@jmruthers/pace-core 0.5.190 → 0.5.193
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{AuthService-CbP_utw2.d.ts → AuthService-DjnJHDtC.d.ts} +1 -0
- package/dist/{DataTable-ON3IXISJ.js → DataTable-5FU7IESH.js} +7 -6
- package/dist/{DataTable-IVYljGJ6.d.ts → DataTable-Be6dH_dR.d.ts} +1 -1
- package/dist/{PublicPageProvider-C4uxosp6.d.ts → PublicPageProvider-C0Sm_e5k.d.ts} +4 -2
- package/dist/{UnifiedAuthProvider-BYA9qB-o.d.ts → UnifiedAuthProvider-185Ih4dj.d.ts} +2 -0
- package/dist/{UnifiedAuthProvider-X5NXANVI.js → UnifiedAuthProvider-RGJTDE2C.js} +3 -3
- package/dist/{api-I6UCQ5S6.js → api-N774RPUA.js} +2 -2
- package/dist/chunk-6C4YBBJM 5.js +628 -0
- package/dist/chunk-7D4SUZUM.js 2.map +1 -0
- package/dist/{chunk-73HSNNOQ.js → chunk-7EQTDTTJ.js} +47 -74
- package/dist/chunk-7EQTDTTJ.js 2.map +1 -0
- package/dist/chunk-7EQTDTTJ.js.map +1 -0
- package/dist/{chunk-J2XXC7R5.js → chunk-7FLMSG37.js} +409 -244
- package/dist/chunk-7FLMSG37.js 2.map +1 -0
- package/dist/chunk-7FLMSG37.js.map +1 -0
- package/dist/{chunk-NIU6J6OX.js → chunk-BC4IJKSL.js} +23 -32
- package/dist/chunk-BC4IJKSL.js.map +1 -0
- package/dist/{chunk-SDMHPX3X.js → chunk-E3SPN4VZ 5.js } +198 -53
- package/dist/chunk-E3SPN4VZ.js +12917 -0
- package/dist/{chunk-SDMHPX3X.js.map → chunk-E3SPN4VZ.js.map} +1 -1
- package/dist/chunk-E66EQZE6 5.js +37 -0
- package/dist/chunk-E66EQZE6.js 2.map +1 -0
- package/dist/{chunk-DZWK57KZ.js → chunk-G37KK66H.js} +1 -1
- package/dist/{chunk-DZWK57KZ.js.map → chunk-G37KK66H.js.map} +1 -1
- package/dist/{chunk-STYK4OH2.js → chunk-HWIIPPNI.js} +44 -225
- package/dist/chunk-HWIIPPNI.js.map +1 -0
- package/dist/chunk-I7PSE6JW 5.js +191 -0
- package/dist/chunk-I7PSE6JW.js 2.map +1 -0
- package/dist/{chunk-Y4BUBBHD.js → chunk-IIELH4DL.js} +211 -136
- package/dist/chunk-IIELH4DL.js.map +1 -0
- package/dist/{chunk-RUYZKXOD.js → chunk-KNC55RTG.js} +17 -5
- package/dist/chunk-KNC55RTG.js 5.map +1 -0
- package/dist/chunk-KNC55RTG.js.map +1 -0
- package/dist/chunk-KQCRWDSA.js 5.map +1 -0
- package/dist/{chunk-4QYC5L4K.js → chunk-LFNCN2SP.js} +26 -30
- package/dist/chunk-LFNCN2SP.js 2.map +1 -0
- package/dist/chunk-LFNCN2SP.js.map +1 -0
- package/dist/chunk-LMC26NLJ 2.js +84 -0
- package/dist/{chunk-VVBAW5A5.js → chunk-NOAYCWCX 5.js } +118 -110
- package/dist/chunk-NOAYCWCX.js +4993 -0
- package/dist/chunk-NOAYCWCX.js.map +1 -0
- package/dist/chunk-QWWZ5CAQ.js 3.map +1 -0
- package/dist/chunk-QXHPKYJV 3.js +113 -0
- package/dist/chunk-R77UEZ4E 3.js +68 -0
- package/dist/chunk-VBXEHIUJ.js 6.map +1 -0
- package/dist/{chunk-HQVPB5MZ.js → chunk-XNXXZ43G.js} +77 -33
- package/dist/chunk-XNXXZ43G.js.map +1 -0
- package/dist/chunk-ZSAAAMVR 6.js +25 -0
- package/dist/components.d.ts +4 -4
- package/dist/components.js +8 -8
- package/dist/components.js 5.map +1 -0
- package/dist/{database.generated-DI89OQeI.d.ts → database.generated-CzIvgcPu.d.ts} +165 -201
- package/dist/hooks.d.ts +12 -12
- package/dist/hooks.js +9 -9
- package/dist/index.d.ts +11 -11
- package/dist/index.js +20 -27
- package/dist/index.js.map +1 -1
- package/dist/providers.d.ts +3 -3
- package/dist/providers.js +2 -2
- package/dist/rbac/index.d.ts +2 -20
- package/dist/rbac/index.js +7 -9
- package/dist/styles/index 2.js +12 -0
- package/dist/styles/index.js 5.map +1 -0
- package/dist/theming/runtime 5.js +19 -0
- package/dist/theming/runtime.js 5.map +1 -0
- package/dist/{types-Bwgl--Xo.d.ts → types-CEpcvwwF.d.ts} +1 -1
- package/dist/types.d.ts +2 -2
- package/dist/{usePublicRouteParams-DxIDS4bC.d.ts → usePublicRouteParams-TZe0gy-4.d.ts} +1 -1
- package/dist/utils.d.ts +8 -8
- package/dist/utils.js +2 -2
- package/docs/api/classes/ColumnFactory.md +1 -1
- package/docs/api/classes/ErrorBoundary.md +1 -1
- package/docs/api/classes/InvalidScopeError.md +1 -1
- package/docs/api/classes/Logger.md +1 -1
- package/docs/api/classes/MissingUserContextError.md +1 -1
- package/docs/api/classes/OrganisationContextRequiredError.md +1 -1
- package/docs/api/classes/PermissionDeniedError.md +2 -2
- package/docs/api/classes/RBACAuditManager.md +2 -2
- package/docs/api/classes/RBACCache.md +1 -1
- package/docs/api/classes/RBACEngine.md +2 -2
- package/docs/api/classes/RBACError.md +1 -1
- package/docs/api/classes/RBACNotInitializedError.md +1 -1
- package/docs/api/classes/SecureSupabaseClient.md +10 -10
- package/docs/api/classes/StorageUtils.md +1 -1
- package/docs/api/enums/FileCategory.md +1 -1
- package/docs/api/enums/LogLevel.md +1 -1
- package/docs/api/enums/RBACErrorCode.md +1 -1
- package/docs/api/enums/RPCFunction.md +1 -1
- package/docs/api/interfaces/AddressFieldProps.md +1 -1
- package/docs/api/interfaces/AddressFieldRef.md +1 -1
- package/docs/api/interfaces/AggregateConfig.md +1 -1
- package/docs/api/interfaces/AutocompleteOptions.md +1 -1
- package/docs/api/interfaces/AvatarProps.md +1 -1
- package/docs/api/interfaces/BadgeProps.md +1 -1
- package/docs/api/interfaces/ButtonProps.md +1 -1
- package/docs/api/interfaces/CalendarProps.md +1 -1
- package/docs/api/interfaces/CardProps.md +1 -1
- package/docs/api/interfaces/ColorPalette.md +1 -1
- package/docs/api/interfaces/ColorShade.md +1 -1
- package/docs/api/interfaces/ComplianceResult.md +1 -1
- package/docs/api/interfaces/DataAccessRecord.md +1 -1
- package/docs/api/interfaces/DataRecord.md +1 -1
- package/docs/api/interfaces/DataTableAction.md +1 -1
- package/docs/api/interfaces/DataTableColumn.md +1 -1
- package/docs/api/interfaces/DataTableProps.md +1 -1
- package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
- package/docs/api/interfaces/DatabaseComplianceResult.md +1 -1
- package/docs/api/interfaces/DatabaseIssue.md +1 -1
- package/docs/api/interfaces/EmptyStateConfig.md +1 -1
- package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
- package/docs/api/interfaces/EventAppRoleData.md +1 -1
- package/docs/api/interfaces/ExportColumn.md +1 -1
- package/docs/api/interfaces/ExportOptions.md +1 -1
- package/docs/api/interfaces/FileDisplayProps.md +24 -11
- package/docs/api/interfaces/FileMetadata.md +1 -1
- package/docs/api/interfaces/FileReference.md +1 -1
- package/docs/api/interfaces/FileSizeLimits.md +1 -1
- package/docs/api/interfaces/FileUploadOptions.md +1 -1
- package/docs/api/interfaces/FileUploadProps.md +1 -1
- package/docs/api/interfaces/FooterProps.md +1 -1
- package/docs/api/interfaces/FormFieldProps.md +1 -1
- package/docs/api/interfaces/FormProps.md +1 -1
- package/docs/api/interfaces/GrantEventAppRoleParams.md +1 -1
- package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
- package/docs/api/interfaces/InputProps.md +1 -1
- package/docs/api/interfaces/LabelProps.md +1 -1
- package/docs/api/interfaces/LoggerConfig.md +1 -1
- package/docs/api/interfaces/LoginFormProps.md +1 -1
- package/docs/api/interfaces/NavigationAccessRecord.md +2 -2
- package/docs/api/interfaces/NavigationContextType.md +1 -1
- package/docs/api/interfaces/NavigationGuardProps.md +1 -1
- package/docs/api/interfaces/NavigationItem.md +1 -1
- package/docs/api/interfaces/NavigationMenuProps.md +1 -1
- package/docs/api/interfaces/NavigationProviderProps.md +1 -1
- package/docs/api/interfaces/Organisation.md +1 -1
- package/docs/api/interfaces/OrganisationContextType.md +1 -1
- package/docs/api/interfaces/OrganisationMembership.md +1 -1
- package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
- package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
- package/docs/api/interfaces/PaceAppLayoutProps.md +1 -1
- package/docs/api/interfaces/PaceLoginPageProps.md +1 -1
- package/docs/api/interfaces/PageAccessRecord.md +1 -1
- package/docs/api/interfaces/PagePermissionContextType.md +1 -1
- package/docs/api/interfaces/PagePermissionGuardProps.md +2 -2
- package/docs/api/interfaces/PagePermissionProviderProps.md +1 -1
- package/docs/api/interfaces/PaletteData.md +1 -1
- package/docs/api/interfaces/ParsedAddress.md +2 -2
- package/docs/api/interfaces/PermissionEnforcerProps.md +4 -4
- package/docs/api/interfaces/ProgressProps.md +1 -1
- package/docs/api/interfaces/ProtectedRouteProps.md +1 -1
- package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
- package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
- package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
- package/docs/api/interfaces/QuickFix.md +1 -1
- package/docs/api/interfaces/RBACAccessValidateParams.md +1 -1
- package/docs/api/interfaces/RBACAccessValidateResult.md +1 -1
- package/docs/api/interfaces/RBACAuditLogParams.md +1 -1
- package/docs/api/interfaces/RBACAuditLogResult.md +1 -1
- package/docs/api/interfaces/RBACConfig.md +2 -2
- package/docs/api/interfaces/RBACContext.md +1 -1
- package/docs/api/interfaces/RBACLogger.md +1 -1
- package/docs/api/interfaces/RBACPageAccessCheckParams.md +1 -1
- package/docs/api/interfaces/RBACPerformanceMetrics.md +1 -1
- package/docs/api/interfaces/RBACPermissionCheckParams.md +1 -1
- package/docs/api/interfaces/RBACPermissionCheckResult.md +2 -2
- package/docs/api/interfaces/RBACPermissionsGetParams.md +1 -1
- package/docs/api/interfaces/RBACPermissionsGetResult.md +1 -1
- package/docs/api/interfaces/RBACResult.md +1 -1
- package/docs/api/interfaces/RBACRoleGrantParams.md +2 -2
- package/docs/api/interfaces/RBACRoleGrantResult.md +1 -1
- package/docs/api/interfaces/RBACRoleRevokeParams.md +2 -2
- package/docs/api/interfaces/RBACRoleRevokeResult.md +1 -1
- package/docs/api/interfaces/RBACRoleValidateParams.md +2 -2
- package/docs/api/interfaces/RBACRoleValidateResult.md +1 -1
- package/docs/api/interfaces/RBACRolesListParams.md +1 -1
- package/docs/api/interfaces/RBACRolesListResult.md +2 -2
- package/docs/api/interfaces/RBACSessionTrackParams.md +1 -1
- package/docs/api/interfaces/RBACSessionTrackResult.md +1 -1
- package/docs/api/interfaces/ResourcePermissions.md +1 -1
- package/docs/api/interfaces/RevokeEventAppRoleParams.md +1 -1
- package/docs/api/interfaces/RoleBasedRouterContextType.md +1 -1
- package/docs/api/interfaces/RoleBasedRouterProps.md +1 -1
- package/docs/api/interfaces/RoleManagementResult.md +1 -1
- package/docs/api/interfaces/RouteAccessRecord.md +2 -2
- package/docs/api/interfaces/RouteConfig.md +2 -2
- package/docs/api/interfaces/RuntimeComplianceResult.md +1 -1
- package/docs/api/interfaces/SecureDataContextType.md +1 -1
- package/docs/api/interfaces/SecureDataProviderProps.md +1 -1
- package/docs/api/interfaces/SessionRestorationLoaderProps.md +1 -1
- package/docs/api/interfaces/SetupIssue.md +1 -1
- package/docs/api/interfaces/StorageConfig.md +1 -1
- package/docs/api/interfaces/StorageFileInfo.md +1 -1
- package/docs/api/interfaces/StorageFileMetadata.md +1 -1
- package/docs/api/interfaces/StorageListOptions.md +1 -1
- package/docs/api/interfaces/StorageListResult.md +1 -1
- package/docs/api/interfaces/StorageUploadOptions.md +1 -1
- package/docs/api/interfaces/StorageUploadResult.md +1 -1
- package/docs/api/interfaces/StorageUrlOptions.md +1 -1
- package/docs/api/interfaces/StyleImport.md +1 -1
- package/docs/api/interfaces/SwitchProps.md +1 -1
- package/docs/api/interfaces/TabsContentProps.md +1 -1
- package/docs/api/interfaces/TabsListProps.md +1 -1
- package/docs/api/interfaces/TabsProps.md +1 -1
- package/docs/api/interfaces/TabsTriggerProps.md +1 -1
- package/docs/api/interfaces/TextareaProps.md +1 -1
- package/docs/api/interfaces/ToastActionElement.md +1 -1
- package/docs/api/interfaces/ToastProps.md +1 -1
- package/docs/api/interfaces/UnifiedAuthContextType.md +60 -38
- package/docs/api/interfaces/UnifiedAuthProviderProps.md +13 -13
- package/docs/api/interfaces/UseFormDialogOptions.md +1 -1
- package/docs/api/interfaces/UseFormDialogReturn.md +1 -1
- package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
- package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
- package/docs/api/interfaces/UsePublicEventLogoOptions.md +2 -2
- package/docs/api/interfaces/UsePublicEventLogoReturn.md +1 -1
- package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
- package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
- package/docs/api/interfaces/UsePublicFileDisplayOptions.md +2 -2
- package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
- package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
- package/docs/api/interfaces/UseResolvedScopeOptions.md +2 -2
- package/docs/api/interfaces/UseResolvedScopeReturn.md +1 -1
- package/docs/api/interfaces/UseResourcePermissionsOptions.md +1 -1
- package/docs/api/interfaces/UserEventAccess.md +1 -1
- package/docs/api/interfaces/UserMenuProps.md +1 -1
- package/docs/api/interfaces/UserProfile.md +1 -1
- package/docs/api/modules.md +202 -217
- package/docs/migration/README.md +18 -0
- package/docs/migration/database-changes-december-2025.md +768 -0
- package/docs/migration/person-scoped-profiles-migration-guide.md +472 -0
- package/docs/rbac/event-based-apps.md +124 -6
- package/package.json +1 -1
- package/scripts/check-pace-core-compliance.cjs +292 -57
- package/src/__tests__/public-recipe-view.test.ts +10 -10
- package/src/__tests__/rls-policies.test.ts +16 -14
- package/src/components/AddressField/README.md +6 -6
- package/src/components/DataTable/__tests__/DataTable.default-state.test.tsx +172 -45
- package/src/components/DataTable/__tests__/DataTable.grouping-aggregation.test.tsx +121 -28
- package/src/components/DataTable/__tests__/DataTableCore.test-setup.ts +9 -8
- package/src/components/DataTable/__tests__/DataTableCore.test.tsx +20 -52
- package/src/components/DataTable/__tests__/a11y.basic.test.tsx +170 -34
- package/src/components/DataTable/__tests__/keyboard.test.tsx +75 -12
- package/src/components/DataTable/__tests__/pagination.modes.test.tsx +75 -11
- package/src/components/DataTable/components/UnifiedTableBody.tsx +85 -14
- package/src/components/DataTable/hooks/useDataTablePermissions.ts +75 -10
- package/src/components/FileDisplay/FileDisplay.test.tsx +2 -1
- package/src/components/FileDisplay/FileDisplay.tsx +16 -4
- package/src/components/NavigationMenu/NavigationMenu.test.tsx +6 -4
- package/src/components/NavigationMenu/NavigationMenu.tsx +1 -10
- package/src/components/OrganisationSelector/OrganisationSelector.tsx +35 -16
- package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +25 -2
- package/src/components/PaceAppLayout/PaceAppLayout.tsx +97 -68
- package/src/components/PaceLoginPage/PaceLoginPage.tsx +0 -7
- package/src/components/ProtectedRoute/ProtectedRoute.test.tsx +5 -9
- package/src/components/ProtectedRoute/ProtectedRoute.tsx +0 -1
- package/src/components/PublicLayout/PublicPageProvider.tsx +0 -1
- package/src/components/Select/Select.test.tsx +4 -1
- package/src/components/Select/Select.tsx +60 -15
- package/src/hooks/__tests__/usePermissionCache.simple.test.ts +192 -0
- package/src/hooks/__tests__/usePermissionCache.unit.test.ts +741 -0
- package/src/hooks/__tests__/usePublicEvent.simple.test.ts +703 -0
- package/src/hooks/__tests__/usePublicEvent.unit.test.ts +581 -0
- package/src/hooks/__tests__/useSecureDataAccess.unit.test.tsx +23 -15
- package/src/hooks/public/usePublicEvent.ts +8 -8
- package/src/hooks/public/usePublicFileDisplay.ts +2 -2
- package/src/hooks/services/useAuthService.ts +21 -3
- package/src/hooks/services/useEventService.ts +21 -3
- package/src/hooks/services/useInactivityService.ts +21 -3
- package/src/hooks/services/useOrganisationService.ts +21 -3
- package/src/hooks/useFileDisplay.ts +18 -26
- package/src/hooks/useQueryCache.ts +6 -6
- package/src/hooks/useSecureDataAccess.test.ts +24 -17
- package/src/hooks/useSecureDataAccess.ts +18 -13
- package/src/providers/__tests__/OrganisationProvider.test.tsx +27 -21
- package/src/providers/services/EventServiceProvider.tsx +0 -8
- package/src/providers/services/UnifiedAuthProvider.tsx +174 -24
- package/src/rbac/__tests__/adapters.comprehensive.test.tsx +10 -16
- package/src/rbac/__tests__/isSuperAdmin.real.test.ts +82 -0
- package/src/rbac/adapters.tsx +3 -22
- package/src/rbac/api.test.ts +2 -2
- package/src/rbac/api.ts +7 -1
- package/src/rbac/components/EnhancedNavigationMenu.tsx +2 -15
- package/src/rbac/components/NavigationGuard.tsx +1 -10
- package/src/rbac/components/NavigationProvider.tsx +0 -1
- package/src/rbac/components/PermissionEnforcer.tsx +45 -12
- package/src/rbac/components/SecureDataProvider.tsx +0 -1
- package/src/rbac/components/__tests__/EnhancedNavigationMenu.test.tsx +7 -43
- package/src/rbac/components/__tests__/NavigationGuard.test.tsx +4 -11
- package/src/rbac/components/__tests__/NavigationProvider.test.tsx +3 -3
- package/src/rbac/components/__tests__/SecureDataProvider.fixed.test.tsx +1 -1
- package/src/rbac/components/__tests__/SecureDataProvider.test.tsx +1 -1
- package/src/rbac/engine.ts +14 -2
- package/src/rbac/hooks/index.ts +0 -3
- package/src/rbac/hooks/usePermissions.ts +51 -11
- package/src/rbac/hooks/useRBAC.simple.test.ts +95 -0
- package/src/rbac/hooks/useRBAC.ts +3 -13
- package/src/rbac/hooks/useResolvedScope.test.ts +75 -54
- package/src/rbac/hooks/useResolvedScope.ts +58 -33
- package/src/rbac/hooks/useSecureSupabase.ts +4 -9
- package/src/rbac/secureClient.ts +31 -0
- package/src/rbac/utils/__tests__/eventContext.test.ts +2 -2
- package/src/rbac/utils/__tests__/eventContext.unit.test.ts +490 -0
- package/src/rbac/utils/eventContext.ts +5 -2
- package/src/services/AuthService.ts +37 -8
- package/src/services/EventService.ts +4 -57
- package/src/services/InactivityService.ts +127 -34
- package/src/services/OrganisationService.ts +160 -149
- package/src/services/__tests__/OrganisationService.pagination.test.ts +34 -8
- package/src/services/__tests__/OrganisationService.test.ts +218 -86
- package/src/types/database.generated.ts +166 -201
- package/src/types/supabase.ts +2 -2
- package/src/utils/__tests__/secureDataAccess.unit.test.ts +3 -2
- package/src/utils/file-reference/index.ts +4 -4
- package/src/utils/google-places/googlePlacesUtils.ts +1 -1
- package/src/utils/google-places/types.ts +1 -1
- package/src/utils/request-deduplication.ts +4 -4
- package/src/utils/security/secureDataAccess.test.ts +1 -1
- package/src/utils/security/secureDataAccess.ts +7 -4
- package/src/utils/storage/README.md +1 -1
- package/dist/chunk-4QYC5L4K.js.map +0 -1
- package/dist/chunk-73HSNNOQ.js.map +0 -1
- package/dist/chunk-HQVPB5MZ.js.map +0 -1
- package/dist/chunk-J2XXC7R5.js.map +0 -1
- package/dist/chunk-NIU6J6OX.js.map +0 -1
- package/dist/chunk-RUYZKXOD.js.map +0 -1
- package/dist/chunk-STYK4OH2.js.map +0 -1
- package/dist/chunk-VVBAW5A5.js.map +0 -1
- package/dist/chunk-Y4BUBBHD.js.map +0 -1
- package/scripts/check-pace-core-compliance.js +0 -512
- package/src/rbac/hooks/useSuperAdminBypass.ts +0 -126
- package/src/utils/context/superAdminOverride.ts +0 -58
- /package/dist/{DataTable-ON3IXISJ.js.map → DataTable-5FU7IESH.js.map} +0 -0
- /package/dist/{UnifiedAuthProvider-X5NXANVI.js.map → UnifiedAuthProvider-RGJTDE2C.js.map} +0 -0
- /package/dist/{api-I6UCQ5S6.js.map → api-N774RPUA.js.map} +0 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/hooks/useEvents.ts","../src/rbac/hooks/useResolvedScope.ts","../src/components/ErrorBoundary/ErrorBoundary.tsx","../src/components/PublicLayout/PublicPageProvider.tsx","../src/hooks/useAppConfig.ts","../src/hooks/useOrganisationSecurity.ts"],"sourcesContent":["/**\n * @file Event Hook\n * @package @jmruthers/pace-core\n * @module Hooks\n * @since 0.1.0\n *\n * Convenience hook for accessing event context.\n * This hook provides a simple interface for working with events.\n * \n * Note: This is a convenience wrapper around the EventService.\n * For better performance, consider using useEventService directly.\n */\n\nimport { useMemo, useRef } from 'react';\nimport { useEventService } from './services/useEventService';\nimport { Event } from '../types/event';\n\nexport interface EventContextType {\n events: Event[];\n selectedEvent: Event | null;\n isLoading: boolean;\n error: Error | null;\n setSelectedEvent: (event: Event | null) => void;\n refreshEvents: () => Promise<void>;\n clearEventSelection: () => Promise<void>;\n}\n\n/**\n * Hook to access event context\n * \n * @returns Event context with events, selected event, and helper methods\n * @throws {Error} If used outside EventServiceProvider\n * \n * @example\n * ```tsx\n * function MyComponent() {\n * const { events, selectedEvent, setSelectedEvent } = useEvents();\n * \n * return (\n * <div>\n * {events.map(event => (\n * <button key={event.id} onClick={() => setSelectedEvent(event)}>\n * {event.event_name}\n * </button>\n * ))}\n * </div>\n * );\n * }\n * ```\n */\nexport function useEvents(): EventContextType {\n const eventService = useEventService();\n\n // Get current state - service subscription will trigger re-renders when state changes\n const rawEvents = eventService.getEvents();\n const selectedEvent = eventService.getSelectedEvent();\n const isLoading = eventService.isLoading();\n const error = eventService.getError();\n\n // Use refs to track previous values and only create new array reference when events actually change\n const prevEventsRef = useRef<Event[]>([]);\n const prevEventsIdsRef = useRef<string>('');\n \n // Compare event IDs to detect actual changes (more efficient than deep comparison)\n // Do this outside useMemo to avoid dependency on rawEvents array\n const currentEventsIds = rawEvents.map(e => e.event_id || e.id).join(',');\n const eventsChanged = currentEventsIds !== prevEventsIdsRef.current;\n \n // Only create new array reference when events actually changed\n // Update refs synchronously, then memoize based on the ID string\n if (eventsChanged) {\n prevEventsRef.current = rawEvents;\n prevEventsIdsRef.current = currentEventsIds;\n }\n \n // Return stable array reference - only changes when event IDs change\n const events = useMemo(() => {\n return prevEventsRef.current;\n }, [currentEventsIds]);\n\n // Memoize callbacks to prevent unnecessary re-renders in child components\n const setSelectedEventCallback = useMemo(\n () => (event: Event | null) => eventService.setSelectedEvent(event),\n [eventService]\n );\n const refreshEventsCallback = useMemo(\n () => () => eventService.refreshEvents(),\n [eventService]\n );\n const clearEventSelectionCallback = useMemo(\n () => () => eventService.clearEventSelection(),\n [eventService]\n );\n\n // Memoize the return object - only recreate when actual values change\n return useMemo(() => ({\n events,\n selectedEvent,\n isLoading,\n error,\n setSelectedEvent: setSelectedEventCallback,\n refreshEvents: refreshEventsCallback,\n clearEventSelection: clearEventSelectionCallback,\n }), [events, selectedEvent?.event_id, isLoading, error?.message, setSelectedEventCallback, refreshEventsCallback, clearEventSelectionCallback]);\n}\n\n","/**\n * @file useResolvedScope Hook\n * @package @jmruthers/pace-core\n * @module RBAC/Hooks\n * @since 1.0.0\n * \n * Shared hook for resolving RBAC scope from various contexts.\n * This hook is used by both DataTable and PagePermissionGuard to ensure\n * consistent scope resolution logic.\n */\n\nimport { useEffect, useState, useRef, useMemo } from 'react';\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport type { Database } from '../../types/database';\nimport type { Scope } from '../types';\nimport { ContextValidator } from '../utils/contextValidator';\nimport type { AppConfig } from '../utils/contextValidator';\nimport { getCurrentAppName } from '../../utils/app/appNameResolver';\nimport { createLogger } from '../../utils/core/logger';\n\nconst log = createLogger('useResolvedScope');\n\n// Cache app config to avoid repeated database queries\n// App config rarely changes during a session, so we can cache it\nconst appConfigCache = new Map<string, { appId: string; appConfig: AppConfig; timestamp: number }>();\nconst CACHE_TTL = 5 * 60 * 1000; // 5 minutes\n\n// Export function to clear cache (for testing)\nexport function clearAppConfigCache(): void {\n appConfigCache.clear();\n}\n\nexport interface UseResolvedScopeOptions {\n /** Supabase client instance */\n supabase: SupabaseClient<Database> | null;\n /** Selected organisation ID */\n selectedOrganisationId: string | null;\n /** Selected event ID */\n selectedEventId: string | null;\n}\n\nexport interface UseResolvedScopeReturn {\n /** Resolved scope, or null if not yet resolved */\n resolvedScope: Scope | null;\n /** Whether the scope resolution is in progress */\n isLoading: boolean;\n /** Error if scope resolution failed */\n error: Error | null;\n}\n\n/**\n * Resolves RBAC scope from organisation and event context\n * \n * This hook handles the complex logic of determining the correct RBAC scope\n * based on available context (organisation, event, app). It ensures consistent\n * scope resolution across the application.\n * \n * @param options - Hook options\n * @returns Resolved scope and loading state\n * \n * @example\n * ```tsx\n * const { resolvedScope, isLoading } = useResolvedScope({\n * supabase,\n * selectedOrganisationId,\n * selectedEventId\n * });\n * \n * if (isLoading) return <Loading />;\n * if (!resolvedScope) return <Error />;\n * \n * const permission = useCan(userId, resolvedScope, permission);\n * ```\n */\nexport function useResolvedScope({\n supabase,\n selectedOrganisationId,\n selectedEventId\n}: UseResolvedScopeOptions): UseResolvedScopeReturn {\n const [resolvedScope, setResolvedScope] = useState<Scope | null>(null);\n const [isLoading, setIsLoading] = useState(true);\n const [error, setError] = useState<Error | null>(null);\n \n // Use a ref to track the stable scope and only update it when it actually changes\n const stableScopeRef = useRef<{ organisationId: string; appId: string; eventId: string | undefined }>({ \n organisationId: '', \n appId: '', \n eventId: undefined \n });\n \n // Update stable scope ref in useEffect to avoid updates during render\n // For PORTAL, allow scopes without organisationId\n useEffect(() => {\n if (resolvedScope) {\n const newScope = {\n organisationId: resolvedScope.organisationId || '',\n appId: resolvedScope.appId || '',\n eventId: resolvedScope.eventId\n };\n \n // Only update if the scope has actually changed\n if (stableScopeRef.current.organisationId !