@jmruthers/pace-core 0.6.1 → 0.6.3

package/dist/{chunk-XM25TVIE.js → chunk-YDQHOZNA.js}

@@ -1,50 +1,96 @@
 import {
   useAppConfig,
   useEvents,
-  useOrganisationSecurity,
-  useResolvedScope
-} from "./chunk-3XTALGJF.js";
+  useOrganisationSecurity
+} from "./chunk-6Z7LTB3D.js";
 import {
   useOrganisations,
   useUnifiedAuth
-} from "./chunk-BYFSK72L.js";
+} from "./chunk-DWUBLJJM.js";
 import {
-  ContextValidator,
-  OrganisationContextRequiredError,
   getAccessLevel,
+  getPageScopeType,
   getPermissionMap,
   getRBACLogger,
   getRoleContext,
   isPermitted,
   isPermittedCached,
   resolveAppContext
-} from "./chunk-KNC55RTG.js";
+} from "./chunk-RWEBCB47.js";
+import {
+  ContextValidator,
+  OrganisationContextRequiredError
+} from "./chunk-QRPVRXYT.js";
 import {
+  getCurrentAppName
+} from "./chunk-M7MPQISP.js";
+import {
+  createLogger,
   logger
 } from "./chunk-PWLANIRT.js";
 
+// src/rbac/utils/clientSecurity.ts
+var SECURE_CLIENT_SYMBOL = Symbol("pace-core-secure-client");
+function isSecureClient(client) {
+  if (!client) return false;
+  return client[SECURE_CLIENT_SYMBOL] === true;
+}
+function warnIfInsecureClient(client, context) {
+  if (typeof process !== "undefined" && true) {
+    return;
+  }
+  if (!client) return;
+  if (!isSecureClient(client)) {
+    const contextMsg = context ? ` in ${context}` : "";
+    console.warn(
+      `[pace-core Security Warning] Non-secure Supabase client detected${contextMsg}.
+You are using a Supabase client created with createClient() instead of useSecureSupabase().
+This bypasses organisation context enforcement and RLS policies, which can lead to:
+- Cross-organisation data access
+- Security vulnerabilities
+- Data leakage between organisations
+
+Fix: Replace with:
+  import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+  const supabase = useSecureSupabase();
+
+See: https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/rbac/getting-started.md`
+    );
+  }
+}
+function markClientAsSecure(client) {
+  client[SECURE_CLIENT_SYMBOL] = true;
+}
+
 // src/rbac/secureClient.ts
 import { createClient } from "@supabase/supabase-js";
-var SecureSupabaseClient = class _SecureSupabaseClient {
-  constructor(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin = false) {
+var _SecureSupabaseClient = class _SecureSupabaseClient {
+  constructor(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin = false, existingClient) {
     this.edgeFunctionClient = null;
+    this.usesExistingClient = false;
     this.supabaseUrl = supabaseUrl;
     this.supabaseKey = supabaseKey;
     this.organisationId = organisationId;
     this.eventId = eventId;
     this.appId = appId;
     this.isSuperAdmin = isSuperAdmin;
-    this.supabase = createClient(supabaseUrl, supabaseKey, {
-      global: {
-        headers: {
-          "x-organisation-id": organisationId,
-          "x-event-id": eventId || "",
-          "x-app-id": appId || ""
+    if (existingClient) {
+      this.supabase = existingClient;
+      this.usesExistingClient = true;
+    } else {
+      this.supabase = createClient(supabaseUrl, supabaseKey, {
+        global: {
+          headers: {
+            "x-organisation-id": organisationId || "",
+            "x-event-id": eventId || "",
+            "x-app-id": appId || ""
+          }
         }
-      }
-    });
+      });
+    }
     this.setupContextInjection();
     this.setupEdgeFunctionHandling();
+    markClientAsSecure(this.supabase);
   }
   /**
    * Setup context injection for all database operations
@@ -52,20 +98,26 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
   setupContextInjection() {
     const originalFrom = this.supabase.from.bind(this.supabase);
     this.supabase.from = (table) => {
-      this.validateContext();
+      this.validateContextForTable(table);
       const query = originalFrom(table);
       query._tableName = table;
       return this.injectContext(query, table);
     };
     const originalRpc = this.supabase.rpc.bind(this.supabase);
     this.supabase.rpc = (fn, args, options) => {
-      this.validateContext();
-      const contextArgs = {
-        ...args,
-        p_organisation_id: this.organisationId,
-        p_event_id: this.eventId,
-        p_app_id: this.appId
-      };
+      this.validateContextForRpc(fn);
+      const acceptedParams = this.getRpcAcceptedParams(fn);
+      const safeArgs = args ?? {};
+      const contextArgs = { ...safeArgs };
+      if (acceptedParams.has("p_organisation_id") && this.organisationId && safeArgs.p_organisation_id === void 0) {
+        contextArgs.p_organisation_id = this.organisationId;
+      }
+      if (acceptedParams.has("p_event_id") && this.eventId && safeArgs.p_event_id === void 0) {
+        contextArgs.p_event_id = this.eventId;
+      }
+      if (acceptedParams.has("p_app_id") && this.appId && safeArgs.p_app_id === void 0) {
+        contextArgs.p_app_id = this.appId;
+      }
       return originalRpc(fn, contextArgs, options);
     };
   }
@@ -79,6 +131,10 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
    * This avoids interfering with the main client's operations.
    */
   setupEdgeFunctionHandling() {
+    if (this.usesExistingClient) {
+      this.edgeFunctionClient = null;
+      return;
+    }
     this.edgeFunctionClient = createClient(this.supabaseUrl, this.supabaseKey);
   }
   /**
@@ -99,6 +155,7 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
     const originalDelete = query.delete.bind(query);
     query.select = (columns) => {
       const result = originalSelect(columns);
+      result._tableName = tableName;
       return this.addOrganisationFilter(result, tableName);
     };
     query.insert = (values) => {
@@ -119,9 +176,18 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
         if (this.isSuperAdmin) {
           return originalInsert(values);
         }
+        if (!this.organisationId) {
+          throw new OrganisationContextRequiredError();
+        }
         const contextValues2 = Array.isArray(values) ? values.map((v) => ({ ...v, organisation_id: this.organisationId })) : { ...values, organisation_id: this.organisationId };
         return originalInsert(contextValues2);
       }
+      if (this.isSuperAdmin && !this.organisationId) {
+        return originalInsert(values);
+      }
+      if (!this.organisationId) {
+        throw new OrganisationContextRequiredError();
+      }
       const contextValues = Array.isArray(values) ? values.map((v) => ({ ...v, organisation_id: this.organisationId })) : { ...values, organisation_id: this.organisationId };
       return originalInsert(contextValues);
     };
@@ -146,6 +212,10 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
    * - Super admins: No org filter (see all users) - RLS will allow access
    * - Non-super-admins: Apply org filter as defense in depth - RLS will also filter
    * 
+   * For system-wide tables (like core_organisations):
+   * - Super admins: No org filter (see all records) - RLS will allow access
+   * - Non-super-admins: Apply org filter as defense in depth - RLS will also filter
+   * 
    * For other tables:
    * - Always apply org filter unless super admin bypasses it
    */
@@ -189,11 +259,18 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
     if (!this.organisationId) {
       return query;
     }
+    const systemWideTablesForSuperAdmins = [
+      "core_organisations"
+      // Super-admins need to see all organisations
+    ];
+    if (systemWideTablesForSuperAdmins.includes(tableName) && this.isSuperAdmin) {
+      return query;
+    }
     if (tableName === "rbac_user_profiles") {
       if (this.isSuperAdmin) {
         return query;
       }
-      return query.eq("organisation_id", this.organisationId);
+      return query.or(`organisation_id.eq.${this.organisationId},organisation_id.is.null`);
     }
     if (this.isSuperAdmin) {
       return query.eq("organisation_id", this.organisationId);
@@ -202,12 +279,57 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
   }
   /**
    * Validate that required context is present
+   * Super-admins can operate without organisation context
    */
   validateContext() {
+    if (this.isSuperAdmin) {
+      return;
+    }
     if (!this.organisationId) {
       throw new OrganisationContextRequiredError();
     }
   }
+  /**
+   * Determine whether a table requires organisation context.
