@jmruthers/pace-core 0.5.108 → 0.5.110

package/docs/rbac/api-reference.md

@@ -247,43 +247,90 @@ function UserActions() {
 
 ### PagePermissionGuard
 
-Conditionally render children based on page-level permissions.
+**⚠️ CRITICAL: This is the PRIMARY component for protecting pages.** Always use `PagePermissionGuard` for page-level permissions. It automatically resolves scope from context and checks permissions in the database.
+
+**Permission Format**: The component checks for permissions in the format `{operation}:page.{pageName}` (e.g., `read:page.dashboard`).
 
 ```typescript
 interface PagePermissionGuardProps {
-  pageName: string;
-  operation: 'read' | 'write' | 'delete' | 'manage';
-  children: React.ReactNode;
-  fallback?: React.ReactNode;
-  strictMode?: boolean;
-  auditLog?: boolean;
-  pageId?: UUID;
-  scope?: Scope;
-  onDenied?: (pageName: string, operation: string, reason: string) => void;
-  loading?: React.ReactNode;
+  pageName: string;           // Page name (e.g., "dashboard", "users") - must match rbac_app_pages.page_name
+  operation: 'read' | 'create' | 'update' | 'delete';  // Operation being performed
+  children: React.ReactNode;   // Content to render if user has permission
+  fallback?: React.ReactNode;  // Content to render if user lacks permission (default: Access Denied component)
+  strictMode?: boolean;        // Enable strict mode for security logging (default: true)
+  auditLog?: boolean;          // Enable audit logging (default: true)
+  pageId?: string;             // Optional page ID override (defaults to pageName)
+  scope?: Scope;               // Optional scope override (defaults to resolving from context)
+  onDenied?: (pageName: string, operation: string) => void;  // Callback when access denied
+  loading?: React.ReactNode;   // Loading state component (default: "Checking permissions...")
 }
 ```
 
-#### Usage
+#### Basic Usage
 
 ```tsx
 import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';
 
-function AdminPage() {
+function DashboardPage() {
+  return (
+    <PagePermissionGuard
+      pageName="dashboard"
+      operation="read"
+      fallback={<div>You don't have permission to view the dashboard</div>}
+    >
+      <DashboardContent />
+    </PagePermissionGuard>
+  );
+}
+```
+
+#### Multiple Operations
+
+```tsx
+function UsersPage() {
   return (
     <div>
+      {/* Read permission - show user list */}
       <PagePermissionGuard
-        pageName="admin"
+        pageName="users"
         operation="read"
-        fallback={<div>Admin access required</div>}
+        fallback={null}
+      >
+        <UserList />
+      </PagePermissionGuard>
+      
+      {/* Create permission - show add button */}
+      <PagePermissionGuard
+        pageName="users"
+        operation="create"
+        fallback={null}
       >
-        <AdminSettings />
+        <AddUserButton />
+      </PagePermissionGuard>
+      
+      {/* Update permission - show edit buttons */}
+      <PagePermissionGuard
+        pageName="users"
+        operation="update"
+        fallback={null}
+      >
+        <EditUserButtons />
       </PagePermissionGuard>
     </div>
   );
 }
 ```
 
+#### Important Notes
+
+1. **Automatic Scope Resolution**: `PagePermissionGuard` automatically resolves `organisationId` from `UnifiedAuthProvider` context. You don't need to pass `scope` unless you need custom scope.
+
+2. **Permission Format**: The component checks for `{operation}:page.{pageName}` in the database. Ensure your `rbac_page_permissions` table has entries matching this format.
+
+3. **Loading State**: The component shows a loading state while checking permissions. Provide a custom `loading` prop if needed.
+
+4. **Error Handling**: If permission check fails, the component shows the `fallback`. Check browser console for `[PagePermissionGuard]` logs to debug issues.
+
 ### NavigationGuard
 
 Conditionally render navigation items based on permissions.

package/docs/rbac/getting-started.md

@@ -70,32 +70,32 @@ export default App;
 