== newScope.organisationId ||\n stableScopeRef.current.eventId !== newScope.eventId ||\n stableScopeRef.current.appId !== newScope.appId) {\n stableScopeRef.current = {\n organisationId: newScope.organisationId,\n appId: newScope.appId,\n eventId: newScope.eventId\n };\n }\n } else {\n // Reset to empty scope when no resolved scope\n stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };\n }\n }, [resolvedScope]);\n \n // Get app name to check if it's PORTAL (needed for return logic)\n const appName = getCurrentAppName();\n \n const stableScope = stableScopeRef.current;\n \n useEffect(() => {\n let cancelled = false;\n \n const resolveScope = async () => {\n // OPTIMIZATION: If all inputs are null/undefined, immediately return empty scope\n // This indicates pre-filtered mode where we don't need to resolve scope\n if (!supabase && !selectedOrganisationId && !selectedEventId) {\n if (!cancelled) {\n setResolvedScope(null);\n setIsLoading(false);\n setError(null);\n }\n return;\n }\n \n setIsLoading(true);\n setError(null);\n \n try {\n // Get app name and config\n const appName = getCurrentAppName();\n let appId: string | undefined = undefined;\n let appConfig: AppConfig | null = null;\n \n // Try to resolve app config from database (with caching)\n // Only query if user is authenticated (RLS policies require authentication)\n if (supabase && appName) {\n try {\n // Check if user is authenticated before querying (RLS requires auth)\n // HTTP 406 errors are expected when not authenticated, so we skip the query\n const { data: session } = await supabase.auth.getSession();\n if (!session?.session) {\n // User not authenticated - skip app resolution, will retry after login\n // This is expected on login pages, so don't log as error\n log.debug(`Skipping app resolution for \"${appName}\" - user not authenticated`);\n } else {\n // Check cache first\n const cached = appConfigCache.get(appName);\n const now = Date.now();\n if (cached && (now - cached.timestamp) < CACHE_TTL) {\n appId = cached.appId;\n appConfig = cached.appConfig;\n } else {\n // Cache miss or expired - fetch from database\n const { data: app, error } = await supabase\n .from('rbac_apps')\n .select('id, name, requires_event, is_active')\n .eq('name', appName)\n .eq('is_active', true)\n .single() as { data: { id: string; name: string; requires_event: boolean; is_active: boolean } | null; error: any };\n \n if (error) {\n // HTTP 406 is expected when not authenticated (RLS blocks query)\n // Don't log as error if it's a 406 - this is expected behavior\n if (error.code === '406' || error.code === 'PGRST116' || error.message?.includes('406')) {\n log.debug(`App resolution blocked by RLS for \"${appName}\" - user may not be authenticated`);\n // Don't cache - will retry after authentication\n appId = undefined;\n } else {\n // Check if app exists but is inactive\n const { data: inactiveApp } = await supabase\n .from('rbac_apps')\n .select('id, name, is_active')\n .eq('name', appName)\n .single() as { data: { id: string; name: string; is_active: boolean } | null };\n \n if (inactiveApp) {\n log.error(`App \"${appName}\" exists but is inactive (is_active: ${inactiveApp.is_active})`);\n // Don't cache inactive apps - set appId to undefined\n appId = undefined;\n } else {\n log.error(`App \"${appName}\" not found in rbac_apps table`, { error });\n // Don't cache missing apps - set appId to undefined\n appId = undefined;\n }\n }\n } else if (app) {\n appId = app.id;\n appConfig = { requires_event: app.requires_event ?? false };\n // Only cache successful lookups of active apps\n appConfigCache.set(appName, { appId, appConfig, timestamp: now });\n }\n }\n }\n } catch (error) {\n // Handle network errors or other unexpected errors gracefully\n // Don't log 406 errors as they're expected when not authenticated\n const errorMessage = error instanceof Error ? error.message : String(error);\n if (!errorMessage.includes('406') && !errorMessage.includes('PGRST116')) {\n log.error('Unexpected error resolving app config:', error);\n } else {\n log.debug('App resolution skipped - authentication required');\n }\n }\n }\n\n // Build initial scope from available context\n // For event-required apps: Only use eventId (org will be derived)\n // For org-required apps: Only use organisationId (event is optional)\n const initialScope: Scope = {\n organisationId: appConfig?.requires_event ? undefined : (selectedOrganisationId || undefined),\n eventId: selectedEventId || undefined,\n appId: appId\n };\n\n // Use ContextValidator to resolve required context\n // For PORTAL, always allow scope resolution even if appConfig is null\n const validation = await ContextValidator.resolveRequiredContext(\n initialScope,\n appConfig,\n appName || undefined,\n supabase\n );\n\n if (!validation.isValid) {\n // For PORTAL/ADMIN apps, allow scope without org/event even if validation fails\n if (appName === 'PORTAL' || appName === 'ADMIN') {\n if (!cancelled) {\n // For PORTAL/ADMIN, we need at least an appId. If we don't have it from the query,\n // we'll set it to undefined and let the component handle it (it can use contextAppId)\n const optionalContextScope: Scope = {\n organisationId: undefined,\n eventId: undefined,\n appId: appId || undefined // appId might be undefined if query failed, that's OK\n };\n setResolvedScope(optionalContextScope);\n setError(null);\n setIsLoading(false);\n }\n return;\n }\n \n // For event-required apps: if validation fails but we have an eventId, return scope with eventId\n // The organisation will be derived later during permission checks\n if (appConfig?.requires_event && selectedEventId) {\n if (!cancelled) {\n const eventScope: Scope = {\n organisationId: undefined, // Will be derived from event during permission check\n eventId: selectedEventId,\n appId: appId || undefined\n };\n setResolvedScope(eventScope);\n setError(null); // Don't set error - let permission check handle derivation\n setIsLoading(false);\n }\n return;\n }\n \n if (!cancelled) {\n setResolvedScope(null);\n setError(validation.error || new Error('Context validation failed'));\n setIsLoading(false);\n }\n return;\n }\n\n // Set resolved scope\n if (!cancelled) {\n setResolvedScope(validation.resolvedScope);\n setError(null);\n setIsLoading(false);\n }\n } catch (err) {\n if (!cancelled) {\n setError(err as Error);\n setIsLoading(false);\n }\n }\n };\n\n resolveScope();\n \n return () => {\n cancelled = true;\n };\n }, [selectedOrganisationId, selectedEventId, supabase]);\n \n // Return scope if it has appId (for PORTAL/ADMIN) or organisationId (for other apps)\n // For PORTAL/ADMIN, always return a scope (even if empty) so components can use contextAppId\n const allowsOptionalContexts = appName === 'PORTAL' || appName === 'ADMIN';\n const hasValidScope = allowsOptionalContexts\n ? true // PORTAL/ADMIN always have valid scope (even without org/event/appId)\n : (stableScope.appId || stableScope.organisationId);\n \n // CRITICAL FIX: Memoize finalScope to prevent creating new object references on every render\n // This prevents infinite loops in useCan and other hooks that depend on scope equality\n const finalScope: Scope | null = useMemo(() => {\n if (!hasValidScope) {\n return allowsOptionalContexts ? {} : null;\n }\n \n // Build scope object only with defined values to ensure stable reference\n const scope: Scope = {};\n if (stableScope.organisationId) {\n scope.organisationId = stableScope.organisationId;\n }\n if (stableScope.eventId) {\n scope.eventId = stableScope.eventId;\n }\n if (stableScope.appId) {\n scope.appId = stableScope.appId;\n }\n \n return scope;\n }, [hasValidScope, allowsOptionalContexts, stableScope.organisationId, stableScope.eventId, stableScope.appId]);\n \n return {\n resolvedScope: finalScope,\n isLoading,\n error\n };\n}\n","/**\n * @file Error Boundary Component\n * @package @jmruthers/pace-core\n * @module Components/ErrorBoundary\n * @since 0.1.0\n *\n * A comprehensive error boundary component that catches JavaScript errors in child components\n * and provides fallback UI with retry functionality and error reporting.\n *\n * Features:\n * - Catches JavaScript errors in component tree\n * - Custom fallback UI with retry functionality\n * - Error reporting and logging\n * - Performance monitoring integration\n * - Retry mechanism with configurable attempts\n * - Development mode error details\n * - Accessibility compliant error display\n * - Component-specific error tracking\n * - Error ID generation for tracking\n *\n * @example\n * ```tsx\n * // Basic error boundary\n * <ErrorBoundary>\n * <MyComponent />\n * </ErrorBoundary>\n * \n * // Error boundary with custom fallback\n * <ErrorBoundary\n * componentName=\"UserProfile\"\n * fallback={<div>Something went wrong loading the profile.</div>}\n * onError={(error, errorInfo, errorId) => {\n * console.log('Error caught:', errorId, error);\n * }}\n * >\n * <UserProfile />\n * </ErrorBoundary>\n * \n * // Error boundary with retry functionality\n * <ErrorBoundary\n * componentName=\"DataTable\"\n * maxRetries={3}\n * enableRetry={true}\n * enableReporting={true}\n * onError={(error, errorInfo, errorId) => {\n * // Send to error reporting service\n * errorReportingService.report({ error, errorInfo, errorId });\n * }}\n * >\n * <DataTable data={data} />\n * </ErrorBoundary>\n * \n * // Wrapping multiple components\n * <ErrorBoundary componentName=\"App\">\n * <Header />\n * <ErrorBoundary componentName=\"MainContent\">\n * <MainContent />\n * </ErrorBoundary>\n * <Footer />\n * </ErrorBoundary>\n * ```\n *\n * @accessibility\n * - WCAG 2.1 AA compliant\n * - Proper ARIA role=\"alert\" for error announcements\n * - Screen reader friendly error messages\n * - Keyboard accessible retry buttons\n * - High contrast error styling\n * - Clear error identification\n *\n * @performance\n * - Efficient error state management\n * - Performance monitoring integration\n * - Minimal impact on normal rendering\n * - Configurable error reporting\n *\n * @dependencies\n * - React 18+ - Component lifecycle\n * - Performance monitoring utilities\n * - Tailwind CSS - Styling\n */\n\nimport React, { Component, ReactNode } from 'react';\nimport { performanceBudgetMonitor } from '../../utils/performance/performanceBudgets';\nimport { logger } from '../../utils/core/logger';\n\n/**\n * State interface for the ErrorBoundary component\n * @public\n */\nexport interface ErrorBoundaryState {\n /** Whether an error has been caught */\n hasError: boolean;\n /** The error that was caught */\n error?: Error;\n /** Additional error information from React */\n errorInfo?: React.ErrorInfo;\n /** Unique identifier for the error */\n errorId?: string;\n /** Number of retry attempts made */\n retryCount: number;\n}\n\n/**\n * Props interface for the ErrorBoundary component\n * @public\n */\nexport interface ErrorBoundaryProps {\n /** Child components to wrap with error boundary */\n children: ReactNode;\n /** Name of the component for error reporting */\n componentName?: string;\n /** Custom fallback UI to display when error occurs */\n fallback?: ReactNode;\n /** Callback function called when an error is caught */\n onError?: (error: Error, errorInfo: React.ErrorInfo, errorId: string) => void;\n /** Maximum number of retry attempts */\n maxRetries?: number;\n /** Whether to enable retry functionality */\n enableRetry?: boolean;\n /** Whether to enable error reporting */\n enableReporting?: boolean;\n}\n\n/**\n * ErrorBoundary component\n * Catches JavaScript errors in child components and provides fallback UI\n * \n * @example\n * ```tsx\n * <ErrorBoundary\n * componentName=\"MyComponent\"\n * maxRetries={3}\n * onError={(error, errorInfo, errorId) => {\n * console.log('Error caught:', errorId);\n * }}\n * >\n * <MyComponent />\n * </ErrorBoundary>\n * ```\n */\nexport class ErrorBoundary extends Component<ErrorBoundaryProps, ErrorBoundaryState> {\n private retryTimeoutId: NodeJS.Timeout | null = null;\n\n constructor(props: ErrorBoundaryProps) {\n super(props);\n this.state = { \n hasError: false, \n retryCount: 0 \n };\n }\n\n static getDerivedStateFromError(error: Error): Partial<ErrorBoundaryState> {\n const errorId = `error_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;\n return { \n hasError: true, \n error,\n errorId \n };\n }\n\n componentDidCatch(error: Error, errorInfo: React.ErrorInfo) {\n const { componentName = 'Unknown Component', onError, enableReporting = true } = this.props;\n const errorId = this.state.errorId!;\n \n this.setState({ errorInfo });\n \n // Enhanced logging with component name and error ID\n logger.error('ErrorBoundary', `[${componentName}] Caught error ${errorId}:`, error, errorInfo);\n \n // Performance monitoring - track error occurrence\n performanceBudgetMonitor.measure('ERROR_BOUNDARY_TRIGGER', 1, {\n componentName,\n errorId,\n errorMessage: error.message,\n stack: error.stack?.substring(0, 200), // Truncated stack trace\n });\n\n // Report error if enabled\n if (enableReporting) {\n this.reportError(errorId, componentName);\n }\n \n // Call custom error handler if provided\n if (onError) {\n onError(error, errorInfo, errorId);\n }\n }\n\n private reportError = (errorId: string, componentName: string) => {\n // In production, this would send to error reporting service\n if (import.meta.env.MODE === 'production') {\n // Example: Send to error reporting service\n // errorReportingService.report({ error, errorInfo, errorId, componentName });\n logger.warn('ErrorBoundary', 'Error reporting would be triggered in production:', { errorId, componentName });\n }\n };\n\n private handleRetry = () => {\n const { maxRetries = 3 } = this.props;\n const { retryCount } = this.state;\n\n if (retryCount < maxRetries) {\n logger.debug('ErrorBoundary', `Retrying component render (attempt ${retryCount + 1}/${maxRetries})`);\n \n this.setState(prevState => ({\n hasError: false,\n error: undefined,\n errorInfo: undefined,\n errorId: undefined,\n retryCount: prevState.retryCount + 1\n }));\n }\n };\n\n componentWillUnmount() {\n if (this.retryTimeoutId) {\n clearTimeout(this.retryTimeoutId);\n }\n }\n\n render() {\n if (this.state.hasError) {\n const { \n componentName = 'Component', \n fallback, \n enableRetry = true, \n maxRetries = 3 \n } = this.props;\n const { retryCount, errorId } = this.state;\n\n // Use custom fallback if provided\n if (fallback) {\n return fallback;\n }\n\n // Enhanced error UI with retry functionality\n return (\n <div \n role=\"alert\" \n className=\"p-6 bg-destructive/10 border border-destructive/20 rounded-lg\"\n data-error-boundary={errorId}\n >\n <div className=\"flex items-start gap-3\">\n <div className=\"flex-shrink-0\">\n <svg className=\"w-5 h-5 text-destructive\" viewBox=\"0 0 20 20\" fill=\"currentColor\">\n <path fillRule=\"evenodd\" d=\"M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7 4a1 1 0 11-2 0 1 1 0 012 0zm-1-9a1 1 0 00-1 1v4a1 1 0 102 0V6a1 1 0 00-1-1z\" clipRule=\"evenodd\" />\n </svg>\n </div>\n <div className=\"flex-1 min-w-0\">\n <h3 className=\"text-destructive\">\n Error in {componentName}\n </h3>\n <p className=\"text-destructive/80\">\n {this.state.error?.message || 'An unexpected error occurred.'}\n </p>\n \n {enableRetry && retryCount < maxRetries && (\n <div className=\"flex gap-3 mb-4\">\n <button\n onClick={this.handleRetry}\n className=\"px-4 py-2 bg-destructive text-destructive-foreground rounded-md hover:bg-destructive/90 transition-colors text-sm font-medium\"\n >\n Retry ({retryCount + 1}/{maxRetries})\n </button>\n <button\n onClick={() => window.location.reload()}\n className=\"px-4 py-2 bg-sec-600 text-main-50 rounded-md hover:bg-sec-700 transition-colors text-sm font-medium\"\n >\n Reload Page\n </button>\n </div>\n )}\n\n {retryCount >= maxRetries && (\n <div className=\"mb-4 p-3 bg-acc-50 border border-acc-200 rounded-md\">\n <p className=\"text-acc-800\">\n Maximum retry attempts reached. Please reload the page or contact support.\n </p>\n <button\n onClick={() => window.location.reload()}\n className=\"mt-2 px-3 py-1 bg-acc-600 text-main-50 rounded text-sm hover:bg-acc-700\"\n >\n Reload Page\n </button>\n </div>\n )}\n\n {import.meta.env.MODE === 'development' && this.state.error && (\n <details className=\"text-sm text-destructive/70\">\n <summary className=\"cursor-pointer font-medium mb-2\">\n Error Details (Development)\n </summary>\n <div className=\"bg-destructive/5 p-3 rounded border\">\n <p className=\"font-mono\">Error ID: {errorId}</p>\n <pre className=\"whitespace-pre-wrap text-xs overflow-auto max-h-32\">\n {this.state.error.toString()}\n {this.state.errorInfo?.componentStack}\n </pre>\n </div>\n </details>\n )}\n </div>\n </div>\n </div>\n );\n }\n\n return this.props.children;\n }\n}\n\nexport default ErrorBoundary;\n","/**\n * @file Public Page Provider\n * @package @jmruthers/pace-core\n * @module Components/PublicLayout\n * @since 1.0.0\n *\n * A completely isolated provider for public pages that doesn't trigger\n * any authentication context. This ensures public pages work independently\n * of the main application's authentication system.\n *\n * Features:\n * - No authentication required\n * - No organisation context\n * - No event context\n * - Completely isolated from main app context\n * - Environment variable access for public data\n * - Error boundary integration\n *\n * @example\n * ```tsx\n * import { PublicPageProvider } from '@jmruthers/pace-core';\n * \n * const APP_NAME = 'CORE';\n * \n * function PublicApp() {\n * return (\n * <PublicPageProvider appName={APP_NAME}>\n * <Routes>\n * <Route path=\"/events/:eventCode/recipe-grid-report\" element={<PublicRecipePage />} />\n * </Routes>\n * </PublicPageProvider>\n * );\n * }\n * ```\n */\n\nimport React, { createContext, useContext, ReactNode, useMemo } from 'react';\nimport { createClient } from '@supabase/supabase-js';\nimport type { Database } from '../../types/database';\nimport { ErrorBoundary } from '../ErrorBoundary';\nimport { logger } from '../../utils/core/logger';\n\ninterface PublicPageContextType {\n isPublicPage: true;\n supabase: ReturnType<typeof createClient<Database>> | null;\n appName: string | null;\n environment: {\n supabaseUrl: string | null;\n supabaseKey: string | null;\n };\n}\n\nexport const PublicPageContext = createContext<PublicPageContextType | undefined>(undefined);\n\nexport interface PublicPageProviderProps {\n children: ReactNode;\n /** Application name for logo display and branding. Should match the APP_NAME constant used in App.tsx */\n appName?: string;\n}\n\n/**\n * Provider for public pages that completely isolates them from authentication context\n * \n * This provider:\n * - Does not initialize any authentication providers\n * - Provides environment variables for public data access\n * - Includes error boundary for graceful error handling\n * - Is completely separate from the main app context\n * - Provides appName for consistent logo display\n */\nexport function PublicPageProvider({ children, appName }: PublicPageProviderProps) {\n // Get environment variables for public data access\n // Handle both Vite (import.meta.env) and Node.js (process.env) environments\n const getEnvVar = (key: string): string | undefined => {\n // Check Vite environment first (browser)\n if (typeof import.meta !== 'undefined' && import.meta.env) {\n const env = import.meta.env as Record<string, string | undefined>;\n return env[key];\n }\n // Check Node.js environment (server-side)\n if (typeof process !== 'undefined' && process.env) {\n return process.env[key];\n }\n return undefined;\n };\n\n const supabaseUrl = getEnvVar('VITE_SUPABASE_URL') || \n getEnvVar('NEXT_PUBLIC_SUPABASE_URL') || \n null;\n \n const supabaseKey = getEnvVar('VITE_SUPABASE_PUBLISHABLE_KEY') || \n getEnvVar('NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY') ||\n getEnvVar('VITE_SUPABASE_ANON_KEY') ||\n getEnvVar('NEXT_PUBLIC_SUPABASE_ANON_KEY') || \n null;\n\n // Create Supabase client if environment variables are available\n // Note: VITE_SUPABASE_PUBLISHABLE_KEY should be your publishable key (sb_publishable_...)\n const supabase = useMemo(() => {\n if (!supabaseUrl || !supabaseKey) {\n logger.warn('PublicPageProvider', 'Missing Supabase environment variables. Please ensure VITE_SUPABASE_URL and VITE_SUPABASE_PUBLISHABLE_KEY are set in your environment.');\n return null;\n }\n const client = createClient<Database>(supabaseUrl, supabaseKey);\n return client;\n }, [supabaseUrl, supabaseKey]);\n\n const contextValue: PublicPageContextType = {\n isPublicPage: true,\n supabase,\n appName: appName || null,\n environment: {\n supabaseUrl,\n supabaseKey\n }\n };\n\n return (\n <PublicPageContext.Provider value={contextValue}>\n <ErrorBoundary componentName=\"PublicPageProvider\">\n {children}\n </ErrorBoundary>\n </PublicPageContext.Provider>\n );\n}\n\n/**\n * Hook to access public page context\n * \n * @returns Public page context with environment variables\n */\nexport function usePublicPageContext(): PublicPageContextType {\n const context = useContext(PublicPageContext);\n \n if (!context) {\n throw new Error('usePublicPageContext must be used within a PublicPageProvider');\n }\n \n return context;\n}\n\n/**\n * Hook to check if we're in a public page context\n * \n * @returns True if we're in a public page context\n */\nexport function useIsPublicPage(): boolean {\n const context = useContext(PublicPageContext);\n return context !== undefined;\n}\n","/**\n * @file useAppConfig Hook\n * @package @jmruthers/pace-core\n * @module Hooks/useAppConfig\n * @since 0.4.0\n *\n * Hook for accessing app configuration like direct access support and event requirements.\n * This is a convenience hook that extracts app config from the UnifiedAuthProvider.\n *\n * @example\n * ```tsx\n * function MyComponent() {\n * const { supportsDirectAccess, requiresEvent, isLoading } = useAppConfig();\n * \n * if (isLoading) return <div>Loading...</div>;\n * \n * return (\n * <div>\n * {supportsDirectAccess && (\n * <div>This app supports direct access!</div>\n * )}\n * {requiresEvent && (\n * <EventSelector />\n * )}\n * </div>\n * );\n * }\n * ```\n */\n\nimport { useMemo, useContext } from 'react';\nimport { useUnifiedAuth } from '../providers/services/UnifiedAuthProvider';\nimport { useIsPublicPage, PublicPageContext } from '../components/PublicLayout/PublicPageProvider';\n\nexport interface UseAppConfigReturn {\n supportsDirectAccess: boolean;\n requiresEvent: boolean;\n isLoading: boolean;\n appName: string;\n}\n\n/**\n * Hook to access app configuration\n * Works in both authenticated and public contexts\n * @returns App configuration and loading state\n */\nexport function useAppConfig(): UseAppConfigReturn {\n // Check if we're in a public page context first\n const isPublicPage = useIsPublicPage();\n \n // Try to get appName from PublicPageContext (access context directly to avoid hook rule violations)\n const publicPageContext = useContext(PublicPageContext);\n const hasPublicContext = publicPageContext !== undefined;\n const contextAppName = publicPageContext?.appName || null;\n const getNodeEnvVar = (key: string): string | undefined =>\n typeof process !== 'undefined' && process.env ? process.env[key] : undefined;\n \n if (isPublicPage) {\n const getAppName = (): string => {\n // When tests mock public mode without the provider, default to PACE\n if (!hasPublicContext) {\n return 'PACE';\n }\n \n // Priority 1: Use appName from PublicPageContext (passed from App.tsx)\n if (contextAppName) {\n return contextAppName;\n }\n \n // Priority 2: Check environment variables\n if (typeof import.meta !== 'undefined' && (import.meta as any).env) {\n const env = (import.meta as any).env;\n return env.VITE_APP_NAME || \n env.NEXT_PUBLIC_APP_NAME || \n 'PACE';\n }\n if (typeof import.meta !== 'undefined' && import.meta.env) {\n return import.meta.env.VITE_APP_NAME || \n import.meta.env.NEXT_PUBLIC_APP_NAME || \n 'PACE';\n }\n \n const nodeEnvAppName =\n getNodeEnvVar('VITE_APP_NAME') ||\n getNodeEnvVar('NEXT_PUBLIC_APP_NAME');\n if (nodeEnvAppName) {\n return nodeEnvAppName;\n }\n \n // Priority 3: Default fallback\n return 'PACE';\n };\n \n return useMemo(() => ({\n supportsDirectAccess: false, // Public pages don't support direct access\n requiresEvent: true, // Public pages always require an event\n isLoading: false,\n appName: getAppName()\n }), [contextAppName, hasPublicContext]);\n }\n \n // For authenticated pages, use UnifiedAuthProvider\n try {\n const { appConfig, appName } = useUnifiedAuth();\n return useMemo(() => ({\n supportsDirectAccess: !(appConfig?.requires_event ?? true),\n requiresEvent: appConfig?.requires_event ?? true,\n isLoading: appConfig === null,\n appName\n }), [appConfig?.requires_event, appName]);\n } catch (error) {\n // Fallback if UnifiedAuthProvider is not available\n return useMemo(() => ({\n supportsDirectAccess: false,\n requiresEvent: true,\n isLoading: false,\n appName: contextAppName ||\n getNodeEnvVar('VITE_APP_NAME') ||\n getNodeEnvVar('NEXT_PUBLIC_APP_NAME') ||\n 'PACE'\n }), [contextAppName]);\n }\n} ","/**\n * @file Organisation Security Hook\n * @package @jmruthers/pace-core\n * @module Hooks/OrganisationSecurity\n * @since 0.4.0\n *\n * Security-focused hook for organisation access validation and super admin functionality.