@jmruthers/pace-core 0.6.9 → 0.6.11

package/dist/chunk-GS5672WG.js

@@ -1,2003 +0,0 @@
-import { useAppConfig, useOrganisationSecurity } from './chunk-EF2UGZWY.js';
-import { useEventService, useUnifiedAuth, useOrganisations } from './chunk-T5CVK4R3.js';
-import { OrganisationContextRequiredError, getRBACLogger, resolveAppContext, getPageScopeType, ContextValidator, getPermissionMap, getRoleContext, getAccessLevel, isPermittedCached, isPermitted, isSuperAdmin } from './chunk-LX6U42O3.js';
-import { getCurrentAppName } from './chunk-OJ4SKRSV.js';
-import { cn } from './chunk-7ILTDCL2.js';
-import { createLogger, logger } from './chunk-TTRFSOKR.js';
-import * as React2 from 'react';
-import { useRef, useMemo, useState, useCallback, useEffect } from 'react';
-import * as TooltipPrimitive from '@radix-ui/react-tooltip';
-import { jsx, jsxs } from 'react/jsx-runtime';
-import { Slot } from '@radix-ui/react-slot';
-import { createClient } from '@supabase/supabase-js';
-
-function useEvents() {
-  const eventService = useEventService();
-  const rawEvents = eventService.getEvents();
-  const selectedEvent = eventService.getSelectedEvent();
-  const isLoading = eventService.isLoading();
-  const error = eventService.getError();
-  const prevEventsRef = useRef([]);
-  const prevEventsIdsRef = useRef("");
-  const currentEventsIds = rawEvents.map((e) => e.event_id || e.id).join(",");
-  const eventsChanged = currentEventsIds !== prevEventsIdsRef.current;
-  if (eventsChanged) {
-    prevEventsRef.current = rawEvents;
-    prevEventsIdsRef.current = currentEventsIds;
-  }
-  const events = useMemo(() => {
-    return prevEventsRef.current;
-  }, [currentEventsIds]);
-  const setSelectedEventCallback = useMemo(
-    () => (event) => eventService.setSelectedEvent(event),
-    [eventService]
-  );
-  const refreshEventsCallback = useMemo(
-    () => () => eventService.refreshEvents(),
-    [eventService]
-  );
-  const clearEventSelectionCallback = useMemo(
-    () => () => eventService.clearEventSelection(),
-    [eventService]
-  );
-  return useMemo(() => ({
-    events,
-    selectedEvent,
-    isLoading,
-    error,
-    setSelectedEvent: setSelectedEventCallback,
-    refreshEvents: refreshEventsCallback,
-    clearEventSelection: clearEventSelectionCallback
-  }), [events, selectedEvent?.event_id, isLoading, error?.message, setSelectedEventCallback, refreshEventsCallback, clearEventSelectionCallback]);
-}
-var TooltipProvider = TooltipPrimitive.Provider;
-var TooltipRoot = TooltipPrimitive.Root;
-var TooltipTrigger = TooltipPrimitive.Trigger;
-var TooltipContent = React2.forwardRef(({ className, sideOffset = 4, ...props }, ref) => /* @__PURE__ */ jsx(
-  TooltipPrimitive.Content,
-  {
-    ref,
-    sideOffset,
-    className: cn(
-      "z-50 overflow-hidden rounded-md border bg-main-500 px-3 py-1.5 text-sm text-main-50 shadow-md animate-in fade-in-0 zoom-in-95 data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=closed]:zoom-out-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2",
-      className
-    ),
-    ...props
-  }
-));
-TooltipContent.displayName = TooltipPrimitive.Content.displayName;
-var Tooltip = React2.forwardRef(({ children, content, delayDuration = 200 }, ref) => /* @__PURE__ */ jsx(TooltipProvider, { children: /* @__PURE__ */ jsxs(TooltipRoot, { delayDuration, children: [
-  /* @__PURE__ */ jsx(TooltipTrigger, { ref, asChild: true, children: /* @__PURE__ */ jsx("span", { children }) }),
-  /* @__PURE__ */ jsx(TooltipContent, { children: content })
-] }) }));
-Tooltip.displayName = "Tooltip";
-function getButtonClasses(variant = "default", size = "default") {
-  const baseClasses = "inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:pointer-events-none disabled:opacity-50";
-  const variantClasses = {
-    default: "bg-main-600 text-main-50 shadow hover:bg-acc-400",
-    destructive: "bg-acc-600 text-acc-50 shadow-sm hover:bg-acc-400",
-    outline: "border border-main-300 bg-background shadow-sm hover:bg-acc-400",
-    secondary: "bg-sec-100 text-sec-900 shadow-sm hover:bg-acc-400",
-    ghost: "hover:bg-acc-400",
-    link: "text-main-700 underline-offset-4 hover:underline hover:drop-shadow-lg hover:drop-shadow-acc-400"
-  };
-  const sizeClasses = {
-    default: "h-9 px-4 py-2",
-    sm: "h-8 rounded-md px-3 text-xs",
-    lg: "h-10 rounded-md px-8",
-    icon: "size-8"
-  };
-  return `${baseClasses} ${variantClasses[variant]} ${sizeClasses[size]}`;
-}
-var Button = React2.forwardRef(
-  ({ className, variant, size, asChild = false, type = "button", disabled, ...props }, ref) => {
-    const Comp = asChild ? Slot : "button";
-    return /* @__PURE__ */ jsx(
-      Comp,
-      {
-        className: cn(getButtonClasses(variant, size), className),
-        ref,
-        type: !asChild ? type : void 0,
-        disabled,
-        "aria-disabled": disabled ? "true" : void 0,
-        ...props
-      }
-    );
-  }
-);
-Button.displayName = "Button";
-function ButtonGroup({
-  children,
-  orientation = "horizontal",
-  variant,
-  size,
-  className,
-  spacing = "sm"
-}) {
-  const spacingClasses = {
-    none: "",
-    sm: orientation === "horizontal" ? "space-x-1" : "space-y-1",
-    md: orientation === "horizontal" ? "space-x-2" : "space-y-2",
-    lg: orientation === "horizontal" ? "space-x-4" : "space-y-4"
-  };
-  return /* @__PURE__ */ jsx(
-    "fieldset",
-    {
-      className: cn(
-        "flex",
-        orientation === "horizontal" ? "flex-row items-center" : "flex-col",
-        spacingClasses[spacing],
-        className
-      ),
-      role: "group",
-      children: React2.Children.map(children, (child) => {
-        if (React2.isValidElement(child) && child.type) {
-          const componentType = child.type;
-          if (componentType.displayName === "Button") {
-            const childProps = child.props;
-            return React2.cloneElement(child, {
-              variant: childProps.variant || variant,
-              size: childProps.size || size,
-              ...childProps
-            });
-          }
-        }
-        return child;
-      })
-    }
-  );
-}
-var IconButton = React2.forwardRef(
-  ({ icon, className, size = "icon", "aria-label": ariaLabel, tooltip, ...props }, ref) => {
-    const button = /* @__PURE__ */ jsx(
-      Button,
-      {
-        ref,
-        size,
-        className: cn("shrink-0", className),
-        "aria-label": ariaLabel,
-        ...props,
-        children: icon
-      }
-    );
-    if (tooltip) {
-      return /* @__PURE__ */ jsx(Tooltip, { content: tooltip, children: button });
-    }
-    return button;
-  }
-);
-IconButton.displayName = "IconButton";
-
-// src/rbac/utils/clientSecurity.ts
-var SECURE_CLIENT_SYMBOL = Symbol("pace-core-secure-client");
-function isSecureClient(client) {
-  if (!client) return false;
-  return client[SECURE_CLIENT_SYMBOL] === true;
-}
-function warnIfInsecureClient(client, context) {
-  if (typeof process !== "undefined" && true) {
-    return;
-  }
-  if (!client) return;
-  if (!isSecureClient(client)) {
-    const contextMsg = context ? ` in ${context}` : "";
-    console.warn(
-      `[pace-core Security Warning] Non-secure Supabase client detected${contextMsg}.
-You are using a Supabase client created with createClient() instead of useSecureSupabase().
