@jmruthers/pace-core 0.5.191 → 0.5.193

package/src/components/PaceAppLayout/PaceAppLayout.tsx

@@ -103,10 +103,10 @@ import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { useEvents } from '../../hooks/useEvents';
 import { useEventTheme } from '../../hooks/useEventTheme';
-import { useCan, useResolvedScope } from '../../rbac/hooks';
+import { useCan, useResolvedScope, useRBAC } from '../../rbac/hooks';
 import { createScopeFromEvent } from '../../rbac/utils/eventContext';
 import { getCurrentAppName } from '../../utils/app/appNameResolver';
-import { isSuperAdmin } from '../../rbac/api';
+import { isSuperAdmin as checkSuperAdminApi } from '../../rbac/api';
 import { logger } from '../../utils/core/logger';
 import type { Permission, Scope } from '../../rbac/types';
 
@@ -372,7 +372,7 @@ export function PaceAppLayout({
   onRouteAccessDenied,
   onRouteStrictModeViolation
 }: PaceAppLayoutProps) {
-  const { user, signOut, updatePassword, supabase, appId: contextAppId } = useUnifiedAuth(); // Get appId from context (resolved on login)
+  const { user, signOut, updatePassword, supabase, appId: contextAppId, selectedOrganisationId } = useUnifiedAuth(); // Get appId from context (resolved on login)
   const { 
     selectedOrganisation, 
     isContextReady, 
@@ -380,6 +380,47 @@ export function PaceAppLayout({
     ensureOrganisationContext,
     isLoading: organisationLoading 
   } = useOrganisations();
+  // Use useRBAC to get super admin status - it's more reliable than async check
+  // Note: isSuperAdmin might be false initially while loading, but that's OK - we'll allow rendering
+  // if organisation loading completes or if we're a super admin
+  const { isSuperAdmin: isSuperAdminFromRBAC, isLoading: rbacLoading } = useRBAC();
+
+  // Also check super admin status directly as a fallback (for ADMIN/PORTAL apps)
+  // This allows super admins to proceed even if RBAC hasn't loaded yet
+  const [isSuperAdminDirect, setIsSuperAdminDirect] = useState<boolean>(false);
+  const [isCheckingSuperAdminDirect, setIsCheckingSuperAdminDirect] = useState<boolean>(false);
+
+  useEffect(() => {
+    const checkSuperAdminDirect = async () => {
+      if (!user?.id) {
+        setIsSuperAdminDirect(false);
+        setIsCheckingSuperAdminDirect(false);
+        return;
+      }
+
+      // Only skip if RBAC already confirmed super admin
+      if (isSuperAdminFromRBAC) {
+        setIsCheckingSuperAdminDirect(false);
+        return;
+      }
+
+      setIsCheckingSuperAdminDirect(true);
+      try {
+        const superAdminStatus = await checkSuperAdminApi(user.id);
+        setIsSuperAdminDirect(superAdminStatus);
+      } catch (error) {
+        logger.error('PaceAppLayout', 'Error checking super admin status directly', { userId: user?.id, error });
+        setIsSuperAdminDirect(false);
+      } finally {
+        setIsCheckingSuperAdminDirect(false);
+      }
+    };
+
+    checkSuperAdminDirect();
+  }, [user?.id, isSuperAdminFromRBAC]);
+
+  // Use direct check if RBAC hasn't loaded yet, otherwise use RBAC result
+  const isSuperAdmin = isSuperAdminFromRBAC || isSuperAdminDirect;
   const navigate = useNavigate();
   const location = useLocation();
   
