npm - @jmruthers/pace-core - Versions diffs - 0.6.2 → 0.6.4 - Mend

@jmruthers/pace-core 0.6.2 → 0.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (299) hide show

package/CHANGELOG.md +45 -0
package/cursor-rules/00-pace-core-compliance.mdc +34 -2
package/dist/{AuthService-BPvc3Ka0.d.ts → AuthService-Cb34EQs3.d.ts} +9 -1
package/dist/{DataTable-TPTKCX4D.js → DataTable-E7YQZD7D.js} +9 -8
package/dist/{PublicPageProvider-DC6kCaqf.d.ts → PublicPageProvider-DEMpysFR.d.ts} +45 -67
package/dist/{UnifiedAuthProvider-CVcTjx-d.d.ts → UnifiedAuthProvider-CKvHP1MK.d.ts} +1 -8
package/dist/{UnifiedAuthProvider-CH6Z342H.js → UnifiedAuthProvider-QPXO24B4.js} +5 -4
package/dist/{api-MVVQZLJI.js → api-6LVZTHDS.js} +10 -10
package/dist/{audit-B5P6FFIR.js → audit-V53FV5AG.js} +2 -2
package/dist/chunk-36LVWXB2.js +227 -0
package/dist/chunk-36LVWXB2.js.map +1 -0
package/dist/{chunk-24UVZUZG.js → chunk-3LPHPB62.js} +129 -387
package/dist/chunk-3LPHPB62.js.map +1 -0
package/dist/{chunk-2UOI2FG5.js → chunk-5EC5MEWX.js} +4 -4
package/dist/{chunk-3XC4CPTD.js → chunk-7JPAB3T5.js} +244 -5727
package/dist/chunk-7JPAB3T5.js.map +1 -0
package/dist/{chunk-6J4GEEJR.js → chunk-ATKZM7RX.js} +53 -27
package/dist/chunk-ATKZM7RX.js.map +1 -0
package/dist/{chunk-EHMR7VYL.js → chunk-AVMLPIM7.js} +443 -189
package/dist/chunk-AVMLPIM7.js.map +1 -0
package/dist/chunk-DGUM43GV.js +11 -0
package/dist/{chunk-NECFR5MM.js → chunk-I6DAQMWX.js} +575 -647
package/dist/chunk-I6DAQMWX.js.map +1 -0
package/dist/{chunk-F2IMUDXZ.js → chunk-M7MPQISP.js} +2 -2
package/dist/{chunk-XWQCNGTQ.js → chunk-NN6WWZ5U.js} +173 -79
package/dist/chunk-NN6WWZ5U.js.map +1 -0
package/dist/{chunk-MMZ7JXPU.js → chunk-OEWDTMG7.js} +13 -21
package/dist/{chunk-MMZ7JXPU.js.map → chunk-OEWDTMG7.js.map} +1 -1
package/dist/{chunk-SFZUDBL5.js → chunk-YKRAFF5K.js} +70 -56
package/dist/chunk-YKRAFF5K.js.map +1 -0
package/dist/components.d.ts +2 -2
package/dist/components.js +12 -13
package/dist/contextValidator-OOPCLPZW.js +9 -0
package/dist/contextValidator-OOPCLPZW.js.map +1 -0
package/dist/eslint-rules/pace-core-compliance.cjs +106 -0
package/dist/hooks.d.ts +2 -2
package/dist/hooks.js +7 -6
package/dist/hooks.js.map +1 -1
package/dist/index.d.ts +7 -7
package/dist/index.js +21 -16
package/dist/index.js.map +1 -1
package/dist/providers.d.ts +3 -3
package/dist/providers.js +4 -3
package/dist/rbac/index.d.ts +67 -27
package/dist/rbac/index.js +15 -8
package/dist/styles/index.js +1 -1
package/dist/theming/runtime.js +1 -1
package/dist/types.js +1 -1
package/dist/{usePublicRouteParams-1oMokgLF.d.ts → usePublicRouteParams-i3qtoBgg.d.ts} +7 -16
package/dist/utils.js +5 -7
package/dist/utils.js.map +1 -1
package/docs/api/README.md +14 -16
package/docs/api/modules.md +3796 -2513
package/docs/components/context-selector.md +126 -0
package/docs/migration/RBAC_SCOPE_MIGRATION.md +385 -0
package/docs/pace-mint-fix-auto-selection.md +218 -0
package/docs/pace-mint-rbac-setup.md +391 -0
package/docs/rbac/secure-client-protection.md +330 -0
package/package.json +10 -5
package/scripts/audit/core/checks/compliance.cjs +72 -0
package/scripts/audit/core/checks/dependencies.cjs +568 -28
package/scripts/audit/core/checks/documentation.cjs +68 -3
package/scripts/audit/core/checks/environment.cjs +2 -14
package/scripts/audit/core/checks/error-handling.cjs +47 -6
package/src/components/ContextSelector/ContextSelector.tsx +384 -0
package/src/components/ContextSelector/index.ts +3 -0
package/src/components/DataTable/components/RowComponent.tsx +19 -19
package/src/components/DataTable/components/UnifiedTableBody.tsx +2 -2
package/src/components/DataTable/hooks/useDataTablePermissions.ts +8 -6
package/src/components/Dialog/Dialog.tsx +29 -1
package/src/components/FileDisplay/FileDisplay.tsx +42 -10
package/src/components/Header/Header.test.tsx +43 -73
package/src/components/Header/Header.tsx +44 -45
package/src/components/PaceAppLayout/PaceAppLayout.integration.test.tsx +10 -19
package/src/components/PaceAppLayout/PaceAppLayout.performance.test.tsx +2 -2
package/src/components/PaceAppLayout/PaceAppLayout.security.test.tsx +5 -5
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +9 -9
package/src/components/PaceAppLayout/PaceAppLayout.tsx +157 -36
package/src/components/PaceAppLayout/README.md +14 -17
package/src/components/PaceAppLayout/test-setup.tsx +2 -2
package/src/components/index.ts +5 -5
package/src/eslint-rules/pace-core-compliance.cjs +106 -0
