npm - @jmruthers/pace-core - Versions diffs - 0.5.110 → 0.5.112 - Mend

@jmruthers/pace-core 0.5.110 → 0.5.112

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (236) hide show

package/dist/{AuthService-DrHrvXNZ.d.ts → AuthService-CVgsgtaZ.d.ts} +8 -0
package/dist/{DataTable-D3BK2FCN.js → DataTable-3D3BUZDV.js} +8 -8
package/dist/{UnifiedAuthProvider-A7I23UCN.js → UnifiedAuthProvider-KZZUO27W.js} +3 -3
package/dist/{api-PIE4JRFS.js → api-QPMBZZUZ.js} +5 -3
package/dist/{audit-65VNHEV2.js → audit-H4YJJF7R.js} +2 -2
package/dist/{chunk-Q7APDV6H.js → chunk-3OGQLOJM.js} +23 -7
package/dist/chunk-3OGQLOJM.js.map +1 -0
package/dist/{chunk-EYSXQ756.js → chunk-7H75SHXZ.js} +2 -2
package/dist/{chunk-D6MEKC27.js → chunk-BUN7NMV7.js} +2 -2
package/dist/{chunk-AWK2FAUN.js → chunk-C5RN4TE5.js} +7 -7
package/dist/{chunk-3J5N2T2N.js → chunk-EKVVTPIF.js} +183 -127
package/dist/chunk-EKVVTPIF.js.map +1 -0
package/dist/{chunk-2W4WKJVF.js → chunk-F6QB26OS.js} +290 -255
package/dist/chunk-F6QB26OS.js.map +1 -0
package/dist/{chunk-HADXAZT3.js → chunk-I7JC7PTJ.js} +54 -92
package/dist/chunk-I7JC7PTJ.js.map +1 -0
package/dist/{chunk-EZ64QG2I.js → chunk-L36JW4KV.js} +2 -2
package/dist/{chunk-7GBEBJLR.js → chunk-MNSGWRPB.js} +45 -37
package/dist/chunk-MNSGWRPB.js.map +1 -0
package/dist/{chunk-YFMENCR4.js → chunk-NEONKMTU.js} +3 -3
package/dist/{chunk-AUXS7XSO.js → chunk-OO3V7W4H.js} +35 -11
package/dist/chunk-OO3V7W4H.js.map +1 -0
package/dist/{chunk-XRSP3H52.js → chunk-TAJRS6YB.js} +57 -23
package/dist/chunk-TAJRS6YB.js.map +1 -0
package/dist/{chunk-HGZSO43Y.js → chunk-WMPZY26G.js} +8 -4
package/dist/{chunk-HGZSO43Y.js.map → chunk-WMPZY26G.js.map} +1 -1
package/dist/components.js +10 -10
package/dist/hooks.d.ts +11 -1
package/dist/hooks.js +9 -7
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.js +13 -13
package/dist/providers.d.ts +2 -2
package/dist/providers.js +2 -2
package/dist/rbac/index.d.ts +13 -8
package/dist/rbac/index.js +9 -9
package/dist/utils.js +1 -1
package/docs/api/classes/ColumnFactory.md +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +4 -4
package/docs/api/classes/MissingUserContextError.md +4 -4
package/docs/api/classes/OrganisationContextRequiredError.md +4 -4
package/docs/api/classes/PermissionDeniedError.md +4 -4
package/docs/api/classes/PublicErrorBoundary.md +1 -1
package/docs/api/classes/RBACAuditManager.md +8 -8
package/docs/api/classes/RBACCache.md +8 -8
package/docs/api/classes/RBACEngine.md +4 -4
package/docs/api/classes/RBACError.md +4 -4
package/docs/api/classes/RBACNotInitializedError.md +4 -4
package/docs/api/classes/SecureSupabaseClient.md +1 -1
package/docs/api/classes/StorageUtils.md +1 -1
package/docs/api/enums/FileCategory.md +1 -1
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/DataAccessRecord.md +1 -1
package/docs/api/interfaces/DataRecord.md +1 -1
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
package/docs/api/interfaces/FileDisplayProps.md +1 -1
package/docs/api/interfaces/FileMetadata.md +1 -1
package/docs/api/interfaces/FileReference.md +1 -1
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadOptions.md +1 -1
package/docs/api/interfaces/FileUploadProps.md +1 -1
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +1 -1
package/docs/api/interfaces/NavigationContextType.md +1 -1
package/docs/api/interfaces/NavigationGuardProps.md +1 -1
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +1 -1
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +1 -1
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +27 -27
package/docs/api/interfaces/PaceLoginPageProps.md +4 -4
package/docs/api/interfaces/PageAccessRecord.md +1 -1
package/docs/api/interfaces/PagePermissionContextType.md +1 -1
