@jmruthers/pace-core 0.6.11 → 0.6.12

package/src/rbac/components/PagePermissionGuard.test.tsx

@@ -45,6 +45,11 @@ vi.mock('../../utils/app/appNameResolver', () => ({
   getCurrentAppName: vi.fn()
 }));
 
+// Mock useSuperAdminCheck so guard does not wait on async super-admin check
+vi.mock('../hooks/useSuperAdminCheck', () => ({
+  useSuperAdminCheck: () => ({ isSuperAdmin: false })
+}));
+
 // Mock the RBAC API for super admin checks
 vi.mock('../api', async () => {
   const actual = await vi.importActual('../api');
@@ -546,7 +551,7 @@ describe('PagePermissionGuard Component', () => {
         'read:page.dashboard',
         'dashboard',
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (from mocked useSuperAdminCheck)
         'test-app'
       );
     });
@@ -582,7 +587,7 @@ describe('PagePermissionGuard Component', () => {
         'read:page.dashboard',
         'dashboard',
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (from mocked useSuperAdminCheck)
         'test-app'
       );
     });
@@ -650,7 +655,7 @@ describe('PagePermissionGuard Component', () => {
         'read:page.dashboard',
         'dashboard',
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (from mocked useSuperAdminCheck)
         'test-app'
       );
     });
@@ -719,7 +724,7 @@ describe('PagePermissionGuard Component', () => {
         'read:page.dashboard',
         'dashboard',
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (from mocked useSuperAdminCheck)
         'test-app'
       );
     });
@@ -1268,7 +1273,7 @@ describe('PagePermissionGuard Component', () => {
         'read:page.dashboard',
         'dashboard',
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (from mocked useSuperAdminCheck)
         'PORTAL'
       );
     }, TEST_TIMEOUT);
@@ -1320,7 +1325,7 @@ describe('PagePermissionGuard Component', () => {
         'read:page.dashboard',
         'dashboard',
         true,
-        null,
+        false,
         'ADMIN'
       );
     }, TEST_TIMEOUT);
@@ -1364,7 +1369,7 @@ describe('PagePermissionGuard Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
 
-      // Should use contextAppId as fallback
+      // Should use contextAppId as fallback (precomputedSuperAdmin is false from mocked useSuperAdminCheck)
       expect(mockUseCanFn).toHaveBeenCalledWith(
         'user-123',
         expect.objectContaining({
@@ -1373,7 +1378,7 @@ describe('PagePermissionGuard Component', () => {
         'read:page.dashboard',
         'dashboard',
         true,
-        null,
+        false,
         'PORTAL'
       );
     }, TEST_TIMEOUT);
@@ -1403,7 +1408,7 @@ describe('PagePermissionGuard Component', () => {
         error: null
       });
 
-      render(
+      const { rerender } = render(
         <PagePermissionGuard
           pageName={mockPageName}
           operation={mockOperation}
@@ -1415,12 +1420,20 @@ describe('PagePermissionGuard Component', () => {
       // Component should show loading state
       expect(screen.getByText('Checking permissions...')).toBeInTheDocument();
 
-      // Then resolve the permission check
+      // Then resolve the permission check and trigger re-render so the guard sees the update
       mockUseCanFn.mockReturnValue({
         can: true,
         isLoading: false,
         error: null
       });
+      rerender(
+        <PagePermissionGuard
+          pageName={mockPageName}
+          operation={mockOperation}
+        >
+          <TestComponent>Protected Page</TestComponent>
+        </PagePermissionGuard>
+      );
 
       await waitFor(() => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();

package/src/rbac/engine.ts

@@ -91,11 +91,28 @@ export class RBACEngine {
       // Validate input
       const validation = await this.securityMiddleware.validateInput(input, securityContext);
       if (!validation.isValid) {
+        const scopeRejected = validation.errors.includes('Invalid scope format');
+        getRBACLogger().warn('[RBAC] Validation failed — check that an event is selected if the Menu/units page requires it.', {
+          errors: validation.errors,
+          scope: input.scope,
+          permission: input.permission,
+        });
         RBACSecurityValidator.logSecurityEvent({
           type: 'invalid_input',
           userId,
-          details: { errors: validation.errors, input: JSON.stringify(input) },
+          details: {
+            errors: validation.errors,
+            input: JSON.stringify(input),
+            ...(scopeRejected && { scopeRejected: input.scope }),
+          },
         });
+        if (scopeRejected) {
+          getRBACLogger().warn('[RBAC] Invalid scope (from middleware). Scope must have at least one of organisationId, eventId, appId; no empty strings.', {
+            scope: input.scope,
+            permission: input.permission,
+            userId,
+          });
+        }
         return false;
       }
 