\n * Provides utilities for validating user access to organisations and checking permissions.\n */\n\nimport { useCallback, useMemo, useEffect, useState } from 'react';\nimport { useUnifiedAuth } from '../providers';\nimport { useOrganisations } from './useOrganisations';\n// Legacy useRBAC hook removed - use new RBAC system instead\nimport type { OrganisationSecurityError, SuperAdminContext } from '../types/organisation';\nimport type { Permission } from '../rbac/types';\nimport { logger } from '../utils/core/logger';\n\nexport interface OrganisationSecurityHook {\n // Super admin context\n superAdminContext: SuperAdminContext;\n \n // Access validation\n validateOrganisationAccess: (orgId: string) => Promise<boolean>;\n hasMinimumRole: (minRole: string, orgId?: string) => boolean;\n canAccessChildOrganisations: (orgId?: string) => boolean;\n \n // Permission checks\n hasPermission: (permission: string, orgId?: string) => Promise<boolean>;\n getUserPermissions: (orgId?: string) => Promise<string[]>;\n \n // Audit logging\n logOrganisationAccess: (action: string, details?: Record<string, unknown>) => Promise<void>;\n \n // Security utilities\n ensureOrganisationAccess: (orgId: string) => Promise<void>;\n validateUserAccess: (userId: string, orgId: string) => Promise<boolean>;\n}\n\nexport const useOrganisationSecurity = (): OrganisationSecurityHook => {\n const { user, session, supabase } = useUnifiedAuth();\n const { selectedOrganisation, getUserRole, validateOrganisationAccess: validateAccess } = useOrganisations();\n \n // Super admin status - query database for security (user_metadata can be spoofed)\n const [isSuperAdmin, setIsSuperAdmin] = useState<boolean>(false);\n const [isCheckingSuperAdmin, setIsCheckingSuperAdmin] = useState(false);\n\n // Check super admin status from database\n useEffect(() => {\n if (!user || !session || !supabase) {\n setIsSuperAdmin(false);\n return;\n }\n\n const checkSuperAdmin = async () => {\n setIsCheckingSuperAdmin(true);\n try {\n const now = new Date().toISOString();\n const { data, error } = await supabase\n .from('rbac_global_roles')\n .select('role')\n .eq('user_id', user.id)\n .eq('role', 'super_admin')\n .lte('valid_from', now)\n .or(`valid_to.is.null,valid_to.gte.${now}`)\n .limit(1);\n\n setIsSuperAdmin(!error && data && data.length > 0);\n } catch (error) {\n logger.error('useOrganisationSecurity', 'Error checking super admin status:', error);\n setIsSuperAdmin(false);\n } finally {\n setIsCheckingSuperAdmin(false);\n }\n };\n\n checkSuperAdmin();\n }, [user, session, supabase]);\n\n // Super admin context\n const superAdminContext = useMemo((): SuperAdminContext => {\n return {\n isSuperAdmin,\n hasGlobalAccess: isSuperAdmin,\n canManageAllOrganisations: isSuperAdmin\n };\n }, [isSuperAdmin]);\n\n // Validate organisation access with database check\n const validateOrganisationAccess = useCallback(async (orgId: string): Promise<boolean> => {\n if (!user || !session || !supabase) return false;\n \n try {\n // Super admin has access to all organisations\n if (superAdminContext.isSuperAdmin) {\n return true;\n }\n\n // Check organisation membership using consolidated rbac_organisation_roles table\n const { data, error } = await supabase\n .from('rbac_organisation_roles')\n .select('id')\n .eq('user_id', user.id)\n .eq('organisation_id', orgId)\n .eq('status', 'active')\n .is('revoked_at', null)\n .in('role', ['org_admin', 'leader', 'member']) // Only actual members, not supporters\n .single();\n\n if (error) {\n logger.error('useOrganisationSecurity', 'Error validating organisation access:', error);\n return false;\n }\n\n return !!data;\n } catch (error) {\n logger.error('useOrganisationSecurity', 'Exception validating organisation access:', error);\n return false;\n }\n }, [user, session, supabase, superAdminContext.isSuperAdmin]);\n\n // Check if user has minimum role\n const hasMinimumRole = useCallback((minRole: string, orgId?: string): boolean => {\n // Super admin has all roles\n if (superAdminContext.isSuperAdmin) {\n return true;\n }\n\n const targetOrgId = orgId || selectedOrganisation?.id;\n if (!targetOrgId) return false;\n\n const userRole = getUserRole(targetOrgId);\n const roleHierarchy = ['supporter', 'member', 'leader', 'org_admin'];\n \n const userRoleIndex = roleHierarchy.indexOf(userRole);\n const minRoleIndex = roleHierarchy.indexOf(minRole);\n \n return userRoleIndex >= minRoleIndex;\n }, [selectedOrganisation, getUserRole, superAdminContext.isSuperAdmin]);\n\n // Check if user can access child organisations\n const canAccessChildOrganisations = useCallback((orgId?: string): boolean => {\n // Super admin can access all organisations\n if (superAdminContext.isSuperAdmin) {\n return true;\n }\n\n const targetOrgId = orgId || selectedOrganisation?.id;\n if (!targetOrgId) return false;\n\n const userRole = getUserRole(targetOrgId);\n return userRole === 'org_admin';\n }, [selectedOrganisation, getUserRole, superAdminContext.isSuperAdmin]);\n\n // Check specific permission using the new RBAC system\n const hasPermission = useCallback(async (permission: string, orgId?: string): Promise<boolean> => {\n // Super admin has all permissions\n if (superAdminContext.isSuperAdmin) {\n return true;\n }\n\n const targetOrgId = orgId || selectedOrganisation?.id;\n if (!targetOrgId || !user) return false;\n\n try {\n // Use the new RBAC system with caching\n const { isPermittedCached } = await import('../rbac/api');\n \n const scope = {\n organisationId: targetOrgId,\n eventId: user.user_metadata?.eventId || user.app_metadata?.eventId,\n appId: user.user_metadata?.appId || user.app_metadata?.appId,\n };\n\n return await isPermittedCached({\n userId: user.id,\n scope,\n permission: permission as Permission\n });\n } catch (error) {\n logger.error('useOrganisationSecurity', 'Exception checking permission:', error);\n return false;\n }\n }, [selectedOrganisation, user, superAdminContext.isSuperAdmin]);\n\n // Get user's permissions for organisation using the new RBAC system\n const getUserPermissions = useCallback(async (orgId?: string): Promise<string[]> => {\n // Super admin has all permissions\n if (superAdminContext.isSuperAdmin) {\n return ['*']; // All permissions\n }\n\n const targetOrgId = orgId || selectedOrganisation?.id;\n if (!targetOrgId || !user) return [];\n\n try {\n // Use the new RBAC system\n const { getPermissionMap } = await import('../rbac/api');\n \n const scope = {\n organisationId: targetOrgId,\n eventId: user.user_metadata?.eventId || user.app_metadata?.eventId,\n appId: user.user_metadata?.appId || user.app_metadata?.appId,\n };\n\n const permissionMap = await getPermissionMap({\n userId: user.id,\n scope\n });\n \n // Flatten all permissions from all pages\n const allPermissions = Object.entries(permissionMap)\n .filter(([, allowed]) => allowed)\n .map(([permission]) => permission);\n return [...new Set(allPermissions)]; // Remove duplicates\n } catch (error) {\n logger.error('useOrganisationSecurity', 'Exception getting user permissions:', error);\n return [];\n }\n }, [selectedOrganisation, user, getUserRole, superAdminContext.isSuperAdmin]);\n\n // Log organisation access for audit using the new RBAC audit system\n const logOrganisationAccess = useCallback(async (action: string, details?: Record<string, unknown>): Promise<void> => {\n if (!user || !selectedOrganisation) return;\n\n try {\n // Use the new RBAC audit system - only if we have a valid organisation ID\n if (selectedOrganisation.id) {\n const { emitAuditEvent } = await import('../rbac/audit');\n \n await emitAuditEvent({\n type: 'permission_check',\n userId: user.id,\n organisationId: selectedOrganisation.id,\n permission: action,\n decision: true, // Assume access was granted if we're logging it\n source: 'api',\n duration_ms: 0, // No actual permission check performed here\n metadata: details || {}\n });\n }\n } catch (error) {\n logger.error('useOrganisationSecurity', 'Error logging organisation access:', error);\n }\n }, [user, selectedOrganisation]);\n\n // Ensure organisation access (throws if no access)\n const ensureOrganisationAccess = useCallback(async (orgId: string): Promise<void> => {\n const hasAccess = await validateOrganisationAccess(orgId);\n \n if (!hasAccess) {\n const error = new Error(`User does not have access to organisation ${orgId}`) as OrganisationSecurityError;\n error.name = 'OrganisationSecurityError';\n error.code = 'ACCESS_DENIED';\n error.organisationId = orgId;\n error.userId = user?.id;\n throw error;\n }\n }, [validateOrganisationAccess, user]);\n\n // Validate user access (for admin functions)\n const validateUserAccess = useCallback(async (userId: string, orgId: string): Promise<boolean> => {\n if (!supabase) return false;\n\n try {\n // Super admin can validate any user\n if (superAdminContext.isSuperAdmin) {\n return true;\n }\n\n // Regular users can only validate their own access\n if (userId !== user?.id) {\n return false;\n }\n\n return await validateOrganisationAccess(orgId);\n } catch (error) {\n logger.error('useOrganisationSecurity', 'Exception validating user access:', error);\n return false;\n }\n }, [supabase, superAdminContext.isSuperAdmin, user, validateOrganisationAccess]);\n\n return {\n superAdminContext,\n validateOrganisationAccess,\n hasMinimumRole,\n canAccessChildOrganisations,\n hasPermission,\n getUserPermissions,\n logOrganisationAccess,\n ensureOrganisationAccess,\n validateUserAccess\n };\n}; "],"mappings":";;;;;;;;;;;;;;;;;;AAaA,SAAS,SAAS,cAAc;AAqCzB,SAAS,YAA8B;AAC5C,QAAM,eAAe,gBAAgB;AAGrC,QAAM,YAAY,aAAa,UAAU;AACzC,QAAM,gBAAgB,aAAa,iBAAiB;AACpD,QAAM,YAAY,aAAa,UAAU;AACzC,QAAM,QAAQ,aAAa,SAAS;AAGpC,QAAM,gBAAgB,OAAgB,CAAC,CAAC;AACxC,QAAM,mBAAmB,OAAe,EAAE;AAI1C,QAAM,mBAAmB,UAAU,IAAI,OAAK,EAAE,YAAY,EAAE,EAAE,EAAE,KAAK,GAAG;AACxE,QAAM,gBAAgB,qBAAqB,iBAAiB;AAI5D,MAAI,eAAe;AACjB,kBAAc,UAAU;AACxB,qBAAiB,UAAU;AAAA,EAC7B;AAGA,QAAM,SAAS,QAAQ,MAAM;AAC3B,WAAO,cAAc;AAAA,EACvB,GAAG,CAAC,gBAAgB,CAAC;AAGrB,QAAM,2BAA2B;AAAA,IAC/B,MAAM,CAAC,UAAwB,aAAa,iBAAiB,KAAK;AAAA,IAClE,CAAC,YAAY;AAAA,EACf;AACA,QAAM,wBAAwB;AAAA,IAC5B,MAAM,MAAM,aAAa,cAAc;AAAA,IACvC,CAAC,YAAY;AAAA,EACf;AACA,QAAM,8BAA8B;AAAA,IAClC,MAAM,MAAM,aAAa,oBAAoB;AAAA,IAC7C,CAAC,YAAY;AAAA,EACf;AAGA,SAAO,QAAQ,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,kBAAkB;AAAA,IAClB,eAAe;AAAA,IACf,qBAAqB;AAAA,EACvB,IAAI,CAAC,QAAQ,eAAe,UAAU,WAAW,OAAO,SAAS,0BAA0B,uBAAuB,2BAA2B,CAAC;AAChJ;;;AC7FA,SAAS,WAAW,UAAU,UAAAA,SAAQ,WAAAC,gBAAe;AASrD,IAAM,MAAM,aAAa,kBAAkB;AAI3C,IAAM,iBAAiB,oBAAI,IAAwE;AACnG,IAAM,YAAY,IAAI,KAAK;AAiDpB,SAAS,iBAAiB;AAAA,EAC/B;AAAA,EACA;AAAA,EACA;AACF,GAAoD;AAClD,QAAM,CAAC,eAAe,gBAAgB,IAAI,SAAuB,IAAI;AACrE,QAAM,CAAC,WAAW,YAAY,IAAI,SAAS,IAAI;AAC/C,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAuB,IAAI;AAGrD,QAAM,iBAAiBC,QAA+E;AAAA,IACpG,gBAAgB;AAAA,IAChB,OAAO;AAAA,IACP,SAAS;AAAA,EACX,CAAC;AAID,YAAU,MAAM;AACd,QAAI,eAAe;AACjB,YAAM,WAAW;AAAA,QACf,gBAAgB,cAAc,kBAAkB;AAAA,QAChD,OAAO,cAAc,SAAS;AAAA,QAC9B,SAAS,cAAc;AAAA,MACzB;AAGA,UAAI,eAAe,QAAQ,mBAAmB,SAAS,kBACnD,eAAe,QAAQ,YAAY,SAAS,WAC5C,eAAe,QAAQ,UAAU,SAAS,OAAO;AACnD,uBAAe,UAAU;AAAA,UACvB,gBAAgB,SAAS;AAAA,UACzB,OAAO,SAAS;AAAA,UAChB,SAAS,SAAS;AAAA,QACpB;AAAA,MACF;AAAA,IACF,OAAO;AAEL,qBAAe,UAAU,EAAE,gBAAgB,IAAI,OAAO,IAAI,SAAS,OAAU;AAAA,IAC/E;AAAA,EACF,GAAG,CAAC,aAAa,CAAC;AAGlB,QAAM,UAAU,kBAAkB;AAElC,QAAM,cAAc,eAAe;AAEnC,YAAU,MAAM;AACd,QAAI,YAAY;AAEhB,UAAM,eAAe,YAAY;AAG/B,UAAI,CAAC,YAAY,CAAC,0BAA0B,CAAC,iBAAiB;AAC5D,YAAI,CAAC,WAAW;AACd,2BAAiB,IAAI;AACrB,uBAAa,KAAK;AAClB,mBAAS,IAAI;AAAA,QACf;AACA;AAAA,MACF;AAEA,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,UAAI;AAEF,cAAMC,WAAU,kBAAkB;AAClC,YAAI,QAA4B;AAChC,YAAI,YAA8B;AAIlC,YAAI,YAAYA,UAAS;AACvB,cAAI;AAGF,kBAAM,EAAE,MAAM,QAAQ,IAAI,MAAM,SAAS,KAAK,WAAW;AACzD,gBAAI,CAAC,SAAS,SAAS;AAGrB,kBAAI,MAAM,gCAAgCA,QAAO,4BAA4B;AAAA,YAC/E,OAAO;AAEL,oBAAM,SAAS,eAAe,IAAIA,QAAO;AACzC,oBAAM,MAAM,KAAK,IAAI;AACrB,kBAAI,UAAW,MAAM,OAAO,YAAa,WAAW;AAClD,wBAAQ,OAAO;AACf,4BAAY,OAAO;AAAA,cACrB,OAAO;AAEL,sBAAM,EAAE,MAAM,KAAK,OAAAC,OAAM,IAAI,MAAM,SAChC,KAAK,WAAW,EAChB,OAAO,qCAAqC,EAC5C,GAAG,QAAQD,QAAO,EAClB,GAAG,aAAa,IAAI,EACpB,OAAO;AAEV,oBAAIC,QAAO;AAGT,sBAAIA,OAAM,SAAS,SAASA,OAAM,SAAS,cAAcA,OAAM,SAAS,SAAS,KAAK,GAAG;AACvF,wBAAI,MAAM,sCAAsCD,QAAO,mCAAmC;AAE1F,4BAAQ;AAAA,kBACV,OAAO;AAEL,0BAAM,EAAE,MAAM,YAAY,IAAI,MAAM,SACjC,KAAK,WAAW,EAChB,OAAO,qBAAqB,EAC5B,GAAG,QAAQA,QAAO,EAClB,OAAO;AAEV,wBAAI,aAAa;AACf,0BAAI,MAAM,QAAQA,QAAO,wCAAwC,YAAY,SAAS,GAAG;AAEzF,8BAAQ;AAAA,oBACV,OAAO;AACL,0BAAI,MAAM,QAAQA,QAAO,kCAAkC,EAAE,OAAAC,OAAM,CAAC;AAEpE,8BAAQ;AAAA,oBACV;AAAA,kBACF;AAAA,gBACF,WAAW,KAAK;AACd,0BAAQ,IAAI;AACZ,8BAAY,EAAE,gBAAgB,IAAI,kBAAkB,MAAM;AAE1D,iCAAe,IAAID,UAAS,EAAE,OAAO,WAAW,WAAW,IAAI,CAAC;AAAA,gBAClE;AAAA,cACF;AAAA,YACF;AAAA,UACF,SAASC,QAAO;AAGd,kBAAM,eAAeA,kBAAiB,QAAQA,OAAM,UAAU,OAAOA,MAAK;AAC1E,gBAAI,CAAC,aAAa,SAAS,KAAK,KAAK,CAAC,aAAa,SAAS,UAAU,GAAG;AACvE,kBAAI,MAAM,0CAA0CA,MAAK;AAAA,YAC3D,OAAO;AACL,kBAAI,MAAM,kDAAkD;AAAA,YAC9D;AAAA,UACF;AAAA,QACF;AAKA,cAAM,eAAsB;AAAA,UAC1B,gBAAgB,WAAW,iBAAiB,SAAa,0BAA0B;AAAA,UACnF,SAAS,mBAAmB;AAAA,UAC5B;AAAA,QACF;AAIA,cAAM,aAAa,MAAM,iBAAiB;AAAA,UACxC;AAAA,UACA;AAAA,UACAD,YAAW;AAAA,UACX;AAAA,QACF;AAEA,YAAI,CAAC,WAAW,SAAS;AAEvB,cAAIA,aAAY,YAAYA,aAAY,SAAS;AAC/C,gBAAI,CAAC,WAAW;AAGd,oBAAM,uBAA8B;AAAA,gBAClC,gBAAgB;AAAA,gBAChB,SAAS;AAAA,gBACT,OAAO,SAAS;AAAA;AAAA,cAClB;AACA,+BAAiB,oBAAoB;AACrC,uBAAS,IAAI;AACb,2BAAa,KAAK;AAAA,YACpB;AACA;AAAA,UACF;AAIA,cAAI,WAAW,kBAAkB,iBAAiB;AAChD,gBAAI,CAAC,WAAW;AACd,oBAAM,aAAoB;AAAA,gBACxB,gBAAgB;AAAA;AAAA,gBAChB,SAAS;AAAA,gBACT,OAAO,SAAS;AAAA,cAClB;AACA,+BAAiB,UAAU;AAC3B,uBAAS,IAAI;AACb,2BAAa,KAAK;AAAA,YACpB;AACA;AAAA,UACF;AAEA,cAAI,CAAC,WAAW;AACd,6BAAiB,IAAI;AACrB,qBAAS,WAAW,SAAS,IAAI,MAAM,2BAA2B,CAAC;AACnE,yBAAa,KAAK;AAAA,UACpB;AACA;AAAA,QACF;AAGA,YAAI,CAAC,WAAW;AACd,2BAAiB,WAAW,aAAa;AACzC,mBAAS,IAAI;AACb,uBAAa,KAAK;AAAA,QACpB;AAAA,MACF,SAAS,KAAK;AACZ,YAAI,CAAC,WAAW;AACd,mBAAS,GAAY;AACrB,uBAAa,KAAK;AAAA,QACpB;AAAA,MACF;AAAA,IACF;AAEA,iBAAa;AAEb,WAAO,MAAM;AACX,kBAAY;AAAA,IACd;AAAA,EACF,GAAG,CAAC,wBAAwB,iBAAiB,QAAQ,CAAC;AAItD,QAAM,yBAAyB,YAAY,YAAY,YAAY;AACnE,QAAM,gBAAgB,yBAClB,OACC,YAAY,SAAS,YAAY;AAItC,QAAM,aAA2BE,SAAQ,MAAM;AAC7C,QAAI,CAAC,eAAe;AAClB,aAAO,yBAAyB,CAAC,IAAI;AAAA,IACvC;AAGA,UAAM,QAAe,CAAC;AACtB,QAAI,YAAY,gBAAgB;AAC9B,YAAM,iBAAiB,YAAY;AAAA,IACrC;AACA,QAAI,YAAY,SAAS;AACvB,YAAM,UAAU,YAAY;AAAA,IAC9B;AACA,QAAI,YAAY,OAAO;AACrB,YAAM,QAAQ,YAAY;AAAA,IAC5B;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,eAAe,wBAAwB,YAAY,gBAAgB,YAAY,SAAS,YAAY,KAAK,CAAC;AAE9G,SAAO;AAAA,IACL,eAAe;AAAA,IACf;AAAA,IACA;AAAA,EACF;AACF;;;AC1PA,SAAgB,iBAA4B;AAoK5B,cAIF,YAJE;AAzGT,IAAM,gBAAN,cAA4B,UAAkD;AAAA,EAGnF,YAAY,OAA2B;AACrC,UAAM,KAAK;AAHb,SAAQ,iBAAwC;AA+ChD,SAAQ,cAAc,CAAC,SAAiB,kBAA0B;AAEhE,UAAI,YAAY,IAAI,SAAS,cAAc;AAGzC,eAAO,KAAK,iBAAiB,qDAAqD,EAAE,SAAS,cAAc,CAAC;AAAA,MAC9G;AAAA,IACF;AAEA,SAAQ,cAAc,MAAM;AAC1B,YAAM,EAAE,aAAa,EAAE,IAAI,KAAK;AAChC,YAAM,EAAE,WAAW,IAAI,KAAK;AAE5B,UAAI,aAAa,YAAY;AAC3B,eAAO,MAAM,iBAAiB,sCAAsC,aAAa,CAAC,IAAI,UAAU,GAAG;AAEnG,aAAK,SAAS,gBAAc;AAAA,UAC1B,UAAU;AAAA,UACV,OAAO;AAAA,UACP,WAAW;AAAA,UACX,SAAS;AAAA,UACT,YAAY,UAAU,aAAa;AAAA,QACrC,EAAE;AAAA,MACJ;AAAA,IACF;AAnEE,SAAK,QAAQ;AAAA,MACX,UAAU;AAAA,MACV,YAAY;AAAA,IACd;AAAA,EACF;AAAA,EAEA,OAAO,yBAAyB,OAA2C;AACzE,UAAM,UAAU,SAAS,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,OAAO,GAAG,CAAC,CAAC;AAC9E,WAAO;AAAA,MACL,UAAU;AAAA,MACV;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,kBAAkB,OAAc,WAA4B;AAC1D,UAAM,EAAE,gBAAgB,qBAAqB,SAAS,kBAAkB,KAAK,IAAI,KAAK;AACtF,UAAM,UAAU,KAAK,MAAM;AAE3B,SAAK,SAAS,EAAE,UAAU,CAAC;AAG3B,WAAO,MAAM,iBAAiB,IAAI,aAAa,kBAAkB,OAAO,KAAK,OAAO,SAAS;AAG7F,6BAAyB,QAAQ,0BAA0B,GAAG;AAAA,MAC5D;AAAA,MACA;AAAA,MACA,cAAc,MAAM;AAAA,MACpB,OAAO,MAAM,OAAO,UAAU,GAAG,GAAG;AAAA;AAAA,IACtC,CAAC;AAGD,QAAI,iBAAiB;AACnB,WAAK,YAAY,SAAS,aAAa;AAAA,IACzC;AAGA,QAAI,SAAS;AACX,cAAQ,OAAO,WAAW,OAAO;AAAA,IACnC;AAAA,EACF;AAAA,EA4BA,uBAAuB;AACrB,QAAI,KAAK,gBAAgB;AACvB,mBAAa,KAAK,cAAc;AAAA,IAClC;AAAA,EACF;AAAA,EAEA,SAAS;AACP,QAAI,KAAK,MAAM,UAAU;AACvB,YAAM;AAAA,QACJ,gBAAgB;AAAA,QAChB;AAAA,QACA,cAAc;AAAA,QACd,aAAa;AAAA,MACf,IAAI,KAAK;AACT,YAAM,EAAE,YAAY,QAAQ,IAAI,KAAK;AAGrC,UAAI,UAAU;AACZ,eAAO;AAAA,MACT;AAGA,aACE;AAAA,QAAC;AAAA;AAAA,UACC,MAAK;AAAA,UACL,WAAU;AAAA,UACV,uBAAqB;AAAA,UAErB,+BAAC,SAAI,WAAU,0BACb;AAAA,gCAAC,SAAI,WAAU,iBACb,8BAAC,SAAI,WAAU,4BAA2B,SAAQ,aAAY,MAAK,gBACjE,8BAAC,UAAK,UAAS,WAAU,GAAE,qHAAoH,UAAS,WAAU,GACpK,GACF;AAAA,YACA,qBAAC,SAAI,WAAU,kBACb;AAAA,mCAAC,QAAG,WAAU,oBAAmB;AAAA;AAAA,gBACrB;AAAA,iBACZ;AAAA,cACA,oBAAC,OAAE,WAAU,uBACV,eAAK,MAAM,OAAO,WAAW,iCAChC;AAAA,cAEC,eAAe,aAAa,cAC3B,qBAAC,SAAI,WAAU,mBACb;AAAA;AAAA,kBAAC;AAAA;AAAA,oBACC,SAAS,KAAK;AAAA,oBACd,WAAU;AAAA,oBACX;AAAA;AAAA,sBACS,aAAa;AAAA,sBAAE;AAAA,sBAAE;AAAA,sBAAW;AAAA;AAAA;AAAA,gBACtC;AAAA,gBACA;AAAA,kBAAC;AAAA;AAAA,oBACC,SAAS,MAAM,OAAO,SAAS,OAAO;AAAA,oBACtC,WAAU;AAAA,oBACX;AAAA;AAAA,gBAED;AAAA,iBACF;AAAA,cAGD,cAAc,cACb,qBAAC,SAAI,WAAU,uDACb;AAAA,oCAAC,OAAE,WAAU,gBAAe,wFAE5B;AAAA,gBACA;AAAA,kBAAC;AAAA;AAAA,oBACC,SAAS,MAAM,OAAO,SAAS,OAAO;AAAA,oBACtC,WAAU;AAAA,oBACX;AAAA;AAAA,gBAED;AAAA,iBACF;AAAA,cAGD,YAAY,IAAI,SAAS,iBAAiB,KAAK,MAAM,SACpD,qBAAC,aAAQ,WAAU,+BACjB;AAAA,oCAAC,aAAQ,WAAU,mCAAkC,yCAErD;AAAA,gBACA,qBAAC,SAAI,WAAU,uCACb;AAAA,uCAAC,OAAE,WAAU,aAAY;AAAA;AAAA,oBAAW;AAAA,qBAAQ;AAAA,kBAC5C,qBAAC,SAAI,WAAU,sDACZ;AAAA,yBAAK,MAAM,MAAM,SAAS;AAAA,oBAC1B,KAAK,MAAM,WAAW;AAAA,qBACzB;AAAA,mBACF;AAAA,iBACF;AAAA,eAEJ;AAAA,aACF;AAAA;AAAA,MACF;AAAA,IAEJ;AAEA,WAAO,KAAK,MAAM;AAAA,EACpB;AACF;;;AClRA,SAAgB,eAAe,YAAuB,WAAAC,gBAAe;AACrE,SAAS,oBAAoB;AAkFvB,gBAAAC,YAAA;AAnEC,IAAM,oBAAoB,cAAiD,MAAS;AAkBpF,SAAS,mBAAmB,EAAE,UAAU,QAAQ,GAA4B;AAGjF,QAAM,YAAY,CAAC,QAAoC;AAErD,QAAI,OAAO,gBAAgB,eAAe,YAAY,KAAK;AACzD,YAAM,MAAM,YAAY;AACxB,aAAO,IAAI,GAAG;AAAA,IAChB;AAEA,QAAI,OAAO,YAAY,eAAe,QAAQ,KAAK;AACjD,aAAO,QAAQ,IAAI,GAAG;AAAA,IACxB;AACA,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,UAAU,mBAAmB,KAC9B,UAAU,0BAA0B,KACpC;AAEnB,QAAM,cAAc,UAAU,+BAA+B,KAC1C,UAAU,sCAAsC,KAChD,UAAU,wBAAwB,KAClC,UAAU,+BAA+B,KACzC;AAInB,QAAM,WAAWC,SAAQ,MAAM;AAC7B,QAAI,CAAC,eAAe,CAAC,aAAa;AAChC,aAAO,KAAK,sBAAsB,wIAAwI;AAC1K,aAAO;AAAA,IACT;AACA,UAAM,SAAS,aAAuB,aAAa,WAAW;AAC9D,WAAO;AAAA,EACT,GAAG,CAAC,aAAa,WAAW,CAAC;AAE7B,QAAM,eAAsC;AAAA,IAC1C,cAAc;AAAA,IACd;AAAA,IACA,SAAS,WAAW;AAAA,IACpB,aAAa;AAAA,MACX;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SACE,gBAAAD,KAAC,kBAAkB,UAAlB,EAA2B,OAAO,cACjC,0BAAAA,KAAC,iBAAc,eAAc,sBAC1B,UACH,GACF;AAEJ;AAOO,SAAS,uBAA8C;AAC5D,QAAM,UAAU,WAAW,iBAAiB;AAE5C,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,MAAM,+DAA+D;AAAA,EACjF;AAEA,SAAO;AACT;AAOO,SAAS,kBAA2B;AACzC,QAAM,UAAU,WAAW,iBAAiB;AAC5C,SAAO,YAAY;AACrB;;;ACvHA,SAAS,WAAAE,UAAS,cAAAC,mBAAkB;AAgB7B,SAAS,eAAmC;AAEjD,QAAM,eAAe,gBAAgB;AAGrC,QAAM,oBAAoBC,YAAW,iBAAiB;AACtD,QAAM,mBAAmB,sBAAsB;AAC/C,QAAM,iBAAiB,mBAAmB,WAAW;AACrD,QAAM,gBAAgB,CAAC,QACrB,OAAO,YAAY,eAAe,QAAQ,MAAM,QAAQ,IAAI,GAAG,IAAI;AAErE,MAAI,cAAc;AAChB,UAAM,aAAa,MAAc;AAE/B,UAAI,CAAC,kBAAkB;AACrB,eAAO;AAAA,MACT;AAGA,UAAI,gBAAgB;AAClB,eAAO;AAAA,MACT;AAGA,UAAI,OAAO,gBAAgB,eAAgB,YAAoB,KAAK;AAClE,cAAM,MAAO,YAAoB;AACjC,eAAO,IAAI,iBACJ,IAAI,wBACJ;AAAA,MACT;AACA,UAAI,OAAO,gBAAgB,eAAe,YAAY,KAAK;AACzD,eAAO,YAAY,IAAI,iBAChB,YAAY,IAAI,wBAChB;AAAA,MACT;AAEA,YAAM,iBACJ,cAAc,eAAe,KAC7B,cAAc,sBAAsB;AACtC,UAAI,gBAAgB;AAClB,eAAO;AAAA,MACT;AAGA,aAAO;AAAA,IACT;AAEA,WAAOC,SAAQ,OAAO;AAAA,MACpB,sBAAsB;AAAA;AAAA,MACtB,eAAe;AAAA;AAAA,MACf,WAAW;AAAA,MACX,SAAS,WAAW;AAAA,IACtB,IAAI,CAAC,gBAAgB,gBAAgB,CAAC;AAAA,EACxC;AAGA,MAAI;AACF,UAAM,EAAE,WAAW,QAAQ,IAAI,eAAe;AAC9C,WAAOA,SAAQ,OAAO;AAAA,MACpB,sBAAsB,EAAE,WAAW,kBAAkB;AAAA,MACrD,eAAe,WAAW,kBAAkB;AAAA,MAC5C,WAAW,cAAc;AAAA,MACzB;AAAA,IACF,IAAI,CAAC,WAAW,gBAAgB,OAAO,CAAC;AAAA,EAC1C,SAAS,OAAO;AAEd,WAAOA,SAAQ,OAAO;AAAA,MACpB,sBAAsB;AAAA,MACtB,eAAe;AAAA,MACf,WAAW;AAAA,MACX,SAAS,kBACP,cAAc,eAAe,KAC7B,cAAc,sBAAsB,KACpC;AAAA,IACJ,IAAI,CAAC,cAAc,CAAC;AAAA,EACtB;AACF;;;AChHA,SAAS,aAAa,WAAAC,UAAS,aAAAC,YAAW,YAAAC,iBAAgB;AA6BnD,IAAM,0BAA0B,MAAgC;AACrE,QAAM,EAAE,MAAM,SAAS,SAAS,IAAI,eAAe;AACnD,QAAM,EAAE,sBAAsB,aAAa,4BAA4B,eAAe,IAAI,iBAAiB;AAG3G,QAAM,CAAC,cAAc,eAAe,IAAIC,UAAkB,KAAK;AAC/D,QAAM,CAAC,sBAAsB,uBAAuB,IAAIA,UAAS,KAAK;AAGtE,EAAAC,WAAU,MAAM;AACd,QAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,UAAU;AAClC,sBAAgB,KAAK;AACrB;AAAA,IACF;AAEA,UAAM,kBAAkB,YAAY;AAClC,8BAAwB,IAAI;AAC5B,UAAI;AACF,cAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,cAAM,EAAE,MAAM,MAAM,IAAI,MAAM,SAC3B,KAAK,mBAAmB,EACxB,OAAO,MAAM,EACb,GAAG,WAAW,KAAK,EAAE,EACrB,GAAG,QAAQ,aAAa,EACxB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE,EACzC,MAAM,CAAC;AAEV,wBAAgB,CAAC,SAAS,QAAQ,KAAK,SAAS,CAAC;AAAA,MACnD,SAAS,OAAO;AACd,eAAO,MAAM,2BAA2B,sCAAsC,KAAK;AACnF,wBAAgB,KAAK;AAAA,MACvB,UAAE;AACA,gCAAwB,KAAK;AAAA,MAC/B;AAAA,IACF;AAEA,oBAAgB;AAAA,EAClB,GAAG,CAAC,MAAM,SAAS,QAAQ,CAAC;AAG5B,QAAM,oBAAoBC,SAAQ,MAAyB;AACzD,WAAO;AAAA,MACL;AAAA,MACA,iBAAiB;AAAA,MACjB,2BAA2B;AAAA,IAC7B;AAAA,EACF,GAAG,CAAC,YAAY,CAAC;AAGjB,QAAM,6BAA6B,YAAY,OAAO,UAAoC;AACxF,QAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,SAAU,QAAO;AAE3C,QAAI;AAEF,UAAI,kBAAkB,cAAc;AAClC,eAAO;AAAA,MACT;AAGA,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,SAC3B,KAAK,yBAAyB,EAC9B,OAAO,IAAI,EACX,GAAG,WAAW,KAAK,EAAE,EACrB,GAAG,mBAAmB,KAAK,EAC3B,GAAG,UAAU,QAAQ,EACrB,GAAG,cAAc,IAAI,EACrB,GAAG,QAAQ,CAAC,aAAa,UAAU,QAAQ,CAAC,EAC5C,OAAO;AAEV,UAAI,OAAO;AACT,eAAO,MAAM,2BAA2B,yCAAyC,KAAK;AACtF,eAAO;AAAA,MACT;AAEA,aAAO,CAAC,CAAC;AAAA,IACX,SAAS,OAAO;AACd,aAAO,MAAM,2BAA2B,6CAA6C,KAAK;AAC1F,aAAO;AAAA,IACT;AAAA,EACF,GAAG,CAAC,MAAM,SAAS,UAAU,kBAAkB,YAAY,CAAC;AAG5D,QAAM,iBAAiB,YAAY,CAAC,SAAiB,UAA4B;AAE/E,QAAI,kBAAkB,cAAc;AAClC,aAAO;AAAA,IACT;AAEA,UAAM,cAAc,SAAS,sBAAsB;AACnD,QAAI,CAAC,YAAa,QAAO;AAEzB,UAAM,WAAW,YAAY,WAAW;AACxC,UAAM,gBAAgB,CAAC,aAAa,UAAU,UAAU,WAAW;AAEnE,UAAM,gBAAgB,cAAc,QAAQ,QAAQ;AACpD,UAAM,eAAe,cAAc,QAAQ,OAAO;AAElD,WAAO,iBAAiB;AAAA,EAC1B,GAAG,CAAC,sBAAsB,aAAa,kBAAkB,YAAY,CAAC;AAGtE,QAAM,8BAA8B,YAAY,CAAC,UAA4B;AAE3E,QAAI,kBAAkB,cAAc;AAClC,aAAO;AAAA,IACT;AAEA,UAAM,cAAc,SAAS,sBAAsB;AACnD,QAAI,CAAC,YAAa,QAAO;AAEzB,UAAM,WAAW,YAAY,WAAW;AACxC,WAAO,aAAa;AAAA,EACtB,GAAG,CAAC,sBAAsB,aAAa,kBAAkB,YAAY,CAAC;AAGtE,QAAM,gBAAgB,YAAY,OAAO,YAAoB,UAAqC;AAEhG,QAAI,kBAAkB,cAAc;AAClC,aAAO;AAAA,IACT;AAEA,UAAM,cAAc,SAAS,sBAAsB;AACnD,QAAI,CAAC,eAAe,CAAC,KAAM,QAAO;AAElC,QAAI;AAEF,YAAM,EAAE,kBAAkB,IAAI,MAAM,OAAO,mBAAa;AAExD,YAAM,QAAQ;AAAA,QACZ,gBAAgB;AAAA,QAChB,SAAS,KAAK,eAAe,WAAW,KAAK,cAAc;AAAA,QAC3D,OAAO,KAAK,eAAe,SAAS,KAAK,cAAc;AAAA,MACzD;AAEA,aAAO,MAAM,kBAAkB;AAAA,QAC7B,QAAQ,KAAK;AAAA,QACb;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH,SAAS,OAAO;AACd,aAAO,MAAM,2BAA2B,kCAAkC,KAAK;AAC/E,aAAO;AAAA,IACT;AAAA,EACF,GAAG,CAAC,sBAAsB,MAAM,kBAAkB,YAAY,CAAC;AAG/D,QAAM,qBAAqB,YAAY,OAAO,UAAsC;AAElF,QAAI,kBAAkB,cAAc;AAClC,aAAO,CAAC,GAAG;AAAA,IACb;AAEA,UAAM,cAAc,SAAS,sBAAsB;AACnD,QAAI,CAAC,eAAe,CAAC,KAAM,QAAO,CAAC;AAEnC,QAAI;AAEF,YAAM,EAAE,iBAAiB,IAAI,MAAM,OAAO,mBAAa;AAEvD,YAAM,QAAQ;AAAA,QACZ,gBAAgB;AAAA,QAChB,SAAS,KAAK,eAAe,WAAW,KAAK,cAAc;AAAA,QAC3D,OAAO,KAAK,eAAe,SAAS,KAAK,cAAc;AAAA,MACzD;AAEA,YAAM,gBAAgB,MAAM,iBAAiB;AAAA,QAC3C,QAAQ,KAAK;AAAA,QACb;AAAA,MACF,CAAC;AAGD,YAAM,iBAAiB,OAAO,QAAQ,aAAa,EAChD,OAAO,CAAC,CAAC,EAAE,OAAO,MAAM,OAAO,EAC/B,IAAI,CAAC,CAAC,UAAU,MAAM,UAAU;AACnC,aAAO,CAAC,GAAG,IAAI,IAAI,cAAc,CAAC;AAAA,IACpC,SAAS,OAAO;AACd,aAAO,MAAM,2BAA2B,uCAAuC,KAAK;AACpF,aAAO,CAAC;AAAA,IACV;AAAA,EACF,GAAG,CAAC,sBAAsB,MAAM,aAAa,kBAAkB,YAAY,CAAC;AAG5E,QAAM,wBAAwB,YAAY,OAAO,QAAgB,YAAqD;AACpH,QAAI,CAAC,QAAQ,CAAC,qBAAsB;AAEpC,QAAI;AAEF,UAAI,qBAAqB,IAAI;AAC3B,cAAM,EAAE,eAAe,IAAI,MAAM,OAAO,qBAAe;AAEvD,cAAM,eAAe;AAAA,UACnB,MAAM;AAAA,UACN,QAAQ,KAAK;AAAA,UACb,gBAAgB,qBAAqB;AAAA,UACrC,YAAY;AAAA,UACZ,UAAU;AAAA;AAAA,UACV,QAAQ;AAAA,UACR,aAAa;AAAA;AAAA,UACb,UAAU,WAAW,CAAC;AAAA,QACxB,CAAC;AAAA,MACH;AAAA,IACF,SAAS,OAAO;AACd,aAAO,MAAM,2BAA2B,sCAAsC,KAAK;AAAA,IACrF;AAAA,EACF,GAAG,CAAC,MAAM,oBAAoB,CAAC;AAG/B,QAAM,2BAA2B,YAAY,OAAO,UAAiC;AACnF,UAAM,YAAY,MAAM,2BAA2B,KAAK;AAExD,QAAI,CAAC,WAAW;AACd,YAAM,QAAQ,IAAI,MAAM,6CAA6C,KAAK,EAAE;AAC5E,YAAM,OAAO;AACb,YAAM,OAAO;AACb,YAAM,iBAAiB;AACvB,YAAM,SAAS,MAAM;AACrB,YAAM;AAAA,IACR;AAAA,EACF,GAAG,CAAC,4BAA4B,IAAI,CAAC;AAGrC,QAAM,qBAAqB,YAAY,OAAO,QAAgB,UAAoC;AAChG,QAAI,CAAC,SAAU,QAAO;AAEtB,QAAI;AAEF,UAAI,kBAAkB,cAAc;AAClC,eAAO;AAAA,MACT;AAGA,UAAI,WAAW,MAAM,IAAI;AACvB,eAAO;AAAA,MACT;AAEA,aAAO,MAAM,2BAA2B,KAAK;AAAA,IAC/C,SAAS,OAAO;AACd,aAAO,MAAM,2BAA2B,qCAAqC,KAAK;AAClF,aAAO;AAAA,IACT;AAAA,EACF,GAAG,CAAC,UAAU,kBAAkB,cAAc,MAAM,0BAA0B,CAAC;AAE/E,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":["useRef","useMemo","useRef","appName","error","useMemo","useMemo","jsx","useMemo","useMemo","useContext","useContext","useMemo","useMemo","useEffect","useState","useState","useEffect","useMemo"]}
|
|
@@ -701,12 +701,14 @@ async function getOrganisationFromEvent(supabase, eventId) {
|
|
|
701
701
|
if (orgDerivationCache.has(eventId)) {
|
|
702
702
|
return orgDerivationCache.get(eventId) ?? null;
|
|
703
703
|
}
|
|
704
|
-
const { data, error } = await supabase.from("
|
|
704
|
+
const { data, error } = await supabase.from("core_events").select("organisation_id").eq("event_id", eventId).single();
|
|
705
705
|
let organisationId = null;
|
|
706
706
|
if (error || !data) {
|
|
707
707
|
organisationId = null;
|
|
708
|
-
} else {
|
|
708
|
+
} else if (data.organisation_id) {
|
|
709
709
|
organisationId = data.organisation_id;
|
|
710
|
+
} else {
|
|
711
|
+
organisationId = null;
|
|
710
712
|
}
|
|
711
713
|
if (orgDerivationCache.size >= MAX_CACHE_SIZE) {
|
|
712
714
|
const firstKey = orgDerivationCache.keys().next().value;
|
|
@@ -1692,7 +1694,14 @@ var RBACEngine = class {
|
|
|
1692
1694
|
return pageId;
|
|
1693
1695
|
}
|
|
1694
1696
|
try {
|
|
1695
|
-
const { data: page } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).
