npm - @jmruthers/pace-core - Versions diffs - 0.6.2 → 0.6.4 - Mend

@jmruthers/pace-core 0.6.2 → 0.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/CHANGELOG.md +45 -0
package/cursor-rules/00-pace-core-compliance.mdc +34 -2
package/dist/{AuthService-BPvc3Ka0.d.ts → AuthService-Cb34EQs3.d.ts} +9 -1
package/dist/{DataTable-TPTKCX4D.js → DataTable-E7YQZD7D.js} +9 -8
package/dist/{PublicPageProvider-DC6kCaqf.d.ts → PublicPageProvider-DEMpysFR.d.ts} +45 -67
package/dist/{UnifiedAuthProvider-CVcTjx-d.d.ts → UnifiedAuthProvider-CKvHP1MK.d.ts} +1 -8
package/dist/{UnifiedAuthProvider-CH6Z342H.js → UnifiedAuthProvider-QPXO24B4.js} +5 -4
package/dist/{api-MVVQZLJI.js → api-6LVZTHDS.js} +10 -10
package/dist/{audit-B5P6FFIR.js → audit-V53FV5AG.js} +2 -2
package/dist/chunk-36LVWXB2.js +227 -0
package/dist/chunk-36LVWXB2.js.map +1 -0
package/dist/{chunk-24UVZUZG.js → chunk-3LPHPB62.js} +129 -387
package/dist/chunk-3LPHPB62.js.map +1 -0
package/dist/{chunk-2UOI2FG5.js → chunk-5EC5MEWX.js} +4 -4
package/dist/{chunk-3XC4CPTD.js → chunk-7JPAB3T5.js} +244 -5727
package/dist/chunk-7JPAB3T5.js.map +1 -0
package/dist/{chunk-6J4GEEJR.js → chunk-ATKZM7RX.js} +53 -27
package/dist/chunk-ATKZM7RX.js.map +1 -0
package/dist/{chunk-EHMR7VYL.js → chunk-AVMLPIM7.js} +443 -189
package/dist/chunk-AVMLPIM7.js.map +1 -0
package/dist/chunk-DGUM43GV.js +11 -0
package/dist/{chunk-NECFR5MM.js → chunk-I6DAQMWX.js} +575 -647
package/dist/chunk-I6DAQMWX.js.map +1 -0
package/dist/{chunk-F2IMUDXZ.js → chunk-M7MPQISP.js} +2 -2
package/dist/{chunk-XWQCNGTQ.js → chunk-NN6WWZ5U.js} +173 -79
package/dist/chunk-NN6WWZ5U.js.map +1 -0
package/dist/{chunk-MMZ7JXPU.js → chunk-OEWDTMG7.js} +13 -21
package/dist/{chunk-MMZ7JXPU.js.map → chunk-OEWDTMG7.js.map} +1 -1
package/dist/{chunk-SFZUDBL5.js → chunk-YKRAFF5K.js} +70 -56
package/dist/chunk-YKRAFF5K.js.map +1 -0
package/dist/components.d.ts +2 -2
package/dist/components.js +12 -13
package/dist/contextValidator-OOPCLPZW.js +9 -0
package/dist/contextValidator-OOPCLPZW.js.map +1 -0
package/dist/eslint-rules/pace-core-compliance.cjs +106 -0
package/dist/hooks.d.ts +2 -2
package/dist/hooks.js +7 -6
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +7 -7
package/dist/index.js +21 -16
package/dist/index.js.map +1 -1
package/dist/providers.d.ts +3 -3
package/dist/providers.js +4 -3
package/dist/rbac/index.d.ts +67 -27
package/dist/rbac/index.js +15 -8
package/dist/styles/index.js +1 -1
package/dist/theming/runtime.js +1 -1
package/dist/types.js +1 -1
package/dist/{usePublicRouteParams-1oMokgLF.d.ts → usePublicRouteParams-i3qtoBgg.d.ts} +7 -16
package/dist/utils.js +5 -7
package/dist/utils.js.map +1 -1
package/docs/api/README.md +14 -16
package/docs/api/modules.md +3796 -2513
package/docs/components/context-selector.md +126 -0
package/docs/migration/RBAC_SCOPE_MIGRATION.md +385 -0
package/docs/pace-mint-fix-auto-selection.md +218 -0
package/docs/pace-mint-rbac-setup.md +391 -0
package/docs/rbac/secure-client-protection.md +330 -0
package/package.json +10 -5
package/scripts/audit/core/checks/compliance.cjs +72 -0
package/scripts/audit/core/checks/dependencies.cjs +568 -28
package/scripts/audit/core/checks/documentation.cjs +68 -3
package/scripts/audit/core/checks/environment.cjs +2 -14
package/scripts/audit/core/checks/error-handling.cjs +47 -6
package/src/components/ContextSelector/ContextSelector.tsx +384 -0
package/src/components/ContextSelector/index.ts +3 -0
package/src/components/DataTable/components/RowComponent.tsx +19 -19
package/src/components/DataTable/components/UnifiedTableBody.tsx +2 -2
package/src/components/DataTable/hooks/useDataTablePermissions.ts +8 -6
package/src/components/Dialog/Dialog.tsx +29 -1
package/src/components/FileDisplay/FileDisplay.tsx +42 -10
package/src/components/Header/Header.test.tsx +43 -73
