@jmruthers/pace-core 0.5.110 → 0.5.111

package/src/rbac/hooks/usePermissions.test.ts

@@ -268,8 +268,8 @@ describe('usePermissions Hook', () => {
         'create:users': true,
         'update:users': true,
         'delete:users': true,
-        'manage:organisations': true,
-        'manage:events': true,
+        'update:organisations': true,
+        'update:events': true,
         'super_admin': true
       };
 
@@ -287,7 +287,7 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(true);
       expect(result.current.hasPermission('update:users')).toBe(true);
       expect(result.current.hasPermission('delete:users')).toBe(true);
-      expect(result.current.hasPermission('manage:organisations')).toBe(true);
+      expect(result.current.hasPermission('update:organisations')).toBe(true);
       expect(result.current.hasPermission('super_admin')).toBe(true);
     });
 
@@ -297,8 +297,8 @@ describe('usePermissions Hook', () => {
         'create:users': true,
         'update:users': true,
         'delete:users': false, // Org admin can't delete users
-        'manage:organisations': true,
-        'manage:events': true,
+        'update:organisations': true,
+        'update:events': true,
         'org_admin': true
       };
 
@@ -316,7 +316,7 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(true);
       expect(result.current.hasPermission('update:users')).toBe(true);
       expect(result.current.hasPermission('delete:users')).toBe(false);
-      expect(result.current.hasPermission('manage:organisations')).toBe(true);
+      expect(result.current.hasPermission('update:organisations')).toBe(true);
       expect(result.current.hasPermission('org_admin')).toBe(true);
     });
 
@@ -326,8 +326,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': false,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': true,
+        'update:organisations': false,
+        'update:events': true,
         'event_admin': true
       };
 
@@ -345,8 +345,8 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(false);
       expect(result.current.hasPermission('update:users')).toBe(false);
       expect(result.current.hasPermission('delete:users')).toBe(false);
-      expect(result.current.hasPermission('manage:organisations')).toBe(false);
-      expect(result.current.hasPermission('manage:events')).toBe(true);
+      expect(result.current.hasPermission('update:organisations')).toBe(false);
+      expect(result.current.hasPermission('update:events')).toBe(true);
       expect(result.current.hasPermission('event_admin')).toBe(true);
     });
 
@@ -356,8 +356,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': false,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': false,
+        'update:organisations': false,
+        'update:events': false,
         'member': true
       };
 
@@ -375,8 +375,8 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(false);
       expect(result.current.hasPermission('update:users')).toBe(false);
       expect(result.current.hasPermission('delete:users')).toBe(false);
-      expect(result.current.hasPermission('manage:organisations')).toBe(false);
-      expect(result.current.hasPermission('manage:events')).toBe(false);
+      expect(result.current.hasPermission('update:organisations')).toBe(false);
+      expect(result.current.hasPermission('update:events')).toBe(false);
       expect(result.current.hasPermission('member')).toBe(true);
     });
 
@@ -386,8 +386,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': false,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': false,
+        'update:organisations': false,
+        'update:events': false,
         'participant': true
       };
 
@@ -405,8 +405,8 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(false);
       expect(result.current.hasPermission('update:users')).toBe(false);
       expect(result.current.hasPermission('delete:users')).toBe(false);
-      expect(result.current.hasPermission('manage:organisations')).toBe(false);
-      expect(result.current.hasPermission('manage:events')).toBe(false);
+      expect(result.current.hasPermission('update:organisations')).toBe(false);
+      expect(result.current.hasPermission('update:events')).toBe(false);
       expect(result.current.hasPermission('participant')).toBe(true);
     });
 