package/docs/api/interfaces/PagePermissionGuardProps.md +1 -1
package/docs/api/interfaces/PagePermissionProviderProps.md +1 -1
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/PermissionEnforcerProps.md +1 -1
package/docs/api/interfaces/ProtectedRouteProps.md +1 -1
package/docs/api/interfaces/PublicErrorBoundaryProps.md +1 -1
package/docs/api/interfaces/PublicErrorBoundaryState.md +1 -1
package/docs/api/interfaces/PublicLoadingSpinnerProps.md +1 -1
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/RBACConfig.md +1 -1
package/docs/api/interfaces/RBACLogger.md +1 -1
package/docs/api/interfaces/RoleBasedRouterContextType.md +8 -8
package/docs/api/interfaces/RoleBasedRouterProps.md +10 -10
package/docs/api/interfaces/RouteAccessRecord.md +10 -10
package/docs/api/interfaces/RouteConfig.md +19 -6
package/docs/api/interfaces/SecureDataContextType.md +1 -1
package/docs/api/interfaces/SecureDataProviderProps.md +1 -1
package/docs/api/interfaces/StorageConfig.md +1 -1
package/docs/api/interfaces/StorageFileInfo.md +1 -1
package/docs/api/interfaces/StorageFileMetadata.md +1 -1
package/docs/api/interfaces/StorageListOptions.md +1 -1
package/docs/api/interfaces/StorageListResult.md +1 -1
package/docs/api/interfaces/StorageUploadOptions.md +1 -1
package/docs/api/interfaces/StorageUploadResult.md +1 -1
package/docs/api/interfaces/StorageUrlOptions.md +1 -1
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/SwitchProps.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +1 -1
package/docs/api/interfaces/UnifiedAuthProviderProps.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UseResolvedScopeOptions.md +1 -1
package/docs/api/interfaces/UseResolvedScopeReturn.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +1 -1
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +36 -36
package/docs/api-reference/hooks.md +8 -4
package/docs/architecture/rpc-function-standards.md +3 -1
package/docs/best-practices/common-patterns.md +3 -3
package/docs/best-practices/deployment.md +10 -4
package/docs/best-practices/performance.md +11 -3
package/docs/core-concepts/organisations.md +8 -8
package/docs/core-concepts/permissions.md +133 -72
package/docs/migration/rbac-migration.md +65 -66
package/docs/rbac/advanced-patterns.md +15 -22
package/docs/rbac/examples.md +12 -12
package/docs/rbac/getting-started.md +3 -3
package/docs/rbac/troubleshooting.md +2 -1
package/package.json +1 -1
package/src/components/DataTable/DataTable.test.tsx +405 -154
package/src/components/DataTable/components/DataTableCore.tsx +6 -1
package/src/components/DataTable/components/__tests__/ActionButtons.test.tsx +913 -0
package/src/components/DataTable/components/__tests__/ColumnFilter.test.tsx +609 -0
package/src/components/DataTable/components/__tests__/EmptyState.test.tsx +434 -0
package/src/components/DataTable/components/__tests__/LoadingState.test.tsx +120 -0
package/src/components/DataTable/components/__tests__/PaginationControls.test.tsx +519 -0
package/src/components/DataTable/examples/__tests__/HierarchicalActionsExample.test.tsx +316 -0
package/src/components/DataTable/examples/__tests__/InitialPageSizeExample.test.tsx +211 -0
package/src/components/EventSelector/EventSelector.tsx +32 -2
package/src/components/FileUpload/FileUpload.tsx +2 -8
package/src/components/NavigationMenu/NavigationMenu.test.tsx +56 -8
package/src/components/NavigationMenu/NavigationMenu.tsx +75 -12
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +193 -63
package/src/components/PaceAppLayout/PaceAppLayout.tsx +102 -135
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.accessibility.test.tsx +41 -2
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.integration.test.tsx +61 -6
