@jmruthers/pace-core 0.6.1 → 0.6.3

package/src/rbac/api.ts

@@ -30,7 +30,6 @@ import { createLogger } from '../utils/core/logger';
 import { enablePerformanceMonitoring } from './performance';
 import { getOrCreateRequest } from './request-deduplication';
 import { ContextValidator } from './utils/contextValidator';
-import type { AppConfig } from './utils/contextValidator';
 
 const log = createLogger('RBACAPI');
 
@@ -92,6 +91,15 @@ export function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<R
   
 }
 
+/**
+ * Check if RBAC system is initialized
+ * 
+ * @returns True if RBAC is initialized
+ */
+export function isRBACInitialized(): boolean {
+  return globalEngine !== null;
+}
+
 /**
  * Get the global RBAC engine
  * 
@@ -126,42 +134,39 @@ export async function getAccessLevel(
     userId: UUID;
     scope: Scope;
   },
-  appConfig?: AppConfig | null,
   appName?: string
 ): Promise<AccessLevel> {
-  const engine = getEngine();
-  
-  // Check super admin status first - super admins bypass context requirements
-  const isSuperAdminUser = await engine['checkSuperAdmin'](input.userId);
-  if (isSuperAdminUser) {
-    return 'super';
-  }
-  
-  // Fetch app config if not provided
-  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
-  let resolvedAppName = appName;
-  
-  if (!resolvedAppConfig && input.scope.appId) {
-    resolvedAppConfig = await getAppConfig(input.scope.appId);
-  }
-  
-  // Validate context using ContextValidator
-  const validation = await ContextValidator.resolveRequiredContext(
-    input.scope,
-    resolvedAppConfig,
-    resolvedAppName,
-    engine['supabase']
-  );
-  
-  if (!validation.isValid || !validation.resolvedScope) {
-    throw validation.error || new OrganisationContextRequiredError();
+  try {
+    const engine = getEngine();
+    
+    // Check super admin status first - super admins bypass context requirements
+    const isSuperAdminUser = await engine['checkSuperAdmin'](input.userId);
+    if (isSuperAdminUser) {
+      return 'super';
+    }
+    
+    // For functions without pageId, default to organisation scope validation
+    // This is a safe default - most operations require organisation context
+    const validation = await ContextValidator.resolveScopeForPage(
+      input.scope,
+      'organisation', // Default to organisation scope when no page context
+      appName,
+      engine['supabase']
+    );
+    
+    if (!validation.isValid || !validation.resolvedScope) {
+      throw validation.error || new OrganisationContextRequiredError();
+    }
+    
+    // Use resolved scope
+    return engine.getAccessLevel({
+      ...input,
+      scope: validation.resolvedScope
+    });
+  } catch (error) {
+    // Re-throw the error - this is an API function that should propagate errors
+    throw error;
   }
-  
-  // Use resolved scope
-  return engine.getAccessLevel({
-    ...input,
-    scope: validation.resolvedScope
-  });
 }
 
 /**
@@ -189,44 +194,46 @@ export async function getPermissionMap(
     userId: UUID;
     scope: Scope;
   },
-  appConfig?: AppConfig | null,
   appName?: string
 ): Promise<PermissionMap> {
-  const engine = getEngine();
-  
-  // Fetch app config if not provided
-  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
-  let resolvedAppName = appName;
-  
-  if (!resolvedAppConfig && input.scope.appId) {
-    resolvedAppConfig = await getAppConfig(input.scope.appId);
-  }
-  
-  // Validate context using ContextValidator
-  const validation = await ContextValidator.resolveRequiredContext(
-    input.scope,
-    resolvedAppConfig,
-    resolvedAppName,
-    engine['supabase']
-  );
-  
-  if (!validation.isValid || !validation.resolvedScope) {
-    throw validation.error || new OrganisationContextRequiredError();
+  try {
+    const engine = getEngine();
+    
+    // For functions without pageId, default to organisation scope validation
+    // This is a safe default - most operations require organisation context
+    const validation = await ContextValidator.resolveScopeForPage(
+      input.scope,
+      'organisation', // Default to organisation scope when no page context
+      appName,
+      engine['supabase']
+    );
+    
+    if (!validation.isValid || !validation.resolvedScope) {
+      throw validation.error || new OrganisationContextRequiredError();
+    }
+    
+    // Use resolved scope
+    return engine.getPermissionMap({
+      ...input,
+      scope: validation.resolvedScope
+    });
+  } catch (error) {
+    // Re-throw the error - this is an API function that should propagate errors
+    throw error;
   }
-  
-  // Use resolved scope
-  return engine.getPermissionMap({
-    ...input,
-    scope: validation.resolvedScope
-  });
 }
 
