npm - @jmruthers/pace-core - Versions diffs - 0.5.189 → 0.5.191 - Mend

@jmruthers/pace-core 0.5.189 → 0.5.191

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (438) hide show

package/core-usage-manifest.json +0 -4
package/dist/{AuthService-B-cd2MA4.d.ts → AuthService-CbP_utw2.d.ts} +7 -3
package/dist/{DataTable-IVYljGJ6.d.ts → DataTable-Be6dH_dR.d.ts} +1 -1
package/dist/{DataTable-GUFUNZ3N.js → DataTable-WKRZD47S.js} +8 -8
package/dist/{PublicPageProvider-B8HaLe69.d.ts → PublicPageProvider-ULXC_u6U.d.ts} +84 -25
package/dist/{UnifiedAuthProvider-BG0AL5eE.d.ts → UnifiedAuthProvider-BYA9qB-o.d.ts} +4 -3
package/dist/{UnifiedAuthProvider-643PUAIM.js → UnifiedAuthProvider-FTSG5XH7.js} +4 -2
package/dist/{api-YP7XD5L6.js → api-IHKALJZD.js} +4 -2
package/dist/{chunk-VGZZXKBR.js → chunk-6LTQQAT6.js} +351 -157
package/dist/chunk-6LTQQAT6.js.map +1 -0
package/dist/{chunk-MX64ZF6I.js → chunk-6TQDD426.js} +15 -15
package/dist/chunk-6TQDD426.js.map +1 -0
package/dist/{chunk-YHCN776L.js → chunk-G37KK66H.js} +2 -75
package/dist/chunk-G37KK66H.js.map +1 -0
package/dist/{chunk-THRPYOFK.js → chunk-HW3OVDUF.js} +5 -5
package/dist/chunk-HW3OVDUF.js.map +1 -0
package/dist/{chunk-F2IMUDXZ.js → chunk-I7PSE6JW.js} +75 -2
package/dist/chunk-I7PSE6JW.js.map +1 -0
package/dist/{chunk-IM4QE42D.js → chunk-LOMZXPSN.js} +141 -326
package/dist/chunk-LOMZXPSN.js.map +1 -0
package/dist/chunk-OETXORNB.js +614 -0
package/dist/chunk-OETXORNB.js.map +1 -0
package/dist/{chunk-HESYZWZW.js → chunk-QWWZ5CAQ.js} +2 -2
package/dist/{chunk-HEHYGYOX.js → chunk-ROXMHMY2.js} +403 -46
package/dist/chunk-ROXMHMY2.js.map +1 -0
package/dist/{chunk-2UUZZJFT.js → chunk-ULHIJK66.js} +228 -177
package/dist/{chunk-2UUZZJFT.js.map → chunk-ULHIJK66.js.map} +1 -1
package/dist/{chunk-YGPFYGA6.js → chunk-VKB2CO4Z.js} +838 -503
package/dist/chunk-VKB2CO4Z.js.map +1 -0
package/dist/{chunk-3GOZZZYH.js → chunk-VRGWKHDB.js} +238 -301
package/dist/chunk-VRGWKHDB.js.map +1 -0
package/dist/{chunk-UCQSRW7Z.js → chunk-XNYQOL3Z.js} +431 -384
package/dist/chunk-XNYQOL3Z.js.map +1 -0
package/dist/{chunk-DDM4CCYT.js → chunk-XYXSXPUK.js} +79 -59
package/dist/chunk-XYXSXPUK.js.map +1 -0
package/dist/{chunk-SAUPYVLF.js → chunk-ZSAAAMVR.js} +1 -1
package/dist/chunk-ZSAAAMVR.js.map +1 -0
package/dist/components.d.ts +5 -6
package/dist/components.js +19 -19
package/dist/components.js.map +1 -1
package/dist/{database.generated-DI89OQeI.d.ts → database.generated-CzIvgcPu.d.ts} +165 -201
package/dist/eslint-rules/pace-core-compliance.cjs +0 -2
package/dist/{file-reference-D037xOFK.d.ts → file-reference-BavO2eQj.d.ts} +13 -10
package/dist/hooks.d.ts +20 -15
package/dist/hooks.js +14 -8
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +17 -15
package/dist/index.js +86 -81
package/dist/index.js.map +1 -1
package/dist/providers.d.ts +3 -3
package/dist/providers.js +3 -1
package/dist/rbac/index.d.ts +77 -13
package/dist/rbac/index.js +12 -9
package/dist/{types-Bwgl--Xo.d.ts → types-CEpcvwwF.d.ts} +1 -1
package/dist/types.d.ts +3 -3
package/dist/types.js +1 -1
package/dist/{usePublicRouteParams-CTDELQ7H.d.ts → usePublicRouteParams-TZe0gy-4.d.ts} +17 -10
package/dist/utils.d.ts +8 -8
package/dist/utils.js +16 -16
package/docs/README.md +2 -2
package/docs/api/classes/ColumnFactory.md +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +2 -2
package/docs/api/classes/Logger.md +1 -1
package/docs/api/classes/MissingUserContextError.md +2 -2
package/docs/api/classes/OrganisationContextRequiredError.md +1 -1
package/docs/api/classes/PermissionDeniedError.md +1 -1
package/docs/api/classes/RBACAuditManager.md +2 -2
package/docs/api/classes/RBACCache.md +1 -1
package/docs/api/classes/RBACEngine.md +5 -5
package/docs/api/classes/RBACError.md +1 -1
package/docs/api/classes/RBACNotInitializedError.md +2 -2
package/docs/api/classes/SecureSupabaseClient.md +25 -20
package/docs/api/classes/StorageUtils.md +7 -4
package/docs/api/enums/FileCategory.md +1 -1
package/docs/api/enums/LogLevel.md +1 -1
package/docs/api/enums/RBACErrorCode.md +1 -1
package/docs/api/enums/RPCFunction.md +1 -1
package/docs/api/interfaces/AddressFieldProps.md +1 -1
package/docs/api/interfaces/AddressFieldRef.md +1 -1
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/AutocompleteOptions.md +1 -1
package/docs/api/interfaces/AvatarProps.md +1 -1
package/docs/api/interfaces/BadgeProps.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CalendarProps.md +20 -6
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/ComplianceResult.md +1 -1
package/docs/api/interfaces/DataAccessRecord.md +9 -9
package/docs/api/interfaces/DataRecord.md +1 -1
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/DatabaseComplianceResult.md +1 -1
package/docs/api/interfaces/DatabaseIssue.md +1 -1
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
package/docs/api/interfaces/EventAppRoleData.md +1 -1
package/docs/api/interfaces/ExportColumn.md +1 -1
package/docs/api/interfaces/ExportOptions.md +1 -1
package/docs/api/interfaces/FileDisplayProps.md +62 -16
