@jmruthers/pace-core 0.5.139 → 0.5.141

package/src/rbac/hooks/useResourcePermissions.ts

@@ -0,0 +1,235 @@
+/**
+ * @file useResourcePermissions Hook
+ * @package @jmruthers/pace-core
+ * @module RBAC/Hooks
+ * @since 1.0.0
+ * 
+ * Hook to check permissions for a specific resource type.
+ * This hook centralizes the common pattern of checking create/update/delete/read
+ * permissions, eliminating ~30 lines of boilerplate code per hook usage.
+ * 
+ * @example
+ * ```tsx
+ * import { useResourcePermissions } from '@jmruthers/pace-core/rbac';
+ * 
+ * function ContactsHook() {
+ *   const { canCreate, canUpdate, canDelete } = useResourcePermissions('contacts');
+ *   
+ *   const addContact = async (data: ContactData) => {
+ *     if (!canCreate('contacts')) {
+ *       throw new Error("Permission denied: You do not have permission to create contacts.");
+ *     }
+ *     // ... perform mutation
+ *   };
+ * }
+ * ```
+ * 
+ * @example
+ * ```tsx
+ * // With read permissions enabled
+ * const { canRead } = useResourcePermissions('contacts', { enableRead: true });
+ * 
+ * if (!canRead('contacts')) {
+ *   return <PermissionDenied />;
+ * }
+ * ```
+ * 
+ * @security
+ * - Requires organisation context (handled by useResolvedScope)
+ * - All permission checks are scoped to the current organisation/event/app context
+ * - Missing user context results in all permissions being denied
+ */
+
+import { useMemo } from 'react';
+import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
+import { useOrganisations } from '../../hooks/useOrganisations';
+import { useEvents } from '../../hooks/useEvents';
+import { useResolvedScope } from './useResolvedScope';
+import { useCan } from './usePermissions';
+import type { Scope } from '../types';
+
+export interface UseResourcePermissionsOptions {
+  /** Whether to check read permissions (default: false) */
+  enableRead?: boolean;
+  /** Whether scope resolution is required (default: true) */
+  requireScope?: boolean;
+}
+
+export interface ResourcePermissions {
+  /** Check if user can create resources of this type */
+  canCreate: (resource: string) => boolean;
+  /** Check if user can update resources of this type */
+  canUpdate: (resource: string) => boolean;
+  /** Check if user can delete resources of this type */
+  canDelete: (resource: string) => boolean;
+  /** Check if user can read resources of this type */
+  canRead: (resource: string) => boolean;
+  /** The resolved scope object (for advanced use cases) */
+  scope: Scope;
+  /** Whether any permission check is currently loading */
+  isLoading: boolean;
+  /** Error from any permission check or scope resolution */
+  error: Error | null;
+}
+
+/**
+ * Hook to check permissions for a specific resource
+ * 
+ * This hook encapsulates the common pattern of checking create/update/delete/read
+ * permissions for a resource type. It handles scope resolution, user context,
+ * and provides a simple API for permission checking.
+ * 
+ * @param resource - The resource name (e.g., 'contacts', 'risks', 'journal')
+ * @param options - Optional configuration
+ * @param options.enableRead - Whether to check read permissions (default: false)
+ * @param options.requireScope - Whether scope resolution is required (default: true)
+ * @returns Object with permission check functions and scope
+ * 
+ * @example
+ * ```tsx
+ * function useContacts() {
+ *   const { canCreate, canUpdate, canDelete } = useResourcePermissions('contacts');
+ *   
+ *   const addContact = async (data: ContactData) => {
+ *     if (!canCreate('contacts')) {
+ *       throw new Error("Permission denied");
+ *     }
+ *     // ... perform mutation
+ *   };
+ * }
+ * ```
+ */
+export function useResourcePermissions(
+  resource: string,
+  options: UseResourcePermissionsOptions = {}
+): ResourcePermissions {
+  const { enableRead = false, requireScope = true } = options;
+
+  // Get user and supabase client from UnifiedAuth
+  const { user, supabase } = useUnifiedAuth();
+  
+  // Get selected organisation
+  const { selectedOrganisation } = useOrganisations();
+  
+  // Get selected event (optional - wrap in try/catch)
+  let selectedEvent: { event_id: string } | null = null;
+  try {
+    const eventsContext = useEvents();
+    selectedEvent = eventsContext.selectedEvent;
+  } catch (error) {
+    // Event provider not available - continue without event context
+    // This is expected in some apps that don't use events
+  }
+
+  // Resolve scope for permission checks
+  const { resolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
+    supabase,
+    selectedOrganisationId: selectedOrganisation?.id || null,
+    selectedEventId: selectedEvent?.event_id || null
+  });
+
+  // Create fallback scope if resolvedScope is not available
+  const scope: Scope = resolvedScope || {
+    organisationId: selectedOrganisation?.id || '',
+    eventId: selectedEvent?.event_id || undefined,
+    appId: undefined
+  };
+
+  // Permission checks for create, update, delete
+  const { can: canCreateResult, isLoading: createLoading, error: createError } = useCan(
+    user?.id || '',
+    scope,
+    `create:${resource}` as const,
+    undefined, // pageId
+    true // useCache
+  );
+
+  const { can: canUpdateResult, isLoading: updateLoading, error: updateError } = useCan(
+    user?.id || '',
+    scope,
+    `update:${resource}` as const,
+    undefined, // pageId
+    true // useCache
+  );
+
+  const { can: canDeleteResult, isLoading: deleteLoading, error: deleteError } = useCan(
+    user?.id || '',
+    scope,
+    `delete:${resource}` as const,
+    undefined, // pageId
+    true // useCache
+  );
+
+  // Optional read permission check
+  const { can: canReadResult, isLoading: readLoading, error: readError } = useCan(
+    user?.id || '',
+    scope,
+    `read:${resource}` as const,
+    undefined, // pageId
+    true // useCache
+  );
+
+  // Aggregate loading states - any permission check or scope resolution loading
+  const isLoading = useMemo(() => {
+    return scopeLoading || createLoading || updateLoading || deleteLoading || (enableRead && readLoading);
+  }, [scopeLoading, createLoading, updateLoading, deleteLoading, readLoading, enableRead]);
+
+  // Aggregate errors - prefer scope error, then any permission error
+  const error = useMemo(() => {
+    if (scopeError) return scopeError;
+    if (createError) return createError;
+    if (updateError) return updateError;
+    if (deleteError) return deleteError;
+    if (enableRead && readError) return readError;
+    return null;
+  }, [scopeError, createError, updateError, deleteError, readError, enableRead]);
+
+  // Return wrapper functions that take resource name and return permission result
+  // Note: The resource parameter in the function is for consistency with the API,
+  // but we're checking permissions for the resource passed to the hook
+  return useMemo(() => ({
+    canCreate: (res: string) => {
+      // For now, we only check the resource passed to the hook
+      // Future enhancement could support checking different resources
+      if (res !== resource) {
+        return false;
+      }
+      return canCreateResult;
+    },
+    canUpdate: (res: string) => {
+      if (res !== resource) {
+        return false;
+      }
+      return canUpdateResult;
+    },
+    canDelete: (res: string) => {
+      if (res !== resource) {
+        return false;
+      }
+      return canDeleteResult;
+    },
+    canRead: (res: string) => {
+      if (!enableRead) {
+        return true; // If read checking is disabled, allow read
+      }
+      if (res !== resource) {
+        return false;
+      }
+      return canReadResult;
+    },
+    scope,
+    isLoading,
+    error
+  }), [
+    resource,
+    canCreateResult,
+    canUpdateResult,
+    canDeleteResult,
+    canReadResult,
+    enableRead,
+    scope,
+    isLoading,
+    error
+  ]);
+}
+