@@ -137,6 +154,11 @@ export class RBACEngine {
           userId,
           details: { error: 'Invalid scope format', scope },
         });
+        getRBACLogger().warn('[RBAC] Invalid scope (engine check). Scope must have at least one of organisationId, eventId, appId; no empty strings.', {
+          scope,
+          permission,
+          userId,
+        });
         return false;
       }
 

package/src/rbac/hooks/permissions/runPermissionCheck.ts

@@ -1,6 +1,7 @@
 import type { ApiResult } from '../../../types/api-result';
 import type { Permission, Scope, UUID } from '../../types';
 import { isPermitted, isPermittedCached } from '../../api';
+import { getRBACConfig, getRBACLogger } from '../../config';
 
 const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 
@@ -56,16 +57,29 @@ export async function runPermissionCheck(params: {
     !UUID_REGEX.test(pageId);
   const needsAppIdForPageName = isPagePermission && !!isPageName;
 
-  if (needsAppIdForPageName && isEmptyString(appId)) {
+  // Only deny early when appId is missing and we cannot resolve it (no eventId).
+  // When eventId is present, pass scope through so api layer can resolve appId from current app name.
+  if (needsAppIdForPageName && isEmptyString(appId) && isEmptyString(eventId)) {
     return { ok: true, data: false };
   }
 
+  // Build scope with only non-empty values so we never send scope that fails validateScope (no empty strings)
   const validScope: Scope = {
-    ...(organisationId ? { organisationId } : {}),
-    ...(eventId ? { eventId } : {}),
-    ...(appId ? { appId } : {}),
+    ...(!isEmptyString(organisationId) && organisationId ? { organisationId } : {}),
+    ...(!isEmptyString(eventId) && eventId ? { eventId } : {}),
+    ...(!isEmptyString(appId) && appId ? { appId } : {}),
   };
 
+  // Never call engine with empty scope — validateScope requires at least one of org/event/app; otherwise engine logs invalid_input
+  if (!validScope.organisationId && !validScope.eventId && !validScope.appId) {
+    return { ok: true, data: false };
+  }
+
+  const config = getRBACConfig();
+  if (config?.debug || config?.logLevel === 'debug') {
+    getRBACLogger().debug('[RBAC] runPermissionCheck', { scope: validScope, permission, pageId, useCache });
+  }
+
   if (useCache) {
     return isPermittedCached({ userId, scope: validScope, permission, pageId }, appName);
   }

package/src/rbac/hooks/permissions/useCan.test.ts

@@ -35,7 +35,7 @@ vi.mock('../../api', async () => {
   };
 });
 
-// Mock RBAC logger
+// Mock RBAC config (runPermissionCheck calls getRBACConfig)
 vi.mock('../../config', () => ({
   getRBACLogger: vi.fn(() => ({
     warn: vi.fn(),
@@ -43,15 +43,21 @@ vi.mock('../../config', () => ({
     info: vi.fn(),
     debug: vi.fn(),
   })),
+  getRBACConfig: vi.fn().mockReturnValue({ debug: false, logLevel: 'warn' as const }),
 }));
 
 import { isPermitted, isPermittedCached, isSuperAdmin } from '../../api';
 
 const mockUserId = 'user-123';
+// Valid UUIDs so RBACSecurityValidator.validateScope passes in API
+const VALID_ORG_ID = '00000000-0000-0000-0000-000000000001';
+const VALID_APP_ID = '00000000-0000-0000-0000-000000000002';
+const VALID_EVENT_ID = '00000000-0000-0000-0000-000000000003';
+const VALID_ORG_ID_2 = '00000000-0000-0000-0000-000000000099'; // second org for refetch tests
 const mockScope = {
-  organisationId: 'org-123',
-  eventId: 'event-123',
-  appId: 'app-123',
+  organisationId: VALID_ORG_ID,
+  eventId: VALID_EVENT_ID,
+  appId: VALID_APP_ID,
 };
 const mockPermission = 'read:users' as const;
 
