@jmruthers/pace-core 0.5.189 → 0.5.190

package/src/hooks/__tests__/{usePublicEvent.unit.test.ts → usePublicEvent.test.ts}

@@ -69,7 +69,7 @@ describe('usePublicEvent', () => {
     Object.defineProperty(import.meta, 'env', {
       value: {
         VITE_SUPABASE_URL: 'https://test.supabase.co',
-        VITE_SUPABASE_ANON_KEY: 'test-anon-key'
+        VITE_SUPABASE_PUBLISHABLE_KEY: 'test-publishable-key'
       },
       writable: true
     });
@@ -577,5 +577,32 @@ describe('usePublicEvent', () => {
       expect(result.current.event).toBe(null);
       expect(result.current.error).toEqual(new Error('Event not found'));
     });
+
+    it('warns when Supabase environment variables are missing', async () => {
+      vi.mocked(usePublicPageContext).mockReturnValue({
+        environment: { supabaseUrl: null, supabaseKey: null }
+      } as any);
+
+      Object.defineProperty(import.meta, 'env', {
+        value: {},
+        writable: true
+      });
+
+      const warnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const { createClient } = await import('@supabase/supabase-js');
+      vi.mocked(createClient).mockClear();
+
+      const { result } = renderHook(() => usePublicEvent('test-event'));
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { interval: 10 });
+
+      expect(result.current.error).toBeInstanceOf(Error);
+      expect(result.current.error?.message).toContain('Invalid event code or Supabase client not available');
+      expect(vi.mocked(createClient)).not.toHaveBeenCalled();
+
+      warnSpy.mockRestore();
+    });
   });
 });

package/src/hooks/__tests__/useQueryCache.test.ts

@@ -0,0 +1,144 @@
+import { renderHook, act } from '@testing-library/react';
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { SupabaseClient } from '@supabase/supabase-js';
+import { useQueryCache, queryCacheHelpers } from '../useQueryCache';
+
+vi.mock('../../utils/core/logger', () => ({
+  createLogger: () => ({
+    debug: vi.fn(),
+    error: vi.fn(),
+  }),
+}));
+
+describe('useQueryCache', () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    vi.setSystemTime(0);
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.clearAllMocks();
+  });
+
+  const supabase = {} as SupabaseClient<any>;
+
+  it('caches query results and returns cached data', async () => {
+    const fetchFn = vi.fn().mockResolvedValue({ id: 1 });
+    const { result } = renderHook(() => useQueryCache(supabase));
+
+    const first = await result.current.getCachedQuery('table', 'id', '1', fetchFn, { ttl: 5 });
+    const second = await result.current.getCachedQuery('table', 'id', '1', fetchFn, { ttl: 5 });
+
+    expect(first).toEqual({ id: 1 });
+    expect(second).toEqual(first);
+    expect(fetchFn).toHaveBeenCalledTimes(1);
+
+    act(() => {
+      result.current.clearCache();
+    });
+  });
+
+  it('invalidates cache entries explicitly', async () => {
+    const fetchFn = vi.fn().mockResolvedValue({ id: 2 });
+    const { result } = renderHook(() => useQueryCache());
+
+    await result.current.getCachedQuery('table', 'id', '2', fetchFn);
+    act(() => {
+      result.current.invalidateQuery('table', 'id', '2');
+    });
+    await result.current.getCachedQuery('table', 'id', '2', fetchFn);
+
+    expect(fetchFn).toHaveBeenCalledTimes(2);
+
+    act(() => {
+      result.current.clearCache();
+    });
+  });
+
+  it('expires cache entries after ttl', async () => {
+    const fetchFn = vi.fn().mockResolvedValue('value');
+    const { result } = renderHook(() => useQueryCache());
+
+    await result.current.getCachedQuery('table', 'key', 'val', fetchFn, { ttl: 1 });
+
+    vi.setSystemTime(2000); // advance past ttl
+    await result.current.getCachedQuery('table', 'key', 'val', fetchFn, { ttl: 1 });
+
+    expect(fetchFn).toHaveBeenCalledTimes(2);
+
+    act(() => {
+      result.current.clearCache();
+    });
+  });
+
+  it('deduplicates in-flight requests', async () => {
+    let resolveFn: (value: string) => void;
+    const fetchPromise = new Promise<string>(resolve => {
+      resolveFn = resolve;
+    });
+    const fetchFn = vi.fn(() => fetchPromise);
+    const { result } = renderHook(() => useQueryCache());
+
+    const firstPromise = result.current.getCachedQuery('table', 'id', '3', fetchFn);
+    const secondPromise = result.current.getCachedQuery('table', 'id', '3', fetchFn);
+
+    expect(fetchFn).toHaveBeenCalledTimes(1);
+
+    resolveFn!('done');
+
+    await expect(firstPromise).resolves.toBe('done');
+    await expect(secondPromise).resolves.toBe('done');
+
+    act(() => {
+      result.current.clearCache();
+    });
+  });
+
+  it('bypasses cache when disabled', async () => {
+    const fetchFn = vi.fn().mockResolvedValue('fresh');
+    const { result } = renderHook(() => useQueryCache());
+
+    await result.current.getCachedQuery('table', 'id', '4', fetchFn, { enabled: false });
+    await result.current.getCachedQuery('table', 'id', '4', fetchFn, { enabled: false });
+
+    expect(fetchFn).toHaveBeenCalledTimes(2);
+  });
+});
+
+describe('queryCacheHelpers', () => {
+  beforeEach(() => {
+    vi.useFakeTimers();
+    vi.setSystemTime(0);
+  });
+
+  afterEach(() => {
+    vi.useRealTimers();
+    vi.clearAllMocks();
+  });
+
+  it('caches helper queries and reuses promises for in-flight requests', async () => {
+    let resolveFn: (value: string) => void;
+    const promise = new Promise<string>(resolve => {
+      resolveFn = resolve;
+    });
+    const fetchFn = vi.fn(() => promise);
+    const supabase = {} as SupabaseClient<any>;
+
+    const firstPromise = queryCacheHelpers.pacePersonByUserId(supabase, 'user', fetchFn);
+    const secondPromise = queryCacheHelpers.pacePersonByUserId(supabase, 'user', fetchFn);
+
+    expect(fetchFn).toHaveBeenCalledTimes(1);
+
+    resolveFn!('person');
+
+    await expect(firstPromise).resolves.toBe('person');
+    await expect(secondPromise).resolves.toBe('person');
+
+    // Subsequent call should return cached data immediately
+    const cached = await queryCacheHelpers.pacePersonByUserId(supabase, 'user', fetchFn);
+    expect(cached).toBe('person');
+    expect(fetchFn).toHaveBeenCalledTimes(1);
+  });
+});
+

