apps table`);
-              }
-            } else if (app) {
-              appId = app.id;
-              console.log("[PagePermissionGuard] Successfully resolved app ID:", app.id);
-            } else {
-              console.error("[PagePermissionGuard] No app data returned for:", appName);
-            }
-          } catch (error2) {
-            console.error("[PagePermissionGuard] Unexpected error resolving app ID:", error2);
-          }
-        } else {
-          console.error("[PagePermissionGuard] No app name found. Make sure to call setRBACAppName() in your app setup.");
-        }
-      }
-      if (selectedOrganisationId && selectedEventId) {
-        if (!appId) {
-          if (false) {
-            console.warn("[PagePermissionGuard] App ID not resolved in test environment, proceeding without it");
-          } else {
-            console.error("[PagePermissionGuard] CRITICAL: App ID not resolved. Check console for details.");
-            setCheckError(new Error("App ID not resolved. Check console for database errors."));
-            setResolvedScope(null);
-            return;
-          }
-        }
-        if (appId) {
-          const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-          if (!uuidRegex.test(appId)) {
-            console.error("[PagePermissionGuard] CRITICAL: App ID is not a valid UUID:", appId);
-            setCheckError(new Error(`Invalid app ID format: ${appId}. Expected UUID.`));
-            setResolvedScope(null);
-            return;
-          }
-        }
-        const resolvedScope2 = {
-          organisationId: selectedOrganisationId,
-          eventId: selectedEventId,
-          appId
-        };
-        console.log("[PagePermissionGuard] Setting resolved scope:", resolvedScope2);
-        setResolvedScope(resolvedScope2);
-        return;
-      }
-      if (selectedOrganisationId) {
-        if (!appId) {
-          if (false) {
-            console.warn("[PagePermissionGuard] App ID not resolved in test environment, proceeding without it");
-          } else {
-            console.error("[PagePermissionGuard] CRITICAL: App ID not resolved. Check console for details.");
-            setCheckError(new Error("App ID not resolved. Check console for database errors."));
-            setResolvedScope(null);
-            return;
-          }
-        }
-        if (appId) {
-          const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-          if (!uuidRegex.test(appId)) {
-            console.error("[PagePermissionGuard] CRITICAL: App ID is not a valid UUID:", appId);
-            setCheckError(new Error(`Invalid app ID format: ${appId}. Expected UUID.`));
-            setResolvedScope(null);
-            return;
-          }
-        }
-        const resolvedScope2 = {
-          organisationId: selectedOrganisationId,
-          eventId: selectedEventId || void 0,
-          appId
-        };
-        console.log("[PagePermissionGuard] Setting resolved scope (org only):", resolvedScope2);
-        setResolvedScope(resolvedScope2);
-        return;
-      }
-      if (selectedEventId && supabase) {
-        try {
-          const eventScope = await createScopeFromEvent(supabase, selectedEventId);
-          if (!eventScope) {
-            setCheckError(new Error("Could not resolve organization from event context"));
-            setResolvedScope(null);
-            return;
-          }
-          setResolvedScope({
-            ...eventScope,
-            appId: appId || eventScope.appId
-          });
-        } catch (error2) {
-          setCheckError(error2);
-          setResolvedScope(null);
-        }
-        return;
-      }
-      setCheckError(new Error("Either organisation context or event context is required for page permission checking"));
-      setResolvedScope(null);
-    };
-    resolveScope();
-  }, [scope, selectedOrganisationId, selectedEventId, supabase]);
-  const effectivePageId = useMemo2(() => {
-    return pageId || pageName;
-  }, [pageId, pageName]);
-  const permission = useMemo2(() => {
-    return `${operation}:page.${pageName}`;
-  }, [operation, pageName]);
-  console.log("[PagePermissionGuard] Calling useCan with scope:", resolvedScope);
-  console.log("[PagePermissionGuard] resolvedScope:", resolvedScope);
-  console.log("[PagePermissionGuard] selectedEventId:", selectedEventId);
-  console.log("[PagePermissionGuard] About to call useCan with:", {
-    userId: user?.id || "",
-    scope: resolvedScope || { organisationId: "", appId: "", eventId: selectedEventId || void 0 },
-    permission,
-    pageId: effectivePageId,
-    useCache: true
-  });
-  const { can, isLoading: canIsLoading, error: canError } = useCan(
-    user?.id || "",
-    resolvedScope || { organisationId: "", appId: "", eventId: selectedEventId || void 0 },
-    permission,
-    effectivePageId,
-    true
-    // Use cache
-  );
-  console.log("[PagePermissionGuard] useCan returned:", { can, canIsLoading, canError });
-  const isLoading = !resolvedScope || canIsLoading;
-  const error = checkError || canError;
-  console.log("[PagePermissionGuard] Combined state:", {
-    can,
-    isLoading,
-    canIsLoading,
-    resolvedScopeExists: !!resolvedScope,
-    error: error?.message
-  });
-  useEffect2(() => {
-    if (!isLoading && !error) {
-      setHasChecked(true);
-      setCheckError(null);
-      if (!can && onDenied) {
-        onDenied(pageName, operation);
-      }
-    } else if (error) {
-      setCheckError(error);
-      setHasChecked(true);
-    }
-  }, [can, isLoading, error, pageName, operation, onDenied]);
-  useEffect2(() => {
-    if (auditLog && hasChecked && !isLoading) {
-      console.log(`[PagePermissionGuard] Page access attempt:`, {
-        pageName,
-        operation,
-        userId: user?.id,
-        scope: resolvedScope,
-        allowed: can,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, resolvedScope, can]);
-  useEffect2(() => {
-    if (strictMode && hasChecked && !isLoading && !can) {
-      console.error(`[PagePermissionGuard] STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
-        pageName,
-        operation,
-        userId: user?.id,
-        scope: resolvedScope,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [strictMode, hasChecked, isLoading, can, pageName, operation, user?.id, resolvedScope]);
-  if (isLoading || !resolvedScope || !hasChecked) {
-    return /* @__PURE__ */ jsx2(Fragment, { children: loading });
-  }
-  if (checkError) {
-    console.error(`[PagePermissionGuard] Permission check failed for page ${pageName}:`, checkError);
-    return /* @__PURE__ */ jsx2(Fragment, { children: fallback });
-  }
-  if (!can) {
-    return /* @__PURE__ */ jsx2(Fragment, { children: fallback });
-  }
-  return /* @__PURE__ */ jsx2(Fragment, { children });
-}
-function DefaultAccessDenied() {
-  return /* @__PURE__ */ jsxs("div", { className: "flex flex-col items-center justify-center min-h-[200px] p-8 text-center", children: [
-    /* @__PURE__ */ jsx2("div", { className: "mb-4", children: /* @__PURE__ */ jsx2("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx2("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
