@jmruthers/pace-core 0.5.54 → 0.5.55

package/dist/{chunk-GWSBHC4J.js → chunk-KLPVOPRI.js}

@@ -2,7 +2,7 @@ import {
   createAuditManager,
   emitAuditEvent,
   setGlobalAuditManager
-} from "./chunk-7BNPOCLL.js";
+} from "./chunk-B2WTCLCV.js";
 
 // src/rbac/types.ts
 var RBACError = class extends Error {
@@ -187,6 +187,232 @@ var CACHE_PATTERNS = {
   PERMISSION: (userId, organisationId) => `perm:${userId}:${organisationId}`
 };
 
+// src/rbac/cache-invalidation.ts
+var INVALIDATION_PATTERNS = {
+  // User-level invalidation
+  USER_ROLES_CHANGED: (userId) => [
+    CACHE_PATTERNS.USER(userId),
+    `perm:${userId}:*`,
+    `access:${userId}:*`,
+    `map:${userId}:*`
+  ],
+  // Organisation-level invalidation
+  ORGANISATION_PERMISSIONS_CHANGED: (organisationId) => [
+    CACHE_PATTERNS.ORGANISATION(organisationId),
+    `perm:*:${organisationId}:*`,
+    `access:*:${organisationId}:*`,
+    `map:*:${organisationId}:*`
+  ],
+  // Event-level invalidation
+  EVENT_PERMISSIONS_CHANGED: (eventId) => [
+    CACHE_PATTERNS.EVENT(eventId),
+    `perm:*:*:${eventId}:*`,
+    `access:*:*:${eventId}:*`,
+    `map:*:*:${eventId}:*`
+  ],
+  // App-level invalidation
+  APP_PERMISSIONS_CHANGED: (appId) => [
+    CACHE_PATTERNS.APP(appId),
+    `perm:*:*:*:${appId}:*`,
+    `access:*:*:*:${appId}`,
+    `map:*:*:*:${appId}`
+  ],
+  // Page-level invalidation
+  PAGE_PERMISSIONS_CHANGED: (pageId) => [
+    `perm:*:*:*:*:${pageId}`,
+    `map:*:*:*:*`
+  ]
+};
+var RBACCacheInvalidationManager = class {
+  constructor(supabase) {
+    this.invalidationCallbacks = /* @__PURE__ */ new Set();
+    this.supabase = supabase;
+    this.setupRealtimeSubscriptions();
+  }
+  /**
+   * Add a callback for cache invalidation events
+   * 
+   * @param callback - Function to call when cache is invalidated
+   * @returns Unsubscribe function
+   */
+  onInvalidation(callback) {
+    this.invalidationCallbacks.add(callback);
+    return () => this.invalidationCallbacks.delete(callback);
+  }
+  /**
+   * Invalidate cache for a specific user
+   * 
+   * @param userId - User ID
+   * @param reason - Reason for invalidation
+   */
+  invalidateUser(userId, reason) {
+    const patterns = INVALIDATION_PATTERNS.USER_ROLES_CHANGED(userId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache for a specific organisation
+   * 
+   * @param organisationId - Organisation ID
+   * @param reason - Reason for invalidation
+   */
+  invalidateOrganisation(organisationId, reason) {
+    const patterns = INVALIDATION_PATTERNS.ORGANISATION_PERMISSIONS_CHANGED(organisationId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache for a specific event
+   * 
+   * @param eventId - Event ID
+   * @param reason - Reason for invalidation
+   */
+  invalidateEvent(eventId, reason) {
+    const patterns = INVALIDATION_PATTERNS.EVENT_PERMISSIONS_CHANGED(eventId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache for a specific app
+   * 
+   * @param appId - App ID
+   * @param reason - Reason for invalidation
+   */
+  invalidateApp(appId, reason) {
+    const patterns = INVALIDATION_PATTERNS.APP_PERMISSIONS_CHANGED(appId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache for a specific page
+   * 
+   * @param pageId - Page ID
+   * @param reason - Reason for invalidation
+   */
+  invalidatePage(pageId, reason) {
+    const patterns = INVALIDATION_PATTERNS.PAGE_PERMISSIONS_CHANGED(pageId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache patterns and notify callbacks
+   * 
+   * @param patterns - Array of cache patterns to invalidate
+   * @param reason - Reason for invalidation
+   */
+  invalidatePatterns(patterns, reason) {
+    console.log(`[RBAC Cache] Invalidating patterns: ${patterns.join(", ")} (${reason})`);
+    patterns.forEach((pattern) => {
