@jmruthers/pace-core 0.2.7 → 0.5.1

package/dist/rbac/index.d.ts

@@ -1,7 +1,7 @@
 import { SupabaseClient } from '@supabase/supabase-js';
 import { D as Database } from '../database-C3Szpi5J.js';
-import React__default, { ReactNode } from 'react';
 import * as react_jsx_runtime from 'react/jsx-runtime';
+import React__default, { ReactNode } from 'react';
 
 /**
  * RBAC (Role-Based Access Control) Types - Build Contract Compliant
@@ -692,950 +692,950 @@ declare class RBACEngine {
  */
 declare function createRBACEngine(supabase: SupabaseClient<Database>): RBACEngine;
 
+interface PagePermissionContextType {
+    /** Check if user has permission for a page */
+    hasPagePermission: (pageName: string, operation: string, pageId?: string, scope?: Scope) => boolean;
+    /** Get all page permissions for current user */
+    getPagePermissions: () => Record<string, string[]>;
+    /** Check if page permission checking is enabled */
+    isEnabled: boolean;
+    /** Check if strict mode is enabled */
+    isStrictMode: boolean;
+    /** Check if audit logging is enabled */
+    isAuditLogEnabled: boolean;
+    /** Get page access history */
+    getPageAccessHistory: () => PageAccessRecord[];
+    /** Clear page access history */
+    clearPageAccessHistory: () => void;
+}
+interface PageAccessRecord {
+    pageName: string;
+    operation: string;
+    userId: UUID;
+    scope: Scope;
+    allowed: boolean;
+    timestamp: string;
+    pageId?: string;
+}
+interface PagePermissionProviderProps {
+    /** Child components */
+    children: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when page access is attempted */
+    onPageAccess?: (pageName: string, operation: string, allowed: boolean, record: PageAccessRecord) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (pageName: string, operation: string, record: PageAccessRecord) => void;
+    /** Maximum number of access records to keep in history */
+    maxHistorySize?: number;
+}
 /**
- * RBAC React Hooks
- * @package @jmruthers/pace-core
- * @module RBAC/Hooks
- * @since 1.0.0
- *
- * This module provides React hooks for RBAC functionality.
- */
-
-/**
- * Hook to get user's permissions in a scope
- *
- * @param userId - User ID
- * @param scope - Permission scope
- * @returns Permission data and loading state
- *
- * @example
- * ```tsx
- * function MyComponent() {
- *   const { permissions, isLoading, error } = usePermissions(
- *     'user-123',
- *     { organisationId: 'org-456' }
- *   );
+ * PagePermissionProvider - Manages page-level permissions across the app
  *
- *   if (isLoading) return <div>Loading...</div>;
- *   if (error) return <div>Error: {error.message}</div>;
+ * This provider ensures that all pages are properly protected and provides
+ * centralized page permission management with strict enforcement.
  *
- *   return (
- *     <div>
- *       {permissions['page-1']?.includes('read') && <ReadButton />}
- *       {permissions['page-1']?.includes('manage') && <ManageButton />}
- *     </div>
- *   );
- * }
- * ```
+ * @param props - Provider props
+ * @returns React element with page permission context
  */
-declare function usePermissions(userId: UUID, scope: Scope): UsePermissionsReturn;
+declare function PagePermissionProvider({ children, strictMode, auditLog, onPageAccess, onStrictModeViolation, maxHistorySize }: PagePermissionProviderProps): react_jsx_runtime.JSX.Element;
 /**
- * Hook to check if user has a specific permission
- *
- * @param userId - User ID
- * @param scope - Permission scope
- * @param permission - Permission to check
- * @param pageId - Optional page ID
- * @param useCache - Whether to use cached results (default: true)
- * @returns Permission check result and loading state
- *
- * @example
- * ```tsx
- * function MyComponent() {
- *   const { can, isLoading } = useCan(
- *     'user-123',
- *     { organisationId: 'org-456' },
- *     'manage:events',
- *     'page-789'
- *   );
- *
- *   if (isLoading) return <div>Checking permission...</div>;
+ * Hook to use page permission context
  *
- *   return (
- *     <div>
- *       {can ? <AdminPanel /> : <AccessDenied />}
- *     </div>
- *   );
- * }
- * ```
+ * @returns Page permission context
+ * @throws Error if used outside of PagePermissionProvider
  */
-declare function useCan(userId: UUID, scope: Scope, permission: Permission, pageId?: UUID, useCache?: boolean): UseCanReturn;
+declare function usePagePermissions(): PagePermissionContextType;
+
+interface PagePermissionGuardProps {
+    /** Name of the page being protected */
+    pageName: string;
+    /** Operation being performed on the page */
+    operation: 'read' | 'create' | 'update' | 'delete';
+    /** Content to render when user has permission */
+    children: React__default.ReactNode;
+    /** Content to render when user lacks permission */
+    fallback?: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Force audit logging for this page access (default: true) */
+    auditLog?: boolean;
+    /** Custom page ID for permission checking */
+    pageId?: string;
+    /** Custom scope for permission checking */
+    scope?: Scope;
+    /** Callback when access is denied */
+    onDenied?: (pageName: string, operation: string) => void;
+    /** Loading state content */
+    loading?: React__default.ReactNode;
+}
 /**
- * Hook to get user's access level in a scope
- *
- * @param userId - User ID
- * @param scope - Permission scope
- * @returns Access level and loading state
- *
- * @example
- * ```tsx
- * function MyComponent() {
- *   const { accessLevel, isLoading } = useAccessLevel(
- *     'user-123',
- *     { organisationId: 'org-456' }
- *   );
+ * PagePermissionGuard - Enforces page-level permissions
  *
- *   if (isLoading) return <div>Loading...</div>;
+ * This component ensures that users can only access pages they have permission for.
+ * It integrates with the existing RBAC system and provides strict enforcement to
+ * prevent apps from bypassing permission checks.
  *
- *   return (
- *     <div>
- *       {accessLevel === 'super' && <SuperAdminPanel />}
- *       {accessLevel === 'admin' && <AdminPanel />}
- *       {accessLevel === 'planner' && <PlannerPanel />}
- *     </div>
- *   );
- * }
- * ```
+ * @param props - Component props
+ * @returns React element with permission enforcement
  */
-declare function useAccessLevel(userId: UUID, scope: Scope): {
-    accessLevel: AccessLevel | null;
-    isLoading: boolean;
-    error: Error | null;
-    refetch: () => Promise<void>;
-};
+declare function PagePermissionGuard({ pageName, operation, children, fallback, strictMode, auditLog, pageId, scope, onDenied, loading }: PagePermissionGuardProps): react_jsx_runtime.JSX.Element;
+
+interface DataAccessRecord {
+    table: string;
+    operation: string;
+    userId: UUID;
+    scope: Scope;
+    allowed: boolean;
+    timestamp: string;
+    query?: string;
+    filters?: Record<string, any>;
+}
+interface SecureDataContextType {
+    /** Check if data access is allowed for a table and operation */
+    isDataAccessAllowed: (table: string, operation: string, scope?: Scope) => boolean;
+    /** Get all data access permissions for current user */
+    getDataAccessPermissions: () => Record<string, string[]>;
+    /** Check if secure data access is enabled */
+    isEnabled: boolean;
+    /** Check if strict mode is enabled */
+    isStrictMode: boolean;
+    /** Check if audit logging is enabled */
+    isAuditLogEnabled: boolean;
+    /** Get data access history */
+    getDataAccessHistory: () => DataAccessRecord[];
+    /** Clear data access history */
+    clearDataAccessHistory: () => void;
+    /** Validate data access attempt */
+    validateDataAccess: (table: string, operation: string, scope?: Scope) => boolean;
+}
+interface SecureDataProviderProps {
+    /** Child components */
+    children: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when data access is attempted */
+    onDataAccess?: (table: string, operation: string, allowed: boolean, record: DataAccessRecord) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (table: string, operation: string, record: DataAccessRecord) => void;
+    /** Maximum number of access records to keep in history */
+    maxHistorySize?: number;
+    /** Enable RLS enforcement (default: true) */
+    enforceRLS?: boolean;
+}
 /**
- * Hook to check multiple permissions at once
- *
- * @param userId - User ID
- * @param scope - Permission scope
- * @param permissions - Array of permissions to check
- * @param pageId - Optional page ID
- * @param useCache - Whether to use cached results (default: true)
- * @returns Object with permission results and loading state
+ * SecureDataProvider - Prevents direct Supabase access and enforces secure data patterns
  *
- * @example
- * ```tsx
- * function MyComponent() {
- *   const { permissions, isLoading } = useMultiplePermissions(
- *     'user-123',
- *     { organisationId: 'org-456' },
- *     ['read:events', 'manage:events', 'delete:events']
- *   );
+ * This provider ensures that all data access goes through the secure RBAC system
+ * and prevents apps from bypassing data access controls.
