@jmruthers/pace-core 0.5.185 → 0.5.187

package/dist/{chunk-U6WNSFX5.js → chunk-HEHYGYOX.js}

@@ -2,7 +2,7 @@ import {
   createAuditManager,
   emitAuditEvent,
   setGlobalAuditManager
-} from "./chunk-FSFQFJCU.js";
+} from "./chunk-63FOKYGO.js";
 import {
   createLogger
 } from "./chunk-PWLANIRT.js";
@@ -68,26 +68,41 @@ var MissingUserContextError = class extends RBACError {
 var RBACCache = class {
   constructor() {
     this.cache = /* @__PURE__ */ new Map();
-    this.TTL = 60 * 1e3;
-    // 60 seconds
+    this.sessionCache = /* @__PURE__ */ new Map();
+    this.TTL = 120 * 1e3;
+    // 120 seconds (short-term) - increased from 60s
+    this.SESSION_TTL = 15 * 60 * 1e3;
+    // 15 minutes (session-level) - increased from 5min
     this.invalidationCallbacks = /* @__PURE__ */ new Set();
   }
   /**
    * Get a value from the cache
    * 
+   * Checks both short-term cache and session cache.
+   * 
    * @param key - Cache key
+   * @param useSessionCache - Whether to check session cache (default: true)
    * @returns Cached value or null if not found/expired
    */
-  get(key) {
+  get(key, useSessionCache = true) {
+    const now = Date.now();
     const entry = this.cache.get(key);
-    if (!entry) {
-      return null;
+    if (entry && now <= entry.expires) {
+      return entry.data;
     }
-    if (Date.now() > entry.expires) {
+    if (entry && now > entry.expires) {
       this.cache.delete(key);
-      return null;
     }
-    return entry.data;
+    if (useSessionCache) {
+      const sessionEntry = this.sessionCache.get(key);
+      if (sessionEntry && now <= sessionEntry.expires) {
+        return sessionEntry.data;
+      }
+      if (sessionEntry && now > sessionEntry.expires) {
+        this.sessionCache.delete(key);
+      }
+    }
+    return null;
   }
   /**
    * Set a value in the cache
@@ -95,13 +110,22 @@ var RBACCache = class {
    * @param key - Cache key
    * @param data - Data to cache
    * @param ttl - Time to live in milliseconds (defaults to 60s)
+   * @param useSessionCache - Whether to also store in session cache (default: false for page-level checks)
    */
-  set(key, data, ttl = this.TTL) {
-    const expires = ttl <= 0 ? Date.now() - 1 : Date.now() + ttl;
+  set(key, data, ttl = this.TTL, useSessionCache = false) {
+    const now = Date.now();
+    const expires = ttl <= 0 ? now - 1 : now + ttl;
     this.cache.set(key, {
       data,
       expires
     });
+    if (useSessionCache) {
+      const sessionExpires = ttl <= 0 ? now - 1 : now + this.SESSION_TTL;
+      this.sessionCache.set(key, {
+        data,
+        expires: sessionExpires
+      });
+    }
   }
   /**
    * Delete a specific key from the cache
@@ -110,6 +134,7 @@ var RBACCache = class {
    */
   delete(key) {
     this.cache.delete(key);
+    this.sessionCache.delete(key);
   }
   /**
    * Invalidate cache entries matching a pattern
@@ -128,7 +153,15 @@ var RBACCache = class {
         keysToDelete.push(key);
       }
     }
-    keysToDelete.forEach((key) => this.cache.delete(key));
+    for (const key of this.sessionCache.keys()) {
+      if (matcher(key) && !keysToDelete.includes(key)) {
+        keysToDelete.push(key);
+      }
+    }
+    keysToDelete.forEach((key) => {
+      this.cache.delete(key);
+      this.sessionCache.delete(key);
+    });
     this.invalidationCallbacks.forEach((callback) => callback(trimmedPattern));
   }
   createMatcher(pattern) {
@@ -145,6 +178,7 @@ var RBACCache = class {
    */
   clear() {
     this.cache.clear();
+    this.sessionCache.clear();
   }
   /**
    * Get cache statistics
@@ -152,7 +186,9 @@ var RBACCache = class {
   getStats() {
     return {
       size: this.cache.size,
+      sessionSize: this.sessionCache.size,
       ttl: this.TTL,
+      sessionTtl: this.SESSION_TTL,
       keys: Array.from(this.cache.keys())
     };
   }
@@ -296,6 +332,7 @@ var INVALIDATION_PATTERNS = {
