@jmruthers/pace-core 0.5.183 → 0.5.185

package/dist/{chunk-CSOFYHAG.js → chunk-AISXLWGZ.js}

@@ -3,21 +3,20 @@ import {
   useAccessLevel,
   useCan,
   useMultiplePermissions
-} from "./chunk-RA3JUFMW.js";
+} from "./chunk-445GEP27.js";
 import {
   RBACCache,
+  RBACNotInitializedError,
+  getRBACConfig,
   getRBACLogger,
   rbacCache
-} from "./chunk-M7W4CP3M.js";
+} from "./chunk-U6WNSFX5.js";
 import {
   useSecureDataAccess
-} from "./chunk-W22JP75J.js";
+} from "./chunk-STTZQK2I.js";
 import {
   useUnifiedAuth
-} from "./chunk-FUEYYMX5.js";
-import {
-  getCurrentAppName
-} from "./chunk-F2IMUDXZ.js";
+} from "./chunk-FXFJRTKI.js";
 import {
   createLogger,
   logger
@@ -172,10 +171,10 @@ var PagePermissionGuardComponent = ({
   onDenied,
   loading = /* @__PURE__ */ jsx2(DefaultLoading, {})
 }) => {
-  const instanceId = useMemo2(() => Math.random().toString(36).substr(2, 9), []);
   const renderCountRef = useRef(0);
   renderCountRef.current += 1;
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
+  const instanceId = useMemo2(() => Math.random().toString(36).substr(2, 9), []);
+  const { user, selectedOrganisation, selectedEvent, supabase, appId: contextAppId } = useUnifiedAuth();
   const [hasChecked, setHasChecked] = useState2(false);
   const [checkError, setCheckError] = useState2(null);
   const [resolvedScope, setResolvedScope] = useState2(null);
@@ -206,48 +205,7 @@ var PagePermissionGuardComponent = ({
         safeSetCheckError(null);
         return;
       }
-      let appId = void 0;
-      if (supabaseRef.current) {
-        const appName = getCurrentAppName();
-        if (appName) {
-          try {
-            const { data: app, error: error2 } = await supabaseRef.current.from("rbac_apps").select("id, name, is_active").eq("name", appName).eq("is_active", true).single();
-            if (signal.aborted) {
-              return;
-            }
-            if (error2) {
-              const logger3 = getRBACLogger();
-              logger3.error("Database error resolving app ID:", error2);
-              if (signal.aborted) {
-                return;
-              }
-              const { data: inactiveApp } = await supabaseRef.current.from("rbac_apps").select("id, name, is_active").eq("name", appName).single();
-              if (signal.aborted) {
-                return;
-              }
-              if (inactiveApp) {
-                logger3.error(`App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
-              } else {
-                logger3.error(`App "${appName}" not found in rbac_apps table`);
-              }
-            } else if (app) {
-              appId = app.id;
-            } else {
-              const logger3 = getRBACLogger();
-              logger3.error("No app data returned for:", appName);
-            }
-          } catch (error2) {
-            if (signal.aborted) {
-              return;
-            }
-            const logger3 = getRBACLogger();
-            logger3.error("Unexpected error resolving app ID:", error2);
-          }
-        } else {
-          const logger3 = getRBACLogger();
-          logger3.error("No app name found. Make sure to call setRBACAppName() in your app setup.");
-        }
-      }
+      const appId = contextAppId;
       if (signal.aborted) {
         return;
       }
@@ -1470,7 +1428,7 @@ function withPermissionGuard(config, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for permission check");
     }
-    const { isPermitted: isPermitted2 } = await import("./api-ROMBCNKU.js");
+    const { isPermitted: isPermitted2 } = await import("./api-BMFCXVQX.js");
     const hasPermission2 = await isPermitted2({
       userId,
       scope: { organisationId, eventId, appId },
@@ -1493,7 +1451,7 @@ function withAccessLevelGuard(minLevel, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for access level check");