-    /* @__PURE__ */ jsx2("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
-    /* @__PURE__ */ jsx2("p", { className: "text-sec-600 mb-4", children: "You don't have permission to access this page." }),
-    /* @__PURE__ */ jsx2(
-      "button",
-      {
-        onClick: () => window.history.back(),
-        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
-        children: "Go Back"
-      }
-    )
-  ] });
-}
-function DefaultLoading() {
-  return /* @__PURE__ */ jsx2("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx2("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600" }),
-    /* @__PURE__ */ jsx2("span", { className: "text-sec-600", children: "Checking permissions..." })
-  ] }) });
-}
-
-// src/rbac/components/SecureDataProvider.tsx
-init_UnifiedAuthProvider();
-import { createContext as createContext2, useContext as useContext2, useState as useState3, useCallback as useCallback3, useMemo as useMemo3, useEffect as useEffect3 } from "react";
-import { jsx as jsx3 } from "react/jsx-runtime";
-var SecureDataContext = createContext2(null);
-function SecureDataProvider({
-  children,
-  strictMode = true,
-  auditLog = true,
-  onDataAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3,
-  enforceRLS = true
-}) {
-  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
-  const { validateContext } = useSecureDataAccess();
-  const [dataAccessHistory, setDataAccessHistory] = useState3([]);
-  const [isEnabled, setIsEnabled] = useState3(true);
-  const currentScope = useMemo3(() => {
-    if (!selectedOrganisationId) return null;
-    return {
-      organisationId: selectedOrganisationId,
-      eventId: selectedEventId || void 0,
-      appId: void 0
-    };
-  }, [selectedOrganisationId, selectedEventId]);
-  const isDataAccessAllowed = useCallback3((table, operation, scope) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    const permission = `${operation}:data.${table}`;
-    return true;
-  }, [isEnabled, user?.id, currentScope]);
-  const getDataAccessPermissions = useCallback3(() => {
-    if (!isEnabled || !user?.id) return {};
-    return {};
-  }, [isEnabled, user?.id]);
-  const getDataAccessHistory = useCallback3(() => {
-    return [...dataAccessHistory];
-  }, [dataAccessHistory]);
-  const clearDataAccessHistory = useCallback3(() => {
-    setDataAccessHistory([]);
-  }, []);
-  const validateDataAccess = useCallback3((table, operation, scope) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    try {
-      validateContext();
-    } catch (error) {
-      console.error(`[SecureDataProvider] Organisation context validation failed:`, error);
-      return false;
-    }
-    return isDataAccessAllowed(table, operation, effectiveScope);
-  }, [isEnabled, user?.id, currentScope, validateContext, isDataAccessAllowed]);
-  const recordDataAccess = useCallback3((table, operation, allowed, query, filters, scope) => {
-    if (!auditLog || !user?.id) return;
-    const record = {
-      table,
-      operation,
-      userId: user.id,
-      scope: scope || currentScope || { organisationId: "" },
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      query,
-      filters
-    };
-    setDataAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    if (onDataAccess) {
-      onDataAccess(table, operation, allowed, record);
-    }
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(table, operation, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onDataAccess, onStrictModeViolation, strictMode]);
-  const contextValue = useMemo3(() => ({
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isEnabled,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  }), [
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isEnabled,
-    strictMode,
-    auditLog,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  ]);
-  useEffect3(() => {
-    if (strictMode && auditLog) {
-      console.log(`[SecureDataProvider] Strict mode enabled - all data access attempts will be logged and enforced`);
-    }
-  }, [strictMode, auditLog]);
-  useEffect3(() => {
-    if (enforceRLS && auditLog) {
-      console.log(`[SecureDataProvider] RLS enforcement enabled - all queries will include organisation context`);
-    }
-  }, [enforceRLS, auditLog]);
-  return /* @__PURE__ */ jsx3(SecureDataContext.Provider, { value: contextValue, children });
-}
-function useSecureData() {
-  const context = useContext2(SecureDataContext);
-  if (!context) {
-    throw new Error("useSecureData must be used within a SecureDataProvider");
-  }
-  return context;
-}
-
-// src/rbac/components/PermissionEnforcer.tsx
-import { useMemo as useMemo4, useEffect as useEffect4, useState as useState4 } from "react";
-init_UnifiedAuthProvider();
-import { Fragment as Fragment2, jsx as jsx4, jsxs as jsxs2 } from "react/jsx-runtime";
-function PermissionEnforcer({
-  permissions,
-  operation,
-  children,
-  fallback = /* @__PURE__ */ jsx4(DefaultAccessDenied2, {}),
-  strictMode = true,
-  auditLog = true,
-  scope,
-  onDenied,
-  loading = /* @__PURE__ */ jsx4(DefaultLoading2, {}),
-  requireAll = true
-}) {
-  const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState4(false);
-  const [checkError, setCheckError] = useState4(null);
-  const [permissionResults, setPermissionResults] = useState4({});
-  const [resolvedScope, setResolvedScope] = useState4(null);
-  useEffect4(() => {
-    const resolveScope = async () => {
-      if (scope) {
-        setResolvedScope(scope);
-        return;
-      }
-      if (selectedOrganisationId && selectedEventId) {
-        setResolvedScope({
-          organisationId: selectedOrganisationId,
-          eventId: selectedEventId,
-          appId: void 0
-        });
-        return;
-      }
-      if (selectedOrganisationId) {
-        setResolvedScope({
-          organisationId: selectedOrganisationId,
-          eventId: selectedEventId || void 0,
-          appId: void 0
-        });
-        return;
-      }
-      if (selectedEventId && supabase) {
-        try {
-          const eventScope = await createScopeFromEvent(supabase, selectedEventId);
-          if (!eventScope) {
-            setCheckError(new Error("Could not resolve organization from event context"));
-            return;
-          }
-          setResolvedScope(eventScope);
-        } catch (error2) {
-          setCheckError(error2);
-        }
-        return;
-      }
-      setCheckError(new Error("Either organisation context or event context is required for permission checking"));
-    };
-    resolveScope();
-  }, [scope, selectedOrganisationId, selectedEventId, supabase]);
-  const representativePermission = permissions[0];
-  const { can, isLoading, error } = useCan(
-    user?.id || "",
-    resolvedScope || { eventId: selectedEventId || void 0 },
-    representativePermission,
-    void 0,
-    true
-    // Use cache
-  );
-  const hasRequiredPermissions = useMemo4(() => {
-    if (permissions.length === 0) return true;
-    return can;
-  }, [permissions, can]);
-  useEffect4(() => {
-    if (!isLoading && !error) {
-      setHasChecked(true);
-      setCheckError(null);
-      if (!hasRequiredPermissions && onDenied) {
-        onDenied(permissions, operation);
-      }
