@jmruthers/pace-core 0.5.190 → 0.5.193

package/src/types/supabase.ts

@@ -106,8 +106,8 @@ export type TableName =
   | 'rbac_user_sessions'
   | 'rbac_user_profiles'
   | 'rbac_user_login_history'
-  | 'event'
-  | 'organisations'
+  | 'core_events'
+  | 'core_organisations'
 
   | 'rbac_apps';
 

package/src/utils/__tests__/secureDataAccess.unit.test.ts

@@ -103,7 +103,7 @@ describe('Secure Data Access', () => {
       mockSupabaseClient.from = vi.fn(() => mockQuery);
 
       const options = {
-        table: 'event', // Use a table that has organisation_id
+        table: 'core_events', // Use a table that has organisation_id
         select: '*',
         organisationId: organisationId,
         filters: { name: 'Test' }
@@ -111,8 +111,9 @@ describe('Secure Data Access', () => {
 
       const result = await secureDataAccess.secureQuery(options);
 
-      expect(mockSupabaseClient.from).toHaveBeenCalledWith('event');
+      expect(mockSupabaseClient.from).toHaveBeenCalledWith('core_events');
       expect(mockQuery.select).toHaveBeenCalledWith('*');
+      // Organisation filter should be applied first
       expect(mockQuery.eq).toHaveBeenCalledWith('organisation_id', organisationId);
       expect(mockQuery.eq).toHaveBeenCalledWith('name', 'Test');
     });

package/src/utils/file-reference/index.ts

@@ -100,7 +100,7 @@ export class FileReferenceServiceImpl implements FileReferenceService {
       }
 
       // Step 4: Create file reference in database using RPC function
-      // This links the storage path to the record in file_references table
+      // This links the storage path to the record in core_file_references table
       const { data, error } = await this.supabase
         .rpc('data_file_reference_create', {
           p_table_name: options.table_name,
@@ -137,7 +137,7 @@ export class FileReferenceServiceImpl implements FileReferenceService {
 
       // Get the created file reference
       const { data: fileRef, error: fetchError } = await this.supabase
-        .from('file_references')
+        .from('core_file_references')
         .select('id, table_name, record_id, file_path, file_metadata, organisation_id, app_id, is_public, created_at, updated_at')
         .eq('id', data)
         .single();
@@ -167,7 +167,7 @@ export class FileReferenceServiceImpl implements FileReferenceService {
   async getFileReference(table_name: string, record_id: string, organisation_id?: string): Promise<FileReference | null> {
     try {
       let query = this.supabase
-        .from('file_references')
+        .from('core_file_references')
         .select('id, table_name, record_id, file_path, file_metadata, organisation_id, app_id, is_public, created_at, updated_at')
         .eq('table_name', table_name)
         .eq('record_id', record_id);
@@ -265,7 +265,7 @@ export class FileReferenceServiceImpl implements FileReferenceService {
   async updateFileReference(id: string, updates: Partial<FileReference>): Promise<FileReference> {
     try {
       const { data, error } = await this.supabase
-        .from('file_references')
+        .from('core_file_references')
         .update(updates)
         .eq('id', id)
         .select()

package/src/utils/google-places/googlePlacesUtils.ts

@@ -411,7 +411,7 @@ export function parseAddressComponents(
  * Create parsed address from Google Places API place result
  *
  * @param place - Place result from Google Places Details API
- * @returns Parsed address matching pace_address table structure
+ * @returns Parsed address matching core_address table structure
  */
 export function createAddressFromPlaceResult(
   place: {

package/src/utils/google-places/types.ts

@@ -61,7 +61,7 @@ export interface GooglePlaceDetailsResponse {
 }
 
 /**
- * Parsed address matching pace_address table structure
+ * Parsed address matching core_address table structure
  */
 export interface ParsedAddress {
   place_id: string;

package/src/utils/request-deduplication.ts

@@ -53,10 +53,10 @@ export function generateRequestKey(
  * @example
  * ```ts
  * const data = await getOrCreateRequest(
- *   'GET:pace_person:{"user_id":"123"}',
+ *   'GET:core_person:{"user_id":"123"}',
  *   async () => {
  *     const { data } = await supabase
- *       .from('pace_person')
+ *       .from('core_person')
  *       .select('id, first_name')
  *       .eq('user_id', '123')
  *       .single();
@@ -138,12 +138,12 @@ export function getInFlightRequestStats(): {
  * ```ts
  * const person = await deduplicatedQuery(
  *   supabase,
- *   'pace_person',
+ *   'core_person',
  *   { user_id: userId },
  *   'id, first_name, last_name',
  *   async () => {
  *     const { data } = await supabase
- *       .from('pace_person')
+ *       .from('core_person')
  *       .select('id, first_name, last_name')
  *       .eq('user_id', userId)
  *       .single();

