@jmruthers/pace-core 0.6.4 → 0.6.6

package/dist/rbac/index.d.ts

@@ -1,10 +1,11 @@
-import { U as UUID, g as PermissionCacheKey, h as AuditEventSource, i as RBACAuditEvent, a as PermissionCheck, S as Scope, A as AccessLevel, b as PermissionMap, j as RBACAppContext, k as RBACRoleContext, P as Permission, l as UserRBACContext } from '../types-BeoeWV5I.js';
+import { U as UUID, g as PermissionCacheKey, h as AuditEventSource, i as RBACAuditEvent, a as PermissionCheck, S as Scope, A as AccessLevel, b as PermissionMap, j as RBACAppContext, k as RBACRoleContext, l as UserRBACContext, P as Permission } from '../types-BeoeWV5I.js';
 export { E as EventAppRole, G as GlobalRole, I as InvalidScopeError, M as MissingUserContextError, O as Operation, e as OrganisationContextRequiredError, c as OrganisationRole, d as PermissionDeniedError, R as RBACError, f as RBACNotInitializedError } from '../types-BeoeWV5I.js';
 export { A as AccessLevelContext, s as AuditEventType, P as PermissionSource, d as RBACAccessValidateParams, e as RBACAccessValidateResult, q as RBACAuditLogParams, r as RBACAuditLogResult, t as RBACContext, w as RBACErrorCode, v as RBACFunctionResponse, f as RBACPageAccessCheckParams, R as RBACPermissionCheckParams, a as RBACPermissionCheckResult, b as RBACPermissionsGetParams, c as RBACPermissionsGetResult, u as RBACResult, g as RBACRoleGrantParams, h as RBACRoleGrantResult, i as RBACRoleRevokeParams, j as RBACRoleRevokeResult, m as RBACRoleValidateParams, n as RBACRoleValidateResult, k as RBACRolesListParams, l as RBACRolesListResult, o as RBACSessionTrackParams, p as RBACSessionTrackResult, x as RPCFunction, S as SessionType } from '../functions-DHebl8-F.js';
 import { SupabaseClient } from '@supabase/supabase-js';
-import { D as Database } from '../database.generated-CzIvgcPu.js';
+import { D as Database } from '../database.generated-CcnC_DRc.js';
 import * as react_jsx_runtime from 'react/jsx-runtime';
-import React__default, { ReactNode } from 'react';
+import React__default from 'react';
+import { a as NavigationItem } from '../types-t9H8qKRw.js';
 import '../core-CUElvH_C.js';
 
 /**
@@ -842,63 +843,6 @@ declare class RBACEngine {
  */
 declare function createRBACEngine(supabase: SupabaseClient<Database>, securityConfig?: Partial<RBACSecurityConfig>): RBACEngine;
 
-interface PagePermissionContextType {
-    /** Check if user has permission for a page */
-    hasPagePermission: (pageName: string, operation: string, pageId?: string, scope?: Scope) => boolean;
-    /** Get all page permissions for current user */
-    getPagePermissions: () => Record<string, string[]>;
-    /** Check if page permission checking is enabled */
-    isEnabled: boolean;
-    /** Check if strict mode is enabled */
-    isStrictMode: boolean;
-    /** Check if audit logging is enabled */
-    isAuditLogEnabled: boolean;
-    /** Get page access history */
-    getPageAccessHistory: () => PageAccessRecord[];
-    /** Clear page access history */
-    clearPageAccessHistory: () => void;
-}
-interface PageAccessRecord {
-    pageName: string;
-    operation: string;
-    userId: UUID;
-    scope: Scope;
-    allowed: boolean;
-    timestamp: string;
-    pageId?: string;
-}
-interface PagePermissionProviderProps {
-    /** Child components */
-    children: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when page access is attempted */
-    onPageAccess?: (pageName: string, operation: string, allowed: boolean, record: PageAccessRecord) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (pageName: string, operation: string, record: PageAccessRecord) => void;
-    /** Maximum number of access records to keep in history */
-    maxHistorySize?: number;
-}
-/**
- * PagePermissionProvider - Manages page-level permissions across the app
- *
- * This provider ensures that all pages are properly protected and provides
- * centralized page permission management with strict enforcement.
