@jmruthers/pace-core 0.5.189 → 0.5.190

package/dist/{chunk-HEHYGYOX.js → chunk-RUYZKXOD.js}

@@ -35,6 +35,15 @@ var OrganisationContextRequiredError = class extends RBACError {
     this.name = "OrganisationContextRequiredError";
   }
 };
+var EventContextRequiredError = class extends RBACError {
+  constructor() {
+    super(
+      "Event context is required for this operation",
+      "EVENT_CONTEXT_REQUIRED"
+    );
+    this.name = "EventContextRequiredError";
+  }
+};
 var RBACNotInitializedError = class extends RBACError {
   constructor() {
     super(
@@ -428,19 +437,32 @@ var RBACCacheInvalidationManager = class {
       log.warn("Failed to log cache invalidation audit event:", error);
     });
   }
+  /**
+   * Cleanup subscriptions only (not all callbacks)
+   * Used internally to cleanup before setting up new subscriptions
+   */
+  cleanupSubscriptions() {
+    this.channels.forEach((channel) => {
+      try {
+        if (channel && typeof channel.unsubscribe === "function") {
+          channel.unsubscribe();
+        }
+      } catch (error) {
+        log.warn("Failed to unsubscribe from channel:", error);
+      }
+    });
+    this.channels = [];
+  }
   /**
    * Setup realtime subscriptions for automatic cache invalidation
-   * Prevents duplicate subscriptions by checking if already set up
+   * Always cleans up existing subscriptions before setting up new ones to prevent duplicates
    */
   setupRealtimeSubscriptions() {
+    this.cleanupSubscriptions();
     if (!this.supabase.channel || typeof this.supabase.channel !== "function") {
       log.debug("Realtime not available, skipping subscriptions");
       return;
     }
-    if (this.channels.length > 0) {
-      log.debug("Realtime subscriptions already set up, skipping duplicate setup");
-      return;
-    }
     const orgRolesChannel = this.supabase.channel("rbac_organisation_roles_changes").on("postgres_changes", {
       event: "*",
       schema: "public",
@@ -672,8 +694,226 @@ function mapErrorCategoryToSecurityEventType(category) {
   }
 }
 
+// src/rbac/utils/eventContext.ts
+var orgDerivationCache = /* @__PURE__ */ new Map();
+var MAX_CACHE_SIZE = 100;
+async function getOrganisationFromEvent(supabase, eventId) {
+  if (orgDerivationCache.has(eventId)) {
+    return orgDerivationCache.get(eventId) ?? null;
+  }
+  const { data, error } = await supabase.from("event").select("organisation_id").eq("event_id", eventId).single();
+  let organisationId = null;
+  if (error || !data) {
+    organisationId = null;
+  } else {
+    organisationId = data.organisation_id;
+  }
+  if (orgDerivationCache.size >= MAX_CACHE_SIZE) {
+    const firstKey = orgDerivationCache.keys().next().value;
+    if (firstKey) {
+      orgDerivationCache.delete(firstKey);
+    }
+  }
+  orgDerivationCache.set(eventId, organisationId);
+  return organisationId;
+}
+
+// src/rbac/utils/contextValidator.ts
+var log2 = createLogger("ContextValidator");
+function allowsOptionalContexts(appName) {
+  return appName === "PORTAL" || appName === "ADMIN";
+}
+var ContextValidator = class {
+  /**
+   * Validate scope against app requirements
+   * 
+   * @param scope - Current scope
+   * @param appConfig - App configuration (requires_event flag)
+   * @param appName - App name (for PORTAL/ADMIN special case)
+   * @returns Validation result with resolved scope
+   */
+  static async validateScope(scope, appConfig, appName) {
+    if (allowsOptionalContexts(appName)) {
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId: scope.organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    if (!appConfig) {
+      if (!scope.organisationId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new OrganisationContextRequiredError()
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: scope,
+        error: null
+      };
+    }
+    if (appConfig.requires_event) {
+      if (!scope.eventId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new EventContextRequiredError()
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: scope,
+        error: null
+      };
+    }
+    if (!scope.organisationId) {
+      return {
+        isValid: false,
+        resolvedScope: null,
+        error: new OrganisationContextRequiredError()
+      };
+    }
+    return {
+      isValid: true,
+      resolvedScope: scope,
+      error: null
+    };
+  }
+  /**
+   * Resolve required context and derive missing values
+   * 
+   * @param scope - Current scope
+   * @param appConfig - App configuration
+   * @param appName - App name (for PORTAL/ADMIN special case)
+   * @param supabase - Supabase client (for deriving org from event)
+   * @returns Resolved scope with all required context
+   */
+  static async resolveRequiredContext(scope, appConfig, appName, supabase) {
+    if (allowsOptionalContexts(appName)) {
