npm - @jmruthers/pace-core - Versions diffs - 0.5.110 → 0.5.112 - Mend

@jmruthers/pace-core 0.5.110 → 0.5.112

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (236) hide show

package/dist/{AuthService-DrHrvXNZ.d.ts → AuthService-CVgsgtaZ.d.ts} +8 -0
package/dist/{DataTable-D3BK2FCN.js → DataTable-3D3BUZDV.js} +8 -8
package/dist/{UnifiedAuthProvider-A7I23UCN.js → UnifiedAuthProvider-KZZUO27W.js} +3 -3
package/dist/{api-PIE4JRFS.js → api-QPMBZZUZ.js} +5 -3
package/dist/{audit-65VNHEV2.js → audit-H4YJJF7R.js} +2 -2
package/dist/{chunk-Q7APDV6H.js → chunk-3OGQLOJM.js} +23 -7
package/dist/chunk-3OGQLOJM.js.map +1 -0
package/dist/{chunk-EYSXQ756.js → chunk-7H75SHXZ.js} +2 -2
package/dist/{chunk-D6MEKC27.js → chunk-BUN7NMV7.js} +2 -2
package/dist/{chunk-AWK2FAUN.js → chunk-C5RN4TE5.js} +7 -7
package/dist/{chunk-3J5N2T2N.js → chunk-EKVVTPIF.js} +183 -127
package/dist/chunk-EKVVTPIF.js.map +1 -0
package/dist/{chunk-2W4WKJVF.js → chunk-F6QB26OS.js} +290 -255
package/dist/chunk-F6QB26OS.js.map +1 -0
package/dist/{chunk-HADXAZT3.js → chunk-I7JC7PTJ.js} +54 -92
package/dist/chunk-I7JC7PTJ.js.map +1 -0
package/dist/{chunk-EZ64QG2I.js → chunk-L36JW4KV.js} +2 -2
package/dist/{chunk-7GBEBJLR.js → chunk-MNSGWRPB.js} +45 -37
package/dist/chunk-MNSGWRPB.js.map +1 -0
package/dist/{chunk-YFMENCR4.js → chunk-NEONKMTU.js} +3 -3
package/dist/{chunk-AUXS7XSO.js → chunk-OO3V7W4H.js} +35 -11
package/dist/chunk-OO3V7W4H.js.map +1 -0
package/dist/{chunk-XRSP3H52.js → chunk-TAJRS6YB.js} +57 -23
package/dist/chunk-TAJRS6YB.js.map +1 -0
package/dist/{chunk-HGZSO43Y.js → chunk-WMPZY26G.js} +8 -4
package/dist/{chunk-HGZSO43Y.js.map → chunk-WMPZY26G.js.map} +1 -1
package/dist/components.js +10 -10
package/dist/hooks.d.ts +11 -1
package/dist/hooks.js +9 -7
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.js +13 -13
package/dist/providers.d.ts +2 -2
package/dist/providers.js +2 -2
package/dist/rbac/index.d.ts +13 -8
package/dist/rbac/index.js +9 -9
package/dist/utils.js +1 -1
package/docs/api/classes/ColumnFactory.md +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +4 -4
package/docs/api/classes/MissingUserContextError.md +4 -4
package/docs/api/classes/OrganisationContextRequiredError.md +4 -4
package/docs/api/classes/PermissionDeniedError.md +4 -4
package/docs/api/classes/PublicErrorBoundary.md +1 -1
package/docs/api/classes/RBACAuditManager.md +8 -8
package/docs/api/classes/RBACCache.md +8 -8
package/docs/api/classes/RBACEngine.md +4 -4
package/docs/api/classes/RBACError.md +4 -4
package/docs/api/classes/RBACNotInitializedError.md +4 -4
package/docs/api/classes/SecureSupabaseClient.md +1 -1
package/docs/api/classes/StorageUtils.md +1 -1
package/docs/api/enums/FileCategory.md +1 -1
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/DataAccessRecord.md +1 -1
package/docs/api/interfaces/DataRecord.md +1 -1
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
package/docs/api/interfaces/FileDisplayProps.md +1 -1
package/docs/api/interfaces/FileMetadata.md +1 -1
package/docs/api/interfaces/FileReference.md +1 -1
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadOptions.md +1 -1
package/docs/api/interfaces/FileUploadProps.md +1 -1
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +1 -1
package/docs/api/interfaces/NavigationContextType.md +1 -1
package/docs/api/interfaces/NavigationGuardProps.md +1 -1
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +1 -1
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +1 -1
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +27 -27
package/docs/api/interfaces/PaceLoginPageProps.md +4 -4
package/docs/api/interfaces/PageAccessRecord.md +1 -1
package/docs/api/interfaces/PagePermissionContextType.md +1 -1
