@jmruthers/pace-core 0.6.4 → 0.6.6

package/dist/chunk-OHIK3MIO.js

@@ -0,0 +1,994 @@
+import { AccessDenied } from './chunk-4T7OBVTU.js';
+import { useResolvedScope, scopeEqual, useCan, useMultiplePermissions } from './chunk-7TYHROIV.js';
+import { useUnifiedAuth } from './chunk-FTCRZOG2.js';
+import { getRBACLogger, getRBACConfig, RBACNotInitializedError } from './chunk-ZFYPMX46.js';
+import { createLogger } from './chunk-TTRFSOKR.js';
+import React, { useRef, useMemo, useState, useEffect } from 'react';
+import { jsx, Fragment, jsxs } from 'react/jsx-runtime';
+
+// src/rbac/types/functions.ts
+var RPCFunction = /* @__PURE__ */ ((RPCFunction2) => {
+  RPCFunction2["RBAC_PERMISSION_CHECK"] = "rbac_permission_check";
+  RPCFunction2["RBAC_PERMISSIONS_GET"] = "rbac_permissions_get";
+  RPCFunction2["RBAC_ACCESS_VALIDATE"] = "rbac_access_validate";
+  RPCFunction2["RBAC_PAGE_ACCESS_CHECK"] = "rbac_page_access_check";
+  RPCFunction2["RBAC_ROLE_GRANT"] = "rbac_role_grant";
+  RPCFunction2["RBAC_ROLE_REVOKE"] = "rbac_role_revoke";
+  RPCFunction2["RBAC_ROLES_LIST"] = "rbac_roles_list";
+  RPCFunction2["RBAC_ROLE_VALIDATE"] = "rbac_role_validate";
+  RPCFunction2["RBAC_SESSION_TRACK"] = "rbac_session_track";
+  RPCFunction2["RBAC_AUDIT_LOG"] = "rbac_audit_log";
+  return RPCFunction2;
+})(RPCFunction || {});
+var RBACErrorCode = /* @__PURE__ */ ((RBACErrorCode2) => {
+  RBACErrorCode2["USER_NOT_FOUND"] = "USER_NOT_FOUND";
+  RBACErrorCode2["INVALID_ROLE_TYPE"] = "INVALID_ROLE_TYPE";
+  RBACErrorCode2["INVALID_ROLE_NAME"] = "INVALID_ROLE_NAME";
+  RBACErrorCode2["MISSING_ORGANISATION_ID"] = "MISSING_ORGANISATION_ID";
+  RBACErrorCode2["MISSING_EVENT_APP_CONTEXT"] = "MISSING_EVENT_APP_CONTEXT";
+  RBACErrorCode2["ORGANISATION_NOT_FOUND"] = "ORGANISATION_NOT_FOUND";
+  RBACErrorCode2["EVENT_NOT_FOUND"] = "EVENT_NOT_FOUND";
+  RBACErrorCode2["APP_NOT_FOUND"] = "APP_NOT_FOUND";
+  RBACErrorCode2["INVALID_SESSION_TYPE"] = "INVALID_SESSION_TYPE";
+  RBACErrorCode2["INVALID_EVENT_TYPE"] = "INVALID_EVENT_TYPE";
+  RBACErrorCode2["DATABASE_ERROR"] = "DATABASE_ERROR";
+  RBACErrorCode2["ROLE_NOT_FOUND"] = "ROLE_NOT_FOUND";
+  RBACErrorCode2["USER_NOT_AUTHENTICATED"] = "USER_NOT_AUTHENTICATED";
+  RBACErrorCode2["INVALID_GLOBAL_ROLE"] = "INVALID_GLOBAL_ROLE";
+  RBACErrorCode2["INVALID_ORGANISATION_ROLE"] = "INVALID_ORGANISATION_ROLE";
+  RBACErrorCode2["INVALID_EVENT_APP_ROLE"] = "INVALID_EVENT_APP_ROLE";
+  RBACErrorCode2["INVALID_EVENT_APP_FORMAT"] = "INVALID_EVENT_APP_FORMAT";
+  RBACErrorCode2["MISSING_CONTEXT"] = "MISSING_CONTEXT";
+  RBACErrorCode2["INVALID_CONTEXT"] = "INVALID_CONTEXT";
+  RBACErrorCode2["GRANTED_BY_NOT_FOUND"] = "GRANTED_BY_NOT_FOUND";
+  return RBACErrorCode2;
+})(RBACErrorCode || {});
+var PagePermissionGuardComponent = ({
+  pageName,
+  operation,
+  children,
+  fallback = /* @__PURE__ */ jsx(AccessDenied, {}),
+  strictMode = true,
+  auditLog = true,
+  pageId,
+  scope,
+  onDenied,
+  loading = /* @__PURE__ */ jsx(DefaultLoading, {})
+}) => {
+  const renderCountRef = useRef(0);
+  renderCountRef.current += 1;
+  useMemo(() => Math.random().toString(36).substr(2, 9), []);
+  const { user, selectedOrganisation, selectedEvent, supabase, appId: contextAppId, appName } = useUnifiedAuth();
+  const [hasChecked, setHasChecked] = useState(false);
+  const hasLoggedSuperAdminRef = useRef(false);
+  const effectivePageId = useMemo(() => {
+    return pageId || pageName;
+  }, [pageId, pageName]);
+  const [isSuperAdmin, setIsSuperAdmin] = useState(null);
+  useEffect(() => {
+    if (!user?.id) {
+      setIsSuperAdmin(false);
+      return;
+    }
+    let cancelled = false;
+    const checkSuperAdmin = async () => {
+      const startTime = Date.now();
+      try {
+        const { isSuperAdmin: checkSuperAdmin2 } = await import('./api-Y4MQWOFW.js');
+        const timeoutPromise = new Promise((_, reject) => {
+          setTimeout(() => reject(new Error("Super admin check timeout")), 1e4);
+        });
+        const isSuper = await Promise.race([
+          checkSuperAdmin2(user.id),
+          timeoutPromise
+        ]);
+        const elapsed = Date.now() - startTime;
+        if (!cancelled) {
+          setIsSuperAdmin(isSuper);
+          if (false) ;
+        }
+      } catch (err) {
+        const elapsed = Date.now() - startTime;
+        if (!cancelled) {
+          console.error("[PagePermissionGuard] Error checking super admin", {
+            error: err,
+            userId: user.id,
+            elapsedMs: elapsed
+          });
+          setIsSuperAdmin(false);
