npm - @jmruthers/pace-core - Versions diffs - 0.5.184 → 0.5.186 - Mend

@jmruthers/pace-core 0.5.184 → 0.5.186

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (319) hide show

package/CHANGELOG.md +38 -0
package/README.md +60 -1
package/core-usage-manifest.json +312 -0
package/dist/{DataTable-QAB34V6K.js → DataTable-IX2NBUTP.js} +6 -6
package/dist/{DataTable-Bz8ffqyA.d.ts → DataTable-Z9NLVJh0.d.ts} +1 -1
package/dist/{index-Bl--n7-T.d.ts → PublicPageProvider-DIzEzwKl.d.ts} +23 -10
package/dist/{UnifiedAuthProvider-7F6T4B6K.js → UnifiedAuthProvider-A4BCQRJY.js} +4 -2
package/dist/{UnifiedAuthProvider-F86d7dSi.d.ts → UnifiedAuthProvider-BG0AL5eE.d.ts} +2 -1
package/dist/{api-ROMBCNKU.js → api-BMFCXVQX.js} +2 -2
package/dist/{chunk-RA3JUFMW.js → chunk-445GEP27.js} +154 -4
package/dist/{chunk-RA3JUFMW.js.map → chunk-445GEP27.js.map} +1 -1
package/dist/{chunk-W22JP75J.js → chunk-DAGICKHT.js} +9 -7
package/dist/chunk-DAGICKHT.js.map +1 -0
package/dist/{chunk-FUEYYMX5.js → chunk-FXFJRTKI.js} +24 -3
package/dist/chunk-FXFJRTKI.js.map +1 -0
package/dist/{chunk-CSOFYHAG.js → chunk-GRIQLQ52.js} +374 -60
package/dist/chunk-GRIQLQ52.js.map +1 -0
package/dist/{chunk-NQPMQGS2.js → chunk-HDCUMOOI.js} +497 -399
package/dist/chunk-HDCUMOOI.js.map +1 -0
package/dist/chunk-HESYZWZW.js +388 -0
package/dist/chunk-HESYZWZW.js.map +1 -0
package/dist/{chunk-QUVSNGIP.js → chunk-HGPQUCBC.js} +34 -9
package/dist/{chunk-QUVSNGIP.js.map → chunk-HGPQUCBC.js.map} +1 -1
package/dist/{chunk-PWAHJW4G.js → chunk-OALXJH4Y.js} +86 -33
package/dist/chunk-OALXJH4Y.js.map +1 -0
package/dist/{chunk-MI7HBHN3.js → chunk-TC7D3CR3.js} +89 -9
package/dist/chunk-TC7D3CR3.js.map +1 -0
package/dist/chunk-THRPYOFK.js +215 -0
package/dist/chunk-THRPYOFK.js.map +1 -0
package/dist/{chunk-M7W4CP3M.js → chunk-U6WNSFX5.js} +2 -1
package/dist/chunk-U6WNSFX5.js.map +1 -0
package/dist/{chunk-UHNYIBXL.js → chunk-UQWSHFVX.js} +1 -1
package/dist/chunk-UQWSHFVX.js.map +1 -0
package/dist/{chunk-QCDXODCA.js → chunk-XAUHJD3L.js} +2 -2
package/dist/components.d.ts +182 -6
package/dist/components.js +157 -11
package/dist/components.js.map +1 -1
package/dist/{database.generated-CBmg2950.d.ts → database.generated-DI89OQeI.d.ts} +63 -9
package/dist/eslint-rules/pace-core-compliance.cjs +406 -0
package/dist/{file-reference-D06mEEWW.d.ts → file-reference-PRTSLxKx.d.ts} +10 -1
package/dist/hooks.d.ts +52 -15
package/dist/hooks.js +12 -22
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +12 -12
package/dist/index.js +82 -18
package/dist/index.js.map +1 -1
package/dist/providers.d.ts +1 -1
package/dist/providers.js +3 -1
package/dist/rbac/index.d.ts +206 -15
package/dist/rbac/index.js +28 -6
package/dist/timezone-_pgH8qrY.d.ts +530 -0
package/dist/{types-_x1f4QBF.d.ts → types-DUyCRSTj.d.ts} +1 -1
package/dist/types.d.ts +2 -2
package/dist/types.js +1 -1
package/dist/{usePublicRouteParams-JJczomYq.d.ts → usePublicRouteParams-D71QLlg4.d.ts} +114 -3
package/dist/utils.d.ts +110 -152
package/dist/utils.js +128 -138
package/dist/utils.js.map +1 -1
package/docs/api/README.md +60 -1
package/docs/api/classes/ColumnFactory.md +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +1 -1
package/docs/api/classes/Logger.md +178 -0
package/docs/api/classes/MissingUserContextError.md +1 -1
package/docs/api/classes/OrganisationContextRequiredError.md +1 -1
package/docs/api/classes/PermissionDeniedError.md +1 -1
package/docs/api/classes/RBACAuditManager.md +2 -2
package/docs/api/classes/RBACCache.md +1 -1
package/docs/api/classes/RBACEngine.md +2 -2
package/docs/api/classes/RBACError.md +1 -1
package/docs/api/classes/RBACNotInitializedError.md +1 -1
package/docs/api/classes/SecureSupabaseClient.md +5 -5
package/docs/api/classes/StorageUtils.md +1 -1
package/docs/api/enums/FileCategory.md +1 -1
package/docs/api/enums/LogLevel.md +54 -0
package/docs/api/enums/RBACErrorCode.md +1 -1
package/docs/api/enums/RPCFunction.md +1 -1
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/BadgeProps.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CalendarProps.md +18 -2
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/ComplianceResult.md +30 -0
