npm - @jmruthers/pace-core - Versions diffs - 0.5.109 → 0.5.111 - Mend

@jmruthers/pace-core 0.5.109 → 0.5.111

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (240) hide show

package/CHANGELOG.md +22 -0
package/dist/{AuthService-DrHrvXNZ.d.ts → AuthService-CVgsgtaZ.d.ts} +8 -0
package/dist/{DataTable-5HITILXS.js → DataTable-5W2HVLLV.js} +8 -8
package/dist/{UnifiedAuthProvider-A7I23UCN.js → UnifiedAuthProvider-LUM3QLS5.js} +3 -3
package/dist/{api-5I3E47G2.js → api-SIZPFBFX.js} +5 -3
package/dist/{audit-65VNHEV2.js → audit-5JI5T3SL.js} +2 -2
package/dist/{chunk-P72NKAT5.js → chunk-2BIDKXQU.js} +157 -120
package/dist/chunk-2BIDKXQU.js.map +1 -0
package/dist/{chunk-S4D3Z723.js → chunk-ACYQNYHB.js} +7 -7
package/dist/{chunk-D6MEKC27.js → chunk-EFVQBYFN.js} +2 -2
package/dist/{chunk-EZ64QG2I.js → chunk-I5YM5BGS.js} +2 -2
package/dist/{chunk-Q7APDV6H.js → chunk-IWJYNWXN.js} +13 -5
package/dist/chunk-IWJYNWXN.js.map +1 -0
package/dist/{chunk-YFMENCR4.js → chunk-JE2GFA3O.js} +3 -3
package/dist/{chunk-AUXS7XSO.js → chunk-MW73E7SP.js} +35 -11
package/dist/chunk-MW73E7SP.js.map +1 -0
package/dist/{chunk-F6TSYCKP.js → chunk-PXXS26G5.js} +68 -29
package/dist/chunk-PXXS26G5.js.map +1 -0
package/dist/{chunk-UW2DE6JX.js → chunk-TD4BXGPE.js} +4 -4
package/dist/{chunk-EYSXQ756.js → chunk-TDFBX7KJ.js} +2 -2
package/dist/{chunk-WWNOVFDC.js → chunk-UGVU7L7N.js} +52 -90
package/dist/chunk-UGVU7L7N.js.map +1 -0
package/dist/{chunk-2W4WKJVF.js → chunk-X7SPKHYZ.js} +290 -255
package/dist/chunk-X7SPKHYZ.js.map +1 -0
package/dist/{chunk-3TKTL5AZ.js → chunk-ZL45MG76.js} +60 -60
package/dist/chunk-ZL45MG76.js.map +1 -0
package/dist/components.js +10 -10
package/dist/hooks.d.ts +11 -1
package/dist/hooks.js +9 -7
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.js +13 -13
package/dist/providers.d.ts +2 -2
package/dist/providers.js +2 -2
package/dist/rbac/index.d.ts +46 -29
package/dist/rbac/index.js +9 -9
package/dist/utils.js +1 -1
package/docs/api/classes/ColumnFactory.md +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +4 -4
package/docs/api/classes/MissingUserContextError.md +4 -4
package/docs/api/classes/OrganisationContextRequiredError.md +4 -4
package/docs/api/classes/PermissionDeniedError.md +4 -4
package/docs/api/classes/PublicErrorBoundary.md +1 -1
package/docs/api/classes/RBACAuditManager.md +8 -8
package/docs/api/classes/RBACCache.md +8 -8
package/docs/api/classes/RBACEngine.md +9 -8
package/docs/api/classes/RBACError.md +4 -4
package/docs/api/classes/RBACNotInitializedError.md +4 -4
package/docs/api/classes/SecureSupabaseClient.md +1 -1
package/docs/api/classes/StorageUtils.md +1 -1
package/docs/api/enums/FileCategory.md +1 -1
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/DataAccessRecord.md +1 -1
package/docs/api/interfaces/DataRecord.md +1 -1
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
package/docs/api/interfaces/FileDisplayProps.md +1 -1
package/docs/api/interfaces/FileMetadata.md +1 -1
package/docs/api/interfaces/FileReference.md +1 -1
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadOptions.md +1 -1
package/docs/api/interfaces/FileUploadProps.md +1 -1
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +1 -1
package/docs/api/interfaces/NavigationContextType.md +1 -1
package/docs/api/interfaces/NavigationGuardProps.md +1 -1
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +1 -1
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +1 -1
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +27 -27
package/docs/api/interfaces/PaceLoginPageProps.md +4 -4
package/docs/api/interfaces/PageAccessRecord.md +1 -1
package/docs/api/interfaces/PagePermissionContextType.md +1 -1
package/docs/api/interfaces/PagePermissionGuardProps.md +1 -1
package/docs/api/interfaces/PagePermissionProviderProps.md +1 -1
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/PermissionEnforcerProps.md +1 -1