+      rbacCache.invalidate(pattern);
+    });
+    this.invalidationCallbacks.forEach((callback) => {
+      patterns.forEach((pattern) => callback(pattern));
+    });
+    emitAuditEvent({
+      type: "permission_check",
+      userId: "system",
+      organisationId: "00000000-0000-0000-0000-000000000000",
+      permission: "cache:invalidate",
+      decision: true,
+      source: "api",
+      duration_ms: 0,
+      metadata: {
+        reason,
+        patterns,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        cache_invalidation: true
+      }
+    }).catch((error) => {
+      console.warn("[RBAC Cache] Failed to log cache invalidation audit event:", error);
+    });
+  }
+  /**
+   * Setup realtime subscriptions for automatic cache invalidation
+   */
+  setupRealtimeSubscriptions() {
+    if (!this.supabase.channel || typeof this.supabase.channel !== "function") {
+      console.log("[RBAC Cache] Realtime not available, skipping subscriptions");
+      return;
+    }
+    this.supabase.channel("rbac_organisation_roles_changes").on("postgres_changes", {
+      event: "*",
+      schema: "public",
+      table: "rbac_organisation_roles"
+    }, (payload) => {
+      const { organisation_id, user_id } = payload.new || payload.old || {};
+      if (organisation_id) {
+        this.invalidateOrganisation(organisation_id, `organisation_role_${payload.eventType}`);
+      }
+      if (user_id) {
+        this.invalidateUser(user_id, `organisation_role_${payload.eventType}`);
+      }
+    }).subscribe();
+    this.supabase.channel("rbac_event_app_roles_changes").on("postgres_changes", {
+      event: "*",
+      schema: "public",
+      table: "rbac_event_app_roles"
+    }, (payload) => {
+      const { organisation_id, user_id, event_id, app_id } = payload.new || payload.old || {};
+      if (organisation_id) {
+        this.invalidateOrganisation(organisation_id, `event_app_role_${payload.eventType}`);
+      }
+      if (user_id) {
+        this.invalidateUser(user_id, `event_app_role_${payload.eventType}`);
+      }
+      if (event_id) {
+        this.invalidateEvent(event_id, `event_app_role_${payload.eventType}`);
+      }
+      if (app_id) {
+        this.invalidateApp(app_id, `event_app_role_${payload.eventType}`);
+      }
+    }).subscribe();
+    this.supabase.channel("rbac_global_roles_changes").on("postgres_changes", {
+      event: "*",
+      schema: "public",
+      table: "rbac_global_roles"
+    }, (payload) => {
+      const { user_id } = payload.new || payload.old || {};
+      if (user_id) {
+        this.invalidateUser(user_id, `global_role_${payload.eventType}`);
+      }
+    }).subscribe();
+    this.supabase.channel("rbac_page_permissions_changes").on("postgres_changes", {
+      event: "*",
+      schema: "public",
+      table: "rbac_page_permissions"
+    }, (payload) => {
+      const { organisation_id, app_page_id, role_id } = payload.new || payload.old || {};
+      if (organisation_id) {
+        this.invalidateOrganisation(organisation_id, `page_permission_${payload.eventType}`);
+      }
+      if (app_page_id) {
+        this.invalidatePage(app_page_id, `page_permission_${payload.eventType}`);
+      }
+    }).subscribe();
+  }
+  /**
+   * Manually trigger cache invalidation for all users in an organisation
+   * 
+   * @param organisationId - Organisation ID
+   * @param reason - Reason for invalidation
+   */
+  async invalidateAllUsersInOrganisation(organisationId, reason) {
+    const { data: users } = await this.supabase.from("rbac_organisation_roles").select("user_id").eq("organisation_id", organisationId).eq("is_active", true);
+    if (users) {
+      users.forEach(({ user_id }) => {
+        this.invalidateUser(user_id, reason);
+      });
+    }
+  }
+  /**
+   * Clear all cache entries
+   */
+  clearAllCache() {
