@jmruthers/pace-core 0.5.105 → 0.5.107

package/src/components/NavigationMenu/NavigationMenu.test.tsx

@@ -21,9 +21,11 @@ const mockAuthContext = {
   refreshSession: vi.fn(),
   appName: 'Test App',
   hasErrors: false,
-  selectedOrganisation: null,
+  selectedOrganisation: { id: 'test-org-1', name: 'Test Org', display_name: 'Test Organisation', subscription_tier: 'basic', settings: {}, is_active: true, parent_id: null, created_at: '', updated_at: '' },
   organisations: [],
+  selectedEvent: null,
   events: [],
+  supabase: {},
   // Note: hasPermission, hasRole, hasAccessLevel, permissions, roles, and accessLevel
   // were removed from UnifiedAuthProvider. Use useRBAC() hook for permissions instead.
   // Inactivity context
@@ -39,6 +41,50 @@ vi.mock('../../providers/UnifiedAuthProvider', () => ({
   useUnifiedAuth: vi.fn(() => mockAuthContext),
 }));
 
+// Mock RBAC hooks with hoisted mocks so they can be controlled per test
+const mockUseRBAC = vi.hoisted(() => vi.fn(() => ({
+  user: { id: 'test-user', email: 'test@example.com' },
+  globalRole: null,
+  organisationRole: null,
+  eventAppRole: null,
+  hasPermission: vi.fn(),
+  hasGlobalPermission: vi.fn(),
+  isSuperAdmin: false,
+  isOrgAdmin: false,
+  isEventAdmin: false,
+  canManageOrganisation: false,
+  canManageEvent: false,
+  isLoading: false,
+  error: null,
+})));
+
+const mockUseResolvedScope = vi.hoisted(() => vi.fn(() => ({
+  resolvedScope: { organisationId: 'test-org-1', eventId: undefined, appId: undefined },
+  isLoading: false,
+})));
+
+const mockUsePermissions = vi.hoisted(() => vi.fn(() => ({
+  permissions: {} as any,
+  isLoading: false,
+  error: null,
+  hasPermission: vi.fn(() => false),
+  hasAnyPermission: vi.fn(() => false),
+  hasAllPermissions: vi.fn(() => false),
+  refetch: vi.fn(),
+})));
+
+vi.mock('../../rbac/hooks/useRBAC', () => ({
+  useRBAC: mockUseRBAC,
+}));
+
+vi.mock('../../rbac/hooks', () => ({
+  useResolvedScope: mockUseResolvedScope,
+}));
+
+vi.mock('../../rbac/hooks/usePermissions', () => ({
+  usePermissions: mockUsePermissions,
+}));
+
 // Mock console methods to avoid noise in tests
 const originalConsoleLog = console.log;
 const originalConsoleWarn = console.warn;
@@ -381,15 +427,41 @@ describe('NavigationMenu Component', () => {
   // Permission-based filtering tests
   describe('Permission-Based Filtering', () => {
     beforeEach(() => {
-      // Note: Permission checks are currently disabled in NavigationMenu
-      // until migrated to useRBAC() hook. See NavigationMenu.tsx for TODOs.
       vi.clearAllMocks();
     });
 
