npm - @jmruthers/pace-core - Versions diffs - 0.6.10 → 0.6.11 - Mend

@jmruthers/pace-core 0.6.10 → 0.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (726) hide show

package/dist/{chunk-W46INAVW.js → chunk-YYTWKVHO.js} RENAMED Viewed

@@ -1,11 +1,13 @@
-import { AccessDenied, useEvents } from './chunk-X5EAU5G7.js';
-import { useResolvedScope, scopeEqual, useCan, Alert, AlertTitle, useMultiplePermissions } from './chunk-KYURMOQM.js';
-import { useUnifiedAuth, useOrganisations } from './chunk-Y4PF6HIM.js';
-import { getRBACLogger, isSuperAdmin } from './chunk-LNHFAF4X.js';
-import { LoadingSpinner } from './chunk-UZNAFKGW.js';
+import { AccessDenied } from './chunk-PCSHBLPB.js';
+import { useResolvedScope, scopeEqual, useCan, Alert, AlertTitle, useMultiplePermissions } from './chunk-V7FTM2LU.js';
+import { useEvents } from './chunk-WY6Y7KC3.js';
+import { useUnifiedAuth, useOrganisations } from './chunk-4R3T5ENU.js';
+import { setPrintTitle } from './chunk-D6BMFMQZ.js';
+import { getRBACLogger, isSuperAdmin } from './chunk-7A6IMHH2.js';
+import { cn, LoadingSpinner } from './chunk-UZNAFKGW.js';
 import { createLogger } from './chunk-BTHN5MKC.js';
-import React, { useRef, useMemo, useState, useEffect, useCallback } from 'react';
-import { jsx, Fragment, jsxs } from 'react/jsx-runtime';
+import React, { useEffect, useRef, useMemo, useState, useCallback } from 'react';
+import { jsx, jsxs, Fragment } from 'react/jsx-runtime';
 // src/rbac/types/functions.ts
 var RPCFunction = /* @__PURE__ */ ((RPCFunction2) => {
@@ -45,57 +47,37 @@ var RBACErrorCode = /* @__PURE__ */ ((RBACErrorCode2) => {
   return RBACErrorCode2;
 })(RBACErrorCode || {});
 var logger = getRBACLogger();
-var PagePermissionGuardComponent = ({
-  pageName,
-  operation,
-  children,
-  fallback = /* @__PURE__ */ jsx(AccessDenied, {}),
-  strictMode = true,
-  auditLog = true,
-  pageId,
-  scope,
-  onDenied,
-  loading = /* @__PURE__ */ jsx(DefaultLoading, {})
-}) => {
-  const renderCountRef = useRef(0);
-  renderCountRef.current += 1;
-  useMemo(() => Math.random().toString(36).substr(2, 9), []);
-  const { user, selectedOrganisation, selectedEvent, supabase, appId: contextAppId, appName } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState(false);
-  const hasLoggedSuperAdminRef = useRef(false);
-  const effectivePageId = useMemo(() => {
-    return pageId || pageName;
-  }, [pageId, pageName]);
+function useSuperAdminCheck(userId) {
   const [isSuperAdmin2, setIsSuperAdmin] = useState(null);
   useEffect(() => {
-    if (!user?.id) {
+    if (!userId) {
       setIsSuperAdmin(false);
       return;
     }
     let cancelled = false;
+    const startTime = Date.now();
     const checkSuperAdmin = async () => {
-      const startTime = Date.now();
       try {
-        const { isSuperAdmin: checkSuperAdmin2 } = await import('./api-F47QJ7FX.js');
+        const { isSuperAdmin: checkSuperAdmin2 } = await import('./api-BZR2CYXL.js');
         const timeoutPromise = new Promise((_, reject) => {
           setTimeout(() => reject(new Error("Super admin check timeout")), 1e4);
         });
-        const isSuper = await Promise.race([
-          checkSuperAdmin2(user.id),
+        const result = await Promise.race([
+          checkSuperAdmin2(userId),
           timeoutPromise
         ]);
         const elapsed = Date.now() - startTime;
         if (!cancelled) {
+          const isSuper = result.ok && result.data;
           setIsSuperAdmin(isSuper);
           if (false) ;
         }
       } catch (err) {
         const elapsed = Date.now() - startTime;
         if (!cancelled) {
-          const logger3 = getRBACLogger();
-          logger3.error("[PagePermissionGuard] Error checking super admin", {
+          logger.error("[PagePermissionGuard] Error checking super admin", {
             error: err,
-            userId: user.id,
+            userId,
             elapsedMs: elapsed
           });
           setIsSuperAdmin(false);
@@ -106,32 +88,33 @@ var PagePermissionGuardComponent = ({
     return () => {
       cancelled = true;
     };
-  }, [user?.id]);
+  }, [userId]);
+  return { isSuperAdmin: isSuperAdmin2 };
+}
+function usePageGuardScope({
+  supabase,
+  selectedOrganisationId,
+  selectedEventId,
+  selectedEventOrganisationId,
+  scope,
+  contextAppId,
+  appName,
+  isSuperAdmin: isSuperAdmin2
+}) {
   const { resolvedScope: hookResolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
     supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null,
-    selectedEventOrganisationId: selectedEvent?.organisation_id || null
+    selectedOrganisationId,
+    selectedEventId,
+    selectedEventOrganisationId
   });
-  const shouldBypassScopeForSuperAdmin = isSuperAdmin2 === true;
   const allowsOptionalContexts = useMemo(() => appName === "PORTAL" || appName === "ADMIN", [appName]);
-  const effectiveScope = useMemo(() => scope || (hookResolvedScope ? {
-    ...hookResolvedScope,
-    appId: hookResolvedScope.appId || (allowsOptionalContexts ? contextAppId : void 0)
-  } : allowsOptionalContexts && contextAppId ? {
-    organisationId: void 0,
-    eventId: void 0,
-    appId: contextAppId
-  } : selectedEvent?.event_id ? {
-    organisationId: void 0,
-    // Will be derived from event
-    eventId: selectedEvent.event_id,
-    appId: contextAppId || void 0
-  } : null), [scope, hookResolvedScope, allowsOptionalContexts, contextAppId, selectedEvent?.event_id]);
-  const checkError = scopeError;
-  const permission = useMemo(() => {
-    return `${operation}:page.${pageName}`;
-  }, [operation, pageName]);
+  const effectiveScope = useMemo(
+    () => scope || (hookResolvedScope ? {
+      ...hookResolvedScope,
+      appId: hookResolvedScope.appId || (allowsOptionalContexts ? contextAppId : void 0)
+    } : allowsOptionalContexts && contextAppId ? { organisationId: void 0, eventId: void 0, appId: contextAppId } : selectedEventId ? { organisationId: void 0, eventId: selectedEventId, appId: contextAppId || void 0 } : null),
+    [scope, hookResolvedScope, allowsOptionalContexts, contextAppId, selectedEventId]
+  );
   const prevScopeRef = useRef(null);
   const stableScope = useMemo(() => {
     if (allowsOptionalContexts && effectiveScope) {
@@ -140,9 +123,7 @@ var PagePermissionGuardComponent = ({
         appId: effectiveScope.appId || contextAppId || void 0,
         eventId: effectiveScope.eventId
       };
-      if (scopeEqual(prevScopeRef.current, newScope2)) {
-        return prevScopeRef.current;
-      }
+      if (scopeEqual(prevScopeRef.current, newScope2)) return prevScopeRef.current;
