@jmruthers/pace-core 0.6.2 → 0.6.3

package/dist/{chunk-24UVZUZG.js → chunk-RWEBCB47.js}

@@ -3,76 +3,19 @@ import {
   emitAuditEvent,
   setGlobalAuditManager
 } from "./chunk-63FOKYGO.js";
+import {
+  ContextValidator,
+  InvalidScopeError,
+  MissingUserContextError,
+  OrganisationContextRequiredError,
+  PermissionDeniedError,
+  RBACError,
+  RBACNotInitializedError
+} from "./chunk-QRPVRXYT.js";
 import {
   createLogger
 } from "./chunk-PWLANIRT.js";
 
-// src/rbac/types.ts
-var RBACError = class extends Error {
-  constructor(message, code, context) {
-    super(message);
-    this.code = code;
-    this.context = context;
-    this.name = "RBACError";
-  }
-};
-var PermissionDeniedError = class extends RBACError {
-  constructor(permission, context) {
-    super(
-      `Permission denied: ${permission}`,
-      "PERMISSION_DENIED",
-      { permission, ...context }
-    );
-    this.name = "PermissionDeniedError";
-  }
-};
-var OrganisationContextRequiredError = class extends RBACError {
-  constructor() {
-    super(
-      "Organisation context is required for this operation",
-      "ORGANISATION_CONTEXT_REQUIRED"
-    );
-    this.name = "OrganisationContextRequiredError";
-  }
-};
-var EventContextRequiredError = class extends RBACError {
-  constructor() {
-    super(
-      "Event context is required for this operation",
-      "EVENT_CONTEXT_REQUIRED"
-    );
-    this.name = "EventContextRequiredError";
-  }
-};
-var RBACNotInitializedError = class extends RBACError {
-  constructor() {
-    super(
-      "RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup",
-      "RBAC_NOT_INITIALIZED"
-    );
-    this.name = "RBACNotInitializedError";
-  }
-};
-var InvalidScopeError = class extends RBACError {
-  constructor(scope, reason) {
-    super(
-      `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,
-      "INVALID_SCOPE",
-      { scope, reason }
-    );
-    this.name = "InvalidScopeError";
-  }
-};
-var MissingUserContextError = class extends RBACError {
-  constructor() {
-    super(
-      "User context is required but not available. Make sure to wrap your app with an auth provider.",
-      "MISSING_USER_CONTEXT"
-    );
-    this.name = "MissingUserContextError";
-  }
-};
-
 // src/rbac/cache.ts
 var RBACCache = class {
   constructor() {
@@ -694,228 +637,8 @@ function mapErrorCategoryToSecurityEventType(category) {
   }
 }
 
-// src/rbac/utils/eventContext.ts
-var orgDerivationCache = /* @__PURE__ */ new Map();
-var MAX_CACHE_SIZE = 100;
-async function getOrganisationFromEvent(supabase, eventId) {
-  if (orgDerivationCache.has(eventId)) {
-    return orgDerivationCache.get(eventId) ?? null;
-  }
-  const { data, error } = await supabase.from("core_events").select("organisation_id").eq("event_id", eventId).single();
-  let organisationId = null;
-  if (error || !data) {
-    organisationId = null;
-  } else if (data.organisation_id) {
-    organisationId = data.organisation_id;
-  } else {
-    organisationId = null;
-  }
-  if (orgDerivationCache.size >= MAX_CACHE_SIZE) {
-    const firstKey = orgDerivationCache.keys().next().value;
-    if (firstKey) {
-      orgDerivationCache.delete(firstKey);
-    }
-  }
-  orgDerivationCache.set(eventId, organisationId);
-  return organisationId;
-}
-
-// src/rbac/utils/contextValidator.ts
-var log2 = createLogger("ContextValidator");
-function allowsOptionalContexts(appName) {
-  return appName === "PORTAL" || appName === "ADMIN";
-}
-var ContextValidator = class {
-  /**
-   * Validate scope against app requirements
-   * 
-   * @param scope - Current scope
-   * @param appConfig - App configuration (requires_event flag)
-   * @param appName - App name (for PORTAL/ADMIN special case)
-   * @returns Validation result with resolved scope
-   */
-  static async validateScope(scope, appConfig, appName) {
-    if (allowsOptionalContexts(appName)) {
-      return {
-        isValid: true,
-        resolvedScope: {
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId
-        },
-        error: null
-      };
-    }
-    if (!appConfig) {
-      if (!scope.organisationId) {
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new OrganisationContextRequiredError()
-        };
-      }
-      return {
-        isValid: true,
-        resolvedScope: scope,
-        error: null
-      };
-    }
-    if (appConfig.requires_event) {
-      if (!scope.eventId) {
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new EventContextRequiredError()
