@jmruthers/pace-core 0.5.76 → 0.5.78

package/src/providers/AuthProvider.simplified.tsx

@@ -0,0 +1,880 @@
+/**
+ * @file Simplified Auth Provider
+ * @package @jmruthers/pace-core
+ * @module Providers
+ * @since 2.0.0
+ *
+ * BREAKING CHANGES FROM v1:
+ * - Single provider instead of nested contexts
+ * - No service classes (direct React state)
+ * - No observer pattern (React's built-in re-rendering)
+ * - No UnifiedAuthProvider nesting
+ *
+ * This provides:
+ * - Authentication (user, session)
+ * - Organisation management
+ * - Event management
+ * - Inactivity tracking
+ *
+ * All in one provider with React state management.
+ */
+
+import React, { 
+  createContext, 
+  useContext, 
+  useState, 
+  useEffect, 
+  useCallback, 
+  useMemo,
+  useRef 
+} from 'react';
+import { 
+  type SupabaseClient, 
+  type User, 
+  type Session, 
+  type AuthError 
+} from '@supabase/supabase-js';
+import type { UUID } from '../rbac/types';
+
+// ============================================================================
+// TYPES
+// ============================================================================
+
+export interface Organisation {
+  id: UUID;
+  name: string;
+  display_name?: string;
+  subscription_tier?: string;
+  settings?: Record<string, any>;
+  is_active: boolean;
+  created_at: string;
+  updated_at?: string;
+}
+
+export interface Event {
+  id: string;
+  event_id: string;
+  name: string;
+  organisation_id: UUID;
+  start_date?: string;
+  end_date?: string;
+  status?: string;
+  settings?: Record<string, any>;
+}
+
+export interface AuthContextType {
+  // ========== Auth State ==========
+  user: User | null;
+  session: Session | null;
+  isAuthenticated: boolean;
+  authLoading: boolean;
+  authError: AuthError | null;
+  supabase: SupabaseClient;
+
+  // ========== Auth Methods ==========
+  signIn: (email: string, password?: string) => Promise<{ error: AuthError | null }>;
+  signUp: (email: string, password: string) => Promise<{ error: AuthError | null }>;
+  signOut: () => Promise<{ error: AuthError | null }>;
+  resetPassword: (email: string) => Promise<{ error: AuthError | null }>;
+  updatePassword: (password: string) => Promise<{ error: AuthError | null }>;
+  refreshSession: () => Promise<{ error: AuthError | null }>;
+
+  // ========== Organisation State ==========
+  selectedOrganisation: Organisation | null;
+  organisations: Organisation[];
+  organisationLoading: boolean;
+  organisationError: Error | null;
+  hasValidOrganisationContext: boolean;
+  isContextReady: boolean;
+
+  // ========== Organisation Methods ==========
+  switchOrganisation: (orgId: UUID) => Promise<void>;
+  refreshOrganisations: () => Promise<void>;
+  getUserRole: (orgId?: UUID) => string | null;
+  getPrimaryOrganisation: () => Organisation | null;
+
+  // ========== Event State ==========
+  events: Event[];
+  selectedEvent: Event | null;
+  eventLoading: boolean;
+  eventError: Error | null;
+
+  // ========== Event Methods ==========
+  setSelectedEvent: (event: Event | null) => void;
+  refreshEvents: () => Promise<void>;
+
+  // ========== Inactivity State ==========
+  showInactivityWarning: boolean;
+  inactivityTimeRemaining: number;
+  isIdle: boolean;
+  isTracking: boolean;
+
+  // ========== Inactivity Methods ==========
+  resetActivity: () => void;
+  startTracking: () => void;
+  stopTracking: () => void;
+
+  // ========== Session Management ==========
+  sessionId: string | null;
+  deviceFingerprint: string | null;
+  hasConcurrentSessions: boolean;
+}
+
+export interface AuthProviderProps {
+  children: React.ReactNode;
+  supabaseClient: SupabaseClient;
+  appName: string;
+  persistState?: boolean;
+  requireOrganisationContext?: boolean;
+  
+  // Inactivity configuration (MANDATORY for security)
+  idleTimeoutMs: number;
+  warnBeforeMs: number;
+  onIdleLogout: (reason: 'inactivity') => void;
+  renderInactivityWarning?: (args: {
+    timeRemaining: number;
+    onStaySignedIn: () => void;
+    onSignOutNow: () => void;
+  }) => React.ReactNode;
+}
+