       prevScopeRef.current = newScope2;
       return newScope2;
     }
@@ -153,93 +134,123 @@ var PagePermissionGuardComponent = ({
     } : {
       organisationId: effectiveScope?.organisationId || void 0,
       appId: effectiveScope?.appId || contextAppId || void 0,
-      eventId: effectiveScope?.eventId || selectedEvent?.event_id || void 0
+      eventId: effectiveScope?.eventId || selectedEventId || void 0
     };
-    if (scopeEqual(prevScopeRef.current, newScope)) {
-      return prevScopeRef.current;
-    }
+    if (scopeEqual(prevScopeRef.current, newScope)) return prevScopeRef.current;
     prevScopeRef.current = newScope;
     return newScope;
-  }, [effectiveScope, contextAppId, selectedEvent?.event_id, allowsOptionalContexts]);
-  const scopeForPermissionCheck = shouldBypassScopeForSuperAdmin && !stableScope?.organisationId ? {
-    organisationId: void 0,
-    appId: contextAppId || void 0,
-    eventId: selectedEvent?.event_id || void 0
-  } : stableScope;
-  const shouldSkipPermissionCheck = isSuperAdmin2 === true;
+  }, [effectiveScope, contextAppId, selectedEventId, allowsOptionalContexts]);
+  const shouldBypassScopeForSuperAdmin = isSuperAdmin2 === true;
+  const scopeForPermissionCheck = shouldBypassScopeForSuperAdmin && !stableScope?.organisationId ? { organisationId: void 0, appId: contextAppId || void 0, eventId: selectedEventId || void 0 } : stableScope;
+  return {
+    effectiveScope,
+    stableScope,
+    scopeForPermissionCheck,
+    scopeLoading,
+    scopeError: scopeError ?? null,
+    allowsOptionalContexts
+  };
+}
+// src/rbac/hooks/usePagePermissionCheck.ts
+var dummyScope = { organisationId: void 0, appId: void 0, eventId: void 0 };
+function usePagePermissionCheck({
+  userId,
+  scopeForPermissionCheck,
+  shouldSkipPermissionCheck,
+  contextAppId,
+  permission,
+  effectivePageId,
+  isSuperAdmin: isSuperAdmin2,
+  appName
+}) {
+  const scope = shouldSkipPermissionCheck ? { ...dummyScope, appId: contextAppId } : scopeForPermissionCheck ?? dummyScope;
   const { can, isLoading: canIsLoading, error: canError } = useCan(
-    user?.id || "",
-    shouldSkipPermissionCheck ? { organisationId: void 0, appId: contextAppId || void 0, eventId: void 0 } : scopeForPermissionCheck,
+    userId,
+    scope,
     permission,
     effectivePageId,
     true,
-    // Use cache
     isSuperAdmin2,
-    // precomputedSuperAdmin - null if checking, true/false if checked
     appName
-    // Pass appName for PORTAL/ADMIN special case
   );
   const effectiveCan = shouldSkipPermissionCheck ? true : can;
   const effectiveIsLoading = shouldSkipPermissionCheck ? false : canIsLoading;
-  const isLoading = shouldBypassScopeForSuperAdmin ? effectiveIsLoading : scopeLoading || effectiveIsLoading;
-  const error = checkError || canError;
+  return { can, effectiveCan, canIsLoading: effectiveIsLoading, canError: canError ?? null };
+}
+var logger2 = getRBACLogger();
+function usePageAccessLogging(options) {
+  const {
+    setHasChecked,
+    hasChecked,
+    isLoading,
+    error,
+    effectiveCan,
+    pageName,
+    operation,
+    onDenied,
+    auditLog: _auditLog,
+    userId,
+    effectiveScope,
+    isSuperAdmin: isSuperAdmin2,
+    strictMode,
+    shouldBypassScopeForSuperAdmin,
+    effectivePageId,
+    allowsOptionalContexts,
+    checkError,
+    canError,
+    scopeLoading,
+    canIsLoading,
+    hasValidUser,
+    stableScope,
+    appName
+  } = options;
   useEffect(() => {
     if (!isLoading && !error) {
       setHasChecked(true);
-      if (!effectiveCan && onDenied) {
-        onDenied(pageName, operation);
-      }
+      if (!effectiveCan && onDenied) onDenied(pageName, operation);
     } else if (error) {
       setHasChecked(true);
     }
-  }, [effectiveCan, isLoading, error, pageName, operation, onDenied]);
-  useEffect(() => {
-    if (auditLog && hasChecked && !isLoading) {
-      const rbacLogger = getRBACLogger();
-      rbacLogger.debug("Page access attempt:", {
-        pageName,
-        operation,
-        userId: user?.id,
-        scope: effectiveScope,
-        allowed: effectiveCan,
-        isSuperAdmin: isSuperAdmin2,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, effectiveScope, effectiveCan, isSuperAdmin2]);
+  }, [effectiveCan, isLoading, error, pageName, operation, onDenied, setHasChecked]);
   useEffect(() => {
     if (strictMode && hasChecked && !isLoading && !effectiveCan && !shouldBypassScopeForSuperAdmin) {
-      const logger3 = getRBACLogger();
-      logger3.error(`STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
+      logger2.error("STRICT MODE VIOLATION: User attempted to access protected page without permission", {
         pageName,
         operation,
         permission: `${operation}:page.${pageName}`,
         pageId: effectivePageId,
-        userId: user?.id,
+        userId,
         scope: effectiveScope,
         scopeValid: allowsOptionalContexts ? true : effectiveScope !== null,
-        // PORTAL/ADMIN allow scope without org/event
         checkError,
         canError,
         isSuperAdmin: isSuperAdmin2,
         timestamp: (/* @__PURE__ */ new Date()).toISOString()
       });
     }
-  }, [strictMode, hasChecked, isLoading, effectiveCan, shouldBypassScopeForSuperAdmin, pageName, operation, effectivePageId, user?.id, effectiveScope, allowsOptionalContexts, checkError, canError, isSuperAdmin2]);
-  const hasValidScopeForPagePermissions = shouldBypassScopeForSuperAdmin ? true : allowsOptionalContexts ? true : effectiveScope !== null;
-  const hasValidUser = user && user.id;
-  const isPermissionCheckComplete = hasChecked && !isLoading;
-  const shouldShowAccessDenied = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && !effectiveCan;
-  const shouldShowContent = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && effectiveCan;
-  useRef("");
-  useEffect(() => {
-  }, [pageName, user?.id, isSuperAdmin2, isLoading, scopeLoading, canIsLoading, hasChecked, hasValidUser, effectiveCan, stableScope, effectiveScope]);
+  }, [
+    strictMode,
+    hasChecked,
+    isLoading,
+    effectiveCan,
+    shouldBypassScopeForSuperAdmin,
+    pageName,
+    operation,
+    effectivePageId,
+    userId,
+    effectiveScope,
+    allowsOptionalContexts,
+    checkError,
+    canError,
+    isSuperAdmin2
+  ]);
   useEffect(() => {
     if (isLoading && isSuperAdmin2 === null && hasValidUser) {
       const timeout = setTimeout(() => {
-        logger.warn("Permission check taking longer than expected", {
+        logger2.warn("Permission check taking longer than expected", {
           pageName,
