npm - @jmruthers/pace-core - Versions diffs - 0.5.110 → 0.5.111 - Mend

@jmruthers/pace-core 0.5.110 → 0.5.111

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (230) hide show

package/dist/{AuthService-DrHrvXNZ.d.ts → AuthService-CVgsgtaZ.d.ts} +8 -0
package/dist/{DataTable-D3BK2FCN.js → DataTable-5W2HVLLV.js} +8 -8
package/dist/{UnifiedAuthProvider-A7I23UCN.js → UnifiedAuthProvider-LUM3QLS5.js} +3 -3
package/dist/{api-PIE4JRFS.js → api-SIZPFBFX.js} +5 -3
package/dist/{audit-65VNHEV2.js → audit-5JI5T3SL.js} +2 -2
package/dist/{chunk-3J5N2T2N.js → chunk-2BIDKXQU.js} +113 -116
package/dist/chunk-2BIDKXQU.js.map +1 -0
package/dist/{chunk-AWK2FAUN.js → chunk-ACYQNYHB.js} +7 -7
package/dist/{chunk-D6MEKC27.js → chunk-EFVQBYFN.js} +2 -2
package/dist/{chunk-EZ64QG2I.js → chunk-I5YM5BGS.js} +2 -2
package/dist/{chunk-Q7APDV6H.js → chunk-IWJYNWXN.js} +13 -5
package/dist/chunk-IWJYNWXN.js.map +1 -0
package/dist/{chunk-YFMENCR4.js → chunk-JE2GFA3O.js} +3 -3
package/dist/{chunk-AUXS7XSO.js → chunk-MW73E7SP.js} +35 -11
package/dist/chunk-MW73E7SP.js.map +1 -0
package/dist/{chunk-XRSP3H52.js → chunk-PXXS26G5.js} +57 -23
package/dist/chunk-PXXS26G5.js.map +1 -0
package/dist/{chunk-HGZSO43Y.js → chunk-TD4BXGPE.js} +4 -4
package/dist/{chunk-EYSXQ756.js → chunk-TDFBX7KJ.js} +2 -2
package/dist/{chunk-HADXAZT3.js → chunk-UGVU7L7N.js} +52 -90
package/dist/chunk-UGVU7L7N.js.map +1 -0
package/dist/{chunk-2W4WKJVF.js → chunk-X7SPKHYZ.js} +290 -255
package/dist/chunk-X7SPKHYZ.js.map +1 -0
package/dist/{chunk-7GBEBJLR.js → chunk-ZL45MG76.js} +45 -37
package/dist/chunk-ZL45MG76.js.map +1 -0
package/dist/components.js +10 -10
package/dist/hooks.d.ts +11 -1
package/dist/hooks.js +9 -7
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.js +13 -13
package/dist/providers.d.ts +2 -2
package/dist/providers.js +2 -2
package/dist/rbac/index.d.ts +13 -8
package/dist/rbac/index.js +9 -9
package/dist/utils.js +1 -1
package/docs/api/classes/ColumnFactory.md +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +4 -4
package/docs/api/classes/MissingUserContextError.md +4 -4
package/docs/api/classes/OrganisationContextRequiredError.md +4 -4
package/docs/api/classes/PermissionDeniedError.md +4 -4
package/docs/api/classes/PublicErrorBoundary.md +1 -1
package/docs/api/classes/RBACAuditManager.md +8 -8
package/docs/api/classes/RBACCache.md +8 -8
package/docs/api/classes/RBACEngine.md +4 -4
package/docs/api/classes/RBACError.md +4 -4
package/docs/api/classes/RBACNotInitializedError.md +4 -4
package/docs/api/classes/SecureSupabaseClient.md +1 -1
package/docs/api/classes/StorageUtils.md +1 -1
package/docs/api/enums/FileCategory.md +1 -1
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/DataAccessRecord.md +1 -1
package/docs/api/interfaces/DataRecord.md +1 -1
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
package/docs/api/interfaces/FileDisplayProps.md +1 -1
package/docs/api/interfaces/FileMetadata.md +1 -1
package/docs/api/interfaces/FileReference.md +1 -1
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadOptions.md +1 -1
package/docs/api/interfaces/FileUploadProps.md +1 -1
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +1 -1
package/docs/api/interfaces/NavigationContextType.md +1 -1
package/docs/api/interfaces/NavigationGuardProps.md +1 -1
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +1 -1
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +1 -1
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +27 -27
package/docs/api/interfaces/PaceLoginPageProps.md +4 -4
package/docs/api/interfaces/PageAccessRecord.md +1 -1
package/docs/api/interfaces/PagePermissionContextType.md +1 -1
package/docs/api/interfaces/PagePermissionGuardProps.md +1 -1
package/docs/api/interfaces/PagePermissionProviderProps.md +1 -1
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/PermissionEnforcerProps.md +1 -1
package/docs/api/interfaces/ProtectedRouteProps.md +1 -1
package/docs/api/interfaces/PublicErrorBoundaryProps.md +1 -1
package/docs/api/interfaces/PublicErrorBoundaryState.md +1 -1
package/docs/api/interfaces/PublicLoadingSpinnerProps.md +1 -1
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/RBACConfig.md +1 -1
