@jmruthers/pace-core 0.5.76 → 0.5.78

package/dist/rbac/index.d.ts

@@ -1,8 +1,7 @@
-import { SupabaseClient, User, Session } from '@supabase/supabase-js';
-import { D as Database } from '../database-C3Szpi5J.js';
+import { SupabaseClient } from '@supabase/supabase-js';
+import { D as Database } from '../database-BXAfr2Y_.js';
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import React__default, { ReactNode } from 'react';
-import { c as AccessLevel$1 } from '../unified-CM7T0aTK.js';
 
 /**
  * RBAC (Role-Based Access Control) Types - Build Contract Compliant
@@ -29,7 +28,7 @@ type PermissionCheck = {
     permission: Permission;
     pageId?: UUID | string;
 };
-type PermissionMap = Record<string, Operation[]>;
+type PermissionMap = Record<Permission, boolean> & Partial<Record<'*', boolean>>;
 type GlobalRole = 'super_admin';
 type OrganisationRole = 'supporter' | 'member' | 'leader' | 'org_admin';
 type EventAppRole = 'viewer' | 'participant' | 'planner' | 'event_admin';
@@ -51,6 +50,15 @@ interface RBACAuditEvent {
     metadata: Record<string, any>;
     created_at: string;
 }
+interface RBACAppContext {
+    appId: UUID;
+    hasAccess: boolean;
+}
+interface RBACRoleContext {
+    globalRole: GlobalRole | null;
+    organisationRole: OrganisationRole | null;
+    eventAppRole: EventAppRole | null;
+}
 interface PermissionCacheKey {
     userId: UUID;
     organisationId?: UUID;
@@ -295,7 +303,19 @@ declare class RBACCache {
      */
     onInvalidate(callback: (pattern: string) => void): () => void;
     /**
-     * Generate cache key for permission check
+     * Generate cache key for permission check (simplified signature)
+     *
+     * @param userId - User ID
+     * @param permission - Permission string
+     * @param organisationId - Organisation ID (optional)
+     * @param eventId - Event ID (optional)
+     * @param appId - App ID (optional)
+     * @param pageId - Page ID (optional)
+     * @returns String cache key
+     */
+    static generateKey(userId: UUID, permission: string, organisationId?: UUID, eventId?: string, appId?: UUID, pageId?: UUID | string): string;
+    /**
+     * Generate cache key for permission check (object signature)
      *
      * @param key - Permission cache key object
      * @returns String cache key
@@ -538,25 +558,33 @@ declare function emitAuditEvent(event: AuditEventPayload): Promise<void>;
  */
 interface SecurityContext {
     userId: UUID;
-    organisationId: UUID;
+    organisationId?: UUID;
     ipAddress?: string;
     userAgent?: string;
     timestamp: Date;
 }
 
 /**
- * RBAC Core Engine
+ * RBAC Core Engine - Simplified Version
  * @package @jmruthers/pace-core
  * @module RBAC/Engine
- * @since 1.0.0
+ * @since 2.0.0
  *
- * This module implements the core RBAC permission algorithm with deny-overrides-allow precedence.
+ * This is a drastically simplified version that delegates permission checking to a single RPC function.
+ * All the complex grant collection logic has been moved to the database for better performance and security.
+ *
+ * BREAKING CHANGES FROM v1:
+ * - No more client-side grant collection
+ * - No more complex permission resolution algorithm
+ * - Single RPC call for all permission checks
+ * - Caching is still supported for performance
  */
 
