@jmruthers/pace-core 0.6.4 → 0.6.6

package/dist/{chunk-NN6WWZ5U.js → chunk-7TYHROIV.js}

@@ -1,33 +1,130 @@
-import {
-  useAppConfig,
-  useEvents,
-  useOrganisationSecurity
-} from "./chunk-OEWDTMG7.js";
-import {
-  useOrganisations,
-  useUnifiedAuth
-} from "./chunk-AVMLPIM7.js";
-import {
-  getAccessLevel,
-  getPageScopeType,
-  getPermissionMap,
-  getRBACLogger,
-  getRoleContext,
-  isPermitted,
-  isPermittedCached,
-  resolveAppContext
-} from "./chunk-3LPHPB62.js";
-import {
-  ContextValidator,
-  OrganisationContextRequiredError
-} from "./chunk-36LVWXB2.js";
-import {
-  getCurrentAppName
-} from "./chunk-M7MPQISP.js";
-import {
-  createLogger,
-  logger
-} from "./chunk-PWLANIRT.js";
+import { useAppConfig, useOrganisationSecurity } from './chunk-3O3WHILE.js';
+import { useEventService, useUnifiedAuth, useOrganisations } from './chunk-FTCRZOG2.js';
+import { OrganisationContextRequiredError, getRBACLogger, resolveAppContext, getPageScopeType, ContextValidator, getPermissionMap, getRoleContext, getAccessLevel, isPermittedCached, isPermitted, isSuperAdmin } from './chunk-ZFYPMX46.js';
+import { cn, getCurrentAppName } from './chunk-A55DK444.js';
+import { createLogger, logger } from './chunk-TTRFSOKR.js';
+import * as React from 'react';
+import { useRef, useMemo, useState, useCallback, useEffect } from 'react';
+import * as TooltipPrimitive from '@radix-ui/react-tooltip';
+import { jsx, jsxs } from 'react/jsx-runtime';
+import { Slot } from '@radix-ui/react-slot';
+import { createClient } from '@supabase/supabase-js';
+
+function useEvents() {
+  const eventService = useEventService();
+  const rawEvents = eventService.getEvents();
+  const selectedEvent = eventService.getSelectedEvent();
+  const isLoading = eventService.isLoading();
+  const error = eventService.getError();
+  const prevEventsRef = useRef([]);
+  const prevEventsIdsRef = useRef("");
+  const currentEventsIds = rawEvents.map((e) => e.event_id || e.id).join(",");
+  const eventsChanged = currentEventsIds !== prevEventsIdsRef.current;
+  if (eventsChanged) {
+    prevEventsRef.current = rawEvents;
+    prevEventsIdsRef.current = currentEventsIds;
+  }
+  const events = useMemo(() => {
+    return prevEventsRef.current;
+  }, [currentEventsIds]);
+  const setSelectedEventCallback = useMemo(
+    () => (event) => eventService.setSelectedEvent(event),
+    [eventService]
+  );
+  const refreshEventsCallback = useMemo(
+    () => () => eventService.refreshEvents(),
+    [eventService]
+  );
+  const clearEventSelectionCallback = useMemo(
+    () => () => eventService.clearEventSelection(),
+    [eventService]
+  );
+  return useMemo(() => ({
+    events,
+    selectedEvent,
+    isLoading,
+    error,
+    setSelectedEvent: setSelectedEventCallback,
+    refreshEvents: refreshEventsCallback,
+    clearEventSelection: clearEventSelectionCallback
+  }), [events, selectedEvent?.event_id, isLoading, error?.message, setSelectedEventCallback, refreshEventsCallback, clearEventSelectionCallback]);
+}
+var TooltipProvider = TooltipPrimitive.Provider;
+var TooltipRoot = TooltipPrimitive.Root;
+var TooltipTrigger = TooltipPrimitive.Trigger;
+var TooltipContent = React.forwardRef(({ className, sideOffset = 4, ...props }, ref) => /* @__PURE__ */ jsx(
+  TooltipPrimitive.Content,
+  {
+    ref,
+    sideOffset,
+    className: cn(
+      "z-50 overflow-hidden rounded-md border bg-main-500 px-3 py-1.5 text-sm text-main-50 shadow-md animate-in fade-in-0 zoom-in-95 data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=closed]:zoom-out-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2",
+      className
+    ),
+    ...props
+  }
+));
+TooltipContent.displayName = TooltipPrimitive.Content.displayName;
+var Tooltip = React.forwardRef(({ children, content, delayDuration = 200 }, ref) => /* @__PURE__ */ jsx(TooltipProvider, { children: /* @__PURE__ */ jsxs(TooltipRoot, { delayDuration, children: [
+  /* @__PURE__ */ jsx(TooltipTrigger, { ref, asChild: true, children: /* @__PURE__ */ jsx("span", { children }) }),
+  /* @__PURE__ */ jsx(TooltipContent, { children: content })
+] }) }));
+Tooltip.displayName = "Tooltip";
+function getButtonClasses(variant = "default", size = "default") {
+  const baseClasses = "inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:pointer-events-none disabled:opacity-50";
+  const variantClasses = {
+    default: "bg-main-600 text-main-50 shadow hover:bg-acc-400",
+    destructive: "bg-acc-600 text-acc-50 shadow-sm hover:bg-acc-400",
+    outline: "border border-main-300 bg-background shadow-sm hover:bg-acc-400",
+    secondary: "bg-sec-100 text-sec-900 shadow-sm hover:bg-acc-400",
+    ghost: "hover:bg-acc-400",
+    link: "text-main-700 underline-offset-4 hover:underline hover:drop-shadow-lg hover:drop-shadow-acc-400"
+  };
+  const sizeClasses = {
+    default: "h-9 px-4 py-2",
+    sm: "h-8 rounded-md px-3 text-xs",
+    lg: "h-10 rounded-md px-8",
+    icon: "size-8"
+  };
+  return `${baseClasses} ${variantClasses[variant]} ${sizeClasses[size]}`;
+}
+var Button = React.forwardRef(
+  ({ className, variant, size, asChild = false, type = "button", disabled, ...props }, ref) => {
+    const Comp = asChild ? Slot : "button";
+    return /* @__PURE__ */ jsx(
+      Comp,
+      {
+        className: cn(getButtonClasses(variant, size), className),
+        ref,
+        type: !asChild ? type : void 0,
+        disabled,
+        "aria-disabled": disabled ? "true" : void 0,
+        ...props
+      }
+    );
+  }
+);
+Button.displayName = "Button";
+var IconButton = React.forwardRef(
+  ({ icon, className, size = "icon", "aria-label": ariaLabel, tooltip, ...props }, ref) => {
+    const button = /* @__PURE__ */ jsx(
+      Button,
+      {
+        ref,
+        size,
+        className: cn("shrink-0", className),
+        "aria-label": ariaLabel,
+        ...props,
+        children: icon
+      }
+    );
+    if (tooltip) {
+      return /* @__PURE__ */ jsx(Tooltip, { content: tooltip, children: button });
+    }
+    return button;
+  }
+);
+IconButton.displayName = "IconButton";
 
 // src/rbac/utils/clientSecurity.ts
 var SECURE_CLIENT_SYMBOL = Symbol("pace-core-secure-client");
@@ -61,11 +158,8 @@ See: https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/rbac/ge
 function markClientAsSecure(client) {
   client[SECURE_CLIENT_SYMBOL] = true;
 }
-
-// src/rbac/secureClient.ts
-import { createClient } from "@supabase/supabase-js";
 var _SecureSupabaseClient = class _SecureSupabaseClient {
-  constructor(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin = false, existingClient) {
+  constructor(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin2 = false, existingClient) {
     this.edgeFunctionClient = null;
     this.usesExistingClient = false;
     this.supabaseUrl = supabaseUrl;
@@ -73,7 +167,7 @@ var _SecureSupabaseClient = class _SecureSupabaseClient {
     this.organisationId = organisationId;
     this.eventId = eventId;
     this.appId = appId;
-    this.isSuperAdmin = isSuperAdmin;
+    this.isSuperAdmin = isSuperAdmin2;
     if (existingClient) {
       this.supabase = existingClient;
       this.usesExistingClient = true;
@@ -422,200 +516,12 @@ _SecureSupabaseClient.GLOBAL_RPC_ALLOWLIST = /* @__PURE__ */ new Set([
   "data_rbac_apps_list"
 ]);
 var SecureSupabaseClient = _SecureSupabaseClient;
-function createSecureClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin = false) {
-  return new SecureSupabaseClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin);
+function createSecureClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin2 = false) {