package/docs/api/interfaces/RBACLogger.md +1 -1
package/docs/api/interfaces/RoleBasedRouterContextType.md +8 -8
package/docs/api/interfaces/RoleBasedRouterProps.md +10 -10
package/docs/api/interfaces/RouteAccessRecord.md +10 -10
package/docs/api/interfaces/RouteConfig.md +19 -6
package/docs/api/interfaces/SecureDataContextType.md +1 -1
package/docs/api/interfaces/SecureDataProviderProps.md +1 -1
package/docs/api/interfaces/StorageConfig.md +1 -1
package/docs/api/interfaces/StorageFileInfo.md +1 -1
package/docs/api/interfaces/StorageFileMetadata.md +1 -1
package/docs/api/interfaces/StorageListOptions.md +1 -1
package/docs/api/interfaces/StorageListResult.md +1 -1
package/docs/api/interfaces/StorageUploadOptions.md +1 -1
package/docs/api/interfaces/StorageUploadResult.md +1 -1
package/docs/api/interfaces/StorageUrlOptions.md +1 -1
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/SwitchProps.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +1 -1
package/docs/api/interfaces/UnifiedAuthProviderProps.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UseResolvedScopeOptions.md +1 -1
package/docs/api/interfaces/UseResolvedScopeReturn.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +1 -1
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +36 -36
package/docs/api-reference/hooks.md +8 -4
package/docs/architecture/rpc-function-standards.md +3 -1
package/docs/best-practices/common-patterns.md +3 -3
package/docs/best-practices/deployment.md +10 -4
package/docs/best-practices/performance.md +11 -3
package/docs/core-concepts/organisations.md +8 -8
package/docs/core-concepts/permissions.md +133 -72
package/docs/migration/rbac-migration.md +65 -66
package/docs/rbac/advanced-patterns.md +15 -22
package/docs/rbac/examples.md +12 -12
package/docs/rbac/getting-started.md +3 -3
package/docs/rbac/troubleshooting.md +2 -1
package/package.json +1 -1
package/src/components/DataTable/components/__tests__/ActionButtons.test.tsx +913 -0
package/src/components/DataTable/components/__tests__/ColumnFilter.test.tsx +609 -0
package/src/components/DataTable/components/__tests__/EmptyState.test.tsx +434 -0
package/src/components/DataTable/components/__tests__/LoadingState.test.tsx +120 -0
package/src/components/DataTable/components/__tests__/PaginationControls.test.tsx +519 -0
package/src/components/DataTable/examples/__tests__/HierarchicalActionsExample.test.tsx +316 -0
package/src/components/DataTable/examples/__tests__/InitialPageSizeExample.test.tsx +211 -0
package/src/components/FileUpload/FileUpload.tsx +2 -8
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +193 -63
package/src/components/PaceAppLayout/PaceAppLayout.tsx +102 -135
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.accessibility.test.tsx +41 -2
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.integration.test.tsx +61 -6
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.performance.test.tsx +71 -21
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.security.test.tsx +113 -41
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.unit.test.tsx +155 -45
package/src/components/PaceLoginPage/PaceLoginPage.tsx +30 -1
package/src/hooks/__tests__/usePermissionCache.simple.test.ts +63 -5
package/src/hooks/__tests__/usePermissionCache.unit.test.ts +156 -72
package/src/hooks/__tests__/useRBAC.unit.test.ts +4 -38
package/src/hooks/index.ts +1 -1
package/src/hooks/useFileDisplay.ts +51 -0
package/src/hooks/usePermissionCache.test.ts +112 -68
package/src/hooks/usePermissionCache.ts +55 -15
package/src/rbac/README.md +81 -39
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +3 -3
package/src/rbac/__tests__/engine.comprehensive.test.ts +15 -6
package/src/rbac/__tests__/rbac-core.test.tsx +1 -1
package/src/rbac/__tests__/rbac-engine-core-logic.test.ts +57 -4
package/src/rbac/__tests__/rbac-engine-simplified.test.ts +3 -2
package/src/rbac/adapters.tsx +4 -4
package/src/rbac/api.test.ts +37 -13
package/src/rbac/api.ts +25 -8
package/src/rbac/audit.test.ts +2 -2
package/src/rbac/audit.ts +14 -5
package/src/rbac/cache.test.ts +12 -0
package/src/rbac/cache.ts +29 -9
package/src/rbac/components/EnhancedNavigationMenu.test.tsx +1 -1
