npm - @jmruthers/pace-core - Versions diffs - 0.5.189 → 0.5.191 - Mend

@jmruthers/pace-core 0.5.189 → 0.5.191

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (438) hide show

package/core-usage-manifest.json +0 -4
package/dist/{AuthService-B-cd2MA4.d.ts → AuthService-CbP_utw2.d.ts} +7 -3
package/dist/{DataTable-IVYljGJ6.d.ts → DataTable-Be6dH_dR.d.ts} +1 -1
package/dist/{DataTable-GUFUNZ3N.js → DataTable-WKRZD47S.js} +8 -8
package/dist/{PublicPageProvider-B8HaLe69.d.ts → PublicPageProvider-ULXC_u6U.d.ts} +84 -25
package/dist/{UnifiedAuthProvider-BG0AL5eE.d.ts → UnifiedAuthProvider-BYA9qB-o.d.ts} +4 -3
package/dist/{UnifiedAuthProvider-643PUAIM.js → UnifiedAuthProvider-FTSG5XH7.js} +4 -2
package/dist/{api-YP7XD5L6.js → api-IHKALJZD.js} +4 -2
package/dist/{chunk-VGZZXKBR.js → chunk-6LTQQAT6.js} +351 -157
package/dist/chunk-6LTQQAT6.js.map +1 -0
package/dist/{chunk-MX64ZF6I.js → chunk-6TQDD426.js} +15 -15
package/dist/chunk-6TQDD426.js.map +1 -0
package/dist/{chunk-YHCN776L.js → chunk-G37KK66H.js} +2 -75
package/dist/chunk-G37KK66H.js.map +1 -0
package/dist/{chunk-THRPYOFK.js → chunk-HW3OVDUF.js} +5 -5
package/dist/chunk-HW3OVDUF.js.map +1 -0
package/dist/{chunk-F2IMUDXZ.js → chunk-I7PSE6JW.js} +75 -2
package/dist/chunk-I7PSE6JW.js.map +1 -0
package/dist/{chunk-IM4QE42D.js → chunk-LOMZXPSN.js} +141 -326
package/dist/chunk-LOMZXPSN.js.map +1 -0
package/dist/chunk-OETXORNB.js +614 -0
package/dist/chunk-OETXORNB.js.map +1 -0
package/dist/{chunk-HESYZWZW.js → chunk-QWWZ5CAQ.js} +2 -2
package/dist/{chunk-HEHYGYOX.js → chunk-ROXMHMY2.js} +403 -46
package/dist/chunk-ROXMHMY2.js.map +1 -0
package/dist/{chunk-2UUZZJFT.js → chunk-ULHIJK66.js} +228 -177
package/dist/{chunk-2UUZZJFT.js.map → chunk-ULHIJK66.js.map} +1 -1
package/dist/{chunk-YGPFYGA6.js → chunk-VKB2CO4Z.js} +838 -503
package/dist/chunk-VKB2CO4Z.js.map +1 -0
package/dist/{chunk-3GOZZZYH.js → chunk-VRGWKHDB.js} +238 -301
package/dist/chunk-VRGWKHDB.js.map +1 -0
package/dist/{chunk-UCQSRW7Z.js → chunk-XNYQOL3Z.js} +431 -384
package/dist/chunk-XNYQOL3Z.js.map +1 -0
package/dist/{chunk-DDM4CCYT.js → chunk-XYXSXPUK.js} +79 -59
package/dist/chunk-XYXSXPUK.js.map +1 -0
package/dist/{chunk-SAUPYVLF.js → chunk-ZSAAAMVR.js} +1 -1
package/dist/chunk-ZSAAAMVR.js.map +1 -0
package/dist/components.d.ts +5 -6
package/dist/components.js +19 -19
package/dist/components.js.map +1 -1
package/dist/{database.generated-DI89OQeI.d.ts → database.generated-CzIvgcPu.d.ts} +165 -201
package/dist/eslint-rules/pace-core-compliance.cjs +0 -2
package/dist/{file-reference-D037xOFK.d.ts → file-reference-BavO2eQj.d.ts} +13 -10
package/dist/hooks.d.ts +20 -15
package/dist/hooks.js +14 -8
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +17 -15
package/dist/index.js +86 -81
package/dist/index.js.map +1 -1
package/dist/providers.d.ts +3 -3
package/dist/providers.js +3 -1
package/dist/rbac/index.d.ts +77 -13
package/dist/rbac/index.js +12 -9
package/dist/{types-Bwgl--Xo.d.ts → types-CEpcvwwF.d.ts} +1 -1
package/dist/types.d.ts +3 -3
package/dist/types.js +1 -1
package/dist/{usePublicRouteParams-CTDELQ7H.d.ts → usePublicRouteParams-TZe0gy-4.d.ts} +17 -10
package/dist/utils.d.ts +8 -8
package/dist/utils.js +16 -16
package/docs/README.md +2 -2
package/docs/api/classes/ColumnFactory.md +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +2 -2
package/docs/api/classes/Logger.md +1 -1
package/docs/api/classes/MissingUserContextError.md +2 -2
package/docs/api/classes/OrganisationContextRequiredError.md +1 -1
package/docs/api/classes/PermissionDeniedError.md +1 -1
package/docs/api/classes/RBACAuditManager.md +2 -2
package/docs/api/classes/RBACCache.md +1 -1
package/docs/api/classes/RBACEngine.md +5 -5
package/docs/api/classes/RBACError.md +1 -1
package/docs/api/classes/RBACNotInitializedError.md +2 -2
package/docs/api/classes/SecureSupabaseClient.md +25 -20
package/docs/api/classes/StorageUtils.md +7 -4
package/docs/api/enums/FileCategory.md +1 -1
package/docs/api/enums/LogLevel.md +1 -1
package/docs/api/enums/RBACErrorCode.md +1 -1
package/docs/api/enums/RPCFunction.md +1 -1
package/docs/api/interfaces/AddressFieldProps.md +1 -1
package/docs/api/interfaces/AddressFieldRef.md +1 -1
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/AutocompleteOptions.md +1 -1
package/docs/api/interfaces/AvatarProps.md +1 -1
package/docs/api/interfaces/BadgeProps.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CalendarProps.md +20 -6
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/ComplianceResult.md +1 -1
package/docs/api/interfaces/DataAccessRecord.md +9 -9
package/docs/api/interfaces/DataRecord.md +1 -1
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/DatabaseComplianceResult.md +1 -1
package/docs/api/interfaces/DatabaseIssue.md +1 -1
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
package/docs/api/interfaces/EventAppRoleData.md +1 -1
package/docs/api/interfaces/ExportColumn.md +1 -1
package/docs/api/interfaces/ExportOptions.md +1 -1
package/docs/api/interfaces/FileDisplayProps.md +62 -16
package/docs/api/interfaces/FileMetadata.md +1 -1
package/docs/api/interfaces/FileReference.md +2 -2
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadOptions.md +26 -12
package/docs/api/interfaces/FileUploadProps.md +30 -19
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/FormFieldProps.md +1 -1
package/docs/api/interfaces/FormProps.md +1 -1
package/docs/api/interfaces/GrantEventAppRoleParams.md +1 -1
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoggerConfig.md +1 -1
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +10 -10
package/docs/api/interfaces/NavigationContextType.md +9 -9
package/docs/api/interfaces/NavigationGuardProps.md +1 -1
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +7 -7
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +1 -1
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +1 -1
package/docs/api/interfaces/PaceLoginPageProps.md +1 -1
package/docs/api/interfaces/PageAccessRecord.md +8 -8
package/docs/api/interfaces/PagePermissionContextType.md +8 -8
package/docs/api/interfaces/PagePermissionGuardProps.md +1 -1
package/docs/api/interfaces/PagePermissionProviderProps.md +7 -7
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/ParsedAddress.md +2 -2
package/docs/api/interfaces/PermissionEnforcerProps.md +1 -1
package/docs/api/interfaces/ProgressProps.md +3 -11
