@jmruthers/pace-core 0.6.4 → 0.6.6

package/docs/rbac/MIGRATION_GUIDE.md

@@ -0,0 +1,819 @@
+---
+lastUpdated: 2025-01-04T00:00:00+00:00
+version: 2.0.0
+reviewedBy: rbac-architecture-review
+---
+
+# RBAC Migration Guide
+
+> **🔄 Migrating to RBAC Contract v2.0.0** | [← Back to RBAC Documentation](./README.md) | [RBAC Contract](./RBAC_CONTRACT.md)
+
+This guide helps you migrate your consuming application to comply with the RBAC Contract v2.0.0.
+
+## Breaking Changes
+
+### 1. RBAC Package Surface Area Reduction
+
+**What Changed:**
+- Removed redundant and overlapping RBAC exports to enforce a single correct pattern
+- Reduced API surface area by ~40-50%
+- All removed functionality has clear migration paths
+
+**Impact:**
+- Code using removed components/hooks/APIs will fail to build
+- Must migrate to the minimal, canonical API
+
+**Migration:**
+
+#### Components Removed
+
+**PermissionEnforcer → PagePermissionGuard**
+
+```tsx
+// ❌ OLD
+import { PermissionEnforcer } from '@jmruthers/pace-core/rbac';
+
+<PermissionEnforcer permissions={['read:events']} operation="event-management">
+  <Content />
+</PermissionEnforcer>
+
+// ✅ NEW
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';
+
+<PagePermissionGuard pageName="events" operation="read">
+  <Content />
+</PagePermissionGuard>
+```
+
+**PermissionGuard (from adapters) → PagePermissionGuard**
+
+```tsx
+// ❌ OLD
+import { PermissionGuard } from '@jmruthers/pace-core/rbac';
+
+<PermissionGuard permission="update:events" scope={{ organisationId: 'org-123' }}>
+  <Content />
+</PermissionGuard>
+
+// ✅ NEW
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';
+
+<PagePermissionGuard pageName="events" operation="update">
+  <Content />
+</PagePermissionGuard>
+```
+
+**AccessLevelGuard → useAccessLevel Hook**
+
+```tsx
+// ❌ OLD
+import { AccessLevelGuard } from '@jmruthers/pace-core/rbac';
+
+<AccessLevelGuard minLevel="admin" scope={{ organisationId: 'org-123' }}>
+  <AdminPanel />
+</AccessLevelGuard>
+
+// ✅ NEW
+import { useAccessLevel } from '@jmruthers/pace-core/rbac';
+
+function AdminPanel() {
+  const { accessLevel } = useAccessLevel();
+  
+  if (accessLevel !== 'admin' && accessLevel !== 'super') {
+    return <AccessDenied />;
+  }
+  
+  return <AdminPanelContent />;
+}
+```
+
+**RoleBasedRouter → PagePermissionGuard + React Router**
+
+```tsx
+// ❌ OLD
+import { RoleBasedRouter } from '@jmruthers/pace-core/rbac';
+
+<RoleBasedRouter routes={routeConfig}>
+  <App />
+</RoleBasedRouter>
+
+// ✅ NEW
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';
+import { Routes, Route } from 'react-router-dom';
+
+<Routes>
+  <Route path="/dashboard" element={
+    <PagePermissionGuard pageName="dashboard" operation="read">
+      <Dashboard />
+    </PagePermissionGuard>
+  } />
+</Routes>
+```
+
+**EnhancedNavigationMenu → NavigationMenu + NavigationGuard**
+
+```tsx
+// ❌ OLD
+import { EnhancedNavigationMenu } from '@jmruthers/pace-core/rbac';
+
+<EnhancedNavigationMenu items={items} />
+
+// ✅ NEW
+import { NavigationMenu, NavigationGuard } from '@jmruthers/pace-core';
+
+<NavigationMenu>
+  {items.map(item => (
+    <NavigationGuard key={item.id} permission={item.permission}>
+      <NavigationItem {...item} />
+    </NavigationGuard>
+  ))}
+</NavigationMenu>
+```
+
+**Context Providers Removed**
+
+All context providers have been removed. Use components/hooks directly:
+
+```tsx
+// ❌ OLD
+import { PagePermissionProvider, SecureDataProvider, NavigationProvider } from '@jmruthers/pace-core/rbac';
+
+<PagePermissionProvider>
+  <SecureDataProvider>
+    <NavigationProvider>
+      <App />
+    </NavigationProvider>
