@jmruthers/pace-core 0.6.11 → 0.6.12

package/dist/{chunk-YYTWKVHO.js → chunk-MVVWZ7JV.js}

@@ -1,10 +1,10 @@
-import { AccessDenied } from './chunk-PCSHBLPB.js';
-import { useResolvedScope, scopeEqual, useCan, Alert, AlertTitle, useMultiplePermissions } from './chunk-V7FTM2LU.js';
-import { useEvents } from './chunk-WY6Y7KC3.js';
-import { useUnifiedAuth, useOrganisations } from './chunk-4R3T5ENU.js';
+import { AccessDenied } from './chunk-NJ7FGQWB.js';
+import { useResolvedScope, scopeEqual, useCan, Alert, AlertTitle, useMultiplePermissions } from './chunk-H6RTU4DZ.js';
+import { useEvents } from './chunk-QWIG36BZ.js';
+import { useUnifiedAuth, useOrganisations } from './chunk-S57OLCLO.js';
 import { setPrintTitle } from './chunk-D6BMFMQZ.js';
-import { getRBACLogger, isSuperAdmin } from './chunk-7A6IMHH2.js';
-import { cn, LoadingSpinner } from './chunk-UZNAFKGW.js';
+import { getRBACLogger, isSuperAdmin } from './chunk-YFGNMB67.js';
+import { cn, LoadingSpinner } from './chunk-VFLR5K2H.js';
 import { createLogger } from './chunk-BTHN5MKC.js';
 import React, { useEffect, useRef, useMemo, useState, useCallback } from 'react';
 import { jsx, jsxs, Fragment } from 'react/jsx-runtime';
@@ -58,7 +58,7 @@ function useSuperAdminCheck(userId) {
     const startTime = Date.now();
     const checkSuperAdmin = async () => {
       try {
-        const { isSuperAdmin: checkSuperAdmin2 } = await import('./api-BZR2CYXL.js');
+        const { isSuperAdmin: checkSuperAdmin2 } = await import('./api-6OQXYT67.js');
         const timeoutPromise = new Promise((_, reject) => {
           setTimeout(() => reject(new Error("Super admin check timeout")), 1e4);
         });
@@ -141,7 +141,7 @@ function usePageGuardScope({
     return newScope;
   }, [effectiveScope, contextAppId, selectedEventId, allowsOptionalContexts]);
   const shouldBypassScopeForSuperAdmin = isSuperAdmin2 === true;
-  const scopeForPermissionCheck = shouldBypassScopeForSuperAdmin && !stableScope?.organisationId ? { organisationId: void 0, appId: contextAppId || void 0, eventId: selectedEventId || void 0 } : stableScope;
+  const scopeForPermissionCheck = scopeLoading ? null : shouldBypassScopeForSuperAdmin && !stableScope?.organisationId ? { organisationId: void 0, appId: contextAppId || void 0, eventId: selectedEventId || void 0 } : stableScope;
   return {
     effectiveScope,
     stableScope,
@@ -164,7 +164,7 @@ function usePagePermissionCheck({
   isSuperAdmin: isSuperAdmin2,
   appName
 }) {
-  const scope = shouldSkipPermissionCheck ? { ...dummyScope, appId: contextAppId } : scopeForPermissionCheck ?? dummyScope;
+  const scope = shouldSkipPermissionCheck ? { ...dummyScope, appId: contextAppId } : scopeForPermissionCheck;
   const { can, isLoading: canIsLoading, error: canError } = useCan(
     userId,
     scope,
@@ -454,9 +454,10 @@ function NavigationGuard({
   const validPermissions = (navigationItem.permissions || []).filter(
     (p) => typeof p === "string" && (p.startsWith("read:") || p.startsWith("create:") || p.startsWith("update:") || p.startsWith("delete:"))
   );
+  const scopeForCheck = effectiveScope ?? null;
   const { results: permissionResults, isLoading: permissionsLoading, error: permissionsError } = useMultiplePermissions(
     user?.id || "",
-    effectiveScope || { eventId: selectedEvent?.event_id || void 0 },
+    scopeForCheck,
     validPermissions,
     true
     // Use cache
@@ -601,13 +602,7 @@ function useResourcePermissions(resource, options = {}) {
     selectedEventId: selectedEvent?.event_id || null,
     selectedEventOrganisationId: selectedEvent?.organisation_id || null
   });
-  const scope = useMemo(() => {
-    return resolvedScope || {
-      organisationId: selectedOrganisation?.id || "",
-      eventId: selectedEvent?.event_id || void 0,
-      appId: void 0
-    };
-  }, [resolvedScope, selectedOrganisation?.id, selectedEvent?.event_id]);
+  const scopeForPermissionCheck = resolvedScope;
   const hasAppId = !!resolvedScope?.appId;
   const pageId = hasAppId ? resource : void 0;
   const isPagePermission = hasAppId && !!pageId;
@@ -617,7 +612,7 @@ function useResourcePermissions(resource, options = {}) {
   const readPermission = isPagePermission ? `read:page.${resource}` : `read:${resource}`;
   const { can: canCreateResult, isLoading: createLoading, error: createError } = useCan(
     user?.id || "",
-    scope,
+    scopeForPermissionCheck,
     createPermission,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