package/docs/api/interfaces/FileMetadata.md +1 -1
package/docs/api/interfaces/FileReference.md +2 -2
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadOptions.md +26 -12
package/docs/api/interfaces/FileUploadProps.md +30 -19
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/FormFieldProps.md +1 -1
package/docs/api/interfaces/FormProps.md +1 -1
package/docs/api/interfaces/GrantEventAppRoleParams.md +1 -1
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoggerConfig.md +1 -1
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +10 -10
package/docs/api/interfaces/NavigationContextType.md +9 -9
package/docs/api/interfaces/NavigationGuardProps.md +1 -1
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +7 -7
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +1 -1
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +1 -1
package/docs/api/interfaces/PaceLoginPageProps.md +1 -1
package/docs/api/interfaces/PageAccessRecord.md +8 -8
package/docs/api/interfaces/PagePermissionContextType.md +8 -8
package/docs/api/interfaces/PagePermissionGuardProps.md +1 -1
package/docs/api/interfaces/PagePermissionProviderProps.md +7 -7
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/ParsedAddress.md +2 -2
package/docs/api/interfaces/PermissionEnforcerProps.md +1 -1
package/docs/api/interfaces/ProgressProps.md +3 -11
package/docs/api/interfaces/ProtectedRouteProps.md +1 -1
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/QuickFix.md +1 -1
package/docs/api/interfaces/RBACAccessValidateParams.md +1 -1
package/docs/api/interfaces/RBACAccessValidateResult.md +1 -1
package/docs/api/interfaces/RBACAuditLogParams.md +1 -1
package/docs/api/interfaces/RBACAuditLogResult.md +1 -1
package/docs/api/interfaces/RBACConfig.md +2 -2
package/docs/api/interfaces/RBACContext.md +1 -1
package/docs/api/interfaces/RBACLogger.md +1 -1
package/docs/api/interfaces/RBACPageAccessCheckParams.md +1 -1
package/docs/api/interfaces/RBACPerformanceMetrics.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckParams.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckResult.md +1 -1
package/docs/api/interfaces/RBACPermissionsGetParams.md +1 -1
package/docs/api/interfaces/RBACPermissionsGetResult.md +1 -1
package/docs/api/interfaces/RBACResult.md +1 -1
package/docs/api/interfaces/RBACRoleGrantParams.md +1 -1
package/docs/api/interfaces/RBACRoleGrantResult.md +1 -1
package/docs/api/interfaces/RBACRoleRevokeParams.md +1 -1
package/docs/api/interfaces/RBACRoleRevokeResult.md +1 -1
package/docs/api/interfaces/RBACRoleValidateParams.md +1 -1
package/docs/api/interfaces/RBACRoleValidateResult.md +1 -1
package/docs/api/interfaces/RBACRolesListParams.md +1 -1
package/docs/api/interfaces/RBACRolesListResult.md +1 -1
package/docs/api/interfaces/RBACSessionTrackParams.md +1 -1
package/docs/api/interfaces/RBACSessionTrackResult.md +1 -1
package/docs/api/interfaces/ResourcePermissions.md +1 -1
package/docs/api/interfaces/RevokeEventAppRoleParams.md +1 -1
package/docs/api/interfaces/RoleBasedRouterContextType.md +8 -8
package/docs/api/interfaces/RoleBasedRouterProps.md +10 -10
package/docs/api/interfaces/RoleManagementResult.md +1 -1
package/docs/api/interfaces/RouteAccessRecord.md +10 -10
package/docs/api/interfaces/RouteConfig.md +10 -10
package/docs/api/interfaces/RuntimeComplianceResult.md +1 -1
package/docs/api/interfaces/SecureDataContextType.md +9 -9
package/docs/api/interfaces/SecureDataProviderProps.md +8 -8
package/docs/api/interfaces/SessionRestorationLoaderProps.md +1 -1
package/docs/api/interfaces/SetupIssue.md +1 -1
package/docs/api/interfaces/StorageConfig.md +4 -4
package/docs/api/interfaces/StorageFileInfo.md +7 -7
package/docs/api/interfaces/StorageFileMetadata.md +25 -14
package/docs/api/interfaces/StorageListOptions.md +22 -9
package/docs/api/interfaces/StorageListResult.md +4 -4
package/docs/api/interfaces/StorageUploadOptions.md +21 -8
package/docs/api/interfaces/StorageUploadResult.md +6 -6
package/docs/api/interfaces/StorageUrlOptions.md +19 -6
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/SwitchProps.md +1 -1
package/docs/api/interfaces/TabsContentProps.md +1 -1
package/docs/api/interfaces/TabsListProps.md +1 -1
package/docs/api/interfaces/TabsProps.md +1 -1
package/docs/api/interfaces/TabsTriggerProps.md +1 -1
package/docs/api/interfaces/TextareaProps.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +53 -53
package/docs/api/interfaces/UnifiedAuthProviderProps.md +13 -13
package/docs/api/interfaces/UseFormDialogOptions.md +1 -1
package/docs/api/interfaces/UseFormDialogReturn.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventLogoOptions.md +2 -2
package/docs/api/interfaces/UsePublicEventLogoReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +2 -2
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UseResolvedScopeOptions.md +5 -5
package/docs/api/interfaces/UseResolvedScopeReturn.md +4 -4
package/docs/api/interfaces/UseResourcePermissionsOptions.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +11 -11
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +165 -106
