@jmruthers/pace-core 0.6.1 → 0.6.3

package/dist/rbac/index.d.ts

@@ -1,31 +1,12 @@
-import { U as UUID, g as PermissionCacheKey, h as AuditEventSource, i as RBACAuditEvent, a as PermissionCheck, S as Scope, A as AccessLevel, b as PermissionMap, j as RBACAppContext, k as RBACRoleContext, P as Permission, l as UserRBACContext } from '../types-UU913iLA.js';
-export { E as EventAppRole, G as GlobalRole, I as InvalidScopeError, M as MissingUserContextError, O as Operation, e as OrganisationContextRequiredError, c as OrganisationRole, d as PermissionDeniedError, R as RBACError, f as RBACNotInitializedError } from '../types-UU913iLA.js';
-export { A as AccessLevelContext, s as AuditEventType, P as PermissionSource, d as RBACAccessValidateParams, e as RBACAccessValidateResult, q as RBACAuditLogParams, r as RBACAuditLogResult, t as RBACContext, w as RBACErrorCode, v as RBACFunctionResponse, f as RBACPageAccessCheckParams, R as RBACPermissionCheckParams, a as RBACPermissionCheckResult, b as RBACPermissionsGetParams, c as RBACPermissionsGetResult, u as RBACResult, g as RBACRoleGrantParams, h as RBACRoleGrantResult, i as RBACRoleRevokeParams, j as RBACRoleRevokeResult, m as RBACRoleValidateParams, n as RBACRoleValidateResult, k as RBACRolesListParams, l as RBACRolesListResult, o as RBACSessionTrackParams, p as RBACSessionTrackResult, x as RPCFunction, S as SessionType } from '../functions-D_kgHktt.js';
+import { U as UUID, g as PermissionCacheKey, h as AuditEventSource, i as RBACAuditEvent, a as PermissionCheck, S as Scope, A as AccessLevel, b as PermissionMap, j as RBACAppContext, k as RBACRoleContext, P as Permission, l as UserRBACContext } from '../types-BeoeWV5I.js';
+export { E as EventAppRole, G as GlobalRole, I as InvalidScopeError, M as MissingUserContextError, O as Operation, e as OrganisationContextRequiredError, c as OrganisationRole, d as PermissionDeniedError, R as RBACError, f as RBACNotInitializedError } from '../types-BeoeWV5I.js';
+export { A as AccessLevelContext, s as AuditEventType, P as PermissionSource, d as RBACAccessValidateParams, e as RBACAccessValidateResult, q as RBACAuditLogParams, r as RBACAuditLogResult, t as RBACContext, w as RBACErrorCode, v as RBACFunctionResponse, f as RBACPageAccessCheckParams, R as RBACPermissionCheckParams, a as RBACPermissionCheckResult, b as RBACPermissionsGetParams, c as RBACPermissionsGetResult, u as RBACResult, g as RBACRoleGrantParams, h as RBACRoleGrantResult, i as RBACRoleRevokeParams, j as RBACRoleRevokeResult, m as RBACRoleValidateParams, n as RBACRoleValidateResult, k as RBACRolesListParams, l as RBACRolesListResult, o as RBACSessionTrackParams, p as RBACSessionTrackResult, x as RPCFunction, S as SessionType } from '../functions-DHebl8-F.js';
 import { SupabaseClient } from '@supabase/supabase-js';
 import { D as Database } from '../database.generated-CzIvgcPu.js';
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import React__default, { ReactNode } from 'react';
 import '../core-CUElvH_C.js';
 
-/**
- * Context Validator for RBAC
- * @package @jmruthers/pace-core
- * @module RBAC/ContextValidator
- * @since 1.0.0
- *
- * Centralized validation for RBAC context requirements based on app configuration.
- * Enforces app-specific context rules with single primary context:
- * - requires_event = TRUE: Event is PRIMARY context, org derived from event (org not required in input)
- * - requires_event = FALSE: Organisation is PRIMARY context, event optional
- * - PORTAL/ADMIN apps: Both contexts optional (allows users to view/edit own profiles, super admin access)
- *
- * Key principle: Only one primary context is required based on app config. The other is derived or optional.