+   * Tables without an organisation_id column (or global configuration tables) are safe without org context.
+   */
+  tableRequiresOrganisationContext(tableName) {
+    const tablesWithoutOrganisationId = /* @__PURE__ */ new Set([
+      "core_organisations",
+      "rbac_apps",
+      "rbac_app_pages",
+      "rbac_global_roles",
+      "core_person",
+      "core_member",
+      "core_contact",
+      "core_consent",
+      "core_identification",
+      "core_qualification",
+      "medi_profile",
+      "medi_condition",
+      "medi_diet",
+      "medi_action_plan",
+      "medi_profile_versions"
+    ]);
+    return !tablesWithoutOrganisationId.has(tableName);
+  }
+  /**
+   * Validate context for a specific table operation.
+   */
+  validateContextForTable(tableName) {
+    if (this.isSuperAdmin) return;
+    if (!this.organisationId && this.tableRequiresOrganisationContext(tableName)) {
+      throw new OrganisationContextRequiredError();
+    }
+  }
+  /**
+   * Validate context for a specific RPC call.
+   */
+  validateContextForRpc(fn) {
+    if (this.isSuperAdmin) return;
+    if (_SecureSupabaseClient.GLOBAL_RPC_ALLOWLIST.has(fn)) return;
+    this.validateContext();
+  }
   /**
    * Get the current organisation ID
    */
@@ -233,7 +355,7 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
     return new _SecureSupabaseClient(
       this.supabaseUrl,
       this.supabaseKey,
-      updates.organisationId || this.organisationId,
+      updates.organisationId !== void 0 ? updates.organisationId : this.organisationId,
       updates.eventId !== void 0 ? updates.eventId : this.eventId,
       updates.appId !== void 0 ? updates.appId : this.appId,
       updates.isSuperAdmin !== void 0 ? updates.isSuperAdmin : this.isSuperAdmin
@@ -244,7 +366,7 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
    * @internal
    */
   getClient() {
-    return new Proxy(this.supabase, {
+    const proxiedClient = new Proxy(this.supabase, {
       get: (target, prop) => {
         if (prop === "functions" && this.edgeFunctionClient) {
           return this.edgeFunctionClient.functions;
@@ -252,17 +374,248 @@ var SecureSupabaseClient = class _SecureSupabaseClient {
         return target[prop];
       }
     });
+    markClientAsSecure(proxiedClient);
+    return proxiedClient;
+  }
+  /**
+   * Get the set of parameter names that an RPC function accepts.
+   * Uses a static whitelist of RPCs that we know accept context parameters.
+   * 
+   * This is an opt-in approach: by default, we don't inject context unless
+   * the function is explicitly whitelisted. This prevents PGRST202 errors from
+   * injecting unexpected parameters.
+   * 
+   * @param fn - The RPC function name
+   * @returns Set of parameter names the function accepts
+   */
+  getRpcAcceptedParams(fn) {
+    if (_SecureSupabaseClient.rpcSignatureCache.has(fn)) {
+      return _SecureSupabaseClient.rpcSignatureCache.get(fn);
+    }
+    const rpcContextWhitelist = {
+      // RPCs that accept all three context parameters
+      "rbac_roles_list": /* @__PURE__ */ new Set(["p_organisation_id", "p_event_id", "p_app_id"]),
+      // RPCs that accept only p_organisation_id (not p_app_id or p_event_id)
+      "data_file_reference_by_category_list": /* @__PURE__ */ new Set(["p_organisation_id"])
+      // Add more RPCs here as we discover them
+      // Format: 'function_name': new Set(['p_organisation_id', 'p_event_id', 'p_app_id']),
+    };
+    const acceptedParams = rpcContextWhitelist[fn] || /* @__PURE__ */ new Set();
+    _SecureSupabaseClient.rpcSignatureCache.set(fn, acceptedParams);
+    return acceptedParams;
   }
 };
+// Cache for RPC function signatures to avoid repeated database queries
+// Maps function name -> Set of parameter names it accepts
+_SecureSupabaseClient.rpcSignatureCache = /* @__PURE__ */ new Map();
+/**
+ * RPC functions that are safe to call without organisation context.
+ *
+ * These functions must:
+ * - rely on JWT context (auth.uid()) for authentication
+ * - not read or write organisation-scoped data
+ *
+ * This allowlist enables compliant consuming apps to use `secureSupabase.rpc(...)`
+ * even before an organisation is selected (common during initial page load/refresh).
+ */
+_SecureSupabaseClient.GLOBAL_RPC_ALLOWLIST = /* @__PURE__ */ new Set([
+  "data_rbac_apps_list"
+]);
+var SecureSupabaseClient = _SecureSupabaseClient;
 function createSecureClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin = false) {
   return new SecureSupabaseClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin);
 }
-function fromSupabaseClient(client, organisationId, eventId, appId) {
-  throw new Error("fromSupabaseClient is not supported. Use createSecureClient instead.");
+function fromSupabaseClient(client, organisationId, eventId, appId, isSuperAdmin = false) {
+  return new SecureSupabaseClient("", "", organisationId, eventId, appId, isSuperAdmin, client);
+}
+
+// src/rbac/hooks/useResolvedScope.ts
+import { useEffect, useState, useRef, useMemo } from "react";
+var log = createLogger("useResolvedScope");
+var appIdCache = /* @__PURE__ */ new Map();
+var CACHE_TTL = 5 * 60 * 1e3;
+function useResolvedScope({
+  supabase,
+  selectedOrganisationId,
+  selectedEventId
+}) {
+  const [resolvedScope, setResolvedScope] = useState(null);
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const stableScopeRef = useRef({
+    organisationId: "",
+    appId: "",
+    eventId: void 0
+  });
+  useEffect(() => {
+    if (resolvedScope) {
+      const newScope = {
+        organisationId: resolvedScope.organisationId || "",
+        appId: resolvedScope.appId || "",
+        eventId: resolvedScope.eventId
+      };
+      if (stableScopeRef.current.organisationId !== newScope.organisationId || stableScopeRef.current.eventId !== newScope.eventId || stableScopeRef.current.appId !== newScope.appId) {
+        stableScopeRef.current = {
+          organisationId: newScope.organisationId,
+          appId: newScope.appId,
+          eventId: newScope.eventId
+        };
+      }
+    } else {
+      stableScopeRef.current = { organisationId: "", appId: "", eventId: void 0 };
+    }
+  }, [resolvedScope]);
+  const appName = getCurrentAppName();
+  const stableScope = stableScopeRef.current;
+  useEffect(() => {
+    let cancelled = false;
+    const resolveScope = async () => {
+      if (!supabase && !selectedOrganisationId && !selectedEventId) {
+        if (!cancelled) {
+          setResolvedScope(null);
+          setIsLoading(false);
+          setError(null);
+        }
+        return;
+      }
+      setIsLoading(true);
+      setError(null);
+      try {
+        const appName2 = getCurrentAppName();
+        let appId = void 0;
+        if (supabase && appName2) {
+          try {
+            const { data: session } = await supabase.auth.getSession();
+            if (!session?.session) {
+              log.debug(`Skipping app resolution for "${appName2}" - user not authenticated`);
+            } else {
+              const cached = appIdCache.get(appName2);
+              const now = Date.now();
+              if (cached && now - cached.timestamp < CACHE_TTL) {
+                appId = cached.appId;
+              } else {
+                const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName2).eq("is_active", true).single();
+                if (error2) {
+                  if (error2.code === "406" || error2.code === "PGRST116" || error2.message?.includes("406")) {
+                    log.debug(`App resolution blocked by RLS for "${appName2}" - user may not be authenticated`);
+                    appId = void 0;
+                  } else {
+                    const { data: inactiveApp } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName2).single();
+                    if (inactiveApp) {
+                      log.error(`App "${appName2}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
+                      appId = void 0;
+                    } else {
+                      log.error(`App "${appName2}" not found in rbac_apps table`, { error: error2 });
+                      appId = void 0;
+                    }
+                  }