package/docs/api/interfaces/ProtectedRouteProps.md +1 -1
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/QuickFix.md +1 -1
package/docs/api/interfaces/RBACAccessValidateParams.md +1 -1
package/docs/api/interfaces/RBACAccessValidateResult.md +1 -1
package/docs/api/interfaces/RBACAuditLogParams.md +1 -1
package/docs/api/interfaces/RBACAuditLogResult.md +1 -1
package/docs/api/interfaces/RBACConfig.md +2 -2
package/docs/api/interfaces/RBACContext.md +1 -1
package/docs/api/interfaces/RBACLogger.md +1 -1
package/docs/api/interfaces/RBACPageAccessCheckParams.md +1 -1
package/docs/api/interfaces/RBACPerformanceMetrics.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckParams.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckResult.md +1 -1
package/docs/api/interfaces/RBACPermissionsGetParams.md +1 -1
package/docs/api/interfaces/RBACPermissionsGetResult.md +1 -1
package/docs/api/interfaces/RBACResult.md +1 -1
package/docs/api/interfaces/RBACRoleGrantParams.md +1 -1
package/docs/api/interfaces/RBACRoleGrantResult.md +1 -1
package/docs/api/interfaces/RBACRoleRevokeParams.md +1 -1
package/docs/api/interfaces/RBACRoleRevokeResult.md +1 -1
package/docs/api/interfaces/RBACRoleValidateParams.md +1 -1
package/docs/api/interfaces/RBACRoleValidateResult.md +1 -1
package/docs/api/interfaces/RBACRolesListParams.md +1 -1
package/docs/api/interfaces/RBACRolesListResult.md +1 -1
package/docs/api/interfaces/RBACSessionTrackParams.md +1 -1
package/docs/api/interfaces/RBACSessionTrackResult.md +1 -1
package/docs/api/interfaces/ResourcePermissions.md +1 -1
package/docs/api/interfaces/RevokeEventAppRoleParams.md +1 -1
package/docs/api/interfaces/RoleBasedRouterContextType.md +8 -8
package/docs/api/interfaces/RoleBasedRouterProps.md +10 -10
package/docs/api/interfaces/RoleManagementResult.md +1 -1
package/docs/api/interfaces/RouteAccessRecord.md +10 -10
package/docs/api/interfaces/RouteConfig.md +10 -10
package/docs/api/interfaces/RuntimeComplianceResult.md +1 -1
package/docs/api/interfaces/SecureDataContextType.md +9 -9
package/docs/api/interfaces/SecureDataProviderProps.md +8 -8
package/docs/api/interfaces/SessionRestorationLoaderProps.md +1 -1
package/docs/api/interfaces/SetupIssue.md +1 -1
package/docs/api/interfaces/StorageConfig.md +4 -4
package/docs/api/interfaces/StorageFileInfo.md +7 -7
package/docs/api/interfaces/StorageFileMetadata.md +25 -14
package/docs/api/interfaces/StorageListOptions.md +22 -9
package/docs/api/interfaces/StorageListResult.md +4 -4
package/docs/api/interfaces/StorageUploadOptions.md +21 -8
package/docs/api/interfaces/StorageUploadResult.md +6 -6
package/docs/api/interfaces/StorageUrlOptions.md +19 -6
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/SwitchProps.md +1 -1
package/docs/api/interfaces/TabsContentProps.md +1 -1
package/docs/api/interfaces/TabsListProps.md +1 -1
package/docs/api/interfaces/TabsProps.md +1 -1
package/docs/api/interfaces/TabsTriggerProps.md +1 -1
package/docs/api/interfaces/TextareaProps.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +53 -53
package/docs/api/interfaces/UnifiedAuthProviderProps.md +13 -13
package/docs/api/interfaces/UseFormDialogOptions.md +1 -1
package/docs/api/interfaces/UseFormDialogReturn.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventLogoOptions.md +2 -2
package/docs/api/interfaces/UsePublicEventLogoReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +2 -2
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UseResolvedScopeOptions.md +5 -5
package/docs/api/interfaces/UseResolvedScopeReturn.md +4 -4
package/docs/api/interfaces/UseResourcePermissionsOptions.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +11 -11
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +165 -106
package/docs/api-reference/components.md +15 -7
package/docs/api-reference/providers.md +2 -2
package/docs/api-reference/rpc-functions.md +1 -0
package/docs/best-practices/README.md +1 -1
package/docs/best-practices/deployment.md +8 -8
package/docs/getting-started/examples/README.md +2 -2
package/docs/getting-started/installation-guide.md +4 -4
package/docs/getting-started/quick-start.md +3 -3
package/docs/migration/MIGRATION_GUIDE.md +3 -3
package/docs/migration/README.md +18 -0
package/docs/migration/database-changes-december-2025.md +767 -0
package/docs/migration/person-scoped-profiles-migration-guide.md +472 -0
package/docs/rbac/compliance/compliance-guide.md +2 -2
package/docs/rbac/event-based-apps.md +2 -2
package/docs/rbac/getting-started.md +2 -2
package/docs/rbac/quick-start.md +2 -2
package/docs/security/README.md +4 -4
package/docs/standards/07-rbac-and-rls-standard.md +430 -7
package/docs/troubleshooting/README.md +2 -2
package/docs/troubleshooting/migration.md +3 -3
package/package.json +1 -3
package/scripts/check-pace-core-compliance.cjs +1 -1
package/scripts/check-pace-core-compliance.js +1 -1
package/src/__tests__/fixtures/supabase.ts +301 -0
package/src/__tests__/public-recipe-view.test.ts +19 -19
package/src/__tests__/rls-policies.test.ts +210 -74
package/src/components/AddressField/AddressField.test.tsx +42 -0
package/src/components/AddressField/AddressField.tsx +71 -60
package/src/components/AddressField/README.md +7 -6
package/src/components/Alert/Alert.test.tsx +50 -10
package/src/components/Alert/Alert.tsx +5 -3
package/src/components/Avatar/Avatar.test.tsx +95 -43
package/src/components/Avatar/Avatar.tsx +16 -16
package/src/components/Button/Button.test.tsx +2 -1
package/src/components/Button/Button.tsx +3 -3
package/src/components/Calendar/Calendar.test.tsx +53 -37
package/src/components/Calendar/Calendar.tsx +409 -82
package/src/components/Card/Card.test.tsx +7 -4
package/src/components/Card/Card.tsx +3 -6
package/src/components/Checkbox/Checkbox.tsx +2 -2
package/src/components/DataTable/components/ActionButtons.tsx +5 -5
package/src/components/DataTable/components/BulkOperationsDropdown.tsx +2 -2
package/src/components/DataTable/components/ColumnFilter.tsx +1 -1
package/src/components/DataTable/components/ColumnVisibilityDropdown.tsx +3 -3
package/src/components/DataTable/components/DataTableBody.tsx +12 -12
package/src/components/DataTable/components/DataTableCore.tsx +3 -3
package/src/components/DataTable/components/DataTableToolbar.tsx +5 -5
package/src/components/DataTable/components/DraggableColumnHeader.tsx +3 -3