-This bypasses organisation context enforcement and RLS policies, which can lead to:
-- Cross-organisation data access
-- Security vulnerabilities
-- Data leakage between organisations
-
-Fix: Replace with:
-  import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
-  const supabase = useSecureSupabase();
-
-See: https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/rbac/getting-started.md`
-    );
-  }
-}
-function markClientAsSecure(client) {
-  client[SECURE_CLIENT_SYMBOL] = true;
-}
-var _SecureSupabaseClient = class _SecureSupabaseClient {
-  constructor(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin2 = false, existingClient) {
-    this.edgeFunctionClient = null;
-    this.usesExistingClient = false;
-    this.supabaseUrl = supabaseUrl;
-    this.supabaseKey = supabaseKey;
-    this.organisationId = organisationId;
-    this.eventId = eventId;
-    this.appId = appId;
-    this.isSuperAdmin = isSuperAdmin2;
-    if (existingClient) {
-      this.supabase = existingClient;
-      this.usesExistingClient = true;
-    } else {
-      this.supabase = createClient(supabaseUrl, supabaseKey, {
-        global: {
-          headers: {
-            "x-organisation-id": organisationId || "",
-            "x-event-id": eventId || "",
-            "x-app-id": appId || ""
-          }
-        }
-      });
-    }
-    this.setupContextInjection();
-    this.setupEdgeFunctionHandling();
-    markClientAsSecure(this.supabase);
-  }
-  /**
-   * Setup context injection for all database operations
-   */
-  setupContextInjection() {
-    const originalFrom = this.supabase.from.bind(this.supabase);
-    this.supabase.from = (table) => {
-      this.validateContextForTable(table);
-      const query = originalFrom(table);
-      query._tableName = table;
-      return this.injectContext(query, table);
-    };
-    const originalRpc = this.supabase.rpc.bind(this.supabase);
-    this.supabase.rpc = (fn, args, options) => {
-      this.validateContextForRpc(fn);
-      const acceptedParams = this.getRpcAcceptedParams(fn);
-      const safeArgs = args ?? {};
-      const contextArgs = { ...safeArgs };
-      if (acceptedParams.has("p_organisation_id") && this.organisationId && safeArgs.p_organisation_id === void 0) {
-        contextArgs.p_organisation_id = this.organisationId;
-      }
-      if (acceptedParams.has("p_event_id") && this.eventId && safeArgs.p_event_id === void 0) {
-        contextArgs.p_event_id = this.eventId;
-      }
-      if (acceptedParams.has("p_app_id") && this.appId && safeArgs.p_app_id === void 0) {
-        contextArgs.p_app_id = this.appId;
-      }
-      return originalRpc(fn, contextArgs, options);
-    };
-  }
-  /**
-   * Setup Edge Function handling to bypass custom headers
-   * Edge Functions may not have CORS configured to accept custom headers,
-   * so we create a separate client without custom headers for Edge Function calls
-   * 
-   * NOTE: We store the edge function client but don't override functions here.
-   * Instead, we provide a method to get the edge function client for direct use.
-   * This avoids interfering with the main client's operations.
-   */
-  setupEdgeFunctionHandling() {
-    if (this.usesExistingClient) {
-      this.edgeFunctionClient = null;
-      return;
-    }
-    this.edgeFunctionClient = createClient(this.supabaseUrl, this.supabaseKey);
-  }
-  /**
-   * Get a client for Edge Function calls without custom headers
-   * Edge Functions may not have CORS configured to accept custom headers
-   * @returns Supabase client without custom headers for Edge Function calls
-   */
-  getEdgeFunctionClient() {
-    return this.edgeFunctionClient || this.supabase;
-  }
-  /**
-   * Inject organisation context into a query
-   */
-  injectContext(query, tableName) {
-    const originalSelect = query.select.bind(query);
-    const originalInsert = query.insert.bind(query);
-    const originalUpdate = query.update.bind(query);
-    const originalDelete = query.delete.bind(query);
-    query.select = (columns) => {
-      const result = originalSelect(columns);
-      result._tableName = tableName;
-      return this.addOrganisationFilter(result, tableName);
-    };
-    query.insert = (values) => {
-      const tablesWithoutOrganisationId = [
-        "core_organisations",
-        // Organisation table itself - uses 'id' as primary key
-        "rbac_apps",
-        // App configuration table - no organisation scope
-        "rbac_app_pages",
-        // Page configuration table - scoped by app_id, not organisation_id
-        "rbac_global_roles"
-        // Global roles - no organisation scope
-      ];
-      if (tablesWithoutOrganisationId.includes(tableName)) {
-        return originalInsert(values);
-      }
-      if (tableName === "rbac_user_profiles") {
-        if (this.isSuperAdmin) {
-          return originalInsert(values);
-        }
-        if (!this.organisationId) {
-          throw new OrganisationContextRequiredError();
-        }
-        const contextValues2 = Array.isArray(values) ? values.map((v) => ({ ...v, organisation_id: this.organisationId })) : { ...values, organisation_id: this.organisationId };
-        return originalInsert(contextValues2);
-      }
-      if (this.isSuperAdmin && !this.organisationId) {
-        return originalInsert(values);
-      }
-      if (!this.organisationId) {
-        throw new OrganisationContextRequiredError();
-      }
-      const contextValues = Array.isArray(values) ? values.map((v) => ({ ...v, organisation_id: this.organisationId })) : { ...values, organisation_id: this.organisationId };
-      return originalInsert(contextValues);
-    };
-    query.update = (values) => {
-      const result = originalUpdate(values);
-      return this.addOrganisationFilter(result, tableName);
-    };
-    query.delete = () => {
-      const result = originalDelete();
-      return this.addOrganisationFilter(result, tableName);
-    };
-    return query;
-  }
-  /**
-   * Add organisation filter to a query
-   * 
-   * Defense in depth strategy:
-   * - RLS policies are the primary security layer (cannot be bypassed)
-   * - Application-level filtering adds an additional layer of protection
-   * 
-   * For rbac_user_profiles:
-   * - Super admins: No org filter (see all users) - RLS will allow access
-   * - Non-super-admins: Apply org filter as defense in depth - RLS will also filter
-   * 
-   * For system-wide tables (like core_organisations):
-   * - Super admins: No org filter (see all records) - RLS will allow access
-   * - Non-super-admins: Apply org filter as defense in depth - RLS will also filter
-   * 
-   * For other tables:
-   * - Always apply org filter unless super admin bypasses it
-   */
-  addOrganisationFilter(query, tableName) {
-    const tablesWithoutOrganisationId = [
-      "core_organisations",
-      // Organisation table itself - uses 'id' as primary key
-      "rbac_apps",
-      // App configuration table - no organisation scope
-      "rbac_app_pages",
-      // Page configuration table - scoped by app_id, not organisation_id
-      "rbac_global_roles",
-      // Global roles - no organisation scope
-      // Person-scoped tables (organisation_id was removed in person-scoped profiles migration)
-      "core_person",
-      // Person records - person-scoped, no organisation_id
-      "core_member",
-      // Member profiles - person-scoped, no organisation_id
-      "core_contact",
-      // Contact profiles - person-scoped, no organisation_id
-      "core_consent",
-      // Consent records - person-scoped, no organisation_id
-      "core_identification",
-      // Identification records - person-scoped, no organisation_id
-      "core_qualification",
-      // Qualification records - person-scoped, no organisation_id
-      "medi_profile",
-      // Medical profiles - person-scoped, no organisation_id
-      "medi_condition",
-      // Medical conditions - person-scoped via medi_profile, no organisation_id
-      "medi_diet",
-      // Medical diets - person-scoped via medi_profile, no organisation_id
-      "medi_action_plan",
-      // Medical action plans - person-scoped via medi_profile, no organisation_id
-      "medi_profile_versions"
-      // Medical profile versions - person-scoped via medi_profile, no organisation_id
-    ];
-    if (tablesWithoutOrganisationId.includes(tableName)) {
-      return query;
-    }
-    if (!this.organisationId) {
-      return query;
-    }
-    const systemWideTablesForSuperAdmins = [
-      "core_organisations"
-      // Super-admins need to see all organisations
-    ];
-    if (systemWideTablesForSuperAdmins.includes(tableName) && this.isSuperAdmin) {
-      return query;
-    }
-    if (tableName === "rbac_user_profiles") {
-      if (this.isSuperAdmin) {
-        return query;
-      }
-      return query.or(`organisation_id.eq.${this.organisationId},organisation_id.is.null`);
-    }
-    if (this.isSuperAdmin) {
-      return query.eq("organisation_id", this.organisationId);
-    }
-    return query.eq("organisation_id", this.organisationId);
-  }
-  /**
-   * Validate that required context is present
-   * Super-admins can operate without organisation context
-   */
-  validateContext() {
-    if (this.isSuperAdmin) {
-      return;
-    }
-    if (!this.organisationId) {
-      throw new OrganisationContextRequiredError();
-    }
-  }
-  /**
-   * Determine whether a table requires organisation context.
-   * Tables without an organisation_id column (or global configuration tables) are safe without org context.