@@ -408,28 +449,25 @@ export function PaceAppLayout({
   
   // Build scope from resolved values
   // Preserve appId from resolvedScope or fallback to resolvedAppId
+  // CRITICAL: Always create a new scope object from primitive values to ensure stable reference
+  // This prevents useCan from re-checking permissions when resolvedScope changes reference but values are the same
+  const scopeOrgId = resolvedScope?.organisationId || selectedOrganisation?.id || '';
+  const scopeEventId = resolvedScope?.eventId || selectedEvent?.event_id || undefined;
+  const scopeAppId = resolvedScope?.appId || resolvedAppId || undefined;
+  
   const scope = useMemo<Scope>(() => {
-    // Prefer resolvedScope if available (includes appId)
-    if (resolvedScope?.organisationId) {
-      return resolvedScope;
+    const newScope: Scope = {};
+    if (scopeOrgId) {
+      newScope.organisationId = scopeOrgId;
     }
-    
-    // Fallback: build scope from context values with resolvedAppId
-    if (selectedOrganisation?.id) {
-      return {
-        organisationId: selectedOrganisation.id,
-        eventId: selectedEvent?.event_id || undefined,
-        appId: resolvedAppId || resolvedScope?.appId || undefined
-      };
+    if (scopeEventId) {
+      newScope.eventId = scopeEventId;
     }
-    
-    // Last resort: return minimal scope
-    return {
-      organisationId: selectedOrganisation?.id || '',
-      eventId: selectedEvent?.event_id || undefined,
-      appId: resolvedAppId || resolvedScope?.appId || undefined
-    };
-  }, [resolvedScope, selectedOrganisation?.id, selectedEvent?.event_id, resolvedAppId]);
+    if (scopeAppId) {
+      newScope.appId = scopeAppId;
+    }
+    return newScope;
+  }, [scopeOrgId, scopeEventId, scopeAppId]);
 
   // Default navigation items if none provided
   const defaultNavItems: NavigationItem[] = useMemo(() => [
@@ -460,61 +498,45 @@ export function PaceAppLayout({
     }
     // Extract first path segment (base page name)
     const pathSegments = currentPath.slice(1).split('/').filter(Boolean);
-    return pathSegments[0] || 'home';
+    // Only return 'home' if there's actually a path segment, otherwise return empty string
+    // This prevents checking permissions for a non-existent "home" page when the index route is used
+    return pathSegments[0] || '';
   }, [location.pathname, pageIdMapping]);
 
   // Build permission string in format: operation:page.pageId
   const currentPermission = useMemo<Permission>(() => {
-    if (!enforcePermissions) {
-      return 'read:page.home' as Permission;
+    // If enforcePermissions is false, don't check any permission (return empty string)
+    // If currentPageId is empty (index route with no path segments), don't check permissions
+    if (!enforcePermissions || !currentPageId) {
+      return '' as Permission;
     }
     const permissionString = `${currentRoutePermission}:page.${currentPageId}`;
     return permissionString as Permission;
   }, [enforcePermissions, currentRoutePermission, currentPageId]);
 
   // Check super admin status before permission enforcement
-  const [isSuperAdminUser, setIsSuperAdminUser] = useState<boolean>(false);
-  const [isCheckingSuperAdmin, setIsCheckingSuperAdmin] = useState<boolean>(false);
-
-  useEffect(() => {
-    const checkSuperAdminStatus = async () => {
-      if (!user?.id) {
-        setIsSuperAdminUser(false);
-        setIsCheckingSuperAdmin(false);
-        return;
-      }
-
-      setIsCheckingSuperAdmin(true);
-      try {
-        const superAdminStatus = await isSuperAdmin(user.id);
-        setIsSuperAdminUser(superAdminStatus);
-      } catch (error) {
-        logger.error('PaceAppLayout', 'Error checking super admin status', { userId: user?.id, error });
-        setIsSuperAdminUser(false);
-      } finally {
-        setIsCheckingSuperAdmin(false);
-      }
-    };
-
-    checkSuperAdminStatus();
-  }, [user?.id]);
+  // Removed duplicate super admin check - using useRBAC hook instead
+  // The useRBAC hook provides isSuperAdmin which is more reliable
 
   // Use useCan hook for permission checking (standardized approach)
   // Note: The database function already handles super admin bypass, but we check here
   // as an additional safety layer to prevent unnecessary permission checks
   // Pass appName to useCan so it can be passed to isPermitted for PORTAL/ADMIN special case
+  // Only check permissions if enforcePermissions is true and we have a valid permission string
+  const shouldCheckPermission = enforcePermissions && !!currentPermission && !!currentPageId;
   const { can: canFromHook, isLoading: isCheckingPermission, error: permissionError } = useCan(
     user?.id || '',
     scope,
-    currentPermission,
-    currentPageId,
+    shouldCheckPermission ? currentPermission : ('' as Permission),
+    shouldCheckPermission ? currentPageId : '',
     true, // useCache
     appName // Pass appName for PORTAL/ADMIN special case
   );
 
