npm - @jmruthers/pace-core - Versions diffs - 0.5.111 → 0.5.112 - Mend

@jmruthers/pace-core 0.5.111 → 0.5.112

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/dist/{DataTable-5W2HVLLV.js → DataTable-3D3BUZDV.js} RENAMED Viewed

@@ -54,10 +54,10 @@ import {
   sortHierarchicalDataWithSorting,
   validateHierarchicalData,
   validatePaginationConfig
-} from "./chunk-TD4BXGPE.js";
-import "./chunk-UGVU7L7N.js";
-import "./chunk-PXXS26G5.js";
-import "./chunk-IWJYNWXN.js";
+} from "./chunk-WMPZY26G.js";
+import "./chunk-I7JC7PTJ.js";
+import "./chunk-TAJRS6YB.js";
+import "./chunk-3OGQLOJM.js";
 import {
   CircuitBreaker,
   DEFAULT_FALLBACK_CONFIG,
@@ -76,9 +76,9 @@ import {
   throttle,
   useDataTablePerformance
 } from "./chunk-4OX5PXHX.js";
-import "./chunk-I5YM5BGS.js";
-import "./chunk-TDFBX7KJ.js";
-import "./chunk-MW73E7SP.js";
+import "./chunk-L36JW4KV.js";
+import "./chunk-7H75SHXZ.js";
+import "./chunk-OO3V7W4H.js";
 import "./chunk-PYUXFQJ3.js";
 import "./chunk-JCQZ6LA7.js";
 import "./chunk-BDZUMRBD.js";
@@ -157,4 +157,4 @@ export {
   validateHierarchicalData,
   validatePaginationConfig
 };
-//# sourceMappingURL=DataTable-5W2HVLLV.js.map
+//# sourceMappingURL=DataTable-3D3BUZDV.js.map

package/dist/{UnifiedAuthProvider-LUM3QLS5.js → UnifiedAuthProvider-KZZUO27W.js} RENAMED Viewed

@@ -1,10 +1,10 @@
 import {
   init_UnifiedAuthProvider
-} from "./chunk-TDFBX7KJ.js";
+} from "./chunk-7H75SHXZ.js";
 import {
   UnifiedAuthProvider,
   useUnifiedAuth
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 import "./chunk-BDZUMRBD.js";
 import "./chunk-SMJZMKYN.js";
 import "./chunk-PLDDJCW6.js";
@@ -13,4 +13,4 @@ export {
   UnifiedAuthProvider,
   useUnifiedAuth
 };
-//# sourceMappingURL=UnifiedAuthProvider-LUM3QLS5.js.map
+//# sourceMappingURL=UnifiedAuthProvider-KZZUO27W.js.map

package/dist/{api-SIZPFBFX.js → api-QPMBZZUZ.js} RENAMED Viewed

@@ -20,8 +20,8 @@ import {
   isSuperAdmin,
   resolveAppContext,
   setupRBAC
-} from "./chunk-PXXS26G5.js";
-import "./chunk-IWJYNWXN.js";
+} from "./chunk-TAJRS6YB.js";
+import "./chunk-3OGQLOJM.js";
 import "./chunk-PLDDJCW6.js";
 export {
   OrganisationContextRequiredError,
@@ -46,4 +46,4 @@ export {
   resolveAppContext,
   setupRBAC
 };
-//# sourceMappingURL=api-SIZPFBFX.js.map
+//# sourceMappingURL=api-QPMBZZUZ.js.map

package/dist/{audit-5JI5T3SL.js → audit-H4YJJF7R.js} RENAMED Viewed

@@ -4,7 +4,7 @@ import {
   emitAuditEvent,
   getGlobalAuditManager,
   setGlobalAuditManager
-} from "./chunk-IWJYNWXN.js";
+} from "./chunk-3OGQLOJM.js";
 import "./chunk-PLDDJCW6.js";
 export {
   RBACAuditManager,
@@ -13,4 +13,4 @@ export {
   getGlobalAuditManager,
   setGlobalAuditManager
 };
-//# sourceMappingURL=audit-5JI5T3SL.js.map
+//# sourceMappingURL=audit-H4YJJF7R.js.map