 export async function resolveAppContext(input: {
   userId: UUID;
   appName: string;
 }): Promise<RBACAppContext | null> {
-  const engine = getEngine();
-  return engine.resolveAppContext(input);
+  try {
+    const engine = getEngine();
+    return await engine.resolveAppContext(input);
+  } catch (error) {
+    // Re-throw the error - this is an API function that should propagate errors
+    throw error;
+  }
 }
 
 export async function getRoleContext(
@@ -234,24 +241,15 @@ export async function getRoleContext(
     userId: UUID;
     scope: Scope;
   },
-  appConfig?: AppConfig | null,
   appName?: string
 ): Promise<RBACRoleContext> {
   const engine = getEngine();
   
-  // Fetch app config if not provided
-  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
-  let resolvedAppName = appName;
-  
-  if (!resolvedAppConfig && input.scope.appId) {
-    resolvedAppConfig = await getAppConfig(input.scope.appId);
-  }
-  
-  // Validate context using ContextValidator
-  const validation = await ContextValidator.resolveRequiredContext(
+  // For functions without pageId, default to organisation scope validation
+  const validation = await ContextValidator.resolveScopeForPage(
     input.scope,
-    resolvedAppConfig,
-    resolvedAppName,
+    'organisation', // Default to organisation scope when no page context
+    appName,
     engine['supabase']
   );
   
@@ -286,27 +284,35 @@ export async function getRoleContext(
  */
 export async function isPermitted(
   input: PermissionCheck,
-  appConfig?: AppConfig | null,
-  appName?: string
+  appName?: string,
+  /**
+   * Pre-computed super admin status to avoid duplicate checks.
+   * Pass null if not checked yet (will check), true if already checked and is super admin,
+   * or false if already checked and is not super admin.
+   * @default null
+   */
+  precomputedSuperAdmin: boolean | null = null
 ): Promise<boolean> {
   const engine = getEngine();
   
   // Check super admin status first - super admins bypass context requirements
   // Super admins have access to all permissions regardless of organisation context
-  const isSuperAdminUser = await engine['checkSuperAdmin'](input.userId);
-  if (isSuperAdminUser) {
+  // PERFORMANCE: Use precomputed value if provided to avoid duplicate checks
+  if (precomputedSuperAdmin === true) {
     return true;
   }
   
-  // Fetch app config if not provided and we have appId
-  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
-  let resolvedAppName = appName;
-  
-  if (!resolvedAppConfig && input.scope.appId) {
-    resolvedAppConfig = await getAppConfig(input.scope.appId);
+  // If null, check super admin status
+  if (precomputedSuperAdmin === null) {
+    const isSuperAdminUser = await engine['checkSuperAdmin'](input.userId);
+    if (isSuperAdminUser) {
+      return true;
+    }
   }
+  // If precomputedSuperAdmin === false, skip check and proceed with permission check
   
-  // If we have appId but no appName, try to get it from the database
+  // Get app name if not provided (for PORTAL/ADMIN special case)
+  let resolvedAppName = appName;
   if (!resolvedAppName && input.scope.appId) {
     try {
       const { data } = await engine['supabase']
@@ -323,10 +329,34 @@ export async function isPermitted(
     }
   }
   
-  // Validate context using ContextValidator
-  const validation = await ContextValidator.resolveRequiredContext(
+  // Get page scope type (required for all permission checks)
+  // All pages must have scope_type set - this is the single source of truth
+  let pageScopeType: 'event' | 'organisation' | 'both';
+  if (input.pageId) {
+    try {
+      const scopeType = await getPageScopeType(
+        input.pageId,
+        input.scope.appId,
+        resolvedAppName
+      );
+      if (!scopeType) {
+        throw new Error(`Page ${input.pageId} does not have scope_type set`);
+      }
+      pageScopeType = scopeType;
+    } catch (err) {
+      log.error('Failed to get page scope type:', err);
+      throw new Error(`Failed to determine page scope type: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  } else {
+    // No pageId provided - default to organisation scope
+    // This should rarely happen, but provides a safe fallback
+    pageScopeType = 'organisation';
+  }
+  
+  // Validate context using page-level scope (single source of truth)
+  const validation = await ContextValidator.resolveScopeForPage(
     input.scope,
-    resolvedAppConfig,
+    pageScopeType,
     resolvedAppName,
     engine['supabase']
   );
@@ -338,7 +368,64 @@ export async function isPermitted(
   // Use resolved scope for permission check
   const validatedScope = validation.resolvedScope;
   