package/docs/api/interfaces/ProtectedRouteProps.md +1 -1
package/docs/api/interfaces/PublicErrorBoundaryProps.md +1 -1
package/docs/api/interfaces/PublicErrorBoundaryState.md +1 -1
package/docs/api/interfaces/PublicLoadingSpinnerProps.md +1 -1
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/RBACConfig.md +19 -8
package/docs/api/interfaces/RBACLogger.md +5 -5
package/docs/api/interfaces/RoleBasedRouterContextType.md +8 -8
package/docs/api/interfaces/RoleBasedRouterProps.md +10 -10
package/docs/api/interfaces/RouteAccessRecord.md +10 -10
package/docs/api/interfaces/RouteConfig.md +19 -6
package/docs/api/interfaces/SecureDataContextType.md +1 -1
package/docs/api/interfaces/SecureDataProviderProps.md +1 -1
package/docs/api/interfaces/StorageConfig.md +1 -1
package/docs/api/interfaces/StorageFileInfo.md +1 -1
package/docs/api/interfaces/StorageFileMetadata.md +1 -1
package/docs/api/interfaces/StorageListOptions.md +1 -1
package/docs/api/interfaces/StorageListResult.md +1 -1
package/docs/api/interfaces/StorageUploadOptions.md +1 -1
package/docs/api/interfaces/StorageUploadResult.md +1 -1
package/docs/api/interfaces/StorageUrlOptions.md +1 -1
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/SwitchProps.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +1 -1
package/docs/api/interfaces/UnifiedAuthProviderProps.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UseResolvedScopeOptions.md +1 -1
package/docs/api/interfaces/UseResolvedScopeReturn.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +1 -1
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +44 -43
package/docs/api-reference/hooks.md +8 -4
package/docs/architecture/rpc-function-standards.md +3 -1
package/docs/best-practices/common-patterns.md +3 -3
package/docs/best-practices/deployment.md +10 -4
package/docs/best-practices/performance.md +11 -3
package/docs/core-concepts/organisations.md +8 -8
package/docs/core-concepts/permissions.md +133 -72
package/docs/documentation-index.md +0 -2
package/docs/migration/rbac-migration.md +65 -66
package/docs/rbac/README.md +114 -38
package/docs/rbac/advanced-patterns.md +15 -22
package/docs/rbac/api-reference.md +63 -16
package/docs/rbac/examples.md +12 -12
package/docs/rbac/getting-started.md +19 -19
package/docs/rbac/quick-start.md +110 -35
package/docs/rbac/troubleshooting.md +127 -3
package/package.json +1 -1
package/src/components/DataTable/components/__tests__/ActionButtons.test.tsx +913 -0
package/src/components/DataTable/components/__tests__/ColumnFilter.test.tsx +609 -0
package/src/components/DataTable/components/__tests__/EmptyState.test.tsx +434 -0
package/src/components/DataTable/components/__tests__/LoadingState.test.tsx +120 -0
package/src/components/DataTable/components/__tests__/PaginationControls.test.tsx +519 -0
package/src/components/DataTable/examples/__tests__/HierarchicalActionsExample.test.tsx +316 -0
package/src/components/DataTable/examples/__tests__/InitialPageSizeExample.test.tsx +211 -0
package/src/components/FileUpload/FileUpload.tsx +2 -8
package/src/components/NavigationMenu/NavigationMenu.test.tsx +38 -4
package/src/components/NavigationMenu/NavigationMenu.tsx +71 -6
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +193 -63
package/src/components/PaceAppLayout/PaceAppLayout.tsx +102 -135
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.accessibility.test.tsx +41 -2
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.integration.test.tsx +61 -6
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.performance.test.tsx +71 -21
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.security.test.tsx +113 -41
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.unit.test.tsx +155 -45
package/src/components/PaceLoginPage/PaceLoginPage.tsx +30 -1
package/src/hooks/__tests__/usePermissionCache.simple.test.ts +63 -5
