@jmruthers/pace-core 0.6.10 → 0.6.12

package/dist/chunk-YFGNMB67.js

@@ -0,0 +1,2390 @@
+import { emitAuditEvent, createAuditManager, setGlobalAuditManager } from './chunk-QRYSEPHB.js';
+import { getCurrentAppName } from './chunk-GHCUP64P.js';
+import { createLogger } from './chunk-BTHN5MKC.js';
+import { ok, err } from './chunk-44CNXN4P.js';
+
+// src/rbac/types.ts
+var RBACError = class extends Error {
+  constructor(message, code, context) {
+    super(message);
+    this.code = code;
+    this.context = context;
+    this.name = "RBACError";
+  }
+};
+var PermissionDeniedError = class extends RBACError {
+  constructor(permission, context) {
+    super(
+      `Permission denied: ${permission}`,
+      "PERMISSION_DENIED",
+      { permission, ...context }
+    );
+    this.name = "PermissionDeniedError";
+  }
+};
+var OrganisationContextRequiredError = class extends RBACError {
+  constructor() {
+    super(
+      "Organisation context is required for this operation",
+      "ORGANISATION_CONTEXT_REQUIRED"
+    );
+    this.name = "OrganisationContextRequiredError";
+  }
+};
+var EventContextRequiredError = class extends RBACError {
+  constructor() {
+    super(
+      "Event context is required for this operation",
+      "EVENT_CONTEXT_REQUIRED"
+    );
+    this.name = "EventContextRequiredError";
+  }
+};
+var RBACNotInitializedError = class extends RBACError {
+  constructor() {
+    super(
+      "RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup",
+      "RBAC_NOT_INITIALIZED"
+    );
+    this.name = "RBACNotInitializedError";
+  }
+};
+var InvalidScopeError = class extends RBACError {
+  constructor(scope, reason) {
+    super(
+      `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,
+      "INVALID_SCOPE",
+      { scope, reason }
+    );
+    this.name = "InvalidScopeError";
+  }
+};
+var MissingUserContextError = class extends RBACError {
+  constructor() {
+    super(
+      "User context is required but not available. Make sure to wrap your app with an auth provider.",
+      "MISSING_USER_CONTEXT"
+    );
+    this.name = "MissingUserContextError";
+  }
+};
+
+// src/rbac/cache.ts
+var RBACCache = class {
+  constructor() {
+    this.cache = /* @__PURE__ */ new Map();
+    this.sessionCache = /* @__PURE__ */ new Map();
+    this.TTL = 120 * 1e3;
+    // 120 seconds (short-term) - increased from 60s
+    this.SESSION_TTL = 15 * 60 * 1e3;
+    // 15 minutes (session-level) - increased from 5min
+    this.invalidationCallbacks = /* @__PURE__ */ new Set();
+  }
+  /**
+   * Get a value from the cache
+   * 
+   * Checks both short-term cache and session cache.
+   * 
+   * @param key - Cache key
+   * @param useSessionCache - Whether to check session cache (default: true)
+   * @returns Cached value or null if not found/expired
+   */
+  get(key, useSessionCache = true) {
+    const now = Date.now();
+    const entry = this.cache.get(key);
+    if (entry && now <= entry.expires) {
+      return entry.data;
+    }
+    if (entry && now > entry.expires) {
+      this.cache.delete(key);
+    }
+    if (useSessionCache) {
+      const sessionEntry = this.sessionCache.get(key);
+      if (sessionEntry && now <= sessionEntry.expires) {
+        return sessionEntry.data;
+      }
+      if (sessionEntry && now > sessionEntry.expires) {
+        this.sessionCache.delete(key);
+      }
+    }
+    return null;
+  }
+  /**
+   * Set a value in the cache
+   * 
+   * @param key - Cache key
+   * @param data - Data to cache
+   * @param ttl - Time to live in milliseconds (defaults to 60s)
+   * @param useSessionCache - Whether to also store in session cache (default: false for page-level checks)
+   */
+  set(key, data, ttl = this.TTL, useSessionCache = false) {
+    const now = Date.now();
+    const expires = ttl <= 0 ? now - 1 : now + ttl;
+    this.cache.set(key, {
+      data,
+      expires
+    });
+    if (useSessionCache) {
+      const sessionExpires = ttl <= 0 ? now - 1 : now + this.SESSION_TTL;
+      this.sessionCache.set(key, {
+        data,
+        expires: sessionExpires
+      });
+    }
+  }
+  /**
+   * Delete a specific key from the cache
+   * 
+   * @param key - Cache key to delete
+   */
+  delete(key) {
+    this.cache.delete(key);
+    this.sessionCache.delete(key);
+  }
+  /**
+   * Invalidate cache entries matching a pattern
+   * 
+   * @param pattern - Pattern to match against cache keys
+   */
+  invalidate(pattern) {
+    const trimmedPattern = pattern?.trim();
+    if (!trimmedPattern) {
+      return;
+    }
+    const matcher = this.createMatcher(trimmedPattern);
+    const keysToDelete = [];
+    for (const key of this.cache.keys()) {
+      if (matcher(key)) {
+        keysToDelete.push(key);
+      }
+    }
+    for (const key of this.sessionCache.keys()) {
+      if (matcher(key) && !keysToDelete.includes(key)) {
+        keysToDelete.push(key);
+      }
+    }
+    keysToDelete.forEach((key) => {
+      this.cache.delete(key);
+      this.sessionCache.delete(key);
+    });
+    this.invalidationCallbacks.forEach((callback) => callback(trimmedPattern));
+  }
+  createMatcher(pattern) {
+    if (pattern.includes("*")) {
+      const escapedSegments = pattern.split("*").map((segment) => segment.replace(/[|\\{}()[\]^$+?.-]/g, "\\$&"));
+      const regexPattern = escapedSegments.join(".*");
+      const regex = new RegExp(regexPattern);
+      return (key) => regex.test(key);
+    }
+    return (key) => key.includes(pattern);
+  }
+  /**
+   * Clear all cache entries
+   */
+  clear() {
+    this.cache.clear();
+    this.sessionCache.clear();
+  }
+  /**
+   * Get cache statistics
+   */
+  getStats() {
+    return {
+      size: this.cache.size,
+      sessionSize: this.sessionCache.size,
+      ttl: this.TTL,
+      sessionTtl: this.SESSION_TTL,
+      keys: Array.from(this.cache.keys())
+    };
+  }
+  /**
+   * Add an invalidation callback
+   * 
+   * @param callback - Function to call when cache is invalidated
+   */
+  onInvalidate(callback) {
+    this.invalidationCallbacks.add(callback);
+    return () => {
+      this.invalidationCallbacks.delete(callback);
+    };
+  }
+  /**
+   * Generate cache key for permission check (simplified signature)
+   * 
+   * @param userId - User ID
+   * @param permission - Permission string
+   * @param organisationId - Organisation ID (optional)
+   * @param eventId - Event ID (optional)
+   * @param appId - App ID (optional)
+   * @param pageId - Page ID (optional)
+   * @returns String cache key
+   */
+  static generateKey(userId, permission, organisationId, eventId, appId, pageId) {
+    const parts = [
+      "perm",
+      userId,
+      organisationId || "null",
+      eventId || "null",
+      appId || "null",
+      permission || "null",
+      pageId || "null"
+    ];
+    return parts.join(":");
+  }
+  /**
+   * Generate cache key for permission check (object signature)
+   * 
+   * @param key - Permission cache key object
+   * @returns String cache key
+   */
+  static generatePermissionKey(key) {
+    const parts = [
+      "perm",
+      key.userId,
+      key.organisationId || "null",
+      key.eventId || "null",
+      key.appId || "null",
+      key.permission || "null",
+      key.pageId || "null"
+    ];
+    return parts.join(":");
+  }
+  /**
+   * Generate cache key for access level
+   * 
+   * @param userId - User ID
+   * @param organisationId - Organisation ID
+   * @param eventId - Event ID (optional)
+   * @param appId - App ID (optional)
+   * @returns String cache key
+   */
+  static generateAccessLevelKey(userId, organisationId, eventId, appId) {
+    const parts = [
+      "access",
+      userId,
+      organisationId,
+      eventId || "null",
+      appId || "null"
+    ];
+    return parts.join(":");
+  }
+  /**
+   * Generate cache key for permission map
+   * 
+   * @param userId - User ID
+   * @param organisationId - Organisation ID
+   * @param eventId - Event ID (optional)
+   * @param appId - App ID (optional)
+   * @returns String cache key
+   */
+  static generatePermissionMapKey(userId, organisationId, eventId, appId) {
+    const parts = [
+      "map",
+      userId,
+      organisationId,
+      eventId || "null",
+      appId || "null"
+    ];
+    return parts.join(":");
+  }
+};
+var rbacCache = new RBACCache();
+var CACHE_PATTERNS = {
+  USER: (userId) => `:${userId}:`,
+  ORGANISATION: (organisationId) => `:${organisationId}:`,
+  EVENT: (eventId) => `:${eventId}:`,
+  APP: (appId) => `:${appId}`,
+  PERMISSION: (userId, organisationId) => `perm:${userId}:${organisationId}:`
+};
+
+// src/rbac/cache-invalidation.ts
+var log = createLogger("RBACCache");
+var INVALIDATION_PATTERNS = {
+  // User-level invalidation
+  USER_ROLES_CHANGED: (userId) => [
+    CACHE_PATTERNS.USER(userId),
+    `perm:${userId}:*`,
+    `access:${userId}:*`,
+    `map:${userId}:*`
+  ],
+  // Organisation-level invalidation
+  ORGANISATION_PERMISSIONS_CHANGED: (organisationId) => [
+    CACHE_PATTERNS.ORGANISATION(organisationId),
+    `perm:*:${organisationId}:*`,
+    `access:*:${organisationId}:*`,
+    `map:*:${organisationId}:*`
