npm - @jmruthers/pace-core - Versions diffs - 0.5.189 → 0.5.191 - Mend

@jmruthers/pace-core 0.5.189 → 0.5.191

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (438) hide show

package/core-usage-manifest.json +0 -4
package/dist/{AuthService-B-cd2MA4.d.ts → AuthService-CbP_utw2.d.ts} +7 -3
package/dist/{DataTable-IVYljGJ6.d.ts → DataTable-Be6dH_dR.d.ts} +1 -1
package/dist/{DataTable-GUFUNZ3N.js → DataTable-WKRZD47S.js} +8 -8
package/dist/{PublicPageProvider-B8HaLe69.d.ts → PublicPageProvider-ULXC_u6U.d.ts} +84 -25
package/dist/{UnifiedAuthProvider-BG0AL5eE.d.ts → UnifiedAuthProvider-BYA9qB-o.d.ts} +4 -3
package/dist/{UnifiedAuthProvider-643PUAIM.js → UnifiedAuthProvider-FTSG5XH7.js} +4 -2
package/dist/{api-YP7XD5L6.js → api-IHKALJZD.js} +4 -2
package/dist/{chunk-VGZZXKBR.js → chunk-6LTQQAT6.js} +351 -157
package/dist/chunk-6LTQQAT6.js.map +1 -0
package/dist/{chunk-MX64ZF6I.js → chunk-6TQDD426.js} +15 -15
package/dist/chunk-6TQDD426.js.map +1 -0
package/dist/{chunk-YHCN776L.js → chunk-G37KK66H.js} +2 -75
package/dist/chunk-G37KK66H.js.map +1 -0
package/dist/{chunk-THRPYOFK.js → chunk-HW3OVDUF.js} +5 -5
package/dist/chunk-HW3OVDUF.js.map +1 -0
package/dist/{chunk-F2IMUDXZ.js → chunk-I7PSE6JW.js} +75 -2
package/dist/chunk-I7PSE6JW.js.map +1 -0
package/dist/{chunk-IM4QE42D.js → chunk-LOMZXPSN.js} +141 -326
package/dist/chunk-LOMZXPSN.js.map +1 -0
package/dist/chunk-OETXORNB.js +614 -0
package/dist/chunk-OETXORNB.js.map +1 -0
package/dist/{chunk-HESYZWZW.js → chunk-QWWZ5CAQ.js} +2 -2
package/dist/{chunk-HEHYGYOX.js → chunk-ROXMHMY2.js} +403 -46
package/dist/chunk-ROXMHMY2.js.map +1 -0
package/dist/{chunk-2UUZZJFT.js → chunk-ULHIJK66.js} +228 -177
package/dist/{chunk-2UUZZJFT.js.map → chunk-ULHIJK66.js.map} +1 -1
package/dist/{chunk-YGPFYGA6.js → chunk-VKB2CO4Z.js} +838 -503
package/dist/chunk-VKB2CO4Z.js.map +1 -0
package/dist/{chunk-3GOZZZYH.js → chunk-VRGWKHDB.js} +238 -301
package/dist/chunk-VRGWKHDB.js.map +1 -0
package/dist/{chunk-UCQSRW7Z.js → chunk-XNYQOL3Z.js} +431 -384
package/dist/chunk-XNYQOL3Z.js.map +1 -0
package/dist/{chunk-DDM4CCYT.js → chunk-XYXSXPUK.js} +79 -59
package/dist/chunk-XYXSXPUK.js.map +1 -0
package/dist/{chunk-SAUPYVLF.js → chunk-ZSAAAMVR.js} +1 -1
package/dist/chunk-ZSAAAMVR.js.map +1 -0
package/dist/components.d.ts +5 -6
package/dist/components.js +19 -19
package/dist/components.js.map +1 -1
package/dist/{database.generated-DI89OQeI.d.ts → database.generated-CzIvgcPu.d.ts} +165 -201
package/dist/eslint-rules/pace-core-compliance.cjs +0 -2
package/dist/{file-reference-D037xOFK.d.ts → file-reference-BavO2eQj.d.ts} +13 -10
package/dist/hooks.d.ts +20 -15
package/dist/hooks.js +14 -8
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +17 -15
package/dist/index.js +86 -81
package/dist/index.js.map +1 -1
package/dist/providers.d.ts +3 -3
package/dist/providers.js +3 -1
package/dist/rbac/index.d.ts +77 -13
package/dist/rbac/index.js +12 -9
package/dist/{types-Bwgl--Xo.d.ts → types-CEpcvwwF.d.ts} +1 -1
package/dist/types.d.ts +3 -3
package/dist/types.js +1 -1
package/dist/{usePublicRouteParams-CTDELQ7H.d.ts → usePublicRouteParams-TZe0gy-4.d.ts} +17 -10
package/dist/utils.d.ts +8 -8
package/dist/utils.js +16 -16
package/docs/README.md +2 -2
package/docs/api/classes/ColumnFactory.md +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +2 -2
package/docs/api/classes/Logger.md +1 -1
package/docs/api/classes/MissingUserContextError.md +2 -2
package/docs/api/classes/OrganisationContextRequiredError.md +1 -1
package/docs/api/classes/PermissionDeniedError.md +1 -1
package/docs/api/classes/RBACAuditManager.md +2 -2
package/docs/api/classes/RBACCache.md +1 -1
package/docs/api/classes/RBACEngine.md +5 -5
package/docs/api/classes/RBACError.md +1 -1
package/docs/api/classes/RBACNotInitializedError.md +2 -2
package/docs/api/classes/SecureSupabaseClient.md +25 -20
package/docs/api/classes/StorageUtils.md +7 -4
package/docs/api/enums/FileCategory.md +1 -1
package/docs/api/enums/LogLevel.md +1 -1
package/docs/api/enums/RBACErrorCode.md +1 -1
package/docs/api/enums/RPCFunction.md +1 -1
package/docs/api/interfaces/AddressFieldProps.md +1 -1
package/docs/api/interfaces/AddressFieldRef.md +1 -1
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/AutocompleteOptions.md +1 -1
package/docs/api/interfaces/AvatarProps.md +1 -1
package/docs/api/interfaces/BadgeProps.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CalendarProps.md +20 -6
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/ComplianceResult.md +1 -1
package/docs/api/interfaces/DataAccessRecord.md +9 -9
package/docs/api/interfaces/DataRecord.md +1 -1
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/DatabaseComplianceResult.md +1 -1
package/docs/api/interfaces/DatabaseIssue.md +1 -1
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
package/docs/api/interfaces/EventAppRoleData.md +1 -1
package/docs/api/interfaces/ExportColumn.md +1 -1
package/docs/api/interfaces/ExportOptions.md +1 -1
package/docs/api/interfaces/FileDisplayProps.md +62 -16
package/docs/api/interfaces/FileMetadata.md +1 -1
package/docs/api/interfaces/FileReference.md +2 -2
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadOptions.md +26 -12
package/docs/api/interfaces/FileUploadProps.md +30 -19
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/FormFieldProps.md +1 -1
package/docs/api/interfaces/FormProps.md +1 -1
package/docs/api/interfaces/GrantEventAppRoleParams.md +1 -1
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoggerConfig.md +1 -1
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +10 -10
package/docs/api/interfaces/NavigationContextType.md +9 -9
package/docs/api/interfaces/NavigationGuardProps.md +1 -1
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +7 -7
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +1 -1
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +1 -1
package/docs/api/interfaces/PaceLoginPageProps.md +1 -1
package/docs/api/interfaces/PageAccessRecord.md +8 -8
package/docs/api/interfaces/PagePermissionContextType.md +8 -8
package/docs/api/interfaces/PagePermissionGuardProps.md +1 -1
package/docs/api/interfaces/PagePermissionProviderProps.md +7 -7
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/ParsedAddress.md +2 -2
package/docs/api/interfaces/PermissionEnforcerProps.md +1 -1
package/docs/api/interfaces/ProgressProps.md +3 -11
package/docs/api/interfaces/ProtectedRouteProps.md +1 -1
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/QuickFix.md +1 -1
package/docs/api/interfaces/RBACAccessValidateParams.md +1 -1
package/docs/api/interfaces/RBACAccessValidateResult.md +1 -1
package/docs/api/interfaces/RBACAuditLogParams.md +1 -1
package/docs/api/interfaces/RBACAuditLogResult.md +1 -1
package/docs/api/interfaces/RBACConfig.md +2 -2
package/docs/api/interfaces/RBACContext.md +1 -1
package/docs/api/interfaces/RBACLogger.md +1 -1
package/docs/api/interfaces/RBACPageAccessCheckParams.md +1 -1
package/docs/api/interfaces/RBACPerformanceMetrics.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckParams.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckResult.md +1 -1
package/docs/api/interfaces/RBACPermissionsGetParams.md +1 -1
package/docs/api/interfaces/RBACPermissionsGetResult.md +1 -1
package/docs/api/interfaces/RBACResult.md +1 -1
package/docs/api/interfaces/RBACRoleGrantParams.md +1 -1
package/docs/api/interfaces/RBACRoleGrantResult.md +1 -1
package/docs/api/interfaces/RBACRoleRevokeParams.md +1 -1
package/docs/api/interfaces/RBACRoleRevokeResult.md +1 -1
package/docs/api/interfaces/RBACRoleValidateParams.md +1 -1
package/docs/api/interfaces/RBACRoleValidateResult.md +1 -1
package/docs/api/interfaces/RBACRolesListParams.md +1 -1