-          userId: user?.id,
+          userId,
           isSuperAdmin: isSuperAdmin2,
           scopeLoading,
           canIsLoading,
@@ -251,30 +262,166 @@ var PagePermissionGuardComponent = ({
       }, 5e3);
       return () => clearTimeout(timeout);
     }
-  }, [isLoading, isSuperAdmin2, hasValidUser, pageName, user?.id, scopeLoading, canIsLoading, hasChecked, stableScope, effectiveScope, appName]);
+  }, [
+    isLoading,
+    isSuperAdmin2,
+    hasValidUser,
+    pageName,
+    userId,
+    scopeLoading,
+    canIsLoading,
+    hasChecked,
+    stableScope,
+    effectiveScope,
+    appName
+  ]);
+  const hasLoggedSuperAdminRef = useRef(false);
   useEffect(() => {
     if (isSuperAdmin2 === true && hasValidUser && !hasLoggedSuperAdminRef.current && false) ;
-    if (isSuperAdmin2 !== true) {
-      hasLoggedSuperAdminRef.current = false;
-    }
-  }, [isSuperAdmin2, hasValidUser, pageName, user?.id, operation]);
-  if (isSuperAdmin2 === true && hasValidUser) {
-    return /* @__PURE__ */ jsx(Fragment, { children });
-  }
-  if (isLoading || !hasValidUser || !hasChecked || isSuperAdmin2 === null) {
-    return loading || /* @__PURE__ */ jsx("p", { children: "Checking permissions..." });
-  }
-  if (checkError && !can) {
-    return fallback;
-  }
-  if (shouldShowAccessDenied) {
-    return fallback;
-  }
-  if (shouldShowContent) {
-    return /* @__PURE__ */ jsx(Fragment, { children });
+    if (isSuperAdmin2 !== true) hasLoggedSuperAdminRef.current = false;
+  }, [isSuperAdmin2, hasValidUser, pageName, userId, operation]);
+}
+function getPageGuardView(state) {
+  const { isSuperAdmin: isSuperAdmin2, hasValidUser, isLoading, hasChecked, scopeError, can, effectiveCan, effectiveScope, allowsOptionalContexts, shouldBypassScopeForSuperAdmin } = state;
+  if (isSuperAdmin2 === true && hasValidUser) return "super-admin";
+  if (isLoading || !hasValidUser || !hasChecked || isSuperAdmin2 === null) return "loading";
+  const hasValidScope = shouldBypassScopeForSuperAdmin ? true : allowsOptionalContexts ? true : effectiveScope !== null;
+  const checkComplete = hasChecked && !isLoading;
+  if (scopeError && !can) return "denied";
+  if (checkComplete && hasValidScope && hasValidUser && !scopeError && !effectiveCan) return "denied";
+  if (checkComplete && hasValidScope && hasValidUser && !scopeError && effectiveCan) return "content";
+  return "fallback";
+}
+var PagePermissionGuardComponent = ({
+  pageName,
+  operation,
+  children,
+  fallback = /* @__PURE__ */ jsx(AccessDenied, {}),
+  strictMode = true,
+  auditLog = true,
+  pageId,
+  scope,
+  onDenied,
+  loading = /* @__PURE__ */ jsx(DefaultLoading, {}),
+  printPageOrientation = "portrait",
+  printTitle
+}) => {
+  useEffect(() => {
+    if (printTitle) setPrintTitle(printTitle);
+    return () => {
+      if (typeof document !== "undefined" && document.documentElement) {
+        document.documentElement.style.removeProperty("--print-title");
+      }
+    };
+  }, [printTitle]);
+  const renderCountRef = useRef(0);
+  renderCountRef.current += 1;
+  useMemo(() => Math.random().toString(36).substr(2, 9), []);
+  const { user, selectedOrganisation, selectedEvent, supabase, appId: contextAppId, appName } = useUnifiedAuth();
+  const { isSuperAdmin: isSuperAdmin2 } = useSuperAdminCheck(user?.id);
+  const effectivePageId = useMemo(() => pageId || pageName, [pageId, pageName]);
+  const permission = useMemo(() => `${operation}:page.${pageName}`, [operation, pageName]);
+  const {
+    effectiveScope,
+    stableScope,
+    scopeForPermissionCheck,
+    scopeLoading,
+    scopeError,
+    allowsOptionalContexts
+  } = usePageGuardScope({
+    supabase,
+    selectedOrganisationId: selectedOrganisation?.id ?? null,
+    selectedEventId: selectedEvent?.event_id ?? null,
+    selectedEventOrganisationId: selectedEvent?.organisation_id ?? null,
+    scope,
+    contextAppId,
+    appName,
+    isSuperAdmin: isSuperAdmin2
+  });
+  const shouldBypassScopeForSuperAdmin = isSuperAdmin2 === true;
+  const shouldSkipPermissionCheck = isSuperAdmin2 === true;
+  const { can, effectiveCan, canIsLoading, canError } = usePagePermissionCheck({
+    userId: user?.id ?? "",
+    scopeForPermissionCheck,
+    shouldSkipPermissionCheck,
+    contextAppId,
+    permission,
+    effectivePageId,
+    isSuperAdmin: isSuperAdmin2,
+    appName
+  });
+  const isLoading = shouldBypassScopeForSuperAdmin ? canIsLoading : scopeLoading || canIsLoading;
+  const error = scopeError ?? canError;
+  const [hasChecked, setHasChecked] = useState(false);
+  const hasValidUser = Boolean(user?.id);
+  usePageAccessLogging({
+    setHasChecked,
+    hasChecked,
+    isLoading,
+    error,
+    effectiveCan,
+    pageName,
+    operation,
+    onDenied,
+    auditLog,
+    userId: user?.id,
+    effectiveScope,
+    isSuperAdmin: isSuperAdmin2,
+    strictMode,
+    shouldBypassScopeForSuperAdmin,
+    effectivePageId,
+    allowsOptionalContexts,
+    checkError: scopeError,
+    canError,
+    scopeLoading,
+    canIsLoading,
+    hasValidUser,
+    stableScope,
+    appName
+  });
+  const view = getPageGuardView({
+    isSuperAdmin: isSuperAdmin2,
+    hasValidUser,
+    isLoading,
+    hasChecked,
+    scopeError,
+    can,
+    effectiveCan,
+    effectiveScope,
+    allowsOptionalContexts,
+    shouldBypassScopeForSuperAdmin
+  });
+  switch (view) {
+    case "super-admin":
+      return /* @__PURE__ */ jsx(PageGuardLayout, { printPageOrientation, children });
+    case "loading":
+      return loading || /* @__PURE__ */ jsx("p", { children: "Checking permissions..." });
+    case "denied":
+      return fallback;
+    case "content":
+      return /* @__PURE__ */ jsx(PageGuardLayout, { printPageOrientation, withPrintPadding: true, children });
+    default:
+      return fallback;
   }
-  return fallback;
 };
+function PageGuardLayout({
+  children,
+  printPageOrientation,
+  withPrintPadding = false
+}) {
+  return /* @__PURE__ */ jsx(
+    "main",
+    {
+      className: cn(
+        "px-4 w-[min(var(--app-width),100%)] mx-auto py-8",
+        withPrintPadding && "print:p-0 print:pb-[40mm]",
+        printPageOrientation === "landscape" && "print-page-landscape",
+        printPageOrientation === "portrait" && "print-page-portrait"
+      ),
+      children
+    }
+  );
+}
 function DefaultLoading() {
   return /* @__PURE__ */ jsx(Alert, { role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsxs(AlertTitle, { children: [
     /* @__PURE__ */ jsx(LoadingSpinner, { size: "sm" }),
@@ -338,8 +485,8 @@ function NavigationGuard({