+  ],
+  // Event-level invalidation
+  EVENT_PERMISSIONS_CHANGED: (eventId) => [
+    CACHE_PATTERNS.EVENT(eventId),
+    `perm:*:*:${eventId}:*`,
+    `access:*:*:${eventId}:*`,
+    `map:*:*:${eventId}:*`
+  ],
+  // App-level invalidation
+  APP_PERMISSIONS_CHANGED: (appId) => [
+    CACHE_PATTERNS.APP(appId),
+    `perm:*:*:*:${appId}:*`,
+    `access:*:*:*:${appId}`,
+    `map:*:*:*:${appId}`
+  ],
+  // Page-level invalidation
+  PAGE_PERMISSIONS_CHANGED: (pageId) => [
+    `perm:*:*:*:*:${pageId}`,
+    `map:*:*:*:*`
+  ]
+};
+var RBACCacheInvalidationManager = class {
+  constructor(supabase) {
+    this.invalidationCallbacks = /* @__PURE__ */ new Set();
+    this.channels = [];
+    this.supabase = supabase;
+    this.setupRealtimeSubscriptions();
+  }
+  /**
+   * Add a callback for cache invalidation events
+   * 
+   * @param callback - Function to call when cache is invalidated
+   * @returns Unsubscribe function
+   */
+  onInvalidation(callback) {
+    this.invalidationCallbacks.add(callback);
+    return () => this.invalidationCallbacks.delete(callback);
+  }
+  /**
+   * Invalidate cache for a specific user
+   * 
+   * @param userId - User ID
+   * @param reason - Reason for invalidation
+   */
+  invalidateUser(userId, reason) {
+    const patterns = INVALIDATION_PATTERNS.USER_ROLES_CHANGED(userId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache for a specific organisation
+   * 
+   * @param organisationId - Organisation ID
+   * @param reason - Reason for invalidation
+   */
+  invalidateOrganisation(organisationId, reason) {
+    const patterns = INVALIDATION_PATTERNS.ORGANISATION_PERMISSIONS_CHANGED(organisationId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache for a specific event
+   * 
+   * @param eventId - Event ID
+   * @param reason - Reason for invalidation
+   */
+  invalidateEvent(eventId, reason) {
+    const patterns = INVALIDATION_PATTERNS.EVENT_PERMISSIONS_CHANGED(eventId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache for a specific app
+   * 
+   * @param appId - App ID
+   * @param reason - Reason for invalidation
+   */
+  invalidateApp(appId, reason) {
+    const patterns = INVALIDATION_PATTERNS.APP_PERMISSIONS_CHANGED(appId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache for a specific page
+   * 
+   * @param pageId - Page ID
+   * @param reason - Reason for invalidation
+   */
+  invalidatePage(pageId, reason) {
+    const patterns = INVALIDATION_PATTERNS.PAGE_PERMISSIONS_CHANGED(pageId);
+    this.invalidatePatterns(patterns, reason);
+  }
+  /**
+   * Invalidate cache patterns and notify callbacks
+   * 
+   * @param patterns - Array of cache patterns to invalidate
+   * @param reason - Reason for invalidation
+   */
+  invalidatePatterns(patterns, reason) {
+    log.debug(`Invalidating patterns: ${patterns.join(", ")} (${reason})`);
+    patterns.forEach((pattern) => {
+      rbacCache.invalidate(pattern);
+    });
+    this.invalidationCallbacks.forEach((callback) => {
+      patterns.forEach((pattern) => callback(pattern));
+    });
+    emitAuditEvent({
+      type: "permission_check",
+      userId: "system",
+      organisationId: "00000000-0000-0000-0000-000000000000",
+      permission: "cache:invalidate",
+      decision: true,
+      source: "api",
+      duration_ms: 0,
+      metadata: {
+        reason,
+        patterns,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        cache_invalidation: true
+      }
+    }).catch((error) => {
+      log.warn("Failed to log cache invalidation audit event:", error);
+    });
+  }
+  /**
+   * Cleanup subscriptions only (not all callbacks)
+   * Used internally to cleanup before setting up new subscriptions
+   */
+  cleanupSubscriptions() {
+    this.channels.forEach((channel) => {
+      try {
+        if (channel && typeof channel.unsubscribe === "function") {
+          channel.unsubscribe();
+        }
+      } catch (error) {
+        log.warn("Failed to unsubscribe from channel:", error);
+      }
+    });
+    this.channels = [];
+  }
+  /**
+   * Setup realtime subscriptions for automatic cache invalidation
+   * Always cleans up existing subscriptions before setting up new ones to prevent duplicates
+   */
+  setupRealtimeSubscriptions() {
+    this.cleanupSubscriptions();
+    if (!this.supabase.channel || typeof this.supabase.channel !== "function") {
+      log.debug("Realtime not available, skipping subscriptions");
+      return;
+    }
+    const orgRolesChannel = this.supabase.channel("rbac_organisation_roles_changes").on("postgres_changes", {
+      event: "*",
+      schema: "public",
+      table: "rbac_organisation_roles"
+    }, (payload) => {
+      const payloadData = payload;
+      const { organisation_id, user_id } = payloadData.new || payloadData.old || {};
+      if (organisation_id) {
+        this.invalidateOrganisation(organisation_id, `organisation_role_${payloadData.eventType || "unknown"}`);
+      }
+      if (user_id) {
+        this.invalidateUser(user_id, `organisation_role_${payloadData.eventType || "unknown"}`);
+      }
+    });
+    const orgRolesSubscription = orgRolesChannel.subscribe();
+    this.channels.push(orgRolesSubscription);
+    const eventAppRolesChannel = this.supabase.channel("rbac_event_app_roles_changes").on("postgres_changes", {
+      event: "*",
+      schema: "public",
+      table: "rbac_event_app_roles"
+    }, (payload) => {
+      const payloadData = payload;
+      const { organisation_id, user_id, event_id, app_id } = payloadData.new || payloadData.old || {};
+      if (organisation_id) {
+        this.invalidateOrganisation(organisation_id, `event_app_role_${payloadData.eventType || "unknown"}`);
+      }
+      if (user_id) {
+        this.invalidateUser(user_id, `event_app_role_${payloadData.eventType || "unknown"}`);
+      }
+      if (event_id) {
+        this.invalidateEvent(event_id, `event_app_role_${payloadData.eventType || "unknown"}`);
+      }
+      if (app_id) {
+        this.invalidateApp(app_id, `event_app_role_${payloadData.eventType || "unknown"}`);
+      }
+    });
+    const eventAppRolesSubscription = eventAppRolesChannel.subscribe();
+    this.channels.push(eventAppRolesSubscription);
+    const globalRolesChannel = this.supabase.channel("rbac_global_roles_changes").on("postgres_changes", {
+      event: "*",
+      schema: "public",
+      table: "rbac_global_roles"
+    }, (payload) => {
+      const payloadData = payload;
+      const { user_id } = payloadData.new || payloadData.old || {};
+      if (user_id) {
+        this.invalidateUser(user_id, `global_role_${payloadData.eventType || "unknown"}`);
+      }
+    });
+    const globalRolesSubscription = globalRolesChannel.subscribe();
+    this.channels.push(globalRolesSubscription);
+    const pagePermissionsChannel = this.supabase.channel("rbac_page_permissions_changes").on("postgres_changes", {
+      event: "*",
+      schema: "public",
+      table: "rbac_page_permissions"
+    }, (payload) => {
+      const { organisation_id, app_page_id } = payload.new || payload.old || {};
+      if (organisation_id) {
+        this.invalidateOrganisation(organisation_id, `page_permission_${payload.eventType}`);
+      }
+      if (app_page_id) {
+        this.invalidatePage(app_page_id, `page_permission_${payload.eventType}`);
+      }
+    });
+    const pagePermissionsSubscription = pagePermissionsChannel.subscribe();
+    this.channels.push(pagePermissionsSubscription);
+  }
+  /**
+   * Cleanup all realtime subscriptions
+   * Call this when the manager is no longer needed to prevent memory leaks
+   */
+  cleanup() {
+    this.channels.forEach((channel) => {
+      try {
+        if (channel && typeof channel.unsubscribe === "function") {
+          channel.unsubscribe();
+        }
+      } catch (error) {
+        log.warn("Failed to unsubscribe from channel:", error);
+      }
+    });
+    this.channels = [];
+    this.invalidationCallbacks.clear();
+  }
+  /**
+   * Manually trigger cache invalidation for all users in an organisation
+   * 
+   * @param organisationId - Organisation ID
+   * @param reason - Reason for invalidation
+   */
+  async invalidateAllUsersInOrganisation(organisationId, reason) {
+    const { data: users } = await this.supabase.from("rbac_organisation_roles").select("user_id").eq("organisation_id", organisationId).eq("is_active", true);
+    if (users) {
+      users.forEach(({ user_id }) => {
+        this.invalidateUser(user_id, reason);
+      });
+    }
+  }
+  /**
+   * Clear all cache entries
+   */
+  clearAllCache() {
+    log.debug("Clearing all cache entries");
+    rbacCache.clear();
+  }
+};
+var globalCacheInvalidationManager = null;
+function initializeCacheInvalidation(supabase) {
+  if (globalCacheInvalidationManager) {
+    globalCacheInvalidationManager.cleanup();
+  }
+  globalCacheInvalidationManager = new RBACCacheInvalidationManager(supabase);
+  return globalCacheInvalidationManager;
+}
+
+// src/rbac/errors.ts
+var RATE_LIMIT_STATUS_CODES = /* @__PURE__ */ new Set([429]);
+var AUTH_STATUS_CODES = /* @__PURE__ */ new Set([401]);
