@jmruthers/pace-core 0.5.121 → 0.5.123

package/dist/chunk-WP5I5GLN 2.js

@@ -1,1564 +0,0 @@
-import {
-  createAuditManager,
-  emitAuditEvent,
-  setGlobalAuditManager
-} from "./chunk-3DBFLLLU.js";
-
-// src/rbac/types.ts
-var RBACError = class extends Error {
-  constructor(message, code, context) {
-    super(message);
-    this.code = code;
-    this.context = context;
-    this.name = "RBACError";
-  }
-};
-var PermissionDeniedError = class extends RBACError {
-  constructor(permission, context) {
-    super(
-      `Permission denied: ${permission}`,
-      "PERMISSION_DENIED",
-      { permission, ...context }
-    );
-    this.name = "PermissionDeniedError";
-  }
-};
-var OrganisationContextRequiredError = class extends RBACError {
-  constructor() {
-    super(
-      "Organisation context is required for this operation",
-      "ORGANISATION_CONTEXT_REQUIRED"
-    );
-    this.name = "OrganisationContextRequiredError";
-  }
-};
-var RBACNotInitializedError = class extends RBACError {
-  constructor() {
-    super(
-      "RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup",
-      "RBAC_NOT_INITIALIZED"
-    );
-    this.name = "RBACNotInitializedError";
-  }
-};
-var InvalidScopeError = class extends RBACError {
-  constructor(scope, reason) {
-    super(
-      `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,
-      "INVALID_SCOPE",
-      { scope, reason }
-    );
-    this.name = "InvalidScopeError";
-  }
-};
-var MissingUserContextError = class extends RBACError {
-  constructor() {
-    super(
-      "User context is required but not available. Make sure to wrap your app with an auth provider.",
-      "MISSING_USER_CONTEXT"
-    );
-    this.name = "MissingUserContextError";
-  }
-};
-
-// src/rbac/cache.ts
-var RBACCache = class {
-  constructor() {
-    this.cache = /* @__PURE__ */ new Map();
-    this.TTL = 60 * 1e3;
-    // 60 seconds
-    this.invalidationCallbacks = /* @__PURE__ */ new Set();
-  }
-  /**
-   * Get a value from the cache
-   * 
-   * @param key - Cache key
-   * @returns Cached value or null if not found/expired
-   */
-  get(key) {
-    const entry = this.cache.get(key);
-    if (!entry) {
-      return null;
-    }
-    if (Date.now() > entry.expires) {
-      this.cache.delete(key);
-      return null;
-    }
-    return entry.data;
-  }
-  /**
-   * Set a value in the cache
-   * 
-   * @param key - Cache key
-   * @param data - Data to cache
-   * @param ttl - Time to live in milliseconds (defaults to 60s)
-   */
-  set(key, data, ttl = this.TTL) {
-    const expires = ttl <= 0 ? Date.now() - 1 : Date.now() + ttl;
-    this.cache.set(key, {
-      data,
-      expires
-    });
-  }
-  /**
-   * Delete a specific key from the cache
-   * 
-   * @param key - Cache key to delete
-   */
-  delete(key) {
-    this.cache.delete(key);
-  }
-  /**
-   * Invalidate cache entries matching a pattern
-   * 
-   * @param pattern - Pattern to match against cache keys
-   */
-  invalidate(pattern) {
-    const trimmedPattern = pattern?.trim();
-    if (!trimmedPattern) {
-      return;
-    }
-    const matcher = this.createMatcher(trimmedPattern);
-    const keysToDelete = [];
-    for (const key of this.cache.keys()) {
-      if (matcher(key)) {
-        keysToDelete.push(key);
-      }
-    }
-    keysToDelete.forEach((key) => this.cache.delete(key));
-    this.invalidationCallbacks.forEach((callback) => callback(trimmedPattern));
-  }
-  createMatcher(pattern) {
-    if (pattern.includes("*")) {
-      const escapedSegments = pattern.split("*").map((segment) => segment.replace(/[|\\{}()[\]^$+?.-]/g, "\\$&"));
-      const regexPattern = escapedSegments.join(".*");
-      const regex = new RegExp(regexPattern);
-      return (key) => regex.test(key);
-    }
-    return (key) => key.includes(pattern);
-  }
-  /**
-   * Clear all cache entries
-   */
-  clear() {
-    this.cache.clear();
-  }
-  /**
-   * Get cache statistics
-   */
-  getStats() {
-    return {
-      size: this.cache.size,
-      ttl: this.TTL,
-      keys: Array.from(this.cache.keys())
-    };
-  }
-  /**
-   * Add an invalidation callback
-   * 
-   * @param callback - Function to call when cache is invalidated
-   */
-  onInvalidate(callback) {
-    this.invalidationCallbacks.add(callback);
-    return () => {
-      this.invalidationCallbacks.delete(callback);
-    };
-  }
-  /**
-   * Generate cache key for permission check (simplified signature)
-   * 
-   * @param userId - User ID
-   * @param permission - Permission string
-   * @param organisationId - Organisation ID (optional)
-   * @param eventId - Event ID (optional)
-   * @param appId - App ID (optional)
-   * @param pageId - Page ID (optional)
-   * @returns String cache key
-   */
-  static generateKey(userId, permission, organisationId, eventId, appId, pageId) {
-    const parts = [
-      "perm",
-      userId,
-      organisationId || "null",
-      eventId || "null",
-      appId || "null",
-      permission || "null",
-      pageId || "null"
-    ];
-    return parts.join(":");
-  }
-  /**
-   * Generate cache key for permission check (object signature)
-   * 
-   * @param key - Permission cache key object
-   * @returns String cache key
-   */
-  static generatePermissionKey(key) {
-    const parts = [
-      "perm",
-      key.userId,
-      key.organisationId || "null",
-      key.eventId || "null",
-      key.appId || "null",
-      key.permission || "null",
-      key.pageId || "null"
-    ];
-    return parts.join(":");
-  }
-  /**
-   * Generate cache key for access level
-   * 
-   * @param userId - User ID
-   * @param organisationId - Organisation ID
-   * @param eventId - Event ID (optional)
-   * @param appId - App ID (optional)