-        };
-      }
-      return {
-        isValid: true,
-        resolvedScope: scope,
-        error: null
-      };
-    }
-    if (!scope.organisationId) {
-      return {
-        isValid: false,
-        resolvedScope: null,
-        error: new OrganisationContextRequiredError()
-      };
-    }
-    return {
-      isValid: true,
-      resolvedScope: scope,
-      error: null
-    };
-  }
-  /**
-   * Resolve required context and derive missing values
-   * 
-   * @param scope - Current scope
-   * @param appConfig - App configuration
-   * @param appName - App name (for PORTAL/ADMIN special case)
-   * @param supabase - Supabase client (for deriving org from event)
-   * @returns Resolved scope with all required context
-   */
-  static async resolveRequiredContext(scope, appConfig, appName, supabase) {
-    if (allowsOptionalContexts(appName)) {
-      return {
-        isValid: true,
-        resolvedScope: {
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId
-        },
-        error: null
-      };
-    }
-    if (!appConfig) {
-      if (!scope.organisationId) {
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new OrganisationContextRequiredError()
-        };
-      }
-      return {
-        isValid: true,
-        resolvedScope: scope,
-        error: null
-      };
-    }
-    if (appConfig.requires_event) {
-      if (!scope.eventId) {
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new EventContextRequiredError()
-        };
-      }
-      let organisationId = scope.organisationId;
-      if (!organisationId && supabase && scope.eventId) {
-        try {
-          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
-          organisationId = derivedOrgId || void 0;
-          if (!organisationId) {
-            return {
-              isValid: false,
-              resolvedScope: null,
-              error: new Error("Could not resolve organisation from event context")
-            };
-          }
-        } catch (error) {
-          log2.error("Failed to derive org from event:", error);
-          return {
-            isValid: false,
-            resolvedScope: null,
-            error: error instanceof Error ? error : new Error("Failed to derive organisation from event")
-          };
-        }
-      } else if (!organisationId) {
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new Error("Event context requires organisationId but it could not be derived (supabase client not available)")
-        };
-      }
-      return {
-        isValid: true,
-        resolvedScope: {
-          organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId
-        },
-        error: null
-      };
-    }
-    if (!scope.organisationId) {
-      return {
-        isValid: false,
-        resolvedScope: null,
-        error: new OrganisationContextRequiredError()
-      };
-    }
-    return {
-      isValid: true,
-      resolvedScope: scope,
-      error: null
-    };
-  }
-  /**
-   * Derive organisation ID from event ID
-   * 
-   * @param supabase - Supabase client
-   * @param eventId - Event ID
-   * @returns Organisation ID or null
-   */
-  static async deriveOrgFromEvent(supabase, eventId) {
-    return getOrganisationFromEvent(supabase, eventId);
-  }
-  /**
-   * Check if context is ready for permission checks
-   * 
-   * @param scope - Current scope
-   * @param appConfig - App configuration
-   * @param appName - App name
-   * @param hasSelectedEvent - Whether event is selected
-   * @param hasSelectedOrganisation - Whether organisation is selected
-   * @returns True if context is ready
-   */
-  static isContextReady(scope, appConfig, appName, hasSelectedEvent, hasSelectedOrganisation) {
-    if (allowsOptionalContexts(appName)) {
-      return true;
-    }
-    if (!appConfig) {
-      return !!hasSelectedOrganisation || !!scope.organisationId;
-    }
-    if (appConfig.requires_event) {
-      return !!hasSelectedEvent || !!scope.eventId;
-    }
-    return !!hasSelectedOrganisation || !!scope.organisationId;
-  }
-};
-
 // src/rbac/security.ts
-var log3 = createLogger("RBACSecurity");
+var log2 = createLogger("RBACSecurity");
 var RBACSecurityValidator = class {
   /**
    * Validate permission string format
@@ -1021,17 +744,6 @@ var RBACSecurityValidator = class {
   static async checkRateLimit(userId, operation) {
     return true;
   }
-  /**
-   * Validate context requirements for security
-   * @param scope - Scope object