+var AUTHZ_STATUS_CODES = /* @__PURE__ */ new Set([403]);
+function normalize(value) {
+  if (!value) {
+    return "";
+  }
+  if (typeof value === "string") {
+    return value.toLowerCase();
+  }
+  if (value instanceof Error && typeof value.message === "string") {
+    return value.message.toLowerCase();
+  }
+  return String(value).toLowerCase();
+}
+function categorizeByErrorClass(error) {
+  if (error instanceof PermissionDeniedError) {
+    return "authorization_error" /* AUTHORIZATION */;
+  }
+  if (error instanceof OrganisationContextRequiredError || error instanceof InvalidScopeError) {
+    return "validation_error" /* VALIDATION */;
+  }
+  if (error instanceof MissingUserContextError) {
+    return "authentication_error" /* AUTHENTICATION */;
+  }
+  return null;
+}
+function categorizeByRBACErrorCode(error) {
+  if (!(error instanceof RBACError)) {
+    return null;
+  }
+  switch (error.code) {
+    case "PERMISSION_DENIED":
+      return "authorization_error" /* AUTHORIZATION */;
+    case "ORGANISATION_CONTEXT_REQUIRED":
+    case "INVALID_SCOPE":
+      return "validation_error" /* VALIDATION */;
+    case "MISSING_USER_CONTEXT":
+      return "authentication_error" /* AUTHENTICATION */;
+    default:
+      return null;
+  }
+}
+function categorizeByHttpStatus(error) {
+  if (!error || typeof error !== "object") {
+    return null;
+  }
+  const status = error.status;
+  if (typeof status !== "number") {
+    return null;
+  }
+  if (RATE_LIMIT_STATUS_CODES.has(status)) {
+    return "rate_limit_error" /* RATE_LIMIT */;
+  }
+  if (AUTH_STATUS_CODES.has(status)) {
+    return "authentication_error" /* AUTHENTICATION */;
+  }
+  if (AUTHZ_STATUS_CODES.has(status)) {
+    return "authorization_error" /* AUTHORIZATION */;
+  }
+  if (status >= 500) {
+    return "database_error" /* DATABASE */;
+  }
+  return null;
+}
+function categorizeByCodeString(error) {
+  if (!error || typeof error !== "object") {
+    return null;
+  }
+  const codeValue = normalize(error.code);
+  if (!codeValue) {
+    return null;
+  }
+  if (codeValue.includes("network")) {
+    return "network_error" /* NETWORK */;
+  }
+  if (codeValue.includes("postgres") || codeValue.includes("database") || codeValue.includes("db")) {
+    return "database_error" /* DATABASE */;
+  }
+  if (codeValue.includes("rate")) {
+    return "rate_limit_error" /* RATE_LIMIT */;
+  }
+  if (codeValue.includes("auth")) {
+    return "authentication_error" /* AUTHENTICATION */;
+  }
+  if (codeValue.includes("permission")) {
+    return "authorization_error" /* AUTHORIZATION */;
+  }
+  if (codeValue.includes("scope") || codeValue.includes("invalid")) {
+    return "validation_error" /* VALIDATION */;
+  }
+  return null;
+}
+function categorizeByMessage(error) {
+  const message = normalize(error);
+  if (message.includes("timeout") || message.includes("network") || message.includes("fetch")) {
+    return "network_error" /* NETWORK */;
+  }
+  if (message.includes("postgres") || message.includes("database") || message.includes("connection")) {
+    return "database_error" /* DATABASE */;
+  }
+  if (message.includes("rate limit") || message.includes("too many requests")) {
+    return "rate_limit_error" /* RATE_LIMIT */;
+  }
+  if (message.includes("permission") || message.includes("forbidden")) {
+    return "authorization_error" /* AUTHORIZATION */;
+  }
+  if (message.includes("auth") || message.includes("token") || message.includes("session")) {
+    return "authentication_error" /* AUTHENTICATION */;
+  }
+  if (message.includes("invalid") || message.includes("scope") || message.includes("validation")) {
+    return "validation_error" /* VALIDATION */;
+  }
+  return null;
+}
+function categorizeError(error) {
+  const byClass = categorizeByErrorClass(error);
+  if (byClass !== null) return byClass;
+  const byCode = categorizeByRBACErrorCode(error);
+  if (byCode !== null) return byCode;
+  const byStatus = categorizeByHttpStatus(error);
+  if (byStatus !== null) return byStatus;
+  const byCodeString = categorizeByCodeString(error);
+  if (byCodeString !== null) return byCodeString;
+  const byMessage = categorizeByMessage(error);
+  if (byMessage !== null) return byMessage;
+  return "unknown_error" /* UNKNOWN */;
+}
+function mapErrorCategoryToSecurityEventType(category) {
+  switch (category) {
+    case "authorization_error" /* AUTHORIZATION */:
+      return "permission_denied";
+    case "network_error" /* NETWORK */:
+      return "network_error";
+    case "database_error" /* DATABASE */:
+      return "database_error";
+    case "validation_error" /* VALIDATION */:
+      return "validation_error";
+    case "rate_limit_error" /* RATE_LIMIT */:
+      return "rate_limit_error";
+    case "authentication_error" /* AUTHENTICATION */:
+      return "authentication_error";
+    case "unknown_error" /* UNKNOWN */:
+    default:
+      return "unknown_error";
+  }
+}
+
+// src/rbac/security.ts
+var log2 = createLogger("RBACSecurity");
+var RBACSecurityValidator = class {
+  /**
+   * Validate permission string format
+   * @param permission - Permission string to validate
+   * @returns True if valid, false otherwise
+   */
+  static validatePermission(permission) {
+    if (typeof permission !== "string" || permission.length === 0) {
+      return false;
+    }
+    const permissionRegex = /^(read|create|update|delete):[a-z0-9._-]+$/;
+    return permissionRegex.test(permission);
+  }
+  /**
+   * Validate UUID format
+   * @param uuid - UUID string to validate
+   * @returns True if valid, false otherwise
+   */
+  static validateUUID(uuid) {
+    if (typeof uuid !== "string" || uuid.length === 0) {
+      return false;
+    }
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    return uuidRegex.test(uuid);
+  }
+  /**
+   * Validate scope object
+   * @param scope - Scope object to validate
+   * @returns True if valid, false otherwise
+   */
+  static validateScope(scope) {
+    if (!scope || typeof scope !== "object") {
+      return false;
+    }
+    if (scope.organisationId !== void 0) {
+      if (typeof scope.organisationId === "string" && scope.organisationId.trim() === "") {
+        return false;
+      }
+      if (scope.organisationId && !this.validateUUID(scope.organisationId)) {
+        return false;
+      }
+    }
+    if (scope.eventId && typeof scope.eventId !== "string") {
+      return false;
+    }
+    if (scope.appId && !this.validateUUID(scope.appId)) {
+      return false;
+    }
+    return !!(scope.organisationId || scope.eventId || scope.appId);
+  }
+  /**
+   * Sanitize input string to prevent injection attacks
+   * @param input - Input string to sanitize
+   * @returns Sanitized string
+   */
+  static sanitizeInput(input) {
+    if (typeof input !== "string") {
+      return "";
+    }
+    return input.replace(/<[^>]*>/g, "").replace(/[<>\"'&]/g, "").replace(/[;()]/g, "").replace(/javascript:/gi, "").replace(/data:/gi, "").trim();
+  }
+  /**
+   * Validate user ID format
+   * @param userId - User ID to validate
+   * @returns True if valid, false otherwise
+   */
+  static validateUserId(userId) {
+    return this.validateUUID(userId);
+  }
+  /**
+   * Check if permission is a wildcard permission
+   * @param permission - Permission string to check
+   * @returns True if wildcard, false otherwise
+   */
+  static isWildcardPermission(permission) {
+    return permission.includes("*") || permission.endsWith(":*");
+  }
+  /**
+   * Validate permission hierarchy
+   * @param permission - Permission to validate
+   * @param requiredOperation - Required operation
+   * @returns True if permission matches or is higher in hierarchy
+   */
+  static validatePermissionHierarchy(permission, requiredOperation) {
+    if (!this.validatePermission(permission)) {
+      return false;
+    }
+    const [operation] = permission.split(":");
+    const hierarchy = ["read", "create", "update", "delete"];
+    const permissionLevel = hierarchy.indexOf(operation);
+    const requiredLevel = hierarchy.indexOf(requiredOperation);
+    if (permissionLevel === -1 || requiredLevel === -1) {
+      return false;
+    }
+    return permissionLevel >= requiredLevel;
+  }
+  /**
+   * Rate limiting check (placeholder for future implementation)
+   * @param userId - User ID
+   * @param operation - Operation being performed
+   * @returns True if within rate limit, false otherwise
+   */
+  static async checkRateLimit(_userId, _operation) {
+    return true;
+  }
+  // Only warn once per 5 seconds per user
+  static logSecurityEvent(event) {
+    const securityEvent = {
+      ...event,
+      timestamp: event.timestamp || /* @__PURE__ */ new Date(),
+      severity: this.getEventSeverity(event.type)
+    };
+    if (event.type === "rate_limit_exceeded") {
+      const now = Date.now();
+      const userWarning = this.rateLimitWarningCount.get(event.userId);
+      if (userWarning) {
+        const timeSinceLastWarning = now - userWarning.lastWarning;
+        if (timeSinceLastWarning < this.RATE_LIMIT_WARNING_THROTTLE_MS) {
+          userWarning.count++;