-   * @returns String cache key
-   */
-  static generateAccessLevelKey(userId, organisationId, eventId, appId) {
-    const parts = [
-      "access",
-      userId,
-      organisationId,
-      eventId || "null",
-      appId || "null"
-    ];
-    return parts.join(":");
-  }
-  /**
-   * Generate cache key for permission map
-   * 
-   * @param userId - User ID
-   * @param organisationId - Organisation ID
-   * @param eventId - Event ID (optional)
-   * @param appId - App ID (optional)
-   * @returns String cache key
-   */
-  static generatePermissionMapKey(userId, organisationId, eventId, appId) {
-    const parts = [
-      "map",
-      userId,
-      organisationId,
-      eventId || "null",
-      appId || "null"
-    ];
-    return parts.join(":");
-  }
-};
-var rbacCache = new RBACCache();
-var CACHE_PATTERNS = {
-  USER: (userId) => `:${userId}:`,
-  ORGANISATION: (organisationId) => `:${organisationId}:`,
-  EVENT: (eventId) => `:${eventId}:`,
-  APP: (appId) => `:${appId}`,
-  PERMISSION: (userId, organisationId) => `perm:${userId}:${organisationId}:`
-};
-
-// src/rbac/cache-invalidation.ts
-var INVALIDATION_PATTERNS = {
-  // User-level invalidation
-  USER_ROLES_CHANGED: (userId) => [
-    CACHE_PATTERNS.USER(userId),
-    `perm:${userId}:*`,
-    `access:${userId}:*`,
-    `map:${userId}:*`
-  ],
-  // Organisation-level invalidation
-  ORGANISATION_PERMISSIONS_CHANGED: (organisationId) => [
-    CACHE_PATTERNS.ORGANISATION(organisationId),
-    `perm:*:${organisationId}:*`,
-    `access:*:${organisationId}:*`,
-    `map:*:${organisationId}:*`
-  ],
-  // Event-level invalidation
-  EVENT_PERMISSIONS_CHANGED: (eventId) => [
-    CACHE_PATTERNS.EVENT(eventId),
-    `perm:*:*:${eventId}:*`,
-    `access:*:*:${eventId}:*`,
-    `map:*:*:${eventId}:*`
-  ],
-  // App-level invalidation
-  APP_PERMISSIONS_CHANGED: (appId) => [
-    CACHE_PATTERNS.APP(appId),
-    `perm:*:*:*:${appId}:*`,
-    `access:*:*:*:${appId}`,
-    `map:*:*:*:${appId}`
-  ],
-  // Page-level invalidation
-  PAGE_PERMISSIONS_CHANGED: (pageId) => [
-    `perm:*:*:*:*:${pageId}`,
-    `map:*:*:*:*`
-  ]
-};
-var RBACCacheInvalidationManager = class {
-  constructor(supabase) {
-    this.invalidationCallbacks = /* @__PURE__ */ new Set();
-    this.supabase = supabase;
-    this.setupRealtimeSubscriptions();
-  }
-  /**
-   * Add a callback for cache invalidation events
-   * 
-   * @param callback - Function to call when cache is invalidated
-   * @returns Unsubscribe function
-   */
-  onInvalidation(callback) {
-    this.invalidationCallbacks.add(callback);
-    return () => this.invalidationCallbacks.delete(callback);
-  }
-  /**
-   * Invalidate cache for a specific user
-   * 
-   * @param userId - User ID
-   * @param reason - Reason for invalidation
-   */
-  invalidateUser(userId, reason) {
-    const patterns = INVALIDATION_PATTERNS.USER_ROLES_CHANGED(userId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache for a specific organisation
-   * 
-   * @param organisationId - Organisation ID
-   * @param reason - Reason for invalidation
-   */
-  invalidateOrganisation(organisationId, reason) {
-    const patterns = INVALIDATION_PATTERNS.ORGANISATION_PERMISSIONS_CHANGED(organisationId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache for a specific event
-   * 
-   * @param eventId - Event ID
-   * @param reason - Reason for invalidation
-   */
-  invalidateEvent(eventId, reason) {
-    const patterns = INVALIDATION_PATTERNS.EVENT_PERMISSIONS_CHANGED(eventId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache for a specific app
-   * 
-   * @param appId - App ID
-   * @param reason - Reason for invalidation
-   */
-  invalidateApp(appId, reason) {
-    const patterns = INVALIDATION_PATTERNS.APP_PERMISSIONS_CHANGED(appId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache for a specific page
-   * 
-   * @param pageId - Page ID
-   * @param reason - Reason for invalidation
-   */
-  invalidatePage(pageId, reason) {
-    const patterns = INVALIDATION_PATTERNS.PAGE_PERMISSIONS_CHANGED(pageId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache patterns and notify callbacks
-   * 
-   * @param patterns - Array of cache patterns to invalidate
-   * @param reason - Reason for invalidation
-   */
-  invalidatePatterns(patterns, reason) {
-    console.log(`[RBAC Cache] Invalidating patterns: ${patterns.join(", ")} (${reason})`);
-    patterns.forEach((pattern) => {
-      rbacCache.invalidate(pattern);
-    });
-    this.invalidationCallbacks.forEach((callback) => {
-      patterns.forEach((pattern) => callback(pattern));
-    });
-    emitAuditEvent({
-      type: "permission_check",
-      userId: "system",
-      organisationId: "00000000-0000-0000-0000-000000000000",
-      permission: "cache:invalidate",
-      decision: true,
-      source: "api",
-      duration_ms: 0,
-      metadata: {
-        reason,
-        patterns,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-        cache_invalidation: true
-      }
-    }).catch((error) => {
-      console.warn("[RBAC Cache] Failed to log cache invalidation audit event:", error);
-    });
-  }
-  /**
-   * Setup realtime subscriptions for automatic cache invalidation
-   */
-  setupRealtimeSubscriptions() {
-    if (!this.supabase.channel || typeof this.supabase.channel !== "function") {
-      console.log("[RBAC Cache] Realtime not available, skipping subscriptions");
-      return;
-    }
-    this.supabase.channel("rbac_organisation_roles_changes").on("postgres_changes", {
-      event: "*",
-      schema: "public",
-      table: "rbac_organisation_roles"
-    }, (payload) => {
-      const { organisation_id, user_id } = payload.new || payload.old || {};
