@jmruthers/pace-core 0.5.114 → 0.5.116

package/src/rbac/hooks/useRoleManagement.test.ts

@@ -0,0 +1,908 @@
+/**
+ * @file useRoleManagement Hook Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/Hooks
+ * @since 2.1.0
+ *
+ * Comprehensive tests for the useRoleManagement hook following TEST_STANDARD.md.
+ * Tests focus on behavior: role granting, revoking, loading states, and error handling.
+ */
+
+import { renderHook, waitFor } from '@testing-library/react';
+import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { useRoleManagement } from './useRoleManagement';
+import type { SupabaseClient } from '@supabase/supabase-js';
+import type { Database } from '../../types/database';
+
+// Mock UnifiedAuthProvider
+vi.mock('../../providers/services/UnifiedAuthProvider', () => ({
+  useUnifiedAuth: vi.fn(),
+}));
+
+import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
+
+// Mock Supabase client
+const createMockSupabaseClient = () => {
+  return {
+    rpc: vi.fn(),
+    from: vi.fn(),
+  } as unknown as SupabaseClient<Database>;
+};
+
+describe('useRoleManagement Hook', () => {
+  const mockUseUnifiedAuth = vi.mocked(useUnifiedAuth);
+
+  let mockSupabase: SupabaseClient<Database>;
+  const mockUser = { id: 'user-123', email: 'test@example.com' };
+
+  const mockRoleParams = {
+    user_id: 'user-456',
+    organisation_id: 'org-123',
+    event_id: 'event-123',
+    app_id: 'app-123',
+    role: 'viewer' as const,
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockSupabase = createMockSupabaseClient();
+
+    mockUseUnifiedAuth.mockReturnValue({
+      user: mockUser,
+      supabase: mockSupabase,
+    } as any);
+  });
+
+  // Helper function to set up the from().select().eq().single() chain mock
+  const setupFromChain = (roleData: any) => {
+    const mockSingle = vi.fn().mockResolvedValue({
+      data: roleData,
+      error: null,
+    });
+    const mockEq = vi.fn().mockReturnValue({ single: mockSingle });
+    const mockSelect = vi.fn().mockReturnValue({ eq: mockEq });
+    const mockFrom = (mockSupabase as any).from;
+    mockFrom.mockReturnValue({ select: mockSelect });
+    return { mockFrom, mockSelect, mockEq, mockSingle };
+  };
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('Initialization', () => {
+    it('throws error when supabase client is not available', () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: mockUser,
+        supabase: null,
+      } as any);
+
+      // Wrap in try-catch to catch the error during render
+      let error: Error | null = null;
+      try {
+        renderHook(() => useRoleManagement());
+      } catch (e) {
+        error = e as Error;
+      }
+
+      expect(error).toBeInstanceOf(Error);
+      expect(error?.message).toBe(
+        'useRoleManagement requires a Supabase client. Ensure UnifiedAuthProvider is configured.'
+      );
+    });
+
+    it('initializes with correct state', () => {
+      const { result } = renderHook(() => useRoleManagement());
+
+      expect(result.current.isLoading).toBe(false);
+      expect(result.current.error).toBeNull();
+      expect(typeof result.current.revokeEventAppRole).toBe('function');
+      expect(typeof result.current.grantEventAppRole).toBe('function');
+      expect(typeof result.current.revokeRoleById).toBe('function');
+    });
+  });
+
+  describe('revokeEventAppRole', () => {
+    it('revokes role successfully', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: true,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(true);
+      expect(revokeResult.message).toBe('Role revoked successfully');
+      expect(revokeResult.error).toBeUndefined();
+      expect(result.current.error).toBeNull();
+      expect(mockSupabase.rpc).toHaveBeenCalledWith('revoke_event_app_role', {
+        p_user_id: 'user-456',
+        p_organisation_id: 'org-123',
+        p_event_id: 'event-123',
+        p_app_id: 'app-123',
+        p_role: 'viewer',
+        p_revoked_by: 'user-123',
+      });
+    });
+
+    it('handles case when role not found', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: false,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.message).toBe('No role found to revoke');
+      expect(revokeResult.error).toBe('No matching role found');
+    });
+
+    it('uses provided revoked_by parameter', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: true,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.revokeEventAppRole({
+        ...mockRoleParams,
+        revoked_by: 'admin-789',
+      });
+
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'revoke_event_app_role',
+        expect.objectContaining({
+          p_revoked_by: 'admin-789',
+        })
+      );
+    });
+
+    it('uses user ID as revoked_by when not provided', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: true,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'revoke_event_app_role',
+        expect.objectContaining({