@@ -416,8 +416,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': true,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': true
+        'update:organisations': false,
+        'update:events': true
       };
 
       mockGetPermissionMap.mockResolvedValue(mixedPermissions);
@@ -432,8 +432,8 @@ describe('usePermissions Hook', () => {
       // Test hasAnyPermission with mixed results
       expect(result.current.hasAnyPermission(['read:users', 'create:users'])).toBe(true); // One is true
       expect(result.current.hasAnyPermission(['create:users', 'delete:users'])).toBe(false); // Both are false
-      expect(result.current.hasAnyPermission(['update:users', 'manage:events'])).toBe(true); // Both are true
-      expect(result.current.hasAnyPermission(['read:users', 'update:users', 'manage:events'])).toBe(true); // All are true
+      expect(result.current.hasAnyPermission(['update:users', 'update:events'])).toBe(true); // Both are true
+      expect(result.current.hasAnyPermission(['read:users', 'update:users', 'update:events'])).toBe(true); // All are true
     });
 
     it('handles mixed permission scenarios with hasAllPermissions', async () => {
@@ -442,8 +442,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': true,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': true
+        'update:organisations': false,
+        'update:events': true
       };
 
       mockGetPermissionMap.mockResolvedValue(mixedPermissions);
@@ -459,7 +459,7 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasAllPermissions(['read:users', 'update:users'])).toBe(true); // Both are true
       expect(result.current.hasAllPermissions(['read:users', 'create:users'])).toBe(false); // One is false
       expect(result.current.hasAllPermissions(['create:users', 'delete:users'])).toBe(false); // Both are false
-      expect(result.current.hasAllPermissions(['read:users', 'update:users', 'manage:events'])).toBe(true); // All are true
+      expect(result.current.hasAllPermissions(['read:users', 'update:users', 'update:events'])).toBe(true); // All are true
     });
   });
 

package/src/rbac/hooks/usePermissions.ts

@@ -52,6 +52,22 @@ export function usePermissions(userId: UUID, scope: Scope) {
   const [error, setError] = useState<Error | null>(null);
   const isFetchingRef = useRef(false);
 
+  // Add timeout for missing organisation context (3 seconds)
+  useEffect(() => {
+    if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
+      const timeoutId = setTimeout(() => {
+        setError(new Error('Organisation context is required for permission checks'));
+        setIsLoading(false);
+      }, 3000); // 3 seconds - typical permission check is < 1 second
+      
+      return () => clearTimeout(timeoutId);
+    }
+    // Clear error if organisation context becomes available
+    if (error?.message === 'Organisation context is required for permission checks') {
+      setError(null);
+    }
+  }, [scope.organisationId, error]);
+
   useEffect(() => {
     const fetchPermissions = async () => {
       // Prevent multiple simultaneous fetches
@@ -65,9 +81,9 @@ export function usePermissions(userId: UUID, scope: Scope) {
         return;
       }
 
-      // Don't fetch permissions if scope is invalid (e.g., organisationId is empty)
-      // Return empty permissions and loading true for invalid scopes to prevent premature access denied
-      if (!scope.organisationId || scope.organisationId.trim() === '') {
+      // Don't fetch permissions if scope is invalid (e.g., organisationId is null/empty)
+      // Wait for organisation context to resolve
+      if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
         setPermissions({} as PermissionMap);
         setIsLoading(true);
         setError(null);
@@ -125,8 +141,8 @@ export function usePermissions(userId: UUID, scope: Scope) {
       return;
     }
 
-    // Don't fetch permissions if scope is invalid (e.g., organisationId is empty)
-    if (!scope.organisationId || scope.organisationId.trim() === '') {
+    // Don't fetch permissions if scope is invalid (e.g., organisationId is null/empty)
+    if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
       setPermissions({} as PermissionMap);
       setIsLoading(true);
       setError(null);
@@ -193,6 +209,23 @@ export function useCan(
   const [isLoading, setIsLoading] = useState(true);
   const [error, setError] = useState<Error | null>(null);
 
+  // Add timeout for missing organisation context (3 seconds)
+  useEffect(() => {
+    if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
+      const timeoutId = setTimeout(() => {
+        setError(new Error('Organisation context is required for permission checks'));
+        setIsLoading(false);
+        setCan(false);
+      }, 3000); // 3 seconds - typical permission check is < 1 second
+      
+      return () => clearTimeout(timeoutId);
+    }
+    // Clear error if organisation context becomes available
+    if (error?.message === 'Organisation context is required for permission checks') {
+      setError(null);
+    }
+  }, [scope.organisationId, error]);
+
   // Use refs to track the last values to prevent unnecessary re-runs
   const lastUserIdRef = useRef<UUID | null>(null);
   const lastScopeRef = useRef<string | null>(null);
@@ -226,12 +259,13 @@ export function useCan(
           return;
         }
 