package/src/hooks/__tests__/usePermissionCache.unit.test.ts +156 -72
package/src/hooks/__tests__/useRBAC.unit.test.ts +4 -38
package/src/hooks/index.ts +1 -1
package/src/hooks/useFileDisplay.ts +51 -0
package/src/hooks/usePermissionCache.test.ts +112 -68
package/src/hooks/usePermissionCache.ts +55 -15
package/src/rbac/README.md +81 -39
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +3 -3
package/src/rbac/__tests__/engine.comprehensive.test.ts +15 -6
package/src/rbac/__tests__/rbac-core.test.tsx +1 -1
package/src/rbac/__tests__/rbac-engine-core-logic.test.ts +57 -4
package/src/rbac/__tests__/rbac-engine-simplified.test.ts +3 -2
package/src/rbac/adapters.tsx +4 -4
package/src/rbac/api.test.ts +39 -15
package/src/rbac/api.ts +27 -9
package/src/rbac/audit.test.ts +2 -2
package/src/rbac/audit.ts +14 -5
package/src/rbac/cache.test.ts +12 -0
package/src/rbac/cache.ts +29 -9
package/src/rbac/components/EnhancedNavigationMenu.test.tsx +1 -1
package/src/rbac/components/NavigationGuard.tsx +14 -14
package/src/rbac/components/NavigationProvider.test.tsx +1 -1
package/src/rbac/components/PagePermissionGuard.tsx +22 -38
package/src/rbac/components/PagePermissionProvider.test.tsx +1 -1
package/src/rbac/components/PermissionEnforcer.tsx +19 -15
package/src/rbac/components/RoleBasedRouter.tsx +16 -9
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +123 -107
package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx +2 -2
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +121 -103
package/src/rbac/config.ts +2 -0
package/src/rbac/docs/event-based-apps.md +6 -6
package/src/rbac/engine.ts +27 -7
package/src/rbac/hooks/useCan.test.ts +29 -2
package/src/rbac/hooks/usePermissions.test.ts +25 -25
package/src/rbac/hooks/usePermissions.ts +47 -23
package/src/rbac/hooks/useRBAC.simple.test.ts +1 -8
package/src/rbac/hooks/useRBAC.test.ts +3 -40
package/src/rbac/hooks/useRBAC.ts +0 -55
package/src/rbac/hooks/useResolvedScope.ts +23 -31
package/src/rbac/permissions.test.ts +11 -7
package/src/rbac/security.test.ts +2 -2
package/src/rbac/security.ts +23 -8
package/src/rbac/types.test.ts +2 -2
package/src/rbac/types.ts +1 -2
package/src/services/EventService.ts +41 -13
package/src/services/__tests__/EventService.test.ts +25 -4
package/src/services/interfaces/IEventService.ts +1 -0
package/src/utils/file-reference.ts +9 -0
package/dist/chunk-2W4WKJVF.js.map +0 -1
package/dist/chunk-3TKTL5AZ.js.map +0 -1
package/dist/chunk-AUXS7XSO.js.map +0 -1
package/dist/chunk-F6TSYCKP.js.map +0 -1
package/dist/chunk-P72NKAT5.js.map +0 -1
package/dist/chunk-Q7APDV6H.js.map +0 -1
package/dist/chunk-WWNOVFDC.js.map +0 -1
package/docs/rbac/breaking-changes-v3.md +0 -222
package/docs/rbac/migration-guide.md +0 -260
/package/dist/{DataTable-5HITILXS.js.map → DataTable-5W2HVLLV.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-A7I23UCN.js.map → UnifiedAuthProvider-LUM3QLS5.js.map} +0 -0
/package/dist/{api-5I3E47G2.js.map → api-SIZPFBFX.js.map} +0 -0
/package/dist/{audit-65VNHEV2.js.map → audit-5JI5T3SL.js.map} +0 -0
/package/dist/{chunk-S4D3Z723.js.map → chunk-ACYQNYHB.js.map} +0 -0
/package/dist/{chunk-D6MEKC27.js.map → chunk-EFVQBYFN.js.map} +0 -0
/package/dist/{chunk-EZ64QG2I.js.map → chunk-I5YM5BGS.js.map} +0 -0
/package/dist/{chunk-YFMENCR4.js.map → chunk-JE2GFA3O.js.map} +0 -0
/package/dist/{chunk-UW2DE6JX.js.map → chunk-TD4BXGPE.js.map} +0 -0
/package/dist/{chunk-EYSXQ756.js.map → chunk-TDFBX7KJ.js.map} +0 -0

package/src/rbac/README.md CHANGED Viewed

@@ -44,25 +44,15 @@ The RBAC system includes comprehensive security measures:
 ```typescript
 import { isPermitted } from '@jmruthers/pace-core/rbac';
-// Basic usage (backward compatible)
+// Basic usage - organisationId is required
 const hasPermission = await isPermitted({
   userId: 'user-123',
-  scope: { organisationId: 'org-456' },
-  permission: 'manage:events'