|
|
1697
|
+
const { data: page, error: pageError } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).maybeSingle();
|
|
1698
|
+
if (pageError) {
|
|
1699
|
+
const logger = getRBACLogger();
|
|
1700
|
+
if (pageError.code !== "PGRST116") {
|
|
1701
|
+
logger.warn("Failed to resolve page name to UUID:", { pageId, appId, error: pageError });
|
|
1702
|
+
}
|
|
1703
|
+
return pageId;
|
|
1704
|
+
}
|
|
1696
1705
|
return page?.id || pageId;
|
|
1697
1706
|
} catch (error) {
|
|
1698
1707
|
const logger = getRBACLogger();
|
|
@@ -1898,7 +1907,6 @@ function setupRBAC(supabase, config) {
|
|
|
1898
1907
|
if (config?.performance?.enablePerformanceTracking) {
|
|
1899
1908
|
enablePerformanceMonitoring();
|
|
1900
1909
|
}
|
|
1901
|
-
logger.info("RBAC system initialized successfully");
|
|
1902
1910
|
}
|
|
1903
1911
|
function getEngine() {
|
|
1904
1912
|
if (!globalEngine) {
|
|
@@ -1979,6 +1987,10 @@ async function getRoleContext(input, appConfig, appName) {
|
|
|
1979
1987
|
}
|
|
1980
1988
|
async function isPermitted(input, appConfig, appName) {
|
|
1981
1989
|
const engine = getEngine();
|
|
1990
|
+
const isSuperAdminUser = await engine["checkSuperAdmin"](input.userId);
|
|
1991
|
+
if (isSuperAdminUser) {
|
|
1992
|
+
return true;
|
|
1993
|
+
}
|
|
1982
1994
|
let resolvedAppConfig = appConfig ?? null;
|
|
1983
1995
|
let resolvedAppName = appName;
|
|
1984
1996
|
if (!resolvedAppConfig && input.scope.appId) {
|
|
@@ -2200,4 +2212,4 @@ export {
|
|
|
2200
2212
|
invalidateAppCache,
|
|
2201
2213
|
clearCache
|
|
2202
2214
|
};
|
|
2203
|
-
//# sourceMappingURL=chunk-
|
|
2215
|
+
//# sourceMappingURL=chunk-KNC55RTG.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/rbac/types.ts","../src/rbac/cache.ts","../src/rbac/cache-invalidation.ts","../src/rbac/errors.ts","../src/rbac/utils/eventContext.ts","../src/rbac/utils/contextValidator.ts","../src/rbac/security.ts","../src/rbac/config.ts","../src/rbac/engine.ts","../src/rbac/performance.ts","../src/rbac/request-deduplication.ts","../src/rbac/api.ts"],"sourcesContent":["/**\n * RBAC (Role-Based Access Control) Types - Build Contract Compliant\n * @package @jmruthers/pace-core\n * @module RBAC/Types\n * @since 1.0.0\n * \n * This module defines the core types for the RBAC system that match the build contract exactly.\n * All types are designed to be framework-agnostic and provide strong typing for permission operations.\n */\n\nimport type React from 'react';\nimport type { AppId, PageId } from '../types/core';\n\n// ============================================================================\n// CORE TYPES\n// ============================================================================\n\nexport type UUID = string;\n\nexport type Operation = 'read' | 'create' | 'update' | 'delete';\n\nexport type Permission = `${Operation}:${string}`; // e.g. \"read:base.events\" or \"create:team.members\"\n\nexport type AccessLevel =\n | 'viewer'\n | 'participant'\n | 'planner'\n | 'admin'\n | 'super';\n\nexport type Scope = {\n organisationId?: UUID;\n eventId?: string; // event_id is text/varchar\n appId?: AppId | UUID;\n};\n\nexport type PermissionCheck = {\n userId: UUID;\n scope: Scope;\n permission: Permission;\n pageId?: PageId | UUID;\n};\n\nexport type PermissionMap = Record<Permission, boolean> & Partial<Record<'*', boolean>>;\n\n// ============================================================================\n// ROLE TYPES\n// ============================================================================\n\nexport type GlobalRole = 'super_admin';\n\nexport type OrganisationRole = 'supporter' | 'member' | 'leader' | 'org_admin';\n\nexport type EventAppRole = 'viewer' | 'participant' | 'planner' | 'event_admin';\n\n// ============================================================================\n// DATABASE TYPES\n// ============================================================================\n\nexport interface RBACGlobalRole {\n id: UUID;\n user_id: UUID;\n role: GlobalRole;\n granted_at: string;\n granted_by: UUID | null;\n valid_from: string;\n valid_to: string | null;\n}\n\nexport interface RBACOrganisationRole {\n id: UUID;\n user_id: UUID;\n organisation_id: UUID;\n role: OrganisationRole;\n status: 'active' | 'inactive' | 'suspended';\n granted_at: string;\n granted_by: UUID | null;\n revoked_at: string | null;\n revoked_by: UUID | null;\n notes: string | null;\n created_at: string;\n updated_at: string;\n valid_from: string;\n valid_to: string | null;\n}\n\nexport interface RBACEventAppRole {\n id: UUID;\n user_id: UUID;\n event_id: string;\n role: EventAppRole;\n status: 'active' | 'inactive' | 'suspended';\n granted_at: string;\n granted_by: UUID | null;\n organisation_id: UUID;\n app_id: UUID;\n valid_from: string;\n valid_to: string | null;\n}\n\nexport interface RBACPagePermission {\n id: UUID;\n app_page_id: UUID;\n operation: Operation;\n role_name: string;\n allowed: boolean;\n created_at: string;\n updated_at: string;\n organisation_id: UUID;\n}\n\nexport interface RBACAppPage {\n id: UUID;\n page_name: string;\n page_description: string | null;\n created_at: string;\n updated_at: string;\n created_by: UUID | null;\n updated_by: UUID | null;\n app_id: UUID;\n}\n\nexport interface RBACApp {\n id: UUID;\n name: string;\n display_name: string;\n description: string | null;\n requires_event: boolean;\n is_active: boolean;\n created_at: string;\n updated_at: string;\n created_by: UUID | null;\n updated_by: UUID | null;\n}\n\n// ============================================================================\n// AUDIT EVENT TYPES\n// ============================================================================\n\nexport type AuditEventType = \n | 'permission_check'\n | 'permission_denied'\n | 'role_granted'\n | 'role_denied'\n | 'rls_denied';\n\nexport type AuditEventSource = 'api' | 'ui' | 'middleware' | 'rls';\n\nexport interface RBACAuditEvent {\n id: UUID;\n event_type: AuditEventType;\n user_id: UUID;\n organisation_id: UUID | null; // Nullable to properly track missing context cases (should be rare since organisationId is required)\n event_id?: string;\n app_id?: UUID;\n page_id?: UUID;\n permission?: string;\n decision?: boolean;\n source?: AuditEventSource;\n bypass?: boolean;\n duration_ms?: number;\n metadata: Record<string, any>;\n created_at: string;\n}\n\nexport interface RBACAppContext {\n appId: UUID;\n hasAccess: boolean;\n}\n\nexport interface RBACRoleContext {\n globalRole: GlobalRole | null;\n organisationRole: OrganisationRole | null;\n eventAppRole: EventAppRole | null;\n}\n\n// ============================================================================\n// CACHE TYPES\n// ============================================================================\n\nexport interface CacheEntry<T> {\n data: T;\n expires: number;\n}\n\nexport interface PermissionCacheKey {\n userId: UUID;\n organisationId?: UUID;\n eventId?: string;\n appId?: UUID;\n permission?: Permission;\n pageId?: UUID | string;\n}\n\n// ============================================================================\n// API TYPES\n// ============================================================================\n\nexport interface GetAccessLevelInput {\n userId: UUID;\n scope: Scope;\n}\n\nexport interface GetPermissionMapInput {\n userId: UUID;\n scope: Scope;\n}\n\nexport interface IsPermittedInput extends PermissionCheck {}\n\n// ============================================================================\n// HOOK TYPES\n// ============================================================================\n\nexport interface UsePermissionsReturn {\n permissions: PermissionMap;\n isLoading: boolean;\n error: Error | null;\n refetch: () => Promise<void>;\n}\n\nexport interface UseCanReturn {\n can: boolean;\n isLoading: boolean;\n error: Error | null;\n check: () => Promise<void>;\n}\n\n// ============================================================================\n// ADAPTER TYPES\n// ============================================================================\n\nexport interface PermissionGuardConfig {\n permission: Permission;\n pageId?: UUID;\n}\n\nexport interface WithPermissionGuardOptions {\n permission: Permission;\n pageId?: UUID;\n fallback?: React.ReactNode;\n onDenied?: () => void;\n}\n\n// ============================================================================\n// HOOK RETURN TYPES\n// ============================================================================\n\nexport interface UserRBACContext {\n user: any; // User from auth context\n globalRole: GlobalRole | null;\n organisationRole: OrganisationRole | null;\n eventAppRole: EventAppRole | null;\n hasGlobalPermission: (permission: Permission) => boolean;\n isSuperAdmin: boolean;\n isOrgAdmin: boolean;\n isEventAdmin: boolean;\n canManageOrganisation: boolean;\n canManageEvent: boolean;\n isLoading: boolean;\n error: Error | null;\n}\n\nexport interface RBACPermission {\n permission_type: string;\n role_name: string;\n [key: string]: any;\n}\n\n// ============================================================================\n// COMPONENT TYPES\n// ============================================================================\n\nexport interface RBACGuardProps {\n children: React.ReactNode;\n operation: Operation;\n pageId?: UUID;\n fallback?: React.ReactNode;\n}\n\nexport interface RoleBasedContentProps {\n children: React.ReactNode;\n globalRoles?: GlobalRole[];\n organisationRoles?: OrganisationRole[];\n eventAppRoles?: EventAppRole[];\n fallback?: React.ReactNode;\n}\n\n// ============================================================================\n// ERROR TYPES\n// ============================================================================\n\nexport class RBACError extends Error {\n constructor(\n message: string,\n public code: string,\n public context?: Record<string, any>\n ) {\n super(message);\n this.name = 'RBACError';\n }\n}\n\nexport class PermissionDeniedError extends RBACError {\n constructor(permission: Permission, context?: Record<string, any>) {\n super(\n `Permission denied: ${permission}`,\n 'PERMISSION_DENIED',\n { permission, ...context }\n );\n this.name = 'PermissionDeniedError';\n }\n}\n\nexport class OrganisationContextRequiredError extends RBACError {\n constructor() {\n super(\n 'Organisation context is required for this operation',\n 'ORGANISATION_CONTEXT_REQUIRED'\n );\n this.name = 'OrganisationContextRequiredError';\n }\n}\n\nexport class EventContextRequiredError extends RBACError {\n constructor() {\n super(\n 'Event context is required for this operation',\n 'EVENT_CONTEXT_REQUIRED'\n );\n this.name = 'EventContextRequiredError';\n }\n}\n\nexport class RBACNotInitializedError extends RBACError {\n constructor() {\n super(\n 'RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup',\n 'RBAC_NOT_INITIALIZED'\n );\n this.name = 'RBACNotInitializedError';\n }\n}\n\nexport class InvalidScopeError extends RBACError {\n constructor(scope: Scope, reason: string) {\n super(\n `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,\n 'INVALID_SCOPE',\n { scope, reason }\n );\n this.name = 'InvalidScopeError';\n }\n}\n\nexport class MissingUserContextError extends RBACError {\n constructor() {\n super(\n 'User context is required but not available. Make sure to wrap your app with an auth provider.',\n 'MISSING_USER_CONTEXT'\n );\n this.name = 'MissingUserContextError';\n }\n}\n","/**\n * RBAC Cache Implementation\n * @package @jmruthers/pace-core\n * @module RBAC/Cache\n * @since 1.0.0\n * \n * This module provides caching functionality for RBAC operations with TTL and invalidation.\n */\n\nimport { UUID } from './types';\nimport { CacheEntry, PermissionCacheKey } from './types';\n\n/**\n * In-memory cache for RBAC operations\n * \n * Provides two-tier caching:\n * - Short-term cache: 120 seconds for frequently changing permissions\n * - Session cache: 15 minutes for stable permissions (page-level checks)\n */\nexport class RBACCache {\n private cache = new Map<string, CacheEntry<any>>();\n private sessionCache = new Map<string, CacheEntry<any>>();\n private readonly TTL = 120 * 1000; // 120 seconds (short-term) - increased from 60s\n private readonly SESSION_TTL = 15 * 60 * 1000; // 15 minutes (session-level) - increased from 5min\n private invalidationCallbacks: Set<(pattern: string) => void> = new Set();\n\n /**\n * Get a value from the cache\n * \n * Checks both short-term cache and session cache.\n * \n * @param key - Cache key\n * @param useSessionCache - Whether to check session cache (default: true)\n * @returns Cached value or null if not found/expired\n */\n get<T>(key: string, useSessionCache: boolean = true): T | null {\n const now = Date.now();\n \n // Check short-term cache first\n const entry = this.cache.get(key);\n if (entry && now <= entry.expires) {\n return entry.data as T;\n }\n if (entry && now > entry.expires) {\n this.cache.delete(key);\n }\n \n // Check session cache if enabled\n if (useSessionCache) {\n const sessionEntry = this.sessionCache.get(key);\n if (sessionEntry && now <= sessionEntry.expires) {\n return sessionEntry.data as T;\n }\n if (sessionEntry && now > sessionEntry.expires) {\n this.sessionCache.delete(key);\n }\n }\n \n return null;\n }\n\n /**\n * Set a value in the cache\n * \n * @param key - Cache key\n * @param data - Data to cache\n * @param ttl - Time to live in milliseconds (defaults to 60s)\n * @param useSessionCache - Whether to also store in session cache (default: false for page-level checks)\n */\n set<T>(key: string, data: T, ttl: number = this.TTL, useSessionCache: boolean = false): void {\n const now = Date.now();\n // For zero or negative TTL, set expires to current time to make it immediately expired\n const expires = ttl <= 0 ? now - 1 : now + ttl;\n \n // Always store in short-term cache\n this.cache.set(key, {\n data,\n expires,\n });\n \n // Optionally store in session cache for page-level permissions\n if (useSessionCache) {\n const sessionExpires = ttl <= 0 ? now - 1 : now + this.SESSION_TTL;\n this.sessionCache.set(key, {\n data,\n expires: sessionExpires,\n });\n }\n }\n\n /**\n * Delete a specific key from the cache\n * \n * @param key - Cache key to delete\n */\n delete(key: string): void {\n this.cache.delete(key);\n this.sessionCache.delete(key);\n }\n\n /**\n * Invalidate cache entries matching a pattern\n * \n * @param pattern - Pattern to match against cache keys\n */\n invalidate(pattern: string): void {\n const trimmedPattern = pattern?.trim();\n\n if (!trimmedPattern) {\n return;\n }\n\n const matcher = this.createMatcher(trimmedPattern);\n const keysToDelete: string[] = [];\n\n // Invalidate from both caches\n for (const key of this.cache.keys()) {\n if (matcher(key)) {\n keysToDelete.push(key);\n }\n }\n \n for (const key of this.sessionCache.keys()) {\n if (matcher(key) && !keysToDelete.includes(key)) {\n keysToDelete.push(key);\n }\n }\n\n keysToDelete.forEach(key => {\n this.cache.delete(key);\n this.sessionCache.delete(key);\n });\n\n // Notify invalidation callbacks\n this.invalidationCallbacks.forEach(callback => callback(trimmedPattern));\n }\n\n private createMatcher(pattern: string): (key: string) => boolean {\n if (pattern.includes('*')) {\n const escapedSegments = pattern\n .split('*')\n .map(segment => segment.replace(/[|\\\\{}()[\\]^$+?.-]/g, '\\\\$&'));\n const regexPattern = escapedSegments.join('.*');\n const regex = new RegExp(regexPattern);\n return (key: string) => regex.test(key);\n }\n\n return (key: string) => key.includes(pattern);\n }\n\n /**\n * Clear all cache entries\n */\n clear(): void {\n this.cache.clear();\n this.sessionCache.clear();\n }\n\n /**\n * Get cache statistics\n */\n getStats(): {\n size: number;\n sessionSize: number;\n ttl: number;\n sessionTtl: number;\n keys: string[];\n } {\n return {\n size: this.cache.size,\n sessionSize: this.sessionCache.size,\n ttl: this.TTL,\n sessionTtl: this.SESSION_TTL,\n keys: Array.from(this.cache.keys()),\n };\n }\n\n /**\n * Add an invalidation callback\n * \n * @param callback - Function to call when cache is invalidated\n */\n onInvalidate(callback: (pattern: string) => void): () => void {\n this.invalidationCallbacks.add(callback);\n \n // Return unsubscribe function\n return () => {\n this.invalidationCallbacks.delete(callback);\n };\n }\n\n /**\n * Generate cache key for permission check (simplified signature)\n * \n * @param userId - User ID\n * @param permission - Permission string\n * @param organisationId - Organisation ID (optional)\n * @param eventId - Event ID (optional)\n * @param appId - App ID (optional)\n * @param pageId - Page ID (optional)\n * @returns String cache key\n */\n static generateKey(\n userId: UUID,\n permission: string,\n organisationId?: UUID,\n eventId?: string,\n appId?: UUID,\n pageId?: UUID | string\n ): string {\n const parts = [\n 'perm',\n userId,\n organisationId || 'null',\n eventId || 'null',\n appId || 'null',\n permission || 'null',\n pageId || 'null',\n ];\n \n return parts.join(':');\n }\n\n /**\n * Generate cache key for permission check (object signature)\n * \n * @param key - Permission cache key object\n * @returns String cache key\n */\n static generatePermissionKey(key: PermissionCacheKey): string {\n const parts = [\n 'perm',\n key.userId,\n key.organisationId || 'null',\n key.eventId || 'null',\n key.appId || 'null',\n key.permission || 'null',\n key.pageId || 'null',\n ];\n \n return parts.join(':');\n }\n\n /**\n * Generate cache key for access level\n * \n * @param userId - User ID\n * @param organisationId - Organisation ID\n * @param eventId - Event ID (optional)\n * @param appId - App ID (optional)\n * @returns String cache key\n */\n static generateAccessLevelKey(\n userId: UUID,\n organisationId: UUID,\n eventId?: string,\n appId?: UUID\n ): string {\n const parts = [\n 'access',\n userId,\n organisationId,\n eventId || 'null',\n appId || 'null',\n ];\n \n return parts.join(':');\n }\n\n /**\n * Generate cache key for permission map\n * \n * @param userId - User ID\n * @param organisationId - Organisation ID\n * @param eventId - Event ID (optional)\n * @param appId - App ID (optional)\n * @returns String cache key\n */\n static generatePermissionMapKey(\n userId: UUID,\n organisationId: UUID,\n eventId?: string,\n appId?: UUID\n ): string {\n const parts = [\n 'map',\n userId,\n organisationId,\n eventId || 'null',\n appId || 'null',\n ];\n \n return parts.join(':');\n }\n}\n\n/**\n * Global cache instance\n * \n * This is the default cache instance used by the RBAC system.\n * You can create additional instances if needed for different contexts.\n */\nexport const rbacCache = new RBACCache();\n\n/**\n * Cache key patterns for invalidation\n */\nexport const CACHE_PATTERNS = {\n USER: (userId: UUID) => `:${userId}:`,\n ORGANISATION: (organisationId: UUID) => `:${organisationId}:`,\n EVENT: (eventId: string) => `:${eventId}:`,\n APP: (appId: UUID) => `:${appId}`,\n PERMISSION: (userId: UUID, organisationId: UUID) => `perm:${userId}:${organisationId}:`,\n} as const;\n","/**\n * RBAC Cache Invalidation Service\n * @package @jmruthers/pace-core\n * @module RBAC/CacheInvalidation\n * @since 1.0.0\n * \n * This module provides automatic cache invalidation when RBAC data changes.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { rbacCache, CACHE_PATTERNS } from './cache';\nimport { emitAuditEvent } from './audit';\nimport { UUID } from './types';\nimport { createLogger } from '../utils/core/logger';\n\nconst log = createLogger('RBACCache');\n\n/**\n * Cache invalidation patterns for different RBAC changes\n */\nexport const INVALIDATION_PATTERNS = {\n // User-level invalidation\n USER_ROLES_CHANGED: (userId: UUID) => [\n CACHE_PATTERNS.USER(userId),\n `perm:${userId}:*`,\n `access:${userId}:*`,\n `map:${userId}:*`\n ],\n \n // Organisation-level invalidation\n ORGANISATION_PERMISSIONS_CHANGED: (organisationId: UUID) => [\n CACHE_PATTERNS.ORGANISATION(organisationId),\n `perm:*:${organisationId}:*`,\n `access:*:${organisationId}:*`,\n `map:*:${organisationId}:*`\n ],\n \n // Event-level invalidation\n EVENT_PERMISSIONS_CHANGED: (eventId: string) => [\n CACHE_PATTERNS.EVENT(eventId),\n `perm:*:*:${eventId}:*`,\n `access:*:*:${eventId}:*`,\n `map:*:*:${eventId}:*`\n ],\n \n // App-level invalidation\n APP_PERMISSIONS_CHANGED: (appId: UUID) => [\n CACHE_PATTERNS.APP(appId),\n `perm:*:*:*:${appId}:*`,\n `access:*:*:*:${appId}`,\n `map:*:*:*:${appId}`\n ],\n \n // Page-level invalidation\n PAGE_PERMISSIONS_CHANGED: (pageId: UUID) => [\n `perm:*:*:*:*:${pageId}`,\n `map:*:*:*:*`\n ]\n} as const;\n\n/**\n * RBAC Cache Invalidation Manager\n * \n * Handles automatic cache invalidation when RBAC data changes.\n */\nexport class RBACCacheInvalidationManager {\n private supabase: SupabaseClient<Database>;\n private invalidationCallbacks: Set<(pattern: string) => void> = new Set();\n private channels: Array<{ unsubscribe: () => void }> = [];\n\n constructor(supabase: SupabaseClient<Database>) {\n this.supabase = supabase;\n this.setupRealtimeSubscriptions();\n }\n\n /**\n * Add a callback for cache invalidation events\n * \n * @param callback - Function to call when cache is invalidated\n * @returns Unsubscribe function\n */\n onInvalidation(callback: (pattern: string) => void): () => void {\n this.invalidationCallbacks.add(callback);\n return () => this.invalidationCallbacks.delete(callback);\n }\n\n /**\n * Invalidate cache for a specific user\n * \n * @param userId - User ID\n * @param reason - Reason for invalidation\n */\n invalidateUser(userId: UUID, reason: string): void {\n const patterns = INVALIDATION_PATTERNS.USER_ROLES_CHANGED(userId);\n this.invalidatePatterns(patterns, reason);\n }\n\n /**\n * Invalidate cache for a specific organisation\n * \n * @param organisationId - Organisation ID\n * @param reason - Reason for invalidation\n */\n invalidateOrganisation(organisationId: UUID, reason: string): void {\n const patterns = INVALIDATION_PATTERNS.ORGANISATION_PERMISSIONS_CHANGED(organisationId);\n this.invalidatePatterns(patterns, reason);\n }\n\n /**\n * Invalidate cache for a specific event\n * \n * @param eventId - Event ID\n * @param reason - Reason for invalidation\n */\n invalidateEvent(eventId: string, reason: string): void {\n const patterns = INVALIDATION_PATTERNS.EVENT_PERMISSIONS_CHANGED(eventId);\n this.invalidatePatterns(patterns, reason);\n }\n\n /**\n * Invalidate cache for a specific app\n * \n * @param appId - App ID\n * @param reason - Reason for invalidation\n */\n invalidateApp(appId: UUID, reason: string): void {\n const patterns = INVALIDATION_PATTERNS.APP_PERMISSIONS_CHANGED(appId);\n this.invalidatePatterns(patterns, reason);\n }\n\n /**\n * Invalidate cache for a specific page\n * \n * @param pageId - Page ID\n * @param reason - Reason for invalidation\n */\n invalidatePage(pageId: UUID, reason: string): void {\n const patterns = INVALIDATION_PATTERNS.PAGE_PERMISSIONS_CHANGED(pageId);\n this.invalidatePatterns(patterns, reason);\n }\n\n /**\n * Invalidate cache patterns and notify callbacks\n * \n * @param patterns - Array of cache patterns to invalidate\n * @param reason - Reason for invalidation\n */\n private invalidatePatterns(patterns: string[], reason: string): void {\n log.debug(`Invalidating patterns: ${patterns.join(', ')} (${reason})`);\n \n patterns.forEach(pattern => {\n rbacCache.invalidate(pattern);\n });\n\n // Notify callbacks\n this.invalidationCallbacks.forEach(callback => {\n patterns.forEach(pattern => callback(pattern));\n });\n\n // Log audit event for cache invalidation\n emitAuditEvent({\n type: 'permission_check',\n userId: 'system' as UUID,\n organisationId: '00000000-0000-0000-0000-000000000000' as UUID,\n permission: 'cache:invalidate',\n decision: true,\n source: 'api',\n duration_ms: 0,\n metadata: {\n reason,\n patterns,\n timestamp: new Date().toISOString(),\n cache_invalidation: true\n }\n }).catch(error => {\n log.warn('Failed to log cache invalidation audit event:', error);\n });\n }\n\n /**\n * Cleanup subscriptions only (not all callbacks)\n * Used internally to cleanup before setting up new subscriptions\n */\n private cleanupSubscriptions(): void {\n this.channels.forEach(channel => {\n try {\n if (channel && typeof channel.unsubscribe === 'function') {\n channel.unsubscribe();\n }\n } catch (error) {\n log.warn('Failed to unsubscribe from channel:', error);\n }\n });\n this.channels = [];\n }\n\n /**\n * Setup realtime subscriptions for automatic cache invalidation\n * Always cleans up existing subscriptions before setting up new ones to prevent duplicates\n */\n private setupRealtimeSubscriptions(): void {\n // Always cleanup existing subscriptions first to prevent duplicates\n this.cleanupSubscriptions();\n \n // Check if realtime is available (skip in test environments)\n if (!this.supabase.channel || typeof this.supabase.channel !== 'function') {\n log.debug('Realtime not available, skipping subscriptions');\n return;\n }\n\n // Subscribe to organisation role changes\n const orgRolesChannel = this.supabase\n .channel('rbac_organisation_roles_changes')\n .on('postgres_changes', {\n event: '*',\n schema: 'public',\n table: 'rbac_organisation_roles'\n }, (payload: any) => {\n const { organisation_id, user_id } = payload.new || payload.old || {};\n if (organisation_id) {\n this.invalidateOrganisation(organisation_id, `organisation_role_${payload.eventType}`);\n }\n if (user_id) {\n this.invalidateUser(user_id, `organisation_role_${payload.eventType}`);\n }\n });\n const orgRolesSubscription = orgRolesChannel.subscribe();\n this.channels.push(orgRolesSubscription);\n\n // Subscribe to event app role changes\n const eventAppRolesChannel = this.supabase\n .channel('rbac_event_app_roles_changes')\n .on('postgres_changes', {\n event: '*',\n schema: 'public',\n table: 'rbac_event_app_roles'\n }, (payload: any) => {\n const { organisation_id, user_id, event_id, app_id } = payload.new || payload.old || {};\n if (organisation_id) {\n this.invalidateOrganisation(organisation_id, `event_app_role_${payload.eventType}`);\n }\n if (user_id) {\n this.invalidateUser(user_id, `event_app_role_${payload.eventType}`);\n }\n if (event_id) {\n this.invalidateEvent(event_id, `event_app_role_${payload.eventType}`);\n }\n if (app_id) {\n this.invalidateApp(app_id, `event_app_role_${payload.eventType}`);\n }\n });\n const eventAppRolesSubscription = eventAppRolesChannel.subscribe();\n this.channels.push(eventAppRolesSubscription);\n\n // Subscribe to global role changes\n const globalRolesChannel = this.supabase\n .channel('rbac_global_roles_changes')\n .on('postgres_changes', {\n event: '*',\n schema: 'public',\n table: 'rbac_global_roles'\n }, (payload: any) => {\n const { user_id } = payload.new || payload.old || {};\n if (user_id) {\n this.invalidateUser(user_id, `global_role_${payload.eventType}`);\n }\n });\n const globalRolesSubscription = globalRolesChannel.subscribe();\n this.channels.push(globalRolesSubscription);\n\n // Subscribe to page permission changes\n const pagePermissionsChannel = this.supabase\n .channel('rbac_page_permissions_changes')\n .on('postgres_changes', {\n event: '*',\n schema: 'public',\n table: 'rbac_page_permissions'\n }, (payload: any) => {\n const { organisation_id, app_page_id, role_id } = payload.new || payload.old || {};\n if (organisation_id) {\n this.invalidateOrganisation(organisation_id, `page_permission_${payload.eventType}`);\n }\n if (app_page_id) {\n this.invalidatePage(app_page_id, `page_permission_${payload.eventType}`);\n }\n // Note: We can't easily get user_id from role_id without additional query\n // This is a limitation of the current schema design\n });\n const pagePermissionsSubscription = pagePermissionsChannel.subscribe();\n this.channels.push(pagePermissionsSubscription);\n }\n\n /**\n * Cleanup all realtime subscriptions\n * Call this when the manager is no longer needed to prevent memory leaks\n */\n cleanup(): void {\n // Unsubscribe from all channels\n this.channels.forEach(channel => {\n try {\n if (channel && typeof channel.unsubscribe === 'function') {\n channel.unsubscribe();\n }\n } catch (error) {\n log.warn('Failed to unsubscribe from channel:', error);\n }\n });\n this.channels = [];\n \n // Clear all callbacks\n this.invalidationCallbacks.clear();\n }\n\n /**\n * Manually trigger cache invalidation for all users in an organisation\n * \n * @param organisationId - Organisation ID\n * @param reason - Reason for invalidation\n */\n async invalidateAllUsersInOrganisation(organisationId: UUID, reason: string): Promise<void> {\n // Get all users in the organisation\n const { data: users } = await this.supabase\n .from('rbac_organisation_roles')\n .select('user_id')\n .eq('organisation_id', organisationId)\n .eq('is_active', true);\n\n if (users) {\n users.forEach(({ user_id }) => {\n this.invalidateUser(user_id, reason);\n });\n }\n }\n\n /**\n * Clear all cache entries\n */\n clearAllCache(): void {\n log.debug('Clearing all cache entries');\n rbacCache.clear();\n }\n}\n\n/**\n * Global cache invalidation manager instance\n */\nlet globalCacheInvalidationManager: RBACCacheInvalidationManager | null = null;\n\n/**\n * Initialize the global cache invalidation manager\n * Ensures only one instance exists per application lifecycle\n * \n * @param supabase - Supabase client\n * @returns Cache invalidation manager instance\n */\nexport function initializeCacheInvalidation(supabase: SupabaseClient<Database>): RBACCacheInvalidationManager {\n // Clean up existing manager if it exists (e.g., when switching Supabase clients)\n