   }, [auditLog, hasChecked, isLoading, navigationItem, user?.id, effectiveScope, hasRequiredPermissions, requireAll]);
   useEffect(() => {
     if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
-      const logger3 = getRBACLogger();
-      logger3.error(`STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
+      const logger4 = getRBACLogger();
+      logger4.error(`STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
         navigationItem: navigationItem.id,
         permissions: navigationItem.permissions,
         userId: user?.id,
@@ -353,8 +500,8 @@ function NavigationGuard({
     return /* @__PURE__ */ jsx(Fragment, { children: loading });
   }
   if (checkError) {
-    const logger3 = getRBACLogger();
-    logger3.error(`Permission check failed for navigation item ${navigationItem.id}:`, checkError);
+    const logger4 = getRBACLogger();
+    logger4.error(`Permission check failed for navigation item ${navigationItem.id}:`, checkError);
     return /* @__PURE__ */ jsx(Fragment, { children: fallback });
   }
   if (!hasRequiredPermissions) {
@@ -369,46 +516,40 @@ function DefaultLoading2() {
     "Checking..."
   ] }) });
 }
-function useResourcePermissions(resource, options = {}) {
-  const { enableRead = false, requireScope = true } = options;
-  const logger3 = createLogger("ResourcePermissions");
-  const { user, supabase } = useUnifiedAuth();
+function useResourcePermissionsSuperAdmin(userId) {
+  const logger4 = createLogger("ResourcePermissionsSuperAdmin");
   const [isSuperAdminUser, setIsSuperAdminUser] = useState(null);
-  const [isCheckingSuperAdmin, setIsCheckingSuperAdmin] = useState(() => !!user?.id);
+  const [isCheckingSuperAdmin, setIsCheckingSuperAdmin] = useState(() => !!userId);
   const lastCheckedUserIdRef = useRef(null);
   const isCheckingRef = useRef(false);
   useEffect(() => {
-    if (lastCheckedUserIdRef.current === user?.id && isSuperAdminUser !== null) {
-      return;
-    }
-    if (isCheckingRef.current) {
-      return;
-    }
+    if (lastCheckedUserIdRef.current === userId && isSuperAdminUser !== null) return;
+    if (isCheckingRef.current) return;
     const checkSuperAdminStatus = async () => {
-      if (!user?.id) {
+      if (!userId) {
         setIsSuperAdminUser(false);
         setIsCheckingSuperAdmin(false);
         lastCheckedUserIdRef.current = null;
         return;
       }
       isCheckingRef.current = true;
-      lastCheckedUserIdRef.current = user.id;
+      lastCheckedUserIdRef.current = userId;
       const startTime = Date.now();
       setIsCheckingSuperAdmin(true);
       const timeoutId = setTimeout(() => {
-        logger3.warn("useResourcePermissions", "Super admin check taking longer than 5 seconds", {
-          userId: user?.id,
+        logger4.warn("useResourcePermissions", "Super admin check taking longer than 5 seconds", {
+          userId,
           elapsedMs: Date.now() - startTime
         });
       }, 5e3);
       try {
-        const superAdminStatus = await isSuperAdmin(user.id);
-        setIsSuperAdminUser(superAdminStatus);
-      } catch (error2) {
+        const result = await isSuperAdmin(userId);
+        setIsSuperAdminUser(result.ok && result.data);
+      } catch (error) {
         const elapsed = Date.now() - startTime;
-        logger3.error("useResourcePermissions", "Error checking super admin status", {
-          userId: user?.id,
-          error: error2,
+        logger4.error("useResourcePermissions", "Error checking super admin status", {
+          userId,
+          error,
           elapsedMs: elapsed
         });
         setIsSuperAdminUser(false);
@@ -419,7 +560,34 @@ function useResourcePermissions(resource, options = {}) {
       }
     };
     checkSuperAdminStatus();
-  }, [user?.id, logger3, isSuperAdminUser]);
+  }, [userId, logger4, isSuperAdminUser]);
+  return { isSuperAdminUser, isCheckingSuperAdmin };
+}
+// src/rbac/hooks/useResourcePermissions.ts
+function buildResourcePermissions(params) {
+  const createSuperAdminAwarePermission = (result) => {
+    if (params.isSuperAdminUser === true) return true;
+    return result;
+  };
+  return {
+    canCreate: (res) => res !== params.resource ? false : createSuperAdminAwarePermission(params.canCreateResult),
+    canUpdate: (res) => res !== params.resource ? false : createSuperAdminAwarePermission(params.canUpdateResult),
+    canDelete: (res) => res !== params.resource ? false : createSuperAdminAwarePermission(params.canDeleteResult),
+    canRead: (res) => {
+      if (!params.enableRead) return true;
+      if (res !== params.resource) return false;
+      return createSuperAdminAwarePermission(params.canReadResult);
+    },
+    scope: params.scope,
+    isLoading: params.isCheckingSuperAdmin || params.isLoading,
+    error: params.error
+  };
+}
+function useResourcePermissions(resource, options = {}) {
+  const { enableRead = false, requireScope = true } = options;
+  const { user, supabase } = useUnifiedAuth();
+  const { isSuperAdminUser, isCheckingSuperAdmin } = useResourcePermissionsSuperAdmin(user?.id);
   const { selectedOrganisation } = useOrganisations();
   let selectedEvent = null;
   try {
@@ -512,60 +680,239 @@ function useResourcePermissions(resource, options = {}) {
     if (enableRead && readError) return readError;
     return null;
   }, [scopeError, createError, updateError, deleteError, readError, enableRead]);
-  return useMemo(() => {
-    const createSuperAdminAwarePermission = (result) => {
-      if (isSuperAdminUser === true) {
-        return true;
-      }
-      return result;
-    };
-    return {
-      canCreate: (res) => {
-        if (res !== resource) {
-          return false;
-        }
-        return createSuperAdminAwarePermission(canCreateResult);
-      },
-      canUpdate: (res) => {
-        if (res !== resource) {
-          return false;
-        }
-        return createSuperAdminAwarePermission(canUpdateResult);
-      },
-      canDelete: (res) => {
-        if (res !== resource) {
-          return false;
-        }
-        return createSuperAdminAwarePermission(canDeleteResult);
-      },
-      canRead: (res) => {
-        if (!enableRead) {
-          return true;
-        }
-        if (res !== resource) {
-          return false;
-        }
-        return createSuperAdminAwarePermission(canReadResult);
-      },
+  return useMemo(
+    () => buildResourcePermissions({
+      resource,
+      enableRead,
+      isSuperAdminUser,
+      isCheckingSuperAdmin,
+      canCreateResult,
+      canUpdateResult,
+      canDeleteResult,
+      canReadResult,