+  </SecureDataProvider>
+</PagePermissionProvider>
+
+// ✅ NEW - No providers needed, use components/hooks directly
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';
+import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+
+// Use PagePermissionGuard in routes
+// Use useSecureSupabase hook in components that need secure client
+```
+
+#### Hooks Removed
+
+**useHasAnyPermission → useMultiplePermissions**
+
+```tsx
+// ❌ OLD
+import { useHasAnyPermission } from '@jmruthers/pace-core/rbac';
+
+const hasAny = useHasAnyPermission(['read:events', 'read:users']);
+
+// ✅ NEW
+import { useMultiplePermissions } from '@jmruthers/pace-core/rbac';
+
+const { permissions } = useMultiplePermissions(['read:events', 'read:users']);
+const hasAny = Object.values(permissions).some(Boolean);
+```
+
+**useHasAllPermissions → useMultiplePermissions**
+
+```tsx
+// ❌ OLD
+import { useHasAllPermissions } from '@jmruthers/pace-core/rbac';
+
+const hasAll = useHasAllPermissions(['read:events', 'update:events']);
+
+// ✅ NEW
+import { useMultiplePermissions } from '@jmruthers/pace-core/rbac';
+
+const { permissions } = useMultiplePermissions(['read:events', 'update:events']);
+const hasAll = Object.values(permissions).every(Boolean);
+```
+
+**useCachedPermissions → Automatic Caching**
+
+```tsx
+// ❌ OLD
+import { useCachedPermissions } from '@jmruthers/pace-core/rbac';
+
+const cached = useCachedPermissions(['read:events']);
+
+// ✅ NEW - Caching is automatic in all hooks
+import { useCan } from '@jmruthers/pace-core/rbac';
+
+const can = useCan('read:events'); // Automatically cached
+```
+
+#### API Functions Removed
+
+**hasPermission → isPermitted**
+
+```tsx
+// ❌ OLD
+import { hasPermission } from '@jmruthers/pace-core/rbac';
+
+const hasAccess = await hasPermission({
+  permission: 'read:events',
+  pageName: 'events'
+});
+
+// ✅ NEW
+import { isPermitted } from '@jmruthers/pace-core/rbac';
+
+const hasAccess = await isPermitted({
+  permission: 'read:events',
+  pageName: 'events'
+});
+```
+
+**Cache-only helpers → Automatic Caching**
+
+```tsx
+// ❌ OLD
+import { hasPermissionCached, hasAnyPermissionCached } from '@jmruthers/pace-core/rbac';
+
+const cached = hasPermissionCached(userId, scope, 'read:events');
+const anyCached = hasAnyPermissionCached(userId, scope, ['read:events', 'read:users']);
+
+// ✅ NEW - Use hooks or API with automatic caching
+import { useCan, useMultiplePermissions } from '@jmruthers/pace-core/rbac';
+import { isPermittedCached } from '@jmruthers/pace-core/rbac';
+
+// In components (automatic caching)
+const can = useCan('read:events');
+
+// In API/server code
+const cached = await isPermittedCached({
+  permission: 'read:events',
+  pageName: 'events'
+});
+```
+
+#### Internal Exports
+
+The following exports are now marked as `@internal` and should not be used by consuming apps:
+
+- `RBACEngine`, `createRBACEngine` → Use `isPermitted` API instead
+- `RBACCache`, `rbacCache`, `CACHE_PATTERNS` → Caching is automatic
+- `SecureSupabaseClient`, `createSecureClient`, `fromSupabaseClient` → Use `useSecureSupabase` hook instead
+
+**Migration Steps:**
+
+1. **Search for removed exports:**
+   ```bash
+   grep -r "PermissionEnforcer\|PermissionGuard\|AccessLevelGuard\|RoleBasedRouter\|EnhancedNavigationMenu\|PagePermissionProvider\|SecureDataProvider\|NavigationProvider\|useHasAnyPermission\|useHasAllPermissions\|useCachedPermissions\|hasPermission\|hasPermissionCached\|hasAnyPermissionCached" src/
+   ```
+
+2. **Replace with canonical alternatives** (see examples above)
+
+3. **Remove internal export usage:**
+   ```bash
