npm - @jmruthers/pace-core - Versions diffs - 0.5.1 → 0.5.4 - Mend

@jmruthers/pace-core 0.5.1 → 0.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (210) hide show

package/dist/{DataTable-GX3XERFJ.js → DataTable-ZQDRE46Q.js} +7 -6
package/dist/{PublicLoadingSpinner-DztrzuJr.d.ts → PublicLoadingSpinner-Bq_-BeK-.d.ts} +1 -1
package/dist/RBACProvider-BO4ilsQB.d.ts +63 -0
package/dist/{UnifiedAuthProvider-w66zSCUf.d.ts → UnifiedAuthProvider-DGQsy-vY.d.ts} +2 -59
package/dist/{api-ETQ6YJ3C.js → api-H5A3H4IR.js} +2 -2
package/dist/{chunk-T3XIA4AJ.js → chunk-5H3C2SWM.js} +14 -16
package/dist/chunk-5H3C2SWM.js.map +1 -0
package/dist/chunk-5SIXIV7R.js +1925 -0
package/dist/chunk-5SIXIV7R.js.map +1 -0
package/dist/chunk-GNTALZV3.js +17 -0
package/dist/chunk-GNTALZV3.js.map +1 -0
package/dist/{chunk-C5G2A4PO.js → chunk-GWSBHC4J.js} +6 -6
package/dist/{chunk-XJK2J4N6.js → chunk-HD7PYDUV.js} +4 -6
package/dist/{chunk-XJK2J4N6.js.map → chunk-HD7PYDUV.js.map} +1 -1
package/dist/{chunk-TGDCLPP2.js → chunk-HXX35Q2M.js} +6 -21
package/dist/chunk-HXX35Q2M.js.map +1 -0
package/dist/{chunk-5EL3KHOQ.js → chunk-K6B7BLSE.js} +2 -2
package/dist/{chunk-GSNM5D6H.js → chunk-M4RW7PIP.js} +4 -4
package/dist/{chunk-U6JDHVC2.js → chunk-PVMYVQSM.js} +6 -8
package/dist/{chunk-U6JDHVC2.js.map → chunk-PVMYVQSM.js.map} +1 -1
package/dist/{chunk-6CR3MRZN.js → chunk-QKHFMQ5R.js} +372 -11
package/dist/{chunk-6CR3MRZN.js.map → chunk-QKHFMQ5R.js.map} +1 -1
package/dist/chunk-QVYBYGT2.js +428 -0
package/dist/chunk-QVYBYGT2.js.map +1 -0
package/dist/{chunk-OEGRKULD.js → chunk-WJARTBCT.js} +56 -1
package/dist/chunk-WJARTBCT.js.map +1 -0
package/dist/components.d.ts +4 -3
package/dist/components.js +16 -162
package/dist/components.js.map +1 -1
package/dist/hooks.d.ts +2 -2
package/dist/hooks.js +7 -9
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +8 -6
package/dist/index.js +152 -17
package/dist/index.js.map +1 -1
package/dist/providers.d.ts +3 -2
package/dist/providers.js +6 -12
package/dist/rbac/index.d.ts +167 -98
package/dist/rbac/index.js +48 -1881
package/dist/rbac/index.js.map +1 -1
package/dist/styles/core.css +0 -55
package/dist/types.d.ts +2 -2
package/dist/{unified-CM7T0aTK.d.ts → unified-CMPjE_fv.d.ts} +1 -1
package/dist/{usePublicRouteParams-B6i0KtXW.d.ts → usePublicRouteParams-B2OcAsur.d.ts} +1 -1
package/dist/utils.js +12 -14
package/dist/utils.js.map +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +73 -0
package/docs/api/classes/MissingUserContextError.md +66 -0
package/docs/api/classes/OrganisationContextRequiredError.md +66 -0
package/docs/api/classes/PermissionDeniedError.md +73 -0
package/docs/api/classes/PublicErrorBoundary.md +1 -1
package/docs/api/classes/RBACAuditManager.md +270 -0
package/docs/api/classes/RBACCache.md +284 -0
package/docs/api/classes/RBACEngine.md +141 -0
package/docs/api/classes/RBACError.md +76 -0
package/docs/api/classes/RBACNotInitializedError.md +66 -0
package/docs/api/classes/SecureSupabaseClient.md +135 -0
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/DataAccessRecord.md +96 -0
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +235 -0
package/docs/api/interfaces/EventContextType.md +1 -1
package/docs/api/interfaces/EventLogoProps.md +1 -1
