@jmruthers/pace-core 0.6.5 → 0.6.7

package/dist/chunk-G7QEZTYQ.js

@@ -1,2053 +0,0 @@
-import {
-  scopeEqual,
-  useAccessLevel,
-  useCan,
-  useMultiplePermissions,
-  useResolvedScope,
-  useSecureSupabase
-} from "./chunk-HU2C6SSC.js";
-import {
-  useOrganisationSecurity
-} from "./chunk-NTM7ZSB6.js";
-import {
-  useUnifiedAuth
-} from "./chunk-IHB5DR3H.js";
-import {
-  RBACCache,
-  getRBACConfig,
-  getRBACLogger,
-  rbacCache
-} from "./chunk-EFN2EIMK.js";
-import {
-  RBACNotInitializedError
-} from "./chunk-AFVQODI2.js";
-import {
-  createLogger,
-  logger
-} from "./chunk-PWLANIRT.js";
-
-// src/rbac/types/functions.ts
-var RPCFunction = /* @__PURE__ */ ((RPCFunction2) => {
-  RPCFunction2["RBAC_PERMISSION_CHECK"] = "rbac_permission_check";
-  RPCFunction2["RBAC_PERMISSIONS_GET"] = "rbac_permissions_get";
-  RPCFunction2["RBAC_ACCESS_VALIDATE"] = "rbac_access_validate";
-  RPCFunction2["RBAC_PAGE_ACCESS_CHECK"] = "rbac_page_access_check";
-  RPCFunction2["RBAC_ROLE_GRANT"] = "rbac_role_grant";
-  RPCFunction2["RBAC_ROLE_REVOKE"] = "rbac_role_revoke";
-  RPCFunction2["RBAC_ROLES_LIST"] = "rbac_roles_list";
-  RPCFunction2["RBAC_ROLE_VALIDATE"] = "rbac_role_validate";
-  RPCFunction2["RBAC_SESSION_TRACK"] = "rbac_session_track";
-  RPCFunction2["RBAC_AUDIT_LOG"] = "rbac_audit_log";
-  return RPCFunction2;
-})(RPCFunction || {});
-var RBACErrorCode = /* @__PURE__ */ ((RBACErrorCode2) => {
-  RBACErrorCode2["USER_NOT_FOUND"] = "USER_NOT_FOUND";
-  RBACErrorCode2["INVALID_ROLE_TYPE"] = "INVALID_ROLE_TYPE";
-  RBACErrorCode2["INVALID_ROLE_NAME"] = "INVALID_ROLE_NAME";
-  RBACErrorCode2["MISSING_ORGANISATION_ID"] = "MISSING_ORGANISATION_ID";
-  RBACErrorCode2["MISSING_EVENT_APP_CONTEXT"] = "MISSING_EVENT_APP_CONTEXT";
-  RBACErrorCode2["ORGANISATION_NOT_FOUND"] = "ORGANISATION_NOT_FOUND";
-  RBACErrorCode2["EVENT_NOT_FOUND"] = "EVENT_NOT_FOUND";
-  RBACErrorCode2["APP_NOT_FOUND"] = "APP_NOT_FOUND";
-  RBACErrorCode2["INVALID_SESSION_TYPE"] = "INVALID_SESSION_TYPE";
-  RBACErrorCode2["INVALID_EVENT_TYPE"] = "INVALID_EVENT_TYPE";
-  RBACErrorCode2["DATABASE_ERROR"] = "DATABASE_ERROR";
-  RBACErrorCode2["ROLE_NOT_FOUND"] = "ROLE_NOT_FOUND";
-  RBACErrorCode2["USER_NOT_AUTHENTICATED"] = "USER_NOT_AUTHENTICATED";
-  RBACErrorCode2["INVALID_GLOBAL_ROLE"] = "INVALID_GLOBAL_ROLE";
-  RBACErrorCode2["INVALID_ORGANISATION_ROLE"] = "INVALID_ORGANISATION_ROLE";
-  RBACErrorCode2["INVALID_EVENT_APP_ROLE"] = "INVALID_EVENT_APP_ROLE";
-  RBACErrorCode2["INVALID_EVENT_APP_FORMAT"] = "INVALID_EVENT_APP_FORMAT";
-  RBACErrorCode2["MISSING_CONTEXT"] = "MISSING_CONTEXT";
-  RBACErrorCode2["INVALID_CONTEXT"] = "INVALID_CONTEXT";
-  RBACErrorCode2["GRANTED_BY_NOT_FOUND"] = "GRANTED_BY_NOT_FOUND";
-  return RBACErrorCode2;
-})(RBACErrorCode || {});
-
-// src/rbac/components/PagePermissionProvider.tsx
-import { createContext, useContext, useState, useCallback, useMemo, useEffect } from "react";
-import { jsx } from "react/jsx-runtime";
-var log = createLogger("PagePermissionProvider");
-var PagePermissionContext = createContext(null);
-function PagePermissionProvider({
-  children,
-  strictMode = true,
-  auditLog = true,
-  onPageAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3
-}) {
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const [pageAccessHistory, setPageAccessHistory] = useState([]);
-  const [isEnabled, setIsEnabled] = useState(true);
-  const { resolvedScope } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-  const currentScope = resolvedScope;
-  const hasPagePermission = useCallback((pageName, operation, pageId, scope) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    const permission = `${operation}:page.${pageName}`;
-    return false;
-  }, [isEnabled, user?.id, currentScope]);
-  const getPagePermissions = useCallback(() => {
-    if (!isEnabled || !user?.id) return {};
-    return {};
-  }, [isEnabled, user?.id]);
-  const getPageAccessHistory = useCallback(() => {
-    return [...pageAccessHistory];
-  }, [pageAccessHistory]);
-  const clearPageAccessHistory = useCallback(() => {
-    setPageAccessHistory([]);
-  }, []);
-  const recordPageAccess = useCallback((pageName, operation, allowed, pageId, scope) => {
-    if (!auditLog || !user?.id) return;
-    const record = {
-      pageName,
-      operation,
-      userId: user.id,
-      scope: scope || currentScope || { organisationId: "" },
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      pageId
-    };
-    setPageAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    if (onPageAccess) {
-      onPageAccess(pageName, operation, allowed, record);
-    }
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(pageName, operation, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onPageAccess, onStrictModeViolation, strictMode]);
-  const contextValue = useMemo(() => ({
-    hasPagePermission,
-    getPagePermissions,
-    isEnabled,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog,
-    getPageAccessHistory,
-    clearPageAccessHistory
-  }), [
-    hasPagePermission,
-    getPagePermissions,
-    isEnabled,
-    strictMode,
-    auditLog,
-    getPageAccessHistory,
-    clearPageAccessHistory
-  ]);
-  useEffect(() => {
-    if (strictMode && auditLog) {
-      log.debug("Strict mode enabled - all page access attempts will be logged and enforced");
-    }
-  }, [strictMode, auditLog]);
-  return /* @__PURE__ */ jsx(PagePermissionContext.Provider, { value: contextValue, children });
-}
-function usePagePermissions() {
-  const context = useContext(PagePermissionContext);
-  if (!context) {
-    throw new Error("usePagePermissions must be used within a PagePermissionProvider");
-  }
-  return context;
-}
-
-// src/rbac/components/PagePermissionGuard.tsx
-import React2, { useMemo as useMemo2, useEffect as useEffect2, useState as useState2, useRef } from "react";
-import { Fragment, jsx as jsx2, jsxs } from "react/jsx-runtime";
-var PagePermissionGuardComponent = ({
-  pageName,
-  operation,
-  children,
-  fallback = /* @__PURE__ */ jsx2(DefaultAccessDenied, {}),
-  strictMode = true,
-  auditLog = true,
-  pageId,
-  scope,
-  onDenied,
-  loading = /* @__PURE__ */ jsx2(DefaultLoading, {})
-}) => {
-  const renderCountRef = useRef(0);
-  renderCountRef.current += 1;
-  const instanceId = useMemo2(() => Math.random().toString(36).substr(2, 9), []);
-  const { user, selectedOrganisation, selectedEvent, supabase, appId: contextAppId, appName } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState2(false);
-  const hasLoggedSuperAdminRef = useRef(false);
-  const effectivePageId = useMemo2(() => {
-    return pageId || pageName;
-  }, [pageId, pageName]);
-  const [isSuperAdmin, setIsSuperAdmin] = useState2(null);
-  useEffect2(() => {
-    if (!user?.id) {
-      setIsSuperAdmin(false);
-      return;
-    }
-    let cancelled = false;
-    const checkSuperAdmin = async () => {
-      const startTime = Date.now();
-      try {
-        const { isSuperAdmin: checkSuperAdmin2 } = await import("./api-O6HTBX5Y.js");
-        const timeoutPromise = new Promise((_, reject) => {
-          setTimeout(() => reject(new Error("Super admin check timeout")), 1e4);
-        });
-        const isSuper = await Promise.race([
-          checkSuperAdmin2(user.id),
-          timeoutPromise
-        ]);
-        const elapsed = Date.now() - startTime;
-        if (!cancelled) {
-          setIsSuperAdmin(isSuper);
-          if (false) {
-            console.log("[PagePermissionGuard] Super admin check completed", {
-              userId: user.id,
-              isSuperAdmin: isSuper,
-              elapsedMs: elapsed
-            });
-          }
-        }
-      } catch (err) {
-        const elapsed = Date.now() - startTime;
-        if (!cancelled) {
-          console.error("[PagePermissionGuard] Error checking super admin", {
-            error: err,
-            userId: user.id,
-            elapsedMs: elapsed
-          });
-          setIsSuperAdmin(false);
-        }
-      }
-    };
-    checkSuperAdmin();
-    return () => {
-      cancelled = true;
-    };
-  }, [user?.id]);
-  const { resolvedScope: hookResolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-  const shouldBypassScopeForSuperAdmin = isSuperAdmin === true;
-  const allowsOptionalContexts = appName === "PORTAL" || appName === "ADMIN";
-  const effectiveScope = scope || (hookResolvedScope ? {
-    ...hookResolvedScope,
-    appId: hookResolvedScope.appId || (allowsOptionalContexts ? contextAppId : void 0)
-  } : allowsOptionalContexts && contextAppId ? {
-    organisationId: void 0,
-    eventId: void 0,
-    appId: contextAppId
-  } : selectedEvent?.event_id ? {
-    organisationId: void 0,
-    // Will be derived from event
-    eventId: selectedEvent.event_id,
-    appId: contextAppId || void 0
-  } : null);
-  const checkError = scopeError;
-  const permission = useMemo2(() => {
-    return `${operation}:page.${pageName}`;
-  }, [operation, pageName]);
-  const prevScopeRef = useRef(null);
-  const stableScope = useMemo2(() => {
-    if (allowsOptionalContexts && effectiveScope) {
-      const newScope2 = {
-        organisationId: effectiveScope.organisationId,
-        appId: effectiveScope.appId || contextAppId || void 0,
-        eventId: effectiveScope.eventId
-      };