package/src/hooks/__tests__/useAppConfig.unit.test.ts +4 -98
package/src/hooks/useAppConfig.ts +15 -30
package/src/hooks/useFileDisplay.ts +77 -50
package/src/index.ts +4 -5
package/src/providers/services/AuthServiceProvider.tsx +17 -7
package/src/providers/services/EventServiceProvider.tsx +33 -5
package/src/providers/services/UnifiedAuthProvider.tsx +90 -134
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +1 -1
package/src/rbac/adapters.tsx +2 -2
package/src/rbac/api.test.ts +59 -51
package/src/rbac/api.ts +178 -132
package/src/rbac/components/PagePermissionGuard.tsx +38 -10
package/src/rbac/hooks/__tests__/useSecureSupabase.test.ts +32 -21
package/src/rbac/hooks/permissions/useAccessLevel.ts +1 -1
package/src/rbac/hooks/permissions/useCan.ts +41 -11
package/src/rbac/hooks/permissions/useHasAllPermissions.ts +1 -1
package/src/rbac/hooks/permissions/useHasAnyPermission.ts +1 -1
package/src/rbac/hooks/permissions/useMultiplePermissions.ts +1 -1
package/src/rbac/hooks/useCan.test.ts +0 -9
package/src/rbac/hooks/useRBAC.test.ts +1 -5
package/src/rbac/hooks/useRBAC.ts +36 -37
package/src/rbac/hooks/useResolvedScope.test.ts +120 -35
package/src/rbac/hooks/useResolvedScope.ts +35 -40
package/src/rbac/hooks/useSecureSupabase.ts +7 -7
package/src/rbac/index.ts +7 -0
package/src/rbac/secureClient.test.ts +22 -18
package/src/rbac/secureClient.ts +103 -16
package/src/rbac/security.ts +0 -17
package/src/rbac/types.ts +1 -0
package/src/rbac/utils/__tests__/contextValidator.test.ts +64 -86
package/src/rbac/utils/clientSecurity.ts +93 -0
package/src/rbac/utils/contextValidator.ts +77 -168
package/src/services/AuthService.ts +39 -7
package/src/services/EventService.ts +285 -56
package/src/services/OrganisationService.ts +81 -14
package/src/services/__tests__/EventService.test.ts +1 -2
package/src/services/base/BaseService.ts +3 -0
package/src/utils/dynamic/dynamicUtils.ts +7 -4
package/dist/chunk-24UVZUZG.js.map +0 -1
package/dist/chunk-3XC4CPTD.js.map +0 -1
package/dist/chunk-6J4GEEJR.js.map +0 -1
package/dist/chunk-7D4SUZUM.js +0 -38
package/dist/chunk-EHMR7VYL.js.map +0 -1
package/dist/chunk-NECFR5MM.js.map +0 -1
package/dist/chunk-SFZUDBL5.js.map +0 -1
package/dist/chunk-XWQCNGTQ.js.map +0 -1
package/docs/api/classes/ColumnFactory.md +0 -243
package/docs/api/classes/InvalidScopeError.md +0 -73
package/docs/api/classes/Logger.md +0 -178
package/docs/api/classes/MissingUserContextError.md +0 -66
package/docs/api/classes/OrganisationContextRequiredError.md +0 -66
package/docs/api/classes/PermissionDeniedError.md +0 -73
package/docs/api/classes/RBACAuditManager.md +0 -297
package/docs/api/classes/RBACCache.md +0 -322
package/docs/api/classes/RBACEngine.md +0 -171
package/docs/api/classes/RBACError.md +0 -76
package/docs/api/classes/RBACNotInitializedError.md +0 -66
package/docs/api/classes/SecureSupabaseClient.md +0 -163
package/docs/api/classes/StorageUtils.md +0 -328
package/docs/api/enums/FileCategory.md +0 -184
package/docs/api/enums/LogLevel.md +0 -54
package/docs/api/enums/RBACErrorCode.md +0 -228
package/docs/api/enums/RPCFunction.md +0 -118
package/docs/api/interfaces/AddressFieldProps.md +0 -241
package/docs/api/interfaces/AddressFieldRef.md +0 -94
package/docs/api/interfaces/AggregateConfig.md +0 -43
package/docs/api/interfaces/AutocompleteOptions.md +0 -75
package/docs/api/interfaces/AvatarProps.md +0 -128
package/docs/api/interfaces/BadgeProps.md +0 -34
package/docs/api/interfaces/ButtonProps.md +0 -56
package/docs/api/interfaces/CalendarProps.md +0 -73
package/docs/api/interfaces/CardProps.md +0 -69
package/docs/api/interfaces/ColorPalette.md +0 -7
package/docs/api/interfaces/ColorShade.md +0 -66
package/docs/api/interfaces/ComplianceResult.md +0 -30
package/docs/api/interfaces/DataAccessRecord.md +0 -96
package/docs/api/interfaces/DataRecord.md +0 -11
package/docs/api/interfaces/DataTableAction.md +0 -252
package/docs/api/interfaces/DataTableColumn.md +0 -504
package/docs/api/interfaces/DataTableProps.md +0 -625
package/docs/api/interfaces/DataTableToolbarButton.md +0 -96
package/docs/api/interfaces/DatabaseComplianceResult.md +0 -85
package/docs/api/interfaces/DatabaseIssue.md +0 -41
package/docs/api/interfaces/EmptyStateConfig.md +0 -61
package/docs/api/interfaces/EnhancedNavigationMenuProps.md +0 -235
package/docs/api/interfaces/ErrorBoundaryProps.md +0 -147
package/docs/api/interfaces/ErrorBoundaryProviderProps.md +0 -36
