@jmruthers/pace-core 0.6.9 → 0.6.11

package/dist/chunk-LX6U42O3.js

@@ -1,2177 +0,0 @@
-import { emitAuditEvent, createAuditManager, setGlobalAuditManager } from './chunk-AHU7G2R5.js';
-import { createLogger } from './chunk-TTRFSOKR.js';
-
-// src/rbac/types.ts
-var RBACError = class extends Error {
-  constructor(message, code, context) {
-    super(message);
-    this.code = code;
-    this.context = context;
-    this.name = "RBACError";
-  }
-};
-var PermissionDeniedError = class extends RBACError {
-  constructor(permission, context) {
-    super(
-      `Permission denied: ${permission}`,
-      "PERMISSION_DENIED",
-      { permission, ...context }
-    );
-    this.name = "PermissionDeniedError";
-  }
-};
-var OrganisationContextRequiredError = class extends RBACError {
-  constructor() {
-    super(
-      "Organisation context is required for this operation",
-      "ORGANISATION_CONTEXT_REQUIRED"
-    );
-    this.name = "OrganisationContextRequiredError";
-  }
-};
-var EventContextRequiredError = class extends RBACError {
-  constructor() {
-    super(
-      "Event context is required for this operation",
-      "EVENT_CONTEXT_REQUIRED"
-    );
-    this.name = "EventContextRequiredError";
-  }
-};
-var RBACNotInitializedError = class extends RBACError {
-  constructor() {
-    super(
-      "RBAC system not initialized. Please call setupRBAC(supabase) before using any RBAC components or hooks. See: https://docs.pace-core.dev/rbac/setup",
-      "RBAC_NOT_INITIALIZED"
-    );
-    this.name = "RBACNotInitializedError";
-  }
-};
-var InvalidScopeError = class extends RBACError {
-  constructor(scope, reason) {
-    super(
-      `Invalid scope provided: ${JSON.stringify(scope)}. ${reason}`,
-      "INVALID_SCOPE",
-      { scope, reason }
-    );
-    this.name = "InvalidScopeError";
-  }
-};
-var MissingUserContextError = class extends RBACError {
-  constructor() {
-    super(
-      "User context is required but not available. Make sure to wrap your app with an auth provider.",
-      "MISSING_USER_CONTEXT"
-    );
-    this.name = "MissingUserContextError";
-  }
-};
-
-// src/rbac/cache.ts
-var RBACCache = class {
-  constructor() {
-    this.cache = /* @__PURE__ */ new Map();
-    this.sessionCache = /* @__PURE__ */ new Map();
-    this.TTL = 120 * 1e3;
-    // 120 seconds (short-term) - increased from 60s
-    this.SESSION_TTL = 15 * 60 * 1e3;
-    // 15 minutes (session-level) - increased from 5min
-    this.invalidationCallbacks = /* @__PURE__ */ new Set();
-  }
-  /**
-   * Get a value from the cache
-   * 
-   * Checks both short-term cache and session cache.
-   * 
-   * @param key - Cache key
-   * @param useSessionCache - Whether to check session cache (default: true)
-   * @returns Cached value or null if not found/expired
-   */
-  get(key, useSessionCache = true) {
-    const now = Date.now();
-    const entry = this.cache.get(key);
-    if (entry && now <= entry.expires) {
-      return entry.data;
-    }
-    if (entry && now > entry.expires) {
-      this.cache.delete(key);
-    }
-    if (useSessionCache) {
-      const sessionEntry = this.sessionCache.get(key);
-      if (sessionEntry && now <= sessionEntry.expires) {
-        return sessionEntry.data;
-      }
-      if (sessionEntry && now > sessionEntry.expires) {
-        this.sessionCache.delete(key);
-      }
-    }
-    return null;
-  }
-  /**
-   * Set a value in the cache
-   * 
-   * @param key - Cache key
-   * @param data - Data to cache
-   * @param ttl - Time to live in milliseconds (defaults to 60s)
-   * @param useSessionCache - Whether to also store in session cache (default: false for page-level checks)
-   */
-  set(key, data, ttl = this.TTL, useSessionCache = false) {
-    const now = Date.now();
-    const expires = ttl <= 0 ? now - 1 : now + ttl;
-    this.cache.set(key, {
-      data,
-      expires
-    });
-    if (useSessionCache) {
-      const sessionExpires = ttl <= 0 ? now - 1 : now + this.SESSION_TTL;
-      this.sessionCache.set(key, {
-        data,
-        expires: sessionExpires
-      });
-    }
-  }
-  /**
-   * Delete a specific key from the cache
-   * 
-   * @param key - Cache key to delete
-   */
-  delete(key) {
-    this.cache.delete(key);
-    this.sessionCache.delete(key);
-  }
-  /**
-   * Invalidate cache entries matching a pattern
-   * 
-   * @param pattern - Pattern to match against cache keys
-   */
-  invalidate(pattern) {
-    const trimmedPattern = pattern?.trim();
-    if (!trimmedPattern) {
-      return;
-    }
-    const matcher = this.createMatcher(trimmedPattern);
-    const keysToDelete = [];
-    for (const key of this.cache.keys()) {
-      if (matcher(key)) {
-        keysToDelete.push(key);
-      }
-    }
-    for (const key of this.sessionCache.keys()) {
-      if (matcher(key) && !keysToDelete.includes(key)) {
-        keysToDelete.push(key);
-      }
-    }
-    keysToDelete.forEach((key) => {
-      this.cache.delete(key);
-      this.sessionCache.delete(key);
-    });
-    this.invalidationCallbacks.forEach((callback) => callback(trimmedPattern));
-  }
-  createMatcher(pattern) {
-    if (pattern.includes("*")) {
-      const escapedSegments = pattern.split("*").map((segment) => segment.replace(/[|\\{}()[\]^$+?.-]/g, "\\$&"));
-      const regexPattern = escapedSegments.join(".*");
-      const regex = new RegExp(regexPattern);
-      return (key) => regex.test(key);
-    }
-    return (key) => key.includes(pattern);
-  }
-  /**
-   * Clear all cache entries
-   */
-  clear() {
-    this.cache.clear();
-    this.sessionCache.clear();
-  }
-  /**
-   * Get cache statistics
-   */
-  getStats() {
-    return {
-      size: this.cache.size,
-      sessionSize: this.sessionCache.size,
-      ttl: this.TTL,
-      sessionTtl: this.SESSION_TTL,
-      keys: Array.from(this.cache.keys())
-    };
-  }
-  /**
-   * Add an invalidation callback
-   * 
-   * @param callback - Function to call when cache is invalidated
-   */
-  onInvalidate(callback) {
-    this.invalidationCallbacks.add(callback);
-    return () => {
-      this.invalidationCallbacks.delete(callback);
-    };
-  }
-  /**
-   * Generate cache key for permission check (simplified signature)
-   * 
-   * @param userId - User ID
-   * @param permission - Permission string
-   * @param organisationId - Organisation ID (optional)
-   * @param eventId - Event ID (optional)
-   * @param appId - App ID (optional)
-   * @param pageId - Page ID (optional)
-   * @returns String cache key
-   */
-  static generateKey(userId, permission, organisationId, eventId, appId, pageId) {
-    const parts = [
-      "perm",
-      userId,
-      organisationId || "null",
-      eventId || "null",
-      appId || "null",
-      permission || "null",
-      pageId || "null"
-    ];
-    return parts.join(":");
-  }
-  /**
-   * Generate cache key for permission check (object signature)
-   * 
-   * @param key - Permission cache key object
-   * @returns String cache key
-   */
-  static generatePermissionKey(key) {
-    const parts = [
-      "perm",
-      key.userId,
-      key.organisationId || "null",
-      key.eventId || "null",
-      key.appId || "null",
-      key.permission || "null",
-      key.pageId || "null"
-    ];
-    return parts.join(":");
-  }
-  /**
-   * Generate cache key for access level
-   * 
-   * @param userId - User ID
-   * @param organisationId - Organisation ID
-   * @param eventId - Event ID (optional)
-   * @param appId - App ID (optional)
-   * @returns String cache key
-   */
-  static generateAccessLevelKey(userId, organisationId, eventId, appId) {
-    const parts = [
-      "access",
-      userId,
-      organisationId,
-      eventId || "null",
-      appId || "null"
-    ];
-    return parts.join(":");
-  }
-  /**
-   * Generate cache key for permission map
-   * 
-   * @param userId - User ID
-   * @param organisationId - Organisation ID
-   * @param eventId - Event ID (optional)
-   * @param appId - App ID (optional)
-   * @returns String cache key
-   */
-  static generatePermissionMapKey(userId, organisationId, eventId, appId) {
-    const parts = [
-      "map",
-      userId,
-      organisationId,
-      eventId || "null",
-      appId || "null"
-    ];
-    return parts.join(":");
-  }
-};
-var rbacCache = new RBACCache();
-var CACHE_PATTERNS = {
-  USER: (userId) => `:${userId}:`,
-  ORGANISATION: (organisationId) => `:${organisationId}:`,
-  EVENT: (eventId) => `:${eventId}:`,
-  APP: (appId) => `:${appId}`,
-  PERMISSION: (userId, organisationId) => `perm:${userId}:${organisationId}:`
-};
-
-// src/rbac/cache-invalidation.ts
-var log = createLogger("RBACCache");
-var INVALIDATION_PATTERNS = {
-  // User-level invalidation
-  USER_ROLES_CHANGED: (userId) => [
-    CACHE_PATTERNS.USER(userId),
-    `perm:${userId}:*`,
-    `access:${userId}:*`,
-    `map:${userId}:*`
-  ],
-  // Organisation-level invalidation
