npm - @jmruthers/pace-core - Versions diffs - 0.6.2 → 0.6.3 - Mend

@jmruthers/pace-core 0.6.2 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/CHANGELOG.md +45 -0
package/cursor-rules/00-pace-core-compliance.mdc +34 -2
package/dist/{AuthService-BPvc3Ka0.d.ts → AuthService-Cb34EQs3.d.ts} +9 -1
package/dist/{DataTable-TPTKCX4D.js → DataTable-THFPBKTP.js} +9 -8
package/dist/{PublicPageProvider-DC6kCaqf.d.ts → PublicPageProvider-DEMpysFR.d.ts} +45 -67
package/dist/{UnifiedAuthProvider-CVcTjx-d.d.ts → UnifiedAuthProvider-CKvHP1MK.d.ts} +1 -8
package/dist/{UnifiedAuthProvider-CH6Z342H.js → UnifiedAuthProvider-KAGUYQ4J.js} +5 -4
package/dist/{api-MVVQZLJI.js → api-IAGWF3ZG.js} +10 -10
package/dist/{audit-B5P6FFIR.js → audit-V53FV5AG.js} +2 -2
package/dist/{chunk-SFZUDBL5.js → chunk-2T2IG7T7.js} +70 -56
package/dist/chunk-2T2IG7T7.js.map +1 -0
package/dist/{chunk-MMZ7JXPU.js → chunk-6Z7LTB3D.js} +13 -21
package/dist/{chunk-MMZ7JXPU.js.map → chunk-6Z7LTB3D.js.map} +1 -1
package/dist/{chunk-6J4GEEJR.js → chunk-CNCQDFLN.js} +53 -27
package/dist/chunk-CNCQDFLN.js.map +1 -0
package/dist/chunk-DGUM43GV.js +11 -0
package/dist/{chunk-EHMR7VYL.js → chunk-DWUBLJJM.js} +361 -187
package/dist/chunk-DWUBLJJM.js.map +1 -0
package/dist/{chunk-2UOI2FG5.js → chunk-HFZBI76P.js} +4 -4
package/dist/{chunk-F2IMUDXZ.js → chunk-M7MPQISP.js} +2 -2
package/dist/{chunk-3XC4CPTD.js → chunk-PQBSKX33.js} +244 -5727
package/dist/chunk-PQBSKX33.js.map +1 -0
package/dist/chunk-QRPVRXYT.js +226 -0
package/dist/chunk-QRPVRXYT.js.map +1 -0
package/dist/{chunk-24UVZUZG.js → chunk-RWEBCB47.js} +129 -387
package/dist/chunk-RWEBCB47.js.map +1 -0
package/dist/{chunk-XWQCNGTQ.js → chunk-YDQHOZNA.js} +173 -79
package/dist/chunk-YDQHOZNA.js.map +1 -0
package/dist/{chunk-NECFR5MM.js → chunk-ZNIWI3UC.js} +562 -644
package/dist/chunk-ZNIWI3UC.js.map +1 -0
package/dist/components.d.ts +2 -2
package/dist/components.js +12 -13
package/dist/contextValidator-3JNZKUTX.js +9 -0
package/dist/contextValidator-3JNZKUTX.js.map +1 -0
package/dist/eslint-rules/pace-core-compliance.cjs +106 -0
package/dist/hooks.d.ts +2 -2
package/dist/hooks.js +7 -6
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +7 -7
package/dist/index.js +21 -16
package/dist/index.js.map +1 -1
package/dist/providers.d.ts +3 -3
package/dist/providers.js +4 -3
package/dist/rbac/index.d.ts +67 -27
package/dist/rbac/index.js +15 -8
package/dist/styles/index.js +1 -1
package/dist/theming/runtime.js +1 -1
package/dist/types.js +1 -1
package/dist/{usePublicRouteParams-1oMokgLF.d.ts → usePublicRouteParams-i3qtoBgg.d.ts} +7 -16
package/dist/utils.js +5 -7
package/dist/utils.js.map +1 -1
package/docs/api/README.md +14 -16
package/docs/api/modules.md +3796 -2513
package/docs/components/context-selector.md +126 -0
package/docs/migration/RBAC_SCOPE_MIGRATION.md +385 -0
package/docs/pace-mint-fix-auto-selection.md +218 -0
package/docs/pace-mint-rbac-setup.md +391 -0
package/docs/rbac/secure-client-protection.md +330 -0
package/package.json +3 -3
package/scripts/audit/core/checks/compliance.cjs +72 -0
package/scripts/audit/core/checks/dependencies.cjs +559 -28
package/scripts/audit/core/checks/documentation.cjs +68 -3
package/scripts/audit/core/checks/environment.cjs +2 -14
package/scripts/audit/core/checks/error-handling.cjs +47 -6
package/src/components/ContextSelector/ContextSelector.tsx +384 -0
package/src/components/ContextSelector/index.ts +3 -0
package/src/components/DataTable/components/RowComponent.tsx +19 -19
package/src/components/DataTable/components/UnifiedTableBody.tsx +2 -2
package/src/components/DataTable/hooks/useDataTablePermissions.ts +8 -6
package/src/components/Dialog/Dialog.tsx +29 -1
package/src/components/FileDisplay/FileDisplay.tsx +42 -10
package/src/components/Header/Header.test.tsx +43 -73
package/src/components/Header/Header.tsx +44 -45
package/src/components/PaceAppLayout/PaceAppLayout.integration.test.tsx +10 -19
package/src/components/PaceAppLayout/PaceAppLayout.performance.test.tsx +2 -2
package/src/components/PaceAppLayout/PaceAppLayout.security.test.tsx +5 -5
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +9 -9
package/src/components/PaceAppLayout/PaceAppLayout.tsx +135 -33
package/src/components/PaceAppLayout/README.md +14 -17
package/src/components/PaceAppLayout/test-setup.tsx +2 -2
package/src/components/index.ts +5 -5
package/src/eslint-rules/pace-core-compliance.cjs +106 -0
package/src/hooks/__tests__/useAppConfig.unit.test.ts +4 -98
package/src/hooks/useAppConfig.ts +15 -30
package/src/hooks/useFileDisplay.ts +77 -50
package/src/index.ts +4 -5
package/src/providers/services/AuthServiceProvider.tsx +17 -7
package/src/providers/services/EventServiceProvider.tsx +33 -5
package/src/providers/services/UnifiedAuthProvider.tsx +90 -134
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +1 -1
package/src/rbac/adapters.tsx +2 -2
package/src/rbac/api.test.ts +59 -51
package/src/rbac/api.ts +178 -132