-        // Don't check permissions if scope is invalid (e.g., organisationId is empty)
-        // Return can: false and loading: true for invalid scopes to prevent premature access denied
-        if (!scope.organisationId || scope.organisationId.trim() === '') {
-          console.log('[useCan] Invalid scope - organisationId is empty:', { scope, permission, pageId });
-          setCan(false);
+        // Don't check permissions if scope is invalid (e.g., organisationId is null/empty)
+        // Wait for organisation context to resolve
+        if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
           setIsLoading(true);
+          setCan(false);
+          setError(null);
+          // Timeout is handled in separate useEffect (Phase 1.4)
           return;
         }
 
@@ -239,21 +273,10 @@ export function useCan(
           setIsLoading(true);
           setError(null);
           
-          console.log('[useCan] Checking permission:', { 
-            userId, 
-            organisationId: scope.organisationId, 
-            eventId: scope.eventId, 
-            appId: scope.appId,
-            permission, 
-            pageId 
-          });
-          
           const result = useCache 
             ? await isPermittedCached({ userId, scope, permission, pageId })
             : await isPermitted({ userId, scope, permission, pageId });
           
-          console.log('[useCan] Permission check result:', { permission, result, pageId });
-          
           setCan(result);
         } catch (err) {
           console.error('[useCan] Permission check error:', { permission, error: err });
@@ -275,10 +298,11 @@ export function useCan(
       return;
     }
 
-    // Don't check permissions if scope is invalid (e.g., organisationId is empty)
-    if (!scope.organisationId || scope.organisationId.trim() === '') {
+    // Don't check permissions if scope is invalid (e.g., organisationId is null/empty)
+    if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
       setCan(false);
       setIsLoading(true);
+      setError(null);
       return;
     }
 

package/src/rbac/hooks/useRBAC.simple.test.ts

@@ -57,7 +57,6 @@ vi.mock('./useRBAC', () => ({
     eventAppRole: 'participant',
     isSuperAdmin: false,
     isOrgAdmin: false,
-    hasPermission: () => true,
     hasGlobalPermission: () => true,
     error: null,
   }),
@@ -80,18 +79,12 @@ describe('useRBAC Hook - Simple Tests', () => {
     expect(result.current).toHaveProperty('globalRole');
     expect(result.current).toHaveProperty('organisationRole');
     expect(result.current).toHaveProperty('eventAppRole');
-    expect(result.current).toHaveProperty('hasPermission');
     expect(result.current).toHaveProperty('hasGlobalPermission');
     expect(result.current).toHaveProperty('isSuperAdmin');
     expect(result.current).toHaveProperty('isOrgAdmin');
     expect(result.current).toHaveProperty('isLoading');
     expect(result.current).toHaveProperty('error');
-  });
-
-  it('hasPermission is a function', () => {
-    const { result } = renderHook(() => useRBAC());
-    
-    expect(typeof result.current.hasPermission).toBe('function');
+    // Note: hasPermission was removed - use useCan() hook instead
   });
 
   it('hasGlobalPermission is a function', () => {

package/src/rbac/hooks/useRBAC.test.ts

@@ -97,7 +97,7 @@ describe('useRBAC', () => {
 
     await waitFor(() => {
       expect(result.current.isLoading).toBe(false);
-      expect(result.current.hasPermission).toBeTypeOf('function');
+      expect(result.current.hasGlobalPermission).toBeTypeOf('function');
     });
 
     expect(mockResolveAppContext).toHaveBeenCalledWith({ userId: 'user-1', appName: 'test-app' });
@@ -109,45 +109,8 @@ describe('useRBAC', () => {
     );
   });
 