+                } else if (app) {
+                  appId = app.id;
+                  appIdCache.set(appName2, { appId, timestamp: now });
+                }
+              }
+            }
+          } catch (error2) {
+            const errorMessage = error2 instanceof Error ? error2.message : String(error2);
+            if (!errorMessage.includes("406") && !errorMessage.includes("PGRST116")) {
+              log.error("Unexpected error resolving app ID:", error2);
+            } else {
+              log.debug("App resolution skipped - authentication required");
+            }
+          }
+        }
+        const initialScope = {
+          organisationId: selectedOrganisationId || void 0,
+          eventId: selectedEventId || void 0,
+          appId
+        };
+        if (appName2 === "PORTAL" || appName2 === "ADMIN") {
+          if (!cancelled) {
+            const optionalContextScope = {
+              organisationId: void 0,
+              eventId: void 0,
+              appId: appId || void 0
+            };
+            setResolvedScope(optionalContextScope);
+            setError(null);
+            setIsLoading(false);
+          }
+          return;
+        }
+        const { ContextValidator: ContextValidator2 } = await import("./contextValidator-3JNZKUTX.js");
+        const validation = await ContextValidator2.resolveScopeForPage(
+          initialScope,
+          "organisation",
+          // Default to organisation scope when no page context
+          appName2 || void 0,
+          supabase
+        );
+        if (!validation.isValid) {
+          if (selectedEventId) {
+            if (!cancelled) {
+              const eventScope = {
+                organisationId: void 0,
+                // Will be derived from event during permission check
+                eventId: selectedEventId,
+                appId: appId || void 0
+              };
+              setResolvedScope(eventScope);
+              setError(null);
+              setIsLoading(false);
+            }
+            return;
+          }
+          if (!cancelled) {
+            setResolvedScope(null);
+            setError(validation.error || new Error("Context validation failed"));
+            setIsLoading(false);
+          }
+          return;
+        }
+        if (!cancelled) {
+          setResolvedScope(validation.resolvedScope);
+          setError(null);
+          setIsLoading(false);
+        }
+      } catch (err) {
+        if (!cancelled) {
+          setError(err);
+          setIsLoading(false);
+        }
+      }
+    };
+    resolveScope();
+    return () => {
+      cancelled = true;
+    };
+  }, [selectedOrganisationId, selectedEventId, supabase]);
+  const allowsOptionalContexts = appName === "PORTAL" || appName === "ADMIN";
+  const hasValidScope = allowsOptionalContexts ? true : stableScope.appId || stableScope.organisationId;
+  const finalScope = useMemo(() => {
+    if (!hasValidScope) {
+      return allowsOptionalContexts ? {} : null;
+    }
+    const scope = {};
+    if (stableScope.organisationId) {
+      scope.organisationId = stableScope.organisationId;
+    }
+    if (stableScope.eventId) {
+      scope.eventId = stableScope.eventId;
+    }
+    if (stableScope.appId) {
+      scope.appId = stableScope.appId;
+    }
+    return scope;
+  }, [hasValidScope, allowsOptionalContexts, stableScope.organisationId, stableScope.eventId, stableScope.appId]);
+  return {
+    resolvedScope: finalScope,
+    isLoading,
+    error
+  };
 }
 
 // src/rbac/hooks/useRBAC.ts
-import { useState, useEffect, useCallback, useMemo } from "react";
+import { useState as useState2, useEffect as useEffect2, useCallback, useMemo as useMemo2 } from "react";
 function mapAccessLevelToEventRole(level) {
   switch (level) {
     case "viewer":
@@ -285,7 +638,6 @@ function useRBAC(pageId) {
     session,
     supabase,
     appName,
-    appConfig,
     appId: contextAppId,
     selectedOrganisation,
     isContextReady: orgContextReady,
@@ -293,13 +645,13 @@ function useRBAC(pageId) {
     selectedEvent,
     eventLoading
   } = useUnifiedAuth();
-  const [globalRole, setGlobalRole] = useState(null);
-  const [organisationRole, setOrganisationRole] = useState(null);
-  const [eventAppRole, setEventAppRole] = useState(null);
-  const [permissionMap, setPermissionMap] = useState({});
-  const [currentScope, setCurrentScope] = useState(null);
-  const [isLoading, setIsLoading] = useState(false);
-  const [error, setError] = useState(null);
+  const [globalRole, setGlobalRole] = useState2(null);
+  const [organisationRole, setOrganisationRole] = useState2(null);
+  const [eventAppRole, setEventAppRole] = useState2(null);
+  const [permissionMap, setPermissionMap] = useState2({});
+  const [currentScope, setCurrentScope] = useState2(null);
+  const [isLoading, setIsLoading] = useState2(false);
+  const [error, setError] = useState2(null);
   const resetState = useCallback(() => {
     setGlobalRole(null);
     setOrganisationRole(null);
@@ -314,20 +666,15 @@ function useRBAC(pageId) {
       return;
     }
     const initialScope = {
-      organisationId: appConfig?.requires_event ? selectedEvent?.organisation_id || selectedOrganisation?.id : selectedOrganisation?.id,
+      organisationId: selectedEvent?.organisation_id || selectedOrganisation?.id || void 0,
       eventId: selectedEvent?.event_id || void 0,
       appId: void 0
     };
-    const contextReady = ContextValidator.isContextReady(
-      initialScope,
-      appConfig,
-      appName,
-      !!selectedEvent,
-      !!selectedOrganisation
-    );
-    if (appName !== "PORTAL" && appName !== "ADMIN" && !contextReady) {
-      setIsLoading(true);
-      return;
+    if (appName !== "PORTAL" && appName !== "ADMIN") {
+      if (!selectedOrganisation && !selectedEvent) {
+        setIsLoading(true);
+        return;
+      }
     }
     setIsLoading(true);
     setError(null);
@@ -338,11 +685,6 @@ function useRBAC(pageId) {
           const resolved = await resolveAppContext({ userId: user.id, appName });
           if (!resolved) {
             if (appName === "PORTAL" || appName === "ADMIN") {
-              try {
-                const { getAppConfigByName } = await import("./api-N774RPUA.js");
-                await getAppConfigByName(appName);
-              } catch (err) {
-              }
             } else {
               throw new Error(`User does not have access to app "${appName}"`);
             }
@@ -372,9 +714,20 @@ function useRBAC(pageId) {
         ...initialScope,
         appId: appId || contextAppId
       };
-      const validation = await ContextValidator.resolveRequiredContext(
+      let pageScopeType = "organisation";
+      if (pageId && scope.appId) {
+        try {
+          pageScopeType = await getPageScopeType(pageId, scope.appId, appName);
+        } catch (error2) {
+          logger2.warn("[useRBAC] Failed to get page scope type, defaulting to organisation", {
+            pageId,
+            error: error2 instanceof Error ? error2.message : String(error2)
+          });
+        }
+      }
+      const validation = await ContextValidator.resolveScopeForPage(
         scope,
-        appConfig,
+        pageScopeType,
         appName,
         supabase || null
       );
@@ -384,9 +737,9 @@ function useRBAC(pageId) {
       const resolvedScope = validation.resolvedScope;
       setCurrentScope(resolvedScope);
       const [map, roleContext, accessLevel] = await Promise.all([
-        getPermissionMap({ userId: user.id, scope: resolvedScope }, appConfig, appName),
-        getRoleContext({ userId: user.id, scope: resolvedScope }, appConfig, appName),
-        getAccessLevel({ userId: user.id, scope: resolvedScope }, appConfig, appName)
+        getPermissionMap({ userId: user.id, scope: resolvedScope }),
+        getRoleContext({ userId: user.id, scope: resolvedScope }),
+        getAccessLevel({ userId: user.id, scope: resolvedScope })
       ]);
       setPermissionMap(map);
       setGlobalRole(roleContext.globalRole);
@@ -408,7 +761,7 @@ function useRBAC(pageId) {
     } finally {
       setIsLoading(false);
     }