- *
- * @param props - Provider props
- * @returns React element with page permission context
- */
-declare function PagePermissionProvider({ children, strictMode, auditLog, onPageAccess, onStrictModeViolation, maxHistorySize }: PagePermissionProviderProps): react_jsx_runtime.JSX.Element;
-/**
- * Hook to use page permission context
- *
- * @returns Page permission context
- * @throws Error if used outside of PagePermissionProvider
- */
-declare function usePagePermissions(): PagePermissionContextType;
-
 interface PagePermissionGuardProps {
     /** Name of the page being protected */
     pageName: string;
@@ -923,281 +867,6 @@ interface PagePermissionGuardProps {
 }
 declare const PagePermissionGuard: React__default.MemoExoticComponent<({ pageName, operation, children, fallback, strictMode, auditLog, pageId, scope, onDenied, loading }: PagePermissionGuardProps) => string | number | bigint | boolean | Iterable<React__default.ReactNode> | Promise<string | number | bigint | boolean | React__default.ReactPortal | React__default.ReactElement<unknown, string | React__default.JSXElementConstructor<any>> | Iterable<React__default.ReactNode> | null | undefined> | react_jsx_runtime.JSX.Element | null>;
 
-interface DataAccessRecord {
-    table: string;
-    operation: string;
-    userId: UUID;
-    scope: Scope;
-    allowed: boolean;
-    timestamp: string;
-    query?: string;
-    filters?: Record<string, any>;
-}
-interface SecureDataContextType {
-    /** Check if data access is allowed for a table and operation */
-    isDataAccessAllowed: (table: string, operation: string, scope?: Scope) => boolean;
-    /** Get all data access permissions for current user */
-    getDataAccessPermissions: () => Record<string, string[]>;
-    /** Check if secure data access is enabled */
-    isEnabled: boolean;
-    /** Check if strict mode is enabled */
-    isStrictMode: boolean;
-    /** Check if audit logging is enabled */
-    isAuditLogEnabled: boolean;
-    /** Get data access history */
-    getDataAccessHistory: () => DataAccessRecord[];
-    /** Clear data access history */
-    clearDataAccessHistory: () => void;
-    /** Validate data access attempt */
-    validateDataAccess: (table: string, operation: string, scope?: Scope) => boolean;
-}
-interface SecureDataProviderProps {
-    /** Child components */
-    children: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when data access is attempted */
-    onDataAccess?: (table: string, operation: string, allowed: boolean, record: DataAccessRecord) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (table: string, operation: string, record: DataAccessRecord) => void;
-    /** Maximum number of access records to keep in history */
-    maxHistorySize?: number;
-    /** Enable RLS enforcement (default: true) */
-    enforceRLS?: boolean;
-}
-/**
- * SecureDataProvider - Prevents direct Supabase access and enforces secure data patterns
- *
- * This provider ensures that all data access goes through the secure RBAC system
- * and prevents apps from bypassing data access controls.
- *
- * @param props - Provider props
- * @returns React element with secure data context
- */
-declare function SecureDataProvider({ children, strictMode, auditLog, onDataAccess, onStrictModeViolation, maxHistorySize, enforceRLS }: SecureDataProviderProps): react_jsx_runtime.JSX.Element;
-/**
- * Hook to use secure data context
- *
- * @returns Secure data context
- * @throws Error if used outside of SecureDataProvider
- */
-declare function useSecureData(): SecureDataContextType;
-
-interface PermissionEnforcerProps {
-    /** Permissions required for access */
-    permissions: Permission[];
-    /** Operation being performed */
-    operation: string;
-    /** Content to render when user has permission */
-    children: React__default.ReactNode;
-    /** Content to render when user lacks permission */
-    fallback?: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Force audit logging for this operation (default: true) */
-    auditLog?: boolean;
-    /** Custom scope for permission checking */
-    scope?: Scope;
-    /** Callback when access is denied */
-    onDenied?: (permissions: Permission[], operation: string) => void;
-    /** Loading state content */
-    loading?: React__default.ReactNode;
-    /** Require all permissions (AND) or any permission (OR) */
-    requireAll?: boolean;
-}
-/**
- * PermissionEnforcer - Enforces permissions for operations
- *
- * This component ensures that users can only perform operations they have permission for.
- * It integrates with the existing RBAC system and provides strict enforcement to
- * prevent apps from bypassing permission checks.