-    it.skip('renders items with permission requirements', async () => {
-      // TODO: This test is skipped because NavigationMenu permission filtering is temporarily disabled
-      // until migrated to useRBAC() hook. See NavigationMenu.tsx for TODOs.
+    it('renders items with permission requirements', async () => {
       const user = userEvent.setup();
+      
+      // Mock RBAC hooks to grant permissions and roles
+      mockUseRBAC.mockReturnValue({
+        user: { id: 'test-user', email: 'test@example.com' },
+        globalRole: null,
+        organisationRole: 'org_admin' as any,
+        eventAppRole: 'event_admin' as any,
+        hasPermission: vi.fn(),
+        hasGlobalPermission: vi.fn(),
+        isSuperAdmin: false,
+        isOrgAdmin: true,
+        isEventAdmin: true,
+        canManageOrganisation: true,
+        canManageEvent: true,
+        isLoading: false,
+        error: null,
+      });
+      
+      mockUsePermissions.mockReturnValue({
+        permissions: {
+          'dashboard:read': true,
+        } as any,
+        isLoading: false,
+        error: null,
+        hasPermission: vi.fn((p: any) => p === 'dashboard:read'),
+        hasAnyPermission: vi.fn((ps: any[]) => ps.some((p: any) => p === 'dashboard:read')),
+        hasAllPermissions: vi.fn(() => true),
+        refetch: vi.fn(),
+      });
+      
       renderWithProviders(
         <NavigationMenu
           items={permissionBasedNavItems}
@@ -507,11 +579,38 @@ describe('NavigationMenu Component', () => {
       expect(window.location.href).toBe('/');
     });
 
-    it.skip('handles permission-based navigation', async () => {
-      // TODO: This test is skipped because NavigationMenu permission filtering is temporarily disabled
-      // until migrated to useRBAC() hook. See NavigationMenu.tsx for TODOs.
+    it('handles permission-based navigation', async () => {
       const user = userEvent.setup();
       
+      // Mock RBAC hooks to grant permissions and roles
+      mockUseRBAC.mockReturnValue({
+        user: { id: 'test-user', email: 'test@example.com' },
+        globalRole: null,
+        organisationRole: 'org_admin' as any,
+        eventAppRole: 'event_admin' as any,
+        hasPermission: vi.fn(),
+        hasGlobalPermission: vi.fn(),
+        isSuperAdmin: false,
+        isOrgAdmin: true,
+        isEventAdmin: true,
+        canManageOrganisation: true,
+        canManageEvent: true,
+        isLoading: false,
+        error: null,
+      });
+      
+      mockUsePermissions.mockReturnValue({
+        permissions: {
+          'dashboard:read': true,
+        } as any,
+        isLoading: false,
+        error: null,
+        hasPermission: vi.fn((p: any) => p === 'dashboard:read'),
+        hasAnyPermission: vi.fn((ps: any[]) => ps.some((p: any) => p === 'dashboard:read')),
+        hasAllPermissions: vi.fn(() => true),
+        refetch: vi.fn(),
+      });
+      
       renderWithProviders(
         <NavigationMenu
           items={permissionBasedNavItems}
@@ -530,12 +629,52 @@ describe('NavigationMenu Component', () => {
         expect(screen.getByText('Users')).toBeInTheDocument();
         expect(screen.getByText('Settings')).toBeInTheDocument();
       }, { interval: 10 });
+      
+      // Click on an item to verify navigation works
+      const dashboardItem = screen.getByText('Dashboard');
+      await user.click(dashboardItem);
+      
+      expect(mockNavigate).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 'dashboard',
+          label: 'Dashboard',
+          href: '/dashboard',
+        })
+      );
     });
 