package/src/components/DataTable/components/EditableRow.tsx +2 -2
package/src/components/DataTable/components/EmptyState.tsx +3 -3
package/src/components/DataTable/components/GroupHeader.tsx +2 -2
package/src/components/DataTable/components/GroupingDropdown.tsx +1 -1
package/src/components/DataTable/components/ImportModal.tsx +4 -4
package/src/components/DataTable/components/LoadingState.tsx +1 -1
package/src/components/DataTable/components/PaginationControls.tsx +11 -11
package/src/components/DataTable/components/UnifiedTableBody.tsx +9 -9
package/src/components/DataTable/components/ViewRowModal.tsx +2 -2
package/src/components/DataTable/components/__tests__/AccessDeniedPage.test.tsx +11 -37
package/src/components/DataTable/components/__tests__/DataTableToolbar.test.tsx +157 -0
package/src/components/DataTable/components/__tests__/LoadingState.test.tsx +2 -1
package/src/components/DataTable/components/__tests__/VirtualizedDataTable.test.tsx +128 -0
package/src/components/DataTable/core/__tests__/ActionManager.test.ts +19 -0
package/src/components/DataTable/core/__tests__/ColumnFactory.test.ts +51 -0
package/src/components/DataTable/core/__tests__/ColumnManager.test.ts +84 -0
package/src/components/DataTable/core/__tests__/DataManager.test.ts +14 -0
package/src/components/DataTable/core/__tests__/DataTableContext.test.tsx +136 -0
package/src/components/DataTable/core/__tests__/LocalDataAdapter.test.ts +16 -0
package/src/components/DataTable/core/__tests__/PluginRegistry.test.ts +18 -0
package/src/components/DataTable/hooks/useDataTablePermissions.ts +28 -7
package/src/components/DataTable/utils/__tests__/hierarchicalUtils.test.ts +30 -1
package/src/components/DataTable/utils/hierarchicalUtils.ts +38 -10
package/src/components/DatePickerWithTimezone/DatePickerWithTimezone.test.tsx +8 -3
package/src/components/DatePickerWithTimezone/DatePickerWithTimezone.tsx +4 -4
package/src/components/Dialog/Dialog.tsx +2 -2
package/src/components/EventSelector/EventSelector.tsx +7 -7
package/src/components/FileDisplay/FileDisplay.tsx +291 -179
package/src/components/FileUpload/FileUpload.tsx +7 -4
package/src/components/Header/Header.test.tsx +28 -0
package/src/components/Header/Header.tsx +22 -9
package/src/components/InactivityWarningModal/InactivityWarningModal.tsx +2 -2
package/src/components/LoadingSpinner/LoadingSpinner.test.tsx +19 -14
package/src/components/LoadingSpinner/LoadingSpinner.tsx +5 -5
package/src/components/NavigationMenu/NavigationMenu.test.tsx +127 -1
package/src/components/OrganisationSelector/OrganisationSelector.tsx +42 -22
package/src/components/PaceAppLayout/PaceAppLayout.integration.test.tsx +4 -0
package/src/components/PaceAppLayout/PaceAppLayout.performance.test.tsx +3 -0
package/src/components/PaceAppLayout/PaceAppLayout.security.test.tsx +3 -0
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +16 -6
package/src/components/PaceAppLayout/PaceAppLayout.tsx +37 -3
package/src/components/PaceAppLayout/test-setup.tsx +1 -0
package/src/components/PaceLoginPage/PaceLoginPage.test.tsx +66 -45
package/src/components/PaceLoginPage/PaceLoginPage.tsx +6 -4
package/src/components/Progress/Progress.test.tsx +18 -19
package/src/components/Progress/Progress.tsx +31 -32
package/src/components/PublicLayout/PublicLayout.test.tsx +6 -6
package/src/components/PublicLayout/PublicPageProvider.tsx +5 -3
package/src/components/Select/Select.test.tsx +4 -1
package/src/components/Select/Select.tsx +65 -20
package/src/components/Switch/Switch.test.tsx +2 -1
package/src/components/Switch/Switch.tsx +1 -1
package/src/components/Toast/Toast.tsx +1 -1
package/src/components/Tooltip/Tooltip.test.tsx +8 -2
package/src/components/UserMenu/UserMenu.tsx +3 -3
package/src/eslint-rules/pace-core-compliance.cjs +0 -2
package/src/eslint-rules/pace-core-compliance.js +0 -2
package/src/hooks/__tests__/hooks.integration.test.tsx +4 -1
package/src/hooks/__tests__/useAppConfig.unit.test.ts +76 -5
package/src/hooks/__tests__/useDataTableState.test.ts +76 -0
package/src/hooks/__tests__/useFileUrl.unit.test.ts +25 -69
package/src/hooks/__tests__/useFileUrlCache.test.ts +129 -0
package/src/hooks/__tests__/usePreventTabReload.test.ts +88 -0
package/src/hooks/__tests__/usePublicEvent.simple.test.ts +1 -1
package/src/hooks/__tests__/usePublicEvent.test.ts +608 -0
package/src/hooks/__tests__/useQueryCache.test.ts +144 -0
package/src/hooks/__tests__/useSecureDataAccess.unit.test.tsx +67 -24
package/src/hooks/index.ts +1 -1
package/src/hooks/public/usePublicEvent.ts +10 -10
package/src/hooks/public/usePublicFileDisplay.ts +173 -87
package/src/hooks/useAppConfig.ts +24 -5
package/src/hooks/useFileDisplay.ts +298 -36
package/src/hooks/useFileReference.ts +56 -11
package/src/hooks/useFileUrl.ts +1 -1
package/src/hooks/useInactivityTracker.ts +16 -7
package/src/hooks/usePermissionCache.test.ts +85 -8
package/src/hooks/useQueryCache.ts +27 -6
package/src/hooks/useSecureDataAccess.test.ts +87 -42
package/src/hooks/useSecureDataAccess.ts +95 -48
package/src/providers/__tests__/OrganisationProvider.test.tsx +27 -21
package/src/providers/services/EventServiceProvider.tsx +37 -17
package/src/providers/services/InactivityServiceProvider.tsx +4 -4
package/src/providers/services/OrganisationServiceProvider.tsx +8 -1
package/src/providers/services/UnifiedAuthProvider.tsx +115 -29
package/src/rbac/__tests__/auth-rbac.e2e.test.tsx +451 -0
package/src/rbac/__tests__/engine.comprehensive.test.ts +12 -0
package/src/rbac/__tests__/rbac-engine-core-logic.test.ts +8 -0
package/src/rbac/__tests__/rbac-engine-simplified.test.ts +4 -0
package/src/rbac/api.ts +240 -36
package/src/rbac/cache-invalidation.ts +21 -7
package/src/rbac/compliance/quick-fix-suggestions.ts +1 -1
package/src/rbac/components/NavigationGuard.tsx +23 -63
package/src/rbac/components/NavigationProvider.test.tsx +52 -23
package/src/rbac/components/NavigationProvider.tsx +13 -11
package/src/rbac/components/PagePermissionGuard.tsx +77 -203
package/src/rbac/components/PagePermissionProvider.tsx +13 -11
package/src/rbac/components/PermissionEnforcer.tsx +24 -62
package/src/rbac/components/RoleBasedRouter.tsx +14 -12
package/src/rbac/components/SecureDataProvider.tsx +13 -11
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +104 -41
package/src/rbac/components/__tests__/NavigationProvider.test.tsx +49 -12
