npm - @jmruthers/pace-core - Versions diffs - 0.5.111 → 0.5.113 - Mend

@jmruthers/pace-core 0.5.111 → 0.5.113

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/dist/{DataTable-5W2HVLLV.js → DataTable-YNEB5WDK.js} RENAMED Viewed

@@ -54,10 +54,10 @@ import {
   sortHierarchicalDataWithSorting,
   validateHierarchicalData,
   validatePaginationConfig
-} from "./chunk-TD4BXGPE.js";
-import "./chunk-UGVU7L7N.js";
-import "./chunk-PXXS26G5.js";
-import "./chunk-IWJYNWXN.js";
+} from "./chunk-KISJX3XZ.js";
+import "./chunk-ZPXWJA4H.js";
+import "./chunk-QKIVSZ2O.js";
+import "./chunk-3OGQLOJM.js";
 import {
   CircuitBreaker,
   DEFAULT_FALLBACK_CONFIG,
@@ -76,9 +76,9 @@ import {
   throttle,
   useDataTablePerformance
 } from "./chunk-4OX5PXHX.js";
-import "./chunk-I5YM5BGS.js";
-import "./chunk-TDFBX7KJ.js";
-import "./chunk-MW73E7SP.js";
+import "./chunk-L36JW4KV.js";
+import "./chunk-7H75SHXZ.js";
+import "./chunk-OO3V7W4H.js";
 import "./chunk-PYUXFQJ3.js";
 import "./chunk-JCQZ6LA7.js";
 import "./chunk-BDZUMRBD.js";
@@ -157,4 +157,4 @@ export {
   validateHierarchicalData,
   validatePaginationConfig
 };
-//# sourceMappingURL=DataTable-5W2HVLLV.js.map
+//# sourceMappingURL=DataTable-YNEB5WDK.js.map

package/dist/{UnifiedAuthProvider-LUM3QLS5.js → UnifiedAuthProvider-KZZUO27W.js} RENAMED Viewed

@@ -1,10 +1,10 @@
 import {
   init_UnifiedAuthProvider
-} from "./chunk-TDFBX7KJ.js";
+} from "./chunk-7H75SHXZ.js";
 import {
   UnifiedAuthProvider,
   useUnifiedAuth
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 import "./chunk-BDZUMRBD.js";
 import "./chunk-SMJZMKYN.js";
 import "./chunk-PLDDJCW6.js";
@@ -13,4 +13,4 @@ export {
   UnifiedAuthProvider,
   useUnifiedAuth
 };
-//# sourceMappingURL=UnifiedAuthProvider-LUM3QLS5.js.map
+//# sourceMappingURL=UnifiedAuthProvider-KZZUO27W.js.map

package/dist/{api-SIZPFBFX.js → api-PKU4PUBO.js} RENAMED Viewed

@@ -20,8 +20,8 @@ import {
   isSuperAdmin,
   resolveAppContext,
   setupRBAC
-} from "./chunk-PXXS26G5.js";
-import "./chunk-IWJYNWXN.js";
+} from "./chunk-QKIVSZ2O.js";
+import "./chunk-3OGQLOJM.js";
 import "./chunk-PLDDJCW6.js";
 export {
   OrganisationContextRequiredError,
@@ -46,4 +46,4 @@ export {
   resolveAppContext,
   setupRBAC
 };
-//# sourceMappingURL=api-SIZPFBFX.js.map
+//# sourceMappingURL=api-PKU4PUBO.js.map

package/dist/{audit-5JI5T3SL.js → audit-H4YJJF7R.js} RENAMED Viewed

@@ -4,7 +4,7 @@ import {
   emitAuditEvent,
   getGlobalAuditManager,
   setGlobalAuditManager
-} from "./chunk-IWJYNWXN.js";
+} from "./chunk-3OGQLOJM.js";
 import "./chunk-PLDDJCW6.js";
 export {
   RBACAuditManager,
@@ -13,4 +13,4 @@ export {
   getGlobalAuditManager,
   setGlobalAuditManager
 };
-//# sourceMappingURL=audit-5JI5T3SL.js.map
+//# sourceMappingURL=audit-H4YJJF7R.js.map