-  ORGANISATION_PERMISSIONS_CHANGED: (organisationId) => [
-    CACHE_PATTERNS.ORGANISATION(organisationId),
-    `perm:*:${organisationId}:*`,
-    `access:*:${organisationId}:*`,
-    `map:*:${organisationId}:*`
-  ],
-  // Event-level invalidation
-  EVENT_PERMISSIONS_CHANGED: (eventId) => [
-    CACHE_PATTERNS.EVENT(eventId),
-    `perm:*:*:${eventId}:*`,
-    `access:*:*:${eventId}:*`,
-    `map:*:*:${eventId}:*`
-  ],
-  // App-level invalidation
-  APP_PERMISSIONS_CHANGED: (appId) => [
-    CACHE_PATTERNS.APP(appId),
-    `perm:*:*:*:${appId}:*`,
-    `access:*:*:*:${appId}`,
-    `map:*:*:*:${appId}`
-  ],
-  // Page-level invalidation
-  PAGE_PERMISSIONS_CHANGED: (pageId) => [
-    `perm:*:*:*:*:${pageId}`,
-    `map:*:*:*:*`
-  ]
-};
-var RBACCacheInvalidationManager = class {
-  constructor(supabase) {
-    this.invalidationCallbacks = /* @__PURE__ */ new Set();
-    this.channels = [];
-    this.supabase = supabase;
-    this.setupRealtimeSubscriptions();
-  }
-  /**
-   * Add a callback for cache invalidation events
-   * 
-   * @param callback - Function to call when cache is invalidated
-   * @returns Unsubscribe function
-   */
-  onInvalidation(callback) {
-    this.invalidationCallbacks.add(callback);
-    return () => this.invalidationCallbacks.delete(callback);
-  }
-  /**
-   * Invalidate cache for a specific user
-   * 
-   * @param userId - User ID
-   * @param reason - Reason for invalidation
-   */
-  invalidateUser(userId, reason) {
-    const patterns = INVALIDATION_PATTERNS.USER_ROLES_CHANGED(userId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache for a specific organisation
-   * 
-   * @param organisationId - Organisation ID
-   * @param reason - Reason for invalidation
-   */
-  invalidateOrganisation(organisationId, reason) {
-    const patterns = INVALIDATION_PATTERNS.ORGANISATION_PERMISSIONS_CHANGED(organisationId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache for a specific event
-   * 
-   * @param eventId - Event ID
-   * @param reason - Reason for invalidation
-   */
-  invalidateEvent(eventId, reason) {
-    const patterns = INVALIDATION_PATTERNS.EVENT_PERMISSIONS_CHANGED(eventId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache for a specific app
-   * 
-   * @param appId - App ID
-   * @param reason - Reason for invalidation
-   */
-  invalidateApp(appId, reason) {
-    const patterns = INVALIDATION_PATTERNS.APP_PERMISSIONS_CHANGED(appId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache for a specific page
-   * 
-   * @param pageId - Page ID
-   * @param reason - Reason for invalidation
-   */
-  invalidatePage(pageId, reason) {
-    const patterns = INVALIDATION_PATTERNS.PAGE_PERMISSIONS_CHANGED(pageId);
-    this.invalidatePatterns(patterns, reason);
-  }
-  /**
-   * Invalidate cache patterns and notify callbacks
-   * 
-   * @param patterns - Array of cache patterns to invalidate
-   * @param reason - Reason for invalidation
-   */
-  invalidatePatterns(patterns, reason) {
-    log.debug(`Invalidating patterns: ${patterns.join(", ")} (${reason})`);
-    patterns.forEach((pattern) => {
-      rbacCache.invalidate(pattern);
-    });
-    this.invalidationCallbacks.forEach((callback) => {
-      patterns.forEach((pattern) => callback(pattern));
-    });
-    emitAuditEvent({
-      type: "permission_check",
-      userId: "system",
-      organisationId: "00000000-0000-0000-0000-000000000000",
-      permission: "cache:invalidate",
-      decision: true,
-      source: "api",
-      duration_ms: 0,
-      metadata: {
-        reason,
-        patterns,
-        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-        cache_invalidation: true
-      }
-    }).catch((error) => {
-      log.warn("Failed to log cache invalidation audit event:", error);
-    });
-  }
-  /**
-   * Cleanup subscriptions only (not all callbacks)
-   * Used internally to cleanup before setting up new subscriptions
-   */
-  cleanupSubscriptions() {
-    this.channels.forEach((channel) => {
-      try {
-        if (channel && typeof channel.unsubscribe === "function") {
-          channel.unsubscribe();
-        }
-      } catch (error) {
-        log.warn("Failed to unsubscribe from channel:", error);
-      }
-    });
-    this.channels = [];
-  }
-  /**
-   * Setup realtime subscriptions for automatic cache invalidation
-   * Always cleans up existing subscriptions before setting up new ones to prevent duplicates
-   */
-  setupRealtimeSubscriptions() {
-    this.cleanupSubscriptions();
-    if (!this.supabase.channel || typeof this.supabase.channel !== "function") {
-      log.debug("Realtime not available, skipping subscriptions");
-      return;
-    }
-    const orgRolesChannel = this.supabase.channel("rbac_organisation_roles_changes").on("postgres_changes", {
-      event: "*",
-      schema: "public",
-      table: "rbac_organisation_roles"
-    }, (payload) => {
-      const { organisation_id, user_id } = payload.new || payload.old || {};
-      if (organisation_id) {
-        this.invalidateOrganisation(organisation_id, `organisation_role_${payload.eventType}`);
-      }
-      if (user_id) {
-        this.invalidateUser(user_id, `organisation_role_${payload.eventType}`);
-      }
-    });
-    const orgRolesSubscription = orgRolesChannel.subscribe();
-    this.channels.push(orgRolesSubscription);
-    const eventAppRolesChannel = this.supabase.channel("rbac_event_app_roles_changes").on("postgres_changes", {
-      event: "*",
-      schema: "public",
-      table: "rbac_event_app_roles"
-    }, (payload) => {
-      const { organisation_id, user_id, event_id, app_id } = payload.new || payload.old || {};
-      if (organisation_id) {
-        this.invalidateOrganisation(organisation_id, `event_app_role_${payload.eventType}`);
-      }
-      if (user_id) {
-        this.invalidateUser(user_id, `event_app_role_${payload.eventType}`);
-      }
-      if (event_id) {
-        this.invalidateEvent(event_id, `event_app_role_${payload.eventType}`);
-      }
-      if (app_id) {
-        this.invalidateApp(app_id, `event_app_role_${payload.eventType}`);
-      }
-    });
-    const eventAppRolesSubscription = eventAppRolesChannel.subscribe();
-    this.channels.push(eventAppRolesSubscription);
-    const globalRolesChannel = this.supabase.channel("rbac_global_roles_changes").on("postgres_changes", {
-      event: "*",
-      schema: "public",
-      table: "rbac_global_roles"
-    }, (payload) => {
-      const { user_id } = payload.new || payload.old || {};
-      if (user_id) {
-        this.invalidateUser(user_id, `global_role_${payload.eventType}`);
-      }
-    });
-    const globalRolesSubscription = globalRolesChannel.subscribe();
-    this.channels.push(globalRolesSubscription);
-    const pagePermissionsChannel = this.supabase.channel("rbac_page_permissions_changes").on("postgres_changes", {
-      event: "*",
-      schema: "public",
-      table: "rbac_page_permissions"
-    }, (payload) => {
-      const { organisation_id, app_page_id, role_id } = payload.new || payload.old || {};
-      if (organisation_id) {
-        this.invalidateOrganisation(organisation_id, `page_permission_${payload.eventType}`);
-      }
-      if (app_page_id) {
-        this.invalidatePage(app_page_id, `page_permission_${payload.eventType}`);
-      }
-    });
-    const pagePermissionsSubscription = pagePermissionsChannel.subscribe();
-    this.channels.push(pagePermissionsSubscription);
-  }
-  /**
-   * Cleanup all realtime subscriptions
-   * Call this when the manager is no longer needed to prevent memory leaks
-   */
-  cleanup() {
-    this.channels.forEach((channel) => {
-      try {
-        if (channel && typeof channel.unsubscribe === "function") {
-          channel.unsubscribe();
-        }
-      } catch (error) {
-        log.warn("Failed to unsubscribe from channel:", error);
-      }
-    });
-    this.channels = [];
-    this.invalidationCallbacks.clear();
-  }
-  /**
-   * Manually trigger cache invalidation for all users in an organisation
-   * 
-   * @param organisationId - Organisation ID
-   * @param reason - Reason for invalidation
-   */
-  async invalidateAllUsersInOrganisation(organisationId, reason) {
-    const { data: users } = await this.supabase.from("rbac_organisation_roles").select("user_id").eq("organisation_id", organisationId).eq("is_active", true);
-    if (users) {
-      users.forEach(({ user_id }) => {
-        this.invalidateUser(user_id, reason);
-      });
-    }
-  }
-  /**
-   * Clear all cache entries
-   */
-  clearAllCache() {
-    log.debug("Clearing all cache entries");
-    rbacCache.clear();
-  }
-};
-var globalCacheInvalidationManager = null;
-function initializeCacheInvalidation(supabase) {
-  if (globalCacheInvalidationManager) {
-    globalCacheInvalidationManager.cleanup();
-  }
-  globalCacheInvalidationManager = new RBACCacheInvalidationManager(supabase);