+// ============================================================================
+// CONTEXT
+// ============================================================================
+
+const AuthContext = createContext<AuthContextType | null>(null);
+
+// ============================================================================
+// PROVIDER
+// ============================================================================
+
+export function AuthProvider({
+  children,
+  supabaseClient,
+  appName,
+  persistState = true,
+  requireOrganisationContext = true,
+  idleTimeoutMs = 30 * 60 * 1000, // 30 minutes - MANDATORY for security
+  warnBeforeMs = 60 * 1000, // 1 minute
+  onIdleLogout, // MANDATORY - must be provided
+  renderInactivityWarning,
+}: AuthProviderProps) {
+  // MANDATORY: Inactivity timeout cannot be disabled
+  if (!idleTimeoutMs || idleTimeoutMs < 60000) {
+    throw new Error(
+      'AuthProvider: idleTimeoutMs is MANDATORY and must be at least 60 seconds (60000ms) for security. ' +
+      'The dangerouslyDisableInactivity flag has been removed.'
+    );
+  }
+
+  if (!onIdleLogout) {
+    throw new Error(
+      'AuthProvider: onIdleLogout callback is MANDATORY and must be provided for security.'
+    );
+  }
+  
+  // ==========================================================================
+  // AUTH STATE (replaces AuthService)
+  // ==========================================================================
+  
+  const [user, setUser] = useState<User | null>(null);
+  const [session, setSession] = useState<Session | null>(null);
+  const [authLoading, setAuthLoading] = useState(true);
+  const [authError, setAuthError] = useState<AuthError | null>(null);
+
+  // ==========================================================================
+  // ORGANISATION STATE (replaces OrganisationService)
+  // ==========================================================================
+  
+  const [selectedOrganisation, setSelectedOrganisation] = useState<Organisation | null>(null);
+  const [organisations, setOrganisations] = useState<Organisation[]>([]);
+  const [organisationLoading, setOrganisationLoading] = useState(false);
+  const [organisationError, setOrganisationError] = useState<Error | null>(null);
+
+  // ==========================================================================
+  // EVENT STATE (replaces EventService)
+  // ==========================================================================
+  
+  const [events, setEvents] = useState<Event[]>([]);
+  const [selectedEvent, setSelectedEvent] = useState<Event | null>(null);
+  const [eventLoading, setEventLoading] = useState(false);
+  const [eventError, setEventError] = useState<Error | null>(null);
+
+  // ==========================================================================
+  // INACTIVITY STATE (replaces InactivityService)
+  // ==========================================================================
+  
+  const [showInactivityWarning, setShowInactivityWarning] = useState(false);
+  const [inactivityTimeRemaining, setInactivityTimeRemaining] = useState(idleTimeoutMs);
+  const [isIdle, setIsIdle] = useState(false);
+  const [isTracking, setIsTracking] = useState(false);
+  
+  const lastActivityRef = useRef<number>(Date.now());
+  const idleTimerRef = useRef<NodeJS.Timeout | null>(null);
+  const warningTimerRef = useRef<NodeJS.Timeout | null>(null);
+  const deviceFingerprintRef = useRef<string | null>(null);
+  const sessionIdRef = useRef<string | null>(null);
+
+  // ==========================================================================
+  // AUTH EFFECTS (replaces AuthService initialization)
+  // ==========================================================================
+  
+  useEffect(() => {
+    // Setup auth state listener
+    const { data: { subscription } } = supabaseClient.auth.onAuthStateChange(
+      (event, newSession) => {
+        console.log('[AuthProvider] Auth state change:', event);
+        
+        if (event === 'SIGNED_OUT') {
+          setSession(null);
+          setUser(null);
+          setAuthError(null);
+        } else if (event === 'SIGNED_IN' || event === 'TOKEN_REFRESHED') {