 /**
- * RBAC Engine
+ * Simplified RBAC Engine
  *
- * Implements the core permission algorithm with deny-overrides-allow precedence.
+ * Delegates all permission checks to the database via a single RPC function.
+ * This reduces complexity, improves performance, and enhances security.
  */
 declare class RBACEngine {
     private supabase;
@@ -565,14 +593,18 @@ declare class RBACEngine {
     /**
      * Check if a user has a specific permission
      *
+     * This method now delegates to the database RPC function for all the heavy lifting.
+     *
      * @param input - Permission check input
-     * @param securityContext - Optional security context for enhanced validation
+     * @param securityContext - Security context for validation (required)
      * @returns Promise resolving to permission result
      */
-    isPermitted(input: PermissionCheck, securityContext?: SecurityContext): Promise<boolean>;
+    isPermitted(input: PermissionCheck, securityContext: SecurityContext): Promise<boolean>;
     /**
      * Get user's access level in a scope
      *
+     * This is derived from roles, not permissions.
+     *
      * @param input - Access level input
      * @returns Promise resolving to access level
      */
@@ -583,6 +615,9 @@ declare class RBACEngine {
     /**
      * Get user's permission map for a scope
      *
+     * This builds a map of page IDs to allowed operations.
+     * Uses the simplified RPC for each permission check.
+     *
      * @param input - Permission map input
      * @returns Promise resolving to permission map
      */
@@ -590,107 +625,27 @@ declare class RBACEngine {
         userId: UUID;
         scope: Scope;
     }): Promise<PermissionMap>;
+    resolveAppContext(input: {
+        userId: UUID;
+        appName: string;
+    }): Promise<RBACAppContext | null>;
+    getRoleContext(input: {
+        userId: UUID;
+        scope: Scope;
+    }): Promise<RBACRoleContext>;
     /**
      * Check if user is super admin
      *
-     * Directly queries the rbac_global_roles table to check for super_admin role.
-     * This is consistent with how other RPC functions (rbac_permissions_get, etc.) check
-     * for super admin status - they all use direct queries to the rbac_global_roles table.
-     *
      * @param userId - User ID
      * @returns Promise resolving to super admin status
      */
     private checkSuperAdmin;
-    /**
-     * Get app configuration including requires_event setting
-     *
-     * @param appId - App ID
-     * @returns Promise resolving to app configuration
-     */
-    getAppConfig(appId: UUID): Promise<{
-        requires_event: boolean;
-    } | null>;
-    /**
-     * Resolve organisation ID from event ID
-     *
-     * @param eventId - Event ID
-     * @returns Promise resolving to organisation ID
-     */
-    private resolveOrganisationFromEvent;
-    /**
-     * Validate context requirements based on app configuration
-     *
-     * @param scope - Permission scope
-     * @param appId - Optional app ID
-     * @returns Promise resolving to validated scope with resolved organisation ID
-     */
-    private validateContextRequirements;
-    /**
-     * Collect active grants for a user in a scope
-     *
-     * @param userId - User ID
-     * @param scope - Permission scope
-     * @param pageId - Optional page ID
-     * @returns Promise resolving to grants array
-     *
-     * PRECEDENCE ORDER (closest scope first): page → eventApp → organisation → global
-     */
-    private collectActiveGrants;
-    /**
-     * Check page-specific permissions
-     *
-     * @param userId - User ID
-     * @param pageId - Page ID
-     * @param permission - Permission to check
-     * @param scope - Permission scope
-     * @returns Promise resolving to page permission result
-     */
-    private checkPagePermissions;
-    /**
-     * Get organisation role for a user
-     *
-     * @param userId - User ID
-     * @param organisationId - Organisation ID
-     * @returns Promise resolving to organisation role
-     */
-    private getOrganisationRole;
-    /**
-     * Get event-app role for a user
-     *
-     * @param userId - User ID
-     * @param eventId - Event ID
-     * @param appId - App ID
-     * @returns Promise resolving to event-app role
-     */
-    private getEventAppRole;
-    /**
-     * Get permission for organisation role
-     *
-     * @param role - Organisation role
-     * @returns Permission string
-     */
-    private getPermissionForOrgRole;
-    /**
-     * Get permission for event-app role
-     *
-     * @param role - Event-app role
-     * @returns Permission string
-     */
-    private getPermissionForEventRole;
-    /**
-     * Check if a permission matches another permission
-     *
-     * @param grantPermission - Permission from grant
-     * @param requestedPermission - Requested permission
-     * @returns True if permissions match
-     */
-    private permissionMatches;
     /**
      * Resolve a page ID to UUID if it's a page name
      *
      * @param pageId - Page ID (UUID) or page name (string)
      * @param appId - App ID to look up the page
-     * @returns Resolved page ID (UUID) or original pageId if it's already a UUID or can't be resolved
+     * @returns Resolved page ID (UUID) or original pageId
      */
     private resolvePageId;
 }
@@ -1133,69 +1088,13 @@ declare function EnhancedNavigationMenu({ items, strictMode, auditLog, onNavigat
  * @module RBAC/Hooks
  * @since 0.3.0
  *
- * A React hook that provides access to the new RBAC (Role-Based Access Control) system.
- * This hook integrates with the database to provide real-time role and permission information.
- *
- * Features:
- * - Real-time role detection (global, organisation, event-app)
- * - Permission checking with database validation
- * - Hierarchical permission resolution
- * - Loading states and error handling
- * - Type-safe permission operations
- * - Automatic context detection
- *
- * @example
- * ```tsx
- * import { useRBAC } from '@jmruthers/pace-core/rbac';
- *
- * function MyComponent() {
- *   const {
- *     globalRole,
- *     organisationRole,
- *     eventAppRole,
- *     hasPermission,
- *     isSuperAdmin,
- *     isLoading,
- *     error
- *   } = useRBAC();
- *
- *   if (isLoading) return <div>Loading permissions...</div>;
- *   if (error) return <div>Error: {error.message}</div>;
- *
- *   return (
- *     <div>
- *       {isSuperAdmin && <AdminPanel />}
- *       {hasPermission('read', 'dashboard') && <Dashboard />}
- *       {hasPermission('create', 'events') && <CreateEventButton />}
- *     </div>
- *   );
- * }
- * ```
- *
- * @accessibility
- * - No direct accessibility concerns (hook)
- * - Enables accessible permission-based UI rendering
- * - Supports screen reader friendly conditional content
- *
- * @security
- * - Database-backed permission validation
- * - Hierarchical permission resolution
- * - Organisation context enforcement
- * - Real-time permission updates
- *
- * @performance
- * - Optimized with useMemo and useCallback
- * - Permission caching
- * - Minimal re-renders
- * - Lazy loading of permissions
- *
- * @dependencies
- * - React 18+ - Hooks and effects
- * - @supabase/supabase-js - Database integration
- * - RBAC types - Type definitions
+ * A React hook that provides access to the RBAC (Role-Based Access Control) system
+ * through the hardened RBAC engine API. The hook defers all permission and role
+ * resolution to the shared engine to ensure consistent security behaviour across
+ * applications.
  */
 