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.performance.test.tsx +71 -21
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.security.test.tsx +113 -41
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.unit.test.tsx +155 -45
package/src/components/PaceLoginPage/PaceLoginPage.tsx +30 -1
package/src/hooks/__tests__/usePermissionCache.simple.test.ts +63 -5
package/src/hooks/__tests__/usePermissionCache.unit.test.ts +156 -72
package/src/hooks/__tests__/useRBAC.unit.test.ts +4 -38
package/src/hooks/index.ts +1 -1
package/src/hooks/useFileDisplay.ts +51 -0
package/src/hooks/usePermissionCache.test.ts +112 -68
package/src/hooks/usePermissionCache.ts +55 -15
package/src/rbac/README.md +81 -39
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +3 -3
package/src/rbac/__tests__/engine.comprehensive.test.ts +15 -6
package/src/rbac/__tests__/rbac-core.test.tsx +1 -1
package/src/rbac/__tests__/rbac-engine-core-logic.test.ts +57 -4
package/src/rbac/__tests__/rbac-engine-simplified.test.ts +3 -2
package/src/rbac/adapters.tsx +4 -4
package/src/rbac/api.test.ts +37 -13
package/src/rbac/api.ts +25 -8
package/src/rbac/audit-enhanced.ts +14 -2
package/src/rbac/audit.test.ts +18 -8
package/src/rbac/audit.ts +25 -6
package/src/rbac/cache.test.ts +12 -0
package/src/rbac/cache.ts +29 -9
package/src/rbac/components/EnhancedNavigationMenu.test.tsx +1 -1
package/src/rbac/components/NavigationGuard.tsx +14 -14
package/src/rbac/components/NavigationProvider.test.tsx +1 -1
package/src/rbac/components/PagePermissionGuard.tsx +4 -3
package/src/rbac/components/PagePermissionProvider.test.tsx +1 -1
package/src/rbac/components/PermissionEnforcer.tsx +19 -15
package/src/rbac/components/RoleBasedRouter.tsx +16 -9
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +123 -107
package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx +1 -1
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +121 -103
package/src/rbac/docs/event-based-apps.md +6 -6
package/src/rbac/engine.ts +12 -2
package/src/rbac/hooks/useCan.test.ts +29 -2
package/src/rbac/hooks/usePermissions.test.ts +25 -25
package/src/rbac/hooks/usePermissions.ts +65 -25
package/src/rbac/hooks/useRBAC.simple.test.ts +1 -8
package/src/rbac/hooks/useRBAC.test.ts +3 -40
package/src/rbac/hooks/useRBAC.ts +0 -55
package/src/rbac/hooks/useResolvedScope.ts +23 -31
package/src/rbac/permissions.test.ts +11 -7
package/src/rbac/security.test.ts +2 -2
package/src/rbac/security.ts +22 -7
package/src/rbac/types.test.ts +2 -2
package/src/rbac/types.ts +1 -2
package/src/services/EventService.ts +42 -13
package/src/services/__tests__/EventService.test.ts +25 -4
package/src/services/interfaces/IEventService.ts +1 -0
package/src/utils/file-reference.ts +9 -0
package/dist/chunk-2W4WKJVF.js.map +0 -1
package/dist/chunk-3J5N2T2N.js.map +0 -1
package/dist/chunk-7GBEBJLR.js.map +0 -1
package/dist/chunk-AUXS7XSO.js.map +0 -1
package/dist/chunk-HADXAZT3.js.map +0 -1
package/dist/chunk-Q7APDV6H.js.map +0 -1
package/dist/chunk-XRSP3H52.js.map +0 -1
/package/dist/{DataTable-D3BK2FCN.js.map → DataTable-3D3BUZDV.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-A7I23UCN.js.map → UnifiedAuthProvider-KZZUO27W.js.map} +0 -0
/package/dist/{api-PIE4JRFS.js.map → api-QPMBZZUZ.js.map} +0 -0
/package/dist/{audit-65VNHEV2.js.map → audit-H4YJJF7R.js.map} +0 -0
/package/dist/{chunk-EYSXQ756.js.map → chunk-7H75SHXZ.js.map} +0 -0
/package/dist/{chunk-D6MEKC27.js.map → chunk-BUN7NMV7.js.map} +0 -0
/package/dist/{chunk-AWK2FAUN.js.map → chunk-C5RN4TE5.js.map} +0 -0
/package/dist/{chunk-EZ64QG2I.js.map → chunk-L36JW4KV.js.map} +0 -0
/package/dist/{chunk-YFMENCR4.js.map → chunk-NEONKMTU.js.map} +0 -0

