@jmruthers/pace-core 0.5.190 → 0.5.193

package/dist/chunk-QWWZ5CAQ.js 3.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/utils/context/sessionTracking.ts","../src/utils/validation/common.ts","../src/utils/validation/passwordSchema.ts","../src/utils/app/appConfig.ts","../src/utils/formatting/formatting.ts"],"sourcesContent":["import type { SupabaseClient } from '@supabase/supabase-js';\nimport { createLogger } from '../core/logger';\n\nconst log = createLogger('SessionTracking');\n\n// Define the tracking parameters locally since old RBAC types are removed\ninterface TrackUserSessionParams {\n  p_session_type: 'event_switch' | 'session_expired';\n  p_event_id?: string;\n  p_app_id?: string;\n  ip_address?: string;\n  user_agent?: string;\n}\n\n/**\n * Hook for manual session tracking (event switches and session expiration).\n * \n * Note: Login and logout tracking is automatically handled by UnifiedAuthProvider.\n * You should only use this hook for tracking event switches or session expirations.\n * \n * @param supabaseClient - Supabase client instance\n * @param appName - Optional application name for tracking\n * @returns Object containing tracking functions for event switches and session expiration\n */\nexport function useSessionTracking(supabaseClient: SupabaseClient, appName?: string) {\n  // Resolve app name to app_id\n  const resolveAppId = async (): Promise<string | undefined> => {\n    if (!appName) return undefined;\n    \n    try {\n      const { data, error } = await supabaseClient\n        .from('rbac_apps')\n        .select('id')\n        .eq('name', appName)\n        .eq('is_active', true)\n        .single();\n      \n      if (error || !data) {\n        log.warn('App not found or inactive:', appName);\n        return undefined;\n      }\n      \n      return data.id;\n    } catch (error) {\n      log.error('Failed to resolve app ID:', error);\n      return undefined;\n    }\n  };\n  /**\n   * Track an event switch\n   * @param eventId - ID of the event being switched to\n   */\n  const trackEventSwitch = async (eventId: string) => {\n    try {\n      const { data: { user } } = await supabaseClient.auth.getUser();\n      if (!user) {\n        log.warn('No authenticated user found for session tracking');\n        return;\n      }\n\n      const appId = await resolveAppId();\n\n      const params: TrackUserSessionParams = {\n        p_session_type: 'event_switch',\n        p_event_id: eventId,\n        p_app_id: appId\n      };\n\n      const { error } = await supabaseClient.rpc('rbac_session_track', {\n        p_user_id: user?.id,\n        p_session_type: params.p_session_type,\n        p_event_id: params.p_event_id,\n        p_app_id: params.p_app_id,\n        p_ip_address: params.ip_address,\n        p_user_agent: params.user_agent\n      });\n      \n      if (error) {\n        log.error('Failed to track event switch session:', error);\n      }\n    } catch (error) {\n      log.error('Failed to track event switch:', error);\n    }\n  };\n\n  /**\n   * Track a session expiration\n   */\n  const trackSessionExpired = async () => {\n    try {\n      const { data: { user } } = await supabaseClient.auth.getUser();\n      if (!user) {\n        log.warn('No authenticated user found for session tracking');\n        return;\n      }\n\n      const appId = await resolveAppId();\n\n      const params: TrackUserSessionParams = {\n        p_session_type: 'session_expired',\n        p_app_id: appId\n      };\n\n      const { error } = await supabaseClient.rpc('rbac_session_track', {\n        p_user_id: user?.id,\n        p_session_type: params.p_session_type,\n        p_event_id: params.p_event_id,\n        p_app_id: params.p_app_id,\n        p_ip_address: params.ip_address,\n        p_user_agent: params.user_agent\n      });\n      \n      if (error) {\n        log.error('Failed to track session expiration:', error);\n      }\n    } catch (error) {\n      log.error('Failed to track session expiration:', error);\n    }\n  };\n\n  return {\n    trackEventSwitch,\n    trackSessionExpired\n  };\n} ","\n/**\n * @file Common validation schemas\n * @description Reusable validation schemas for common data types\n */\n\nimport { z } from 'zod';\n\n/**\n * Email validation schema\n */\nexport const emailSchema = z\n  .string()\n  .min(1, 'Email is required')\n  .email('Invalid email format')\n  .max(254, 'Email too long');\n\n/**\n * Name validation schema\n */\nexport const nameSchema = z\n  .string()\n  .min(1, 'Name is required')\n  .max(100, 'Name too long')\n  .regex(/^[a-zA-Z\\s'-]+$/, 'Name contains invalid characters');\n\n/**\n * Phone number validation schema\n */\nexport const phoneSchema = z\n  .string()\n  .regex(/^\\+?[\\d\\s\\-\\(\\)]+$/, 'Invalid phone number format')\n  .min(10, 'Phone number too short')\n  .max(20, 'Phone number too long');\n\n/**\n * URL validation schema\n */\nexport const urlSchema = z\n  .string()\n  .url('Invalid URL format')\n  .max(2048, 'URL too long');\n\n/**\n * Date validation schema\n */\nexport const dateSchema = z\n  .string()\n  .regex(/^\\d{4}-\\d{2}-\\d{2}$/, 'Date must be in YYYY-MM-DD format')\n  .refine((date) => {\n    const parsed = new Date(date);\n    return !isNaN(parsed.getTime());\n  }, 'Invalid date');\n","\n/**\n * @file Enhanced Password Schema with Security Validations\n * @description Comprehensive password validation with security checks\n */\n\nimport { z } from 'zod';\n\n// Common weak passwords to check against\nconst COMMON_PASSWORDS = new Set([\n  'password', '123456', '123456789', 'qwerty', 'abc123', 'password123',\n  'admin', 'letmein', 'welcome', 'monkey', '1234567890', 'password1'\n]);\n\n// Common password patterns to avoid\nconst WEAK_PATTERNS = [\n  /^(.)\\1+$/, // All same character\n  /^(012|123|234|345|456|567|678|789|890|987|876|765|654|543|432|321|210)+/, // Sequential numbers\n  /^(abc|bcd|cde|def|efg|fgh|ghi|hij|ijk|jkl|klm|lmn|mno|nop|opq|pqr|qrs|rst|stu|tuv|uvw|vwx|wxy|xyz)+/i, // Sequential letters\n];\n\n/**\n * Enhanced password validation schema with security checks\n */\nexport const securePasswordSchema = z\n  .string()\n  .min(8, 'Password must be at least 8 characters long')\n  .max(128, 'Password must not exceed 128 characters')\n  .refine(\n    (password) => /[a-z]/.test(password),\n    'Password must contain at least one lowercase letter'\n  )\n  .refine(\n    (password) => /[A-Z]/.test(password),\n    'Password must contain at least one uppercase letter'\n  )\n  .refine(\n    (password) => /\\d/.test(password),\n    'Password must contain at least one number'\n  )\n  .refine(\n    (password) => /[!@#$%^&*()_+\\-=\\[\\]{};':\"\\\\|,.<>\\/?]/.test(password),\n    'Password must contain at least one special character'\n  )\n  .refine(\n    (password) => !COMMON_PASSWORDS.has(password.toLowerCase()),\n    'Password is too common. Please choose a stronger password'\n  )\n  .refine(\n    (password) => !WEAK_PATTERNS.some(pattern => pattern.test(password)),\n    'Password contains weak patterns. Please choose a more complex password'\n  )\n  .refine(\n    (password) => {\n      // Check for keyboard patterns (qwerty, asdf, etc.)