+        }
+      }
+    };
+    checkSuperAdmin();
+    return () => {
+      cancelled = true;
+    };
+  }, [user?.id]);
+  const { resolvedScope: hookResolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
+    supabase,
+    selectedOrganisationId: selectedOrganisation?.id || null,
+    selectedEventId: selectedEvent?.event_id || null,
+    selectedEventOrganisationId: selectedEvent?.organisation_id || null
+  });
+  const shouldBypassScopeForSuperAdmin = isSuperAdmin === true;
+  const allowsOptionalContexts = appName === "PORTAL" || appName === "ADMIN";
+  const effectiveScope = scope || (hookResolvedScope ? {
+    ...hookResolvedScope,
+    appId: hookResolvedScope.appId || (allowsOptionalContexts ? contextAppId : void 0)
+  } : allowsOptionalContexts && contextAppId ? {
+    organisationId: void 0,
+    eventId: void 0,
+    appId: contextAppId
+  } : selectedEvent?.event_id ? {
+    organisationId: void 0,
+    // Will be derived from event
+    eventId: selectedEvent.event_id,
+    appId: contextAppId || void 0
+  } : null);
+  const checkError = scopeError;
+  const permission = useMemo(() => {
+    return `${operation}:page.${pageName}`;
+  }, [operation, pageName]);
+  const prevScopeRef = useRef(null);
+  const stableScope = useMemo(() => {
+    if (allowsOptionalContexts && effectiveScope) {
+      const newScope2 = {
+        organisationId: effectiveScope.organisationId,
+        appId: effectiveScope.appId || contextAppId || void 0,
+        eventId: effectiveScope.eventId
+      };
+      if (scopeEqual(prevScopeRef.current, newScope2)) {
+        return prevScopeRef.current;
+      }
+      prevScopeRef.current = newScope2;
+      return newScope2;
+    }
+    const newScope = effectiveScope && effectiveScope.organisationId ? {
+      organisationId: effectiveScope.organisationId,
+      appId: effectiveScope.appId || contextAppId || void 0,
+      eventId: effectiveScope.eventId || void 0
+    } : {
+      organisationId: effectiveScope?.organisationId || void 0,
+      appId: effectiveScope?.appId || contextAppId || void 0,
+      eventId: effectiveScope?.eventId || selectedEvent?.event_id || void 0
+    };
+    if (scopeEqual(prevScopeRef.current, newScope)) {
+      return prevScopeRef.current;
+    }
+    prevScopeRef.current = newScope;
+    return newScope;
+  }, [effectiveScope, appName, contextAppId, selectedEvent?.event_id]);
+  const scopeForPermissionCheck = shouldBypassScopeForSuperAdmin && !stableScope?.organisationId ? {
+    organisationId: void 0,
+    appId: contextAppId || void 0,
+    eventId: selectedEvent?.event_id || void 0
+  } : stableScope;
+  const shouldSkipPermissionCheck = isSuperAdmin === true;
+  const { can, isLoading: canIsLoading, error: canError } = useCan(
+    user?.id || "",
+    shouldSkipPermissionCheck ? { organisationId: void 0, appId: contextAppId || void 0, eventId: void 0 } : scopeForPermissionCheck,
+    permission,
+    effectivePageId,
+    true,
+    // Use cache
+    isSuperAdmin,
+    // precomputedSuperAdmin - null if checking, true/false if checked
+    appName
+    // Pass appName for PORTAL/ADMIN special case
+  );
+  const effectiveCan = shouldSkipPermissionCheck ? true : can;
+  const effectiveIsLoading = shouldSkipPermissionCheck ? false : canIsLoading;
+  const isLoading = shouldBypassScopeForSuperAdmin ? effectiveIsLoading : scopeLoading || effectiveIsLoading;
+  const error = checkError || canError;
+  useEffect(() => {
+    if (!isLoading && !error) {
+      setHasChecked(true);
+      if (!effectiveCan && onDenied) {
+        onDenied(pageName, operation);
+      }
+    } else if (error) {
+      setHasChecked(true);
+    }
+  }, [effectiveCan, isLoading, error, pageName, operation, onDenied]);
+  useEffect(() => {
+    if (auditLog && hasChecked && !isLoading) {
+      const rbacLogger = getRBACLogger();
+      rbacLogger.debug("Page access attempt:", {
+        pageName,
+        operation,
+        userId: user?.id,
+        scope: effectiveScope,
+        allowed: effectiveCan,
+        isSuperAdmin,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, effectiveScope, effectiveCan, isSuperAdmin]);
+  useEffect(() => {
+    if (strictMode && hasChecked && !isLoading && !effectiveCan && !shouldBypassScopeForSuperAdmin) {
+      const logger = getRBACLogger();
+      logger.error(`STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
+        pageName,
+        operation,
+        permission: `${operation}:page.${pageName}`,
+        pageId: effectivePageId,