-      if (organisation_id) {
-        this.invalidateOrganisation(organisation_id, `organisation_role_${payload.eventType}`);
-      }
-      if (user_id) {
-        this.invalidateUser(user_id, `organisation_role_${payload.eventType}`);
-      }
-    }).subscribe();
-    this.supabase.channel("rbac_event_app_roles_changes").on("postgres_changes", {
-      event: "*",
-      schema: "public",
-      table: "rbac_event_app_roles"
-    }, (payload) => {
-      const { organisation_id, user_id, event_id, app_id } = payload.new || payload.old || {};
-      if (organisation_id) {
-        this.invalidateOrganisation(organisation_id, `event_app_role_${payload.eventType}`);
-      }
-      if (user_id) {
-        this.invalidateUser(user_id, `event_app_role_${payload.eventType}`);
-      }
-      if (event_id) {
-        this.invalidateEvent(event_id, `event_app_role_${payload.eventType}`);
-      }
-      if (app_id) {
-        this.invalidateApp(app_id, `event_app_role_${payload.eventType}`);
-      }
-    }).subscribe();
-    this.supabase.channel("rbac_global_roles_changes").on("postgres_changes", {
-      event: "*",
-      schema: "public",
-      table: "rbac_global_roles"
-    }, (payload) => {
-      const { user_id } = payload.new || payload.old || {};
-      if (user_id) {
-        this.invalidateUser(user_id, `global_role_${payload.eventType}`);
-      }
-    }).subscribe();
-    this.supabase.channel("rbac_page_permissions_changes").on("postgres_changes", {
-      event: "*",
-      schema: "public",
-      table: "rbac_page_permissions"
-    }, (payload) => {
-      const { organisation_id, app_page_id, role_id } = payload.new || payload.old || {};
-      if (organisation_id) {
-        this.invalidateOrganisation(organisation_id, `page_permission_${payload.eventType}`);
-      }
-      if (app_page_id) {
-        this.invalidatePage(app_page_id, `page_permission_${payload.eventType}`);
-      }
-    }).subscribe();
-  }
-  /**
-   * Manually trigger cache invalidation for all users in an organisation
-   * 
-   * @param organisationId - Organisation ID
-   * @param reason - Reason for invalidation
-   */
-  async invalidateAllUsersInOrganisation(organisationId, reason) {
-    const { data: users } = await this.supabase.from("rbac_organisation_roles").select("user_id").eq("organisation_id", organisationId).eq("is_active", true);
-    if (users) {
-      users.forEach(({ user_id }) => {
-        this.invalidateUser(user_id, reason);
-      });
-    }
-  }
-  /**
-   * Clear all cache entries
-   */
-  clearAllCache() {
-    console.log("[RBAC Cache] Clearing all cache entries");
-    rbacCache.clear();
-  }
-};
-var globalCacheInvalidationManager = null;
-function initializeCacheInvalidation(supabase) {
-  globalCacheInvalidationManager = new RBACCacheInvalidationManager(supabase);
-  return globalCacheInvalidationManager;
-}
-
-// src/rbac/errors.ts
-var RATE_LIMIT_STATUS_CODES = /* @__PURE__ */ new Set([429]);
-var AUTH_STATUS_CODES = /* @__PURE__ */ new Set([401]);
-var AUTHZ_STATUS_CODES = /* @__PURE__ */ new Set([403]);
-function normalize(value) {
-  if (!value) {
-    return "";
-  }
-  if (typeof value === "string") {
-    return value.toLowerCase();
-  }
-  if (value instanceof Error && typeof value.message === "string") {
-    return value.message.toLowerCase();
-  }
-  return String(value).toLowerCase();
-}
-function categorizeError(error) {
-  if (error instanceof PermissionDeniedError) {
-    return "authorization_error" /* AUTHORIZATION */;
-  }
-  if (error instanceof OrganisationContextRequiredError || error instanceof InvalidScopeError) {
-    return "validation_error" /* VALIDATION */;
-  }
-  if (error instanceof MissingUserContextError) {
-    return "authentication_error" /* AUTHENTICATION */;
-  }
-  if (error instanceof RBACError) {
-    switch (error.code) {
-      case "PERMISSION_DENIED":
-        return "authorization_error" /* AUTHORIZATION */;
-      case "ORGANISATION_CONTEXT_REQUIRED":
-      case "INVALID_SCOPE":
-        return "validation_error" /* VALIDATION */;
-      case "MISSING_USER_CONTEXT":
-        return "authentication_error" /* AUTHENTICATION */;
-      default:
-        break;
-    }
-  }
-  if (error && typeof error === "object") {
-    const status = error.status;
-    if (typeof status === "number") {
-      if (RATE_LIMIT_STATUS_CODES.has(status)) {
-        return "rate_limit_error" /* RATE_LIMIT */;
-      }
-      if (AUTH_STATUS_CODES.has(status)) {
-        return "authentication_error" /* AUTHENTICATION */;
-      }
-      if (AUTHZ_STATUS_CODES.has(status)) {
-        return "authorization_error" /* AUTHORIZATION */;
-      }
-      if (status >= 500) {
-        return "database_error" /* DATABASE */;
-      }
-    }
-    const codeValue = normalize(error.code);
-    if (codeValue) {
-      if (codeValue.includes("network")) {
-        return "network_error" /* NETWORK */;
-      }
-      if (codeValue.includes("postgres") || codeValue.includes("database") || codeValue.includes("db")) {
-        return "database_error" /* DATABASE */;
-      }
-      if (codeValue.includes("rate")) {
-        return "rate_limit_error" /* RATE_LIMIT */;
-      }
-      if (codeValue.includes("auth")) {
-        return "authentication_error" /* AUTHENTICATION */;
-      }
-      if (codeValue.includes("permission")) {
-        return "authorization_error" /* AUTHORIZATION */;
-      }
-      if (codeValue.includes("scope") || codeValue.includes("invalid")) {
-        return "validation_error" /* VALIDATION */;
-      }
-    }
-  }
-  const message = normalize(error);
-  if (message.includes("timeout") || message.includes("network") || message.includes("fetch")) {