+   grep -r "RBACEngine\|createRBACEngine\|RBACCache\|rbacCache\|CACHE_PATTERNS\|SecureSupabaseClient\|createSecureClient\|fromSupabaseClient" src/
+   ```
+   Replace with public APIs/hooks
+
+4. **Verify build:**
+   ```bash
+   npm run build
+   ```
+
+### 2. ESLint Rules Now ERROR (Not Warning)
+
+**What Changed:**
+- All RBAC compliance ESLint rules are now **ERROR** severity
+- Builds will fail if violations are detected
+- No more warnings - violations must be fixed
+
+**Impact:**
+- Existing code with violations will fail to build
+- Must fix all violations before deployment
+
+**Migration:**
+1. Run ESLint to identify violations:
+   ```bash
+   npm run lint
+   ```
+2. Fix all violations (see sections below)
+3. Verify build passes:
+   ```bash
+   npm run build
+   ```
+
+### 2. EventPageGuard Wrapper Pattern Removed
+
+**What Changed:**
+- `EventPageGuard` wrapper components are **forbidden**
+- Must use `PagePermissionGuard` directly
+- Event context validation should be in page components
+
+**Before:**
+
+```tsx
+// ❌ OLD PATTERN - Remove this
+import { EventPageGuard } from '@/components/permissions';
+
+function DashboardPage() {
+  return (
+    <EventPageGuard pageName={PAGE_NAMES.DASHBOARD}>
+      <DashboardContent />
+    </EventPageGuard>
+  );
+}
+```
+
+**After:**
+
+```tsx
+// ✅ NEW PATTERN - Use this
+import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';
+import { useEvents } from '@jmruthers/pace-core';
+import { EventSelectionPrompt } from '@/components/permissions/EventSelectionPrompt';
+
+function DashboardPage() {
+  const { selectedEvent } = useEvents();
+  
+  // Handle event context validation in page
+  if (!selectedEvent) {
+    return <EventSelectionPrompt />;
+  }
+  
+  return (
+    <PagePermissionGuard pageName={PAGE_NAMES.DASHBOARD} operation="read">
+      <DashboardContent />
+    </PagePermissionGuard>
+  );
+}
+```
+
+**Migration Steps:**
+
+1. **Remove EventPageGuard component:**
+   ```bash
+   rm src/components/permissions/EventPageGuard.tsx
+   ```
+
+2. **Update all imports:**
+   ```tsx
+   // Remove
+   import { EventPageGuard } from '@/components/permissions';
+   
+   // Add
+   import { PagePermissionGuard } from '@jmruthers/pace-core/rbac';
+   ```
+
+3. **Replace all usages:**
+   - Replace `<EventPageGuard pageName="...">` with `<PagePermissionGuard pageName="..." operation="read">`
+   - Add event context validation in page components
+   - Add `operation` prop (usually `"read"`)
+
+4. **Update index exports:**
+   ```tsx
+   // src/components/permissions/index.ts
+   // Remove EventPageGuard export
+   // export { EventPageGuard } from './EventPageGuard';
+   ```
+
+### 3. Custom AccessDenied Components No Longer Allowed
+
+**What Changed:**
+- Custom access denied components are **forbidden**
+- Must use `AccessDenied` from pace-core
+- Ensures consistent UX across all apps
+
+**Before:**
+
+```tsx
+// ❌ OLD PATTERN - Remove this
+function CustomAccessDenied() {
+  return (
+    <div>
+      <h2>Access Denied</h2>
+      <p>You don't have permission.</p>
+    </div>
+  );
+}
+
+<PagePermissionGuard 
+  pageName="dashboard"
+  fallback={<CustomAccessDenied />}
+>
+  <DashboardContent />
+</PagePermissionGuard>
+```
+
+**After:**
+
+```tsx
+// ✅ NEW PATTERN - Use this
+import { AccessDenied } from '@jmruthers/pace-core/rbac';
+
+<PagePermissionGuard 
+  pageName="dashboard"
+  operation="read"
+  fallback={<AccessDenied />}
+>
+  <DashboardContent />
+</PagePermissionGuard>
+```
+
+**Migration Steps:**
+
+1. **Remove custom access denied components:**
+   ```bash
+   rm src/components/permissions/CustomAccessDenied.tsx
+   rm src/components/permissions/StandardAccessDenied.tsx
+   # etc.