-  return globalCacheInvalidationManager;
-}
-
-// src/rbac/errors.ts
-var RATE_LIMIT_STATUS_CODES = /* @__PURE__ */ new Set([429]);
-var AUTH_STATUS_CODES = /* @__PURE__ */ new Set([401]);
-var AUTHZ_STATUS_CODES = /* @__PURE__ */ new Set([403]);
-function normalize(value) {
-  if (!value) {
-    return "";
-  }
-  if (typeof value === "string") {
-    return value.toLowerCase();
-  }
-  if (value instanceof Error && typeof value.message === "string") {
-    return value.message.toLowerCase();
-  }
-  return String(value).toLowerCase();
-}
-function categorizeError(error) {
-  if (error instanceof PermissionDeniedError) {
-    return "authorization_error" /* AUTHORIZATION */;
-  }
-  if (error instanceof OrganisationContextRequiredError || error instanceof InvalidScopeError) {
-    return "validation_error" /* VALIDATION */;
-  }
-  if (error instanceof MissingUserContextError) {
-    return "authentication_error" /* AUTHENTICATION */;
-  }
-  if (error instanceof RBACError) {
-    switch (error.code) {
-      case "PERMISSION_DENIED":
-        return "authorization_error" /* AUTHORIZATION */;
-      case "ORGANISATION_CONTEXT_REQUIRED":
-      case "INVALID_SCOPE":
-        return "validation_error" /* VALIDATION */;
-      case "MISSING_USER_CONTEXT":
-        return "authentication_error" /* AUTHENTICATION */;
-    }
-  }
-  if (error && typeof error === "object") {
-    const status = error.status;
-    if (typeof status === "number") {
-      if (RATE_LIMIT_STATUS_CODES.has(status)) {
-        return "rate_limit_error" /* RATE_LIMIT */;
-      }
-      if (AUTH_STATUS_CODES.has(status)) {
-        return "authentication_error" /* AUTHENTICATION */;
-      }
-      if (AUTHZ_STATUS_CODES.has(status)) {
-        return "authorization_error" /* AUTHORIZATION */;
-      }
-      if (status >= 500) {
-        return "database_error" /* DATABASE */;
-      }
-    }
-    const codeValue = normalize(error.code);
-    if (codeValue) {
-      if (codeValue.includes("network")) {
-        return "network_error" /* NETWORK */;
-      }
-      if (codeValue.includes("postgres") || codeValue.includes("database") || codeValue.includes("db")) {
-        return "database_error" /* DATABASE */;
-      }
-      if (codeValue.includes("rate")) {
-        return "rate_limit_error" /* RATE_LIMIT */;
-      }
-      if (codeValue.includes("auth")) {
-        return "authentication_error" /* AUTHENTICATION */;
-      }
-      if (codeValue.includes("permission")) {
-        return "authorization_error" /* AUTHORIZATION */;
-      }
-      if (codeValue.includes("scope") || codeValue.includes("invalid")) {
-        return "validation_error" /* VALIDATION */;
-      }
-    }
-  }
-  const message = normalize(error);
-  if (message.includes("timeout") || message.includes("network") || message.includes("fetch")) {
-    return "network_error" /* NETWORK */;
-  }
-  if (message.includes("postgres") || message.includes("database") || message.includes("connection")) {
-    return "database_error" /* DATABASE */;
-  }
-  if (message.includes("rate limit") || message.includes("too many requests")) {
-    return "rate_limit_error" /* RATE_LIMIT */;
-  }
-  if (message.includes("permission") || message.includes("forbidden")) {
-    return "authorization_error" /* AUTHORIZATION */;
-  }
-  if (message.includes("auth") || message.includes("token") || message.includes("session")) {
-    return "authentication_error" /* AUTHENTICATION */;
-  }
-  if (message.includes("invalid") || message.includes("scope") || message.includes("validation")) {
-    return "validation_error" /* VALIDATION */;
-  }
-  return "unknown_error" /* UNKNOWN */;
-}
-function mapErrorCategoryToSecurityEventType(category) {
-  switch (category) {
-    case "authorization_error" /* AUTHORIZATION */:
-      return "permission_denied";
-    case "network_error" /* NETWORK */:
-      return "network_error";
-    case "database_error" /* DATABASE */:
-      return "database_error";
-    case "validation_error" /* VALIDATION */:
-      return "validation_error";
-    case "rate_limit_error" /* RATE_LIMIT */:
-      return "rate_limit_error";
-    case "authentication_error" /* AUTHENTICATION */:
-      return "authentication_error";
-    case "unknown_error" /* UNKNOWN */:
-    default:
-      return "unknown_error";
-  }
-}
-
-// src/rbac/security.ts
-var log2 = createLogger("RBACSecurity");
-var RBACSecurityValidator = class {
-  /**
-   * Validate permission string format
-   * @param permission - Permission string to validate
-   * @returns True if valid, false otherwise
-   */
-  static validatePermission(permission) {
-    if (typeof permission !== "string" || permission.length === 0) {
-      return false;
-    }
-    const permissionRegex = /^(read|create|update|delete):[a-z0-9._-]+$/;
-    return permissionRegex.test(permission);
-  }
-  /**
-   * Validate UUID format
-   * @param uuid - UUID string to validate
-   * @returns True if valid, false otherwise
-   */
-  static validateUUID(uuid) {
-    if (typeof uuid !== "string" || uuid.length === 0) {
-      return false;
-    }
-    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-    return uuidRegex.test(uuid);
-  }
-  /**
-   * Validate scope object
-   * @param scope - Scope object to validate
-   * @returns True if valid, false otherwise
-   */
-  static validateScope(scope) {
-    if (!scope || typeof scope !== "object") {
-      return false;
-    }
-    if (scope.organisationId !== void 0) {
-      if (typeof scope.organisationId === "string" && scope.organisationId.trim() === "") {
-        return false;
-      }
-      if (scope.organisationId && !this.validateUUID(scope.organisationId)) {
-        return false;
-      }
-    }
-    if (scope.eventId && typeof scope.eventId !== "string") {
-      return false;
-    }
-    if (scope.appId && !this.validateUUID(scope.appId)) {
-      return false;
-    }
-    return !!(scope.organisationId || scope.eventId || scope.appId);
-  }
-  /**
-   * Sanitize input string to prevent injection attacks
-   * @param input - Input string to sanitize
-   * @returns Sanitized string
-   */
-  static sanitizeInput(input) {
-    if (typeof input !== "string") {
-      return "";
-    }
-    return input.replace(/<[^>]*>/g, "").replace(/[<>\"'&]/g, "").replace(/[;()]/g, "").replace(/javascript:/gi, "").replace(/data:/gi, "").trim();
-  }
-  /**
-   * Validate user ID format
-   * @param userId - User ID to validate
-   * @returns True if valid, false otherwise
-   */
-  static validateUserId(userId) {
-    return this.validateUUID(userId);
-  }
-  /**
-   * Check if permission is a wildcard permission
-   * @param permission - Permission string to check
-   * @returns True if wildcard, false otherwise
-   */
-  static isWildcardPermission(permission) {
-    return permission.includes("*") || permission.endsWith(":*");
-  }
-  /**
-   * Validate permission hierarchy
-   * @param permission - Permission to validate
-   * @param requiredOperation - Required operation
-   * @returns True if permission matches or is higher in hierarchy
-   */
-  static validatePermissionHierarchy(permission, requiredOperation) {
-    if (!this.validatePermission(permission)) {
-      return false;
-    }
-    const [operation] = permission.split(":");
-    const hierarchy = ["read", "create", "update", "delete"];
-    const permissionLevel = hierarchy.indexOf(operation);
-    const requiredLevel = hierarchy.indexOf(requiredOperation);
-    if (permissionLevel === -1 || requiredLevel === -1) {
-      return false;
-    }
-    return permissionLevel >= requiredLevel;
-  }
-  /**
-   * Rate limiting check (placeholder for future implementation)
-   * @param userId - User ID
-   * @param operation - Operation being performed
-   * @returns True if within rate limit, false otherwise
-   */
-  static async checkRateLimit(userId, operation) {
-    return true;
-  }
-  // Only warn once per 5 seconds per user
-  static logSecurityEvent(event) {
-    const securityEvent = {
-      ...event,
-      timestamp: event.timestamp || /* @__PURE__ */ new Date(),
-      severity: this.getEventSeverity(event.type)
-    };
-    if (event.type === "rate_limit_exceeded") {
-      const now = Date.now();
-      const userWarning = this.rateLimitWarningCount.get(event.userId);
-      if (userWarning) {
-        const timeSinceLastWarning = now - userWarning.lastWarning;
-        if (timeSinceLastWarning < this.RATE_LIMIT_WARNING_THROTTLE_MS) {
-          userWarning.count++;
-          this.rateLimitWarningCount.set(event.userId, userWarning);
-          return;
-        } else {
-          log2.warn("Security event (throttled):", {
-            ...securityEvent,
-            details: {
-              ...securityEvent.details,
-              suppressedWarnings: userWarning.count,