-  it('uses cached permission map before hitting engine', async () => {
-    mockUseUnifiedAuth.mockReturnValue({
-      user: { id: 'user-1' },
-      session: { access_token: 'token' },
-      appName: 'test-app',
-    });
-    mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
-    mockGetPermissionMap.mockResolvedValue({ 'read:dashboard': true });
-
-    const { result } = renderHook(() => useRBAC('dashboard'));
-
-    await waitFor(() => expect(result.current.isLoading).toBe(false));
-
-    mockIsPermittedCached.mockClear();
-    const allowed = await result.current.hasPermission('read', 'dashboard');
-
-    expect(allowed).toBe(true);
-    expect(mockIsPermittedCached).not.toHaveBeenCalled();
-  });
-
-  it('falls back to engine when permission not cached', async () => {
-    mockUseUnifiedAuth.mockReturnValue({
-      user: { id: 'user-1' },
-      session: { access_token: 'token' },
-      appName: 'test-app',
-    });
-    mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
-    mockGetPermissionMap.mockResolvedValue({});
-    mockIsPermittedCached.mockResolvedValue(true);
-
-    const { result } = renderHook(() => useRBAC('dashboard'));
-
-    await waitFor(() => expect(result.current.isLoading).toBe(false));
-
-    const allowed = await result.current.hasPermission('read', 'dashboard');
-
-    expect(allowed).toBe(true);
-    expect(mockIsPermittedCached).toHaveBeenCalled();
-  });
+  // Note: Permission checking tests have been moved to useCan.test.ts
+  // useRBAC now focuses on role information and context, not permission checks
 
   it('handles denied app resolution securely', async () => {
     mockUseUnifiedAuth.mockReturnValue({

package/src/rbac/hooks/useRBAC.ts

@@ -17,7 +17,6 @@ import { useEvents } from '../../hooks/useEvents';
 import {
   getPermissionMap,
   getAccessLevel,
-  isPermittedCached,
   resolveAppContext,
   getRoleContext,
 } from '../api';
@@ -27,7 +26,6 @@ import type {
   GlobalRole,
   OrganisationRole,
   EventAppRole,
-  Operation,
   Permission,
   Scope,
   PermissionMap,
@@ -125,58 +123,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
     }
   }, [appName, logger, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user]);
 
-  const hasPermission = useCallback(
-    async (operationOrPermission: Operation | string, targetPageId?: string): Promise<boolean> => {
-      if (!user) {
-        logger.warn('[useRBAC] Permission check attempted without authenticated user context');
-        return false;
-      }
-
-      if (!currentScope || !currentScope.organisationId) {
-        logger.error('[useRBAC] Permission check denied due to missing organisation context', {
-          hasScope: !!currentScope,
-          scope: currentScope,
-          userId: user.id,
-          permission: operationOrPermission,
-        });
-        return false;
-      }
-
-      if (globalRole === 'super_admin' || permissionMap['*']) {
-        logger.info('[useRBAC] Super admin bypass granted', {
-          userId: user.id,
-          permission: operationOrPermission,
-        });
-        return true;
-      }
-
-      let permission: Permission;
-      if (operationOrPermission.includes(':')) {
-        permission = operationOrPermission as Permission;
-      } else if (targetPageId || pageId) {
-        permission = `${operationOrPermission}:${targetPageId || pageId}` as Permission;
-      } else {
-        permission = operationOrPermission as Permission;
-      }
-
-      const cachedValue = permissionMap[permission];
-      if (cachedValue === true) {
-        return true;
-      }
-      if (cachedValue === false) {
-        return false;
-      }
-
-      return isPermittedCached({
-        userId: user.id as UUID,
-        scope: currentScope,
-        permission,
-        pageId: targetPageId ?? pageId,
-      });
-    },
-    [currentScope, globalRole, logger, pageId, permissionMap, user],
-  );
-
   const hasGlobalPermission = useCallback(
     (permission: string): boolean => {
       if (globalRole === 'super_admin' || permissionMap['*']) {
@@ -211,7 +157,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
     globalRole,
     organisationRole,
     eventAppRole,
-    hasPermission,
     hasGlobalPermission,
     isSuperAdmin,
     isOrgAdmin,

package/src/rbac/hooks/useResolvedScope.ts

@@ -74,28 +74,30 @@ export function useResolvedScope({
     eventId: undefined 
   });
   
