npm - @jmruthers/pace-core - Versions diffs - 0.5.190 → 0.5.193 - Mend

@jmruthers/pace-core 0.5.190 → 0.5.193

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (334) hide show

package/dist/{AuthService-CbP_utw2.d.ts → AuthService-DjnJHDtC.d.ts} +1 -0
package/dist/{DataTable-ON3IXISJ.js → DataTable-5FU7IESH.js} +7 -6
package/dist/{DataTable-IVYljGJ6.d.ts → DataTable-Be6dH_dR.d.ts} +1 -1
package/dist/{PublicPageProvider-C4uxosp6.d.ts → PublicPageProvider-C0Sm_e5k.d.ts} +4 -2
package/dist/{UnifiedAuthProvider-BYA9qB-o.d.ts → UnifiedAuthProvider-185Ih4dj.d.ts} +2 -0
package/dist/{UnifiedAuthProvider-X5NXANVI.js → UnifiedAuthProvider-RGJTDE2C.js} +3 -3
package/dist/{api-I6UCQ5S6.js → api-N774RPUA.js} +2 -2
package/dist/chunk-6C4YBBJM 5.js +628 -0
package/dist/chunk-7D4SUZUM.js 2.map +1 -0
package/dist/{chunk-73HSNNOQ.js → chunk-7EQTDTTJ.js} +47 -74
package/dist/chunk-7EQTDTTJ.js 2.map +1 -0
package/dist/chunk-7EQTDTTJ.js.map +1 -0
package/dist/{chunk-J2XXC7R5.js → chunk-7FLMSG37.js} +409 -244
package/dist/chunk-7FLMSG37.js 2.map +1 -0
package/dist/chunk-7FLMSG37.js.map +1 -0
package/dist/{chunk-NIU6J6OX.js → chunk-BC4IJKSL.js} +23 -32
package/dist/chunk-BC4IJKSL.js.map +1 -0
package/dist/{chunk-SDMHPX3X.js → chunk-E3SPN4VZ 5.js } +198 -53
package/dist/chunk-E3SPN4VZ.js +12917 -0
package/dist/{chunk-SDMHPX3X.js.map → chunk-E3SPN4VZ.js.map} +1 -1
package/dist/chunk-E66EQZE6 5.js +37 -0
package/dist/chunk-E66EQZE6.js 2.map +1 -0
package/dist/{chunk-DZWK57KZ.js → chunk-G37KK66H.js} +1 -1
package/dist/{chunk-DZWK57KZ.js.map → chunk-G37KK66H.js.map} +1 -1
package/dist/{chunk-STYK4OH2.js → chunk-HWIIPPNI.js} +44 -225
package/dist/chunk-HWIIPPNI.js.map +1 -0
package/dist/chunk-I7PSE6JW 5.js +191 -0
package/dist/chunk-I7PSE6JW.js 2.map +1 -0
package/dist/{chunk-Y4BUBBHD.js → chunk-IIELH4DL.js} +211 -136
package/dist/chunk-IIELH4DL.js.map +1 -0
package/dist/{chunk-RUYZKXOD.js → chunk-KNC55RTG.js} +17 -5
package/dist/chunk-KNC55RTG.js 5.map +1 -0
package/dist/chunk-KNC55RTG.js.map +1 -0
package/dist/chunk-KQCRWDSA.js 5.map +1 -0
package/dist/{chunk-4QYC5L4K.js → chunk-LFNCN2SP.js} +26 -30
package/dist/chunk-LFNCN2SP.js 2.map +1 -0
package/dist/chunk-LFNCN2SP.js.map +1 -0
package/dist/chunk-LMC26NLJ 2.js +84 -0
package/dist/{chunk-VVBAW5A5.js → chunk-NOAYCWCX 5.js } +118 -110
package/dist/chunk-NOAYCWCX.js +4993 -0
package/dist/chunk-NOAYCWCX.js.map +1 -0
package/dist/chunk-QWWZ5CAQ.js 3.map +1 -0
package/dist/chunk-QXHPKYJV 3.js +113 -0
package/dist/chunk-R77UEZ4E 3.js +68 -0
package/dist/chunk-VBXEHIUJ.js 6.map +1 -0
package/dist/{chunk-HQVPB5MZ.js → chunk-XNXXZ43G.js} +77 -33
package/dist/chunk-XNXXZ43G.js.map +1 -0
package/dist/chunk-ZSAAAMVR 6.js +25 -0
package/dist/components.d.ts +4 -4
package/dist/components.js +8 -8
package/dist/components.js 5.map +1 -0
package/dist/{database.generated-DI89OQeI.d.ts → database.generated-CzIvgcPu.d.ts} +165 -201
package/dist/hooks.d.ts +12 -12
package/dist/hooks.js +9 -9
package/dist/index.d.ts +11 -11
package/dist/index.js +20 -27
package/dist/index.js.map +1 -1
package/dist/providers.d.ts +3 -3
package/dist/providers.js +2 -2
package/dist/rbac/index.d.ts +2 -20
package/dist/rbac/index.js +7 -9
package/dist/styles/index 2.js +12 -0
package/dist/styles/index.js 5.map +1 -0
package/dist/theming/runtime 5.js +19 -0
package/dist/theming/runtime.js 5.map +1 -0
package/dist/{types-Bwgl--Xo.d.ts → types-CEpcvwwF.d.ts} +1 -1
package/dist/types.d.ts +2 -2
package/dist/{usePublicRouteParams-DxIDS4bC.d.ts → usePublicRouteParams-TZe0gy-4.d.ts} +1 -1
package/dist/utils.d.ts +8 -8
package/dist/utils.js +2 -2
package/docs/api/classes/ColumnFactory.md +1 -1
package/docs/api/classes/ErrorBoundary.md +1 -1
package/docs/api/classes/InvalidScopeError.md +1 -1
package/docs/api/classes/Logger.md +1 -1
package/docs/api/classes/MissingUserContextError.md +1 -1
package/docs/api/classes/OrganisationContextRequiredError.md +1 -1
package/docs/api/classes/PermissionDeniedError.md +2 -2
package/docs/api/classes/RBACAuditManager.md +2 -2
package/docs/api/classes/RBACCache.md +1 -1
package/docs/api/classes/RBACEngine.md +2 -2
package/docs/api/classes/RBACError.md +1 -1
package/docs/api/classes/RBACNotInitializedError.md +1 -1
package/docs/api/classes/SecureSupabaseClient.md +10 -10
package/docs/api/classes/StorageUtils.md +1 -1
package/docs/api/enums/FileCategory.md +1 -1
package/docs/api/enums/LogLevel.md +1 -1
package/docs/api/enums/RBACErrorCode.md +1 -1
package/docs/api/enums/RPCFunction.md +1 -1
package/docs/api/interfaces/AddressFieldProps.md +1 -1
package/docs/api/interfaces/AddressFieldRef.md +1 -1
package/docs/api/interfaces/AggregateConfig.md +1 -1
package/docs/api/interfaces/AutocompleteOptions.md +1 -1
package/docs/api/interfaces/AvatarProps.md +1 -1