-   * @param appConfig - App configuration
-   * @param appName - App name (for PORTAL special case)
-   * @returns True if context is valid, false otherwise
-   */
-  static async validateContextRequirements(scope, appConfig, appName) {
-    const validation = await ContextValidator.validateScope(scope, appConfig || null, appName);
-    return validation.isValid;
-  }
   // Only warn once per 5 seconds per user
   static logSecurityEvent(event) {
     const securityEvent = {
@@ -1049,7 +761,7 @@ var RBACSecurityValidator = class {
           this.rateLimitWarningCount.set(event.userId, userWarning);
           return;
         } else {
-          log3.warn("Security event (throttled):", {
+          log2.warn("Security event (throttled):", {
             ...securityEvent,
             details: {
               ...securityEvent.details,
@@ -1062,11 +774,11 @@ var RBACSecurityValidator = class {
         }
       } else {
         this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
-        log3.warn("Security event:", securityEvent);
+        log2.warn("Security event:", securityEvent);
         return;
       }
     }
-    log3.warn("Security event:", securityEvent);
+    log2.warn("Security event:", securityEvent);
   }
   /**
    * Get severity level for security event
@@ -1896,7 +1608,7 @@ function getInFlightRequestCount() {
 }
 
 // src/rbac/api.ts
-var log4 = createLogger("RBACAPI");
+var log3 = createLogger("RBACAPI");
 var globalEngine = null;
 function setupRBAC(supabase, config) {
   const logger = getRBACLogger();
@@ -1927,28 +1639,27 @@ function setupRBAC(supabase, config) {
     enablePerformanceMonitoring();
   }
 }
+function isRBACInitialized() {
+  return globalEngine !== null;
+}
 function getEngine() {
   if (!globalEngine) {
     throw new RBACNotInitializedError();
   }
   return globalEngine;
 }
-async function getAccessLevel(input, appConfig, appName) {
+async function getAccessLevel(input, appName) {
   try {
     const engine = getEngine();
     const isSuperAdminUser = await engine["checkSuperAdmin"](input.userId);
     if (isSuperAdminUser) {
       return "super";
     }
-    let resolvedAppConfig = appConfig ?? null;
-    let resolvedAppName = appName;
-    if (!resolvedAppConfig && input.scope.appId) {
-      resolvedAppConfig = await getAppConfig(input.scope.appId);
-    }
-    const validation = await ContextValidator.resolveRequiredContext(
+    const validation = await ContextValidator.resolveScopeForPage(
       input.scope,
-      resolvedAppConfig,
-      resolvedAppName,
+      "organisation",
+      // Default to organisation scope when no page context
+      appName,
       engine["supabase"]
     );
     if (!validation.isValid || !validation.resolvedScope) {
@@ -1962,18 +1673,14 @@ async function getAccessLevel(input, appConfig, appName) {
     throw error;
   }
 }
-async function getPermissionMap(input, appConfig, appName) {
+async function getPermissionMap(input, appName) {
   try {
     const engine = getEngine();
-    let resolvedAppConfig = appConfig ?? null;
-    let resolvedAppName = appName;
-    if (!resolvedAppConfig && input.scope.appId) {
-      resolvedAppConfig = await getAppConfig(input.scope.appId);
-    }
-    const validation = await ContextValidator.resolveRequiredContext(
+    const validation = await ContextValidator.resolveScopeForPage(
       input.scope,
-      resolvedAppConfig,
-      resolvedAppName,
+      "organisation",
+      // Default to organisation scope when no page context
+      appName,
       engine["supabase"]
     );
     if (!validation.isValid || !validation.resolvedScope) {
@@ -1995,17 +1702,13 @@ async function resolveAppContext(input) {
     throw error;
   }
 }
-async function getRoleContext(input, appConfig, appName) {
+async function getRoleContext(input, appName) {
   const engine = getEngine();
-  let resolvedAppConfig = appConfig ?? null;
-  let resolvedAppName = appName;
-  if (!resolvedAppConfig && input.scope.appId) {
-    resolvedAppConfig = await getAppConfig(input.scope.appId);
-  }
-  const validation = await ContextValidator.resolveRequiredContext(
+  const validation = await ContextValidator.resolveScopeForPage(
     input.scope,
-    resolvedAppConfig,
-    resolvedAppName,
+    "organisation",
+    // Default to organisation scope when no page context
+    appName,
     engine["supabase"]
   );
   if (!validation.isValid || !validation.resolvedScope) {
@@ -2016,7 +1719,7 @@ async function getRoleContext(input, appConfig, appName) {