package/src/hooks/__tests__/useSecureDataAccess.unit.test.tsx

@@ -4,6 +4,8 @@ import { useSecureDataAccess } from '../useSecureDataAccess';
 import { useUnifiedAuth } from '../../providers';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { testDataGenerators } from '../../__tests__/helpers/test-utils';
+import { useResolvedScope } from '../../rbac/hooks/useResolvedScope';
+import { useSuperAdminBypass } from '../../rbac/hooks/useSuperAdminBypass';
 
 // Mock dependencies
 vi.mock('../../providers', () => ({
@@ -22,10 +24,20 @@ vi.mock('../../utils/context/organisationContext', () => ({
   setOrganisationContext: vi.fn().mockResolvedValue(undefined),
 }));
 
+vi.mock('../../rbac/hooks/useResolvedScope', () => ({
+  useResolvedScope: vi.fn(),
+}));
+
+vi.mock('../../rbac/hooks/useSuperAdminBypass', () => ({
+  useSuperAdminBypass: vi.fn(),
+}));
+
 const mockUseUnifiedAuth = {
   user: null,
   session: null,
-  supabase: null
+  supabase: null,
+  selectedOrganisation: null,
+  selectedEvent: null,
 };
 
 const mockUseOrganisations = vi.fn(() => ({
@@ -54,7 +66,8 @@ const createAuthenticatedContext = (supabase = { auth: {} }, org = { id: 'org-12
     ...mockUseUnifiedAuth,
     user: mockUser,
     session: mockSession,
-    supabase
+    supabase,
+    selectedOrganisation: org,
   } as any);
   