-    } else if (error) {
-      setCheckError(error);
-      setHasChecked(true);
-    }
-  }, [hasRequiredPermissions, isLoading, error, permissions, operation, onDenied]);
-  useEffect4(() => {
-    if (auditLog && hasChecked && !isLoading) {
-      console.log(`[PermissionEnforcer] Permission check attempt:`, {
-        permissions,
-        operation,
-        userId: user?.id,
-        scope: resolvedScope,
-        allowed: hasRequiredPermissions,
-        requireAll,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [auditLog, hasChecked, isLoading, permissions, operation, user?.id, resolvedScope, hasRequiredPermissions, requireAll]);
-  useEffect4(() => {
-    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
-      console.error(`[PermissionEnforcer] STRICT MODE VIOLATION: User attempted to perform operation without permission`, {
-        permissions,
-        operation,
-        userId: user?.id,
-        scope: resolvedScope,
-        requireAll,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, permissions, operation, user?.id, resolvedScope, requireAll]);
-  if (isLoading || !hasChecked) {
-    return /* @__PURE__ */ jsx4(Fragment2, { children: loading });
-  }
-  if (checkError) {
-    console.error(`[PermissionEnforcer] Permission check failed for operation ${operation}:`, checkError);
-    return /* @__PURE__ */ jsx4(Fragment2, { children: fallback });
-  }
-  if (!hasRequiredPermissions) {
-    return /* @__PURE__ */ jsx4(Fragment2, { children: fallback });
-  }
-  return /* @__PURE__ */ jsx4(Fragment2, { children });
-}
-function DefaultAccessDenied2() {
-  return /* @__PURE__ */ jsxs2("div", { className: "flex flex-col items-center justify-center min-h-[200px] p-8 text-center", children: [
-    /* @__PURE__ */ jsx4("div", { className: "mb-4", children: /* @__PURE__ */ jsx4("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx4("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
-    /* @__PURE__ */ jsx4("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
-    /* @__PURE__ */ jsx4("p", { className: "text-sec-600 mb-4", children: "You don't have permission to perform this operation." }),
-    /* @__PURE__ */ jsx4(
-      "button",
-      {
-        onClick: () => window.history.back(),
-        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
-        children: "Go Back"
-      }
-    )
-  ] });
-}
-function DefaultLoading2() {
-  return /* @__PURE__ */ jsx4("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs2("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx4("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600" }),
-    /* @__PURE__ */ jsx4("span", { className: "text-sec-600", children: "Checking permissions..." })
-  ] }) });
-}
-
-// src/rbac/components/RoleBasedRouter.tsx
-import { useMemo as useMemo5, useCallback as useCallback5, useEffect as useEffect5, useState as useState5, createContext as createContext3, useContext as useContext3 } from "react";
-import { useLocation, useNavigate, Outlet } from "react-router-dom";
-init_UnifiedAuthProvider();
-import { jsx as jsx5, jsxs as jsxs3 } from "react/jsx-runtime";
-var RoleBasedRouterContext = createContext3(null);
-function RoleBasedRouter({
-  routes,
-  fallbackRoute = "/unauthorized",
-  children,
-  strictMode = true,
-  auditLog = true,
-  onRouteAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3,
-  unauthorizedComponent: UnauthorizedComponent = DefaultUnauthorizedComponent
-}) {
-  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
-  const location = useLocation();
-  const navigate = useNavigate();
-  const [routeAccessHistory, setRouteAccessHistory] = useState5([]);
-  const [currentRoute, setCurrentRoute] = useState5("");
-  const currentScope = useMemo5(() => {
-    if (!selectedOrganisationId) return null;
-    return {
-      organisationId: selectedOrganisationId,
-      eventId: selectedEventId || void 0,
-      appId: void 0
-    };
-  }, [selectedOrganisationId, selectedEventId]);
-  const currentRouteConfig = useMemo5(() => {
-    const currentPath = location.pathname;
-    return routes.find((route) => route.path === currentPath) || null;
-  }, [routes, location.pathname]);
-  const canAccessRoute = useCallback5((path) => {
-    if (!user?.id || !currentScope) return false;
-    const routeConfig = routes.find((route) => route.path === path);
-    if (!routeConfig) return false;
-    return true;
-  }, [user?.id, currentScope, routes]);
-  const { can: canAccessCurrentRoute, isLoading: permissionLoading } = useCan(
-    user?.id || "",
-    currentScope || { organisationId: "", eventId: void 0, appId: void 0 },
-    currentRouteConfig?.permissions?.[0] || "read:page",
-    currentRouteConfig?.pageId
-  );
-  const hasPermissions = currentRouteConfig?.permissions && currentRouteConfig.permissions.length > 0;
-  const finalCanAccess = hasPermissions ? canAccessCurrentRoute : false;
-  const finalLoading = hasPermissions ? permissionLoading : false;
-  const getAccessibleRoutes = useCallback5(() => {
-    if (!user?.id || !currentScope) return [];
-    return routes.filter((route) => canAccessRoute(route.path));
-  }, [user?.id, currentScope, routes, canAccessRoute]);
-  const getRouteConfig = useCallback5((path) => {
-    return routes.find((route) => route.path === path) || null;
-  }, [routes]);
-  const getRouteAccessHistory = useCallback5(() => {
-    return [...routeAccessHistory];
-  }, [routeAccessHistory]);
-  const clearRouteAccessHistory = useCallback5(() => {
-    setRouteAccessHistory([]);
-  }, []);
-  const recordRouteAccess = useCallback5((route, allowed, routeConfig) => {
-    if (!auditLog || !user?.id || !currentScope) return;
-    const record = {
-      route,
-      permissions: routeConfig.permissions,
-      userId: user.id,
-      scope: currentScope,
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      pageId: routeConfig.pageId,
-      roles: routeConfig.roles,
-      accessLevel: routeConfig.accessLevel
-    };
-    setRouteAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    if (onRouteAccess) {
-      onRouteAccess(route, allowed, record);
-    }
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(route, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onRouteAccess, onStrictModeViolation, strictMode]);
-  useEffect5(() => {
-    const currentPath = location.pathname;
-    setCurrentRoute(currentPath);
-    if (!currentRouteConfig) {
-      if (strictMode) {
-        console.error(`[RoleBasedRouter] STRICT MODE VIOLATION: Route not found in configuration`, {
-          route: currentPath,
-          userId: user?.id,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        });
-        if (onStrictModeViolation) {
-          onStrictModeViolation(currentPath, {
-            route: currentPath,
-            permissions: [],
-            userId: user?.id || "",
-            scope: currentScope || { organisationId: "" },
-            allowed: false,
-            timestamp: (/* @__PURE__ */ new Date()).toISOString()
-          });
-        }
-      }
-      return;
-    }
-    const allowed = finalCanAccess;
-    recordRouteAccess(currentPath, allowed, currentRouteConfig);
-    if (!allowed) {