package/dist/{chunk-IWJYNWXN.js → chunk-3OGQLOJM.js} RENAMED Viewed

@@ -52,6 +52,11 @@ var RBACAuditManager = class {
           note: "Organisation context is required for RBAC operations. This may indicate a security issue or missing context derivation."
         });
       }
+      const rawPageId = "pageId" in event ? event.pageId : void 0;
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      const isValidPageIdUuid = rawPageId && uuidRegex.test(rawPageId);
+      const pageIdUuid = isValidPageIdUuid ? rawPageId : void 0;
+      const pageIdName = rawPageId && !isValidPageIdUuid ? rawPageId : void 0;
       const auditEvent = {
         event_type: event.type,
         user_id: event.userId,
@@ -61,7 +66,8 @@ var RBACAuditManager = class {
         // Explicitly null if missing
         event_id: "eventId" in event ? event.eventId : void 0,
         app_id: "appId" in event ? event.appId : void 0,
-        page_id: "pageId" in event ? event.pageId : void 0,
+        page_id: pageIdUuid,
+        // Only set if it's a valid UUID
         permission: "permission" in event ? event.permission : void 0,
         decision: "decision" in event ? event.decision : void 0,
         source: "source" in event ? event.source : "api",
@@ -73,7 +79,9 @@ var RBACAuditManager = class {
           cache_hit: "cache_hit" in event ? event.cache_hit : void 0,
           cache_source: "cache_source" in event ? event.cache_source : void 0,
           // Explicit flag indicating this event had no organisation context
-          no_organisation_context: !event.organisationId
+          no_organisation_context: !event.organisationId,
+          // Store page name/identifier in metadata if it's not a UUID
+          page_name: pageIdName
         }
       };
       const { error } = await this.supabase.from("rbac_audit_events").insert([auditEvent]);
@@ -197,4 +205,4 @@ export {
   getGlobalAuditManager,
   emitAuditEvent
 };
-//# sourceMappingURL=chunk-IWJYNWXN.js.map
+//# sourceMappingURL=chunk-3OGQLOJM.js.map