+    console.log("[RBAC Cache] Clearing all cache entries");
+    rbacCache.clear();
+  }
+};
+var globalCacheInvalidationManager = null;
+function initializeCacheInvalidation(supabase) {
+  globalCacheInvalidationManager = new RBACCacheInvalidationManager(supabase);
+  return globalCacheInvalidationManager;
+}
+
 // src/rbac/security.ts
 var RBACSecurityValidator = class {
   /**
@@ -315,7 +541,7 @@ var RBACSecurityValidator = class {
       timestamp: event.timestamp || /* @__PURE__ */ new Date(),
       severity: this.getEventSeverity(event.type)
     };
-    if (false) {
+    if (import.meta.env.MODE === "development") {
       console.warn("[RBAC Security]", securityEvent);
     }
   }
@@ -418,6 +644,7 @@ var RBACEngine = class {
   constructor(supabase) {
     this.supabase = supabase;
     this.securityMiddleware = new RBACSecurityMiddleware(DEFAULT_SECURITY_CONFIG);
+    initializeCacheInvalidation(supabase);
   }
   /**
    * Check if a user has a specific permission
@@ -429,6 +656,8 @@ var RBACEngine = class {
   async isPermitted(input, securityContext) {
     const startTime = Date.now();
     const { userId, permission, scope, pageId } = input;
+    let cacheHit = false;
+    let cacheSource = "database";
     try {
       if (securityContext) {
         const validation = await this.securityMiddleware.validateInput(input, securityContext);
@@ -601,7 +830,9 @@ var RBACEngine = class {
           permission,
           decision: finalDecision,
           source: "api",
-          duration_ms: _duration
+          duration_ms: _duration,
+          cache_hit: cacheHit,
+          cache_source: cacheSource
         });
       }
       return finalDecision;
@@ -699,7 +930,7 @@ var RBACEngine = class {
       if (pages) {
         for (const page of pages) {
           const operations = [];
-          for (const operation of ["read", "create", "update", "delete", "manage"]) {
+          for (const operation of ["read", "create", "update", "delete"]) {
             const hasPermission2 = await this.isPermitted({
               userId,
               scope: validatedScope,
@@ -729,10 +960,14 @@ var RBACEngine = class {
     if (cached !== null) {
       return cached;
     }
-    const { data, error } = await this.supabase.from("rbac_global_roles").select("id").eq("user_id", userId).eq("role", "super_admin").is("valid_to", null).single();
-    const isSuperAdmin2 = !error && !!data;
+    const { data, error } = await this.supabase.rpc("rbac_permission_check", {
+      p_operation: "read",
+      p_page_name: "admin-panel",
+      p_user_id: userId
+    });
+    const isSuperAdmin2 = !error && data && data.length > 0 && data[0].has_permission && data[0].role_name === "super_admin";
     rbacCache.set(cacheKey, isSuperAdmin2, 6e4);
-    return isSuperAdmin2;
+    return Boolean(isSuperAdmin2);
   }
   /**
    * Get app configuration including requires_event setting
@@ -818,28 +1053,12 @@ var RBACEngine = class {
       const { data: eventRoles } = await this.supabase.from("rbac_event_app_roles").select("role, status, valid_from, valid_to").eq("user_id", userId).eq("event_id", scope.eventId).eq("app_id", scope.appId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`);
       if (eventRoles) {
         userRoles.push(...eventRoles.map((r) => r.role));
-        for (const role of eventRoles) {
-          grants.push({
-            type: "allow",
-            permission: this.getPermissionForEventRole(role.role),
-            scope: "eventApp",
-            source: "rbac_event_app_roles"
-          });
-        }
       }
     }
     if (scope.organisationId) {
       const { data: orgRoles } = await this.supabase.from("rbac_organisation_roles").select("role, status, valid_from, valid_to").eq("user_id", userId).eq("organisation_id", scope.organisationId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`);
