@jmruthers/pace-core 0.6.4 → 0.6.6

package/dist/{chunk-3LPHPB62.js → chunk-ZFYPMX46.js}

@@ -1,20 +1,71 @@
-import {
-  createAuditManager,
-  emitAuditEvent,
-  setGlobalAuditManager
-} from "./chunk-63FOKYGO.js";
-import {
-  ContextValidator,
-  InvalidScopeError,
-  MissingUserContextError,
-  OrganisationContextRequiredError,
-  PermissionDeniedError,
-  RBACError,
-  RBACNotInitializedError
-} from "./chunk-36LVWXB2.js";
-import {
-  createLogger
-} from "./chunk-PWLANIRT.js";
+import { emitAuditEvent, createAuditManager, setGlobalAuditManager } from './chunk-AHU7G2R5.js';
+import { createLogger } from './chunk-TTRFSOKR.js';
+
+// src/rbac/types.ts
+var RBACError = class extends Error {
+  constructor(message, code, context) {
+    super(message);
+    this.code = code;
+    this.context = context;
+    this.name = "RBACError";
+  }
+};
+var PermissionDeniedError = class extends RBACError {
+  constructor(permission, context) {
+    super(
+      `Permission denied: ${permission}`,
+      "PERMISSION_DENIED",
+      { permission, ...context }
+    );
+    this.name = "PermissionDeniedError";
+  }
+};
+var OrganisationContextRequiredError = class extends RBACError {
+  constructor() {
+    super(
+      "Organisation context is required for this operation",
+      "ORGANISATION_CONTEXT_REQUIRED"
+    );
+    this.name = "OrganisationContextRequiredError";
+  }
+};
+var EventContextRequiredError = class extends RBACError {
+  constructor() {
+    super(
+      "Event context is required for this operation",
+      "EVENT_CONTEXT_REQUIRED"
+    );
+    this.name = "EventContextRequiredError";
+  }
+};
+var RBACNotInitializedError = class extends RBACError {
+  constructor() {
+    super(
+      "RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup",
+      "RBAC_NOT_INITIALIZED"
+    );
+    this.name = "RBACNotInitializedError";
+  }
+};
+var InvalidScopeError = class extends RBACError {
+  constructor(scope, reason) {
+    super(
+      `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,
+      "INVALID_SCOPE",
+      { scope, reason }
+    );
+    this.name = "InvalidScopeError";
+  }
+};
+var MissingUserContextError = class extends RBACError {
+  constructor() {
+    super(
+      "User context is required but not available. Make sure to wrap your app with an auth provider.",
+      "MISSING_USER_CONTEXT"
+    );
+    this.name = "MissingUserContextError";
+  }
+};
 
 // src/rbac/cache.ts
 var RBACCache = class {
@@ -512,7 +563,6 @@ var RBACCacheInvalidationManager = class {
 var globalCacheInvalidationManager = null;
 function initializeCacheInvalidation(supabase) {
   if (globalCacheInvalidationManager) {
-    log.debug("Cleaning up existing cache invalidation manager before creating new one");
     globalCacheInvalidationManager.cleanup();
   }
   globalCacheInvalidationManager = new RBACCacheInvalidationManager(supabase);
@@ -554,8 +604,6 @@ function categorizeError(error) {
         return "validation_error" /* VALIDATION */;
       case "MISSING_USER_CONTEXT":
         return "authentication_error" /* AUTHENTICATION */;
-      default:
-        break;
     }
   }
   if (error && typeof error === "object") {
@@ -1141,27 +1189,27 @@ var RBACEngine = class {
         });
         return false;
       }
-      const hasPermission2 = data === true;
-      rbacCache.set(cacheKey, hasPermission2, 6e4);
+      const hasPermission = data === true;
+      rbacCache.set(cacheKey, hasPermission, 6e4);
       const duration = Date.now() - startTime;
       if (scope.organisationId) {
         const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
         await emitAuditEvent({
-          type: hasPermission2 ? "permission_check" : "permission_denied",
+          type: hasPermission ? "permission_check" : "permission_denied",
           userId,
           organisationId: scope.organisationId,
           eventId: scope.eventId,
           appId: scope.appId,
           pageId: resolvedPageId,
           permission,
-          decision: hasPermission2,
+          decision: hasPermission,
           source: "api",
           duration_ms: duration,
           cache_hit: cacheHit,
           cache_source: cacheSource
         });
       }
-      return hasPermission2;
+      return hasPermission;
     } catch (error) {
       const category = categorizeError(error);
       const eventType = mapErrorCategoryToSecurityEventType(category);
@@ -1280,7 +1328,7 @@ var RBACEngine = class {
         for (const page of pages) {
           for (const operation of ["read", "create", "update", "delete"]) {
             const permissionString = `${operation}:page.${page.page_name}`;
-            const hasPermission2 = await this.isPermitted(
+            const hasPermission = await this.isPermitted(
               {
                 userId,
                 scope,
@@ -1290,7 +1338,7 @@ var RBACEngine = class {
               securityContext
             );
             const permissionKey = permissionString;
-            permissionMap[permissionKey] = hasPermission2;
+            permissionMap[permissionKey] = hasPermission;
           }
         }
       }
@@ -1607,11 +1655,194 @@ function getInFlightRequestCount() {
   return inFlightRequests.size;
 }
 