@@ -630,7 +625,7 @@ function useResourcePermissions(resource, options = {}) {
   );
   const { can: canUpdateResult, isLoading: updateLoading, error: updateError } = useCan(
     user?.id || "",
-    scope,
+    scopeForPermissionCheck,
     updatePermission,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
@@ -643,7 +638,7 @@ function useResourcePermissions(resource, options = {}) {
   );
   const { can: canDeleteResult, isLoading: deleteLoading, error: deleteError } = useCan(
     user?.id || "",
-    scope,
+    scopeForPermissionCheck,
     deletePermission,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
@@ -656,7 +651,7 @@ function useResourcePermissions(resource, options = {}) {
   );
   const { can: canReadResult, isLoading: readLoading, error: readError } = useCan(
     user?.id || "",
-    scope,
+    scopeForPermissionCheck,
     readPermission,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
@@ -690,7 +685,7 @@ function useResourcePermissions(resource, options = {}) {
       canUpdateResult,
       canDeleteResult,
       canReadResult,
-      scope,
+      scope: scopeForPermissionCheck,
       isLoading,
       error
     }),
@@ -703,7 +698,7 @@ function useResourcePermissions(resource, options = {}) {
       canUpdateResult,
       canDeleteResult,
       canReadResult,
-      scope,
+      scopeForPermissionCheck,
       isLoading,
       error
     ]
@@ -1050,7 +1045,7 @@ function withPermissionGuard(config, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for permission check");
     }
-    const { isPermitted: isPermitted2 } = await import('./api-BZR2CYXL.js');
+    const { isPermitted: isPermitted2 } = await import('./api-6OQXYT67.js');
     const result = await isPermitted2({
       userId,
       scope: { organisationId, eventId, appId },
@@ -1076,7 +1071,7 @@ function withAccessLevelGuard(minLevel, handler) {
     if (!userId || !organisationId) {
       throw new Error("User context required for access level check");
     }
-    const { getAccessLevel: getAccessLevel2 } = await import('./api-BZR2CYXL.js');
+    const { getAccessLevel: getAccessLevel2 } = await import('./api-6OQXYT67.js');
     const result = await getAccessLevel2({
       userId,
       scope: { organisationId, eventId, appId }
@@ -1105,7 +1100,7 @@ function withRoleGuard(config, handler) {
       throw new Error("User context required for role check");
     }
     if (config.globalRoles && config.globalRoles.length > 0) {
-      const { isSuperAdmin: isSuperAdmin2 } = await import('./api-BZR2CYXL.js');
+      const { isSuperAdmin: isSuperAdmin2 } = await import('./api-6OQXYT67.js');
       const superResult = await isSuperAdmin2(userId);
       if (superResult.ok && superResult.data) {
         if (organisationId) {
@@ -1131,7 +1126,7 @@ function withRoleGuard(config, handler) {
       }
     }
     if (config.organisationRoles && config.organisationRoles.length > 0) {
-      const { isOrganisationAdmin } = await import('./api-BZR2CYXL.js');
+      const { isOrganisationAdmin } = await import('./api-6OQXYT67.js');
       const orgResult = await isOrganisationAdmin(userId, organisationId);
       if (!orgResult.ok) {
         throw new Error(orgResult.error.message);
@@ -1141,7 +1136,7 @@ function withRoleGuard(config, handler) {
       }
     }
     if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
-      const { isEventAdmin } = await import('./api-BZR2CYXL.js');
+      const { isEventAdmin } = await import('./api-6OQXYT67.js');
       const eventResult = await isEventAdmin(userId, { organisationId, eventId, appId });
       if (!eventResult.ok) {
         throw new Error(eventResult.error.message);
@@ -1184,7 +1179,7 @@ function createRBACMiddleware(config) {
     );
     if (protectedRoute) {
       try {
-        const { isPermitted: isPermitted2 } = await import('./api-BZR2CYXL.js');
+        const { isPermitted: isPermitted2 } = await import('./api-6OQXYT67.js');
         const result = await isPermitted2({
           userId,
           scope: { organisationId },
@@ -1211,7 +1206,7 @@ function createRBACExpressMiddleware(config) {
       return res.status(401).json({ error: "User context required" });
     }
     try {
-      const { isPermitted: isPermitted2 } = await import('./api-BZR2CYXL.js');
+      const { isPermitted: isPermitted2 } = await import('./api-6OQXYT67.js');
       const result = await isPermitted2({
         userId,
         scope: { organisationId, eventId, appId },