package/src/components/Header/Header.tsx +44 -45
package/src/components/PaceAppLayout/PaceAppLayout.integration.test.tsx +10 -19
package/src/components/PaceAppLayout/PaceAppLayout.performance.test.tsx +2 -2
package/src/components/PaceAppLayout/PaceAppLayout.security.test.tsx +5 -5
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +9 -9
package/src/components/PaceAppLayout/PaceAppLayout.tsx +157 -36
package/src/components/PaceAppLayout/README.md +14 -17
package/src/components/PaceAppLayout/test-setup.tsx +2 -2
package/src/components/index.ts +5 -5
package/src/eslint-rules/pace-core-compliance.cjs +106 -0
package/src/hooks/__tests__/useAppConfig.unit.test.ts +4 -98
package/src/hooks/useAppConfig.ts +15 -30
package/src/hooks/useFileDisplay.ts +77 -50
package/src/index.ts +4 -5
package/src/providers/services/AuthServiceProvider.tsx +17 -7
package/src/providers/services/EventServiceProvider.tsx +33 -5
package/src/providers/services/UnifiedAuthProvider.tsx +90 -134
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +1 -1
package/src/rbac/adapters.tsx +2 -2
package/src/rbac/api.test.ts +59 -51
package/src/rbac/api.ts +178 -132
package/src/rbac/components/PagePermissionGuard.tsx +38 -10
package/src/rbac/hooks/__tests__/useSecureSupabase.test.ts +32 -21
package/src/rbac/hooks/permissions/useAccessLevel.ts +1 -1
package/src/rbac/hooks/permissions/useCan.ts +41 -11
package/src/rbac/hooks/permissions/useHasAllPermissions.ts +1 -1
package/src/rbac/hooks/permissions/useHasAnyPermission.ts +1 -1
package/src/rbac/hooks/permissions/useMultiplePermissions.ts +1 -1
package/src/rbac/hooks/useCan.test.ts +0 -9
package/src/rbac/hooks/useRBAC.test.ts +1 -5
package/src/rbac/hooks/useRBAC.ts +36 -37
package/src/rbac/hooks/useResolvedScope.test.ts +120 -35
package/src/rbac/hooks/useResolvedScope.ts +35 -40
package/src/rbac/hooks/useSecureSupabase.ts +7 -7
package/src/rbac/index.ts +7 -0
package/src/rbac/secureClient.test.ts +22 -18
package/src/rbac/secureClient.ts +103 -16
package/src/rbac/security.ts +0 -17
package/src/rbac/types.ts +1 -0
package/src/rbac/utils/__tests__/contextValidator.test.ts +64 -86
package/src/rbac/utils/clientSecurity.ts +93 -0
package/src/rbac/utils/contextValidator.ts +77 -168
package/src/services/AuthService.ts +39 -7
package/src/services/EventService.ts +285 -56
package/src/services/OrganisationService.ts +81 -14
package/src/services/__tests__/EventService.test.ts +1 -2
package/src/services/base/BaseService.ts +3 -0
package/src/utils/dynamic/dynamicUtils.ts +7 -4
package/dist/chunk-24UVZUZG.js.map +0 -1
package/dist/chunk-3XC4CPTD.js.map +0 -1
package/dist/chunk-6J4GEEJR.js.map +0 -1
package/dist/chunk-7D4SUZUM.js +0 -38
package/dist/chunk-EHMR7VYL.js.map +0 -1
package/dist/chunk-NECFR5MM.js.map +0 -1
package/dist/chunk-SFZUDBL5.js.map +0 -1
package/dist/chunk-XWQCNGTQ.js.map +0 -1
package/docs/api/classes/ColumnFactory.md +0 -243
package/docs/api/classes/InvalidScopeError.md +0 -73
package/docs/api/classes/Logger.md +0 -178
package/docs/api/classes/MissingUserContextError.md +0 -66
package/docs/api/classes/OrganisationContextRequiredError.md +0 -66
package/docs/api/classes/PermissionDeniedError.md +0 -73
package/docs/api/classes/RBACAuditManager.md +0 -297
package/docs/api/classes/RBACCache.md +0 -322
package/docs/api/classes/RBACEngine.md +0 -171
package/docs/api/classes/RBACError.md +0 -76
package/docs/api/classes/RBACNotInitializedError.md +0 -66
package/docs/api/classes/SecureSupabaseClient.md +0 -163
package/docs/api/classes/StorageUtils.md +0 -328
package/docs/api/enums/FileCategory.md +0 -184
package/docs/api/enums/LogLevel.md +0 -54
package/docs/api/enums/RBACErrorCode.md +0 -228
package/docs/api/enums/RPCFunction.md +0 -118
package/docs/api/interfaces/AddressFieldProps.md +0 -241