package/src/utils/performance/bundleAnalysis.ts

@@ -14,7 +14,13 @@ interface ChunkInfo {
 }
 
 class BundleAnalyzer {
-  private enabled = import.meta.env.MODE === 'development';
+  private get enabled(): boolean {
+    try {
+      return import.meta.env?.MODE === 'development';
+    } catch {
+      return false;
+    }
+  }
 
   analyzeBundle(): BundleStats | null {
     if (!this.enabled) return null;
@@ -104,7 +110,11 @@ export const bundleAnalyzer = new BundleAnalyzer();
 
 // Helper to check if imports are optimized
 export function validateImportPattern(moduleId: string, importedItems: string[]): void {
-  if (import.meta.env.MODE !== 'development') return;
+  try {
+    if (import.meta.env?.MODE !== 'development') return;
+  } catch {
+    return; // Silently skip in test environments
+  }
 
   const largeModules = ['lodash', 'moment', 'rxjs'];
   const isLargeModule = largeModules.some(mod => moduleId.includes(mod));
@@ -121,7 +131,11 @@ export function validateImportPattern(moduleId: string, importedItems: string[])
 
 // Monitor dynamic imports
 export function trackDynamicImport(moduleName: string): void {
-  if (import.meta.env.MODE !== 'development') return;
+  try {
+    if (import.meta.env?.MODE !== 'development') return;
+  } catch {
+    return; // Silently skip in test environments
+  }
   
   // TODO: Replace with proper logging service integration
   // For now, we'll log to console for testing purposes