package/docs/api/interfaces/ErrorBoundaryState.md +0 -75
package/docs/api/interfaces/EventAppRoleData.md +0 -71
package/docs/api/interfaces/ExportColumn.md +0 -90
package/docs/api/interfaces/ExportOptions.md +0 -126
package/docs/api/interfaces/FileDisplayProps.md +0 -249
package/docs/api/interfaces/FileMetadata.md +0 -129
package/docs/api/interfaces/FileReference.md +0 -118
package/docs/api/interfaces/FileSizeLimits.md +0 -7
package/docs/api/interfaces/FileUploadOptions.md +0 -139
package/docs/api/interfaces/FileUploadProps.md +0 -296
package/docs/api/interfaces/FooterProps.md +0 -107
package/docs/api/interfaces/FormFieldProps.md +0 -166
package/docs/api/interfaces/FormProps.md +0 -113
package/docs/api/interfaces/GrantEventAppRoleParams.md +0 -122
package/docs/api/interfaces/InactivityWarningModalProps.md +0 -115
package/docs/api/interfaces/InputProps.md +0 -56
package/docs/api/interfaces/LabelProps.md +0 -107
package/docs/api/interfaces/LoggerConfig.md +0 -62
package/docs/api/interfaces/LoginFormProps.md +0 -187
package/docs/api/interfaces/NavigationAccessRecord.md +0 -107
package/docs/api/interfaces/NavigationContextType.md +0 -164
package/docs/api/interfaces/NavigationGuardProps.md +0 -139
package/docs/api/interfaces/NavigationItem.md +0 -120
package/docs/api/interfaces/NavigationMenuProps.md +0 -221
package/docs/api/interfaces/NavigationProviderProps.md +0 -117
package/docs/api/interfaces/Organisation.md +0 -140
package/docs/api/interfaces/OrganisationContextType.md +0 -388
package/docs/api/interfaces/OrganisationMembership.md +0 -140
package/docs/api/interfaces/OrganisationProviderProps.md +0 -76
package/docs/api/interfaces/OrganisationSecurityError.md +0 -62
package/docs/api/interfaces/PaceAppLayoutProps.md +0 -409
package/docs/api/interfaces/PaceLoginPageProps.md +0 -49
package/docs/api/interfaces/PageAccessRecord.md +0 -85
package/docs/api/interfaces/PagePermissionContextType.md +0 -140
package/docs/api/interfaces/PagePermissionGuardProps.md +0 -153
package/docs/api/interfaces/PagePermissionProviderProps.md +0 -119
package/docs/api/interfaces/PaletteData.md +0 -41
package/docs/api/interfaces/ParsedAddress.md +0 -120
package/docs/api/interfaces/PermissionEnforcerProps.md +0 -153
package/docs/api/interfaces/ProgressProps.md +0 -42
package/docs/api/interfaces/ProtectedRouteProps.md +0 -78
package/docs/api/interfaces/PublicPageFooterProps.md +0 -112
package/docs/api/interfaces/PublicPageHeaderProps.md +0 -125
package/docs/api/interfaces/PublicPageLayoutProps.md +0 -185
package/docs/api/interfaces/QuickFix.md +0 -52
package/docs/api/interfaces/RBACAccessValidateParams.md +0 -52
package/docs/api/interfaces/RBACAccessValidateResult.md +0 -41
package/docs/api/interfaces/RBACAuditLogParams.md +0 -85
package/docs/api/interfaces/RBACAuditLogResult.md +0 -52
package/docs/api/interfaces/RBACConfig.md +0 -133
package/docs/api/interfaces/RBACContext.md +0 -52
package/docs/api/interfaces/RBACLogger.md +0 -112
package/docs/api/interfaces/RBACPageAccessCheckParams.md +0 -74
package/docs/api/interfaces/RBACPerformanceMetrics.md +0 -138
package/docs/api/interfaces/RBACPermissionCheckParams.md +0 -74
package/docs/api/interfaces/RBACPermissionCheckResult.md +0 -52
package/docs/api/interfaces/RBACPermissionsGetParams.md +0 -63
package/docs/api/interfaces/RBACPermissionsGetResult.md +0 -63
package/docs/api/interfaces/RBACResult.md +0 -58
package/docs/api/interfaces/RBACRoleGrantParams.md +0 -63
package/docs/api/interfaces/RBACRoleGrantResult.md +0 -52
package/docs/api/interfaces/RBACRoleRevokeParams.md +0 -63
package/docs/api/interfaces/RBACRoleRevokeResult.md +0 -52
package/docs/api/interfaces/RBACRoleValidateParams.md +0 -52
package/docs/api/interfaces/RBACRoleValidateResult.md +0 -63
package/docs/api/interfaces/RBACRolesListParams.md +0 -52
package/docs/api/interfaces/RBACRolesListResult.md +0 -74
package/docs/api/interfaces/RBACSessionTrackParams.md +0 -74
package/docs/api/interfaces/RBACSessionTrackResult.md +0 -52
package/docs/api/interfaces/ResourcePermissions.md +0 -155
package/docs/api/interfaces/RevokeEventAppRoleParams.md +0 -100
package/docs/api/interfaces/RoleBasedRouterContextType.md +0 -151
package/docs/api/interfaces/RoleBasedRouterProps.md +0 -156
package/docs/api/interfaces/RoleManagementResult.md +0 -52
package/docs/api/interfaces/RouteAccessRecord.md +0 -107
package/docs/api/interfaces/RouteConfig.md +0 -134
