@jmruthers/pace-core 0.5.193 → 0.6.2

package/dist/rbac/index.d.ts

@@ -1,6 +1,6 @@
-import { U as UUID, g as PermissionCacheKey, h as AuditEventSource, i as RBACAuditEvent, a as PermissionCheck, S as Scope, A as AccessLevel, b as PermissionMap, j as RBACAppContext, k as RBACRoleContext, P as Permission, l as UserRBACContext } from '../types-UU913iLA.js';
-export { E as EventAppRole, G as GlobalRole, I as InvalidScopeError, M as MissingUserContextError, O as Operation, e as OrganisationContextRequiredError, c as OrganisationRole, d as PermissionDeniedError, R as RBACError, f as RBACNotInitializedError } from '../types-UU913iLA.js';
-export { A as AccessLevelContext, s as AuditEventType, P as PermissionSource, d as RBACAccessValidateParams, e as RBACAccessValidateResult, q as RBACAuditLogParams, r as RBACAuditLogResult, t as RBACContext, w as RBACErrorCode, v as RBACFunctionResponse, f as RBACPageAccessCheckParams, R as RBACPermissionCheckParams, a as RBACPermissionCheckResult, b as RBACPermissionsGetParams, c as RBACPermissionsGetResult, u as RBACResult, g as RBACRoleGrantParams, h as RBACRoleGrantResult, i as RBACRoleRevokeParams, j as RBACRoleRevokeResult, m as RBACRoleValidateParams, n as RBACRoleValidateResult, k as RBACRolesListParams, l as RBACRolesListResult, o as RBACSessionTrackParams, p as RBACSessionTrackResult, x as RPCFunction, S as SessionType } from '../functions-D_kgHktt.js';
+import { U as UUID, g as PermissionCacheKey, h as AuditEventSource, i as RBACAuditEvent, a as PermissionCheck, S as Scope, A as AccessLevel, b as PermissionMap, j as RBACAppContext, k as RBACRoleContext, P as Permission, l as UserRBACContext } from '../types-BeoeWV5I.js';
+export { E as EventAppRole, G as GlobalRole, I as InvalidScopeError, M as MissingUserContextError, O as Operation, e as OrganisationContextRequiredError, c as OrganisationRole, d as PermissionDeniedError, R as RBACError, f as RBACNotInitializedError } from '../types-BeoeWV5I.js';
+export { A as AccessLevelContext, s as AuditEventType, P as PermissionSource, d as RBACAccessValidateParams, e as RBACAccessValidateResult, q as RBACAuditLogParams, r as RBACAuditLogResult, t as RBACContext, w as RBACErrorCode, v as RBACFunctionResponse, f as RBACPageAccessCheckParams, R as RBACPermissionCheckParams, a as RBACPermissionCheckResult, b as RBACPermissionsGetParams, c as RBACPermissionsGetResult, u as RBACResult, g as RBACRoleGrantParams, h as RBACRoleGrantResult, i as RBACRoleRevokeParams, j as RBACRoleRevokeResult, m as RBACRoleValidateParams, n as RBACRoleValidateResult, k as RBACRolesListParams, l as RBACRolesListResult, o as RBACSessionTrackParams, p as RBACSessionTrackResult, x as RPCFunction, S as SessionType } from '../functions-DHebl8-F.js';
 import { SupabaseClient } from '@supabase/supabase-js';
 import { D as Database } from '../database.generated-CzIvgcPu.js';
 import * as react_jsx_runtime from 'react/jsx-runtime';
@@ -122,8 +122,10 @@ declare function isDevelopmentMode(): boolean;
  * This client automatically injects organisation context into all requests
  * and prevents queries that don't have the required context.
  *
- * Note: Callers should derive organisationId from eventId before creating this client
- * if working with event-required apps. The client requires organisationId.
+ * Note: For non-super-admins, organisationId is required. Super-admins can operate
+ * without organisationId to access system-wide tables (like core_organisations).