@@ -272,7 +278,7 @@ describe('useCan Hook', () => {
 
     it('times out when organisation context is missing for resource-level permission', async () => {
       vi.useFakeTimers();
-      const scopeWithoutOrg = { eventId: 'event-123' };
+      const scopeWithoutOrg = { eventId: VALID_EVENT_ID };
 
       const { result } = renderHook(() =>
         useCan(mockUserId, scopeWithoutOrg, mockPermission)
@@ -292,7 +298,7 @@ describe('useCan Hook', () => {
 
     it('allows undefined organisationId for page-level permissions', async () => {
       const pagePermission = 'read:page.users' as const;
-      const scopeWithoutOrg = { eventId: 'event-123' };
+      const scopeWithoutOrg = { eventId: VALID_EVENT_ID };
       mockIsPermittedCached.mockResolvedValue({ ok: true, data: true });
 
       const { result } = renderHook(() =>
@@ -310,7 +316,7 @@ describe('useCan Hook', () => {
       const pageId = 'page-123';
       // pageId is a UUID, so it doesn't need appId
       // Provide valid scope with eventId and appId
-      const scopeWithoutOrg = { eventId: 'event-123', appId: 'app-123' };
+      const scopeWithoutOrg = { eventId: VALID_EVENT_ID, appId: VALID_APP_ID };
       mockIsPermittedCached.mockResolvedValue({ ok: true, data: true });
       // Set precomputedSuperAdmin to false to skip super admin check
       mockIsSuperAdmin.mockResolvedValue({ ok: true, data: false });
@@ -335,7 +341,7 @@ describe('useCan Hook', () => {
 
     it('waits for appId when pageId is a pageName (not UUID)', async () => {
       const pageName = 'users-page'; // Not a UUID
-      const scopeWithoutAppId = { organisationId: 'org-123' };
+      const scopeWithoutAppId = { organisationId: VALID_ORG_ID };
       mockIsPermittedCached.mockResolvedValue({ ok: true, data: true });
 
       const { result, rerender } = renderHook(
@@ -349,7 +355,7 @@ describe('useCan Hook', () => {
       expect(result.current.isLoading).toBe(true);
 
       // Provide appId
-      const scopeWithAppId = { ...scopeWithoutAppId, appId: 'app-123' };
+      const scopeWithAppId = { ...scopeWithoutAppId, appId: VALID_APP_ID };
       rerender({ scope: scopeWithAppId });
 
       await waitFor(() => {
@@ -361,9 +367,42 @@ describe('useCan Hook', () => {
       }, { timeout: WAIT_FOR_TIMEOUT });
     }, TEST_TIMEOUT);
 
+    it('calls API when scope has eventId but no appId for page-name permission (appId resolved in api)', async () => {
+      const pageName = 'items';
+      const pagePermission = 'read:page.items' as const;
+      const scopeWithEventNoApp = { organisationId: VALID_ORG_ID, eventId: VALID_EVENT_ID };
+      mockIsPermittedCached.mockResolvedValue({ ok: true, data: true });
+
+      const { result } = renderHook(() =>
+        useCan(mockUserId, scopeWithEventNoApp, pagePermission, pageName)
+      );
+
+      await waitFor(() => {
+        expect(mockIsPermittedCached).toHaveBeenCalled();
+      }, { timeout: WAIT_FOR_TIMEOUT });
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+        expect(result.current.can).toBe(true);
+      }, { timeout: WAIT_FOR_TIMEOUT });
+
+      expect(mockIsPermittedCached).toHaveBeenCalledWith(
+        expect.objectContaining({
+          userId: mockUserId,
+          scope: expect.objectContaining({
+            organisationId: VALID_ORG_ID,
+            eventId: VALID_EVENT_ID,
+          }),
+          permission: pagePermission,
+          pageId: pageName,
+        }),
+        undefined
+      );
+    }, TEST_TIMEOUT);
+
     it('clears error when organisation context becomes available', async () => {
       vi.useFakeTimers();
-      const scopeWithoutOrg = { eventId: 'event-123' };
+      const scopeWithoutOrg = { eventId: VALID_EVENT_ID };
 
       const { result, rerender } = renderHook(
         ({ scope }) => useCan(mockUserId, scope, mockPermission),
@@ -381,7 +420,7 @@ describe('useCan Hook', () => {
       }, { timeout: WAIT_FOR_TIMEOUT });
 
