@jmruthers/pace-core 0.6.2 → 0.6.4

package/dist/rbac/index.d.ts

@@ -7,25 +7,6 @@ import * as react_jsx_runtime from 'react/jsx-runtime';
 import React__default, { ReactNode } from 'react';
 import '../core-CUElvH_C.js';
 
-/**
- * Context Validator for RBAC
- * @package @jmruthers/pace-core
- * @module RBAC/ContextValidator
- * @since 1.0.0
- *
- * Centralized validation for RBAC context requirements based on app configuration.
- * Enforces app-specific context rules with single primary context:
- * - requires_event = TRUE: Event is PRIMARY context, org derived from event (org not required in input)
- * - requires_event = FALSE: Organisation is PRIMARY context, event optional
- * - PORTAL/ADMIN apps: Both contexts optional (allows users to view/edit own profiles, super admin access)
- *
- * Key principle: Only one primary context is required based on app config. The other is derived or optional.
- */
-
-interface AppConfig {
-    requires_event: boolean;
-}
-
 /**
  * RBAC Security Enhancements
  * @package @jmruthers/pace-core
@@ -137,6 +118,7 @@ declare class SecureSupabaseClient {
     private appId?;
     private isSuperAdmin;
     private usesExistingClient;
+    private static rpcSignatureCache;
     /**
      * RPC functions that are safe to call without organisation context.
      *
@@ -236,6 +218,18 @@ declare class SecureSupabaseClient {
      * @internal
      */
     getClient(): SupabaseClient<Database>;
+    /**
+     * Get the set of parameter names that an RPC function accepts.
+     * Uses a static whitelist of RPCs that we know accept context parameters.
+     *
+     * This is an opt-in approach: by default, we don't inject context unless
+     * the function is explicitly whitelisted. This prevents PGRST202 errors from
+     * injecting unexpected parameters.
+     *
+     * @param fn - The RPC function name
+     * @returns Set of parameter names the function accepts
+     */
+    private getRpcAcceptedParams;
 }
 /**
  * Create a secure Supabase client with organisation context
@@ -282,6 +276,53 @@ declare function createSecureClient(supabaseUrl: string, supabaseKey: string, or
  */
 declare function fromSupabaseClient(client: SupabaseClient<Database>, organisationId: UUID | null, eventId?: string, appId?: UUID, isSuperAdmin?: boolean): SecureSupabaseClient;
 