package/src/rbac/components/NavigationGuard.tsx +14 -14
package/src/rbac/components/NavigationProvider.test.tsx +1 -1
package/src/rbac/components/PagePermissionGuard.tsx +4 -3
package/src/rbac/components/PagePermissionProvider.test.tsx +1 -1
package/src/rbac/components/PermissionEnforcer.tsx +19 -15
package/src/rbac/components/RoleBasedRouter.tsx +16 -9
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +123 -107
package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx +1 -1
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +121 -103
package/src/rbac/docs/event-based-apps.md +6 -6
package/src/rbac/engine.ts +12 -2
package/src/rbac/hooks/useCan.test.ts +29 -2
package/src/rbac/hooks/usePermissions.test.ts +25 -25
package/src/rbac/hooks/usePermissions.ts +47 -23
package/src/rbac/hooks/useRBAC.simple.test.ts +1 -8
package/src/rbac/hooks/useRBAC.test.ts +3 -40
package/src/rbac/hooks/useRBAC.ts +0 -55
package/src/rbac/hooks/useResolvedScope.ts +23 -31
package/src/rbac/permissions.test.ts +11 -7
package/src/rbac/security.test.ts +2 -2
package/src/rbac/security.ts +22 -7
package/src/rbac/types.test.ts +2 -2
package/src/rbac/types.ts +1 -2
package/src/services/EventService.ts +41 -13
package/src/services/__tests__/EventService.test.ts +25 -4
package/src/services/interfaces/IEventService.ts +1 -0
package/src/utils/file-reference.ts +9 -0
package/dist/chunk-2W4WKJVF.js.map +0 -1
package/dist/chunk-3J5N2T2N.js.map +0 -1
package/dist/chunk-7GBEBJLR.js.map +0 -1
package/dist/chunk-AUXS7XSO.js.map +0 -1
package/dist/chunk-HADXAZT3.js.map +0 -1
package/dist/chunk-Q7APDV6H.js.map +0 -1
package/dist/chunk-XRSP3H52.js.map +0 -1
/package/dist/{DataTable-D3BK2FCN.js.map → DataTable-5W2HVLLV.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-A7I23UCN.js.map → UnifiedAuthProvider-LUM3QLS5.js.map} +0 -0
/package/dist/{api-PIE4JRFS.js.map → api-SIZPFBFX.js.map} +0 -0
/package/dist/{audit-65VNHEV2.js.map → audit-5JI5T3SL.js.map} +0 -0
/package/dist/{chunk-AWK2FAUN.js.map → chunk-ACYQNYHB.js.map} +0 -0
/package/dist/{chunk-D6MEKC27.js.map → chunk-EFVQBYFN.js.map} +0 -0
/package/dist/{chunk-EZ64QG2I.js.map → chunk-I5YM5BGS.js.map} +0 -0
/package/dist/{chunk-YFMENCR4.js.map → chunk-JE2GFA3O.js.map} +0 -0
/package/dist/{chunk-HGZSO43Y.js.map → chunk-TD4BXGPE.js.map} +0 -0
/package/dist/{chunk-EYSXQ756.js.map → chunk-TDFBX7KJ.js.map} +0 -0

package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx CHANGED Viewed

@@ -11,12 +11,12 @@ import { render, screen, waitFor } from '@testing-library/react';
 import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { ReactNode } from 'react';
 import { PermissionEnforcer } from '../PermissionEnforcer';
-import { useCan } from '../../hooks';
+import { useMultiplePermissions } from '../../hooks/usePermissions';
 import { useUnifiedAuth } from '../../../providers/UnifiedAuthProvider';
 // Mock the RBAC hooks
-vi.mock('../../hooks', () => ({
-  useCan: vi.fn()
+vi.mock('../../hooks/usePermissions', () => ({
+  useMultiplePermissions: vi.fn()
 }));
 // Mock the auth provider
@@ -43,7 +43,7 @@ const mockScope = {
   appId: 'app-123'
 };
-const mockPermissions = ['read:events', 'manage:events'] as const;
+const mockPermissions = ['read:events', 'update:events'] as const;
 const mockOperation = 'event-management';
 // Test component
@@ -60,7 +60,7 @@ const TestLoading = () => (
 );
 describe('PermissionEnforcer Component', () => {
-  const mockUseCan = vi.mocked(useCan);
+  const mockUseMultiplePermissions = vi.mocked(useMultiplePermissions);
   const mockUseUnifiedAuth = vi.mocked(useUnifiedAuth);
   const mockCreateScopeFromEvent = vi.mocked(createScopeFromEvent);
@@ -75,19 +75,24 @@ describe('PermissionEnforcer Component', () => {
       supabase: {} as any
     });
-    mockUseCan.mockReturnValue({
-      can: true,
+    mockUseMultiplePermissions.mockReturnValue({
+      results: {
+        'read:events': true,
+        'update:events': true
+      } as Record<string, boolean>,
       isLoading: false,
-      error: null
+      error: null,
+      refetch: vi.fn()
     });
   });
     describe('Rendering', () => {