-              message: `Rate limit exceeded (${userWarning.count + 1} times in last ${Math.round(timeSinceLastWarning / 1e3)}s)`
-            }
-          });
-          this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
-          return;
-        }
-      } else {
-        this.rateLimitWarningCount.set(event.userId, { count: 0, lastWarning: now });
-        log2.warn("Security event:", securityEvent);
-        return;
-      }
-    }
-    log2.warn("Security event:", securityEvent);
-  }
-  /**
-   * Get severity level for security event
-   * @param eventType - Type of security event
-   * @returns Severity level
-   */
-  static getEventSeverity(eventType) {
-    switch (eventType) {
-      case "permission_denied":
-        return "low";
-      case "invalid_input":
-      case "rate_limit_exceeded":
-      case "rate_limit_error":
-      case "network_error":
-        return "medium";
-      case "validation_error":
-        return "high";
-      case "authentication_error":
-      case "database_error":
-        return "critical";
-      case "suspicious_activity":
-      case "unknown_error":
-        return "high";
-      default:
-        return "low";
-    }
-  }
-};
-/**
- * Log security event for monitoring
- * @param event - Security event details
- */
-RBACSecurityValidator.rateLimitWarningCount = /* @__PURE__ */ new Map();
-RBACSecurityValidator.RATE_LIMIT_WARNING_THROTTLE_MS = 5e3;
-var DEFAULT_SECURITY_CONFIG = {
-  enableInputValidation: true,
-  enableRateLimiting: true,
-  enableAuditLogging: true,
-  maxPermissionChecksPerMinute: 1e3,
-  // Increased from 100 to 1000 for normal app usage
-  suspiciousActivityThreshold: 10
-};
-var RBACSecurityMiddleware = class {
-  constructor(config = DEFAULT_SECURITY_CONFIG) {
-    /**
-     * In-memory rate limiting cache (sliding window)
-     * Note: For production, this should use Redis or Supabase Edge Functions
-     */
-    this.rateLimitCache = /* @__PURE__ */ new Map();
-    this.config = config;
-    this._startCleanupInterval();
-  }
-  /**
-   * Start periodic cleanup of expired entries
-   */
-  _startCleanupInterval() {
-    setInterval(() => {
-      this.clearExpiredEntries();
-    }, 5 * 60 * 1e3);
-  }
-  /**
-   * Validate input before processing
-   * @param input - Input to validate
-   * @param context - Security context
-   * @returns Validation result
-   */
-  async validateInput(input, context) {
-    const errors = [];
-    if (!RBACSecurityValidator.validateUserId(context.userId)) {
-      errors.push("Invalid user ID format");
-    }
-    const isPagePermission = input.permission?.includes(":page.") || !!input.pageId;
-    const requiresOrgId = !isPagePermission;
-    if (requiresOrgId) {
-      if (!context.organisationId) {
-        errors.push("Organisation ID is required for resource-level permissions");
-      } else if (!RBACSecurityValidator.validateUUID(context.organisationId)) {
-        errors.push("Invalid organisation ID format");
-      }
-    } else {
-      if (context.organisationId && !RBACSecurityValidator.validateUUID(context.organisationId)) {
-        errors.push("Invalid organisation ID format");
-      }
-    }
-    if (input.permission && !RBACSecurityValidator.validatePermission(input.permission)) {
-      errors.push("Invalid permission format");
-    }
-    if (input.scope && !RBACSecurityValidator.validateScope(input.scope)) {
-      errors.push("Invalid scope format");
-    }
-    if (this.config.enableInputValidation) {
-      if (context.ipAddress && typeof context.ipAddress !== "string") {
-        errors.push("Invalid IP address format");
-      }
-      if (context.userAgent && typeof context.userAgent !== "string") {
-        errors.push("Invalid user agent format");
-      }
-    }
-    if (errors.length > 0) {
-      RBACSecurityValidator.logSecurityEvent({
-        type: "invalid_input",
-        userId: context.userId,
-        details: { errors, input: this.sanitizeInput(JSON.stringify(input)) }
-      });
-    }
-    return {
-      isValid: errors.length === 0,
-      errors
-    };
-  }
-  /**
-   * Check rate limiting
-   * @param context - Security context
-   * @returns Rate limit check result
-   */
-  async checkRateLimit(context) {
-    if (!this.config.enableRateLimiting) {
-      return { isAllowed: true, remaining: this.config.maxPermissionChecksPerMinute };
-    }
-    const isAllowed = await this._checkRateLimitInternal(context.userId);
-    const remaining = isAllowed ? this.config.maxPermissionChecksPerMinute - this._getRequestCount(context.userId) : 0;
-    return {
-      isAllowed,
-      remaining: Math.max(0, remaining)
-    };
-  }
-  async _checkRateLimitInternal(userId) {
-    const now = Date.now();
-    const windowMs = 60 * 1e3;
-    const entries = this.rateLimitCache.get(userId) || [];
-    const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
-    const requestCount = validEntries.length;
-    const isAllowed = requestCount < this.config.maxPermissionChecksPerMinute;
-    if (isAllowed) {
-      validEntries.push({ timestamp: now });
-    }
-    this.rateLimitCache.set(userId, validEntries);
-    return isAllowed;
-  }
-  _getRequestCount(userId) {
-    const now = Date.now();
-    const windowMs = 60 * 1e3;
-    const entries = this.rateLimitCache.get(userId) || [];
-    const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
-    return validEntries.length;
-  }
-  /**
-   * Clear old rate limit entries to prevent memory leaks
-   * Should be called periodically (e.g., every 5 minutes)
-   */
-  clearExpiredEntries() {
-    const now = Date.now();
-    const windowMs = 60 * 1e3;
-    for (const [userId, entries] of this.rateLimitCache.entries()) {
-      const validEntries = entries.filter((entry) => now - entry.timestamp < windowMs);
-      if (validEntries.length === 0) {
-        this.rateLimitCache.delete(userId);
-      } else {
-        this.rateLimitCache.set(userId, validEntries);
-      }
-    }
-  }
-  /**
-   * Sanitize input data
-   * @param input - Input to sanitize
-   * @returns Sanitized input
-   */
-  sanitizeInput(input) {
-    return RBACSecurityValidator.sanitizeInput(input);
-  }
-};
-
-// src/rbac/config.ts
-var RBACConfigManager = class {
-  constructor() {
-    this.config = null;
-    this.logger = null;
-  }
-  setConfig(config) {
-    this.config = config;
-    this.setupLogger();
-  }
-  getConfig() {
-    return this.config;
-  }
-  getLogger() {
-    if (!this.logger) {
-      this.logger = this.createDefaultLogger();
-    }
-    return this.logger;
-  }
-  setupLogger() {
-    if (!this.config) return;
-    const { debug = false, logLevel = "warn" } = this.config;
-    this.logger = {
-      error: (message, ...args) => {
-        console.error(`[RBAC ERROR] ${message}`, ...args);
-      },
-      warn: (message, ...args) => {
-        if (logLevel === "warn" || logLevel === "info" || logLevel === "debug") {
-          console.warn(`[RBAC WARN] ${message}`, ...args);
-        }
-      },
-      info: (message, ...args) => {
-        if (logLevel === "info" || logLevel === "debug") {
-          console.info(`[RBAC INFO] ${message}`, ...args);
-        }
-      },
-      debug: (message, ...args) => {
-        if (debug && logLevel === "debug") {
-          console.debug(`[RBAC DEBUG] ${message}`, ...args);
-        }
-      }
-    };
-  }
-  createDefaultLogger() {
-    return {
-      error: (message, ...args) => console.error(`[RBAC ERROR] ${message}`, ...args),
-      warn: (message, ...args) => console.warn(`[RBAC WARN] ${message}`, ...args),
-      info: (message, ...args) => console.info(`[RBAC INFO] ${message}`, ...args),
-      debug: (message, ...args) => console.debug(`[RBAC DEBUG] ${message}`, ...args)
-    };
-  }
-  isDebugMode() {
-    return this.config?.debug ?? false;
-  }
-  isDevelopmentMode() {
-    return this.config?.developmentMode ?? false;
-  }
-  getMockPermissions() {
-    return this.config?.mockPermissions ?? null;
-  }
-};
-var configManager = new RBACConfigManager();
-function createRBACConfig(config) {
-  configManager.setConfig(config);
-  return config;
-}
-function getRBACConfig() {
-  return configManager.getConfig();
-}
-function getRBACLogger() {
-  return configManager.getLogger();
-}
-function isDebugMode() {
-  return configManager.isDebugMode();
-}
-function isDevelopmentMode() {
-  return configManager.isDevelopmentMode();
-}
-
-// src/rbac/engine.ts
-var RBACEngine = class {
-  constructor(supabase, securityConfig) {
-    this.supabase = supabase;
-    const mergedSecurityConfig = {
-      ...DEFAULT_SECURITY_CONFIG,
-      ...securityConfig
-    };
-    this.securityMiddleware = new RBACSecurityMiddleware(mergedSecurityConfig);
-    initializeCacheInvalidation(supabase);
-  }
-  /**
-   * Check if a user has a specific permission
-   * 
-   * This method now delegates to the database RPC function for all the heavy lifting.
