@jmruthers/pace-core 0.6.1 → 0.6.3

package/dist/chunk-EXUD6RNJ.js

@@ -1,451 +0,0 @@
-import {
-  useOrganisationSecurity,
-  useResolvedScope
-} from "./chunk-3XTALGJF.js";
-import {
-  EventServiceContext,
-  useUnifiedAuth
-} from "./chunk-BYFSK72L.js";
-import {
-  setOrganisationContext
-} from "./chunk-VBXEHIUJ.js";
-import {
-  logger
-} from "./chunk-PWLANIRT.js";
-
-// src/hooks/useSecureDataAccess.ts
-import { useCallback, useState, useContext } from "react";
-function useSecureDataAccess() {
-  const { supabase, user, session, selectedOrganisation, selectedEvent } = useUnifiedAuth();
-  const eventServiceContext = useContext(EventServiceContext);
-  const eventFromContext = eventServiceContext?.eventService?.getSelectedEvent() || null;
-  const effectiveSelectedEvent = selectedEvent || eventFromContext;
-  const { superAdminContext } = useOrganisationSecurity();
-  const isSuperAdmin = superAdminContext.isSuperAdmin;
-  const { resolvedScope } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: effectiveSelectedEvent?.event_id || null
-  });
-  const validateContext = useCallback(() => {
-    if (!supabase) {
-      throw new Error("No Supabase client available");
-    }
-    if (!user || !session) {
-      throw new Error("User must be authenticated with valid session");
-    }
-    if (isSuperAdmin) {
-      return;
-    }
-    if (!resolvedScope?.organisationId) {
-      throw new Error("Organisation context is required for data access");
-    }
-  }, [supabase, user, session, resolvedScope, isSuperAdmin]);
-  const getCurrentOrganisationId = useCallback(() => {
-    if (isSuperAdmin) {
-      return resolvedScope?.organisationId || selectedOrganisation?.id || "";
-    }
-    validateContext();
-    return resolvedScope?.organisationId || "";
-  }, [validateContext, resolvedScope, selectedOrganisation, isSuperAdmin]);
-  const setOrganisationContextInSession = useCallback(async (organisationId) => {
-    if (!supabase || !organisationId) {
-      return;
-    }
-    await setOrganisationContext(supabase, organisationId);
-  }, [supabase]);
-  const secureQuery = useCallback(async (table, columns, filters = {}, options = {}) => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? void 0 : getCurrentOrganisationId();
-    await setOrganisationContextInSession(organisationId);
-    let query = supabase.from(table).select(columns);
-    const tablesWithOrganisation = [
-      "core_events",
-      "organisation_settings",
-      "rbac_event_app_roles",
-      "rbac_organisation_roles",
-      // SECURITY: Phase 2 additions - complete organisation table mapping
-      "organisation_audit_log",
-      "organisation_invitations",
-      "organisation_app_access",
-      // SECURITY: Emergency additions for Phase 1 fixes
-      "cake_meal",
-      "cake_mealtype",
-      // NOTE: core_person, core_member, core_contact, core_consent, core_identification, 
-      // core_qualification, and medi_profile are person-scoped tables that do NOT have 
-      // organisation_id columns. They were removed as part of the person-scoped profiles migration.
-      // Do NOT add organisation_id filters to these tables - it will cause 400 errors.
-      // SECURITY: Phase 3A additions - medical and personal data
-      // NOTE: medi_condition, medi_diet, medi_action_plan, medi_profile_versions are now person-scoped
-      // (via medi_profile) - removed from this list
-      // core_identification_type remains organisation-scoped (lookup table)
-      "core_identification_type",
-      "form_responses",
-      "form_response_values",
-      "forms",
-      // SECURITY: Phase 3B additions - remaining critical tables
-      "invoice",
-      "line_item",
-      "credit_balance",
-      "payment_method",
-      "form_contexts",
-      "form_field_config",
-      "form_fields",
-      "cake_delivery",
-      "cake_diettype",
-      "cake_diner",
-      "cake_dish",
-      "cake_item",
-      "cake_logistics",
-      "cake_mealplan",
-      "cake_package",
-      "cake_recipe",
-      "cake_supplier",
-      "cake_supply",
-      "cake_unit",
-      "event_app_access",
-      "base_application",
-      "base_questions",
-      // rbac_user_profiles has organisation_id but uses conditional filtering
-      "rbac_user_profiles"
-    ];
-    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {
-      if (table === "rbac_user_profiles" && isSuperAdmin) {
-      } else {
-        query = query.eq("organisation_id", organisationId);
-      }
-    }
-    Object.entries(filters).forEach(([key, value]) => {
-      if (value !== void 0 && value !== null) {
-        const columnName = key.includes(".") ? key.split(".").pop() : key;
-        query = query.eq(columnName, value);
-      }
-    });
-    if (options.orderBy) {
-      const orderByColumn = options.orderBy.split(".").pop();
-      if (orderByColumn) {
-        query = query.order(orderByColumn, { ascending: options.ascending ?? true });
-      }
-    }
-    if (options.limit) {
-      query = query.limit(options.limit);
-    }
-    if (options.offset) {
-      query = query.range(options.offset, options.offset + (options.limit || 100) - 1);
-    }
-    const { data, error } = await query;
-    if (error) {
-      logger.error("useSecureDataAccess", "Query failed", { table, columns, filters, error });
-      recordDataAccess(table, "read", false, `SELECT ${columns} FROM ${table}`, filters);
-      throw error;
-    }
-    recordDataAccess(table, "read", true, `SELECT ${columns} FROM ${table}`, filters);
-    return data || [];
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
-  const secureInsert = useCallback(async (table, data) => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? void 0 : getCurrentOrganisationId();
-    await setOrganisationContextInSession(organisationId);
-    const secureData = bypassOrganisationFilter ? { ...data } : {
-      ...data,
-      organisation_id: organisationId
-    };
-    const { data: insertData, error } = await supabase.from(table).insert(secureData).select().single();
