@jmruthers/pace-core 0.6.2 → 0.6.3

package/src/rbac/api.ts

@@ -30,7 +30,6 @@ import { createLogger } from '../utils/core/logger';
 import { enablePerformanceMonitoring } from './performance';
 import { getOrCreateRequest } from './request-deduplication';
 import { ContextValidator } from './utils/contextValidator';
-import type { AppConfig } from './utils/contextValidator';
 
 const log = createLogger('RBACAPI');
 
@@ -92,6 +91,15 @@ export function setupRBAC(supabase: SupabaseClient<Database>, config?: Partial<R
   
 }
 
+/**
+ * Check if RBAC system is initialized
+ * 
+ * @returns True if RBAC is initialized
+ */
+export function isRBACInitialized(): boolean {
+  return globalEngine !== null;
+}
+
 /**
  * Get the global RBAC engine
  * 
@@ -126,7 +134,6 @@ export async function getAccessLevel(
     userId: UUID;
     scope: Scope;
   },
-  appConfig?: AppConfig | null,
   appName?: string
 ): Promise<AccessLevel> {
   try {
@@ -138,19 +145,12 @@ export async function getAccessLevel(
       return 'super';
     }
     
-    // Fetch app config if not provided
-    let resolvedAppConfig: AppConfig | null = appConfig ?? null;
-    let resolvedAppName = appName;
-    
-    if (!resolvedAppConfig && input.scope.appId) {
-      resolvedAppConfig = await getAppConfig(input.scope.appId);
-    }
-    
-    // Validate context using ContextValidator
-    const validation = await ContextValidator.resolveRequiredContext(
+    // For functions without pageId, default to organisation scope validation
+    // This is a safe default - most operations require organisation context
+    const validation = await ContextValidator.resolveScopeForPage(
       input.scope,
-      resolvedAppConfig,
-      resolvedAppName,
+      'organisation', // Default to organisation scope when no page context
+      appName,
       engine['supabase']
     );
     
@@ -194,25 +194,17 @@ export async function getPermissionMap(
     userId: UUID;
     scope: Scope;
   },
-  appConfig?: AppConfig | null,
   appName?: string
 ): Promise<PermissionMap> {
   try {
     const engine = getEngine();
     
-    // Fetch app config if not provided
-    let resolvedAppConfig: AppConfig | null = appConfig ?? null;
-    let resolvedAppName = appName;
-    
-    if (!resolvedAppConfig && input.scope.appId) {
-      resolvedAppConfig = await getAppConfig(input.scope.appId);
-    }
-    
-    // Validate context using ContextValidator
-    const validation = await ContextValidator.resolveRequiredContext(
+    // For functions without pageId, default to organisation scope validation
+    // This is a safe default - most operations require organisation context
+    const validation = await ContextValidator.resolveScopeForPage(
       input.scope,
-      resolvedAppConfig,
-      resolvedAppName,
+      'organisation', // Default to organisation scope when no page context
+      appName,
       engine['supabase']
     );
     
@@ -249,24 +241,15 @@ export async function getRoleContext(
     userId: UUID;
     scope: Scope;
   },
-  appConfig?: AppConfig | null,
   appName?: string
 ): Promise<RBACRoleContext> {
   const engine = getEngine();
   
-  // Fetch app config if not provided
-  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
-  let resolvedAppName = appName;
-  
-  if (!resolvedAppConfig && input.scope.appId) {
-    resolvedAppConfig = await getAppConfig(input.scope.appId);
-  }
-  
-  // Validate context using ContextValidator
-  const validation = await ContextValidator.resolveRequiredContext(
+  // For functions without pageId, default to organisation scope validation
+  const validation = await ContextValidator.resolveScopeForPage(
     input.scope,
-    resolvedAppConfig,
-    resolvedAppName,
+    'organisation', // Default to organisation scope when no page context
+    appName,
     engine['supabase']
   );
   