-    it.skip('handles strict mode configuration', async () => {
-      // TODO: This test is skipped because NavigationMenu permission filtering is temporarily disabled
-      // until migrated to useRBAC() hook. See NavigationMenu.tsx for TODOs.
+    it('handles strict mode configuration', async () => {
       const user = userEvent.setup();
+      
+      // Mock RBAC hooks to grant permissions and roles
+      mockUseRBAC.mockReturnValue({
+        user: { id: 'test-user', email: 'test@example.com' },
+        globalRole: null,
+        organisationRole: 'org_admin' as any,
+        eventAppRole: 'event_admin' as any,
+        hasPermission: vi.fn(),
+        hasGlobalPermission: vi.fn(),
+        isSuperAdmin: false,
+        isOrgAdmin: true,
+        isEventAdmin: true,
+        canManageOrganisation: true,
+        canManageEvent: true,
+        isLoading: false,
+        error: null,
+      });
+      
+      mockUsePermissions.mockReturnValue({
+        permissions: {
+          'dashboard:read': true,
+        } as any,
+        isLoading: false,
+        error: null,
+        hasPermission: vi.fn((p: any) => p === 'dashboard:read'),
+        hasAnyPermission: vi.fn((ps: any[]) => ps.some((p: any) => p === 'dashboard:read')),
+        hasAllPermissions: vi.fn(() => true),
+        refetch: vi.fn(),
+      });
+      
       renderWithProviders(
         <NavigationMenu
           items={permissionBasedNavItems}
@@ -555,6 +694,14 @@ describe('NavigationMenu Component', () => {
         expect(screen.getByText('Users')).toBeInTheDocument();
         expect(screen.getByText('Settings')).toBeInTheDocument();
       }, { interval: 10 });
+      
+      // Verify strict mode is working - navigation should proceed with permissions
+      const dashboardItem = screen.getByText('Dashboard');
+      await user.click(dashboardItem);
+      
+      expect(mockNavigate).toHaveBeenCalled();
+      // Should not trigger strict mode violation since user has permissions
+      expect(mockOnStrictModeViolation).not.toHaveBeenCalled();
     });
   });
 
@@ -693,6 +840,35 @@ describe('NavigationMenu Component', () => {
         },
       ];
 
+      // Mock RBAC to grant the valid permission
+      mockUseRBAC.mockReturnValue({
+        user: { id: 'test-user', email: 'test@example.com' },
+        globalRole: null,
+        organisationRole: null,
+        eventAppRole: null,
+        hasPermission: vi.fn(),
+        hasGlobalPermission: vi.fn(),
+        isSuperAdmin: false,
+        isOrgAdmin: false,
+        isEventAdmin: false,
+        canManageOrganisation: false,
+        canManageEvent: false,
+        isLoading: false,
+        error: null,
+      });
+      
+      mockUsePermissions.mockReturnValue({
+        permissions: {
+          'valid-permission': true,
+        } as any,
+        isLoading: false,
+        error: null,
+        hasPermission: vi.fn((p: any) => p === 'valid-permission'),
+        hasAnyPermission: vi.fn((ps: any[]) => ps.some((p: any) => typeof p === 'string' && p === 'valid-permission')),
+        hasAllPermissions: vi.fn(() => true),
+        refetch: vi.fn(),
+      });
+
       renderWithProviders(
         <NavigationMenu
           items={invalidPermissionItems}
@@ -706,7 +882,7 @@ describe('NavigationMenu Component', () => {
       await user.click(trigger);
 
       await waitFor(() => {
-        // Should not crash and should show the item
+        // Should not crash and should show the item (invalid types filtered out, valid permission granted)
         expect(screen.getByText('Test')).toBeInTheDocument();
       }, { interval: 10 });
     });

package/src/components/NavigationMenu/NavigationMenu.tsx

@@ -198,7 +198,10 @@ import { NavigationMenuProps, NavigationItem } from "./types";
 import { Button } from "../Button";
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "../Select";
 import { useUnifiedAuth } from "../../providers/UnifiedAuthProvider";
-import { AccessLevel } from "../../types/unified";
+import { useRBAC } from "../../rbac/hooks/useRBAC";
+import { useResolvedScope } from "../../rbac/hooks";
+import { usePermissions } from "../../rbac/hooks/usePermissions";
+import type { Permission, AccessLevel as RBACAccessLevel } from "../../rbac/types";
 
 /**
  * Unified NavigationMenu component that supports both dropdown and hierarchical navigation modes.
@@ -424,10 +427,40 @@ export const NavigationMenu = React.forwardRef<
     console.warn('[NavigationMenu] useUnifiedAuth not available, running in unauthenticated mode');
   }
 