package/docs/api/interfaces/BadgeProps.md +1 -1
package/docs/api/interfaces/ButtonProps.md +1 -1
package/docs/api/interfaces/CalendarProps.md +1 -1
package/docs/api/interfaces/CardProps.md +1 -1
package/docs/api/interfaces/ColorPalette.md +1 -1
package/docs/api/interfaces/ColorShade.md +1 -1
package/docs/api/interfaces/ComplianceResult.md +1 -1
package/docs/api/interfaces/DataAccessRecord.md +1 -1
package/docs/api/interfaces/DataRecord.md +1 -1
package/docs/api/interfaces/DataTableAction.md +1 -1
package/docs/api/interfaces/DataTableColumn.md +1 -1
package/docs/api/interfaces/DataTableProps.md +1 -1
package/docs/api/interfaces/DataTableToolbarButton.md +1 -1
package/docs/api/interfaces/DatabaseComplianceResult.md +1 -1
package/docs/api/interfaces/DatabaseIssue.md +1 -1
package/docs/api/interfaces/EmptyStateConfig.md +1 -1
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +1 -1
package/docs/api/interfaces/EventAppRoleData.md +1 -1
package/docs/api/interfaces/ExportColumn.md +1 -1
package/docs/api/interfaces/ExportOptions.md +1 -1
package/docs/api/interfaces/FileDisplayProps.md +24 -11
package/docs/api/interfaces/FileMetadata.md +1 -1
package/docs/api/interfaces/FileReference.md +1 -1
package/docs/api/interfaces/FileSizeLimits.md +1 -1
package/docs/api/interfaces/FileUploadOptions.md +1 -1
package/docs/api/interfaces/FileUploadProps.md +1 -1
package/docs/api/interfaces/FooterProps.md +1 -1
package/docs/api/interfaces/FormFieldProps.md +1 -1
package/docs/api/interfaces/FormProps.md +1 -1
package/docs/api/interfaces/GrantEventAppRoleParams.md +1 -1
package/docs/api/interfaces/InactivityWarningModalProps.md +1 -1
package/docs/api/interfaces/InputProps.md +1 -1
package/docs/api/interfaces/LabelProps.md +1 -1
package/docs/api/interfaces/LoggerConfig.md +1 -1
package/docs/api/interfaces/LoginFormProps.md +1 -1
package/docs/api/interfaces/NavigationAccessRecord.md +2 -2
package/docs/api/interfaces/NavigationContextType.md +1 -1
package/docs/api/interfaces/NavigationGuardProps.md +1 -1
package/docs/api/interfaces/NavigationItem.md +1 -1
package/docs/api/interfaces/NavigationMenuProps.md +1 -1
package/docs/api/interfaces/NavigationProviderProps.md +1 -1
package/docs/api/interfaces/Organisation.md +1 -1
package/docs/api/interfaces/OrganisationContextType.md +1 -1
package/docs/api/interfaces/OrganisationMembership.md +1 -1
package/docs/api/interfaces/OrganisationProviderProps.md +1 -1
package/docs/api/interfaces/OrganisationSecurityError.md +1 -1
package/docs/api/interfaces/PaceAppLayoutProps.md +1 -1
package/docs/api/interfaces/PaceLoginPageProps.md +1 -1
package/docs/api/interfaces/PageAccessRecord.md +1 -1
package/docs/api/interfaces/PagePermissionContextType.md +1 -1
package/docs/api/interfaces/PagePermissionGuardProps.md +2 -2
package/docs/api/interfaces/PagePermissionProviderProps.md +1 -1
package/docs/api/interfaces/PaletteData.md +1 -1
package/docs/api/interfaces/ParsedAddress.md +2 -2
package/docs/api/interfaces/PermissionEnforcerProps.md +4 -4
package/docs/api/interfaces/ProgressProps.md +1 -1
package/docs/api/interfaces/ProtectedRouteProps.md +1 -1
package/docs/api/interfaces/PublicPageFooterProps.md +1 -1
package/docs/api/interfaces/PublicPageHeaderProps.md +1 -1
package/docs/api/interfaces/PublicPageLayoutProps.md +1 -1
package/docs/api/interfaces/QuickFix.md +1 -1
package/docs/api/interfaces/RBACAccessValidateParams.md +1 -1
package/docs/api/interfaces/RBACAccessValidateResult.md +1 -1
package/docs/api/interfaces/RBACAuditLogParams.md +1 -1
package/docs/api/interfaces/RBACAuditLogResult.md +1 -1
package/docs/api/interfaces/RBACConfig.md +2 -2
package/docs/api/interfaces/RBACContext.md +1 -1
package/docs/api/interfaces/RBACLogger.md +1 -1
package/docs/api/interfaces/RBACPageAccessCheckParams.md +1 -1
package/docs/api/interfaces/RBACPerformanceMetrics.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckParams.md +1 -1
package/docs/api/interfaces/RBACPermissionCheckResult.md +2 -2
package/docs/api/interfaces/RBACPermissionsGetParams.md +1 -1
package/docs/api/interfaces/RBACPermissionsGetResult.md +1 -1
package/docs/api/interfaces/RBACResult.md +1 -1
package/docs/api/interfaces/RBACRoleGrantParams.md +2 -2
package/docs/api/interfaces/RBACRoleGrantResult.md +1 -1
package/docs/api/interfaces/RBACRoleRevokeParams.md +2 -2
package/docs/api/interfaces/RBACRoleRevokeResult.md +1 -1
package/docs/api/interfaces/RBACRoleValidateParams.md +2 -2
package/docs/api/interfaces/RBACRoleValidateResult.md +1 -1
package/docs/api/interfaces/RBACRolesListParams.md +1 -1
package/docs/api/interfaces/RBACRolesListResult.md +2 -2
package/docs/api/interfaces/RBACSessionTrackParams.md +1 -1
package/docs/api/interfaces/RBACSessionTrackResult.md +1 -1