package/docs/api/interfaces/EventProviderProps.md +1 -1
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadProps.md +1 -1
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +107 -0
package/docs/api/interfaces/NavigationContextType.md +164 -0
package/docs/api/interfaces/NavigationGuardProps.md +139 -0
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +117 -0
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +2 -2
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +1 -1
package/docs/api/interfaces/PaceLoginPageProps.md +1 -1
package/docs/api/interfaces/PageAccessRecord.md +85 -0
package/docs/api/interfaces/PagePermissionContextType.md +140 -0
package/docs/api/interfaces/PagePermissionGuardProps.md +153 -0
package/docs/api/interfaces/PagePermissionProviderProps.md +119 -0
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/PermissionEnforcerProps.md +153 -0
package/docs/api/interfaces/PublicErrorBoundaryProps.md +1 -1
package/docs/api/interfaces/PublicErrorBoundaryState.md +1 -1
package/docs/api/interfaces/PublicLoadingSpinnerProps.md +1 -1
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/RBACConfig.md +99 -0
package/docs/api/interfaces/RBACContextType.md +474 -0
package/docs/api/interfaces/RBACLogger.md +112 -0
package/docs/api/interfaces/RBACProviderProps.md +107 -0
package/docs/api/interfaces/RoleBasedRouterContextType.md +151 -0
package/docs/api/interfaces/RoleBasedRouterProps.md +156 -0
package/docs/api/interfaces/RouteAccessRecord.md +107 -0
package/docs/api/interfaces/RouteConfig.md +121 -0
package/docs/api/interfaces/SecureDataContextType.md +168 -0
package/docs/api/interfaces/SecureDataProviderProps.md +132 -0
package/docs/api/interfaces/StorageConfig.md +1 -1
package/docs/api/interfaces/StorageFileInfo.md +1 -1
package/docs/api/interfaces/StorageFileMetadata.md +1 -1
package/docs/api/interfaces/StorageListOptions.md +1 -1
package/docs/api/interfaces/StorageListResult.md +1 -1
package/docs/api/interfaces/StorageUploadOptions.md +1 -1
package/docs/api/interfaces/StorageUploadResult.md +1 -1
package/docs/api/interfaces/StorageUrlOptions.md +1 -1
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +85 -85
package/docs/api/interfaces/UnifiedAuthProviderProps.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventLogoOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventLogoReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +11 -11
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +2244 -3
package/docs/migration-guide.md +43 -18
package/docs/styles/README.md +187 -98
package/docs/usage.md +32 -7
package/package.json +2 -2
package/src/components/Footer/Footer.test.tsx +482 -0
package/src/components/Form/Form.test.tsx +1158 -0
package/src/components/Header/Header.test.tsx +582 -0
package/src/components/Header/Header.tsx +1 -1
package/src/components/InactivityWarningModal/InactivityWarningModal.test.tsx +489 -0
package/src/components/Input/Input.test.tsx +466 -0
package/src/components/LoadingSpinner/LoadingSpinner.test.tsx +450 -0
package/src/components/LoginForm/LoginForm.test.tsx +816 -0
package/src/components/NavigationMenu/NavigationMenu.test.tsx +883 -0
package/src/components/OrganisationSelector/OrganisationSelector.test.tsx +748 -0
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +891 -0