package/docs/api/interfaces/PagePermissionGuardProps.md +1 -1
package/docs/api/interfaces/PagePermissionProviderProps.md +1 -1
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/PermissionEnforcerProps.md +1 -1
package/docs/api/interfaces/ProtectedRouteProps.md +1 -1
package/docs/api/interfaces/PublicErrorBoundaryProps.md +1 -1
package/docs/api/interfaces/PublicErrorBoundaryState.md +1 -1
package/docs/api/interfaces/PublicLoadingSpinnerProps.md +1 -1
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/RBACConfig.md +1 -1
package/docs/api/interfaces/RBACLogger.md +1 -1
package/docs/api/interfaces/RoleBasedRouterContextType.md +8 -8
package/docs/api/interfaces/RoleBasedRouterProps.md +10 -10
package/docs/api/interfaces/RouteAccessRecord.md +10 -10
package/docs/api/interfaces/RouteConfig.md +19 -6
package/docs/api/interfaces/SecureDataContextType.md +1 -1
package/docs/api/interfaces/SecureDataProviderProps.md +1 -1
package/docs/api/interfaces/StorageConfig.md +1 -1
package/docs/api/interfaces/StorageFileInfo.md +1 -1
package/docs/api/interfaces/StorageFileMetadata.md +1 -1
package/docs/api/interfaces/StorageListOptions.md +1 -1
package/docs/api/interfaces/StorageListResult.md +1 -1
package/docs/api/interfaces/StorageUploadOptions.md +1 -1
package/docs/api/interfaces/StorageUploadResult.md +1 -1
package/docs/api/interfaces/StorageUrlOptions.md +1 -1
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/SwitchProps.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +1 -1
package/docs/api/interfaces/UnifiedAuthProviderProps.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UseResolvedScopeOptions.md +1 -1
package/docs/api/interfaces/UseResolvedScopeReturn.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +1 -1
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +36 -36
package/docs/api-reference/hooks.md +8 -4
package/docs/architecture/rpc-function-standards.md +3 -1
package/docs/best-practices/common-patterns.md +3 -3
package/docs/best-practices/deployment.md +10 -4
package/docs/best-practices/performance.md +11 -3
package/docs/core-concepts/organisations.md +8 -8
package/docs/core-concepts/permissions.md +133 -72
package/docs/migration/rbac-migration.md +65 -66
package/docs/rbac/advanced-patterns.md +15 -22
package/docs/rbac/examples.md +12 -12
package/docs/rbac/getting-started.md +3 -3
package/docs/rbac/troubleshooting.md +2 -1
package/package.json +1 -1
package/src/components/DataTable/DataTable.test.tsx +405 -154
package/src/components/DataTable/components/DataTableCore.tsx +6 -1
package/src/components/DataTable/components/__tests__/ActionButtons.test.tsx +913 -0
package/src/components/DataTable/components/__tests__/ColumnFilter.test.tsx +609 -0
package/src/components/DataTable/components/__tests__/EmptyState.test.tsx +434 -0
package/src/components/DataTable/components/__tests__/LoadingState.test.tsx +120 -0
package/src/components/DataTable/components/__tests__/PaginationControls.test.tsx +519 -0
package/src/components/DataTable/examples/__tests__/HierarchicalActionsExample.test.tsx +316 -0
package/src/components/DataTable/examples/__tests__/InitialPageSizeExample.test.tsx +211 -0
package/src/components/EventSelector/EventSelector.tsx +32 -2
package/src/components/FileUpload/FileUpload.tsx +2 -8
package/src/components/NavigationMenu/NavigationMenu.test.tsx +56 -8
package/src/components/NavigationMenu/NavigationMenu.tsx +75 -12
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +193 -63
package/src/components/PaceAppLayout/PaceAppLayout.tsx +102 -135
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.accessibility.test.tsx +41 -2
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.integration.test.tsx +61 -6