       scope,
-      isLoading: isCheckingSuperAdmin || isLoading,
+      isLoading,
       error
+    }),
+    [
+      resource,
+      enableRead,
+      isSuperAdminUser,
+      isCheckingSuperAdmin,
+      canCreateResult,
+      canUpdateResult,
+      canDeleteResult,
+      canReadResult,
+      scope,
+      isLoading,
+      error
+    ]
+  );
+}
+// src/rbac/utils/roleManagementRpc.ts
+var logger3 = createLogger("roleManagementRpc");
+function logIfDev(message, data) {
+  if (import.meta.env.MODE === "development") {
+    if (data !== void 0) {
+      logger3.debug(message, data);
+    } else {
+      logger3.debug(message);
+    }
+  }
+}
+function formatRpcError(rpcError) {
+  const parts = [
+    rpcError.message,
+    rpcError.details,
+    rpcError.hint,
+    rpcError.code ? `Error code: ${rpcError.code}` : null
+  ].filter(Boolean);
+  return parts.length > 0 ? parts.join(" | ") : "Unknown RPC error";
+}
+function parseRevokeResponse(data) {
+  if (!data || !Array.isArray(data) || data.length === 0) {
+    logIfDev("Empty or null revoke response", { data });
+    return { success: false, error: "No response from database - role revocation may have failed" };
+  }
+  const result = data[0];
+  logIfDev("Revoke RPC result", result);
+  if (!result || result.success !== true) {
+    const errorMessage = result?.message || result?.error_code || "Role revocation failed";
+    return {
+      success: false,
+      message: result?.message,
+      error: errorMessage
     };
-  }, [
-    resource,
-    isSuperAdminUser,
-    isCheckingSuperAdmin,
-    canCreateResult,
-    canUpdateResult,
-    canDeleteResult,
-    canReadResult,
-    enableRead,
-    scope,
-    isLoading,
-    error
-  ]);
+  }
+  return {
+    success: true,
+    message: result.message ?? "Role revoked successfully",
+    error: void 0
+  };
+}
+async function revokeEventAppRoleRpc(supabase, params, revokedBy) {
+  const contextId = `${params.event_id}:${params.app_id}`;
+  const rpcParams = {
+    p_user_id: params.user_id,
+    p_role_type: "event_app",
+    p_role_name: params.role,
+    p_context_id: contextId,
+    p_revoked_by: params.revoked_by ?? revokedBy ?? void 0
+  };
+  logIfDev("revokeEventAppRole called with", rpcParams);
+  const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", rpcParams);
+  if (rpcError) {
+    logIfDev("RPC error", { message: rpcError.message, code: rpcError.code });
+    throw new Error(rpcError.message || "Failed to revoke role - unknown RPC error");
+  }
+  logIfDev("RPC response", { dataType: Array.isArray(data) ? "array" : typeof data });
+  return parseRevokeResponse(data);
+}
+async function grantEventAppRoleRpc(supabase, params, grantedBy) {
+  const contextId = `${params.event_id}:${params.app_id}`;
+  const rpcParams = {
+    p_user_id: params.user_id,
+    p_role_type: "event_app",
+    p_role_name: params.role,
+    p_context_id: contextId,
+    p_granted_by: params.granted_by ?? grantedBy ?? void 0
+  };
+  logIfDev("grantEventAppRole called with", rpcParams);
+  const { data, error: rpcError } = await supabase.rpc("rbac_role_grant", rpcParams);
+  if (rpcError) {
+    throw new Error(rpcError.message || "Failed to grant role");
+  }
+  if (!data || !Array.isArray(data) || data.length === 0) {
+    return { success: false, error: "No response from database - role grant may have failed" };
+  }
+  const result = data[0];
+  if (!result || result.success !== true) {
+    const errorMessage = result?.message ?? result?.error_code ?? "Role grant failed";
+    return {
+      success: false,
+      message: result?.message,
+      error: errorMessage
+    };
+  }
+  return {
+    success: true,
+    message: result.message ?? "Role granted successfully",
+    roleId: result.role_id
+  };
+}
+async function revokeRoleByIdRpc(supabase, roleId, revokedBy) {
+  const { data: roleData, error: fetchError } = await supabase.from("rbac_event_app_roles").select("user_id, role, event_id, app_id").eq("id", roleId).single();
+  if (fetchError || !roleData) {
+    throw new Error(fetchError?.message || "Role not found");
+  }
+  const contextId = `${roleData.event_id}:${roleData.app_id}`;
+  const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", {
+    p_user_id: roleData.user_id,
+    p_role_type: "event_app",
+    p_role_name: roleData.role,
+    p_context_id: contextId,
+    p_revoked_by: revokedBy ?? void 0
+  });
+  if (rpcError) {
+    throw new Error(rpcError.message || "Failed to revoke role - unknown RPC error");
+  }
+  const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
+  if (!result) {
+    return { success: false, error: void 0 };
+  }
+  if (result.success === false) {
+    const errorMessage = result.message || result.error_code || "Role revocation failed";
+    return { success: false, message: result.message, error: errorMessage };
+  }
+  return {
+    success: true,
+    message: result.message ?? "Role revoked successfully",
+    error: void 0
+  };
+}
+function parseGrantResponse(data, fallbackError) {
+  const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
+  if (!result || !result.success) {
+    return {
+      success: false,
+      error: result?.message || result?.error_code || fallbackError,
+      message: result?.message
+    };
+  }
+  return {
+    success: true,
+    message: result.message ?? "Role granted successfully",
+    roleId: result.role_id
+  };
+}
+async function grantGlobalRoleRpc(supabase, params, grantedBy) {
+  const { data, error: rpcError } = await supabase.rpc("rbac_role_grant", {
+    p_user_id: params.user_id,
+    p_role_type: "global",
+    p_role_name: params.role,
+    p_context_id: null,
+    p_granted_by: params.granted_by ?? grantedBy ?? void 0
+  });
+  if (rpcError) {
+    throw new Error(rpcError.message || "Failed to grant role");
+  }
+  return parseGrantResponse(data, "Failed to grant role");
+}
+async function revokeGlobalRoleRpc(supabase, params, revokedBy) {
+  const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", {
+    p_user_id: params.user_id,
+    p_role_type: "global",
+    p_role_name: params.role,
+    p_context_id: null,
+    p_revoked_by: params.revoked_by ?? revokedBy ?? void 0
+  });
+  if (rpcError) {
+    throw new Error(formatRpcError(rpcError));
+  }
+  const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
+  return {
+    success: result?.success === true,
+    message: result?.message,
+    error: result?.success === false ? result?.message || result?.error_code || "Unknown error" : void 0
+  };
+}
+async function grantOrganisationRoleRpc(supabase, params, grantedBy) {