+ * Callers should derive organisationId from eventId before creating this client
+ * if working with event-required apps.
  */
 declare class SecureSupabaseClient {
     private supabase;
@@ -134,7 +136,19 @@ declare class SecureSupabaseClient {
     private eventId?;
     private appId?;
     private isSuperAdmin;
-    constructor(supabaseUrl: string, supabaseKey: string, organisationId: UUID, eventId?: string, appId?: UUID, isSuperAdmin?: boolean);
+    private usesExistingClient;
+    /**
+     * RPC functions that are safe to call without organisation context.
+     *
+     * These functions must:
+     * - rely on JWT context (auth.uid()) for authentication
+     * - not read or write organisation-scoped data
+     *
+     * This allowlist enables compliant consuming apps to use `secureSupabase.rpc(...)`
+     * even before an organisation is selected (common during initial page load/refresh).
+     */
+    private static readonly GLOBAL_RPC_ALLOWLIST;
+    constructor(supabaseUrl: string, supabaseKey: string, organisationId: UUID | null, eventId?: string, appId?: UUID, isSuperAdmin?: boolean, existingClient?: SupabaseClient<Database>);
     /**
      * Setup context injection for all database operations
      */
@@ -170,18 +184,36 @@ declare class SecureSupabaseClient {
      * - Super admins: No org filter (see all users) - RLS will allow access
      * - Non-super-admins: Apply org filter as defense in depth - RLS will also filter
      *
+     * For system-wide tables (like core_organisations):
+     * - Super admins: No org filter (see all records) - RLS will allow access
+     * - Non-super-admins: Apply org filter as defense in depth - RLS will also filter
+     *
      * For other tables:
      * - Always apply org filter unless super admin bypasses it
      */
     private addOrganisationFilter;
     /**
      * Validate that required context is present
+     * Super-admins can operate without organisation context
      */
     private validateContext;
+    /**
+     * Determine whether a table requires organisation context.
+     * Tables without an organisation_id column (or global configuration tables) are safe without org context.
+     */
+    private tableRequiresOrganisationContext;
+    /**
+     * Validate context for a specific table operation.
+     */
+    private validateContextForTable;
+    /**
+     * Validate context for a specific RPC call.
+     */
+    private validateContextForRpc;
     /**
      * Get the current organisation ID
      */
-    getOrganisationId(): UUID;
+    getOrganisationId(): UUID | null;
     /**
      * Get the current event ID
      */
@@ -194,7 +226,7 @@ declare class SecureSupabaseClient {
      * Create a new client with updated context
      */
     withContext(updates: {
-        organisationId?: UUID;
+        organisationId?: UUID | null;
         eventId?: string;
         appId?: UUID;
         isSuperAdmin?: boolean;
@@ -210,10 +242,10 @@ declare class SecureSupabaseClient {
  *
  * @param supabaseUrl - Supabase project URL
  * @param supabaseKey - Supabase publishable key or anon key (accepts both legacy anon keys and modern publishable keys)
- * @param organisationId - Required organisation ID
+ * @param organisationId - Organisation ID (optional for super-admins)
  * @param eventId - Optional event ID
  * @param appId - Optional app ID
- * @param isSuperAdmin - Optional super admin flag (defaults to false)
+ * @param isSuperAdmin - Optional super admin flag (defaults to false). When true, organisationId can be null.