\n      const keyboardPatterns = ['qwerty', 'asdfgh', 'zxcvbn', '1234567890'];\n      return !keyboardPatterns.some(pattern => \n        password.toLowerCase().includes(pattern)\n      );\n    },\n    'Password contains keyboard patterns. Please choose a more secure password'\n  );\n\n/**\n * Basic password schema for less strict requirements\n */\nexport const passwordSchema = z\n  .string()\n  .min(6, 'Password must be at least 6 characters long')\n  .max(128, 'Password must not exceed 128 characters');\n\n/**\n * Password strength calculator\n */\nexport function calculatePasswordStrength(password: string): {\n  score: number;\n  feedback: string[];\n  level: 'very-weak' | 'weak' | 'fair' | 'good' | 'strong';\n} {\n  let score = 0;\n  const feedback: string[] = [];\n\n  // Length check\n  if (password.length >= 8) score += 20;\n  else if (password.length >= 6) score += 10;\n  else feedback.push('Use at least 8 characters');\n\n  // Character variety\n  if (/[a-z]/.test(password)) score += 15;\n  else feedback.push('Add lowercase letters');\n\n  if (/[A-Z]/.test(password)) score += 15;\n  else feedback.push('Add uppercase letters');\n\n  if (/\\d/.test(password)) score += 15;\n  else feedback.push('Add numbers');\n\n  if (/[!@#$%^&*()_+\\-=\\[\\]{};':\"\\\\|,.<>\\/?]/.test(password)) score += 15;\n  else feedback.push('Add special characters');\n\n  // Additional complexity\n  if (password.length >= 12) score += 10;\n  if (/[^a-zA-Z0-9]/.test(password)) score += 10;\n\n  // Penalties\n  if (COMMON_PASSWORDS.has(password.toLowerCase())) {\n    score -= 30;\n    feedback.push('Avoid common passwords');\n  }\n\n  if (WEAK_PATTERNS.some(pattern => pattern.test(password))) {\n    score -= 20;\n    feedback.push('Avoid predictable patterns');\n  }\n\n  // Determine level\n  let level: 'very-weak' | 'weak' | 'fair' | 'good' | 'strong';\n  if (score < 30) level = 'very-weak';\n  else if (score < 50) level = 'weak';\n  else if (score < 70) level = 'fair';\n  else if (score < 90) level = 'good';\n  else level = 'strong';\n\n  return { score: Math.max(0, Math.min(100, score)), feedback, level };\n}\n","\n/**\n * Application configuration utilities\n */\n\nexport interface AppConfig {\n  appName: string;\n  appId: string;\n}\n\nlet currentAppConfig: AppConfig | null = null;\n\n/**\n * Set the current application configuration\n */\nexport function setAppConfig(config: AppConfig) {\n  currentAppConfig = config;\n}\n\n/**\n * Get the current application configuration\n */\nexport function getAppConfig(): AppConfig {\n  if (!currentAppConfig) {\n    // Fallback to environment or default\n    const appName = import.meta.env.REACT_APP_NAME || 'PACE';\n    return {\n      appName,\n      appId: appName\n    };\n  }\n  return currentAppConfig;\n}\n\n/**\n * Get the current app name\n */\nexport function getCurrentAppName(): string {\n  return getAppConfig().appName;\n}\n\n/**\n * Get the current app ID\n */\nexport function getCurrentAppId(): string {\n  return getAppConfig().appId;\n}\n","/**\n * Utility functions for formatting data in the application\n */\n\nimport { parseISO, isValid } from 'date-fns';\nimport { formatInTimeZone, getTimezoneAbbreviation } from '../timezone';\n\n/**\n * Format a date as a readable string in \"dd mmm yyyy\" format (e.g., \"15 Jun 2024\")\n */\nexport function formatDate(date: Date | string | number): string {\n  const dateObj = typeof date === 'string' || typeof date === 'number' \n    ? new Date(date) \n    : date;\n  \n  // Use 'en-GB' locale to ensure \"dd mmm yyyy\" format (e.g., \"15 Jun 2024\")\n  return dateObj.toLocaleDateString('en-GB', {\n    year: 'numeric',\n    month: 'short',\n    day: 'numeric'\n  });\n}\n\n/**\n * Format a time as a readable string in \"HH:mm\" format (e.g., \"14:30\")\n * Uses 24-hour format for consistency across pace apps\n */\nexport function formatTime(date: Date | string | number): string {\n  const dateObj = typeof date === 'string' || typeof date === 'number' \n    ? new Date(date) \n    : date;\n  \n  // Use 'en-GB' locale to ensure \"HH:mm\" format (24-hour format)\n  return dateObj.toLocaleTimeString('en-GB', {\n    hour: '2-digit',\n    minute: '2-digit',\n    hour12: false\n  });\n}\n\n/**\n * Format a date and time as a readable string in \"dd mmm yyyy, HH:mm\" format (e.g., \"15 Jun 2024, 14:30\")\n * Uses 24-hour format for consistency across pace apps\n */\nexport function formatDateTime(date: Date | string | number): string {\n  const dateObj = typeof date === 'string' || typeof date === 'number' \n    ? new Date(date) \n    : date;\n  \n  // Use 'en-GB' locale to ensure consistent format (e.g., \"15 Jun 2024, 14:30\")\n  return dateObj.toLocaleString('en-GB', {\n    year: 'numeric',\n    month: 'short',\n    day: 'numeric',\n    hour: '2-digit',\n    minute: '2-digit',\n    hour12: false\n  });\n}\n\n/**\n * Format a number as a currency\n */\nexport function formatCurrency(value: number, currencyCode = 'USD', locale = 'en-US'): string {\n  return new Intl.NumberFormat(locale, {\n    style: 'currency',\n    currency: currencyCode,\n  }).format(value);\n}\n\n/**\n * Format a number with custom options\n */\nexport function formatNumber(\n  value: number,\n  options: Intl.NumberFormatOptions = {},\n  locale = 'en-US'\n): string {\n  return new Intl.NumberFormat(locale, options).format(value);\n}\n\n/**\n * Format a number as a percentage.\n * \n * The third parameter can be either:\n * - A number for fixed decimal places (backward compatible): `formatPercent(0.81, 'en-US', 2)`\n * - An options object with:\n *   - `decimals`: Fixed number of decimal places (default: 1)\n *   - `preserveDecimals`: Auto-detect and preserve decimal places from the input value\n *   - `maxDecimals`: Maximum decimal places when preserving (default: 10)\n * \n * @param value - The percentage value as a decimal (e.g., 0.81 for 0.81%)\n * @param locale - The locale string (default: 'en-US')\n * @param decimalsOrOptions - Either a number for fixed decimals, or an options object with:\n *   - `decimals` - Fixed number of decimal places (default: 1)\n *   - `preserveDecimals` - Auto-detect and preserve decimal places from the input value\n *   - `maxDecimals` - Maximum decimal places when preserving (default: 10)\n * @returns Formatted percentage string (e.g., \"0.81%\", \"81%\")\n * \n * @example\n * ```ts\n * // Fixed decimals (default behavior)\n * formatPercent(0.5) // '0.5%'\n * formatPercent(0.81, 'en-US', 1) // '0.8%' (loses precision)\n * \n * // Preserve decimal places dynamically\n * formatPercent(0.81, 'en-US', { preserveDecimals: true }) // '0.81%'\n * formatPercent(0.8123, 'en-US', { preserveDecimals: true, maxDecimals: 2 }) // '0.81%'\n * ```\n */\nexport function formatPercent(\n  value: number,\n  locale: string = 'en-US',\n  decimalsOrOptions?: number | {\n    decimals?: number;\n    preserveDecimals?: boolean;\n    maxDecimals?: number;\n  }\n): string {\n  let decimals: number;\n\n  // Backward compatibility: if decimalsOrOptions is a number, use it directly\n  if (typeof decimalsOrOptions === 'number') {\n    decimals = decimalsOrOptions;\n  } else if (decimalsOrOptions && typeof decimalsOrOptions === 'object') {\n    // New options object: check if we should preserve decimals\n    if (decimalsOrOptions.preserveDecimals) {\n      const valueStr = value.toString();\n      const decimalIndex = valueStr.indexOf('.');\n      \n      if (decimalIndex !== -1) {\n        const detectedDecimals = valueStr.length - decimalIndex - 1;\n        const maxDecimals = decimalsOrOptions.maxDecimals ?? 10;\n        decimals = Math.min(detectedDecimals, maxDecimals);\n      } else {\n        decimals = 0;\n      }\n    } else {\n      decimals = decimalsOrOptions.decimals ?? 