-   * 
-   * @param input - Permission check input
-   * @param securityContext - Security context for validation (required)
-   * @returns Promise resolving to permission result
-   */
-  async isPermitted(input, securityContext) {
-    const startTime = Date.now();
-    const { userId, permission, scope, pageId } = input;
-    let cacheHit = false;
-    let cacheSource = "rpc";
-    try {
-      const validation = await this.securityMiddleware.validateInput(input, securityContext);
-      if (!validation.isValid) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "invalid_input",
-          userId,
-          details: { errors: validation.errors, input: JSON.stringify(input) }
-        });
-        return false;
-      }
-      const rateLimit = await this.securityMiddleware.checkRateLimit(securityContext);
-      if (!rateLimit.isAllowed) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "rate_limit_exceeded",
-          userId,
-          details: { remaining: rateLimit.remaining }
-        });
-        return false;
-      }
-      if (!RBACSecurityValidator.validateUserId(userId)) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "invalid_input",
-          userId,
-          details: { error: "Invalid user ID format" }
-        });
-        return false;
-      }
-      if (!RBACSecurityValidator.validatePermission(permission)) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "invalid_input",
-          userId,
-          details: { error: "Invalid permission format", permission }
-        });
-        return false;
-      }
-      if (!RBACSecurityValidator.validateScope(scope)) {
-        RBACSecurityValidator.logSecurityEvent({
-          type: "invalid_input",
-          userId,
-          details: { error: "Invalid scope format", scope }
-        });
-        return false;
-      }
-      const cacheKey = RBACCache.generateKey(
-        userId,
-        permission,
-        scope.organisationId,
-        scope.eventId,
-        scope.appId,
-        pageId
-      );
-      const cached = rbacCache.get(cacheKey);
-      if (cached !== null) {
-        cacheHit = true;
-        cacheSource = "memory";
-        return cached;
-      }
-      const { data, error } = await this.supabase.rpc("rbac_check_permission_simplified", {
-        p_user_id: userId,
-        p_permission: permission,
-        p_organisation_id: scope.organisationId || void 0,
-        p_event_id: scope.eventId || void 0,
-        p_app_id: scope.appId || void 0,
-        p_page_id: pageId || void 0
-      });
-      if (error) {
-        const logger = getRBACLogger();
-        logger.error("RPC error:", error);
-        const category = categorizeError(error);
-        const eventType = mapErrorCategoryToSecurityEventType(category);
-        const errorDetails = error;
-        RBACSecurityValidator.logSecurityEvent({
-          type: eventType,
-          userId,
-          details: {
-            error: errorDetails?.message || "RPC call failed",
-            code: errorDetails?.code,
-            hint: errorDetails?.hint,
-            details: errorDetails?.details,
-            permission,
-            scope: JSON.stringify(scope),
-            category
-          }
-        });
-        return false;
-      }
-      const hasPermission = data === true;
-      rbacCache.set(cacheKey, hasPermission, 6e4);
-      const duration = Date.now() - startTime;
-      if (scope.organisationId) {
-        const resolvedPageId = await this.resolvePageId(pageId, scope.appId);
-        await emitAuditEvent({
-          type: hasPermission ? "permission_check" : "permission_denied",
-          userId,
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId,
-          pageId: resolvedPageId,
-          permission,
-          decision: hasPermission,
-          source: "api",
-          duration_ms: duration,
-          cache_hit: cacheHit,
-          cache_source: cacheSource
-        });
-      }
-      return hasPermission;
-    } catch (error) {
-      const category = categorizeError(error);
-      const eventType = mapErrorCategoryToSecurityEventType(category);
-      const errorMessage = error instanceof Error ? error.message : "Unknown error";
-      RBACSecurityValidator.logSecurityEvent({
-        type: eventType,
-        userId,
-        details: {
-          error: errorMessage,
-          permission,
-          scope: JSON.stringify(scope),
-          category
-        }
-      });
-      const logger = getRBACLogger();
-      logger.error("Permission check failed:", error);
-      return false;
-    }
-  }
-  /**
-   * Get user's access level in a scope
-   * 
-   * This is derived from roles, not permissions.
-   * 
-   * @param input - Access level input
-   * @returns Promise resolving to access level
-   */
-  async getAccessLevel(input) {
-    const { userId, scope } = input;
-    const cacheKey = RBACCache.generateAccessLevelKey(
-      userId,
-      scope.organisationId || "",
-      scope.eventId,
-      scope.appId
-    );
-    const cached = rbacCache.get(cacheKey);
-    if (cached) {
-      return cached;
-    }
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
-    if (isSuperAdmin2) {
-      rbacCache.set(cacheKey, "super", 6e4);
-      return "super";
-    }
-    if (scope.organisationId) {
-      const { data: orgRoles } = await this.supabase.from("rbac_organisation_roles").select("role").eq("user_id", userId).eq("organisation_id", scope.organisationId).eq("status", "active").is("revoked_at", null).lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).limit(1);
-      const orgRole = orgRoles?.[0];
-      if (orgRole?.role === "org_admin") {
-        rbacCache.set(cacheKey, "admin", 6e4);
-        return "admin";
-      }
-    }
-    if (scope.eventId && scope.appId) {
-      const { data: eventRole } = await this.supabase.from("rbac_event_app_roles").select("role").eq("user_id", userId).eq("event_id", scope.eventId).eq("app_id", scope.appId).eq("status", "active").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).single();
-      if (eventRole?.role === "event_admin") {
-        rbacCache.set(cacheKey, "admin", 6e4);
-        return "admin";
-      }
-      if (eventRole?.role === "planner") {
-        rbacCache.set(cacheKey, "planner", 6e4);
-        return "planner";
-      }
-      if (eventRole?.role === "participant") {
-        rbacCache.set(cacheKey, "participant", 6e4);
-        return "participant";
-      }
-    }
-    rbacCache.set(cacheKey, "viewer", 6e4);
-    return "viewer";
-  }
-  /**
-   * Get user's permission map for a scope
-   * 
-   * This builds a map of page IDs to allowed operations.
-   * Uses the simplified RPC for each permission check.