package/src/rbac/audit-enhanced.ts CHANGED Viewed

@@ -163,19 +163,31 @@ export class EnhancedRBACAuditManager {
     }
     try {
+      // Validate pageId: only include in page_id column if it's a valid UUID
+      // Otherwise, store it in metadata to avoid database errors
+      const rawPageId = 'pageId' in event ? event.pageId : undefined;
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      const isValidPageIdUuid = rawPageId && uuidRegex.test(rawPageId);
+      const pageIdUuid: UUID | undefined = isValidPageIdUuid ? (rawPageId as UUID) : undefined;
+      const pageIdName: string | undefined = rawPageId && !isValidPageIdUuid ? rawPageId : undefined;
       const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {
         event_type: event.type,
         user_id: event.userId,
         organisation_id: event.organisationId,
         event_id: 'eventId' in event ? event.eventId : undefined,
         app_id: 'appId' in event ? event.appId : undefined,
-        page_id: 'pageId' in event ? event.pageId : undefined,
+        page_id: pageIdUuid, // Only set if it's a valid UUID
         permission: 'permission' in event ? event.permission : undefined,
         decision: 'decision' in event ? event.decision : undefined,
         source: 'source' in event ? event.source : 'api', // Default to 'api' if not provided
         bypass: 'bypass' in event ? event.bypass : undefined,
         duration_ms: 'duration_ms' in event ? event.duration_ms : undefined,
-        metadata: event.metadata || {},
+        metadata: {
+          ...(event.metadata || {}),
+          // Store page name/identifier in metadata if it's not a UUID
+          page_name: pageIdName,
+        },
       };
       const { error } = await (this.supabase as any)

package/src/rbac/audit.test.ts CHANGED Viewed

@@ -68,13 +68,15 @@ describe('RBACAuditManager', () => {
   describe('Permission Check Events', () => {
     it('emits permission check events correctly', async () => {
+      // Use a valid UUID format for pageId
+      const validPageId = '01234567-89ab-cdef-0123-456789abcdef' as UUID;
       const event: PermissionCheckAuditEvent = {
         type: 'permission_check',
         userId: 'user-123' as UUID,
         organisationId: 'org-456' as UUID,
         eventId: 'event-789',
         appId: 'app-101' as UUID,
-        pageId: 'page-202' as UUID,
+        pageId: validPageId,
         permission: 'read:users',
         decision: true,
         source: 'api' as AuditEventSource,
@@ -93,13 +95,16 @@ describe('RBACAuditManager', () => {
           organisation_id: 'org-456',
           event_id: 'event-789',
           app_id: 'app-101',
-          page_id: 'page-202',
+          page_id: validPageId,
           permission: 'read:users',
           decision: true,
           source: 'api',
           bypass: false,
           duration_ms: 150,
-          metadata: expect.objectContaining({ ip: '192.168.1.1' })
+          metadata: expect.objectContaining({
+            ip: '192.168.1.1',
+            no_organisation_context: false
+          })
         })
       ]
     );
@@ -136,14 +141,16 @@ describe('RBACAuditManager', () => {
   describe('Permission Denied Events', () => {
     it('emits permission denied events correctly', async () => {
+      // Use a valid UUID format for pageId
+      const validPageId = '01234567-89ab-cdef-0123-456789abcdef' as UUID;
       const event: PermissionDeniedAuditEvent = {
         type: 'permission_denied',
         userId: 'user-123' as UUID,
         organisationId: 'org-456' as UUID,
         eventId: 'event-789',
         appId: 'app-101' as UUID,
-        pageId: 'page-202' as UUID,
-        permission: 'manage:users',
+        pageId: validPageId,
+        permission: 'update:users',
         source: 'api' as AuditEventSource,
         metadata: { reason: 'Insufficient role' }
       };
@@ -158,10 +165,13 @@ describe('RBACAuditManager', () => {
             organisation_id: 'org-456',
             event_id: 'event-789',
             app_id: 'app-101',
-            page_id: 'page-202',
-            permission: 'manage:users',
+            page_id: validPageId,
+            permission: 'update:users',
             source: 'api',
-            metadata: expect.objectContaining({ reason: 'Insufficient role' })
+            metadata: expect.objectContaining({
+              reason: 'Insufficient role',
+              no_organisation_context: false
+            })
           })
         ]
       );

