@jmruthers/pace-core 0.6.4 → 0.6.6

package/dist/chunk-3LPHPB62.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/rbac/cache.ts","../src/rbac/cache-invalidation.ts","../src/rbac/errors.ts","../src/rbac/security.ts","../src/rbac/config.ts","../src/rbac/engine.ts","../src/rbac/performance.ts","../src/rbac/request-deduplication.ts","../src/rbac/api.ts"],"sourcesContent":["/**\n * RBAC Cache Implementation\n * @package @jmruthers/pace-core\n * @module RBAC/Cache\n * @since 1.0.0\n * \n * This module provides caching functionality for RBAC operations with TTL and invalidation.\n */\n\nimport { UUID } from './types';\nimport { CacheEntry, PermissionCacheKey } from './types';\n\n/**\n * In-memory cache for RBAC operations\n * \n * Provides two-tier caching:\n * - Short-term cache: 120 seconds for frequently changing permissions\n * - Session cache: 15 minutes for stable permissions (page-level checks)\n */\nexport class RBACCache {\n  private cache = new Map<string, CacheEntry<any>>();\n  private sessionCache = new Map<string, CacheEntry<any>>();\n  private readonly TTL = 120 * 1000; // 120 seconds (short-term) - increased from 60s\n  private readonly SESSION_TTL = 15 * 60 * 1000; // 15 minutes (session-level) - increased from 5min\n  private invalidationCallbacks: Set<(pattern: string) => void> = new Set();\n\n  /**\n   * Get a value from the cache\n   * \n   * Checks both short-term cache and session cache.\n   * \n   * @param key - Cache key\n   * @param useSessionCache - Whether to check session cache (default: true)\n   * @returns Cached value or null if not found/expired\n   */\n  get<T>(key: string, useSessionCache: boolean = true): T | null {\n    const now = Date.now();\n    \n    // Check short-term cache first\n    const entry = this.cache.get(key);\n    if (entry && now <= entry.expires) {\n      return entry.data as T;\n    }\n    if (entry && now > entry.expires) {\n      this.cache.delete(key);\n    }\n    \n    // Check session cache if enabled\n    if (useSessionCache) {\n      const sessionEntry = this.sessionCache.get(key);\n      if (sessionEntry && now <= sessionEntry.expires) {\n        return sessionEntry.data as T;\n      }\n      if (sessionEntry && now > sessionEntry.expires) {\n        this.sessionCache.delete(key);\n      }\n    }\n    \n    return null;\n  }\n\n  /**\n   * Set a value in the cache\n   * \n   * @param key - Cache key\n   * @param data - Data to cache\n   * @param ttl - Time to live in milliseconds (defaults to 60s)\n   * @param useSessionCache - Whether to also store in session cache (default: false for page-level checks)\n   */\n  set<T>(key: string, data: T, ttl: number = this.TTL, useSessionCache: boolean = false): void {\n    const now = Date.now();\n    // For zero or negative TTL, set expires to current time to make it immediately expired\n    const expires = ttl <= 0 ? now - 1 : now + ttl;\n    \n    // Always store in short-term cache\n    this.cache.set(key, {\n      data,\n      expires,\n    });\n    \n    // Optionally store in session cache for page-level permissions\n    if (useSessionCache) {\n      const sessionExpires = ttl <= 0 ? now - 1 : now + this.SESSION_TTL;\n      this.sessionCache.set(key, {\n        data,\n        expires: sessionExpires,\n      });\n    }\n  }\n\n  /**\n   * Delete a specific key from the cache\n   * \n   * @param key - Cache key to delete\n   */\n  delete(key: string): void {\n    this.cache.delete(key);\n    this.sessionCache.delete(key);\n  }\n\n  /**\n   * Invalidate cache entries matching a pattern\n   * \n   * @param pattern - Pattern to match against cache keys\n   */\n  invalidate(pattern: string): void {\n    const trimmedPattern = pattern?.trim();\n\n    if (!trimmedPattern) {\n      return;\n    }\n\n    const matcher = this.createMatcher(trimmedPattern);\n    const keysToDelete: string[] = [];\n\n    // Invalidate from both caches\n    for (const key of this.cache.keys()) {\n      if (matcher(key)) {\n        keysToDelete.push(key);\n      }\n    }\n    \n    for (const key of this.sessionCache.keys()) {\n      if (matcher(key) && !keysToDelete.includes(key)) {\n        keysToDelete.push(key);\n      }\n    }\n\n    keysToDelete.forEach(key => {\n      this.cache.delete(key);\n      this.sessionCache.delete(key);\n    });\n\n    // Notify invalidation callbacks\n    this.invalidationCallbacks.forEach(callback => callback(trimmedPattern));\n  }\n\n  private createMatcher(pattern: string): (key: string) => boolean {\n    if (pattern.includes('*')) {\n      const escapedSegments = pattern\n        .split('*')\n        .map(segment => segment.replace(/[|\\\\{}()[\\]^$+?.-]/g, '\\\\$&'));\n      const regexPattern = escapedSegments.join('.*');\n      const regex = new RegExp(regexPattern);\n      return (key: string) => regex.test(key);\n    }\n\n    return (key: string) => key.includes(pattern);\n  }\n\n  /**\n   * Clear all cache entries\n   */\n  clear(): void {\n    this.cache.clear();\n    this.sessionCache.clear();\n  }\n\n  /**\n   * Get cache statistics\n   */\n  getStats(): {\n    size: number;\n    sessionSize: number;\n    ttl: number;\n    sessionTtl: number;\n    keys: string[];\n  } {\n    return {\n      size: this.cache.size,\n      sessionSize: this.sessionCache.size,\n      ttl: this.TTL,\n      sessionTtl: this.SESSION_TTL,\n      keys: Array.from(this.cache.keys()),\n    };\n  }\n\n  /**\n   * Add an invalidation callback\n   * \n   * @param callback - Function to call when cache is invalidated\n   */\n  onInvalidate(callback: (pattern: string) => void): () => void {\n    this.invalidationCallbacks.add(callback);\n    \n    // Return unsubscribe function\n    return () => {\n      this.invalidationCallbacks.delete(callback);\n    };\n  }\n\n  /**\n   * Generate cache key for permission check (simplified signature)\n   * \n   * @param userId - User ID\n   * @param permission - Permission string\n   * @param organisationId - Organisation ID (optional)\n   * @param eventId - Event ID (optional)\n   * @param appId - App ID (optional)\n   * @param pageId - Page ID (optional)\n   * @returns String cache key\n   */\n  static generateKey(\n    userId: UUID,\n    permission: string,\n    organisationId?: UUID,\n    eventId?: string,\n    appId?: UUID,\n    pageId?: UUID | string\n  ): string {\n    const parts = [\n      'perm',\n      userId,\n      organisationId || 'null',\n      eventId || 'null',\n      appId || 'null',\n      permission || 'null',\n      pageId || 'null',\n    ];\n    \n    return parts.join(':');\n  }\n\n  /**\n   * Generate cache key for permission check (object signature)\n   * \n   * @param key - Permission cache key object\n   * @returns String cache key\n   */\n  static generatePermissionKey(key: PermissionCacheKey): string {\n    const parts = [\n      'perm',\n      key.userId,\n      key.organisationId || 'null',\n      key.eventId || 'null',\n      key.appId || 'null',\n      key.permission || 'null',\n      key.pageId || 'null',\n    ];\n    \n    return parts.join(':');\n  }\n\n  /**\n   * Generate cache key for access level\n   * \n   * @param userId - User ID\n   * @param organisationId - Organisation ID\n   * @param eventId - Event ID (optional)\n   * @param appId - App ID (optional)\n   * @returns String cache key\n   */\n  static generateAccessLevelKey(\n    userId: UUID,\n    organisationId: UUID,\n    eventId?: string,\n    appId?: UUID\n  ): string {\n    const parts = [\n      'access',\n      userId,\n      organisationId,\n      eventId || 'null',\n      appId || 'null',\n    ];\n    \n    return parts.join(':');\n  }\n\n  /**\n   * Generate cache key for permission map\n   * \n   * @param userId - User ID\n   * @param organisationId - Organisation ID\n   * @param eventId - Event ID (optional)\n   * @param appId - App ID (optional)\n   * @returns String cache key\n   */\n  static generatePermissionMapKey(\n    userId: UUID,\n    organisationId: UUID,\n    eventId?: string,\n    appId?: UUID\n  ): string {\n    const parts = [\n      'map',\n      userId,\n      organisationId,\n      eventId || 'null',\n      appId || 'null',\n    ];\n    \n    return parts.join(':');\n  }\n}\n\n/**\n * Global cache instance\n * \n * This is the default cache instance used by the RBAC system.\n * You can create additional instances if needed for different contexts.\n */\nexport const rbacCache = new RBACCache();\n\n/**\n * Cache key patterns for invalidation\n */\nexport const CACHE_PATTERNS = {\n  USER: (userId: UUID) => `:${userId}:`,\n  ORGANISATION: (organisationId: UUID) => `:${organisationId}:`,\n  EVENT: (eventId: string) => `:${eventId}:`,\n  APP: (appId: UUID) => `:${appId}`,\n  PERMISSION: (userId: UUID, organisationId: UUID) => `perm:${userId}:${organisationId}:`,\n} as const;\n","/**\n * RBAC Cache Invalidation Service\n * @package @jmruthers/pace-core\n * @module RBAC/CacheInvalidation\n * @since 1.0.0\n * \n * This module provides automatic cache invalidation when RBAC data changes.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { rbacCache, CACHE_PATTERNS } from './cache';\nimport { emitAuditEvent } from './audit';\nimport { UUID } from './types';\nimport { createLogger } from '../utils/core/logger';\n\nconst log = createLogger('RBACCache');\n\n/**\n * Cache invalidation patterns for different RBAC changes\n */\nexport const INVALIDATION_PATTERNS = {\n  // User-level invalidation\n  USER_ROLES_CHANGED: (userId: UUID) => [\n    CACHE_PATTERNS.USER(userId),\n    `perm:${userId}:*`,\n    `access:${userId}:*`,\n    `map:${userId}:*`\n  ],\n  \n  // Organisation-level invalidation\n  ORGANISATION_PERMISSIONS_CHANGED: (organisationId: UUID) => [\n    CACHE_PATTERNS.ORGANISATION(organisationId),\n    `perm:*:${organisationId}:*`,\n    `access:*:${organisationId}:*`,\n    `map:*:${organisationId}:*`\n  ],\n  \n  // Event-level invalidation\n  EVENT_PERMISSIONS_CHANGED: (eventId: string) => [\n    CACHE_PATTERNS.EVENT(eventId),\n    `perm:*:*:${eventId}:*`,\n    `access:*:*:${eventId}:*`,\n    `map:*:*:${eventId}:*`\n  ],\n  \n  // App-level invalidation\n  APP_PERMISSIONS_CHANGED: (appId: UUID) => [\n    CACHE_PATTERNS.APP(appId),\n    `perm:*:*:*:${appId}:*`,\n    `access:*:*:*:${appId}`,\n    `map:*:*:*:${appId}`\n  ],\n  \n  // Page-level invalidation\n  PAGE_PERMISSIONS_CHANGED: (pageId: UUID) => [\n    `perm:*:*:*:*:${pageId}`,\n    `map:*:*:*:*`\n  ]\n} as const;\n\n/**\n * RBAC Cache Invalidation Manager\n * \n * Handles automatic cache invalidation when RBAC data changes.\n */\nexport class RBACCacheInvalidationManager {\n  private supabase: SupabaseClient<Database>;\n  private invalidationCallbacks: Set<(pattern: string) => void> = new Set();\n  private channels: Array<{ unsubscribe: () => void }> = [];\n\n  constructor(supabase: SupabaseClient<Database>) {\n    this.supabase = supabase;\n    this.setupRealtimeSubscriptions();\n  }\n\n  /**\n   * Add a callback for cache invalidation events\n   * \n   * @param callback - Function to call when cache is invalidated\n   * @returns Unsubscribe function\n   */\n  onInvalidation(callback: (pattern: string) => void): () => void {\n    this.invalidationCallbacks.add(callback);\n    return () => this.invalidationCallbacks.delete(callback);\n  }\n\n  /**\n   * Invalidate cache for a specific user\n   * \n   * @param userId - User ID\n   * @param reason - Reason for invalidation\n   */\n  invalidateUser(userId: UUID, reason: string): void {\n    const patterns = INVALIDATION_PATTERNS.USER_ROLES_CHANGED(userId);\n    this.invalidatePatterns(patterns, reason);\n  }\n\n  /**\n   * Invalidate cache for a specific organisation\n   * \n   * @param organisationId - Organisation ID\n   * @param reason - Reason for invalidation\n   */\n  invalidateOrganisation(organisationId: UUID, reason: string): void {\n    const patterns = INVALIDATION_PATTERNS.ORGANISATION_PERMISSIONS_CHANGED(organisationId);\n    this.invalidatePatterns(patterns, reason);\n  }\n\n  /**\n   * Invalidate cache for a specific event\n   * \n   * @param eventId - Event ID\n   * @param reason - Reason for invalidation\n   */\n  invalidateEvent(eventId: string, reason: string): void {\n    const patterns = INVALIDATION_PATTERNS.EVENT_PERMISSIONS_CHANGED(eventId);\n    this.invalidatePatterns(patterns, reason);\n  }\n\n  /**\n   * Invalidate cache for a specific app\n   * \n   * @param appId - App ID\n   * @param reason - Reason for invalidation\n   */\n  invalidateApp(appId: UUID, reason: string): void {\n    const patterns = INVALIDATION_PATTERNS.APP_PERMISSIONS_CHANGED(appId);\n    this.invalidatePatterns(patterns, reason);\n  }\n\n  /**\n   * Invalidate cache for a specific page\n   * \n   * @param pageId - Page ID\n   * @param reason - Reason for invalidation\n   */\n  invalidatePage(pageId: UUID, reason: string): void {\n    const patterns = INVALIDATION_PATTERNS.PAGE_PERMISSIONS_CHANGED(pageId);\n    this.invalidatePatterns(patterns, reason);\n  }\n\n  /**\n   * Invalidate cache patterns and notify callbacks\n   * \n   * @param patterns - Array of cache patterns to invalidate\n   * @param reason - Reason for invalidation\n   */\n  private invalidatePatterns(patterns: string[], reason: string): void {\n    log.debug(`Invalidating patterns: ${patterns.join(', ')} (${reason})`);\n    \n    patterns.forEach(pattern => {\n      rbacCache.invalidate(pattern);\n    });\n\n    // Notify callbacks\n    this.invalidationCallbacks.forEach(callback => {\n      patterns.forEach(pattern => callback(pattern));\n    });\n\n    // Log audit event for cache invalidation\n    emitAuditEvent({\n      type: 'permission_check',\n      userId: 'system' as UUID,\n      organisationId: '00000000-0000-0000-0000-000000000000' as UUID,\n      permission: 'cache:invalidate',\n      decision: true,\n      source: 'api',\n      duration_ms: 0,\n      metadata: {\n        reason,\n        patterns,\n        timestamp: new Date().toISOString(),\n        cache_invalidation: true\n      }\n    }).catch(error => {\n      log.warn('Failed to log cache invalidation audit event:', error);\n    });\n  }\n\n  /**\n   * Cleanup subscriptions only (not all callbacks)\n   * Used internally to cleanup before setting up new subscriptions\n   */\n  private cleanupSubscriptions(): void {\n    this.channels.forEach(channel => {\n      try {\n        if (channel && typeof channel.unsubscribe === 'function') {\n          channel.unsubscribe();\n        }\n      } catch (error) {\n        log.warn('Failed to unsubscribe from channel:', error);\n      }\n    });\n    this.channels = [];\n  }\n\n  /**\n   * Setup realtime subscriptions for automatic cache invalidation\n   * Always cleans up existing subscriptions before setting up new ones to prevent duplicates\n   */\n  private setupRealtimeSubscriptions(): void {\n    // Always cleanup existing subscriptions first to prevent duplicates\n    this.cleanupSubscriptions();\n    \n    // Check if realtime is available (skip in test environments)\n    if (!this.supabase.channel || typeof this.supabase.channel !== 'function') {\n      log.debug('Realtime not available, skipping subscriptions');\n      return;\n    }\n\n    // Subscribe to organisation role changes\n    const orgRolesChannel = this.supabase\n      .channel('rbac_organisation_roles_changes')\n      .on('postgres_changes', {\n        event: '*',\n        schema: 'public',\n        table: 'rbac_organisation_roles'\n      }, (payload: any) => {\n        const { organisation_id, user_id } = payload.new || payload.old || {};\n        if (organisation_id) {\n          this.invalidateOrganisation(organisation_id, `organisation_role_${payload.eventType}`);\n        }\n        if (user_id) {\n          this.invalidateUser(user_id, `organisation_role_${payload.eventType}`);\n        }\n      });\n    const orgRolesSubscription = orgRolesChannel.subscribe();\n    this.channels.push(orgRolesSubscription);\n\n    // Subscribe to event app role changes\n    const eventAppRolesChannel = this.supabase\n      .channel('rbac_event_app_roles_changes')\n      .on('postgres_changes', {\n        event: '*',\n        schema: 'public',\n        table: 'rbac_event_app_roles'\n      }, (payload: any) => {\n        const { organisation_id, user_id, event_id, app_id } = payload.new || payload.old || {};\n        if (organisation_id) {\n          this.invalidateOrganisation(organisation_id, `event_app_role_${payload.eventType}`);\n        }\n        if (user_id) {\n          this.invalidateUser(user_id, `event_app_role_${payload.eventType}`);\n        }\n        if (event_id) {\n          this.invalidateEvent(event_id, `event_app_role_${payload.eventType}`);\n        }\n        if (app_id) {\n          this.invalidateApp(app_id, `event_app_role_${payload.eventType}`);\n        }\n      });\n    const eventAppRolesSubscription = eventAppRolesChannel.subscribe();\n    this.channels.push(eventAppRolesSubscription);\n\n    // Subscribe to global role changes\n    const globalRolesChannel = this.supabase\n      .channel('rbac_global_roles_changes')\n      .on('postgres_changes', {\n        event: '*',\n        schema: 'public',\n        table: 'rbac_global_roles'\n      }, (payload: any) => {\n        const { user_id } = payload.new || payload.old || {};\n        if (user_id) {\n          this.invalidateUser(user_id, `global_role_${payload.eventType}`);\n        }\n      });\n    const globalRolesSubscription = globalRolesChannel.subscribe();\n    this.channels.push(globalRolesSubscription);\n\n    // Subscribe to page permission changes\n    const pagePermissionsChannel = this.supabase\n      .channel('rbac_page_permissions_changes')\n      .on('postgres_changes', {\n        event: '*',\n        schema: 'public',\n        table: 'rbac_page_permissions'\n      }, (payload: any) => {\n        const { organisation_id, app_page_id, role_id } = payload.new || payload.old || {};\n        if (organisation_id) {\n          this.invalidateOrganisation(organisation_id, `page_permission_${payload.eventType}`);\n        }\n        if (app_page_id) {\n          this.invalidatePage(app_page_id, `page_permission_${payload.eventType}`);\n        }\n        // Note: We can't easily get user_id from role_id without additional query\n        // This is a limitation of the current schema design\n      });\n    const pagePermissionsSubscription = pagePermissionsChannel.subscribe();\n    this.channels.push(pagePermissionsSubscription);\n  }\n\n  /**\n   * Cleanup all realtime subscriptions\n   * Call this when the manager is no longer needed to prevent memory leaks\n   */\n  cleanup(): void {\n    // Unsubscribe from all channels\n    this.channels.forEach(channel => {\n      try {\n        if (channel && typeof channel.unsubscribe === 'function') {\n          channel.unsubscribe();\n        }\n      } catch (error) {\n        log.warn('Failed to unsubscribe from channel:', error);\n      }\n    });\n    this.channels = [];\n    \n    // Clear all callbacks\n    this.invalidationCallbacks.clear();\n  }\n\n  /**\n   * Manually trigger cache invalidation for all users in an organisation\n   * \n   * @param organisationId - Organisation ID\n   * @param reason - Reason for invalidation\n   */\n  async invalidateAllUsersInOrganisation(organisationId: UUID, reason: string): Promise<void> {\n    // Get all users in the organisation\n    const { data: users } = await this.supabase\n      .from('rbac_organisation_roles')\n      .select('user_id')\n      .eq('organisation_id', organisationId)\n      .eq('is_active', true);\n\n    if (users) {\n      users.forEach(({ user_id }) => {\n        this.invalidateUser(user_id, reason);\n      });\n    }\n  }\n\n  /**\n   * Clear all cache entries\n   */\n  clearAllCache(): void {\n    log.debug('Clearing all cache entries');\n    rbacCache.clear();\n  }\n}\n\n/**\n * Global cache invalidation manager instance\n */\nlet globalCacheInvalidationManager: RBACCacheInvalidationManager | null = null;\n\n/**\n * Initialize the global cache invalidation manager\n * Ensures only one instance exists per application lifecycle\n * \n * @param supabase - Supabase client\n * @returns Cache invalidation manager instance\n */\nexport function initializeCacheInvalidation(supabase: SupabaseClient<Database>): RBACCacheInvalidationManager {\n  // Clean up existing manager if it exists (e.g., when switching Supabase clients)\n  if (globalCacheInvalidationManager) {\n    log.debug('Cleaning up existing cache invalidation manager before creating new one');\n    globalCacheInvalidationManager.cleanup();\n  }\n  \n  globalCacheInvalidationManager = new RBACCacheInvalidationManager(supabase);\n  return globalCacheInvalidationManager;\n}\n\n/**\n * Get the global cache invalidation manager\n * \n * @returns Global cache invalidation manager or null if not initialized\n */\nexport function getCacheInvalidationManager(): RBACCacheInvalidationManager | null {\n  return globalCacheInvalidationManager;\n}\n\n/**\n * Cleanup the global cache invalidation manager\n * Call this when the application is shutting down or when switching Supabase clients\n */\nexport function cleanupCacheInvalidation(): void {\n  if (globalCacheInvalidationManager) {\n    globalCacheInvalidationManager.cleanup();\n    globalCacheInvalidationManager = null;\n  }\n}\n","import {\n  RBACError,\n  PermissionDeniedError,\n  OrganisationContextRequiredError,\n  InvalidScopeError,\n  MissingUserContextError,\n  RBACNotInitializedError,\n} from './types';\n\nexport enum RBACErrorCategory {\n  NETWORK = 'network_error',\n  DATABASE = 'database_error',\n  VALIDATION = 'validation_error',\n  RATE_LIMIT = 'rate_limit_error',\n  AUTHENTICATION = 'authentication_error',\n  AUTHORIZATION = 'authorization_error',\n  UNKNOWN = 'unknown_error',\n}\n\nconst RATE_LIMIT_STATUS_CODES = new Set([429]);\nconst AUTH_STATUS_CODES = new Set([401]);\nconst AUTHZ_STATUS_CODES = new Set([403]);\n\nfunction normalize(value: unknown): string {\n  if (!value) {\n    return '';\n  }\n  if (typeof value === 'string') {\n    return value.toLowerCase();\n  }\n  if (value instanceof Error && typeof value.message === 'string') {\n    return value.message.toLowerCase();\n  }\n  return String(value).toLowerCase();\n}\n\nexport function categorizeError(error: unknown): RBACErrorCategory {\n  if (error instanceof PermissionDeniedError) {\n    return RBACErrorCategory.AUTHORIZATION;\n  }\n\n  if (error instanceof OrganisationContextRequiredError || error instanceof InvalidScopeError) {\n    return RBACErrorCategory.VALIDATION;\n  }\n\n  if (error instanceof MissingUserContextError) {\n    return RBACErrorCategory.AUTHENTICATION;\n  }\n\n  if (error instanceof RBACError) {\n    switch (error.code) {\n      case 'PERMISSION_DENIED':\n        return RBACErrorCategory.AUTHORIZATION;\n      case 'ORGANISATION_CONTEXT_REQUIRED':\n      case 'INVALID_SCOPE':\n        return RBACErrorCategory.VALIDATION;\n      case 'MISSING_USER_CONTEXT':\n        return RBACErrorCategory.AUTHENTICATION;\n      default:\n        break;\n    }\n  }\n\n  if (error && typeof error === 'object') {\n    const status = (error as { status?: number }).status;\n    if (typeof status === 'number') {\n      if (RATE_LIMIT_STATUS_CODES.has(status)) {\n        return RBACErrorCategory.RATE_LIMIT;\n      }\n      if (AUTH_STATUS_CODES.has(status)) {\n        return RBACErrorCategory.AUTHENTICATION;\n      }\n      if (AUTHZ_STATUS_CODES.has(status)) {\n        return RBACErrorCategory.AUTHORIZATION;\n      }\n      if (status >= 500) {\n        return RBACErrorCategory.DATABASE;\n      }\n    }\n\n    const codeValue = normalize((error as { code?: string }).code);\n    if (codeValue) {\n      if (codeValue.includes('network')) {\n        return RBACErrorCategory.NETWORK;\n      }\n      if (codeValue.includes('postgres') || codeValue.includes('database') || codeValue.includes('db')) {\n        return RBACErrorCategory.DATABASE;\n      }\n      if (codeValue.includes('rate')) {\n        return RBACErrorCategory.RATE_LIMIT;\n      }\n      if (codeValue.includes('auth')) {\n        return RBACErrorCategory.AUTHENTICATION;\n      }\n      if (codeValue.includes('permission')) {\n        return RBACErrorCategory.AUTHORIZATION;\n      }\n      if (codeValue.includes('scope') || codeValue.includes('invalid')) {\n        return RBACErrorCategory.VALIDATION;\n      }\n    }\n  }\n\n  const message = normalize(error);\n  if (message.includes('timeout') || message.includes('network') || message.includes('fetch')) {\n    return RBACErrorCategory.NETWORK;\n  }\n  if (message.includes('postgres') || message.includes('database') || message.includes('connection')) {\n    return RBACErrorCategory.DATABASE;\n  }\n  if (message.includes('rate limit') || message.includes('too many requests')) {\n    return RBACErrorCategory.RATE_LIMIT;\n  }\n  if (message.includes('permission') || message.includes('forbidden')) {\n    return RBACErrorCategory.AUTHORIZATION;\n  }\n  if (message.includes('auth') || message.includes('token') || message.includes('session')) {\n    return RBACErrorCategory.AUTHENTICATION;\n  }\n  if (message.includes('invalid') || message.includes('scope') || message.includes('validation')) {\n    return RBACErrorCategory.VALIDATION;\n  }\n\n  return RBACErrorCategory.UNKNOWN;\n}\n\nexport type SecurityEventType =\n  | 'permission_denied'\n  | 'invalid_input'\n  | 'rate_limit_exceeded'\n  | 'suspicious_activity'\n  | 'network_error'\n  | 'database_error'\n  | 'validation_error'\n  | 'rate_limit_error'\n  | 'authentication_error'\n  | 'unknown_error';\n\nexport function mapErrorCategoryToSecurityEventType(category: RBACErrorCategory): SecurityEventType {\n  switch (category) {\n    case RBACErrorCategory.AUTHORIZATION:\n      return 'permission_denied';\n    case RBACErrorCategory.NETWORK:\n      return 'network_error';\n    case RBACErrorCategory.DATABASE:\n      return 'database_error';\n    case RBACErrorCategory.VALIDATION:\n      return 'validation_error';\n    case RBACErrorCategory.RATE_LIMIT:\n      return 'rate_limit_error';\n    case RBACErrorCategory.AUTHENTICATION:\n      return 'authentication_error';\n    case RBACErrorCategory.UNKNOWN:\n    default:\n      return 'unknown_error';\n  }\n}\n\n// Re-export error classes for convenience\nexport {\n  RBACError,\n  PermissionDeniedError,\n  OrganisationContextRequiredError,\n  InvalidScopeError,\n  MissingUserContextError,\n  RBACNotInitializedError,\n};\n","/**\n * RBAC Security Enhancements\n * @package @jmruthers/pace-core\n * @module RBAC/Security\n * @since 1.0.0\n * \n * Additional security measures for the RBAC system\n */\n\nimport { UUID, Permission, Scope } from './types';\nimport { createLogger } from '../utils/core/logger';\n\nconst log = createLogger('RBACSecurity');\n\n/**\n * Security validation utilities for RBAC operations\n */\nexport class RBACSecurityValidator {\n  /**\n   * Validate permission string format\n   * @param permission - Permission string to validate\n   * @returns True if valid, false otherwise\n   */\n  static validatePermission(permission: string): boolean {\n    if (typeof permission !== 'string' || permission.length === 0) {\n      return false;\n    }\n\n    // Permission format: operation:resource[.subresource]\n    // Only CRUD operations are allowed (read, create, update, delete)\n    // The 'manage' operation has been removed for RBAC compliance\n    const permissionRegex = /^(read|create|update|delete):[a-z0-9._-]+$/;\n    return permissionRegex.test(permission);\n  }\n\n  /**\n   * Validate UUID format\n   * @param uuid - UUID string to validate\n   * @returns True if valid, false otherwise\n   */\n  static validateUUID(uuid: string): boolean {\n    if (typeof uuid !== 'string' || uuid.length === 0) {\n      return false;\n    }\n\n    // More permissive UUID regex that allows all valid UUID versions\n    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n    return uuidRegex.test(uuid);\n  }\n\n  /**\n   * Validate scope object\n   * @param scope - Scope object to validate\n   * @returns True if valid, false otherwise\n   */\n  static validateScope(scope: Scope): boolean {\n    if (!scope || typeof scope !