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId: scope.organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    if (!appConfig) {
+      if (!scope.organisationId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new OrganisationContextRequiredError()
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: scope,
+        error: null
+      };
+    }
+    if (appConfig.requires_event) {
+      if (!scope.eventId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new EventContextRequiredError()
+        };
+      }
+      let organisationId = scope.organisationId;
+      if (!organisationId && supabase && scope.eventId) {
+        try {
+          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
+          organisationId = derivedOrgId || void 0;
+          if (!organisationId) {
+            return {
+              isValid: false,
+              resolvedScope: null,
+              error: new Error("Could not resolve organisation from event context")
+            };
+          }
+        } catch (error) {
+          log2.error("Failed to derive org from event:", error);
+          return {
+            isValid: false,
+            resolvedScope: null,
+            error: error instanceof Error ? error : new Error("Failed to derive organisation from event")
+          };
+        }
+      } else if (!organisationId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new Error("Event context requires organisationId but it could not be derived (supabase client not available)")
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    if (!scope.organisationId) {
+      return {
+        isValid: false,
+        resolvedScope: null,
+        error: new OrganisationContextRequiredError()
+      };
+    }
+    return {
+      isValid: true,
+      resolvedScope: scope,
+      error: null
+    };
+  }
+  /**
+   * Derive organisation ID from event ID
+   * 
+   * @param supabase - Supabase client
+   * @param eventId - Event ID
+   * @returns Organisation ID or null
+   */
+  static async deriveOrgFromEvent(supabase, eventId) {
+    return getOrganisationFromEvent(supabase, eventId);
+  }
+  /**
+   * Check if context is ready for permission checks
+   * 
+   * @param scope - Current scope
+   * @param appConfig - App configuration
+   * @param appName - App name
+   * @param hasSelectedEvent - Whether event is selected
+   * @param hasSelectedOrganisation - Whether organisation is selected
+   * @returns True if context is ready
+   */
+  static isContextReady(scope, appConfig, appName, hasSelectedEvent, hasSelectedOrganisation) {
+    if (allowsOptionalContexts(appName)) {
+      return true;
+    }
+    if (!appConfig) {
+      return !!hasSelectedOrganisation || !!scope.organisationId;
+    }
+    if (appConfig.requires_event) {
+      return !!hasSelectedEvent || !!scope.eventId;
+    }
+    return !!hasSelectedOrganisation || !!scope.organisationId;
+  }
+};
+
 // src/rbac/security.ts
-var log2 = createLogger("RBACSecurity");
+var log3 = createLogger("RBACSecurity");
 var RBACSecurityValidator = class {
   /**
    * Validate permission string format
@@ -782,19 +1022,13 @@ var RBACSecurityValidator = class {
   /**
    * Validate context requirements for security
    * @param scope - Scope object
-   * @param appId - Application ID
+   * @param appConfig - App configuration
+   * @param appName - App name (for PORTAL special case)
    * @returns True if context is valid, false otherwise
    */
-  static validateContextRequirements(scope, appId) {
-    if (!scope.organisationId) {
-      return false;
-    }
-    if (appId && scope.appId === appId) {
-      if (!scope.eventId) {
-        return false;
-      }
-    }
-    return true;
+  static async validateContextRequirements(scope, appConfig, appName) {
+    const validation = await ContextValidator.validateScope(scope, appConfig || null, appName);
+    return validation.isValid;
   }
   // Only warn once per 5 seconds per user
   static logSecurityEvent(event) {
@@ -813,7 +1047,7 @@ var RBACSecurityValidator = class {
           this.rateLimitWarningCount.set(event.userId, userWarning);
           return;
         } else {
-          log2.warn("Security event (throttled):", {
+          log3.warn("Security event (throttled):", {
             ...securityEvent,
             details: {
               ...securityEvent.details,
@@ -826,11 +1060,11 @@ var RBACSecurityValidator = class {
         }
       } else {
         this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
-        log2.warn("Security event:", securityEvent);
+        log3.warn("Security event:", securityEvent);
         return;
       }
     }
-    log2.warn("Security event:", securityEvent);
+    log3.warn("Security event:", securityEvent);
   }
   /**
    * Get severity level for security event
@@ -902,10 +1136,18 @@ var RBACSecurityMiddleware = class {
