@jmruthers/pace-core 0.5.193 → 0.6.2

package/src/rbac/components/PagePermissionGuard.tsx

@@ -61,7 +61,7 @@
  * - Efficient error handling
  *
  * @dependencies
- * - React 18+ - Component framework
+ * - React 19+ - Component framework
  * - useCan hook - Permission checking
  * - useUnifiedAuth - Authentication context
  * - RBAC types - Type definitions
@@ -141,17 +141,86 @@ const PagePermissionGuardComponent = ({
   const { user, selectedOrganisation, selectedEvent, supabase, appId: contextAppId, appName } = useUnifiedAuth();
   
   const [hasChecked, setHasChecked] = useState(false);
+
+  // Determine the page ID for permission checking
+  const effectivePageId = useMemo((): string => {
+    return pageId || pageName;
+  }, [pageId, pageName]);
+  
+  // Check super admin status directly - don't rely on useRBAC which might not be loaded yet
+  // This ensures super admins get immediate access without waiting for RBAC context to load
+  const [isSuperAdmin, setIsSuperAdmin] = useState<boolean | null>(null);
+  
+  useEffect(() => {
+    if (!user?.id) {
+      setIsSuperAdmin(false);
+      return;
+    }
+
+    let cancelled = false;
+    const checkSuperAdmin = async () => {
+      const startTime = Date.now();
+      try {
+        const { isSuperAdmin: checkSuperAdmin } = await import('../api');
+        
+        // Add timeout to prevent hanging
+        const timeoutPromise = new Promise<boolean>((_, reject) => {
+          setTimeout(() => reject(new Error('Super admin check timeout')), 10000);
+        });
+        
+        const isSuper = await Promise.race([
+          checkSuperAdmin(user.id),
+          timeoutPromise
+        ]);
+        
+        const elapsed = Date.now() - startTime;
+        
+        if (!cancelled) {
+          setIsSuperAdmin(isSuper);
+          if (process.env.NODE_ENV === 'development') {
+            console.log('[PagePermissionGuard] Super admin check completed', {
+              userId: user.id,
+              isSuperAdmin: isSuper,
+              elapsedMs: elapsed
+            });
+          }
+        }
+      } catch (err) {
+        const elapsed = Date.now() - startTime;
+        if (!cancelled) {
+          console.error('[PagePermissionGuard] Error checking super admin', { 
+            error: err,
+            userId: user.id,
+            elapsedMs: elapsed
+          });
+          // On timeout or error, assume not super admin (fail secure)
+          // But log it so we can debug
+          setIsSuperAdmin(false);
+        }
+      }
+    };
+
+    checkSuperAdmin();
+    return () => {
+      cancelled = true;
+    };
+  }, [user?.id]);
   
   // Use useResolvedScope hook for consistent scope resolution
   // For event-required apps: selectedOrganisation is null, org derived from event
   // For org-required apps: selectedOrganisation is available, event optional
   // For page-level permissions, PORTAL app allows both contexts to be optional
+  // NOTE: Super admins bypass scope requirements, but we still need to call the hook
   const { resolvedScope: hookResolvedScope, isLoading: scopeLoading, error: scopeError } = useResolvedScope({
     supabase,
     selectedOrganisationId: selectedOrganisation?.id || null,
     selectedEventId: selectedEvent?.event_id || null
   });
   
+  // For super admins, we can use a minimal scope since they bypass all checks
+  // This prevents scope resolution from blocking super admin access
+  const shouldBypassScopeForSuperAdmin = isSuperAdmin === true;
+  
   // Use provided scope if available, otherwise use resolved scope
   // For PORTAL app page-level permissions, allow scope without org/event
   // Ensure appId is available for PORTAL/ADMIN (use contextAppId as fallback)
@@ -171,11 +240,6 @@ const PagePermissionGuardComponent = ({
   } : null)));
   const checkError = scopeError;
 
-  // Determine the page ID for permission checking
-  const effectivePageId = useMemo((): string => {
-    return pageId || pageName;
-  }, [pageId, pageName]);
-
   // Build the permission string
   const permission = useMemo((): Permission => {
     return `${operation}:page.${pageName}` as Permission;
@@ -225,22 +289,44 @@ const PagePermissionGuardComponent = ({
     return newScope;
   }, [effectiveScope, appName, contextAppId, selectedEvent?.event_id]);
 