     }
-    const { getAccessLevel: getAccessLevel2 } = await import("./api-ROMBCNKU.js");
+    const { getAccessLevel: getAccessLevel2 } = await import("./api-BMFCXVQX.js");
     const accessLevel = await getAccessLevel2({
       userId,
       scope: { organisationId, eventId, appId }
@@ -1518,7 +1476,7 @@ function withRoleGuard(config, handler) {
       throw new Error("User context required for role check");
     }
     if (config.globalRoles && config.globalRoles.length > 0) {
-      const { isSuperAdmin } = await import("./api-ROMBCNKU.js");
+      const { isSuperAdmin } = await import("./api-BMFCXVQX.js");
       const isSuper = await isSuperAdmin(userId);
       if (isSuper) {
         if (organisationId) {
@@ -1544,14 +1502,14 @@ function withRoleGuard(config, handler) {
       }
     }
     if (config.organisationRoles && config.organisationRoles.length > 0) {
-      const { isOrganisationAdmin } = await import("./api-ROMBCNKU.js");
+      const { isOrganisationAdmin } = await import("./api-BMFCXVQX.js");
       const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
       if (!isOrgAdmin && config.requireAll !== false) {
         throw new Error(`Organisation admin role required`);
       }
     }
     if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
-      const { isEventAdmin } = await import("./api-ROMBCNKU.js");
+      const { isEventAdmin } = await import("./api-BMFCXVQX.js");
       const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
       if (!isEventAdminUser && config.requireAll !== false) {
         throw new Error(`Event admin role required`);
@@ -1591,7 +1549,7 @@ function createRBACMiddleware(config) {
     );
     if (protectedRoute) {
       try {
-        const { isPermitted: isPermitted2 } = await import("./api-ROMBCNKU.js");
+        const { isPermitted: isPermitted2 } = await import("./api-BMFCXVQX.js");
         const hasPermission2 = await isPermitted2({
           userId,
           scope: { organisationId },
@@ -1618,7 +1576,7 @@ function createRBACExpressMiddleware(config) {
       return res.status(401).json({ error: "User context required" });
     }
     try {
-      const { isPermitted: isPermitted2 } = await import("./api-ROMBCNKU.js");
+      const { isPermitted: isPermitted2 } = await import("./api-BMFCXVQX.js");
       const hasPermission2 = await isPermitted2({
         userId,
         scope: { organisationId, eventId, appId },
@@ -1759,6 +1717,351 @@ var ALL_PERMISSIONS = {
   ...PAGE_PERMISSIONS
 };
 
+// src/rbac/compliance/setup-validator.ts
+function isRBACInitialized() {
+  try {
+    const config = getRBACConfig();
+    return config !== null && config.supabase !== null;
+  } catch (error) {
+    if (error instanceof RBACNotInitializedError) {
+      return false;
+    }
+    throw error;
+  }
+}
+function getSetupIssues() {
+  const issues = [];
+  const config = getRBACConfig();
+  if (!config) {
+    issues.push({
+      type: "not-initialized",
+      message: "RBAC system has not been initialized. setupRBAC() has not been called.",
+      recommendation: "Call setupRBAC(supabase) before using any RBAC features. This should be done in your main entry point (main.tsx or App.tsx) before rendering the app."
+    });
+    return issues;
+  }
+  if (!config.supabase) {
+    issues.push({
+      type: "missing-config",
+      message: "RBAC configuration is missing Supabase client.",
+      recommendation: "Ensure setupRBAC() is called with a valid Supabase client instance."
+    });
+  }
+  return issues;
+}
+function getProviderContextIssues() {
+  const issues = [];
+  if (!isRBACInitialized()) {
+    issues.push({
+      type: "not-initialized",
+      message: "RBAC system must be initialized before provider context can be used.",
+      recommendation: "Call setupRBAC(supabase) before rendering UnifiedAuthProvider."