 ## 🎯 **When to Use What Pattern**
 
-### Pattern 1: PermissionEnforcer (Recommended for Pages)
-**Use when**: Protecting entire pages or large components
-**Benefits**: Automatic scope resolution, no manual context handling
+### Pattern 1: PagePermissionGuard (REQUIRED for Pages)
+**Use when**: Protecting entire pages or page-level access
+**Benefits**: Automatic scope resolution, page-level permission checking, strict mode enforcement
 
 ```tsx
-// components/Dashboard.tsx
-import { PermissionEnforcer } from '@jmruthers/pace-core/rbac';
+// pages/Dashboard.tsx
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';
 
 function Dashboard() {
   return (
-    <div>
-      <h1>Dashboard</h1>
-      
-      {/* Automatic scope resolution - no manual context needed */}
-      <PermissionEnforcer
-        permissions={['read:events']}
-        operation="dashboard"
-        fallback={<div>Access Denied</div>}
-      >
+    <PagePermissionGuard
+      pageName="dashboard"
+      operation="read"
+      fallback={<div>Access Denied</div>}
+    >
+      <div>
+        <h1>Dashboard</h1>
         <EventContent />
-      </PermissionEnforcer>
-    </div>
+      </div>
+    </PagePermissionGuard>
   );
 }
 ```
 
+**⚠️ CRITICAL**: Always use `PagePermissionGuard` for pages. It's the only component that properly checks page-level permissions against the database.
+
 ### Pattern 2: usePermissions (For Data Fetching)
 **Use when**: You need the actual permission data for custom logic
 **Requirements**: Must provide explicit scope

package/docs/rbac/quick-start.md

@@ -25,9 +25,11 @@ A simple user management app that demonstrates:
 
 1. **ALWAYS call `setupRBAC()` first** - This is MANDATORY and must be called before any RBAC features
 2. **Never make direct database queries** to `rbac_apps`, `rbac_global_roles`, or other RBAC tables
-3. **Always use `PagePermissionGuard`** for page-level permissions (not manual permission checks)
-4. **Always set up providers correctly** in the exact order shown
-5. **Use the exact app name** from your environment variable (must match database exactly)
+3. **ALWAYS use `PagePermissionGuard`** for page-level permissions - This is the ONLY way to properly protect pages
+4. **ALWAYS set up providers correctly** in the exact order shown below
+5. **Use the exact app name** from your environment variable (must match database exactly, case-sensitive)
+6. **Ensure database setup is complete** before starting the app - App must be registered with pages and permissions
+7. **User must have organisation role** - Users need roles assigned in `rbac_organisation_roles` table
 
 ## 🚀 Step-by-Step Implementation
 
@@ -127,8 +129,11 @@ WHERE a.name = 'user-manager';
 
 #### 5.3 Set Up Page Permissions
 
+**CRITICAL**: Page permissions use the format `{operation}:page.{pageName}` (e.g., `read:page.dashboard`). The database stores permissions per page per role per organisation.
+
 ```sql
 -- Set up basic permissions for each page (replace 'user-manager' with your actual app name)
+-- IMPORTANT: Replace the organisation_id UUID with your actual organisation ID
 WITH app_pages AS (
   SELECT ap.id as page_id, ap.page_name, a.id as app_id
   FROM rbac_app_pages ap
@@ -146,10 +151,24 @@ SELECT
     WHEN role.role_name = 'member' AND ap.page_name IN ('dashboard', 'users') THEN true
     ELSE false
   END,
-  '00000000-0000-0000-0000-000000000000'::uuid -- Replace with your organisation ID
+  '00000000-0000-0000-0000-000000000000'::uuid -- ⚠️ REPLACE THIS with your actual organisation ID
 FROM app_pages ap
 CROSS JOIN (SELECT unnest(ARRAY['read', 'create', 'update', 'delete']) as operation) op
 CROSS JOIN (SELECT unnest(ARRAY['org_admin', 'leader', 'member']) as role_name) role;
+
+-- Verify permissions were created correctly
+SELECT 
+  a.name as app_name,
+  ap.page_name,
+  pp.operation,
+  pp.role_name,
+  pp.allowed,
+  pp.organisation_id
+FROM rbac_page_permissions pp
+JOIN rbac_app_pages ap ON pp.app_page_id = ap.id
+JOIN rbac_apps a ON ap.app_id = a.id
+WHERE a.name = 'user-manager'
+ORDER BY ap.page_name, pp.operation, pp.role_name;
 ```
 