if (globalCacheInvalidationManager) {\n log.debug('Cleaning up existing cache invalidation manager before creating new one');\n globalCacheInvalidationManager.cleanup();\n }\n \n globalCacheInvalidationManager = new RBACCacheInvalidationManager(supabase);\n return globalCacheInvalidationManager;\n}\n\n/**\n * Get the global cache invalidation manager\n * \n * @returns Global cache invalidation manager or null if not initialized\n */\nexport function getCacheInvalidationManager(): RBACCacheInvalidationManager | null {\n return globalCacheInvalidationManager;\n}\n\n/**\n * Cleanup the global cache invalidation manager\n * Call this when the application is shutting down or when switching Supabase clients\n */\nexport function cleanupCacheInvalidation(): void {\n if (globalCacheInvalidationManager) {\n globalCacheInvalidationManager.cleanup();\n globalCacheInvalidationManager = null;\n }\n}\n","import {\n RBACError,\n PermissionDeniedError,\n OrganisationContextRequiredError,\n InvalidScopeError,\n MissingUserContextError,\n RBACNotInitializedError,\n} from './types';\n\nexport enum RBACErrorCategory {\n NETWORK = 'network_error',\n DATABASE = 'database_error',\n VALIDATION = 'validation_error',\n RATE_LIMIT = 'rate_limit_error',\n AUTHENTICATION = 'authentication_error',\n AUTHORIZATION = 'authorization_error',\n UNKNOWN = 'unknown_error',\n}\n\nconst RATE_LIMIT_STATUS_CODES = new Set([429]);\nconst AUTH_STATUS_CODES = new Set([401]);\nconst AUTHZ_STATUS_CODES = new Set([403]);\n\nfunction normalize(value: unknown): string {\n if (!value) {\n return '';\n }\n if (typeof value === 'string') {\n return value.toLowerCase();\n }\n if (value instanceof Error && typeof value.message === 'string') {\n return value.message.toLowerCase();\n }\n return String(value).toLowerCase();\n}\n\nexport function categorizeError(error: unknown): RBACErrorCategory {\n if (error instanceof PermissionDeniedError) {\n return RBACErrorCategory.AUTHORIZATION;\n }\n\n if (error instanceof OrganisationContextRequiredError || error instanceof InvalidScopeError) {\n return RBACErrorCategory.VALIDATION;\n }\n\n if (error instanceof MissingUserContextError) {\n return RBACErrorCategory.AUTHENTICATION;\n }\n\n if (error instanceof RBACError) {\n switch (error.code) {\n case 'PERMISSION_DENIED':\n return RBACErrorCategory.AUTHORIZATION;\n case 'ORGANISATION_CONTEXT_REQUIRED':\n case 'INVALID_SCOPE':\n return RBACErrorCategory.VALIDATION;\n case 'MISSING_USER_CONTEXT':\n return RBACErrorCategory.AUTHENTICATION;\n default:\n break;\n }\n }\n\n if (error && typeof error === 'object') {\n const status = (error as { status?: number }).status;\n if (typeof status === 'number') {\n if (RATE_LIMIT_STATUS_CODES.has(status)) {\n return RBACErrorCategory.RATE_LIMIT;\n }\n if (AUTH_STATUS_CODES.has(status)) {\n return RBACErrorCategory.AUTHENTICATION;\n }\n if (AUTHZ_STATUS_CODES.has(status)) {\n return RBACErrorCategory.AUTHORIZATION;\n }\n if (status >= 500) {\n return RBACErrorCategory.DATABASE;\n }\n }\n\n const codeValue = normalize((error as { code?: string }).code);\n if (codeValue) {\n if (codeValue.includes('network')) {\n return RBACErrorCategory.NETWORK;\n }\n if (codeValue.includes('postgres') || codeValue.includes('database') || codeValue.includes('db')) {\n return RBACErrorCategory.DATABASE;\n }\n if (codeValue.includes('rate')) {\n return RBACErrorCategory.RATE_LIMIT;\n }\n if (codeValue.includes('auth')) {\n return RBACErrorCategory.AUTHENTICATION;\n }\n if (codeValue.includes('permission')) {\n return RBACErrorCategory.AUTHORIZATION;\n }\n if (codeValue.includes('scope') || codeValue.includes('invalid')) {\n return RBACErrorCategory.VALIDATION;\n }\n }\n }\n\n const message = normalize(error);\n if (message.includes('timeout') || message.includes('network') || message.includes('fetch')) {\n return RBACErrorCategory.NETWORK;\n }\n if (message.includes('postgres') || message.includes('database') || message.includes('connection')) {\n return RBACErrorCategory.DATABASE;\n }\n if (message.includes('rate limit') || message.includes('too many requests')) {\n return RBACErrorCategory.RATE_LIMIT;\n }\n if (message.includes('permission') || message.includes('forbidden')) {\n return RBACErrorCategory.AUTHORIZATION;\n }\n if (message.includes('auth') || message.includes('token') || message.includes('session')) {\n return RBACErrorCategory.AUTHENTICATION;\n }\n if (message.includes('invalid') || message.includes('scope') || message.includes('validation')) {\n return RBACErrorCategory.VALIDATION;\n }\n\n return RBACErrorCategory.UNKNOWN;\n}\n\nexport type SecurityEventType =\n | 'permission_denied'\n | 'invalid_input'\n | 'rate_limit_exceeded'\n | 'suspicious_activity'\n | 'network_error'\n | 'database_error'\n | 'validation_error'\n | 'rate_limit_error'\n | 'authentication_error'\n | 'unknown_error';\n\nexport function mapErrorCategoryToSecurityEventType(category: RBACErrorCategory): SecurityEventType {\n switch (category) {\n case RBACErrorCategory.AUTHORIZATION:\n return 'permission_denied';\n case RBACErrorCategory.NETWORK:\n return 'network_error';\n case RBACErrorCategory.DATABASE:\n return 'database_error';\n case RBACErrorCategory.VALIDATION:\n return 'validation_error';\n case RBACErrorCategory.RATE_LIMIT:\n return 'rate_limit_error';\n case RBACErrorCategory.AUTHENTICATION:\n return 'authentication_error';\n case RBACErrorCategory.UNKNOWN:\n default:\n return 'unknown_error';\n }\n}\n\n// Re-export error classes for convenience\nexport {\n RBACError,\n PermissionDeniedError,\n OrganisationContextRequiredError,\n InvalidScopeError,\n MissingUserContextError,\n RBACNotInitializedError,\n};\n","/**\n * Event Context Utilities for RBAC\n * @package @jmruthers/pace-core\n * @module RBAC/EventContext\n * @since 1.0.0\n * \n * This module provides utilities for event-based RBAC operations where\n * the organization context is derived from the event context.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../../types/database';\nimport { UUID, Scope } from '../types';\n\n/**\n * Cache for organisation derivation from event\n * Key: eventId, Value: organisationId | null\n * Maximum cache size to prevent memory leaks\n */\nconst orgDerivationCache = new Map<string, UUID | null>();\nconst MAX_CACHE_SIZE = 100; // Limit cache to 100 entries\n\n/**\n * Clear cache entry for a specific event (useful if event's org changes)\n * @param eventId - Event ID to clear from cache\n */\nexport function clearOrgDerivationCache(eventId: string): void {\n orgDerivationCache.delete(eventId);\n}\n\n/**\n * Clear all cached organisation derivations\n */\nexport function clearAllOrgDerivationCache(): void {\n orgDerivationCache.clear();\n}\n\n/**\n * Get organization ID from event ID\n * \n * Uses caching to avoid repeated database queries for the same event.\n * Cache is limited to prevent memory leaks.\n * \n * @param supabase - Supabase client\n * @param eventId - Event ID\n * @returns Promise resolving to organization ID or null\n */\nexport async function getOrganisationFromEvent(\n supabase: SupabaseClient<Database>,\n eventId: string\n): Promise<UUID | null> {\n // Check cache first\n if (orgDerivationCache.has(eventId)) {\n return orgDerivationCache.get(eventId) ?? null;\n }\n\n // Query database\n const { data, error } = await supabase\n .from('core_events')\n .select('organisation_id')\n .eq('event_id', eventId)\n .single() as { data: { organisation_id: string } | null; error: any };\n\n let organisationId: UUID | null = null;\n\n if (error || !data) {\n organisationId = null;\n } else if (data.organisation_id) {\n organisationId = data.organisation_id;\n } else {\n // organisation_id is null or undefined\n organisationId = null;\n }\n\n // Cache the result (with size limit to prevent memory leaks)\n if (orgDerivationCache.size >= MAX_CACHE_SIZE) {\n // Remove oldest entry (first key in Map)\n const firstKey = orgDerivationCache.keys().next().value;\n if (firstKey) {\n orgDerivationCache.delete(firstKey);\n }\n }\n orgDerivationCache.set(eventId, organisationId);\n\n return organisationId;\n}\n\n/**\n * Create a complete scope from event context\n * \n * @param supabase - Supabase client\n * @param eventId - Event ID\n * @param appId - Optional app ID\n * @returns Promise resolving to complete scope\n */\nexport async function createScopeFromEvent(\n supabase: SupabaseClient<Database>,\n eventId: string,\n appId?: UUID\n): Promise<Scope | null> {\n const organisationId = await getOrganisationFromEvent(supabase, eventId);\n \n if (!organisationId) {\n return null;\n }\n\n return {\n organisationId,\n eventId,\n appId\n };\n}\n\n/**\n * Check if a scope is event-based (has eventId but no explicit organisationId)\n * \n * @param scope - Permission scope\n * @returns True if scope is event-based\n */\nexport function isEventBasedScope(scope: Scope): boolean {\n return !scope.organisationId && !!scope.eventId;\n}\n\n/**\n * Validate that an event-based scope has the required context\n * \n * @param scope - Permission scope\n * @returns True if scope is valid for event-based operations\n */\nexport function isValidEventBasedScope(scope: Scope): boolean {\n return isEventBasedScope(scope) && !!scope.eventId;\n}\n","/**\n * Context Validator for RBAC\n * @package @jmruthers/pace-core\n * @module RBAC/ContextValidator\n * @since 1.0.0\n * \n * Centralized validation for RBAC context requirements based on app configuration.\n * Enforces app-specific context rules with single primary context:\n * - requires_event = TRUE: Event is PRIMARY context, org derived from event (org not required in input)\n * - requires_event = FALSE: Organisation is PRIMARY context, event optional\n * - PORTAL/ADMIN apps: Both contexts optional (allows users to view/edit own profiles, super admin access)\n * \n * Key principle: Only one primary context is required based on app config. The other is derived or optional.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../../types/database';\nimport { UUID, Scope } from '../types';\nimport { EventContextRequiredError, OrganisationContextRequiredError } from '../types';\nimport { getOrganisationFromEvent } from './eventContext';\nimport { createLogger } from '../../utils/core/logger';\n\nconst log = createLogger('ContextValidator');\n\nexport interface AppConfig {\n requires_event: boolean;\n}\n\n/**\n * Check if an app allows optional contexts (both organisation and event optional)\n * @param appName - App name to check\n * @returns True if app allows optional contexts\n */\nfunction allowsOptionalContexts(appName?: string): boolean {\n return appName === 'PORTAL' || appName === 'ADMIN';\n}\n\nexport interface ContextValidationResult {\n isValid: boolean;\n resolvedScope: Scope | null;\n error: Error | null;\n}\n\n/**\n * Context Validator class\n * \n * Validates and resolves RBAC scope based on app configuration requirements.\n */\nexport class ContextValidator {\n /**\n * Validate scope against app requirements\n * \n * @param scope - Current scope\n * @param appConfig - App configuration (requires_event flag)\n * @param appName - App name (for PORTAL/ADMIN special case)\n * @returns Validation result with resolved scope\n */\n static async validateScope(\n scope: Scope,\n appConfig: AppConfig | null,\n appName?: string\n ): Promise<ContextValidationResult> {\n // PORTAL/ADMIN special case: both contexts optional\n if (allowsOptionalContexts(appName)) {\n return {\n isValid: true,\n resolvedScope: {\n organisationId: scope.organisationId,\n eventId: scope.eventId,\n appId: scope.appId\n },\n error: null\n };\n }\n\n // If no app config, default to requiring org context\n if (!appConfig) {\n if (!scope.organisationId) {\n return {\n isValid: false,\n resolvedScope: null,\n error: new OrganisationContextRequiredError()\n };\n }\n return {\n isValid: true,\n resolvedScope: scope,\n error: null\n };\n }\n\n // Event-required apps: must have eventId, derive org from event\n if (appConfig.requires_event) {\n if (!scope.eventId) {\n return {\n isValid: false,\n resolvedScope: null,\n error: new EventContextRequiredError()\n };\n }\n\n // If org is not provided, we'll need to derive it from event\n // But for validation, we just check that eventId exists\n // The actual derivation happens in resolveRequiredContext\n return {\n isValid: true,\n resolvedScope: scope,\n error: null\n };\n }\n\n // Org-required apps: must have organisationId, eventId optional\n if (!scope.organisationId) {\n return {\n isValid: false,\n resolvedScope: null,\n error: new OrganisationContextRequiredError()\n };\n }\n\n return {\n isValid: true,\n resolvedScope: scope,\n error: null\n };\n }\n\n /**\n * Resolve required context and derive missing values\n * \n * @param scope - Current scope\n * @param appConfig - App configuration\n * @param appName - App name (for PORTAL/ADMIN special case)\n * @param supabase - Supabase client (for deriving org from event)\n * @returns Resolved scope with all required context\n */\n static async resolveRequiredContext(\n scope: Scope,\n appConfig: AppConfig | null,\n appName?: string,\n supabase?: SupabaseClient<Database> | null\n ): Promise<ContextValidationResult> {\n // PORTAL/ADMIN special case: both contexts optional\n if (allowsOptionalContexts(appName)) {\n return {\n isValid: true,\n resolvedScope: {\n organisationId: scope.organisationId,\n eventId: scope.eventId,\n appId: scope.appId\n },\n error: null\n };\n }\n\n // If no app config, default to requiring org context\n if (!appConfig) {\n if (!scope.organisationId) {\n return {\n isValid: false,\n resolvedScope: null,\n error: new OrganisationContextRequiredError()\n };\n }\n return {\n isValid: true,\n resolvedScope: scope,\n error: null\n };\n }\n\n // Event-required apps: must have eventId, derive org from event\n if (appConfig.requires_event) {\n if (!scope.eventId) {\n return {\n isValid: false,\n resolvedScope: null,\n error: new EventContextRequiredError()\n };\n }\n\n // Derive organisationId from event if not provided\n let organisationId: UUID | undefined = scope.organisationId;\n if (!organisationId && supabase && scope.eventId) {\n try {\n const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);\n organisationId = derivedOrgId || undefined;\n if (!organisationId) {\n return {\n isValid: false,\n resolvedScope: null,\n error: new Error('Could not resolve organisation from event context')\n };\n }\n } catch (error) {\n log.error('Failed to derive org from event:', error);\n return {\n isValid: false,\n resolvedScope: null,\n error: error instanceof Error ? error : new Error('Failed to derive organisation from event')\n };\n }\n } else if (!organisationId) {\n return {\n isValid: false,\n resolvedScope: null,\n error: new Error('Event context requires organisationId but it could not be derived (supabase client not available)')\n };\n }\n\n return {\n isValid: true,\n resolvedScope: {\n organisationId,\n eventId: scope.eventId,\n appId: scope.appId\n },\n error: null\n };\n }\n\n // Org-required apps: must have organisationId, eventId optional\n if (!scope.organisationId) {\n return {\n isValid: false,\n resolvedScope: null,\n error: new OrganisationContextRequiredError()\n };\n }\n\n return {\n isValid: true,\n resolvedScope: scope,\n error: null\n };\n }\n\n /**\n * Derive organisation ID from event ID\n * \n * @param supabase - Supabase client\n * @param eventId - Event ID\n * @returns Organisation ID or null\n */\n static async deriveOrgFromEvent(\n supabase: SupabaseClient<Database>,\n eventId: string\n ): Promise<UUID | null> {\n return getOrganisationFromEvent(supabase, eventId);\n }\n\n /**\n * Check if context is ready for permission checks\n * \n * @param scope - Current scope\n * @param appConfig - App configuration\n * @param appName - App name\n * @param hasSelectedEvent - Whether event is selected\n * @param hasSelectedOrganisation - Whether organisation is selected\n * @returns True if context is ready\n */\n static isContextReady(\n scope: Scope,\n appConfig: AppConfig | null,\n appName?: string,\n hasSelectedEvent?: boolean,\n hasSelectedOrganisation?: boolean\n ): boolean {\n // PORTAL/ADMIN special case: context is always ready\n if (allowsOptionalContexts(appName)) {\n return true;\n }\n\n // If no app config, default to requiring org context\n if (!appConfig) {\n return !!hasSelectedOrganisation || !!scope.organisationId;\n }\n\n // Event-required apps: need event context\n if (appConfig.requires_event) {\n return !!hasSelectedEvent || !!scope.eventId;\n }\n\n // Org-required apps: need org context\n return !!hasSelectedOrganisation || !!scope.organisationId;\n }\n}\n\n","/**\n * RBAC Security Enhancements\n * @package @jmruthers/pace-core\n * @module RBAC/Security\n * @since 1.0.0\n * \n * Additional security measures for the RBAC system\n */\n\nimport { UUID, Permission, Scope } from './types';\nimport { createLogger } from '../utils/core/logger';\nimport { ContextValidator } from './utils/contextValidator';\nimport type { AppConfig } from './utils/contextValidator';\n\nconst log = createLogger('RBACSecurity');\n\n/**\n * Security validation utilities for RBAC operations\n */\nexport class RBACSecurityValidator {\n /**\n * Validate permission string format\n * @param permission - Permission string to validate\n * @returns True if valid, false otherwise\n */\n static validatePermission(permission: string): boolean {\n if (typeof permission !== 'string' || permission.length === 0) {\n return false;\n }\n\n // Permission format: operation:resource[.subresource]\n // Only CRUD operations are allowed (read, create, update, delete)\n // The 'manage' operation has been removed for RBAC compliance\n const permissionRegex = /^(read|create|update|delete):[a-z0-9._-]+$/;\n return permissionRegex.test(permission);\n }\n\n /**\n * Validate UUID format\n * @param uuid - UUID string to validate\n * @returns True if valid, false otherwise\n */\n static validateUUID(uuid: string): boolean {\n if (typeof uuid !== 'string' || uuid.length === 0) {\n return false;\n }\n\n // More permissive UUID regex that allows all valid UUID versions\n const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n return uuidRegex.test(uuid);\n }\n\n /**\n * Validate scope object\n * @param scope - Scope object to validate\n * @returns True if valid, false otherwise\n */\n static validateScope(scope: Scope): boolean {\n if (!scope || typeof scope !== 'object') {\n return false;\n }\n\n // Organisation ID validation - reject empty strings\n if (scope.organisationId !== undefined) {\n // Reject empty strings - use undefined/null instead\n if (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '') {\n return false;\n }\n if (scope.organisationId && !this.validateUUID(scope.organisationId)) {\n return false;\n }\n }\n\n // Event ID should be a string if provided\n if (scope.eventId && typeof scope.eventId !== 'string') {\n return false;\n }\n\n // App ID should be a valid UUID if provided\n if (scope.appId && !this.validateUUID(scope.appId)) {\n return false;\n }\n\n // At least one valid field must be present\n return !!(scope.organisationId || scope.eventId || scope.appId);\n }\n\n /**\n * Sanitize input string to prevent injection attacks\n * @param input - Input string to sanitize\n * @returns Sanitized string\n */\n static sanitizeInput(input: string): string {\n if (typeof input !== 'string') {\n return '';\n }\n\n // Remove potentially dangerous characters\n return input\n .replace(/<[^>]*>/g, '') // Remove HTML tags\n .replace(/[<>\\\"'&]/g, '') // Remove HTML/XML characters\n .replace(/[;()]/g, '') // Remove SQL injection characters\n .replace(/javascript:/gi, '') // Remove javascript: protocol\n .replace(/data:/gi, '') // Remove data: protocol\n .trim();\n }\n\n /**\n * Validate user ID format\n * @param userId - User ID to validate\n * @returns True if valid, false otherwise\n */\n static validateUserId(userId: UUID): boolean {\n return this.validateUUID(userId);\n }\n\n /**\n * Check if permission is a wildcard permission\n * @param permission - Permission string to check\n * @returns True if wildcard, false otherwise\n */\n static isWildcardPermission(permission: string): boolean {\n return permission.includes('*') || permission.endsWith(':*');\n }\n\n /**\n * Validate permission hierarchy\n * @param permission - Permission to validate\n * @param requiredOperation - Required operation\n * @returns True if permission matches or is higher in hierarchy\n */\n static validatePermissionHierarchy(permission: string, requiredOperation: string): boolean {\n if (!this.validatePermission(permission)) {\n return false;\n }\n\n const [operation] = permission.split(':');\n // Only CRUD operations - 'manage' has been removed\n const hierarchy = ['read', 'create', 'update', 'delete'];\n \n const permissionLevel = hierarchy.indexOf(operation);\n const requiredLevel = hierarchy.indexOf(requiredOperation);\n \n if (permissionLevel === -1 || requiredLevel === -1) {\n return false;\n }\n\n // Higher level permissions include lower level permissions\n return permissionLevel >= requiredLevel;\n }\n\n /**\n * Rate limiting check (placeholder for future implementation)\n * @param userId - User ID\n * @param operation - Operation being performed\n * @returns True if within rate limit, false otherwise\n */\n static async checkRateLimit(userId: UUID, operation: string): Promise<boolean> {\n // TODO: Implement actual rate limiting logic\n // This could use Redis, in-memory cache, or database-based rate limiting\n return true;\n }\n\n /**\n * Validate context requirements for security\n * @param scope - Scope object\n * @param appConfig - App configuration\n * @param appName - App name (for PORTAL special case)\n * @returns True if context is valid, false otherwise\n */\n static async validateContextRequirements(\n scope: Scope,\n appConfig?: AppConfig | null,\n appName?: string\n ): Promise<boolean> {\n const validation = await ContextValidator.validateScope(scope, appConfig || null, appName);\n return validation.isValid;\n }\n\n /**\n * Log security event for monitoring\n * @param event - Security event details\n */\n private static rateLimitWarningCount = new Map<UUID, { count: number; lastWarning: number }>();\n private static readonly RATE_LIMIT_WARNING_THROTTLE_MS = 5000; // Only warn once per 5 seconds per user\n \n static logSecurityEvent(event: {\n type:\n | 'permission_denied'\n | 'invalid_input'\n | 'rate_limit_exceeded'\n | 'suspicious_activity'\n | 'network_error'\n | 'database_error'\n | 'validation_error'\n | 'rate_limit_error'\n | 'authentication_error'\n | 'unknown_error';\n userId: UUID;\n details: Record<string, any>;\n timestamp?: Date;\n }): void {\n const securityEvent = {\n ...event,\n timestamp: event.timestamp || new Date(),\n severity: this.getEventSeverity(event.type),\n };\n\n // Throttle rate limit warnings to prevent console flooding\n if (event.type === 'rate_limit_exceeded') {\n const now = Date.now();\n const userWarning = this.rateLimitWarningCount.get(event.userId);\n \n if (userWarning) {\n const timeSinceLastWarning = now - userWarning.lastWarning;\n if (timeSinceLastWarning < this.RATE_LIMIT_WARNING_THROTTLE_MS) {\n // Still within throttle window - increment count but don't log\n userWarning.count++;\n this.rateLimitWarningCount.set(event.userId, userWarning);\n return; // Skip logging to prevent console flooding\n } else {\n // Throttle window expired - log with count and reset\n log.warn('Security event (throttled):', {\n ...securityEvent,\n details: {\n ...securityEvent.details,\n suppressedWarnings: userWarning.count,\n message: `Rate limit exceeded (${userWarning.count + 1} times in last ${Math.round(timeSinceLastWarning / 1000)}s)`\n }\n });\n this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });\n return;\n }\n } else {\n // First warning for this user - log it\n this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });\n log.warn('Security event:', securityEvent);\n return;\n }\n }\n\n // Log other security events normally\n log.warn('Security event:', securityEvent);\n\n // TODO: Send to security monitoring service\n }\n\n /**\n * Get severity level for security event\n * @param eventType - Type of security event\n * @returns Severity level\n */\n private static getEventSeverity(eventType: string): 'low' | 'medium' | 'high' | 'critical' {\n switch (eventType) {\n case 'permission_denied':\n return 'low';\n case 'invalid_input':\n case 'rate_limit_exceeded':\n case 'rate_limit_error':\n case 'network_error':\n return 'medium';\n case 'validation_error':\n return 'high';\n case 'authentication_error':\n case 'database_error':\n return 'critical';\n case 'suspicious_activity':\n case 'unknown_error':\n return 'high';\n default:\n return 'low';\n }\n }\n}\n\n/**\n * Security configuration for RBAC system\n */\nexport interface RBACSecurityConfig {\n enableInputValidation: boolean;\n enableRateLimiting: boolean;\n enableAuditLogging: boolean;\n maxPermissionChecksPerMinute: number;\n suspiciousActivityThreshold: number;\n}\n\n/**\n * Default security configuration\n */\nexport const DEFAULT_SECURITY_CONFIG: RBACSecurityConfig = {\n enableInputValidation: true,\n enableRateLimiting: true,\n enableAuditLogging: true,\n maxPermissionChecksPerMinute: 1000, // Increased from 100 to 1000 for normal app usage\n suspiciousActivityThreshold: 10,\n};\n\n/**\n * Security context for RBAC operations\n * \n * OrganisationId is required - it can always be derived from event context in event-based apps.\n * If organisation context is not available, the operation should fail rather than proceed without context.\n */\nexport interface SecurityContext {\n userId: UUID;\n organisationId: UUID | null; // Required for resource-level permissions, null for page-level permissions (database handles NULL)\n ipAddress?: string;\n userAgent?: string;\n timestamp: Date;\n}\n\n/**\n * Security middleware for RBAC operations\n */\nexport class RBACSecurityMiddleware {\n private config: RBACSecurityConfig;\n\n constructor(config: RBACSecurityConfig = DEFAULT_SECURITY_CONFIG) {\n this.config = config;\n this._startCleanupInterval();\n }\n\n /**\n * Start periodic cleanup of expired entries\n */\n private _startCleanupInterval(): void {\n // Clear expired entries every 5 minutes\n setInterval(() => {\n this.clearExpiredEntries();\n }, 5 * 60 * 1000);\n }\n\n /**\n * Validate input before processing\n * @param input - Input to validate\n * @param context - Security context\n * @returns Validation result\n */\n async validateInput(input: any, context: SecurityContext): Promise<{\n isValid: boolean;\n errors: string[];\n }> {\n const errors: string[] = [];\n\n // Core validations are always enforced regardless of configuration\n if (!RBACSecurityValidator.validateUserId(context.userId)) {\n errors.push('Invalid user ID format');\n }\n\n // For page-level permissions, organisationId can be null (database handles it)\n // For resource-level permissions, organisationId is required\n const isPagePermission = input.permission?.includes(':page.') || !!input.pageId;\n const requiresOrgId = !isPagePermission;\n\n // OrganisationId validation - only required for resource-level permissions\n if (requiresOrgId) {\n if (!context.organisationId) {\n errors.push('Organisation ID is required for resource-level permissions');\n } else if (!RBACSecurityValidator.validateUUID(context.organisationId)) {\n errors.push('Invalid organisation ID format');\n }\n } else {\n // For page-level permissions, organisationId can be null, but if provided, it must be valid\n if (context.organisationId && !RBACSecurityValidator.validateUUID(context.organisationId)) {\n errors.push('Invalid organisation ID format');\n }\n }\n\n if (input.permission && !RBACSecurityValidator.validatePermission(input.permission)) {\n errors.push('Invalid permission format');\n }\n\n if (input.scope && !RBACSecurityValidator.validateScope(input.scope)) {\n errors.push('Invalid scope format');\n }\n\n if (this.config.enableInputValidation) {\n if (context.ipAddress && typeof context.ipAddress !== 'string') {\n errors.push('Invalid IP address format');\n }\n\n if (context.userAgent && typeof context.userAgent !