-  }, [appName, logger2, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user, eventLoading, appConfig, orgContextReady, orgLoading]);
+  }, [appName, logger2, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user, eventLoading, orgContextReady, orgLoading]);
   const hasGlobalPermission = useCallback(
     (permission) => {
       if (globalRole === "super_admin" || permissionMap["*"]) {
@@ -424,14 +777,14 @@ function useRBAC(pageId) {
     },
     [globalRole, organisationRole, permissionMap]
   );
-  const isSuperAdmin = useMemo(() => globalRole === "super_admin" || permissionMap["*"] === true, [globalRole, permissionMap]);
-  const isOrgAdmin = useMemo(() => organisationRole === "org_admin" || isSuperAdmin, [organisationRole, isSuperAdmin]);
-  const isEventAdmin = useMemo(() => eventAppRole === "event_admin" || isSuperAdmin, [eventAppRole, isSuperAdmin]);
-  const canManageOrganisation = useMemo(() => isSuperAdmin || organisationRole === "org_admin", [isSuperAdmin, organisationRole]);
-  const canManageEvent = useMemo(() => isSuperAdmin || eventAppRole === "event_admin", [isSuperAdmin, eventAppRole]);
-  useEffect(() => {
+  const isSuperAdmin = useMemo2(() => globalRole === "super_admin" || permissionMap["*"] === true, [globalRole, permissionMap]);
+  const isOrgAdmin = useMemo2(() => organisationRole === "org_admin" || isSuperAdmin, [organisationRole, isSuperAdmin]);
+  const isEventAdmin = useMemo2(() => eventAppRole === "event_admin" || isSuperAdmin, [eventAppRole, isSuperAdmin]);
+  const canManageOrganisation = useMemo2(() => isSuperAdmin || organisationRole === "org_admin", [isSuperAdmin, organisationRole]);
+  const canManageEvent = useMemo2(() => isSuperAdmin || eventAppRole === "event_admin", [isSuperAdmin, eventAppRole]);
+  useEffect2(() => {
     loadRBACContext();
-  }, [loadRBACContext, appName, appConfig, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
+  }, [loadRBACContext, appName, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
   return {
     user,
     globalRole,
@@ -448,197 +801,191 @@ function useRBAC(pageId) {
   };
 }
 
-// src/rbac/hooks/usePermissions.ts
-import { useState as useState2, useEffect as useEffect2, useCallback as useCallback2, useMemo as useMemo2, useRef } from "react";
-
-// src/rbac/utils/deep-equal.ts
-function scopeEqual(a, b) {
-  if (a === b) {
-    return true;
-  }
-  if (a == null || b == null) {
-    return a === b;
+// src/rbac/hooks/permissions/useAccessLevel.ts
+import { useCallback as useCallback2, useEffect as useEffect3, useMemo as useMemo3, useState as useState3 } from "react";
+function useAccessLevel(userId, scope) {
+  const [accessLevel, setAccessLevel] = useState3("viewer");
+  const [isLoading, setIsLoading] = useState3(true);
+  const [error, setError] = useState3(null);
+  let appName;
+  try {
+    const { appName: contextAppName } = useAppConfig();
+    appName = contextAppName;
+  } catch {
   }
-  return a.organisationId === b.organisationId && a.eventId === b.eventId && a.appId === b.appId;
-}
-
-// src/rbac/hooks/usePermissions.ts
-function usePermissions(userId, organisationId, eventId, appId) {
-  const [permissions, setPermissions] = useState2({});
-  const [isLoading, setIsLoading] = useState2(true);
-  const [error, setError] = useState2(null);
-  const [fetchTrigger, setFetchTrigger] = useState2(0);
-  const isFetchingRef = useRef(false);
-  const logger2 = getRBACLogger();
-  const prevValuesRef = useRef({ userId, organisationId, eventId, appId });
-  const orgId = organisationId || "";
-  useEffect2(() => {
+  const fetchAccessLevel = useCallback2(async () => {
     if (!userId) {
+      setAccessLevel("viewer");
+      setIsLoading(false);
       return;
     }
-    if (!orgId || orgId === null || typeof orgId === "string" && orgId.trim() === "") {
-      const timeoutId = setTimeout(() => {
-        setError(new Error("Organisation context is required for permission checks"));
-        setIsLoading(false);
-      }, 3e3);
-      return () => clearTimeout(timeoutId);
-    }
-    if (error?.message === "Organisation context is required for permission checks") {
+    try {
+      setIsLoading(true);
       setError(null);
-    }
-  }, [userId, organisationId, error, orgId]);
-  useEffect2(() => {
-    const paramsChanged = prevValuesRef.current.userId !== userId || prevValuesRef.current.organisationId !== organisationId || prevValuesRef.current.eventId !== eventId || prevValuesRef.current.appId !== appId;
-    if (paramsChanged) {
-      if (prevValuesRef.current.appId !== appId) {
-      }
-      prevValuesRef.current = { userId, organisationId, eventId, appId };
-      setFetchTrigger((prev) => prev + 1);
-    }
-  }, [userId, organisationId, eventId, appId, logger2]);
-  useEffect2(() => {
-    const fetchPermissions = async () => {
-      if (isFetchingRef.current) {
-        return;
-      }
-      if (!userId) {
-        setPermissions({});
+      const { isSuperAdmin: checkSuperAdmin } = await import("./api-IAGWF3ZG.js");
+      const isSuperAdminUser = await checkSuperAdmin(userId);
+      if (isSuperAdminUser) {
+        setAccessLevel("super");
         setIsLoading(false);
         return;
       }
-      if (!userId) {
-        setPermissions({});
+      if (appName !== "PORTAL" && appName !== "ADMIN" && !scope.organisationId && !scope.eventId) {
+        const orgError = new OrganisationContextRequiredError();
+        setError(orgError);
+        setAccessLevel("viewer");
         setIsLoading(false);
         return;
       }
-      if (!orgId || orgId === null || typeof orgId === "string" && orgId.trim() === "") {
-        setIsLoading(true);
-        setError(null);
-        return;
-      }
-      try {
-        isFetchingRef.current = true;
-        setIsLoading(true);
-        setError(null);
-        const scope = {
-          organisationId: orgId,
-          eventId,
-          appId
-        };
-        const permissionMap = await getPermissionMap({ userId, scope });
-        const permissionCount = Object.keys(permissionMap).length;
-        if (permissionCount === 0 && Object.keys(permissions).length > 0) {
-          logger2.warn("[usePermissions] Permissions fetched but returned empty map", {
-            scope: { organisationId: orgId, eventId, appId }
-          });
-        }
-        setPermissions(permissionMap);
-      } catch (err) {
-        logger2.error("[usePermissions] Failed to fetch permissions:", err);
-        setError(err instanceof Error ? err : new Error("Failed to fetch permissions"));
-      } finally {
-        setIsLoading(false);
-        isFetchingRef.current = false;
-      }
-    };
-    fetchPermissions();
-  }, [fetchTrigger, userId, organisationId, eventId, appId]);
-  const hasPermission = useCallback2((permission) => {
-    if (permissions["*"]) {
-      return true;
-    }
-    return permissions[permission] === true;
-  }, [permissions]);
-  const hasAnyPermission = useCallback2((permissionList) => {
-    if (permissions["*"]) {
-      return true;
-    }
-    return permissionList.some((p) => permissions[p] === true);
-  }, [permissions]);
-  const hasAllPermissions = useCallback2((permissionList) => {
-    if (permissions["*"]) {
-      return true;
-    }
-    return permissionList.every((p) => permissions[p] === true);
-  }, [permissions]);
-  const refetch = useCallback2(async () => {
-    if (isFetchingRef.current) {
-      return;
+      const level = await getAccessLevel({ userId, scope }, appName);
+      setAccessLevel(level);
+    } catch (err) {
+      const error2 = err instanceof Error ? err : new Error("Failed to fetch access level");
+      setError(error2);
+      setAccessLevel("viewer");
+    } finally {
+      setIsLoading(false);
     }
+  }, [userId, scope.organisationId, scope.eventId, scope.appId, appName]);
+  useEffect3(() => {
+    fetchAccessLevel();
+  }, [fetchAccessLevel]);
+  return useMemo3(() => ({
+    accessLevel,
+    isLoading,
+    error,
+    refetch: fetchAccessLevel
+  }), [accessLevel, isLoading, error, fetchAccessLevel]);
+}
+
+// src/rbac/hooks/permissions/useCachedPermissions.ts
+import { useCallback as useCallback3, useEffect as useEffect4, useMemo as useMemo4, useState as useState4 } from "react";