 #### 5.4 Assign User Roles
@@ -202,28 +221,23 @@ if (!supabaseUrl || !supabaseAnonKey) {
 export const supabase = createClient(supabaseUrl, supabaseAnonKey)
 ```
 
-### 8. Initialize RBAC (MANDATORY - NEW STEP!)
+### 8. Initialize RBAC (MANDATORY!)
 
-**CRITICAL**: You MUST call `setupRBAC()` before using any RBAC features. Create `src/lib/rbac-setup.ts`:
+**CRITICAL**: You MUST call `setupRBAC()` before using any RBAC features. This configures rate limiting (default: 1000 requests/minute) and enables security validation.
 
-```typescript
-// src/lib/rbac-setup.ts
-import { setupRBAC } from '@jmruthers/pace-core/rbac'
-import { supabase } from './supabase'
-
-// ⚠️ REQUIRED: Initialize RBAC before using any RBAC features
-setupRBAC(supabase)
-```
-
-**Then import this in your main entry point:**
+**Option 1: Setup in main entry point (Recommended)**
 
 ```typescript
 // src/main.tsx
 import React from 'react'
 import ReactDOM from 'react-dom/client'
-import './lib/rbac-setup' // ⚠️ Import setup BEFORE App
+import { setupRBAC } from '@jmruthers/pace-core/rbac'
+import { supabase } from './lib/supabase'
 import App from './App'
 
+// ⚠️ CRITICAL: Call setupRBAC BEFORE rendering App
+setupRBAC(supabase)
+
 ReactDOM.createRoot(document.getElementById('root')!).render(
   <React.StrictMode>
     <App />
@@ -231,18 +245,24 @@ ReactDOM.createRoot(document.getElementById('root')!).render(
 )
 ```
 
-**Or in your App.tsx (alternative approach):**
+**Option 2: Setup in separate file (Alternative)**
 
 ```typescript
-// src/App.tsx
-import React from 'react'
+// src/lib/rbac-setup.ts
 import { setupRBAC } from '@jmruthers/pace-core/rbac'
-import { supabase } from './lib/supabase'
+import { supabase } from './supabase'
 
-// ⚠️ REQUIRED: Call setupRBAC before anything else
-setupRBAC(supabase)
+// ⚠️ REQUIRED: Initialize RBAC before using any RBAC features
+setupRBAC(supabase, {
+  // Optional: Configure rate limiting for high-traffic apps
+  security: {
+    maxPermissionChecksPerMinute: 2000 // Increase from default 1000 if needed
+  }
+})
 
-// ... rest of your app
+// src/main.tsx
+import './lib/rbac-setup' // Import BEFORE App
+import App from './App'
 ```
 
 ### 9. App Setup (CRITICAL)
@@ -560,12 +580,25 @@ export function Users() {
 
 Your RBAC setup is working correctly if:
 
+**Setup Checklist:**
+- [ ] `setupRBAC(supabase)` is called before rendering App
+- [ ] App is registered in `rbac_apps` table with `is_active = true`
+- [ ] Pages exist in `rbac_app_pages` for your app
+- [ ] Page permissions exist in `rbac_page_permissions` for your pages, roles, and organisation
+- [ ] User has an active role in `rbac_organisation_roles` for the organisation
+- [ ] `VITE_APP_NAME` environment variable matches database `rbac_apps.name` exactly
+
+**Runtime Checklist:**
 - [ ] You can log in successfully
+- [ ] Browser console shows "RBAC system initialized successfully"
 - [ ] You see the dashboard without "Access Denied" messages
+- [ ] `PagePermissionGuard` shows loading state, then renders content (not fallback)
 - [ ] You can navigate to the users page
 - [ ] You see "Success! Your RBAC setup is working correctly" on the users page
 - [ ] No 400/406 errors in the browser console
 - [ ] No "App not found" errors in the console
+- [ ] No "STRICT MODE VIOLATION" errors in the console
+- [ ] No "rate_limit_exceeded" errors (if you see these, increase rate limit in setupRBAC)
 
 ## 🚨 Troubleshooting
 
@@ -579,33 +612,75 @@ import { setupRBAC } from '@jmruthers/pace-core/rbac'
 setupRBAC(supabase) // Must be called BEFORE rendering app
 ```
 
-### Issue: "Access Denied" on all pages
+### Issue: "Access Denied" or "STRICT MODE VIOLATION" on all pages
+
+**This is the most common issue. Check these in EXACT ORDER:**
 
-**Check these in order:**
+1. **Verify setupRBAC was called**:
+   - Check browser console for "RBAC system initialized successfully"
+   - If missing, add `setupRBAC(supabase)` in your main.tsx before rendering
 
-1. **Verify your app is registered**:
+2. **Verify your app is registered and active**:
    ```sql
-   SELECT * FROM rbac_apps WHERE name = 'user-manager';
+   SELECT id, name, display_name, requires_event, is_active 
+   FROM rbac_apps 
+   WHERE name = 'user-manager';
    ```
+   - Must return exactly 1 row
+   - `is_active` must be `true`
+   - `name` must match your `VITE_APP_NAME` exactly (case-sensitive)
 