+  // Get RBAC context for permission and role checks
+  let rbacContext = null;
+  try {
+    rbacContext = useRBAC();
+  } catch (error) {
+    // RBAC not available - permission filtering will be disabled
+    console.warn('[NavigationMenu] useRBAC not available, permission filtering disabled');
+  }
+
+  // Get resolved scope for permission checks
+  const { supabase } = authContext || {};
+  const { selectedOrganisation } = authContext || {};
+  const selectedEvent = authContext?.selectedEvent || null;
+  const { resolvedScope, isLoading: scopeLoading } = useResolvedScope({
+    supabase: supabase || null,
+    selectedOrganisationId: selectedOrganisation?.id || null,
+    selectedEventId: selectedEvent?.event_id || null
+  });
+
+  // Get permissions map for synchronous permission checks
+  const userId = authContext?.user?.id || '';
+  const scope = resolvedScope || { organisationId: '', eventId: undefined, appId: undefined };
+  const { permissions: permissionMap, hasAnyPermission, isLoading: permissionsLoading } = usePermissions(
+    userId as any,
+    scope as any
+  );
+
   // NEW: Phase 2 - Enhanced Security Features
-  // Filter navigation items based on permissions
+  // Filter navigation items based on permissions using RBAC hooks
   const filteredItems = React.useMemo(() => {
-    if (!filterByPermissions || !authContext) return items || [];
+    // If filtering disabled, auth unavailable, RBAC unavailable, scope/permissions loading, or no org context: show all items (except hidden)
+    if (!filterByPermissions || !authContext || !rbacContext || scopeLoading || permissionsLoading || !resolvedScope?.organisationId) {
+      return (items || []).filter(item => !item.meta?.hidden);
+    }
     
     return (items || []).filter(item => {
       // Check if item should be hidden
@@ -435,44 +468,98 @@ export const NavigationMenu = React.forwardRef<
       
       // Check permissions if available
       if (item.permissions && item.permissions.length > 0) {
-        const hasPermission = item.permissions.some(permission => {
-          // Only check string permissions, ignore invalid types
-          if (typeof permission !== 'string') return true;
-          // TODO: Migrate to useRBAC() hook for permission checks
-          // RBAC properties were removed from UnifiedAuthProvider
-          return false; // Default to no permission until migrated
-        });
-        if (!hasPermission) return false;
+        // Convert string permissions to Permission type and check
+        const permissions = item.permissions
+          .filter((p): p is string => typeof p === 'string')
+          .map(p => p as Permission);
+        
+        if (permissions.length > 0) {
+          const hasPermission = hasAnyPermission(permissions);
+          if (!hasPermission) return false;
+        }
       }
       
       // Check roles if available
       if (item.roles && item.roles.length > 0) {
         const hasRole = item.roles.some(role => {
-          // Only check string roles, ignore invalid types
           if (typeof role !== 'string') return true;
-          // TODO: Migrate to useRBAC() hook for role checks
-          // RBAC properties were removed from UnifiedAuthProvider
-          return false; // Default to no role until migrated
+          
+          // Map role strings to RBAC role checks
+          switch (role.toLowerCase()) {
+            case 'super_admin':
+            case 'super admin':
+              return rbacContext.isSuperAdmin;
+            case 'org_admin':
+            case 'org admin':
+            case 'admin':
+              return rbacContext.isOrgAdmin || rbacContext.isSuperAdmin;
+            case 'event_admin':
+            case 'event admin':
+              return rbacContext.isEventAdmin || rbacContext.isSuperAdmin;
+            default:
+              // For other roles, check against organisationRole or eventAppRole
+              return (
+                rbacContext.organisationRole === role ||
+                rbacContext.eventAppRole === role ||
+                rbacContext.isSuperAdmin
+              );
+          }
         });
         if (!hasRole) return false;
       }
       