-   */
-  tableRequiresOrganisationContext(tableName) {
-    const tablesWithoutOrganisationId = /* @__PURE__ */ new Set([
-      "core_organisations",
-      "rbac_apps",
-      "rbac_app_pages",
-      "rbac_global_roles",
-      "core_person",
-      "core_member",
-      "core_contact",
-      "core_consent",
-      "core_identification",
-      "core_qualification",
-      "medi_profile",
-      "medi_condition",
-      "medi_diet",
-      "medi_action_plan",
-      "medi_profile_versions"
-    ]);
-    return !tablesWithoutOrganisationId.has(tableName);
-  }
-  /**
-   * Validate context for a specific table operation.
-   */
-  validateContextForTable(tableName) {
-    if (this.isSuperAdmin) return;
-    if (!this.organisationId && this.tableRequiresOrganisationContext(tableName)) {
-      throw new OrganisationContextRequiredError();
-    }
-  }
-  /**
-   * Validate context for a specific RPC call.
-   */
-  validateContextForRpc(fn) {
-    if (this.isSuperAdmin) return;
-    if (_SecureSupabaseClient.GLOBAL_RPC_ALLOWLIST.has(fn)) return;
-    this.validateContext();
-  }
-  /**
-   * Get the current organisation ID
-   */
-  getOrganisationId() {
-    return this.organisationId;
-  }
-  /**
-   * Get the current event ID
-   */
-  getEventId() {
-    return this.eventId;
-  }
-  /**
-   * Get the current app ID
-   */
-  getAppId() {
-    return this.appId;
-  }
-  /**
-   * Create a new client with updated context
-   */
-  withContext(updates) {
-    return new _SecureSupabaseClient(
-      this.supabaseUrl,
-      this.supabaseKey,
-      updates.organisationId !== void 0 ? updates.organisationId : this.organisationId,
-      updates.eventId !== void 0 ? updates.eventId : this.eventId,
-      updates.appId !== void 0 ? updates.appId : this.appId,
-      updates.isSuperAdmin !== void 0 ? updates.isSuperAdmin : this.isSuperAdmin
-    );
-  }
-  /**
-   * Get the underlying Supabase client (for internal use only)
-   * @internal
-   */
-  getClient() {
-    const proxiedClient = new Proxy(this.supabase, {
-      get: (target, prop) => {
-        if (prop === "functions" && this.edgeFunctionClient) {
-          return this.edgeFunctionClient.functions;
-        }
-        return target[prop];
-      }
-    });
-    markClientAsSecure(proxiedClient);
-    return proxiedClient;
-  }
-  /**
-   * Get the set of parameter names that an RPC function accepts.
-   * Uses a static whitelist of RPCs that we know accept context parameters.
-   * 
-   * This is an opt-in approach: by default, we don't inject context unless
-   * the function is explicitly whitelisted. This prevents PGRST202 errors from
-   * injecting unexpected parameters.
-   * 
-   * @param fn - The RPC function name
-   * @returns Set of parameter names the function accepts
-   */
-  getRpcAcceptedParams(fn) {
-    if (_SecureSupabaseClient.rpcSignatureCache.has(fn)) {
-      return _SecureSupabaseClient.rpcSignatureCache.get(fn);
-    }
-    const rpcContextWhitelist = {
-      // RPCs that accept all three context parameters
-      "data_rbac_roles_list": /* @__PURE__ */ new Set(["p_organisation_id", "p_event_id", "p_app_id"]),
-      // RPCs that accept only p_organisation_id (not p_app_id or p_event_id)
-      "data_file_reference_by_category_list": /* @__PURE__ */ new Set(["p_organisation_id"])
-      // Add more RPCs here as we discover them
-      // Format: 'function_name': new Set(['p_organisation_id', 'p_event_id', 'p_app_id']),
-    };
-    const acceptedParams = rpcContextWhitelist[fn] || /* @__PURE__ */ new Set();
-    _SecureSupabaseClient.rpcSignatureCache.set(fn, acceptedParams);
-    return acceptedParams;
-  }
-};
-// Cache for RPC function signatures to avoid repeated database queries
-// Maps function name -> Set of parameter names it accepts
-_SecureSupabaseClient.rpcSignatureCache = /* @__PURE__ */ new Map();
-/**
- * RPC functions that are safe to call without organisation context.
- *
- * These functions must:
- * - rely on JWT context (auth.uid()) for authentication
- * - not read or write organisation-scoped data
- *
- * This allowlist enables compliant consuming apps to use `secureSupabase.rpc(...)`
- * even before an organisation is selected (common during initial page load/refresh).
- */
-_SecureSupabaseClient.GLOBAL_RPC_ALLOWLIST = /* @__PURE__ */ new Set([
-  "data_rbac_apps_list"
-]);
-var SecureSupabaseClient = _SecureSupabaseClient;
-function createSecureClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin2 = false) {
-  return new SecureSupabaseClient(supabaseUrl, supabaseKey, organisationId, eventId, appId, isSuperAdmin2);
-}
-function fromSupabaseClient(client, organisationId, eventId, appId, isSuperAdmin2 = false) {
-  return new SecureSupabaseClient("", "", organisationId, eventId, appId, isSuperAdmin2, client);
-}
-function mapAccessLevelToEventRole(level) {
-  switch (level) {
-    case "viewer":
-      return "viewer";
-    case "participant":
-      return "participant";
-    case "planner":
-      return "planner";
-    case "admin":
-    case "super":
-      return "event_admin";
-    default:
-      return null;
-  }
-}
-function useRBAC(pageId) {
-  const logger2 = getRBACLogger();
-  const {
-    user,
-    session,
-    supabase,
-    appName,
-    appId: contextAppId,
-    selectedOrganisation,
-    isContextReady: orgContextReady,
-    organisationLoading: orgLoading,
-    selectedEvent,
-    eventLoading
-  } = useUnifiedAuth();
-  const [globalRole, setGlobalRole] = useState(null);
-  const [organisationRole, setOrganisationRole] = useState(null);
-  const [eventAppRole, setEventAppRole] = useState(null);
-  const [permissionMap, setPermissionMap] = useState({});
-  const [currentScope, setCurrentScope] = useState(null);
-  const [isLoading, setIsLoading] = useState(false);
-  const [error, setError] = useState(null);
-  const resetState = useCallback(() => {
-    setGlobalRole(null);
-    setOrganisationRole(null);
-    setEventAppRole(null);
-    setPermissionMap({});
-    setCurrentScope(null);
-  }, []);
-  const loadRBACContext = useCallback(async () => {
-    if (!user || !session) {
-      resetState();
-      setIsLoading(false);
-      return;
-    }
-    const initialScope = {
-      organisationId: selectedEvent?.organisation_id || selectedOrganisation?.id || void 0,
-      eventId: selectedEvent?.event_id || void 0,
-      appId: void 0
-    };
-    if (appName !== "PORTAL" && appName !== "ADMIN") {
-      if (!selectedOrganisation && !selectedEvent) {
-        setIsLoading(true);
-        return;
-      }
-    }
-    setIsLoading(true);
-    setError(null);
-    try {
-      let appId = contextAppId;
-      if (appName && !appId) {
-        try {
-          const resolved = await resolveAppContext({ userId: user.id, appName });
-          if (!resolved) {
-            if (appName === "PORTAL" || appName === "ADMIN") {
-            } else {
-              throw new Error(`User does not have access to app "${appName}"`);
-            }
-          } else if (!resolved.hasAccess && appName !== "PORTAL" && appName !== "ADMIN") {
-            throw new Error(`User does not have access to app "${appName}"`);
-          } else {
-            appId = resolved.appId;
-          }
-        } catch (rpcError) {
-          if (rpcError?.message?.includes("NetworkError") || rpcError?.message?.includes("fetch")) {
-            logger2.warn("[useRBAC] NetworkError resolving app context - may be timing issue, will retry when context is ready", {
-              appName,
-              error: rpcError.message,
-              eventLoading,
-              hasSelectedEvent: !!selectedEvent
-            });
-            setIsLoading(false);
-            return;
-          }
-          if (appName === "PORTAL" || appName === "ADMIN") {
-          } else {
-            throw rpcError;
-          }
-        }
-      }
-      const scope = {
-        ...initialScope,
-        appId: appId || contextAppId
-      };
-      let pageScopeType = "organisation";
-      if (pageId && scope.appId) {
-        try {
-          pageScopeType = await getPageScopeType(pageId, scope.appId, appName);
-        } catch (error2) {
-          logger2.warn("[useRBAC] Failed to get page scope type, defaulting to organisation", {
-            pageId,
-            error: error2 instanceof Error ? error2.message : String(error2)
-          });
-        }
-      }
-      const validation = await ContextValidator.resolveScopeForPage(
-        scope,
-        pageScopeType,
-        appName,
-        supabase || null
-      );
-      if (!validation.isValid || !validation.resolvedScope) {
-        throw validation.error || new Error("Context validation failed");
-      }
-      const resolvedScope = validation.resolvedScope;
-      setCurrentScope(resolvedScope);
-      const [map, roleContext, accessLevel] = await Promise.all([
-        getPermissionMap({ userId: user.id, scope: resolvedScope }, appName),
-        getRoleContext({ userId: user.id, scope: resolvedScope }, appName),
-        getAccessLevel({ userId: user.id, scope: resolvedScope }, appName)
