@jmruthers/pace-core 0.6.4 → 0.6.5

package/src/rbac/README.md

@@ -229,18 +229,18 @@ import { PermissionEnforcer } from '@jmruthers/pace-core/rbac';
 
 function Dashboard() {
   return (
-    <div>
+    <main>
       <h1>Dashboard</h1>
       
       {/* Automatic scope resolution - no manual context needed */}
       <PermissionEnforcer
         permissions={['read:admin']}
         operation="admin-panel"
-        fallback={<div>Access Denied</div>}
+        fallback={<main>Access Denied</main>}
       >
         <AdminPanel />
       </PermissionEnforcer>
-    </div>
+    </main>
   );
 }
 ```
@@ -266,14 +266,14 @@ function UserActions() {
     }
   );
 
-  if (isLoading) return <div>Loading permissions...</div>;
-  if (error) return <div>Error: {error.message}</div>;
+  if (isLoading) return <main>Loading permissions...</main>;
+  if (error) return <main>Error: {error.message}</main>;
 
   return (
-    <div>
+    <section>
       {permissions['page-1']?.includes('read') && <ReadButton />}
       {permissions['page-1']?.includes('update') && <UpdateButton />}
-    </div>
+    </section>
   );
 }
 ```
@@ -301,13 +301,13 @@ function UserActions() {
     'page-123' // optional pageId
   );
 
-  if (isLoading) return <div>Checking permission...</div>;
-  if (error) return <div>Error: {error.message}</div>;
+  if (isLoading) return <main>Checking permission...</main>;
+  if (error) return <main>Error: {error.message}</main>;
 
   return (
-    <div>
+    <section>
       {can ? <AdminPanel /> : <AccessDenied />}
-    </div>
+    </section>
   );
 }
 ```
@@ -321,7 +321,7 @@ import { PermissionEnforcer, PagePermissionGuard } from '@jmruthers/pace-core/rb
 
 function EventDashboard() {
   return (
-    <div>
+    <main>
       <h1>Event Dashboard</h1>
       
       {/* Organization is automatically resolved from event context */}
@@ -338,7 +338,7 @@ function EventDashboard() {
       >
         <EventSettings />
       </PagePermissionGuard>
-    </div>
+    </main>
   );
 }
 ```
@@ -374,7 +374,7 @@ function EventDashboard() {
    ```tsx
    const { selectedOrganisationId } = useUnifiedAuth();
    if (!selectedOrganisationId) {
-     return <div>Please select an organisation first</div>;
+     return <main>Please select an organisation first</main>;
    }
    ```
 
@@ -479,14 +479,14 @@ function MyComponent() {
     { organisationId: 'org-456' }
   );
 
-  if (isLoading) return <div>Loading...</div>;
-  if (error) return <div>Error: {error.message}</div>;
+  if (isLoading) return <main>Loading...</main>;
+  if (error) return <main>Error: {error.message}</main>;
 
   return (
-    <div>
+    <section>
       {can && <AdminPanel />}
       {accessLevel === 'admin' && <AdminControls />}
-    </div>
+    </section>
   );
 }
 ```
@@ -498,7 +498,7 @@ import { PermissionEnforcer, PagePermissionGuard } from '@jmruthers/pace-core/rb
 
 function App() {
   return (
-    <div>
+    <main>
       <PermissionEnforcer
         permissions={['update:events']}
         operation="event-management"
@@ -514,7 +514,7 @@ function App() {
       >
         <AdminPanel />
       </PagePermissionGuard>
-    </div>
+    </main>
   );
 }
 ```

package/src/rbac/hooks/useRBAC.test.ts

@@ -83,12 +83,15 @@ describe('useRBAC', () => {
       user: { id: 'user-1' },
       session: { access_token: 'token' },
       appName: 'test-app',
+      appId: undefined, // Ensure appId is undefined so resolveAppContext is called
+      contextAppId: undefined, // Also ensure contextAppId is undefined
       appConfig: { requires_event: false },
       selectedOrganisation: { id: 'org-1' },
       isContextReady: true,
       organisationLoading: false,
       selectedEvent: null,
       eventLoading: false,
+      supabase: {} as any,
     });
     mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
 
@@ -98,15 +101,29 @@ describe('useRBAC', () => {
       organisationRole: null,
       eventAppRole: null,
     });
+    // Ensure resolveAppContext returns a value so the hook continues
+    mockResolveAppContext.mockResolvedValue({ appId: 'app-123' as any, hasAccess: true });
 
     const { result } = renderHook(() => useRBAC('dashboard'));
 