+        userId: user?.id,
+        scope: effectiveScope,
+        scopeValid: allowsOptionalContexts ? true : effectiveScope !== null,
+        // PORTAL/ADMIN allow scope without org/event
+        checkError,
+        canError,
+        isSuperAdmin,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [strictMode, hasChecked, isLoading, effectiveCan, shouldBypassScopeForSuperAdmin, pageName, operation, effectivePageId, user?.id, effectiveScope, allowsOptionalContexts, checkError, canError, isSuperAdmin]);
+  const hasValidScopeForPagePermissions = shouldBypassScopeForSuperAdmin ? true : allowsOptionalContexts ? true : effectiveScope !== null;
+  const hasValidUser = user && user.id;
+  const isPermissionCheckComplete = hasChecked && !isLoading;
+  const shouldShowAccessDenied = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && !effectiveCan;
+  const shouldShowContent = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && effectiveCan;
+  effectiveScope ? `${effectiveScope.organisationId}-${effectiveScope.eventId}-${effectiveScope.appId}` : "no-scope";
+  useRef("");
+  useEffect(() => {
+  }, [pageName, user?.id, isSuperAdmin, isLoading, scopeLoading, canIsLoading, hasChecked, hasValidUser, effectiveCan, stableScope, effectiveScope]);
+  useEffect(() => {
+    if (isLoading && isSuperAdmin === null && hasValidUser) {
+      const timeout = setTimeout(() => {
+        console.warn("[PagePermissionGuard] Permission check taking longer than expected", {
+          pageName,
+          userId: user?.id,
+          isSuperAdmin,
+          scopeLoading,
+          canIsLoading,
+          hasChecked,
+          stableScope,
+          effectiveScope,
+          appName
+        });
+      }, 5e3);
+      return () => clearTimeout(timeout);
+    }
+  }, [isLoading, isSuperAdmin, hasValidUser, pageName, user?.id, scopeLoading, canIsLoading, hasChecked, stableScope, effectiveScope, appName]);
+  useEffect(() => {
+    if (isSuperAdmin === true && hasValidUser && !hasLoggedSuperAdminRef.current && false) ;
+    if (isSuperAdmin !== true) {
+      hasLoggedSuperAdminRef.current = false;
+    }
+  }, [isSuperAdmin, hasValidUser, pageName, user?.id, operation]);
+  if (isSuperAdmin === true && hasValidUser) {
+    return /* @__PURE__ */ jsx(Fragment, { children });
+  }
+  if (isLoading || !hasValidUser || !hasChecked || isSuperAdmin === null) {
+    return loading || /* @__PURE__ */ jsx("div", { children: "Checking permissions..." });
+  }
+  if (checkError && !can) {
+    return fallback;
+  }
+  if (shouldShowAccessDenied) {
+    return fallback;
+  }
+  if (shouldShowContent) {
+    return /* @__PURE__ */ jsx(Fragment, { children });
+  }
+  return fallback;
+};
+function DefaultLoading() {
+  return /* @__PURE__ */ jsx("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx("div", { className: "animate-spin rounded-full size-8 border-b-2 border-main-600" }),
+    /* @__PURE__ */ jsx("span", { className: "text-sec-600", children: "Checking permissions..." })
+  ] }) });
+}
+var PagePermissionGuard = React.memo(PagePermissionGuardComponent);
+function NavigationGuard({
+  navigationItem,
+  children,
+  fallback = /* @__PURE__ */ jsx(AccessDenied, {}),
+  strictMode = true,
+  auditLog = true,
+  scope,
+  onDenied,
+  loading = /* @__PURE__ */ jsx(DefaultLoading2, {}),
+  requireAll = true
+}) {
+  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
+  const [hasChecked, setHasChecked] = useState(false);
+  const { resolvedScope: hookResolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
+    supabase,
+    selectedOrganisationId: selectedOrganisation?.id || null,
+    selectedEventId: selectedEvent?.event_id || null,
+    selectedEventOrganisationId: selectedEvent?.organisation_id || null
+  });
+  const effectiveScope = scope || hookResolvedScope;
+  const checkError = scopeError;
+  const validPermissions = (navigationItem.permissions || []).filter(
+    (p) => typeof p === "string" && (p.startsWith("read:") || p.startsWith("create:") || p.startsWith("update:") || p.startsWith("delete:"))
+  );
+  const { results: permissionResults, isLoading: permissionsLoading, error: permissionsError } = useMultiplePermissions(
+    user?.id || "",
+    effectiveScope || { eventId: selectedEvent?.event_id || void 0 },
+    validPermissions,
+    true
+    // Use cache
+  );
+  const isLoading = scopeLoading || permissionsLoading;
+  const error = checkError || permissionsError;
+  const hasRequiredPermissions = useMemo(() => {
+    if (!navigationItem.permissions || navigationItem.permissions.length === 0) return true;