+  scope: { organisationId: 'org-456' }, // organisationId is required
+  permission: 'update:events'
 });
-// Enhanced usage with security context
-const hasPermissionSecure = await isPermitted({
-  userId: 'user-123',
-  scope: { organisationId: 'org-456' },
-  permission: 'manage:events'
-}, {
-  userId: 'user-123',
-  organisationId: 'org-456',
-  ipAddress: '192.168.1.1',
-  userAgent: 'Mozilla/5.0...',
-  timestamp: new Date()
-});
+// Security context is automatically created internally
+// If organisationId is missing, OrganisationContextRequiredError is thrown
 ```
 ### Security Context Examples
@@ -77,17 +67,16 @@ app.get('/api/users', async (req, res) => {
   const userId = req.user.id;
   const organisationId = req.user.organisationId;
-  // Use security context for API routes
+  // organisationId is required - if missing, OrganisationContextRequiredError is thrown
+  if (!organisationId) {
+    return res.status(400).json({ error: 'Organisation context is required' });
+  }
+  // Check permission - security context is created automatically
   const hasAccess = await isPermitted({
     userId,
-    scope: { organisationId },
+    scope: { organisationId }, // Required
     permission: 'read:users'
-  }, {
-    userId,
-    organisationId,
-    ipAddress: req.ip,
-    userAgent: req.get('User-Agent'),
-    timestamp: new Date()
   });
   if (!hasAccess) {
@@ -111,7 +100,7 @@ function UserManagement() {
   const { hasPermission, isLoading } = useCan(
     user.id,
     { organisationId: user.organisationId },
-    'manage:users',
+    'update:users',
     true, // useCache
     {
       userId: user.id,
@@ -172,7 +161,7 @@ function AdminDashboard() {
     [
       'read:users',
       'create:events',
-      'manage:organisations',
+      'update:organisations',
       'delete:data'
     ],
     {
@@ -190,7 +179,7 @@ function AdminDashboard() {
     <div>
       {permissions['read:users'] && <UserManagement />}
       {permissions['create:events'] && <EventCreation />}
-      {permissions['manage:organisations'] && <OrganisationSettings />}
+      {permissions['update:organisations'] && <OrganisationSettings />}
     </div>
   );
 }
@@ -283,7 +272,7 @@ function UserActions() {
   return (
     <div>
       {permissions['page-1']?.includes('read') && <ReadButton />}
-      {permissions['page-1']?.includes('manage') && <ManageButton />}
+      {permissions['page-1']?.includes('update') && <UpdateButton />}
     </div>
   );
 }
@@ -308,7 +297,7 @@ function UserActions() {
       eventId: undefined,
       appId: undefined
     },
-    'manage:users',
+    'update:users',
     'page-123' // optional pageId
   );
@@ -447,7 +436,7 @@ import { isPermitted, getAccessLevel, getPermissionMap } from '@jmruthers/pace-c
 const canManage = await isPermitted({
   userId: 'user-123',
   scope: { organisationId: 'org-456' },
-  permission: 'manage:events',
+  permission: 'update:events',
   pageId: 'page-789'
 });
@@ -482,7 +471,7 @@ function MyComponent() {
   const { can, isLoading: checking } = useCan(
     'user-123',
     { organisationId: 'org-456' },
-    'manage:events'
+    'update:events'
   );
   const { accessLevel } = useAccessLevel(
@@ -511,7 +500,7 @@ function App() {
   return (
     <div>
       <PermissionEnforcer
-        permissions={['manage:events']}
+        permissions={['update:events']}
         operation="event-management"
         fallback={<AccessDenied />}
       >
@@ -537,7 +526,7 @@ import { withPermissionGuard, withAccessLevelGuard } from '@jmruthers/pace-core/
 // Express middleware
 app.get('/admin',
-  withPermissionGuard({ permission: 'manage:admin' },
+  withPermissionGuard({ permission: 'update:admin' },
     (req, res) => {
       res.json({ message: 'Admin access granted' });
     }
@@ -566,7 +555,7 @@ Check if a user has a specific permission.