   // Permission enforcement state - super admin bypasses all checks
   // This ensures super admins never see permission errors even if useCan hasn't completed
-  const can = isSuperAdminUser ? true : canFromHook;
+  // Use combined super admin check (RBAC + direct check)
+  const can = isSuperAdmin ? true : canFromHook;
   const hasPermission = enforcePermissions ? can : true;
 
   // Handle permission check results with audit logging and callbacks
@@ -524,19 +546,20 @@ export function PaceAppLayout({
     }
 
     // Only proceed when permission check is complete (not loading)
-    // Wait for both super admin check and permission check to complete
-    if (isCheckingSuperAdmin || isCheckingPermission) {
+    // Super admin status is checked via useRBAC hook (isSuperAdminFromRBAC)
+    // If RBAC is still loading, allow rendering to proceed (optimistic for super admins)
+    if (isCheckingPermission) {
       return;
     }
 
     // NEW: Phase 1 - Enhanced Security Features
     // Handle strict mode violations - skip for super admins
-    if (strictMode && !isSuperAdminUser && !can) {
+    if (strictMode && !isSuperAdmin && !can) {
       logger.error('PaceAppLayout', 'STRICT MODE VIOLATION: User attempted to access protected page without permission', {
         pageName: currentPageId,
         operation: currentRoutePermission,
         userId: user?.id,
-        isSuperAdmin: isSuperAdminUser,
+        isSuperAdmin: isSuperAdmin,
         timestamp: new Date().toISOString()
       });
       
@@ -546,10 +569,10 @@ export function PaceAppLayout({
     }
     
     // Handle page access denied callback - skip for super admins
-    if (!isSuperAdminUser && !can && onPageAccessDenied) {
+    if (!isSuperAdmin && !can && onPageAccessDenied) {
       onPageAccessDenied(currentPageId, currentRoutePermission);
     }
-  }, [enforcePermissions, can, isCheckingPermission, isCheckingSuperAdmin, isSuperAdminUser, currentPageId, currentRoutePermission, user?.id, strictMode, auditLog, onPageAccessDenied, onStrictModeViolation]);
+  }, [enforcePermissions, can, isCheckingPermission, isSuperAdmin, currentPageId, currentRoutePermission, user?.id, strictMode, auditLog, onPageAccessDenied, onStrictModeViolation]);
 
   // Filter navigation items based on permissions
   // Permission filtering is always enabled - users only see navigation items they have permission to access
@@ -610,8 +633,8 @@ export function PaceAppLayout({
       // For super admins, show all items (they bypass permission checks)
       // Gracefully handle RBAC not being initialized (e.g., in tests)
       try {
-        const { isSuperAdmin } = await import('../../rbac/api');
-        const isSuper = await isSuperAdmin(user.id);
+        const { isSuperAdmin: checkSuperAdminDynamic } = await import('../../rbac/api');
+        const isSuper = await checkSuperAdminDynamic(user.id);
         
         if (isSuper) {
           // Super admins see all navigation items
@@ -825,7 +848,13 @@ export function PaceAppLayout({
   // This is critical - we must wait for organisation context before allowing any data access
   // BUT: Allow rendering to proceed if loading is complete, even if user has no organisations (valid state for profile pages)
   // Only block if we're actively loading - once loading completes (success or error), allow rendering
-  if (user?.id && organisationLoading) {
+  // EXCEPTION: Super admins can proceed even during organisation loading (they can access all orgs)
+  // Use combined super admin check (RBAC + direct check) to allow super admins to proceed immediately
+  // IMPORTANT: If we're still checking super admin status, allow rendering to proceed (optimistic approach)
+  // This prevents blocking super admins while their status is being determined
+  // Also allow rendering if we already have a selectedOrganisationId (even if organisationLoading is still true)
+  // This prevents blank pages when organisation context is available but loading state hasn't cleared yet
+  if (user?.id && organisationLoading && !isSuperAdmin && !isCheckingSuperAdminDirect && !rbacLoading && !selectedOrganisationId) {
     return (
       <div className="flex items-center justify-center min-h-screen">
         <div className="text-center">
@@ -841,10 +870,10 @@ export function PaceAppLayout({
   // These pages work with user context only and don't require organisation context
   // The app can check hasValidOrganisationContext() to determine if org context is available for org-specific features
 