+  const { data, error: rpcError } = await supabase.rpc("rbac_role_grant", {
+    p_user_id: params.user_id,
+    p_role_type: "organisation",
+    p_role_name: params.role,
+    p_context_id: params.organisation_id,
+    p_granted_by: params.granted_by ?? grantedBy ?? void 0
+  });
+  if (rpcError) {
+    throw new Error(rpcError.message || "Failed to grant role");
+  }
+  return parseGrantResponse(data, "Failed to grant role");
+}
+async function revokeOrganisationRoleRpc(supabase, params, revokedBy) {
+  const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", {
+    p_user_id: params.user_id,
+    p_role_type: "organisation",
+    p_role_name: params.role,
+    p_context_id: params.organisation_id,
+    p_revoked_by: params.revoked_by ?? revokedBy ?? void 0
+  });
+  if (rpcError) {
+    throw new Error(formatRpcError(rpcError));
+  }
+  const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
+  return {
+    success: result?.success === true,
+    message: result?.message,
+    error: result?.success === false ? result?.message || result?.error_code || "Unknown error" : void 0
+  };
+}
+// src/rbac/hooks/useRoleManagement.ts
+function failureResult(errorMessage) {
+  return { success: false, error: errorMessage };
 }
-var logger2 = createLogger("useRoleManagement");
 function useRoleManagement() {
   const { user, supabase } = useUnifiedAuth();
   const [isLoading, setIsLoading] = useState(false);
@@ -573,362 +920,120 @@ function useRoleManagement() {
   if (!supabase) {
     throw new Error("useRoleManagement requires a Supabase client. Ensure UnifiedAuthProvider is configured.");
   }
-  const revokeEventAppRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const contextId = `${params.event_id}:${params.app_id}`;
-      const rpcParams = {
-        p_user_id: params.user_id,
-        p_role_type: "event_app",
-        p_role_name: params.role,
-        p_context_id: contextId,
-        p_revoked_by: params.revoked_by || user?.id || void 0
-      };
-      if (import.meta.env.MODE === "development") {
-        logger2.debug("revokeEventAppRole called with:", rpcParams);
-      }
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", rpcParams);
-      if (rpcError) {
-        if (import.meta.env.MODE === "development") {
-          logger2.error("RPC error:", {
-            message: rpcError.message,
-            details: rpcError.details,
-            hint: rpcError.hint,
-            code: rpcError.code,
-            fullError: rpcError
-          });
-        }
-        const errorMessage = rpcError.message || "Failed to revoke role - unknown RPC error";
-        throw new Error(errorMessage);
-      }
-      if (import.meta.env.MODE === "development") {
-        logger2.debug("RPC response:", {
-          data,
-          error: rpcError,
-          dataType: Array.isArray(data) ? "array" : typeof data,
-          dataLength: Array.isArray(data) ? data.length : "N/A"
-        });
-      }
-      if (!data || !Array.isArray(data) || data.length === 0) {
-        const errorMsg = "No response from database - role revocation may have failed";
-        if (import.meta.env.MODE === "development") {
-          logger2.error("Empty or null data response:", {
-            data,
-            dataType: typeof data,
-            isArray: Array.isArray(data),
-            length: Array.isArray(data) ? data.length : "N/A"
-          });
-        }
-        throw new Error(errorMsg);
-      }
-      const result = data[0];
-      if (import.meta.env.MODE === "development") {
-        logger2.debug("RPC result:", {
-          success: result?.success,
-          message: result?.message,
-          error_code: result?.error_code,
-          revoked_count: result?.revoked_count,
-          fullResult: result
-        });
-      }
-      if (!result || result.success !== true) {
-        const errorMessage = result?.message || result?.error_code || "Role revocation failed";
-        if (import.meta.env.MODE === "development") {
-          logger2.error("Role revocation failed:", {
-            result,
-            errorMessage,
-            fullData: data,
-            rpcParams
-          });
-        }
-        return {
-          success: false,
-          message: result?.message || void 0,
-          error: errorMessage
-        };
-      }
-      return {
-        success: true,
-        message: result.message || "Role revoked successfully",
-        error: void 0
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      if (import.meta.env.MODE === "development") {
-        logger2.error("Exception in revokeEventAppRole:", {
-          error: err,
-          errorMessage,
-          params
-        });
-      }
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const grantEventAppRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("grant_event_app_role", {
-        p_user_id: params.user_id,
-        p_organisation_id: params.organisation_id,
-        p_event_id: params.event_id,
-        p_app_id: params.app_id,
-        p_role: params.role,
-        p_granted_by: params.granted_by || user?.id || void 0,
-        p_valid_from: params.valid_from,
-        p_valid_to: params.valid_to
-      });
-      if (rpcError) {
-        throw new Error(rpcError.message || "Failed to grant role");
-      }
-      if (!data) {
-        return {
-          success: false,
-          error: "Failed to grant role - no role ID returned"
-        };
-      }
-      return {
-        success: true,
-        message: "Role granted successfully",
-        roleId: data
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const revokeRoleById = useCallback(async (roleId) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data: roleData, error: fetchError } = await supabase.from("rbac_event_app_roles").select("user_id, role, event_id, app_id").eq("id", roleId).single();
-      if (fetchError || !roleData) {
-        throw new Error(fetchError?.message || "Role not found");
-      }
-      const contextId = `${roleData.event_id}:${roleData.app_id}`;
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", {
-        p_user_id: roleData.user_id,
-        p_role_type: "event_app",
-        p_role_name: roleData.role,
-        p_context_id: contextId,
-        p_revoked_by: user?.id || void 0
-      });
-      if (rpcError) {
-        const errorMessage = rpcError.message || "Failed to revoke role - unknown RPC error";
-        throw new Error(errorMessage);
-      }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      if (!result) {
-        return {
-          success: false,