   // Create a fresh mock with ensureOrganisationContext that returns the org
@@ -76,6 +89,17 @@ const createAuthenticatedContext = (supabase = { auth: {} }, org = { id: 'org-12
   };
   
   vi.mocked(useOrganisations).mockReturnValue(mockOrgs as any);
+  
+  // Mock resolved scope with organisationId
+  vi.mocked(useResolvedScope).mockReturnValue({
+    resolvedScope: {
+      organisationId: org.id,
+      eventId: undefined,
+      appId: undefined,
+    },
+    isLoading: false,
+    error: null,
+  });
 };
 
 describe('useSecureDataAccess', () => {
@@ -84,6 +108,16 @@ describe('useSecureDataAccess', () => {
     vi.mocked(useUnifiedAuth).mockReturnValue(mockUseUnifiedAuth as any);
     // Set up useOrganisations to return the default mock (which throws for org context)
     vi.mocked(useOrganisations).mockReturnValue(mockUseOrganisations() as any);
+    // Default mock for useResolvedScope - returns null scope (no context)
+    vi.mocked(useResolvedScope).mockReturnValue({
+      resolvedScope: null,
+      isLoading: false,
+      error: null,
+    });
+    // Default mock for useSuperAdminBypass - not super admin
+    vi.mocked(useSuperAdminBypass).mockReturnValue({
+      isSuperAdmin: false,
+    });
   });
 
   describe('validateContext', () => {
@@ -129,21 +163,23 @@ describe('useSecureDataAccess', () => {
         user: mockUser,
         session: mockSession,
         supabase: mockSupabase,
+        selectedOrganisation: { id: 'org-123' },
       } as any);
       
-      const mockOrg = { id: 'org-123' };
-      const ensureOrgContextMock = vi.fn(() => mockOrg);
-      
-      const mockOrgs = {
-        ...mockUseOrganisations(),
-        ensureOrganisationContext: ensureOrgContextMock,
-      };
-      vi.mocked(useOrganisations).mockReturnValue(mockOrgs as any);
+      // Mock useResolvedScope to return resolved scope with organisationId
+      vi.mocked(useResolvedScope).mockReturnValue({
+        resolvedScope: {
+          organisationId: 'org-123',
+          eventId: undefined,
+          appId: undefined,
+        },
+        isLoading: false,
+        error: null,
+      });
 
       const { result } = renderHook(() => useSecureDataAccess());
 
       expect(() => result.current.validateContext()).not.toThrow();
-      expect(ensureOrgContextMock).toHaveBeenCalled();
     });
   });
 
@@ -158,13 +194,19 @@ describe('useSecureDataAccess', () => {
         user: mockUser,
         session: mockSession,
         supabase: mockSupabase,
+        selectedOrganisation: { id: 'org-123' },
       } as any);
       
-      const mockOrgs = {
-        ...mockUseOrganisations(),
-        ensureOrganisationContext: vi.fn().mockReturnValue({ id: 'org-123' }),
-      };
-      vi.mocked(useOrganisations).mockReturnValue(mockOrgs as any);
+      // Mock resolved scope with organisationId
+      vi.mocked(useResolvedScope).mockReturnValue({
+        resolvedScope: {
+          organisationId: 'org-123',
+          eventId: undefined,
+          appId: undefined,
+        },
+        isLoading: false,
+        error: null,
+      });
 
       const { result } = renderHook(() => useSecureDataAccess());
 

package/src/hooks/index.ts

@@ -50,7 +50,7 @@ export { useComponentPerformance } from './useComponentPerformance';
 export { useAppConfig } from './useAppConfig';
 export type { UseAppConfigReturn } from './useAppConfig';
 export { usePerformanceMonitor } from './usePerformanceMonitor';
-export { useQueryCache, queryCacheHelpers } from './useQueryCache';
+export { useQueryCache, queryCacheHelpers, cleanupQueryCache } from './useQueryCache';
 export type { UseQueryCacheReturn, UseQueryCacheOptions } from './useQueryCache';
 
 // DataTable performance hook

package/src/hooks/public/usePublicEvent.ts

@@ -120,7 +120,7 @@ export function usePublicEvent(
     // Fallback to direct environment variable access if not in PublicPageProvider
     environment = {
       supabaseUrl: (import.meta as any).env?.VITE_SUPABASE_URL || (import.meta as any).env?.NEXT_PUBLIC_SUPABASE_URL || null,
-      supabaseKey: (import.meta as any).env?.VITE_SUPABASE_ANON_KEY || (import.meta as any).env?.NEXT_PUBLIC_SUPABASE_ANON_KEY || null
+      supabaseKey: (import.meta as any).env?.VITE_SUPABASE_PUBLISHABLE_KEY || (import.meta as any).env?.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY || null
     };
   }
   
