@jmruthers/pace-core 0.5.181 → 0.5.182

package/{src/utils/secureStorage.ts → dist/chunk-VBXEHIUJ.js}

@@ -1,41 +1,101 @@
+import {
+  createLogger
+} from "./chunk-PWLANIRT.js";
 
-/**
- * @file Secure Storage Utilities
- * @description Encrypted storage wrapper for sensitive data
- */
-
-export interface SecureStorageOptions {
-  encrypt?: boolean;
-  expiry?: number; // TTL in milliseconds
+// src/utils/context/organisationContext.ts
+var log = createLogger("organisationContext");
+async function setOrganisationContext(supabase, organisationId) {
+  if (!supabase || !organisationId) {
+    return;
+  }
+  try {
+    const timeoutPromise = new Promise((_, reject) => {
+      setTimeout(() => reject(new Error("RPC timeout after 3 seconds")), 3e3);
+    });
+    const rpcPromise = supabase.rpc("set_organisation_context", {
+      org_id: organisationId
+    });
+    const { error } = await Promise.race([rpcPromise, timeoutPromise]);
+    if (error) {
+      log.debug("RPC function not available or failed, continuing without database context");
+    } else {
+      log.debug("Organisation context set in database successfully");
+    }
+  } catch (error) {
+    log.debug("Failed to set database context, continuing without it:", error);
+  }
+}
+async function clearOrganisationContext(supabase) {
+  if (!supabase) {
+    return;
+  }
+  try {
+    const { error } = await supabase.rpc("rbac_audit_log", {
+      p_event_type: "organisation_switched",
+      p_metadata: { action: "clear_context" }
+    });
+    if (error) {
+    } else {
+    }
+  } catch (error) {
+  }
+}
+async function getOrganisationContext(supabase) {
+  if (!supabase) {
+    return null;
+  }
+  try {
+    const data = null;
+    const error = null;
+    if (error) {
+      return null;
+    }
+    if (typeof data === "string") {
+      return data;
+    }
+    return null;
+  } catch (error) {
+    return null;
+  }
+}
+async function isOrganisationContextAvailable(supabase) {
+  if (!supabase) {
+    return false;
+  }
+  try {
+    const { error } = await supabase.rpc("get_organisation_context");
+    if (error) {
+      return false;
+    }
+    return true;
+  } catch (error) {
+    return false;
+  }
 }
 
-/**
- * Secure storage implementation with encryption support
- */
-class SecureStorageImpl {
-  private encryptionKey: CryptoKey | null = null;
-  private initialized = false;
-
+// src/utils/security/secureStorage.ts
+var SecureStorageImpl = class {
+  constructor() {
+    this.encryptionKey = null;
+    this.initialized = false;
+  }
   /**
    * Initialize secure storage with encryption
    */
-  async init(): Promise<void> {
+  async init() {
     if (this.initialized) return;
-
     try {
-      // Check if Web Crypto API is available
       if (window.crypto && window.crypto.subtle) {
-        // Generate or retrieve encryption key
-        const keyData = localStorage.getItem('_sec_key');
+        const keyData = localStorage.getItem("_sec_key");
         if (keyData) {
           try {
             const keyBuffer = this.base64ToArrayBuffer(keyData);
             this.encryptionKey = await window.crypto.subtle.importKey(
-              'raw',
+              "raw",
               keyBuffer,
-              { name: 'AES-GCM' },
+              { name: "AES-GCM" },
               false,
-              ['encrypt', 'decrypt']
+              ["encrypt", "decrypt"]
             );
           } catch (error) {
             await this.generateNewKey();
@@ -49,189 +109,146 @@ class SecureStorageImpl {
       this.initialized = true;
     }
   }
-
   /**
    * Store item securely
    */
-  async setItem(
-    key: string,
-    value: string,
-    options: SecureStorageOptions = {}
-  ): Promise<void> {
+  async setItem(key, value, options = {}) {
     await this.init();
-
     const data = {
       value,
       timestamp: Date.now(),
-      expiry: options.expiry ? Date.now() + options.expiry : undefined,
+      expiry: options.expiry ? Date.now() + options.expiry : void 0
     };
-
     const serialized = JSON.stringify(data);
-    
     if (options.encrypt && this.encryptionKey) {
       try {
         const encrypted = await this.encrypt(serialized);
         localStorage.setItem(`_sec_${key}`, encrypted);
         return;
       } catch (error) {
-        // Silent fail - store as plain text
       }
     }
-
     localStorage.setItem(key, serialized);
   }
-
   /**
    * Retrieve item securely
    */
-  async getItem(key: string): Promise<string | null> {
+  async getItem(key) {
     await this.init();
-
-    // Try encrypted storage first
     const encryptedData = localStorage.getItem(`_sec_${key}`);
     if (encryptedData && this.encryptionKey) {
       try {
         const decrypted = await this.decrypt(encryptedData);
         const parsed = JSON.parse(decrypted);
-        
-        // Check expiry
         if (parsed.expiry && Date.now() > parsed.expiry) {
           await this.removeItem(key);
           return null;
         }
-        
         return parsed.value;
       } catch (error) {
-        // Silent fail - try plain storage
       }
     }
-
-    // Fallback to plain storage
     const plainData = localStorage.getItem(key);
     if (!plainData) return null;
-
     try {
       const parsed = JSON.parse(plainData);
-      
-      // Check expiry
       if (parsed.expiry && Date.now() > parsed.expiry) {
         await this.removeItem(key);
         return null;
       }
-      
       return parsed.value || plainData;
     } catch (error) {
-      // If parsing fails, return as-is (backward compatibility)
       return plainData;
     }
   }
-
   /**
    * Remove item
    */
-  async removeItem(key: string): Promise<void> {
+  async removeItem(key) {
     localStorage.removeItem(key);
     localStorage.removeItem(`_sec_${key}`);
   }
-
   /**
    * Clear all secure storage
    */
-  async clear(): Promise<void> {
+  async clear() {
     const keys = Object.keys(localStorage);
     for (const key of keys) {
-      if (key.startsWith('_sec_')) {
+      if (key.startsWith("_sec_")) {
         localStorage.removeItem(key);
       }
     }
   }
-
   /**
    * Generate new encryption key
    */
-  private async generateNewKey(): Promise<void> {
+  async generateNewKey() {
     if (!window.crypto?.subtle) return;
-
     try {
       this.encryptionKey = await window.crypto.subtle.generateKey(
-        { name: 'AES-GCM', length: 256 },
+        { name: "AES-GCM", length: 256 },
         true,
-        ['encrypt', 'decrypt']
+        ["encrypt", "decrypt"]
       );
-
-      // Export and store key
-      const exportedKey = await window.crypto.subtle.exportKey('raw', this.encryptionKey);
+      const exportedKey = await window.crypto.subtle.exportKey("raw", this.encryptionKey);
       const keyData = this.arrayBufferToBase64(exportedKey);
-      localStorage.setItem('_sec_key', keyData);
+      localStorage.setItem("_sec_key", keyData);
     } catch (error) {
-      // Silent fail - encryption not available
     }
   }
-
   /**
    * Encrypt data
    */
-  private async encrypt(data: string): Promise<string> {
+  async encrypt(data) {
     if (!this.encryptionKey || !window.crypto?.subtle) {
-      throw new Error('Encryption not available');
+      throw new Error("Encryption not available");
     }
-
     const encoder = new TextEncoder();
     const dataBuffer = encoder.encode(data);
     const iv = window.crypto.getRandomValues(new Uint8Array(12));
-
     const encrypted = await window.crypto.subtle.encrypt(
-      { name: 'AES-GCM', iv },
+      { name: "AES-GCM", iv },
       this.encryptionKey,
       dataBuffer
     );
-
-    // Combine IV and encrypted data
     const combined = new Uint8Array(iv.length + encrypted.byteLength);
     combined.set(iv);
     combined.set(new Uint8Array(encrypted), iv.length);
-
     return this.arrayBufferToBase64(combined.buffer);
   }
-
   /**
    * Decrypt data
    */
-  private async decrypt(encryptedData: string): Promise<string> {
+  async decrypt(encryptedData) {
     if (!this.encryptionKey || !window.crypto?.subtle) {
-      throw new Error('Decryption not available');
+      throw new Error("Decryption not available");
     }
-
     const combined = this.base64ToArrayBuffer(encryptedData);
     const iv = combined.slice(0, 12);
     const encrypted = combined.slice(12);
-
     const decrypted = await window.crypto.subtle.decrypt(
-      { name: 'AES-GCM', iv },
+      { name: "AES-GCM", iv },
       this.encryptionKey,
       encrypted
     );
-
     const decoder = new TextDecoder();
     return decoder.decode(decrypted);
   }
-
   /**
    * Convert ArrayBuffer to base64
    */
-  private arrayBufferToBase64(buffer: ArrayBuffer): string {
+  arrayBufferToBase64(buffer) {
     const bytes = new Uint8Array(buffer);
-    let binary = '';
+    let binary = "";
     for (let i = 0; i < bytes.byteLength; i++) {
       binary += String.fromCharCode(bytes[i]);
     }
     return btoa(binary);
   }
-
   /**
    * Convert base64 to ArrayBuffer
    */
-  private base64ToArrayBuffer(base64: string): ArrayBuffer {
+  base64ToArrayBuffer(base64) {
     const binary = atob(base64);
     const bytes = new Uint8Array(binary.length);
     for (let i = 0; i < binary.length; i++) {
@@ -239,6 +256,14 @@ class SecureStorageImpl {
     }
     return bytes.buffer;
   }
-}
+};
+var secureStorage = new SecureStorageImpl();
 
-export const secureStorage = new SecureStorageImpl();
+export {
+  setOrganisationContext,
+  clearOrganisationContext,
+  getOrganisationContext,
+  isOrganisationContextAvailable,
+  secureStorage
+};
+//# sourceMappingURL=chunk-VBXEHIUJ.js.map

package/dist/{chunk-7QCC6MCP.js.map → chunk-VBXEHIUJ.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/utils/context/organisationContext.ts","../src/utils/security/secureStorage.ts"],"sourcesContent":["/**\n * @file Organisation Context Utility\n * @package @jmruthers/pace-core\n * @module Utils/OrganisationContext\n * @since 0.4.0\n *\n * Utility functions for managing organisation context in database sessions.\n * Provides fallback mechanisms for when database functions are not available.\n */\n\nimport type { SupabaseClient } from '@supabase/supabase-js';\nimport { createLogger } from '../core/logger';\n\nconst log = createLogger('organisationContext');\n\n/**\n * Set organisation context in the database session\n * \n * This function attempts to set the organisation context using a database function.\n * If the function is not available, it falls back gracefully without throwing errors.