  * @returns SecureSupabaseClient instance
  *
  * @example
@@ -226,9 +258,19 @@ declare class SecureSupabaseClient {
  *   'app-789',
  *   false // isSuperAdmin
  * );
+ *
+ * // For super-admins, organisationId can be null
+ * const superAdminClient = createSecureClient(
+ *   'https://your-project.supabase.co',
+ *   'your-publishable-key-or-anon-key',
+ *   null, // organisationId not required for super-admins
+ *   undefined,
+ *   undefined,
+ *   true // isSuperAdmin
+ * );
  * ```
  */
-declare function createSecureClient(supabaseUrl: string, supabaseKey: string, organisationId: UUID, eventId?: string, appId?: UUID, isSuperAdmin?: boolean): SecureSupabaseClient;
+declare function createSecureClient(supabaseUrl: string, supabaseKey: string, organisationId: UUID | null, eventId?: string, appId?: UUID, isSuperAdmin?: boolean): SecureSupabaseClient;
 /**
  * Create a secure client from an existing Supabase client
  *
@@ -238,7 +280,7 @@ declare function createSecureClient(supabaseUrl: string, supabaseKey: string, or
  * @param appId - Optional app ID
  * @returns SecureSupabaseClient instance
  */
-declare function fromSupabaseClient(client: SupabaseClient<Database>, organisationId: UUID, eventId?: string, appId?: UUID): SecureSupabaseClient;
+declare function fromSupabaseClient(client: SupabaseClient<Database>, organisationId: UUID | null, eventId?: string, appId?: UUID, isSuperAdmin?: boolean): SecureSupabaseClient;
 
 /**
  * RBAC Cache Implementation
@@ -838,7 +880,7 @@ interface PagePermissionGuardProps {
     /** Loading state content */
     loading?: React__default.ReactNode;
 }
-declare const PagePermissionGuard: React__default.MemoExoticComponent<({ pageName, operation, children, fallback, strictMode, auditLog, pageId, scope, onDenied, loading }: PagePermissionGuardProps) => string | number | boolean | Iterable<React__default.ReactNode> | react_jsx_runtime.JSX.Element | null>;
+declare const PagePermissionGuard: React__default.MemoExoticComponent<({ pageName, operation, children, fallback, strictMode, auditLog, pageId, scope, onDenied, loading }: PagePermissionGuardProps) => string | number | bigint | boolean | Iterable<React__default.ReactNode> | Promise<string | number | bigint | boolean | React__default.ReactPortal | React__default.ReactElement<unknown, string | React__default.JSXElementConstructor<any>> | Iterable<React__default.ReactNode> | null | undefined> | react_jsx_runtime.JSX.Element | null>;
 
 interface DataAccessRecord {
     table: string;
@@ -1376,126 +1418,118 @@ interface ResourcePermissions {
 declare function useResourcePermissions(resource: string, options?: UseResourcePermissionsOptions): ResourcePermissions;
 
 /**
- * @file RBAC Permission Hooks
- * @package @jmruthers/pace-core
- * @module RBAC/Hooks
- * @since 1.0.0
- *
- * This module provides React hooks for RBAC functionality.
- */
-
-/**
- * Hook to get user's permissions in a scope
+ * Hook to get user's access level in a scope
  *
  * @param userId - User ID
- * @param organisationId - Organisation ID
- * @param eventId - Event ID (optional)
- * @param appId - Application ID (optional)
- * @returns Permission state and methods
+ * @param scope - Scope for access level checking
+ * @returns Access level state and methods
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { permissions, isLoading, error } = usePermissions(
- *     userId,
- *     organisationId,
- *     eventId,
- *     appId
- *   );
+ *   const { accessLevel, isLoading, error } = useAccessLevel(userId, scope);
  *
- *   if (isLoading) return <div>Loading...</div>;
+ *   if (isLoading) return <div>Loading access level...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
  *   return (
  *     <div>
- *       {permissions['read:users'] && <UserList />}
- *       {permissions['create:users'] && <CreateUserButton />}