package/docs/api/interfaces/AddressFieldRef.md +0 -94
package/docs/api/interfaces/AggregateConfig.md +0 -43
package/docs/api/interfaces/AutocompleteOptions.md +0 -75
package/docs/api/interfaces/AvatarProps.md +0 -128
package/docs/api/interfaces/BadgeProps.md +0 -34
package/docs/api/interfaces/ButtonProps.md +0 -56
package/docs/api/interfaces/CalendarProps.md +0 -73
package/docs/api/interfaces/CardProps.md +0 -69
package/docs/api/interfaces/ColorPalette.md +0 -7
package/docs/api/interfaces/ColorShade.md +0 -66
package/docs/api/interfaces/ComplianceResult.md +0 -30
package/docs/api/interfaces/DataAccessRecord.md +0 -96
package/docs/api/interfaces/DataRecord.md +0 -11
package/docs/api/interfaces/DataTableAction.md +0 -252
package/docs/api/interfaces/DataTableColumn.md +0 -504
package/docs/api/interfaces/DataTableProps.md +0 -625
package/docs/api/interfaces/DataTableToolbarButton.md +0 -96
package/docs/api/interfaces/DatabaseComplianceResult.md +0 -85
package/docs/api/interfaces/DatabaseIssue.md +0 -41
package/docs/api/interfaces/EmptyStateConfig.md +0 -61
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +0 -235
package/docs/api/interfaces/ErrorBoundaryProps.md +0 -147
package/docs/api/interfaces/ErrorBoundaryProviderProps.md +0 -36
package/docs/api/interfaces/ErrorBoundaryState.md +0 -75
package/docs/api/interfaces/EventAppRoleData.md +0 -71
package/docs/api/interfaces/ExportColumn.md +0 -90
package/docs/api/interfaces/ExportOptions.md +0 -126
package/docs/api/interfaces/FileDisplayProps.md +0 -249
package/docs/api/interfaces/FileMetadata.md +0 -129
package/docs/api/interfaces/FileReference.md +0 -118
package/docs/api/interfaces/FileSizeLimits.md +0 -7
package/docs/api/interfaces/FileUploadOptions.md +0 -139
package/docs/api/interfaces/FileUploadProps.md +0 -296
package/docs/api/interfaces/FooterProps.md +0 -107
package/docs/api/interfaces/FormFieldProps.md +0 -166
package/docs/api/interfaces/FormProps.md +0 -113
package/docs/api/interfaces/GrantEventAppRoleParams.md +0 -122
package/docs/api/interfaces/InactivityWarningModalProps.md +0 -115
package/docs/api/interfaces/InputProps.md +0 -56
package/docs/api/interfaces/LabelProps.md +0 -107
package/docs/api/interfaces/LoggerConfig.md +0 -62
package/docs/api/interfaces/LoginFormProps.md +0 -187
package/docs/api/interfaces/NavigationAccessRecord.md +0 -107
package/docs/api/interfaces/NavigationContextType.md +0 -164
package/docs/api/interfaces/NavigationGuardProps.md +0 -139
package/docs/api/interfaces/NavigationItem.md +0 -120
package/docs/api/interfaces/NavigationMenuProps.md +0 -221
package/docs/api/interfaces/NavigationProviderProps.md +0 -117
package/docs/api/interfaces/Organisation.md +0 -140
package/docs/api/interfaces/OrganisationContextType.md +0 -388
package/docs/api/interfaces/OrganisationMembership.md +0 -140
package/docs/api/interfaces/OrganisationProviderProps.md +0 -76
package/docs/api/interfaces/OrganisationSecurityError.md +0 -62
package/docs/api/interfaces/PaceAppLayoutProps.md +0 -409
package/docs/api/interfaces/PaceLoginPageProps.md +0 -49
package/docs/api/interfaces/PageAccessRecord.md +0 -85
package/docs/api/interfaces/PagePermissionContextType.md +0 -140
package/docs/api/interfaces/PagePermissionGuardProps.md +0 -153
package/docs/api/interfaces/PagePermissionProviderProps.md +0 -119
package/docs/api/interfaces/PaletteData.md +0 -41
package/docs/api/interfaces/ParsedAddress.md +0 -120
package/docs/api/interfaces/PermissionEnforcerProps.md +0 -153
package/docs/api/interfaces/ProgressProps.md +0 -42
package/docs/api/interfaces/ProtectedRouteProps.md +0 -78
package/docs/api/interfaces/PublicPageFooterProps.md +0 -112
package/docs/api/interfaces/PublicPageHeaderProps.md +0 -125
package/docs/api/interfaces/PublicPageLayoutProps.md +0 -185