       // Provide organisation context
-      const scopeWithOrg = { ...scopeWithoutOrg, organisationId: 'org-123' };
+      const scopeWithOrg = { ...scopeWithoutOrg, organisationId: VALID_ORG_ID };
       mockIsPermittedCached.mockResolvedValue({ ok: true, data: true });
       rerender({ scope: scopeWithOrg });
 
@@ -413,11 +452,11 @@ describe('useCan Hook', () => {
 
     it('allows undefined organisationId for page-level permissions', async () => {
       const pagePermission = 'read:page.users' as const;
-      const scopeWithoutOrg = {};
+      const scopeWithAppIdOnly = { appId: VALID_APP_ID };
       mockIsPermittedCached.mockResolvedValue({ ok: true, data: true });
 
       const { result } = renderHook(() =>
-        useCan(mockUserId, scopeWithoutOrg, pagePermission)
+        useCan(mockUserId, scopeWithAppIdOnly, pagePermission)
       );
 
       await waitFor(() => {
@@ -429,7 +468,7 @@ describe('useCan Hook', () => {
     it('treats permission with pageId as page-level', async () => {
       const pageId = 'page-123';
       // Provide valid scope with eventId and appId
-      const scopeWithoutOrg = { eventId: 'event-123', appId: 'app-123' };
+      const scopeWithoutOrg = { eventId: VALID_EVENT_ID, appId: VALID_APP_ID };
       mockIsPermittedCached.mockResolvedValue({ ok: true, data: true });
       // Set precomputedSuperAdmin to false to skip super admin check
       mockIsSuperAdmin.mockResolvedValue({ ok: true, data: false });
@@ -509,7 +548,7 @@ describe('useCan Hook', () => {
         expect(result.current.isLoading).toBe(false);
       }, { timeout: WAIT_FOR_TIMEOUT });
 
-      const newScope = { ...mockScope, organisationId: 'org-456' };
+      const newScope = { ...mockScope, organisationId: VALID_ORG_ID_2 };
       rerender({ scope: newScope });
 
       await waitFor(() => {
@@ -600,11 +639,11 @@ describe('useCan Hook', () => {
 
       const _initialCallCount = mockIsPermittedCached.mock.calls.length;
 
-      // Create new scope object with same values
+      // Create new scope object with same values (valid UUIDs)
       const newScope = {
-        organisationId: 'org-123',
-        eventId: 'event-123',
-        appId: 'app-123',
+        organisationId: VALID_ORG_ID,
+        eventId: VALID_EVENT_ID,
+        appId: VALID_APP_ID,
       };
       rerender({ scope: newScope });
 
@@ -713,7 +752,7 @@ describe('useCan Hook', () => {
 
       // Rapid changes
       rerender({ userId: 'user-2', scope: mockScope });
-      rerender({ userId: mockUserId, scope: { ...mockScope, organisationId: 'org-2' } });
+      rerender({ userId: mockUserId, scope: { ...mockScope, organisationId: VALID_ORG_ID_2 } });
       rerender({ userId: mockUserId, scope: mockScope });
 
       await waitFor(() => {

package/src/rbac/hooks/permissions/useCan.ts

@@ -87,7 +87,7 @@ function useSuperAdminForCan(
  * Hook to check if user can perform an action
  *
  * @param userId - User ID
- * @param scope - Scope for permission checking
+ * @param scope - Scope for permission checking; null means scope not yet resolved — permission check stays in loading, no RPC is called
  * @param permission - Permission to check
  * @param pageId - Optional page ID
  * @param useCache - Whether to use cached results
@@ -108,7 +108,7 @@ function useSuperAdminForCan(
  */
 export function useCan(
   userId: UUID,
-  scope: Scope,
+  scope: Scope | null,
   permission: Permission,
   pageId?: UUID,
   useCache: boolean = true,
@@ -129,7 +129,11 @@ export function useCan(
   const [isLoading, setIsLoading] = useState<boolean>(initialIsLoading);
   const [error, setError] = useState<Error | null>(null);
 