-    return "network_error" /* NETWORK */;
-  }
-  if (message.includes("postgres") || message.includes("database") || message.includes("connection")) {
-    return "database_error" /* DATABASE */;
-  }
-  if (message.includes("rate limit") || message.includes("too many requests")) {
-    return "rate_limit_error" /* RATE_LIMIT */;
-  }
-  if (message.includes("permission") || message.includes("forbidden")) {
-    return "authorization_error" /* AUTHORIZATION */;
-  }
-  if (message.includes("auth") || message.includes("token") || message.includes("session")) {
-    return "authentication_error" /* AUTHENTICATION */;
-  }
-  if (message.includes("invalid") || message.includes("scope") || message.includes("validation")) {
-    return "validation_error" /* VALIDATION */;
-  }
-  return "unknown_error" /* UNKNOWN */;
-}
-function mapErrorCategoryToSecurityEventType(category) {
-  switch (category) {
-    case "authorization_error" /* AUTHORIZATION */:
-      return "permission_denied";
-    case "network_error" /* NETWORK */:
-      return "network_error";
-    case "database_error" /* DATABASE */:
-      return "database_error";
-    case "validation_error" /* VALIDATION */:
-      return "validation_error";
-    case "rate_limit_error" /* RATE_LIMIT */:
-      return "rate_limit_error";
-    case "authentication_error" /* AUTHENTICATION */:
-      return "authentication_error";
-    case "unknown_error" /* UNKNOWN */:
-    default:
-      return "unknown_error";
-  }
-}
-
-// src/rbac/security.ts
-var RBACSecurityValidator = class {
-  /**
-   * Validate permission string format
-   * @param permission - Permission string to validate
-   * @returns True if valid, false otherwise
-   */
-  static validatePermission(permission) {
-    if (typeof permission !== "string" || permission.length === 0) {
-      return false;
-    }
-    const permissionRegex = /^(read|create|update|delete):[a-z0-9._-]+$/;
-    return permissionRegex.test(permission);
-  }
-  /**
-   * Validate UUID format
-   * @param uuid - UUID string to validate
-   * @returns True if valid, false otherwise
-   */
-  static validateUUID(uuid) {
-    if (typeof uuid !== "string" || uuid.length === 0) {
-      return false;
-    }
-    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-    return uuidRegex.test(uuid);
-  }
-  /**
-   * Validate scope object
-   * @param scope - Scope object to validate
-   * @returns True if valid, false otherwise
-   */
-  static validateScope(scope) {
-    if (!scope || typeof scope !== "object") {
-      return false;
-    }
-    if (scope.organisationId !== void 0) {
-      if (typeof scope.organisationId === "string" && scope.organisationId.trim() === "") {
-        return false;
-      }
-      if (scope.organisationId && !this.validateUUID(scope.organisationId)) {
-        return false;
-      }
-    }
-    if (scope.eventId && typeof scope.eventId !== "string") {
-      return false;
-    }
-    if (scope.appId && !this.validateUUID(scope.appId)) {
-      return false;
-    }
-    return !!(scope.organisationId || scope.eventId || scope.appId);
-  }
-  /**
-   * Sanitize input string to prevent injection attacks
-   * @param input - Input string to sanitize
-   * @returns Sanitized string
-   */
-  static sanitizeInput(input) {
-    if (typeof input !== "string") {
-      return "";
-    }
-    return input.replace(/<[^>]*>/g, "").replace(/[<>\"'&]/g, "").replace(/[;()]/g, "").replace(/javascript:/gi, "").replace(/data:/gi, "").trim();
-  }
-  /**
-   * Validate user ID format
-   * @param userId - User ID to validate
-   * @returns True if valid, false otherwise
-   */
-  static validateUserId(userId) {
-    return this.validateUUID(userId);
-  }
-  /**
-   * Check if permission is a wildcard permission
-   * @param permission - Permission string to check
-   * @returns True if wildcard, false otherwise
-   */
-  static isWildcardPermission(permission) {
-    return permission.includes("*") || permission.endsWith(":*");
-  }
-  /**
-   * Validate permission hierarchy
-   * @param permission - Permission to validate
-   * @param requiredOperation - Required operation
-   * @returns True if permission matches or is higher in hierarchy
-   */
-  static validatePermissionHierarchy(permission, requiredOperation) {
-    if (!this.validatePermission(permission)) {
-      return false;
-    }
-    const [operation] = permission.split(":");
-    const hierarchy = ["read", "create", "update", "delete"];
-    const permissionLevel = hierarchy.indexOf(operation);
-    const requiredLevel = hierarchy.indexOf(requiredOperation);
-    if (permissionLevel === -1 || requiredLevel === -1) {
-      return false;
-    }
-    return permissionLevel >= requiredLevel;
-  }
-  /**
-   * Rate limiting check (placeholder for future implementation)
-   * @param userId - User ID
-   * @param operation - Operation being performed
-   * @returns True if within rate limit, false otherwise
-   */
-  static async checkRateLimit(userId, operation) {
-    return true;
-  }
-  /**
-   * Validate context requirements for security
-   * @param scope - Scope object
-   * @param appId - Application ID
-   * @returns True if context is valid, false otherwise
-   */
-  static validateContextRequirements(scope, appId) {
-    if (!scope.organisationId) {
-      return false;
-    }
-    if (appId && scope.appId === appId) {
-      if (!scope.eventId) {
-        return false;
-      }
-    }
-    return true;
-  }
-  /**
-   * Log security event for monitoring
-   * @param event - Security event details
-   */
-  static logSecurityEvent(event) {
-    const securityEvent = {
-      ...event,
-      timestamp: event.timestamp || /* @__PURE__ */ new Date(),