package/docs/api/interfaces/QuickFix.md +0 -52
package/docs/api/interfaces/RBACAccessValidateParams.md +0 -52
package/docs/api/interfaces/RBACAccessValidateResult.md +0 -41
package/docs/api/interfaces/RBACAuditLogParams.md +0 -85
package/docs/api/interfaces/RBACAuditLogResult.md +0 -52
package/docs/api/interfaces/RBACConfig.md +0 -133
package/docs/api/interfaces/RBACContext.md +0 -52
package/docs/api/interfaces/RBACLogger.md +0 -112
package/docs/api/interfaces/RBACPageAccessCheckParams.md +0 -74
package/docs/api/interfaces/RBACPerformanceMetrics.md +0 -138
package/docs/api/interfaces/RBACPermissionCheckParams.md +0 -74
package/docs/api/interfaces/RBACPermissionCheckResult.md +0 -52
package/docs/api/interfaces/RBACPermissionsGetParams.md +0 -63
package/docs/api/interfaces/RBACPermissionsGetResult.md +0 -63
package/docs/api/interfaces/RBACResult.md +0 -58
package/docs/api/interfaces/RBACRoleGrantParams.md +0 -63
package/docs/api/interfaces/RBACRoleGrantResult.md +0 -52
package/docs/api/interfaces/RBACRoleRevokeParams.md +0 -63
package/docs/api/interfaces/RBACRoleRevokeResult.md +0 -52
package/docs/api/interfaces/RBACRoleValidateParams.md +0 -52
package/docs/api/interfaces/RBACRoleValidateResult.md +0 -63
package/docs/api/interfaces/RBACRolesListParams.md +0 -52
package/docs/api/interfaces/RBACRolesListResult.md +0 -74
package/docs/api/interfaces/RBACSessionTrackParams.md +0 -74
package/docs/api/interfaces/RBACSessionTrackResult.md +0 -52
package/docs/api/interfaces/ResourcePermissions.md +0 -155
package/docs/api/interfaces/RevokeEventAppRoleParams.md +0 -100
package/docs/api/interfaces/RoleBasedRouterContextType.md +0 -151
package/docs/api/interfaces/RoleBasedRouterProps.md +0 -156
package/docs/api/interfaces/RoleManagementResult.md +0 -52
package/docs/api/interfaces/RouteAccessRecord.md +0 -107
package/docs/api/interfaces/RouteConfig.md +0 -134
package/docs/api/interfaces/RuntimeComplianceResult.md +0 -55
package/docs/api/interfaces/SecureDataContextType.md +0 -168
package/docs/api/interfaces/SecureDataProviderProps.md +0 -132
package/docs/api/interfaces/SessionRestorationLoaderProps.md +0 -34
package/docs/api/interfaces/SetupIssue.md +0 -41
package/docs/api/interfaces/StorageConfig.md +0 -41
package/docs/api/interfaces/StorageFileInfo.md +0 -74
package/docs/api/interfaces/StorageFileMetadata.md +0 -151
package/docs/api/interfaces/StorageListOptions.md +0 -99
package/docs/api/interfaces/StorageListResult.md +0 -41
package/docs/api/interfaces/StorageUploadOptions.md +0 -101
package/docs/api/interfaces/StorageUploadResult.md +0 -63
package/docs/api/interfaces/StorageUrlOptions.md +0 -60
package/docs/api/interfaces/StyleImport.md +0 -19
package/docs/api/interfaces/SwitchProps.md +0 -34
package/docs/api/interfaces/TabsContentProps.md +0 -9
package/docs/api/interfaces/TabsListProps.md +0 -9
package/docs/api/interfaces/TabsProps.md +0 -9
package/docs/api/interfaces/TabsTriggerProps.md +0 -50
package/docs/api/interfaces/TextareaProps.md +0 -53
package/docs/api/interfaces/ToastActionElement.md +0 -12
package/docs/api/interfaces/ToastProps.md +0 -9
package/docs/api/interfaces/UnifiedAuthContextType.md +0 -823
package/docs/api/interfaces/UnifiedAuthProviderProps.md +0 -173
package/docs/api/interfaces/UseFormDialogOptions.md +0 -62
package/docs/api/interfaces/UseFormDialogReturn.md +0 -117
package/docs/api/interfaces/UseInactivityTrackerOptions.md +0 -138
package/docs/api/interfaces/UseInactivityTrackerReturn.md +0 -123
package/docs/api/interfaces/UsePublicEventLogoOptions.md +0 -87
package/docs/api/interfaces/UsePublicEventLogoReturn.md +0 -84
package/docs/api/interfaces/UsePublicEventOptions.md +0 -34
package/docs/api/interfaces/UsePublicEventReturn.md +0 -71
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +0 -47