+    if (requireAll) {
+      return Object.values(permissionResults).every((result) => result === true);
+    } else {
+      return Object.values(permissionResults).some((result) => result === true);
+    }
+  }, [navigationItem.permissions, permissionResults, requireAll]);
+  useEffect(() => {
+    if (!isLoading && !error) {
+      setHasChecked(true);
+      if (!hasRequiredPermissions && onDenied) {
+        onDenied(navigationItem);
+      }
+    } else if (error) {
+      setHasChecked(true);
+    }
+  }, [hasRequiredPermissions, isLoading, error, navigationItem, onDenied]);
+  useEffect(() => {
+  }, [auditLog, hasChecked, isLoading, navigationItem, user?.id, effectiveScope, hasRequiredPermissions, requireAll]);
+  useEffect(() => {
+    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
+      const logger = getRBACLogger();
+      logger.error(`STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
+        navigationItem: navigationItem.id,
+        permissions: navigationItem.permissions,
+        userId: user?.id,
+        scope: effectiveScope,
+        requireAll,
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, navigationItem, user?.id, effectiveScope, requireAll]);
+  if (isLoading || !effectiveScope || !hasChecked) {
+    return /* @__PURE__ */ jsx(Fragment, { children: loading });
+  }
+  if (checkError) {
+    const logger = getRBACLogger();
+    logger.error(`Permission check failed for navigation item ${navigationItem.id}:`, checkError);
+    return /* @__PURE__ */ jsx(Fragment, { children: fallback });
+  }
+  if (!hasRequiredPermissions) {
+    return /* @__PURE__ */ jsx(Fragment, { children: fallback });
+  }
+  return /* @__PURE__ */ jsx(Fragment, { children });
+}
+function DefaultLoading2() {
+  return /* @__PURE__ */ jsx("div", { className: "flex items-center justify-center p-2", children: /* @__PURE__ */ jsxs("div", { className: "flex items-center space-x-2", children: [
+    /* @__PURE__ */ jsx("div", { className: "animate-spin rounded-full size-4 border-b-2 border-main-600" }),
+    /* @__PURE__ */ jsx("span", { className: "text-sm text-sec-600", children: "Checking..." })
+  ] }) });
+}
+
+// src/rbac/adapters.tsx
+function withPermissionGuard(config, handler) {
+  return async (...args) => {
+    const [req] = args;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      throw new Error("User context required for permission check");
+    }
+    const { isPermitted: isPermitted2 } = await import('./api-Y4MQWOFW.js');
+    const hasPermission = await isPermitted2({
+      userId,
+      scope: { organisationId, eventId, appId },
+      permission: config.permission,
+      pageId: config.pageId
+    });
+    if (!hasPermission) {
+      throw new Error(`Permission denied: ${config.permission}`);
+    }
+    return handler(...args);
+  };
+}
+function withAccessLevelGuard(minLevel, handler) {
+  return async (...args) => {
+    const [req] = args;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      throw new Error("User context required for access level check");
+    }
+    const { getAccessLevel: getAccessLevel2 } = await import('./api-Y4MQWOFW.js');
+    const accessLevel = await getAccessLevel2({
+      userId,
+      scope: { organisationId, eventId, appId }
+    });
+    const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
+    const userLevelIndex = levelHierarchy.indexOf(accessLevel);
+    const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
+    if (userLevelIndex < requiredLevelIndex) {
+      throw new Error(`Access level required: ${minLevel}, got: ${accessLevel}`);
+    }
+    return handler(...args);
+  };
+}
+function withRoleGuard(config, handler) {
+  return async (...args) => {
+    const [req] = args;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      throw new Error("User context required for role check");
+    }
+    if (config.globalRoles && config.globalRoles.length > 0) {
+      const { isSuperAdmin } = await import('./api-Y4MQWOFW.js');
+      const isSuper = await isSuperAdmin(userId);
+      if (isSuper) {
+        if (organisationId) {
+          const { emitAuditEvent: emitAuditEvent2 } = await import('./audit-MYQXYZFU.js');
+          await emitAuditEvent2({
+            type: "permission_check",
+            userId,
+            organisationId,
+            eventId,
+            appId,
+            permission: "bypass:all",
+            decision: true,
+            source: "api",
+            bypass: true,
+            duration_ms: 0,