-      severity: this.getEventSeverity(event.type)
-    };
-    if (import.meta.env.MODE === "development") {
-      console.warn("[RBAC Security]", securityEvent);
-    }
-  }
-  /**
-   * Get severity level for security event
-   * @param eventType - Type of security event
-   * @returns Severity level
-   */
-  static getEventSeverity(eventType) {
-    switch (eventType) {
-      case "permission_denied":
-        return "low";
-      case "invalid_input":
-      case "rate_limit_exceeded":
-      case "rate_limit_error":
-      case "network_error":
-        return "medium";
-      case "validation_error":
-        return "high";
-      case "authentication_error":
-      case "database_error":
-        return "critical";
-      case "suspicious_activity":
-      case "unknown_error":
-        return "high";
-      default:
-        return "low";
-    }
-  }
-};
-var DEFAULT_SECURITY_CONFIG = {
-  enableInputValidation: true,
-  enableRateLimiting: true,
-  enableAuditLogging: true,
-  maxPermissionChecksPerMinute: 1e3,
-  // Increased from 100 to 1000 for normal app usage
-  suspiciousActivityThreshold: 10
-};
-var RBACSecurityMiddleware = class {
-  constructor(config = DEFAULT_SECURITY_CONFIG) {
-    /**
-     * In-memory rate limiting cache (sliding window)
-     * Note: For production, this should use Redis or Supabase Edge Functions
-     */
-    this.rateLimitCache = /* @__PURE__ */ new Map();
-    this.config = config;
-    this._startCleanupInterval();
-  }
-  /**
-   * Start periodic cleanup of expired entries
-   */
-  _startCleanupInterval() {
-    setInterval(() => {
-      this.clearExpiredEntries();
-    }, 5 * 60 * 1e3);
-  }
-  /**
-   * Validate input before processing
-   * @param input - Input to validate
-   * @param context - Security context
-   * @returns Validation result
-   */
-  async validateInput(input, context) {
-    const errors = [];
-    if (!RBACSecurityValidator.validateUserId(context.userId)) {
-      errors.push("Invalid user ID format");
-    }
-    if (!context.organisationId) {
-      errors.push("Organisation ID is required");
-    } else if (!RBACSecurityValidator.validateUUID(context.organisationId)) {
-      errors.push("Invalid organisation ID format");
-    }
-    if (input.permission && !RBACSecurityValidator.validatePermission(input.permission)) {
-      errors.push("Invalid permission format");
-    }
-    if (input.scope && !RBACSecurityValidator.validateScope(input.scope)) {
-      errors.push("Invalid scope format");
-    }
-    if (this.config.enableInputValidation) {
-      if (context.ipAddress && typeof context.ipAddress !== "string") {
-        errors.push("Invalid IP address format");
-      }
-      if (context.userAgent && typeof context.userAgent !== "string") {
-        errors.push("Invalid user agent format");
-      }
-    }
-    if (errors.length > 0) {
-      RBACSecurityValidator.logSecurityEvent({
-        type: "invalid_input",
-        userId: context.userId,
-        details: { errors, input: this.sanitizeInput(JSON.stringify(input)) }
-      });
-    }
-    return {
-      isValid: errors.length === 0,
-      errors
-    };
-  }
-  /**
-   * Check rate limiting
-   * @param context - Security context
-   * @returns Rate limit check result
-   */
-  async checkRateLimit(context) {
-    if (!this.config.enableRateLimiting) {
-      return { isAllowed: true, remaining: this.config.maxPermissionChecksPerMinute };
-    }
-    const isAllowed = await this._checkRateLimitInternal(context.userId);
-    const remaining = isAllowed ? this.config.maxPermissionChecksPerMinute - this._getRequestCount(context.userId) : 0;
-    return {
-      isAllowed,
-      remaining: Math.max(0, remaining)
-    };
-  }
-  async _checkRateLimitInternal(userId) {
-    const now = Date.now();
-    const windowMs = 60 * 1e3;
-    const entries = this.rateLimitCache.get(userId) || [];
-    const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
-    const requestCount = validEntries.length;
-    const isAllowed = requestCount < this.config.maxPermissionChecksPerMinute;
-    if (isAllowed) {
-      validEntries.push({ timestamp: now });
-    }
-    this.rateLimitCache.set(userId, validEntries);
-    return isAllowed;
-  }
-  _getRequestCount(userId) {
-    const now = Date.now();
-    const windowMs = 60 * 1e3;
-    const entries = this.rateLimitCache.get(userId) || [];
-    const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
-    return validEntries.length;
-  }
-  /**
-   * Clear old rate limit entries to prevent memory leaks
-   * Should be called periodically (e.g., every 5 minutes)
-   */
-  clearExpiredEntries() {
-    const now = Date.now();
-    const windowMs = 60 * 1e3;
-    for (const [userId, entries] of this.rateLimitCache.entries()) {
-      const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
-      if (validEntries.length === 0) {
-        this.rateLimitCache.delete(userId);
-      } else {
-        this.rateLimitCache.set(userId, validEntries);
-      }
-    }
-  }
-  /**
-   * Sanitize input data
-   * @param input - Input to sanitize
-   * @returns Sanitized input
-   */
-  sanitizeInput(input) {
-    return RBACSecurityValidator.sanitizeInput(input);
-  }
-};
-
-// src/rbac/engine.ts
-var RBACEngine = class {
-  constructor(supabase, securityConfig) {
-    this.supabase = supabase;
-    const mergedSecurityConfig = {
-      ...DEFAULT_SECURITY_CONFIG,
-      ...securityConfig
-    };
-    this.securityMiddleware = new RBACSecurityMiddleware(mergedSecurityConfig);
-    initializeCacheInvalidation(supabase);
-  }
-  /**
-   * Check if a user has a specific permission
-   * 
-   * This method now delegates to the database RPC function for all the heavy lifting.