-          error: void 0
-        };
+  const runWithLoading = useCallback(
+    async (fn) => {
+      setIsLoading(true);
+      setError(null);
+      try {
+        return await fn();
+      } catch (err) {
+        setError(err instanceof Error ? err : new Error(String(err)));
+        throw err;
+      } finally {
+        setIsLoading(false);
       }
-      if (result.success === false) {
-        const errorMessage = result.message || result.error_code || "Role revocation failed";
-        return {
-          success: false,
-          message: result.message || void 0,
-          error: errorMessage
-        };
+    },
+    []
+  );
+  const revokeEventAppRole = useCallback(
+    async (params) => {
+      try {
+        return await runWithLoading(
+          () => revokeEventAppRoleRpc(supabase, params, user?.id)
+        );
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : "Unknown error occurred";
+        return failureResult(msg);
       }
-      return {
-        success: true,
-        message: result.message || "Role revoked successfully",
-        error: void 0
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const grantGlobalRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_grant", {
-        p_user_id: params.user_id,
-        p_role_type: "global",
-        p_role_name: params.role,
-        p_context_id: null,
-        // Global roles don't need context
-        p_granted_by: params.granted_by || user?.id || void 0
-      });
-      if (rpcError) {
-        throw new Error(rpcError.message || "Failed to grant role");
+    },
+    [supabase, user?.id, runWithLoading]
+  );
+  const grantEventAppRole = useCallback(
+    async (params) => {
+      try {
+        return await runWithLoading(
+          () => grantEventAppRoleRpc(supabase, params, user?.id)
+        );
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : "Unknown error occurred";
+        return failureResult(msg);
       }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      if (!result || !result.success) {
-        return {
-          success: false,
-          error: result?.message || result?.error_code || "Failed to grant role",
-          message: result?.message
-        };
+    },
+    [supabase, user?.id, runWithLoading]
+  );
+  const revokeRoleById = useCallback(
+    async (roleId) => {
+      try {
+        return await runWithLoading(
+          () => revokeRoleByIdRpc(supabase, roleId, user?.id)
+        );
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : "Unknown error occurred";
+        return failureResult(msg);
       }
-      return {
-        success: true,
-        message: result.message || "Role granted successfully",
-        roleId: result.role_id
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const revokeGlobalRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", {
-        p_user_id: params.user_id,
-        p_role_type: "global",
-        p_role_name: params.role,
-        p_context_id: null,
-        // Global roles don't need context
-        p_revoked_by: params.revoked_by || user?.id || void 0
-      });
-      if (rpcError) {
-        const errorParts = [
-          rpcError.message,
-          rpcError.details,
-          rpcError.hint,
-          rpcError.code ? `Error code: ${rpcError.code}` : null
-        ].filter(Boolean);
-        const errorMessage = errorParts.length > 0 ? errorParts.join(" | ") : "Failed to revoke role - unknown RPC error";
-        throw new Error(errorMessage);
+    },
+    [supabase, user?.id, runWithLoading]
+  );
+  const grantGlobalRole = useCallback(
+    async (params) => {
+      try {
+        return await runWithLoading(
+          () => grantGlobalRoleRpc(supabase, params, user?.id)
+        );
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : "Unknown error occurred";
+        return failureResult(msg);
       }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      return {
-        success: result?.success === true,
-        message: result?.message || void 0,
-        error: result?.success === false ? result?.message || result?.error_code || "Unknown error" : void 0
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const grantOrganisationRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_grant", {
-        p_user_id: params.user_id,
-        p_role_type: "organisation",
-        p_role_name: params.role,
-        p_context_id: params.organisation_id,
-        // Organisation ID as context
-        p_granted_by: params.granted_by || user?.id || void 0
-      });
-      if (rpcError) {
-        throw new Error(rpcError.message || "Failed to grant role");
+    },
+    [supabase, user?.id, runWithLoading]
+  );
+  const revokeGlobalRole = useCallback(
+    async (params) => {
+      try {
+        return await runWithLoading(
+          () => revokeGlobalRoleRpc(supabase, params, user?.id)
+        );
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : "Unknown error occurred";
+        return failureResult(msg);
       }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      if (!result || !result.success) {
-        return {
-          success: false,
-          error: result?.message || result?.error_code || "Failed to grant role",
-          message: result?.message
-        };
+    },
+    [supabase, user?.id, runWithLoading]
+  );
+  const grantOrganisationRole = useCallback(
+    async (params) => {
+      try {
+        return await runWithLoading(
+          () => grantOrganisationRoleRpc(supabase, params, user?.id)
+        );
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : "Unknown error occurred";
+        return failureResult(msg);
       }
-      return {
-        success: true,
-        message: result.message || "Role granted successfully",
-        roleId: result.role_id
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const revokeOrganisationRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", {
-        p_user_id: params.user_id,
-        p_role_type: "organisation",
-        p_role_name: params.role,
-        p_context_id: params.organisation_id,
-        // Organisation ID as context
-        p_revoked_by: params.revoked_by || user?.id || void 0
-      });
-      if (rpcError) {
-        const errorParts = [
-          rpcError.message,
-          rpcError.details,
-          rpcError.hint,
-          rpcError.code ? `Error code: ${rpcError.code}` : null
-        ].filter(Boolean);
-        const errorMessage = errorParts.length > 0 ? errorParts.join(" | ") : "Failed to revoke role - unknown RPC error";
-        throw new Error(errorMessage);