-      ]);
-      setPermissionMap(map);
-      setGlobalRole(roleContext.globalRole);
-      setOrganisationRole(roleContext.organisationRole);
-      setEventAppRole(roleContext.eventAppRole || mapAccessLevelToEventRole(accessLevel));
-      const permissionCount = Object.keys(map).length;
-      if (permissionCount === 0) {
-        logger2.warn("[useRBAC] RBAC context loaded but returned 0 permissions", {
-          appName,
-          organisationId: resolvedScope.organisationId,
-          eventId: resolvedScope.eventId
-        });
-      }
-    } catch (err) {
-      const handledError = err instanceof Error ? err : new Error("Failed to load RBAC context");
-      logger2.error("[useRBAC] Error loading RBAC context:", handledError);
-      setError(handledError);
-      resetState();
-    } finally {
-      setIsLoading(false);
-    }
-  }, [appName, logger2, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user, eventLoading, orgContextReady, orgLoading]);
-  const hasGlobalPermission = useCallback(
-    (permission) => {
-      if (globalRole === "super_admin" || permissionMap["*"]) {
-        return true;
-      }
-      if (permission === "super_admin") {
-        return globalRole === "super_admin";
-      }
-      if (permission === "org_admin") {
-        return organisationRole === "org_admin";
-      }
-      return permissionMap[permission] === true;
-    },
-    [globalRole, organisationRole, permissionMap]
-  );
-  const isSuperAdmin2 = useMemo(() => globalRole === "super_admin" || permissionMap["*"] === true, [globalRole, permissionMap]);
-  const isOrgAdmin = useMemo(() => organisationRole === "org_admin" || isSuperAdmin2, [organisationRole, isSuperAdmin2]);
-  const isEventAdmin = useMemo(() => eventAppRole === "event_admin" || isSuperAdmin2, [eventAppRole, isSuperAdmin2]);
-  const canManageOrganisation = useMemo(() => isSuperAdmin2 || organisationRole === "org_admin", [isSuperAdmin2, organisationRole]);
-  const canManageEvent = useMemo(() => isSuperAdmin2 || eventAppRole === "event_admin", [isSuperAdmin2, eventAppRole]);
-  useEffect(() => {
-    loadRBACContext();
-  }, [loadRBACContext, appName, eventLoading, selectedEvent?.event_id, user, session, selectedOrganisation?.id, orgContextReady, orgLoading]);
-  return {
-    user,
-    globalRole,
-    organisationRole,
-    eventAppRole,
-    hasGlobalPermission,
-    isSuperAdmin: isSuperAdmin2,
-    isOrgAdmin,
-    isEventAdmin,
-    canManageOrganisation,
-    canManageEvent,
-    isLoading,
-    error
-  };
-}
-var log = createLogger("useResolvedScope");
-var appIdCache = /* @__PURE__ */ new Map();
-var CACHE_TTL = 5 * 60 * 1e3;
-function useResolvedScope({
-  supabase,
-  selectedOrganisationId,
-  selectedEventId,
-  selectedEventOrganisationId
-}) {
-  const immediateOrganisationId = selectedEventOrganisationId || selectedOrganisationId || void 0;
-  const immediateEventId = selectedEventId || void 0;
-  const [appId, setAppId] = useState(void 0);
-  const [isResolvingAppId, setIsResolvingAppId] = useState(false);
-  const [error, setError] = useState(null);
-  const appName = getCurrentAppName();
-  useEffect(() => {
-    let cancelled = false;
-    const resolveAppId = async () => {
-      if (!supabase && !selectedOrganisationId && !selectedEventId) {
-        if (!cancelled) {
-          setAppId(void 0);
-          setIsResolvingAppId(false);
-          setError(null);
-        }
-        return;
-      }
-      setIsResolvingAppId(true);
-      setError(null);
-      try {
-        const appName2 = getCurrentAppName();
-        let resolvedAppId = void 0;
-        if (supabase && appName2) {
-          try {
-            const { data: session } = await supabase.auth.getSession();
-            if (!session?.session) {
-              log.debug(`Skipping app resolution for "${appName2}" - user not authenticated`);
-            } else {
-              const cached = appIdCache.get(appName2);
-              const now = Date.now();
-              if (cached && now - cached.timestamp < CACHE_TTL) {
-                resolvedAppId = cached.appId;
-              } else {
-                const { data: app, error: error2 } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName2).eq("is_active", true).single();
-                if (error2) {
-                  if (error2.code === "406" || error2.code === "PGRST116" || error2.message?.includes("406")) {
-                    log.debug(`App resolution blocked by RLS for "${appName2}" - user may not be authenticated`);
-                    resolvedAppId = void 0;
-                  } else {
-                    const { data: inactiveApp } = await supabase.from("rbac_apps").select("id, name, is_active").eq("name", appName2).single();
-                    if (inactiveApp) {
-                      log.error(`App "${appName2}" exists but is inactive (is_active: ${inactiveApp.is_active})`);
-                      resolvedAppId = void 0;
-                    } else {
-                      log.error(`App "${appName2}" not found in rbac_apps table`, { error: error2 });
-                      resolvedAppId = void 0;
-                    }
-                  }
-                } else if (app) {
-                  resolvedAppId = app.id;
-                  appIdCache.set(appName2, { appId: resolvedAppId, timestamp: now });
-                }
-              }
-            }
-          } catch (error2) {
-            const errorMessage = error2 instanceof Error ? error2.message : String(error2);
-            if (!errorMessage.includes("406") && !errorMessage.includes("PGRST116")) {
-              log.error("Unexpected error resolving app ID:", error2);
-            } else {
-              log.debug("App resolution skipped - authentication required");
-            }
-          }
-        }
-        if (!cancelled) {
-          setAppId(resolvedAppId);
-          setIsResolvingAppId(false);
-          setError(null);
-        }
-      } catch (err) {
-        if (!cancelled) {
-          setError(err);
-          setIsResolvingAppId(false);
-        }
-      }
-    };
-    resolveAppId();
-    return () => {
-      cancelled = true;
-    };
-  }, [supabase, selectedOrganisationId, selectedEventId]);
-  const immediateScope = useMemo(() => {
-    if (appName === "PORTAL" || appName === "ADMIN") {
-      return {
-        organisationId: void 0,
-        eventId: void 0,
-        appId: appId || void 0
-      };
-    }
-    const scope = {};
-    if (immediateOrganisationId) {
-      scope.organisationId = immediateOrganisationId;
-    }
-    if (immediateEventId) {
-      scope.eventId = immediateEventId;
-    }
-    if (appId) {
-      scope.appId = appId;
-    }
-    if (!scope.organisationId && !scope.appId) {
-      return null;
-    }
-    return scope;
-  }, [immediateOrganisationId, immediateEventId, appId, appName]);
-  return {
-    resolvedScope: immediateScope,
-    isLoading: isResolvingAppId,
-    // Only true while appId resolves
-    error
-  };
-}
-function useAccessLevel(userId, scope) {
-  const [accessLevel, setAccessLevel] = useState("viewer");
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const { appName } = useAppConfig();
-  const fetchAccessLevel = useCallback(async () => {
-    if (!userId) {
-      setAccessLevel("viewer");
-      setIsLoading(false);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      const { isSuperAdmin: checkSuperAdmin } = await import('./api-7P7DI652.js');
-      const isSuperAdminUser = await checkSuperAdmin(userId);
-      if (isSuperAdminUser) {
-        setAccessLevel("super");
-        setIsLoading(false);
-        return;
-      }
-      if (appName !== "PORTAL" && appName !== "ADMIN" && !scope.organisationId && !scope.eventId) {
-        const orgError = new OrganisationContextRequiredError();
-        setError(orgError);
-        setAccessLevel("viewer");
-        setIsLoading(false);
-        return;
-      }
-      const level = await getAccessLevel({ userId, scope }, appName);
-      setAccessLevel(level);
-    } catch (err) {
-      const error2 = err instanceof Error ? err : new Error("Failed to fetch access level");
-      setError(error2);
-      setAccessLevel("viewer");
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId, appName]);
-  useEffect(() => {
-    fetchAccessLevel();
-  }, [fetchAccessLevel]);
-  return useMemo(() => ({
-    accessLevel,
-    isLoading,
-    error,
-    refetch: fetchAccessLevel
-  }), [accessLevel, isLoading, error, fetchAccessLevel]);
-}
-
-// src/rbac/utils/deep-equal.ts
-function scopeEqual(a, b) {
-  if (a === b) {
-    return true;
-  }
-  if (a == null || b == null) {
-    return a === b;
-  }
-  return a.organisationId === b.organisationId && a.eventId === b.eventId && a.appId === b.appId;
-}
-
-// src/rbac/hooks/permissions/useCan.ts
-function useCan(userId, scope, permission, pageId, useCache = true, precomputedSuperAdmin = null, appName) {
-  const [isSuperAdmin2, setIsSuperAdmin] = useState(precomputedSuperAdmin ?? null);