package/src/rbac/components/PagePermissionGuard.tsx +38 -10
package/src/rbac/hooks/__tests__/useSecureSupabase.test.ts +32 -21
package/src/rbac/hooks/permissions/useAccessLevel.ts +1 -1
package/src/rbac/hooks/permissions/useCan.ts +41 -11
package/src/rbac/hooks/permissions/useHasAllPermissions.ts +1 -1
package/src/rbac/hooks/permissions/useHasAnyPermission.ts +1 -1
package/src/rbac/hooks/permissions/useMultiplePermissions.ts +1 -1
package/src/rbac/hooks/useCan.test.ts +0 -9
package/src/rbac/hooks/useRBAC.test.ts +1 -5
package/src/rbac/hooks/useRBAC.ts +36 -37
package/src/rbac/hooks/useResolvedScope.test.ts +120 -35
package/src/rbac/hooks/useResolvedScope.ts +35 -40
package/src/rbac/hooks/useSecureSupabase.ts +7 -7
package/src/rbac/index.ts +7 -0
package/src/rbac/secureClient.test.ts +22 -18
package/src/rbac/secureClient.ts +103 -16
package/src/rbac/security.ts +0 -17
package/src/rbac/types.ts +1 -0
package/src/rbac/utils/__tests__/contextValidator.test.ts +64 -86
package/src/rbac/utils/clientSecurity.ts +93 -0
package/src/rbac/utils/contextValidator.ts +77 -168
package/src/services/AuthService.ts +39 -7
package/src/services/EventService.ts +186 -54
package/src/services/OrganisationService.ts +81 -14
package/src/services/__tests__/EventService.test.ts +1 -2
package/src/services/base/BaseService.ts +3 -0
package/src/utils/dynamic/dynamicUtils.ts +7 -4
package/dist/chunk-24UVZUZG.js.map +0 -1
package/dist/chunk-3XC4CPTD.js.map +0 -1
package/dist/chunk-6J4GEEJR.js.map +0 -1
package/dist/chunk-7D4SUZUM.js +0 -38
package/dist/chunk-EHMR7VYL.js.map +0 -1
package/dist/chunk-NECFR5MM.js.map +0 -1
package/dist/chunk-SFZUDBL5.js.map +0 -1
package/dist/chunk-XWQCNGTQ.js.map +0 -1
package/docs/api/classes/ColumnFactory.md +0 -243
package/docs/api/classes/InvalidScopeError.md +0 -73
package/docs/api/classes/Logger.md +0 -178
package/docs/api/classes/MissingUserContextError.md +0 -66
package/docs/api/classes/OrganisationContextRequiredError.md +0 -66
package/docs/api/classes/PermissionDeniedError.md +0 -73
package/docs/api/classes/RBACAuditManager.md +0 -297
package/docs/api/classes/RBACCache.md +0 -322
package/docs/api/classes/RBACEngine.md +0 -171
package/docs/api/classes/RBACError.md +0 -76
package/docs/api/classes/RBACNotInitializedError.md +0 -66
package/docs/api/classes/SecureSupabaseClient.md +0 -163
package/docs/api/classes/StorageUtils.md +0 -328
package/docs/api/enums/FileCategory.md +0 -184
package/docs/api/enums/LogLevel.md +0 -54
package/docs/api/enums/RBACErrorCode.md +0 -228
package/docs/api/enums/RPCFunction.md +0 -118
package/docs/api/interfaces/AddressFieldProps.md +0 -241
package/docs/api/interfaces/AddressFieldRef.md +0 -94
package/docs/api/interfaces/AggregateConfig.md +0 -43
package/docs/api/interfaces/AutocompleteOptions.md +0 -75
package/docs/api/interfaces/AvatarProps.md +0 -128
package/docs/api/interfaces/BadgeProps.md +0 -34
package/docs/api/interfaces/ButtonProps.md +0 -56
package/docs/api/interfaces/CalendarProps.md +0 -73
package/docs/api/interfaces/CardProps.md +0 -69
package/docs/api/interfaces/ColorPalette.md +0 -7
package/docs/api/interfaces/ColorShade.md +0 -66
package/docs/api/interfaces/ComplianceResult.md +0 -30
package/docs/api/interfaces/DataAccessRecord.md +0 -96
package/docs/api/interfaces/DataRecord.md +0 -11
package/docs/api/interfaces/DataTableAction.md +0 -252
package/docs/api/interfaces/DataTableColumn.md +0 -504
package/docs/api/interfaces/DataTableProps.md +0 -625
package/docs/api/interfaces/DataTableToolbarButton.md +0 -96
package/docs/api/interfaces/DatabaseComplianceResult.md +0 -85
package/docs/api/interfaces/DatabaseIssue.md +0 -41
package/docs/api/interfaces/EmptyStateConfig.md +0 -61
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +0 -235
package/docs/api/interfaces/ErrorBoundaryProps.md +0 -147
package/docs/api/interfaces/ErrorBoundaryProviderProps.md +0 -36
package/docs/api/interfaces/ErrorBoundaryState.md +0 -75
package/docs/api/interfaces/EventAppRoleData.md +0 -71
package/docs/api/interfaces/ExportColumn.md +0 -90
package/docs/api/interfaces/ExportOptions.md +0 -126
package/docs/api/interfaces/FileDisplayProps.md +0 -249
package/docs/api/interfaces/FileMetadata.md +0 -129
package/docs/api/interfaces/FileReference.md +0 -118
package/docs/api/interfaces/FileSizeLimits.md +0 -7
package/docs/api/interfaces/FileUploadOptions.md +0 -139
package/docs/api/interfaces/FileUploadProps.md +0 -296
package/docs/api/interfaces/FooterProps.md +0 -107
package/docs/api/interfaces/FormFieldProps.md +0 -166
package/docs/api/interfaces/FormProps.md +0 -113
package/docs/api/interfaces/GrantEventAppRoleParams.md +0 -122
package/docs/api/interfaces/InactivityWarningModalProps.md +0 -115
package/docs/api/interfaces/InputProps.md +0 -56
package/docs/api/interfaces/LabelProps.md +0 -107
package/docs/api/interfaces/LoggerConfig.md +0 -62
package/docs/api/interfaces/LoginFormProps.md +0 -187