-declare function useRBAC$1(pageId?: string): UserRBACContext;
+declare function useRBAC(pageId?: string): UserRBACContext;
 
 /**
  * @file useResolvedScope Hook
@@ -1481,63 +1380,6 @@ declare function useCachedPermissions(userId: UUID, scope: Scope): {
     refetch: () => Promise<void>;
 };
 
-interface AppConfig {
-    supports_direct_access: boolean;
-    requires_event: boolean;
-}
-interface UserEventAccess {
-    event_id: string;
-    event_name: string;
-    event_description?: string | null;
-    start_date: string;
-    end_date: string;
-    event_status: string;
-    app_id: string;
-    access_level: string;
-    granted_at: string;
-    organisation_id: string;
-}
-interface RBACContextType {
-    permissions: Record<string, boolean>;
-    roles: string[];
-    accessLevel: AccessLevel$1;
-    rbacLoading: boolean;
-    rbacError: Error | null;
-    selectedEventId: string | null;
-    appConfig: AppConfig | null;
-    userEventAccess: UserEventAccess[];
-    eventAccessLoading: boolean;
-    selectedOrganisationId: string | null;
-    requireOrganisationContext: () => string;
-    hasPermission: (permission: string, orgId?: string) => boolean;
-    hasAnyPermission: (permissions: string[], orgId?: string) => boolean;
-    hasAllPermissions: (permissions: string[], orgId?: string) => boolean;
-    hasRole: (role: string) => boolean;
-    hasAccessLevel: (level: AccessLevel$1) => boolean;
-    canAccess: (resource: string, action: string, orgId?: string) => boolean;
-    validatePermission: (permission: string, orgId?: string) => Promise<boolean>;
-    validateAccess: (resource: string, action: string, orgId?: string) => Promise<boolean>;
-    refreshPermissions: (eventId?: string, orgId?: string) => Promise<void>;
-    setSelectedEventId: (eventId: string | null) => void;
-    loadUserEventAccess: (orgId?: string) => Promise<void>;
-    getUserEventAccess: (eventId: string) => UserEventAccess | undefined;
-    rbacEnabled: boolean;
-    rbacContext?: any;
-}
-declare const useRBAC: () => RBACContextType;
-interface RBACProviderProps {
-    children: React__default.ReactNode;
-    supabaseClient?: SupabaseClient;
-    user: User | null;
-    session: Session | null;
-    appName: string;
-    enableRBAC?: boolean;
-    persistState?: boolean;
-    enablePersistence?: boolean;
-    requireOrganisationContext?: boolean;
-}
-declare function RBACProvider({ children, supabaseClient, user, session, appName, enableRBAC, persistState, enablePersistence, requireOrganisationContext: _requireOrganisationContext, }: RBACProviderProps): react_jsx_runtime.JSX.Element;
-
 /**
  * RBAC Adapters
  * @package @jmruthers/pace-core
@@ -1867,6 +1709,14 @@ declare function getPermissionMap(input: {
     userId: UUID;
     scope: Scope;
 }): Promise<PermissionMap>;
+declare function resolveAppContext(input: {
+    userId: UUID;
+    appName: string;
+}): Promise<RBACAppContext | null>;
+declare function getRoleContext(input: {
+    userId: UUID;
+    scope: Scope;
+}): Promise<RBACRoleContext>;
 /**
  * Check if user has a specific permission
  *
@@ -2108,4 +1958,4 @@ declare const ALL_PERMISSIONS: {
 };
 type AllPermissions = typeof ALL_PERMISSIONS;
 