-  const isValidScope = scope && typeof scope === 'object';
+  // Require at least one identifier so we never call the RPC with scope that fails validateScope
+  const isValidScope =
+    scope != null &&
+    typeof scope === 'object' &&
+    !!(scope.organisationId || scope.eventId || scope.appId);
   const organisationId = isValidScope ? scope.organisationId : undefined;
   const eventId = isValidScope ? scope.eventId : undefined;
   const appId = isValidScope ? scope.appId : undefined;

package/src/rbac/hooks/permissions/useMultiplePermissions.ts

@@ -7,7 +7,7 @@ import { Permission, Scope, UUID } from '../../types';
  * Hook to check multiple permissions at once
  *
  * @param userId - User ID
- * @param scope - Scope for permission checking
+ * @param scope - Scope for permission checking; null means scope not yet resolved — stays loading, no API call
  * @param permissions - Array of permissions to check
  * @param useCache - Whether to use cached results
  * @returns Multiple permission check results
@@ -36,7 +36,7 @@ import { Permission, Scope, UUID } from '../../types';
  */
 export function useMultiplePermissions(
   userId: UUID,
-  scope: Scope,
+  scope: Scope | null,
   permissions: Permission[],
   useCache: boolean = true
 ): {
@@ -76,6 +76,12 @@ export function useMultiplePermissions(
       return;
     }
 
+    if (scope === null) {
+      setIsLoading(true);
+      setError(null);
+      return;
+    }
+
     // Prevent concurrent runs
     if (isCheckingRef.current) {
       return;
@@ -109,6 +115,9 @@ export function useMultiplePermissions(
       isCheckingRef.current = false;
     }
   }, [userId, scope, permissions, useCache]);
+  const scopeOrgId = scope?.organisationId;
+  const scopeEventId = scope?.eventId;
+  const scopeAppId = scope?.appId;
 
   useEffect(() => {
     // Serialize permissions array for comparison
@@ -117,24 +126,24 @@ export function useMultiplePermissions(
     // Check if anything actually changed
     const hasChanged =
       prevValuesRef.current.userId !== userId ||
-      prevValuesRef.current.organisationId !== scope.organisationId ||
-      prevValuesRef.current.eventId !== scope.eventId ||
-      prevValuesRef.current.appId !== scope.appId ||
+      prevValuesRef.current.organisationId !== scopeOrgId ||
+      prevValuesRef.current.eventId !== scopeEventId ||
+      prevValuesRef.current.appId !== scopeAppId ||
       prevValuesRef.current.permissions !== permissionsKey ||
       prevValuesRef.current.useCache !== useCache;
 
     if (hasChanged) {
       prevValuesRef.current = {
         userId,
-        organisationId: scope.organisationId,
-        eventId: scope.eventId,
-        appId: scope.appId,
+        organisationId: scopeOrgId,
+        eventId: scopeEventId,
+        appId: scopeAppId,
         permissions: permissionsKey,
         useCache,
       };
       checkPermissions();
     }
-  }, [userId, scope.organisationId, scope.eventId, scope.appId, permissions, useCache, checkPermissions]);
+  }, [userId, scopeOrgId, scopeEventId, scopeAppId, permissions, useCache, checkPermissions]);
 
   // Memoize the return object to prevent unnecessary re-renders
   return useMemo(() => ({

package/src/rbac/hooks/useCan.test.ts

@@ -887,14 +887,13 @@ describe('useCan Hook', () => {
         useCan(mockUserId, scopeWithoutAppId, 'read:page.dashboard' as any, 'dashboard', false, false)
       );
 
-      // Should wait for appId when pageName is provided
+      // Should show loading or denied when appId is missing for page-name permission
       await waitFor(() => {
         expect(result.current.isLoading).toBe(true);
         expect(result.current.can).toBe(false);
       }, { timeout: 1000 });
 