package/dist/{chunk-PCSHBLPB.js → chunk-NJ7FGQWB.js}

@@ -1,7 +1,7 @@
-import { Card, CardHeader, CardTitle, CardDescription, CardFooter, Button, useResolvedScope } from './chunk-V7FTM2LU.js';
-import { useEvents, useOrganisationSecurity } from './chunk-WY6Y7KC3.js';
-import { useUnifiedAuth, useOrganisations } from './chunk-4R3T5ENU.js';
-import { OrganisationContextRequiredError, getRBACLogger, resolveAppContext, getPageScopeType, ContextValidator, getPermissionMap, getRoleContext, getAccessLevel } from './chunk-7A6IMHH2.js';
+import { Card, CardHeader, CardTitle, CardDescription, CardFooter, Button, useResolvedScope } from './chunk-H6RTU4DZ.js';
+import { useEvents, useOrganisationSecurity } from './chunk-QWIG36BZ.js';
+import { useUnifiedAuth, useOrganisations } from './chunk-S57OLCLO.js';
+import { OrganisationContextRequiredError, getRBACLogger, resolveAppContext, getPageScopeType, ContextValidator, getPermissionMap, getRoleContext, getAccessLevel } from './chunk-YFGNMB67.js';
 import { Logger, logger } from './chunk-BTHN5MKC.js';
 import { createClient } from '@supabase/supabase-js';
 import { ShieldX } from 'lucide-react';
@@ -9,7 +9,7 @@ import { jsxs, jsx } from 'react/jsx-runtime';
 import { useState, useCallback, useMemo, useEffect, useRef } from 'react';
 