package/dist/{chunk-IWJYNWXN.js → chunk-3OGQLOJM.js} RENAMED Viewed

@@ -52,6 +52,11 @@ var RBACAuditManager = class {
           note: "Organisation context is required for RBAC operations. This may indicate a security issue or missing context derivation."
         });
       }
+      const rawPageId = "pageId" in event ? event.pageId : void 0;
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      const isValidPageIdUuid = rawPageId && uuidRegex.test(rawPageId);
+      const pageIdUuid = isValidPageIdUuid ? rawPageId : void 0;
+      const pageIdName = rawPageId && !isValidPageIdUuid ? rawPageId : void 0;
       const auditEvent = {
         event_type: event.type,
         user_id: event.userId,
@@ -61,7 +66,8 @@ var RBACAuditManager = class {
         // Explicitly null if missing
         event_id: "eventId" in event ? event.eventId : void 0,
         app_id: "appId" in event ? event.appId : void 0,
-        page_id: "pageId" in event ? event.pageId : void 0,
+        page_id: pageIdUuid,
+        // Only set if it's a valid UUID
         permission: "permission" in event ? event.permission : void 0,
         decision: "decision" in event ? event.decision : void 0,
         source: "source" in event ? event.source : "api",
@@ -73,7 +79,9 @@ var RBACAuditManager = class {
           cache_hit: "cache_hit" in event ? event.cache_hit : void 0,
           cache_source: "cache_source" in event ? event.cache_source : void 0,
           // Explicit flag indicating this event had no organisation context
-          no_organisation_context: !event.organisationId
+          no_organisation_context: !event.organisationId,
+          // Store page name/identifier in metadata if it's not a UUID
+          page_name: pageIdName
         }
       };
       const { error } = await this.supabase.from("rbac_audit_events").insert([auditEvent]);
@@ -197,4 +205,4 @@ export {
   getGlobalAuditManager,
   emitAuditEvent
 };
-//# sourceMappingURL=chunk-IWJYNWXN.js.map
+//# sourceMappingURL=chunk-3OGQLOJM.js.map