 var RBACCacheInvalidationManager = class {
   constructor(supabase) {
     this.invalidationCallbacks = /* @__PURE__ */ new Set();
+    this.channels = [];
     this.supabase = supabase;
     this.setupRealtimeSubscriptions();
   }
@@ -393,13 +430,18 @@ var RBACCacheInvalidationManager = class {
   }
   /**
    * Setup realtime subscriptions for automatic cache invalidation
+   * Prevents duplicate subscriptions by checking if already set up
    */
   setupRealtimeSubscriptions() {
     if (!this.supabase.channel || typeof this.supabase.channel !== "function") {
       log.debug("Realtime not available, skipping subscriptions");
       return;
     }
-    this.supabase.channel("rbac_organisation_roles_changes").on("postgres_changes", {
+    if (this.channels.length > 0) {
+      log.debug("Realtime subscriptions already set up, skipping duplicate setup");
+      return;
+    }
+    const orgRolesChannel = this.supabase.channel("rbac_organisation_roles_changes").on("postgres_changes", {
       event: "*",
       schema: "public",
       table: "rbac_organisation_roles"
@@ -411,8 +453,10 @@ var RBACCacheInvalidationManager = class {
       if (user_id) {
         this.invalidateUser(user_id, `organisation_role_${payload.eventType}`);
       }
-    }).subscribe();
-    this.supabase.channel("rbac_event_app_roles_changes").on("postgres_changes", {
+    });
+    const orgRolesSubscription = orgRolesChannel.subscribe();
+    this.channels.push(orgRolesSubscription);
+    const eventAppRolesChannel = this.supabase.channel("rbac_event_app_roles_changes").on("postgres_changes", {
       event: "*",
       schema: "public",
       table: "rbac_event_app_roles"
@@ -430,8 +474,10 @@ var RBACCacheInvalidationManager = class {
       if (app_id) {
         this.invalidateApp(app_id, `event_app_role_${payload.eventType}`);
       }
-    }).subscribe();
-    this.supabase.channel("rbac_global_roles_changes").on("postgres_changes", {
+    });
+    const eventAppRolesSubscription = eventAppRolesChannel.subscribe();
+    this.channels.push(eventAppRolesSubscription);
+    const globalRolesChannel = this.supabase.channel("rbac_global_roles_changes").on("postgres_changes", {
       event: "*",
       schema: "public",
       table: "rbac_global_roles"
@@ -440,8 +486,10 @@ var RBACCacheInvalidationManager = class {
       if (user_id) {
         this.invalidateUser(user_id, `global_role_${payload.eventType}`);
       }
-    }).subscribe();
-    this.supabase.channel("rbac_page_permissions_changes").on("postgres_changes", {
+    });
+    const globalRolesSubscription = globalRolesChannel.subscribe();
+    this.channels.push(globalRolesSubscription);
+    const pagePermissionsChannel = this.supabase.channel("rbac_page_permissions_changes").on("postgres_changes", {
       event: "*",
       schema: "public",
       table: "rbac_page_permissions"
@@ -453,7 +501,26 @@ var RBACCacheInvalidationManager = class {
       if (app_page_id) {
         this.invalidatePage(app_page_id, `page_permission_${payload.eventType}`);
       }
-    }).subscribe();
+    });
+    const pagePermissionsSubscription = pagePermissionsChannel.subscribe();
+    this.channels.push(pagePermissionsSubscription);
+  }
+  /**
+   * Cleanup all realtime subscriptions
+   * Call this when the manager is no longer needed to prevent memory leaks
+   */
+  cleanup() {
+    this.channels.forEach((channel) => {
+      try {
+        if (channel && typeof channel.unsubscribe === "function") {
+          channel.unsubscribe();
+        }
+      } catch (error) {
+        log.warn("Failed to unsubscribe from channel:", error);
+      }
+    });
+    this.channels = [];
+    this.invalidationCallbacks.clear();
   }
   /**
    * Manually trigger cache invalidation for all users in an organisation
@@ -479,6 +546,10 @@ var RBACCacheInvalidationManager = class {
 };
 var globalCacheInvalidationManager = null;