-      if (scopeEqual(prevScopeRef.current, newScope2)) {
-        return prevScopeRef.current;
-      }
-      prevScopeRef.current = newScope2;
-      return newScope2;
-    }
-    const newScope = effectiveScope && effectiveScope.organisationId ? {
-      organisationId: effectiveScope.organisationId,
-      appId: effectiveScope.appId || contextAppId || void 0,
-      eventId: effectiveScope.eventId || void 0
-    } : {
-      organisationId: effectiveScope?.organisationId || void 0,
-      appId: effectiveScope?.appId || contextAppId || void 0,
-      eventId: effectiveScope?.eventId || selectedEvent?.event_id || void 0
-    };
-    if (scopeEqual(prevScopeRef.current, newScope)) {
-      return prevScopeRef.current;
-    }
-    prevScopeRef.current = newScope;
-    return newScope;
-  }, [effectiveScope, appName, contextAppId, selectedEvent?.event_id]);
-  const scopeForPermissionCheck = shouldBypassScopeForSuperAdmin && !stableScope?.organisationId ? {
-    organisationId: void 0,
-    appId: contextAppId || void 0,
-    eventId: selectedEvent?.event_id || void 0
-  } : stableScope;
-  const shouldSkipPermissionCheck = isSuperAdmin === true;
-  const { can, isLoading: canIsLoading, error: canError } = useCan(
-    user?.id || "",
-    shouldSkipPermissionCheck ? { organisationId: void 0, appId: contextAppId || void 0, eventId: void 0 } : scopeForPermissionCheck,
-    permission,
-    effectivePageId,
-    true,
-    // Use cache
-    isSuperAdmin,
-    // precomputedSuperAdmin - null if checking, true/false if checked
-    appName
-    // Pass appName for PORTAL/ADMIN special case
-  );
-  const effectiveCan = shouldSkipPermissionCheck ? true : can;
-  const effectiveIsLoading = shouldSkipPermissionCheck ? false : canIsLoading;
-  const isLoading = shouldBypassScopeForSuperAdmin ? effectiveIsLoading : scopeLoading || effectiveIsLoading;
-  const error = checkError || canError;
-  useEffect2(() => {
-    if (!isLoading && !error) {
-      setHasChecked(true);
-      if (!effectiveCan && onDenied) {
-        onDenied(pageName, operation);
-      }
-    } else if (error) {
-      setHasChecked(true);
-    }
-  }, [effectiveCan, isLoading, error, pageName, operation, onDenied]);
-  useEffect2(() => {
-    if (auditLog && hasChecked && !isLoading) {
-      const rbacLogger = getRBACLogger();
-      rbacLogger.debug("Page access attempt:", {
-        pageName,
-        operation,
-        userId: user?.id,
-        scope: effectiveScope,
-        allowed: effectiveCan,
-        isSuperAdmin,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, effectiveScope, effectiveCan, isSuperAdmin]);
-  useEffect2(() => {
-    if (strictMode && hasChecked && !isLoading && !effectiveCan && !shouldBypassScopeForSuperAdmin) {
-      const logger2 = getRBACLogger();
-      logger2.error(`STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
-        pageName,
-        operation,
-        permission: `${operation}:page.${pageName}`,
-        pageId: effectivePageId,
-        userId: user?.id,
-        scope: effectiveScope,
-        scopeValid: allowsOptionalContexts ? true : effectiveScope !== null,
-        // PORTAL/ADMIN allow scope without org/event
-        checkError,
-        canError,
-        isSuperAdmin,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [strictMode, hasChecked, isLoading, effectiveCan, shouldBypassScopeForSuperAdmin, pageName, operation, effectivePageId, user?.id, effectiveScope, allowsOptionalContexts, checkError, canError, isSuperAdmin]);
-  const hasValidScopeForPagePermissions = shouldBypassScopeForSuperAdmin ? true : allowsOptionalContexts ? true : effectiveScope !== null;
-  const hasValidUser = user && user.id;
-  const isPermissionCheckComplete = hasChecked && !isLoading;
-  const shouldShowAccessDenied = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && !effectiveCan;
-  const shouldShowContent = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && effectiveCan;
-  const scopeKey = effectiveScope ? `${effectiveScope.organisationId}-${effectiveScope.eventId}-${effectiveScope.appId}` : "no-scope";
-  const permissionKey = `${scopeKey}-${can}-${isLoading}-${!!checkError}-${hasChecked}`;
-  const lastLogStateRef = useRef("");
-  useEffect2(() => {
-    if (false) {
-      const currentState = JSON.stringify({
-        pageName,
-        userId: user?.id,
-        isSuperAdmin,
-        isLoading,
-        scopeLoading,
-        canIsLoading,
-        hasChecked,
-        hasValidUser,
-        effectiveCan
-      });
-      if (currentState !== lastLogStateRef.current) {
-        lastLogStateRef.current = currentState;
-        console.log("[PagePermissionGuard] Permission check state", {
-          pageName,
-          userId: user?.id,
-          isSuperAdmin,
-          isLoading,
-          scopeLoading,
-          canIsLoading,
-          hasChecked,
-          hasValidUser,
-          effectiveCan,
-          stableScope,
-          effectiveScope
-        });
-      }
-    }
-  }, [pageName, user?.id, isSuperAdmin, isLoading, scopeLoading, canIsLoading, hasChecked, hasValidUser, effectiveCan, stableScope, effectiveScope]);
-  useEffect2(() => {
-    if (isLoading && isSuperAdmin === null && hasValidUser) {
-      const timeout = setTimeout(() => {
-        console.warn("[PagePermissionGuard] Permission check taking longer than expected", {
-          pageName,
-          userId: user?.id,
-          isSuperAdmin,
-          scopeLoading,
-          canIsLoading,
-          hasChecked,
-          stableScope,
-          effectiveScope,
-          appName
-        });
-      }, 5e3);
-      return () => clearTimeout(timeout);
-    }
-  }, [isLoading, isSuperAdmin, hasValidUser, pageName, user?.id, scopeLoading, canIsLoading, hasChecked, stableScope, effectiveScope, appName]);
-  useEffect2(() => {
-    if (isSuperAdmin === true && hasValidUser && !hasLoggedSuperAdminRef.current && false) {
-      hasLoggedSuperAdminRef.current = true;
-      console.log("[PagePermissionGuard] Super admin access granted - bypassing all checks", {
-        pageName,
-        userId: user?.id,
-        operation
-      });
-    }
-    if (isSuperAdmin !== true) {
-      hasLoggedSuperAdminRef.current = false;
-    }
-  }, [isSuperAdmin, hasValidUser, pageName, user?.id, operation]);
-  if (isSuperAdmin === true && hasValidUser) {
-    return /* @__PURE__ */ jsx2(Fragment, { children });
-  }
-  if (isLoading || !hasValidUser || !hasChecked || isSuperAdmin === null) {
-    return loading || /* @__PURE__ */ jsx2("div", { children: "Checking permissions..." });
-  }
-  if (checkError && !can) {
-    return fallback;
-  }
-  if (shouldShowAccessDenied) {
-    return fallback;
-  }
-  if (shouldShowContent) {
-    return /* @__PURE__ */ jsx2(Fragment, { children });
-  }
-  return fallback;
-};
-function DefaultAccessDenied() {
-  return /* @__PURE__ */ jsxs("div", { className: "flex flex-col items-center justify-center min-h-[200px] p-8 text-center", children: [
-    /* @__PURE__ */ jsx2("div", { className: "mb-4", children: /* @__PURE__ */ jsx2("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx2("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
-    /* @__PURE__ */ jsx2("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
-    /* @__PURE__ */ jsx2("p", { className: "text-sec-600 mb-4", children: "You don't have permission to access this page." }),
-    /* @__PURE__ */ jsx2(
-      "button",
-      {
-        onClick: () => window.history.back(),
-        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
-        children: "Go Back"
-      }
-    )
-  ] });
-}
-function DefaultLoading() {
-  return /* @__PURE__ */ jsx2("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx2("div", { className: "animate-spin rounded-full size-8 border-b-2 border-main-600" }),
-    /* @__PURE__ */ jsx2("span", { className: "text-sec-600", children: "Checking permissions..." })
-  ] }) });
-}
-var PagePermissionGuard = React2.memo(PagePermissionGuardComponent);
-
-// src/rbac/components/SecureDataProvider.tsx
-import { createContext as createContext2, useContext as useContext2, useState as useState3, useCallback as useCallback3, useMemo as useMemo3, useEffect as useEffect3 } from "react";
-import { jsx as jsx3 } from "react/jsx-runtime";
-var SecureDataContext = createContext2(null);
-function SecureDataProvider({
-  children,
-  strictMode = true,
-  auditLog = true,
-  onDataAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3,
-  enforceRLS = true
-}) {
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const secureSupabase = useSecureSupabase(supabase);
-  const { superAdminContext } = useOrganisationSecurity();
-  const [dataAccessHistory, setDataAccessHistory] = useState3([]);
-  const [isEnabled, setIsEnabled] = useState3(true);
-  const { resolvedScope } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-  const validateContext = useCallback3(() => {
-    if (!secureSupabase) {
-      throw new Error("No Supabase client available");
-    }
-    if (!user) {
-      throw new Error("User must be authenticated");
-    }
-    if (!superAdminContext.isSuperAdmin && !resolvedScope?.organisationId) {
-      throw new Error("Organisation context is required for data access");
-    }
-  }, [secureSupabase, user, superAdminContext.isSuperAdmin, resolvedScope?.organisationId]);
