@jmruthers/pace-core 0.6.2 → 0.6.3

package/dist/chunk-QRPVRXYT.js

@@ -0,0 +1,226 @@
+import {
+  createLogger
+} from "./chunk-PWLANIRT.js";
+
+// src/rbac/types.ts
+var RBACError = class extends Error {
+  constructor(message, code, context) {
+    super(message);
+    this.code = code;
+    this.context = context;
+    this.name = "RBACError";
+  }
+};
+var PermissionDeniedError = class extends RBACError {
+  constructor(permission, context) {
+    super(
+      `Permission denied: ${permission}`,
+      "PERMISSION_DENIED",
+      { permission, ...context }
+    );
+    this.name = "PermissionDeniedError";
+  }
+};
+var OrganisationContextRequiredError = class extends RBACError {
+  constructor() {
+    super(
+      "Organisation context is required for this operation",
+      "ORGANISATION_CONTEXT_REQUIRED"
+    );
+    this.name = "OrganisationContextRequiredError";
+  }
+};
+var EventContextRequiredError = class extends RBACError {
+  constructor() {
+    super(
+      "Event context is required for this operation",
+      "EVENT_CONTEXT_REQUIRED"
+    );
+    this.name = "EventContextRequiredError";
+  }
+};
+var RBACNotInitializedError = class extends RBACError {
+  constructor() {
+    super(
+      "RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup",
+      "RBAC_NOT_INITIALIZED"
+    );
+    this.name = "RBACNotInitializedError";
+  }
+};
+var InvalidScopeError = class extends RBACError {
+  constructor(scope, reason) {
+    super(
+      `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,
+      "INVALID_SCOPE",
+      { scope, reason }
+    );
+    this.name = "InvalidScopeError";
+  }
+};
+var MissingUserContextError = class extends RBACError {
+  constructor() {
+    super(
+      "User context is required but not available. Make sure to wrap your app with an auth provider.",
+      "MISSING_USER_CONTEXT"
+    );
+    this.name = "MissingUserContextError";
+  }
+};
+
+// src/rbac/utils/eventContext.ts
+var orgDerivationCache = /* @__PURE__ */ new Map();
+var MAX_CACHE_SIZE = 100;
+async function getOrganisationFromEvent(supabase, eventId) {
+  if (orgDerivationCache.has(eventId)) {
+    return orgDerivationCache.get(eventId) ?? null;
+  }
+  const { data, error } = await supabase.from("core_events").select("organisation_id").eq("event_id", eventId).single();
+  let organisationId = null;
+  if (error || !data) {
+    organisationId = null;
+  } else if (data.organisation_id) {
+    organisationId = data.organisation_id;
+  } else {
+    organisationId = null;
+  }
+  if (orgDerivationCache.size >= MAX_CACHE_SIZE) {
+    const firstKey = orgDerivationCache.keys().next().value;
+    if (firstKey) {
+      orgDerivationCache.delete(firstKey);
+    }
+  }
+  orgDerivationCache.set(eventId, organisationId);
+  return organisationId;
+}
+
+// src/rbac/utils/contextValidator.ts
+var log = createLogger("ContextValidator");
+var ContextValidator = class {
+  /**
+   * Derive organisation ID from event ID
+   * 
+   * @param supabase - Supabase client
+   * @param eventId - Event ID
+   * @returns Organisation ID or null
+   */
+  static async deriveOrgFromEvent(supabase, eventId) {
+    return getOrganisationFromEvent(supabase, eventId);
+  }
+  /**
+   * Resolve scope based on page-level scope_type
+   * 
+   * This method handles page-level scoping. All pages have explicit scope_type set.
+   * Used for hybrid apps like pace-mint that have both event and organisation pages.