-      navigate(fallbackRoute, { replace: true });
-    }
-  }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute]);
-  const contextValue = useMemo5(() => ({
-    getAccessibleRoutes,
-    canAccessRoute,
-    getRouteConfig,
-    getRouteAccessHistory,
-    clearRouteAccessHistory,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog
-  }), [
-    getAccessibleRoutes,
-    canAccessRoute,
-    getRouteConfig,
-    getRouteAccessHistory,
-    clearRouteAccessHistory,
-    strictMode,
-    auditLog
-  ]);
-  if (finalLoading) {
-    return /* @__PURE__ */ jsx5("div", { className: "flex items-center justify-center min-h-screen", children: /* @__PURE__ */ jsxs3("div", { className: "text-center", children: [
-      /* @__PURE__ */ jsx5("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-main-600 mx-auto mb-4" }),
-      /* @__PURE__ */ jsx5("p", { className: "text-sec-600", children: "Checking permissions..." })
-    ] }) });
-  }
-  if (currentRouteConfig && !finalCanAccess) {
-    return /* @__PURE__ */ jsx5(
-      UnauthorizedComponent,
-      {
-        route: currentRoute,
-        reason: "Insufficient permissions"
-      }
-    );
-  }
-  return /* @__PURE__ */ jsxs3(RoleBasedRouterContext.Provider, { value: contextValue, children: [
-    children,
-    /* @__PURE__ */ jsx5(Outlet, {})
-  ] });
-}
-function useRoleBasedRouter() {
-  const context = useContext3(RoleBasedRouterContext);
-  if (!context) {
-    throw new Error("useRoleBasedRouter must be used within a RoleBasedRouter");
-  }
-  return context;
-}
-function DefaultUnauthorizedComponent({ route, reason }) {
-  return /* @__PURE__ */ jsxs3("div", { className: "flex flex-col items-center justify-center min-h-screen p-8 text-center", children: [
-    /* @__PURE__ */ jsx5("div", { className: "mb-4", children: /* @__PURE__ */ jsx5("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx5("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
-    /* @__PURE__ */ jsx5("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
-    /* @__PURE__ */ jsxs3("p", { className: "text-sec-600 mb-4", children: [
-      "You don't have permission to access ",
-      /* @__PURE__ */ jsx5("code", { className: "bg-sec-100 px-2 py-1 rounded", children: route })
-    ] }),
-    /* @__PURE__ */ jsxs3("p", { className: "text-sm text-sec-500 mb-4", children: [
-      "Reason: ",
-      reason
-    ] }),
-    /* @__PURE__ */ jsx5(
-      "button",
-      {
-        onClick: () => window.history.back(),
-        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
-        children: "Go Back"
-      }
-    )
-  ] });
-}
-
-// src/rbac/components/NavigationProvider.tsx
-init_UnifiedAuthProvider();
-import { createContext as createContext4, useContext as useContext4, useState as useState6, useCallback as useCallback6, useMemo as useMemo6, useEffect as useEffect6 } from "react";
-import { jsx as jsx6 } from "react/jsx-runtime";
-var NavigationContext = createContext4(null);
-function NavigationProvider({
-  children,
-  strictMode = true,
-  auditLog = true,
-  onNavigationAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3
-}) {
-  const { user, selectedOrganisationId, selectedEventId } = useUnifiedAuth();
-  const [navigationAccessHistory, setNavigationAccessHistory] = useState6([]);
-  const [isEnabled, setIsEnabled] = useState6(true);
-  const currentScope = useMemo6(() => {
-    if (!selectedOrganisationId) return null;
-    return {
-      organisationId: selectedOrganisationId,
-      eventId: selectedEventId || void 0,
-      appId: void 0
-    };
-  }, [selectedOrganisationId, selectedEventId]);
-  const hasNavigationPermission = useCallback6((item) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    if (!currentScope) return false;
-    return true;
-  }, [isEnabled, user?.id, currentScope]);
-  const getNavigationPermissions = useCallback6(() => {
-    if (!isEnabled || !user?.id) return {};
-    return {};
-  }, [isEnabled, user?.id]);
-  const getFilteredNavigationItems = useCallback6((items) => {
-    if (!isEnabled) return items;
-    return items.filter((item) => hasNavigationPermission(item));
-  }, [isEnabled, hasNavigationPermission]);
-  const getNavigationAccessHistory = useCallback6(() => {
-    return [...navigationAccessHistory];
-  }, [navigationAccessHistory]);
-  const clearNavigationAccessHistory = useCallback6(() => {
-    setNavigationAccessHistory([]);
-  }, []);
-  const recordNavigationAccess = useCallback6((item, allowed) => {
-    if (!auditLog || !user?.id || !currentScope) return;
-    const record = {
-      navigationItem: item.id,
-      permissions: item.permissions,
-      userId: user.id,
-      scope: currentScope,
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      pageId: item.pageId,
-      roles: item.roles,
-      accessLevel: item.accessLevel
-    };
-    setNavigationAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    if (onNavigationAccess) {
-      onNavigationAccess(item, allowed, record);
-    }
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(item, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onNavigationAccess, onStrictModeViolation, strictMode]);
-  const contextValue = useMemo6(() => ({
-    hasNavigationPermission,
-    getNavigationPermissions,
-    getFilteredNavigationItems,
-    isEnabled,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog,
-    getNavigationAccessHistory,
-    clearNavigationAccessHistory
-  }), [
-    hasNavigationPermission,
-    getNavigationPermissions,
-    getFilteredNavigationItems,
-    isEnabled,
-    strictMode,
-    auditLog,
-    getNavigationAccessHistory,
-    clearNavigationAccessHistory
-  ]);
-  useEffect6(() => {
-    if (strictMode && auditLog) {
-      console.log(`[NavigationProvider] Strict mode enabled - all navigation access attempts will be logged and enforced`);
-    }
-  }, [strictMode, auditLog]);
-  return /* @__PURE__ */ jsx6(NavigationContext.Provider, { value: contextValue, children });
-}
-function useNavigationPermissions() {
-  const context = useContext4(NavigationContext);
-  if (!context) {
-    throw new Error("useNavigationPermissions must be used within a NavigationProvider");
-  }
-  return context;
-}
-
-// src/rbac/components/NavigationGuard.tsx
-import { useMemo as useMemo7, useEffect as useEffect7, useState as useState7 } from "react";
-init_UnifiedAuthProvider();
-import { Fragment as Fragment3, jsx as jsx7, jsxs as jsxs4 } from "react/jsx-runtime";
-function NavigationGuard({
-  navigationItem,
-  children,
-  fallback = /* @__PURE__ */ jsx7(DefaultAccessDenied3, {}),
-  strictMode = true,
-  auditLog = true,
-  scope,
-  onDenied,
-  loading = /* @__PURE__ */ jsx7(DefaultLoading3, {}),
-  requireAll = true
-}) {
-  const { user, selectedOrganisationId, selectedEventId, supabase } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState7(false);
-  const [checkError, setCheckError] = useState7(null);
-  const [resolvedScope, setResolvedScope] = useState7(null);
-  useEffect7(() => {
-    const resolveScope = async () => {
-      if (scope) {
-        setResolvedScope(scope);
-        return;
-      }
-      if (selectedOrganisationId && selectedEventId) {
-        setResolvedScope({