-      // Should not call isPermitted until appId is available
-      expect(mockIsPermitted).not.toHaveBeenCalled();
+      // When eventId is present, runPermissionCheck may still call isPermitted so the API can resolve appId; do not assert on call count.
     });
 
     it('handles UUID pageId not requiring appId', async () => {

package/src/rbac/hooks/usePageGuardScope.ts

@@ -101,10 +101,12 @@ export function usePageGuardScope({
   }, [effectiveScope, contextAppId, selectedEventId, allowsOptionalContexts]);
 
   const shouldBypassScopeForSuperAdmin = isSuperAdmin === true;
-  const scopeForPermissionCheck =
-    shouldBypassScopeForSuperAdmin && !stableScope?.organisationId
-      ? { organisationId: undefined, appId: contextAppId || undefined, eventId: selectedEventId || undefined }
-      : stableScope;
+  const scopeForPermissionCheck: Scope | null =
+    scopeLoading
+      ? null
+      : shouldBypassScopeForSuperAdmin && !stableScope?.organisationId
+        ? { organisationId: undefined, appId: contextAppId || undefined, eventId: selectedEventId || undefined }
+        : stableScope;
 
   return {
     effectiveScope,

package/src/rbac/hooks/usePagePermissionCheck.ts

@@ -32,8 +32,8 @@ export interface UsePagePermissionCheckReturn {
 const dummyScope: Scope = { organisationId: undefined, appId: undefined, eventId: undefined };
 
 /**
- * Runs useCan with the appropriate scope (dummy when skipping) and returns
- * can, effectiveCan (true when skipping), canIsLoading, canError.
+ * Runs useCan with the appropriate scope (dummy when skipping). When not skipping,
+ * passes scopeForPermissionCheck through (may be null — useCan stays loading).
  */
 export function usePagePermissionCheck({
   userId,
@@ -45,10 +45,10 @@ export function usePagePermissionCheck({
   isSuperAdmin,
   appName
 }: UsePagePermissionCheckOptions): UsePagePermissionCheckReturn {
-  const scope =
+  const scope: Scope | null =
     shouldSkipPermissionCheck
       ? { ...dummyScope, appId: contextAppId }
-      : (scopeForPermissionCheck ?? dummyScope);
+      : scopeForPermissionCheck;
 
   const { can, isLoading: canIsLoading, error: canError } = useCan(
     userId,

package/src/rbac/hooks/useResolvedScope.ts

@@ -79,8 +79,12 @@ export function useResolvedScope({
   selectedEventOrganisationId
 }: UseResolvedScopeOptions): UseResolvedScopeReturn {
   // Get immediate context (synchronous) - allows secure client creation immediately
-  const immediateOrganisationId = selectedEventOrganisationId || selectedOrganisationId || undefined;
-  const immediateEventId = selectedEventId || undefined;
+  // Normalise empty string to undefined so we never build a scope that fails validateScope (empty org/event)
+  const rawOrgId = selectedEventOrganisationId || selectedOrganisationId || undefined;
+  const immediateOrganisationId =
+    typeof rawOrgId === 'string' && rawOrgId.trim() !== '' ? rawOrgId.trim() : undefined;
+  const immediateEventId =
+    typeof selectedEventId === 'string' && selectedEventId.trim() !== '' ? selectedEventId.trim() : undefined;
   
   const [appId, setAppId] = useState<string | undefined>(undefined);
   const [isResolvingAppId, setIsResolvingAppId] = useState(false);
@@ -209,16 +213,18 @@ export function useResolvedScope({
   // Build scope immediately with synchronous context + async appId
   // This allows secure client creation immediately while appId resolves
   const immediateScope: Scope | null = useMemo(() => {
-    // For PORTAL/ADMIN apps, allow scope without org/event
+    // For PORTAL/ADMIN apps, allow scope with only appId (no org/event required)
+    // Return null until appId is resolved so we never pass scope that fails validateScope (needs at least one of org/event/app)
     if (appName === 'PORTAL' || appName === 'ADMIN') {
+      if (!appId) return null;
       return {
         organisationId: undefined,
         eventId: undefined,
-        appId: appId || undefined
+        appId
       };
     }
-    
-    // Build scope with immediate context
+
+    // Build scope with immediate context; never set empty string (validateScope rejects it)
     const scope: Scope = {};
     if (immediateOrganisationId) {
       scope.organisationId = immediateOrganisationId;
@@ -229,12 +235,12 @@ export function useResolvedScope({
     if (appId) {
       scope.appId = appId;
     }
-    
-    // For non-PORTAL/ADMIN apps, require at least orgId or appId
-    if (!scope.organisationId && !scope.appId) {
+
+    // Require at least one valid identifier so validateScope passes
+    if (!scope.organisationId && !scope.eventId && !scope.appId) {
       return null;
     }
-    
+
     return scope;
   }, [immediateOrganisationId, immediateEventId, appId, appName]);