-   * 
-   * @param input - Permission map input
-   * @returns Promise resolving to permission map
-   */
-  async getPermissionMap(input) {
-    const { userId, scope } = input;
-    const cacheKey = RBACCache.generatePermissionMapKey(
-      userId,
-      scope.organisationId || "",
-      scope.eventId,
-      scope.appId
-    );
-    const isSuperAdmin2 = await this.checkSuperAdmin(userId);
-    if (isSuperAdmin2) {
-      const wildcardMap = { "*": true };
-      rbacCache.set(cacheKey, wildcardMap, 6e4);
-      return wildcardMap;
-    }
-    if (!scope.organisationId) {
-      return {};
-    }
-    const cached = rbacCache.get(cacheKey);
-    if (cached) {
-      return cached;
-    }
-    const permissionMap = {};
-    if (scope.appId) {
-      const { data: pages } = await this.supabase.from("rbac_app_pages").select("id, page_name").eq("app_id", scope.appId);
-      if (pages) {
-        if (!scope.organisationId) {
-          rbacCache.set(cacheKey, permissionMap, 6e4);
-          return permissionMap;
-        }
-        const securityContext = {
-          userId,
-          organisationId: scope.organisationId,
-          // Required
-          timestamp: /* @__PURE__ */ new Date()
-        };
-        for (const page of pages) {
-          for (const operation of ["read", "create", "update", "delete"]) {
-            const permissionString = `${operation}:page.${page.page_name}`;
-            const hasPermission = await this.isPermitted(
-              {
-                userId,
-                scope,
-                permission: permissionString,
-                pageId: page.id
-              },
-              securityContext
-            );
-            const permissionKey = permissionString;
-            permissionMap[permissionKey] = hasPermission;
-          }
-        }
-      }
-    }
-    rbacCache.set(cacheKey, permissionMap, 6e4);
-    return permissionMap;
-  }
-  async resolveAppContext(input) {
-    try {
-      const { userId, appName } = input;
-      const { data, error } = await this.supabase.rpc("data_app_resolve", {
-        p_user_id: userId,
-        p_app_name: appName
-      });
-      if (error) {
-        const logger = getRBACLogger();
-        logger.error("Failed to resolve app context:", error);
-        return null;
-      }
-      if (!data || data.length === 0) {
-        return null;
-      }
-      const appData = data[0];
-      if (!appData?.app_id) {
-        return null;
-      }
-      return {
-        appId: appData.app_id,
-        hasAccess: appData.has_access !== false
-      };
-    } catch (error) {
-      const logger = getRBACLogger();
-      logger.error("Unexpected error resolving app context:", error);
-      return null;
-    }
-  }
-  async getRoleContext(input) {
-    const result = {
-      globalRole: null,
-      organisationRole: null,
-      eventAppRole: null
-    };
-    try {
-      const { userId, scope } = input;
-      const { data, error } = await this.supabase.rpc("rbac_permissions_get", {
-        p_user_id: userId,
-        p_organisation_id: scope.organisationId || null,
-        p_event_id: scope.eventId || null,
-        p_app_id: scope.appId || null,
-        p_page_id: null
-        // Optional: can filter to specific page if needed
-      });
-      if (error) {
-        const logger = getRBACLogger();
-        logger.error("Failed to load role context:", error);
-        return result;
-      }
-      if (!Array.isArray(data)) {
-        return result;
-      }
-      for (const permission of data) {
-        if (permission.permission_type === "all_permissions") {
-          result.globalRole = "super_admin";
-        }
-        if (permission.permission_type === "organisation_access") {
-          result.organisationRole = permission.role_name;
-        }
-        if (permission.permission_type === "event_app_access") {
-          result.eventAppRole = permission.role_name;
-        }
-      }
-      return result;
-    } catch (error) {
-      const logger = getRBACLogger();
-      logger.error("Unexpected error loading role context:", error);
-      return result;
-    }
-  }
-  /**
-   * Check if user is super admin
-   * 
-   * @param userId - User ID
-   * @returns Promise resolving to super admin status
-   */
-  async checkSuperAdmin(userId) {
-    const cacheKey = `super_admin:${userId}`;
-    const cached = rbacCache.get(cacheKey);
-    if (cached !== null) {
-      return cached;
-    }
-    const startTime = Date.now();
-    const now = (/* @__PURE__ */ new Date()).toISOString();
-    try {
-      const { data, error } = await this.supabase.from("rbac_global_roles").select("role").eq("user_id", userId).eq("role", "super_admin").lte("valid_from", now).or(`valid_to.is.null,valid_to.gte.${now}`).limit(1);
-      const elapsed = Date.now() - startTime;
-      if (elapsed > 2e3) {
-        console.warn("[RBACEngine] Super admin check took longer than expected", {
-          userId,
-          elapsedMs: elapsed,
-          error: error?.message
-        });
-      }
-      const isSuperAdmin2 = !error && data && data.length > 0;
-      rbacCache.set(cacheKey, isSuperAdmin2, 6e4);
-      return Boolean(isSuperAdmin2);
-    } catch (err) {
-      const elapsed = Date.now() - startTime;
-      console.error("[RBACEngine] Error checking super admin", {
-        userId,
-        error: err,
-        elapsedMs: elapsed
-      });
-      return false;
-    }
-  }
-  /**
-   * Resolve a page ID to UUID if it's a page name
-   * 
-   * @param pageId - Page ID (UUID) or page name (string)
-   * @param appId - App ID to look up the page
-   * @returns Resolved page ID (UUID) or original pageId
-   */
-  async resolvePageId(pageId, appId) {
-    if (!pageId) {
-      return void 0;
-    }
-    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-    if (uuidRegex.test(pageId)) {
-      return pageId;
-    }
-    if (!appId) {
-      return pageId;
-    }
-    try {
-      const { data: page, error: pageError } = await this.supabase.from("rbac_app_pages").select("id").eq("app_id", appId).eq("page_name", pageId).maybeSingle();
-      if (pageError) {
-        const logger = getRBACLogger();
-        if (pageError.code !== "PGRST116") {
-          logger.warn("Failed to resolve page name to UUID:", { pageId, appId, error: pageError });
-        }
-        return pageId;
-      }
-      return page?.id || pageId;
-    } catch (error) {
-      const logger = getRBACLogger();
-      logger.warn("Failed to resolve page name to UUID:", { pageId, appId, error });
-      return pageId;
-    }
-  }
-};
-function createRBACEngine(supabase, securityConfig) {
-  return new RBACEngine(supabase, securityConfig);
-}
-
-// src/rbac/performance.ts
-var RBACPerformanceMonitor = class {
-  constructor() {
-    this.metrics = {
-      totalChecks: 0,
-      cacheHits: 0,
-      cacheMisses: 0,
-      cacheHitRate: 0,
-      deduplicatedRequests: 0,
-      networkRequests: 0,
-      averageResponseTime: 0,
-      totalResponseTime: 0,
-      batchedAuditEvents: 0,
-      individualAuditEvents: 0
-    };
-    this.enabled = false;
-  }
-  /**
-   * Enable or disable performance monitoring
-   */
-  setEnabled(enabled) {
-    this.enabled = enabled;
-  }
-  /**
-   * Check if performance monitoring is enabled
-   */
-  isEnabled() {
-    return this.enabled;
-  }
-  /**
-   * Record a permission check
-   */
-  recordCheck(cacheHit, responseTime, wasDeduplicated = false) {
-    if (!this.enabled) {
-      return;
-    }
-    this.metrics.totalChecks++;
-    if (cacheHit) {
-      this.metrics.cacheHits++;
-    } else {
-      this.metrics.cacheMisses++;
-      this.metrics.networkRequests++;
-    }
-    if (wasDeduplicated) {
-      this.metrics.deduplicatedRequests++;
-    }
-    this.metrics.totalResponseTime += responseTime;
-    this.metrics.averageResponseTime = this.metrics.totalResponseTime / this.metrics.totalChecks;
-    this.metrics.cacheHitRate = this.metrics.cacheHits / this.metrics.totalChecks;
-  }
-  /**
-   * Record an audit event
-   */
-  recordAuditEvent(batched) {
-    if (!this.enabled) {
-      return;
-    }
-    if (batched) {
-      this.metrics.batchedAuditEvents++;
-    } else {
-      this.metrics.individualAuditEvents++;
-    }
-  }
-  /**
-   * Get current metrics
-   */
-  getMetrics() {
-    return { ...this.metrics };
-  }
-  /**
-   * Reset all metrics
-   */
-  reset() {
-    this.metrics = {
-      totalChecks: 0,
-      cacheHits: 0,
-      cacheMisses: 0,
-      cacheHitRate: 0,
-      deduplicatedRequests: 0,
-      networkRequests: 0,
-      averageResponseTime: 0,
-      totalResponseTime: 0,
-      batchedAuditEvents: 0,
-      individualAuditEvents: 0
-    };
-  }
-  /**
-   * Get metrics summary as a formatted string
-   */
-  getSummary() {
-    const m = this.metrics;
-    return `
-RBAC Performance Metrics:
-  Total Checks: ${m.totalChecks}
-  Cache Hits: ${m.cacheHits} (${(m.cacheHitRate * 100).toFixed(1)}%)
-  Cache Misses: ${m.cacheMisses}
-  Deduplicated Requests: ${m.deduplicatedRequests}
-  Network Requests: ${m.networkRequests}
-  Average Response Time: ${m.averageResponseTime.toFixed(2)}ms
-  Batched Audit Events: ${m.batchedAuditEvents}
-  Individual Audit Events: ${m.individualAuditEvents}
-`;
-  }
-};
-var performanceMonitor = new RBACPerformanceMonitor();
-function enablePerformanceMonitoring() {
-  performanceMonitor.setEnabled(true);
-}
-function disablePerformanceMonitoring() {
-  performanceMonitor.setEnabled(false);
-}
-function isPerformanceMonitoringEnabled() {
-  return performanceMonitor.isEnabled();
-}
-function recordPermissionCheck(cacheHit, responseTime, wasDeduplicated = false) {
-  performanceMonitor.recordCheck(cacheHit, responseTime, wasDeduplicated);
-}
-function recordAuditEvent(batched) {
-  performanceMonitor.recordAuditEvent(batched);
-}
-function getPerformanceMetrics() {
-  return performanceMonitor.getMetrics();
-}
-function resetPerformanceMetrics() {
-  performanceMonitor.reset();
-}
-function getPerformanceSummary() {
-  return performanceMonitor.getSummary();
-}
-
-// src/rbac/request-deduplication.ts
-var inFlightRequests = /* @__PURE__ */ new Map();
-function generateDeduplicationKey(input) {
-  return RBACCache.generatePermissionKey({
-    userId: input.userId,
-    organisationId: input.scope.organisationId,
-    // Can be undefined for page-level permissions
-    eventId: input.scope.eventId,
-    appId: input.scope.appId,
-    permission: input.permission,
-    pageId: input.pageId
-  });
-}
-async function getOrCreateRequest(input, checkFn) {
-  const key = generateDeduplicationKey(input);
-  const existingRequest = inFlightRequests.get(key);
-  if (existingRequest) {
-    return existingRequest;
-  }
-  const requestPromise = checkFn(input).finally(() => {
-    inFlightRequests.delete(key);
-  });
-  inFlightRequests.set(key, requestPromise);
-  return requestPromise;
-}
-function clearInFlightRequests() {
-  inFlightRequests.clear();
-}
-function getInFlightRequestCount() {
-  return inFlightRequests.size;
-}
-
-// src/rbac/utils/eventContext.ts
-var orgDerivationCache = /* @__PURE__ */ new Map();
-var MAX_CACHE_SIZE = 100;
-async function getOrganisationFromEvent(supabase, eventId) {
-  if (orgDerivationCache.has(eventId)) {
-    return orgDerivationCache.get(eventId) ?? null;
-  }
-  const { data, error } = await supabase.from("core_events").select("organisation_id").eq("event_id", eventId).single();
-  let organisationId = null;
-  if (error || !data) {
-    organisationId = null;
-  } else if (data.organisation_id) {
-    organisationId = data.organisation_id;
-  } else {
-    organisationId = null;
-  }
-  if (orgDerivationCache.size >= MAX_CACHE_SIZE) {
-    const firstKey = orgDerivationCache.keys().next().value;
-    if (firstKey) {
-      orgDerivationCache.delete(firstKey);
-    }
-  }
-  orgDerivationCache.set(eventId, organisationId);
-  return organisationId;
-}
-
-// src/rbac/utils/contextValidator.ts
-var log3 = createLogger("ContextValidator");
-function allowsOptionalContexts(appName) {
-  return appName === "PORTAL" || appName === "ADMIN";
-}
-var ContextValidator = class {
-  /**
-   * Derive organisation ID from event ID
-   * 
-   * @param supabase - Supabase client
-   * @param eventId - Event ID
-   * @returns Organisation ID or null
-   */
-  static async deriveOrgFromEvent(supabase, eventId) {
-    return getOrganisationFromEvent(supabase, eventId);
-  }
-  /**
-   * Resolve scope based on page-level scope_type
-   * 
-   * This method handles page-level scoping. All pages have explicit scope_type set.