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.performance.test.tsx +71 -21
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.security.test.tsx +113 -41
package/src/components/PaceAppLayout/__tests__/PaceAppLayout.unit.test.tsx +155 -45
package/src/components/PaceLoginPage/PaceLoginPage.tsx +30 -1
package/src/hooks/__tests__/usePermissionCache.simple.test.ts +63 -5
package/src/hooks/__tests__/usePermissionCache.unit.test.ts +156 -72
package/src/hooks/__tests__/useRBAC.unit.test.ts +4 -38
package/src/hooks/index.ts +1 -1
package/src/hooks/useFileDisplay.ts +51 -0
package/src/hooks/usePermissionCache.test.ts +112 -68
package/src/hooks/usePermissionCache.ts +55 -15
package/src/rbac/README.md +81 -39
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +3 -3
package/src/rbac/__tests__/engine.comprehensive.test.ts +15 -6
package/src/rbac/__tests__/rbac-core.test.tsx +1 -1
package/src/rbac/__tests__/rbac-engine-core-logic.test.ts +57 -4
package/src/rbac/__tests__/rbac-engine-simplified.test.ts +3 -2
package/src/rbac/adapters.tsx +4 -4
package/src/rbac/api.test.ts +37 -13
package/src/rbac/api.ts +25 -8
package/src/rbac/audit-enhanced.ts +14 -2
package/src/rbac/audit.test.ts +18 -8
package/src/rbac/audit.ts +25 -6
package/src/rbac/cache.test.ts +12 -0
package/src/rbac/cache.ts +29 -9
package/src/rbac/components/EnhancedNavigationMenu.test.tsx +1 -1
package/src/rbac/components/NavigationGuard.tsx +14 -14
package/src/rbac/components/NavigationProvider.test.tsx +1 -1
package/src/rbac/components/PagePermissionGuard.tsx +4 -3
package/src/rbac/components/PagePermissionProvider.test.tsx +1 -1
package/src/rbac/components/PermissionEnforcer.tsx +19 -15
package/src/rbac/components/RoleBasedRouter.tsx +16 -9
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +123 -107
package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx +1 -1
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +121 -103
package/src/rbac/docs/event-based-apps.md +6 -6
package/src/rbac/engine.ts +12 -2
package/src/rbac/hooks/useCan.test.ts +29 -2
package/src/rbac/hooks/usePermissions.test.ts +25 -25
package/src/rbac/hooks/usePermissions.ts +65 -25
package/src/rbac/hooks/useRBAC.simple.test.ts +1 -8
package/src/rbac/hooks/useRBAC.test.ts +3 -40
package/src/rbac/hooks/useRBAC.ts +0 -55
package/src/rbac/hooks/useResolvedScope.ts +23 -31
package/src/rbac/permissions.test.ts +11 -7
package/src/rbac/security.test.ts +2 -2
package/src/rbac/security.ts +22 -7
package/src/rbac/types.test.ts +2 -2
package/src/rbac/types.ts +1 -2
package/src/services/EventService.ts +42 -13
package/src/services/__tests__/EventService.test.ts +25 -4
package/src/services/interfaces/IEventService.ts +1 -0
package/src/utils/file-reference.ts +9 -0
package/dist/chunk-2W4WKJVF.js.map +0 -1
package/dist/chunk-3J5N2T2N.js.map +0 -1
package/dist/chunk-7GBEBJLR.js.map +0 -1
package/dist/chunk-AUXS7XSO.js.map +0 -1
package/dist/chunk-HADXAZT3.js.map +0 -1
package/dist/chunk-Q7APDV6H.js.map +0 -1
package/dist/chunk-XRSP3H52.js.map +0 -1
/package/dist/{DataTable-D3BK2FCN.js.map → DataTable-3D3BUZDV.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-A7I23UCN.js.map → UnifiedAuthProvider-KZZUO27W.js.map} +0 -0
/package/dist/{api-PIE4JRFS.js.map → api-QPMBZZUZ.js.map} +0 -0
/package/dist/{audit-65VNHEV2.js.map → audit-H4YJJF7R.js.map} +0 -0
/package/dist/{chunk-EYSXQ756.js.map → chunk-7H75SHXZ.js.map} +0 -0
/package/dist/{chunk-D6MEKC27.js.map → chunk-BUN7NMV7.js.map} +0 -0
/package/dist/{chunk-AWK2FAUN.js.map → chunk-C5RN4TE5.js.map} +0 -0
/package/dist/{chunk-EZ64QG2I.js.map → chunk-L36JW4KV.js.map} +0 -0
/package/dist/{chunk-YFMENCR4.js.map → chunk-NEONKMTU.js.map} +0 -0