-export { ALL_PERMISSIONS, type AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type DataAccessRecord, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRole, GLOBAL_PERMISSIONS, type GlobalRole, InvalidScopeError, type LogLevel, MissingUserContextError, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, type Operation, OrganisationContextRequiredError, type OrganisationRole, PAGE_PERMISSIONS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, type Permission, type PermissionCheck, PermissionDeniedError, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, type PermissionMap, RBACAuditManager, RBACCache, type RBACConfig, type RBACContextType, RBACEngine, RBACError, type RBACLogger, RBACNotInitializedError, RBACProvider, type RBACProviderProps, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RouteAccessRecord, type RouteConfig, type Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, type UserEventAccess, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, emitAuditEvent, fromSupabaseClient, getAccessLevel, getGlobalAuditManager, getPermissionMap, getPermissionsForRole, getRBACConfig, getRBACLogger, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPermitted, isPermittedCached, isValidPermission, rbacCache, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRBAC$1 as useRBAC, useRBAC as useRBACProvider, useResolvedScope, useRoleBasedRouter, useSecureData, withAccessLevelGuard, withPermissionGuard, withRoleGuard };
+export { ALL_PERMISSIONS, type AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type DataAccessRecord, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRole, GLOBAL_PERMISSIONS, type GlobalRole, InvalidScopeError, type LogLevel, MissingUserContextError, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, type Operation, OrganisationContextRequiredError, type OrganisationRole, PAGE_PERMISSIONS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, type Permission, type PermissionCheck, PermissionDeniedError, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, type PermissionMap, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, RBACError, type RBACLogger, RBACNotInitializedError, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RouteAccessRecord, type RouteConfig, type Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, emitAuditEvent, fromSupabaseClient, getAccessLevel, getGlobalAuditManager, getPermissionMap, getPermissionsForRole, getRBACConfig, getRBACLogger, getRoleContext, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPermitted, isPermittedCached, isValidPermission, rbacCache, resolveAppContext, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRBAC, useResolvedScope, useRoleBasedRouter, useSecureData, withAccessLevelGuard, withPermissionGuard, withRoleGuard };