@@ -301,7 +284,6 @@ export async function getRoleContext(
  */
 export async function isPermitted(
   input: PermissionCheck,
-  appConfig?: AppConfig | null,
   appName?: string,
   /**
    * Pre-computed super admin status to avoid duplicate checks.
@@ -329,15 +311,8 @@ export async function isPermitted(
   }
   // If precomputedSuperAdmin === false, skip check and proceed with permission check
   
-  // Fetch app config if not provided and we have appId
-  let resolvedAppConfig: AppConfig | null = appConfig ?? null;
+  // Get app name if not provided (for PORTAL/ADMIN special case)
   let resolvedAppName = appName;
-  
-  if (!resolvedAppConfig && input.scope.appId) {
-    resolvedAppConfig = await getAppConfig(input.scope.appId);
-  }
-  
-  // If we have appId but no appName, try to get it from the database
   if (!resolvedAppName && input.scope.appId) {
     try {
       const { data } = await engine['supabase']
@@ -354,10 +329,34 @@ export async function isPermitted(
     }
   }
   
-  // Validate context using ContextValidator
-  const validation = await ContextValidator.resolveRequiredContext(
+  // Get page scope type (required for all permission checks)
+  // All pages must have scope_type set - this is the single source of truth
+  let pageScopeType: 'event' | 'organisation' | 'both';
+  if (input.pageId) {
+    try {
+      const scopeType = await getPageScopeType(
+        input.pageId,
+        input.scope.appId,
+        resolvedAppName
+      );
+      if (!scopeType) {
+        throw new Error(`Page ${input.pageId} does not have scope_type set`);
+      }
+      pageScopeType = scopeType;
+    } catch (err) {
+      log.error('Failed to get page scope type:', err);
+      throw new Error(`Failed to determine page scope type: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  } else {
+    // No pageId provided - default to organisation scope
+    // This should rarely happen, but provides a safe fallback
+    pageScopeType = 'organisation';
+  }
+  
+  // Validate context using page-level scope (single source of truth)
+  const validation = await ContextValidator.resolveScopeForPage(
     input.scope,
-    resolvedAppConfig,
+    pageScopeType,
     resolvedAppName,
     engine['supabase']
   );
@@ -369,7 +368,64 @@ export async function isPermitted(
   // Use resolved scope for permission check
   const validatedScope = validation.resolvedScope;
   
-  // Create security context from validated scope
+  // Handle 'both' scope pages - check both scopes and return union
+  if (pageScopeType === 'both' && input.pageId) {
+    // Check permission with event scope
+    const eventScope: Scope = {
+      organisationId: validatedScope.organisationId, // Org derived from event
+      eventId: validatedScope.eventId,
+      appId: validatedScope.appId
+    };
+    
+    // Check permission with organisation scope (if org is available separately)
+    // For 'both' pages, we check the permission in both contexts and return the union
+    // Higher permission wins (true > false, admin > user, etc.)
+    
+    const eventSecurityContext: SecurityContext = {
+      userId: input.userId,
+      organisationId: eventScope.organisationId || null,
+      timestamp: new Date(),
+    };
+    
+    const eventInput: PermissionCheck = {
+      ...input,
+      scope: eventScope
+    };
+    
+    const hasEventPermission = await engine.isPermitted(eventInput, eventSecurityContext);
+    
+    // Also check with organisation scope if we have a separate org context
+    // (This handles cases where user has org permissions separate from event)
+    if (validatedScope.organisationId && validatedScope.eventId) {
+      const orgScope: Scope = {
+        organisationId: validatedScope.organisationId,
+        eventId: undefined, // Clear event for org-only check
+        appId: validatedScope.appId
+      };
+      
+      const orgSecurityContext: SecurityContext = {
+        userId: input.userId,
+        organisationId: orgScope.organisationId || null,
+        timestamp: new Date(),
+      };
+      
+      const orgInput: PermissionCheck = {
+        ...input,
+        scope: orgScope
+      };
+      
+      const hasOrgPermission = await engine.isPermitted(orgInput, orgSecurityContext);
+      
+      // Return union (true if either scope grants permission)
+      // For access levels, the database function handles the "higher wins" logic
+      return hasEventPermission || hasOrgPermission;
+    }
+    
+    // If only event scope available, return event permission
+    return hasEventPermission;
+  }
+  
+  // Standard permission check for single-scope pages
   const securityContext: SecurityContext = {
     userId: input.userId,
     organisationId: validatedScope.organisationId || null,
@@ -393,13 +449,11 @@ export async function isPermitted(
  * and checks cache before making new requests. Uses session cache for page-level checks.
  * 
  * @param input - Permission check input
- * @param appConfig - Optional app configuration
- * @param appName - Optional app name
+ * @param appName - Optional app name (for PORTAL/ADMIN special case)
  * @returns Promise resolving to permission result
  */
 export async function isPermittedCached(
   input: PermissionCheck,
-  appConfig?: AppConfig | null,
   appName?: string
 ): Promise<boolean> {
   const { userId, scope, permission, pageId } = input;
@@ -424,7 +478,7 @@ export async function isPermittedCached(
     // Check permission with context validation
     // Note: We can't pass precomputedSuperAdmin here because getOrCreateRequest doesn't support it
     // The super admin check in isPermitted will be cached, so it's not a huge performance hit
-    const result = await isPermitted(checkInput, appConfig, appName, null);
+    const result = await isPermitted(checkInput, appName, null);
     