package/src/rbac/hooks/usePermissions.test.ts CHANGED Viewed

@@ -268,8 +268,8 @@ describe('usePermissions Hook', () => {
         'create:users': true,
         'update:users': true,
         'delete:users': true,
-        'manage:organisations': true,
-        'manage:events': true,
+        'update:organisations': true,
+        'update:events': true,
         'super_admin': true
       };
@@ -287,7 +287,7 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(true);
       expect(result.current.hasPermission('update:users')).toBe(true);
       expect(result.current.hasPermission('delete:users')).toBe(true);
-      expect(result.current.hasPermission('manage:organisations')).toBe(true);
+      expect(result.current.hasPermission('update:organisations')).toBe(true);
       expect(result.current.hasPermission('super_admin')).toBe(true);
     });
@@ -297,8 +297,8 @@ describe('usePermissions Hook', () => {
         'create:users': true,
         'update:users': true,
         'delete:users': false, // Org admin can't delete users
-        'manage:organisations': true,
-        'manage:events': true,
+        'update:organisations': true,
+        'update:events': true,
         'org_admin': true
       };
@@ -316,7 +316,7 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(true);
       expect(result.current.hasPermission('update:users')).toBe(true);
       expect(result.current.hasPermission('delete:users')).toBe(false);
-      expect(result.current.hasPermission('manage:organisations')).toBe(true);
+      expect(result.current.hasPermission('update:organisations')).toBe(true);
       expect(result.current.hasPermission('org_admin')).toBe(true);
     });
@@ -326,8 +326,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': false,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': true,
+        'update:organisations': false,
+        'update:events': true,
         'event_admin': true
       };
@@ -345,8 +345,8 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(false);
       expect(result.current.hasPermission('update:users')).toBe(false);
       expect(result.current.hasPermission('delete:users')).toBe(false);
-      expect(result.current.hasPermission('manage:organisations')).toBe(false);
-      expect(result.current.hasPermission('manage:events')).toBe(true);
+      expect(result.current.hasPermission('update:organisations')).toBe(false);
+      expect(result.current.hasPermission('update:events')).toBe(true);
       expect(result.current.hasPermission('event_admin')).toBe(true);
     });
@@ -356,8 +356,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': false,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': false,
+        'update:organisations': false,
+        'update:events': false,
         'member': true
       };
@@ -375,8 +375,8 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(false);
       expect(result.current.hasPermission('update:users')).toBe(false);
       expect(result.current.hasPermission('delete:users')).toBe(false);
-      expect(result.current.hasPermission('manage:organisations')).toBe(false);
-      expect(result.current.hasPermission('manage:events')).toBe(false);
+      expect(result.current.hasPermission('update:organisations')).toBe(false);
+      expect(result.current.hasPermission('update:events')).toBe(false);
       expect(result.current.hasPermission('member')).toBe(true);
     });
@@ -386,8 +386,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': false,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': false,
+        'update:organisations': false,
+        'update:events': false,
         'participant': true
       };
@@ -405,8 +405,8 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasPermission('create:users')).toBe(false);
       expect(result.current.hasPermission('update:users')).toBe(false);
       expect(result.current.hasPermission('delete:users')).toBe(false);
-      expect(result.current.hasPermission('manage:organisations')).toBe(false);
-      expect(result.current.hasPermission('manage:events')).toBe(false);
+      expect(result.current.hasPermission('update:organisations')).toBe(false);
+      expect(result.current.hasPermission('update:events')).toBe(false);
       expect(result.current.hasPermission('participant')).toBe(true);
     });
@@ -416,8 +416,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': true,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': true
+        'update:organisations': false,
+        'update:events': true
       };
       mockGetPermissionMap.mockResolvedValue(mixedPermissions);
@@ -432,8 +432,8 @@ describe('usePermissions Hook', () => {
       // Test hasAnyPermission with mixed results
       expect(result.current.hasAnyPermission(['read:users', 'create:users'])).toBe(true); // One is true
       expect(result.current.hasAnyPermission(['create:users', 'delete:users'])).toBe(false); // Both are false
-      expect(result.current.hasAnyPermission(['update:users', 'manage:events'])).toBe(true); // Both are true
-      expect(result.current.hasAnyPermission(['read:users', 'update:users', 'manage:events'])).toBe(true); // All are true
+      expect(result.current.hasAnyPermission(['update:users', 'update:events'])).toBe(true); // Both are true
+      expect(result.current.hasAnyPermission(['read:users', 'update:users', 'update:events'])).toBe(true); // All are true
     });
     it('handles mixed permission scenarios with hasAllPermissions', async () => {
@@ -442,8 +442,8 @@ describe('usePermissions Hook', () => {
         'create:users': false,
         'update:users': true,
         'delete:users': false,
-        'manage:organisations': false,
-        'manage:events': true
+        'update:organisations': false,
+        'update:events': true
       };
       mockGetPermissionMap.mockResolvedValue(mixedPermissions);
@@ -459,7 +459,7 @@ describe('usePermissions Hook', () => {
       expect(result.current.hasAllPermissions(['read:users', 'update:users'])).toBe(true); // Both are true
       expect(result.current.hasAllPermissions(['read:users', 'create:users'])).toBe(false); // One is false
       expect(result.current.hasAllPermissions(['create:users', 'delete:users'])).toBe(false); // Both are false
-      expect(result.current.hasAllPermissions(['read:users', 'update:users', 'manage:events'])).toBe(true); // All are true
+      expect(result.current.hasAllPermissions(['read:users', 'update:users', 'update:events'])).toBe(true); // All are true
     });
   });

