@jmruthers/pace-core 0.5.76 → 0.5.77

package/dist/{chunk-KHJS6VIA.js → chunk-PUKTJMRT.js}

@@ -1,164 +1,180 @@
 import {
   getAccessLevel,
   getPermissionMap,
+  getRBACLogger,
+  getRoleContext,
   isPermitted,
-  isPermittedCached
-} from "./chunk-FGMFQSHX.js";
+  isPermittedCached,
+  resolveAppContext
+} from "./chunk-S63MFSY6.js";
 import {
   init_useOrganisations,
   useEvents,
   useOrganisations
-} from "./chunk-LW7MMEAQ.js";
+} from "./chunk-CRKP3HXI.js";
 import {
   init_UnifiedAuthProvider,
   useUnifiedAuth
-} from "./chunk-WN6XJWOS.js";
+} from "./chunk-JDQ7T3QB.js";
 import {
-  getCurrentAppName,
-  init_appNameResolver
-} from "./chunk-5BSLGBYI.js";
+  getCurrentAppName
+} from "./chunk-JCQZ6LA7.js";
 
 // src/rbac/hooks/useRBAC.ts
 init_UnifiedAuthProvider();
 init_useOrganisations();
 import { useState, useEffect, useCallback, useMemo } from "react";
+function mapAccessLevelToEventRole(level) {
+  switch (level) {
+    case "viewer":
+      return "viewer";
+    case "participant":
+      return "participant";
+    case "planner":
+      return "planner";
+    case "admin":
+    case "super":
+      return "event_admin";
+    default:
+      return null;
+  }
+}
 function useRBAC(pageId) {
-  const { user, session, supabase, appName } = useUnifiedAuth();
+  const logger = getRBACLogger();
+  const { user, session, appName } = useUnifiedAuth();
   const { selectedOrganisation } = useOrganisations();
   let selectedEvent = null;
   try {
     const eventsContext = useEvents();
     selectedEvent = eventsContext.selectedEvent;
   } catch (error2) {
-    console.debug("useRBAC: EventProvider not available, continuing without event context");
+    logger.debug("[useRBAC] Event provider not available, continuing without event context", error2);
   }
   const [globalRole, setGlobalRole] = useState(null);
   const [organisationRole, setOrganisationRole] = useState(null);
   const [eventAppRole, setEventAppRole] = useState(null);
-  const [permissions, setPermissions] = useState([]);
+  const [permissionMap, setPermissionMap] = useState({});
+  const [currentScope, setCurrentScope] = useState(null);
   const [isLoading, setIsLoading] = useState(false);
   const [error, setError] = useState(null);
+  const resetState = useCallback(() => {
+    setGlobalRole(null);
+    setOrganisationRole(null);
+    setEventAppRole(null);
+    setPermissionMap({});
+    setCurrentScope(null);
+  }, []);
   const loadRBACContext = useCallback(async () => {
-    if (!user || !session || !supabase || !appName) {
-      console.log("[useRBAC] Missing required dependencies, clearing RBAC state");
-      setGlobalRole(null);
-      setOrganisationRole(null);
-      setEventAppRole(null);
-      setPermissions([]);
+    if (!user || !session) {
+      resetState();
       return;
     }
     setIsLoading(true);
     setError(null);
     try {
-      const { data: appData, error: appError } = await supabase.rpc("util_app_resolve", {
-        p_app_name: appName,
-        p_user_id: user.id
-      });
-      if (appError || !appData || appData.length === 0) {
-        console.warn("App not found or inactive:", appName);
-        setIsLoading(false);
-        return;
-      }
-      const app = appData[0];
-      if (!app.has_access) {
-        console.warn("User does not have access to app:", appName);
-        setIsLoading(false);
-        return;
-      }
-      const { data, error: rpcError } = await supabase.rpc("rbac_permissions_get", {
-        p_user_id: user.id,
-        p_app_id: app.app_id,
-        p_event_id: selectedEvent?.event_id || null,
-        p_organisation_id: selectedOrganisation?.id || null
-      });
-      if (rpcError) {
-        throw new Error(`Failed to load RBAC permissions: ${rpcError.message}`);
-      }
-      if (data) {
-        const globalPerms = data.filter((p) => p.permission_type === "all_permissions");
-        const orgPerms = data.filter((p) => p.permission_type === "organisation_access");
-        const eventPerms = data.filter((p) => p.permission_type === "event_app_access");
-        setGlobalRole(globalPerms.length > 0 ? "super_admin" : null);
-        setOrganisationRole(orgPerms.length > 0 ? orgPerms[0].role_name : null);
-        setEventAppRole(eventPerms.length > 0 ? eventPerms[0].role_name : null);
-        setPermissions(data);
-      } else {
-        setPermissions([]);
+      let appId;
+      if (appName) {
+        const resolved = await resolveAppContext({ userId: user.id, appName });
+        if (!resolved || !resolved.hasAccess) {
+          throw new Error(`User does not have access to app "${appName}"`);
+        }
+        appId = resolved.appId;
       }
+      const scope = {
+        organisationId: selectedOrganisation?.id,
+        eventId: selectedEvent?.event_id || void 0,
+        appId
+      };
+      setCurrentScope(scope);
+      const [map, roleContext, accessLevel] = await Promise.all([
+        getPermissionMap({ userId: user.id, scope }),
+        getRoleContext({ userId: user.id, scope }),
+        getAccessLevel({ userId: user.id, scope })
+      ]);
+      setPermissionMap(map);
+      setGlobalRole(roleContext.globalRole);
+      setOrganisationRole(roleContext.organisationRole);
+      setEventAppRole(roleContext.eventAppRole || mapAccessLevelToEventRole(accessLevel));
     } catch (err) {
-      console.error("RBAC Context Loading Error:", err);
-      setError(err instanceof Error ? err : new Error("Unknown error loading RBAC context"));
-      setPermissions([]);
+      const handledError = err instanceof Error ? err : new Error("Failed to load RBAC context");
+      logger.error("[useRBAC] Error loading RBAC context:", handledError);
+      setError(handledError);
+      resetState();
     } finally {
       setIsLoading(false);
     }
-  }, [user?.id, session, supabase, appName, selectedEvent?.event_id, selectedOrganisation?.id, pageId]);
-  const hasPermission = useCallback(async (operation, targetPageId) => {
-    if (!user || !session || !supabase || !appName) return false;
-    if (globalRole === "super_admin") {
-      return true;
-    }
-    try {
-      const { data: appData, error: appError } = await supabase.rpc("util_app_resolve", {
-        p_app_name: appName,
-        p_user_id: user.id
-      });
-      if (appError || !appData || appData.length === 0) {
-        console.warn("App not found or inactive:", appName);
+  }, [appName, logger, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user]);
+  const hasPermission = useCallback(
+    async (operationOrPermission, targetPageId) => {
+      if (!user) {
+        logger.warn("[useRBAC] Permission check attempted without authenticated user context");
         return false;
       }
-      const app = appData[0];
-      if (!app.has_access) {
-        console.warn("User does not have access to app:", appName);
+      if (!currentScope || !currentScope.organisationId) {
+        logger.error("[useRBAC] Permission check denied due to missing organisation context", {
+          hasScope: !!currentScope,
+          scope: currentScope,
+          userId: user.id,
+          permission: operationOrPermission
+        });
         return false;
       }
-      const { data, error: error2 } = await supabase.rpc("rbac_page_access_check", {
-        p_user_id: user.id,
-        p_app_id: app.app_id,
-        p_page_id: targetPageId || pageId || "default",
-        p_operation: operation,
-        p_event_id: selectedEvent?.event_id,
-        p_organisation_id: selectedOrganisation?.id
-      });
-      if (error2) {
-        console.error("Permission check failed:", error2);
+      if (globalRole === "super_admin" || permissionMap["*"]) {
+        logger.info("[useRBAC] Super admin bypass granted", {
+          userId: user.id,
+          permission: operationOrPermission
+        });
+        return true;
+      }
+      let permission;
+      if (operationOrPermission.includes(":")) {
+        permission = operationOrPermission;
+      } else if (targetPageId || pageId) {
+        permission = `${operationOrPermission}:${targetPageId || pageId}`;
+      } else {
+        permission = operationOrPermission;
+      }
+      const cachedValue = permissionMap[permission];
+      if (cachedValue === true) {
+        return true;
+      }
+      if (cachedValue === false) {
         return false;
       }
-      return data === true;
-    } catch (err) {
-      console.error("Permission check error:", err);
-      return false;
-    }
-  }, [user, supabase, appName, selectedEvent, selectedOrganisation, pageId, globalRole]);
-  const hasGlobalPermission = useCallback((permission) => {
-    if (globalRole === "super_admin") {
-      return true;
-    }
-    if (permission === "super_admin") {
-      return globalRole === "super_admin";
-    }
-    if (permission === "org_admin") {
-      return organisationRole === "org_admin" || globalRole === "super_admin";
-    }
-    return false;
-  }, [globalRole, organisationRole]);
-  const isSuperAdmin = useMemo(() => globalRole === "super_admin", [globalRole]);
-  const isOrgAdmin = useMemo(() => organisationRole === "org_admin", [organisationRole]);
-  const isEventAdmin = useMemo(() => eventAppRole === "event_admin", [eventAppRole]);
-  const canManageOrganisation = useMemo(
-    () => isSuperAdmin || isOrgAdmin,
-    [isSuperAdmin, isOrgAdmin]
+      return isPermittedCached({
+        userId: user.id,
+        scope: currentScope,
+        permission,
+        pageId: targetPageId ?? pageId
+      });
+    },
+    [currentScope, globalRole, logger, pageId, permissionMap, user]
   );
-  const canManageEvent = useMemo(
-    () => isSuperAdmin || isEventAdmin,
-    [isSuperAdmin, isEventAdmin]
+  const hasGlobalPermission = useCallback(
+    (permission) => {
+      if (globalRole === "super_admin" || permissionMap["*"]) {
+        return true;
+      }
+      if (permission === "super_admin") {
+        return globalRole === "super_admin";
+      }
+      if (permission === "org_admin") {
+        return organisationRole === "org_admin";
+      }
+      return permissionMap[permission] === true;
+    },
+    [globalRole, organisationRole, permissionMap]
   );
+  const isSuperAdmin = useMemo(() => globalRole === "super_admin" || permissionMap["*"] === true, [globalRole, permissionMap]);
+  const isOrgAdmin = useMemo(() => organisationRole === "org_admin" || isSuperAdmin, [organisationRole, isSuperAdmin]);
+  const isEventAdmin = useMemo(() => eventAppRole === "event_admin" || isSuperAdmin, [eventAppRole, isSuperAdmin]);
