@jmruthers/pace-core 0.5.76 → 0.5.78

package/dist/{chunk-FGMFQSHX.js → chunk-S63MFSY6.js}

@@ -2,7 +2,7 @@ import {
   createAuditManager,
   emitAuditEvent,
   setGlobalAuditManager
-} from "./chunk-B2WTCLCV.js";
+} from "./chunk-Q7APDV6H.js";
 
 // src/rbac/types.ts
 var RBACError = class extends Error {
@@ -13,6 +13,16 @@ var RBACError = class extends Error {
     this.name = "RBACError";
   }
 };
+var PermissionDeniedError = class extends RBACError {
+  constructor(permission, context) {
+    super(
+      `Permission denied: ${permission}`,
+      "PERMISSION_DENIED",
+      { permission, ...context }
+    );
+    this.name = "PermissionDeniedError";
+  }
+};
 var OrganisationContextRequiredError = class extends RBACError {
   constructor() {
     super(
@@ -31,6 +41,25 @@ var RBACNotInitializedError = class extends RBACError {
     this.name = "RBACNotInitializedError";
   }
 };
+var InvalidScopeError = class extends RBACError {
+  constructor(scope, reason) {
+    super(
+      `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,
+      "INVALID_SCOPE",
+      { scope, reason }
+    );
+    this.name = "InvalidScopeError";
+  }
+};
+var MissingUserContextError = class extends RBACError {
+  constructor() {
+    super(
+      "User context is required but not available. Make sure to wrap your app with an auth provider.",
+      "MISSING_USER_CONTEXT"
+    );
+    this.name = "MissingUserContextError";
+  }
+};
 
 // src/rbac/cache.ts
 var RBACCache = class {
@@ -122,7 +151,30 @@ var RBACCache = class {
     };
   }
   /**
-   * Generate cache key for permission check
+   * Generate cache key for permission check (simplified signature)
+   * 
+   * @param userId - User ID
+   * @param permission - Permission string
+   * @param organisationId - Organisation ID (optional)
+   * @param eventId - Event ID (optional)
+   * @param appId - App ID (optional)
+   * @param pageId - Page ID (optional)
+   * @returns String cache key
+   */
+  static generateKey(userId, permission, organisationId, eventId, appId, pageId) {
+    const parts = [
+      "perm",
+      userId,
+      organisationId || "null",
+      eventId || "null",
+      appId || "null",
+      permission || "null",
+      pageId || "null"
+    ];
+    return parts.join(":");
+  }
+  /**
+   * Generate cache key for permission check (object signature)
    * 
    * @param key - Permission cache key object
    * @returns String cache key
@@ -413,6 +465,124 @@ function initializeCacheInvalidation(supabase) {
   return globalCacheInvalidationManager;
 }
 
+// src/rbac/errors.ts
+var RATE_LIMIT_STATUS_CODES = /* @__PURE__ */ new Set([429]);
+var AUTH_STATUS_CODES = /* @__PURE__ */ new Set([401]);
+var AUTHZ_STATUS_CODES = /* @__PURE__ */ new Set([403]);
+function normalize(value) {
+  if (!value) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value.toLowerCase();
+  }
+  if (value instanceof Error && typeof value.message === "string") {
+    return value.message.toLowerCase();
+  }
+  return String(value).toLowerCase();
+}
+function categorizeError(error) {
+  if (error instanceof PermissionDeniedError) {
+    return "authorization_error" /* AUTHORIZATION */;
+  }
+  if (error instanceof OrganisationContextRequiredError || error instanceof InvalidScopeError) {
+    return "validation_error" /* VALIDATION */;
+  }
+  if (error instanceof MissingUserContextError) {
+    return "authentication_error" /* AUTHENTICATION */;
+  }
+  if (error instanceof RBACError) {
+    switch (error.code) {
+      case "PERMISSION_DENIED":
+        return "authorization_error" /* AUTHORIZATION */;
+      case "ORGANISATION_CONTEXT_REQUIRED":
+      case "INVALID_SCOPE":
+        return "validation_error" /* VALIDATION */;
+      case "MISSING_USER_CONTEXT":
+        return "authentication_error" /* AUTHENTICATION */;
+      default:
+        break;
+    }
+  }
+  if (error && typeof error === "object") {
+    const status = error.status;
+    if (typeof status === "number") {
+      if (RATE_LIMIT_STATUS_CODES.has(status)) {
+        return "rate_limit_error" /* RATE_LIMIT */;
+      }
+      if (AUTH_STATUS_CODES.has(status)) {
+        return "authentication_error" /* AUTHENTICATION */;
+      }
+      if (AUTHZ_STATUS_CODES.has(status)) {
+        return "authorization_error" /* AUTHORIZATION */;
+      }
+      if (status >= 500) {
+        return "database_error" /* DATABASE */;
+      }
+    }
+    const codeValue = normalize(error.code);
+    if (codeValue) {
+      if (codeValue.includes("network")) {
+        return "network_error" /* NETWORK */;
+      }
+      if (codeValue.includes("postgres") || codeValue.includes("database") || codeValue.includes("db")) {
+        return "database_error" /* DATABASE */;
+      }
+      if (codeValue.includes("rate")) {
+        return "rate_limit_error" /* RATE_LIMIT */;
+      }
+      if (codeValue.includes("auth")) {
+        return "authentication_error" /* AUTHENTICATION */;
+      }
+      if (codeValue.includes("permission")) {
+        return "authorization_error" /* AUTHORIZATION */;
+      }
+      if (codeValue.includes("scope") || codeValue.includes("invalid")) {
+        return "validation_error" /* VALIDATION */;
+      }
+    }
+  }
+  const message = normalize(error);
+  if (message.includes("timeout") || message.includes("network") || message.includes("fetch")) {
+    return "network_error" /* NETWORK */;
+  }
+  if (message.includes("postgres") || message.includes("database") || message.includes("connection")) {
+    return "database_error" /* DATABASE */;
+  }
+  if (message.includes("rate limit") || message.includes("too many requests")) {
+    return "rate_limit_error" /* RATE_LIMIT */;
+  }
+  if (message.includes("permission") || message.includes("forbidden")) {
+    return "authorization_error" /* AUTHORIZATION */;