package/docs/api/interfaces/DataAccessRecord.md +1 -1
package/docs/api/interfaces/DataRecord.md +1 -1
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/DatabaseComplianceResult.md +85 -0
package/docs/api/interfaces/DatabaseIssue.md +41 -0
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
package/docs/api/interfaces/EventAppRoleData.md +6 -6
package/docs/api/interfaces/ExportColumn.md +1 -1
package/docs/api/interfaces/ExportOptions.md +1 -1
package/docs/api/interfaces/FileDisplayProps.md +1 -1
package/docs/api/interfaces/FileMetadata.md +1 -1
package/docs/api/interfaces/FileReference.md +1 -1
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadOptions.md +48 -8
package/docs/api/interfaces/FileUploadProps.md +46 -13
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/FormFieldProps.md +1 -1
package/docs/api/interfaces/FormProps.md +1 -1
package/docs/api/interfaces/GrantEventAppRoleParams.md +9 -9
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoggerConfig.md +62 -0
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +1 -1
package/docs/api/interfaces/NavigationContextType.md +1 -1
package/docs/api/interfaces/NavigationGuardProps.md +1 -1
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +1 -1
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +1 -1
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +36 -23
package/docs/api/interfaces/PaceLoginPageProps.md +1 -1
package/docs/api/interfaces/PageAccessRecord.md +1 -1
package/docs/api/interfaces/PagePermissionContextType.md +1 -1
package/docs/api/interfaces/PagePermissionGuardProps.md +11 -11
package/docs/api/interfaces/PagePermissionProviderProps.md +1 -1
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/PermissionEnforcerProps.md +1 -1
package/docs/api/interfaces/ProgressProps.md +1 -1
package/docs/api/interfaces/ProtectedRouteProps.md +6 -6
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/QuickFix.md +52 -0
package/docs/api/interfaces/RBACAccessValidateParams.md +1 -1
package/docs/api/interfaces/RBACAccessValidateResult.md +1 -1
package/docs/api/interfaces/RBACAuditLogParams.md +1 -1
package/docs/api/interfaces/RBACAuditLogResult.md +1 -1
package/docs/api/interfaces/RBACConfig.md +4 -4
package/docs/api/interfaces/RBACContext.md +1 -1
package/docs/api/interfaces/RBACLogger.md +1 -1
package/docs/api/interfaces/RBACPageAccessCheckParams.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckParams.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckResult.md +1 -1
package/docs/api/interfaces/RBACPermissionsGetParams.md +1 -1
package/docs/api/interfaces/RBACPermissionsGetResult.md +1 -1
package/docs/api/interfaces/RBACResult.md +1 -1
package/docs/api/interfaces/RBACRoleGrantParams.md +1 -1
package/docs/api/interfaces/RBACRoleGrantResult.md +1 -1
package/docs/api/interfaces/RBACRoleRevokeParams.md +1 -1
package/docs/api/interfaces/RBACRoleRevokeResult.md +1 -1
package/docs/api/interfaces/RBACRoleValidateParams.md +1 -1
package/docs/api/interfaces/RBACRoleValidateResult.md +1 -1
package/docs/api/interfaces/RBACRolesListParams.md +1 -1
package/docs/api/interfaces/RBACRolesListResult.md +1 -1
package/docs/api/interfaces/RBACSessionTrackParams.md +1 -1
package/docs/api/interfaces/RBACSessionTrackResult.md +1 -1
package/docs/api/interfaces/ResourcePermissions.md +1 -1
package/docs/api/interfaces/RevokeEventAppRoleParams.md +7 -7
package/docs/api/interfaces/RoleBasedRouterContextType.md +1 -1
package/docs/api/interfaces/RoleBasedRouterProps.md +1 -1
package/docs/api/interfaces/RoleManagementResult.md +5 -5
package/docs/api/interfaces/RouteAccessRecord.md +1 -1
package/docs/api/interfaces/RouteConfig.md +1 -1
package/docs/api/interfaces/RuntimeComplianceResult.md +55 -0
package/docs/api/interfaces/SecureDataContextType.md +1 -1
package/docs/api/interfaces/SecureDataProviderProps.md +1 -1
package/docs/api/interfaces/SessionRestorationLoaderProps.md +1 -1
package/docs/api/interfaces/SetupIssue.md +41 -0
package/docs/api/interfaces/StorageConfig.md +1 -1
package/docs/api/interfaces/StorageFileInfo.md +1 -1
package/docs/api/interfaces/StorageFileMetadata.md +1 -1
package/docs/api/interfaces/StorageListOptions.md +1 -1