+   * 
+   * @param scope - Current scope
+   * @param pageScopeType - Page scope type ('event', 'organisation', or 'both')
+   * @param appName - App name (for PORTAL/ADMIN special case)
+   * @param supabase - Supabase client (for deriving org from event)
+   * @returns Resolved scope with all required context
+   */
+  static async resolveScopeForPage(scope, pageScopeType, appName, supabase) {
+    const effectiveScopeType = pageScopeType;
+    if (effectiveScopeType === "both") {
+      if (!scope.organisationId && !scope.eventId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new Error("Page requires either organisation or event context")
+        };
+      }
+      let organisationId = scope.organisationId;
+      if (!organisationId && scope.eventId && supabase) {
+        try {
+          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
+          organisationId = derivedOrgId || void 0;
+        } catch (error) {
+          log.warn("Failed to derive org from event for both-scope page:", error);
+        }
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    if (effectiveScopeType === "event") {
+      if (!scope.eventId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new EventContextRequiredError()
+        };
+      }
+      let organisationId = scope.organisationId;
+      if (!organisationId && supabase && scope.eventId) {
+        try {
+          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
+          organisationId = derivedOrgId || void 0;
+          if (!organisationId) {
+            return {
+              isValid: false,
+              resolvedScope: null,
+              error: new Error("Could not resolve organisation from event context")
+            };
+          }
+        } catch (error) {
+          log.error("Failed to derive org from event:", error);
+          return {
+            isValid: false,
+            resolvedScope: null,
+            error: error instanceof Error ? error : new Error("Failed to derive organisation from event")
+          };
+        }
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    if (effectiveScopeType === "organisation") {
+      if (!scope.organisationId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new OrganisationContextRequiredError()
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId: scope.organisationId,
+          eventId: scope.eventId,
+          // Event is optional for org-scoped pages
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    return {
+      isValid: false,
+      resolvedScope: null,
+      error: new Error("Invalid scope type")
+    };
+  }
+};
+
+export {
+  RBACError,
+  PermissionDeniedError,
+  OrganisationContextRequiredError,
+  RBACNotInitializedError,
+  InvalidScopeError,
+  MissingUserContextError,
+  ContextValidator
+};
+//# sourceMappingURL=chunk-QRPVRXYT.js.map

package/dist/chunk-QRPVRXYT.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/rbac/types.ts","../src/rbac/utils/eventContext.ts","../src/rbac/utils/contextValidator.ts"],"sourcesContent":["/**\n * RBAC (Role-Based Access Control) Types - Build Contract Compliant\n * @package @jmruthers/pace-core\n * @module RBAC/Types\n * @since 1.0.0\n * \n * This module defines the core types for the RBAC system that match the build contract exactly.\n * All types are designed to be framework-agnostic and provide strong typing for permission operations.\n */\n\nimport type React from 'react';\nimport type { AppId, PageId } from '../types/core';\n\n// ============================================================================\n// CORE TYPES\n// ============================================================================\n\nexport type UUID = string;\n\nexport type Operation = 'read' | 'create' | 'update' | 'delete';\n\nexport type Permission = `${Operation}:${string}`; // e.g. \"read:base.events\" or \"create:team.members\"\n\nexport type AccessLevel =\n  | 'viewer'\n  | 'participant'\n  | 'planner'\n  | 'admin'\n  | 'super';\n\n/**\n * Scope defines the context for permission checks.