+ *       Access Level: {accessLevel}
+ *       {accessLevel >= AccessLevel.ADMIN && <AdminPanel />}
  *     </div>
  *   );
  * }
  * ```
  */
-declare function usePermissions(userId: UUID, organisationId: string | undefined, eventId: string | undefined, appId: string | undefined): {
-    permissions: PermissionMap;
+declare function useAccessLevel(userId: UUID, scope: Scope): {
+    accessLevel: AccessLevel;
     isLoading: boolean;
     error: Error | null;
-    hasPermission: (permission: Permission) => boolean;
-    hasAnyPermission: (permissionList: Permission[]) => boolean;
-    hasAllPermissions: (permissionList: Permission[]) => boolean;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to check if user can perform an action
+ * Hook to get cached permissions with TTL management
  *
  * @param userId - User ID
  * @param scope - Scope for permission checking
- * @param permission - Permission to check
- * @param pageId - Optional page ID
- * @param useCache - Whether to use cached results
- * @param appName - Optional app name (for PORTAL/ADMIN special case)
- * @returns Permission check state and methods
+ * @returns Cached permission state and methods
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { can, isLoading, error } = useCan(userId, scope, 'read:users');
+ *   const { permissions, isLoading, error, invalidateCache } = useCachedPermissions(userId, scope);
  *
- *   if (isLoading) return <div>Checking permission...</div>;
+ *   if (isLoading) return <div>Loading cached permissions...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
- *   return can ? <UserList /> : <div>Access denied</div>;
+ *   return (
+ *     <div>
+ *       {permissions['read:users'] && <UserList />}
+ *       <button onClick={invalidateCache}>Refresh Permissions</button>
+ *     </div>
+ *   );
  * }
  * ```
  */
-declare function useCan(userId: UUID, scope: Scope, permission: Permission, pageId?: UUID, useCache?: boolean, appName?: string): {
-    can: boolean;
+declare function useCachedPermissions(userId: UUID, scope: Scope): {
+    permissions: PermissionMap;
     isLoading: boolean;
     error: Error | null;
+    invalidateCache: () => void;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to get user's access level in a scope
+ * Hook to check if user can perform an action
  *
  * @param userId - User ID
- * @param scope - Scope for access level checking
- * @returns Access level state and methods
+ * @param scope - Scope for permission checking
+ * @param permission - Permission to check
+ * @param pageId - Optional page ID
+ * @param useCache - Whether to use cached results
+ * @param appName - Optional app name (for PORTAL/ADMIN special case)
+ * @returns Permission check state and methods
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { accessLevel, isLoading, error } = useAccessLevel(userId, scope);
+ *   const { can, isLoading, error } = useCan(userId, scope, 'read:users');
  *
- *   if (isLoading) return <div>Loading access level...</div>;
+ *   if (isLoading) return <div>Checking permission...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
- *   return (
- *     <div>
- *       Access Level: {accessLevel}
- *       {accessLevel >= AccessLevel.ADMIN && <AdminPanel />}
- *     </div>
- *   );
+ *   return can ? <UserList /> : <div>Access denied</div>;
  * }
  * ```
  */
-declare function useAccessLevel(userId: UUID, scope: Scope): {
-    accessLevel: AccessLevel;
+declare function useCan(userId: UUID, scope: Scope, permission: Permission, pageId?: UUID, useCache?: boolean, 
+/**
+ * Pre-computed super admin flag to avoid duplicate super admin checks.
+ * Callers should check super admin once and pass the result to all useCan hooks.
+ * Pass null if not checked yet, false/true if checked.
+ * Defaults to null (not checked yet) - hook will check if needed.