     scope: validation.resolvedScope
   });
 }
-async function isPermitted(input, appConfig, appName, precomputedSuperAdmin = null) {
+async function isPermitted(input, appName, precomputedSuperAdmin = null) {
   const engine = getEngine();
   if (precomputedSuperAdmin === true) {
     return true;
@@ -2027,11 +1730,7 @@ async function isPermitted(input, appConfig, appName, precomputedSuperAdmin = nu
       return true;
     }
   }
-  let resolvedAppConfig = appConfig ?? null;
   let resolvedAppName = appName;
-  if (!resolvedAppConfig && input.scope.appId) {
-    resolvedAppConfig = await getAppConfig(input.scope.appId);
-  }
   if (!resolvedAppName && input.scope.appId) {
     try {
       const { data } = await engine["supabase"].from("rbac_apps").select("name").eq("id", input.scope.appId).eq("is_active", true).single();
@@ -2041,9 +1740,28 @@ async function isPermitted(input, appConfig, appName, precomputedSuperAdmin = nu
     } catch (err) {
     }
   }
-  const validation = await ContextValidator.resolveRequiredContext(
+  let pageScopeType;
+  if (input.pageId) {
+    try {
+      const scopeType = await getPageScopeType(
+        input.pageId,
+        input.scope.appId,
+        resolvedAppName
+      );
+      if (!scopeType) {
+        throw new Error(`Page ${input.pageId} does not have scope_type set`);
+      }
+      pageScopeType = scopeType;
+    } catch (err) {
+      log3.error("Failed to get page scope type:", err);
+      throw new Error(`Failed to determine page scope type: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  } else {
+    pageScopeType = "organisation";
+  }
+  const validation = await ContextValidator.resolveScopeForPage(
     input.scope,
-    resolvedAppConfig,
+    pageScopeType,
     resolvedAppName,
     engine["supabase"]
   );
@@ -2051,6 +1769,44 @@ async function isPermitted(input, appConfig, appName, precomputedSuperAdmin = nu
     throw validation.error || new OrganisationContextRequiredError();
   }
   const validatedScope = validation.resolvedScope;
+  if (pageScopeType === "both" && input.pageId) {
+    const eventScope = {
+      organisationId: validatedScope.organisationId,
+      // Org derived from event
+      eventId: validatedScope.eventId,
+      appId: validatedScope.appId
+    };
+    const eventSecurityContext = {
+      userId: input.userId,
+      organisationId: eventScope.organisationId || null,
+      timestamp: /* @__PURE__ */ new Date()
+    };
+    const eventInput = {
+      ...input,
+      scope: eventScope
+    };
+    const hasEventPermission = await engine.isPermitted(eventInput, eventSecurityContext);
+    if (validatedScope.organisationId && validatedScope.eventId) {
+      const orgScope = {
+        organisationId: validatedScope.organisationId,
+        eventId: void 0,
+        // Clear event for org-only check
+        appId: validatedScope.appId
+      };
+      const orgSecurityContext = {
+        userId: input.userId,
+        organisationId: orgScope.organisationId || null,
+        timestamp: /* @__PURE__ */ new Date()
+      };
+      const orgInput = {
+        ...input,
+        scope: orgScope
+      };
+      const hasOrgPermission = await engine.isPermitted(orgInput, orgSecurityContext);
+      return hasEventPermission || hasOrgPermission;
+    }
+    return hasEventPermission;
+  }
   const securityContext = {
     userId: input.userId,
     organisationId: validatedScope.organisationId || null,
@@ -2063,7 +1819,7 @@ async function isPermitted(input, appConfig, appName, precomputedSuperAdmin = nu
   };
   return engine.isPermitted(validatedInput, securityContext);
 }
-async function isPermittedCached(input, appConfig, appName) {
+async function isPermittedCached(input, appName) {
   const { userId, scope, permission, pageId } = input;
   const cacheKey = RBACCache.generatePermissionKey({
     userId,
@@ -2078,14 +1834,14 @@ async function isPermittedCached(input, appConfig, appName) {
     return cached;
   }
   return getOrCreateRequest(input, async (checkInput) => {
-    const result = await isPermitted(checkInput, appConfig, appName, null);
+    const result = await isPermitted(checkInput, appName, null);
     const isPageLevelCheck = !!pageId || permission.includes("page.");
     rbacCache.set(cacheKey, result, void 0, isPageLevelCheck);
     return result;
   });
 }
 async function hasPermission(input) {
-  return isPermitted(input, null, void 0, null);
+  return isPermitted(input);
 }