     it('renders children when permission is granted', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true, 'update:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -106,10 +111,11 @@ describe('PermissionEnforcer Component', () => {
     });
     it('renders fallback when permission is denied', async () => {
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -128,11 +134,12 @@ describe('PermissionEnforcer Component', () => {
       }, { interval: 10 });
     });
-    it('shows loading state during permission check', () => {
-      mockUseCan.mockReturnValue({
-        can: false,
+    it('shows loading state during permission check', async () => {
+      mockUseMultiplePermissions.mockReturnValue({
+        results: {} as Record<string, boolean>,
         isLoading: true,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -150,10 +157,11 @@ describe('PermissionEnforcer Component', () => {
     });
     it('uses default fallback when none provided', async () => {
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -172,10 +180,11 @@ describe('PermissionEnforcer Component', () => {
     });
     it('uses default loading when none provided', () => {
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: {} as Record<string, boolean>,
         isLoading: true,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -195,10 +204,11 @@ describe('PermissionEnforcer Component', () => {
     it('enforces single permission correctly', async () => {
       const singlePermission = ['read:events'] as const;
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -214,23 +224,23 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events'], // singlePermission only includes read:events
         true
       );
     });
-    it('enforces multiple permissions with AND logic', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+    it('enforces multiple permissions with AND logic (requireAll=true)', async () => {
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true, 'update:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -247,25 +257,25 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
-      // Should check the first permission as representative
-      expect(mockUseCan).toHaveBeenCalledWith(
+      // Should check all permissions when requireAll=true
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'],
         true
       );
     });
     it('handles permission checking errors gracefully', async () => {
       const error = new Error('Permission check failed');
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: {} as Record<string, boolean>,
         isLoading: false,
-        error
+        error,
+        refetch: vi.fn()
       });
       render(
@@ -284,10 +294,11 @@ describe('PermissionEnforcer Component', () => {
     });
     it('handles empty permissions array', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -313,10 +324,11 @@ describe('PermissionEnforcer Component', () => {
         appId: 'custom-app'
       };
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -333,20 +345,20 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         customScope,
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
     it('resolves scope from organisation and event context', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -362,14 +374,13 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
@@ -382,10 +393,11 @@ describe('PermissionEnforcer Component', () => {
         supabase: {} as any
       });
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -401,14 +413,13 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: undefined
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
@@ -427,10 +438,11 @@ describe('PermissionEnforcer Component', () => {
         appId: 'resolved-app'
       });
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -447,14 +459,13 @@ describe('PermissionEnforcer Component', () => {
       }, { interval: 10 });
       expect(mockCreateScopeFromEvent).toHaveBeenCalledWith({}, 'event-123');
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'resolved-org',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
@@ -513,10 +524,11 @@ describe('PermissionEnforcer Component', () => {