+  const canManageOrganisation = useMemo(() => isSuperAdmin || organisationRole === "org_admin", [isSuperAdmin, organisationRole]);
+  const canManageEvent = useMemo(() => isSuperAdmin || eventAppRole === "event_admin", [isSuperAdmin, eventAppRole]);
   useEffect(() => {
     loadRBACContext();
   }, [loadRBACContext]);
   return {
     user,
-    // Add user to the returned context
     globalRole,
     organisationRole,
     eventAppRole,
@@ -198,7 +214,6 @@ async function createScopeFromEvent(supabase, eventId, appId) {
 }
 
 // src/rbac/hooks/useResolvedScope.ts
-init_appNameResolver();
 function useResolvedScope({
   supabase,
   selectedOrganisationId,
@@ -256,7 +271,14 @@ function useResolvedScope({
             }
           }
         }
+        console.log("[useResolvedScope] Attempting to resolve scope:", {
+          selectedOrganisationId,
+          selectedEventId,
+          appId: appId || "NOT RESOLVED YET",
+          resolveStep: "initial"
+        });
         if (selectedOrganisationId && selectedEventId) {
+          console.log("[useResolvedScope] Resolving with both org and event");
           if (!cancelled) {
             setResolvedScope({
               organisationId: selectedOrganisationId,
@@ -268,6 +290,7 @@ function useResolvedScope({
           return;
         }
         if (selectedOrganisationId) {
+          console.log("[useResolvedScope] Resolving with organisation only");
           if (!cancelled) {
             setResolvedScope({
               organisationId: selectedOrganisationId,
@@ -280,6 +303,7 @@ function useResolvedScope({
         }
         if (selectedEventId && supabase) {
           try {
+            console.log("[useResolvedScope] Resolving from event:", { selectedEventId, appId });
             const eventScope = await createScopeFromEvent(supabase, selectedEventId, appId);
             if (!eventScope) {
               console.error("[useResolvedScope] Could not resolve organization from event context");
@@ -290,6 +314,7 @@ function useResolvedScope({
               }
               return;
             }
+            console.log("[useResolvedScope] Resolved from event:", eventScope);
             if (!cancelled) {
               setResolvedScope({
                 ...eventScope,
@@ -371,13 +396,22 @@ function usePermissions(userId, scope) {
     fetchPermissions();
   }, [userId, scope.organisationId, scope.eventId, scope.appId]);
   const hasPermission = useCallback2((permission) => {
-    return !!permissions[permission];
+    if (permissions["*"]) {
+      return true;
+    }
+    return permissions[permission] === true;
   }, [permissions]);
   const hasAnyPermission = useCallback2((permissionList) => {
-    return permissionList.some((p) => !!permissions[p]);
+    if (permissions["*"]) {
+      return true;
+    }
+    return permissionList.some((p) => permissions[p] === true);
   }, [permissions]);
   const hasAllPermissions = useCallback2((permissionList) => {
-    return permissionList.every((p) => !!permissions[p]);
+    if (permissions["*"]) {
+      return true;
+    }
+    return permissionList.every((p) => permissions[p] === true);
   }, [permissions]);
   const refetch = useCallback2(async () => {
     if (isFetchingRef.current) {
@@ -441,6 +475,7 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
           return;
         }
         if (!scope.organisationId || scope.organisationId.trim() === "") {
+          console.log("[useCan] Invalid scope - organisationId is empty:", { scope, permission, pageId });
           setCan(false);
           setIsLoading(true);
           return;
@@ -448,9 +483,19 @@ function useCan(userId, scope, permission, pageId, useCache = true) {
         try {
           setIsLoading(true);
           setError(null);
+          console.log("[useCan] Checking permission:", {
+            userId,
+            organisationId: scope.organisationId,
+            eventId: scope.eventId,
+            appId: scope.appId,
+            permission,
+            pageId
+          });
           const result = useCache ? await isPermittedCached({ userId, scope, permission, pageId }) : await isPermitted({ userId, scope, permission, pageId });
+          console.log("[useCan] Permission check result:", { permission, result, pageId });
           setCan(result);
         } catch (err) {
+          console.error("[useCan] Permission check error:", { permission, error: err });
           setError(err instanceof Error ? err : new Error("Failed to check permission"));
           setCan(false);
         } finally {
@@ -684,4 +729,4 @@ export {
   useHasAllPermissions,
   useCachedPermissions
 };
-//# sourceMappingURL=chunk-KHJS6VIA.js.map
+//# sourceMappingURL=chunk-PUKTJMRT.js.map

package/dist/chunk-PUKTJMRT.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/rbac/hooks/useRBAC.ts","../src/rbac/hooks/useResolvedScope.ts","../src/rbac/utils/eventContext.ts","../src/rbac/hooks/usePermissions.ts"],"sourcesContent":["/**\n * @file RBAC Hook\n * @package @jmruthers/pace-core\n * @module RBAC/Hooks\n * @since 0.3.0\n *\n * A React hook that provides access to the RBAC (Role-Based Access Control) system\n * through the hardened RBAC engine API. The hook defers all permission and role\n * resolution to the shared engine to ensure consistent security behaviour across\n * applications.\n */\n\nimport { useState, useEffect, useCallback, useMemo } from 'react';\nimport { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';\nimport { useOrganisations } from '../../hooks/useOrganisations';\nimport { useEvents } from '../../hooks/useEvents';\nimport {\n  getPermissionMap,\n  getAccessLevel,\n  isPermittedCached,\n  resolveAppContext,\n  getRoleContext,\n} from '../api';\nimport { getRBACLogger } from '../config';\nimport type {\n  UserRBACContext,\n  GlobalRole,\n  OrganisationRole,\n  EventAppRole,\n  Operation,\n  Permission,\n  Scope,\n  PermissionMap,\n  UUID,\n} from '../types';\n\nfunction mapAccessLevelToEventRole(level: string | null): EventAppRole | null {\n  switch (level) {\n    case 'viewer':\n      return 'viewer';\n    case 'participant':\n      return 'participant';\n    case 'planner':\n      return 'planner';\n    case 'admin':\n    case 'super':\n      return 'event_admin';\n    default:\n      return null;\n  }\n}\n\nexport function useRBAC(pageId?: string): UserRBACContext {\n  const logger = getRBACLogger();\n  const { user, session, appName } = useUnifiedAuth();\n  const { selectedOrganisation } = useOrganisations();\n\n  let selectedEvent: { event_id: string } | null = null;\n  try {\n    const eventsContext = useEvents();\n    selectedEvent = eventsContext.selectedEvent;\n  } catch (error) {\n    logger.debug('[useRBAC] Event provider not available, continuing without event context', error);\n  }\n\n  const [globalRole, setGlobalRole] = useState<GlobalRole | null>(null);\n  const [organisationRole, setOrganisationRole] = useState<OrganisationRole | null>(null);\n  const [eventAppRole, setEventAppRole] = useState<EventAppRole | null>(null);\n  const [permissionMap, setPermissionMap] = useState<PermissionMap>({} as PermissionMap);\n  const [currentScope, setCurrentScope] = useState<Scope | null>(null);\n  const [isLoading, setIsLoading] = useState(false);\n  const [error, setError] = useState<Error | null>(null);\n\n  const resetState = useCallback(() => {\n    setGlobalRole(null);\n    setOrganisationRole(null);\n    setEventAppRole(null);\n    setPermissionMap({} as PermissionMap);\n    setCurrentScope(null);\n  }, []);\n\n  const loadRBACContext = useCallback(async () => {\n    if (!user || !session) {\n      resetState();\n      return;\n    }\n\n    setIsLoading(true);\n    setError(null);\n\n    try {\n      let appId: UUID | undefined;\n      if (appName) {\n        const resolved = await resolveAppContext({ userId: user.id as UUID, appName });\n        if (!resolved || !resolved.hasAccess) {\n          throw new Error(`User does not have access to app \"${appName}\"`);\n        }\n        appId = resolved.appId;\n      }\n\n      const scope: Scope = {\n        organisationId: selectedOrganisation?.id,\n        eventId: selectedEvent?.event_id || undefined,\n        appId,\n      };\n      setCurrentScope(scope);\n\n      const [map, roleContext, accessLevel] = await Promise.all([\n        getPermissionMap({ userId: user.id as UUID, scope }),\n        getRoleContext({ userId: user.id as UUID, scope }),\n        getAccessLevel({ userId: user.id as UUID, scope }),\n      ]);\n\n      setPermissionMap(map);\n      setGlobalRole(roleContext.globalRole);\n      setOrganisationRole(roleContext.organisationRole);\n      setEventAppRole(roleContext.eventAppRole || mapAccessLevelToEventRole(accessLevel));\n    } catch (err) {\n      const handledError = err instanceof Error ? err : new Error('Failed to load RBAC context');\n      logger.error('[useRBAC] Error loading RBAC context:', handledError);\n      setError(handledError);\n      resetState();\n    } finally {\n      setIsLoading(false);\n    }\n  }, [appName, logger, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user]);\n\n  const hasPermission = useCallback(\n    async (operationOrPermission: Operation | string, targetPageId?: string): Promise<boolean> => {\n      if (!user) {\n        logger.warn('[useRBAC] Permission check attempted without authenticated user context');\n        return false;\n      }\n\n      if (!currentScope || !currentScope.organisationId) {\n        logger.error('[useRBAC] Permission check denied due to missing organisation context', {\n          hasScope: !!currentScope,\n          scope: currentScope,\n          userId: user.id,\n          permission: operationOrPermission,\n        });\n        return false;\n      }\n\n      if (globalRole === 'super_admin' || permissionMap['*']) {\n        logger.info('[useRBAC] Super admin bypass granted', {\n          userId: user.id,\n          permission: operationOrPermission,\n        });\n        return true;\n      }\n\n      let permission: Permission;\n      if (operationOrPermission.includes(':')) {\n        permission = operationOrPermission as Permission;\n      } else if (targetPageId || pageId) {\n        permission = `${operationOrPermission}:${targetPageId || pageId}` as Permission;\n      } else {\n        permission = operationOrPermission as Permission;\n      }\n\n      const cachedValue = permissionMap[permission];\n      if (cachedValue === true) {\n        return true;\n      }\n      if (cachedValue === false) {\n        return false;\n      }\n\n      