@jmruthers/pace-core 0.6.1 → 0.6.3

package/src/services/AuthService.ts

@@ -23,6 +23,8 @@ type AuthStateSubscription = {
 };
 
 export class AuthService extends BaseService implements IAuthService {
+  private static instanceCount = 0;
+  private instanceId: number;
   private user: User | null = null;
   private session: Session | null = null;
   private authLoading = false;
@@ -43,12 +45,23 @@ export class AuthService extends BaseService implements IAuthService {
 
   constructor(supabaseClient: SupabaseClient, appName?: string) {
     super();
+    this.instanceId = ++AuthService.instanceCount;
     this.supabaseClient = supabaseClient;
     this.appName = appName;
+    logger.debug('AuthService', `Instance created [ID:${this.instanceId}]`, { appName });
+  }
+
+  getInstanceId(): number {
+    return this.instanceId;
   }
 
   // Auth state getters
   getUser(): User | null {
+    if (this.user) {
+      logger.debug('AuthService', `getUser() [ID:${this.instanceId}] returning user: ${this.user.id}`);
+    } else {
+      logger.debug('AuthService', `getUser() [ID:${this.instanceId}] returning null`);
+    }
     return this.user;
   }
 
@@ -398,6 +411,11 @@ export class AuthService extends BaseService implements IAuthService {
       const subscription = this.supabaseClient.auth.onAuthStateChange(
         (event: AuthChangeEvent, session: SupabaseSession | null) => {
           try {
+            logger.debug('AuthService', `Auth state change [ID:${this.instanceId}]`, {
+              event,
+              hasSession: !!session,
+              userId: session?.user?.id
+            });
             // Handle different auth events
             if (event === 'SIGNED_OUT') {
               this.session = null;
@@ -407,15 +425,15 @@ export class AuthService extends BaseService implements IAuthService {
               // Automatic session tracking (non-blocking)
               if (session?.user) {
                 this.trackSession('logout', session).catch(err => {
-                  logger.warn('AuthService', 'Failed to track logout session:', err);
+                  logger.warn('AuthService', `Failed to track logout session [ID:${this.instanceId}]:`, err);
                 });
               }
             } else if (event === 'SIGNED_IN' || event === 'TOKEN_REFRESHED') {
               this.session = session;
               this.user = session?.user ?? null;
 
-              // Only clear auth error if we have a valid session
-              if (session) {
+              // Ensure state is set before non-blocking tracking calls
+              if (session?.user) {
                 this.authError = null;
               }
               
@@ -423,7 +441,7 @@ export class AuthService extends BaseService implements IAuthService {
               // Only track on SIGNED_IN, not TOKEN_REFRESHED (to avoid duplicate login records)
               if (event === 'SIGNED_IN' && session?.user) {
                 this.trackSession('login', session).catch(err => {
-                  logger.warn('AuthService', 'Failed to track login session:', err);
+                  logger.warn('AuthService', `Failed to track login session [ID:${this.instanceId}]:`, err);
                 });
               }
             } else if (event === 'INITIAL_SESSION') {
@@ -452,16 +470,30 @@ export class AuthService extends BaseService implements IAuthService {
               // This ensures ProtectedRoute waits for session restoration to complete
               // before checking authentication state
               this.authLoading = false;
+              
+              // Final check: Ensure state matches what we just logged
+              logger.debug('AuthService', `State synchronized after INITIAL_SESSION [ID:${this.instanceId}]`, {
+                hasUser: !!this.user,
+                userId: this.user?.id
+              });
+              
               this.notify();
               return; // Return early to avoid setting loading to false again below
             }
 