package/dist/rbac/index.js

@@ -12,7 +12,6 @@ import {
   PagePermissionProvider,
   PermissionEnforcer,
   PermissionGuard,
-  RBACProvider,
   RoleBasedRouter,
   SecureDataProvider,
   SecureSupabaseClient,
@@ -26,13 +25,12 @@ import {
   isValidPermission,
   useNavigationPermissions,
   usePagePermissions,
-  useRBAC as useRBAC2,
   useRoleBasedRouter,
   useSecureData,
   withAccessLevelGuard,
   withPermissionGuard,
   withRoleGuard
-} from "../chunk-K34IM5CT.js";
+} from "../chunk-2OGV6IRV.js";
 import {
   useAccessLevel,
   useCachedPermissions,
@@ -43,7 +41,7 @@ import {
   usePermissions,
   useRBAC,
   useResolvedScope
-} from "../chunk-KHJS6VIA.js";
+} from "../chunk-LRQ6RBJC.js";
 import {
   CACHE_PATTERNS,
   RBACCache,
@@ -54,6 +52,7 @@ import {
   getPermissionMap,
   getRBACConfig,
   getRBACLogger,
+  getRoleContext,
   hasAllPermissions,
   hasAnyPermission,
   hasPermission,
@@ -62,23 +61,23 @@ import {
   isPermitted,
   isPermittedCached,
   rbacCache,
+  resolveAppContext,
   setupRBAC
-} from "../chunk-FGMFQSHX.js";
+} from "../chunk-S63MFSY6.js";
 import {
   RBACAuditManager,
   createAuditManager,
   emitAuditEvent,
   getGlobalAuditManager,
   setGlobalAuditManager
-} from "../chunk-B2WTCLCV.js";
-import "../chunk-NTNILOBC.js";
-import "../chunk-LW7MMEAQ.js";
-import "../chunk-URUTVZ7N.js";
-import "../chunk-A4FUBC7B.js";
-import "../chunk-WN6XJWOS.js";
-import "../chunk-ULBI5JGB.js";
-import "../chunk-5BSLGBYI.js";
-import "../chunk-XLZ7U46Z.js";
+} from "../chunk-Q7APDV6H.js";
+import "../chunk-5BO3MI5Y.js";
+import "../chunk-FT2M4R4F.js";
+import "../chunk-FL4ZCQLD.js";
+import "../chunk-QGVSOUJ2.js";
+import "../chunk-MNJXXD6C.js";
+import "../chunk-JCQZ6LA7.js";
+import "../chunk-CVMVPYAL.js";
 import "../chunk-PLDDJCW6.js";
 export {
   ALL_PERMISSIONS,
@@ -98,7 +97,6 @@ export {
   RBACAuditManager,
   RBACCache,
   RBACEngine,
-  RBACProvider,
   RoleBasedRouter,
   SecureDataProvider,
   SecureSupabaseClient,
@@ -116,6 +114,7 @@ export {
   getPermissionsForRole,
   getRBACConfig,
   getRBACLogger,
+  getRoleContext,
   hasAllPermissions,
   hasAnyPermission,
   hasAnyPermissionCached,
@@ -127,6 +126,7 @@ export {
   isPermittedCached,
   isValidPermission,
   rbacCache,
+  resolveAppContext,
   setGlobalAuditManager,
   setupRBAC,
   useAccessLevel,
@@ -139,7 +139,6 @@ export {
   usePagePermissions,
   usePermissions,
   useRBAC,
-  useRBAC2 as useRBACProvider,
   useResolvedScope,
   useRoleBasedRouter,
   useSecureData,

package/dist/{types-CGX9Vyf5.d.ts → types-BDg1mAGG.d.ts}

@@ -17,13 +17,21 @@ declare module '@tanstack/react-table' {
     }
 }
 /**
- * Generic data record type - all DataTable data must extend this
+ * Base data record type - all DataTable data must extend this
+ * This is a marker type that allows any object to be used as a data record
+ * Individual implementations should define more specific types
  */
-type DataRecord = Record<string, any>;
+interface DataRecord {
+    [key: string]: unknown;
+}
+/**
+ * Row ID type - always a string
+ */
+type RowId = string;
 /**
  * Row identifier function type
  */
-type GetRowId<TData extends DataRecord> = (row: TData, index: number) => string;
+type GetRowId<TData extends DataRecord> = (row: TData, index: number) => RowId;
 /**
  * Hierarchical configuration for DataTable
  */
@@ -170,6 +178,8 @@ interface DataTableColumn<TData extends DataRecord = DataRecord> extends Omit<Co
     id?: string;
     /** Accessor key for data */
     accessorKey?: string;
+    /** Alternative accessor key used while editing */
+    editAccessorKey?: string;
     /** Custom header label for the column */
     header: string;
     /** Whether this column should be searchable in global filter */
@@ -187,7 +197,9 @@ interface DataTableColumn<TData extends DataRecord = DataRecord> extends Omit<Co
     /** Enable virtual scrolling for this column */
     virtualizable?: boolean;
     /** Custom cell renderer with memoization */
-    memoizedCell?: React__default.ComponentType<any>;
+    memoizedCell?: React__default.ComponentType<{
+        row: TData;
+    }>;
     /** Field type for editing (text, select, date, etc.) */
     fieldType?: 'text' | 'select' | 'date' | 'number' | 'boolean';
     /** Options for select fields */
@@ -216,6 +228,10 @@ interface DataTableColumn<TData extends DataRecord = DataRecord> extends Omit<Co
 /**
  * Action definition for row-level operations
  */
+/**
+ * Boolean condition or predicate evaluated against a row
+ */
+type ActionCondition<TData extends DataRecord> = boolean | ((row: TData) => boolean);
 interface DataTableAction<TData extends DataRecord> {
     /** Display label for the action */
     label: string;
@@ -228,9 +244,11 @@ interface DataTableAction<TData extends DataRecord> {
     /** Visual variant */
     variant?: 'default' | 'destructive' | 'outline' | 'secondary' | 'ghost';
     /** Whether action is disabled */
-    disabled?: (row: TData) => boolean;
+    disabled?: ActionCondition<TData>;
     /** Whether action is hidden (for RBAC) */
     hidden?: boolean;
+    /** Explicit visibility override */
+    visible?: ActionCondition<TData>;
     /** Test ID for testing */
     testId?: string;
     /** Whether this action should only show for parent rows (hierarchical mode) */
@@ -249,6 +267,12 @@ interface DataTableAction<TData extends DataRecord> {
     parentLabel?: string;
     /** Label for child rows (overrides label when showForChild is true) */
     childLabel?: string;
+    /** Whether the action should be shown while the row is in edit mode */
+    showInEditMode?: boolean;
+    /** Whether the action should be hidden while the row is in view mode */
+    hideInViewMode?: boolean;
+    /** Whether the action should explicitly render while in view mode */
+    showInViewMode?: boolean;
 }
 /**
  * Toolbar button definition
@@ -295,7 +319,7 @@ interface EmptyStateConfig {
  * Unified feature configuration for DataTable
  * All features are disabled by default and must be explicitly enabled
  */
-interface DataTableFeatureConfig {
+interface DataTableFeatureFlags {
     /** Enable global search functionality */
     search: boolean;
     /** Enable pagination controls */
@@ -327,6 +351,12 @@ interface DataTableFeatureConfig {
     /** Enable hierarchical parent/child rows */
     hierarchical: boolean;
 }
+/**
+ * Consumer-facing feature configuration. All properties are optional and will be
+ * merged with {@link defaultDataTableFeatures} at runtime to keep the public API
+ * ergonomic while maintaining strict internal guarantees.
+ */
+type DataTableFeatureConfig = Partial<DataTableFeatureFlags>;
 /**
  * RBAC configuration for DataTable - MANDATORY for all DataTables
  *