- *
- * @param props - Component props
- * @returns React element with permission enforcement
- */
-declare function PermissionEnforcer({ permissions, operation, children, fallback, strictMode, auditLog, scope, onDenied, loading, requireAll }: PermissionEnforcerProps): react_jsx_runtime.JSX.Element;
-
-interface RouteConfig {
-    /** Route path */
-    path: string;
-    /** React component to render */
-    component: React__default.ComponentType;
-    /** Permissions required for this route */
-    permissions: Permission[];
-    /** If true, this route is public and doesn't require permission checks */
-    public?: boolean;
-    /** Roles that can access this route */
-    roles?: string[];
-    /** Minimum access level required */
-    accessLevel?: AccessLevel;
-    /** Page ID for permission checking */
-    pageId?: string;
-    /** Enable strict mode for this route */
-    strictMode?: boolean;
-    /** Route metadata */
-    meta?: {
-        title?: string;
-        description?: string;
-        requiresAuth?: boolean;
-        hidden?: boolean;
-    };
-}
-interface RouteAccessRecord {
-    route: string;
-    permissions: Permission[];
-    userId: UUID;
-    scope: Scope;
-    allowed: boolean;
-    timestamp: string;
-    pageId?: string;
-    roles?: string[];
-    accessLevel?: AccessLevel;
-}
-interface RoleBasedRouterContextType {
-    /** Get all accessible routes for current user */
-    getAccessibleRoutes: () => RouteConfig[];
-    /** Check if user can access a specific route */
-    canAccessRoute: (path: string) => boolean;
-    /** Get route configuration for a path */
-    getRouteConfig: (path: string) => RouteConfig | null;
-    /** Get route access history */
-    getRouteAccessHistory: () => RouteAccessRecord[];
-    /** Clear route access history */
-    clearRouteAccessHistory: () => void;
-    /** Check if strict mode is enabled */
-    isStrictMode: boolean;
-    /** Check if audit logging is enabled */
-    isAuditLogEnabled: boolean;
-}
-interface RoleBasedRouterProps {
-    /** Route configuration */
-    routes: RouteConfig[];
-    /** Fallback route for unauthorized access */
-    fallbackRoute?: string;
-    /** Child components */
-    children: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when route access is attempted */
-    onRouteAccess?: (route: string, allowed: boolean, record: RouteAccessRecord) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (route: string, record: RouteAccessRecord) => void;
-    /** Maximum number of access records to keep in history */
-    maxHistorySize?: number;
-    /** Custom unauthorized component */
-    unauthorizedComponent?: React__default.ComponentType<{
-        route: string;
-        reason: string;
-    }>;
-}
-/**
- * RoleBasedRouter - Centralized routing control with role-based protection
- *
- * This component ensures that all routes are properly protected and provides
- * centralized routing control to prevent apps from bypassing route protection.
- *
- * @param props - Router props
- * @returns React element with role-based routing
- */
-declare function RoleBasedRouter({ routes, fallbackRoute, children, strictMode, auditLog, onRouteAccess, onStrictModeViolation, maxHistorySize, unauthorizedComponent: UnauthorizedComponent }: RoleBasedRouterProps): react_jsx_runtime.JSX.Element;
-/**
- * Hook to use role-based router context
- *
- * @returns Role-based router context
- * @throws Error if used outside of RoleBasedRouter
- */
-declare function useRoleBasedRouter(): RoleBasedRouterContextType;
-
-interface NavigationItem {
-    /** Unique identifier for the navigation item */
-    id: string;
-    /** Display label for the navigation item */
-    label: string;
-    /** Navigation path/URL */
-    path: string;
-    /** Permissions required for this navigation item */
-    permissions: Permission[];
-    /** Roles that can access this navigation item */
-    roles?: string[];
-    /** Minimum access level required */
-    accessLevel?: 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
-    /** Page ID for permission checking */
-    pageId?: string;
-    /** Enable strict mode for this navigation item */
-    strictMode?: boolean;
-    /** Navigation item metadata */
-    meta?: {
-        icon?: string;
-        description?: string;
-        hidden?: boolean;
-        order?: number;
-    };
-}
-interface NavigationAccessRecord {
-    navigationItem: string;
-    permissions: Permission[];
-    userId: UUID;
-    scope: Scope;
-    allowed: boolean;
-    timestamp: string;
-    pageId?: string;
-    roles?: string[];
-    accessLevel?: string;
-}
-interface NavigationContextType {
-    /** Check if user has permission for a navigation item */
-    hasNavigationPermission: (item: NavigationItem) => boolean;
-    /** Get all navigation permissions for current user */
-    getNavigationPermissions: () => Record<string, string[]>;
-    /** Get filtered navigation items based on permissions */
-    getFilteredNavigationItems: (items: NavigationItem[]) => NavigationItem[];
-    /** Check if navigation permission checking is enabled */
-    isEnabled: boolean;
-    /** Check if strict mode is enabled */
-    isStrictMode: boolean;
-    /** Check if audit logging is enabled */
-    isAuditLogEnabled: boolean;
-    /** Get navigation access history */
-    getNavigationAccessHistory: () => NavigationAccessRecord[];
-    /** Clear navigation access history */
-    clearNavigationAccessHistory: () => void;
-}
-interface NavigationProviderProps {
-    /** Child components */
-    children: React__default.ReactNode;
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when navigation access is attempted */
-    onNavigationAccess?: (item: NavigationItem, allowed: boolean, record: NavigationAccessRecord) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (item: NavigationItem, record: NavigationAccessRecord) => void;
-    /** Maximum number of access records to keep in history */
-    maxHistorySize?: number;
-}
-/**
- * NavigationProvider - Manages navigation-level permissions across the app
- *
- * This provider ensures that all navigation items are properly protected and provides
- * centralized navigation permission management with strict enforcement.