+  // For super admins, use a minimal valid scope since they bypass all checks
+  // This prevents scope validation from blocking super admin access
+  const scopeForPermissionCheck = shouldBypassScopeForSuperAdmin && !stableScope?.organisationId
+    ? { 
+        organisationId: undefined, 
+        appId: contextAppId || undefined, 
+        eventId: selectedEvent?.event_id || undefined 
+      }
+    : stableScope;
+  
+  // CRITICAL: If super admin is confirmed, skip useCan entirely to avoid any blocking
+  // Super admins have access to everything, so no need to check permissions
+  const shouldSkipPermissionCheck = isSuperAdmin === true;
+  
   // Check if user has permission - only call useCan when we have a resolved scope with valid organisationId
   // If resolvedScope is null or has no organisationId, useCan will keep isLoading=true
   // Pass appName to useCan so it can be passed to isPermitted for PORTAL/ADMIN special case
+  // Pass precomputed super admin status to avoid duplicate checks in useCan
+  // For super admins, we can skip the check entirely, but still call useCan with a dummy scope to avoid hook rule violations
   const { can, isLoading: canIsLoading, error: canError } = useCan(
     user?.id || '',
-    stableScope,
+    shouldSkipPermissionCheck ? { organisationId: undefined, appId: contextAppId || undefined, eventId: undefined } : scopeForPermissionCheck,
     permission,
     effectivePageId,
     true, // Use cache
+    isSuperAdmin, // precomputedSuperAdmin - null if checking, true/false if checked
     appName // Pass appName for PORTAL/ADMIN special case
   );
   
+  // Override can for super admins - they always have access
+  const effectiveCan = shouldSkipPermissionCheck ? true : can;
+  const effectiveIsLoading = shouldSkipPermissionCheck ? false : canIsLoading;
+  
   
   // Combine loading states - we're loading if scope resolution or permission check is loading
   // For page-level permissions, PORTAL/ADMIN apps allow undefined organisationId
-  const isLoading = scopeLoading || canIsLoading;
+  // Super admins bypass scope resolution - don't wait for it
+  const isLoading = shouldBypassScopeForSuperAdmin ? effectiveIsLoading : (scopeLoading || effectiveIsLoading);
   const error = checkError || canError;
 
   // Handle permission check completion
@@ -248,13 +334,13 @@ const PagePermissionGuardComponent = ({
     if (!isLoading && !error) {
       setHasChecked(true);
       
-      if (!can && onDenied) {
+      if (!effectiveCan && onDenied) {
         onDenied(pageName, operation);
       }
     } else if (error) {
       setHasChecked(true);
     }
-  }, [can, isLoading, error, pageName, operation, onDenied]);
+  }, [effectiveCan, isLoading, error, pageName, operation, onDenied]);
 
   // Log page access attempt for audit
   useEffect(() => {
@@ -265,16 +351,17 @@ const PagePermissionGuardComponent = ({
         operation,
         userId: user?.id,
         scope: effectiveScope,
-        allowed: can,
+        allowed: effectiveCan,
+        isSuperAdmin,
         timestamp: new Date().toISOString()
       });
     }
-  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, effectiveScope, can]);
+  }, [auditLog, hasChecked, isLoading, pageName, operation, user?.id, effectiveScope, effectiveCan, isSuperAdmin]);
 
 
   // Handle strict mode violations
   useEffect(() => {
-    if (strictMode && hasChecked && !isLoading && !can) {
+    if (strictMode && hasChecked && !isLoading && !effectiveCan && !shouldBypassScopeForSuperAdmin) {
       const logger = getRBACLogger();
       logger.error(`STRICT MODE VIOLATION: User attempted to access protected page without permission`, {
         pageName,
@@ -286,20 +373,22 @@ const PagePermissionGuardComponent = ({
         scopeValid: allowsOptionalContexts ? true : (effectiveScope !== null), // PORTAL/ADMIN allow scope without org/event
         checkError,
         canError,
+        isSuperAdmin,
         timestamp: new Date().toISOString()
       });
     }
-  }, [strictMode, hasChecked, isLoading, can, pageName, operation, effectivePageId, user?.id, effectiveScope, allowsOptionalContexts, checkError, canError]);
+  }, [strictMode, hasChecked, isLoading, effectiveCan, shouldBypassScopeForSuperAdmin, pageName, operation, effectivePageId, user?.id, effectiveScope, allowsOptionalContexts, checkError, canError, isSuperAdmin]);
 