package/docs/api/interfaces/RuntimeComplianceResult.md +0 -55
package/docs/api/interfaces/SecureDataContextType.md +0 -168
package/docs/api/interfaces/SecureDataProviderProps.md +0 -132
package/docs/api/interfaces/SessionRestorationLoaderProps.md +0 -34
package/docs/api/interfaces/SetupIssue.md +0 -41
package/docs/api/interfaces/StorageConfig.md +0 -41
package/docs/api/interfaces/StorageFileInfo.md +0 -74
package/docs/api/interfaces/StorageFileMetadata.md +0 -151
package/docs/api/interfaces/StorageListOptions.md +0 -99
package/docs/api/interfaces/StorageListResult.md +0 -41
package/docs/api/interfaces/StorageUploadOptions.md +0 -101
package/docs/api/interfaces/StorageUploadResult.md +0 -63
package/docs/api/interfaces/StorageUrlOptions.md +0 -60
package/docs/api/interfaces/StyleImport.md +0 -19
package/docs/api/interfaces/SwitchProps.md +0 -34
package/docs/api/interfaces/TabsContentProps.md +0 -9
package/docs/api/interfaces/TabsListProps.md +0 -9
package/docs/api/interfaces/TabsProps.md +0 -9
package/docs/api/interfaces/TabsTriggerProps.md +0 -50
package/docs/api/interfaces/TextareaProps.md +0 -53
package/docs/api/interfaces/ToastActionElement.md +0 -12
package/docs/api/interfaces/ToastProps.md +0 -9
package/docs/api/interfaces/UnifiedAuthContextType.md +0 -823
package/docs/api/interfaces/UnifiedAuthProviderProps.md +0 -173
package/docs/api/interfaces/UseFormDialogOptions.md +0 -62
package/docs/api/interfaces/UseFormDialogReturn.md +0 -117
package/docs/api/interfaces/UseInactivityTrackerOptions.md +0 -138
package/docs/api/interfaces/UseInactivityTrackerReturn.md +0 -123
package/docs/api/interfaces/UsePublicEventLogoOptions.md +0 -87
package/docs/api/interfaces/UsePublicEventLogoReturn.md +0 -84
package/docs/api/interfaces/UsePublicEventOptions.md +0 -34
package/docs/api/interfaces/UsePublicEventReturn.md +0 -71
package/docs/api/interfaces/UsePublicFileDisplayOptions.md +0 -47
package/docs/api/interfaces/UsePublicFileDisplayReturn.md +0 -123
package/docs/api/interfaces/UsePublicRouteParamsReturn.md +0 -97
package/docs/api/interfaces/UseResolvedScopeOptions.md +0 -47
package/docs/api/interfaces/UseResolvedScopeReturn.md +0 -47
package/docs/api/interfaces/UseResourcePermissionsOptions.md +0 -34
package/docs/api/interfaces/UserEventAccess.md +0 -121
package/docs/api/interfaces/UserMenuProps.md +0 -88
package/docs/api/interfaces/UserProfile.md +0 -63
package/src/components/EventSelector/EventSelector.test.tsx +0 -720
package/src/components/EventSelector/EventSelector.tsx +0 -423
package/src/components/EventSelector/index.ts +0 -3
package/src/components/OrganisationSelector/OrganisationSelector.test.tsx +0 -784
package/src/components/OrganisationSelector/OrganisationSelector.tsx +0 -327
package/src/components/OrganisationSelector/index.ts +0 -9
/package/dist/{DataTable-TPTKCX4D.js.map → DataTable-E7YQZD7D.js.map} +0 -0
/package/dist/{UnifiedAuthProvider-CH6Z342H.js.map → UnifiedAuthProvider-QPXO24B4.js.map} +0 -0
/package/dist/{api-MVVQZLJI.js.map → api-6LVZTHDS.js.map} +0 -0
/package/dist/{audit-B5P6FFIR.js.map → audit-V53FV5AG.js.map} +0 -0
/package/dist/{chunk-2UOI2FG5.js.map → chunk-5EC5MEWX.js.map} +0 -0
/package/dist/{chunk-7D4SUZUM.js.map → chunk-DGUM43GV.js.map} +0 -0
/package/dist/{chunk-F2IMUDXZ.js.map → chunk-M7MPQISP.js.map} +0 -0

package/src/components/PaceAppLayout/PaceAppLayout.test.tsx CHANGED Viewed

@@ -205,14 +205,14 @@ vi.mock('../Header', () => ({
     onChangePassword,
     currentPath,
     onNavigate,
-    showEventSelector,
+    showContextSelector,
     showUserMenu,
     className
   }: any) => (
     <header
       data-testid="header"
       className={className}
-      data-show-event-selector={showEventSelector !== false ? 'true' : 'false'}
+      data-show-context-selector={showContextSelector !== false ? 'true' : 'false'}
       data-show-user-menu={showUserMenu !== false ? 'true' : 'false'}
     >
       <div data-testid="header-logo" data-logo-url={logoUrl} data-logo-alt={logoAlt}>
@@ -421,29 +421,29 @@ describe('PaceAppLayout Component', () => {
         { withRouter: false }
       );
-      expect(screen.getByTestId('header')).toHaveAttribute('data-show-event-selector', 'true');
+      expect(screen.getByTestId('header')).toHaveAttribute('data-show-context-selector', 'true');
     });
-    it('hides event selector when showEventSelector is false', () => {
+    it('hides context selector when showContextSelector is false', () => {