+    });
+  }
+  return issues;
+}
+function validateRBACSetup() {
+  const issues = getSetupIssues();
+  const providerIssues = getProviderContextIssues();
+  return {
+    isCompliant: issues.length === 0 && providerIssues.length === 0,
+    issues: [...issues, ...providerIssues]
+  };
+}
+
+// src/rbac/compliance/runtime-compliance.ts
+function checkRuntimeCompliance() {
+  const logger2 = getRBACLogger();
+  const setupValidation = validateRBACSetup();
+  const warnings = [];
+  if (!setupValidation.isCompliant) {
+    setupValidation.issues.forEach((issue) => {
+      const warning = `[RBAC Compliance] ${issue.message}
+  Recommendation: ${issue.recommendation}`;
+      warnings.push(warning);
+      logger2.warn(warning);
+    });
+  }
+  const providerContextIssues = setupValidation.issues.filter(
+    (issue) => issue.type === "missing-provider-context" || issue.type === "not-initialized"
+  );
+  const providerContext = providerContextIssues.length > 0 ? {
+    available: false,
+    message: "UnifiedAuthProvider context may not be available. Ensure your app is wrapped with UnifiedAuthProvider from @jmruthers/pace-core."
+  } : {
+    available: true
+  };
+  return {
+    setup: setupValidation,
+    warnings,
+    providerContext
+  };
+}
+function validateAndWarn() {
+  if (import.meta.env.MODE === "development" || import.meta.env.DEV) {
+    checkRuntimeCompliance();
+  }
+}
+
+// src/rbac/compliance/database-validator.ts
+async function validateDatabaseConfiguration(supabase, appName) {
+  const issues = [];
+  const recommendations = [];
+  let appConfigured = false;
+  let pagesConfigured = false;
+  let permissionsConfigured = false;
+  let rlsPoliciesActive = false;
+  let rolesConfigured = false;
+  try {
+    const { data: app, error: appError } = await supabase.from("rbac_apps").select("id, name").eq("name", appName).single();
+    if (appError || !app) {
+      issues.push({
+        type: "app-not-configured",
+        message: `App '${appName}' not found in rbac_apps table.`,
+        recommendation: `Register your app in the rbac_apps table with name '${appName}' (case-sensitive).`
+      });
+    } else {
+      appConfigured = true;
+      if (app.name !== appName) {
+        issues.push({
+          type: "app-name-mismatch",
+          message: `App name mismatch. Database has '${app.name}', but environment variable has '${appName}'.`,
+          recommendation: `Ensure VITE_APP_NAME (or NEXT_PUBLIC_APP_NAME) matches the app name in rbac_apps table exactly (case-sensitive).`
+        });
+      }
+      const { data: pages, error: pagesError } = await supabase.from("rbac_app_pages").select("id").eq("app_id", app.id).limit(1);
+      if (pagesError || !pages || pages.length === 0) {
+        issues.push({
+          type: "pages-not-configured",
+          message: `No pages found for app '${appName}' in rbac_app_pages table.`,
+          recommendation: "Register your app pages in the rbac_app_pages table. Each route/page should have an entry."
+        });
+      } else {
+        pagesConfigured = true;
+        const { data: permissions, error: permissionsError } = await supabase.from("rbac_page_permissions").select("id").in("page_id", pages.map((p) => p.id)).limit(1);
+        if (permissionsError || !permissions || permissions.length === 0) {
+          issues.push({
+            type: "permissions-not-configured",
+            message: `No permissions found for app '${appName}' pages in rbac_page_permissions table.`,
+            recommendation: "Configure permissions for your app pages in the rbac_page_permissions table. Each page should have permissions for different operations (read, create, update, delete)."
+          });
+        } else {
+          permissionsConfigured = true;
+        }
+      }
+    }
+    try {
+      const { data: rbacTables, error: rlsError } = await supabase.rpc("rbac_check_rls_status");
+      if (rlsError) {
+        rlsPoliciesActive = true;
+        recommendations.push("Consider adding an RLS status check function to validate RLS policies are active.");
+      } else {
+        rlsPoliciesActive = true;
+      }
+    } catch (error) {
+      rlsPoliciesActive = true;
+      recommendations.push("Consider adding an RLS status check function to validate RLS policies are active.");
+    }
+    const { data: orgRoles, error: rolesError } = await supabase.from("rbac_organisation_roles").select("id").limit(1);
+    if (rolesError) {
+      issues.push({
+        type: "roles-not-configured",
+        message: "Unable to query rbac_organisation_roles table. RLS might be blocking access or table might not exist.",
+        recommendation: "Ensure rbac_organisation_roles table exists and RLS policies allow read access for authenticated users."