+function useCachedPermissions(userId, scope) {
+  const [permissions, setPermissions] = useState4({});
+  const [isLoading, setIsLoading] = useState4(true);
+  const [error, setError] = useState4(null);
+  const fetchCachedPermissions = useCallback3(async () => {
     if (!userId) {
       setPermissions({});
       setIsLoading(false);
       return;
     }
-    if (!orgId || orgId === null || typeof orgId === "string" && orgId.trim() === "") {
-      setIsLoading(true);
-      setError(null);
-      return;
-    }
     try {
-      isFetchingRef.current = true;
       setIsLoading(true);
       setError(null);
-      const scope = {
-        organisationId: orgId,
-        eventId,
-        appId
-      };
       const permissionMap = await getPermissionMap({ userId, scope });
       setPermissions(permissionMap);
     } catch (err) {
-      const logger3 = getRBACLogger();
-      logger3.error("Failed to refetch permissions:", err);
-      setError(err instanceof Error ? err : new Error("Failed to fetch permissions"));
+      setError(err instanceof Error ? err : new Error("Failed to fetch cached permissions"));
     } finally {
       setIsLoading(false);
-      isFetchingRef.current = false;
     }
-  }, [userId, organisationId, eventId, appId]);
-  return useMemo2(() => ({
+  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
+  const invalidateCache = useCallback3(() => {
+    fetchCachedPermissions();
+  }, [fetchCachedPermissions]);
+  useEffect4(() => {
+    fetchCachedPermissions();
+  }, [fetchCachedPermissions]);
+  return useMemo4(() => ({
     permissions,
     isLoading,
     error,
-    hasPermission,
-    hasAnyPermission,
-    hasAllPermissions,
-    refetch
-  }), [permissions, isLoading, error, hasPermission, hasAnyPermission, hasAllPermissions, refetch]);
+    invalidateCache,
+    refetch: fetchCachedPermissions
+  }), [permissions, isLoading, error, invalidateCache, fetchCachedPermissions]);
 }
-function useCan(userId, scope, permission, pageId, useCache = true, appName) {
-  const [can, setCan] = useState2(false);
-  const [isLoading, setIsLoading] = useState2(true);
-  const [error, setError] = useState2(null);
-  const [isSuperAdmin, setIsSuperAdmin] = useState2(null);
+
+// src/rbac/hooks/permissions/useCan.ts
+import { useCallback as useCallback4, useEffect as useEffect5, useMemo as useMemo5, useRef as useRef2, useState as useState5 } from "react";
+
+// src/rbac/utils/deep-equal.ts
+function scopeEqual(a, b) {
+  if (a === b) {
+    return true;
+  }
+  if (a == null || b == null) {
+    return a === b;
+  }
+  return a.organisationId === b.organisationId && a.eventId === b.eventId && a.appId === b.appId;
+}
+
+// src/rbac/hooks/permissions/useCan.ts
+function useCan(userId, scope, permission, pageId, useCache = true, precomputedSuperAdmin = null, appName) {
+  const [isSuperAdmin, setIsSuperAdmin] = useState5(precomputedSuperAdmin ?? null);
+  const initialCan = precomputedSuperAdmin === true ? true : false;
+  const initialIsLoading = precomputedSuperAdmin === true ? false : true;
+  const [can, setCan] = useState5(initialCan);
+  const [isLoading, setIsLoading] = useState5(initialIsLoading);
+  const [error, setError] = useState5(null);
   const isValidScope = scope && typeof scope === "object";
   const organisationId = isValidScope ? scope.organisationId : void 0;
   const eventId = isValidScope ? scope.eventId : void 0;
   const appId = isValidScope ? scope.appId : void 0;
-  useEffect2(() => {
-    if (!userId) {
+  useEffect5(() => {
+    if (precomputedSuperAdmin === true && isSuperAdmin !== true) {
+      setIsSuperAdmin(true);
+      setCan(true);
+      setIsLoading(false);
+      setError(null);
+    } else if (precomputedSuperAdmin === false && isSuperAdmin !== false) {
       setIsSuperAdmin(false);
-      return;
     }
-    let cancelled = false;
-    const checkSuperAdmin = async () => {
-      try {
-        const { isSuperAdmin: checkSuperAdmin2 } = await import("./api-N774RPUA.js");
-        const isSuper = await checkSuperAdmin2(userId);
-        if (!cancelled) {
-          setIsSuperAdmin(isSuper);
-        }
-      } catch (err) {
-        if (!cancelled) {
-          setIsSuperAdmin(false);
-        }
+  }, [precomputedSuperAdmin, isSuperAdmin]);
+  useEffect5(() => {
+    if (precomputedSuperAdmin === null) {
+      if (!userId) {
+        setIsSuperAdmin(false);
+        return;
       }
-    };
-    checkSuperAdmin();
-    return () => {
-      cancelled = true;
-    };
-  }, [userId]);
-  useEffect2(() => {
+      let cancelled = false;
+      const checkSuperAdmin = async () => {
+        const startTime = Date.now();
+        try {
+          const { isSuperAdmin: checkSuperAdmin2 } = await import("./api-IAGWF3ZG.js");
+          const timeoutWarning = setTimeout(() => {
+            if (!cancelled) {
+              console.warn("[useCan] Super admin check taking longer than 5 seconds", {
+                userId,
+                elapsedMs: Date.now() - startTime
+              });
+            }
+          }, 5e3);
+          const isSuper = await checkSuperAdmin2(userId);
+          clearTimeout(timeoutWarning);
+          if (!cancelled) {
+            const elapsed = Date.now() - startTime;
+            if (elapsed > 1e3) {
+              console.warn("[useCan] Super admin check took longer than expected", {
+                userId,
+                elapsedMs: elapsed
+              });
+            }
+            setIsSuperAdmin(isSuper);
+            if (isSuper) {
+              setCan(true);
+              setIsLoading(false);
+              setError(null);
+            }
+          }
+        } catch (err) {
+          if (!cancelled) {
+            const elapsed = Date.now() - startTime;
+            console.error("[useCan] Error checking super admin", {
+              userId,
+              error: err,
+              elapsedMs: elapsed
+            });
+            setIsSuperAdmin(false);
+          }
+        }
+      };
+      checkSuperAdmin();
+      return () => {
+        cancelled = true;
+      };
+    }
+  }, [userId, precomputedSuperAdmin]);
+  useEffect5(() => {
     const isPagePermission = permission.includes(":page.") || !!pageId;
     const requiresOrgId = !isPagePermission;
     if (isSuperAdmin === true) {
@@ -656,12 +1003,13 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
       setError(null);
     }
   }, [isValidScope, organisationId, error, permission, pageId, isSuperAdmin]);
-  const lastUserIdRef = useRef(null);
-  const lastScopeRef = useRef(null);
-  const lastPermissionRef = useRef(null);
-  const lastPageIdRef = useRef(null);
-  const lastUseCacheRef = useRef(null);
-  const stableScope = useMemo2(() => {
+  const lastUserIdRef = useRef2(null);
+  const lastScopeRef = useRef2(null);
+  const lastPermissionRef = useRef2(null);
+  const lastPageIdRef = useRef2(null);
+  const lastUseCacheRef = useRef2(null);
+  const lastIsSuperAdminRef = useRef2(null);
+  const stableScope = useMemo5(() => {
     if (!isValidScope) {
       return null;
     }
@@ -671,10 +1019,12 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
       appId
     };
   }, [isValidScope, organisationId, eventId, appId]);
-  const prevScopeRef = useRef(null);
-  useEffect2(() => {
+  const prevScopeRef = useRef2(null);
+  useEffect5(() => {
     const scopeChanged = !scopeEqual(prevScopeRef.current, stableScope);
-    if (lastUserIdRef.current !== userId || scopeChanged || lastPermissionRef.current !== permission || lastPageIdRef.current !== pageId || lastUseCacheRef.current !== useCache) {
+    const isSuperAdminChanged = lastIsSuperAdminRef.current !== isSuperAdmin;
+    if (lastUserIdRef.current !== userId || scopeChanged || lastPermissionRef.current !== permission || lastPageIdRef.current !== pageId || lastUseCacheRef.current !== useCache || isSuperAdminChanged) {
+      lastIsSuperAdminRef.current = isSuperAdmin;
       lastUserIdRef.current = userId;
       prevScopeRef.current = stableScope;
       lastPermissionRef.current = permission;
@@ -683,7 +1033,19 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
       const checkPermission = async () => {