\n * Can include organisation, event, and/or app identifiers.\n */\nexport type Scope = {\n  organisationId?: UUID;\n  eventId?: string; // event_id is text/varchar\n  appId?: AppId | UUID;\n};\n\n/**\n * Permission check request parameters.\n * Defines who (userId) is checking what permission in what context (scope).\n */\nexport type PermissionCheck = {\n  userId: UUID;\n  scope: Scope;\n  permission: Permission;\n  pageId?: PageId | UUID;\n};\n\nexport type PermissionMap = Record<Permission, boolean> & Partial<Record<'*', boolean>>;\n\n// ============================================================================\n// ROLE TYPES\n// ============================================================================\n\nexport type GlobalRole = 'super_admin';\n\nexport type OrganisationRole = 'supporter' | 'member' | 'leader' | 'org_admin';\n\nexport type EventAppRole = 'viewer' | 'participant' | 'planner' | 'event_admin';\n\n// ============================================================================\n// DATABASE TYPES\n// ============================================================================\n\nexport interface RBACGlobalRole {\n  id: UUID;\n  user_id: UUID;\n  role: GlobalRole;\n  granted_at: string;\n  granted_by: UUID | null;\n  valid_from: string;\n  valid_to: string | null;\n}\n\nexport interface RBACOrganisationRole {\n  id: UUID;\n  user_id: UUID;\n  organisation_id: UUID;\n  role: OrganisationRole;\n  status: 'active' | 'inactive' | 'suspended';\n  granted_at: string;\n  granted_by: UUID | null;\n  revoked_at: string | null;\n  revoked_by: UUID | null;\n  notes: string | null;\n  created_at: string;\n  updated_at: string;\n  valid_from: string;\n  valid_to: string | null;\n}\n\nexport interface RBACEventAppRole {\n  id: UUID;\n  user_id: UUID;\n  event_id: string;\n  role: EventAppRole;\n  status: 'active' | 'inactive' | 'suspended';\n  granted_at: string;\n  granted_by: UUID | null;\n  organisation_id: UUID;\n  app_id: UUID;\n  valid_from: string;\n  valid_to: string | null;\n}\n\nexport interface RBACPagePermission {\n  id: UUID;\n  app_page_id: UUID;\n  operation: Operation;\n  role_name: string;\n  allowed: boolean;\n  created_at: string;\n  updated_at: string;\n  organisation_id: UUID;\n}\n\nexport interface RBACAppPage {\n  id: UUID;\n  page_name: string;\n  page_description: string | null;\n  created_at: string;\n  updated_at: string;\n  created_by: UUID | null;\n  updated_by: UUID | null;\n  app_id: UUID;\n  scope_type: 'event' | 'organisation' | 'both'; // Required - single source of truth for page scoping\n}\n\nexport interface RBACApp {\n  id: UUID;\n  name: string;\n  display_name: string;\n  description: string | null;\n  requires_event: boolean;\n  is_active: boolean;\n  created_at: string;\n  updated_at: string;\n  created_by: UUID | null;\n  updated_by: UUID | null;\n}\n\n// ============================================================================\n// AUDIT EVENT TYPES\n// ============================================================================\n\nexport type AuditEventType = \n  | 'permission_check'\n  | 'permission_denied'\n  | 'role_granted'\n  | 'role_denied'\n  | 'rls_denied';\n\nexport type AuditEventSource = 'api' | 'ui' | 'middleware' | 'rls';\n\nexport interface RBACAuditEvent {\n  id: UUID;\n  event_type: AuditEventType;\n  user_id: UUID;\n  organisation_id: UUID | null; // Nullable to properly track missing context cases (should be rare since organisationId is required)\n  event_id?: string;\n  app_id?: UUID;\n  page_id?: UUID;\n  