     it('prevents bypassing in strict mode', async () => {
       const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -549,10 +561,11 @@ describe('PermissionEnforcer Component', () => {
     it('logs security violations for audit', async () => {
       const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -586,10 +599,11 @@ describe('PermissionEnforcer Component', () => {
     it('calls onDenied callback when access is denied', async () => {
       const onDeniedSpy = vi.fn();
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -613,10 +627,11 @@ describe('PermissionEnforcer Component', () => {
     it('does not call onDenied when access is granted', async () => {
       const onDeniedSpy = vi.fn();
-      mockUseCan.mockReturnValue({
-        can: true,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -641,10 +656,11 @@ describe('PermissionEnforcer Component', () => {
     it('respects strictMode setting', async () => {
       const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -672,10 +688,11 @@ describe('PermissionEnforcer Component', () => {
     it('respects auditLog setting', async () => {
       const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -700,11 +717,12 @@ describe('PermissionEnforcer Component', () => {
       consoleSpy.mockRestore();
     });
-    it('respects requireAll setting', async () => {
-      mockUseCan.mockReturnValue({
-        can: true,
+    it('respects requireAll=false (any permission granted)', async () => {
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': true, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -721,15 +739,14 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
-      // Should still check the first permission as representative
-      expect(mockUseCan).toHaveBeenCalledWith(
+      // Should check all permissions and allow access if any is granted
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'],
         true
       );
     });
@@ -744,10 +761,11 @@ describe('PermissionEnforcer Component', () => {
         supabase: {} as any
       });
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: { 'read:events': false, 'update:events': false } as Record<string, boolean>,
         isLoading: false,
-        error: null
+        error: null,
+        refetch: vi.fn()
       });
       render(
@@ -764,24 +782,24 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-fallback')).toBeInTheDocument();
       }, { interval: 10 });
-      expect(mockUseCan).toHaveBeenCalledWith(
+      expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         '',
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123'
         }),
-        'read:events',
-        undefined,
+        ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
     it('handles permission check errors', async () => {
       const error = new Error('Database connection failed');
-      mockUseCan.mockReturnValue({
-        can: false,
+      mockUseMultiplePermissions.mockReturnValue({
+        results: {} as Record<string, boolean>,
         isLoading: false,
-        error
+        error,
+        refetch: vi.fn()
       });
       render(

package/src/rbac/docs/event-based-apps.md CHANGED Viewed

@@ -40,7 +40,7 @@ import { PermissionEnforcer } from '@jmruthers/pace-core/rbac';
 function EventDashboard() {
   return (
     <PermissionEnforcer
-      permissions={['read:events', 'manage:participants']}
+      permissions={['read:events', 'update:participants']}
       operation="dashboard"
     >
       <div>Event Dashboard Content</div>
@@ -84,7 +84,7 @@ const navigationItems = [
     id: 'settings',
     name: 'Settings',
     path: '/event/settings',
-    permissions: ['manage:events']
+    permissions: ['update:events']
   }
 ];
@@ -118,7 +118,7 @@ function EventComponent() {
   const { can: canManageEvents } = useCan(
     userId,
     { eventId: selectedEventId },
-    'manage:events'
+    'update:events'
   );
   return (
@@ -178,19 +178,19 @@ These permissions are specific to an event and app combination:
 ```typescript
 const EVENT_APP_PERMISSIONS = {
   // Event management
-  MANAGE_EVENT: 'manage:event',
+  MANAGE_EVENT: 'update:event',
   READ_EVENT: 'read:event',