-  // Show loading state while checking permissions or super admin status
-  // Keep loading active until BOTH checks complete to prevent exposing protected content
-  // This ensures we don't render the main layout when permission check failed but super admin check is pending
-  if (enforcePermissions && (isCheckingSuperAdmin || isCheckingPermission)) {
+  // Show loading state while checking permissions
+  // Keep loading active until permission check completes to prevent exposing protected content
+  // Super admin status is checked via useRBAC hook (isSuperAdminFromRBAC)
+  if (enforcePermissions && isCheckingPermission) {
     return (
       <div className="flex items-center justify-center min-h-screen">
         <div className="text-center">
@@ -857,7 +886,7 @@ export function PaceAppLayout({
 
   // Show permission error (only after BOTH checks are complete)
   // Super admins bypass all permission checks, so don't show errors for them
-  if (enforcePermissions && permissionError && !isSuperAdminUser) {
+  if (enforcePermissions && permissionError && !isSuperAdmin) {
     return (
       <div className="flex items-center justify-center min-h-screen">
         <div className="text-center">
@@ -871,7 +900,7 @@ export function PaceAppLayout({
 
   // Show permission fallback if user lacks permission
   // Only show this if super admin check is complete and user is not a super admin
-  if (enforcePermissions && hasPermission === false && !isCheckingSuperAdmin && !isSuperAdminUser) {
+  if (enforcePermissions && hasPermission === false && !isCheckingSuperAdminDirect && !isSuperAdmin) {
     // NEW: Phase 1 - Use page permission fallback if available
     if (enforcePagePermissions && pagePermissionFallback) {
       return <>{pagePermissionFallback}</>;

package/src/components/PaceLoginPage/PaceLoginPage.tsx

@@ -208,7 +208,6 @@ export const PaceLoginPage: React.FC<PaceLoginPageProps> = ({
         }
       } catch (error) {
         // Service may not be available yet or events not loaded - that's okay
-        logger.debug('PaceLoginPage', 'Could not restore persisted event (service may not be ready):', error);
       }
     };
     
@@ -266,7 +265,6 @@ export const PaceLoginPage: React.FC<PaceLoginPageProps> = ({
           .eq('app_id', appData.id);
 
         if (pagesError || !pagesData || pagesData.length === 0) {
-          logger.debug('PaceLoginPage', 'No pages configured for app:', appName);
           setAccessError(`You do not have permission to access ${appName}. This application is currently unavailable. Please contact your administrator if you believe you should have access.`);
           setIsCheckingAccess(false);
           return;
@@ -285,7 +283,6 @@ export const PaceLoginPage: React.FC<PaceLoginPageProps> = ({
         const organisationId = orgRow?.organisation_id;
 
         if (!organisationId) {
-          logger.debug('PaceLoginPage', 'User has no organisation access');
           setAccessError(`You do not have permission to access ${appName}. You are not assigned to any organisation. Please contact your administrator.`);
           setIsCheckingAccess(false);
           return;
@@ -305,8 +302,6 @@ export const PaceLoginPage: React.FC<PaceLoginPageProps> = ({
               p_page_id: page.page_name // Page name to resolve to UUID
             });
 
-          logger.debug('PaceLoginPage', 'Permission check for page:', { pageName: page.page_name, hasPermission, error: permError });
-
           if (!permError && hasPermission === true) {
             hasAnyAccess = true;
             break;
@@ -314,14 +309,12 @@ export const PaceLoginPage: React.FC<PaceLoginPageProps> = ({
         }
 
         if (hasAnyAccess) {
-          logger.debug('PaceLoginPage', 'User has access to app');
           setIsCheckingAccess(false);
           navigate(onSuccessRedirectPath, { replace: true });
           return;
         }
 