package/docs/api/interfaces/RBACRolesListResult.md +1 -1
package/docs/api/interfaces/RBACSessionTrackParams.md +1 -1
package/docs/api/interfaces/RBACSessionTrackResult.md +1 -1
package/docs/api/interfaces/ResourcePermissions.md +1 -1
package/docs/api/interfaces/RevokeEventAppRoleParams.md +1 -1
package/docs/api/interfaces/RoleBasedRouterContextType.md +8 -8
package/docs/api/interfaces/RoleBasedRouterProps.md +10 -10
package/docs/api/interfaces/RoleManagementResult.md +1 -1
package/docs/api/interfaces/RouteAccessRecord.md +10 -10
package/docs/api/interfaces/RouteConfig.md +10 -10
package/docs/api/interfaces/RuntimeComplianceResult.md +1 -1
package/docs/api/interfaces/SecureDataContextType.md +9 -9
package/docs/api/interfaces/SecureDataProviderProps.md +8 -8
package/docs/api/interfaces/SessionRestorationLoaderProps.md +1 -1
package/docs/api/interfaces/SetupIssue.md +1 -1
package/docs/api/interfaces/StorageConfig.md +4 -4
package/docs/api/interfaces/StorageFileInfo.md +7 -7
package/docs/api/interfaces/StorageFileMetadata.md +25 -14
package/docs/api/interfaces/StorageListOptions.md +22 -9
package/docs/api/interfaces/StorageListResult.md +4 -4
package/docs/api/interfaces/StorageUploadOptions.md +21 -8
package/docs/api/interfaces/StorageUploadResult.md +6 -6
package/docs/api/interfaces/StorageUrlOptions.md +19 -6
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/SwitchProps.md +1 -1
package/docs/api/interfaces/TabsContentProps.md +1 -1
package/docs/api/interfaces/TabsListProps.md +1 -1
package/docs/api/interfaces/TabsProps.md +1 -1
package/docs/api/interfaces/TabsTriggerProps.md +1 -1
package/docs/api/interfaces/TextareaProps.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +53 -53
package/docs/api/interfaces/UnifiedAuthProviderProps.md +13 -13
package/docs/api/interfaces/UseFormDialogOptions.md +1 -1
package/docs/api/interfaces/UseFormDialogReturn.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventLogoOptions.md +2 -2
package/docs/api/interfaces/UsePublicEventLogoReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +2 -2
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UseResolvedScopeOptions.md +5 -5
package/docs/api/interfaces/UseResolvedScopeReturn.md +4 -4
package/docs/api/interfaces/UseResourcePermissionsOptions.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +11 -11
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +165 -106
package/docs/api-reference/components.md +15 -7
package/docs/api-reference/providers.md +2 -2
package/docs/api-reference/rpc-functions.md +1 -0
package/docs/best-practices/README.md +1 -1
package/docs/best-practices/deployment.md +8 -8
package/docs/getting-started/examples/README.md +2 -2
package/docs/getting-started/installation-guide.md +4 -4
package/docs/getting-started/quick-start.md +3 -3
package/docs/migration/MIGRATION_GUIDE.md +3 -3
package/docs/migration/README.md +18 -0
package/docs/migration/database-changes-december-2025.md +767 -0
package/docs/migration/person-scoped-profiles-migration-guide.md +472 -0
package/docs/rbac/compliance/compliance-guide.md +2 -2
package/docs/rbac/event-based-apps.md +2 -2
package/docs/rbac/getting-started.md +2 -2
package/docs/rbac/quick-start.md +2 -2
package/docs/security/README.md +4 -4
package/docs/standards/07-rbac-and-rls-standard.md +430 -7
package/docs/troubleshooting/README.md +2 -2
package/docs/troubleshooting/migration.md +3 -3
package/package.json +1 -3
package/scripts/check-pace-core-compliance.cjs +1 -1
package/scripts/check-pace-core-compliance.js +1 -1
package/src/__tests__/fixtures/supabase.ts +301 -0
package/src/__tests__/public-recipe-view.test.ts +19 -19
package/src/__tests__/rls-policies.test.ts +210 -74
package/src/components/AddressField/AddressField.test.tsx +42 -0
package/src/components/AddressField/AddressField.tsx +71 -60
package/src/components/AddressField/README.md +7 -6
package/src/components/Alert/Alert.test.tsx +50 -10
package/src/components/Alert/Alert.tsx +5 -3
package/src/components/Avatar/Avatar.test.tsx +95 -43
package/src/components/Avatar/Avatar.tsx +16 -16
package/src/components/Button/Button.test.tsx +2 -1
package/src/components/Button/Button.tsx +3 -3
package/src/components/Calendar/Calendar.test.tsx +53 -37
package/src/components/Calendar/Calendar.tsx +409 -82
package/src/components/Card/Card.test.tsx +7 -4
package/src/components/Card/Card.tsx +3 -6
package/src/components/Checkbox/Checkbox.tsx +2 -2
package/src/components/DataTable/components/ActionButtons.tsx +5 -5
package/src/components/DataTable/components/BulkOperationsDropdown.tsx +2 -2
package/src/components/DataTable/components/ColumnFilter.tsx +1 -1
package/src/components/DataTable/components/ColumnVisibilityDropdown.tsx +3 -3
package/src/components/DataTable/components/DataTableBody.tsx +12 -12
package/src/components/DataTable/components/DataTableCore.tsx +3 -3
package/src/components/DataTable/components/DataTableToolbar.tsx +5 -5
package/src/components/DataTable/components/DraggableColumnHeader.tsx +3 -3
package/src/components/DataTable/components/EditableRow.tsx +2 -2
package/src/components/DataTable/components/EmptyState.tsx +3 -3
package/src/components/DataTable/components/GroupHeader.tsx +2 -2
package/src/components/DataTable/components/GroupingDropdown.tsx +1 -1
package/src/components/DataTable/components/ImportModal.tsx +4 -4
package/src/components/DataTable/components/LoadingState.tsx +1 -1
package/src/components/DataTable/components/PaginationControls.tsx +11 -11
package/src/components/DataTable/components/UnifiedTableBody.tsx +9 -9
package/src/components/DataTable/components/ViewRowModal.tsx +2 -2
package/src/components/DataTable/components/__tests__/AccessDeniedPage.test.tsx +11 -37
package/src/components/DataTable/components/__tests__/DataTableToolbar.test.tsx +157 -0
package/src/components/DataTable/components/__tests__/LoadingState.test.tsx +2 -1
package/src/components/DataTable/components/__tests__/VirtualizedDataTable.test.tsx +128 -0
package/src/components/DataTable/core/__tests__/ActionManager.test.ts +19 -0
package/src/components/DataTable/core/__tests__/ColumnFactory.test.ts +51 -0
package/src/components/DataTable/core/__tests__/ColumnManager.test.ts +84 -0
package/src/components/DataTable/core/__tests__/DataManager.test.ts +14 -0
package/src/components/DataTable/core/__tests__/DataTableContext.test.tsx +136 -0
package/src/components/DataTable/core/__tests__/LocalDataAdapter.test.ts +16 -0
package/src/components/DataTable/core/__tests__/PluginRegistry.test.ts +18 -0
package/src/components/DataTable/hooks/useDataTablePermissions.ts +28 -7
package/src/components/DataTable/utils/__tests__/hierarchicalUtils.test.ts +30 -1
package/src/components/DataTable/utils/hierarchicalUtils.ts +38 -10
package/src/components/DatePickerWithTimezone/DatePickerWithTimezone.test.tsx +8 -3
package/src/components/DatePickerWithTimezone/DatePickerWithTimezone.tsx +4 -4
package/src/components/Dialog/Dialog.tsx +2 -2
package/src/components/EventSelector/EventSelector.tsx +7 -7
package/src/components/FileDisplay/FileDisplay.tsx +291 -179
package/src/components/FileUpload/FileUpload.tsx +7 -4
package/src/components/Header/Header.test.tsx +28 -0
package/src/components/Header/Header.tsx +22 -9
package/src/components/InactivityWarningModal/InactivityWarningModal.tsx +2 -2
package/src/components/LoadingSpinner/LoadingSpinner.test.tsx +19 -14
package/src/components/LoadingSpinner/LoadingSpinner.tsx +5 -5
package/src/components/NavigationMenu/NavigationMenu.test.tsx +127 -1
package/src/components/OrganisationSelector/OrganisationSelector.tsx +42 -22
package/src/components/PaceAppLayout/PaceAppLayout.integration.test.tsx +4 -0