+          this.rateLimitWarningCount.set(event.userId, userWarning);
+          return;
+        } else {
+          log2.warn("Security event (throttled):", {
+            ...securityEvent,
+            details: {
+              ...securityEvent.details,
+              suppressedWarnings: userWarning.count,
+              message: `Rate limit exceeded (${userWarning.count + 1} times in last ${Math.round(timeSinceLastWarning / 1e3)}s)`
+            }
+          });
+          this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
+          return;
+        }
+      } else {
+        this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
+        log2.warn("Security event:", securityEvent);
+        return;
+      }
+    }
+    log2.warn("Security event:", securityEvent);
+  }
+  /**
+   * Get severity level for security event
+   * @param eventType - Type of security event
+   * @returns Severity level
+   */
+  static getEventSeverity(eventType) {
+    switch (eventType) {
+      case "permission_denied":
+        return "low";
+      case "invalid_input":
+      case "rate_limit_exceeded":
+      case "rate_limit_error":
+      case "network_error":
+        return "medium";
+      case "validation_error":
+        return "high";
+      case "authentication_error":
+      case "database_error":
+        return "critical";
+      case "suspicious_activity":
+      case "unknown_error":
+        return "high";
+      default:
+        return "low";
+    }
+  }
+};
+/**
+ * Log security event for monitoring
+ * @param event - Security event details
+ */
+RBACSecurityValidator.rateLimitWarningCount = /* @__PURE__ */ new Map();
+RBACSecurityValidator.RATE_LIMIT_WARNING_THROTTLE_MS = 5e3;
+var DEFAULT_SECURITY_CONFIG = {
+  enableInputValidation: true,
+  enableRateLimiting: true,
+  enableAuditLogging: true,
+  maxPermissionChecksPerMinute: 1e3,
+  // Increased from 100 to 1000 for normal app usage
+  suspiciousActivityThreshold: 10
+};
+var RBACSecurityMiddleware = class {
+  constructor(config = DEFAULT_SECURITY_CONFIG) {
+    /**
+     * In-memory rate limiting cache (sliding window)
+     * Note: For production, this should use Redis or Supabase Edge Functions
+     */
+    this.rateLimitCache = /* @__PURE__ */ new Map();
+    this.config = config;
+    this._startCleanupInterval();
+  }
+  /**
+   * Start periodic cleanup of expired entries
+   */
+  _startCleanupInterval() {
+    setInterval(() => {
+      this.clearExpiredEntries();
+    }, 5 * 60 * 1e3);
+  }
+  /**
+   * Validate input before processing
+   * @param input - Input to validate
+   * @param context - Security context
+   * @returns Validation result
+   */
+  async validateInput(input, context) {
+    const errors = [];
+    if (!RBACSecurityValidator.validateUserId(context.userId)) {
+      errors.push("Invalid user ID format");
+    }
+    const permission = typeof input.permission === "string" ? input.permission : "";
+    const isPagePermission = permission.includes(":page.") || !!input.pageId;
+    const requiresOrgId = !isPagePermission;
+    if (requiresOrgId) {
+      if (!context.organisationId) {
+        errors.push("Organisation ID is required for resource-level permissions");
+      } else if (!RBACSecurityValidator.validateUUID(context.organisationId)) {
+        errors.push("Invalid organisation ID format");
+      }
+    } else {
+      if (context.organisationId && !RBACSecurityValidator.validateUUID(context.organisationId)) {
+        errors.push("Invalid organisation ID format");
+      }
+    }
+    if (permission && !RBACSecurityValidator.validatePermission(permission)) {
+      errors.push("Invalid permission format");
+    }
+    if (input.scope && !RBACSecurityValidator.validateScope(input.scope)) {
+      errors.push("Invalid scope format");
+    }
+    if (this.config.enableInputValidation) {
+      if (context.ipAddress && typeof context.ipAddress !== "string") {
+        errors.push("Invalid IP address format");
+      }
+      if (context.userAgent && typeof context.userAgent !== "string") {
+        errors.push("Invalid user agent format");
+      }
+    }
+    if (errors.length > 0) {
+      RBACSecurityValidator.logSecurityEvent({
+        type: "invalid_input",
+        userId: context.userId,
+        details: { errors, input: this.sanitizeInput(JSON.stringify(input)) }
+      });
+    }
+    return {
+      isValid: errors.length === 0,
+      errors
+    };
+  }
+  /**
+   * Check rate limiting
+   * @param context - Security context
+   * @returns Rate limit check result
+   */
+  async checkRateLimit(context) {
+    if (!this.config.enableRateLimiting) {
+      return { isAllowed: true, remaining: this.config.maxPermissionChecksPerMinute };
+    }
+    const isAllowed = await this._checkRateLimitInternal(context.userId);
+    const remaining = isAllowed ? this.config.maxPermissionChecksPerMinute - this._getRequestCount(context.userId) : 0;
+    return {
+      isAllowed,
+      remaining: Math.max(0, remaining)
+    };
+  }
+  async _checkRateLimitInternal(userId) {
+    const now = Date.now();
+    const windowMs = 60 * 1e3;
+    const entries = this.rateLimitCache.get(userId) || [];
+    const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
+    const requestCount = validEntries.length;
+    const isAllowed = requestCount < this.config.maxPermissionChecksPerMinute;
+    if (isAllowed) {
+      validEntries.push({ timestamp: now });
+    }
+    this.rateLimitCache.set(userId, validEntries);
+    return isAllowed;
+  }
+  _getRequestCount(userId) {
+    const now = Date.now();
+    const windowMs = 60 * 1e3;
+    const entries = this.rateLimitCache.get(userId) || [];
+    const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
+    return validEntries.length;
+  }
+  /**
+   * Clear old rate limit entries to prevent memory leaks
+   * Should be called periodically (e.g., every 5 minutes)
+   */
+  clearExpiredEntries() {
+    const now = Date.now();
+    const windowMs = 60 * 1e3;
+    for (const [userId, entries] of this.rateLimitCache.entries()) {
+      const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
+      if (validEntries.length === 0) {
+        this.rateLimitCache.delete(userId);
+      } else {
+        this.rateLimitCache.set(userId, validEntries);
+      }
+    }
+  }
+  /**
+   * Sanitize input data
+   * @param input - Input to sanitize
+   * @returns Sanitized input
+   */
+  sanitizeInput(input) {
+    return RBACSecurityValidator.sanitizeInput(input);
+  }
+};
+
+// src/rbac/config.ts
+var logger = createLogger("RBAC");
+var RBACConfigManager = class {
+  constructor() {
+    this.config = null;
+    this.logger = null;
+  }
+  setConfig(config) {
+    this.config = config;
+    this.setupLogger();
+  }
+  getConfig() {
+    return this.config;
+  }
+  getLogger() {
+    if (!this.logger) {
+      this.logger = this.createDefaultLogger();
+    }
+    return this.logger;
+  }
+  setupLogger() {
+    if (!this.config) return;
+    const { debug = false, logLevel = "warn" } = this.config;
+    this.logger = {
+      error: (message, ...args) => {
+        logger.error(message, ...args);
+      },
+      warn: (message, ...args) => {
+        if (logLevel === "warn" || logLevel === "info" || logLevel === "debug") {
+          logger.warn(message, ...args);
+        }
+      },
+      info: (message, ...args) => {
+        if (logLevel === "info" || logLevel === "debug") {
+          logger.info(message, ...args);
+        }
+      },
+      debug: (message, ...args) => {
+        if (debug && logLevel === "debug") {
+          logger.debug(message, ...args);
+        }
+      }
+    };
+  }
+  createDefaultLogger() {
+    return {
+      error: (message, ...args) => logger.error(message, ...args),
+      warn: (message, ...args) => logger.warn(message, ...args),
+      info: (message, ...args) => logger.info(message, ...args),
+      debug: (message, ...args) => logger.debug(message, ...args)
+    };
+  }
+  isDebugMode() {
+    return this.config?.debug ?? false;
+  }
+  isDevelopmentMode() {
+    return this.config?.developmentMode ?? false;
+  }
+  getMockPermissions() {
+    return this.config?.mockPermissions ?? null;
+  }
+};
+var configManager = new RBACConfigManager();
+function createRBACConfig(config) {
+  configManager.setConfig(config);
+  return config;
+}
+function getRBACConfig() {
+  return configManager.getConfig();
+}
+function getRBACLogger() {
+  return configManager.getLogger();
+}
+function isDebugMode() {
+  return configManager.isDebugMode();
+}
+function isDevelopmentMode() {
+  return configManager.isDevelopmentMode();
+}
+
+// src/rbac/engine.ts
+var RBACEngine = class {
+  constructor(supabase, securityConfig) {
+    this.supabase = supabase;
+    const mergedSecurityConfig = {
+      ...DEFAULT_SECURITY_CONFIG,
+      ...securityConfig
+    };
+    this.securityMiddleware = new RBACSecurityMiddleware(mergedSecurityConfig);
+    initializeCacheInvalidation(supabase);
+  }
+  /**
+   * Check if a user has a specific permission
+   * 
+   * This method now delegates to the database RPC function for all the heavy lifting.