== 'string') {\n errors.push('Invalid user agent format');\n }\n }\n\n // Log suspicious activity\n if (errors.length > 0) {\n RBACSecurityValidator.logSecurityEvent({\n type: 'invalid_input',\n userId: context.userId,\n details: { errors, input: this.sanitizeInput(JSON.stringify(input)) },\n });\n }\n\n return {\n isValid: errors.length === 0,\n errors,\n };\n }\n\n /**\n * Check rate limiting\n * @param context - Security context\n * @returns Rate limit check result\n */\n async checkRateLimit(context: SecurityContext): Promise<{\n isAllowed: boolean;\n remaining: number;\n }> {\n if (!this.config.enableRateLimiting) {\n return { isAllowed: true, remaining: this.config.maxPermissionChecksPerMinute };\n }\n\n // Implementation: In-memory rate limiting with sliding window\n // For production, consider using Redis or Supabase Edge Functions\n const isAllowed = await this._checkRateLimitInternal(context.userId);\n \n const remaining = isAllowed ? this.config.maxPermissionChecksPerMinute - this._getRequestCount(context.userId) : 0;\n\n return {\n isAllowed,\n remaining: Math.max(0, remaining),\n };\n }\n\n /**\n * In-memory rate limiting cache (sliding window)\n * Note: For production, this should use Redis or Supabase Edge Functions\n */\n private rateLimitCache = new Map<UUID, Array<{ timestamp: number }>>();\n\n private async _checkRateLimitInternal(userId: UUID): Promise<boolean> {\n const now = Date.now();\n const windowMs = 60 * 1000; // 1 minute window\n\n // Get or create rate limit entries for this user\n const entries = this.rateLimitCache.get(userId) || [];\n \n // Remove entries outside the time window\n const validEntries = entries.filter(entry => now - entry.timestamp < windowMs);\n \n // Check if user exceeded rate limit\n const requestCount = validEntries.length;\n const isAllowed = requestCount < this.config.maxPermissionChecksPerMinute;\n \n // If allowed, add current request\n if (isAllowed) {\n validEntries.push({ timestamp: now });\n }\n \n // Update cache\n this.rateLimitCache.set(userId, validEntries);\n \n return isAllowed;\n }\n\n private _getRequestCount(userId: UUID): number {\n const now = Date.now();\n const windowMs = 60 * 1000; // 1 minute window\n \n const entries = this.rateLimitCache.get(userId) || [];\n const validEntries = entries.filter(entry => now - entry.timestamp < windowMs);\n \n return validEntries.length;\n }\n\n /**\n * Clear old rate limit entries to prevent memory leaks\n * Should be called periodically (e.g., every 5 minutes)\n */\n private clearExpiredEntries(): void {\n const now = Date.now();\n const windowMs = 60 * 1000; // 1 minute window\n \n for (const [userId, entries] of this.rateLimitCache.entries()) {\n const validEntries = entries.filter(entry => now - entry.timestamp < windowMs);\n \n if (validEntries.length === 0) {\n this.rateLimitCache.delete(userId);\n } else {\n this.rateLimitCache.set(userId, validEntries);\n }\n }\n }\n\n /**\n * Sanitize input data\n * @param input - Input to sanitize\n * @returns Sanitized input\n */\n private sanitizeInput(input: string): string {\n return RBACSecurityValidator.sanitizeInput(input);\n }\n}\n","/**\n * RBAC Configuration\n * @package @jmruthers/pace-core\n * @module RBAC/Config\n * @since 1.0.0\n * \n * This module provides configuration options for the RBAC system.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { RBACSecurityConfig } from './security';\n\nexport type LogLevel = 'error' | 'warn' | 'info' | 'debug';\n\nexport interface RBACConfig {\n supabase: SupabaseClient<Database>;\n debug?: boolean;\n logLevel?: LogLevel;\n developmentMode?: boolean;\n mockPermissions?: Record<string, boolean>;\n cache?: {\n ttl?: number;\n enabled?: boolean;\n sessionTtl?: number; // Session cache TTL in milliseconds (default: 5 minutes)\n };\n audit?: {\n enabled?: boolean;\n logLevel?: LogLevel;\n batched?: boolean; // Enable batched audit logging (default: true)\n batchWindow?: number; // Time window in milliseconds (default: 100ms)\n batchSize?: number; // Maximum batch size (default: 10)\n };\n security?: Partial<RBACSecurityConfig>;\n performance?: {\n enableRequestDeduplication?: boolean; // Enable request deduplication (default: true)\n enableBatchedAuditLogging?: boolean; // Enable batched audit logging (default: true)\n enablePerformanceTracking?: boolean; // Enable performance tracking (default: false in production)\n };\n}\n\nexport interface RBACLogger {\n error: (message: string, ...args: unknown[]) => void;\n warn: (message: string, ...args: unknown[]) => void;\n info: (message: string, ...args: unknown[]) => void;\n debug: (message: string, ...args: unknown[]) => void;\n}\n\nclass RBACConfigManager {\n private config: RBACConfig | null = null;\n private logger: RBACLogger | null = null;\n\n setConfig(config: RBACConfig): void {\n this.config = config;\n this.setupLogger();\n }\n\n getConfig(): RBACConfig | null {\n return this.config;\n }\n\n getLogger(): RBACLogger {\n if (!this.logger) {\n this.logger = this.createDefaultLogger();\n }\n return this.logger;\n }\n\n private setupLogger(): void {\n if (!this.config) return;\n\n const { debug = false, logLevel = 'warn' } = this.config;\n \n this.logger = {\n error: (message: string, ...args: unknown[]) => {\n console.error(`[RBAC ERROR] ${message}`, ...args);\n },\n warn: (message: string, ...args: unknown[]) => {\n if (logLevel === 'warn' || logLevel === 'info' || logLevel === 'debug') {\n console.warn(`[RBAC WARN] ${message}`, ...args);\n }\n },\n info: (message: string, ...args: unknown[]) => {\n if (logLevel === 'info' || logLevel === 'debug') {\n console.info(`[RBAC INFO] ${message}`, ...args);\n }\n },\n debug: (message: string, ...args: unknown[]) => {\n if (debug && logLevel === 'debug') {\n console.debug(`[RBAC DEBUG] ${message}`, ...args);\n }\n },\n };\n }\n\n private createDefaultLogger(): RBACLogger {\n return {\n error: (message: string, ...args: unknown[]) => console.error(`[RBAC ERROR] ${message}`, ...args),\n warn: (message: string, ...args: unknown[]) => console.warn(`[RBAC WARN] ${message}`, ...args),\n info: (message: string, ...args: unknown[]) => console.info(`[RBAC INFO] ${message}`, ...args),\n debug: (message: string, ...args: unknown[]) => console.debug(`[RBAC DEBUG] ${message}`, ...args),\n };\n }\n\n isDebugMode(): boolean {\n return this.config?.debug ?? false;\n }\n\n isDevelopmentMode(): boolean {\n return this.config?.developmentMode ?? false;\n }\n\n getMockPermissions(): Record<string, boolean> | null {\n return this.config?.mockPermissions ?? null;\n }\n}\n\n// Global config manager instance\nconst configManager = new RBACConfigManager();\n\nexport function createRBACConfig(config: RBACConfig): RBACConfig {\n configManager.setConfig(config);\n return config;\n}\n\nexport function getRBACConfig(): RBACConfig | null {\n return configManager.getConfig();\n}\n\nexport function getRBACLogger(): RBACLogger {\n return configManager.getLogger();\n}\n\nexport function isDebugMode(): boolean {\n return configManager.isDebugMode();\n}\n\nexport function isDevelopmentMode(): boolean {\n return configManager.isDevelopmentMode();\n}\n\nexport function getMockPermissions(): Record<string, boolean> | null {\n return configManager.getMockPermissions();\n}\n","/**\n * RBAC Core Engine - Simplified Version\n * @package @jmruthers/pace-core\n * @module RBAC/Engine\n * @since 2.0.0\n * \n * This is a drastically simplified version that delegates permission checking to a single RPC function.\n * All the complex grant collection logic has been moved to the database for better performance and security.\n * \n * BREAKING CHANGES FROM v1:\n * - No more client-side grant collection\n * - No more complex permission resolution algorithm\n * - Single RPC call for all permission checks\n * - Caching is still supported for performance\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport {\n UUID,\n Permission,\n Scope,\n PermissionCheck,\n AccessLevel,\n PermissionMap,\n Operation,\n RBACAppContext,\n RBACRoleContext,\n RBACPermission,\n} from './types';\nimport { rbacCache, RBACCache } from './cache';\nimport { emitAuditEvent } from './audit';\nimport { initializeCacheInvalidation } from './cache-invalidation';\nimport { categorizeError, mapErrorCategoryToSecurityEventType } from './errors';\nimport { \n RBACSecurityValidator, \n RBACSecurityMiddleware, \n SecurityContext,\n DEFAULT_SECURITY_CONFIG,\n RBACSecurityConfig\n} from './security';\nimport { getRBACLogger } from './config';\n\n/**\n * Simplified RBAC Engine\n * \n * Delegates all permission checks to the database via a single RPC function.\n * This reduces complexity, improves performance, and enhances security.\n */\nexport class RBACEngine {\n private supabase: SupabaseClient<Database>;\n private securityMiddleware: RBACSecurityMiddleware;\n\n constructor(supabase: SupabaseClient<Database>, securityConfig?: Partial<RBACSecurityConfig>) {\n this.supabase = supabase;\n // Merge provided security config with defaults\n const mergedSecurityConfig: RBACSecurityConfig = {\n ...DEFAULT_SECURITY_CONFIG,\n ...securityConfig,\n };\n this.securityMiddleware = new RBACSecurityMiddleware(mergedSecurityConfig);\n \n // Initialize cache invalidation for automatic cache clearing\n initializeCacheInvalidation(supabase);\n }\n\n /**\n * Check if a user has a specific permission\n * \n * This method now delegates to the database RPC function for all the heavy lifting.\n * \n * @param input - Permission check input\n * @param securityContext - Security context for validation (required)\n * @returns Promise resolving to permission result\n */\n async isPermitted(input: PermissionCheck, securityContext: SecurityContext): Promise<boolean> {\n const startTime = Date.now();\n const { userId, permission, scope, pageId } = input;\n \n // Track cache usage for audit\n let cacheHit = false;\n let cacheSource: 'memory' | 'rpc' = 'rpc';\n\n try {\n // ========================================================================\n // STEP 1: Security Validation & Rate Limiting (MANDATORY)\n // ========================================================================\n \n // Validate input\n const validation = await this.securityMiddleware.validateInput(input, securityContext);\n if (!validation.isValid) {\n RBACSecurityValidator.logSecurityEvent({\n type: 'invalid_input',\n userId,\n details: { errors: validation.errors, input: JSON.stringify(input) },\n });\n return false;\n }\n\n // Check rate limits\n const rateLimit = await this.securityMiddleware.checkRateLimit(securityContext);\n if (!rateLimit.isAllowed) {\n RBACSecurityValidator.logSecurityEvent({\n type: 'rate_limit_exceeded',\n userId,\n details: { remaining: rateLimit.remaining },\n });\n return false;\n }\n\n // Validate user ID format\n if (!RBACSecurityValidator.validateUserId(userId)) {\n RBACSecurityValidator.logSecurityEvent({\n type: 'invalid_input',\n userId,\n details: { error: 'Invalid user ID format' },\n });\n return false;\n }\n\n // Validate permission format\n if (!RBACSecurityValidator.validatePermission(permission)) {\n RBACSecurityValidator.logSecurityEvent({\n type: 'invalid_input',\n userId,\n details: { error: 'Invalid permission format', permission },\n });\n return false;\n }\n\n // Validate scope format\n if (!RBACSecurityValidator.validateScope(scope)) {\n RBACSecurityValidator.logSecurityEvent({\n type: 'invalid_input',\n userId,\n details: { error: 'Invalid scope format', scope },\n });\n return false;\n }\n\n // ========================================================================\n // STEP 2: Check Cache (OPTIONAL - for performance)\n // ========================================================================\n \n const cacheKey = RBACCache.generateKey(\n userId,\n permission,\n scope.organisationId,\n scope.eventId,\n scope.appId,\n pageId\n );\n \n const cached = rbacCache.get<boolean>(cacheKey);\n if (cached !== null) {\n cacheHit = true;\n cacheSource = 'memory';\n \n // Skip audit logging for cached checks (only log on cache miss)\n // This significantly reduces network requests\n return cached;\n }\n\n // ========================================================================\n // STEP 3: Call Simplified RPC Function (SINGLE DATABASE CALL)\n // ========================================================================\n \n // This single RPC call replaces hundreds of lines of complex client-side logic:\n // - No more super admin checks here (RPC handles it)\n // - No more grant collection (RPC handles it)\n // - No more permission matching (RPC handles it)\n // - No more deny-override-allow logic (RPC handles it)\n \n const { data, error } = await (this.supabase as any).rpc('rbac_check_permission_simplified', {\n p_user_id: userId,\n p_permission: permission,\n p_organisation_id: scope.organisationId || undefined,\n p_event_id: scope.eventId || undefined,\n p_app_id: scope.appId || undefined,\n p_page_id: pageId || undefined,\n });\n\n if (error) {\n const logger = getRBACLogger();\n logger.error('RPC error:', error);\n\n const category = categorizeError(error);\n const eventType = mapErrorCategoryToSecurityEventType(category);\n const errorDetails = error as { message?: string; code?: string; hint?: string; details?: string };\n\n RBACSecurityValidator.logSecurityEvent({\n type: eventType,\n userId,\n details: {\n error: errorDetails?.message || 'RPC call failed',\n code: errorDetails?.code,\n hint: errorDetails?.hint,\n details: errorDetails?.details,\n permission,\n scope: JSON.stringify(scope),\n category,\n },\n });\n\n // Fail securely - deny on error\n return false;\n }\n\n const hasPermission = data === true;\n \n // ========================================================================\n // STEP 4: Cache Result & Audit (COMPLETION)\n // ========================================================================\n \n // Cache the result for 60 seconds\n rbacCache.set(cacheKey, hasPermission, 60000);\n \n const duration = Date.now() - startTime;\n \n // Emit audit event (if organisation context exists)\n if (scope.organisationId) {\n const resolvedPageId = await this.resolvePageId(pageId, scope.appId);\n await emitAuditEvent({\n type: hasPermission ? 'permission_check' : 'permission_denied',\n userId,\n organisationId: scope.organisationId,\n eventId: scope.eventId,\n appId: scope.appId,\n pageId: resolvedPageId,\n permission,\n decision: hasPermission,\n source: 'api',\n duration_ms: duration,\n cache_hit: cacheHit,\n cache_source: cacheSource,\n });\n }\n\n return hasPermission;\n \n } catch (error) {\n const category = categorizeError(error);\n const eventType = mapErrorCategoryToSecurityEventType(category);\n const errorMessage = error instanceof Error ? error.message : 'Unknown error';\n\n RBACSecurityValidator.logSecurityEvent({\n type: eventType,\n userId,\n details: {\n error: errorMessage,\n permission,\n scope: JSON.stringify(scope),\n category,\n },\n });\n\n // Fail securely - deny access on error\n const logger = getRBACLogger();\n logger.error('Permission check failed:', error);\n return false;\n }\n }\n\n /**\n * Get user's access level in a scope\n * \n * This is derived from roles, not permissions.\n * \n * @param input - Access level input\n * @returns Promise resolving to access level\n */\n async getAccessLevel(input: { userId: UUID; scope: Scope }): Promise<AccessLevel> {\n const { userId, scope } = input;\n\n // Check cache first\n const cacheKey = RBACCache.generateAccessLevelKey(\n userId,\n scope.organisationId || '',\n scope.eventId,\n scope.appId\n );\n \n const cached = rbacCache.get<AccessLevel>(cacheKey);\n if (cached) {\n return cached;\n }\n\n const now = new Date().toISOString();\n\n // Check super admin\n const isSuperAdmin = await this.checkSuperAdmin(userId);\n if (isSuperAdmin) {\n rbacCache.set(cacheKey, 'super', 60000);\n return 'super';\n }\n\n // Check organisation role\n if (scope.organisationId) {\n const { data: orgRoles } = await this.supabase\n .from('rbac_organisation_roles')\n .select('role')\n .eq('user_id', userId)\n .eq('organisation_id', scope.organisationId)\n .eq('status', 'active')\n .is('revoked_at', null)\n .lte('valid_from', now)\n .or(`valid_to.is.null,valid_to.gte.${now}`)\n .limit(1) as { data: Array<{ role: string }> | null; error: any };\n\n const orgRole = orgRoles?.[0];\n\n if (orgRole?.role === 'org_admin') {\n rbacCache.set(cacheKey, 'admin', 60000);\n return 'admin';\n }\n }\n\n // Check event-app role\n if (scope.eventId && scope.appId) {\n const { data: eventRole } = await this.supabase\n .from('rbac_event_app_roles')\n .select('role')\n .eq('user_id', userId)\n .eq('event_id', scope.eventId)\n .eq('app_id', scope.appId)\n .eq('status', 'active')\n .lte('valid_from', now)\n .or(`valid_to.is.null,valid_to.gte.${now}`)\n .single() as { data: { role: string } | null; error: any };\n\n if (eventRole?.role === 'event_admin') {\n rbacCache.set(cacheKey, 'admin', 60000);\n return 'admin';\n }\n if (eventRole?.role === 'planner') {\n rbacCache.set(cacheKey, 'planner', 60000);\n return 'planner';\n }\n if (eventRole?.role === 'participant') {\n rbacCache.set(cacheKey, 'participant', 60000);\n return 'participant';\n }\n }\n\n // Default to viewer\n rbacCache.set(cacheKey, 'viewer', 60000);\n return 'viewer';\n }\n\n /**\n * Get user's permission map for a scope\n * \n * This builds a map of page IDs to allowed operations.\n * Uses the simplified RPC for each permission check.\n * \n * @param input - Permission map input\n * @returns Promise resolving to permission map\n */\n async getPermissionMap(input: { userId: UUID; scope: Scope }): Promise<PermissionMap> {\n const { userId, scope } = input;\n\n // Generate cache key early so it's available for super admin caching\n const cacheKey = RBACCache.generatePermissionMapKey(\n userId,\n scope.organisationId || '',\n scope.eventId,\n scope.appId\n );\n\n // Check super admin first - super admins have all permissions\n const isSuperAdmin = await this.checkSuperAdmin(userId);\n if (isSuperAdmin) {\n const wildcardMap: PermissionMap = { '*': true };\n rbacCache.set(cacheKey, wildcardMap, 60000);\n return wildcardMap;\n }\n\n // Validate scope\n if (!scope.organisationId) {\n return {}; // No permissions without valid context\n }\n\n // Check cache first\n \n const cached = rbacCache.get<PermissionMap>(cacheKey);\n if (cached) {\n return cached;\n }\n\n const permissionMap: PermissionMap = {};\n\n // Get all pages for the app\n if (scope.appId) {\n const { data: pages } = await this.supabase\n .from('rbac_app_pages')\n .select('id, page_name')\n .eq('app_id', scope.appId) as { data: Array<{ id: string; page_name: string }> | null };\n\n if (pages) {\n // OrganisationId is required for permission checks\n if (!scope.organisationId) {\n // Return empty permission map if no organisation context\n rbacCache.set(cacheKey, permissionMap, 60000);\n return permissionMap;\n }\n\n // Create a security context for permission checks\n const securityContext: SecurityContext = {\n userId,\n organisationId: scope.organisationId, // Required\n timestamp: new Date(),\n };\n\n for (const page of pages) {\n // Check each CRUD operation\n // Permission format: {operation}:page.{pageName} (e.g., read:page.meals)\n for (const operation of ['read', 'create', 'update', 'delete'] as Operation[]) {\n const permissionString = `${operation}:page.${page.page_name}`;\n const hasPermission = await this.isPermitted(\n {\n userId,\n scope,\n permission: permissionString as Permission,\n pageId: page.id,\n },\n securityContext\n );\n\n const permissionKey = permissionString as Permission;\n permissionMap[permissionKey] = hasPermission;\n }\n }\n }\n }\n\n rbacCache.set(cacheKey, permissionMap, 60000);\n return permissionMap;\n }\n\n async resolveAppContext(input: { userId: UUID; appName: string }): Promise<RBACAppContext | null> {\n try {\n const { userId, appName } = input;\n const { data, error } = await (this.supabase as any).rpc('util_app_resolve', {\n p_user_id: userId,\n p_app_name: appName,\n });\n\n if (error) {\n const logger = getRBACLogger();\n logger.error('Failed to resolve app context:', error);\n return null;\n }\n\n if (!data || data.length === 0) {\n return null;\n }\n\n const appData = data[0] as { app_id: UUID; has_access: boolean };\n if (!appData?.app_id) {\n return null;\n }\n\n return {\n appId: appData.app_id,\n hasAccess: appData.has_access !== false,\n };\n } catch (error) {\n const logger = getRBACLogger();\n logger.error('Unexpected error resolving app context:', error);\n return null;\n }\n }\n\n async getRoleContext(input: { userId: UUID; scope: Scope }): Promise<RBACRoleContext> {\n const result: RBACRoleContext = {\n globalRole: null,\n organisationRole: null,\n eventAppRole: null,\n };\n\n try {\n const { userId, scope } = input;\n // Call unified function (tech debt removed: consolidated from 2 overloaded versions)\n const { data, error } = await (this.supabase as any).rpc('rbac_permissions_get', {\n p_user_id: userId,\n p_organisation_id: scope.organisationId || null,\n p_event_id: scope.eventId || null,\n p_app_id: scope.appId || null,\n p_page_id: null, // Optional: can filter to specific page if needed\n });\n\n if (error) {\n const logger = getRBACLogger();\n logger.error('Failed to load role context:', error);\n return result;\n }\n\n if (!Array.isArray(data)) {\n return result;\n }\n\n for (const permission of data as RBACPermission[]) {\n if (permission.permission_type === 'all_permissions') {\n result.globalRole = 'super_admin';\n }\n\n if (permission.permission_type === 'organisation_access') {\n result.organisationRole = permission.role_name as any;\n }\n\n if (permission.permission_type === 'event_app_access') {\n result.eventAppRole = permission.role_name as any;\n }\n }\n\n return result;\n } catch (error) {\n const logger = getRBACLogger();\n logger.error('Unexpected error loading role context:', error);\n return result;\n }\n }\n\n /**\n * Check if user is super admin\n * \n * @param userId - User ID\n * @returns Promise resolving to super admin status\n */\n private async checkSuperAdmin(userId: UUID): Promise<boolean> {\n // Check cache first\n const cacheKey = `super_admin:${userId}`;\n const cached = rbacCache.get<boolean>(cacheKey);\n if (cached !== null) {\n return cached;\n }\n\n const now = new Date().toISOString();\n const { data, error } = await this.supabase\n .from('rbac_global_roles')\n .select('role')\n .eq('user_id', userId)\n .eq('role', 'super_admin')\n .lte('valid_from', now)\n .or(`valid_to.is.null,valid_to.gte.${now}`)\n .limit(1) as { data: Array<{ role: string }> | null; error: any };\n\n const isSuperAdmin = !error && data && data.length > 0;\n \n // Cache for 60 seconds\n rbacCache.set(cacheKey, isSuperAdmin, 60000);\n \n return Boolean(isSuperAdmin);\n }\n\n /**\n * Resolve a page ID to UUID if it's a page name\n * \n * @param pageId - Page ID (UUID) or page name (string)\n * @param appId - App ID to look up the page\n * @returns Resolved page ID (UUID) or original pageId\n */\n private async resolvePageId(pageId?: UUID | string, appId?: UUID): Promise<UUID | string | undefined> {\n if (!pageId) {\n return undefined;\n }\n\n // Check if it's already a UUID\n const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n if (uuidRegex.test(pageId)) {\n return pageId as UUID;\n }\n\n // It's a page name, but we need appId to resolve it\n if (!appId) {\n return pageId;\n }\n\n // Resolve page name to UUID\n try {\n // Use maybeSingle() instead of single() to avoid 406 errors when page doesn't exist\n // This handles the case where the page might not exist gracefully\n const { data: page, error: pageError } = await this.supabase\n .from('rbac_app_pages')\n .select('id')\n .eq('app_id', appId)\n .eq('page_name', pageId)\n .maybeSingle() as { data: { id: UUID } | null; error: any };\n \n // If there's an error (including 406 Not Acceptable), log it but don't throw\n if (pageError) {\n const logger = getRBACLogger();\n // Only log if it's not a \"not found\" error (PGRST116)\n if (pageError.code !== 'PGRST116') {\n logger.warn('Failed to resolve page name to UUID:', { pageId, appId, error: pageError });\n }\n return pageId;\n }\n \n return page?.id || pageId;\n } catch (error) {\n const logger = getRBACLogger();\n logger.warn('Failed to resolve page name to UUID:', { pageId, appId, error });\n return pageId;\n }\n }\n}\n\n/**\n * Create an RBAC engine instance\n * \n * @param supabase - Supabase client\n * @param securityConfig - Optional security configuration\n * @returns RBACEngine instance\n */\nexport function createRBACEngine(\n supabase: SupabaseClient<Database>,\n securityConfig?: Partial<RBACSecurityConfig>\n): RBACEngine {\n return new RBACEngine(supabase, securityConfig);\n}\n\n","/**\n * Performance Monitoring for RBAC\n * @package @jmruthers/pace-core\n * @module RBAC/Performance\n * @since 2.0.0\n * \n * This module provides performance monitoring and metrics tracking for RBAC operations.\n */\n\nexport interface RBACPerformanceMetrics {\n /** Total number of permission checks */\n totalChecks: number;\n /** Number of cache hits */\n cacheHits: number;\n /** Number of cache misses */\n cacheMisses: number;\n /** Cache hit rate (0-1) */\n cacheHitRate: number;\n /** Number of deduplicated requests */\n deduplicatedRequests: number;\n /** Total number of network requests made */\n networkRequests: number;\n /** Average response time in milliseconds */\n averageResponseTime: number;\n /** Total response time in milliseconds */\n totalResponseTime: number;\n /** Number of batched audit events */\n batchedAuditEvents: number;\n /** Number of individual audit events */\n individualAuditEvents: number;\n}\n\nclass RBACPerformanceMonitor {\n private metrics: RBACPerformanceMetrics = {\n totalChecks: 0,\n cacheHits: 0,\n cacheMisses: 0,\n cacheHitRate: 0,\n deduplicatedRequests: 0,\n networkRequests: 0,\n averageResponseTime: 0,\n totalResponseTime: 0,\n batchedAuditEvents: 0,\n individualAuditEvents: 0,\n };\n\n private enabled: boolean = false;\n\n /**\n * Enable or disable performance monitoring\n */\n setEnabled(enabled: boolean): void {\n this.enabled = enabled;\n }\n\n /**\n * Check if performance monitoring is enabled\n */\n isEnabled(): boolean {\n return this.enabled;\n }\n\n /**\n * Record a permission check\n */\n recordCheck(cacheHit: boolean, responseTime: number, wasDeduplicated: boolean = false): void {\n if (!this.enabled) {\n return;\n }\n\n this.metrics.totalChecks++;\n \n if (cacheHit) {\n this.metrics.cacheHits++;\n } else {\n this.metrics.cacheMisses++;\n this.metrics.networkRequests++;\n }\n\n if (wasDeduplicated) {\n this.metrics.deduplicatedRequests++;\n }\n\n this.metrics.totalResponseTime += responseTime;\n this.metrics.averageResponseTime = this.metrics.totalResponseTime / this.metrics.totalChecks;\n this.metrics.cacheHitRate = this.metrics.cacheHits / this.metrics.totalChecks;\n }\n\n /**\n * Record an audit event\n */\n recordAuditEvent(batched: boolean): void {\n if (!this.enabled) {\n return;\n }\n\n if (batched) {\n this.metrics.batchedAuditEvents++;\n } else {\n this.metrics.individualAuditEvents++;\n }\n }\n\n /**\n * Get current metrics\n */\n getMetrics(): RBACPerformanceMetrics {\n return { ...this.metrics };\n }\n\n /**\n * Reset all metrics\n */\n reset(): void {\n this.metrics = {\n totalChecks: 0,\n cacheHits: 0,\n cacheMisses: 0,\n cacheHitRate: 0,\n deduplicatedRequests: 0,\n networkRequests: 0,\n averageResponseTime: 0,\n totalResponseTime: 0,\n batchedAuditEvents: 0,\n individualAuditEvents: 0,\n };\n }\n\n /**\n * Get metrics summary as a formatted string\n */\n getSummary(): string {\n const m = this.metrics;\n return `\nRBAC Performance Metrics:\n Total Checks: ${m.totalChecks}\n Cache Hits: ${m.cacheHits} (${(m.cacheHitRate * 100).toFixed(1)}%)\n Cache Misses: ${m.cacheMisses}\n Deduplicated Requests: ${m.deduplicatedRequests}\n Network Requests: ${m.networkRequests}\n Average Response Time: ${m.averageResponseTime.toFixed(2)}ms\n Batched Audit Events: ${m.batchedAuditEvents}\n Individual Audit Events: ${m.individualAuditEvents}\n`;\n }\n}\n\n// Global performance monitor instance\nconst performanceMonitor = new RBACPerformanceMonitor();\n\n/**\n * Enable performance monitoring\n */\nexport function enablePerformanceMonitoring(): void {\n performanceMonitor.setEnabled(true);\n}\n\n/**\n * Disable performance monitoring\n */\nexport function disablePerformanceMonitoring(): void {\n performanceMonitor.setEnabled(false);\n}\n\n/**\n * Check if performance monitoring is enabled\n */\nexport function isPerformanceMonitoringEnabled(): boolean {\n return performanceMonitor.isEnabled();\n}\n\n/**\n * Record a permission check\n */\nexport function recordPermissionCheck(\n cacheHit: boolean,\n responseTime: number,\n wasDeduplicated: boolean = false\n): void {\n performanceMonitor.recordCheck(cacheHit, responseTime, wasDeduplicated);\n}\n\n/**\n * Record an audit event\n */\nexport function recordAuditEvent(batched: boolean): void {\n performanceMonitor.recordAuditEvent(batched);\n}\n\n/**\n * Get current performance metrics\n */\nexport function getPerformanceMetrics(): RBACPerformanceMetrics {\n return performanceMonitor.getMetrics();\n}\n\n/**\n * Reset performance metrics\n */\nexport function resetPerformanceMetrics(): void {\n performanceMonitor.reset();\n}\n\n/**\n * Get performance metrics summary\n */\nexport function getPerformanceSummary(): string {\n return performanceMonitor.getSummary();\n}\n\n","/**\n * Request Deduplication for RBAC Permission Checks\n * @package @jmruthers/pace-core\n * @module RBAC/RequestDeduplication\n * @since 2.0.0\n * \n * This module provides request deduplication to prevent multiple identical\n * permission checks from being made simultaneously. When multiple components\n * request the same permission at the same time, they share the same promise.\n */\n\nimport { PermissionCheck } from './types';\nimport { RBACCache } from './cache';\n\n/**\n * Map of in-flight permission check requests\n * Key: cache key string, Value: Promise<boolean>\n */\nconst inFlightRequests = new Map<string, Promise<boolean>>();\n\n/**\n * Generate a deduplication key from permission check input\n * \n * @param input - Permission check input\n * @returns Deduplication key string\n */\nfunction generateDeduplicationKey(input: PermissionCheck): string {\n return RBACCache.generatePermissionKey({\n userId: input.userId,\n organisationId: input.scope.organisationId, // Can be undefined for page-level permissions\n eventId: input.scope.eventId,\n appId: input.scope.appId,\n permission: input.permission,\n pageId: input.pageId,\n });\n}\n\n/**\n * Get or create a deduplicated permission check request\n * \n * If a request for the same permission is already in-flight, returns the existing promise.\n * Otherwise, creates a new request and tracks it.