package/docs/api/interfaces/StorageListResult.md +1 -1
package/docs/api/interfaces/StorageUploadOptions.md +1 -1
package/docs/api/interfaces/StorageUploadResult.md +1 -1
package/docs/api/interfaces/StorageUrlOptions.md +1 -1
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/SwitchProps.md +1 -1
package/docs/api/interfaces/TabsContentProps.md +1 -1
package/docs/api/interfaces/TabsListProps.md +1 -1
package/docs/api/interfaces/TabsProps.md +1 -1
package/docs/api/interfaces/TabsTriggerProps.md +1 -1
package/docs/api/interfaces/TextareaProps.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +1 -1
package/docs/api/interfaces/UnifiedAuthProviderProps.md +1 -1
package/docs/api/interfaces/UseFormDialogOptions.md +62 -0
package/docs/api/interfaces/UseFormDialogReturn.md +117 -0
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventLogoOptions.md +2 -2
package/docs/api/interfaces/UsePublicEventLogoReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +2 -2
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UseResolvedScopeOptions.md +2 -2
package/docs/api/interfaces/UseResolvedScopeReturn.md +1 -1
package/docs/api/interfaces/UseResourcePermissionsOptions.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +1 -1
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +746 -50
package/docs/api-reference/components.md +26 -12
package/docs/api-reference/hooks.md +111 -0
package/docs/api-reference/rpc-functions.md +1 -1
package/docs/api-reference/utilities.md +184 -0
package/docs/getting-started/installation-guide.md +75 -16
package/docs/getting-started/quick-start.md +61 -11
package/docs/implementation-guides/authentication.md +88 -12
package/docs/implementation-guides/file-reference-system.md +26 -3
package/docs/implementation-guides/file-upload-storage.md +30 -1
package/docs/rbac/README.md +1 -0
package/docs/rbac/compliance/compliance-guide.md +544 -0
package/docs/rbac/getting-started.md +158 -33
package/docs/standards/pace-core-compliance.md +432 -0
package/eslint-config-pace-core.cjs +93 -0
package/package.json +15 -3
package/scripts/analyze-bundle.js +232 -0
package/scripts/build-css.js +56 -0
package/scripts/build-docs-incremental.js +1015 -0
package/scripts/check-pace-core-compliance.cjs +2353 -0
package/scripts/check-pace-core-compliance.js +512 -0
package/scripts/generate-docs.js +157 -0
package/scripts/setup-build-cache.js +73 -0
package/scripts/utils/command-runner.js +131 -0
package/scripts/utils/env.js +33 -0
package/scripts/utils/index.js +10 -0
package/scripts/utils/logger.js +88 -0
package/scripts/utils/path-helpers.js +37 -0
package/scripts/validate-formats.js +133 -0
package/scripts/validate-master.js +155 -0
package/scripts/validate-pre-publish.js +140 -0
package/scripts/validate-theme.js +142 -0
package/src/components/Calendar/Calendar.tsx +8 -1
package/src/components/Card/Card.tsx +47 -8
package/src/components/DatePickerWithTimezone/DatePickerWithTimezone.test.tsx +314 -0
package/src/components/DatePickerWithTimezone/DatePickerWithTimezone.tsx +126 -0
package/src/components/DatePickerWithTimezone/README.md +135 -0
package/src/components/DatePickerWithTimezone/index.ts +10 -0
package/src/components/DateTimeField/DateTimeField.test.tsx +358 -0
package/src/components/DateTimeField/DateTimeField.tsx +232 -0
package/src/components/DateTimeField/README.md +148 -0
package/src/components/DateTimeField/index.ts +10 -0
package/src/components/FileUpload/FileUpload.test.tsx +2 -0
package/src/components/FileUpload/FileUpload.tsx +10 -1
package/src/components/Header/Header.test.tsx +47 -18
package/src/components/Header/Header.tsx +22 -7
package/src/components/PaceAppLayout/PaceAppLayout.tsx +29 -20
package/src/components/PaceAppLayout/README.md +9 -0
package/src/components/ProtectedRoute/ProtectedRoute.test.tsx +37 -8
package/src/components/ProtectedRoute/ProtectedRoute.tsx +146 -5
package/src/components/index.ts +8 -0
package/src/eslint-rules/pace-core-compliance.cjs +406 -0
package/src/eslint-rules/pace-core-compliance.js +640 -0
package/src/hooks/__tests__/useFormDialog.test.ts +478 -0
package/src/hooks/index.ts +5 -0
package/src/hooks/useFileReference.test.ts +2 -0
package/src/hooks/useFormDialog.ts +147 -0