+      });
+    } else {
+      rolesConfigured = true;
+    }
+  } catch (error) {
+    issues.push({
+      type: "app-not-configured",
+      message: `Error validating database configuration: ${error instanceof Error ? error.message : "Unknown error"}`,
+      recommendation: "Check your Supabase connection and ensure you have the necessary permissions to query RBAC tables."
+    });
+  }
+  return {
+    appConfigured,
+    pagesConfigured,
+    permissionsConfigured,
+    rlsPoliciesActive,
+    rolesConfigured,
+    issues,
+    recommendations
+  };
+}
+
+// src/rbac/compliance/quick-fix-suggestions.ts
+function getCustomAuthCodeFixes(customCodeName, type) {
+  const fixes = {
+    "useAuth": {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with useUnifiedAuth from pace-core`,
+      codeExample: `// Before
+import { useAuth } from './hooks/useAuth';
+
+// After
+import { useUnifiedAuth } from '@jmruthers/pace-core';`,
+      migrationSteps: [
+        "Remove custom useAuth hook",
+        "Import useUnifiedAuth from @jmruthers/pace-core",
+        "Update all usages to use useUnifiedAuth",
+        "Ensure UnifiedAuthProvider wraps your app"
+      ]
+    },
+    "usePermissions": {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with usePermissions from pace-core`,
+      codeExample: `// Before
+import { usePermissions } from './hooks/usePermissions';
+
+// After
+import { usePermissions } from '@jmruthers/pace-core/rbac';`,
+      migrationSteps: [
+        "Remove custom usePermissions hook",
+        "Import usePermissions from @jmruthers/pace-core/rbac",
+        "Update all usages - ensure setupRBAC() has been called",
+        "Verify provider hierarchy is correct"
+      ]
+    },
+    "PermissionGuard": {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with PagePermissionGuard from pace-core`,
+      codeExample: `// Before
+import { PermissionGuard } from './components/PermissionGuard';
+
+// After
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';`,
+      migrationSteps: [
+        "Remove custom PermissionGuard component",
+        "Import PagePermissionGuard from @jmruthers/pace-core/rbac",
+        "Wrap pages with PagePermissionGuard",
+        "Use pageName and operation props instead of custom permission strings"
+      ]
+    },
+    "checkPermission": {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with isPermitted from pace-core`,
+      codeExample: `// Before
+import { checkPermission } from './utils/permissions';
+
+// After
+import { isPermitted } from '@jmruthers/pace-core/rbac';`,
+      migrationSteps: [
+        "Remove custom checkPermission utility",
+        "Import isPermitted from @jmruthers/pace-core/rbac",
+        "Update all usages to use isPermitted with proper scope",
+        "Ensure setupRBAC() has been called"
+      ]
+    }
+  };
+  return fixes[customCodeName] || {
+    issue: `Custom ${type} '${customCodeName}' detected`,
+    suggestion: `Use pace-core's equivalent instead. Check @jmruthers/pace-core documentation for the correct import.`,
+    migrationSteps: [
+      `Remove custom ${customCodeName} ${type}`,
+      "Find equivalent in pace-core",
+      "Import from @jmruthers/pace-core or @jmruthers/pace-core/rbac",
+      "Update all usages"
+    ]
+  };
+}
+function getDuplicateConfigFixes() {
+  return {
+    issue: "Multiple Supabase client instantiations found",
+    suggestion: "Consolidate to a single Supabase client configuration",
+    codeExample: `// Before - Multiple createClient calls