-  // Only update the stable scope if the resolved scope has actually changed
-  if (resolvedScope && resolvedScope.organisationId) {
-    const newScope = {
-      organisationId: resolvedScope.organisationId,
-      appId: resolvedScope.appId,
-      eventId: resolvedScope.eventId
-    };
-    
-    // Only update if the scope has actually changed
-    if (stableScopeRef.current.organisationId !== newScope.organisationId ||
-        stableScopeRef.current.eventId !== newScope.eventId ||
-        stableScopeRef.current.appId !== newScope.appId) {
-      stableScopeRef.current = {
-        organisationId: newScope.organisationId,
-        appId: newScope.appId || '',
-        eventId: newScope.eventId
+  // Update stable scope ref in useEffect to avoid updates during render
+  useEffect(() => {
+    if (resolvedScope && resolvedScope.organisationId) {
+      const newScope = {
+        organisationId: resolvedScope.organisationId,
+        appId: resolvedScope.appId,
+        eventId: resolvedScope.eventId
       };
+      
+      // Only update if the scope has actually changed
+      if (stableScopeRef.current.organisationId !== newScope.organisationId ||
+          stableScopeRef.current.eventId !== newScope.eventId ||
+          stableScopeRef.current.appId !== newScope.appId) {
+        stableScopeRef.current = {
+          organisationId: newScope.organisationId,
+          appId: newScope.appId || '',
+          eventId: newScope.eventId
+        };
+      }
+    } else if (!resolvedScope) {
+      // Reset to empty scope when no resolved scope
+      stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };
     }
-  } else if (!resolvedScope) {
-    // Reset to empty scope when no resolved scope
-    stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };
-  }
+  }, [resolvedScope]);
   
   const stableScope = stableScopeRef.current;
   
@@ -144,17 +146,10 @@ export function useResolvedScope({
           }
         }
 
-        // Debug logging
-        console.log('[useResolvedScope] Attempting to resolve scope:', {
-          selectedOrganisationId,
-          selectedEventId,
-          appId: appId || 'NOT RESOLVED YET',
-          resolveStep: 'initial'
-        });
+        // Resolve scope based on available context
 
         // If we have both organisation and event, use them directly
         if (selectedOrganisationId && selectedEventId) {
-          console.log('[useResolvedScope] Resolving with both org and event');
           if (!cancelled) {
             setResolvedScope({
               organisationId: selectedOrganisationId,
@@ -168,7 +163,6 @@ export function useResolvedScope({
 
         // If we only have organisation, use it
         if (selectedOrganisationId) {
-          console.log('[useResolvedScope] Resolving with organisation only');
           if (!cancelled) {
             setResolvedScope({
               organisationId: selectedOrganisationId,
@@ -183,7 +177,6 @@ export function useResolvedScope({
         // If we only have event, resolve organisation from event
         if (selectedEventId && supabase) {
           try {
-            console.log('[useResolvedScope] Resolving from event:', { selectedEventId, appId });
             const eventScope = await createScopeFromEvent(supabase, selectedEventId, appId);
             if (!eventScope) {
               console.error('[useResolvedScope] Could not resolve organization from event context');
@@ -194,7 +187,6 @@ export function useResolvedScope({
               }
               return;
             }
-            console.log('[useResolvedScope] Resolved from event:', eventScope);
             // Preserve the resolved app ID
             if (!cancelled) {
               setResolvedScope({

package/src/rbac/permissions.test.ts

@@ -84,13 +84,17 @@ describe('RBAC Permissions', () => {
 
     it('rejects invalid Permission types', () => {
       const invalidPermissions = [
-        'manage:users',
-        'READ:users',
-        'read:',
-        ':users',
-        'read:users*',
-        'read:*users',
-        'invalid'
+        'READ:users', // Capital letters not allowed
+        'read:', // Missing resource
+        ':users', // Missing operation
+        'read:users*', // Invalid wildcard placement
+        'read:*users', // Invalid wildcard placement
+        'invalid', // Not in format operation:resource
+        'read:users-', // Invalid character (hyphen) at end
+        'read:users_', // Invalid character (underscore) at end
+        'read:.users', // Cannot start with dot
+        'read:users.', // Cannot end with dot
+        'read:users..detail', // Cannot have consecutive dots
       ];
 
       invalidPermissions.forEach(permission => {

package/src/rbac/security.test.ts

@@ -23,7 +23,7 @@ describe('RBACSecurityValidator', () => {
         'create:user-profiles',
         'update:events',
         'delete:organisations',
-        'manage:base.events',
+        'update:base.events',
         'read:user-profiles.details'
       ];
 