+          setSession(newSession);
+          setUser(newSession?.user ?? null);
+          if (newSession) {
+            setAuthError(null);
+          }
+        } else if (event === 'INITIAL_SESSION') {
+          if (newSession) {
+            setSession(newSession);
+            setUser(newSession.user ?? null);
+            setAuthError(null);
+          }
+        }
+        
+        setAuthLoading(false);
+      }
+    );
+
+    // Initial session check
+    supabaseClient.auth.getSession().then(({ data: { session: initialSession } }) => {
+      setSession(initialSession);
+      setUser(initialSession?.user ?? null);
+      setAuthLoading(false);
+    });
+
+    return () => {
+      subscription.unsubscribe();
+    };
+  }, [supabaseClient]);
+
+  // ==========================================================================
+  // ORGANISATION EFFECTS (replaces OrganisationService initialization)
+  // ==========================================================================
+  
+  useEffect(() => {
+    if (!user) {
+      setOrganisations([]);
+      setSelectedOrganisation(null);
+      return;
+    }
+
+    // Load user's organisations
+    const loadOrganisations = async () => {
+      setOrganisationLoading(true);
+      setOrganisationError(null);
+
+      try {
+        // Use RPC to get organisations with roles
+        const { data, error } = await supabaseClient
+          .rpc('rbac_user_organisation_roles_get', {
+            p_user_id: user.id
+          }) as { data: Array<{ organisation_id: UUID }> | null; error: any };
+
+        if (error) throw error;
+
+        if (data && data.length > 0) {
+          // Fetch full organisation details
+          const orgIds = data.map(r => r.organisation_id);
+          const { data: orgs, error: orgsError } = await supabaseClient
+            .from('organisations')
+            .select('*')
+            .in('id', orgIds)
+            .eq('is_active', true) as { data: Organisation[] | null; error: any };
+
+          if (orgsError) throw orgsError;
+
+          setOrganisations(orgs || []);
+
+          // Auto-select first organisation if none selected
+          if (!selectedOrganisation && orgs && orgs.length > 0) {
+            const savedOrgId = persistState ? localStorage.getItem(`pace_${appName}_org`) : null;
+            const orgToSelect = savedOrgId 
+              ? orgs.find(o => o.id === savedOrgId) || orgs[0]
+              : orgs[0];
+            setSelectedOrganisation(orgToSelect);
+          }
+        }
+      } catch (error) {
+        console.error('[AuthProvider] Failed to load organisations:', error);
+        setOrganisationError(error as Error);
+      } finally {
+        setOrganisationLoading(false);
+      }
+    };
+
+    loadOrganisations();
+  }, [user, supabaseClient, appName, persistState, selectedOrganisation]);
+
+  // ==========================================================================
+  // EVENT EFFECTS (replaces EventService initialization)
+  // ==========================================================================
+  
+  useEffect(() => {
+    if (!user || !selectedOrganisation) {
+      setEvents([]);
+      setSelectedEvent(null);
+      return;
+    }
+
+    // Load user's events for the selected organisation
+    const loadEvents = async () => {
+      setEventLoading(true);
+      setEventError(null);
+
+      try {
+        // Use RPC to get user's events
+        const { data, error } = await supabaseClient
+          .rpc('data_user_events_get', {
+            p_user_id: user.id,
+            p_app_name: appName
+          }) as { data: Event[] | null; error: any };
+
+        if (error) throw error;
+
+        // Filter events for current organisation
+        const orgEvents = (data || []).filter(e => e.organisation_id === selectedOrganisation.id);
+        setEvents(orgEvents);
+
+        // Auto-select first event if none selected
+        if (!selectedEvent && orgEvents.length > 0) {
+          const savedEventId = persistState ? localStorage.getItem(`pace_${appName}_event`) : null;