+// src/lib/supabase.ts
+export const supabase = createClient(url, key);
+
+// src/utils/api.ts
+export const supabase = createClient(url, key);
+
+// After - Single configuration
+// src/lib/supabase.ts
+export const supabase = createClient(
+  import.meta.env.VITE_SUPABASE_URL,
+  import.meta.env.VITE_SUPABASE_ANON_KEY
+);
+
+// src/utils/api.ts
+import { supabase } from '../lib/supabase';`,
+    migrationSteps: [
+      "Create a single supabase.ts file in a shared location (e.g., src/lib/supabase.ts)",
+      "Move all Supabase client creation to this file",
+      "Export the client instance",
+      "Update all files to import from the shared location",
+      "Remove duplicate createClient calls"
+    ]
+  };
+}
+function getUnprotectedPageFixes() {
+  return {
+    issue: "Route/page found without PagePermissionGuard",
+    suggestion: "Wrap all routes with PagePermissionGuard",
+    codeExample: `// Before
+<Route path="/dashboard" element={<Dashboard />} />
+
+// After
+<Route 
+  path="/dashboard" 
+  element={
+    <PagePermissionGuard pageName="dashboard" operation="read">
+      <Dashboard />
+    </PagePermissionGuard>
+  } 
+/>`,
+    migrationSteps: [
+      "Import PagePermissionGuard from @jmruthers/pace-core/rbac",
+      "Wrap each route/page component with PagePermissionGuard",
+      "Set pageName prop to match your page name in rbac_app_pages table",
+      "Set operation prop (read, create, update, or delete)",
+      "Ensure setupRBAC() has been called and providers are set up correctly"
+    ]
+  };
+}
+function getDirectSupabaseAuthFixes() {
+  return {
+    issue: "Direct Supabase auth usage detected",
+    suggestion: "Use UnifiedAuthProvider and useUnifiedAuth from pace-core",
+    codeExample: `// Before
+import { createClient } from '@supabase/supabase-js';
+const supabase = createClient(url, key);
+await supabase.auth.signInWithPassword({ email, password });
+
+// After
+import { useUnifiedAuth } from '@jmruthers/pace-core';
+const { signIn } = useUnifiedAuth();
+await signIn({ email, password });`,
+    migrationSteps: [
+      "Remove direct Supabase auth calls",
+      "Import useUnifiedAuth from @jmruthers/pace-core",
+      "Use the auth methods from useUnifiedAuth hook",
+      "Ensure UnifiedAuthProvider wraps your app",
+      "Update all auth-related code to use pace-core hooks"
+    ]
+  };
+}
+function getQuickFixes(issueType, details) {
+  const fixes = [];
+  switch (issueType) {
+    case "custom-auth-code":
+      if (details?.name && details?.type) {
+        fixes.push(getCustomAuthCodeFixes(details.name, details.type));
+      }
+      break;
+    case "duplicate-config":
+      fixes.push(getDuplicateConfigFixes());
+      break;
+    case "unprotected-pages":
+      fixes.push(getUnprotectedPageFixes());
+      break;
+    case "direct-supabase-auth":
+      fixes.push(getDirectSupabaseAuthFixes());
+      break;
+  }
+  return fixes;
+}
+
 export {
   RPCFunction,
   RBACErrorCode,
@@ -1789,6 +2092,17 @@ export {
   PAGE_PERMISSIONS,
   isValidPermission,
   getPermissionsForRole,
-  ALL_PERMISSIONS
+  ALL_PERMISSIONS,
+  isRBACInitialized,
+  getSetupIssues,
+  validateRBACSetup,
+  checkRuntimeCompliance,
+  validateAndWarn,
+  validateDatabaseConfiguration,
+  getCustomAuthCodeFixes,
+  getDuplicateConfigFixes,
+  getUnprotectedPageFixes,
+  getDirectSupabaseAuthFixes,
+  getQuickFixes
 };
-//# sourceMappingURL=chunk-CSOFYHAG.js.map
+//# sourceMappingURL=chunk-AISXLWGZ.js.map