package/docs/api/interfaces/NavigationAccessRecord.md +0 -107
package/docs/api/interfaces/NavigationContextType.md +0 -164
package/docs/api/interfaces/NavigationGuardProps.md +0 -139
package/docs/api/interfaces/NavigationItem.md +0 -120
package/docs/api/interfaces/NavigationMenuProps.md +0 -221
package/docs/api/interfaces/NavigationProviderProps.md +0 -117
package/docs/api/interfaces/Organisation.md +0 -140
package/docs/api/interfaces/OrganisationContextType.md +0 -388
package/docs/api/interfaces/OrganisationMembership.md +0 -140
package/docs/api/interfaces/OrganisationProviderProps.md +0 -76
package/docs/api/interfaces/OrganisationSecurityError.md +0 -62
package/docs/api/interfaces/PaceAppLayoutProps.md +0 -409
package/docs/api/interfaces/PaceLoginPageProps.md +0 -49
package/docs/api/interfaces/PageAccessRecord.md +0 -85
package/docs/api/interfaces/PagePermissionContextType.md +0 -140
package/docs/api/interfaces/PagePermissionGuardProps.md +0 -153
package/docs/api/interfaces/PagePermissionProviderProps.md +0 -119
package/docs/api/interfaces/PaletteData.md +0 -41
package/docs/api/interfaces/ParsedAddress.md +0 -120
package/docs/api/interfaces/PermissionEnforcerProps.md +0 -153
package/docs/api/interfaces/ProgressProps.md +0 -42
package/docs/api/interfaces/ProtectedRouteProps.md +0 -78
package/docs/api/interfaces/PublicPageFooterProps.md +0 -112
package/docs/api/interfaces/PublicPageHeaderProps.md +0 -125
package/docs/api/interfaces/PublicPageLayoutProps.md +0 -185
package/docs/api/interfaces/QuickFix.md +0 -52
package/docs/api/interfaces/RBACAccessValidateParams.md +0 -52
package/docs/api/interfaces/RBACAccessValidateResult.md +0 -41
package/docs/api/interfaces/RBACAuditLogParams.md +0 -85
package/docs/api/interfaces/RBACAuditLogResult.md +0 -52
package/docs/api/interfaces/RBACConfig.md +0 -133
package/docs/api/interfaces/RBACContext.md +0 -52
package/docs/api/interfaces/RBACLogger.md +0 -112
package/docs/api/interfaces/RBACPageAccessCheckParams.md +0 -74
package/docs/api/interfaces/RBACPerformanceMetrics.md +0 -138
package/docs/api/interfaces/RBACPermissionCheckParams.md +0 -74
package/docs/api/interfaces/RBACPermissionCheckResult.md +0 -52
package/docs/api/interfaces/RBACPermissionsGetParams.md +0 -63
package/docs/api/interfaces/RBACPermissionsGetResult.md +0 -63
package/docs/api/interfaces/RBACResult.md +0 -58
package/docs/api/interfaces/RBACRoleGrantParams.md +0 -63
package/docs/api/interfaces/RBACRoleGrantResult.md +0 -52
package/docs/api/interfaces/RBACRoleRevokeParams.md +0 -63
package/docs/api/interfaces/RBACRoleRevokeResult.md +0 -52
package/docs/api/interfaces/RBACRoleValidateParams.md +0 -52
package/docs/api/interfaces/RBACRoleValidateResult.md +0 -63
package/docs/api/interfaces/RBACRolesListParams.md +0 -52
package/docs/api/interfaces/RBACRolesListResult.md +0 -74
package/docs/api/interfaces/RBACSessionTrackParams.md +0 -74
package/docs/api/interfaces/RBACSessionTrackResult.md +0 -52
package/docs/api/interfaces/ResourcePermissions.md +0 -155
package/docs/api/interfaces/RevokeEventAppRoleParams.md +0 -100
package/docs/api/interfaces/RoleBasedRouterContextType.md +0 -151
package/docs/api/interfaces/RoleBasedRouterProps.md +0 -156
package/docs/api/interfaces/RoleManagementResult.md +0 -52
package/docs/api/interfaces/RouteAccessRecord.md +0 -107
package/docs/api/interfaces/RouteConfig.md +0 -134
package/docs/api/interfaces/RuntimeComplianceResult.md +0 -55
package/docs/api/interfaces/SecureDataContextType.md +0 -168
package/docs/api/interfaces/SecureDataProviderProps.md +0 -132
package/docs/api/interfaces/SessionRestorationLoaderProps.md +0 -34
package/docs/api/interfaces/SetupIssue.md +0 -41
package/docs/api/interfaces/StorageConfig.md +0 -41
package/docs/api/interfaces/StorageFileInfo.md +0 -74
package/docs/api/interfaces/StorageFileMetadata.md +0 -151
package/docs/api/interfaces/StorageListOptions.md +0 -99
package/docs/api/interfaces/StorageListResult.md +0 -41
package/docs/api/interfaces/StorageUploadOptions.md +0 -101
package/docs/api/interfaces/StorageUploadResult.md +0 -63
package/docs/api/interfaces/StorageUrlOptions.md +0 -60
package/docs/api/interfaces/StyleImport.md +0 -19
package/docs/api/interfaces/SwitchProps.md +0 -34
package/docs/api/interfaces/TabsContentProps.md +0 -9
package/docs/api/interfaces/TabsListProps.md +0 -9
package/docs/api/interfaces/TabsProps.md +0 -9
package/docs/api/interfaces/TabsTriggerProps.md +0 -50
package/docs/api/interfaces/TextareaProps.md +0 -53
package/docs/api/interfaces/ToastActionElement.md +0 -12
package/docs/api/interfaces/ToastProps.md +0 -9
package/docs/api/interfaces/UnifiedAuthContextType.md +0 -823
package/docs/api/interfaces/UnifiedAuthProviderProps.md +0 -173
package/docs/api/interfaces/UseFormDialogOptions.md +0 -62
package/docs/api/interfaces/UseFormDialogReturn.md +0 -117
package/docs/api/interfaces/UseInactivityTrackerOptions.md +0 -138