package/docs/api/interfaces/ResourcePermissions.md +1 -1
package/docs/api/interfaces/RevokeEventAppRoleParams.md +1 -1
package/docs/api/interfaces/RoleBasedRouterContextType.md +1 -1
package/docs/api/interfaces/RoleBasedRouterProps.md +1 -1
package/docs/api/interfaces/RoleManagementResult.md +1 -1
package/docs/api/interfaces/RouteAccessRecord.md +2 -2
package/docs/api/interfaces/RouteConfig.md +2 -2
package/docs/api/interfaces/RuntimeComplianceResult.md +1 -1
package/docs/api/interfaces/SecureDataContextType.md +1 -1
package/docs/api/interfaces/SecureDataProviderProps.md +1 -1
package/docs/api/interfaces/SessionRestorationLoaderProps.md +1 -1
package/docs/api/interfaces/SetupIssue.md +1 -1
package/docs/api/interfaces/StorageConfig.md +1 -1
package/docs/api/interfaces/StorageFileInfo.md +1 -1
package/docs/api/interfaces/StorageFileMetadata.md +1 -1
package/docs/api/interfaces/StorageListOptions.md +1 -1
package/docs/api/interfaces/StorageListResult.md +1 -1
package/docs/api/interfaces/StorageUploadOptions.md +1 -1
package/docs/api/interfaces/StorageUploadResult.md +1 -1
package/docs/api/interfaces/StorageUrlOptions.md +1 -1
package/docs/api/interfaces/StyleImport.md +1 -1
package/docs/api/interfaces/SwitchProps.md +1 -1
package/docs/api/interfaces/TabsContentProps.md +1 -1
package/docs/api/interfaces/TabsListProps.md +1 -1
package/docs/api/interfaces/TabsProps.md +1 -1
package/docs/api/interfaces/TabsTriggerProps.md +1 -1
package/docs/api/interfaces/TextareaProps.md +1 -1
package/docs/api/interfaces/ToastActionElement.md +1 -1
package/docs/api/interfaces/ToastProps.md +1 -1
package/docs/api/interfaces/UnifiedAuthContextType.md +60 -38
package/docs/api/interfaces/UnifiedAuthProviderProps.md +13 -13
package/docs/api/interfaces/UseFormDialogOptions.md +1 -1
package/docs/api/interfaces/UseFormDialogReturn.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerOptions.md +1 -1
package/docs/api/interfaces/UseInactivityTrackerReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventLogoOptions.md +2 -2
package/docs/api/interfaces/UsePublicEventLogoReturn.md +1 -1
package/docs/api/interfaces/UsePublicEventOptions.md +1 -1
package/docs/api/interfaces/UsePublicEventReturn.md +1 -1
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +2 -2
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +1 -1
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +1 -1
package/docs/api/interfaces/UseResolvedScopeOptions.md +2 -2
package/docs/api/interfaces/UseResolvedScopeReturn.md +1 -1
package/docs/api/interfaces/UseResourcePermissionsOptions.md +1 -1
package/docs/api/interfaces/UserEventAccess.md +1 -1
package/docs/api/interfaces/UserMenuProps.md +1 -1
package/docs/api/interfaces/UserProfile.md +1 -1
package/docs/api/modules.md +202 -217
package/docs/migration/README.md +18 -0
package/docs/migration/database-changes-december-2025.md +768 -0
package/docs/migration/person-scoped-profiles-migration-guide.md +472 -0
package/docs/rbac/event-based-apps.md +124 -6
package/package.json +1 -1
package/scripts/check-pace-core-compliance.cjs +292 -57
package/src/__tests__/public-recipe-view.test.ts +10 -10
package/src/__tests__/rls-policies.test.ts +16 -14
package/src/components/AddressField/README.md +6 -6
package/src/components/DataTable/__tests__/DataTable.default-state.test.tsx +172 -45
package/src/components/DataTable/__tests__/DataTable.grouping-aggregation.test.tsx +121 -28
package/src/components/DataTable/__tests__/DataTableCore.test-setup.ts +9 -8
package/src/components/DataTable/__tests__/DataTableCore.test.tsx +20 -52
package/src/components/DataTable/__tests__/a11y.basic.test.tsx +170 -34
package/src/components/DataTable/__tests__/keyboard.test.tsx +75 -12
package/src/components/DataTable/__tests__/pagination.modes.test.tsx +75 -11
package/src/components/DataTable/components/UnifiedTableBody.tsx +85 -14
package/src/components/DataTable/hooks/useDataTablePermissions.ts +75 -10
package/src/components/FileDisplay/FileDisplay.test.tsx +2 -1
package/src/components/FileDisplay/FileDisplay.tsx +16 -4
package/src/components/NavigationMenu/NavigationMenu.test.tsx +6 -4
package/src/components/NavigationMenu/NavigationMenu.tsx +1 -10
package/src/components/OrganisationSelector/OrganisationSelector.tsx +35 -16
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +25 -2
package/src/components/PaceAppLayout/PaceAppLayout.tsx +97 -68
package/src/components/PaceLoginPage/PaceLoginPage.tsx +0 -7
package/src/components/ProtectedRoute/ProtectedRoute.test.tsx +5 -9
package/src/components/ProtectedRoute/ProtectedRoute.tsx +0 -1
package/src/components/PublicLayout/PublicPageProvider.tsx +0 -1
package/src/components/Select/Select.test.tsx +4 -1
package/src/components/Select/Select.tsx +60 -15
package/src/hooks/__tests__/usePermissionCache.simple.test.ts +192 -0
