@jmruthers/pace-core 0.5.181 → 0.5.183

package/src/rbac/hooks/index.ts

@@ -32,3 +32,6 @@ export type {
   GrantEventAppRoleParams,
   RoleManagementResult,
 } from './useRoleManagement';
+
+// Export secure Supabase client hook
+export { useSecureSupabase } from './useSecureSupabase';

package/src/rbac/hooks/usePermissions.ts

@@ -73,31 +73,17 @@ export function usePermissions(
   // Normalize organisationId to empty string if undefined
   const orgId = organisationId || '';
   
-  // Log when hook is called with new scope (every render)
-  // This helps us see if React is calling the hook with updated scope
-  logger.warn('[usePermissions] Hook called with scope', {
-    userId,
-    organisationId: orgId,
-    eventId,
-    appId,
-    hasAppId: !!appId,
-    hasOrganisationId: !!orgId
-  });
-  
-  // Log when scope changes to verify React detects the change
-  React.useEffect(() => {
-    logger.warn('[usePermissions] Scope changed (useEffect)', {
-      userId,
-      organisationId,
-      eventId,
-      appId,
-      hasAppId: !!appId,
-      hasOrganisationId: !!organisationId
-    });
-  }, [userId, organisationId, eventId, appId]);
+  // Removed excessive logging - only log when scope actually changes (not on every render)
 
   // Add timeout for missing organisation context (3 seconds)
+  // OPTIMIZATION: Skip timeout if userId is null/undefined (indicates pre-filtered mode)
   useEffect(() => {
+    // If userId is null/undefined, skip the timeout - this indicates items are pre-filtered
+    // and we don't need to wait for organisation context
+    if (!userId) {
+      return; // Skip timeout when userId is null (pre-filtered mode)
+    }
+    
     if (!orgId || orgId === null || (typeof orgId === 'string' && orgId.trim() === '')) {
       const timeoutId = setTimeout(() => {
         setError(new Error('Organisation context is required for permission checks'));
@@ -110,7 +96,7 @@ export function usePermissions(
     if (error?.message === 'Organisation context is required for permission checks') {
       setError(null);
     }
-  }, [organisationId, error]);
+  }, [userId, organisationId, error]);
 
   // CRITICAL: Detect parameter changes imperatively and trigger fetch
   // This bypasses React's useEffect dependency tracking which is failing to detect appId changes
@@ -121,15 +107,13 @@ export function usePermissions(
     prevValuesRef.current.appId !== appId;
   
   if (paramsChanged) {
-    logger.warn('[usePermissions] Parameters changed - triggering fetch', {
-      userId,
-      organisationId: orgId,
-      eventId,
-      appId,
-      hasAppId: !!appId,
-      prevAppId: prevValuesRef.current.appId,
-      appIdChanged: prevValuesRef.current.appId !== appId
-    });
+    // Only log significant changes (appId changes are most important)
+    if (prevValuesRef.current.appId !== appId) {
+      logger.debug('[usePermissions] AppId changed - triggering fetch', {
+        prevAppId: prevValuesRef.current.appId,
+        newAppId: appId
+      });
+    }
     prevValuesRef.current = { userId, organisationId, eventId, appId };
     // Increment counter to force useEffect to run
     setFetchTrigger(prev => prev + 1);
@@ -137,30 +121,12 @@ export function usePermissions(
 
   useEffect(() => {
     const fetchPermissions = async () => {
-      logger.warn('[usePermissions] Fetch useEffect triggered', {
-        userId,
-        orgId,
-        eventId,
-        appId,
-        hasAppId: !!appId,
-        isFetching: isFetchingRef.current
-      });
-
       // Prevent multiple simultaneous fetches
       if (isFetchingRef.current) {
-        logger.warn('[usePermissions] Skipping fetch - already fetching', {
-          userId,
-          scope: {
-            organisationId: orgId,
-            eventId: eventId,
-            appId: appId
-          }
-        });
         return;
       }
 