 // src/rbac/utils/clientSecurity.ts
-var SECURE_CLIENT_SYMBOL = Symbol("pace-core-secure-client");
+var SECURE_CLIENT_SYMBOL = /* @__PURE__ */ Symbol("pace-core-secure-client");
 function isSecureClient(client) {
   if (!client) return false;
   return client[SECURE_CLIENT_SYMBOL] === true;

package/dist/{chunk-WY6Y7KC3.js → chunk-QWIG36BZ.js}

@@ -1,4 +1,4 @@
-import { EventServiceContext, useEventService, useUnifiedAuth, useOrganisations } from './chunk-4R3T5ENU.js';
+import { EventServiceContext, useEventService, useUnifiedAuth, useOrganisations } from './chunk-S57OLCLO.js';
 import { logger } from './chunk-BTHN5MKC.js';
 import { useContext, useState, useEffect, useMemo, useRef, useCallback } from 'react';
 
@@ -100,7 +100,7 @@ async function hasPermissionImpl(ctx, permission, orgId) {
   const targetOrgId = orgId || ctx.selectedOrganisation?.id;
   if (!targetOrgId || !ctx.user) return false;
   try {
-    const { isPermittedCached } = await import('./api-BZR2CYXL.js');
+    const { isPermittedCached } = await import('./api-6OQXYT67.js');
     const scope = {
       organisationId: targetOrgId,
       eventId: ctx.user.user_metadata?.eventId || ctx.user.app_metadata?.eventId,
@@ -122,7 +122,7 @@ async function getUserPermissionsImpl(ctx, orgId) {
   const targetOrgId = orgId || ctx.selectedOrganisation?.id;
   if (!targetOrgId || !ctx.user) return [];
   try {
-    const { getPermissionMap } = await import('./api-BZR2CYXL.js');
+    const { getPermissionMap } = await import('./api-6OQXYT67.js');
     const scope = {
       organisationId: targetOrgId,
       eventId: ctx.user.user_metadata?.eventId || ctx.user.app_metadata?.eventId,

package/dist/{chunk-4R3T5ENU.js → chunk-S57OLCLO.js}

@@ -1,5 +1,5 @@
 import { setPrintAppName } from './chunk-D6BMFMQZ.js';
-import { isRBACInitialized, setupRBAC } from './chunk-7A6IMHH2.js';
+import { isRBACInitialized, setupRBAC } from './chunk-YFGNMB67.js';
 import { assertOrganisationId, assertUserId } from './chunk-4SXLQIZO.js';
 import { secureStorage } from './chunk-RMLY6KB5.js';
 import { createLogger, logger } from './chunk-BTHN5MKC.js';
@@ -1112,7 +1112,7 @@ var _OrganisationService = class _OrganisationService extends BaseService {
       return false;
     }
     try {
-      const { isSuperAdmin: checkSuperAdmin, isRBACInitialized: isRBACInitialized2, setupRBAC: setupRBAC2 } = await import('./api-BZR2CYXL.js');
+      const { isSuperAdmin: checkSuperAdmin, isRBACInitialized: isRBACInitialized2, setupRBAC: setupRBAC2 } = await import('./api-6OQXYT67.js');
       if (!isRBACInitialized2() && this.supabaseClient) {
         setupRBAC2(this.supabaseClient);
       }
@@ -1381,7 +1381,7 @@ var _EventService = class _EventService extends BaseService {
       return;
     }
     try {
-      const { isRBACInitialized: isRBACInitialized2, isSuperAdmin: checkSuperAdmin, setupRBAC: setupRBAC2 } = await import('./api-BZR2CYXL.js');
+      const { isRBACInitialized: isRBACInitialized2, isSuperAdmin: checkSuperAdmin, setupRBAC: setupRBAC2 } = await import('./api-6OQXYT67.js');
       if (!isRBACInitialized2() && this.supabaseClient) {
         setupRBAC2(this.supabaseClient);
       }
@@ -1455,7 +1455,10 @@ var _EventService = class _EventService extends BaseService {
   // Event methods
   setSelectedEvent(event) {
     if (event) {
-      this.selectedEvent = event;
+      const orgId = event.organisation_id;
+      const missingOrg = !orgId || typeof orgId === "string" && orgId.trim() === "";
+      const eventToStore = missingOrg && this.selectedOrganisation?.id ? { ...event, organisation_id: this.selectedOrganisation.id } : event;
+      this.selectedEvent = eventToStore;
       this.setSelectedEventId?.(event.event_id);
       this.persistEventSelection(event.event_id).catch((error) => {
         logger.warn("EventService", "Failed to persist event selection:", error);
@@ -1582,7 +1585,7 @@ var _EventService = class _EventService extends BaseService {
   async resolveOrganisationIdForRpc() {
     let userIsSuperAdmin = this.isSuperAdmin;
     try {
-      const { isRBACInitialized: isRBACInitialized2, isSuperAdmin: checkSuperAdmin, setupRBAC: setupRBAC2 } = await import('./api-BZR2CYXL.js');
+      const { isRBACInitialized: isRBACInitialized2, isSuperAdmin: checkSuperAdmin, setupRBAC: setupRBAC2 } = await import('./api-6OQXYT67.js');
       if (!isRBACInitialized2() && this.supabaseClient) {
         setupRBAC2(this.supabaseClient);
       }
@@ -2465,7 +2468,7 @@ function useAppIdResolution(supabase, appName, isAuth, currentUserId) {
     resolvedUserIdRef.current = currentUserId;
     const userId = currentUserId;
     const appNameValue = appName;
-    import('./api-BZR2CYXL.js').then(async ({ resolveAppContext, setupRBAC: setupRBAC2 }) => {
+    import('./api-6OQXYT67.js').then(async ({ resolveAppContext, setupRBAC: setupRBAC2 }) => {
       try {
         setupRBAC2(supabase);
         const result = await resolveAppContext({ userId, appName: appNameValue });