+// src/rbac/utils/eventContext.ts
+var orgDerivationCache = /* @__PURE__ */ new Map();
+var MAX_CACHE_SIZE = 100;
+async function getOrganisationFromEvent(supabase, eventId) {
+  if (orgDerivationCache.has(eventId)) {
+    return orgDerivationCache.get(eventId) ?? null;
+  }
+  const { data, error } = await supabase.from("core_events").select("organisation_id").eq("event_id", eventId).single();
+  let organisationId = null;
+  if (error || !data) {
+    organisationId = null;
+  } else if (data.organisation_id) {
+    organisationId = data.organisation_id;
+  } else {
+    organisationId = null;
+  }
+  if (orgDerivationCache.size >= MAX_CACHE_SIZE) {
+    const firstKey = orgDerivationCache.keys().next().value;
+    if (firstKey) {
+      orgDerivationCache.delete(firstKey);
+    }
+  }
+  orgDerivationCache.set(eventId, organisationId);
+  return organisationId;
+}
+
+// src/rbac/utils/contextValidator.ts
+var log3 = createLogger("ContextValidator");
+function allowsOptionalContexts(appName) {
+  return appName === "PORTAL" || appName === "ADMIN";
+}
+var ContextValidator = class {
+  /**
+   * Derive organisation ID from event ID
+   * 
+   * @param supabase - Supabase client
+   * @param eventId - Event ID
+   * @returns Organisation ID or null
+   */
+  static async deriveOrgFromEvent(supabase, eventId) {
+    return getOrganisationFromEvent(supabase, eventId);
+  }
+  /**
+   * Resolve scope based on page-level scope_type
+   * 
+   * This method handles page-level scoping. All pages have explicit scope_type set.
+   * Used for hybrid apps that have both event and organisation pages.
+   * 
+   * @param scope - Current scope
+   * @param pageScopeType - Page scope type ('event', 'organisation', or 'both')
+   * @param appName - App name (for PORTAL/ADMIN special case)
+   * @param supabase - Supabase client (for deriving org from event, only if not already provided)
+   * @param immediateOrganisationId - Optional immediate organisation ID (from selectedEvent.organisation_id) - avoids querying
+   * @returns Resolved scope with all required context
+   */
+  static async resolveScopeForPage(scope, pageScopeType, appName, supabase, immediateOrganisationId) {
+    const effectiveScopeType = pageScopeType;
+    if (effectiveScopeType === "both") {
+      if (!scope.organisationId && !scope.eventId) {
+        if (allowsOptionalContexts(appName)) {
+          return {
+            isValid: true,
+            resolvedScope: {
+              organisationId: void 0,
+              eventId: void 0,
+              appId: scope.appId
+            },
+            error: null
+          };
+        }
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new Error("Page requires either organisation or event context")
+        };
+      }
+      let organisationId = scope.organisationId || immediateOrganisationId || void 0;
+      if (!organisationId && scope.eventId && supabase) {
+        try {
+          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
+          organisationId = derivedOrgId || void 0;
+        } catch (error) {
+          log3.warn("Failed to derive org from event for both-scope page:", error);
+        }
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    if (effectiveScopeType === "event") {
+      if (!scope.eventId) {
+        if (allowsOptionalContexts(appName)) {
+          return {
+            isValid: true,
+            resolvedScope: {
+              organisationId: scope.organisationId,
+              eventId: void 0,
+              appId: scope.appId
+            },
+            error: null
+          };
+        }
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new EventContextRequiredError()
+        };
+      }
+      let organisationId = scope.organisationId || immediateOrganisationId || void 0;
+      if (!organisationId && supabase && scope.eventId) {
+        try {
+          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
+          organisationId = derivedOrgId || void 0;
+          if (!organisationId) {
+            return {
+              isValid: false,
+              resolvedScope: null,
+              error: new Error("Could not resolve organisation from event context")
+            };
+          }
+        } catch (error) {
+          log3.error("Failed to derive org from event:", error);
+          return {
+            isValid: false,
+            resolvedScope: null,
+            error: error instanceof Error ? error : new Error("Failed to derive organisation from event")
+          };
+        }
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    if (effectiveScopeType === "organisation") {
+      if (!scope.organisationId) {
+        if (allowsOptionalContexts(appName)) {
+          return {
+            isValid: true,
+            resolvedScope: {
+              organisationId: void 0,
+              eventId: scope.eventId,
+              appId: scope.appId
+            },
+            error: null
+          };
+        }
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new OrganisationContextRequiredError()
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId: scope.organisationId,
+          eventId: scope.eventId,
+          // Event is optional for org-scoped pages
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    return {
+      isValid: false,
+      resolvedScope: null,
+      error: new Error("Invalid scope type")
+    };
+  }
+};
+
 // src/rbac/api.ts
-var log3 = createLogger("RBACAPI");
+var log4 = createLogger("RBACAPI");
 var globalEngine = null;
 function setupRBAC(supabase, config) {
-  const logger = getRBACLogger();
+  getRBACLogger();
   const isDevelopment = import.meta.env.MODE === "development";
   const fullConfig = {
     supabase,
@@ -1753,7 +1984,7 @@ async function isPermitted(input, appName, precomputedSuperAdmin = null) {
       }
       pageScopeType = scopeType;
     } catch (err) {
-      log3.error("Failed to get page scope type:", err);
+      log4.error("Failed to get page scope type:", err);
       throw new Error(`Failed to determine page scope type: ${err instanceof Error ? err.message : String(err)}`);
     }
   } else {
@@ -1840,17 +2071,14 @@ async function isPermittedCached(input, appName) {
     return result;
   });
 }
-async function hasPermission(input) {
-  return isPermitted(input);
-}
 async function hasAnyPermission(input) {
   const { permissions, ...baseInput } = input;
   for (const permission of permissions) {
-    const hasPermission2 = await isPermitted({
+    const hasPermission = await isPermitted({
       ...baseInput,
       permission
     });
-    if (hasPermission2) {
+    if (hasPermission) {
       return true;
     }
   }
@@ -1859,11 +2087,11 @@ async function hasAnyPermission(input) {
 async function hasAllPermissions(input) {
   const { permissions, ...baseInput } = input;
   for (const permission of permissions) {
-    const hasPermission2 = await isPermitted({
+    const hasPermission = await isPermitted({
       ...baseInput,
       permission
     });
-    if (!hasPermission2) {
+    if (!hasPermission) {
       return false;
     }
   }
@@ -1893,19 +2121,17 @@ async function getPageScopeType(pageId, appId, appName) {
     if (!uuidRegex.test(resolvedPageId)) {
       throw new Error(`Could not resolve pageId ${pageId} to a valid UUID`);
     }
-    const { data, error } = await engine["supabase"].rpc("get_page_scope_type", {
-      p_page_id: resolvedPageId
-    });
+    const { data: pageData, error } = await engine["supabase"].from("rbac_app_pages").select("scope_type").eq("id", resolvedPageId).single();
     if (error) {
-      log3.error("Error fetching page scope type:", { pageId, appId, error });
+      log4.error("Error fetching page scope type:", { pageId, appId, error });
       throw new Error(`Failed to get page scope type: ${error.message}`);
     }
-    if (!data) {
+    if (!pageData || !pageData.scope_type) {
       throw new Error(`Page ${resolvedPageId} does not have scope_type set`);
     }
-    return data;
+    return pageData.scope_type;
   } catch (err) {
-    log3.error("Error fetching page scope type:", err);
+    log4.error("Error fetching page scope type:", err);
     throw err instanceof Error ? err : new Error(`Failed to get page scope type: ${String(err)}`);
   }
 }
@@ -1948,46 +2174,4 @@ function clearCache() {
   rbacCache.clear();
 }
 