package/dist/chunk-3OGQLOJM.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/rbac/audit.ts"],"sourcesContent":["/**\n * RBAC Audit Events System\n * @package @jmruthers/pace-core\n * @module RBAC/Audit\n * @since 1.0.0\n * \n * This module provides structured audit event emission for all RBAC operations.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { \n UUID, \n AuditEventSource, \n RBACAuditEvent \n} from './types';\n\n/**\n * Audit event payload for permission checks\n */\nexport interface PermissionCheckAuditEvent {\n type: 'permission_check';\n userId: UUID;\n organisationId: UUID;\n eventId?: string;\n appId?: UUID;\n pageId?: UUID;\n permission: string;\n decision: boolean;\n source: AuditEventSource;\n bypass?: boolean;\n duration_ms: number;\n cache_hit?: boolean;\n cache_source?: 'memory' | 'database' | 'rpc';\n metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for permission denied\n */\nexport interface PermissionDeniedAuditEvent {\n type: 'permission_denied';\n userId: UUID;\n organisationId: UUID;\n eventId?: string;\n appId?: UUID;\n pageId?: UUID;\n permission: string;\n source: AuditEventSource;\n metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role granted\n */\nexport interface RoleGrantedAuditEvent {\n type: 'role_granted';\n userId: UUID;\n organisationId: UUID;\n eventId?: string;\n appId?: UUID;\n role: string;\n grantedBy: UUID;\n metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role revoked\n */\nexport interface RoleRevokedAuditEvent {\n type: 'role_denied';\n userId: UUID;\n organisationId: UUID;\n eventId?: string;\n appId?: UUID;\n role: string;\n revokedBy: UUID;\n metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for RLS denied\n */\nexport interface RLSDeniedAuditEvent {\n type: 'rls_denied';\n userId: UUID;\n organisationId: UUID;\n table: string;\n operation: string;\n metadata?: Record<string, any>;\n}\n\n/**\n * Union type for all audit events\n */\nexport type AuditEventPayload = \n | PermissionCheckAuditEvent\n | PermissionDeniedAuditEvent\n | RoleGrantedAuditEvent\n | RoleRevokedAuditEvent\n | RLSDeniedAuditEvent;\n\n/**\n * RBAC Audit Manager\n * \n * Handles emission of structured audit events for all RBAC operations.\n */\nexport class RBACAuditManager {\n private supabase: SupabaseClient<Database>;\n private enabled: boolean = true;\n\n constructor(supabase: SupabaseClient<Database>) {\n this.supabase = supabase;\n }\n\n /**\n * Enable or disable audit logging\n * \n * @param enabled - Whether to enable audit logging\n */\n setEnabled(enabled: boolean): void {\n this.enabled = enabled;\n }\n\n /**\n * Check if audit logging is enabled\n * \n * @returns True if audit logging is enabled\n */\n isEnabled(): boolean {\n return this.enabled;\n }\n\n /**\n * Emit an audit event\n * \n * @param event - Audit event payload\n * @returns Promise that resolves when event is logged\n */\n async emitEvent(event: AuditEventPayload): Promise<void> {\n if (!this.enabled) {\n return;\n }\n\n // Validate required fields before attempting to insert\n // MANDATORY: All audit events must have userId\n if (!event.userId) {\n console.error('[RBAC Audit] CRITICAL: Cannot log audit event without userId:', {\n eventType: event.type,\n organisationId: event.organisationId\n });\n return;\n }\n\n // WARNING: Some audit events may not have organisationId (e.g., global admin operations)\n // Log these for security monitoring even if organisationId is missing\n if (!event.organisationId) {\n console.warn('[RBAC Audit] Audit event without organisation context:', {\n userId: event.userId,\n eventType: event.type,\n note: 'This should be investigated for security compliance'\n });\n }\n\n try {\n // Since organisationId is now required in SecurityContext, this should rarely happen\n // But we still handle the edge case properly without masking it\n if (!event.organisationId) {\n console.warn('[RBAC Audit] Audit event without organisation context - this should be investigated:', {\n userId: event.userId,\n eventType: event.type,\n note: 'Organisation context is required for RBAC operations. This may indicate a security issue or missing context derivation.'