+   * 
+   * @param input - Permission check input
+   * @param securityContext - Security context for validation (required)
+   * @returns Promise resolving to permission result
+   */
+  async isPermitted(input, securityContext) {
+    const startTime = Date.now();
+    const { userId, permission, scope, pageId } = input;
+    let cacheHit = false;
+    let cacheSource = "rpc";
+    try {
+      const validation = await this.securityMiddleware.validateInput(input, securityContext);
+      if (!validation.isValid) {
+        const scopeRejected = validation.errors.includes("Invalid scope format");
+        getRBACLogger().warn("[RBAC] Validation failed \u2014 check that an event is selected if the Menu/units page requires it.", {
+          errors: validation.errors,
+          scope: input.scope,
+          permission: input.permission
+        });
+        RBACSecurityValidator.logSecurityEvent({
+          type: "invalid_input",
+          userId,
+          details: {
+            errors: validation.errors,
+            input: JSON.stringify(input),
+            ...scopeRejected && { scopeRejected: input.scope }
+          }
+        });
+        if (scopeRejected) {
+          getRBACLogger().warn("[RBAC] Invalid scope (from middleware). Scope must have at least one of organisationId, eventId, appId; no empty strings.", {
+            scope: input.scope,
+            permission: input.permission,
+            userId
+          });
+        }
+        return false;
+      }
+      const rateLimit = await this.securityMiddleware.checkRateLimit(securityContext);
+      if (!rateLimit.isAllowed) {
+        RBACSecurityValidator.logSecurityEvent({
+          type: "rate_limit_exceeded",
+          userId,
+          details: { remaining: rateLimit.remaining }
+        });
+        return false;
+      }
+      if (!RBACSecurityValidator.validateUserId(userId)) {
+        RBACSecurityValidator.logSecurityEvent({
+          type: "invalid_input",
+          userId,
+          details: { error: "Invalid user ID format" }
+        });
+        return false;
+      }
+      if (!RBACSecurityValidator.validatePermission(permission)) {
+        RBACSecurityValidator.logSecurityEvent({
+          type: "invalid_input",
+          userId,
+          details: { error: "Invalid permission format", permission }
+        });
+        return false;
+      }
+      if (!RBACSecurityValidator.validateScope(scope)) {
+        RBACSecurityValidator.logSecurityEvent({
+          type: "invalid_input",
+          userId,
+          details: { error: "Invalid scope format", scope }
+        });
+        getRBACLogger().warn("[RBAC] Invalid scope (engine check). Scope must have at least one of organisationId, eventId, appId; no empty strings.", {
+          scope,
+          permission,
+          userId
+        });
+        return false;
+      }
+      const cacheKey = RBACCache.generateKey(
+        userId,
+        permission,
+        scope.organisationId,
+        scope.eventId,
+        scope.appId,
+        pageId
+      );
+      const cached = rbacCache.get(cacheKey);
+      if (cached !== null) {
+        cacheHit = true;
+        cacheSource = "memory";
+        return cached;
+      }
+      const { data, error } = await this.supabase.rpc("rbac_check_permission_simplified", {
+        p_user_id: userId,
+        p_permission: permission,
+        p_organisation_id: scope.organisationId || void 0,
+        p_event_id: scope.eventId || void 0,
+        p_app_id: scope.appId || void 0,
+        p_page_id: pageId || void 0
+      });
+      if (error) {
+        const logger2 = getRBACLogger();
+        logger2.error("RPC error:", error);
+        const category = categorizeError(error);
+        const eventType = mapErrorCategoryToSecurityEventType(category);
+        const errorDetails = error;
+        RBACSecurityValidator.logSecurityEvent({
+          type: eventType,
+          userId,
+          details: {
+            error: errorDetails?.message || "RPC call failed",
+            code: errorDetails?.code,
+            hint: errorDetails?.hint,
+            details: errorDetails?.details,
+            permission,
+            scope: JSON.stringify(scope),
+            category
+          }
+        });
+        return false;
+      }
+      const hasPermission = data === true;
+      rbacCache.set(cacheKey, hasPermission, 6e4);
+      const duration = Date.now() - startTime;
+      if (scope.organisationId) {
+        const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
+        await emitAuditEvent({
+          type: hasPermission ? "permission_check" : "permission_denied",
+          userId,
+          organisationId: scope.organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId,
+          pageId: resolvedPageId,
+          permission,
+          decision: hasPermission,
+          source: "api",
+          duration_ms: duration,
+          cache_hit: cacheHit,
+          cache_source: cacheSource
+        });
+      }
+      return hasPermission;
+    } catch (error) {
+      const category = categorizeError(error);
+      const eventType = mapErrorCategoryToSecurityEventType(category);
+      const errorMessage = error instanceof Error ? error.message : "Unknown error";
+      RBACSecurityValidator.logSecurityEvent({
+        type: eventType,
+        userId,
+        details: {
+          error: errorMessage,
+          permission,
+          scope: JSON.stringify(scope),
+          category
+        }
+      });
+      const logger2 = getRBACLogger();
+      logger2.error("Permission check failed:", error);
+      return false;
+    }
+  }
+  /**
+   * Get user's access level in a scope
+   * 
+   * This is derived from roles, not permissions.
+   * 
+   * @param input - Access level input
+   * @returns Promise resolving to access level
+   */
+  async getAccessLevel(input) {
+    const { userId, scope } = input;
+    const cacheKey = RBACCache.generateAccessLevelKey(
+      userId,
+      scope.organisationId || "",
+      scope.eventId,
+      scope.appId
+    );
+    const cached = rbacCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
+    if (isSuperAdmin2) {
+      rbacCache.set(cacheKey, "super", 6e4);
+      return "super";
+    }
+    if (scope.organisationId) {
+      const { data: orgRoles } = await this.supabase.from("rbac_organisation_roles").select("role").eq("user_id", userId).eq("organisation_id", scope.organisationId).eq("status", "active").is("revoked_at", null).lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).limit(1);
+      const orgRole = orgRoles?.[0];
+      if (orgRole?.role === "org_admin") {
+        rbacCache.set(cacheKey, "admin", 6e4);
+        return "admin";
+      }
+    }
+    if (scope.eventId && scope.appId) {
+      const { data: eventRole } = await this.supabase.from("rbac_event_app_roles").select("role").eq("user_id", userId).eq("event_id", scope.eventId).eq("app_id", scope.appId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).single();
+      if (eventRole?.role === "event_admin") {
+        rbacCache.set(cacheKey, "admin", 6e4);
+        return "admin";
+      }
+      if (eventRole?.role === "planner") {
+        rbacCache.set(cacheKey, "planner", 6e4);
+        return "planner";
+      }
+      if (eventRole?.role === "participant") {
+        rbacCache.set(cacheKey, "participant", 6e4);
+        return "participant";
+      }
+    }
+    rbacCache.set(cacheKey, "viewer", 6e4);
+    return "viewer";
+  }
+  /**
+   * Get user's permission map for a scope
+   * 
+   * This builds a map of page IDs to allowed operations.
+   * Uses the simplified RPC for each permission check.
+   * 
+   * @param input - Permission map input
+   * @returns Promise resolving to permission map
+   */
+  async getPermissionMap(input) {
+    const { userId, scope } = input;
+    const cacheKey = RBACCache.generatePermissionMapKey(
+      userId,
+      scope.organisationId || "",
+      scope.eventId,
+      scope.appId
+    );
+    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
+    if (isSuperAdmin2) {
+      const wildcardMap = { "*": true };
+      rbacCache.set(cacheKey, wildcardMap, 6e4);
+      return wildcardMap;
+    }
+    if (!scope.organisationId) {
+      return {};
+    }
+    const cached = rbacCache.get(cacheKey);
+    if (cached) {
+      return cached;
+    }
+    const permissionMap = {};
+    if (scope.appId) {
+      const { data: pages } = await this.supabase.from("rbac_app_pages").select("id, page_name").eq("app_id", scope.appId);
+      if (pages) {
+        if (!scope.organisationId) {
+          rbacCache.set(cacheKey, permissionMap, 6e4);
+          return permissionMap;
+        }
+        const securityContext = {
+          userId,
+          organisationId: scope.organisationId,
+          // Required
+          timestamp: /* @__PURE__ */ new Date()
+        };
+        for (const page of pages) {
+          for (const operation of ["read", "create", "update", "delete"]) {
+            const permissionString = `${operation}:page.${page.page_name}`;
+            const hasPermission = await this.isPermitted(
+              {
+                userId,
+                scope,
+                permission: permissionString,
+                pageId: page.id
+              },
+              securityContext
+            );
+            const permissionKey = permissionString;
+            permissionMap[permissionKey] = hasPermission;
+          }
+        }
+      }
+    }
+    rbacCache.set(cacheKey, permissionMap, 6e4);
+    return permissionMap;
+  }
+  async resolveAppContext(input) {
+    try {
+      const { userId, appName } = input;
+      const { data, error } = await this.supabase.rpc("data_app_resolve", {
+        p_user_id: userId,
+        p_app_name: appName
+      });
+      if (error) {
+        const logger2 = getRBACLogger();
+        logger2.error("Failed to resolve app context:", error);
+        return null;
+      }
+      if (!data || !Array.isArray(data) || data.length === 0) {
+        return null;
+      }
+      const appData = data[0];
+      if (!appData?.app_id) {
+        return null;
+      }
+      return {
+        appId: appData.app_id,
+        hasAccess: appData.has_access !== false
+      };
+    } catch (error) {
+      const logger2 = getRBACLogger();
+      logger2.error("Unexpected error resolving app context:", error);
+      return null;
+    }
+  }
+  async getRoleContext(input) {
+    const result = {
+      globalRole: null,
+      organisationRole: null,
+      eventAppRole: null
+    };
+    try {
+      const { userId, scope } = input;
+      const { data, error } = await this.supabase.rpc("rbac_permissions_get", {
+        p_user_id: userId,
+        p_organisation_id: scope.organisationId || null,
+        p_event_id: scope.eventId || null,