-  const currentScope = resolvedScope;
-  const isDataAccessAllowed = useCallback3((table, operation, scope) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    const permission = `${operation}:data.${table}`;
-    return true;
-  }, [isEnabled, user?.id, currentScope]);
-  const getDataAccessPermissions = useCallback3(() => {
-    if (!isEnabled || !user?.id) return {};
-    return {};
-  }, [isEnabled, user?.id]);
-  const getDataAccessHistory = useCallback3(() => {
-    return [...dataAccessHistory];
-  }, [dataAccessHistory]);
-  const clearDataAccessHistory = useCallback3(() => {
-    setDataAccessHistory([]);
-  }, []);
-  const validateDataAccess = useCallback3((table, operation, scope) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    const effectiveScope = scope || currentScope;
-    if (!effectiveScope) return false;
-    try {
-      validateContext();
-    } catch (error) {
-      const logger2 = getRBACLogger();
-      logger2.error("Organisation context validation failed:", error);
-      return false;
-    }
-    return isDataAccessAllowed(table, operation, effectiveScope);
-  }, [isEnabled, user?.id, currentScope, validateContext, isDataAccessAllowed]);
-  const recordDataAccess = useCallback3((table, operation, allowed, query, filters, scope) => {
-    if (!auditLog || !user?.id) return;
-    const record = {
-      table,
-      operation,
-      userId: user.id,
-      scope: scope || currentScope || { organisationId: "" },
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      query,
-      filters
-    };
-    setDataAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    if (onDataAccess) {
-      onDataAccess(table, operation, allowed, record);
-    }
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(table, operation, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onDataAccess, onStrictModeViolation, strictMode]);
-  const contextValue = useMemo3(() => ({
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isEnabled,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  }), [
-    isDataAccessAllowed,
-    getDataAccessPermissions,
-    isEnabled,
-    strictMode,
-    auditLog,
-    getDataAccessHistory,
-    clearDataAccessHistory,
-    validateDataAccess
-  ]);
-  useEffect3(() => {
-    if (strictMode && auditLog) {
-      const logger2 = getRBACLogger();
-      logger2.debug("Strict mode enabled - all data access attempts will be logged and enforced");
-    }
-  }, [strictMode, auditLog]);
-  useEffect3(() => {
-    if (enforceRLS && auditLog) {
-      const logger2 = getRBACLogger();
-    }
-  }, [enforceRLS, auditLog]);
-  return /* @__PURE__ */ jsx3(SecureDataContext.Provider, { value: contextValue, children });
-}
-function useSecureData() {
-  const context = useContext2(SecureDataContext);
-  if (!context) {
-    throw new Error("useSecureData must be used within a SecureDataProvider");
-  }
-  return context;
-}
-
-// src/rbac/components/PermissionEnforcer.tsx
-import { useMemo as useMemo4, useEffect as useEffect4, useState as useState4, useRef as useRef2 } from "react";
-import { Fragment as Fragment2, jsx as jsx4, jsxs as jsxs2 } from "react/jsx-runtime";
-var log2 = createLogger("PermissionEnforcer");
-function PermissionEnforcer({
-  permissions,
-  operation,
-  children,
-  fallback = /* @__PURE__ */ jsx4(DefaultAccessDenied2, {}),
-  strictMode = true,
-  auditLog = true,
-  scope,
-  onDenied,
-  loading = /* @__PURE__ */ jsx4(DefaultLoading2, {}),
-  requireAll = true
-}) {
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState4(false);
-  const { resolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-  const scopeToUse = scope || resolvedScope;
-  const scopeOrgId = scopeToUse?.organisationId || "";
-  const scopeEventId = scopeToUse?.eventId || void 0;
-  const scopeAppId = scopeToUse?.appId || void 0;
-  const effectiveScope = useMemo4(() => {
-    const newScope = {};
-    if (scopeOrgId) {
-      newScope.organisationId = scopeOrgId;
-    }
-    if (scopeEventId) {
-      newScope.eventId = scopeEventId;
-    }
-    if (scopeAppId) {
-      newScope.appId = scopeAppId;
-    }
-    return newScope;
-  }, [scopeOrgId, scopeEventId, scopeAppId]);
-  const checkError = scopeError;
-  const { results: permissionResults, isLoading: permissionsLoading, error: permissionsError } = useMultiplePermissions(
-    user?.id || "",
-    effectiveScope || { eventId: selectedEvent?.event_id || void 0 },
-    permissions,
-    true
-    // Use cache
-  );
-  const isLoading = scopeLoading || permissionsLoading;
-  const error = checkError || permissionsError;
-  const hasRequiredPermissions = useMemo4(() => {
-    if (permissions.length === 0) return true;
-    if (!permissionResults || Object.keys(permissionResults).length === 0) {
-      return false;
-    }
-    if (requireAll) {
-      return Object.values(permissionResults).every((result) => result === true);
-    } else {
-      return Object.values(permissionResults).some((result) => result === true);
-    }
-  }, [permissions, permissionResults, requireAll]);
-  useEffect4(() => {
-    if (!isLoading && !error) {
-      setHasChecked(true);
-      if (!hasRequiredPermissions && onDenied) {
-        onDenied(permissions, operation);
-      }
-    } else if (error) {
-      setHasChecked(true);
-    }
-  }, [hasRequiredPermissions, isLoading, error, permissions, operation, onDenied]);
-  const permissionsKey = permissions.join(",");
-  const lastLoggedKeyRef = useRef2(null);
-  useEffect4(() => {
-    if (auditLog && hasChecked && !isLoading) {
-      const logKey = `${operation}-${user?.id}-${permissionsKey}-${hasRequiredPermissions}-${scopeOrgId}-${scopeEventId}-${scopeAppId}`;
-      if (lastLoggedKeyRef.current !== logKey) {
-        lastLoggedKeyRef.current = logKey;
-        log2.debug("Permission check attempt:", {
-          permissions,
-          operation,
-          userId: user?.id,
-          scope: effectiveScope,
-          allowed: hasRequiredPermissions,
-          requireAll,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        });
-      }
-    }
-  }, [auditLog, hasChecked, isLoading, permissionsKey, operation, user?.id, scopeOrgId, scopeEventId, scopeAppId, hasRequiredPermissions]);
-  useEffect4(() => {
-    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
-      const logger2 = getRBACLogger();
-      logger2.error(`STRICT MODE VIOLATION: User attempted to perform operation without permission`, {
-        permissions,
-        operation,
-        userId: user?.id,
-        scope: effectiveScope,
-        requireAll,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, permissions, operation, user?.id, effectiveScope, requireAll]);
-  if (isLoading || !hasChecked) {
-    return /* @__PURE__ */ jsx4(Fragment2, { children: loading });
-  }
-  if (checkError) {
-    const logger2 = getRBACLogger();
-    logger2.error(`Permission check failed for operation ${operation}:`, checkError);
-    return /* @__PURE__ */ jsx4(Fragment2, { children: fallback });
-  }
-  if (!hasRequiredPermissions) {
-    return /* @__PURE__ */ jsx4(Fragment2, { children: fallback });
-  }
-  return /* @__PURE__ */ jsx4(Fragment2, { children });
-}
-function DefaultAccessDenied2() {
-  return /* @__PURE__ */ jsxs2("div", { className: "flex flex-col items-center justify-center min-h-[200px] p-8 text-center", children: [
-    /* @__PURE__ */ jsx4("div", { className: "mb-4", children: /* @__PURE__ */ jsx4("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx4("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
-    /* @__PURE__ */ jsx4("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
-    /* @__PURE__ */ jsx4("p", { className: "text-sec-600 mb-4", children: "You don't have permission to perform this operation." }),
-    /* @__PURE__ */ jsx4(
-      "button",
-      {
-        onClick: () => window.history.back(),
-        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
-        children: "Go Back"
-      }
-    )
-  ] });
-}
-function DefaultLoading2() {
-  return /* @__PURE__ */ jsx4("div", { className: "flex items-center justify-center min-h-[200px] p-8", children: /* @__PURE__ */ jsxs2("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx4("div", { className: "animate-spin rounded-full size-8 border-b-2 border-main-600" }),
-    /* @__PURE__ */ jsx4("span", { className: "text-sec-600", children: "Checking permissions..." })
-  ] }) });
-}
-
-// src/rbac/components/RoleBasedRouter.tsx
-import { useMemo as useMemo5, useCallback as useCallback5, useEffect as useEffect5, useState as useState5, createContext as createContext3, useContext as useContext3 } from "react";
-import { useLocation, useNavigate, Outlet } from "react-router-dom";
-import { jsx as jsx5, jsxs as jsxs3 } from "react/jsx-runtime";
-var RoleBasedRouterContext = createContext3(null);
-function RoleBasedRouter({
-  routes,
-  fallbackRoute = "/unauthorized",
-  children,
-  strictMode = true,
-  auditLog = true,
-  onRouteAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3,
-  unauthorizedComponent: UnauthorizedComponent = DefaultUnauthorizedComponent
-}) {
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const location = useLocation();
-  const navigate = useNavigate();
-  const [routeAccessHistory, setRouteAccessHistory] = useState5([]);