         if (!userId) {
           setCan(false);
-          setIsLoading(false);
+          setIsLoading(false);
+          return;
+        }
+        if (isSuperAdmin === true) {
+          setCan(true);
+          setIsLoading(false);
+          setError(null);
+          return;
+        }
+        if (isSuperAdmin === null) {
+          setIsLoading(true);
+          setCan(false);
+          setError(null);
           return;
         }
         if (!isValidScope) {
@@ -697,13 +1059,10 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
         const isPageName = pageId && typeof pageId === "string" && !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(pageId);
         const needsAppIdForPageName = isPagePermission && isPageName;
         if (requiresOrgId && (!organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
-          if (isSuperAdmin === true) {
-          } else {
-            setIsLoading(true);
-            setCan(false);
-            setError(null);
-            return;
-          }
+          setIsLoading(true);
+          setCan(false);
+          setError(null);
+          return;
         }
         if (needsAppIdForPageName && (!appId || appId === null || typeof appId === "string" && appId.trim() === "")) {
           setIsLoading(true);
@@ -719,11 +1078,12 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
             ...eventId ? { eventId } : {},
             ...appId ? { appId } : {}
           };
-          const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, void 0, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, void 0, appName);
+          const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, appName, isSuperAdmin === false ? false : null);
           setCan(result);
         } catch (err) {
           const logger2 = getRBACLogger();
           logger2.error("Permission check error:", { permission, error: err });
+          console.error("[useCan] Permission check error", { userId, permission, error: err });
           setError(err instanceof Error ? err : new Error("Failed to check permission"));
           setCan(false);
         } finally {
@@ -733,7 +1093,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
       checkPermission();
     }
   }, [userId, stableScope, permission, pageId, useCache, appName, isSuperAdmin]);
-  const refetch = useCallback2(async () => {
+  const refetch = useCallback4(async () => {
     if (!userId) {
       setCan(false);
       setIsLoading(false);
@@ -761,7 +1121,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
         ...eventId ? { eventId } : {},
         ...appId ? { appId } : {}
       };
-      const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, void 0, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, void 0, appName);
+      const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, appName, null);
       setCan(result);
     } catch (err) {
       setError(err instanceof Error ? err : new Error("Failed to check permission"));
@@ -770,107 +1130,63 @@ function useCan(userId, scope, permission, pageId, useCache = true, appName) {
       setIsLoading(false);
     }
   }, [userId, isValidScope, organisationId, eventId, appId, permission, pageId, useCache, appName]);
-  return useMemo2(() => ({
+  return useMemo5(() => ({
     can,
     isLoading,
     error,
     refetch
   }), [can, isLoading, error, refetch]);
 }
-function useAccessLevel(userId, scope) {
-  const [accessLevel, setAccessLevel] = useState2("viewer");
-  const [isLoading, setIsLoading] = useState2(true);
-  const [error, setError] = useState2(null);
-  let appName;
-  try {
-    const { appName: contextAppName } = useAppConfig();
-    appName = contextAppName;
-  } catch {
-  }
-  const fetchAccessLevel = useCallback2(async () => {
-    if (!userId) {
-      setAccessLevel("viewer");
-      setIsLoading(false);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      const { isSuperAdmin: checkSuperAdmin } = await import("./api-N774RPUA.js");
-      const isSuperAdminUser = await checkSuperAdmin(userId);
-      if (isSuperAdminUser) {
-        setAccessLevel("super");
-        setIsLoading(false);
-        return;
-      }
-      if (appName !== "PORTAL" && appName !== "ADMIN" && !scope.organisationId && !scope.eventId) {
-        const orgError = new OrganisationContextRequiredError();
-        setError(orgError);
-        setAccessLevel("viewer");
-        setIsLoading(false);
-        return;
-      }
-      const level = await getAccessLevel({ userId, scope }, null, appName);
-      setAccessLevel(level);
-    } catch (err) {
-      const error2 = err instanceof Error ? err : new Error("Failed to fetch access level");
-      setError(error2);
-      setAccessLevel("viewer");
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId, appName]);
-  useEffect2(() => {
-    fetchAccessLevel();
-  }, [fetchAccessLevel]);
-  return useMemo2(() => ({
-    accessLevel,
-    isLoading,
-    error,
-    refetch: fetchAccessLevel
-  }), [accessLevel, isLoading, error, fetchAccessLevel]);
-}
-function useMultiplePermissions(userId, scope, permissions, useCache = true) {
-  const [results, setResults] = useState2({});
-  const [isLoading, setIsLoading] = useState2(true);
-  const [error, setError] = useState2(null);
-  const checkPermissions = useCallback2(async () => {
+
+// src/rbac/hooks/permissions/useHasAllPermissions.ts
+import { useCallback as useCallback5, useEffect as useEffect6, useMemo as useMemo6, useState as useState6 } from "react";
+function useHasAllPermissions(userId, scope, permissions, useCache = true) {
+  const [hasAll, setHasAll] = useState6(false);
+  const [isLoading, setIsLoading] = useState6(true);
+  const [error, setError] = useState6(null);
+  const checkAllPermissions = useCallback5(async () => {
     if (!userId || permissions.length === 0) {
-      setResults({});
+      setHasAll(false);
       setIsLoading(false);
       return;
     }
     try {
       setIsLoading(true);
       setError(null);
-      const permissionResults = {};
+      let hasAllPermissions = true;
       for (const permission of permissions) {
         const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission });
-        permissionResults[permission] = result;
+        if (!result) {
+          hasAllPermissions = false;
+          break;
+        }
       }
-      setResults(permissionResults);
+      setHasAll(hasAllPermissions);
     } catch (err) {
       setError(err instanceof Error ? err : new Error("Failed to check permissions"));
-      setResults({});
+      setHasAll(false);
     } finally {
       setIsLoading(false);
     }
   }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect2(() => {
-    checkPermissions();
-  }, [checkPermissions]);
-  return useMemo2(() => ({
-    results,
+  useEffect6(() => {
+    checkAllPermissions();
+  }, [checkAllPermissions]);
+  return useMemo6(() => ({
+    hasAll,
     isLoading,
     error,
-    refetch: checkPermissions
-  }), [results, isLoading, error, checkPermissions]);
+    refetch: checkAllPermissions
+  }), [hasAll, isLoading, error, checkAllPermissions]);
 }
+
+// src/rbac/hooks/permissions/useHasAnyPermission.ts
+import { useCallback as useCallback6, useEffect as useEffect7, useMemo as useMemo7, useState as useState7 } from "react";
 function useHasAnyPermission(userId, scope, permissions, useCache = true) {
-  const [hasAny, setHasAny] = useState2(false);
-  const [isLoading, setIsLoading] = useState2(true);
-  const [error, setError] = useState2(null);
-  const checkAnyPermission = useCallback2(async () => {
+  const [hasAny, setHasAny] = useState7(false);
+  const [isLoading, setIsLoading] = useState7(true);
+  const [error, setError] = useState7(null);
+  const checkAnyPermission = useCallback6(async () => {
     if (!userId || permissions.length === 0) {
       setHasAny(false);
       setIsLoading(false);
@@ -895,93 +1211,203 @@ function useHasAnyPermission(userId, scope, permissions, useCache = true) {
       setIsLoading(false);
     }
   }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect2(() => {
+  useEffect7(() => {
     checkAnyPermission();
   }, [checkAnyPermission]);