+  }
+  if (message.includes("auth") || message.includes("token") || message.includes("session")) {
+    return "authentication_error" /* AUTHENTICATION */;
+  }
+  if (message.includes("invalid") || message.includes("scope") || message.includes("validation")) {
+    return "validation_error" /* VALIDATION */;
+  }
+  return "unknown_error" /* UNKNOWN */;
+}
+function mapErrorCategoryToSecurityEventType(category) {
+  switch (category) {
+    case "authorization_error" /* AUTHORIZATION */:
+      return "permission_denied";
+    case "network_error" /* NETWORK */:
+      return "network_error";
+    case "database_error" /* DATABASE */:
+      return "database_error";
+    case "validation_error" /* VALIDATION */:
+      return "validation_error";
+    case "rate_limit_error" /* RATE_LIMIT */:
+      return "rate_limit_error";
+    case "authentication_error" /* AUTHENTICATION */:
+      return "authentication_error";
+    case "unknown_error" /* UNKNOWN */:
+    default:
+      return "unknown_error";
+  }
+}
+
 // src/rbac/security.ts
 var RBACSecurityValidator = class {
   /**
@@ -555,10 +725,17 @@ var RBACSecurityValidator = class {
       case "permission_denied":
         return "low";
       case "invalid_input":
-        return "medium";
       case "rate_limit_exceeded":
+      case "rate_limit_error":
+      case "network_error":
         return "medium";
+      case "validation_error":
+        return "high";
+      case "authentication_error":
+      case "database_error":
+        return "critical";
       case "suspicious_activity":
+      case "unknown_error":
         return "high";
       default:
         return "low";
@@ -574,7 +751,21 @@ var DEFAULT_SECURITY_CONFIG = {
 };
 var RBACSecurityMiddleware = class {
   constructor(config = DEFAULT_SECURITY_CONFIG) {
+    /**
+     * In-memory rate limiting cache (sliding window)
+     * Note: For production, this should use Redis or Supabase Edge Functions
+     */
+    this.rateLimitCache = /* @__PURE__ */ new Map();
     this.config = config;
+    this._startCleanupInterval();
+  }
+  /**
+   * Start periodic cleanup of expired entries
+   */
+  _startCleanupInterval() {
+    setInterval(() => {
+      this.clearExpiredEntries();
+    }, 5 * 60 * 1e3);
   }
   /**
    * Validate input before processing
@@ -584,13 +775,10 @@ var RBACSecurityMiddleware = class {
    */
   async validateInput(input, context) {
     const errors = [];
-    if (!this.config.enableInputValidation) {
-      return { isValid: true, errors: [] };
-    }
     if (!RBACSecurityValidator.validateUserId(context.userId)) {
       errors.push("Invalid user ID format");
     }
-    if (!RBACSecurityValidator.validateUUID(context.organisationId)) {
+    if (context.organisationId && !RBACSecurityValidator.validateUUID(context.organisationId)) {
       errors.push("Invalid organisation ID format");
     }
     if (input.permission && !RBACSecurityValidator.validatePermission(input.permission)) {
@@ -599,6 +787,14 @@ var RBACSecurityMiddleware = class {
     if (input.scope && !RBACSecurityValidator.validateScope(input.scope)) {
       errors.push("Invalid scope format");
     }
+    if (this.config.enableInputValidation) {
+      if (context.ipAddress && typeof context.ipAddress !== "string") {
+        errors.push("Invalid IP address format");
+      }
+      if (context.userAgent && typeof context.userAgent !== "string") {
+        errors.push("Invalid user agent format");
+      }
+    }
     if (errors.length > 0) {
       RBACSecurityValidator.logSecurityEvent({
         type: "invalid_input",
@@ -620,15 +816,49 @@ var RBACSecurityMiddleware = class {
     if (!this.config.enableRateLimiting) {
       return { isAllowed: true, remaining: this.config.maxPermissionChecksPerMinute };
     }
-    const isAllowed = await RBACSecurityValidator.checkRateLimit(
-      context.userId,
-      "permission_check"
-    );
+    const isAllowed = await this._checkRateLimitInternal(context.userId);
+    const remaining = isAllowed ? this.config.maxPermissionChecksPerMinute - this._getRequestCount(context.userId) : 0;
     return {
       isAllowed,
-      remaining: this.config.maxPermissionChecksPerMinute
+      remaining: Math.max(0, remaining)
     };
   }
+  async _checkRateLimitInternal(userId) {
+    const now = Date.now();
+    const windowMs = 60 * 1e3;
+    const entries = this.rateLimitCache.get(userId) || [];
+    const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
+    const requestCount = validEntries.length;
+    const isAllowed = requestCount < this.config.maxPermissionChecksPerMinute;
+    if (isAllowed) {
+      validEntries.push({ timestamp: now });
+    }
+    this.rateLimitCache.set(userId, validEntries);
+    return isAllowed;
+  }
+  _getRequestCount(userId) {
+    const now = Date.now();
+    const windowMs = 60 * 1e3;
+    const entries = this.rateLimitCache.get(userId) || [];
+    const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
+    return validEntries.length;
+  }
+  /**
+   * Clear old rate limit entries to prevent memory leaks
+   * Should be called periodically (e.g., every 5 minutes)
+   */
+  clearExpiredEntries() {
+    const now = Date.now();
+    const windowMs = 60 * 1e3;
+    for (const [userId, entries] of this.rateLimitCache.entries()) {
+      const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
+      if (validEntries.length === 0) {
+        this.rateLimitCache.delete(userId);
+      } else {
+        this.rateLimitCache.set(userId, validEntries);
+      }
+    }
+  }
   /**
    * Sanitize input data
    * @param input - Input to sanitize
@@ -649,65 +879,73 @@ var RBACEngine = class {
   /**
    * Check if a user has a specific permission
    * 
+   * This method now delegates to the database RPC function for all the heavy lifting.