+          const eventToSelect = savedEventId
+            ? orgEvents.find(e => e.event_id === savedEventId) || orgEvents[0]
+            : orgEvents[0];
+          setSelectedEvent(eventToSelect);
+        }
+      } catch (error) {
+        console.error('[AuthProvider] Failed to load events:', error);
+        setEventError(error as Error);
+      } finally {
+        setEventLoading(false);
+      }
+    };
+
+    loadEvents();
+  }, [user, selectedOrganisation, supabaseClient, appName, persistState, selectedEvent]);
+
+  // ==========================================================================
+  // INACTIVITY EFFECTS (replaces InactivityService)
+  // ==========================================================================
+  
+  const resetActivity = useCallback(() => {
+    lastActivityRef.current = Date.now();
+    setInactivityTimeRemaining(idleTimeoutMs);
+    setShowInactivityWarning(false);
+    setIsIdle(false);
+  }, [idleTimeoutMs]);
+
+  const startTracking = useCallback(() => {
+    if (isTracking) return;
+    
+    setIsTracking(true);
+    resetActivity();
+
+    // Activity event listeners
+    const activityEvents = ['mousedown', 'keydown', 'scroll', 'touchstart'];
+    const handleActivity = () => resetActivity();
+    
+    activityEvents.forEach(event => {
+      window.addEventListener(event, handleActivity, { passive: true });
+    });
+
+    // Idle check interval
+    idleTimerRef.current = setInterval(() => {
+      const timeSinceActivity = Date.now() - lastActivityRef.current;
+      const remaining = idleTimeoutMs - timeSinceActivity;
+      
+      setInactivityTimeRemaining(Math.max(0, remaining));
+
+      // Show warning
+      if (remaining <= warnBeforeMs && remaining > 0 && !showInactivityWarning) {
+        setShowInactivityWarning(true);
+      }
+
+      // Auto logout
+      if (remaining <= 0) {
+        setIsIdle(true);
+        onIdleLogout('inactivity');
+      }
+    }, 1000);
+
+    // Cleanup
+    return () => {
+      activityEvents.forEach(event => {
+        window.removeEventListener(event, handleActivity);
+      });
+      if (idleTimerRef.current) {
+        clearInterval(idleTimerRef.current);
+      }
+      if (warningTimerRef.current) {
+        clearTimeout(warningTimerRef.current);
+      }
+    };
+  }, [isTracking, idleTimeoutMs, warnBeforeMs, showInactivityWarning, onIdleLogout, resetActivity]);
+
+  const stopTracking = useCallback(() => {
+    setIsTracking(false);
+    if (idleTimerRef.current) {
+      clearInterval(idleTimerRef.current);
+      idleTimerRef.current = null;
+    }
+    if (warningTimerRef.current) {
+      clearTimeout(warningTimerRef.current);
+      warningTimerRef.current = null;
+    }
+  }, []);
+
+  // Generate and track device fingerprint
+  useEffect(() => {
+    if (user) {
+      // Generate device fingerprint (simple version - in production, use more sophisticated approach)
+      if (!deviceFingerprintRef.current) {
+        const fingerprint = btoa(JSON.stringify({
+          userAgent: navigator.userAgent,
+          language: navigator.language,
+          timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
+          screen: `${window.screen.width}x${window.screen.height}`,
+          timestamp: Date.now()
+        })).substring(0, 64);
+        deviceFingerprintRef.current = fingerprint;
+      }
+
+      // Track session with device fingerprint
+      const trackSession = async () => {
+        if (!deviceFingerprintRef.current || !user) return;
+        
+        try {
+          const { data, error } = await supabaseClient.rpc('rbac_session_track', {
+            p_user_id: user.id,
+            p_session_type: 'login',
+            p_app_id: null, // Will be resolved by the RPC function
+            p_ip_address: null, // Will be handled by backend
+            p_user_agent: navigator.userAgent,
+            p_device_fingerprint: deviceFingerprintRef.current
+          });
+          
+          if (!error && data) {
+            sessionIdRef.current = data;
+            