 const hasPermission = await isPermitted({
   userId: 'user-123',
   scope: { organisationId: 'org-456' },
-  permission: 'manage:events',
+  permission: 'update:events',
   pageId: 'page-789'
 });
 ```
@@ -616,7 +605,7 @@ Hook to check if user has a specific permission.
 const { can, isLoading, error, check } = useCan(
   'user-123',
   { organisationId: 'org-456' },
-  'manage:events',
+  'update:events',
   'page-789'
 );
 ```
@@ -639,14 +628,34 @@ const { accessLevel, isLoading, error, refetch } = useAccessLevel(
 Conditionally renders children based on permissions. Works for both organization-based and event-based apps.
 ```tsx
+// Single permission
 <PermissionEnforcer
-  permissions={['manage:events']}
+  permissions={['update:events']}
   operation="event-management"
   fallback={<AccessDenied />}
-  onDenied={() => console.log('Access denied')}
 >
   <AdminPanel />
 </PermissionEnforcer>
+// Multiple permissions - require ALL (default)
+<PermissionEnforcer
+  permissions={['read:events', 'update:events']}
+  operation="event-management"
+  requireAll={true}
+  fallback={<AccessDenied />}
+>
+  <EventManagementPanel />
+</PermissionEnforcer>
+// Multiple permissions - require ANY
+<PermissionEnforcer
+  permissions={['read:events', 'read:reports']}
+  operation="viewing"
+  requireAll={false}
+  fallback={<AccessDenied />}
+>
+  <ViewingPanel />
+</PermissionEnforcer>
 ```
 #### `PagePermissionGuard`
@@ -676,6 +685,39 @@ Conditionally renders navigation items based on permissions.
 </NavigationGuard>
 ```
+#### `RoleBasedRouter`
+Centralized routing with permission enforcement and public route support.
+```tsx
+const routes: RouteConfig[] = [
+  {
+    path: '/dashboard',
+    component: Dashboard,
+    permissions: ['read:dashboard'],
+  },
+  {
+    path: '/login',
+    component: Login,
+    public: true, // Public route - no permission checks
+  },
+  {
+    path: '/admin',
+    component: Admin,
+    permissions: ['update:admin'],
+    accessLevel: 'admin',
+  },
+];
+<RoleBasedRouter
+  routes={routes}
+  fallbackRoute="/unauthorized"
+  strictMode={true}
+>
+  <App />
+</RoleBasedRouter>
+```
 ### Server Adapters
 #### `withPermissionGuard(config, handler)`
@@ -684,7 +726,7 @@ Wraps a server handler with permission checking.
 ```typescript
 const protectedHandler = withPermissionGuard(
-  { permission: 'manage:events', pageId: 'page-789' },
+  { permission: 'update:events', pageId: 'page-789' },
   async (req, res) => {
     // Handler logic here
     res.json({ success: true });
@@ -711,12 +753,12 @@ const adminHandler = withAccessLevelGuard(
 ### Core Types
 ```typescript
-type Operation = 'read' | 'create' | 'update' | 'delete' | 'manage';
+type Operation = 'read' | 'create' | 'update' | 'delete';
 type Permission = `${Operation}:${string}`;
 type AccessLevel = 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
 interface Scope {
-  organisationId?: UUID;
+  organisationId: UUID; // Required - can always be derived from event context in event-based apps
   eventId?: string;
   appId?: UUID;
 }

package/src/rbac/__tests__/adapters.comprehensive.test.tsx CHANGED Viewed

@@ -686,7 +686,7 @@ describe('RBAC Adapters - Comprehensive Tests', () => {
       it('redirects to fallback URL when permission is denied', async () => {
         const middleware = createRBACMiddleware({
           protectedRoutes: [
-            { path: '/admin', permission: 'manage:admin' as Permission }
+            { path: '/admin', permission: 'update:admin' as Permission }
           ],
           fallbackUrl: '/access-denied'
         });
@@ -710,7 +710,7 @@ describe('RBAC Adapters - Comprehensive Tests', () => {
       it('calls next when permission is granted', async () => {
         const middleware = createRBACMiddleware({
           protectedRoutes: [
-            { path: '/admin', permission: 'manage:admin' as Permission }
+            { path: '/admin', permission: 'update:admin' as Permission }
           ],
           fallbackUrl: '/access-denied'
         });
@@ -734,7 +734,7 @@ describe('RBAC Adapters - Comprehensive Tests', () => {
       it('redirects to login when user context is missing', async () => {
         const middleware = createRBACMiddleware({
           protectedRoutes: [
-            { path: '/admin', permission: 'manage:admin' as Permission }
+            { path: '/admin', permission: 'update:admin' as Permission }
           ],
           fallbackUrl: '/access-denied'