       if (orgRoles) {
         userRoles.push(...orgRoles.map((r) => r.role));
-        for (const role of orgRoles) {
-          grants.push({
-            type: "allow",
-            permission: this.getPermissionForOrgRole(role.role),
-            scope: "organisation",
-            source: "rbac_organisation_roles"
-          });
-        }
       }
     }
     console.log("[collectActiveGrants] User roles:", userRoles);
@@ -868,7 +1087,7 @@ var RBACEngine = class {
           const { data: page } = await this.supabase.from("rbac_app_pages").select("page_name").eq("id", resolvedPageId).single();
           pageName = page?.page_name || null;
         }
-        const rpcResult = await this.supabase.rpc("get_rbac_permissions", {
+        const rpcResult = await this.supabase.rpc("rbac_permissions_get", {
           p_user_id: userId,
           p_app_id: scope.appId,
           p_event_id: scope.eventId || null,
@@ -900,12 +1119,12 @@ var RBACEngine = class {
     if (globalRoles) {
       for (const role of globalRoles) {
         if (role.role === "super_admin") {
-          grants.push({
-            type: "allow",
-            permission: "manage:*",
-            scope: "global",
-            source: "rbac_global_roles"
-          });
+          grants.push(
+            { type: "allow", permission: "read:*", scope: "global", source: "rbac_global_roles" },
+            { type: "allow", permission: "create:*", scope: "global", source: "rbac_global_roles" },
+            { type: "allow", permission: "update:*", scope: "global", source: "rbac_global_roles" },
+            { type: "allow", permission: "delete:*", scope: "global", source: "rbac_global_roles" }
+          );
         }
       }
     }
@@ -947,7 +1166,7 @@ var RBACEngine = class {
       } else {
         let appId = scope.appId;
         if (!appId) {
-          const appName = process.env.VITE_APP_NAME || process.env.REACT_APP_NAME;
+          const appName = import.meta.env.VITE_APP_NAME || import.meta.env.REACT_APP_NAME;
           if (appName) {
             const { data: app } = await this.supabase.from("rbac_apps").select("id").eq("name", appName).eq("is_active", true).single();
             if (app) {
@@ -1001,9 +1220,11 @@ var RBACEngine = class {
   getPermissionForOrgRole(role) {
     switch (role) {
       case "org_admin":
-        return "manage:*";
+        return "read:*";
+      // Will be expanded to all CRUD in collectActiveGrants
       case "leader":
-        return "manage:organisation.*";
+        return "read:organisation.*";
+      // Will be expanded to all CRUD in collectActiveGrants
       case "member":
         return "read:organisation.*";
       case "supporter":
@@ -1021,9 +1242,11 @@ var RBACEngine = class {
   getPermissionForEventRole(role) {
     switch (role) {
       case "event_admin":
-        return "manage:event.*";
+        return "read:event.*";
+      // Will be expanded to all CRUD in collectActiveGrants
       case "planner":
-        return "manage:event.planning";
+        return "read:event.planning";
+      // Will be expanded to all CRUD in collectActiveGrants
       case "participant":
         return "read:event.*";
       case "viewer":
@@ -1198,9 +1421,9 @@ function setupRBAC(supabase, config) {
   const logger = getRBACLogger();
   const fullConfig = {
     supabase,
-    debug: false,
+    debug: import.meta.env.MODE === "development",
     logLevel: "warn",
-    developmentMode: false,
+    developmentMode: import.meta.env.MODE === "development",
     ...config
   };
   createRBACConfig(fullConfig);
@@ -1346,4 +1569,4 @@ export {
   invalidateAppCache,
   clearCache
 };
-//# sourceMappingURL=chunk-GWSBHC4J.js.map
+//# sourceMappingURL=chunk-KLPVOPRI.js.map