-   * Used for hybrid apps that have both event and organisation pages.
-   * 
-   * @param scope - Current scope
-   * @param pageScopeType - Page scope type ('event', 'organisation', or 'both')
-   * @param appName - App name (for PORTAL/ADMIN special case)
-   * @param supabase - Supabase client (for deriving org from event, only if not already provided)
-   * @param immediateOrganisationId - Optional immediate organisation ID (from selectedEvent.organisation_id) - avoids querying
-   * @returns Resolved scope with all required context
-   */
-  static async resolveScopeForPage(scope, pageScopeType, appName, supabase, immediateOrganisationId) {
-    const effectiveScopeType = pageScopeType;
-    if (effectiveScopeType === "both") {
-      if (!scope.organisationId && !scope.eventId) {
-        if (allowsOptionalContexts(appName)) {
-          return {
-            isValid: true,
-            resolvedScope: {
-              organisationId: void 0,
-              eventId: void 0,
-              appId: scope.appId
-            },
-            error: null
-          };
-        }
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new Error("Page requires either organisation or event context")
-        };
-      }
-      let organisationId = scope.organisationId || immediateOrganisationId || void 0;
-      if (!organisationId && scope.eventId && supabase) {
-        try {
-          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
-          organisationId = derivedOrgId || void 0;
-        } catch (error) {
-          log3.warn("Failed to derive org from event for both-scope page:", error);
-        }
-      }
-      return {
-        isValid: true,
-        resolvedScope: {
-          organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId
-        },
-        error: null
-      };
-    }
-    if (effectiveScopeType === "event") {
-      if (!scope.eventId) {
-        if (allowsOptionalContexts(appName)) {
-          return {
-            isValid: true,
-            resolvedScope: {
-              organisationId: scope.organisationId,
-              eventId: void 0,
-              appId: scope.appId
-            },
-            error: null
-          };
-        }
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new EventContextRequiredError()
-        };
-      }
-      let organisationId = scope.organisationId || immediateOrganisationId || void 0;
-      if (!organisationId && supabase && scope.eventId) {
-        try {
-          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
-          organisationId = derivedOrgId || void 0;
-          if (!organisationId) {
-            return {
-              isValid: false,
-              resolvedScope: null,
-              error: new Error("Could not resolve organisation from event context")
-            };
-          }
-        } catch (error) {
-          log3.error("Failed to derive org from event:", error);
-          return {
-            isValid: false,
-            resolvedScope: null,
-            error: error instanceof Error ? error : new Error("Failed to derive organisation from event")
-          };
-        }
-      }
-      return {
-        isValid: true,
-        resolvedScope: {
-          organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId
-        },
-        error: null
-      };
-    }
-    if (effectiveScopeType === "organisation") {
-      if (!scope.organisationId) {
-        if (allowsOptionalContexts(appName)) {
-          return {
-            isValid: true,
-            resolvedScope: {
-              organisationId: void 0,
-              eventId: scope.eventId,
-              appId: scope.appId
-            },
-            error: null
-          };
-        }
-        return {
-          isValid: false,
-          resolvedScope: null,
-          error: new OrganisationContextRequiredError()
-        };
-      }
-      return {
-        isValid: true,
-        resolvedScope: {
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          // Event is optional for org-scoped pages
-          appId: scope.appId
-        },
-        error: null
-      };
-    }
-    return {
-      isValid: false,
-      resolvedScope: null,
-      error: new Error("Invalid scope type")
-    };
-  }
-};
-
-// src/rbac/api.ts
-var log4 = createLogger("RBACAPI");
-var globalEngine = null;
-function setupRBAC(supabase, config) {
-  getRBACLogger();
-  const isDevelopment = import.meta.env.MODE === "development";
-  const fullConfig = {
-    supabase,
-    debug: isDevelopment,
-    logLevel: "warn",
-    developmentMode: isDevelopment,
-    ...config
-  };
-  createRBACConfig(fullConfig);
-  const securityConfig = config === void 0 && !isDevelopment ? void 0 : {
-    // Default: disable rate limiting in development
-    ...isDevelopment && config?.security?.enableRateLimiting === void 0 ? { enableRateLimiting: false } : {},
-    // Explicit config overrides defaults
-    ...config?.security
-  };
-  globalEngine = createRBACEngine(supabase, securityConfig);
-  const useBatchedAudit = config?.audit?.batched !== false && config?.performance?.enableBatchedAuditLogging !== false;
-  const batchConfig = useBatchedAudit ? {
-    batchWindow: config?.audit?.batchWindow,
-    batchSize: config?.audit?.batchSize
-  } : void 0;
-  const auditManager = createAuditManager(supabase, useBatchedAudit, batchConfig);
-  setGlobalAuditManager(auditManager);
-  if (config?.performance?.enablePerformanceTracking) {
-    enablePerformanceMonitoring();
-  }
-}
-function isRBACInitialized() {
-  return globalEngine !== null;
-}
-function getEngine() {
-  if (!globalEngine) {
-    throw new RBACNotInitializedError();
-  }
-  return globalEngine;
-}
-async function getAccessLevel(input, appName) {
-  try {
-    const engine = getEngine();
-    const isSuperAdminUser = await engine["checkSuperAdmin"](input.userId);
-    if (isSuperAdminUser) {
-      return "super";
-    }
-    const validation = await ContextValidator.resolveScopeForPage(
-      input.scope,
-      "organisation",
-      // Default to organisation scope when no page context
-      appName,
-      engine["supabase"]
-    );
-    if (!validation.isValid || !validation.resolvedScope) {
-      throw validation.error || new OrganisationContextRequiredError();
-    }
-    return engine.getAccessLevel({
-      ...input,
-      scope: validation.resolvedScope
-    });
-  } catch (error) {
-    throw error;
-  }
-}
-async function getPermissionMap(input, appName) {
-  try {
-    const engine = getEngine();
-    const validation = await ContextValidator.resolveScopeForPage(
-      input.scope,
-      "organisation",
-      // Default to organisation scope when no page context
-      appName,
-      engine["supabase"]
-    );
-    if (!validation.isValid || !validation.resolvedScope) {
-      throw validation.error || new OrganisationContextRequiredError();
-    }
-    return engine.getPermissionMap({
-      ...input,
-      scope: validation.resolvedScope
-    });
-  } catch (error) {
-    throw error;
-  }
-}
-async function resolveAppContext(input) {
-  try {
-    const engine = getEngine();
-    return await engine.resolveAppContext(input);
-  } catch (error) {
-    throw error;
-  }
-}
-async function getRoleContext(input, appName) {
-  const engine = getEngine();
-  const validation = await ContextValidator.resolveScopeForPage(
-    input.scope,
-    "organisation",
-    // Default to organisation scope when no page context
-    appName,
-    engine["supabase"]
-  );
-  if (!validation.isValid || !validation.resolvedScope) {
-    throw validation.error || new OrganisationContextRequiredError();
-  }
-  return engine.getRoleContext({
-    ...input,
-    scope: validation.resolvedScope
-  });
-}
-async function isPermitted(input, appName, precomputedSuperAdmin = null) {
-  const engine = getEngine();
-  if (precomputedSuperAdmin === true) {
-    return true;
-  }
-  if (precomputedSuperAdmin === null) {
-    const isSuperAdminUser = await engine["checkSuperAdmin"](input.userId);