+        p_app_id: scope.appId || null,
+        p_page_id: null
+        // Optional: can filter to specific page if needed
+      });
+      if (error) {
+        const logger2 = getRBACLogger();
+        logger2.error("Failed to load role context:", error);
+        return result;
+      }
+      if (!Array.isArray(data)) {
+        return result;
+      }
+      const mapToOrganisationRole = (level) => {
+        switch (level) {
+          case "supporter":
+            return "supporter";
+          case "member":
+            return "member";
+          case "leader":
+            return "leader";
+          case "org_admin":
+          case "admin":
+          case "super":
+            return "org_admin";
+          default:
+            return null;
+        }
+      };
+      const mapToEventAppRole = (level) => {
+        switch (level) {
+          case "viewer":
+            return "viewer";
+          case "participant":
+            return "participant";
+          case "planner":
+            return "planner";
+          case "admin":
+          case "super":
+            return "event_admin";
+          default:
+            return null;
+        }
+      };
+      for (const permission of data) {
+        if (permission.permission_type === "all_permissions") {
+          result.globalRole = "super_admin";
+        }
+        if (permission.permission_type === "organisation_access") {
+          result.organisationRole = mapToOrganisationRole(permission.role_name);
+        }
+        if (permission.permission_type === "event_app_access") {
+          result.eventAppRole = mapToEventAppRole(permission.role_name);
+        }
+      }
+      return result;
+    } catch (error) {
+      const logger2 = getRBACLogger();
+      logger2.error("Unexpected error loading role context:", error);
+      return result;
+    }
+  }
+  /**
+   * Check if user is super admin
+   * 
+   * @param userId - User ID
+   * @returns Promise resolving to super admin status
+   */
+  async checkSuperAdmin(userId) {
+    const cacheKey = `super_admin:${userId}`;
+    const cached = rbacCache.get(cacheKey);
+    if (cached !== null) {
+      return cached;
+    }
+    const startTime = Date.now();
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    try {
+      const { data, error } = await this.supabase.from("rbac_global_roles").select("role").eq("user_id", userId).eq("role", "super_admin").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).limit(1);
+      const elapsed = Date.now() - startTime;
+      if (elapsed > 2e3) {
+        const logger2 = getRBACLogger();
+        const errorMessage = error && typeof error === "object" && "message" in error ? String(error.message) : void 0;
+        logger2.warn("[RBACEngine] Super admin check took longer than expected", {
+          userId,
+          elapsedMs: elapsed,
+          error: errorMessage
+        });
+      }
+      const isSuperAdmin2 = !error && data && data.length > 0;
+      rbacCache.set(cacheKey, isSuperAdmin2, 6e4);
+      return Boolean(isSuperAdmin2);
+    } catch (err2) {
+      const elapsed = Date.now() - startTime;
+      const logger2 = getRBACLogger();
+      logger2.error("[RBACEngine] Error checking super admin", {
+        userId,
+        error: err2,
+        elapsedMs: elapsed
+      });
+      return false;
+    }
+  }
+  /**
+   * Resolve a page ID to UUID if it's a page name
+   * 
+   * @param pageId - Page ID (UUID) or page name (string)
+   * @param appId - App ID to look up the page
+   * @returns Resolved page ID (UUID) or original pageId
+   */
+  async resolvePageId(pageId, appId) {
+    if (!pageId) {
+      return void 0;
+    }
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    if (uuidRegex.test(pageId)) {
+      return pageId;
+    }
+    if (!appId) {
+      return pageId;
+    }
+    try {
+      const { data: page, error: pageError } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).maybeSingle();
+      if (pageError) {
+        const logger2 = getRBACLogger();
+        if (pageError.code !== "PGRST116") {
+          logger2.warn("Failed to resolve page name to UUID:", { pageId, appId, error: pageError });
+        }
+        return pageId;
+      }
+      return page?.id || pageId;
+    } catch (error) {
+      const logger2 = getRBACLogger();
+      logger2.warn("Failed to resolve page name to UUID:", { pageId, appId, error });
+      return pageId;
+    }
+  }
+};
+function createRBACEngine(supabase, securityConfig) {
+  return new RBACEngine(supabase, securityConfig);
+}
+
+// src/rbac/performance.ts
+var RBACPerformanceMonitor = class {
+  constructor() {
+    this.metrics = {
+      totalChecks: 0,
+      cacheHits: 0,
+      cacheMisses: 0,
+      cacheHitRate: 0,
+      deduplicatedRequests: 0,
+      networkRequests: 0,
+      averageResponseTime: 0,
+      totalResponseTime: 0,
+      batchedAuditEvents: 0,
+      individualAuditEvents: 0
+    };
+    this.enabled = false;
+  }
+  /**
+   * Enable or disable performance monitoring
+   */
+  setEnabled(enabled) {
+    this.enabled = enabled;
+  }
+  /**
+   * Check if performance monitoring is enabled
+   */
+  isEnabled() {
+    return this.enabled;
+  }
+  /**
+   * Record a permission check
+   */
+  recordCheck(cacheHit, responseTime, wasDeduplicated = false) {
+    if (!this.enabled) {
+      return;
+    }
+    this.metrics.totalChecks++;
+    if (cacheHit) {
+      this.metrics.cacheHits++;
+    } else {
+      this.metrics.cacheMisses++;
+      this.metrics.networkRequests++;
+    }
+    if (wasDeduplicated) {
+      this.metrics.deduplicatedRequests++;
+    }
+    this.metrics.totalResponseTime += responseTime;
+    this.metrics.averageResponseTime = this.metrics.totalResponseTime / this.metrics.totalChecks;
+    this.metrics.cacheHitRate = this.metrics.cacheHits / this.metrics.totalChecks;
+  }
+  /**
+   * Record an audit event
+   */
+  recordAuditEvent(batched) {
+    if (!this.enabled) {
+      return;
+    }
+    if (batched) {
+      this.metrics.batchedAuditEvents++;
+    } else {
+      this.metrics.individualAuditEvents++;
+    }
+  }
+  /**
+   * Get current metrics
+   */
+  getMetrics() {
+    return { ...this.metrics };
+  }
+  /**
+   * Reset all metrics
+   */
+  reset() {
+    this.metrics = {
+      totalChecks: 0,
+      cacheHits: 0,
+      cacheMisses: 0,
+      cacheHitRate: 0,
+      deduplicatedRequests: 0,
+      networkRequests: 0,
+      averageResponseTime: 0,
+      totalResponseTime: 0,
+      batchedAuditEvents: 0,
+      individualAuditEvents: 0
+    };
+  }
+  /**
+   * Get metrics summary as a formatted string
+   */
+  getSummary() {
+    const m = this.metrics;
+    return `
+RBAC Performance Metrics:
+  Total Checks: ${m.totalChecks}
+  Cache Hits: ${m.cacheHits} (${(m.cacheHitRate * 100).toFixed(1)}%)
+  Cache Misses: ${m.cacheMisses}
+  Deduplicated Requests: ${m.deduplicatedRequests}
+  Network Requests: ${m.networkRequests}
+  Average Response Time: ${m.averageResponseTime.toFixed(2)}ms
+  Batched Audit Events: ${m.batchedAuditEvents}
+  Individual Audit Events: ${m.individualAuditEvents}
+`;
+  }
+};
+var performanceMonitor = new RBACPerformanceMonitor();
+function enablePerformanceMonitoring() {
+  performanceMonitor.setEnabled(true);
+}
+function disablePerformanceMonitoring() {
+  performanceMonitor.setEnabled(false);
+}
+function isPerformanceMonitoringEnabled() {
+  return performanceMonitor.isEnabled();
+}
+function recordPermissionCheck(cacheHit, responseTime, wasDeduplicated = false) {
+  performanceMonitor.recordCheck(cacheHit, responseTime, wasDeduplicated);
+}
+function recordAuditEvent(batched) {
+  performanceMonitor.recordAuditEvent(batched);
+}
+function getPerformanceMetrics() {
+  return performanceMonitor.getMetrics();
+}
+function resetPerformanceMetrics() {
+  performanceMonitor.reset();
+}
+function getPerformanceSummary() {
+  return performanceMonitor.getSummary();
+}
+
+// src/rbac/request-deduplication.ts
+var inFlightRequests = /* @__PURE__ */ new Map();
+function generateDeduplicationKey(input) {
+  return RBACCache.generatePermissionKey({
+    userId: input.userId,
+    organisationId: input.scope.organisationId,
+    // Can be undefined for page-level permissions
+    eventId: input.scope.eventId,
+    appId: input.scope.appId,
+    permission: input.permission,
+    pageId: input.pageId
+  });
+}
+async function getOrCreateRequest(input, checkFn) {
+  const key = generateDeduplicationKey(input);
+  const existingRequest = inFlightRequests.get(key);
+  if (existingRequest) {
+    return existingRequest;
+  }
+  const requestPromise = checkFn(input).finally(() => {
+    inFlightRequests.delete(key);
+  });
+  inFlightRequests.set(key, requestPromise);
+  return requestPromise;
+}
+function clearInFlightRequests() {
+  inFlightRequests.clear();
+}
+function getInFlightRequestCount() {
+  return inFlightRequests.size;
+}
+
+// src/rbac/utils/eventContext.ts
+var orgDerivationCache = /* @__PURE__ */ new Map();
+var MAX_CACHE_SIZE = 100;
+async function getOrganisationFromEvent(supabase, eventId) {
+  if (orgDerivationCache.has(eventId)) {
+    return ok(orgDerivationCache.get(eventId) ?? null);
+  }
+  try {
+    const { data, error } = await supabase.from("core_events").select("organisation_id").eq("event_id", eventId).single();
+    let organisationId = null;
+    if (error) {
+      return err({ code: "ORG_FROM_EVENT_FAILED", message: error.message ?? "Failed to get organisation from event" });
+    }
+    if (data?.organisation_id) {
+      organisationId = data.organisation_id;
+    }
+    if (orgDerivationCache.size >= MAX_CACHE_SIZE) {
+      const firstKey = orgDerivationCache.keys().next().value;
+      if (firstKey) {
+        orgDerivationCache.delete(firstKey);
+      }
+    }
+    orgDerivationCache.set(eventId, organisationId);
+    return ok(organisationId);
+  } catch (e) {
+    return err({ code: "ORG_FROM_EVENT_FAILED", message: e instanceof Error ? e.message : String(e) });
+  }
+}
+
+// src/rbac/utils/contextValidator.ts
+var log3 = createLogger("ContextValidator");
+function allowsOptionalContexts(appName) {
+  return appName === "PORTAL" || appName === "ADMIN";
+}
+var ContextValidator = class {
+  /**
+   * Derive organisation ID from event ID
+   * 
+   * @param supabase - Supabase client
+   * @param eventId - Event ID
+   * @returns Organisation ID or null
+   */
+  static async deriveOrgFromEvent(supabase, eventId) {
+    const result = await getOrganisationFromEvent(supabase, eventId);
+    if (!result.ok) {
+      return null;
+    }
+    return result.data;
+  }
+  /**
+   * Resolve scope based on page-level scope_type
+   * 
+   * This method handles page-level scoping. All pages have explicit scope_type set.
+   * Used for hybrid apps that have both event and organisation pages.