== 'object') {\n      return false;\n    }\n\n    // Organisation ID validation - reject empty strings\n    if (scope.organisationId !== undefined) {\n      // Reject empty strings - use undefined/null instead\n      if (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '') {\n        return false;\n      }\n      if (scope.organisationId && !this.validateUUID(scope.organisationId)) {\n        return false;\n      }\n    }\n\n    // Event ID should be a string if provided\n    if (scope.eventId && typeof scope.eventId !== 'string') {\n      return false;\n    }\n\n    // App ID should be a valid UUID if provided\n    if (scope.appId && !this.validateUUID(scope.appId)) {\n      return false;\n    }\n\n    // At least one valid field must be present\n    return !!(scope.organisationId || scope.eventId || scope.appId);\n  }\n\n  /**\n   * Sanitize input string to prevent injection attacks\n   * @param input - Input string to sanitize\n   * @returns Sanitized string\n   */\n  static sanitizeInput(input: string): string {\n    if (typeof input !== 'string') {\n      return '';\n    }\n\n    // Remove potentially dangerous characters\n    return input\n      .replace(/<[^>]*>/g, '') // Remove HTML tags\n      .replace(/[<>\\\"'&]/g, '') // Remove HTML/XML characters\n      .replace(/[;()]/g, '') // Remove SQL injection characters\n      .replace(/javascript:/gi, '') // Remove javascript: protocol\n      .replace(/data:/gi, '') // Remove data: protocol\n      .trim();\n  }\n\n  /**\n   * Validate user ID format\n   * @param userId - User ID to validate\n   * @returns True if valid, false otherwise\n   */\n  static validateUserId(userId: UUID): boolean {\n    return this.validateUUID(userId);\n  }\n\n  /**\n   * Check if permission is a wildcard permission\n   * @param permission - Permission string to check\n   * @returns True if wildcard, false otherwise\n   */\n  static isWildcardPermission(permission: string): boolean {\n    return permission.includes('*') || permission.endsWith(':*');\n  }\n\n  /**\n   * Validate permission hierarchy\n   * @param permission - Permission to validate\n   * @param requiredOperation - Required operation\n   * @returns True if permission matches or is higher in hierarchy\n   */\n  static validatePermissionHierarchy(permission: string, requiredOperation: string): boolean {\n    if (!this.validatePermission(permission)) {\n      return false;\n    }\n\n    const [operation] = permission.split(':');\n    // Only CRUD operations - 'manage' has been removed\n    const hierarchy = ['read', 'create', 'update', 'delete'];\n    \n    const permissionLevel = hierarchy.indexOf(operation);\n    const requiredLevel = hierarchy.indexOf(requiredOperation);\n    \n    if (permissionLevel === -1 || requiredLevel === -1) {\n      return false;\n    }\n\n    // Higher level permissions include lower level permissions\n    return permissionLevel >= requiredLevel;\n  }\n\n  /**\n   * Rate limiting check (placeholder for future implementation)\n   * @param userId - User ID\n   * @param operation - Operation being performed\n   * @returns True if within rate limit, false otherwise\n   */\n  static async checkRateLimit(userId: UUID, operation: string): Promise<boolean> {\n    // TODO: Implement actual rate limiting logic\n    // This could use Redis, in-memory cache, or database-based rate limiting\n    return true;\n  }\n\n\n  /**\n   * Log security event for monitoring\n   * @param event - Security event details\n   */\n  private static rateLimitWarningCount = new Map<UUID, { count: number; lastWarning: number }>();\n  private static readonly RATE_LIMIT_WARNING_THROTTLE_MS = 5000; // Only warn once per 5 seconds per user\n  \n  static logSecurityEvent(event: {\n    type:\n      | 'permission_denied'\n      | 'invalid_input'\n      | 'rate_limit_exceeded'\n      | 'suspicious_activity'\n      | 'network_error'\n      | 'database_error'\n      | 'validation_error'\n      | 'rate_limit_error'\n      | 'authentication_error'\n      | 'unknown_error';\n    userId: UUID;\n    details: Record<string, any>;\n    timestamp?: Date;\n  }): void {\n    const securityEvent = {\n      ...event,\n      timestamp: event.timestamp || new Date(),\n      severity: this.getEventSeverity(event.type),\n    };\n\n    // Throttle rate limit warnings to prevent console flooding\n    if (event.type === 'rate_limit_exceeded') {\n      const now = Date.now();\n      const userWarning = this.rateLimitWarningCount.get(event.userId);\n      \n      if (userWarning) {\n        const timeSinceLastWarning = now - userWarning.lastWarning;\n        if (timeSinceLastWarning < this.RATE_LIMIT_WARNING_THROTTLE_MS) {\n          // Still within throttle window - increment count but don't log\n          userWarning.count++;\n          this.rateLimitWarningCount.set(event.userId, userWarning);\n          return; // Skip logging to prevent console flooding\n        } else {\n          // Throttle window expired - log with count and reset\n          log.warn('Security event (throttled):', {\n            ...securityEvent,\n            details: {\n              ...securityEvent.details,\n              suppressedWarnings: userWarning.count,\n              message: `Rate limit exceeded (${userWarning.count + 1} times in last ${Math.round(timeSinceLastWarning / 1000)}s)`\n            }\n          });\n          this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });\n          return;\n        }\n      } else {\n        // First warning for this user - log it\n        this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });\n        log.warn('Security event:', securityEvent);\n        return;\n      }\n    }\n\n    // Log other security events normally\n    log.warn('Security event:', securityEvent);\n\n    // TODO: Send to security monitoring service\n  }\n\n  /**\n   * Get severity level for security event\n   * @param eventType - Type of security event\n   * @returns Severity level\n   */\n  private static getEventSeverity(eventType: string): 'low' | 'medium' | 'high' | 'critical' {\n    switch (eventType) {\n      case 'permission_denied':\n        return 'low';\n      case 'invalid_input':\n      case 'rate_limit_exceeded':\n      case 'rate_limit_error':\n      case 'network_error':\n        return 'medium';\n      case 'validation_error':\n        return 'high';\n      case 'authentication_error':\n      case 'database_error':\n        return 'critical';\n      case 'suspicious_activity':\n      case 'unknown_error':\n        return 'high';\n      default:\n        return 'low';\n    }\n  }\n}\n\n/**\n * Security configuration for RBAC system\n */\nexport interface RBACSecurityConfig {\n  enableInputValidation: boolean;\n  enableRateLimiting: boolean;\n  enableAuditLogging: boolean;\n  maxPermissionChecksPerMinute: number;\n  suspiciousActivityThreshold: number;\n}\n\n/**\n * Default security configuration\n */\nexport const DEFAULT_SECURITY_CONFIG: RBACSecurityConfig = {\n  enableInputValidation: true,\n  enableRateLimiting: true,\n  enableAuditLogging: true,\n  maxPermissionChecksPerMinute: 1000, // Increased from 100 to 1000 for normal app usage\n  suspiciousActivityThreshold: 10,\n};\n\n/**\n * Security context for RBAC operations\n * \n * OrganisationId is required - it can always be derived from event context in event-based apps.\n * If organisation context is not available, the operation should fail rather than proceed without context.\n */\nexport interface SecurityContext {\n  userId: UUID;\n  organisationId: UUID | null; // Required for resource-level permissions, null for page-level permissions (database handles NULL)\n  ipAddress?: string;\n  userAgent?: string;\n  timestamp: Date;\n}\n\n/**\n * Security middleware for RBAC operations\n */\nexport class RBACSecurityMiddleware {\n  private config: RBACSecurityConfig;\n\n  constructor(config: RBACSecurityConfig = DEFAULT_SECURITY_CONFIG) {\n    this.config = config;\n    this._startCleanupInterval();\n  }\n\n  /**\n   * Start periodic cleanup of expired entries\n   */\n  private _startCleanupInterval(): void {\n    // Clear expired entries every 5 minutes\n    setInterval(() => {\n      this.clearExpiredEntries();\n    }, 5 * 60 * 1000);\n  }\n\n  /**\n   * Validate input before processing\n   * @param input - Input to validate\n   * @param context - Security context\n   * @returns Validation result\n   */\n  async validateInput(input: any, context: SecurityContext): Promise<{\n    isValid: boolean;\n    errors: string[];\n  }> {\n    const errors: string[] = [];\n\n    // Core validations are always enforced regardless of configuration\n    if (!RBACSecurityValidator.validateUserId(context.userId)) {\n      errors.push('Invalid user ID format');\n    }\n\n    // For page-level permissions, organisationId can be null (database handles it)\n    // For resource-level permissions, organisationId is required\n    const isPagePermission = input.permission?.includes(':page.') || !!input.pageId;\n    const requiresOrgId = !isPagePermission;\n\n    // OrganisationId validation - only required for resource-level permissions\n    if (requiresOrgId) {\n      if (!context.organisationId) {\n        errors.push('Organisation ID is required for resource-level permissions');\n      } else if (!RBACSecurityValidator.validateUUID(context.organisationId)) {\n        errors.push('Invalid organisation ID format');\n      }\n    } else {\n      // For page-level permissions, organisationId can be null, but if provided, it must be valid\n      if (context.organisationId && !RBACSecurityValidator.validateUUID(context.organisationId)) {\n        errors.push('Invalid organisation ID format');\n      }\n    }\n\n    if (input.permission && !RBACSecurityValidator.validatePermission(input.permission)) {\n      errors.push('Invalid permission format');\n    }\n\n    if (input.scope && !RBACSecurityValidator.validateScope(input.scope)) {\n      errors.push('Invalid scope format');\n    }\n\n    if (this.config.enableInputValidation) {\n      if (context.ipAddress && typeof context.ipAddress !== 'string') {\n        errors.push('Invalid IP address format');\n      }\n\n      if (context.userAgent && typeof context.userAgent !== 'string') {\n        errors.push('Invalid user agent format');\n      }\n    }\n\n    // Log suspicious activity\n    if (errors.length > 0) {\n      RBACSecurityValidator.logSecurityEvent({\n        type: 'invalid_input',\n        userId: context.userId,\n        details: { errors, input: this.sanitizeInput(JSON.stringify(input)) },\n      });\n    }\n\n    return {\n      isValid: errors.length === 0,\n      errors,\n    };\n  }\n\n  /**\n   * Check rate limiting\n   * @param context - Security context\n   * @returns Rate limit check result\n   */\n  async checkRateLimit(context: SecurityContext): Promise<{\n    isAllowed: boolean;\n    remaining: number;\n  }> {\n    if (!this.config.enableRateLimiting) {\n      return { isAllowed: true, remaining: this.config.maxPermissionChecksPerMinute };\n    }\n\n    // Implementation: In-memory rate limiting with sliding window\n    // For production, consider using Redis or Supabase Edge Functions\n    const isAllowed = await this._checkRateLimitInternal(context.userId);\n    \n    const remaining = isAllowed ? this.config.maxPermissionChecksPerMinute - this._getRequestCount(context.userId) : 0;\n\n    return {\n      isAllowed,\n      remaining: Math.max(0, remaining),\n    };\n  }\n\n  /**\n   * In-memory rate limiting cache (sliding window)\n   * Note: For production, this should use Redis or Supabase Edge Functions\n   */\n  private rateLimitCache = new Map<UUID, Array<{ timestamp: number }>>();\n\n  private async _checkRateLimitInternal(userId: UUID): Promise<boolean> {\n    const now = Date.now();\n    const windowMs = 60 * 1000; // 1 minute window\n\n    // Get or create rate limit entries for this user\n    const entries = this.rateLimitCache.get(userId) || [];\n    \n    // Remove entries outside the time window\n    const validEntries = entries.filter(entry => now - entry.timestamp < windowMs);\n    \n    // Check if user exceeded rate limit\n    const requestCount = validEntries.length;\n    const isAllowed = requestCount < this.config.maxPermissionChecksPerMinute;\n    \n    // If allowed, add current request\n    if (isAllowed) {\n      validEntries.push({ timestamp: now });\n    }\n    \n    // Update cache\n    this.rateLimitCache.set(userId, validEntries);\n    \n    return isAllowed;\n  }\n\n  private _getRequestCount(userId: UUID): number {\n    const now = Date.now();\n    const windowMs = 60 * 1000; // 1 minute window\n    \n    const entries = this.rateLimitCache.get(userId) || [];\n    const validEntries = entries.filter(entry => now - entry.timestamp < windowMs);\n    \n    return validEntries.length;\n  }\n\n  /**\n   * Clear old rate limit entries to prevent memory leaks\n   * Should be called periodically (e.g., every 5 minutes)\n   */\n  private clearExpiredEntries(): void {\n    const now = Date.now();\n    const windowMs = 60 * 1000; // 1 minute window\n    \n    for (const [userId, entries] of this.rateLimitCache.entries()) {\n      const validEntries = entries.filter(entry => now - entry.timestamp < windowMs);\n      \n      if (validEntries.length === 0) {\n        this.rateLimitCache.delete(userId);\n      } else {\n        this.rateLimitCache.set(userId, validEntries);\n      }\n    }\n  }\n\n  /**\n   * Sanitize input data\n   * @param input - Input to sanitize\n   * @returns Sanitized input\n   */\n  private sanitizeInput(input: string): string {\n    return RBACSecurityValidator.sanitizeInput(input);\n  }\n}\n","/**\n * RBAC Configuration\n * @package @jmruthers/pace-core\n * @module RBAC/Config\n * @since 1.0.0\n * \n * This module provides configuration options for the RBAC system.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { RBACSecurityConfig } from './security';\n\nexport type LogLevel = 'error' | 'warn' | 'info' | 'debug';\n\nexport interface RBACConfig {\n  supabase: SupabaseClient<Database>;\n  debug?: boolean;\n  logLevel?: LogLevel;\n  developmentMode?: boolean;\n  mockPermissions?: Record<string, boolean>;\n  cache?: {\n    ttl?: number;\n    enabled?: boolean;\n    sessionTtl?: number; // Session cache TTL in milliseconds (default: 5 minutes)\n  };\n  audit?: {\n    enabled?: boolean;\n    logLevel?: LogLevel;\n    batched?: boolean; // Enable batched audit logging (default: true)\n    batchWindow?: number; // Time window in milliseconds (default: 100ms)\n    batchSize?: number; // Maximum batch size (default: 10)\n  };\n  security?: Partial<RBACSecurityConfig>;\n  performance?: {\n    enableRequestDeduplication?: boolean; // Enable request deduplication (default: true)\n    enableBatchedAuditLogging?: boolean; // Enable batched audit logging (default: true)\n    enablePerformanceTracking?: boolean; // Enable performance tracking (default: false in production)\n  };\n}\n\nexport interface RBACLogger {\n  error: (message: string, ...args: unknown[]) => void;\n  warn: (message: string, ...args: unknown[]) => void;\n  info: (message: string, ...args: unknown[]) => void;\n  debug: (message: string, ...args: unknown[]) => void;\n}\n\nclass RBACConfigManager {\n  private config: RBACConfig | null = null;\n  private logger: RBACLogger | null = null;\n\n  setConfig(config: RBACConfig): void {\n    this.config = config;\n    this.setupLogger();\n  }\n\n  getConfig(): RBACConfig | null {\n    return this.config;\n  }\n\n  getLogger(): RBACLogger {\n    if (!this.logger) {\n      this.logger = this.createDefaultLogger();\n    }\n    return this.logger;\n  }\n\n  private setupLogger(): void {\n    if (!this.config) return;\n\n    const { debug = false, logLevel = 'warn' } = this.config;\n    \n    this.logger = {\n      error: (message: string, ...args: unknown[]) => {\n        console.error(`[RBAC ERROR] ${message}`, ...args);\n      },\n      warn: (message: string, ...args: unknown[]) => {\n        if (logLevel === 'warn' || logLevel === 'info' || logLevel === 'debug') {\n          console.warn(`[RBAC WARN] ${message}`, ...args);\n        }\n      },\n      info: (message: string, ...args: unknown[]) => {\n        if (logLevel === 'info' || logLevel === 'debug') {\n          console.info(`[RBAC INFO] ${message}`, ...args);\n        }\n      },\n      debug: (message: string, ...args: unknown[]) => {\n        if (debug && logLevel === 'debug') {\n          console.debug(`[RBAC DEBUG] ${message}`, ...args);\n        }\n      },\n    };\n  }\n\n  private createDefaultLogger(): RBACLogger {\n    return {\n      error: (message: string, ...args: unknown[]) => console.error(`[RBAC ERROR] ${message}`, ...args),\n      warn: (message: string, ...args: unknown[]) => console.warn(`[RBAC WARN] ${message}`, ...args),\n      info: (message: string, ...args: unknown[]) => console.info(`[RBAC INFO] ${message}`, ...args),\n      debug: (message: string, ...args: unknown[]) => console.debug(`[RBAC DEBUG] ${message}`, ...args),\n    };\n  }\n\n  isDebugMode(): boolean {\n    return this.config?.debug ?? false;\n  }\n\n  isDevelopmentMode(): boolean {\n    return this.config?.developmentMode ?? false;\n  }\n\n  getMockPermissions(): Record<string, boolean> | null {\n    return this.config?.mockPermissions ?? null;\n  }\n}\n\n// Global config manager instance\nconst configManager = new RBACConfigManager();\n\nexport function createRBACConfig(config: RBACConfig): RBACConfig {\n  configManager.setConfig(config);\n  return config;\n}\n\nexport function getRBACConfig(): RBACConfig | null {\n  return configManager.getConfig();\n}\n\nexport function getRBACLogger(): RBACLogger {\n  return configManager.getLogger();\n}\n\nexport function isDebugMode(): boolean {\n  return configManager.isDebugMode();\n}\n\nexport function isDevelopmentMode(): boolean {\n  return configManager.isDevelopmentMode();\n}\n\nexport function getMockPermissions(): Record<string, boolean> | null {\n  return configManager.getMockPermissions();\n}\n","/**\n * RBAC Core Engine - Simplified Version\n * @package @jmruthers/pace-core\n * @module RBAC/Engine\n * @since 2.0.0\n * \n * This is a drastically simplified version that delegates permission checking to a single RPC function.\n * All the complex grant collection logic has been moved to the database for better performance and security.\n * \n * BREAKING CHANGES FROM v1:\n * - No more client-side grant collection\n * - No more complex permission resolution algorithm\n * - Single RPC call for all permission checks\n * - Caching is still supported for performance\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport {\n  UUID,\n  Permission,\n  Scope,\n  PermissionCheck,\n  AccessLevel,\n  PermissionMap,\n  Operation,\n  RBACAppContext,\n  RBACRoleContext,\n  RBACPermission,\n} from './types';\nimport { rbacCache, RBACCache } from './cache';\nimport { emitAuditEvent } from './audit';\nimport { initializeCacheInvalidation } from './cache-invalidation';\nimport { categorizeError, mapErrorCategoryToSecurityEventType } from './errors';\nimport { \n  RBACSecurityValidator, \n  RBACSecurityMiddleware, \n  SecurityContext,\n  DEFAULT_SECURITY_CONFIG,\n  RBACSecurityConfig\n} from './security';\nimport { getRBACLogger } from './config';\n\n/**\n * Simplified RBAC Engine\n * \n * Delegates all permission checks to the database via a single RPC function.\n * This reduces complexity, improves performance, and enhances security.\n */\nexport class RBACEngine {\n  private supabase: SupabaseClient<Database>;\n  private securityMiddleware: RBACSecurityMiddleware;\n\n  constructor(supabase: SupabaseClient<Database>, securityConfig?: Partial<RBACSecurityConfig>) {\n    this.supabase = supabase;\n    // Merge provided security config with defaults\n    const mergedSecurityConfig: RBACSecurityConfig = {\n      ...DEFAULT_SECURITY_CONFIG,\n      ...securityConfig,\n    };\n    this.securityMiddleware = new RBACSecurityMiddleware(mergedSecurityConfig);\n    \n    // Initialize cache invalidation for automatic cache clearing\n    initializeCacheInvalidation(supabase);\n  }\n\n  /**\n   * Check if a user has a specific permission\n   * \n   * This method now delegates to the database RPC function for all the heavy lifting.\n   * \n   * @param input - Permission check input\n   * @param securityContext - Security context for validation (required)\n   * @returns Promise resolving to permission result\n   */\n  async isPermitted(input: PermissionCheck, securityContext: SecurityContext): Promise<boolean> {\n    const startTime = Date.now();\n    const { userId, permission, scope, pageId } = input;\n    \n    // Track cache usage for audit\n    let cacheHit = false;\n    let cacheSource: 'memory' | 'rpc' = 'rpc';\n\n    try {\n      // ========================================================================\n      // STEP 1: Security Validation & Rate Limiting (MANDATORY)\n      // ========================================================================\n      \n      // Validate input\n      const validation = await this.securityMiddleware.validateInput(input, securityContext);\n      if (!validation.isValid) {\n        RBACSecurityValidator.logSecurityEvent({\n          type: 'invalid_input',\n          userId,\n          details: { errors: validation.errors, input: JSON.stringify(input) },\n        });\n        return false;\n      }\n\n      // Check rate limits\n      const rateLimit = await this.securityMiddleware.checkRateLimit(securityContext);\n      if (!rateLimit.isAllowed) {\n        RBACSecurityValidator.logSecurityEvent({\n          type: 'rate_limit_exceeded',\n          userId,\n          details: { remaining: rateLimit.remaining },\n        });\n        return false;\n      }\n\n      // Validate user ID format\n      if (!RBACSecurityValidator.validateUserId(userId)) {\n        RBACSecurityValidator.logSecurityEvent({\n          type: 'invalid_input',\n          userId,\n          details: { error: 'Invalid user ID format' },\n        });\n        return false;\n      }\n\n      // Validate permission format\n      if (!RBACSecurityValidator.validatePermission(permission)) {\n        RBACSecurityValidator.logSecurityEvent({\n          type: 'invalid_input',\n          userId,\n          details: { error: 'Invalid permission format', permission },\n        });\n        return false;\n      }\n\n      // Validate scope format\n      if (!RBACSecurityValidator.validateScope(scope)) {\n        RBACSecurityValidator.logSecurityEvent({\n          type: 'invalid_input',\n          userId,\n          details: { error: 'Invalid scope format', scope },\n        });\n        return false;\n      }\n\n      // ========================================================================\n      // STEP 2: Check Cache (OPTIONAL - for performance)\n      // ========================================================================\n      \n      const cacheKey = RBACCache.generateKey(\n        userId,\n        permission,\n        scope.organisationId,\n        scope.eventId,\n        scope.appId,\n        pageId\n      );\n      \n      const cached = rbacCache.get<boolean>(cacheKey);\n      if (cached !== null) {\n        cacheHit = true;\n        cacheSource = 'memory';\n        \n        // Skip audit logging for cached checks (only log on cache miss)\n        // This significantly reduces network requests\n        return cached;\n      }\n\n      // ========================================================================\n      // STEP 3: Call Simplified RPC Function (SINGLE DATABASE CALL)\n      // ========================================================================\n      \n      // This single RPC call replaces hundreds of lines of complex client-side logic:\n      // - No more super admin checks here (RPC handles it)\n      // - No more grant collection (RPC handles it)\n      // - No more permission matching (RPC handles it)\n      // - No more deny-override-allow logic (RPC handles it)\n      \n      const { data, error } = await (this.supabase as any).rpc('rbac_check_permission_simplified', {\n        p_user_id: userId,\n        p_permission: permission,\n        p_organisation_id: scope.organisationId || undefined,\n        p_event_id: scope.eventId || undefined,\n        p_app_id: scope.appId || undefined,\n        p_page_id: pageId || undefined,\n      });\n\n      if (error) {\n        const logger = getRBACLogger();\n        logger.error('RPC error:', error);\n\n        const category = categorizeError(error);\n        const eventType = mapErrorCategoryToSecurityEventType(category);\n        const errorDetails = error as { message?: string; code?: string; hint?: string; details?: string };\n\n        RBACSecurityValidator.logSecurityEvent({\n          type: eventType,\n          userId,\n          details: {\n            error: errorDetails?.message || 'RPC call failed',\n            code: errorDetails?.code,\n            hint: errorDetails?.hint,\n            details: errorDetails?.details,\n            permission,\n            scope: JSON.stringify(scope),\n            category,\n          },\n        });\n\n        // Fail securely - deny on error\n        return false;\n      }\n\n      const hasPermission = data === true;\n      \n      // ========================================================================\n      // STEP 4: Cache Result & Audit (COMPLETION)\n      // ========================================================================\n      \n      // Cache the result for 60 seconds\n      rbacCache.set(cacheKey, hasPermission, 60000);\n      \n      const duration = Date.now() - startTime;\n      \n      // Emit audit event (if organisation context exists)\n      if (scope.organisationId) {\n        const resolvedPageId = await this.resolvePageId(pageId, scope.appId);\n        await emitAuditEvent({\n          type: hasPermission ? 'permission_check' : 'permission_denied',\n          userId,\n          organisationId: scope.organisationId,\n          eventId: scope.eventId,\n          appId: scope.appId,\n          pageId: resolvedPageId,\n          permission,\n          decision: hasPermission,\n          source: 'api',\n          duration_ms: duration,\n          cache_hit: cacheHit,\n          cache_source: cacheSource,\n        });\n      }\n\n      return hasPermission;\n      \n    } catch (error) {\n      const category = categorizeError(error);\n      const eventType = mapErrorCategoryToSecurityEventType(category);\n      const errorMessage = error instanceof Error ? error.message : 'Unknown error';\n\n      RBACSecurityValidator.logSecurityEvent({\n        type: eventType,\n        userId,\n        details: {\n          error: errorMessage,\n          permission,\n          scope: JSON.stringify(scope),\n          category,\n        },\n      });\n\n      // Fail securely - deny access on error\n      const logger = getRBACLogger();\n      logger.error('Permission check failed:', error);\n      return false;\n    }\n  }\n\n  /**\n   * Get user's access level in a scope\n   * \n   * This is derived from roles, not permissions.\n   * \n   * @param input - Access level input\n   * @returns Promise resolving to access level\n   */\n  async getAccessLevel(input: { userId: UUID; scope: Scope }): Promise<AccessLevel> {\n    const { userId, scope } = input;\n\n    // Check cache first\n    const cacheKey = RBACCache.generateAccessLevelKey(\n      userId,\n      scope.organisationId || '',\n      scope.eventId,\n      scope.appId\n    );\n    \n    const cached = rbacCache.get<AccessLevel>(cacheKey);\n    if (cached) {\n      return cached;\n    }\n\n    const now = new Date().toISOString();\n\n    // Check super admin\n    const isSuperAdmin = await this.checkSuperAdmin(userId);\n    if (isSuperAdmin) {\n      rbacCache.set(cacheKey, 'super', 60000);\n      return 'super';\n    }\n\n    // Check organisation role\n    if (scope.organisationId) {\n      const { data: orgRoles } = await this.supabase\n        .from('rbac_organisation_roles')\n        .select('role')\n        .eq('user_id', userId)\n        .eq('organisation_id', scope.organisationId)\n        .eq('status', 'active')\n        .is('revoked_at', null)\n        .lte('valid_from', now)\n        .or(`valid_to.is.null,valid_to.gte.