-    if (isSuperAdminUser) {
-      return true;
-    }
-  }
-  let resolvedAppName = appName;
-  if (!resolvedAppName && input.scope.appId) {
-    try {
-      const { data } = await engine["supabase"].from("rbac_apps").select("name").eq("id", input.scope.appId).eq("is_active", true).single();
-      if (data) {
-        resolvedAppName = data.name;
-      }
-    } catch (err) {
-    }
-  }
-  let pageScopeType;
-  if (input.pageId) {
-    try {
-      const scopeType = await getPageScopeType(
-        input.pageId,
-        input.scope.appId,
-        resolvedAppName
-      );
-      if (!scopeType) {
-        throw new Error(`Page ${input.pageId} does not have scope_type set`);
-      }
-      pageScopeType = scopeType;
-    } catch (err) {
-      log4.error("Failed to get page scope type:", err);
-      throw new Error(`Failed to determine page scope type: ${err instanceof Error ? err.message : String(err)}`);
-    }
-  } else {
-    pageScopeType = "organisation";
-  }
-  const validation = await ContextValidator.resolveScopeForPage(
-    input.scope,
-    pageScopeType,
-    resolvedAppName,
-    engine["supabase"]
-  );
-  if (!validation.isValid || !validation.resolvedScope) {
-    throw validation.error || new OrganisationContextRequiredError();
-  }
-  const validatedScope = validation.resolvedScope;
-  if (pageScopeType === "both" && input.pageId) {
-    const eventScope = {
-      organisationId: validatedScope.organisationId,
-      // Org derived from event
-      eventId: validatedScope.eventId,
-      appId: validatedScope.appId
-    };
-    const eventSecurityContext = {
-      userId: input.userId,
-      organisationId: eventScope.organisationId || null,
-      timestamp: /* @__PURE__ */ new Date()
-    };
-    const eventInput = {
-      ...input,
-      scope: eventScope
-    };
-    const hasEventPermission = await engine.isPermitted(eventInput, eventSecurityContext);
-    if (validatedScope.organisationId && validatedScope.eventId) {
-      const orgScope = {
-        organisationId: validatedScope.organisationId,
-        eventId: void 0,
-        // Clear event for org-only check
-        appId: validatedScope.appId
-      };
-      const orgSecurityContext = {
-        userId: input.userId,
-        organisationId: orgScope.organisationId || null,
-        timestamp: /* @__PURE__ */ new Date()
-      };
-      const orgInput = {
-        ...input,
-        scope: orgScope
-      };
-      const hasOrgPermission = await engine.isPermitted(orgInput, orgSecurityContext);
-      return hasEventPermission || hasOrgPermission;
-    }
-    return hasEventPermission;
-  }
-  const securityContext = {
-    userId: input.userId,
-    organisationId: validatedScope.organisationId || null,
-    timestamp: /* @__PURE__ */ new Date()
-    // Optional fields can be omitted
-  };
-  const validatedInput = {
-    ...input,
-    scope: validatedScope
-  };
-  return engine.isPermitted(validatedInput, securityContext);
-}
-async function isPermittedCached(input, appName) {
-  const { userId, scope, permission, pageId } = input;
-  const cacheKey = RBACCache.generatePermissionKey({
-    userId,
-    organisationId: scope.organisationId,
-    eventId: scope.eventId,
-    appId: scope.appId,
-    permission,
-    pageId
-  });
-  const cached = rbacCache.get(cacheKey, true);
-  if (cached !== null) {
-    return cached;
-  }
-  return getOrCreateRequest(input, async (checkInput) => {
-    const result = await isPermitted(checkInput, appName, null);
-    const isPageLevelCheck = !!pageId || permission.includes("page.");
-    rbacCache.set(cacheKey, result, void 0, isPageLevelCheck);
-    return result;
-  });
-}
-async function hasAnyPermission(input) {
-  const { permissions, ...baseInput } = input;
-  for (const permission of permissions) {
-    const hasPermission = await isPermitted({
-      ...baseInput,
-      permission
-    });
-    if (hasPermission) {
-      return true;
-    }
-  }
-  return false;
-}
-async function hasAllPermissions(input) {
-  const { permissions, ...baseInput } = input;
-  for (const permission of permissions) {
-    const hasPermission = await isPermitted({
-      ...baseInput,
-      permission
-    });
-    if (!hasPermission) {
-      return false;
-    }
-  }
-  return true;
-}
-async function isSuperAdmin(userId) {
-  const engine = getEngine();
-  return engine["checkSuperAdmin"](userId);
-}
-async function getPageScopeType(pageId, appId, appName) {
-  const engine = getEngine();
-  try {
-    let resolvedAppId = appId;
-    if (!resolvedAppId && appName) {
-      const { data: app } = await engine["supabase"].from("rbac_apps").select("id").eq("name", appName).eq("is_active", true).single();
-      resolvedAppId = app?.id;
-    }
-    if (!resolvedAppId) {
-      throw new Error(`Could not resolve appId for page ${pageId}`);
-    }
-    let resolvedPageId = pageId;
-    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-    if (!uuidRegex.test(pageId)) {
-      const { data: page } = await engine["supabase"].from("rbac_app_pages").select("id").eq("app_id", resolvedAppId).eq("page_name", pageId).maybeSingle();
-      resolvedPageId = page?.id || pageId;
-    }
-    if (!uuidRegex.test(resolvedPageId)) {
-      throw new Error(`Could not resolve pageId ${pageId} to a valid UUID`);
-    }
-    const { data: pageData, error } = await engine["supabase"].from("rbac_app_pages").select("scope_type").eq("id", resolvedPageId).single();
-    if (error) {
-      log4.error("Error fetching page scope type:", { pageId, appId, error });
-      throw new Error(`Failed to get page scope type: ${error.message}`);
-    }
-    if (!pageData || !pageData.scope_type) {
-      throw new Error(`Page ${resolvedPageId} does not have scope_type set`);
-    }
-    return pageData.scope_type;
-  } catch (err) {
-    log4.error("Error fetching page scope type:", err);
-    throw err instanceof Error ? err : new Error(`Failed to get page scope type: ${String(err)}`);
-  }
-}
-async function isOrganisationAdmin(userId, organisationId) {
-  const accessLevel = await getAccessLevel({
-    userId,
-    scope: { organisationId }
-  });
-  return accessLevel === "admin" || accessLevel === "super";
-}
-async function isEventAdmin(userId, scope) {
-  if (!scope.eventId || !scope.appId) {
-    return false;
-  }
-  const accessLevel = await getAccessLevel({ userId, scope });
-  return accessLevel === "admin" || accessLevel === "super";
-}
-function invalidateUserCache(userId, organisationId) {
-  const patterns = organisationId ? [
-    CACHE_PATTERNS.PERMISSION(userId, organisationId),
-    `access:${userId}:${organisationId}:`,
-    `map:${userId}:${organisationId}:`
-  ] : [
-    `perm:${userId}:`,
-    `access:${userId}:`,
-    `map:${userId}:`
-  ];
-  patterns.forEach((pattern) => rbacCache.invalidate(pattern));
-}
-function invalidateOrganisationCache(organisationId) {
-  rbacCache.invalidate(CACHE_PATTERNS.ORGANISATION(organisationId));
-}
-function invalidateEventCache(eventId) {
-  rbacCache.invalidate(CACHE_PATTERNS.EVENT(eventId));
-}
-function invalidateAppCache(appId) {
-  rbacCache.invalidate(CACHE_PATTERNS.APP(appId));
-}
-function clearCache() {
-  rbacCache.clear();
-}
-
-export { CACHE_PATTERNS, ContextValidator, EventContextRequiredError, OrganisationContextRequiredError, RBACCache, RBACEngine, RBACNotInitializedError, clearCache, clearInFlightRequests, createRBACConfig, createRBACEngine, disablePerformanceMonitoring, enablePerformanceMonitoring, getAccessLevel, getInFlightRequestCount, getPageScopeType, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getRBACConfig, getRBACLogger, getRoleContext, hasAllPermissions, hasAnyPermission, invalidateAppCache, invalidateEventCache, invalidateOrganisationCache, invalidateUserCache, isDebugMode, isDevelopmentMode, isEventAdmin, isOrganisationAdmin, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isSuperAdmin, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setupRBAC };