+   ```
+
+2. **Update imports:**
+   ```tsx
+   // Remove
+   import { CustomAccessDenied } from '@/components/permissions';
+   
+   // Add
+   import { AccessDenied } from '@jmruthers/pace-core/rbac';
+   ```
+
+3. **Replace all usages:**
+   ```tsx
+   // Replace
+   fallback={<CustomAccessDenied />}
+   
+   // With
+   fallback={<AccessDenied />}
+   ```
+
+4. **Customize if needed (via props):**
+   ```tsx
+   <AccessDenied 
+     message="Custom message"
+     onGoBack={() => navigate('/dashboard')}
+     showSignOut={true}
+   />
+   ```
+
+### 4. Direct RBAC Table Queries Now Errors
+
+**What Changed:**
+- Direct queries to RBAC tables are **forbidden**
+- Must use `useSecureSupabase` hook
+- ESLint will error on violations
+
+**Before:**
+
+```tsx
+// ❌ OLD PATTERN - Remove this
+const { data } = await supabase
+  .from('rbac_user_profiles')
+  .select('user_id, display_name')
+  .in('user_id', userIds);
+```
+
+**After:**
+
+```tsx
+// ✅ NEW PATTERN - Use this
+import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+
+function MyComponent() {
+  const secureSupabase = useSecureSupabase(supabase);
+  
+  const { data } = await secureSupabase
+    .from('rbac_user_profiles')
+    .select('user_id, display_name')
+    .in('user_id', userIds);
+}
+```
+
+**Migration Steps:**
+
+1. **Find all direct RBAC table queries:**
+   ```bash
+   # Search for RBAC table queries
+   grep -r "\.from(['\"]rbac_" src/
+   ```
+
+2. **Update to use useSecureSupabase:**
+   - Import `useSecureSupabase` from `@jmruthers/pace-core/rbac`
+   - Call `useSecureSupabase(supabase)` in component
+   - Replace `supabase` with `secureSupabase` in queries
+
+3. **Verify queries work:**
+   - Test that queries still return expected data
+   - Verify security is maintained
+
+### 5. Direct RPC Calls Now Errors
+
+**What Changed:**
+- Direct calls to `rbac_check_permission_simplified` are **forbidden**
+- Must use `isPermitted` from pace-core
+- ESLint will error on violations
+
+**Before:**
+
+```tsx
+// ❌ OLD PATTERN - Remove this
+const { data, error } = await supabase.rpc('rbac_check_permission_simplified', {
+  p_user_id: userId,
+  p_permission: 'read:dashboard',
+  p_organisation_id: orgId
+});
+```
+
+**After:**
+
+```tsx
+// ✅ NEW PATTERN - Use this
+import { isPermitted } from '@jmruthers/pace-core/rbac';
+
+const hasAccess = await isPermitted({
+  permission: 'read:dashboard',
+  pageName: 'dashboard'
+});
+```
+
+**Migration Steps:**
+
+1. **Find all direct RPC calls:**
+   ```bash
+   # Search for RPC calls
+   grep -r "rbac_check_permission_simplified" src/
+   ```
+
+2. **Replace with isPermitted:**
+   - Import `isPermitted` from `@jmruthers/pace-core/rbac`
+   - Replace RPC call with `isPermitted` call
+   - Update permission format if needed
+
+3. **Verify permission checks work:**
+   - Test that permission checks return expected results
+   - Verify caching behavior is correct
+
+### 6. enforcePermissions Pattern Clarified
+
+**What Changed:**
+- `enforcePermissions` usage clarified for event-based apps
+- Must be `false` for event-based apps
+- Must be `true` for organisation-based apps
+
+**Before (Event-Based Apps):**
+
+```tsx
+// ❌ OLD PATTERN - May have been true
+<PaceAppLayout 
+  appName="MyApp"
+  enforcePermissions={true}  // Wrong for event-based apps
+  showEvents={true}
+>
+```
+
+**After (Event-Based Apps):**
+
+```tsx
+// ✅ NEW PATTERN - Must be false
+<PaceAppLayout 
+  appName="MyApp"
+  enforcePermissions={false}  // Correct for event-based apps
+  showEvents={true}
+>
+```
+
+**Migration Steps:**