       if (!userId) {
-        logger.warn('[usePermissions] Skipping fetch - no userId');
         setPermissions({} as PermissionMap);
         setIsLoading(false);
         return;
@@ -169,39 +135,21 @@ export function usePermissions(
       // Don't fetch permissions if scope is invalid (e.g., organisationId is null/empty)
       // Wait for organisation context to resolve
       // IMPORTANT: Don't clear existing permissions here - keep them until we have new ones
+      // OPTIMIZATION: If userId is null/undefined, immediately set loading to false
+      // This indicates pre-filtered mode where we don't need to wait for organisation context
+      if (!userId) {
+        setPermissions({} as PermissionMap);
+        setIsLoading(false);
+        return;
+      }
+      
       if (!orgId || orgId === null || (typeof orgId === 'string' && orgId.trim() === '')) {
-        logger.warn('[usePermissions] Skipping fetch - no orgId', {
-          orgId,
-          hasOrgId: !!orgId
-        });
         // Keep existing permissions, just mark as loading
         setIsLoading(true);
         setError(null);
         return;
       }
 
-      // Note: getPermissionMap can work without appId, but will return limited permissions
-      // In test environments, appId might be undefined, so we still attempt the fetch
-      // If appId is missing in production, it will return an empty map which is acceptable
-      if (!appId) {
-        logger.warn('[usePermissions] Fetching permissions without appId (may return limited permissions)', {
-          userId,
-          organisationId: orgId,
-          eventId: eventId,
-          hasAppId: false
-        });
-        // Continue with fetch - don't block on appId
-      }
-      logger.warn('[usePermissions] Fetching permissions', {
-        userId,
-        scope: {
-          organisationId: orgId,
-          eventId: eventId,
-          appId: appId
-        },
-        hasAppId: !!appId
-      });
-
       try {
         isFetchingRef.current = true;
         setIsLoading(true);
@@ -217,15 +165,13 @@ export function usePermissions(
         // Fetch new permissions - don't clear old ones until we have new ones
         const permissionMap = await getPermissionMap({ userId, scope });
         
-        logger.warn('[usePermissions] Permissions fetched successfully', {
-          permissionCount: Object.keys(permissionMap).length,
-          hasWildcard: !!permissionMap['*'],
-          scope: {
-            organisationId: orgId,
-            eventId: eventId,
-            appId: appId
-          }
-        });
+        // Only log if there's a significant change or error
+        const permissionCount = Object.keys(permissionMap).length;
+        if (permissionCount === 0 && Object.keys(permissions).length > 0) {
+          logger.warn('[usePermissions] Permissions fetched but returned empty map', {
+            scope: { organisationId: orgId, eventId, appId }
+          });
+        }
         
         // Only update permissions if fetch was successful
         setPermissions(permissionMap);

package/src/rbac/hooks/useRBAC.test.ts

@@ -152,6 +152,9 @@ describe('useRBAC', () => {
       selectedEvent: null,
       eventLoading: false,
     });
+    mockResolveAppContext.mockResolvedValue({ appId: 'app-123' as any, hasAccess: true });
+    mockGetPermissionMap.mockResolvedValue({});
+    mockGetAccessLevel.mockResolvedValue('viewer');
     mockGetRoleContext.mockResolvedValue({
       globalRole: 'super_admin',
       organisationRole: null,
@@ -160,8 +163,17 @@ describe('useRBAC', () => {
 
     const { result } = renderHook(() => useRBAC());
 
-    await waitFor(() => expect(result.current.isLoading).toBe(false));
+    await waitFor(() => {
+      expect(mockResolveAppContext).toHaveBeenCalled();
+      expect(mockGetRoleContext).toHaveBeenCalled();
+    });
+
+    await waitFor(() => {
+      expect(result.current.isLoading).toBe(false);
+      expect(result.current.globalRole).toBe('super_admin');
+    });
 
+    expect(result.current.globalRole).toBe('super_admin');
     expect(result.current.isSuperAdmin).toBe(true);
     expect(result.current.hasGlobalPermission('any')).toBe(true);
   });

package/src/rbac/hooks/useRBAC.ts

@@ -69,28 +69,7 @@ export function useRBAC(pageId?: string): UserRBACContext {
   // This prevents premature loading when appConfig hasn't loaded yet
   const requiresEvent = appConfig?.requires_event ?? (appConfig === null ? true : false);
   