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +0 -123
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +0 -97
package/docs/api/interfaces/UseResolvedScopeOptions.md +0 -47
package/docs/api/interfaces/UseResolvedScopeReturn.md +0 -47
package/docs/api/interfaces/UseResourcePermissionsOptions.md +0 -34
package/docs/api/interfaces/UserEventAccess.md +0 -121
package/docs/api/interfaces/UserMenuProps.md +0 -88
package/docs/api/interfaces/UserProfile.md +0 -63
package/src/components/EventSelector/EventSelector.test.tsx +0 -720
package/src/components/EventSelector/EventSelector.tsx +0 -423
package/src/components/EventSelector/index.ts +0 -3
package/src/components/OrganisationSelector/OrganisationSelector.test.tsx +0 -784
package/src/components/OrganisationSelector/OrganisationSelector.tsx +0 -327
package/src/components/OrganisationSelector/index.ts +0 -9
/package/dist/{DataTable-TPTKCX4D.js.map → DataTable-E7YQZD7D.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-CH6Z342H.js.map → UnifiedAuthProvider-QPXO24B4.js.map} +0 -0
/package/dist/{api-MVVQZLJI.js.map → api-6LVZTHDS.js.map} +0 -0
/package/dist/{audit-B5P6FFIR.js.map → audit-V53FV5AG.js.map} +0 -0
/package/dist/{chunk-2UOI2FG5.js.map → chunk-5EC5MEWX.js.map} +0 -0
/package/dist/{chunk-7D4SUZUM.js.map → chunk-DGUM43GV.js.map} +0 -0
/package/dist/{chunk-F2IMUDXZ.js.map → chunk-M7MPQISP.js.map} +0 -0

package/docs/components/context-selector.md ADDED Viewed

@@ -0,0 +1,126 @@
+# Context Selector - Unified Intelligent Selector
+## Overview
+The `ContextSelector` (formerly `HybridContextSelector`) is the **single unified selector** for all pace-core applications. It intelligently shows all organisations and events a user can access based on their roles and permissions.
+## Why Unified Selector?
+Previously, apps had to choose between:
+- `OrganisationSelector` - for org-based apps
+- `EventSelector` - for event-based apps
+- `HybridContextSelector` - for hybrid apps
+This created complexity and required apps to know their scope type upfront. With page-level scope, we can now intelligently show **everything** the user can access in one place.
+## How It Works
+The `ContextSelector` automatically:
+1. **Shows all accessible organisations** - Based on user's organisation roles
+2. **Shows all accessible events** - Based on user's event-app roles and organisation membership
+3. **Groups items intelligently** - Organisations and Events in separate sections
+4. **Handles super admins** - Shows all orgs and events
+5. **Respects permissions** - Only shows what user can actually access
+## Usage
+### Basic Usage
+```tsx
+import { ContextSelector } from '@jmruthers/pace-core';
+function MyHeader() {
+  const { switchOrganisation } = useOrganisations();
+  const { events, setSelectedEvent } = useEvents();
+  return (
+    <ContextSelector
+      onOrganisationSelect={(org) => switchOrganisation(org.id)}
+      onEventSelect={(event) => {
+        const fullEvent = events.find(e => e.event_id === event.event_id);
+        setSelectedEvent(fullEvent || event);
+      }}
+    />
+  );
+}
+```
+### In Header Component
+The `Header` component now uses `ContextSelector` by default:
+```tsx
+<Header
+  logoUrl="/logo.svg"
+  showContextSelector={true} // Default: shows unified selector
+  user={user}
+  onSignOut={handleSignOut}
+/>
+```
+### In PaceAppLayout
+```tsx
+<PaceAppLayout
+  appName="MINT"
+  showContextSelector={true} // Default: shows unified selector
+  navItems={navItems}
+>
+  {children}
+</PaceAppLayout>
+```
+## Migration from Separate Selectors
+### Before (Separate Selectors)
+```tsx
+<Header
+  showOrgSelector={true}
+  showEventSelector={true}
+  // ...
+/>
+```
+### After (Unified Selector)
+```tsx
+<Header
+  showContextSelector={true} // Single prop replaces both
+  // ...