+            metadata: {
+              operation: "role_guard",
+              reason: "super_admin_bypass"
+            }
+          });
+        }
+        return handler(...args);
+      }
+    }
+    if (config.organisationRoles && config.organisationRoles.length > 0) {
+      const { isOrganisationAdmin } = await import('./api-Y4MQWOFW.js');
+      const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
+      if (!isOrgAdmin && config.requireAll !== false) {
+        throw new Error(`Organisation admin role required`);
+      }
+    }
+    if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
+      const { isEventAdmin } = await import('./api-Y4MQWOFW.js');
+      const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
+      if (!isEventAdminUser && config.requireAll !== false) {
+        throw new Error(`Event admin role required`);
+      }
+    }
+    if (organisationId) {
+      const { emitAuditEvent: emitAuditEvent2 } = await import('./audit-MYQXYZFU.js');
+      await emitAuditEvent2({
+        type: "permission_check",
+        userId,
+        organisationId,
+        eventId,
+        appId,
+        permission: "role:check",
+        decision: true,
+        source: "api",
+        bypass: false,
+        duration_ms: 0,
+        metadata: {
+          operation: "role_guard"
+        }
+      });
+    }
+    return handler(...args);
+  };
+}
+function createRBACMiddleware(config) {
+  return async (req, res, next) => {
+    const { pathname } = req.nextUrl;
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    if (!userId || !organisationId) {
+      return res.redirect(config.fallbackUrl || "/login");
+    }
+    const protectedRoute = config.protectedRoutes.find(
+      (route) => pathname.startsWith(route.path)
+    );
+    if (protectedRoute) {
+      try {
+        const { isPermitted: isPermitted2 } = await import('./api-Y4MQWOFW.js');
+        const hasPermission = await isPermitted2({
+          userId,
+          scope: { organisationId },
+          permission: protectedRoute.permission,
+          pageId: protectedRoute.pageId
+        });
+        if (!hasPermission) {
+          return res.redirect(config.fallbackUrl || "/access-denied");
+        }
+      } catch (_error) {
+        return res.redirect(config.fallbackUrl || "/access-denied");
+      }
+    }
+    next();
+  };
+}
+function createRBACExpressMiddleware(config) {
+  return async (req, res, next) => {
+    const userId = req.user?.id;
+    const organisationId = req.organisationId;
+    const eventId = req.eventId;
+    const appId = req.appId;
+    if (!userId || !organisationId) {
+      return res.status(401).json({ error: "User context required" });
+    }
+    try {
+      const { isPermitted: isPermitted2 } = await import('./api-Y4MQWOFW.js');
+      const hasPermission = await isPermitted2({
+        userId,
+        scope: { organisationId, eventId, appId },
+        permission: config.permission,
+        pageId: config.pageId
+      });
+      if (!hasPermission) {
+        return res.status(403).json({ error: "Permission denied" });
+      }
+      next();
+    } catch (_error) {
+      return res.status(500).json({ error: "Permission check failed" });
+    }
+  };
+}
+
+// src/rbac/permissions.ts
+createLogger("RBACPermissions");
+var GLOBAL_PERMISSIONS = {
+  READ_ALL: "read:*",
+  CREATE_ALL: "create:*",
+  UPDATE_ALL: "update:*",
+  DELETE_ALL: "delete:*"
+};
+var ORGANISATION_PERMISSIONS = {
+  // Organisation management
+  READ_ORGANISATION: "read:organisation",
+  UPDATE_ORGANISATION: "update:organisation",
+  DELETE_ORGANISATION: "delete:organisation",
+  // User management
+  READ_USERS: "read:users",
+  CREATE_USERS: "create:users",
+  UPDATE_USERS: "update:users",
+  DELETE_USERS: "delete:users",
+  // Role management
+  READ_ROLES: "read:roles",
+  CREATE_ROLES: "create:roles",
+  UPDATE_ROLES: "update:roles",
+  DELETE_ROLES: "delete:roles",
+  // Event management
+  READ_EVENTS: "read:events",
+  CREATE_EVENTS: "create:events",
+  UPDATE_EVENTS: "update:events",
+  DELETE_EVENTS: "delete:events",
+  // App management
+  READ_APPS: "read:apps",
+  CREATE_APPS: "create:apps",
+  UPDATE_APPS: "update:apps",
+  DELETE_APPS: "delete:apps"
+};
+var EVENT_APP_PERMISSIONS = {
+  // Event management
+  READ_EVENT: "read:event",
+  CREATE_EVENT: "create:event",
+  UPDATE_EVENT: "update:event",
+  DELETE_EVENT: "delete:event",
+  // App management
+  READ_APP: "read:app",
+  CREATE_APP: "create:app",
+  UPDATE_APP: "update:app",
+  DELETE_APP: "delete:app",