+          p_revoked_by: 'user-123',
+        })
+      );
+    });
+
+    it('handles RPC errors', async () => {
+      const rpcError = { message: 'Permission denied', code: 'PERMISSION_DENIED' };
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: null,
+        error: rpcError,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('Permission denied');
+      // Error is set during operation but cleared on next operation
+      await waitFor(
+        () => {
+          expect(result.current.error).toBeInstanceOf(Error);
+          expect(result.current.error?.message).toBe('Permission denied');
+        },
+        { timeout: 1000 }
+      );
+    });
+
+    it('handles exceptions during revocation', async () => {
+      const error = new Error('Network error');
+      (mockSupabase.rpc as any).mockRejectedValue(error);
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('Network error');
+      // Error is set during operation
+      await waitFor(
+        () => {
+          expect(result.current.error).toEqual(error);
+        },
+        { timeout: 1000 }
+      );
+    });
+
+    it('handles non-Error exceptions', async () => {
+      (mockSupabase.rpc as any).mockRejectedValue('String error');
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('Unknown error occurred');
+      // Error is set during operation
+      await waitFor(
+        () => {
+          expect(result.current.error).toBeInstanceOf(Error);
+        },
+        { timeout: 1000 }
+      );
+    });
+
+    it('manages loading state correctly', async () => {
+      let resolvePromise: (value: any) => void;
+      const promise = new Promise((resolve) => {
+        resolvePromise = resolve;
+      });
+
+      (mockSupabase.rpc as any).mockReturnValue(promise);
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokePromise = result.current.revokeEventAppRole(mockRoleParams);
+
+      // Loading state is set synchronously
+      await waitFor(
+        () => {
+          expect(result.current.isLoading).toBe(true);
+        },
+        { timeout: 100 }
+      );
+
+      resolvePromise!({
+        data: true,
+        error: null,
+      });
+
+      await revokePromise;
+
+      await waitFor(
+        () => {
+          expect(result.current.isLoading).toBe(false);
+        },
+        { timeout: 2000 }
+      );
+    });
+  });
+
+  describe('grantEventAppRole', () => {
+    it('grants role successfully', async () => {
+      const roleId = 'role-789';
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: roleId,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const grantResult = await result.current.grantEventAppRole(mockRoleParams);
+
+      expect(grantResult.success).toBe(true);
+      expect(grantResult.message).toBe('Role granted successfully');
+      expect(grantResult.roleId).toBe(roleId);
+      expect(grantResult.error).toBeUndefined();
+      expect(result.current.error).toBeNull();
+      expect(mockSupabase.rpc).toHaveBeenCalledWith('grant_event_app_role', {
+        p_user_id: 'user-456',
+        p_organisation_id: 'org-123',
+        p_event_id: 'event-123',
+        p_app_id: 'app-123',
+        p_role: 'viewer',
+        p_granted_by: 'user-123',
+        p_valid_from: undefined,
+        p_valid_to: undefined,
+      });
+    });
+
+    it('handles case when no role ID returned', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: null,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const grantResult = await result.current.grantEventAppRole(mockRoleParams);
+
+      expect(grantResult.success).toBe(false);
+      expect(grantResult.error).toBe('Failed to grant role - no role ID returned');
+    });
+
+    it('uses provided granted_by parameter', async () => {
+      const roleId = 'role-789';
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: roleId,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.grantEventAppRole({
+        ...mockRoleParams,
+        granted_by: 'admin-789',
+      });
+
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'grant_event_app_role',
+        expect.objectContaining({
+          p_granted_by: 'admin-789',
+        })
+      );
+    });
+
+    it('uses user ID as granted_by when not provided', async () => {
+      const roleId = 'role-789';
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: roleId,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.grantEventAppRole(mockRoleParams);
+
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'grant_event_app_role',
+        expect.objectContaining({
+          p_granted_by: 'user-123',
+        })
+      );
+    });
+
+    it('passes valid_from and valid_to parameters', async () => {
+      const roleId = 'role-789';
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: roleId,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.grantEventAppRole({
+        ...mockRoleParams,
+        valid_from: '2024-01-01',
+        valid_to: '2024-12-31',