  *
- *   return (
- *     <div>
- *       {permissions['read:events'] && <ReadButton />}
- *       {permissions['manage:events'] && <ManageButton />}
- *       {permissions['delete:events'] && <DeleteButton />}
- *     </div>
- *   );
- * }
- * ```
+ * @param props - Provider props
+ * @returns React element with secure data context
  */
-declare function useMultiplePermissions(userId: UUID, scope: Scope, permissions: Permission[], pageId?: UUID, useCache?: boolean): {
-    permissions: Record<Permission, boolean>;
-    isLoading: boolean;
-    error: Error | null;
-    refetch: () => Promise<void>;
-};
+declare function SecureDataProvider({ children, strictMode, auditLog, onDataAccess, onStrictModeViolation, maxHistorySize, enforceRLS }: SecureDataProviderProps): react_jsx_runtime.JSX.Element;
 /**
- * Hook to check if user has any of the specified permissions
+ * Hook to use secure data context
  *
- * @param userId - User ID
+ * @returns Secure data context
+ * @throws Error if used outside of SecureDataProvider
+ */
+declare function useSecureData(): SecureDataContextType;
+
+interface PermissionEnforcerProps {
+    /** Permissions required for access */
+    permissions: Permission[];
+    /** Operation being performed */
+    operation: string;
+    /** Content to render when user has permission */
+    children: React__default.ReactNode;
+    /** Content to render when user lacks permission */
+    fallback?: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Force audit logging for this operation (default: true) */
+    auditLog?: boolean;
+    /** Custom scope for permission checking */
+    scope?: Scope;
+    /** Callback when access is denied */
+    onDenied?: (permissions: Permission[], operation: string) => void;
+    /** Loading state content */
+    loading?: React__default.ReactNode;
+    /** Require all permissions (AND) or any permission (OR) */
+    requireAll?: boolean;
+}
+/**
+ * PermissionEnforcer - Enforces permissions for operations
+ *
+ * This component ensures that users can only perform operations they have permission for.
+ * It integrates with the existing RBAC system and provides strict enforcement to
+ * prevent apps from bypassing permission checks.
+ *
+ * @param props - Component props
+ * @returns React element with permission enforcement
+ */
+declare function PermissionEnforcer({ permissions, operation, children, fallback, strictMode, auditLog, scope, onDenied, loading, requireAll }: PermissionEnforcerProps): react_jsx_runtime.JSX.Element;
+
+interface RouteConfig {
+    /** Route path */
+    path: string;
+    /** React component to render */
+    component: React__default.ComponentType;
+    /** Permissions required for this route */
+    permissions: Permission[];
+    /** Roles that can access this route */
+    roles?: string[];
+    /** Minimum access level required */
+    accessLevel?: AccessLevel;
+    /** Page ID for permission checking */
+    pageId?: string;
+    /** Enable strict mode for this route */
+    strictMode?: boolean;
+    /** Route metadata */
+    meta?: {
+        title?: string;
+        description?: string;
+        requiresAuth?: boolean;
+        hidden?: boolean;
+    };
+}
+interface RouteAccessRecord {
+    route: string;
+    permissions: Permission[];
+    userId: UUID;
+    scope: Scope;
+    allowed: boolean;
+    timestamp: string;
+    pageId?: string;
+    roles?: string[];
+    accessLevel?: AccessLevel;
+}
+interface RoleBasedRouterContextType {
+    /** Get all accessible routes for current user */
+    getAccessibleRoutes: () => RouteConfig[];
+    /** Check if user can access a specific route */
+    canAccessRoute: (path: string) => boolean;
+    /** Get route configuration for a path */
+    getRouteConfig: (path: string) => RouteConfig | null;
+    /** Get route access history */
+    getRouteAccessHistory: () => RouteAccessRecord[];
+    /** Clear route access history */
+    clearRouteAccessHistory: () => void;
+    /** Check if strict mode is enabled */
+    isStrictMode: boolean;
+    /** Check if audit logging is enabled */
+    isAuditLogEnabled: boolean;
+}
+interface RoleBasedRouterProps {
+    /** Route configuration */
+    routes: RouteConfig[];
+    /** Fallback route for unauthorized access */
+    fallbackRoute?: string;
+    /** Child components */
+    children: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when route access is attempted */
+    onRouteAccess?: (route: string, allowed: boolean, record: RouteAccessRecord) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (route: string, record: RouteAccessRecord) => void;
+    /** Maximum number of access records to keep in history */
+    maxHistorySize?: number;
+    /** Custom unauthorized component */
+    unauthorizedComponent?: React__default.ComponentType<{
+        route: string;
+        reason: string;
+    }>;
+}
+/**
+ * RoleBasedRouter - Centralized routing control with role-based protection
+ *
+ * This component ensures that all routes are properly protected and provides
+ * centralized routing control to prevent apps from bypassing route protection.