       renderWithProviders(
         <TestWrapper>
-          <PaceAppLayout {...baseProps} showEventSelector={false} />
+          <PaceAppLayout {...baseProps} showContextSelector={false} />
         </TestWrapper>,
         { withRouter: false }
       );
-      expect(screen.getByTestId('header')).toHaveAttribute('data-show-event-selector', 'false');
+      expect(screen.getByTestId('header')).toHaveAttribute('data-show-context-selector', 'false');
     });
-    it('shows event selector when showEventSelector is explicitly true', () => {
+    it('shows context selector when showContextSelector is explicitly true', () => {
       renderWithProviders(
         <TestWrapper>
-          <PaceAppLayout {...baseProps} showEventSelector={true} />
+          <PaceAppLayout {...baseProps} showContextSelector={true} />
         </TestWrapper>,
         { withRouter: false }
       );
-      expect(screen.getByTestId('header')).toHaveAttribute('data-show-event-selector', 'true');
+      expect(screen.getByTestId('header')).toHaveAttribute('data-show-context-selector', 'true');
     });
   });

package/src/components/PaceAppLayout/PaceAppLayout.tsx CHANGED Viewed

@@ -109,6 +109,7 @@ import { getCurrentAppName } from '../../utils/app/appNameResolver';
 import { isSuperAdmin as checkSuperAdminApi } from '../../rbac/api';
 import { logger } from '../../utils/core/logger';
 import type { Permission, Scope } from '../../rbac/types';
+import { EventContextRequiredError, OrganisationContextRequiredError } from '../../rbac/types';
 // Stable empty objects to prevent infinite loops
 const EMPTY_PAGE_ID_MAPPING = {};
@@ -130,10 +131,12 @@ export interface PaceAppLayoutProps {
   appName: string;
   /** Optional navigation items for the header menu. If not provided, uses default navigation. */
   navItems?: NavigationItem[];
-  /** Show/hide event selector in the header */
-  showEventSelector?: boolean;
-  /** Show/hide organisation selector in the header */
-  showOrgSelector?: boolean;
+  /** Show/hide unified context selector (shows all accessible orgs and events) - default: true */
+  showContextSelector?: boolean;
+  /** Show organisations in context selector - default: true */
+  showOrganisations?: boolean;
+  /** Show events in context selector - default: true */
+  showEvents?: boolean;
   /** Custom actions to display in the header (between event selector and user menu) */
   headerActions?: React.ReactNode;
   /** Custom logo component (overrides default logo) */
@@ -349,8 +352,9 @@ export interface PaceAppLayoutProps {
 export function PaceAppLayout({
   appName,
   navItems,
-  showEventSelector,
-  showOrgSelector,
+  showContextSelector = true,
+  showOrganisations = true,
+  showEvents = true,
   headerActions,
   customLogo,
   logoHref = '/dashboard',
@@ -545,6 +549,21 @@ export function PaceAppLayout({
   // Use combined super admin check (RBAC + direct check)
   const can = isSuperAdmin ? true : canFromHook;
   const hasPermission = enforcePermissions ? can : true;
+  // Check if the permission error is a context error (missing event/org context)
+  // Context errors should allow the page to render so it can show helpful messaging
+  // Real permission denials should still show "Access Denied"
+  const isContextError = useMemo(() => {
+    if (!permissionError) {
+      return false;
+    }
+    return (
+      permissionError instanceof EventContextRequiredError ||
+      permissionError instanceof OrganisationContextRequiredError ||
+      permissionError.name === 'EventContextRequiredError' ||
+      permissionError.name === 'OrganisationContextRequiredError'
+    );
+  }, [permissionError]);
   // Handle permission check results with audit logging and callbacks
   useEffect(() => {
@@ -614,9 +633,9 @@ export function PaceAppLayout({
       const hasOrganisationContext = currentScope.organisationId;
       const hasUser = !!user?.id;
-      // BUG FIX: When showOrgSelector is enabled, show navigation optimistically while waiting
-      // for organisation selection. Only hide navigation if user is not loaded.
-      // This prevents navigation from disappearing after initial render while waiting for org selection.
+      // Show navigation optimistically while waiting for context selection.
+      // Only hide navigation if user is not loaded.
+      // This prevents navigation from disappearing after initial render while waiting for context.