     await waitFor(() => {
       expect(result.current.isLoading).toBe(false);
       expect(result.current.hasGlobalPermission).toBeTypeOf('function');
+    }, { timeout: 5000 });
+
+    // resolveAppContext should be called when appName is set and appId/contextAppId are undefined
+    // The function signature is: resolveAppContext({ userId, appName })
+    // Note: The error message format may be confusing - check actual call structure
+    expect(mockResolveAppContext).toHaveBeenCalled();
+    // Verify it was called with correct structure (userId and appName in first argument)
+    const calls = mockResolveAppContext.mock.calls;
+    const hasCorrectCall = calls.some(call => {
+      const firstArg = call[0];
+      return firstArg && typeof firstArg === 'object' && 
+             'userId' in firstArg && firstArg.userId === 'user-1' &&
+             'appName' in firstArg && firstArg.appName === 'test-app';
     });
-
-    expect(mockResolveAppContext).toHaveBeenCalledWith({ userId: 'user-1', appName: 'test-app' });
+    expect(hasCorrectCall).toBe(true);
     expect(mockGetPermissionMap).toHaveBeenCalledWith(
       {
         userId: 'user-1',
@@ -115,7 +132,8 @@ describe('useRBAC', () => {
           eventId: undefined,
           appId: 'app-123'
         }
-      }
+      },
+      'test-app' // appName is passed as second argument to getPermissionMap
     );
   });
 

package/src/rbac/hooks/useRBAC.ts

@@ -196,10 +196,11 @@ export function useRBAC(pageId?: string): UserRBACContext {
       setCurrentScope(resolvedScope);
 
       // API calls no longer need appConfig (scope is page-level)
+      // Pass appName to allow PORTAL/ADMIN apps to work without organisation context
       const [map, roleContext, accessLevel] = await Promise.all([
-        getPermissionMap({ userId: user.id as UUID, scope: resolvedScope }),
-        getRoleContext({ userId: user.id as UUID, scope: resolvedScope }),
-        getAccessLevel({ userId: user.id as UUID, scope: resolvedScope }),
+        getPermissionMap({ userId: user.id as UUID, scope: resolvedScope }, appName),
+        getRoleContext({ userId: user.id as UUID, scope: resolvedScope }, appName),
+        getAccessLevel({ userId: user.id as UUID, scope: resolvedScope }, appName),
       ]);
 
       setPermissionMap(map);

package/src/rbac/hooks/useResourcePermissions.test.ts

@@ -137,11 +137,12 @@ describe('useResourcePermissions Hook', () => {
       renderHook(() => useResourcePermissions('contacts'));
 
       expect(mockUseCan).toHaveBeenCalledTimes(4); // create, update, delete, read
-      // When appId is available in scope, resource name is passed as pageId to enable page permission checks
+      // When appId is available in scope, permission strings include page. prefix
+      // and resource name is passed as pageId to enable page permission checks
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         mockScope,
-        'create:contacts',
+        'create:page.contacts',
         'contacts', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -150,7 +151,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         mockScope,
-        'update:contacts',
+        'update:page.contacts',
         'contacts', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -159,7 +160,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         mockScope,
-        'delete:contacts',
+        'delete:page.contacts',
         'contacts', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -168,7 +169,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         mockScope,
-        'read:contacts',
+        'read:page.contacts',
         'contacts', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -193,7 +194,7 @@ describe('useResourcePermissions Hook', () => {
 
     it('returns false when user cannot create resource', () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:contacts') {
+        if (permission === 'create:page.contacts') {
           return {
             can: false,
             isLoading: false,
@@ -234,7 +235,7 @@ describe('useResourcePermissions Hook', () => {
 
     it('checks read permissions when enableRead is true', () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:contacts') {
+        if (permission === 'read:page.contacts') {
           return {
             can: true,
             isLoading: false,
@@ -259,7 +260,7 @@ describe('useResourcePermissions Hook', () => {
 
     it('returns false for read when permission is denied and enableRead is true', () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:contacts') {
+        if (permission === 'read:page.contacts') {
           return {
             can: false,
             isLoading: false,
@@ -407,11 +408,11 @@ describe('useResourcePermissions Hook', () => {
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
       // When user is null, userId is empty string, but scope and permissions are still checked
-      // Since mockScope has appId, pageId will be the resource name ('contacts')
+      // Since mockScope has appId, permission strings include page. prefix and pageId will be the resource name ('contacts')
       expect(mockUseCan).toHaveBeenCalledWith(
         '',
         mockScope,
-        'create:contacts',
+        'create:page.contacts',
         'contacts', // pageId is resource name when appId is available in scope
         true,
         null, // precomputedSuperAdmin
@@ -420,7 +421,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         '',
         mockScope,
-        'update:contacts',
+        'update:page.contacts',
         'contacts',
         true,
         null, // precomputedSuperAdmin
@@ -429,7 +430,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         '',
         mockScope,
-        'delete:contacts',
+        'delete:page.contacts',
         'contacts',
         true,
         null, // precomputedSuperAdmin
@@ -438,7 +439,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         '',
         mockScope,
-        'read:contacts',
+        'read:page.contacts',
         'contacts',
         true,
         null, // precomputedSuperAdmin
@@ -481,7 +482,7 @@ describe('useResourcePermissions Hook', () => {
 
     it('aggregates loading states from permission checks', () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:contacts') {
+        if (permission === 'create:page.contacts') {
           return {
             can: false,
             isLoading: true,
@@ -504,7 +505,7 @@ describe('useResourcePermissions Hook', () => {
 
     it('includes read loading state when enableRead is true', () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:contacts') {
+        if (permission === 'read:page.contacts') {
           return {
             can: false,
             isLoading: true,
@@ -529,7 +530,7 @@ describe('useResourcePermissions Hook', () => {
 
     it('excludes read loading state when enableRead is false', () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:contacts') {
+        if (permission === 'read:page.contacts') {
           return {
             can: false,
             isLoading: true,
@@ -568,7 +569,7 @@ describe('useResourcePermissions Hook', () => {
     it('aggregates errors from permission checks', () => {
       const permissionError = new Error('Permission check failed');
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:contacts') {
+        if (permission === 'create:page.contacts') {
           return {
             can: false,
             isLoading: false,
@@ -600,7 +601,7 @@ describe('useResourcePermissions Hook', () => {
       });
 