- */
-
-interface AppConfig {
-    requires_event: boolean;
-}
-
 /**
  * RBAC Security Enhancements
  * @package @jmruthers/pace-core
@@ -122,8 +103,10 @@ declare function isDevelopmentMode(): boolean;
  * This client automatically injects organisation context into all requests
  * and prevents queries that don't have the required context.
  *
- * Note: Callers should derive organisationId from eventId before creating this client
- * if working with event-required apps. The client requires organisationId.
+ * Note: For non-super-admins, organisationId is required. Super-admins can operate
+ * without organisationId to access system-wide tables (like core_organisations).
+ * Callers should derive organisationId from eventId before creating this client
+ * if working with event-required apps.
  */
 declare class SecureSupabaseClient {
     private supabase;
@@ -134,7 +117,20 @@ declare class SecureSupabaseClient {
     private eventId?;
     private appId?;
     private isSuperAdmin;
-    constructor(supabaseUrl: string, supabaseKey: string, organisationId: UUID, eventId?: string, appId?: UUID, isSuperAdmin?: boolean);
+    private usesExistingClient;
+    private static rpcSignatureCache;
+    /**
+     * RPC functions that are safe to call without organisation context.
+     *
+     * These functions must:
+     * - rely on JWT context (auth.uid()) for authentication
+     * - not read or write organisation-scoped data
+     *
+     * This allowlist enables compliant consuming apps to use `secureSupabase.rpc(...)`
+     * even before an organisation is selected (common during initial page load/refresh).
+     */
+    private static readonly GLOBAL_RPC_ALLOWLIST;
+    constructor(supabaseUrl: string, supabaseKey: string, organisationId: UUID | null, eventId?: string, appId?: UUID, isSuperAdmin?: boolean, existingClient?: SupabaseClient<Database>);
     /**
      * Setup context injection for all database operations
      */
@@ -170,18 +166,36 @@ declare class SecureSupabaseClient {
      * - Super admins: No org filter (see all users) - RLS will allow access
      * - Non-super-admins: Apply org filter as defense in depth - RLS will also filter
      *
+     * For system-wide tables (like core_organisations):
+     * - Super admins: No org filter (see all records) - RLS will allow access
+     * - Non-super-admins: Apply org filter as defense in depth - RLS will also filter
+     *
      * For other tables:
      * - Always apply org filter unless super admin bypasses it
      */
     private addOrganisationFilter;
     /**
      * Validate that required context is present
+     * Super-admins can operate without organisation context
      */
     private validateContext;
+    /**
+     * Determine whether a table requires organisation context.
+     * Tables without an organisation_id column (or global configuration tables) are safe without org context.
+     */
+    private tableRequiresOrganisationContext;
+    /**
+     * Validate context for a specific table operation.
+     */
+    private validateContextForTable;
+    /**
+     * Validate context for a specific RPC call.
+     */
+    private validateContextForRpc;
     /**
      * Get the current organisation ID
      */
-    getOrganisationId(): UUID;
+    getOrganisationId(): UUID | null;
     /**
      * Get the current event ID
      */
@@ -194,7 +208,7 @@ declare class SecureSupabaseClient {
      * Create a new client with updated context
      */
     withContext(updates: {
-        organisationId?: UUID;
+        organisationId?: UUID | null;
         eventId?: string;
         appId?: UUID;
         isSuperAdmin?: boolean;
@@ -204,16 +218,28 @@ declare class SecureSupabaseClient {
      * @internal
      */
     getClient(): SupabaseClient<Database>;
+    /**
+     * Get the set of parameter names that an RPC function accepts.
+     * Uses a static whitelist of RPCs that we know accept context parameters.
+     *
+     * This is an opt-in approach: by default, we don't inject context unless
+     * the function is explicitly whitelisted. This prevents PGRST202 errors from
+     * injecting unexpected parameters.