\n * \n * @param supabase - Supabase client instance\n * @param organisationId - The organisation ID to set as context\n * @returns Promise that resolves when context is set (or falls back gracefully)\n */\nexport async function setOrganisationContext(\n  supabase: SupabaseClient,\n  organisationId: string\n): Promise<void> {\n  if (!supabase || !organisationId) {\n    // TODO: Replace with proper logging service integration\n    return;\n  }\n\n  try {\n    // Add timeout to prevent hanging RPC calls\n    const timeoutPromise = new Promise((_, reject) => {\n      setTimeout(() => reject(new Error('RPC timeout after 3 seconds')), 3000);\n    });\n    \n    // Call the database function to set organisation context\n    const rpcPromise = supabase.rpc('set_organisation_context', {\n      org_id: organisationId\n    });\n\n    const { error } = await Promise.race([rpcPromise, timeoutPromise]) as any;\n\n    if (error) {\n      // Function might not exist yet - this is expected during migration\n      // Silent fail - will fall back to client-side filtering\n      log.debug('RPC function not available or failed, continuing without database context');\n    } else {\n      log.debug('Organisation context set in database successfully');\n    }\n  } catch (error) {\n    // Handle any other errors gracefully\n    // Silent fail - will fall back to client-side filtering\n    log.debug('Failed to set database context, continuing without it:', error);\n  }\n}\n\n/**\n * Clear organisation context from the database session\n * \n * @param supabase - Supabase client instance\n * @returns Promise that resolves when context is cleared\n */\nexport async function clearOrganisationContext(\n  supabase: SupabaseClient\n): Promise<void> {\n  if (!supabase) {\n    // TODO: Replace with proper logging service integration\n    return;\n  }\n\n  try {\n    const { error } = await supabase.rpc('rbac_audit_log', {\n      p_event_type: 'organisation_switched',\n      p_metadata: { action: 'clear_context' }\n    });\n    \n    if (error) {\n      // Silent fail - function not available\n      // TODO: Replace with proper logging service integration\n    } else {\n      // TODO: Replace with proper logging service integration\n    }\n  } catch (error) {\n    // Silent fail - error occurred\n    // TODO: Replace with proper logging service integration\n  }\n}\n\n/**\n * Get current organisation context from the database session\n * \n * @param supabase - Supabase client instance\n * @returns Promise that resolves to the current organisation ID or null\n */\nexport async function getOrganisationContext(\n  supabase: SupabaseClient\n): Promise<string | null> {\n  if (!supabase) {\n    // TODO: Replace with proper logging service integration\n    return null;\n  }\n\n  try {\n    // For now, return null since we're not using database context\n    // This will be replaced with proper context management\n    const data = null;\n    const error = null;\n    \n    if (error) {\n      // TODO: Replace with proper logging service integration\n      return null;\n    }\n    \n    // Validate that data is a string (allow empty strings)\n    if (typeof data === 'string') {\n      return data;\n    }\n    \n    // Return null for invalid data formats\n    return null;\n  } catch (error) {\n    // TODO: Replace with proper logging service integration\n    return null;\n  }\n}\n\n/**\n * Check if organisation context functions are available in the database\n * \n * @param supabase - Supabase client instance\n * @returns Promise that resolves to true if functions are available\n */\nexport async function isOrganisationContextAvailable(\n  supabase: SupabaseClient\n): Promise<boolean> {\n  if (!supabase) {\n    return false;\n  }\n\n  try {\n    const { error } = await supabase.rpc('get_organisation_context');\n    \n    if (error) {\n      return false;\n    }\n    \n    return true;\n  } catch (error) {\n    return false;\n  }\n} ","\n/**\n * @file Secure Storage Utilities\n * @description Encrypted storage wrapper for sensitive data\n */\n\nexport interface SecureStorageOptions {\n  encrypt?: boolean;\n  expiry?: number; // TTL in milliseconds\n}\n\n/**\n * Secure storage implementation with encryption support\n */\nclass SecureStorageImpl {\n  private encryptionKey: CryptoKey | null = null;\n  private initialized = false;\n\n  /**\n   * Initialize secure storage with encryption\n   */\n  async init(): Promise<void> {\n    if (this.initialized) return;\n\n    try {\n      // Check if Web Crypto API is available\n      if (window.crypto && window.crypto.subtle) {\n        // Generate or retrieve encryption key\n        const keyData = localStorage.getItem('_sec_key');\n        if (keyData) {\n          try {\n            const keyBuffer = this.base64ToArrayBuffer(keyData);\n            this.encryptionKey = await window.crypto.subtle.importKey(\n              'raw',\n              keyBuffer,\n              { name: 'AES-GCM' },\n              false,\n              ['encrypt', 'decrypt']\n            );\n          } catch (error) {\n            await this.generateNewKey();\n          }\n        } else {\n          await this.generateNewKey();\n        }\n      }\n      this.initialized = true;\n    } catch (error) {\n      this.initialized = true;\n    }\n  }\n\n  /**\n   * Store item securely\n   */\n  async setItem(\n    key: string,\n    value: string,\n    options: SecureStorageOptions = {}\n  ): Promise<void> {\n    await this.init();\n\n    const data = {\n      value,\n      timestamp: Date.now(),\n      expiry: options.expiry ? Date.now() + options.expiry : undefined,\n    };\n\n    const serialized = JSON.stringify(data);\n    \n    if (options.encrypt && this.encryptionKey) {\n      try {\n        const encrypted = await this.encrypt(serialized);\n        localStorage.setItem(`_sec_${key}`, encrypted);\n        return;\n      } catch (error) {\n        // Silent fail - store as plain text\n      }\n    }\n\n    localStorage.setItem(key, serialized);\n  }\n\n  /**\n   * Retrieve item securely\n   */\n  async getItem(key: string): Promise<string | null> {\n    await this.init();\n\n    // Try encrypted storage first\n    const encryptedData = localStorage.getItem(`_sec_${key}`);\n    if (encryptedData && this.encryptionKey) {\n      try {\n        const decrypted = await this.decrypt(encryptedData);\n        const parsed = JSON.parse(decrypted);\n        \n        // Check expiry\n        if (parsed.expiry && Date.now() > parsed.expiry) {\n          await this.removeItem(key);\n          return null;\n        }\n        \n        return parsed.value;\n      } catch (error) {\n        // Silent fail - try plain storage\n      }\n    }\n\n    // Fallback to plain storage\n    const plainData = localStorage.getItem(key);\n    if (!plainData) return null;\n\n    try {\n      const parsed = JSON.parse(plainData);\n      \n      // Check expiry\n      if (parsed.expiry && Date.now() > parsed.expiry) {\n        await this.removeItem(key);\n        return null;\n      }\n      \n      return parsed.value || plainData;\n    } catch (error) {\n      // If parsing fails, return as-is (backward compatibility)\n      return plainData;\n    }\n  }\n\n  /**\n   * Remove item\n   */\n  async removeItem(key: string): Promise<void> {\n    localStorage.removeItem(key);\n    localStorage.removeItem(`_sec_${key}`);\n  }\n\n  /**\n   * Clear all secure storage\n   */\n  async clear(): Promise<void> {\n    const keys = Object.keys(localStorage);\n    for (const key of keys) {\n      if (key.startsWith('_sec_')) {\n        localStorage.removeItem(key);\n      }\n    }\n  }\n\n  /**\n   * Generate new encryption key\n   */\n  private async generateNewKey(): Promise<void> {\n    if (!window.crypto?.subtle) return;\n\n    try {\n      this.encryptionKey = await window.crypto.subtle.generateKey(\n        { name: 'AES-GCM', length: 256 },\n        true,\n        ['encrypt', 'decrypt']\n      );\n\n      // Export and store key\n      const exportedKey = await window.crypto.subtle.exportKey('raw', this.encryptionKey);\n      const keyData = this.arrayBufferToBase64(exportedKey);\n      localStorage.setItem('_sec_key', keyData);\n    } catch (error) {\n      // Silent fail - encryption not available\n    }\n  }\n\n  /**\n   * Encrypt data\n   */\n  private async encrypt(data: string): Promise<string> {\n    if (!this.encryptionKey || !window.crypto?.subtle) {\n      throw new Error('Encryption not available');\n    }\n\n    const encoder = new TextEncoder();\n    const dataBuffer = encoder.encode(data);\n    const iv = window.crypto.getRandomValues(new Uint8Array(12));\n\n    const encrypted = await window.crypto.subtle.encrypt(\n      { name: 'AES-GCM', iv },\n      this.encryptionKey,\n      dataBuffer\n    );\n\n    // Combine IV and encrypted data\n    const combined = new Uint8Array(iv.length + encrypted.byteLength);\n    combined.set(iv);\n    combined.set(new Uint8Array(encrypted), iv.length);\n\n    return this.arrayBufferToBase64(combined.buffer);\n  }\n\n  /**\n   * Decrypt data\n   */\n  private async decrypt(encryptedData: string): Promise<string> {\n    if (!this.encryptionKey || !window.crypto?.subtle) {\n      throw new Error('Decryption not available');\n    }\n\n    const combined = this.base64ToArrayBuffer(encryptedData);\n    const iv = combined.slice(0, 12);\n    const encrypted = combined.slice(12);\n\n    const decrypted = await window.crypto.subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      this.encryptionKey,\n      encrypted\n    );\n\n    const decoder = new TextDecoder();\n    return decoder.decode(decrypted);\n  }\n\n  /**\n   * Convert ArrayBuffer to base64\n   */\n  private arrayBufferToBase64(buffer: ArrayBuffer): string {\n    const bytes = new Uint8Array(buffer);\n    let binary = '';\n    for (let i = 0; i < bytes.byteLength; i++) {\n      binary += String.fromCharCode(bytes[i]);\n    }\n    return btoa(binary);\n  }\n\n  /**\n   * Convert base64 to ArrayBuffer\n   */\n  private base64ToArrayBuffer(base64: string): ArrayBuffer {\n    const binary = atob(base64);\n    const bytes = new Uint8Array(binary.length);\n    for (let i = 0; i < binary.length; i++) {\n      bytes[i] = binary.charCodeAt(i);\n    }\n    return bytes.buffer;\n  }\n}\n\nexport const secureStorage = new SecureStorageImpl();\n"],"mappings":";;;;;;;;;AAyBA,eAAsB,uBACpB,UACA,gBACe;AACf,MAAI,CAAC,YAAY,CAAC,gBAAgB;AAEhC;AAAA,EACF;AAEA,MAAI;AAEF,UAAM,iBAAiB,IAAI,QAAQ,CAAC,GAAG,WAAW;AAChD,iBAAW,MAAM,OAAO,IAAI,MAAM,6BAA6B,CAAC,GAAG,GAAI;AAAA,IACzE,CAAC;AAGD,UAAM,aAAa,SAAS,IAAI,4BAA4B;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,EAAE,MAAM,IAAI,MAAM,QAAQ,KAAK,CAAC,YAAY,cAAc,CAAC;AAEjE,QAAI,OAAO;AAGT,UAAI,MAAM,2EAA2E;AAAA,IACvF,OAAO;AACL,UAAI,MAAM,mDAAmD;AAAA,IAC/D;AAAA,EACF,SAAS,OAAO;AAGd,QAAI,MAAM,0DAA0D,KAAK;AAAA,EAC3E;AACF;AAQA,eAAsB,yBACpB,UACe;AACf,MAAI,CAAC,UAAU;AAEb;AAAA,EACF;AAEA,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,SAAS,IAAI,kBAAkB;AAAA,MACrD,cAAc;AAAA,MACd,YAAY,EAAE,QAAQ,gBAAgB;AAAA,IACxC,CAAC;AAED,QAAI,OAAO;AAAA,IAGX,OAAO;AAAA,IAEP;AAAA,EACF,SAAS,OAAO;AAAA,EAGhB;AACF;AAQA,eAAsB,uBACpB,UACwB;AACxB,MAAI,CAAC,UAAU;AAEb,WAAO;AAAA,EACT;AAEA,MAAI;AAGF,UAAM,OAAO;AACb,UAAM,QAAQ;AAEd,QAAI,OAAO;AAET,aAAO;AAAA,IACT;AAGA,QAAI,OAAO,SAAS,UAAU;AAC5B,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT,SAAS,OAAO;AAEd,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,+BACpB,UACkB;AAClB,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,SAAS,IAAI,0BAA0B;AAE/D,QAAI,OAAO;AACT,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;AA3JA,IAaM;AAbN;AAAA;AAAA;AAWA;AAEA,IAAM,MAAM,aAAa,qBAAqB;AAAA;AAAA;;;ACb9C,IAcM,mBAqOO;AAnPb;AAAA;AAAA;AAcA,IAAM,oBAAN,MAAwB;AAAA,MAAxB;AACE,aAAQ,gBAAkC;AAC1C,aAAQ,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA,MAKtB,MAAM,OAAsB;AAC1B,YAAI,KAAK,YAAa;AAEtB,YAAI;AAEF,cAAI,OAAO,UAAU,OAAO,OAAO,QAAQ;AAEzC,kBAAM,UAAU,aAAa,QAAQ,UAAU;AAC/C,gBAAI,SAAS;AACX,kBAAI;AACF,sBAAM,YAAY,KAAK,oBAAoB,OAAO;AAClD,qBAAK,gBAAgB,MAAM,OAAO,OAAO,OAAO;AAAA,kBAC9C;AAAA,kBACA;AAAA,kBACA,EAAE,MAAM,UAAU;AAAA,kBAClB;AAAA,kBACA,CAAC,WAAW,SAAS;AAAA,gBACvB;AAAA,cACF,SAAS,OAAO;AACd,sBAAM,KAAK,eAAe;AAAA,cAC5B;AAAA,YACF,OAAO;AACL,oBAAM,KAAK,eAAe;AAAA,YAC5B;AAAA,UACF;AACA,eAAK,cAAc;AAAA,QACrB,SAAS,OAAO;AACd,eAAK,cAAc;AAAA,QACrB;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,QACJ,KACA,OACA,UAAgC,CAAC,GAClB;AACf,cAAM,KAAK,KAAK;AAEhB,cAAM,OAAO;AAAA,UACX;AAAA,UACA,WAAW,KAAK,IAAI;AAAA,UACpB,QAAQ,QAAQ,SAAS,KAAK,IAAI,IAAI,QAAQ,SAAS;AAAA,QACzD;AAEA,cAAM,aAAa,KAAK,UAAU,IAAI;AAEtC,YAAI,QAAQ,WAAW,KAAK,eAAe;AACzC,cAAI;AACF,kBAAM,YAAY,MAAM,KAAK,QAAQ,UAAU;AAC/C,yBAAa,QAAQ,QAAQ,GAAG,IAAI,SAAS;AAC7C;AAAA,UACF,SAAS,OAAO;AAAA,UAEhB;AAAA,QACF;AAEA,qBAAa,QAAQ,KAAK,UAAU;AAAA,MACtC;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,QAAQ,KAAqC;AACjD,cAAM,KAAK,KAAK;AAGhB,cAAM,gBAAgB,aAAa,QAAQ,QAAQ,GAAG,EAAE;AACxD,YAAI,iBAAiB,KAAK,eAAe;AACvC,cAAI;AACF,kBAAM,YAAY,MAAM,KAAK,QAAQ,aAAa;AAClD,kBAAM,SAAS,KAAK,MAAM,SAAS;AAGnC,gBAAI,OAAO,UAAU,KAAK,IAAI,IAAI,OAAO,QAAQ;AAC/C,oBAAM,KAAK,WAAW,GAAG;AACzB,qBAAO;AAAA,YACT;AAEA,mBAAO,OAAO;AAAA,UAChB,SAAS,OAAO;AAAA,UAEhB;AAAA,QACF;AAGA,cAAM,YAAY,aAAa,QAAQ,GAAG;AAC1C,YAAI,CAAC,UAAW,QAAO;AAEvB,YAAI;AACF,gBAAM,SAAS,KAAK,MAAM,SAAS;AAGnC,cAAI,OAAO,UAAU,KAAK,IAAI,IAAI,OAAO,QAAQ;AAC/C,kBAAM,KAAK,WAAW,GAAG;AACzB,mBAAO;AAAA,UACT;AAEA,iBAAO,OAAO,SAAS;AAAA,QACzB,SAAS,OAAO;AAEd,iBAAO;AAAA,QACT;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,WAAW,KAA4B;AAC3C,qBAAa,WAAW,GAAG;AAC3B,qBAAa,WAAW,QAAQ,GAAG,EAAE;AAAA,MACvC;AAAA;AAAA;AAAA;AAAA,MAKA,MAAM,QAAuB;AAC3B,cAAM,OAAO,OAAO,KAAK,YAAY;AACrC,mBAAW