+   * 
+   * @param scope - Current scope
+   * @param pageScopeType - Page scope type ('event', 'organisation', or 'both')
+   * @param appName - App name (for PORTAL/ADMIN special case)
+   * @param supabase - Supabase client (for deriving org from event, only if not already provided)
+   * @param immediateOrganisationId - Optional immediate organisation ID (from selectedEvent.organisation_id) - avoids querying
+   * @returns Resolved scope with all required context
+   */
+  static async resolveScopeForPage(scope, pageScopeType, appName, supabase, immediateOrganisationId) {
+    const effectiveScopeType = pageScopeType;
+    if (effectiveScopeType === "both") {
+      if (!scope.organisationId && !scope.eventId) {
+        if (allowsOptionalContexts(appName)) {
+          return {
+            isValid: true,
+            resolvedScope: {
+              organisationId: void 0,
+              eventId: void 0,
+              appId: scope.appId
+            },
+            error: null
+          };
+        }
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new Error("Page requires either organisation or event context")
+        };
+      }
+      let organisationId = scope.organisationId || immediateOrganisationId || void 0;
+      if (!organisationId && scope.eventId && supabase) {
+        try {
+          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
+          organisationId = derivedOrgId || void 0;
+        } catch (error) {
+          log3.warn("Failed to derive org from event for both-scope page:", error);
+        }
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    if (effectiveScopeType === "event") {
+      if (!scope.eventId) {
+        if (allowsOptionalContexts(appName)) {
+          return {
+            isValid: true,
+            resolvedScope: {
+              organisationId: scope.organisationId,
+              eventId: void 0,
+              appId: scope.appId
+            },
+            error: null
+          };
+        }
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new EventContextRequiredError()
+        };
+      }
+      let organisationId = scope.organisationId || immediateOrganisationId || void 0;
+      if (!organisationId && supabase && scope.eventId) {
+        try {
+          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
+          organisationId = derivedOrgId || void 0;
+          if (!organisationId) {
+            return {
+              isValid: false,
+              resolvedScope: null,
+              error: new Error("Could not resolve organisation from event context")
+            };
+          }
+        } catch (error) {
+          log3.error("Failed to derive org from event:", error);
+          return {
+            isValid: false,
+            resolvedScope: null,
+            error: error instanceof Error ? error : new Error("Failed to derive organisation from event")
+          };
+        }
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    if (effectiveScopeType === "organisation") {
+      if (!scope.organisationId) {
+        if (allowsOptionalContexts(appName)) {
+          return {
+            isValid: true,
+            resolvedScope: {
+              organisationId: void 0,
+              eventId: scope.eventId,
+              appId: scope.appId
+            },
+            error: null
+          };
+        }
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new OrganisationContextRequiredError()
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId: scope.organisationId,
+          eventId: scope.eventId,
+          // Event is optional for org-scoped pages
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    return {
+      isValid: false,
+      resolvedScope: null,
+      error: new Error("Invalid scope type")
+    };
+  }
+};
+
+// src/rbac/api.ts
+var log4 = createLogger("RBACAPI");
+var UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function normalizeScope(scope) {
+  const org = scope.organisationId;
+  const ev = scope.eventId;
+  const app = scope.appId;
+  const hasOrg = typeof org === "string" && org.trim() !== "";
+  const hasEv = typeof ev === "string" && ev.trim() !== "";
+  const hasApp = typeof app === "string" && app.trim() !== "";
+  return {
+    ...hasOrg ? { organisationId: org } : {},
+    ...hasEv ? { eventId: ev } : {},
+    ...hasApp ? { appId: app } : {}
+  };
+}
+function toApiError(error) {
+  if (error instanceof RBACNotInitializedError) {
+    return { code: "RBAC_NOT_INITIALIZED", message: error.message };
+  }
+  if (error instanceof OrganisationContextRequiredError) {
+    return { code: "ORGANISATION_CONTEXT_REQUIRED", message: error.message };
+  }
+  const message = error instanceof Error ? error.message : String(error);
+  return { code: "RBAC_ERROR", message };
+}
+var globalEngine = null;
+function setupRBAC(supabase, config) {
+  const isDevelopment = import.meta.env.MODE === "development";
+  const fullConfig = {
+    supabase,
+    debug: isDevelopment,
+    logLevel: "warn",
+    developmentMode: isDevelopment,
+    ...config
+  };
+  createRBACConfig(fullConfig);
+  const securityConfig = config === void 0 && !isDevelopment ? void 0 : {
+    // Default: disable rate limiting in development
+    ...isDevelopment && config?.security?.enableRateLimiting === void 0 ? { enableRateLimiting: false } : {},
+    // Explicit config overrides defaults
+    ...config?.security
+  };
+  globalEngine = createRBACEngine(supabase, securityConfig);
+  const useBatchedAudit = config?.audit?.batched !== false && config?.performance?.enableBatchedAuditLogging !== false;
+  const batchConfig = useBatchedAudit ? {
+    batchWindow: config?.audit?.batchWindow,
+    batchSize: config?.audit?.batchSize
+  } : void 0;
+  const auditManager = createAuditManager(supabase, useBatchedAudit, batchConfig);
+  setGlobalAuditManager(auditManager);
+  if (config?.performance?.enablePerformanceTracking) {
+    enablePerformanceMonitoring();
+  }
+}
+function isRBACInitialized() {
+  return globalEngine !== null;
+}
+function getEngine() {
+  if (!globalEngine) {
+    throw new RBACNotInitializedError();
+  }
+  return globalEngine;
+}
+async function getAccessLevel(input, appName) {
+  try {
+    const engine = getEngine();
+    const isSuperAdminUser = await engine["checkSuperAdmin"](input.userId);
+    if (isSuperAdminUser) {
+      return ok("super");
+    }
+    const validation = await ContextValidator.resolveScopeForPage(
+      input.scope,
+      "organisation",
+      // Default to organisation scope when no page context
+      appName,
+      engine["supabase"]
+    );
+    if (!validation.isValid || !validation.resolvedScope) {
+      throw validation.error || new OrganisationContextRequiredError();
+    }
+    const accessLevel = await engine.getAccessLevel({
+      ...input,
+      scope: validation.resolvedScope
+    });
+    return ok(accessLevel);
+  } catch (error) {
+    return err(toApiError(error));
+  }
+}
+async function getPermissionMap(input, appName) {
+  try {
+    const engine = getEngine();
+    const validation = await ContextValidator.resolveScopeForPage(
+      input.scope,
+      "organisation",
+      // Default to organisation scope when no page context
+      appName,
+      engine["supabase"]
+    );
+    if (!validation.isValid || !validation.resolvedScope) {
+      throw validation.error || new OrganisationContextRequiredError();
+    }
+    const permissionMap = await engine.getPermissionMap({
+      ...input,
+      scope: validation.resolvedScope
+    });
+    return ok(permissionMap);
+  } catch (error) {
+    return err(toApiError(error));
+  }
+}
+async function resolveAppContext(input) {
+  try {
+    const engine = getEngine();
+    const context = await engine.resolveAppContext(input);
+    return ok(context);
+  } catch (error) {
+    return err(toApiError(error));
+  }
+}
+async function getRoleContext(input, appName) {
+  try {
+    const engine = getEngine();
+    const validation = await ContextValidator.resolveScopeForPage(
+      input.scope,
+      "organisation",
+      // Default to organisation scope when no page context
+      appName,
+      engine["supabase"]
+    );
+    if (!validation.isValid || !validation.resolvedScope) {
+      throw validation.error || new OrganisationContextRequiredError();
+    }
+    const roleContext = await engine.getRoleContext({
+      ...input,
+      scope: validation.resolvedScope
+    });
+    return ok(roleContext);
+  } catch (error) {
+    return err(toApiError(error));
+  }
+}
+async function isPermitted(input, appName, precomputedSuperAdmin = null) {
+  try {
+    const engine = getEngine();
+    if (!input.scope || typeof input.scope !== "object") {
+      return ok(false);
+    }
+    const normalizedInputScope = normalizeScope(input.scope);
+    if (!RBACSecurityValidator.validateScope(normalizedInputScope)) {
+      return ok(false);
+    }
+    let inputWithNormalizedScope = { ...input, scope: normalizedInputScope };
+    if (precomputedSuperAdmin === true) {
+      return ok(true);
+    }
+    if (precomputedSuperAdmin === null) {
+      const isSuperAdminUser = await engine["checkSuperAdmin"](input.userId);
+      if (isSuperAdminUser) {
+        return ok(true);
+      }
+    }
+    let scopeForCheck = inputWithNormalizedScope.scope;
+    const isPageName = input.pageId && typeof input.pageId === "string" && !UUID_REGEX.test(input.pageId);
+    const hasEventId = typeof scopeForCheck.eventId === "string" && scopeForCheck.eventId.trim() !== "";
+    const noAppId = !scopeForCheck.appId || typeof scopeForCheck.appId === "string" && scopeForCheck.appId.trim() === "";
+    if (isPageName && hasEventId && noAppId) {
+      const currentAppName = getCurrentAppName();
+      if (currentAppName) {
+        try {
+          const { data: app } = await engine["supabase"].from("rbac_apps").select("id").eq("name", currentAppName).eq("is_active", true).maybeSingle();
+          if (app) {
+            scopeForCheck = { ...scopeForCheck, appId: app.id };
+            inputWithNormalizedScope = { ...inputWithNormalizedScope, scope: scopeForCheck };
+          }
+        } catch (_err) {
+        }
+      }
+    }
+    let resolvedAppName = appName;
+    if (!resolvedAppName && inputWithNormalizedScope.scope.appId) {
+      try {
+        const { data } = await engine["supabase"].from("rbac_apps").select("name").eq("id", inputWithNormalizedScope.scope.appId).eq("is_active", true).single();
+        if (data) {
+          resolvedAppName = data.name;
+        }