package/src/hooks/__tests__/usePermissionCache.unit.test.ts +741 -0
package/src/hooks/__tests__/usePublicEvent.simple.test.ts +703 -0
package/src/hooks/__tests__/usePublicEvent.unit.test.ts +581 -0
package/src/hooks/__tests__/useSecureDataAccess.unit.test.tsx +23 -15
package/src/hooks/public/usePublicEvent.ts +8 -8
package/src/hooks/public/usePublicFileDisplay.ts +2 -2
package/src/hooks/services/useAuthService.ts +21 -3
package/src/hooks/services/useEventService.ts +21 -3
package/src/hooks/services/useInactivityService.ts +21 -3
package/src/hooks/services/useOrganisationService.ts +21 -3
package/src/hooks/useFileDisplay.ts +18 -26
package/src/hooks/useQueryCache.ts +6 -6
package/src/hooks/useSecureDataAccess.test.ts +24 -17
package/src/hooks/useSecureDataAccess.ts +18 -13
package/src/providers/__tests__/OrganisationProvider.test.tsx +27 -21
package/src/providers/services/EventServiceProvider.tsx +0 -8
package/src/providers/services/UnifiedAuthProvider.tsx +174 -24
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +10 -16
package/src/rbac/__tests__/isSuperAdmin.real.test.ts +82 -0
package/src/rbac/adapters.tsx +3 -22
package/src/rbac/api.test.ts +2 -2
package/src/rbac/api.ts +7 -1
package/src/rbac/components/EnhancedNavigationMenu.tsx +2 -15
package/src/rbac/components/NavigationGuard.tsx +1 -10
package/src/rbac/components/NavigationProvider.tsx +0 -1
package/src/rbac/components/PermissionEnforcer.tsx +45 -12
package/src/rbac/components/SecureDataProvider.tsx +0 -1
package/src/rbac/components/__tests__/EnhancedNavigationMenu.test.tsx +7 -43
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +4 -11
package/src/rbac/components/__tests__/NavigationProvider.test.tsx +3 -3
package/src/rbac/components/__tests__/SecureDataProvider.fixed.test.tsx +1 -1
package/src/rbac/components/__tests__/SecureDataProvider.test.tsx +1 -1
package/src/rbac/engine.ts +14 -2
package/src/rbac/hooks/index.ts +0 -3
package/src/rbac/hooks/usePermissions.ts +51 -11
package/src/rbac/hooks/useRBAC.simple.test.ts +95 -0
package/src/rbac/hooks/useRBAC.ts +3 -13
package/src/rbac/hooks/useResolvedScope.test.ts +75 -54
package/src/rbac/hooks/useResolvedScope.ts +58 -33
package/src/rbac/hooks/useSecureSupabase.ts +4 -9
package/src/rbac/secureClient.ts +31 -0
package/src/rbac/utils/__tests__/eventContext.test.ts +2 -2
package/src/rbac/utils/__tests__/eventContext.unit.test.ts +490 -0
package/src/rbac/utils/eventContext.ts +5 -2
package/src/services/AuthService.ts +37 -8
package/src/services/EventService.ts +4 -57
package/src/services/InactivityService.ts +127 -34
package/src/services/OrganisationService.ts +160 -149
package/src/services/__tests__/OrganisationService.pagination.test.ts +34 -8
package/src/services/__tests__/OrganisationService.test.ts +218 -86
package/src/types/database.generated.ts +166 -201
package/src/types/supabase.ts +2 -2
package/src/utils/__tests__/secureDataAccess.unit.test.ts +3 -2
package/src/utils/file-reference/index.ts +4 -4
package/src/utils/google-places/googlePlacesUtils.ts +1 -1
package/src/utils/google-places/types.ts +1 -1
package/src/utils/request-deduplication.ts +4 -4
package/src/utils/security/secureDataAccess.test.ts +1 -1
package/src/utils/security/secureDataAccess.ts +7 -4
package/src/utils/storage/README.md +1 -1
package/dist/chunk-4QYC5L4K.js.map +0 -1
package/dist/chunk-73HSNNOQ.js.map +0 -1
package/dist/chunk-HQVPB5MZ.js.map +0 -1
package/dist/chunk-J2XXC7R5.js.map +0 -1
package/dist/chunk-NIU6J6OX.js.map +0 -1
package/dist/chunk-RUYZKXOD.js.map +0 -1
package/dist/chunk-STYK4OH2.js.map +0 -1
package/dist/chunk-VVBAW5A5.js.map +0 -1
package/dist/chunk-Y4BUBBHD.js.map +0 -1
package/scripts/check-pace-core-compliance.js +0 -512
package/src/rbac/hooks/useSuperAdminBypass.ts +0 -126
package/src/utils/context/superAdminOverride.ts +0 -58
/package/dist/{DataTable-ON3IXISJ.js.map → DataTable-5FU7IESH.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-X5NXANVI.js.map → UnifiedAuthProvider-RGJTDE2C.js.map} +0 -0
/package/dist/{api-I6UCQ5S6.js.map → api-N774RPUA.js.map} +0 -0

package/src/services/OrganisationService.ts CHANGED Viewed

@@ -20,6 +20,8 @@ import type {
 import { setOrganisationContext } from '../utils/context/organisationContext';
 import { logger } from '../utils/core/logger';
 import { assertUserId, assertOrganisationId } from '../types/core';
+import { isSuperAdmin } from '../rbac/api';
+import type { UUID } from '../rbac/types';
 // Type for RPC response from data_user_organisation_roles_get
 interface OrganisationRoleRpcResponse {
@@ -27,6 +29,15 @@ interface OrganisationRoleRpcResponse {
   organisation_id: string;
   role: 'org_admin' | 'leader' | 'member' | 'supporter';
   status: 'active' | 'inactive' | 'suspended';