     // Determine if this is a page-level check (has pageId or permission contains 'page.')
     const isPageLevelCheck = !!pageId || permission.includes('page.');
@@ -443,7 +497,7 @@ export async function isPermittedCached(
  * @returns Promise<boolean> - True if user has permission
  */
 export async function hasPermission(input: PermissionCheck): Promise<boolean> {
-  return isPermitted(input, null, undefined, null);
+  return isPermitted(input);
 }
 
 /**
@@ -464,7 +518,7 @@ export async function hasAnyPermission(input: {
     const hasPermission = await isPermitted({
       ...baseInput,
       permission,
-    }, null, undefined, null);
+    });
     
     if (hasPermission) {
       return true;
@@ -492,7 +546,7 @@ export async function hasAllPermissions(input: {
     const hasPermission = await isPermitted({
       ...baseInput,
       permission,
-    }, null, undefined, null);
+    });
     
     if (!hasPermission) {
       return false;
@@ -513,89 +567,81 @@ export async function isSuperAdmin(userId: UUID): Promise<boolean> {
   return engine['checkSuperAdmin'](userId);
 }
 
+
 /**
- * Get app configuration including requires_event setting
+ * Get page scope type (effective scope for a page)
  * 
- * @param appId - App ID
- * @returns Promise resolving to app configuration
+ * Returns the scope type for a page. After migration, all pages have explicit scope_type set.
+ * This is the single source of truth for page scoping.
+ * 
+ * @param pageId - Page ID (UUID) or page name
+ * @param appId - App ID (required if pageId is a page name)
+ * @param appName - App name (alternative to appId, used to resolve appId)
+ * @returns Promise resolving to page scope type: 'event', 'organisation', or 'both'
  */
-export async function getAppConfig(appId: UUID): Promise<AppConfig | null> {
-  try {
-    const engine = getEngine();
-    return getAppConfigWithClient(engine['supabase'], appId);
-  } catch (err) {
-    // RBAC not initialized - return null gracefully
-    if (err instanceof RBACNotInitializedError) {
-      return null;
-    }
-    throw err;
-  }
-}
-
-export async function getAppConfigWithClient(client: SupabaseClient | null | undefined, appId: UUID): Promise<AppConfig | null> {
-  // Return null if client is not available
-  if (!client) {
-    return null;
-  }
-  
-  // Cache key for app config - cache for 5 minutes (app config rarely changes)
-  const cacheKey = `app_config:${appId}`;
-  
-  // Check cache first
-  const cached = rbacCache.get<AppConfig>(cacheKey, true);
-  if (cached !== null) {
-    return cached;
-  }
+export async function getPageScopeType(
+  pageId: UUID | string,
+  appId?: UUID,
+  appName?: string
+): Promise<'event' | 'organisation' | 'both'> {
+  const engine = getEngine();
   