,OAAO,MAAM;AACtB,cAAI,IAAI,WAAW,OAAO,GAAG;AAC3B,yBAAa,WAAW,GAAG;AAAA,UAC7B;AAAA,QACF;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,iBAAgC;AAC5C,YAAI,CAAC,OAAO,QAAQ,OAAQ;AAE5B,YAAI;AACF,eAAK,gBAAgB,MAAM,OAAO,OAAO,OAAO;AAAA,YAC9C,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,YAC/B;AAAA,YACA,CAAC,WAAW,SAAS;AAAA,UACvB;AAGA,gBAAM,cAAc,MAAM,OAAO,OAAO,OAAO,UAAU,OAAO,KAAK,aAAa;AAClF,gBAAM,UAAU,KAAK,oBAAoB,WAAW;AACpD,uBAAa,QAAQ,YAAY,OAAO;AAAA,QAC1C,SAAS,OAAO;AAAA,QAEhB;AAAA,MACF;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,QAAQ,MAA+B;AACnD,YAAI,CAAC,KAAK,iBAAiB,CAAC,OAAO,QAAQ,QAAQ;AACjD,gBAAM,IAAI,MAAM,0BAA0B;AAAA,QAC5C;AAEA,cAAM,UAAU,IAAI,YAAY;AAChC,cAAM,aAAa,QAAQ,OAAO,IAAI;AACtC,cAAM,KAAK,OAAO,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAE3D,cAAM,YAAY,MAAM,OAAO,OAAO,OAAO;AAAA,UAC3C,EAAE,MAAM,WAAW,GAAG;AAAA,UACtB,KAAK;AAAA,UACL;AAAA,QACF;AAGA,cAAM,WAAW,IAAI,WAAW,GAAG,SAAS,UAAU,UAAU;AAChE,iBAAS,IAAI,EAAE;AACf,iBAAS,IAAI,IAAI,WAAW,SAAS,GAAG,GAAG,MAAM;AAEjD,eAAO,KAAK,oBAAoB,SAAS,MAAM;AAAA,MACjD;AAAA;AAAA;AAAA;AAAA,MAKA,MAAc,QAAQ,eAAwC;AAC5D,YAAI,CAAC,KAAK,iBAAiB,CAAC,OAAO,QAAQ,QAAQ;AACjD,gBAAM,IAAI,MAAM,0BAA0B;AAAA,QAC5C;AAEA,cAAM,WAAW,KAAK,oBAAoB,aAAa;AACvD,cAAM,KAAK,SAAS,MAAM,GAAG,EAAE;AAC/B,cAAM,YAAY,SAAS,MAAM,EAAE;AAEnC,cAAM,YAAY,MAAM,OAAO,OAAO,OAAO;AAAA,UAC3C,EAAE,MAAM,WAAW,GAAG;AAAA,UACtB,KAAK;AAAA,UACL;AAAA,QACF;AAEA,cAAM,UAAU,IAAI,YAAY;AAChC,eAAO,QAAQ,OAAO,SAAS;AAAA,MACjC;AAAA;AAAA;AAAA;AAAA,MAKQ,oBAAoB,QAA6B;AACvD,cAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,YAAI,SAAS;AACb,iBAAS,IAAI,GAAG,IAAI,MAAM,YAAY,KAAK;AACzC,oBAAU,OAAO,aAAa,MAAM,CAAC,CAAC;AAAA,QACxC;AACA,eAAO,KAAK,MAAM;AAAA,MACpB;AAAA;AAAA;AAAA;AAAA,MAKQ,oBAAoB,QAA6B;AACvD,cAAM,SAAS,KAAK,MAAM;AAC1B,cAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,iBAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,gBAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,QAChC;AACA,eAAO,MAAM;AAAA,MACf;AAAA,IACF;AAEO,IAAM,gBAAgB,IAAI,kBAAkB;AAAA;AAAA;","names":[]}
+{"version":3,"sources":["../src/utils/context/organisationContext.ts","../src/utils/security/secureStorage.ts"],"sourcesContent":["/**\n * @file Organisation Context Utility\n * @package @jmruthers/pace-core\n * @module Utils/OrganisationContext\n * @since 0.4.0\n *\n * Utility functions for managing organisation context in database sessions.\n * Provides fallback mechanisms for when database functions are not available.\n */\n\nimport type { SupabaseClient } from '@supabase/supabase-js';\nimport { createLogger } from '../core/logger';\n\nconst log = createLogger('organisationContext');\n\n/**\n * Set organisation context in the database session\n * \n * This function attempts to set the organisation context using a database function.\n * If the function is not available, it falls back gracefully without throwing errors.\n * \n * @param supabase - Supabase client instance\n * @param organisationId - The organisation ID to set as context\n * @returns Promise that resolves when context is set (or falls back gracefully)\n */\nexport async function setOrganisationContext(\n  supabase: SupabaseClient,\n  organisationId: string\n): Promise<void> {\n  if (!supabase || !organisationId) {\n    // TODO: Replace with proper logging service integration\n    return;\n  }\n\n  try {\n    // Add timeout to prevent hanging RPC calls\n    const timeoutPromise = new Promise((_, reject) => {\n      setTimeout(() => reject(new Error('RPC timeout after 3 seconds')), 3000);\n    });\n    \n    // Call the database function to set organisation context\n    const rpcPromise = supabase.rpc('set_organisation_context', {\n      org_id: organisationId\n    });\n\n    const { error } = await Promise.race([rpcPromise, timeoutPromise]) as any;\n\n    if (error) {\n      // Function might not exist yet - this is expected during migration\n      // Silent fail - will fall back to client-side filtering\n      log.debug('RPC function not available or failed, continuing without database context');\n    } else {\n      log.debug('Organisation context set in database successfully');\n    }\n  } catch (error) {\n    // Handle any other errors gracefully\n    // Silent fail - will fall back to client-side filtering\n    log.debug('Failed to set database context, continuing without it:', error);\n  }\n}\n\n/**\n * Clear organisation context from the database session\n * \n * @param supabase - Supabase client instance\n * @returns Promise that resolves when context is cleared\n */\nexport async function clearOrganisationContext(\n  supabase: SupabaseClient\n): Promise<void> {\n  if (!supabase) {\n    // TODO: Replace with proper logging service integration\n    return;\n  }\n\n  try {\n    const { error } = await supabase.rpc('rbac_audit_log', {\n      p_event_type: 'organisation_switched',\n      p_metadata: { action: 'clear_context' }\n    });\n    \n    if (error) {\n      // Silent fail - function not available\n      // TODO: Replace with proper logging service integration\n    } else {\n      // TODO: Replace with proper logging service integration\n    }\n  } catch (error) {\n    // Silent fail - error occurred\n    // TODO: Replace with proper logging service integration\n  }\n}\n\n/**\n * Get current organisation context from the database session\n * \n * @param supabase - Supabase client instance\n * @returns Promise that resolves to the current organisation ID or null\n */\nexport async function getOrganisationContext(\n  supabase: SupabaseClient\n): Promise<string | null> {\n  if (!supabase) {\n    // TODO: Replace with proper logging service integration\n    return null;\n  }\n\n  try {\n    // For now, return null since we're not using database context\n    // This will be replaced with proper context management\n    const data = null;\n    const error = null;\n    \n    if (error) {\n      // TODO: Replace with proper logging service integration\n      return null;\n    }\n    \n    // Validate that data is a string (allow empty strings)\n    if (typeof data === 'string') {\n      return data;\n    }\n    \n    // Return null for invalid data formats\n    return null;\n  } catch (error) {\n    // TODO: Replace with proper logging service integration\n    return null;\n  }\n}\n\n/**\n * Check if organisation context functions are available in the database\n * \n * @param supabase - Supabase client instance\n * @returns Promise that resolves to true if functions are available\n */\nexport async function isOrganisationContextAvailable(\n  supabase: SupabaseClient\n): Promise<boolean> {\n  if (!supabase) {\n    return false;\n  }\n\n  try {\n    const { error } = await supabase.rpc('get_organisation_context');\n    \n    if (error) {\n      return false;\n    }\n    \n    return true;\n  } catch (error) {\n    return false;\n  }\n} ","\n/**\n * @file Secure Storage Utilities\n * @description Encrypted storage wrapper for sensitive data\n */\n\nexport interface SecureStorageOptions {\n  encrypt?: boolean;\n  expiry?: number; // TTL in milliseconds\n}\n\n/**\n * Secure storage implementation with encryption support\n */\nclass SecureStorageImpl {\n  private encryptionKey: CryptoKey | null = null;\n  private initialized = false;\n\n  /**\n   * Initialize secure storage with encryption\n   */\n  async init(): Promise<void> {\n    if (this.initialized) return;\n\n    try {\n      // Check if Web Crypto API is available\n      if (window.crypto && window.crypto.subtle) {\n        // Generate or retrieve encryption key\n        const keyData = localStorage.getItem('_sec_key');\n        if (keyData) {\n          try {\n            const keyBuffer = this.base64ToArrayBuffer(keyData);\n            this.encryptionKey = await window.crypto.subtle.importKey(\n              'raw',\n              keyBuffer,\n              { name: 'AES-GCM' },\n              false,\n              ['encrypt', 'decrypt']\n            );\n          } catch (error) {\n            await this.generateNewKey();\n          }\n        } else {\n          await this.generateNewKey();\n        }\n      }\n      this.initialized = true;\n    } catch (error) {\n      this.initialized = true;\n    }\n  }\n\n  /**\n   * Store item securely\n   */\n  async setItem(\n    key: string,\n    value: string,\n    options: SecureStorageOptions = {}\n  ): Promise<void> {\n    await this.init();\n\n    const data = {\n      value,\n      timestamp: Date.now(),\n      expiry: options.expiry ? Date.now() + options.expiry : undefined,\n    };\n\n    const serialized = JSON.stringify(data);\n    \n    if (options.encrypt && this.encryptionKey) {\n      try {\n        const encrypted = await this.encrypt(serialized);\n        localStorage.setItem(`_sec_${key}`, encrypted);\n        return;\n      } catch (error) {\n        // Silent fail - store as plain text\n      }\n    }\n\n    localStorage.setItem(key, serialized);\n  }\n\n  /**\n   * Retrieve item securely\n   */\n  async getItem(key: string): Promise<string | null> {\n    await this.init();\n\n    // Try encrypted storage first\n    const encryptedData = localStorage.getItem(`_sec_${key}`);\n    if (encryptedData && this.encryptionKey) {\n      try {\n        const decrypted = await this.decrypt(encryptedData);\n        const parsed = JSON.parse(decrypted);\n        \n        // Check expiry\n        if (parsed.expiry && Date.now() > parsed.expiry) {\n          await this.removeItem(key);\n          return null;\n        }\n        \n        return parsed.value;\n      } catch (error) {\n        // Silent fail - try plain storage\n      }\n    }\n\n    // Fallback to plain storage\n    const plainData = localStorage.getItem(key);\n    if (!plainData) return null;\n\n    try {\n      const parsed = JSON.parse(plainData);\n      \n      // Check expiry\n      if (parsed.expiry && Date.now() > parsed.expiry) {\n        await this.removeItem(key);\n        return null;\n      }\n      \n      return parsed.value || plainData;\n    } catch (error) {\n      // If parsing fails, return as-is (backward compatibility)\n      return plainData;\n    }\n  }\n\n  /**\n   * Remove item\n   */\n  async removeItem(key: string): Promise<void> {\n    localStorage.removeItem(key);\n    localStorage.removeItem(`_sec_${key}`);\n  }\n\n  /**\n   * Clear all secure storage\n   */\n  async clear(): Promise<void> {\n    const keys = Object.keys(localStorage);\n    for (const key of keys) {\n      if (key.startsWith('_sec_')) {\n        localStorage.removeItem(key);\n      }\n    }\n  }\n\n  /**\n   * Generate new encryption key\n   */\n  private async generateNewKey(): Promise<void> {\n    if (!window.crypto?.subtle) return;\n\n    try {\n      this.encryptionKey = await window.crypto.subtle.generateKey(\n        { name: 'AES-GCM', length: 256 },\n        true,\n        ['encrypt', 'decrypt']\n      );\n\n      // Export and store key\n      const exportedKey = await window.crypto.subtle.exportKey('raw', this.encryptionKey);\n      const keyData = this.arrayBufferToBase64(exportedKey);\n      localStorage.setItem('_sec_key', keyData);\n    } catch (error) {\n      // Silent fail - encryption not available\n    }\n  }\n\n  /**\n   * Encrypt data\n   */\n  private async encrypt(data: string): Promise<string> {\n    if (!this.encryptionKey || !window.crypto?.subtle) {\n      throw new Error('Encryption not available');\n    }\n\n    const encoder = new TextEncoder();\n    const dataBuffer = encoder.encode(data);\n    const iv = window.crypto.getRandomValues(new Uint8Array(12));\n\n    const encrypted = await window.crypto.subtle.encrypt(\n      { name: 'AES-GCM', iv },\n      this.encryptionKey,\n      dataBuffer\n    );\n\n    // Combine IV and encrypted data\n    const combined = new Uint8Array(iv.length + encrypted.byteLength);\n    combined.set(iv);\n    combined.set(new Uint8Array(encrypted), iv.length);\n\n    return this.arrayBufferToBase64(combined.buffer);\n  }\n\n  /**\n   * Decrypt data\n   */\n  private async decrypt(encryptedData: string): Promise<string> {\n    if (!this.encryptionKey || !window.crypto?.subtle) {\n      throw new Error('Decryption not