+     *
+     * @param fn - The RPC function name
+     * @returns Set of parameter names the function accepts
+     */
+    private getRpcAcceptedParams;
 }
 /**
  * Create a secure Supabase client with organisation context
  *
  * @param supabaseUrl - Supabase project URL
  * @param supabaseKey - Supabase publishable key or anon key (accepts both legacy anon keys and modern publishable keys)
- * @param organisationId - Required organisation ID
+ * @param organisationId - Organisation ID (optional for super-admins)
  * @param eventId - Optional event ID
  * @param appId - Optional app ID
- * @param isSuperAdmin - Optional super admin flag (defaults to false)
+ * @param isSuperAdmin - Optional super admin flag (defaults to false). When true, organisationId can be null.
  * @returns SecureSupabaseClient instance
  *
  * @example
@@ -226,9 +252,19 @@ declare class SecureSupabaseClient {
  *   'app-789',
  *   false // isSuperAdmin
  * );
+ *
+ * // For super-admins, organisationId can be null
+ * const superAdminClient = createSecureClient(
+ *   'https://your-project.supabase.co',
+ *   'your-publishable-key-or-anon-key',
+ *   null, // organisationId not required for super-admins
+ *   undefined,
+ *   undefined,
+ *   true // isSuperAdmin
+ * );
  * ```
  */
-declare function createSecureClient(supabaseUrl: string, supabaseKey: string, organisationId: UUID, eventId?: string, appId?: UUID, isSuperAdmin?: boolean): SecureSupabaseClient;
+declare function createSecureClient(supabaseUrl: string, supabaseKey: string, organisationId: UUID | null, eventId?: string, appId?: UUID, isSuperAdmin?: boolean): SecureSupabaseClient;
 /**
  * Create a secure client from an existing Supabase client
  *
@@ -238,7 +274,54 @@ declare function createSecureClient(supabaseUrl: string, supabaseKey: string, or
  * @param appId - Optional app ID
  * @returns SecureSupabaseClient instance
  */
-declare function fromSupabaseClient(client: SupabaseClient<Database>, organisationId: UUID, eventId?: string, appId?: UUID): SecureSupabaseClient;
+declare function fromSupabaseClient(client: SupabaseClient<Database>, organisationId: UUID | null, eventId?: string, appId?: UUID, isSuperAdmin?: boolean): SecureSupabaseClient;
+
+/**
+ * Client Security Detection Utilities
+ * @package @jmruthers/pace-core
+ * @module RBAC/Utils/ClientSecurity
+ * @since 1.0.0
+ *
+ * Utilities to detect and warn about insecure Supabase client usage.
+ */
+
+/**
+ * Symbol to mark secure clients
+ * This is attached to clients created by SecureSupabaseClient
+ */
+declare const SECURE_CLIENT_SYMBOL: unique symbol;
+/**
+ * Check if a Supabase client is a secure client (created via useSecureSupabase or createSecureClient)
+ *
+ * @param client - The Supabase client to check
+ * @returns true if the client is secure, false otherwise
+ *
+ * @example
+ * ```tsx
+ * import { isSecureClient } from '@jmruthers/pace-core/rbac/utils/clientSecurity';
+ *
+ * const supabase = useSecureSupabase();
+ * if (isSecureClient(supabase)) {
+ *   // Client is secure, safe to use
+ * }
+ * ```
+ */
+declare function isSecureClient(client: SupabaseClient<Database> | null | undefined): boolean;
+/**
+ * Warn about insecure client usage in development
+ *
+ * @param client - The client being used
+ * @param context - Context about where the client is being used (for better error messages)
+ *
+ * @example
+ * ```tsx
+ * import { warnIfInsecureClient } from '@jmruthers/pace-core/rbac/utils/clientSecurity';
+ *
+ * const supabase = createClient(...); // Wrong!
+ * warnIfInsecureClient(supabase, 'MyComponent');
+ * ```
+ */
+declare function warnIfInsecureClient(client: SupabaseClient<Database> | null | undefined, context?: string): void;
 
 /**
  * RBAC Cache Implementation
@@ -1376,126 +1459,118 @@ interface ResourcePermissions {
 declare function useResourcePermissions(resource: string, options?: UseResourcePermissionsOptions): ResourcePermissions;
 
 /**
- * @file RBAC Permission Hooks
- * @package @jmruthers/pace-core
- * @module RBAC/Hooks
- * @since 1.0.0
- *
- * This module provides React hooks for RBAC functionality.