package/src/rbac/components/__tests__/PagePermissionGuard.race-condition.test.tsx +22 -1
package/src/rbac/components/__tests__/PagePermissionGuard.test.tsx +161 -82
package/src/rbac/components/__tests__/PagePermissionGuard.verification.test.tsx +22 -1
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +77 -30
package/src/rbac/components/__tests__/RoleBasedRouter.test.tsx +39 -5
package/src/rbac/components/__tests__/SecureDataProvider.test.tsx +47 -4
package/src/rbac/engine.ts +4 -2
package/src/rbac/hooks/__tests__/useSecureSupabase.test.ts +144 -52
package/src/rbac/hooks/index.ts +3 -0
package/src/rbac/hooks/useCan.test.ts +101 -53
package/src/rbac/hooks/usePermissions.ts +108 -41
package/src/rbac/hooks/useRBAC.test.ts +11 -3
package/src/rbac/hooks/useRBAC.ts +83 -40
package/src/rbac/hooks/useResolvedScope.test.ts +189 -63
package/src/rbac/hooks/useResolvedScope.ts +128 -70
package/src/rbac/hooks/useSecureSupabase.ts +36 -19
package/src/rbac/hooks/useSuperAdminBypass.ts +126 -0
package/src/rbac/request-deduplication.ts +1 -1
package/src/rbac/secureClient.ts +72 -12
package/src/rbac/security.ts +29 -23
package/src/rbac/types.ts +10 -0
package/src/rbac/utils/__tests__/contextValidator.test.ts +150 -0
package/src/rbac/utils/__tests__/deep-equal.test.ts +53 -0
package/src/rbac/utils/__tests__/eventContext.test.ts +8 -3
package/src/rbac/utils/__tests__/eventContext.unit.test.ts +74 -12
package/src/rbac/utils/contextValidator.ts +288 -0
package/src/rbac/utils/eventContext.ts +52 -3
package/src/services/AuthService.ts +37 -8
package/src/services/EventService.ts +165 -21
package/src/services/OrganisationService.ts +125 -137
package/src/services/__tests__/EventService.test.ts +26 -21
package/src/services/__tests__/OrganisationService.pagination.test.ts +34 -8
package/src/services/__tests__/OrganisationService.test.ts +218 -86
package/src/types/database.generated.ts +166 -201
package/src/types/file-reference.ts +13 -10
package/src/types/supabase.ts +2 -2
package/src/utils/__tests__/secureDataAccess.unit.test.ts +3 -2
package/src/utils/app/appNameResolver.test.ts +346 -73
package/src/utils/context/superAdminOverride.ts +58 -0
package/src/utils/file-reference/index.ts +65 -37
package/src/utils/google-places/googlePlacesUtils.test.ts +98 -0
package/src/utils/google-places/googlePlacesUtils.ts +1 -1
package/src/utils/google-places/loadGoogleMapsScript.test.ts +83 -0
package/src/utils/google-places/types.ts +1 -1
package/src/utils/request-deduplication.ts +4 -4
package/src/utils/security/secureDataAccess.test.ts +1 -1
package/src/utils/security/secureDataAccess.ts +7 -4
package/src/utils/storage/README.md +1 -1
package/src/utils/storage/helpers.test.ts +1 -1
package/src/utils/storage/helpers.ts +38 -19
package/src/utils/storage/types.ts +15 -8
package/src/utils/validation/__tests__/csrf.test.ts +105 -0
package/src/utils/validation/__tests__/sqlInjectionProtection.test.ts +92 -0
package/src/vite-env.d.ts +2 -2
package/dist/chunk-3GOZZZYH.js.map +0 -1
package/dist/chunk-DDM4CCYT.js.map +0 -1
package/dist/chunk-E7UAOUMY.js +0 -75
package/dist/chunk-E7UAOUMY.js.map +0 -1
package/dist/chunk-F2IMUDXZ.js.map +0 -1
package/dist/chunk-HEHYGYOX.js.map +0 -1
package/dist/chunk-IM4QE42D.js.map +0 -1
package/dist/chunk-MX64ZF6I.js.map +0 -1
package/dist/chunk-SAUPYVLF.js.map +0 -1
package/dist/chunk-THRPYOFK.js.map +0 -1
package/dist/chunk-UCQSRW7Z.js.map +0 -1
package/dist/chunk-VGZZXKBR.js.map +0 -1
package/dist/chunk-YGPFYGA6.js.map +0 -1
package/dist/chunk-YHCN776L.js.map +0 -1
/package/dist/{DataTable-GUFUNZ3N.js.map → DataTable-WKRZD47S.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-643PUAIM.js.map → UnifiedAuthProvider-FTSG5XH7.js.map} +0 -0
/package/dist/{api-YP7XD5L6.js.map → api-IHKALJZD.js.map} +0 -0
/package/dist/{chunk-HESYZWZW.js.map → chunk-QWWZ5CAQ.js.map} +0 -0

package/src/services/EventService.ts CHANGED Viewed

@@ -16,6 +16,9 @@ import { Organisation } from '../types/organisation';
 import { assertOrganisationId } from '../types/core';
 import { logger } from '../utils/core/logger';
 import { secureStorage } from '../utils/security/secureStorage';
+import { isSuperAdmin, getAppConfigByName } from '../rbac/api';
+import type { UUID } from '../rbac/types';
+import type { AppConfig } from '../rbac/utils/contextValidator';
 export class EventService extends BaseService implements IEventService {
   private events: Event[] = [];
@@ -30,6 +33,8 @@ export class EventService extends BaseService implements IEventService {
   private appName: string = '';
   private selectedOrganisation: Organisation | null = null;
   private setSelectedEventId: ((eventId: string | null) => void) | null = null;
+  private isSuperAdmin: boolean = false; // Track super admin status for conditional validation
+  private appConfig: AppConfig | null = null; // Cache app config to avoid repeated lookups
   // Internal state management
   private isInitializedRef = false;
@@ -76,6 +81,7 @@ export class EventService extends BaseService implements IEventService {
     const newOrgId = selectedOrganisation?.id;
     const previousUserId = this.user?.id || null;
     const newUserId = user?.id || null;
+    const previousAppName = this.appName;
     // If user changed, clear previous user's event selection from storage
     if (previousUserId !== newUserId) {
@@ -87,6 +93,10 @@ export class EventService extends BaseService implements IEventService {
         this.selectedEvent = null;
         this.setSelectedEventId?.(null);
       }
+      // Reset initialization when user changes
+      this.resetInitialization();
+      this.isInitializedRef = false;
+      this.isFetchingRef = false;
     }
     this.supabaseClient = supabaseClient;
@@ -96,8 +106,31 @@ export class EventService extends BaseService implements IEventService {
     this.selectedOrganisation = selectedOrganisation;
     this.setSelectedEventId = setSelectedEventId;
-    // If organisation changed (from null to value, or different org), reset initialization
-    // This ensures events are re-fetched when organisation context becomes available
+    // Clear app config cache when app name changes
+    if (previousAppName !== appName) {
+      this.appConfig = null;
+    }
+    // Update super admin status when user changes
+    // This allows super admins to select events from any organisation