available');\n    }\n\n    const combined = this.base64ToArrayBuffer(encryptedData);\n    const iv = combined.slice(0, 12);\n    const encrypted = combined.slice(12);\n\n    const decrypted = await window.crypto.subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      this.encryptionKey,\n      encrypted\n    );\n\n    const decoder = new TextDecoder();\n    return decoder.decode(decrypted);\n  }\n\n  /**\n   * Convert ArrayBuffer to base64\n   */\n  private arrayBufferToBase64(buffer: ArrayBuffer): string {\n    const bytes = new Uint8Array(buffer);\n    let binary = '';\n    for (let i = 0; i < bytes.byteLength; i++) {\n      binary += String.fromCharCode(bytes[i]);\n    }\n    return btoa(binary);\n  }\n\n  /**\n   * Convert base64 to ArrayBuffer\n   */\n  private base64ToArrayBuffer(base64: string): ArrayBuffer {\n    const binary = atob(base64);\n    const bytes = new Uint8Array(binary.length);\n    for (let i = 0; i < binary.length; i++) {\n      bytes[i] = binary.charCodeAt(i);\n    }\n    return bytes.buffer;\n  }\n}\n\nexport const secureStorage = new SecureStorageImpl();\n"],"mappings":";;;;;AAaA,IAAM,MAAM,aAAa,qBAAqB;AAY9C,eAAsB,uBACpB,UACA,gBACe;AACf,MAAI,CAAC,YAAY,CAAC,gBAAgB;AAEhC;AAAA,EACF;AAEA,MAAI;AAEF,UAAM,iBAAiB,IAAI,QAAQ,CAAC,GAAG,WAAW;AAChD,iBAAW,MAAM,OAAO,IAAI,MAAM,6BAA6B,CAAC,GAAG,GAAI;AAAA,IACzE,CAAC;AAGD,UAAM,aAAa,SAAS,IAAI,4BAA4B;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,EAAE,MAAM,IAAI,MAAM,QAAQ,KAAK,CAAC,YAAY,cAAc,CAAC;AAEjE,QAAI,OAAO;AAGT,UAAI,MAAM,2EAA2E;AAAA,IACvF,OAAO;AACL,UAAI,MAAM,mDAAmD;AAAA,IAC/D;AAAA,EACF,SAAS,OAAO;AAGd,QAAI,MAAM,0DAA0D,KAAK;AAAA,EAC3E;AACF;AAQA,eAAsB,yBACpB,UACe;AACf,MAAI,CAAC,UAAU;AAEb;AAAA,EACF;AAEA,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,SAAS,IAAI,kBAAkB;AAAA,MACrD,cAAc;AAAA,MACd,YAAY,EAAE,QAAQ,gBAAgB;AAAA,IACxC,CAAC;AAED,QAAI,OAAO;AAAA,IAGX,OAAO;AAAA,IAEP;AAAA,EACF,SAAS,OAAO;AAAA,EAGhB;AACF;AAQA,eAAsB,uBACpB,UACwB;AACxB,MAAI,CAAC,UAAU;AAEb,WAAO;AAAA,EACT;AAEA,MAAI;AAGF,UAAM,OAAO;AACb,UAAM,QAAQ;AAEd,QAAI,OAAO;AAET,aAAO;AAAA,IACT;AAGA,QAAI,OAAO,SAAS,UAAU;AAC5B,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT,SAAS,OAAO;AAEd,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,+BACpB,UACkB;AAClB,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,SAAS,IAAI,0BAA0B;AAE/D,QAAI,OAAO;AACT,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;;;AC7IA,IAAM,oBAAN,MAAwB;AAAA,EAAxB;AACE,SAAQ,gBAAkC;AAC1C,SAAQ,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA,EAKtB,MAAM,OAAsB;AAC1B,QAAI,KAAK,YAAa;AAEtB,QAAI;AAEF,UAAI,OAAO,UAAU,OAAO,OAAO,QAAQ;AAEzC,cAAM,UAAU,aAAa,QAAQ,UAAU;AAC/C,YAAI,SAAS;AACX,cAAI;AACF,kBAAM,YAAY,KAAK,oBAAoB,OAAO;AAClD,iBAAK,gBAAgB,MAAM,OAAO,OAAO,OAAO;AAAA,cAC9C;AAAA,cACA;AAAA,cACA,EAAE,MAAM,UAAU;AAAA,cAClB;AAAA,cACA,CAAC,WAAW,SAAS;AAAA,YACvB;AAAA,UACF,SAAS,OAAO;AACd,kBAAM,KAAK,eAAe;AAAA,UAC5B;AAAA,QACF,OAAO;AACL,gBAAM,KAAK,eAAe;AAAA,QAC5B;AAAA,MACF;AACA,WAAK,cAAc;AAAA,IACrB,SAAS,OAAO;AACd,WAAK,cAAc;AAAA,IACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QACJ,KACA,OACA,UAAgC,CAAC,GAClB;AACf,UAAM,KAAK,KAAK;AAEhB,UAAM,OAAO;AAAA,MACX;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,MACpB,QAAQ,QAAQ,SAAS,KAAK,IAAI,IAAI,QAAQ,SAAS;AAAA,IACzD;AAEA,UAAM,aAAa,KAAK,UAAU,IAAI;AAEtC,QAAI,QAAQ,WAAW,KAAK,eAAe;AACzC,UAAI;AACF,cAAM,YAAY,MAAM,KAAK,QAAQ,UAAU;AAC/C,qBAAa,QAAQ,QAAQ,GAAG,IAAI,SAAS;AAC7C;AAAA,MACF,SAAS,OAAO;AAAA,MAEhB;AAAA,IACF;AAEA,iBAAa,QAAQ,KAAK,UAAU;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAQ,KAAqC;AACjD,UAAM,KAAK,KAAK;AAGhB,UAAM,gBAAgB,aAAa,QAAQ,QAAQ,GAAG,EAAE;AACxD,QAAI,iBAAiB,KAAK,eAAe;AACvC,UAAI;AACF,cAAM,YAAY,MAAM,KAAK,QAAQ,aAAa;AAClD,cAAM,SAAS,KAAK,MAAM,SAAS;AAGnC,YAAI,OAAO,UAAU,KAAK,IAAI,IAAI,OAAO,QAAQ;AAC/C,gBAAM,KAAK,WAAW,GAAG;AACzB,iBAAO;AAAA,QACT;AAEA,eAAO,OAAO;AAAA,MAChB,SAAS,OAAO;AAAA,MAEhB;AAAA,IACF;AAGA,UAAM,YAAY,aAAa,QAAQ,GAAG;AAC1C,QAAI,CAAC,UAAW,QAAO;AAEvB,QAAI;AACF,YAAM,SAAS,KAAK,MAAM,SAAS;AAGnC,UAAI,OAAO,UAAU,KAAK,IAAI,IAAI,OAAO,QAAQ;AAC/C,cAAM,KAAK,WAAW,GAAG;AACzB,eAAO;AAAA,MACT;AAEA,aAAO,OAAO,SAAS;AAAA,IACzB,SAAS,OAAO;AAEd,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,KAA4B;AAC3C,iBAAa,WAAW,GAAG;AAC3B,iBAAa,WAAW,QAAQ,GAAG,EAAE;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAuB;AAC3B,UAAM,OAAO,OAAO,KAAK,YAAY;AACrC,eAAW,OAAO,MAAM;AACtB,UAAI,IAAI,WAAW,OAAO,GAAG;AAC3B,qBAAa,WAAW,GAAG;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,iBAAgC;AAC5C,QAAI,CAAC,OAAO,QAAQ,OAAQ;AAE5B,QAAI;AACF,WAAK,gBAAgB,MAAM,OAAO,OAAO,OAAO;AAAA,QAC9C,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,QAC/B;AAAA,QACA,CAAC,WAAW,SAAS;AAAA,MACvB;AAGA,YAAM,cAAc,MAAM,OAAO,OAAO,OAAO,UAAU,OAAO,KAAK,aAAa;AAClF,YAAM,UAAU,KAAK,oBAAoB,WAAW;AACpD,mBAAa,QAAQ,YAAY,OAAO;AAAA,IAC1C,SAAS,OAAO;AAAA,IAEhB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,MAA+B;AACnD,QAAI,CAAC,KAAK,iBAAiB,CAAC,OAAO,QAAQ,QAAQ;AACjD,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AAEA,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,aAAa,QAAQ,OAAO,IAAI;AACtC,UAAM,KAAK,OAAO,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAE3D,UAAM,YAAY,MAAM,OAAO,OAAO,OAAO;AAAA,MAC3C,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB,KAAK;AAAA,MACL;AAAA,IACF;AAGA,UAAM,WAAW,IAAI,WAAW,GAAG,SAAS,UAAU,UAAU;AAChE,aAAS,IAAI,EAAE;AACf,aAAS,IAAI,IAAI,WAAW,SAAS,GAAG,GAAG,MAAM;AAEjD,WAAO,KAAK,oBAAoB,SAAS,MAAM;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,eAAwC;AAC5D,QAAI,CAAC,KAAK,iBAAiB,CAAC,OAAO,QAAQ,QAAQ;AACjD,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AAEA,UAAM,WAAW,KAAK,oBAAoB,aAAa;AACvD,UAAM,KAAK,SAAS,MAAM,GAAG,EAAE;AAC/B,UAAM,YAAY,SAAS,MAAM,EAAE;AAEnC,UAAM,YAAY,MAAM,OAAO,OAAO,OAAO;AAAA,MAC3C,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB,KAAK;AAAA,MACL;AAAA,IACF;AAEA,UAAM,UAAU,IAAI,YAAY;AAChC,WAAO,QAAQ,OAAO,SAAS;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAoB,QAA6B;AACvD,UAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,QAAI,SAAS;AACb,aAAS,IAAI,GAAG,IAAI,MAAM,YAAY,KAAK;AACzC,gBAAU,OAAO,aAAa,MAAM,CAAC,CAAC;AAAA,IACxC;AACA,WAAO,KAAK,MAAM;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAoB,QAA6B;AACvD,UAAM,SAAS,KAAK,MAAM;AAC1B,UAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,aAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,YAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,IAChC;AACA,WAAO,MAAM;AAAA,EACf;AACF;AAEO,IAAM,gBAAgB,IAAI,kBAAkB;","names":[]}

package/dist/{chunk-VZ4VDGTB.js → chunk-W22JP75J.js}

@@ -1,27 +1,19 @@
 import {
-  init_useOrganisations,
   useOrganisations
-} from "./chunk-LIMSTKYD.js";
+} from "./chunk-QCDXODCA.js";
 import {
   EventServiceContext,
-  init_EventServiceProvider,
   useUnifiedAuth
-} from "./chunk-3JI76CYK.js";
+} from "./chunk-FUEYYMX5.js";
 import {
-  init_organisationContext,
   setOrganisationContext
-} from "./chunk-7QCC6MCP.js";
+} from "./chunk-VBXEHIUJ.js";
 import {
-  init_logger,
   logger
-} from "./chunk-XDNLUEXI.js";
+} from "./chunk-PWLANIRT.js";
 
 // src/hooks/useSecureDataAccess.ts
 import { useCallback, useState, useContext } from "react";
-init_useOrganisations();
-init_EventServiceProvider();
-init_organisationContext();
-init_logger();
 function useSecureDataAccess() {
   const { supabase, user, session } = useUnifiedAuth();
   const { ensureOrganisationContext } = useOrganisations();
@@ -394,4 +386,4 @@ function useSecureDataAccess() {
 export {
   useSecureDataAccess
 };
-//# sourceMappingURL=chunk-VZ4VDGTB.js.map
+//# sourceMappingURL=chunk-W22JP75J.js.map

package/dist/{chunk-VZ4VDGTB.js.map → chunk-W22JP75J.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/hooks/useSecureDataAccess.ts"],"sourcesContent":["/**\n * @file useSecureDataAccess Hook\n * @package @jmruthers/pace-core\n * @module Hooks/useSecureDataAccess\n * @since 0.4.0\n *\n * Hook for secure database operations with mandatory organisation context.\n * Ensures all data access is properly scoped to the user's current organisation.\n *\n * @example\n * ```tsx\n * function DataComponent() {\n *   const { secureQuery, secureInsert, secureUpdate, secureDelete } = useSecureDataAccess();\n *   \n *   const loadData = async () => {\n *     try {\n *       // Automatically includes organisation_id filter\n *       const events = await secureQuery('event', '*', { is_visible: true });\n *       console.log('Organisation events:', events);\n *     } catch (error) {\n *       console.error('Failed to load data:', error);\n *     }\n *   };\n *   \n *   const createEvent = async (eventData) => {\n *     try {\n *       // Automatically sets organisation_id\n *       const newEvent = await secureInsert('event', eventData);\n *       console.log('Created event:', newEvent);\n *     } catch (error) {\n *       console.error('Failed to create event:', error);\n *     }\n *   };\n *   \n *   return (\n *     <div>\n *       <button onClick={loadData}>Load Data</button>\n *       <button onClick={() => createEvent({ event_name: 'New Event' })}>\n *         Create Event\n *       </button>\n *     </div>\n *   );\n * }\n * ```\n *\n * @security\n * - All queries automatically include organisation_id filter\n * - Validates organisation context before any operation\n * - Prevents data leaks between organisations\n * - Error handling for security violations\n * - Type-safe database operations\n */\n\nimport { useCallback, useState, useContext } from 'react';\nimport { useUnifiedAuth } from '../providers';\nimport { useOrganisations } from './useOrganisations';\nimport { EventServiceContext } from '../providers/services/EventServiceProvider';\nimport { setOrganisationContext } from '../utils/context/organisationContext';\nimport { logger } from '../utils/core/logger';\nimport type { Permission } from '../rbac/types';\nimport type { OrganisationSecurityError } from '../types/organisation';\n\nexport interface SecureDataAccessReturn {\n  /** Execute a secure query with organisation filtering */\n  secureQuery: <T = any>(\n    table: string,\n    columns: string,\n    filters?: Record<string, any>,\n    options?: {\n      orderBy?: string;\n      ascending?: boolean;\n      limit?: number;\n      offset?: number;\n    }\n  ) => Promise<T[]>;\n  \n  /** Execute a secure insert with organisation context */\n  secureInsert: <T = any>(\n    table: string,\n    data: Record<string, any>\n  ) => Promise<T>;\n  \n  /** Execute a secure update with organisation filtering */\n  secureUpdate: <T = any>(\n    table: string,\n    data: Record<string, any>,\n    filters: Record<string, any>\n  ) => Promise<T[]>;\n  \n  /** Execute a secure delete with organisation filtering */\n  secureDelete: (\n    table: string,\n    filters: Record<string, any>\n  ) => Promise<void>;\n  \n  /** Execute a secure RPC call with organisation context */\n  secureRpc: <T = any>(\n    functionName: string,\n    params?: Record<string, any>\n  ) => Promise<T>;\n  \n  /** Get current organisation ID */\n  getCurrentOrganisationId: () => string;\n  \n  /** Validate organisation context */\n  validateContext: () => void;\n  \n  // NEW: Phase 1 - Enhanced Security Features\n  /** Check if data access is allowed for a table and operation */\n  isDataAccessAllowed: (table: string, operation: string) => boolean;\n  \n  /** Get all data access permissions for current user */\n  getDataAccessPermissions: () => Record<string, string[]>;\n  \n  /** Check if strict mode is enabled */\n  isStrictMode: boolean;\n  \n  /** Check if audit logging is enabled */\n  isAuditLogEnabled: boolean;\n  \n  /** Get data access history */\n  getDataAccessHistory: () => DataAccessRecord[];\n  \n  /** Clear data access history */\n  clearDataAccessHistory: () => void;\n  \n  /** Validate data access attempt */\n  validateDataAccess: (table: string, operation: string) => boolean;\n}\n\nexport interface DataAccessRecord {\n  table: string;\n  operation: string;\n  userId: string;\n  organisationId: string;\n  allowed: boolean;\n  timestamp: string;\n  query?: string;\n  filters?: Record<string, any>;\n}\n\n/**\n * Hook for secure data access with automatic organisation filtering\n * \n * All database operations automatically include organisation context:\n * - Queries