package/src/utils/security/secureDataAccess.test.ts

@@ -100,7 +100,7 @@ describe('secureDataAccess', () => {
 
       describe('ensureOrganisationColumn', () => {
         it('should return true for tables with organisation_id column', () => {
-          expect(secureDataAccess.ensureOrganisationColumn('event')).toBe(true);
+          expect(secureDataAccess.ensureOrganisationColumn('core_events')).toBe(true);
           expect(secureDataAccess.ensureOrganisationColumn('organisation_settings')).toBe(true);
           expect(secureDataAccess.ensureOrganisationColumn('rbac_event_app_roles')).toBe(true);
         });

package/src/utils/security/secureDataAccess.ts

@@ -94,15 +94,18 @@ export const createSecureDataAccess = (
   const ensureOrganisationColumn = (table: string): boolean => {
     // This is a simplified check - in production you might want to cache this
     const tablesWithOrganisation = [
-      'event',  'organisation_settings',
+      'core_events',  'organisation_settings',
       'rbac_event_app_roles', 'rbac_organisation_roles',
       // SECURITY: Phase 2 additions - complete organisation table mapping
       'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',
       // SECURITY: Emergency additions for Phase 1 fixes
-      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member',
+      'cake_meal', 'cake_mealtype', 'core_person', 'pace_person',
+      // NOTE: core_member, medi_profile, core_contact, core_consent, core_identification, core_qualification
+      // are now person-scoped (not organisation-scoped) - removed from this list
       // SECURITY: Phase 3A additions - medical and personal data
-      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',
-      'pace_consent', 'pace_contact', 'pace_identification', 'pace_identification_type', 'pace_qualification',
+      // NOTE: medi_condition, medi_diet, medi_action_plan, medi_profile_versions are now person-scoped
+      // (via medi_profile) - removed from this list
+      // core_identification_type remains organisation-scoped (lookup table)
       'form_responses', 'form_response_values', 'forms',
       // SECURITY: Phase 3B additions - remaining critical tables
       'invoice', 'line_item', 'credit_balance', 'payment_method',