 function initializeCacheInvalidation(supabase) {
+  if (globalCacheInvalidationManager) {
+    log.debug("Cleaning up existing cache invalidation manager before creating new one");
+    globalCacheInvalidationManager.cleanup();
+  }
   globalCacheInvalidationManager = new RBACCacheInvalidationManager(supabase);
   return globalCacheInvalidationManager;
 }
@@ -1083,24 +1154,6 @@ var RBACEngine = class {
       if (cached !== null) {
         cacheHit = true;
         cacheSource = "memory";
-        const duration2 = Date.now() - startTime;
-        if (scope.organisationId) {
-          const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
-          await emitAuditEvent({
-            type: "permission_check",
-            userId,
-            organisationId: scope.organisationId,
-            eventId: scope.eventId,
-            appId: scope.appId,
-            pageId: resolvedPageId,
-            permission,
-            decision: cached,
-            source: "api",
-            duration_ms: duration2,
-            cache_hit: true,
-            cache_source: "memory"
-          });
-        }
         return cached;
       }
       const { data, error } = await this.supabase.rpc("rbac_check_permission_simplified", {
@@ -1409,6 +1462,167 @@ function createRBACEngine(supabase, securityConfig) {
   return new RBACEngine(supabase, securityConfig);
 }
 
+// src/rbac/performance.ts
+var RBACPerformanceMonitor = class {
+  constructor() {
+    this.metrics = {
+      totalChecks: 0,
+      cacheHits: 0,
+      cacheMisses: 0,
+      cacheHitRate: 0,
+      deduplicatedRequests: 0,
+      networkRequests: 0,
+      averageResponseTime: 0,
+      totalResponseTime: 0,
+      batchedAuditEvents: 0,
+      individualAuditEvents: 0
+    };
+    this.enabled = false;
+  }
+  /**
+   * Enable or disable performance monitoring
+   */
+  setEnabled(enabled) {
+    this.enabled = enabled;
+  }
+  /**
+   * Check if performance monitoring is enabled
+   */
+  isEnabled() {
+    return this.enabled;
+  }
+  /**
+   * Record a permission check
+   */
+  recordCheck(cacheHit, responseTime, wasDeduplicated = false) {
+    if (!this.enabled) {
+      return;
+    }
+    this.metrics.totalChecks++;
+    if (cacheHit) {
+      this.metrics.cacheHits++;
+    } else {
+      this.metrics.cacheMisses++;
+      this.metrics.networkRequests++;
+    }
+    if (wasDeduplicated) {
+      this.metrics.deduplicatedRequests++;
+    }
+    this.metrics.totalResponseTime += responseTime;
+    this.metrics.averageResponseTime = this.metrics.totalResponseTime / this.metrics.totalChecks;
+    this.metrics.cacheHitRate = this.metrics.cacheHits / this.metrics.totalChecks;
+  }
+  /**
+   * Record an audit event
+   */
+  recordAuditEvent(batched) {
+    if (!this.enabled) {
+      return;
+    }
+    if (batched) {
+      this.metrics.batchedAuditEvents++;
+    } else {
+      this.metrics.individualAuditEvents++;
+    }
+  }
+  /**
+   * Get current metrics
+   */
+  getMetrics() {
+    return { ...this.metrics };
+  }
+  /**
+   * Reset all metrics
+   */
+  reset() {
+    this.metrics = {
+      totalChecks: 0,
+      cacheHits: 0,
+      cacheMisses: 0,
+      cacheHitRate: 0,
+      deduplicatedRequests: 0,
+      networkRequests: 0,
+      averageResponseTime: 0,
+      totalResponseTime: 0,
+      batchedAuditEvents: 0,
+      individualAuditEvents: 0
+    };
+  }
+  /**
+   * Get metrics summary as a formatted string
+   */
+  getSummary() {
+    const m = this.metrics;
+    return `
+RBAC Performance Metrics:
+  Total Checks: ${m.totalChecks}
+  Cache Hits: ${m.cacheHits} (${(m.cacheHitRate * 100).toFixed(1)}%)
+  Cache Misses: ${m.cacheMisses}
+  Deduplicated Requests: ${m.deduplicatedRequests}
+  Network Requests: ${m.networkRequests}
+  Average Response Time: ${m.averageResponseTime.toFixed(2)}ms
+  Batched Audit Events: ${m.batchedAuditEvents}