- *
- * @param props - Provider props
- * @returns React element with navigation permission context
- */
-declare function NavigationProvider({ children, strictMode, auditLog, onNavigationAccess, onStrictModeViolation, maxHistorySize }: NavigationProviderProps): react_jsx_runtime.JSX.Element;
-/**
- * Hook to use navigation permission context
- *
- * @returns Navigation permission context
- * @throws Error if used outside of NavigationProvider
- */
-declare function useNavigationPermissions(): NavigationContextType;
-
 interface NavigationGuardProps {
     /** Navigation item being protected */
     navigationItem: NavigationItem;
@@ -1230,44 +899,72 @@ interface NavigationGuardProps {
  */
 declare function NavigationGuard({ navigationItem, children, fallback, strictMode, auditLog, scope, onDenied, loading, requireAll }: NavigationGuardProps): react_jsx_runtime.JSX.Element;
 
-interface EnhancedNavigationMenuProps {
-    /** Navigation items to display */
-    items: NavigationItem[];
-    /** Enable strict mode to prevent bypassing (default: true) */
-    strictMode?: boolean;
-    /** Enable audit logging (default: true) */
-    auditLog?: boolean;
-    /** Callback when navigation access is attempted */
-    onNavigationAccess?: (item: NavigationItem, allowed: boolean) => void;
-    /** Callback when strict mode violation occurs */
-    onStrictModeViolation?: (item: NavigationItem) => void;
-    /** Custom className for the navigation menu */
+/**
+ * @file Access Denied Component
+ * @package @jmruthers/pace-core
+ * @module RBAC/Components/AccessDenied
+ * @since 2.0.0
+ *
+ * Standard access denied component for consistent error messaging across all PACE apps.
+ * This component provides a uniform user experience when users lack permissions.
+ *
+ * Features:
+ * - Consistent styling and behavior across all apps
+ * - Configurable message and actions
+ * - Accessibility compliant
+ * - Responsive design
+ *
+ * @example
+ * ```tsx
+ * // Basic usage
+ * <AccessDenied />
+ *
+ * // With custom message
+ * <AccessDenied message="You don't have permission to view this page." />
+ *
+ * // With custom actions
+ * <AccessDenied
+ *   onGoBack={() => navigate('/dashboard')}
+ *   onSignOut={handleSignOut}
+ * />
+ * ```
+ *
+ * @accessibility
+ * - Proper ARIA labels and roles
+ * - High contrast support
+ * - Screen reader friendly
+ * - Keyboard navigation support
+ *
+ * @dependencies
+ * - React 19+
+ * - pace-core Button component
+ */
+interface AccessDeniedProps {
+    /** Custom error message */
+    message?: string;
+    /** Resource or page name that was denied */
+    resource?: string;
+    /** Operation that was denied */
+    operation?: string;
+    /** Callback when "Go Back" is clicked */
+    onGoBack?: () => void;
+    /** Callback when "Sign Out" is clicked */
+    onSignOut?: () => void;
+    /** Custom class names */
     className?: string;
-    /** Custom className for navigation items */
-    itemClassName?: string;
-    /** Custom className for active navigation items */
-    activeItemClassName?: string;
-    /** Custom className for disabled navigation items */
-    disabledItemClassName?: string;
-    /** Show/hide navigation items that user doesn't have permission for */
-    hideUnauthorizedItems?: boolean;
-    /** Custom render function for navigation items */
-    renderItem?: (item: NavigationItem, isAuthorized: boolean) => React__default.ReactNode;
-    /** Current active path for highlighting */
-    activePath?: string;
-    /** Navigation item click handler */
-    onItemClick?: (item: NavigationItem) => void;
+    /** Show sign out button */
+    showSignOut?: boolean;
 }
 /**
- * EnhancedNavigationMenu - Secure navigation menu with RBAC integration
+ * Standard access denied component
  *
- * This component provides a navigation menu that automatically filters items based on
- * user permissions and enforces strict security controls.
+ * This component is displayed when users lack the necessary permissions.
+ * It provides clear messaging and actionable next steps.
