@jmruthers/pace-core 0.6.1 → 0.6.3

package/dist/{chunk-4ZC4GX36.js → chunk-CNCQDFLN.js}

@@ -2,24 +2,25 @@ import {
   scopeEqual,
   useAccessLevel,
   useCan,
-  useMultiplePermissions
-} from "./chunk-XM25TVIE.js";
+  useMultiplePermissions,
+  useResolvedScope,
+  useSecureSupabase
+} from "./chunk-YDQHOZNA.js";
 import {
-  useSecureDataAccess
-} from "./chunk-EXUD6RNJ.js";
-import {
-  useResolvedScope
-} from "./chunk-3XTALGJF.js";
+  useOrganisationSecurity
+} from "./chunk-6Z7LTB3D.js";
 import {
   useUnifiedAuth
-} from "./chunk-BYFSK72L.js";
+} from "./chunk-DWUBLJJM.js";
 import {
   RBACCache,
-  RBACNotInitializedError,
   getRBACConfig,
   getRBACLogger,
   rbacCache
-} from "./chunk-KNC55RTG.js";
+} from "./chunk-RWEBCB47.js";
+import {
+  RBACNotInitializedError
+} from "./chunk-QRPVRXYT.js";
 import {
   createLogger,
   logger
@@ -177,11 +178,62 @@ var PagePermissionGuardComponent = ({
   const instanceId = useMemo2(() => Math.random().toString(36).substr(2, 9), []);
   const { user, selectedOrganisation, selectedEvent, supabase, appId: contextAppId, appName } = useUnifiedAuth();
   const [hasChecked, setHasChecked] = useState2(false);
+  const hasLoggedSuperAdminRef = useRef(false);
+  const effectivePageId = useMemo2(() => {
+    return pageId || pageName;
+  }, [pageId, pageName]);
+  const [isSuperAdmin, setIsSuperAdmin] = useState2(null);
+  useEffect2(() => {
+    if (!user?.id) {
+      setIsSuperAdmin(false);
+      return;
+    }
+    let cancelled = false;
+    const checkSuperAdmin = async () => {
+      const startTime = Date.now();
+      try {
+        const { isSuperAdmin: checkSuperAdmin2 } = await import("./api-IAGWF3ZG.js");
+        const timeoutPromise = new Promise((_, reject) => {
+          setTimeout(() => reject(new Error("Super admin check timeout")), 1e4);
+        });
+        const isSuper = await Promise.race([
+          checkSuperAdmin2(user.id),
+          timeoutPromise
+        ]);
+        const elapsed = Date.now() - startTime;
+        if (!cancelled) {
+          setIsSuperAdmin(isSuper);
+          if (false) {
+            console.log("[PagePermissionGuard] Super admin check completed", {
+              userId: user.id,
+              isSuperAdmin: isSuper,
+              elapsedMs: elapsed
+            });
+          }
+        }
+      } catch (err) {
+        const elapsed = Date.now() - startTime;
+        if (!cancelled) {
+          console.error("[PagePermissionGuard] Error checking super admin", {
+            error: err,
+            userId: user.id,
+            elapsedMs: elapsed
+          });
+          setIsSuperAdmin(false);
+        }
+      }
+    };
+    checkSuperAdmin();
+    return () => {
+      cancelled = true;
+    };
+  }, [user?.id]);
   const { resolvedScope: hookResolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
     supabase,
     selectedOrganisationId: selectedOrganisation?.id || null,
     selectedEventId: selectedEvent?.event_id || null
   });
+  const shouldBypassScopeForSuperAdmin = isSuperAdmin === true;
   const allowsOptionalContexts = appName === "PORTAL" || appName === "ADMIN";
   const effectiveScope = scope || (hookResolvedScope ? {
     ...hookResolvedScope,
@@ -197,9 +249,6 @@ var PagePermissionGuardComponent = ({
     appId: contextAppId || void 0
   } : null);
   const checkError = scopeError;
-  const effectivePageId = useMemo2(() => {
-    return pageId || pageName;
-  }, [pageId, pageName]);
   const permission = useMemo2(() => {
     return `${operation}:page.${pageName}`;
   }, [operation, pageName]);
@@ -232,28 +281,38 @@ var PagePermissionGuardComponent = ({
     prevScopeRef.current = newScope;
     return newScope;
   }, [effectiveScope, appName, contextAppId, selectedEvent?.event_id]);
+  const scopeForPermissionCheck = shouldBypassScopeForSuperAdmin && !stableScope?.organisationId ? {
+    organisationId: void 0,
+    appId: contextAppId || void 0,
+    eventId: selectedEvent?.event_id || void 0
+  } : stableScope;
+  const shouldSkipPermissionCheck = isSuperAdmin === true;
   const { can, isLoading: canIsLoading, error: canError } = useCan(
     user?.id || "",
-    stableScope,
+    shouldSkipPermissionCheck ? { organisationId: void 0, appId: contextAppId || void 0, eventId: void 0 } : scopeForPermissionCheck,
     permission,
     effectivePageId,
     true,
     // Use cache