+   * 
    * @param input - Permission check input
-   * @param securityContext - Optional security context for enhanced validation
+   * @param securityContext - Security context for validation (required)
    * @returns Promise resolving to permission result
    */
   async isPermitted(input, securityContext) {
     const startTime = Date.now();
     const { userId, permission, scope, pageId } = input;
     let cacheHit = false;
-    let cacheSource = "database";
+    let cacheSource = "rpc";
     try {
-      if (securityContext) {
-        const validation = await this.securityMiddleware.validateInput(input, securityContext);
-        if (!validation.isValid) {
-          RBACSecurityValidator.logSecurityEvent({
-            type: "invalid_input",
-            userId,
-            details: { errors: validation.errors, input: JSON.stringify(input) }
-          });
-          return false;
-        }
-        const rateLimit = await this.securityMiddleware.checkRateLimit(securityContext);
-        if (!rateLimit.isAllowed) {
-          RBACSecurityValidator.logSecurityEvent({
-            type: "rate_limit_exceeded",
-            userId,
-            details: { remaining: rateLimit.remaining }
-          });
-          return false;
-        }
+      const validation = await this.securityMiddleware.validateInput(input, securityContext);
+      if (!validation.isValid) {
+        RBACSecurityValidator.logSecurityEvent({
+          type: "invalid_input",
+          userId,
+          details: { errors: validation.errors, input: JSON.stringify(input) }
+        });
+        return false;
       }
-      if (securityContext) {
-        if (!RBACSecurityValidator.validateUserId(userId)) {
-          RBACSecurityValidator.logSecurityEvent({
-            type: "invalid_input",
-            userId,
-            details: { error: "Invalid user ID format" }
-          });
-          return false;
-        }
-        if (!RBACSecurityValidator.validatePermission(permission)) {
-          RBACSecurityValidator.logSecurityEvent({
-            type: "invalid_input",
-            userId,
-            details: { error: "Invalid permission format", permission }
-          });
-          return false;
-        }
-        if (!RBACSecurityValidator.validateScope(scope)) {
-          RBACSecurityValidator.logSecurityEvent({
-            type: "invalid_input",
-            userId,
-            details: { error: "Invalid scope format", scope }
-          });
-          return false;
-        }
+      const rateLimit = await this.securityMiddleware.checkRateLimit(securityContext);
+      if (!rateLimit.isAllowed) {
+        RBACSecurityValidator.logSecurityEvent({
+          type: "rate_limit_exceeded",
+          userId,
+          details: { remaining: rateLimit.remaining }
+        });
+        return false;
+      }
+      if (!RBACSecurityValidator.validateUserId(userId)) {
+        RBACSecurityValidator.logSecurityEvent({
+          type: "invalid_input",
+          userId,
+          details: { error: "Invalid user ID format" }
+        });
+        return false;
+      }
+      if (!RBACSecurityValidator.validatePermission(permission)) {
+        RBACSecurityValidator.logSecurityEvent({
+          type: "invalid_input",
+          userId,
+          details: { error: "Invalid permission format", permission }
+        });
+        return false;
+      }
+      if (!RBACSecurityValidator.validateScope(scope)) {
+        RBACSecurityValidator.logSecurityEvent({
+          type: "invalid_input",
+          userId,
+          details: { error: "Invalid scope format", scope }
+        });
+        return false;
       }
-      const isSuperAdmin2 = await this.checkSuperAdmin(userId);
-      if (isSuperAdmin2) {
-        const duration = Date.now() - startTime;
+      const cacheKey = RBACCache.generateKey(
+        userId,
+        permission,
+        scope.organisationId,
+        scope.eventId,
+        scope.appId,
+        pageId
+      );
+      const cached = rbacCache.get(cacheKey);
+      if (cached !== null) {
+        cacheHit = true;
+        cacheSource = "memory";
+        const duration2 = Date.now() - startTime;
         if (scope.organisationId) {
           const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
           await emitAuditEvent({
@@ -718,600 +956,281 @@ var RBACEngine = class {
             appId: scope.appId,
             pageId: resolvedPageId,
             permission,
-            decision: true,
+            decision: cached,
             source: "api",
-            bypass: true,
-            duration_ms: duration
+            duration_ms: duration2,
+            cache_hit: true,
+            cache_source: "memory"
           });
         }
-        return true;
+        return cached;
       }
-      const validatedScope = await this.validateContextRequirements(scope, scope.appId);
-      if (!validatedScope) {
-        const duration = Date.now() - startTime;
-        if (scope.organisationId) {
-          const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
-          await emitAuditEvent({
-            type: "permission_denied",
-            userId,
-            organisationId: scope.organisationId,
-            eventId: scope.eventId,
-            appId: scope.appId,
-            pageId: resolvedPageId,
+      const { data, error } = await this.supabase.rpc("rbac_check_permission_simplified", {
+        p_user_id: userId,
+        p_permission: permission,
+        p_organisation_id: scope.organisationId || void 0,
+        p_event_id: scope.eventId || void 0,
+        p_app_id: scope.appId || void 0,