package/src/components/PaceAppLayout/PaceAppLayout.performance.test.tsx +3 -0
package/src/components/PaceAppLayout/PaceAppLayout.security.test.tsx +3 -0
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +16 -6
package/src/components/PaceAppLayout/PaceAppLayout.tsx +37 -3
package/src/components/PaceAppLayout/test-setup.tsx +1 -0
package/src/components/PaceLoginPage/PaceLoginPage.test.tsx +66 -45
package/src/components/PaceLoginPage/PaceLoginPage.tsx +6 -4
package/src/components/Progress/Progress.test.tsx +18 -19
package/src/components/Progress/Progress.tsx +31 -32
package/src/components/PublicLayout/PublicLayout.test.tsx +6 -6
package/src/components/PublicLayout/PublicPageProvider.tsx +5 -3
package/src/components/Select/Select.test.tsx +4 -1
package/src/components/Select/Select.tsx +65 -20
package/src/components/Switch/Switch.test.tsx +2 -1
package/src/components/Switch/Switch.tsx +1 -1
package/src/components/Toast/Toast.tsx +1 -1
package/src/components/Tooltip/Tooltip.test.tsx +8 -2
package/src/components/UserMenu/UserMenu.tsx +3 -3
package/src/eslint-rules/pace-core-compliance.cjs +0 -2
package/src/eslint-rules/pace-core-compliance.js +0 -2
package/src/hooks/__tests__/hooks.integration.test.tsx +4 -1
package/src/hooks/__tests__/useAppConfig.unit.test.ts +76 -5
package/src/hooks/__tests__/useDataTableState.test.ts +76 -0
package/src/hooks/__tests__/useFileUrl.unit.test.ts +25 -69
package/src/hooks/__tests__/useFileUrlCache.test.ts +129 -0
package/src/hooks/__tests__/usePreventTabReload.test.ts +88 -0
package/src/hooks/__tests__/usePublicEvent.simple.test.ts +1 -1
package/src/hooks/__tests__/usePublicEvent.test.ts +608 -0
package/src/hooks/__tests__/useQueryCache.test.ts +144 -0
package/src/hooks/__tests__/useSecureDataAccess.unit.test.tsx +67 -24
package/src/hooks/index.ts +1 -1
package/src/hooks/public/usePublicEvent.ts +10 -10
package/src/hooks/public/usePublicFileDisplay.ts +173 -87
package/src/hooks/useAppConfig.ts +24 -5
package/src/hooks/useFileDisplay.ts +298 -36
package/src/hooks/useFileReference.ts +56 -11
package/src/hooks/useFileUrl.ts +1 -1
package/src/hooks/useInactivityTracker.ts +16 -7
package/src/hooks/usePermissionCache.test.ts +85 -8
package/src/hooks/useQueryCache.ts +27 -6
package/src/hooks/useSecureDataAccess.test.ts +87 -42
package/src/hooks/useSecureDataAccess.ts +95 -48
package/src/providers/__tests__/OrganisationProvider.test.tsx +27 -21
package/src/providers/services/EventServiceProvider.tsx +37 -17
package/src/providers/services/InactivityServiceProvider.tsx +4 -4
package/src/providers/services/OrganisationServiceProvider.tsx +8 -1
package/src/providers/services/UnifiedAuthProvider.tsx +115 -29
package/src/rbac/__tests__/auth-rbac.e2e.test.tsx +451 -0
package/src/rbac/__tests__/engine.comprehensive.test.ts +12 -0
package/src/rbac/__tests__/rbac-engine-core-logic.test.ts +8 -0
package/src/rbac/__tests__/rbac-engine-simplified.test.ts +4 -0
package/src/rbac/api.ts +240 -36
package/src/rbac/cache-invalidation.ts +21 -7
package/src/rbac/compliance/quick-fix-suggestions.ts +1 -1
package/src/rbac/components/NavigationGuard.tsx +23 -63
package/src/rbac/components/NavigationProvider.test.tsx +52 -23
package/src/rbac/components/NavigationProvider.tsx +13 -11
package/src/rbac/components/PagePermissionGuard.tsx +77 -203
package/src/rbac/components/PagePermissionProvider.tsx +13 -11
package/src/rbac/components/PermissionEnforcer.tsx +24 -62
package/src/rbac/components/RoleBasedRouter.tsx +14 -12
package/src/rbac/components/SecureDataProvider.tsx +13 -11
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +104 -41
package/src/rbac/components/__tests__/NavigationProvider.test.tsx +49 -12
package/src/rbac/components/__tests__/PagePermissionGuard.race-condition.test.tsx +22 -1
package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx +161 -82
package/src/rbac/components/__tests__/PagePermissionGuard.verification.test.tsx +22 -1
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +77 -30
package/src/rbac/components/__tests__/RoleBasedRouter.test.tsx +39 -5
package/src/rbac/components/__tests__/SecureDataProvider.test.tsx +47 -4
package/src/rbac/engine.ts +4 -2
package/src/rbac/hooks/__tests__/useSecureSupabase.test.ts +144 -52
package/src/rbac/hooks/index.ts +3 -0
package/src/rbac/hooks/useCan.test.ts +101 -53
package/src/rbac/hooks/usePermissions.ts +108 -41
package/src/rbac/hooks/useRBAC.test.ts +11 -3
package/src/rbac/hooks/useRBAC.ts +83 -40
package/src/rbac/hooks/useResolvedScope.test.ts +189 -63
package/src/rbac/hooks/useResolvedScope.ts +128 -70
package/src/rbac/hooks/useSecureSupabase.ts +36 -19
package/src/rbac/hooks/useSuperAdminBypass.ts +126 -0
package/src/rbac/request-deduplication.ts +1 -1
package/src/rbac/secureClient.ts +72 -12
package/src/rbac/security.ts +29 -23
package/src/rbac/types.ts +10 -0
package/src/rbac/utils/__tests__/contextValidator.test.ts +150 -0
package/src/rbac/utils/__tests__/deep-equal.test.ts +53 -0
package/src/rbac/utils/__tests__/eventContext.test.ts +8 -3
package/src/rbac/utils/__tests__/eventContext.unit.test.ts +74 -12
package/src/rbac/utils/contextValidator.ts +288 -0
package/src/rbac/utils/eventContext.ts +52 -3
package/src/services/AuthService.ts +37 -8
package/src/services/EventService.ts +165 -21
package/src/services/OrganisationService.ts +125 -137
package/src/services/__tests__/EventService.test.ts +26 -21
package/src/services/__tests__/OrganisationService.pagination.test.ts +34 -8
package/src/services/__tests__/OrganisationService.test.ts +218 -86
package/src/types/database.generated.ts +166 -201
package/src/types/file-reference.ts +13 -10
package/src/types/supabase.ts +2 -2
package/src/utils/__tests__/secureDataAccess.unit.test.ts +3 -2
package/src/utils/app/appNameResolver.test.ts +346 -73
package/src/utils/context/superAdminOverride.ts +58 -0
package/src/utils/file-reference/index.ts +65 -37
package/src/utils/google-places/googlePlacesUtils.test.ts +98 -0
package/src/utils/google-places/googlePlacesUtils.ts +1 -1
package/src/utils/google-places/loadGoogleMapsScript.test.ts +83 -0
package/src/utils/google-places/types.ts +1 -1
package/src/utils/request-deduplication.ts +4 -4
package/src/utils/security/secureDataAccess.test.ts +1 -1
package/src/utils/security/secureDataAccess.ts +7 -4
package/src/utils/storage/README.md +1 -1
package/src/utils/storage/helpers.test.ts +1 -1
package/src/utils/storage/helpers.ts +38 -19
package/src/utils/storage/types.ts +15 -8
package/src/utils/validation/__tests__/csrf.test.ts +105 -0
package/src/utils/validation/__tests__/sqlInjectionProtection.test.ts +92 -0
package/src/vite-env.d.ts +2 -2
package/dist/chunk-3GOZZZYH.js.map +0 -1
package/dist/chunk-DDM4CCYT.js.map +0 -1
package/dist/chunk-E7UAOUMY.js +0 -75
package/dist/chunk-E7UAOUMY.js.map +0 -1
package/dist/chunk-F2IMUDXZ.js.map +0 -1
package/dist/chunk-HEHYGYOX.js.map +0 -1
package/dist/chunk-IM4QE42D.js.map +0 -1
package/dist/chunk-MX64ZF6I.js.map +0 -1
package/dist/chunk-SAUPYVLF.js.map +0 -1
package/dist/chunk-THRPYOFK.js.map +0 -1
package/dist/chunk-UCQSRW7Z.js.map +0 -1
package/dist/chunk-VGZZXKBR.js.map +0 -1
package/dist/chunk-YGPFYGA6.js.map +0 -1
package/dist/chunk-YHCN776L.js.map +0 -1
/package/dist/{DataTable-GUFUNZ3N.js.map → DataTable-WKRZD47S.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-643PUAIM.js.map → UnifiedAuthProvider-FTSG5XH7.js.map} +0 -0
/package/dist/{api-YP7XD5L6.js.map → api-IHKALJZD.js.map} +0 -0
/package/dist/{chunk-HESYZWZW.js.map → chunk-QWWZ5CAQ.js.map} +0 -0

package/dist/{chunk-3GOZZZYH.js → chunk-VRGWKHDB.js} RENAMED Viewed

@@ -1,4 +1,15 @@
 import {
+  useAppConfig,
+  useEvents,