+  // Organisation fields from RPC
+  name?: string;
+  display_name?: string;
+  subscription_tier?: string;
+  settings?: unknown;
+  is_active?: boolean;
+  parent_id?: string;
+  organisation_created_at?: string;
+  organisation_updated_at?: string;
   [key: string]: unknown;
 }
@@ -37,6 +48,7 @@ export class OrganisationService extends BaseService implements IOrganisationSer
   private _roleMapState: Map<string, string> = new Map();
   private _isLoading = false;
   private _error: Error | null = null;
+  private _isSuperAdmin: boolean = false; // Cache super admin status
   private _isContextReady = false;
   private retryCount = 0;
@@ -72,17 +84,21 @@ export class OrganisationService extends BaseService implements IOrganisationSer
   // Additional methods for testing
   setSelectedOrganisation(organisation: Organisation | null): void {
     // SECURITY: Validate organisation is in user's accessible organisations (only if orgs are loaded)
+    // Exception: Super admins can set any organisation (they have global access)
     if (organisation && this._organisations.length > 0) {
-      const isValidOrg = this._organisations.some(org => org.id === organisation.id);
-      if (!isValidOrg) {
-        logger.warn('OrganisationService', 'Attempted to set invalid organisation - not in user\'s accessible organisations', {
-          organisationId: organisation.id,
-          organisationName: organisation.name,
-          accessibleOrgIds: this._organisations.map(o => o.id)
-        });
-        // Don't set invalid organisation - this prevents security issues
-        // If organisations haven't loaded yet, validation will happen in loadUserOrganisations()
-        return;
+      // Only validate if user is not a super admin (use cached status)
+      if (!this._isSuperAdmin) {
+        const isValidOrg = this._organisations.some(org => org.id === organisation.id);
+        if (!isValidOrg) {
+          logger.warn('OrganisationService', 'Attempted to set invalid organisation - not in user\'s accessible organisations', {
+            organisationId: organisation.id,
+            organisationName: organisation.name,
+            accessibleOrgIds: this._organisations.map(o => o.id)
+          });
+          // Don't set invalid organisation - this prevents security issues
+          // If organisations haven't loaded yet, validation will happen in loadUserOrganisations()
+          return;
+        }
       }
     }
@@ -131,6 +147,11 @@ export class OrganisationService extends BaseService implements IOrganisationSer
     const wasAuthenticated = !!(this.user && this.session);
     const isAuthenticated = !!(user && session);
+    // Reset super admin cache when user changes
+    if (this.user?.id !== user?.id) {
+      this._isSuperAdmin = false;
+    }
     this.user = user;
     this.session = session;
@@ -358,159 +379,142 @@ export class OrganisationService extends BaseService implements IOrganisationSer
     this.notify();
     try {
-      // Get user's organisation memberships using secure RPC function
-      // Include all roles (org_admin, leader, member, supporter) - supporters can access PORTAL
-      let memberships, membershipError;
+      // Get user's organisation roles directly from rbac_organisation_roles table
+      // This queries the source table directly instead of using the RPC which filters to match core_organisation_memberships view
+      // We still filter to active, non-revoked roles for the org selector
+      // The join includes organisation data, so we don't need a separate query that might be filtered by RLS
+      let memberships, membershipError, organisations: Organisation[] = [];
       try {
-        // Add timeout and abort signal to prevent hanging RPC calls
-        const timeoutPromise = new Promise((_, reject) => {
-          const timeoutId = setTimeout(() => reject(new Error('RPC call timeout after 10 seconds')), 10000);
-          abortSignal.addEventListener('abort', () => {
-            clearTimeout(timeoutId);
-            reject(new Error('Request aborted'));
-          });
-        });
-        const rpcPromise = this.supabaseClient.rpc('data_user_organisation_roles_get', {
-          p_user_id: this.user.id,
-          p_organisation_id: null
-        });
-        // Check if request was aborted before making the call
+        // Check if request was aborted before making query
         if (abortSignal.aborted) {
           throw new Error('Request aborted');
         }
+        const { data: rolesData, error: rolesError } = await this.supabaseClient
+          .from('rbac_organisation_roles')
+          .select(`
+            id,
+            user_id,
+            organisation_id,
+            role,