+
+1. **Identify app type:**
+   - Event-based: Uses events, pages handle checks
+   - Organisation-based: Uses organisations, layout handles checks
+
+2. **Update enforcePermissions:**
+   - Event-based apps: Set to `false`
+   - Organisation-based apps: Set to `true`
+
+3. **Verify behavior:**
+   - Test that pages are properly protected
+   - Verify no redundant permission checks
+
+## Step-by-Step Migration Checklist
+
+### Phase 1: Preparation
+
+- [ ] Review [RBAC Contract](./RBAC_CONTRACT.md)
+- [ ] Run ESLint: `npm run lint`
+- [ ] Document current violations
+
+### Phase 2: Remove Wrapper Components
+
+- [ ] Remove `EventPageGuard` component
+- [ ] Update all imports
+- [ ] Replace all `EventPageGuard` usages with `PagePermissionGuard`
+- [ ] Add event context validation in pages
+- [ ] Test all pages load correctly
+
+### Phase 3: Replace Custom Access Denied
+
+- [ ] Remove custom access denied components
+- [ ] Update imports to use `AccessDenied` from pace-core
+- [ ] Replace all fallback props
+- [ ] Customize via props if needed
+- [ ] Test access denied scenarios
+
+### Phase 4: Fix Direct Queries
+
+- [ ] Find all direct RBAC table queries
+- [ ] Replace with `useSecureSupabase`
+- [ ] Find all direct RPC calls
+- [ ] Replace with `isPermitted`
+- [ ] Test all queries work correctly
+
+### Phase 5: Remove Hardcoded Role Checks
+
+- [ ] Find all hardcoded role comparisons (`role === 'admin'`, etc.)
+- [ ] Replace with `useAccessLevel` hook or `getRoleContext` API
+- [ ] Test role-based logic still works correctly
+
+**Example Migration:**
+
+```tsx
+// ❌ OLD
+if (user.role === 'admin') {
+  // ...
+}
+
+// ✅ NEW
+import { useAccessLevel } from '@jmruthers/pace-core/rbac';
+const { accessLevel } = useAccessLevel();
+if (accessLevel === 'admin') {
+  // ...
+}
+```
+
+### Phase 6: Remove Custom Permission Utilities
+
+- [ ] Find all custom permission utility functions (`checkPermission`, `hasPermission`, etc.)
+- [ ] Replace with `isPermitted` API or `useCan` hook
+- [ ] Test permission checks still work correctly
+
+**Example Migration:**
+
+```tsx
+// ❌ OLD
+function checkPermission(userId, permission) {
+  // Custom logic...
+}
+
+// ✅ NEW
+import { isPermitted } from '@jmruthers/pace-core/rbac';
+const hasAccess = await isPermitted({ permission: 'read:dashboard' });
+```
+
+### Phase 7: Enforce Type-Safe Resource Names
+
+- [ ] Create `RESOURCE_NAMES` constant object in your config
+- [ ] Replace all `useResourcePermissions('string-literal')` with `RESOURCE_NAMES.CONSTANT`
+- [ ] Update all permission checks to use constants
+- [ ] Test all resource permissions still work
+
+**Example Migration:**
+
+```tsx
+// ❌ OLD
+const { canCreate } = useResourcePermissions('journal');
+
+// ✅ NEW
+// 1. Create config/resource-names.ts
+export const RESOURCE_NAMES = {
+  JOURNAL: 'journal',
+  RISKS: 'risks',
+  CONTACTS: 'contacts',
+} as const;
+
+// 2. Use in components
+import { RESOURCE_NAMES } from '@/config/resource-names';
+const { canCreate } = useResourcePermissions(RESOURCE_NAMES.JOURNAL);
+```
+
+### Phase 8: Remove Permission Wrapper Functions
+
+- [ ] Find all permission wrapper functions (e.g., `canEdit(postId)`, `canDeletePost(postId)`)
+- [ ] Remove wrapper functions from hooks
+- [ ] Update components to use `useResourcePermissions` directly
+- [ ] Test permission checks still work correctly
+
+**Example Migration:**
+
+```tsx
+// ❌ OLD - In hook
+const canEdit = useCallback((postId: string) => {
+  const hasPermission = canUpdate('journal');
+  const post = posts.find(p => p.id === postId);