+      });
+
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'grant_event_app_role',
+        expect.objectContaining({
+          p_valid_from: '2024-01-01',
+          p_valid_to: '2024-12-31',
+        })
+      );
+    });
+
+    it('handles null valid_to parameter', async () => {
+      const roleId = 'role-789';
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: roleId,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.grantEventAppRole({
+        ...mockRoleParams,
+        valid_from: '2024-01-01',
+        valid_to: null,
+      });
+
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'grant_event_app_role',
+        expect.objectContaining({
+          p_valid_from: '2024-01-01',
+          p_valid_to: null,
+        })
+      );
+    });
+
+    it('handles RPC errors', async () => {
+      const rpcError = { message: 'User not found', code: 'USER_NOT_FOUND' };
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: null,
+        error: rpcError,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const grantResult = await result.current.grantEventAppRole(mockRoleParams);
+
+      expect(grantResult.success).toBe(false);
+      expect(grantResult.error).toBe('User not found');
+      // Error is set during operation
+      await waitFor(
+        () => {
+          expect(result.current.error).toBeInstanceOf(Error);
+          expect(result.current.error?.message).toBe('User not found');
+        },
+        { timeout: 1000 }
+      );
+    });
+
+    it('handles exceptions during grant', async () => {
+      const error = new Error('Database connection failed');
+      (mockSupabase.rpc as any).mockRejectedValue(error);
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const grantResult = await result.current.grantEventAppRole(mockRoleParams);
+
+      expect(grantResult.success).toBe(false);
+      expect(grantResult.error).toBe('Database connection failed');
+      // Error is set during operation
+      await waitFor(
+        () => {
+          expect(result.current.error).toEqual(error);
+        },
+        { timeout: 1000 }
+      );
+    });
+
+    it('manages loading state correctly', async () => {
+      let resolvePromise: (value: any) => void;
+      const promise = new Promise((resolve) => {
+        resolvePromise = resolve;
+      });
+
+      (mockSupabase.rpc as any).mockReturnValue(promise);
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const grantPromise = result.current.grantEventAppRole(mockRoleParams);
+
+      // Loading state is set synchronously, but React state updates are async
+      await waitFor(
+        () => {
+          expect(result.current.isLoading).toBe(true);
+        },
+        { timeout: 100 }
+      );
+
+      resolvePromise!({
+        data: 'role-789',
+        error: null,
+      });
+
+      await grantPromise;
+
+      await waitFor(
+        () => {
+          expect(result.current.isLoading).toBe(false);
+        },
+        { timeout: 2000 }
+      );
+    });
+  });
+
+  describe('revokeRoleById', () => {
+    it('revokes role by ID successfully', async () => {
+      const roleId = 'role-789';
+      const mockRoleData = {
+        user_id: 'user-456',
+        role: 'viewer',
+        event_id: 'event-123',
+        app_id: 'app-123',
+      };
+
+      // Mock the from().select().eq().single() chain
+      const { mockFrom, mockSelect, mockEq, mockSingle } = setupFromChain(mockRoleData);
+
+      // Mock the rpc call
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: [{ success: true, message: 'Role revoked', revoked_count: 1 }],
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeRoleById(roleId);
+
+      expect(revokeResult.success).toBe(true);
+      expect(revokeResult.message).toBe('Role revoked');
+      expect(revokeResult.error).toBeUndefined();
+      expect(result.current.error).toBeNull();
+      
+      // Verify the role was fetched first
+      expect(mockFrom).toHaveBeenCalledWith('rbac_event_app_roles');
+      expect(mockSelect).toHaveBeenCalledWith('user_id, role, event_id, app_id');
+      expect(mockEq).toHaveBeenCalledWith('id', roleId);
+      expect(mockSingle).toHaveBeenCalled();
+      
+      // Verify rpc was called with correct parameters from fetched role
+      expect(mockSupabase.rpc).toHaveBeenCalledWith('rbac_role_revoke', {
+        p_user_id: 'user-456',
+        p_role_type: 'event_app',
+        p_role_name: 'viewer',
+        p_context_id: 'event-123:app-123',
+        p_revoked_by: 'user-123',
+      });
+    });
+
+    it('handles case when role not found by ID', async () => {
+      // Mock the from().select().eq().single() chain to return error
+      const mockSingle = vi.fn().mockResolvedValue({
+        data: null,
+        error: { message: 'Role not found', code: 'PGRST116' },
+      });
+      const mockEq = vi.fn().mockReturnValue({ single: mockSingle });
+      const mockSelect = vi.fn().mockReturnValue({ eq: mockEq });