+            status,
+            granted_at,
+            granted_by,
+            revoked_at,
+            revoked_by,
+            notes,
+            created_at,
+            updated_at,
+            core_organisations!inner(
+              id,
+              name,
+              display_name,
+              subscription_tier,
+              settings,
+              is_active,
+              parent_id,
+              created_at,
+              updated_at
+            )
+          `)
+          .eq('user_id', this.user.id)
+          .eq('status', 'active')
+          .is('revoked_at', null);
-        const result = await Promise.race([rpcPromise, timeoutPromise]) as { data: OrganisationRoleRpcResponse[] | null; error: Error | null };
+        if (rolesError) {
+          logger.error("OrganisationService", "Error loading organisation roles:", rolesError);
+          throw rolesError;
+        }
-        // Filter to organisation members (org_admin, leader, member, supporter)
-        // Supporters are included to allow PORTAL access
-        // Map to branded types when filtering
-        memberships = result.data?.filter((role) =>
-          ['org_admin', 'leader', 'member', 'supporter'].includes(role.role)
-        ).map((m) => ({
+        // Map to branded types and extract organisation data from the join
+        // The join already includes organisation data, so we don't need a separate query
+        memberships = rolesData?.map((m) => ({
           ...m,
           user_id: assertUserId(m.user_id),
           organisation_id: assertOrganisationId(m.organisation_id),
         })) || [];
-        membershipError = result.error;
-      } catch (queryError) {
-        membershipError = queryError instanceof Error ? queryError : new Error(String(queryError));
-      }
-      if (membershipError) {
-        logger.error("OrganisationService", "Error loading memberships:", membershipError);
-        // If RPC fails with timeout, try direct database query as fallback
-        if (membershipError.message?.includes('timeout')) {
-          try {
-            // Check if request was aborted before making fallback query
-            if (abortSignal.aborted) {
-              throw new Error('Request aborted');
-            }
-            const { data: fallbackData, error: fallbackError } = await this.supabaseClient
-              .from('rbac_organisation_roles')
-              .select(`
-                id,
-                user_id,
-                organisation_id,
-                role,
-                status,
-                granted_at,
-                granted_by,
-                revoked_at,
-                revoked_by,
-                notes,
-                created_at,
-                updated_at,
-                organisations!inner(
-                  id,
-                  name,
-                  display_name,
-                  subscription_tier,
-                  settings,
-                  is_active,
-                  parent_id,
-                  created_at,
-                  updated_at
-                )
-              `)
-              .eq('user_id', this.user.id)
-              .eq('status', 'active')
-              .is('revoked_at', null)
-              .in('role', ['org_admin', 'leader', 'member', 'supporter']);
-            if (fallbackError) {
-              logger.error("OrganisationService", "Fallback query also failed:", fallbackError);
-              throw membershipError; // Throw original error
-            }
-            // Map to branded types
-            memberships = fallbackData?.map((m) => ({
-              ...m,
-              user_id: assertUserId(m.user_id),
-              organisation_id: assertOrganisationId(m.organisation_id),
-            })) || [];
-            membershipError = null;
-          } catch (fallbackErr) {
-            logger.error("OrganisationService", "Fallback query failed:", fallbackErr);
-            throw membershipError; // Throw original error
+        // Extract unique organisations from the join results
+        // Use a Map to deduplicate by organisation ID
+        // Supabase returns joined data nested under the relation name
+        const organisationsMap = new Map<string, Organisation>();
+        rolesData?.forEach((role: any) => {
+          // The join returns organisation data nested under 'core_organisations' key
+          const orgData = role.core_organisations;
+          if (orgData && role.organisation_id && !organisationsMap.has(role.organisation_id)) {
+            organisationsMap.set(role.organisation_id, {
+              id: orgData.id,
+              name: orgData.name,
+              display_name: orgData.display_name,
+              subscription_tier: orgData.subscription_tier,