-          organisationId: selectedOrganisationId,
-          eventId: selectedEventId,
-          appId: void 0
-        });
-        return;
-      }
-      if (selectedOrganisationId) {
-        setResolvedScope({
-          organisationId: selectedOrganisationId,
-          eventId: selectedEventId || void 0,
-          appId: void 0
-        });
-        return;
-      }
-      if (selectedEventId && supabase) {
-        try {
-          const eventScope = await createScopeFromEvent(supabase, selectedEventId);
-          if (!eventScope) {
-            setCheckError(new Error("Could not resolve organization from event context"));
-            return;
-          }
-          setResolvedScope(eventScope);
-        } catch (error2) {
-          setCheckError(error2);
-        }
-        return;
-      }
-      setCheckError(new Error("Either organisation context or event context is required for navigation permission checking"));
-    };
-    resolveScope();
-  }, [scope, selectedOrganisationId, selectedEventId, supabase]);
-  const representativePermission = navigationItem.permissions[0];
-  const { can, isLoading, error } = useCan(
-    user?.id || "",
-    resolvedScope || { eventId: selectedEventId || void 0 },
-    representativePermission,
-    navigationItem.pageId,
-    true
-    // Use cache
-  );
-  const hasRequiredPermissions = useMemo7(() => {
-    if (navigationItem.permissions.length === 0) return true;
-    return can;
-  }, [navigationItem.permissions, can]);
-  useEffect7(() => {
-    if (!isLoading && !error) {
-      setHasChecked(true);
-      setCheckError(null);
-      if (!hasRequiredPermissions && onDenied) {
-        onDenied(navigationItem);
-      }
-    } else if (error) {
-      setCheckError(error);
-      setHasChecked(true);
-    }
-  }, [hasRequiredPermissions, isLoading, error, navigationItem, onDenied]);
-  useEffect7(() => {
-    if (auditLog && hasChecked && !isLoading) {
-      console.log(`[NavigationGuard] Navigation access attempt:`, {
-        navigationItem: navigationItem.id,
-        permissions: navigationItem.permissions,
-        userId: user?.id,
-        scope: resolvedScope,
-        allowed: hasRequiredPermissions,
-        requireAll,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [auditLog, hasChecked, isLoading, navigationItem, user?.id, resolvedScope, hasRequiredPermissions, requireAll]);
-  useEffect7(() => {
-    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
-      console.error(`[NavigationGuard] STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
-        navigationItem: navigationItem.id,
-        permissions: navigationItem.permissions,
-        userId: user?.id,
-        scope: resolvedScope,
-        requireAll,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, navigationItem, user?.id, resolvedScope, requireAll]);
-  if (isLoading || !resolvedScope || !hasChecked) {
-    return /* @__PURE__ */ jsx7(Fragment3, { children: loading });
-  }
-  if (checkError) {
-    console.error(`[NavigationGuard] Permission check failed for navigation item ${navigationItem.id}:`, checkError);
-    return /* @__PURE__ */ jsx7(Fragment3, { children: fallback });
-  }
-  if (!hasRequiredPermissions) {
-    return /* @__PURE__ */ jsx7(Fragment3, { children: fallback });
-  }
-  return /* @__PURE__ */ jsx7(Fragment3, { children });
-}
-function DefaultAccessDenied3() {
-  return /* @__PURE__ */ jsx7("div", { className: "flex items-center justify-center p-2 text-center", children: /* @__PURE__ */ jsxs4("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx7("svg", { className: "w-4 h-4 text-acc-500", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx7("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }),
-    /* @__PURE__ */ jsx7("span", { className: "text-sm text-sec-600", children: "Access Denied" })
-  ] }) });
-}
-function DefaultLoading3() {
-  return /* @__PURE__ */ jsx7("div", { className: "flex items-center justify-center p-2", children: /* @__PURE__ */ jsxs4("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx7("div", { className: "animate-spin rounded-full h-4 w-4 border-b-2 border-main-600" }),
-    /* @__PURE__ */ jsx7("span", { className: "text-sm text-sec-600", children: "Checking..." })
-  ] }) });
-}
-var NavigationGuard_default = NavigationGuard;
-
-// src/rbac/components/EnhancedNavigationMenu.tsx
-import { useMemo as useMemo8, useCallback as useCallback8, useEffect as useEffect8, useState as useState8 } from "react";
-import { jsx as jsx8, jsxs as jsxs5 } from "react/jsx-runtime";
-function EnhancedNavigationMenu({
-  items,
-  strictMode = true,
-  auditLog = true,
-  onNavigationAccess,
-  onStrictModeViolation,
-  className = "flex flex-col space-y-1",
-  itemClassName = "px-3 py-2 rounded-md text-sm font-medium transition-colors",
-  activeItemClassName = "bg-main-100 text-main-700",
-  disabledItemClassName = "text-sec-400 cursor-not-allowed",
-  hideUnauthorizedItems = false,
-  renderItem,
-  activePath,
-  onItemClick
-}) {
-  const {
-    hasNavigationPermission,
-    getFilteredNavigationItems,
-    isEnabled,
-    isStrictMode,
-    isAuditLogEnabled
-  } = useNavigationPermissions();
-  const [navigationHistory, setNavigationHistory] = useState8([]);
-  const filteredItems = useMemo8(() => {
-    if (!isEnabled) return items;
-    return getFilteredNavigationItems(items);
-  }, [isEnabled, items, getFilteredNavigationItems]);
-  const handleItemClick = useCallback8((item) => {
-    if (onItemClick) {
-      onItemClick(item);
-    }
-    if (auditLog) {
-      console.log(`[EnhancedNavigationMenu] Navigation item clicked:`, {
-        item: item.id,
-        path: item.path,
-        permissions: item.permissions,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-    setNavigationHistory((prev) => {
-      const newHistory = [item, ...prev.filter((i) => i.id !== item.id)];
-      return newHistory.slice(0, 10);
-    });
-  }, [onItemClick, auditLog]);
-  const handleNavigationAccess = useCallback8((item, allowed) => {
-    if (onNavigationAccess) {
-      onNavigationAccess(item, allowed);
-    }
-    if (auditLog) {
-      console.log(`[EnhancedNavigationMenu] Navigation access attempt:`, {
-        item: item.id,
-        allowed,
-        strictMode,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [onNavigationAccess, auditLog, strictMode]);
-  const handleStrictModeViolation = useCallback8((item) => {
-    if (onStrictModeViolation) {
-      onStrictModeViolation(item);
-    }
-    if (strictMode) {
-      console.error(`[EnhancedNavigationMenu] STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
-        item: item.id,
-        path: item.path,
-        permissions: item.permissions,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [onStrictModeViolation, strictMode]);
-  const defaultRenderItem = useCallback8((item, isAuthorized) => {
-    const isActive = activePath === item.path;
-    const isDisabled = !isAuthorized;
-    return /* @__PURE__ */ jsx8(
-      NavigationGuard_default,
-      {
-        navigationItem: item,
-        strictMode,
-        auditLog,
-        onDenied: handleStrictModeViolation,