+        p_page_id: pageId || void 0
+      });
+      if (error) {
+        console.error("[RBACEngine] RPC error:", error);
+        const category = categorizeError(error);
+        const eventType = mapErrorCategoryToSecurityEventType(category);
+        const errorDetails = error;
+        RBACSecurityValidator.logSecurityEvent({
+          type: eventType,
+          userId,
+          details: {
+            error: errorDetails?.message || "RPC call failed",
+            code: errorDetails?.code,
+            hint: errorDetails?.hint,
+            details: errorDetails?.details,
             permission,
-            source: "api",
-            metadata: {
-              reason: "invalid_context_requirements",
-              app_requires_event: scope.appId ? await this.getAppConfig(scope.appId).then((config) => config?.requires_event) : null
-            }
-          });
-        }
-        return false;
-      }
-      const grants = await this.collectActiveGrants(userId, validatedScope, pageId);
-      console.log("[RBACEngine] Collected grants:", grants);
-      const denies = grants.filter((g) => g.type === "deny");
-      console.log("[RBACEngine] Deny grants:", denies);
-      for (const deny of denies) {
-        const matches = this.permissionMatches(deny.permission, permission);
-        console.log("[RBACEngine] Checking deny:", {
-          denyPermission: deny.permission,
-          requestedPermission: permission,
-          matches
-        });
-        if (matches) {
-          const duration = Date.now() - startTime;
-          console.log("[RBACEngine] Permission DENIED by explicit deny rule");
-          if (scope.organisationId) {
-            const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
-            await emitAuditEvent({
-              type: "permission_denied",
-              userId,
-              organisationId: scope.organisationId,
-              eventId: scope.eventId,
-              appId: scope.appId,
-              pageId: resolvedPageId,
-              permission,
-              source: "api"
-            });
-          }
-          return false;
-        }
-      }
-      const allows = grants.filter((g) => g.type === "allow");
-      console.log("[RBACEngine] Allow grants:", allows);
-      let hasPermission2 = false;
-      const scopeOrder = ["page", "eventApp", "organisation", "global"];
-      for (const scopeType of scopeOrder) {
-        const scopeAllows = allows.filter((g) => g.scope === scopeType);
-        console.log(`[RBACEngine] Checking ${scopeType} allows:`, scopeAllows);
-        for (const allow of scopeAllows) {
-          console.log(`[RBACEngine] About to check permission match for ${scopeType}:`, {
-            allowPermission: allow.permission,
-            requestedPermission: permission,
-            scopeType
-          });
-          const matches = this.permissionMatches(allow.permission, permission);
-          console.log(`[RBACEngine] Permission match result:`, {
-            scopeType,
-            allowPermission: allow.permission,
-            requestedPermission: permission,
-            matches
-          });
-          if (matches) {
-            console.log(`[RBACEngine] Permission GRANTED by ${scopeType} allow rule`);
-            hasPermission2 = true;
-            break;
+            scope: JSON.stringify(scope),
+            category
           }
-        }
-        if (hasPermission2) break;
+        });
+        return false;
       }
-      const finalDecision = hasPermission2;
-      const _duration = Date.now() - startTime;
-      console.log("[RBACEngine] Final decision:", {
-        userId,
-        permission,
-        pageId,
-        hasPermission: hasPermission2,
-        grantsCount: grants.length,
-        allowsCount: allows.length,
-        deniesCount: denies.length,
-        duration: _duration
-      });
+      const hasPermission2 = data === true;
+      rbacCache.set(cacheKey, hasPermission2, 6e4);
+      const duration = Date.now() - startTime;
       if (scope.organisationId) {
         const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
         await emitAuditEvent({
-          type: "permission_check",
+          type: hasPermission2 ? "permission_check" : "permission_denied",
           userId,
           organisationId: scope.organisationId,
           eventId: scope.eventId,
           appId: scope.appId,
           pageId: resolvedPageId,
           permission,
-          decision: finalDecision,
+          decision: hasPermission2,
           source: "api",
-          duration_ms: _duration,
+          duration_ms: duration,
           cache_hit: cacheHit,
           cache_source: cacheSource
         });
       }
-      return finalDecision;
+      return hasPermission2;
     } catch (error) {
+      const category = categorizeError(error);
+      const eventType = mapErrorCategoryToSecurityEventType(category);
+      const errorMessage = error instanceof Error ? error.message : "Unknown error";
       RBACSecurityValidator.logSecurityEvent({
-        type: "suspicious_activity",
+        type: eventType,
         userId,
         details: {
-          error: error instanceof Error ? error.message : "Unknown error",
+          error: errorMessage,
           permission,
-          scope: JSON.stringify(scope)
+          scope: JSON.stringify(scope),
+          category
         }
       });
+      console.error("[RBACEngine] Permission check failed:", error);
       return false;
     }
   }
   /**
    * Get user's access level in a scope
    * 
+   * This is derived from roles, not permissions.