package/src/rbac/hooks/usePermissions.ts CHANGED Viewed

@@ -52,6 +52,22 @@ export function usePermissions(userId: UUID, scope: Scope) {
   const [error, setError] = useState<Error | null>(null);
   const isFetchingRef = useRef(false);
+  // Add timeout for missing organisation context (3 seconds)
+  useEffect(() => {
+    if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
+      const timeoutId = setTimeout(() => {
+        setError(new Error('Organisation context is required for permission checks'));
+        setIsLoading(false);
+      }, 3000); // 3 seconds - typical permission check is < 1 second
+      return () => clearTimeout(timeoutId);
+    }
+    // Clear error if organisation context becomes available
+    if (error?.message === 'Organisation context is required for permission checks') {
+      setError(null);
+    }
+  }, [scope.organisationId, error]);
   useEffect(() => {
     const fetchPermissions = async () => {
       // Prevent multiple simultaneous fetches
@@ -65,10 +81,11 @@ export function usePermissions(userId: UUID, scope: Scope) {
         return;
       }
-      // Don't fetch permissions if scope is invalid (e.g., organisationId is empty)
-      // Return empty permissions and loading true for invalid scopes to prevent premature access denied
-      if (!scope.organisationId || scope.organisationId.trim() === '') {
-        setPermissions({} as PermissionMap);
+      // Don't fetch permissions if scope is invalid (e.g., organisationId is null/empty)
+      // Wait for organisation context to resolve
+      // IMPORTANT: Don't clear existing permissions here - keep them until we have new ones
+      if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
+        // Keep existing permissions, just mark as loading
         setIsLoading(true);
         setError(null);
         return;
@@ -79,10 +96,17 @@ export function usePermissions(userId: UUID, scope: Scope) {
         setIsLoading(true);
         setError(null);
+        // Fetch new permissions - don't clear old ones until we have new ones
         const permissionMap = await getPermissionMap({ userId, scope });
+        // Only update permissions if fetch was successful
         setPermissions(permissionMap);
       } catch (err) {
+        // On error, keep existing permissions but set error state
+        // This prevents the UI from losing all items when there's a transient error
+        console.error('[usePermissions] Failed to fetch permissions:', err);
         setError(err instanceof Error ? err : new Error('Failed to fetch permissions'));
+        // Don't clear permissions on error - keep what we had
       } finally {
         setIsLoading(false);
         isFetchingRef.current = false;
@@ -125,9 +149,10 @@ export function usePermissions(userId: UUID, scope: Scope) {
       return;
     }
-    // Don't fetch permissions if scope is invalid (e.g., organisationId is empty)
-    if (!scope.organisationId || scope.organisationId.trim() === '') {
-      setPermissions({} as PermissionMap);
+    // Don't fetch permissions if scope is invalid (e.g., organisationId is null/empty)
+    // IMPORTANT: Don't clear existing permissions - keep them until we have new ones
+    if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
+      // Keep existing permissions, just mark as loading
       setIsLoading(true);
       setError(null);
       return;
@@ -138,10 +163,17 @@ export function usePermissions(userId: UUID, scope: Scope) {
       setIsLoading(true);
       setError(null);
+      // Fetch new permissions - don't clear old ones until we have new ones
       const permissionMap = await getPermissionMap({ userId, scope });
+      // Only update permissions if fetch was successful
       setPermissions(permissionMap);
     } catch (err) {
+      // On error, keep existing permissions but set error state
+      // This prevents the UI from losing all items when there's a transient error
+      console.error('[usePermissions] Failed to refetch permissions:', err);
       setError(err instanceof Error ? err : new Error('Failed to fetch permissions'));
+      // Don't clear permissions on error - keep what we had
     } finally {
       setIsLoading(false);
       isFetchingRef.current = false;
@@ -193,6 +225,23 @@ export function useCan(
   const [isLoading, setIsLoading] = useState(true);
   const [error, setError] = useState<Error | null>(null);
+  // Add timeout for missing organisation context (3 seconds)
+  useEffect(() => {
+    if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
+      const timeoutId = setTimeout(() => {
+        setError(new Error('Organisation context is required for permission checks'));
+        setIsLoading(false);
+        setCan(false);
+      }, 3000); // 3 seconds - typical permission check is < 1 second
+      return () => clearTimeout(timeoutId);
+    }
+    // Clear error if organisation context becomes available
+    if (error?.message === 'Organisation context is required for permission checks') {
+      setError(null);
+    }
+  }, [scope.organisationId, error]);
   // Use refs to track the last values to prevent unnecessary re-runs
   const lastUserIdRef = useRef<UUID | null>(null);
   const lastScopeRef = useRef<string | null>(null);
@@ -226,12 +275,13 @@ export function useCan(
           return;
         }
-        // Don't check permissions if scope is invalid (e.g., organisationId is empty)
-        // Return can: false and loading: true for invalid scopes to prevent premature access denied
-        if (!scope.organisationId || scope.organisationId.trim() === '') {
-          console.log('[useCan] Invalid scope - organisationId is empty:', { scope, permission, pageId });
-          setCan(false);
+        // Don't check permissions if scope is invalid (e.g., organisationId is null/empty)
+        // Wait for organisation context to resolve
+        if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
           setIsLoading(true);
+          setCan(false);
+          setError(null);
+          // Timeout is handled in separate useEffect (Phase 1.4)
           return;
         }
@@ -239,21 +289,10 @@ export function useCan(
           setIsLoading(true);
           setError(null);
-          console.log('[useCan] Checking permission:', {
-            userId,
-            organisationId: scope.organisationId,
-            eventId: scope.eventId,
-            appId: scope.appId,
-            permission,
-            pageId
-          });
           const result = useCache
             ? await isPermittedCached({ userId, scope, permission, pageId })
             : await isPermitted({ userId, scope, permission, pageId });
-          console.log('[useCan] Permission check result:', { permission, result, pageId });
           setCan(result);
         } catch (err) {
           console.error('[useCan] Permission check error:', { permission, error: err });
@@ -275,10 +314,11 @@ export function useCan(
       return;
     }
-    // Don't check permissions if scope is invalid (e.g., organisationId is empty)
-    if (!scope.organisationId || scope.organisationId.trim() === '') {
+    // Don't check permissions if scope is invalid (e.g., organisationId is null/empty)
+    if (!scope.organisationId || scope.organisationId === null || (typeof scope.organisationId === 'string' && scope.organisationId.trim() === '')) {
       setCan(false);
       setIsLoading(true);
+      setError(null);
       return;
     }