package/dist/chunk-3OGQLOJM.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/rbac/audit.ts"],"sourcesContent":["/**\n * RBAC Audit Events System\n * @package @jmruthers/pace-core\n * @module RBAC/Audit\n * @since 1.0.0\n * \n * This module provides structured audit event emission for all RBAC operations.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { \n UUID, \n AuditEventSource, \n RBACAuditEvent \n} from './types';\n\n/**\n * Audit event payload for permission checks\n */\nexport interface PermissionCheckAuditEvent {\n type: 'permission_check';\n userId: UUID;\n organisationId: UUID;\n eventId?: string;\n appId?: UUID;\n pageId?: UUID;\n permission: string;\n decision: boolean;\n source: AuditEventSource;\n bypass?: boolean;\n duration_ms: number;\n cache_hit?: boolean;\n cache_source?: 'memory' | 'database' | 'rpc';\n metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for permission denied\n */\nexport interface PermissionDeniedAuditEvent {\n type: 'permission_denied';\n userId: UUID;\n organisationId: UUID;\n eventId?: string;\n appId?: UUID;\n pageId?: UUID;\n permission: string;\n source: AuditEventSource;\n metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role granted\n */\nexport interface RoleGrantedAuditEvent {\n type: 'role_granted';\n userId: UUID;\n organisationId: UUID;\n eventId?: string;\n appId?: UUID;\n role: string;\n grantedBy: UUID;\n metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role revoked\n */\nexport interface RoleRevokedAuditEvent {\n type: 'role_denied';\n userId: UUID;\n organisationId: UUID;\n eventId?: string;\n appId?: UUID;\n role: string;\n revokedBy: UUID;\n metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for RLS denied\n */\nexport interface RLSDeniedAuditEvent {\n type: 'rls_denied';\n userId: UUID;\n organisationId: UUID;\n table: string;\n operation: string;\n metadata?: Record<string, any>;\n}\n\n/**\n * Union type for all audit events\n */\nexport type AuditEventPayload = \n | PermissionCheckAuditEvent\n | PermissionDeniedAuditEvent\n | RoleGrantedAuditEvent\n | RoleRevokedAuditEvent\n | RLSDeniedAuditEvent;\n\n/**\n * RBAC Audit Manager\n * \n * Handles emission of structured audit events for all RBAC operations.\n */\nexport class RBACAuditManager {\n private supabase: SupabaseClient<Database>;\n private enabled: boolean = true;\n\n constructor(supabase: SupabaseClient<Database>) {\n this.supabase = supabase;\n }\n\n /**\n * Enable or disable audit logging\n * \n * @param enabled - Whether to enable audit logging\n */\n setEnabled(enabled: boolean): void {\n this.enabled = enabled;\n }\n\n /**\n * Check if audit logging is enabled\n * \n * @returns True if audit logging is enabled\n */\n isEnabled(): boolean {\n return this.enabled;\n }\n\n /**\n * Emit an audit event\n * \n * @param event - Audit event payload\n * @returns Promise that resolves when event is logged\n */\n async emitEvent(event: AuditEventPayload): Promise<void> {\n if (!this.enabled) {\n return;\n }\n\n // Validate required fields before attempting to insert\n // MANDATORY: All audit events must have userId\n if (!event.userId) {\n console.error('[RBAC Audit] CRITICAL: Cannot log audit event without userId:', {\n eventType: event.type,\n organisationId: event.organisationId\n });\n return;\n }\n\n // WARNING: Some audit events may not have organisationId (e.g., global admin operations)\n // Log these for security monitoring even if organisationId is missing\n if (!event.organisationId) {\n console.warn('[RBAC Audit] Audit event without organisation context:', {\n userId: event.userId,\n eventType: event.type,\n note: 'This should be investigated for security compliance'\n });\n }\n\n try {\n // Since organisationId is now required in SecurityContext, this should rarely happen\n // But we still handle the edge case properly without masking it\n if (!event.organisationId) {\n console.warn('[RBAC Audit] Audit event without organisation context - this should be investigated:', {\n userId: event.userId,\n eventType: event.type,\n note: 'Organisation context is required for RBAC operations. This may indicate a security issue or missing context derivation.'