${now}`)\n        .limit(1) as { data: Array<{ role: string }> | null; error: any };\n\n      const orgRole = orgRoles?.[0];\n\n      if (orgRole?.role === 'org_admin') {\n        rbacCache.set(cacheKey, 'admin', 60000);\n        return 'admin';\n      }\n    }\n\n    // Check event-app role\n    if (scope.eventId && scope.appId) {\n      const { data: eventRole } = await this.supabase\n        .from('rbac_event_app_roles')\n        .select('role')\n        .eq('user_id', userId)\n        .eq('event_id', scope.eventId)\n        .eq('app_id', scope.appId)\n        .eq('status', 'active')\n        .lte('valid_from', now)\n        .or(`valid_to.is.null,valid_to.gte.${now}`)\n        .single() as { data: { role: string } | null; error: any };\n\n      if (eventRole?.role === 'event_admin') {\n        rbacCache.set(cacheKey, 'admin', 60000);\n        return 'admin';\n      }\n      if (eventRole?.role === 'planner') {\n        rbacCache.set(cacheKey, 'planner', 60000);\n        return 'planner';\n      }\n      if (eventRole?.role === 'participant') {\n        rbacCache.set(cacheKey, 'participant', 60000);\n        return 'participant';\n      }\n    }\n\n    // Default to viewer\n    rbacCache.set(cacheKey, 'viewer', 60000);\n    return 'viewer';\n  }\n\n  /**\n   * Get user's permission map for a scope\n   * \n   * This builds a map of page IDs to allowed operations.\n   * Uses the simplified RPC for each permission check.\n   * \n   * @param input - Permission map input\n   * @returns Promise resolving to permission map\n   */\n  async getPermissionMap(input: { userId: UUID; scope: Scope }): Promise<PermissionMap> {\n    const { userId, scope } = input;\n\n    // Generate cache key early so it's available for super admin caching\n    const cacheKey = RBACCache.generatePermissionMapKey(\n      userId,\n      scope.organisationId || '',\n      scope.eventId,\n      scope.appId\n    );\n\n    // Check super admin first - super admins have all permissions\n    const isSuperAdmin = await this.checkSuperAdmin(userId);\n    if (isSuperAdmin) {\n      const wildcardMap: PermissionMap = { '*': true };\n      rbacCache.set(cacheKey, wildcardMap, 60000);\n      return wildcardMap;\n    }\n\n    // Validate scope\n    if (!scope.organisationId) {\n      return {}; // No permissions without valid context\n    }\n\n    // Check cache first\n    \n    const cached = rbacCache.get<PermissionMap>(cacheKey);\n    if (cached) {\n      return cached;\n    }\n\n    const permissionMap: PermissionMap = {};\n\n    // Get all pages for the app\n    if (scope.appId) {\n      const { data: pages } = await this.supabase\n        .from('rbac_app_pages')\n        .select('id, page_name')\n        .eq('app_id', scope.appId) as { data: Array<{ id: string; page_name: string }> | null };\n\n      if (pages) {\n        // OrganisationId is required for permission checks\n        if (!scope.organisationId) {\n          // Return empty permission map if no organisation context\n          rbacCache.set(cacheKey, permissionMap, 60000);\n          return permissionMap;\n        }\n\n        // Create a security context for permission checks\n        const securityContext: SecurityContext = {\n          userId,\n          organisationId: scope.organisationId, // Required\n          timestamp: new Date(),\n        };\n\n        for (const page of pages) {\n          // Check each CRUD operation\n          // Permission format: {operation}:page.{pageName} (e.g., read:page.meals)\n          for (const operation of ['read', 'create', 'update', 'delete'] as Operation[]) {\n            const permissionString = `${operation}:page.${page.page_name}`;\n            const hasPermission = await this.isPermitted(\n              {\n                userId,\n                scope,\n                permission: permissionString as Permission,\n                pageId: page.id,\n              },\n              securityContext\n            );\n\n            const permissionKey = permissionString as Permission;\n            permissionMap[permissionKey] = hasPermission;\n          }\n        }\n      }\n    }\n\n    rbacCache.set(cacheKey, permissionMap, 60000);\n    return permissionMap;\n  }\n\n  async resolveAppContext(input: { userId: UUID; appName: string }): Promise<RBACAppContext | null> {\n    try {\n      const { userId, appName } = input;\n      const { data, error } = await (this.supabase as any).rpc('util_app_resolve', {\n        p_user_id: userId,\n        p_app_name: appName,\n      });\n\n      if (error) {\n        const logger = getRBACLogger();\n        logger.error('Failed to resolve app context:', error);\n        return null;\n      }\n\n      if (!data || data.length === 0) {\n        return null;\n      }\n\n      const appData = data[0] as { app_id: UUID; has_access: boolean };\n      if (!appData?.app_id) {\n        return null;\n      }\n\n      return {\n        appId: appData.app_id,\n        hasAccess: appData.has_access !== false,\n      };\n    } catch (error) {\n      const logger = getRBACLogger();\n      logger.error('Unexpected error resolving app context:', error);\n      return null;\n    }\n  }\n\n  async getRoleContext(input: { userId: UUID; scope: Scope }): Promise<RBACRoleContext> {\n    const result: RBACRoleContext = {\n      globalRole: null,\n      organisationRole: null,\n      eventAppRole: null,\n    };\n\n    try {\n      const { userId, scope } = input;\n      // Call unified function (tech debt removed: consolidated from 2 overloaded versions)\n      const { data, error } = await (this.supabase as any).rpc('rbac_permissions_get', {\n        p_user_id: userId,\n        p_organisation_id: scope.organisationId || null,\n        p_event_id: scope.eventId || null,\n        p_app_id: scope.appId || null,\n        p_page_id: null, // Optional: can filter to specific page if needed\n      });\n\n      if (error) {\n        const logger = getRBACLogger();\n        logger.error('Failed to load role context:', error);\n        return result;\n      }\n\n      if (!Array.isArray(data)) {\n        return result;\n      }\n\n      for (const permission of data as RBACPermission[]) {\n        if (permission.permission_type === 'all_permissions') {\n          result.globalRole = 'super_admin';\n        }\n\n        if (permission.permission_type === 'organisation_access') {\n          result.organisationRole = permission.role_name as any;\n        }\n\n        if (permission.permission_type === 'event_app_access') {\n          result.eventAppRole = permission.role_name as any;\n        }\n      }\n\n      return result;\n    } catch (error) {\n      const logger = getRBACLogger();\n      logger.error('Unexpected error loading role context:', error);\n      return result;\n    }\n  }\n\n  /**\n   * Check if user is super admin\n   * \n   * @param userId - User ID\n   * @returns Promise resolving to super admin status\n   */\n  private async checkSuperAdmin(userId: UUID): Promise<boolean> {\n    // Check cache first\n    const cacheKey = `super_admin:${userId}`;\n    const cached = rbacCache.get<boolean>(cacheKey);\n    if (cached !== null) {\n      return cached;\n    }\n\n    const startTime = Date.now();\n    const now = new Date().toISOString();\n    \n    try {\n      const { data, error } = await this.supabase\n        .from('rbac_global_roles')\n        .select('role')\n        .eq('user_id', userId)\n        .eq('role', 'super_admin')\n        .lte('valid_from', now)\n        .or(`valid_to.is.null,valid_to.gte.${now}`)\n        .limit(1) as { data: Array<{ role: string }> | null; error: any };\n\n      const elapsed = Date.now() - startTime;\n      \n      // Log warning if query takes too long\n      if (elapsed > 2000) {\n        console.warn('[RBACEngine] Super admin check took longer than expected', {\n          userId,\n          elapsedMs: elapsed,\n          error: error?.message,\n        });\n      }\n\n      const isSuperAdmin = !error && data && data.length > 0;\n      \n      // Cache for 60 seconds\n      rbacCache.set(cacheKey, isSuperAdmin, 60000);\n      \n      return Boolean(isSuperAdmin);\n    } catch (err) {\n      const elapsed = Date.now() - startTime;\n      console.error('[RBACEngine] Error checking super admin', {\n        userId,\n        error: err,\n        elapsedMs: elapsed,\n      });\n      // Return false on error (fail secure)\n      return false;\n    }\n  }\n\n  /**\n   * Resolve a page ID to UUID if it's a page name\n   * \n   * @param pageId - Page ID (UUID) or page name (string)\n   * @param appId - App ID to look up the page\n   * @returns Resolved page ID (UUID) or original pageId\n   */\n  private async resolvePageId(pageId?: UUID | string, appId?: UUID): Promise<UUID | string | undefined> {\n    if (!pageId) {\n      return undefined;\n    }\n\n    // Check if it's already a UUID\n    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n    if (uuidRegex.test(pageId)) {\n      return pageId as UUID;\n    }\n\n    // It's a page name, but we need appId to resolve it\n    if (!appId) {\n      return pageId;\n    }\n\n    // Resolve page name to UUID\n    try {\n      // Use maybeSingle() instead of single() to avoid 406 errors when page doesn't exist\n      // This handles the case where the page might not exist gracefully\n      const { data: page, error: pageError } = await this.supabase\n        .from('rbac_app_pages')\n        .select('id')\n        .eq('app_id', appId)\n        .eq('page_name', pageId)\n        .maybeSingle() as { data: { id: UUID } | null; error: any };\n      \n      // If there's an error (including 406 Not Acceptable), log it but don't throw\n      if (pageError) {\n        const logger = getRBACLogger();\n        // Only log if it's not a \"not found\" error (PGRST116)\n        if (pageError.code !== 'PGRST116') {\n          logger.warn('Failed to resolve page name to UUID:', { pageId, appId, error: pageError });\n        }\n        return pageId;\n      }\n      \n      return page?.id || pageId;\n    } catch (error) {\n      const logger = getRBACLogger();\n      logger.warn('Failed to resolve page name to UUID:', { pageId, appId, error });\n      return pageId;\n    }\n  }\n}\n\n/**\n * Create an RBAC engine instance\n * \n * @param supabase - Supabase client\n * @param securityConfig - Optional security configuration\n * @returns RBACEngine instance\n */\nexport function createRBACEngine(\n  supabase: SupabaseClient<Database>,\n  securityConfig?: Partial<RBACSecurityConfig>\n): RBACEngine {\n  return new RBACEngine(supabase, securityConfig);\n}\n\n","/**\n * Performance Monitoring for RBAC\n * @package @jmruthers/pace-core\n * @module RBAC/Performance\n * @since 2.0.0\n * \n * This module provides performance monitoring and metrics tracking for RBAC operations.\n */\n\nexport interface RBACPerformanceMetrics {\n  /** Total number of permission checks */\n  totalChecks: number;\n  /** Number of cache hits */\n  cacheHits: number;\n  /** Number of cache misses */\n  cacheMisses: number;\n  /** Cache hit rate (0-1) */\n  cacheHitRate: number;\n  /** Number of deduplicated requests */\n  deduplicatedRequests: number;\n  /** Total number of network requests made */\n  networkRequests: number;\n  /** Average response time in milliseconds */\n  averageResponseTime: number;\n  /** Total response time in milliseconds */\n  totalResponseTime: number;\n  /** Number of batched audit events */\n  batchedAuditEvents: number;\n  /** Number of individual audit events */\n  individualAuditEvents: number;\n}\n\nclass RBACPerformanceMonitor {\n  private metrics: RBACPerformanceMetrics = {\n    totalChecks: 0,\n    cacheHits: 0,\n    cacheMisses: 0,\n    cacheHitRate: 0,\n    deduplicatedRequests: 0,\n    networkRequests: 0,\n    averageResponseTime: 0,\n    totalResponseTime: 0,\n    batchedAuditEvents: 0,\n    individualAuditEvents: 0,\n  };\n\n  private enabled: boolean = false;\n\n  /**\n   * Enable or disable performance monitoring\n   */\n  setEnabled(enabled: boolean): void {\n    this.enabled = enabled;\n  }\n\n  /**\n   * Check if performance monitoring is enabled\n   */\n  isEnabled(): boolean {\n    return this.enabled;\n  }\n\n  /**\n   * Record a permission check\n   */\n  recordCheck(cacheHit: boolean, responseTime: number, wasDeduplicated: boolean = false): void {\n    if (!this.enabled) {\n      return;\n    }\n\n    this.metrics.totalChecks++;\n    \n    if (cacheHit) {\n      this.metrics.cacheHits++;\n    } else {\n      this.metrics.cacheMisses++;\n      this.metrics.networkRequests++;\n    }\n\n    if (wasDeduplicated) {\n      this.metrics.deduplicatedRequests++;\n    }\n\n    this.metrics.totalResponseTime += responseTime;\n    this.metrics.averageResponseTime = this.metrics.totalResponseTime / this.metrics.totalChecks;\n    this.metrics.cacheHitRate = this.metrics.cacheHits / this.metrics.totalChecks;\n  }\n\n  /**\n   * Record an audit event\n   */\n  recordAuditEvent(batched: boolean): void {\n    if (!this.enabled) {\n      return;\n    }\n\n    if (batched) {\n      this.metrics.batchedAuditEvents++;\n    } else {\n      this.metrics.individualAuditEvents++;\n    }\n  }\n\n  /**\n   * Get current metrics\n   */\n  getMetrics(): RBACPerformanceMetrics {\n    return { ...this.metrics };\n  }\n\n  /**\n   * Reset all metrics\n   */\n  reset(): void {\n    this.metrics = {\n      totalChecks: 0,\n      cacheHits: 0,\n      cacheMisses: 0,\n      cacheHitRate: 0,\n      deduplicatedRequests: 0,\n      networkRequests: 0,\n      averageResponseTime: 0,\n      totalResponseTime: 0,\n      batchedAuditEvents: 0,\n      individualAuditEvents: 0,\n    };\n  }\n\n  /**\n   * Get metrics summary as a formatted string\n   */\n  getSummary(): string {\n    const m = this.metrics;\n    return `\nRBAC Performance Metrics:\n  Total Checks: ${m.totalChecks}\n  Cache Hits: ${m.cacheHits} (${(m.cacheHitRate * 100).toFixed(1)}%)\n  Cache Misses: ${m.cacheMisses}\n  Deduplicated Requests: ${m.deduplicatedRequests}\n  Network Requests: ${m.networkRequests}\n  Average Response Time: ${m.averageResponseTime.toFixed(2)}ms\n  Batched Audit Events: ${m.batchedAuditEvents}\n  Individual Audit Events: ${m.individualAuditEvents}\n`;\n  }\n}\n\n// Global performance monitor instance\nconst performanceMonitor = new RBACPerformanceMonitor();\n\n/**\n * Enable performance monitoring\n */\nexport function enablePerformanceMonitoring(): void {\n  performanceMonitor.setEnabled(true);\n}\n\n/**\n * Disable performance monitoring\n */\nexport function disablePerformanceMonitoring(): void {\n  performanceMonitor.setEnabled(false);\n}\n\n/**\n * Check if performance monitoring is enabled\n */\nexport function isPerformanceMonitoringEnabled(): boolean {\n  return performanceMonitor.isEnabled();\n}\n\n/**\n * Record a permission check\n */\nexport function recordPermissionCheck(\n  cacheHit: boolean,\n  responseTime: number,\n  wasDeduplicated: boolean = false\n): void {\n  performanceMonitor.recordCheck(cacheHit, responseTime, wasDeduplicated);\n}\n\n/**\n * Record an audit event\n */\nexport function recordAuditEvent(batched: boolean): void {\n  performanceMonitor.recordAuditEvent(batched);\n}\n\n/**\n * Get current performance metrics\n */\nexport function getPerformanceMetrics(): RBACPerformanceMetrics {\n  return performanceMonitor.getMetrics();\n}\n\n/**\n * Reset performance metrics\n */\nexport function resetPerformanceMetrics(): void {\n  performanceMonitor.reset();\n}\n\n/**\n * Get performance metrics summary\n */\nexport function getPerformanceSummary(): string {\n  return performanceMonitor.getSummary();\n}\n\n","/**\n * Request Deduplication for RBAC Permission Checks\n * @package @jmruthers/pace-core\n * @module RBAC/RequestDeduplication\n * @since 2.0.0\n * \n * This module provides request deduplication to prevent multiple identical\n * permission checks from being made simultaneously. When multiple components\n * request the same permission at the same time, they share the same promise.\n */\n\nimport { PermissionCheck } from './types';\nimport { RBACCache } from './cache';\n\n/**\n * Map of in-flight permission check requests\n * Key: cache key string, Value: Promise<boolean>\n */\nconst inFlightRequests = new Map<string, Promise<boolean>>();\n\n/**\n * Generate a deduplication key from permission check input\n * \n * @param input - Permission check input\n * @returns Deduplication key string\n */\nfunction generateDeduplicationKey(input: PermissionCheck): string {\n  return RBACCache.generatePermissionKey({\n    userId: input.userId,\n    organisationId: input.scope.organisationId, // Can be undefined for page-level permissions\n    eventId: input.scope.eventId,\n    appId: input.scope.appId,\n    permission: input.permission,\n    pageId: input.pageId,\n  });\n}\n\n/**\n * Get or create a deduplicated permission check request\n * \n * If a request for the same permission is already in-flight, returns the existing promise.\n * Otherwise, creates a new request and tracks it.\n * \n * @param input - Permission check input\n * @param checkFn - Function to perform the actual permission check\n * @returns Promise resolving to permission result\n */\nexport async function getOrCreateRequest(\n  input: PermissionCheck,\n  checkFn: (input: PermissionCheck) => Promise<boolean>\n): Promise<boolean> {\n  const key = generateDeduplicationKey(input);\n  \n  // Check if request is already in-flight\n  const existingRequest = inFlightRequests.get(key);\n  if (existingRequest) {\n    return existingRequest;\n  }\n  \n  // Create new request\n  const requestPromise = checkFn(input).finally(() => {\n    // Clean up when request completes (success or failure)\n    inFlightRequests.delete(key);\n  });\n  \n  // Track the request\n  inFlightRequests.set(key, requestPromise);\n  \n  return requestPromise;\n}\n\n/**\n * Clear all in-flight requests (useful for testing or cleanup)\n */\nexport function clearInFlightRequests(): void {\n  inFlightRequests.clear();\n}\n\n/**\n * Get count of in-flight requests (useful for monitoring)\n * \n * @returns Number of in-flight requests\n */\nexport function getInFlightRequestCount(): number {\n  return inFlightRequests.size;\n}\n\n","/**\n * RBAC Main API Functions\n * @package @jmruthers/pace-core\n * @module RBAC/API\n * @since 1.0.0\n * \n * This module provides the main API functions for the RBAC system.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport {\n  UUID,\n  Scope,\n  Permission,\n  AccessLevel,\n  PermissionMap,\n  PermissionCheck,\n  RBACNotInitializedError,\n  OrganisationContextRequiredError,\n  RBACAppContext,\n  RBACRoleContext,\n} from './types';\nimport { createRBACEngine, RBACEngine } from './engine';\nimport { createAuditManager, setGlobalAuditManager } from './audit';\nimport { rbacCache, RBACCache, CACHE_PATTERNS } from './cache';\nimport { createRBACConfig, RBACConfig, getRBACLogger } from './config';\nimport { SecurityContext } from './security';\nimport { createLogger } from '../utils/core/logger';\nimport { enablePerformanceMonitoring } from './performance';\nimport { getOrCreateRequest } from './request-deduplication';\nimport { ContextValidator } from './utils/contextValidator';\n\nconst log = createLogger('RBACAPI');\n\n// Global engine instance\nlet globalEngine: RBACEngine | null = null;\n\n/**\n * Setup RBAC system\n * \n * @param supabase - Supabase client\n * @param config - Optional configuration\n */\nexport function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<RBACConfig>): void {\n  const logger = getRBACLogger();\n  \n  // Create full config\n  const isDevelopment = import.meta.env.MODE === 'development';\n  const fullConfig: RBACConfig = {\n    supabase,\n    debug: isDevelopment,\n    logLevel: 'warn',\n    developmentMode: isDevelopment,\n    ...config,\n  };\n  \n  createRBACConfig(fullConfig);\n  \n  // Automatically disable rate limiting in development mode unless explicitly overridden\n  // Apply default first, then let explicit config override it\n  // Pass undefined if no config provided and not in development, otherwise create security config\n  const securityConfig = \n    config === undefined && !isDevelopment\n      ? undefined\n      : {\n          // Default: disable rate limiting in development\n          ...(isDevelopment && config?.security?.enableRateLimiting === undefined\n            ? { enableRateLimiting: false }\n            : {}),\n          // Explicit config overrides defaults\n          ...config?.security,\n        };\n  \n  // Pass security config to engine\n  globalEngine = createRBACEngine(supabase, securityConfig);\n  \n  // Setup audit manager with batching configuration\n  const useBatchedAudit = config?.audit?.batched !== false && (config?.performance?.enableBatchedAuditLogging !== false);\n  const batchConfig = useBatchedAudit ? {\n    batchWindow: config?.audit?.batchWindow,\n    batchSize: config?.audit?.batchSize,\n  } : undefined;\n  const auditManager = createAuditManager(supabase, useBatchedAudit, batchConfig);\n  setGlobalAuditManager(auditManager);\n  \n  // Setup performance monitoring if enabled\n  if (config?.performance?.enablePerformanceTracking) {\n    enablePerformanceMonitoring();\n  }\n  \n}\n\n/**\n * Check if RBAC system is initialized\n * \n * @returns True if RBAC is initialized\n */\nexport function isRBACInitialized(): boolean {\n  return globalEngine !== null;\n}\n\n/**\n * Get the global RBAC engine\n * \n * @returns Global RBAC engine\n * @throws Error if RBAC not initialized\n */\nfunction getEngine(): RBACEngine {\n  if (!globalEngine) {\n    throw new RBACNotInitializedError();\n  }\n  return globalEngine;\n}\n\n/**\n * Get user's access level in a scope\n * \n * @param input - Access level input\n * @param appConfig - Optional app configuration\n * @param appName - Optional app name\n * @returns Promise resolving to access level\n * \n * @example\n * ```typescript\n * const accessLevel = await getAccessLevel({\n *   userId: 'user-123',\n *   scope: { organisationId: 'org-456' }\n * });\n * ```\n */\nexport async function getAccessLevel(\n  input: {\n    userId: UUID;\n    scope: Scope;\n  },\n  appName?: string\n): Promise<AccessLevel> {\n  try {\n    const engine = getEngine();\n    \n    // Check super admin status first - super admins bypass context requirements\n    const isSuperAdminUser = await engine['checkSuperAdmin'](input.userId);\n    if (isSuperAdminUser) {\n      return 'super';\n    }\n    \n    // For functions without pageId, default to organisation scope validation\n    // This is a safe default - most operations require organisation context\n    const validation = await ContextValidator.resolveScopeForPage(\n      input.scope,\n      'organisation', // Default to organisation scope when no page context\n      appName,\n      engine['supabase']\n    );\n    \n    if (!validation.isValid || !validation.resolvedScope) {\n      throw validation.error || new OrganisationContextRequiredError();\n    }\n    \n    // Use resolved scope\n    return engine.getAccessLevel({\n      ...input,\n      scope: validation.resolvedScope\n    });\n  } catch (error) {\n    // Re-throw the error - this is an API function that should propagate errors\n    throw error;\n  }\n}\n\n/**\n * Get user's permission map for a scope\n * \n * @param input - Permission map input\n * @param appConfig - Optional app configuration\n * @param appName - Optional app name\n * @returns Promise resolving to permission map\n * \n * @example\n * ```typescript\n * const permissions = await getPermissionMap({\n *   userId: 'user-123',\n *   scope: { \n *     organisationId: 'org-456',\n *     eventId: 'event-789',\n *     appId: 'app-101'\n *   }\n * });\n * ```\n */\nexport async function getPermissionMap(\n  input: {\n    userId: UUID;\n    scope: Scope;\n  },\n  appName?: string\n): Promise<PermissionMap> {\n  try {\n    const engine = getEngine();\n    \n    // For functions without pageId, default to organisation scope validation\n    // This is a safe default - most operations require organisation context\n    const validation = await ContextValidator.resolveScopeForPage(\n      input.scope,\n      'organisation', // Default to organisation scope when no page context\n      appName,\n      engine['supabase']\n    );\n    \n    if (!validation.isValid || !validation.resolvedScope) {\n      throw validation.error || new OrganisationContextRequiredError();\n    }\n    \n    // Use resolved scope\n    return engine.getPermissionMap({\n      ...input,\n      scope: validation.resolvedScope\n    });\n  } catch (error) {\n    // Re-throw the error - this is an API function that should propagate errors\n    throw error;\n  }\n}\n\nexport async function resolveAppContext(input: {\n  userId: UUID;\n  appName: string;\n}): Promise<RBACAppContext | null> {\n  try {\n    const engine = getEngine();\n    return await engine.resolveAppContext(input);\n  } catch (error) {\n    // Re-throw the error - this is an API function that should propagate errors\n    throw error;\n  }\n}\n\nexport async function getRoleContext(\n  input: {\n    userId: UUID;\n    scope: Scope;\n  },\n  appName?: string\n): Promise<RBACRoleContext> {\n  const engine = getEngine();\n  \n  // For functions without pageId, default to organisation scope validation\n  const validation = await ContextValidator.resolveScopeForPage(\n    input.scope,\n    'organisation', // Default to organisation scope when no page context\n    appName,\n    engine['supabase']\n  );\n  \n  if (!validation.isValid || !validation.resolvedScope) {\n    throw validation.error || new OrganisationContextRequiredError();\n  }\n  \n  // Use resolved scope\n  return engine.getRoleContext({\n    ...input,\n    scope: validation.resolvedScope\n  });\n}\n\n/**\n * Check if user has a specific permission\n * \n * @param input - Permission check input\n * @param appConfig - Optional app configuration (if not provided, will be fetched)\n * @param appName - Optional app name (for PORTAL/ADMIN special case and config lookup)\n * @returns Promise resolving to permission result\n * \n * @example\n * ```typescript\n * const canManage = await isPermitted({\n *   userId: 'user-123',\n *   scope: { organisationId: 'org-456' },\n *   permission: 'update:events',\n *   pageId: 'page-789'\n * });\n * ```\n */\nexport async function isPermitted(\n  input: PermissionCheck,\n  appName?: string,\n  /**\n   * Pre-computed super admin status to avoid duplicate checks.\n   * Pass null if not checked yet (will check), true if already checked and is super admin,\n   * or false if already checked and is not super admin.