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:contacts') {
+        if (permission === 'create:page.contacts') {
           return {
             can: false,
             isLoading: false,
@@ -632,11 +633,11 @@ describe('useResourcePermissions Hook', () => {
     it('respects enableRead option', () => {
       renderHook(() => useResourcePermissions('contacts', { enableRead: true }));
 
-      // Should still call useCan for read permission
+      // Should still call useCan for read permission with page. prefix when appId is available
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
-        'read:contacts',
+        'read:page.contacts',
         'contacts', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -659,7 +660,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
-        'create:risks',
+        'create:page.risks',
         'risks', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -668,7 +669,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
-        'update:risks',
+        'update:page.risks',
         'risks', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -677,7 +678,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
-        'delete:risks',
+        'delete:page.risks',
         'risks', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -687,7 +688,7 @@ describe('useResourcePermissions Hook', () => {
   });
 
   describe('Page Permission Support', () => {
-    it('passes resource name as pageId when appId is available in scope', () => {
+    it('constructs permission strings with page. prefix when appId is available', () => {
       const scopeWithAppId: Scope = {
         organisationId: 'org-123',
         eventId: 'event-123',
@@ -702,20 +703,38 @@ describe('useResourcePermissions Hook', () => {
 
       renderHook(() => useResourcePermissions('planning'));
 
-      // When appId is available, resource name should be passed as pageId
-      // This enables the RPC function to check page permissions
+      // When appId is available, permission strings should include page. prefix
+      // and resource name should be passed as pageId to enable page permission checks
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         scopeWithAppId,
-        'create:planning',
+        'create:page.planning',
         'planning', // Resource name passed as pageId to enable page permission checks
         true,
         null, // precomputedSuperAdmin
         undefined // appName
       );
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithAppId,
+        'update:page.planning',
+        'planning',
+        true,
+        null,
+        undefined
+      );
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithAppId,
+        'delete:page.planning',
+        'planning',
+        true,
+        null,
+        undefined
+      );
     });
 
-    it('does not pass pageId when appId is not available', () => {
+    it('does not add page. prefix when appId is not available', () => {
       const scopeWithoutAppId: Scope = {
         organisationId: 'org-123',
         eventId: 'event-123',
@@ -730,8 +749,8 @@ describe('useResourcePermissions Hook', () => {
 
       renderHook(() => useResourcePermissions('planning'));
 
-      // When appId is not available, pageId should be undefined
-      // This falls back to resource-based permission checking
+      // When appId is not available, permission strings should NOT include page. prefix
+      // and pageId should be undefined - falls back to resource-based permission checking
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         scopeWithoutAppId,
@@ -741,6 +760,82 @@ describe('useResourcePermissions Hook', () => {
         null, // precomputedSuperAdmin
         undefined // appName
       );
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithoutAppId,
+        'update:planning',
+        undefined,
+        true,
+        null,
+        undefined
+      );
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithoutAppId,
+        'delete:planning',
+        undefined,
+        true,
+        null,
+        undefined
+      );
+    });
+
+    it('waits for scope resolution before using page permissions (timing fix)', () => {
+      // Simulate scope resolution in progress (resolvedScope is null, isLoading is true)
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: null,
+        isLoading: true,
+        error: null,
+      });
+
+      renderHook(() => useResourcePermissions('planning'));
+
+      // During scope loading, should use resource-based permissions (no page. prefix)
+      // because resolvedScope is null, so hasAppId is false
+      const fallbackScope: Scope = {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: undefined,
+      };
+
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        fallbackScope,
+        'create:planning', // Resource-based permission (no page. prefix) during loading
+        undefined, // No pageId when appId is not available
+        true,
+        null,
+        undefined
+      );
+
+      // Now simulate scope resolution completing with appId
+      const scopeWithAppId: Scope = {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: 'app-123',
+      };
+
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: scopeWithAppId,
+        isLoading: false,
+        error: null,
+      });
+
+      // Re-render to trigger update
+      const { rerender } = renderHook(() => useResourcePermissions('planning'));
+      rerender();
+
+      // After scope resolution, should use page permissions (with page. prefix)
+      // because resolvedScope.appId is now available, so hasAppId is true
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithAppId,
+        'create:page.planning', // Page-based permission (with page. prefix) after resolution
+        'planning', // pageId is resource name when appId is available
+        true,
+        null,
+        undefined
+      );
     });
   });
 });