\n });\n }\n\n // Validate pageId: only include in page_id column if it's a valid UUID\n // Otherwise, store it in metadata to avoid database errors\n const rawPageId = 'pageId' in event ? event.pageId : undefined;\n const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n const isValidPageIdUuid = rawPageId && uuidRegex.test(rawPageId);\n const pageIdUuid: UUID | undefined = isValidPageIdUuid ? (rawPageId as UUID) : undefined;\n const pageIdName: string | undefined = rawPageId && !isValidPageIdUuid ? rawPageId : undefined;\n\n const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {\n event_type: event.type,\n user_id: event.userId,\n // Store organisationId - nullable to properly track missing context cases\n // Do NOT use fallback UUID as it masks security issues\n organisation_id: event.organisationId || null, // Explicitly null if missing\n event_id: 'eventId' in event ? event.eventId : undefined,\n app_id: 'appId' in event ? event.appId : undefined,\n page_id: pageIdUuid, // Only set if it's a valid UUID\n permission: 'permission' in event ? event.permission : undefined,\n decision: 'decision' in event ? event.decision : undefined,\n source: 'source' in event ? event.source : 'api', // Default to 'api' if not provided\n bypass: 'bypass' in event ? event.bypass : undefined,\n duration_ms: 'duration_ms' in event ? event.duration_ms : undefined,\n metadata: {\n ...event.metadata,\n cache_hit: 'cache_hit' in event ? event.cache_hit : undefined,\n cache_source: 'cache_source' in event ? event.cache_source : undefined,\n // Explicit flag indicating this event had no organisation context\n no_organisation_context: !event.organisationId,\n // Store page name/identifier in metadata if it's not a UUID\n page_name: pageIdName,\n },\n };\n\n const { error } = await (this.supabase as any)\n .from('rbac_audit_events')\n .insert([auditEvent]);\n\n if (error) {\n // Log the error for debugging but don't throw\n console.warn('[RBAC Audit] Failed to insert audit event:', {\n error: error.message,\n code: error.code,\n details: error.details,\n hint: error.hint,\n event: auditEvent\n });\n }\n } catch (error) {\n // Log unexpected errors but don't throw\n console.error('[RBAC Audit] Unexpected error during audit logging:', error);\n }\n }\n\n /**\n * Emit a permission check audit event\n * \n * @param event - Permission check event data\n */\n async emitPermissionCheck(event: Omit<PermissionCheckAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'permission_check',\n ...event,\n });\n }\n\n /**\n * Emit a permission denied audit event\n * \n * @param event - Permission denied event data\n */\n async emitPermissionDenied(event: Omit<PermissionDeniedAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'permission_denied',\n ...event,\n });\n }\n\n /**\n * Emit a role granted audit event\n * \n * @param event - Role granted event data\n */\n async emitRoleGranted(event: Omit<RoleGrantedAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'role_granted',\n ...event,\n });\n }\n\n /**\n * Emit a role revoked audit event\n * \n * @param event - Role revoked event data\n */\n async emitRoleRevoked(event: Omit<RoleRevokedAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'role_denied',\n ...event,\n });\n }\n\n /**\n * Emit an RLS denied audit event\n * \n * @param event - RLS denied event data\n */\n async emitRLSDenied(event: Omit<RLSDeniedAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'rls_denied',\n ...event,\n });\n }\n\n /**\n * Get audit events for a user\n * \n * @param userId - User ID\n * @param limit - Maximum number of events to return\n * @returns Promise resolving to audit events\n */\n async getUserAuditEvents(userId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n const { data, error } = await this.supabase\n .from('rbac_audit_events')\n .select('*')\n .eq('user_id', userId)\n .order('created_at', { ascending: false })\n .limit(limit);\n\n if (error) {\n throw new Error(`Failed to get audit events: ${error.message}`);\n }\n\n return data || [];\n }\n\n /**\n * Get audit events for an organisation\n * \n * @param organisationId - Organisation ID\n * @param limit - Maximum number of events to return\n * @returns Promise resolving to audit events\n */\n async getOrganisationAuditEvents(organisationId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n const { data, error } = await