+  return new SecureSupabaseClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin2);
 }
-function fromSupabaseClient(client, organisationId, eventId, appId, isSuperAdmin = false) {
-  return new SecureSupabaseClient("", "", organisationId, eventId, appId, isSuperAdmin, client);
+function fromSupabaseClient(client, organisationId, eventId, appId, isSuperAdmin2 = false) {
+  return new SecureSupabaseClient("", "", organisationId, eventId, appId, isSuperAdmin2, client);
 }
-
-// src/rbac/hooks/useResolvedScope.ts
-import { useEffect, useState, useRef, useMemo } from "react";
-var log = createLogger("useResolvedScope");
-var appIdCache = /* @__PURE__ */ new Map();
-var CACHE_TTL = 5 * 60 * 1e3;
-function useResolvedScope({
-  supabase,
-  selectedOrganisationId,
-  selectedEventId
-}) {
-  const [resolvedScope, setResolvedScope] = useState(null);
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const stableScopeRef = useRef({
-    organisationId: "",
-    appId: "",
-    eventId: void 0
-  });
-  useEffect(() => {
-    if (resolvedScope) {
-      const newScope = {
-        organisationId: resolvedScope.organisationId || "",
-        appId: resolvedScope.appId || "",
-        eventId: resolvedScope.eventId
-      };
-      if (stableScopeRef.current.organisationId !== newScope.organisationId || stableScopeRef.current.eventId !== newScope.eventId || stableScopeRef.current.appId !== newScope.appId) {
-        stableScopeRef.current = {
-          organisationId: newScope.organisationId,
-          appId: newScope.appId,
-          eventId: newScope.eventId
-        };
-      }
-    } else {
-      stableScopeRef.current = { organisationId: "", appId: "", eventId: void 0 };
-    }
-  }, [resolvedScope]);
-  const appName = getCurrentAppName();
-  const stableScope = stableScopeRef.current;
-  useEffect(() => {
-    let cancelled = false;
-    const resolveScope = async () => {
-      if (!supabase && !selectedOrganisationId && !selectedEventId) {
-        if (!cancelled) {
-          setResolvedScope(null);
-          setIsLoading(false);
-          setError(null);
-        }
-        return;
-      }
-      setIsLoading(true);
-      setError(null);
-      try {
-        const appName2 = getCurrentAppName();
-        let appId = void 0;
-        if (supabase && appName2) {
-          try {
-            const { data: session } = await supabase.auth.getSession();
-            if (!session?.session) {
-              log.debug(`Skipping app resolution for "${appName2}" - user not authenticated`);
-            } else {
-              const cached = appIdCache.get(appName2);
-              const now = Date.now();
-              if (cached && now - cached.timestamp < CACHE_TTL) {
-                appId = cached.appId;
-              } else {
-                const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName2).eq("is_active", true).single();
-                if (error2) {
-                  if (error2.code === "406" || error2.code === "PGRST116" || error2.message?.includes("406")) {
-                    log.debug(`App resolution blocked by RLS for "${appName2}" - user may not be authenticated`);
-                    appId = void 0;
-                  } else {
-                    const { data: inactiveApp } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName2).single();
-                    if (inactiveApp) {
-                      log.error(`App "${appName2}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
-                      appId = void 0;
-                    } else {
-                      log.error(`App "${appName2}" not found in rbac_apps table`, { error: error2 });
-                      appId = void 0;
-                    }
-                  }
-                } else if (app) {
-                  appId = app.id;
-                  appIdCache.set(appName2, { appId, timestamp: now });
-                }
-              }
-            }
-          } catch (error2) {
-            const errorMessage = error2 instanceof Error ? error2.message : String(error2);
-            if (!errorMessage.includes("406") && !errorMessage.includes("PGRST116")) {
-              log.error("Unexpected error resolving app ID:", error2);
-            } else {
-              log.debug("App resolution skipped - authentication required");
-            }
-          }
-        }
-        const initialScope = {
-          organisationId: selectedOrganisationId || void 0,
-          eventId: selectedEventId || void 0,
-          appId
-        };
-        if (appName2 === "PORTAL" || appName2 === "ADMIN") {
-          if (!cancelled) {
-            const optionalContextScope = {
-              organisationId: void 0,
-              eventId: void 0,
-              appId: appId || void 0
-            };
-            setResolvedScope(optionalContextScope);
-            setError(null);
-            setIsLoading(false);
-          }
-          return;
-        }
-        const { ContextValidator: ContextValidator2 } = await import("./contextValidator-OOPCLPZW.js");
-        const validation = await ContextValidator2.resolveScopeForPage(
-          initialScope,
-          "organisation",
-          // Default to organisation scope when no page context
-          appName2 || void 0,
-          supabase
-        );
-        if (!validation.isValid) {
-          if (selectedEventId) {
-            if (!cancelled) {
-              const eventScope = {
-                organisationId: void 0,
-                // Will be derived from event during permission check
-                eventId: selectedEventId,
-                appId: appId || void 0
-              };
-              setResolvedScope(eventScope);
-              setError(null);
-              setIsLoading(false);
-            }
-            return;
-          }
-          if (!cancelled) {
-            setResolvedScope(null);
-            setError(validation.error || new Error("Context validation failed"));
-            setIsLoading(false);
-          }
-          return;
-        }
-        if (!cancelled) {
-          setResolvedScope(validation.resolvedScope);
-          setError(null);
-          setIsLoading(false);
-        }
-      } catch (err) {
-        if (!cancelled) {
-          setError(err);
-          setIsLoading(false);
-        }
-      }
-    };
-    resolveScope();
-    return () => {
-      cancelled = true;
-    };
-  }, [selectedOrganisationId, selectedEventId, supabase]);
-  const allowsOptionalContexts = appName === "PORTAL" || appName === "ADMIN";
-  const hasValidScope = allowsOptionalContexts ? true : stableScope.appId || stableScope.organisationId;
-  const finalScope = useMemo(() => {
-    if (!hasValidScope) {
-      return allowsOptionalContexts ? {} : null;
-    }
-    const scope = {};
-    if (stableScope.organisationId) {
-      scope.organisationId = stableScope.organisationId;
-    }
-    if (stableScope.eventId) {
-      scope.eventId = stableScope.eventId;
-    }
-    if (stableScope.appId) {
-      scope.appId = stableScope.appId;
-    }
-    return scope;
-  }, [hasValidScope, allowsOptionalContexts, stableScope.organisationId, stableScope.eventId, stableScope.appId]);
-  return {
-    resolvedScope: finalScope,
-    isLoading,
-    error
-  };
-}
-
-// src/rbac/hooks/useRBAC.ts
-import { useState as useState2, useEffect as useEffect2, useCallback, useMemo as useMemo2 } from "react";
 function mapAccessLevelToEventRole(level) {
   switch (level) {
     case "viewer":
@@ -645,13 +551,13 @@ function useRBAC(pageId) {
     selectedEvent,
     eventLoading
   } = useUnifiedAuth();
-  const [globalRole, setGlobalRole] = useState2(null);