@@ -129,7 +129,7 @@ export function usePublicEvent(
     if (typeof window === 'undefined') return null;
     
     if (!environment.supabaseUrl || !environment.supabaseKey) {
-      logger.warn('usePublicEvent', 'Missing Supabase environment variables. Please ensure VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY are set in your environment. Use publishable key if anon key is disabled.');
+      logger.warn('usePublicEvent', 'Missing Supabase environment variables. Please ensure VITE_SUPABASE_URL and VITE_SUPABASE_PUBLISHABLE_KEY are set in your environment.');
       return null;
     }
 

package/src/hooks/public/usePublicFileDisplay.ts

@@ -109,7 +109,7 @@ export function usePublicFileDisplay(
   const [error, setError] = useState<Error | null>(null);
 
   const fetchFiles = useCallback(async (): Promise<void> => {
-    if (!table_name || !record_id || !organisation_id || !supabase) {
+    if (!table_name || !record_id || !supabase) {
       setFileUrl(null);
       setFileReference(null);
       setFileReferences([]);
@@ -119,14 +119,17 @@ export function usePublicFileDisplay(
       return;
     }
 
-    // Validate UUID format for organisationId to prevent database errors
-    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-    if (!uuidRegex.test(organisation_id)) {
-      logger.warn('usePublicFileDisplay', 'Invalid organisationId format (not a valid UUID)', { organisation_id });
+    // Validate UUID format for organisationId to prevent database errors (only if provided)
+    if (organisation_id) {
+      const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+      if (!uuidRegex.test(organisation_id)) {
+        logger.warn('usePublicFileDisplay', 'Invalid organisationId format (not a valid UUID)', { organisation_id });
+      }
     }
 
     // Check cache first
-    const cacheKey = `public_file_${table_name}_${record_id}_${organisation_id}_${category || 'all'}`;
+    // When organisation_id is undefined, use 'undefined' in cache key to distinguish from explicit null
+    const cacheKey = `public_file_${table_name}_${record_id}_${organisation_id === undefined ? 'undefined' : (organisation_id ?? 'null')}_${category || 'all'}`;
     if (enableCache) {
       const cached = publicFileCache.get(cacheKey);
       if (cached && Date.now() - cached.timestamp < cached.ttl) {
@@ -148,103 +151,186 @@ export function usePublicFileDisplay(
 
       let files: any[] = [];
 
-      // CRITICAL: When category is provided, MUST use RPC function, not direct queries
-      // Category is stored in file_metadata JSONB field, not a direct column
-      if (category) {
-        // Single file mode - use RPC to get files by category
-        const rpcParams = {
-          p_table_name: table_name,
-          p_record_id: record_id,
-          p_category: category,
-          p_organisation_id: organisation_id
-        };
-        
-        const { data, error: rpcError } = await (supabase as any)
-          .rpc('data_file_reference_by_category_list', rpcParams);
-
-        if (rpcError) {
-          logger.error('usePublicFileDisplay', 'RPC function error', {
-            function: 'data_file_reference_by_category_list',
-            table_name,
-            record_id,
-            category,
-            organisation_id,
-            error: rpcError.message,
-            errorCode: rpcError.code,
-            errorDetails: rpcError.details,
-            errorHint: rpcError.hint
-          });
-          throw new Error(rpcError.message || 'Failed to fetch file reference');
-        }
+      // When organisation_id is undefined, search both user-scoped (null) and organisation-scoped files
+      // This allows FileDisplay to work without requiring the organisation_id prop
+      if (organisation_id === undefined) {
+        logger.debug('usePublicFileDisplay', 'organisation_id is undefined, searching both user-scoped and organisation-scoped files:', {
+          table_name,
+          record_id,
+          category
+        });
 