-  const initialCan = precomputedSuperAdmin === true ? true : false;
-  const initialIsLoading = precomputedSuperAdmin === true ? false : true;
-  const [can, setCan] = useState(initialCan);
-  const [isLoading, setIsLoading] = useState(initialIsLoading);
-  const [error, setError] = useState(null);
-  const isValidScope = scope && typeof scope === "object";
-  const organisationId = isValidScope ? scope.organisationId : void 0;
-  const eventId = isValidScope ? scope.eventId : void 0;
-  const appId = isValidScope ? scope.appId : void 0;
-  useEffect(() => {
-    if (precomputedSuperAdmin === true && isSuperAdmin2 !== true) {
-      setIsSuperAdmin(true);
-      setCan(true);
-      setIsLoading(false);
-      setError(null);
-    } else if (precomputedSuperAdmin === false && isSuperAdmin2 !== false) {
-      setIsSuperAdmin(false);
-    }
-  }, [precomputedSuperAdmin, isSuperAdmin2]);
-  useEffect(() => {
-    if (precomputedSuperAdmin === null) {
-      if (!userId) {
-        setIsSuperAdmin(false);
-        return;
-      }
-      let cancelled = false;
-      const checkSuperAdmin = async () => {
-        const startTime = Date.now();
-        try {
-          const { isSuperAdmin: checkSuperAdmin2 } = await import('./api-7P7DI652.js');
-          const timeoutWarning = setTimeout(() => {
-            if (!cancelled) {
-              console.warn("[useCan] Super admin check taking longer than 5 seconds", {
-                userId,
-                elapsedMs: Date.now() - startTime
-              });
-            }
-          }, 5e3);
-          const isSuper = await checkSuperAdmin2(userId);
-          clearTimeout(timeoutWarning);
-          if (!cancelled) {
-            const elapsed = Date.now() - startTime;
-            if (elapsed > 1e3) {
-              console.warn("[useCan] Super admin check took longer than expected", {
-                userId,
-                elapsedMs: elapsed
-              });
-            }
-            setIsSuperAdmin(isSuper);
-            if (isSuper) {
-              setCan(true);
-              setIsLoading(false);
-              setError(null);
-            }
-          }
-        } catch (err) {
-          if (!cancelled) {
-            const elapsed = Date.now() - startTime;
-            console.error("[useCan] Error checking super admin", {
-              userId,
-              error: err,
-              elapsedMs: elapsed
-            });
-            setIsSuperAdmin(false);
-          }
-        }
-      };
-      checkSuperAdmin();
-      return () => {
-        cancelled = true;
-      };
-    }
-  }, [userId, precomputedSuperAdmin]);
-  useEffect(() => {
-    const isPagePermission = permission.includes(":page.") || !!pageId;
-    const requiresOrgId = !isPagePermission;
-    if (isSuperAdmin2 === true) {
-      return;
-    }
-    if (requiresOrgId && (!isValidScope || !organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
-      const timeoutId = setTimeout(() => {
-        setError(new Error("Organisation context is required for permission checks"));
-        setIsLoading(false);
-        setCan(false);
-      }, 3e3);
-      return () => clearTimeout(timeoutId);
-    }
-    if (error?.message === "Organisation context is required for permission checks") {
-      setError(null);
-    }
-  }, [isValidScope, organisationId, error, permission, pageId, isSuperAdmin2]);
-  const lastUserIdRef = useRef(null);
-  useRef(null);
-  const lastPermissionRef = useRef(null);
-  const lastPageIdRef = useRef(null);
-  const lastUseCacheRef = useRef(null);
-  const lastIsSuperAdminRef = useRef(null);
-  const stableScope = useMemo(() => {
-    if (!isValidScope) {
-      return null;
-    }
-    return {
-      organisationId,
-      eventId,
-      appId
-    };
-  }, [isValidScope, organisationId, eventId, appId]);
-  const prevScopeRef = useRef(null);
-  useEffect(() => {
-    const scopeChanged = !scopeEqual(prevScopeRef.current, stableScope);
-    const isSuperAdminChanged = lastIsSuperAdminRef.current !== isSuperAdmin2;
-    if (lastUserIdRef.current !== userId || scopeChanged || lastPermissionRef.current !== permission || lastPageIdRef.current !== pageId || lastUseCacheRef.current !== useCache || isSuperAdminChanged) {
-      lastIsSuperAdminRef.current = isSuperAdmin2;
-      lastUserIdRef.current = userId;
-      prevScopeRef.current = stableScope;
-      lastPermissionRef.current = permission;
-      lastPageIdRef.current = pageId;
-      lastUseCacheRef.current = useCache;
-      const checkPermission = async () => {
-        if (!userId) {
-          setCan(false);
-          setIsLoading(false);
-          return;
-        }
-        if (isSuperAdmin2 === true) {
-          setCan(true);
-          setIsLoading(false);
-          setError(null);
-          return;
-        }
-        if (isSuperAdmin2 === null) {
-          setIsLoading(true);
-          setCan(false);
-          setError(null);
-          return;
-        }
-        if (!isValidScope) {
-          setIsLoading(true);
-          setCan(false);
-          setError(null);
-          return;
-        }
-        const isPagePermission = permission.includes(":page.") || !!pageId;
-        const requiresOrgId = !isPagePermission;
-        const isPageName = pageId && typeof pageId === "string" && !/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(pageId);
-        const needsAppIdForPageName = isPagePermission && isPageName;
-        if (requiresOrgId && (!organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
-          setIsLoading(true);
-          setCan(false);
-          setError(null);
-          return;
-        }
-        if (needsAppIdForPageName && (!appId || appId === null || typeof appId === "string" && appId.trim() === "")) {
-          setIsLoading(true);
-          setCan(false);
-          setError(null);
-          return;
-        }
-        try {
-          setIsLoading(true);
-          setError(null);
-          const validScope = {
-            ...organisationId ? { organisationId } : {},
-            ...eventId ? { eventId } : {},
-            ...appId ? { appId } : {}
-          };
-          const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, appName, isSuperAdmin2 === false ? false : null);
-          setCan(result);
-        } catch (err) {
-          const logger2 = getRBACLogger();
-          logger2.error("Permission check error:", { permission, error: err });
-          console.error("[useCan] Permission check error", { userId, permission, error: err });
-          setError(err instanceof Error ? err : new Error("Failed to check permission"));
-          setCan(false);
-        } finally {
-          setIsLoading(false);
-        }
-      };
-      checkPermission();
-    }
-  }, [userId, stableScope, permission, pageId, useCache, appName, isSuperAdmin2]);
-  const refetch = useCallback(async () => {
-    if (!userId) {
-      setCan(false);
-      setIsLoading(false);
-      return;
-    }
-    if (!isValidScope) {
-      setCan(false);
-      setIsLoading(true);
-      setError(null);
-      return;
-    }
-    const isPagePermission = permission.includes(":page.") || !!pageId;
-    const requiresOrgId = !isPagePermission;
-    if (requiresOrgId && (!organisationId || organisationId === null || typeof organisationId === "string" && organisationId.trim() === "")) {
-      setCan(false);
-      setIsLoading(true);
-      setError(null);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      const validScope = {
-        ...organisationId ? { organisationId } : {},
-        ...eventId ? { eventId } : {},
-        ...appId ? { appId } : {}
-      };
-      const result = useCache ? await isPermittedCached({ userId, scope: validScope, permission, pageId }, appName) : await isPermitted({ userId, scope: validScope, permission, pageId }, appName, null);
-      setCan(result);
-    } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to check permission"));
-      setCan(false);
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, isValidScope, organisationId, eventId, appId, permission, pageId, useCache, appName]);
-  return useMemo(() => ({
-    can,
-    isLoading,
-    error,
-    refetch
-  }), [can, isLoading, error, refetch]);
-}
-function useMultiplePermissions(userId, scope, permissions, useCache = true) {
-  const [results, setResults] = useState({});
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const checkPermissions = useCallback(async () => {
-    if (!userId || permissions.length === 0) {
-      setResults({});
-      setIsLoading(false);
-      return;
-    }
-    try {
-      setIsLoading(true);
-      setError(null);
-      const permissionResults = {};
-      for (const permission of permissions) {
-        const result = useCache ? await isPermittedCached({ userId, scope, permission }) : await isPermitted({ userId, scope, permission });
-        permissionResults[permission] = result;
-      }
-      setResults(permissionResults);
-    } catch (err) {
-      setError(err instanceof Error ? err : new Error("Failed to check permissions"));
-      setResults({});