package/src/utils/storage/README.md

@@ -342,7 +342,7 @@ Enable debug logging by checking the browser console for detailed information ab
 ```typescript
 // Check file reference status
 const { data } = await supabase
-  .from('file_references')
+  .from('core_file_references')
   .select('*')
   .eq('table_name', 'person')
   .eq('record_id', recordId)

package/dist/chunk-4QYC5L4K.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/hooks/useSecureDataAccess.ts"],"sourcesContent":["/**\n * @file useSecureDataAccess Hook\n * @package @jmruthers/pace-core\n * @module Hooks/useSecureDataAccess\n * @since 0.4.0\n *\n * Hook for secure database operations with mandatory organisation context.\n * Ensures all data access is properly scoped to the user's current organisation.\n *\n * @example\n * ```tsx\n * function DataComponent() {\n *   const { secureQuery, secureInsert, secureUpdate, secureDelete } = useSecureDataAccess();\n *   \n *   const loadData = async () => {\n *     try {\n *       // Automatically includes organisation_id filter\n *       const events = await secureQuery('event', '*', { is_visible: true });\n *       console.log('Organisation events:', events);\n *     } catch (error) {\n *       console.error('Failed to load data:', error);\n *     }\n *   };\n *   \n *   const createEvent = async (eventData) => {\n *     try {\n *       // Automatically sets organisation_id\n *       const newEvent = await secureInsert('event', eventData);\n *       console.log('Created event:', newEvent);\n *     } catch (error) {\n *       console.error('Failed to create event:', error);\n *     }\n *   };\n *   \n *   return (\n *     <div>\n *       <button onClick={loadData}>Load Data</button>\n *       <button onClick={() => createEvent({ event_name: 'New Event' })}>\n *         Create Event\n *       </button>\n *     </div>\n *   );\n * }\n * ```\n *\n * @security\n * - All queries automatically include organisation_id filter\n * - Validates organisation context before any operation\n * - Prevents data leaks between organisations\n * - Error handling for security violations\n * - Type-safe database operations\n */\n\nimport { useCallback, useState, useContext } from 'react';\nimport { useUnifiedAuth } from '../providers';\nimport { useOrganisations } from './useOrganisations';\nimport { EventServiceContext } from '../providers/services/EventServiceProvider';\nimport { setOrganisationContext } from '../utils/context/organisationContext';\nimport { logger } from '../utils/core/logger';\nimport type { Permission } from '../rbac/types';\nimport type { OrganisationSecurityError } from '../types/organisation';\nimport { useSuperAdminBypass } from '../rbac/hooks/useSuperAdminBypass';\nimport { useResolvedScope } from '../rbac/hooks/useResolvedScope';\n\nexport interface SecureDataAccessReturn {\n  /** Execute a secure query with organisation filtering */\n  secureQuery: <T = any>(\n    table: string,\n    columns: string,\n    filters?: Record<string, any>,\n    options?: {\n      orderBy?: string;\n      ascending?: boolean;\n      limit?: number;\n      offset?: number;\n    }\n  ) => Promise<T[]>;\n  \n  /** Execute a secure insert with organisation context */\n  secureInsert: <T = any>(\n    table: string,\n    data: Record<string, any>\n  ) => Promise<T>;\n  \n  /** Execute a secure update with organisation filtering */\n  secureUpdate: <T = any>(\n    table: string,\n    data: Record<string, any>,\n    filters: Record<string, any>\n  ) => Promise<T[]>;\n  \n  /** Execute a secure delete with organisation filtering */\n  secureDelete: (\n    table: string,\n    filters: Record<string, any>\n  ) => Promise<void>;\n  \n  /** Execute a secure RPC call with organisation context */\n  secureRpc: <T = any>(\n    functionName: string,\n    params?: Record<string, any>\n  ) => Promise<T>;\n  \n  /** Get current organisation ID */\n  getCurrentOrganisationId: () => string;\n  \n  /** Validate organisation context */\n  validateContext: () => void;\n  \n  // NEW: Phase 1 - Enhanced Security Features\n  /** Check if data access is allowed for a table and operation */\n  isDataAccessAllowed: (table: string, operation: string) => boolean;\n  \n  /** Get all data access permissions for current user */\n  getDataAccessPermissions: () => Record<string, string[]>;\n  \n  /** Check if strict mode is enabled */\n  isStrictMode: boolean;\n  \n  /** Check if audit logging is enabled */\n  isAuditLogEnabled: boolean;\n  \n  /** Get data access history */\n  getDataAccessHistory: () => DataAccessRecord[];\n  \n  /** Clear data access history */\n  clearDataAccessHistory: () => void;\n  \n  /** Validate data access attempt */\n  validateDataAccess: (table: string, operation: string) => boolean;\n}\n\nexport interface DataAccessRecord {\n  table: string;\n  operation: string;\n  userId: string;\n  organisationId: string;\n  allowed: boolean;\n  timestamp: string;\n  