\n   * @default null\n   */\n  precomputedSuperAdmin: boolean | null = null\n): Promise<boolean> {\n  const engine = getEngine();\n  \n  // Check super admin status first - super admins bypass context requirements\n  // Super admins have access to all permissions regardless of organisation context\n  // PERFORMANCE: Use precomputed value if provided to avoid duplicate checks\n  if (precomputedSuperAdmin === true) {\n    return true;\n  }\n  \n  // If null, check super admin status\n  if (precomputedSuperAdmin === null) {\n    const isSuperAdminUser = await engine['checkSuperAdmin'](input.userId);\n    if (isSuperAdminUser) {\n      return true;\n    }\n  }\n  // If precomputedSuperAdmin === false, skip check and proceed with permission check\n  \n  // Get app name if not provided (for PORTAL/ADMIN special case)\n  let resolvedAppName = appName;\n  if (!resolvedAppName && input.scope.appId) {\n    try {\n      const { data } = await engine['supabase']\n        .from('rbac_apps')\n        .select('name')\n        .eq('id', input.scope.appId)\n        .eq('is_active', true)\n        .single() as { data: { name: string } | null };\n      if (data) {\n        resolvedAppName = data.name;\n      }\n    } catch (err) {\n      // Ignore errors - appName is optional\n    }\n  }\n  \n  // Get page scope type (required for all permission checks)\n  // All pages must have scope_type set - this is the single source of truth\n  let pageScopeType: 'event' | 'organisation' | 'both';\n  if (input.pageId) {\n    try {\n      const scopeType = await getPageScopeType(\n        input.pageId,\n        input.scope.appId,\n        resolvedAppName\n      );\n      if (!scopeType) {\n        throw new Error(`Page ${input.pageId} does not have scope_type set`);\n      }\n      pageScopeType = scopeType;\n    } catch (err) {\n      log.error('Failed to get page scope type:', err);\n      throw new Error(`Failed to determine page scope type: ${err instanceof Error ? err.message : String(err)}`);\n    }\n  } else {\n    // No pageId provided - default to organisation scope\n    // This should rarely happen, but provides a safe fallback\n    pageScopeType = 'organisation';\n  }\n  \n  // Validate context using page-level scope (single source of truth)\n  const validation = await ContextValidator.resolveScopeForPage(\n    input.scope,\n    pageScopeType,\n    resolvedAppName,\n    engine['supabase']\n  );\n  \n  if (!validation.isValid || !validation.resolvedScope) {\n    throw validation.error || new OrganisationContextRequiredError();\n  }\n  \n  // Use resolved scope for permission check\n  const validatedScope = validation.resolvedScope;\n  \n  // Handle 'both' scope pages - check both scopes and return union\n  if (pageScopeType === 'both' && input.pageId) {\n    // Check permission with event scope\n    const eventScope: Scope = {\n      organisationId: validatedScope.organisationId, // Org derived from event\n      eventId: validatedScope.eventId,\n      appId: validatedScope.appId\n    };\n    \n    // Check permission with organisation scope (if org is available separately)\n    // For 'both' pages, we check the permission in both contexts and return the union\n    // Higher permission wins (true > false, admin > user, etc.)\n    \n    const eventSecurityContext: SecurityContext = {\n      userId: input.userId,\n      organisationId: eventScope.organisationId || null,\n      timestamp: new Date(),\n    };\n    \n    const eventInput: PermissionCheck = {\n      ...input,\n      scope: eventScope\n    };\n    \n    const hasEventPermission = await engine.isPermitted(eventInput, eventSecurityContext);\n    \n    // Also check with organisation scope if we have a separate org context\n    // (This handles cases where user has org permissions separate from event)\n    if (validatedScope.organisationId && validatedScope.eventId) {\n      const orgScope: Scope = {\n        organisationId: validatedScope.organisationId,\n        eventId: undefined, // Clear event for org-only check\n        appId: validatedScope.appId\n      };\n      \n      const orgSecurityContext: SecurityContext = {\n        userId: input.userId,\n        organisationId: orgScope.organisationId || null,\n        timestamp: new Date(),\n      };\n      \n      const orgInput: PermissionCheck = {\n        ...input,\n        scope: orgScope\n      };\n      \n      const hasOrgPermission = await engine.isPermitted(orgInput, orgSecurityContext);\n      \n      // Return union (true if either scope grants permission)\n      // For access levels, the database function handles the \"higher wins\" logic\n      return hasEventPermission || hasOrgPermission;\n    }\n    \n    // If only event scope available, return event permission\n    return hasEventPermission;\n  }\n  \n  // Standard permission check for single-scope pages\n  const securityContext: SecurityContext = {\n    userId: input.userId,\n    organisationId: validatedScope.organisationId || null,\n    timestamp: new Date(),\n    // Optional fields can be omitted\n  };\n  \n  // Create new input with validated scope\n  const validatedInput: PermissionCheck = {\n    ...input,\n    scope: validatedScope\n  };\n  \n  return engine.isPermitted(validatedInput, securityContext);\n}\n\n/**\n * Check if user has a specific permission (cached version)\n * \n * Uses request deduplication to share in-flight requests across components\n * and checks cache before making new requests. Uses session cache for page-level checks.\n * \n * @param input - Permission check input\n * @param appName - Optional app name (for PORTAL/ADMIN special case)\n * @returns Promise resolving to permission result\n */\nexport async function isPermittedCached(\n  input: PermissionCheck,\n  appName?: string\n): Promise<boolean> {\n  const { userId, scope, permission, pageId } = input;\n  \n  // Check cache first (checks both short-term and session cache)\n  const cacheKey = RBACCache.generatePermissionKey({\n    userId,\n    organisationId: scope.organisationId,\n    eventId: scope.eventId,\n    appId: scope.appId,\n    permission,\n    pageId,\n  });\n  \n  const cached = rbacCache.get<boolean>(cacheKey, true);\n  if (cached !== null) {\n    return cached;\n  }\n\n  // Use request deduplication - if same request is in-flight, share the promise\n  return getOrCreateRequest(input, async (checkInput) => {\n    // Check permission with context validation\n    // Note: We can't pass precomputedSuperAdmin here because getOrCreateRequest doesn't support it\n    // The super admin check in isPermitted will be cached, so it's not a huge performance hit\n    const result = await isPermitted(checkInput, appName, null);\n    \n    // Determine if this is a page-level check (has pageId or permission contains 'page.')\n    const isPageLevelCheck = !!pageId || permission.includes('page.');\n    \n    // Cache result - use session cache for page-level checks\n    rbacCache.set(cacheKey, result, undefined, isPageLevelCheck);\n    \n    return result;\n  });\n}\n\n/**\n * Check if a user has a specific permission (alias for isPermitted)\n * \n * @param input - Permission check parameters\n * @returns Promise<boolean> - True if user has permission\n */\nexport async function hasPermission(input: PermissionCheck): Promise<boolean> {\n  return isPermitted(input);\n}\n\n/**\n * Check if user has any of the specified permissions\n * \n * @param input - Permission check input with array of permissions\n * @returns Promise resolving to true if user has any permission\n */\nexport async function hasAnyPermission(input: {\n  userId: UUID;\n  scope: Scope;\n  permissions: Permission[];\n  pageId?: UUID;\n}): Promise<boolean> {\n  const { permissions, ...baseInput } = input;\n  \n  for (const permission of permissions) {\n    const hasPermission = await isPermitted({\n      ...baseInput,\n      permission,\n    });\n    \n    if (hasPermission) {\n      return true;\n    }\n  }\n  \n  return false;\n}\n\n/**\n * Check if user has all of the specified permissions\n * \n * @param input - Permission check input with array of permissions\n * @returns Promise resolving to true if user has all permissions\n */\nexport async function hasAllPermissions(input: {\n  userId: UUID;\n  scope: Scope;\n  permissions: Permission[];\n  pageId?: UUID;\n}): Promise<boolean> {\n  const { permissions, ...baseInput } = input;\n  \n  for (const permission of permissions) {\n    const hasPermission = await isPermitted({\n      ...baseInput,\n      permission,\n    });\n    \n    if (!hasPermission) {\n      return false;\n    }\n  }\n  \n  return true;\n}\n\n/**\n * Check if user is super admin\n * \n * @param userId - User ID\n * @returns Promise resolving to super admin status\n */\nexport async function isSuperAdmin(userId: UUID): Promise<boolean> {\n  const engine = getEngine();\n  return engine['checkSuperAdmin'](userId);\n}\n\n\n/**\n * Get page scope type (effective scope for a page)\n * \n * Returns the scope type for a page. After migration, all pages have explicit scope_type set.\n * This is the single source of truth for page scoping.\n * \n * @param pageId - Page ID (UUID) or page name\n * @param appId - App ID (required if pageId is a page name)\n * @param appName - App name (alternative to appId, used to resolve appId)\n * @returns Promise resolving to page scope type: 'event', 'organisation', or 'both'\n */\nexport async function getPageScopeType(\n  pageId: UUID | string,\n  appId?: UUID,\n  appName?: string\n): Promise<'event' | 'organisation' | 'both'> {\n  const engine = getEngine();\n  \n  try {\n    // Resolve appId if not provided\n    let resolvedAppId = appId;\n    if (!resolvedAppId && appName) {\n      // Get appId directly from app name\n      const { data: app } = await engine['supabase']\n        .from('rbac_apps')\n        .select('id')\n        .eq('name', appName)\n        .eq('is_active', true)\n        .single() as { data: { id: UUID } | null; error: any };\n      resolvedAppId = app?.id;\n    }\n    \n    if (!resolvedAppId) {\n      throw new Error(`Could not resolve appId for page ${pageId}`);\n    }\n    \n    // Resolve pageId if it's a page name\n    let resolvedPageId: UUID | string = pageId;\n    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n    if (!uuidRegex.test(pageId)) {\n      // It's a page name, resolve to UUID\n      const { data: page } = await engine['supabase']\n        .from('rbac_app_pages')\n        .select('id')\n        .eq('app_id', resolvedAppId)\n        .eq('page_name', pageId)\n        .maybeSingle() as { data: { id: UUID } | null; error: any };\n      resolvedPageId = page?.id || pageId;\n    }\n    \n    // If still not a UUID, can't proceed\n    if (!uuidRegex.test(resolvedPageId)) {\n      throw new Error(`Could not resolve pageId ${pageId} to a valid UUID`);\n    }\n    \n    // Call the database function to get scope type (always returns a value)\n    const { data, error } = await engine['supabase']\n      .rpc('get_page_scope_type' as any, {\n        p_page_id: resolvedPageId\n      }) as { data: 'event' | 'organisation' | 'both' | null; error: any };\n    \n    if (error) {\n      log.error('Error fetching page scope type:', { pageId, appId, error });\n      throw new Error(`Failed to get page scope type: ${error.message}`);\n    }\n    \n    if (!data) {\n      throw new Error(`Page ${resolvedPageId} does not have scope_type set`);\n    }\n    \n    return data;\n  } catch (err) {\n    log.error('Error fetching page scope type:', err);\n    throw err instanceof Error ? err : new Error(`Failed to get page scope type: ${String(err)}`);\n  }\n}\n\n/**\n * Check if user is organisation admin\n * \n * @param userId - User ID\n * @param organisationId - Organisation ID\n * @returns Promise resolving to organisation admin status\n */\nexport async function isOrganisationAdmin(userId: UUID, organisationId: UUID): Promise<boolean> {\n  const accessLevel = await getAccessLevel({\n    userId,\n    scope: { organisationId },\n  });\n  \n  return accessLevel === 'admin' || accessLevel === 'super';\n}\n\n/**\n * Check if user is event admin\n * \n * @param userId - User ID\n * @param scope - Permission scope with eventId and appId\n * @returns Promise resolving to event admin status\n */\nexport async function isEventAdmin(userId: UUID, scope: Scope): Promise<boolean> {\n  if (!scope.eventId || !scope.appId) {\n    return false;\n  }\n  \n  const accessLevel = await getAccessLevel({ userId, scope });\n  return accessLevel === 'admin' || accessLevel === 'super';\n}\n\n/**\n * Invalidate user's permission cache\n * \n * @param userId - User ID\n * @param organisationId - Organisation ID (optional)\n */\nexport function invalidateUserCache(userId: UUID, organisationId?: UUID): void {\n  const patterns = organisationId\n    ? [\n        CACHE_PATTERNS.PERMISSION(userId, organisationId),\n        `access:${userId}:${organisationId}:`,\n        `map:${userId}:${organisationId}:`,\n      ]\n    : [\n        `perm:${userId}:`,\n        `access:${userId}:`,\n        `map:${userId}:`,\n      ];\n\n  patterns.forEach(pattern => rbacCache.invalidate(pattern));\n}\n\n/**\n * Invalidate organisation's permission cache\n * \n * @param organisationId - Organisation ID\n */\nexport function invalidateOrganisationCache(organisationId: UUID): void {\n  rbacCache.invalidate(CACHE_PATTERNS.ORGANISATION(organisationId));\n}\n\n/**\n * Invalidate event's permission cache\n * \n * @param eventId - Event ID\n */\nexport function invalidateEventCache(eventId: string): void {\n  rbacCache.invalidate(CACHE_PATTERNS.EVENT(eventId));\n}\n\n/**\n * Invalidate app's permission cache\n * \n * @param appId - App ID\n */\nexport function invalidateAppCache(appId: UUID): void {\n  rbacCache.invalidate(CACHE_PATTERNS.APP(appId));\n}\n\n/**\n * Clear all permission cache\n */\nexport function clearCache(): void {\n  rbacCache.clear();\n}\n\n// Re-export OrganisationContextRequiredError for convenience\nexport { OrganisationContextRequiredError } from './types';\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAmBO,IAAM,YAAN,MAAgB;AAAA,EAAhB;AACL,SAAQ,QAAQ,oBAAI,IAA6B;AACjD,SAAQ,eAAe,oBAAI,IAA6B;AACxD,SAAiB,MAAM,MAAM;AAC7B;AAAA,SAAiB,cAAc,KAAK,KAAK;AACzC;AAAA,SAAQ,wBAAwD,oBAAI,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWxE,IAAO,KAAa,kBAA2B,MAAgB;AAC7D,UAAM,MAAM,KAAK,IAAI;AAGrB,UAAM,QAAQ,KAAK,MAAM,IAAI,GAAG;AAChC,QAAI,SAAS,OAAO,MAAM,SAAS;AACjC,aAAO,MAAM;AAAA,IACf;AACA,QAAI,SAAS,MAAM,MAAM,SAAS;AAChC,WAAK,MAAM,OAAO,GAAG;AAAA,IACvB;AAGA,QAAI,iBAAiB;AACnB,YAAM,eAAe,KAAK,aAAa,IAAI,GAAG;AAC9C,UAAI,gBAAgB,OAAO,aAAa,SAAS;AAC/C,eAAO,aAAa;AAAA,MACtB;AACA,UAAI,gBAAgB,MAAM,aAAa,SAAS;AAC9C,aAAK,aAAa,OAAO,GAAG;AAAA,MAC9B;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,IAAO,KAAa,MAAS,MAAc,KAAK,KAAK,kBAA2B,OAAa;AAC3F,UAAM,MAAM,KAAK,IAAI;AAErB,UAAM,UAAU,OAAO,IAAI,MAAM,IAAI,MAAM;AAG3C,SAAK,MAAM,IAAI,KAAK;AAAA,MAClB;AAAA,MACA;AAAA,IACF,CAAC;AAGD,QAAI,iBAAiB;AACnB,YAAM,iBAAiB,OAAO,IAAI,MAAM,IAAI,MAAM,KAAK;AACvD,WAAK,aAAa,IAAI,KAAK;AAAA,QACzB;AAAA,QACA,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,KAAmB;AACxB,SAAK,MAAM,OAAO,GAAG;AACrB,SAAK,aAAa,OAAO,GAAG;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAW,SAAuB;AAChC,UAAM,iBAAiB,SAAS,KAAK;AAErC,QAAI,CAAC,gBAAgB;AACnB;AAAA,IACF;AAEA,UAAM,UAAU,KAAK,cAAc,cAAc;AACjD,UAAM,eAAyB,CAAC;AAGhC,eAAW,OAAO,KAAK,MAAM,KAAK,GAAG;AACnC,UAAI,QAAQ,GAAG,GAAG;AAChB,qBAAa,KAAK,GAAG;AAAA,MACvB;AAAA,IACF;AAEA,eAAW,OAAO,KAAK,aAAa,KAAK,GAAG;AAC1C,UAAI,QAAQ,GAAG,KAAK,CAAC,aAAa,SAAS,GAAG,GAAG;AAC/C,qBAAa,KAAK,GAAG;AAAA,MACvB;AAAA,IACF;AAEA,iBAAa,QAAQ,SAAO;AAC1B,WAAK,MAAM,OAAO,GAAG;AACrB,WAAK,aAAa,OAAO,GAAG;AAAA,IAC9B,CAAC;AAGD,SAAK,sBAAsB,QAAQ,cAAY,SAAS,cAAc,CAAC;AAAA,EACzE;AAAA,EAEQ,cAAc,SAA2C;AAC/D,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,YAAM,kBAAkB,QACrB,MAAM,GAAG,EACT,IAAI,aAAW,QAAQ,QAAQ,uBAAuB,MAAM,CAAC;AAChE,YAAM,eAAe,gBAAgB,KAAK,IAAI;AAC9C,YAAM,QAAQ,IAAI,OAAO,YAAY;AACrC,aAAO,CAAC,QAAgB,MAAM,KAAK,GAAG;AAAA,IACxC;AAEA,WAAO,CAAC,QAAgB,IAAI,SAAS,OAAO;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,QAAc;AACZ,SAAK,MAAM,MAAM;AACjB,SAAK,aAAa,MAAM;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,WAME;AACA,WAAO;AAAA,MACL,MAAM,KAAK,MAAM;AAAA,MACjB,aAAa,KAAK,aAAa;AAAA,MAC/B,KAAK,KAAK;AAAA,MACV,YAAY,KAAK;AAAA,MACjB,MAAM,MAAM,KAAK,KAAK,MAAM,KAAK,CAAC;AAAA,IACpC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,UAAiD;AAC5D,SAAK,sBAAsB,IAAI,QAAQ;AAGvC,WAAO,MAAM;AACX,WAAK,sBAAsB,OAAO,QAAQ;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,OAAO,YACL,QACA,YACA,gBACA,SACA,OACA,QACQ;AACR,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA,kBAAkB;AAAA,MAClB,WAAW;AAAA,MACX,SAAS;AAAA,MACT,cAAc;AAAA,MACd,UAAU;AAAA,IACZ;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,sBAAsB,KAAiC;AAC5D,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA,IAAI;AAAA,MACJ,IAAI,kBAAkB;AAAA,MACtB,IAAI,WAAW;AAAA,MACf,IAAI,SAAS;AAAA,MACb,IAAI,cAAc;AAAA,MAClB,IAAI,UAAU;AAAA,IAChB;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,uBACL,QACA,gBACA,SACA,OACQ;AACR,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,MACA,WAAW;AAAA,MACX,SAAS;AAAA,IACX;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,yBACL,QACA,gBACA,SACA,OACQ;AACR,UAAM,QAAQ;AAAA,MACZ;AAAA,MACA;AAAA,MACA;AAAA,MACA,WAAW;AAAA,MACX,SAAS;AAAA,IACX;AAEA,WAAO,MAAM,KAAK,GAAG;AAAA,EACvB;AACF;AAQO,IAAM,YAAY,IAAI,UAAU;AAKhC,IAAM,iBAAiB;AAAA,EAC5B,MAAM,CAAC,WAAiB,IAAI,MAAM;AAAA,EAClC,cAAc,CAAC,mBAAyB,IAAI,cAAc;AAAA,EAC1D,OAAO,CAAC,YAAoB,IAAI,OAAO;AAAA,EACvC,KAAK,CAAC,UAAgB,IAAI,KAAK;AAAA,EAC/B,YAAY,CAAC,QAAc,mBAAyB,QAAQ,MAAM,IAAI,cAAc;AACtF;;;ACzSA,IAAM,MAAM,aAAa,WAAW;AAK7B,IAAM,wBAAwB;AAAA;AAAA,EAEnC,oBAAoB,CAAC,WAAiB;AAAA,IACpC,eAAe,KAAK,MAAM;AAAA,IAC1B,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM;AAAA,IAChB,OAAO,MAAM;AAAA,EACf;AAAA;AAAA,EAGA,kCAAkC,CAAC,mBAAyB;AAAA,IAC1D,eAAe,aAAa,cAAc;AAAA,IAC1C,UAAU,cAAc;AAAA,IACxB,YAAY,cAAc;AAAA,IAC1B,SAAS,cAAc;AAAA,EACzB;AAAA;AAAA,EAGA,2BAA2B,CAAC,YAAoB;AAAA,IAC9C,eAAe,MAAM,OAAO;AAAA,IAC5B,YAAY,OAAO;AAAA,IACnB,cAAc,OAAO;AAAA,IACrB,WAAW,OAAO;AAAA,EACpB;AAAA;AAAA,EAGA,yBAAyB,CAAC,UAAgB;AAAA,IACxC,eAAe,IAAI,KAAK;AAAA,IACxB,cAAc,KAAK;AAAA,IACnB,gBAAgB,KAAK;AAAA,IACrB,aAAa,KAAK;AAAA,EACpB;AAAA;AAAA,EAGA,0BAA0B,CAAC,WAAiB;AAAA,IAC1C,gBAAgB,MAAM;AAAA,IACtB;AAAA,EACF;AACF;AAOO,IAAM,+BAAN,MAAmC;AAAA,EAKxC,YAAY,UAAoC;AAHhD,SAAQ,wBAAwD,oBAAI,IAAI;AACxE,SAAQ,WAA+C,CAAC;AAGtD,SAAK,WAAW;AAChB,SAAK,2BAA2B;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAe,UAAiD;AAC9D,SAAK,sBAAsB,IAAI,QAAQ;AACvC,WAAO,MAAM,KAAK,sBAAsB,OAAO,QAAQ;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAe,QAAc,QAAsB;AACjD,UAAM,WAAW,sBAAsB,mBAAmB,MAAM;AAChE,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,uBAAuB,gBAAsB,QAAsB;AACjE,UAAM,WAAW,sBAAsB,iCAAiC,cAAc;AACtF,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,gBAAgB,SAAiB,QAAsB;AACrD,UAAM,WAAW,sBAAsB,0BAA0B,OAAO;AACxE,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,cAAc,OAAa,QAAsB;AAC/C,UAAM,WAAW,sBAAsB,wBAAwB,KAAK;AACpE,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,eAAe,QAAc,QAAsB;AACjD,UAAM,WAAW,sBAAsB,yBAAyB,MAAM;AACtE,SAAK,mBAAmB,UAAU,MAAM;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,mBAAmB,UAAoB,QAAsB;AACnE,QAAI,MAAM,0BAA0B,SAAS,KAAK,IAAI,CAAC,KAAK,MAAM,GAAG;AAErE,aAAS,QAAQ,aAAW;AAC1B,gBAAU,WAAW,OAAO;AAAA,IAC9B,CAAC;AAGD,SAAK,sBAAsB,QAAQ,cAAY;AAC7C,eAAS,QAAQ,aAAW,SAAS,OAAO,CAAC;AAAA,IAC/C,CAAC;AAGD,mBAAe;AAAA,MACb,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,gBAAgB;AAAA,MAChB,YAAY;AAAA,MACZ,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,aAAa;AAAA,MACb,UAAU;AAAA,QACR;AAAA,QACA;AAAA,QACA,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,QAClC,oBAAoB;AAAA,MACtB;AAAA,IACF,CAAC,EAAE,MAAM,WAAS;AAChB,UAAI,KAAK,iDAAiD,KAAK;AAAA,IACjE,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,uBAA6B;AACnC,SAAK,SAAS,QAAQ,aAAW;AAC/B,UAAI;AACF,YAAI,WAAW,OAAO,QAAQ,gBAAgB,YAAY;AACxD,kBAAQ,YAAY;AAAA,QACtB;AAAA,MACF,SAAS,OAAO;AACd,YAAI,KAAK,uCAAuC,KAAK;AAAA,MACvD;AAAA,IACF,CAAC;AACD,SAAK,WAAW,CAAC;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,6BAAmC;AAEzC,SAAK,qBAAqB;AAG1B,QAAI,CAAC,KAAK,SAAS,WAAW,OAAO,KAAK,SAAS,YAAY,YAAY;AACzE,UAAI,MAAM,gDAAgD;AAC1D;AAAA,IACF;AAGA,UAAM,kBAAkB,KAAK,SAC1B,QAAQ,iCAAiC,EACzC,GAAG,oBAAoB;AAAA,MACtB,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,OAAO;AAAA,IACT,GAAG,CAAC,YAAiB;AACnB,YAAM,EAAE,iBAAiB,QAAQ,IAAI,QAAQ,OAAO,QAAQ,OAAO,CAAC;AACpE,UAAI,iBAAiB;AACnB,aAAK,uBAAuB,iBAAiB,qBAAqB,QAAQ,SAAS,EAAE;AAAA,MACvF;AACA,UAAI,SAAS;AACX,aAAK,eAAe,SAAS,qBAAqB,QAAQ,SAAS,EAAE;AAAA,MACvE;AAAA,IACF,CAAC;AACH,UAAM,uBAAuB,gBAAgB,UAAU;AACvD,SAAK,SAAS,KAAK,oBAAoB;AAGvC,UAAM,uBAAuB,KAAK,SAC/B,QAAQ,8BAA8B,EACtC,GAAG,oBAAoB;AAAA,MACtB,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,OAAO;AAAA,IACT,GAAG,CAAC,YAAiB;AACnB,YAAM,EAAE,iBAAiB,SAAS,UAAU,OAAO,IAAI,QAAQ,OAAO,QAAQ,OAAO,CAAC;AACtF,UAAI,iBAAiB;AACnB,aAAK,uBAAuB,iBAAiB,kBAAkB,QAAQ,SAAS,EAAE;AAAA,MACpF;AACA,UAAI,SAAS;AACX,aAAK,eAAe,SAAS,kBAAkB,QAAQ,SAAS,EAAE;AAAA,MACpE;AACA,UAAI,UAAU;AACZ,aAAK,gBAAgB,UAAU,kBAAkB,QAAQ,SAAS,EAAE;AAAA,MACtE;AACA,UAAI,QAAQ;AACV,aAAK,cAAc,QAAQ,kBAAkB,QAAQ,SAAS,EAAE;AAAA,MAClE;AAAA,IACF,CAAC;AACH,UAAM,4BAA4B,qBAAqB,UAAU;AACjE,SAAK,SAAS,KAAK,yBAAyB;AAG5C,UAAM,qBAAqB,KAAK,SAC7B,QAAQ,2BAA2B,EACnC,GAAG,oBAAoB;AAAA,MACtB,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,OAAO;AAAA,IACT,GAAG,CAAC,YAAiB;AACnB,YAAM,EAAE,QAAQ,IAAI,QAAQ,OAAO,QAAQ,OAAO,CAAC;AACnD,UAAI,SAAS;AACX,aAAK,eAAe,SAAS,eAAe,QAAQ,SAAS,EAAE;AAAA,MACjE;AAAA,IACF,CAAC;AACH,UAAM,0BAA0B,mBAAmB,UAAU;AAC7D,SAAK,SAAS,KAAK,uBAAuB;AAG1C,UAAM,yBAAyB,KAAK,SACjC,QAAQ,+BAA+B,EACvC,GAAG,oBAAoB;AAAA,MACtB,OAAO;AAAA,MACP,QAAQ;AAAA,MACR,OAAO;AAAA,IACT,GAAG,CAAC,YAAiB;AACnB,YAAM,EAAE,iBAAiB,aAAa,QAAQ,IAAI,QAAQ,OAAO,QAAQ,OAAO,CAAC;AACjF,UAAI,iBAAiB;AACnB,aAAK,uBAAuB,iBAAiB,mBAAmB,QAAQ,SAAS,EAAE;AAAA,MACrF;AACA,UAAI,aAAa;AACf,aAAK,eAAe,aAAa,mBAAmB,QAAQ,SAAS,EAAE;AAAA,MACzE;AAAA,IAGF,CAAC;AACH,UAAM,8BAA8B,uBAAuB,UAAU;AACrE,SAAK,SAAS,KAAK,2BAA2B;AAAA,EAChD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAgB;AAEd,SAAK,SAAS,QAAQ,aAAW;AAC/B,UAAI;AACF,YAAI,WAAW,OAAO,QAAQ,gBAAgB,YAAY;AACxD,kBAAQ,YAAY;AAAA,QACtB;AAAA,MACF,SAAS,OAAO;AACd,YAAI,KAAK,uCAAuC,KAAK;AAAA,MACvD;AAAA,IACF,CAAC;AACD,SAAK,WAAW,CAAC;AAGjB,SAAK,sBAAsB,MAAM;AAAA,EACnC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iCAAiC,gBAAsB,QAA+B;AAE1F,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,yBAAyB,EAC9B,OAAO,SAAS,EAChB,GAAG,mBAAmB,cAAc,EACpC,GAAG,aAAa,IAAI;AAEvB,QAAI,OAAO;AACT,YAAM,QAAQ,CAAC,EAAE,QAAQ,MAAM;AAC7B,aAAK,eAAe,SAAS,MAAM;AAAA,MACrC,CAAC;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAsB;AACpB,QAAI,MAAM,4BAA4B;AACtC,cAAU,MAAM;AAAA,EAClB;AACF;AAKA,IAAI,iCAAsE;AASnE,SAAS,4BAA4B,UAAkE;AAE5G,MAAI,gCAAgC;AAClC,QAAI,MAAM,yEAAyE;AACnF,mCAA+B,QAAQ;AAAA,EACzC;AAEA,mCAAiC,IAAI,6BAA6B,QAAQ;AAC1E,SAAO;AACT;;;AC1VA,IAAM,0BAA0B,oBAAI,IAAI,CAAC,GAAG,CAAC;AAC7C,IAAM,oBAAoB,oBAAI,IAAI,CAAC,GAAG,CAAC;AACvC,IAAM,qBAAqB,oBAAI,IAAI,CAAC,GAAG,CAAC;AAExC,SAAS,UAAU,OAAwB;AACzC,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,EACT;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,MAAM,YAAY;AAAA,EAC3B;AACA,MAAI,iBAAiB,SAAS,OAAO,MAAM,YAAY,UAAU;AAC/D,WAAO,MAAM,QAAQ,YAAY;AAAA,EACnC;AACA,SAAO,OAAO,KAAK,EAAE,YAAY;AACnC;AAEO,SAAS,gBAAgB,OAAmC;AACjE,MAAI,iBAAiB,uBAAuB;AAC1C,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,oCAAoC,iBAAiB,mBAAmB;AAC3F,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,yBAAyB;AAC5C,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,WAAW;AAC9B,YAAQ,MAAM,MAAM;AAAA,MAClB,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT;AACE;AAAA,IACJ;AAAA,EACF;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,SAAU,MAA8B;AAC9C,QAAI,OAAO,WAAW,UAAU;AAC9B,UAAI,wBAAwB,IAAI,MAAM,GAAG;AACvC,eAAO;AAAA,MACT;AACA,UAAI,kBAAkB,IAAI,MAAM,GAAG;AACjC,eAAO;AAAA,MACT;AACA,UAAI,mBAAmB,IAAI,MAAM,GAAG;AAClC,eAAO;AAAA,MACT;AACA,UAAI,UAAU,KAAK;AACjB,eAAO;AAAA,MACT;AAAA,IACF;AAEA,UAAM,YAAY,UAAW,MAA4B,IAAI;AAC7D,QAAI,WAAW;AACb,UAAI,UAAU,SAAS,SAAS,GAAG;AACjC,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,UAAU,KAAK,UAAU,SAAS,UAAU,KAAK,UAAU,SAAS,IAAI,GAAG;AAChG,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,MAAM,GAAG;AAC9B,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,MAAM,GAAG;AAC9B,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,YAAY,GAAG;AACpC,eAAO;AAAA,MACT;AACA,UAAI,UAAU,SAAS,OAAO,KAAK,UAAU,SAAS,SAAS,GAAG;AAChE,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAU,UAAU,KAAK;AAC/B,MAAI,QAAQ,SAAS,SAAS,KAAK,QAAQ,SAAS,SAAS,KAAK,QAAQ,SAAS,OAAO,GAAG;AAC3F,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,UAAU,KAAK,QAAQ,SAAS,UAAU,KAAK,QAAQ,SAAS,YAAY,GAAG;AAClG,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,YAAY,KAAK,QAAQ,SAAS,mBAAmB,GAAG;AAC3E,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,YAAY,KAAK,QAAQ,SAAS,WAAW,GAAG;AACnE,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,MAAM,KAAK,QAAQ,SAAS,OAAO,KAAK,QAAQ,SAAS,SAAS,GAAG;AACxF,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,SAAS,KAAK,QAAQ,SAAS,OAAO,KAAK,QAAQ,SAAS,YAAY,GAAG;AAC9F,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAcO,SAAS,oCAAoC,UAAgD;AAClG,UAAQ,UAAU;AAAA,IAChB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL;AACE,aAAO;AAAA,EACX;AACF;;;AChJA,IAAMA,OAAM,aAAa,cAAc;AAKhC,IAAM,wBAAN,MAA4B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMjC,OAAO,mBAAmB,YAA6B;AACrD,QAAI,OAAO,eAAe,YAAY,WAAW,WAAW,GAAG;AAC7D,aAAO;AAAA,IACT;AAKA,UAAM,kBAAkB;AACxB,WAAO,gBAAgB,KAAK,UAAU;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,aAAa,MAAuB;AACzC,QAAI,OAAO,SAAS,YAAY,KAAK,WAAW,GAAG;AACjD,aAAO;AAAA,IACT;AAGA,UAAM,YAAY;AAClB,WAAO,UAAU,KAAK,IAAI;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,cAAc,OAAuB;AAC1C,QAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,aAAO;AAAA,IACT;AAGA,QAAI,MAAM,mBAAmB,QAAW;AAEtC,UAAI,OAAO,MAAM,mBAAmB,YAAY,MAAM,eAAe,KAAK,MAAM,IAAI;AAClF,eAAO;AAAA,MACT;AACA,UAAI,MAAM,kBAAkB,CAAC,KAAK,aAAa,MAAM,cAAc,GAAG;AACpE,eAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,MAAM,WAAW,OAAO,MAAM,YAAY,UAAU;AACtD,aAAO;AAAA,IACT;AAGA,QAAI,MAAM,SAAS,CAAC,KAAK,aAAa,MAAM,KAAK,GAAG;AAClD,aAAO;AAAA,IACT;AAGA,WAAO,CAAC,EAAE,MAAM,kBAAkB,MAAM,WAAW,MAAM;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,cAAc,OAAuB;AAC1C,QAAI,OAAO,UAAU,UAAU;AAC7B,aAAO;AAAA,IACT;AAGA,WAAO,MACJ,QAAQ,YAAY,EAAE,EACtB,QAAQ,aAAa,EAAE,EACvB,QAAQ,UAAU,EAAE,EACpB,QAAQ,iBAAiB,EAAE,EAC3B,QAAQ,WAAW,EAAE,EACrB,KAAK;AAAA,EACV;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,eAAe,QAAuB;AAC3C,WAAO,KAAK,aAAa,MAAM;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,qBAAqB,YAA6B;AACvD,WAAO,WAAW,SAAS,GAAG,KAAK,WAAW,SAAS,IAAI;AAAA,EAC7D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,4BAA4B,YAAoB,mBAAoC;AACzF,QAAI,CAAC,KAAK,mBAAmB,UAAU,GAAG;AACxC,aAAO;AAAA,IACT;AAEA,UAAM,CAAC,SAAS,IAAI,WAAW,MAAM,GAAG;AAExC,UAAM,YAAY,CAAC,QAAQ,UAAU,UAAU,QAAQ;AAEvD,UAAM,kBAAkB,UAAU,QAAQ,SAAS;AACnD,UAAM,gBAAgB,UAAU,QAAQ,iBAAiB;AAEzD,QAAI,oBAAoB,MAAM,kBAAkB,IAAI;AAClD,aAAO;AAAA,IACT;AAGA,WAAO,mBAAmB;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,aAAa,eAAe,QAAc,WAAqC;AAG7E,WAAO;AAAA,EACT;AAAA;AAAA,EAUA,OAAO,iBAAiB,OAef;AACP,UAAM,gBAAgB;AAAA,MACpB,GAAG;AAAA,MACH,WAAW,MAAM,aAAa,oBAAI,KAAK;AAAA,MACvC,UAAU,KAAK,iBAAiB,MAAM,IAAI;AAAA,IAC5C;AAGA,QAAI,MAAM,SAAS,uBAAuB;AACxC,YAAM,MAAM,KAAK,IAAI;AACrB,YAAM,cAAc,KAAK,sBAAsB,IAAI,MAAM,MAAM;AAE/D,UAAI,aAAa;AACf,cAAM,uBAAuB,MAAM,YAAY;AAC/C,YAAI,uBAAuB,KAAK,gCAAgC;AAE9D,sBAAY;AACZ,eAAK,sBAAsB,IAAI,MAAM,QAAQ,WAAW;AACxD;AAAA,QACF,OAAO;AAEL,UAAAA,KAAI,KAAK,+BAA+B;AAAA,YACtC,GAAG;AAAA,YACH,SAAS;AAAA,cACP,GAAG,cAAc;AAAA,cACjB,oBAAoB,YAAY;AAAA,cAChC,SAAS,wBAAwB,YAAY,QAAQ,CAAC,kBAAkB,KAAK,MAAM,uBAAuB,GAAI,CAAC;AAAA,YACjH;AAAA,UACF,CAAC;AACD,eAAK,sBAAsB,IAAI,MAAM,QAAQ,EAAE,OAAO,GAAG,aAAa,IAAI,CAAC;AAC3E;AAAA,QACF;AAAA,MACF,OAAO;AAEL,aAAK,sBAAsB,IAAI,MAAM,QAAQ,EAAE,OAAO,GAAG,aAAa,IAAI,CAAC;AAC3E,QAAAA,KAAI,KAAK,mBAAmB,aAAa;AACzC;AAAA,MACF;AAAA,IACF;AAGA,IAAAA,KAAI,KAAK,mBAAmB,aAAa;AAAA,EAG3C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAe,iBAAiB,WAA2D;AACzF,YAAQ,WAAW;AAAA,MACjB,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;AAAA;AAAA;AAAA;AAAA;AA/Oa,sBAqJI,wBAAwB,oBAAI,IAAkD;AArJlF,sBAsJa,iCAAiC;AAyGpD,IAAM,0BAA8C;AAAA,EACzD,uBAAuB;AAAA,EACvB,oBAAoB;AAAA,EACpB,oBAAoB;AAAA,EACpB,8BAA8B;AAAA;AAAA,EAC9B,6BAA6B;AAC/B;AAmBO,IAAM,yBAAN,MAA6B;AAAA,EAGlC,YAAY,SAA6B,yBAAyB;AAiHlE;AAAA;AAAA;AAAA;AAAA,SAAQ,iBAAiB,oBAAI,IAAwC;AAhHnE,SAAK,SAAS;AACd,SAAK,sBAAsB;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA,EAKQ,wBAA8B;AAEpC,gBAAY,MAAM;AAChB,WAAK,oBAAoB;AAAA,IAC3B,GAAG,IAAI,KAAK,GAAI;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,cAAc,OAAY,SAG7B;AACD,UAAM,SAAmB,CAAC;AAG1B,QAAI,CAAC,sBAAsB,eAAe,QAAQ,MAAM,GAAG;AACzD,aAAO,KAAK,wBAAwB;AAAA,IACtC;AAIA,UAAM,mBAAmB,MAAM,YAAY,SAAS,QAAQ,KAAK,CAAC,CAAC,MAAM;AACzE,UAAM,gBAAgB,CAAC;AAGvB,QAAI,eAAe;AACjB,UAAI,CAAC,QAAQ,gBAAgB;AAC3B,eAAO,KAAK,4DAA4D;AAAA,MAC1E,WAAW,CAAC,sBAAsB,aAAa,QAAQ,cAAc,GAAG;AACtE,eAAO,KAAK,gCAAgC;AAAA,MAC9C;AAAA,IACF,OAAO;AAEL,UAAI,QAAQ,kBAAkB,CAAC,sBAAsB,aAAa,QAAQ,cAAc,GAAG;AACzF,eAAO,KAAK,gCAAgC;AAAA,MAC9C;AAAA,IACF;AAEA,QAAI,MAAM,cAAc,CAAC,sBAAsB,mBAAmB,MAAM,UAAU,GAAG;AACnF,aAAO,KAAK,2BAA2B;AAAA,IACzC;AAEA,QAAI,MAAM,SAAS,CAAC,sBAAsB,cAAc,MAAM,KAAK,GAAG;AACpE,aAAO,KAAK,sBAAsB;AAAA,IACpC;AAEA,QAAI,KAAK,OAAO,uBAAuB;AACrC,UAAI,QAAQ,aAAa,OAAO,QAAQ,cAAc,UAAU;AAC9D,eAAO,KAAK,2BAA2B;AAAA,MACzC;AAEA,UAAI,QAAQ,aAAa,OAAO,QAAQ,cAAc,UAAU;AAC9D,eAAO,KAAK,2BAA2B;AAAA,MACzC;AAAA,IACF;AAGA,QAAI,OAAO,SAAS,GAAG;AACrB,4BAAsB,iBAAiB;AAAA,QACrC,MAAM;AAAA,QACN,QAAQ,QAAQ;AAAA,QAChB,SAAS,EAAE,QAAQ,OAAO,KAAK,cAAc,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,MACtE,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,SAAS,OAAO,WAAW;AAAA,MAC3B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAAe,SAGlB;AACD,QAAI,CAAC,KAAK,OAAO,oBAAoB;AACnC,aAAO,EAAE,WAAW,MAAM,WAAW,KAAK,OAAO,6BAA6B;AAAA,IAChF;AAIA,UAAM,YAAY,MAAM,KAAK,wBAAwB,QAAQ,MAAM;AAEnE,UAAM,YAAY,YAAY,KAAK,OAAO,+BAA+B,KAAK,iBAAiB,QAAQ,MAAM,IAAI;AAEjH,WAAO;AAAA,MACL;AAAA,MACA,WAAW,KAAK,IAAI,GAAG,SAAS;AAAA,IAClC;AAAA,EACF;AAAA,EAQA,MAAc,wBAAwB,QAAgC;AACpE,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,WAAW,KAAK;AAGtB,UAAM,UAAU,KAAK,eAAe,IAAI,MAAM,KAAK,CAAC;AAGpD,UAAM,eAAe,QAAQ,OAAO,WAAS,MAAM,MAAM,YAAY,QAAQ;AAG7E,UAAM,eAAe,aAAa;AAClC,UAAM,YAAY,eAAe,KAAK,OAAO;AAG7C,QAAI,WAAW;AACb,mBAAa,KAAK,EAAE,WAAW,IAAI,CAAC;AAAA,IACtC;AAGA,SAAK,eAAe,IAAI,QAAQ,YAAY;AAE5C,WAAO;AAAA,EACT;AAAA,EAEQ,iBAAiB,QAAsB;AAC7C,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,WAAW,KAAK;AAEtB,UAAM,UAAU,KAAK,eAAe,IAAI,MAAM,KAAK,CAAC;AACpD,UAAM,eAAe,QAAQ,OAAO,WAAS,MAAM,MAAM,YAAY,QAAQ;AAE7E,WAAO,aAAa;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,sBAA4B;AAClC,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,WAAW,KAAK;AAEtB,eAAW,CAAC,QAAQ,OAAO,KAAK,KAAK,eAAe,QAAQ,GAAG;AAC7D,YAAM,eAAe,QAAQ,OAAO,WAAS,MAAM,MAAM,YAAY,QAAQ;AAE7E,UAAI,aAAa,WAAW,GAAG;AAC7B,aAAK,eAAe,OAAO,MAAM;AAAA,MACnC,OAAO;AACL,aAAK,eAAe,IAAI,QAAQ,YAAY;AAAA,MAC9C;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,cAAc,OAAuB;AAC3C,WAAO,sBAAsB,cAAc,KAAK;AAAA,EAClD;AACF;;;AC7aA,IAAM,oBAAN,MAAwB;AAAA,EAAxB;AACE,SAAQ,SAA4B;AACpC,SAAQ,SAA4B;AAAA;AAAA,EAEpC,UAAU,QAA0B;AAClC,SAAK,SAAS;AACd,SAAK,YAAY;AAAA,EACnB;AAAA,EAEA,YAA+B;AAC7B,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,YAAwB;AACtB,QAAI,CAAC,KAAK,QAAQ;AAChB,WAAK,SAAS,KAAK,oBAAoB;AAAA,IACzC;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,cAAoB;AAC1B,QAAI,CAAC,KAAK,OAAQ;AAElB,UAAM,EAAE,QAAQ,OAAO,WAAW,OAAO,IAAI,KAAK;AAElD,SAAK,SAAS;AAAA,MACZ,OAAO,CAAC,YAAoB,SAAoB;AAC9C,gBAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,MAClD;AAAA,MACA,MAAM,CAAC,YAAoB,SAAoB;AAC7C,YAAI,aAAa,UAAU,aAAa,UAAU,aAAa,SAAS;AACtE,kBAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,QAChD;AAAA,MACF;AAAA,MACA,MAAM,CAAC,YAAoB,SAAoB;AAC7C,YAAI,aAAa,UAAU,aAAa,SAAS;AAC/C,kBAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,QAChD;AAAA,MACF;AAAA,MACA,OAAO,CAAC,YAAoB,SAAoB;AAC9C,YAAI,SAAS,aAAa,SAAS;AACjC,kBAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,QAClD;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,sBAAkC;AACxC,WAAO;AAAA,MACL,OAAO,CAAC,YAAoB,SAAoB,QAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,MAChG,MAAM,CAAC,YAAoB,SAAoB,QAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,MAC7F,MAAM,CAAC,YAAoB,SAAoB,QAAQ,KAAK,eAAe,OAAO,IAAI,GAAG,IAAI;AAAA,MAC7F,OAAO,CAAC,YAAoB,SAAoB,QAAQ,MAAM,gBAAgB,OAAO,IAAI,GAAG,IAAI;AAAA,IAClG;AAAA,EACF;AAAA,EAEA,cAAuB;AACrB,WAAO,KAAK,QAAQ,SAAS;AAAA,EAC/B;AAAA,EAEA,oBAA6B;AAC3B,WAAO,KAAK,QAAQ,mBAAmB;AAAA,EACzC;AAAA,EAEA,qBAAqD;AACnD,WAAO,KAAK,QAAQ,mBAAmB;AAAA,EACzC;AACF;AAGA,IAAM,gBAAgB,IAAI,kBAAkB;AAErC,SAAS,iBAAiB,QAAgC;AAC/D,gBAAc,UAAU,MAAM;AAC9B,SAAO;AACT;AAEO,SAAS,gBAAmC;AACjD,SAAO,cAAc,UAAU;AACjC;AAEO,SAAS,gBAA4B;AAC1C,SAAO,cAAc,UAAU;AACjC;AAEO,SAAS,cAAuB;AACrC,SAAO,cAAc,YAAY;AACnC;AAEO,SAAS,oBAA6B;AAC3C,SAAO,cAAc,kBAAkB;AACzC;;;AC1FO,IAAM,aAAN,MAAiB;AAAA,EAItB,YAAY,UAAoC,gBAA8C;AAC5F,SAAK,WAAW;AAEhB,UAAM,uBAA2C;AAAA,MAC/C,GAAG;AAAA,MACH,GAAG;AAAA,IACL;AACA,SAAK,qBAAqB,IAAI,uBAAuB,oBAAoB;AAGzE,gCAA4B,QAAQ;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,YAAY,OAAwB,iBAAoD;AAC5F,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,EAAE,QAAQ,YAAY,OAAO,OAAO,IAAI;AAG9C,QAAI,WAAW;AACf,QAAI,cAAgC;AAEpC,QAAI;AAMF,YAAM,aAAa,MAAM,KAAK,mBAAmB,cAAc,OAAO,eAAe;AACrF,UAAI,CAAC,WAAW,SAAS;AACvB,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,QAAQ,WAAW,QAAQ,OAAO,KAAK,UAAU,KAAK,EAAE;AAAA,QACrE,CAAC;AACD,eAAO;AAAA,MACT;AAGA,YAAM,YAAY,MAAM,KAAK,mBAAmB,eAAe,eAAe;AAC9E,UAAI,CAAC,UAAU,WAAW;AACxB,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,WAAW,UAAU,UAAU;AAAA,QAC5C,CAAC;AACD,eAAO;AAAA,MACT;AAGA,UAAI,CAAC,sBAAsB,eAAe,MAAM,GAAG;AACjD,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,OAAO,yBAAyB;AAAA,QAC7C,CAAC;AACD,eAAO;AAAA,MACT;AAGA,UAAI,CAAC,sBAAsB,mBAAmB,UAAU,GAAG;AACzD,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,OAAO,6BAA6B,WAAW;AAAA,QAC5D,CAAC;AACD,eAAO;AAAA,MACT;AAGA,UAAI,CAAC,sBAAsB,cAAc,KAAK,GAAG;AAC/C,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS,EAAE,OAAO,wBAAwB,MAAM;AAAA,QAClD,CAAC;AACD,eAAO;AAAA,MACT;AAMA,YAAM,WAAW,UAAU;AAAA,QACzB;AAAA,QACA;AAAA,QACA,MAAM;AAAA,QACN,MAAM;AAAA,QACN,MAAM;AAAA,QACN;AAAA,MACF;AAEA,YAAM,SAAS,UAAU,IAAa,QAAQ;AAC9C,UAAI,WAAW,MAAM;AACnB,mBAAW;AACX,sBAAc;AAId,eAAO;AAAA,MACT;AAYA,YAAM,EAAE,MAAM,MAAM,IAAI,MAAO,KAAK,SAAiB,IAAI,oCAAoC;AAAA,QAC3F,WAAW;AAAA,QACX,cAAc;AAAA,QACd,mBAAmB,MAAM,kBAAkB;AAAA,QAC3C,YAAY,MAAM,WAAW;AAAA,QAC7B,UAAU,MAAM,SAAS;AAAA,QACzB,WAAW,UAAU;AAAA,MACvB,CAAC;AAED,UAAI,OAAO;AACT,cAAM,SAAS,cAAc;AAC7B,eAAO,MAAM,cAAc,KAAK;AAEhC,cAAM,WAAW,gBAAgB,KAAK;AACtC,cAAM,YAAY,oCAAoC,QAAQ;AAC9D,cAAM,eAAe;AAErB,8BAAsB,iBAAiB;AAAA,UACrC,MAAM;AAAA,UACN;AAAA,UACA,SAAS;AAAA,YACP,OAAO,cAAc,WAAW;AAAA,YAChC,MAAM,cAAc;AAAA,YACpB,MAAM,cAAc;AAAA,YACpB,SAAS,cAAc;AAAA,YACvB;AAAA,YACA,OAAO,KAAK,UAAU,KAAK;AAAA,YAC3B;AAAA,UACF;AAAA,QACF,CAAC;AAGD,eAAO;AAAA,MACT;AAEA,YAAMC,iBAAgB,SAAS;AAO/B,gBAAU,IAAI,UAAUA,gBAAe,GAAK;AAE5C,YAAM,WAAW,KAAK,IAAI,IAAI;AAG9B,UAAI,MAAM,gBAAgB;AACxB,cAAM,iBAAiB,MAAM,KAAK,cAAc,QAAQ,MAAM,KAAK;AACnE,cAAM,eAAe;AAAA,UACnB,MAAMA,iBAAgB,qBAAqB;AAAA,UAC3C;AAAA,UACA,gBAAgB,MAAM;AAAA,UACtB,SAAS,MAAM;AAAA,UACf,OAAO,MAAM;AAAA,UACb,QAAQ;AAAA,UACR;AAAA,UACA,UAAUA;AAAA,UACV,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,UACX,cAAc;AAAA,QAChB,CAAC;AAAA,MACH;AAEA,aAAOA;AAAA,IAET,SAAS,OAAO;AACd,YAAM,WAAW,gBAAgB,KAAK;AACtC,YAAM,YAAY,oCAAoC,QAAQ;AAC9D,YAAM,eAAe,iBAAiB,QAAQ,MAAM,UAAU;AAE9D,4BAAsB,iBAAiB;AAAA,QACrC,MAAM;AAAA,QACN;AAAA,QACA,SAAS;AAAA,UACP,OAAO;AAAA,UACP;AAAA,UACA,OAAO,KAAK,UAAU,KAAK;AAAA,UAC3B;AAAA,QACF;AAAA,MACF,CAAC;AAGD,YAAM,SAAS,cAAc;AAC7B,aAAO,MAAM,4BAA4B,KAAK;AAC9C,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,eAAe,OAA6D;AAChF,UAAM,EAAE,QAAQ,MAAM,IAAI;AAG1B,UAAM,WAAW,UAAU;AAAA,MACzB;AAAA,MACA,MAAM,kBAAkB;AAAA,MACxB,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAEA,UAAM,SAAS,UAAU,IAAiB,QAAQ;AAClD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAEA,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AAGnC,UAAMC,gBAAe,MAAM,KAAK,gBAAgB,MAAM;AACtD,QAAIA,eAAc;AAChB,gBAAU,IAAI,UAAU,SAAS,GAAK;AACtC,aAAO;AAAA,IACT;AAGA,QAAI,MAAM,gBAAgB;AACxB,YAAM,EAAE,MAAM,SAAS,IAAI,MAAM,KAAK,SACnC,KAAK,yBAAyB,EAC9B,OAAO,MAAM,EACb,GAAG,WAAW,MAAM,EACpB,GAAG,mBAAmB,MAAM,cAAc,EAC1C,GAAG,UAAU,QAAQ,EACrB,GAAG,cAAc,IAAI,EACrB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE,EACzC,MAAM,CAAC;AAEV,YAAM,UAAU,WAAW,CAAC;AAE5B,UAAI,SAAS,SAAS,aAAa;AACjC,kBAAU,IAAI,UAAU,SAAS,GAAK;AACtC,eAAO;AAAA,MACT;AAAA,IACF;AAGA,QAAI,MAAM,WAAW,MAAM,OAAO;AAChC,YAAM,EAAE,MAAM,UAAU,IAAI,MAAM,KAAK,SACpC,KAAK,sBAAsB,EAC3B,OAAO,MAAM,EACb,GAAG,WAAW,MAAM,EACpB,GAAG,YAAY,MAAM,OAAO,EAC5B,GAAG,UAAU,MAAM,KAAK,EACxB,GAAG,UAAU,QAAQ,EACrB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE,EACzC,OAAO;AAEV,UAAI,WAAW,SAAS,eAAe;AACrC,kBAAU,IAAI,UAAU,SAAS,GAAK;AACtC,eAAO;AAAA,MACT;AACA,UAAI,WAAW,SAAS,WAAW;AACjC,kBAAU,IAAI,UAAU,WAAW,GAAK;AACxC,eAAO;AAAA,MACT;AACA,UAAI,WAAW,SAAS,eAAe;AACrC,kBAAU,IAAI,UAAU,eAAe,GAAK;AAC5C,eAAO;AAAA,MACT;AAAA,IACF;AAGA,cAAU,IAAI,UAAU,UAAU,GAAK;AACvC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAiB,OAA+D;AACpF,UAAM,EAAE,QAAQ,MAAM,IAAI;AAG1B,UAAM,WAAW,UAAU;AAAA,MACzB;AAAA,MACA,MAAM,kBAAkB;AAAA,MACxB,MAAM;AAAA,MACN,MAAM;AAAA,IACR;AAGA,UAAMA,gBAAe,MAAM,KAAK,gBAAgB,MAAM;AACtD,QAAIA,eAAc;AAChB,YAAM,cAA6B,EAAE,KAAK,KAAK;AAC/C,gBAAU,IAAI,UAAU,aAAa,GAAK;AAC1C,aAAO;AAAA,IACT;AAGA,QAAI,CAAC,MAAM,gBAAgB;AACzB,aAAO,CAAC;AAAA,IACV;AAIA,UAAM,SAAS,UAAU,IAAmB,QAAQ;AACpD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAEA,UAAM,gBAA+B,CAAC;AAGtC,QAAI,MAAM,OAAO;AACf,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,gBAAgB,EACrB,OAAO,eAAe,EACtB,GAAG,UAAU,MAAM,KAAK;AAE3B,UAAI,OAAO;AAET,YAAI,CAAC,MAAM,gBAAgB;AAEzB,oBAAU,IAAI,UAAU,eAAe,GAAK;AAC5C,iBAAO;AAAA,QACT;AAGA,cAAM,kBAAmC;AAAA,UACvC;AAAA,UACA,gBAAgB,MAAM;AAAA;AAAA,UACtB,WAAW,oBAAI,KAAK;AAAA,QACtB;AAEA,mBAAW,QAAQ,OAAO;AAGxB,qBAAW,aAAa,CAAC,QAAQ,UAAU,UAAU,QAAQ,GAAkB;AAC7E,kBAAM,mBAAmB,GAAG,SAAS,SAAS,KAAK,SAAS;AAC5D,kBAAMD,iBAAgB,MAAM,KAAK;AAAA,cAC/B;AAAA,gBACE;AAAA,gBACA;AAAA,gBACA,YAAY;AAAA,gBACZ,QAAQ,KAAK;AAAA,cACf;AAAA,cACA;AAAA,YACF;AAEA,kBAAM,gBAAgB;AACtB,0BAAc,aAAa,IAAIA;AAAA,UACjC;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,cAAU,IAAI,UAAU,eAAe,GAAK;AAC5C,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,kBAAkB,OAA0E;AAChG,QAAI;AACF,YAAM,EAAE,QAAQ,QAAQ,IAAI;AAC5B,YAAM,EAAE,MAAM,MAAM,IAAI,MAAO,KAAK,SAAiB,IAAI,oBAAoB;AAAA,QAC3E,WAAW;AAAA,QACX,YAAY;AAAA,MACd,CAAC;AAED,UAAI,OAAO;AACT,cAAM,SAAS,cAAc;AAC7B,eAAO,MAAM,kCAAkC,KAAK;AACpD,eAAO;AAAA,MACT;AAEA,UAAI,CAAC,QAAQ,KAAK,WAAW,GAAG;AAC9B,eAAO;AAAA,MACT;AAEA,YAAM,UAAU,KAAK,CAAC;AACtB,UAAI,CAAC,SAAS,QAAQ;AACpB,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,QACL,OAAO,QAAQ;AAAA,QACf,WAAW,QAAQ,eAAe;AAAA,MACpC;AAAA,IACF,SAAS,OAAO;AACd,YAAM,SAAS,cAAc;AAC7B,aAAO,MAAM,2CAA2C,KAAK;AAC7D,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAM,eAAe,OAAiE;AACpF,UAAM,SAA0B;AAAA,MAC9B,YAAY;AAAA,MACZ,kBAAkB;AAAA,MAClB,cAAc;AAAA,IAChB;AAEA,QAAI;AACF,YAAM,EAAE,QAAQ,MAAM,IAAI;AAE1B,YAAM,EAAE,MAAM,MAAM,IAAI,MAAO,KAAK,SAAiB,IAAI,wBAAwB;AAAA,QAC/E,WAAW;AAAA,QACX,mBAAmB,MAAM,kBAAkB;AAAA,QAC3C,YAAY,MAAM,WAAW;AAAA,QAC7B,UAAU,MAAM,SAAS;AAAA,QACzB,WAAW;AAAA;AAAA,MACb,CAAC;AAED,UAAI,OAAO;AACT,cAAM,SAAS,cAAc;AAC7B,eAAO,MAAM,gCAAgC,KAAK;AAClD,eAAO;AAAA,MACT;AAEA,UAAI,CAAC,MAAM,QAAQ,IAAI,GAAG;AACxB,eAAO;AAAA,MACT;AAEA,iBAAW,cAAc,MAA0B;AACjD,YAAI,WAAW,oBAAoB,mBAAmB;AACpD,iBAAO,aAAa;AAAA,QACtB;AAEA,YAAI,WAAW,oBAAoB,uBAAuB;AACxD,iBAAO,mBAAmB,WAAW;AAAA,QACvC;AAEA,YAAI,WAAW,oBAAoB,oBAAoB;AACrD,iBAAO,eAAe,WAAW;AAAA,QACnC;AAAA,MACF;AAEA,aAAO;AAAA,IACT,SAAS,OAAO;AACd,YAAM,SAAS,cAAc;AAC7B,aAAO,MAAM,0CAA0C,KAAK;AAC5D,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,gBAAgB,QAAgC;AAE5D,UAAM,WAAW,eAAe,MAAM;AACtC,UAAM,SAAS,UAAU,IAAa,QAAQ;AAC9C,QAAI,WAAW,MAAM;AACnB,aAAO;AAAA,IACT;AAEA,UAAM,YAAY,KAAK,IAAI;AAC3B,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AAEnC,QAAI;AACF,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,MAAM,EACb,GAAG,WAAW,MAAM,EACpB,GAAG,QAAQ,aAAa,EACxB,IAAI,cAAc,GAAG,EACrB,GAAG,iCAAiC,GAAG,EAAE,EACzC,MAAM,CAAC;AAEV,YAAM,UAAU,KAAK,IAAI,IAAI;AAG7B,UAAI,UAAU,KAAM;AAClB,gBAAQ,KAAK,4DAA4D;AAAA,UACvE;AAAA,UACA,WAAW;AAAA,UACX,OAAO,OAAO;AAAA,QAChB,CAAC;AAAA,MACH;AAEA,YAAMC,gBAAe,CAAC,SAAS,QAAQ,KAAK,SAAS;AAGrD,gBAAU,IAAI,UAAUA,eAAc,GAAK;AAE3C,aAAO,QAAQA,aAAY;AAAA,IAC7B,SAAS,KAAK;AACZ,YAAM,UAAU,KAAK,IAAI,IAAI;AAC7B,cAAQ,MAAM,2CAA2C;AAAA,QACvD;AAAA,QACA,OAAO;AAAA,QACP,WAAW;AAAA,MACb,CAAC;AAED,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,cAAc,QAAwB,OAAkD;AACpG,QAAI,CAAC,QAAQ;AACX,aAAO;AAAA,IACT;AAGA,UAAM,YAAY;AAClB,QAAI,UAAU,KAAK,MAAM,GAAG;AAC1B,aAAO;AAAA,IACT;AAGA,QAAI,CAAC,OAAO;AACV,aAAO;AAAA,IACT;AAGA,QAAI;AAGF,YAAM,EAAE,MAAM,MAAM,OAAO,UAAU,IAAI,MAAM,KAAK,SACjD,KAAK,gBAAgB,EACrB,OAAO,IAAI,EACX,GAAG,UAAU,KAAK,EAClB,GAAG,aAAa,MAAM,EACtB,YAAY;AAGf,UAAI,WAAW;AACb,cAAM,SAAS,cAAc;AAE7B,YAAI,UAAU,SAAS,YAAY;AACjC,iBAAO,KAAK,wCAAwC,EAAE,QAAQ,OAAO,OAAO,UAAU,CAAC;AAAA,QACzF;AACA,eAAO;AAAA,MACT;AAEA,aAAO,MAAM,MAAM;AAAA,IACrB,SAAS,OAAO;AACd,YAAM,SAAS,cAAc;AAC7B,aAAO,KAAK,wCAAwC,EAAE,QAAQ,OAAO,MAAM,CAAC;AAC5E,aAAO;AAAA,IACT;AAAA,EACF;AACF;AASO,SAAS,iBACd,UACA,gBACY;AACZ,SAAO,IAAI,WAAW,UAAU,cAAc;AAChD;;;ACpmBA,IAAM,yBAAN,MAA6B;AAAA,EAA7B;AACE,SAAQ,UAAkC;AAAA,MACxC,aAAa;AAAA,MACb,WAAW;AAAA,MACX,aAAa;AAAA,MACb,cAAc;AAAA,MACd,sBAAsB;AAAA,MACtB,iBAAiB;AAAA,MACjB,qBAAqB;AAAA,MACrB,mBAAmB;AAAA,MACnB,oBAAoB;AAAA,MACpB,uBAAuB;AAAA,IACzB;AAEA,SAAQ,UAAmB;AAAA;AAAA;AAAA;AAAA;AAAA,EAK3B,WAAW,SAAwB;AACjC,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,UAAmB,cAAsB,kBAA2B,OAAa;AAC3F,QAAI,CAAC,KAAK,SAAS;AACjB;AAAA,IACF;AAEA,SAAK,QAAQ;AAEb,QAAI,UAAU;AACZ,WAAK,QAAQ;AAAA,IACf,OAAO;AACL,WAAK,QAAQ;AACb,WAAK,QAAQ;AAAA,IACf;AAEA,QAAI,iBAAiB;AACnB,WAAK,QAAQ;AAAA,IACf;AAEA,SAAK,QAAQ,qBAAqB;AAClC,SAAK,QAAQ,sBAAsB,KAAK,QAAQ,oBAAoB,KAAK,QAAQ;AACjF,SAAK,QAAQ,eAAe,KAAK,QAAQ,YAAY,KAAK,QAAQ;AAAA,EACpE;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,SAAwB;AACvC,QAAI,CAAC,KAAK,SAAS;AACjB;AAAA,IACF;AAEA,QAAI,SAAS;AACX,WAAK,QAAQ;AAAA,IACf,OAAO;AACL,WAAK,QAAQ;AAAA,IACf;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAqC;AACnC,WAAO,EAAE,GAAG,KAAK,QAAQ;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKA,QAAc;AACZ,SAAK,UAAU;AAAA,MACb,aAAa;AAAA,MACb,WAAW;AAAA,MACX,aAAa;AAAA,MACb,cAAc;AAAA,MACd,sBAAsB;AAAA,MACtB,iBAAiB;AAAA,MACjB,qBAAqB;AAAA,MACrB,mBAAmB;AAAA,MACnB,oBAAoB;AAAA,MACpB,uBAAuB;AAAA,IACzB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAqB;AACnB,UAAM,IAAI,KAAK;AACf,WAAO;AAAA;AAAA,kBAEO,EAAE,WAAW;AAAA,gBACf,EAAE,SAAS,MAAM,EAAE,eAAe,KAAK,QAAQ,CAAC,CAAC;AAAA,kBAC/C,EAAE,WAAW;AAAA,2BACJ,EAAE,oBAAoB;AAAA,sBAC3B,EAAE,eAAe;AAAA,2BACZ,EAAE,oBAAoB,QAAQ,CAAC,CAAC;AAAA,0BACjC,EAAE,kBAAkB;AAAA,6BACjB,EAAE,qBAAqB;AAAA;AAAA,EAElD;AACF;AAGA,IAAM,qBAAqB,IAAI,uBAAuB;AAK/C,SAAS,8BAAoC;AAClD,qBAAmB,WAAW,IAAI;AACpC;AAKO,SAAS,+BAAqC;AACnD,qBAAmB,WAAW,KAAK;AACrC;AAKO,SAAS,iCAA0C;AACxD,SAAO,mBAAmB,UAAU;AACtC;AAKO,SAAS,sBACd,UACA,cACA,kBAA2B,OACrB;AACN,qBAAmB,YAAY,UAAU,cAAc,eAAe;AACxE;AAKO,SAAS,iBAAiB,SAAwB;AACvD,qBAAmB,iBAAiB,OAAO;AAC7C;AAKO,SAAS,wBAAgD;AAC9D,SAAO,mBAAmB,WAAW;AACvC;AAKO,SAAS,0BAAgC;AAC9C,qBAAmB,MAAM;AAC3B;AAKO,SAAS,wBAAgC;AAC9C,SAAO,mBAAmB,WAAW;AACvC;;;AC9LA,IAAM,mBAAmB,oBAAI,IAA8B;AAQ3D,SAAS,yBAAyB,OAAgC;AAChE,SAAO,UAAU,sBAAsB;AAAA,IACrC,QAAQ,MAAM;AAAA,IACd,gBAAgB,MAAM,MAAM;AAAA;AAAA,IAC5B,SAAS,MAAM,MAAM;AAAA,IACrB,OAAO,MAAM,MAAM;AAAA,IACnB,YAAY,MAAM;AAAA,IAClB,QAAQ,MAAM;AAAA,EAChB,CAAC;AACH;AAYA,eAAsB,mBACpB,OACA,SACkB;AAClB,QAAM,MAAM,yBAAyB,KAAK;AAG1C,QAAM,kBAAkB,iBAAiB,IAAI,GAAG;AAChD,MAAI,iBAAiB;AACnB,WAAO;AAAA,EACT;AAGA,QAAM,iBAAiB,QAAQ,KAAK,EAAE,QAAQ,MAAM;AAElD,qBAAiB,OAAO,GAAG;AAAA,EAC7B,CAAC;AAGD,mBAAiB,IAAI,KAAK,cAAc;AAExC,SAAO;AACT;AAKO,SAAS,wBAA8B;AAC5C,mBAAiB,MAAM;AACzB;AAOO,SAAS,0BAAkC;AAChD,SAAO,iBAAiB;AAC1B;;;ACpDA,IAAMC,OAAM,aAAa,SAAS;AAGlC,IAAI,eAAkC;AAQ/B,SAAS,UAAU,UAAoC,QAAoC;AAChG,QAAM,SAAS,cAAc;AAG7B,QAAM,gBAAgB,YAAY,IAAI,SAAS;AAC/C,QAAM,aAAyB;AAAA,IAC7B;AAAA,IACA,OAAO;AAAA,IACP,UAAU;AAAA,IACV,iBAAiB;AAAA,IACjB,GAAG;AAAA,EACL;AAEA,mBAAiB,UAAU;AAK3B,QAAM,iBACJ,WAAW,UAAa,CAAC,gBACrB,SACA;AAAA;AAAA,IAEE,GAAI,iBAAiB,QAAQ,UAAU,uBAAuB,SAC1D,EAAE,oBAAoB,MAAM,IAC5B,CAAC;AAAA;AAAA,IAEL,GAAG,QAAQ;AAAA,EACb;AAGN,iBAAe,iBAAiB,UAAU,cAAc;AAGxD,QAAM,kBAAkB,QAAQ,OAAO,YAAY,SAAU,QAAQ,aAAa,8BAA8B;AAChH,QAAM,cAAc,kBAAkB;AAAA,IACpC,aAAa,QAAQ,OAAO;AAAA,IAC5B,WAAW,QAAQ,OAAO;AAAA,EAC5B,IAAI;AACJ,QAAM,eAAe,mBAAmB,UAAU,iBAAiB,WAAW;AAC9E,wBAAsB,YAAY;AAGlC,MAAI,QAAQ,aAAa,2BAA2B;AAClD,gCAA4B;AAAA,EAC9B;AAEF;AAOO,SAAS,oBAA6B;AAC3C,SAAO,iBAAiB;AAC1B;AAQA,SAAS,YAAwB;AAC/B,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,wBAAwB;AAAA,EACpC;AACA,SAAO;AACT;AAkBA,eAAsB,eACpB,OAIA,SACsB;AACtB,MAAI;AACF,UAAM,SAAS,UAAU;AAGzB,UAAM,mBAAmB,MAAM,OAAO,iBAAiB,EAAE,MAAM,MAAM;AACrE,QAAI,kBAAkB;AACpB,aAAO;AAAA,IACT;AAIA,UAAM,aAAa,MAAM,iBAAiB;AAAA,MACxC,MAAM;AAAA,MACN;AAAA;AAAA,MACA;AAAA,MACA,OAAO,UAAU;AAAA,IACnB;AAEA,QAAI,CAAC,WAAW,WAAW,CAAC,WAAW,eAAe;AACpD,YAAM,WAAW,SAAS,IAAI,iCAAiC;AAAA,IACjE;AAGA,WAAO,OAAO,eAAe;AAAA,MAC3B,GAAG;AAAA,MACH,OAAO,WAAW;AAAA,IACpB,CAAC;AAAA,EACH,SAAS,OAAO;AAEd,UAAM;AAAA,EACR;AACF;AAsBA,eAAsB,iBACpB,OAIA,SACwB;AACxB,MAAI;AACF,UAAM,SAAS,UAAU;AAIzB,UAAM,aAAa,MAAM,iBAAiB;AAAA,MACxC,MAAM;AAAA,MACN;AAAA;AAAA,MACA;AAAA,MACA,OAAO,UAAU;AAAA,IACnB;AAEA,QAAI,CAAC,WAAW,WAAW,CAAC,WAAW,eAAe;AACpD,YAAM,WAAW,SAAS,IAAI,iCAAiC;AAAA,IACjE;AAGA,WAAO,OAAO,iBAAiB;AAAA,MAC7B,GAAG;AAAA,MACH,OAAO,WAAW;AAAA,IACpB,CAAC;AAAA,EACH,SAAS,OAAO;AAEd,UAAM;AAAA,EACR;AACF;AAEA,eAAsB,kBAAkB,OAGL;AACjC,MAAI;AACF,UAAM,SAAS,UAAU;AACzB,WAAO,MAAM,OAAO,kBAAkB,KAAK;AAAA,EAC7C,SAAS,OAAO;AAEd,UAAM;AAAA,EACR;AACF;AAEA,eAAsB,eACpB,OAIA,SAC0B;AAC1B,QAAM,SAAS,UAAU;AAGzB,QAAM,aAAa,MAAM,iBAAiB;AAAA,IACxC,MAAM;AAAA,IACN;AAAA;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,EACnB;AAEA,MAAI,CAAC,WAAW,WAAW,CAAC,WAAW,eAAe;AACpD,UAAM,WAAW,SAAS,IAAI,iCAAiC;AAAA,EACjE;AAGA,SAAO,OAAO,eAAe;AAAA,IAC3B,GAAG;AAAA,IACH,OAAO,WAAW;AAAA,EACpB,CAAC;AACH;AAoBA,eAAsB,YACpB,OACA,SAOA,wBAAwC,MACtB;AAClB,QAAM,SAAS,UAAU;AAKzB,MAAI,0BAA0B,MAAM;AAClC,WAAO;AAAA,EACT;AAGA,MAAI,0BAA0B,MAAM;AAClC,UAAM,mBAAmB,MAAM,OAAO,iBAAiB,EAAE,MAAM,MAAM;AACrE,QAAI,kBAAkB;AACpB,aAAO;AAAA,IACT;AAAA,EACF;AAIA,MAAI,kBAAkB;AACtB,MAAI,CAAC,mBAAmB,MAAM,MAAM,OAAO;AACzC,QAAI;AACF,YAAM,EAAE,KAAK,IAAI,MAAM,OAAO,UAAU,EACrC,KAAK,WAAW,EAChB,OAAO,MAAM,EACb,GAAG,MAAM,MAAM,MAAM,KAAK,EAC1B,GAAG,aAAa,IAAI,EACpB,OAAO;AACV,UAAI,MAAM;AACR,0BAAkB,KAAK;AAAA,MACzB;AAAA,IACF,SAAS,KAAK;AAAA,IAEd;AAAA,EACF;AAIA,MAAI;AACJ,MAAI,MAAM,QAAQ;AAChB,QAAI;AACF,YAAM,YAAY,MAAM;AAAA,QACtB,MAAM;AAAA,QACN,MAAM,MAAM;AAAA,QACZ;AAAA,MACF;AACA,UAAI,CAAC,WAAW;AACd,cAAM,IAAI,MAAM,QAAQ,MAAM,MAAM,+BAA+B;AAAA,MACrE;AACA,sBAAgB;AAAA,IAClB,SAAS,KAAK;AACZ,MAAAA,KAAI,MAAM,kCAAkC,GAAG;AAC/C,YAAM,IAAI,MAAM,wCAAwC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,EAAE;AAAA,IAC5G;AAAA,EACF,OAAO;AAGL,oBAAgB;AAAA,EAClB;AAGA,QAAM,aAAa,MAAM,iBAAiB;AAAA,IACxC,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,EACnB;AAEA,MAAI,CAAC,WAAW,WAAW,CAAC,WAAW,eAAe;AACpD,UAAM,WAAW,SAAS,IAAI,iCAAiC;AAAA,EACjE;AAGA,QAAM,iBAAiB,WAAW;AAGlC,MAAI,kBAAkB,UAAU,MAAM,QAAQ;AAE5C,UAAM,aAAoB;AAAA,MACxB,gBAAgB,eAAe;AAAA;AAAA,MAC/B,SAAS,eAAe;AAAA,MACxB,OAAO,eAAe;AAAA,IACxB;AAMA,UAAM,uBAAwC;AAAA,MAC5C,QAAQ,MAAM;AAAA,MACd,gBAAgB,WAAW,kBAAkB;AAAA,MAC7C,WAAW,oBAAI,KAAK;AAAA,IACtB;AAEA,UAAM,aAA8B;AAAA,MAClC,GAAG;AAAA,MACH,OAAO;AAAA,IACT;AAEA,UAAM,qBAAqB,MAAM,OAAO,YAAY,YAAY,oBAAoB;AAIpF,QAAI,eAAe,kBAAkB,eAAe,SAAS;AAC3D,YAAM,WAAkB;AAAA,QACtB,gBAAgB,eAAe;AAAA,QAC/B,SAAS;AAAA;AAAA,QACT,OAAO,eAAe;AAAA,MACxB;AAEA,YAAM,qBAAsC;AAAA,QAC1C,QAAQ,MAAM;AAAA,QACd,gBAAgB,SAAS,kBAAkB;AAAA,QAC3C,WAAW,oBAAI,KAAK;AAAA,MACtB;AAEA,YAAM,WAA4B;AAAA,QAChC,GAAG;AAAA,QACH,OAAO;AAAA,MACT;AAEA,YAAM,mBAAmB,MAAM,OAAO,YAAY,UAAU,kBAAkB;AAI9E,aAAO,sBAAsB;AAAA,IAC/B;AAGA,WAAO;AAAA,EACT;AAGA,QAAM,kBAAmC;AAAA,IACvC,QAAQ,MAAM;AAAA,IACd,gBAAgB,eAAe,kBAAkB;AAAA,IACjD,WAAW,oBAAI,KAAK;AAAA;AAAA,EAEtB;AAGA,QAAM,iBAAkC;AAAA,IACtC,GAAG;AAAA,IACH,OAAO;AAAA,EACT;AAEA,SAAO,OAAO,YAAY,gBAAgB,eAAe;AAC3D;AAYA,eAAsB,kBACpB,OACA,SACkB;AAClB,QAAM,EAAE,QAAQ,OAAO,YAAY,OAAO,IAAI;AAG9C,QAAM,WAAW,UAAU,sBAAsB;AAAA,IAC/C;AAAA,IACA,gBAAgB,MAAM;AAAA,IACtB,SAAS,MAAM;AAAA,IACf,OAAO,MAAM;AAAA,IACb;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,SAAS,UAAU,IAAa,UAAU,IAAI;AACpD,MAAI,WAAW,MAAM;AACnB,WAAO;AAAA,EACT;AAGA,SAAO,mBAAmB,OAAO,OAAO,eAAe;AAIrD,UAAM,SAAS,MAAM,YAAY,YAAY,SAAS,IAAI;AAG1D,UAAM,mBAAmB,CAAC,CAAC,UAAU,WAAW,SAAS,OAAO;AAGhE,cAAU,IAAI,UAAU,QAAQ,QAAW,gBAAgB;AAE3D,WAAO;AAAA,EACT,CAAC;AACH;AAQA,eAAsB,cAAc,OAA0C;AAC5E,SAAO,YAAY,KAAK;AAC1B;AAQA,eAAsB,iBAAiB,OAKlB;AACnB,QAAM,EAAE,aAAa,GAAG,UAAU,IAAI;AAEtC,aAAW,cAAc,aAAa;AACpC,UAAMC,iBAAgB,MAAM,YAAY;AAAA,MACtC,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAED,QAAIA,gBAAe;AACjB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAQA,eAAsB,kBAAkB,OAKnB;AACnB,QAAM,EAAE,aAAa,GAAG,UAAU,IAAI;AAEtC,aAAW,cAAc,aAAa;AACpC,UAAMA,iBAAgB,MAAM,YAAY;AAAA,MACtC,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAED,QAAI,CAACA,gBAAe;AAClB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAQA,eAAsB,aAAa,QAAgC;AACjE,QAAM,SAAS,UAAU;AACzB,SAAO,OAAO,iBAAiB,EAAE,MAAM;AACzC;AAcA,eAAsB,iBACpB,QACA,OACA,SAC4C;AAC5C,QAAM,SAAS,UAAU;AAEzB,MAAI;AAEF,QAAI,gBAAgB;AACpB,QAAI,CAAC,iBAAiB,SAAS;AAE7B,YAAM,EAAE,MAAM,IAAI,IAAI,MAAM,OAAO,UAAU,EAC1C,KAAK,WAAW,EAChB,OAAO,IAAI,EACX,GAAG,QAAQ,OAAO,EAClB,GAAG,aAAa,IAAI,EACpB,OAAO;AACV,sBAAgB,KAAK;AAAA,IACvB;AAEA,QAAI,CAAC,eAAe;AAClB,YAAM,IAAI,MAAM,oCAAoC,MAAM,EAAE;AAAA,IAC9D;AAGA,QAAI,iBAAgC;AACpC,UAAM,YAAY;AAClB,QAAI,CAAC,UAAU,KAAK,MAAM,GAAG;AAE3B,YAAM,EAAE,MAAM,KAAK,IAAI,MAAM,OAAO,UAAU,EAC3C,KAAK,gBAAgB,EACrB,OAAO,IAAI,EACX,GAAG,UAAU,aAAa,EAC1B,GAAG,aAAa,MAAM,EACtB,YAAY;AACf,uBAAiB,MAAM,MAAM;AAAA,IAC/B;AAGA,QAAI,CAAC,UAAU,KAAK,cAAc,GAAG;AACnC,YAAM,IAAI,MAAM,4BAA4B,MAAM,kBAAkB;AAAA,IACtE;AAGA,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,OAAO,UAAU,EAC5C,IAAI,uBAA8B;AAAA,MACjC,WAAW;AAAA,IACb,CAAC;AAEH,QAAI,OAAO;AACT,MAAAD,KAAI,MAAM,mCAAmC,EAAE,QAAQ,OAAO,MAAM,CAAC;AACrE,YAAM,IAAI,MAAM,kCAAkC,MAAM,OAAO,EAAE;AAAA,IACnE;AAEA,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,MAAM,QAAQ,cAAc,+BAA+B;AAAA,IACvE;AAEA,WAAO;AAAA,EACT,SAAS,KAAK;AACZ,IAAAA,KAAI,MAAM,mCAAmC,GAAG;AAChD,UAAM,eAAe,QAAQ,MAAM,IAAI,MAAM,kCAAkC,OAAO,GAAG,CAAC,EAAE;AAAA,EAC9F;AACF;AASA,eAAsB,oBAAoB,QAAc,gBAAwC;AAC9F,QAAM,cAAc,MAAM,eAAe;AAAA,IACvC;AAAA,IACA,OAAO,EAAE,eAAe;AAAA,EAC1B,CAAC;AAED,SAAO,gBAAgB,WAAW,gBAAgB;AACpD;AASA,eAAsB,aAAa,QAAc,OAAgC;AAC/E,MAAI,CAAC,MAAM,WAAW,CAAC,MAAM,OAAO;AAClC,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,MAAM,eAAe,EAAE,QAAQ,MAAM,CAAC;AAC1D,SAAO,gBAAgB,WAAW,gBAAgB;AACpD;AAQO,SAAS,oBAAoB,QAAc,gBAA6B;AAC7E,QAAM,WAAW,iBACb;AAAA,IACE,eAAe,WAAW,QAAQ,cAAc;AAAA,IAChD,UAAU,MAAM,IAAI,cAAc;AAAA,IAClC,OAAO,MAAM,IAAI,cAAc;AAAA,EACjC,IACA;AAAA,IACE,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM;AAAA,IAChB,OAAO,MAAM;AAAA,EACf;AAEJ,WAAS,QAAQ,aAAW,UAAU,WAAW,OAAO,CAAC;AAC3D;AAOO,SAAS,4BAA4B,gBAA4B;AACtE,YAAU,WAAW,eAAe,aAAa,cAAc,CAAC;AAClE;AAOO,SAAS,qBAAqB,SAAuB;AAC1D,YAAU,WAAW,eAAe,MAAM,OAAO,CAAC;AACpD;AAOO,SAAS,mBAAmB,OAAmB;AACpD,YAAU,WAAW,eAAe,IAAI,KAAK,CAAC;AAChD;AAKO,SAAS,aAAmB;AACjC,YAAU,MAAM;AAClB;","names":["log","hasPermission","isSuperAdmin","log","hasPermission"]}

package/dist/chunk-5DRSZLL2.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/styles/index.ts"],"sourcesContent":["/**\n * @file Styles Index\n * @package @jmruthers/pace-core\n * @module Styles\n * @since 2.0.0\n * \n * Central export for all pace-core styles.\n * This file provides easy access to all CSS files for consuming applications.\n * \n * @example\n * ```tsx\n * // Import the core CSS file\n * import '@jmruthers/pace-core/src/styles/core.css';\n * ```\n * \n * @example\n * ```tsx\n * // For dynamic theming, import from theming/runtime\n * import { applyPalette, clearPalette } from '@jmruthers/pace-core/theming/runtime';\n * ```\n */\n\n// Note: CSS files are available at runtime via package exports\n// Import them using the individual file paths\n\n// Type definitions for style imports\nexport interface StyleImport {\n  default: string;\n}\n\n// Style configuration\nexport const styleConfig = {\n  core: {\n    path: './core.css',\n    description: 'Complete CSS foundation including base styles, theme mappings, fonts, resets, and neutral tokens'\n  }\n} as const;\n\n// Helper function to get style paths\nexport function getStylePath(style: keyof typeof styleConfig): string {\n  return styleConfig[style].path;\n}\n\n// Helper function to get all style paths\nexport function getAllStylePaths(): string[] {\n  return Object.values(styleConfig).map(config => config.path);\n}\n"],"mappings":";AA+BO,IAAM,cAAc;AAAA,EACzB,MAAM;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAGO,SAAS,aAAa,OAAyC;AACpE,SAAO,YAAY,KAAK,EAAE;AAC5B;AAGO,SAAS,mBAA6B;AAC3C,SAAO,OAAO,OAAO,WAAW,EAAE,IAAI,YAAU,OAAO,IAAI;AAC7D;","names":[]}

package/dist/chunk-5EC5MEWX.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/hooks/useZodForm.ts","../src/hooks/useFormDialog.ts","../src/hooks/useOrganisationPermissions.ts","../src/utils/storage/index.ts","../src/hooks/public/usePublicEvent.ts","../src/hooks/public/usePublicEventLogo.ts","../src/hooks/public/usePublicRouteParams.ts"],"sourcesContent":["\n/**\n * Zod Form Hook\n * \n * Enhanced form hook with Zod validation\n */\n\nimport { useForm } from 'react-hook-form';\nimport { zodResolver } from '@hookform/resolvers/zod';\nimport { z } from 'zod';\n\ninterface UseZodFormProps<T extends z.ZodTypeAny> {\n  schema: T;\n  defaultValues?: Partial<z.infer<T>>;\n  mode?: 'onSubmit' | 'onBlur' | 'onChange' | 'onTouched' | 'all';\n}\n\nexport function useZodForm<T extends z.ZodTypeAny>({\n  schema,\n  defaultValues,\n  mode = 'onSubmit'\n}: UseZodFormProps<T>) {\n  return useForm<z.infer<T>>({\n    resolver: zodResolver(schema),\n    defaultValues: defaultValues as any,\n    mode\n  });\n}\n","/**\n * @file useFormDialog Hook\n * @package @jmruthers/pace-core\n * @module Hooks\n * @since 0.1.0\n * \n * Generic React hook for managing form dialog state (open/close, form data, reset behavior).\n * \n * @example\n * ```ts\n * interface ContactFormData {\n *   name: string;\n *   email: string;\n * }\n * \n * function ContactDialog() {\n *   const { isOpen, formData, openDialog, closeDialog, handleOpenChange } = \n *     useFormDialog<ContactFormData>();\n * \n *   // Use in Dialog component\n *   // <Dialog open={isOpen} onOpenChange={handleOpenChange}>...</Dialog>\n * }\n * ```\n */\n\nimport { useState } from 'react';\n\n/**\n * Options for configuring the useFormDialog hook behavior\n */\nexport interface UseFormDialogOptions<T = unknown> {\n  /**\n   * Callback invoked when the dialog open state changes\n   * @param open - The new open state\n   */\n  onOpenChange?: (open: boolean) => void;\n  \n  /**\n   * Whether to reset form data when the dialog closes\n   * @default true\n   */\n  resetOnClose?: boolean;\n}\n\n/**\n * Return type for the useFormDialog hook\n */\nexport interface UseFormDialogReturn<T = unknown> {\n  /**\n   * Current open state of the dialog\n   */\n  isOpen: boolean;\n  \n  /**\n   * Current form data (null when dialog is closed or no data provided)\n   */\n  formData: T | null;\n  \n  /**\n   * Open the dialog with optional form data\n   * @param data - Optional form data to populate the dialog\n   */\n  openDialog: (data?: T | null) => void;\n  \n  /**\n   * Close the dialog\n   */\n  closeDialog: () => void;\n  \n  /**\n   * Handler for controlled dialog components (e.g., Radix UI Dialog)\n   * @param open - The new open state\n   */\n  handleOpenChange: (open: boolean) => void;\n}\n\n/**\n * Generic React hook for managing form dialog state.\n * \n * Provides state management for form dialogs including:\n * - Open/close state\n * - Form data management\n * - Automatic reset on close (configurable)\n * - Controlled and uncontrolled usage patterns\n * \n * @param options - Configuration options for the hook\n * @returns Object containing dialog state and control functions\n * \n * @example\n * ```ts\n * // Basic usage\n * const { isOpen, openDialog, closeDialog } = useFormDialog();\n * \n * // With form data\n * interface UserData {\n *   id: string;\n *   name: string;\n * }\n * const { isOpen, formData, openDialog } = useFormDialog<UserData>();\n * \n * // Open with data\n * openDialog({ id: '1', name: 'John' });\n * \n * // Controlled usage with callback\n * const { handleOpenChange, isOpen } = useFormDialog({\n *   onOpenChange: (open) => console.log('Dialog state:', open),\n *   resetOnClose: false\n * });\n * ```\n */\nexport function useFormDialog<T = unknown>({\n  onOpenChange,\n  resetOnClose = true,\n}: UseFormDialogOptions<T> = {}): UseFormDialogReturn<T> {\n  const [isOpen, setIsOpen] = useState(false);\n  const [formData, setFormData] = useState<T | null>(null);\n\n  // React Compiler handles memoization automatically\n  const openDialog = (data: T | null = null) => {\n    setFormData(data);\n    setIsOpen(true);\n    onOpenChange?.(true);\n  };\n\n  const closeDialog = () => {\n    setIsOpen(false);\n    if (resetOnClose) {\n      setFormData(null);\n    }\n    onOpenChange?.