+/**
+ * Client Security Detection Utilities
+ * @package @jmruthers/pace-core
+ * @module RBAC/Utils/ClientSecurity
+ * @since 1.0.0
+ *
+ * Utilities to detect and warn about insecure Supabase client usage.
+ */
+
+/**
+ * Symbol to mark secure clients
+ * This is attached to clients created by SecureSupabaseClient
+ */
+declare const SECURE_CLIENT_SYMBOL: unique symbol;
+/**
+ * Check if a Supabase client is a secure client (created via useSecureSupabase or createSecureClient)
+ *
+ * @param client - The Supabase client to check
+ * @returns true if the client is secure, false otherwise
+ *
+ * @example
+ * ```tsx
+ * import { isSecureClient } from '@jmruthers/pace-core/rbac/utils/clientSecurity';
+ *
+ * const supabase = useSecureSupabase();
+ * if (isSecureClient(supabase)) {
+ *   // Client is secure, safe to use
+ * }
+ * ```
+ */
+declare function isSecureClient(client: SupabaseClient<Database> | null | undefined): boolean;
+/**
+ * Warn about insecure client usage in development
+ *
+ * @param client - The client being used
+ * @param context - Context about where the client is being used (for better error messages)
+ *
+ * @example
+ * ```tsx
+ * import { warnIfInsecureClient } from '@jmruthers/pace-core/rbac/utils/clientSecurity';
+ *
+ * const supabase = createClient(...); // Wrong!
+ * warnIfInsecureClient(supabase, 'MyComponent');
+ * ```
+ */
+declare function warnIfInsecureClient(client: SupabaseClient<Database> | null | undefined, context?: string): void;
+
 /**
  * RBAC Cache Implementation
  * @package @jmruthers/pace-core
@@ -2233,7 +2274,7 @@ declare function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<
 declare function getAccessLevel(input: {
     userId: UUID;
     scope: Scope;
-}, appConfig?: AppConfig | null, appName?: string): Promise<AccessLevel>;
+}, appName?: string): Promise<AccessLevel>;
 /**
  * Get user's permission map for a scope
  *
@@ -2257,7 +2298,7 @@ declare function getAccessLevel(input: {
 declare function getPermissionMap(input: {
     userId: UUID;
     scope: Scope;
-}, appConfig?: AppConfig | null, appName?: string): Promise<PermissionMap>;
+}, appName?: string): Promise<PermissionMap>;
 declare function resolveAppContext(input: {
     userId: UUID;
     appName: string;
@@ -2265,7 +2306,7 @@ declare function resolveAppContext(input: {
 declare function getRoleContext(input: {
     userId: UUID;
     scope: Scope;
-}, appConfig?: AppConfig | null, appName?: string): Promise<RBACRoleContext>;
+}, appName?: string): Promise<RBACRoleContext>;
 /**
  * Check if user has a specific permission
  *
@@ -2284,7 +2325,7 @@ declare function getRoleContext(input: {
  * });
  * ```
  */
-declare function isPermitted(input: PermissionCheck, appConfig?: AppConfig | null, appName?: string, 
+declare function isPermitted(input: PermissionCheck, appName?: string, 
 /**
  * Pre-computed super admin status to avoid duplicate checks.
  * Pass null if not checked yet (will check), true if already checked and is super admin,
@@ -2299,11 +2340,10 @@ precomputedSuperAdmin?: boolean | null): Promise<boolean>;
  * and checks cache before making new requests. Uses session cache for page-level checks.
  *
  * @param input - Permission check input
- * @param appConfig - Optional app configuration
- * @param appName - Optional app name
+ * @param appName - Optional app name (for PORTAL/ADMIN special case)
  * @returns Promise resolving to permission result
  */
-declare function isPermittedCached(input: PermissionCheck, appConfig?: AppConfig | null, appName?: string): Promise<boolean>;
+declare function isPermittedCached(input: PermissionCheck, appName?: string): Promise<boolean>;
 /**
  * Check if a user has a specific permission (alias for isPermitted)
  *
@@ -2640,4 +2680,4 @@ declare function getDirectSupabaseAuthFixes(): QuickFix;
  */
 declare function getQuickFixes(issueType: string, details?: Record<string, any>): QuickFix[];
 
-export { ALL_PERMISSIONS, AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type ComplianceResult, type DataAccessRecord, type DatabaseComplianceResult, type DatabaseIssue, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRoleData, GLOBAL_PERMISSIONS, type GrantEventAppRoleParams, type LogLevel, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, PAGE_PERMISSIONS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, Permission, PermissionCheck, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, PermissionMap, type QuickFix, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, type RBACLogger, type RBACPerformanceMetrics, type ResourcePermissions, type RevokeEventAppRoleParams, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RoleManagementResult, type RouteAccessRecord, type RouteConfig, type RuntimeComplianceResult, Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type SetupIssue, UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, type UseResourcePermissionsOptions, checkRuntimeCompliance, clearInFlightRequests, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, disablePerformanceMonitoring, emitAuditEvent, enablePerformanceMonitoring, fromSupabaseClient, getAccessLevel, getCustomAuthCodeFixes, getDirectSupabaseAuthFixes, getDuplicateConfigFixes, getGlobalAuditManager, getInFlightRequestCount, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getQuickFixes, getRBACConfig, getRBACLogger, getRoleContext, getSetupIssues, getUnprotectedPageFixes, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isValidPermission, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleBasedRouter, useRoleManagement, useSecureData, useSecureSupabase, validateAndWarn, validateDatabaseConfiguration, validateRBACSetup, withAccessLevelGuard, withPermissionGuard, withRoleGuard };