-  // Only log hook initialization if user is authenticated to avoid noise during login
-  // Log hook initialization for debugging (use warn level so it's always visible)
-  // Also use direct console.log as fallback to ensure visibility
-  if (user && session) {
-    const hookInitLog = {
-      appName,
-      requiresEvent,
-      appConfig: appConfig ? JSON.stringify(appConfig) : 'null',
-      hasUser: !!user,
-      hasSession: !!session,
-      hasSelectedEvent: !!selectedEvent,
-      eventLoading,
-      selectedEventId: selectedEvent?.event_id,
-      hasSelectedOrganisation: !!selectedOrganisation,
-      organisationId: selectedOrganisation?.id,
-      orgContextReady,
-      orgLoading
-    };
-    logger.warn('[useRBAC] Hook initialized', hookInitLog);
-    // Direct console.log as fallback to ensure we can see if hook is called
-    console.warn('[useRBAC] Hook initialized (direct log)', hookInitLog);
-  }
+  // Removed excessive logging - hook initialization logged only on first mount or significant changes
 
   const [globalRole, setGlobalRole] = useState<GlobalRole | null>(null);
   const [organisationRole, setOrganisationRole] = useState<OrganisationRole | null>(null);
@@ -120,13 +99,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
     // This is critical - without organisation ID, RPC calls can't resolve permissions
     if (orgLoading || !orgContextReady || !selectedOrganisation?.id) {
       setIsLoading(true);
-      logger.warn('[useRBAC] Waiting for organisation context before loading RBAC context', {
-        orgLoading,
-        orgContextReady,
-        hasSelectedOrganisation: !!selectedOrganisation,
-        organisationId: selectedOrganisation?.id,
-        appName
-      });
       return;
     }
 
@@ -138,13 +110,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
         // This prevents premature RPC calls that can cause NetworkError
         // Set loading state so React knows we're waiting
         setIsLoading(true);
-        logger.warn('[useRBAC] Waiting for event context before loading RBAC context', {
-          eventLoading,
-          hasSelectedEvent: !!selectedEvent,
-          appName,
-          selectedEventId: selectedEvent?.event_id,
-          organisationId: selectedOrganisation?.id
-        });
         return;
       }
     }
@@ -152,7 +117,9 @@ export function useRBAC(pageId?: string): UserRBACContext {
     setIsLoading(true);
     setError(null);
 
-    logger.warn('[useRBAC] Loading RBAC context', {
+    // Only log at debug level - loading RBAC context is normal operation
+    // Changed from warn to debug to reduce console noise
+    logger.debug('[useRBAC] Loading RBAC context', {
       appName,
       requiresEvent,
       hasSelectedEvent: !!selectedEvent,
@@ -195,15 +162,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
         appId,
       };
       
-      // Log scope to verify it's built correctly
-      logger.warn('[useRBAC] Building scope for RBAC context', {
-        organisationId: scope.organisationId,
-        eventId: scope.eventId,
-        appId: scope.appId,
-        hasOrganisationId: !!scope.organisationId,
-        hasEventId: !!scope.eventId
-      });
-      
       setCurrentScope(scope);
 
       const [map, roleContext, accessLevel] = await Promise.all([
@@ -217,13 +175,15 @@ export function useRBAC(pageId?: string): UserRBACContext {
       setOrganisationRole(roleContext.organisationRole);
       setEventAppRole(roleContext.eventAppRole || mapAccessLevelToEventRole(accessLevel));
       
-      logger.warn('[useRBAC] RBAC context loaded successfully', {
-        appName,
-        permissionCount: Object.keys(map).length,
-        globalRole: roleContext.globalRole,
-        organisationRole: roleContext.organisationRole,
-        eventAppRole: roleContext.eventAppRole || mapAccessLevelToEventRole(accessLevel)
-      });
+      // Only log on first successful load or if there's an issue
+      const permissionCount = Object.keys(map).length;
+      if (permissionCount === 0) {
+        logger.warn('[useRBAC] RBAC context loaded but returned 0 permissions', {
+          appName,
+          organisationId: selectedOrganisation.id,
+          eventId: selectedEvent?.event_id
+        });
+      }
     } catch (err) {
       const handledError = err instanceof Error ? err : new Error('Failed to load RBAC context');
       logger.error('[useRBAC] Error loading RBAC context:', handledError);
@@ -260,20 +220,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
   const canManageEvent = useMemo(() => isSuperAdmin || eventAppRole === 'event_admin', [isSuperAdmin, eventAppRole]);
 