   try {
-    const { data, error } = await client
-      .from('rbac_apps')
-      .select('requires_event, name')
-      .eq('id', appId)
-      .eq('is_active', true)
-      .single() as { data: { requires_event: boolean; name: string } | null; error: any };
-
-    if (error || !data) {
-      return null;
+    // Resolve appId if not provided
+    let resolvedAppId = appId;
+    if (!resolvedAppId && appName) {
+      // Get appId directly from app name
+      const { data: app } = await engine['supabase']
+        .from('rbac_apps')
+        .select('id')
+        .eq('name', appName)
+        .eq('is_active', true)
+        .single() as { data: { id: UUID } | null; error: any };
+      resolvedAppId = app?.id;
     }
-
-    const appConfig: AppConfig = { requires_event: data.requires_event ?? false };
     
-    // Cache the result for 5 minutes (300000ms) with session cache enabled
-    // App config rarely changes, so we can cache it longer
-    rbacCache.set(cacheKey, appConfig, 5 * 60 * 1000, true);
+    if (!resolvedAppId) {
+      throw new Error(`Could not resolve appId for page ${pageId}`);
+    }
     
-    return appConfig;
-  } catch (err) {
-    log.error('Error fetching app config:', err);
-    return null;
-  }
-}
-
-/**
- * Get app configuration by app name
- * 
- * @param appName - App name
- * @returns Promise resolving to app configuration
- */
-export async function getAppConfigByName(appName: string): Promise<AppConfig | null> {
-  const engine = getEngine();
-  try {
+    // Resolve pageId if it's a page name
+    let resolvedPageId: UUID | string = pageId;
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+    if (!uuidRegex.test(pageId)) {
+      // It's a page name, resolve to UUID
+      const { data: page } = await engine['supabase']
+        .from('rbac_app_pages')
+        .select('id')
+        .eq('app_id', resolvedAppId)
+        .eq('page_name', pageId)
+        .maybeSingle() as { data: { id: UUID } | null; error: any };
+      resolvedPageId = page?.id || pageId;
+    }
+    
+    // If still not a UUID, can't proceed
+    if (!uuidRegex.test(resolvedPageId)) {
+      throw new Error(`Could not resolve pageId ${pageId} to a valid UUID`);
+    }
+    
+    // Call the database function to get scope type (always returns a value)
     const { data, error } = await engine['supabase']
-      .from('rbac_apps')
-      .select('requires_event, name')
-      .eq('name', appName)
-      .eq('is_active', true)
-      .single() as { data: { requires_event: boolean; name: string } | null; error: any };
-
-    if (error || !data) {
-      return null;
+      .rpc('get_page_scope_type' as any, {
+        p_page_id: resolvedPageId
+      }) as { data: 'event' | 'organisation' | 'both' | null; error: any };
+    
+    if (error) {
+      log.error('Error fetching page scope type:', { pageId, appId, error });
+      throw new Error(`Failed to get page scope type: ${error.message}`);
     }
-
-    return { requires_event: data.requires_event ?? false };
+    
+    if (!data) {
+      throw new Error(`Page ${resolvedPageId} does not have scope_type set`);
+    }
+    
+    return data;
   } catch (err) {
-    log.error('Error fetching app config by name:', err);
-    return null;
+    log.error('Error fetching page scope type:', err);
+    throw err instanceof Error ? err : new Error(`Failed to get page scope type: ${String(err)}`);
   }
 }
 

package/src/rbac/components/PagePermissionGuard.tsx

@@ -141,6 +141,7 @@ const PagePermissionGuardComponent = ({
   const { user, selectedOrganisation, selectedEvent, supabase, appId: contextAppId, appName } = useUnifiedAuth();
   
   const [hasChecked, setHasChecked] = useState(false);
+  const hasLoggedSuperAdminRef = useRef(false);
 