     if (!RBACSecurityValidator.validateUserId(context.userId)) {
       errors.push("Invalid user ID format");
     }
-    if (!context.organisationId) {
-      errors.push("Organisation ID is required");
-    } else if (!RBACSecurityValidator.validateUUID(context.organisationId)) {
-      errors.push("Invalid organisation ID format");
+    const isPagePermission = input.permission?.includes(":page.") || !!input.pageId;
+    const requiresOrgId = !isPagePermission;
+    if (requiresOrgId) {
+      if (!context.organisationId) {
+        errors.push("Organisation ID is required for resource-level permissions");
+      } else if (!RBACSecurityValidator.validateUUID(context.organisationId)) {
+        errors.push("Invalid organisation ID format");
+      }
+    } else {
+      if (context.organisationId && !RBACSecurityValidator.validateUUID(context.organisationId)) {
+        errors.push("Invalid organisation ID format");
+      }
     }
     if (input.permission && !RBACSecurityValidator.validatePermission(input.permission)) {
       errors.push("Invalid permission format");
@@ -1252,7 +1494,8 @@ var RBACEngine = class {
       return "super";
     }
     if (scope.organisationId) {
-      const { data: orgRole } = await this.supabase.from("rbac_organisation_roles").select("role").eq("user_id", userId).eq("organisation_id", scope.organisationId).eq("status", "active").is("revoked_at", null).lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).single();
+      const { data: orgRoles } = await this.supabase.from("rbac_organisation_roles").select("role").eq("user_id", userId).eq("organisation_id", scope.organisationId).eq("status", "active").is("revoked_at", null).lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).limit(1);
+      const orgRole = orgRoles?.[0];
       if (orgRole?.role === "org_admin") {
         rbacCache.set(cacheKey, "admin", 6e4);
         return "admin";
@@ -1598,6 +1841,7 @@ function generateDeduplicationKey(input) {
   return RBACCache.generatePermissionKey({
     userId: input.userId,
     organisationId: input.scope.organisationId,
+    // Can be undefined for page-level permissions
     eventId: input.scope.eventId,
     appId: input.scope.appId,
     permission: input.permission,
@@ -1624,7 +1868,7 @@ function getInFlightRequestCount() {
 }
 
 // src/rbac/api.ts
-var log3 = createLogger("RBACAPI");
+var log4 = createLogger("RBACAPI");
 var globalEngine = null;
 function setupRBAC(supabase, config) {
   const logger = getRBACLogger();
@@ -1662,37 +1906,116 @@ function getEngine() {
   }
   return globalEngine;
 }
-async function getAccessLevel(input) {
+async function getAccessLevel(input, appConfig, appName) {
   const engine = getEngine();
-  return engine.getAccessLevel(input);
+  const isSuperAdminUser = await engine["checkSuperAdmin"](input.userId);
+  if (isSuperAdminUser) {
+    return "super";
+  }
+  let resolvedAppConfig = appConfig ?? null;
+  let resolvedAppName = appName;
+  if (!resolvedAppConfig && input.scope.appId) {
+    resolvedAppConfig = await getAppConfig(input.scope.appId);
+  }
+  const validation = await ContextValidator.resolveRequiredContext(
+    input.scope,
+    resolvedAppConfig,
+    resolvedAppName,
+    engine["supabase"]
+  );
+  if (!validation.isValid || !validation.resolvedScope) {
+    throw validation.error || new OrganisationContextRequiredError();
+  }
+  return engine.getAccessLevel({
+    ...input,
+    scope: validation.resolvedScope
+  });
 }
-async function getPermissionMap(input) {
+async function getPermissionMap(input, appConfig, appName) {
   const engine = getEngine();
-  return engine.getPermissionMap(input);
+  let resolvedAppConfig = appConfig ?? null;
+  let resolvedAppName = appName;
+  if (!resolvedAppConfig && input.scope.appId) {
+    resolvedAppConfig = await getAppConfig(input.scope.appId);
+  }
+  const validation = await ContextValidator.resolveRequiredContext(
+    input.scope,
+    resolvedAppConfig,
+    resolvedAppName,
+    engine["supabase"]
+  );
+  if (!validation.isValid || !validation.resolvedScope) {
+    throw validation.error || new OrganisationContextRequiredError();
+  }
+  return engine.getPermissionMap({
+    ...input,
+    scope: validation.resolvedScope
+  });
 }
 async function resolveAppContext(input) {
   const engine = getEngine();
   return engine.resolveAppContext(input);
 }
-async function getRoleContext(input) {
+async function getRoleContext(input, appConfig, appName) {
   const engine = getEngine();
-  return engine.getRoleContext(input);
+  let resolvedAppConfig = appConfig ?? null;
+  let resolvedAppName = appName;
+  if (!resolvedAppConfig && input.scope.appId) {
+    resolvedAppConfig = await getAppConfig(input.scope.appId);
+  }
+  const validation = await ContextValidator.resolveRequiredContext(
+    input.scope,