1;\n    }\n  } else {\n    decimals = 1;\n  }\n\n  return new Intl.NumberFormat(locale, {\n    style: 'percent',\n    minimumFractionDigits: decimals,\n    maximumFractionDigits: decimals,\n  }).format(value / 100);\n}\n\n/**\n * Format a large number with abbreviations (K, M, B)\n */\nexport function formatCompactNumber(value: number, locale = 'en-US'): string {\n  return new Intl.NumberFormat(locale, {\n    notation: 'compact',\n    compactDisplay: 'short'\n  }).format(value);\n}\n\n/**\n * Format a file size in bytes to a human-readable string\n */\nexport function formatFileSize(bytes: number): string {\n  if (bytes === 0) return '0 Bytes';\n  \n  const k = 1024;\n  const sizes = ['Bytes', 'KB', 'MB', 'GB', 'TB', 'PB'];\n  const i = Math.floor(Math.log(bytes) / Math.log(k));\n  \n  return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + ' ' + sizes[i];\n}\n\n/**\n * Options for formatting date/time with timezone\n */\nexport interface DateTimeFormatOptions {\n  /**\n   * Include timezone abbreviation (default: true)\n   */\n  includeTimezone?: boolean;\n  /**\n   * Custom format string (default: 'MMM dd, yyyy HH:mm')\n   */\n  format?: string;\n}\n\n/**\n * Format a UTC date for display in a specific timezone\n *\n * @param utcDate - UTC date (ISO string, Date object, or undefined)\n * @param timezone - IANA timezone string (e.g., 'America/New_York')\n * @param options - Formatting options\n * @returns Formatted date string or empty string if invalid\n *\n * @example\n * ```ts\n * formatDateTimeForDisplay('2024-01-15T10:00:00Z', 'America/New_York');\n * // \"Jan 15, 2024 05:00 (EST)\"\n *\n * formatDateTimeForDisplay('2024-01-15T10:00:00Z', 'America/New_York', { includeTimezone: false });\n * // \"Jan 15, 2024 05:00\"\n * ```\n */\nexport function formatDateTimeForDisplay(\n  utcDate: string | Date | undefined,\n  timezone: string | undefined,\n  options: DateTimeFormatOptions = {}\n): string {\n  if (!utcDate) {\n    return '';\n  }\n\n  if (!timezone) {\n    return '';\n  }\n\n  try {\n    const { includeTimezone = true, format: formatStr = 'MMM dd, yyyy HH:mm' } = options;\n\n    let dateObj: Date;\n    if (typeof utcDate === 'string') {\n      dateObj = parseISO(utcDate);\n    } else {\n      dateObj = utcDate;\n    }\n\n    if (!isValid(dateObj)) {\n      return '';\n    }\n\n    const formatted = formatInTimeZone(dateObj, timezone, formatStr);\n\n    if (includeTimezone) {\n      const tzAbbr = getTimezoneAbbreviation(dateObj, timezone);\n      return `${formatted} (${tzAbbr})`;\n    }\n\n    return formatted;\n  } catch {\n    return '';\n  }\n}\n\n/**\n * Format a UTC date for display (date only, no time)\n *\n * @param utcDate - UTC date (ISO string, Date object, or undefined)\n * @returns Formatted date string or empty string if invalid\n *\n * @example\n * ```ts\n * formatDateOnlyForDisplay('2024-01-15T10:00:00Z');\n * // \"15 January 2024\"\n * ```\n */\nexport function formatDateOnlyForDisplay(utcDate: string | Date | undefined): string {\n  if (!utcDate) {\n    return '';\n  }\n\n  try {\n    let dateObj: Date;\n    if (typeof utcDate === 'string') {\n      dateObj = parseISO(utcDate);\n    } else {\n      dateObj = utcDate;\n    }\n\n    if (!isValid(dateObj)) {\n      return '';\n    }\n\n    // Use 'en-GB' locale for \"dd mmm yyyy\" format\n    return dateObj.toLocaleDateString('en-GB', {\n      year: 'numeric',\n      month: 'long',\n      day: 'numeric'\n    });\n  } catch {\n    return '';\n  }\n}\n\n/**\n * Format a UTC date for table display (compact format with timezone)\n *\n * @param utcDate - UTC date (ISO string, Date object, or undefined)\n * @param timezone - IANA timezone string\n * @returns Formatted date string or empty string if invalid\n *\n * @example\n * ```ts\n * formatDateTimeForTable('2024-01-15T10:00:00Z', 'America/New_York');\n * // \"Jan 15, 2024 05:00 (EST)\"\n * ```\n */\nexport function formatDateTimeForTable(\n  utcDate: string | Date | undefined,\n  timezone: string | undefined\n): string {\n  return formatDateTimeForDisplay(utcDate, timezone, {\n    includeTimezone: true,\n    format: 'MMM dd, yyyy HH:mm'\n  });\n}\n\n/**\n * Format a UTC date for map display (compact format)\n *\n * @param utcDate - UTC date (ISO string, Date object, or undefined)\n * @param timezone - IANA timezone string\n * @returns Formatted date string or empty string if invalid\n *\n * @example\n * ```ts\n * formatDateTimeForMap('2024-01-15T10:00:00Z', 'America/New_York');\n * // \"Jan 15, 05:00 EST\"\n * ```\n */\nexport function formatDateTimeForMap(\n  utcDate: string | Date | undefined,\n  timezone: string | undefined\n): string {\n  if (!utcDate || !timezone) {\n    return '';\n  }\n\n  try {\n    let dateObj: Date;\n    if (typeof utcDate === 'string') {\n      dateObj = parseISO(utcDate);\n    } else {\n      dateObj = utcDate;\n    }\n\n    if (!isValid(dateObj)) {\n      return '';\n    }\n\n    const formatted = formatInTimeZone(dateObj, timezone, 'MMM dd, HH:mm');\n    const tzAbbr = getTimezoneAbbreviation(dateObj, timezone);\n\n    return `${formatted} ${tzAbbr}`;\n  } catch {\n    return '';\n  }\n}\n"],"mappings":";;;;;;;;;AAGA,IAAM,MAAM,aAAa,iBAAiB;AAqBnC,SAAS,mBAAmB,gBAAgC,SAAkB;AAEnF,QAAM,eAAe,YAAyC;AAC5D,QAAI,CAAC,QAAS,QAAO;AAErB,QAAI;AACF,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,eAC3B,KAAK,WAAW,EAChB,OAAO,IAAI,EACX,GAAG,QAAQ,OAAO,EAClB,GAAG,aAAa,IAAI,EACpB,OAAO;AAEV,UAAI,SAAS,CAAC,MAAM;AAClB,YAAI,KAAK,8BAA8B,OAAO;AAC9C,eAAO;AAAA,MACT;AAEA,aAAO,KAAK;AAAA,IACd,SAAS,OAAO;AACd,UAAI,MAAM,6BAA6B,KAAK;AAC5C,aAAO;AAAA,IACT;AAAA,EACF;AAKA,QAAM,mBAAmB,OAAO,YAAoB;AAClD,QAAI;AACF,YAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,MAAM,eAAe,KAAK,QAAQ;AAC7D,UAAI,CAAC,MAAM;AACT,YAAI,KAAK,kDAAkD;AAC3D;AAAA,MACF;AAEA,YAAM,QAAQ,MAAM,aAAa;AAEjC,YAAM,SAAiC;AAAA,QACrC,gBAAgB;AAAA,QAChB,YAAY;AAAA,QACZ,UAAU;AAAA,MACZ;AAEA,YAAM,EAAE,MAAM,IAAI,MAAM,eAAe,IAAI,sBAAsB;AAAA,QAC/D,WAAW,MAAM;AAAA,QACjB,gBAAgB,OAAO;AAAA,QACvB,YAAY,OAAO;AAAA,QACnB,UAAU,OAAO;AAAA,QACjB,cAAc,OAAO;AAAA,QACrB,cAAc,OAAO;AAAA,MACvB,CAAC;AAED,UAAI,OAAO;AACT,YAAI,MAAM,yCAAyC,KAAK;AAAA,MAC1D;AAAA,IACF,SAAS,OAAO;AACd,UAAI,MAAM,iCAAiC,KAAK;AAAA,IAClD;AAAA,EACF;AAKA,QAAM,sBAAsB,YAAY;AACtC,QAAI;AACF,YAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,MAAM,eAAe,KAAK,QAAQ;AAC7D,UAAI,CAAC,MAAM;AACT,YAAI,KAAK,kDAAkD;AAC3D;AAAA,MACF;AAEA,YAAM,QAAQ,MAAM,aAAa;AAEjC,YAAM,SAAiC;AAAA,QACrC,gBAAgB;AAAA,QAChB,UAAU;AAAA,MACZ;AAEA,YAAM,EAAE,MAAM,IAAI,MAAM,eAAe,IAAI,sBAAsB;AAAA,QAC/D,WAAW,MAAM;AAAA,QACjB,gBAAgB,OAAO;AAAA,QACvB,YAAY,OAAO;AAAA,QACnB,UAAU,OAAO;AAAA,QACjB,cAAc,OAAO;AAAA,QACrB,cAAc,OAAO;AAAA,MACvB,CAAC;AAED,UAAI,OAAO;AACT,YAAI,MAAM,uCAAuC,KAAK;AAAA,MACxD;AAAA,IACF,SAAS,OAAO;AACd,UAAI,MAAM,uCAAuC,KAAK;AAAA,IACxD;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;;;ACtHA,SAAS,SAAS;AAKX,IAAM,cAAc,EACxB,OAAO,EACP,IAAI,GAAG,mBAAmB,EAC1B,MAAM,sBAAsB,EAC5B,IAAI,KAAK,gBAAgB;AAKrB,IAAM,aAAa,EACvB,OAAO,EACP,IAAI,GAAG,kBAAkB,EACzB,IAAI,KAAK,eAAe,EACxB,MAAM,mBAAmB,kCAAkC;AAKvD,IAAM,cAAc,EACxB,OAAO,EACP,MAAM,sBAAsB,6BAA6B,EACzD,IAAI,IAAI,wBAAwB,EAChC,IAAI,IAAI,uBAAuB;AAK3B,IAAM,YAAY,EACtB,OAAO,EACP,IAAI,oBAAoB,EACxB,IAAI,MAAM,cAAc;AAKpB,IAAM,aAAa,EACvB,OAAO,EACP,MAAM,uBAAuB,mCAAmC,EAChE,OAAO,CAAC,SAAS;AAChB,QAAM,SAAS,IAAI,KAAK,IAAI;AAC5B,SAAO,CAAC,MAAM,OAAO,QAAQ,CAAC;AAChC,GAAG,cAAc;;;AC9CnB,SAAS,KAAAA,UAAS;AAGlB,IAAM,mBAAmB,oBAAI,IAAI;AAAA,EAC/B;AAAA,EAAY;AAAA,EAAU;AAAA,EAAa;AAAA,EAAU;AAAA,EAAU;AAAA,EACvD;AAAA,EAAS;AAAA,EAAW;AAAA,EAAW;AAAA,