package/dist/chunk-VFLR5K2H.js

@@ -0,0 +1,23 @@
+import { clsx } from 'clsx';
+import { twMerge } from 'tailwind-merge';
+import { jsx } from 'react/jsx-runtime';
+
+// src/utils/core/cn.ts
+function cn(...inputs) {
+  return twMerge(clsx(inputs));
+}
+var LoadingSpinner = ({
+  size = "md",
+  className = ""
+}) => {
+  const sizeClasses = {
+    sm: "size-4",
+    md: "size-6",
+    lg: "size-8"
+  };
+  const validSize = size && size in sizeClasses ? size : "md";
+  const sizeClass = sizeClasses[validSize];
+  return /* @__PURE__ */ jsx("canvas", { className: `inline-block animate-spin rounded-full border-2 border-solid border-current border-r-transparent motion-reduce:animate-[spin_1.5s_linear_infinite] ${sizeClass} ${className}`.trim(), role: "status", children: /* @__PURE__ */ jsx("span", { className: "sr-only", children: "Loading..." }) });
+};
+
+export { LoadingSpinner, cn };

package/dist/{chunk-2OEVOGGR.js → chunk-Y2LWSLLB.js}

@@ -1,9 +1,9 @@
-import { Button, IconButton, mergeRefs, Alert, AlertTitle, AlertDescription, ButtonGroup, Card, CardHeader, CardDescription, CardContent, CardFooter, CardTitle, useCan, useResolvedScope } from './chunk-V7FTM2LU.js';
+import { Button, IconButton, mergeRefs, Alert, AlertTitle, AlertDescription, ButtonGroup, Card, CardHeader, CardDescription, CardContent, CardFooter, CardTitle, useCan, useResolvedScope } from './chunk-H6RTU4DZ.js';
 import { useFocusTrap, useIsPrint, useDataTablePerformance, toast } from './chunk-ENLXB7GP.js';
-import { useUnifiedAuth } from './chunk-4R3T5ENU.js';
-import { isSuperAdmin } from './chunk-7A6IMHH2.js';
+import { useUnifiedAuth } from './chunk-S57OLCLO.js';
+import { isSuperAdmin } from './chunk-YFGNMB67.js';
 import { renderSafeHtml } from './chunk-DDMPHZ3D.js';
-import { cn, LoadingSpinner } from './chunk-UZNAFKGW.js';
+import { cn, LoadingSpinner } from './chunk-VFLR5K2H.js';
 import { createLogger } from './chunk-BTHN5MKC.js';
 import { X as X$1 } from './chunk-CU2BU2MQ.js';
 import * as React7 from 'react';
@@ -7613,22 +7613,35 @@ function useDataTableEffectiveActions(params) {
     params.onDeleteSelected
   ]);
   const effectiveActions = useMemo(() => {
+    const defaultEditOnClick = (row) => {
+      if (!permissions.canUpdate.can) {
+        throw new Error("Insufficient permissions to edit this resource");
+      }
+      const rowIndex = data.findIndex((r) => r === row);
+      const rowId = resolvedGetRowId(row, rowIndex >= 0 ? rowIndex : 0);
+      stateActions.setEditingRow(rowId, toCellValueRecord(row));
+    };
     const result = [...actions];
-    if (secureFeatures.editing && secureHandlers.onEditRow && !result.some((a) => a.label === "Edit")) {
-      result.push({
-        label: "Edit",
-        onClick: (row) => {
-          if (!permissions.canUpdate.can) {
-            throw new Error("Insufficient permissions to edit this resource");
-          }
-          const rowIndex = data.findIndex((r) => r === row);
-          const rowId = resolvedGetRowId(row, rowIndex >= 0 ? rowIndex : 0);
-          stateActions.setEditingRow(rowId, toCellValueRecord(row));
-        },
-        icon: Edit,
-        testId: "edit",
-        hidden: !permissions.canUpdate.can
-      });
+    if (secureFeatures.editing && secureHandlers.onEditRow) {
+      const existingEditIndex = result.findIndex((a) => a.label === "Edit");
+      if (existingEditIndex >= 0) {
+        const customEdit = result[existingEditIndex];
+        result[existingEditIndex] = {
+          ...customEdit,
+          onClick: defaultEditOnClick,
+          icon: customEdit.icon ?? Edit,
+          testId: customEdit.testId ?? "edit",
+          hidden: customEdit.hidden ?? !permissions.canUpdate.can
+        };
+      } else {
+        result.push({
+          label: "Edit",
+          onClick: defaultEditOnClick,
+          icon: Edit,
+          testId: "edit",
+          hidden: !permissions.canUpdate.can
+        });
+      }
     }
     if (secureFeatures.deletion && secureHandlers.onDeleteRow && !result.some((a) => a.label === "Delete")) {
       const handleDelete = createDeleteHandler({
@@ -9098,10 +9111,13 @@ function useDataTableScope(options) {
   });
   const stableScopeRef = useRef({ ...EMPTY_SCOPE });
   if (rawResolvedScope) {
+    const org = rawResolvedScope.organisationId;
+    const ev = rawResolvedScope.eventId;
+    const app = rawResolvedScope.appId;
     const newScope = {
-      organisationId: rawResolvedScope.organisationId,
-      appId: rawResolvedScope.appId,
-      eventId: rawResolvedScope.eventId
+      organisationId: typeof org === "string" && org.trim() !== "" ? org : void 0,
+      eventId: typeof ev === "string" && ev.trim() !== "" ? ev : void 0,
+      appId: typeof app === "string" && app.trim() !== "" ? app : void 0
     };
     if (!scopeValuesEqual(stableScopeRef.current, newScope)) {
       stableScopeRef.current = { ...newScope };
@@ -9115,9 +9131,9 @@ function useDataTableScope(options) {
   const hasPageId = !!pageId && typeof pageId === "string";
   const canProceedWithoutFullScope = hasPageId && !isPageName;
   const shouldWaitForScope = needsAppIdForResolution && !stableScope.appId || scopeLoading && !canProceedWithoutFullScope;
-  const hasScopeValues = stableScope.organisationId || stableScope.appId || stableScope.eventId || canProceedWithoutFullScope;
-  const effectiveScope = !shouldWaitForScope && hasScopeValues ? stableScope : canProceedWithoutFullScope ? { ...EMPTY_SCOPE } : null;
-  const consistentScope = effectiveScope ?? { ...EMPTY_SCOPE };
+  const hasScopeValues = !!stableScope.organisationId || !!stableScope.appId || !!stableScope.eventId;
+  const effectiveScope = !shouldWaitForScope && hasScopeValues ? stableScope : null;
+  const consistentScope = effectiveScope;
   return { consistentScope };
 }
 