+  useResolvedScope,
+  useSuperAdminBypass
+} from "./chunk-OETXORNB.js";
+import {
+  useOrganisations,
+  useUnifiedAuth
+} from "./chunk-6LTQQAT6.js";
+import {
+  ContextValidator,
   OrganisationContextRequiredError,
   getAccessLevel,
   getPermissionMap,
@@ -7,32 +18,22 @@ import {
   isPermitted,
   isPermittedCached,
   resolveAppContext
-} from "./chunk-HEHYGYOX.js";
-import {
-  useEvents,
-  useOrganisations
-} from "./chunk-E7UAOUMY.js";
-import {
-  useUnifiedAuth
-} from "./chunk-VGZZXKBR.js";
-import {
-  getCurrentAppName
-} from "./chunk-F2IMUDXZ.js";
+} from "./chunk-ROXMHMY2.js";
 import {
-  createLogger,
   logger
 } from "./chunk-PWLANIRT.js";
 // src/rbac/secureClient.ts
 import { createClient } from "@supabase/supabase-js";
 var SecureSupabaseClient = class _SecureSupabaseClient {
-  constructor(supabaseUrl, supabaseKey, organisationId, eventId, appId) {
+  constructor(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin = false) {
     this.edgeFunctionClient = null;
     this.supabaseUrl = supabaseUrl;
     this.supabaseKey = supabaseKey;
     this.organisationId = organisationId;
     this.eventId = eventId;
     this.appId = appId;
+    this.isSuperAdmin = isSuperAdmin;
     this.supabase = createClient(supabaseUrl, supabaseKey, {
       global: {
         headers: {
@@ -53,7 +54,8 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
     this.supabase.from = (table) => {
       this.validateContext();
       const query = originalFrom(table);
-      return this.injectContext(query);
+      query._tableName = table;
+      return this.injectContext(query, table);
     };
     const originalRpc = this.supabase.rpc.bind(this.supabase);
     this.supabase.rpc = (fn, args, options) => {
@@ -90,33 +92,60 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
   /**
    * Inject organisation context into a query
    */
-  injectContext(query) {
+  injectContext(query, tableName) {
     const originalSelect = query.select.bind(query);
     const originalInsert = query.insert.bind(query);
     const originalUpdate = query.update.bind(query);
     const originalDelete = query.delete.bind(query);
     query.select = (columns) => {
       const result = originalSelect(columns);
-      return this.addOrganisationFilter(result);
+      return this.addOrganisationFilter(result, tableName);
     };
     query.insert = (values) => {
+      if (tableName === "rbac_user_profiles") {
+        if (this.isSuperAdmin) {
+          return originalInsert(values);
+        }
+        const contextValues2 = Array.isArray(values) ? values.map((v) => ({ ...v, organisation_id: this.organisationId })) : { ...values, organisation_id: this.organisationId };
+        return originalInsert(contextValues2);
+      }
       const contextValues = Array.isArray(values) ? values.map((v) => ({ ...v, organisation_id: this.organisationId })) : { ...values, organisation_id: this.organisationId };
       return originalInsert(contextValues);
     };
     query.update = (values) => {
       const result = originalUpdate(values);
-      return this.addOrganisationFilter(result);
+      return this.addOrganisationFilter(result, tableName);
     };
     query.delete = () => {
       const result = originalDelete();
-      return this.addOrganisationFilter(result);
+      return this.addOrganisationFilter(result, tableName);
     };
     return query;
   }
   /**
    * Add organisation filter to a query
+   *
+   * Defense in depth strategy:
+   * - RLS policies are the primary security layer (cannot be bypassed)
+   * - Application-level filtering adds an additional layer of protection
+   *
+   * For rbac_user_profiles:
+   * - Super admins: No org filter (see all users) - RLS will allow access
+   * - Non-super-admins: Apply org filter as defense in depth - RLS will also filter
+   *
+   * For other tables:
+   * - Always apply org filter unless super admin bypasses it
    */
-  addOrganisationFilter(query) {
+  addOrganisationFilter(query, tableName) {
+    if (tableName === "rbac_user_profiles") {
+      if (this.isSuperAdmin) {
+        return query;
+      }
+      return query.eq("organisation_id", this.organisationId);
+    }
+    if (this.isSuperAdmin) {
+      return query.eq("organisation_id", this.organisationId);
+    }
     return query.eq("organisation_id", this.organisationId);
   }
   /**
@@ -154,7 +183,8 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
       this.supabaseKey,
       updates.organisationId || this.organisationId,
       updates.eventId !== void 0 ? updates.eventId : this.eventId,
-      updates.appId !== void 0 ? updates.appId : this.appId
+      updates.appId !== void 0 ? updates.appId : this.appId,
+      updates.isSuperAdmin !== void 0 ? updates.isSuperAdmin : this.isSuperAdmin
     );
   }
   /**
@@ -172,8 +202,8 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
     });
   }
 };
-function createSecureClient(supabaseUrl, supabaseKey, organisationId, eventId, appId) {
-  return new SecureSupabaseClient(supabaseUrl, supabaseKey, organisationId, eventId, appId);
+function createSecureClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin = false) {
+  return new SecureSupabaseClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin);
 }
 function fromSupabaseClient(client, organisationId, eventId, appId) {
   throw new Error("fromSupabaseClient is not supported. Use createSecureClient instead.");
@@ -201,15 +231,16 @@ function useRBAC(pageId) {
   const {
     user,
     session,
+    supabase,
     appName,
     appConfig,
+    appId: contextAppId,
     selectedOrganisation,
     isContextReady: orgContextReady,
     organisationLoading: orgLoading,
     selectedEvent,
     eventLoading
   } = useUnifiedAuth();
-  const requiresEvent = appConfig?.requires_event ?? (appConfig === null ? true : false);
   const [globalRole, setGlobalRole] = useState(null);
   const [organisationRole, setOrganisationRole] = useState(null);
   const [eventAppRole, setEventAppRole] = useState(null);
@@ -230,59 +261,91 @@ function useRBAC(pageId) {
       setIsLoading(false);
       return;
     }
-    if (orgLoading || !orgContextReady || !selectedOrganisation?.id) {
+    const initialScope = {
+      organisationId: appConfig?.requires_event ? selectedEvent?.organisation_id || selectedOrganisation?.id : selectedOrganisation?.id,
+      eventId: selectedEvent?.event_id || void 0,
+      appId: void 0
+    };
+    const contextReady = ContextValidator.isContextReady(
+      initialScope,
+      appConfig,
+      appName,
+      !!selectedEvent,
+      !!selectedOrganisation
+    );
+    if (appName !== "PORTAL" && appName !== "ADMIN" && !contextReady) {
       setIsLoading(true);
       return;
     }
-    if (requiresEvent) {
-      if (eventLoading || !selectedEvent) {
-        setIsLoading(true);
-        return;
-      }
-    }
     setIsLoading(true);
     setError(null);
     logger2.debug("[useRBAC] Loading RBAC context", {
       appName,
-      requiresEvent,
+      appConfig,
       hasSelectedEvent: !!selectedEvent,
       selectedEventId: selectedEvent?.event_id,
       organisationId: selectedOrganisation?.id
     });
     try {
-      let appId;
-      if (appName) {
+      let appId = contextAppId;
+      if (appName && !appId) {
         try {
           const resolved = await resolveAppContext({ userId: user.id, appName });
-          if (!resolved || !resolved.hasAccess) {
+          if (!resolved) {
+            if (appName === "PORTAL" || appName === "ADMIN") {
+              logger2.debug(`[useRBAC] ${appName} app context not resolved, attempting direct lookup`);
+              try {