package/docs/api-reference/components.md +15 -7
package/docs/api-reference/providers.md +2 -2
package/docs/api-reference/rpc-functions.md +1 -0
package/docs/best-practices/README.md +1 -1
package/docs/best-practices/deployment.md +8 -8
package/docs/getting-started/examples/README.md +2 -2
package/docs/getting-started/installation-guide.md +4 -4
package/docs/getting-started/quick-start.md +3 -3
package/docs/migration/MIGRATION_GUIDE.md +3 -3
package/docs/migration/README.md +18 -0
package/docs/migration/database-changes-december-2025.md +767 -0
package/docs/migration/person-scoped-profiles-migration-guide.md +472 -0
package/docs/rbac/compliance/compliance-guide.md +2 -2
package/docs/rbac/event-based-apps.md +2 -2
package/docs/rbac/getting-started.md +2 -2
package/docs/rbac/quick-start.md +2 -2
package/docs/security/README.md +4 -4
package/docs/standards/07-rbac-and-rls-standard.md +430 -7
package/docs/troubleshooting/README.md +2 -2
package/docs/troubleshooting/migration.md +3 -3
package/package.json +1 -3
package/scripts/check-pace-core-compliance.cjs +1 -1
package/scripts/check-pace-core-compliance.js +1 -1
package/src/__tests__/fixtures/supabase.ts +301 -0
package/src/__tests__/public-recipe-view.test.ts +19 -19
package/src/__tests__/rls-policies.test.ts +210 -74
package/src/components/AddressField/AddressField.test.tsx +42 -0
package/src/components/AddressField/AddressField.tsx +71 -60
package/src/components/AddressField/README.md +7 -6
package/src/components/Alert/Alert.test.tsx +50 -10
package/src/components/Alert/Alert.tsx +5 -3
package/src/components/Avatar/Avatar.test.tsx +95 -43
package/src/components/Avatar/Avatar.tsx +16 -16
package/src/components/Button/Button.test.tsx +2 -1
package/src/components/Button/Button.tsx +3 -3
package/src/components/Calendar/Calendar.test.tsx +53 -37
package/src/components/Calendar/Calendar.tsx +409 -82
package/src/components/Card/Card.test.tsx +7 -4
package/src/components/Card/Card.tsx +3 -6
package/src/components/Checkbox/Checkbox.tsx +2 -2
package/src/components/DataTable/components/ActionButtons.tsx +5 -5
package/src/components/DataTable/components/BulkOperationsDropdown.tsx +2 -2
package/src/components/DataTable/components/ColumnFilter.tsx +1 -1
package/src/components/DataTable/components/ColumnVisibilityDropdown.tsx +3 -3
package/src/components/DataTable/components/DataTableBody.tsx +12 -12
package/src/components/DataTable/components/DataTableCore.tsx +3 -3
package/src/components/DataTable/components/DataTableToolbar.tsx +5 -5
package/src/components/DataTable/components/DraggableColumnHeader.tsx +3 -3
package/src/components/DataTable/components/EditableRow.tsx +2 -2
package/src/components/DataTable/components/EmptyState.tsx +3 -3
package/src/components/DataTable/components/GroupHeader.tsx +2 -2
package/src/components/DataTable/components/GroupingDropdown.tsx +1 -1
package/src/components/DataTable/components/ImportModal.tsx +4 -4
package/src/components/DataTable/components/LoadingState.tsx +1 -1
package/src/components/DataTable/components/PaginationControls.tsx +11 -11
package/src/components/DataTable/components/UnifiedTableBody.tsx +9 -9
package/src/components/DataTable/components/ViewRowModal.tsx +2 -2
package/src/components/DataTable/components/__tests__/AccessDeniedPage.test.tsx +11 -37
package/src/components/DataTable/components/__tests__/DataTableToolbar.test.tsx +157 -0
package/src/components/DataTable/components/__tests__/LoadingState.test.tsx +2 -1
package/src/components/DataTable/components/__tests__/VirtualizedDataTable.test.tsx +128 -0
package/src/components/DataTable/core/__tests__/ActionManager.test.ts +19 -0
package/src/components/DataTable/core/__tests__/ColumnFactory.test.ts +51 -0
package/src/components/DataTable/core/__tests__/ColumnManager.test.ts +84 -0
package/src/components/DataTable/core/__tests__/DataManager.test.ts +14 -0
package/src/components/DataTable/core/__tests__/DataTableContext.test.tsx +136 -0
package/src/components/DataTable/core/__tests__/LocalDataAdapter.test.ts +16 -0
package/src/components/DataTable/core/__tests__/PluginRegistry.test.ts +18 -0
package/src/components/DataTable/hooks/useDataTablePermissions.ts +28 -7
package/src/components/DataTable/utils/__tests__/hierarchicalUtils.test.ts +30 -1
package/src/components/DataTable/utils/hierarchicalUtils.ts +38 -10
package/src/components/DatePickerWithTimezone/DatePickerWithTimezone.test.tsx +8 -3
package/src/components/DatePickerWithTimezone/DatePickerWithTimezone.tsx +4 -4
package/src/components/Dialog/Dialog.tsx +2 -2
package/src/components/EventSelector/EventSelector.tsx +7 -7
package/src/components/FileDisplay/FileDisplay.tsx +291 -179
package/src/components/FileUpload/FileUpload.tsx +7 -4
package/src/components/Header/Header.test.tsx +28 -0
package/src/components/Header/Header.tsx +22 -9
package/src/components/InactivityWarningModal/InactivityWarningModal.tsx +2 -2
package/src/components/LoadingSpinner/LoadingSpinner.test.tsx +19 -14
package/src/components/LoadingSpinner/LoadingSpinner.tsx +5 -5