- */
-
-/**
- * Hook to get user's permissions in a scope
+ * Hook to get user's access level in a scope
  *
  * @param userId - User ID
- * @param organisationId - Organisation ID
- * @param eventId - Event ID (optional)
- * @param appId - Application ID (optional)
- * @returns Permission state and methods
+ * @param scope - Scope for access level checking
+ * @returns Access level state and methods
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { permissions, isLoading, error } = usePermissions(
- *     userId,
- *     organisationId,
- *     eventId,
- *     appId
- *   );
+ *   const { accessLevel, isLoading, error } = useAccessLevel(userId, scope);
  *
- *   if (isLoading) return <div>Loading...</div>;
+ *   if (isLoading) return <div>Loading access level...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
  *   return (
  *     <div>
- *       {permissions['read:users'] && <UserList />}
- *       {permissions['create:users'] && <CreateUserButton />}
+ *       Access Level: {accessLevel}
+ *       {accessLevel >= AccessLevel.ADMIN && <AdminPanel />}
  *     </div>
  *   );
  * }
  * ```
  */
-declare function usePermissions(userId: UUID, organisationId: string | undefined, eventId: string | undefined, appId: string | undefined): {
-    permissions: PermissionMap;
+declare function useAccessLevel(userId: UUID, scope: Scope): {
+    accessLevel: AccessLevel;
     isLoading: boolean;
     error: Error | null;
-    hasPermission: (permission: Permission) => boolean;
-    hasAnyPermission: (permissionList: Permission[]) => boolean;
-    hasAllPermissions: (permissionList: Permission[]) => boolean;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to check if user can perform an action
+ * Hook to get cached permissions with TTL management
  *
  * @param userId - User ID
  * @param scope - Scope for permission checking
- * @param permission - Permission to check
- * @param pageId - Optional page ID
- * @param useCache - Whether to use cached results
- * @param appName - Optional app name (for PORTAL/ADMIN special case)
- * @returns Permission check state and methods
+ * @returns Cached permission state and methods
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { can, isLoading, error } = useCan(userId, scope, 'read:users');
+ *   const { permissions, isLoading, error, invalidateCache } = useCachedPermissions(userId, scope);
  *
- *   if (isLoading) return <div>Checking permission...</div>;
+ *   if (isLoading) return <div>Loading cached permissions...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
- *   return can ? <UserList /> : <div>Access denied</div>;
+ *   return (
+ *     <div>
+ *       {permissions['read:users'] && <UserList />}
+ *       <button onClick={invalidateCache}>Refresh Permissions</button>
+ *     </div>
+ *   );
  * }
  * ```
  */
-declare function useCan(userId: UUID, scope: Scope, permission: Permission, pageId?: UUID, useCache?: boolean, appName?: string): {
-    can: boolean;
+declare function useCachedPermissions(userId: UUID, scope: Scope): {
+    permissions: PermissionMap;
     isLoading: boolean;
     error: Error | null;
+    invalidateCache: () => void;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to get user's access level in a scope
+ * Hook to check if user can perform an action
  *
  * @param userId - User ID
- * @param scope - Scope for access level checking
- * @returns Access level state and methods
+ * @param scope - Scope for permission checking
+ * @param permission - Permission to check
+ * @param pageId - Optional page ID
+ * @param useCache - Whether to use cached results
+ * @param appName - Optional app name (for PORTAL/ADMIN special case)
+ * @returns Permission check state and methods
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { accessLevel, isLoading, error } = useAccessLevel(userId, scope);
+ *   const { can, isLoading, error } = useCan(userId, scope, 'read:users');
  *
- *   if (isLoading) return <div>Loading access level...</div>;
+ *   if (isLoading) return <div>Checking permission...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
- *   return (
- *     <div>
- *       Access Level: {accessLevel}
- *       {accessLevel >= AccessLevel.ADMIN && <AdminPanel />}
- *     </div>
- *   );
+ *   return can ? <UserList /> : <div>Access denied</div>;
  * }
  * ```
  */
-declare function useAccessLevel(userId: UUID, scope: Scope): {
-    accessLevel: AccessLevel;
+declare function useCan(userId: UUID, scope: Scope, permission: Permission, pageId?: UUID, useCache?: boolean, 
+/**
+ * Pre-computed super admin flag to avoid duplicate super admin checks.