package/src/rbac/hooks/useRBAC.simple.test.ts CHANGED Viewed

@@ -57,7 +57,6 @@ vi.mock('./useRBAC', () => ({
     eventAppRole: 'participant',
     isSuperAdmin: false,
     isOrgAdmin: false,
-    hasPermission: () => true,
     hasGlobalPermission: () => true,
     error: null,
   }),
@@ -80,18 +79,12 @@ describe('useRBAC Hook - Simple Tests', () => {
     expect(result.current).toHaveProperty('globalRole');
     expect(result.current).toHaveProperty('organisationRole');
     expect(result.current).toHaveProperty('eventAppRole');
-    expect(result.current).toHaveProperty('hasPermission');
     expect(result.current).toHaveProperty('hasGlobalPermission');
     expect(result.current).toHaveProperty('isSuperAdmin');
     expect(result.current).toHaveProperty('isOrgAdmin');
     expect(result.current).toHaveProperty('isLoading');
     expect(result.current).toHaveProperty('error');
-  });
-  it('hasPermission is a function', () => {
-    const { result } = renderHook(() => useRBAC());
-    expect(typeof result.current.hasPermission).toBe('function');
+    // Note: hasPermission was removed - use useCan() hook instead
   });
   it('hasGlobalPermission is a function', () => {