-    if (error) {
-      logger.error("useSecureDataAccess", "Insert failed", { table, data: secureData, error });
-      throw error;
-    }
-    return insertData;
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
-  const secureUpdate = useCallback(async (table, data, filters) => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? void 0 : getCurrentOrganisationId();
-    await setOrganisationContextInSession(organisationId);
-    const { organisation_id, ...secureData } = data;
-    let query = supabase.from(table).update(secureData);
-    const tablesWithOrganisation = [
-      "core_events",
-      "organisation_settings",
-      "rbac_event_app_roles",
-      "rbac_organisation_roles",
-      // SECURITY: Phase 2 additions - complete organisation table mapping
-      "organisation_audit_log",
-      "organisation_invitations",
-      "organisation_app_access",
-      // SECURITY: Emergency additions for Phase 1 fixes
-      "cake_meal",
-      "cake_mealtype",
-      "core_person",
-      // SECURITY: These tables still have organisation_id columns and must be filtered
-      "core_member",
-      "core_contact",
-      "core_consent",
-      "core_identification",
-      "core_qualification",
-      "medi_profile",
-      // SECURITY: Phase 3A additions - medical and personal data
-      "medi_condition",
-      "medi_diet",
-      "medi_action_plan",
-      "medi_profile_versions",
-      "core_identification_type",
-      "form_responses",
-      "form_response_values",
-      "forms",
-      // SECURITY: Phase 3B additions - remaining critical tables
-      "invoice",
-      "line_item",
-      "credit_balance",
-      "payment_method",
-      "form_contexts",
-      "form_field_config",
-      "form_fields",
-      "cake_delivery",
-      "cake_diettype",
-      "cake_diner",
-      "cake_dish",
-      "cake_item",
-      "cake_logistics",
-      "cake_mealplan",
-      "cake_package",
-      "cake_recipe",
-      "cake_supplier",
-      "cake_supply",
-      "cake_unit",
-      "event_app_access",
-      "base_application",
-      "base_questions"
-    ];
-    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {
-      query = query.eq("organisation_id", organisationId);
-    }
-    Object.entries(filters).forEach(([key, value]) => {
-      if (value !== void 0 && value !== null) {
-        query = query.eq(key, value);
-      }
-    });
-    const { data: updateData, error } = await query.select();
-    if (error) {
-      logger.error("useSecureDataAccess", "Update failed", { table, data: secureData, filters, error });
-      throw error;
-    }
-    return updateData || [];
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
-  const secureDelete = useCallback(async (table, filters) => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? void 0 : getCurrentOrganisationId();
-    await setOrganisationContextInSession(organisationId);
-    let query = supabase.from(table).delete();
-    const tablesWithOrganisation = [
-      "core_events",
-      "organisation_settings",
-      "rbac_event_app_roles",
-      "rbac_organisation_roles",
-      // SECURITY: Phase 2 additions - complete organisation table mapping
-      "organisation_audit_log",
-      "organisation_invitations",
-      "organisation_app_access",
-      // SECURITY: Emergency additions for Phase 1 fixes
-      "cake_meal",
-      "cake_mealtype",
-      "core_person",
-      "core_member",
-      // SECURITY: Phase 3A additions - medical and personal data
-      "medi_profile",
-      "medi_condition",
-      "medi_diet",
-      "medi_action_plan",
-      "medi_profile_versions",
-      "core_consent",
-      "core_contact",
-      "core_identification",
-      "core_identification_type",
-      "core_qualification",
-      "form_responses",
-      "form_response_values",
-      "forms",
-      // SECURITY: Phase 3B additions - remaining critical tables
-      "invoice",
-      "line_item",
-      "credit_balance",
-      "payment_method",
-      "form_contexts",
-      "form_field_config",
-      "form_fields",
-      "cake_delivery",
-      "cake_diettype",
-      "cake_diner",
-      "cake_dish",
-      "cake_item",
-      "cake_logistics",
-      "cake_mealplan",
-      "cake_package",
-      "cake_recipe",
-      "cake_supplier",
-      "cake_supply",
-      "cake_unit",
-      "event_app_access",
-      "base_application",
-      "base_questions"
-    ];
-    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {
-      query = query.eq("organisation_id", organisationId);
-    }
-    Object.entries(filters).forEach(([key, value]) => {
-      if (value !== void 0 && value !== null) {
-        query = query.eq(key, value);
-      }
-    });
-    const { error } = await query;
-    if (error) {
-      logger.error("useSecureDataAccess", "Delete failed", { table, filters, error });
-      throw error;
-    }
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);
-  const secureRpc = useCallback(async (functionName, params = {}) => {
-    validateContext();
-    const bypassOrganisationFilter = isSuperAdmin;
-    const organisationId = bypassOrganisationFilter ? void 0 : getCurrentOrganisationId();
-    await setOrganisationContextInSession(organisationId);
-    const functionsWithPOrganisationId = [
-      "data_cake_diners_list",
-      "data_cake_mealplans_list"
-    ];
-    const paramName = functionsWithPOrganisationId.includes(functionName) ? "p_organisation_id" : "organisation_id";
-    const functionsNeedingEventId = [
-      "data_cake_items_list",
-      "data_cake_packages_list",
-      "data_cake_suppliers_list",
-      "data_cake_diettypes_list",
-      "data_cake_mealtypes_list",
-      "data_cake_diners_list",
-      "data_cake_mealplans_list",
-      "data_cake_dishes_list",
-      "data_cake_recipes_list",
-      "data_cake_meals_list",
-      "data_cake_units_list",
-      "data_cake_orders_list",
-      "app_cake_item_create",
-      "app_cake_item_update",