  *
- * @param props - Component props
- * @returns React element with enhanced navigation menu
+ * @param props - Component configuration
+ * @returns JSX.Element - The rendered access denied page
  */
-declare function EnhancedNavigationMenu({ items, strictMode, auditLog, onNavigationAccess, onStrictModeViolation, className, itemClassName, activeItemClassName, disabledItemClassName, hideUnauthorizedItems, renderItem, activePath, onItemClick }: EnhancedNavigationMenuProps): react_jsx_runtime.JSX.Element;
+declare function AccessDenied({ message, resource, operation, onGoBack, onSignOut, className, showSignOut }: AccessDeniedProps): react_jsx_runtime.JSX.Element;
 
 /**
  * @file RBAC Hook
@@ -1301,6 +998,8 @@ interface UseResolvedScopeOptions {
     selectedOrganisationId: string | null;
     /** Selected event ID */
     selectedEventId: string | null;
+    /** Selected event organisation ID (from selectedEvent.organisation_id) - allows immediate context without querying */
+    selectedEventOrganisationId?: string | null;
 }
 interface UseResolvedScopeReturn {
     /** Resolved scope, or null if not yet resolved */
@@ -1334,7 +1033,7 @@ interface UseResolvedScopeReturn {
  * const permission = useCan(userId, resolvedScope, permission);
  * ```
  */
-declare function useResolvedScope({ supabase, selectedOrganisationId, selectedEventId }: UseResolvedScopeOptions): UseResolvedScopeReturn;
+declare function useResolvedScope({ supabase, selectedOrganisationId, selectedEventId, selectedEventOrganisationId }: UseResolvedScopeOptions): UseResolvedScopeReturn;
 
 /**
  * @file useResourcePermissions Hook
@@ -1408,15 +1107,22 @@ interface ResourcePermissions {
  * and provides a simple API for permission checking.
  *
  * **Page Permission Support:**
- * When an `appId` is available in the resolved scope, the resource name is passed
- * as `pageId` to enable page-based permission checks. This allows the hook to work
- * with both resource-based permissions (when appId is not available) and page-based
- * permissions (when appId is available and the resource is a registered page).
+ * When an `appId` is available in the resolved scope, the hook automatically:
+ * 1. Waits for scope resolution to complete (including `appId` being set)
+ * 2. Constructs permission strings with the `page.` prefix (e.g., `create:page.planning`)
+ * 3. Passes the resource name as `pageId` to enable page-based permission checks
+ *
+ * This ensures permission strings match the format returned by `rbac_permissions_get`
+ * (e.g., `create:page.planning`) rather than resource-based format (e.g., `create:planning`).
+ *
+ * **Scope Resolution Timing:**
+ * The hook waits for scope resolution to complete before constructing permission strings.
+ * This prevents timing issues where permission checks use the wrong format (e.g., `delete:planning`
+ * instead of `delete:page.planning`) when `appId` is not yet available in the scope.
  *
- * The RPC function `rbac_check_permission_simplified` will automatically resolve
- * the page name to a page ID and check page permissions if the resource matches
- * a registered page in `rbac_app_pages`. If the resource is not a registered page,
- * it will fall back to resource-based permission checking.
+ * The RPC function `rbac_check_permission_simplified` will resolve the page name to a page ID
+ * and check page permissions if the resource matches a registered page in `rbac_app_pages`.
+ * If the resource is not a registered page, it will fall back to resource-based permission checking.
  *
  * @param resource - The resource name (e.g., 'contacts', 'risks', 'planning')
  *                   Can be a resource name or a page name registered in rbac_app_pages
@@ -1489,38 +1195,6 @@ declare function useAccessLevel(userId: UUID, scope: Scope): {
     refetch: () => Promise<void>;
 };
 
-/**
- * Hook to get cached permissions with TTL management
- *
- * @param userId - User ID
- * @param scope - Scope for permission checking
- * @returns Cached permission state and methods
- *
- * @example
- * ```tsx
- * function MyComponent() {
- *   const { permissions, isLoading, error, invalidateCache } = useCachedPermissions(userId, scope);
- *
- *   if (isLoading) return <div>Loading cached permissions...</div>;
- *   if (error) return <div>Error: {error.message}</div>;
- *
- *   return (
- *     <div>
- *       {permissions['read:users'] && <UserList />}
- *       <button onClick={invalidateCache}>Refresh Permissions</button>
- *     </div>
- *   );
- * }
- * ```
- */