permission?: string;\n  decision?: boolean;\n  source?: AuditEventSource;\n  bypass?: boolean;\n  duration_ms?: number;\n  metadata: Record<string, any>;\n  created_at: string;\n}\n\nexport interface RBACAppContext {\n  appId: UUID;\n  hasAccess: boolean;\n}\n\nexport interface RBACRoleContext {\n  globalRole: GlobalRole | null;\n  organisationRole: OrganisationRole | null;\n  eventAppRole: EventAppRole | null;\n}\n\n// ============================================================================\n// CACHE TYPES\n// ============================================================================\n\nexport interface CacheEntry<T> {\n  data: T;\n  expires: number;\n}\n\nexport interface PermissionCacheKey {\n  userId: UUID;\n  organisationId?: UUID;\n  eventId?: string;\n  appId?: UUID;\n  permission?: Permission;\n  pageId?: UUID | string;\n}\n\n// ============================================================================\n// API TYPES\n// ============================================================================\n\nexport interface GetAccessLevelInput {\n  userId: UUID;\n  scope: Scope;\n}\n\nexport interface GetPermissionMapInput {\n  userId: UUID;\n  scope: Scope;\n}\n\nexport interface IsPermittedInput extends PermissionCheck {}\n\n// ============================================================================\n// HOOK TYPES\n// ============================================================================\n\nexport interface UsePermissionsReturn {\n  permissions: PermissionMap;\n  isLoading: boolean;\n  error: Error | null;\n  refetch: () => Promise<void>;\n}\n\nexport interface UseCanReturn {\n  can: boolean;\n  isLoading: boolean;\n  error: Error | null;\n  check: () => Promise<void>;\n}\n\n// ============================================================================\n// ADAPTER TYPES\n// ============================================================================\n\nexport interface PermissionGuardConfig {\n  permission: Permission;\n  pageId?: UUID;\n}\n\nexport interface WithPermissionGuardOptions {\n  permission: Permission;\n  pageId?: UUID;\n  fallback?: React.ReactNode;\n  onDenied?: () => void;\n}\n\n// ============================================================================\n// HOOK RETURN TYPES\n// ============================================================================\n\nexport interface UserRBACContext {\n  user: any; // User from auth context\n  globalRole: GlobalRole | null;\n  organisationRole: OrganisationRole | null;\n  eventAppRole: EventAppRole | null;\n  hasGlobalPermission: (permission: Permission) => boolean;\n  isSuperAdmin: boolean;\n  isOrgAdmin: boolean;\n  isEventAdmin: boolean;\n  canManageOrganisation: boolean;\n  canManageEvent: boolean;\n  isLoading: boolean;\n  error: Error | null;\n}\n\nexport interface RBACPermission {\n  permission_type: string;\n  role_name: string;\n  [key: string]: any;\n}\n\n// ============================================================================\n// COMPONENT TYPES\n// ============================================================================\n\nexport interface RBACGuardProps {\n  children: React.ReactNode;\n  operation: Operation;\n  pageId?: UUID;\n  fallback?: React.ReactNode;\n}\n\nexport interface RoleBasedContentProps {\n  children: React.ReactNode;\n  globalRoles?: GlobalRole[];\n  organisationRoles?: OrganisationRole[];\n  eventAppRoles?: EventAppRole[];\n  fallback?: React.ReactNode;\n}\n\n// ============================================================================\n// ERROR TYPES\n// ============================================================================\n\nexport class RBACError extends Error {\n  constructor(\n    message: string,\n    public code: string,\n    public context?: Record<string, any>\n  ) {\n    super(message);\n    this.name = 'RBACError';\n  }\n}\n\nexport class PermissionDeniedError extends RBACError {\n  constructor(permission: Permission, context?: Record<string, any>) {\n    super(\n      `Permission denied: ${permission}`,\n      'PERMISSION_DENIED',\n      { permission, ...context }\n    );\n    this.name = 'PermissionDeniedError';\n  }\n}\n\nexport class OrganisationContextRequiredError extends RBACError {\n  constructor() {\n    super(\n      'Organisation context is required for this operation',\n      'ORGANISATION_CONTEXT_REQUIRED'\n    );\n    this.name = 'OrganisationContextRequiredError';\n  }\n}\n\nexport class EventContextRequiredError extends RBACError {\n  constructor() {\n    super(\n      'Event context is required for this operation',\n      'EVENT_CONTEXT_REQUIRED'\n    );\n    this.name = 'EventContextRequiredError';\n  }\n}\n\nexport class RBACNotInitializedError extends RBACError {\n  constructor() {\n    super(\n      'RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup',\n      'RBAC_NOT_INITIALIZED'\n    );\n    this.name = 'RBACNotInitializedError';\n  }\n}\n\nexport class InvalidScopeError extends RBACError {\n  constructor(scope: Scope, reason: string) {\n    super(\n      `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,\n      'INVALID_SCOPE',\n      { scope, reason }\n    );\n    this.name = 'InvalidScopeError';\n  }\n}\n\nexport class MissingUserContextError extends RBACError {\n  constructor() {\n    super(\n      'User context is required but not available. Make sure to wrap your app with an auth provider.',\n      'MISSING_USER_CONTEXT'\n    );\n    this.name = 'MissingUserContextError';\n  }\n}\n","/**\n * Event Context Utilities for RBAC\n * @package @jmruthers/pace-core\n * @module RBAC/EventContext\n * @since 1.0.0\n * \n * This module provides utilities for event-based RBAC operations where\n * the organization context is derived from the event context.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../../types/database';\nimport { UUID, Scope } from '../types';\n\n/**\n * Cache for organisation derivation from event\n * Key: eventId, Value: organisationId | null\n * Maximum cache size to prevent memory leaks\n */\nconst orgDerivationCache = new Map<string, UUID | null>();\nconst MAX_CACHE_SIZE = 100; // Limit cache to 100 entries\n\n/**\n * Clear cache entry for a specific event (useful if event's org changes)\n * @param eventId - Event ID to clear from cache\n */\nexport function clearOrgDerivationCache(eventId: string): void {\n  orgDerivationCache.delete(eventId);\n}\n\n/**\n * Clear all cached organisation derivations\n */\nexport function clearAllOrgDerivationCache(): void {\n  orgDerivationCache.clear();\n}\n\n/**\n * Get organization ID from event ID\n * \n * Uses caching to avoid repeated database queries for the same event.\n * Cache is limited to prevent memory leaks.\n * \n * @param supabase - Supabase client\n * @param eventId - Event ID\n * @returns Promise resolving to organization ID or null\n */\nexport async function getOrganisationFromEvent(\n  supabase: SupabaseClient<Database>,\n  eventId: string\n): Promise<UUID | null> {\n  // Check cache first\n  if (orgDerivationCache.has(eventId)) {\n    return orgDerivationCache.get(eventId) ?? null;\n  }\n\n  // Query database\n  const { data, error } = await supabase\n    .from('core_events')\n    .select('organisation_id')\n    .eq('event_id', eventId)\n    .single() as { data: { organisation_id: string } | null; error: any };\n\n  let organisationId: UUID | null = null;\n\n  if (error || !data) {\n    organisationId = null;\n  } else if (data.organisation_id) {\n    organisationId = data.organisation_id;\n  } else {\n    // organisation_id is null or undefined\n    organisationId = null;\n  }\n\n  // Cache the result (with size