       if (!hasUser) {
         // User not loaded yet - show all items until user is ready
         if (isMounted) {
@@ -625,9 +644,9 @@ export function PaceAppLayout({
         return;
       }
-      // If no organisation context yet, show items optimistically if org selector is enabled
-      // This allows users to see navigation while they select an organisation
-      // Only proceed with permission filtering once organisation is selected
+      // If no organisation context yet, show items optimistically
+      // This allows users to see navigation while they select a context
+      // Only proceed with permission filtering once context is selected
       if (!hasOrganisationContext) {
         if (isMounted) {
           // Show items optimistically when org selector is enabled, otherwise show all items
@@ -682,32 +701,130 @@ export function PaceAppLayout({
           scope: permissionScope,
         });
-        // Filter items using the permission map (synchronous, no rate limit issues)
-        const filtered = baseMenuItems.map((item) => {
-          if (!item.href) return { item, hasAccess: true };
-          // Extract page ID from href: remove leading slash, fallback to 'dashboard' for root
-          // This matches database page names in rbac_app_pages
-          const pageId = pageIdMapping[item.href] || (item.href === '/' ? 'dashboard' : item.href.slice(1)) || 'dashboard';
-          const permission = routePermissions[item.href] || defaultPermission;
-          const fullPermission: Permission = permission.includes(':')
-            ? (permission as Permission)
-            : (pageId ? `${permission}:page.${pageId}` : permission) as Permission;
-          // Check permission map (super admin check already handled in getPermissionMap)
-          const hasAccess = permissionMap['*'] === true || permissionMap[fullPermission] === true;
-          return { item, hasAccess };
-        });
+        // Filter items using the permission map and scope type
+        // First, get scope types for all pages (batch if possible, or individual)
+        const { getPageScopeType } = await import('../../rbac/api');
+        const effectiveAppId = currentScope.appId || resolvedAppId;
+        const effectiveAppName = appName;
+        // Determine current context type for scope filtering
+        const hasEventContext = !!currentScope.eventId;
+        const hasOrgContext = !!currentScope.organisationId;
+        // Filter items using both permission map and scope type
+        const filtered = await Promise.all(
+          baseMenuItems.map(async (item) => {
+            if (!item.href) return { item, hasAccess: true, matchesScope: true, scopeCheckError: false };
+            // Extract page ID from href: remove leading slash, fallback to 'dashboard' for root
+            // This matches database page names in rbac_app_pages
+            const pageId = pageIdMapping[item.href] || (item.href === '/' ? 'dashboard' : item.href.slice(1)) || 'dashboard';
+            const permission = routePermissions[item.href] || defaultPermission;
+            const fullPermission: Permission = permission.includes(':')
+              ? (permission as Permission)
+              : (pageId ? `${permission}:page.${pageId}` : permission) as Permission;
+            // Check permission map (super admin check already handled in getPermissionMap)
+            const hasAccess = permissionMap['*'] === true || permissionMap[fullPermission] === true;
+            // Check scope type compatibility
+            let matchesScope = true;
+            let scopeCheckError = false;
+            if (effectiveAppId || effectiveAppName) {
+              try {
+                const pageScopeType = await getPageScopeType(
+                  pageId,
+                  effectiveAppId,
+                  effectiveAppName
+                );
+                // Filter based on current context:
+                // - If event is selected: show only 'event' or 'both' pages
+                // - If only org is selected: show only 'organisation' or 'both' pages
+                if (hasEventContext) {
+                  // Event context: show 'event' or 'both' pages only
+                  matchesScope = pageScopeType === 'event' || pageScopeType === 'both';
+                } else if (hasOrgContext) {
+                  // Organisation context only: show 'organisation' or 'both' pages only
+                  matchesScope = pageScopeType === 'organisation' || pageScopeType === 'both';
+                } else {
+                  // No context: show all pages (shouldn't happen, but safe fallback)
+                  matchesScope = true;
+                }
+              } catch (error) {
+                // If we can't get scope type, allow the page (graceful degradation)
+                // This prevents navigation from disappearing if there's a database issue
+                scopeCheckError = true;
+                logger.warn('PaceAppLayout', 'Failed to get page scope type for navigation filtering', {
+                  pageId,
+                  href: item.href,
+                  contextType: hasEventContext ? 'event' : (hasOrgContext ? 'organisation' : 'none'),
+                  error: error instanceof Error ? error.message : String(error),
+                  note: 'Allowing page to prevent navigation from disappearing - this may indicate missing scope_type in database'
+                });
+                matchesScope = true; // Default to allowing if we can't check
+              }
+            } else {
+              // No appId/appName available - can't check scope, allow the page
+              // This happens during initial load before app context is resolved
+              matchesScope = true;
+            }
+            return { item, hasAccess, matchesScope, scopeCheckError };
+          })
+        );
         if (!isMounted) return;
         const accessibleItems = filtered
-          .filter(({ hasAccess }) => hasAccess)
+          .filter(({ hasAccess, matchesScope }) => hasAccess && matchesScope)
           .map(({ item }) => item);
+        // If all items were filtered out, check if it's due to scope filtering
+        // This can happen if:
+        // 1. All pages are scoped for the other context type (expected behavior)
+        // 2. Scope type lookup failed for all pages (should fallback to showing items with permissions)
+        if (accessibleItems.length === 0 && filtered.length > 0) {
+          const itemsWithPermissions = filtered.filter(({ hasAccess }) => hasAccess);
+          const itemsFilteredByScope = filtered.filter(({ hasAccess, matchesScope }) => hasAccess && !matchesScope);
+          const itemsWithScopeErrors = filtered.filter(({ hasAccess, scopeCheckError }) => hasAccess && scopeCheckError);
+          // If scope checking failed for ALL items with permissions, fall back to showing them
+          // This prevents navigation from disappearing due to database/API issues
+          if (itemsWithPermissions.length > 0 &&
+              itemsWithScopeErrors.length === itemsWithPermissions.length) {
+            logger.warn('PaceAppLayout', 'Scope checking failed for all items - falling back to permission-only filtering', {
+              contextType: hasEventContext ? 'event' : (hasOrgContext ? 'organisation' : 'none'),
+              totalItems: baseMenuItems.length,
+              itemsWithPermissions: itemsWithPermissions.length,
+              scopeCheckErrorCount: itemsWithScopeErrors.length,
+              note: 'Showing items based on permissions only - scope filtering disabled due to errors. This may indicate database issues or missing scope_type values.'
+            });
+            // Fall back to showing items that have permissions (ignore scope check)
+            const fallbackItems = filtered
+              .filter(({ hasAccess }) => hasAccess)
+              .map(({ item }) => item);
+            if (isMounted && fallbackItems.length > 0) {
+              setFilteredMenuItems(fallbackItems);
+              return;
+            }
+          } else if (itemsWithPermissions.length > 0 && itemsFilteredByScope.length === itemsWithPermissions.length) {
+            // All items were filtered by scope (not errors) - this is expected if all pages are scoped for other context
+            logger.info('PaceAppLayout', 'All navigation items filtered out by scope type', {
+              contextType: hasEventContext ? 'event' : (hasOrgContext ? 'organisation' : 'none'),
+              totalItems: baseMenuItems.length,
+              itemsWithPermissions: itemsWithPermissions.length,
+              itemsFilteredByScope: itemsFilteredByScope.length,
+              note: 'All pages appear to be scoped for a different context type - this is expected behavior. Navigation will be empty until user selects the appropriate context.'