return isPermittedCached({\n        userId: user.id as UUID,\n        scope: currentScope,\n        permission,\n        pageId: targetPageId ?? pageId,\n      });\n    },\n    [currentScope, globalRole, logger, pageId, permissionMap, user],\n  );\n\n  const hasGlobalPermission = useCallback(\n    (permission: string): boolean => {\n      if (globalRole === 'super_admin' || permissionMap['*']) {\n        return true;\n      }\n\n      if (permission === 'super_admin') {\n        return globalRole === 'super_admin';\n      }\n\n      if (permission === 'org_admin') {\n        return organisationRole === 'org_admin';\n      }\n\n      return permissionMap[permission as Permission] === true;\n    },\n    [globalRole, organisationRole, permissionMap],\n  );\n\n  const isSuperAdmin = useMemo(() => globalRole === 'super_admin' || permissionMap['*'] === true, [globalRole, permissionMap]);\n  const isOrgAdmin = useMemo(() => organisationRole === 'org_admin' || isSuperAdmin, [organisationRole, isSuperAdmin]);\n  const isEventAdmin = useMemo(() => eventAppRole === 'event_admin' || isSuperAdmin, [eventAppRole, isSuperAdmin]);\n  const canManageOrganisation = useMemo(() => isSuperAdmin || organisationRole === 'org_admin', [isSuperAdmin, organisationRole]);\n  const canManageEvent = useMemo(() => isSuperAdmin || eventAppRole === 'event_admin', [isSuperAdmin, eventAppRole]);\n\n  useEffect(() => {\n    loadRBACContext();\n  }, [loadRBACContext]);\n\n  return {\n    user,\n    globalRole,\n    organisationRole,\n    eventAppRole,\n    hasPermission,\n    hasGlobalPermission,\n    isSuperAdmin,\n    isOrgAdmin,\n    isEventAdmin,\n    canManageOrganisation,\n    canManageEvent,\n    isLoading,\n    error,\n  };\n}\n","/**\n * @file useResolvedScope Hook\n * @package @jmruthers/pace-core\n * @module RBAC/Hooks\n * @since 1.0.0\n * \n * Shared hook for resolving RBAC scope from various contexts.\n * This hook is used by both DataTable and PagePermissionGuard to ensure\n * consistent scope resolution logic.\n */\n\nimport { useEffect, useState, useRef } from 'react';\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport type { Database } from '../../types/database';\nimport type { Scope } from '../types';\nimport { createScopeFromEvent } from '../utils/eventContext';\nimport { getCurrentAppName } from '../../utils/appNameResolver';\n\nexport interface UseResolvedScopeOptions {\n  /** Supabase client instance */\n  supabase: SupabaseClient<Database> | null;\n  /** Selected organisation ID */\n  selectedOrganisationId: string | null;\n  /** Selected event ID */\n  selectedEventId: string | null;\n}\n\nexport interface UseResolvedScopeReturn {\n  /** Resolved scope, or null if not yet resolved */\n  resolvedScope: Scope | null;\n  /** Whether the scope resolution is in progress */\n  isLoading: boolean;\n  /** Error if scope resolution failed */\n  error: Error | null;\n}\n\n/**\n * Resolves RBAC scope from organisation and event context\n * \n * This hook handles the complex logic of determining the correct RBAC scope\n * based on available context (organisation, event, app). It ensures consistent\n * scope resolution across the application.\n * \n * @param options - Hook options\n * @returns Resolved scope and loading state\n * \n * @example\n * ```tsx\n * const { resolvedScope, isLoading } = useResolvedScope({\n *   supabase,\n *   selectedOrganisationId,\n *   selectedEventId\n * });\n * \n * if (isLoading) return <Loading />;\n * if (!resolvedScope) return <Error />;\n * \n * const permission = useCan(userId, resolvedScope, permission);\n * ```\n */\nexport function useResolvedScope({\n  supabase,\n  selectedOrganisationId,\n  selectedEventId\n}: UseResolvedScopeOptions): UseResolvedScopeReturn {\n  const [resolvedScope, setResolvedScope] = useState<Scope | null>(null);\n  const [isLoading, setIsLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n  \n  // Use a ref to track the stable scope and only update it when it actually changes\n  const stableScopeRef = useRef<{ organisationId: string; appId: string; eventId: string | undefined }>({ \n    organisationId: '', \n    appId: '', \n    eventId: undefined \n  });\n  \n  // Only update the stable scope if the resolved scope has actually changed\n  if (resolvedScope && resolvedScope.organisationId) {\n    const newScope = {\n      organisationId: resolvedScope.organisationId,\n      appId: resolvedScope.appId,\n      eventId: resolvedScope.eventId\n    };\n    \n    // Only update if the scope has actually changed\n    if (stableScopeRef.current.organisationId !== newScope.organisationId ||\n        stableScopeRef.current.eventId !== newScope.eventId ||\n        stableScopeRef.current.appId !== newScope.appId) {\n      stableScopeRef.current = {\n        organisationId: newScope.organisationId,\n        appId: newScope.appId || '',\n        eventId: newScope.eventId\n      };\n    }\n  } else if (!resolvedScope) {\n    // Reset to empty scope when no resolved scope\n    stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };\n  }\n  \n  const stableScope = stableScopeRef.current;\n  \n  useEffect(() => {\n    let cancelled = false;\n    \n    const resolveScope = async () => {\n      setIsLoading(true);\n      setError(null);\n      \n      try {\n        // Get app ID from package.json or environment\n        let appId: string | undefined = undefined;\n        \n        // Try to resolve from database\n        if (supabase) {\n          const appName = getCurrentAppName();\n          if (appName) {\n            try {\n              const { data: app, error } = await supabase\n                .from('rbac_apps')\n                .select('id, name, is_active')\n                .eq('name', appName)\n                .eq('is_active', true)\n                .single() as { data: { id: string; name: string; is_active: boolean } | null; error: any };\n              \n              if (error) {\n                // Check if app exists but is inactive\n                const { data: inactiveApp } = await supabase\n                  .from('rbac_apps')\n                  .select('id, name, is_active')\n                  .eq('name', appName)\n                  .single() as { data: { id: string; name: string; is_active: boolean } | null };\n                \n                if (inactiveApp) {\n                  console.error(`[useResolvedScope] App \"${appName}\" exists but is inactive (is_active: ${inactiveApp.is_active})`);\n                } else {\n                  console.error(`[useResolvedScope] App \"${appName}\" not found in rbac_apps table`);\n                }\n              } else if (app) {\n                appId = app.id;\n              }\n            } catch (error) {\n              console.error('[useResolvedScope] Unexpected error resolving app ID:', error);\n            }\n          }\n        }\n\n        // Debug logging\n        console.log('[useResolvedScope] Attempting to resolve scope:', {\n          selectedOrganisationId,\n          selectedEventId,\n          appId: appId || 'NOT RESOLVED YET',\n          resolveStep: 'initial'\n        });\n\n        // If we have both organisation and event, use them directly\n        if (selectedOrganisationId && selectedEventId) {\n          console.log('[useResolvedScope] Resolving with both org and event');\n          if (!cancelled) {\n            setResolvedScope({\n              organisationId: selectedOrganisationId,\n              eventId: selectedEventId,\n              appId: appId\n            });\n            setIsLoading(false);\n          }\n          return;\n        }\n\n        // If we only have organisation, use it\n        if (selectedOrganisationId) {\n          console.log('[useResolvedScope] Resolving with organisation only');\n          if (!cancelled) {\n            setResolvedScope({\n              organisationId: selectedOrganisationId,\n              eventId: selectedEventId || undefined,\n              appId: appId\n            });\n            setIsLoading(false);\n          }\n          return;\n        }\n\n        // If we only have event, resolve organisation from event\n        if (selectedEventId && supabase) {\n          try {\n            console.log('[useResolvedScope] Resolving from event:', { selectedEventId, appId });\n            const eventScope = await createScopeFromEvent(supabase, selectedEventId, appId);\n            if (!eventScope) {\n              console.error('[useResolvedScope] Could not resolve organization from event context');\n              if (!cancelled) {\n                setResolvedScope(null);\n                setError(new Error('Could not resolve organisation from event context'));\n                setIsLoading(false);\n              }\n              return;\n            }\n            console.log('[useResolvedScope] Resolved from event:', eventScope);\n            // Preserve the resolved app ID\n            if (!cancelled) {\n              setResolvedScope({\n                ...eventScope,\n                appId: appId || eventScope.appId\n              });\n              setIsLoading(false);\n            }\n          } catch (err) {\n            console.error('[useResolvedScope] Error resolving scope from event:', err);\n            if (!cancelled) {\n              setResolvedScope(null);\n              setError(err as Error);\n              setIsLoading(false);\n            }\n          }\n          return;\n        }\n\n        // No context available\n        console.error('[useResolvedScope] No organisation or event context available');\n        if (!cancelled) {\n          setResolvedScope(null);\n          setError(new Error('No organisation or event context available'));\n          setIsLoading(false);\n        }\n      } catch (err) {\n        if (!cancelled) {\n          setError(err as Error);\n          setIsLoading(false);\n        }\n      }\n    };\n\n    resolveScope();\n    \n    return () => {\n      cancelled = true;\n    };\n  }, [selectedOrganisationId, selectedEventId, supabase]);\n  \n  return {\n    resolvedScope: stableScope.organisationId ? stableScope as Scope : null,\n    isLoading,\n    error\n  };\n}\n","/**\n * Event Context Utilities for RBAC\n * @package @jmruthers/pace-core\n * @module RBAC/EventContext\n * @since 1.0.0\n * \n * This module provides utilities for event-based RBAC operations where\n * the organization context is derived from the event context.