filter by organisation_id\n * - Inserts include organisation_id\n * - Updates/deletes are scoped to organisation\n * - RPC calls include organisation_id parameter\n */\nexport function useSecureDataAccess(): SecureDataAccessReturn {\n  const { supabase, user, session } = useUnifiedAuth();\n  const { ensureOrganisationContext } = useOrganisations();\n  \n  // Get selected event for event-scoped RPC calls\n  // Use useContext directly to safely check if EventServiceProvider is available\n  const eventServiceContext = useContext(EventServiceContext);\n  const selectedEvent = eventServiceContext?.eventService?.getSelectedEvent() || null;\n\n  const validateContext = useCallback((): void => {\n    if (!supabase) {\n      throw new Error('No Supabase client available') as OrganisationSecurityError;\n    }\n    if (!user || !session) {\n      throw new Error('User must be authenticated with valid session') as OrganisationSecurityError;\n    }\n    \n    try {\n      ensureOrganisationContext();\n    } catch (error) {\n      throw new Error('Organisation context is required for data access') as OrganisationSecurityError;\n    }\n  }, [supabase, user, session, ensureOrganisationContext]);\n\n  const getCurrentOrganisationId = useCallback((): string => {\n    validateContext();\n    const currentOrg = ensureOrganisationContext();\n    return currentOrg.id;\n  }, [validateContext, ensureOrganisationContext]);\n\n  // Set organisation context in database session\n  const setOrganisationContextInSession = useCallback(async (organisationId: string): Promise<void> => {\n    if (!supabase) {\n      throw new Error('No Supabase client available') as OrganisationSecurityError;\n    }\n\n    await setOrganisationContext(supabase, organisationId);\n  }, [supabase]);\n\n  const secureQuery = useCallback(async <T = any>(\n    table: string,\n    columns: string,\n    filters: Record<string, any> = {},\n    options: {\n      orderBy?: string;\n      ascending?: boolean;\n      limit?: number;\n      offset?: number;\n    } = {}\n  ): Promise<T[]> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Build query with organisation filter\n    let query = supabase!\n      .from(table)\n      .select(columns);\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'event',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member',\n      // SECURITY: Phase 3A additions - medical and personal data\n      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',\n      'pace_consent', 'pace_contact', 'pace_id_documents', 'pace_qualifications',\n      'form_responses', 'form_response_values', 'forms',\n      // SECURITY: Phase 3B additions - remaining critical tables\n      'invoice', 'line_item', 'credit_balance', 'payment_method',\n      'form_contexts', 'form_field_config', 'form_fields',\n      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', \n      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', \n      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'\n    ];\n    \n    if (tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply additional filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        // Handle qualified column names (e.g., 'users.role')\n        const columnName = key.includes('.') ? key.split('.').pop()! : key;\n        query = query.eq(columnName, value);\n      }\n    });\n\n    // Apply options\n    if (options.orderBy) {\n      // Only use the column name, not a qualified name\n      const orderByColumn = options.orderBy.split('.').pop();\n      if (orderByColumn) {\n        query = query.order(orderByColumn, { ascending: options.ascending ?? true });\n      }\n    }\n    \n    if (options.limit) {\n      query = query.limit(options.limit);\n    }\n    \n    if (options.offset) {\n      query = query.range(options.offset, options.offset + (options.limit || 100) - 1);\n    }\n\n    const { data, error } = await query;\n    \n    if (error) {\n      logger.error('useSecureDataAccess', 'Query failed', { table, columns, filters, error });\n      // NEW: Phase 1 - Record failed data access attempt\n      recordDataAccess(table, 'read', false, `SELECT ${columns} FROM ${table}`, filters);\n      throw error;\n    }\n\n    // NEW: Phase 1 - Record successful data access attempt\n    recordDataAccess(table, 'read', true, `SELECT ${columns} FROM ${table}`, filters);\n\n    return (data as T[]) || [];\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);\n\n  const secureInsert = useCallback(async <T = any>(\n    table: string,\n    data: Record<string, any>\n  ): Promise<T> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Ensure organisation_id is set\n    const secureData = {\n      ...data,\n      organisation_id: organisationId\n    };\n\n    const { data: insertData, error } = await supabase!\n      .from(table)\n      .insert(secureData)\n      .select()\n      .single();\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Insert failed', { table, data: secureData, error });\n      throw error;\n    }\n\n    return insertData as T;\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);\n\n  const secureUpdate = useCallback(async <T = any>(\n    table: string,\n    data: Record<string, any>,\n    filters: Record<string, any>\n  ): Promise<T[]> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Filter out organisation_id from data to prevent manipulation\n    const { organisation_id, ...secureData } = data;\n    \n    // Build update query with organisation filter\n    let query = supabase!\n      .from(table)\n      .update(secureData);\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'event',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member'\n    ];\n    \n    if (tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        query = query.eq(key, value);\n      }\n    });\n\n    const { data: updateData, error } = await query.select();\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Update failed', { table, data: secureData, filters, error });\n      throw error;\n    }\n\n    return (updateData as T[]) || [];\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);\n\n  const secureDelete = useCallback(async (\n    table: string,\n    filters: Record<string, any>\n  ): Promise<void> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Build delete query with organisation filter\n    let query = supabase!\n      .from(table)\n      .delete();\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'event',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member',\n      // SECURITY: Phase 3A additions - medical and personal data\n      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',\n      'pace_consent', 'pace_contact', 'pace_id_documents', 'pace_qualifications',\n      'form_responses', 'form_response_values', 'forms',\n      // SECURITY: Phase 3B additions - remaining critical tables\n      'invoice', 'line_item', 'credit_balance', 'payment_method',\n      'form_contexts', 'form_field_config', 'form_fields',\n      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', \n      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', \n      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'\n    ];\n    \n    if (tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        query = query.eq(key, value);\n      }\n    });\n\n    const { error } = await query;\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Delete failed', { table, filters, error });\n      throw error;\n    }\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);\n\n  const secureRpc = useCallback(async <T = any>(\n    functionName: string,\n    params: Record<string, any> = {}\n  ): Promise<T> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Include organisation_id in RPC parameters\n    // Some functions use p_organisation_id instead of organisation_id (to avoid conflicts with RETURNS TABLE columns)\n    const functionsWithPOrganisationId = [\n      'data_cake_diners_list',\n      'data_cake_mealplans_list'\n    ];\n    \n    const paramName = functionsWithPOrganisationId.includes(functionName) \n      ? 'p_organisation_id' \n      : 'organisation_id';\n    \n    // Functions that need p_event_id for event-app role permission checks\n    // Note: Even org-scoped functions (like items, packages, suppliers) need event_id\n    //       for permission checks when users have event-app roles\n    const functionsNeedingEventId = [\n      'data_cake_items_list',\n      'data_cake_packages_list',\n      'data_cake_suppliers_list',\n      'data_cake_diettypes_list',\n      'data_cake_mealtypes_list',\n      'data_cake_diners_list',\n      'data_cake_mealplans_list',\n      'data_cake_dishes_list',\n      'data_cake_recipes_list',\n      'data_cake_meals_list',\n      'data_cake_units_list',\n      'data_cake_orders_list',\n      'app_cake_item_create',\n      'app_cake_item_update',\n      'app_cake_package_create',\n      'app_cake_package_update',\n      'app_cake_supplier_create',\n      'app_cake_supplier_update',\n      'app_cake_supplier_delete',\n      'app_cake_meal_create',\n      'app_cake_meal_update',\n      'app_cake_meal_delete',\n      'app_cake_unit_create',\n      'app_cake_unit_update',\n      'app_cake_unit_delete',\n      'app_cake_delivery_upsert'\n    ];\n    \n    // Build secureParams with correct parameter order\n    // For functions that require p_event_id as first parameter, ensure it's first\n    const secureParams: Record<string, any> = {};\n    \n    // Functions where p_event_id is the FIRST required parameter (no default)\n    const functionsWithEventIdFirst = [\n      'data_cake_meals_list',\n      'data_cake_units_list'\n    ];\n    \n    // Add p_user_id explicitly for functions that need it (even though it has a default)\n    // This ensures parameter matching works correctly\n    if (user?.id) {\n      secureParams.p_user_id = user.id;\n    }\n    \n    // Add organisation_id parameter\n    secureParams[paramName] = organisationId;\n    \n    // Add p_event_id if function needs it and event is selected\n    // CRITICAL: This must be added AFTER organisation_id but BEFORE caller params\n    // to ensure it's not overwritten. For data_cake_items_list, p_event_id is the 3rd param.\n    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {\n      secureParams.p_event_id = selectedEvent.event_id;\n    }\n    \n    // Add any other params passed by caller (limit, offset, etc.)\n    // NOTE: This will NOT overwrite p_event_id if caller passes it, but we want to ensure\n    // our value takes precedence if event is selected\n    Object.assign(secureParams, params);\n    \n    // Ensure p_event_id is set if needed (after Object.assign, so it overrides caller params)\n    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {\n      secureParams.p_event_id = selectedEvent.event_id;\n    }\n\n    const { data, error } = await supabase!.rpc(functionName, secureParams);\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'RPC failed', { functionName, params: secureParams, error });\n      throw error;\n    }\n\n    return data as T;\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, selectedEvent?.event_id, user?.id]);\n\n  // NEW: Phase 1 - Enhanced Security Features\n  const [dataAccessHistory, setDataAccessHistory] = useState<DataAccessRecord[]>([]);\n  const [isStrictMode] = useState(true); // Always enabled in Phase 1\n  const [isAuditLogEnabled] = useState(true); // Always enabled in Phase 1\n\n  // Check if data access is allowed for a table and operation\n  const isDataAccessAllowed = useCallback((table: string, operation: string): boolean => {\n    if (!user?.id) return false;\n    \n    // Use the existing RBAC system to check data access permissions\n    // This is a synchronous check for the context - actual permission checking\n    // happens in the secure data operations using the RBAC engine\n    const permission = `${operation}:data.