       // Check access level if available
       if (item.accessLevel) {
-        // Only check string access levels, ignore invalid types
         if (typeof item.accessLevel === 'string') {
-          // Convert string to AccessLevel enum
-          const accessLevel = item.accessLevel as AccessLevel;
-          // TODO: Migrate to useRBAC() hook for access level checks
-          // RBAC properties were removed from UnifiedAuthProvider
-          const hasAccessLevel = false; // Default to no access until migrated
-          if (!hasAccessLevel) return false;
+          // Map access level string to RBAC access level
+          const accessLevel = item.accessLevel.toLowerCase() as RBACAccessLevel;
+          const userEventRole = rbacContext.eventAppRole;
+          
+          // If user is super admin, they have all access levels
+          if (rbacContext.isSuperAdmin) {
+            // Super admin has access
+          } else {
+            // Map eventAppRole to access level for comparison
+            // eventAppRole: 'viewer' | 'participant' | 'planner' | 'event_admin'
+            const roleToAccessLevel: Record<string, RBACAccessLevel> = {
+              'viewer': 'viewer',
+              'participant': 'participant',
+              'planner': 'planner',
+              'event_admin': 'admin',
+            };
+            const userAccessLevel = userEventRole ? (roleToAccessLevel[userEventRole] || 'viewer') : null;
+            
+            // Check if user's access level meets the required access level
+            const levelHierarchy: Record<RBACAccessLevel, number> = {
+              viewer: 1,
+              participant: 2,
+              planner: 3,
+              admin: 4,
+              super: 5
+            };
+            const requiredLevel = levelHierarchy[accessLevel] || 0;
+            const userLevel = userAccessLevel ? levelHierarchy[userAccessLevel] || 0 : 0;
+            
+            if (userLevel < requiredLevel) {
+              return false;
+            }
+          }
         }
       }
       
       return true;
     });
-  }, [items, filterByPermissions, authContext]);
+  }, [
+    items, 
+    filterByPermissions, 
+    authContext, 
+    rbacContext, 
+    permissionMap, 
+    hasAnyPermission, 
+    scopeLoading, 
+    permissionsLoading,
+    resolvedScope
+  ]);
 
   // Log navigation access attempts for debugging
   React.useEffect(() => {
@@ -552,26 +639,46 @@ export const NavigationMenu = React.forwardRef<
     // Check if item should be visible (already filtered)
     const isItemVisible = filteredItems.some(filtered => filtered.id === item.id);
     
-    // Check permissions if the item requires them
+    // Check permissions if the item requires them using RBAC hooks
     let hasPermission = true; // Default to true if no permission requirements
     
-    if (item.permissions && item.permissions.length > 0) {
-      hasPermission = item.permissions.some(permission => {
-        if (typeof permission !== 'string') return true;
-        // TODO: Migrate to useRBAC() hook for permission checks
-        // RBAC properties were removed from UnifiedAuthProvider
-        return false; // Default to no permission until migrated
-      });
+    if (item.permissions && item.permissions.length > 0 && rbacContext && hasAnyPermission) {
+      // Convert string permissions to Permission type and check
+      const permissions = item.permissions
+        .filter((p): p is string => typeof p === 'string')
+        .map(p => p as Permission);
+      
+      if (permissions.length > 0) {
+        hasPermission = hasAnyPermission(permissions);
+      }
     }
     
-    if (!hasPermission) {
+    if (!hasPermission && rbacContext) {
       // Check roles if permissions check failed or item has role requirements
       if (item.roles && item.roles.length > 0) {
         hasPermission = item.roles.some(role => {
           if (typeof role !== 'string') return true;
-          // TODO: Migrate to useRBAC() hook for role checks
-          // RBAC properties were removed from UnifiedAuthProvider
-          return false; // Default to no role until migrated
+          
+          // Map role strings to RBAC role checks (same logic as filtering)
+          switch (role.toLowerCase()) {
+            case 'super_admin':
+            case 'super admin':
+              return rbacContext.isSuperAdmin;
+            case 'org_admin':
+            case 'org admin':
+            case 'admin':
+              return rbacContext.isOrgAdmin || rbacContext.isSuperAdmin;
+            case 'event_admin':
+            case 'event admin':
+              return rbacContext.isEventAdmin || rbacContext.isSuperAdmin;
+            default:
+              // For other roles, check against organisationRole or eventAppRole
+              return (
+                rbacContext.organisationRole === role ||
+                rbacContext.eventAppRole === role ||
+                rbacContext.isSuperAdmin
+              );
+          }
         });
       }
     }