package/src/rbac/hooks/useRBAC.test.ts CHANGED Viewed

@@ -97,7 +97,7 @@ describe('useRBAC', () => {
     await waitFor(() => {
       expect(result.current.isLoading).toBe(false);
-      expect(result.current.hasPermission).toBeTypeOf('function');
+      expect(result.current.hasGlobalPermission).toBeTypeOf('function');
     });
     expect(mockResolveAppContext).toHaveBeenCalledWith({ userId: 'user-1', appName: 'test-app' });
@@ -109,45 +109,8 @@ describe('useRBAC', () => {
     );
   });
-  it('uses cached permission map before hitting engine', async () => {
-    mockUseUnifiedAuth.mockReturnValue({
-      user: { id: 'user-1' },
-      session: { access_token: 'token' },
-      appName: 'test-app',
-    });
-    mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
-    mockGetPermissionMap.mockResolvedValue({ 'read:dashboard': true });
-    const { result } = renderHook(() => useRBAC('dashboard'));
-    await waitFor(() => expect(result.current.isLoading).toBe(false));
-    mockIsPermittedCached.mockClear();
-    const allowed = await result.current.hasPermission('read', 'dashboard');
-    expect(allowed).toBe(true);
-    expect(mockIsPermittedCached).not.toHaveBeenCalled();
-  });
-  it('falls back to engine when permission not cached', async () => {
-    mockUseUnifiedAuth.mockReturnValue({
-      user: { id: 'user-1' },
-      session: { access_token: 'token' },
-      appName: 'test-app',
-    });
-    mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
-    mockGetPermissionMap.mockResolvedValue({});
-    mockIsPermittedCached.mockResolvedValue(true);
-    const { result } = renderHook(() => useRBAC('dashboard'));
-    await waitFor(() => expect(result.current.isLoading).toBe(false));
-    const allowed = await result.current.hasPermission('read', 'dashboard');
-    expect(allowed).toBe(true);
-    expect(mockIsPermittedCached).toHaveBeenCalled();
-  });
+  // Note: Permission checking tests have been moved to useCan.test.ts
+  // useRBAC now focuses on role information and context, not permission checks
   it('handles denied app resolution securely', async () => {
     mockUseUnifiedAuth.mockReturnValue({

package/src/rbac/hooks/useRBAC.ts CHANGED Viewed

@@ -17,7 +17,6 @@ import { useEvents } from '../../hooks/useEvents';
 import {
   getPermissionMap,
   getAccessLevel,
-  isPermittedCached,
   resolveAppContext,
   getRoleContext,
 } from '../api';
@@ -27,7 +26,6 @@ import type {
   GlobalRole,
   OrganisationRole,
   EventAppRole,
-  Operation,
   Permission,
   Scope,
   PermissionMap,
@@ -125,58 +123,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
     }
   }, [appName, logger, resetState, selectedEvent?.event_id, selectedOrganisation?.id, session, user]);
-  const hasPermission = useCallback(
-    async (operationOrPermission: Operation | string, targetPageId?: string): Promise<boolean> => {
-      if (!user) {
-        logger.warn('[useRBAC] Permission check attempted without authenticated user context');
-        return false;
-      }
-      if (!currentScope || !currentScope.organisationId) {
-        logger.error('[useRBAC] Permission check denied due to missing organisation context', {
-          hasScope: !!currentScope,
-          scope: currentScope,
-          userId: user.id,
-          permission: operationOrPermission,
-        });
-        return false;
-      }
-      if (globalRole === 'super_admin' || permissionMap['*']) {
-        logger.info('[useRBAC] Super admin bypass granted', {
-          userId: user.id,
-          permission: operationOrPermission,
-        });
-        return true;
-      }
-      let permission: Permission;
-      if (operationOrPermission.includes(':')) {
-        permission = operationOrPermission as Permission;
-      } else if (targetPageId || pageId) {
-        permission = `${operationOrPermission}:${targetPageId || pageId}` as Permission;
-      } else {
-        permission = operationOrPermission as Permission;
-      }
-      const cachedValue = permissionMap[permission];
-      if (cachedValue === true) {
-        return true;
-      }
-      if (cachedValue === false) {
-        return false;
-      }
-      return isPermittedCached({
-        userId: user.id as UUID,
-        scope: currentScope,
-        permission,
-        pageId: targetPageId ?? pageId,
-      });
-    },
-    [currentScope, globalRole, logger, pageId, permissionMap, user],
-  );
   const hasGlobalPermission = useCallback(
     (permission: string): boolean => {
       if (globalRole === 'super_admin' || permissionMap['*']) {
@@ -211,7 +157,6 @@ export function useRBAC(pageId?: string): UserRBACContext {
     globalRole,
     organisationRole,
     eventAppRole,
-    hasPermission,
     hasGlobalPermission,
     isSuperAdmin,
     isOrgAdmin,