-      "app_cake_package_create",
-      "app_cake_package_update",
-      "app_cake_supplier_create",
-      "app_cake_supplier_update",
-      "app_cake_supplier_delete",
-      "app_cake_meal_create",
-      "app_cake_meal_update",
-      "app_cake_meal_delete",
-      "app_cake_unit_create",
-      "app_cake_unit_update",
-      "app_cake_unit_delete",
-      "app_cake_delivery_upsert"
-    ];
-    const secureParams = {};
-    const functionsWithEventIdFirst = [
-      "data_cake_meals_list",
-      "data_cake_units_list"
-    ];
-    if (user?.id) {
-      secureParams.p_user_id = user.id;
-    }
-    if (!bypassOrganisationFilter && organisationId) {
-      secureParams[paramName] = organisationId;
-    } else if (organisationId && !(paramName in params)) {
-      secureParams[paramName] = organisationId;
-    }
-    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {
-      secureParams.p_event_id = selectedEvent.event_id;
-    }
-    Object.assign(secureParams, params);
-    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {
-      secureParams.p_event_id = selectedEvent.event_id;
-    }
-    const { data, error } = await supabase.rpc(functionName, secureParams);
-    if (error) {
-      logger.error("useSecureDataAccess", "RPC failed", { functionName, params: secureParams, error });
-      throw error;
-    }
-    return data;
-  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, selectedEvent?.event_id, user?.id, isSuperAdmin]);
-  const [dataAccessHistory, setDataAccessHistory] = useState([]);
-  const [isStrictMode] = useState(true);
-  const [isAuditLogEnabled] = useState(true);
-  const isDataAccessAllowed = useCallback((table, operation) => {
-    if (!user?.id) return false;
-    const permission = `${operation}:data.${table}`;
-    return true;
-  }, [user?.id]);
-  const getDataAccessPermissions = useCallback(() => {
-    if (!user?.id) return {};
-    return {};
-  }, [user?.id]);
-  const getDataAccessHistory = useCallback(() => {
-    return [...dataAccessHistory];
-  }, [dataAccessHistory]);
-  const clearDataAccessHistory = useCallback(() => {
-    setDataAccessHistory([]);
-  }, []);
-  const validateDataAccess = useCallback((table, operation) => {
-    if (!user?.id) return false;
-    try {
-      validateContext();
-    } catch (error) {
-      logger.error("useSecureDataAccess", "Organisation context validation failed", { table, operation, error });
-      return false;
-    }
-    return isDataAccessAllowed(table, operation);
-  }, [user?.id, validateContext, isDataAccessAllowed]);
-  const recordDataAccess = useCallback((table, operation, allowed, query, filters) => {
-    if (!isAuditLogEnabled || !user?.id) return;
-    const auditOrganisationId = getCurrentOrganisationId() || "super-admin-bypass";
-    const record = {
-      table,
-      operation,
-      userId: user.id,
-      organisationId: auditOrganisationId,
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      query,
-      filters
-    };
-    setDataAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, 1e3);
-    });
-    if (isStrictMode && !allowed) {
-      logger.error("useSecureDataAccess", "STRICT MODE VIOLATION: User attempted data access without permission", {
-        table,
-        operation,
-        userId: user.id,
-        organisationId: auditOrganisationId,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [isAuditLogEnabled, isStrictMode, user?.id, getCurrentOrganisationId]);
-  return {
-    secureQuery,
-    secureInsert,
-    secureUpdate,
-    secureDelete,
-    secureRpc,
-    getCurrentOrganisationId,
-    validateContext,
-    // NEW: Phase 1 - Enhanced Security Features
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isStrictMode,
-    isAuditLogEnabled,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  };
-}
-
-export {
-  useSecureDataAccess
-};
-//# sourceMappingURL=chunk-EXUD6RNJ.js.map

package/dist/chunk-EXUD6RNJ.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/hooks/useSecureDataAccess.ts"],"sourcesContent":["/**\n * @file useSecureDataAccess Hook\n * @package @jmruthers/pace-core\n * @module Hooks/useSecureDataAccess\n * @since 0.4.0\n *\n * Hook for secure database operations with mandatory organisation context.\n * Ensures all data access is properly scoped to the user's current organisation.\n *\n * @example\n * ```tsx\n * function DataComponent() {\n *   const { secureQuery, secureInsert, secureUpdate, secureDelete } = useSecureDataAccess();\n *   \n *   const loadData = async () => {\n *     try {\n *       // Automatically includes organisation_id filter\n *       const events = await secureQuery('core_events', '*', { is_visible: true });\n *       console.log('Organisation events:', events);\n *     } catch (error) {\n *       console.error('Failed to load data:', error);\n *     }\n *   };\n *   \n *   const createEvent = async (eventData) => {\n *     try {\n *       // Automatically sets organisation_id\n *       const newEvent = await secureInsert('core_events', eventData);\n *       console.log('Created event:', newEvent);\n *     } catch (error) {\n *       console.error('Failed to create event:', error);\n *     }\n *   };\n *   \n *   return (\n *     <div>\n *       <button onClick={loadData}>Load Data</button>\n *       <button onClick={() => createEvent({ event_name: 'New Event' })}>\n *         Create Event\n *       </button>\n *     </div>\n *   );\n * }\n * ```\n *\n * @security\n * - All queries automatically include organisation_id filter\n * - Validates organisation context before any operation\n * - Prevents data leaks between organisations\n * - Error handling for security violations\n * - Type-safe database operations\n */\n\nimport { useCallback, useState, useContext } from 'react';\nimport { useUnifiedAuth } from '../providers';\nimport { useOrganisations } from './useOrganisations';\nimport { EventServiceContext } from '../providers/services/EventServiceProvider';\nimport { setOrganisationContext } from '../utils/context/organisationContext';\nimport { logger } from '../utils/core/logger';\nimport type { Permission } from '../rbac/types';\nimport type { OrganisationSecurityError } from '../types/organisation';\nimport { useOrganisationSecurity } from './useOrganisationSecurity';\nimport { useResolvedScope } from '../rbac/hooks/useResolvedScope';\n\nexport interface SecureDataAccessReturn {\n  /** Execute a secure query with organisation filtering */\n  secureQuery: <T = any>(\n    table: string,\n    columns: string,\n    filters?: Record<string, any>,\n    options?: {\n      orderBy?: string;\n      ascending?: boolean;\n      limit?: number;\n      offset?: number;\n    }\n  ) => Promise<T[]>;\n  \n  /** Execute a secure insert with organisation context */\n  secureInsert: <T = any>(\n    table: string,\n    data: Record<string, any>\n  ) => Promise<T>;\n  \n  /** Execute a secure update with organisation filtering */\n  secureUpdate: <T = any>(\n    table: string,\n    data: Record<string, any>,\n    filters: Record<string, any>\n  ) => Promise<T[]>;\n  \n  /** Execute a secure delete with organisation filtering */\n  secureDelete: (\n    table: string,\n    filters: Record<string, any>\n  ) => Promise<void>;\n  \n  /** Execute a secure RPC call with organisation context */\n  secureRpc: <T = any>(\n    functionName: string,\n    params?: Record<string, any>\n  ) => Promise<T>;\n  \n  /** Get current organisation ID */\n  getCurrentOrganisationId: () => string;\n  \n  /** Validate organisation context */\n  validateContext: () => void;\n  \n  // NEW: Phase 1 - Enhanced Security Features\n  /** Check if data access is allowed for a table and operation */\n  isDataAccessAllowed: (table: string, operation: string) => boolean;\n  \n  /** Get all data access permissions for current user */\n  getDataAccessPermissions: () => Record<string, string[]>;\n  \n  /** Check if strict mode is enabled */\n  isStrictMode: boolean;\n  \n  /** Check if audit logging is enabled */\n  isAuditLogEnabled: boolean;\n  \n  /** Get data access history */\n  getDataAccessHistory: () => DataAccessRecord[];\n  \n  /** Clear data access history */\n  clearDataAccessHistory: () => void;\n  \n  /** Validate data access attempt */\n  validateDataAccess: (table: string, operation: string) => boolean;\n}\n\nexport interface DataAccessRecord {\n  table: string;\n  operation: string;\n  userId: string;\n  organisationId: string;\n  allowed: boolean;\n  timestamp: string;\n  query?: string;\n  filters?: Record<string, any>;\n}\n\n/**\n * Hook for secure data access with automatic organisation filtering\n * \n * All database operations automatically include organisation context:\n * - Queries filter by organisation_id\n * - Inserts include organisation_id\n * - Updates/deletes are scoped to organisation\n * - RPC calls include organisation_id parameter\n */\nexport function useSecureDataAccess(): SecureDataAccessReturn {\n  const { supabase, user, session, selectedOrganisation, selectedEvent } = useUnifiedAuth();\n  \n  // Get selected event for event-scoped RPC calls\n  // Use useContext directly to safely check if EventServiceProvider is available\n  const eventServiceContext = useContext(EventServiceContext);\n  const eventFromContext = eventServiceContext?.eventService?.getSelectedEvent() || null;\n  const effectiveSelectedEvent = selectedEvent || eventFromContext;\n  const { superAdminContext } = useOrganisationSecurity();\n  const isSuperAdmin = superAdminContext.isSuperAdmin;\n\n  // Use resolved scope to get organisationId (derived from event if needed)\n  const { resolvedScope } = useResolvedScope({\n    supabase,\n    selectedOrganisationId: selectedOrganisation?.id || null,\n    selectedEventId: effectiveSelectedEvent?.event_id || null\n  });\n\n  const validateContext = useCallback((): void => {\n    if (!supabase) {\n      throw new Error('No Supabase client available') as OrganisationSecurityError;\n    }\n    if (!user || !session) {\n      throw new Error('User must be authenticated with valid session') as OrganisationSecurityError;\n    }\n    \n    if (isSuperAdmin) {\n      return;\n    }\n    \n    if (!resolvedScope?.organisationId) {\n      throw new Error('Organisation context is required for data access') as OrganisationSecurityError;\n    }\n  }, [supabase, user, session, resolvedScope, isSuperAdmin]);\n\n  const getCurrentOrganisationId = useCallback((): string => {\n    if (isSuperAdmin) {\n      // For super admins, try to get org from resolved scope or selectedOrganisation\n      return resolvedScope?.organisationId || selectedOrganisation?.id || '';\n    }\n\n    validateContext();\n    return resolvedScope?.organisationId || '';\n  }, [validateContext, resolvedScope, selectedOrganisation, isSuperAdmin]);\n\n  // Set organisation context in database session\n  const setOrganisationContextInSession = useCallback(async (organisationId?: string): Promise<void> => {\n    if (!supabase || !organisationId) {\n      return;\n    }\n\n    await setOrganisationContext(supabase, organisationId);\n  }, [supabase]);\n\n  const secureQuery = useCallback(async <T = any>(\n    table: string,\n    columns: string,\n    filters: Record<string, any> = {},\n    options: {\n      orderBy?: string;\n      ascending?: boolean;\n      limit?: number;\n      offset?: number;\n    } = {}\n  ): Promise<T[]> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Build query with organisation filter\n    let query = supabase!\n      .from(table)\n      .select(columns);\n\n    // Add organisation filter only if table has organisation_id column\n    // Defense in depth strategy:\n    // - RLS policies are the primary security layer (cannot be bypassed)\n    // - Application-level filtering adds an additional layer of protection\n    const tablesWithOrganisation = [\n      'core_events',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype',\n      // NOTE: core_person, core_member, core_contact, core_consent, core_identification, \n      // core_qualification, and medi_profile are person-scoped tables that do NOT have \n      // organisation_id columns. They were removed as part of the person-scoped profiles migration.