   // Calculate the actual render state - FIXED: Proper state calculation
   // Add defensive checks to ensure we have valid state
   // For page-level permissions, PORTAL/ADMIN apps allow scope without org/event
-  const hasValidScopeForPagePermissions = allowsOptionalContexts ? true : (effectiveScope !== null);
+  // Super admins bypass scope validation
+  const hasValidScopeForPagePermissions = shouldBypassScopeForSuperAdmin ? true : (allowsOptionalContexts ? true : (effectiveScope !== null));
   const hasValidUser = user && user.id;
   const isPermissionCheckComplete = hasChecked && !isLoading;
   
-  const shouldShowAccessDenied = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && !can;
-  const shouldShowContent = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && can;
+  const shouldShowAccessDenied = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && !effectiveCan;
+  const shouldShowContent = isPermissionCheckComplete && hasValidScopeForPagePermissions && hasValidUser && !checkError && effectiveCan;
 
   // Create a key to force re-render when scope or permission state changes
   const scopeKey = effectiveScope ? `${effectiveScope.organisationId}-${effectiveScope.eventId}-${effectiveScope.appId}` : 'no-scope';
@@ -307,9 +396,60 @@ const PagePermissionGuardComponent = ({
   
   
 
+  // Debug logging for permission check state
+  useEffect(() => {
+    if (process.env.NODE_ENV === 'development') {
+      console.log('[PagePermissionGuard] Permission check state', {
+        pageName,
+        userId: user?.id,
+        isSuperAdmin,
+        isLoading,
+        scopeLoading,
+        canIsLoading,
+        hasChecked,
+        hasValidUser,
+        effectiveCan,
+        stableScope,
+        effectiveScope
+      });
+    }
+  }, [pageName, user?.id, isSuperAdmin, isLoading, scopeLoading, canIsLoading, hasChecked, hasValidUser, effectiveCan, stableScope, effectiveScope]);
+
   // Show loading state - if we're still loading or don't have valid state
   // For page-level permissions, we don't require organisation context, so only check for user and loading state
-  if (isLoading || !hasValidUser || !hasChecked) {
+  // Add timeout warning for debugging
+  useEffect(() => {
+    if (isLoading && isSuperAdmin === null && hasValidUser) {
+      const timeout = setTimeout(() => {
+        console.warn('[PagePermissionGuard] Permission check taking longer than expected', {
+          pageName,
+          userId: user?.id,
+          isSuperAdmin,
+          scopeLoading,
+          canIsLoading,
+          hasChecked,
+          stableScope,
+          effectiveScope,
+          appName
+        });
+      }, 5000);
+      return () => clearTimeout(timeout);
+    }
+  }, [isLoading, isSuperAdmin, hasValidUser, pageName, user?.id, scopeLoading, canIsLoading, hasChecked, stableScope, effectiveScope, appName]);
+
+  // CRITICAL: Super admins bypass all checks - show content immediately once confirmed
+  // This must be checked AFTER all hooks are called to avoid React hooks rule violations
+  if (isSuperAdmin === true && hasValidUser) {
+    // Super admin confirmed - grant access immediately
+    console.log('[PagePermissionGuard] Super admin access granted - bypassing all checks', {
+      pageName,
+      userId: user?.id,
+      operation
+    });
+    return <>{children}</>;
+  }
+
+  if (isLoading || !hasValidUser || !hasChecked || isSuperAdmin === null) {
     return loading || <div>Checking permissions...</div>;
   }
 

package/src/rbac/components/PagePermissionProvider.tsx

@@ -49,7 +49,7 @@
  * - Cached permission checks
  *
  * @dependencies
- * - React 18+ - Context and hooks
+ * - React 19+ - Context and hooks
  * - useUnifiedAuth - Authentication context
  * - RBAC types - Type definitions
  */