 async function hasAnyPermission(input) {
   const { permissions, ...baseInput } = input;
@@ -2093,7 +1849,7 @@ async function hasAnyPermission(input) {
     const hasPermission2 = await isPermitted({
       ...baseInput,
       permission
-    }, null, void 0, null);
+    });
     if (hasPermission2) {
       return true;
     }
@@ -2106,7 +1862,7 @@ async function hasAllPermissions(input) {
     const hasPermission2 = await isPermitted({
       ...baseInput,
       permission
-    }, null, void 0, null);
+    });
     if (!hasPermission2) {
       return false;
     }
@@ -2117,50 +1873,40 @@ async function isSuperAdmin(userId) {
   const engine = getEngine();
   return engine["checkSuperAdmin"](userId);
 }
-async function getAppConfig(appId) {
+async function getPageScopeType(pageId, appId, appName) {
+  const engine = getEngine();
   try {
-    const engine = getEngine();
-    return getAppConfigWithClient(engine["supabase"], appId);
-  } catch (err) {
-    if (err instanceof RBACNotInitializedError) {
-      return null;
+    let resolvedAppId = appId;
+    if (!resolvedAppId && appName) {
+      const { data: app } = await engine["supabase"].from("rbac_apps").select("id").eq("name", appName).eq("is_active", true).single();
+      resolvedAppId = app?.id;
     }
-    throw err;
-  }
-}
-async function getAppConfigWithClient(client, appId) {
-  if (!client) {
-    return null;
-  }
-  const cacheKey = `app_config:${appId}`;
-  const cached = rbacCache.get(cacheKey, true);
-  if (cached !== null) {
-    return cached;
-  }
-  try {
-    const { data, error } = await client.from("rbac_apps").select("requires_event, name").eq("id", appId).eq("is_active", true).single();
-    if (error || !data) {
-      return null;
+    if (!resolvedAppId) {
+      throw new Error(`Could not resolve appId for page ${pageId}`);
     }
-    const appConfig = { requires_event: data.requires_event ?? false };
-    rbacCache.set(cacheKey, appConfig, 5 * 60 * 1e3, true);
-    return appConfig;
-  } catch (err) {
-    log4.error("Error fetching app config:", err);
-    return null;
-  }
-}
-async function getAppConfigByName(appName) {
-  const engine = getEngine();
-  try {
-    const { data, error } = await engine["supabase"].from("rbac_apps").select("requires_event, name").eq("name", appName).eq("is_active", true).single();
-    if (error || !data) {
-      return null;
+    let resolvedPageId = pageId;
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    if (!uuidRegex.test(pageId)) {
+      const { data: page } = await engine["supabase"].from("rbac_app_pages").select("id").eq("app_id", resolvedAppId).eq("page_name", pageId).maybeSingle();
+      resolvedPageId = page?.id || pageId;
+    }
+    if (!uuidRegex.test(resolvedPageId)) {
+      throw new Error(`Could not resolve pageId ${pageId} to a valid UUID`);
+    }
+    const { data, error } = await engine["supabase"].rpc("get_page_scope_type", {
+      p_page_id: resolvedPageId
+    });
+    if (error) {
+      log3.error("Error fetching page scope type:", { pageId, appId, error });
+      throw new Error(`Failed to get page scope type: ${error.message}`);
+    }
+    if (!data) {
+      throw new Error(`Page ${resolvedPageId} does not have scope_type set`);
     }
-    return { requires_event: data.requires_event ?? false };
+    return data;
   } catch (err) {
-    log4.error("Error fetching app config by name:", err);
-    return null;
+    log3.error("Error fetching page scope type:", err);
+    throw err instanceof Error ? err : new Error(`Failed to get page scope type: ${String(err)}`);
   }
 }
 async function isOrganisationAdmin(userId, organisationId) {
@@ -2203,12 +1949,9 @@ function clearCache() {
 }
 
 export {
-  OrganisationContextRequiredError,
-  RBACNotInitializedError,
   RBACCache,
   rbacCache,
   CACHE_PATTERNS,
-  ContextValidator,
   createRBACConfig,
   getRBACConfig,
   getRBACLogger,
@@ -2227,6 +1970,7 @@ export {
   clearInFlightRequests,
   getInFlightRequestCount,
   setupRBAC,
+  isRBACInitialized,
   getAccessLevel,
   getPermissionMap,
   resolveAppContext,
@@ -2237,9 +1981,7 @@ export {
   hasAnyPermission,
   hasAllPermissions,
   isSuperAdmin,
-  getAppConfig,
-  getAppConfigWithClient,
-  getAppConfigByName,
+  getPageScopeType,
   isOrganisationAdmin,
   isEventAdmin,
   invalidateUserCache,
@@ -2248,4 +1990,4 @@ export {
   invalidateAppCache,
   clearCache
 };
-//# sourceMappingURL=chunk-24UVZUZG.js.map
+//# sourceMappingURL=chunk-RWEBCB47.js.map