-  const [organisationRole, setOrganisationRole] = useState2(null);
-  const [eventAppRole, setEventAppRole] = useState2(null);
-  const [permissionMap, setPermissionMap] = useState2({});
-  const [currentScope, setCurrentScope] = useState2(null);
-  const [isLoading, setIsLoading] = useState2(false);
-  const [error, setError] = useState2(null);
+  const [globalRole, setGlobalRole] = useState(null);
+  const [organisationRole, setOrganisationRole] = useState(null);
+  const [eventAppRole, setEventAppRole] = useState(null);
+  const [permissionMap, setPermissionMap] = useState({});
+  const [currentScope, setCurrentScope] = useState(null);
+  const [isLoading, setIsLoading] = useState(false);
+  const [error, setError] = useState(null);
   const resetState = useCallback(() => {
     setGlobalRole(null);
     setOrganisationRole(null);
@@ -737,9 +643,9 @@ function useRBAC(pageId) {
       const resolvedScope = validation.resolvedScope;
       setCurrentScope(resolvedScope);
       const [map, roleContext, accessLevel] = await Promise.all([
-        getPermissionMap({ userId: user.id, scope: resolvedScope }),
-        getRoleContext({ userId: user.id, scope: resolvedScope }),
-        getAccessLevel({ userId: user.id, scope: resolvedScope })
+        getPermissionMap({ userId: user.id, scope: resolvedScope }, appName),
+        getRoleContext({ userId: user.id, scope: resolvedScope }, appName),
+        getAccessLevel({ userId: user.id, scope: resolvedScope }, appName)
       ]);
       setPermissionMap(map);
       setGlobalRole(roleContext.globalRole);
@@ -777,12 +683,12 @@ function useRBAC(pageId) {
     },
     [globalRole, organisationRole, permissionMap]
   );
-  const isSuperAdmin = useMemo2(() => globalRole === "super_admin" || permissionMap["*"] === true, [globalRole, permissionMap]);
-  const isOrgAdmin = useMemo2(() => organisationRole === "org_admin" || isSuperAdmin, [organisationRole, isSuperAdmin]);
-  const isEventAdmin = useMemo2(() => eventAppRole === "event_admin" || isSuperAdmin, [eventAppRole, isSuperAdmin]);
-  const canManageOrganisation = useMemo2(() => isSuperAdmin || organisationRole === "org_admin", [isSuperAdmin, organisationRole]);
-  const canManageEvent = useMemo2(() => isSuperAdmin || eventAppRole === "event_admin", [isSuperAdmin, eventAppRole]);
-  useEffect2(() => {
+  const isSuperAdmin2 = useMemo(() => globalRole === "super_admin" || permissionMap["*"] === true, [globalRole, permissionMap]);
+  const isOrgAdmin = useMemo(() => organisationRole === "org_admin" || isSuperAdmin2, [organisationRole, isSuperAdmin2]);
+  const isEventAdmin = useMemo(() => eventAppRole === "event_admin" || isSuperAdmin2, [eventAppRole, isSuperAdmin2]);
+  const canManageOrganisation = useMemo(() => isSuperAdmin2 || organisationRole === "org_admin", [isSuperAdmin2, organisationRole]);
+  const canManageEvent = useMemo(() => isSuperAdmin2 || eventAppRole === "event_admin", [isSuperAdmin2, eventAppRole]);
+  useEffect(() => {
     loadRBACContext();
   }, [loadRBACContext, appName, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
   return {
@@ -791,7 +697,7 @@ function useRBAC(pageId) {
     organisationRole,
     eventAppRole,
     hasGlobalPermission,
-    isSuperAdmin,
+    isSuperAdmin: isSuperAdmin2,
     isOrgAdmin,
     isEventAdmin,
     canManageOrganisation,
@@ -800,20 +706,131 @@ function useRBAC(pageId) {
     error
   };
 }
-
-// src/rbac/hooks/permissions/useAccessLevel.ts
-import { useCallback as useCallback2, useEffect as useEffect3, useMemo as useMemo3, useState as useState3 } from "react";
+var log = createLogger("useResolvedScope");
+var appIdCache = /* @__PURE__ */ new Map();
+var CACHE_TTL = 5 * 60 * 1e3;
+function useResolvedScope({
+  supabase,
+  selectedOrganisationId,
+  selectedEventId,
+  selectedEventOrganisationId
+}) {
+  const immediateOrganisationId = selectedEventOrganisationId || selectedOrganisationId || void 0;
+  const immediateEventId = selectedEventId || void 0;
+  const [appId, setAppId] = useState(void 0);
+  const [isResolvingAppId, setIsResolvingAppId] = useState(false);
+  const [error, setError] = useState(null);
+  const appName = getCurrentAppName();
+  useEffect(() => {
+    let cancelled = false;
+    const resolveAppId = async () => {
+      if (!supabase && !selectedOrganisationId && !selectedEventId) {
+        if (!cancelled) {
+          setAppId(void 0);
+          setIsResolvingAppId(false);
+          setError(null);
+        }
+        return;
+      }
+      setIsResolvingAppId(true);
+      setError(null);
+      try {
+        const appName2 = getCurrentAppName();
+        let resolvedAppId = void 0;
+        if (supabase && appName2) {
+          try {
+            const { data: session } = await supabase.auth.getSession();
+            if (!session?.session) {
+              log.debug(`Skipping app resolution for "${appName2}" - user not authenticated`);
+            } else {
+              const cached = appIdCache.get(appName2);
+              const now = Date.now();
+              if (cached && now - cached.timestamp < CACHE_TTL) {
+                resolvedAppId = cached.appId;
+              } else {
+                const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName2).eq("is_active", true).single();
+                if (error2) {
+                  if (error2.code === "406" || error2.code === "PGRST116" || error2.message?.includes("406")) {
+                    log.debug(`App resolution blocked by RLS for "${appName2}" - user may not be authenticated`);
+                    resolvedAppId = void 0;
+                  } else {
+                    const { data: inactiveApp } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName2).single();
+                    if (inactiveApp) {
+                      log.error(`App "${appName2}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
+                      resolvedAppId = void 0;
+                    } else {
+                      log.error(`App "${appName2}" not found in rbac_apps table`, { error: error2 });
+                      resolvedAppId = void 0;
+                    }
+                  }
+                } else if (app) {
+                  resolvedAppId = app.id;
+                  appIdCache.set(appName2, { appId: resolvedAppId, timestamp: now });
+                }
+              }
+            }
+          } catch (error2) {
+            const errorMessage = error2 instanceof Error ? error2.message : String(error2);
+            if (!errorMessage.includes("406") && !errorMessage.includes("PGRST116")) {
+              log.error("Unexpected error resolving app ID:", error2);
+            } else {
+              log.debug("App resolution skipped - authentication required");
+            }
+          }
+        }
+        if (!cancelled) {
+          setAppId(resolvedAppId);
+          setIsResolvingAppId(false);
+          setError(null);
+        }
+      } catch (err) {
+        if (!cancelled) {
+          setError(err);
+          setIsResolvingAppId(false);
+        }
+      }
+    };
+    resolveAppId();
+    return () => {
+      cancelled = true;
+    };
+  }, [supabase, selectedOrganisationId, selectedEventId]);
+  const immediateScope = useMemo(() => {
+    if (appName === "PORTAL" || appName === "ADMIN") {
+      return {
+        organisationId: void 0,
+        eventId: void 0,
+        appId: appId || void 0
+      };
+    }
+    const scope = {};
+    if (immediateOrganisationId) {
+      scope.organisationId = immediateOrganisationId;
+    }
+    if (immediateEventId) {
+      scope.eventId = immediateEventId;
+    }