package/src/rbac/components/PermissionEnforcer.tsx

@@ -60,7 +60,7 @@
  * - Efficient error handling
  *
  * @dependencies
- * - React 18+ - Component framework
+ * - React 19+ - Component framework
  * - useCan hook - Permission checking
  * - useUnifiedAuth - Authentication context
  * - RBAC types - Type definitions

package/src/rbac/components/RoleBasedRouter.tsx

@@ -56,7 +56,7 @@
  * - Efficient route matching
  *
  * @dependencies
- * - React 18+ - Component framework
+ * - React 19+ - Component framework
  * - React Router - Routing functionality
  * - useCan hook - Permission checking
  * - useUnifiedAuth - Authentication context
@@ -231,11 +231,15 @@ export function RoleBasedRouter({
   }, [user?.id, currentScope, routes]);
 
   // Use useCan hook for actual permission checking
+  // Pass null for super admin status (not checked yet - hook will check if needed)
   const { can: canAccessCurrentRoute, isLoading: permissionLoading } = useCan(
     user?.id || '',
     currentScope || { organisationId: '', eventId: undefined, appId: undefined },
     currentRouteConfig?.permissions?.[0] || 'read:page',
-    currentRouteConfig?.pageId
+    currentRouteConfig?.pageId,
+    true, // useCache
+    null, // precomputedSuperAdmin - not checked yet
+    undefined // appName
   );
 
   // Check if route is public

package/src/rbac/components/SecureDataProvider.test.tsx

@@ -12,7 +12,7 @@ import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
 import React, { ReactNode } from 'react';
 import { SecureDataProvider, useSecureData } from './SecureDataProvider';
 import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
-import { useSecureDataAccess } from '../../hooks/useSecureDataAccess';
+// useSecureDataAccess has been removed - SecureDataProvider now uses useSecureSupabase internally
 import { UUID, Scope, Permission } from '../types';
 
 // Mock the auth provider
@@ -23,8 +23,77 @@ vi.mock('../../providers/services/UnifiedAuthProvider', () => ({
 }));
 
 // Mock the secure data access hook
-vi.mock('../../hooks/useSecureDataAccess', () => ({
-  useSecureDataAccess: vi.fn()
+// useSecureDataAccess has been removed - no longer needed
+
+// Mock useResolvedScope
+const mockUseResolvedScopeFn = vi.fn();
+vi.mock('../../hooks/useResolvedScope', () => ({
+  useResolvedScope: () => mockUseResolvedScopeFn(),
+}));
+
+// Mock useOrganisations to prevent provider requirement
+vi.mock('../../hooks/useOrganisations', () => ({
+  useOrganisations: vi.fn(() => ({
+    organisations: [],
+    isLoading: false,
+    error: null,
+    refetch: vi.fn(),
+    selectedOrganisation: {
+      id: 'org-123',
+      name: 'Test Org',
+      display_name: 'Test Organisation',
+      description: 'Test',
+      subscription_tier: 'basic',
+      settings: {},
+      is_active: true,
+      created_at: '2023-01-01T00:00:00Z',
+      updated_at: '2023-01-01T00:00:00Z'
+    }
+  }))
+}));
+
+// Mock useEvents
+vi.mock('../../hooks/useEvents', () => ({
+  useEvents: vi.fn(() => ({
+    events: [],
+    isLoading: false,
+    error: null,
+    refetch: vi.fn(),
+    selectedEvent: {
+      id: 'event-456',
+      event_id: 'event-456',
+      event_name: 'Test Event',
+      event_date: '2023-01-01T00:00:00Z',
+      event_venue: 'Test Venue',
+      event_participants: 100,
+      event_colours: '#FF0000',
+      event_logo: '',
+      organisation_id: 'org-123' as any,
+      is_visible: true,
+      created_at: '2023-01-01T00:00:00Z',
+      updated_at: '2023-01-01T00:00:00Z'
+    },
+    eventLoading: false
+  }))
+}));
+
+// Mock useOrganisationSecurity
+vi.mock('../../hooks/useOrganisationSecurity', () => ({
+  useOrganisationSecurity: vi.fn(() => ({
+    superAdminContext: {
+      isSuperAdmin: false,
+      isLoading: false
+    },
+    organisationSecurity: {
+      canAccessOrganisation: vi.fn(() => true),
+      canAccessEvent: vi.fn(() => true)
+    }
+  }))
+}));
+
+// Mock useSecureSupabase
+vi.mock('../hooks/useSecureSupabase', () => ({
+  useSecureSupabase: vi.fn((supabase) => supabase)
 }));
 