+    isSuperAdmin,
+    // precomputedSuperAdmin - null if checking, true/false if checked
     appName
     // Pass appName for PORTAL/ADMIN special case
   );
-  const isLoading = scopeLoading || canIsLoading;
+  const effectiveCan = shouldSkipPermissionCheck ? true : can;
+  const effectiveIsLoading = shouldSkipPermissionCheck ? false : canIsLoading;
+  const isLoading = shouldBypassScopeForSuperAdmin ? effectiveIsLoading : scopeLoading || effectiveIsLoading;
   const error = checkError || canError;
   useEffect2(() => {
     if (!isLoading && !error) {
       setHasChecked(true);
-      if (!can && onDenied) {
+      if (!effectiveCan && onDenied) {
         onDenied(pageName, operation);
       }
     } else if (error) {
       setHasChecked(true);
     }
-  }, [can, isLoading, error, pageName, operation, onDenied]);
+  }, [effectiveCan, isLoading, error, pageName, operation, onDenied]);
   useEffect2(() => {
     if (auditLog && hasChecked && !isLoading) {
       const rbacLogger = getRBACLogger();
@@ -262,13 +321,14 @@ var PagePermissionGuardComponent = ({
         operation,
         userId: user?.id,
         scope: effectiveScope,
-        allowed: can,
+        allowed: effectiveCan,
+        isSuperAdmin,
         timestamp: (/* @__PURE__ */ new Date()).toISOString()
       });
     }
-  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, effectiveScope, can]);
+  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, effectiveScope, effectiveCan, isSuperAdmin]);
   useEffect2(() => {
-    if (strictMode && hasChecked && !isLoading && !can) {
+    if (strictMode && hasChecked && !isLoading && !effectiveCan && !shouldBypassScopeForSuperAdmin) {
       const logger2 = getRBACLogger();
       logger2.error(`STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
         pageName,
@@ -281,18 +341,85 @@ var PagePermissionGuardComponent = ({
         // PORTAL/ADMIN allow scope without org/event
         checkError,
         canError,
+        isSuperAdmin,
         timestamp: (/* @__PURE__ */ new Date()).toISOString()
       });
     }
-  }, [strictMode, hasChecked, isLoading, can, pageName, operation, effectivePageId, user?.id, effectiveScope, allowsOptionalContexts, checkError, canError]);
-  const hasValidScopeForPagePermissions = allowsOptionalContexts ? true : effectiveScope !== null;
+  }, [strictMode, hasChecked, isLoading, effectiveCan, shouldBypassScopeForSuperAdmin, pageName, operation, effectivePageId, user?.id, effectiveScope, allowsOptionalContexts, checkError, canError, isSuperAdmin]);
+  const hasValidScopeForPagePermissions = shouldBypassScopeForSuperAdmin ? true : allowsOptionalContexts ? true : effectiveScope !== null;
   const hasValidUser = user && user.id;
   const isPermissionCheckComplete = hasChecked && !isLoading;
-  const shouldShowAccessDenied = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && !can;
-  const shouldShowContent = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && can;
+  const shouldShowAccessDenied = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && !effectiveCan;
+  const shouldShowContent = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && effectiveCan;
   const scopeKey = effectiveScope ? `${effectiveScope.organisationId}-${effectiveScope.eventId}-${effectiveScope.appId}` : "no-scope";
   const permissionKey = `${scopeKey}-${can}-${isLoading}-${!!checkError}-${hasChecked}`;
-  if (isLoading || !hasValidUser || !hasChecked) {
+  const lastLogStateRef = useRef("");
+  useEffect2(() => {
+    if (false) {
+      const currentState = JSON.stringify({
+        pageName,
+        userId: user?.id,
+        isSuperAdmin,
+        isLoading,
+        scopeLoading,
+        canIsLoading,
+        hasChecked,
+        hasValidUser,
+        effectiveCan
+      });
+      if (currentState !== lastLogStateRef.current) {
+        lastLogStateRef.current = currentState;
+        console.log("[PagePermissionGuard] Permission check state", {
+          pageName,
+          userId: user?.id,
+          isSuperAdmin,
+          isLoading,
+          scopeLoading,
+          canIsLoading,
+          hasChecked,
+          hasValidUser,
+          effectiveCan,
+          stableScope,
+          effectiveScope
+        });
+      }
+    }
+  }, [pageName, user?.id, isSuperAdmin, isLoading, scopeLoading, canIsLoading, hasChecked, hasValidUser, effectiveCan, stableScope, effectiveScope]);