EAAU;AAAA,EAAc;AACzD,CAAC;AAGD,IAAM,gBAAgB;AAAA,EACpB;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AACF;AAKO,IAAM,uBAAuBA,GACjC,OAAO,EACP,IAAI,GAAG,6CAA6C,EACpD,IAAI,KAAK,yCAAyC,EAClD;AAAA,EACC,CAAC,aAAa,QAAQ,KAAK,QAAQ;AAAA,EACnC;AACF,EACC;AAAA,EACC,CAAC,aAAa,QAAQ,KAAK,QAAQ;AAAA,EACnC;AACF,EACC;AAAA,EACC,CAAC,aAAa,KAAK,KAAK,QAAQ;AAAA,EAChC;AACF,EACC;AAAA,EACC,CAAC,aAAa,wCAAwC,KAAK,QAAQ;AAAA,EACnE;AACF,EACC;AAAA,EACC,CAAC,aAAa,CAAC,iBAAiB,IAAI,SAAS,YAAY,CAAC;AAAA,EAC1D;AACF,EACC;AAAA,EACC,CAAC,aAAa,CAAC,cAAc,KAAK,aAAW,QAAQ,KAAK,QAAQ,CAAC;AAAA,EACnE;AACF,EACC;AAAA,EACC,CAAC,aAAa;AAEZ,UAAM,mBAAmB,CAAC,UAAU,UAAU,UAAU,YAAY;AACpE,WAAO,CAAC,iBAAiB;AAAA,MAAK,aAC5B,SAAS,YAAY,EAAE,SAAS,OAAO;AAAA,IACzC;AAAA,EACF;AAAA,EACA;AACF;AAKK,IAAM,iBAAiBA,GAC3B,OAAO,EACP,IAAI,GAAG,6CAA6C,EACpD,IAAI,KAAK,yCAAyC;AAK9C,SAAS,0BAA0B,UAIxC;AACA,MAAI,QAAQ;AACZ,QAAM,WAAqB,CAAC;AAG5B,MAAI,SAAS,UAAU,EAAG,UAAS;AAAA,WAC1B,SAAS,UAAU,EAAG,UAAS;AAAA,MACnC,UAAS,KAAK,2BAA2B;AAG9C,MAAI,QAAQ,KAAK,QAAQ,EAAG,UAAS;AAAA,MAChC,UAAS,KAAK,uBAAuB;AAE1C,MAAI,QAAQ,KAAK,QAAQ,EAAG,UAAS;AAAA,MAChC,UAAS,KAAK,uBAAuB;AAE1C,MAAI,KAAK,KAAK,QAAQ,EAAG,UAAS;AAAA,MAC7B,UAAS,KAAK,aAAa;AAEhC,MAAI,wCAAwC,KAAK,QAAQ,EAAG,UAAS;AAAA,MAChE,UAAS,KAAK,wBAAwB;AAG3C,MAAI,SAAS,UAAU,GAAI,UAAS;AACpC,MAAI,eAAe,KAAK,QAAQ,EAAG,UAAS;AAG5C,MAAI,iBAAiB,IAAI,SAAS,YAAY,CAAC,GAAG;AAChD,aAAS;AACT,aAAS,KAAK,wBAAwB;AAAA,EACxC;AAEA,MAAI,cAAc,KAAK,aAAW,QAAQ,KAAK,QAAQ,CAAC,GAAG;AACzD,aAAS;AACT,aAAS,KAAK,4BAA4B;AAAA,EAC5C;AAGA,MAAI;AACJ,MAAI,QAAQ,GAAI,SAAQ;AAAA,WACf,QAAQ,GAAI,SAAQ;AAAA,WACpB,QAAQ,GAAI,SAAQ;AAAA,WACpB,QAAQ,GAAI,SAAQ;AAAA,MACxB,SAAQ;AAEb,SAAO,EAAE,OAAO,KAAK,IAAI,GAAG,KAAK,IAAI,KAAK,KAAK,CAAC,GAAG,UAAU,MAAM;AACrE;;;AClHA,IAAI,mBAAqC;AAKlC,SAAS,aAAa,QAAmB;AAC9C,qBAAmB;AACrB;AAKO,SAAS,eAA0B;AACxC,MAAI,CAAC,kBAAkB;AAErB,UAAM,UAAU,YAAY,IAAI,kBAAkB;AAClD,WAAO;AAAA,MACL;AAAA,MACA,OAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAKO,SAAS,oBAA4B;AAC1C,SAAO,aAAa,EAAE;AACxB;AAKO,SAAS,kBAA0B;AACxC,SAAO,aAAa,EAAE;AACxB;;;AC1CA,SAAS,UAAU,eAAe;AAM3B,SAAS,WAAW,MAAsC;AAC/D,QAAM,UAAU,OAAO,SAAS,YAAY,OAAO,SAAS,WACxD,IAAI,KAAK,IAAI,IACb;AAGJ,SAAO,QAAQ,mBAAmB,SAAS;AAAA,IACzC,MAAM;AAAA,IACN,OAAO;AAAA,IACP,KAAK;AAAA,EACP,CAAC;AACH;AAMO,SAAS,WAAW,MAAsC;AAC/D,QAAM,UAAU,OAAO,SAAS,YAAY,OAAO,SAAS,WACxD,IAAI,KAAK,IAAI,IACb;AAGJ,SAAO,QAAQ,mBAAmB,SAAS;AAAA,IACzC,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,QAAQ;AAAA,EACV,CAAC;AACH;AAMO,SAAS,eAAe,MAAsC;AACnE,QAAM,UAAU,OAAO,SAAS,YAAY,OAAO,SAAS,WACxD,IAAI,KAAK,IAAI,IACb;AAGJ,SAAO,QAAQ,eAAe,SAAS;AAAA,IACrC,MAAM;AAAA,IACN,OAAO;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,IACN,QAAQ;AAAA,IACR,QAAQ;AAAA,EACV,CAAC;AACH;AAKO,SAAS,eAAe,OAAe,eAAe,OAAO,SAAS,SAAiB;AAC5F,SAAO,IAAI,KAAK,aAAa,QAAQ;AAAA,IACnC,OAAO;AAAA,IACP,UAAU;AAAA,EACZ,CAAC,EAAE,OAAO,KAAK;AACjB;AAKO,SAAS,aACd,OACA,UAAoC,CAAC,GACrC,SAAS,SACD;AACR,SAAO,IAAI,KAAK,aAAa,QAAQ,OAAO,EAAE,OAAO,KAAK;AAC5D;AA+BO,SAAS,cACd,OACA,SAAiB,SACjB,mBAKQ;AACR,MAAI;AAGJ,MAAI,OAAO,sBAAsB,UAAU;AACzC,eAAW;AAAA,EACb,WAAW,qBAAqB,OAAO,sBAAsB,UAAU;AAErE,QAAI,kBAAkB,kBAAkB;AACtC,YAAM,WAAW,MAAM,SAAS;AAChC,YAAM,eAAe,SAAS,QAAQ,GAAG;AAEzC,UAAI,iBAAiB,IAAI;AACvB,cAAM,mBAAmB,SAAS,SAAS,eAAe;AAC1D,cAAM,cAAc,kBAAkB,eAAe;AACrD,mBAAW,KAAK,IAAI,kBAAkB,WAAW;AAAA,MACnD,OAAO;AACL,mBAAW;AAAA,MACb;AAAA,IACF,OAAO;AACL,iBAAW,kBAAkB,YAAY;AAAA,IAC3C;AAAA,EACF,OAAO;AACL,eAAW;AAAA,EACb;AAEA,SAAO,IAAI,KAAK,aAAa,QAAQ;AAAA,IACnC,OAAO;AAAA,IACP,uBAAuB;AAAA,IACvB,uBAAuB;AAAA,EACzB,CAAC,EAAE,OAAO,QAAQ,GAAG;AACvB;AAKO,SAAS,oBAAoB,OAAe,SAAS,SAAiB;AAC3E,SAAO,IAAI,KAAK,aAAa,QAAQ;AAAA,IACnC,UAAU;AAAA,IACV,gBAAgB;AAAA,EAClB,CAAC,EAAE,OAAO,KAAK;AACjB;AAKO,SAAS,eAAe,OAAuB;AACpD,MAAI,UAAU,EAAG,QAAO;AAExB,QAAM,IAAI;AACV,QAAM,QAAQ,CAAC,SAAS,MAAM,MAAM,MAAM,MAAM,IAAI;AACpD,QAAM,IAAI,KAAK,MAAM,KAAK,IAAI,KAAK,IAAI,KAAK,IAAI,CAAC,CAAC;AAElD,SAAO,YAAY,QAAQ,KAAK,IAAI,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,MAAM,MAAM,CAAC;AACxE;AAiCO,SAAS,yBACd,SACA,UACA,UAAiC,CAAC,GAC1B;AACR,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,EAAE,kBAAkB,MAAM,QAAQ,YAAY,qBAAqB,IAAI;AAE7E,QAAI;AACJ,QAAI,OAAO,YAAY,UAAU;AAC/B,gBAAU,SAAS,OAAO;AAAA,IAC5B,OAAO;AACL,gBAAU;AAAA,IACZ;AAEA,QAAI,CAAC,QAAQ,OAAO,GAAG;AACrB,aAAO;AAAA,IACT;AAEA,UAAM,YAAY,iBAAiB,SAAS,UAAU,SAAS;AAE/D,QAAI,iBAAiB;AACnB,YAAM,SAAS,wBAAwB,SAAS,QAAQ;AACxD,aAAO,GAAG,SAAS,KAAK,MAAM;AAAA,IAChC;AAEA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,yBAAyB,SAA4C;AACnF,MAAI,CAAC,SAAS;AACZ,WAAO;AAAA,EACT;AAEA,MAAI;AACF,QAAI;AACJ,QAAI,OAAO,YAAY,UAAU;AAC/B,gBAAU,SAAS,OAAO;AAAA,IAC5B,OAAO;AACL,gBAAU;AAAA,IACZ;AAEA,QAAI,CAAC,QAAQ,OAAO,GAAG;AACrB,aAAO;AAAA,IACT;AAGA,WAAO,QAAQ,mBAAmB,SAAS;AAAA,MACzC,MAAM;AAAA,MACN,OAAO;AAAA,MACP,KAAK;AAAA,IACP,CAAC;AAAA,EACH,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeO,SAAS,uBACd,SACA,UACQ;AACR,SAAO,yBAAyB,SAAS,UAAU;AAAA,IACjD,iBAAiB;AAAA,IACjB,QAAQ;AAAA,EACV,CAAC;AACH;AAeO,SAAS,qBACd,SACA,UACQ;AACR,MAAI,CAAC,WAAW,CAAC,UAAU;AACzB,WAAO;AAAA,EACT;AAEA,MAAI;AACF,QAAI;AACJ,QAAI,OAAO,YAAY,UAAU;AAC/B,gBAAU,SAAS,OAAO;AAAA,IAC5B,OAAO;AACL,gBAAU;AAAA,IACZ;AAEA,QAAI,CAAC,QAAQ,OAAO,GAAG;AACrB,aAAO;AAAA,IACT;AAEA,UAAM,YAAY,iBAAiB,SAAS,UAAU,eAAe;AACrE,UAAM,SAAS,wBAAwB,SAAS,QAAQ;AAExD,WAAO,GAAG,SAAS,IAAI,MAAM;AAAA,EAC/B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":["z"]}

package/dist/chunk-QXHPKYJV 3.js

@@ -0,0 +1,113 @@
+// src/types/core.ts
+function createUserId(id) {
+  return id;
+}
+function createSessionToken(token) {
+  return token;
+}
+function createPermissionString(permission) {
+  return permission;
+}
+function createRequestId(id) {
+  return id;
+}
+function createOrganisationId(id) {
+  return id;
+}
+function createEventId(id) {
+  return id;
+}
+function createAppId(id) {
+  return id;
+}
+function createPageId(id) {
+  return id;
+}
+function isUserId(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function isSessionToken(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function isPermissionString(value) {
+  if (typeof value !== "string" || value.length === 0) return false;
+  return value.includes(":") && value.split(":").length === 2;
+}
+function isRequestId(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function isOrganisationId(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function isEventId(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function isAppId(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function isPageId(value) {
+  return typeof value === "string" && value.length > 0;
+}
+function assertUserId(id) {
+  return id;
+}
+function assertOrganisationId(id) {
+  return id;
+}
+function assertEventId(id) {
+  return id;
+}
+function assertAppId(id) {
+  return id;
+}
+function assertPageId(id) {
+  return id;
+}
+var AuthErrorCode = /* @__PURE__ */ ((AuthErrorCode2) => {
+  AuthErrorCode2["UNKNOWN_ERROR"] = "UNKNOWN_ERROR";
+  AuthErrorCode2["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
+  AuthErrorCode2["USER_NOT_FOUND"] = "USER_NOT_FOUND";
+  AuthErrorCode2["EMAIL_NOT_CONFIRMED"] = "EMAIL_NOT_CONFIRMED";
+  AuthErrorCode2["PASSWORD_TOO_WEAK"] = "PASSWORD_TOO_WEAK";
+  AuthErrorCode2["WEAK_PASSWORD"] = "WEAK_PASSWORD";
+  AuthErrorCode2["RATE_LIMITED"] = "RATE_LIMITED";
+  AuthErrorCode2["RATE_LIMIT_EXCEEDED"] = "RATE_LIMIT_EXCEEDED";
+  AuthErrorCode2["SESSION_EXPIRED"] = "SESSION_EXPIRED";
+  AuthErrorCode2["PERMISSION_DENIED"] = "PERMISSION_DENIED";
+  AuthErrorCode2["NETWORK_ERROR"] = "NETWORK_ERROR";
+  return AuthErrorCode2;
+})(AuthErrorCode || {});
+var PermissionErrorCode = /* @__PURE__ */ ((PermissionErrorCode2) => {