package/docs/api/interfaces/UseInactivityTrackerReturn.md +0 -123
package/docs/api/interfaces/UsePublicEventLogoOptions.md +0 -87
package/docs/api/interfaces/UsePublicEventLogoReturn.md +0 -84
package/docs/api/interfaces/UsePublicEventOptions.md +0 -34
package/docs/api/interfaces/UsePublicEventReturn.md +0 -71
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +0 -47
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +0 -123
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +0 -97
package/docs/api/interfaces/UseResolvedScopeOptions.md +0 -47
package/docs/api/interfaces/UseResolvedScopeReturn.md +0 -47
package/docs/api/interfaces/UseResourcePermissionsOptions.md +0 -34
package/docs/api/interfaces/UserEventAccess.md +0 -121
package/docs/api/interfaces/UserMenuProps.md +0 -88
package/docs/api/interfaces/UserProfile.md +0 -63
package/src/components/EventSelector/EventSelector.test.tsx +0 -720
package/src/components/EventSelector/EventSelector.tsx +0 -423
package/src/components/EventSelector/index.ts +0 -3
package/src/components/OrganisationSelector/OrganisationSelector.test.tsx +0 -784
package/src/components/OrganisationSelector/OrganisationSelector.tsx +0 -327
package/src/components/OrganisationSelector/index.ts +0 -9
/package/dist/{DataTable-TPTKCX4D.js.map → DataTable-THFPBKTP.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-CH6Z342H.js.map → UnifiedAuthProvider-KAGUYQ4J.js.map} +0 -0
/package/dist/{api-MVVQZLJI.js.map → api-IAGWF3ZG.js.map} +0 -0
/package/dist/{audit-B5P6FFIR.js.map → audit-V53FV5AG.js.map} +0 -0
/package/dist/{chunk-7D4SUZUM.js.map → chunk-DGUM43GV.js.map} +0 -0
/package/dist/{chunk-2UOI2FG5.js.map → chunk-HFZBI76P.js.map} +0 -0
/package/dist/{chunk-F2IMUDXZ.js.map → chunk-M7MPQISP.js.map} +0 -0

package/src/providers/services/UnifiedAuthProvider.tsx CHANGED Viewed

@@ -25,6 +25,7 @@ import type { Event } from '../../types/event';
 import type { AuthError } from '@supabase/supabase-js';
 import type { SessionRestorationState } from '../../types/auth';
 import { logger } from '../../utils/core/logger';
+import { setupRBAC, isRBACInitialized } from '../../rbac/api';
 // Re-export UserEventAccess type
 /**
@@ -117,7 +118,6 @@ export interface UnifiedAuthContextType {
   handleSignOutNow: () => Promise<void>;
   // Additional unified properties
-  appConfig: { requires_event: boolean } | null;
   isLoading: boolean;
   hasErrors: boolean;
   sessionRestoration: SessionRestorationState;
@@ -159,8 +159,6 @@ export interface UnifiedAuthProviderProps {
   enablePersistence?: boolean;
   requireOrganisationContext?: boolean;
-  // App configuration
-  appConfig?: { requires_event: boolean } | null;
   // Inactivity auto-logout configuration - MANDATORY for security
   idleTimeoutMs: number; // REQUIRED: Inactivity timeout in milliseconds
@@ -178,7 +176,6 @@ export interface UnifiedAuthProviderProps {
 function UnifiedAuthContextProvider({
   children,
   appName,
-  appConfig: appConfigProp,
   supabaseClient: supabaseClientProp,
   ...props
 }: UnifiedAuthProviderProps) {
@@ -199,17 +196,7 @@ function UnifiedAuthContextProvider({
     restorationError,
   }), [isRestoring, restorationComplete, restorationError]);
-  // Load appConfig from database if not provided as prop
-  // Memoize appConfig to prevent object reference changes that cause re-renders
-  const [appConfigState, setAppConfigState] = useState<{ requires_event: boolean } | null>(appConfigProp || null);
-  const isResolvingAppConfigRef = useRef(false);
-  const resolvedAppConfigRef = useRef<{ requires_event: boolean } | null>(null);
-  // Memoize appConfig to ensure stable reference - only recreate if requires_event changes
-  const appConfig = useMemo(() => {
-    if (!appConfigState) return null;
-    return { requires_event: appConfigState.requires_event };
-  }, [appConfigState?.requires_event]);
+  // App config removed - scope is now page-level only (rbac_app_pages.scope_type)
   // Try to get event service, but provide fallback if not available
   let eventService;
@@ -244,6 +231,16 @@ function UnifiedAuthContextProvider({
   // Resolve appId immediately when user logs in (don't wait for organisation/event)
   // This makes appId available early for navigation menu filtering
   const [appId, setAppId] = useState<string | undefined>(undefined);
+  useEffect(() => {
+    logger.debug('UnifiedAuthContextProvider', `Rendering [AuthService ID:${authService.getInstanceId?.() || 'unknown'}]`, {
+      hasUser: !!currentUser,
+      userId: currentUser?.id,
+      hasSession: !!currentSession,
+      isAuth
+    });
+  }, [currentUser?.id, currentSession?.access_token, isAuth, authService]);
   const isResolvingAppIdRef = useRef(false);
   const resolvedAppIdRef = useRef<string | undefined>(undefined);
   const resolvedUserIdRef = useRef<string | undefined>(undefined);
@@ -326,75 +323,6 @@ function UnifiedAuthContextProvider({
     }