-        fallback: hideUnauthorizedItems ? null : /* @__PURE__ */ jsx8("div", { className: `${itemClassName} ${disabledItemClassName}`, children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
-          item.meta?.icon && /* @__PURE__ */ jsx8("span", { className: "text-sm", children: item.meta.icon }),
-          /* @__PURE__ */ jsx8("span", { children: item.label }),
-          /* @__PURE__ */ jsx8("span", { className: "text-xs text-sec-400", children: "(Access Denied)" })
-        ] }) }),
-        children: /* @__PURE__ */ jsx8(
-          "button",
-          {
-            onClick: () => handleItemClick(item),
-            className: `${itemClassName} ${isActive ? activeItemClassName : ""} ${isDisabled ? disabledItemClassName : "hover:bg-sec-100"}`,
-            disabled: isDisabled,
-            children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
-              item.meta?.icon && /* @__PURE__ */ jsx8("span", { className: "text-sm", children: item.meta.icon }),
-              /* @__PURE__ */ jsx8("span", { children: item.label }),
-              item.meta?.description && /* @__PURE__ */ jsx8("span", { className: "text-xs text-sec-500 ml-auto", children: item.meta.description })
-            ] })
-          }
-        )
-      },
-      item.id
-    );
-  }, [
-    activePath,
-    itemClassName,
-    activeItemClassName,
-    disabledItemClassName,
-    hideUnauthorizedItems,
-    strictMode,
-    auditLog,
-    handleStrictModeViolation,
-    handleItemClick
-  ]);
-  useEffect8(() => {
-    if (strictMode && auditLog) {
-      console.log(`[EnhancedNavigationMenu] Strict mode enabled - all navigation access attempts will be logged and enforced`);
-    }
-  }, [strictMode, auditLog]);
-  useEffect8(() => {
-    if (auditLog) {
-      console.log(`[EnhancedNavigationMenu] Navigation menu initialized:`, {
-        totalItems: items.length,
-        filteredItems: filteredItems.length,
-        strictMode,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [items.length, filteredItems.length, strictMode, auditLog]);
-  return /* @__PURE__ */ jsx8("nav", { className, children: filteredItems.map((item) => {
-    const isAuthorized = hasNavigationPermission(item);
-    if (renderItem) {
-      return renderItem(item, isAuthorized);
-    }
-    return defaultRenderItem(item, isAuthorized);
-  }) });
-}
-
-// src/rbac/adapters.tsx
-import React9, { useContext as useContext5 } from "react";
-import { Fragment as Fragment4, jsx as jsx9, jsxs as jsxs6 } from "react/jsx-runtime";
-function PermissionGuard({
-  userId,
-  scope,
-  permission,
-  pageId,
-  children,
-  fallback = null,
-  onDenied,
-  loading = null,
-  // NEW: Phase 1 - Enhanced Security Features
-  strictMode = true,
-  auditLog = true,
-  enforceAudit = true
-}) {
-  const logger = getRBACLogger();
-  const authContext = useContext5(React9.createContext(null));
-  let effectiveUserId = userId;
-  if (!effectiveUserId) {
-    try {
-      if (authContext?.user?.id) {
-        effectiveUserId = authContext.user.id;
-      } else {
-        const globalUser = window.__PACE_USER__;
-        if (globalUser?.id) {
-          effectiveUserId = globalUser.id;
-        }
-      }
-    } catch (error2) {
-      logger.debug("Could not infer userId from context:", error2);
-    }
-  }
-  const { can, isLoading, error } = useCan(effectiveUserId || "", scope, permission, pageId);
-  if (!effectiveUserId) {
-    logger.error("PermissionGuard: No userId provided and could not infer from context");
-    return /* @__PURE__ */ jsxs6("div", { className: "rbac-error", role: "alert", children: [
-      /* @__PURE__ */ jsx9("p", { children: "Permission check failed: User context not available" }),
-      /* @__PURE__ */ jsxs6("details", { children: [
-        /* @__PURE__ */ jsx9("summary", { children: "Debug info" }),
-        /* @__PURE__ */ jsx9("p", { children: "Make sure to either:" }),
-        /* @__PURE__ */ jsxs6("ul", { children: [
-          /* @__PURE__ */ jsx9("li", { children: "Pass userId prop explicitly" }),
-          /* @__PURE__ */ jsx9("li", { children: "Wrap your app with an auth provider" }),
-          /* @__PURE__ */ jsx9("li", { children: "Set window.__PACE_USER__ with user data" })
-        ] })
-      ] })
-    ] });
-  }
-  if (isLoading) {
-    return loading || /* @__PURE__ */ jsx9("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx9("span", { className: "sr-only", children: "Checking permissions..." }) });
-  }
-  if (error) {
-    logger.error("Permission check failed:", error);
-    if (auditLog) {
-      logger.info(`[PermissionGuard] Permission check failed:`, {
-        userId: effectiveUserId,
-        scope,
-        permission,
-        pageId,
-        error: error.message,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-    return fallback;
-  }
-  if (!can) {
-    if (auditLog) {
-      logger.info(`[PermissionGuard] Permission denied:`, {
-        userId: effectiveUserId,
-        scope,
-        permission,
-        pageId,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-    if (strictMode) {
-      logger.error(`[PermissionGuard] STRICT MODE VIOLATION: User attempted to access protected resource without permission`, {
-        userId: effectiveUserId,
-        scope,
-        permission,
-        pageId,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-    if (onDenied) {
-      onDenied();
-    }
-    return /* @__PURE__ */ jsx9(Fragment4, { children: fallback });
-  }
-  if (auditLog) {
-    logger.info(`[PermissionGuard] Permission granted:`, {
-      userId: effectiveUserId,
-      scope,
-      permission,
-      pageId,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
-    });
-  }
-  return /* @__PURE__ */ jsx9(Fragment4, { children });
-}
-function AccessLevelGuard({
-  userId,
-  scope,
-  minLevel,
-  children,
-  fallback = null,
-  loading = null
-}) {
-  const logger = getRBACLogger();
-  const authContext = useContext5(React9.createContext(null));
-  let effectiveUserId = userId;
-  if (!effectiveUserId) {
-    try {
-      if (authContext?.user?.id) {
-        effectiveUserId = authContext.user.id;
-      } else {
-        const globalUser = window.__PACE_USER__;
-        if (globalUser?.id) {
-          effectiveUserId = globalUser.id;
-        }
-      }
-    } catch (error2) {
-      logger.debug("Could not infer userId from context:", error2);
-    }
-  }
-  const { accessLevel, isLoading, error } = useAccessLevel(effectiveUserId || "", scope);
-  if (!effectiveUserId) {
-    logger.error("AccessLevelGuard: No userId provided and could not infer from context");
-    return /* @__PURE__ */ jsxs6("div", { className: "rbac-error", role: "alert", children: [
-      /* @__PURE__ */ jsx9("p", { children: "Access level check failed: User context not available" }),
-      /* @__PURE__ */ jsxs6("details", { children: [
-        /* @__PURE__ */ jsx9("summary", { children: "Debug info" }),
-        /* @__PURE__ */ jsx9("p", { children: "Make sure to either:" }),
-        /* @__PURE__ */ jsxs6("ul", { children: [
-          /* @__PURE__ */ jsx9("li", { children: "Pass userId prop explicitly" }),
-          /* @__PURE__ */ jsx9("li", { children: "Wrap your app with an auth provider" }),