-  // Create security context from validated scope
+  // Handle 'both' scope pages - check both scopes and return union
+  if (pageScopeType === 'both' && input.pageId) {
+    // Check permission with event scope
+    const eventScope: Scope = {
+      organisationId: validatedScope.organisationId, // Org derived from event
+      eventId: validatedScope.eventId,
+      appId: validatedScope.appId
+    };
+    
+    // Check permission with organisation scope (if org is available separately)
+    // For 'both' pages, we check the permission in both contexts and return the union
+    // Higher permission wins (true > false, admin > user, etc.)
+    
+    const eventSecurityContext: SecurityContext = {
+      userId: input.userId,
+      organisationId: eventScope.organisationId || null,
+      timestamp: new Date(),
+    };
+    
+    const eventInput: PermissionCheck = {
+      ...input,
+      scope: eventScope
+    };
+    
+    const hasEventPermission = await engine.isPermitted(eventInput, eventSecurityContext);
+    
+    // Also check with organisation scope if we have a separate org context
+    // (This handles cases where user has org permissions separate from event)
+    if (validatedScope.organisationId && validatedScope.eventId) {
+      const orgScope: Scope = {
+        organisationId: validatedScope.organisationId,
+        eventId: undefined, // Clear event for org-only check
+        appId: validatedScope.appId
+      };
+      
+      const orgSecurityContext: SecurityContext = {
+        userId: input.userId,
+        organisationId: orgScope.organisationId || null,
+        timestamp: new Date(),
+      };
+      
+      const orgInput: PermissionCheck = {
+        ...input,
+        scope: orgScope
+      };
+      
+      const hasOrgPermission = await engine.isPermitted(orgInput, orgSecurityContext);
+      
+      // Return union (true if either scope grants permission)
+      // For access levels, the database function handles the "higher wins" logic
+      return hasEventPermission || hasOrgPermission;
+    }
+    
+    // If only event scope available, return event permission
+    return hasEventPermission;
+  }
+  
+  // Standard permission check for single-scope pages
   const securityContext: SecurityContext = {
     userId: input.userId,
     organisationId: validatedScope.organisationId || null,
@@ -362,13 +449,11 @@ export async function isPermitted(
  * and checks cache before making new requests. Uses session cache for page-level checks.
  * 
  * @param input - Permission check input
- * @param appConfig - Optional app configuration
- * @param appName - Optional app name
+ * @param appName - Optional app name (for PORTAL/ADMIN special case)
  * @returns Promise resolving to permission result
  */
 export async function isPermittedCached(
   input: PermissionCheck,
-  appConfig?: AppConfig | null,
   appName?: string
 ): Promise<boolean> {
   const { userId, scope, permission, pageId } = input;
@@ -391,7 +476,9 @@ export async function isPermittedCached(
   // Use request deduplication - if same request is in-flight, share the promise
   return getOrCreateRequest(input, async (checkInput) => {
     // Check permission with context validation
-    const result = await isPermitted(checkInput, appConfig, appName);
+    // Note: We can't pass precomputedSuperAdmin here because getOrCreateRequest doesn't support it
+    // The super admin check in isPermitted will be cached, so it's not a huge performance hit
+    const result = await isPermitted(checkInput, appName, null);
     
     // Determine if this is a page-level check (has pageId or permission contains 'page.')
     const isPageLevelCheck = !!pageId || permission.includes('page.');
@@ -480,89 +567,81 @@ export async function isSuperAdmin(userId: UUID): Promise<boolean> {
   return engine['checkSuperAdmin'](userId);
 }
 
+
 /**
- * Get app configuration including requires_event setting
+ * Get page scope type (effective scope for a page)
  * 
- * @param appId - App ID
- * @returns Promise resolving to app configuration
+ * Returns the scope type for a page. After migration, all pages have explicit scope_type set.
+ * This is the single source of truth for page scoping.
+ * 
+ * @param pageId - Page ID (UUID) or page name
+ * @param appId - App ID (required if pageId is a page name)
+ * @param appName - App name (alternative to appId, used to resolve appId)
+ * @returns Promise resolving to page scope type: 'event', 'organisation', or 'both'
  */
-export async function getAppConfig(appId: UUID): Promise<AppConfig | null> {
-  try {
-    const engine = getEngine();
-    return getAppConfigWithClient(engine['supabase'], appId);
-  } catch (err) {
-    // RBAC not initialized - return null gracefully
-    if (err instanceof RBACNotInitializedError) {
-      return null;
-    }
-    throw err;
-  }
-}
-
-export async function getAppConfigWithClient(client: SupabaseClient | null | undefined, appId: UUID): Promise<AppConfig | null> {
-  // Return null if client is not available
-  if (!client) {
-    return null;
-  }
-  
-  // Cache key for app config - cache for 5 minutes (app config rarely changes)
-  const cacheKey = `app_config:${appId}`;
-  
-  // Check cache first
-  const cached = rbacCache.get<AppConfig>(cacheKey, true);
-  if (cached !== null) {
-    return cached;
-  }
+export async function getPageScopeType(
+  pageId: UUID | string,
+  appId?: UUID,
+  appName?: string
+): Promise<'event' | 'organisation' | 'both'> {
+  const engine = getEngine();
   