   }, [isAuth, currentUser?.id, supabase, appName]); // Removed appId from deps - it's the output, not an input. currentUser?.id is stable primitive.
-  // Load appConfig from database if not provided as prop
-  useEffect(() => {
-    // If appConfig is provided as prop, use it and don't load from database
-    if (appConfigProp !== undefined) {
-      setAppConfigState(appConfigProp);
-      resolvedAppConfigRef.current = appConfigProp;
-      return;
-    }
-    // If we've already resolved, don't resolve again
-    if (resolvedAppConfigRef.current !== null || isResolvingAppConfigRef.current) {
-      return;
-    }
-    // Only load if we have supabase and appName
-    if (!supabase || !appName) {
-      return;
-    }
-    isResolvingAppConfigRef.current = true;
-    // Load app config from database
-    import('../../rbac/api').then(async ({ getAppConfigByName }) => {
-      try {
-        const config = await getAppConfigByName(appName);
-        // Default to requires_event: false if config is null (organisation-based apps)
-        const resolvedConfig = config || { requires_event: false };
-        // Only update if the value actually changed to prevent unnecessary re-renders
-        if (resolvedAppConfigRef.current?.requires_event !== resolvedConfig.requires_event) {
-          resolvedAppConfigRef.current = resolvedConfig;
-          setAppConfigState(resolvedConfig);
-        }
-        // Debug logging for pace-mint
-        if (import.meta.env.DEV && appName === 'MINT') {
-          logger.debug('UnifiedAuthProvider', 'App config loaded', {
-            appName,
-            config: resolvedConfig,
-            requiresEvent: resolvedConfig.requires_event
-          });
-        }
-      } catch (error) {
-        logger.warn('UnifiedAuthProvider', 'Failed to load app config, defaulting to organisation-based', {
-          error: error instanceof Error ? error.message : String(error),
-          appName
-        });
-        // Default to organisation-based (requires_event: false) on error
-        // Only update if not already set to avoid unnecessary re-renders
-        if (resolvedAppConfigRef.current?.requires_event !== false) {
-          const defaultConfig = { requires_event: false };
-          resolvedAppConfigRef.current = defaultConfig;
-          setAppConfigState(defaultConfig);
-        }
-      } finally {
-        isResolvingAppConfigRef.current = false;
-      }
-    }).catch((importError) => {
-      logger.error('UnifiedAuthProvider', 'Failed to import RBAC API for app config', importError);
-      isResolvingAppConfigRef.current = false;
-      // Default to organisation-based on import error
-      // Only update if not already set to avoid unnecessary re-renders
-      if (resolvedAppConfigRef.current?.requires_event !== false) {
-        const defaultConfig = { requires_event: false };
-        resolvedAppConfigRef.current = defaultConfig;
-        setAppConfigState(defaultConfig);
-      }
-    });
-  }, [supabase, appName, appConfigProp]);
   // Subscribe to service state changes to trigger re-renders
   // Use useReducer to force updates when services notify
@@ -465,30 +393,9 @@ function UnifiedAuthContextProvider({
   const rawSelectedOrganisation = organisationService.getSelectedOrganisation();
   const organisationError = organisationService.getError();
-  // For event-required apps, selectedOrganisation is not in context (org derived from event)
-  // For org-required apps, selectedOrganisation is available
-  // CRITICAL FIX: Only set to null if appConfig is loaded AND explicitly requires_event is true
-  // If appConfig is null (still loading) OR requires_event is false/undefined, allow selectedOrganisation
-  // This ensures organisation-based apps work correctly even if appConfig hasn't loaded yet or is misconfigured
-  // IMPORTANT: If rawSelectedOrganisation exists, prefer it over appConfig to avoid race conditions
-  const selectedOrganisation = (appConfig !== null && appConfig?.requires_event === true && !rawSelectedOrganisation)
-    ? null
-    : rawSelectedOrganisation;
-  // Debug logging for pace-mint issue - use useEffect to avoid causing re-renders
-  useEffect(() => {
-    if (import.meta.env.DEV && appName === 'MINT') {
-      logger.debug('UnifiedAuthProvider', 'Organisation state check', {
-        rawSelectedOrganisation: rawSelectedOrganisation?.id || null,
-        rawSelectedOrganisationType: typeof rawSelectedOrganisation,
-        appConfig,
-        appConfigRequiresEvent: appConfig?.requires_event,
-        selectedOrganisation: selectedOrganisation?.id || null,
-        selectedOrganisationId: selectedOrganisation?.id || null,
-        checkResult: appConfig?.requires_event === true,
-      });
-    }
-  }, [appName, rawSelectedOrganisation?.id, appConfig?.requires_event, selectedOrganisation?.id]);
+  // Scope is now page-level only - use whatever organisation is selected