-  const [currentRoute, setCurrentRoute] = useState5("");
-  const { resolvedScope } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-  const currentScope = resolvedScope;
-  const currentRouteConfig = useMemo5(() => {
-    const currentPath = location.pathname;
-    return routes.find((route) => route.path === currentPath) || null;
-  }, [routes, location.pathname]);
-  const canAccessRoute = useCallback5((path) => {
-    if (!user?.id || !currentScope) return false;
-    const routeConfig = routes.find((route) => route.path === path);
-    if (!routeConfig) return false;
-    return true;
-  }, [user?.id, currentScope, routes]);
-  const { can: canAccessCurrentRoute, isLoading: permissionLoading } = useCan(
-    user?.id || "",
-    currentScope || { organisationId: "", eventId: void 0, appId: void 0 },
-    currentRouteConfig?.permissions?.[0] || "read:page",
-    currentRouteConfig?.pageId,
-    true,
-    // useCache
-    null,
-    // precomputedSuperAdmin - not checked yet
-    void 0
-    // appName
-  );
-  const isPublicRoute = currentRouteConfig?.public === true;
-  const hasPermissions = currentRouteConfig?.permissions && currentRouteConfig.permissions.length > 0;
-  const finalCanAccess = isPublicRoute ? true : hasPermissions ? canAccessCurrentRoute : false;
-  const finalLoading = isPublicRoute ? false : hasPermissions ? permissionLoading : false;
-  const getAccessibleRoutes = useCallback5(() => {
-    if (!user?.id || !currentScope) return [];
-    return routes.filter((route) => canAccessRoute(route.path));
-  }, [user?.id, currentScope, routes, canAccessRoute]);
-  const getRouteConfig = useCallback5((path) => {
-    return routes.find((route) => route.path === path) || null;
-  }, [routes]);
-  const getRouteAccessHistory = useCallback5(() => {
-    return [...routeAccessHistory];
-  }, [routeAccessHistory]);
-  const clearRouteAccessHistory = useCallback5(() => {
-    setRouteAccessHistory([]);
-  }, []);
-  const recordRouteAccess = useCallback5((route, allowed, routeConfig) => {
-    if (!auditLog || !user?.id || !currentScope) return;
-    const record = {
-      route,
-      permissions: routeConfig.permissions,
-      userId: user.id,
-      scope: currentScope,
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      pageId: routeConfig.pageId,
-      roles: routeConfig.roles,
-      accessLevel: routeConfig.accessLevel
-    };
-    setRouteAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    if (onRouteAccess) {
-      onRouteAccess(route, allowed, record);
-    }
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(route, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onRouteAccess, onStrictModeViolation, strictMode]);
-  useEffect5(() => {
-    const currentPath = location.pathname;
-    setCurrentRoute(currentPath);
-    if (!currentRouteConfig) {
-      if (strictMode) {
-        const logger2 = getRBACLogger();
-        logger2.error(`STRICT MODE VIOLATION: Route not found in configuration`, {
-          route: currentPath,
-          userId: user?.id,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        });
-        if (onStrictModeViolation) {
-          onStrictModeViolation(currentPath, {
-            route: currentPath,
-            permissions: [],
-            userId: user?.id || "",
-            scope: currentScope || { organisationId: "" },
-            allowed: false,
-            timestamp: (/* @__PURE__ */ new Date()).toISOString()
-          });
-        }
-      }
-      return;
-    }
-    const allowed = finalCanAccess;
-    recordRouteAccess(currentPath, allowed, currentRouteConfig);
-    if (!allowed && !isPublicRoute) {
-      navigate(fallbackRoute, { replace: true });
-    }
-  }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute, isPublicRoute]);
-  const contextValue = useMemo5(() => ({
-    getAccessibleRoutes,
-    canAccessRoute,
-    getRouteConfig,
-    getRouteAccessHistory,
-    clearRouteAccessHistory,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog
-  }), [
-    getAccessibleRoutes,
-    canAccessRoute,
-    getRouteConfig,
-    getRouteAccessHistory,
-    clearRouteAccessHistory,
-    strictMode,
-    auditLog
-  ]);
-  if (finalLoading && !isPublicRoute) {
-    return /* @__PURE__ */ jsx5("div", { className: "flex items-center justify-center min-h-screen", children: /* @__PURE__ */ jsxs3("div", { className: "text-center", children: [
-      /* @__PURE__ */ jsx5("div", { className: "animate-spin rounded-full size-8 border-b-2 border-main-600 mx-auto mb-4" }),
-      /* @__PURE__ */ jsx5("p", { className: "text-sec-600", children: "Checking permissions..." })
-    ] }) });
-  }
-  if (currentRouteConfig && !finalCanAccess && !isPublicRoute) {
-    return /* @__PURE__ */ jsx5(
-      UnauthorizedComponent,
-      {
-        route: currentRoute,
-        reason: "Insufficient permissions"
-      }
-    );
-  }
-  return /* @__PURE__ */ jsxs3(RoleBasedRouterContext.Provider, { value: contextValue, children: [
-    children,
-    /* @__PURE__ */ jsx5(Outlet, {})
-  ] });
-}
-function useRoleBasedRouter() {
-  const context = useContext3(RoleBasedRouterContext);
-  if (!context) {
-    throw new Error("useRoleBasedRouter must be used within a RoleBasedRouter");
-  }
-  return context;
-}
-function DefaultUnauthorizedComponent({ route, reason }) {
-  return /* @__PURE__ */ jsxs3("div", { className: "flex flex-col items-center justify-center min-h-screen p-8 text-center", children: [
-    /* @__PURE__ */ jsx5("div", { className: "mb-4", children: /* @__PURE__ */ jsx5("svg", { className: "w-16 h-16 text-acc-500 mx-auto", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx5("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }) }),
-    /* @__PURE__ */ jsx5("h2", { className: "text-xl font-semibold text-sec-900 mb-2", children: "Access Denied" }),
-    /* @__PURE__ */ jsxs3("p", { className: "text-sec-600 mb-4", children: [
-      "You don't have permission to access ",
-      /* @__PURE__ */ jsx5("code", { className: "bg-sec-100 px-2 py-1 rounded", children: route })
-    ] }),
-    /* @__PURE__ */ jsxs3("p", { className: "text-sm text-sec-500 mb-4", children: [
-      "Reason: ",
-      reason
-    ] }),
-    /* @__PURE__ */ jsx5(
-      "button",
-      {
-        onClick: () => window.history.back(),
-        className: "px-4 py-2 bg-main-600 text-main-50 rounded-md hover:bg-main-700 transition-colors",
-        children: "Go Back"
-      }
-    )
-  ] });
-}
-
-// src/rbac/components/NavigationProvider.tsx
-import { createContext as createContext4, useContext as useContext4, useState as useState6, useCallback as useCallback6, useMemo as useMemo6, useEffect as useEffect6 } from "react";
-import { jsx as jsx6 } from "react/jsx-runtime";
-var NavigationContext = createContext4(null);
-function NavigationProvider({
-  children,
-  strictMode = true,
-  auditLog = true,
-  onNavigationAccess,
-  onStrictModeViolation,
-  maxHistorySize = 1e3
-}) {
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const [navigationAccessHistory, setNavigationAccessHistory] = useState6([]);
-  const [isEnabled, setIsEnabled] = useState6(true);
-  const { resolvedScope } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-  const currentScope = resolvedScope;
-  const hasNavigationPermission = useCallback6((item) => {
-    if (!isEnabled) return true;
-    if (!user?.id) return false;
-    if (!currentScope) return false;
-    if (!item.permissions || item.permissions.length === 0) {
-      logger.warn("NavigationProvider", `Navigation item "${item.id}" has no permissions defined - denying access`);
-      return false;
-    }
-    const permission = item.permissions[0];
-    const { can, error } = useCan(
-      user.id,
-      currentScope,
-      permission,
-      item.pageId,
-      true,
-      // useCache
-      null,
-      // precomputedSuperAdmin - not checked yet
-      void 0
-      // appName
-    );
-    if (error) {
-      logger.warn("NavigationProvider", `Permission check error for "${item.id}": ${error.message} - allowing access for graceful degradation`);
-      return true;
-    }
-    return can;
-  }, [isEnabled, user?.id, currentScope]);
-  const getNavigationPermissions = useCallback6(() => {
-    if (!isEnabled || !user?.id) return {};
-    return {};
-  }, [isEnabled, user?.id]);
-  const getFilteredNavigationItems = useCallback6((items) => {
-    if (!isEnabled) return items;
-    return items.filter((item) => hasNavigationPermission(item));
-  }, [isEnabled, hasNavigationPermission]);
-  const getNavigationAccessHistory = useCallback6(() => {
-    return [...navigationAccessHistory];
-  }, [navigationAccessHistory]);
-  const clearNavigationAccessHistory = useCallback6(() => {
-    setNavigationAccessHistory([]);
-  }, []);
-  const recordNavigationAccess = useCallback6((item, allowed) => {
-    if (!auditLog || !user?.id || !currentScope) return;
-    const record = {
-      navigationItem: item.id,
-      permissions: item.permissions,
-      userId: user.id,
-      scope: currentScope,
-      allowed,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      pageId: item.pageId,
-      roles: item.roles,
-      accessLevel: item.accessLevel
-    };
-    setNavigationAccessHistory((prev) => {
-      const newHistory = [record, ...prev];