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache]);
-  useEffect(() => {
-    checkPermissions();
-  }, [checkPermissions]);
-  return useMemo(() => ({
-    results,
-    isLoading,
-    error,
-    refetch: checkPermissions
-  }), [results, isLoading, error, checkPermissions]);
-}
-function usePermissions(userId, organisationId, eventId, appId) {
-  const [permissions, setPermissions] = useState({});
-  const [isLoading, setIsLoading] = useState(true);
-  const [error, setError] = useState(null);
-  const [fetchTrigger, setFetchTrigger] = useState(0);
-  const isFetchingRef = useRef(false);
-  const logger2 = getRBACLogger();
-  const prevValuesRef = useRef({ userId, organisationId, eventId, appId });
-  const orgId = organisationId || "";
-  useEffect(() => {
-    if (!userId) {
-      return;
-    }
-    if (!orgId || orgId === null || typeof orgId === "string" && orgId.trim() === "") {
-      const timeoutId = setTimeout(() => {
-        setError(new Error("Organisation context is required for permission checks"));
-        setIsLoading(false);
-      }, 3e3);
-      return () => clearTimeout(timeoutId);
-    }
-    if (error?.message === "Organisation context is required for permission checks") {
-      setError(null);
-    }
-  }, [userId, organisationId, error, orgId]);
-  useEffect(() => {
-    const paramsChanged = prevValuesRef.current.userId !== userId || prevValuesRef.current.organisationId !== organisationId || prevValuesRef.current.eventId !== eventId || prevValuesRef.current.appId !== appId;
-    if (paramsChanged) {
-      if (prevValuesRef.current.appId !== appId) ;
-      prevValuesRef.current = { userId, organisationId, eventId, appId };
-      setFetchTrigger((prev) => prev + 1);
-    }
-  }, [userId, organisationId, eventId, appId, logger2]);
-  useEffect(() => {
-    const fetchPermissions = async () => {
-      if (isFetchingRef.current) {
-        return;
-      }
-      if (!userId) {
-        setPermissions({});
-        setIsLoading(false);
-        return;
-      }
-      if (!userId) {
-        setPermissions({});
-        setIsLoading(false);
-        return;
-      }
-      if (!orgId || orgId === null || typeof orgId === "string" && orgId.trim() === "") {
-        setIsLoading(true);
-        setError(null);
-        return;
-      }
-      try {
-        isFetchingRef.current = true;
-        setIsLoading(true);
-        setError(null);
-        const scope = {
-          organisationId: orgId,
-          eventId,
-          appId
-        };
-        const permissionMap = await getPermissionMap({ userId, scope });
-        const permissionCount = Object.keys(permissionMap).length;
-        if (permissionCount === 0 && Object.keys(permissions).length > 0) {
-          logger2.warn("[usePermissions] Permissions fetched but returned empty map", {
-            scope: { organisationId: orgId, eventId, appId }
-          });
-        }
-        setPermissions(permissionMap);
-      } catch (err) {
-        logger2.error("[usePermissions] Failed to fetch permissions:", err);
-        setError(err instanceof Error ? err : new Error("Failed to fetch permissions"));
-      } finally {
-        setIsLoading(false);
-        isFetchingRef.current = false;
-      }
-    };
-    fetchPermissions();
-  }, [fetchTrigger, userId, organisationId, eventId, appId]);
-  const hasPermission = useCallback((permission) => {
-    if (permissions["*"]) {
-      return true;
-    }
-    return permissions[permission] === true;
-  }, [permissions]);
-  const hasAnyPermission = useCallback((permissionList) => {
-    if (permissions["*"]) {
-      return true;
-    }
-    return permissionList.some((p) => permissions[p] === true);
-  }, [permissions]);
-  const hasAllPermissions = useCallback((permissionList) => {
-    if (permissions["*"]) {
-      return true;
-    }
-    return permissionList.every((p) => permissions[p] === true);
-  }, [permissions]);
-  const refetch = useCallback(async () => {
-    if (isFetchingRef.current) {
-      return;
-    }
-    if (!userId) {
-      setPermissions({});
-      setIsLoading(false);
-      return;
-    }
-    if (!orgId || orgId === null || typeof orgId === "string" && orgId.trim() === "") {
-      setIsLoading(true);
-      setError(null);
-      return;
-    }
-    try {
-      isFetchingRef.current = true;
-      setIsLoading(true);
-      setError(null);
-      const scope = {
-        organisationId: orgId,
-        eventId,
-        appId
-      };
-      const permissionMap = await getPermissionMap({ userId, scope });
-      setPermissions(permissionMap);
-    } catch (err) {
-      const logger3 = getRBACLogger();
-      logger3.error("Failed to refetch permissions:", err);
-      setError(err instanceof Error ? err : new Error("Failed to fetch permissions"));
-    } finally {
-      setIsLoading(false);
-      isFetchingRef.current = false;
-    }
-  }, [userId, organisationId, eventId, appId]);
-  return useMemo(() => ({
-    permissions,
-    isLoading,
-    error,
-    hasPermission,
-    hasAnyPermission,
-    hasAllPermissions,
-    refetch
-  }), [permissions, isLoading, error, hasPermission, hasAnyPermission, hasAllPermissions, refetch]);
-}
-function useResourcePermissions(resource, options = {}) {
-  const { enableRead = false, requireScope = true } = options;
-  const logger2 = createLogger("ResourcePermissions");
-  const { user, supabase } = useUnifiedAuth();
-  const [isSuperAdminUser, setIsSuperAdminUser] = useState(null);
-  const [isCheckingSuperAdmin, setIsCheckingSuperAdmin] = useState(() => !!user?.id);
-  const lastCheckedUserIdRef = useRef(null);
-  const isCheckingRef = useRef(false);
-  useEffect(() => {
-    if (lastCheckedUserIdRef.current === user?.id && isSuperAdminUser !== null) {
-      return;
-    }
-    if (isCheckingRef.current) {
-      return;
-    }
-    const checkSuperAdminStatus = async () => {
-      if (!user?.id) {
-        setIsSuperAdminUser(false);
-        setIsCheckingSuperAdmin(false);
-        lastCheckedUserIdRef.current = null;
-        return;
-      }
-      isCheckingRef.current = true;
-      lastCheckedUserIdRef.current = user.id;
-      const startTime = Date.now();
-      setIsCheckingSuperAdmin(true);
-      const timeoutId = setTimeout(() => {
-        logger2.warn("useResourcePermissions", "Super admin check taking longer than 5 seconds", {
-          userId: user?.id,
-          elapsedMs: Date.now() - startTime
-        });
-      }, 5e3);
-      try {
-        const superAdminStatus = await isSuperAdmin(user.id);
-        setIsSuperAdminUser(superAdminStatus);
-      } catch (error2) {
-        const elapsed = Date.now() - startTime;
-        logger2.error("useResourcePermissions", "Error checking super admin status", {
-          userId: user?.id,
-          error: error2,
-          elapsedMs: elapsed
-        });
-        setIsSuperAdminUser(false);
-      } finally {
-        clearTimeout(timeoutId);
-        setIsCheckingSuperAdmin(false);
-        isCheckingRef.current = false;
-      }
-    };
-    checkSuperAdminStatus();
-  }, [user?.id, logger2]);
-  const { selectedOrganisation } = useOrganisations();
-  let selectedEvent = null;
-  try {
-    const eventsContext = useEvents();
-    selectedEvent = eventsContext.selectedEvent;
-  } catch (error2) {
-  }
-  const { resolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
-    supabase,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null,
-    selectedEventOrganisationId: selectedEvent?.organisation_id || null
-  });
-  const scope = resolvedScope || {
-    organisationId: selectedOrganisation?.id || "",
-    eventId: selectedEvent?.event_id || void 0,
-    appId: void 0
-  };
-  const hasAppId = !!resolvedScope?.appId;
-  const pageId = hasAppId ? resource : void 0;
-  const isPagePermission = hasAppId && !!pageId;
-  const createPermission = isPagePermission ? `create:page.${resource}` : `create:${resource}`;
-  const updatePermission = isPagePermission ? `update:page.${resource}` : `update:${resource}`;
-  const deletePermission = isPagePermission ? `delete:page.${resource}` : `delete:${resource}`;
-  const readPermission = isPagePermission ? `read:page.${resource}` : `read:${resource}`;
-  const { can: canCreateResult, isLoading: createLoading, error: createError } = useCan(
-    user?.id || "",
-    scope,
-    createPermission,
-    pageId,
-    // Pass resource name as pageId when appId is available to enable page permission checks
-    true,
-    // useCache
-    isSuperAdminUser,
-    // precomputedSuperAdmin - null if checking, false/true if checked
-    void 0
-    // appName
-  );
-  const { can: canUpdateResult, isLoading: updateLoading, error: updateError } = useCan(
-    user?.id || "",
-    scope,
-    updatePermission,
-    pageId,
-    // Pass resource name as pageId when appId is available to enable page permission checks
-    true,
-    // useCache
-    isSuperAdminUser,
-    // precomputedSuperAdmin - null if checking, false/true if checked
-    void 0
-    // appName
-  );