-            // For other events (SIGNED_IN, SIGNED_OUT, TOKEN_REFRESHED), set loading to false
-            // INITIAL_SESSION is handled above and returns early
+            // For other events (SIGNED_IN, SIGNED_OUT, TOKEN_REFRESHED), set loading to false and notify
             this.authLoading = false;
+            
+            // Final check: Ensure state matches what we just logged
+            logger.debug('AuthService', `State synchronized after event [ID:${this.instanceId}]`, {
+              event,
+              hasUser: !!this.user,
+              userId: this.user?.id
+            });
+            
             this.notify();
           } catch (error) {
-            logger.warn('AuthService', 'Error in auth state change handler:', error);
+            logger.warn('AuthService', `Error in auth state change handler [ID:${this.instanceId}]:`, error);
             this.authLoading = false;
             this.notify();
           }

package/src/services/EventService.ts

@@ -16,11 +16,12 @@ import { Organisation } from '../types/organisation';
 import { assertOrganisationId } from '../types/core';
 import { logger } from '../utils/core/logger';
 import { secureStorage } from '../utils/security/secureStorage';
-import { isSuperAdmin, getAppConfigByName } from '../rbac/api';
+import { isSuperAdmin } from '../rbac/api';
 import type { UUID } from '../rbac/types';
-import type { AppConfig } from '../rbac/utils/contextValidator';
 
 export class EventService extends BaseService implements IEventService {
+  private static instanceCount = 0;
+  private instanceId: number;
   private events: Event[] = [];
   private selectedEvent: Event | null = null;
   private _isLoading = false; // Start as false to avoid blocking UI
@@ -34,7 +35,7 @@ export class EventService extends BaseService implements IEventService {
   private selectedOrganisation: Organisation | null = null;
   private setSelectedEventId: ((eventId: string | null) => void) | null = null;
   private isSuperAdmin: boolean = false; // Track super admin status for conditional validation
-  private appConfig: AppConfig | null = null; // Cache app config to avoid repeated lookups
+  // App config removed - scope is now page-level only (rbac_app_pages.scope_type)
 
   // Internal state management
   private isInitializedRef = false;
@@ -51,12 +52,22 @@ export class EventService extends BaseService implements IEventService {
     setSelectedEventId: (eventId: string | null) => void
   ) {
     super();
+    this.instanceId = ++EventService.instanceCount;
     this.supabaseClient = supabaseClient;
     this.user = user;
     this.session = session;
     this.appName = appName;
     this.selectedOrganisation = selectedOrganisation;
     this.setSelectedEventId = setSelectedEventId;
+    logger.debug('EventService', `Instance created [ID:${this.instanceId}]`, {
+      appName,
+      hasUser: !!user,
+      userId: user?.id
+    });
+  }
+
+  getInstanceId(): number {
+    return this.instanceId;
   }
 
   // Helper method to get user-scoped storage key
@@ -97,6 +108,12 @@ export class EventService extends BaseService implements IEventService {
       this.resetInitialization();
       this.isInitializedRef = false;
       this.isFetchingRef = false;
+      
+      logger.debug('EventService', `User changed [ID:${this.instanceId}]`, {
+        previousUserId,
+        newUserId,
+        willInitialize: newUserId !== null
+      });
     }
     
     this.supabaseClient = supabaseClient;
@@ -106,19 +123,43 @@ export class EventService extends BaseService implements IEventService {
     this.selectedOrganisation = selectedOrganisation;
     this.setSelectedEventId = setSelectedEventId;
     
-    // Clear app config cache when app name changes
-    if (previousAppName !== appName) {
-      this.appConfig = null;
-    }
+    // App name changed - state will be reset by updateDependencies
     