${table}` as Permission;\n    \n    // For now, we'll return true and let the secure data operations\n    // handle the actual permission checking asynchronously\n    // This context is mainly for tracking and audit purposes\n    return true;\n  }, [user?.id]);\n\n  // Get all data access permissions for current user\n  const getDataAccessPermissions = useCallback((): Record<string, string[]> => {\n    if (!user?.id) return {};\n    \n    // For now, return empty object - this will be enhanced with actual permission checking\n    // when we integrate with the existing RBAC system\n    return {};\n  }, [user?.id]);\n\n  // Get data access history\n  const getDataAccessHistory = useCallback((): DataAccessRecord[] => {\n    return [...dataAccessHistory];\n  }, [dataAccessHistory]);\n\n  // Clear data access history\n  const clearDataAccessHistory = useCallback(() => {\n    setDataAccessHistory([]);\n  }, []);\n\n  // Validate data access attempt\n  const validateDataAccess = useCallback((table: string, operation: string): boolean => {\n    if (!user?.id) return false;\n    \n    // Validate organisation context\n    try {\n      validateContext();\n    } catch (error) {\n      logger.error('useSecureDataAccess', 'Organisation context validation failed', { table, operation, error });\n      return false;\n    }\n    \n    return isDataAccessAllowed(table, operation);\n  }, [user?.id, validateContext, isDataAccessAllowed]);\n\n  // Record data access attempt\n  const recordDataAccess = useCallback((\n    table: string,\n    operation: string,\n    allowed: boolean,\n    query?: string,\n    filters?: Record<string, any>\n  ) => {\n    if (!isAuditLogEnabled || !user?.id) return;\n    \n    const record: DataAccessRecord = {\n      table,\n      operation,\n      userId: user.id,\n      organisationId: getCurrentOrganisationId(),\n      allowed,\n      timestamp: new Date().toISOString(),\n      query,\n      filters\n    };\n    \n    setDataAccessHistory(prev => {\n      const newHistory = [record, ...prev];\n      return newHistory.slice(0, 1000); // Keep last 1000 records\n    });\n    \n    if (isStrictMode && !allowed) {\n      logger.error('useSecureDataAccess', 'STRICT MODE VIOLATION: User attempted data access without permission', {\n        table,\n        operation,\n        userId: user.id,\n        organisationId: getCurrentOrganisationId(),\n        timestamp: new Date().toISOString()\n      });\n    }\n  }, [isAuditLogEnabled, isStrictMode, user?.id, getCurrentOrganisationId]);\n\n  return {\n    secureQuery,\n    secureInsert,\n    secureUpdate,\n    secureDelete,\n    secureRpc,\n    getCurrentOrganisationId,\n    validateContext,\n    // NEW: Phase 1 - Enhanced Security Features\n    isDataAccessAllowed,\n    getDataAccessPermissions,\n    isStrictMode,\n    isAuditLogEnabled,\n    getDataAccessHistory,\n    clearDataAccessHistory,\n    validateDataAccess\n  };\n} "],"mappings":";;;;;;;;;;;;;;;;;;;AAqDA,SAAS,aAAa,UAAU,kBAAkB;AAElD;AACA;AACA;AACA;AA4FO,SAAS,sBAA8C;AAC5D,QAAM,EAAE,UAAU,MAAM,QAAQ,IAAI,eAAe;AACnD,QAAM,EAAE,0BAA0B,IAAI,iBAAiB;AAIvD,QAAM,sBAAsB,WAAW,mBAAmB;AAC1D,QAAM,gBAAgB,qBAAqB,cAAc,iBAAiB,KAAK;AAE/E,QAAM,kBAAkB,YAAY,MAAY;AAC9C,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AACA,QAAI,CAAC,QAAQ,CAAC,SAAS;AACrB,YAAM,IAAI,MAAM,+CAA+C;AAAA,IACjE;AAEA,QAAI;AACF,gCAA0B;AAAA,IAC5B,SAAS,OAAO;AACd,YAAM,IAAI,MAAM,kDAAkD;AAAA,IACpE;AAAA,EACF,GAAG,CAAC,UAAU,MAAM,SAAS,yBAAyB,CAAC;AAEvD,QAAM,2BAA2B,YAAY,MAAc;AACzD,oBAAgB;AAChB,UAAM,aAAa,0BAA0B;AAC7C,WAAO,WAAW;AAAA,EACpB,GAAG,CAAC,iBAAiB,yBAAyB,CAAC;AAG/C,QAAM,kCAAkC,YAAY,OAAO,mBAA0C;AACnG,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AAEA,UAAM,uBAAuB,UAAU,cAAc;AAAA,EACvD,GAAG,CAAC,QAAQ,CAAC;AAEb,QAAM,cAAc,YAAY,OAC9B,OACA,SACA,UAA+B,CAAC,GAChC,UAKI,CAAC,MACY;AACjB,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAGpD,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO,OAAO;AAGjB,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAU;AAAA,MACV;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA;AAAA,MAE7C;AAAA,MAAgB;AAAA,MAAkB;AAAA,MAAa;AAAA,MAAoB;AAAA,MACnE;AAAA,MAAgB;AAAA,MAAgB;AAAA,MAAqB;AAAA,MACrD;AAAA,MAAkB;AAAA,MAAwB;AAAA;AAAA,MAE1C;AAAA,MAAW;AAAA,MAAa;AAAA,MAAkB;AAAA,MAC1C;AAAA,MAAiB;AAAA,MAAqB;AAAA,MACtC;AAAA,MAAiB;AAAA,MAAiB;AAAA,MAAc;AAAA,MAAa;AAAA,MAC7D;AAAA,MAAkB;AAAA,MAAiB;AAAA,MAAgB;AAAA,MAAe;AAAA,MAClE;AAAA,MAAe;AAAA,MAAa;AAAA,MAAoB;AAAA,MAAoB;AAAA,IACtE;AAEA,QAAI,uBAAuB,SAAS,KAAK,GAAG;AAC1C,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AAEzC,cAAM,aAAa,IAAI,SAAS,GAAG,IAAI,IAAI,MAAM,GAAG,EAAE,IAAI,IAAK;AAC/D,gBAAQ,MAAM,GAAG,YAAY,KAAK;AAAA,MACpC;AAAA,IACF,CAAC;AAGD,QAAI,QAAQ,SAAS;AAEnB,YAAM,gBAAgB,QAAQ,QAAQ,MAAM,GAAG,EAAE,IAAI;AACrD,UAAI,eAAe;AACjB,gBAAQ,MAAM,MAAM,eAAe,EAAE,WAAW,QAAQ,aAAa,KAAK,CAAC;AAAA,MAC7E;AAAA,IACF;AAEA,QAAI,QAAQ,OAAO;AACjB,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AAEA,QAAI,QAAQ,QAAQ;AAClB,cAAQ,MAAM,MAAM,QAAQ,QAAQ,QAAQ,UAAU,QAAQ,SAAS,OAAO,CAAC;AAAA,IACjF;AAEA,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM;AAE9B,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,gBAAgB,EAAE,OAAO,SAAS,SAAS,MAAM,CAAC;AAEtF,uBAAiB,OAAO,QAAQ,OAAO,UAAU,OAAO,SAAS,KAAK,IAAI,OAAO;AACjF,YAAM;AAAA,IACR;AAGA,qBAAiB,OAAO,QAAQ,MAAM,UAAU,OAAO,SAAS,KAAK,IAAI,OAAO;AAEhF,WAAQ,QAAgB,CAAC;AAAA,EAC3B,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,QAAQ,CAAC;AAEzF,QAAM,eAAe,YAAY,OAC/B,OACA,SACe;AACf,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAGpD,UAAM,aAAa;AAAA,MACjB,GAAG;AAAA,MACH,iBAAiB;AAAA,IACnB;AAEA,UAAM,EAAE,MAAM,YAAY,MAAM,IAAI,MAAM,SACvC,KAAK,KAAK,EACV,OAAO,UAAU,EACjB,OAAO,EACP,OAAO;AAEV,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,MAAM,YAAY,MAAM,CAAC;AACvF,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,QAAQ,CAAC;AAEzF,QAAM,eAAe,YAAY,OAC/B,OACA,MACA,YACiB;AACjB,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAGpD,UAAM,EAAE,iBAAiB,GAAG,WAAW,IAAI;AAG3C,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO,UAAU;AAGpB,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAU;AAAA,MACV;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA,IAC/C;AAEA,QAAI,uBAAuB,SAAS,KAAK,GAAG;AAC1C,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,gBAAQ,MAAM,GAAG,KAAK,KAAK;AAAA,MAC7B;AAAA,IACF,CAAC;AAED,UAAM,EAAE,MAAM,YAAY,MAAM,IAAI,MAAM,MAAM,OAAO;AAEvD,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,MAAM,YAAY,SAAS,MAAM,CAAC;AAChG,YAAM;AAAA,IACR;AAEA,WAAQ,cAAsB,CAAC;AAAA,EACjC,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,QAAQ,CAAC;AAEzF,QAAM,eAAe,YAAY,OAC/B,OACA,YACkB;AAClB,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAGpD,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO;AAGV,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAU;AAAA,MACV;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA;AAAA,MAE7C;AAAA,MAAgB;AAAA,MAAkB;AAAA,MAAa;AAAA,MAAoB;AAAA,MACnE;AAAA,MAAgB;AAAA,MAAgB;AAAA,MAAqB;AAAA,MACrD;AAAA,MAAkB;AAAA,MAAwB;AAAA;AAAA,MAE1C;AAAA,MAAW;AAAA,MAAa;AAAA,MAAkB;AAAA,MAC1C;AAAA,MAAiB;AAAA,MAAqB;AAAA,MACtC;AAAA,MAAiB;AAAA,MAAiB;AAAA,MAAc;AAAA,MAAa;AAAA,MAC7D;AAAA,MAAkB;AAAA,MAAiB;AAAA,MAAgB;AAAA,MAAe;AAAA,MAClE;AAAA,MAAe;AAAA,MAAa;AAAA,MAAoB;AAAA,MAAoB;AAAA,IACtE;AAEA,QAAI,uBAAuB,SAAS,KAAK,GAAG;AAC1C,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,gBAAQ,MAAM,GAAG,KAAK,KAAK;AAAA,MAC7B;AAAA,IACF,CAAC;AAED,UAAM,EAAE,MAAM,IAAI,MAAM;AAExB,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,SAAS,MAAM,CAAC;AAC9E,YAAM;AAAA,IACR;AAAA,EACF,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,QAAQ,CAAC;AAEzF,QAAM,YAAY,YAAY,OAC5B,cACA,SAA8B,CAAC,MAChB;AACf,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAIpD,UAAM,+BAA+B;AAAA,MACnC;AAAA,MACA;AAAA,IACF;AAEA,UAAM,YAAY,6BAA6B,SAAS,YAAY,IAChE,sBACA;AAKJ,UAAM,0BAA0B;AAAA,MAC9B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAIA,UAAM,eAAoC,CAAC;AAG3C,UAAM,4BAA4B;AAAA,MAChC;AAAA,MACA;AAAA,IACF;AAIA,QAAI,MAAM,IAAI;AACZ,mBAAa,YAAY,KAAK;AAAA,IAChC;AAGA,iBAAa,SAAS,IAAI;AAK1B,QAAI,wBAAwB,SAAS,YAAY,KAAK,eAAe,UAAU;AAC7E,mBAAa,aAAa,cAAc;AAAA,IAC1C;AAKA,WAAO,OAAO,cAAc,MAAM;AAGlC,QAAI,wBAAwB,SAAS,YAAY,KAAK,eAAe,UAAU;AAC7E,mBAAa,aAAa,cAAc;AAAA,IAC1C;AAEA,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,SAAU,IAAI,cAAc,YAAY;AAEtE,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,cAAc,EAAE,cAAc,QAAQ,cAAc,MAAM,CAAC;AAC/F,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,eAAe,UAAU,MAAM,EAAE,CAAC;AAG5H,QAAM,CAAC,mBAAmB,oBAAoB,IAAI,SAA6B,CAAC,CAAC;AACjF,QAAM,CAAC,YAAY,IAAI,SAAS,IAAI;AACpC,QAAM,CAAC,iBAAiB,IAAI,SAAS,IAAI;AAGzC,QAAM,sBAAsB,YAAY,CAAC,OAAe,cAA+B;AACrF,QAAI,CAAC,MAAM,GAAI,QAAO;AAKtB,UAAM,aAAa,GAAG,SAAS,SAAS,KAAK;AAK7C,WAAO;AAAA,EACT,GAAG,CAAC,MAAM,EAAE,CAAC;AAGb,QAAM,2BAA2B,YAAY,MAAgC;AAC3E,QAAI,CAAC,MAAM,GAAI,QAAO,CAAC;AAIvB,WAAO,CAAC;AAAA,EACV,GAAG,CAAC,MAAM,EAAE,CAAC;AAGb,QAAM,uBAAuB,YAAY,MAA0B;AACjE,WAAO,CAAC,GAAG,iBAAiB;AAAA,EAC9B,GAAG,CAAC,iBAAiB,CAAC;AAGtB,QAAM,yBAAyB,YAAY,MAAM;AAC/C,yBAAqB,CAAC,CAAC;AAAA,EACzB,GAAG,CAAC,CAAC;AAGL,QAAM,qBAAqB,YAAY,CAAC,OAAe,cAA+B;AACpF,QAAI,CAAC,MAAM,GAAI,QAAO;AAGtB,QAAI;AACF,sBAAgB;AAAA,IAClB,SAAS,OAAO;AACd,aAAO,MAAM,uBAAuB,0CAA0C,EAAE,OAAO,WAAW,MAAM,CAAC;AACzG,aAAO;AAAA,IACT;AAEA,WAAO,oBAAoB,OAAO,SAAS;AAAA,EAC7C,GAAG,CAAC,MAAM,IAAI,iBAAiB,mBAAmB,CAAC;AAGnD,QAAM,mBAAmB,YAAY,CACnC,OACA,WACA,SACA,OACA,YACG;AACH,QAAI,CAAC,qBAAqB,CAAC,MAAM,GAAI;AAErC,UAAM,SAA2B;AAAA,MAC/B;AAAA,MACA;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,gBAAgB,yBAAyB;AAAA,MACzC;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,MACA;AAAA,IACF;AAEA,yBAAqB,UAAQ;AAC3B,YAAM,aAAa,CAAC,QAAQ,GAAG,IAAI;AACnC,aAAO,WAAW,MAAM,GAAG,GAAI;AAAA,IACjC,CAAC;AAED,QAAI,gBAAgB,CAAC,SAAS;AAC5B,aAAO,MAAM,uBAAuB,wEAAwE;AAAA,QAC1G;AAAA,QACA;AAAA,QACA,QAAQ,KAAK;AAAA,QACb,gBAAgB,yBAAyB;AAAA,QACzC,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MACpC,CAAC;AAAA,IACH;AAAA,EACF,GAAG,CAAC,mBAAmB,cAAc,MAAM,IAAI,wBAAwB,CAAC;AAExE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA;AAAA,IAEA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":["../src/hooks/useSecureDataAccess.ts"],"sourcesContent":["/**\n * @file useSecureDataAccess Hook\n * @package @jmruthers/pace-core\n * @module Hooks/useSecureDataAccess\n * @since 0.4.0\n *\n * Hook for secure database operations with mandatory organisation context.\n * Ensures all data access is properly scoped to the user's current organisation.\n *\n * @example\n * ```tsx\n * function DataComponent() {\n *   const { secureQuery, secureInsert, secureUpdate, secureDelete } = useSecureDataAccess();\n *   \n *   const loadData = async () => {\n *     try {\n *       // Automatically includes organisation_id filter\n *       const events = await secureQuery('event', '*', { is_visible: true });\n *       console.log('Organisation events:', events);\n *     } catch (error) {\n *       console.error('Failed to load data:', error);\n *     }\n *   };\n *   \n *   const createEvent = async (eventData) => {\n *     try {\n *       // Automatically sets organisation_id\n *       const newEvent = await secureInsert('event', eventData);\n *       console.log('Created event:', newEvent);\n *     } catch (error) {\n *       console.error('Failed to create event:', error);\n *     }\n *   };\n *   \n *   return (\n *     <div>\n *       <button onClick={loadData}>Load Data</button>\n *       <button onClick={() => createEvent({ event_name: 'New Event' })}>\n *         Create Event\n *       </button>\n *     </div>\n *   );\n * }\n * ```\n *\n * @security\n * - All queries automatically include organisation_id filter\n * - Validates organisation context before any operation\n * - Prevents data leaks between organisations\n * - Error handling for security violations\n * - Type-safe database operations\n */\n\nimport { useCallback, useState, useContext } from 'react';\nimport { useUnifiedAuth } from '../providers';\nimport { useOrganisations } from './useOrganisations';\nimport { EventServiceContext } from '../providers/services/EventServiceProvider';\nimport { setOrganisationContext } from '../utils/context/organisationContext';\nimport { logger } from '../utils/core/logger';\nimport type { Permission } from '../rbac/types';\nimport type { OrganisationSecurityError } from '../types/organisation';\n\nexport interface SecureDataAccessReturn {\n  /** Execute a secure query with organisation