package/dist/{chunk-7A6IMHH2.js → chunk-YFGNMB67.js}

@@ -1,4 +1,5 @@
 import { emitAuditEvent, createAuditManager, setGlobalAuditManager } from './chunk-QRYSEPHB.js';
+import { getCurrentAppName } from './chunk-GHCUP64P.js';
 import { createLogger } from './chunk-BTHN5MKC.js';
 import { ok, err } from './chunk-44CNXN4P.js';
 
@@ -1145,11 +1146,28 @@ var RBACEngine = class {
     try {
       const validation = await this.securityMiddleware.validateInput(input, securityContext);
       if (!validation.isValid) {
+        const scopeRejected = validation.errors.includes("Invalid scope format");
+        getRBACLogger().warn("[RBAC] Validation failed \u2014 check that an event is selected if the Menu/units page requires it.", {
+          errors: validation.errors,
+          scope: input.scope,
+          permission: input.permission
+        });
         RBACSecurityValidator.logSecurityEvent({
           type: "invalid_input",
           userId,
-          details: { errors: validation.errors, input: JSON.stringify(input) }
+          details: {
+            errors: validation.errors,
+            input: JSON.stringify(input),
+            ...scopeRejected && { scopeRejected: input.scope }
+          }
         });
+        if (scopeRejected) {
+          getRBACLogger().warn("[RBAC] Invalid scope (from middleware). Scope must have at least one of organisationId, eventId, appId; no empty strings.", {
+            scope: input.scope,
+            permission: input.permission,
+            userId
+          });
+        }
         return false;
       }
       const rateLimit = await this.securityMiddleware.checkRateLimit(securityContext);
@@ -1183,6 +1201,11 @@ var RBACEngine = class {
           userId,
           details: { error: "Invalid scope format", scope }
         });
+        getRBACLogger().warn("[RBAC] Invalid scope (engine check). Scope must have at least one of organisationId, eventId, appId; no empty strings.", {
+          scope,
+          permission,
+          userId
+        });
         return false;
       }
       const cacheKey = RBACCache.generateKey(
@@ -1920,6 +1943,20 @@ var ContextValidator = class {
 
 // src/rbac/api.ts
 var log4 = createLogger("RBACAPI");
+var UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function normalizeScope(scope) {
+  const org = scope.organisationId;
+  const ev = scope.eventId;
+  const app = scope.appId;
+  const hasOrg = typeof org === "string" && org.trim() !== "";
+  const hasEv = typeof ev === "string" && ev.trim() !== "";
+  const hasApp = typeof app === "string" && app.trim() !== "";
+  return {
+    ...hasOrg ? { organisationId: org } : {},
+    ...hasEv ? { eventId: ev } : {},
+    ...hasApp ? { appId: app } : {}
+  };
+}
 function toApiError(error) {
   if (error instanceof RBACNotInitializedError) {
     return { code: "RBAC_NOT_INITIALIZED", message: error.message };
@@ -2050,6 +2087,14 @@ async function getRoleContext(input, appName) {
 async function isPermitted(input, appName, precomputedSuperAdmin = null) {
   try {
     const engine = getEngine();
+    if (!input.scope || typeof input.scope !== "object") {
+      return ok(false);
+    }
+    const normalizedInputScope = normalizeScope(input.scope);
+    if (!RBACSecurityValidator.validateScope(normalizedInputScope)) {
+      return ok(false);
+    }
+    let inputWithNormalizedScope = { ...input, scope: normalizedInputScope };
     if (precomputedSuperAdmin === true) {
       return ok(true);
     }
@@ -2059,10 +2104,27 @@ async function isPermitted(input, appName, precomputedSuperAdmin = null) {
         return ok(true);
       }
     }
+    let scopeForCheck = inputWithNormalizedScope.scope;
+    const isPageName = input.pageId && typeof input.pageId === "string" && !UUID_REGEX.test(input.pageId);
+    const hasEventId = typeof scopeForCheck.eventId === "string" && scopeForCheck.eventId.trim() !== "";
+    const noAppId = !scopeForCheck.appId || typeof scopeForCheck.appId === "string" && scopeForCheck.appId.trim() === "";
+    if (isPageName && hasEventId && noAppId) {
+      const currentAppName = getCurrentAppName();
+      if (currentAppName) {
+        try {
+          const { data: app } = await engine["supabase"].from("rbac_apps").select("id").eq("name", currentAppName).eq("is_active", true).maybeSingle();
+          if (app) {
+            scopeForCheck = { ...scopeForCheck, appId: app.id };
+            inputWithNormalizedScope = { ...inputWithNormalizedScope, scope: scopeForCheck };
+          }
+        } catch (_err) {
+        }
+      }
+    }
     let resolvedAppName = appName;
-    if (!resolvedAppName && input.scope.appId) {
+    if (!resolvedAppName && inputWithNormalizedScope.scope.appId) {
       try {
-        const { data } = await engine["supabase"].from("rbac_apps").select("name").eq("id", input.scope.appId).eq("is_active", true).single();
+        const { data } = await engine["supabase"].from("rbac_apps").select("name").eq("id", inputWithNormalizedScope.scope.appId).eq("is_active", true).single();
         if (data) {
           resolvedAppName = data.name;
         }
@@ -2073,7 +2135,7 @@ async function isPermitted(input, appName, precomputedSuperAdmin = null) {
     if (input.pageId) {
       const scopeResult = await getPageScopeType(
         input.pageId,
-        input.scope.appId,
+        inputWithNormalizedScope.scope.appId,
         resolvedAppName
       );
       if (!scopeResult.ok) {
@@ -2088,7 +2150,7 @@ async function isPermitted(input, appName, precomputedSuperAdmin = null) {
       pageScopeType = "organisation";
     }
     const validation = await ContextValidator.resolveScopeForPage(
-      input.scope,
+      inputWithNormalizedScope.scope,
       pageScopeType,
       resolvedAppName,
       engine["supabase"]
@@ -2096,7 +2158,14 @@ async function isPermitted(input, appName, precomputedSuperAdmin = null) {
     if (!validation.isValid || !validation.resolvedScope) {
       throw validation.error || new OrganisationContextRequiredError();
     }
-    const validatedScope = validation.resolvedScope;
+    const validatedScope = normalizeScope(validation.resolvedScope);
+    if (!RBACSecurityValidator.validateScope(validatedScope)) {
+      log4.warn("Scope has no valid identifier after normalisation \u2014 skipping engine call", {
+        permission: input.permission,
+        pageId: input.pageId
+      });
+      return ok(false);
+    }
     if (pageScopeType === "both" && input.pageId) {
       const eventScope = {
         organisationId: validatedScope.organisationId,