+ *
+ * @param props - Router props
+ * @returns React element with role-based routing
+ */
+declare function RoleBasedRouter({ routes, fallbackRoute, children, strictMode, auditLog, onRouteAccess, onStrictModeViolation, maxHistorySize, unauthorizedComponent: UnauthorizedComponent }: RoleBasedRouterProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to use role-based router context
+ *
+ * @returns Role-based router context
+ * @throws Error if used outside of RoleBasedRouter
+ */
+declare function useRoleBasedRouter(): RoleBasedRouterContextType;
+
+interface NavigationItem {
+    /** Unique identifier for the navigation item */
+    id: string;
+    /** Display label for the navigation item */
+    label: string;
+    /** Navigation path/URL */
+    path: string;
+    /** Permissions required for this navigation item */
+    permissions: Permission[];
+    /** Roles that can access this navigation item */
+    roles?: string[];
+    /** Minimum access level required */
+    accessLevel?: 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
+    /** Page ID for permission checking */
+    pageId?: string;
+    /** Enable strict mode for this navigation item */
+    strictMode?: boolean;
+    /** Navigation item metadata */
+    meta?: {
+        icon?: string;
+        description?: string;
+        hidden?: boolean;
+        order?: number;
+    };
+}
+interface NavigationAccessRecord {
+    navigationItem: string;
+    permissions: Permission[];
+    userId: UUID;
+    scope: Scope;
+    allowed: boolean;
+    timestamp: string;
+    pageId?: string;
+    roles?: string[];
+    accessLevel?: string;
+}
+interface NavigationContextType {
+    /** Check if user has permission for a navigation item */
+    hasNavigationPermission: (item: NavigationItem) => boolean;
+    /** Get all navigation permissions for current user */
+    getNavigationPermissions: () => Record<string, string[]>;
+    /** Get filtered navigation items based on permissions */
+    getFilteredNavigationItems: (items: NavigationItem[]) => NavigationItem[];
+    /** Check if navigation permission checking is enabled */
+    isEnabled: boolean;
+    /** Check if strict mode is enabled */
+    isStrictMode: boolean;
+    /** Check if audit logging is enabled */
+    isAuditLogEnabled: boolean;
+    /** Get navigation access history */
+    getNavigationAccessHistory: () => NavigationAccessRecord[];
+    /** Clear navigation access history */
+    clearNavigationAccessHistory: () => void;
+}
+interface NavigationProviderProps {
+    /** Child components */
+    children: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when navigation access is attempted */
+    onNavigationAccess?: (item: NavigationItem, allowed: boolean, record: NavigationAccessRecord) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (item: NavigationItem, record: NavigationAccessRecord) => void;
+    /** Maximum number of access records to keep in history */
+    maxHistorySize?: number;
+}
+/**
+ * NavigationProvider - Manages navigation-level permissions across the app
+ *
+ * This provider ensures that all navigation items are properly protected and provides
+ * centralized navigation permission management with strict enforcement.
+ *
+ * @param props - Provider props
+ * @returns React element with navigation permission context
+ */
+declare function NavigationProvider({ children, strictMode, auditLog, onNavigationAccess, onStrictModeViolation, maxHistorySize }: NavigationProviderProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to use navigation permission context
+ *
+ * @returns Navigation permission context
+ * @throws Error if used outside of NavigationProvider
+ */
+declare function useNavigationPermissions(): NavigationContextType;
+
+interface NavigationGuardProps {
+    /** Navigation item being protected */
+    navigationItem: NavigationItem;
+    /** Content to render when user has permission */
+    children: React__default.ReactNode;
+    /** Content to render when user lacks permission */
+    fallback?: React__default.ReactNode;
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Force audit logging for this navigation access (default: true) */
+    auditLog?: boolean;
+    /** Custom scope for permission checking */
+    scope?: Scope;
+    /** Callback when access is denied */
+    onDenied?: (item: NavigationItem) => void;
+    /** Loading state content */
+    loading?: React__default.ReactNode;
+    /** Require all permissions (AND) or any permission (OR) */
+    requireAll?: boolean;
+}
+/**
+ * NavigationGuard - Enforces navigation-level permissions
+ *
+ * This component ensures that users can only access navigation items they have permission for.
+ * It integrates with the existing RBAC system and provides strict enforcement to
+ * prevent apps from bypassing navigation permission checks.
+ *
+ * @param props - Component props
+ * @returns React element with navigation permission enforcement
+ */
+declare function NavigationGuard({ navigationItem, children, fallback, strictMode, auditLog, scope, onDenied, loading, requireAll }: NavigationGuardProps): react_jsx_runtime.JSX.Element;
+
+interface EnhancedNavigationMenuProps {
+    /** Navigation items to display */
+    items: NavigationItem[];
+    /** Enable strict mode to prevent bypassing (default: true) */
+    strictMode?: boolean;
+    /** Enable audit logging (default: true) */
+    auditLog?: boolean;
+    /** Callback when navigation access is attempted */
+    onNavigationAccess?: (item: NavigationItem, allowed: boolean) => void;
+    /** Callback when strict mode violation occurs */
+    onStrictModeViolation?: (item: NavigationItem) => void;
+    /** Custom className for the navigation menu */
+    className?: string;
+    /** Custom className for navigation items */
+    itemClassName?: string;
+    /** Custom className for active navigation items */
+    activeItemClassName?: string;
+    /** Custom className for disabled navigation items */
+    disabledItemClassName?: string;
+    /** Show/hide navigation items that user doesn't have permission for */
+    hideUnauthorizedItems?: boolean;
+    /** Custom render function for navigation items */
+    renderItem?: (item: NavigationItem, isAuthorized: boolean) => React__default.ReactNode;
+    /** Current active path for highlighting */
+    activePath?: string;
+    /** Navigation item click handler */
+    onItemClick?: (item: NavigationItem) => void;
+}
+/**
+ * EnhancedNavigationMenu - Secure navigation menu with RBAC integration
+ *
+ * This component provides a navigation menu that automatically filters items based on
+ * user permissions and enforces strict security controls.
+ *
+ * @param props - Component props
+ * @returns React element with enhanced navigation menu
+ */
+declare function EnhancedNavigationMenu({ items, strictMode, auditLog, onNavigationAccess, onStrictModeViolation, className, itemClassName, activeItemClassName, disabledItemClassName, hideUnauthorizedItems, renderItem, activePath, onItemClick }: EnhancedNavigationMenuProps): react_jsx_runtime.JSX.Element;
+
+/**
+ * RBAC React Hooks
+ * @package @jmruthers/pace-core
+ * @module RBAC/Hooks
+ * @since 1.0.0
+ *
+ * This module provides React hooks for RBAC functionality.
+ */
+
+/**
+ * Hook to get user's permissions in a scope
+ *
+ * @param userId - User ID
  * @param scope - Permission scope
- * @param permissions - Array of permissions to check
- * @param pageId - Optional page ID
- * @returns True if user has any permission and loading state
+ * @returns Permission data and loading state
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { hasAny, isLoading } = useHasAnyPermission(
+ *   const { permissions, isLoading, error } = usePermissions(
  *     'user-123',
- *     { organisationId: 'org-456' },
- *     ['read:events', 'manage:events']
+ *     { organisationId: 'org-456' }
  *   );
  *
+ *   if (isLoading) return <div>Loading...</div>;
+ *   if (error) return <div>Error: {error.message}</div>;
+ *
  *   return (
  *     <div>
- *       {hasAny ? <EventContent /> : <AccessDenied />}
+ *       {permissions['page-1']?.includes('read') && <ReadButton />}
+ *       {permissions['page-1']?.includes('manage') && <ManageButton />}
  *     </div>
  *   );
  * }
  * ```
  */
-declare function useHasAnyPermission(userId: UUID, scope: Scope, permissions: Permission[], pageId?: UUID): {
-    hasAny: boolean;
-    isLoading: boolean;
-    error: Error | null;
-    refetch: () => Promise<void>;
-};
+declare function usePermissions(userId: UUID, scope: Scope): UsePermissionsReturn;
 /**
- * Hook to check if user has all of the specified permissions
+ * Hook to check if user has a specific permission
  *
  * @param userId - User ID
  * @param scope - Permission scope
- * @param permissions - Array of permissions to check
+ * @param permission - Permission to check
  * @param pageId - Optional page ID
- * @returns True if user has all permissions and loading state
+ * @param useCache - Whether to use cached results (default: true)
+ * @returns Permission check result and loading state
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { hasAll, isLoading } = useHasAllPermissions(
+ *   const { can, isLoading } = useCan(
  *     'user-123',
  *     { organisationId: 'org-456' },
- *     ['read:events', 'manage:events']
+ *     'manage:events',
+ *     'page-789'
  *   );
  *
+ *   if (isLoading) return <div>Checking permission...</div>;
+ *
  *   return (
  *     <div>
- *       {hasAll ? <FullAccessPanel /> : <LimitedAccessPanel />}
+ *       {can ? <AdminPanel /> : <AccessDenied />}
  *     </div>
  *   );
  * }
  * ```
  */
-declare function useHasAllPermissions(userId: UUID, scope: Scope, permissions: Permission[], pageId?: UUID): {
-    hasAll: boolean;
-    isLoading: boolean;
-    error: Error | null;
-    refetch: () => Promise<void>;
-};
+declare function useCan(userId: UUID, scope: Scope, permission: Permission, pageId?: UUID, useCache?: boolean): UseCanReturn;
 /**
- * Hook to read cached permissions (contract requirement)
- *
- * This hook only reads from the core cache and does not perform
- * any bespoke caching as per the contract requirements.