package/src/components/NavigationMenu/NavigationMenu.test.tsx +127 -1
package/src/components/OrganisationSelector/OrganisationSelector.tsx +42 -22
package/src/components/PaceAppLayout/PaceAppLayout.integration.test.tsx +4 -0
package/src/components/PaceAppLayout/PaceAppLayout.performance.test.tsx +3 -0
package/src/components/PaceAppLayout/PaceAppLayout.security.test.tsx +3 -0
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +16 -6
package/src/components/PaceAppLayout/PaceAppLayout.tsx +37 -3
package/src/components/PaceAppLayout/test-setup.tsx +1 -0
package/src/components/PaceLoginPage/PaceLoginPage.test.tsx +66 -45
package/src/components/PaceLoginPage/PaceLoginPage.tsx +6 -4
package/src/components/Progress/Progress.test.tsx +18 -19
package/src/components/Progress/Progress.tsx +31 -32
package/src/components/PublicLayout/PublicLayout.test.tsx +6 -6
package/src/components/PublicLayout/PublicPageProvider.tsx +5 -3
package/src/components/Select/Select.test.tsx +4 -1
package/src/components/Select/Select.tsx +65 -20
package/src/components/Switch/Switch.test.tsx +2 -1
package/src/components/Switch/Switch.tsx +1 -1
package/src/components/Toast/Toast.tsx +1 -1
package/src/components/Tooltip/Tooltip.test.tsx +8 -2
package/src/components/UserMenu/UserMenu.tsx +3 -3
package/src/eslint-rules/pace-core-compliance.cjs +0 -2
package/src/eslint-rules/pace-core-compliance.js +0 -2
package/src/hooks/__tests__/hooks.integration.test.tsx +4 -1
package/src/hooks/__tests__/useAppConfig.unit.test.ts +76 -5
package/src/hooks/__tests__/useDataTableState.test.ts +76 -0
package/src/hooks/__tests__/useFileUrl.unit.test.ts +25 -69
package/src/hooks/__tests__/useFileUrlCache.test.ts +129 -0
package/src/hooks/__tests__/usePreventTabReload.test.ts +88 -0
package/src/hooks/__tests__/usePublicEvent.simple.test.ts +1 -1
package/src/hooks/__tests__/usePublicEvent.test.ts +608 -0
package/src/hooks/__tests__/useQueryCache.test.ts +144 -0
package/src/hooks/__tests__/useSecureDataAccess.unit.test.tsx +67 -24
package/src/hooks/index.ts +1 -1
package/src/hooks/public/usePublicEvent.ts +10 -10
package/src/hooks/public/usePublicFileDisplay.ts +173 -87
package/src/hooks/useAppConfig.ts +24 -5
package/src/hooks/useFileDisplay.ts +298 -36
package/src/hooks/useFileReference.ts +56 -11
package/src/hooks/useFileUrl.ts +1 -1
package/src/hooks/useInactivityTracker.ts +16 -7
package/src/hooks/usePermissionCache.test.ts +85 -8
package/src/hooks/useQueryCache.ts +27 -6
package/src/hooks/useSecureDataAccess.test.ts +87 -42
package/src/hooks/useSecureDataAccess.ts +95 -48
package/src/providers/__tests__/OrganisationProvider.test.tsx +27 -21
package/src/providers/services/EventServiceProvider.tsx +37 -17
package/src/providers/services/InactivityServiceProvider.tsx +4 -4
package/src/providers/services/OrganisationServiceProvider.tsx +8 -1
package/src/providers/services/UnifiedAuthProvider.tsx +115 -29
package/src/rbac/__tests__/auth-rbac.e2e.test.tsx +451 -0
package/src/rbac/__tests__/engine.comprehensive.test.ts +12 -0
package/src/rbac/__tests__/rbac-engine-core-logic.test.ts +8 -0
package/src/rbac/__tests__/rbac-engine-simplified.test.ts +4 -0
package/src/rbac/api.ts +240 -36
package/src/rbac/cache-invalidation.ts +21 -7
package/src/rbac/compliance/quick-fix-suggestions.ts +1 -1
package/src/rbac/components/NavigationGuard.tsx +23 -63
package/src/rbac/components/NavigationProvider.test.tsx +52 -23
package/src/rbac/components/NavigationProvider.tsx +13 -11
package/src/rbac/components/PagePermissionGuard.tsx +77 -203
package/src/rbac/components/PagePermissionProvider.tsx +13 -11
package/src/rbac/components/PermissionEnforcer.tsx +24 -62
package/src/rbac/components/RoleBasedRouter.tsx +14 -12
package/src/rbac/components/SecureDataProvider.tsx +13 -11
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +104 -41
package/src/rbac/components/__tests__/NavigationProvider.test.tsx +49 -12
package/src/rbac/components/__tests__/PagePermissionGuard.race-condition.test.tsx +22 -1
package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx +161 -82
package/src/rbac/components/__tests__/PagePermissionGuard.verification.test.tsx +22 -1
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +77 -30
package/src/rbac/components/__tests__/RoleBasedRouter.test.tsx +39 -5
package/src/rbac/components/__tests__/SecureDataProvider.test.tsx +47 -4
package/src/rbac/engine.ts +4 -2
package/src/rbac/hooks/__tests__/useSecureSupabase.test.ts +144 -52
package/src/rbac/hooks/index.ts +3 -0
package/src/rbac/hooks/useCan.test.ts +101 -53
package/src/rbac/hooks/usePermissions.ts +108 -41
package/src/rbac/hooks/useRBAC.test.ts +11 -3
package/src/rbac/hooks/useRBAC.ts +83 -40
package/src/rbac/hooks/useResolvedScope.test.ts +189 -63
package/src/rbac/hooks/useResolvedScope.ts +128 -70
package/src/rbac/hooks/useSecureSupabase.ts +36 -19
package/src/rbac/hooks/useSuperAdminBypass.ts +126 -0
package/src/rbac/request-deduplication.ts +1 -1
package/src/rbac/secureClient.ts +72 -12
package/src/rbac/security.ts +29 -23