   useEffect(() => {
-    // Log when effect runs to help debug
-    logger.warn('[useRBAC] useEffect triggered - calling loadRBACContext', {
-      appName,
-      requiresEvent,
-      eventLoading,
-      hasSelectedEvent: !!selectedEvent,
-      selectedEventId: selectedEvent?.event_id,
-      hasUser: !!user,
-      hasSession: !!session,
-      hasSelectedOrganisation: !!selectedOrganisation,
-      organisationId: selectedOrganisation?.id,
-      orgContextReady,
-      orgLoading
-    });
     loadRBACContext();
   }, [loadRBACContext, appName, requiresEvent, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
 

package/src/rbac/hooks/useResolvedScope.ts

@@ -108,6 +108,17 @@ export function useResolvedScope({
     let cancelled = false;
     
     const resolveScope = async () => {
+      // OPTIMIZATION: If all inputs are null/undefined, immediately return empty scope
+      // This indicates pre-filtered mode where we don't need to resolve scope
+      if (!supabase && !selectedOrganisationId && !selectedEventId) {
+        if (!cancelled) {
+          setResolvedScope(null);
+          setIsLoading(false);
+          setError(null);
+        }
+        return;
+      }
+      
       setIsLoading(true);
       setError(null);
       

package/src/rbac/hooks/useSecureSupabase.ts

@@ -0,0 +1,308 @@
+/**
+ * @file Secure Supabase Client Hook
+ * @package @jmruthers/pace-core
+ * @module RBAC/Hooks
+ * @since 1.0.0
+ *
+ * React hook for getting a secure Supabase client with automatic context injection
+ * and caching to prevent multiple client instances.
+ *
+ * ## Overview
+ *
+ * This hook provides a secure Supabase client that automatically injects
+ * organisation and event context for all database operations, while preventing
+ * the creation of multiple Supabase client instances (which causes the
+ * "Multiple GoTrueClient instances" warning).
+ *
+ * ## Features
+ *
+ * - **Automatic Context Injection**: Organisation, event, and app context are
+ *   automatically injected into all database queries
+ * - **Client Instance Caching**: Prevents creating duplicate Supabase clients
+ *   for the same context, eliminating the "Multiple GoTrueClient instances" warning
+ * - **Automatic Fallback**: Falls back to base client when context is unavailable
+ * - **Type-Safe**: Full TypeScript support with proper type inference
+ *
+ * ## Usage
+ *
+ * ### Basic Usage
+ *
+ * ```tsx
+ * import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+ *
+ * function MyComponent() {
+ *   const supabase = useSecureSupabase();
+ *
+ *   if (!supabase) {
+ *     return <div>Loading context...</div>;
+ *   }
+ *
+ *   const fetchData = async () => {
+ *     const { data, error } = await supabase
+ *       .from('users')
+ *       .select('*');
+ *     // Organisation context is automatically injected
+ *   };
+ *
+ *   return <div>...</div>;
+ * }
+ * ```
+ *
+ * ### With Base Client Fallback
+ *
+ * ```tsx
+ * import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+ * import { supabase } from './lib/supabase';
+ *
+ * function MyComponent() {
+ *   // Provide base client as fallback
+ *   const secureSupabase = useSecureSupabase(supabase);
+ *
+ *   // secureSupabase will be the secure client when context is available,
+ *   // or the base client when context is unavailable
+ * }
+ * ```
+ *
+ * ## How It Works
+ *
+ * 1. **Context Resolution**: The hook uses `useResolvedScope` to get the current
+ *    organisation, event, and app context
+ * 2. **Client Caching**: Clients are cached by context key (organisationId-eventId-appId)
+ *    to prevent duplicate instances
+ * 3. **Automatic Injection**: The secure client automatically injects context headers
+ *    into all database operations
+ * 4. **Fallback Behavior**: When context is unavailable or event is loading, the hook
+ *    returns the base client (or null if no base client provided)
+ *
+ * ## Security
+ *
+ * - **Organisation Context Enforcement**: All queries automatically include organisation
+ *   context, preventing cross-organisation data access
+ * - **Event Context Injection**: Event context is automatically included when available