package/src/hooks/usePreventTabReload.ts +106 -0
package/src/hooks/useSecureDataAccess.ts +2 -2
package/src/index.ts +27 -0
package/src/providers/services/OrganisationServiceProvider.tsx +6 -5
package/src/providers/services/UnifiedAuthProvider.tsx +24 -3
package/src/rbac/__tests__/rbac-role-isolation.test.ts +456 -0
package/src/rbac/__tests__/scenarios.user-role.test.tsx +3 -0
package/src/rbac/compliance/database-validator.ts +165 -0
package/src/rbac/compliance/index.ts +38 -0
package/src/rbac/compliance/quick-fix-suggestions.ts +209 -0
package/src/rbac/compliance/runtime-compliance.ts +77 -0
package/src/rbac/compliance/setup-validator.ts +131 -0
package/src/rbac/components/PagePermissionGuard.tsx +8 -64
package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx +35 -21
package/src/rbac/docs/event-based-apps.md +285 -0
package/src/rbac/errors.ts +11 -0
package/src/rbac/hooks/useRoleManagement.ts +292 -12
package/src/rbac/index.ts +30 -0
package/src/services/OrganisationService.ts +4 -0
package/src/styles/core.css +5 -5
package/src/types/database.generated.ts +63 -9
package/src/types/file-reference.ts +9 -0
package/src/utils/__tests__/timezone.test.ts +345 -0
package/src/utils/file-reference/__tests__/file-reference.test.ts +60 -4
package/src/utils/file-reference/index.ts +13 -2
package/src/utils/formatting/formatDateTimeTimezone.test.ts +167 -0
package/src/utils/formatting/formatting.ts +179 -0
package/src/utils/index.ts +27 -1
package/src/utils/location/index.ts +16 -0
package/src/utils/location/location.test.ts +286 -0
package/src/utils/location/location.ts +175 -0
package/src/utils/security/secureDataAccess.ts +1 -1
package/src/utils/storage/helpers.ts +68 -0
package/src/utils/timezone/index.ts +17 -0
package/src/utils/timezone/timezone.test.ts +349 -0
package/src/utils/timezone/timezone.ts +281 -0
package/dist/chunk-CSOFYHAG.js.map +0 -1
package/dist/chunk-FUEYYMX5.js.map +0 -1
package/dist/chunk-HKIT6O7W.js +0 -198
package/dist/chunk-HKIT6O7W.js.map +0 -1
package/dist/chunk-KUEN3HFB.js +0 -94
package/dist/chunk-KUEN3HFB.js.map +0 -1
package/dist/chunk-M7W4CP3M.js.map +0 -1
package/dist/chunk-MI7HBHN3.js.map +0 -1
package/dist/chunk-NQPMQGS2.js.map +0 -1
package/dist/chunk-PWAHJW4G.js.map +0 -1
package/dist/chunk-UHNYIBXL.js.map +0 -1
package/dist/chunk-W22JP75J.js.map +0 -1
package/dist/formatting-5wETwiGF.d.ts +0 -162
/package/dist/{DataTable-QAB34V6K.js.map → DataTable-IX2NBUTP.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-7F6T4B6K.js.map → UnifiedAuthProvider-A4BCQRJY.js.map} +0 -0
/package/dist/{api-ROMBCNKU.js.map → api-BMFCXVQX.js.map} +0 -0
/package/dist/{chunk-QCDXODCA.js.map → chunk-XAUHJD3L.js.map} +0 -0

package/src/rbac/docs/event-based-apps.md ADDED Viewed

@@ -0,0 +1,285 @@
+# Event-Based Apps with RBAC
+This guide explains how to use the RBAC system for event-based applications where the organization context is automatically derived from the event context.
+## Overview
+Event-based apps are applications that operate within the context of a specific event. Since events inherently belong to an organization, these apps don't need explicit organization context - it is automatically resolved from the event by the RBAC components.
+## Key Concepts
+### Automatic Organization Resolution
+The RBAC components automatically resolve the organization from the event context when needed. You only need to provide the `eventId` (and optionally `appId`), and the system handles the rest.
+```typescript
+// The components automatically resolve organisationId from eventId
+const scope: Scope = {
+  eventId: 'event-123',
+  appId: 'app-456' // optional
+  // organisationId is automatically resolved
+};
+```
+### Permission Hierarchy
+For event-based apps, the permission hierarchy is:
+1. **Page-level permissions** (most specific)
+2. **Event-app permissions** (event + app specific)
+3. **Organization permissions** (automatically resolved from event)
+4. **Global permissions** (least specific)
+## Components
+The same RBAC components work for both organization-based and event-based apps. They automatically detect the context and resolve the organization when needed.