+  // Team management
+  READ_TEAM: "read:team",
+  CREATE_TEAM: "create:team",
+  UPDATE_TEAM: "update:team",
+  DELETE_TEAM: "delete:team",
+  // Team members
+  READ_TEAM_MEMBERS: "read:team.members",
+  CREATE_TEAM_MEMBERS: "create:team.members",
+  UPDATE_TEAM_MEMBERS: "update:team.members",
+  DELETE_TEAM_MEMBERS: "delete:team.members",
+  // Event content
+  READ_EVENT_CONTENT: "read:event.content",
+  CREATE_EVENT_CONTENT: "create:event.content",
+  UPDATE_EVENT_CONTENT: "update:event.content",
+  DELETE_EVENT_CONTENT: "delete:event.content",
+  // Event settings
+  READ_EVENT_SETTINGS: "read:event.settings",
+  CREATE_EVENT_SETTINGS: "create:event.settings",
+  UPDATE_EVENT_SETTINGS: "update:event.settings",
+  DELETE_EVENT_SETTINGS: "delete:event.settings"
+};
+var PAGE_PERMISSIONS = {
+  // General page access (generic - used for wildcard checks)
+  READ_PAGE: "read:page",
+  CREATE_PAGE: "create:page",
+  UPDATE_PAGE: "update:page",
+  DELETE_PAGE: "delete:page",
+  // Admin pages
+  READ_ADMIN: "read:page.admin",
+  CREATE_ADMIN: "create:page.admin",
+  UPDATE_ADMIN: "update:page.admin",
+  DELETE_ADMIN: "delete:page.admin",
+  // Dashboard pages
+  READ_DASHBOARD: "read:page.dashboard",
+  CREATE_DASHBOARD: "create:page.dashboard",
+  UPDATE_DASHBOARD: "update:page.dashboard",
+  DELETE_DASHBOARD: "delete:page.dashboard",
+  // Settings pages
+  READ_SETTINGS: "read:page.settings",
+  CREATE_SETTINGS: "create:page.settings",
+  UPDATE_SETTINGS: "update:page.settings",
+  DELETE_SETTINGS: "delete:page.settings",
+  // Reports pages
+  READ_REPORTS: "read:page.reports",
+  CREATE_REPORTS: "create:page.reports",
+  UPDATE_REPORTS: "update:page.reports",
+  DELETE_REPORTS: "delete:page.reports"
+};
+function isValidPermission(permission) {
+  const pattern = /^(read|create|update|delete):[a-z0-9]+(\.[a-z0-9]+)*$|^(read|create|update|delete):\*$/;
+  return pattern.test(permission);
+}
+var ALL_PERMISSIONS = {
+  ...GLOBAL_PERMISSIONS,
+  ...ORGANISATION_PERMISSIONS,
+  ...EVENT_APP_PERMISSIONS,
+  ...PAGE_PERMISSIONS
+};
+
+// src/rbac/compliance/setup-validator.ts
+function isRBACInitialized() {
+  try {
+    const config = getRBACConfig();
+    return config !== null && config.supabase !== null;
+  } catch (error) {
+    if (error instanceof RBACNotInitializedError) {
+      return false;
+    }
+    throw error;
+  }
+}
+function getSetupIssues() {
+  const issues = [];
+  const config = getRBACConfig();
+  if (!config) {
+    issues.push({
+      type: "not-initialized",
+      message: "RBAC system has not been initialized. setupRBAC() has not been called.",
+      recommendation: "Call setupRBAC(supabase) before using any RBAC features. This should be done in your main entry point (main.tsx or App.tsx) before rendering the app."
+    });
+    return issues;
+  }
+  if (!config.supabase) {
+    issues.push({
+      type: "missing-config",
+      message: "RBAC configuration is missing Supabase client.",
+      recommendation: "Ensure setupRBAC() is called with a valid Supabase client instance."
+    });
+  }
+  return issues;
+}
+function getProviderContextIssues() {
+  const issues = [];
+  if (!isRBACInitialized()) {
+    issues.push({
+      type: "not-initialized",
+      message: "RBAC system must be initialized before provider context can be used.",
+      recommendation: "Call setupRBAC(supabase) before rendering UnifiedAuthProvider."
+    });
+  }
+  return issues;
+}
+function validateRBACSetup() {
+  const issues = getSetupIssues();
+  const providerIssues = getProviderContextIssues();
+  return {
+    isCompliant: issues.length === 0 && providerIssues.length === 0,
+    issues: [...issues, ...providerIssues]
+  };
+}
+
+// src/rbac/compliance/runtime-compliance.ts
+function checkRuntimeCompliance() {
+  const logger = getRBACLogger();
+  const setupValidation = validateRBACSetup();
+  const warnings = [];
+  if (!setupValidation.isCompliant) {
+    setupValidation.issues.forEach((issue) => {
+      const warning = `[RBAC Compliance] ${issue.message}
+  Recommendation: ${issue.recommendation}`;
+      warnings.push(warning);
+      logger.warn(warning);
+    });
+  }
+  const providerContextIssues = setupValidation.issues.filter(
+    (issue) => issue.type === "missing-provider-context" || issue.type === "not-initialized"
+  );
+  const providerContext = providerContextIssues.length > 0 ? {
+    available: false,
+    message: "UnifiedAuthProvider context may not be available. Ensure your app is wrapped with UnifiedAuthProvider from @jmruthers/pace-core."