+ * Hook to get user's access level in a scope
  *
  * @param userId - User ID
  * @param scope - Permission scope
- * @returns Cached permission data and loading state
+ * @returns Access level and loading state
  *
  * @example
  * ```tsx
  * function MyComponent() {
- *   const { permissions, isLoading, error } = useCachedPermissions(
+ *   const { accessLevel, isLoading } = useAccessLevel(
  *     'user-123',
  *     { organisationId: 'org-456' }
  *   );
  *
- *   if (isLoading) return <div>Loading cached permissions...</div>;
- *   if (error) return <div>Error: {error.message}</div>;
+ *   if (isLoading) return <div>Loading...</div>;
  *
  *   return (
  *     <div>
- *       {permissions['page-1']?.includes('read') && <ReadButton />}
- *       {permissions['page-1']?.includes('manage') && <ManageButton />}
+ *       {accessLevel === 'super' && <SuperAdminPanel />}
+ *       {accessLevel === 'admin' && <AdminPanel />}
+ *       {accessLevel === 'planner' && <PlannerPanel />}
  *     </div>
  *   );
  * }
  * ```
  */
-declare function useCachedPermissions(userId: UUID, scope: Scope): {
-    permissions: PermissionMap;
+declare function useAccessLevel(userId: UUID, scope: Scope): {
+    accessLevel: AccessLevel | null;
     isLoading: boolean;
     error: Error | null;
     refetch: () => Promise<void>;
 };
-
-/**
- * RBAC Adapters
- * @package @jmruthers/pace-core
- * @module RBAC/Adapters
- * @since 1.0.0
- *
- * This module provides adapters for different frameworks and server runtimes.
- */
-
-/**
- * Permission Guard Component
- *
- * A React component that conditionally renders children based on permissions.
- * Can auto-infer userId from context if not provided.
- *
- * @example
- * ```tsx
- * // With explicit userId and scope
- * <PermissionGuard
- *   userId="user-123"
- *   scope={{ organisationId: 'org-456' }}
- *   permission="manage:events"
- *   pageId="page-789"
- *   fallback={<AccessDenied />}
- * >
- *   <AdminPanel />
- * </PermissionGuard>
- *
- * // With context inference (requires auth context)
- * <PermissionGuard
- *   permission="manage:events"
- *   scope={{ organisationId: 'org-456' }}
- *   fallback={<AccessDenied />}
- * >
- *   <AdminPanel />
- * </PermissionGuard>
- * ```
- */
-declare function PermissionGuard({ userId, scope, permission, pageId, children, fallback, onDenied, loading, strictMode, auditLog, enforceAudit, }: {
-    userId?: UUID;
-    scope: {
-        organisationId: UUID;
-        eventId?: string;
-        appId?: UUID;
-    };
-    permission: Permission;
-    pageId?: UUID;
-    children: ReactNode;
-    fallback?: ReactNode;
-    onDenied?: () => void;
-    loading?: ReactNode;
-    strictMode?: boolean;
-    auditLog?: boolean;
-    enforceAudit?: boolean;
-}): React__default.ReactNode;
 /**
- * Access Level Guard Component
+ * Hook to check multiple permissions at once
  *
- * A React component that conditionally renders children based on access level.
- * Can auto-infer userId from context if not provided.
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permissions - Array of permissions to check
+ * @param pageId - Optional page ID
+ * @param useCache - Whether to use cached results (default: true)
+ * @returns Object with permission results and loading state
  *
  * @example
  * ```tsx
- * // With explicit userId and scope
- * <AccessLevelGuard
- *   userId="user-123"
- *   scope={{ organisationId: 'org-456' }}
- *   minLevel="admin"
- *   fallback={<AccessDenied />}
- * >
- *   <AdminPanel />
- * </AccessLevelGuard>
- *
- * // With context inference (requires auth context)
- * <AccessLevelGuard
- *   minLevel="admin"
- *   scope={{ organisationId: 'org-456' }}
- *   fallback={<AccessDenied />}
- * >
- *   <AdminPanel />
- * </AccessLevelGuard>
- * ```
- */
-declare function AccessLevelGuard({ userId, scope, minLevel, children, fallback, loading, }: {
-    userId?: UUID;
-    scope: {
-        organisationId: UUID;
-        eventId?: string;
-        appId?: UUID;
-    };
-    minLevel: 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
-    children: ReactNode;
-    fallback?: ReactNode;
-    loading?: ReactNode;
-}): React__default.ReactNode;
-/**
- * Permission Guard for Server Handlers
- *
- * Wraps a server handler with permission checking.
- *
- * @param config - Permission guard configuration
- * @param handler - Handler function to wrap
- * @returns Wrapped handler function
- *
- * @example
- * ```typescript
- * const protectedHandler = withPermissionGuard(
- *   { permission: 'manage:events', pageId: 'page-789' },
- *   async (req, res) => {
- *     // Handler logic here
- *     res.json({ success: true });
- *   }
- * );
- * ```
- */
-declare function withPermissionGuard<T extends any[]>(config: {
-    permission: Permission;
-    pageId?: UUID;
-}, handler: (...args: T) => Promise<any>): (...args: T) => Promise<any>;
-/**
- * Access Level Guard for Server Handlers
- *
- * Wraps a server handler with access level checking.
- *
- * @param minLevel - Minimum access level required
- * @param handler - Handler function to wrap
- * @returns Wrapped handler function
- *
- * @example
- * ```typescript
- * const adminHandler = withAccessLevelGuard(
- *   'admin',
- *   async (req, res) => {
- *     // Admin-only logic here
- *     res.json({ success: true });
- *   }
- * );
- * ```
- */
-declare function withAccessLevelGuard<T extends any[]>(minLevel: 'viewer' | 'participant' | 'planner' | 'admin' | 'super', handler: (...args: T) => Promise<any>): (...args: T) => Promise<any>;
-/**
- * Role Guard for Server Handlers
- *
- * Wraps a server handler with role-based access control.
- * This is the primary middleware for routing protection as specified in the contract.