     // Update super admin status when user changes
     // This allows super admins to select events from any organisation
+    // RBAC should be initialized synchronously by UnifiedAuthProvider, so this should always work
     if (user?.id) {
       try {
-        this.isSuperAdmin = await isSuperAdmin(user.id as UUID);
+        const { isRBACInitialized, isSuperAdmin: checkSuperAdmin, setupRBAC } = await import('../rbac/api');
+        
+        // Ensure RBAC is initialized if possible (defensive check for edge cases)
+        if (!isRBACInitialized() && this.supabaseClient) {
+          setupRBAC(this.supabaseClient);
+        }
+
+        if (isRBACInitialized()) {
+          this.isSuperAdmin = await checkSuperAdmin(user.id as UUID);
+          logger.debug('EventService', 'Super admin status updated in updateDependencies', {
+            userId: user.id,
+            isSuperAdmin: this.isSuperAdmin
+          });
+        } else {
+          // RBAC not initialized - this should be rare since UnifiedAuthProvider initializes it synchronously
+          // Keep existing value (don't reset to false) to avoid clearing a previously determined super admin status
+          logger.warn('EventService', 'RBAC not initialized in updateDependencies, keeping existing super admin status', {
+            userId: user.id,
+            existingIsSuperAdmin: this.isSuperAdmin,
+            note: 'RBAC should be initialized by UnifiedAuthProvider. This may indicate EventService is being used outside the provider.'
+          });
+        }
       } catch (error) {
-        logger.warn('EventService', 'Failed to check super admin status', { error });
-        this.isSuperAdmin = false; // Default to false on error
+        logger.warn('EventService', 'Failed to check super admin status in updateDependencies', { 
+          error,
+          userId: user.id,
+          existingIsSuperAdmin: this.isSuperAdmin
+        });
+        // Don't reset to false on error - keep existing value to avoid blocking super admins
+        // The error might be transient, and we don't want to clear a valid super admin status
       }
     } else {
       this.isSuperAdmin = false;
@@ -131,14 +172,26 @@ export class EventService extends BaseService implements IEventService {
       this.resetInitialization(); // Reset BaseService's isInitialized flag
       this.isInitializedRef = false;
       this.isFetchingRef = false;
+      
+      // SECURITY: Super admins can see events regardless of organisation context
+      // Do not clear events for super admins when organisation context is removed
+      const shouldClearEvents = !this.isSuperAdmin;
+
       // Clear events ONLY when switching between different organisations (not when org first becomes available)
       if (previousOrgId !== null && newOrgId !== null && previousOrgId !== newOrgId) {
-        this.events = [];
-        this.selectedEvent = null;
+        if (shouldClearEvents) {
+          this.events = [];
+          // Use setSelectedEvent(null) to preserve userClearedEventRef flag if user explicitly cleared
+          // This prevents auto-selection from re-selecting the event after org switch
+          this.setSelectedEvent(null);
+        }
       } else if (previousOrgId !== null && newOrgId === null) {
-        // Organisation was removed - clear events
-        this.events = [];
-        this.selectedEvent = null;
+        // Organisation was removed - clear events if not super admin
+        if (shouldClearEvents) {
+          this.events = [];
+          // Use setSelectedEvent(null) to preserve userClearedEventRef flag if user explicitly cleared
+          this.setSelectedEvent(null);
+        }
       }
     }
     
@@ -220,7 +273,7 @@ export class EventService extends BaseService implements IEventService {
         const persistedEvent = events.find(event => event.event_id === persistedEventId);
         
         if (persistedEvent) {
-          // Use setSelectedEvent() to go through same path as EventSelector
+          // Use setSelectedEvent() to ensure consistent behavior
           // This ensures consistent behavior and proper notification
           // Theme will be applied by useEventTheme hook once user navigates away from login
           this.setSelectedEvent(persistedEvent);
@@ -315,11 +368,13 @@ export class EventService extends BaseService implements IEventService {
   protected async doInitialize(): Promise<void> {
     // Skip if already initialized
     if (this.isInitializedRef) {
+      logger.debug('EventService', 'Skipping initialization - already initialized');
       return;
     }
     
     // Skip if already fetching
     if (this.isFetchingRef) {
+      logger.debug('EventService', 'Skipping initialization - already fetching');
       return;
     }
     
@@ -336,14 +391,27 @@ export class EventService extends BaseService implements IEventService {
     // For event-required apps, selectedOrganisation may be null (org derived from event)
     // For org-required apps, selectedOrganisation is required
     if (!this.user) {
+      logger.debug('EventService', 'Skipping initialization - no user');
       return;
     }
     