-        // RPC returns partial data with: id, file_path, file_metadata, is_public, created_at
-        // We have table_name, record_id, organisation_id from function parameters
-        // We can construct FileReference objects directly without another query (avoiding RLS issues)
-        if (!data || data.length === 0) {
-          files = [];
-        } else {
-          // Construct file reference objects from RPC response
-          // This avoids RLS issues - the RPC already validated permissions and filtered public files
-          files = data
-            .filter((item: any) => {
-              // RPC should only return public files for public context, but verify
-              return item.is_public === true && item.id && item.file_path && item.file_metadata;
-            })
-            .map((item: any) => {
-              // Construct complete file reference from RPC response + function parameters
-              return {
+        // First, try user-scoped files (organisation_id = null)
+        let userScopedFiles: any[] = [];
+        let orgScopedFiles: any[] = [];
+
+        // Query user-scoped files
+        if (category) {
+          const { data: userData, error: userRpcError } = await (supabase as any)
+            .rpc('data_file_reference_by_category_list', {
+              p_table_name: table_name,
+              p_record_id: record_id,
+              p_category: category,
+              p_organisation_id: null
+            });
+
+          if (!userRpcError && userData) {
+            userScopedFiles = userData
+              .filter((item: any) => item.is_public === true && item.id && item.file_path && item.file_metadata)
+              .map((item: any) => ({
                 id: item.id,
                 table_name: table_name,
                 record_id: record_id,
                 file_path: item.file_path,
                 file_metadata: item.file_metadata || {},
-                organisation_id: organisation_id,
+                organisation_id: null,
                 app_id: item.file_metadata?.app_id || null,
-                is_public: true, // RPC already filtered for public files
+                is_public: true,
                 created_at: item.created_at || new Date().toISOString(),
                 updated_at: item.created_at || new Date().toISOString()
-              };
+              }));
+          }
+        } else {
+          const { data: userData, error: userRpcError } = await (supabase as any)
+            .rpc('data_file_reference_list', {
+              p_table_name: table_name,
+              p_record_id: record_id,
+              p_organisation_id: null
             });
+
+          if (!userRpcError && userData) {
+            const ids = userData.map((item: any) => item.id);
+            if (ids.length > 0) {
+              const { data: fullData } = await supabase
+                .from('file_references')
+                .select('id, table_name, record_id, file_path, file_metadata, organisation_id, app_id, is_public, created_at, updated_at')
+                .in('id', ids)
+                .eq('is_public', true);
+              userScopedFiles = fullData || [];
+            }
+          }
         }
+
+        // For public pages, we can't query user's organisations (user is anonymous)
+        // But we can try to find organisation-scoped files by querying the record's context
+        // For now, we'll just use user-scoped files. If needed, the page context can provide organisation_id
+        // Note: This is a limitation of public pages - they should provide organisation_id if needed
+
+        // Merge results
+        const allFiles = [...userScopedFiles, ...orgScopedFiles];
+        allFiles.sort((a, b) => {
+          const aTime = new Date(a.created_at).getTime();
+          const bTime = new Date(b.created_at).getTime();
+          return bTime - aTime;
+        });
+
+        files = allFiles;
+
+        logger.debug('usePublicFileDisplay', 'Found files with undefined organisation_id:', {
+          userScopedCount: userScopedFiles.length,
+          orgScopedCount: orgScopedFiles.length,
+          totalCount: files.length
+        });
       } else {
-        // Multiple files mode - use RPC to get all files
-        const { data: fileIds, error: rpcError } = await (supabase as any)
-          .rpc('data_file_reference_list', {
+        // organisation_id is provided (or explicitly null) - use normal query
+        // CRITICAL: When category is provided, MUST use RPC function, not direct queries
+        // Category is stored in file_metadata JSONB field, not a direct column
+        if (category) {
+          // Single file mode - use RPC to get files by category
+          const rpcParams = {
             p_table_name: table_name,
             p_record_id: record_id,
-            p_organisation_id: organisation_id
-          });
+            p_category: category,
+            p_organisation_id: organisation_id ?? null
+          };
+          
+          const { data, error: rpcError } = await (supabase as any)
+            .rpc('data_file_reference_by_category_list', rpcParams);
 
-        if (rpcError) {
-          logger.error('usePublicFileDisplay', 'RPC function error', {
-            function: 'data_file_reference_list',
-            table_name,
-            record_id,
-            organisation_id,
-            error: rpcError.message,
-            errorCode: rpcError.code,
-            errorDetails: rpcError.details,
-            errorHint: rpcError.hint
-          });
-          throw new Error(rpcError.message || 'Failed to fetch file references');
-        }
+          if (rpcError) {
+            logger.error('usePublicFileDisplay', 'RPC function error', {
+              function: 'data_file_reference_by_category_list',
+              table_name,
+              record_id,
+              category,
+              organisation_id,
+              error: rpcError.message,
+              errorCode: rpcError.code,
+              errorDetails: rpcError.details,
+              errorHint: rpcError.hint
+            });
+            throw new Error(rpcError.message || 'Failed to fetch file reference');
+          }
 