+ */
+precomputedSuperAdmin?: boolean | null, appName?: string): {
+    can: boolean;
     isLoading: boolean;
     error: Error | null;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to check multiple permissions at once
+ * Hook to check if user has all of the specified permissions
  *
  * @param userId - User ID
  * @param scope - Scope for permission checking
  * @param permissions - Array of permissions to check
  * @param useCache - Whether to use cached results
- * @returns Multiple permission check results
+ * @returns Whether user has all of the permissions
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { results, isLoading, error } = useMultiplePermissions(
+ *   const { hasAll, isLoading, error } = useHasAllPermissions(
  *     userId,
  *     scope,
  *     ['read:users', 'create:users', 'update:users']
@@ -1504,22 +1538,17 @@ declare function useAccessLevel(userId: UUID, scope: Scope): {
  *   if (isLoading) return <div>Checking permissions...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
- *   return (
- *     <div>
- *       {results['read:users'] && <UserList />}
- *       {results['create:users'] && <CreateUserButton />}
- *       {results['update:users'] && <EditUserButton />}
- *     </div>
- *   );
+ *   return hasAll ? <FullUserManagementPanel /> : <div>Insufficient permissions</div>;
  * }
  * ```
  */
-declare function useMultiplePermissions(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
-    results: Record<Permission, boolean>;
+declare function useHasAllPermissions(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
+    hasAll: boolean;
     isLoading: boolean;
     error: Error | null;
     refetch: () => Promise<void>;
 };
+
 /**
  * Hook to check if user has any of the specified permissions
  *
@@ -1551,19 +1580,20 @@ declare function useHasAnyPermission(userId: UUID, scope: Scope, permissions: Pe
     error: Error | null;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to check if user has all of the specified permissions
+ * Hook to check multiple permissions at once
  *
  * @param userId - User ID
  * @param scope - Scope for permission checking
  * @param permissions - Array of permissions to check
  * @param useCache - Whether to use cached results
- * @returns Whether user has all of the permissions
+ * @returns Multiple permission check results
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { hasAll, isLoading, error } = useHasAllPermissions(
+ *   const { results, isLoading, error } = useMultiplePermissions(
  *     userId,
  *     scope,
  *     ['read:users', 'create:users', 'update:users']
@@ -1572,45 +1602,61 @@ declare function useHasAnyPermission(userId: UUID, scope: Scope, permissions: Pe
  *   if (isLoading) return <div>Checking permissions...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
- *   return hasAll ? <FullUserManagementPanel /> : <div>Insufficient permissions</div>;
+ *   return (
+ *     <div>
+ *       {results['read:users'] && <UserList />}
+ *       {results['create:users'] && <CreateUserButton />}
+ *       {results['update:users'] && <EditUserButton />}
+ *     </div>
+ *   );
  * }
  * ```
  */
-declare function useHasAllPermissions(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
-    hasAll: boolean;
+declare function useMultiplePermissions(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
+    results: Record<Permission, boolean>;
     isLoading: boolean;
     error: Error | null;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to get cached permissions with TTL management
+ * Hook to get user's permissions in a scope
  *
  * @param userId - User ID
- * @param scope - Scope for permission checking
- * @returns Cached permission state and methods
+ * @param organisationId - Organisation ID
+ * @param eventId - Event ID (optional)
+ * @param appId - Application ID (optional)
+ * @returns Permission state and methods
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { permissions, isLoading, error, invalidateCache } = useCachedPermissions(userId, scope);
+ *   const { permissions, isLoading, error } = usePermissions(
+ *     userId,
+ *     organisationId,
+ *     eventId,
+ *     appId
+ *   );
  *
- *   if (isLoading) return <div>Loading cached permissions...</div>;
+ *   if (isLoading) return <div>Loading...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
  *   return (
  *     <div>
  *       {permissions['read:users'] && <UserList />}
- *       <button onClick={invalidateCache}>Refresh Permissions</button>
+ *       {permissions['create:users'] && <CreateUserButton />}
  *     </div>
  *   );
  * }
  * ```
  */
-declare function useCachedPermissions(userId: UUID, scope: Scope): {
+declare function usePermissions(userId: UUID, organisationId: string | undefined, eventId: string | undefined, appId: string | undefined): {
     permissions: PermissionMap;
     isLoading: boolean;
     error: Error | null;
-    invalidateCache: () => void;
+    hasPermission: (permission: Permission) => boolean;
+    hasAnyPermission: (permissionList: Permission[]) => boolean;
+    hasAllPermissions: (permissionList: Permission[]) => boolean;
     refetch: () => Promise<void>;
 };
 
@@ -2238,7 +2284,14 @@ declare function getRoleContext(input: {
  * });
  * ```
  */
-declare function isPermitted(input: PermissionCheck, appConfig?: AppConfig | null, appName?: string): Promise<boolean>;
+declare function isPermitted(input: PermissionCheck, appConfig?: AppConfig | null, appName?: string, 
+/**
+ * Pre-computed super admin status to avoid duplicate checks.