(false);\n  };\n\n  const handleOpenChange = (open: boolean) => {\n    setIsOpen(open);\n    if (!open && resetOnClose) {\n      setFormData(null);\n    }\n    onOpenChange?.(open);\n  };\n\n  return {\n    isOpen,\n    formData,\n    openDialog,\n    closeDialog,\n    handleOpenChange,\n  };\n}\n","/**\n * @file useOrganisationPermissions Hook\n * @package @jmruthers/pace-core\n * @module Hooks/useOrganisationPermissions\n * @since 0.4.0\n *\n * Hook for managing organisation-specific permissions and role validation.\n * Provides secure access to user's role and permissions within organisations.\n *\n * @example\n * ```tsx\n * function OrganisationComponent() {\n *   const { \n *     isOrgAdmin, \n *     canManageMembers,\n *     userRole,\n *     hasOrganisationAccess\n *   } = useOrganisationPermissions();\n *   \n *   return (\n *     <div>\n *       {isOrgAdmin && <AdminPanel />}\n *       {canManageMembers && <MemberManagement />}\n *       <p>Your role: {userRole}</p>\n *     </div>\n *   );\n * }\n * \n * // For specific organisation\n * function MultiOrgComponent() {\n *   const permissions = useOrganisationPermissions('org-123');\n *   \n *   if (!permissions.hasOrganisationAccess) {\n *     return <div>No access to this organisation</div>;\n *   }\n *   \n *   return <div>Role in org-123: {permissions.userRole}</div>;\n * }\n * ```\n *\n * @security\n * - Validates user membership in organisation\n * - Provides role-based permission checks\n * - Ensures secure access to organisation data\n * - Real-time permission validation\n */\n\nimport { useMemo } from 'react';\nimport { useOrganisations } from './useOrganisations';\nimport { useOrganisationSecurity } from './useOrganisationSecurity';\nimport type { OrganisationRole, OrganisationPermission } from '../types/organisation';\n\n/**\n * Return value of the useOrganisationPermissions hook.\n * Provides organisation-specific permissions and role information.\n */\nexport interface UseOrganisationPermissionsReturn {\n  /** User's role in the organisation */\n  userRole: OrganisationRole | 'no_access';\n  \n  /** Whether user has organisation admin role */\n  isOrgAdmin: boolean;\n  \n  /** Whether user is a super admin */\n  isSuperAdmin: boolean;\n  \n  /** Whether user can moderate content */\n  canModerate: boolean;\n  \n  /** Whether user can manage members */\n  canManageMembers: boolean;\n  \n  /** Whether user can manage organisation settings */\n  canManageSettings: boolean;\n  \n  /** Whether user can manage events */\n  canManageEvents: boolean;\n  \n  /** Whether user has any admin privileges */\n  hasAdminPrivileges: boolean;\n  \n  /** Whether user has access to the organisation */\n  hasOrganisationAccess: boolean;\n  \n  /** Check if user has specific permission */\n  hasPermission: (permission: OrganisationPermission) => boolean;\n  \n  /** Get all permissions for the user */\n  getAllPermissions: () => OrganisationPermission[];\n  \n  /** Organisation ID being checked */\n  organisationId: string;\n}\n\n/**\n * Hook to access organisation-specific permissions and roles\n * \n * @param orgId - Optional organisation ID. Defaults to currently selected organisation\n * @returns Organisation permissions and role information\n */\nexport function useOrganisationPermissions(orgId?: string): UseOrganisationPermissionsReturn {\n  const { \n    selectedOrganisation, \n    getUserRole, \n    validateOrganisationAccess,\n    ensureOrganisationContext\n  } = useOrganisations();\n  \n  // Get super admin context if available (may not be available in all contexts)\n  let superAdminContext: { isSuperAdmin: boolean } = { isSuperAdmin: false };\n  try {\n    superAdminContext = useOrganisationSecurity().superAdminContext;\n  } catch {\n    // Not available in this context, default to false\n  }\n\n  const organisationId = useMemo(() => {\n    if (orgId) {\n      return orgId;\n    }\n    try {\n      const currentOrg = ensureOrganisationContext();\n      return currentOrg.id;\n    } catch {\n      return '';\n    }\n  }, [orgId, ensureOrganisationContext]);\n\n  const userRole = useMemo(() => {\n    if (!organisationId) return 'no_access';\n    const role = getUserRole(organisationId);\n    // Map to valid OrganisationRole or 'no_access'\n    if (role === 'org_admin' || role === 'leader' || role === 'member' || role === 'supporter') {\n      return role as OrganisationRole;\n    }\n    return 'no_access';\n  }, [organisationId, getUserRole]);\n\n  const hasOrganisationAccess = useMemo(() => {\n    if (!organisationId) return false;\n    return validateOrganisationAccess(organisationId);\n  }, [organisationId, validateOrganisationAccess]);\n\n  const permissions = useMemo(() => {\n    if (!hasOrganisationAccess || userRole === 'no_access') {\n      return {\n        isOrgAdmin: false,\n        isSuperAdmin: false,\n        canModerate: false,\n        canManageMembers: false,\n        canManageSettings: false,\n        canManageEvents: false,\n        hasAdminPrivileges: false\n      };\n    }\n\n    const isOrgAdmin = userRole === 'org_admin';\n    const isLeader = userRole === 'leader';\n    const isMember = userRole === 'member';\n    const isSupporter = userRole === 'supporter';\n\n    // Super admin status - database backed (user_metadata can be spoofed)\n    // Get super admin status from the security hook\n    const isSuperAdmin = superAdminContext.isSuperAdmin;\n\n    return {\n      isOrgAdmin,\n      isSuperAdmin,\n      canModerate: isSuperAdmin || isOrgAdmin || isLeader,\n      canManageMembers: isSuperAdmin || isOrgAdmin || isLeader, // Leaders can manage members\n      canManageSettings: isSuperAdmin || isOrgAdmin,\n      canManageEvents: isSuperAdmin || isOrgAdmin || isLeader,\n      hasAdminPrivileges: isSuperAdmin || isOrgAdmin || isLeader // Leaders have admin privileges\n    };\n  }, [hasOrganisationAccess, userRole]);\n\n  const hasPermission = useMemo(() => {\n    return (permission: OrganisationPermission): boolean => {\n      if (!hasOrganisationAccess || userRole === 'no_access') {\n        return false;\n      }\n\n      // Super admin has all permissions (org_admin acts as super admin within org)\n      if (userRole === 'org_admin' || permission === '*') {\n        return true;\n      }\n\n      // Map permissions to roles using the defined permissions from organisation types\n      const rolePermissions: Record<OrganisationRole, OrganisationPermission[]> = {\n        supporter: ['view_basic'],\n        member: ['view_basic', 'view_details'],\n        leader: ['view_basic', 'view_details', 'moderate_content', 'manage_events'],\n        org_admin: ['view_basic', 'view_details', 'moderate_content', 'manage_events', 'manage_members', 'manage_settings']\n      };\n\n      const userPermissions = rolePermissions[userRole as OrganisationRole] || [];\n      return userPermissions.includes(permission) || userPermissions.includes('*');\n    };\n  }, [hasOrganisationAccess, userRole]);\n\n  const getAllPermissions = useMemo(() => {\n    return (): OrganisationPermission[] => {\n      if (!hasOrganisationAccess || userRole === 'no_access') {\n        return [];\n      }\n\n      const rolePermissions: Record<OrganisationRole, OrganisationPermission[]> = {\n        supporter: ['view_basic'],\n        member: ['view_basic', 'view_details'],\n        leader: ['view_basic', 'view_details', 'moderate_content', 'manage_events'],\n        org_admin: ['view_basic', 'view_details', 'moderate_content', 'manage_events', 'manage_members', 'manage_settings']\n      };\n\n      return rolePermissions[userRole as OrganisationRole] || [];\n    };\n  }, [hasOrganisationAccess, userRole]);\n\n  return useMemo(() => ({\n    userRole,\n    organisationId,\n    hasOrganisationAccess,\n    hasPermission,\n    getAllPermissions,\n    ...permissions\n  }), [userRole, organisationId, hasOrganisationAccess, hasPermission, getAllPermissions, permissions]);\n} ","/**\n * Storage utilities for pace-core\n * \n * Provides app-segregated file storage with organisation-scoped access\n */\n\nexport * from './types';\nexport * from './config';\nexport * from './helpers';\n\n// Import functions for StorageUtils class\nimport {\n  uploadFile,\n  getPublicUrl,\n  getSignedUrl,\n  deleteFile,\n  downloadFile,\n  listFiles,\n  archiveFile,\n  generateFilePath,\n  generateUniqueFileName,\n  extractFileMetadata\n} from './helpers';\n\n// Re-export commonly used functions for convenience\nexport {\n  uploadFile,\n  getPublicUrl,\n  getSignedUrl,\n  deleteFile,\n  downloadFile,\n  listFiles,\n  archiveFile,\n  generateFilePath,\n  generateUniqueFileName,\n  extractFileMetadata\n};\n\nexport {\n  validateFileSize,\n  getFileSizeLimit,\n  formatFileSize\n} from './config';\n\n\nexport {\n  FILE_SIZE_LIMITS,\n  DEFAULT_FILE_SIZE_LIMIT,\n  STORAGE_CONFIG,\n  APP_PATH_MAPPING\n} from './config';\n\n/**\n * StorageUtils class for convenient access to storage functions\n */\nexport class StorageUtils {\n  static generateFilePath = generateFilePath;\n  static generateUniqueFileName = generateUniqueFileName;\n  static extractFileMetadata = extractFileMetadata;\n  static uploadFile = uploadFile;\n  static getPublicUrl = getPublicUrl;\n  static getSignedUrl = getSignedUrl;\n  static deleteFile = deleteFile;\n  static downloadFile = downloadFile;\n  static listFiles = listFiles;\n  static archiveFile = archiveFile;\n}\n","/**\n * @file Public Event Hook\n * @package @jmruthers/pace-core\n * @module Hooks/Public\n * @since 1.0.0\n *\n * A React hook for accessing public event data without authentication.\n * Provides event information by event_code for public pages.\n *\n * Features:\n * - No authentication required\n * - Caching for performance\n * - Error handling and loading states\n * - TypeScript support\n * - Automatic refetch capabilities\n *\n * @example\n * ```tsx\n * import { usePublicEvent } from '@jmruthers/pace-core';\n *\n * function PublicEventPage() {\n *   const { eventCode } = usePublicRouteParams();\n *   const { event, isLoading, error, refetch } = usePublicEvent(eventCode);\n *\n *   if (isLoading) return <div>Loading event...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *   if (!event) return <div>Event not found</div>;\n *\n *   return (\n *     <div>\n *       <h1>{event.event_name}</h1>\n *       <p>Date: {event.event_date}</p>\n *       <p>Venue: {event.event_venue}</p>\n *     </div>\n *   );\n * }\n * ```\n *\n * @accessibility\n * - No direct accessibility concerns (hook)\n * - Enables accessible public event display\n * - Supports screen reader friendly loading states\n *\n * @security\n * - Only returns public-safe event data\n * - Validates event_code before querying\n * - No sensitive information exposed\n * - Rate limiting applied at database level\n *\n * @performance\n * - Built-in caching with TTL\n * - Minimal re-renders with stable references\n * - Lazy loading support\n * - Error boundary integration\n *\n * @dependencies\n * - React 19+ - Hooks and effects\n * - @supabase/supabase-js - Database integration\n * - Event types - Type definitions\n */\n\nimport { useState, useEffect, useCallback, useMemo } from 'react';\nimport { createClient } from '@supabase/supabase-js';\nimport type { Event } from '../../types/event';\nimport type { Database } from '../../types/database';\nimport { assertOrganisationId } from '../../types/core';\nimport { usePublicPageContext } from '../../components/PublicLayout/PublicPageProvider';\nimport { logger } from '../../utils/core/logger';\n\n// Simple in-memory cache for public data\nconst publicDataCache = new Map<string, { data: any; timestamp: number; ttl: number }>();\n\n/**\n * Return value of the usePublicEvent hook.\n * Provides event data, loading state, error, and refetch function.\n */\nexport interface UsePublicEventReturn {\n  /** The event data, null if not loaded or not found */\n  event: Event | null;\n  /** Whether the data is currently loading */\n  isLoading: boolean;\n  /** Any error that occurred during loading */\n  error: Error | null;\n  /** Function to manually refetch the data */\n  refetch: () => Promise<void>;\n}\n\nexport interface UsePublicEventOptions {\n  /** Cache TTL in milliseconds (default: 5 minutes) */\n  cacheTtl?: number;\n  /** Whether to enable caching (default: true) */\n  enableCache?: boolean;\n}\n\n/**\n * Hook for accessing public event data by event_code\n * \n * This hook provides access to public event information without requiring\n * authentication. It includes caching, error handling, and loading states.\n * \n * @param eventCode - The event code to look up\n * @param options - Configuration options for caching and behavior\n * @returns Object containing event data, loading state, error, and refetch function\n */\nexport function usePublicEvent(\n  eventCode: string,\n  options: UsePublicEventOptions = {}\n): UsePublicEventReturn {\n  const {\n    cacheTtl = 5 * 60 * 1000, // 5 minutes\n    enableCache = true\n  } = options;\n\n  const [event, setEvent] = useState<Event | null>(null);\n  const [isLoading, setIsLoading] = useState<boolean>(true);\n  const [error, setError] = useState<Error | null>(null);\n\n  // Get environment variables from public page context or fallback to direct access\n  let environment: { supabaseUrl: string | null; supabaseKey: string | null };\n  \n  try {\n    environment = usePublicPageContext().environment;\n  } catch {\n    // Fallback to direct environment variable access if not in PublicPageProvider\n    environment = {\n      supabaseUrl: (import.meta as any).env?.VITE_SUPABASE_URL || (import.meta as any).env?.NEXT_PUBLIC_SUPABASE_URL || null,\n      supabaseKey: (import.meta as any).env?.VITE_SUPABASE_PUBLISHABLE_KEY || (import.meta as any).env?.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY || null\n    };\n  }\n  \n  // Create a simple Supabase client for public access\n  const supabase = useMemo(() => {\n    if (typeof window === 'undefined') return null;\n    \n    if (!environment.supabaseUrl || !environment.supabaseKey) {\n      logger.warn('usePublicEvent', 'Missing Supabase environment variables. Please ensure VITE_SUPABASE_URL and VITE_SUPABASE_PUBLISHABLE_KEY are set in your environment.');\n      return null;\n    }\n\n    return createClient<Database>(environment.supabaseUrl, environment.supabaseKey);\n  }, [environment.supabaseUrl, environment.supabaseKey]);\n\n  // Helper function to try refreshing schema cache\n  const refreshSchemaCache = useCallback(async () => {\n    try {\n      // Try to trigger a schema refresh by querying a system table\n      await (supabase as any).from('information_schema.routines').select('routine_name').limit(1);\n    } catch (error) {\n      // Ignore errors, this is just an attempt to refresh cache\n      logger.debug('usePublicEvent', 'Schema cache refresh attempt failed:', error);\n    }\n  }, [supabase]);\n\n  const fetchEvent = useCallback(async (): Promise<void> => {\n    if (!eventCode || !supabase) {\n      setError(new Error('Invalid event code or Supabase client not available'));\n      setIsLoading(false);\n      return;\n    }\n\n    // Check cache first\n    const cacheKey = `public_event_${eventCode}`;\n    if (enableCache) {\n      const cached = publicDataCache.get(cacheKey);\n      if (cached && Date.now() - cached.timestamp < cached.ttl) {\n        setEvent(cached.data);\n        setIsLoading(false);\n        setError(null);\n        return;\n      }\n    }\n\n    try {\n      setIsLoading(true);\n      setError(null);\n\n      let eventData: any = null;\n\n      try {\n        // Try to call the public event RPC function first\n        const response = await (supabase as any).rpc('get_public_event_by_code', {\n          event_code_param: eventCode\n        });\n        \n        const data = response?.data;\n        const rpcError = response?.error;\n\n        if (rpcError) {\n          // If RPC function doesn't exist or schema cache issue, try refresh first, then fallback\n          if (rpcError.message?.includes('Could not find the function') || \n              rpcError.message?.includes('does not exist') ||\n              rpcError.message?.includes('schema cache')) {\n            logger.warn('usePublicEvent', 'RPC function not found or schema cache issue, attempting refresh:', rpcError.message);\n            \n            // Try to refresh schema cache first\n            await refreshSchemaCache();\n            \n            // Try RPC call one more time after refresh\n            try {\n              const retryResponse = await (supabase as any).rpc('get_public_event_by_code', {\n                event_code_param: eventCode\n              });\n              \n              const retryData = retryResponse?.data;\n              const retryError = retryResponse?.error;\n              \n              if (!retryError && retryData && retryData.length > 0) {\n                eventData = retryData[0];\n              } else {\n                throw new Error('RPC still failing after cache refresh');\n              }\n            } catch (retryError) {\n              logger.warn('usePublicEvent', 'RPC still failing after cache refresh, falling back to direct table access');\n              \n              // Fallback: Direct table access with public RLS policy\n            const tableResponse2 = await (supabase as any)\n              .from('core_events')\n              .select(`\n                event_id,\n                event_name,\n                event_date,\n                event_venue,\n                event_participants,\n                event_colours,\n                organisation_id,\n                event_days,\n                event_typicalunit,\n                event_rounddown,\n                event_youthmultiplier,\n                event_catering_email,\n                event_news,\n                event_billing,\n                event_email\n              `)\n              .eq('event_code', eventCode)\n              .eq('is_visible', true)\n              .not('organisation_id', 'is', null)\n              .limit(1)\n              .single();\n\n            const tableData = tableResponse2?.data;\n            const tableError = tableResponse2?.error;\n\n            if (tableError) {\n              throw new Error(tableError?.message || 'Failed to fetch event from table');\n            }\n\n            if (!tableData) {\n              setEvent(null);\n              setError(new Error('Event not found'));\n              return;\n            }\n\n            // Get event logo from core_file_references\n            const logoResponse = await (supabase as any)\n              .from('core_file_references')\n              .select('file_path')\n              .eq('table_name', 'core_events')\n              .eq('record_id', tableData.event_id)\n              .eq('is_public', true)\n              .eq('file_metadata->>category', 'event_logos')\n              .limit(1)\n              .single();\n              \n            const logoData = logoResponse?.data;\n\n            eventData = {\n              ...tableData,\n              event_logo: logoData?.file_path || null\n            };\n            }\n          } else {\n            // For RPC errors that aren't schema cache issues, throw immediately without fallback\n            const errorMessage = rpcError?.message || rpcError?.toString() || 'Failed to fetch event';\n            setEvent(null);\n            setError(new Error(errorMessage));\n            setIsLoading(false);\n            return;\n          }\n        } else {\n          if (!data || data.length === 0 || !data[0]) {\n            setEvent(null);\n            setError(new Error('Event not found'));\n            return;\n          }\n          eventData = data[0];\n        }\n      } catch (rpcError) {\n        // If RPC call fails for any reason (including schema cache issues), try direct table access\n        logger.warn('usePublicEvent', 'RPC call failed, falling back to direct table access:', rpcError);\n        \n        const tableResponse = await (supabase as any)\n          .from('core_events')\n          .select(`\n            event_id,\n            event_name,\n            event_date,\n            event_venue,\n            event_participants,\n            event_colours,\n            organisation_id,\n            event_days,\n            event_typicalunit,\n            event_rounddown,\n            event_youthmultiplier,\n            event_catering_email,\n            event_news,\n            event_billing,\n            event_email\n          `)\n          .eq('event_code', eventCode)\n          .eq('is_visible', true)\n          .not('organisation_id', 'is', null)\n          .limit(1)\n          .single();\n\n        const tableData = tableResponse?.data;\n        const tableError = tableResponse?.error;\n\n        if (tableError) {\n          throw new Error(tableError?.message || 'Failed to fetch event from table');\n        }\n\n        if (!tableData) {\n          setEvent(null);\n          setError(new Error('Event not found'));\n          return;\n        }\n\n        // Get event logo from core_file_references\n        const logoResponse = await (supabase as any)\n          .from('core_file_references')\n          .select('file_path')\n          .eq('table_name', 'core_events')\n          .eq('record_id', tableData.event_id)\n          .eq('is_public', true)\n          .eq('file_metadata->>category', 'event_logos')\n          .limit(1)\n          .single();\n          \n        const logoData = logoResponse?.data;\n\n        eventData = {\n          ...tableData,\n          event_logo: logoData?.file_path || null\n        };\n      }\n      \n      // Transform to Event type\n      const transformedEvent: Event = {\n        id: eventData.event_id,\n        event_id: eventData.event_id,\n        event_name: eventData.event_name,\n        event_code: eventCode,\n        event_date: eventData.event_date,\n        event_venue: eventData.event_venue,\n        event_participants: eventData.event_participants,\n        event_logo: eventData.event_logo,\n        event_colours: eventData.event_colours,\n        organisation_id: assertOrganisationId(eventData.organisation_id),\n        is_visible: true,\n        created_at: new Date().toISOString(),\n        updated_at: new Date().toISOString()\n      };\n\n      setEvent(transformedEvent);\n\n      // Cache the result\n      if (enableCache) {\n        publicDataCache.set(cacheKey, {\n          data: transformedEvent,\n          timestamp: Date.now(),\n          ttl: cacheTtl\n        });\n      }\n\n    } catch (err) {\n      logger.error('usePublicEvent', 'Error fetching event:', err);\n      const error = err instanceof Error ? err : new Error('Unknown error occurred');\n      setError(error);\n      setEvent(null);\n    } finally {\n      setIsLoading(false);\n    }\n  }, [eventCode, supabase, cacheTtl, enableCache]);\n\n  // Fetch event when eventCode changes\n  useEffect(() => {\n    fetchEvent();\n  }, [fetchEvent]);\n\n  const refetch = useCallback(async (): Promise<void> => {\n    // Clear cache for this event\n    if (enableCache) {\n      const cacheKey = `public_event_${eventCode}`;\n      publicDataCache.delete(cacheKey);\n    }\n    await fetchEvent();\n  }, [fetchEvent, eventCode, enableCache]);\n\n  return {\n    event,\n    isLoading,\n    error,\n    refetch\n  };\n}\n\n/**\n * Clear all cached public event data\n * Useful for testing or when you need to force refresh all data\n */\nexport function clearPublicEventCache(): void {\n  for (const [key] of publicDataCache) {\n    if (key.startsWith('public_event_')) {\n      publicDataCache.delete(key);\n    }\n  }\n}\n\n/**\n * Get cache statistics for debugging\n */\nexport function getPublicEventCacheStats(): { size: number; keys: string[] } {\n  const keys = Array.from(publicDataCache.keys()).filter(key => key.startsWith('public_event_'));\n  return {\n    size: keys.length,\n    keys\n  };\n}\n","/**\n * @file Public Event Logo Hook\n * @package @jmruthers/pace-core\n * @module Hooks/Public\n * @since 1.0.0\n *\n * A React hook for accessing public event logo URLs without authentication.\n * Provides logo URLs with fallback handling for public pages.\n *\n * Features:\n * - No authentication required\n * - Automatic fallback to event initials\n * - Caching for performance\n * - Error handling and loading states\n * - TypeScript support\n * - Image validation\n *\n * @example\n * ```tsx\n * import { usePublicEventLogo } from '@jmruthers/pace-core';\n *\n * function EventHeader() {\n *   const { logoUrl, fallbackText, isLoading, error } = usePublicEventLogo(\n *     eventId, \n *     eventName, \n *     organisationId\n *   );\n *\n *   if (isLoading) return <div>Loading logo...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *\n *   return (\n *     <div>\n *       {logoUrl ? (\n *         <img src={logoUrl} alt={`${eventName} logo`} />\n *       ) : (\n *         <div className=\"logo-fallback\">{fallbackText}</div>\n *       )}\n *     </div>\n *   );\n * }\n * ```\n *\n * @accessibility\n * - No direct accessibility concerns (hook)\n * - Enables accessible logo display with proper alt text\n * - Supports screen reader friendly fallbacks\n *\n * @security\n * - Only returns public-safe logo URLs\n * - Validates image existence before returning URL\n * - No sensitive information exposed\n * - Rate limiting applied at storage level\n *\n * @performance\n * - Built-in caching with TTL\n * - Image validation and optimization\n * - Minimal re-renders with stable references\n * - Lazy loading support\n *\n * @dependencies\n * - React 19+ - Hooks and effects\n * - @supabase/supabase-js - Storage integration\n * - Event types - Type definitions\n */\n\nimport { useState, useEffect, useCallback, useMemo } from 'react';\nimport type { SupabaseClient } from '@supabase/supabase-js';\nimport type { Database } from '../../types/database';\nimport { createLogger } from '../../utils/core/logger';\n\nconst log = createLogger('usePublicEventLogo');\n\n// Simple in-memory cache for public data\nconst publicDataCache = new Map<string, { data: any; timestamp: number; ttl: number }>();\n\n/**\n * Return value of the usePublicEventLogo hook.\n * Provides logo URL, fallback text, loading state, error, and refetch function.\n */\nexport interface UsePublicEventLogoReturn {\n  /** The logo URL if available, null if not found or error */\n  logoUrl: string | null;\n  /** Fallback text (event initials) if no logo is available */\n  fallbackText: string;\n  /** Whether the logo is currently loading */\n  isLoading: boolean;\n  /** Any error that occurred during loading */\n  error: Error | null;\n  /** Function to manually refetch the logo */\n  refetch: () => Promise<void>;\n}\n\nexport interface UsePublicEventLogoOptions {\n  /** Cache TTL in milliseconds (default: 30 minutes) */\n  cacheTtl?: number;\n  /** Whether to enable caching (default: true) */\n  enableCache?: boolean;\n  /** Whether to validate image existence (default: true) */\n  validateImage?: boolean;\n  /** Custom fallback text generator */\n  generateFallbackText?: (eventName: string) => string;\n  /** Supabase client instance (required) */\n  supabase: SupabaseClient<Database>;\n}\n\n/**\n * Generate fallback text from event name (first letter of each word)\n */\nfunction defaultGenerateFallbackText(eventName: string): string {\n  if (!eventName) return 'EV';\n  \n  return eventName\n    .split(' ')\n    .map(word => word.charAt(0).toUpperCase())\n    .join('')\n    .substring(0, 3); // Max 3 characters\n}\n\n/**\n * Hook for accessing public event logo URLs\n * \n * This hook provides access to event logo URLs without requiring\n * authentication. It includes fallback handling and image validation.