+              settings: orgData.settings,
+              is_active: orgData.is_active,
+              parent_id: orgData.parent_id,
+              created_at: orgData.created_at,
+              updated_at: orgData.updated_at,
+            } as Organisation);
           }
+        });
+        organisations = Array.from(organisationsMap.values());
+        // Extract organisations from join results
+      } catch (queryError) {
+        // Extract error message properly from Supabase error objects
+        if (queryError instanceof Error) {
+          membershipError = queryError;
+        } else if (queryError && typeof queryError === 'object' && 'message' in queryError) {
+          membershipError = new Error(String((queryError as any).message));
         } else {
-          throw membershipError;
+          membershipError = new Error(String(queryError));
         }
+        logger.error("OrganisationService", "Error loading organisation roles:", membershipError);
+        throw membershipError;
       }
+      // Check if user is super admin - super admins don't need organisation memberships
+      let userIsSuperAdmin = false;
+      if (this.user?.id) {
+        try {
+          userIsSuperAdmin = await isSuperAdmin(this.user.id as UUID);
+          this._isSuperAdmin = userIsSuperAdmin; // Cache the result
+        } catch (error) {
+          logger.warn('OrganisationService', 'Failed to check super admin status', { error });
+          // Continue with normal flow if check fails
+          this._isSuperAdmin = false;
+        }
+      } else {
+        this._isSuperAdmin = false;
+      }
+      // Super admins can proceed without organisation memberships
       if (!memberships || memberships.length === 0) {
+        if (userIsSuperAdmin) {
+          // Super admin without org memberships - allow empty state
+          this._organisations = [];
+          this._userMemberships = [];
+          this._isLoading = false;
+          this._error = null;
+          this._isContextReady = true;
+          this.notify();
+          return;
+        }
         throw new Error('User has no active organisation memberships') as OrganisationSecurityError;
       }
-      // Get organisation details for the memberships
-      const organisationIds = memberships
-        .map((m) => m.organisation_id)
-        .filter((id: string) => {
-          // Better validation to prevent empty string UUID errors
-          if (!id || typeof id !== 'string') {
-            logger.warn("OrganisationService", "Invalid organisation ID (not string):", id);
-            return false;
-          }
-          const trimmedId = id.trim();
-          if (trimmedId === '') {
-            logger.warn("OrganisationService", "Empty organisation ID found");
-            return false;
-          }
-          // Validate UUID format
-          const isValidUuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(trimmedId);
-          if (!isValidUuid) {
-            logger.warn("OrganisationService", "Invalid UUID format:", trimmedId);
-          }
-          return isValidUuid;
-        });
-      if (organisationIds.length === 0) {
-        logger.warn("OrganisationService", "No valid organisation IDs found in memberships:", memberships);
-        throw new Error('No valid organisation IDs found in memberships') as OrganisationSecurityError;
-      }
-      // Check if request was aborted before making organisations query
-      if (abortSignal.aborted) {
-        throw new Error('Request aborted');
-      }
-      const { data: allOrganisations, error: orgError } = await this.supabaseClient
-        .from('organisations')
-        .select('id, name, display_name, subscription_tier, settings, is_active, parent_id, created_at, updated_at');
-      if (orgError) {
-        logger.error("OrganisationService", "Error loading organisations:", orgError);
-        throw orgError;
+      if (!organisations || organisations.length === 0) {
+        if (userIsSuperAdmin) {
+          // Super admin without orgs - allow empty state
+          this._organisations = [];
+          this._userMemberships = [];
+          this._isLoading = false;
+          this._error = null;
+          this._isContextReady = true;
+          this.notify();
+          return;
+        }
+        throw new Error('No organisations found in role data') as OrganisationSecurityError;
       }
-      // Filter manually on the client side
-      const organisations = allOrganisations?.filter(org =>
-        organisationIds.includes(org.id)
-      ) || [];
       // Create a map of organisation_id to role from the memberships data
       const roleMap = new Map<string, string>();