-      return newHistory.slice(0, maxHistorySize);
-    });
-    if (onNavigationAccess) {
-      onNavigationAccess(item, allowed, record);
-    }
-    if (strictMode && !allowed && onStrictModeViolation) {
-      onStrictModeViolation(item, record);
-    }
-  }, [auditLog, user?.id, currentScope, maxHistorySize, onNavigationAccess, onStrictModeViolation, strictMode]);
-  const contextValue = useMemo6(() => ({
-    hasNavigationPermission,
-    getNavigationPermissions,
-    getFilteredNavigationItems,
-    isEnabled,
-    isStrictMode: strictMode,
-    isAuditLogEnabled: auditLog,
-    getNavigationAccessHistory,
-    clearNavigationAccessHistory
-  }), [
-    hasNavigationPermission,
-    getNavigationPermissions,
-    getFilteredNavigationItems,
-    isEnabled,
-    strictMode,
-    auditLog,
-    getNavigationAccessHistory,
-    clearNavigationAccessHistory
-  ]);
-  useEffect6(() => {
-    if (strictMode && auditLog) {
-      const logger2 = getRBACLogger();
-    }
-  }, [strictMode, auditLog]);
-  return /* @__PURE__ */ jsx6(NavigationContext.Provider, { value: contextValue, children });
-}
-function useNavigationPermissions() {
-  const context = useContext4(NavigationContext);
-  if (!context) {
-    throw new Error("useNavigationPermissions must be used within a NavigationProvider");
-  }
-  return context;
-}
-
-// src/rbac/components/NavigationGuard.tsx
-import { useMemo as useMemo7, useEffect as useEffect7, useState as useState7 } from "react";
-import { Fragment as Fragment3, jsx as jsx7, jsxs as jsxs4 } from "react/jsx-runtime";
-function NavigationGuard({
-  navigationItem,
-  children,
-  fallback = /* @__PURE__ */ jsx7(DefaultAccessDenied3, {}),
-  strictMode = true,
-  auditLog = true,
-  scope,
-  onDenied,
-  loading = /* @__PURE__ */ jsx7(DefaultLoading3, {}),
-  requireAll = true
-}) {
-  const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const [hasChecked, setHasChecked] = useState7(false);
-  const { resolvedScope: hookResolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null
-  });
-  const effectiveScope = scope || hookResolvedScope;
-  const checkError = scopeError;
-  const { results: permissionResults, isLoading: permissionsLoading, error: permissionsError } = useMultiplePermissions(
-    user?.id || "",
-    effectiveScope || { eventId: selectedEvent?.event_id || void 0 },
-    navigationItem.permissions || [],
-    true
-    // Use cache
-  );
-  const isLoading = scopeLoading || permissionsLoading;
-  const error = checkError || permissionsError;
-  const hasRequiredPermissions = useMemo7(() => {
-    if (!navigationItem.permissions || navigationItem.permissions.length === 0) return true;
-    if (requireAll) {
-      return Object.values(permissionResults).every((result) => result === true);
-    } else {
-      return Object.values(permissionResults).some((result) => result === true);
-    }
-  }, [navigationItem.permissions, permissionResults, requireAll]);
-  useEffect7(() => {
-    if (!isLoading && !error) {
-      setHasChecked(true);
-      if (!hasRequiredPermissions && onDenied) {
-        onDenied(navigationItem);
-      }
-    } else if (error) {
-      setHasChecked(true);
-    }
-  }, [hasRequiredPermissions, isLoading, error, navigationItem, onDenied]);
-  useEffect7(() => {
-    if (auditLog && hasChecked && !isLoading) {
-    }
-  }, [auditLog, hasChecked, isLoading, navigationItem, user?.id, effectiveScope, hasRequiredPermissions, requireAll]);
-  useEffect7(() => {
-    if (strictMode && hasChecked && !isLoading && !hasRequiredPermissions) {
-      const logger2 = getRBACLogger();
-      logger2.error(`STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
-        navigationItem: navigationItem.id,
-        permissions: navigationItem.permissions,
-        userId: user?.id,
-        scope: effectiveScope,
-        requireAll,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [strictMode, hasChecked, isLoading, hasRequiredPermissions, navigationItem, user?.id, effectiveScope, requireAll]);
-  if (isLoading || !effectiveScope || !hasChecked) {
-    return /* @__PURE__ */ jsx7(Fragment3, { children: loading });
-  }
-  if (checkError) {
-    const logger2 = getRBACLogger();
-    logger2.error(`Permission check failed for navigation item ${navigationItem.id}:`, checkError);
-    return /* @__PURE__ */ jsx7(Fragment3, { children: fallback });
-  }
-  if (!hasRequiredPermissions) {
-    return /* @__PURE__ */ jsx7(Fragment3, { children: fallback });
-  }
-  return /* @__PURE__ */ jsx7(Fragment3, { children });
-}
-function DefaultAccessDenied3() {
-  return /* @__PURE__ */ jsx7("div", { className: "flex items-center justify-center p-2 text-center", children: /* @__PURE__ */ jsxs4("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx7("svg", { className: "w-4 h-4 text-acc-500", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24", children: /* @__PURE__ */ jsx7("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-2.5L13.732 4c-.77-.833-1.964-.833-2.732 0L3.732 16.5c-.77.833.192 2.5 1.732 2.5z" }) }),
-    /* @__PURE__ */ jsx7("span", { className: "text-sm text-sec-600", children: "Access Denied" })
-  ] }) });
-}
-function DefaultLoading3() {
-  return /* @__PURE__ */ jsx7("div", { className: "flex items-center justify-center p-2", children: /* @__PURE__ */ jsxs4("div", { className: "flex items-center space-x-2", children: [
-    /* @__PURE__ */ jsx7("div", { className: "animate-spin rounded-full size-4 border-b-2 border-main-600" }),
-    /* @__PURE__ */ jsx7("span", { className: "text-sm text-sec-600", children: "Checking..." })
-  ] }) });
-}
-var NavigationGuard_default = NavigationGuard;
-
-// src/rbac/components/EnhancedNavigationMenu.tsx
-import { useMemo as useMemo8, useCallback as useCallback8, useEffect as useEffect8, useState as useState8 } from "react";
-import { jsx as jsx8, jsxs as jsxs5 } from "react/jsx-runtime";
-function EnhancedNavigationMenu({
-  items,
-  strictMode = true,
-  auditLog = true,
-  onNavigationAccess,
-  onStrictModeViolation,
-  className = "flex flex-col space-y-1",
-  itemClassName = "px-3 py-2 rounded-md text-sm font-medium transition-colors",
-  activeItemClassName = "bg-main-100 text-main-700",
-  disabledItemClassName = "text-sec-400 cursor-not-allowed",
-  hideUnauthorizedItems = false,
-  renderItem,
-  activePath,
-  onItemClick
-}) {
-  const {
-    hasNavigationPermission,
-    getFilteredNavigationItems,
-    isEnabled,
-    isStrictMode,
-    isAuditLogEnabled
-  } = useNavigationPermissions();
-  const [navigationHistory, setNavigationHistory] = useState8([]);
-  const filteredItems = useMemo8(() => {
-    if (!isEnabled) return items;
-    return getFilteredNavigationItems(items);
-  }, [isEnabled, items, getFilteredNavigationItems]);
-  const handleNavigationAccess = useCallback8((item, allowed) => {
-    if (onNavigationAccess) {
-      onNavigationAccess(item, allowed);
-    }
-    if (auditLog) {
-      const logger2 = getRBACLogger();
-      logger2.debug("Navigation access attempt:", {
-        item: item.id,
-        allowed,
-        strictMode,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [onNavigationAccess, auditLog, strictMode]);
-  const handleStrictModeViolation = useCallback8((item) => {
-    if (onStrictModeViolation) {
-      onStrictModeViolation(item);
-    }
-    if (strictMode) {
-      const logger2 = getRBACLogger();
-      logger2.error(`STRICT MODE VIOLATION: User attempted to access protected navigation item without permission`, {
-        item: item.id,
-        path: item.path,
-        permissions: item.permissions,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-  }, [onStrictModeViolation, strictMode]);
-  const handleItemClick = useCallback8((item) => {
-    const isAuthorized = hasNavigationPermission(item);
-    handleNavigationAccess(item, isAuthorized);
-    if (onItemClick) {
-      onItemClick(item);
-    }
-    if (auditLog) {
-    }
-    setNavigationHistory((prev) => {
-      const newHistory = [item, ...prev.filter((i) => i.id !== item.id)];
-      return newHistory.slice(0, 10);
-    });
-  }, [onItemClick, auditLog, hasNavigationPermission, handleNavigationAccess]);
-  const defaultRenderItem = useCallback8((item, isAuthorized) => {
-    const isActive = activePath === item.path;
-    const isDisabled = !isAuthorized;
-    return /* @__PURE__ */ jsx8(
-      NavigationGuard_default,
-      {
-        navigationItem: item,
-        strictMode,
-        auditLog,
-        onDenied: handleStrictModeViolation,
-        fallback: hideUnauthorizedItems ? null : /* @__PURE__ */ jsx8("div", { className: `${itemClassName} ${disabledItemClassName}`, children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
-          item.meta?.icon && /* @__PURE__ */ jsx8("span", { className: "text-sm", children: item.meta.icon }),
-          /* @__PURE__ */ jsx8("span", { children: item.label }),
-          /* @__PURE__ */ jsx8("span", { className: "text-xs text-sec-400", children: "(Access Denied)" })
-        ] }) }),
-        children: /* @__PURE__ */ jsx8(
-          "button",
-          {
-            onClick: () => handleItemClick(item),
-            className: `${itemClassName} ${isActive ? activeItemClassName : ""} ${isDisabled ? disabledItemClassName : "hover:bg-sec-100"}`,