package/src/components/PublicLayout/__tests__/PublicPageHeader.test.tsx

@@ -48,12 +48,12 @@ vi.mock('../../../hooks/useAppConfig', () => ({
 
 // Mock the FileDisplay component
 vi.mock('../../FileDisplay/FileDisplay', () => ({
-  FileDisplay: vi.fn(({ table_name, record_id, organisation_id, category, className }) => (
+  FileDisplay: vi.fn(({ table_name, record_id, organisation_id, category, className, size = 'md' }) => (
     <div 
       data-testid="event-logo" 
-      data-event-id={eventId}
-      data-event-name={eventName}
-      data-organisation-id={organisationId}
+      data-table-name={table_name}
+      data-record-id={record_id}
+      data-organisation-id={organisation_id}
       data-size={size}
       className={className}
     >

package/src/components/Toast/Toast.tsx

@@ -12,7 +12,7 @@
  * - Customizable positioning and styling
  * - Swipe gestures for dismissal
  * - Keyboard navigation support
- * - Auto-dismiss with configurable duration
+ * - Auto-dismiss with default 10 second duration (configurable)
  * - Action buttons and close functionality
  * - Responsive design
  * - Accessibility compliant

package/src/hooks/public/usePublicFileDisplay.ts

@@ -169,24 +169,34 @@ export function usePublicFileDisplay(
           throw new Error(rpcError.message || 'Failed to fetch file reference');
         }
 
-        // RPC returns partial data, need to fetch full file references
+        // RPC returns partial data with: id, file_path, file_metadata, is_public, created_at
+        // We have table_name, record_id, organisation_id from function parameters
+        // We can construct FileReference objects directly without another query (avoiding RLS issues)
         if (!data || data.length === 0) {
           files = [];
         } else {
-          // Extract IDs from RPC response and fetch full file reference data
-          // Note: This query does NOT filter by category - the RPC already did that filtering
-          const ids = data.map((item: any) => item.id);
-          const { data: fullData, error: fetchError } = await supabase
-            .from('file_references')
-            .select('*')
-            .in('id', ids)
-            .eq('is_public', true); // Only public files in public context
-
-          if (fetchError) {
-            throw new Error(fetchError.message || 'Failed to fetch file references');
-          }
-
-          files = fullData || [];
+          // Construct file reference objects from RPC response
+          // This avoids RLS issues - the RPC already validated permissions and filtered public files
+          files = data
+            .filter((item: any) => {
+              // RPC should only return public files for public context, but verify
+              return item.is_public === true && item.id && item.file_path && item.file_metadata;
+            })
+            .map((item: any) => {
+              // Construct complete file reference from RPC response + function parameters
+              return {
+                id: item.id,
+                table_name: table_name,
+                record_id: record_id,
+                file_path: item.file_path,
+                file_metadata: item.file_metadata || {},
+                organisation_id: organisation_id,
+                app_id: item.file_metadata?.app_id || null,
+                is_public: true, // RPC already filtered for public files
+                created_at: item.created_at || new Date().toISOString(),
+                updated_at: item.created_at || new Date().toISOString()
+              };
+            });
         }
       } else {
         // Multiple files mode - use RPC to get all files

package/src/hooks/useEventTheme.test.ts

@@ -23,6 +23,17 @@ vi.mock('../theming/runtime', () => ({
   clearPalette: vi.fn()
 }));
 