+  useEffect2(() => {
+    if (isLoading && isSuperAdmin === null && hasValidUser) {
+      const timeout = setTimeout(() => {
+        console.warn("[PagePermissionGuard] Permission check taking longer than expected", {
+          pageName,
+          userId: user?.id,
+          isSuperAdmin,
+          scopeLoading,
+          canIsLoading,
+          hasChecked,
+          stableScope,
+          effectiveScope,
+          appName
+        });
+      }, 5e3);
+      return () => clearTimeout(timeout);
+    }
+  }, [isLoading, isSuperAdmin, hasValidUser, pageName, user?.id, scopeLoading, canIsLoading, hasChecked, stableScope, effectiveScope, appName]);
+  useEffect2(() => {
+    if (isSuperAdmin === true && hasValidUser && !hasLoggedSuperAdminRef.current && false) {
+      hasLoggedSuperAdminRef.current = true;
+      console.log("[PagePermissionGuard] Super admin access granted - bypassing all checks", {
+        pageName,
+        userId: user?.id,
+        operation
+      });
+    }
+    if (isSuperAdmin !== true) {
+      hasLoggedSuperAdminRef.current = false;
+    }
+  }, [isSuperAdmin, hasValidUser, pageName, user?.id, operation]);
+  if (isSuperAdmin === true && hasValidUser) {
+    return /* @__PURE__ */ jsx2(Fragment, { children });
+  }
+  if (isLoading || !hasValidUser || !hasChecked || isSuperAdmin === null) {
     return loading || /* @__PURE__ */ jsx2("div", { children: "Checking permissions..." });
   }
   if (checkError && !can) {
@@ -343,7 +470,8 @@ function SecureDataProvider({
   enforceRLS = true
 }) {
   const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const { validateContext } = useSecureDataAccess();
+  const secureSupabase = useSecureSupabase(supabase);
+  const { superAdminContext } = useOrganisationSecurity();
   const [dataAccessHistory, setDataAccessHistory] = useState3([]);
   const [isEnabled, setIsEnabled] = useState3(true);
   const { resolvedScope } = useResolvedScope({
@@ -351,6 +479,17 @@ function SecureDataProvider({
     selectedOrganisationId: selectedOrganisation?.id || null,
     selectedEventId: selectedEvent?.event_id || null
   });
+  const validateContext = useCallback3(() => {
+    if (!secureSupabase) {
+      throw new Error("No Supabase client available");
+    }
+    if (!user) {
+      throw new Error("User must be authenticated");
+    }
+    if (!superAdminContext.isSuperAdmin && !resolvedScope?.organisationId) {
+      throw new Error("Organisation context is required for data access");
+    }
+  }, [secureSupabase, user, superAdminContext.isSuperAdmin, resolvedScope?.organisationId]);
   const currentScope = resolvedScope;
   const isDataAccessAllowed = useCallback3((table, operation, scope) => {
     if (!isEnabled) return true;
@@ -626,7 +765,13 @@ function RoleBasedRouter({
     user?.id || "",
     currentScope || { organisationId: "", eventId: void 0, appId: void 0 },
     currentRouteConfig?.permissions?.[0] || "read:page",
-    currentRouteConfig?.pageId
+    currentRouteConfig?.pageId,
+    true,
+    // useCache
+    null,
+    // precomputedSuperAdmin - not checked yet
+    void 0
+    // appName
   );
   const isPublicRoute = currentRouteConfig?.public === true;
   const hasPermissions = currentRouteConfig?.permissions && currentRouteConfig.permissions.length > 0;
@@ -801,8 +946,12 @@ function NavigationProvider({
       currentScope,
       permission,
       item.pageId,
-      true
+      true,
       // useCache
+      null,
+      // precomputedSuperAdmin - not checked yet
+      void 0
+      // appName
     );
     if (error) {
       logger.warn("NavigationProvider", `Permission check error for "${item.id}": ${error.message} - allowing access for graceful degradation`);
@@ -1135,7 +1284,18 @@ function PermissionGuard({
     }
   }
   const effectiveUserId = userId ?? authContext?.user?.id ?? null;
-  const { can, isLoading, error } = useCan(effectiveUserId || "", scope, permission, pageId);
+  const { can, isLoading, error } = useCan(
+    effectiveUserId || "",
+    scope,
+    permission,
+    pageId,
+    true,
+    // useCache
+    null,
+    // precomputedSuperAdmin - not checked yet
+    void 0
+    // appName
+  );
   if (!effectiveUserId) {
     logger2.error("PermissionGuard: No userId provided and could not infer from context");
     return fallback ?? null;