+                const { getAppConfigByName } = await import("./api-IHKALJZD.js");
+                const config = await getAppConfigByName(appName);
+                logger2.debug(`[useRBAC] ${appName} app - proceeding without appId for page-level permissions`);
+              } catch (err) {
+                logger2.debug(`[useRBAC] ${appName} app - proceeding without appId for page-level permissions`);
+              }
+            } else {
+              throw new Error(`User does not have access to app "${appName}"`);
+            }
+          } else if (!resolved.hasAccess && appName !== "PORTAL" && appName !== "ADMIN") {
             throw new Error(`User does not have access to app "${appName}"`);
+          } else {
+            appId = resolved.appId;
           }
-          appId = resolved.appId;
         } catch (rpcError) {
           if (rpcError?.message?.includes("NetworkError") || rpcError?.message?.includes("fetch")) {
             logger2.warn("[useRBAC] NetworkError resolving app context - may be timing issue, will retry when context is ready", {
               appName,
               error: rpcError.message,
-              requiresEvent,
               eventLoading,
               hasSelectedEvent: !!selectedEvent
             });
             setIsLoading(false);
             return;
           }
-          throw rpcError;
+          if (appName === "PORTAL" || appName === "ADMIN") {
+            logger2.debug(`[useRBAC] ${appName} app - allowing access despite app context resolution failure`);
+          } else {
+            throw rpcError;
+          }
         }
       }
       const scope = {
-        organisationId: selectedOrganisation?.id,
-        eventId: selectedEvent?.event_id || void 0,
-        appId
+        ...initialScope,
+        appId: appId || contextAppId
       };
-      setCurrentScope(scope);
+      const validation = await ContextValidator.resolveRequiredContext(
+        scope,
+        appConfig,
+        appName,
+        supabase || null
+      );
+      if (!validation.isValid || !validation.resolvedScope) {
+        throw validation.error || new Error("Context validation failed");
+      }
+      const resolvedScope = validation.resolvedScope;
+      setCurrentScope(resolvedScope);
       const [map, roleContext, accessLevel] = await Promise.all([
-        getPermissionMap({ userId: user.id, scope }),
-        getRoleContext({ userId: user.id, scope }),
-        getAccessLevel({ userId: user.id, scope })
+        getPermissionMap({ userId: user.id, scope: resolvedScope }, appConfig, appName),
+        getRoleContext({ userId: user.id, scope: resolvedScope }, appConfig, appName),
+        getAccessLevel({ userId: user.id, scope: resolvedScope }, appConfig, appName)
       ]);
       setPermissionMap(map);
       setGlobalRole(roleContext.globalRole);
@@ -292,8 +355,8 @@ function useRBAC(pageId) {
       if (permissionCount === 0) {
         logger2.warn("[useRBAC] RBAC context loaded but returned 0 permissions", {
           appName,
-          organisationId: selectedOrganisation.id,
-          eventId: selectedEvent?.event_id
+          organisationId: resolvedScope.organisationId,
+          eventId: resolvedScope.eventId
         });
       }
     } catch (err) {
@@ -304,7 +367,7 @@ function useRBAC(pageId) {
     } finally {
       setIsLoading(false);
     }
-  }, [appName, logger2, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user, requiresEvent, eventLoading, appConfig, orgContextReady, orgLoading]);
+  }, [appName, logger2, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user, eventLoading, appConfig, orgContextReady, orgLoading]);
   const hasGlobalPermission = useCallback(
     (permission) => {
       if (globalRole === "super_admin" || permissionMap["*"]) {
@@ -327,7 +390,7 @@ function useRBAC(pageId) {
   const canManageEvent = useMemo(() => isSuperAdmin || eventAppRole === "event_admin", [isSuperAdmin, eventAppRole]);
   useEffect(() => {
     loadRBACContext();
-  }, [loadRBACContext, appName, requiresEvent, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
+  }, [loadRBACContext, appName, appConfig, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
   return {
     user,
     globalRole,
@@ -344,176 +407,8 @@ function useRBAC(pageId) {
   };
 }
-// src/rbac/hooks/useResolvedScope.ts
-import { useEffect as useEffect2, useState as useState2, useRef } from "react";
-// src/rbac/utils/eventContext.ts
-async function getOrganisationFromEvent(supabase, eventId) {
-  const { data, error } = await supabase.from("event").select("organisation_id").eq("event_id", eventId).single();
-  if (error || !data) {
-    return null;
-  }
-  return data.organisation_id;
-}
-async function createScopeFromEvent(supabase, eventId, appId) {
-  const organisationId = await getOrganisationFromEvent(supabase, eventId);
-  if (!organisationId) {
-    return null;
-  }
-  return {
-    organisationId,
-    eventId,
-    appId
-  };
-}
-// src/rbac/hooks/useResolvedScope.ts
-var log = createLogger("useResolvedScope");
-function useResolvedScope({
-  supabase,
-  selectedOrganisationId,
-  selectedEventId
-}) {
-  const [resolvedScope, setResolvedScope] = useState2(null);
-  const [isLoading, setIsLoading] = useState2(true);
-  const [error, setError] = useState2(null);
-  const stableScopeRef = useRef({
-    organisationId: "",
-    appId: "",
-    eventId: void 0
-  });
-  useEffect2(() => {
-    if (resolvedScope && resolvedScope.organisationId) {
-      const newScope = {
-        organisationId: resolvedScope.organisationId,
-        appId: resolvedScope.appId,
-        eventId: resolvedScope.eventId
-      };
-      if (stableScopeRef.current.organisationId !== newScope.organisationId || stableScopeRef.current.eventId !== newScope.eventId || stableScopeRef.current.appId !== newScope.appId) {
-        stableScopeRef.current = {
-          organisationId: newScope.organisationId,
-          appId: newScope.appId || "",
-          eventId: newScope.eventId
-        };
-      }
-    } else if (!resolvedScope) {
-      stableScopeRef.current = { organisationId: "", appId: "", eventId: void 0 };
-    }
-  }, [resolvedScope]);
-  const stableScope = stableScopeRef.current;
-  useEffect2(() => {
-    let cancelled = false;
-    const resolveScope = async () => {
-      if (!supabase && !selectedOrganisationId && !selectedEventId) {
-        if (!cancelled) {
-          setResolvedScope(null);
-          setIsLoading(false);
-          setError(null);
-        }
-        return;
-      }
-      setIsLoading(true);
-      setError(null);
-      try {
-        let appId = void 0;
-        if (supabase) {
-          const appName = getCurrentAppName();
-          if (appName) {
-            try {
-              const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).eq("is_active", true).single();
-              if (error2) {
-                const { data: inactiveApp } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName).single();
-                if (inactiveApp) {
-                  log.error(`App "${appName}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
-                } else {
-                  log.error(`App "${appName}" not found in rbac_apps table`);
-                }
-              } else if (app) {
-                appId = app.id;
-              }
-            } catch (error2) {
-              log.error("Unexpected error resolving app ID:", error2);
-            }
-          }
-        }
-        if (selectedOrganisationId && selectedEventId) {
-          if (!cancelled) {
-            setResolvedScope({
-              organisationId: selectedOrganisationId,