+### PermissionEnforcer
+Use this component for general permission enforcement in event-based apps:
+```tsx
+import { PermissionEnforcer } from '@jmruthers/pace-core/rbac';
+function EventDashboard() {
+  return (
+    <PermissionEnforcer
+      permissions={['read:events', 'update:participants']}
+      operation="dashboard"
+    >
+      <div>Event Dashboard Content</div>
+    </PermissionEnforcer>
+  );
+}
+```
+### PagePermissionGuard
+Use this component for page-level permission enforcement:
+```tsx
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';
+function EventSettingsPage() {
+  return (
+    <PagePermissionGuard
+      pageName="settings"
+      operation="read"
+    >
+      <div>Event Settings</div>
+    </PagePermissionGuard>
+  );
+}
+```
+### NavigationGuard
+Use this component for navigation-level permission enforcement:
+```tsx
+import { NavigationGuard } from '@jmruthers/pace-core/rbac';
+const navigationItems = [
+  {
+    id: 'dashboard',
+    name: 'Dashboard',
+    path: '/event/dashboard',
+    permissions: ['read:events']
+  },
+  {
+    id: 'settings',
+    name: 'Settings',
+    path: '/event/settings',
+    permissions: ['update:events']
+  }
+];
+function EventNavigation() {
+  return (
+    <nav>
+      {navigationItems.map(item => (
+        <NavigationGuard
+          key={item.id}
+          navigationItem={item}
+        >
+          <Link to={item.path}>{item.name}</Link>
+        </NavigationGuard>
+      ))}
+    </nav>
+  );
+}
+```
+## Hooks
+### useCan with Event Context
+You can use the standard `useCan` hook with event-based scopes:
+```tsx
+import { useCan } from '@jmruthers/pace-core/rbac';
+function EventComponent() {
+  const { selectedEventId } = useUnifiedAuth();
+  const { can: canManageEvents } = useCan(
+    userId,
+    { eventId: selectedEventId },
+    'update:events'
+  );
+  return (
+    <div>
+      {canManageEvents && (
+        <button>Manage Event</button>
+      )}
+    </div>
+  );
+}
+```
+## Setup
+### 1. Event Context Provider
+Ensure your app has event context available:
+```tsx
+import { UnifiedAuthProvider } from '@jmruthers/pace-core';
+function App() {
+  return (
+    <UnifiedAuthProvider>
+      {/* Your event-based app components */}
+    </UnifiedAuthProvider>
+  );
+}
+```
+### 2. Event Selection
+Make sure the event is selected in the auth context:
+```tsx
+import { useUnifiedAuth } from '@jmruthers/pace-core';
+function EventSelector() {
+  const { setSelectedEventId } = useUnifiedAuth();
+  const handleEventSelect = (eventId: string) => {
+    setSelectedEventId(eventId);
+  };
+  return (
+    <select onChange={(e) => handleEventSelect(e.target.value)}>
+      <option value="event-1">Event 1</option>
+      <option value="event-2">Event 2</option>
+    </select>
+  );
+}
+```
+## Permission Types
+### Event-App Permissions
+These permissions are specific to an event and app combination:
+```typescript
+const EVENT_APP_PERMISSIONS = {
+  // Event management
+  MANAGE_EVENT: 'update:event',
+  READ_EVENT: 'read:event',
+  UPDATE_EVENT: 'update:event',
+  // Participant management
+  MANAGE_PARTICIPANTS: 'update:participants',
+  READ_PARTICIPANTS: 'read:participants',
+  CREATE_PARTICIPANTS: 'create:participants',
+  UPDATE_PARTICIPANTS: 'update:participants',
+  DELETE_PARTICIPANTS: 'delete:participants',
+  // App-specific permissions
+  MANAGE_APP: 'update:app',
+  READ_APP: 'read:app',
+  UPDATE_APP: 'update:app',
+};
+```
+### Page Permissions
+Page permissions are specific to individual pages within an event app:
+```typescript
+const PAGE_PERMISSIONS = {
+  DASHBOARD_READ: 'read:page.dashboard',
+  DASHBOARD_WRITE: 'write:page.dashboard',
+  SETTINGS_READ: 'read:page.settings',
+  SETTINGS_WRITE: 'write:page.settings',
+  PARTICIPANTS_READ: 'read:page.participants',
+  PARTICIPANTS_WRITE: 'write:page.participants',
+};
+```
+## Best Practices
+### 1. Use Event-Based Components
+Always use the event-based components (`EventPermissionEnforcer`, `EventPagePermissionGuard`, `EventNavigationGuard`) instead of the organization-based ones for event apps.