+ * Callers should check super admin once and pass the result to all useCan hooks.
+ * Pass null if not checked yet, false/true if checked.
+ * Defaults to null (not checked yet) - hook will check if needed.
+ */
+precomputedSuperAdmin?: boolean | null, appName?: string): {
+    can: boolean;
     isLoading: boolean;
     error: Error | null;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to check multiple permissions at once
+ * Hook to check if user has all of the specified permissions
  *
  * @param userId - User ID
  * @param scope - Scope for permission checking
  * @param permissions - Array of permissions to check
  * @param useCache - Whether to use cached results
- * @returns Multiple permission check results
+ * @returns Whether user has all of the permissions
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { results, isLoading, error } = useMultiplePermissions(
+ *   const { hasAll, isLoading, error } = useHasAllPermissions(
  *     userId,
  *     scope,
  *     ['read:users', 'create:users', 'update:users']
@@ -1504,22 +1579,17 @@ declare function useAccessLevel(userId: UUID, scope: Scope): {
  *   if (isLoading) return <div>Checking permissions...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
- *   return (
- *     <div>
- *       {results['read:users'] && <UserList />}
- *       {results['create:users'] && <CreateUserButton />}
- *       {results['update:users'] && <EditUserButton />}
- *     </div>
- *   );
+ *   return hasAll ? <FullUserManagementPanel /> : <div>Insufficient permissions</div>;
  * }
  * ```
  */
-declare function useMultiplePermissions(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
-    results: Record<Permission, boolean>;
+declare function useHasAllPermissions(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
+    hasAll: boolean;
     isLoading: boolean;
     error: Error | null;
     refetch: () => Promise<void>;
 };
+
 /**
  * Hook to check if user has any of the specified permissions
  *
@@ -1551,19 +1621,20 @@ declare function useHasAnyPermission(userId: UUID, scope: Scope, permissions: Pe
     error: Error | null;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to check if user has all of the specified permissions
+ * Hook to check multiple permissions at once
  *
  * @param userId - User ID
  * @param scope - Scope for permission checking
  * @param permissions - Array of permissions to check
  * @param useCache - Whether to use cached results
- * @returns Whether user has all of the permissions
+ * @returns Multiple permission check results
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { hasAll, isLoading, error } = useHasAllPermissions(
+ *   const { results, isLoading, error } = useMultiplePermissions(
  *     userId,
  *     scope,
  *     ['read:users', 'create:users', 'update:users']
@@ -1572,45 +1643,61 @@ declare function useHasAnyPermission(userId: UUID, scope: Scope, permissions: Pe
  *   if (isLoading) return <div>Checking permissions...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
- *   return hasAll ? <FullUserManagementPanel /> : <div>Insufficient permissions</div>;
+ *   return (
+ *     <div>
+ *       {results['read:users'] && <UserList />}
+ *       {results['create:users'] && <CreateUserButton />}
+ *       {results['update:users'] && <EditUserButton />}
+ *     </div>
+ *   );
  * }
  * ```
  */
-declare function useHasAllPermissions(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
-    hasAll: boolean;
+declare function useMultiplePermissions(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
+    results: Record<Permission, boolean>;
     isLoading: boolean;
     error: Error | null;
     refetch: () => Promise<void>;
 };
+
 /**
- * Hook to get cached permissions with TTL management
+ * Hook to get user's permissions in a scope
  *
  * @param userId - User ID
- * @param scope - Scope for permission checking
- * @returns Cached permission state and methods
+ * @param organisationId - Organisation ID
+ * @param eventId - Event ID (optional)
+ * @param appId - Application ID (optional)