-            disabled: isDisabled,
-            children: /* @__PURE__ */ jsxs5("div", { className: "flex items-center space-x-2", children: [
-              item.meta?.icon && /* @__PURE__ */ jsx8("span", { className: "text-sm", children: item.meta.icon }),
-              /* @__PURE__ */ jsx8("span", { children: item.label }),
-              item.meta?.description && /* @__PURE__ */ jsx8("span", { className: "text-xs text-sec-500 ml-auto", children: item.meta.description })
-            ] })
-          }
-        )
-      },
-      item.id
-    );
-  }, [
-    activePath,
-    itemClassName,
-    activeItemClassName,
-    disabledItemClassName,
-    hideUnauthorizedItems,
-    strictMode,
-    auditLog,
-    handleStrictModeViolation,
-    handleItemClick
-  ]);
-  useEffect8(() => {
-    if (strictMode && auditLog) {
-      const logger2 = getRBACLogger();
-    }
-  }, [strictMode, auditLog]);
-  useEffect8(() => {
-    if (auditLog) {
-    }
-  }, [items.length, filteredItems.length, strictMode, auditLog]);
-  return /* @__PURE__ */ jsx8("nav", { className, children: filteredItems.map((item) => {
-    const isAuthorized = hasNavigationPermission(item);
-    if (renderItem) {
-      return renderItem(item, isAuthorized);
-    }
-    return defaultRenderItem(item, isAuthorized);
-  }) });
-}
-
-// src/rbac/adapters.tsx
-import { Fragment as Fragment4, jsx as jsx9 } from "react/jsx-runtime";
-function PermissionGuard({
-  userId,
-  scope,
-  permission,
-  pageId,
-  children,
-  fallback = null,
-  onDenied,
-  loading = null,
-  // NEW: Phase 1 - Enhanced Security Features
-  strictMode = true,
-  auditLog = true,
-  enforceAudit = true
-}) {
-  const logger2 = getRBACLogger();
-  let authContext = null;
-  try {
-    authContext = useUnifiedAuth();
-  } catch (error2) {
-    if (error2 instanceof Error && error2.message.includes("must be used within")) {
-      authContext = null;
-    } else {
-      throw error2;
-    }
-  }
-  const effectiveUserId = userId ?? authContext?.user?.id ?? null;
-  const { can, isLoading, error } = useCan(
-    effectiveUserId || "",
-    scope,
-    permission,
-    pageId,
-    true,
-    // useCache
-    null,
-    // precomputedSuperAdmin - not checked yet
-    void 0
-    // appName
-  );
-  if (!effectiveUserId) {
-    logger2.error("PermissionGuard: No userId provided and could not infer from context");
-    return fallback ?? null;
-  }
-  if (isLoading) {
-    return loading || /* @__PURE__ */ jsx9("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx9("span", { className: "sr-only", children: "Checking permissions..." }) });
-  }
-  if (error) {
-    logger2.error("Permission check failed:", error);
-    if (auditLog) {
-    }
-    return fallback;
-  }
-  if (!can) {
-    if (auditLog) {
-    }
-    if (strictMode) {
-      logger2.error(`[PermissionGuard] STRICT MODE VIOLATION: User attempted to access protected resource without permission`, {
-        userId: effectiveUserId,
-        scope,
-        permission,
-        pageId,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString()
-      });
-    }
-    if (onDenied) {
-      onDenied();
-    }
-    return /* @__PURE__ */ jsx9(Fragment4, { children: fallback });
-  }
-  if (auditLog) {
-  }
-  return /* @__PURE__ */ jsx9(Fragment4, { children });
-}
-function AccessLevelGuard({
-  userId,
-  scope,
-  minLevel,
-  children,
-  fallback = null,
-  loading = null
-}) {
-  const logger2 = getRBACLogger();
-  let authContext = null;
-  try {
-    authContext = useUnifiedAuth();
-  } catch (error2) {
-    if (error2 instanceof Error && error2.message.includes("must be used within")) {
-      authContext = null;
-    } else {
-      throw error2;
-    }
-  }
-  const effectiveUserId = userId ?? authContext?.user?.id ?? null;
-  const { accessLevel, isLoading, error } = useAccessLevel(effectiveUserId || "", scope);
-  if (!effectiveUserId) {
-    logger2.error("AccessLevelGuard: No userId provided and could not infer from context");
-    return fallback ?? null;
-  }
-  if (isLoading) {
-    return loading || /* @__PURE__ */ jsx9("div", { className: "rbac-loading", role: "status", "aria-live": "polite", children: /* @__PURE__ */ jsx9("span", { className: "sr-only", children: "Checking access level..." }) });
-  }
-  if (error) {
-    logger2.error("Access level check failed:", error);
-    return fallback;
-  }
-  const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
-  const userLevelIndex = accessLevel ? levelHierarchy.indexOf(accessLevel) : -1;
-  const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
-  if (userLevelIndex < requiredLevelIndex) {
-    return /* @__PURE__ */ jsx9(Fragment4, { children: fallback });
-  }
-  return /* @__PURE__ */ jsx9(Fragment4, { children });
-}
-function withPermissionGuard(config, handler) {
-  return async (...args) => {
-    const [req] = args;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      throw new Error("User context required for permission check");
-    }
-    const { isPermitted: isPermitted2 } = await import("./api-O6HTBX5Y.js");
-    const hasPermission2 = await isPermitted2({
-      userId,
-      scope: { organisationId, eventId, appId },
-      permission: config.permission,
-      pageId: config.pageId
-    });
-    if (!hasPermission2) {
-      throw new Error(`Permission denied: ${config.permission}`);
-    }
-    return handler(...args);
-  };
-}
-function withAccessLevelGuard(minLevel, handler) {
-  return async (...args) => {
-    const [req] = args;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      throw new Error("User context required for access level check");
-    }
-    const { getAccessLevel: getAccessLevel2 } = await import("./api-O6HTBX5Y.js");
-    const accessLevel = await getAccessLevel2({
-      userId,
-      scope: { organisationId, eventId, appId }
-    });
-    const levelHierarchy = ["viewer", "participant", "planner", "admin", "super"];
-    const userLevelIndex = levelHierarchy.indexOf(accessLevel);
-    const requiredLevelIndex = levelHierarchy.indexOf(minLevel);
-    if (userLevelIndex < requiredLevelIndex) {
-      throw new Error(`Access level required: ${minLevel}, got: ${accessLevel}`);
-    }
-    return handler(...args);
-  };
-}
-function withRoleGuard(config, handler) {
-  return async (...args) => {
-    const [req] = args;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      throw new Error("User context required for role check");
-    }
-    if (config.globalRoles && config.globalRoles.length > 0) {
-      const { isSuperAdmin } = await import("./api-O6HTBX5Y.js");
-      const isSuper = await isSuperAdmin(userId);
-      if (isSuper) {
-        if (organisationId) {
-          const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-V53FV5AG.js");
-          await emitAuditEvent2({
-            type: "permission_check",
-            userId,
-            organisationId,
-            eventId,
-            appId,
-            permission: "bypass:all",
-            decision: true,
-            source: "api",
-            bypass: true,
-            duration_ms: 0,
-            metadata: {
-              operation: "role_guard",
-              reason: "super_admin_bypass"
-            }
-          });
-        }
-        return handler(...args);
-      }
-    }
-    if (config.organisationRoles && config.organisationRoles.length > 0) {
-      const { isOrganisationAdmin } = await import("./api-O6HTBX5Y.js");
-      const isOrgAdmin = await isOrganisationAdmin(userId, organisationId);
-      if (!isOrgAdmin && config.requireAll !== false) {
-        throw new Error(`Organisation admin role required`);
-      }
-    }
-    if (config.eventAppRoles && config.eventAppRoles.length > 0 && eventId && appId) {
-      const { isEventAdmin } = await import("./api-O6HTBX5Y.js");
-      const isEventAdminUser = await isEventAdmin(userId, { organisationId, eventId, appId });
-      if (!isEventAdminUser && config.requireAll !== false) {
-        throw new Error(`Event admin role required`);
-      }
-    }
-    if (organisationId) {
-      const { emitAuditEvent: emitAuditEvent2 } = await import("./audit-V53FV5AG.js");
-      await emitAuditEvent2({
-        type: "permission_check",
-        userId,
-        organisationId,
-        eventId,
-        appId,
-        permission: "role:check",
-        decision: true,
-        source: "api",
-        bypass: false,
-        duration_ms: 0,
-        metadata: {
-          operation: "role_guard"
-        }
-      });
-    }
-    return handler(...args);
-  };
-}
-function createRBACMiddleware(config) {
-  return async (req, res, next) => {
-    const { pathname } = req.nextUrl;
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    if (!userId || !organisationId) {
-      return res.redirect(config.fallbackUrl || "/login");
-    }
-    const protectedRoute = config.protectedRoutes.find(
-      (route) => pathname.startsWith(route.path)
-    );
-    if (protectedRoute) {
-      try {
-        const { isPermitted: isPermitted2 } = await import("./api-O6HTBX5Y.js");
-        const hasPermission2 = await isPermitted2({
-          userId,
-          scope: { organisationId },
-          permission: protectedRoute.permission,
-          pageId: protectedRoute.pageId
-        });
-        if (!hasPermission2) {