this.supabase\n .from('rbac_audit_events')\n .select('*')\n .eq('organisation_id', organisationId)\n .order('created_at', { ascending: false })\n .limit(limit);\n\n if (error) {\n throw new Error(`Failed to get audit events: ${error.message}`);\n }\n\n return data || [];\n }\n}\n\n/**\n * Create an audit manager instance\n * \n * @param supabase - Supabase client\n * @returns RBACAuditManager instance\n */\nexport function createAuditManager(supabase: SupabaseClient<Database>): RBACAuditManager {\n return new RBACAuditManager(supabase);\n}\n\n/**\n * Global audit manager instance\n * \n * This is set by the RBAC engine when it initializes.\n */\nlet globalAuditManager: RBACAuditManager | null = null;\n\n/**\n * Set the global audit manager\n * \n * @param manager - Audit manager instance\n */\nexport function setGlobalAuditManager(manager: RBACAuditManager): void {\n globalAuditManager = manager;\n}\n\n/**\n * Get the global audit manager\n * \n * @returns Global audit manager or null if not set\n */\nexport function getGlobalAuditManager(): RBACAuditManager | null {\n return globalAuditManager;\n}\n\n/**\n * Emit an audit event using the global audit manager\n * \n * @param event - Audit event payload\n */\nexport async function emitAuditEvent(event: AuditEventPayload): Promise<void> {\n if (globalAuditManager) {\n await globalAuditManager.emitEvent(event);\n }\n}\n"],"mappings":";AA2GO,IAAM,mBAAN,MAAuB;AAAA,EAI5B,YAAY,UAAoC;AAFhD,SAAQ,UAAmB;AAGzB,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAW,SAAwB;AACjC,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,UAAU,OAAyC;AACvD,QAAI,CAAC,KAAK,SAAS;AACjB;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,QAAQ;AACjB,cAAQ,MAAM,iEAAiE;AAAA,QAC7E,WAAW,MAAM;AAAA,QACjB,gBAAgB,MAAM;AAAA,MACxB,CAAC;AACD;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,gBAAgB;AACzB,cAAQ,KAAK,0DAA0D;AAAA,QACrE,QAAQ,MAAM;AAAA,QACd,WAAW,MAAM;AAAA,QACjB,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,QAAI;AAGF,UAAI,CAAC,MAAM,gBAAgB;AACzB,gBAAQ,KAAK,wFAAwF;AAAA,UACnG,QAAQ,MAAM;AAAA,UACd,WAAW,MAAM;AAAA,UACjB,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAIA,YAAM,YAAY,YAAY,QAAQ,MAAM,SAAS;AACrD,YAAM,YAAY;AAClB,YAAM,oBAAoB,aAAa,UAAU,KAAK,SAAS;AAC/D,YAAM,aAA+B,oBAAqB,YAAqB;AAC/E,YAAM,aAAiC,aAAa,CAAC,oBAAoB,YAAY;AAErF,YAAM,aAAwD;AAAA,QAC5D,YAAY,MAAM;AAAA,QAClB,SAAS,MAAM;AAAA;AAAA;AAAA,QAGf,iBAAiB,MAAM,kBAAkB;AAAA;AAAA,QACzC,UAAU,aAAa,QAAQ,MAAM,UAAU;AAAA,QAC/C,QAAQ,WAAW,QAAQ,MAAM,QAAQ;AAAA,QACzC,SAAS;AAAA;AAAA,QACT,YAAY,gBAAgB,QAAQ,MAAM,aAAa;AAAA,QACvD,UAAU,cAAc,QAAQ,MAAM,WAAW;AAAA,QACjD,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA;AAAA,QAC3C,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA,QAC3C,aAAa,iBAAiB,QAAQ,MAAM,cAAc;AAAA,QAC1D,UAAU;AAAA,UACR,GAAG,MAAM;AAAA,UACT,WAAW,eAAe,QAAQ,MAAM,YAAY;AAAA,UACpD,cAAc,kBAAkB,QAAQ,MAAM,eAAe;AAAA;AAAA,UAE7D,yBAAyB,CAAC,MAAM;AAAA;AAAA,UAEhC,WAAW;AAAA,QACb;AAAA,MACF;AAEA,YAAM,EAAE,MAAM,IAAI,MAAO,KAAK,SAC3B,KAAK,mBAAmB,EACxB,OAAO,CAAC,UAAU,CAAC;AAEtB,UAAI,OAAO;AAET,gBAAQ,KAAK,8CAA8C;AAAA,UACzD,OAAO,MAAM;AAAA,UACb,MAAM,MAAM;AAAA,UACZ,SAAS,MAAM;AAAA,UACf,MAAM,MAAM;AAAA,UACZ,OAAO;AAAA,QACT,CAAC;AAAA,MACH;AAAA,IACF,SAAS,OAAO;AAEd,cAAQ,MAAM,uDAAuD,KAAK;AAAA,IAC5E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,oBAAoB,OAA+D;AACvF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,qBAAqB,OAAgE;AACzF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,cAAc,OAAyD;AAC3E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,mBAAmB,QAAc,QAAgB,KAAgC;AACrF,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,GAAG,EACV,GAAG,WAAW,MAAM,EACpB,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AACT,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,WAAO,QAAQ,CAAC;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,2BAA2B,gBAAsB,QAAgB,KAAgC;AACrG,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,GAAG,EACV,GAAG,mBAAmB,cAAc,EACpC,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AACT,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,WAAO,QAAQ,CAAC;AAAA,EAClB;AACF;AAQO,SAAS,mBAAmB,UAAsD;AACvF,SAAO,IAAI,iBAAiB,QAAQ;AACtC;AAOA,IAAI,qBAA8C;AAO3C,SAAS,sBAAsB,SAAiC;AACrE,uBAAqB;AACvB;AAOO,SAAS,wBAAiD;AAC/D,SAAO;AACT;AAOA,eAAsB,eAAe,OAAyC;AAC5E,MAAI,oBAAoB;AACtB,UAAM,mBAAmB,UAAU,KAAK;AAAA,EAC1C;AACF;","names":[]}