package/src/rbac/types.ts +10 -0
package/src/rbac/utils/__tests__/contextValidator.test.ts +150 -0
package/src/rbac/utils/__tests__/deep-equal.test.ts +53 -0
package/src/rbac/utils/__tests__/eventContext.test.ts +8 -3
package/src/rbac/utils/__tests__/eventContext.unit.test.ts +74 -12
package/src/rbac/utils/contextValidator.ts +288 -0
package/src/rbac/utils/eventContext.ts +52 -3
package/src/services/AuthService.ts +37 -8
package/src/services/EventService.ts +165 -21
package/src/services/OrganisationService.ts +125 -137
package/src/services/__tests__/EventService.test.ts +26 -21
package/src/services/__tests__/OrganisationService.pagination.test.ts +34 -8
package/src/services/__tests__/OrganisationService.test.ts +218 -86
package/src/types/database.generated.ts +166 -201
package/src/types/file-reference.ts +13 -10
package/src/types/supabase.ts +2 -2
package/src/utils/__tests__/secureDataAccess.unit.test.ts +3 -2
package/src/utils/app/appNameResolver.test.ts +346 -73
package/src/utils/context/superAdminOverride.ts +58 -0
package/src/utils/file-reference/index.ts +65 -37
package/src/utils/google-places/googlePlacesUtils.test.ts +98 -0
package/src/utils/google-places/googlePlacesUtils.ts +1 -1
package/src/utils/google-places/loadGoogleMapsScript.test.ts +83 -0
package/src/utils/google-places/types.ts +1 -1
package/src/utils/request-deduplication.ts +4 -4
package/src/utils/security/secureDataAccess.test.ts +1 -1
package/src/utils/security/secureDataAccess.ts +7 -4
package/src/utils/storage/README.md +1 -1
package/src/utils/storage/helpers.test.ts +1 -1
package/src/utils/storage/helpers.ts +38 -19
package/src/utils/storage/types.ts +15 -8
package/src/utils/validation/__tests__/csrf.test.ts +105 -0
package/src/utils/validation/__tests__/sqlInjectionProtection.test.ts +92 -0
package/src/vite-env.d.ts +2 -2
package/dist/chunk-3GOZZZYH.js.map +0 -1
package/dist/chunk-DDM4CCYT.js.map +0 -1
package/dist/chunk-E7UAOUMY.js +0 -75
package/dist/chunk-E7UAOUMY.js.map +0 -1
package/dist/chunk-F2IMUDXZ.js.map +0 -1
package/dist/chunk-HEHYGYOX.js.map +0 -1
package/dist/chunk-IM4QE42D.js.map +0 -1
package/dist/chunk-MX64ZF6I.js.map +0 -1
package/dist/chunk-SAUPYVLF.js.map +0 -1
package/dist/chunk-THRPYOFK.js.map +0 -1
package/dist/chunk-UCQSRW7Z.js.map +0 -1
package/dist/chunk-VGZZXKBR.js.map +0 -1
package/dist/chunk-YGPFYGA6.js.map +0 -1
package/dist/chunk-YHCN776L.js.map +0 -1
/package/dist/{DataTable-GUFUNZ3N.js.map → DataTable-WKRZD47S.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-643PUAIM.js.map → UnifiedAuthProvider-FTSG5XH7.js.map} +0 -0
/package/dist/{api-YP7XD5L6.js.map → api-IHKALJZD.js.map} +0 -0
/package/dist/{chunk-HESYZWZW.js.map → chunk-QWWZ5CAQ.js.map} +0 -0

package/src/rbac/utils/__tests__/eventContext.unit.test.ts CHANGED Viewed

@@ -15,7 +15,9 @@ import {
   getOrganisationFromEvent,
   createScopeFromEvent,
   isEventBasedScope,
-  isValidEventBasedScope
+  isValidEventBasedScope,
+  clearAllOrgDerivationCache,
+  clearOrgDerivationCache
 } from '../eventContext';
 // Mock Supabase client
@@ -26,8 +28,10 @@ const createMockSupabaseClient = () => {
     single: vi.fn()
   };
+  const fromMock = vi.fn().mockReturnValue(mockQuery);
   return {
-    from: vi.fn().mockReturnValue(mockQuery),
+    from: fromMock,
     query: mockQuery
   } as unknown as SupabaseClient<Database>;
 };
@@ -37,12 +41,23 @@ describe('Event Context Utilities', () => {
   let mockQuery: any;
   beforeEach(() => {
+    // Clear cache before each test
+    clearAllOrgDerivationCache();
     mockSupabase = createMockSupabaseClient();
-    mockQuery = mockSupabase.from('event');
+    // Reset mockQuery to get a fresh query builder for each test
+    mockQuery = {
+      select: vi.fn().mockReturnThis(),
+      eq: vi.fn().mockReturnThis(),
+      single: vi.fn()
+    };
+    (mockSupabase.from as any).mockReturnValue(mockQuery);
   });
   afterEach(() => {
     vi.clearAllMocks();
+    // Clear cache after each test
+    clearAllOrgDerivationCache();
   });
   describe('getOrganisationFromEvent', () => {
@@ -58,7 +73,7 @@ describe('Event Context Utilities', () => {
       const result = await getOrganisationFromEvent(mockSupabase, eventId);
       expect(result).toBe(organisationId);
-      expect(mockSupabase.from).toHaveBeenCalledWith('event');
+      expect(mockSupabase.from).toHaveBeenCalledWith('core_events');
       expect(mockQuery.select).toHaveBeenCalledWith('organisation_id');
       expect(mockQuery.eq).toHaveBeenCalledWith('event_id', eventId);
       expect(mockQuery.single).toHaveBeenCalled();
@@ -80,6 +95,9 @@ describe('Event Context Utilities', () => {
     it('should return null when data is null', async () => {
       const eventId = 'event-123';
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
       mockQuery.single.mockResolvedValue({
         data: null,
         error: null
@@ -94,6 +112,9 @@ describe('Event Context Utilities', () => {
       const eventId = 'event-123';
       const dbError = new Error('Database connection failed');