+            });
+          }
+        }
         // SECURITY: Never show all items if permission check fails - this would be a security risk
         // If all items are filtered out, it means the user doesn't have permission to see any navigation
+        // OR all pages are scoped for a different context type
         // This is the correct behavior - better to show nothing than show unauthorized items
         setFilteredMenuItems(accessibleItems);
       } catch (error) {
@@ -725,7 +842,7 @@ export function PaceAppLayout({
     return () => {
       isMounted = false;
     };
-  }, [baseMenuItems, pageIdMapping, routePermissions, defaultPermission, can, user?.id, scope, scopeLoading, contextAppId, resolvedScope?.appId, selectedOrganisation?.id]);
+  }, [baseMenuItems, pageIdMapping, routePermissions, defaultPermission, can, user?.id, scope, scopeLoading, contextAppId, resolvedScope?.appId, selectedOrganisation?.id, selectedEvent?.event_id, appName]);
   // NEW: Phase 2 - Enhanced Routing Features
   // Check route access for role-based routing
@@ -905,9 +1022,11 @@ export function PaceAppLayout({
     );
   }
-  // Show permission error (only after BOTH checks are complete)
+  // Show permission error (only after check is complete)
   // Super admins bypass all permission checks, so don't show errors for them
-  if (enforcePermissions && permissionError && !isSuperAdmin) {
+  // Context errors (missing event/org) should allow the page to render so it can show helpful messaging
+  // Real permission errors should still show "Access Denied"
+  if (enforcePermissions && permissionError && !isSuperAdmin && !isContextError) {
     return (
       <div className="flex items-center justify-center min-h-screen">
         <div className="text-center">
@@ -921,7 +1040,8 @@ export function PaceAppLayout({
   // Show permission fallback if user lacks permission
   // Only show this if super admin check is complete and user is not a super admin
-  if (enforcePermissions && hasPermission === false && !isCheckingSuperAdminDirect && !isSuperAdmin) {
+  // Skip if it's a context error (missing event/org) - allow page to render and show helpful messaging
+  if (enforcePermissions && hasPermission === false && !isCheckingSuperAdminDirect && !isSuperAdmin && !isContextError) {
     // NEW: Phase 1 - Use page permission fallback if available
     if (enforcePagePermissions && pagePermissionFallback) {
       return <>{pagePermissionFallback}</>;
@@ -974,8 +1094,9 @@ export function PaceAppLayout({
             navigate(item.href);
           }
         }}
-        showEventSelector={showEventSelector}
-        showOrgSelector={showOrgSelector}
+        showContextSelector={showContextSelector}
+        showOrganisations={showOrganisations}
+        showEvents={showEvents}
         showUserMenu={showUserMenu}
         className={headerClassName || "sticky top-0 z-[40] w-full"}
       />

package/src/components/PaceAppLayout/README.md CHANGED Viewed

@@ -27,8 +27,7 @@ A comprehensive application layout component that provides a consistent structur
 |------|------|---------|-------------|
 | `appName` | `string` | required | The name of the application to be displayed in the header |
 | `navItems` | `NavigationItem[]` | optional | Navigation items for the header menu. If not provided, uses default navigation |
-| `showEventSelector` | `boolean` | `true` | Show/hide event selector in the header |
-| `showOrgSelector` | `boolean` | `false` | Show/hide organisation selector in the header |
+| `showContextSelector` | `boolean` | `true` | Show/hide unified context selector (organisations and events) in the header |
 | `headerActions` | `React.ReactNode` | optional | Custom actions to display in the header (between event selector and user menu) |
 | `customLogo` | `React.ReactNode` | optional | Custom logo component (overrides default logo) |
 | `logoHref` | `string` | `'/dashboard'` | URL to navigate to when logo is clicked (e.g., '/dashboard', '/home') |
@@ -162,7 +161,7 @@ function TeamApp() {
           <PaceAppLayout
             appName="TEAM"
             navItems={teamNavItems}
-            showEventSelector={false} // Hide event selector
+            showContextSelector={false} // Hide context selector
           />
         }>
           <Route index element={<ProfilePage />} />
@@ -231,26 +230,24 @@ function App() {
 ## When to Use Each Feature
-### Show Event Selector (`showEventSelector={true}`)
+### Show Context Selector (`showContextSelector={true}`) - Default
 - Event management applications
 - Apps with multi-tenant event contexts
-- Applications where users need to switch between events
+- Multi-organisation applications
+- Applications where users need to switch between events or organisations
 - Event planning tools
 - Event registration systems
+- Hybrid apps (like pace-mint) that support both event and organisation contexts
+- Organisation management tools
+- Multi-tenant applications with organisation context
+- Apps requiring organisation-scoped data access
-### Hide Event Selector (`showEventSelector={false}`)
+### Hide Context Selector (`showContextSelector={false}`)
 - Personal profile management apps (like TEAM)
 - User account settings applications
-- Non-event specific tools
+- Apps that don't require event or organisation context
 - Single-tenant applications
-- Administrative dashboards that don't depend on events
-### Show Organisation Selector (`showOrgSelector={true}`)
-- Multi-organisation applications
-- Apps where users need to switch between organisations
-- Organisation management tools
-- Multi-tenant applications with organisation context
-- Apps requiring organisation-scoped data access
+- Administrative dashboards that don't depend on events or organisations
 ### Custom Header Components
 - Applications requiring custom branding
@@ -267,7 +264,7 @@ function App() {
 ## Integration with UnifiedAuthProvider
-The PaceAppLayout works seamlessly with the UnifiedAuthProvider. When `showEventSelector={false}`, the provider will:
+The PaceAppLayout works seamlessly with the UnifiedAuthProvider. When `showContextSelector={false}`, the provider will:
 - Still handle user authentication
 - Provide user profile access
@@ -285,7 +282,7 @@ function App() {