+ * Pass null if not checked yet (will check), true if already checked and is super admin,
+ * or false if already checked and is not super admin.
+ * @default null
+ */
+precomputedSuperAdmin?: boolean | null): Promise<boolean>;
 /**
  * Check if user has a specific permission (cached version)
  *
@@ -2375,28 +2428,6 @@ declare const PAGE_PERMISSIONS: {
  * @returns True if valid, false otherwise
  */
 declare function isValidPermission(permission: string): permission is Permission;
-/**
- * Get all permissions for a role - REMOVED
- *
- * @deprecated This function has been removed to ensure RBAC compliance.
- * Permissions must be queried from the rbac_page_permissions database table,
- * not hardcoded in application code. This allows organizations to customize
- * their own page-level permissions as required by the RBAC specification.
- *
- * To get permissions for a role, query the database:
- * ```typescript
- * const { data } = await supabase
- *   .from('rbac_page_permissions')
- *   .select('operation, allowed')
- *   .eq('role_name', roleName)
- *   .eq('organisation_id', organisationId)
- *   .eq('allowed', true);
- * ```
- *
- * @param role - Role name
- * @returns Empty array (function deprecated)
- */
-declare function getPermissionsForRole(role: string): Permission[];
 declare const ALL_PERMISSIONS: {
     readonly READ_PAGE: Permission;
     readonly CREATE_PAGE: Permission;
@@ -2609,4 +2640,4 @@ declare function getDirectSupabaseAuthFixes(): QuickFix;
  */
 declare function getQuickFixes(issueType: string, details?: Record<string, any>): QuickFix[];
 
-export { ALL_PERMISSIONS, AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type ComplianceResult, type DataAccessRecord, type DatabaseComplianceResult, type DatabaseIssue, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRoleData, GLOBAL_PERMISSIONS, type GrantEventAppRoleParams, type LogLevel, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, PAGE_PERMISSIONS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, Permission, PermissionCheck, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, PermissionMap, type QuickFix, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, type RBACLogger, type RBACPerformanceMetrics, type ResourcePermissions, type RevokeEventAppRoleParams, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RoleManagementResult, type RouteAccessRecord, type RouteConfig, type RuntimeComplianceResult, Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type SetupIssue, UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, type UseResourcePermissionsOptions, checkRuntimeCompliance, clearInFlightRequests, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, disablePerformanceMonitoring, emitAuditEvent, enablePerformanceMonitoring, fromSupabaseClient, getAccessLevel, getCustomAuthCodeFixes, getDirectSupabaseAuthFixes, getDuplicateConfigFixes, getGlobalAuditManager, getInFlightRequestCount, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getPermissionsForRole, getQuickFixes, getRBACConfig, getRBACLogger, getRoleContext, getSetupIssues, getUnprotectedPageFixes, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isValidPermission, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleBasedRouter, useRoleManagement, useSecureData, useSecureSupabase, validateAndWarn, validateDatabaseConfiguration, validateRBACSetup, withAccessLevelGuard, withPermissionGuard, withRoleGuard };