package/src/components/PaceLoginPage/PaceLoginPage.test.tsx +475 -0
package/src/components/PasswordReset/PasswordChangeForm.test.tsx +621 -0
package/src/components/PasswordReset/PasswordResetForm.test.tsx +605 -0
package/src/components/Select/Select.test.tsx +948 -0
package/src/components/SuperAdminGuard.tsx +1 -1
package/src/components/Toast/Toast.test.tsx +586 -0
package/src/components/Tooltip/Tooltip.test.tsx +852 -0
package/src/components/UserMenu/UserMenu.test.tsx +702 -0
package/src/components/UserMenu/UserMenu.tsx +2 -2
package/src/hooks/useDebounce.test.ts +375 -0
package/src/hooks/useOrganisationPermissions.test.ts +528 -0
package/src/hooks/useOrganisationSecurity.test.ts +734 -0
package/src/hooks/usePermissionCache.test.ts +542 -0
package/src/hooks/usePermissionCache.ts +1 -1
package/src/index.ts +2 -3
package/src/providers/UnifiedAuthProvider.tsx +2 -2
package/src/providers/index.ts +3 -1
package/src/rbac/__tests__/integration.test.tsx +218 -0
package/src/rbac/api.test.ts +952 -0
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +843 -0
package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx +1007 -0
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +806 -0
package/src/rbac/components/__tests__/RoleBasedRouter.test.tsx +741 -0
package/src/rbac/hooks/index.ts +21 -0
package/src/rbac/hooks/useCan.test.ts +461 -0
package/src/rbac/hooks/usePermissions.test.ts +364 -0
package/src/rbac/hooks/usePermissions.ts +567 -0
package/src/rbac/hooks/useRBAC.simple.test.ts +90 -0
package/src/rbac/hooks/useRBAC.test.ts +551 -0
package/src/{hooks → rbac/hooks}/useRBAC.ts +7 -7
package/src/rbac/index.ts +5 -10
package/src/{providers → rbac/providers}/RBACProvider.tsx +6 -6
package/src/rbac/providers/__tests__/RBACProvider.test.tsx +687 -0
package/src/rbac/providers/index.ts +11 -0
package/src/styles/core.css +0 -55
package/src/utils/formatDate.test.ts +241 -0
package/dist/chunk-AUE24LVR.js +0 -268
package/dist/chunk-AUE24LVR.js.map +0 -1
package/dist/chunk-COBPIXXQ.js +0 -379
package/dist/chunk-COBPIXXQ.js.map +0 -1
package/dist/chunk-OEGRKULD.js.map +0 -1
package/dist/chunk-OYRY44Q2.js +0 -62
package/dist/chunk-OYRY44Q2.js.map +0 -1
package/dist/chunk-T3XIA4AJ.js.map +0 -1
package/dist/chunk-TGDCLPP2.js.map +0 -1
package/src/components/RBAC/PagePermissionGuard.tsx +0 -287
package/src/components/RBAC/RBACGuard.tsx +0 -143
package/src/components/RBAC/RBACProvider.tsx +0 -186
package/src/components/RBAC/RoleBasedContent.tsx +0 -129
package/src/components/RBAC/index.ts +0 -23
package/src/rbac/hooks.ts +0 -570
/package/dist/{DataTable-GX3XERFJ.js.map → DataTable-ZQDRE46Q.js.map} +0 -0
/package/dist/{api-ETQ6YJ3C.js.map → api-H5A3H4IR.js.map} +0 -0
/package/dist/{chunk-C5G2A4PO.js.map → chunk-GWSBHC4J.js.map} +0 -0
/package/dist/{chunk-5EL3KHOQ.js.map → chunk-K6B7BLSE.js.map} +0 -0
/package/dist/{chunk-GSNM5D6H.js.map → chunk-M4RW7PIP.js.map} +0 -0

package/src/rbac/components/__tests__/NavigationGuard.test.tsx ADDED Viewed

@@ -0,0 +1,843 @@
+/**
+ * @file NavigationGuard Component Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/Components/NavigationGuard
+ * @since 2.0.0
+ *
+ * Comprehensive tests for the NavigationGuard component covering all critical functionality.