+/>
+```
+## Benefits
+1. **Simpler API** - One selector instead of three
+2. **Better UX** - Users see everything they can access in one place
+3. **Intelligent** - Automatically determines what to show based on permissions
+4. **Future-proof** - Works with any app configuration (org-based, event-based, hybrid)
+5. **No configuration needed** - Just use it, it figures out what to show
+## Migration from Separate Selectors
+**⚠️ BREAKING CHANGE**: The separate selectors have been removed. You must migrate to `ContextSelector`.
+### Removed Components
+- `OrganisationSelector` - Use `ContextSelector` instead
+- `EventSelector` - Use `ContextSelector` instead
+- `HybridContextSelector` - Use `ContextSelector` instead
+### Removed Props
+- `Header.showEventSelector` - Use `showContextSelector` instead
+- `Header.showOrgSelector` - Use `showContextSelector` instead
+- `PaceAppLayout.showEventSelector` - Use `showContextSelector` instead
+- `PaceAppLayout.showOrgSelector` - Use `showContextSelector` instead
+## Implementation Details
+The selector uses:
+- `useOrganisations()` - Gets accessible organisations
+- `useEvents()` - Gets accessible events (already filtered by permissions)
+- `useRBAC()` - Checks super admin status
+Both hooks already filter based on user permissions, so the selector automatically shows the correct items.

package/docs/migration/RBAC_SCOPE_MIGRATION.md ADDED Viewed

@@ -0,0 +1,385 @@
+# RBAC Scope Migration Guide
+## Overview
+This migration moves RBAC scope from app-level (`rbac_apps.requires_event`) to page-level (`rbac_app_pages.scope_type`). This enables hybrid apps like `pace-mint` to have both event-based and organisation-based pages within the same app.
+**⚠️ BREAKING CHANGE**: This migration removes app-level scope configuration entirely. All scope is now configured at the page level with no backward compatibility.
+## What Changed
+**Removed**: App-level scope configuration (`rbac_apps.requires_event`)
+**Now**: Page-level scope only (`rbac_app_pages.scope_type`)
+### Why This Change?
+1. **Single Source of Truth**: Scope is stored in one place (page-level), making it easier to understand and maintain
+2. **More Flexible**: Each page can have its own scope, enabling hybrid apps like pace-mint
+3. **Simpler Queries**: No need to join with `rbac_apps` to determine scope
+4. **More Explicit**: No inheritance logic - scope is always clear from the page itself
+5. **No Backward Compatibility Overhead**: Clean break from old patterns
+## Breaking Changes
+### Removed APIs
+1. **`UnifiedAuthProvider.appConfig` prop** - No longer needed
+2. **`useAppConfig().requiresEvent`** - Use `getPageScopeType(pageId)` instead
+3. **`useAppConfig().supportsDirectAccess`** - No longer relevant
+4. **`ContextValidator.validateScope()`** - Use `resolveScopeForPage()` instead
+5. **`ContextValidator.resolveRequiredContext()`** - Use `resolveScopeForPage()` instead
+6. **`ContextValidator.isContextReady()`** - Context readiness checked per page
+7. **`RBACSecurityValidator.validateContextRequirements()`** - No longer needed
+8. **`getAppConfig()`, `getAppConfigByName()`, `getAppConfigWithClient()`** - Use `getPageScopeType()` instead
+### Changed APIs
+1. **`useRBAC(pageId)`** - Now requires `pageId` parameter for proper scope resolution
+2. **`getPermissionMap()`, `getRoleContext()`, `getAccessLevel()`, `isPermitted()`** - No longer accept `appConfig` parameter
+### Removed Components
+- `OrganisationSelector` - Use `ContextSelector` instead
+- `EventSelector` - Use `ContextSelector` instead
+- `HybridContextSelector` - Use `ContextSelector` instead
+### Removed Props
+- `Header.showEventSelector` - Use `showContextSelector` instead
+- `Header.showOrgSelector` - Use `showContextSelector` instead
+- `PaceAppLayout.showEventSelector` - Use `showContextSelector` instead
+- `PaceAppLayout.showOrgSelector` - Use `showContextSelector` instead
+## Migration Steps
+### Step 1: Run Database Migration
+Run the migration to populate `rbac_app_pages.scope_type`:
+```bash