-              eventId: selectedEventId,
-              appId
-            });
-            setIsLoading(false);
-          }
-          return;
-        }
-        if (selectedOrganisationId) {
-          if (!cancelled) {
-            setResolvedScope({
-              organisationId: selectedOrganisationId,
-              eventId: selectedEventId || void 0,
-              appId
-            });
-            setIsLoading(false);
-          }
-          return;
-        }
-        if (selectedEventId && supabase) {
-          try {
-            const eventScope = await createScopeFromEvent(supabase, selectedEventId, appId);
-            if (!eventScope) {
-              log.error("Could not resolve organization from event context");
-              if (!cancelled) {
-                setResolvedScope(null);
-                setError(new Error("Could not resolve organisation from event context"));
-                setIsLoading(false);
-              }
-              return;
-            }
-            if (!cancelled) {
-              setResolvedScope({
-                ...eventScope,
-                appId: appId || eventScope.appId
-              });
-              setIsLoading(false);
-            }
-          } catch (err) {
-            log.error("Error resolving scope from event:", err);
-            if (!cancelled) {
-              setResolvedScope(null);
-              setError(err);
-              setIsLoading(false);
-            }
-          }
-          return;
-        }
-        log.error("No organisation or event context available");
-        if (!cancelled) {
-          setResolvedScope(null);
-          setError(new Error("No organisation or event context available"));
-          setIsLoading(false);
-        }
-      } catch (err) {
-        if (!cancelled) {
-          setError(err);
-          setIsLoading(false);
-        }
-      }
-    };
-    resolveScope();
-    return () => {
-      cancelled = true;
-    };
-  }, [selectedOrganisationId, selectedEventId, supabase]);
-  return {
-    resolvedScope: stableScope.organisationId ? stableScope : null,
-    isLoading,
-    error
-  };
-}
 // src/rbac/hooks/usePermissions.ts
-import { useState as useState3, useEffect as useEffect3, useCallback as useCallback2, useMemo as useMemo2, useRef as useRef2 } from "react";
+import { useState as useState2, useEffect as useEffect2, useCallback as useCallback2, useMemo as useMemo2, useRef } from "react";
 // src/rbac/utils/deep-equal.ts
 function scopeEqual(a, b) {
@@ -528,15 +423,15 @@ function scopeEqual(a, b) {
 // src/rbac/hooks/usePermissions.ts
 function usePermissions(userId, organisationId, eventId, appId) {
-  const [permissions, setPermissions] = useState3({});
-  const [isLoading, setIsLoading] = useState3(true);
-  const [error, setError] = useState3(null);
-  const [fetchTrigger, setFetchTrigger] = useState3(0);
-  const isFetchingRef = useRef2(false);
+  const [permissions, setPermissions] = useState2({});
+  const [isLoading, setIsLoading] = useState2(true);
+  const [error, setError] = useState2(null);
+  const [fetchTrigger, setFetchTrigger] = useState2(0);
+  const isFetchingRef = useRef(false);
   const logger2 = getRBACLogger();
-  const prevValuesRef = useRef2({ userId, organisationId, eventId, appId });
+  const prevValuesRef = useRef({ userId, organisationId, eventId, appId });
   const orgId = organisationId || "";
-  useEffect3(() => {
+  useEffect2(() => {
     if (!userId) {
       return;
     }
@@ -550,19 +445,21 @@ function usePermissions(userId, organisationId, eventId, appId) {
     if (error?.message === "Organisation context is required for permission checks") {
       setError(null);
     }
-  }, [userId, organisationId, error]);
-  const paramsChanged = prevValuesRef.current.userId !== userId || prevValuesRef.current.organisationId !== organisationId || prevValuesRef.current.eventId !== eventId || prevValuesRef.current.appId !== appId;
-  if (paramsChanged) {
-    if (prevValuesRef.current.appId !== appId) {
-      logger2.debug("[usePermissions] AppId changed - triggering fetch", {
-        prevAppId: prevValuesRef.current.appId,
-        newAppId: appId
-      });
+  }, [userId, organisationId, error, orgId]);
+  useEffect2(() => {
+    const paramsChanged = prevValuesRef.current.userId !== userId || prevValuesRef.current.organisationId !== organisationId || prevValuesRef.current.eventId !== eventId || prevValuesRef.current.appId !== appId;
+    if (paramsChanged) {
+      if (prevValuesRef.current.appId !== appId) {
+        logger2.debug("[usePermissions] AppId changed - triggering fetch", {
+          prevAppId: prevValuesRef.current.appId,
+          newAppId: appId
+        });
+      }
+      prevValuesRef.current = { userId, organisationId, eventId, appId };
+      setFetchTrigger((prev) => prev + 1);
     }
-    prevValuesRef.current = { userId, organisationId, eventId, appId };
-    setFetchTrigger((prev) => prev + 1);
-  }
-  useEffect3(() => {
+  }, [userId, organisationId, eventId, appId, logger2]);
+  useEffect2(() => {
     const fetchPermissions = async () => {
       if (isFetchingRef.current) {
         return;
@@ -671,16 +568,18 @@ function usePermissions(userId, organisationId, eventId, appId) {
     refetch
   }), [permissions, isLoading, error, hasPermission, hasAnyPermission, hasAllPermissions, refetch]);
 }
-function useCan(userId, scope, permission, pageId, useCache = true) {
-  const [can, setCan] = useState3(false);
-  const [isLoading, setIsLoading] = useState3(true);
-  const [error, setError] = useState3(null);
+function useCan(userId, scope, permission, pageId, useCache = true, appName) {
+  const [can, setCan] = useState2(false);
+  const [isLoading, setIsLoading] = useState2(true);
+  const [error, setError] = useState2(null);
   const isValidScope = scope && typeof scope === "object";
   const organisationId = isValidScope ? scope.organisationId : void 0;
   const eventId = isValidScope ? scope.eventId : void 0;
   const appId = isValidScope ? scope.appId : void 0;
-  useEffect3(() => {
-    if (!isValidScope || !organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "") {
+  useEffect2(() => {
+    const isPagePermission = permission.includes(":page.") || !!pageId;
+    const requiresOrgId = !isPagePermission;
+    if (requiresOrgId && (!isValidScope || !organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
       const timeoutId = setTimeout(() => {
         setError(new Error("Organisation context is required for permission checks"));
         setIsLoading(false);
@@ -691,12 +590,12 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
     if (error?.message === "Organisation context is required for permission checks") {
       setError(null);
     }
-  }, [isValidScope, organisationId, error]);
-  const lastUserIdRef = useRef2(null);
-  const lastScopeRef = useRef2(null);
-  const lastPermissionRef = useRef2(null);
-  const lastPageIdRef = useRef2(null);
-  const lastUseCacheRef = useRef2(null);
+  }, [isValidScope, organisationId, error, permission, pageId]);
+  const lastUserIdRef = useRef(null);
+  const lastScopeRef = useRef(null);
+  const lastPermissionRef = useRef(null);
+  const lastPageIdRef = useRef(null);
+  const lastUseCacheRef = useRef(null);
   const stableScope = useMemo2(() => {
     if (!isValidScope) {
       return null;
@@ -707,8 +606,8 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
       appId
     };
   }, [isValidScope, organisationId, eventId, appId]);
-  const prevScopeRef = useRef2(null);
-  useEffect3(() => {
+  const prevScopeRef = useRef(null);
+  useEffect2(() => {