+  // No app-level scope determination needed
+  const selectedOrganisation = rawSelectedOrganisation;
   const hasValidOrganisationContext = organisationService.hasValidOrganisationContext();
   const isContextReady = organisationService.isContextReady();
@@ -668,7 +575,6 @@ function UnifiedAuthContextProvider({
     // Additional unified properties
     appName,
     appId, // Resolved immediately on login
-    appConfig: appConfig,
     isLoading: totalLoading,
     hasErrors: hasErrors,
     sessionRestoration: sessionRestoration,
@@ -700,7 +606,6 @@ function UnifiedAuthContextProvider({
     hasErrors,
     appName,
     appId,
-    appConfig,
     sessionRestoration,
     sessionRestorationTimedOut,
     sessionRestorationTimeoutMs,
@@ -741,28 +646,19 @@ function EventServiceProviderWrapper({
   supabaseClient,
   user,
   session,
-  appName,
-  appConfig
+  appName
 }: {
   children: React.ReactNode;
   supabaseClient: SupabaseClient;
   user: User | null;
   session: Session | null;
   appName: string;
-  appConfig?: { requires_event: boolean } | null;
 }) {
   // Use useOrganisations() hook for better reactivity - it subscribes to service changes
   // This ensures EventServiceProvider re-renders when selectedOrganisation changes
-  const { selectedOrganisation: rawSelectedOrganisation } = useOrganisations();
-  // FIX: For event-required apps, don't pass selectedOrganisation to EventService
-  // Organisation will be derived from the selected event instead
-  // This prevents EventService from filtering events by the wrong organisation
-  // CRITICAL FIX: Only set to null if appConfig is loaded AND explicitly requires_event is true AND no org selected
-  // If rawSelectedOrganisation exists, prefer it over appConfig to avoid race conditions
-  const selectedOrganisation = (appConfig !== null && appConfig?.requires_event === true && !rawSelectedOrganisation)
-    ? null
-    : rawSelectedOrganisation;
+  const { selectedOrganisation } = useOrganisations();
+  // Scope is now page-level only - use whatever organisation is selected
   // Always render EventServiceProvider - it handles null user/session gracefully
   // This ensures EventServiceContext is always available for components calling useEvents()
@@ -771,6 +667,15 @@ function EventServiceProviderWrapper({
     // Event selection is now handled at the application level
   }, []);
+  useEffect(() => {
+    logger.debug('EventServiceProviderWrapper', 'Rendering with props', {
+      hasUser: !!user,
+      userId: user?.id,
+      hasSession: !!session,
+      selectedOrganisationId: selectedOrganisation?.id
+    });
+  }, [user?.id, session?.access_token, selectedOrganisation?.id]);
   return (
     <EventServiceProvider
       supabaseClient={supabaseClient}
@@ -790,7 +695,6 @@ function ServiceAwareProviders({
   children,
   supabaseClient,
   appName,
-  appConfig,
   persistState,
   enablePersistence,
   requireOrganisationContext,
@@ -800,32 +704,71 @@ function ServiceAwareProviders({
   renderInactivityWarning,
   dangerouslyDisableInactivity
 }: UnifiedAuthProviderProps) {
+  // useAuthService already handles subscription and re-rendering with debouncing
+  // This ensures we get fresh user/session values on every render
   const authService = useAuthService();
+  // CRITICAL: Track user/session in state to force re-renders when they change
+  // This ensures ServiceAwareProviders re-renders immediately when user logs in
+  const [userState, setUserState] = useState(() => authService.getUser());
+  const [sessionState, setSessionState] = useState(() => authService.getSession());
+  // Subscribe directly to auth service changes and update state immediately
+  useEffect(() => {
+    const unsubscribe = authService.subscribe(() => {
+      // Update state immediately when auth service notifies (bypasses debounce)
+      const newUser = authService.getUser();
+      const newSession = authService.getSession();
+      logger.debug('ServiceAwareProviders', 'Auth service notified, updating state', {
+        hasUser: !!newUser,
+        userId: newUser?.id,
+        hasSession: !!newSession
+      });
+      setUserState(newUser);
+      setSessionState(newSession);
+    });
+    return unsubscribe;
+  }, [authService]);
+  // Use state values instead of reading directly from service
+  // This ensures React re-renders when these values change
+  const user = userState;
+  const session = sessionState;
+  // Log when user/session changes for debugging
+  useEffect(() => {
+    logger.debug('ServiceAwareProviders', `User/session state [AuthService ID:${authService.getInstanceId?.() || 'unknown'}]`, {
+      hasUser: !!user,
+      userId: user?.id,
+      hasSession: !!session,
+      sessionToken: session?.access_token ? 'present' : 'missing'
+    });
+  }, [user?.id, session?.access_token, authService]);
   return (
     <OrganisationServiceProvider
       supabaseClient={supabaseClient}