filtering */\n  secureQuery: <T = any>(\n    table: string,\n    columns: string,\n    filters?: Record<string, any>,\n    options?: {\n      orderBy?: string;\n      ascending?: boolean;\n      limit?: number;\n      offset?: number;\n    }\n  ) => Promise<T[]>;\n  \n  /** Execute a secure insert with organisation context */\n  secureInsert: <T = any>(\n    table: string,\n    data: Record<string, any>\n  ) => Promise<T>;\n  \n  /** Execute a secure update with organisation filtering */\n  secureUpdate: <T = any>(\n    table: string,\n    data: Record<string, any>,\n    filters: Record<string, any>\n  ) => Promise<T[]>;\n  \n  /** Execute a secure delete with organisation filtering */\n  secureDelete: (\n    table: string,\n    filters: Record<string, any>\n  ) => Promise<void>;\n  \n  /** Execute a secure RPC call with organisation context */\n  secureRpc: <T = any>(\n    functionName: string,\n    params?: Record<string, any>\n  ) => Promise<T>;\n  \n  /** Get current organisation ID */\n  getCurrentOrganisationId: () => string;\n  \n  /** Validate organisation context */\n  validateContext: () => void;\n  \n  // NEW: Phase 1 - Enhanced Security Features\n  /** Check if data access is allowed for a table and operation */\n  isDataAccessAllowed: (table: string, operation: string) => boolean;\n  \n  /** Get all data access permissions for current user */\n  getDataAccessPermissions: () => Record<string, string[]>;\n  \n  /** Check if strict mode is enabled */\n  isStrictMode: boolean;\n  \n  /** Check if audit logging is enabled */\n  isAuditLogEnabled: boolean;\n  \n  /** Get data access history */\n  getDataAccessHistory: () => DataAccessRecord[];\n  \n  /** Clear data access history */\n  clearDataAccessHistory: () => void;\n  \n  /** Validate data access attempt */\n  validateDataAccess: (table: string, operation: string) => boolean;\n}\n\nexport interface DataAccessRecord {\n  table: string;\n  operation: string;\n  userId: string;\n  organisationId: string;\n  allowed: boolean;\n  timestamp: string;\n  query?: string;\n  filters?: Record<string, any>;\n}\n\n/**\n * Hook for secure data access with automatic organisation filtering\n * \n * All database operations automatically include organisation context:\n * - Queries filter by organisation_id\n * - Inserts include organisation_id\n * - Updates/deletes are scoped to organisation\n * - RPC calls include organisation_id parameter\n */\nexport function useSecureDataAccess(): SecureDataAccessReturn {\n  const { supabase, user, session } = useUnifiedAuth();\n  const { ensureOrganisationContext } = useOrganisations();\n  \n  // Get selected event for event-scoped RPC calls\n  // Use useContext directly to safely check if EventServiceProvider is available\n  const eventServiceContext = useContext(EventServiceContext);\n  const selectedEvent = eventServiceContext?.eventService?.getSelectedEvent() || null;\n\n  const validateContext = useCallback((): void => {\n    if (!supabase) {\n      throw new Error('No Supabase client available') as OrganisationSecurityError;\n    }\n    if (!user || !session) {\n      throw new Error('User must be authenticated with valid session') as OrganisationSecurityError;\n    }\n    \n    try {\n      ensureOrganisationContext();\n    } catch (error) {\n      throw new Error('Organisation context is required for data access') as OrganisationSecurityError;\n    }\n  }, [supabase, user, session, ensureOrganisationContext]);\n\n  const getCurrentOrganisationId = useCallback((): string => {\n    validateContext();\n    const currentOrg = ensureOrganisationContext();\n    return currentOrg.id;\n  }, [validateContext, ensureOrganisationContext]);\n\n  // Set organisation context in database session\n  const setOrganisationContextInSession = useCallback(async (organisationId: string): Promise<void> => {\n    if (!supabase) {\n      throw new Error('No Supabase client available') as OrganisationSecurityError;\n    }\n\n    await setOrganisationContext(supabase, organisationId);\n  }, [supabase]);\n\n  const secureQuery = useCallback(async <T = any>(\n    table: string,\n    columns: string,\n    filters: Record<string, any> = {},\n    options: {\n      orderBy?: string;\n      ascending?: boolean;\n      limit?: number;\n      offset?: number;\n    } = {}\n  ): Promise<T[]> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Build query with organisation filter\n    let query = supabase!\n      .from(table)\n      .select(columns);\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'event',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member',\n      // SECURITY: Phase 3A additions - medical and personal data\n      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',\n      'pace_consent', 'pace_contact', 'pace_id_documents', 'pace_qualifications',\n      'form_responses', 'form_response_values', 'forms',\n      // SECURITY: Phase 3B additions - remaining critical tables\n      'invoice', 'line_item', 'credit_balance', 'payment_method',\n      'form_contexts', 'form_field_config', 'form_fields',\n      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', \n      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', \n      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'\n    ];\n    \n    if (tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply additional filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        // Handle qualified column names (e.g., 'users.role')\n        const columnName = key.includes('.') ? key.split('.').pop()! : key;\n        query = query.eq(columnName, value);\n      }\n    });\n\n    // Apply options\n    if (options.orderBy) {\n      // Only use the column name, not a qualified name\n      const orderByColumn = options.orderBy.split('.').pop();\n      if (orderByColumn) {\n        query = query.order(orderByColumn, { ascending: options.ascending ?? true });\n      }\n    }\n    \n    if (options.limit) {\n      query = query.limit(options.limit);\n    }\n    \n    if (options.offset) {\n      query = query.range(options.offset, options.offset + (options.limit || 100) - 1);\n    }\n\n    const { data, error } = await query;\n    \n    if (error) {\n      logger.error('useSecureDataAccess', 'Query failed', { table, columns, filters, error });\n      // NEW: Phase 1 - Record failed data access attempt\n      recordDataAccess(table, 'read', false, `SELECT ${columns} FROM ${table}`, filters);\n      throw error;\n    }\n\n    // NEW: Phase 1 - Record successful data access attempt\n    recordDataAccess(table, 'read', true, `SELECT ${columns} FROM ${table}`, filters);\n\n    return (data as T[]) || [];\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);\n\n  const secureInsert = useCallback(async <T = any>(\n    table: string,\n    data: Record<string, any>\n  ): Promise<T> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Ensure organisation_id is set\n    const secureData = {\n      ...data,\n      organisation_id: organisationId\n    };\n\n    const { data: insertData, error } = await supabase!\n      .from(table)\n      .insert(secureData)\n      .select()\n      .single();\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Insert failed', { table, data: secureData, error });\n      throw error;\n    }\n\n    return insertData as T;\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);\n\n  const secureUpdate = useCallback(async <T = any>(\n    table: string,\n    data: Record<string, any>,\n    filters: Record<string, any>\n  ): Promise<T[]> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Filter out organisation_id from data to prevent manipulation\n    const { organisation_id, ...secureData } = data;\n    \n    // Build update query with organisation filter\n    let query = supabase!\n      .from(table)\n      .update(secureData);\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'event',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member'\n    ];\n    \n    if (tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        query = query.eq(key, value);\n      }\n    });\n\n    const { data: updateData, error } = await query.select();\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Update failed', { table, data: secureData, filters, error });\n      throw error;\n    }\n\n    return (updateData as T[]) || [];\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);\n\n  const secureDelete = useCallback(async (\n    table: string,\n    filters: Record<string, any>\n  ): Promise<void> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Build delete query with organisation filter\n    let query = supabase!\n      .from(table)\n      .delete();\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'event',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member',\n      // SECURITY: Phase 3A additions - medical and personal data\n      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',\n      'pace_consent', 'pace_contact', 'pace_id_documents', 'pace_qualifications',\n      'form_responses', 'form_response_values', 'forms',\n      // SECURITY: Phase 3B additions - remaining critical tables\n      'invoice', 'line_item', 'credit_balance', 'payment_method',\n      'form_contexts', 'form_field_config', 'form_fields',\n      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', \n      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', \n      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'\n    ];\n    \n    if (tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        query = query.eq(key, value);\n      }\n    });\n\n    const { error } = await query;\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Delete failed', { table, filters, error });\n      throw error;\n    }\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase]);\n\n  const secureRpc = useCallback(async <T = any>(\n    functionName: string,\n    params: Record<string, any> = {}\n  ): Promise<T> => {\n    validateContext();\n    const organisationId = getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Include organisation_id in RPC parameters\n    // Some functions use p_organisation_id instead of organisation_id (to avoid conflicts with RETURNS TABLE columns)\n    const functionsWithPOrganisationId = [\n      'data_cake_diners_list',\n      'data_cake_mealplans_list'\n    ];\n    \n    const paramName = functionsWithPOrganisationId.includes(functionName) \n      ? 'p_organisation_id' \n      : 'organisation_id';\n    \n    // Functions that need p_event_id for event-app role permission checks\n    // Note: Even org-scoped functions (like items, packages, suppliers) need event_id\n    //       for permission checks when users have event-app roles\n    const functionsNeedingEventId = [\n      'data_cake_items_list',\n      'data_cake_packages_list',\n      'data_cake_suppliers_list',\n      'data_cake_diettypes_list',\n      'data_cake_mealtypes_list',\n      'data_cake_diners_list',\n      'data_cake_mealplans_list',\n      'data_cake_dishes_list',\n      'data_cake_recipes_list',\n      'data_cake_meals_list',\n      'data_cake_units_list',\n      'data_cake_orders_list',\n      'app_cake_item_create',\n      'app_cake_item_update',\n      'app_cake_package_create',\n      'app_cake_package_update',\n      'app_cake_supplier_create',\n      'app_cake_supplier_update',\n      'app_cake_supplier_delete',\n      'app_cake_meal_create',\n      'app_cake_meal_update',\n      'app_cake_meal_delete',\n      'app_cake_unit_create',\n      'app_cake_unit_update',\n      'app_cake_unit_delete',\n      'app_cake_delivery_upsert'\n    ];\n    \n    // Build secureParams with correct parameter order\n    // For functions that require p_event_id as first parameter, ensure it's first\n    const secureParams: Record<string, any> = {};\n    \n    // Functions where p_event_id is the FIRST required parameter (no default)\n    const functionsWithEventIdFirst = [\n      'data_cake_meals_list',\n      'data_cake_units_list'\n    ];\n    \n    // Add p_user_id explicitly for functions that need it (even though it has a default)\n    // This ensures parameter matching works correctly\n    if (user?.id) {\n      secureParams.p_user_id = user.id;\n    }\n    \n    // Add organisation_id parameter\n    secureParams[paramName] = organisationId;\n    \n    // Add p_event_id if function needs it and event is selected\n    // CRITICAL: This must be added AFTER organisation_id but BEFORE caller params\n    // to ensure it's not overwritten. For data_cake_items_list, p_event_id is the 3rd param.