   // Determine the page ID for permission checking
   const effectivePageId = useMemo((): string => {
@@ -396,10 +397,11 @@ const PagePermissionGuardComponent = ({
   
   
 
-  // Debug logging for permission check state
+  // Debug logging for permission check state (only log when state actually changes, not on every render)
+  const lastLogStateRef = useRef<string>('');
   useEffect(() => {
     if (process.env.NODE_ENV === 'development') {
-      console.log('[PagePermissionGuard] Permission check state', {
+      const currentState = JSON.stringify({
         pageName,
         userId: user?.id,
         isSuperAdmin,
@@ -408,10 +410,25 @@ const PagePermissionGuardComponent = ({
         canIsLoading,
         hasChecked,
         hasValidUser,
-        effectiveCan,
-        stableScope,
-        effectiveScope
+        effectiveCan
       });
+      // Only log if state actually changed
+      if (currentState !== lastLogStateRef.current) {
+        lastLogStateRef.current = currentState;
+        console.log('[PagePermissionGuard] Permission check state', {
+          pageName,
+          userId: user?.id,
+          isSuperAdmin,
+          isLoading,
+          scopeLoading,
+          canIsLoading,
+          hasChecked,
+          hasValidUser,
+          effectiveCan,
+          stableScope,
+          effectiveScope
+        });
+      }
     }
   }, [pageName, user?.id, isSuperAdmin, isLoading, scopeLoading, canIsLoading, hasChecked, hasValidUser, effectiveCan, stableScope, effectiveScope]);
 
@@ -439,13 +456,24 @@ const PagePermissionGuardComponent = ({
 
   // CRITICAL: Super admins bypass all checks - show content immediately once confirmed
   // This must be checked AFTER all hooks are called to avoid React hooks rule violations
+  // Log super admin access only once when it's first confirmed (not on every render)
+  useEffect(() => {
+    if (isSuperAdmin === true && hasValidUser && !hasLoggedSuperAdminRef.current && process.env.NODE_ENV === 'development') {
+      hasLoggedSuperAdminRef.current = true;
+      console.log('[PagePermissionGuard] Super admin access granted - bypassing all checks', {
+        pageName,
+        userId: user?.id,
+        operation
+      });
+    }
+    // Reset log flag if super admin status changes back to false/null
+    if (isSuperAdmin !== true) {
+      hasLoggedSuperAdminRef.current = false;
+    }
+  }, [isSuperAdmin, hasValidUser, pageName, user?.id, operation]);
+  
   if (isSuperAdmin === true && hasValidUser) {
     // Super admin confirmed - grant access immediately
-    console.log('[PagePermissionGuard] Super admin access granted - bypassing all checks', {
-      pageName,
-      userId: user?.id,
-      operation
-    });
     return <>{children}</>;
   }
 

package/src/rbac/hooks/__tests__/useSecureSupabase.test.ts

@@ -33,14 +33,15 @@ vi.mock('../useResolvedScope', () => ({
 }));
 
 vi.mock('../../secureClient', () => ({
-  createSecureClient: vi.fn()
+  createSecureClient: vi.fn(),
+  fromSupabaseClient: vi.fn()
 }));
 
 import { useUnifiedAuth } from '../../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../../hooks/useOrganisations';
 import { useEvents } from '../../../hooks/useEvents';
 import { useResolvedScope } from '../useResolvedScope';
-import { createSecureClient } from '../../secureClient';
+import { createSecureClient, fromSupabaseClient } from '../../secureClient';
 import type { SupabaseClient } from '@supabase/supabase-js';
 import type { Database } from '../../../types/database';
 