-          return res.redirect(config.fallbackUrl || "/access-denied");
-        }
-      } catch (_error) {
-        return res.redirect(config.fallbackUrl || "/access-denied");
-      }
-    }
-    next();
-  };
-}
-function createRBACExpressMiddleware(config) {
-  return async (req, res, next) => {
-    const userId = req.user?.id;
-    const organisationId = req.organisationId;
-    const eventId = req.eventId;
-    const appId = req.appId;
-    if (!userId || !organisationId) {
-      return res.status(401).json({ error: "User context required" });
-    }
-    try {
-      const { isPermitted: isPermitted2 } = await import("./api-O6HTBX5Y.js");
-      const hasPermission2 = await isPermitted2({
-        userId,
-        scope: { organisationId, eventId, appId },
-        permission: config.permission,
-        pageId: config.pageId
-      });
-      if (!hasPermission2) {
-        return res.status(403).json({ error: "Permission denied" });
-      }
-      next();
-    } catch (_error) {
-      return res.status(500).json({ error: "Permission check failed" });
-    }
-  };
-}
-function hasPermissionCached(userId, scope, _permission, _pageId) {
-  const cacheKey = RBACCache.generatePermissionKey({
-    userId,
-    organisationId: scope.organisationId,
-    eventId: scope.eventId,
-    appId: scope.appId
-  });
-  return rbacCache.get(cacheKey) || false;
-}
-function hasAnyPermissionCached(userId, scope, permissions, pageId) {
-  return permissions.some(
-    (permission) => hasPermissionCached(userId, scope, permission, pageId)
-  );
-}
-
-// src/rbac/permissions.ts
-var log3 = createLogger("RBACPermissions");
-var GLOBAL_PERMISSIONS = {
-  READ_ALL: "read:*",
-  CREATE_ALL: "create:*",
-  UPDATE_ALL: "update:*",
-  DELETE_ALL: "delete:*"
-};
-var ORGANISATION_PERMISSIONS = {
-  // Organisation management
-  READ_ORGANISATION: "read:organisation",
-  UPDATE_ORGANISATION: "update:organisation",
-  DELETE_ORGANISATION: "delete:organisation",
-  // User management
-  READ_USERS: "read:users",
-  CREATE_USERS: "create:users",
-  UPDATE_USERS: "update:users",
-  DELETE_USERS: "delete:users",
-  // Role management
-  READ_ROLES: "read:roles",
-  CREATE_ROLES: "create:roles",
-  UPDATE_ROLES: "update:roles",
-  DELETE_ROLES: "delete:roles",
-  // Event management
-  READ_EVENTS: "read:events",
-  CREATE_EVENTS: "create:events",
-  UPDATE_EVENTS: "update:events",
-  DELETE_EVENTS: "delete:events",
-  // App management
-  READ_APPS: "read:apps",
-  CREATE_APPS: "create:apps",
-  UPDATE_APPS: "update:apps",
-  DELETE_APPS: "delete:apps"
-};
-var EVENT_APP_PERMISSIONS = {
-  // Event management
-  READ_EVENT: "read:event",
-  CREATE_EVENT: "create:event",
-  UPDATE_EVENT: "update:event",
-  DELETE_EVENT: "delete:event",
-  // App management
-  READ_APP: "read:app",
-  CREATE_APP: "create:app",
-  UPDATE_APP: "update:app",
-  DELETE_APP: "delete:app",
-  // Team management
-  READ_TEAM: "read:team",
-  CREATE_TEAM: "create:team",
-  UPDATE_TEAM: "update:team",
-  DELETE_TEAM: "delete:team",
-  // Team members
-  READ_TEAM_MEMBERS: "read:team.members",
-  CREATE_TEAM_MEMBERS: "create:team.members",
-  UPDATE_TEAM_MEMBERS: "update:team.members",
-  DELETE_TEAM_MEMBERS: "delete:team.members",
-  // Event content
-  READ_EVENT_CONTENT: "read:event.content",
-  CREATE_EVENT_CONTENT: "create:event.content",
-  UPDATE_EVENT_CONTENT: "update:event.content",
-  DELETE_EVENT_CONTENT: "delete:event.content",
-  // Event settings
-  READ_EVENT_SETTINGS: "read:event.settings",
-  CREATE_EVENT_SETTINGS: "create:event.settings",
-  UPDATE_EVENT_SETTINGS: "update:event.settings",
-  DELETE_EVENT_SETTINGS: "delete:event.settings"
-};
-var PAGE_PERMISSIONS = {
-  // General page access (generic - used for wildcard checks)
-  READ_PAGE: "read:page",
-  CREATE_PAGE: "create:page",
-  UPDATE_PAGE: "update:page",
-  DELETE_PAGE: "delete:page",
-  // Admin pages
-  READ_ADMIN: "read:page.admin",
-  CREATE_ADMIN: "create:page.admin",
-  UPDATE_ADMIN: "update:page.admin",
-  DELETE_ADMIN: "delete:page.admin",
-  // Dashboard pages
-  READ_DASHBOARD: "read:page.dashboard",
-  CREATE_DASHBOARD: "create:page.dashboard",
-  UPDATE_DASHBOARD: "update:page.dashboard",
-  DELETE_DASHBOARD: "delete:page.dashboard",
-  // Settings pages
-  READ_SETTINGS: "read:page.settings",
-  CREATE_SETTINGS: "create:page.settings",
-  UPDATE_SETTINGS: "update:page.settings",
-  DELETE_SETTINGS: "delete:page.settings",
-  // Reports pages
-  READ_REPORTS: "read:page.reports",
-  CREATE_REPORTS: "create:page.reports",
-  UPDATE_REPORTS: "update:page.reports",
-  DELETE_REPORTS: "delete:page.reports"
-};
-function isValidPermission(permission) {
-  const pattern = /^(read|create|update|delete):[a-z0-9]+(\.[a-z0-9]+)*$|^(read|create|update|delete):\*$/;
-  return pattern.test(permission);
-}
-var ALL_PERMISSIONS = {
-  ...GLOBAL_PERMISSIONS,
-  ...ORGANISATION_PERMISSIONS,
-  ...EVENT_APP_PERMISSIONS,
-  ...PAGE_PERMISSIONS
-};
-
-// src/rbac/compliance/setup-validator.ts
-function isRBACInitialized() {
-  try {
-    const config = getRBACConfig();
-    return config !== null && config.supabase !== null;
-  } catch (error) {
-    if (error instanceof RBACNotInitializedError) {
-      return false;
-    }
-    throw error;
-  }
-}
-function getSetupIssues() {
-  const issues = [];
-  const config = getRBACConfig();
-  if (!config) {
-    issues.push({
-      type: "not-initialized",
-      message: "RBAC system has not been initialized. setupRBAC() has not been called.",
-      recommendation: "Call setupRBAC(supabase) before using any RBAC features. This should be done in your main entry point (main.tsx or App.tsx) before rendering the app."
-    });
-    return issues;
-  }
-  if (!config.supabase) {
-    issues.push({
-      type: "missing-config",
-      message: "RBAC configuration is missing Supabase client.",
-      recommendation: "Ensure setupRBAC() is called with a valid Supabase client instance."
-    });
-  }
-  return issues;
-}
-function getProviderContextIssues() {
-  const issues = [];
-  if (!isRBACInitialized()) {
-    issues.push({
-      type: "not-initialized",
-      message: "RBAC system must be initialized before provider context can be used.",
-      recommendation: "Call setupRBAC(supabase) before rendering UnifiedAuthProvider."
-    });
-  }
-  return issues;
-}
-function validateRBACSetup() {
-  const issues = getSetupIssues();
-  const providerIssues = getProviderContextIssues();
-  return {
-    isCompliant: issues.length === 0 && providerIssues.length === 0,
-    issues: [...issues, ...providerIssues]
-  };
-}
-
-// src/rbac/compliance/runtime-compliance.ts
-function checkRuntimeCompliance() {
-  const logger2 = getRBACLogger();
-  const setupValidation = validateRBACSetup();
-  const warnings = [];
-  if (!setupValidation.isCompliant) {
-    setupValidation.issues.forEach((issue) => {
-      const warning = `[RBAC Compliance] ${issue.message}
-  Recommendation: ${issue.recommendation}`;
-      warnings.push(warning);
-      logger2.warn(warning);
-    });
-  }
-  const providerContextIssues = setupValidation.issues.filter(
-    (issue) => issue.type === "missing-provider-context" || issue.type === "not-initialized"
-  );
-  const providerContext = providerContextIssues.length > 0 ? {
-    available: false,
-    message: "UnifiedAuthProvider context may not be available. Ensure your app is wrapped with UnifiedAuthProvider from @jmruthers/pace-core."
-  } : {
-    available: true
-  };
-  return {
-    setup: setupValidation,
-    warnings,
-    providerContext
-  };
-}
-function validateAndWarn() {
-  if (import.meta.env.MODE === "development" || import.meta.env.DEV) {
-    checkRuntimeCompliance();
-  }
-}
-
-// src/rbac/compliance/database-validator.ts
-async function validateDatabaseConfiguration(supabase, appName) {
-  const issues = [];
-  const recommendations = [];
-  let appConfigured = false;
-  let pagesConfigured = false;
-  let permissionsConfigured = false;
-  let rlsPoliciesActive = false;
-  let rolesConfigured = false;
-  try {
-    const { data: app, error: appError } = await supabase.from("rbac_apps").select("id, name").eq("name", appName).single();
-    if (appError || !app) {
-      issues.push({
-        type: "app-not-configured",
-        message: `App '${appName}' not found in rbac_apps table.`,
-        recommendation: `Register your app in the rbac_apps table with name '${appName}' (case-sensitive).`
-      });
-    } else {
-      appConfigured = true;
-      if (app.name !== appName) {
-        issues.push({
-          type: "app-name-mismatch",
-          message: `App name mismatch. Database has '${app.name}', but environment variable has '${appName}'.`,
-          recommendation: `Ensure VITE_APP_NAME (or NEXT_PUBLIC_APP_NAME) matches the app name in rbac_apps table exactly (case-sensitive).`
-        });
-      }
-      const { data: pages, error: pagesError } = await supabase.from("rbac_app_pages").select("id").eq("app_id", app.id).limit(1);
-      if (pagesError || !pages || pages.length === 0) {
-        issues.push({
-          type: "pages-not-configured",
-          message: `No pages found for app '${appName}' in rbac_app_pages table.`,
-          recommendation: "Register your app pages in the rbac_app_pages table. Each route/page should have an entry."