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../../types/database';\nimport { UUID, Scope } from '../types';\n\n/**\n * Get organization ID from event ID\n * \n * @param supabase - Supabase client\n * @param eventId - Event ID\n * @returns Promise resolving to organization ID or null\n */\nexport async function getOrganisationFromEvent(\n  supabase: SupabaseClient<Database>,\n  eventId: string\n): Promise<UUID | null> {\n  const { data, error } = await supabase\n    .from('event')\n    .select('organisation_id')\n    .eq('event_id', eventId)\n    .single() as { data: { organisation_id: string } | null; error: any };\n\n  if (error || !data) {\n    return null;\n  }\n\n  return data.organisation_id;\n}\n\n/**\n * Create a complete scope from event context\n * \n * @param supabase - Supabase client\n * @param eventId - Event ID\n * @param appId - Optional app ID\n * @returns Promise resolving to complete scope\n */\nexport async function createScopeFromEvent(\n  supabase: SupabaseClient<Database>,\n  eventId: string,\n  appId?: UUID\n): Promise<Scope | null> {\n  const organisationId = await getOrganisationFromEvent(supabase, eventId);\n  \n  if (!organisationId) {\n    return null;\n  }\n\n  return {\n    organisationId,\n    eventId,\n    appId\n  };\n}\n\n/**\n * Check if a scope is event-based (has eventId but no explicit organisationId)\n * \n * @param scope - Permission scope\n * @returns True if scope is event-based\n */\nexport function isEventBasedScope(scope: Scope): boolean {\n  return !scope.organisationId && !!scope.eventId;\n}\n\n/**\n * Validate that an event-based scope has the required context\n * \n * @param scope - Permission scope\n * @returns True if scope is valid for event-based operations\n */\nexport function isValidEventBasedScope(scope: Scope): boolean {\n  return isEventBasedScope(scope) && !!scope.eventId;\n}\n","/**\n * @file RBAC Permission Hooks\n * @package @jmruthers/pace-core\n * @module RBAC/Hooks\n * @since 1.0.0\n * \n * This module provides React hooks for RBAC functionality.\n */\n\nimport { useState, useEffect, useCallback, useMemo, useRef } from 'react';\nimport { \n  UUID, \n  Scope, \n  Permission, \n  PermissionMap\n} from '../types';\nimport { AccessLevel as AccessLevelType } from '../types';\nimport { \n  getAccessLevel, \n  getPermissionMap, \n  isPermitted,\n  isPermittedCached \n} from '../api';\n\n/**\n * Hook to get user's permissions in a scope\n * \n * @param userId - User ID\n * @param scope - Scope for permission checking\n * @returns Permission state and methods\n * \n * @example\n * ```tsx\n * function MyComponent() {\n *   const { permissions, isLoading, error } = usePermissions(userId, scope);\n *   \n *   if (isLoading) return <div>Loading...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *   \n *   return (\n *     <div>\n *       {permissions['read:users'] && <UserList />}\n *       {permissions['create:users'] && <CreateUserButton />}\n *     </div>\n *   );\n * }\n * ```\n */\nexport function usePermissions(userId: UUID, scope: Scope) {\n  const [permissions, setPermissions] = useState<PermissionMap>({} as PermissionMap);\n  const [isLoading, setIsLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n  const isFetchingRef = useRef(false);\n\n  useEffect(() => {\n    const fetchPermissions = async () => {\n      // Prevent multiple simultaneous fetches\n      if (isFetchingRef.current) {\n        return;\n      }\n\n      if (!userId) {\n        setPermissions({} as PermissionMap);\n        setIsLoading(false);\n        return;\n      }\n\n      // Don't fetch permissions if scope is invalid (e.g., organisationId is empty)\n      // Return empty permissions and loading true for invalid scopes to prevent premature access denied\n      if (!scope.organisationId || scope.organisationId.trim() === '') {\n        setPermissions({} as PermissionMap);\n        setIsLoading(true);\n        setError(null);\n        return;\n      }\n\n      try {\n        isFetchingRef.current = true;\n        setIsLoading(true);\n        setError(null);\n        \n        const permissionMap = await getPermissionMap({ userId, scope });\n        setPermissions(permissionMap);\n      } catch (err) {\n        setError(err instanceof Error ? err : new Error('Failed to fetch permissions'));\n      } finally {\n        setIsLoading(false);\n        isFetchingRef.current = false;\n      }\n    };\n\n    fetchPermissions();\n  }, [userId, scope.organisationId, scope.eventId, scope.appId]);\n\n  const hasPermission = useCallback((permission: Permission): boolean => {\n    if (permissions['*']) {\n      return true;\n    }\n    return permissions[permission] === true;\n  }, [permissions]);\n\n  const hasAnyPermission = useCallback((permissionList: Permission[]): boolean => {\n    if (permissions['*']) {\n      return true;\n    }\n    return permissionList.some(p => permissions[p] === true);\n  }, [permissions]);\n\n  const hasAllPermissions = useCallback((permissionList: Permission[]): boolean => {\n    if (permissions['*']) {\n      return true;\n    }\n    return permissionList.every(p => permissions[p] === true);\n  }, [permissions]);\n\n  const refetch = useCallback(async () => {\n    // Prevent multiple simultaneous fetches\n    if (isFetchingRef.current) {\n      return;\n    }\n\n    if (!userId) {\n      setPermissions({} as PermissionMap);\n      setIsLoading(false);\n      return;\n    }\n\n    // Don't fetch permissions if scope is invalid (e.g., organisationId is empty)\n    if (!scope.organisationId || scope.organisationId.trim() === '') {\n      setPermissions({} as PermissionMap);\n      setIsLoading(true);\n      setError(null);\n      return;\n    }\n\n    try {\n      isFetchingRef.current = true;\n      setIsLoading(true);\n      setError(null);\n      \n      const permissionMap = await getPermissionMap({ userId, scope });\n      setPermissions(permissionMap);\n    } catch (err) {\n      setError(err instanceof Error ? err : new Error('Failed to fetch permissions'));\n    } finally {\n      setIsLoading(false);\n      isFetchingRef.current = false;\n    }\n  }, [userId, scope.organisationId, scope.eventId, scope.appId]);\n\n  // Memoize the return object to prevent unnecessary re-renders\n  return useMemo(() => ({\n    permissions,\n    isLoading,\n    error,\n    hasPermission,\n    hasAnyPermission,\n    hasAllPermissions,\n    refetch\n  }), [permissions, isLoading, error, hasPermission, hasAnyPermission, hasAllPermissions, refetch]);\n}\n\n/**\n * Hook to check if user can perform an action\n * \n * @param userId - User ID\n * @param scope - Scope for permission checking\n * @param permission - Permission to check\n * @param pageId - Optional page ID\n * @param useCache - Whether to use cached results\n * @returns Permission check state and methods\n * \n * @example\n * ```tsx\n * function MyComponent() {\n *   const { can, isLoading, error } = useCan(userId, scope, 'read:users');\n *   \n *   if (isLoading) return <div>Checking permission...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *   \n *   return can ? <UserList /> : <div>Access denied</div>;\n * }\n * ```\n */\nexport function useCan(\n  userId: UUID, \n  scope: Scope, \n  permission: Permission, \n  pageId?: UUID,\n  useCache: boolean = true\n) {\n  const [can, setCan] = useState<boolean>(false);\n  const [isLoading, setIsLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  // Use refs to track the last values to prevent unnecessary re-runs\n  const lastUserIdRef = useRef<UUID | null>(null);\n  const lastScopeRef = useRef<string | null>(null);\n  const lastPermissionRef = useRef<Permission | null>(null);\n  const lastPageIdRef = useRef<UUID | undefined | null>(null);\n  const lastUseCacheRef = useRef<boolean | null>(null);\n\n  useEffect(() => {\n    // Create a scope key to track changes\n    const scopeKey = `${scope.organisationId}-${scope.eventId}-${scope.appId}`;\n    \n    // Only run if something has actually changed\n    if (\n      lastUserIdRef.current !== userId ||\n      lastScopeRef.current !== scopeKey ||\n      lastPermissionRef.current !== permission ||\n      lastPageIdRef.current !== pageId ||\n      lastUseCacheRef.current !== useCache\n    ) {\n      lastUserIdRef.current = userId;\n      lastScopeRef.current = scopeKey;\n      lastPermissionRef.current = permission;\n      lastPageIdRef.current = pageId;\n      lastUseCacheRef.current = useCache;\n      \n      // Inline the permission check logic to avoid useCallback dependency issues\n      const checkPermission = async () => {\n        if (!userId) {\n          setCan(false);\n          setIsLoading(false);\n          return;\n        }\n\n        // Don't check permissions if scope is invalid (e.g., organisationId is empty)\n        // Return can: false and loading: true for invalid scopes to prevent premature access denied\n        if (!scope.organisationId || scope.organisationId.trim() === '') {\n          console.log('[useCan] Invalid scope - organisationId is empty:', { scope, permission, pageId });\n          setCan(false);\n          setIsLoading(true);\n          return;\n        }\n\n        try {\n          setIsLoading(true);\n          setError(null);\n          \n          console.log('[useCan] Checking permission:', { \n            userId, \n            organisationId: scope.organisationId, \n            eventId: scope.eventId, \n            appId: scope.appId,\n            permission, \n            pageId \n          });\n          \n          const result = useCache \n            ? await isPermittedCached({ userId, scope, permission, pageId })\n            : await isPermitted({ userId, scope, permission, pageId });\n          \n          console.log('[useCan] Permission check result:', { permission, result, pageId });\n          \n          setCan(result);\n        } catch (err) {\n          console.error('[useCan] Permission check error:', { permission, error: err });\n          setError(err instanceof Error ? err : new Error('Failed to check permission'));\n          setCan(false);\n        } finally {\n          setIsLoading(false);\n        }\n      };\n      \n      checkPermission();\n    }\n  }, [userId, scope.organisationId, scope.eventId, scope.appId, permission, pageId, useCache]);\n\n  const refetch = useCallback(async () => {\n    if (!userId) {\n      setCan(false);\n      setIsLoading(false);\n      return;\n    }\n\n    // Don't check permissions if scope is invalid (e.g., organisationId is empty)\n    if (!scope.organisationId || scope.organisationId.trim() === '') {\n      setCan(false);\n      setIsLoading(true);\n      return;\n    }\n\n    try {\n      setIsLoading(true);\n      setError(null);\n      \n      const result = useCache \n        ? await isPermittedCached({ userId, scope, permission, pageId })\n        : await isPermitted({ userId, scope, permission, pageId });\n      \n      setCan(result);\n    } catch (err) {\n      setError(err instanceof Error ? err : new Error('Failed to check permission'));\n      setCan(false);\n    } finally {\n      setIsLoading(false);\n    }\n  }, [userId, scope.organisationId, scope.eventId, scope.appId, permission, pageId, useCache]);\n\n  // Memoize the return object to prevent unnecessary re-renders\n  return useMemo(() => ({\n    can,\n    isLoading,\n    error,\n    refetch\n  }), [can, isLoading, error, refetch]);\n}\n\n/**\n * Hook to get user's access level in a scope\n * \n * @param userId - User ID\n * @param scope - Scope for access level checking\n * @returns Access level state and methods\n * \n * @example\n * ```tsx\n * function MyComponent() {\n *   const { accessLevel, isLoading, error } = useAccessLevel(userId, scope);\n *   \n *   if (isLoading) return <div>Loading access level...