   try {
-    const { data, error } = await client
-      .from('rbac_apps')
-      .select('requires_event, name')
-      .eq('id', appId)
-      .eq('is_active', true)
-      .single() as { data: { requires_event: boolean; name: string } | null; error: any };
-
-    if (error || !data) {
-      return null;
+    // Resolve appId if not provided
+    let resolvedAppId = appId;
+    if (!resolvedAppId && appName) {
+      // Get appId directly from app name
+      const { data: app } = await engine['supabase']
+        .from('rbac_apps')
+        .select('id')
+        .eq('name', appName)
+        .eq('is_active', true)
+        .single() as { data: { id: UUID } | null; error: any };
+      resolvedAppId = app?.id;
     }
-
-    const appConfig: AppConfig = { requires_event: data.requires_event ?? false };
     
-    // Cache the result for 5 minutes (300000ms) with session cache enabled
-    // App config rarely changes, so we can cache it longer
-    rbacCache.set(cacheKey, appConfig, 5 * 60 * 1000, true);
+    if (!resolvedAppId) {
+      throw new Error(`Could not resolve appId for page ${pageId}`);
+    }
     
-    return appConfig;
-  } catch (err) {
-    log.error('Error fetching app config:', err);
-    return null;
-  }
-}
-
-/**
- * Get app configuration by app name
- * 
- * @param appName - App name
- * @returns Promise resolving to app configuration
- */
-export async function getAppConfigByName(appName: string): Promise<AppConfig | null> {
-  const engine = getEngine();
-  try {
+    // Resolve pageId if it's a page name
+    let resolvedPageId: UUID | string = pageId;
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    if (!uuidRegex.test(pageId)) {
+      // It's a page name, resolve to UUID
+      const { data: page } = await engine['supabase']
+        .from('rbac_app_pages')
+        .select('id')
+        .eq('app_id', resolvedAppId)
+        .eq('page_name', pageId)
+        .maybeSingle() as { data: { id: UUID } | null; error: any };
+      resolvedPageId = page?.id || pageId;
+    }
+    
+    // If still not a UUID, can't proceed
+    if (!uuidRegex.test(resolvedPageId)) {
+      throw new Error(`Could not resolve pageId ${pageId} to a valid UUID`);
+    }
+    
+    // Call the database function to get scope type (always returns a value)
     const { data, error } = await engine['supabase']
-      .from('rbac_apps')
-      .select('requires_event, name')
-      .eq('name', appName)
-      .eq('is_active', true)
-      .single() as { data: { requires_event: boolean; name: string } | null; error: any };
-
-    if (error || !data) {
-      return null;
+      .rpc('get_page_scope_type' as any, {
+        p_page_id: resolvedPageId
+      }) as { data: 'event' | 'organisation' | 'both' | null; error: any };
+    
+    if (error) {
+      log.error('Error fetching page scope type:', { pageId, appId, error });
+      throw new Error(`Failed to get page scope type: ${error.message}`);
     }
-
-    return { requires_event: data.requires_event ?? false };
+    
+    if (!data) {
+      throw new Error(`Page ${resolvedPageId} does not have scope_type set`);
+    }
+    
+    return data;
   } catch (err) {
-    log.error('Error fetching app config by name:', err);
-    return null;
+    log.error('Error fetching page scope type:', err);
+    throw err instanceof Error ? err : new Error(`Failed to get page scope type: ${String(err)}`);
   }
 }
 

package/src/rbac/components/NavigationProvider.tsx

@@ -211,12 +211,15 @@ export function NavigationProvider({
     const permission = item.permissions[0];
     
     // Call useCan hook for actual permission checking
+    // Pass null for super admin status (not checked yet - hook will check if needed)
     const { can, error } = useCan(
       user.id,
       currentScope,
       permission,
       item.pageId,
-      true // useCache
+      true, // useCache
+      null, // precomputedSuperAdmin - not checked yet
+      undefined // appName
     );
     
     // Handle errors gracefully - allow access when there are permission check errors (graceful degradation)