\n      // Do NOT add organisation_id filters to these tables - it will cause 400 errors.\n      // SECURITY: Phase 3A additions - medical and personal data\n      // NOTE: medi_condition, medi_diet, medi_action_plan, medi_profile_versions are now person-scoped\n      // (via medi_profile) - removed from this list\n      // core_identification_type remains organisation-scoped (lookup table)\n      'core_identification_type',\n      'form_responses', 'form_response_values', 'forms',\n      // SECURITY: Phase 3B additions - remaining critical tables\n      'invoice', 'line_item', 'credit_balance', 'payment_method',\n      'form_contexts', 'form_field_config', 'form_fields',\n      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', \n      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', \n      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions',\n      // rbac_user_profiles has organisation_id but uses conditional filtering\n      'rbac_user_profiles'\n    ];\n    \n    // Apply organisation filtering based on table and super admin status\n    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {\n      // For rbac_user_profiles: Super admins see all (no filter), non-super-admins get filtered (defense in depth)\n      // For other tables: Always apply filter\n      if (table === 'rbac_user_profiles' && isSuperAdmin) {\n        // Super admin: No org filter - RLS handles access control\n        // This allows super admins to see all users across all organisations\n      } else {\n        // Non-super-admin OR other tables: Apply org filter as defense in depth\n        query = query.eq('organisation_id', organisationId);\n      }\n    }\n\n    // Apply additional filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        // Handle qualified column names (e.g., 'users.role')\n        const columnName = key.includes('.') ? key.split('.').pop()! : key;\n        query = query.eq(columnName, value);\n      }\n    });\n\n    // Apply options\n    if (options.orderBy) {\n      // Only use the column name, not a qualified name\n      const orderByColumn = options.orderBy.split('.').pop();\n      if (orderByColumn) {\n        query = query.order(orderByColumn, { ascending: options.ascending ?? true });\n      }\n    }\n    \n    if (options.limit) {\n      query = query.limit(options.limit);\n    }\n    \n    if (options.offset) {\n      query = query.range(options.offset, options.offset + (options.limit || 100) - 1);\n    }\n\n    const { data, error } = await query;\n    \n    if (error) {\n      logger.error('useSecureDataAccess', 'Query failed', { table, columns, filters, error });\n      // NEW: Phase 1 - Record failed data access attempt\n      recordDataAccess(table, 'read', false, `SELECT ${columns} FROM ${table}`, filters);\n      throw error;\n    }\n\n    // NEW: Phase 1 - Record successful data access attempt\n    recordDataAccess(table, 'read', true, `SELECT ${columns} FROM ${table}`, filters);\n\n    return (data as T[]) || [];\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);\n\n  const secureInsert = useCallback(async <T = any>(\n    table: string,\n    data: Record<string, any>\n  ): Promise<T> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Ensure organisation_id is set\n    const secureData = bypassOrganisationFilter\n      ? { ...data }\n      : {\n          ...data,\n          organisation_id: organisationId\n        };\n\n    const { data: insertData, error } = await supabase!\n      .from(table)\n      .insert(secureData)\n      .select()\n      .single();\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Insert failed', { table, data: secureData, error });\n      throw error;\n    }\n\n    return insertData as T;\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);\n\n  const secureUpdate = useCallback(async <T = any>(\n    table: string,\n    data: Record<string, any>,\n    filters: Record<string, any>\n  ): Promise<T[]> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Filter out organisation_id from data to prevent manipulation\n    const { organisation_id, ...secureData } = data;\n    \n    // Build update query with organisation filter\n    let query = supabase!\n      .from(table)\n      .update(secureData);\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'core_events',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'core_person',\n      // SECURITY: These tables still have organisation_id columns and must be filtered\n      'core_member', 'core_contact', 'core_consent', 'core_identification', 'core_qualification',\n      'medi_profile',\n      // SECURITY: Phase 3A additions - medical and personal data\n      'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',\n      'core_identification_type',\n      'form_responses', 'form_response_values', 'forms',\n      // SECURITY: Phase 3B additions - remaining critical tables\n      'invoice', 'line_item', 'credit_balance', 'payment_method',\n      'form_contexts', 'form_field_config', 'form_fields',\n      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', \n      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', \n      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'\n    ];\n    \n    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        query = query.eq(key, value);\n      }\n    });\n\n    const { data: updateData, error } = await query.select();\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Update failed', { table, data: secureData, filters, error });\n      throw error;\n    }\n\n    return (updateData as T[]) || [];\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);\n\n  const secureDelete = useCallback(async (\n    table: string,\n    filters: Record<string, any>\n  ): Promise<void> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Build delete query with organisation filter\n    let query = supabase!