+supabase migration up
+```
+**Migration 1:** `supabase/migrations/20251231124932_add_page_scope_type_to_rbac_app_pages.sql`
+- Adds `scope_type` column to `rbac_app_pages`
+- Populates `scope_type` for all existing pages based on their app's `requires_event`
+- Makes `scope_type` NOT NULL (required for all pages)
+- Creates `get_page_scope_type()` function
+- **Drops `rbac_apps.requires_event` column** (no longer needed)
+**Migration 2:** `supabase/migrations/20251231131610_update_rpc_functions_remove_requires_event.sql`
+- Updates `data_rbac_apps_list` to remove `requires_event` from return type
+- Updates `data_user_events_get` to remove `requires_event` check (always checks event app roles if app_id provided)
+### Step 2: Verify Page Scope Types
+Check that all pages have `scope_type` set:
+```sql
+-- Check for any pages without scope_type (should return 0 rows after migration)
+SELECT
+  ap.page_name,
+  ap.scope_type,
+  a.name as app_name
+FROM rbac_app_pages ap
+JOIN rbac_apps a ON ap.app_id = a.id
+WHERE ap.scope_type IS NULL;
+```
+If any pages have `NULL` scope_type after migration, update them:
+```sql
+-- For event-based pages
+UPDATE rbac_app_pages
+SET scope_type = 'event'
+WHERE page_name = 'your-page-name'
+  AND app_id = (SELECT id FROM rbac_apps WHERE name = 'YOUR_APP');
+-- For organisation-based pages
+UPDATE rbac_app_pages
+SET scope_type = 'organisation'
+WHERE page_name = 'your-page-name'
+  AND app_id = (SELECT id FROM rbac_apps WHERE name = 'YOUR_APP');
+```
+### Step 3: Update UnifiedAuthProvider
+**Before:**
+```tsx
+<UnifiedAuthProvider
+  appConfig={{ requires_event: true }}
+  // ... other props
+>
+  {children}
+</UnifiedAuthProvider>
+```
+**After:**
+```tsx
+<UnifiedAuthProvider
+  // appConfig prop removed - scope is now page-level
+  // ... other props
+>
+  {children}
+</UnifiedAuthProvider>
+```
+### Step 4: Update useRBAC Calls
+**Before:**
+```tsx
+const { permissionMap } = useRBAC(); // No pageId
+```
+**After:**
+```tsx
+const { permissionMap } = useRBAC(pageId); // Pass pageId for proper scope resolution
+```
+### Step 5: Replace useAppConfig Usage
+**Before:**
+```tsx
+const { requiresEvent, supportsDirectAccess } = useAppConfig();
+if (requiresEvent) {
+  // Show event selector
+}
+```
+**After:**
+```tsx
+import { getPageScopeType } from '@jmruthers/pace-core';
+const pageScopeType = await getPageScopeType(pageId, appId, appName);
+if (pageScopeType === 'event' || pageScopeType === 'both') {
+  // Show event selector (or use ContextSelector which handles this automatically)
+}
+```
+### Step 6: Update ContextValidator Usage
+**Before:**
+```tsx
+import { ContextValidator } from '@jmruthers/pace-core';
+const validation = await ContextValidator.resolveRequiredContext(
+  scope,
+  appConfig,
+  appName,
+  supabase
+);
+```
+**After:**
+```tsx
+import { ContextValidator, getPageScopeType } from '@jmruthers/pace-core';
+const pageScopeType = await getPageScopeType(pageId, appId, appName);
+const validation = await ContextValidator.resolveScopeForPage(
+  scope,
+  pageScopeType,
+  appName,
+  supabase
+);
+```
+### Step 7: Update Permission Checks
+**Before:**
+```tsx
+const permissionMap = await getPermissionMap(
+  { userId, scope },
+  appConfig,
+  appName
+);
+```
+**After:**
+```tsx
+const permissionMap = await getPermissionMap(
+  { userId, scope }
+  // appConfig and appName no longer needed
+);
+```
+### Step 8: Update Selector Components
+**Before:**
+```tsx
+<Header
+  showOrgSelector={true}
+  showEventSelector={true}
+/>
+```
+**After:**
+```tsx
+<Header
+  showContextSelector={true} // Single unified selector
+/>
+```
+## Page Scope Types
+After migration, all pages must have one of these `scope_type` values:
+### `'event'`
+Page requires event context. Organisation is derived from event.
+### `'organisation'`
+Page requires organisation context. Event is optional.
+### `'both'`
+Page can be accessed with either event or organisation context. Permissions are merged (union), with higher permissions taking precedence.