@@ -68,6 +69,7 @@ describe('useSecureSupabase Hook', () => {
   const mockUseEvents = vi.mocked(useEvents);
   const mockUseResolvedScope = vi.mocked(useResolvedScope);
   const mockCreateSecureClient = vi.mocked(createSecureClient);
+  const mockFromSupabaseClient = vi.mocked(fromSupabaseClient);
 
   beforeEach(() => {
     vi.clearAllMocks();
@@ -131,6 +133,9 @@ describe('useSecureSupabase Hook', () => {
     });
 
     mockCreateSecureClient.mockReturnValue(mockSecureClient as any);
+    // When fromSupabaseClient is used (when baseClient/authSupabase is available),
+    // it should return a secure client that wraps the existing client
+    mockFromSupabaseClient.mockReturnValue(mockSecureClient as any);
   });
 
   afterEach(() => {
@@ -171,14 +176,15 @@ describe('useSecureSupabase Hook', () => {
       const { result } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
 
       expect(result.current).toBe(mockSupabaseClient);
-      const call = mockCreateSecureClient.mock.calls[0];
-      expect(call[2]).toBe(uniqueOrgId);
-      expect(call[3]).toBe(mockEventId);
-      expect(call[4]).toBe(mockAppId);
+      const call = mockFromSupabaseClient.mock.calls[0];
+      expect(call[1]).toBe(uniqueOrgId);
+      expect(call[2]).toBe(mockEventId);
+      expect(call[3]).toBe(mockAppId);
     });
 
     it('should return base client when event is loading', () => {
@@ -265,7 +271,8 @@ describe('useSecureSupabase Hook', () => {
         // The cache is working correctly by reusing the client
       } else {
         // Client was created - verify it was called
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }
 
       // Store the first client instance
@@ -316,11 +323,12 @@ describe('useSecureSupabase Hook', () => {
       const { result: result1, rerender: rerender1 } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
 
       // Clear the mock to count new calls
-      mockCreateSecureClient.mockClear();
+      mockFromSupabaseClient.mockClear();
 
       // Change organisation - this should create a new client with different cache key
       const uniqueOrgId2 = `org-${Date.now()}-2`;
@@ -347,7 +355,8 @@ describe('useSecureSupabase Hook', () => {
       rerender1();
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
     });
   });
@@ -448,13 +457,14 @@ describe('useSecureSupabase Hook', () => {
       const { result } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
       
-      const call = mockCreateSecureClient.mock.calls[0];
-      expect(call[2]).toBe(uniqueOrgId);
-      expect(call[3]).toBe(mockEventId);
-      expect(call[4]).toBe(customAppId);
+      const call = mockFromSupabaseClient.mock.calls[0];
+      expect(call[1]).toBe(uniqueOrgId);
+      expect(call[2]).toBe(mockEventId);
+      expect(call[3]).toBe(customAppId);
     });
 
     it('should work without event context', async () => {
@@ -493,13 +503,14 @@ describe('useSecureSupabase Hook', () => {
       const { result } = renderHook(() => useSecureSupabase());
 
       await waitFor(() => {
-        expect(mockCreateSecureClient).toHaveBeenCalled();
+        // When authSupabase is available, the hook uses fromSupabaseClient
+        expect(mockFromSupabaseClient).toHaveBeenCalled();
       }, { timeout: 2000 });
       
-      const call = mockCreateSecureClient.mock.calls[0];
-      expect(call[2]).toBe(uniqueOrgId);
-      expect(call[3]).toBeUndefined();
-      expect(call[4]).toBe(mockAppId);
+      const call = mockFromSupabaseClient.mock.calls[0];
+      expect(call[1]).toBe(uniqueOrgId);
+      expect(call[2]).toBeUndefined();
+      expect(call[3]).toBe(mockAppId);
     });
   });
 

package/src/rbac/hooks/permissions/useAccessLevel.ts

@@ -80,7 +80,7 @@ export function useAccessLevel(userId: UUID, scope: Scope): {
         return;
       }
 
-      const level = await getAccessLevel({ userId, scope }, null, appName);
+      const level = await getAccessLevel({ userId, scope }, appName);
       setAccessLevel(level);
     } catch (err) {
       const error = err instanceof Error ? err : new Error('Failed to fetch access level');