-          /* @__PURE__ */ jsx9("li", { children: "Set window.__PACE_USER__ with user data" })
-        ] })
-      ] })
-    ] });
-  }
-  if (isLoading) {
-    return loading || /* @__PURE__ */ jsx9("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx9("span", { className: "sr-only", children: "Checking access level..." }) });
-  }
-  if (error) {
-    logger.error("Access level check failed:", error);
-    return fallback;
-  }
-  const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
-  const userLevelIndex = accessLevel ? levelHierarchy.indexOf(accessLevel) : -1;
-  const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
-  if (userLevelIndex < requiredLevelIndex) {
-    return /* @__PURE__ */ jsx9(Fragment4, { children: fallback });
-  }
-  return /* @__PURE__ */ jsx9(Fragment4, { children });
-}
-function withPermissionGuard(config, handler) {
-  return async (...args) => {
-    const [req] = args;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      throw new Error("User context required for permission check");
-    }
-    const { isPermitted: isPermitted2 } = await import("../api-ETQ6YJ3C.js");
-    const hasPermission2 = await isPermitted2({
-      userId,
-      scope: { organisationId, eventId, appId },
-      permission: config.permission,
-      pageId: config.pageId
-    });
-    if (!hasPermission2) {
-      throw new Error(`Permission denied: ${config.permission}`);
-    }
-    return handler(...args);
-  };
-}
-function withAccessLevelGuard(minLevel, handler) {
-  return async (...args) => {
-    const [req] = args;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      throw new Error("User context required for access level check");
-    }
-    const { getAccessLevel: getAccessLevel2 } = await import("../api-ETQ6YJ3C.js");
-    const accessLevel = await getAccessLevel2({
-      userId,
-      scope: { organisationId, eventId, appId }
-    });
-    const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
-    const userLevelIndex = levelHierarchy.indexOf(accessLevel);
-    const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
-    if (userLevelIndex < requiredLevelIndex) {
-      throw new Error(`Access level required: ${minLevel}, got: ${accessLevel}`);
-    }
-    return handler(...args);
-  };
-}
-function withRoleGuard(config, handler) {
-  return async (...args) => {
-    const [req] = args;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      throw new Error("User context required for role check");
-    }
-    if (config.globalRoles && config.globalRoles.length > 0) {
-      const { isSuperAdmin } = await import("../api-ETQ6YJ3C.js");
-      const isSuper = await isSuperAdmin(userId);
-      if (isSuper) {
-        if (organisationId) {
-          const { emitAuditEvent: emitAuditEvent2 } = await import("../audit-BUW3LMJB.js");
-          await emitAuditEvent2({
-            type: "permission_check",
-            userId,
-            organisationId,
-            eventId,
-            appId,
-            permission: "bypass:all",
-            decision: true,
-            source: "api",
-            bypass: true,
-            duration_ms: 0,
-            metadata: {
-              operation: "role_guard",
-              reason: "super_admin_bypass"
-            }
-          });
-        }
-        return handler(...args);
-      }
-    }
-    if (config.organisationRoles && config.organisationRoles.length > 0) {
-      const { isOrganisationAdmin } = await import("../api-ETQ6YJ3C.js");
-      const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
-      if (!isOrgAdmin && config.requireAll !== false) {
-        throw new Error(`Organisation admin role required`);
-      }
-    }
-    if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
-      const { isEventAdmin } = await import("../api-ETQ6YJ3C.js");
-      const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
-      if (!isEventAdminUser && config.requireAll !== false) {
-        throw new Error(`Event admin role required`);
-      }
-    }
-    if (organisationId) {
-      const { emitAuditEvent: emitAuditEvent2 } = await import("../audit-BUW3LMJB.js");
-      await emitAuditEvent2({
-        type: "permission_check",
-        userId,
-        organisationId,
-        eventId,
-        appId,
-        permission: "role:check",
-        decision: true,
-        source: "api",
-        bypass: false,
-        duration_ms: 0,
-        metadata: {
-          operation: "role_guard"
-        }
-      });
-    }
-    return handler(...args);
-  };
-}
-function createRBACMiddleware(config) {
-  return async (req, res, next) => {
-    const { pathname } = req.nextUrl;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    if (!userId || !organisationId) {
-      return res.redirect(config.fallbackUrl || "/login");
-    }
-    const protectedRoute = config.protectedRoutes.find(
-      (route) => pathname.startsWith(route.path)
-    );
-    if (protectedRoute) {
-      try {
-        const { isPermitted: isPermitted2 } = await import("../api-ETQ6YJ3C.js");
-        const hasPermission2 = await isPermitted2({
-          userId,
-          scope: { organisationId },
-          permission: protectedRoute.permission,
-          pageId: protectedRoute.pageId
-        });
-        if (!hasPermission2) {
-          return res.redirect(config.fallbackUrl || "/access-denied");
-        }
-      } catch (_error) {
-        return res.redirect(config.fallbackUrl || "/access-denied");
-      }
-    }
-    next();
-  };
-}
-function createRBACExpressMiddleware(config) {
-  return async (req, res, next) => {
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      return res.status(401).json({ error: "User context required" });
-    }
-    try {
-      const { isPermitted: isPermitted2 } = await import("../api-ETQ6YJ3C.js");
-      const hasPermission2 = await isPermitted2({
-        userId,
-        scope: { organisationId, eventId, appId },
-        permission: config.permission,
-        pageId: config.pageId
-      });
-      if (!hasPermission2) {
-        return res.status(403).json({ error: "Permission denied" });
-      }
-      next();
-    } catch (_error) {
-      return res.status(500).json({ error: "Permission check failed" });
-    }
-  };
-}
-function hasPermissionCached(userId, scope, _permission, _pageId) {
-  const cacheKey = RBACCache.generatePermissionKey({
-    userId,
-    organisationId: scope.organisationId,
-    eventId: scope.eventId,
-    appId: scope.appId
-  });
-  return rbacCache.get(cacheKey) || false;
-}
-function hasAnyPermissionCached(userId, scope, permissions, pageId) {
-  return permissions.some(
-    (permission) => hasPermissionCached(userId, scope, permission, pageId)
-  );
-}
-
-// src/rbac/permissions.ts
-var GLOBAL_PERMISSIONS = {
-  MANAGE_ALL: "manage:*",
-  READ_ALL: "read:*",
-  CREATE_ALL: "create:*",
-  UPDATE_ALL: "update:*",
-  DELETE_ALL: "delete:*"
-};
-var ORGANISATION_PERMISSIONS = {
-  // Organisation management
-  MANAGE_ORGANISATION: "manage:organisation",
-  READ_ORGANISATION: "read:organisation",
-  UPDATE_ORGANISATION: "update:organisation",
-  // User management
-  MANAGE_USERS: "manage:users",
-  READ_USERS: "read:users",