limit to prevent memory leaks)\n  if (orgDerivationCache.size >= MAX_CACHE_SIZE) {\n    // Remove oldest entry (first key in Map)\n    const firstKey = orgDerivationCache.keys().next().value;\n    if (firstKey) {\n      orgDerivationCache.delete(firstKey);\n    }\n  }\n  orgDerivationCache.set(eventId, organisationId);\n\n  return organisationId;\n}\n\n/**\n * Create a complete scope from event context\n * \n * @param supabase - Supabase client\n * @param eventId - Event ID\n * @param appId - Optional app ID\n * @returns Promise resolving to complete scope\n */\nexport async function createScopeFromEvent(\n  supabase: SupabaseClient<Database>,\n  eventId: string,\n  appId?: UUID\n): Promise<Scope | null> {\n  const organisationId = await getOrganisationFromEvent(supabase, eventId);\n  \n  if (!organisationId) {\n    return null;\n  }\n\n  return {\n    organisationId,\n    eventId,\n    appId\n  };\n}\n\n/**\n * Check if a scope is event-based (has eventId but no explicit organisationId)\n * \n * @param scope - Permission scope\n * @returns True if scope is event-based\n */\nexport function isEventBasedScope(scope: Scope): boolean {\n  return !scope.organisationId && !!scope.eventId;\n}\n\n/**\n * Validate that an event-based scope has the required context\n * \n * @param scope - Permission scope\n * @returns True if scope is valid for event-based operations\n */\nexport function isValidEventBasedScope(scope: Scope): boolean {\n  return isEventBasedScope(scope) && !!scope.eventId;\n}\n","/**\n * Context Validator for RBAC\n * @package @jmruthers/pace-core\n * @module RBAC/ContextValidator\n * @since 1.0.0\n * \n * Centralized validation for RBAC context requirements based on app configuration.\n * Enforces app-specific context rules with single primary context:\n * - requires_event = TRUE: Event is PRIMARY context, org derived from event (org not required in input)\n * - requires_event = FALSE: Organisation is PRIMARY context, event optional\n * - PORTAL/ADMIN apps: Both contexts optional (allows users to view/edit own profiles, super admin access)\n * \n * Key principle: Only one primary context is required based on app config. The other is derived or optional.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../../types/database';\nimport { UUID, Scope } from '../types';\nimport { EventContextRequiredError, OrganisationContextRequiredError } from '../types';\nimport { getOrganisationFromEvent } from './eventContext';\nimport { createLogger } from '../../utils/core/logger';\n\nconst log = createLogger('ContextValidator');\n\n/**\n * Page scope type - determines what context is required for a page\n * This is the single source of truth for page scoping.\n */\nexport type PageScopeType = 'event' | 'organisation' | 'both';\n\n/**\n * Check if an app allows optional contexts (both organisation and event optional)\n * @param appName - App name to check\n * @returns True if app allows optional contexts\n */\nfunction allowsOptionalContexts(appName?: string): boolean {\n  return appName === 'PORTAL' || appName === 'ADMIN';\n}\n\nexport interface ContextValidationResult {\n  isValid: boolean;\n  resolvedScope: Scope | null;\n  error: Error | null;\n}\n\n/**\n * Context Validator class\n * \n * Validates and resolves RBAC scope based on app configuration requirements.\n */\nexport class ContextValidator {\n\n  /**\n   * Derive organisation ID from event ID\n   * \n   * @param supabase - Supabase client\n   * @param eventId - Event ID\n   * @returns Organisation ID or null\n   */\n  static async deriveOrgFromEvent(\n    supabase: SupabaseClient<Database>,\n    eventId: string\n  ): Promise<UUID | null> {\n    return getOrganisationFromEvent(supabase, eventId);\n  }\n\n  /**\n   * Resolve scope based on page-level scope_type\n   * \n   * This method handles page-level scoping. All pages have explicit scope_type set.