+    if (appId) {
+      scope.appId = appId;
+    }
+    if (!scope.organisationId && !scope.appId) {
+      return null;
+    }
+    return scope;
+  }, [immediateOrganisationId, immediateEventId, appId, appName]);
+  return {
+    resolvedScope: immediateScope,
+    isLoading: isResolvingAppId,
+    // Only true while appId resolves
+    error
+  };
+}
 function useAccessLevel(userId, scope) {
-  const [accessLevel, setAccessLevel] = useState3("viewer");
-  const [isLoading, setIsLoading] = useState3(true);
-  const [error, setError] = useState3(null);
-  let appName;
-  try {
-    const { appName: contextAppName } = useAppConfig();
-    appName = contextAppName;
-  } catch {
-  }
-  const fetchAccessLevel = useCallback2(async () => {
+  const [accessLevel, setAccessLevel] = useState("viewer");
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const { appName } = useAppConfig();
+  const fetchAccessLevel = useCallback(async () => {
     if (!userId) {
       setAccessLevel("viewer");
       setIsLoading(false);
@@ -822,7 +839,7 @@ function useAccessLevel(userId, scope) {
     try {
       setIsLoading(true);
       setError(null);
-      const { isSuperAdmin: checkSuperAdmin } = await import("./api-6LVZTHDS.js");
+      const { isSuperAdmin: checkSuperAdmin } = await import('./api-Y4MQWOFW.js');
       const isSuperAdminUser = await checkSuperAdmin(userId);
       if (isSuperAdminUser) {
         setAccessLevel("super");
@@ -846,10 +863,10 @@ function useAccessLevel(userId, scope) {
       setIsLoading(false);
     }
   }, [userId, scope.organisationId, scope.eventId, scope.appId, appName]);
-  useEffect3(() => {
+  useEffect(() => {
     fetchAccessLevel();
   }, [fetchAccessLevel]);
-  return useMemo3(() => ({
+  return useMemo(() => ({
     accessLevel,
     isLoading,
     error,
@@ -857,47 +874,6 @@ function useAccessLevel(userId, scope) {
   }), [accessLevel, isLoading, error, fetchAccessLevel]);
 }
 
-// src/rbac/hooks/permissions/useCachedPermissions.ts
-import { useCallback as useCallback3, useEffect as useEffect4, useMemo as useMemo4, useState as useState4 } from "react";
-function useCachedPermissions(userId, scope) {
-  const [permissions, setPermissions] = useState4({});
-  const [isLoading, setIsLoading] = useState4(true);
-  const [error, setError] = useState4(null);
-  const fetchCachedPermissions = useCallback3(async () => {
-    if (!userId) {
-      setPermissions({});
-      setIsLoading(false);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      const permissionMap = await getPermissionMap({ userId, scope });
-      setPermissions(permissionMap);
-    } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to fetch cached permissions"));
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId]);
-  const invalidateCache = useCallback3(() => {
-    fetchCachedPermissions();
-  }, [fetchCachedPermissions]);
-  useEffect4(() => {
-    fetchCachedPermissions();
-  }, [fetchCachedPermissions]);
-  return useMemo4(() => ({
-    permissions,
-    isLoading,
-    error,
-    invalidateCache,
-    refetch: fetchCachedPermissions
-  }), [permissions, isLoading, error, invalidateCache, fetchCachedPermissions]);
-}
-
-// src/rbac/hooks/permissions/useCan.ts
-import { useCallback as useCallback4, useEffect as useEffect5, useMemo as useMemo5, useRef as useRef2, useState as useState5 } from "react";
-
 // src/rbac/utils/deep-equal.ts
 function scopeEqual(a, b) {
   if (a === b) {
@@ -911,27 +887,27 @@ function scopeEqual(a, b) {
 
 // src/rbac/hooks/permissions/useCan.ts
 function useCan(userId, scope, permission, pageId, useCache = true, precomputedSuperAdmin = null, appName) {
-  const [isSuperAdmin, setIsSuperAdmin] = useState5(precomputedSuperAdmin ?? null);
+  const [isSuperAdmin2, setIsSuperAdmin] = useState(precomputedSuperAdmin ?? null);
   const initialCan = precomputedSuperAdmin === true ? true : false;
   const initialIsLoading = precomputedSuperAdmin === true ? false : true;
-  const [can, setCan] = useState5(initialCan);
-  const [isLoading, setIsLoading] = useState5(initialIsLoading);
-  const [error, setError] = useState5(null);
+  const [can, setCan] = useState(initialCan);
+  const [isLoading, setIsLoading] = useState(initialIsLoading);
+  const [error, setError] = useState(null);
   const isValidScope = scope && typeof scope === "object";
   const organisationId = isValidScope ? scope.organisationId : void 0;
   const eventId = isValidScope ? scope.eventId : void 0;
   const appId = isValidScope ? scope.appId : void 0;
-  useEffect5(() => {
-    if (precomputedSuperAdmin === true && isSuperAdmin !== true) {
+  useEffect(() => {
+    if (precomputedSuperAdmin === true && isSuperAdmin2 !== true) {
       setIsSuperAdmin(true);
       setCan(true);
       setIsLoading(false);
       setError(null);
-    } else if (precomputedSuperAdmin === false && isSuperAdmin !== false) {
+    } else if (precomputedSuperAdmin === false && isSuperAdmin2 !== false) {
       setIsSuperAdmin(false);
     }
-  }, [precomputedSuperAdmin, isSuperAdmin]);
-  useEffect5(() => {
+  }, [precomputedSuperAdmin, isSuperAdmin2]);
+  useEffect(() => {
     if (precomputedSuperAdmin === null) {
       if (!userId) {
         setIsSuperAdmin(false);
@@ -941,7 +917,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
       const checkSuperAdmin = async () => {
         const startTime = Date.now();
         try {
-          const { isSuperAdmin: checkSuperAdmin2 } = await import("./api-6LVZTHDS.js");
+          const { isSuperAdmin: checkSuperAdmin2 } = await import('./api-Y4MQWOFW.js');
           const timeoutWarning = setTimeout(() => {
             if (!cancelled) {
               console.warn("[useCan] Super admin check taking longer than 5 seconds", {
@@ -985,10 +961,10 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
       };
     }
   }, [userId, precomputedSuperAdmin]);
-  useEffect5(() => {
+  useEffect(() => {
     const isPagePermission = permission.includes(":page.") || !!pageId;
     const requiresOrgId = !isPagePermission;
-    if (isSuperAdmin === true) {
+    if (isSuperAdmin2 === true) {
       return;
     }
     if (requiresOrgId && (!isValidScope || !organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
@@ -1002,14 +978,14 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
     if (error?.message === "Organisation context is required for permission checks") {
       setError(null);
     }
-  }, [isValidScope, organisationId, error, permission, pageId, isSuperAdmin]);
-  const lastUserIdRef = useRef2(null);
-  const lastScopeRef = useRef2(null);
-  const lastPermissionRef = useRef2(null);
-  const lastPageIdRef = useRef2(null);
-  const lastUseCacheRef = useRef2(null);
-  const lastIsSuperAdminRef = useRef2(null);
-  const stableScope = useMemo5(() => {
+  }, [isValidScope, organisationId, error, permission, pageId, isSuperAdmin2]);
+  const lastUserIdRef = useRef(null);
+  useRef(null);
+  const lastPermissionRef = useRef(null);
+  const lastPageIdRef = useRef(null);
+  const lastUseCacheRef = useRef(null);
+  const lastIsSuperAdminRef = useRef(null);
+  const stableScope = useMemo(() => {
     if (!isValidScope) {
       return null;
     }
@@ -1019,12 +995,12 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
       appId
     };
   }, [isValidScope, organisationId, eventId, appId]);
-  const prevScopeRef = useRef2(null);
-  useEffect5(() => {
+  const prevScopeRef = useRef(null);
+  useEffect(() => {
     const scopeChanged = !scopeEqual(prevScopeRef.current, stableScope);
-    const isSuperAdminChanged = lastIsSuperAdminRef.current !== isSuperAdmin;