\n      .from(table)\n      .delete();\n\n    // Add organisation filter only if table has organisation_id column\n    const tablesWithOrganisation = [\n      'core_events',  'organisation_settings',\n      'rbac_event_app_roles', 'rbac_organisation_roles',\n      // SECURITY: Phase 2 additions - complete organisation table mapping\n      'organisation_audit_log', 'organisation_invitations', 'organisation_app_access',\n      // SECURITY: Emergency additions for Phase 1 fixes\n      'cake_meal', 'cake_mealtype', 'core_person', 'core_member',\n      // SECURITY: Phase 3A additions - medical and personal data\n      'medi_profile', 'medi_condition', 'medi_diet', 'medi_action_plan', 'medi_profile_versions',\n      'core_consent', 'core_contact', 'core_identification', 'core_identification_type', 'core_qualification',\n      'form_responses', 'form_response_values', 'forms',\n      // SECURITY: Phase 3B additions - remaining critical tables\n      'invoice', 'line_item', 'credit_balance', 'payment_method',\n      'form_contexts', 'form_field_config', 'form_fields',\n      'cake_delivery', 'cake_diettype', 'cake_diner', 'cake_dish', 'cake_item', \n      'cake_logistics', 'cake_mealplan', 'cake_package', 'cake_recipe', 'cake_supplier', \n      'cake_supply', 'cake_unit', 'event_app_access', 'base_application', 'base_questions'\n    ];\n    \n    if (!bypassOrganisationFilter && organisationId && tablesWithOrganisation.includes(table)) {\n      query = query.eq('organisation_id', organisationId);\n    }\n\n    // Apply filters\n    Object.entries(filters).forEach(([key, value]) => {\n      if (value !== undefined && value !== null) {\n        query = query.eq(key, value);\n      }\n    });\n\n    const { error } = await query;\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'Delete failed', { table, filters, error });\n      throw error;\n    }\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, isSuperAdmin]);\n\n  const secureRpc = useCallback(async <T = any>(\n    functionName: string,\n    params: Record<string, any> = {}\n  ): Promise<T> => {\n    validateContext();\n    const bypassOrganisationFilter = isSuperAdmin;\n    const organisationId = bypassOrganisationFilter ? undefined : getCurrentOrganisationId();\n\n    // Set organisation context in database session\n    await setOrganisationContextInSession(organisationId);\n\n    // Include organisation_id in RPC parameters\n    // Some functions use p_organisation_id instead of organisation_id (to avoid conflicts with RETURNS TABLE columns)\n    const functionsWithPOrganisationId = [\n      'data_cake_diners_list',\n      'data_cake_mealplans_list'\n    ];\n    \n    const paramName = functionsWithPOrganisationId.includes(functionName) \n      ? 'p_organisation_id' \n      : 'organisation_id';\n    \n    // Functions that need p_event_id for event-app role permission checks\n    // Note: Even org-scoped functions (like items, packages, suppliers) need event_id\n    //       for permission checks when users have event-app roles\n    const functionsNeedingEventId = [\n      'data_cake_items_list',\n      'data_cake_packages_list',\n      'data_cake_suppliers_list',\n      'data_cake_diettypes_list',\n      'data_cake_mealtypes_list',\n      'data_cake_diners_list',\n      'data_cake_mealplans_list',\n      'data_cake_dishes_list',\n      'data_cake_recipes_list',\n      'data_cake_meals_list',\n      'data_cake_units_list',\n      'data_cake_orders_list',\n      'app_cake_item_create',\n      'app_cake_item_update',\n      'app_cake_package_create',\n      'app_cake_package_update',\n      'app_cake_supplier_create',\n      'app_cake_supplier_update',\n      'app_cake_supplier_delete',\n      'app_cake_meal_create',\n      'app_cake_meal_update',\n      'app_cake_meal_delete',\n      'app_cake_unit_create',\n      'app_cake_unit_update',\n      'app_cake_unit_delete',\n      'app_cake_delivery_upsert'\n    ];\n    \n    // Build secureParams with correct parameter order\n    // For functions that require p_event_id as first parameter, ensure it's first\n    const secureParams: Record<string, any> = {};\n    \n    // Functions where p_event_id is the FIRST required parameter (no default)\n    const functionsWithEventIdFirst = [\n      'data_cake_meals_list',\n      'data_cake_units_list'\n    ];\n    \n    // Add p_user_id explicitly for functions that need it (even though it has a default)\n    // This ensures parameter matching works correctly\n    if (user?.id) {\n      secureParams.p_user_id = user.id;\n    }\n    \n    // Add organisation_id parameter when needed\n    if (!bypassOrganisationFilter && organisationId) {\n      secureParams[paramName] = organisationId;\n    } else if (organisationId && !(paramName in params)) {\n      // Default to the current organisation if caller didn't specify one\n      secureParams[paramName] = organisationId;\n    }\n    \n    // Add p_event_id if function needs it and event is selected\n    // CRITICAL: This must be added AFTER organisation_id but BEFORE caller params\n    // to ensure it's not overwritten. For data_cake_items_list, p_event_id is the 3rd param.\n    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {\n      secureParams.p_event_id = selectedEvent.event_id;\n    }\n    \n    // Add any other params passed by caller (limit, offset, etc.)