-        if (!fileIds || fileIds.length === 0) {
-          files = [];
+          // RPC returns partial data with: id, file_path, file_metadata, is_public, created_at
+          // We have table_name, record_id, organisation_id from function parameters
+          // We can construct FileReference objects directly without another query (avoiding RLS issues)
+          if (!data || data.length === 0) {
+            files = [];
+          } else {
+            // Construct file reference objects from RPC response
+            // This avoids RLS issues - the RPC already validated permissions and filtered public files
+            files = data
+              .filter((item: any) => {
+                // RPC should only return public files for public context, but verify
+                return item.is_public === true && item.id && item.file_path && item.file_metadata;
+              })
+              .map((item: any) => {
+                // Construct complete file reference from RPC response + function parameters
+                return {
+                  id: item.id,
+                  table_name: table_name,
+                  record_id: record_id,
+                  file_path: item.file_path,
+                  file_metadata: item.file_metadata || {},
+                  organisation_id: organisation_id ?? null,
+                  app_id: item.file_metadata?.app_id || null,
+                  is_public: true, // RPC already filtered for public files
+                  created_at: item.created_at || new Date().toISOString(),
+                  updated_at: item.created_at || new Date().toISOString()
+                };
+              });
+          }
         } else {
-          // Fetch full file reference data for each ID, but only public files
-          const ids = fileIds.map((item: any) => item.id);
-          const { data: fullData, error: fetchError } = await supabase
-            .from('file_references')
-            .select('id, table_name, record_id, file_path, file_metadata, organisation_id, app_id, is_public, created_at, updated_at')
-            .in('id', ids)
-            .eq('is_public', true); // Only public files in public context
-
-          if (fetchError) {
-            throw new Error(fetchError.message || 'Failed to fetch file references');
+          // Multiple files mode - use RPC to get all files
+          const { data: fileIds, error: rpcError } = await (supabase as any)
+            .rpc('data_file_reference_list', {
+              p_table_name: table_name,
+              p_record_id: record_id,
+              p_organisation_id: organisation_id ?? null
+            });
+
+          if (rpcError) {
+            logger.error('usePublicFileDisplay', 'RPC function error', {
+              function: 'data_file_reference_list',
+              table_name,
+              record_id,
+              organisation_id,
+              error: rpcError.message,
+              errorCode: rpcError.code,
+              errorDetails: rpcError.details,
+              errorHint: rpcError.hint
+            });
+            throw new Error(rpcError.message || 'Failed to fetch file references');
           }
 
-          files = fullData || [];
+          if (!fileIds || fileIds.length === 0) {
+            files = [];
+          } else {
+            // Fetch full file reference data for each ID, but only public files
+            const ids = fileIds.map((item: any) => item.id);
+            const { data: fullData, error: fetchError } = await supabase
+              .from('file_references')
+              .select('id, table_name, record_id, file_path, file_metadata, organisation_id, app_id, is_public, created_at, updated_at')
+              .in('id', ids)
+              .eq('is_public', true); // Only public files in public context
+
+            if (fetchError) {
+              throw new Error(fetchError.message || 'Failed to fetch file references');
+            }
+
+            files = fullData || [];
+          }
         }
       }
 
@@ -353,7 +439,7 @@ export function usePublicFileDisplay(
 
   // Fetch files when parameters change
   useEffect(() => {
-    if (table_name && record_id && organisation_id) {
+    if (table_name && record_id) {
       fetchFiles();
     } else {
       setFileUrl(null);
@@ -367,11 +453,11 @@ export function usePublicFileDisplay(
   }, [fetchFiles, table_name, record_id, organisation_id]);
 
   const refetch = useCallback(async (): Promise<void> => {
-    if (!table_name || !record_id || !organisation_id) return;
+    if (!table_name || !record_id) return;
     
     // Clear cache for this file
     if (enableCache) {
-      const cacheKey = `public_file_${table_name}_${record_id}_${organisation_id}_${category || 'all'}`;
+      const cacheKey = `public_file_${table_name}_${record_id}_${organisation_id === undefined ? 'undefined' : (organisation_id ?? 'null')}_${category || 'all'}`;
       publicFileCache.delete(cacheKey);
     }
     await fetchFiles();