-2. **Check your environment variable**:
+3. **Check your environment variable matches database**:
    ```typescript
-   console.log('App name:', import.meta.env.VITE_APP_NAME);
+   console.log('App name from env:', import.meta.env.VITE_APP_NAME);
+   ```
+   - Must match database `rbac_apps.name` exactly
+
+4. **Verify pages exist for your app**:
+   ```sql
+   SELECT ap.id, ap.page_name, ap.page_description
+   FROM rbac_app_pages ap
+   JOIN rbac_apps a ON ap.app_id = a.id
+   WHERE a.name = 'user-manager'
+   ORDER BY ap.page_name;
    ```
+   - Must have pages for `dashboard`, `users`, etc.
 
-3. **Verify user has roles**:
+5. **Verify user has organisation role**:
    ```sql
-   SELECT * FROM rbac_organisation_roles WHERE user_id = 'your-user-id';
+   SELECT ror.*, u.email
+   FROM rbac_organisation_roles ror
+   JOIN auth.users u ON ror.user_id = u.id
+   WHERE ror.user_id = 'your-user-id'::uuid 
+     AND ror.status = 'active';
    ```
+   - User must have at least one active role
+   - Must be for the organisation you're testing with
 
-4. **Check page permissions exist**:
+6. **Check page permissions exist for user's role**:
    ```sql
-   SELECT pp.*, ap.page_name, a.name as app_name
+   SELECT 
+     ap.page_name,
+     pp.operation,
+     pp.role_name,
+     pp.allowed,
+     pp.organisation_id
    FROM rbac_page_permissions pp
    JOIN rbac_app_pages ap ON pp.app_page_id = ap.id
    JOIN rbac_apps a ON ap.app_id = a.id
-   WHERE a.name = 'user-manager';
+   WHERE a.name = 'user-manager'
+     AND pp.role_name = 'org_admin'  -- Replace with your user's role
+     AND pp.organisation_id = 'your-org-id'::uuid  -- Replace with your org ID
+     AND pp.allowed = true;
    ```
+   - Must have permissions for the pages you're trying to access
+   - Must have `allowed = true` for the operation (read, create, etc.)
+   - `organisation_id` must match the organisation the user is accessing
+
+7. **Check browser console for specific errors**:
+   - Look for `[PagePermissionGuard]` error messages
+   - Look for `[useCan]` permission check logs
+   - Look for rate limit errors (if you see these, you may need to increase the limit)
 
 ### Issue: 400/406 Database Errors
 

package/docs/rbac/troubleshooting.md

@@ -12,11 +12,134 @@ This guide helps you resolve common issues when using the PACE Core RBAC system.
 