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
       mockQuery.single.mockRejectedValue(dbError);
       await expect(getOrganisationFromEvent(mockSupabase, eventId))
@@ -103,6 +124,9 @@ describe('Event Context Utilities', () => {
     it('should handle empty organisation_id', async () => {
       const eventId = 'event-123';
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
       mockQuery.single.mockResolvedValue({
         data: { organisation_id: null },
         error: null
@@ -168,6 +192,9 @@ describe('Event Context Utilities', () => {
     it('should return null when organisation lookup fails', async () => {
       const eventId = 'event-123';
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
       mockQuery.single.mockResolvedValue({
         data: { organisation_id: null },
         error: null
@@ -182,6 +209,9 @@ describe('Event Context Utilities', () => {
       const eventId = 'event-123';
       const dbError = new Error('Database connection failed');
+      // Clear cache for this specific test
+      clearOrgDerivationCache(eventId);
       mockQuery.single.mockRejectedValue(dbError);
       await expect(createScopeFromEvent(mockSupabase, eventId))
@@ -349,15 +379,31 @@ describe('Event Context Utilities', () => {
       const organisationId1 = 'org-123';
       const organisationId2 = 'org-456';
-      mockQuery.single
-        .mockResolvedValueOnce({
+      // Clear cache for these specific events
+      clearOrgDerivationCache(eventId1);
+      clearOrgDerivationCache(eventId2);
+      // Create separate query builders for concurrent calls
+      const mockQuery1 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
           data: { organisation_id: organisationId1 },
           error: null
         })
-        .mockResolvedValueOnce({
+      };
+      const mockQuery2 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
           data: { organisation_id: organisationId2 },
           error: null
-        });
+        })
+      };
+      (mockSupabase.from as any)
+        .mockReturnValueOnce(mockQuery1)
+        .mockReturnValueOnce(mockQuery2);
       const [result1, result2] = await Promise.all([
         getOrganisationFromEvent(mockSupabase, eventId1),
@@ -376,15 +422,31 @@ describe('Event Context Utilities', () => {
       const appId1 = 'app-123';
       const appId2 = 'app-456';
-      mockQuery.single
-        .mockResolvedValueOnce({
+      // Clear cache for these specific events
+      clearOrgDerivationCache(eventId1);
+      clearOrgDerivationCache(eventId2);
+      // Create separate query builders for concurrent calls
+      const mockQuery1 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
           data: { organisation_id: organisationId1 },
           error: null
         })
-        .mockResolvedValueOnce({
+      };
+      const mockQuery2 = {
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
           data: { organisation_id: organisationId2 },
           error: null
-        });
+        })
+      };
+      (mockSupabase.from as any)
+        .mockReturnValueOnce(mockQuery1)
+        .mockReturnValueOnce(mockQuery2);
       const [result1, result2] = await Promise.all([
         createScopeFromEvent(mockSupabase, eventId1, appId1),

package/src/rbac/utils/contextValidator.ts ADDED Viewed

@@ -0,0 +1,288 @@
+/**
+ * Context Validator for RBAC
+ * @package @jmruthers/pace-core
+ * @module RBAC/ContextValidator
+ * @since 1.0.0
+ *
+ * Centralized validation for RBAC context requirements based on app configuration.
+ * Enforces app-specific context rules with single primary context:
+ * - requires_event = TRUE: Event is PRIMARY context, org derived from event (org not required in input)
+ * - requires_event = FALSE: Organisation is PRIMARY context, event optional
+ * - PORTAL/ADMIN apps: Both contexts optional (allows users to view/edit own profiles, super admin access)
+ *
+ * Key principle: Only one primary context is required based on app config. The other is derived or optional.
+ */
+import { SupabaseClient } from '@supabase/supabase-js';
+import { Database } from '../../types/database';
+import { UUID, Scope } from '../types';
+import { EventContextRequiredError, OrganisationContextRequiredError } from '../types';
+import { getOrganisationFromEvent } from './eventContext';
+import { createLogger } from '../../utils/core/logger';
+const log = createLogger('ContextValidator');
+export interface AppConfig {
+  requires_event: boolean;
+}
+/**
+ * Check if an app allows optional contexts (both organisation and event optional)
+ * @param appName - App name to check
+ * @returns True if app allows optional contexts
+ */
+function allowsOptionalContexts(appName?: string): boolean {
+  return appName === 'PORTAL' || appName === 'ADMIN';
+}
+export interface ContextValidationResult {
+  isValid: boolean;
+  resolvedScope: Scope | null;
+  error: Error | null;
+}
+/**
+ * Context Validator class
+ *
+ * Validates and resolves RBAC scope based on app configuration requirements.