+    if (user?.id) {
+      try {
+        this.isSuperAdmin = await isSuperAdmin(user.id as UUID);
+        logger.debug('EventService', 'Updated super admin status', {
+          userId: user.id,
+          isSuperAdmin: this.isSuperAdmin
+        });
+      } catch (error) {
+        logger.warn('EventService', 'Failed to check super admin status', { error });
+        this.isSuperAdmin = false; // Default to false on error
+      }
+    } else {
+      this.isSuperAdmin = false;
+    }
+    // If organisation changed (from null to value, or different org, or value to null), reset initialization
+    // This ensures events are re-fetched when organisation context changes
+    // For event-required apps, selectedOrganisation will be null, so we need to reset when it changes from undefined/null to null
     if (previousOrgId !== newOrgId) {
       this.resetInitialization(); // Reset BaseService's isInitialized flag
       this.isInitializedRef = false;
@@ -138,20 +171,9 @@ export class EventService extends BaseService implements IEventService {
   // Event methods
   setSelectedEvent(event: Event | null): void {
     if (event) {
-      // SECURITY: Validate event belongs to current organisation
-      try {
-        if (this.selectedOrganisation && event.organisation_id !== this.selectedOrganisation.id) {
-          logger.error('EventService', 'Event organisation_id does not match selected organisation', {
-            eventOrganisationId: event.organisation_id,
-            selectedOrganisationId: this.selectedOrganisation.id,
-            eventName: event.event_name
-          });
-          return;
-        }
-      } catch (error) {
-        logger.error('EventService', 'Error during event validation:', error);
-      }
+      // No validation needed: For event-required apps, org is derived from event
+      // For org-required apps, event is optional and doesn't need validation
+      // RLS policies handle security at the database level
       this.selectedEvent = event;
       this.setSelectedEventId?.(event.event_id);
       // Persist asynchronously (don't await to avoid blocking)
@@ -286,6 +308,12 @@ export class EventService extends BaseService implements IEventService {
   async initialize(): Promise<void> {
     // Only call super.initialize() which will call doInitialize() and fetchEvents()
     // Don't call fetchEvents() again here to avoid double-fetching
+    logger.debug('EventService', 'initialize() called', {
+      isInitializedRef: this.isInitializedRef,
+      hasUser: !!this.user,
+      hasSession: !!this.session,
+      appName: this.appName
+    });
     await super.initialize();
   }
@@ -294,13 +322,23 @@ export class EventService extends BaseService implements IEventService {
   }
   protected async doInitialize(): Promise<void> {
+    logger.debug('EventService', 'doInitialize() called', {
+      isInitializedRef: this.isInitializedRef,
+      isFetchingRef: this.isFetchingRef,
+      hasUser: !!this.user,
+      hasSession: !!this.session,
+      appName: this.appName
+    });
     // Skip if already initialized
     if (this.isInitializedRef) {
+      logger.debug('EventService', 'Skipping initialization - already initialized');
       return;
     }
     // Skip if already fetching
     if (this.isFetchingRef) {
+      logger.debug('EventService', 'Skipping initialization - already fetching');
       return;
     }
@@ -313,13 +351,25 @@ export class EventService extends BaseService implements IEventService {
       logger.warn('EventService', 'Failed to clean up old storage keys:', error);
     }
-    // Skip if no user or organisation
-    if (!this.user || !this.selectedOrganisation) {
+    // Skip if no user
+    // For event-required apps, selectedOrganisation may be null (org derived from event)
+    // For org-required apps, selectedOrganisation is required
+    if (!this.user) {
+      logger.debug('EventService', 'Skipping initialization - missing user');
       return;
     }
+    logger.debug('EventService', 'Initializing - fetching events', {
+      userId: this.user.id,
+      organisationId: this.selectedOrganisation?.id || 'derived-from-event',
+      appName: this.appName
+    });
     // Initial setup - fetch events on initialization
     await this.fetchEvents(false);
+    // Mark as initialized after successful fetch
+    this.isInitializedRef = true;
   }
   protected doCleanup(): void {
@@ -327,7 +377,15 @@ export class EventService extends BaseService implements IEventService {
   }
   private async fetchEvents(skipLoadPersisted: boolean = false): Promise<void> {
-    if (!this.user || !this.session || !this.supabaseClient || !this.appName || !this.selectedOrganisation) {
+    // For event-required apps, selectedOrganisation may be null (org derived from event)
+    // For org-required apps, selectedOrganisation is required
+    if (!this.user || !this.session || !this.supabaseClient || !this.appName) {
+      logger.debug('EventService', 'Skipping fetchEvents - missing dependencies', {
+        hasUser: !!this.user,
+        hasSession: !!this.session,
+        hasSupabaseClient: !!this.supabaseClient,
+        appName: this.appName
+      });
       // Already false from initialization, just notify
       this.notify();
       return;
@@ -339,6 +397,7 @@ export class EventService extends BaseService implements IEventService {
     // Prevent multiple simultaneous fetches
     if (this.isFetchingRef) {
+      logger.debug('EventService', 'Skipping fetchEvents - already fetching');
       return;
     }
@@ -346,12 +405,97 @@ export class EventService extends BaseService implements IEventService {
     let isMounted = true;
     try {
+      // Load app config if not already cached (only once per app)
+      if (!this.appConfig && this.appName) {
+        try {
+          this.appConfig = await getAppConfigByName(this.appName);
+        } catch (configError) {
+          logger.warn('EventService', 'Failed to load app config, defaulting to event-required', {
+            error: configError
+          });
+          // Default to event-required for safety
+          this.appConfig = { requires_event: true };
+        }
+      }
+      // Determine organisationId for RPC call
+      // For event-required apps: org is derived from selectedEvent (if available), or null to get all accessible events