         // No access - deny
-        logger.debug('PaceLoginPage', 'Access denied - no permissions');
         setAccessError(`You do not have permission to access ${appName}. This application is restricted to authorized users only. Please contact your administrator if you believe you should have access.`);
         setIsCheckingAccess(false);
       } catch (error) {

package/src/components/ProtectedRoute/ProtectedRoute.test.tsx

@@ -165,12 +165,8 @@ describe('ProtectedRoute Component', () => {
 
       expect(screen.getByTestId('outlet')).toBeInTheDocument();
       
-      // Wait a bit for the logger to be called (it's called during render)
-      await waitFor(() => {
-        expect(consoleDebugSpy).toHaveBeenCalledWith(
-          expect.stringContaining('[DEBUG] [ProtectedRoute] Events available but none selected - allowing render so selector is visible')
-        );
-      }, { timeout: 1000 });
+      // Note: ProtectedRoute no longer logs this debug message - it just allows rendering
+      // The component allows rendering when events exist but none selected to make the selector visible
     });
 
     it('renders session restoration loader when session is restoring', () => {
@@ -461,9 +457,9 @@ describe('ProtectedRoute Component', () => {
       renderWithProviders(<ProtectedRoute requireEvent={true} />);
 
       expect(screen.getByTestId('outlet')).toBeInTheDocument();
-      expect(consoleDebugSpy).toHaveBeenCalledWith(
-        expect.stringContaining('[DEBUG] [ProtectedRoute] Events available but none selected - allowing render so selector is visible')
-      );
+      
+      // Note: ProtectedRoute no longer logs this debug message - it just allows rendering
+      // The component allows rendering when events exist but none selected to make the selector visible
     });
 
     it('renders outlet when event is selected', () => {

package/src/components/ProtectedRoute/ProtectedRoute.tsx

@@ -359,7 +359,6 @@ export function ProtectedRoute({
   // The event selector will be visible and user can select, or auto-selection will kick in
   if (!selectedEvent) {
     // Log for debugging - this is expected behavior, not an error
-    logger.debug('ProtectedRoute', 'Events available but none selected - allowing render so selector is visible');
     return <Outlet />;
   }
 

package/src/components/PublicLayout/PublicPageProvider.tsx

@@ -102,7 +102,6 @@ export function PublicPageProvider({ children, appName }: PublicPageProviderProp
       return null;
     }
     const client = createClient<Database>(supabaseUrl, supabaseKey);
-    logger.info('PublicPageProvider', 'Supabase client created successfully for public pages');
     return client;
   }, [supabaseUrl, supabaseKey]);
 

package/src/hooks/__tests__/useSecureDataAccess.unit.test.tsx

@@ -5,7 +5,7 @@ import { useUnifiedAuth } from '../../providers';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { testDataGenerators } from '../../__tests__/helpers/test-utils';
 import { useResolvedScope } from '../../rbac/hooks/useResolvedScope';
-import { useSuperAdminBypass } from '../../rbac/hooks/useSuperAdminBypass';
+import { useOrganisationSecurity } from '../useOrganisationSecurity';
 
 // Mock dependencies
 vi.mock('../../providers', () => ({
@@ -28,8 +28,8 @@ vi.mock('../../rbac/hooks/useResolvedScope', () => ({
   useResolvedScope: vi.fn(),
 }));
 
-vi.mock('../../rbac/hooks/useSuperAdminBypass', () => ({
-  useSuperAdminBypass: vi.fn(),
+vi.mock('../useOrganisationSecurity', () => ({
+  useOrganisationSecurity: vi.fn(),
 }));
 
 const mockUseUnifiedAuth = {
@@ -114,10 +114,17 @@ describe('useSecureDataAccess', () => {
       isLoading: false,
       error: null,
     });
-    // Default mock for useSuperAdminBypass - not super admin
-    vi.mocked(useSuperAdminBypass).mockReturnValue({
-      isSuperAdmin: false,
-    });
+    // Default mock for useOrganisationSecurity - not super admin
+    vi.mocked(useOrganisationSecurity).mockReturnValue({
+      superAdminContext: { isSuperAdmin: false, hasGlobalAccess: false, canManageAllOrganisations: false },
+      validateOrganisationAccess: vi.fn(),
+      hasMinimumRole: vi.fn(),
+      canAccessChildOrganisations: vi.fn(),
+      checkPermission: vi.fn(),
+      getPermissions: vi.fn(),
+      logOrganisationAccess: vi.fn(),
+      canManageOrganisation: vi.fn(),
+    } as any);
   });
 
   describe('validateContext', () => {

package/src/hooks/services/useAuthService.ts

@@ -8,7 +8,7 @@
  * Provides authentication service with reactive state updates.
  */
 