+ */
+export class ContextValidator {
+  /**
+   * Validate scope against app requirements
+   *
+   * @param scope - Current scope
+   * @param appConfig - App configuration (requires_event flag)
+   * @param appName - App name (for PORTAL/ADMIN special case)
+   * @returns Validation result with resolved scope
+   */
+  static async validateScope(
+    scope: Scope,
+    appConfig: AppConfig | null,
+    appName?: string
+  ): Promise<ContextValidationResult> {
+    // PORTAL/ADMIN special case: both contexts optional
+    if (allowsOptionalContexts(appName)) {
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId: scope.organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    // If no app config, default to requiring org context
+    if (!appConfig) {
+      if (!scope.organisationId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new OrganisationContextRequiredError()
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: scope,
+        error: null
+      };
+    }
+    // Event-required apps: must have eventId, derive org from event
+    if (appConfig.requires_event) {
+      if (!scope.eventId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new EventContextRequiredError()
+        };
+      }
+      // If org is not provided, we'll need to derive it from event
+      // But for validation, we just check that eventId exists
+      // The actual derivation happens in resolveRequiredContext
+      return {
+        isValid: true,
+        resolvedScope: scope,
+        error: null
+      };
+    }
+    // Org-required apps: must have organisationId, eventId optional
+    if (!scope.organisationId) {
+      return {
+        isValid: false,
+        resolvedScope: null,
+        error: new OrganisationContextRequiredError()
+      };
+    }
+    return {
+      isValid: true,
+      resolvedScope: scope,
+      error: null
+    };
+  }
+  /**
+   * Resolve required context and derive missing values
+   *
+   * @param scope - Current scope
+   * @param appConfig - App configuration
+   * @param appName - App name (for PORTAL/ADMIN special case)
+   * @param supabase - Supabase client (for deriving org from event)
+   * @returns Resolved scope with all required context
+   */
+  static async resolveRequiredContext(
+    scope: Scope,
+    appConfig: AppConfig | null,
+    appName?: string,
+    supabase?: SupabaseClient<Database> | null
+  ): Promise<ContextValidationResult> {
+    // PORTAL/ADMIN special case: both contexts optional
+    if (allowsOptionalContexts(appName)) {
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId: scope.organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    // If no app config, default to requiring org context
+    if (!appConfig) {
+      if (!scope.organisationId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new OrganisationContextRequiredError()
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: scope,
+        error: null
+      };
+    }
+    // Event-required apps: must have eventId, derive org from event
+    if (appConfig.requires_event) {
+      if (!scope.eventId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new EventContextRequiredError()
+        };
+      }
+      // Derive organisationId from event if not provided
+      let organisationId: UUID | undefined = scope.organisationId;
+      if (!organisationId && supabase && scope.eventId) {
+        try {
+          const derivedOrgId = await this.deriveOrgFromEvent(supabase, scope.eventId);
+          organisationId = derivedOrgId || undefined;
+          if (!organisationId) {
+            return {
+              isValid: false,
+              resolvedScope: null,
+              error: new Error('Could not resolve organisation from event context')
+            };
+          }
+        } catch (error) {
+          log.error('Failed to derive org from event:', error);
+          return {
+            isValid: false,
+            resolvedScope: null,
+            error: error instanceof Error ? error : new Error('Failed to derive organisation from event')
+          };
+        }
+      } else if (!organisationId) {
+        return {
+          isValid: false,
+          resolvedScope: null,
+          error: new Error('Event context requires organisationId but it could not be derived (supabase client not available)')
+        };
+      }
+      return {
+        isValid: true,
+        resolvedScope: {
+          organisationId,
+          eventId: scope.eventId,
+          appId: scope.appId
+        },
+        error: null
+      };
+    }
+    // Org-required apps: must have organisationId, eventId optional
+    if (!scope.organisationId) {
+      return {
+        isValid: false,
+        resolvedScope: null,
+        error: new OrganisationContextRequiredError()
+      };
+    }
+    return {
+      isValid: true,
+      resolvedScope: scope,
+      error: null
+    };
+  }
+  /**
+   * Derive organisation ID from event ID
+   *
+   * @param supabase - Supabase client
+   * @param eventId - Event ID
+   * @returns Organisation ID or null
+   */
+  static async deriveOrgFromEvent(
+    supabase: SupabaseClient<Database>,
+    eventId: string
+  ): Promise<UUID | null> {
+    return getOrganisationFromEvent(supabase, eventId);
+  }
+  /**
+   * Check if context is ready for permission checks
+   *
+   * @param scope - Current scope
+   * @param appConfig - App configuration
+   * @param appName - App name
+   * @param hasSelectedEvent - Whether event is selected
+   * @param hasSelectedOrganisation - Whether organisation is selected
+   * @returns True if context is ready
+   */
+  static isContextReady(
+    scope: Scope,
+    appConfig: AppConfig | null,
+    appName?: string,
+    hasSelectedEvent?: boolean,
+    hasSelectedOrganisation?: boolean
+  ): boolean {
+    // PORTAL/ADMIN special case: context is always ready
+    if (allowsOptionalContexts(appName)) {
+      return true;
+    }
+    // If no app config, default to requiring org context
+    if (!appConfig) {
+      return !!hasSelectedOrganisation || !!scope.organisationId;
+    }
+    // Event-required apps: need event context
+    if (appConfig.requires_event) {
+      return !!hasSelectedEvent || !!scope.eventId;
+    }
+    // Org-required apps: need org context
+    return !!hasSelectedOrganisation || !!scope.organisationId;
+  }
+}

package/src/rbac/utils/eventContext.ts CHANGED Viewed

@@ -12,9 +12,35 @@ import { SupabaseClient } from '@supabase/supabase-js';
 import { Database } from '../../types/database';
 import { UUID, Scope } from '../types';
+/**
+ * Cache for organisation derivation from event
+ * Key: eventId, Value: organisationId | null
+ * Maximum cache size to prevent memory leaks
+ */
+const orgDerivationCache = new Map<string, UUID | null>();
+const MAX_CACHE_SIZE = 100; // Limit cache to 100 entries
+/**
+ * Clear cache entry for a specific event (useful if event's org changes)
+ * @param eventId - Event ID to clear from cache
+ */
+export function clearOrgDerivationCache(eventId: string): void {
+  orgDerivationCache.delete(eventId);
+}
+/**
+ * Clear all cached organisation derivations
+ */
+export function clearAllOrgDerivationCache(): void {
+  orgDerivationCache.clear();
+}
 /**
  * Get organization ID from event ID
  *
+ * Uses caching to avoid repeated database queries for the same event.