           <Route path="/" element={
             <PaceAppLayout
               appName="TEAM"
-              showEventSelector={false}  // No events needed
+              showContextSelector={false}  // No context selection needed
             />
           }>
             <Route index element={<ProfilePage />} />

package/src/components/PaceAppLayout/test-setup.tsx CHANGED Viewed

@@ -117,7 +117,7 @@ export const createMockHeader = () => ({
     onChangePassword,
     currentPath,
     onNavigate,
-    showEventSelector,
+    showContextSelector,
     showUserMenu,
     className
   }: any) => (
@@ -156,7 +156,7 @@ export const createMockHeader = () => ({
         Navigate
       </button>
       <div data-testid="current-path">{currentPath}</div>
-      <div data-testid="show-event-selector">{showEventSelector !== false ? 'true' : 'false'}</div>
+      <div data-testid="show-context-selector">{showContextSelector !== false ? 'true' : 'false'}</div>
     </header>
   )
 });

package/src/components/index.ts CHANGED Viewed

@@ -215,8 +215,9 @@ export {
 } from './NavigationMenu';
 export type { NavigationMenuProps, NavigationItem } from './NavigationMenu';
-export { OrganisationSelector } from './OrganisationSelector';
-export type { OrganisationSelectorProps } from './OrganisationSelector';
+// Unified context selector (replaces separate org/event selectors)
+export { ContextSelector } from './ContextSelector';
+export type { ContextSelectorProps } from './ContextSelector';
 export { UserMenu } from './UserMenu';
@@ -235,10 +236,9 @@ export { SessionRestorationLoader } from './SessionRestorationLoader';
 export type { SessionRestorationLoaderProps } from './SessionRestorationLoader';
 // ============================================================================
-// EVENT MANAGEMENT
+// CONTEXT SELECTION
 // ============================================================================
-export { EventSelector } from './EventSelector';
+// Note: EventSelector and OrganisationSelector removed - use ContextSelector instead
 // ============================================================================
 // AUTHENTICATION FORMS

package/src/eslint-rules/pace-core-compliance.cjs CHANGED Viewed

@@ -378,6 +378,112 @@ module.exports = {
           }
         };
       }
+    },
+    /**
+     * Disallow direct Supabase client creation - must use useSecureSupabase
+     */
+    'no-direct-supabase-client': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow direct createClient calls from @supabase/supabase-js. Use useSecureSupabase() from pace-core instead to ensure organisation context and RLS policies are enforced.',
+          category: 'Security',
+          recommended: true
+        },
+        messages: {
+          directClientCreation: "Direct Supabase client creation detected. You MUST use useSecureSupabase() from '@jmruthers/pace-core/rbac' instead to ensure organisation context and RLS policies are enforced. This prevents cross-organisation data access.",
+          directClientImport: "Direct import of createClient from @supabase/supabase-js is not allowed. Use useSecureSupabase() from '@jmruthers/pace-core/rbac' instead."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        let hasSupabaseImport = false;
+        let createClientImported = false;
+        const filename = context.getFilename();
+        // Allow createClient in specific config files (supabaseClient.ts/js, etc.)
+        const isConfigFile = /(supabase|client)\.(ts|js|tsx|jsx)$/i.test(filename) &&
+                            (filename.includes('supabase') || filename.includes('client'));
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            // Check for @supabase/supabase-js import
+            if (importSource === '@supabase/supabase-js') {
+              hasSupabaseImport = true;
+              // Check if createClient is imported
+              const hasCreateClient = node.specifiers.some(spec => {
+                if (spec.type === 'ImportSpecifier') {
+                  return spec.imported.name === 'createClient';
+                }
+                if (spec.type === 'ImportNamespaceSpecifier') {
+                  return true; // import * as supabase
+                }
+                return false;
+              });
+              if (hasCreateClient) {
+                createClientImported = true;
+                // Only report if not in a config file
+                if (!isConfigFile) {
+                  context.report({
+                    node: node.source,
+                    messageId: 'directClientImport',
+                    suggest: [{
+                      desc: 'Replace with useSecureSupabase hook',
+                      fix(fixer) {
+                        // Remove the import
+                        return fixer.remove(node);
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          },
+          CallExpression(node) {
+            // Check for createClient() calls
+            if (node.callee.type === 'Identifier' && node.callee.name === 'createClient') {
+              // Only report if not in a config file
+              if (!isConfigFile) {
+                context.report({
+                  node,
+                  messageId: 'directClientCreation',
+                  suggest: [{
+                    desc: 'Use useSecureSupabase() hook instead',
+                    fix(fixer) {
+                      // This is complex to auto-fix, so we'll just report
+                      return null;
+                    }
+                  }]
+                });
+              }
+            }
+            // Check for supabase.createClient() or similar patterns
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property?.name === 'createClient') {
+              if (!isConfigFile) {
+                context.report({
+                  node,
+                  messageId: 'directClientCreation',
+                  suggest: [{
+                    desc: 'Use useSecureSupabase() hook instead',
+                    fix(fixer) {
+                      return null;
+                    }
+                  }]
+                });
+              }
+            }
+          }
+        };
+      }
     }
   }
 };