\n * \n * @param eventId - The event ID to fetch logo for\n * @param eventName - The event name for fallback text generation\n * @param organisationId - The organisation ID for storage path\n * @param options - Configuration options for caching and behavior\n * @returns Object containing logo URL, fallback text, loading state, error, and refetch function\n */\nexport function usePublicEventLogo(\n  eventId: string | undefined,\n  eventName: string | undefined,\n  organisationId: string | undefined,\n  options: UsePublicEventLogoOptions\n): UsePublicEventLogoReturn {\n  const {\n    cacheTtl = 30 * 60 * 1000, // 30 minutes\n    enableCache = true,\n    validateImage = true,\n    generateFallbackText = defaultGenerateFallbackText,\n    supabase\n  } = options;\n\n  const [logoUrl, setLogoUrl] = useState<string | null>(null);\n  const [isLoading, setIsLoading] = useState<boolean>(false);\n  const [error, setError] = useState<Error | null>(null);\n\n  // Generate fallback text\n  const fallbackText = useMemo(() => {\n    return eventName ? generateFallbackText(eventName) : 'EV';\n  }, [eventName, generateFallbackText]);\n\n  const fetchLogo = useCallback(async (): Promise<void> => {\n    if (!eventId || !organisationId || !supabase) {\n      setLogoUrl(null);\n      setIsLoading(false);\n      return;\n    }\n\n    // Validate UUID format for organisationId to prevent database errors\n    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n    if (!uuidRegex.test(organisationId)) {\n      log.warn('Invalid organisationId format (not a valid UUID):', organisationId);\n      // Don't return early - let the database handle the validation\n      // This allows for more graceful error handling\n    }\n\n    // Check cache first\n    const cacheKey = `public_logo_${eventId}_${organisationId}`;\n    if (enableCache) {\n      const cached = publicDataCache.get(cacheKey);\n      if (cached && Date.now() - cached.timestamp < cached.ttl) {\n        setLogoUrl(cached.data);\n        setIsLoading(false);\n        setError(null);\n        return;\n      }\n    }\n\n    try {\n      setIsLoading(true);\n      setError(null);\n\n      // Call the public logo RPC function\n      const { data, error: rpcError } = await (supabase as any).rpc('get_public_event_logo', {\n        event_id_param: eventId,\n        organisation_id_param: organisationId\n      });\n\n      if (rpcError) {\n        throw new Error(rpcError.message || 'Failed to fetch logo');\n      }\n\n      if (!data || data.length === 0 || !data[0] || !data[0].logo_url) {\n        setLogoUrl(null);\n        return;\n      }\n\n      const logoUrl = data[0].logo_url;\n\n      // Validate image existence if requested\n      if (validateImage) {\n        try {\n          const response = await fetch(logoUrl, { method: 'HEAD' });\n          if (!response.ok) {\n            log.warn('Logo URL not accessible:', logoUrl);\n            setLogoUrl(null);\n            return;\n          }\n        } catch (fetchError) {\n          log.warn('Error validating logo URL:', fetchError);\n          setLogoUrl(null);\n          return;\n        }\n      }\n\n      setLogoUrl(logoUrl);\n\n      // Cache the result\n      if (enableCache) {\n        publicDataCache.set(cacheKey, {\n          data: logoUrl,\n          timestamp: Date.now(),\n          ttl: cacheTtl\n        });\n      }\n\n    } catch (err) {\n      log.error('Error fetching logo:', err);\n      const error = err instanceof Error ? err : new Error('Unknown error occurred');\n      setError(error);\n      setLogoUrl(null);\n    } finally {\n      setIsLoading(false);\n    }\n  }, [eventId, organisationId, supabase, cacheTtl, enableCache, validateImage]);\n\n  // Fetch logo when parameters change\n  useEffect(() => {\n    if (eventId && organisationId) {\n      fetchLogo();\n    } else {\n      setLogoUrl(null);\n      setIsLoading(false);\n      setError(null);\n    }\n  }, [fetchLogo, eventId, organisationId]);\n\n  const refetch = useCallback(async (): Promise<void> => {\n    if (!eventId || !organisationId) return;\n    \n    // Clear cache for this logo\n    if (enableCache) {\n      const cacheKey = `public_logo_${eventId}_${organisationId}`;\n      publicDataCache.delete(cacheKey);\n    }\n    await fetchLogo();\n  }, [fetchLogo, eventId, organisationId, enableCache]);\n\n  return {\n    logoUrl,\n    fallbackText,\n    isLoading,\n    error,\n    refetch\n  };\n}\n\n/**\n * Clear all cached public logo data\n * Useful for testing or when you need to force refresh all data\n */\nexport function clearPublicLogoCache(): void {\n  for (const [key] of publicDataCache) {\n    if (key.startsWith('public_logo_')) {\n      publicDataCache.delete(key);\n    }\n  }\n}\n\n/**\n * Get cache statistics for debugging\n */\nexport function getPublicLogoCacheStats(): { size: number; keys: string[] } {\n  const keys = Array.from(publicDataCache.keys()).filter(key => key.startsWith('public_logo_'));\n  return {\n    size: keys.length,\n    keys\n  };\n}\n","/**\n * @file Public Route Params Hook\n * @package @jmruthers/pace-core\n * @module Hooks/Public\n * @since 1.0.0\n *\n * A React hook for extracting and validating public route parameters.\n * Provides event code extraction and validation for public pages.\n *\n * Features:\n * - URL parameter extraction\n * - Event code validation\n * - TypeScript support\n * - Error handling\n * - Route pattern support\n *\n * @example\n * ```tsx\n * import { usePublicRouteParams } from '@jmruthers/pace-core';\n *\n * function PublicEventPage() {\n *   const { eventCode, eventId, event, error, isLoading } = usePublicRouteParams();\n *\n *   if (isLoading) return <div>Loading...</div>;\n *   if (error) return <div>Error: {error.message}</div>;\n *   if (!event) return <div>Event not found</div>;\n *\n *   return (\n *     <div>\n *       <h1>{event.event_name}</h1>\n *       <p>Event Code: {eventCode}</p>\n *     </div>\n *   );\n * }\n * ```\n *\n * @accessibility\n * - No direct accessibility concerns (hook)\n * - Enables accessible route parameter handling\n * - Supports screen reader friendly error states\n *\n * @security\n * - Validates event codes before processing\n * - Sanitizes URL parameters\n * - No sensitive information exposed\n * - Rate limiting applied at route level\n *\n * @performance\n * - Minimal re-renders with stable references\n * - Efficient parameter extraction\n * - Caching integration\n *\n * @dependencies\n * - React 19+ - Hooks and effects\n * - React Router - URL parameter extraction\n * - Event types - Type definitions\n */\n\nimport { useState, useEffect, useCallback, useMemo } from 'react';\nimport { useParams, useLocation } from 'react-router-dom';\nimport type { Event } from '../../types/event';\nimport { usePublicEvent } from './usePublicEvent';\n\n/**\n * Return value of the usePublicRouteParams hook.\n * Provides event code, event ID, event data, loading state, error, and refetch function.\n */\nexport interface UsePublicRouteParamsReturn {\n  /** The event code from the URL */\n  eventCode: string | null;\n  /** The event ID (resolved from event code) */\n  eventId: string | null;\n  /** The full event object */\n  event: Event | null;\n  /** Whether the route parameters are being processed */\n  isLoading: boolean;\n  /** Any error that occurred during processing */\n  error: Error | null;\n  /** Function to manually refetch the event data */\n  refetch: () => Promise<void>;\n}\n\ninterface UsePublicRouteParamsOptions {\n  /** Whether to automatically fetch event data (default: true) */\n  fetchEventData?: boolean;\n  /** Custom event code parameter name (default: 'eventCode') */\n  eventCodeParam?: string;\n  /** Whether to validate event code format (default: true) */\n  validateEventCode?: boolean;\n}\n\n/**\n * Validate event code format\n * Event codes should be alphanumeric with optional hyphens/underscores in the middle\n * Supports 2-50 characters\n */\nfunction validateEventCodeFormat(eventCode: string): boolean {\n  if (!eventCode || typeof eventCode !== 'string') return false;\n  \n  // Length check: 2-50 characters\n  if (eventCode.length < 2 || eventCode.length > 50) return false;\n  \n  // For 2-character codes: both must be alphanumeric\n  if (eventCode.length === 2) {\n    return /^[a-zA-Z0-9]{2}$/.test(eventCode);\n  }\n  \n  // For 3+ character codes: alphanumeric at start and end, hyphens/underscores allowed in middle\n  // Must not start or end with hyphen/underscore\n  const eventCodeRegex = /^[a-zA-Z0-9][a-zA-Z0-9_-]{1,48}[a-zA-Z0-9]$/;\n  const matchesFormat = eventCodeRegex.test(eventCode);\n  \n  if (!matchesFormat) return false;\n  \n  // Additional check: no consecutive hyphens or underscores\n  if (eventCode.includes('--') || eventCode.includes('__') || eventCode.includes('-_') || eventCode.includes('_-')) {\n    return false;\n  }\n  \n  return true;\n}\n\n/**\n * Hook for extracting and validating public route parameters\n * \n * This hook extracts event codes from URL parameters and optionally\n * fetches the corresponding event data. It provides validation and\n * error handling for public routes.\n * \n * @param options - Configuration options for behavior\n * @returns Object containing route parameters, event data, loading state, error, and refetch function\n */\nexport function usePublicRouteParams(\n  options: UsePublicRouteParamsOptions = {}\n): UsePublicRouteParamsReturn {\n  const {\n    fetchEventData = true,\n    eventCodeParam = 'eventCode',\n    validateEventCode = true\n  } = options;\n\n  const params = useParams();\n  const location = useLocation();\n  \n  const [error, setError] = useState<Error | null>(null);\n\n  // Extract event code from URL parameters\n  const eventCode = useMemo(() => {\n    const code = params[eventCodeParam] as string;\n    \n    if (!code) {\n      // Don't set error immediately - let the component handle missing eventCode gracefully\n      return null;\n    }\n\n    // Validate event code format if requested\n    if (validateEventCode && !validateEventCodeFormat(code)) {\n      setError(new Error(`Invalid event code format: ${code}`));\n      return null;\n    }\n\n    setError(null);\n    return code;\n  }, [params, eventCodeParam, validateEventCode]);\n\n  // Use the public event hook to fetch event data\n  const {\n    event,\n    isLoading: eventLoading,\n    error: eventError,\n    refetch: refetchEvent\n  } = usePublicEvent(eventCode || '', {\n    enableCache: true,\n    cacheTtl: 5 * 60 * 1000 // 5 minutes\n  });\n\n  // Determine if we should show loading state\n  const isLoading = useMemo(() => {\n    if (!fetchEventData) return false;\n    return eventLoading;\n  }, [fetchEventData, eventLoading]);\n\n  // Determine the final error state\n  const finalError = useMemo(() => {\n    if (error) return error;\n    if (eventError) return eventError;\n    return null;\n  }, [error, eventError]);\n\n  // Extract event ID from event data\n  const eventId = useMemo(() => {\n    if (!event) return null;\n    return event.event_id || event.id;\n  }, [event]);\n\n  // Refetch function\n  const refetch = useCallback(async (): Promise<void> => {\n    if (!fetchEventData) return;\n    await refetchEvent();\n  }, [fetchEventData, refetchEvent]);\n\n  return {\n    eventCode,\n    eventId,\n    event: fetchEventData ? event : null,\n    isLoading,\n    error: finalError,\n    refetch\n  };\n}\n\n/**\n * Hook for extracting just the event code without fetching event data\n * Useful when you only need the event code and will fetch data separately\n */\nexport function usePublicEventCode(\n  eventCodeParam: string = 'eventCode'\n): { eventCode: string | null; error: Error | null } {\n  const params = useParams();\n  \n  const eventCode = useMemo(() => {\n    const code = params[eventCodeParam] as string;\n    \n    if (!code) {\n      return null;\n    }\n\n    // Validate event code format\n    if (!validateEventCodeFormat(code)) {\n      return null;\n    }\n\n    return code;\n  }, [params, eventCodeParam]);\n\n  const error = useMemo(() => {\n    if (!eventCode) {\n      return new Error(`Event code parameter '${eventCodeParam}' not found or invalid`);\n    }\n    return null;\n  }, [eventCode, eventCodeParam]);\n\n  return {\n    eventCode,\n    error\n  };\n}\n\n/**\n * Utility function to generate public route paths\n */\nexport function generatePublicRoutePath(\n  eventCode: string,\n  pageName: string = 'index'\n): string {\n  if (!eventCode || !validateEventCodeFormat(eventCode)) {\n    throw new Error('Invalid event code for route generation');\n  }\n  \n  return `/public/event/${eventCode}/${pageName}`;\n}\n\n/**\n * Utility function to extract event code from a public route path\n * Supports 2-50 character event codes\n */\nexport function extractEventCodeFromPath(path: string): string | null {\n  const match = path.match(/^\\/public\\/event\\/([a-zA-Z0-9_-]{2,50})(?:\\/.*)?$/);\n  if (!match) return null;\n  \n  const eventCode = match[1];\n  // Validate the extracted code using the same validation function\n  if (!validateEventCodeFormat(eventCode)) {\n    return null;\n  }\n  \n  return eventCode;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAOA,SAAS,eAAe;AACxB,SAAS,mBAAmB;AASrB,SAAS,WAAmC;AAAA,EACjD;AAAA,EACA;AAAA,EACA,OAAO;AACT,GAAuB;AACrB,SAAO,QAAoB;AAAA,IACzB,UAAU,YAAY,MAAM;AAAA,IAC5B;AAAA,IACA;AAAA,EACF,CAAC;AACH;;;ACFA,SAAS,gBAAgB;AAqFlB,SAAS,cAA2B;AAAA,EACzC;AAAA,EACA,eAAe;AACjB,IAA6B,CAAC,GAA2B;AACvD,QAAM,CAAC,QAAQ,SAAS,IAAI,SAAS,KAAK;AAC1C,QAAM,CAAC,UAAU,WAAW,IAAI,SAAmB,IAAI;AAGvD,QAAM,aAAa,CAAC,OAAiB,SAAS;AAC5C,gBAAY,IAAI;AAChB,cAAU,IAAI;AACd,mBAAe,IAAI;AAAA,EACrB;AAEA,QAAM,cAAc,MAAM;AACxB,cAAU,KAAK;AACf,QAAI,cAAc;AAChB,kBAAY,IAAI;AAAA,IAClB;AACA,mBAAe,KAAK;AAAA,EACtB;AAEA,QAAM,mBAAmB,CAAC,SAAkB;AAC1C,cAAU,IAAI;AACd,QAAI,CAAC,QAAQ,cAAc;AACzB,kBAAY,IAAI;AAAA,IAClB;AACA,mBAAe,IAAI;AAAA,EACrB;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ACpGA,SAAS,eAAe;AAqDjB,SAAS,2BAA2B,OAAkD;AAC3F,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI,iBAAiB;AAGrB,MAAI,oBAA+C,EAAE,cAAc,MAAM;AACzE,MAAI;AACF,wBAAoB,wBAAwB,EAAE;AAAA,EAChD,QAAQ;AAAA,EAER;AAEA,QAAM,iBAAiB,QAAQ,MAAM;AACnC,QAAI,OAAO;AACT,aAAO;AAAA,IACT;AACA,QAAI;AACF,YAAM,aAAa,0BAA0B;AAC7C,aAAO,WAAW;AAAA,IACpB,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF,GAAG,CAAC,OAAO,yBAAyB,CAAC;AAErC,QAAM,WAAW,QAAQ,MAAM;AAC7B,QAAI,CAAC,eAAgB,QAAO;AAC5B,UAAM,OAAO,YAAY,cAAc;AAEvC,QAAI,SAAS,eAAe,SAAS,YAAY,SAAS,YAAY,SAAS,aAAa;AAC1F,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,GAAG,CAAC,gBAAgB,WAAW,CAAC;AAEhC,QAAM,wBAAwB,QAAQ,MAAM;AAC1C,QAAI,CAAC,eAAgB,QAAO;AAC5B,WAAO,2BAA2B,cAAc;AAAA,EAClD,GAAG,CAAC,gBAAgB,0BAA0B,CAAC;AAE/C,QAAM,cAAc,QAAQ,MAAM;AAChC,QAAI,CAAC,yBAAyB,aAAa,aAAa;AACtD,aAAO;AAAA,QACL,YAAY;AAAA,QACZ,cAAc;AAAA,QACd,aAAa;AAAA,QACb,kBAAkB;AAAA,QAClB,mBAAmB;AAAA,QACnB,iBAAiB;AAAA,QACjB,oBAAoB;AAAA,MACtB;AAAA,IACF;AAEA,UAAM,aAAa,aAAa;AAChC,UAAM,WAAW,aAAa;AAC9B,UAAM,WAAW,aAAa;AAC9B,UAAM,cAAc,aAAa;AAIjC,UAAM,eAAe,kBAAkB;AAEvC,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,aAAa,gBAAgB,cAAc;AAAA,MAC3C,kBAAkB,gBAAgB,cAAc;AAAA;AAAA,MAChD,mBAAmB,gBAAgB;AAAA,MACnC,iBAAiB,gBAAgB,cAAc;AAAA,MAC/C,oBAAoB,gBAAgB,cAAc;AAAA;AAAA,IACpD;AAAA,EACF,GAAG,CAAC,uBAAuB,QAAQ,CAAC;AAEpC,QAAM,gBAAgB,QAAQ,MAAM;AAClC,WAAO,CAAC,eAAgD;AACtD,UAAI,CAAC,yBAAyB,aAAa,aAAa;AACtD,eAAO;AAAA,MACT;AAGA,UAAI,aAAa,eAAe,eAAe,KAAK;AAClD,eAAO;AAAA,MACT;AAGA,YAAM,kBAAsE;AAAA,QAC1E,WAAW,CAAC,YAAY;AAAA,QACxB,QAAQ,CAAC,cAAc,cAAc;AAAA,QACrC,QAAQ,CAAC,cAAc,gBAAgB,oBAAoB,eAAe;AAAA,QAC1E,WAAW,CAAC,cAAc,gBAAgB,oBAAoB,iBAAiB,kBAAkB,iBAAiB;AAAA,MACpH;AAEA,YAAM,kBAAkB,gBAAgB,QAA4B,KAAK,CAAC;AAC1E,aAAO,gBAAgB,SAAS,UAAU,KAAK,gBAAgB,SAAS,GAAG;AAAA,IAC7E;AAAA,EACF,GAAG,CAAC,uBAAuB,QAAQ,CAAC;AAEpC,QAAM,oBAAoB,QAAQ,MAAM;AACtC,WAAO,MAAgC;AACrC,UAAI,CAAC,yBAAyB,aAAa,aAAa;AACtD,eAAO,CAAC;AAAA,MACV;AAEA,YAAM,kBAAsE;AAAA,QAC1E,WAAW,CAAC,YAAY;AAAA,QACxB,QAAQ,CAAC,cAAc,cAAc;AAAA,QACrC,QAAQ,CAAC,cAAc,gBAAgB,oBAAoB,eAAe;AAAA,QAC1E,WAAW,CAAC,cAAc,gBAAgB,oBAAoB,iBAAiB,kBAAkB,iBAAiB;AAAA,MACpH;AAEA,aAAO,gBAAgB,QAA4B,KAAK,CAAC;AAAA,IAC3D;AAAA,EACF,GAAG,CAAC,uBAAuB,QAAQ,CAAC;AAEpC,SAAO,QAAQ,OAAO;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAG;AAAA,EACL,IAAI,CAAC,UAAU,gBAAgB,uBAAuB,eAAe,mBAAmB,WAAW,CAAC;AACtG;;;AC1KO,IAAM,eAAN,MAAmB;AAW1B;AAXa,aACJ,mBAAmB;AADf,aAEJ,yBAAyB;AAFrB,aAGJ,sBAAsB;AAHlB,aAIJ,aAAa;AAJT,aAKJ,eAAe;AALX,aAMJ,eAAe;AANX,aAOJ,aAAa;AAPT,aAQJ,eAAe;AARX,aASJ,YAAY;AATR,aAUJ,cAAc;;;ACJvB,SAAS,YAAAA,WAAU,WAAW,aAAa,WAAAC,gBAAe;AAC1D,SAAS,oBAAoB;AAQ7B,IAAM,kBAAkB,oBAAI,IAA2D;AAkChF,SAAS,eACd,WACA,UAAiC,CAAC,GACZ;AACtB,QAAM;AAAA,IACJ,WAAW,IAAI,KAAK;AAAA;AAAA,IACpB,cAAc;AAAA,EAChB,IAAI;AAEJ,QAAM,CAAC,OAAO,QAAQ,IAAIC,UAAuB,IAAI;AACrD,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAkB,IAAI;AACxD,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AAGrD,MAAI;AAEJ,MAAI;AACF,kBAAc,qBAAqB,EAAE;AAAA,EACvC,QAAQ;AAEN,kBAAc;AAAA,MACZ,aAAc,YAAoB,KAAK,qBAAsB,YAAoB,KAAK,4BAA4B;AAAA,MAClH,aAAc,YAAoB,KAAK,iCAAkC,YAAoB,KAAK,wCAAwC;AAAA,IAC5I;AAAA,EACF;AAGA,QAAM,WAAWC,SAAQ,MAAM;AAC7B,QAAI,OAAO,WAAW,YAAa,QAAO;AAE1C,QAAI,CAAC,YAAY,eAAe,CAAC,YAAY,aAAa;AACxD,aAAO,KAAK,kBAAkB,wIAAwI;AACtK,aAAO;AAAA,IACT;AAEA,WAAO,aAAuB,YAAY,aAAa,YAAY,WAAW;AAAA,EAChF,GAAG,CAAC,YAAY,aAAa,YAAY,WAAW,CAAC;AAGrD,QAAM,qBAAqB,YAAY,YAAY;AACjD,QAAI;AAEF,YAAO,SAAiB,KAAK,6BAA6B,EAAE,OAAO,cAAc,EAAE,MAAM,CAAC;AAAA,IAC5F,SAASC,QAAO;AAEd,aAAO,MAAM,kBAAkB,wCAAwCA,MAAK;AAAA,IAC9E;AAAA,EACF,GAAG,CAAC,QAAQ,CAAC;AAEb,QAAM,aAAa,YAAY,YAA2B;AACxD,QAAI,CAAC,aAAa,CAAC,UAAU;AAC3B,eAAS,IAAI,MAAM,qDAAqD,CAAC;AACzE,mBAAa,KAAK;AAClB;AAAA,IACF;AAGA,UAAM,WAAW,gBAAgB,SAAS;AAC1C,QAAI,aAAa;AACf,YAAM,SAAS,gBAAgB,IAAI,QAAQ;AAC3C,UAAI,UAAU,KAAK,IAAI,IAAI,OAAO,YAAY,OAAO,KAAK;AACxD,iBAAS,OAAO,IAAI;AACpB,qBAAa,KAAK;AAClB,iBAAS,IAAI;AACb;AAAA,MACF;AAAA,IACF;AAEA,QAAI;AACF,mBAAa,IAAI;AACjB,eAAS,IAAI;AAEb,UAAI,YAAiB;AAErB,UAAI;AAEF,cAAM,WAAW,MAAO,SAAiB,IAAI,4BAA4B;AAAA,UACvE,kBAAkB;AAAA,QACpB,CAAC;AAED,cAAM,OAAO,UAAU;AACvB,cAAM,WAAW,UAAU;AAE3B,YAAI,UAAU;AAEZ,cAAI,SAAS,SAAS,SAAS,6BAA6B,KACxD,SAAS,SAAS,SAAS,gBAAgB,KAC3C,SAAS,SAAS,SAAS,cAAc,GAAG;AAC9C,mBAAO,KAAK,kBAAkB,qEAAqE,SAAS,OAAO;AAGnH,kBAAM,mBAAmB;AAGzB,gBAAI;AACF,oBAAM,gBAAgB,MAAO,SAAiB,IAAI,4BAA4B;AAAA,gBAC5E,kBAAkB;AAAA,cACpB,CAAC;AAED,oBAAM,YAAY,eAAe;AACjC,oBAAM,aAAa,eAAe;AAElC,kBAAI,CAAC,cAAc,aAAa,UAAU,SAAS,GAAG;AACpD,4BAAY,UAAU,CAAC;AAAA,cACzB,OAAO;AACL,sBAAM,IAAI,MAAM,uCAAuC;AAAA,cACzD;AAAA,YACF,SAAS,YAAY;AACnB,qBAAO,KAAK,kBAAkB,4EAA4E;AAG5G,oBAAM,iBAAiB,MAAO,SAC3B,KAAK,aAAa,EAClB,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAgBP,EACA,GAAG,cAAc,SAAS,EAC1B,GAAG,cAAc,IAAI,EACrB,IAAI,mBAAmB,MAAM,IAAI,EACjC,MAAM,CAAC,EACP,OAAO;AAEV,oBAAM,YAAY,gBAAgB;AAClC,oBAAM,aAAa,gBAAgB;AAEnC,kBAAI,YAAY;AACd,sBAAM,IAAI,MAAM,YAAY,WAAW,kCAAkC;AAAA,cAC3E;AAEA,kBAAI,CAAC,WAAW;AACd,yBAAS,IAAI;AACb,yBAAS,IAAI,MAAM,iBAAiB,CAAC;AACrC;AAAA,cACF;AAGA,oBAAM,eAAe,MAAO,SACzB,KAAK,sBAAsB,EAC3B,OAAO,WAAW,EAClB,GAAG,cAAc,aAAa,EAC9B,GAAG,aAAa,UAAU,QAAQ,EAClC,GAAG,aAAa,IAAI,EACpB,GAAG,4BAA4B,aAAa,EAC5C,MAAM,CAAC,EACP,OAAO;AAEV,oBAAM,WAAW,cAAc;AAE/B,0BAAY;AAAA,gBACV,GAAG;AAAA,gBACH,YAAY,UAAU,aAAa;AAAA,cACrC;AAAA,YACA;AAAA,UACF,OAAO;AAEL,kBAAM,eAAe,UAAU,WAAW,UAAU,SAAS,KAAK;AAClE,qBAAS,IAAI;AACb,qBAAS,IAAI,MAAM,YAAY,CAAC;AAChC,yBAAa,KAAK;AAClB;AAAA,UACF;AAAA,QACF,OAAO;AACL,cAAI,CAAC,QAAQ,KAAK,WAAW,KAAK,CAAC,KAAK,CAAC,GAAG;AAC1C,qBAAS,IAAI;AACb,qBAAS,IAAI,MAAM,iBAAiB,CAAC;AACrC;AAAA,UACF;AACA,sBAAY,KAAK,CAAC;AAAA,QACpB;AAAA,MACF,SAAS,UAAU;AAEjB,eAAO,KAAK,kBAAkB,yDAAyD,QAAQ;AAE/F,cAAM,gBAAgB,MAAO,SAC1B,KAAK,aAAa,EAClB,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,WAgBP,EACA,GAAG,cAAc,SAAS,EAC1B,GAAG,cAAc,IAAI,EACrB,IAAI,mBAAmB,MAAM,IAAI,EACjC,MAAM,CAAC,EACP,OAAO;AAEV,cAAM,YAAY,eAAe;AACjC,cAAM,aAAa,eAAe;AAElC,YAAI,YAAY;AACd,gBAAM,IAAI,MAAM,YAAY,WAAW,kCAAkC;AAAA,QAC3E;AAEA,YAAI,CAAC,WAAW;AACd,mBAAS,IAAI;AACb,mBAAS,IAAI,MAAM,iBAAiB,CAAC;AACrC;AAAA,QACF;AAGA,cAAM,eAAe,MAAO,SACzB,KAAK,sBAAsB,EAC3B,OAAO,WAAW,EAClB,GAAG,cAAc,aAAa,EAC9B,GAAG,aAAa,UAAU,QAAQ,EAClC,GAAG,aAAa,IAAI,EACpB,GAAG,4BAA4B,aAAa,EAC5C,MAAM,CAAC,EACP,OAAO;AAEV,cAAM,WAAW,cAAc;AAE/B,oBAAY;AAAA,UACV,GAAG;AAAA,UACH,YAAY,UAAU,aAAa;AAAA,QACrC;AAAA,MACF;AAGA,YAAM,mBAA0B;AAAA,QAC9B,IAAI,UAAU;AAAA,QACd,UAAU,UAAU;AAAA,QACpB,YAAY,UAAU;AAAA,QACtB,YAAY;AAAA,QACZ,YAAY,UAAU;AAAA,QACtB,aAAa,UAAU;AAAA,QACvB,oBAAoB,UAAU;AAAA,QAC9B,YAAY,UAAU;AAAA,QACtB,eAAe,UAAU;AAAA,QACzB,iBAAiB,qBAAqB,UAAU,eAAe;AAAA,QAC/D,YAAY;AAAA,QACZ,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,QACnC,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,MACrC;AAEA,eAAS,gBAAgB;AAGzB,UAAI,aAAa;AACf,wBAAgB,IAAI,UAAU;AAAA,UAC5B,MAAM;AAAA,UACN,WAAW,KAAK,IAAI;AAAA,UACpB,KAAK;AAAA,QACP,CAAC;AAAA,MACH;AAAA,IAEF,SAAS,KAAK;AACZ,aAAO,MAAM,kBAAkB,yBAAyB,GAAG;AAC3D,YAAMA,SAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,wBAAwB;AAC7E,eAASA,MAAK;AACd,eAAS,IAAI;AAAA,IACf,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF,GAAG,CAAC,WAAW,UAAU,UAAU,WAAW,CAAC;AAG/C,YAAU,MAAM;AACd,eAAW;AAAA,EACb,GAAG,CAAC,UAAU,CAAC;AAEf,QAAM,UAAU,YAAY,YAA2B;AAErD,QAAI,aAAa;AACf,YAAM,WAAW,gBAAgB,SAAS;AAC1C,sBAAgB,OAAO,QAAQ;AAAA,IACjC;AACA,UAAM,WAAW;AAAA,EACnB,GAAG,CAAC,YAAY,WAAW,WAAW,CAAC;AAEvC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAMO,SAAS,wBAA8B;AAC5C,aAAW,CAAC,GAAG,KAAK,iBAAiB;AACnC,QAAI,IAAI,WAAW,eAAe,GAAG;AACnC,sBAAgB,OAAO,GAAG;AAAA,IAC5B;AAAA,EACF;AACF;AAKO,SAAS,2BAA6D;AAC3E,QAAM,OAAO,MAAM,KAAK,gBAAgB,KAAK,CAAC,EAAE,OAAO,SAAO,IAAI,WAAW,eAAe,CAAC;AAC7F,SAAO;AAAA,IACL,MAAM,KAAK;AAAA,IACX;AAAA,EACF;AACF;;;AC3WA,SAAS,YAAAC,WAAU,aAAAC,YAAW,eAAAC,cAAa,WAAAC,gBAAe;AAK1D,IAAM,MAAM,aAAa,oBAAoB;AAG7C,IAAMC,mBAAkB,oBAAI,IAA2D;AAmCvF,SAAS,4BAA4B,WAA2B;AAC9D,MAAI,CAAC,UAAW,QAAO;AAEvB,SAAO,UACJ,MAAM,GAAG,EACT,IAAI,UAAQ,KAAK,OAAO,CAAC,EAAE,YAAY,CAAC,EACxC,KAAK,EAAE,EACP,UAAU,GAAG,CAAC;AACnB;AAcO,SAAS,mBACd,SACA,WACA,gBACA,SAC0B;AAC1B,QAAM;AAAA,IACJ,WAAW,KAAK,KAAK;AAAA;AAAA,IACrB,cAAc;AAAA,IACd,gBAAgB;AAAA,IAChB,uBAAuB;AAAA,IACvB;AAAA,EACF,IAAI;AAEJ,QAAM,CAAC,SAAS,UAAU,IAAIC,UAAwB,IAAI;AAC1D,QAAM,CAAC,WAAW,YAAY,IAAIA,UAAkB,KAAK;AACzD,QAAM,CAAC,OAAO,QAAQ,IAAIA,UAAuB,IAAI;AAGrD,QAAM,eAAeC,SAAQ,MAAM;AACjC,WAAO,YAAY,qBAAqB,SAAS,IAAI;AAAA,EACvD,GAAG,CAAC,WAAW,oBAAoB,CAAC;AAEpC,QAAM,YAAYC,aAAY,YAA2B;AACvD,QAAI,CAAC,WAAW,CAAC,kBAAkB,CAAC,UAAU;AAC5C,iBAAW,IAAI;AACf,mBAAa,KAAK;AAClB;AAAA,IACF;AAGA,UAAM,YAAY;AAClB,QAAI,CAAC,UAAU,KAAK,cAAc,GAAG;AACnC,UAAI,KAAK,qDAAqD,cAAc;AAAA,IAG9E;AAGA,UAAM,WAAW,eAAe,OAAO,IAAI,cAAc;AACzD,QAAI,aAAa;AACf,YAAM,SAASH,iBAAgB,IAAI,QAAQ;AAC3C,UAAI,UAAU,KAAK,IAAI,IAAI,OAAO,YAAY,OAAO,KAAK;AACxD,mBAAW,OAAO,IAAI;AACtB,qBAAa,KAAK;AAClB,iBAAS,IAAI;AACb;AAAA,MACF;AAAA,IACF;AAEA,QAAI;AACF,mBAAa,IAAI;AACjB,eAAS,IAAI;AAGb,YAAM,EAAE,MAAM,OAAO,SAAS,IAAI,MAAO,SAAiB,IAAI,yBAAyB;AAAA,QACrF,gBAAgB;AAAA,QAChB,uBAAuB;AAAA,MACzB,CAAC;AAED,UAAI,UAAU;AACZ,cAAM,IAAI,MAAM,SAAS,WAAW,sBAAsB;AAAA,MAC5D;AAEA,UAAI,CAAC,QAAQ,KAAK,WAAW,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,UAAU;AAC/D,mBAAW,IAAI;AACf;AAAA,MACF;AAEA,YAAMI,WAAU,KAAK,CAAC,EAAE;AAGxB,UAAI,eAAe;AACjB,YAAI;AACF,gBAAM,WAAW,MAAM,MAAMA,UAAS,EAAE,QAAQ,OAAO,CAAC;AACxD,cAAI,CAAC,SAAS,IAAI;AAChB,gBAAI,KAAK,4BAA4BA,QAAO;AAC5C,uBAAW,IAAI;AACf;AAAA,UACF;AAAA,QACF,SAAS,YAAY;AACnB,cAAI,KAAK,8BAA8B,UAAU;AACjD,qBAAW,IAAI;AACf;AAAA,QACF;AAAA,MACF;AAEA,iBAAWA,QAAO;AAGlB,UAAI,aAAa;AACf,QAAAJ,iBAAgB,IAAI,UAAU;AAAA,UAC5B,MAAMI;AAAA,UACN,WAAW,KAAK,IAAI;AAAA,UACpB,KAAK;AAAA,QACP,CAAC;AAAA,MACH;AAAA,IAEF,SAAS,KAAK;AACZ,UAAI,MAAM,wBAAwB,GAAG;AACrC,YAAMC,SAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,wBAAwB;AAC7E,eAASA,MAAK;AACd,iBAAW,IAAI;AAAA,IACjB,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF,GAAG,CAAC,SAAS,gBAAgB,UAAU,UAAU,aAAa,aAAa,CAAC;AAG5E,EAAAC,WAAU,MAAM;AACd,QAAI,WAAW,gBAAgB;AAC7B,gBAAU;AAAA,IACZ,OAAO;AACL,iBAAW,IAAI;AACf,mBAAa,KAAK;AAClB,eAAS,IAAI;AAAA,IACf;AAAA,EACF,GAAG,CAAC,WAAW,SAAS,cAAc,CAAC;AAEvC,QAAM,UAAUH,aAAY,YAA2B;AACrD,QAAI,CAAC,WAAW,CAAC,eAAgB;AAGjC,QAAI,aAAa;AACf,YAAM,WAAW,eAAe,OAAO,IAAI,cAAc;AACzD,MAAAH,iBAAgB,OAAO,QAAQ;AAAA,IACjC;AACA,UAAM,UAAU;AAAA,EAClB,GAAG,CAAC,WAAW,SAAS,gBAAgB,WAAW,CAAC;AAEpD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAMO,SAAS,uBAA6B;AAC3C,aAAW,CAAC,GAAG,KAAKA,kBAAiB;AACnC,QAAI,IAAI,WAAW,cAAc,GAAG;AAClC,MAAAA,iBAAgB,OAAO,GAAG;AAAA,IAC5B;AAAA,EACF;AACF;AAKO,SAAS,0BAA4D;AAC1E,QAAM,OAAO,MAAM,KAAKA,iBAAgB,KAAK,CAAC,EAAE,OAAO,SAAO,IAAI,WAAW,cAAc,CAAC;AAC5F,SAAO;AAAA,IACL,MAAM,KAAK;AAAA,IACX;AAAA,EACF;AACF;;;ACzOA,SAAS,YAAAO,WAAqB,eAAAC,cAAa,WAAAC,gBAAe;AAC1D,SAAS,WAAW,mBAAmB;AAqCvC,SAAS,wBAAwB,WAA4B;AAC3D,MAAI,CAAC,aAAa,OAAO,cAAc,SAAU,QAAO;AAGxD,MAAI,UAAU,SAAS,KAAK,UAAU,SAAS,GAAI,QAAO;AAG1D,MAAI,UAAU,WAAW,GAAG;AAC1B,WAAO,mBAAmB,KAAK,SAAS;AAAA,EAC1C;AAIA,QAAM,iBAAiB;AACvB,QAAM,gBAAgB,eAAe,KAAK,SAAS;AAEnD,MAAI,CAAC,cAAe,QAAO;AAG3B,MAAI,UAAU,SAAS,IAAI,KAAK,UAAU,SAAS,IAAI,KAAK,UAAU,SAAS,IAAI,KAAK,UAAU,SAAS,IAAI,GAAG;AAChH,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAYO,SAAS,qBACd,UAAuC,CAAC,GACZ;AAC5B,QAAM;AAAA,IACJ,iBAAiB;AAAA,IACjB,iBAAiB;AAAA,IACjB,oBAAoB;AAAA,EACtB,IAAI;AAEJ,QAAM,SAAS,UAAU;AACzB,QAAM,WAAW,YAAY;AAE7B,QAAM,CAAC,OAAO,QAAQ,IAAIC,UAAuB,IAAI;AAGrD,QAAM,YAAYC,SAAQ,MAAM;AAC9B,UAAM,OAAO,OAAO,cAAc;AAElC,QAAI,CAAC,MAAM;AAET,aAAO;AAAA,IACT;AAGA,QAAI,qBAAqB,CAAC,wBAAwB,IAAI,GAAG;AACvD,eAAS,IAAI,MAAM,8BAA8B,IAAI,EAAE,CAAC;AACxD,aAAO;AAAA,IACT;AAEA,aAAS,IAAI;AACb,WAAO;AAAA,EACT,GAAG,CAAC,QAAQ,gBAAgB,iBAAiB,CAAC;AAG9C,QAAM;AAAA,IACJ;AAAA,IACA,WAAW;AAAA,IACX,OAAO;AAAA,IACP,SAAS;AAAA,EACX,IAAI,eAAe,aAAa,IAAI;AAAA,IAClC,aAAa;AAAA,IACb,UAAU,IAAI,KAAK;AAAA;AAAA,EACrB,CAAC;AAGD,QAAM,YAAYA,SAAQ,MAAM;AAC9B,QAAI,CAAC,eAAgB,QAAO;AAC5B,WAAO;AAAA,EACT,GAAG,CAAC,gBAAgB,YAAY,CAAC;AAGjC,QAAM,aAAaA,SAAQ,MAAM;AAC/B,QAAI,MAAO,QAAO;AAClB,QAAI,WAAY,QAAO;AACvB,WAAO;AAAA,EACT,GAAG,CAAC,OAAO,UAAU,CAAC;AAGtB,QAAM,UAAUA,SAAQ,MAAM;AAC5B,QAAI,CAAC,MAAO,QAAO;AACnB,WAAO,MAAM,YAAY,MAAM;AAAA,EACjC,GAAG,CAAC,KAAK,CAAC;AAGV,QAAM,UAAUC,aAAY,YAA2B;AACrD,QAAI,CAAC,eAAgB;AACrB,UAAM,aAAa;AAAA,EACrB,GAAG,CAAC,gBAAgB,YAAY,CAAC;AAEjC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,OAAO,iBAAiB,QAAQ;AAAA,IAChC;AAAA,IACA,OAAO;AAAA,IACP;AAAA,EACF;AACF;AAMO,SAAS,mBACd,iBAAyB,aAC0B;AACnD,QAAM,SAAS,UAAU;AAEzB,QAAM,YAAYD,SAAQ,MAAM;AAC9B,UAAM,OAAO,OAAO,cAAc;AAElC,QAAI,CAAC,MAAM;AACT,aAAO;AAAA,IACT;AAGA,QAAI,CAAC,wBAAwB,IAAI,GAAG;AAClC,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT,GAAG,CAAC,QAAQ,cAAc,CAAC;AAE3B,QAAM,QAAQA,SAAQ,MAAM;AAC1B,QAAI,CAAC,WAAW;AACd,aAAO,IAAI,MAAM,yBAAyB,cAAc,wBAAwB;AAAA,IAClF;AACA,WAAO;AAAA,EACT,GAAG,CAAC,WAAW,cAAc,CAAC;AAE9B,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAKO,SAAS,wBACd,WACA,WAAmB,SACX;AACR,MAAI,CAAC,aAAa,CAAC,wBAAwB,SAAS,GAAG;AACrD,UAAM,IAAI,MAAM,yCAAyC;AAAA,EAC3D;AAEA,SAAO,iBAAiB,SAAS,IAAI,QAAQ;AAC/C;AAMO,SAAS,yBAAyB,MAA6B;AACpE,QAAM,QAAQ,KAAK,MAAM,mDAAmD;AAC5E,MAAI,CAAC,MAAO,QAAO;AAEnB,QAAM,YAAY,MAAM,CAAC;AAEzB,MAAI,CAAC,wBAAwB,SAAS,GAAG;AACvC,WAAO;AAAA,EACT;AAEA,SAAO;AACT;","names":["useState","useMemo","useState","useMemo","error","useState","useEffect","useCallback","useMemo","publicDataCache","useState","useMemo","useCallback","logoUrl","error","useEffect","useState","useCallback","useMemo","useState","useMemo","useCallback"]}