- *
- * @param config - Role guard configuration
- * @param handler - Handler function to wrap
- * @returns Wrapped handler function
- *
- * @example
- * ```typescript
- * const adminHandler = withRoleGuard(
- *   {
- *     globalRoles: ['super_admin'],
- *     organisationRoles: ['org_admin', 'leader'],
- *     eventAppRoles: ['event_admin', 'planner']
- *   },
- *   async (req, res) => {
- *     // Admin-only logic here
- *     res.json({ success: true });
- *   }
- * );
- * ```
- */
-declare function withRoleGuard<T extends any[]>(config: {
-    globalRoles?: string[];
-    organisationRoles?: string[];
-    eventAppRoles?: string[];
-    requireAll?: boolean;
-}, handler: (...args: T) => Promise<any>): (...args: T) => Promise<any>;
-/**
- * Next.js Middleware for RBAC
- *
- * Middleware that checks permissions before allowing access to pages.
- *
- * @param config - Middleware configuration
- * @returns Next.js middleware function
- *
- * @example
- * ```typescript
- * // middleware.ts
- * import { createRBACMiddleware } from '@jmruthers/pace-core/rbac';
- *
- * export default createRBACMiddleware({
- *   protectedRoutes: [
- *     { path: '/admin', permission: 'manage:admin' },
- *     { path: '/events', permission: 'read:events' },
- *   ],
- *   fallbackUrl: '/access-denied',
- * });
- * ```
- */
-declare function createRBACMiddleware(config: {
-    protectedRoutes: Array<{
-        path: string;
-        permission: Permission;
-        pageId?: UUID;
-    }>;
-    fallbackUrl?: string;
-}): (req: {
-    nextUrl: {
-        pathname: string;
-    };
-    user?: {
-        id: string;
-    };
-    organisationId?: string;
-}, res: {
-    redirect: (url: string) => void;
-}, next: () => void) => Promise<void>;
-/**
- * Express Middleware for RBAC
+ * function MyComponent() {
+ *   const { permissions, isLoading } = useMultiplePermissions(
+ *     'user-123',
+ *     { organisationId: 'org-456' },
+ *     ['read:events', 'manage:events', 'delete:events']
+ *   );
  *
- * Middleware that checks permissions for Express routes.
+ *   return (
+ *     <div>
+ *       {permissions['read:events'] && <ReadButton />}
+ *       {permissions['manage:events'] && <ManageButton />}
+ *       {permissions['delete:events'] && <DeleteButton />}
+ *     </div>
+ *   );
+ * }
+ * ```
+ */
+declare function useMultiplePermissions(userId: UUID, scope: Scope, permissions: Permission[], pageId?: UUID, useCache?: boolean): {
+    permissions: Record<Permission, boolean>;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+};
+/**
+ * Hook to check if user has any of the specified permissions
  *
- * @param config - Middleware configuration
- * @returns Express middleware function
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permissions - Array of permissions to check
+ * @param pageId - Optional page ID
+ * @returns True if user has any permission and loading state
  *
  * @example
- * ```typescript
- * import { createRBACExpressMiddleware } from '@jmruthers/pace-core/rbac';
+ * ```tsx
+ * function MyComponent() {
+ *   const { hasAny, isLoading } = useHasAnyPermission(
+ *     'user-123',
+ *     { organisationId: 'org-456' },
+ *     ['read:events', 'manage:events']
+ *   );
  *
- * app.use(createRBACExpressMiddleware({
- *   permission: 'read:api',
- *   pageId: 'api-page-123',
- * }));
+ *   return (
+ *     <div>
+ *       {hasAny ? <EventContent /> : <AccessDenied />}
+ *     </div>
+ *   );
+ * }
  * ```
  */
-declare function createRBACExpressMiddleware(config: {
-    permission: Permission;
-    pageId?: UUID;
-}): (req: {
-    user?: {
-        id: string;
-    };
-    organisationId?: string;
-    eventId?: string;
-    appId?: string;
-}, res: {
-    status: (code: number) => {
-        json: (data: object) => void;
-    };
-}, next: () => void) => Promise<void>;
+declare function useHasAnyPermission(userId: UUID, scope: Scope, permissions: Permission[], pageId?: UUID): {
+    hasAny: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+};
 /**
- * Check if a user has a permission (synchronous cache check only)
+ * Hook to check if user has all of the specified permissions
  *
  * @param userId - User ID
  * @param scope - Permission scope
- * @param permission - Permission to check
+ * @param permissions - Array of permissions to check
  * @param pageId - Optional page ID
- * @returns True if permission is cached and granted
+ * @returns True if user has all permissions and loading state
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { hasAll, isLoading } = useHasAllPermissions(
+ *     'user-123',
+ *     { organisationId: 'org-456' },
+ *     ['read:events', 'manage:events']
+ *   );
+ *
+ *   return (
+ *     <div>
+ *       {hasAll ? <FullAccessPanel /> : <LimitedAccessPanel />}
+ *     </div>
+ *   );
+ * }
+ * ```
  */
-declare function hasPermissionCached(userId: UUID, scope: {
-    organisationId: UUID;
-    eventId?: string;
-    appId?: UUID;
-}, _permission: Permission, _pageId?: UUID): boolean;
+declare function useHasAllPermissions(userId: UUID, scope: Scope, permissions: Permission[], pageId?: UUID): {
+    hasAll: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+};
 /**
- * Check if a user has any of the specified permissions (synchronous cache check only)
+ * Hook to read cached permissions (contract requirement)
+ *
+ * This hook only reads from the core cache and does not perform
+ * any bespoke caching as per the contract requirements.
  *
  * @param userId - User ID
  * @param scope - Permission scope
- * @param permissions - Array of permissions to check
- * @param pageId - Optional page ID
- * @returns True if any permission is cached and granted
+ * @returns Cached permission data and loading state
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { permissions, isLoading, error } = useCachedPermissions(
+ *     'user-123',
+ *     { organisationId: 'org-456' }
+ *   );
+ *
+ *   if (isLoading) return <div>Loading cached permissions...</div>;
+ *   if (error) return <div>Error: {error.message}</div>;
+ *
+ *   return (
+ *     <div>
+ *       {permissions['page-1']?.includes('read') && <ReadButton />}
+ *       {permissions['page-1']?.includes('manage') && <ManageButton />}
+ *     </div>
+ *   );
+ * }
+ * ```
  */
-declare function hasAnyPermissionCached(userId: UUID, scope: {
-    organisationId: UUID;
-    eventId?: string;
-    appId?: UUID;
-}, permissions: Permission[], pageId?: UUID): boolean;
+declare function useCachedPermissions(userId: UUID, scope: Scope): {
+    permissions: PermissionMap;
+    isLoading: boolean;
+    error: Error | null;
+    refetch: () => Promise<void>;
+};
 
-interface PagePermissionContextType {
-    /** Check if user has permission for a page */
-    hasPagePermission: (pageName: string, operation: string, pageId?: string, scope?: Scope) => boolean;
-    /** Get all page permissions for current user */
-    getPagePermissions: () => Record<string, string[]>;
-    /** Check if page permission checking is enabled */
-    isEnabled: boolean;
-    /** Check if strict mode is enabled */
-    isStrictMode: boolean;
-    /** Check if audit logging is enabled */
-    isAuditLogEnabled: boolean;
-    /** Get page access history */
-    getPageAccessHistory: () => PageAccessRecord[];
-    /** Clear page access history */
-    clearPageAccessHistory: () => void;
-}
-interface PageAccessRecord {
-    pageName: string;
-    operation: string;
-    userId: UUID;
-    scope: Scope;
-    allowed: boolean;
-    timestamp: string;
-    pageId?: string;
-}
-interface PagePermissionProviderProps {
-    /** Child components */
-    children: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when page access is attempted */
-    onPageAccess?: (pageName: string, operation: string, allowed: boolean, record: PageAccessRecord) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (pageName: string, operation: string, record: PageAccessRecord) => void;
-    /** Maximum number of access records to keep in history */
-    maxHistorySize?: number;
-}
 /**
- * PagePermissionProvider - Manages page-level permissions across the app
- *
- * This provider ensures that all pages are properly protected and provides
- * centralized page permission management with strict enforcement.