+ * Cache is limited to prevent memory leaks.
+ *
  * @param supabase - Supabase client
  * @param eventId - Event ID
  * @returns Promise resolving to organization ID or null
@@ -23,17 +49,40 @@ export async function getOrganisationFromEvent(
   supabase: SupabaseClient<Database>,
   eventId: string
 ): Promise<UUID | null> {
+  // Check cache first
+  if (orgDerivationCache.has(eventId)) {
+    return orgDerivationCache.get(eventId) ?? null;
+  }
+  // Query database
   const { data, error } = await supabase
-    .from('event')
+    .from('core_events')
     .select('organisation_id')
     .eq('event_id', eventId)
     .single() as { data: { organisation_id: string } | null; error: any };
+  let organisationId: UUID | null = null;
   if (error || !data) {
-    return null;
+    organisationId = null;
+  } else if (data.organisation_id) {
+    organisationId = data.organisation_id;
+  } else {
+    // organisation_id is null or undefined
+    organisationId = null;
+  }
+  // Cache the result (with size limit to prevent memory leaks)
+  if (orgDerivationCache.size >= MAX_CACHE_SIZE) {
+    // Remove oldest entry (first key in Map)
+    const firstKey = orgDerivationCache.keys().next().value;
+    if (firstKey) {
+      orgDerivationCache.delete(firstKey);
+    }
   }
+  orgDerivationCache.set(eventId, organisationId);
-  return data.organisation_id;
+  return organisationId;
 }
 /**

package/src/services/AuthService.ts CHANGED Viewed

@@ -299,7 +299,15 @@ export class AuthService extends BaseService implements IAuthService {
   // Lifecycle methods
   async initialize(): Promise<void> {
     await super.initialize();
+    // Set loading to true before starting session restoration
+    // This ensures ProtectedRoute shows loading state while session is being restored
+    this.authLoading = true;
+    this.notify();
+    // Setup auth state listener first - this will receive INITIAL_SESSION event
     await this.setupAuthStateListener();
+    // Then restore session - this will trigger INITIAL_SESSION event if session exists
     await this.restoreSession();
   }
@@ -431,17 +439,25 @@ export class AuthService extends BaseService implements IAuthService {
                     this.sessionRestorationState.restorationError ||
                     (hasTimeoutError && session)) {
                   this.finishSessionRestoration();
-                  return;
+                }
+              } else {
+                // No session in INITIAL_SESSION event - user is not authenticated
+                // Finish restoration to clear loading state
+                if (this.sessionRestorationState.isRestoring) {
+                  this.finishSessionRestoration();
                 }
               }
-              if (this.sessionRestorationState.isRestoring) {
-                this.finishSessionRestoration();
-                return;
-              }
+              // CRITICAL: Set loading to false AFTER handling INITIAL_SESSION
+              // This ensures ProtectedRoute waits for session restoration to complete
+              // before checking authentication state
+              this.authLoading = false;
+              this.notify();
+              return; // Return early to avoid setting loading to false again below
             }
-            // Always set loading to false after any auth state change
+            // For other events (SIGNED_IN, SIGNED_OUT, TOKEN_REFRESHED), set loading to false
+            // INITIAL_SESSION is handled above and returns early
             this.authLoading = false;
             this.notify();
           } catch (error) {
@@ -519,8 +535,21 @@ export class AuthService extends BaseService implements IAuthService {
         this.authError = null;
       }
-      // Finish successfully even if earlier calls reported an error, to avoid noisy warnings in benign cases
-      this.finishSessionRestoration();
+      // CRITICAL FIX: Don't finish restoration here - wait for INITIAL_SESSION event
+      // The INITIAL_SESSION event should fire when the auth state listener is set up
+      // However, if it doesn't fire within a short delay (e.g., edge case), we'll finish it
+      // This ensures ProtectedRoute waits for the event before checking auth state
+      // Set a short fallback timeout to finish restoration if INITIAL_SESSION doesn't fire
+      // This handles edge cases where the event might be delayed or not fire
+      setTimeout(() => {
+        // Only finish if restoration is still in progress and INITIAL_SESSION hasn't fired
+        // The INITIAL_SESSION handler will have set restorationComplete to true if it fired
+        if (this.sessionRestorationState.isRestoring && !this.sessionRestorationState.restorationComplete) {
+          logger.debug('AuthService', 'INITIAL_SESSION event did not fire, finishing restoration');
+          this.finishSessionRestoration();
+        }
+      }, 100); // 100ms fallback - INITIAL_SESSION should fire immediately when listener is set up
     } catch (error) {
       const restorationError = error instanceof Error
         ? error