+### 2. Provide Explicit Scopes
+When possible, provide explicit scopes to avoid context resolution overhead:
+```tsx
+<EventPermissionEnforcer
+  scope={{ eventId: 'event-123', appId: 'app-456' }}
+  permissions={['read:events']}
+>
+  <div>Content</div>
+</EventPermissionEnforcer>
+```
+### 3. Handle Loading States
+Event-based components automatically handle loading states while resolving the organization from the event:
+```tsx
+<EventPermissionEnforcer
+  permissions={['read:events']}
+  loading={<div>Loading permissions...</div>}
+>
+  <div>Content</div>
+</EventPermissionEnforcer>
+```
+### 4. Error Handling
+Handle cases where the organization cannot be resolved from the event:
+```tsx
+<EventPermissionEnforcer
+  permissions={['read:events']}
+  onDenied={(permission, reason) => {
+    console.error(`Permission denied: ${permission}, reason: ${reason}`);
+  }}
+>
+  <div>Content</div>
+</EventPermissionEnforcer>
+```
+## Migration from Organization-Based Apps
+If you're migrating from organization-based apps to event-based apps:
+1. Replace `PermissionEnforcer` with `EventPermissionEnforcer`
+2. Replace `PagePermissionGuard` with `EventPagePermissionGuard`
+3. Replace `NavigationGuard` with `EventNavigationGuard`
+4. Remove explicit organization context from your components
+5. Ensure event context is available in your app
+## Troubleshooting
+### Common Issues
+1. **"Event context is required" error**: Make sure `selectedEventId` is set in the auth context
+2. **"Could not resolve organization from event context" error**: Verify the event exists and has a valid `organisation_id`
+3. **Permission checks failing**: Ensure the user has the appropriate event-app roles assigned
+### Debug Mode
+Enable debug mode to see detailed permission resolution:
+```typescript
+import { createRBACConfig } from '@jmruthers/pace-core/rbac';
+const config = createRBACConfig({
+  debug: true,
+  logLevel: 'debug'
+});
+```

package/src/rbac/errors.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import {
   OrganisationContextRequiredError,
   InvalidScopeError,
   MissingUserContextError,
+  RBACNotInitializedError,
 } from './types';
 export enum RBACErrorCategory {
@@ -154,3 +155,13 @@ export function mapErrorCategoryToSecurityEventType(category: RBACErrorCategory)
       return 'unknown_error';
   }
 }
+// Re-export error classes for convenience
+export {
+  RBACError,
+  PermissionDeniedError,
+  OrganisationContextRequiredError,
+  InvalidScopeError,
+  MissingUserContextError,
+  RBACNotInitializedError,
+};

package/src/rbac/hooks/useRoleManagement.ts CHANGED Viewed

@@ -13,25 +13,46 @@
  * import { useRoleManagement } from '@jmruthers/pace-core/rbac';
  *
  * function UserRolesComponent() {
- *   const { revokeEventAppRole, grantEventAppRole, isLoading, error } = useRoleManagement();
+ *   const {
+ *     revokeEventAppRole,
+ *     grantEventAppRole,
+ *     grantGlobalRole,
+ *     revokeGlobalRole,
+ *     grantOrganisationRole,
+ *     revokeOrganisationRole,
+ *     isLoading,
+ *     error
+ *   } = useRoleManagement();
  *
- *   const handleRevokeRole = async (roleId: string, roleData: EventAppRoleData) => {
- *     const result = await revokeEventAppRole({
- *       userId: roleData.user_id,
- *       organisationId: roleData.organisation_id,
- *       eventId: roleData.event_id,
- *       appId: roleData.app_id,
- *       role: roleData.role
+ *   // Grant a global role
+ *   const handleGrantGlobalRole = async () => {
+ *     const result = await grantGlobalRole({
+ *       user_id: userId,
+ *       role: 'super_admin'
  *     });
+ *     if (result.success) {
+ *       toast({ title: 'Role granted successfully' });
+ *     }
+ *   };
  *
+ *   // Grant an organisation role
+ *   const handleGrantOrgRole = async () => {
+ *     const result = await grantOrganisationRole({
+ *       user_id: userId,
+ *       organisation_id: orgId,
+ *       role: 'org_admin'
+ *     });
  *     if (result.success) {
- *       toast({ title: 'Role revoked successfully' });
- *     } else {
- *       toast({ title: 'Failed to revoke role', variant: 'destructive' });
+ *       toast({ title: 'Role granted successfully' });
  *     }
  *   };
  *
- *   return <button onClick={() => handleRevokeRole(roleId, roleData)}>Revoke Role</button>;
+ *   return (
+ *     <div>
+ *       <button onClick={handleGrantGlobalRole}>Grant Super Admin</button>
+ *       <button onClick={handleGrantOrgRole}>Grant Org Admin</button>
+ *     </div>
+ *   );
  * }
  * ```
  */
@@ -48,6 +69,17 @@ export interface EventAppRoleData {
   role: 'viewer' | 'participant' | 'planner' | 'event_admin';
 }
+export interface OrganisationRoleData {
+  user_id: UUID;
+  organisation_id: UUID;
+  role: 'supporter' | 'member' | 'leader' | 'org_admin';
+}
+export interface GlobalRoleData {
+  user_id: UUID;
+  role: 'super_admin';
+}
 export interface RevokeEventAppRoleParams extends EventAppRoleData {
   revoked_by?: UUID;
 }
@@ -58,6 +90,26 @@ export interface GrantEventAppRoleParams extends EventAppRoleData {
   valid_to?: string | null;
 }
+export interface RevokeOrganisationRoleParams extends OrganisationRoleData {
+  revoked_by?: UUID;
+}
+export interface GrantOrganisationRoleParams extends OrganisationRoleData {
+  granted_by?: UUID;