+ * RBAC Adapters
+ * @package @jmruthers/pace-core
+ * @module RBAC/Adapters
+ * @since 1.0.0
  *
- * @param props - Provider props
- * @returns React element with page permission context
+ * This module provides adapters for different frameworks and server runtimes.
  */
-declare function PagePermissionProvider({ children, strictMode, auditLog, onPageAccess, onStrictModeViolation, maxHistorySize }: PagePermissionProviderProps): react_jsx_runtime.JSX.Element;
+
 /**
- * Hook to use page permission context
+ * Permission Guard Component
  *
- * @returns Page permission context
- * @throws Error if used outside of PagePermissionProvider
+ * A React component that conditionally renders children based on permissions.
+ * Can auto-infer userId from context if not provided.
+ *
+ * @example
+ * ```tsx
+ * // With explicit userId and scope
+ * <PermissionGuard
+ *   userId="user-123"
+ *   scope={{ organisationId: 'org-456' }}
+ *   permission="manage:events"
+ *   pageId="page-789"
+ *   fallback={<AccessDenied />}
+ * >
+ *   <AdminPanel />
+ * </PermissionGuard>
+ *
+ * // With context inference (requires auth context)
+ * <PermissionGuard
+ *   permission="manage:events"
+ *   scope={{ organisationId: 'org-456' }}
+ *   fallback={<AccessDenied />}
+ * >
+ *   <AdminPanel />
+ * </PermissionGuard>
+ * ```
  */
-declare function usePagePermissions(): PagePermissionContextType;
-
-interface PagePermissionGuardProps {
-    /** Name of the page being protected */
-    pageName: string;
-    /** Operation being performed on the page */
-    operation: 'read' | 'create' | 'update' | 'delete';
-    /** Content to render when user has permission */
-    children: React__default.ReactNode;
-    /** Content to render when user lacks permission */
-    fallback?: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
+declare function PermissionGuard({ userId, scope, permission, pageId, children, fallback, onDenied, loading, strictMode, auditLog, enforceAudit, }: {
+    userId?: UUID;
+    scope: {
+        organisationId: UUID;
+        eventId?: string;
+        appId?: UUID;
+    };
+    permission: Permission;
+    pageId?: UUID;
+    children: ReactNode;
+    fallback?: ReactNode;
+    onDenied?: () => void;
+    loading?: ReactNode;
     strictMode?: boolean;
-    /** Force audit logging for this page access (default: true) */
     auditLog?: boolean;
-    /** Custom page ID for permission checking */
-    pageId?: string;
-    /** Custom scope for permission checking */
-    scope?: Scope;
-    /** Callback when access is denied */
-    onDenied?: (pageName: string, operation: string) => void;
-    /** Loading state content */
-    loading?: React__default.ReactNode;
-}
+    enforceAudit?: boolean;
+}): React__default.ReactNode;
 /**
- * PagePermissionGuard - Enforces page-level permissions
+ * Access Level Guard Component
  *
- * This component ensures that users can only access pages they have permission for.
- * It integrates with the existing RBAC system and provides strict enforcement to
- * prevent apps from bypassing permission checks.
+ * A React component that conditionally renders children based on access level.
+ * Can auto-infer userId from context if not provided.
  *
- * @param props - Component props
- * @returns React element with permission enforcement
+ * @example
+ * ```tsx
+ * // With explicit userId and scope
+ * <AccessLevelGuard
+ *   userId="user-123"
+ *   scope={{ organisationId: 'org-456' }}
+ *   minLevel="admin"
+ *   fallback={<AccessDenied />}
+ * >
+ *   <AdminPanel />
+ * </AccessLevelGuard>
+ *
+ * // With context inference (requires auth context)
+ * <AccessLevelGuard
+ *   minLevel="admin"
+ *   scope={{ organisationId: 'org-456' }}
+ *   fallback={<AccessDenied />}
+ * >
+ *   <AdminPanel />
+ * </AccessLevelGuard>
+ * ```
  */
-declare function PagePermissionGuard({ pageName, operation, children, fallback, strictMode, auditLog, pageId, scope, onDenied, loading }: PagePermissionGuardProps): react_jsx_runtime.JSX.Element;
-
-interface DataAccessRecord {
-    table: string;
-    operation: string;
-    userId: UUID;
-    scope: Scope;
-    allowed: boolean;
-    timestamp: string;
-    query?: string;
-    filters?: Record<string, any>;
-}
-interface SecureDataContextType {
-    /** Check if data access is allowed for a table and operation */
-    isDataAccessAllowed: (table: string, operation: string, scope?: Scope) => boolean;
-    /** Get all data access permissions for current user */
-    getDataAccessPermissions: () => Record<string, string[]>;
-    /** Check if secure data access is enabled */
-    isEnabled: boolean;
-    /** Check if strict mode is enabled */
-    isStrictMode: boolean;
-    /** Check if audit logging is enabled */
-    isAuditLogEnabled: boolean;
-    /** Get data access history */
-    getDataAccessHistory: () => DataAccessRecord[];
-    /** Clear data access history */
-    clearDataAccessHistory: () => void;
-    /** Validate data access attempt */
-    validateDataAccess: (table: string, operation: string, scope?: Scope) => boolean;
-}
-interface SecureDataProviderProps {
-    /** Child components */
-    children: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when data access is attempted */
-    onDataAccess?: (table: string, operation: string, allowed: boolean, record: DataAccessRecord) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (table: string, operation: string, record: DataAccessRecord) => void;
-    /** Maximum number of access records to keep in history */
-    maxHistorySize?: number;
-    /** Enable RLS enforcement (default: true) */
-    enforceRLS?: boolean;
-}
+declare function AccessLevelGuard({ userId, scope, minLevel, children, fallback, loading, }: {
+    userId?: UUID;
+    scope: {
+        organisationId: UUID;
+        eventId?: string;
+        appId?: UUID;
+    };
+    minLevel: 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
+    children: ReactNode;
+    fallback?: ReactNode;
+    loading?: ReactNode;
+}): React__default.ReactNode;
 /**
- * SecureDataProvider - Prevents direct Supabase access and enforces secure data patterns
+ * Permission Guard for Server Handlers
  *
- * This provider ensures that all data access goes through the secure RBAC system
- * and prevents apps from bypassing data access controls.
+ * Wraps a server handler with permission checking.
  *
- * @param props - Provider props
- * @returns React element with secure data context
+ * @param config - Permission guard configuration
+ * @param handler - Handler function to wrap
+ * @returns Wrapped handler function
+ *
+ * @example
+ * ```typescript
+ * const protectedHandler = withPermissionGuard(
+ *   { permission: 'manage:events', pageId: 'page-789' },
+ *   async (req, res) => {
+ *     // Handler logic here
+ *     res.json({ success: true });
+ *   }
+ * );
+ * ```
  */
-declare function SecureDataProvider({ children, strictMode, auditLog, onDataAccess, onStrictModeViolation, maxHistorySize, enforceRLS }: SecureDataProviderProps): react_jsx_runtime.JSX.Element;
+declare function withPermissionGuard<T extends any[]>(config: {
+    permission: Permission;
+    pageId?: UUID;
+}, handler: (...args: T) => Promise<any>): (...args: T) => Promise<any>;
 /**
- * Hook to use secure data context
+ * Access Level Guard for Server Handlers
  *
- * @returns Secure data context
- * @throws Error if used outside of SecureDataProvider
+ * Wraps a server handler with access level checking.