+      // For org-required apps: org comes from selectedOrganisation
+      // Super admins: pass null to see all events
+      let organisationIdForRpc: string | null = null;
+      // Check if user is super admin first
+      let userIsSuperAdmin = false;
+      try {
+        userIsSuperAdmin = await isSuperAdmin(this.user.id as UUID);
+        if (userIsSuperAdmin) {
+          // Super admin: Pass null to see all events across all organisations
+          organisationIdForRpc = null;
+          logger.debug('EventService', 'Super admin detected - fetching all events', {
+            userId: this.user.id
+          });
+        } else {
+          // Not super admin: determine org from context based on app type
+          if (this.selectedEvent) {
+            // If event is already selected, use its organisation
+            organisationIdForRpc = this.selectedEvent.organisation_id;
+          } else if (this.appConfig?.requires_event === true) {
+            // Event-required app with no selected event yet: pass null to get all accessible events
+            // The RPC will filter by event app roles, returning all events the user has access to
+            organisationIdForRpc = null;
+            logger.debug('EventService', 'Event-required app: fetching all accessible events (no event selected yet)', {
+              userId: this.user.id,
+              appName: this.appName
+            });
+          } else if (this.selectedOrganisation) {
+            // Org-required app: use selected organisation
+            organisationIdForRpc = this.selectedOrganisation.id;
+          } else {
+            // No context available - this shouldn't happen for authenticated users
+            logger.warn('EventService', 'No organisation context available for event fetch', {
+              hasSelectedEvent: !!this.selectedEvent,
+              hasSelectedOrganisation: !!this.selectedOrganisation,
+              appRequiresEvent: this.appConfig?.requires_event
+            });
+            organisationIdForRpc = null; // Will return empty list
+          }
+        }
+      } catch (superAdminCheckError) {
+        // If super admin check fails, fall back to organisation-scoped query
+        logger.warn('EventService', 'Failed to check super admin status, using organisation-scoped query', {
+          error: superAdminCheckError
+        });
+        // Fallback: use available context
+        if (this.selectedEvent) {
+          organisationIdForRpc = this.selectedEvent.organisation_id;
+        } else if (this.appConfig?.requires_event === true) {
+          // Event-required app: pass null to get all accessible events
+          organisationIdForRpc = null;
+        } else if (this.selectedOrganisation) {
+          organisationIdForRpc = this.selectedOrganisation.id;
+        }
+      }
+      logger.debug('EventService', 'Fetching events via RPC', {
+        userId: this.user.id,
+        organisationId: organisationIdForRpc,
+        appName: this.appName
+      });
       // Call the RPC function following the established pattern
-      const { data, error: rpcError } = await this.supabaseClient.rpc('data_user_events_get', {
+      // For super admins, pass null for p_organisation_id to see all events
+      let { data, error: rpcError } = await this.supabaseClient.rpc('data_user_events_get', {
         p_user_id: this.user.id,
-        p_organisation_id: this.selectedOrganisation.id,
+        p_organisation_id: organisationIdForRpc,
         p_app_name: this.appName
       });
+      logger.debug('EventService', 'RPC response received', {
+        hasData: !!data,
+        dataLength: Array.isArray(data) ? data.length : 'not array',
+        hasError: !!rpcError,
+        error: rpcError
+      });
       if (rpcError) {
         logger.error('EventService', 'RPC error fetching events:', rpcError);

package/src/services/OrganisationService.ts CHANGED Viewed

@@ -27,6 +27,15 @@ interface OrganisationRoleRpcResponse {
   organisation_id: string;
   role: 'org_admin' | 'leader' | 'member' | 'supporter';
   status: 'active' | 'inactive' | 'suspended';
+  // Organisation fields from RPC
+  name?: string;
+  display_name?: string;
+  subscription_tier?: string;
+  settings?: unknown;
+  is_active?: boolean;
+  parent_id?: string;
+  organisation_created_at?: string;
+  organisation_updated_at?: string;
   [key: string]: unknown;
 }
@@ -71,6 +80,21 @@ export class OrganisationService extends BaseService implements IOrganisationSer
   // Additional methods for testing
   setSelectedOrganisation(organisation: Organisation | null): void {
+    // SECURITY: Validate organisation is in user's accessible organisations (only if orgs are loaded)
+    if (organisation && this._organisations.length > 0) {
+      const isValidOrg = this._organisations.some(org => org.id === organisation.id);
+      if (!isValidOrg) {
+        logger.warn('OrganisationService', 'Attempted to set invalid organisation - not in user\'s accessible organisations', {
+          organisationId: organisation.id,
+          organisationName: organisation.name,
+          accessibleOrgIds: this._organisations.map(o => o.id)
+        });
+        // Don't set invalid organisation - this prevents security issues
+        // If organisations haven't loaded yet, validation will happen in loadUserOrganisations()
+        return;
+      }
+    }
     this._selectedOrganisation = organisation;
     if (organisation) {
       localStorage.setItem('pace-core-selected-organisation', JSON.stringify(organisation));
@@ -343,159 +367,106 @@ export class OrganisationService extends BaseService implements IOrganisationSer
     this.notify();
     try {
-      // Get user's organisation memberships using secure RPC function
-      // Include all roles (org_admin, leader, member, supporter) - supporters can access PORTAL
-      let memberships, membershipError;
+      // Get user's organisation roles directly from rbac_organisation_roles table
+      // This queries the source table directly instead of using the RPC which filters to match core_organisation_memberships view
+      // We still filter to active, non-revoked roles for the org selector
+      // The join includes organisation data, so we don't need a separate query that might be filtered by RLS