+  Individual Audit Events: ${m.individualAuditEvents}
+`;
+  }
+};
+var performanceMonitor = new RBACPerformanceMonitor();
+function enablePerformanceMonitoring() {
+  performanceMonitor.setEnabled(true);
+}
+function disablePerformanceMonitoring() {
+  performanceMonitor.setEnabled(false);
+}
+function isPerformanceMonitoringEnabled() {
+  return performanceMonitor.isEnabled();
+}
+function recordPermissionCheck(cacheHit, responseTime, wasDeduplicated = false) {
+  performanceMonitor.recordCheck(cacheHit, responseTime, wasDeduplicated);
+}
+function recordAuditEvent(batched) {
+  performanceMonitor.recordAuditEvent(batched);
+}
+function getPerformanceMetrics() {
+  return performanceMonitor.getMetrics();
+}
+function resetPerformanceMetrics() {
+  performanceMonitor.reset();
+}
+function getPerformanceSummary() {
+  return performanceMonitor.getSummary();
+}
+
+// src/rbac/request-deduplication.ts
+var inFlightRequests = /* @__PURE__ */ new Map();
+function generateDeduplicationKey(input) {
+  return RBACCache.generatePermissionKey({
+    userId: input.userId,
+    organisationId: input.scope.organisationId,
+    eventId: input.scope.eventId,
+    appId: input.scope.appId,
+    permission: input.permission,
+    pageId: input.pageId
+  });
+}
+async function getOrCreateRequest(input, checkFn) {
+  const key = generateDeduplicationKey(input);
+  const existingRequest = inFlightRequests.get(key);
+  if (existingRequest) {
+    return existingRequest;
+  }
+  const requestPromise = checkFn(input).finally(() => {
+    inFlightRequests.delete(key);
+  });
+  inFlightRequests.set(key, requestPromise);
+  return requestPromise;
+}
+function clearInFlightRequests() {
+  inFlightRequests.clear();
+}
+function getInFlightRequestCount() {
+  return inFlightRequests.size;
+}
+
 // src/rbac/api.ts
 var log3 = createLogger("RBACAPI");
 var globalEngine = null;
@@ -1430,8 +1644,16 @@ function setupRBAC(supabase, config) {
     ...config?.security
   };
   globalEngine = createRBACEngine(supabase, securityConfig);
-  const auditManager = createAuditManager(supabase);
+  const useBatchedAudit = config?.audit?.batched !== false && config?.performance?.enableBatchedAuditLogging !== false;
+  const batchConfig = useBatchedAudit ? {
+    batchWindow: config?.audit?.batchWindow,
+    batchSize: config?.audit?.batchSize
+  } : void 0;
+  const auditManager = createAuditManager(supabase, useBatchedAudit, batchConfig);
   setGlobalAuditManager(auditManager);
+  if (config?.performance?.enablePerformanceTracking) {
+    enablePerformanceMonitoring();
+  }
   logger.info("RBAC system initialized successfully");
 }
 function getEngine() {
@@ -1480,13 +1702,16 @@ async function isPermittedCached(input) {
     permission,
     pageId
   });
-  const cached = rbacCache.get(cacheKey);
+  const cached = rbacCache.get(cacheKey, true);
   if (cached !== null) {
     return cached;
   }
-  const result = await isPermitted(input);
-  rbacCache.set(cacheKey, result);
-  return result;
+  return getOrCreateRequest(input, async (checkInput) => {
+    const result = await isPermitted(checkInput);
+    const isPageLevelCheck = !!pageId || permission.includes("page.");
+    rbacCache.set(cacheKey, result, void 0, isPageLevelCheck);
+    return result;
+  });
 }
 async function hasPermission(input) {
   return isPermitted(input);
@@ -1589,6 +1814,16 @@ export {
   isDevelopmentMode,
   RBACEngine,
   createRBACEngine,
+  enablePerformanceMonitoring,
+  disablePerformanceMonitoring,
+  isPerformanceMonitoringEnabled,
+  recordPermissionCheck,
+  recordAuditEvent,
+  getPerformanceMetrics,
+  resetPerformanceMetrics,
+  getPerformanceSummary,
+  clearInFlightRequests,
+  getInFlightRequestCount,
   setupRBAC,
   getAccessLevel,
   getPermissionMap,
@@ -1610,4 +1845,4 @@ export {
   invalidateAppCache,
   clearCache
 };
-//# sourceMappingURL=chunk-U6WNSFX5.js.map
+//# sourceMappingURL=chunk-HEHYGYOX.js.map