-declare function useCachedPermissions(userId: UUID, scope: Scope): {
-    permissions: PermissionMap;
-    isLoading: boolean;
-    error: Error | null;
-    invalidateCache: () => void;
-    refetch: () => Promise<void>;
-};
-
 /**
  * Hook to check if user can perform an action
  *
@@ -1558,70 +1232,6 @@ precomputedSuperAdmin?: boolean | null, appName?: string): {
     refetch: () => Promise<void>;
 };
 
-/**
- * Hook to check if user has all of the specified permissions
- *
- * @param userId - User ID
- * @param scope - Scope for permission checking
- * @param permissions - Array of permissions to check
- * @param useCache - Whether to use cached results
- * @returns Whether user has all of the permissions
- *
- * @example
- * ```tsx
- * function MyComponent() {
- *   const { hasAll, isLoading, error } = useHasAllPermissions(
- *     userId,
- *     scope,
- *     ['read:users', 'create:users', 'update:users']
- *   );
- *
- *   if (isLoading) return <div>Checking permissions...</div>;
- *   if (error) return <div>Error: {error.message}</div>;
- *
- *   return hasAll ? <FullUserManagementPanel /> : <div>Insufficient permissions</div>;
- * }
- * ```
- */
-declare function useHasAllPermissions(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
-    hasAll: boolean;
-    isLoading: boolean;
-    error: Error | null;
-    refetch: () => Promise<void>;
-};
-
-/**
- * Hook to check if user has any of the specified permissions
- *
- * @param userId - User ID
- * @param scope - Scope for permission checking
- * @param permissions - Array of permissions to check
- * @param useCache - Whether to use cached results
- * @returns Whether user has any of the permissions
- *
- * @example
- * ```tsx
- * function MyComponent() {
- *   const { hasAny, isLoading, error } = useHasAnyPermission(
- *     userId,
- *     scope,
- *     ['read:users', 'create:users']
- *   );
- *
- *   if (isLoading) return <div>Checking permissions...</div>;
- *   if (error) return <div>Error: {error.message}</div>;
- *
- *   return hasAny ? <UserManagementPanel /> : <div>No user permissions</div>;
- * }
- * ```
- */
-declare function useHasAnyPermission(userId: UUID, scope: Scope, permissions: Permission[], useCache?: boolean): {
-    hasAny: boolean;
-    isLoading: boolean;
-    error: Error | null;
-    refetch: () => Promise<void>;
-};
-
 /**
  * Hook to check multiple permissions at once
  *
@@ -1972,95 +1582,16 @@ declare function useSecureSupabase(baseClient?: SupabaseClient<Database> | null)
  * @module RBAC/Adapters
  * @since 1.0.0
  *
- * This module provides adapters for different frameworks and server runtimes.
- */
-
-/**
- * Permission Guard Component
+ * This module provides server-side adapters for different frameworks and server runtimes.
  *
- * A React component that conditionally renders children based on permissions.
- * Can auto-infer userId from context if not provided.
+ * NOTE: React components (PermissionGuard, AccessLevelGuard) have been removed.
+ * Use PagePermissionGuard from @jmruthers/pace-core/rbac for all client-side permission enforcement.
+ * Use useAccessLevel hook + conditional rendering for access level checks.
  *
- * @example
- * ```tsx
- * // With explicit userId and scope
- * <PermissionGuard
- *   userId="user-123"
- *   scope={{ organisationId: 'org-456' }}
- *   permission="update:events"
- *   pageId="page-789"
- *   fallback={<AccessDenied />}
- * >
- *   <AdminPanel />
- * </PermissionGuard>
- *
- * // With context inference (requires auth context)
- * <PermissionGuard
- *   permission="update:events"
- *   scope={{ organisationId: 'org-456' }}
- *   fallback={<AccessDenied />}
- * >
- *   <AdminPanel />
- * </PermissionGuard>
- * ```
+ * Server adapters are provided for server-side route protection (Next.js, Express, etc.).
+ * These are optional utilities for server-side applications.
  */
-declare function PermissionGuard({ userId, scope, permission, pageId, children, fallback, onDenied, loading, strictMode, auditLog, enforceAudit, }: {
-    userId?: UUID;
-    scope: {
-        organisationId: UUID;
-        eventId?: string;
-        appId?: UUID;
-    };
-    permission: Permission;
-    pageId?: UUID;
-    children: ReactNode;
-    fallback?: ReactNode;
-    onDenied?: () => void;
-    loading?: ReactNode;
-    strictMode?: boolean;
-    auditLog?: boolean;
-    enforceAudit?: boolean;
-}): React__default.ReactNode;
-/**
- * Access Level Guard Component
- *
- * A React component that conditionally renders children based on access level.
- * Can auto-infer userId from context if not provided.