+    logger.debug('EventService', 'Initializing', {
+      userId: this.user.id,
+      appName: this.appName,
+      hasSelectedOrganisation: !!this.selectedOrganisation,
+      hasSupabaseClient: !!this.supabaseClient,
+      hasSession: !!this.session
+    });
+    
     // Initial setup - fetch events on initialization
     await this.fetchEvents(false);
     
     // Mark as initialized after successful fetch
     this.isInitializedRef = true;
+    logger.debug('EventService', 'Initialization complete', {
+      eventsCount: this.events.length,
+      hasError: !!this.error
+    });
   }
 
   protected doCleanup(): void {
@@ -372,18 +440,7 @@ export class EventService extends BaseService implements IEventService {
     let isMounted = true;
 
     try {
-      // Load app config if not already cached (only once per app)
-      if (!this.appConfig && this.appName) {
-        try {
-          this.appConfig = await getAppConfigByName(this.appName);
-        } catch (configError) {
-          logger.warn('EventService', 'Failed to load app config, defaulting to event-required', {
-            error: configError
-          });
-          // Default to event-required for safety
-          this.appConfig = { requires_event: true };
-        }
-      }
+      // Scope is now page-level only - no app-level config needed
 
       // Determine organisationId for RPC call
       // For event-required apps: org is derived from selectedEvent (if available), or null to get all accessible events
@@ -392,58 +449,119 @@ export class EventService extends BaseService implements IEventService {
       let organisationIdForRpc: string | null = null;
       