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *   \n *   return (\n *     <div>\n *       Access Level: {accessLevel}\n *       {accessLevel >= AccessLevel.ADMIN && <AdminPanel />}\n *     </div>\n *   );\n * }\n * ```\n */\nexport function useAccessLevel(userId: UUID, scope: Scope): {\n  accessLevel: AccessLevelType;\n  isLoading: boolean;\n  error: Error | null;\n  refetch: () => Promise<void>;\n} {\n  const [accessLevel, setAccessLevel] = useState<AccessLevelType>('viewer');\n  const [isLoading, setIsLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const fetchAccessLevel = useCallback(async () => {\n    if (!userId) {\n      setAccessLevel('viewer');\n      setIsLoading(false);\n      return;\n    }\n\n    try {\n      setIsLoading(true);\n      setError(null);\n      \n      const level = await getAccessLevel({ userId, scope });\n      setAccessLevel(level);\n    } catch (err) {\n      setError(err instanceof Error ? err : new Error('Failed to fetch access level'));\n      setAccessLevel('viewer');\n    } finally {\n      setIsLoading(false);\n    }\n  }, [userId, scope.organisationId, scope.eventId, scope.appId]);\n\n  useEffect(() => {\n    fetchAccessLevel();\n  }, [fetchAccessLevel]);\n\n  // Memoize the return object to prevent unnecessary re-renders\n  return useMemo(() => ({\n    accessLevel,\n    isLoading,\n    error,\n    refetch: fetchAccessLevel\n  }), [accessLevel, isLoading, error, fetchAccessLevel]);\n}\n\n/**\n * Hook to check multiple permissions at once\n * \n * @param userId - User ID\n * @param scope - Scope for permission checking\n * @param permissions - Array of permissions to check\n * @param useCache - Whether to use cached results\n * @returns Multiple permission check results\n * \n * @example\n * ```tsx\n * function MyComponent() {\n *   const { results, isLoading, error } = useMultiplePermissions(\n *     userId, \n *     scope, \n *     ['read:users', 'create:users', 'update:users']\n *   );\n *   \n *   if (isLoading) return <div>Checking permissions...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *   \n *   return (\n *     <div>\n *       {results['read:users'] && <UserList />}\n *       {results['create:users'] && <CreateUserButton />}\n *       {results['update:users'] && <EditUserButton />}\n *     </div>\n *   );\n * }\n * ```\n */\nexport function useMultiplePermissions(\n  userId: UUID, \n  scope: Scope, \n  permissions: Permission[],\n  useCache: boolean = true\n): {\n  results: Record<Permission, boolean>;\n  isLoading: boolean;\n  error: Error | null;\n  refetch: () => Promise<void>;\n} {\n  const [results, setResults] = useState<Record<Permission, boolean>>({} as Record<Permission, boolean>);\n  const [isLoading, setIsLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const checkPermissions = useCallback(async () => {\n    if (!userId || permissions.length === 0) {\n      setResults({} as Record<Permission, boolean>);\n      setIsLoading(false);\n      return;\n    }\n\n    try {\n      setIsLoading(true);\n      setError(null);\n      \n      const permissionResults: Record<Permission, boolean> = {} as Record<Permission, boolean>;\n      \n      // Check each permission\n      for (const permission of permissions) {\n        const result = useCache \n          ? await isPermittedCached({ userId, scope, permission })\n          : await isPermitted({ userId, scope, permission });\n        permissionResults[permission] = result;\n      }\n      \n      setResults(permissionResults);\n    } catch (err) {\n      setError(err instanceof Error ? err : new Error('Failed to check permissions'));\n      setResults({} as Record<Permission, boolean>);\n    } finally {\n      setIsLoading(false);\n    }\n  }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);\n\n  useEffect(() => {\n    checkPermissions();\n  }, [checkPermissions]);\n\n  // Memoize the return object to prevent unnecessary re-renders\n  return useMemo(() => ({\n    results,\n    isLoading,\n    error,\n    refetch: checkPermissions\n  }), [results, isLoading, error, checkPermissions]);\n}\n\n/**\n * Hook to check if user has any of the specified permissions\n * \n * @param userId - User ID\n * @param scope - Scope for permission checking\n * @param permissions - Array of permissions to check\n * @param useCache - Whether to use cached results\n * @returns Whether user has any of the permissions\n * \n * @example\n * ```tsx\n * function MyComponent() {\n *   const { hasAny, isLoading, error } = useHasAnyPermission(\n *     userId, \n *     scope, \n *     ['read:users', 'create:users']\n *   );\n *   \n *   if (isLoading) return <div>Checking permissions...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *   \n *   return hasAny ? <UserManagementPanel /> : <div>No user permissions</div>;\n * }\n * ```\n */\nexport function useHasAnyPermission(\n  userId: UUID, \n  scope: Scope, \n  permissions: Permission[],\n  useCache: boolean = true\n): {\n  hasAny: boolean;\n  isLoading: boolean;\n  error: Error | null;\n  refetch: () => Promise<void>;\n} {\n  const [hasAny, setHasAny] = useState<boolean>(false);\n  const [isLoading, setIsLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const checkAnyPermission = useCallback(async () => {\n    if (!userId || permissions.length === 0) {\n      setHasAny(false);\n      setIsLoading(false);\n      return;\n    }\n\n    try {\n      setIsLoading(true);\n      setError(null);\n      \n      let hasAnyPermission = false;\n      \n      for (const permission of permissions) {\n        const result = useCache \n          ? await isPermittedCached({ userId, scope, permission })\n          : await isPermitted({ userId, scope, permission });\n        \n        if (result) {\n          hasAnyPermission = true;\n          break;\n        }\n      }\n      \n      setHasAny(hasAnyPermission);\n    } catch (err) {\n      setError(err instanceof Error ? err : new Error('Failed to check permissions'));\n      setHasAny(false);\n    } finally {\n      setIsLoading(false);\n    }\n  }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);\n\n  useEffect(() => {\n    checkAnyPermission();\n  }, [checkAnyPermission]);\n\n  // Memoize the return object to prevent unnecessary re-renders\n  return useMemo(() => ({\n    hasAny,\n    isLoading,\n    error,\n    refetch: checkAnyPermission\n  }), [hasAny, isLoading, error, checkAnyPermission]);\n}\n\n/**\n * Hook to check if user has all of the specified permissions\n * \n * @param userId - User ID\n * @param scope - Scope for permission checking\n * @param permissions - Array of permissions to check\n * @param useCache - Whether to use cached results\n * @returns Whether user has all of the permissions\n * \n * @example\n * ```tsx\n * function MyComponent() {\n *   const { hasAll, isLoading, error } = useHasAllPermissions(\n *     userId, \n *     scope, \n *     ['read:users', 'create:users', 'update:users']\n *   );\n *   \n *   if (isLoading) return <div>Checking permissions...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *   \n *   return hasAll ? <FullUserManagementPanel /> : <div>Insufficient permissions</div>;\n * }\n * ```\n */\nexport function useHasAllPermissions(\n  userId: UUID, \n  scope: Scope, \n  permissions: Permission[],\n  useCache: boolean = true\n): {\n  hasAll: boolean;\n  isLoading: boolean;\n  error: Error | null;\n  refetch: () => Promise<void>;\n} {\n  const [hasAll, setHasAll] = useState<boolean>(false);\n  const [isLoading, setIsLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const checkAllPermissions = useCallback(async () => {\n    if (!userId || permissions.length === 0) {\n      setHasAll(false);\n      setIsLoading(false);\n      return;\n    }\n\n    try {\n      setIsLoading(true);\n      setError(null);\n      \n      let hasAllPermissions = true;\n      \n      for (const permission of permissions) {\n        const result = useCache \n          ? await isPermittedCached({ userId, scope, permission })\n          : await isPermitted({ userId, scope, permission });\n        \n        if (!result) {\n          hasAllPermissions = false;\n          break;\n        }\n      }\n      \n      setHasAll(hasAllPermissions);\n    } catch (err) {\n      setError(err instanceof Error ? err : new Error('Failed to check permissions'));\n      setHasAll(false);\n    } finally {\n      setIsLoading(false);\n    }\n  }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);\n\n  useEffect(() => {\n    checkAllPermissions();\n  }, [checkAllPermissions]);\n\n  // Memoize the return object to prevent unnecessary re-renders\n  return useMemo(() => ({\n    hasAll,\n    isLoading,\n    error,\n    refetch: checkAllPermissions\n  }), [hasAll, isLoading, error, checkAllPermissions]);\n}\n\n/**\n * Hook to get cached permissions with TTL management\n * \n * @param userId - User ID\n * @param scope - Scope for permission checking\n * @returns Cached permission state and methods\n * \n * @example\n * ```tsx\n * function MyComponent() {\n *   const { permissions, isLoading, error, invalidateCache } = useCachedPermissions(userId, scope);\n *   \n *   if (isLoading) return <div>Loading cached permissions...