+export { ALL_PERMISSIONS, AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type ComplianceResult, type DataAccessRecord, type DatabaseComplianceResult, type DatabaseIssue, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRoleData, GLOBAL_PERMISSIONS, type GrantEventAppRoleParams, type LogLevel, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, PAGE_PERMISSIONS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, Permission, PermissionCheck, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, PermissionMap, type QuickFix, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, type RBACLogger, type RBACPerformanceMetrics, type ResourcePermissions, type RevokeEventAppRoleParams, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RoleManagementResult, type RouteAccessRecord, type RouteConfig, type RuntimeComplianceResult, Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type SetupIssue, UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, type UseResourcePermissionsOptions, checkRuntimeCompliance, clearInFlightRequests, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, disablePerformanceMonitoring, emitAuditEvent, enablePerformanceMonitoring, fromSupabaseClient, getAccessLevel, getCustomAuthCodeFixes, getDirectSupabaseAuthFixes, getDuplicateConfigFixes, getGlobalAuditManager, getInFlightRequestCount, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getQuickFixes, getRBACConfig, getRBACLogger, getRoleContext, getSetupIssues, getUnprotectedPageFixes, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isValidPermission, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleBasedRouter, useRoleManagement, useSecureData, useSecureSupabase, validateAndWarn, validateDatabaseConfiguration, validateRBACSetup, withAccessLevelGuard, withPermissionGuard, withRoleGuard };

package/dist/rbac/index.js

@@ -22,7 +22,6 @@ import {
   getCustomAuthCodeFixes,
   getDirectSupabaseAuthFixes,
   getDuplicateConfigFixes,
-  getPermissionsForRole,
   getQuickFixes,
   getSetupIssues,
   getUnprotectedPageFixes,
@@ -40,7 +39,7 @@ import {
   withAccessLevelGuard,
   withPermissionGuard,
   withRoleGuard
-} from "../chunk-7EQTDTTJ.js";
+} from "../chunk-6J4GEEJR.js";
 import {
   SecureSupabaseClient,
   createSecureClient,
@@ -53,16 +52,14 @@ import {
   useMultiplePermissions,
   usePermissions,
   useRBAC,
+  useResolvedScope,
   useResourcePermissions,
   useRoleManagement,
   useSecureSupabase
-} from "../chunk-XNXXZ43G.js";
-import "../chunk-LFNCN2SP.js";
-import {
-  useResolvedScope
-} from "../chunk-IIELH4DL.js";
+} from "../chunk-XWQCNGTQ.js";
+import "../chunk-MMZ7JXPU.js";
 import "../chunk-KQCRWDSA.js";
-import "../chunk-7FLMSG37.js";
+import "../chunk-EHMR7VYL.js";
 import {
   CACHE_PATTERNS,
   RBACCache,
@@ -94,7 +91,7 @@ import {
   resetPerformanceMetrics,
   resolveAppContext,
   setupRBAC
-} from "../chunk-KNC55RTG.js";
+} from "../chunk-24UVZUZG.js";
 import {
   RBACAuditManager,
   createAuditManager,
@@ -103,7 +100,8 @@ import {
   setGlobalAuditManager
 } from "../chunk-63FOKYGO.js";
 import "../chunk-QXHPKYJV.js";
-import "../chunk-I7PSE6JW.js";
+import "../chunk-F2IMUDXZ.js";
+import "../chunk-FMUCXFII.js";
 import "../chunk-VBXEHIUJ.js";
 import "../chunk-PWLANIRT.js";
 import "../chunk-7D4SUZUM.js";
@@ -151,7 +149,6 @@ export {
   getPerformanceMetrics,
   getPerformanceSummary,
   getPermissionMap,
-  getPermissionsForRole,
   getQuickFixes,
   getRBACConfig,
   getRBACLogger,

package/dist/theming/runtime.d.ts

@@ -10,9 +10,8 @@
 /**
  * Parse and normalize event_colours to PaletteData
  *
- * Supports multiple input formats:
+ * Supports input formats:
  * - Object with 'main', 'sec', 'acc' keys
- * - Object with 'ev-main', 'ev-sec', 'ev-acc' keys (legacy)