+    resolvedAppConfig,
+    resolvedAppName,
+    engine["supabase"]
+  );
+  if (!validation.isValid || !validation.resolvedScope) {
+    throw validation.error || new OrganisationContextRequiredError();
+  }
+  return engine.getRoleContext({
+    ...input,
+    scope: validation.resolvedScope
+  });
 }
-async function isPermitted(input) {
+async function isPermitted(input, appConfig, appName) {
   const engine = getEngine();
-  if (!input.scope.organisationId) {
-    throw new OrganisationContextRequiredError();
+  let resolvedAppConfig = appConfig ?? null;
+  let resolvedAppName = appName;
+  if (!resolvedAppConfig && input.scope.appId) {
+    resolvedAppConfig = await getAppConfig(input.scope.appId);
   }
+  if (!resolvedAppName && input.scope.appId) {
+    try {
+      const { data } = await engine["supabase"].from("rbac_apps").select("name").eq("id", input.scope.appId).eq("is_active", true).single();
+      if (data) {
+        resolvedAppName = data.name;
+      }
+    } catch (err) {
+    }
+  }
+  const validation = await ContextValidator.resolveRequiredContext(
+    input.scope,
+    resolvedAppConfig,
+    resolvedAppName,
+    engine["supabase"]
+  );
+  if (!validation.isValid || !validation.resolvedScope) {
+    throw validation.error || new OrganisationContextRequiredError();
+  }
+  const validatedScope = validation.resolvedScope;
   const securityContext = {
     userId: input.userId,
-    organisationId: input.scope.organisationId,
-    // Required - no fallback
+    organisationId: validatedScope.organisationId || null,
     timestamp: /* @__PURE__ */ new Date()
     // Optional fields can be omitted
   };
-  return engine.isPermitted(input, securityContext);
+  const validatedInput = {
+    ...input,
+    scope: validatedScope
+  };
+  return engine.isPermitted(validatedInput, securityContext);
 }
-async function isPermittedCached(input) {
+async function isPermittedCached(input, appConfig, appName) {
   const { userId, scope, permission, pageId } = input;
   const cacheKey = RBACCache.generatePermissionKey({
     userId,
@@ -1707,7 +2030,7 @@ async function isPermittedCached(input) {
     return cached;
   }
   return getOrCreateRequest(input, async (checkInput) => {
-    const result = await isPermitted(checkInput);
+    const result = await isPermitted(checkInput, appConfig, appName);
     const isPageLevelCheck = !!pageId || permission.includes("page.");
     rbacCache.set(cacheKey, result, void 0, isPageLevelCheck);
     return result;
@@ -1747,18 +2070,48 @@ async function isSuperAdmin(userId) {
   return engine["checkSuperAdmin"](userId);
 }
 async function getAppConfig(appId) {
-  log3.warn("getAppConfig called without Supabase client - returning null");
-  return null;
+  try {
+    const engine = getEngine();
+    return getAppConfigWithClient(engine["supabase"], appId);
+  } catch (err) {
+    if (err instanceof RBACNotInitializedError) {
+      return null;
+    }
+    throw err;
+  }
 }
 async function getAppConfigWithClient(client, appId) {
+  if (!client) {
+    return null;
+  }
+  const cacheKey = `app_config:${appId}`;
+  const cached = rbacCache.get(cacheKey, true);
+  if (cached !== null) {
+    return cached;
+  }
+  try {
+    const { data, error } = await client.from("rbac_apps").select("requires_event, name").eq("id", appId).eq("is_active", true).single();
+    if (error || !data) {
+      return null;
+    }
+    const appConfig = { requires_event: data.requires_event ?? false };
+    rbacCache.set(cacheKey, appConfig, 5 * 60 * 1e3, true);
+    return appConfig;
+  } catch (err) {
+    log4.error("Error fetching app config:", err);
+    return null;
+  }
+}
+async function getAppConfigByName(appName) {
+  const engine = getEngine();
   try {
-    const { data, error } = await client.from("rbac_apps").select("requires_event").eq("id", appId).eq("is_active", true).single();
+    const { data, error } = await engine["supabase"].from("rbac_apps").select("requires_event, name").eq("name", appName).eq("is_active", true).single();
     if (error || !data) {
       return null;
     }
-    return { requires_event: data.requires_event };
+    return { requires_event: data.requires_event ?? false };
   } catch (err) {
-    log3.error("Error fetching app config:", err);
+    log4.error("Error fetching app config by name:", err);
     return null;
   }
 }
@@ -1807,6 +2160,7 @@ export {
   RBACCache,
   rbacCache,
   CACHE_PATTERNS,
+  ContextValidator,
   createRBACConfig,
   getRBACConfig,
   getRBACLogger,
@@ -1837,6 +2191,7 @@ export {
   isSuperAdmin,
   getAppConfig,
   getAppConfigWithClient,
+  getAppConfigByName,
   isOrganisationAdmin,
   isEventAdmin,
   invalidateUserCache,
@@ -1845,4 +2200,4 @@ export {
   invalidateAppCache,
   clearCache
 };
-//# sourceMappingURL=chunk-HEHYGYOX.js.map
+//# sourceMappingURL=chunk-RUYZKXOD.js.map