package/src/rbac/audit.ts CHANGED Viewed

@@ -163,16 +163,33 @@ export class RBACAuditManager {
     }
     try {
-      // For events without organisationId, store in a special way
+      // Since organisationId is now required in SecurityContext, this should rarely happen
+      // But we still handle the edge case properly without masking it
+      if (!event.organisationId) {
+        console.warn('[RBAC Audit] Audit event without organisation context - this should be investigated:', {
+          userId: event.userId,
+          eventType: event.type,
+          note: 'Organisation context is required for RBAC operations. This may indicate a security issue or missing context derivation.'
+        });
+      }
+      // Validate pageId: only include in page_id column if it's a valid UUID
+      // Otherwise, store it in metadata to avoid database errors
+      const rawPageId = 'pageId' in event ? event.pageId : undefined;
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      const isValidPageIdUuid = rawPageId && uuidRegex.test(rawPageId);
+      const pageIdUuid: UUID | undefined = isValidPageIdUuid ? (rawPageId as UUID) : undefined;
+      const pageIdName: string | undefined = rawPageId && !isValidPageIdUuid ? rawPageId : undefined;
       const auditEvent: Omit<RBACAuditEvent, 'id' | 'created_at'> = {
         event_type: event.type,
         user_id: event.userId,
-        // CRITICAL: Store organisationId even if null for auditing
-        // Use a fallback UUID if organisation context is missing (for database constraint)
-        organisation_id: event.organisationId || '00000000-0000-0000-0000-000000000000' as UUID,
+        // Store organisationId - nullable to properly track missing context cases
+        // Do NOT use fallback UUID as it masks security issues
+        organisation_id: event.organisationId || null, // Explicitly null if missing
         event_id: 'eventId' in event ? event.eventId : undefined,
         app_id: 'appId' in event ? event.appId : undefined,
-        page_id: 'pageId' in event ? event.pageId : undefined,
+        page_id: pageIdUuid, // Only set if it's a valid UUID
         permission: 'permission' in event ? event.permission : undefined,
         decision: 'decision' in event ? event.decision : undefined,
         source: 'source' in event ? event.source : 'api', // Default to 'api' if not provided
@@ -182,8 +199,10 @@ export class RBACAuditManager {
           ...event.metadata,
           cache_hit: 'cache_hit' in event ? event.cache_hit : undefined,
           cache_source: 'cache_source' in event ? event.cache_source : undefined,
-          // Store a flag indicating this event had no organisation context
+          // Explicit flag indicating this event had no organisation context
           no_organisation_context: !event.organisationId,
+          // Store page name/identifier in metadata if it's not a UUID
+          page_name: pageIdName,
         },
       };

package/src/rbac/cache.test.ts CHANGED Viewed

@@ -129,6 +129,18 @@ describe('RBACCache', () => {
       expect(cache.get('org-789-data')).not.toBeNull();
     });
+    it('supports wildcard patterns spanning cache segments', () => {
+      cache.set('perm:user-123:org-789:null:null:view:dashboard', true);
+      cache.set('perm:user-456:org-789:null:null:view:dashboard', true);
+      cache.set('perm:user-123:org-000:null:null:view:dashboard', true);
+      cache.invalidate('perm:*:org-789:*');
+      expect(cache.get('perm:user-123:org-789:null:null:view:dashboard')).toBeNull();
+      expect(cache.get('perm:user-456:org-789:null:null:view:dashboard')).toBeNull();
+      expect(cache.get('perm:user-123:org-000:null:null:view:dashboard')).toBe(true);
+    });
     it('handles empty pattern gracefully', () => {
       expect(() => cache.invalidate('')).not.toThrow();
     });