       // Check if user is super admin first
-      let userIsSuperAdmin = false;
+      // RBAC should be initialized synchronously by UnifiedAuthProvider before EventService is used
+      // Use cached value as fallback for edge cases (e.g., EventService used outside UnifiedAuthProvider)
+      let userIsSuperAdmin = this.isSuperAdmin; // Start with cached value from updateDependencies
       try {
-        userIsSuperAdmin = await isSuperAdmin(this.user.id as UUID);
+        const { isRBACInitialized, isSuperAdmin: checkSuperAdmin, setupRBAC } = await import('../rbac/api');
+        
+        // Ensure RBAC is initialized if possible (defensive check for edge cases)
+        if (!isRBACInitialized() && this.supabaseClient) {
+          setupRBAC(this.supabaseClient);
+        }
+
+        // Check super admin status if RBAC is ready
+        // RBAC should always be initialized by UnifiedAuthProvider, but we check defensively
+        if (isRBACInitialized()) {
+          userIsSuperAdmin = await checkSuperAdmin(this.user.id as UUID);
+          // Update cached value for future use
+          this.isSuperAdmin = userIsSuperAdmin;
+          logger.debug('EventService', 'Super admin check completed', {
+            userId: this.user.id,
+            isSuperAdmin: userIsSuperAdmin
+          });
+        } else {
+          // RBAC not initialized - this should be rare since UnifiedAuthProvider initializes it synchronously
+          // Use cached value from updateDependencies as fallback
+          // If cached value is true, trust it to avoid blocking super admins
+          if (this.isSuperAdmin) {
+            userIsSuperAdmin = true;
+            logger.warn('EventService', 'RBAC not initialized, using cached super admin status', {
+              userId: this.user.id,
+              cachedIsSuperAdmin: this.isSuperAdmin,
+              note: 'RBAC should be initialized by UnifiedAuthProvider. This may indicate EventService is being used outside the provider.'
+            });
+          } else {
+            logger.warn('EventService', 'RBAC not initialized, using cached non-super-admin status', {
+              userId: this.user.id,
+              cachedIsSuperAdmin: this.isSuperAdmin,
+              note: 'RBAC should be initialized by UnifiedAuthProvider. This may indicate EventService is being used outside the provider.'
+            });
+          }
+        }
+        
         if (userIsSuperAdmin) {
           // Super admin: Pass null to see all events across all organisations
           organisationIdForRpc = null;
         } else {
-          // Not super admin: determine org from context based on app type
+          // Not super admin: determine org from available context
+          // Scope is now page-level only - use whatever context is available
           if (this.selectedEvent) {
             // If event is already selected, use its organisation
             organisationIdForRpc = this.selectedEvent.organisation_id;
-          } else if (this.appConfig?.requires_event === true) {
-            // Event-required app with no selected event yet: pass null to get all accessible events
-            // The RPC will filter by event app roles, returning all events the user has access to
-            organisationIdForRpc = null;
           } else if (this.selectedOrganisation) {
-            // Org-required app: use selected organisation
+            // Use selected organisation
             organisationIdForRpc = this.selectedOrganisation.id;
           } else {
-            // No context available - this shouldn't happen for authenticated users
-            logger.warn('EventService', 'No organisation context available for event fetch', {
+            // No context available - pass null to get all accessible events via event-app roles
+            // This allows users with event-app roles to see their events even without org context
+            logger.debug('EventService', 'No organisation context available, fetching all accessible events', {
               hasSelectedEvent: !!this.selectedEvent,
-              hasSelectedOrganisation: !!this.selectedOrganisation,
-              appRequiresEvent: this.appConfig?.requires_event
+              hasSelectedOrganisation: !!this.selectedOrganisation
             });
-            organisationIdForRpc = null; // Will return empty list
+            organisationIdForRpc = null; // Will return events user has access to via event-app roles
           }
         }
       } catch (superAdminCheckError) {
-        // If super admin check fails, fall back to organisation-scoped query
-        logger.warn('EventService', 'Failed to check super admin status, using organisation-scoped query', {
-          error: superAdminCheckError
-        });
-        // Fallback: use available context
-        if (this.selectedEvent) {
-          organisationIdForRpc = this.selectedEvent.organisation_id;
-        } else if (this.appConfig?.requires_event === true) {
-          // Event-required app: pass null to get all accessible events
-          organisationIdForRpc = null;
-        } else if (this.selectedOrganisation) {
-          organisationIdForRpc = this.selectedOrganisation.id;
+        // If super admin check fails, use cached value as fallback
+        // If cached value is true, trust it to avoid blocking super admins
+        if (this.isSuperAdmin) {
+          userIsSuperAdmin = true;
+          organisationIdForRpc = null; // Super admin gets all events
+          logger.warn('EventService', 'Super admin check failed, using cached super admin status', {
+            error: superAdminCheckError,
+            cachedIsSuperAdmin: this.isSuperAdmin
+          });
+        } else {
+          // Fallback: use available context
+          logger.warn('EventService', 'Failed to check super admin status, using organisation-scoped query', {
+            error: superAdminCheckError,
+            cachedIsSuperAdmin: this.isSuperAdmin
+          });
+          if (this.selectedEvent) {
+            organisationIdForRpc = this.selectedEvent.organisation_id;
+          } else if (this.selectedOrganisation) {
+            organisationIdForRpc = this.selectedOrganisation.id;
+          } else {
+            // No context - pass null to get all accessible events via event-app roles
+            organisationIdForRpc = null;
+          }
         }
       }
       
       // Call the RPC function following the established pattern
       // For super admins, pass null for p_organisation_id to see all events
+      logger.debug('EventService', 'Fetching events', {
+        userId: this.user.id,
+        organisationIdForRpc,
+        appName: this.appName,
+        hasSelectedEvent: !!this.selectedEvent,
+        hasSelectedOrganisation: !!this.selectedOrganisation,
+        isSuperAdmin: userIsSuperAdmin
+      });
+      
       let { data, error: rpcError } = await this.supabaseClient.rpc('data_user_events_get', {
         p_user_id: this.user.id,
         p_organisation_id: organisationIdForRpc,
         p_app_name: this.appName
       });
       
+      logger.debug('EventService', 'RPC response', {
+        dataLength: data?.length || 0,
+        hasError: !!rpcError,
+        error: rpcError
+      });
+      
       if (rpcError) {
         logger.error('EventService', 'RPC error fetching events:', rpcError);
         throw new Error(rpcError.message || 'Failed to fetch events');
@@ -482,7 +600,21 @@ export class EventService extends BaseService implements IEventService {
           updated_at: new Date().toISOString()
         }));
 