+    const isSuperAdminChanged = lastIsSuperAdminRef.current !== isSuperAdmin2;
     if (lastUserIdRef.current !== userId || scopeChanged || lastPermissionRef.current !== permission || lastPageIdRef.current !== pageId || lastUseCacheRef.current !== useCache || isSuperAdminChanged) {
-      lastIsSuperAdminRef.current = isSuperAdmin;
+      lastIsSuperAdminRef.current = isSuperAdmin2;
       lastUserIdRef.current = userId;
       prevScopeRef.current = stableScope;
       lastPermissionRef.current = permission;
@@ -1036,13 +1012,13 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
           setIsLoading(false);
           return;
         }
-        if (isSuperAdmin === true) {
+        if (isSuperAdmin2 === true) {
           setCan(true);
           setIsLoading(false);
           setError(null);
           return;
         }
-        if (isSuperAdmin === null) {
+        if (isSuperAdmin2 === null) {
           setIsLoading(true);
           setCan(false);
           setError(null);
@@ -1078,7 +1054,7 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
             ...eventId ? { eventId } : {},
             ...appId ? { appId } : {}
           };
-          const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, appName, isSuperAdmin === false ? false : null);
+          const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, appName, isSuperAdmin2 === false ? false : null);
           setCan(result);
         } catch (err) {
           const logger2 = getRBACLogger();
@@ -1092,8 +1068,8 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
       };
       checkPermission();
     }
-  }, [userId, stableScope, permission, pageId, useCache, appName, isSuperAdmin]);
-  const refetch = useCallback4(async () => {
+  }, [userId, stableScope, permission, pageId, useCache, appName, isSuperAdmin2]);
+  const refetch = useCallback(async () => {
     if (!userId) {
       setCan(false);
       setIsLoading(false);
@@ -1130,105 +1106,18 @@ function useCan(userId, scope, permission, pageId, useCache = true, precomputedS
       setIsLoading(false);
     }
   }, [userId, isValidScope, organisationId, eventId, appId, permission, pageId, useCache, appName]);
-  return useMemo5(() => ({
+  return useMemo(() => ({
     can,
     isLoading,
     error,
     refetch
   }), [can, isLoading, error, refetch]);
 }
-
-// src/rbac/hooks/permissions/useHasAllPermissions.ts
-import { useCallback as useCallback5, useEffect as useEffect6, useMemo as useMemo6, useState as useState6 } from "react";
-function useHasAllPermissions(userId, scope, permissions, useCache = true) {
-  const [hasAll, setHasAll] = useState6(false);
-  const [isLoading, setIsLoading] = useState6(true);
-  const [error, setError] = useState6(null);
-  const checkAllPermissions = useCallback5(async () => {
-    if (!userId || permissions.length === 0) {
-      setHasAll(false);
-      setIsLoading(false);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      let hasAllPermissions = true;
-      for (const permission of permissions) {
-        const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission });
-        if (!result) {
-          hasAllPermissions = false;
-          break;
-        }
-      }
-      setHasAll(hasAllPermissions);
-    } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to check permissions"));
-      setHasAll(false);
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect6(() => {
-    checkAllPermissions();
-  }, [checkAllPermissions]);
-  return useMemo6(() => ({
-    hasAll,
-    isLoading,
-    error,
-    refetch: checkAllPermissions
-  }), [hasAll, isLoading, error, checkAllPermissions]);
-}
-
-// src/rbac/hooks/permissions/useHasAnyPermission.ts
-import { useCallback as useCallback6, useEffect as useEffect7, useMemo as useMemo7, useState as useState7 } from "react";
-function useHasAnyPermission(userId, scope, permissions, useCache = true) {
-  const [hasAny, setHasAny] = useState7(false);
-  const [isLoading, setIsLoading] = useState7(true);
-  const [error, setError] = useState7(null);
-  const checkAnyPermission = useCallback6(async () => {
-    if (!userId || permissions.length === 0) {
-      setHasAny(false);
-      setIsLoading(false);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      let hasAnyPermission = false;
-      for (const permission of permissions) {
-        const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission });
-        if (result) {
-          hasAnyPermission = true;
-          break;
-        }
-      }
-      setHasAny(hasAnyPermission);
-    } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to check permissions"));
-      setHasAny(false);
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect7(() => {
-    checkAnyPermission();
-  }, [checkAnyPermission]);
-  return useMemo7(() => ({
-    hasAny,
-    isLoading,
-    error,
-    refetch: checkAnyPermission
-  }), [hasAny, isLoading, error, checkAnyPermission]);
-}
-
-// src/rbac/hooks/permissions/useMultiplePermissions.ts
-import { useCallback as useCallback7, useEffect as useEffect8, useMemo as useMemo8, useState as useState8 } from "react";
 function useMultiplePermissions(userId, scope, permissions, useCache = true) {
-  const [results, setResults] = useState8({});
-  const [isLoading, setIsLoading] = useState8(true);
-  const [error, setError] = useState8(null);
-  const checkPermissions = useCallback7(async () => {
+  const [results, setResults] = useState({});
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const checkPermissions = useCallback(async () => {
     if (!userId || permissions.length === 0) {
       setResults({});
       setIsLoading(false);
@@ -1250,29 +1139,26 @@ function useMultiplePermissions(userId, scope, permissions, useCache = true) {
       setIsLoading(false);
     }
   }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect8(() => {
+  useEffect(() => {
     checkPermissions();
   }, [checkPermissions]);
-  return useMemo8(() => ({
+  return useMemo(() => ({
     results,
     isLoading,
     error,
     refetch: checkPermissions
   }), [results, isLoading, error, checkPermissions]);
 }
-
-// src/rbac/hooks/permissions/usePermissions.ts
-import { useCallback as useCallback8, useEffect as useEffect9, useMemo as useMemo9, useRef as useRef3, useState as useState9 } from "react";
 function usePermissions(userId, organisationId, eventId, appId) {
-  const [permissions, setPermissions] = useState9({});
-  const [isLoading, setIsLoading] = useState9(true);
-  const [error, setError] = useState9(null);
-  const [fetchTrigger, setFetchTrigger] = useState9(0);
-  const isFetchingRef = useRef3(false);
+  const [permissions, setPermissions] = useState({});
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const [fetchTrigger, setFetchTrigger] = useState(0);
+  const isFetchingRef = useRef(false);
   const logger2 = getRBACLogger();
-  const prevValuesRef = useRef3({ userId, organisationId, eventId, appId });
+  const prevValuesRef = useRef({ userId, organisationId, eventId, appId });
   const orgId = organisationId || "";
-  useEffect9(() => {
+  useEffect(() => {
     if (!userId) {
       return;
     }
@@ -1287,16 +1173,15 @@ function usePermissions(userId, organisationId, eventId, appId) {
       setError(null);
     }
   }, [userId, organisationId, error, orgId]);
-  useEffect9(() => {
+  useEffect(() => {
     const paramsChanged = prevValuesRef.current.userId !== userId || prevValuesRef.current.organisationId !== organisationId || prevValuesRef.current.eventId !== eventId || prevValuesRef.current.appId !== appId;
     if (paramsChanged) {