+    },
+    [supabase, user?.id, runWithLoading]
+  );
+  const revokeOrganisationRole = useCallback(
+    async (params) => {
+      try {
+        return await runWithLoading(
+          () => revokeOrganisationRoleRpc(supabase, params, user?.id)
+        );
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : "Unknown error occurred";
+        return failureResult(msg);
       }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      return {
-        success: result?.success === true,
-        message: result?.message || void 0,
-        error: result?.success === false ? result?.message || result?.error_code || "Unknown error" : void 0
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
+    },
+    [supabase, user?.id, runWithLoading]
+  );
   return {
-    // Event app roles (existing)
     revokeEventAppRole,
     grantEventAppRole,
     revokeRoleById,
-    // Global roles (new)
     grantGlobalRole,
     revokeGlobalRole,
-    // Organisation roles (new)
     grantOrganisationRole,
     revokeOrganisationRole,
-    // Shared state
     isLoading,
     error
   };
@@ -945,14 +1050,17 @@ function withPermissionGuard(config, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for permission check");
     }
-    const { isPermitted: isPermitted2 } = await import('./api-F47QJ7FX.js');
-    const hasPermission = await isPermitted2({
+    const { isPermitted: isPermitted2 } = await import('./api-BZR2CYXL.js');
+    const result = await isPermitted2({
       userId,
       scope: { organisationId, eventId, appId },
       permission: config.permission,
       pageId: config.pageId
     });
-    if (!hasPermission) {
+    if (!result.ok) {
+      throw new Error(result.error.message);
+    }
+    if (!result.data) {
       throw new Error(`Permission denied: ${config.permission}`);
     }
     return handler(...args);
@@ -968,11 +1076,15 @@ function withAccessLevelGuard(minLevel, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for access level check");
     }
-    const { getAccessLevel: getAccessLevel2 } = await import('./api-F47QJ7FX.js');
-    const accessLevel = await getAccessLevel2({
+    const { getAccessLevel: getAccessLevel2 } = await import('./api-BZR2CYXL.js');
+    const result = await getAccessLevel2({
       userId,
       scope: { organisationId, eventId, appId }
     });
+    if (!result.ok) {
+      throw new Error(result.error.message);
+    }
+    const accessLevel = result.data;
     const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
     const userLevelIndex = levelHierarchy.indexOf(accessLevel);
     const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
@@ -993,11 +1105,11 @@ function withRoleGuard(config, handler) {
       throw new Error("User context required for role check");
     }
     if (config.globalRoles && config.globalRoles.length > 0) {
-      const { isSuperAdmin: isSuperAdmin2 } = await import('./api-F47QJ7FX.js');
-      const isSuper = await isSuperAdmin2(userId);
-      if (isSuper) {
+      const { isSuperAdmin: isSuperAdmin2 } = await import('./api-BZR2CYXL.js');
+      const superResult = await isSuperAdmin2(userId);
+      if (superResult.ok && superResult.data) {
         if (organisationId) {
-          const { emitAuditEvent: emitAuditEvent2 } = await import('./audit-Z6ZZBWLU.js');
+          const { emitAuditEvent: emitAuditEvent2 } = await import('./audit-HI2DHUVU.js');
           await emitAuditEvent2({
             type: "permission_check",
             userId,
@@ -1019,21 +1131,27 @@ function withRoleGuard(config, handler) {
       }
     }
     if (config.organisationRoles && config.organisationRoles.length > 0) {
-      const { isOrganisationAdmin } = await import('./api-F47QJ7FX.js');
-      const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
-      if (!isOrgAdmin && config.requireAll !== false) {
+      const { isOrganisationAdmin } = await import('./api-BZR2CYXL.js');
+      const orgResult = await isOrganisationAdmin(userId, organisationId);
+      if (!orgResult.ok) {
+        throw new Error(orgResult.error.message);
+      }
+      if (!orgResult.data && config.requireAll !== false) {
         throw new Error(`Organisation admin role required`);
       }
     }
     if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
-      const { isEventAdmin } = await import('./api-F47QJ7FX.js');
-      const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
-      if (!isEventAdminUser && config.requireAll !== false) {
+      const { isEventAdmin } = await import('./api-BZR2CYXL.js');
+      const eventResult = await isEventAdmin(userId, { organisationId, eventId, appId });
+      if (!eventResult.ok) {
+        throw new Error(eventResult.error.message);
+      }
+      if (!eventResult.data && config.requireAll !== false) {
         throw new Error(`Event admin role required`);
       }
     }
     if (organisationId) {
-      const { emitAuditEvent: emitAuditEvent2 } = await import('./audit-Z6ZZBWLU.js');
+      const { emitAuditEvent: emitAuditEvent2 } = await import('./audit-HI2DHUVU.js');
       await emitAuditEvent2({
         type: "permission_check",
         userId,
@@ -1066,14 +1184,14 @@ function createRBACMiddleware(config) {
     );
     if (protectedRoute) {
       try {
-        const { isPermitted: isPermitted2 } = await import('./api-F47QJ7FX.js');
-        const hasPermission = await isPermitted2({
+        const { isPermitted: isPermitted2 } = await import('./api-BZR2CYXL.js');
+        const result = await isPermitted2({
           userId,
           scope: { organisationId },
           permission: protectedRoute.permission,
           pageId: protectedRoute.pageId
         });
-        if (!hasPermission) {
+        if (!result.ok || !result.data) {
           return res.redirect(config.fallbackUrl || "/access-denied");
         }
       } catch (_error) {
@@ -1093,14 +1211,14 @@ function createRBACExpressMiddleware(config) {
       return res.status(401).json({ error: "User context required" });
     }
     try {
-      const { isPermitted: isPermitted2 } = await import('./api-F47QJ7FX.js');
-      const hasPermission = await isPermitted2({
+      const { isPermitted: isPermitted2 } = await import('./api-BZR2CYXL.js');
+      const result = await isPermitted2({
         userId,
         scope: { organisationId, eventId, appId },
         permission: config.permission,
         pageId: config.pageId
       });
-      if (!hasPermission) {
+      if (!result.ok || !result.data) {
         return res.status(403).json({ error: "Permission denied" });
       }
       next();