package/dist/{chunk-TDFBX7KJ.js → chunk-7H75SHXZ.js} RENAMED Viewed

@@ -2,7 +2,7 @@ import {
   UnifiedAuthProvider,
   init_UnifiedAuthProvider,
   useUnifiedAuth
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 import {
   __esm,
   __export
@@ -24,4 +24,4 @@ export {
   UnifiedAuthProvider_exports,
   init_UnifiedAuthProvider2 as init_UnifiedAuthProvider
 };
-//# sourceMappingURL=chunk-TDFBX7KJ.js.map
+//# sourceMappingURL=chunk-7H75SHXZ.js.map

package/dist/{chunk-EFVQBYFN.js → chunk-BUN7NMV7.js} RENAMED Viewed

@@ -4,7 +4,7 @@ import {
   init_InactivityServiceProvider,
   init_OrganisationServiceProvider,
   init_UnifiedAuthProvider
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 // src/providers/index.ts
 init_UnifiedAuthProvider();
@@ -12,4 +12,4 @@ init_EventServiceProvider();
 init_OrganisationServiceProvider();
 init_InactivityServiceProvider();
 init_AuthServiceProvider();
-//# sourceMappingURL=chunk-EFVQBYFN.js.map
+//# sourceMappingURL=chunk-BUN7NMV7.js.map

package/dist/{chunk-ACYQNYHB.js → chunk-C5RN4TE5.js} RENAMED Viewed

@@ -1,15 +1,15 @@
 import {
   init_OrganisationProvider,
   usePublicPageContext
-} from "./chunk-X7SPKHYZ.js";
+} from "./chunk-F6QB26OS.js";
 import {
   init_useOrganisations,
   useEvents,
   useOrganisations
-} from "./chunk-I5YM5BGS.js";
+} from "./chunk-L36JW4KV.js";
 import {
   useUnifiedAuth
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 import {
   applyPalette,
   clearPalette,
@@ -96,7 +96,7 @@ var useOrganisationSecurity = () => {
     const targetOrgId = orgId || selectedOrganisation?.id;
     if (!targetOrgId || !user) return false;
     try {
-      const { isPermitted } = await import("./api-SIZPFBFX.js");
+      const { isPermitted } = await import("./api-QPMBZZUZ.js");
       const scope = {
         organisationId: targetOrgId,
         eventId: user.user_metadata?.eventId || user.app_metadata?.eventId,
@@ -119,7 +119,7 @@ var useOrganisationSecurity = () => {
     const targetOrgId = orgId || selectedOrganisation?.id;
     if (!targetOrgId || !user) return [];
     try {
-      const { getPermissionMap } = await import("./api-SIZPFBFX.js");
+      const { getPermissionMap } = await import("./api-QPMBZZUZ.js");
       const scope = {
         organisationId: targetOrgId,
         eventId: user.user_metadata?.eventId || user.app_metadata?.eventId,
@@ -140,7 +140,7 @@ var useOrganisationSecurity = () => {
     if (!user || !selectedOrganisation) return;
     try {
       if (selectedOrganisation.id) {
-        const { emitAuditEvent } = await import("./audit-5JI5T3SL.js");
+        const { emitAuditEvent } = await import("./audit-H4YJJF7R.js");
         await emitAuditEvent({
           type: "permission_check",
           userId: user.id,
@@ -706,4 +706,4 @@ export {
   generatePublicRoutePath,
   extractEventCodeFromPath
 };
-//# sourceMappingURL=chunk-ACYQNYHB.js.map
+//# sourceMappingURL=chunk-C5RN4TE5.js.map