+   * 
    * @param input - Access level input
    * @returns Promise resolving to access level
    */
   async getAccessLevel(input) {
     const { userId, scope } = input;
-    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
-    if (isSuperAdmin2) {
-      return "super";
-    }
-    const validatedScope = await this.validateContextRequirements(scope, scope.appId);
-    if (!validatedScope) {
-      return "viewer";
-    }
     const cacheKey = RBACCache.generateAccessLevelKey(
       userId,
-      validatedScope.organisationId,
-      validatedScope.eventId,
-      validatedScope.appId
+      scope.organisationId || "",
+      scope.eventId,
+      scope.appId
     );
     const cached = rbacCache.get(cacheKey);
     if (cached) {
       return cached;
     }
-    const orgRole = await this.getOrganisationRole(userId, validatedScope.organisationId);
-    if (orgRole === "org_admin") {
-      rbacCache.set(cacheKey, "admin");
-      return "admin";
+    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
+    if (isSuperAdmin2) {
+      rbacCache.set(cacheKey, "super", 6e4);
+      return "super";
     }
-    if (validatedScope.eventId && validatedScope.appId) {
-      const eventRole = await this.getEventAppRole(userId, validatedScope.eventId, validatedScope.appId);
-      if (eventRole === "event_admin") {
-        rbacCache.set(cacheKey, "admin");
+    if (scope.organisationId) {
+      const { data: orgRole } = await this.supabase.from("rbac_organisation_roles").select("role").eq("user_id", userId).eq("organisation_id", scope.organisationId).eq("status", "active").is("revoked_at", null).single();
+      if (orgRole?.role === "org_admin") {
+        rbacCache.set(cacheKey, "admin", 6e4);
         return "admin";
       }
-      if (eventRole === "planner") {
-        rbacCache.set(cacheKey, "planner");
+    }
+    if (scope.eventId && scope.appId) {
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      const { data: eventRole } = await this.supabase.from("rbac_event_app_roles").select("role").eq("user_id", userId).eq("event_id", scope.eventId).eq("app_id", scope.appId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).single();
+      if (eventRole?.role === "event_admin") {
+        rbacCache.set(cacheKey, "admin", 6e4);
+        return "admin";
+      }
+      if (eventRole?.role === "planner") {
+        rbacCache.set(cacheKey, "planner", 6e4);
         return "planner";
       }
-      if (eventRole === "participant") {
-        rbacCache.set(cacheKey, "participant");
+      if (eventRole?.role === "participant") {
+        rbacCache.set(cacheKey, "participant", 6e4);
         return "participant";
       }
     }
-    rbacCache.set(cacheKey, "viewer");
+    rbacCache.set(cacheKey, "viewer", 6e4);
     return "viewer";
   }
   /**
    * Get user's permission map for a scope
    * 
+   * This builds a map of page IDs to allowed operations.
+   * Uses the simplified RPC for each permission check.
+   * 
    * @param input - Permission map input
    * @returns Promise resolving to permission map
    */
   async getPermissionMap(input) {
     const { userId, scope } = input;
+    const cacheKey = RBACCache.generatePermissionMapKey(
+      userId,
+      scope.organisationId || "",
+      scope.eventId,
+      scope.appId
+    );
     const isSuperAdmin2 = await this.checkSuperAdmin(userId);
     if (isSuperAdmin2) {
-      return {};
+      const wildcardMap = { "*": true };
+      rbacCache.set(cacheKey, wildcardMap, 6e4);
+      return wildcardMap;
     }
-    const validatedScope = await this.validateContextRequirements(scope, scope.appId);
-    if (!validatedScope) {
+    if (!scope.organisationId) {
       return {};
     }
-    const cacheKey = RBACCache.generatePermissionMapKey(
-      userId,
-      validatedScope.organisationId,
-      validatedScope.eventId,
-      validatedScope.appId
-    );
     const cached = rbacCache.get(cacheKey);
     if (cached) {
       return cached;
     }
     const permissionMap = {};
-    if (validatedScope.appId) {
-      const { data: pages } = await this.supabase.from("rbac_app_pages").select("id, page_name").eq("app_id", validatedScope.appId);
+    if (scope.appId) {
+      const { data: pages } = await this.supabase.from("rbac_app_pages").select("id, page_name").eq("app_id", scope.appId);
       if (pages) {
+        const securityContext = {
+          userId,
+          organisationId: scope.organisationId,
+          timestamp: /* @__PURE__ */ new Date()
+        };
         for (const page of pages) {
-          const operations = [];
           for (const operation of ["read", "create", "update", "delete"]) {
-            const hasPermission2 = await this.isPermitted({
-              userId,
-              scope: validatedScope,
-              permission: `${operation}:${page.page_name}`,
-              pageId: page.id
-            });
-            if (hasPermission2) {
-              operations.push(operation);
-            }
+            const hasPermission2 = await this.isPermitted(
+              {
+                userId,
+                scope,
+                permission: `${operation}:${page.page_name}`,
+                pageId: page.id
+              },
+              securityContext
+            );
+            const permissionKey = `${operation}:${page.page_name}`;
+            permissionMap[permissionKey] = hasPermission2;
           }
-          permissionMap[page.id] = operations;
         }
       }
     }
-    rbacCache.set(cacheKey, permissionMap);
+    rbacCache.set(cacheKey, permissionMap, 6e4);
     return permissionMap;
   }
-  /**
-   * Check if user is super admin
-   * 
-   * Directly queries the rbac_global_roles table to check for super_admin role.
-   * This is consistent with how other RPC functions (rbac_permissions_get, etc.) check
-   * for super admin status - they all use direct queries to the rbac_global_roles table.