+ * @returns Permission state and methods
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { permissions, isLoading, error, invalidateCache } = useCachedPermissions(userId, scope);
+ *   const { permissions, isLoading, error } = usePermissions(
+ *     userId,
+ *     organisationId,
+ *     eventId,
+ *     appId
+ *   );
  *
- *   if (isLoading) return <div>Loading cached permissions...</div>;
+ *   if (isLoading) return <div>Loading...</div>;
  *   if (error) return <div>Error: {error.message}</div>;
  *
  *   return (
  *     <div>
  *       {permissions['read:users'] && <UserList />}
- *       <button onClick={invalidateCache}>Refresh Permissions</button>
+ *       {permissions['create:users'] && <CreateUserButton />}
  *     </div>
  *   );
  * }
  * ```
  */
-declare function useCachedPermissions(userId: UUID, scope: Scope): {
+declare function usePermissions(userId: UUID, organisationId: string | undefined, eventId: string | undefined, appId: string | undefined): {
     permissions: PermissionMap;
     isLoading: boolean;
     error: Error | null;
-    invalidateCache: () => void;
+    hasPermission: (permission: Permission) => boolean;
+    hasAnyPermission: (permissionList: Permission[]) => boolean;
+    hasAllPermissions: (permissionList: Permission[]) => boolean;
     refetch: () => Promise<void>;
 };
 
@@ -2187,7 +2274,7 @@ declare function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<
 declare function getAccessLevel(input: {
     userId: UUID;
     scope: Scope;
-}, appConfig?: AppConfig | null, appName?: string): Promise<AccessLevel>;
+}, appName?: string): Promise<AccessLevel>;
 /**
  * Get user's permission map for a scope
  *
@@ -2211,7 +2298,7 @@ declare function getAccessLevel(input: {
 declare function getPermissionMap(input: {
     userId: UUID;
     scope: Scope;
-}, appConfig?: AppConfig | null, appName?: string): Promise<PermissionMap>;
+}, appName?: string): Promise<PermissionMap>;
 declare function resolveAppContext(input: {
     userId: UUID;
     appName: string;
@@ -2219,7 +2306,7 @@ declare function resolveAppContext(input: {
 declare function getRoleContext(input: {
     userId: UUID;
     scope: Scope;
-}, appConfig?: AppConfig | null, appName?: string): Promise<RBACRoleContext>;
+}, appName?: string): Promise<RBACRoleContext>;
 /**
  * Check if user has a specific permission
  *
@@ -2238,7 +2325,14 @@ declare function getRoleContext(input: {
  * });
  * ```
  */
-declare function isPermitted(input: PermissionCheck, appConfig?: AppConfig | null, appName?: string): Promise<boolean>;
+declare function isPermitted(input: PermissionCheck, appName?: string, 
+/**
+ * Pre-computed super admin status to avoid duplicate checks.
+ * Pass null if not checked yet (will check), true if already checked and is super admin,
+ * or false if already checked and is not super admin.
+ * @default null
+ */
+precomputedSuperAdmin?: boolean | null): Promise<boolean>;
 /**
  * Check if user has a specific permission (cached version)
  *
@@ -2246,11 +2340,10 @@ declare function isPermitted(input: PermissionCheck, appConfig?: AppConfig | nul
  * and checks cache before making new requests. Uses session cache for page-level checks.
  *
  * @param input - Permission check input
- * @param appConfig - Optional app configuration
- * @param appName - Optional app name
+ * @param appName - Optional app name (for PORTAL/ADMIN special case)
  * @returns Promise resolving to permission result
  */
-declare function isPermittedCached(input: PermissionCheck, appConfig?: AppConfig | null, appName?: string): Promise<boolean>;
+declare function isPermittedCached(input: PermissionCheck, appName?: string): Promise<boolean>;
 /**
  * Check if a user has a specific permission (alias for isPermitted)
  *
@@ -2375,28 +2468,6 @@ declare const PAGE_PERMISSIONS: {
  * @returns True if valid, false otherwise
  */
 declare function isValidPermission(permission: string): permission is Permission;
-/**
- * Get all permissions for a role - REMOVED
- *
- * @deprecated This function has been removed to ensure RBAC compliance.