- *
- * @example
- * ```tsx
- * // With explicit userId and scope
- * <AccessLevelGuard
- *   userId="user-123"
- *   scope={{ organisationId: 'org-456' }}
- *   minLevel="admin"
- *   fallback={<AccessDenied />}
- * >
- *   <AdminPanel />
- * </AccessLevelGuard>
- *
- * // With context inference (requires auth context)
- * <AccessLevelGuard
- *   minLevel="admin"
- *   scope={{ organisationId: 'org-456' }}
- *   fallback={<AccessDenied />}
- * >
- *   <AdminPanel />
- * </AccessLevelGuard>
- * ```
- */
-declare function AccessLevelGuard({ userId, scope, minLevel, children, fallback, loading, }: {
-    userId?: UUID;
-    scope: {
-        organisationId: UUID;
-        eventId?: string;
-        appId?: UUID;
-    };
-    minLevel: 'viewer' | 'participant' | 'planner' | 'admin' | 'super';
-    children: ReactNode;
-    fallback?: ReactNode;
-    loading?: ReactNode;
-}): React__default.ReactNode;
+
 /**
  * Permission Guard for Server Handlers
  *
@@ -2210,34 +1741,6 @@ declare function createRBACExpressMiddleware(config: {
         json: (data: object) => void;
     };
 }, next: () => void) => Promise<void>;
-/**
- * Check if a user has a permission (synchronous cache check only)
- *
- * @param userId - User ID
- * @param scope - Permission scope
- * @param permission - Permission to check
- * @param pageId - Optional page ID
- * @returns True if permission is cached and granted
- */
-declare function hasPermissionCached(userId: UUID, scope: {
-    organisationId: UUID;
-    eventId?: string;
-    appId?: UUID;
-}, _permission: Permission, _pageId?: UUID): boolean;
-/**
- * Check if a user has any of the specified permissions (synchronous cache check only)
- *
- * @param userId - User ID
- * @param scope - Permission scope
- * @param permissions - Array of permissions to check
- * @param pageId - Optional page ID
- * @returns True if any permission is cached and granted
- */
-declare function hasAnyPermissionCached(userId: UUID, scope: {
-    organisationId: UUID;
-    eventId?: string;
-    appId?: UUID;
-}, permissions: Permission[], pageId?: UUID): boolean;
 
 /**
  * RBAC Main API Functions
@@ -2344,13 +1847,6 @@ precomputedSuperAdmin?: boolean | null): Promise<boolean>;
  * @returns Promise resolving to permission result
  */
 declare function isPermittedCached(input: PermissionCheck, appName?: string): Promise<boolean>;
-/**
- * Check if a user has a specific permission (alias for isPermitted)
- *
- * @param input - Permission check parameters
- * @returns Promise<boolean> - True if user has permission
- */
-declare function hasPermission(input: PermissionCheck): Promise<boolean>;
 /**
  * Check if user has any of the specified permissions
  *
@@ -2575,6 +2071,39 @@ declare function getSetupIssues(): SetupIssue[];
  */
 declare function validateRBACSetup(): ComplianceResult;
 
+/**
+ * Pattern Detector for RBAC Compliance
+ * @package @jmruthers/pace-core
+ * @module RBAC/Compliance/PatternDetector
+ * @since 1.0.0
+ *
+ * This module provides static and runtime pattern detection for RBAC violations.
+ * It detects direct RPC calls, direct table queries, and other non-standard patterns.
+ */
+interface PatternViolation {
+    type: 'direct-rpc-call' | 'direct-table-query' | 'bypass-pattern' | 'custom-component' | 'hardcoded-role-check' | 'custom-permission-utility' | 'ui-only-access-control' | 'permission-bypass-comment' | 'resource-permission-string-literal' | 'permission-wrapper-function';
+    file?: string;
+    line?: number;
+    message: string;
+    recommendation: string;
+}
+interface PatternDetectionResult {
+    violations: PatternViolation[];
+    isCompliant: boolean;
+    summary: {
+        directRpcCalls: number;
+        directTableQueries: number;
+        bypassPatterns: number;
+        customComponents: number;
+        hardcodedRoleChecks: number;
+        customPermissionUtilities: number;
+        uiOnlyAccessControl: number;
+        permissionBypassComments: number;
+        resourcePermissionStringLiterals: number;
+        permissionWrapperFunctions: number;
+    };
+}
+
 /**
  * Runtime Compliance Checking
  * @package @jmruthers/pace-core
@@ -2594,6 +2123,7 @@ interface RuntimeComplianceResult {
         available: boolean;
         message?: string;
     };
+    patternDetection?: PatternDetectionResult;
 }
 /**
  * Check runtime compliance
@@ -2680,4 +2210,4 @@ declare function getDirectSupabaseAuthFixes(): QuickFix;
  */
 declare function getQuickFixes(issueType: string, details?: Record<string, any>): QuickFix[];
 