\n });\n }\n\n // Validate pageId: only include in page_id column if it's a valid UUID\n // Otherwise, store it in metadata to avoid database errors\n const rawPageId = 'pageId' in event ? event.pageId : undefined;\n const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n const isValidPageIdUuid = rawPageId && uuidRegex.test(rawPageId);\n const pageIdUuid: UUID | undefined = isValidPageIdUuid ? (rawPageId as UUID) : undefined;\n const pageIdName: string | undefined = rawPageId && !isValidPageIdUuid ? rawPageId : undefined;\n\n const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {\n event_type: event.type,\n user_id: event.userId,\n // Store organisationId - nullable to properly track missing context cases\n // Do NOT use fallback UUID as it masks security issues\n organisation_id: event.organisationId || null, // Explicitly null if missing\n event_id: 'eventId' in event ? event.eventId : undefined,\n app_id: 'appId' in event ? event.appId : undefined,\n page_id: pageIdUuid, // Only set if it's a valid UUID\n permission: 'permission' in event ? event.permission : undefined,\n decision: 'decision' in event ? event.decision : undefined,\n source: 'source' in event ? event.source : 'api', // Default to 'api' if not provided\n bypass: 'bypass' in event ? event.bypass : undefined,\n duration_ms: 'duration_ms' in event ? event.duration_ms : undefined,\n metadata: {\n ...event.metadata,\n cache_hit: 'cache_hit' in event ? event.cache_hit : undefined,\n cache_source: 'cache_source' in event ? event.cache_source : undefined,\n // Explicit flag indicating this event had no organisation context\n no_organisation_context: !event.organisationId,\n // Store page name/identifier in metadata if it's not a UUID\n page_name: pageIdName,\n },\n };\n\n const { error } = await (this.supabase as any)\n .from('rbac_audit_events')\n .insert([auditEvent]);\n\n if (error) {\n // Log the error for debugging but don't throw\n console.warn('[RBAC Audit] Failed to insert audit event:', {\n error: error.message,\n code: error.code,\n details: error.details,\n hint: error.hint,\n event: auditEvent\n });\n }\n } catch (error) {\n // Log unexpected errors but don't throw\n console.error('[RBAC Audit] Unexpected error during audit logging:', error);\n }\n }\n\n /**\n * Emit a permission check audit event\n * \n * @param event - Permission check event data\n */\n async emitPermissionCheck(event: Omit<PermissionCheckAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'permission_check',\n ...event,\n });\n }\n\n /**\n * Emit a permission denied audit event\n * \n * @param event - Permission denied event data\n */\n async emitPermissionDenied(event: Omit<PermissionDeniedAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'permission_denied',\n ...event,\n });\n }\n\n /**\n * Emit a role granted audit event\n * \n * @param event - Role granted event data\n */\n async emitRoleGranted(event: Omit<RoleGrantedAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'role_granted',\n ...event,\n });\n }\n\n /**\n * Emit a role revoked audit event\n * \n * @param event - Role revoked event data\n */\n async emitRoleRevoked(event: Omit<RoleRevokedAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'role_denied',\n ...event,\n });\n }\n\n /**\n * Emit an RLS denied audit event\n * \n * @param event - RLS denied event data\n */\n async emitRLSDenied(event: Omit<RLSDeniedAuditEvent, 'type'>): Promise<void> {\n await this.emitEvent({\n type: 'rls_denied',\n ...event,\n });\n }\n\n /**\n * Get audit events for a user\n * \n * @param userId - User ID\n * @param limit - Maximum number of events to return\n * @returns Promise resolving to audit events\n */\n async getUserAuditEvents(userId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n const { data, error } = await this.supabase\n .from('rbac_audit_events')\n .select('*')\n .eq('user_id', userId)\n .order('created_at', { ascending: false })\n .limit(limit);\n\n if (error) {\n throw new Error(`Failed to get audit events: ${error.message}`);\n }\n\n return data || [];\n }\n\n /**\n * Get audit events for an organisation\n * \n * @param organisationId - Organisation ID\n * @param limit - Maximum number of events to return\n * @returns Promise resolving to audit events\n */\n async getOrganisationAuditEvents(organisationId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n const { data, error } = await this.supabase\n .from('rbac_audit_events')\n .select('*')\n .eq('organisation_id', organisationId)\n .order('created_at', { ascending: false })\n .limit(limit);\n\n if (error) {\n throw new Error(`Failed to get audit events: ${error.message}`);\n }\n\n return data || [];\n }\n}\n\n/**\n * Create an audit manager instance\n * \n * @param supabase - Supabase client\n * @returns RBACAuditManager instance\n */\nexport function createAuditManager(supabase: SupabaseClient<Database>): RBACAuditManager {\n return new RBACAuditManager(supabase);\n}\n\n/**\n * Global audit manager instance\n * \n * This is set by the RBAC engine when it initializes.\n */\nlet globalAuditManager: RBACAuditManager | null = null;\n\n/**\n * Set the global audit manager\n * \n * @param manager - Audit manager instance\n */\nexport function setGlobalAuditManager(manager: RBACAuditManager): void {\n globalAuditManager = manager;\n}\n\n/**\n * Get the global audit manager\n * \n * @returns Global audit manager or null if not set\n */\nexport function getGlobalAuditManager(): RBACAuditManager | null {\n return globalAuditManager;\n}\n\n/**\n * Emit an audit event using the global audit manager\n * \n * @param event - Audit event payload\n */\nexport async function emitAuditEvent(event: AuditEventPayload): Promise<void> {\n if (globalAuditManager) {\n await globalAuditManager.emitEvent(event);\n }\n}\n"],"mappings":";AA2GO,IAAM,mBAAN,MAAuB;AAAA,EAI5B,YAAY,UAAoC;AAFhD,SAAQ,UAAmB;AAGzB,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAW,SAAwB;AACjC,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,UAAU,OAAyC;AACvD,QAAI,CAAC,KAAK,SAAS;AACjB;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,QAAQ;AACjB,cAAQ,MAAM,iEAAiE;AAAA,QAC7E,WAAW,MAAM;AAAA,QACjB,gBAAgB,MAAM;AAAA,MACxB,CAAC;AACD;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,gBAAgB;AACzB,cAAQ,KAAK,0DAA0D;AAAA,QACrE,QAAQ,MAAM;AAAA,QACd,WAAW,MAAM;AAAA,QACjB,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,QAAI;AAGF,UAAI,CAAC,MAAM,gBAAgB;AACzB,gBAAQ,KAAK,wFAAwF;AAAA,UACnG,QAAQ,MAAM;AAAA,UACd,WAAW,MAAM;AAAA,UACjB,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAIA,YAAM,YAAY,YAAY,QAAQ,MAAM,SAAS;AACrD,YAAM,YAAY;AAClB,YAAM,oBAAoB,aAAa,UAAU,KAAK,SAAS;AAC/D,YAAM,aAA+B,oBAAqB,YAAqB;AAC/E,YAAM,aAAiC,aAAa,CAAC,oBAAoB,YAAY;AAErF,YAAM,aAAwD;AAAA,QAC5D,YAAY,MAAM;AAAA,QAClB,SAAS,MAAM;AAAA;AAAA;AAAA,QAGf,iBAAiB,MAAM,kBAAkB;AAAA;AAAA,QACzC,UAAU,aAAa,QAAQ,MAAM,UAAU;AAAA,QAC/C,QAAQ,WAAW,QAAQ,MAAM,QAAQ;AAAA,QACzC,SAAS;AAAA;AAAA,QACT,YAAY,gBAAgB,QAAQ,MAAM,aAAa;AAAA,QACvD,UAAU,cAAc,QAAQ,MAAM,WAAW;AAAA,QACjD,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA;AAAA,QAC3C,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA,QAC3C,aAAa,iBAAiB,QAAQ,MAAM,cAAc;AAAA,QAC1D,UAAU;AAAA,UACR,GAAG,MAAM;AAAA,UACT,WAAW,eAAe,QAAQ,MAAM,YAAY;AAAA,UACpD,cAAc,kBAAkB,QAAQ,MAAM,eAAe;AAAA;AAAA,UAE7D,yBAAyB,CAAC,MAAM;AAAA;AAAA,UAEhC,WAAW;AAAA,QACb;AAAA,MACF;AAEA,YAAM,EAAE,MAAM,IAAI,MAAO,KAAK,SAC3B,KAAK,mBAAmB,EACxB,OAAO,CAAC,UAAU,CAAC;AAEtB,UAAI,OAAO;AAET,gBAAQ,KAAK,8CAA8C;AAAA,UACzD,OAAO,MAAM;AAAA,UACb,MAAM,MAAM;AAAA,UACZ,SAAS,MAAM;AAAA,UACf,MAAM,MAAM;AAAA,UACZ,OAAO;AAAA,QACT,CAAC;AAAA,MACH;AAAA,IACF,SAAS,OAAO;AAEd,cAAQ,MAAM,uDAAuD,KAAK;AAAA,IAC5E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,oBAAoB,OAA+D;AACvF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,qBAAqB,OAAgE;AACzF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,cAAc,OAAyD;AAC3E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,mBAAmB,QAAc,QAAgB,KAAgC;AACrF,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,GAAG,EACV,GAAG,WAAW,MAAM,EACpB,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AACT,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,WAAO,QAAQ,CAAC;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,2BAA2B,gBAAsB,QAAgB,KAAgC;AACrG,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,GAAG,EACV,GAAG,mBAAmB,cAAc,EACpC,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AACT,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,WAAO,QAAQ,CAAC;AAAA,EAClB;AACF;AAQO,SAAS,mBAAmB,UAAsD;AACvF,SAAO,IAAI,iBAAiB,QAAQ;AACtC;AAOA,IAAI,qBAA8C;AAO3C,SAAS,sBAAsB,SAAiC;AACrE,uBAAqB;AACvB;AAOO,SAAS,wBAAiD;AAC/D,SAAO;AACT;AAOA,eAAsB,eAAe,OAAyC;AAC5E,MAAI,oBAAoB;AACtB,UAAM,mBAAmB,UAAU,KAAK;AAAA,EAC1C;AACF;","names":[]}