package/src/rbac/cache.ts CHANGED Viewed

@@ -72,18 +72,38 @@ export class RBACCache {
    * @param pattern - Pattern to match against cache keys
    */
   invalidate(pattern: string): void {
+    const trimmedPattern = pattern?.trim();
+    if (!trimmedPattern) {
+      return;
+    }
+    const matcher = this.createMatcher(trimmedPattern);
     const keysToDelete: string[] = [];
     for (const key of this.cache.keys()) {
-      if (key.includes(pattern)) {
+      if (matcher(key)) {
         keysToDelete.push(key);
       }
     }
     keysToDelete.forEach(key => this.cache.delete(key));
     // Notify invalidation callbacks
-    this.invalidationCallbacks.forEach(callback => callback(pattern));
+    this.invalidationCallbacks.forEach(callback => callback(trimmedPattern));
+  }
+  private createMatcher(pattern: string): (key: string) => boolean {
+    if (pattern.includes('*')) {
+      const escapedSegments = pattern
+        .split('*')
+        .map(segment => segment.replace(/[|\\{}()[\]^$+?.-]/g, '\\$&'));
+      const regexPattern = escapedSegments.join('.*');
+      const regex = new RegExp(regexPattern);
+      return (key: string) => regex.test(key);
+    }
+    return (key: string) => key.includes(pattern);
   }
   /**
@@ -239,9 +259,9 @@ export const rbacCache = new RBACCache();
  * Cache key patterns for invalidation
  */
 export const CACHE_PATTERNS = {
-  USER: (userId: UUID) => `user:${userId}`,
-  ORGANISATION: (organisationId: UUID) => `org:${organisationId}`,
-  EVENT: (eventId: string) => `event:${eventId}`,
-  APP: (appId: UUID) => `app:${appId}`,
-  PERMISSION: (userId: UUID, organisationId: UUID) => `perm:${userId}:${organisationId}`,
+  USER: (userId: UUID) => `:${userId}:`,
+  ORGANISATION: (organisationId: UUID) => `:${organisationId}:`,
+  EVENT: (eventId: string) => `:${eventId}:`,
+  APP: (appId: UUID) => `:${appId}`,
+  PERMISSION: (userId: UUID, organisationId: UUID) => `perm:${userId}:${organisationId}:`,
 } as const;

package/src/rbac/components/EnhancedNavigationMenu.test.tsx CHANGED Viewed

@@ -74,7 +74,7 @@ const mockNavigationItems: NavigationItem[] = [
     id: 'admin',
     label: 'Admin',
     path: '/admin',
-    permissions: ['manage:admin'] as Permission[],
+    permissions: ['update:admin'] as Permission[],
     pageId: 'page-admin',
     accessLevel: 'admin',
     meta: {

package/src/rbac/components/NavigationGuard.tsx CHANGED Viewed

@@ -65,7 +65,7 @@
  */
 import React, { useMemo, useCallback, useEffect, useState } from 'react';
-import { useCan } from '../hooks';
+import { useMultiplePermissions } from '../hooks/usePermissions';
 import { useUnifiedAuth } from '../../providers/UnifiedAuthProvider';
 import { UUID, Permission, Scope } from '../types';
 import { createScopeFromEvent } from '../utils/eventContext';
@@ -176,26 +176,26 @@ export function NavigationGuard({
     resolveScope();
   }, [scope, selectedOrganisation, selectedEvent, supabase]);
-  // Check permissions using the first permission as a representative
-  // For multiple permissions, we'll check them sequentially
-  const representativePermission = navigationItem.permissions[0];
-  const { can, isLoading, error } = useCan(
+  // Check all permissions using useMultiplePermissions hook
+  const { results: permissionResults, isLoading, error } = useMultiplePermissions(
     user?.id || '',
     resolvedScope || { eventId: selectedEvent?.event_id || undefined },
-    representativePermission,
-    navigationItem.pageId,
+    navigationItem.permissions || [],
     true // Use cache
   );
-  // Determine if user has required permissions
+  // Determine if user has required permissions based on requireAll prop
   const hasRequiredPermissions = useMemo((): boolean => {
-    if (navigationItem.permissions.length === 0) return true;
+    if (!navigationItem.permissions || navigationItem.permissions.length === 0) return true;
-    // For now, use the representative permission result
-    // In a future enhancement, we could check all permissions
-    // but this would require multiple useCan hooks or a custom hook
-    return can;
-  }, [navigationItem.permissions, can]);
+    if (requireAll) {
+      // User must have ALL permissions
+      return Object.values(permissionResults).every(result => result === true);
+    } else {
+      // User must have ANY permission (default behavior)
+      return Object.values(permissionResults).some(result => result === true);
+    }
+  }, [navigationItem.permissions, permissionResults, requireAll]);
   // Handle permission check completion
   useEffect(() => {