+      const mockFrom = (mockSupabase as any).from;
+      mockFrom.mockReturnValue({ select: mockSelect });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeRoleById('role-789');
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('Role not found');
+      // rpc should not be called when role fetch fails
+      expect(mockSupabase.rpc).not.toHaveBeenCalled();
+    });
+
+    it('handles empty result array', async () => {
+      const mockRoleData = {
+        user_id: 'user-456',
+        role: 'viewer',
+        event_id: 'event-123',
+        app_id: 'app-123',
+      };
+
+      // Mock the from().select().eq().single() chain
+      setupFromChain(mockRoleData);
+
+      // Mock rpc to return empty array
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: [],
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeRoleById('role-789');
+
+      // When data is empty array, result is null, so error is undefined
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBeUndefined();
+    });
+
+    it('handles null result', async () => {
+      const mockRoleData = {
+        user_id: 'user-456',
+        role: 'viewer',
+        event_id: 'event-123',
+        app_id: 'app-123',
+      };
+
+      // Mock the from().select().eq().single() chain
+      setupFromChain(mockRoleData);
+
+      // Mock rpc to return null
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: null,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeRoleById('role-789');
+
+      // When data is null, result is null, so error is undefined
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBeUndefined();
+      expect(result.current.error).toBeNull(); // Error is cleared on each operation
+    });
+
+    it('handles RPC errors', async () => {
+      const mockRoleData = {
+        user_id: 'user-456',
+        role: 'viewer',
+        event_id: 'event-123',
+        app_id: 'app-123',
+      };
+
+      // Mock the from().select().eq().single() chain
+      setupFromChain(mockRoleData);
+
+      // Mock rpc to return error
+      const rpcError = { message: 'Invalid role ID', code: 'INVALID_ID' };
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: null,
+        error: rpcError,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeRoleById('role-789');
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('Invalid role ID');
+      // Error is set during operation but cleared on next operation
+      await waitFor(
+        () => {
+          expect(result.current.error).toBeInstanceOf(Error);
+        },
+        { timeout: 1000 }
+      );
+    });
+
+    it('handles exceptions during revocation by ID', async () => {
+      const mockRoleData = {
+        user_id: 'user-456',
+        role: 'viewer',
+        event_id: 'event-123',
+        app_id: 'app-123',
+      };
+
+      // Mock the from().select().eq().single() chain
+      setupFromChain(mockRoleData);
+
+      // Mock rpc to throw error
+      const error = new Error('Network timeout');
+      (mockSupabase.rpc as any).mockRejectedValue(error);
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokeResult = await result.current.revokeRoleById('role-789');
+
+      expect(revokeResult.success).toBe(false);
+      expect(revokeResult.error).toBe('Network timeout');
+      // Error is set during operation
+      await waitFor(
+        () => {
+          expect(result.current.error).toBeInstanceOf(Error);
+          expect(result.current.error?.message).toBe('Network timeout');
+        },
+        { timeout: 1000 }
+      );
+    });
+
+    it('uses user ID when available', async () => {
+      const mockRoleData = {
+        user_id: 'user-456',
+        role: 'viewer',
+        event_id: 'event-123',
+        app_id: 'app-123',
+      };
+
+      // Mock the from().select().eq().single() chain
+      setupFromChain(mockRoleData);
+
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: [{ success: true, message: 'Role revoked', revoked_count: 1 }],
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.revokeRoleById('role-789');
+
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'rbac_role_revoke',
+        expect.objectContaining({
+          p_user_id: 'user-456', // From fetched role data
+          p_revoked_by: 'user-123', // From current user
+        })
+      );
+    });
+
+    it('handles missing user ID', async () => {
+      const mockRoleData = {
+        user_id: 'user-456',
+        role: 'viewer',
+        event_id: 'event-123',
+        app_id: 'app-123',
+      };
+
+      // Mock the from().select().eq().single() chain
+      setupFromChain(mockRoleData);
+
+      mockUseUnifiedAuth.mockReturnValue({
+        user: null,
+        supabase: mockSupabase,
+      } as any);
+
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: [{ success: true, message: 'Role revoked', revoked_count: 1 }],
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.revokeRoleById('role-789');