-import { useContext, useReducer, useEffect } from 'react';
+import { useContext, useReducer, useEffect, useRef } from 'react';
 import { AuthServiceContext } from '../../providers/services/AuthServiceProvider';
 import { AuthService } from '../../services/AuthService';
 
@@ -19,11 +19,29 @@ export function useAuthService(): AuthService {
     throw new Error('useAuthService must be used within AuthServiceProvider');
   }
   
-  // Subscribe to service state changes
+  // Subscribe to service state changes with debouncing to prevent excessive re-renders
   const [, forceUpdate] = useReducer(x => x + 1, 0);
+  const timeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null);
   
   useEffect(() => {
-    return context.authService.subscribe(() => forceUpdate());
+    const debouncedUpdate = () => {
+      if (timeoutRef.current) {
+        clearTimeout(timeoutRef.current);
+      }
+      timeoutRef.current = setTimeout(() => {
+        forceUpdate();
+        timeoutRef.current = null;
+      }, 50); // 50ms debounce to batch rapid updates
+    };
+    
+    const unsubscribe = context.authService.subscribe(debouncedUpdate);
+    
+    return () => {
+      unsubscribe();
+      if (timeoutRef.current) {
+        clearTimeout(timeoutRef.current);
+      }
+    };
   }, [context.authService]);
   
   return context.authService;

package/src/hooks/services/useEventService.ts

@@ -8,7 +8,7 @@
  * Provides event service with reactive state updates.
  */
 
-import { useContext, useReducer, useEffect } from 'react';
+import { useContext, useReducer, useEffect, useRef } from 'react';
 import { EventServiceContext } from '../../providers/services/EventServiceProvider';
 import { EventService } from '../../services/EventService';
 
@@ -19,11 +19,29 @@ export function useEventService(): EventService {
     throw new Error('useEventService must be used within EventServiceProvider');
   }
   
-  // Subscribe to service state changes
+  // Subscribe to service state changes with debouncing to prevent excessive re-renders
   const [, forceUpdate] = useReducer(x => x + 1, 0);
+  const timeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null);
   
   useEffect(() => {
-    return context.eventService.subscribe(() => forceUpdate());
+    const debouncedUpdate = () => {
+      if (timeoutRef.current) {
+        clearTimeout(timeoutRef.current);
+      }
+      timeoutRef.current = setTimeout(() => {
+        forceUpdate();
+        timeoutRef.current = null;
+      }, 50); // 50ms debounce to batch rapid updates
+    };
+    
+    const unsubscribe = context.eventService.subscribe(debouncedUpdate);
+    
+    return () => {
+      unsubscribe();
+      if (timeoutRef.current) {
+        clearTimeout(timeoutRef.current);
+      }
+    };
   }, [context.eventService]);
   
   return context.eventService;

package/src/hooks/services/useInactivityService.ts

@@ -8,7 +8,7 @@
  * Provides inactivity service with reactive state updates.
  */
 
-import { useContext, useReducer, useEffect } from 'react';
+import { useContext, useReducer, useEffect, useRef } from 'react';
 import { InactivityServiceContext } from '../../providers/services/InactivityServiceProvider';
 import { InactivityService } from '../../services/InactivityService';
 
@@ -19,11 +19,29 @@ export function useInactivityService(): InactivityService {
     throw new Error('useInactivityService must be used within InactivityServiceProvider');
   }
   