package/src/rbac/components/NavigationProvider.test.tsx CHANGED Viewed

@@ -57,7 +57,7 @@ const mockNavigationItems: NavigationItem[] = [
     id: 'admin',
     label: 'Admin',
     path: '/admin',
-    permissions: ['manage:admin'] as Permission[],
+    permissions: ['update:admin'] as Permission[],
     pageId: 'page-admin',
     accessLevel: 'admin'
   }

package/src/rbac/components/PagePermissionGuard.tsx CHANGED Viewed

@@ -378,7 +378,7 @@ const PagePermissionGuardComponent = ({
   }, [operation, pageName]);
   // Create a stable scope that only includes valid values
-  // This ensures useCan doesn't run with empty organisationId which causes it to stay in loading state
+  // OrganisationId is required - use undefined if not available, useCan will handle loading state
   const stableScope = useMemo(() => {
     if (resolvedScope && resolvedScope.organisationId) {
       return {
@@ -387,8 +387,9 @@ const PagePermissionGuardComponent = ({
         eventId: resolvedScope.eventId || undefined
       };
     }
-    // Return a scope with empty string organisationId - useCan will handle this by keeping loading state
-    return { organisationId: '', appId: undefined, eventId: undefined };
+    // Return scope without organisationId - useCan will keep loading state until resolved
+    // Scope.organisationId is optional, so undefined is valid
+    return { organisationId: undefined, appId: undefined, eventId: undefined };
   }, [resolvedScope]);
   // Check if user has permission - only call useCan when we have a resolved scope with valid organisationId

package/src/rbac/components/PagePermissionProvider.test.tsx CHANGED Viewed

@@ -38,7 +38,7 @@ const mockScope: Scope = {
   appId: 'app-789' as UUID
 };
-const mockPermissions = ['read:users', 'manage:users'] as const;
+const mockPermissions = ['read:users', 'update:users'] as const;
 const mockPageId = 'page-123';
 // Test component