+  PermissionErrorCode2["INSUFFICIENT_PERMISSIONS"] = "INSUFFICIENT_PERMISSIONS";
+  PermissionErrorCode2["INVALID_PERMISSION"] = "INVALID_PERMISSION";
+  PermissionErrorCode2["PERMISSION_CHECK_FAILED"] = "PERMISSION_CHECK_FAILED";
+  PermissionErrorCode2["ACCESS_DENIED"] = "ACCESS_DENIED";
+  return PermissionErrorCode2;
+})(PermissionErrorCode || {});
+
+export {
+  createUserId,
+  createSessionToken,
+  createPermissionString,
+  createRequestId,
+  createOrganisationId,
+  createEventId,
+  createAppId,
+  createPageId,
+  isUserId,
+  isSessionToken,
+  isPermissionString,
+  isRequestId,
+  isOrganisationId,
+  isEventId,
+  isAppId,
+  isPageId,
+  assertUserId,
+  assertOrganisationId,
+  assertEventId,
+  assertAppId,
+  assertPageId,
+  AuthErrorCode,
+  PermissionErrorCode
+};
+//# sourceMappingURL=chunk-QXHPKYJV.js.map

package/dist/chunk-R77UEZ4E 3.js

@@ -0,0 +1,68 @@
+// src/utils/core/cn.ts
+import { clsx } from "clsx";
+import { twMerge } from "tailwind-merge";
+function cn(...inputs) {
+  return twMerge(clsx(inputs));
+}
+
+// src/utils/validation/htmlSanitization.ts
+function sanitizeHtml(html) {
+  if (!html || typeof html !== "string") {
+    return "";
+  }
+  let sanitized = html.replace(/<script\b[^>]*>.*?<\/script>/gi, "").replace(/<script\b[^>]*\/>/gi, "").replace(/<iframe\b[^>]*>.*?<\/iframe>/gi, "").replace(/<iframe\b[^>]*\/>/gi, "").replace(/<object\b[^>]*>.*?<\/object>/gi, "").replace(/<object\b[^>]*\/>/gi, "").replace(/<embed\b[^>]*\/?>/gi, "").replace(/<form\b[^>]*>.*?<\/form>/gi, "").replace(/<form\b[^>]*\/>/gi, "").replace(/<input\b[^>]*\/?>/gi, "").replace(/<button\b[^>]*>.*?<\/button>/gi, "").replace(/<button\b[^>]*\/>/gi, "").replace(/\s*on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:[^"'\s>]*/gi, "").replace(/data:[^"'\s>]*/gi, "");
+  return sanitized;
+}
+function validateHtml(html) {
+  const warnings = [];
+  if (!html || typeof html !== "string") {
+    return { isValid: false, warnings: ["HTML content must be a non-empty string"] };
+  }
+  const dangerousPatterns = [
+    { pattern: /<script\b[^>]*>.*?<\/script>/gi, message: "Script tags are not allowed" },
+    { pattern: /<script\b[^>]*\/>/gi, message: "Script tags are not allowed" },
+    { pattern: /<iframe\b[^>]*>.*?<\/iframe>/gi, message: "Iframe tags are not allowed" },
+    { pattern: /<iframe\b[^>]*\/>/gi, message: "Iframe tags are not allowed" },
+    { pattern: /<object\b[^>]*>.*?<\/object>/gi, message: "Object tags are not allowed" },
+    { pattern: /<object\b[^>]*\/>/gi, message: "Object tags are not allowed" },
+    { pattern: /<embed\b[^>]*\/?>/gi, message: "Embed tags are not allowed" },
+    { pattern: /<form\b[^>]*>.*?<\/form>/gi, message: "Form tags are not allowed" },
+    { pattern: /<form\b[^>]*\/>/gi, message: "Form tags are not allowed" },
+    { pattern: /<input\b[^>]*\/?>/gi, message: "Input tags are not allowed" },
+    { pattern: /<button\b[^>]*>.*?<\/button>/gi, message: "Button tags are not allowed" },
+    { pattern: /<button\b[^>]*\/>/gi, message: "Button tags are not allowed" },
+    { pattern: /on\w+\s*=/gi, message: "Event handlers are not allowed" },
+    { pattern: /javascript:/gi, message: "JavaScript protocols are not allowed" },
+    { pattern: /data:/gi, message: "Data protocols are not allowed" }
+  ];
+  dangerousPatterns.forEach(({ pattern, message }) => {
+    if (pattern.test(html)) {
+      warnings.push(message);
+    }
+  });
+  return {
+    isValid: warnings.length === 0,
+    warnings
+  };
+}
+function renderSafeHtml(html, options = {}) {
+  const { strict = true, logWarnings = false } = options;
+  const validation = validateHtml(html);
+  const sanitizedHtml = sanitizeHtml(html);
+  if (logWarnings && validation.warnings.length > 0) {
+    console.warn("HTML content warnings:", validation.warnings);
+  }
+  return {
+    html: sanitizedHtml,
+    isValid: validation.isValid,
+    warnings: validation.warnings
+  };
+}
+
+export {
+  cn,
+  sanitizeHtml,
+  validateHtml,
+  renderSafeHtml
+};
+//# sourceMappingURL=chunk-R77UEZ4E.js.map

package/dist/chunk-VBXEHIUJ.js 6.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/utils/context/organisationContext.ts","../src/utils/security/secureStorage.ts"],"sourcesContent":["/**\n * @file Organisation Context Utility\n * @package @jmruthers/pace-core\n * @module Utils/OrganisationContext\n * @since 0.4.0\n *\n * Utility functions for managing organisation context in database sessions.\n * Provides fallback mechanisms for when database functions are not available.\n */\n\nimport type { SupabaseClient } from '@supabase/supabase-js';\nimport { createLogger } from '../core/logger';\n\nconst log = createLogger('organisationContext');\n\n/**\n * Set organisation context in the database session\n * \n * This function attempts to set the organisation context using a database function.\n * If the function is not available, it falls back gracefully without throwing errors.\n * \n * @param supabase - Supabase client instance\n * @param organisationId - The organisation ID to set as context\n * @returns Promise that resolves when context is set (or falls back gracefully)\n */\nexport async function setOrganisationContext(\n  supabase: SupabaseClient,\n  organisationId: string\n): Promise<void> {\n  if (!supabase || !organisationId) {\n    // TODO: Replace with proper logging service integration\n    return;\n  }\n\n  try {\n    // Add timeout to prevent hanging RPC calls\n    const timeoutPromise = new Promise((_, reject) => {\n      setTimeout(() => reject(new Error('RPC timeout after 3 seconds')), 3000);\n    });\n    \n    // Call the database function to set organisation context\n    const rpcPromise = supabase.rpc('set_organisation_context', {\n      org_id: organisationId\n    });\n\n    const { error } = await Promise.race([rpcPromise, timeoutPromise]) as any;\n\n    if (error) {\n      // Function might not exist yet - this is expected during migration\n      // Silent fail - will fall back to client-side filtering\n      log.debug('RPC function not available or failed, continuing without database context');\n    } else {\n      log.debug('Organisation context set in database successfully');\n    }\n  } catch (error) {\n    // Handle any other errors gracefully\n    // Silent fail - will fall back to client-side filtering\n    log.debug('Failed to set database context, continuing without it:', error);\n  }\n}\n\n/**\n * Clear organisation context from the database session\n * \n * @param supabase - Supabase client instance\n * @returns Promise that resolves when context is cleared\n */\nexport async function clearOrganisationContext(\n  supabase: SupabaseClient\n): Promise<void> {\n  if (!supabase) {\n    // TODO: Replace with proper logging service integration\n    return;\n  }\n\n  try {\n    const { error } = await supabase.rpc('rbac_audit_log', {\n      p_event_type: 'organisation_switched',\n      p_metadata: { action: 'clear_context' }\n    });\n    \n    if (error) {\n      // Silent fail - function not available\n      // TODO: Replace with proper logging service integration\n    } else {\n      // TODO: Replace with proper logging service integration\n    }\n  } catch (error) {\n    // Silent fail - error occurred\n    // TODO: Replace with proper logging service integration\n  }\n}\n\n/**\n * Get current organisation context from the database session\n * \n * @param supabase - Supabase client instance\n * @returns Promise that resolves to the current organisation ID or null\n */\nexport async function getOrganisationContext(\n  supabase: SupabaseClient\n): Promise<string | null> {\n  if (!supabase) {\n    // TODO: Replace with proper logging service integration\n    return null;\n  }\n\n  try {\n    // For now, return null since we're not using database context\n    // This will be replaced with proper context management\n    const data = null;\n    const error = null;\n    \n    if (error) {\n      // TODO: Replace with proper logging service integration\n      return null;\n    }\n    \n    // Validate that data is a string (allow empty strings)\n    if (typeof data === 'string') {\n      return data;\n    }\n    \n    // Return null for invalid data formats\n    return null;\n  } catch (error) {\n    // TODO: Replace with proper logging service integration\n    return null;\n  }\n}\n\n/**\n * Check if organisation context functions are available in the database\n * \n * @param supabase - Supabase client instance\n * @returns Promise that resolves to true if functions are available\n */\nexport async function isOrganisationContextAvailable(\n  supabase: SupabaseClient\n): Promise<boolean> {\n  if (!supabase) {\n    return false;\n  }\n\n  try {\n    const { error } = await supabase.rpc('get_organisation_context');\n    \n    if (error) {\n      return false;\n    }\n    \n    return true;\n  } catch (error) {\n    return false;\n  }\n} ","\n/**\n * @file Secure Storage Utilities\n * @description Encrypted storage wrapper for sensitive data\n */\n\nexport interface SecureStorageOptions {\n  encrypt?: boolean;\n  expiry?: number; // TTL in milliseconds\n}\n\n/**\n * Secure storage implementation with encryption support\n */\nclass SecureStorageImpl {\n  private encryptionKey: CryptoKey | null = null;\n  private initialized = false;\n\n  /**\n   * Initialize secure storage with encryption\n   */\n  async init(): Promise<void> {\n    if (this.initialized) return;\n\n    try {\n      // Check if Web Crypto API is available\n      if (window.crypto && window.crypto.subtle) {\n        // Generate or retrieve encryption key\n        const keyData = localStorage.getItem('_sec_key');\n        if (keyData) {\n          try {\n            const keyBuffer = this.base64ToArrayBuffer(keyData);\n            this.encryptionKey = await window.crypto.subtle.importKey(\n              'raw',\n              keyBuffer,\n              { name: 'AES-GCM' },\n              false,\n              ['encrypt', 'decrypt']\n            );\n          } catch (error) {\n            await this.generateNewKey();\n          }\n        } else {\n          await this.generateNewKey();\n        }\n      }\n      this.initialized = true;\n    } catch (error) {\n      this.initialized = true;\n    }\n  }\n\n  /**\n   * Store item securely\n   */\n  async setItem(\n    key: string,\n    value: string,\n    options: SecureStorageOptions = {}\n  ): Promise<void> {\n    await this.init();\n\n    const data = {\n      value,\n      timestamp: Date.now(),\n      expiry: options.expiry ? Date.now() + options.expiry : undefined,\n    };\n\n    const serialized = JSON.stringify(data);\n    \n    if (options.encrypt && this.encryptionKey) {\n      try {\n        const encrypted = await this.encrypt(serialized);\n        localStorage.setItem(`_sec_${key}`, encrypted);\n        return;\n      } catch (error) {\n        // Silent fail - store as plain text\n      }\n    }\n\n    localStorage.setItem(key, serialized);\n  }\n\n  /**\n   * Retrieve item securely\n   */\n  async getItem(key: string): Promise<string | null> {\n    await this.init();\n\n    // Try encrypted storage first\n    const encryptedData = localStorage.getItem(`_sec_${key}`);\n    if (encryptedData && this.encryptionKey) {\n      try {\n        const decrypted = await this.decrypt(encryptedData);\n        const parsed = JSON.parse(decrypted);\n        \n        // Check expiry\n        if (parsed.expiry && Date.now() > parsed.expiry) {\n          await this.removeItem(key);\n          return null;\n        }\n        \n        return parsed.value;\n      } catch (error) {\n        // Silent fail - try plain storage\n      }\n    }\n\n    // Fallback to plain storage\n    const plainData = localStorage.getItem(key);\n    if (!plainData) return null;\n\n    try {\n      const parsed = JSON.parse(plainData);\n      \n      // Check expiry\n      if (parsed.expiry && Date.now() > parsed.expiry) {\n        await this.removeItem(key);\n        return null;\n      }\n      \n      return parsed.value || plainData;\n    } catch (error) {\n      // If parsing fails, return as-is (backward compatibility)\n      return plainData;\n    }\n  }\n\n  /**\n   * Remove item\n   */\n  async removeItem(key: string): Promise<void> {\n    localStorage.removeItem(key);\n    localStorage.removeItem(`_sec_${key}`);\n  }\n\n  /**\n   * Clear all secure storage\n   */\n  async clear(): Promise<void> {\n    const keys = Object.keys(localStorage);\n    for (const key of keys) {\n      if (key.startsWith('_sec_')) {\n        localStorage.removeItem(key);\n      }\n    }\n  }\n\n  /**\n   * Generate new encryption key\n   */\n  private async generateNewKey(): Promise<void> {\n    if (!window.crypto?.subtle) return;\n\n    try {\n      this.encryptionKey = await window.crypto.subtle.generateKey(\n        { name: 'AES-GCM', length: 256 },\n        true,\n        ['encrypt', 'decrypt']\n      );\n\n      // Export and store key\n      const exportedKey = await window.crypto.subtle.exportKey('raw', this.encryptionKey);\n      const keyData = this.arrayBufferToBase64(exportedKey);\n      localStorage.setItem('_sec_key', keyData);\n    } catch (error) {\n      // Silent fail - encryption not available\n    }\n  }\n\n  /**\n   * Encrypt data\n   */\n  private async encrypt(data: string): Promise<string> {\n    if (!this.encryptionKey || !window.crypto?.subtle) {\n      throw new Error('Encryption not available');\n    }\n\n    const encoder = new TextEncoder();\n    const dataBuffer = encoder.encode(data);\n    const iv = window.crypto.getRandomValues(new Uint8Array(12));\n\n    const encrypted = await window.crypto.subtle.encrypt(\n      { name: 'AES-GCM', iv },\n      this.encryptionKey,\n      dataBuffer\n    );\n\n    // Combine IV and encrypted data\n    const combined = new Uint8Array(iv.length + encrypted.byteLength);\n    combined.set(iv);\n    combined.set(new Uint8Array(encrypted), iv.length);\n\n    return this.arrayBufferToBase64(combined.buffer);\n  }\n\n  /**\n   * Decrypt data\n   */\n  private async decrypt(encryptedData: string): Promise<string> {\n    if (!this.encryptionKey || !window.crypto?.subtle) {\n      throw new Error('Decryption not available');\n    }\n\n    const combined = this.base64ToArrayBuffer(encryptedData);\n    const iv = combined.slice(0, 12);\n    const encrypted = combined.slice(12);\n\n    const decrypted = await window.crypto.subtle.decrypt(\n      { name: 'AES-GCM', iv },\n      this.encryptionKey,\n      encrypted\n    );\n\n    const decoder = new TextDecoder();\n    return decoder.decode(decrypted);\n  }\n\n  /**\n   * Convert ArrayBuffer to base64\n   */\n  private arrayBufferToBase64(buffer: ArrayBuffer): string {\n    const bytes = new Uint8Array(buffer);\n    let binary = '';\n    for (let i = 0; i < bytes.byteLength; i++) {\n      binary += String.fromCharCode(bytes[i]);\n    }\n    return