-  CREATE_USERS: "create:users",
-  UPDATE_USERS: "update:users",
-  DELETE_USERS: "delete:users",
-  // Role management
-  MANAGE_ROLES: "manage:roles",
-  READ_ROLES: "read:roles",
-  CREATE_ROLES: "create:roles",
-  UPDATE_ROLES: "update:roles",
-  DELETE_ROLES: "delete:roles",
-  // Event management
-  MANAGE_EVENTS: "manage:events",
-  READ_EVENTS: "read:events",
-  CREATE_EVENTS: "create:events",
-  UPDATE_EVENTS: "update:events",
-  DELETE_EVENTS: "delete:events",
-  // App management
-  MANAGE_APPS: "manage:apps",
-  READ_APPS: "read:apps",
-  CREATE_APPS: "create:apps",
-  UPDATE_APPS: "update:apps",
-  DELETE_APPS: "delete:apps"
-};
-var EVENT_APP_PERMISSIONS = {
-  // Event management
-  MANAGE_EVENT: "manage:event",
-  READ_EVENT: "read:event",
-  UPDATE_EVENT: "update:event",
-  // App management
-  MANAGE_APP: "manage:app",
-  READ_APP: "read:app",
-  UPDATE_APP: "update:app",
-  // Team management
-  MANAGE_TEAM: "manage:team",
-  READ_TEAM: "read:team",
-  CREATE_TEAM: "create:team",
-  UPDATE_TEAM: "update:team",
-  DELETE_TEAM: "delete:team",
-  // Team members
-  MANAGE_TEAM_MEMBERS: "manage:team.members",
-  READ_TEAM_MEMBERS: "read:team.members",
-  CREATE_TEAM_MEMBERS: "create:team.members",
-  UPDATE_TEAM_MEMBERS: "update:team.members",
-  DELETE_TEAM_MEMBERS: "delete:team.members",
-  // Event content
-  MANAGE_EVENT_CONTENT: "manage:event.content",
-  READ_EVENT_CONTENT: "read:event.content",
-  CREATE_EVENT_CONTENT: "create:event.content",
-  UPDATE_EVENT_CONTENT: "update:event.content",
-  DELETE_EVENT_CONTENT: "delete:event.content",
-  // Event settings
-  MANAGE_EVENT_SETTINGS: "manage:event.settings",
-  READ_EVENT_SETTINGS: "read:event.settings",
-  UPDATE_EVENT_SETTINGS: "update:event.settings"
-};
-var PAGE_PERMISSIONS = {
-  // General page access
-  READ_PAGE: "read:page",
-  MANAGE_PAGE: "manage:page",
-  // Admin pages
-  READ_ADMIN: "read:admin",
-  MANAGE_ADMIN: "manage:admin",
-  // Dashboard pages
-  READ_DASHBOARD: "read:dashboard",
-  MANAGE_DASHBOARD: "manage:dashboard",
-  // Settings pages
-  READ_SETTINGS: "read:settings",
-  MANAGE_SETTINGS: "manage:settings",
-  // Reports pages
-  READ_REPORTS: "read:reports",
-  MANAGE_REPORTS: "manage:reports"
-};
-var PERMISSION_GROUPS = {
-  // Global admin permissions
-  GLOBAL_ADMIN: [
-    GLOBAL_PERMISSIONS.MANAGE_ALL,
-    GLOBAL_PERMISSIONS.READ_ALL,
-    GLOBAL_PERMISSIONS.CREATE_ALL,
-    GLOBAL_PERMISSIONS.UPDATE_ALL,
-    GLOBAL_PERMISSIONS.DELETE_ALL
-  ],
-  // Organisation admin permissions
-  ORG_ADMIN: [
-    ORGANISATION_PERMISSIONS.MANAGE_ORGANISATION,
-    ORGANISATION_PERMISSIONS.READ_ORGANISATION,
-    ORGANISATION_PERMISSIONS.UPDATE_ORGANISATION,
-    ORGANISATION_PERMISSIONS.MANAGE_USERS,
-    ORGANISATION_PERMISSIONS.READ_USERS,
-    ORGANISATION_PERMISSIONS.CREATE_USERS,
-    ORGANISATION_PERMISSIONS.UPDATE_USERS,
-    ORGANISATION_PERMISSIONS.DELETE_USERS,
-    ORGANISATION_PERMISSIONS.MANAGE_ROLES,
-    ORGANISATION_PERMISSIONS.READ_ROLES,
-    ORGANISATION_PERMISSIONS.CREATE_ROLES,
-    ORGANISATION_PERMISSIONS.UPDATE_ROLES,
-    ORGANISATION_PERMISSIONS.DELETE_ROLES,
-    ORGANISATION_PERMISSIONS.MANAGE_EVENTS,
-    ORGANISATION_PERMISSIONS.READ_EVENTS,
-    ORGANISATION_PERMISSIONS.CREATE_EVENTS,
-    ORGANISATION_PERMISSIONS.UPDATE_EVENTS,
-    ORGANISATION_PERMISSIONS.DELETE_EVENTS,
-    ORGANISATION_PERMISSIONS.MANAGE_APPS,
-    ORGANISATION_PERMISSIONS.READ_APPS,
-    ORGANISATION_PERMISSIONS.CREATE_APPS,
-    ORGANISATION_PERMISSIONS.UPDATE_APPS,
-    ORGANISATION_PERMISSIONS.DELETE_APPS
-  ],
-  // Event admin permissions
-  EVENT_ADMIN: [
-    EVENT_APP_PERMISSIONS.MANAGE_EVENT,
-    EVENT_APP_PERMISSIONS.READ_EVENT,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT,
-    EVENT_APP_PERMISSIONS.MANAGE_APP,
-    EVENT_APP_PERMISSIONS.READ_APP,
-    EVENT_APP_PERMISSIONS.UPDATE_APP,
-    EVENT_APP_PERMISSIONS.MANAGE_TEAM,
-    EVENT_APP_PERMISSIONS.READ_TEAM,
-    EVENT_APP_PERMISSIONS.CREATE_TEAM,
-    EVENT_APP_PERMISSIONS.UPDATE_TEAM,
-    EVENT_APP_PERMISSIONS.DELETE_TEAM,
-    EVENT_APP_PERMISSIONS.MANAGE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.READ_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.CREATE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.UPDATE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.DELETE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.MANAGE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.CREATE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.DELETE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.MANAGE_EVENT_SETTINGS,
-    EVENT_APP_PERMISSIONS.READ_EVENT_SETTINGS,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT_SETTINGS
-  ],
-  // Planner permissions
-  PLANNER: [
-    EVENT_APP_PERMISSIONS.READ_EVENT,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT,
-    EVENT_APP_PERMISSIONS.READ_APP,
-    EVENT_APP_PERMISSIONS.UPDATE_APP,
-    EVENT_APP_PERMISSIONS.READ_TEAM,
-    EVENT_APP_PERMISSIONS.CREATE_TEAM,
-    EVENT_APP_PERMISSIONS.UPDATE_TEAM,
-    EVENT_APP_PERMISSIONS.READ_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.CREATE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.UPDATE_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.CREATE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.READ_EVENT_SETTINGS,
-    EVENT_APP_PERMISSIONS.UPDATE_EVENT_SETTINGS
-  ],
-  // Participant permissions
-  PARTICIPANT: [
-    EVENT_APP_PERMISSIONS.READ_EVENT,
-    EVENT_APP_PERMISSIONS.READ_APP,
-    EVENT_APP_PERMISSIONS.READ_TEAM,
-    EVENT_APP_PERMISSIONS.READ_TEAM_MEMBERS,
-    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT,
-    EVENT_APP_PERMISSIONS.READ_EVENT_SETTINGS
-  ],
-  // Viewer permissions
-  VIEWER: [
-    EVENT_APP_PERMISSIONS.READ_EVENT,
-    EVENT_APP_PERMISSIONS.READ_APP,
-    EVENT_APP_PERMISSIONS.READ_TEAM,
-    EVENT_APP_PERMISSIONS.READ_EVENT_CONTENT
-  ]
-};
-function isValidPermission(permission) {
-  const pattern = /^(read|create|update|delete|manage):[a-z0-9._-]+$|^(read|create|update|delete|manage):\*$/;
-  return pattern.test(permission);
-}
-function getPermissionsForRole(role) {
-  switch (role) {
-    case "super_admin":
-      return [...PERMISSION_GROUPS.GLOBAL_ADMIN];
-    case "org_admin":
-      return [...PERMISSION_GROUPS.ORG_ADMIN];
-    case "event_admin":
-      return [...PERMISSION_GROUPS.EVENT_ADMIN];
-    case "planner":
-      return [...PERMISSION_GROUPS.PLANNER];
-    case "participant":
-      return [...PERMISSION_GROUPS.PARTICIPANT];
-    case "viewer":
-      return [...PERMISSION_GROUPS.VIEWER];
-    default:
-      return [];
-  }
-}
-var ALL_PERMISSIONS = {
-  ...GLOBAL_PERMISSIONS,
-  ...ORGANISATION_PERMISSIONS,
-  ...EVENT_APP_PERMISSIONS,
-  ...PAGE_PERMISSIONS
-};
 export {
   ALL_PERMISSIONS,
   AccessLevelGuard,
@@ -1934,6 +98,7 @@ export {
   RBACAuditManager,
   RBACCache,
   RBACEngine,
+  RBACProvider,
   RoleBasedRouter,
   SecureDataProvider,
   SecureSupabaseClient,
@@ -1973,6 +138,8 @@ export {
   useNavigationPermissions,
   usePagePermissions,
   usePermissions,
+  useRBAC2 as useRBAC,
+  useRBAC as useRBACProvider,
   useRoleBasedRouter,
   useSecureData,
   withAccessLevelGuard,