\n * \n * @param input - Permission check input\n * @param checkFn - Function to perform the actual permission check\n * @returns Promise resolving to permission result\n */\nexport async function getOrCreateRequest(\n input: PermissionCheck,\n checkFn: (input: PermissionCheck) => Promise<boolean>\n): Promise<boolean> {\n const key = generateDeduplicationKey(input);\n \n // Check if request is already in-flight\n const existingRequest = inFlightRequests.get(key);\n if (existingRequest) {\n return existingRequest;\n }\n \n // Create new request\n const requestPromise = checkFn(input).finally(() => {\n // Clean up when request completes (success or failure)\n inFlightRequests.delete(key);\n });\n \n // Track the request\n inFlightRequests.set(key, requestPromise);\n \n return requestPromise;\n}\n\n/**\n * Clear all in-flight requests (useful for testing or cleanup)\n */\nexport function clearInFlightRequests(): void {\n inFlightRequests.clear();\n}\n\n/**\n * Get count of in-flight requests (useful for monitoring)\n * \n * @returns Number of in-flight requests\n */\nexport function getInFlightRequestCount(): number {\n return inFlightRequests.size;\n}\n\n","/**\n * RBAC Main API Functions\n * @package @jmruthers/pace-core\n * @module RBAC/API\n * @since 1.0.0\n * \n * This module provides the main API functions for the RBAC system.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport {\n UUID,\n Scope,\n Permission,\n AccessLevel,\n PermissionMap,\n PermissionCheck,\n RBACNotInitializedError,\n OrganisationContextRequiredError,\n RBACAppContext,\n RBACRoleContext,\n} from './types';\nimport { createRBACEngine, RBACEngine } from './engine';\nimport { createAuditManager, setGlobalAuditManager } from './audit';\nimport { rbacCache, RBACCache, CACHE_PATTERNS } from './cache';\nimport { createRBACConfig, RBACConfig, getRBACLogger } from './config';\nimport { SecurityContext } from './security';\nimport { createLogger } from '../utils/core/logger';\nimport { enablePerformanceMonitoring } from './performance';\nimport { getOrCreateRequest } from './request-deduplication';\nimport { ContextValidator } from './utils/contextValidator';\nimport type { AppConfig } from './utils/contextValidator';\n\nconst log = createLogger('RBACAPI');\n\n// Global engine instance\nlet globalEngine: RBACEngine | null = null;\n\n/**\n * Setup RBAC system\n * \n * @param supabase - Supabase client\n * @param config - Optional configuration\n */\nexport function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<RBACConfig>): void {\n const logger = getRBACLogger();\n \n // Create full config\n const isDevelopment = import.meta.env.MODE === 'development';\n const fullConfig: RBACConfig = {\n supabase,\n debug: isDevelopment,\n logLevel: 'warn',\n developmentMode: isDevelopment,\n ...config,\n };\n \n createRBACConfig(fullConfig);\n \n // Automatically disable rate limiting in development mode unless explicitly overridden\n // Apply default first, then let explicit config override it\n // Pass undefined if no config provided and not in development, otherwise create security config\n const securityConfig = \n config === undefined && !isDevelopment\n ? undefined\n : {\n // Default: disable rate limiting in development\n ...(isDevelopment && config?.security?.enableRateLimiting === undefined\n ? { enableRateLimiting: false }\n : {}),\n // Explicit config overrides defaults\n ...config?.security,\n };\n \n // Pass security config to engine\n globalEngine = createRBACEngine(supabase, securityConfig);\n \n // Setup audit manager with batching configuration\n const useBatchedAudit = config?.audit?.batched !== false && (config?.performance?.enableBatchedAuditLogging !== false);\n const batchConfig = useBatchedAudit ? {\n batchWindow: config?.audit?.batchWindow,\n batchSize: config?.audit?.batchSize,\n } : undefined;\n const auditManager = createAuditManager(supabase, useBatchedAudit, batchConfig);\n setGlobalAuditManager(auditManager);\n \n // Setup performance monitoring if enabled\n if (config?.performance?.enablePerformanceTracking) {\n enablePerformanceMonitoring();\n }\n \n}\n\n/**\n * Get the global RBAC engine\n * \n * @returns Global RBAC engine\n * @throws Error if RBAC not initialized\n */\nfunction getEngine(): RBACEngine {\n if (!globalEngine) {\n throw new RBACNotInitializedError();\n }\n return globalEngine;\n}\n\n/**\n * Get user's access level in a scope\n * \n * @param input - Access level input\n * @param appConfig - Optional app configuration\n * @param appName - Optional app name\n * @returns Promise resolving to access level\n * \n * @example\n * ```typescript\n * const accessLevel = await getAccessLevel({\n * userId: 'user-123',\n * scope: { organisationId: 'org-456' }\n * });\n * ```\n */\nexport async function getAccessLevel(\n input: {\n userId: UUID;\n scope: Scope;\n },\n appConfig?: AppConfig | null,\n appName?: string\n): Promise<AccessLevel> {\n const engine = getEngine();\n \n // Check super admin status first - super admins bypass context requirements\n const isSuperAdminUser = await engine['checkSuperAdmin'](input.userId);\n if (isSuperAdminUser) {\n return 'super';\n }\n \n // Fetch app config if not provided\n let resolvedAppConfig: AppConfig | null = appConfig ?? null;\n let resolvedAppName = appName;\n \n if (!resolvedAppConfig && input.scope.appId) {\n resolvedAppConfig = await getAppConfig(input.scope.appId);\n }\n \n // Validate context using ContextValidator\n const validation = await ContextValidator.resolveRequiredContext(\n input.scope,\n resolvedAppConfig,\n resolvedAppName,\n engine['supabase']\n );\n \n if (!validation.isValid || !validation.resolvedScope) {\n throw validation.error || new OrganisationContextRequiredError();\n }\n \n // Use resolved scope\n return engine.getAccessLevel({\n ...input,\n scope: validation.resolvedScope\n });\n}\n\n/**\n * Get user's permission map for a scope\n * \n * @param input - Permission map input\n * @param appConfig - Optional app configuration\n * @param appName - Optional app name\n * @returns Promise resolving to permission map\n * \n * @example\n * ```typescript\n * const permissions = await getPermissionMap({\n * userId: 'user-123',\n * scope: { \n * organisationId: 'org-456',\n * eventId: 'event-789',\n * appId: 'app-101'\n * }\n * });\n * ```\n */\nexport async function getPermissionMap(\n input: {\n userId: UUID;\n scope: Scope;\n },\n appConfig?: AppConfig | null,\n appName?: string\n): Promise<PermissionMap> {\n const engine = getEngine();\n \n // Fetch app config if not provided\n let resolvedAppConfig: AppConfig | null = appConfig ?? null;\n let resolvedAppName = appName;\n \n if (!resolvedAppConfig && input.scope.appId) {\n resolvedAppConfig = await getAppConfig(input.scope.appId);\n }\n \n // Validate context using ContextValidator\n const validation = await ContextValidator.resolveRequiredContext(\n input.scope,\n resolvedAppConfig,\n resolvedAppName,\n engine['supabase']\n );\n \n if (!validation.isValid || !validation.resolvedScope) {\n throw validation.error || new OrganisationContextRequiredError();\n }\n \n // Use resolved scope\n return engine.getPermissionMap({\n ...input,\n scope: validation.resolvedScope\n });\n}\n\nexport async function resolveAppContext(input: {\n userId: UUID;\n appName: string;\n}): Promise<RBACAppContext | null> {\n const engine = getEngine();\n return engine.resolveAppContext(input);\n}\n\nexport async function getRoleContext(\n input: {\n userId: UUID;\n scope: Scope;\n },\n appConfig?: AppConfig | null,\n appName?: string\n): Promise<RBACRoleContext> {\n const engine = getEngine();\n \n // Fetch app config if not provided\n let resolvedAppConfig: AppConfig | null = appConfig ?? null;\n let resolvedAppName = appName;\n \n if (!resolvedAppConfig && input.scope.appId) {\n resolvedAppConfig = await getAppConfig(input.scope.appId);\n }\n \n // Validate context using ContextValidator\n const validation = await ContextValidator.resolveRequiredContext(\n input.scope,\n resolvedAppConfig,\n resolvedAppName,\n engine['supabase']\n );\n \n if (!validation.isValid || !validation.resolvedScope) {\n throw validation.error || new OrganisationContextRequiredError();\n }\n \n // Use resolved scope\n return engine.getRoleContext({\n ...input,\n scope: validation.resolvedScope\n });\n}\n\n/**\n * Check if user has a specific permission\n * \n * @param input - Permission check input\n * @param appConfig - Optional app configuration (if not provided, will be fetched)\n * @param appName - Optional app name (for PORTAL/ADMIN special case and config lookup)\n * @returns Promise resolving to permission result\n * \n * @example\n * ```typescript\n * const canManage = await isPermitted({\n * userId: 'user-123',\n * scope: { organisationId: 'org-456' },\n * permission: 'update:events',\n * pageId: 'page-789'\n * });\n * ```\n */\nexport async function isPermitted(\n input: PermissionCheck,\n appConfig?: AppConfig | null,\n appName?: string\n): Promise<boolean> {\n const engine = getEngine();\n \n // Check super admin status first - super admins bypass context requirements\n // Super admins have access to all permissions regardless of organisation context\n const isSuperAdminUser = await engine['checkSuperAdmin'](input.userId);\n if (isSuperAdminUser) {\n return true;\n }\n \n // Fetch app config if not provided and we have appId\n let resolvedAppConfig: AppConfig | null = appConfig ?? null;\n let resolvedAppName = appName;\n \n if (!resolvedAppConfig && input.scope.appId) {\n resolvedAppConfig = await getAppConfig(input.scope.appId);\n }\n \n // If we have appId but no appName, try to get it from the database\n if (!resolvedAppName && input.scope.appId) {\n try {\n const { data } = await engine['supabase']\n .from('rbac_apps')\n .select('name')\n .eq('id', input.scope.appId)\n .eq('is_active', true)\n .single() as { data: { name: string } | null };\n if (data) {\n resolvedAppName = data.name;\n }\n } catch (err) {\n // Ignore errors - appName is optional\n }\n }\n \n // Validate context using ContextValidator\n const validation = await ContextValidator.resolveRequiredContext(\n input.scope,\n resolvedAppConfig,\n resolvedAppName,\n engine['supabase']\n );\n \n if (!validation.isValid || !validation.resolvedScope) {\n throw validation.error || new OrganisationContextRequiredError();\n }\n \n // Use resolved scope for permission check\n const validatedScope = validation.resolvedScope;\n \n // Create security context from validated scope\n const securityContext: SecurityContext = {\n userId: input.userId,\n organisationId: validatedScope.organisationId || null,\n timestamp: new Date(),\n // Optional fields can be omitted\n };\n \n // Create new input with validated scope\n const validatedInput: PermissionCheck = {\n ...input,\n scope: validatedScope\n };\n \n return engine.isPermitted(validatedInput, securityContext);\n}\n\n/**\n * Check if user has a specific permission (cached version)\n * \n * Uses request deduplication to share in-flight requests across components\n * and checks cache before making new requests. Uses session cache for page-level checks.\n * \n * @param input - Permission check input\n * @param appConfig - Optional app configuration\n * @param appName - Optional app name\n * @returns Promise resolving to permission result\n */\nexport async function isPermittedCached(\n input: PermissionCheck,\n appConfig?: AppConfig | null,\n appName?: string\n): Promise<boolean> {\n const { userId, scope, permission, pageId } = input;\n \n // Check cache first (checks both short-term and session cache)\n const cacheKey = RBACCache.generatePermissionKey({\n userId,\n organisationId: scope.organisationId,\n eventId: scope.eventId,\n appId: scope.appId,\n permission,\n pageId,\n });\n \n const cached = rbacCache.get<boolean>(cacheKey, true);\n if (cached !== null) {\n return cached;\n }\n\n // Use request deduplication - if same request is in-flight, share the promise\n return getOrCreateRequest(input, async (checkInput) => {\n // Check permission with context validation\n const result = await isPermitted(checkInput, appConfig, appName);\n \n // Determine if this is a page-level check (has pageId or permission contains 'page.')\n const isPageLevelCheck = !!pageId || permission.includes('page.');\n \n // Cache result - use session cache for page-level checks\n rbacCache.set(cacheKey, result, undefined, isPageLevelCheck);\n \n return result;\n });\n}\n\n/**\n * Check if a user has a specific permission (alias for isPermitted)\n * \n * @param input - Permission check parameters\n * @returns Promise<boolean> - True if user has permission\n */\nexport async function hasPermission(input: PermissionCheck): Promise<boolean> {\n return isPermitted(input);\n}\n\n/**\n * Check if user has any of the specified permissions\n * \n * @param input - Permission check input with array of permissions\n * @returns Promise resolving to true if user has any permission\n */\nexport async function hasAnyPermission(input: {\n userId: UUID;\n scope: Scope;\n permissions: Permission[];\n pageId?: UUID;\n}): Promise<boolean> {\n const { permissions, ...baseInput } = input;\n \n for (const permission of permissions) {\n const hasPermission = await isPermitted({\n ...baseInput,\n permission,\n });\n \n if (hasPermission) {\n return true;\n }\n }\n \n return false;\n}\n\n/**\n * Check if user has all of the specified permissions\n * \n * @param input - Permission check input with array of permissions\n * @returns Promise resolving to true if user has all permissions\n */\nexport async function hasAllPermissions(input: {\n userId: UUID;\n scope: Scope;\n permissions: Permission[];\n pageId?: UUID;\n}): Promise<boolean> {\n const { permissions, ...baseInput } = input;\n \n for (const permission of permissions) {\n const hasPermission = await isPermitted({\n ...baseInput,\n permission,\n });\n \n if (!hasPermission) {\n return false;\n }\n }\n \n return true;\n}\n\n/**\n * Check if user is super admin\n * \n * @param userId - User ID\n * @returns Promise resolving to super admin status\n */\nexport async function isSuperAdmin(userId: UUID): Promise<boolean> {\n const engine = getEngine();\n return engine['checkSuperAdmin'](userId);\n}\n\n/**\n * Get app configuration including requires_event setting\n * \n * @param appId - App ID\n * @returns Promise resolving to app configuration\n */\nexport async function getAppConfig(appId: UUID): Promise<AppConfig | null> {\n try {\n const engine = getEngine();\n return getAppConfigWithClient(engine['supabase'], appId);\n } catch (err) {\n // RBAC not initialized - return null gracefully\n if (err instanceof RBACNotInitializedError) {\n return null;\n }\n throw err;\n }\n}\n\nexport async function getAppConfigWithClient(client: SupabaseClient | null | undefined, appId: UUID): Promise<AppConfig | null> {\n // Return null if client is not available\n if (!client) {\n return null;\n }\n \n // Cache key for app config - cache for 5 minutes (app config rarely changes)\n const cacheKey = `app_config:${appId}`;\n \n // Check cache first\n const cached = rbacCache.get<AppConfig>(cacheKey, true);\n if (cached !== null) {\n return cached;\n }\n \n try {\n const { data, error } = await client\n .from('rbac_apps')\n .select('requires_event, name')\n .eq('id', appId)\n .eq('is_active', true)\n .single() as { data: { requires_event: boolean; name: string } | null; error: any };\n\n if (error || !data) {\n return null;\n }\n\n const appConfig: AppConfig = { requires_event: data.requires_event ?? false };\n \n // Cache the result for 5 minutes (300000ms) with session cache enabled\n // App config rarely changes, so we can cache it longer\n rbacCache.set(cacheKey, appConfig, 5 * 60 * 1000, true);\n \n return appConfig;\n } catch (err) {\n log.error('Error fetching app config:', err);\n return null;\n }\n}\n\n/**\n * Get app configuration by app name\n * \n * @param appName - App name\n * @returns Promise resolving to app configuration\n */\nexport async function getAppConfigByName(appName: string): Promise<AppConfig | null> {\n const engine = getEngine();\n try {\n const { data, error } = await engine['supabase']\n .from('rbac_apps')\n .select('requires_event, name')\n .eq('name', appName)\n .eq('is_active', true)\n .single() as { data: { requires_event: boolean; name: string } | null; error: any };\n\n if (error || !data) {\n return null;\n }\n\n return { requires_event: data.requires_event ?? false };\n } catch (err) {\n log.error('Error fetching app config by name:', err);\n return null;\n }\n}\n\n/**\n * Check if user is organisation admin\n * \n * @param userId - User ID\n * @param organisationId - Organisation ID\n * @returns Promise resolving to organisation admin status\n */\nexport async function isOrganisationAdmin(userId: UUID, organisationId: UUID): Promise<boolean> {\n const accessLevel = await getAccessLevel({\n userId,\n scope: { organisationId },\n });\n \n return accessLevel === 'admin' || accessLevel === 'super';\n}\n\n/**\n * Check if user is event admin\n * \n * @param userId - User ID\n * @param scope - Permission scope with eventId and appId\n * @returns Promise resolving to event admin status\n */\nexport async function isEventAdmin(userId: UUID, scope: Scope): Promise<boolean> {\n if (!scope.eventId || !scope.appId) {\n return false;\n }\n \n const accessLevel = await getAccessLevel({ userId, scope });\n return accessLevel === 'admin' || accessLevel === 'super';\n}\n\n/**\n * Invalidate user's permission cache\n * \n * @param userId - User ID\n * @param organisationId - Organisation ID (optional)\n */\nexport function invalidateUserCache(userId: UUID, organisationId?: UUID): void {\n const patterns = organisationId\n ? [\n CACHE_PATTERNS.PERMISSION(userId, organisationId),\n `access:${userId}:${organisationId}:`,\n `map:${userId}:${organisationId}:`,\n ]\n : [\n `perm:${userId}:`,\n `access:${userId}:`,\n `map:${userId}:`,\n ];\n\n patterns.forEach(pattern => rbacCache.invalidate(pattern));\n}\n\n/**\n * Invalidate organisation's permission cache\n * \n * @param organisationId - Organisation ID\n */\nexport function invalidateOrganisationCache(organisationId: UUID): void {\n rbacCache.invalidate(CACHE_PATTERNS.ORGANISATION(organisationId));\n}\n\n/**\n * Invalidate event's permission cache\n * \n * @param eventId - Event ID\n */\nexport function invalidateEventCache(eventId: string): void {\n rbacCache.invalidate(CACHE_PATTERNS.EVENT(eventId));\n}\n\n/**\n * Invalidate app's permission cache\n * \n * @param appId - App ID\n */\nexport function invalidateAppCache(appId: UUID): void {\n rbacCache.invalidate(CACHE_PATTERNS.APP(appId));\n}\n\n/**\n * Clear all permission cache\n */\nexport function clearCache(): void {\n rbacCache.clear();\n}\n\n// Re-export OrganisationContextRequiredError for convenience\nexport { OrganisationContextRequiredError } from './types';\n"],"mappings":";;;;;;;;;;AAoSO,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YACE,SACO,MACA,SACP;AACA,UAAM,OAAO;AAHN;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,wBAAN,cAAoC,UAAU;AAAA,EACnD,YAAY,YAAwB,SAA+B;AACjE;AAAA,MACE,sBAAsB,UAAU;AAAA,MAChC;AAAA,MACA,EAAE,YAAY,GAAG,QAAQ;AAAA,IAC3B;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,mCAAN,cAA+C,UAAU;AAAA,EAC9D,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,4BAAN,cAAwC,UAAU;AAAA,EACvD,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,0BAAN,cAAsC,UAAU;AAAA,EACrD,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,oBAAN,cAAgC,UAAU;AAAA,EAC/C,YAAY,OAAc,QAAgB;AACxC;AAAA,MACE,2BAA2B,KAAK,UAAU,KAAK,CAAC,KAAK,MAAM;AAAA,MAC3D;AAAA,MACA,EAAE,OAAO,OAAO;AAAA,IAClB;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,0BAAN,cAAsC,UAAU;AAAA,EACrD,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;;;ACxVO,IAAM,YAAN,MAAgB;AAAA,EAAhB;AACL,SAAQ,QAAQ,oBAAI,IAA6B;AACjD,SAAQ,eAAe,oBAAI,IAA6B;AACxD,SAAiB,MAAM,MAAM;AAC7B;AAAA,SAAiB,cAAc,KAAK,KAAK;AACzC;AAAA,SAAQ,wBAAwD,oBAAI,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWxE,IAAO,KAAa,kBAA2B,MAAgB;AAC7D,UAAM,MAAM,KAAK,IAAI;AAGrB,UAAM,QAAQ,KAAK,MAAM,IAAI,GAAG;AAChC,QAAI,SAAS,OAAO,MAAM,SAAS;AACjC,aAAO,MAAM;AAAA,IACf;AACA,QAAI,SAAS,MAAM,MAAM,SAAS;AAChC,WAAK,MAAM,OAAO,GAAG;AAAA,IACvB;AAGA,QAAI,iBAAiB;AACnB,YAAM,eAAe,KAAK,aAAa,IAAI,GAAG;AAC9C,UAAI,gBAAgB,OAAO,aAAa,SAAS;AAC/C,eAAO,aAAa;AAAA,MACtB;AACA,UAAI,gBAAgB,MAAM,aAAa,SAAS;AAC9C,aAAK,aAAa,OAAO,GAAG;AAAA,MAC9B;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,IAAO,KAAa,MAAS,MAAc,KAAK,KAAK,kBAA2B,OAAa;AAC3F,UAAM,MAAM,KAAK,IAAI;AAErB,UAAM,UAAU,OAAO,IAAI,MAAM,IAAI,MAAM;AAG3C,SAAK,MAAM,IAAI,KAAK;AAAA,MAClB;AAAA,MACA;AAAA,IACF,CAAC;AAGD,QAAI,iBAAiB;AACnB,YAAM,iBAAiB,OAAO,IAAI,MAAM,IAAI,MAAM,KAAK;AACvD,WAAK,aAAa,IAAI,KAAK;AAAA,QACzB;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,KAAmB;AACxB,SAAK,MAAM,OAAO,GAAG;AACrB,SAAK,aAAa,OAAO,GAAG;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAW,SAAuB;AAChC,UAAM,iBAAiB,SAAS,KAAK;AAErC,QAAI,CAAC,gBAAgB;AACnB;AAAA,IACF;AAEA,UAAM,UAAU,KAAK,cAAc,cAAc;AACjD,UAAM,eAAyB,CAAC;AAGhC,eAAW,OAAO,KAAK,MAAM,KAAK,GAAG;AACnC,UAAI,QAAQ,GAAG,GAAG;AAChB,qBAAa,KAAK,GAAG;AAAA,MACvB;AAAA,IACF;AAEA,eAAW,OAAO,KAAK,aAAa,KAAK,GAAG;AAC1C,UAAI,QAAQ,GAAG,KAAK,CAAC,aAAa,SAAS,GAAG,GAAG;AAC/C,qBAAa,KAAK,GAAG;AAAA,MACvB;AAAA,IACF;AAEA,iBAAa,QAAQ,SAAO;AAC1B,WAAK,MAAM,OAAO,GAAG;AACrB,WAAK,aAAa,OAAO,GAAG;AAAA,IAC9B,CAAC;AAGD,SAAK,sBAAsB,QAAQ,cAAY,SAAS,cAAc,CAAC;AAAA,EACzE;AAAA,EAEQ,cAAc,SAA2C;AAC/D,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,YAAM,kBAAkB,QACrB,MAAM,GAAG,EACT,IAAI,aAAW,QAAQ,QAAQ,uBAAuB,MAAM,CAAC;AAChE,YAAM,eAAe,gBAAgB,KAAK,IAAI;AAC9C,YAAM,QAAQ,IAAI,OAAO,YAAY;AACrC,aAAO,CAAC,QAAgB,MAAM,KAAK,GAAG;AAAA,IACxC;AAEA,WAAO,CAAC,QAAgB,IAAI,SAAS,OAAO;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,QAAc;AACZ,SAAK,MAAM,MAAM;AACjB,SAAK,aAAa,MAAM;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,WAME;AACA,WAAO;AAAA,MACL,MAAM,KAAK,MAAM;AAAA,MACjB,aAAa,KAAK,aAAa;AAAA,MAC/B,KAAK,KAAK;AAAA,MACV,YAAY,KAAK;AAAA,MACjB,MAAM,MAAM,KAAK,KAAK,MAAM,KAAK,CAAC;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,UAAiD;AAC5D,SAAK,sBAAsB,IAAI,QAAQ;AAGvC,WAAO,MAAM;AACX,WAAK,sBAAsB,OAAO,QAAQ;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,OAAO,YACL,QACA,YACA,gBACA,SACA,OACA,QACQ;AACR,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA,kBAAkB;AAAA,MAClB,WAAW;AAAA,MACX,SAAS;AAAA,MACT,cAAc;AAAA,MACd,UAAU;AAAA,IACZ;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,sBAAsB,KAAiC;AAC5D,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,MACJ,IAAI,kBAAkB;AAAA,MACtB,IAAI,WAAW;AAAA,MACf,IAAI,SAAS;AAAA,MACb,IAAI,cAAc;AAAA,MAClB,IAAI,UAAU;AAAA,IAChB;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,uBACL,QACA,gBACA,SACA,OACQ;AACR,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,MACA,WAAW;AAAA,MACX,SAAS;AAAA,IACX;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,yBACL,QACA,gBACA,SACA,OACQ;AACR,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,MACA,WAAW;AAAA,MACX,SAAS;AAAA,IACX;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AACF;AAQO,IAAM,YAAY,IAAI,UAAU;AAKhC,IAAM,iBAAiB;AAAA,EAC5B,MAAM,CAAC,WAAiB,IAAI,MAAM;AAAA,EAClC,cAAc,CAAC,mBAAyB,IAAI,cAAc;AAAA,EAC1D,OAAO,CAAC,YAAoB,IAAI,OAAO;AAAA,EACvC,KAAK,CAAC,UAAgB,IAAI,KAAK;AAAA,EAC/B,YAAY,CAAC,QAAc,mBAAyB,QAAQ,MAAM,IAAI,cAAc;AACtF;;;ACzSA,IAAM,MAAM,aAAa,WAAW;AAK7B,IAAM,wBAAwB;AAAA;AAAA,EAEnC,oBAAoB,CAAC,WAAiB;AAAA,IACpC,eAAe,KAAK,MAAM;AAAA,IAC1B,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM;AAAA,IAChB,OAAO,MAAM;AAAA,EACf;AAAA;AAAA,EAGA,kCAAkC,CAAC,mBAAyB;AAAA,IAC1D,eAAe,aAAa,cAAc;AAAA,IAC1C,UAAU,cAAc;AAAA,IACxB,YAAY,cAAc;AAAA,IAC1B,SAAS,cAAc;AAAA,EACzB;AAAA;AAAA,EAGA,2BAA2B,CAAC,YAAoB;AAAA,IAC9C,eAAe,MAAM,OAAO;AAAA,IAC5B,YAAY,OAAO;AAAA,IACnB,cAAc,OAAO;AAAA,IACrB,WAAW,OAAO;AAAA,EACpB;AAAA;AAAA,EAGA,yBAAyB,CAAC,UAAgB;AAAA,IACxC,eAAe,IAAI,KAAK;AAAA,IACxB,cAAc,KAAK;AAAA,IACnB,gBAAgB,KAAK;AAAA,IACrB,aAAa,KAAK;AAAA,EACpB;AAAA;AAAA,EAGA,0BAA0B,CAAC,WAAiB;AAAA,IAC1C,gBAAgB,MAAM;AAAA,IACtB;AAAA,EACF;AACF;AAOO,IAAM,+BAAN,MAAmC;AAAA,EAKxC,YAAY,UAAoC;AAHhD,SAAQ,wBAAwD,oBAAI,IAAI;AACxE,SAAQ,WAA+C,CAAC;AAGtD,SAAK,WAAW;AAChB,SAAK,2BAA2B;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAe,UAAiD;AAC9D,SAAK,sBAAsB,IAAI,QAAQ;AACvC,WAAO,MAAM,KAAK,sBAAsB,OAAO,QAAQ;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAe,QAAc,QAAsB;AACjD,UAAM,WAAW,sBAAsB,mBAAmB,MAAM;AAChE,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,uBAAuB,gBAAsB,QAAsB;AACjE,UAAM,WAAW,sBAAsB,iCAAiC,cAAc;AACtF,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,gBAAgB,SAAiB,QAAsB;AACrD,UAAM,WAAW,sBAAsB,0BAA0B,OAAO;AACxE,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,cAAc,OAAa,QAAsB;AAC/C,UAAM,WAAW,sBAAsB,wBAAwB,KAAK;AACpE,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAe,QAAc,QAAsB;AACjD,UAAM,WAAW,sBAAsB,yBAAyB,MAAM;AACtE,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,mBAAmB,UAAoB,QAAsB;AACnE,QAAI,MAAM,0BAA0B,SAAS,KAAK,IAAI,CAAC,KAAK,MAAM,GAAG;AAErE,aAAS,QAAQ,aAAW;AAC1B,gBAAU,WAAW,OAAO;AAAA,IAC9B,CAAC;AAGD,SAAK,sBAAsB,QAAQ,cAAY;AAC7C,eAAS,QAAQ,aAAW,SAAS,OAAO,CAAC;AAAA,IAC/C,CAAC;AAGD,mBAAe;AAAA,MACb,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,gBAAgB;AAAA,MAChB,YAAY;AAAA,MACZ,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,aAAa;AAAA,MACb,UAAU;AAAA,QACR;AAAA,QACA;AAAA,QACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,QAClC,oBAAoB;AAAA,MACtB;AAAA,IACF,CAAC,EAAE,MAAM,WAAS;AAChB,UAAI,KAAK,iDAAiD,KAAK;AAAA,IACjE,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,uBAA6B;AACnC,SAAK,SAAS,QAAQ,aAAW;AAC/B,UAAI;AACF,YAAI,WAAW,OAAO,QAAQ,gBAAgB,YAAY;AACxD,kBAAQ,YAAY;AAAA,QACtB;AAAA,MACF,SAAS,OAAO;AACd,YAAI,KAAK,uCAAuC,KAAK;AAAA,MACvD;AAAA,IACF,CAAC;AACD,SAAK,WAAW,CAAC;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,6BAAmC;AAEzC,SAAK,qBAAqB;AAG1B,QAAI,CAAC,KAAK,SAAS,WAAW,OAAO,KAAK,SAAS,YAAY,YAAY;AACzE,UAAI,MAAM,gDAAgD;AAC1D;AAAA,IACF;AAGA,UAAM,kBAAkB,KAAK,SAC1B,QAAQ,iCAAiC,EACzC,GAAG,oBAAoB;AAAA,MACtB,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,OAAO;AAAA,IACT,GAAG,CAAC,YAAiB;AACnB,YAAM,EAAE,iBAAiB,QAAQ,IAAI,QAAQ,OAAO,QAAQ,OAAO,CAAC;AACpE,UAAI,iBAAiB;AACnB,aAAK,uBAAuB,iBAAiB,qBAAqB,QAAQ,SAAS,EAAE;AAAA,MACvF;AACA,UAAI,SAAS;AACX,aAAK,eAAe,SAAS,qBAAqB,QAAQ,SAAS,EAAE;AAAA,MACvE;AAAA,IACF,CAAC;AACH,UAAM,uBAAuB,gBAAgB,UAAU;AACvD,SAAK,SAAS,KAAK,oBAAoB;AAGvC,UAAM,uBAAuB,KAAK,SAC/B,QAAQ,8BAA8B,EACtC,GAAG,oBAAoB;AAAA,MACtB,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,OAAO;AAAA,IACT,GAAG,CAAC,YAAiB;AACnB,YAAM,EAAE,iBAAiB,SAAS,UAAU,OAAO,IAAI,QAAQ,OAAO,QAAQ,OAAO,CAAC;AACtF,UAAI,iBAAiB;AACnB,aAAK,uBAAuB,iBAAiB,kBAAkB,QAAQ,SAAS,EAAE;AAAA,MACpF;AACA,UAAI,SAAS;AACX,aAAK,eAAe,SAAS,kBAAkB,QAAQ,SAAS,EAAE;AAAA,MACpE;AACA,UAAI,UAAU;AACZ,aAAK,gBAAgB,UAAU,kBAAkB,QAAQ,SAAS,EAAE;AAAA,MACtE;AACA,UAAI,QAAQ;AACV,aAAK,cAAc,QAAQ,kBAAkB,QAAQ,SAAS,EAAE;AAAA,MAClE;AAAA,IACF,CAAC;AACH,UAAM,4BAA4B,qBAAqB,UAAU;AACjE,SAAK,SAAS,KAAK,yBAAyB;AAG5C,UAAM,qBAAqB,KAAK,SAC7B,QAAQ,2BAA2B,EACnC,GAAG,oBAAoB;AAAA,MACtB,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,OAAO;AAAA,IACT,GAAG,CAAC,YAAiB;AACnB,YAAM,EAAE,QAAQ,IAAI,QAAQ,OAAO,QAAQ,OAAO,CAAC;AACnD,UAAI,SAAS;AACX,aAAK,eAAe,SAAS,eAAe,QAAQ,SAAS,EAAE;AAAA,MACjE;AAAA,IACF,CAAC;AACH,UAAM,0BAA0B,mBAAmB,UAAU;AAC7D,SAAK,SAAS,KAAK,uBAAuB;AAG1C,UAAM,yBAAyB,KAAK,SACjC,QAAQ,+BAA+B,EACvC,GAAG,oBAAoB;AAAA,MACtB,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,OAAO;AAAA,IACT,GAAG,CAAC,YAAiB;AACnB,YAAM,EAAE,iBAAiB,aAAa,QAAQ,IAAI,QAAQ,OAAO,QAAQ,OAAO,CAAC;AACjF,UAAI,iBAAiB;AACnB,aAAK,uBAAuB,iBAAiB,mBAAmB,QAAQ,SAAS,EAAE;AAAA,MACrF;AACA,UAAI,aAAa;AACf,aAAK,eAAe,aAAa,mBAAmB,QAAQ,SAAS,EAAE;AAAA,MACzE;AAAA,IAGF,CAAC;AACH,UAAM,8BAA8B,uBAAuB,UAAU;AACrE,SAAK,SAAS,KAAK,2BAA2B;AAAA,EAChD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAgB;AAEd,SAAK,SAAS,QAAQ,aAAW;AAC/B,UAAI;AACF,YAAI,WAAW,OAAO,QAAQ,gBAAgB,YAAY;AACxD,kBAAQ,YAAY;AAAA,QACtB;AAAA,MACF,SAAS,OAAO;AACd,YAAI,KAAK,uCAAuC,KAAK;AAAA,MACvD;AAAA,IACF,CAAC;AACD,SAAK,WAAW,CAAC;AAGjB,SAAK,sBAAsB,MAAM;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iCAAiC,gBAAsB,QAA+B;AAE1F,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,yBAAyB,EAC9B,OAAO,SAAS,EAChB,GAAG,mBAAmB,cAAc,EACpC,GAAG,aAAa,IAAI;AAEvB,QAAI,OAAO;AACT,YAAM,QAAQ,CAAC,EAAE,QAAQ,MAAM;AAC7B,aAAK,eAAe,SAAS,MAAM;AAAA,MACrC,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAsB;AACpB,QAAI,MAAM,4BAA4B;AACtC,cAAU,MAAM;AAAA,EAClB;AACF;AAKA,IAAI,iCAAsE;AASnE,SAAS,4BAA4B,UAAkE;AAE5G,MAAI,gCAAgC;AAClC,QAAI,MAAM,yEAAyE;AACnF,mCAA+B,QAAQ;AAAA,EACzC;AAEA,mCAAiC,IAAI,6BAA6B,QAAQ;AAC1E,SAAO;AACT;;;AC1VA,IAAM,0BAA0B,oBAAI,IAAI,CAAC,GAAG,CAAC;AAC7C,IAAM,oBAAoB,oBAAI,IAAI,CAAC,GAAG,CAAC;AACvC,IAAM,qBAAqB,oBAAI,IAAI,CAAC,GAAG,CAAC;AAExC,SAAS,UAAU,OAAwB;AACzC,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,EACT;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,MAAM,YAAY;AAAA,EAC3B;AACA,MAAI,iBAAiB,SAAS,OAAO,MAAM,YAAY,UAAU;AAC/D,WAAO,MAAM,QAAQ,YAAY;AAAA,EACnC;AACA,SAAO,OAAO,KAAK,EAAE,YAAY;AACnC;AAEO,SAAS,gBAAgB,OAAmC;AACjE,MAAI,iBAAiB,uBAAuB;AAC1C,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,oCAAoC,iBAAiB,mBAAmB;AAC3F,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,yBAAyB;AAC5C,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,WAAW;AAC9B,YAAQ,MAAM,MAAM;AAAA,MAClB,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT;AACE;AAAA,IACJ;AAAA,EACF;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,SAAU,MAA8B;AAC9C,QAAI,OAAO,WAAW,UAAU;AAC9B,UAAI,wBAAwB,IAAI,MAAM,GAAG;AACvC,eAAO;AAAA,MACT;AACA,UAAI,kBAAkB,IAAI,MAAM,GAAG;AACjC,eAAO;AAAA,MACT;AACA,UAAI,mBAAmB,IAAI,MAAM,GAAG;AAClC,eAAO;AAAA,MACT;AACA,UAAI,UAAU,KAAK;AACjB,eAAO;AAAA,MACT;AAAA,IACF;AAEA,UAAM,YAAY,UAAW,MAA4B,IAAI;AAC7D,QAAI,WAAW;AACb,UAAI,UAAU,SAAS,SAAS,GAAG;AACjC,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,UAAU,KAAK,UAAU,SAAS,UAAU,KAAK,UAAU,SAAS