-export { ALL_PERMISSIONS, AccessLevel, AccessLevelGuard, type AllPermissions, CACHE_PATTERNS, type ComplianceResult, type DataAccessRecord, type DatabaseComplianceResult, type DatabaseIssue, EVENT_APP_PERMISSIONS, EnhancedNavigationMenu, type EnhancedNavigationMenuProps, type EventAppRoleData, GLOBAL_PERMISSIONS, type GrantEventAppRoleParams, type LogLevel, type NavigationAccessRecord, type NavigationContextType, NavigationGuard, type NavigationGuardProps, type NavigationItem, NavigationProvider, type NavigationProviderProps, ORGANISATION_PERMISSIONS, PAGE_PERMISSIONS, type PageAccessRecord, type PagePermissionContextType, PagePermissionGuard, type PagePermissionGuardProps, PagePermissionProvider, type PagePermissionProviderProps, Permission, PermissionCheck, PermissionEnforcer, type PermissionEnforcerProps, PermissionGuard, PermissionMap, type QuickFix, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, type RBACLogger, type RBACPerformanceMetrics, type ResourcePermissions, type RevokeEventAppRoleParams, RoleBasedRouter, type RoleBasedRouterContextType, type RoleBasedRouterProps, type RoleManagementResult, type RouteAccessRecord, type RouteConfig, type RuntimeComplianceResult, SECURE_CLIENT_SYMBOL, Scope, type SecureDataContextType, SecureDataProvider, type SecureDataProviderProps, SecureSupabaseClient, type SetupIssue, UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, type UseResourcePermissionsOptions, checkRuntimeCompliance, clearInFlightRequests, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, disablePerformanceMonitoring, emitAuditEvent, enablePerformanceMonitoring, fromSupabaseClient, getAccessLevel, getCustomAuthCodeFixes, getDirectSupabaseAuthFixes, getDuplicateConfigFixes, getGlobalAuditManager, getInFlightRequestCount, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getQuickFixes, getRBACConfig, getRBACLogger, getRoleContext, getSetupIssues, getUnprotectedPageFixes, hasAllPermissions, hasAnyPermission, hasAnyPermissionCached, hasPermission, hasPermissionCached, isDebugMode, isDevelopmentMode, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isSecureClient, isValidPermission, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setGlobalAuditManager, setupRBAC, useAccessLevel, useCachedPermissions, useCan, useHasAllPermissions, useHasAnyPermission, useMultiplePermissions, useNavigationPermissions, usePagePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleBasedRouter, useRoleManagement, useSecureData, useSecureSupabase, validateAndWarn, validateDatabaseConfiguration, validateRBACSetup, warnIfInsecureClient, withAccessLevelGuard, withPermissionGuard, withRoleGuard };
+export { ALL_PERMISSIONS, AccessDenied, type AccessDeniedProps, AccessLevel, type AllPermissions, CACHE_PATTERNS, type ComplianceResult, type DatabaseComplianceResult, type DatabaseIssue, EVENT_APP_PERMISSIONS, type EventAppRoleData, GLOBAL_PERMISSIONS, type GrantEventAppRoleParams, type LogLevel, NavigationGuard, type NavigationGuardProps, ORGANISATION_PERMISSIONS, PAGE_PERMISSIONS, PagePermissionGuard, type PagePermissionGuardProps, Permission, PermissionCheck, PermissionMap, type QuickFix, RBACAuditManager, RBACCache, type RBACConfig, RBACEngine, type RBACLogger, type RBACPerformanceMetrics, type ResourcePermissions, type RevokeEventAppRoleParams, type RoleManagementResult, type RuntimeComplianceResult, SECURE_CLIENT_SYMBOL, Scope, SecureSupabaseClient, type SetupIssue, UUID, type UseResolvedScopeOptions, type UseResolvedScopeReturn, type UseResourcePermissionsOptions, checkRuntimeCompliance, clearInFlightRequests, createAuditManager, createRBACConfig, createRBACEngine, createRBACExpressMiddleware, createRBACMiddleware, createSecureClient, disablePerformanceMonitoring, emitAuditEvent, enablePerformanceMonitoring, fromSupabaseClient, getAccessLevel, getCustomAuthCodeFixes, getDirectSupabaseAuthFixes, getDuplicateConfigFixes, getGlobalAuditManager, getInFlightRequestCount, getPerformanceMetrics, getPerformanceSummary, getPermissionMap, getQuickFixes, getRBACConfig, getRBACLogger, getRoleContext, getSetupIssues, getUnprotectedPageFixes, hasAllPermissions, hasAnyPermission, isDebugMode, isDevelopmentMode, isPerformanceMonitoringEnabled, isPermitted, isPermittedCached, isRBACInitialized, isSecureClient, isValidPermission, rbacCache, recordAuditEvent, recordPermissionCheck, resetPerformanceMetrics, resolveAppContext, setGlobalAuditManager, setupRBAC, useAccessLevel, useCan, useMultiplePermissions, usePermissions, useRBAC, useResolvedScope, useResourcePermissions, useRoleManagement, useSecureSupabase, validateAndWarn, validateDatabaseConfiguration, validateRBACSetup, warnIfInsecureClient, withAccessLevelGuard, withPermissionGuard, withRoleGuard };