+      } catch (_err) {
+      }
+    }
+    let pageScopeType;
+    if (input.pageId) {
+      const scopeResult = await getPageScopeType(
+        input.pageId,
+        inputWithNormalizedScope.scope.appId,
+        resolvedAppName
+      );
+      if (!scopeResult.ok) {
+        log4.error("Failed to get page scope type:", scopeResult.error);
+        return err(scopeResult.error);
+      }
+      if (!scopeResult.data) {
+        return err({ code: "PAGE_SCOPE_TYPE_MISSING", message: `Page ${input.pageId} does not have scope_type set` });
+      }
+      pageScopeType = scopeResult.data;
+    } else {
+      pageScopeType = "organisation";
+    }
+    const validation = await ContextValidator.resolveScopeForPage(
+      inputWithNormalizedScope.scope,
+      pageScopeType,
+      resolvedAppName,
+      engine["supabase"]
+    );
+    if (!validation.isValid || !validation.resolvedScope) {
+      throw validation.error || new OrganisationContextRequiredError();
+    }
+    const validatedScope = normalizeScope(validation.resolvedScope);
+    if (!RBACSecurityValidator.validateScope(validatedScope)) {
+      log4.warn("Scope has no valid identifier after normalisation \u2014 skipping engine call", {
+        permission: input.permission,
+        pageId: input.pageId
+      });
+      return ok(false);
+    }
+    if (pageScopeType === "both" && input.pageId) {
+      const eventScope = {
+        organisationId: validatedScope.organisationId,
+        // Org derived from event
+        eventId: validatedScope.eventId,
+        appId: validatedScope.appId
+      };
+      const eventSecurityContext = {
+        userId: input.userId,
+        organisationId: eventScope.organisationId || null,
+        timestamp: /* @__PURE__ */ new Date()
+      };
+      const eventInput = {
+        ...input,
+        scope: eventScope
+      };
+      const hasEventPermission = await engine.isPermitted(eventInput, eventSecurityContext);
+      if (validatedScope.organisationId && validatedScope.eventId) {
+        const orgScope = {
+          organisationId: validatedScope.organisationId,
+          eventId: void 0,
+          // Clear event for org-only check
+          appId: validatedScope.appId
+        };
+        const orgSecurityContext = {
+          userId: input.userId,
+          organisationId: orgScope.organisationId || null,
+          timestamp: /* @__PURE__ */ new Date()
+        };
+        const orgInput = {
+          ...input,
+          scope: orgScope
+        };
+        const hasOrgPermission = await engine.isPermitted(orgInput, orgSecurityContext);
+        return ok(hasEventPermission || hasOrgPermission);
+      }
+      return ok(hasEventPermission);
+    }
+    const securityContext = {
+      userId: input.userId,
+      organisationId: validatedScope.organisationId || null,
+      timestamp: /* @__PURE__ */ new Date()
+    };
+    const validatedInput = {
+      ...input,
+      scope: validatedScope
+    };
+    const permitted = await engine.isPermitted(validatedInput, securityContext);
+    return ok(permitted);
+  } catch (error) {
+    return err(toApiError(error));
+  }
+}
+async function isPermittedCached(input, appName) {
+  const { userId, scope, permission, pageId } = input;
+  const cacheKey = RBACCache.generatePermissionKey({
+    userId,
+    organisationId: scope.organisationId,
+    eventId: scope.eventId,
+    appId: scope.appId,
+    permission,
+    pageId
+  });
+  const cached = rbacCache.get(cacheKey, true);
+  if (cached !== null) {
+    return ok(cached);
+  }
+  return getOrCreateRequest(input, async (checkInput) => {
+    const result = await isPermitted(checkInput, appName, null);
+    if (!result.ok) {
+      return result;
+    }
+    const isPageLevelCheck = !!pageId || permission.includes("page.");
+    rbacCache.set(cacheKey, result.data, void 0, isPageLevelCheck);
+    return ok(result.data);
+  });
+}
+async function hasAnyPermission(input) {
+  const { permissions, ...baseInput } = input;
+  for (const permission of permissions) {
+    const result = await isPermitted({
+      ...baseInput,
+      permission
+    });
+    if (!result.ok) {
+      return result;
+    }
+    if (result.data) {
+      return ok(true);
+    }
+  }
+  return ok(false);
+}
+async function hasAllPermissions(input) {
+  const { permissions, ...baseInput } = input;
+  for (const permission of permissions) {
+    const result = await isPermitted({
+      ...baseInput,
+      permission
+    });
+    if (!result.ok) {
+      return result;
+    }
+    if (!result.data) {
+      return ok(false);
+    }
+  }
+  return ok(true);
+}
+async function isSuperAdmin(userId) {
+  try {
+    const engine = getEngine();
+    const value = await engine["checkSuperAdmin"](userId);
+    return ok(value);
+  } catch (error) {
+    return err(toApiError(error));
+  }
+}
+async function getPageScopeType(pageId, appId, appName) {
+  try {
+    const engine = getEngine();
+    let resolvedAppId = appId;
+    if (!resolvedAppId && appName) {
+      const { data: app, error: appError } = await engine["supabase"].from("rbac_apps").select("id, name, is_active").eq("name", appName).eq("is_active", true).maybeSingle();
+      if (appError) {
+        log4.error("Error resolving appId from appName", {
+          appName,
+          pageId,
+          error: appError,
+          errorMessage: appError instanceof Error ? appError.message : String(appError)
+        });
+        return err({ code: "APP_RESOLVE_FAILED", message: `Failed to resolve appId from appName "${appName}": ${appError instanceof Error ? appError.message : String(appError)}` });
+      }
+      if (!app) {
+        log4.error("App not found or inactive", { appName, pageId });
+        return err({ code: "APP_NOT_FOUND", message: `Could not resolve appId for appName "${appName}" - app not found or not active` });
+      }
+      resolvedAppId = app.id;
+    }
+    if (!resolvedAppId) {
+      log4.error("No appId resolved", { pageId, appId, appName });
+      return err({ code: "APP_ID_REQUIRED", message: `Could not resolve appId for page ${pageId} - appId and appName both missing or invalid` });
+    }
+    let resolvedPageId = pageId;
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    if (!uuidRegex.test(pageId)) {
+      const { data: page, error: pageError } = await engine["supabase"].from("rbac_app_pages").select("id, page_name, app_id").eq("app_id", resolvedAppId).eq("page_name", pageId).maybeSingle();
+      if (pageError) {
+        log4.error("Error resolving pageId from page_name", { pageId, appId: resolvedAppId, appName, error: pageError });
+        return err({ code: "PAGE_RESOLVE_FAILED", message: `Failed to resolve pageId "${pageId}" for appId ${resolvedAppId}: ${pageError instanceof Error ? pageError.message : String(pageError)}` });
+      }
+      if (!page) {
+        log4.error("Page not found in database", { pageId, appId: resolvedAppId, appName });
+        return err({ code: "PAGE_NOT_FOUND", message: `Could not resolve pageId "${pageId}" to a valid UUID - page not found for appId ${resolvedAppId}` });
+      }
+      resolvedPageId = page.id;
+    }
+    if (!uuidRegex.test(resolvedPageId)) {
+      log4.error("PageId resolution failed - not a valid UUID", { originalPageId: pageId, resolvedPageId, appId: resolvedAppId, appName });
+      return err({ code: "PAGE_ID_INVALID", message: `Could not resolve pageId ${pageId} to a valid UUID` });
+    }
+    const { data: pageData, error } = await engine["supabase"].from("rbac_app_pages").select("scope_type, page_name, app_id").eq("id", resolvedPageId).single();
+    if (error) {
+      log4.error("Error fetching page scope type from database", { pageId: resolvedPageId, originalPageId: pageId, appId: resolvedAppId, appName, error });
+      return err({ code: "PAGE_SCOPE_FETCH_FAILED", message: `Failed to get page scope type: ${error instanceof Error ? error.message : String(error)}` });
+    }
+    if (!pageData || !pageData.scope_type) {
+      log4.error("Page found but scope_type is missing", { pageId: resolvedPageId, originalPageId: pageId, appId: resolvedAppId, appName, pageData });
+      return err({ code: "PAGE_SCOPE_TYPE_MISSING", message: `Page ${resolvedPageId} does not have scope_type set` });
+    }
+    return ok(pageData.scope_type);
+  } catch (error) {
+    log4.error("Error fetching page scope type (catch block)", { pageId, appId, appName, error });
+    return err(toApiError(error));
+  }
+}
+async function isOrganisationAdmin(userId, organisationId) {
+  const result = await getAccessLevel({
+    userId,
+    scope: { organisationId }
+  });
+  if (!result.ok) {
+    return result;
+  }
+  return ok(result.data === "admin" || result.data === "super");
+}
+async function isEventAdmin(userId, scope) {
+  if (!scope.eventId || !scope.appId) {
+    return ok(false);
+  }
+  const result = await getAccessLevel({ userId, scope });
+  if (!result.ok) {
+    return result;
+  }
+  return ok(result.data === "admin" || result.data === "super");
+}
+function invalidateUserCache(userId, organisationId) {
+  const patterns = organisationId ? [
+    CACHE_PATTERNS.PERMISSION(userId, organisationId),
+    `access:${userId}:${organisationId}:`,
+    `map:${userId}:${organisationId}:`
+  ] : [
+    `perm:${userId}:`,
+    `access:${userId}:`,
+    `map:${userId}:`
+  ];
+  patterns.forEach((pattern) => rbacCache.invalidate(pattern));
+}
+function invalidateOrganisationCache(organisationId) {
+  rbacCache.invalidate(CACHE_PATTERNS.ORGANISATION(organisationId));
+}
+function invalidateEventCache(eventId) {
+  rbacCache.invalidate(CACHE_PATTERNS.EVENT(eventId));
+}
+function invalidateAppCache(appId) {
+  rbacCache.invalidate(CACHE_PATTERNS.APP(appId));
+}
+function clearCache() {
+  rbacCache.clear();
+}
+
+export { CACHE_PATTERNS, ContextValidator, EventContextRequiredError, OrganisationContextRequiredError, RBACCache, RBACEngine, clearCache, clearInFlightRequests, createRBACConfig, createRBACEngine, disablePerformanceMonitoring, enablePerformanceMonitoring, getAccessLevel, getInFlightRequestCount, getPageScopeType, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getRBACConfig, getRBACLogger, getRoleContext, hasAllPermissions, hasAnyPermission, invalidateAppCache, invalidateEventCache, invalidateOrganisationCache, invalidateUserCache, isDebugMode, isDevelopmentMode, isEventAdmin, isOrganisationAdmin, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isSuperAdmin, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setupRBAC };