 ## 🚨 Critical Issues (Fix Immediately)
 
-### 1. "Access Denied" on All Pages - Missing App ID
+### 1. "STRICT MODE VIOLATION" Error - Page Access Denied
+
+**Symptoms:**
+- Console shows `[PagePermissionGuard] STRICT MODE VIOLATION: User attempted to access protected page without permission`
+- Error object shows: `{ pageName: "menus", operation: "read", userId: "...", scope: {...} }`
+- Pages show fallback/access denied content even for users who should have permission
+- All permission checks return `false`
+
+**Root Cause:** One or more of these issues:
+1. Missing or incorrect database setup (app, pages, or permissions)
+2. User doesn't have organisation role for the organisation being accessed
+3. Page permissions don't exist for user's role and organisation
+4. `setupRBAC()` wasn't called before using RBAC features
+5. Rate limiting is too restrictive (unlikely with default 1000/minute)
+
+**Fix (Check in order):**
+
+**Step 1: Verify setupRBAC was called**
+```typescript
+// Check browser console for this message:
+// "RBAC system initialized successfully"
+
+// If missing, add to main.tsx:
+import { setupRBAC } from '@jmruthers/pace-core/rbac';
+setupRBAC(supabase); // BEFORE rendering App
+```
+
+**Step 2: Verify app registration**
+```sql
+-- Check app exists and is active
+SELECT id, name, display_name, requires_event, is_active 
+FROM rbac_apps 
+WHERE name = 'your-app-name';  -- Replace with actual app name
+
+-- Must return 1 row with is_active = true
+-- name must match VITE_APP_NAME environment variable exactly
+```
+
+**Step 3: Verify pages exist**
+```sql
+-- Check pages exist for your app
+SELECT ap.id, ap.page_name, ap.page_description
+FROM rbac_app_pages ap
+JOIN rbac_apps a ON ap.app_id = a.id
+WHERE a.name = 'your-app-name'
+ORDER BY ap.page_name;
+
+-- Must have a page matching your pageName prop (e.g., "menus")
+```
+
+**Step 4: Verify user has organisation role**
+```sql
+-- Check user's role for the organisation
+SELECT ror.*, u.email
+FROM rbac_organisation_roles ror
+JOIN auth.users u ON ror.user_id = u.id
+WHERE ror.user_id = 'user-id-from-error'::uuid 
+  AND ror.organisation_id = 'org-id-from-scope'::uuid  -- From error scope
+  AND ror.status = 'active';
+
+-- User must have at least one active role (e.g., 'org_admin', 'leader', 'member')
+```
+
+**Step 5: Verify page permissions exist**
+```sql
+-- Check permissions for user's role, page, and organisation
+SELECT 
+  ap.page_name,
+  pp.operation,
+  pp.role_name,
+  pp.allowed,
+  pp.organisation_id
+FROM rbac_page_permissions pp
+JOIN rbac_app_pages ap ON pp.app_page_id = ap.id
+JOIN rbac_apps a ON ap.app_id = a.id
+WHERE a.name = 'your-app-name'
+  AND ap.page_name = 'menus'  -- From error pageName
+  AND pp.operation = 'read'   -- From error operation
+  AND pp.role_name = 'org_admin'  -- From Step 4 role
+  AND pp.organisation_id = 'org-id-from-scope'::uuid  -- From error scope
+  AND pp.allowed = true;
+
+-- Must return at least 1 row with allowed = true
+```
+
+**Step 6: Create missing permissions if needed**
+```sql
+-- Grant read permission for a page to a role
+INSERT INTO rbac_page_permissions (app_page_id, operation, role_name, allowed, organisation_id)
+SELECT 
+  ap.id,
+  'read',
+  'org_admin',  -- Or user's actual role
+  true,
+  'your-org-id'::uuid  -- From error scope
+FROM rbac_app_pages ap
+JOIN rbac_apps a ON ap.app_id = a.id
+WHERE a.name = 'your-app-name'
+  AND ap.page_name = 'menus';
+```
+
+### 2. "rate_limit_exceeded" Error
+
+**Symptoms:**
+- Console shows `[RBAC Security] Object { type: "rate_limit_exceeded", userId: "...", details: {...} }`
+- Permission checks stop working temporarily
+- Users can't access pages they should have permission for
+
+**Root Cause:** Default rate limit (1000 requests/minute) exceeded
+
+**Fix:**
+```typescript
+// Increase rate limit in setupRBAC
+import { setupRBAC } from '@jmruthers/pace-core/rbac';
+
+setupRBAC(supabase, {
+  security: {
+    maxPermissionChecksPerMinute: 2000  // Increase from default 1000
+  }
+});
+```
+
+**Note:** Rate limiting is per user, so if you have many components checking permissions on page load, you may need a higher limit.
+
+### 3. "Access Denied" on All Pages - Missing App ID
 
 **Symptoms:**
 - Users see "Access Denied" on every page
-- Console shows `[PagePermissionGuard] STRICT MODE VIOLATION` errors
 - Console shows `scope: { organisationId: "...", eventId: "..." }` (missing `appId`)
 - All permission checks return `false`
 