-   * 
-   * @param input - Permission check input
-   * @param securityContext - Security context for validation (required)
-   * @returns Promise resolving to permission result
-   */
-  async isPermitted(input, securityContext) {
-    const startTime = Date.now();
-    const { userId, permission, scope, pageId } = input;
-    let cacheHit = false;
-    let cacheSource = "rpc";
-    try {
-      const validation = await this.securityMiddleware.validateInput(input, securityContext);
-      if (!validation.isValid) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "invalid_input",
-          userId,
-          details: { errors: validation.errors, input: JSON.stringify(input) }
-        });
-        return false;
-      }
-      const rateLimit = await this.securityMiddleware.checkRateLimit(securityContext);
-      if (!rateLimit.isAllowed) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "rate_limit_exceeded",
-          userId,
-          details: { remaining: rateLimit.remaining }
-        });
-        return false;
-      }
-      if (!RBACSecurityValidator.validateUserId(userId)) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "invalid_input",
-          userId,
-          details: { error: "Invalid user ID format" }
-        });
-        return false;
-      }
-      if (!RBACSecurityValidator.validatePermission(permission)) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "invalid_input",
-          userId,
-          details: { error: "Invalid permission format", permission }
-        });
-        return false;
-      }
-      if (!RBACSecurityValidator.validateScope(scope)) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "invalid_input",
-          userId,
-          details: { error: "Invalid scope format", scope }
-        });
-        return false;
-      }
-      const cacheKey = RBACCache.generateKey(
-        userId,
-        permission,
-        scope.organisationId,
-        scope.eventId,
-        scope.appId,
-        pageId
-      );
-      const cached = rbacCache.get(cacheKey);
-      if (cached !== null) {
-        cacheHit = true;
-        cacheSource = "memory";
-        const duration2 = Date.now() - startTime;
-        if (scope.organisationId) {
-          const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
-          await emitAuditEvent({
-            type: "permission_check",
-            userId,
-            organisationId: scope.organisationId,
-            eventId: scope.eventId,
-            appId: scope.appId,
-            pageId: resolvedPageId,
-            permission,
-            decision: cached,
-            source: "api",
-            duration_ms: duration2,
-            cache_hit: true,
-            cache_source: "memory"
-          });
-        }
-        return cached;
-      }
-      const { data, error } = await this.supabase.rpc("rbac_check_permission_simplified", {
-        p_user_id: userId,
-        p_permission: permission,
-        p_organisation_id: scope.organisationId || void 0,
-        p_event_id: scope.eventId || void 0,
-        p_app_id: scope.appId || void 0,
-        p_page_id: pageId || void 0
-      });
-      if (error) {
-        console.error("[RBACEngine] RPC error:", error);
-        const category = categorizeError(error);
-        const eventType = mapErrorCategoryToSecurityEventType(category);
-        const errorDetails = error;
-        RBACSecurityValidator.logSecurityEvent({
-          type: eventType,
-          userId,
-          details: {
-            error: errorDetails?.message || "RPC call failed",
-            code: errorDetails?.code,
-            hint: errorDetails?.hint,
-            details: errorDetails?.details,
-            permission,
-            scope: JSON.stringify(scope),
-            category
-          }
-        });
-        return false;
-      }
-      const hasPermission2 = data === true;
-      rbacCache.set(cacheKey, hasPermission2, 6e4);
-      const duration = Date.now() - startTime;
-      if (scope.organisationId) {
-        const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
-        await emitAuditEvent({
-          type: hasPermission2 ? "permission_check" : "permission_denied",
-          userId,
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId,
-          pageId: resolvedPageId,
-          permission,
-          decision: hasPermission2,
-          source: "api",
-          duration_ms: duration,
-          cache_hit: cacheHit,
-          cache_source: cacheSource
-        });
-      }
-      return hasPermission2;
-    } catch (error) {
-      const category = categorizeError(error);
-      const eventType = mapErrorCategoryToSecurityEventType(category);
-      const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      RBACSecurityValidator.logSecurityEvent({
-        type: eventType,
-        userId,
-        details: {
-          error: errorMessage,
-          permission,
-          scope: JSON.stringify(scope),
-          category
-        }
-      });
-      console.error("[RBACEngine] Permission check failed:", error);
-      return false;
-    }
-  }
-  /**
-   * Get user's access level in a scope
-   * 
-   * This is derived from roles, not permissions.
-   * 
-   * @param input - Access level input
-   * @returns Promise resolving to access level
-   */
-  async getAccessLevel(input) {
-    const { userId, scope } = input;
-    const cacheKey = RBACCache.generateAccessLevelKey(
-      userId,
-      scope.organisationId || "",
-      scope.eventId,
-      scope.appId
-    );
-    const cached = rbacCache.get(cacheKey);
-    if (cached) {
-      return cached;
-    }
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
-    if (isSuperAdmin2) {
-      rbacCache.set(cacheKey, "super", 6e4);
-      return "super";
-    }
-    if (scope.organisationId) {
-      const { data: orgRole } = await this.supabase.from("rbac_organisation_roles").select("role").eq("user_id", userId).eq("organisation_id", scope.organisationId).eq("status", "active").is("revoked_at", null).lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).single();
-      if (orgRole?.role === "org_admin") {
-        rbacCache.set(cacheKey, "admin", 6e4);
-        return "admin";
-      }
-    }
-    if (scope.eventId && scope.appId) {
-      const { data: eventRole } = await this.supabase.from("rbac_event_app_roles").select("role").eq("user_id", userId).eq("event_id", scope.eventId).eq("app_id", scope.appId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).single();
-      if (eventRole?.role === "event_admin") {
-        rbacCache.set(cacheKey, "admin", 6e4);
-        return "admin";
-      }
-      if (eventRole?.role === "planner") {
-        rbacCache.set(cacheKey, "planner", 6e4);
-        return "planner";
-      }
-      if (eventRole?.role === "participant") {
-        rbacCache.set(cacheKey, "participant", 6e4);
-        return "participant";
-      }
-    }
-    rbacCache.set(cacheKey, "viewer", 6e4);
-    return "viewer";
-  }
-  /**
-   * Get user's permission map for a scope
-   * 
-   * This builds a map of page IDs to allowed operations.
-   * Uses the simplified RPC for each permission check.