-   * 
-   * @param userId - User ID
-   * @returns Promise resolving to super admin status
-   */
-  async checkSuperAdmin(userId) {
-    const cacheKey = `super_admin:${userId}`;
-    const cached = rbacCache.get(cacheKey);
-    if (cached !== null) {
-      return cached;
-    }
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const { data, error } = await this.supabase.from("rbac_global_roles").select("role").eq("user_id", userId).eq("role", "super_admin").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).limit(1);
-    const isSuperAdmin2 = !error && data && data.length > 0;
-    rbacCache.set(cacheKey, isSuperAdmin2, 6e4);
-    return Boolean(isSuperAdmin2);
-  }
-  /**
-   * Get app configuration including requires_event setting
-   * 
-   * @param appId - App ID
-   * @returns Promise resolving to app configuration
-   */
-  async getAppConfig(appId) {
-    const { data, error } = await this.supabase.from("rbac_apps").select("requires_event").eq("id", appId).eq("is_active", true).single();
-    if (error || !data) {
-      return null;
-    }
-    return { requires_event: data.requires_event };
-  }
-  /**
-   * Resolve organisation ID from event ID
-   * 
-   * @param eventId - Event ID
-   * @returns Promise resolving to organisation ID
-   */
-  async resolveOrganisationFromEvent(eventId) {
-    const { data, error } = await this.supabase.from("event").select("organisation_id").eq("id", eventId).single();
-    if (error || !data) {
-      return null;
-    }
-    return data.organisation_id;
-  }
-  /**
-   * Validate context requirements based on app configuration
-   * 
-   * @param scope - Permission scope
-   * @param appId - Optional app ID
-   * @returns Promise resolving to validated scope with resolved organisation ID
-   */
-  async validateContextRequirements(scope, appId) {
-    if (appId) {
-      const appConfig = await this.getAppConfig(appId);
-      if (!appConfig) {
+  async resolveAppContext(input) {
+    try {
+      const { userId, appName } = input;
+      const { data, error } = await this.supabase.rpc("util_app_resolve", {
+        p_user_id: userId,
+        p_app_name: appName
+      });
+      if (error) {
+        console.error("[RBACEngine] Failed to resolve app context:", error);
         return null;
       }
-      if (appConfig.requires_event) {
-        if (!scope.eventId) {
-          return null;
-        }
-        if (!scope.organisationId) {
-          const resolvedOrgId = await this.resolveOrganisationFromEvent(scope.eventId);
-          if (!resolvedOrgId) {
-            return null;
-          }
-          return {
-            ...scope,
-            organisationId: resolvedOrgId
-          };
-        }
-        return scope;
-      } else {
-        if (!scope.organisationId) {
-          return null;
-        }
-        return scope;
+      if (!data || data.length === 0) {
+        return null;
       }
-    }
-    if (!scope.organisationId) {
+      const appData = data[0];
+      if (!appData?.app_id) {
+        return null;
+      }
+      return {
+        appId: appData.app_id,
+        hasAccess: appData.has_access !== false
+      };
+    } catch (error) {
+      console.error("[RBACEngine] Unexpected error resolving app context:", error);
       return null;
     }
-    return scope;
   }
-  /**
-   * Collect active grants for a user in a scope
-   * 
-   * @param userId - User ID
-   * @param scope - Permission scope
-   * @param pageId - Optional page ID
-   * @returns Promise resolving to grants array
-   * 
-   * PRECEDENCE ORDER (closest scope first): page → eventApp → organisation → global
-   */
-  async collectActiveGrants(userId, scope, pageId) {
-    const grants = [];
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const userRoles = [];
-    if (scope.eventId && scope.appId) {
-      const { data: eventRoles } = await this.supabase.from("rbac_event_app_roles").select("role, status, valid_from, valid_to").eq("user_id", userId).eq("event_id", scope.eventId).eq("app_id", scope.appId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`);
-      if (eventRoles) {
-        userRoles.push(...eventRoles.map((r) => r.role));
-      }
-    }
-    if (scope.organisationId) {
-      const { data: orgRoles } = await this.supabase.from("rbac_organisation_roles").select("role, status, valid_from, valid_to").eq("user_id", userId).eq("organisation_id", scope.organisationId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`);
-      if (orgRoles) {
-        userRoles.push(...orgRoles.map((r) => r.role));
+  async getRoleContext(input) {
+    const result = {
+      globalRole: null,
+      organisationRole: null,
+      eventAppRole: null
+    };
+    try {
+      const { userId, scope } = input;
+      const { data, error } = await this.supabase.rpc("rbac_permissions_get", {
+        p_user_id: userId,
+        p_organisation_id: scope.organisationId || null,
+        p_event_id: scope.eventId || null,
+        p_app_id: scope.appId || null
+      });
+      if (error) {
+        console.error("[RBACEngine] Failed to load role context:", error);
+        return result;
       }
-    }
-    console.log("[collectActiveGrants] User roles:", userRoles);
-    if (pageId) {
-      let resolvedPageId = null;
-      if (typeof pageId === "string") {
-        const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-        if (uuidRegex.test(pageId)) {
-          resolvedPageId = pageId;
-        } else {
-          const appId = scope.appId;
-          if (appId) {
-            const { data: page } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).single();
-            resolvedPageId = page?.id || null;
-          }
-        }
-      } else {
-        resolvedPageId = pageId;
+      if (!Array.isArray(data)) {
+        return result;
       }
-      if (resolvedPageId && scope.appId) {
-        console.log("[collectActiveGrants] Fetching page permissions via RPC for page:", resolvedPageId);
-        let pageName = null;
-        if (typeof pageId === "string" && !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(pageId)) {
-          pageName = pageId;
-        } else {
-          const { data: page } = await this.supabase.from("rbac_app_pages").select("page_name").eq("id", resolvedPageId).single();