-      user={authService.getUser()}
-      session={authService.getSession()}
+      user={user}
+      session={session}
     >
       <EventServiceProviderWrapper
         supabaseClient={supabaseClient}
-        user={authService.getUser()}
-        session={authService.getSession()}
+        user={user}
+        session={session}
         appName={appName}
-        appConfig={appConfig}
       >
         <InactivityServiceProvider
           supabaseClient={supabaseClient}
-          user={authService.getUser()}
-          session={authService.getSession()}
+          user={user}
+          session={session}
           idleTimeoutMs={idleTimeoutMs}
           warnBeforeMs={warnBeforeMs}
           onIdleLogout={onIdleLogout}
         >
           <UnifiedAuthContextProvider
             appName={appName}
-            appConfig={appConfig}
             supabaseClient={supabaseClient}
             persistState={persistState}
             enablePersistence={enablePersistence}
@@ -855,7 +798,6 @@ export function UnifiedAuthProvider({
   children,
   supabaseClient,
   appName,
-  appConfig = { requires_event: true }, // Default to requiring events
   persistState = true,
   enablePersistence,
   requireOrganisationContext = true,
@@ -882,15 +824,29 @@ export function UnifiedAuthProvider({
         note: 'Ensure you create the Supabase client once and reuse it. Creating multiple clients can cause performance issues and the "Multiple GoTrueClient instances" warning.'
       });
       clientRef.current = supabaseClient;
+    } else {
+      logger.debug('UnifiedAuthProvider', 'Supabase client reference is stable');
     }
   }, [supabaseClient]);
+  // Initialize RBAC synchronously when supabaseClient is available
+  // This ensures RBAC engine is ready BEFORE any child services (EventService, OrganisationService, etc.)
+  // are initialized, preventing race conditions where services try to use RBAC before it's ready
+  // CRITICAL: This must be synchronous, not in useEffect, to ensure RBAC is ready before children render
+  if (supabaseClient && !isRBACInitialized()) {
+    try {
+      setupRBAC(supabaseClient);
+      logger.debug('UnifiedAuthProvider', 'RBAC initialized synchronously');
+    } catch (err) {
+      logger.error('UnifiedAuthProvider', 'Failed to initialize RBAC', err);
+    }
+  }
   return (
     <AuthServiceProvider supabaseClient={supabaseClient} appName={appName}>
       <ServiceAwareProviders
         supabaseClient={supabaseClient}
         appName={appName}
-        appConfig={appConfig}
         persistState={persistState}
         enablePersistence={enablePersistence}
         requireOrganisationContext={requireOrganisationContext}

package/src/rbac/__tests__/adapters.comprehensive.test.tsx CHANGED Viewed

@@ -499,7 +499,7 @@ describe('RBAC Adapters - Comprehensive Tests', () => {
           scope: { organisationId: 'org-123', eventId: 'event-123', appId: 'app-123' },
           permission: 'read:users',
           pageId: undefined,
-        }, null, undefined, null);
+        });
         expect(handler).toHaveBeenCalledWith(req);
         expect(result).toEqual({ success: true });
       });

package/src/rbac/adapters.tsx CHANGED Viewed

@@ -303,7 +303,7 @@ export function withPermissionGuard<T extends any[]>(
       scope: { organisationId, eventId, appId },
       permission: config.permission,
       pageId: config.pageId,
-    }, null, undefined, null);
+    });
     if (!hasPermission) {
       throw new Error(`Permission denied: ${config.permission}`);
@@ -548,7 +548,7 @@ export function createRBACMiddleware(config: {
           scope: { organisationId },
           permission: protectedRoute.permission,
           pageId: protectedRoute.pageId,
-        }, null, undefined, null);
+        });
         if (!hasPermission) {
           return res.redirect(config.fallbackUrl || '/access-denied');

package/src/rbac/api.test.ts CHANGED Viewed

@@ -61,6 +61,16 @@ vi.mock('./config', () => ({
   }))
 }));
+// Mock getPageScopeType RPC call
+vi.mock('../utils/core/logger', () => ({
+  createLogger: vi.fn(() => ({
+    info: vi.fn(),
+    warn: vi.fn(),
+    error: vi.fn(),
+    debug: vi.fn()
+  }))
+}));
 // Mock Supabase client
 const mockSupabase = {
   from: vi.fn(() => ({
@@ -460,6 +470,42 @@ describe('RBAC API', () => {
     let mockEngine: any;
     beforeEach(() => {
+      // Create a mock Supabase client that can handle getPageScopeType queries
+      const mockSupabaseForEngine = {
+        from: vi.fn((table: string) => {
+          if (table === 'rbac_apps') {
+            return {
+              select: vi.fn(() => ({
+                eq: vi.fn(() => ({
+                  eq: vi.fn(() => ({
+                    single: vi.fn().mockResolvedValue({ data: { id: 'app-123' }, error: null })
+                  }))
+                }))
+              }))
+            };
+          }