+      let memberships, membershipError, organisations: Organisation[] = [];
       try {
-        // Add timeout and abort signal to prevent hanging RPC calls
-        const timeoutPromise = new Promise((_, reject) => {
-          const timeoutId = setTimeout(() => reject(new Error('RPC call timeout after 10 seconds')), 10000);
-          abortSignal.addEventListener('abort', () => {
-            clearTimeout(timeoutId);
-            reject(new Error('Request aborted'));
-          });
-        });
-        const rpcPromise = this.supabaseClient.rpc('data_user_organisation_roles_get', {
-          p_user_id: this.user.id,
-          p_organisation_id: null
-        });
-        // Check if request was aborted before making the call
+        // Check if request was aborted before making query
         if (abortSignal.aborted) {
           throw new Error('Request aborted');
         }
+        const { data: rolesData, error: rolesError } = await this.supabaseClient
+          .from('rbac_organisation_roles')
+          .select(`
+            id,
+            user_id,
+            organisation_id,
+            role,
+            status,
+            granted_at,
+            granted_by,
+            revoked_at,
+            revoked_by,
+            notes,
+            created_at,
+            updated_at,
+            core_organisations!inner(
+              id,
+              name,
+              display_name,
+              subscription_tier,
+              settings,
+              is_active,
+              parent_id,
+              created_at,
+              updated_at
+            )
+          `)
+          .eq('user_id', this.user.id)
+          .eq('status', 'active')
+          .is('revoked_at', null);
-        const result = await Promise.race([rpcPromise, timeoutPromise]) as { data: OrganisationRoleRpcResponse[] | null; error: Error | null };
+        if (rolesError) {
+          logger.error("OrganisationService", "Error loading organisation roles:", rolesError);
+          throw rolesError;
+        }
-        // Filter to organisation members (org_admin, leader, member, supporter)
-        // Supporters are included to allow PORTAL access
-        // Map to branded types when filtering
-        memberships = result.data?.filter((role) =>
-          ['org_admin', 'leader', 'member', 'supporter'].includes(role.role)
-        ).map((m) => ({
+        // Map to branded types and extract organisation data from the join
+        // The join already includes organisation data, so we don't need a separate query
+        memberships = rolesData?.map((m) => ({
           ...m,
           user_id: assertUserId(m.user_id),
           organisation_id: assertOrganisationId(m.organisation_id),
         })) || [];
-        membershipError = result.error;
-      } catch (queryError) {
-        membershipError = queryError instanceof Error ? queryError : new Error(String(queryError));
-      }
-      if (membershipError) {
-        logger.error("OrganisationService", "Error loading memberships:", membershipError);
-        // If RPC fails with timeout, try direct database query as fallback
-        if (membershipError.message?.includes('timeout')) {
-          try {
-            // Check if request was aborted before making fallback query
-            if (abortSignal.aborted) {
-              throw new Error('Request aborted');
-            }
-            const { data: fallbackData, error: fallbackError } = await this.supabaseClient
-              .from('rbac_organisation_roles')
-              .select(`
-                id,
-                user_id,
-                organisation_id,
-                role,
-                status,
-                granted_at,
-                granted_by,
-                revoked_at,
-                revoked_by,
-                notes,
-                created_at,
-                updated_at,
-                organisations!inner(
-                  id,
-                  name,
-                  display_name,
-                  subscription_tier,
-                  settings,
-                  is_active,
-                  parent_id,
-                  created_at,
-                  updated_at
-                )
-              `)
-              .eq('user_id', this.user.id)
-              .eq('status', 'active')
-              .is('revoked_at', null)
-              .in('role', ['org_admin', 'leader', 'member', 'supporter']);
-            if (fallbackError) {
-              logger.error("OrganisationService", "Fallback query also failed:", fallbackError);
-              throw membershipError; // Throw original error
-            }
-            // Map to branded types
-            memberships = fallbackData?.map((m) => ({
-              ...m,
-              user_id: assertUserId(m.user_id),
-              organisation_id: assertOrganisationId(m.organisation_id),
-            })) || [];
-            membershipError = null;
-          } catch (fallbackErr) {
-            logger.error("OrganisationService", "Fallback query failed:", fallbackErr);
-            throw membershipError; // Throw original error
+        // Extract unique organisations from the join results
+        // Use a Map to deduplicate by organisation ID
+        // Supabase returns joined data nested under the relation name
+        const organisationsMap = new Map<string, Organisation>();
+        rolesData?.forEach((role: any) => {
+          // The join returns organisation data nested under 'core_organisations' key
+          const orgData = role.core_organisations;
+          if (orgData && role.organisation_id && !organisationsMap.has(role.organisation_id)) {
+            organisationsMap.set(role.organisation_id, {
+              id: orgData.id,
+              name: orgData.name,
+              display_name: orgData.display_name,
+              subscription_tier: orgData.subscription_tier,
+              settings: orgData.settings,
+              is_active: orgData.is_active,
+              parent_id: orgData.parent_id,
+              created_at: orgData.created_at,
+              updated_at: orgData.updated_at,
+            } as Organisation);
           }
+        });
+        organisations = Array.from(organisationsMap.values());
+        // Extract organisations from join results
+      } catch (queryError) {