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *   \n *   return (\n *     <div>\n *       {permissions['read:users'] && <UserList />}\n *       <button onClick={invalidateCache}>Refresh Permissions</button>\n *     </div>\n *   );\n * }\n * ```\n */\nexport function useCachedPermissions(userId: UUID, scope: Scope): {\n  permissions: PermissionMap;\n  isLoading: boolean;\n  error: Error | null;\n  invalidateCache: () => void;\n  refetch: () => Promise<void>;\n} {\n  const [permissions, setPermissions] = useState<PermissionMap>({} as PermissionMap);\n  const [isLoading, setIsLoading] = useState(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  const fetchCachedPermissions = useCallback(async () => {\n    if (!userId) {\n      setPermissions({} as PermissionMap);\n      setIsLoading(false);\n      return;\n    }\n\n    try {\n      setIsLoading(true);\n      setError(null);\n      \n      const permissionMap = await getPermissionMap({ userId, scope });\n      setPermissions(permissionMap);\n    } catch (err) {\n      setError(err instanceof Error ? err : new Error('Failed to fetch cached permissions'));\n    } finally {\n      setIsLoading(false);\n    }\n  }, [userId, scope.organisationId, scope.eventId, scope.appId]);\n\n  const invalidateCache = useCallback(() => {\n    // This would typically invalidate the cache in the actual implementation\n    // For now, we'll just refetch\n    fetchCachedPermissions();\n  }, [fetchCachedPermissions]);\n\n  useEffect(() => {\n    fetchCachedPermissions();\n  }, [fetchCachedPermissions]);\n\n  // Memoize the return object to prevent unnecessary re-renders\n  return useMemo(() => ({\n    permissions,\n    isLoading,\n    error,\n    invalidateCache,\n    refetch: fetchCachedPermissions\n  }), [permissions, isLoading, error, invalidateCache, fetchCachedPermissions]);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAaA;AACA;AAFA,SAAS,UAAU,WAAW,aAAa,eAAe;AAwB1D,SAAS,0BAA0B,OAA2C;AAC5E,UAAQ,OAAO;AAAA,IACb,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;AAEO,SAAS,QAAQ,QAAkC;AACxD,QAAM,SAAS,cAAc;AAC7B,QAAM,EAAE,MAAM,SAAS,QAAQ,IAAI,eAAe;AAClD,QAAM,EAAE,qBAAqB,IAAI,iBAAiB;AAElD,MAAI,gBAA6C;AACjD,MAAI;AACF,UAAM,gBAAgB,UAAU;AAChC,oBAAgB,cAAc;AAAA,EAChC,SAASA,QAAO;AACd,WAAO,MAAM,4EAA4EA,MAAK;AAAA,EAChG;AAEA,QAAM,CAAC,YAAY,aAAa,IAAI,SAA4B,IAAI;AACpE,QAAM,CAAC,kBAAkB,mBAAmB,IAAI,SAAkC,IAAI;AACtF,QAAM,CAAC,cAAc,eAAe,IAAI,SAA8B,IAAI;AAC1E,QAAM,CAAC,eAAe,gBAAgB,IAAI,SAAwB,CAAC,CAAkB;AACrF,QAAM,CAAC,cAAc,eAAe,IAAI,SAAuB,IAAI;AACnE,QAAM,CAAC,WAAW,YAAY,IAAI,SAAS,KAAK;AAChD,QAAM,CAAC,OAAO,QAAQ,IAAI,SAAuB,IAAI;AAErD,QAAM,aAAa,YAAY,MAAM;AACnC,kBAAc,IAAI;AAClB,wBAAoB,IAAI;AACxB,oBAAgB,IAAI;AACpB,qBAAiB,CAAC,CAAkB;AACpC,oBAAgB,IAAI;AAAA,EACtB,GAAG,CAAC,CAAC;AAEL,QAAM,kBAAkB,YAAY,YAAY;AAC9C,QAAI,CAAC,QAAQ,CAAC,SAAS;AACrB,iBAAW;AACX;AAAA,IACF;AAEA,iBAAa,IAAI;AACjB,aAAS,IAAI;AAEb,QAAI;AACF,UAAI;AACJ,UAAI,SAAS;AACX,cAAM,WAAW,MAAM,kBAAkB,EAAE,QAAQ,KAAK,IAAY,QAAQ,CAAC;AAC7E,YAAI,CAAC,YAAY,CAAC,SAAS,WAAW;AACpC,gBAAM,IAAI,MAAM,qCAAqC,OAAO,GAAG;AAAA,QACjE;AACA,gBAAQ,SAAS;AAAA,MACnB;AAEA,YAAM,QAAe;AAAA,QACnB,gBAAgB,sBAAsB;AAAA,QACtC,SAAS,eAAe,YAAY;AAAA,QACpC;AAAA,MACF;AACA,sBAAgB,KAAK;AAErB,YAAM,CAAC,KAAK,aAAa,WAAW,IAAI,MAAM,QAAQ,IAAI;AAAA,QACxD,iBAAiB,EAAE,QAAQ,KAAK,IAAY,MAAM,CAAC;AAAA,QACnD,eAAe,EAAE,QAAQ,KAAK,IAAY,MAAM,CAAC;AAAA,QACjD,eAAe,EAAE,QAAQ,KAAK,IAAY,MAAM,CAAC;AAAA,MACnD,CAAC;AAED,uBAAiB,GAAG;AACpB,oBAAc,YAAY,UAAU;AACpC,0BAAoB,YAAY,gBAAgB;AAChD,sBAAgB,YAAY,gBAAgB,0BAA0B,WAAW,CAAC;AAAA,IACpF,SAAS,KAAK;AACZ,YAAM,eAAe,eAAe,QAAQ,MAAM,IAAI,MAAM,6BAA6B;AACzF,aAAO,MAAM,yCAAyC,YAAY;AAClE,eAAS,YAAY;AACrB,iBAAW;AAAA,IACb,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF,GAAG,CAAC,SAAS,QAAQ,YAAY,eAAe,UAAU,sBAAsB,IAAI,SAAS,IAAI,CAAC;AAElG,QAAM,gBAAgB;AAAA,IACpB,OAAO,uBAA2C,iBAA4C;AAC5F,UAAI,CAAC,MAAM;AACT,eAAO,KAAK,yEAAyE;AACrF,eAAO;AAAA,MACT;AAEA,UAAI,CAAC,gBAAgB,CAAC,aAAa,gBAAgB;AACjD,eAAO,MAAM,yEAAyE;AAAA,UACpF,UAAU,CAAC,CAAC;AAAA,UACZ,OAAO;AAAA,UACP,QAAQ,KAAK;AAAA,UACb,YAAY;AAAA,QACd,CAAC;AACD,eAAO;AAAA,MACT;AAEA,UAAI,eAAe,iBAAiB,cAAc,GAAG,GAAG;AACtD,eAAO,KAAK,wCAAwC;AAAA,UAClD,QAAQ,KAAK;AAAA,UACb,YAAY;AAAA,QACd,CAAC;AACD,eAAO;AAAA,MACT;AAEA,UAAI;AACJ,UAAI,sBAAsB,SAAS,GAAG,GAAG;AACvC,qBAAa;AAAA,MACf,WAAW,gBAAgB,QAAQ;AACjC,qBAAa,GAAG,qBAAqB,IAAI,gBAAgB,MAAM;AAAA,MACjE,OAAO;AACL,qBAAa;AAAA,MACf;AAEA,YAAM,cAAc,cAAc,UAAU;AAC5C,UAAI,gBAAgB,MAAM;AACxB,eAAO;AAAA,MACT;AACA,UAAI,gBAAgB,OAAO;AACzB,eAAO;AAAA,MACT;AAEA,aAAO,kBAAkB;AAAA,QACvB,QAAQ,KAAK;AAAA,QACb,OAAO;AAAA,QACP;AAAA,QACA,QAAQ,gBAAgB;AAAA,MAC1B,CAAC;AAAA,IACH;AAAA,IACA,CAAC,cAAc,YAAY,QAAQ,QAAQ,eAAe,IAAI;AAAA,EAChE;AAEA,QAAM,sBAAsB;AAAA,IAC1B,CAAC,eAAgC;AAC/B,UAAI,eAAe,iBAAiB,cAAc,GAAG,GAAG;AACtD,eAAO;AAAA,MACT;AAEA,UAAI,eAAe,eAAe;AAChC,eAAO,eAAe;AAAA,MACxB;AAEA,UAAI,eAAe,aAAa;AAC9B,eAAO,qBAAqB;AAAA,MAC9B;AAEA,aAAO,cAAc,UAAwB,MAAM;AAAA,IACrD;AAAA,IACA,CAAC,YAAY,kBAAkB,aAAa;AAAA,EAC9C;AAEA,QAAM,eAAe,QAAQ,MAAM,eAAe,iBAAiB,cAAc,GAAG,MAAM,MAAM,CAAC,YAAY,aAAa,CAAC;AAC3H,QAAM,aAAa,QAAQ,MAAM,qBAAqB,eAAe,cAAc,CAAC,kBAAkB,YAAY,CAAC;AACnH,QAAM,eAAe,QAAQ,MAAM,iBAAiB,iBAAiB,cAAc,CAAC,cAAc,YAAY,CAAC;AAC/G,QAAM,wBAAwB,QAAQ,MAAM,gBAAgB,qBAAqB,aAAa,CAAC,cAAc,gBAAgB,CAAC;AAC9H,QAAM,iBAAiB,QAAQ,MAAM,gBAAgB,iBAAiB,eAAe,CAAC,cAAc,YAAY,CAAC;AAEjH,YAAU,MAAM;AACd,oBAAgB;AAAA,EAClB,GAAG,CAAC,eAAe,CAAC;AAEpB,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ACpNA,SAAS,aAAAC,YAAW,YAAAC,WAAU,cAAc;;;ACU5C,eAAsB,yBACpB,UACA,SACsB;AACtB,QAAM,EAAE,MAAM,MAAM,IAAI,MAAM,SAC3B,KAAK,OAAO,EACZ,OAAO,iBAAiB,EACxB,GAAG,YAAY,OAAO,EACtB,OAAO;AAEV,MAAI,SAAS,CAAC,MAAM;AAClB,WAAO;AAAA,EACT;AAEA,SAAO,KAAK;AACd;AAUA,eAAsB,qBACpB,UACA,SACA,OACuB;AACvB,QAAM,iBAAiB,MAAM,yBAAyB,UAAU,OAAO;AAEvE,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,EACT;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ADFO,SAAS,iBAAiB;AAAA,EAC/B;AAAA,EACA;AAAA,EACA;AACF,GAAoD;AAClD,QAAM,CAAC,eAAe,gBAAgB,IAAIC,UAAuB,IAAI;AACrE,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAS,IAAI;AAC/C,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AAGrD,QAAM,iBAAiB,OAA+E;AAAA,IACpG,gBAAgB;AAAA,IAChB,OAAO;AAAA,IACP,SAAS;AAAA,EACX,CAAC;AAGD,MAAI,iBAAiB,cAAc,gBAAgB;AACjD,UAAM,WAAW;AAAA,MACf,gBAAgB,cAAc;AAAA,MAC9B,OAAO,cAAc;AAAA,MACrB,SAAS,cAAc;AAAA,IACzB;AAGA,QAAI,eAAe,QAAQ,mBAAmB,SAAS,kBACnD,eAAe,QAAQ,YAAY,SAAS,WAC5C,eAAe,QAAQ,UAAU,SAAS,OAAO;AACnD,qBAAe,UAAU;AAAA,QACvB,gBAAgB,SAAS;AAAA,QACzB,OAAO,SAAS,SAAS;AAAA,QACzB,SAAS,SAAS;AAAA,MACpB;AAAA,IACF;AAAA,EACF,WAAW,CAAC,eAAe;AAEzB,mBAAe,UAAU,EAAE,gBAAgB,IAAI,OAAO,IAAI,SAAS,OAAU;AAAA,EAC/E;AAEA,QAAM,cAAc,eAAe;AAEnC,EAAAC,WAAU,MAAM;AACd,QAAI,YAAY;AAEhB,UAAM,eAAe,YAAY;AAC/B,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,UAAI;AAEF,YAAI,QAA4B;AAGhC,YAAI,UAAU;AACZ,gBAAM,UAAU,kBAAkB;AAClC,cAAI,SAAS;AACX,gBAAI;AACF,oBAAM,EAAE,MAAM,KAAK,OAAAC,OAAM,IAAI,MAAM,SAChC,KAAK,WAAW,EAChB,OAAO,qBAAqB,EAC5B,GAAG,QAAQ,OAAO,EAClB,GAAG,aAAa,IAAI,EACpB,OAAO;AAEV,kBAAIA,QAAO;AAET,sBAAM,EAAE,MAAM,YAAY,IAAI,MAAM,SACjC,KAAK,WAAW,EAChB,OAAO,qBAAqB,EAC5B,GAAG,QAAQ,OAAO,EAClB,OAAO;AAEV,oBAAI,aAAa;AACf,0BAAQ,MAAM,2BAA2B,OAAO,wCAAwC,YAAY,SAAS,GAAG;AAAA,gBAClH,OAAO;AACL,0BAAQ,MAAM,2BAA2B,OAAO,gCAAgC;AAAA,gBAClF;AAAA,cACF,WAAW,KAAK;AACd,wBAAQ,IAAI;AAAA,cACd;AAAA,YACF,SAASA,QAAO;AACd,sBAAQ,MAAM,yDAAyDA,MAAK;AAAA,YAC9E;AAAA,UACF;AAAA,QACF;AAGA,gBAAQ,IAAI,mDAAmD;AAAA,UAC7D;AAAA,UACA;AAAA,UACA,OAAO,SAAS;AAAA,UAChB,aAAa;AAAA,QACf,CAAC;AAGD,YAAI,0BAA0B,iBAAiB;AAC7C,kBAAQ,IAAI,sDAAsD;AAClE,cAAI,CAAC,WAAW;AACd,6BAAiB;AAAA,cACf,gBAAgB;AAAA,cAChB,SAAS;AAAA,cACT;AAAA,YACF,CAAC;AACD,yBAAa,KAAK;AAAA,UACpB;AACA;AAAA,QACF;AAGA,YAAI,wBAAwB;AAC1B,kBAAQ,IAAI,qDAAqD;AACjE,cAAI,CAAC,WAAW;AACd,6BAAiB;AAAA,cACf,gBAAgB;AAAA,cAChB,SAAS,mBAAmB;AAAA,cAC5B;AAAA,YACF,CAAC;AACD,yBAAa,KAAK;AAAA,UACpB;AACA;AAAA,QACF;AAGA,YAAI,mBAAmB,UAAU;AAC/B,cAAI;AACF,oBAAQ,IAAI,4CAA4C,EAAE,iBAAiB,MAAM,CAAC;AAClF,kBAAM,aAAa,MAAM,qBAAqB,UAAU,iBAAiB,KAAK;AAC9E,gBAAI,CAAC,YAAY;AACf,sBAAQ,MAAM,sEAAsE;AACpF,kBAAI,CAAC,WAAW;AACd,iCAAiB,IAAI;AACrB,yBAAS,IAAI,MAAM,mDAAmD,CAAC;AACvE,6BAAa,KAAK;AAAA,cACpB;AACA;AAAA,YACF;AACA,oBAAQ,IAAI,2CAA2C,UAAU;AAEjE,gBAAI,CAAC,WAAW;AACd,+BAAiB;AAAA,gBACf,GAAG;AAAA,gBACH,OAAO,SAAS,WAAW;AAAA,cAC7B,CAAC;AACD,2BAAa,KAAK;AAAA,YACpB;AAAA,UACF,SAAS,KAAK;AACZ,oBAAQ,MAAM,wDAAwD,GAAG;AACzE,gBAAI,CAAC,WAAW;AACd,+BAAiB,IAAI;AACrB,uBAAS,GAAY;AACrB,2BAAa,KAAK;AAAA,YACpB;AAAA,UACF;AACA;AAAA,QACF;AAGA,gBAAQ,MAAM,+DAA+D;AAC7E,YAAI,CAAC,WAAW;AACd,2BAAiB,IAAI;AACrB,mBAAS,IAAI,MAAM,4CAA4C,CAAC;AAChE,uBAAa,KAAK;AAAA,QACpB;AAAA,MACF,SAAS,KAAK;AACZ,YAAI,CAAC,WAAW;AACd,mBAAS,GAAY;AACrB,uBAAa,KAAK;AAAA,QACpB;AAAA,MACF;AAAA,IACF;AAEA,iBAAa;AAEb,WAAO,MAAM;AACX,kBAAY;AAAA,IACd;AAAA,EACF,GAAG,CAAC,wBAAwB,iBAAiB,QAAQ,CAAC;AAEtD,SAAO;AAAA,IACL,eAAe,YAAY,iBAAiB,cAAuB;AAAA,IACnE;AAAA,IACA;AAAA,EACF;AACF;;;AE1OA,SAAS,YAAAC,WAAU,aAAAC,YAAW,eAAAC,cAAa,WAAAC,UAAS,UAAAC,eAAc;AAuC3D,SAAS,eAAe,QAAc,OAAc;AACzD,QAAM,CAAC,aAAa,cAAc,IAAIC,UAAwB,CAAC,CAAkB;AACjF,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAS,IAAI;AAC/C,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AACrD,QAAM,gBAAgBC,QAAO,KAAK;AAElC,EAAAC,WAAU,MAAM;AACd,UAAM,mBAAmB,YAAY;AAEnC,UAAI,cAAc,SAAS;AACzB;AAAA,MACF;AAEA,UAAI,CAAC,QAAQ;AACX,uBAAe,CAAC,CAAkB;AAClC,qBAAa,KAAK;AAClB;AAAA,MACF;AAIA,UAAI,CAAC,MAAM,kBAAkB,MAAM,eAAe,KAAK,MAAM,IAAI;AAC/D,uBAAe,CAAC,CAAkB;AAClC,qBAAa,IAAI;AACjB,iBAAS,IAAI;AACb;AAAA,MACF;AAEA,UAAI;AACF,sBAAc,UAAU;AACxB,qBAAa,IAAI;AACjB,iBAAS,IAAI;AAEb,cAAM,gBAAgB,MAAM,iBAAiB,EAAE,QAAQ,MAAM,CAAC;AAC9D,uBAAe,aAAa;AAAA,MAC9B,SAAS,KAAK;AACZ,iBAAS,eAAe,QAAQ,MAAM,IAAI,MAAM,6BAA6B,CAAC;AAAA,MAChF,UAAE;AACA,qBAAa,KAAK;AAClB,sBAAc,UAAU;AAAA,MAC1B;AAAA,IACF;AAEA,qBAAiB;AAAA,EACnB,GAAG,CAAC,QAAQ,MAAM,gBAAgB,MAAM,SAAS,MAAM,KAAK,CAAC;AAE7D,QAAM,gBAAgBC,aAAY,CAAC,eAAoC;AACrE,QAAI,YAAY,GAAG,GAAG;AACpB,aAAO;AAAA,IACT;AACA,WAAO,YAAY,UAAU,MAAM;AAAA,EACrC,GAAG,CAAC,WAAW,CAAC;AAEhB,QAAM,mBAAmBA,aAAY,CAAC,mBAA0C;AAC9E,QAAI,YAAY,GAAG,GAAG;AACpB,aAAO;AAAA,IACT;AACA,WAAO,eAAe,KAAK,OAAK,YAAY,CAAC,MAAM,IAAI;AAAA,EACzD,GAAG,CAAC,WAAW,CAAC;AAEhB,QAAM,oBAAoBA,aAAY,CAAC,mBAA0C;AAC/E,QAAI,YAAY,GAAG,GAAG;AACpB,aAAO;AAAA,IACT;AACA,WAAO,eAAe,MAAM,OAAK,YAAY,CAAC,MAAM,IAAI;AAAA,EAC1D,GAAG,CAAC,WAAW,CAAC;AAEhB,QAAM,UAAUA,aAAY,YAAY;AAEtC,QAAI,cAAc,SAAS;AACzB;AAAA,IACF;AAEA,QAAI,CAAC,QAAQ;AACX,qBAAe,CAAC,CAAkB;AAClC,mBAAa,KAAK;AAClB;AAAA,IACF;AAGA,QAAI,CAAC,MAAM,kBAAkB,MAAM,eAAe,KAAK,MAAM,IAAI;AAC/D,qBAAe,CAAC,CAAkB;AAClC,mBAAa,IAAI;AACjB,eAAS,IAAI;AACb;AAAA,IACF;AAEA,QAAI;AACF,oBAAc,UAAU;AACxB,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,YAAM,gBAAgB,MAAM,iBAAiB,EAAE,QAAQ,MAAM,CAAC;AAC9D,qBAAe,aAAa;AAAA,IAC9B,SAAS,KAAK;AACZ,eAAS,eAAe,QAAQ,MAAM,IAAI,MAAM,6BAA6B,CAAC;AAAA,IAChF,UAAE;AACA,mBAAa,KAAK;AAClB,oBAAc,UAAU;AAAA,IAC1B;AAAA,EACF,GAAG,CAAC,QAAQ,MAAM,gBAAgB,MAAM,SAAS,MAAM,KAAK,CAAC;AAG7D,SAAOC,SAAQ,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI,CAAC,aAAa,WAAW,OAAO,eAAe,kBAAkB,mBAAmB,OAAO,CAAC;AAClG;AAwBO,SAAS,OACd,QACA,OACA,YACA,QACA,WAAoB,MACpB;AACA,QAAM,CAAC,KAAK,MAAM,IAAIJ,UAAkB,KAAK;AAC7C,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAS,IAAI;AAC/C,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