package/dist/{chunk-TDFBX7KJ.js → chunk-7H75SHXZ.js} RENAMED Viewed

@@ -2,7 +2,7 @@ import {
   UnifiedAuthProvider,
   init_UnifiedAuthProvider,
   useUnifiedAuth
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 import {
   __esm,
   __export
@@ -24,4 +24,4 @@ export {
   UnifiedAuthProvider_exports,
   init_UnifiedAuthProvider2 as init_UnifiedAuthProvider
 };
-//# sourceMappingURL=chunk-TDFBX7KJ.js.map
+//# sourceMappingURL=chunk-7H75SHXZ.js.map

package/dist/{chunk-EFVQBYFN.js → chunk-BUN7NMV7.js} RENAMED Viewed

@@ -4,7 +4,7 @@ import {
   init_InactivityServiceProvider,
   init_OrganisationServiceProvider,
   init_UnifiedAuthProvider
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 // src/providers/index.ts
 init_UnifiedAuthProvider();
@@ -12,4 +12,4 @@ init_EventServiceProvider();
 init_OrganisationServiceProvider();
 init_InactivityServiceProvider();
 init_AuthServiceProvider();
-//# sourceMappingURL=chunk-EFVQBYFN.js.map
+//# sourceMappingURL=chunk-BUN7NMV7.js.map

package/dist/{chunk-X7SPKHYZ.js → chunk-F6QB26OS.js} RENAMED Viewed

@@ -1,17 +1,17 @@
 import {
   init_useOrganisations,
   useOrganisations
-} from "./chunk-I5YM5BGS.js";
+} from "./chunk-L36JW4KV.js";
 import {
   init_UnifiedAuthProvider
-} from "./chunk-TDFBX7KJ.js";
+} from "./chunk-7H75SHXZ.js";
 import {
   OrganisationServiceContext,
   OrganisationServiceProvider,
   init_OrganisationServiceProvider,
   useOrganisationService,
   useUnifiedAuth
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 import {
   init_organisationContext,
   setOrganisationContext
@@ -1572,4 +1572,4 @@ export {
   clearPublicFileDisplayCache,
   getPublicFileDisplayCacheStats
 };
-//# sourceMappingURL=chunk-X7SPKHYZ.js.map
+//# sourceMappingURL=chunk-F6QB26OS.js.map