package/dist/components.d.ts

@@ -1,10 +1,10 @@
 export { b as UnifiedAuthContextType, U as UnifiedAuthProvider, a as UnifiedAuthProviderProps, u as useUnifiedAuth } from './UnifiedAuthProvider-Bkt_tzdS.js';
-export { A as AddressField, k as AddressFieldProps, l as AddressFieldRef, aK as AggregateConfig, o as Alert, q as AlertDescription, p as AlertTitle, r as Avatar, s as AvatarProps, t as Badge, u as BadgeProps, v as BadgeVariant, B as Button, a as ButtonProps, am as Calendar, an as CalendarProps, C as Card, g as CardActions, i as CardActionsProps, f as CardContent, e as CardDescription, c as CardFooter, b as CardHeader, h as CardProps, d as CardTitle, w as Checkbox, b5 as ContextSelector, b6 as ContextSelectorProps, aF as DataTable, aI as DataTableAction, aH as DataTableColumn, aG as DataTableProps, aJ as DataTableToolbarButton, ao as DatePickerWithTimezone, ap as DatePickerWithTimezoneProps, M as Dialog, V as DialogBody, a4 as DialogBodyProps, Q as DialogClose, a1 as DialogCloseProps, R as DialogContent, $ as DialogContentProps, Y as DialogDescription, W as DialogFooter, a3 as DialogFooterProps, U as DialogHeader, a2 as DialogHeaderProps, N as DialogPortal, a0 as DialogPortalProps, Z as DialogProps, a5 as DialogSize, X as DialogTitle, O as DialogTrigger, _ as DialogTriggerProps, aL as EmptyStateConfig, b8 as ErrorBoundary, ba as ErrorBoundaryProps, b9 as ErrorBoundaryProvider, bc as ErrorBoundaryProviderProps, bb as ErrorBoundaryState, bj as FileDisplay, bk as FileDisplayProps, bh as FileUpload, bi as FileUploadProps, aT as Footer, aU as FooterProps, aM as Form, aN as FormField, aP as FormFieldProps, aO as FormProps, bd as GlobalErrorHandler, aS as Header, I as Input, j as InputProps, L as Label, m as LabelProps, be as LoadingSpinner, aQ as LoginForm, aR as LoginFormProps, b4 as NavigationMenu, bz as PaceAppLayout, bt as PaceAppLayoutPermissionConfig, by as PaceAppLayoutProps, bv as PaceAppLayoutPropsLayout, bw as PaceAppLayoutPropsPermission, bx as PaceAppLayoutPropsRouting, bs as PaceAppLayoutRouteConfigItem, bu as PaceAppLayoutRoutingConfig, bB as PaceLoginPage, bA as PaceLoginPageProps, P as Progress, y as ProgressProps, b2 as ProtectedRoute, b3 as ProtectedRouteProps, aX as PublicPageFooter, b1 as PublicPageFooterProps, aW as PublicPageHeader, b0 as PublicPageHeaderProps, aV as PublicPageLayout, a$ as PublicPageLayoutProps, aY as PublicPageProvider, a6 as Select, aa as SelectContent, a7 as SelectGroup, ac as SelectItem, ab as SelectLabel, ad as SelectSeparator, a9 as SelectTrigger, a8 as SelectValue, bf as SessionRestorationLoader, bg as SessionRestorationLoaderProps, S as Switch, x as SwitchProps, z as Table, E as TableBody, F as TableCaption, G as TableCell, H as TableFooter, J as TableHead, D as TableHeader, K as TableRow, ae as Tabs, ah as TabsContent, al as TabsContentProps, af as TabsList, aj as TabsListProps, ai as TabsProps, ag as TabsTrigger, ak as TabsTriggerProps, T as Textarea, n as TextareaProps, aq as Toast, as as ToastAction, ay as ToastActionElement, ax as ToastClose, aw as ToastDescription, az as ToastProps, at as ToastProvider, av as ToastTitle, au as ToastViewport, ar as Toaster, aA as Tooltip, aC as TooltipContent, aD as TooltipProvider, aE as TooltipRoot, aB as TooltipTrigger, br as UseFileReferenceForRecordReturn, bp as UseFileReferenceOptions, bq as UseFileReferenceReturn, b7 as UserMenu, bl as useFileReference, bn as useFileReferenceById, bm as useFileReferenceForRecord, bo as useFilesByCategory, a_ as useIsPublicPage, aZ as usePublicPageContext } from './usePublicPageContext-B91dGYW1.js';
+export { A as AddressField, k as AddressFieldProps, l as AddressFieldRef, aK as AggregateConfig, o as Alert, q as AlertDescription, p as AlertTitle, r as Avatar, s as AvatarProps, t as Badge, u as BadgeProps, v as BadgeVariant, B as Button, a as ButtonProps, am as Calendar, an as CalendarProps, C as Card, g as CardActions, i as CardActionsProps, f as CardContent, e as CardDescription, c as CardFooter, b as CardHeader, h as CardProps, d as CardTitle, w as Checkbox, b5 as ContextSelector, b6 as ContextSelectorProps, aF as DataTable, aI as DataTableAction, aH as DataTableColumn, aG as DataTableProps, aJ as DataTableToolbarButton, ao as DatePickerWithTimezone, ap as DatePickerWithTimezoneProps, M as Dialog, V as DialogBody, a4 as DialogBodyProps, Q as DialogClose, a1 as DialogCloseProps, R as DialogContent, $ as DialogContentProps, Y as DialogDescription, W as DialogFooter, a3 as DialogFooterProps, U as DialogHeader, a2 as DialogHeaderProps, N as DialogPortal, a0 as DialogPortalProps, Z as DialogProps, a5 as DialogSize, X as DialogTitle, O as DialogTrigger, _ as DialogTriggerProps, aL as EmptyStateConfig, b8 as ErrorBoundary, ba as ErrorBoundaryProps, b9 as ErrorBoundaryProvider, bc as ErrorBoundaryProviderProps, bb as ErrorBoundaryState, bj as FileDisplay, bk as FileDisplayProps, bh as FileUpload, bi as FileUploadProps, aT as Footer, aU as FooterProps, aM as Form, aN as FormField, aP as FormFieldProps, aO as FormProps, bd as GlobalErrorHandler, aS as Header, I as Input, j as InputProps, L as Label, m as LabelProps, be as LoadingSpinner, aQ as LoginForm, aR as LoginFormProps, b4 as NavigationMenu, bz as PaceAppLayout, bt as PaceAppLayoutPermissionConfig, by as PaceAppLayoutProps, bv as PaceAppLayoutPropsLayout, bw as PaceAppLayoutPropsPermission, bx as PaceAppLayoutPropsRouting, bs as PaceAppLayoutRouteConfigItem, bu as PaceAppLayoutRoutingConfig, bB as PaceLoginPage, bA as PaceLoginPageProps, P as Progress, y as ProgressProps, b2 as ProtectedRoute, b3 as ProtectedRouteProps, aX as PublicPageFooter, b1 as PublicPageFooterProps, aW as PublicPageHeader, b0 as PublicPageHeaderProps, aV as PublicPageLayout, a$ as PublicPageLayoutProps, aY as PublicPageProvider, a6 as Select, aa as SelectContent, a7 as SelectGroup, ac as SelectItem, ab as SelectLabel, ad as SelectSeparator, a9 as SelectTrigger, a8 as SelectValue, bf as SessionRestorationLoader, bg as SessionRestorationLoaderProps, S as Switch, x as SwitchProps, z as Table, E as TableBody, F as TableCaption, G as TableCell, H as TableFooter, J as TableHead, D as TableHeader, K as TableRow, ae as Tabs, ah as TabsContent, al as TabsContentProps, af as TabsList, aj as TabsListProps, ai as TabsProps, ag as TabsTrigger, ak as TabsTriggerProps, T as Textarea, n as TextareaProps, aq as Toast, as as ToastAction, ay as ToastActionElement, ax as ToastClose, aw as ToastDescription, az as ToastProps, at as ToastProvider, av as ToastTitle, au as ToastViewport, ar as Toaster, aA as Tooltip, aC as TooltipContent, aD as TooltipProvider, aE as TooltipRoot, aB as TooltipTrigger, br as UseFileReferenceForRecordReturn, bp as UseFileReferenceOptions, bq as UseFileReferenceReturn, b7 as UserMenu, bl as useFileReference, bn as useFileReferenceById, bm as useFileReferenceForRecord, bo as useFilesByCategory, a_ as useIsPublicPage, aZ as usePublicPageContext } from './usePublicPageContext-BQrHf95t.js';
 import * as react_jsx_runtime from 'react/jsx-runtime';
 export { D as DataRecord, G as GetRowId, u as useToast } from './pagination-BW1mqywp.js';
 export { F as FileCategory, b as FileMetadata, a as FileReference, c as FileUploadOptions } from './file-reference-DU1hcawx.js';
 export { A as AutocompleteOptions, P as ParsedAddress } from './types-Dr8sNhER.js';
-export { a as NavigationItem, N as NavigationMenuProps } from './types-BE2sEHKd.js';
+export { a as NavigationItem, N as NavigationMenuProps } from './types-Besvoyzb.js';
 import 'react';
 import '@supabase/supabase-js';
 import './api-result-USV1Czr-.js';
@@ -21,7 +21,7 @@ import '@radix-ui/react-tooltip';
 import '@tanstack/react-table';
 import 'react-hook-form';
 import 'zod';
-import './types-CvOPXWWZ.js';
+import './types-CGHrxfqc.js';
 