     const scopeChanged = !scopeEqual(prevScopeRef.current, stableScope);
     if (lastUserIdRef.current !== userId || scopeChanged || lastPermissionRef.current !== permission || lastPageIdRef.current !== pageId || lastUseCacheRef.current !== useCache) {
       lastUserIdRef.current = userId;
@@ -728,7 +627,17 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
           setError(null);
           return;
         }
-        if (!organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "") {
+        const isPagePermission = permission.includes(":page.") || !!pageId;
+        const requiresOrgId = !isPagePermission;
+        const isPageName = pageId && typeof pageId === "string" && !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(pageId);
+        const needsAppIdForPageName = isPagePermission && isPageName;
+        if (requiresOrgId && (!organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
+          setIsLoading(true);
+          setCan(false);
+          setError(null);
+          return;
+        }
+        if (needsAppIdForPageName && (!appId || appId === null || typeof appId === "string" && appId.trim() === "")) {
           setIsLoading(true);
           setCan(false);
           setError(null);
@@ -738,11 +647,11 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
           setIsLoading(true);
           setError(null);
           const validScope = {
-            organisationId,
+            ...organisationId ? { organisationId } : {},
             ...eventId ? { eventId } : {},
             ...appId ? { appId } : {}
           };
-          const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }) : await isPermitted({ userId, scope: validScope, permission, pageId });
+          const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, void 0, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, void 0, appName);
           setCan(result);
         } catch (err) {
           const logger2 = getRBACLogger();
@@ -755,7 +664,7 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
       };
       checkPermission();
     }
-  }, [userId, stableScope, permission, pageId, useCache]);
+  }, [userId, stableScope, permission, pageId, useCache, appName]);
   const refetch = useCallback2(async () => {
     if (!userId) {
       setCan(false);
@@ -768,7 +677,9 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
       setError(null);
       return;
     }
-    if (!organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "") {
+    const isPagePermission = permission.includes(":page.") || !!pageId;
+    const requiresOrgId = !isPagePermission;
+    if (requiresOrgId && (!organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
       setCan(false);
       setIsLoading(true);
       setError(null);
@@ -778,11 +689,11 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
       setIsLoading(true);
       setError(null);
       const validScope = {
-        organisationId,
+        ...organisationId ? { organisationId } : {},
         ...eventId ? { eventId } : {},
         ...appId ? { appId } : {}
       };
-      const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }) : await isPermitted({ userId, scope: validScope, permission, pageId });
+      const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, void 0, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, void 0, appName);
       setCan(result);
     } catch (err) {
       setError(err instanceof Error ? err : new Error("Failed to check permission"));
@@ -790,7 +701,7 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
     } finally {
       setIsLoading(false);
     }
-  }, [userId, isValidScope, organisationId, eventId, appId, permission, pageId, useCache]);
+  }, [userId, isValidScope, organisationId, eventId, appId, permission, pageId, useCache, appName]);
   return useMemo2(() => ({
     can,
     isLoading,
@@ -799,9 +710,15 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
   }), [can, isLoading, error, refetch]);
 }
 function useAccessLevel(userId, scope) {
-  const [accessLevel, setAccessLevel] = useState3("viewer");
-  const [isLoading, setIsLoading] = useState3(true);
-  const [error, setError] = useState3(null);
+  const [accessLevel, setAccessLevel] = useState2("viewer");
+  const [isLoading, setIsLoading] = useState2(true);
+  const [error, setError] = useState2(null);
+  let appName;
+  try {
+    const { appName: contextAppName } = useAppConfig();
+    appName = contextAppName;
+  } catch {
+  }
   const fetchAccessLevel = useCallback2(async () => {
     if (!userId) {
       setAccessLevel("viewer");
@@ -811,16 +728,31 @@ function useAccessLevel(userId, scope) {
     try {
       setIsLoading(true);
       setError(null);
-      const level = await getAccessLevel({ userId, scope });
+      const { isSuperAdmin: checkSuperAdmin } = await import("./api-IHKALJZD.js");
+      const isSuperAdminUser = await checkSuperAdmin(userId);
+      if (isSuperAdminUser) {
+        setAccessLevel("super");
+        setIsLoading(false);
+        return;
+      }
+      if (appName !== "PORTAL" && appName !== "ADMIN" && !scope.organisationId && !scope.eventId) {
+        const orgError = new OrganisationContextRequiredError();
+        setError(orgError);
+        setAccessLevel("viewer");
+        setIsLoading(false);
+        return;
+      }
+      const level = await getAccessLevel({ userId, scope }, null, appName);
       setAccessLevel(level);
     } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to fetch access level"));
+      const error2 = err instanceof Error ? err : new Error("Failed to fetch access level");
+      setError(error2);
       setAccessLevel("viewer");
     } finally {
       setIsLoading(false);
     }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
-  useEffect3(() => {
+  }, [userId, scope.organisationId, scope.eventId, scope.appId, appName]);
+  useEffect2(() => {
     fetchAccessLevel();
   }, [fetchAccessLevel]);
   return useMemo2(() => ({
@@ -831,9 +763,9 @@ function useAccessLevel(userId, scope) {
   }), [accessLevel, isLoading, error, fetchAccessLevel]);
 }
 function useMultiplePermissions(userId, scope, permissions, useCache = true) {
-  const [results, setResults] = useState3({});
-  const [isLoading, setIsLoading] = useState3(true);
-  const [error, setError] = useState3(null);
+  const [results, setResults] = useState2({});
+  const [isLoading, setIsLoading] = useState2(true);
+  const [error, setError] = useState2(null);
   const checkPermissions = useCallback2(async () => {
     if (!userId || permissions.length === 0) {
       setResults({});
@@ -856,7 +788,7 @@ function useMultiplePermissions(userId, scope, permissions, useCache = true) {
       setIsLoading(false);
     }
   }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect3(() => {
+  useEffect2(() => {
     checkPermissions();
   }, [checkPermissions]);
   return useMemo2(() => ({
@@ -867,9 +799,9 @@ function useMultiplePermissions(userId, scope, permissions, useCache = true) {
   }), [results, isLoading, error, checkPermissions]);
 }
 function useHasAnyPermission(userId, scope, permissions, useCache = true) {
-  const [hasAny, setHasAny] = useState3(false);
-  const [isLoading, setIsLoading] = useState3(true);
-  const [error, setError] = useState3(null);
+  const [hasAny, setHasAny] = useState2(false);
+  const [isLoading, setIsLoading] = useState2(true);
+  const [error, setError] = useState2(null);
   const checkAnyPermission = useCallback2(async () => {
     if (!userId || permissions.length === 0) {
       setHasAny(false);
@@ -895,7 +827,7 @@ function useHasAnyPermission(userId, scope, permissions, useCache = true) {