         });

package/src/rbac/__tests__/engine.comprehensive.test.ts CHANGED Viewed

@@ -58,9 +58,10 @@ describe('RBACEngine - Comprehensive Tests', () => {
   });
   // Helper function to create security context
-  const createSecurityContext = (userId: string, organisationId?: string) => ({
+  // OrganisationId is required - use mockOrgId as default
+  const createSecurityContext = (userId: string, organisationId: string = mockOrgId) => ({
     userId: userId as UUID,
-    organisationId: organisationId as UUID | undefined,
+    organisationId: organisationId as UUID,
     timestamp: new Date()
   });
@@ -84,7 +85,7 @@ describe('RBACEngine - Comprehensive Tests', () => {
       const permissionCheck: PermissionCheck = {
         userId: '00000000-0000-0000-0000-000000000001' as UUID,
         scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
-        permission: 'manage:everything' as Permission
+        permission: 'update:everything' as Permission
       };
       const securityContext = createSecurityContext('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002');
@@ -103,7 +104,7 @@ describe('RBACEngine - Comprehensive Tests', () => {
       const permissionCheck: PermissionCheck = {
         userId: 'regular-user-123' as UUID,
         scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
-        permission: 'manage:everything' as Permission
+        permission: 'update:everything' as Permission
       };
       const securityContext = {
@@ -366,6 +367,8 @@ describe('RBACEngine - Comprehensive Tests', () => {
             select: vi.fn().mockReturnThis(),
             eq: vi.fn().mockReturnThis(),
             is: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
             single: vi.fn().mockResolvedValue({
               data: { role: 'org_admin' },
               error: null
@@ -427,6 +430,8 @@ describe('RBACEngine - Comprehensive Tests', () => {
             select: vi.fn().mockReturnThis(),
             eq: vi.fn().mockReturnThis(),
             is: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
             single: vi.fn().mockResolvedValue({
               data: null,
               error: { code: 'PGRST116' }
@@ -495,6 +500,8 @@ describe('RBACEngine - Comprehensive Tests', () => {
             select: vi.fn().mockReturnThis(),
             eq: vi.fn().mockReturnThis(),
             is: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
             single: vi.fn().mockResolvedValue({
               data: null,
               error: { code: 'PGRST116' }
@@ -780,9 +787,11 @@ describe('RBACEngine - Comprehensive Tests', () => {
       };
       const securityContext = {
-        userId: 'user-123',
+        userId: 'user-123' as UUID,
+        organisationId: '00000000-0000-0000-0000-000000000002' as UUID, // Required
         ipAddress: '192.168.1.1',
-        userAgent: 'test-agent'
+        userAgent: 'test-agent',
+        timestamp: new Date()
       };
       const result = await engine.isPermitted(permissionCheck, securityContext);

package/src/rbac/__tests__/rbac-core.test.tsx CHANGED Viewed

@@ -216,7 +216,7 @@ describe('RBAC Core Functionality', () => {
         'create:events',
         'update:profiles',
         'delete:comments',
-        'manage:organisations',
+        'update:organisations',
       ];
       validPermissions.forEach(permission => {

package/src/rbac/__tests__/rbac-engine-core-logic.test.ts CHANGED Viewed

@@ -60,7 +60,7 @@ describe('RBACEngine - Core Logic Tests', () => {
       const permissionCheck: PermissionCheck = {
         userId: '00000000-0000-0000-0000-000000000001' as UUID,
         scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
-        permission: 'manage:everything' as Permission
+        permission: 'update:everything' as Permission
       };
       const securityContext = {
@@ -131,7 +131,7 @@ describe('RBACEngine - Core Logic Tests', () => {
       const permissionCheck: PermissionCheck = {
         userId: 'user-123' as UUID,
         scope: { organisationId: 'org-123' as UUID },
-        permission: 'manage:everything' as Permission
+        permission: 'update:everything' as Permission
       };
       const result = await engine.isPermitted(permissionCheck);
@@ -187,6 +187,7 @@ describe('RBACEngine - Core Logic Tests', () => {
     it('resolves organisation admin access level', async () => {
       // Mock the from() chain to handle both global roles and organisation roles queries