-        });
-      } else {
-        pagesConfigured = true;
-        const { data: permissions, error: permissionsError } = await supabase.from("rbac_page_permissions").select("id").in("page_id", pages.map((p) => p.id)).limit(1);
-        if (permissionsError || !permissions || permissions.length === 0) {
-          issues.push({
-            type: "permissions-not-configured",
-            message: `No permissions found for app '${appName}' pages in rbac_page_permissions table.`,
-            recommendation: "Configure permissions for your app pages in the rbac_page_permissions table. Each page should have permissions for different operations (read, create, update, delete)."
-          });
-        } else {
-          permissionsConfigured = true;
-        }
-      }
-    }
-    try {
-      const { data: rbacTables, error: rlsError } = await supabase.rpc("rbac_check_rls_status");
-      if (rlsError) {
-        rlsPoliciesActive = true;
-        recommendations.push("Consider adding an RLS status check function to validate RLS policies are active.");
-      } else {
-        rlsPoliciesActive = true;
-      }
-    } catch (error) {
-      rlsPoliciesActive = true;
-      recommendations.push("Consider adding an RLS status check function to validate RLS policies are active.");
-    }
-    const { data: orgRoles, error: rolesError } = await supabase.from("rbac_organisation_roles").select("id").limit(1);
-    if (rolesError) {
-      issues.push({
-        type: "roles-not-configured",
-        message: "Unable to query rbac_organisation_roles table. RLS might be blocking access or table might not exist.",
-        recommendation: "Ensure rbac_organisation_roles table exists and RLS policies allow read access for authenticated users."
-      });
-    } else {
-      rolesConfigured = true;
-    }
-  } catch (error) {
-    issues.push({
-      type: "app-not-configured",
-      message: `Error validating database configuration: ${error instanceof Error ? error.message : "Unknown error"}`,
-      recommendation: "Check your Supabase connection and ensure you have the necessary permissions to query RBAC tables."
-    });
-  }
-  return {
-    appConfigured,
-    pagesConfigured,
-    permissionsConfigured,
-    rlsPoliciesActive,
-    rolesConfigured,
-    issues,
-    recommendations
-  };
-}
-
-// src/rbac/compliance/quick-fix-suggestions.ts
-function getCustomAuthCodeFixes(customCodeName, type) {
-  const fixes = {
-    "useAuth": {
-      issue: `Custom ${type} '${customCodeName}' detected`,
-      suggestion: `Replace with useUnifiedAuth from pace-core`,
-      codeExample: `// Before
-import { useAuth } from './hooks/useAuth';
-
-// After
-import { useUnifiedAuth } from '@jmruthers/pace-core';`,
-      migrationSteps: [
-        "Remove custom useAuth hook",
-        "Import useUnifiedAuth from @jmruthers/pace-core",
-        "Update all usages to use useUnifiedAuth",
-        "Ensure UnifiedAuthProvider wraps your app"
-      ]
-    },
-    "usePermissions": {
-      issue: `Custom ${type} '${customCodeName}' detected`,
-      suggestion: `Replace with usePermissions from pace-core`,
-      codeExample: `// Before
-import { usePermissions } from './hooks/usePermissions';
-
-// After
-import { usePermissions } from '@jmruthers/pace-core/rbac';`,
-      migrationSteps: [
-        "Remove custom usePermissions hook",
-        "Import usePermissions from @jmruthers/pace-core/rbac",
-        "Update all usages - ensure setupRBAC() has been called",
-        "Verify provider hierarchy is correct"
-      ]
-    },
-    "PermissionGuard": {
-      issue: `Custom ${type} '${customCodeName}' detected`,
-      suggestion: `Replace with PagePermissionGuard from pace-core`,
-      codeExample: `// Before
-import { PermissionGuard } from './components/PermissionGuard';
-
-// After
-import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';`,
-      migrationSteps: [
-        "Remove custom PermissionGuard component",
-        "Import PagePermissionGuard from @jmruthers/pace-core/rbac",
-        "Wrap pages with PagePermissionGuard",
-        "Use pageName and operation props instead of custom permission strings"
-      ]
-    },
-    "checkPermission": {
-      issue: `Custom ${type} '${customCodeName}' detected`,
-      suggestion: `Replace with isPermitted from pace-core`,
-      codeExample: `// Before
-import { checkPermission } from './utils/permissions';
-
-// After
-import { isPermitted } from '@jmruthers/pace-core/rbac';`,
-      migrationSteps: [
-        "Remove custom checkPermission utility",
-        "Import isPermitted from @jmruthers/pace-core/rbac",
-        "Update all usages to use isPermitted with proper scope",
-        "Ensure setupRBAC() has been called"
-      ]
-    }
-  };
-  return fixes[customCodeName] || {
-    issue: `Custom ${type} '${customCodeName}' detected`,
-    suggestion: `Use pace-core's equivalent instead. Check @jmruthers/pace-core documentation for the correct import.`,
-    migrationSteps: [
-      `Remove custom ${customCodeName} ${type}`,
-      "Find equivalent in pace-core",
-      "Import from @jmruthers/pace-core or @jmruthers/pace-core/rbac",
-      "Update all usages"
-    ]
-  };
-}
-function getDuplicateConfigFixes() {
-  return {
-    issue: "Multiple Supabase client instantiations found",
-    suggestion: "Consolidate to a single Supabase client configuration",
-    codeExample: `// Before - Multiple createClient calls
-// src/lib/supabase.ts
-export const supabase = createClient(url, key);
-
-// src/utils/api.ts
-export const supabase = createClient(url, key);
-
-// After - Single configuration
-// src/lib/supabase.ts
-export const supabase = createClient(
-  import.meta.env.VITE_SUPABASE_URL,
-  import.meta.env.VITE_SUPABASE_PUBLISHABLE_KEY
-);
-
-// src/utils/api.ts
-import { supabase } from '../lib/supabase';`,
-    migrationSteps: [
-      "Create a single supabase.ts file in a shared location (e.g., src/lib/supabase.ts)",
-      "Move all Supabase client creation to this file",
-      "Export the client instance",
-      "Update all files to import from the shared location",
-      "Remove duplicate createClient calls"
-    ]
-  };
-}
-function getUnprotectedPageFixes() {
-  return {
-    issue: "Route/page found without PagePermissionGuard",
-    suggestion: "Wrap all routes with PagePermissionGuard",
-    codeExample: `// Before
-<Route path="/dashboard" element={<Dashboard />} />
-
-// After
-<Route 
-  path="/dashboard" 
-  element={
-    <PagePermissionGuard pageName="dashboard" operation="read">
-      <Dashboard />
-    </PagePermissionGuard>
-  } 
-/>`,
-    migrationSteps: [
-      "Import PagePermissionGuard from @jmruthers/pace-core/rbac",
-      "Wrap each route/page component with PagePermissionGuard",
-      "Set pageName prop to match your page name in rbac_app_pages table",
-      "Set operation prop (read, create, update, or delete)",
-      "Ensure setupRBAC() has been called and providers are set up correctly"
-    ]
-  };
-}
-function getDirectSupabaseAuthFixes() {
-  return {
-    issue: "Direct Supabase auth usage detected",
-    suggestion: "Use UnifiedAuthProvider and useUnifiedAuth from pace-core",
-    codeExample: `// Before
-import { createClient } from '@supabase/supabase-js';
-const supabase = createClient(url, key);
-await supabase.auth.signInWithPassword({ email, password });
-
-// After
-import { useUnifiedAuth } from '@jmruthers/pace-core';
-const { signIn } = useUnifiedAuth();
-await signIn({ email, password });`,
-    migrationSteps: [
-      "Remove direct Supabase auth calls",
-      "Import useUnifiedAuth from @jmruthers/pace-core",
-      "Use the auth methods from useUnifiedAuth hook",
-      "Ensure UnifiedAuthProvider wraps your app",
-      "Update all auth-related code to use pace-core hooks"
-    ]
-  };
-}
-function getQuickFixes(issueType, details) {
-  const fixes = [];
-  switch (issueType) {
-    case "custom-auth-code":
-      if (details?.name && details?.type) {
-        fixes.push(getCustomAuthCodeFixes(details.name, details.type));
-      }
-      break;
-    case "duplicate-config":
-      fixes.push(getDuplicateConfigFixes());
-      break;
-    case "unprotected-pages":
-      fixes.push(getUnprotectedPageFixes());
-      break;
-    case "direct-supabase-auth":
-      fixes.push(getDirectSupabaseAuthFixes());
-      break;
-  }
-  return fixes;
-}
-
-export {
-  RPCFunction,
-  RBACErrorCode,
-  PagePermissionProvider,
-  usePagePermissions,
-  PagePermissionGuard,
-  SecureDataProvider,
-  useSecureData,
-  PermissionEnforcer,
-  RoleBasedRouter,
-  useRoleBasedRouter,
-  NavigationProvider,
-  useNavigationPermissions,
-  NavigationGuard,
-  EnhancedNavigationMenu,
-  PermissionGuard,
-  AccessLevelGuard,
-  withPermissionGuard,
-  withAccessLevelGuard,
-  withRoleGuard,
-  createRBACMiddleware,
-  createRBACExpressMiddleware,
-  hasPermissionCached,
-  hasAnyPermissionCached,
-  GLOBAL_PERMISSIONS,
-  ORGANISATION_PERMISSIONS,
-  EVENT_APP_PERMISSIONS,
-  PAGE_PERMISSIONS,
-  isValidPermission,
-  ALL_PERMISSIONS,
-  isRBACInitialized,
-  getSetupIssues,
-  validateRBACSetup,
-  checkRuntimeCompliance,
-  validateAndWarn,
-  validateDatabaseConfiguration,
-  getCustomAuthCodeFixes,
-  getDuplicateConfigFixes,
-  getUnprotectedPageFixes,
-  getDirectSupabaseAuthFixes,
-  getQuickFixes
-};
-//# sourceMappingURL=chunk-G7QEZTYQ.js.map