+        // Extract error message properly from Supabase error objects
+        if (queryError instanceof Error) {
+          membershipError = queryError;
+        } else if (queryError && typeof queryError === 'object' && 'message' in queryError) {
+          membershipError = new Error(String((queryError as any).message));
         } else {
-          throw membershipError;
+          membershipError = new Error(String(queryError));
         }
+        logger.error("OrganisationService", "Error loading organisation roles:", membershipError);
+        throw membershipError;
       }
       if (!memberships || memberships.length === 0) {
         throw new Error('User has no active organisation memberships') as OrganisationSecurityError;
       }
-      // Get organisation details for the memberships
-      const organisationIds = memberships
-        .map((m) => m.organisation_id)
-        .filter((id: string) => {
-          // Better validation to prevent empty string UUID errors
-          if (!id || typeof id !== 'string') {
-            logger.warn("OrganisationService", "Invalid organisation ID (not string):", id);
-            return false;
-          }
-          const trimmedId = id.trim();
-          if (trimmedId === '') {
-            logger.warn("OrganisationService", "Empty organisation ID found");
-            return false;
-          }
-          // Validate UUID format
-          const isValidUuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(trimmedId);
-          if (!isValidUuid) {
-            logger.warn("OrganisationService", "Invalid UUID format:", trimmedId);
-          }
-          return isValidUuid;
-        });
-      if (organisationIds.length === 0) {
-        logger.warn("OrganisationService", "No valid organisation IDs found in memberships:", memberships);
-        throw new Error('No valid organisation IDs found in memberships') as OrganisationSecurityError;
-      }
-      // Check if request was aborted before making organisations query
-      if (abortSignal.aborted) {
-        throw new Error('Request aborted');
-      }
-      const { data: allOrganisations, error: orgError } = await this.supabaseClient
-        .from('organisations')
-        .select('id, name, display_name, subscription_tier, settings, is_active, parent_id, created_at, updated_at');
-      if (orgError) {
-        logger.error("OrganisationService", "Error loading organisations:", orgError);
-        throw orgError;
+      if (!organisations || organisations.length === 0) {
+        throw new Error('No organisations found in role data') as OrganisationSecurityError;
       }
-      // Filter manually on the client side
-      const organisations = allOrganisations?.filter(org =>
-        organisationIds.includes(org.id)
-      ) || [];
       // Create a map of organisation_id to role from the memberships data
       const roleMap = new Map<string, string>();
@@ -507,6 +478,8 @@ export class OrganisationService extends BaseService implements IOrganisationSer
       const orgs = organisations as Organisation[];
       const activeOrgs = orgs.filter(org => org.is_active);
+      // Filter to active organisations only
       if (activeOrgs.length === 0) {
         throw new Error('User has no access to active organisations') as OrganisationSecurityError;
       }
@@ -534,16 +507,13 @@ export class OrganisationService extends BaseService implements IOrganisationSer
               initialOrg = validPersistedOrg;
               selectionMethod = 'persisted';
             } else {
-              logger.warn("OrganisationService", "Persisted organisation not found in active orgs, clearing cache");
               localStorage.removeItem('pace-core-selected-organisation');
             }
           } else {
-            logger.warn("OrganisationService", "Invalid persisted organisation ID, clearing cache");
             localStorage.removeItem('pace-core-selected-organisation');
           }
         }
       } catch (storageError) {
-        logger.warn("OrganisationService", "Failed to restore persisted organisation:", storageError);
         // Clear potentially corrupted cache
         localStorage.removeItem('pace-core-selected-organisation');
       }
@@ -570,6 +540,16 @@ export class OrganisationService extends BaseService implements IOrganisationSer
         throw new Error('No valid organisation found for user') as OrganisationSecurityError;
       }
+      // SECURITY: Validate current selected organisation is still valid (in case it was set before orgs loaded)
+      const currentSelectedOrg = this._selectedOrganisation;
+      if (currentSelectedOrg && !activeOrgs.some(org => org.id === currentSelectedOrg.id)) {
+        logger.warn('OrganisationService', 'Current selected organisation is no longer valid, resetting', {
+          invalidOrgId: currentSelectedOrg.id,
+          validOrgIds: activeOrgs.map(o => o.id)
+        });
+        this._selectedOrganisation = null;
+      }
       this._selectedOrganisation = initialOrg;
       // Persist selection
@@ -583,14 +563,22 @@ export class OrganisationService extends BaseService implements IOrganisationSer
       this.hasFailedRef = false;
     } catch (err) {
-      logger.error("OrganisationService", "Failed to load organisations:", err);
-      this._error = err as Error;
+      const error = err as Error;
+      // "User has no access to active organisations" is a valid state for users without orgs (e.g., profile pages)
+      // Only log actual errors, not expected states
+      if (error.message !== 'User has no access to active organisations') {
+        logger.error("OrganisationService", "Failed to load organisations:", err);
+      }
+      this._error = error;
       // Increment retry count on error
       this.retryCount = this.retryCount + 1;
       // Set failed flag to prevent further attempts
       this.hasFailedRef = true;
       // Clear all cached data on error to prevent corruption
       this.clearAllCachedData();
+      // Mark context as ready even on error - this allows the app to proceed
+      // The app can check hasValidOrganisationContext() to determine if org context is available
+      this._isContextReady = true;
     } finally {
       // Always cleanup refs and abort controller
       this.isLoadingRef = false;