-  // Subscribe to service state changes
+  // Subscribe to service state changes with debouncing to prevent excessive re-renders
   const [, forceUpdate] = useReducer(x => x + 1, 0);
+  const timeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null);
   
   useEffect(() => {
-    return context.inactivityService.subscribe(() => forceUpdate());
+    const debouncedUpdate = () => {
+      if (timeoutRef.current) {
+        clearTimeout(timeoutRef.current);
+      }
+      timeoutRef.current = setTimeout(() => {
+        forceUpdate();
+        timeoutRef.current = null;
+      }, 50); // 50ms debounce to batch rapid updates
+    };
+    
+    const unsubscribe = context.inactivityService.subscribe(debouncedUpdate);
+    
+    return () => {
+      unsubscribe();
+      if (timeoutRef.current) {
+        clearTimeout(timeoutRef.current);
+      }
+    };
   }, [context.inactivityService]);
   
   return context.inactivityService;

package/src/hooks/services/useOrganisationService.ts

@@ -8,7 +8,7 @@
  * Provides organisation service with reactive state updates.
  */
 
-import { useContext, useReducer, useEffect } from 'react';
+import { useContext, useReducer, useEffect, useRef } from 'react';
 import { OrganisationServiceContext } from '../../providers/services/OrganisationServiceProvider';
 import { OrganisationService } from '../../services/OrganisationService';
 
@@ -19,11 +19,29 @@ export function useOrganisationService(): OrganisationService {
     throw new Error('useOrganisationService must be used within OrganisationServiceProvider');
   }
   
-  // Subscribe to service state changes
+  // Subscribe to service state changes with debouncing to prevent excessive re-renders
   const [, forceUpdate] = useReducer(x => x + 1, 0);
+  const timeoutRef = useRef<ReturnType<typeof setTimeout> | null>(null);
   
   useEffect(() => {
-    return context.organisationService.subscribe(() => forceUpdate());
+    const debouncedUpdate = () => {
+      if (timeoutRef.current) {
+        clearTimeout(timeoutRef.current);
+      }
+      timeoutRef.current = setTimeout(() => {
+        forceUpdate();
+        timeoutRef.current = null;
+      }, 50); // 50ms debounce to batch rapid updates
+    };
+    
+    const unsubscribe = context.organisationService.subscribe(debouncedUpdate);
+    
+    return () => {
+      unsubscribe();
+      if (timeoutRef.current) {
+        clearTimeout(timeoutRef.current);
+      }
+    };
   }, [context.organisationService]);
   
   return context.organisationService;

package/src/hooks/useFileDisplay.ts

@@ -391,12 +391,7 @@ export function useFileDisplay(
         // Category is stored in file_metadata JSONB field, not a direct column
         if (category) {
           // Single file mode - get files by category using RPC
-          logger.debug('useFileDisplay', 'Using RPC function for category filtering:', {
-            table_name,
-            record_id,
-            category,
-            organisation_id
-          });
+          // Removed verbose debug log - only log on errors
           files = await service.getFilesByCategory(
             table_name,
             record_id,
@@ -510,21 +505,13 @@ export function useFileDisplay(
       if (category && files.length > 0) {
         // Single file mode - get first file
         const firstFile = files[0];
-        logger.debug('useFileDisplay', 'Processing category files, first file:', {
-          id: firstFile.id,
-          file_path: firstFile.file_path,
-          is_public: firstFile.is_public,
-          has_file_metadata: !!firstFile.file_metadata,
-          category_in_metadata: firstFile.file_metadata?.category
-        });
-        
+        // Removed verbose debug logs - only log on errors
         setFileReference(firstFile);
         
         // Generate URL based on file visibility
         let url: string | null = null;
         if (firstFile.is_public) {
           url = getPublicUrl(supabase, firstFile.file_path, true);
-          logger.debug('useFileDisplay', 'Generated public URL:', url);
         } else {
           const signedUrlResult = await getSignedUrl(supabase, firstFile.file_path, {
             appName: 'pace-core',
@@ -533,9 +520,15 @@ export function useFileDisplay(
             expiresIn: 3600
           });
           url = signedUrlResult?.url || null;
-          logger.debug('useFileDisplay', 'Generated signed URL:', url ? 'URL generated' : 'URL generation failed');
+          // Only log if URL generation fails
+          if (!url) {
+            logger.warn('useFileDisplay', 'Failed to generate signed URL for file:', {
+              file_path: firstFile.file_path,
+              record_id,
+              table_name
+            });
+          }
         }
-        logger.debug('useFileDisplay', 'Setting file URL:', url ? 'URL set' : 'URL is null');
         setFileUrl(url);
       } else {
         // Multiple files mode - generate URLs for all files in batch