+ *
+ * @param minLevel - Minimum access level required
+ * @param handler - Handler function to wrap
+ * @returns Wrapped handler function
+ *
+ * @example
+ * ```typescript
+ * const adminHandler = withAccessLevelGuard(
+ *   'admin',
+ *   async (req, res) => {
+ *     // Admin-only logic here
+ *     res.json({ success: true });
+ *   }
+ * );
+ * ```
  */
-declare function useSecureData(): SecureDataContextType;
-
-interface PermissionEnforcerProps {
-    /** Permissions required for access */
-    permissions: Permission[];
-    /** Operation being performed */
-    operation: string;
-    /** Content to render when user has permission */
-    children: React__default.ReactNode;
-    /** Content to render when user lacks permission */
-    fallback?: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Force audit logging for this operation (default: true) */
-    auditLog?: boolean;
-    /** Custom scope for permission checking */
-    scope?: Scope;
-    /** Callback when access is denied */
-    onDenied?: (permissions: Permission[], operation: string) => void;
-    /** Loading state content */
-    loading?: React__default.ReactNode;
-    /** Require all permissions (AND) or any permission (OR) */
-    requireAll?: boolean;
-}
+declare function withAccessLevelGuard<T extends any[]>(minLevel: 'viewer' | 'participant' | 'planner' | 'admin' | 'super', handler: (...args: T) => Promise<any>): (...args: T) => Promise<any>;
 /**
- * PermissionEnforcer - Enforces permissions for operations
+ * Role Guard for Server Handlers
  *
- * This component ensures that users can only perform operations they have permission for.
- * It integrates with the existing RBAC system and provides strict enforcement to
- * prevent apps from bypassing permission checks.
+ * Wraps a server handler with role-based access control.
+ * This is the primary middleware for routing protection as specified in the contract.
  *
- * @param props - Component props
- * @returns React element with permission enforcement
- */
-declare function PermissionEnforcer({ permissions, operation, children, fallback, strictMode, auditLog, scope, onDenied, loading, requireAll }: PermissionEnforcerProps): react_jsx_runtime.JSX.Element;
-
-interface RouteConfig {
-    /** Route path */
-    path: string;
-    /** React component to render */
-    component: React__default.ComponentType;
-    /** Permissions required for this route */
-    permissions: Permission[];
-    /** Roles that can access this route */
-    roles?: string[];
-    /** Minimum access level required */
-    accessLevel?: AccessLevel;
-    /** Page ID for permission checking */
-    pageId?: string;
-    /** Enable strict mode for this route */
-    strictMode?: boolean;
-    /** Route metadata */
-    meta?: {
-        title?: string;
-        description?: string;
-        requiresAuth?: boolean;
-        hidden?: boolean;
-    };
-}
-interface RouteAccessRecord {
-    route: string;
-    permissions: Permission[];
-    userId: UUID;
-    scope: Scope;
-    allowed: boolean;
-    timestamp: string;
-    pageId?: string;
-    roles?: string[];
-    accessLevel?: AccessLevel;
-}
-interface RoleBasedRouterContextType {
-    /** Get all accessible routes for current user */
-    getAccessibleRoutes: () => RouteConfig[];
-    /** Check if user can access a specific route */
-    canAccessRoute: (path: string) => boolean;
-    /** Get route configuration for a path */
-    getRouteConfig: (path: string) => RouteConfig | null;
-    /** Get route access history */
-    getRouteAccessHistory: () => RouteAccessRecord[];
-    /** Clear route access history */
-    clearRouteAccessHistory: () => void;
-    /** Check if strict mode is enabled */
-    isStrictMode: boolean;
-    /** Check if audit logging is enabled */
-    isAuditLogEnabled: boolean;
-}
-interface RoleBasedRouterProps {
-    /** Route configuration */
-    routes: RouteConfig[];
-    /** Fallback route for unauthorized access */
-    fallbackRoute?: string;
-    /** Child components */
-    children: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when route access is attempted */
-    onRouteAccess?: (route: string, allowed: boolean, record: RouteAccessRecord) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (route: string, record: RouteAccessRecord) => void;
-    /** Maximum number of access records to keep in history */
-    maxHistorySize?: number;
-    /** Custom unauthorized component */
-    unauthorizedComponent?: React__default.ComponentType<{
-        route: string;
-        reason: string;
-    }>;
-}
+ * @param config - Role guard configuration
+ * @param handler - Handler function to wrap
+ * @returns Wrapped handler function
+ *
+ * @example
+ * ```typescript
+ * const adminHandler = withRoleGuard(
+ *   {
+ *     globalRoles: ['super_admin'],
+ *     organisationRoles: ['org_admin', 'leader'],
+ *     eventAppRoles: ['event_admin', 'planner']
+ *   },
+ *   async (req, res) => {
+ *     // Admin-only logic here
+ *     res.json({ success: true });
+ *   }
+ * );
+ * ```
+ */
+declare function withRoleGuard<T extends any[]>(config: {
+    globalRoles?: string[];
+    organisationRoles?: string[];
+    eventAppRoles?: string[];
+    requireAll?: boolean;
+}, handler: (...args: T) => Promise<any>): (...args: T) => Promise<any>;
 /**
- * RoleBasedRouter - Centralized routing control with role-based protection
+ * Next.js Middleware for RBAC
  *
- * This component ensures that all routes are properly protected and provides
- * centralized routing control to prevent apps from bypassing route protection.
+ * Middleware that checks permissions before allowing access to pages.