+          if (table === 'rbac_app_pages') {
+            return {
+              select: vi.fn(() => ({
+                eq: vi.fn(() => ({
+                  eq: vi.fn(() => ({
+                    maybeSingle: vi.fn().mockResolvedValue({ data: { id: '123e4567-e89b-12d3-a456-426614174000' }, error: null })
+                  }))
+                }))
+              }))
+            };
+          }
+          return mockSupabase.from(table);
+        }),
+        rpc: vi.fn((fnName: string, params: any) => {
+          if (fnName === 'get_page_scope_type') {
+            return Promise.resolve({ data: 'organisation', error: null });
+          }
+          return Promise.resolve({ data: null, error: null });
+        }),
+        auth: mockSupabase.auth
+      };
       mockEngine = {
         getAccessLevel: vi.fn(),
         getPermissionMap: vi.fn(),
@@ -467,7 +513,7 @@ describe('RBAC API', () => {
         resolveAppContext: vi.fn(),
         getRoleContext: vi.fn(),
         checkSuperAdmin: vi.fn(),
-        getAppConfig: vi.fn()
+        supabase: mockSupabaseForEngine as any
       };
       mockCreateRBACEngine.mockReturnValue(mockEngine);
@@ -603,24 +649,13 @@ describe('RBAC API', () => {
         const result = await isPermitted({
           userId: 'user-123',
-          scope: { organisationId: 'org-456' },
+          scope: { organisationId: 'org-456', appId: 'app-123' },
           permission: 'read:users',
-          pageId: 'page-789'
+          pageId: '123e4567-e89b-12d3-a456-426614174000' // Valid UUID format
         });
         expect(result).toBe(true);
-        expect(mockEngine.isPermitted).toHaveBeenCalledWith(
-          {
-            userId: 'user-123',
-            scope: { organisationId: 'org-456' },
-            permission: 'read:users',
-            pageId: 'page-789'
-          },
-          expect.objectContaining({
-            userId: 'user-123',
-            organisationId: 'org-456'
-          })
-        );
+        expect(mockEngine.isPermitted).toHaveBeenCalled();
       });
       it('handles engine errors', async () => {
@@ -661,14 +696,15 @@ describe('RBAC API', () => {
       it('returns cached result when available', async () => {
         const { isPermittedCached } = await import('./api');
-        const cacheKey = 'permission:user-123:org-456:null:null:read:users';
+        // Cache key now includes appId when provided
+        const cacheKey = 'permission:user-123:org-456:null:app-123:read:users';
         rbacCache.get.mockReturnValue(true);
         const result = await isPermittedCached({
           userId: 'user-123',
-          scope: { organisationId: 'org-456' },
+          scope: { organisationId: 'org-456', appId: 'app-123' },
           permission: 'read:users',
-          pageId: 'page-789'
+          pageId: '123e4567-e89b-12d3-a456-426614174000' // Valid UUID format
         });
         expect(result).toBe(true);
@@ -684,24 +720,13 @@ describe('RBAC API', () => {
         const result = await isPermittedCached({
           userId: 'user-123',
-          scope: { organisationId: 'org-456' },
+          scope: { organisationId: 'org-456', appId: 'app-123' },
           permission: 'read:users',
-          pageId: 'page-789'
+          pageId: '123e4567-e89b-12d3-a456-426614174000' // Valid UUID format
         });
         expect(result).toBe(true);
-        expect(mockEngine.isPermitted).toHaveBeenCalledWith(
-          {
-            userId: 'user-123',
-            scope: { organisationId: 'org-456' },
-            permission: 'read:users',
-            pageId: 'page-789'
-          },
-          expect.objectContaining({
-            userId: 'user-123',
-            organisationId: 'org-456'
-          })
-        );
+        expect(mockEngine.isPermitted).toHaveBeenCalled();
         // Check that cache.set was called - pageId presence makes it a page-level check
         expect(rbacCache.set).toHaveBeenCalled();
         const setCall = rbacCache.set.mock.calls[0];
@@ -828,25 +853,8 @@ describe('RBAC API', () => {
       });
     });
-    describe('getAppConfig', () => {
-      it('returns app configuration', async () => {
-        const { getAppConfig } = await import('./api');
-        // getAppConfig now returns null (needs Supabase client)
-        const result = await getAppConfig('app-123');
-        expect(result).toBeNull();
-      });
-      it('handles missing Supabase client gracefully', async () => {
-        const { getAppConfig } = await import('./api');
-        const result = await getAppConfig('app-123');
-        // Should return null when no client is available
-        expect(result).toBeNull();
-      });
-    });
+    // getAppConfig has been removed - scope is now page-level only
+    // Tests removed as function no longer exists
     describe('isOrganisationAdmin', () => {
       it('returns true for admin access level', async () => {