AAGrD,QAAM,gBAAgBC,QAAoB,IAAI;AAC9C,QAAM,eAAeA,QAAsB,IAAI;AAC/C,QAAM,oBAAoBA,QAA0B,IAAI;AACxD,QAAM,gBAAgBA,QAAgC,IAAI;AAC1D,QAAM,kBAAkBA,QAAuB,IAAI;AAEnD,EAAAC,WAAU,MAAM;AAEd,UAAM,WAAW,GAAG,MAAM,cAAc,IAAI,MAAM,OAAO,IAAI,MAAM,KAAK;AAGxE,QACE,cAAc,YAAY,UAC1B,aAAa,YAAY,YACzB,kBAAkB,YAAY,cAC9B,cAAc,YAAY,UAC1B,gBAAgB,YAAY,UAC5B;AACA,oBAAc,UAAU;AACxB,mBAAa,UAAU;AACvB,wBAAkB,UAAU;AAC5B,oBAAc,UAAU;AACxB,sBAAgB,UAAU;AAG1B,YAAM,kBAAkB,YAAY;AAClC,YAAI,CAAC,QAAQ;AACX,iBAAO,KAAK;AACZ,uBAAa,KAAK;AAClB;AAAA,QACF;AAIA,YAAI,CAAC,MAAM,kBAAkB,MAAM,eAAe,KAAK,MAAM,IAAI;AAC/D,kBAAQ,IAAI,qDAAqD,EAAE,OAAO,YAAY,OAAO,CAAC;AAC9F,iBAAO,KAAK;AACZ,uBAAa,IAAI;AACjB;AAAA,QACF;AAEA,YAAI;AACF,uBAAa,IAAI;AACjB,mBAAS,IAAI;AAEb,kBAAQ,IAAI,iCAAiC;AAAA,YAC3C;AAAA,YACA,gBAAgB,MAAM;AAAA,YACtB,SAAS,MAAM;AAAA,YACf,OAAO,MAAM;AAAA,YACb;AAAA,YACA;AAAA,UACF,CAAC;AAED,gBAAM,SAAS,WACX,MAAM,kBAAkB,EAAE,QAAQ,OAAO,YAAY,OAAO,CAAC,IAC7D,MAAM,YAAY,EAAE,QAAQ,OAAO,YAAY,OAAO,CAAC;AAE3D,kBAAQ,IAAI,qCAAqC,EAAE,YAAY,QAAQ,OAAO,CAAC;AAE/E,iBAAO,MAAM;AAAA,QACf,SAAS,KAAK;AACZ,kBAAQ,MAAM,oCAAoC,EAAE,YAAY,OAAO,IAAI,CAAC;AAC5E,mBAAS,eAAe,QAAQ,MAAM,IAAI,MAAM,4BAA4B,CAAC;AAC7E,iBAAO,KAAK;AAAA,QACd,UAAE;AACA,uBAAa,KAAK;AAAA,QACpB;AAAA,MACF;AAEA,sBAAgB;AAAA,IAClB;AAAA,EACF,GAAG,CAAC,QAAQ,MAAM,gBAAgB,MAAM,SAAS,MAAM,OAAO,YAAY,QAAQ,QAAQ,CAAC;AAE3F,QAAM,UAAUC,aAAY,YAAY;AACtC,QAAI,CAAC,QAAQ;AACX,aAAO,KAAK;AACZ,mBAAa,KAAK;AAClB;AAAA,IACF;AAGA,QAAI,CAAC,MAAM,kBAAkB,MAAM,eAAe,KAAK,MAAM,IAAI;AAC/D,aAAO,KAAK;AACZ,mBAAa,IAAI;AACjB;AAAA,IACF;AAEA,QAAI;AACF,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,YAAM,SAAS,WACX,MAAM,kBAAkB,EAAE,QAAQ,OAAO,YAAY,OAAO,CAAC,IAC7D,MAAM,YAAY,EAAE,QAAQ,OAAO,YAAY,OAAO,CAAC;AAE3D,aAAO,MAAM;AAAA,IACf,SAAS,KAAK;AACZ,eAAS,eAAe,QAAQ,MAAM,IAAI,MAAM,4BAA4B,CAAC;AAC7E,aAAO,KAAK;AAAA,IACd,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF,GAAG,CAAC,QAAQ,MAAM,gBAAgB,MAAM,SAAS,MAAM,OAAO,YAAY,QAAQ,QAAQ,CAAC;AAG3F,SAAOC,SAAQ,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI,CAAC,KAAK,WAAW,OAAO,OAAO,CAAC;AACtC;AA0BO,SAAS,eAAe,QAAc,OAK3C;AACA,QAAM,CAAC,aAAa,cAAc,IAAIJ,UAA0B,QAAQ;AACxE,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAS,IAAI;AAC/C,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AAErD,QAAM,mBAAmBG,aAAY,YAAY;AAC/C,QAAI,CAAC,QAAQ;AACX,qBAAe,QAAQ;AACvB,mBAAa,KAAK;AAClB;AAAA,IACF;AAEA,QAAI;AACF,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,YAAM,QAAQ,MAAM,eAAe,EAAE,QAAQ,MAAM,CAAC;AACpD,qBAAe,KAAK;AAAA,IACtB,SAAS,KAAK;AACZ,eAAS,eAAe,QAAQ,MAAM,IAAI,MAAM,8BAA8B,CAAC;AAC/E,qBAAe,QAAQ;AAAA,IACzB,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF,GAAG,CAAC,QAAQ,MAAM,gBAAgB,MAAM,SAAS,MAAM,KAAK,CAAC;AAE7D,EAAAD,WAAU,MAAM;AACd,qBAAiB;AAAA,EACnB,GAAG,CAAC,gBAAgB,CAAC;AAGrB,SAAOE,SAAQ,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX,IAAI,CAAC,aAAa,WAAW,OAAO,gBAAgB,CAAC;AACvD;AAiCO,SAAS,uBACd,QACA,OACA,aACA,WAAoB,MAMpB;AACA,QAAM,CAAC,SAAS,UAAU,IAAIJ,UAAsC,CAAC,CAAgC;AACrG,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAS,IAAI;AAC/C,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AAErD,QAAM,mBAAmBG,aAAY,YAAY;AAC/C,QAAI,CAAC,UAAU,YAAY,WAAW,GAAG;AACvC,iBAAW,CAAC,CAAgC;AAC5C,mBAAa,KAAK;AAClB;AAAA,IACF;AAEA,QAAI;AACF,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,YAAM,oBAAiD,CAAC;AAGxD,iBAAW,cAAc,aAAa;AACpC,cAAM,SAAS,WACX,MAAM,kBAAkB,EAAE,QAAQ,OAAO,WAAW,CAAC,IACrD,MAAM,YAAY,EAAE,QAAQ,OAAO,WAAW,CAAC;AACnD,0BAAkB,UAAU,IAAI;AAAA,MAClC;AAEA,iBAAW,iBAAiB;AAAA,IAC9B,SAAS,KAAK;AACZ,eAAS,eAAe,QAAQ,MAAM,IAAI,MAAM,6BAA6B,CAAC;AAC9E,iBAAW,CAAC,CAAgC;AAAA,IAC9C,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF,GAAG,CAAC,QAAQ,MAAM,gBAAgB,MAAM,SAAS,MAAM,OAAO,aAAa,QAAQ,CAAC;AAEpF,EAAAD,WAAU,MAAM;AACd,qBAAiB;AAAA,EACnB,GAAG,CAAC,gBAAgB,CAAC;AAGrB,SAAOE,SAAQ,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX,IAAI,CAAC,SAAS,WAAW,OAAO,gBAAgB,CAAC;AACnD;AA2BO,SAAS,oBACd,QACA,OACA,aACA,WAAoB,MAMpB;AACA,QAAM,CAAC,QAAQ,SAAS,IAAIJ,UAAkB,KAAK;AACnD,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAS,IAAI;AAC/C,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AAErD,QAAM,qBAAqBG,aAAY,YAAY;AACjD,QAAI,CAAC,UAAU,YAAY,WAAW,GAAG;AACvC,gBAAU,KAAK;AACf,mBAAa,KAAK;AAClB;AAAA,IACF;AAEA,QAAI;AACF,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,UAAI,mBAAmB;AAEvB,iBAAW,cAAc,aAAa;AACpC,cAAM,SAAS,WACX,MAAM,kBAAkB,EAAE,QAAQ,OAAO,WAAW,CAAC,IACrD,MAAM,YAAY,EAAE,QAAQ,OAAO,WAAW,CAAC;AAEnD,YAAI,QAAQ;AACV,6BAAmB;AACnB;AAAA,QACF;AAAA,MACF;AAEA,gBAAU,gBAAgB;AAAA,IAC5B,SAAS,KAAK;AACZ,eAAS,eAAe,QAAQ,MAAM,IAAI,MAAM,6BAA6B,CAAC;AAC9E,gBAAU,KAAK;AAAA,IACjB,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF,GAAG,CAAC,QAAQ,MAAM,gBAAgB,MAAM,SAAS,MAAM,OAAO,aAAa,QAAQ,CAAC;AAEpF,EAAAD,WAAU,MAAM;AACd,uBAAmB;AAAA,EACrB,GAAG,CAAC,kBAAkB,CAAC;AAGvB,SAAOE,SAAQ,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX,IAAI,CAAC,QAAQ,WAAW,OAAO,kBAAkB,CAAC;AACpD;AA2BO,SAAS,qBACd,QACA,OACA,aACA,WAAoB,MAMpB;AACA,QAAM,CAAC,QAAQ,SAAS,IAAIJ,UAAkB,KAAK;AACnD,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAS,IAAI;AAC/C,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AAErD,QAAM,sBAAsBG,aAAY,YAAY;AAClD,QAAI,CAAC,UAAU,YAAY,WAAW,GAAG;AACvC,gBAAU,KAAK;AACf,mBAAa,KAAK;AAClB;AAAA,IACF;AAEA,QAAI;AACF,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,UAAI,oBAAoB;AAExB,iBAAW,cAAc,aAAa;AACpC,cAAM,SAAS,WACX,MAAM,kBAAkB,EAAE,QAAQ,OAAO,WAAW,CAAC,IACrD,MAAM,YAAY,EAAE,QAAQ,OAAO,WAAW,CAAC;AAEnD,YAAI,CAAC,QAAQ;AACX,8BAAoB;AACpB;AAAA,QACF;AAAA,MACF;AAEA,gBAAU,iBAAiB;AAAA,IAC7B,SAAS,KAAK;AACZ,eAAS,eAAe,QAAQ,MAAM,IAAI,MAAM,6BAA6B,CAAC;AAC9E,gBAAU,KAAK;AAAA,IACjB,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF,GAAG,CAAC,QAAQ,MAAM,gBAAgB,MAAM,SAAS,MAAM,OAAO,aAAa,QAAQ,CAAC;AAEpF,EAAAD,WAAU,MAAM;AACd,wBAAoB;AAAA,EACtB,GAAG,CAAC,mBAAmB,CAAC;AAGxB,SAAOE,SAAQ,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX,IAAI,CAAC,QAAQ,WAAW,OAAO,mBAAmB,CAAC;AACrD;AA0BO,SAAS,qBAAqB,QAAc,OAMjD;AACA,QAAM,CAAC,aAAa,cAAc,IAAIJ,UAAwB,CAAC,CAAkB;AACjF,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAS,IAAI;AAC/C,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AAErD,QAAM,yBAAyBG,aAAY,YAAY;AACrD,QAAI,CAAC,QAAQ;AACX,qBAAe,CAAC,CAAkB;AAClC,mBAAa,KAAK;AAClB;AAAA,IACF;AAEA,QAAI;AACF,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,YAAM,gBAAgB,MAAM,iBAAiB,EAAE,QAAQ,MAAM,CAAC;AAC9D,qBAAe,aAAa;AAAA,IAC9B,SAAS,KAAK;AACZ,eAAS,eAAe,QAAQ,MAAM,IAAI,MAAM,oCAAoC,CAAC;AAAA,IACvF,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF,GAAG,CAAC,QAAQ,MAAM,gBAAgB,MAAM,SAAS,MAAM,KAAK,CAAC;AAE7D,QAAM,kBAAkBA,aAAY,MAAM;AAGxC,2BAAuB;AAAA,EACzB,GAAG,CAAC,sBAAsB,CAAC;AAE3B,EAAAD,WAAU,MAAM;AACd,2BAAuB;AAAA,EACzB,GAAG,CAAC,sBAAsB,CAAC;AAG3B,SAAOE,SAAQ,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,EACX,IAAI,CAAC,aAAa,WAAW,OAAO,iBAAiB,sBAAsB,CAAC;AAC9E;","names":["error","useEffect","useState","useState","useEffect","error","useState","useEffect","useCallback","useMemo","useRef","useState","useRef","useEffect","useCallback","useMemo"]}

package/dist/{chunk-B2WTCLCV.js → chunk-Q7APDV6H.js}

@@ -30,19 +30,27 @@ var RBACAuditManager = class {
     if (!this.enabled) {
       return;
     }
-    if (!event.userId || !event.organisationId) {
-      console.warn("[RBAC Audit] Skipping audit event - missing required fields:", {
-        userId: event.userId,
-        organisationId: event.organisationId,
-        eventType: event.type
+    if (!event.userId) {
+      console.error("[RBAC Audit] CRITICAL: Cannot log audit event without userId:", {
+        eventType: event.type,
+        organisationId: event.organisationId
       });
       return;
     }
+    if (!event.organisationId) {
+      console.warn("[RBAC Audit] Audit event without organisation context:", {
+        userId: event.userId,
+        eventType: event.type,
+        note: "This should be investigated for security compliance"
+      });
+    }
     try {
       const auditEvent = {
         event_type: event.type,
         user_id: event.userId,
-        organisation_id: event.organisationId,
+        // CRITICAL: Store organisationId even if null for auditing
+        // Use a fallback UUID if organisation context is missing (for database constraint)
+        organisation_id: event.organisationId || "00000000-0000-0000-0000-000000000000",
         event_id: "eventId" in event ? event.eventId : void 0,
         app_id: "appId" in event ? event.appId : void 0,
         page_id: "pageId" in event ? event.pageId : void 0,
@@ -55,7 +63,9 @@ var RBACAuditManager = class {
         metadata: {
           ...event.metadata,
           cache_hit: "cache_hit" in event ? event.cache_hit : void 0,
-          cache_source: "cache_source" in event ? event.cache_source : void 0
+          cache_source: "cache_source" in event ? event.cache_source : void 0,
+          // Store a flag indicating this event had no organisation context
+          no_organisation_context: !event.organisationId
         }
       };
       const { error } = await this.supabase.from("rbac_audit_events").insert([auditEvent]);
@@ -179,4 +189,4 @@ export {
   getGlobalAuditManager,
   emitAuditEvent
 };
-//# sourceMappingURL=chunk-B2WTCLCV.js.map
+//# sourceMappingURL=chunk-Q7APDV6H.js.map