package/dist/{chunk-ZL45MG76.js → chunk-HKWQN44G.js} RENAMED Viewed

@@ -3,22 +3,22 @@ import {
   useAccessLevel,
   useCan,
   useMultiplePermissions
-} from "./chunk-UGVU7L7N.js";
+} from "./chunk-ZPXWJA4H.js";
 import {
   OrganisationContextRequiredError,
   RBACCache,
   getRBACLogger,
   rbacCache
-} from "./chunk-PXXS26G5.js";
+} from "./chunk-QKIVSZ2O.js";
 import {
   useSecureDataAccess
-} from "./chunk-JE2GFA3O.js";
+} from "./chunk-NEONKMTU.js";
 import {
   init_UnifiedAuthProvider
-} from "./chunk-TDFBX7KJ.js";
+} from "./chunk-7H75SHXZ.js";
 import {
   useUnifiedAuth
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 import {
   getCurrentAppName
 } from "./chunk-JCQZ6LA7.js";
@@ -1539,7 +1539,7 @@ function withPermissionGuard(config, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for permission check");
     }
-    const { isPermitted: isPermitted2 } = await import("./api-SIZPFBFX.js");
+    const { isPermitted: isPermitted2 } = await import("./api-PKU4PUBO.js");
     const hasPermission2 = await isPermitted2({
       userId,
       scope: { organisationId, eventId, appId },
@@ -1562,7 +1562,7 @@ function withAccessLevelGuard(minLevel, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for access level check");
     }
-    const { getAccessLevel: getAccessLevel2 } = await import("./api-SIZPFBFX.js");
+    const { getAccessLevel: getAccessLevel2 } = await import("./api-PKU4PUBO.js");
     const accessLevel = await getAccessLevel2({
       userId,
       scope: { organisationId, eventId, appId }
@@ -1587,11 +1587,11 @@ function withRoleGuard(config, handler) {
       throw new Error("User context required for role check");
     }
     if (config.globalRoles && config.globalRoles.length > 0) {
-      const { isSuperAdmin } = await import("./api-SIZPFBFX.js");
+      const { isSuperAdmin } = await import("./api-PKU4PUBO.js");
       const isSuper = await isSuperAdmin(userId);
       if (isSuper) {
         if (organisationId) {
-          const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-5JI5T3SL.js");
+          const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-H4YJJF7R.js");
           await emitAuditEvent2({
             type: "permission_check",
             userId,
@@ -1613,21 +1613,21 @@ function withRoleGuard(config, handler) {
       }
     }
     if (config.organisationRoles && config.organisationRoles.length > 0) {
-      const { isOrganisationAdmin } = await import("./api-SIZPFBFX.js");
+      const { isOrganisationAdmin } = await import("./api-PKU4PUBO.js");
       const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
       if (!isOrgAdmin && config.requireAll !== false) {
         throw new Error(`Organisation admin role required`);
       }
     }
     if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
-      const { isEventAdmin } = await import("./api-SIZPFBFX.js");
+      const { isEventAdmin } = await import("./api-PKU4PUBO.js");
       const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
       if (!isEventAdminUser && config.requireAll !== false) {
         throw new Error(`Event admin role required`);
       }
     }
     if (organisationId) {
-      const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-5JI5T3SL.js");
+      const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-H4YJJF7R.js");
       await emitAuditEvent2({
         type: "permission_check",
         userId,
@@ -1660,7 +1660,7 @@ function createRBACMiddleware(config) {
     );
     if (protectedRoute) {
       try {
-        const { isPermitted: isPermitted2 } = await import("./api-SIZPFBFX.js");
+        const { isPermitted: isPermitted2 } = await import("./api-PKU4PUBO.js");
         const hasPermission2 = await isPermitted2({
           userId,
           scope: { organisationId },
@@ -1687,7 +1687,7 @@ function createRBACExpressMiddleware(config) {
       return res.status(401).json({ error: "User context required" });
     }
     try {
-      const { isPermitted: isPermitted2 } = await import("./api-SIZPFBFX.js");
+      const { isPermitted: isPermitted2 } = await import("./api-PKU4PUBO.js");
       const hasPermission2 = await isPermitted2({
         userId,
         scope: { organisationId, eventId, appId },
@@ -1860,4 +1860,4 @@ export {
   getPermissionsForRole,
   ALL_PERMISSIONS
 };
-//# sourceMappingURL=chunk-ZL45MG76.js.map
+//# sourceMappingURL=chunk-HKWQN44G.js.map

package/dist/{chunk-TD4BXGPE.js → chunk-KISJX3XZ.js} RENAMED Viewed

@@ -1,17 +1,17 @@
 import {
   useCan,
   useResolvedScope
-} from "./chunk-UGVU7L7N.js";
+} from "./chunk-ZPXWJA4H.js";
 import {
   toast,
   useDataTablePerformance
 } from "./chunk-4OX5PXHX.js";
 import {
   init_UnifiedAuthProvider
-} from "./chunk-TDFBX7KJ.js";
+} from "./chunk-7H75SHXZ.js";
 import {
   useUnifiedAuth
-} from "./chunk-MW73E7SP.js";
+} from "./chunk-OO3V7W4H.js";
 import {
   cn
 } from "./chunk-PYUXFQJ3.js";
@@ -12093,6 +12093,10 @@ function DataTableInternal({
   if (!user) {
     throw new Error("DataTable requires authenticated user for RBAC");
   }
+  if (permissions.canRead.isLoading) {
+    console.log("[DataTable] \u23F3 Permission check in progress - showing loading state");
+    return /* @__PURE__ */ jsx24(LoadingComponent, {});
+  }
   if (!permissions.canRead.can) {
     console.warn("[DataTable] \u{1F6AB} Access denied - no read permission:", {
       canRead: permissions.canRead,
@@ -12703,4 +12707,4 @@ lodash/lodash.js:
    * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors
    *)
 */
-//# sourceMappingURL=chunk-TD4BXGPE.js.map
+//# sourceMappingURL=chunk-KISJX3XZ.js.map