package/dist/chunk-63FOKYGO.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/rbac/audit-batched.ts","../src/rbac/audit.ts"],"sourcesContent":["/**\n * Batched Audit Manager for RBAC\n * @package @jmruthers/pace-core\n * @module RBAC/AuditBatched\n * @since 2.0.0\n * \n * This module provides batched audit logging to reduce network requests\n * by queuing events and sending them in batches.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { RBACAuditEvent, UUID } from './types';\nimport { AuditEventPayload } from './audit';\nimport { logger } from '../utils/core/logger';\n\nexport interface BatchedAuditConfig {\n  /** Enable batched audit logging (default: true) */\n  enabled: boolean;\n  /** Time window in milliseconds to wait before sending batch (default: 100ms) */\n  batchWindow: number;\n  /** Maximum batch size before forcing send (default: 10) */\n  batchSize: number;\n}\n\nconst DEFAULT_CONFIG: BatchedAuditConfig = {\n  enabled: true,\n  batchWindow: 500, // 500ms - increased for better batching\n  batchSize: 20, // Increased from 10 to 20 for better efficiency\n};\n\n/**\n * Batched Audit Manager\n * \n * Queues audit events and sends them in batches to reduce network requests.\n */\nexport class BatchedAuditManager {\n  private supabase: SupabaseClient<Database>;\n  private config: BatchedAuditConfig;\n  private eventQueue: Array<Omit<RBACAuditEvent, 'id' | 'created_at'>> = [];\n  private flushTimer: ReturnType<typeof setTimeout> | null = null;\n  private isFlushing: boolean = false;\n\n  constructor(supabase: SupabaseClient<Database>, config: Partial<BatchedAuditConfig> = {}) {\n    this.supabase = supabase;\n    this.config = { ...DEFAULT_CONFIG, ...config };\n  }\n\n  /**\n   * Update configuration\n   */\n  updateConfig(config: Partial<BatchedAuditConfig>): void {\n    this.config = { ...this.config, ...config };\n  }\n\n  /**\n   * Queue an audit event for batching\n   * \n   * @param event - Audit event payload\n   */\n  async queueEvent(event: AuditEventPayload): Promise<void> {\n    if (!this.config.enabled) {\n      // If batching is disabled, send immediately\n      await this.sendEventImmediately(event);\n      return;\n    }\n\n    // Skip audit logging for cached checks (only log on cache miss)\n    if ('cache_hit' in event && event.cache_hit === true) {\n      return;\n    }\n\n    // Convert event payload to database format\n    const auditEvent = this.convertToAuditEvent(event);\n    if (!auditEvent) {\n      return;\n    }\n\n    // Add to queue\n    this.eventQueue.push(auditEvent);\n\n    // Check if we should flush immediately\n    if (this.eventQueue.length >= this.config.batchSize) {\n      await this.flush();\n    } else {\n      // Schedule flush after batch window\n      this.scheduleFlush();\n    }\n  }\n\n  /**\n   * Convert audit event payload to database format\n   */\n  private convertToAuditEvent(event: AuditEventPayload): Omit<RBACAuditEvent, 'id' | 'created_at'> | null {\n    // Validate required fields\n    if (!event.userId) {\n      logger.error('RBAC Audit', 'Cannot queue audit event without userId:', {\n        eventType: event.type,\n        organisationId: event.organisationId\n      });\n      return null;\n    }\n\n    // Validate pageId: only include in page_id column if it's a valid UUID\n    const rawPageId = 'pageId' in event ? event.pageId : undefined;\n    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n    const isValidPageIdUuid = rawPageId && uuidRegex.test(rawPageId);\n    const pageIdUuid: UUID | undefined = isValidPageIdUuid ? (rawPageId as UUID) : undefined;\n    const pageIdName: string | undefined = rawPageId && !isValidPageIdUuid ? rawPageId : undefined;\n\n    return {\n      event_type: event.type,\n      user_id: event.userId,\n      organisation_id: event.organisationId || null,\n      event_id: 'eventId' in event ? event.eventId : undefined,\n      app_id: 'appId' in event ? event.appId : undefined,\n      page_id: pageIdUuid,\n      permission: 'permission' in event ? event.permission : undefined,\n      decision: 'decision' in event ? event.decision : undefined,\n      source: 'source' in event ? event.source : 'api',\n      bypass: 'bypass' in event ? event.bypass : undefined,\n      duration_ms: 'duration_ms' in event ? event.duration_ms : undefined,\n      metadata: {\n        ...event.metadata,\n        cache_hit: 'cache_hit' in event ? event.cache_hit : undefined,\n        cache_source: 'cache_source' in event ? event.cache_source : undefined,\n        no_organisation_context: !event.organisationId,\n        page_name: pageIdName,\n      },\n    };\n  }\n\n  /**\n   * Schedule a flush after the batch window\n   */\n  private scheduleFlush(): void {\n    if (this.flushTimer) {\n      return; // Already scheduled\n    }\n\n    this.flushTimer = setTimeout(() => {\n      this.flushTimer = null;\n      this.flush();\n    }, this.config.batchWindow);\n  }\n\n  /**\n   * Flush all queued events\n   */\n  async flush(): Promise<void> {\n    if (this.isFlushing || this.eventQueue.length === 0) {\n      return;\n    }\n\n    // Clear any pending timer\n    if (this.flushTimer) {\n      clearTimeout(this.flushTimer);\n      this.flushTimer = null;\n    }\n\n    this.isFlushing = true;\n\n    try {\n      // Get all events from queue\n      const eventsToSend = [...this.eventQueue];\n      this.eventQueue = [];\n\n      if (eventsToSend.length === 0) {\n        return;\n      }\n\n      // Send batch to database\n      const { error } = await (this.supabase as any)\n        .from('rbac_audit_events')\n        .insert(eventsToSend);\n\n      if (error) {\n        logger.warn('RBAC Audit', 'Failed to insert batched audit events:', {\n          error: error.message,\n          code: error.code,\n          batchSize: eventsToSend.length,\n        });\n      }\n    } catch (error) {\n      logger.error('RBAC Audit', 'Unexpected error during batched audit logging:', error);\n    } finally {\n      this.isFlushing = false;\n    }\n  }\n\n  /**\n   * Send event immediately (bypass batching)\n   */\n  private async sendEventImmediately(event: AuditEventPayload): Promise<void> {\n    const auditEvent = this.convertToAuditEvent(event);\n    if (!auditEvent) {\n      return;\n    }\n\n    try {\n      const { error } = await (this.supabase as any)\n        .from('rbac_audit_events')\n        .insert([auditEvent]);\n\n      if (error) {\n        logger.warn('RBAC Audit', 'Failed to insert audit event:', {\n          error: error.message,\n          code: error.code,\n        });\n      }\n    } catch (error) {\n      logger.error('RBAC Audit', 'Unexpected error during audit logging:', error);\n    }\n  }\n\n  /**\n   * Force flush and wait for completion\n   */\n  async forceFlush(): Promise<void> {\n    await this.flush();\n  }\n}\n\n","/**\n * RBAC Audit Events System\n * @package @jmruthers/pace-core\n * @module RBAC/Audit\n * @since 1.0.0\n * \n * This module provides structured audit event emission for all RBAC operations.\n */\n\nimport { SupabaseClient } from '@supabase/supabase-js';\nimport { Database } from '../types/database';\nimport { \n  UUID, \n  AuditEventSource, \n  RBACAuditEvent \n} from './types';\nimport type { AuditEventType } from './types/functions';\nimport { logger } from '../utils/core/logger';\nimport { BatchedAuditManager } from './audit-batched';\n\n/**\n * Audit event payload for permission checks\n */\nexport interface PermissionCheckAuditEvent {\n  type: 'permission_check';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  pageId?: UUID;\n  permission: string;\n  decision: boolean;\n  source: AuditEventSource;\n  bypass?: boolean;\n  duration_ms: number;\n  cache_hit?: boolean;\n  cache_source?: 'memory' | 'database' | 'rpc';\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for permission denied\n */\nexport interface PermissionDeniedAuditEvent {\n  type: 'permission_denied';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  pageId?: UUID;\n  permission: string;\n  source: AuditEventSource;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role granted\n */\nexport interface RoleGrantedAuditEvent {\n  type: 'role_granted';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  role: string;\n  grantedBy: UUID;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for role revoked\n */\nexport interface RoleRevokedAuditEvent {\n  type: 'role_denied';\n  userId: UUID;\n  organisationId: UUID;\n  eventId?: string;\n  appId?: UUID;\n  role: string;\n  revokedBy: UUID;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Audit event payload for RLS denied\n */\nexport interface RLSDeniedAuditEvent {\n  type: 'rls_denied';\n  userId: UUID;\n  organisationId: UUID;\n  table: string;\n  operation: string;\n  metadata?: Record<string, any>;\n}\n\n/**\n * Union type for all audit events\n */\nexport type AuditEventPayload = \n  | PermissionCheckAuditEvent\n  | PermissionDeniedAuditEvent\n  | RoleGrantedAuditEvent\n  | RoleRevokedAuditEvent\n  | RLSDeniedAuditEvent;\n\n/**\n * RBAC Audit Manager\n * \n * Handles emission of structured audit events for all RBAC operations.\n */\nexport class RBACAuditManager {\n  private supabase: SupabaseClient<Database>;\n  private enabled: boolean = true;\n  private fallbackEnabled: boolean = true;\n  private batchedManager: BatchedAuditManager | null = null;\n  private useBatching: boolean = true;\n\n  constructor(\n    supabase: SupabaseClient<Database>, \n    useBatching: boolean = true,\n    batchConfig?: { batchWindow?: number; batchSize?: number }\n  ) {\n    this.supabase = supabase;\n    this.useBatching = useBatching;\n    if (useBatching) {\n      this.batchedManager = new BatchedAuditManager(supabase, batchConfig);\n    }\n  }\n\n  /**\n   * Enable or disable audit logging\n   * \n   * @param enabled - Whether to enable audit logging\n   */\n  setEnabled(enabled: boolean): void {\n    this.enabled = enabled;\n  }\n\n  /**\n   * Check if audit logging is enabled\n   * \n   * @returns True if audit logging is enabled\n   */\n  isEnabled(): boolean {\n    return this.enabled;\n  }\n\n  /**\n   * Enable or disable fallback logging (console logging when database fails)\n   * \n   * @param enabled - Whether to enable fallback logging\n   */\n  setFallbackEnabled(enabled: boolean): void {\n    this.fallbackEnabled = enabled;\n  }\n\n  /**\n   * Emit an audit event\n   * \n   * @param event - Audit event payload\n   * @returns Promise that resolves when event is logged\n   */\n  async emitEvent(event: AuditEventPayload): Promise<void> {\n    if (!this.enabled) {\n      return;\n    }\n\n    // Skip audit logging for cached checks (only log on cache miss)\n    if ('cache_hit' in event && event.cache_hit === true) {\n      return;\n    }\n\n    // Use batched manager if enabled\n    if (this.useBatching && this.batchedManager) {\n      await this.batchedManager.queueEvent(event);\n      return;\n    }\n\n    // Validate required fields before attempting to insert\n    // MANDATORY: All audit events must have userId\n    if (!event.userId) {\n      logger.error('RBAC Audit', 'CRITICAL: Cannot log audit event without userId:', {\n        eventType: event.type,\n        organisationId: event.organisationId\n      });\n      return;\n    }\n\n    // WARNING: Some audit events may not have organisationId (e.g., global admin operations)\n    // Log these for security monitoring even if organisationId is missing\n    if (!event.organisationId) {\n      logger.warn('RBAC Audit', 'Audit event without organisation context:', {\n        userId: event.userId,\n        eventType: event.type,\n        note: 'This should be investigated for security compliance'\n      });\n    }\n\n    try {\n      // Since organisationId is now required in SecurityContext, this should rarely happen\n      // But we still handle the edge case properly without masking it\n      if (!event.organisationId) {\n        logger.warn('RBAC Audit', 'Audit event without organisation context - this should be investigated:', {\n          userId: event.userId,\n          eventType: event.type,\n          note: 'Organisation context is required for RBAC operations. This may indicate a security issue or missing context derivation.'\n        });\n      }\n\n      // Validate pageId: only include in page_id column if it's a valid UUID\n      // Otherwise, store it in metadata to avoid database errors\n      const rawPageId = 'pageId' in event ? event.pageId : undefined;\n      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;\n      const isValidPageIdUuid = rawPageId && uuidRegex.test(rawPageId);\n      const pageIdUuid: UUID | undefined = isValidPageIdUuid ? (rawPageId as UUID) : undefined;\n      const pageIdName: string | undefined = rawPageId && !isValidPageIdUuid ? rawPageId : undefined;\n\n      const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {\n        event_type: event.type,\n        user_id: event.userId,\n        // Store organisationId - nullable to properly track missing context cases\n        // Do NOT use fallback UUID as it masks security issues\n        organisation_id: event.organisationId || null, // Explicitly null if missing\n        event_id: 'eventId' in event ? event.eventId : undefined,\n        app_id: 'appId' in event ? event.appId : undefined,\n        page_id: pageIdUuid, // Only set if it's a valid UUID\n        permission: 'permission' in event ? event.permission : undefined,\n        decision: 'decision' in event ? event.decision : undefined,\n        source: 'source' in event ? event.source : 'api', // Default to 'api' if not provided\n        bypass: 'bypass' in event ? event.bypass : undefined,\n        duration_ms: 'duration_ms' in event ? event.duration_ms : undefined,\n        metadata: {\n          ...event.metadata,\n          cache_hit: 'cache_hit' in event ? event.cache_hit : undefined,\n          cache_source: 'cache_source' in event ? event.cache_source : undefined,\n          // Explicit flag indicating this event had no organisation context\n          no_organisation_context: !event.organisationId,\n          // Store page name/identifier in metadata if it's not a UUID\n          page_name: pageIdName,\n        },\n      };\n\n      const { error } = await (this.supabase as any)\n        .from('rbac_audit_events')\n        .insert([auditEvent]);\n\n      if (error) {\n        // Log the error for debugging\n        logger.warn('RBAC Audit', 'Failed to insert audit event:', {\n          error: error.message,\n          code: error.code,\n          details: error.details,\n          hint: error.hint,\n          event: auditEvent\n        });\n\n        // Use fallback logging if enabled\n        if (this.fallbackEnabled) {\n          this.logFallbackEvent(event, error);\n        }\n      }\n    } catch (error) {\n      // Log unexpected errors\n      logger.error('RBAC Audit', 'Unexpected error during audit logging:', error);\n      \n      // Use fallback logging if enabled\n      if (this.fallbackEnabled) {\n        this.logFallbackEvent(event, error);\n      }\n    }\n  }\n\n  /**\n   * Log event to console as fallback when database logging fails\n   * \n   * @param event - Audit event payload\n   * @param error - The error that occurred\n   */\n  private logFallbackEvent(event: AuditEventPayload, error: any): void {\n    logger.debug('RBAC Audit Fallback', 'Database audit logging failed, using console fallback', {\n      timestamp: new Date().toISOString(),\n      event,\n      error: error?.message || error\n    });\n  }\n\n  /**\n   * Emit a permission check audit event\n   * \n   * @param event - Permission check event data\n   */\n  async emitPermissionCheck(event: Omit<PermissionCheckAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'permission_check',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit a permission denied audit event\n   * \n   * @param event - Permission denied event data\n   */\n  async emitPermissionDenied(event: Omit<PermissionDeniedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'permission_denied',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit a role granted audit event\n   * \n   * @param event - Role granted event data\n   */\n  async emitRoleGranted(event: Omit<RoleGrantedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'role_granted',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit a role revoked audit event\n   * \n   * @param event - Role revoked event data\n   */\n  async emitRoleRevoked(event: Omit<RoleRevokedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'role_denied',\n      ...event,\n    });\n  }\n\n  /**\n   * Emit an RLS denied audit event\n   * \n   * @param event - RLS denied event data\n   */\n  async emitRLSDenied(event: Omit<RLSDeniedAuditEvent, 'type'>): Promise<void> {\n    await this.emitEvent({\n      type: 'rls_denied',\n      ...event,\n    });\n  }\n\n  /**\n   * Get audit events for a user\n   * \n   * @param userId - User ID\n   * @param limit - Maximum number of events to return\n   * @returns Promise resolving to audit events\n   */\n  async getUserAuditEvents(userId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n    const { data, error } = await this.supabase\n      .from('rbac_audit_events')\n      .select('id, event_type, user_id, organisation_id, event_id, app_id, page_id, permission, decision, source, bypass, duration_ms, metadata, created_at')\n      .eq('user_id', userId)\n      .order('created_at', { ascending: false })\n      .limit(limit);\n\n    if (error) {\n      // Detect CORS errors (they typically have null status or specific error codes)\n      const isCorsError = \n        error.message?.toLowerCase().includes('cors') ||\n        error.message?.toLowerCase().includes('cross-origin') ||\n        error.code === null ||\n        (error as any).status === null;\n      \n      if (isCorsError) {\n        const corsError = new Error(\n          `CORS error when querying audit events. This is a Supabase configuration issue. ` +\n          `Please configure CORS in your Supabase Dashboard: Settings → API → CORS. ` +\n          `Add your app's origin (e.g., http://localhost:8087) to the allowed origins list. ` +\n          `Original error: ${error.message || 'CORS request did not succeed'}`\n        );\n        (corsError as any).isCorsError = true;\n        (corsError as any).originalError = error;\n        throw corsError;\n      }\n      \n      throw new Error(`Failed to get audit events: ${error.message}`);\n    }\n\n    return (data || []).map(event => ({\n      ...event,\n      event_type: event.event_type as AuditEventType\n    })) as RBACAuditEvent[];\n  }\n\n  /**\n   * Get audit events for an organisation\n   * \n   * @param organisationId - Organisation ID\n   * @param limit - Maximum number of events to return\n   * @returns Promise resolving to audit events\n   */\n  async getOrganisationAuditEvents(organisationId: UUID, limit: number = 100): Promise<RBACAuditEvent[]> {\n    const { data, error } = await this.supabase\n      .from('rbac_audit_events')\n      .select('id, event_type, user_id, organisation_id, event_id, app_id, page_id, permission, decision, source, bypass, duration_ms, metadata, created_at')\n      .eq('organisation_id', organisationId)\n      .order('created_at', { ascending: false })\n      .limit(limit);\n\n    if (error) {\n      // Detect CORS errors (they typically have null status or specific error codes)\n      const isCorsError = \n        error.message?.toLowerCase().includes('cors') ||\n        error.message?.toLowerCase().includes('cross-origin') ||\n        error.code === null ||\n        (error as any).status === null;\n      \n      if (isCorsError) {\n        const corsError = new Error(\n          `CORS error when querying audit events. This is a Supabase configuration issue. ` +\n          `Please configure CORS in your Supabase Dashboard: Settings → API → CORS. ` +\n          `Add your app's origin (e.g., http://localhost:8087) to the allowed origins list. ` +\n          `Original error: ${error.message || 'CORS request did not succeed'}`\n        );\n        (corsError as any).isCorsError = true;\n        (corsError as any).originalError = error;\n        throw corsError;\n      }\n      \n      throw new Error(`Failed to get audit events: ${error.message}`);\n    }\n\n    return (data || []).map(event => ({\n      ...event,\n      event_type: event.event_type as AuditEventType\n    })) as RBACAuditEvent[];\n  }\n}\n\n/**\n * Create an audit manager instance\n * \n * @param supabase - Supabase client\n * @param useBatching - Whether to use batched audit logging (default: true)\n * @param batchConfig - Optional batch configuration\n * @returns RBACAuditManager instance\n */\nexport function createAuditManager(\n  supabase: SupabaseClient<Database>, \n  useBatching: boolean = true,\n  batchConfig?: { batchWindow?: number; batchSize?: number }\n): RBACAuditManager {\n  return new RBACAuditManager(supabase, useBatching, batchConfig);\n}\n\n/**\n * Global audit manager instance\n * \n * This is set by the RBAC engine when it initializes.\n */\nlet globalAuditManager: RBACAuditManager | null = null;\n\n/**\n * Set the global audit manager\n * \n * @param manager - Audit manager instance\n */\nexport function setGlobalAuditManager(manager: RBACAuditManager): void {\n  globalAuditManager = manager;\n}\n\n/**\n * Get the global audit manager\n * \n * @returns Global audit manager or null if not set\n */\nexport function getGlobalAuditManager(): RBACAuditManager | null {\n  return globalAuditManager;\n}\n\n/**\n * Emit an audit event using the global audit manager\n * \n * @param event - Audit event payload\n */\nexport async function emitAuditEvent(event: AuditEventPayload): Promise<void> {\n  if (globalAuditManager) {\n    await globalAuditManager.emitEvent(event);\n  }\n}\n"],"mappings":";;;;;AAyBA,IAAM,iBAAqC;AAAA,EACzC,SAAS;AAAA,EACT,aAAa;AAAA;AAAA,EACb,WAAW;AAAA;AACb;AAOO,IAAM,sBAAN,MAA0B;AAAA,EAO/B,YAAY,UAAoC,SAAsC,CAAC,GAAG;AAJ1F,SAAQ,aAA+D,CAAC;AACxE,SAAQ,aAAmD;AAC3D,SAAQ,aAAsB;AAG5B,SAAK,WAAW;AAChB,SAAK,SAAS,EAAE,GAAG,gBAAgB,GAAG,OAAO;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,QAA2C;AACtD,SAAK,SAAS,EAAE,GAAG,KAAK,QAAQ,GAAG,OAAO;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,WAAW,OAAyC;AACxD,QAAI,CAAC,KAAK,OAAO,SAAS;AAExB,YAAM,KAAK,qBAAqB,KAAK;AACrC;AAAA,IACF;AAGA,QAAI,eAAe,SAAS,MAAM,cAAc,MAAM;AACpD;AAAA,IACF;AAGA,UAAM,aAAa,KAAK,oBAAoB,KAAK;AACjD,QAAI,CAAC,YAAY;AACf;AAAA,IACF;AAGA,SAAK,WAAW,KAAK,UAAU;AAG/B,QAAI,KAAK,WAAW,UAAU,KAAK,OAAO,WAAW;AACnD,YAAM,KAAK,MAAM;AAAA,IACnB,OAAO;AAEL,WAAK,cAAc;AAAA,IACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAoB,OAA4E;AAEtG,QAAI,CAAC,MAAM,QAAQ;AACjB,aAAO,MAAM,cAAc,4CAA4C;AAAA,QACrE,WAAW,MAAM;AAAA,QACjB,gBAAgB,MAAM;AAAA,MACxB,CAAC;AACD,aAAO;AAAA,IACT;AAGA,UAAM,YAAY,YAAY,QAAQ,MAAM,SAAS;AACrD,UAAM,YAAY;AAClB,UAAM,oBAAoB,aAAa,UAAU,KAAK,SAAS;AAC/D,UAAM,aAA+B,oBAAqB,YAAqB;AAC/E,UAAM,aAAiC,aAAa,CAAC,oBAAoB,YAAY;AAErF,WAAO;AAAA,MACL,YAAY,MAAM;AAAA,MAClB,SAAS,MAAM;AAAA,MACf,iBAAiB,MAAM,kBAAkB;AAAA,MACzC,UAAU,aAAa,QAAQ,MAAM,UAAU;AAAA,MAC/C,QAAQ,WAAW,QAAQ,MAAM,QAAQ;AAAA,MACzC,SAAS;AAAA,MACT,YAAY,gBAAgB,QAAQ,MAAM,aAAa;AAAA,MACvD,UAAU,cAAc,QAAQ,MAAM,WAAW;AAAA,MACjD,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA,MAC3C,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA,MAC3C,aAAa,iBAAiB,QAAQ,MAAM,cAAc;AAAA,MAC1D,UAAU;AAAA,QACR,GAAG,MAAM;AAAA,QACT,WAAW,eAAe,QAAQ,MAAM,YAAY;AAAA,QACpD,cAAc,kBAAkB,QAAQ,MAAM,eAAe;AAAA,QAC7D,yBAAyB,CAAC,MAAM;AAAA,QAChC,WAAW;AAAA,MACb;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAsB;AAC5B,QAAI,KAAK,YAAY;AACnB;AAAA,IACF;AAEA,SAAK,aAAa,WAAW,MAAM;AACjC,WAAK,aAAa;AAClB,WAAK,MAAM;AAAA,IACb,GAAG,KAAK,OAAO,WAAW;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAuB;AAC3B,QAAI,KAAK,cAAc,KAAK,WAAW,WAAW,GAAG;AACnD;AAAA,IACF;AAGA,QAAI,KAAK,YAAY;AACnB,mBAAa,KAAK,UAAU;AAC5B,WAAK,aAAa;AAAA,IACpB;AAEA,SAAK,aAAa;AAElB,QAAI;AAEF,YAAM,eAAe,CAAC,GAAG,KAAK,UAAU;AACxC,WAAK,aAAa,CAAC;AAEnB,UAAI,aAAa,WAAW,GAAG;AAC7B;AAAA,MACF;AAGA,YAAM,EAAE,MAAM,IAAI,MAAO,KAAK,SAC3B,KAAK,mBAAmB,EACxB,OAAO,YAAY;AAEtB,UAAI,OAAO;AACT,eAAO,KAAK,cAAc,0CAA0C;AAAA,UAClE,OAAO,MAAM;AAAA,UACb,MAAM,MAAM;AAAA,UACZ,WAAW,aAAa;AAAA,QAC1B,CAAC;AAAA,MACH;AAAA,IACF,SAAS,OAAO;AACd,aAAO,MAAM,cAAc,kDAAkD,KAAK;AAAA,IACpF,UAAE;AACA,WAAK,aAAa;AAAA,IACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,qBAAqB,OAAyC;AAC1E,UAAM,aAAa,KAAK,oBAAoB,KAAK;AACjD,QAAI,CAAC,YAAY;AACf;AAAA,IACF;AAEA,QAAI;AACF,YAAM,EAAE,MAAM,IAAI,MAAO,KAAK,SAC3B,KAAK,mBAAmB,EACxB,OAAO,CAAC,UAAU,CAAC;AAEtB,UAAI,OAAO;AACT,eAAO,KAAK,cAAc,iCAAiC;AAAA,UACzD,OAAO,MAAM;AAAA,UACb,MAAM,MAAM;AAAA,QACd,CAAC;AAAA,MACH;AAAA,IACF,SAAS,OAAO;AACd,aAAO,MAAM,cAAc,0CAA0C,KAAK;AAAA,IAC5E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAA4B;AAChC,UAAM,KAAK,MAAM;AAAA,EACnB;AACF;;;AC/GO,IAAM,mBAAN,MAAuB;AAAA,EAO5B,YACE,UACA,cAAuB,MACvB,aACA;AATF,SAAQ,UAAmB;AAC3B,SAAQ,kBAA2B;AACnC,SAAQ,iBAA6C;AACrD,SAAQ,cAAuB;AAO7B,SAAK,WAAW;AAChB,SAAK,cAAc;AACnB,QAAI,aAAa;AACf,WAAK,iBAAiB,IAAI,oBAAoB,UAAU,WAAW;AAAA,IACrE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAW,SAAwB;AACjC,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,mBAAmB,SAAwB;AACzC,SAAK,kBAAkB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,UAAU,OAAyC;AACvD,QAAI,CAAC,KAAK,SAAS;AACjB;AAAA,IACF;AAGA,QAAI,eAAe,SAAS,MAAM,cAAc,MAAM;AACpD;AAAA,IACF;AAGA,QAAI,KAAK,eAAe,KAAK,gBAAgB;AAC3C,YAAM,KAAK,eAAe,WAAW,KAAK;AAC1C;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,QAAQ;AACjB,aAAO,MAAM,cAAc,oDAAoD;AAAA,QAC7E,WAAW,MAAM;AAAA,QACjB,gBAAgB,MAAM;AAAA,MACxB,CAAC;AACD;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,gBAAgB;AACzB,aAAO,KAAK,cAAc,6CAA6C;AAAA,QACrE,QAAQ,MAAM;AAAA,QACd,WAAW,MAAM;AAAA,QACjB,MAAM;AAAA,MACR,CAAC;AAAA,IACH;AAEA,QAAI;AAGF,UAAI,CAAC,MAAM,gBAAgB;AACzB,eAAO,KAAK,cAAc,2EAA2E;AAAA,UACnG,QAAQ,MAAM;AAAA,UACd,WAAW,MAAM;AAAA,UACjB,MAAM;AAAA,QACR,CAAC;AAAA,MACH;AAIA,YAAM,YAAY,YAAY,QAAQ,MAAM,SAAS;AACrD,YAAM,YAAY;AAClB,YAAM,oBAAoB,aAAa,UAAU,KAAK,SAAS;AAC/D,YAAM,aAA+B,oBAAqB,YAAqB;AAC/E,YAAM,aAAiC,aAAa,CAAC,oBAAoB,YAAY;AAErF,YAAM,aAAwD;AAAA,QAC5D,YAAY,MAAM;AAAA,QAClB,SAAS,MAAM;AAAA;AAAA;AAAA,QAGf,iBAAiB,MAAM,kBAAkB;AAAA;AAAA,QACzC,UAAU,aAAa,QAAQ,MAAM,UAAU;AAAA,QAC/C,QAAQ,WAAW,QAAQ,MAAM,QAAQ;AAAA,QACzC,SAAS;AAAA;AAAA,QACT,YAAY,gBAAgB,QAAQ,MAAM,aAAa;AAAA,QACvD,UAAU,cAAc,QAAQ,MAAM,WAAW;AAAA,QACjD,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA;AAAA,QAC3C,QAAQ,YAAY,QAAQ,MAAM,SAAS;AAAA,QAC3C,aAAa,iBAAiB,QAAQ,MAAM,cAAc;AAAA,QAC1D,UAAU;AAAA,UACR,GAAG,MAAM;AAAA,UACT,WAAW,eAAe,QAAQ,MAAM,YAAY;AAAA,UACpD,cAAc,kBAAkB,QAAQ,MAAM,eAAe;AAAA;AAAA,UAE7D,yBAAyB,CAAC,MAAM;AAAA;AAAA,UAEhC,WAAW;AAAA,QACb;AAAA,MACF;AAEA,YAAM,EAAE,MAAM,IAAI,MAAO,KAAK,SAC3B,KAAK,mBAAmB,EACxB,OAAO,CAAC,UAAU,CAAC;AAEtB,UAAI,OAAO;AAET,eAAO,KAAK,cAAc,iCAAiC;AAAA,UACzD,OAAO,MAAM;AAAA,UACb,MAAM,MAAM;AAAA,UACZ,SAAS,MAAM;AAAA,UACf,MAAM,MAAM;AAAA,UACZ,OAAO;AAAA,QACT,CAAC;AAGD,YAAI,KAAK,iBAAiB;AACxB,eAAK,iBAAiB,OAAO,KAAK;AAAA,QACpC;AAAA,MACF;AAAA,IACF,SAAS,OAAO;AAEd,aAAO,MAAM,cAAc,0CAA0C,KAAK;AAG1E,UAAI,KAAK,iBAAiB;AACxB,aAAK,iBAAiB,OAAO,KAAK;AAAA,MACpC;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,iBAAiB,OAA0B,OAAkB;AACnE,WAAO,MAAM,uBAAuB,yDAAyD;AAAA,MAC3F,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,MAClC;AAAA,MACA,OAAO,OAAO,WAAW;AAAA,IAC3B,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,oBAAoB,OAA+D;AACvF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,qBAAqB,OAAgE;AACzF,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,OAA2D;AAC/E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,cAAc,OAAyD;AAC3E,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN,GAAG;AAAA,IACL,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,mBAAmB,QAAc,QAAgB,KAAgC;AACrF,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,8IAA8I,EACrJ,GAAG,WAAW,MAAM,EACpB,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AAET,YAAM,cACJ,MAAM,SAAS,YAAY,EAAE,SAAS,MAAM,KAC5C,MAAM,SAAS,YAAY,EAAE,SAAS,cAAc,KACpD,MAAM,SAAS,QACd,MAAc,WAAW;AAE5B,UAAI,aAAa;AACf,cAAM,YAAY,IAAI;AAAA,UACpB,sQAGmB,MAAM,WAAW,8BAA8B;AAAA,QACpE;AACA,QAAC,UAAkB,cAAc;AACjC,QAAC,UAAkB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,YAAQ,QAAQ,CAAC,GAAG,IAAI,YAAU;AAAA,MAChC,GAAG;AAAA,MACH,YAAY,MAAM;AAAA,IACpB,EAAE;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,2BAA2B,gBAAsB,QAAgB,KAAgC;AACrG,UAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAChC,KAAK,mBAAmB,EACxB,OAAO,8IAA8I,EACrJ,GAAG,mBAAmB,cAAc,EACpC,MAAM,cAAc,EAAE,WAAW,MAAM,CAAC,EACxC,MAAM,KAAK;AAEd,QAAI,OAAO;AAET,YAAM,cACJ,MAAM,SAAS,YAAY,EAAE,SAAS,MAAM,KAC5C,MAAM,SAAS,YAAY,EAAE,SAAS,cAAc,KACpD,MAAM,SAAS,QACd,MAAc,WAAW;AAE5B,UAAI,aAAa;AACf,cAAM,YAAY,IAAI;AAAA,UACpB,sQAGmB,MAAM,WAAW,8BAA8B;AAAA,QACpE;AACA,QAAC,UAAkB,cAAc;AACjC,QAAC,UAAkB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,YAAM,IAAI,MAAM,+BAA+B,MAAM,OAAO,EAAE;AAAA,IAChE;AAEA,YAAQ,QAAQ,CAAC,GAAG,IAAI,YAAU;AAAA,MAChC,GAAG;AAAA,MACH,YAAY,MAAM;AAAA,IACpB,EAAE;AAAA,EACJ;AACF;AAUO,SAAS,mBACd,UACA,cAAuB,MACvB,aACkB;AAClB,SAAO,IAAI,iBAAiB,UAAU,aAAa,WAAW;AAChE;AAOA,IAAI,qBAA8C;AAO3C,SAAS,sBAAsB,SAAiC;AACrE,uBAAqB;AACvB;AAOO,SAAS,wBAAiD;AAC/D,SAAO;AACT;AAOA,eAAsB,eAAe,OAAyC;AAC5E,MAAI,oBAAoB;AACtB,UAAM,mBAAmB,UAAU,KAAK;AAAA,EAC1C;AACF;","names":[]}