+            // Check for concurrent sessions
+            const { data: concurrentData } = await supabaseClient.rpc('rbac_detect_concurrent_sessions', {
+              p_user_id: user.id,
+              p_device_fingerprint: deviceFingerprintRef.current,
+              p_timeout_seconds: 300
+            });
+            
+            if (concurrentData && concurrentData.has_concurrent) {
+              console.warn(
+                '[AuthProvider] Concurrent session detected:',
+                concurrentData.concurrent_sessions_count,
+                'other session(s) active'
+              );
+            }
+          }
+        } catch (err) {
+          console.error('[AuthProvider] Session tracking failed:', err);
+        }
+      };
+      
+      trackSession();
+    }
+  }, [user, supabaseClient]);
+
+  // Auto-start tracking when user is authenticated
+  useEffect(() => {
+    if (user && !authLoading) {
+      startTracking();
+    } else {
+      stopTracking();
+    }
+
+    return () => {
+      stopTracking();
+    };
+  }, [user, authLoading, startTracking, stopTracking]);
+
+  // ==========================================================================
+  // AUTH METHODS
+  // ==========================================================================
+  
+  const signIn = useCallback(async (email: string, password?: string) => {
+    setAuthLoading(true);
+    setAuthError(null);
+
+    try {
+      let result;
+      if (password) {
+        // Email + password sign in
+        result = await supabaseClient.auth.signInWithPassword({ email, password });
+      } else {
+        // Magic link sign in
+        result = await supabaseClient.auth.signInWithOtp({ email });
+      }
+
+      if (result.error) {
+        setAuthError(result.error);
+        return { error: result.error };
+      }
+
+      return { error: null };
+    } catch (error) {
+      const authError = error as AuthError;
+      setAuthError(authError);
+      return { error: authError };
+    } finally {
+      setAuthLoading(false);
+    }
+  }, [supabaseClient]);
+
+  const signUp = useCallback(async (email: string, password: string) => {
+    setAuthLoading(true);
+    setAuthError(null);
+
+    try {
+      const { error } = await supabaseClient.auth.signUp({ email, password });
+      
+      if (error) {
+        setAuthError(error);
+        return { error };
+      }
+
+      return { error: null };
+    } catch (error) {
+      const authError = error as AuthError;
+      setAuthError(authError);
+      return { error: authError };
+    } finally {
+      setAuthLoading(false);
+    }
+  }, [supabaseClient]);
+
+  const signOut = useCallback(async () => {
+    setAuthLoading(true);
+    setAuthError(null);
+
+    try {
+      const { error } = await supabaseClient.auth.signOut();
+      
+      if (error) {
+        setAuthError(error);
+        return { error };
+      }
+
+      // Clear local state
+      setUser(null);
+      setSession(null);
+      setSelectedOrganisation(null);
+      setOrganisations([]);
+      setSelectedEvent(null);
+      setEvents([]);
+
+      // Clear persisted state
+      if (persistState) {
+        localStorage.removeItem(`pace_${appName}_org`);
+        localStorage.removeItem(`pace_${appName}_event`);
+      }
+
+      return { error: null };
+    } catch (error) {
+      const authError = error as AuthError;
+      setAuthError(authError);
+      return { error: authError };
+    } finally {
+      setAuthLoading(false);
+    }
+  }, [supabaseClient, appName, persistState]);
+
+  const resetPassword = useCallback(async (email: string) => {
+    setAuthError(null);
+
+    try {
+      const { error } = await supabaseClient.auth.resetPasswordForEmail(email);
+      
+      if (error) {
+        setAuthError(error);
+        return { error };
+      }
+
+      return { error: null };
+    } catch (error) {
+      const authError = error as AuthError;
+      setAuthError(authError);
+      return { error: authError };
+    }
+  }, [supabaseClient]);
+
+  const updatePassword = useCallback(async (password: string) => {