-  return useMemo2(() => ({
+  return useMemo7(() => ({
     hasAny,
     isLoading,
     error,
     refetch: checkAnyPermission
   }), [hasAny, isLoading, error, checkAnyPermission]);
 }
-function useHasAllPermissions(userId, scope, permissions, useCache = true) {
-  const [hasAll, setHasAll] = useState2(false);
-  const [isLoading, setIsLoading] = useState2(true);
-  const [error, setError] = useState2(null);
-  const checkAllPermissions = useCallback2(async () => {
+
+// src/rbac/hooks/permissions/useMultiplePermissions.ts
+import { useCallback as useCallback7, useEffect as useEffect8, useMemo as useMemo8, useState as useState8 } from "react";
+function useMultiplePermissions(userId, scope, permissions, useCache = true) {
+  const [results, setResults] = useState8({});
+  const [isLoading, setIsLoading] = useState8(true);
+  const [error, setError] = useState8(null);
+  const checkPermissions = useCallback7(async () => {
     if (!userId || permissions.length === 0) {
-      setHasAll(false);
+      setResults({});
       setIsLoading(false);
       return;
     }
     try {
       setIsLoading(true);
       setError(null);
-      let hasAllPermissions = true;
+      const permissionResults = {};
       for (const permission of permissions) {
         const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission });
-        if (!result) {
-          hasAllPermissions = false;
-          break;
-        }
+        permissionResults[permission] = result;
       }
-      setHasAll(hasAllPermissions);
+      setResults(permissionResults);
     } catch (err) {
       setError(err instanceof Error ? err : new Error("Failed to check permissions"));
-      setHasAll(false);
+      setResults({});
     } finally {
       setIsLoading(false);
     }
   }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect2(() => {
-    checkAllPermissions();
-  }, [checkAllPermissions]);
-  return useMemo2(() => ({
-    hasAll,
+  useEffect8(() => {
+    checkPermissions();
+  }, [checkPermissions]);
+  return useMemo8(() => ({
+    results,
     isLoading,
     error,
-    refetch: checkAllPermissions
-  }), [hasAll, isLoading, error, checkAllPermissions]);
+    refetch: checkPermissions
+  }), [results, isLoading, error, checkPermissions]);
 }
-function useCachedPermissions(userId, scope) {
-  const [permissions, setPermissions] = useState2({});
-  const [isLoading, setIsLoading] = useState2(true);
-  const [error, setError] = useState2(null);
-  const fetchCachedPermissions = useCallback2(async () => {
+
+// src/rbac/hooks/permissions/usePermissions.ts
+import { useCallback as useCallback8, useEffect as useEffect9, useMemo as useMemo9, useRef as useRef3, useState as useState9 } from "react";
+function usePermissions(userId, organisationId, eventId, appId) {
+  const [permissions, setPermissions] = useState9({});
+  const [isLoading, setIsLoading] = useState9(true);
+  const [error, setError] = useState9(null);
+  const [fetchTrigger, setFetchTrigger] = useState9(0);
+  const isFetchingRef = useRef3(false);
+  const logger2 = getRBACLogger();
+  const prevValuesRef = useRef3({ userId, organisationId, eventId, appId });
+  const orgId = organisationId || "";
+  useEffect9(() => {
+    if (!userId) {
+      return;
+    }
+    if (!orgId || orgId === null || typeof orgId === "string" && orgId.trim() === "") {
+      const timeoutId = setTimeout(() => {
+        setError(new Error("Organisation context is required for permission checks"));
+        setIsLoading(false);
+      }, 3e3);
+      return () => clearTimeout(timeoutId);
+    }
+    if (error?.message === "Organisation context is required for permission checks") {
+      setError(null);
+    }
+  }, [userId, organisationId, error, orgId]);
+  useEffect9(() => {
+    const paramsChanged = prevValuesRef.current.userId !== userId || prevValuesRef.current.organisationId !== organisationId || prevValuesRef.current.eventId !== eventId || prevValuesRef.current.appId !== appId;
+    if (paramsChanged) {
+      if (prevValuesRef.current.appId !== appId) {
+      }
+      prevValuesRef.current = { userId, organisationId, eventId, appId };
+      setFetchTrigger((prev) => prev + 1);
+    }
+  }, [userId, organisationId, eventId, appId, logger2]);
+  useEffect9(() => {
+    const fetchPermissions = async () => {
+      if (isFetchingRef.current) {
+        return;
+      }
+      if (!userId) {
+        setPermissions({});
+        setIsLoading(false);
+        return;
+      }
+      if (!userId) {
+        setPermissions({});
+        setIsLoading(false);
+        return;
+      }
+      if (!orgId || orgId === null || typeof orgId === "string" && orgId.trim() === "") {
+        setIsLoading(true);
+        setError(null);
+        return;
+      }
+      try {
+        isFetchingRef.current = true;
+        setIsLoading(true);
+        setError(null);
+        const scope = {
+          organisationId: orgId,
+          eventId,
+          appId
+        };
+        const permissionMap = await getPermissionMap({ userId, scope });
+        const permissionCount = Object.keys(permissionMap).length;
+        if (permissionCount === 0 && Object.keys(permissions).length > 0) {
+          logger2.warn("[usePermissions] Permissions fetched but returned empty map", {
+            scope: { organisationId: orgId, eventId, appId }
+          });
+        }
+        setPermissions(permissionMap);
+      } catch (err) {
+        logger2.error("[usePermissions] Failed to fetch permissions:", err);
+        setError(err instanceof Error ? err : new Error("Failed to fetch permissions"));
+      } finally {
+        setIsLoading(false);
+        isFetchingRef.current = false;
+      }
+    };
+    fetchPermissions();
+  }, [fetchTrigger, userId, organisationId, eventId, appId]);
+  const hasPermission = useCallback8((permission) => {
+    if (permissions["*"]) {
+      return true;
+    }
+    return permissions[permission] === true;
+  }, [permissions]);
+  const hasAnyPermission = useCallback8((permissionList) => {
+    if (permissions["*"]) {
+      return true;
+    }
+    return permissionList.some((p) => permissions[p] === true);
+  }, [permissions]);
+  const hasAllPermissions = useCallback8((permissionList) => {
+    if (permissions["*"]) {
+      return true;
+    }
+    return permissionList.every((p) => permissions[p] === true);
+  }, [permissions]);
+  const refetch = useCallback8(async () => {
+    if (isFetchingRef.current) {
+      return;
+    }
     if (!userId) {
       setPermissions({});
       setIsLoading(false);
       return;
     }
+    if (!orgId || orgId === null || typeof orgId === "string" && orgId.trim() === "") {
+      setIsLoading(true);
+      setError(null);
+      return;
+    }
     try {
+      isFetchingRef.current = true;
       setIsLoading(true);
       setError(null);
+      const scope = {
+        organisationId: orgId,
+        eventId,
+        appId
+      };
       const permissionMap = await getPermissionMap({ userId, scope });
       setPermissions(permissionMap);
     } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to fetch cached permissions"));
+      const logger3 = getRBACLogger();
+      logger3.error("Failed to refetch permissions:", err);
+      setError(err instanceof Error ? err : new Error("Failed to fetch permissions"));
     } finally {
       setIsLoading(false);
+      isFetchingRef.current = false;
     }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
-  const invalidateCache = useCallback2(() => {
-    fetchCachedPermissions();
-  }, [fetchCachedPermissions]);
-  useEffect2(() => {
-    fetchCachedPermissions();
-  }, [fetchCachedPermissions]);
-  return useMemo2(() => ({
+  }, [userId, organisationId, eventId, appId]);
+  return useMemo9(() => ({
     permissions,
     isLoading,
     error,
-    invalidateCache,
-    refetch: fetchCachedPermissions
-  }), [permissions, isLoading, error, invalidateCache, fetchCachedPermissions]);
+    hasPermission,
+    hasAnyPermission,
+    hasAllPermissions,
+    refetch
+  }), [permissions, isLoading, error, hasPermission, hasAnyPermission, hasAllPermissions, refetch]);
 }
 
 // src/rbac/hooks/useResourcePermissions.ts