- * Permissions must be queried from the rbac_page_permissions database table,
- * not hardcoded in application code. This allows organizations to customize
- * their own page-level permissions as required by the RBAC specification.
- *
- * To get permissions for a role, query the database:
- * ```typescript
- * const { data } = await supabase
- *   .from('rbac_page_permissions')
- *   .select('operation, allowed')
- *   .eq('role_name', roleName)
- *   .eq('organisation_id', organisationId)
- *   .eq('allowed', true);
- * ```
- *
- * @param role - Role name
- * @returns Empty array (function deprecated)
- */
-declare function getPermissionsForRole(role: string): Permission[];
 declare const ALL_PERMISSIONS: {
     readonly READ_PAGE: Permission;
     readonly CREATE_PAGE: Permission;
@@ -2609,4 +2680,4 @@ declare function getDirectSupabaseAuthFixes(): QuickFix;
  */
 declare function getQuickFixes(issueType: string, details?: Record<string, any>): QuickFix[];
 
-export { ALL_PERMISSIONS, AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type ComplianceResult, type DataAccessRecord, type DatabaseComplianceResult, type DatabaseIssue, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRoleData, GLOBAL_PERMISSIONS, type GrantEventAppRoleParams, type LogLevel, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, PAGE_PERMISSIONS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, Permission, PermissionCheck, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, PermissionMap, type QuickFix, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, type RBACLogger, type RBACPerformanceMetrics, type ResourcePermissions, type RevokeEventAppRoleParams, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RoleManagementResult, type RouteAccessRecord, type RouteConfig, type RuntimeComplianceResult, Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type SetupIssue, UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, type UseResourcePermissionsOptions, checkRuntimeCompliance, clearInFlightRequests, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, disablePerformanceMonitoring, emitAuditEvent, enablePerformanceMonitoring, fromSupabaseClient, getAccessLevel, getCustomAuthCodeFixes, getDirectSupabaseAuthFixes, getDuplicateConfigFixes, getGlobalAuditManager, getInFlightRequestCount, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getPermissionsForRole, getQuickFixes, getRBACConfig, getRBACLogger, getRoleContext, getSetupIssues, getUnprotectedPageFixes, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isValidPermission, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleBasedRouter, useRoleManagement, useSecureData, useSecureSupabase, validateAndWarn, validateDatabaseConfiguration, validateRBACSetup, withAccessLevelGuard, withPermissionGuard, withRoleGuard };
+export { ALL_PERMISSIONS, AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type ComplianceResult, type DataAccessRecord, type DatabaseComplianceResult, type DatabaseIssue, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRoleData, GLOBAL_PERMISSIONS, type GrantEventAppRoleParams, type LogLevel, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, PAGE_PERMISSIONS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, Permission, PermissionCheck, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, PermissionMap, type QuickFix, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, type RBACLogger, type RBACPerformanceMetrics, type ResourcePermissions, type RevokeEventAppRoleParams, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RoleManagementResult, type RouteAccessRecord, type RouteConfig, type RuntimeComplianceResult, SECURE_CLIENT_SYMBOL, Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type SetupIssue, UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, type UseResourcePermissionsOptions, checkRuntimeCompliance, clearInFlightRequests, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, disablePerformanceMonitoring, emitAuditEvent, enablePerformanceMonitoring, fromSupabaseClient, getAccessLevel, getCustomAuthCodeFixes, getDirectSupabaseAuthFixes, getDuplicateConfigFixes, getGlobalAuditManager, getInFlightRequestCount, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getQuickFixes, getRBACConfig, getRBACLogger, getRoleContext, getSetupIssues, getUnprotectedPageFixes, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isSecureClient, isValidPermission, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleBasedRouter, useRoleManagement, useSecureData, useSecureSupabase, validateAndWarn, validateDatabaseConfiguration, validateRBACSetup, warnIfInsecureClient, withAccessLevelGuard, withPermissionGuard, withRoleGuard };