\n    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {\n      secureParams.p_event_id = selectedEvent.event_id;\n    }\n    \n    // Add any other params passed by caller (limit, offset, etc.)\n    // NOTE: This will NOT overwrite p_event_id if caller passes it, but we want to ensure\n    // our value takes precedence if event is selected\n    Object.assign(secureParams, params);\n    \n    // Ensure p_event_id is set if needed (after Object.assign, so it overrides caller params)\n    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {\n      secureParams.p_event_id = selectedEvent.event_id;\n    }\n\n    const { data, error } = await supabase!.rpc(functionName, secureParams);\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'RPC failed', { functionName, params: secureParams, error });\n      throw error;\n    }\n\n    return data as T;\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, selectedEvent?.event_id, user?.id]);\n\n  // NEW: Phase 1 - Enhanced Security Features\n  const [dataAccessHistory, setDataAccessHistory] = useState<DataAccessRecord[]>([]);\n  const [isStrictMode] = useState(true); // Always enabled in Phase 1\n  const [isAuditLogEnabled] = useState(true); // Always enabled in Phase 1\n\n  // Check if data access is allowed for a table and operation\n  const isDataAccessAllowed = useCallback((table: string, operation: string): boolean => {\n    if (!user?.id) return false;\n    \n    // Use the existing RBAC system to check data access permissions\n    // This is a synchronous check for the context - actual permission checking\n    // happens in the secure data operations using the RBAC engine\n    const permission = `${operation}:data.${table}` as Permission;\n    \n    // For now, we'll return true and let the secure data operations\n    // handle the actual permission checking asynchronously\n    // This context is mainly for tracking and audit purposes\n    return true;\n  }, [user?.id]);\n\n  // Get all data access permissions for current user\n  const getDataAccessPermissions = useCallback((): Record<string, string[]> => {\n    if (!user?.id) return {};\n    \n    // For now, return empty object - this will be enhanced with actual permission checking\n    // when we integrate with the existing RBAC system\n    return {};\n  }, [user?.id]);\n\n  // Get data access history\n  const getDataAccessHistory = useCallback((): DataAccessRecord[] => {\n    return [...dataAccessHistory];\n  }, [dataAccessHistory]);\n\n  // Clear data access history\n  const clearDataAccessHistory = useCallback(() => {\n    setDataAccessHistory([]);\n  }, []);\n\n  // Validate data access attempt\n  const validateDataAccess = useCallback((table: string, operation: string): boolean => {\n    if (!user?.id) return false;\n    \n    // Validate organisation context\n    try {\n      validateContext();\n    } catch (error) {\n      logger.error('useSecureDataAccess', 'Organisation context validation failed', { table, operation, error });\n      return false;\n    }\n    \n    return isDataAccessAllowed(table, operation);\n  }, [user?.id, validateContext, isDataAccessAllowed]);\n\n  // Record data access attempt\n  const recordDataAccess = useCallback((\n    table: string,\n    operation: string,\n    allowed: boolean,\n    query?: string,\n    filters?: Record<string, any>\n  ) => {\n    if (!isAuditLogEnabled || !user?.id) return;\n    \n    const record: DataAccessRecord = {\n      table,\n      operation,\n      userId: user.id,\n      organisationId: getCurrentOrganisationId(),\n      allowed,\n      timestamp: new Date().toISOString(),\n      query,\n      filters\n    };\n    \n    setDataAccessHistory(prev => {\n      const newHistory = [record, ...prev];\n      return newHistory.slice(0, 1000); // Keep last 1000 records\n    });\n    \n    if (isStrictMode && !allowed) {\n      logger.error('useSecureDataAccess', 'STRICT MODE VIOLATION: User attempted data access without permission', {\n        table,\n        operation,\n        userId: user.id,\n        organisationId: getCurrentOrganisationId(),\n        timestamp: new Date().toISOString()\n      });\n    }\n  }, [isAuditLogEnabled, isStrictMode, user?.id, getCurrentOrganisationId]);\n\n  return {\n    secureQuery,\n    secureInsert,\n    secureUpdate,\n    secureDelete,\n    secureRpc,\n    getCurrentOrganisationId,\n    validateContext,\n    // NEW: Phase 1 - Enhanced Security Features\n    isDataAccessAllowed,\n    getDataAccessPermissions,\n    isStrictMode,\n    isAuditLogEnabled,\n    getDataAccessHistory,\n    clearDataAccessHistory,\n    validateDataAccess\n  };\n} "],"mappings":";;;;;;;;;;;;;;;AAqDA,SAAS,aAAa,UAAU,kBAAkB;AAiG3C,SAAS,sBAA8C;AAC5D,QAAM,EAAE,UAAU,MAAM,QAAQ,IAAI,eAAe;AACnD,QAAM,EAAE,0BAA0B,IAAI,iBAAiB;AAIvD,QAAM,sBAAsB,WAAW,mBAAmB;AAC1D,QAAM,gBAAgB,qBAAqB,cAAc,iBAAiB,KAAK;AAE/E,QAAM,kBAAkB,YAAY,MAAY;AAC9C,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AACA,QAAI,CAAC,QAAQ,CAAC,SAAS;AACrB,YAAM,IAAI,MAAM,+CAA+C;AAAA,IACjE;AAEA,QAAI;AACF,gCAA0B;AAAA,IAC5B,SAAS,OAAO;AACd,YAAM,IAAI,MAAM,kDAAkD;AAAA,IACpE;AAAA,EACF,GAAG,CAAC,UAAU,MAAM,SAAS,yBAAyB,CAAC;AAEvD,QAAM,2BAA2B,YAAY,MAAc;AACzD,oBAAgB;AAChB,UAAM,aAAa,0BAA0B;AAC7C,WAAO,WAAW;AAAA,EACpB,GAAG,CAAC,iBAAiB,yBAAyB,CAAC;AAG/C,QAAM,kCAAkC,YAAY,OAAO,mBAA0C;AACnG,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AAEA,UAAM,uBAAuB,UAAU,cAAc;AAAA,EACvD,GAAG,CAAC,QAAQ,CAAC;AAEb,QAAM,cAAc,YAAY,OAC9B,OACA,SACA,UAA+B,CAAC,GAChC,UAKI,CAAC,MACY;AACjB,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAGpD,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO,OAAO;AAGjB,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAU;AAAA,MACV;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA;AAAA,MAE7C;AAAA,MAAgB;AAAA,MAAkB;AAAA,MAAa;AAAA,MAAoB;AAAA,MACnE;AAAA,MAAgB;AAAA,MAAgB;AAAA,MAAqB;AAAA,MACrD;AAAA,MAAkB;AAAA,MAAwB;AAAA;AAAA,MAE1C;AAAA,MAAW;AAAA,MAAa;AAAA,MAAkB;AAAA,MAC1C;AAAA,MAAiB;AAAA,MAAqB;AAAA,MACtC;AAAA,MAAiB;AAAA,MAAiB;AAAA,MAAc;AAAA,MAAa;AAAA,MAC7D;AAAA,MAAkB;AAAA,MAAiB;AAAA,MAAgB;AAAA,MAAe;AAAA,MAClE;AAAA,MAAe;AAAA,MAAa;AAAA,MAAoB;AAAA,MAAoB;AAAA,IACtE;AAEA,QAAI,uBAAuB,SAAS,KAAK,GAAG;AAC1C,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AAEzC,cAAM,aAAa,IAAI,SAAS,GAAG,IAAI,IAAI,MAAM,GAAG,EAAE,IAAI,IAAK;AAC/D,gBAAQ,MAAM,GAAG,YAAY,KAAK;AAAA,MACpC;AAAA,IACF,CAAC;AAGD,QAAI,QAAQ,SAAS;AAEnB,YAAM,gBAAgB,QAAQ,QAAQ,MAAM,GAAG,EAAE,IAAI;AACrD,UAAI,eAAe;AACjB,gBAAQ,MAAM,MAAM,eAAe,EAAE,WAAW,QAAQ,aAAa,KAAK,CAAC;AAAA,MAC7E;AAAA,IACF;AAEA,QAAI,QAAQ,OAAO;AACjB,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AAEA,QAAI,QAAQ,QAAQ;AAClB,cAAQ,MAAM,MAAM,QAAQ,QAAQ,QAAQ,UAAU,QAAQ,SAAS,OAAO,CAAC;AAAA,IACjF;AAEA,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM;AAE9B,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,gBAAgB,EAAE,OAAO,SAAS,SAAS,MAAM,CAAC;AAEtF,uBAAiB,OAAO,QAAQ,OAAO,UAAU,OAAO,SAAS,KAAK,IAAI,OAAO;AACjF,YAAM;AAAA,IACR;AAGA,qBAAiB,OAAO,QAAQ,MAAM,UAAU,OAAO,SAAS,KAAK,IAAI,OAAO;AAEhF,WAAQ,QAAgB,CAAC;AAAA,EAC3B,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,QAAQ,CAAC;AAEzF,QAAM,eAAe,YAAY,OAC/B,OACA,SACe;AACf,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAGpD,UAAM,aAAa;AAAA,MACjB,GAAG;AAAA,MACH,iBAAiB;AAAA,IACnB;AAEA,UAAM,EAAE,MAAM,YAAY,MAAM,IAAI,MAAM,SACvC,KAAK,KAAK,EACV,OAAO,UAAU,EACjB,OAAO,EACP,OAAO;AAEV,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,MAAM,YAAY,MAAM,CAAC;AACvF,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,QAAQ,CAAC;AAEzF,QAAM,eAAe,YAAY,OAC/B,OACA,MACA,YACiB;AACjB,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAGpD,UAAM,EAAE,iBAAiB,GAAG,WAAW,IAAI;AAG3C,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO,UAAU;AAGpB,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAU;AAAA,MACV;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA,IAC/C;AAEA,QAAI,uBAAuB,SAAS,KAAK,GAAG;AAC1C,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,gBAAQ,MAAM,GAAG,KAAK,KAAK;AAAA,MAC7B;AAAA,IACF,CAAC;AAED,UAAM,EAAE,MAAM,YAAY,MAAM,IAAI,MAAM,MAAM,OAAO;AAEvD,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,MAAM,YAAY,SAAS,MAAM,CAAC;AAChG,YAAM;AAAA,IACR;AAEA,WAAQ,cAAsB,CAAC;AAAA,EACjC,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,QAAQ,CAAC;AAEzF,QAAM,eAAe,YAAY,OAC/B,OACA,YACkB;AAClB,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAGpD,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO;AAGV,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAU;AAAA,MACV;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA;AAAA,MAE7C;AAAA,MAAgB;AAAA,MAAkB;AAAA,MAAa;AAAA,MAAoB;AAAA,MACnE;AAAA,MAAgB;AAAA,MAAgB;AAAA,MAAqB;AAAA,MACrD;AAAA,MAAkB;AAAA,MAAwB;AAAA;AAAA,MAE1C;AAAA,MAAW;AAAA,MAAa;AAAA,MAAkB;AAAA,MAC1C;AAAA,MAAiB;AAAA,MAAqB;AAAA,MACtC;AAAA,MAAiB;AAAA,MAAiB;AAAA,MAAc;AAAA,MAAa;AAAA,MAC7D;AAAA,MAAkB;AAAA,MAAiB;AAAA,MAAgB;AAAA,MAAe;AAAA,MAClE;AAAA,MAAe;AAAA,MAAa;AAAA,MAAoB;AAAA,MAAoB;AAAA,IACtE;AAEA,QAAI,uBAAuB,SAAS,KAAK,GAAG;AAC1C,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,gBAAQ,MAAM,GAAG,KAAK,KAAK;AAAA,MAC7B;AAAA,IACF,CAAC;AAED,UAAM,EAAE,MAAM,IAAI,MAAM;AAExB,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,SAAS,MAAM,CAAC;AAC9E,YAAM;AAAA,IACR;AAAA,EACF,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,QAAQ,CAAC;AAEzF,QAAM,YAAY,YAAY,OAC5B,cACA,SAA8B,CAAC,MAChB;AACf,oBAAgB;AAChB,UAAM,iBAAiB,yBAAyB;AAGhD,UAAM,gCAAgC,cAAc;AAIpD,UAAM,+BAA+B;AAAA,MACnC;AAAA,MACA;AAAA,IACF;AAEA,UAAM,YAAY,6BAA6B,SAAS,YAAY,IAChE,sBACA;AAKJ,UAAM,0BAA0B;AAAA,MAC9B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAIA,UAAM,eAAoC,CAAC;AAG3C,UAAM,4BAA4B;AAAA,MAChC;AAAA,MACA;AAAA,IACF;AAIA,QAAI,MAAM,IAAI;AACZ,mBAAa,YAAY,KAAK;AAAA,IAChC;AAGA,iBAAa,SAAS,IAAI;AAK1B,QAAI,wBAAwB,SAAS,YAAY,KAAK,eAAe,UAAU;AAC7E,mBAAa,aAAa,cAAc;AAAA,IAC1C;AAKA,WAAO,OAAO,cAAc,MAAM;AAGlC,QAAI,wBAAwB,SAAS,YAAY,KAAK,eAAe,UAAU;AAC7E,mBAAa,aAAa,cAAc;AAAA,IAC1C;AAEA,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,SAAU,IAAI,cAAc,YAAY;AAEtE,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,cAAc,EAAE,cAAc,QAAQ,cAAc,MAAM,CAAC;AAC/F,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,eAAe,UAAU,MAAM,EAAE,CAAC;AAG5H,QAAM,CAAC,mBAAmB,oBAAoB,IAAI,SAA6B,CAAC,CAAC;AACjF,QAAM,CAAC,YAAY,IAAI,SAAS,IAAI;AACpC,QAAM,CAAC,iBAAiB,IAAI,SAAS,IAAI;AAGzC,QAAM,sBAAsB,YAAY,CAAC,OAAe,cAA+B;AACrF,QAAI,CAAC,MAAM,GAAI,QAAO;AAKtB,UAAM,aAAa,GAAG,SAAS,SAAS,KAAK;AAK7C,WAAO;AAAA,EACT,GAAG,CAAC,MAAM,EAAE,CAAC;AAGb,QAAM,2BAA2B,YAAY,MAAgC;AAC3E,QAAI,CAAC,MAAM,GAAI,QAAO,CAAC;AAIvB,WAAO,CAAC;AAAA,EACV,GAAG,CAAC,MAAM,EAAE,CAAC;AAGb,QAAM,uBAAuB,YAAY,MAA0B;AACjE,WAAO,CAAC,GAAG,iBAAiB;AAAA,EAC9B,GAAG,CAAC,iBAAiB,CAAC;AAGtB,QAAM,yBAAyB,YAAY,MAAM;AAC/C,yBAAqB,CAAC,CAAC;AAAA,EACzB,GAAG,CAAC,CAAC;AAGL,QAAM,qBAAqB,YAAY,CAAC,OAAe,cAA+B;AACpF,QAAI,CAAC,MAAM,GAAI,QAAO;AAGtB,QAAI;AACF,sBAAgB;AAAA,IAClB,SAAS,OAAO;AACd,aAAO,MAAM,uBAAuB,0CAA0C,EAAE,OAAO,WAAW,MAAM,CAAC;AACzG,aAAO;AAAA,IACT;AAEA,WAAO,oBAAoB,OAAO,SAAS;AAAA,EAC7C,GAAG,CAAC,MAAM,IAAI,iBAAiB,mBAAmB,CAAC;AAGnD,QAAM,mBAAmB,YAAY,CACnC,OACA,WACA,SACA,OACA,YACG;AACH,QAAI,CAAC,qBAAqB,CAAC,MAAM,GAAI;AAErC,UAAM,SAA2B;AAAA,MAC/B;AAAA,MACA;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,gBAAgB,yBAAyB;AAAA,MACzC;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,MACA;AAAA,IACF;AAEA,yBAAqB,UAAQ;AAC3B,YAAM,aAAa,CAAC,QAAQ,GAAG,IAAI;AACnC,aAAO,WAAW,MAAM,GAAG,GAAI;AAAA,IACjC,CAAC;AAED,QAAI,gBAAgB,CAAC,SAAS;AAC5B,aAAO,MAAM,uBAAuB,wEAAwE;AAAA,QAC1G;AAAA,QACA;AAAA,QACA,QAAQ,KAAK;AAAA,QACb,gBAAgB,yBAAyB;AAAA,QACzC,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MACpC,CAAC;AAAA,IACH;AAAA,EACF,GAAG,CAAC,mBAAmB,cAAc,MAAM,IAAI,wBAAwB,CAAC;AAExE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA;AAAA,IAEA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}