-   * 
-   * @param input - Permission map input
-   * @returns Promise resolving to permission map
-   */
-  async getPermissionMap(input) {
-    const { userId, scope } = input;
-    const cacheKey = RBACCache.generatePermissionMapKey(
-      userId,
-      scope.organisationId || "",
-      scope.eventId,
-      scope.appId
-    );
-    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
-    if (isSuperAdmin2) {
-      const wildcardMap = { "*": true };
-      rbacCache.set(cacheKey, wildcardMap, 6e4);
-      return wildcardMap;
-    }
-    if (!scope.organisationId) {
-      return {};
-    }
-    const cached = rbacCache.get(cacheKey);
-    if (cached) {
-      return cached;
-    }
-    const permissionMap = {};
-    if (scope.appId) {
-      const { data: pages } = await this.supabase.from("rbac_app_pages").select("id, page_name").eq("app_id", scope.appId);
-      if (pages) {
-        if (!scope.organisationId) {
-          rbacCache.set(cacheKey, permissionMap, 6e4);
-          return permissionMap;
-        }
-        const securityContext = {
-          userId,
-          organisationId: scope.organisationId,
-          // Required
-          timestamp: /* @__PURE__ */ new Date()
-        };
-        for (const page of pages) {
-          for (const operation of ["read", "create", "update", "delete"]) {
-            const permissionString = `${operation}:page.${page.page_name}`;
-            const hasPermission2 = await this.isPermitted(
-              {
-                userId,
-                scope,
-                permission: permissionString,
-                pageId: page.id
-              },
-              securityContext
-            );
-            const permissionKey = permissionString;
-            permissionMap[permissionKey] = hasPermission2;
-          }
-        }
-      }
-    }
-    rbacCache.set(cacheKey, permissionMap, 6e4);
-    return permissionMap;
-  }
-  async resolveAppContext(input) {
-    try {
-      const { userId, appName } = input;
-      const { data, error } = await this.supabase.rpc("util_app_resolve", {
-        p_user_id: userId,
-        p_app_name: appName
-      });
-      if (error) {
-        console.error("[RBACEngine] Failed to resolve app context:", error);
-        return null;
-      }
-      if (!data || data.length === 0) {
-        return null;
-      }
-      const appData = data[0];
-      if (!appData?.app_id) {
-        return null;
-      }
-      return {
-        appId: appData.app_id,
-        hasAccess: appData.has_access !== false
-      };
-    } catch (error) {
-      console.error("[RBACEngine] Unexpected error resolving app context:", error);
-      return null;
-    }
-  }
-  async getRoleContext(input) {
-    const result = {
-      globalRole: null,
-      organisationRole: null,
-      eventAppRole: null
-    };
-    try {
-      const { userId, scope } = input;
-      const { data, error } = await this.supabase.rpc("rbac_permissions_get", {
-        p_user_id: userId,
-        p_organisation_id: scope.organisationId || null,
-        p_event_id: scope.eventId || null,
-        p_app_id: scope.appId || null,
-        p_page_id: null
-        // Optional: can filter to specific page if needed
-      });
-      if (error) {
-        console.error("[RBACEngine] Failed to load role context:", error);
-        return result;
-      }
-      if (!Array.isArray(data)) {
-        return result;
-      }
-      for (const permission of data) {
-        if (permission.permission_type === "all_permissions") {
-          result.globalRole = "super_admin";
-        }
-        if (permission.permission_type === "organisation_access") {
-          result.organisationRole = permission.role_name;
-        }
-        if (permission.permission_type === "event_app_access") {
-          result.eventAppRole = permission.role_name;
-        }
-      }
-      return result;
-    } catch (error) {
-      console.error("[RBACEngine] Unexpected error loading role context:", error);
-      return result;
-    }
-  }
-  /**
-   * Check if user is super admin
-   * 
-   * @param userId - User ID
-   * @returns Promise resolving to super admin status
-   */
-  async checkSuperAdmin(userId) {
-    const cacheKey = `super_admin:${userId}`;
-    const cached = rbacCache.get(cacheKey);
-    if (cached !== null) {
-      return cached;
-    }
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const { data, error } = await this.supabase.from("rbac_global_roles").select("role").eq("user_id", userId).eq("role", "super_admin").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).limit(1);
-    const isSuperAdmin2 = !error && data && data.length > 0;
-    rbacCache.set(cacheKey, isSuperAdmin2, 6e4);
-    return Boolean(isSuperAdmin2);
-  }
-  /**
-   * Resolve a page ID to UUID if it's a page name
-   * 
-   * @param pageId - Page ID (UUID) or page name (string)
-   * @param appId - App ID to look up the page
-   * @returns Resolved page ID (UUID) or original pageId
-   */
-  async resolvePageId(pageId, appId) {
-    if (!pageId) {
-      return void 0;
-    }
-    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-    if (uuidRegex.test(pageId)) {
-      return pageId;
-    }
-    if (!appId) {
-      return pageId;
-    }
-    try {
-      const { data: page } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).single();
-      return page?.id || pageId;
-    } catch (error) {
-      console.warn("[RBAC Engine] Failed to resolve page name to UUID:", { pageId, appId, error });
-      return pageId;
-    }
-  }
-};
-function createRBACEngine(supabase, securityConfig) {
-  return new RBACEngine(supabase, securityConfig);
-}
-
-// src/rbac/config.ts
-var RBACConfigManager = class {
-  constructor() {
-    this.config = null;
-    this.logger = null;
-  }
-  setConfig(config) {
-    this.config = config;
-    this.setupLogger();
-  }
-  getConfig() {
-    return this.config;
-  }
-  getLogger() {
-    if (!this.logger) {
-      this.logger = this.createDefaultLogger();
-    }
-    return this.logger;
-  }
-  setupLogger() {
-    if (!this.config) return;
-    const { debug = false, logLevel = "warn" } = this.config;
-    this.logger = {
-      error: (message, ...args) => {
-        console.error(`[RBAC ERROR] ${message}`, ...args);
-      },
-      warn: (message, ...args) => {
-        if (logLevel === "warn" || logLevel === "info" || logLevel === "debug") {
-          console.warn(`[RBAC WARN] ${message}`, ...args);
-        }
-      },
-      info: (message, ...args) => {
-        if (logLevel === "info" || logLevel === "debug") {
-          console.info(`[RBAC INFO] ${message}`, ...args);