+export { ALL_PERMISSIONS, AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type ComplianceResult, type DataAccessRecord, type DatabaseComplianceResult, type DatabaseIssue, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRoleData, GLOBAL_PERMISSIONS, type GrantEventAppRoleParams, type LogLevel, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, PAGE_PERMISSIONS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, Permission, PermissionCheck, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, PermissionMap, type QuickFix, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, type RBACLogger, type RBACPerformanceMetrics, type ResourcePermissions, type RevokeEventAppRoleParams, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RoleManagementResult, type RouteAccessRecord, type RouteConfig, type RuntimeComplianceResult, SECURE_CLIENT_SYMBOL, Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type SetupIssue, UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, type UseResourcePermissionsOptions, checkRuntimeCompliance, clearInFlightRequests, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, disablePerformanceMonitoring, emitAuditEvent, enablePerformanceMonitoring, fromSupabaseClient, getAccessLevel, getCustomAuthCodeFixes, getDirectSupabaseAuthFixes, getDuplicateConfigFixes, getGlobalAuditManager, getInFlightRequestCount, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getQuickFixes, getRBACConfig, getRBACLogger, getRoleContext, getSetupIssues, getUnprotectedPageFixes, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isSecureClient, isValidPermission, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleBasedRouter, useRoleManagement, useSecureData, useSecureSupabase, validateAndWarn, validateDatabaseConfiguration, validateRBACSetup, warnIfInsecureClient, withAccessLevelGuard, withPermissionGuard, withRoleGuard };

package/dist/rbac/index.js

@@ -39,11 +39,13 @@ import {
   withAccessLevelGuard,
   withPermissionGuard,
   withRoleGuard
-} from "../chunk-6J4GEEJR.js";
+} from "../chunk-ATKZM7RX.js";
 import {
+  SECURE_CLIENT_SYMBOL,
   SecureSupabaseClient,
   createSecureClient,
   fromSupabaseClient,
+  isSecureClient,
   useAccessLevel,
   useCachedPermissions,
   useCan,
@@ -55,11 +57,12 @@ import {
   useResolvedScope,
   useResourcePermissions,
   useRoleManagement,
-  useSecureSupabase
-} from "../chunk-XWQCNGTQ.js";
-import "../chunk-MMZ7JXPU.js";
+  useSecureSupabase,
+  warnIfInsecureClient
+} from "../chunk-NN6WWZ5U.js";
+import "../chunk-OEWDTMG7.js";
 import "../chunk-KQCRWDSA.js";
-import "../chunk-EHMR7VYL.js";
+import "../chunk-AVMLPIM7.js";
 import {
   CACHE_PATTERNS,
   RBACCache,
@@ -91,7 +94,7 @@ import {
   resetPerformanceMetrics,
   resolveAppContext,
   setupRBAC
-} from "../chunk-24UVZUZG.js";
+} from "../chunk-3LPHPB62.js";
 import {
   RBACAuditManager,
   createAuditManager,
@@ -99,12 +102,13 @@ import {
   getGlobalAuditManager,
   setGlobalAuditManager
 } from "../chunk-63FOKYGO.js";
+import "../chunk-36LVWXB2.js";
 import "../chunk-QXHPKYJV.js";
-import "../chunk-F2IMUDXZ.js";
+import "../chunk-M7MPQISP.js";
 import "../chunk-FMUCXFII.js";
 import "../chunk-VBXEHIUJ.js";
 import "../chunk-PWLANIRT.js";
-import "../chunk-7D4SUZUM.js";
+import "../chunk-DGUM43GV.js";
 export {
   ALL_PERMISSIONS,
   AccessLevelGuard,
@@ -126,6 +130,7 @@ export {
   RBACErrorCode,
   RPCFunction,
   RoleBasedRouter,
+  SECURE_CLIENT_SYMBOL,
   SecureDataProvider,
   SecureSupabaseClient,
   checkRuntimeCompliance,
@@ -166,6 +171,7 @@ export {
   isPermitted,
   isPermittedCached,
   isRBACInitialized,
+  isSecureClient,
   isValidPermission,
   rbacCache,
   recordAuditEvent,
@@ -193,6 +199,7 @@ export {
   validateAndWarn,
   validateDatabaseConfiguration,
   validateRBACSetup,
+  warnIfInsecureClient,
   withAccessLevelGuard,
   withPermissionGuard,
   withRoleGuard

package/dist/styles/index.js

@@ -3,7 +3,7 @@ import {
   getStylePath,
   styleConfig
 } from "../chunk-5DRSZLL2.js";
-import "../chunk-7D4SUZUM.js";
+import "../chunk-DGUM43GV.js";
 export {
   getAllStylePaths,
   getStylePath,

package/dist/theming/runtime.js

@@ -7,7 +7,7 @@ import {
   parseAndNormalizeEventColours
 } from "../chunk-L4OXEN46.js";
 import "../chunk-PWLANIRT.js";
-import "../chunk-7D4SUZUM.js";
+import "../chunk-DGUM43GV.js";
 export {
   applyPalette,
   clearPalette,

package/dist/types.js

@@ -44,7 +44,7 @@ import {
   urlSchema,
   userProfileSchema
 } from "./chunk-LMC26NLJ.js";
-import "./chunk-7D4SUZUM.js";
+import "./chunk-DGUM43GV.js";
 
 // src/types/organisation.ts
 var ORGANISATION_ROLE_PERMISSIONS = {

package/dist/{usePublicRouteParams-1oMokgLF.d.ts → usePublicRouteParams-i3qtoBgg.d.ts}

@@ -232,34 +232,25 @@ declare const useOrganisationSecurity: () => OrganisationSecurityHook;
  * @module Hooks/useAppConfig
  * @since 0.4.0
  *
- * Hook for accessing app configuration like direct access support and event requirements.
- * This is a convenience hook that extracts app config from the UnifiedAuthProvider.
+ * Hook for accessing app name and loading state.
+ *
+ * NOTE: Scope configuration (requires_event) is now page-level only (rbac_app_pages.scope_type).
+ * Use getPageScopeType() to determine if a specific page requires event or organisation context.
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { supportsDirectAccess, requiresEvent, isLoading } = useAppConfig();
+ *   const { appName, isLoading } = useAppConfig();
  *
  *   if (isLoading) return <div>Loading...</div>;
  *
- *   return (
- *     <div>
- *       {supportsDirectAccess && (
- *         <div>This app supports direct access!</div>
- *       )}
- *       {requiresEvent && (
- *         <EventSelector />
- *       )}
- *     </div>
- *   );
+ *   return <div>App: {appName}</div>;
  * }
  * ```
  */
 interface UseAppConfigReturn {
-    supportsDirectAccess: boolean;
-    requiresEvent: boolean;
-    isLoading: boolean;
     appName: string;
+    isLoading: boolean;
 }
 /**
  * Hook to access app configuration