+  } : {
+    available: true
+  };
+  return {
+    setup: setupValidation,
+    warnings,
+    providerContext
+  };
+}
+function validateAndWarn() {
+  if (import.meta.env.MODE === "development" || import.meta.env.DEV) {
+    checkRuntimeCompliance();
+  }
+}
+
+// src/rbac/compliance/database-validator.ts
+async function validateDatabaseConfiguration(supabase, appName) {
+  const issues = [];
+  const recommendations = [];
+  let appConfigured = false;
+  let pagesConfigured = false;
+  let permissionsConfigured = false;
+  let rlsPoliciesActive = false;
+  let rolesConfigured = false;
+  try {
+    const { data: app, error: appError } = await supabase.from("rbac_apps").select("id, name").eq("name", appName).single();
+    if (appError || !app) {
+      issues.push({
+        type: "app-not-configured",
+        message: `App '${appName}' not found in rbac_apps table.`,
+        recommendation: `Register your app in the rbac_apps table with name '${appName}' (case-sensitive).`
+      });
+    } else {
+      appConfigured = true;
+      if (app.name !== appName) {
+        issues.push({
+          type: "app-name-mismatch",
+          message: `App name mismatch. Database has '${app.name}', but environment variable has '${appName}'.`,
+          recommendation: `Ensure VITE_APP_NAME (or NEXT_PUBLIC_APP_NAME) matches the app name in rbac_apps table exactly (case-sensitive).`
+        });
+      }
+      const { data: pages, error: pagesError } = await supabase.from("rbac_app_pages").select("id").eq("app_id", app.id).limit(1);
+      if (pagesError || !pages || pages.length === 0) {
+        issues.push({
+          type: "pages-not-configured",
+          message: `No pages found for app '${appName}' in rbac_app_pages table.`,
+          recommendation: "Register your app pages in the rbac_app_pages table. Each route/page should have an entry."
+        });
+      } else {
+        pagesConfigured = true;
+        const { data: permissions, error: permissionsError } = await supabase.from("rbac_page_permissions").select("id").in("page_id", pages.map((p) => p.id)).limit(1);
+        if (permissionsError || !permissions || permissions.length === 0) {
+          issues.push({
+            type: "permissions-not-configured",
+            message: `No permissions found for app '${appName}' pages in rbac_page_permissions table.`,
+            recommendation: "Configure permissions for your app pages in the rbac_page_permissions table. Each page should have permissions for different operations (read, create, update, delete)."
+          });
+        } else {
+          permissionsConfigured = true;
+        }
+      }
+    }
+    try {
+      const { data: rbacTables, error: rlsError } = await supabase.rpc("rbac_check_rls_status");
+      if (rlsError) {
+        rlsPoliciesActive = true;
+        recommendations.push("Consider adding an RLS status check function to validate RLS policies are active.");
+      } else {
+        rlsPoliciesActive = true;
+      }
+    } catch (error) {
+      rlsPoliciesActive = true;
+      recommendations.push("Consider adding an RLS status check function to validate RLS policies are active.");
+    }
+    const { data: orgRoles, error: rolesError } = await supabase.from("rbac_organisation_roles").select("id").limit(1);
+    if (rolesError) {
+      issues.push({
+        type: "roles-not-configured",
+        message: "Unable to query rbac_organisation_roles table. RLS might be blocking access or table might not exist.",
+        recommendation: "Ensure rbac_organisation_roles table exists and RLS policies allow read access for authenticated users."
+      });
+    } else {
+      rolesConfigured = true;
+    }
+  } catch (error) {
+    issues.push({
+      type: "app-not-configured",
+      message: `Error validating database configuration: ${error instanceof Error ? error.message : "Unknown error"}`,
+      recommendation: "Check your Supabase connection and ensure you have the necessary permissions to query RBAC tables."
+    });
+  }
+  return {
+    appConfigured,
+    pagesConfigured,
+    permissionsConfigured,
+    rlsPoliciesActive,
+    rolesConfigured,
+    issues,
+    recommendations
+  };
+}
+
+// src/rbac/compliance/quick-fix-suggestions.ts
+function getCustomAuthCodeFixes(customCodeName, type) {
+  const fixes = {
+    "useAuth": {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with useUnifiedAuth from pace-core`,
+      codeExample: `// Before
+import { useAuth } from './hooks/useAuth';
+
+// After
+import { useUnifiedAuth } from '@jmruthers/pace-core';`,
+      migrationSteps: [
+        "Remove custom useAuth hook",
+        "Import useUnifiedAuth from @jmruthers/pace-core",
+        "Update all usages to use useUnifiedAuth",
+        "Ensure UnifiedAuthProvider wraps your app"
+      ]
+    },
+    "usePermissions": {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with usePermissions from pace-core`,
+      codeExample: `// Before
+import { usePermissions } from './hooks/usePermissions';
+
+// After
+import { usePermissions } from '@jmruthers/pace-core/rbac';`,
+      migrationSteps: [
+        "Remove custom usePermissions hook",
+        "Import usePermissions from @jmruthers/pace-core/rbac",
+        "Update all usages - ensure setupRBAC() has been called",
+        "Verify provider hierarchy is correct"