+  return hasPermission && !!post;
+}, [posts, canUpdate]);
+
+// ❌ OLD - In component
+<JournalEntry canEdit={canEdit(post.id)} />
+
+// ✅ NEW - In component
+import { RESOURCE_NAMES } from '@/config/resource-names';
+const { canUpdate } = useResourcePermissions(RESOURCE_NAMES.JOURNAL);
+<JournalEntry canEdit={canUpdate(RESOURCE_NAMES.JOURNAL)} />
+```
+
+### Phase 9: Update Configuration
+
+- [ ] Update `enforcePermissions` for app type
+- [ ] Verify `PagePermissionGuard` on all pages
+- [ ] Test permission enforcement works
+
+### Phase 10: Verification
+
+- [ ] Run ESLint: `npm run lint`
+- [ ] Run build: `npm run build`
+- [ ] Test all pages and permission checks
+- [ ] Verify no console errors
+
+## Common Issues and Solutions
+
+### Issue: "EventPageGuard is not defined"
+
+**Solution:**
+- Remove `EventPageGuard` import
+- Use `PagePermissionGuard` from `@jmruthers/pace-core/rbac` instead
+
+### Issue: "AccessDenied is not defined"
+
+**Solution:**
+- Import `AccessDenied` from `@jmruthers/pace-core/rbac`
+- Remove custom access denied components
+
+### Issue: "Direct query to RBAC table detected"
+
+**Solution:**
+- Use `useSecureSupabase` hook
+- Replace `supabase` with `secureSupabase` in queries
+
+### Issue: "Direct RPC call detected"
+
+**Solution:**
+- Use `isPermitted` from `@jmruthers/pace-core/rbac`
+- Replace RPC call with `isPermitted` call
+
+### Issue: "Route found without PagePermissionGuard"
+
+**Solution:**
+- Wrap all route components with `PagePermissionGuard`
+- Add `operation` prop (usually `"read"`)
+
+### Issue: "Hardcoded role check detected"
+
+**Solution:**
+- Replace `user.role === 'admin'` with `useAccessLevel` hook
+- Use `getRoleContext` API for programmatic checks
+
+### Issue: "Custom permission utility function detected"
+
+**Solution:**
+- Remove custom permission functions
+- Use `isPermitted` API or `useCan` hook from pace-core
+
+### Issue: "Resource permission string literal detected"
+
+**Solution:**
+- Create `RESOURCE_NAMES` constant object
+- Replace `useResourcePermissions('journal')` with `useResourcePermissions(RESOURCE_NAMES.JOURNAL)`
+
+### Issue: "Permission wrapper function detected"
+
+**Solution:**
+- Remove wrapper functions from hooks
+- Use `useResourcePermissions` directly in components
+
+## Timeline
+
+**Recommended migration order:**
+
+1. **Week 1**: Remove wrapper components (EventPageGuard)
+2. **Week 2**: Replace custom access denied components
+3. **Week 3**: Fix direct queries and RPC calls
+4. **Week 4**: Remove hardcoded role checks and custom permission utilities
+5. **Week 5**: Enforce type-safe resource names and remove wrapper functions
+6. **Week 6**: Update configuration and verify
+
+**Total estimated time:** 4-6 weeks depending on codebase size
+
+## Getting Help
+
+If you encounter issues during migration:
+
+1. Review [RBAC Contract](./RBAC_CONTRACT.md) for contract details
+2. Check [Troubleshooting Guide](./troubleshooting.md) for common issues
+3. Review [Examples](./examples.md) for migration patterns
+4. Check [API Reference](./api-reference.md) for API details
+
+## Related Documentation
+
+- [RBAC Contract](./RBAC_CONTRACT.md) - The definitive contract
+- [RBAC README](./README.md) - Overview and quick start
+- [Quick Start Guide](./quick-start.md) - Step-by-step setup
+- [Event-Based Apps](./event-based-apps.md) - Event-based app patterns
+- [Permission Enforcement](../implementation-guides/permission-enforcement.md) - Detailed enforcement patterns
+
+---
+
+**Last Updated**: 2025-01-04  
+**Version**: 2.0.0
+