@@ -1220,7 +1380,7 @@ function withPermissionGuard(config, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for permission check");
     }
-    const { isPermitted: isPermitted2 } = await import("./api-N774RPUA.js");
+    const { isPermitted: isPermitted2 } = await import("./api-IAGWF3ZG.js");
     const hasPermission2 = await isPermitted2({
       userId,
       scope: { organisationId, eventId, appId },
@@ -1243,7 +1403,7 @@ function withAccessLevelGuard(minLevel, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for access level check");
     }
-    const { getAccessLevel: getAccessLevel2 } = await import("./api-N774RPUA.js");
+    const { getAccessLevel: getAccessLevel2 } = await import("./api-IAGWF3ZG.js");
     const accessLevel = await getAccessLevel2({
       userId,
       scope: { organisationId, eventId, appId }
@@ -1268,11 +1428,11 @@ function withRoleGuard(config, handler) {
       throw new Error("User context required for role check");
     }
     if (config.globalRoles && config.globalRoles.length > 0) {
-      const { isSuperAdmin } = await import("./api-N774RPUA.js");
+      const { isSuperAdmin } = await import("./api-IAGWF3ZG.js");
       const isSuper = await isSuperAdmin(userId);
       if (isSuper) {
         if (organisationId) {
-          const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-B5P6FFIR.js");
+          const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-V53FV5AG.js");
           await emitAuditEvent2({
             type: "permission_check",
             userId,
@@ -1294,21 +1454,21 @@ function withRoleGuard(config, handler) {
       }
     }
     if (config.organisationRoles && config.organisationRoles.length > 0) {
-      const { isOrganisationAdmin } = await import("./api-N774RPUA.js");
+      const { isOrganisationAdmin } = await import("./api-IAGWF3ZG.js");
       const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
       if (!isOrgAdmin && config.requireAll !== false) {
         throw new Error(`Organisation admin role required`);
       }
     }
     if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
-      const { isEventAdmin } = await import("./api-N774RPUA.js");
+      const { isEventAdmin } = await import("./api-IAGWF3ZG.js");
       const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
       if (!isEventAdminUser && config.requireAll !== false) {
         throw new Error(`Event admin role required`);
       }
     }
     if (organisationId) {
-      const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-B5P6FFIR.js");
+      const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-V53FV5AG.js");
       await emitAuditEvent2({
         type: "permission_check",
         userId,
@@ -1341,7 +1501,7 @@ function createRBACMiddleware(config) {
     );
     if (protectedRoute) {
       try {
-        const { isPermitted: isPermitted2 } = await import("./api-N774RPUA.js");
+        const { isPermitted: isPermitted2 } = await import("./api-IAGWF3ZG.js");
         const hasPermission2 = await isPermitted2({
           userId,
           scope: { organisationId },
@@ -1368,7 +1528,7 @@ function createRBACExpressMiddleware(config) {
       return res.status(401).json({ error: "User context required" });
     }
     try {
-      const { isPermitted: isPermitted2 } = await import("./api-N774RPUA.js");
+      const { isPermitted: isPermitted2 } = await import("./api-IAGWF3ZG.js");
       const hasPermission2 = await isPermitted2({
         userId,
         scope: { organisationId, eventId, appId },
@@ -1496,12 +1656,6 @@ function isValidPermission(permission) {
   const pattern = /^(read|create|update|delete):[a-z0-9]+(\.[a-z0-9]+)*$|^(read|create|update|delete):\*$/;
   return pattern.test(permission);
 }
-function getPermissionsForRole(role) {
-  log3.warn(
-    `getPermissionsForRole() is deprecated. Permissions must be queried from rbac_page_permissions table. Called with role: ${role}`
-  );
-  return [];
-}
 var ALL_PERMISSIONS = {
   ...GLOBAL_PERMISSIONS,
   ...ORGANISATION_PERMISSIONS,
@@ -1883,7 +2037,6 @@ export {
   EVENT_APP_PERMISSIONS,
   PAGE_PERMISSIONS,
   isValidPermission,
-  getPermissionsForRole,
   ALL_PERMISSIONS,
   isRBACInitialized,
   getSetupIssues,
@@ -1897,4 +2050,4 @@ export {
   getDirectSupabaseAuthFixes,
   getQuickFixes
 };
-//# sourceMappingURL=chunk-4ZC4GX36.js.map
+//# sourceMappingURL=chunk-CNCQDFLN.js.map