package/dist/chunk-Q7APDV6H.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/rbac/audit.ts"],"sourcesContent":["/**\n * RBAC Audit Events System\n * @package @jmruthers/pace-core\n * @module RBAC/Audit\n * @since 1.0.0\n * \n * This module provides structured audit event emission for all RBAC operations.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { \n  UUID, \n  AuditEventSource, \n  RBACAuditEvent \n} from './types';\n\n/**\n * Audit event payload for permission checks\n */\nexport interface PermissionCheckAuditEvent {\n  type: 'permission_check';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  pageId?: UUID;\n  permission: string;\n  decision: boolean;\n  source: AuditEventSource;\n  bypass?: boolean;\n  duration_ms: number;\n  cache_hit?: boolean;\n  cache_source?: 'memory' | 'database' | 'rpc';\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for permission denied\n */\nexport interface PermissionDeniedAuditEvent {\n  type: 'permission_denied';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  pageId?: UUID;\n  permission: string;\n  source: AuditEventSource;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role granted\n */\nexport interface RoleGrantedAuditEvent {\n  type: 'role_granted';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  role: string;\n  grantedBy: UUID;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role revoked\n */\nexport interface RoleRevokedAuditEvent {\n  type: 'role_denied';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  role: string;\n  revokedBy: UUID;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for RLS denied\n */\nexport interface RLSDeniedAuditEvent {\n  type: 'rls_denied';\n  userId: UUID;\n  organisationId: UUID;\n  table: string;\n  operation: string;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Union type for all audit events\n */\nexport type AuditEventPayload = \n  | PermissionCheckAuditEvent\n  | PermissionDeniedAuditEvent\n  | RoleGrantedAuditEvent\n  | RoleRevokedAuditEvent\n  | RLSDeniedAuditEvent;\n\n/**\n * RBAC Audit Manager\n * \n * Handles emission of structured audit events for all RBAC operations.\n */\nexport class RBACAuditManager {\n  private supabase: SupabaseClient<Database>;\n  private enabled: boolean = true;\n\n  constructor(supabase: SupabaseClient<Database>) {\n    this.supabase = supabase;\n  }\n\n  /**\n   * Enable or disable audit logging\n   * \n   * @param enabled - Whether to enable audit logging\n   */\n  setEnabled(enabled: boolean): void {\n    this.enabled = enabled;\n  }\n\n  /**\n   * Check if audit logging is enabled\n   * \n   * @returns True if audit logging is enabled\n   */\n  isEnabled(): boolean {\n    return this.enabled;\n  }\n\n  /**\n   * Emit an audit event\n   * \n   * @param event - Audit event payload\n   * @returns Promise that resolves when event is logged\n   */\n  async emitEvent(event: AuditEventPayload): Promise<void> {\n    if (!this.enabled) {\n      return;\n    }\n\n    // Validate required fields before attempting to insert\n    // MANDATORY: All audit events must have userId\n    if (!event.userId) {\n      console.error('[RBAC Audit] CRITICAL: Cannot log audit event without userId:', {\n        eventType: event.type,\n        organisationId: event.organisationId\n      });\n      return;\n    }\n\n    // WARNING: Some audit events may not have organisationId (e.g., global admin operations)\n    // Log these for security monitoring even if organisationId is missing\n    if (!event.organisationId) {\n      console.warn('[RBAC Audit] Audit event without organisation context:', {\n        userId: event.userId,\n        eventType: event.type,\n        note: 'This should be investigated for security compliance'\n      });\n    }\n\n    try {\n      // For events without organisationId, store in a special way\n      const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {\n        event_type: event.type,\n        user_id: event.userId,\n        // CRITICAL: Store organisationId even if null for auditing\n        // Use a fallback UUID if organisation context is missing (for database constraint)\n        organisation_id: event.organisationId || '00000000-0000-0000-0000-000000000000' as UUID,\n        event_id: 'eventId' in event ? event.eventId : undefined,\n        app_id: 'appId' in event ? event.appId : undefined,\n        page_id: 'pageId' in event ? event.pageId : undefined,\n        permission: 'permission' in event ? event.permission : undefined,\n        decision: 'decision' in event ? event.decision : undefined,\n        source: 'source' in event ? event.source : 'api', // Default to 'api' if not provided\n        bypass: 'bypass' in event ? event.bypass : undefined,\n        duration_ms: 'duration_ms' in event ? event.duration_ms : undefined,\n        metadata: {\n          ...event.metadata,\n          cache_hit: 'cache_hit' in event ? event.cache_hit : undefined,\n          cache_source: 'cache_source' in event ? event.cache_source : undefined,\n          // Store a flag indicating this event had no organisation context\n          no_organisation_context: !event.organisationId,\n        },\n      };\n\n      const { error } = await (this.supabase as any)\n        .from('rbac_audit_events')\n        .insert([auditEvent]);\n\n      if (error) {\n        // Log the error for debugging but don't throw\n        console.warn('[RBAC Audit] Failed to insert audit event:', {\n          error: error.message,\n          code: error.code,\n          details: error.details,\n          hint: error.hint,\n          event: auditEvent\n        });\n      }\n    } catch (error) {\n      // Log unexpected errors but don't throw\n      console.error('[RBAC Audit] Unexpected error during audit logging:', error);\n    }\n  }\n\n  /**\n   * Emit a permission check audit event\n   * \n   * @param event - Permission check event data\n   */\n  async emitPermissionCheck(event: Omit<PermissionCheckAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'permission_check',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit a permission denied audit event\n   * \n   * @param event - Permission denied event data\n   */\n  async emitPermissionDenied(event: Omit<PermissionDeniedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'permission_denied',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit a role granted audit event\n   * \n   * @param event - Role granted event data\n   */\n  async emitRoleGranted(event: Omit<RoleGrantedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'role_granted',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit a role revoked audit event\n   * \n   * @param event - Role revoked event data\n   */\n  async emitRoleRevoked(event: Omit<RoleRevokedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'role_denied',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit an RLS denied audit event\n   * \n   * @param event - RLS denied event data\n   */\n  async emitRLSDenied(event: Omit<RLSDeniedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'rls_denied',\n      ...event,\n    });\n  }\n\n  /**\n   * Get audit events for a user\n   * \n   * @param userId - User ID\n   * @param limit - Maximum number of events to return\n   * @returns Promise resolving to audit events\n   */\n  async getUserAuditEvents(userId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n    const { data, error } = await this.supabase\n      .from('rbac_audit_events')\n      .select('*')\n      .eq('user_id', userId)\n      .order('created_at', { ascending: false })\n      .limit(limit);\n\n    if (error) {\n      throw new Error(`Failed to get audit events: ${error.message}`);\n    }\n\n    return data || [];\n  }\n\n  /**\n   * Get audit events for an organisation\n   * \n   * @param organisationId - Organisation ID\n   * @param limit - Maximum number of events to return\n   * @returns Promise resolving to audit events\n   */\n  async getOrganisationAuditEvents(organisationId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n    const { data, error } = await this.supabase\n      .from('rbac_audit_events')\n      .select('*')\n      .eq('organisation_id', organisationId)\n      .order('created_at', { ascending: false })\n      .limit(limit);\n\n    if (error) {\n      throw new Error(`Failed to get audit events: ${error.message}`);\n    }\n\n    return data || [];\n  }\n}\n\n/**\n * Create an audit manager instance\n * \n * @param supabase - Supabase client\n * @returns RBACAuditManager instance\n */\nexport function createAuditManager(supabase: SupabaseClient<Database>): RBACAuditManager {\n  return new RBACAuditManager(supabase);\n}\n\n/**\n * Global audit manager instance\n * \n * This is set by the RBAC engine when it initializes.\n */\nlet globalAuditManager: RBACAuditManager | null = null;\n\n/**\n * Set the global audit manager\n * \n * @param manager - Audit manager instance\n */\nexport function setGlobalAuditManager(manager: RBACAuditManager): void {\n  globalAuditManager = manager;\n}\n\n/**\n * Get the global audit manager\n * \n * @returns Global audit manager or null if not set\n */\nexport function getGlobalAuditManager(): RBACAuditManager | null {\n  return globalAuditManager;\n}\n\n/**\n * Emit an audit event using the global audit manager\n * \n * @param event - Audit event payload\n */\nexport async function emitAuditEvent(event: AuditEventPayload): Promise<void> {\n  if (globalAuditManager) {\n    await globalAuditManager.emitEvent(event);\n  }\n}\n"],"mappings":";AA2GO,IAAM,mBAAN,MAAuB;AAAA,EAI5B,YAAY,UAAoC;AAFhD,SAAQ,UAAmB;AAGzB,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAW,SAAwB;AACjC,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,UAAU,OAAyC;AACvD,QAAI,CAAC,KAAK,SAAS;AACjB;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,QAAQ;AACjB,cAAQ,MAAM,iEAAiE;AAAA,QAC7E,WAAW,MAAM;AAAA,QACjB,gBAAgB,MAAM;AAAA,MACxB,CAAC;AACD;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,gBAAgB;AACzB,cAAQ,KAAK,0DAA0D;AAAA,QACrE,QAAQ,MAAM;AAAA,QACd,WAAW,MAAM;AAAA,QACjB,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,QAAI;AAEF,YAAM,aAAwD;AAAA,QAC5D,YAAY,MAAM;AAAA,QAClB,SAAS,MAAM;AAAA;AAAA;AAAA,QAGf,iBAAiB,MAAM,kBAAkB;AAAA,QACzC,UAAU,aAAa,QAAQ,MAAM,UAAU;AAAA,QAC/C,QAAQ,WAAW,QAAQ,MAAM,QAAQ;AAAA,QACzC,SAAS,YAAY,QAAQ,MAAM,SAAS;AAAA,QAC5C,YAAY,gBAAgB,QAAQ,MAAM,aAAa;AAAA,QACvD,UAAU,cAAc,QAAQ,MAAM,WAAW;AAAA,QACjD,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA;AAAA,QAC3C,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA,QAC3C,aAAa,iBAAiB,QAAQ,MAAM,cAAc;AAAA,QAC1D,UAAU;AAAA,UACR,GAAG,MAAM;AAAA,UACT,WAAW,eAAe,QAAQ,MAAM,YAAY;AAAA,UACpD,cAAc,kBAAkB,QAAQ,MAAM,eAAe;AAAA;AAAA,UAE7D,yBAAyB,CAAC,MAAM;AAAA,QAClC;AAAA,MACF;AAEA,YAAM,EAAE,MAAM,IAAI,MAAO,KAAK,SAC3B,KAAK,mBAAmB,EACxB,OAAO,CAAC,UAAU,CAAC;AAEtB,UAAI,OAAO;AAET,gBAAQ,KAAK,8CAA8C;AAAA,UACzD,OAAO,MAAM;AAAA,UACb,MAAM,MAAM;AAAA,UACZ,SAAS,MAAM;AAAA,UACf,MAAM,MAAM;AAAA,UACZ,OAAO;AAAA,QACT,CAAC;AAAA,MACH;AAAA,IACF,SAAS,OAAO;AAEd,cAAQ,MAAM,uDAAuD,KAAK;AAAA,IAC5E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,oBAAoB,OAA+D;AACvF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,qBAAqB,OAAgE;AACzF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,cAAc,OAAyD;AAC3E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,mBAAmB,QAAc,QAAgB,KAAgC;AACrF,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,GAAG,EACV,GAAG,WAAW,MAAM,EACpB,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AACT,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,WAAO,QAAQ,CAAC;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,2BAA2B,gBAAsB,QAAgB,KAAgC;AACrG,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,GAAG,EACV,GAAG,mBAAmB,cAAc,EACpC,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AACT,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,WAAO,QAAQ,CAAC;AAAA,EAClB;AACF;AAQO,SAAS,mBAAmB,UAAsD;AACvF,SAAO,IAAI,iBAAiB,QAAQ;AACtC;AAOA,IAAI,qBAA8C;AAO3C,SAAS,sBAAsB,SAAiC;AACrE,uBAAqB;AACvB;AAOO,SAAS,wBAAiD;AAC/D,SAAO;AACT;AAOA,eAAsB,eAAe,OAAyC;AAC5E,MAAI,oBAAoB;AACtB,UAAM,mBAAmB,UAAU,KAAK;AAAA,EAC1C;AACF;","names":[]}