+      let organisationRoleQuery: any;
       mockSupabase.from.mockImplementation((table: string) => {
         if (table === 'rbac_global_roles') {
           return {
@@ -201,15 +202,20 @@ describe('RBACEngine - Core Logic Tests', () => {
           };
         }
         if (table === 'rbac_organisation_roles') {
-          return {
+          const query = {
             select: vi.fn().mockReturnThis(),
             eq: vi.fn().mockReturnThis(),
             is: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
             single: vi.fn().mockResolvedValue({
               data: { role: 'org_admin' },
               error: null
             })
           };
+          organisationRoleQuery = query;
+          return query;
         }
         return {
           select: vi.fn().mockReturnThis(),
@@ -222,8 +228,55 @@ describe('RBACEngine - Core Logic Tests', () => {
       const scope: Scope = { organisationId: 'org-123' as UUID };
       const accessLevel = await engine.getAccessLevel({ userId: 'user-123' as UUID, scope });
       expect(accessLevel).toBe('admin');
+      expect(organisationRoleQuery.lte).toHaveBeenCalledWith('valid_from', expect.any(String));
+      expect(organisationRoleQuery.or).toHaveBeenCalledWith(expect.stringContaining('valid_to.gte.'));
+    });
+    it('treats expired organisation roles as viewer access', async () => {
+      let organisationRoleQuery: any;
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_global_roles') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
+            limit: vi.fn().mockResolvedValue({
+              data: [],
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_organisation_roles') {
+          const query = {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            is: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({ data: null, error: null })
+          };
+          organisationRoleQuery = query;
+          return query;
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          lte: vi.fn().mockReturnThis(),
+          or: vi.fn().mockReturnThis(),
+          limit: vi.fn().mockResolvedValue({ data: [], error: null })
+        };
+      });
+      const scope: Scope = { organisationId: 'org-123' as UUID };
+      const accessLevel = await engine.getAccessLevel({ userId: 'user-123' as UUID, scope });
+      expect(accessLevel).toBe('viewer');
+      expect(organisationRoleQuery.lte).toHaveBeenCalledWith('valid_from', expect.any(String));
+      expect(organisationRoleQuery.or).toHaveBeenCalledWith(expect.stringContaining('valid_to.gte.'));
     });
   });

package/src/rbac/__tests__/rbac-engine-simplified.test.ts CHANGED Viewed

@@ -71,8 +71,7 @@ describe('RBACEngine - Simplified Tests', () => {
       const invalidPermissions = [
         'invalid',
         'read',
-        'manage:organisation', // manage is no longer valid
-        'manage:*',
+        // Note: manage operations have been removed
         ':users',
         'read:user-settings', // hyphens not allowed
         'read:user_settings', // underscores not allowed
@@ -175,6 +174,8 @@ describe('RBACEngine - Simplified Tests', () => {
             select: vi.fn().mockReturnThis(),
             eq: vi.fn().mockReturnThis(),
             is: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
             single: vi.fn().mockResolvedValue({
               data: { role: 'org_admin' },
               error: null

package/src/rbac/adapters.tsx CHANGED Viewed

@@ -30,7 +30,7 @@ import { useUnifiedAuth } from '../providers/UnifiedAuthProvider';
  * <PermissionGuard
  *   userId="user-123"
  *   scope={{ organisationId: 'org-456' }}
- *   permission="manage:events"
+ *   permission="update:events"
  *   pageId="page-789"
  *   fallback={<AccessDenied />}
  * >
@@ -39,7 +39,7 @@ import { useUnifiedAuth } from '../providers/UnifiedAuthProvider';
  *
  * // With context inference (requires auth context)
  * <PermissionGuard
- *   permission="manage:events"
+ *   permission="update:events"
  *   scope={{ organisationId: 'org-456' }}
  *   fallback={<AccessDenied />}
  * >
@@ -279,7 +279,7 @@ export function AccessLevelGuard({
  * @example
  * ```typescript
  * const protectedHandler = withPermissionGuard(
- *   { permission: 'manage:events', pageId: 'page-789' },
+ *   { permission: 'update:events', pageId: 'page-789' },
  *   async (req, res) => {
  *     // Handler logic here