+      ]
+    },
+    "PermissionGuard": {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with PagePermissionGuard from pace-core`,
+      codeExample: `// Before
+import { PermissionGuard } from './components/PermissionGuard';
+
+// After
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';`,
+      migrationSteps: [
+        "Remove custom PermissionGuard component",
+        "Import PagePermissionGuard from @jmruthers/pace-core/rbac",
+        "Wrap pages with PagePermissionGuard",
+        "Use pageName and operation props instead of custom permission strings"
+      ]
+    },
+    "checkPermission": {
+      issue: `Custom ${type} '${customCodeName}' detected`,
+      suggestion: `Replace with isPermitted from pace-core`,
+      codeExample: `// Before
+import { checkPermission } from './utils/permissions';
+
+// After
+import { isPermitted } from '@jmruthers/pace-core/rbac';`,
+      migrationSteps: [
+        "Remove custom checkPermission utility",
+        "Import isPermitted from @jmruthers/pace-core/rbac",
+        "Update all usages to use isPermitted with proper scope",
+        "Ensure setupRBAC() has been called"
+      ]
+    }
+  };
+  return fixes[customCodeName] || {
+    issue: `Custom ${type} '${customCodeName}' detected`,
+    suggestion: `Use pace-core's equivalent instead. Check @jmruthers/pace-core documentation for the correct import.`,
+    migrationSteps: [
+      `Remove custom ${customCodeName} ${type}`,
+      "Find equivalent in pace-core",
+      "Import from @jmruthers/pace-core or @jmruthers/pace-core/rbac",
+      "Update all usages"
+    ]
+  };
+}
+function getDuplicateConfigFixes() {
+  return {
+    issue: "Multiple Supabase client instantiations found",
+    suggestion: "Consolidate to a single Supabase client configuration",
+    codeExample: `// Before - Multiple createClient calls
+// src/lib/supabase.ts
+export const supabase = createClient(url, key);
+
+// src/utils/api.ts
+export const supabase = createClient(url, key);
+
+// After - Single configuration
+// src/lib/supabase.ts
+export const supabase = createClient(
+  import.meta.env.VITE_SUPABASE_URL,
+  import.meta.env.VITE_SUPABASE_PUBLISHABLE_KEY
+);
+
+// src/utils/api.ts
+import { supabase } from '../lib/supabase';`,
+    migrationSteps: [
+      "Create a single supabase.ts file in a shared location (e.g., src/lib/supabase.ts)",
+      "Move all Supabase client creation to this file",
+      "Export the client instance",
+      "Update all files to import from the shared location",
+      "Remove duplicate createClient calls"
+    ]
+  };
+}
+function getUnprotectedPageFixes() {
+  return {
+    issue: "Route/page found without PagePermissionGuard",
+    suggestion: "Wrap all routes with PagePermissionGuard",
+    codeExample: `// Before
+<Route path="/dashboard" element={<Dashboard />} />
+
+// After
+<Route 
+  path="/dashboard" 
+  element={
+    <PagePermissionGuard pageName="dashboard" operation="read">
+      <Dashboard />
+    </PagePermissionGuard>
+  } 
+/>`,
+    migrationSteps: [
+      "Import PagePermissionGuard from @jmruthers/pace-core/rbac",
+      "Wrap each route/page component with PagePermissionGuard",
+      "Set pageName prop to match your page name in rbac_app_pages table",
+      "Set operation prop (read, create, update, or delete)",
+      "Ensure setupRBAC() has been called and providers are set up correctly"
+    ]
+  };
+}
+function getDirectSupabaseAuthFixes() {
+  return {
+    issue: "Direct Supabase auth usage detected",
+    suggestion: "Use UnifiedAuthProvider and useUnifiedAuth from pace-core",
+    codeExample: `// Before
+import { createClient } from '@supabase/supabase-js';
+const supabase = createClient(url, key);
+await supabase.auth.signInWithPassword({ email, password });
+
+// After
+import { useUnifiedAuth } from '@jmruthers/pace-core';
+const { signIn } = useUnifiedAuth();
+await signIn({ email, password });`,
+    migrationSteps: [
+      "Remove direct Supabase auth calls",
+      "Import useUnifiedAuth from @jmruthers/pace-core",
+      "Use the auth methods from useUnifiedAuth hook",
+      "Ensure UnifiedAuthProvider wraps your app",
+      "Update all auth-related code to use pace-core hooks"
+    ]
+  };
+}
+function getQuickFixes(issueType, details) {
+  const fixes = [];
+  switch (issueType) {
+    case "custom-auth-code":
+      if (details?.name && details?.type) {
+        fixes.push(getCustomAuthCodeFixes(details.name, details.type));
+      }
+      break;
+    case "duplicate-config":
+      fixes.push(getDuplicateConfigFixes());
+      break;
+    case "unprotected-pages":
+      fixes.push(getUnprotectedPageFixes());
+      break;
+    case "direct-supabase-auth":
+      fixes.push(getDirectSupabaseAuthFixes());
+      break;
+  }
+  return fixes;
+}
+
+export { ALL_PERMISSIONS, EVENT_APP_PERMISSIONS, GLOBAL_PERMISSIONS, NavigationGuard, ORGANISATION_PERMISSIONS, PAGE_PERMISSIONS, PagePermissionGuard, RBACErrorCode, RPCFunction, checkRuntimeCompliance, createRBACExpressMiddleware, createRBACMiddleware, getCustomAuthCodeFixes, getDirectSupabaseAuthFixes, getDuplicateConfigFixes, getQuickFixes, getSetupIssues, getUnprotectedPageFixes, isRBACInitialized, isValidPermission, validateAndWarn, validateDatabaseConfiguration, validateRBACSetup, withAccessLevelGuard, withPermissionGuard, withRoleGuard };