btoa(binary);\n  }\n\n  /**\n   * Convert base64 to ArrayBuffer\n   */\n  private base64ToArrayBuffer(base64: string): ArrayBuffer {\n    const binary = atob(base64);\n    const bytes = new Uint8Array(binary.length);\n    for (let i = 0; i < binary.length; i++) {\n      bytes[i] = binary.charCodeAt(i);\n    }\n    return bytes.buffer;\n  }\n}\n\nexport const secureStorage = new SecureStorageImpl();\n"],"mappings":";;;;;AAaA,IAAM,MAAM,aAAa,qBAAqB;AAY9C,eAAsB,uBACpB,UACA,gBACe;AACf,MAAI,CAAC,YAAY,CAAC,gBAAgB;AAEhC;AAAA,EACF;AAEA,MAAI;AAEF,UAAM,iBAAiB,IAAI,QAAQ,CAAC,GAAG,WAAW;AAChD,iBAAW,MAAM,OAAO,IAAI,MAAM,6BAA6B,CAAC,GAAG,GAAI;AAAA,IACzE,CAAC;AAGD,UAAM,aAAa,SAAS,IAAI,4BAA4B;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAED,UAAM,EAAE,MAAM,IAAI,MAAM,QAAQ,KAAK,CAAC,YAAY,cAAc,CAAC;AAEjE,QAAI,OAAO;AAGT,UAAI,MAAM,2EAA2E;AAAA,IACvF,OAAO;AACL,UAAI,MAAM,mDAAmD;AAAA,IAC/D;AAAA,EACF,SAAS,OAAO;AAGd,QAAI,MAAM,0DAA0D,KAAK;AAAA,EAC3E;AACF;AAQA,eAAsB,yBACpB,UACe;AACf,MAAI,CAAC,UAAU;AAEb;AAAA,EACF;AAEA,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,SAAS,IAAI,kBAAkB;AAAA,MACrD,cAAc;AAAA,MACd,YAAY,EAAE,QAAQ,gBAAgB;AAAA,IACxC,CAAC;AAED,QAAI,OAAO;AAAA,IAGX,OAAO;AAAA,IAEP;AAAA,EACF,SAAS,OAAO;AAAA,EAGhB;AACF;AAQA,eAAsB,uBACpB,UACwB;AACxB,MAAI,CAAC,UAAU;AAEb,WAAO;AAAA,EACT;AAEA,MAAI;AAGF,UAAM,OAAO;AACb,UAAM,QAAQ;AAEd,QAAI,OAAO;AAET,aAAO;AAAA,IACT;AAGA,QAAI,OAAO,SAAS,UAAU;AAC5B,aAAO;AAAA,IACT;AAGA,WAAO;AAAA,EACT,SAAS,OAAO;AAEd,WAAO;AAAA,EACT;AACF;AAQA,eAAsB,+BACpB,UACkB;AAClB,MAAI,CAAC,UAAU;AACb,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,EAAE,MAAM,IAAI,MAAM,SAAS,IAAI,0BAA0B;AAE/D,QAAI,OAAO;AACT,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT,SAAS,OAAO;AACd,WAAO;AAAA,EACT;AACF;;;AC7IA,IAAM,oBAAN,MAAwB;AAAA,EAAxB;AACE,SAAQ,gBAAkC;AAC1C,SAAQ,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA,EAKtB,MAAM,OAAsB;AAC1B,QAAI,KAAK,YAAa;AAEtB,QAAI;AAEF,UAAI,OAAO,UAAU,OAAO,OAAO,QAAQ;AAEzC,cAAM,UAAU,aAAa,QAAQ,UAAU;AAC/C,YAAI,SAAS;AACX,cAAI;AACF,kBAAM,YAAY,KAAK,oBAAoB,OAAO;AAClD,iBAAK,gBAAgB,MAAM,OAAO,OAAO,OAAO;AAAA,cAC9C;AAAA,cACA;AAAA,cACA,EAAE,MAAM,UAAU;AAAA,cAClB;AAAA,cACA,CAAC,WAAW,SAAS;AAAA,YACvB;AAAA,UACF,SAAS,OAAO;AACd,kBAAM,KAAK,eAAe;AAAA,UAC5B;AAAA,QACF,OAAO;AACL,gBAAM,KAAK,eAAe;AAAA,QAC5B;AAAA,MACF;AACA,WAAK,cAAc;AAAA,IACrB,SAAS,OAAO;AACd,WAAK,cAAc;AAAA,IACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QACJ,KACA,OACA,UAAgC,CAAC,GAClB;AACf,UAAM,KAAK,KAAK;AAEhB,UAAM,OAAO;AAAA,MACX;AAAA,MACA,WAAW,KAAK,IAAI;AAAA,MACpB,QAAQ,QAAQ,SAAS,KAAK,IAAI,IAAI,QAAQ,SAAS;AAAA,IACzD;AAEA,UAAM,aAAa,KAAK,UAAU,IAAI;AAEtC,QAAI,QAAQ,WAAW,KAAK,eAAe;AACzC,UAAI;AACF,cAAM,YAAY,MAAM,KAAK,QAAQ,UAAU;AAC/C,qBAAa,QAAQ,QAAQ,GAAG,IAAI,SAAS;AAC7C;AAAA,MACF,SAAS,OAAO;AAAA,MAEhB;AAAA,IACF;AAEA,iBAAa,QAAQ,KAAK,UAAU;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAQ,KAAqC;AACjD,UAAM,KAAK,KAAK;AAGhB,UAAM,gBAAgB,aAAa,QAAQ,QAAQ,GAAG,EAAE;AACxD,QAAI,iBAAiB,KAAK,eAAe;AACvC,UAAI;AACF,cAAM,YAAY,MAAM,KAAK,QAAQ,aAAa;AAClD,cAAM,SAAS,KAAK,MAAM,SAAS;AAGnC,YAAI,OAAO,UAAU,KAAK,IAAI,IAAI,OAAO,QAAQ;AAC/C,gBAAM,KAAK,WAAW,GAAG;AACzB,iBAAO;AAAA,QACT;AAEA,eAAO,OAAO;AAAA,MAChB,SAAS,OAAO;AAAA,MAEhB;AAAA,IACF;AAGA,UAAM,YAAY,aAAa,QAAQ,GAAG;AAC1C,QAAI,CAAC,UAAW,QAAO;AAEvB,QAAI;AACF,YAAM,SAAS,KAAK,MAAM,SAAS;AAGnC,UAAI,OAAO,UAAU,KAAK,IAAI,IAAI,OAAO,QAAQ;AAC/C,cAAM,KAAK,WAAW,GAAG;AACzB,eAAO;AAAA,MACT;AAEA,aAAO,OAAO,SAAS;AAAA,IACzB,SAAS,OAAO;AAEd,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,KAA4B;AAC3C,iBAAa,WAAW,GAAG;AAC3B,iBAAa,WAAW,QAAQ,GAAG,EAAE;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAuB;AAC3B,UAAM,OAAO,OAAO,KAAK,YAAY;AACrC,eAAW,OAAO,MAAM;AACtB,UAAI,IAAI,WAAW,OAAO,GAAG;AAC3B,qBAAa,WAAW,GAAG;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,iBAAgC;AAC5C,QAAI,CAAC,OAAO,QAAQ,OAAQ;AAE5B,QAAI;AACF,WAAK,gBAAgB,MAAM,OAAO,OAAO,OAAO;AAAA,QAC9C,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,QAC/B;AAAA,QACA,CAAC,WAAW,SAAS;AAAA,MACvB;AAGA,YAAM,cAAc,MAAM,OAAO,OAAO,OAAO,UAAU,OAAO,KAAK,aAAa;AAClF,YAAM,UAAU,KAAK,oBAAoB,WAAW;AACpD,mBAAa,QAAQ,YAAY,OAAO;AAAA,IAC1C,SAAS,OAAO;AAAA,IAEhB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,MAA+B;AACnD,QAAI,CAAC,KAAK,iBAAiB,CAAC,OAAO,QAAQ,QAAQ;AACjD,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AAEA,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,aAAa,QAAQ,OAAO,IAAI;AACtC,UAAM,KAAK,OAAO,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAE3D,UAAM,YAAY,MAAM,OAAO,OAAO,OAAO;AAAA,MAC3C,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB,KAAK;AAAA,MACL;AAAA,IACF;AAGA,UAAM,WAAW,IAAI,WAAW,GAAG,SAAS,UAAU,UAAU;AAChE,aAAS,IAAI,EAAE;AACf,aAAS,IAAI,IAAI,WAAW,SAAS,GAAG,GAAG,MAAM;AAEjD,WAAO,KAAK,oBAAoB,SAAS,MAAM;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,QAAQ,eAAwC;AAC5D,QAAI,CAAC,KAAK,iBAAiB,CAAC,OAAO,QAAQ,QAAQ;AACjD,YAAM,IAAI,MAAM,0BAA0B;AAAA,IAC5C;AAEA,UAAM,WAAW,KAAK,oBAAoB,aAAa;AACvD,UAAM,KAAK,SAAS,MAAM,GAAG,EAAE;AAC/B,UAAM,YAAY,SAAS,MAAM,EAAE;AAEnC,UAAM,YAAY,MAAM,OAAO,OAAO,OAAO;AAAA,MAC3C,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB,KAAK;AAAA,MACL;AAAA,IACF;AAEA,UAAM,UAAU,IAAI,YAAY;AAChC,WAAO,QAAQ,OAAO,SAAS;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAoB,QAA6B;AACvD,UAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,QAAI,SAAS;AACb,aAAS,IAAI,GAAG,IAAI,MAAM,YAAY,KAAK;AACzC,gBAAU,OAAO,aAAa,MAAM,CAAC,CAAC;AAAA,IACxC;AACA,WAAO,KAAK,MAAM;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAoB,QAA6B;AACvD,UAAM,SAAS,KAAK,MAAM;AAC1B,UAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,aAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,YAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,IAChC;AACA,WAAO,MAAM;AAAA,EACf;AACF;AAEO,IAAM,gBAAgB,IAAI,kBAAkB;","names":[]}

package/dist/{chunk-HQVPB5MZ.js → chunk-XNXXZ43G.js}

@@ -1,13 +1,13 @@
 import {
   useAppConfig,
   useEvents,
-  useResolvedScope,
-  useSuperAdminBypass
-} from "./chunk-Y4BUBBHD.js";
+  useOrganisationSecurity,
+  useResolvedScope
+} from "./chunk-IIELH4DL.js";
 import {
   useOrganisations,
   useUnifiedAuth
-} from "./chunk-J2XXC7R5.js";
+} from "./chunk-7FLMSG37.js";
 import {
   ContextValidator,
   OrganisationContextRequiredError,
@@ -18,7 +18,7 @@ import {
   isPermitted,
   isPermittedCached,
   resolveAppContext
-} from "./chunk-RUYZKXOD.js";
+} from "./chunk-KNC55RTG.js";
 import {
   logger
 } from "./chunk-PWLANIRT.js";
@@ -102,6 +102,19 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
       return this.addOrganisationFilter(result, tableName);
     };
     query.insert = (values) => {
+      const tablesWithoutOrganisationId = [
+        "core_organisations",
+        // Organisation table itself - uses 'id' as primary key
+        "rbac_apps",
+        // App configuration table - no organisation scope
+        "rbac_app_pages",
+        // Page configuration table - scoped by app_id, not organisation_id
+        "rbac_global_roles"
+        // Global roles - no organisation scope
+      ];
+      if (tablesWithoutOrganisationId.includes(tableName)) {
+        return originalInsert(values);
+      }
       if (tableName === "rbac_user_profiles") {
         if (this.isSuperAdmin) {
           return originalInsert(values);
@@ -137,6 +150,22 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
    * - Always apply org filter unless super admin bypasses it
    */
   addOrganisationFilter(query, tableName) {
+    const tablesWithoutOrganisationId = [
+      "core_organisations",
+      // Organisation table itself - uses 'id' as primary key
+      "rbac_apps",