package/dist/types.d.ts

@@ -1,7 +1,7 @@
-import { U as User, S as Session, A as AuthError, a as UserPermissions, P as PermissionError, b as PermissionString, c as AccessLevel, d as AuthErrorCode } from './unified-CM7T0aTK.js';
-export { D as DataRecord, t as DataTableAction, u as DataTableColumn, r as Event, s as EventContextType, E as EventTheme, q as PermissionContext, e as PermissionErrorCode, p as PermissionMap, R as RequestId, g as SessionToken, T as ThemeColors, f as UserId, j as createPermissionString, k as createRequestId, i as createSessionToken, h as createUserId, n as isPermissionString, o as isRequestId, m as isSessionToken, l as isUserId } from './unified-CM7T0aTK.js';
+import { U as User, S as Session, A as AuthError, a as UserPermissions, P as PermissionError, b as PermissionString, c as AccessLevel, d as AuthErrorCode } from './unified-DQ4VcT7H.js';
+export { D as DataRecord, t as DataTableAction, u as DataTableColumn, E as Event, s as EventContextType, r as EventTheme, q as PermissionContext, e as PermissionErrorCode, p as PermissionMap, R as RequestId, g as SessionToken, T as ThemeColors, f as UserId, j as createPermissionString, k as createRequestId, i as createSessionToken, h as createUserId, n as isPermissionString, o as isRequestId, m as isSessionToken, l as isUserId } from './unified-DQ4VcT7H.js';
 import { SupabaseClient } from '@supabase/supabase-js';
-export { D as Database } from './database-C3Szpi5J.js';
+export { D as Database } from './database-BXAfr2Y_.js';
 export { C as ChangePasswordFormValues, t as ContactFormData, F as FormData, m as LoginFormData, L as LoginFormValues, P as PasswordResetFormValues, q as ProfileFormData, o as RegistrationFormData, R as RegistrationFormValues, S as SecureLoginFormValues, k as SecurePasswordResetFormValues, j as SecureRegistrationFormValues, U as UserProfileFormValues, V as ValidationError, a as ValidationResult, g as changePasswordSchema, w as combineSchemas, i as contactFormSchema, d as dateSchema, e as emailSchema, l as loginSchema, n as nameSchema, f as passwordResetSchema, b as passwordSchema, p as phoneSchema, v as pickSchema, r as registrationSchema, c as secureLoginSchema, s as securePasswordSchema, u as urlSchema, h as userProfileSchema } from './validation-D8VcbTzC.js';
 export { b as FileCategory, a as FileMetadata, F as FileReference, d as FileReferenceService, c as FileUploadOptions, e as FileUploadResult, S as StorageUploadOptions } from './file-reference-9xUOnwyt.js';
 import 'zod';