+    setAuthError(null);
+
+    try {
+      const { error } = await supabaseClient.auth.updateUser({ password });
+      
+      if (error) {
+        setAuthError(error);
+        return { error };
+      }
+
+      return { error: null };
+    } catch (error) {
+      const authError = error as AuthError;
+      setAuthError(authError);
+      return { error: authError };
+    }
+  }, [supabaseClient]);
+
+  const refreshSession = useCallback(async () => {
+    setAuthError(null);
+
+    try {
+      const { data, error } = await supabaseClient.auth.refreshSession();
+      
+      if (error) {
+        setAuthError(error);
+        return { error };
+      }
+
+      if (data.session) {
+        setSession(data.session);
+        setUser(data.session.user);
+      }
+
+      return { error: null };
+    } catch (error) {
+      const authError = error as AuthError;
+      setAuthError(authError);
+      return { error: authError };
+    }
+  }, [supabaseClient]);
+
+  // ==========================================================================
+  // ORGANISATION METHODS
+  // ==========================================================================
+  
+  const switchOrganisation = useCallback(async (orgId: UUID) => {
+    const org = organisations.find(o => o.id === orgId);
+    if (!org) {
+      throw new Error(`Organisation ${orgId} not found`);
+    }
+
+    setSelectedOrganisation(org);
+
+    if (persistState) {
+      localStorage.setItem(`pace_${appName}_org`, orgId);
+    }
+
+    // Clear event selection when switching orgs
+    setSelectedEvent(null);
+    if (persistState) {
+      localStorage.removeItem(`pace_${appName}_event`);
+    }
+  }, [organisations, appName, persistState]);
+
+  const refreshOrganisations = useCallback(async () => {
+    if (!user) return;
+
+    setOrganisationLoading(true);
+    setOrganisationError(null);
+
+    try {
+      const { data, error } = await supabaseClient
+        .rpc('rbac_user_organisation_roles_get', {
+          p_user_id: user.id
+        }) as { data: Array<{ organisation_id: UUID }> | null; error: any };
+
+      if (error) throw error;
+
+      if (data && data.length > 0) {
+        const orgIds = data.map(r => r.organisation_id);
+        const { data: orgs, error: orgsError } = await supabaseClient
+          .from('organisations')
+          .select('*')
+          .in('id', orgIds)
+          .eq('is_active', true) as { data: Organisation[] | null; error: any };
+
+        if (orgsError) throw orgsError;
+
+        setOrganisations(orgs || []);
+      }
+    } catch (error) {
+      console.error('[AuthProvider] Failed to refresh organisations:', error);
+      setOrganisationError(error as Error);
+    } finally {
+      setOrganisationLoading(false);
+    }
+  }, [user, supabaseClient]);
+
+  const getUserRole = useCallback((orgId?: UUID): string | null => {
+    // This would require fetching role data - placeholder for now
+    // In real implementation, we'd cache role data when loading organisations
+    return 'member';
+  }, []);
+
+  const getPrimaryOrganisation = useCallback((): Organisation | null => {
+    return organisations[0] || null;
+  }, [organisations]);
+
+  // ==========================================================================
+  // EVENT METHODS
+  // ==========================================================================
+  
+  const handleSetSelectedEvent = useCallback((event: Event | null) => {
+    setSelectedEvent(event);
+    
+    if (persistState) {
+      if (event) {
+        localStorage.setItem(`pace_${appName}_event`, event.event_id);
+      } else {
+        localStorage.removeItem(`pace_${appName}_event`);
+      }
+    }
+  }, [appName, persistState]);
+  
+  const refreshEvents = useCallback(async () => {
+    if (!user || !selectedOrganisation) return;
+
+    setEventLoading(true);
+    setEventError(null);
+
+    try {
+      const { data, error } = await supabaseClient
+        .rpc('data_user_events_get', {
+          p_user_id: user.id,
+          p_app_name: appName
+        }) as { data: Event[] | null; error: any };