-import { useMemo as useMemo3 } from "react";
+import { useMemo as useMemo10 } from "react";
 function useResourcePermissions(resource, options = {}) {
   const { enableRead = false, requireScope = true } = options;
   const { user, supabase } = useUnifiedAuth();
@@ -1009,8 +1435,12 @@ function useResourcePermissions(resource, options = {}) {
     `create:${resource}`,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
-    true
+    true,
     // useCache
+    null,
+    // precomputedSuperAdmin - not checked yet
+    void 0
+    // appName
   );
   const { can: canUpdateResult, isLoading: updateLoading, error: updateError } = useCan(
     user?.id || "",
@@ -1018,8 +1448,12 @@ function useResourcePermissions(resource, options = {}) {
     `update:${resource}`,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
-    true
+    true,
     // useCache
+    null,
+    // precomputedSuperAdmin - not checked yet
+    void 0
+    // appName
   );
   const { can: canDeleteResult, isLoading: deleteLoading, error: deleteError } = useCan(
     user?.id || "",
@@ -1027,8 +1461,12 @@ function useResourcePermissions(resource, options = {}) {
     `delete:${resource}`,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
-    true
+    true,
     // useCache
+    null,
+    // precomputedSuperAdmin - not checked yet
+    void 0
+    // appName
   );
   const { can: canReadResult, isLoading: readLoading, error: readError } = useCan(
     user?.id || "",
@@ -1036,13 +1474,17 @@ function useResourcePermissions(resource, options = {}) {
     `read:${resource}`,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
-    true
+    true,
     // useCache
+    null,
+    // precomputedSuperAdmin - not checked yet
+    void 0
+    // appName
   );
-  const isLoading = useMemo3(() => {
+  const isLoading = useMemo10(() => {
     return scopeLoading || createLoading || updateLoading || deleteLoading || enableRead && readLoading;
   }, [scopeLoading, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
-  const error = useMemo3(() => {
+  const error = useMemo10(() => {
     if (scopeError) return scopeError;
     if (createError) return createError;
     if (updateError) return updateError;
@@ -1050,7 +1492,7 @@ function useResourcePermissions(resource, options = {}) {
     if (enableRead && readError) return readError;
     return null;
   }, [scopeError, createError, updateError, deleteError, readError, enableRead]);
-  return useMemo3(() => ({
+  return useMemo10(() => ({
     canCreate: (res) => {
       if (res !== resource) {
         return false;
@@ -1095,15 +1537,15 @@ function useResourcePermissions(resource, options = {}) {
 }
 
 // src/rbac/hooks/useRoleManagement.ts
-import { useState as useState3, useCallback as useCallback3 } from "react";
+import { useState as useState10, useCallback as useCallback9 } from "react";
 function useRoleManagement() {
   const { user, supabase } = useUnifiedAuth();
-  const [isLoading, setIsLoading] = useState3(false);
-  const [error, setError] = useState3(null);
+  const [isLoading, setIsLoading] = useState10(false);
+  const [error, setError] = useState10(null);
   if (!supabase) {
     throw new Error("useRoleManagement requires a Supabase client. Ensure UnifiedAuthProvider is configured.");
   }
-  const revokeEventAppRole = useCallback3(async (params) => {
+  const revokeEventAppRole = useCallback9(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1134,7 +1576,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id]);
-  const grantEventAppRole = useCallback3(async (params) => {
+  const grantEventAppRole = useCallback9(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1173,7 +1615,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id]);
-  const revokeRoleById = useCallback3(async (roleId) => {
+  const revokeRoleById = useCallback9(async (roleId) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1209,7 +1651,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id, supabase]);
-  const grantGlobalRole = useCallback3(async (params) => {
+  const grantGlobalRole = useCallback9(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1248,7 +1690,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id, supabase]);
-  const revokeGlobalRole = useCallback3(async (params) => {
+  const revokeGlobalRole = useCallback9(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1280,7 +1722,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id, supabase]);
-  const grantOrganisationRole = useCallback3(async (params) => {
+  const grantOrganisationRole = useCallback9(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1319,7 +1761,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id, supabase]);
-  const revokeOrganisationRole = useCallback3(async (params) => {
+  const revokeOrganisationRole = useCallback9(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1369,11 +1811,11 @@ function useRoleManagement() {
 }
 
 // src/rbac/hooks/useSecureSupabase.ts
-import { useMemo as useMemo4, useRef as useRef2 } from "react";
+import { useMemo as useMemo11, useRef as useRef4 } from "react";
 var secureClientCache = /* @__PURE__ */ new Map();
 var MAX_CACHE_SIZE = 5;
 function getCacheKey(organisationId, eventId, appId, isSuperAdmin) {
-  return `${organisationId}-${eventId || "no-event"}-${appId || "no-app"}-${isSuperAdmin ? "super" : "regular"}`;
+  return `${organisationId || "no-org"}-${eventId || "no-event"}-${appId || "no-app"}-${isSuperAdmin ? "super" : "regular"}`;
 }
 function getSupabaseConfig() {
   const getEnvVar = (key) => {
@@ -1405,19 +1847,20 @@ function useSecureSupabase(baseClient) {
     selectedOrganisationId: selectedOrganisation?.id || null,
     selectedEventId: selectedEvent?.event_id || null
   });
-  const prevContextRef = useRef2({
+  const prevContextRef = useRef4({
     organisationId: void 0,
     eventId: void 0,
     appId: void 0
   });
-  return useMemo4(() => {
+  return useMemo11(() => {
     if (eventLoading) {
       return baseClient || authSupabase || null;
     }
     const organisationId = resolvedScope?.organisationId;
     const eventId = resolvedScope?.eventId || selectedEvent?.event_id;
     const appId = resolvedScope?.appId;
-    if (organisationId && user?.id) {
+    const canCreateSecureClient = user?.id && (isSuperAdmin || organisationId);
+    if (canCreateSecureClient) {
       prevContextRef.current = { organisationId, eventId, appId };
       const cacheKey = getCacheKey(organisationId, eventId, appId, isSuperAdmin);
       const cachedClient = secureClientCache.get(cacheKey);
@@ -1432,11 +1875,19 @@ function useSecureSupabase(baseClient) {
         return baseClient || authSupabase || null;
       }
       try {
-        const secureClient = createSecureClient(
+        const effectiveOrganisationId = isSuperAdmin ? organisationId || null : organisationId;
+        const baseForSecureClient = baseClient || authSupabase || null;
+        const secureClient = baseForSecureClient ? fromSupabaseClient(
+          baseForSecureClient,
+          effectiveOrganisationId ?? null,
+          eventId,
+          appId,
+          isSuperAdmin
+        ) : createSecureClient(
           config.url,
           config.key,
-          organisationId,
-          // organisationId is string, UUID is string alias
+          effectiveOrganisationId,
+          // organisationId is string | null, UUID is string alias
           eventId,
           appId,
           // appId is string | undefined, UUID is string alias
@@ -1471,20 +1922,24 @@ function useSecureSupabase(baseClient) {
 }
 
 export {
+  SECURE_CLIENT_SYMBOL,
+  isSecureClient,
+  warnIfInsecureClient,
   SecureSupabaseClient,
   createSecureClient,
   fromSupabaseClient,
+  useResolvedScope,
   useRBAC,
+  useAccessLevel,
+  useCachedPermissions,
   scopeEqual,
-  usePermissions,
   useCan,
-  useAccessLevel,
-  useMultiplePermissions,
-  useHasAnyPermission,
   useHasAllPermissions,
-  useCachedPermissions,
+  useHasAnyPermission,
+  useMultiplePermissions,
+  usePermissions,
   useResourcePermissions,
   useRoleManagement,
   useSecureSupabase
 };
-//# sourceMappingURL=chunk-XM25TVIE.js.map
+//# sourceMappingURL=chunk-YDQHOZNA.js.map