\n   * Used for hybrid apps like pace-mint that have both event and organisation pages.\n   * \n   * @param scope - Current scope\n   * @param pageScopeType - Page scope type ('event', 'organisation', or 'both')\n   * @param appName - App name (for PORTAL/ADMIN special case)\n   * @param supabase - Supabase client (for deriving org from event)\n   * @returns Resolved scope with all required context\n   */\n  static async resolveScopeForPage(\n    scope: Scope,\n    pageScopeType: PageScopeType,\n    appName?: string,\n    supabase?: SupabaseClient<Database> | null\n  ): Promise<ContextValidationResult> {\n    // Use page-level scope (single source of truth)\n    const effectiveScopeType = pageScopeType;\n    \n    // Handle 'both' scope - requires both contexts available, but can use either\n    if (effectiveScopeType === 'both') {\n      // For 'both' pages, we need at least one context (org or event)\n      // Both will be checked during permission evaluation\n      if (!scope.organisationId && !scope.eventId) {\n        return {\n          isValid: false,\n          resolvedScope: null,\n          error: new Error('Page requires either organisation or event context')\n        };\n      }\n      \n      // Derive org from event if event is provided but org is not\n      let organisationId = scope.organisationId;\n      if (!organisationId && scope.eventId && supabase) {\n        try {\n          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);\n          organisationId = derivedOrgId || undefined;\n        } catch (error) {\n          log.warn('Failed to derive org from event for both-scope page:', error);\n          // Continue without org - permission check will handle it\n        }\n      }\n      \n      return {\n        isValid: true,\n        resolvedScope: {\n          organisationId,\n          eventId: scope.eventId,\n          appId: scope.appId\n        },\n        error: null\n      };\n    }\n    \n    // Handle 'event' scope - requires event context\n    if (effectiveScopeType === 'event') {\n      if (!scope.eventId) {\n        return {\n          isValid: false,\n          resolvedScope: null,\n          error: new EventContextRequiredError()\n        };\n      }\n      \n      // Derive organisationId from event if not provided\n      let organisationId: UUID | undefined = scope.organisationId;\n      if (!organisationId && supabase && scope.eventId) {\n        try {\n          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);\n          organisationId = derivedOrgId || undefined;\n          if (!organisationId) {\n            return {\n              isValid: false,\n              resolvedScope: null,\n              error: new Error('Could not resolve organisation from event context')\n            };\n          }\n        } catch (error) {\n          log.error('Failed to derive org from event:', error);\n          return {\n            isValid: false,\n            resolvedScope: null,\n            error: error instanceof Error ? error : new Error('Failed to derive organisation from event')\n          };\n        }\n      }\n      \n      return {\n        isValid: true,\n        resolvedScope: {\n          organisationId,\n          eventId: scope.eventId,\n          appId: scope.appId\n        },\n        error: null\n      };\n    }\n    \n    // Handle 'organisation' scope - requires organisation context\n    if (effectiveScopeType === 'organisation') {\n      if (!scope.organisationId) {\n        return {\n          isValid: false,\n          resolvedScope: null,\n          error: new OrganisationContextRequiredError()\n        };\n      }\n      \n      return {\n        isValid: true,\n        resolvedScope: {\n          organisationId: scope.organisationId,\n          eventId: scope.eventId, // Event is optional for org-scoped pages\n          appId: scope.appId\n        },\n        error: null\n      };\n    }\n    \n    // Fallback (should not happen)\n    return {\n      isValid: false,\n      resolvedScope: null,\n      error: new Error('Invalid scope type')\n    };\n  }\n\n}\n\n"],"mappings":";;;;;AA6SO,IAAM,YAAN,cAAwB,MAAM;AAAA,EACnC,YACE,SACO,MACA,SACP;AACA,UAAM,OAAO;AAHN;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,wBAAN,cAAoC,UAAU;AAAA,EACnD,YAAY,YAAwB,SAA+B;AACjE;AAAA,MACE,sBAAsB,UAAU;AAAA,MAChC;AAAA,MACA,EAAE,YAAY,GAAG,QAAQ;AAAA,IAC3B;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,mCAAN,cAA+C,UAAU;AAAA,EAC9D,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,4BAAN,cAAwC,UAAU;AAAA,EACvD,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,0BAAN,cAAsC,UAAU;AAAA,EACrD,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,oBAAN,cAAgC,UAAU;AAAA,EAC/C,YAAY,OAAc,QAAgB;AACxC;AAAA,MACE,2BAA2B,KAAK,UAAU,KAAK,CAAC,KAAK,MAAM;AAAA,MAC3D;AAAA,MACA,EAAE,OAAO,OAAO;AAAA,IAClB;AACA,SAAK,OAAO;AAAA,EACd;AACF;AAEO,IAAM,0BAAN,cAAsC,UAAU;AAAA,EACrD,cAAc;AACZ;AAAA,MACE;AAAA,MACA;AAAA,IACF;AACA,SAAK,OAAO;AAAA,EACd;AACF;;;ACjWA,IAAM,qBAAqB,oBAAI,IAAyB;AACxD,IAAM,iBAAiB;AA2BvB,eAAsB,yBACpB,UACA,SACsB;AAEtB,MAAI,mBAAmB,IAAI,OAAO,GAAG;AACnC,WAAO,mBAAmB,IAAI,OAAO,KAAK;AAAA,EAC5C;AAGA,QAAM,EAAE,MAAM,MAAM,IAAI,MAAM,SAC3B,KAAK,aAAa,EAClB,OAAO,iBAAiB,EACxB,GAAG,YAAY,OAAO,EACtB,OAAO;AAEV,MAAI,iBAA8B;AAElC,MAAI,SAAS,CAAC,MAAM;AAClB,qBAAiB;AAAA,EACnB,WAAW,KAAK,iBAAiB;AAC/B,qBAAiB,KAAK;AAAA,EACxB,OAAO;AAEL,qBAAiB;AAAA,EACnB;AAGA,MAAI,mBAAmB,QAAQ,gBAAgB;AAE7C,UAAM,WAAW,mBAAmB,KAAK,EAAE,KAAK,EAAE;AAClD,QAAI,UAAU;AACZ,yBAAmB,OAAO,QAAQ;AAAA,IACpC;AAAA,EACF;AACA,qBAAmB,IAAI,SAAS,cAAc;AAE9C,SAAO;AACT;;;AC/DA,IAAM,MAAM,aAAa,kBAAkB;AA4BpC,IAAM,mBAAN,MAAuB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAS5B,aAAa,mBACX,UACA,SACsB;AACtB,WAAO,yBAAyB,UAAU,OAAO;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,aAAa,oBACX,OACA,eACA,SACA,UACkC;AAElC,UAAM,qBAAqB;AAG3B,QAAI,uBAAuB,QAAQ;AAGjC,UAAI,CAAC,MAAM,kBAAkB,CAAC,MAAM,SAAS;AAC3C,eAAO;AAAA,UACL,SAAS;AAAA,UACT,eAAe;AAAA,UACf,OAAO,IAAI,MAAM,oDAAoD;AAAA,QACvE;AAAA,MACF;AAGA,UAAI,iBAAiB,MAAM;AAC3B,UAAI,CAAC,kBAAkB,MAAM,WAAW,UAAU;AAChD,YAAI;AACF,gBAAM,eAAe,MAAM,KAAK,mBAAmB,UAAU,MAAM,OAAO;AAC1E,2BAAiB,gBAAgB;AAAA,QACnC,SAAS,OAAO;AACd,cAAI,KAAK,wDAAwD,KAAK;AAAA,QAExE;AAAA,MACF;AAEA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,UACb;AAAA,UACA,SAAS,MAAM;AAAA,UACf,OAAO,MAAM;AAAA,QACf;AAAA,QACA,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,uBAAuB,SAAS;AAClC,UAAI,CAAC,MAAM,SAAS;AAClB,eAAO;AAAA,UACL,SAAS;AAAA,UACT,eAAe;AAAA,UACf,OAAO,IAAI,0BAA0B;AAAA,QACvC;AAAA,MACF;AAGA,UAAI,iBAAmC,MAAM;AAC7C,UAAI,CAAC,kBAAkB,YAAY,MAAM,SAAS;AAChD,YAAI;AACF,gBAAM,eAAe,MAAM,KAAK,mBAAmB,UAAU,MAAM,OAAO;AAC1E,2BAAiB,gBAAgB;AACjC,cAAI,CAAC,gBAAgB;AACnB,mBAAO;AAAA,cACL,SAAS;AAAA,cACT,eAAe;AAAA,cACf,OAAO,IAAI,MAAM,mDAAmD;AAAA,YACtE;AAAA,UACF;AAAA,QACF,SAAS,OAAO;AACd,cAAI,MAAM,oCAAoC,KAAK;AACnD,iBAAO;AAAA,YACL,SAAS;AAAA,YACT,eAAe;AAAA,YACf,OAAO,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,0CAA0C;AAAA,UAC9F;AAAA,QACF;AAAA,MACF;AAEA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,UACb;AAAA,UACA,SAAS,MAAM;AAAA,UACf,OAAO,MAAM;AAAA,QACf;AAAA,QACA,OAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,uBAAuB,gBAAgB;AACzC,UAAI,CAAC,MAAM,gBAAgB;AACzB,eAAO;AAAA,UACL,SAAS;AAAA,UACT,eAAe;AAAA,UACf,OAAO,IAAI,iCAAiC;AAAA,QAC9C;AAAA,MACF;AAEA,aAAO;AAAA,QACL,SAAS;AAAA,QACT,eAAe;AAAA,UACb,gBAAgB,MAAM;AAAA,UACtB,SAAS,MAAM;AAAA;AAAA,UACf,OAAO,MAAM;AAAA,QACf;AAAA,QACA,OAAO;AAAA,MACT;AAAA,IACF;AAGA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,eAAe;AAAA,MACf,OAAO,IAAI,MAAM,oBAAoB;AAAA,IACvC;AAAA,EACF;AAEF;","names":[]}