package/dist/{chunk-2BIDKXQU.js → chunk-EKVVTPIF.js} RENAMED Viewed

@@ -25,16 +25,16 @@ import {
   SelectSeparator,
   SelectTrigger,
   SelectValue
-} from "./chunk-TD4BXGPE.js";
+} from "./chunk-WMPZY26G.js";
 import {
   useCan,
   usePermissions,
   useRBAC,
   useResolvedScope
-} from "./chunk-UGVU7L7N.js";
+} from "./chunk-I7JC7PTJ.js";
 import {
   isSuperAdmin
-} from "./chunk-PXXS26G5.js";
+} from "./chunk-TAJRS6YB.js";
 import {
   OrganisationProvider_exports,
   PublicErrorBoundary,
@@ -49,7 +49,7 @@ import {
   useIsPublicPage,
   usePublicFileDisplay,
   usePublicPageContext
-} from "./chunk-X7SPKHYZ.js";
+} from "./chunk-F6QB26OS.js";
 import {
   useToast
 } from "./chunk-4OX5PXHX.js";
@@ -57,11 +57,11 @@ import {
   init_useOrganisations,
   useEvents,
   useOrganisations
-} from "./chunk-I5YM5BGS.js";
+} from "./chunk-L36JW4KV.js";
 import {
   UnifiedAuthProvider_exports,
   init_UnifiedAuthProvider as init_UnifiedAuthProvider2
-} from "./chunk-TDFBX7KJ.js";
+} from "./chunk-7H75SHXZ.js";
 import {
   EventServiceContext,
   EventServiceProvider,
@@ -71,7 +71,7 @@ import {
   useEventService,
   useSessionRestoration,
   useUnifiedAuth
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 import {
   LoadingSpinner
 } from "./chunk-CDQ3PX7L.js";
@@ -585,7 +585,23 @@ function EventSelector({
     return [...events].sort((a, b) => getTime(b) - getTime(a));
   }, [events]);
   useEffect(() => {
-    if (!selectedEvent && events.length > 0) {
+    if (!selectedEvent && events.length > 0 && !isLoading) {
+      const persistedEventId = localStorage.getItem("pace-core-selected-event") || sessionStorage.getItem("pace-core-selected-event");
+      if (persistedEventId) {
+        const persistedEvent = events.find((e) => e.event_id === persistedEventId);
+        if (persistedEvent) {
+          console.debug("[EventSelector] Persisted event found in storage but not selected:", persistedEventId);
+          return;
+        } else {
+          localStorage.removeItem("pace-core-selected-event");
+          sessionStorage.removeItem("pace-core-selected-event");
+          autoSelectEvent();
+        }
+      } else {
+        autoSelectEvent();
+      }
+    }
+    function autoSelectEvent() {
       const today = /* @__PURE__ */ new Date();
       const startOfToday = new Date(today.getFullYear(), today.getMonth(), today.getDate()).getTime();
       const next = [...events].filter((e) => e.event_date && new Date(e.event_date).getTime() >= startOfToday).sort((a, b) => new Date(a.event_date).getTime() - new Date(b.event_date).getTime())[0];
@@ -605,7 +621,7 @@ function EventSelector({
         }
       }
     }
-  }, [events, selectedEvent, setSelectedEvent, onEventChange]);
+  }, [events, selectedEvent, setSelectedEvent, onEventChange, isLoading]);
   if (isLoading) {
     return /* @__PURE__ */ jsxs4("div", { className: `flex items-center gap-2 ${className}`, children: [
       /* @__PURE__ */ jsx8(LoadingSpinner, { size: "sm" }),
@@ -920,14 +936,50 @@ var NavigationMenu = React9.forwardRef(({
     selectedOrganisationId: selectedOrganisation?.id || null,
     selectedEventId: selectedEvent?.event_id || null
   });
+  const stableScopeRef = React9.useRef({
+    organisationId: "",
+    eventId: void 0,
+    appId: void 0
+  });
+  if (resolvedScope?.organisationId) {
+    const newOrgId = resolvedScope.organisationId;
+    const newEventId = resolvedScope.eventId;
+    const newAppId = resolvedScope.appId;
+    if (stableScopeRef.current.organisationId !== newOrgId || stableScopeRef.current.eventId !== newEventId || stableScopeRef.current.appId !== newAppId) {
+      stableScopeRef.current = {
+        organisationId: newOrgId,
+        eventId: newEventId,
+        appId: newAppId
+      };
+    }
+  } else if (!resolvedScope) {
+    if (stableScopeRef.current.organisationId !== "") {
+      stableScopeRef.current = {
+        organisationId: "",
+        eventId: void 0,
+        appId: void 0
+      };
+    }
+  }
+  const stableScope = stableScopeRef.current;
   const userId = authContext?.user?.id || "";
-  const scope = resolvedScope || { organisationId: "", eventId: void 0, appId: void 0 };
-  const { permissions: permissionMap, hasAnyPermission, isLoading: permissionsLoading } = usePermissions(
+  const { permissions: permissionMap, hasAnyPermission, isLoading: permissionsLoading, error: permissionsError } = usePermissions(
     userId,
-    scope
+    stableScope
   );