package/docs/security/README.md

@@ -16,6 +16,7 @@ PACE Core is designed with security as a first-class concern, providing:
 - **Comprehensive RBAC system** with fine-grained permissions
 - **Secure data access** with row-level security
 - **Audit logging** for compliance and monitoring
+- **Automatic login history tracking** for security audits and compliance
 - **Input validation** and sanitization
 - **XSS protection** and secure coding practices
 - **Auto-logout on inactivity** for enhanced security
@@ -59,6 +60,64 @@ Sessions are automatically managed by PACE Core:
 - **Session validation** on every request
 - **Automatic logout** on token expiration
 - **Inactivity auto-logout** after 30 minutes of inactivity (configurable)
+- **Automatic login history tracking** - All user logins are automatically recorded
+
+### 2.1 Login History Tracking
+
+PACE Core **automatically tracks all user logins** for security auditing and compliance - no manual intervention required.
+
+- **Fully Automatic** - Simply use `UnifiedAuthProvider` with `appName` prop - tracking happens automatically
+- **No Configuration Needed** - No calls to tracking functions, no setup code, no manual intervention
+- **Complete Audit Trail** - Records user ID, email, timestamp, IP address, user agent, and application context
+- **Database Storage** - All login events are stored in `rbac_user_login_history` table automatically
+- **Application Context** - Tracks which application the user logged into (when `appName` is provided)
+- **Non-Blocking** - Tracking failures don't prevent authentication from succeeding
+- **Privacy Compliant** - Users can only view their own login history (RLS enforced)
+
+**How It Works:**
+
+Login history tracking is **completely automatic** when you use `UnifiedAuthProvider`. Simply provide the `appName` prop (which is already required) and tracking happens automatically:
+
+```tsx
+import { UnifiedAuthProvider } from '@jmruthers/pace-core';
+
+function App() {
+  return (
+    <UnifiedAuthProvider
+      supabaseClient={supabaseClient}
+      appName="MY_APP"  // Optional: Enables app-specific tracking
+      // ... other props
+    >
+      <YourApp />
+    </UnifiedAuthProvider>
+  );
+}
+```
+
+**Querying Login History:**
+
+Login history can be queried directly from the database:
+
+```sql
+-- Get user's login history
+SELECT 
+  login_timestamp,
+  email,
+  ip_address,
+  user_agent,
+  app_id
+FROM rbac_user_login_history
+WHERE user_id = auth.uid()
+ORDER BY login_timestamp DESC
+LIMIT 100;
+```
+
+**Security Notes:**
+
+- Login history insertion uses `SECURITY DEFINER` functions (bypasses RLS)
+- RLS policies ensure users can only view their own login history
+- Failed tracking attempts are logged but don't break authentication
+- All tracking is asynchronous and non-blocking
 
 ```tsx
 import { useUnifiedAuth } from '@jmruthers/pace-core';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jmruthers/pace-core",
-  "version": "0.5.108",
+  "version": "0.5.110",
   "description": "Clean, modern React component library with Tailwind v4 styling and native utilities",
   "private": false,
   "publishConfig": {

package/src/components/NavigationMenu/NavigationMenu.test.tsx

@@ -64,12 +64,12 @@ const mockUseResolvedScope = vi.hoisted(() => vi.fn(() => ({
 })));
 
 const mockUsePermissions = vi.hoisted(() => vi.fn(() => ({
-  permissions: {} as any,
+  permissions: { '*': true } as any, // Grant all permissions by default (super admin access)
   isLoading: false,
   error: null,
-  hasPermission: vi.fn(() => false),
-  hasAnyPermission: vi.fn(() => false),
-  hasAllPermissions: vi.fn(() => false),
+  hasPermission: vi.fn(() => true), // Default to allowing all permissions
+  hasAnyPermission: vi.fn(() => true), // Default to allowing all permissions
+  hasAllPermissions: vi.fn(() => true), // Default to allowing all permissions
   refetch: vi.fn(),
 })));
 
@@ -137,6 +137,40 @@ describe('NavigationMenu Component', () => {
     console.log = vi.fn();
     console.warn = vi.fn();
     console.error = vi.fn();
+    
+    // Reset mocks to default permissive state (super admin access)
+    // Tests that need to test permission filtering can override these
+    mockUsePermissions.mockReturnValue({
+      permissions: { '*': true } as any,
+      isLoading: false,
+      error: null,
+      hasPermission: vi.fn(() => true),
+      hasAnyPermission: vi.fn(() => true),
+      hasAllPermissions: vi.fn(() => true),
+      refetch: vi.fn(),
+    });
+    
+    mockUseRBAC.mockReturnValue({
+      user: { id: 'test-user', email: 'test@example.com' },
+      globalRole: null,
+      organisationRole: null,
+      eventAppRole: null,
+      hasPermission: vi.fn(),
+      hasGlobalPermission: vi.fn(),
+      isSuperAdmin: false,
+      isOrgAdmin: false,
+      isEventAdmin: false,
+      canManageOrganisation: false,
+      canManageEvent: false,
+      isLoading: false,
+      error: null,
+    });
+    
+    mockUseResolvedScope.mockReturnValue({
+      resolvedScope: { organisationId: 'test-org-1', eventId: undefined, appId: undefined },
+      isLoading: false,
+    });
+    
     // Note: hasPermission, hasRole, hasAccessLevel were removed from UnifiedAuthProvider
     // Use useRBAC() hook for permissions instead
   });