+ */
+import { render, screen, waitFor } from '@testing-library/react';
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { ReactNode } from 'react';
+import { NavigationGuard } from '../NavigationGuard';
+import { useCan } from '../../hooks';
+import { useUnifiedAuth } from '../../../providers/UnifiedAuthProvider';
+// Mock the RBAC hooks
+vi.mock('../../hooks', () => ({
+  useCan: vi.fn()
+}));
+// Mock the auth provider
+vi.mock('../../../providers/UnifiedAuthProvider', () => ({
+  useUnifiedAuth: vi.fn()
+}));
+// Mock the event context utility
+vi.mock('../../utils/eventContext', () => ({
+  createScopeFromEvent: vi.fn()
+}));
+import { createScopeFromEvent } from '../../utils/eventContext';
+// Mock data
+const mockUser = {
+  id: 'user-123',
+  email: 'test@example.com'
+};
+const mockScope = {
+  organisationId: 'org-123',
+  eventId: 'event-123',
+  appId: 'app-123'
+};
+const mockNavigationItem = {
+  id: 'nav-dashboard',
+  label: 'Dashboard',
+  path: '/dashboard',
+  permissions: ['read:dashboard'] as const,
+  pageId: 'dashboard',
+  icon: 'dashboard',
+  order: 1,
+  hidden: false
+};
+// Test component
+const TestComponent = ({ children }: { children: ReactNode }) => (
+  <div data-testid="test-component">{children}</div>
+);
+const TestFallback = () => (
+  <div data-testid="test-fallback">Access Denied</div>
+);
+const TestLoading = () => (
+  <div data-testid="test-loading">Loading...</div>
+);
+describe('NavigationGuard Component', () => {
+  const mockUseCan = vi.mocked(useCan);
+  const mockUseUnifiedAuth = vi.mocked(useUnifiedAuth);
+  const mockCreateScopeFromEvent = vi.mocked(createScopeFromEvent);
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Default mock implementations
+    mockUseUnifiedAuth.mockReturnValue({
+      user: mockUser,
+      selectedOrganisationId: 'org-123',
+      selectedEventId: 'event-123',
+      supabase: {} as any
+    });
+    mockUseCan.mockReturnValue({
+      can: true,
+      isLoading: false,
+      error: null
+    });
+  });
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+  describe('Rendering', () => {
+    it('renders children when permission is granted', async () => {
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={mockNavigationItem}>
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+        expect(screen.getByText('Navigation Link')).toBeInTheDocument();
+      });
+    });
+    it('renders fallback when permission is denied', async () => {
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+        expect(screen.queryByTestId('test-component')).not.toBeInTheDocument();
+      });
+    });
+    it('shows loading state during permission check', () => {
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: true,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          loading={<TestLoading />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      expect(screen.getByTestId('test-loading')).toBeInTheDocument();
+      expect(screen.queryByTestId('test-component')).not.toBeInTheDocument();
+    });
+    it('uses default fallback when none provided', async () => {
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={mockNavigationItem}>
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByText('Access Denied')).toBeInTheDocument();
+      });
+    });
+    it('uses default loading when none provided', () => {
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: true,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={mockNavigationItem}>
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      expect(screen.getByText('Checking...')).toBeInTheDocument();
+    });
+  });
+  describe('Permission Checking', () => {
+    it('enforces navigation permissions correctly', async () => {
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={mockNavigationItem}>
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:dashboard',
+        'dashboard',
+        true
+      );
+    });
+    it('handles multiple permissions', async () => {
+      const multiPermissionItem = {
+        ...mockNavigationItem,
+        permissions: ['read:dashboard', 'write:dashboard'] as const
+      };
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={multiPermissionItem}>
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      // Should check the first permission as representative
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:dashboard',
+        'dashboard',
+        true
+      );
+    });
+    it('handles empty permissions array', async () => {
+      const noPermissionItem = {
+        ...mockNavigationItem,
+        permissions: [] as const
+      };
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={noPermissionItem}>
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+    });
+    it('handles permission checking errors gracefully', async () => {
+      const error = new Error('Permission check failed');
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+    });
+  });
+  describe('Scope Resolution', () => {
+    it('uses provided scope when available', async () => {
+      const customScope = {
+        organisationId: 'custom-org',
+        eventId: 'custom-event',
+        appId: 'custom-app'
+      };
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          scope={customScope}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        customScope,
+        'read:dashboard',
+        'dashboard',
+        true
+      );
+    });
+    it('resolves scope from organisation and event context', async () => {
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={mockNavigationItem}>
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:dashboard',
+        'dashboard',
+        true
+      );
+    });
+    it('resolves scope from organisation only', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        selectedOrganisationId: 'org-123',
+        selectedEventId: null,
+        supabase: {} as any
+      });
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={mockNavigationItem}>
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: undefined
+        }),
+        'read:dashboard',
+        'dashboard',
+        true
+      );
+    });
+    it('resolves scope from event context when organisation not available', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        selectedOrganisationId: null,