   const filteredItems = React9.useMemo(() => {
-    if (!filterByPermissions || !authContext || !rbacContext || scopeLoading || permissionsLoading || !resolvedScope?.organisationId) {
+    if (filterByPermissions) {
+      if (!authContext || !rbacContext || scopeLoading || permissionsLoading || !resolvedScope?.organisationId) {
+        return [];
+      }
+      if (permissionsError || !permissionMap || Object.keys(permissionMap).length === 0) {
+        console.warn("[NavigationMenu] Permission map is empty or has error - showing no items for security", {
+          permissionsError: permissionsError?.message,
+          permissionMapSize: permissionMap ? Object.keys(permissionMap).length : 0
+        });
+        return [];
+      }
+    } else {
       return (items || []).filter((item) => !item.meta?.hidden);
     }
     const getPageIdFromHref = (href) => {
@@ -991,19 +1043,25 @@ var NavigationMenu = React9.forwardRef(({
           }
         }
       }
-      if (item.href && !item.permissions && !item.roles && !item.accessLevel) {
+      if (item.href) {
         const pageId = item.pageId || getPageIdFromHref(item.href);
         if (pageId) {
           const pagePermission = `read:page.${pageId}`;
-          const hasPagePermission = permissionMap["*"] === true || permissionMap[pagePermission] === true;
-          if (!hasPagePermission) {
+          const isSuperAdmin2 = permissionMap["*"] === true;
+          const hasPagePermission = permissionMap[pagePermission] === true;
+          const finalHasPermission = isSuperAdmin2 || hasPagePermission;
+          if (!finalHasPermission) {
             if (auditLog) {
               console.log(`[NavigationMenu] Filtering out navigation item "${item.label}" - no page permission:`, {
                 itemId: item.id,
                 href: item.href,
                 pageId,
                 permission: pagePermission,
-                hasPermission: hasPagePermission
+                hasPermission: finalHasPermission,
+                isSuperAdmin: isSuperAdmin2,
+                permissionMapValue: permissionMap[pagePermission],
+                permissionMapKeys: Object.keys(permissionMap).slice(0, 10)
+                // Show first 10 keys for debugging
               });
             }
             return false;
@@ -1027,7 +1085,8 @@ var NavigationMenu = React9.forwardRef(({
         children: filteredChildren
       };
     };
-    return (items || []).map((item) => filterItem(item)).filter((item) => item !== null);
+    const filtered = (items || []).map((item) => filterItem(item)).filter((item) => item !== null);
+    return filtered;
   }, [
     items,
     filterByPermissions,
@@ -1518,7 +1577,7 @@ function PaceAppLayout({
         appId: user.user_metadata?.appId || user.app_metadata?.appId
       };
       try {
-        const { isSuperAdmin: isSuperAdmin2 } = await import("./api-SIZPFBFX.js");
+        const { isSuperAdmin: isSuperAdmin2 } = await import("./api-QPMBZZUZ.js");
         const isSuper = await isSuperAdmin2(user.id);
         if (isSuper) {
           if (isMounted) {
@@ -1539,7 +1598,7 @@ function PaceAppLayout({
         return;
       }
       try {
-        const { getPermissionMap } = await import("./api-SIZPFBFX.js");
+        const { getPermissionMap } = await import("./api-QPMBZZUZ.js");
         const permissionMap = await getPermissionMap({
           userId: user.id,
           scope: scope2
@@ -1598,7 +1657,7 @@ function PaceAppLayout({
       let hasAccess = true;
       if (currentRoute.pageId && currentRoute.permissions && currentRoute.permissions.length > 0) {
         try {
-          const { isPermittedCached } = await import("./api-SIZPFBFX.js");
+          const { isPermittedCached } = await import("./api-QPMBZZUZ.js");
           const hasPagePermission = await isPermittedCached({
             userId: user?.id || "",
             scope,
@@ -1614,7 +1673,7 @@ function PaceAppLayout({
         }
       }
       if (hasAccess && currentRoute.roles && currentRoute.roles.length > 0 && user?.id) {
-        const { useUnifiedAuth: useUnifiedAuth2 } = await import("./UnifiedAuthProvider-LUM3QLS5.js");
+        const { useUnifiedAuth: useUnifiedAuth2 } = await import("./UnifiedAuthProvider-KZZUO27W.js");
         hasAccess = true;
       }
       if (!isMounted) return;
@@ -4450,4 +4509,4 @@ export {
   PublicPageDiagnostic,
   PublicPageContextChecker
 };
-//# sourceMappingURL=chunk-2BIDKXQU.js.map
+//# sourceMappingURL=chunk-EKVVTPIF.js.map