+  valid_from?: string;
+  valid_to?: string | null;
+}
+export interface RevokeGlobalRoleParams extends GlobalRoleData {
+  revoked_by?: UUID;
+}
+export interface GrantGlobalRoleParams extends GlobalRoleData {
+  granted_by?: UUID;
+  valid_from?: string;
+  valid_to?: string | null;
+}
 export interface RoleManagementResult {
   success: boolean;
   message?: string;
@@ -244,10 +296,238 @@ export function useRoleManagement() {
     }
   }, [user?.id, supabase]);
+  /**
+   * Grant a global role using the unified RPC function
+   *
+   * This function uses the `rbac_role_grant` RPC which:
+   * - Runs with SECURITY DEFINER privileges
+   * - Includes proper permission checks
+   * - Automatically populates audit fields (granted_by, timestamps)
+   * - Complies with Row-Level Security policies
+   *
+   * @param params - Role grant parameters
+   * @returns Promise resolving to operation result with role ID
+   */
+  const grantGlobalRole = useCallback(async (
+    params: GrantGlobalRoleParams
+  ): Promise<RoleManagementResult> => {
+    setIsLoading(true);
+    setError(null);
+    try {
+      const { data, error: rpcError } = await supabase.rpc('rbac_role_grant', {
+        p_user_id: params.user_id,
+        p_role_type: 'global',
+        p_role_name: params.role,
+        p_context_id: null, // Global roles don't need context
+        p_granted_by: params.granted_by || user?.id || undefined
+      });
+      if (rpcError) {
+        throw new Error(rpcError.message || 'Failed to grant role');
+      }
+      // rbac_role_grant returns a table with success, message, role_id, error_code
+      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
+      if (!result || !result.success) {
+        return {
+          success: false,
+          error: result?.message || result?.error_code || 'Failed to grant role',
+          message: result?.message
+        };
+      }
+      return {
+        success: true,
+        message: result.message || 'Role granted successfully',
+        roleId: result.role_id
+      };
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : 'Unknown error occurred';
+      setError(err instanceof Error ? err : new Error(errorMessage));
+      return {
+        success: false,
+        error: errorMessage
+      };
+    } finally {
+      setIsLoading(false);
+    }
+  }, [user?.id, supabase]);
+  /**
+   * Revoke a global role using the unified RPC function
+   *
+   * This function uses the `rbac_role_revoke` RPC which:
+   * - Runs with SECURITY DEFINER privileges
+   * - Includes proper permission checks
+   * - Automatically populates audit fields (revoked_by, timestamps)
+   * - Complies with Row-Level Security policies
+   *
+   * @param params - Role revocation parameters
+   * @returns Promise resolving to operation result
+   */
+  const revokeGlobalRole = useCallback(async (
+    params: RevokeGlobalRoleParams
+  ): Promise<RoleManagementResult> => {
+    setIsLoading(true);
+    setError(null);
+    try {
+      const { data, error: rpcError } = await supabase.rpc('rbac_role_revoke', {
+        p_user_id: params.user_id,
+        p_role_type: 'global',
+        p_role_name: params.role,
+        p_context_id: null, // Global roles don't need context
+        p_revoked_by: params.revoked_by || user?.id || undefined
+      });
+      if (rpcError) {
+        throw new Error(rpcError.message || 'Failed to revoke role');
+      }
+      // rbac_role_revoke returns a table with success, message, revoked_count, error_code
+      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
+      return {
+        success: result?.success === true,
+        message: result?.message || undefined,
+        error: result?.success === false ? (result?.message || result?.error_code || 'Unknown error') : undefined
+      };
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : 'Unknown error occurred';
+      setError(err instanceof Error ? err : new Error(errorMessage));
+      return {
+        success: false,
+        error: errorMessage
+      };
+    } finally {
+      setIsLoading(false);
+    }
+  }, [user?.id, supabase]);
+  /**
+   * Grant an organisation role using the unified RPC function
+   *
+   * This function uses the `rbac_role_grant` RPC which:
+   * - Runs with SECURITY DEFINER privileges
+   * - Includes proper permission checks
+   * - Automatically populates audit fields (granted_by, timestamps)
+   * - Complies with Row-Level Security policies
+   *
+   * @param params - Role grant parameters
+   * @returns Promise resolving to operation result with role ID
+   */
+  const grantOrganisationRole = useCallback(async (
+    params: GrantOrganisationRoleParams
+  ): Promise<RoleManagementResult> => {
+    setIsLoading(true);
+    setError(null);
+    try {
+      const { data, error: rpcError } = await supabase.rpc('rbac_role_grant', {
+        p_user_id: params.user_id,
+        p_role_type: 'organisation',
+        p_role_name: params.role,
+        p_context_id: params.organisation_id, // Organisation ID as context
+        p_granted_by: params.granted_by || user?.id || undefined
+      });
+      if (rpcError) {
+        throw new Error(rpcError.message || 'Failed to grant role');
+      }
+      // rbac_role_grant returns a table with success, message, role_id, error_code