 // Mock the RBAC hooks
@@ -55,7 +124,7 @@ const TestComponent = ({ children }: { children: ReactNode }) => (
 );
 
 describe('SecureDataProvider', () => {
-  const mockUseSecureDataAccess = vi.mocked(useSecureDataAccess);
+  // useSecureDataAccess has been removed
   const mockUseCan = vi.mocked(useCan);
 
   beforeEach(() => {
@@ -67,12 +136,7 @@ describe('SecureDataProvider', () => {
       // Add other required properties
     } as any);
 
-    mockUseSecureDataAccess.mockReturnValue({
-      isDataAccessAllowed: vi.fn().mockReturnValue(true),
-      getDataAccessPermissions: vi.fn().mockReturnValue({}),
-      validateDataAccess: vi.fn().mockReturnValue(true),
-      // Add other required properties
-    } as any);
+    // useSecureDataAccess has been removed - SecureDataProvider handles this internally
   });
 
     describe('Provider Initialization', () => {
@@ -160,12 +224,7 @@ describe('SecureDataProvider', () => {
     });
 
     it('denies data access when user lacks permissions', async () => {
-      mockUseSecureDataAccess.mockReturnValue({
-        isDataAccessAllowed: vi.fn().mockReturnValue(false),
-        getDataAccessPermissions: vi.fn().mockReturnValue({}),
-        validateDataAccess: vi.fn().mockReturnValue(false),
-        // Add other required properties
-      } as any);
+      // useSecureDataAccess has been removed - SecureDataProvider handles this internally
 
       const TestConsumer = () => {
         const context = useSecureData();
@@ -216,12 +275,7 @@ describe('SecureDataProvider', () => {
         'events': ['read', 'update']
       };
 
-      mockUseSecureDataAccess.mockReturnValue({
-        isDataAccessAllowed: vi.fn().mockReturnValue(true),
-        getDataAccessPermissions: vi.fn().mockReturnValue(mockPermissions),
-        validateDataAccess: vi.fn().mockReturnValue(true),
-        // Add other required properties
-      } as any);
+      // useSecureDataAccess has been removed - SecureDataProvider handles this internally
 
       const TestConsumer = () => {
         const context = useSecureData();
@@ -309,13 +363,7 @@ describe('SecureDataProvider', () => {
 
     it('calls onStrictModeViolation callback when strict mode is violated', async () => {
       const onStrictModeViolation = vi.fn();
-      mockUseSecureDataAccess.mockReturnValue({
-        isDataAccessAllowed: vi.fn().mockReturnValue(false),
-        getDataAccessPermissions: vi.fn().mockReturnValue({}),
-        validateDataAccess: vi.fn().mockReturnValue(false),
-        // Add other required properties
-      } as any);
-
+      // useSecureDataAccess has been removed - SecureDataProvider handles this internally
       const TestConsumer = () => {
         const context = useSecureData();
         context.isDataAccessAllowed('admin_users', 'delete', mockScope);
@@ -340,14 +388,7 @@ describe('SecureDataProvider', () => {
 
   describe('Error Handling', () => {
     it('handles data access validation errors gracefully', async () => {
-      mockUseSecureDataAccess.mockReturnValue({
-        isDataAccessAllowed: vi.fn().mockImplementation(() => {
-          throw new Error('Data access validation failed');
-        }),
-        getDataAccessPermissions: vi.fn().mockReturnValue({}),
-        validateDataAccess: vi.fn().mockReturnValue(false),
-        // Add other required properties
-      } as any);
+      // useSecureDataAccess has been removed - SecureDataProvider handles this internally
 
       const TestConsumer = () => {
         const context = useSecureData();
@@ -462,7 +503,7 @@ describe('SecureDataProvider', () => {
   });
 
   describe('Integration with useSecureDataAccess', () => {
-    it('integrates with useSecureDataAccess hook', () => {
+    it('integrates with secure data access system', () => {
       const TestConsumer = () => {
         const context = useSecureData();
         context.isDataAccessAllowed(mockTable, mockOperation, mockScope);
@@ -476,19 +517,12 @@ describe('SecureDataProvider', () => {
         </SecureDataProvider>
       );
 