-        }
-      },
-      debug: (message, ...args) => {
-        if (debug && logLevel === "debug") {
-          console.debug(`[RBAC DEBUG] ${message}`, ...args);
-        }
-      }
-    };
-  }
-  createDefaultLogger() {
-    return {
-      error: (message, ...args) => console.error(`[RBAC ERROR] ${message}`, ...args),
-      warn: (message, ...args) => console.warn(`[RBAC WARN] ${message}`, ...args),
-      info: (message, ...args) => console.info(`[RBAC INFO] ${message}`, ...args),
-      debug: (message, ...args) => console.debug(`[RBAC DEBUG] ${message}`, ...args)
-    };
-  }
-  isDebugMode() {
-    return this.config?.debug ?? false;
-  }
-  isDevelopmentMode() {
-    return this.config?.developmentMode ?? false;
-  }
-  getMockPermissions() {
-    return this.config?.mockPermissions ?? null;
-  }
-};
-var configManager = new RBACConfigManager();
-function createRBACConfig(config) {
-  configManager.setConfig(config);
-  return config;
-}
-function getRBACConfig() {
-  return configManager.getConfig();
-}
-function getRBACLogger() {
-  return configManager.getLogger();
-}
-function isDebugMode() {
-  return configManager.isDebugMode();
-}
-function isDevelopmentMode() {
-  return configManager.isDevelopmentMode();
-}
-
-// src/rbac/api.ts
-var globalEngine = null;
-function setupRBAC(supabase, config) {
-  const logger = getRBACLogger();
-  const fullConfig = {
-    supabase,
-    debug: import.meta.env.MODE === "development",
-    logLevel: "warn",
-    developmentMode: import.meta.env.MODE === "development",
-    ...config
-  };
-  createRBACConfig(fullConfig);
-  globalEngine = createRBACEngine(supabase, config?.security);
-  const auditManager = createAuditManager(supabase);
-  setGlobalAuditManager(auditManager);
-  logger.info("RBAC system initialized successfully");
-}
-function getEngine() {
-  if (!globalEngine) {
-    throw new RBACNotInitializedError();
-  }
-  return globalEngine;
-}
-async function getAccessLevel(input) {
-  const engine = getEngine();
-  return engine.getAccessLevel(input);
-}
-async function getPermissionMap(input) {
-  const engine = getEngine();
-  return engine.getPermissionMap(input);
-}
-async function resolveAppContext(input) {
-  const engine = getEngine();
-  return engine.resolveAppContext(input);
-}
-async function getRoleContext(input) {
-  const engine = getEngine();
-  return engine.getRoleContext(input);
-}
-async function isPermitted(input) {
-  const engine = getEngine();
-  if (!input.scope.organisationId) {
-    throw new OrganisationContextRequiredError();
-  }
-  const securityContext = {
-    userId: input.userId,
-    organisationId: input.scope.organisationId,
-    // Required - no fallback
-    timestamp: /* @__PURE__ */ new Date()
-    // Optional fields can be omitted
-  };
-  return engine.isPermitted(input, securityContext);
-}
-async function isPermittedCached(input) {
-  const { userId, scope, permission, pageId } = input;
-  const cacheKey = RBACCache.generatePermissionKey({
-    userId,
-    organisationId: scope.organisationId,
-    eventId: scope.eventId,
-    appId: scope.appId,
-    permission,
-    pageId
-  });
-  const cached = rbacCache.get(cacheKey);
-  if (cached !== null) {
-    return cached;
-  }
-  const result = await isPermitted(input);
-  rbacCache.set(cacheKey, result);
-  return result;
-}
-async function hasPermission(input) {
-  return isPermitted(input);
-}
-async function hasAnyPermission(input) {
-  const { permissions, ...baseInput } = input;
-  for (const permission of permissions) {
-    const hasPermission2 = await isPermitted({
-      ...baseInput,
-      permission
-    });
-    if (hasPermission2) {
-      return true;
-    }
-  }
-  return false;
-}
-async function hasAllPermissions(input) {
-  const { permissions, ...baseInput } = input;
-  for (const permission of permissions) {
-    const hasPermission2 = await isPermitted({
-      ...baseInput,
-      permission
-    });
-    if (!hasPermission2) {
-      return false;
-    }
-  }
-  return true;
-}
-async function isSuperAdmin(userId) {
-  const engine = getEngine();
-  return engine["checkSuperAdmin"](userId);
-}
-async function getAppConfig(appId) {
-  console.warn("[RBAC] getAppConfig called without Supabase client - returning null");
-  return null;
-}
-async function getAppConfigWithClient(client, appId) {
-  try {
-    const { data, error } = await client.from("rbac_apps").select("requires_event").eq("id", appId).eq("is_active", true).single();
-    if (error || !data) {
-      return null;
-    }
-    return { requires_event: data.requires_event };
-  } catch (err) {
-    console.error("[RBAC] Error fetching app config:", err);
-    return null;
-  }
-}
-async function isOrganisationAdmin(userId, organisationId) {
-  const accessLevel = await getAccessLevel({
-    userId,
-    scope: { organisationId }
-  });
-  return accessLevel === "admin" || accessLevel === "super";
-}
-async function isEventAdmin(userId, scope) {
-  if (!scope.eventId || !scope.appId) {
-    return false;
-  }
-  const accessLevel = await getAccessLevel({ userId, scope });
-  return accessLevel === "admin" || accessLevel === "super";
-}
-function invalidateUserCache(userId, organisationId) {
-  const patterns = organisationId ? [
-    CACHE_PATTERNS.PERMISSION(userId, organisationId),
-    `access:${userId}:${organisationId}:`,
-    `map:${userId}:${organisationId}:`
-  ] : [
-    `perm:${userId}:`,
-    `access:${userId}:`,
-    `map:${userId}:`
-  ];
-  patterns.forEach((pattern) => rbacCache.invalidate(pattern));
-}
-function invalidateOrganisationCache(organisationId) {
-  rbacCache.invalidate(CACHE_PATTERNS.ORGANISATION(organisationId));
-}
-function invalidateEventCache(eventId) {
-  rbacCache.invalidate(CACHE_PATTERNS.EVENT(eventId));
-}
-function invalidateAppCache(appId) {
-  rbacCache.invalidate(CACHE_PATTERNS.APP(appId));
-}
-function clearCache() {
-  rbacCache.clear();
-}
-
-export {
-  createRBACConfig,
-  getRBACConfig,
-  getRBACLogger,
-  isDebugMode,
-  isDevelopmentMode,
-  OrganisationContextRequiredError,
-  RBACCache,
-  rbacCache,
-  CACHE_PATTERNS,
-  RBACEngine,
-  createRBACEngine,
-  setupRBAC,
-  getAccessLevel,
-  getPermissionMap,
-  resolveAppContext,
-  getRoleContext,
-  isPermitted,
-  isPermittedCached,
-  hasPermission,
-  hasAnyPermission,
-  hasAllPermissions,
-  isSuperAdmin,
-  getAppConfig,
-  getAppConfigWithClient,
-  isOrganisationAdmin,
-  isEventAdmin,
-  invalidateUserCache,
-  invalidateOrganisationCache,
-  invalidateEventCache,
-  invalidateAppCache,
-  clearCache
-};
-//# sourceMappingURL=chunk-WP5I5GLN.js.map