query?: string;\n  filters?: Record<string, any>;\n}\n\n/**\n * Hook for secure data access with automatic organisation filtering\n * \n * All database operations automatically include organisation context:\n * - Queries filter by organisation_id\n * - Inserts include organisation_id\n * - Updates/deletes are scoped to organisation\n * - RPC calls include organisation_id parameter\n */\nexport function useSecureDataAccess(): SecureDataAccessReturn {\n  const { supabase, user, session, selectedOrganisation, selectedEvent } = useUnifiedAuth();\n  \n  // Get selected event for event-scoped RPC calls\n  // Use useContext directly to safely check if EventServiceProvider is available\n  const eventServiceContext = useContext(EventServiceContext);\n  const eventFromContext = eventServiceContext?.eventService?.getSelectedEvent() || null;\n  const effectiveSelectedEvent = selectedEvent || eventFromContext;\n  const { isSuperAdmin } = useSuperAdminBypass();\n\n  // Use resolved scope to get organisationId (derived from event if needed)\n  const { resolvedScope } = useResolvedScope({\n    supabase,\n    selectedOrganisationId: selectedOrganisation?.id || null,\n    selectedEventId: effectiveSelectedEvent?.event_id || null\n  });\n\n  const validateContext = useCallback((): void => {\n    if (!supabase) {\n      throw new Error('No Supabase client available') as OrganisationSecurityError;\n    }\n    if (!user || !session) {\n      throw new Error('User must be authenticated with valid session') as OrganisationSecurityError;\n    }\n    \n    if (isSuperAdmin) {\n      return;\n    }\n    \n    if (!resolvedScope?.organisationId) {\n      throw new Error('Organisation context is required for data access') as OrganisationSecurityError;\n    }\n  }, [supabase, user, session, resolvedScope, isSuperAdmin]);\n\n  const getCurrentOrganisationId = useCallback((): string => {\n    if (isSuperAdmin) {\n      // For super admins, try to get org from resolved scope or selectedOrganisation\n      return resolvedScope?.organisationId || selectedOrganisation?.id || '';\n    }\n\n    validateContext();\n    return resolvedScope?.organisationId || '';\n  }, [validateContext, resolvedScope, selectedOrganisation, isSuperAdmin]);\n\n  // Set organisation context in database session\n  const setOrganisationContextInSession = useCallback(async (organisationId?: string): Promise<void> => {\n    if (!supabase || !organisationId) {\n      return;\n    }\n\n    await setOrganisationContext(supabase, organisationId);\n  }, [supabase]);\n\n  const secureQuery = useCallback(async <T = any>(\n    table: string,\n    columns: string,\n    filters: Record<string, any> = {},\n    options: {\n      orderBy?: string;\n      ascending?: boolean;\n      limit?: number;\n      offset?: number;\n    } = {}\n  ): Promise<T[]> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Build query with organisation filter\n    let query = supabase!\n      .from(table)\n      .select(columns);\n\n    // Add organisation filter only if table has organisation_id column\n    // Defense in depth strategy:\n    // - RLS policies are the primary security layer (cannot be bypassed)\n    // - Application-level filtering adds an additional layer of protection\n    const tablesWithOrganisation = [\n      'event',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member',\n      // SECURITY: Phase 3A additions - medical and personal data\n      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',\n      'pace_consent', 'pace_contact', 'pace_identification', 'pace_identification_type', 'pace_qualification',\n      'form_responses', 'form_response_values', 'forms',\n      // SECURITY: Phase 3B additions - remaining critical tables\n      'invoice', 'line_item', 'credit_balance', 'payment_method',\n      'form_contexts', 'form_field_config', 'form_fields',\n      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', \n      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', \n      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions',\n      // rbac_user_profiles has organisation_id but uses conditional filtering\n      'rbac_user_profiles'\n    ];\n    \n    // Apply organisation filtering based on table and super admin status\n    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {\n      // For rbac_user_profiles: Super admins see all (no filter), non-super-admins get filtered (defense in depth)\n      // For other tables: Always apply filter\n      if (table === 'rbac_user_profiles' && isSuperAdmin) {\n        // Super admin: No org filter - RLS handles access control\n        // This allows super admins to see all users across all organisations\n      } else {\n        // Non-super-admin OR other tables: Apply org filter as defense in depth\n        query = query.eq('organisation_id', organisationId);\n      }\n    }\n\n    // Apply additional filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        // Handle qualified column names (e.g., 'users.role')\n        const columnName = key.includes('.') ? key.split('.').pop()! : key;\n        query = query.eq(columnName, value);\n      }\n    });\n\n    // Apply options\n    if (options.orderBy) {\n      // Only use the column name, not a qualified name\n      const orderByColumn = options.orderBy.split('.').pop();\n      if (orderByColumn) {\n        query = query.order(orderByColumn, { ascending: options.ascending ?? true });\n      }\n    }\n    \n    if (options.limit) {\n      query = query.limit(options.limit);\n    }\n    \n    if (options.offset) {\n      query = query.range(options.offset, options.offset + (options.limit || 100) - 1);\n    }\n\n    const { data, error } = await query;\n    \n    if (error) {\n      logger.error('useSecureDataAccess', 'Query failed', { table, columns, filters, error });\n      // NEW: Phase 1 - Record failed data access attempt\n      recordDataAccess(table, 'read', false, `SELECT ${columns} FROM ${table}`, filters);\n      throw error;\n    }\n\n    // NEW: Phase 1 - Record successful data access attempt\n    recordDataAccess(table, 'read', true, `SELECT ${columns} FROM ${table}`, filters);\n\n    return (data as T[]) || [];\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);\n\n  const secureInsert = useCallback(async <T = any>(\n    table: string,\n    data: Record<string, any>\n  ): Promise<T> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Ensure organisation_id is set\n    const secureData = bypassOrganisationFilter\n      ? { ...data }\n      : {\n          ...data,\n          organisation_id: organisationId\n        };\n\n    const { data: insertData, error } = await supabase!\n      .from(table)\n      .insert(secureData)\n      .select()\n      .single();\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Insert failed', { table, data: secureData, error });\n      throw error;\n    }\n\n    return insertData as T;\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);\n\n  const secureUpdate = useCallback(async <T = any>(\n    table: string,\n    data: Record<string, any>,\n    filters: Record<string, any>\n  ): Promise<T[]> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Filter out organisation_id from data to prevent manipulation\n    const { organisation_id, ...secureData } = data;\n    \n    // Build update query with organisation filter\n    let query = supabase!\n      .from(table)\n      .update(secureData);\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'event',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member'\n    ];\n    \n    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        query = query.eq(key, value);\n      }\n    });\n\n    const { data: updateData, error } = await query.select();\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Update failed', { table, data: secureData, filters, error });\n      throw error;\n    }\n\n    return (updateData as T[]) || [];\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);\n\n  const secureDelete = useCallback(async (\n    table: string,\n    filters: Record<string, any>\n  ): Promise<void> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Build delete query with organisation filter\n    let query = supabase!\n      .from(table)\n      .delete();\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'event',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'pace_person', 'pace_member',\n      // SECURITY: Phase 3A additions - medical and personal data\n      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',\n      'pace_consent', 'pace_contact', 'pace_identification', 'pace_identification_type', 'pace_qualification',\n      'form_responses', 'form_response_values', 'forms',\n      // SECURITY: Phase 3B additions - remaining critical tables\n      'invoice', 'line_item', 'credit_balance', 'payment_method',\n      'form_contexts', 'form_field_config', 'form_fields',\n      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', \n      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', \n      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'\n    ];\n    \n    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        query = query.eq(key, value);\n      }\n    });\n\n    const { error } = await query;\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Delete failed', { table, filters, error });\n      throw error;\n    }\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);\n\n  const secureRpc = useCallback(async <T = any>(\n    functionName: string,\n    params: Record<string, any> = {}\n  ): Promise<T> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Include organisation_id in RPC parameters\n    // Some functions use p_organisation_id instead of organisation_id (to avoid conflicts with RETURNS TABLE columns)\n    const functionsWithPOrganisationId = [\n      'data_cake_diners_list',\n      'data_cake_mealplans_list'\n    ];\n    \n    const paramName = functionsWithPOrganisationId.includes(functionName) \n      ? 