-  const { can: canDeleteResult, isLoading: deleteLoading, error: deleteError } = useCan(
-    user?.id || "",
-    scope,
-    deletePermission,
-    pageId,
-    // Pass resource name as pageId when appId is available to enable page permission checks
-    true,
-    // useCache
-    isSuperAdminUser,
-    // precomputedSuperAdmin - null if checking, false/true if checked
-    void 0
-    // appName
-  );
-  const { can: canReadResult, isLoading: readLoading, error: readError } = useCan(
-    user?.id || "",
-    scope,
-    readPermission,
-    pageId,
-    // Pass resource name as pageId when appId is available to enable page permission checks
-    true,
-    // useCache
-    isSuperAdminUser,
-    // precomputedSuperAdmin - null if checking, false/true if checked
-    void 0
-    // appName
-  );
-  const isLoading = useMemo(() => {
-    const waitingForScope = requireScope && scopeLoading;
-    const waitingForSuperAdmin = isSuperAdminUser === null && isCheckingSuperAdmin;
-    return waitingForScope || waitingForSuperAdmin || createLoading || updateLoading || deleteLoading || enableRead && readLoading;
-  }, [scopeLoading, requireScope, isSuperAdminUser, isCheckingSuperAdmin, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
-  const error = useMemo(() => {
-    if (scopeError) return scopeError;
-    if (createError) return createError;
-    if (updateError) return updateError;
-    if (deleteError) return deleteError;
-    if (enableRead && readError) return readError;
-    return null;
-  }, [scopeError, createError, updateError, deleteError, readError, enableRead]);
-  return useMemo(() => {
-    const createSuperAdminAwarePermission = (result) => {
-      if (isSuperAdminUser === true) {
-        return true;
-      }
-      return result;
-    };
-    return {
-      canCreate: (res) => {
-        if (res !== resource) {
-          return false;
-        }
-        return createSuperAdminAwarePermission(canCreateResult);
-      },
-      canUpdate: (res) => {
-        if (res !== resource) {
-          return false;
-        }
-        return createSuperAdminAwarePermission(canUpdateResult);
-      },
-      canDelete: (res) => {
-        if (res !== resource) {
-          return false;
-        }
-        return createSuperAdminAwarePermission(canDeleteResult);
-      },
-      canRead: (res) => {
-        if (!enableRead) {
-          return true;
-        }
-        if (res !== resource) {
-          return false;
-        }
-        return createSuperAdminAwarePermission(canReadResult);
-      },
-      scope,
-      isLoading: isCheckingSuperAdmin || isLoading,
-      error
-    };
-  }, [
-    resource,
-    isSuperAdminUser,
-    isCheckingSuperAdmin,
-    canCreateResult,
-    canUpdateResult,
-    canDeleteResult,
-    canReadResult,
-    enableRead,
-    scope,
-    isLoading,
-    error
-  ]);
-}
-function useRoleManagement() {
-  const { user, supabase } = useUnifiedAuth();
-  const [isLoading, setIsLoading] = useState(false);
-  const [error, setError] = useState(null);
-  if (!supabase) {
-    throw new Error("useRoleManagement requires a Supabase client. Ensure UnifiedAuthProvider is configured.");
-  }
-  const revokeEventAppRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const contextId = `${params.event_id}:${params.app_id}`;
-      const rpcParams = {
-        p_user_id: params.user_id,
-        p_role_type: "event_app",
-        p_role_name: params.role,
-        p_context_id: contextId,
-        p_revoked_by: params.revoked_by || user?.id || void 0
-      };
-      if (import.meta.env.MODE === "development") {
-        console.log("[useRoleManagement] revokeEventAppRole called with:", rpcParams);
-      }
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", rpcParams);
-      if (rpcError) {
-        if (import.meta.env.MODE === "development") {
-          console.error("[useRoleManagement] RPC error:", {
-            message: rpcError.message,
-            details: rpcError.details,
-            hint: rpcError.hint,
-            code: rpcError.code,
-            fullError: rpcError
-          });
-        }
-        const errorMessage = rpcError.message || "Failed to revoke role - unknown RPC error";
-        throw new Error(errorMessage);
-      }
-      if (import.meta.env.MODE === "development") {
-        console.log("[useRoleManagement] RPC response:", {
-          data,
-          error: rpcError,
-          dataType: Array.isArray(data) ? "array" : typeof data,
-          dataLength: Array.isArray(data) ? data.length : "N/A"
-        });
-      }
-      if (!data || !Array.isArray(data) || data.length === 0) {
-        const errorMsg = "No response from database - role revocation may have failed";
-        if (import.meta.env.MODE === "development") {
-          console.error("[useRoleManagement] Empty or null data response:", {
-            data,
-            dataType: typeof data,
-            isArray: Array.isArray(data),
-            length: Array.isArray(data) ? data.length : "N/A"
-          });
-        }
-        throw new Error(errorMsg);
-      }
-      const result = data[0];
-      if (import.meta.env.MODE === "development") {
-        console.log("[useRoleManagement] RPC result:", {
-          success: result?.success,
-          message: result?.message,
-          error_code: result?.error_code,
-          revoked_count: result?.revoked_count,
-          fullResult: result
-        });
-      }
-      if (!result || result.success !== true) {
-        const errorMessage = result?.message || result?.error_code || "Role revocation failed";
-        if (import.meta.env.MODE === "development") {
-          console.error("[useRoleManagement] Role revocation failed:", {
-            result,
-            errorMessage,
-            fullData: data,
-            rpcParams
-          });
-        }
-        return {
-          success: false,
-          message: result?.message || void 0,
-          error: errorMessage
-        };
-      }
-      return {
-        success: true,
-        message: result.message || "Role revoked successfully",
-        error: void 0
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      if (import.meta.env.MODE === "development") {
-        console.error("[useRoleManagement] Exception in revokeEventAppRole:", {
-          error: err,
-          errorMessage,
-          params
-        });
-      }
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const grantEventAppRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("grant_event_app_role", {
-        p_user_id: params.user_id,
-        p_organisation_id: params.organisation_id,
-        p_event_id: params.event_id,
-        p_app_id: params.app_id,
-        p_role: params.role,
-        p_granted_by: params.granted_by || user?.id || void 0,
-        p_valid_from: params.valid_from,
-        p_valid_to: params.valid_to
-      });
-      if (rpcError) {
-        throw new Error(rpcError.message || "Failed to grant role");
-      }
-      if (!data) {
-        return {
-          success: false,
-          error: "Failed to grant role - no role ID returned"
-        };
-      }
-      return {
-        success: true,
-        message: "Role granted successfully",
-        roleId: data
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id]);
-  const revokeRoleById = useCallback(async (roleId) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data: roleData, error: fetchError } = await supabase.from("rbac_event_app_roles").select("user_id, role, event_id, app_id").eq("id", roleId).single();
-      if (fetchError || !roleData) {
-        throw new Error(fetchError?.message || "Role not found");
-      }
-      const contextId = `${roleData.event_id}:${roleData.app_id}`;
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", {
-        p_user_id: roleData.user_id,
-        p_role_type: "event_app",
-        p_role_name: roleData.role,
-        p_context_id: contextId,
-        p_revoked_by: user?.id || void 0
-      });
-      if (rpcError) {
-        const errorMessage = rpcError.message || "Failed to revoke role - unknown RPC error";
-        throw new Error(errorMessage);
-      }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      if (!result) {
-        return {
-          success: false,
-          error: void 0
-        };
-      }
-      if (result.success === false) {
-        const errorMessage = result.message || result.error_code || "Role revocation failed";
-        return {
-          success: false,
-          message: result.message || void 0,
-          error: errorMessage
-        };
-      }
-      return {
-        success: true,
-        message: result.message || "Role revoked successfully",
-        error: void 0
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const grantGlobalRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_grant", {
-        p_user_id: params.user_id,
-        p_role_type: "global",
-        p_role_name: params.role,
-        p_context_id: null,
-        // Global roles don't need context
-        p_granted_by: params.granted_by || user?.id || void 0