+      // App configuration table - no organisation scope
+      "rbac_app_pages",
+      // Page configuration table - scoped by app_id, not organisation_id
+      "rbac_global_roles"
+      // Global roles - no organisation scope
+    ];
+    if (tablesWithoutOrganisationId.includes(tableName)) {
+      return query;
+    }
+    if (!this.organisationId) {
+      return query;
+    }
     if (tableName === "rbac_user_profiles") {
       if (this.isSuperAdmin) {
         return query;
@@ -279,13 +308,6 @@ function useRBAC(pageId) {
     }
     setIsLoading(true);
     setError(null);
-    logger2.debug("[useRBAC] Loading RBAC context", {
-      appName,
-      appConfig,
-      hasSelectedEvent: !!selectedEvent,
-      selectedEventId: selectedEvent?.event_id,
-      organisationId: selectedOrganisation?.id
-    });
     try {
       let appId = contextAppId;
       if (appName && !appId) {
@@ -293,13 +315,10 @@ function useRBAC(pageId) {
           const resolved = await resolveAppContext({ userId: user.id, appName });
           if (!resolved) {
             if (appName === "PORTAL" || appName === "ADMIN") {
-              logger2.debug(`[useRBAC] ${appName} app context not resolved, attempting direct lookup`);
               try {
-                const { getAppConfigByName } = await import("./api-I6UCQ5S6.js");
-                const config = await getAppConfigByName(appName);
-                logger2.debug(`[useRBAC] ${appName} app - proceeding without appId for page-level permissions`);
+                const { getAppConfigByName } = await import("./api-N774RPUA.js");
+                await getAppConfigByName(appName);
               } catch (err) {
-                logger2.debug(`[useRBAC] ${appName} app - proceeding without appId for page-level permissions`);
               }
             } else {
               throw new Error(`User does not have access to app "${appName}"`);
@@ -321,7 +340,6 @@ function useRBAC(pageId) {
             return;
           }
           if (appName === "PORTAL" || appName === "ADMIN") {
-            logger2.debug(`[useRBAC] ${appName} app - allowing access despite app context resolution failure`);
           } else {
             throw rpcError;
           }
@@ -450,10 +468,6 @@ function usePermissions(userId, organisationId, eventId, appId) {
     const paramsChanged = prevValuesRef.current.userId !== userId || prevValuesRef.current.organisationId !== organisationId || prevValuesRef.current.eventId !== eventId || prevValuesRef.current.appId !== appId;
     if (paramsChanged) {
       if (prevValuesRef.current.appId !== appId) {
-        logger2.debug("[usePermissions] AppId changed - triggering fetch", {
-          prevAppId: prevValuesRef.current.appId,
-          newAppId: appId
-        });
       }
       prevValuesRef.current = { userId, organisationId, eventId, appId };
       setFetchTrigger((prev) => prev + 1);
@@ -572,13 +586,41 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
   const [can, setCan] = useState2(false);
   const [isLoading, setIsLoading] = useState2(true);
   const [error, setError] = useState2(null);
+  const [isSuperAdmin, setIsSuperAdmin] = useState2(null);
   const isValidScope = scope && typeof scope === "object";
   const organisationId = isValidScope ? scope.organisationId : void 0;
   const eventId = isValidScope ? scope.eventId : void 0;
   const appId = isValidScope ? scope.appId : void 0;
+  useEffect2(() => {
+    if (!userId) {
+      setIsSuperAdmin(false);
+      return;
+    }
+    let cancelled = false;
+    const checkSuperAdmin = async () => {
+      try {
+        const { isSuperAdmin: checkSuperAdmin2 } = await import("./api-N774RPUA.js");
+        const isSuper = await checkSuperAdmin2(userId);
+        if (!cancelled) {
+          setIsSuperAdmin(isSuper);
+        }
+      } catch (err) {
+        if (!cancelled) {
+          setIsSuperAdmin(false);
+        }
+      }
+    };
+    checkSuperAdmin();
+    return () => {
+      cancelled = true;
+    };
+  }, [userId]);
   useEffect2(() => {
     const isPagePermission = permission.includes(":page.") || !!pageId;
     const requiresOrgId = !isPagePermission;
+    if (isSuperAdmin === true) {
+      return;
+    }
     if (requiresOrgId && (!isValidScope || !organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
       const timeoutId = setTimeout(() => {
         setError(new Error("Organisation context is required for permission checks"));
@@ -590,7 +632,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
     if (error?.message === "Organisation context is required for permission checks") {
       setError(null);
     }
-  }, [isValidScope, organisationId, error, permission, pageId]);
+  }, [isValidScope, organisationId, error, permission, pageId, isSuperAdmin]);
   const lastUserIdRef = useRef(null);
   const lastScopeRef = useRef(null);
   const lastPermissionRef = useRef(null);
@@ -632,10 +674,13 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
         const isPageName = pageId && typeof pageId === "string" && !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(pageId);
         const needsAppIdForPageName = isPagePermission && isPageName;
         if (requiresOrgId && (!organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
-          setIsLoading(true);
-          setCan(false);
-          setError(null);
-          return;
+          if (isSuperAdmin === true) {
+          } else {
+            setIsLoading(true);
+            setCan(false);
+            setError(null);
+            return;
+          }
         }
         if (needsAppIdForPageName && (!appId || appId === null || typeof appId === "string" && appId.trim() === "")) {
           setIsLoading(true);
@@ -664,7 +709,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
       };
       checkPermission();
     }
-  }, [userId, stableScope, permission, pageId, useCache, appName]);
+  }, [userId, stableScope, permission, pageId, useCache, appName, isSuperAdmin]);
   const refetch = useCallback2(async () => {
     if (!userId) {
       setCan(false);
@@ -728,7 +773,7 @@ function useAccessLevel(userId, scope) {
     try {
       setIsLoading(true);
       setError(null);
-      const { isSuperAdmin: checkSuperAdmin } = await import("./api-I6UCQ5S6.js");
+      const { isSuperAdmin: checkSuperAdmin } = await import("./api-N774RPUA.js");
       const isSuperAdminUser = await checkSuperAdmin(userId);
       if (isSuperAdminUser) {
         setAccessLevel("super");
@@ -1330,9 +1375,8 @@ function useSecureSupabase(baseClient) {
   const eventsContext = useEvents();
   const { selectedEvent } = eventsContext;
   const eventLoading = "eventLoading" in eventsContext ? eventsContext.eventLoading : false;
-  const { isSuperAdmin: verifiedIsSuperAdmin, isLoading: isVerifyingSuperAdmin } = useSuperAdminBypass();
-  const metadataHint = Boolean(user?.app_metadata?.is_super_admin) || Boolean(user?.user_metadata?.is_super_admin);
-  const isSuperAdmin = verifiedIsSuperAdmin || isVerifyingSuperAdmin && metadataHint;
+  const { superAdminContext } = useOrganisationSecurity();
+  const isSuperAdmin = superAdminContext.isSuperAdmin;
   const { resolvedScope } = useResolvedScope({
     supabase: authSupabase || null,
     selectedOrganisationId: selectedOrganisation?.id || null,
@@ -1420,4 +1464,4 @@ export {
   useRoleManagement,
   useSecureSupabase
 };
-//# sourceMappingURL=chunk-HQVPB5MZ.js.map
+//# sourceMappingURL=chunk-XNXXZ43G.js.map