   UPDATE_EVENT: 'update:event',
   // Participant management
-  MANAGE_PARTICIPANTS: 'manage:participants',
+  MANAGE_PARTICIPANTS: 'update:participants',
   READ_PARTICIPANTS: 'read:participants',
   CREATE_PARTICIPANTS: 'create:participants',
   UPDATE_PARTICIPANTS: 'update:participants',
   DELETE_PARTICIPANTS: 'delete:participants',
   // App-specific permissions
-  MANAGE_APP: 'manage:app',
+  MANAGE_APP: 'update:app',
   READ_APP: 'read:app',
   UPDATE_APP: 'update:app',
 };

package/src/rbac/engine.ts CHANGED Viewed

@@ -301,6 +301,8 @@ export class RBACEngine {
       return cached;
     }
+    const now = new Date().toISOString();
     // Check super admin
     const isSuperAdmin = await this.checkSuperAdmin(userId);
     if (isSuperAdmin) {
@@ -317,6 +319,8 @@ export class RBACEngine {
         .eq('organisation_id', scope.organisationId)
         .eq('status', 'active')
         .is('revoked_at', null)
+        .lte('valid_from', now)
+        .or(`valid_to.is.null,valid_to.gte.${now}`)
         .single() as { data: { role: string } | null; error: any };
       if (orgRole?.role === 'org_admin') {
@@ -327,7 +331,6 @@ export class RBACEngine {
     // Check event-app role
     if (scope.eventId && scope.appId) {
-      const now = new Date().toISOString();
       const { data: eventRole } = await this.supabase
         .from('rbac_event_app_roles')
         .select('role')
@@ -408,10 +411,17 @@ export class RBACEngine {
         .eq('app_id', scope.appId) as { data: Array<{ id: string; page_name: string }> | null };
       if (pages) {
+        // OrganisationId is required for permission checks
+        if (!scope.organisationId) {
+          // Return empty permission map if no organisation context
+          rbacCache.set(cacheKey, permissionMap, 60000);
+          return permissionMap;
+        }
         // Create a security context for permission checks
         const securityContext: SecurityContext = {
           userId,
-          organisationId: scope.organisationId,
+          organisationId: scope.organisationId, // Required
           timestamp: new Date(),
         };

package/src/rbac/hooks/useCan.test.ts CHANGED Viewed

@@ -350,7 +350,7 @@ describe('useCan Hook', () => {
       mockIsPermitted.mockResolvedValue(true);
       const { result } = renderHook(() =>
-        useCan(mockUserId, mockScope, 'manage:organisations', undefined, false)
+        useCan(mockUserId, mockScope, 'update:organisations', undefined, false)
       );
       await waitFor(() => {
@@ -362,7 +362,7 @@ describe('useCan Hook', () => {
       expect(mockIsPermitted).toHaveBeenCalledWith({
         userId: mockUserId,
         scope: mockScope,
-        permission: 'manage:organisations',
+        permission: 'update:organisations',
         pageId: undefined
       });
     });
@@ -601,6 +601,33 @@ describe('useCan Hook', () => {
       }, { timeout: 20000 });
     });
+    it('times out after 3 seconds when organisationId is missing', async () => {
+      vi.useFakeTimers({ shouldAdvanceTime: true });
+      const emptyScope = {} as any;
+      const { result } = renderHook(() =>
+        useCan(mockUserId, emptyScope, mockPermission, undefined, false)
+      );
+      // Initially loading
+      expect(result.current.isLoading).toBe(true);
+      expect(result.current.can).toBe(false);
+      expect(result.current.error).toBeNull();
+      // Fast-forward 3 seconds - advance time and run pending timers
+      await vi.advanceTimersByTimeAsync(3000);
+      await vi.runOnlyPendingTimersAsync();
+      // Flush React updates - waitFor with real timers to handle React state updates
+      vi.useRealTimers();
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+        expect(result.current.can).toBe(false);
+        expect(result.current.error).not.toBeNull();
+        expect(result.current.error?.message).toBe('Organisation context is required for permission checks');
+      }, { timeout: 2000 });
+    }, { timeout: 10000 });
     it('handles null userId', async () => {
       const { result } = renderHook(() =>
         useCan(null as any, mockScope, mockPermission, undefined, false)