\n    // NOTE: This will NOT overwrite p_event_id if caller passes it, but we want to ensure\n    // our value takes precedence if event is selected\n    Object.assign(secureParams, params);\n    \n    // Ensure p_event_id is set if needed (after Object.assign, so it overrides caller params)\n    if (functionsNeedingEventId.includes(functionName) && selectedEvent?.event_id) {\n      secureParams.p_event_id = selectedEvent.event_id;\n    }\n\n    const { data, error } = await supabase!.rpc(functionName, secureParams);\n\n    if (error) {\n      logger.error('useSecureDataAccess', 'RPC failed', { functionName, params: secureParams, error });\n      throw error;\n    }\n\n    return data as T;\n  }, [validateContext, getCurrentOrganisationId, setOrganisationContextInSession, supabase, selectedEvent?.event_id, user?.id, isSuperAdmin]);\n\n  // NEW: Phase 1 - Enhanced Security Features\n  const [dataAccessHistory, setDataAccessHistory] = useState<DataAccessRecord[]>([]);\n  const [isStrictMode] = useState(true); // Always enabled in Phase 1\n  const [isAuditLogEnabled] = useState(true); // Always enabled in Phase 1\n\n  // Check if data access is allowed for a table and operation\n  const isDataAccessAllowed = useCallback((table: string, operation: string): boolean => {\n    if (!user?.id) return false;\n    \n    // Use the existing RBAC system to check data access permissions\n    // This is a synchronous check for the context - actual permission checking\n    // happens in the secure data operations using the RBAC engine\n    const permission = `${operation}:data.${table}` as Permission;\n    \n    // For now, we'll return true and let the secure data operations\n    // handle the actual permission checking asynchronously\n    // This context is mainly for tracking and audit purposes\n    return true;\n  }, [user?.id]);\n\n  // Get all data access permissions for current user\n  const getDataAccessPermissions = useCallback((): Record<string, string[]> => {\n    if (!user?.id) return {};\n    \n    // For now, return empty object - this will be enhanced with actual permission checking\n    // when we integrate with the existing RBAC system\n    return {};\n  }, [user?.id]);\n\n  // Get data access history\n  const getDataAccessHistory = useCallback((): DataAccessRecord[] => {\n    return [...dataAccessHistory];\n  }, [dataAccessHistory]);\n\n  // Clear data access history\n  const clearDataAccessHistory = useCallback(() => {\n    setDataAccessHistory([]);\n  }, []);\n\n  // Validate data access attempt\n  const validateDataAccess = useCallback((table: string, operation: string): boolean => {\n    if (!user?.id) return false;\n    \n    // Validate organisation context\n    try {\n      validateContext();\n    } catch (error) {\n      logger.error('useSecureDataAccess', 'Organisation context validation failed', { table, operation, error });\n      return false;\n    }\n    \n    return isDataAccessAllowed(table, operation);\n  }, [user?.id, validateContext, isDataAccessAllowed]);\n\n  // Record data access attempt\n  const recordDataAccess = useCallback((\n    table: string,\n    operation: string,\n    allowed: boolean,\n    query?: string,\n    filters?: Record<string, any>\n  ) => {\n    if (!isAuditLogEnabled || !user?.id) return;\n    const auditOrganisationId = getCurrentOrganisationId() || 'super-admin-bypass';\n\n    const record: DataAccessRecord = {\n      table,\n      operation,\n      userId: user.id,\n      organisationId: auditOrganisationId,\n      allowed,\n      timestamp: new Date().toISOString(),\n      query,\n      filters\n    };\n    \n    setDataAccessHistory(prev => {\n      const newHistory = [record, ...prev];\n      return newHistory.slice(0, 1000); // Keep last 1000 records\n    });\n    \n    if (isStrictMode && !allowed) {\n      logger.error('useSecureDataAccess', 'STRICT MODE VIOLATION: User attempted data access without permission', {\n        table,\n        operation,\n        userId: user.id,\n        organisationId: auditOrganisationId,\n        timestamp: new Date().toISOString()\n      });\n    }\n  }, [isAuditLogEnabled, isStrictMode, user?.id, getCurrentOrganisationId]);\n\n  return {\n    secureQuery,\n    secureInsert,\n    secureUpdate,\n    secureDelete,\n    secureRpc,\n    getCurrentOrganisationId,\n    validateContext,\n    // NEW: Phase 1 - Enhanced Security Features\n    isDataAccessAllowed,\n    getDataAccessPermissions,\n    isStrictMode,\n    isAuditLogEnabled,\n    getDataAccessHistory,\n    clearDataAccessHistory,\n    validateDataAccess\n  };\n} "],"mappings":";;;;;;;;;;;;;;;;AAqDA,SAAS,aAAa,UAAU,kBAAkB;AAmG3C,SAAS,sBAA8C;AAC5D,QAAM,EAAE,UAAU,MAAM,SAAS,sBAAsB,cAAc,IAAI,eAAe;AAIxF,QAAM,sBAAsB,WAAW,mBAAmB;AAC1D,QAAM,mBAAmB,qBAAqB,cAAc,iBAAiB,KAAK;AAClF,QAAM,yBAAyB,iBAAiB;AAChD,QAAM,EAAE,kBAAkB,IAAI,wBAAwB;AACtD,QAAM,eAAe,kBAAkB;AAGvC,QAAM,EAAE,cAAc,IAAI,iBAAiB;AAAA,IACzC;AAAA,IACA,wBAAwB,sBAAsB,MAAM;AAAA,IACpD,iBAAiB,wBAAwB,YAAY;AAAA,EACvD,CAAC;AAED,QAAM,kBAAkB,YAAY,MAAY;AAC9C,QAAI,CAAC,UAAU;AACb,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AACA,QAAI,CAAC,QAAQ,CAAC,SAAS;AACrB,YAAM,IAAI,MAAM,+CAA+C;AAAA,IACjE;AAEA,QAAI,cAAc;AAChB;AAAA,IACF;AAEA,QAAI,CAAC,eAAe,gBAAgB;AAClC,YAAM,IAAI,MAAM,kDAAkD;AAAA,IACpE;AAAA,EACF,GAAG,CAAC,UAAU,MAAM,SAAS,eAAe,YAAY,CAAC;AAEzD,QAAM,2BAA2B,YAAY,MAAc;AACzD,QAAI,cAAc;AAEhB,aAAO,eAAe,kBAAkB,sBAAsB,MAAM;AAAA,IACtE;AAEA,oBAAgB;AAChB,WAAO,eAAe,kBAAkB;AAAA,EAC1C,GAAG,CAAC,iBAAiB,eAAe,sBAAsB,YAAY,CAAC;AAGvE,QAAM,kCAAkC,YAAY,OAAO,mBAA2C;AACpG,QAAI,CAAC,YAAY,CAAC,gBAAgB;AAChC;AAAA,IACF;AAEA,UAAM,uBAAuB,UAAU,cAAc;AAAA,EACvD,GAAG,CAAC,QAAQ,CAAC;AAEb,QAAM,cAAc,YAAY,OAC9B,OACA,SACA,UAA+B,CAAC,GAChC,UAKI,CAAC,MACY;AACjB,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAGpD,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO,OAAO;AAMjB,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAgB;AAAA,MAChB;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASb;AAAA,MACA;AAAA,MAAkB;AAAA,MAAwB;AAAA;AAAA,MAE1C;AAAA,MAAW;AAAA,MAAa;AAAA,MAAkB;AAAA,MAC1C;AAAA,MAAiB;AAAA,MAAqB;AAAA,MACtC;AAAA,MAAiB;AAAA,MAAiB;AAAA,MAAc;AAAA,MAAa;AAAA,MAC7D;AAAA,MAAkB;AAAA,MAAiB;AAAA,MAAgB;AAAA,MAAe;AAAA,MAClE;AAAA,MAAe;AAAA,MAAa;AAAA,MAAoB;AAAA,MAAoB;AAAA;AAAA,MAEpE;AAAA,IACF;AAGA,QAAI,CAAC,4BAA4B,kBAAkB,uBAAuB,SAAS,KAAK,GAAG;AAGzF,UAAI,UAAU,wBAAwB,cAAc;AAAA,MAGpD,OAAO;AAEL,gBAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,MACpD;AAAA,IACF;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AAEzC,cAAM,aAAa,IAAI,SAAS,GAAG,IAAI,IAAI,MAAM,GAAG,EAAE,IAAI,IAAK;AAC/D,gBAAQ,MAAM,GAAG,YAAY,KAAK;AAAA,MACpC;AAAA,IACF,CAAC;AAGD,QAAI,QAAQ,SAAS;AAEnB,YAAM,gBAAgB,QAAQ,QAAQ,MAAM,GAAG,EAAE,IAAI;AACrD,UAAI,eAAe;AACjB,gBAAQ,MAAM,MAAM,eAAe,EAAE,WAAW,QAAQ,aAAa,KAAK,CAAC;AAAA,MAC7E;AAAA,IACF;AAEA,QAAI,QAAQ,OAAO;AACjB,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AAEA,QAAI,QAAQ,QAAQ;AAClB,cAAQ,MAAM,MAAM,QAAQ,QAAQ,QAAQ,UAAU,QAAQ,SAAS,OAAO,CAAC;AAAA,IACjF;AAEA,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM;AAE9B,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,gBAAgB,EAAE,OAAO,SAAS,SAAS,MAAM,CAAC;AAEtF,uBAAiB,OAAO,QAAQ,OAAO,UAAU,OAAO,SAAS,KAAK,IAAI,OAAO;AACjF,YAAM;AAAA,IACR;AAGA,qBAAiB,OAAO,QAAQ,MAAM,UAAU,OAAO,SAAS,KAAK,IAAI,OAAO;AAEhF,WAAQ,QAAgB,CAAC;AAAA,EAC3B,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,YAAY,CAAC;AAEvG,QAAM,eAAe,YAAY,OAC/B,OACA,SACe;AACf,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAGpD,UAAM,aAAa,2BACf,EAAE,GAAG,KAAK,IACV;AAAA,MACE,GAAG;AAAA,MACH,iBAAiB;AAAA,IACnB;AAEJ,UAAM,EAAE,MAAM,YAAY,MAAM,IAAI,MAAM,SACvC,KAAK,KAAK,EACV,OAAO,UAAU,EACjB,OAAO,EACP,OAAO;AAEV,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,MAAM,YAAY,MAAM,CAAC;AACvF,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,YAAY,CAAC;AAEvG,QAAM,eAAe,YAAY,OAC/B,OACA,MACA,YACiB;AACjB,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAGpD,UAAM,EAAE,iBAAiB,GAAG,WAAW,IAAI;AAG3C,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO,UAAU;AAGpB,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAgB;AAAA,MAChB;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA;AAAA,MAE9B;AAAA,MAAe;AAAA,MAAgB;AAAA,MAAgB;AAAA,MAAuB;AAAA,MACtE;AAAA;AAAA,MAEA;AAAA,MAAkB;AAAA,MAAa;AAAA,MAAoB;AAAA,MACnD;AAAA,MACA;AAAA,MAAkB;AAAA,MAAwB;AAAA;AAAA,MAE1C;AAAA,MAAW;AAAA,MAAa;AAAA,MAAkB;AAAA,MAC1C;AAAA,MAAiB;AAAA,MAAqB;AAAA,MACtC;AAAA,MAAiB;AAAA,MAAiB;AAAA,MAAc;AAAA,MAAa;AAAA,MAC7D;AAAA,MAAkB;AAAA,MAAiB;AAAA,MAAgB;AAAA,MAAe;AAAA,MAClE;AAAA,MAAe;AAAA,MAAa;AAAA,MAAoB;AAAA,MAAoB;AAAA,IACtE;AAEA,QAAI,CAAC,4BAA4B,kBAAkB,uBAAuB,SAAS,KAAK,GAAG;AACzF,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,gBAAQ,MAAM,GAAG,KAAK,KAAK;AAAA,MAC7B;AAAA,IACF,CAAC;AAED,UAAM,EAAE,MAAM,YAAY,MAAM,IAAI,MAAM,MAAM,OAAO;AAEvD,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,MAAM,YAAY,SAAS,MAAM,CAAC;AAChG,YAAM;AAAA,IACR;AAEA,WAAQ,cAAsB,CAAC;AAAA,EACjC,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,YAAY,CAAC;AAEvG,QAAM,eAAe,YAAY,OAC/B,OACA,YACkB;AAClB,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAGpD,QAAI,QAAQ,SACT,KAAK,KAAK,EACV,OAAO;AAGV,UAAM,yBAAyB;AAAA,MAC7B;AAAA,MAAgB;AAAA,MAChB;AAAA,MAAwB;AAAA;AAAA,MAExB;AAAA,MAA0B;AAAA,MAA4B;AAAA;AAAA,MAEtD;AAAA,MAAa;AAAA,MAAiB;AAAA,MAAe;AAAA;AAAA,MAE7C;AAAA,MAAgB;AAAA,MAAkB;AAAA,MAAa;AAAA,MAAoB;AAAA,MACnE;AAAA,MAAgB;AAAA,MAAgB;AAAA,MAAuB;AAAA,MAA4B;AAAA,MACnF;AAAA,MAAkB;AAAA,MAAwB;AAAA;AAAA,MAE1C;AAAA,MAAW;AAAA,MAAa;AAAA,MAAkB;AAAA,MAC1C;AAAA,MAAiB;AAAA,MAAqB;AAAA,MACtC;AAAA,MAAiB;AAAA,MAAiB;AAAA,MAAc;AAAA,MAAa;AAAA,MAC7D;AAAA,MAAkB;AAAA,MAAiB;AAAA,MAAgB;AAAA,MAAe;AAAA,MAClE;AAAA,MAAe;AAAA,MAAa;AAAA,MAAoB;AAAA,MAAoB;AAAA,IACtE;AAEA,QAAI,CAAC,4BAA4B,kBAAkB,uBAAuB,SAAS,KAAK,GAAG;AACzF,cAAQ,MAAM,GAAG,mBAAmB,cAAc;AAAA,IACpD;AAGA,WAAO,QAAQ,OAAO,EAAE,QAAQ,CAAC,CAAC,KAAK,KAAK,MAAM;AAChD,UAAI,UAAU,UAAa,UAAU,MAAM;AACzC,gBAAQ,MAAM,GAAG,KAAK,KAAK;AAAA,MAC7B;AAAA,IACF,CAAC;AAED,UAAM,EAAE,MAAM,IAAI,MAAM;AAExB,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,iBAAiB,EAAE,OAAO,SAAS,MAAM,CAAC;AAC9E,YAAM;AAAA,IACR;AAAA,EACF,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,YAAY,CAAC;AAEvG,QAAM,YAAY,YAAY,OAC5B,cACA,SAA8B,CAAC,MAChB;AACf,oBAAgB;AAChB,UAAM,2BAA2B;AACjC,UAAM,iBAAiB,2BAA2B,SAAY,yBAAyB;AAGvF,UAAM,gCAAgC,cAAc;AAIpD,UAAM,+BAA+B;AAAA,MACnC;AAAA,MACA;AAAA,IACF;AAEA,UAAM,YAAY,6BAA6B,SAAS,YAAY,IAChE,sBACA;AAKJ,UAAM,0BAA0B;AAAA,MAC9B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAIA,UAAM,eAAoC,CAAC;AAG3C,UAAM,4BAA4B;AAAA,MAChC;AAAA,MACA;AAAA,IACF;AAIA,QAAI,MAAM,IAAI;AACZ,mBAAa,YAAY,KAAK;AAAA,IAChC;AAGA,QAAI,CAAC,4BAA4B,gBAAgB;AAC/C,mBAAa,SAAS,IAAI;AAAA,IAC5B,WAAW,kBAAkB,EAAE,aAAa,SAAS;AAEnD,mBAAa,SAAS,IAAI;AAAA,IAC5B;AAKA,QAAI,wBAAwB,SAAS,YAAY,KAAK,eAAe,UAAU;AAC7E,mBAAa,aAAa,cAAc;AAAA,IAC1C;AAKA,WAAO,OAAO,cAAc,MAAM;AAGlC,QAAI,wBAAwB,SAAS,YAAY,KAAK,eAAe,UAAU;AAC7E,mBAAa,aAAa,cAAc;AAAA,IAC1C;AAEA,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,SAAU,IAAI,cAAc,YAAY;AAEtE,QAAI,OAAO;AACT,aAAO,MAAM,uBAAuB,cAAc,EAAE,cAAc,QAAQ,cAAc,MAAM,CAAC;AAC/F,YAAM;AAAA,IACR;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,iBAAiB,0BAA0B,iCAAiC,UAAU,eAAe,UAAU,MAAM,IAAI,YAAY,CAAC;AAG1I,QAAM,CAAC,mBAAmB,oBAAoB,IAAI,SAA6B,CAAC,CAAC;AACjF,QAAM,CAAC,YAAY,IAAI,SAAS,IAAI;AACpC,QAAM,CAAC,iBAAiB,IAAI,SAAS,IAAI;AAGzC,QAAM,sBAAsB,YAAY,CAAC,OAAe,cAA+B;AACrF,QAAI,CAAC,MAAM,GAAI,QAAO;AAKtB,UAAM,aAAa,GAAG,SAAS,SAAS,KAAK;AAK7C,WAAO;AAAA,EACT,GAAG,CAAC,MAAM,EAAE,CAAC;AAGb,QAAM,2BAA2B,YAAY,MAAgC;AAC3E,QAAI,CAAC,MAAM,GAAI,QAAO,CAAC;AAIvB,WAAO,CAAC;AAAA,EACV,GAAG,CAAC,MAAM,EAAE,CAAC;AAGb,QAAM,uBAAuB,YAAY,MAA0B;AACjE,WAAO,CAAC,GAAG,iBAAiB;AAAA,EAC9B,GAAG,CAAC,iBAAiB,CAAC;AAGtB,QAAM,yBAAyB,YAAY,MAAM;AAC/C,yBAAqB,CAAC,CAAC;AAAA,EACzB,GAAG,CAAC,CAAC;AAGL,QAAM,qBAAqB,YAAY,CAAC,OAAe,cAA+B;AACpF,QAAI,CAAC,MAAM,GAAI,QAAO;AAGtB,QAAI;AACF,sBAAgB;AAAA,IAClB,SAAS,OAAO;AACd,aAAO,MAAM,uBAAuB,0CAA0C,EAAE,OAAO,WAAW,MAAM,CAAC;AACzG,aAAO;AAAA,IACT;AAEA,WAAO,oBAAoB,OAAO,SAAS;AAAA,EAC7C,GAAG,CAAC,MAAM,IAAI,iBAAiB,mBAAmB,CAAC;AAGnD,QAAM,mBAAmB,YAAY,CACnC,OACA,WACA,SACA,OACA,YACG;AACH,QAAI,CAAC,qBAAqB,CAAC,MAAM,GAAI;AACrC,UAAM,sBAAsB,yBAAyB,KAAK;AAE1D,UAAM,SAA2B;AAAA,MAC/B;AAAA,MACA;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,gBAAgB;AAAA,MAChB;AAAA,MACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,MACA;AAAA,IACF;AAEA,yBAAqB,UAAQ;AAC3B,YAAM,aAAa,CAAC,QAAQ,GAAG,IAAI;AACnC,aAAO,WAAW,MAAM,GAAG,GAAI;AAAA,IACjC,CAAC;AAED,QAAI,gBAAgB,CAAC,SAAS;AAC5B,aAAO,MAAM,uBAAuB,wEAAwE;AAAA,QAC1G;AAAA,QACA;AAAA,QACA,QAAQ,KAAK;AAAA,QACb,gBAAgB;AAAA,QAChB,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MACpC,CAAC;AAAA,IACH;AAAA,EACF,GAAG,CAAC,mBAAmB,cAAc,MAAM,IAAI,wBAAwB,CAAC;AAExE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA;AAAA,IAEA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}