-export {
-  RBACCache,
-  rbacCache,
-  CACHE_PATTERNS,
-  createRBACConfig,
-  getRBACConfig,
-  getRBACLogger,
-  isDebugMode,
-  isDevelopmentMode,
-  RBACEngine,
-  createRBACEngine,
-  enablePerformanceMonitoring,
-  disablePerformanceMonitoring,
-  isPerformanceMonitoringEnabled,
-  recordPermissionCheck,
-  recordAuditEvent,
-  getPerformanceMetrics,
-  resetPerformanceMetrics,
-  getPerformanceSummary,
-  clearInFlightRequests,
-  getInFlightRequestCount,
-  setupRBAC,
-  isRBACInitialized,
-  getAccessLevel,
-  getPermissionMap,
-  resolveAppContext,
-  getRoleContext,
-  isPermitted,
-  isPermittedCached,
-  hasPermission,
-  hasAnyPermission,
-  hasAllPermissions,
-  isSuperAdmin,
-  getPageScopeType,
-  isOrganisationAdmin,
-  isEventAdmin,
-  invalidateUserCache,
-  invalidateOrganisationCache,
-  invalidateEventCache,
-  invalidateAppCache,
-  clearCache
-};
-//# sourceMappingURL=chunk-3LPHPB62.js.map
+export { CACHE_PATTERNS, ContextValidator, EventContextRequiredError, OrganisationContextRequiredError, RBACCache, RBACEngine, RBACNotInitializedError, clearCache, clearInFlightRequests, createRBACConfig, createRBACEngine, disablePerformanceMonitoring, enablePerformanceMonitoring, getAccessLevel, getInFlightRequestCount, getPageScopeType, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getRBACConfig, getRBACLogger, getRoleContext, hasAllPermissions, hasAnyPermission, invalidateAppCache, invalidateEventCache, invalidateOrganisationCache, invalidateUserCache, isDebugMode, isDevelopmentMode, isEventAdmin, isOrganisationAdmin, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isSuperAdmin, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setupRBAC };