'p_organisation_id' \n      : 'organisation_id';\n    \n    // Functions that need p_event_id for event-app role permission checks\n    // Note: Even org-scoped functions (like items, packages, suppliers) need event_id\n    //       for permission checks when users have event-app roles\n    const functionsNeedingEventId = [\n      'data_cake_items_list',\n      'data_cake_packages_list',\n      'data_cake_suppliers_list',\n      'data_cake_diettypes_list',\n      'data_cake_mealtypes_list',\n      'data_cake_diners_list',\n      'data_cake_mealplans_list',\n      'data_cake_dishes_list',\n      'data_cake_recipes_list',\n      'data_cake_meals_list',\n      'data_cake_units_list',\n      'data_cake_orders_list',\n      'app_cake_item_create',\n      'app_cake_item_update',\n      'app_cake_package_create',\n      'app_cake_package_update',\n      'app_cake_supplier_create',\n      'app_cake_supplier_update',\n      'app_cake_supplier_delete',\n      'app_cake_meal_create',\n      'app_cake_meal_update',\n      'app_cake_meal_delete',\n      'app_cake_unit_create',\n      'app_cake_unit_update',\n      'app_cake_unit_delete',\n      'app_cake_delivery_upsert'\n    ];\n    \n    // Build secureParams with correct parameter order\n    // For functions that require p_event_id as first parameter, ensure it's first\n    const secureParams: Record<string, any> = {};\n    \n    // Functions where p_event_id is the FIRST required parameter (no default)\n    const functionsWithEventIdFirst = [\n      'data_cake_meals_list',\n      'data_cake_units_list'\n    ];\n    \n    // Add p_user_id explicitly for functions that need it (even though it has a default)\n    // This ensures parameter matching works correctly\n    if (user?.id) {\n      secureParams.p_user_id = user.id;\n    }\n    \n    // Add organisation_id parameter when needed\n    if (!bypassOrganisationFilter && organisationId) {\n      secureParams[paramName] = organisationId;\n    } else if (organisationId && !(paramName in params)) {\n      // Default to the current organisation if caller didn't specify one\n      secureParams[paramName] = organisationId;\n    }\n    \n    // Add p_event_id if function needs it and event is selected\n    // CRITICAL: This must be added AFTER organisation_id but BEFORE caller params\n    // to ensure it's not overwritten. For data_cake_items_list, p_event_id is the 3rd param.\n    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {\n      secureParams.p_event_id = selectedEvent.event_id;\n    }\n    \n    // Add any other params passed by caller (limit, offset, etc.)\n    // NOTE: This will NOT overwrite p_event_id if caller passes it, but we want to ensure\n    // our value takes precedence if event is selected\n    Object.assign(secureParams, params);\n    \n    // Ensure p_event_id is set if needed (after Object.assign, so it overrides caller params)\n    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {\n      secureParams.p_event_id = selectedEvent.event_id;\n    }\n\n    const { data, error } = await supabase!.rpc(functionName, secureParams);\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'RPC failed', { functionName, params: secureParams, error });\n      throw error;\n    }\n\n    return data as T;\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, selectedEvent?.event_id, user?.id, isSuperAdmin]);\n\n  // NEW: Phase 1 - Enhanced Security Features\n  const [dataAccessHistory, setDataAccessHistory] = useState<DataAccessRecord[]>([]);\n  const [isStrictMode] = useState(true); // Always enabled in Phase 1\n  const [isAuditLogEnabled] = useState(true); // Always enabled in Phase 1\n\n  // Check if data access is allowed for a table and operation\n  const isDataAccessAllowed = useCallback((table: string, operation: string): boolean => {\n    if (!user?.id) return false;\n    \n    // Use the existing RBAC system to check data access permissions\n    // This is a synchronous check for the context - actual permission checking\n    // happens in the secure data operations using the RBAC engine\n    const permission = `${operation}:data.