+// Mock react-router-dom useLocation
+vi.mock('react-router-dom', () => ({
+  useLocation: vi.fn(() => ({
+    pathname: '/',
+    search: '',
+    hash: '',
+    state: null,
+    key: 'default'
+  }))
+}));
+
 describe('useEventTheme', () => {
   const mockUseEvents = vi.mocked(useEvents);
   const mockApplyPalette = vi.mocked(applyPalette);

package/src/hooks/useFileDisplay.ts

@@ -224,12 +224,21 @@ export function useFileDisplay(
       if (category && files.length > 0) {
         // Single file mode - get first file
         const firstFile = files[0];
+        console.log('[useFileDisplay] Processing category files, first file:', {
+          id: firstFile.id,
+          file_path: firstFile.file_path,
+          is_public: firstFile.is_public,
+          has_file_metadata: !!firstFile.file_metadata,
+          category_in_metadata: firstFile.file_metadata?.category
+        });
+        
         setFileReference(firstFile);
         
         // Generate URL based on file visibility
         let url: string | null = null;
         if (firstFile.is_public) {
           url = getPublicUrl(supabase, firstFile.file_path, true);
+          console.log('[useFileDisplay] Generated public URL:', url);
         } else {
           const signedUrlResult = await getSignedUrl(supabase, firstFile.file_path, {
             appName: 'pace-core',
@@ -237,7 +246,9 @@ export function useFileDisplay(
             expiresIn: 3600
           });
           url = signedUrlResult?.url || null;
+          console.log('[useFileDisplay] Generated signed URL:', url ? 'URL generated' : 'URL generation failed');
         }
+        console.log('[useFileDisplay] Setting file URL:', url ? 'URL set' : 'URL is null');
         setFileUrl(url);
       } else {
         // Multiple files mode - generate URLs for all files

package/src/hooks/useSecureDataAccess.test.ts

@@ -152,12 +152,28 @@ describe('useSecureDataAccess', () => {
       expect(freshMockQueryBuilder.select).toHaveBeenCalledWith('*');
     });
 
-    it.skip('executes secure query with pagination', async () => {
-      // Skipped: Complex mock setup for range() chaining requires additional work
-      // The mock needs to properly support: .from().select().eq().eq().range().then()
-      // This is a complex integration test that would require refactoring the Supabase mock
-      // See issue: Need comprehensive range() support in createMockQueryBuilder
+    it('executes secure query with pagination', async () => {
+      const paginatedData = Array.from({ length: 10 }, (_, i) => ({ id: `record-${i + 20}` }));
       
+      // Ensure range() returns a thenable that resolves with paginated data
+      // and that all chain methods (eq, select, etc.) maintain the range function
+      freshMockQueryBuilder.range = vi.fn().mockImplementation(function(min: number, max: number) {
+        const rangedBuilder = Object.assign({}, this, {
+          then: vi.fn().mockImplementation((resolve) => {
+            resolve({ data: paginatedData, error: null });
+          }),
+          catch: vi.fn(),
+          finally: vi.fn(),
+          range: freshMockQueryBuilder.range // Maintain range for further chaining if needed
+        });
+        return rangedBuilder;
+      });
+
+      // Ensure eq() returns this which has range()
+      freshMockQueryBuilder.eq = vi.fn().mockReturnThis();
+      freshMockQueryBuilder.select = vi.fn().mockReturnThis();
+      freshMockQueryBuilder.limit = vi.fn().mockReturnThis();
+
       const { result } = renderHook(() => useSecureDataAccess());
 
       const data = await result.current.secureQuery('users', '*', {}, {
@@ -167,6 +183,7 @@ describe('useSecureDataAccess', () => {
       
       expect(freshMockQueryBuilder.select).toHaveBeenCalledWith('*');
       expect(freshMockQueryBuilder.range).toHaveBeenCalledWith(20, 29); // offset to (offset + limit - 1)
+      expect(data).toEqual(paginatedData);
     });
 
     it('handles query errors gracefully', async () => {