  * - JSON string that will be parsed
  *
  * Only includes explicitly defined color values. Does not fill
@@ -34,17 +33,6 @@
  * // Returns: { main: { 500: {...}, raw: {...} }, sec: { 500: {...} }, acc: { 500: {...} } }
  * ```
  *
- * @example
- * ```ts
- * // Legacy format with ev-* keys
- * const colours = {
- *   "ev-main": { 500: { L: 0.5, C: 0.2, H: 0 } },
- *   "ev-sec": { 500: { L: 0.5, C: 0.2, H: 120 } },
- *   "ev-acc": { 500: { L: 0.5, C: 0.2, H: 240 } }
- * };
- * const palette = parseAndNormalizeEventColours(colours);
- * // Returns normalized palette with only defined shades included
- * ```
  */
 declare function parseAndNormalizeEventColours(input: unknown): {
     main: any;

package/dist/theming/runtime.js

@@ -5,7 +5,7 @@ import {
   getCurrentThemeData,
   isDynamicThemingActive,
   parseAndNormalizeEventColours
-} from "../chunk-SQGMNID3.js";
+} from "../chunk-L4OXEN46.js";
 import "../chunk-PWLANIRT.js";
 import "../chunk-7D4SUZUM.js";
 export {

package/dist/{timezone-_pgH8qrY.d.ts → timezone-CHhWg6b4.d.ts}

@@ -267,16 +267,9 @@ declare function formatNumber(value: number, options?: Intl.NumberFormatOptions,
 /**
  * Format a number as a percentage.
  *
- * The third parameter can be either:
- * - A number for fixed decimal places (backward compatible): `formatPercent(0.81, 'en-US', 2)`
- * - An options object with:
- *   - `decimals`: Fixed number of decimal places (default: 1)
- *   - `preserveDecimals`: Auto-detect and preserve decimal places from the input value
- *   - `maxDecimals`: Maximum decimal places when preserving (default: 10)
- *
  * @param value - The percentage value as a decimal (e.g., 0.81 for 0.81%)
  * @param locale - The locale string (default: 'en-US')
- * @param decimalsOrOptions - Either a number for fixed decimals, or an options object with:
+ * @param options - Options object with:
  *   - `decimals` - Fixed number of decimal places (default: 1)
  *   - `preserveDecimals` - Auto-detect and preserve decimal places from the input value
  *   - `maxDecimals` - Maximum decimal places when preserving (default: 10)
@@ -286,14 +279,14 @@ declare function formatNumber(value: number, options?: Intl.NumberFormatOptions,
  * ```ts
  * // Fixed decimals (default behavior)
  * formatPercent(0.5) // '0.5%'
- * formatPercent(0.81, 'en-US', 1) // '0.8%' (loses precision)
+ * formatPercent(0.81, 'en-US', { decimals: 1 }) // '0.8%' (loses precision)
  *
  * // Preserve decimal places dynamically
  * formatPercent(0.81, 'en-US', { preserveDecimals: true }) // '0.81%'
  * formatPercent(0.8123, 'en-US', { preserveDecimals: true, maxDecimals: 2 }) // '0.81%'
  * ```
  */
-declare function formatPercent(value: number, locale?: string, decimalsOrOptions?: number | {
+declare function formatPercent(value: number, locale?: string, options?: {
     decimals?: number;
     preserveDecimals?: boolean;
     maxDecimals?: number;

package/dist/{types-UU913iLA.d.ts → types-BeoeWV5I.d.ts}

@@ -14,11 +14,19 @@ type UUID = string;
 type Operation = 'read' | 'create' | 'update' | 'delete';
 type Permission = `${Operation}:${string}`;
 type AccessLevel = 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
+/**
+ * Scope defines the context for permission checks.
+ * Can include organisation, event, and/or app identifiers.
+ */
 type Scope = {
     organisationId?: UUID;
     eventId?: string;
     appId?: AppId | UUID;
 };
+/**
+ * Permission check request parameters.
+ * Defines who (userId) is checking what permission in what context (scope).
+ */
 type PermissionCheck = {
     userId: UUID;
     scope: Scope;