+ * - **App Context Support**: App context is included when resolved from scope
+ *
+ * ## Performance
+ *
+ * - **Client Instance Caching**: Prevents creating multiple Supabase clients for the
+ *   same context, reducing memory usage and eliminating the "Multiple GoTrueClient
+ *   instances" warning
+ * - **Cache Management**: Automatically cleans up old cache entries (keeps last 5)
+ *   to prevent memory leaks
+ * - **Stable References**: Returns stable client references to prevent unnecessary
+ *   re-renders in consuming components
+ *
+ * ## Requirements
+ *
+ * - Must be used within `UnifiedAuthProvider` context
+ * - Requires `useOrganisations` and `useEvents` hooks to be available
+ * - Environment variables `VITE_SUPABASE_URL` and `VITE_SUPABASE_ANON_KEY` must be set
+ *   (or `NEXT_PUBLIC_SUPABASE_URL` and `NEXT_PUBLIC_SUPABASE_ANON_KEY` for Next.js)
+ *
+ * ## See Also
+ *
+ * - {@link SecureSupabaseClient} - The underlying secure client class
+ * - {@link createSecureClient} - Function to create secure clients manually
+ * - {@link useResolvedScope} - Hook for resolving RBAC scope
+ *
+ * @security
+ * - Enforces organisation context on all queries
+ * - Prevents cross-organisation data access
+ * - Automatic context injection
+ *
+ * @performance
+ * - Client instance caching prevents duplicate creation
+ * - Reuses cached clients for same context
+ * - Automatic cache cleanup
+ */
+
+import { useMemo, useRef } from 'react';
+import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
+import { useOrganisations } from '../../hooks/useOrganisations';
+import { useEvents } from '../../hooks/useEvents';
+import { useResolvedScope } from './useResolvedScope';
+import { createSecureClient, SecureSupabaseClient } from '../secureClient';
+import type { Database } from '../../types/database';
+import type { SupabaseClient } from '@supabase/supabase-js';
+import { logger } from '../../utils/core/logger';
+
+// Cache secure clients by context to prevent creating multiple instances
+// This prevents the "Multiple GoTrueClient instances" warning
+const secureClientCache = new Map<string, SecureSupabaseClient>();
+
+// Maximum cache size to prevent memory leaks
+const MAX_CACHE_SIZE = 5;
+
+/**
+ * Get cache key for secure client based on context
+ */
+function getCacheKey(
+  organisationId: string,
+  eventId: string | undefined,
+  appId: string | undefined
+): string {
+  return `${organisationId}-${eventId || 'no-event'}-${appId || 'no-app'}`;
+}
+
+/**
+ * Get Supabase URL and key from environment
+ */
+function getSupabaseConfig(): { url: string; key: string } | null {
+  // Try to get from environment variables
+  const getEnvVar = (key: string): string | undefined => {
+    if (typeof import.meta !== 'undefined' && (import.meta as any).env) {
+      return (import.meta as any).env[key];
+    }
+    if (typeof process !== 'undefined' && process.env) {
+      return process.env[key];
+    }
+    return undefined;
+  };
+
+  const supabaseUrl = getEnvVar('VITE_SUPABASE_URL') || 
+                     getEnvVar('NEXT_PUBLIC_SUPABASE_URL') || 
+                     null;
+                     
+  const supabaseKey = getEnvVar('VITE_SUPABASE_ANON_KEY') || 
+                     getEnvVar('NEXT_PUBLIC_SUPABASE_ANON_KEY') || 
+                     null;
+
+  if (!supabaseUrl || !supabaseKey) {
+    return null;
+  }
+
+  return { url: supabaseUrl, key: supabaseKey };
+}
+
+/**
+ * Hook to get a secure Supabase client with automatic context injection
+ * 
+ * Returns a secure client when organisation context is available,
+ * otherwise returns null. The client automatically injects organisation
+ * and event context into all database operations.
+ * 
+ * Uses caching to prevent creating multiple Supabase client instances,
+ * which causes the "Multiple GoTrueClient instances" warning.
+ * 
+ * @param baseClient - Optional base Supabase client to use as fallback
+ * @returns Secure Supabase client or null if context is not available
+ * 
+ * @example
+ * ```tsx
+ * import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+ * 
+ * function MyComponent() {