+
+      if (error) throw error;
+
+      const orgEvents = (data || []).filter(e => e.organisation_id === selectedOrganisation.id);
+      setEvents(orgEvents);
+      
+      // Auto-select first event if none selected
+      if (!selectedEvent && orgEvents.length > 0) {
+        const savedEventId = persistState ? localStorage.getItem(`pace_${appName}_event`) : null;
+        const eventToSelect = savedEventId
+          ? orgEvents.find(e => e.event_id === savedEventId) || orgEvents[0]
+          : orgEvents[0];
+        setSelectedEvent(eventToSelect);
+      }
+    } catch (error) {
+      console.error('[AuthProvider] Failed to refresh events:', error);
+      setEventError(error as Error);
+    } finally {
+      setEventLoading(false);
+    }
+  }, [user, selectedOrganisation, supabaseClient, appName, selectedEvent, persistState]);
+
+  // ==========================================================================
+  // COMPUTED VALUES
+  // ==========================================================================
+  
+  const isAuthenticated = !!(user && session);
+  const hasValidOrganisationContext = !!(selectedOrganisation && !organisationLoading);
+  const isContextReady = isAuthenticated && (!requireOrganisationContext || hasValidOrganisationContext);
+
+  // ==========================================================================
+  // CONTEXT VALUE
+  // ==========================================================================
+  
+  const contextValue = useMemo<AuthContextType>(() => ({
+    // Auth
+    user,
+    session,
+    isAuthenticated,
+    authLoading,
+    authError,
+    supabase: supabaseClient,
+    signIn,
+    signUp,
+    signOut,
+    resetPassword,
+    updatePassword,
+    refreshSession,
+
+    // Organisation
+    selectedOrganisation,
+    organisations,
+    organisationLoading,
+    organisationError,
+    hasValidOrganisationContext,
+    isContextReady: hasValidOrganisationContext,
+    switchOrganisation,
+    refreshOrganisations,
+    getUserRole,
+    getPrimaryOrganisation,
+
+    // Event
+    events,
+    selectedEvent,
+    eventLoading,
+    eventError,
+    setSelectedEvent: handleSetSelectedEvent,
+    refreshEvents,
+
+    // Inactivity
+    showInactivityWarning,
+    inactivityTimeRemaining,
+    isIdle,
+    isTracking,
+    resetActivity,
+    startTracking,
+    stopTracking,
+
+    // Session Management
+    sessionId: sessionIdRef.current,
+    deviceFingerprint: deviceFingerprintRef.current,
+    hasConcurrentSessions: false, // TODO: implement state tracking
+  }), [
+    user, session, isAuthenticated, authLoading, authError,
+    selectedOrganisation, organisations, organisationLoading, organisationError,
+    hasValidOrganisationContext, isContextReady,
+    events, selectedEvent, eventLoading, eventError,
+    showInactivityWarning, inactivityTimeRemaining, isIdle, isTracking,
+    signIn, signUp, signOut, resetPassword, updatePassword, refreshSession,
+    switchOrganisation, refreshOrganisations, getUserRole, getPrimaryOrganisation,
+    handleSetSelectedEvent, refreshEvents,
+    resetActivity, startTracking, stopTracking,
+    supabaseClient
+  ]);
+
+  // ==========================================================================
+  // RENDER
+  // ==========================================================================
+  
+  return (
+    <AuthContext.Provider value={contextValue}>
+      {children}
+      {showInactivityWarning && renderInactivityWarning && renderInactivityWarning({
+        timeRemaining: inactivityTimeRemaining,
+        onStaySignedIn: resetActivity,
+        onSignOutNow: signOut,
+      })}
+    </AuthContext.Provider>
+  );
+}
+
+// ============================================================================
+// HOOK
+// ============================================================================
+
+export function useAuth(): AuthContextType {
+  const context = useContext(AuthContext);
+  
+  if (!context) {
+    throw new Error('useAuth must be used within AuthProvider');
+  }
+  
+  return context;
+}
+