-      if (prevValuesRef.current.appId !== appId) {
-      }
+      if (prevValuesRef.current.appId !== appId) ;
       prevValuesRef.current = { userId, organisationId, eventId, appId };
       setFetchTrigger((prev) => prev + 1);
     }
   }, [userId, organisationId, eventId, appId, logger2]);
-  useEffect9(() => {
+  useEffect(() => {
     const fetchPermissions = async () => {
       if (isFetchingRef.current) {
         return;
@@ -1343,25 +1228,25 @@ function usePermissions(userId, organisationId, eventId, appId) {
     };
     fetchPermissions();
   }, [fetchTrigger, userId, organisationId, eventId, appId]);
-  const hasPermission = useCallback8((permission) => {
+  const hasPermission = useCallback((permission) => {
     if (permissions["*"]) {
       return true;
     }
     return permissions[permission] === true;
   }, [permissions]);
-  const hasAnyPermission = useCallback8((permissionList) => {
+  const hasAnyPermission = useCallback((permissionList) => {
     if (permissions["*"]) {
       return true;
     }
     return permissionList.some((p) => permissions[p] === true);
   }, [permissions]);
-  const hasAllPermissions = useCallback8((permissionList) => {
+  const hasAllPermissions = useCallback((permissionList) => {
     if (permissions["*"]) {
       return true;
     }
     return permissionList.every((p) => permissions[p] === true);
   }, [permissions]);
-  const refetch = useCallback8(async () => {
+  const refetch = useCallback(async () => {
     if (isFetchingRef.current) {
       return;
     }
@@ -1395,7 +1280,7 @@ function usePermissions(userId, organisationId, eventId, appId) {
       isFetchingRef.current = false;
     }
   }, [userId, organisationId, eventId, appId]);
-  return useMemo9(() => ({
+  return useMemo(() => ({
     permissions,
     isLoading,
     error,
@@ -1405,12 +1290,57 @@ function usePermissions(userId, organisationId, eventId, appId) {
     refetch
   }), [permissions, isLoading, error, hasPermission, hasAnyPermission, hasAllPermissions, refetch]);
 }
-
-// src/rbac/hooks/useResourcePermissions.ts
-import { useMemo as useMemo10 } from "react";
 function useResourcePermissions(resource, options = {}) {
   const { enableRead = false, requireScope = true } = options;
+  const logger2 = createLogger("ResourcePermissions");
   const { user, supabase } = useUnifiedAuth();
+  const [isSuperAdminUser, setIsSuperAdminUser] = useState(null);
+  const [isCheckingSuperAdmin, setIsCheckingSuperAdmin] = useState(() => !!user?.id);
+  const lastCheckedUserIdRef = useRef(null);
+  const isCheckingRef = useRef(false);
+  useEffect(() => {
+    if (lastCheckedUserIdRef.current === user?.id && isSuperAdminUser !== null) {
+      return;
+    }
+    if (isCheckingRef.current) {
+      return;
+    }
+    const checkSuperAdminStatus = async () => {
+      if (!user?.id) {
+        setIsSuperAdminUser(false);
+        setIsCheckingSuperAdmin(false);
+        lastCheckedUserIdRef.current = null;
+        return;
+      }
+      isCheckingRef.current = true;
+      lastCheckedUserIdRef.current = user.id;
+      const startTime = Date.now();
+      setIsCheckingSuperAdmin(true);
+      const timeoutId = setTimeout(() => {
+        logger2.warn("useResourcePermissions", "Super admin check taking longer than 5 seconds", {
+          userId: user?.id,
+          elapsedMs: Date.now() - startTime
+        });
+      }, 5e3);
+      try {
+        const superAdminStatus = await isSuperAdmin(user.id);
+        setIsSuperAdminUser(superAdminStatus);
+      } catch (error2) {
+        const elapsed = Date.now() - startTime;
+        logger2.error("useResourcePermissions", "Error checking super admin status", {
+          userId: user?.id,
+          error: error2,
+          elapsedMs: elapsed
+        });
+        setIsSuperAdminUser(false);
+      } finally {
+        clearTimeout(timeoutId);
+        setIsCheckingSuperAdmin(false);
+        isCheckingRef.current = false;
+      }
+    };
+    checkSuperAdminStatus();
+  }, [user?.id, logger2]);
   const { selectedOrganisation } = useOrganisations();
   let selectedEvent = null;
   try {
@@ -1421,70 +1351,79 @@ function useResourcePermissions(resource, options = {}) {
   const { resolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
     supabase,
     selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
+    selectedEventId: selectedEvent?.event_id || null,
+    selectedEventOrganisationId: selectedEvent?.organisation_id || null
   });
   const scope = resolvedScope || {
     organisationId: selectedOrganisation?.id || "",
     eventId: selectedEvent?.event_id || void 0,
     appId: void 0
   };
-  const pageId = scope.appId ? resource : void 0;
+  const hasAppId = !!resolvedScope?.appId;
+  const pageId = hasAppId ? resource : void 0;
+  const isPagePermission = hasAppId && !!pageId;
+  const createPermission = isPagePermission ? `create:page.${resource}` : `create:${resource}`;
+  const updatePermission = isPagePermission ? `update:page.${resource}` : `update:${resource}`;
+  const deletePermission = isPagePermission ? `delete:page.${resource}` : `delete:${resource}`;
+  const readPermission = isPagePermission ? `read:page.${resource}` : `read:${resource}`;
   const { can: canCreateResult, isLoading: createLoading, error: createError } = useCan(
     user?.id || "",
     scope,
-    `create:${resource}`,
+    createPermission,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
     true,
     // useCache
-    null,
-    // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser,
+    // precomputedSuperAdmin - null if checking, false/true if checked
     void 0
     // appName
   );
   const { can: canUpdateResult, isLoading: updateLoading, error: updateError } = useCan(
     user?.id || "",
     scope,
-    `update:${resource}`,
+    updatePermission,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
     true,
     // useCache
-    null,
-    // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser,
+    // precomputedSuperAdmin - null if checking, false/true if checked
     void 0
     // appName
   );
   const { can: canDeleteResult, isLoading: deleteLoading, error: deleteError } = useCan(
     user?.id || "",
     scope,
-    `delete:${resource}`,
+    deletePermission,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
     true,
     // useCache
-    null,
-    // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser,
+    // precomputedSuperAdmin - null if checking, false/true if checked
     void 0
     // appName
   );
   const { can: canReadResult, isLoading: readLoading, error: readError } = useCan(
     user?.id || "",
     scope,
-    `read:${resource}`,
+    readPermission,
     pageId,
     // Pass resource name as pageId when appId is available to enable page permission checks
     true,
     // useCache
-    null,
-    // precomputedSuperAdmin - not checked yet
+    isSuperAdminUser,
+    // precomputedSuperAdmin - null if checking, false/true if checked
     void 0
     // appName
   );
-  const isLoading = useMemo10(() => {
-    return scopeLoading || createLoading || updateLoading || deleteLoading || enableRead && readLoading;
-  }, [scopeLoading, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
-  const error = useMemo10(() => {
+  const isLoading = useMemo(() => {
+    const waitingForScope = requireScope && scopeLoading;
+    const waitingForSuperAdmin = isSuperAdminUser === null && isCheckingSuperAdmin;
+    return waitingForScope || waitingForSuperAdmin || createLoading || updateLoading || deleteLoading || enableRead && readLoading;