package/src/rbac/components/PermissionEnforcer.tsx CHANGED Viewed

@@ -19,7 +19,7 @@
  * ```tsx
  * // Basic permission enforcement
  * <PermissionEnforcer
- *   permissions={['read:events', 'manage:events']}
+ *   permissions={['read:events', 'update:events']}
  *   operation="event-management"
  *   fallback={<AccessDeniedPage />}
  * >
@@ -67,7 +67,7 @@
  */
 import React, { useMemo, useCallback, useEffect, useState } from 'react';
-import { useCan } from '../hooks';
+import { useMultiplePermissions } from '../hooks/usePermissions';
 import { useUnifiedAuth } from '../../providers/UnifiedAuthProvider';
 import { UUID, Permission, Scope } from '../types';
 import { createScopeFromEvent } from '../utils/eventContext';
@@ -129,7 +129,6 @@ export function PermissionEnforcer({
   const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
   const [hasChecked, setHasChecked] = useState(false);
   const [checkError, setCheckError] = useState<Error | null>(null);
-  const [permissionResults, setPermissionResults] = useState<Record<string, boolean>>({});
   const [resolvedScope, setResolvedScope] = useState<Scope | null>(null);
   // Resolve scope - either use provided scope or resolve from context
@@ -182,26 +181,31 @@ export function PermissionEnforcer({
     resolveScope();
   }, [scope, selectedOrganisation, selectedEvent, supabase]);
-  // Check permissions using the first permission as a representative
-  // For multiple permissions, we'll check them sequentially
-  const representativePermission = permissions[0];
-  const { can, isLoading, error } = useCan(
+  // Check all permissions using useMultiplePermissions hook
+  const { results: permissionResults, isLoading, error } = useMultiplePermissions(
     user?.id || '',
     resolvedScope || { eventId: selectedEvent?.event_id || undefined },
-    representativePermission,
-    undefined,
+    permissions,
     true // Use cache
   );
-  // Determine if user has required permissions
+  // Determine if user has required permissions based on requireAll prop
   const hasRequiredPermissions = useMemo((): boolean => {
     if (permissions.length === 0) return true;
-    // For now, use the representative permission result
-    // In a future enhancement, we could check all permissions
-    // but this would require multiple useCan hooks or a custom hook
-    return can;
-  }, [permissions, can]);
+    // If permissionResults is not yet available or empty, deny access
+    if (!permissionResults || Object.keys(permissionResults).length === 0) {
+      return false;
+    }
+    if (requireAll) {
+      // User must have ALL permissions
+      return Object.values(permissionResults).every(result => result === true);
+    } else {
+      // User must have ANY permission (default behavior)
+      return Object.values(permissionResults).some(result => result === true);
+    }
+  }, [permissions, permissionResults, requireAll]);
   // Handle permission check completion
   useEffect(() => {

package/src/rbac/components/RoleBasedRouter.tsx CHANGED Viewed

@@ -79,6 +79,9 @@ export interface RouteConfig {
   /** Permissions required for this route */
   permissions: Permission[];
+  /** If true, this route is public and doesn't require permission checks */
+  public?: boolean;
   /** Roles that can access this route */
   roles?: string[];
@@ -232,10 +235,13 @@ export function RoleBasedRouter({
     currentRouteConfig?.pageId
   );
-  // If route has no permissions, deny access (secure by default)
+  // Check if route is public
+  const isPublicRoute = currentRouteConfig?.public === true;
+  // If route has no permissions and is not public, deny access (secure by default)
   const hasPermissions = currentRouteConfig?.permissions && currentRouteConfig.permissions.length > 0;
-  const finalCanAccess = hasPermissions ? canAccessCurrentRoute : false;
-  const finalLoading = hasPermissions ? permissionLoading : false;
+  const finalCanAccess = isPublicRoute ? true : (hasPermissions ? canAccessCurrentRoute : false);
+  const finalLoading = isPublicRoute ? false : (hasPermissions ? permissionLoading : false);
   // Get all accessible routes for current user
   const getAccessibleRoutes = useCallback((): RouteConfig[] => {
@@ -323,13 +329,14 @@ export function RoleBasedRouter({
     // Use the actual permission check result
     const allowed = finalCanAccess;
+    // Log route access (including public routes for audit monitoring)
     recordRouteAccess(currentPath, allowed, currentRouteConfig);
-    if (!allowed) {
-      // Redirect to fallback route
+    if (!allowed && !isPublicRoute) {
+      // Redirect to fallback route (skip for public routes)
       navigate(fallbackRoute, { replace: true });
     }
-  }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute]);
+  }, [location.pathname, currentRouteConfig, canAccessCurrentRoute, recordRouteAccess, strictMode, user?.id, currentScope, onStrictModeViolation, navigate, fallbackRoute, isPublicRoute]);
   // Context value
   const contextValue = useMemo((): RoleBasedRouterContextType => ({
@@ -350,8 +357,8 @@ export function RoleBasedRouter({
     auditLog
   ]);
-  // Show loading state while checking permissions
-  if (finalLoading) {
+  // Show loading state while checking permissions (skip for public routes)
+  if (finalLoading && !isPublicRoute) {
     return (
       <div className="flex items-center justify-center min-h-screen">
         <div className="text-center">
@@ -363,7 +370,7 @@ export function RoleBasedRouter({
   }
   // Show unauthorized component if user can't access current route
-  if (currentRouteConfig && !finalCanAccess) {
+  if (currentRouteConfig && !finalCanAccess && !isPublicRoute) {
     return (
       <UnauthorizedComponent
         route={currentRoute}