+      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
+      if (!result || !result.success) {
+        return {
+          success: false,
+          error: result?.message || result?.error_code || 'Failed to grant role',
+          message: result?.message
+        };
+      }
+      return {
+        success: true,
+        message: result.message || 'Role granted successfully',
+        roleId: result.role_id
+      };
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : 'Unknown error occurred';
+      setError(err instanceof Error ? err : new Error(errorMessage));
+      return {
+        success: false,
+        error: errorMessage
+      };
+    } finally {
+      setIsLoading(false);
+    }
+  }, [user?.id, supabase]);
+  /**
+   * Revoke an organisation role using the unified RPC function
+   *
+   * This function uses the `rbac_role_revoke` RPC which:
+   * - Runs with SECURITY DEFINER privileges
+   * - Includes proper permission checks
+   * - Automatically populates audit fields (revoked_by, timestamps)
+   * - Complies with Row-Level Security policies
+   *
+   * @param params - Role revocation parameters
+   * @returns Promise resolving to operation result
+   */
+  const revokeOrganisationRole = useCallback(async (
+    params: RevokeOrganisationRoleParams
+  ): Promise<RoleManagementResult> => {
+    setIsLoading(true);
+    setError(null);
+    try {
+      const { data, error: rpcError } = await supabase.rpc('rbac_role_revoke', {
+        p_user_id: params.user_id,
+        p_role_type: 'organisation',
+        p_role_name: params.role,
+        p_context_id: params.organisation_id, // Organisation ID as context
+        p_revoked_by: params.revoked_by || user?.id || undefined
+      });
+      if (rpcError) {
+        throw new Error(rpcError.message || 'Failed to revoke role');
+      }
+      // rbac_role_revoke returns a table with success, message, revoked_count, error_code
+      const result = Array.isArray(data) && data.length > 0 ? data[0] : null;
+      return {
+        success: result?.success === true,
+        message: result?.message || undefined,
+        error: result?.success === false ? (result?.message || result?.error_code || 'Unknown error') : undefined
+      };
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : 'Unknown error occurred';
+      setError(err instanceof Error ? err : new Error(errorMessage));
+      return {
+        success: false,
+        error: errorMessage
+      };
+    } finally {
+      setIsLoading(false);
+    }
+  }, [user?.id, supabase]);
   return {
+    // Event app roles (existing)
     revokeEventAppRole,
     grantEventAppRole,
     revokeRoleById,
+    // Global roles (new)
+    grantGlobalRole,
+    revokeGlobalRole,
+    // Organisation roles (new)
+    grantOrganisationRole,
+    revokeOrganisationRole,
+    // Shared state
     isLoading,
     error
   };

package/src/rbac/index.ts CHANGED Viewed

@@ -113,3 +113,33 @@ export {
 // Permissions
 export * from './permissions';
+// Compliance
+export {
+  isRBACInitialized,
+  validateRBACSetup,
+  getSetupIssues,
+  type SetupIssue,
+  type ComplianceResult,
+} from './compliance/setup-validator';
+export {
+  checkRuntimeCompliance,
+  validateAndWarn,
+  type RuntimeComplianceResult,
+} from './compliance/runtime-compliance';
+export {
+  validateDatabaseConfiguration,
+  type DatabaseComplianceResult,
+  type DatabaseIssue,
+} from './compliance/database-validator';
+export {
+  getQuickFixes,
+  getCustomAuthCodeFixes,
+  getDuplicateConfigFixes,
+  getUnprotectedPageFixes,
+  getDirectSupabaseAuthFixes,
+  type QuickFix,
+} from './compliance/quick-fix-suggestions';

package/src/services/OrganisationService.ts CHANGED Viewed

@@ -519,6 +519,7 @@ export class OrganisationService extends BaseService implements IOrganisationSer
       // Auto-select organisation: try persisted, then primary, then first
       let initialOrg: Organisation | null = null;
+      let selectionMethod: 'persisted' | 'admin' | 'first' = 'first';
       // 1. Try to restore from localStorage
       try {
@@ -530,6 +531,7 @@ export class OrganisationService extends BaseService implements IOrganisationSer
             const validPersistedOrg = activeOrgs.find(org => org.id === persistedOrg.id);
             if (validPersistedOrg) {
               initialOrg = validPersistedOrg;
+              selectionMethod = 'persisted';
             } else {
               logger.warn("OrganisationService", "Persisted organisation not found in active orgs, clearing cache");
               localStorage.removeItem('pace-core-selected-organisation');
@@ -552,6 +554,7 @@ export class OrganisationService extends BaseService implements IOrganisationSer
           const foundOrg = organisations.find((org) => org.id === adminMembership.organisation_id);
           if (foundOrg) {
             initialOrg = foundOrg;
+            selectionMethod = 'admin';
           }
         }
       }
@@ -559,6 +562,7 @@ export class OrganisationService extends BaseService implements IOrganisationSer
       // 3. Fall back to first organisation
       if (!initialOrg) {
         initialOrg = activeOrgs[0];
+        selectionMethod = 'first';
       }
       if (!initialOrg) {