-          pageName = page?.page_name || null;
+      for (const permission of data) {
+        if (permission.permission_type === "all_permissions") {
+          result.globalRole = "super_admin";
         }
-        const rpcResult = await this.supabase.rpc("rbac_permissions_get", {
-          p_user_id: userId,
-          p_app_id: scope.appId,
-          p_event_id: scope.eventId || null,
-          p_organisation_id: scope.organisationId || null,
-          p_page_id: resolvedPageId
-        });
-        const { data: rpcPermissions } = rpcResult;
-        console.log("[collectActiveGrants] RPC page permissions:", rpcPermissions);
-        if (rpcPermissions && pageName) {
-          const pagePerms = rpcPermissions.filter(
-            (p) => p.permission_type !== "all_permissions" && p.permission_type !== "organisation_access" && p.permission_type !== "event_app_access"
-          );
-          for (const perm of pagePerms) {
-            if (userRoles.includes(perm.role_name)) {
-              console.log("[collectActiveGrants] Adding page grant:", { operation: perm.permission_type, role: perm.role_name, allowed: perm.has_permission, pageName });
-              grants.push({
-                type: perm.has_permission ? "allow" : "deny",
-                // Use permission_type directly as it already includes the page name
-                permission: perm.permission_type,
-                scope: "page",
-                source: "rbac_page_permissions"
-              });
-            }
-          }
+        if (permission.permission_type === "organisation_access") {
+          result.organisationRole = permission.role_name;
         }
-      }
-    }
-    const { data: globalRoles } = await this.supabase.from("rbac_global_roles").select("role, valid_from, valid_to").eq("user_id", userId).lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`);
-    if (globalRoles) {
-      for (const role of globalRoles) {
-        if (role.role === "super_admin") {
-          grants.push(
-            { type: "allow", permission: "read:*", scope: "global", source: "rbac_global_roles" },
-            { type: "allow", permission: "create:*", scope: "global", source: "rbac_global_roles" },
-            { type: "allow", permission: "update:*", scope: "global", source: "rbac_global_roles" },
-            { type: "allow", permission: "delete:*", scope: "global", source: "rbac_global_roles" }
-          );
+        if (permission.permission_type === "event_app_access") {
+          result.eventAppRole = permission.role_name;
         }
       }
+      return result;
+    } catch (error) {
+      console.error("[RBACEngine] Unexpected error loading role context:", error);
+      return result;
     }
-    console.log("[collectActiveGrants] Final grants:", grants);
-    return grants;
-  }
-  /**
-   * Check page-specific permissions
-   * 
-   * @param userId - User ID
-   * @param pageId - Page ID
-   * @param permission - Permission to check
-   * @param scope - Permission scope
-   * @returns Promise resolving to page permission result
-   */
-  async checkPagePermissions(userId, pageId, permission, scope) {
-    if (!pageId) {
-      return true;
-    }
-    const [operation] = permission.split(":");
-    const userRoles = [];
-    if (scope.organisationId) {
-      const orgRole = await this.getOrganisationRole(userId, scope.organisationId);
-      if (orgRole) {
-        userRoles.push(orgRole);
-      }
-    }
-    if (scope.eventId && scope.appId) {
-      const eventRole = await this.getEventAppRole(userId, scope.eventId, scope.appId);
-      if (eventRole) {
-        userRoles.push(eventRole);
-      }
-    }
-    let resolvedPageId = null;
-    if (typeof pageId === "string") {
-      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-      if (uuidRegex.test(pageId)) {
-        resolvedPageId = pageId;
-      } else {
-        let appId = scope.appId;
-        if (!appId) {
-          const appName = import.meta.env.VITE_APP_NAME || import.meta.env.REACT_APP_NAME;
-          if (appName) {
-            const { data: app } = await this.supabase.from("rbac_apps").select("id").eq("name", appName).eq("is_active", true).single();
-            if (app) {
-              appId = app.id;
-            }
-          }
-        }
-        if (appId) {
-          const { data: page } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).single();
-          resolvedPageId = page?.id || null;
-        }
-      }
-    } else {
-      resolvedPageId = pageId;
-    }
-    if (!resolvedPageId) {
-      return false;
-    }
-    const { data: pagePermissions } = await this.supabase.from("rbac_page_permissions").select("allowed").eq("app_page_id", resolvedPageId).eq("operation", operation).in("role_name", userRoles).single();
-    return pagePermissions?.allowed ?? false;
-  }
-  /**
-   * Get organisation role for a user
-   * 
-   * @param userId - User ID
-   * @param organisationId - Organisation ID
-   * @returns Promise resolving to organisation role
-   */
-  async getOrganisationRole(userId, organisationId) {
-    const { data, error } = await this.supabase.from("rbac_organisation_roles").select("role").eq("user_id", userId).eq("organisation_id", organisationId).eq("status", "active").single();
-    return error ? null : data?.role || null;
   }
   /**
-   * Get event-app role for a user
+   * Check if user is super admin
    * 
    * @param userId - User ID
-   * @param eventId - Event ID
-   * @param appId - App ID
-   * @returns Promise resolving to event-app role
-   */
-  async getEventAppRole(userId, eventId, appId) {
-    const { data, error } = await this.supabase.from("rbac_event_app_roles").select("role, status, valid_from, valid_to").eq("user_id", userId).eq("event_id", eventId).eq("app_id", appId).eq("status", "active").lte("valid_from", (/* @__PURE__ */ new Date()).toISOString()).or(`valid_to.is.null,valid_to.gte.${(/* @__PURE__ */ new Date()).toISOString()}`).single();
-    return error ? null : data?.role || null;
-  }
-  /**
-   * Get permission for organisation role
-   * 
-   * @param role - Organisation role
-   * @returns Permission string
-   */
-  getPermissionForOrgRole(role) {
-    switch (role) {
-      case "org_admin":
-        return "read:*";