${table}` as Permission;\n    \n    // For now, we'll return true and let the secure data operations\n    // handle the actual permission checking asynchronously\n    // This context is mainly for tracking and audit purposes\n    return true;\n  }, [user?.id]);\n\n  // Get all data access permissions for current user\n  const getDataAccessPermissions = useCallback((): Record<string, string[]> => {\n    if (!user?.id) return {};\n    \n    // For now, return empty object - this will be enhanced with actual permission checking\n    // when we integrate with the existing RBAC system\n    return {};\n  }, [user?.id]);\n\n  // Get data access history\n  const getDataAccessHistory = useCallback((): DataAccessRecord[] => {\n    return [...dataAccessHistory];\n  }, [dataAccessHistory]);\n\n  // Clear data access history\n  const clearDataAccessHistory = useCallback(() => {\n    setDataAccessHistory([]);\n  }, []);\n\n  // Validate data access attempt\n  const validateDataAccess = useCallback((table: string, operation: string): boolean => {\n    if (!user?.id) return false;\n    \n    // Validate organisation context\n    try {\n      validateContext();\n    } catch (error) {\n      logger.error('useSecureDataAccess', 'Organisation context validation failed', { table, operation, error });\n      return false;\n    }\n    \n    return isDataAccessAllowed(table, operation);\n  }, [user?.id, validateContext, isDataAccessAllowed]);\n\n  // Record data access attempt\n  const recordDataAccess = useCallback((\n    table: string,\n    operation: string,\n    allowed: boolean,\n    query?: string,\n    filters?: Record<string, any>\n  ) => {\n    if (!isAuditLogEnabled || !user?.id) return;\n    const auditOrganisationId = getCurrentOrganisationId() || 'super-admin-bypass';\n\n    const record: DataAccessRecord = {\n      table,\n      operation,\n      userId: user.id,\n      organisationId: auditOrganisationId,\n      allowed,\n      timestamp: new Date().toISOString(),\n      query,\n      filters\n    };\n    \n    setDataAccessHistory(prev => {\n      const newHistory = [record, ...prev];\n      return newHistory.slice(0, 1000); // Keep last 1000 records\n    });\n    \n    if (isStrictMode && !allowed) {\n      logger.error('useSecureDataAccess', 'STRICT MODE VIOLATION: User attempted data access without permission', {\n        table,\n        operation,\n        userId: user.id,\n        organisationId: auditOrganisationId,\n        timestamp: new Date().toISOString()\n      });\n    }\n  }, [isAuditLogEnabled, isStrictMode, user?.id, getCurrentOrganisationId]);\n\n  return {\n    secureQuery,\n    secureInsert,\n    secureUpdate,\n    secureDelete,\n    secureRpc,\n    getCurrentOrganisationId,\n    validateContext,\n    // NEW: Phase 1 - Enhanced Security Features\n    isDataAccessAllowed,\n    getDataAccessPermissions,\n    isStrictMode,\n    isAuditLogEnabled,\n    getDataAccessHistory,\n    clearDataAccessHistory,\n    validateDataAccess\n  };\n} "],"mappings":";;;;;;;;;;;;;;;;AAqDA,SAAS,aAAa,UAAU,kBAAkB;AAmG3C,SAAS,sBAA8C;AAC5D,QAAM,EAAE,UAAU,MAAM,SAAS,sBAAsB,cAAc,IAAI,eAAe;AAIxF,QAAM,sBAAsB,WAAW,mBAAmB;AAC1D,QAAM,mBAAmB,qBAAqB,cAAc,iBAAiB,KAAK;AAClF,QAAM,yBAAyB,iBAAiB;AAChD,QAAM,EAAE,aAAa,IAAI,oBAAoB;AAG7C,QAAM,EAAE,cAAc,IAAI,iBAAiB;AAAA,IACzC;AAAA,IACA,wBAAwB,sBAAsB,MAAM;AAAA,IACpD,iBAAiB,wBAAwB,YAAY;AAAA,EACvD,CAAC;AAED,QAAM,kBAAkB,YAAY,MAAY;AAC9C,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AACA,QAAI,CAAC,QAAQ,CAAC,SAAS;AACrB,YAAM,IAAI,MAAM,+CAA+C;AAAA,IACjE;AAEA,QAAI,cAAc;AAChB;AAAA,IACF;AAEA,QAAI,CAAC,eAAe,gBAAgB;AAClC,YAAM,IAAI,MAAM,kDAAkD;AAAA,IACpE;AAAA,EACF,GAAG,CAAC,UAAU,MAAM,SAAS,eAAe,YAAY,CAAC;AAEzD,QAAM,2BAA2B,YAAY,MAAc;AACzD,QAAI,cAAc;AAEhB,aAAO,eAAe,kBAAkB,sBAAsB,MAAM;AAAA,IACtE;AAEA,oBAAgB;AAChB,WAAO,eAAe,kBAAkB;AAAA,EAC1C,GAAG,CAAC,iBAAiB,eAAe,sBAAsB,YAAY,CAAC;AAGvE,QAAM,kCAAkC,YAAY,OAAO,mBAA2C;AACpG,QAAI,CAAC,YAAY,CAAC,gBAAgB;AAChC;AAAA,IACF;AAEA,UAAM,uBAAuB,UAAU,cAAc;AAAA,EACvD,GAAG,CAAC,QAAQ,CAAC;AAEb,QAAM,cAAc,YAAY,OAC9B,OACA,SACA,UAA+B,CAAC,GAChC,UAKI,CAAC,MACY;AACjB,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAGpD,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO,OAAO;AAMjB,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAU;AAAA,MACV;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA;AAAA,MAE7C;AAAA,MAAgB;AAAA,MAAkB;AAAA,MAAa;AAAA,MAAoB;AAAA,MACnE;AAAA,MAAgB;AAAA,MAAgB;AAAA,MAAuB;AAAA,MAA4B;AAAA,MACnF;AAAA,MAAkB;AAAA,MAAwB;AAAA;AAAA,MAE1C;AAAA,MAAW;AAAA,MAAa;AAAA,MAAkB;AAAA,MAC1C;AAAA,MAAiB;AAAA,MAAqB;AAAA,MACtC;AAAA,MAAiB;AAAA,MAAiB;AAAA,MAAc;AAAA,MAAa;AAAA,MAC7D;AAAA,MAAkB;AAAA,MAAiB;AAAA,MAAgB;AAAA,MAAe;AAAA,MAClE;AAAA,MAAe;AAAA,MAAa;AAAA,MAAoB;AAAA,MAAoB;AAAA;AAAA,MAEpE;AAAA,IACF;AAGA,QAAI,CAAC,4BAA4B,kBAAkB,uBAAuB,SAAS,KAAK,GAAG;AAGzF,UAAI,UAAU,wBAAwB,cAAc;AAAA,MAGpD,OAAO;AAEL,gBAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,MACpD;AAAA,IACF;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AAEzC,cAAM,aAAa,IAAI,SAAS,GAAG,IAAI,IAAI,MAAM,GAAG,EAAE,IAAI,IAAK;AAC/D,gBAAQ,MAAM,GAAG,YAAY,KAAK;AAAA,MACpC;AAAA,IACF,CAAC;AAGD,QAAI,QAAQ,SAAS;AAEnB,YAAM,gBAAgB,QAAQ,QAAQ,MAAM,GAAG,EAAE,IAAI;AACrD,UAAI,eAAe;AACjB,gBAAQ,MAAM,MAAM,eAAe,EAAE,WAAW,QAAQ,aAAa,KAAK,CAAC;AAAA,MAC7E;AAAA,IACF;AAEA,QAAI,QAAQ,OAAO;AACjB,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AAEA,QAAI,QAAQ,QAAQ;AAClB,cAAQ,MAAM,MAAM,QAAQ,QAAQ,QAAQ,UAAU,QAAQ,SAAS,OAAO,CAAC;AAAA,IACjF;AAEA,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM;AAE9B,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,gBAAgB,EAAE,OAAO,SAAS,SAAS,MAAM,CAAC;AAEtF,uBAAiB,OAAO,QAAQ,OAAO,UAAU,OAAO,SAAS,KAAK,IAAI,OAAO;AACjF,YAAM;AAAA