package/dist/utils.js

@@ -52,7 +52,7 @@ import {
   getCurrentAppName,
   getCurrentAppNameWithFallback,
   setRBACAppName
-} from "./chunk-F2IMUDXZ.js";
+} from "./chunk-M7MPQISP.js";
 import {
   useComponentPerformance
 } from "./chunk-E66EQZE6.js";
@@ -97,7 +97,7 @@ import {
   createLogger,
   logger
 } from "./chunk-PWLANIRT.js";
-import "./chunk-7D4SUZUM.js";
+import "./chunk-DGUM43GV.js";
 
 // src/utils/core/debugLogger.ts
 var DebugLogger = class {
@@ -881,10 +881,8 @@ function trackDynamicImport(moduleName) {
 
 // src/utils/dynamic/dynamicUtils.ts
 var loadLodash = async () => {
-  const [debounceModule, throttleModule] = await Promise.all([
-    import("lodash.debounce"),
-    import("lodash.throttle")
-  ]);
+  const debounceModule = await import("lodash.debounce");
+  const throttleModule = await import("lodash.throttle");
   return {
     debounce: debounceModule.default || debounceModule,
     throttle: throttleModule.default || throttleModule
@@ -953,7 +951,7 @@ function createLazyComponent(importFn, componentName, options = {}) {
   return WrappedComponent;
 }
 var LazyDataTable = createLazyComponent(
-  () => import("./DataTable-TPTKCX4D.js").then((module) => ({ default: module.DataTable })),
+  () => import("./DataTable-E7YQZD7D.js").then((module) => ({ default: module.DataTable })),
   "DataTable"
 );