@@ -352,7 +352,7 @@ describe('RBACSecurityMiddleware', () => {
       const input = {
         userId: '123e4567-e89b-12d3-a456-426614174000' as UUID,
         scope: { organisationId: '123e4567-e89b-12d3-a456-426614174001' as UUID },
-        permission: 'manage:everything' as Permission
+        permission: 'update:everything' as Permission
       };
 
       const context = {

package/src/rbac/security.ts

@@ -24,7 +24,9 @@ export class RBACSecurityValidator {
     }
 
     // Permission format: operation:resource[.subresource]
-    const permissionRegex = /^(read|create|update|delete|manage):[a-z0-9._-]+$/;
+    // Only CRUD operations are allowed (read, create, update, delete)
+    // The 'manage' operation has been removed for RBAC compliance
+    const permissionRegex = /^(read|create|update|delete):[a-z0-9._-]+$/;
     return permissionRegex.test(permission);
   }
 
@@ -53,9 +55,15 @@ export class RBACSecurityValidator {
       return false;
     }
 
-    // Organisation ID is required for most operations
-    if (scope.organisationId && !this.validateUUID(scope.organisationId)) {
-      return false;
+    // Organisation ID validation - reject empty strings
+    if (scope.organisationId !== undefined) {
+      // Reject empty strings - use undefined/null instead
+      if (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '') {
+        return false;
+      }
+      if (scope.organisationId && !this.validateUUID(scope.organisationId)) {
+        return false;
+      }
     }
 
     // Event ID should be a string if provided
@@ -122,7 +130,8 @@ export class RBACSecurityValidator {
     }
 
     const [operation] = permission.split(':');
-    const hierarchy = ['read', 'create', 'update', 'delete', 'manage'];
+    // Only CRUD operations - 'manage' has been removed
+    const hierarchy = ['read', 'create', 'update', 'delete'];
     
     const permissionLevel = hierarchy.indexOf(operation);
     const requiredLevel = hierarchy.indexOf(requiredOperation);
@@ -257,10 +266,13 @@ export const DEFAULT_SECURITY_CONFIG: RBACSecurityConfig = {
 
 /**
  * Security context for RBAC operations
+ * 
+ * OrganisationId is required - it can always be derived from event context in event-based apps.
+ * If organisation context is not available, the operation should fail rather than proceed without context.
  */
 export interface SecurityContext {
   userId: UUID;
-  organisationId?: UUID; // Optional for operations without organisation context
+  organisationId: UUID; // Required - can always be derived from event context
   ipAddress?: string;
   userAgent?: string;
   timestamp: Date;
@@ -304,7 +316,10 @@ export class RBACSecurityMiddleware {
       errors.push('Invalid user ID format');
     }
 
-    if (context.organisationId && !RBACSecurityValidator.validateUUID(context.organisationId)) {
+    // OrganisationId is required
+    if (!context.organisationId) {
+      errors.push('Organisation ID is required');
+    } else if (!RBACSecurityValidator.validateUUID(context.organisationId)) {
       errors.push('Invalid organisation ID format');
     }
 

package/src/rbac/types.test.ts

@@ -195,7 +195,7 @@ describe('Type Definitions', () => {
         'create:user-profiles',
         'update:events',
         'delete:organisations',
-        'manage:base.events'
+        'update:base.events'
       ];
 
       permissions.forEach(permission => {
@@ -206,7 +206,7 @@ describe('Type Definitions', () => {
     it('supports complex resource names', () => {
       const permissions: Permission[] = [
         'read:user-profiles.details',
-        'manage:base.events.schedule',
+        'update:base.events.schedule',
         'create:app-data.records'
       ];