package/src/rbac/hooks/useResolvedScope.ts CHANGED Viewed

@@ -74,28 +74,30 @@ export function useResolvedScope({
     eventId: undefined
   });
-  // Only update the stable scope if the resolved scope has actually changed
-  if (resolvedScope && resolvedScope.organisationId) {
-    const newScope = {
-      organisationId: resolvedScope.organisationId,
-      appId: resolvedScope.appId,
-      eventId: resolvedScope.eventId
-    };
-    // Only update if the scope has actually changed
-    if (stableScopeRef.current.organisationId !== newScope.organisationId ||
-        stableScopeRef.current.eventId !== newScope.eventId ||
-        stableScopeRef.current.appId !== newScope.appId) {
-      stableScopeRef.current = {
-        organisationId: newScope.organisationId,
-        appId: newScope.appId || '',
-        eventId: newScope.eventId
+  // Update stable scope ref in useEffect to avoid updates during render
+  useEffect(() => {
+    if (resolvedScope && resolvedScope.organisationId) {
+      const newScope = {
+        organisationId: resolvedScope.organisationId,
+        appId: resolvedScope.appId,
+        eventId: resolvedScope.eventId
       };
+      // Only update if the scope has actually changed
+      if (stableScopeRef.current.organisationId !== newScope.organisationId ||
+          stableScopeRef.current.eventId !== newScope.eventId ||
+          stableScopeRef.current.appId !== newScope.appId) {
+        stableScopeRef.current = {
+          organisationId: newScope.organisationId,
+          appId: newScope.appId || '',
+          eventId: newScope.eventId
+        };
+      }
+    } else if (!resolvedScope) {
+      // Reset to empty scope when no resolved scope
+      stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };
     }
-  } else if (!resolvedScope) {
-    // Reset to empty scope when no resolved scope
-    stableScopeRef.current = { organisationId: '', appId: '', eventId: undefined };
-  }
+  }, [resolvedScope]);
   const stableScope = stableScopeRef.current;
@@ -144,17 +146,10 @@ export function useResolvedScope({
           }
         }
-        // Debug logging
-        console.log('[useResolvedScope] Attempting to resolve scope:', {
-          selectedOrganisationId,
-          selectedEventId,
-          appId: appId || 'NOT RESOLVED YET',
-          resolveStep: 'initial'
-        });
+        // Resolve scope based on available context
         // If we have both organisation and event, use them directly
         if (selectedOrganisationId && selectedEventId) {
-          console.log('[useResolvedScope] Resolving with both org and event');
           if (!cancelled) {
             setResolvedScope({
               organisationId: selectedOrganisationId,
@@ -168,7 +163,6 @@ export function useResolvedScope({
         // If we only have organisation, use it
         if (selectedOrganisationId) {
-          console.log('[useResolvedScope] Resolving with organisation only');
           if (!cancelled) {
             setResolvedScope({
               organisationId: selectedOrganisationId,
@@ -183,7 +177,6 @@ export function useResolvedScope({
         // If we only have event, resolve organisation from event
         if (selectedEventId && supabase) {
           try {
-            console.log('[useResolvedScope] Resolving from event:', { selectedEventId, appId });
             const eventScope = await createScopeFromEvent(supabase, selectedEventId, appId);
             if (!eventScope) {
               console.error('[useResolvedScope] Could not resolve organization from event context');
@@ -194,7 +187,6 @@ export function useResolvedScope({
               }
               return;
             }
-            console.log('[useResolvedScope] Resolved from event:', eventScope);
             // Preserve the resolved app ID
             if (!cancelled) {
               setResolvedScope({

package/src/rbac/permissions.test.ts CHANGED Viewed

@@ -84,13 +84,17 @@ describe('RBAC Permissions', () => {
     it('rejects invalid Permission types', () => {
       const invalidPermissions = [
-        'manage:users',
-        'READ:users',
-        'read:',
-        ':users',
-        'read:users*',
-        'read:*users',
-        'invalid'
+        'READ:users', // Capital letters not allowed
+        'read:', // Missing resource
+        ':users', // Missing operation
+        'read:users*', // Invalid wildcard placement
+        'read:*users', // Invalid wildcard placement
+        'invalid', // Not in format operation:resource
+        'read:users-', // Invalid character (hyphen) at end
+        'read:users_', // Invalid character (underscore) at end
+        'read:.users', // Cannot start with dot
+        'read:users.', // Cannot end with dot
+        'read:users..detail', // Cannot have consecutive dots
       ];
       invalidPermissions.forEach(permission => {

package/src/rbac/security.test.ts CHANGED Viewed

@@ -23,7 +23,7 @@ describe('RBACSecurityValidator', () => {
         'create:user-profiles',
         'update:events',
         'delete:organisations',
-        'manage:base.events',
+        'update:base.events',
         'read:user-profiles.details'
       ];
@@ -352,7 +352,7 @@ describe('RBACSecurityMiddleware', () => {
       const input = {
         userId: '123e4567-e89b-12d3-a456-426614174000' as UUID,
         scope: { organisationId: '123e4567-e89b-12d3-a456-426614174001' as UUID },
-        permission: 'manage:everything' as Permission
+        permission: 'update:everything' as Permission
       };
       const context = {