+  }, [scopeLoading, requireScope, isSuperAdminUser, isCheckingSuperAdmin, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
+  const error = useMemo(() => {
     if (scopeError) return scopeError;
     if (createError) return createError;
     if (updateError) return updateError;
@@ -1492,39 +1431,49 @@ function useResourcePermissions(resource, options = {}) {
     if (enableRead && readError) return readError;
     return null;
   }, [scopeError, createError, updateError, deleteError, readError, enableRead]);
-  return useMemo10(() => ({
-    canCreate: (res) => {
-      if (res !== resource) {
-        return false;
-      }
-      return canCreateResult;
-    },
-    canUpdate: (res) => {
-      if (res !== resource) {
-        return false;
-      }
-      return canUpdateResult;
-    },
-    canDelete: (res) => {
-      if (res !== resource) {
-        return false;
-      }
-      return canDeleteResult;
-    },
-    canRead: (res) => {
-      if (!enableRead) {
+  return useMemo(() => {
+    const createSuperAdminAwarePermission = (result) => {
+      if (isSuperAdminUser === true) {
         return true;
       }
-      if (res !== resource) {
-        return false;
-      }
-      return canReadResult;
-    },
-    scope,
-    isLoading,
-    error
-  }), [
+      return result;
+    };
+    return {
+      canCreate: (res) => {
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canCreateResult);
+      },
+      canUpdate: (res) => {
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canUpdateResult);
+      },
+      canDelete: (res) => {
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canDeleteResult);
+      },
+      canRead: (res) => {
+        if (!enableRead) {
+          return true;
+        }
+        if (res !== resource) {
+          return false;
+        }
+        return createSuperAdminAwarePermission(canReadResult);
+      },
+      scope,
+      isLoading: isCheckingSuperAdmin || isLoading,
+      error
+    };
+  }, [
     resource,
+    isSuperAdminUser,
+    isCheckingSuperAdmin,
     canCreateResult,
     canUpdateResult,
     canDeleteResult,
@@ -1535,38 +1484,102 @@ function useResourcePermissions(resource, options = {}) {
     error
   ]);
 }
-
-// src/rbac/hooks/useRoleManagement.ts
-import { useState as useState10, useCallback as useCallback9 } from "react";
 function useRoleManagement() {
   const { user, supabase } = useUnifiedAuth();
-  const [isLoading, setIsLoading] = useState10(false);
-  const [error, setError] = useState10(null);
+  const [isLoading, setIsLoading] = useState(false);
+  const [error, setError] = useState(null);
   if (!supabase) {
     throw new Error("useRoleManagement requires a Supabase client. Ensure UnifiedAuthProvider is configured.");
   }
-  const revokeEventAppRole = useCallback9(async (params) => {
+  const revokeEventAppRole = useCallback(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
-      const { data, error: rpcError } = await supabase.rpc("revoke_event_app_role", {
+      const contextId = `${params.event_id}:${params.app_id}`;
+      const rpcParams = {
         p_user_id: params.user_id,
-        p_organisation_id: params.organisation_id,
-        p_event_id: params.event_id,
-        p_app_id: params.app_id,
-        p_role: params.role,
+        p_role_type: "event_app",
+        p_role_name: params.role,
+        p_context_id: contextId,
         p_revoked_by: params.revoked_by || user?.id || void 0
-      });
+      };
+      if (import.meta.env.MODE === "development") {
+        console.log("[useRoleManagement] revokeEventAppRole called with:", rpcParams);
+      }
+      const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", rpcParams);
       if (rpcError) {
-        throw new Error(rpcError.message || "Failed to revoke role");
+        if (import.meta.env.MODE === "development") {
+          console.error("[useRoleManagement] RPC error:", {
+            message: rpcError.message,
+            details: rpcError.details,
+            hint: rpcError.hint,
+            code: rpcError.code,
+            fullError: rpcError
+          });
+        }
+        const errorMessage = rpcError.message || "Failed to revoke role - unknown RPC error";
+        throw new Error(errorMessage);
+      }
+      if (import.meta.env.MODE === "development") {
+        console.log("[useRoleManagement] RPC response:", {
+          data,
+          error: rpcError,
+          dataType: Array.isArray(data) ? "array" : typeof data,
+          dataLength: Array.isArray(data) ? data.length : "N/A"
+        });
+      }
+      if (!data || !Array.isArray(data) || data.length === 0) {
+        const errorMsg = "No response from database - role revocation may have failed";
+        if (import.meta.env.MODE === "development") {
+          console.error("[useRoleManagement] Empty or null data response:", {
+            data,
+            dataType: typeof data,
+            isArray: Array.isArray(data),
+            length: Array.isArray(data) ? data.length : "N/A"
+          });
+        }
+        throw new Error(errorMsg);
+      }
+      const result = data[0];
+      if (import.meta.env.MODE === "development") {
+        console.log("[useRoleManagement] RPC result:", {
+          success: result?.success,
+          message: result?.message,
+          error_code: result?.error_code,
+          revoked_count: result?.revoked_count,
+          fullResult: result
+        });
+      }
+      if (!result || result.success !== true) {
+        const errorMessage = result?.message || result?.error_code || "Role revocation failed";
+        if (import.meta.env.MODE === "development") {
+          console.error("[useRoleManagement] Role revocation failed:", {
+            result,
+            errorMessage,
+            fullData: data,
+            rpcParams
+          });
+        }
+        return {
+          success: false,
+          message: result?.message || void 0,
+          error: errorMessage
+        };
       }
       return {
-        success: data === true,
-        message: data === true ? "Role revoked successfully" : "No role found to revoke",
-        error: data === false ? "No matching role found" : void 0
+        success: true,
+        message: result.message || "Role revoked successfully",
+        error: void 0
       };
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
+      if (import.meta.env.MODE === "development") {
+        console.error("[useRoleManagement] Exception in revokeEventAppRole:", {
+          error: err,
+          errorMessage,
+          params
+        });
+      }
       setError(err instanceof Error ? err : new Error(errorMessage));
       return {
         success: false,
@@ -1575,8 +1588,8 @@ function useRoleManagement() {
     } finally {
       setIsLoading(false);
     }
-  }, [user?.id]);
-  const grantEventAppRole = useCallback9(async (params) => {
+  }, [user?.id, supabase]);
+  const grantEventAppRole = useCallback(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1615,7 +1628,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id]);
-  const revokeRoleById = useCallback9(async (roleId) => {
+  const revokeRoleById = useCallback(async (roleId) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1632,13 +1645,28 @@ function useRoleManagement() {
         p_revoked_by: user?.id || void 0
       });
       if (rpcError) {
-        throw new Error(rpcError.message || "Failed to revoke role");
+        const errorMessage = rpcError.message || "Failed to revoke role - unknown RPC error";
+        throw new Error(errorMessage);
       }
       const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
+      if (!result) {