-        this.events = transformedEvents;
+        // Sort events by event_date descending (newest first)
+        // Handle null dates by putting them at the end
+        const sortedEvents = [...transformedEvents].sort((a, b) => {
+          // If both have dates, sort descending (newest first)
+          if (a.event_date && b.event_date) {
+            return new Date(b.event_date).getTime() - new Date(a.event_date).getTime();
+          }
+          // If only one has a date, prioritize the one with a date
+          if (a.event_date && !b.event_date) return -1;
+          if (!a.event_date && b.event_date) return 1;
+          // If neither has a date, maintain original order
+          return 0;
+        });
+        
+        this.events = sortedEvents;
         this.error = null;
 
         // Reset auto-selection ref for new events

package/src/services/OrganisationService.ts

@@ -20,7 +20,6 @@ import type {
 import { setOrganisationContext } from '../utils/context/organisationContext';
 import { logger } from '../utils/core/logger';
 import { assertUserId, assertOrganisationId } from '../types/core';
-import { isSuperAdmin } from '../rbac/api';
 import type { UUID } from '../rbac/types';
 
 // Type for RPC response from data_user_organisation_roles_get
@@ -42,6 +41,8 @@ interface OrganisationRoleRpcResponse {
 }
 
 export class OrganisationService extends BaseService implements IOrganisationService {
+  private static instanceCount = 0;
+  private instanceId: number;
   private _selectedOrganisation: Organisation | null = null;
   private _organisations: Organisation[] = [];
   private _userMemberships: OrganisationMembership[] = [];
@@ -65,9 +66,18 @@ export class OrganisationService extends BaseService implements IOrganisationSer
 
   constructor(supabaseClient: SupabaseClient, user: User | null, session: Session | null) {
     super();
+    this.instanceId = ++OrganisationService.instanceCount;
     this.supabaseClient = supabaseClient;
     this.user = user;
     this.session = session;
+    logger.debug('OrganisationService', `Instance created [ID:${this.instanceId}]`, {
+      hasUser: !!user,
+      userId: user?.id
+    });
+  }
+
+  getInstanceId(): number {
+    return this.instanceId;
   }
 
   // Interface implementation
@@ -144,23 +154,43 @@ export class OrganisationService extends BaseService implements IOrganisationSer
 
   // Update dependencies
   updateDependencies(user: User | null, session: Session | null): void {
-    const wasAuthenticated = !!(this.user && this.session);
-    const isAuthenticated = !!(user && session);
+    const previousUserId = this.user?.id || null;
+    const newUserId = user?.id || null;
     
-    // Reset super admin cache when user changes
-    if (this.user?.id !== user?.id) {
+    // Only reset if the User ID has actually changed (null -> ID or ID -> different ID)
+    const userChanged = previousUserId !== newUserId;
+    const needsRetry = this._error !== null && !this.isLoadingRef;
+    const isEmpty = newUserId !== null && this._organisations.length === 0 && !this.isLoadingRef;
+
+    if (userChanged || needsRetry || isEmpty) {
+      if (userChanged) {
+        logger.debug('OrganisationService', `User changed [ID:${this.instanceId}], resetting initialization`, {
+          previousUserId,
+          newUserId
+        });
+      } else if (needsRetry) {
+        logger.debug('OrganisationService', `Previous error detected [ID:${this.instanceId}], retrying initialization`);
+      } else if (isEmpty) {
+        logger.debug('OrganisationService', `No organisations found [ID:${this.instanceId}], retrying initialization`);
+      }
+      
       this._isSuperAdmin = false;
+      this.resetInitialization();
+      
+      // Only clear all state if the user actually changed
+      if (userChanged) {
+        this._organisations = [];
+        this._userMemberships = [];
+        this._roleMapState = new Map();
+        this._selectedOrganisation = null;
+        this._isContextReady = false;
+      }
+      this.lastLoadTimeRef = 0; // Allow immediate reload
     }
     
     this.user = user;
     this.session = session;
     