  *     res.json({ success: true });
@@ -521,7 +521,7 @@ export function withRoleGuard<T extends any[]>(
  *
  * export default createRBACMiddleware({
  *   protectedRoutes: [
- *     { path: '/admin', permission: 'manage:admin' },
+ *     { path: '/admin', permission: 'update:admin' },
  *     { path: '/events', permission: 'read:events' },
  *   ],
  *   fallbackUrl: '/access-denied',

package/src/rbac/api.test.ts CHANGED Viewed

@@ -37,11 +37,11 @@ vi.mock('./cache', () => ({
     )
   },
   CACHE_PATTERNS: {
-    PERMISSION: vi.fn((userId, organisationId) => `permission:${userId}:${organisationId}:*`),
-    USER: vi.fn((userId) => `permission:${userId}:*`),
-    ORGANISATION: vi.fn((organisationId) => `permission:*:${organisationId}:*`),
-    EVENT: vi.fn((eventId) => `permission:*:*:${eventId}:*`),
-    APP: vi.fn((appId) => `permission:*:*:*:${appId}`)
+    PERMISSION: vi.fn((userId, organisationId) => `perm:${userId}:${organisationId}:`),
+    USER: vi.fn((userId) => `:${userId}:`),
+    ORGANISATION: vi.fn((organisationId) => `:${organisationId}:`),
+    EVENT: vi.fn((eventId) => `:${eventId}:`),
+    APP: vi.fn((appId) => `:${appId}`)
   }
 }));
@@ -119,7 +119,7 @@ describe('RBAC API', () => {
       process.env.NODE_ENV = originalEnv;
-      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase);
+      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase, undefined);
       expect(mockCreateAuditManager).toHaveBeenCalledWith(mockSupabase);
       expect(mockSetGlobalAuditManager).toHaveBeenCalledWith(mockAuditManager);
       expect(mockLogger.info).toHaveBeenCalledWith('RBAC system initialized successfully');
@@ -203,7 +203,7 @@ describe('RBAC API', () => {
       setupRBAC(mockSupabase as any);
-      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase);
+      expect(mockCreateRBACEngine).toHaveBeenCalledWith(mockSupabase, undefined);
     });
     it('handles multiple initialization calls', () => {
@@ -622,6 +622,26 @@ describe('RBAC API', () => {
           permission: 'read:users'
         })).rejects.toThrow('Engine error');
       });
+      it('throws OrganisationContextRequiredError when organisationId is missing', async () => {
+        const { isPermitted, OrganisationContextRequiredError } = await import('./api');
+        await expect(isPermitted({
+          userId: 'user-123',
+          scope: {}, // Missing organisationId
+          permission: 'read:users'
+        })).rejects.toThrow(OrganisationContextRequiredError);
+      });
+      it('throws OrganisationContextRequiredError when organisationId is undefined', async () => {
+        const { isPermitted, OrganisationContextRequiredError } = await import('./api');
+        await expect(isPermitted({
+          userId: 'user-123',
+          scope: { organisationId: undefined },
+          permission: 'read:users'
+        })).rejects.toThrow(OrganisationContextRequiredError);
+      });
     });
     describe('isPermittedCached', () => {
@@ -919,28 +939,32 @@ describe('RBAC API', () => {
         debug: vi.fn()
       });
+      vi.mocked(rbacCache.invalidate).mockClear();
       setupRBAC(mockSupabase as any);
     });
     describe('invalidateUserCache', () => {
       it('invalidates user cache with organisation', async () => {
         const { invalidateUserCache } = await import('./api');
         invalidateUserCache('user-123', 'org-456');
-        expect(rbacCache.invalidate).toHaveBeenCalledWith(
-          expect.stringContaining('user-123')
-        );
+        expect(rbacCache.invalidate).toHaveBeenCalledWith('perm:user-123:org-456:');
+        expect(rbacCache.invalidate).toHaveBeenCalledWith('access:user-123:org-456:');
+        expect(rbacCache.invalidate).toHaveBeenCalledWith('map:user-123:org-456:');
+        expect(rbacCache.invalidate).toHaveBeenCalledTimes(3);
       });
       it('invalidates user cache without organisation', async () => {
         const { invalidateUserCache } = await import('./api');
         invalidateUserCache('user-123');
-        expect(rbacCache.invalidate).toHaveBeenCalledWith(
-          expect.stringContaining('user-123')
-        );
+        expect(rbacCache.invalidate).toHaveBeenCalledWith('perm:user-123:');
+        expect(rbacCache.invalidate).toHaveBeenCalledWith('access:user-123:');
+        expect(rbacCache.invalidate).toHaveBeenCalledWith('map:user-123:');
+        expect(rbacCache.invalidate).toHaveBeenCalledTimes(3);
       });
     });