+## Creating New Pages
+When creating new pages, always set `scope_type` explicitly:
+```sql
+-- Create an event-based page
+INSERT INTO rbac_app_pages (app_id, page_name, page_description, scope_type)
+VALUES (
+  (SELECT id FROM rbac_apps WHERE name = 'MINT'),
+  'budget',
+  'Event Budget Management',
+  'event'  -- ✅ Explicit scope type
+);
+-- Create an organisation-based page
+INSERT INTO rbac_app_pages (app_id, page_name, page_description, scope_type)
+VALUES (
+  (SELECT id FROM rbac_apps WHERE name = 'MINT'),
+  'dashboard',
+  'Organisation Dashboard',
+  'organisation'  -- ✅ Explicit scope type
+);
+-- Create a 'both' page (can use either context)
+INSERT INTO rbac_app_pages (app_id, page_name, page_description, scope_type)
+VALUES (
+  (SELECT id FROM rbac_apps WHERE name = 'MINT'),
+  'reports',
+  'Reports (Event or Organisation)',
+  'both'  -- ✅ Can be accessed with either context
+);
+```
+## Hybrid Apps (e.g., pace-mint)
+For apps that have both event-based and organisation-based pages:
+1. Set `scope_type = 'event'` for event-based pages (e.g., budget pages)
+2. Set `scope_type = 'organisation'` for organisation-based pages (e.g., settings pages)
+3. Set `scope_type = 'both'` for pages that can use either context
+Example:
+```sql
+-- Event-based budget page
+UPDATE rbac_app_pages
+SET scope_type = 'event'
+WHERE page_name = 'budget' AND app_id = (SELECT id FROM rbac_apps WHERE name = 'MINT');
+-- Organisation-based settings page
+UPDATE rbac_app_pages
+SET scope_type = 'organisation'
+WHERE page_name = 'settings' AND app_id = (SELECT id FROM rbac_apps WHERE name = 'MINT');
+```
+## API Changes Summary
+### `getPageScopeType()`
+**Before**: Could return `null` (inherit from app)
+**After**: Always returns a value (`'event'`, `'organisation'`, or `'both'`)
+```typescript
+// After migration, this always returns a value
+const scopeType = await getPageScopeType(pageId, appId, appName);
+// scopeType is now: 'event' | 'organisation' | 'both' (never null)
+```
+### `resolveScopeForPage()`
+**Before**: Accepted `appConfig` parameter and could inherit from app
+**After**: `pageScopeType` is required (never null), `appConfig` removed
+```typescript
+// After migration
+const validation = await ContextValidator.resolveScopeForPage(
+  scope,
+  pageScopeType,  // Required, never null
+  appName,
+  supabase
+);
+```
+## Benefits
+1. **Clearer Intent**: Each page explicitly declares its scope requirements
+2. **Easier Debugging**: No need to trace through app-level config to understand page scope
+3. **Better Performance**: Direct lookup from page table, no join needed
+4. **More Flexible**: Hybrid apps can have mixed scopes without special handling
+5. **No Backward Compatibility Overhead**: Clean, maintainable codebase
+## Testing Checklist
+- [ ] Database migration completed successfully
+- [ ] All pages have `scope_type` set (no NULL values)
+- [ ] `UnifiedAuthProvider` no longer uses `appConfig` prop
+- [ ] All `useRBAC()` calls pass `pageId` parameter
+- [ ] All `useAppConfig().requiresEvent` replaced with `getPageScopeType()`
+- [ ] All deprecated `ContextValidator` methods replaced
+- [ ] All selector components updated to use `ContextSelector`
+- [ ] Permission checks work correctly for all page types
+- [ ] Event-based pages work correctly
+- [ ] Organisation-based pages work correctly
+- [ ] Hybrid pages (scope_type = 'both') work correctly
+## Troubleshooting
+### Pages Not Showing in Navigation
+If pages aren't showing after migration:
+1. **Check scope_type is set**:
+   ```sql
+   SELECT page_name, scope_type FROM rbac_app_pages WHERE app_id = 'your-app-id';
+   ```
+2. **Verify scope matches context**:
+   - Event-based pages require `eventId` to be selected
+   - Organisation-based pages require `organisationId` to be selected
+   - 'both' pages work with either context
+3. **Check permissions**: Ensure user has permissions for the page in the correct scope
+### Permission Denied Errors
+If you get permission denied errors:
+1. **Verify scope_type matches selected context**:
+   - If page is `'event'`, ensure an event is selected
+   - If page is `'organisation'`, ensure an organisation is selected
+2. **Check page permissions are configured** for the correct scope type
+3. **Verify user's roles are active** (valid_from/valid_to dates)
+### ContextSelector Not Showing Items
+1. Check user has organisation memberships or event-app roles
+2. Verify organisations/events are active
+3. Check RLS policies allow user to see the items
+4. Ensure super admin status if testing as super admin
+## Related Documentation
+- [pace-mint RBAC Setup Guide](../pace-mint-rbac-setup.md) - Specific guide for hybrid apps
+- [Context Selector Component](../components/context-selector.md) - Unified selector documentation
+- [RBAC System Overview](../rbac/README.md) - General RBAC documentation
+- [Event-Based Apps](../rbac/event-based-apps.md) - Event-based app patterns