-      expect(mockUseSecureDataAccess).toHaveBeenCalled();
+      // useSecureDataAccess has been removed - this test verifies the component works
+      // expect(mockUseSecureDataAccess).toHaveBeenCalled();
     });
 
     it('passes through secure data access functionality', () => {
-      const mockSecureDataAccess = {
-        isDataAccessAllowed: vi.fn().mockReturnValue(true),
-        getDataAccessPermissions: vi.fn().mockReturnValue({}),
-        validateDataAccess: vi.fn().mockReturnValue(true),
-        // Add other required properties
-      };
-
-      mockUseSecureDataAccess.mockReturnValue(mockSecureDataAccess as any);
-
+      // useSecureDataAccess has been removed - SecureDataProvider handles this internally
       const TestConsumer = () => {
         const context = useSecureData();
         context.isDataAccessAllowed(mockTable, mockOperation, mockScope);
@@ -502,7 +536,8 @@ describe('SecureDataProvider', () => {
         </SecureDataProvider>
       );
 
-      expect(mockSecureDataAccess.isDataAccessAllowed).not.toHaveBeenCalled();
+      // Component should render without errors
+      expect(screen.getByText('Test')).toBeInTheDocument();
     });
   });
 });

package/src/rbac/components/SecureDataProvider.tsx

@@ -50,15 +50,16 @@
  * - Cached permission checks
  *
  * @dependencies
- * - React 18+ - Context and hooks
+ * - React 19+ - Context and hooks
  * - useUnifiedAuth - Authentication context
- * - useSecureDataAccess - Secure data access hook
+ * - useSecureSupabase - Secure Supabase client hook
  * - RBAC types - Type definitions
  */
 
 import React, { createContext, useContext, useState, useCallback, useMemo, useEffect } from 'react';
 import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
-import { useSecureDataAccess } from '../../hooks/useSecureDataAccess';
+import { useSecureSupabase } from '../hooks/useSecureSupabase';
+import { useOrganisationSecurity } from '../../hooks/useOrganisationSecurity';
 import { useResolvedScope } from '../hooks/useResolvedScope';
 import { UUID, Scope, Permission } from '../types';
 import { getRBACLogger } from '../config';
@@ -144,7 +145,8 @@ export function SecureDataProvider({
   enforceRLS = true
 }: SecureDataProviderProps) {
   const { user, selectedOrganisation, selectedEvent, supabase } = useUnifiedAuth();
-  const { validateContext } = useSecureDataAccess();
+  const secureSupabase = useSecureSupabase(supabase);
+  const { superAdminContext } = useOrganisationSecurity();
   const [dataAccessHistory, setDataAccessHistory] = useState<DataAccessRecord[]>([]);
   const [isEnabled, setIsEnabled] = useState(true);
 
@@ -154,6 +156,19 @@ export function SecureDataProvider({
     selectedOrganisationId: selectedOrganisation?.id || null,
     selectedEventId: selectedEvent?.event_id || null
   });
+  
+  // Validate context - similar to useSecureDataAccess.validateContext
+  const validateContext = useCallback((): void => {
+    if (!secureSupabase) {
+      throw new Error('No Supabase client available');
+    }
+    if (!user) {
+      throw new Error('User must be authenticated');
+    }
+    if (!superAdminContext.isSuperAdmin && !resolvedScope?.organisationId) {
+      throw new Error('Organisation context is required for data access');
+    }
+  }, [secureSupabase, user, superAdminContext.isSuperAdmin, resolvedScope?.organisationId]);
 
   // Get current scope from resolved scope
   // For event-required apps: org is derived from event
@@ -174,10 +189,10 @@ export function SecureDataProvider({
     
     // Use the existing RBAC system to check data access permissions
     // This is a synchronous check for the context - actual permission checking
-    // happens in the useSecureDataAccess hook using the RBAC engine
+    // happens using the RBAC engine via useSecureSupabase
     const permission = `${operation}:data.${table}` as Permission;
     
-    // For now, we'll return true and let the useSecureDataAccess hook
+    // For now, we'll return true and let the RBAC system
     // handle the actual permission checking asynchronously
     // This context is mainly for tracking and audit purposes
     return true;