+        selectedEventId: 'event-123',
+        supabase: {} as any
+      });
+      mockCreateScopeFromEvent.mockResolvedValue({
+        organisationId: 'resolved-org',
+        eventId: 'event-123',
+        appId: 'resolved-app'
+      });
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={mockNavigationItem}>
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockCreateScopeFromEvent).toHaveBeenCalledWith({}, 'event-123');
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'resolved-org',
+          eventId: 'event-123'
+        }),
+        'read:dashboard',
+        'dashboard',
+        true
+      );
+    });
+    it('handles scope resolution errors', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        selectedOrganisationId: null,
+        selectedEventId: 'event-123',
+        supabase: {} as any
+      });
+      const error = new Error('Could not resolve organisation from event');
+      mockCreateScopeFromEvent.mockRejectedValue(error);
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByText('Checking...')).toBeInTheDocument();
+      });
+    });
+    it('handles missing context gracefully', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        selectedOrganisationId: null,
+        selectedEventId: null,
+        supabase: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByText('Checking...')).toBeInTheDocument();
+      });
+    });
+  });
+  describe('Security Features', () => {
+    it('prevents bypassing in strict mode', async () => {
+      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          strictMode={true}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining('STRICT MODE VIOLATION'),
+        expect.objectContaining({
+          navigationItem: 'nav-dashboard',
+          permissions: ['read:dashboard'],
+          userId: 'user-123'
+        })
+      );
+      consoleSpy.mockRestore();
+    });
+    it('logs navigation access attempts for audit', async () => {
+      const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          auditLog={true}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining('Navigation access attempt'),
+        expect.objectContaining({
+          navigationItem: 'nav-dashboard',
+          permissions: ['read:dashboard'],
+          userId: 'user-123',
+          allowed: false
+        })
+      );
+      consoleSpy.mockRestore();
+    });
+    it('calls onDenied callback when access is denied', async () => {
+      const onDeniedSpy = vi.fn();
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          onDenied={onDeniedSpy}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(onDeniedSpy).toHaveBeenCalledWith(mockNavigationItem);
+    });
+    it('does not call onDenied when access is granted', async () => {
+      const onDeniedSpy = vi.fn();
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          onDenied={onDeniedSpy}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(onDeniedSpy).not.toHaveBeenCalled();
+    });
+  });
+  describe('Configuration Options', () => {
+    it('respects strictMode setting', async () => {
+      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          strictMode={false}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(consoleSpy).not.toHaveBeenCalledWith(
+        expect.stringContaining('STRICT MODE VIOLATION')
+      );
+      consoleSpy.mockRestore();
+    });
+    it('respects auditLog setting', async () => {
+      const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          auditLog={false}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(consoleSpy).not.toHaveBeenCalledWith(
+        expect.stringContaining('Navigation access attempt')
+      );
+      consoleSpy.mockRestore();
+    });
+    it('respects requireAll setting', async () => {
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          requireAll={false}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      // Should still check the first permission as representative
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:dashboard',
+        'dashboard',
+        true
+      );
+    });
+  });
+  describe('Error Handling', () => {
+    it('handles missing user gracefully', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: null,
+        selectedOrganisationId: 'org-123',
+        selectedEventId: 'event-123',
+        supabase: {} as any
+      });
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        '',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:dashboard',
+        'dashboard',
+        true
+      );
+    });
+    it('handles permission check errors', async () => {
+      const error = new Error('Database connection failed');
+      mockUseCan.mockReturnValue({
+        can: false,
+        isLoading: false,
+        error
+      });
+      render(
+        <NavigationGuard
+          navigationItem={mockNavigationItem}
+          fallback={<TestFallback />}
+        >
+          <TestComponent>Navigation Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
+      });
+    });
+  });
+  describe('Navigation Item Properties', () => {
+    it('handles different navigation item types', async () => {
+      const differentItem = {
+        id: 'nav-settings',
+        label: 'Settings',
+        path: '/settings',
+        permissions: ['read:settings'] as const,
+        pageId: 'settings',
+        icon: 'settings',
+        order: 2,
+        hidden: false
+      };
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={differentItem}>
+          <TestComponent>Settings Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        expect.objectContaining({
+          organisationId: 'org-123',
+          eventId: 'event-123'
+        }),
+        'read:settings',
+        'settings',
+        true
+      );
+    });
+    it('handles hidden navigation items', async () => {
+      const hiddenItem = {
+        ...mockNavigationItem,
+        hidden: true
+      };
+      mockUseCan.mockReturnValue({
+        can: true,
+        isLoading: false,
+        error: null
+      });
+      render(
+        <NavigationGuard navigationItem={hiddenItem}>
+          <TestComponent>Hidden Link</TestComponent>
+        </NavigationGuard>
+      );
+      await waitFor(() => {
+        expect(screen.getByTestId('test-component')).toBeInTheDocument();
+      });
+    });
+  });
+});