-    // If user logs out, allow re-initialization when they log back in
-    if (wasAuthenticated && !isAuthenticated) {
-      // Reset BaseService initialization state to allow re-initialization
-      this.resetInitialization();
-    }
-    
     this.notify();
   }
 
@@ -260,6 +290,13 @@ export class OrganisationService extends BaseService implements IOrganisationSer
 
   // Lifecycle methods
   async initialize(): Promise<void> {
+    // SECURITY: Only initialize if we have an authenticated user
+    // This prevents premature initialization during early auth states
+    if (!this.user) {
+      logger.debug('OrganisationService', 'Skipping initialization - no user');
+      return;
+    }
+
     await super.initialize();
     
     // Don't load if already loading (prevents duplicate loads during rapid auth events)
@@ -351,8 +388,9 @@ export class OrganisationService extends BaseService implements IOrganisationSer
     }
 
     // Prevent rapid retries - minimum 2 seconds between attempts
+    // Skip this check if we don't have any organisations yet
     const now = Date.now();
-    if (now - this.lastLoadTimeRef < 2000) {
+    if (this._organisations.length > 0 && now - this.lastLoadTimeRef < 2000) {
       // Ensure loading state is correct
       if (this._organisations.length > 0 || this._selectedOrganisation) {
         this._isLoading = false;
@@ -377,6 +415,10 @@ export class OrganisationService extends BaseService implements IOrganisationSer
     this._isLoading = true;
     this._error = null;
     this.notify();
+
+    logger.debug('OrganisationService', 'Loading organisations for user', {
+      userId: this.user.id
+    });
       
     try {
       // Get user's organisation roles directly from rbac_organisation_roles table
@@ -458,6 +500,11 @@ export class OrganisationService extends BaseService implements IOrganisationSer
         
         organisations = Array.from(organisationsMap.values());
         
+        logger.debug('OrganisationService', 'Query results', {
+          membershipsCount: memberships.length,
+          organisationsCount: organisations.length
+        });
+        
         // Extract organisations from join results
       } catch (queryError) {
         // Extract error message properly from Supabase error objects
@@ -476,7 +523,20 @@ export class OrganisationService extends BaseService implements IOrganisationSer
       let userIsSuperAdmin = false;
       if (this.user?.id) {
         try {
-          userIsSuperAdmin = await isSuperAdmin(this.user.id as UUID);
+          // Dynamic import to avoid circular dependencies and ensure RBAC is initialized
+          const { isSuperAdmin: checkSuperAdmin, isRBACInitialized, setupRBAC } = await import('../rbac/api');
+          
+          // Ensure RBAC is initialized if possible
+          if (!isRBACInitialized() && this.supabaseClient) {
+            setupRBAC(this.supabaseClient);
+          }
+          
+          if (isRBACInitialized()) {
+            userIsSuperAdmin = await checkSuperAdmin(this.user.id as UUID);
+          } else {
+            userIsSuperAdmin = false;
+          }
+          
           this._isSuperAdmin = userIsSuperAdmin; // Cache the result
         } catch (error) {
           logger.warn('OrganisationService', 'Failed to check super admin status', { error });
@@ -542,7 +602,14 @@ export class OrganisationService extends BaseService implements IOrganisationSer
         throw new Error('User has no access to active organisations') as OrganisationSecurityError;
       }
 
-      this._organisations = activeOrgs;
+      // Sort organisations alphabetically by display_name
+      const sortedOrgs = [...activeOrgs].sort((a, b) => {
+        const nameA = (a.display_name || a.name || '').toLowerCase();
+        const nameB = (b.display_name || b.name || '').toLowerCase();
+        return nameA.localeCompare(nameB);
+      });
+      
+      this._organisations = sortedOrgs;
       // Memberships already have branded types from earlier mapping
       this._userMemberships = memberships as OrganisationMembership[];