,IACR;AAGA,qBAAiB,OAAO,QAAQ,MAAM,UAAU,OAAO,SAAS,KAAK,IAAI,OAAO;AAEhF,WAAQ,QAAgB,CAAC;AAAA,EAC3B,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,YAAY,CAAC;AAEvG,QAAM,eAAe,YAAY,OAC/B,OACA,SACe;AACf,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAGpD,UAAM,aAAa,2BACf,EAAE,GAAG,KAAK,IACV;AAAA,MACE,GAAG;AAAA,MACH,iBAAiB;AAAA,IACnB;AAEJ,UAAM,EAAE,MAAM,YAAY,MAAM,IAAI,MAAM,SACvC,KAAK,KAAK,EACV,OAAO,UAAU,EACjB,OAAO,EACP,OAAO;AAEV,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,MAAM,YAAY,MAAM,CAAC;AACvF,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,YAAY,CAAC;AAEvG,QAAM,eAAe,YAAY,OAC/B,OACA,MACA,YACiB;AACjB,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAGpD,UAAM,EAAE,iBAAiB,GAAG,WAAW,IAAI;AAG3C,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO,UAAU;AAGpB,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAU;AAAA,MACV;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA,IAC/C;AAEA,QAAI,CAAC,4BAA4B,kBAAkB,uBAAuB,SAAS,KAAK,GAAG;AACzF,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,gBAAQ,MAAM,GAAG,KAAK,KAAK;AAAA,MAC7B;AAAA,IACF,CAAC;AAED,UAAM,EAAE,MAAM,YAAY,MAAM,IAAI,MAAM,MAAM,OAAO;AAEvD,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,MAAM,YAAY,SAAS,MAAM,CAAC;AAChG,YAAM;AAAA,IACR;AAEA,WAAQ,cAAsB,CAAC;AAAA,EACjC,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,YAAY,CAAC;AAEvG,QAAM,eAAe,YAAY,OAC/B,OACA,YACkB;AAClB,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAGpD,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO;AAGV,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAU;AAAA,MACV;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA;AAAA,MAE7C;AAAA,MAAgB;AAAA,MAAkB;AAAA,MAAa;AAAA,MAAoB;AAAA,MACnE;AAAA,MAAgB;AAAA,MAAgB;AAAA,MAAuB;AAAA,MAA4B;AAAA,MACnF;AAAA,MAAkB;AAAA,MAAwB;AAAA;AAAA,MAE1C;AAAA,MAAW;AAAA,MAAa;AAAA,MAAkB;AAAA,MAC1C;AAAA,MAAiB;AAAA,MAAqB;AAAA,MACtC;AAAA,MAAiB;AAAA,MAAiB;AAAA,MAAc;AAAA,MAAa;AAAA,MAC7D;AAAA,MAAkB;AAAA,MAAiB;AAAA,MAAgB;AAAA,MAAe;AAAA,MAClE;AAAA,MAAe;AAAA,MAAa;AAAA,MAAoB;AAAA,MAAoB;AAAA,IACtE;AAEA,QAAI,CAAC,4BAA4B,kBAAkB,uBAAuB,SAAS,KAAK,GAAG;AACzF,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,gBAAQ,MAAM,GAAG,KAAK,KAAK;AAAA,MAC7B;AAAA,IACF,CAAC;AAED,UAAM,EAAE,MAAM,IAAI,MAAM;AAExB,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,SAAS,MAAM,CAAC;AAC9E,YAAM;AAAA,IACR;AAAA,EACF,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,YAAY,CAAC;AAEvG,QAAM,YAAY,YAAY,OAC5B,cACA,SAA8B,CAAC,MAChB;AACf,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAIpD,UAAM,+BAA+B;AAAA,MACnC;AAAA,MACA;AAAA,IACF;AAEA,UAAM,YAAY,6BAA6B,SAAS,YAAY,IAChE,sBACA;AAKJ,UAAM,0BAA0B;AAAA,MAC9B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAIA,UAAM,eAAoC,CAAC;AAG3C,UAAM,4BAA4B;AAAA,MAChC;AAAA,MACA;AAAA,IACF;AAIA,QAAI,MAAM,IAAI;AACZ,mBAAa,YAAY,KAAK;AAAA,IAChC;AAGA,QAAI,CAAC,4BAA4B,gBAAgB;AAC/C,mBAAa,SAAS,IAAI;AAAA,IAC5B,WAAW,kBAAkB,EAAE,aAAa,SAAS;AAEnD,mBAAa,SAAS,IAAI;AAAA,IAC5B;AAKA,QAAI,wBAAwB,SAAS,YAAY,KAAK,eAAe,UAAU;AAC7E,mBAAa,aAAa,cAAc;AAAA,IAC1C;AAKA,WAAO,OAAO,cAAc,MAAM;AAGlC,QAAI,wBAAwB,SAAS,YAAY,KAAK,eAAe,UAAU;AAC7E,mBAAa,aAAa,cAAc;AAAA,IAC1C;AAEA,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,SAAU,IAAI,cAAc,YAAY;AAEtE,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,cAAc,EAAE,cAAc,QAAQ,cAAc,MAAM,CAAC;AAC/F,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,eAAe,UAAU,MAAM,IAAI,YAAY,CAAC;AAG1I,QAAM,CAAC,mBAAmB,oBAAoB,IAAI,SAA6B,CAAC,CAAC;AACjF,QAAM,CAAC,YAAY,IAAI,SAAS,IAAI;AACpC,QAAM,CAAC,iBAAiB,IAAI,SAAS,IAAI;AAGzC,QAAM,sBAAsB,YAAY,CAAC,OAAe,cAA+B;AACrF,QAAI,CAAC,MAAM,GAAI,QAAO;AAKtB,UAAM,aAAa,GAAG,SAAS,SAAS,KAAK;AAK7C,WAAO;AAAA,EACT,GAAG,CAAC,MAAM,EAAE,CAAC;AAGb,QAAM,2BAA2B,YAAY,MAAgC;AAC3E,QAAI,CAAC,MAAM,GAAI,QAAO,CAAC;AAIvB,WAAO,CAAC;AAAA,EACV,GAAG,CAAC,MAAM,EAAE,CAAC;AAGb,QAAM,uBAAuB,YAAY,MAA0B;AACjE,WAAO,CAAC,GAAG,iBAAiB;AAAA,EAC9B,GAAG,CAAC,iBAAiB,CAAC;AAGtB,QAAM,yBAAyB,YAAY,MAAM;AAC/C,yBAAqB,CAAC,CAAC;AAAA,EACzB,GAAG,CAAC,CAAC;AAGL,QAAM,qBAAqB,YAAY,CAAC,OAAe,cAA+B;AACpF,QAAI,CAAC,MAAM,GAAI,QAAO;AAGtB,QAAI;AACF,sBAAgB;AAAA,IAClB,SAAS,OAAO;AACd,aAAO,MAAM,uBAAuB,0CAA0C,EAAE,OAAO,WAAW,MAAM,CAAC;AACzG,aAAO;AAAA,IACT;AAEA,WAAO,oBAAoB,OAAO,SAAS;AAAA,EAC7C,GAAG,CAAC,MAAM,IAAI,iBAAiB,mBAAmB,CAAC;AAGnD,QAAM,mBAAmB,YAAY,CACnC,OACA,WACA,SACA,OACA,YACG;AACH,QAAI,CAAC,qBAAqB,CAAC,MAAM,GAAI;AACrC,UAAM,sBAAsB,yBAAyB,KAAK;AAE1D,UAAM,SAA2B;AAAA,MAC/B;AAAA,MACA;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,gBAAgB;AAAA,MAChB;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,MACA;AAAA,IACF;AAEA,yBAAqB,UAAQ;AAC3B,YAAM,aAAa,CAAC,QAAQ,GAAG,IAAI;AACnC,aAAO,WAAW,MAAM,GAAG,GAAI;AAAA,IACjC,CAAC;AAED,QAAI,gBAAgB,CAAC,SAAS;AAC5B,aAAO,MAAM,uBAAuB,wEAAwE;AAAA,QAC1G;AAAA,QACA;AAAA,QACA,QAAQ,KAAK;AAAA,QACb,gBAAgB;AAAA,QAChB,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MACpC,CAAC;AAAA,IACH;AAAA,EACF,GAAG,CAAC,mBAAmB,cAAc,MAAM,IAAI,wBAAwB,CAAC;AAExE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA;AAAA,IAEA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}