-      // Will be expanded to all CRUD in collectActiveGrants
-      case "leader":
-        return "read:organisation.*";
-      // Will be expanded to all CRUD in collectActiveGrants
-      case "member":
-        return "read:organisation.*";
-      case "supporter":
-        return "read:organisation.public";
-      default:
-        return "read:organisation.public";
-    }
-  }
-  /**
-   * Get permission for event-app role
-   * 
-   * @param role - Event-app role
-   * @returns Permission string
-   */
-  getPermissionForEventRole(role) {
-    switch (role) {
-      case "event_admin":
-        return "read:event.*";
-      // Will be expanded to all CRUD in collectActiveGrants
-      case "planner":
-        return "read:event.planning";
-      // Will be expanded to all CRUD in collectActiveGrants
-      case "participant":
-        return "read:event.*";
-      case "viewer":
-        return "read:event.public";
-      default:
-        return "read:event.public";
-    }
-  }
-  /**
-   * Check if a permission matches another permission
-   * 
-   * @param grantPermission - Permission from grant
-   * @param requestedPermission - Requested permission
-   * @returns True if permissions match
+   * @returns Promise resolving to super admin status
    */
-  permissionMatches(grantPermission, requestedPermission) {
-    console.log("[permissionMatches] Checking:", { grantPermission, requestedPermission });
-    if (grantPermission === requestedPermission) {
-      console.log("[permissionMatches] Exact match found");
-      return true;
-    }
-    if (grantPermission.endsWith(":*") || grantPermission.endsWith(".*")) {
-      const [grantOp, grantResource] = grantPermission.split(":");
-      const [requestedOp, requestedResource] = requestedPermission.split(":");
-      console.log("[permissionMatches] Wildcard check:", {
-        grantOp,
-        grantResource,
-        requestedOp,
-        requestedResource,
-        operationsMatch: grantOp === requestedOp
-      });
-      if (grantOp === requestedOp) {
-        const prefix = grantResource.slice(0, -1);
-        const matches = prefix === "" || requestedResource.startsWith(prefix);
-        console.log("[permissionMatches] Wildcard match result:", { prefix, matches });
-        return matches;
-      }
-    }
-    if (grantPermission.includes("*")) {
-      const [grantOp, grantResource] = grantPermission.split(":");
-      const [requestedOp, requestedResource] = requestedPermission.split(":");
-      console.log("[permissionMatches] Other wildcard check:", {
-        grantOp,
-        grantResource,
-        requestedOp,
-        requestedResource,
-        operationsMatch: grantOp === requestedOp
-      });
-      if (grantOp === requestedOp) {
-        const prefix = grantResource.replace("*", "");
-        const matches = requestedResource.startsWith(prefix);
-        console.log("[permissionMatches] Other wildcard match result:", { prefix, matches });
-        return matches;
-      }
+  async checkSuperAdmin(userId) {
+    const cacheKey = `super_admin:${userId}`;
+    const cached = rbacCache.get(cacheKey);
+    if (cached !== null) {
+      return cached;
     }
-    console.log("[permissionMatches] No match found");
-    return false;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const { data, error } = await this.supabase.from("rbac_global_roles").select("role").eq("user_id", userId).eq("role", "super_admin").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).limit(1);
+    const isSuperAdmin2 = !error && data && data.length > 0;
+    rbacCache.set(cacheKey, isSuperAdmin2, 6e4);
+    return Boolean(isSuperAdmin2);
   }
   /**
    * Resolve a page ID to UUID if it's a page name
    * 
    * @param pageId - Page ID (UUID) or page name (string)
    * @param appId - App ID to look up the page
-   * @returns Resolved page ID (UUID) or original pageId if it's already a UUID or can't be resolved
+   * @returns Resolved page ID (UUID) or original pageId
    */
   async resolvePageId(pageId, appId) {
     if (!pageId) {
@@ -1447,9 +1366,24 @@ async function getPermissionMap(input) {
   const engine = getEngine();
   return engine.getPermissionMap(input);
 }
+async function resolveAppContext(input) {
+  const engine = getEngine();
+  return engine.resolveAppContext(input);
+}
+async function getRoleContext(input) {
+  const engine = getEngine();
+  return engine.getRoleContext(input);
+}
 async function isPermitted(input) {
   const engine = getEngine();
-  return engine.isPermitted(input);
+  const securityContext = {
+    userId: input.userId,
+    organisationId: input.scope.organisationId || input.userId,
+    // Fallback to userId as UUID
+    timestamp: /* @__PURE__ */ new Date()
+    // Optional fields can be omitted
+  };
+  return engine.isPermitted(input, securityContext);
 }
 async function isPermittedCached(input) {
   const { userId, scope, permission, pageId } = input;
@@ -1503,8 +1437,20 @@ async function isSuperAdmin(userId) {
   return engine["checkSuperAdmin"](userId);
 }
 async function getAppConfig(appId) {
-  const engine = getEngine();
-  return engine["getAppConfig"](appId);
+  console.warn("[RBAC] getAppConfig called without Supabase client - returning null");
+  return null;
+}
+async function getAppConfigWithClient(client, appId) {
+  try {
+    const { data, error } = await client.from("rbac_apps").select("requires_event").eq("id", appId).eq("is_active", true).single();
+    if (error || !data) {
+      return null;
+    }
+    return { requires_event: data.requires_event };
+  } catch (err) {
+    console.error("[RBAC] Error fetching app config:", err);
+    return null;
+  }
 }
 async function isOrganisationAdmin(userId, organisationId) {
   const accessLevel = await getAccessLevel({
@@ -1555,6 +1501,8 @@ export {
   setupRBAC,
   getAccessLevel,
   getPermissionMap,
+  resolveAppContext,
+  getRoleContext,
   isPermitted,
   isPermittedCached,
   hasPermission,
@@ -1562,6 +1510,7 @@ export {
   hasAllPermissions,
   isSuperAdmin,
   getAppConfig,
+  getAppConfigWithClient,
   isOrganisationAdmin,
   isEventAdmin,
   invalidateUserCache,
@@ -1570,4 +1519,4 @@ export {
   invalidateAppCache,
   clearCache
 };
-//# sourceMappingURL=chunk-FGMFQSHX.js.map
+//# sourceMappingURL=chunk-S63MFSY6.js.map