+ *   const supabase = useSecureSupabase();
+ *   
+ *   if (!supabase) {
+ *     return <div>Loading context...</div>;
+ *   }
+ *   
+ *   // Use supabase client - organisation context is automatically injected
+ *   const { data } = await supabase.from('users').select('*');
+ * }
+ * ```
+ */
+export function useSecureSupabase(
+  baseClient?: SupabaseClient<Database> | null
+): SupabaseClient<Database> | null {
+  const { user, supabase: authSupabase } = useUnifiedAuth();
+  const { selectedOrganisation } = useOrganisations();
+  const eventsContext = useEvents();
+  const { selectedEvent } = eventsContext;
+  const eventLoading = 'eventLoading' in eventsContext ? eventsContext.eventLoading : false;
+
+  // Resolve scope to get appId
+  const { resolvedScope } = useResolvedScope({
+    supabase: authSupabase || null,
+    selectedOrganisationId: selectedOrganisation?.id || null,
+    selectedEventId: selectedEvent?.event_id || null
+  });
+
+  // Track previous context to detect changes
+  const prevContextRef = useRef<{
+    organisationId: string | undefined;
+    eventId: string | undefined;
+    appId: string | undefined;
+  }>({
+    organisationId: undefined,
+    eventId: undefined,
+    appId: undefined
+  });
+
+  return useMemo(() => {
+    // If event is loading, return base client or null to avoid recreating client unnecessarily
+    if (eventLoading) {
+      return baseClient || authSupabase || null;
+    }
+    
+    // If we have organisation context, create or reuse a secure client
+    if (selectedOrganisation?.id && user?.id) {
+      const organisationId = selectedOrganisation.id;
+      const eventId = selectedEvent?.event_id;
+      
+      // Get appId from resolved scope if available
+      const appId = resolvedScope?.appId;
+
+      // Update previous context
+      prevContextRef.current = { organisationId, eventId, appId };
+
+      // Check cache first
+      const cacheKey = getCacheKey(organisationId, eventId, appId);
+      const cachedClient = secureClientCache.get(cacheKey);
+
+      if (cachedClient) {
+        // Reuse cached client - prevents creating multiple instances
+        return cachedClient.getClient();
+      }
+
+      // Get Supabase configuration
+      const config = getSupabaseConfig();
+      if (!config || !config.url || !config.key) {
+        logger.warn('useSecureSupabase', 'Missing Supabase environment variables. Falling back to base client.', {
+          note: 'Ensure VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY are set in your environment.'
+        });
+        return baseClient || authSupabase || null;
+      }
+
+      try {
+        const secureClient = createSecureClient(
+          config.url,
+          config.key,
+          organisationId as any, // organisationId is string, UUID is string alias
+          eventId,
+          appId as any // appId is string | undefined, UUID is string alias
+        );
+
+        // Cache the client for reuse
+        secureClientCache.set(cacheKey, secureClient);
+
+        // Clean up old cache entries to prevent memory leaks
+        if (secureClientCache.size > MAX_CACHE_SIZE) {
+          const firstKey = secureClientCache.keys().next().value;
+          if (firstKey) {
+            secureClientCache.delete(firstKey);
+          }
+        }
+
+        // Return the underlying client for compatibility
+        return secureClient.getClient();
+      } catch (error) {
+        logger.error('useSecureSupabase', 'Failed to create secure client', error);
+        // Fallback to base client
+        return baseClient || authSupabase || null;
+      }
+    }
+
+    // Fallback to base client when context is not available
+    return baseClient || authSupabase || null;
+  }, [
+    selectedOrganisation?.id,
+    selectedEvent?.event_id,
+    user?.id,
+    eventLoading,
+    resolvedScope?.appId,
+    baseClient,
+    authSupabase
+  ]);
+}
+

package/src/rbac/index.ts

@@ -27,6 +27,9 @@ export type {
   MissingUserContextError,
 } from './types';
 
+// Function types (RPC function parameters and results)
+export * from './types/functions';
+
 // Configuration
 export type {
   RBACConfig,