-      });
-      if (rpcError) {
-        throw new Error(rpcError.message || "Failed to grant role");
-      }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      if (!result || !result.success) {
-        return {
-          success: false,
-          error: result?.message || result?.error_code || "Failed to grant role",
-          message: result?.message
-        };
-      }
-      return {
-        success: true,
-        message: result.message || "Role granted successfully",
-        roleId: result.role_id
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const revokeGlobalRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", {
-        p_user_id: params.user_id,
-        p_role_type: "global",
-        p_role_name: params.role,
-        p_context_id: null,
-        // Global roles don't need context
-        p_revoked_by: params.revoked_by || user?.id || void 0
-      });
-      if (rpcError) {
-        const errorParts = [
-          rpcError.message,
-          rpcError.details,
-          rpcError.hint,
-          rpcError.code ? `Error code: ${rpcError.code}` : null
-        ].filter(Boolean);
-        const errorMessage = errorParts.length > 0 ? errorParts.join(" | ") : "Failed to revoke role - unknown RPC error";
-        throw new Error(errorMessage);
-      }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      return {
-        success: result?.success === true,
-        message: result?.message || void 0,
-        error: result?.success === false ? result?.message || result?.error_code || "Unknown error" : void 0
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const grantOrganisationRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_grant", {
-        p_user_id: params.user_id,
-        p_role_type: "organisation",
-        p_role_name: params.role,
-        p_context_id: params.organisation_id,
-        // Organisation ID as context
-        p_granted_by: params.granted_by || user?.id || void 0
-      });
-      if (rpcError) {
-        throw new Error(rpcError.message || "Failed to grant role");
-      }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      if (!result || !result.success) {
-        return {
-          success: false,
-          error: result?.message || result?.error_code || "Failed to grant role",
-          message: result?.message
-        };
-      }
-      return {
-        success: true,
-        message: result.message || "Role granted successfully",
-        roleId: result.role_id
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  const revokeOrganisationRole = useCallback(async (params) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const { data, error: rpcError } = await supabase.rpc("rbac_role_revoke", {
-        p_user_id: params.user_id,
-        p_role_type: "organisation",
-        p_role_name: params.role,
-        p_context_id: params.organisation_id,
-        // Organisation ID as context
-        p_revoked_by: params.revoked_by || user?.id || void 0
-      });
-      if (rpcError) {
-        const errorParts = [
-          rpcError.message,
-          rpcError.details,
-          rpcError.hint,
-          rpcError.code ? `Error code: ${rpcError.code}` : null
-        ].filter(Boolean);
-        const errorMessage = errorParts.length > 0 ? errorParts.join(" | ") : "Failed to revoke role - unknown RPC error";
-        throw new Error(errorMessage);
-      }
-      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
-      return {
-        success: result?.success === true,
-        message: result?.message || void 0,
-        error: result?.success === false ? result?.message || result?.error_code || "Unknown error" : void 0
-      };
-    } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Unknown error occurred";
-      setError(err instanceof Error ? err : new Error(errorMessage));
-      return {
-        success: false,
-        error: errorMessage
-      };
-    } finally {
-      setIsLoading(false);
-    }
-  }, [user?.id, supabase]);
-  return {
-    // Event app roles (existing)
-    revokeEventAppRole,
-    grantEventAppRole,
-    revokeRoleById,
-    // Global roles (new)
-    grantGlobalRole,
-    revokeGlobalRole,
-    // Organisation roles (new)
-    grantOrganisationRole,
-    revokeOrganisationRole,
-    // Shared state
-    isLoading,
-    error
-  };
-}
-var secureClientCache = /* @__PURE__ */ new Map();
-var MAX_CACHE_SIZE = 5;
-function getCacheKey(organisationId, eventId, appId, isSuperAdmin2) {
-  return `${organisationId || "no-org"}-${eventId || "no-event"}-${appId || "no-app"}-${isSuperAdmin2 ? "super" : "regular"}`;
-}
-function getSupabaseConfig() {
-  const getEnvVar = (key) => {
-    if (typeof import.meta !== "undefined" && import.meta.env) {
-      return import.meta.env[key];
-    }
-    if (typeof process !== "undefined" && process.env) {
-      return process.env[key];
-    }
-    return void 0;
-  };
-  const supabaseUrl = getEnvVar("VITE_SUPABASE_URL") || getEnvVar("NEXT_PUBLIC_SUPABASE_URL") || null;
-  const supabaseKey = getEnvVar("VITE_SUPABASE_PUBLISHABLE_KEY") || getEnvVar("NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY") || null;
-  if (!supabaseUrl || !supabaseKey) {
-    return null;
-  }
-  return { url: supabaseUrl, key: supabaseKey };
-}
-function useSecureSupabase(baseClient) {
-  const { user, supabase: authSupabase } = useUnifiedAuth();
-  const { selectedOrganisation } = useOrganisations();
-  const eventsContext = useEvents();
-  const { selectedEvent } = eventsContext;
-  const eventLoading = "eventLoading" in eventsContext ? eventsContext.eventLoading : false;
-  const { superAdminContext } = useOrganisationSecurity();
-  const isSuperAdmin2 = superAdminContext.isSuperAdmin;
-  const { resolvedScope } = useResolvedScope({
-    supabase: authSupabase || null,
-    selectedOrganisationId: selectedOrganisation?.id || null,
-    selectedEventId: selectedEvent?.event_id || null,
-    selectedEventOrganisationId: selectedEvent?.organisation_id || null
-  });
-  const prevContextRef = useRef({
-    organisationId: void 0,
-    eventId: void 0,
-    appId: void 0
-  });
-  return useMemo(() => {
-    const organisationId = resolvedScope?.organisationId;
-    const eventId = resolvedScope?.eventId || selectedEvent?.event_id;
-    const appId = resolvedScope?.appId;
-    const canCreateSecureClient = user?.id && (isSuperAdmin2 || organisationId);
-    if (canCreateSecureClient) {
-      prevContextRef.current = { organisationId, eventId, appId };
-      const cacheKey = getCacheKey(organisationId, eventId, appId, isSuperAdmin2);
-      const cachedClient = secureClientCache.get(cacheKey);
-      if (cachedClient) {
-        return cachedClient.getClient();
-      }
-      const config = getSupabaseConfig();
-      if (!config || !config.url || !config.key) {
-        logger.warn("useSecureSupabase", "Missing Supabase environment variables. Falling back to base client.", {
-          note: "Ensure VITE_SUPABASE_URL and VITE_SUPABASE_PUBLISHABLE_KEY are set in your environment."
-        });
-        return baseClient || authSupabase || null;
-      }
-      try {
-        const effectiveOrganisationId = isSuperAdmin2 ? organisationId || null : organisationId;
-        const baseForSecureClient = baseClient || authSupabase || null;
-        const secureClient = baseForSecureClient ? fromSupabaseClient(
-          baseForSecureClient,
-          effectiveOrganisationId ?? null,
-          eventId,
-          appId,
-          isSuperAdmin2
-        ) : createSecureClient(
-          config.url,
-          config.key,
-          effectiveOrganisationId,
-          // organisationId is string | null, UUID is string alias
-          eventId,
-          appId,
-          // appId is string | undefined, UUID is string alias
-          isSuperAdmin2
-          // Pass super admin status for conditional filtering
-        );
-        secureClientCache.set(cacheKey, secureClient);
-        if (secureClientCache.size > MAX_CACHE_SIZE) {
-          const firstKey = secureClientCache.keys().next().value;
-          if (firstKey) {
-            secureClientCache.delete(firstKey);
-          }
-        }
-        return secureClient.getClient();
-      } catch (error) {
-        logger.error("useSecureSupabase", "Failed to create secure client", error);
-        return baseClient || authSupabase || null;
-      }
-    }
-    return baseClient || authSupabase || null;
-  }, [
-    resolvedScope?.organisationId,
-    resolvedScope?.eventId,
-    resolvedScope?.appId,
-    selectedEvent?.event_id,
-    user?.id,
-    eventLoading,
-    isSuperAdmin2,
-    baseClient,
-    authSupabase
-  ]);
-}
-
-export { Button, ButtonGroup, SECURE_CLIENT_SYMBOL, SecureSupabaseClient, Tooltip, TooltipContent, TooltipProvider, TooltipRoot, TooltipTrigger, createSecureClient, fromSupabaseClient, isSecureClient, scopeEqual, useAccessLevel, useCan, useEvents, useMultiplePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleManagement, useSecureSupabase, warnIfInsecureClient };