+
+      expect(mockSupabase.rpc).toHaveBeenCalledWith(
+        'rbac_role_revoke',
+        expect.objectContaining({
+          p_user_id: 'user-456', // From fetched role data
+          p_revoked_by: undefined, // No current user
+        })
+      );
+    });
+
+    it('manages loading state correctly', async () => {
+      const mockRoleData = {
+        user_id: 'user-456',
+        role: 'viewer',
+        event_id: 'event-123',
+        app_id: 'app-123',
+      };
+
+      // Mock the from().select().eq().single() chain to resolve immediately
+      setupFromChain(mockRoleData);
+
+      // Mock rpc to return a promise that we can control
+      let resolvePromise: (value: any) => void;
+      const promise = new Promise((resolve) => {
+        resolvePromise = resolve;
+      });
+
+      (mockSupabase.rpc as any).mockReturnValue(promise);
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const revokePromise = result.current.revokeRoleById('role-789');
+
+      // Loading state may be set asynchronously, wait for it
+      await waitFor(
+        () => {
+          expect(result.current.isLoading).toBe(true);
+        },
+        { timeout: 1000 }
+      );
+
+      resolvePromise!({
+        data: [{ success: true, message: 'Role revoked', revoked_count: 1 }],
+        error: null,
+      });
+
+      await revokePromise;
+
+      await waitFor(
+        () => {
+          expect(result.current.isLoading).toBe(false);
+        },
+        { timeout: 2000 }
+      );
+    });
+  });
+
+  describe('Role Types', () => {
+    it('handles all valid role types', async () => {
+      const roleTypes = ['viewer', 'participant', 'planner', 'event_admin'] as const;
+
+      for (const role of roleTypes) {
+        (mockSupabase.rpc as any).mockResolvedValue({
+          data: true,
+          error: null,
+        });
+
+        const { result } = renderHook(() => useRoleManagement());
+
+        await result.current.revokeEventAppRole({
+          ...mockRoleParams,
+          role,
+        });
+
+        expect(mockSupabase.rpc).toHaveBeenCalledWith(
+          'revoke_event_app_role',
+          expect.objectContaining({
+            p_role: role,
+          })
+        );
+      }
+    });
+  });
+
+  describe('Error Recovery', () => {
+    it('clears error on successful operation after error', async () => {
+      // First call fails
+      (mockSupabase.rpc as any).mockRejectedValueOnce(new Error('Network error'));
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.revokeEventAppRole(mockRoleParams);
+
+      // Error should be set after failed operation
+      await waitFor(
+        () => {
+          expect(result.current.error).toBeInstanceOf(Error);
+        },
+        { timeout: 1000 }
+      );
+
+      // Second call succeeds
+      (mockSupabase.rpc as any).mockResolvedValueOnce({
+        data: true,
+        error: null,
+      });
+
+      await result.current.revokeEventAppRole(mockRoleParams);
+
+      // Error should be cleared after successful operation
+      await waitFor(
+        () => {
+          expect(result.current.error).toBeNull();
+        },
+        { timeout: 1000 }
+      );
+    });
+
+    it('maintains stability after error recovery', async () => {
+      // First call fails
+      (mockSupabase.rpc as any).mockRejectedValueOnce(new Error('Error'));
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.revokeEventAppRole(mockRoleParams);
+
+      // Second call succeeds
+      (mockSupabase.rpc as any).mockResolvedValueOnce({
+        data: true,
+        error: null,
+      });
+
+      const revokeResult = await result.current.revokeEventAppRole(mockRoleParams);
+
+      expect(revokeResult.success).toBe(true);
+      expect(result.current.error).toBeNull();
+    });
+  });
+
+  describe('Concurrent Operations', () => {
+    it('handles concurrent role operations', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: true,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      const operations = [
+        result.current.revokeEventAppRole(mockRoleParams),
+        result.current.revokeEventAppRole({
+          ...mockRoleParams,
+          user_id: 'user-789',
+        }),
+      ];
+
+      const results = await Promise.all(operations);
+
+      expect(results.every((r) => r.success)).toBe(true);
+    });
+
+    it('handles rapid sequential operations', async () => {
+      (mockSupabase.rpc as any).mockResolvedValue({
+        data: true,
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRoleManagement());
+
+      await result.current.revokeEventAppRole(mockRoleParams);
+      await result.current.revokeEventAppRole({
+        ...mockRoleParams,
+        user_id: 'user-789',
+      });
+      await result.current.revokeEventAppRole({
+        ...mockRoleParams,
+        user_id: 'user-101',
+      });
+
+      expect(mockSupabase.rpc).toHaveBeenCalledTimes(3);
+    });
+  });
+});
+