+        return {
+          success: false,
+          error: void 0
+        };
+      }
+      if (result.success === false) {
+        const errorMessage = result.message || result.error_code || "Role revocation failed";
+        return {
+          success: false,
+          message: result.message || void 0,
+          error: errorMessage
+        };
+      }
       return {
-        success: result?.success === true,
-        message: result?.message || void 0,
-        error: result?.success === false ? result?.message || result?.error_code || "Unknown error" : void 0
+        success: true,
+        message: result.message || "Role revoked successfully",
+        error: void 0
       };
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
@@ -1651,7 +1679,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id, supabase]);
-  const grantGlobalRole = useCallback9(async (params) => {
+  const grantGlobalRole = useCallback(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1690,7 +1718,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id, supabase]);
-  const revokeGlobalRole = useCallback9(async (params) => {
+  const revokeGlobalRole = useCallback(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1703,7 +1731,14 @@ function useRoleManagement() {
         p_revoked_by: params.revoked_by || user?.id || void 0
       });
       if (rpcError) {
-        throw new Error(rpcError.message || "Failed to revoke role");
+        const errorParts = [
+          rpcError.message,
+          rpcError.details,
+          rpcError.hint,
+          rpcError.code ? `Error code: ${rpcError.code}` : null
+        ].filter(Boolean);
+        const errorMessage = errorParts.length > 0 ? errorParts.join(" | ") : "Failed to revoke role - unknown RPC error";
+        throw new Error(errorMessage);
       }
       const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
       return {
@@ -1722,7 +1757,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id, supabase]);
-  const grantOrganisationRole = useCallback9(async (params) => {
+  const grantOrganisationRole = useCallback(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1761,7 +1796,7 @@ function useRoleManagement() {
       setIsLoading(false);
     }
   }, [user?.id, supabase]);
-  const revokeOrganisationRole = useCallback9(async (params) => {
+  const revokeOrganisationRole = useCallback(async (params) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -1774,7 +1809,14 @@ function useRoleManagement() {
         p_revoked_by: params.revoked_by || user?.id || void 0
       });
       if (rpcError) {
-        throw new Error(rpcError.message || "Failed to revoke role");
+        const errorParts = [
+          rpcError.message,
+          rpcError.details,
+          rpcError.hint,
+          rpcError.code ? `Error code: ${rpcError.code}` : null
+        ].filter(Boolean);
+        const errorMessage = errorParts.length > 0 ? errorParts.join(" | ") : "Failed to revoke role - unknown RPC error";
+        throw new Error(errorMessage);
       }
       const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
       return {
@@ -1809,13 +1851,10 @@ function useRoleManagement() {
     error
   };
 }
-
-// src/rbac/hooks/useSecureSupabase.ts
-import { useMemo as useMemo11, useRef as useRef4 } from "react";
 var secureClientCache = /* @__PURE__ */ new Map();
 var MAX_CACHE_SIZE = 5;
-function getCacheKey(organisationId, eventId, appId, isSuperAdmin) {
-  return `${organisationId || "no-org"}-${eventId || "no-event"}-${appId || "no-app"}-${isSuperAdmin ? "super" : "regular"}`;
+function getCacheKey(organisationId, eventId, appId, isSuperAdmin2) {
+  return `${organisationId || "no-org"}-${eventId || "no-event"}-${appId || "no-app"}-${isSuperAdmin2 ? "super" : "regular"}`;
 }
 function getSupabaseConfig() {
   const getEnvVar = (key) => {
@@ -1841,28 +1880,26 @@ function useSecureSupabase(baseClient) {
   const { selectedEvent } = eventsContext;
   const eventLoading = "eventLoading" in eventsContext ? eventsContext.eventLoading : false;
   const { superAdminContext } = useOrganisationSecurity();
-  const isSuperAdmin = superAdminContext.isSuperAdmin;
+  const isSuperAdmin2 = superAdminContext.isSuperAdmin;
   const { resolvedScope } = useResolvedScope({
     supabase: authSupabase || null,
     selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
+    selectedEventId: selectedEvent?.event_id || null,
+    selectedEventOrganisationId: selectedEvent?.organisation_id || null
   });
-  const prevContextRef = useRef4({
+  const prevContextRef = useRef({
     organisationId: void 0,
     eventId: void 0,
     appId: void 0
   });
-  return useMemo11(() => {
-    if (eventLoading) {
-      return baseClient || authSupabase || null;
-    }
+  return useMemo(() => {
     const organisationId = resolvedScope?.organisationId;
     const eventId = resolvedScope?.eventId || selectedEvent?.event_id;
     const appId = resolvedScope?.appId;
-    const canCreateSecureClient = user?.id && (isSuperAdmin || organisationId);
+    const canCreateSecureClient = user?.id && (isSuperAdmin2 || organisationId);
     if (canCreateSecureClient) {
       prevContextRef.current = { organisationId, eventId, appId };
-      const cacheKey = getCacheKey(organisationId, eventId, appId, isSuperAdmin);
+      const cacheKey = getCacheKey(organisationId, eventId, appId, isSuperAdmin2);
       const cachedClient = secureClientCache.get(cacheKey);
       if (cachedClient) {
         return cachedClient.getClient();
@@ -1875,14 +1912,14 @@ function useSecureSupabase(baseClient) {
         return baseClient || authSupabase || null;
       }
       try {
-        const effectiveOrganisationId = isSuperAdmin ? organisationId || null : organisationId;
+        const effectiveOrganisationId = isSuperAdmin2 ? organisationId || null : organisationId;
         const baseForSecureClient = baseClient || authSupabase || null;
         const secureClient = baseForSecureClient ? fromSupabaseClient(
           baseForSecureClient,
           effectiveOrganisationId ?? null,
           eventId,
           appId,
-          isSuperAdmin
+          isSuperAdmin2
         ) : createSecureClient(
           config.url,
           config.key,
@@ -1891,7 +1928,7 @@ function useSecureSupabase(baseClient) {
           eventId,
           appId,
           // appId is string | undefined, UUID is string alias
-          isSuperAdmin
+          isSuperAdmin2
           // Pass super admin status for conditional filtering
         );
         secureClientCache.set(cacheKey, secureClient);
@@ -1915,31 +1952,10 @@ function useSecureSupabase(baseClient) {
     selectedEvent?.event_id,
     user?.id,
     eventLoading,
-    isSuperAdmin,
+    isSuperAdmin2,
     baseClient,
     authSupabase
   ]);
 }
 
-export {
-  SECURE_CLIENT_SYMBOL,
-  isSecureClient,
-  warnIfInsecureClient,
-  SecureSupabaseClient,
-  createSecureClient,
-  fromSupabaseClient,
-  useResolvedScope,
-  useRBAC,
-  useAccessLevel,
-  useCachedPermissions,
-  scopeEqual,
-  useCan,
-  useHasAllPermissions,
-  useHasAnyPermission,
-  useMultiplePermissions,
-  usePermissions,
-  useResourcePermissions,
-  useRoleManagement,
-  useSecureSupabase
-};
-//# sourceMappingURL=chunk-NN6WWZ5U.js.map
+export { Button, SECURE_CLIENT_SYMBOL, SecureSupabaseClient, Tooltip, TooltipContent, TooltipProvider, TooltipRoot, TooltipTrigger, createSecureClient, fromSupabaseClient, isSecureClient, scopeEqual, useAccessLevel, useCan, useEvents, useMultiplePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleManagement, useSecureSupabase, warnIfInsecureClient };