  *
- * @param props - Router props
- * @returns React element with role-based routing
- */
-declare function RoleBasedRouter({ routes, fallbackRoute, children, strictMode, auditLog, onRouteAccess, onStrictModeViolation, maxHistorySize, unauthorizedComponent: UnauthorizedComponent }: RoleBasedRouterProps): react_jsx_runtime.JSX.Element;
-/**
- * Hook to use role-based router context
+ * @param config - Middleware configuration
+ * @returns Next.js middleware function
  *
- * @returns Role-based router context
- * @throws Error if used outside of RoleBasedRouter
+ * @example
+ * ```typescript
+ * // middleware.ts
+ * import { createRBACMiddleware } from '@jmruthers/pace-core/rbac';
+ *
+ * export default createRBACMiddleware({
+ *   protectedRoutes: [
+ *     { path: '/admin', permission: 'manage:admin' },
+ *     { path: '/events', permission: 'read:events' },
+ *   ],
+ *   fallbackUrl: '/access-denied',
+ * });
+ * ```
  */
-declare function useRoleBasedRouter(): RoleBasedRouterContextType;
-
-interface NavigationItem {
-    /** Unique identifier for the navigation item */
-    id: string;
-    /** Display label for the navigation item */
-    label: string;
-    /** Navigation path/URL */
-    path: string;
-    /** Permissions required for this navigation item */
-    permissions: Permission[];
-    /** Roles that can access this navigation item */
-    roles?: string[];
-    /** Minimum access level required */
-    accessLevel?: 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
-    /** Page ID for permission checking */
-    pageId?: string;
-    /** Enable strict mode for this navigation item */
-    strictMode?: boolean;
-    /** Navigation item metadata */
-    meta?: {
-        icon?: string;
-        description?: string;
-        hidden?: boolean;
-        order?: number;
+declare function createRBACMiddleware(config: {
+    protectedRoutes: Array<{
+        path: string;
+        permission: Permission;
+        pageId?: UUID;
+    }>;
+    fallbackUrl?: string;
+}): (req: {
+    nextUrl: {
+        pathname: string;
     };
-}
-interface NavigationAccessRecord {
-    navigationItem: string;
-    permissions: Permission[];
-    userId: UUID;
-    scope: Scope;
-    allowed: boolean;
-    timestamp: string;
-    pageId?: string;
-    roles?: string[];
-    accessLevel?: string;
-}
-interface NavigationContextType {
-    /** Check if user has permission for a navigation item */
-    hasNavigationPermission: (item: NavigationItem) => boolean;
-    /** Get all navigation permissions for current user */
-    getNavigationPermissions: () => Record<string, string[]>;
-    /** Get filtered navigation items based on permissions */
-    getFilteredNavigationItems: (items: NavigationItem[]) => NavigationItem[];
-    /** Check if navigation permission checking is enabled */
-    isEnabled: boolean;
-    /** Check if strict mode is enabled */
-    isStrictMode: boolean;
-    /** Check if audit logging is enabled */
-    isAuditLogEnabled: boolean;
-    /** Get navigation access history */
-    getNavigationAccessHistory: () => NavigationAccessRecord[];
-    /** Clear navigation access history */
-    clearNavigationAccessHistory: () => void;
-}
-interface NavigationProviderProps {
-    /** Child components */
-    children: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when navigation access is attempted */
-    onNavigationAccess?: (item: NavigationItem, allowed: boolean, record: NavigationAccessRecord) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (item: NavigationItem, record: NavigationAccessRecord) => void;
-    /** Maximum number of access records to keep in history */
-    maxHistorySize?: number;
-}
+    user?: {
+        id: string;
+    };
+    organisationId?: string;
+}, res: {
+    redirect: (url: string) => void;
+}, next: () => void) => Promise<void>;
 /**
- * NavigationProvider - Manages navigation-level permissions across the app
+ * Express Middleware for RBAC
  *
- * This provider ensures that all navigation items are properly protected and provides
- * centralized navigation permission management with strict enforcement.
+ * Middleware that checks permissions for Express routes.
  *
- * @param props - Provider props
- * @returns React element with navigation permission context
- */
-declare function NavigationProvider({ children, strictMode, auditLog, onNavigationAccess, onStrictModeViolation, maxHistorySize }: NavigationProviderProps): react_jsx_runtime.JSX.Element;
-/**
- * Hook to use navigation permission context
+ * @param config - Middleware configuration
+ * @returns Express middleware function
  *
- * @returns Navigation permission context
- * @throws Error if used outside of NavigationProvider
+ * @example
+ * ```typescript
+ * import { createRBACExpressMiddleware } from '@jmruthers/pace-core/rbac';
+ *
+ * app.use(createRBACExpressMiddleware({
+ *   permission: 'read:api',
+ *   pageId: 'api-page-123',
+ * }));
+ * ```
  */
-declare function useNavigationPermissions(): NavigationContextType;
-
-interface NavigationGuardProps {
-    /** Navigation item being protected */
-    navigationItem: NavigationItem;
-    /** Content to render when user has permission */
-    children: React__default.ReactNode;
-    /** Content to render when user lacks permission */
-    fallback?: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Force audit logging for this navigation access (default: true) */
-    auditLog?: boolean;
-    /** Custom scope for permission checking */
-    scope?: Scope;
-    /** Callback when access is denied */
-    onDenied?: (item: NavigationItem) => void;
-    /** Loading state content */
-    loading?: React__default.ReactNode;
-    /** Require all permissions (AND) or any permission (OR) */
-    requireAll?: boolean;
-}
+declare function createRBACExpressMiddleware(config: {
+    permission: Permission;
+    pageId?: UUID;
+}): (req: {
+    user?: {
+        id: string;
+    };
+    organisationId?: string;
+    eventId?: string;
+    appId?: string;
+}, res: {
+    status: (code: number) => {
+        json: (data: object) => void;
+    };
+}, next: () => void) => Promise<void>;
 /**
- * NavigationGuard - Enforces navigation-level permissions
- *
- * This component ensures that users can only access navigation items they have permission for.
- * It integrates with the existing RBAC system and provides strict enforcement to
- * prevent apps from bypassing navigation permission checks.
+ * Check if a user has a permission (synchronous cache check only)
  *
- * @param props - Component props
- * @returns React element with navigation permission enforcement
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permission - Permission to check
+ * @param pageId - Optional page ID
+ * @returns True if permission is cached and granted
  */
-declare function NavigationGuard({ navigationItem, children, fallback, strictMode, auditLog, scope, onDenied, loading, requireAll }: NavigationGuardProps): react_jsx_runtime.JSX.Element;
-
-interface EnhancedNavigationMenuProps {
-    /** Navigation items to display */
-    items: NavigationItem[];
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when navigation access is attempted */
-    onNavigationAccess?: (item: NavigationItem, allowed: boolean) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (item: NavigationItem) => void;
-    /** Custom className for the navigation menu */
-    className?: string;
-    /** Custom className for navigation items */
-    itemClassName?: string;
-    /** Custom className for active navigation items */
-    activeItemClassName?: string;
-    /** Custom className for disabled navigation items */
-    disabledItemClassName?: string;
-    /** Show/hide navigation items that user doesn't have permission for */
-    hideUnauthorizedItems?: boolean;
-    /** Custom render function for navigation items */
-    renderItem?: (item: NavigationItem, isAuthorized: boolean) => React__default.ReactNode;
-    /** Current active path for highlighting */
-    activePath?: string;
-    /** Navigation item click handler */
-    onItemClick?: (item: NavigationItem) => void;
-}
+declare function hasPermissionCached(userId: UUID, scope: {
+    organisationId: UUID;
+    eventId?: string;
+    appId?: UUID;
+}, _permission: Permission, _pageId?: UUID): boolean;
 /**
- * EnhancedNavigationMenu - Secure navigation menu with RBAC integration
- *
- * This component provides a navigation menu that automatically filters items based on
- * user permissions and enforces strict security controls.
+ * Check if a user has any of the specified permissions (synchronous cache check only)
  *
- * @param props - Component props
- * @returns React element with enhanced navigation menu
+ * @param userId - User ID
+ * @param scope - Permission scope
+ * @param permissions - Array of permissions to check
+ * @param pageId - Optional page ID
+ * @returns True if any permission is cached and granted
  */
-declare function EnhancedNavigationMenu({ items, strictMode, auditLog, onNavigationAccess, onStrictModeViolation, className, itemClassName, activeItemClassName, disabledItemClassName, hideUnauthorizedItems, renderItem, activePath, onItemClick }: EnhancedNavigationMenuProps): react_jsx_runtime.JSX.Element;
+declare function hasAnyPermissionCached(userId: UUID, scope: {
+    organisationId: UUID;
+    eventId?: string;
+    appId?: UUID;
+}, permissions: Permission[], pageId?: UUID): boolean;
 
 /**
  * RBAC Main API Functions