 /**
  * @file DateTimeField Component

package/dist/components.js

@@ -1,25 +1,26 @@
-export { AddressField, Avatar, Badge, Calendar, ContextSelector, DatePickerWithTimezone, ErrorBoundary, ErrorBoundaryProvider, FileDisplay, FileUpload, Footer, Form, FormField, Header, LoginForm, NavigationMenu, PaceAppLayout, PaceLoginPage, ProtectedRoute, PublicPageFooter, PublicPageHeader, PublicPageLayout, PublicPageProvider, SessionRestorationLoader, Switch, Tabs, TabsContent, TabsList, TabsTrigger, Textarea, Toast, ToastAction, ToastClose, ToastDescription, ToastProvider, ToastTitle, ToastViewport, Toaster, UserMenu, useFileReference, useFileReferenceById, useFileReferenceForRecord, useFilesByCategory } from './chunk-KJXRL3XE.js';
-import './chunk-PCSHBLPB.js';
-import { Label, Input } from './chunk-2OEVOGGR.js';
-export { Checkbox, DataTable, Dialog, DialogBody, DialogClose, DialogContent, DialogDescription, DialogFooter, DialogHeader, DialogPortal, DialogTitle, DialogTrigger, Input, Label, Progress, Select, SelectContent, SelectGroup, SelectItem, SelectLabel, SelectSeparator, SelectTrigger, SelectValue, Table, TableBody, TableCaption, TableCell, TableFooter, TableHead, TableHeader, TableRow } from './chunk-2OEVOGGR.js';
-export { Alert, AlertDescription, AlertTitle, Button, Card, CardActions, CardContent, CardDescription, CardFooter, CardHeader, CardTitle, Tooltip, TooltipContent, TooltipProvider, TooltipRoot, TooltipTrigger } from './chunk-V7FTM2LU.js';
-import './chunk-J2KQK6DG.js';
-import './chunk-WY6Y7KC3.js';
+export { AddressField, Avatar, Badge, Calendar, ContextSelector, DatePickerWithTimezone, ErrorBoundary, ErrorBoundaryProvider, FileDisplay, FileUpload, Footer, Form, FormField, Header, LoginForm, NavigationMenu, PaceAppLayout, PaceLoginPage, ProtectedRoute, PublicPageFooter, PublicPageHeader, PublicPageLayout, PublicPageProvider, SessionRestorationLoader, Switch, Tabs, TabsContent, TabsList, TabsTrigger, Textarea, Toast, ToastAction, ToastClose, ToastDescription, ToastProvider, ToastTitle, ToastViewport, Toaster, UserMenu, useFileReference, useFileReferenceById, useFileReferenceForRecord, useFilesByCategory } from './chunk-HQTYP6BX.js';
+import './chunk-NJ7FGQWB.js';
+import { Label, Input } from './chunk-Y2LWSLLB.js';
+export { Checkbox, DataTable, Dialog, DialogBody, DialogClose, DialogContent, DialogDescription, DialogFooter, DialogHeader, DialogPortal, DialogTitle, DialogTrigger, Input, Label, Progress, Select, SelectContent, SelectGroup, SelectItem, SelectLabel, SelectSeparator, SelectTrigger, SelectValue, Table, TableBody, TableCaption, TableCell, TableFooter, TableHead, TableHeader, TableRow } from './chunk-Y2LWSLLB.js';
+export { Alert, AlertDescription, AlertTitle, Button, Card, CardActions, CardContent, CardDescription, CardFooter, CardHeader, CardTitle, Tooltip, TooltipContent, TooltipProvider, TooltipRoot, TooltipTrigger } from './chunk-H6RTU4DZ.js';
+import './chunk-AP5FG7W4.js';
+import './chunk-QWIG36BZ.js';
 export { useToast } from './chunk-ENLXB7GP.js';
-export { useIsPublicPage, usePublicPageContext } from './chunk-L5LFKKLJ.js';
+export { useIsPublicPage, usePublicPageContext } from './chunk-2GBDPPUC.js';
 import './chunk-C7NSAPTL.js';
-export { UnifiedAuthProvider, useUnifiedAuth } from './chunk-4R3T5ENU.js';
+export { UnifiedAuthProvider, useUnifiedAuth } from './chunk-S57OLCLO.js';
 import './chunk-D6BMFMQZ.js';
-import './chunk-7A6IMHH2.js';
+import './chunk-YFGNMB67.js';
 import './chunk-QRYSEPHB.js';
 export { FileCategory } from './chunk-6QYDGKQY.js';
 import './chunk-4SXLQIZO.js';
 import { toZonedTime, fromZonedTime, getUserTimeZone } from './chunk-XOJME5T7.js';
 import './chunk-DDMPHZ3D.js';
-import { cn } from './chunk-UZNAFKGW.js';
-export { LoadingSpinner } from './chunk-UZNAFKGW.js';
+import { cn } from './chunk-VFLR5K2H.js';
+export { LoadingSpinner } from './chunk-VFLR5K2H.js';
 import './chunk-XPFVT3GN.js';
 import './chunk-RMLY6KB5.js';
+import './chunk-GHCUP64P.js';
 import './chunk-BTHN5MKC.js';
 import './chunk-44CNXN4P.js';
 import './chunk-CU2BU2MQ.js';

package/dist/{functions-DH45k8ec.d.ts → functions-hF5ImHCr.d.ts}

@@ -1,4 +1,4 @@
-import { O as Operation, U as UUID } from './types-CvOPXWWZ.js';
+import { O as Operation, U as UUID } from './types-CGHrxfqc.js';
 import { A as AppId, P as PageId } from './core-CUElvH_C.js';
 
 /**