@@ -522,7 +526,19 @@ export class OrganisationService extends BaseService implements IOrganisationSer
       const orgs = organisations as Organisation[];
       const activeOrgs = orgs.filter(org => org.is_active);
+      // Filter to active organisations only
       if (activeOrgs.length === 0) {
+        if (userIsSuperAdmin) {
+          // Super admin without active orgs - allow empty state
+          this._organisations = [];
+          this._userMemberships = [];
+          this._isLoading = false;
+          this._error = null;
+          this._isContextReady = true;
+          this.notify();
+          return;
+        }
         throw new Error('User has no access to active organisations') as OrganisationSecurityError;
       }
@@ -549,16 +565,13 @@ export class OrganisationService extends BaseService implements IOrganisationSer
               initialOrg = validPersistedOrg;
               selectionMethod = 'persisted';
             } else {
-              logger.warn("OrganisationService", "Persisted organisation not found in active orgs, clearing cache");
               localStorage.removeItem('pace-core-selected-organisation');
             }
           } else {
-            logger.warn("OrganisationService", "Invalid persisted organisation ID, clearing cache");
             localStorage.removeItem('pace-core-selected-organisation');
           }
         }
       } catch (storageError) {
-        logger.warn("OrganisationService", "Failed to restore persisted organisation:", storageError);
         // Clear potentially corrupted cache
         localStorage.removeItem('pace-core-selected-organisation');
       }
@@ -610,10 +623,8 @@ export class OrganisationService extends BaseService implements IOrganisationSer
     } catch (err) {
       const error = err as Error;
       // "User has no access to active organisations" is a valid state for users without orgs (e.g., profile pages)
-      // Log it as a warning instead of an error to reduce noise
-      if (error.message === 'User has no access to active organisations') {
-        logger.warn("OrganisationService", "User has no active organisations (this is expected for users without organisation access):", error);
-      } else {
+      // Only log actual errors, not expected states
+      if (error.message !== 'User has no access to active organisations') {
         logger.error("OrganisationService", "Failed to load organisations:", err);
       }
       this._error = error;

package/src/services/__tests__/OrganisationService.pagination.test.ts CHANGED Viewed

@@ -88,16 +88,29 @@ describe('OrganisationService Pagination & Validation', () => {
     });
     mockSupabase.from.mockImplementation((table: string) => {
-      if (table === 'organisations') {
+      if (table === 'rbac_organisation_roles') {
         return {
           select: vi.fn().mockResolvedValue({
-            data: [mockOrganisation, mockOrganisation2],
+            data: [
+              {
+                ...mockMembership,
+                core_organisations: mockOrganisation
+              },
+              {
+                ...mockMembership2,
+                core_organisations: mockOrganisation2
+              }
+            ],
             error: null
-          })
+          }),
+          eq: vi.fn().mockReturnThis(),
+          is: vi.fn().mockReturnThis()
         };
       }
       return {
-        select: vi.fn().mockResolvedValue({ data: [], error: null })
+        select: vi.fn().mockResolvedValue({ data: [], error: null }),
+        eq: vi.fn().mockReturnThis(),
+        is: vi.fn().mockReturnThis()
       };
     });
@@ -175,16 +188,29 @@ describe('OrganisationService Pagination & Validation', () => {
       });
       mockSupabase.from.mockImplementation((table: string) => {
-        if (table === 'organisations') {
+        if (table === 'rbac_organisation_roles') {
           return {
             select: vi.fn().mockResolvedValue({
-              data: [mockOrganisation, inactiveOrganisation],
+              data: [
+                {
+                  ...mockMembership,
+                  core_organisations: mockOrganisation
+                },
+                {
+                  ...inactiveMembership,
+                  core_organisations: inactiveOrganisation
+                }
+              ],
               error: null
-            })
+            }),
+            eq: vi.fn().mockReturnThis(),
+            is: vi.fn().mockReturnThis()
           };
         }
         return {
-          select: vi.fn().mockResolvedValue({ data: [], error: null })
+          select: vi.fn().mockResolvedValue({ data: [], error: null }),
+          eq: vi.fn().mockReturnThis(),
+          is: vi.fn().mockReturnThis()
         };
       });