,IAAI,GAAG;AAChG,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,MAAM,GAAG;AAC9B,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,MAAM,GAAG;AAC9B,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,YAAY,GAAG;AACpC,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,OAAO,KAAK,UAAU,SAAS,SAAS,GAAG;AAChE,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAU,UAAU,KAAK;AAC/B,MAAI,QAAQ,SAAS,SAAS,KAAK,QAAQ,SAAS,SAAS,KAAK,QAAQ,SAAS,OAAO,GAAG;AAC3F,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,UAAU,KAAK,QAAQ,SAAS,UAAU,KAAK,QAAQ,SAAS,YAAY,GAAG;AAClG,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,YAAY,KAAK,QAAQ,SAAS,mBAAmB,GAAG;AAC3E,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,YAAY,KAAK,QAAQ,SAAS,WAAW,GAAG;AACnE,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,MAAM,KAAK,QAAQ,SAAS,OAAO,KAAK,QAAQ,SAAS,SAAS,GAAG;AACxF,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,SAAS,KAAK,QAAQ,SAAS,OAAO,KAAK,QAAQ,SAAS,YAAY,GAAG;AAC9F,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAcO,SAAS,oCAAoC,UAAgD;AAClG,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL;AACE,aAAO;AAAA,EACX;AACF;;;ACzIA,IAAM,qBAAqB,oBAAI,IAAyB;AACxD,IAAM,iBAAiB;AA2BvB,eAAsB,yBACpB,UACA,SACsB;AAEtB,MAAI,mBAAmB,IAAI,OAAO,GAAG;AACnC,WAAO,mBAAmB,IAAI,OAAO,KAAK;AAAA,EAC5C;AAGA,QAAM,EAAE,MAAM,MAAM,IAAI,MAAM,SAC3B,KAAK,aAAa,EAClB,OAAO,iBAAiB,EACxB,GAAG,YAAY,OAAO,EACtB,OAAO;AAEV,MAAI,iBAA8B;AAElC,MAAI,SAAS,CAAC,MAAM;AAClB,qBAAiB;AAAA,EACnB,WAAW,KAAK,iBAAiB;AAC/B,qBAAiB,KAAK;AAAA,EACxB,OAAO;AAEL,qBAAiB;AAAA,EACnB;AAGA,MAAI,mBAAmB,QAAQ,gBAAgB;AAE7C,UAAM,WAAW,mBAAmB,KAAK,EAAE,KAAK,EAAE;AAClD,QAAI,UAAU;AACZ,yBAAmB,OAAO,QAAQ;AAAA,IACpC;AAAA,EACF;AACA,qBAAmB,IAAI,SAAS,cAAc;AAE9C,SAAO;AACT;;;AC/DA,IAAMA,OAAM,aAAa,kBAAkB;AAW3C,SAAS,uBAAuB,SAA2B;AACzD,SAAO,YAAY,YAAY,YAAY;AAC7C;AAaO,IAAM,mBAAN,MAAuB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAS5B,aAAa,cACX,OACA,WACA,SACkC;AAElC,QAAI,uBAAuB,OAAO,GAAG;AACnC,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,UACb,gBAAgB,MAAM;AAAA,UACtB,SAAS,MAAM;AAAA,UACf,OAAO,MAAM;AAAA,QACf;AAAA,QACA,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,CAAC,WAAW;AACd,UAAI,CAAC,MAAM,gBAAgB;AACzB,eAAO;AAAA,UACL,SAAS;AAAA,UACT,eAAe;AAAA,UACf,OAAO,IAAI,iCAAiC;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,QACf,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,UAAU,gBAAgB;AAC5B,UAAI,CAAC,MAAM,SAAS;AAClB,eAAO;AAAA,UACL,SAAS;AAAA,UACT,eAAe;AAAA,UACf,OAAO,IAAI,0BAA0B;AAAA,QACvC;AAAA,MACF;AAKA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,QACf,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,CAAC,MAAM,gBAAgB;AACzB,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,QACf,OAAO,IAAI,iCAAiC;AAAA,MAC9C;AAAA,IACF;AAEA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,eAAe;AAAA,MACf,OAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,aAAa,uBACX,OACA,WACA,SACA,UACkC;AAElC,QAAI,uBAAuB,OAAO,GAAG;AACnC,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,UACb,gBAAgB,MAAM;AAAA,UACtB,SAAS,MAAM;AAAA,UACf,OAAO,MAAM;AAAA,QACf;AAAA,QACA,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,CAAC,WAAW;AACd,UAAI,CAAC,MAAM,gBAAgB;AACzB,eAAO;AAAA,UACL,SAAS;AAAA,UACT,eAAe;AAAA,UACf,OAAO,IAAI,iCAAiC;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,QACf,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,UAAU,gBAAgB;AAC5B,UAAI,CAAC,MAAM,SAAS;AAClB,eAAO;AAAA,UACL,SAAS;AAAA,UACT,eAAe;AAAA,UACf,OAAO,IAAI,0BAA0B;AAAA,QACvC;AAAA,MACF;AAGA,UAAI,iBAAmC,MAAM;AAC7C,UAAI,CAAC,kBAAkB,YAAY,MAAM,SAAS;AAChD,YAAI;AACF,gBAAM,eAAe,MAAM,KAAK,mBAAmB,UAAU,MAAM,OAAO;AAC1E,2BAAiB,gBAAgB;AACjC,cAAI,CAAC,gBAAgB;AACnB,mBAAO;AAAA,cACL,SAAS;AAAA,cACT,eAAe;AAAA,cACf,OAAO,IAAI,MAAM,mDAAmD;AAAA,YACtE;AAAA,UACF;AAAA,QACF,SAAS,OAAO;AACd,UAAAA,KAAI,MAAM,oCAAoC,KAAK;AACnD,iBAAO;AAAA,YACL,SAAS;AAAA,YACT,eAAe;AAAA,YACf,OAAO,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,0CAA0C;AAAA,UAC9F;AAAA,QACF;AAAA,MACF,WAAW,CAAC,gBAAgB;AAC1B,eAAO;AAAA,UACL,SAAS;AAAA,UACT,eAAe;AAAA,UACf,OAAO,IAAI,MAAM,mGAAmG;AAAA,QACtH;AAAA,MACF;AAEA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,UACb;AAAA,UACA,SAAS,MAAM;AAAA,UACf,OAAO,MAAM;AAAA,QACf;AAAA,QACA,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,CAAC,MAAM,gBAAgB;AACzB,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,QACf,OAAO,IAAI,iCAAiC;AAAA,MAC9C;AAAA,IACF;AAEA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,eAAe;AAAA,MACf,OAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,aAAa,mBACX,UACA,SACsB;AACtB,WAAO,yBAAyB,UAAU,OAAO;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,OAAO,eACL,OACA,WACA,SACA,kBACA,yBACS;AAET,QAAI,uBAAuB,OAAO,GAAG;AACnC,aAAO;AAAA,IACT;AAGA,QAAI,CAAC,WAAW;AACd,aAAO,CAAC,CAAC,2BAA2B,CAAC,CAAC,MAAM;AAAA,IAC9C;AAGA,QAAI,UAAU,gBAAgB;AAC5B,aAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC,MAAM;AAAA,IACvC;AAGA,WAAO,CAAC,CAAC,2BAA2B,CAAC,CAAC,MAAM;AAAA,EAC9C;AACF;;;AChRA,IAAMC,OAAM,aAAa,cAAc;AAKhC,IAAM,wBAAN,MAA4B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMjC,OAAO,mBAAmB,YAA6B;AACrD,QAAI,OAAO,eAAe,YAAY,WAAW,WAAW,GAAG;AAC7D,aAAO;AAAA,IACT;AAKA,UAAM,kBAAkB;AACxB,WAAO,gBAAgB,KAAK,UAAU;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,aAAa,MAAuB;AACzC,QAAI,OAAO,SAAS,YAAY,KAAK,WAAW,GAAG;AACjD,aAAO;AAAA,IACT;AAGA,UAAM,YAAY;AAClB,WAAO,UAAU,KAAK,IAAI;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,cAAc,OAAuB;AAC1C,QAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,aAAO;AAAA,IACT;AAGA,QAAI,MAAM,mBAAmB,QAAW;AAEtC,UAAI,OAAO,MAAM,mBAAmB,YAAY,MAAM,eAAe,KAAK,MAAM,IAAI;AAClF,eAAO;AAAA,MACT;AACA,UAAI,MAAM,kBAAkB,CAAC,KAAK,aAAa,MAAM,cAAc,GAAG;AACpE,eAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,MAAM,WAAW,OAAO,MAAM,YAAY,UAAU;AACtD,aAAO;AAAA,IACT;AAGA,QAAI,MAAM,SAAS,CAAC,KAAK,aAAa,MAAM,KAAK,GAAG;AAClD,aAAO;AAAA,IACT;AAGA,WAAO,CAAC,EAAE,MAAM,kBAAkB,MAAM,WAAW,MAAM;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,cAAc,OAAuB;AAC1C,QAAI,OAAO,UAAU,UAAU;AAC7B,aAAO;AAAA,IACT;AAGA,WAAO,MACJ,QAAQ,YAAY,EAAE,EACtB,QAAQ,aAAa,EAAE,EACvB,QAAQ,UAAU,EAAE,EACpB,QAAQ,iBAAiB,EAAE,EAC3B,QAAQ,WAAW,EAAE,EACrB,KAAK;AAAA,EACV;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,eAAe,QAAuB;AAC3C,WAAO,KAAK,aAAa,MAAM;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,qBAAqB,YAA6B;AACvD,WAAO,WAAW,SAAS,GAAG,KAAK,WAAW,SAAS,IAAI;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,4BAA4B,YAAoB,mBAAoC;AACzF,QAAI,CAAC,KAAK,mBAAmB,UAAU,GAAG;AACxC,aAAO;AAAA,IACT;AAEA,UAAM,CAAC,SAAS,IAAI,WAAW,MAAM,GAAG;AAExC,UAAM,YAAY,CAAC,QAAQ,UAAU,UAAU,QAAQ;AAEvD,UAAM,kBAAkB,UAAU,QAAQ,SAAS;AACnD,UAAM,gBAAgB,UAAU,QAAQ,iBAAiB;AAEzD,QAAI,oBAAoB,MAAM,kBAAkB,IAAI;AAClD,aAAO;AAAA,IACT;AAGA,WAAO,mBAAmB;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,aAAa,eAAe,QAAc,WAAqC;AAG7E,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,aAAa,4BACX,OACA,WACA,SACkB;AAClB,UAAM,aAAa,MAAM,iBAAiB,cAAc,OAAO,aAAa,MAAM,OAAO;AACzF,WAAO,WAAW;AAAA,EACpB;AAAA;AAAA,EASA,OAAO,iBAAiB,OAef;AACP,UAAM,gBAAgB;AAAA,MACpB,GAAG;AAAA,MACH,WAAW,MAAM,aAAa,oBAAI,KAAK;AAAA,MACvC,UAAU,KAAK,iBAAiB,MAAM,IAAI;AAAA,IAC5C;AAGA,QAAI,MAAM,SAAS,uBAAuB;AACxC,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,cAAc,KAAK,sBAAsB,IAAI,MAAM,MAAM;AAE/D,UAAI,aAAa;AACf,cAAM,uBAAuB,MAAM,YAAY;AAC/C,YAAI,uBAAuB,KAAK,gCAAgC;AAE9D,sBAAY;AACZ,eAAK,sBAAsB,IAAI,MAAM,QAAQ,WAAW;AACxD;AAAA,QACF,OAAO;AAEL,UAAAA,KAAI,KAAK,+BAA+B;AAAA,YACtC,GAAG;AAAA,YACH,SAAS;AAAA,cACP,GAAG,cAAc;AAAA,cACjB,oBAAoB,YAAY;AAAA,cAChC,SAAS,wBAAwB,YAAY,QAAQ,CAAC,kBAAkB,KAAK,MAAM,uBAAuB,GAAI,CAAC;AAAA,YACjH;AAAA,UACF,CAAC;AACD,eAAK,sBAAsB,IAAI,MAAM,QAAQ,EAAE,OAAO,GAAG,aAAa,IAAI,CAAC;AAC3E;AAAA,QACF;AAAA,MACF,OAAO;AAEL,aAAK,sBAAsB,IAAI,MAAM,QAAQ,EAAE,OAAO,GAAG,aAAa,IAAI,CAAC;AAC3E,QAAAA,KAAI,KAAK,mBAAmB,aAAa;AACzC;AAAA,MACF;AAAA,IACF;AAGA,IAAAA,KAAI,KAAK,mBAAmB,aAAa;AAAA,EAG3C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAe,iBAAiB,WAA2D;AACzF,YAAQ,WAAW;AAAA,MACjB,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;AAAA;AAAA;AAAA;AAAA;AA9Pa,sBAoKI,wBAAwB,oBAAI,IAAkD;AApKlF,sBAqKa,iCAAiC;AAyGpD,IAAM,0BAA8C;AAAA,EACzD,uBAAuB;AAAA,EACvB,oBAAoB;AAAA,EACpB,oBAAoB;AAAA,EACpB,8BAA8B;AAAA;AAAA,EAC9B,6BAA6B;AAC/B;AAmBO,IAAM,yBAAN,MAA6B;AAAA,EAGlC,YAAY,SAA6B,yBAAyB;AAiHlE;AAAA;AAAA;AAAA;AAAA,SAAQ,iBAAiB,oBAAI,IAAwC;AAhHnE,SAAK,SAAS;AACd,SAAK,sBAAsB;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA,EAKQ,wBAA8B;AAEpC,gBAAY,MAAM;AAChB,WAAK,oBAAoB;AAAA,IAC3B,GAAG,IAAI,KAAK,GAAI;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,cAAc,OAAY,SAG7B;AACD,UAAM,SAAmB,CAAC;AAG1B,QAAI,CAAC,sBAAsB,eAAe,QAAQ,MAAM,GAAG;AACzD,aAAO,KAAK,wBAAwB;AAAA,IACtC;AAIA,UAAM,mBAAmB,MAAM,YAAY,SAAS,QAAQ,KAAK,CAAC,CAAC,MAAM;AACzE,UAAM,gBAAgB,CAAC;AAGvB,QAAI,eAAe;AACjB,UAAI,CAAC,QAAQ,gBAAgB;AAC3B,eAAO,KAAK,4DAA4D;AAAA,MAC1E,WAAW,CAAC,sBAAsB,aAAa,QAAQ,cAAc,GAAG;AACtE,eAAO,KAAK,gCAAgC;AAAA,MAC9C;AAAA,IACF,OAAO;AAEL,UAAI,QAAQ,kBAAkB,CAAC,sBAAsB,aAAa,QAAQ,cAAc,GAAG;AACzF,eAAO,KAAK,gCAAgC;AAAA,MAC9C;AAAA,IACF;AAEA,QAAI,MAAM,cAAc,CAAC,sBAAsB,mBAAmB,MAAM,UAAU,GAAG;AACnF,aAAO,KAAK,2BAA2B;AAAA,IACzC;AAEA,QAAI,MAAM,SAAS,CAAC,sBAAsB,cAAc,MAAM,KAAK,GAAG;AACpE,aAAO,KAAK,sBAAsB;AAAA,IACpC;AAEA,QAAI,KAAK,OAAO,uBAAuB;AACrC,UAAI,QAAQ,aAAa,OAAO,QAAQ,cAAc,UAAU;AAC9D,eAAO,KAAK,2BAA2B;AAAA,MACzC;AAEA,UAAI,QAAQ,aAAa,OAAO,QAAQ,cAAc,UAAU;AAC9D,eAAO,KAAK,2BAA2B;AAAA,MACzC;AAAA,IACF;AAGA,QAAI,OAAO,SAAS,GAAG;AACrB,4BAAsB,iBAAiB;AAAA,QACrC,MAAM;AAAA,QACN,QAAQ,QAAQ;AAAA,QAChB,SAAS,EAAE,QAAQ,OAAO,KAAK,cAAc,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,MACtE,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,SAAS,OAAO,WAAW;AAAA,MAC3B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAAe,SAGlB;AACD,QAAI,CAAC,KAAK,OAAO,oBAAoB;AACnC,aAAO,EAAE,WAAW,MAAM,WAAW,KAAK,OAAO,6BAA6B;AAAA,IAChF;AAIA,UAAM,YAAY,MAAM,KAAK,wBAAwB,QAAQ,MAAM;AAEnE,UAAM,YAAY,YAAY,KAAK,OAAO,+BAA+B,KAAK,iBAAiB,QAAQ,MAAM,IAAI;AAEjH,WAAO;AAAA,MACL;AAAA,MACA,WAAW,KAAK,IAAI,GAAG,SAAS;AAAA,IAClC;AAAA,EACF;AAAA,EAQA,MAAc,wBAAwB,QAAgC;AACpE,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,WAAW,KAAK;AAGtB,UAAM,UAAU,KAAK,eAAe,IAAI,MAAM,KAAK,CAAC;AAGpD,UAAM,eAAe,QAAQ,OAAO,WAAS,MAAM,MAAM,YAAY,QAAQ;AAG7E,UAAM,eAAe,aAAa;AAClC,UAAM,YAAY,eAAe,KAAK,OAAO;AAG7C,QAAI,WAAW;AACb,mBAAa,KAAK,EAAE,WAAW,IAAI,CAAC;AAAA,IACtC;AAGA,SAAK,eAAe,IAAI,QAAQ,YAAY;AAE5C,WAAO;AAAA,EACT;AAAA,EAEQ,iBAAiB,QAAsB;AAC7C,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,WAAW,KAAK;AAEtB,UAAM,UAAU,KAAK,eAAe,IAAI,MAAM,KAAK,CAAC;AACpD,UAAM,eAAe,QAAQ,OAAO,WAAS,MAAM,MAAM,YAAY,QAAQ;AAE7E,WAAO,aAAa;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,sBAA4B;AAClC,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,WAAW,KAAK;AAEtB,eAAW,CAAC,QAAQ,OAAO,KAAK,KAAK,eAAe,QAAQ,GAAG;AAC7D,YAAM,eAAe,QAAQ,OAAO,WAAS,MAAM,MAAM,YAAY,QAAQ;AAE7E,UAAI,aAAa,WAAW,GAAG;AAC7B,aAAK,eAAe,OAAO,MAAM;AAAA,MACnC,OAAO;AACL,aAAK,eAAe,IAAI,QAAQ,YAAY;AAAA,MAC9C;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,OAAuB;AAC3C,WAAO,sBAAsB,cAAc,KAAK;AAAA,EAClD;AACF;;;AC9bA,IAAM,oBAAN,MAAwB;AAAA,EAAxB;AACE,SAAQ,SAA4B;AACpC,SAAQ,SAA4B;AAAA;AAAA,EAEpC,UAAU,QAA0B;AAClC,SAAK,SAAS;AACd,SAAK,YAAY;AAAA,EACnB;AAAA,EAEA,YAA+B;AAC7B,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,YAAwB;AACtB,QAAI,CAAC,KAAK,QAAQ;AAChB,WAAK,SAAS,KAAK,oBAAoB;AAAA,IACzC;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,cAAoB;AAC1B,QAAI,CAAC,KAAK,OAAQ;AAElB,UAAM,EAAE,QAAQ,OAAO,WAAW,OAAO,IAAI,KAAK;AAElD,SAAK,SAAS;AAAA,MACZ,OAAO,CAAC,YAAoB,SAAoB;AAC9C,gBAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,MAClD;AAAA,MACA,MAAM,CAAC,YAAoB,SAAoB;AAC7C,YAAI,aAAa,UAAU,aAAa,UAAU,aAAa,SAAS;AACtE,kBAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,QAChD;AAAA,MACF;AAAA,MACA,MAAM,CAAC,YAAoB,SAAoB;AAC7C,YAAI,aAAa,UAAU,aAAa,SAAS;AAC/C,kBAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,QAChD;AAAA,MACF;AAAA,MACA,OAAO,CAAC,YAAoB,SAAoB;AAC9C,YAAI,SAAS,aAAa,SAAS;AACjC,kBAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,QAClD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,sBAAkC;AACxC,WAAO;AAAA,MACL,OAAO,CAAC,YAAoB,SAAoB,QAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,MAChG,MAAM,CAAC,YAAoB,SAAoB,QAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,MAC7F,MAAM,CAAC,YAAoB,SAAoB,QAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,MAC7F,OAAO,CAAC,YAAoB,SAAoB,QAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,IAClG;AAAA,EACF;AAAA,EAEA,cAAuB;AACrB,WAAO,KAAK,QAAQ,SAAS;AAAA,EAC/B;AAAA,EAEA,oBAA6B;AAC3B,WAAO,KAAK,QAAQ,mBAAmB;AAAA,EACzC;AAAA,EAEA,qBAAqD;AACnD,WAAO,KAAK,QAAQ,mBAAmB;AAAA,EACzC;AACF;AAGA,IAAM,gBAAgB,IAAI,kBAAkB;AAErC,SAAS,iBAAiB,QAAgC;AAC/D,gBAAc,UAAU,MAAM;AAC9B,SAAO;AACT;AAEO,SAAS,gBAAmC;AACjD,SAAO,cAAc,UAAU;AACjC;AAEO,SAAS,gBAA4B;AAC1C,SAAO,cAAc,UAAU;AACjC;AAEO,SAAS,cAAuB;AACrC,SAAO,cAAc,YAAY;AACnC;AAEO,SAAS,oBAA6B;AAC3C,SAAO,cAAc,kBAAkB;AACzC;;;AC1FO,IAAM,aAAN,MAAiB;AAAA,EAItB,YAAY,UAAoC,gBAA8C;AAC5F,SAAK,WAAW;AAEhB,UAAM,uBAA2C;AAAA,MAC/C,GAAG;AAAA,MACH,GAAG;AAAA,IACL;AACA,SAAK,qBAAqB,IAAI,uBAAuB,oBAAoB;AAGzE,gCAA4B,QAAQ;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,YAAY,OAAwB,iBAAoD;AAC5F,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,EAAE,QAAQ,YAAY,OAAO,OAAO,IAAI;AAG9C,QAAI,WAAW;AACf,QAAI,cAAgC;AAEpC,QAAI;AAMF,YAAM,aAAa,MAAM,KAAK,mBAAmB,cAAc,OAAO,eAAe;AACrF,UAAI,CAAC,WAAW,SAAS;AACvB,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,QAAQ,WAAW,QAAQ,OAAO,KAAK,UAAU,KAAK,EAAE;AAAA,QACrE,CAAC;AACD,eAAO;AAAA,MACT;AAGA,YAAM,YAAY,MAAM,KAAK,mBAAmB,eAAe,eAAe;AAC9E,UAAI,CAAC,UAAU,WAAW;AACxB,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,WAAW,UAAU,UAAU;AAAA,QAC5C,CAAC;AACD,eAAO;AAAA,MACT;AAGA,UAAI,CAAC,sBAAsB,eAAe,MAAM,GAAG;AACjD,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,OAAO,yBAAyB;AAAA,QAC7C,CAAC;AACD,eAAO;AAAA,MACT;AAGA,UAAI,CAAC,sBAAsB,mBAAmB,UAAU,GAAG;AACzD,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,OAAO,6BAA6B,WAAW;AAAA,QAC5D,CAAC;AACD,eAAO;AAAA,MACT;AAGA,UAAI,CAAC,sBAAsB,cAAc,KAAK,GAAG;AAC/C,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,OAAO,wBAAwB,MAAM;AAAA,QAClD,CAAC;AACD,eAAO;AAAA,MACT;AAMA,YAAM,WAAW,UAAU;AAAA,QACzB;AAAA,QACA;AAAA,QACA,MAAM;AAAA,QACN,MAAM;AAAA,QACN,MAAM;AAAA,QACN;AAAA,MACF;AAEA,YAAM,SAAS,UAAU,IAAa,QAAQ;AAC9C,UAAI,WAAW,MAAM;AACnB,mBAAW;AACX,sBAAc;AAId,eAAO;AAAA,MACT;AAYA,YAAM,EAAE,MAAM,MAAM,IAAI,MAAO,KAAK,SAAiB,IAAI,oCAAoC;AAAA,QAC3F,WAAW;AAAA,QACX,cAAc;AAAA,QACd,mBAAmB,MAAM,kBAAkB;AAAA,QAC3C,YAAY,MAAM,WAAW;AAAA,QAC7B,UAAU,MAAM,SAAS;AAAA,QACzB,WAAW,UAAU;AAAA,MACvB,CAAC;AAED,UAAI,OAAO;AACT,cAAM,SAAS,cAAc;AAC7B,eAAO,MAAM,cAAc,KAAK;AAEhC,cAAM,WAAW,gBAAgB,KAAK;AACtC,cAAM,YAAY,oCAAoC,QAAQ;AAC9D,cAAM,eAAe;AAErB,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS;AAAA,YACP,OAAO,cAAc,WAAW;AAAA,YAChC,MAAM,cAAc;AAAA,YACpB,MAAM,cAAc;AAAA,YACpB,SAAS,cAAc;AAAA,YACvB;AAAA,YACA,OAAO,KAAK,UAAU,KAAK;AAAA,YAC3B;AAAA,UACF;AAAA,QACF,CAAC;AAGD,eAAO;AAAA,MACT;AAEA,YAAMC,iBAAgB,SAAS;AAO/B,gBAAU,IAAI,UAAUA,gBAAe,GAAK;AAE5C,YAAM,WAAW,KAAK,IAAI,IAAI;AAG9B,UAAI,MAAM,gBAAgB;AACxB,cAAM,iBAAiB,MAAM,KAAK,cAAc,QAAQ,MAAM,KAAK;AACnE,cAAM,eAAe;AAAA,UACnB,MAAMA,iBAAgB,qBAAqB;AAAA,UAC3C;AAAA,UACA,gBAAgB,MAAM;AAAA,UACtB,SAAS,MAAM;AAAA,UACf,OAAO,MAAM;AAAA,UACb,QAAQ;AAAA,UACR;AAAA,UACA,UAAUA;AAAA,UACV,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,UACX,cAAc;AAAA,QAChB,CAAC;AAAA,MACH;AAEA,aAAOA;AAAA,IAET,SAAS,OAAO;AACd,YAAM,WAAW,gBAAgB,KAAK;AACtC,YAAM,YAAY,oCAAoC,QAAQ;AAC9D,YAAM,eAAe,iBAAiB,QAAQ,MAAM,UAAU;AAE9D,4BAAsB,iBAAiB;AAAA,QACrC,MAAM;AAAA,QACN;AAAA,QACA,SAAS;AAAA,UACP,OAAO;AAAA,UACP;AAAA,UACA,OAAO,KAAK,UAAU,KAAK;AAAA,UAC3B;AAAA,QACF;AAAA,MACF,CAAC;AAGD,YAAM,SAAS,cAAc;AAC7B,aAAO,MAAM,4BAA4B,KAAK;AAC9C,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,eAAe,OAA6D;AAChF,UAAM,EAAE,QAAQ,MAAM,IAAI;AAG1B,UAAM,WAAW,UAAU;AAAA,MACzB;AAAA,MACA,MAAM,kBAAkB;AAAA,MACxB,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAEA,UAAM,SAAS,UAAU,IAAiB,QAAQ;AAClD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAEA,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AAGnC,UAAMC,gBAAe,MAAM,KAAK,gBAAgB,MAAM;AACtD,QAAIA,eAAc;AAChB,gBAAU,IAAI,UAAU,SAAS,GAAK;AACtC,aAAO;AAAA,IACT;AAGA,QAAI,MAAM,gBAAgB;AACxB,YAAM,EAAE,MAAM,SAAS,IAAI,MAAM,KAAK,SACnC,KAAK,yBAAyB,EAC9B,OAAO,MAAM,EACb,GAAG,WAAW,MAAM,EACpB,GAAG,mBAAmB,MAAM,cAAc,EAC1C,GAAG,UAAU,QAAQ,EACrB,GAAG,cAAc,IAAI,EACrB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE,EACzC,MAAM,CAAC;AAEV,YAAM,UAAU,WAAW,CAAC;AAE5B,UAAI,SAAS,SAAS,aAAa;AACjC,kBAAU,IAAI,UAAU,SAAS,GAAK;AACtC,eAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,MAAM,WAAW,MAAM,OAAO;AAChC,YAAM,EAAE,MAAM,UAAU,IAAI,MAAM,KAAK,SACpC,KAAK,sBAAsB,EAC3B,OAAO,MAAM,EACb,GAAG,WAAW,MAAM,EACpB,GAAG,YAAY,MAAM,OAAO,EAC5B,GAAG,UAAU,MAAM,KAAK,EACxB,GAAG,UAAU,QAAQ,EACrB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE,EACzC,OAAO;AAEV,UAAI,WAAW,SAAS,eAAe;AACrC,kBAAU,IAAI,UAAU,SAAS,GAAK;AACtC,eAAO;AAAA,MACT;AACA,UAAI,WAAW,SAAS,WAAW;AACjC,kBAAU,IAAI,UAAU,WAAW,GAAK;AACxC,eAAO;AAAA,MACT;AACA,UAAI,WAAW,SAAS,eAAe;AACrC,kBAAU,IAAI,UAAU,eAAe,GAAK;AAC5C,eAAO;AAAA,MACT;AAAA,IACF;AAGA,cAAU,IAAI,UAAU,UAAU,GAAK;AACvC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAiB,OAA+D;AACpF,UAAM,EAAE,QAAQ,MAAM,IAAI;AAG1B,UAAM,WAAW,UAAU;AAAA,MACzB;AAAA,MACA,MAAM,kBAAkB;AAAA,MACxB,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAGA,UAAMA,gBAAe,MAAM,KAAK,gBAAgB,MAAM;AACtD,QAAIA,eAAc;AAChB,YAAM,cAA6B,EAAE,KAAK,KAAK;AAC/C,gBAAU,IAAI,UAAU,aAAa,GAAK;AAC1C,aAAO;AAAA,IACT;AAGA,QAAI,CAAC,MAAM,gBAAgB;AACzB,aAAO,CAAC;AAAA,IACV;AAIA,UAAM,SAAS,UAAU,IAAmB,QAAQ;AACpD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAEA,UAAM,gBAA+B,CAAC;AAGtC,QAAI,MAAM,OAAO;AACf,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,gBAAgB,EACrB,OAAO,eAAe,EACtB,GAAG,UAAU,MAAM,KAAK;AAE3B,UAAI,OAAO;AAET,YAAI,CAAC,MAAM,gBAAgB;AAEzB,oBAAU,IAAI,UAAU,eAAe,GAAK;AAC5C,iBAAO;AAAA,QACT;AAGA,cAAM,kBAAmC;AAAA,UACvC;AAAA,UACA,gBAAgB,MAAM;AAAA;AAAA,UACtB,WAAW,oBAAI,KAAK;AAAA,QACtB;AAEA,mBAAW,QAAQ,OAAO;AAGxB,qBAAW,aAAa,CAAC,QAAQ,UAAU,UAAU,QAAQ,GAAkB;AAC7E,kBAAM,mBAAmB,GAAG,SAAS,SAAS,KAAK,SAAS;AAC5D,kBAAMD,iBAAgB,MAAM,KAAK;AAAA,cAC/B;AAAA,gBACE;AAAA,gBACA;AAAA,gBACA,YAAY;AAAA,gBACZ,QAAQ,KAAK;AAAA,cACf;AAAA,cACA;AAAA,YACF;AAEA,kBAAM,gBAAgB;AACtB,0BAAc,aAAa,IAAIA;AAAA,UACjC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,cAAU,IAAI,UAAU,eAAe,GAAK;AAC5C,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,kBAAkB,OAA0E;AAChG,QAAI;AACF,YAAM,EAAE,QAAQ,QAAQ,IAAI;AAC5B,YAAM,EAAE,MAAM,MAAM,IAAI,MAAO,KAAK,SAAiB,IAAI,oBAAoB;AAAA,QAC3E,WAAW;AAAA,QACX,YAAY;AAAA,MACd,CAAC;AAED,UAAI,OAAO;AACT,cAAM,SAAS,cAAc;AAC7B,eAAO,MAAM,kCAAkC,KAAK;AACpD,eAAO;AAAA,MACT;AAEA,UAAI,CAAC,QAAQ,KAAK,WAAW,GAAG;AAC9B,eAAO;AAAA,MACT;AAEA,YAAM,UAAU,KAAK,CAAC;AACtB,UAAI,CAAC,SAAS,QAAQ;AACpB,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,QACL,OAAO,QAAQ;AAAA,QACf,WAAW,QAAQ,eAAe;AAAA,MACpC;AAAA,IACF,SAAS,OAAO;AACd,YAAM,SAAS,cAAc;AAC7B,aAAO,MAAM,2CAA2C,KAAK;AAC7D,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,OAAiE;AACpF,UAAM,SAA0B;AAAA,MAC9B,YAAY;AAAA,MACZ,kBAAkB;AAAA,MAClB,cAAc;AAAA,IAChB;AAEA,QAAI;AACF,YAAM,EAAE,QAAQ,MAAM,IAAI;AAE1B,YAAM,EAAE,MAAM,MAAM,IAAI,MAAO,KAAK,SAAiB,IAAI,wBAAwB;AAAA,QAC/E,WAAW;AAAA,QACX,mBAAmB,MAAM,kBAAkB;AAAA,QAC3C,YAAY,MAAM,WAAW;AAAA,QAC7B,UAAU,MAAM,SAAS;AAAA,QACzB,WAAW;AAAA;AAAA,MACb,CAAC;AAED,UAAI,OAAO;AACT,cAAM,SAAS,cAAc;AAC7B,eAAO,MAAM,gCAAgC,KAAK;AAClD,eAAO;AAAA,MACT;AAEA,UAAI,CAAC,MAAM,QAAQ,IAAI,GAAG;AACxB,eAAO;AAAA,MACT;AAEA,iBAAW,cAAc,MAA0B;AACjD,YAAI,WAAW,oBAAoB,mBAAmB;AACpD,iBAAO,aAAa;AAAA,QACtB;AAEA,YAAI,WAAW,oBAAoB,uBAAuB;AACxD,iBAAO,mBAAmB,WAAW;AAAA,QACvC;AAEA,YAAI,WAAW,oBAAoB,oBAAoB;AACrD,iBAAO,eAAe,WAAW;AAAA,QACnC;AAAA,MACF;AAEA,aAAO;AAAA,IACT,SAAS,OAAO;AACd,YAAM,SAAS,cAAc;AAC7B,aAAO,MAAM,0CAA0C,KAAK;AAC5D,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,gBAAgB,QAAgC;AAE5D,UAAM,WAAW,eAAe,MAAM;AACtC,UAAM,SAAS,UAAU,IAAa,QAAQ;AAC9C,QAAI,WAAW,MAAM;AACnB,aAAO;AAAA,IACT;AAEA,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,MAAM,EACb,GAAG,WAAW,MAAM,EACpB,GAAG,QAAQ,aAAa,EACxB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE,EACzC,MAAM,CAAC;AAEV,UAAMC,gBAAe,CAAC,SAAS,QAAQ,KAAK,SAAS;AAGrD,cAAU,IAAI,UAAUA,eAAc,GAAK;AAE3C,WAAO,QAAQA,aAAY;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,cAAc,QAAwB,OAAkD;AACpG,QAAI,CAAC,QAAQ;AACX,aAAO;AAAA,IACT;AAGA,UAAM,YAAY;AAClB,QAAI,UAAU,KAAK,MAAM,GAAG;AAC1B,aAAO;AAAA,IACT;AAGA,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,IACT;AAGA,QAAI;AAGF,YAAM,EAAE,MAAM,MAAM,OAAO,UAAU,IAAI,MAAM,KAAK,SACjD,KAAK,gBAAgB,EACrB,OAAO,IAAI,EACX,GAAG,UAAU,KAAK,EAClB,GAAG,aAAa,MAAM,EACtB,YAAY;AAGf,UAAI,WAAW;AACb,cAAM,SAAS,cAAc;AAE7B,YAAI,UAAU,SAAS,YAAY;AACjC,iBAAO,KAAK,wCAAwC,EAAE,QAAQ,OAAO,OAAO,UAAU,CAAC;AAAA,QACzF;AACA,eAAO;AAAA,MACT;AAEA,aAAO,MAAM,MAAM;AAAA,IACrB,SAAS,OAAO;AACd,YAAM,SAAS,cAAc;AAC7B,aAAO,KAAK,wCAAwC,EAAE,QAAQ,OAAO,MAAM,CAAC;AAC5E,aAAO;AAAA,IACT;AAAA,EACF;AACF;AASO,SAAS,iBACd,UACA,gBACY;AACZ,SAAO,IAAI,WAAW,UAAU,cAAc;AAChD;;;AC5kBA,IAAM,yBAAN,MAA6B;AAAA,EAA7B;AACE,SAAQ,UAAkC;AAAA,MACxC,aAAa;AAAA,MACb,WAAW;AAAA,MACX,aAAa;AAAA,MACb,cAAc;AAAA,MACd,sBAAsB;AAAA,MACtB,iBAAiB;AAAA,MACjB,qBAAqB;AAAA,MACrB,mBAAmB;AAAA,MACnB,oBAAoB;AAAA,MACpB,uBAAuB;AAAA,IACzB;AAEA,SAAQ,UAAmB;AAAA;AAAA;AAAA;AAAA;AAAA,EAK3B,WAAW,SAAwB;AACjC,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,UAAmB,cAAsB,kBAA2B,OAAa;AAC3F,QAAI,CAAC,KAAK,SAAS;AACjB;AAAA,IACF;AAEA,SAAK,QAAQ;AAEb,QAAI,UAAU;AACZ,WAAK,QAAQ;AAAA,IACf,OAAO;AACL,WAAK,QAAQ;AACb,WAAK,QAAQ;AAAA,IACf;AAEA,QAAI,iBAAiB;AACnB,WAAK,QAAQ;AAAA,IACf;AAEA,SAAK,QAAQ,qBAAqB;AAClC,SAAK,QAAQ,sBAAsB,KAAK,QAAQ,oBAAoB,KAAK,QAAQ;AACjF,SAAK,QAAQ,eAAe,KAAK,QAAQ,YAAY,KAAK,QAAQ;AAAA,EACpE;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,SAAwB;AACvC,QAAI,CAAC,KAAK,SAAS;AACjB;AAAA,IACF;AAEA,QAAI,SAAS;AACX,WAAK,QAAQ;AAAA,IACf,OAAO;AACL,WAAK,QAAQ;AAAA,IACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAqC;AACnC,WAAO,EAAE,GAAG,KAAK,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKA,QAAc;AACZ,SAAK,UAAU;AAAA,MACb,aAAa;AAAA,MACb,WAAW;AAAA,MACX,aAAa;AAAA,MACb,cAAc;AAAA,MACd,sBAAsB;AAAA,MACtB,iBAAiB;AAAA,MACjB,qBAAqB;AAAA,MACrB,mBAAmB;AAAA,MACnB,oBAAoB;AAAA,MACpB,uBAAuB;AAAA,IACzB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAqB;AACnB,UAAM,IAAI,KAAK;AACf,WAAO;AAAA;AAAA,kBAEO,EAAE,WAAW;AAAA,gBACf,EAAE,SAAS,MAAM,EAAE,eAAe,KAAK,QAAQ,CAAC,CAAC;AAAA,kBAC/C,EAAE,WAAW;AAAA,2BACJ,EAAE,oBAAoB;AAAA,sBAC3B,EAAE,eAAe;AAAA,2BACZ,EAAE,oBAAoB,QAAQ,CAAC,CAAC;AAAA,0BACjC,EAAE,kBAAkB;AAAA,6BACjB,EAAE,qBAAqB;AAAA;AAAA,EAElD;AACF;AAGA,IAAM,qBAAqB,IAAI,uBAAuB;AAK/C,SAAS,8BAAoC;AAClD,qBAAmB,WAAW,IAAI;AACpC;AAKO,SAAS,+BAAqC;AACnD,qBAAmB,WAAW,KAAK;AACrC;AAKO,SAAS,iCAA0C;AACxD,SAAO,mBAAmB,UAAU;AACtC;AAKO,SAAS,sBACd,UACA,cACA,kBAA2B,OACrB;AACN,qBAAmB,YAAY,UAAU,cAAc,eAAe;AACxE;AAKO,SAAS,iBAAiB,SAAwB;AACvD,qBAAmB,iBAAiB,OAAO;AAC7C;AAKO,SAAS,wBAAgD;AAC9D,SAAO,mBAAmB,WAAW;AACvC;AAKO,SAAS,0BAAgC;AAC9C,qBAAmB,MAAM;AAC3B;AAKO,SAAS,wBAAgC;AAC9C,SAAO,mBAAmB,WAAW;AACvC;;;AC9LA,IAAM,mBAAmB,oBAAI,IAA8B;AAQ3D,SAAS,yBAAyB,OAAgC;AAChE,SAAO,UAAU,sBAAsB;AAAA,IACrC,QAAQ,MAAM;AAAA,IACd,gBAAgB,MAAM,MAAM;AAAA;AAAA,IAC5B,SAAS,MAAM,MAAM;AAAA,IACrB,OAAO,MAAM,MAAM;AAAA,IACnB,YAAY,MAAM;AAAA,IAClB,QAAQ,MAAM;AAAA,EAChB,CAAC;AACH;AAYA,eAAsB,mBACpB,OACA,SACkB;AAClB,QAAM,MAAM,yBAAyB,KAAK;AAG1C,QAAM,kBAAkB,iBAAiB,IAAI,GAAG;AAChD,MAAI,iBAAiB;AACnB,WAAO;AAAA,EACT;AAGA,QAAM,iBAAiB,QAAQ,KAAK,EAAE,QAAQ,MAAM;AAElD,qBAAiB,OAAO,GAAG;AAAA,EAC7B,CAAC;AAGD,mBAAiB,IAAI,KAAK,cAAc;AAExC,SAAO;AACT;AAKO,SAAS,wBAA8B;AAC5C,mBAAiB,MAAM;AACzB;AAOO,SAAS,0BAAkC;AAChD,SAAO,iBAAiB;AAC1B;;;ACnDA,IAAMC,OAAM,aAAa,SAAS;AAGlC,IAAI,eAAkC;AAQ/B,SAAS,UAAU,UAAoC,QAAoC;AAChG,QAAM,SAAS,cAAc;AAG7B,QAAM,gBAAgB,YAAY,IAAI,SAAS;AAC/C,QAAM,aAAyB;AAAA,IAC7B;AAAA,IACA,OAAO;AAAA,IACP,UAAU;AAAA,IACV,iBAAiB;AAAA,IACjB,GAAG;AAAA,EACL;AAEA,mBAAiB,UAAU;AAK3B,QAAM,iBACJ,WAAW,UAAa,CAAC,gBACrB,SACA;AAAA;AAAA,IAEE,GAAI,iBAAiB,QAAQ,UAAU,uBAAuB,SAC1D,EAAE,oBAAoB,MAAM,IAC5B,CAAC;AAAA;AAAA,IAEL,GAAG,QAAQ;AAAA,EACb;AAGN,iBAAe,iBAAiB,UAAU,cAAc;AAGxD,QAAM,kBAAkB,QAAQ,OAAO,YAAY,SAAU,QAAQ,aAAa,8BAA8B;AAChH,QAAM,cAAc,kBAAkB;AAAA,IACpC,aAAa,QAAQ,OAAO;AAAA,IAC5B,WAAW,QAAQ,OAAO;AAAA,EAC5B,IAAI;AACJ,QAAM,eAAe,mBAAmB,UAAU,iBAAiB,WAAW;AAC9E,wBAAsB,YAAY;AAGlC,MAAI,QAAQ,aAAa,2BAA2B;AAClD,gCAA4B;AAAA,EAC9B;AAEF;AAQA,SAAS,YAAwB;AAC/B,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,wBAAwB;AAAA,EACpC;AACA,SAAO;AACT;AAkBA,eAAsB,eACpB,OAIA,WACA,SACsB;AACtB,QAAM,SAAS,UAAU;AAGzB,QAAM,mBAAmB,MAAM,OAAO,iBAAiB,EAAE,MAAM,MAAM;AACrE,MAAI,kBAAkB;AACpB,WAAO;AAAA,EACT;AAGA,MAAI,oBAAsC,aAAa;AACvD,MAAI,kBAAkB;AAEtB,MAAI,CAAC,qBAAqB,MAAM,MAAM,OAAO;AAC3C,wBAAoB,MAAM,aAAa,MAAM,MAAM,KAAK;AAAA,EAC1D;AAGA,QAAM,aAAa,MAAM,iBAAiB;AAAA,IACxC,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,EACnB;AAEA,MAAI,CAAC,WAAW,WAAW,CAAC,WAAW,eAAe;AACpD,UAAM,WAAW,SAAS,IAAI,iCAAiC;AAAA,EACjE;AAGA,SAAO,OAAO,eAAe;AAAA,IAC3B,GAAG;AAAA,IACH,OAAO,WAAW;AAAA,EACpB,CAAC;AACH;AAsBA,eAAsB,iBACpB,OAIA,WACA,SACwB;AACxB,QAAM,SAAS,UAAU;AAGzB,MAAI,oBAAsC,aAAa;AACvD,MAAI,kBAAkB;AAEtB,MAAI,CAAC,qBAAqB,MAAM,MAAM,OAAO;AAC3C,wBAAoB,MAAM,aAAa,MAAM,MAAM,KAAK;AAAA,EAC1D;AAGA,QAAM,aAAa,MAAM,iBAAiB;AAAA,IACxC,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,EACnB;AAEA,MAAI,CAAC,WAAW,WAAW,CAAC,WAAW,eAAe;AACpD,UAAM,WAAW,SAAS,IAAI,iCAAiC;AAAA,EACjE;AAGA,SAAO,OAAO,iBAAiB;AAAA,IAC7B,GAAG;AAAA,IACH,OAAO,WAAW;AAAA,EACpB,CAAC;AACH;AAEA,eAAsB,kBAAkB,OAGL;AACjC,QAAM,SAAS,UAAU;AACzB,SAAO,OAAO,kBAAkB,KAAK;AACvC;AAEA,eAAsB,eACpB,OAIA,WACA,SAC0B;AAC1B,QAAM,SAAS,UAAU;AAGzB,MAAI,oBAAsC,aAAa;AACvD,MAAI,kBAAkB;AAEtB,MAAI,CAAC,qBAAqB,MAAM,MAAM,OAAO;AAC3C,wBAAoB,MAAM,aAAa,MAAM,MAAM,KAAK;AAAA,EAC1D;AAGA,QAAM,aAAa,MAAM,iBAAiB;AAAA,IACxC,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,EACnB;AAEA,MAAI,CAAC,WAAW,WAAW,CAAC,WAAW,eAAe;AACpD,UAAM,WAAW,SAAS,IAAI,iCAAiC;AAAA,EACjE;AAGA,SAAO,OAAO,eAAe;AAAA,IAC3B,GAAG;AAAA,IACH,OAAO,WAAW;AAAA,EACpB,CAAC;AACH;AAoBA,eAAsB,YACpB,OACA,WACA,SACkB;AAClB,QAAM,SAAS,UAAU;AAIzB,QAAM,mBAAmB,MAAM,OAAO,iBAAiB,EAAE,MAAM,MAAM;AACrE,MAAI,kBAAkB;AACpB,WAAO;AAAA,EACT;AAGA,MAAI,oBAAsC,aAAa;AACvD,MAAI,kBAAkB;AAEtB,MAAI,CAAC,qBAAqB,MAAM,MAAM,OAAO;AAC3C,wBAAoB,MAAM,aAAa,MAAM,MAAM,KAAK;AAAA,EAC1D;AAGA,MAAI,CAAC,mBAAmB,MAAM,MAAM,OAAO;AACzC,QAAI;AACF,YAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU,EACrC,KAAK,WAAW,EAChB,OAAO,MAAM,EACb,GAAG,MAAM,MAAM,MAAM,KAAK,EAC1B,GAAG,aAAa,IAAI,EACpB,OAAO;AACV,UAAI,MAAM;AACR,0BAAkB,KAAK;AAAA,MACzB;AAAA,IACF,SAAS,KAAK;AAAA,IAEd;AAAA,EACF;AAGA,QAAM,aAAa,MAAM,iBAAiB;AAAA,IACxC,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,EACnB;AAEA,MAAI,CAAC,WAAW,WAAW,CAAC,WAAW,eAAe;AACpD,UAAM,WAAW,SAAS,IAAI,iCAAiC;AAAA,EACjE;AAGA,QAAM,iBAAiB,WAAW;AAGlC,QAAM,kBAAmC;AAAA,IACvC,QAAQ,MAAM;AAAA,IACd,gBAAgB,eAAe,kBAAkB;AAAA,IACjD,WAAW,oBAAI,KAAK;AAAA;AAAA,EAEtB;AAGA,QAAM,iBAAkC;AAAA,IACtC,GAAG;AAAA,IACH,OAAO;AAAA,EACT;AAEA,SAAO,OAAO,YAAY,gBAAgB,eAAe;AAC3D;AAaA,eAAsB,kBACpB,OACA,WACA,SACkB;AAClB,QAAM,EAAE,QAAQ,OAAO,YAAY,OAAO,IAAI;AAG9C,QAAM,WAAW,UAAU,sBAAsB;AAAA,IAC/C;AAAA,IACA,gBAAgB,MAAM;AAAA,IACtB,SAAS,MAAM;AAAA,IACf,OAAO,MAAM;AAAA,IACb;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,SAAS,UAAU,IAAa,UAAU,IAAI;AACpD,MAAI,WAAW,MAAM;AACnB,WAAO;AAAA,EACT;AAGA,SAAO,mBAAmB,OAAO,OAAO,eAAe;AAErD,UAAM,SAAS,MAAM,YAAY,YAAY,WAAW,OAAO;AAG/D,UAAM,mBAAmB,CAAC,CAAC,UAAU,WAAW,SAAS,OAAO;AAGhE,cAAU,IAAI,UAAU,QAAQ,QAAW,gBAAgB;AAE3D,WAAO;AAAA,EACT,CAAC;AACH;AAQA,eAAsB,cAAc,OAA0C;AAC5E,SAAO,YAAY,KAAK;AAC1B;AAQA,eAAsB,iBAAiB,OAKlB;AACnB,QAAM,EAAE,aAAa,GAAG,UAAU,IAAI;AAEtC,aAAW,cAAc,aAAa;AACpC,UAAMC,iBAAgB,MAAM,YAAY;AAAA,MACtC,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAED,QAAIA,gBAAe;AACjB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAQA,eAAsB,kBAAkB,OAKnB;AACnB,QAAM,EAAE,aAAa,GAAG,UAAU,IAAI;AAEtC,aAAW,cAAc,aAAa;AACpC,UAAMA,iBAAgB,MAAM,YAAY;AAAA,MACtC,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAED,QAAI,CAACA,gBAAe;AAClB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAQA,eAAsB,aAAa,QAAgC;AACjE,QAAM,SAAS,UAAU;AACzB,SAAO,OAAO,iBAAiB,EAAE,MAAM;AACzC;AAQA,eAAsB,aAAa,OAAwC;AACzE,MAAI;AACF,UAAM,SAAS,UAAU;AACzB,WAAO,uBAAuB,OAAO,UAAU,GAAG,KAAK;AAAA,EACzD,SAAS,KAAK;AAEZ,QAAI,eAAe,yBAAyB;AAC1C,aAAO;AAAA,IACT;AACA,UAAM;AAAA,EACR;AACF;AAEA,eAAsB,uBAAuB,QAA2C,OAAwC;AAE9H,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,EACT;AAGA,QAAM,WAAW,cAAc,KAAK;AAGpC,QAAM,SAAS,UAAU,IAAe,UAAU,IAAI;AACtD,MAAI,WAAW,MAAM;AACnB,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAC3B,KAAK,WAAW,EAChB,OAAO,sBAAsB,EAC7B,GAAG,MAAM,KAAK,EACd,GAAG,aAAa,IAAI,EACpB,OAAO;AAEV,QAAI,SAAS,CAAC,MAAM;AAClB,aAAO;AAAA,IACT;AAEA,UAAM,YAAuB,EAAE,gBAAgB,KAAK,kBAAkB,MAAM;AAI5E,cAAU,IAAI,UAAU,WAAW,IAAI,KAAK,KAAM,IAAI;AAEtD,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,IAAAD,KAAI,MAAM,8BAA8B,GAAG;AAC3C,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,mBAAmB,SAA4C;AACnF,QAAM,SAAS,UAAU;AACzB,MAAI;AACF,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,UAAU,EAC5C,KAAK,WAAW,EAChB,OAAO,sBAAsB,EAC7B,GAAG,QAAQ,OAAO,EAClB,GAAG,aAAa,IAAI,EACpB,OAAO;AAEV,QAAI,SAAS,CAAC,MAAM;AAClB,aAAO;AAAA,IACT;AAEA,WAAO,EAAE,gBAAgB,KAAK,kBAAkB,MAAM;AAAA,EACxD,SAAS,KAAK;AACZ,IAAAA,KAAI,MAAM,sCAAsC,GAAG;AACnD,WAAO;AAAA,EACT;AACF;AASA,eAAsB,oBAAoB,QAAc,gBAAwC;AAC9F,QAAM,cAAc,MAAM,eAAe;AAAA,IACvC;AAAA,IACA,OAAO,EAAE,eAAe;AAAA,EAC1B,CAAC;AAED,SAAO,gBAAgB,WAAW,gBAAgB;AACpD;AASA,eAAsB,aAAa,QAAc,OAAgC;AAC/E,MAAI,CAAC,MAAM,WAAW,CAAC,MAAM,OAAO;AAClC,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,MAAM,eAAe,EAAE,QAAQ,MAAM,CAAC;AAC1D,SAAO,gBAAgB,WAAW,gBAAgB;AACpD;AAQO,SAAS,oBAAoB,QAAc,gBAA6B;AAC7E,QAAM,WAAW,iBACb;AAAA,IACE,eAAe,WAAW,QAAQ,cAAc;AAAA,IAChD,UAAU,MAAM,IAAI,cAAc;AAAA,IAClC,OAAO,MAAM,IAAI,cAAc;AAAA,EACjC,IACA;AAAA,IACE,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM;AAAA,IAChB,OAAO,MAAM;AAAA,EACf;AAEJ,WAAS,QAAQ,aAAW,UAAU,WAAW,OAAO,CAAC;AAC3D;AAOO,SAAS,4BAA4B,gBAA4B;AACtE,YAAU,WAAW,eAAe,aAAa,cAAc,CAAC;AAClE;AAOO,SAAS,qBAAqB,SAAuB;AAC1D,YAAU,WAAW,eAAe,MAAM,OAAO,CAAC;AACpD;AAOO,SAAS,mBAAmB,OAAmB;AACpD,YAAU,WAAW,eAAe,IAAI,KAAK,CAAC;AAChD;AAKO,SAAS,aAAmB;AACjC,YAAU,MAAM;AAClB;","names":["log","log","hasPermission","isSuperAdmin","log","hasPermission"]}
|