       setIsLoading(false);
     }
   }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect3(() => {
+  useEffect2(() => {
     checkAnyPermission();
   }, [checkAnyPermission]);
   return useMemo2(() => ({
@@ -906,9 +838,9 @@ function useHasAnyPermission(userId, scope, permissions, useCache = true) {
   }), [hasAny, isLoading, error, checkAnyPermission]);
 }
 function useHasAllPermissions(userId, scope, permissions, useCache = true) {
-  const [hasAll, setHasAll] = useState3(false);
-  const [isLoading, setIsLoading] = useState3(true);
-  const [error, setError] = useState3(null);
+  const [hasAll, setHasAll] = useState2(false);
+  const [isLoading, setIsLoading] = useState2(true);
+  const [error, setError] = useState2(null);
   const checkAllPermissions = useCallback2(async () => {
     if (!userId || permissions.length === 0) {
       setHasAll(false);
@@ -934,7 +866,7 @@ function useHasAllPermissions(userId, scope, permissions, useCache = true) {
       setIsLoading(false);
     }
   }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect3(() => {
+  useEffect2(() => {
     checkAllPermissions();
   }, [checkAllPermissions]);
   return useMemo2(() => ({
@@ -945,9 +877,9 @@ function useHasAllPermissions(userId, scope, permissions, useCache = true) {
   }), [hasAll, isLoading, error, checkAllPermissions]);
 }
 function useCachedPermissions(userId, scope) {
-  const [permissions, setPermissions] = useState3({});
-  const [isLoading, setIsLoading] = useState3(true);
-  const [error, setError] = useState3(null);
+  const [permissions, setPermissions] = useState2({});
+  const [isLoading, setIsLoading] = useState2(true);
+  const [error, setError] = useState2(null);
   const fetchCachedPermissions = useCallback2(async () => {
     if (!userId) {
       setPermissions({});
@@ -968,7 +900,7 @@ function useCachedPermissions(userId, scope) {
   const invalidateCache = useCallback2(() => {
     fetchCachedPermissions();
   }, [fetchCachedPermissions]);
-  useEffect3(() => {
+  useEffect2(() => {
     fetchCachedPermissions();
   }, [fetchCachedPermissions]);
   return useMemo2(() => ({
@@ -1095,11 +1027,11 @@ function useResourcePermissions(resource, options = {}) {
 }
 // src/rbac/hooks/useRoleManagement.ts
-import { useState as useState4, useCallback as useCallback3 } from "react";
+import { useState as useState3, useCallback as useCallback3 } from "react";
 function useRoleManagement() {
   const { user, supabase } = useUnifiedAuth();
-  const [isLoading, setIsLoading] = useState4(false);
-  const [error, setError] = useState4(null);
+  const [isLoading, setIsLoading] = useState3(false);
+  const [error, setError] = useState3(null);
   if (!supabase) {
     throw new Error("useRoleManagement requires a Supabase client. Ensure UnifiedAuthProvider is configured.");
   }
@@ -1369,11 +1301,11 @@ function useRoleManagement() {
 }
 // src/rbac/hooks/useSecureSupabase.ts
-import { useMemo as useMemo4, useRef as useRef3 } from "react";
+import { useMemo as useMemo4, useRef as useRef2 } from "react";
 var secureClientCache = /* @__PURE__ */ new Map();
 var MAX_CACHE_SIZE = 5;
-function getCacheKey(organisationId, eventId, appId) {
-  return `${organisationId}-${eventId || "no-event"}-${appId || "no-app"}`;
+function getCacheKey(organisationId, eventId, appId, isSuperAdmin) {
+  return `${organisationId}-${eventId || "no-event"}-${appId || "no-app"}-${isSuperAdmin ? "super" : "regular"}`;
 }
 function getSupabaseConfig() {
   const getEnvVar = (key) => {
@@ -1386,7 +1318,7 @@ function getSupabaseConfig() {
     return void 0;
   };
   const supabaseUrl = getEnvVar("VITE_SUPABASE_URL") || getEnvVar("NEXT_PUBLIC_SUPABASE_URL") || null;
-  const supabaseKey = getEnvVar("VITE_SUPABASE_ANON_KEY") || getEnvVar("NEXT_PUBLIC_SUPABASE_ANON_KEY") || null;
+  const supabaseKey = getEnvVar("VITE_SUPABASE_PUBLISHABLE_KEY") || getEnvVar("NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY") || null;
   if (!supabaseUrl || !supabaseKey) {
     return null;
   }
@@ -1398,12 +1330,15 @@ function useSecureSupabase(baseClient) {
   const eventsContext = useEvents();
   const { selectedEvent } = eventsContext;
   const eventLoading = "eventLoading" in eventsContext ? eventsContext.eventLoading : false;
+  const { isSuperAdmin: verifiedIsSuperAdmin, isLoading: isVerifyingSuperAdmin } = useSuperAdminBypass();
+  const metadataHint = Boolean(user?.app_metadata?.is_super_admin) || Boolean(user?.user_metadata?.is_super_admin);
+  const isSuperAdmin = verifiedIsSuperAdmin || isVerifyingSuperAdmin && metadataHint;
   const { resolvedScope } = useResolvedScope({
     supabase: authSupabase || null,
     selectedOrganisationId: selectedOrganisation?.id || null,
     selectedEventId: selectedEvent?.event_id || null
   });
-  const prevContextRef = useRef3({
+  const prevContextRef = useRef2({
     organisationId: void 0,
     eventId: void 0,
     appId: void 0
@@ -1412,12 +1347,12 @@ function useSecureSupabase(baseClient) {
     if (eventLoading) {
       return baseClient || authSupabase || null;
     }
-    if (selectedOrganisation?.id && user?.id) {
-      const organisationId = selectedOrganisation.id;
-      const eventId = selectedEvent?.event_id;
-      const appId = resolvedScope?.appId;
+    const organisationId = resolvedScope?.organisationId;
+    const eventId = resolvedScope?.eventId || selectedEvent?.event_id;
+    const appId = resolvedScope?.appId;
+    if (organisationId && user?.id) {
       prevContextRef.current = { organisationId, eventId, appId };
-      const cacheKey = getCacheKey(organisationId, eventId, appId);
+      const cacheKey = getCacheKey(organisationId, eventId, appId, isSuperAdmin);
       const cachedClient = secureClientCache.get(cacheKey);
       if (cachedClient) {
         return cachedClient.getClient();
@@ -1425,7 +1360,7 @@ function useSecureSupabase(baseClient) {
       const config = getSupabaseConfig();
       if (!config || !config.url || !config.key) {
         logger.warn("useSecureSupabase", "Missing Supabase environment variables. Falling back to base client.", {
-          note: "Ensure VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY are set in your environment."
+          note: "Ensure VITE_SUPABASE_URL and VITE_SUPABASE_PUBLISHABLE_KEY are set in your environment."
         });
         return baseClient || authSupabase || null;
       }
@@ -1436,8 +1371,10 @@ function useSecureSupabase(baseClient) {
           organisationId,
           // organisationId is string, UUID is string alias
           eventId,
-          appId
+          appId,
           // appId is string | undefined, UUID is string alias
+          isSuperAdmin
+          // Pass super admin status for conditional filtering
         );
         secureClientCache.set(cacheKey, secureClient);
         if (secureClientCache.size > MAX_CACHE_SIZE) {
@@ -1454,11 +1391,13 @@ function useSecureSupabase(baseClient) {
     }
     return baseClient || authSupabase || null;
   }, [
-    selectedOrganisation?.id,
+    resolvedScope?.organisationId,
+    resolvedScope?.eventId,
+    resolvedScope?.appId,
     selectedEvent?.event_id,
     user?.id,
     eventLoading,
-    resolvedScope?.appId,
+    isSuperAdmin,
     baseClient,
     authSupabase
   ]);
@@ -1469,8 +1408,6 @@ export {
   createSecureClient,
   fromSupabaseClient,
   useRBAC,
-  createScopeFromEvent,
-  useResolvedScope,
   scopeEqual,
   usePermissions,
   useCan,
@@ -1483,4 +1420,4 @@ export {
   useRoleManagement,
   useSecureSupabase
 };
-//# sourceMappingURL=chunk-3GOZZZYH.js.map
+//# sourceMappingURL=chunk-VRGWKHDB.js.map