@jmruthers/pace-core 0.5.76 → 0.5.78

package/src/hooks/__tests__/useRBAC.unit.test.ts

@@ -1,913 +1,218 @@
 import { renderHook, waitFor } from '@testing-library/react';
-import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { describe, it, expect, beforeEach, vi } from 'vitest';
 import { useRBAC } from '../../rbac/hooks/useRBAC';
-import { createMockSupabaseClient, testDataGenerators } from '../../__tests__/helpers/test-utils';
 
-// Mock the providers
-const mockUseUnifiedAuth = vi.fn();
-const mockUseOrganisations = vi.fn();
-const mockUseEvents = vi.fn();
-
-vi.mock('../../providers', () => ({
-  useUnifiedAuth: () => mockUseUnifiedAuth()
+vi.mock('../../providers/UnifiedAuthProvider', () => ({
+  useUnifiedAuth: vi.fn(),
 }));
 
 vi.mock('../../providers/services/UnifiedAuthProvider', () => ({
-  useUnifiedAuth: () => mockUseUnifiedAuth()
+  useUnifiedAuth: vi.fn(),
 }));
 
 vi.mock('../../hooks/useOrganisations', () => ({
-  useOrganisations: () => mockUseOrganisations()
+  useOrganisations: vi.fn(),
 }));
 
 vi.mock('../../hooks/useEvents', () => ({
-  useEvents: () => mockUseEvents()
+  useEvents: vi.fn(),
 }));
 
-// Mock Supabase client
-const mockSupabase = createMockSupabaseClient();
-
-// Helper to setup RPC mocks for useRBAC hook
-// useRBAC makes TWO RPC calls: util_app_resolve and rbac_permissions_get
-const setupRBACMock = (permissions: any[] = []) => {
-  mockSupabase.rpc.mockImplementation((functionName: string, params?: any) => {
-    if (functionName === 'util_app_resolve') {
-      return Promise.resolve({
-        data: [{
-          app_id: 'test-app-id',
-          app_name: 'test-app',
-          has_access: true,
-          is_active: true
-        }],
-        error: null
-      });
-    }
-    
-    if (functionName === 'rbac_permissions_get') {
-      return Promise.resolve({
-        data: permissions,
-        error: null
-      });
-    }
-    
-    if (functionName === 'rbac_page_access_check') {
-      return Promise.resolve({ data: true, error: null });
-    }
-    
-    return Promise.resolve({ data: null, error: null });
-  });
-};
-
-// Setup default RPC mock
-setupRBACMock();
+vi.mock('../../rbac/api', () => ({
+  getPermissionMap: vi.fn(),
+  getAccessLevel: vi.fn(),
+  isPermittedCached: vi.fn(),
+  resolveAppContext: vi.fn(),
+  getRoleContext: vi.fn(),
+}));
 
-describe('useRBAC', () => {
+import { useUnifiedAuth } from '../../providers';
+import { useOrganisations } from '../../hooks/useOrganisations';
+import { useEvents } from '../../hooks/useEvents';
+import {
+  getPermissionMap,
+  getAccessLevel,
+  isPermittedCached,
+  resolveAppContext,
+  getRoleContext,
+} from '../../rbac/api';
+
+const mockUseUnifiedAuth = vi.mocked(useUnifiedAuth);
+const mockUseOrganisations = vi.mocked(useOrganisations);
+const mockUseEvents = vi.mocked(useEvents);
+const mockGetPermissionMap = vi.mocked(getPermissionMap);
+const mockGetAccessLevel = vi.mocked(getAccessLevel);
+const mockIsPermittedCached = vi.mocked(isPermittedCached);
+const mockResolveAppContext = vi.mocked(resolveAppContext);
+const mockGetRoleContext = vi.mocked(getRoleContext);
+
+describe('useRBAC (unit)', () => {
   beforeEach(() => {
     vi.clearAllMocks();
-    
-    // Default mock implementations
+
     mockUseUnifiedAuth.mockReturnValue({
-      user: { id: 'test-user-id' },
-      session: { access_token: 'test-token' },
-      supabase: mockSupabase,
-      appName: 'test-app'
-    });
-    
-    mockUseOrganisations.mockReturnValue({
-      selectedOrganisation: { id: 'test-org-id' }
-    });
-    
-    mockUseEvents.mockReturnValue({
-      selectedEvent: { event_id: 'test-event-id' }
-    });
+      user: null,
+      session: null,
+      appName: 'test-app',
+    });
+    mockUseOrganisations.mockReturnValue({ selectedOrganisation: null });
+    mockUseEvents.mockReturnValue({ selectedEvent: null });
+
+    mockResolveAppContext.mockResolvedValue({ appId: 'app-1' as any, hasAccess: true });
+    mockGetPermissionMap.mockResolvedValue({});
+    mockGetAccessLevel.mockResolvedValue('viewer');
+    mockGetRoleContext.mockResolvedValue({
+      globalRole: null,
+      organisationRole: null,
+      eventAppRole: null,
+    });
+    mockIsPermittedCached.mockResolvedValue(false);
   });
 
-  describe('Initial State', () => {
-    it('returns initial state when no user is provided', () => {
-      mockUseUnifiedAuth.mockReturnValue({
-        user: null,
-        supabase: null,
-        appName: null
-      });
-
-      const { result } = renderHook(() => useRBAC());
-
-      expect(result.current.globalRole).toBeNull();
-      expect(result.current.organisationRole).toBeNull();
-      expect(result.current.eventAppRole).toBeNull();
-      expect(result.current.isLoading).toBe(false);
-      expect(result.current.error).toBeNull();
-    });
-
-    it('returns initial state when no supabase client is provided', () => {
-      mockUseUnifiedAuth.mockReturnValue({
-        user: { id: 'test-user-id' },
-        supabase: null,
-        appName: 'test-app'
-      });
+  it('returns null roles when user is not authenticated', () => {
+    const { result } = renderHook(() => useRBAC());
 
-      const { result } = renderHook(() => useRBAC());
-
-      expect(result.current.globalRole).toBeNull();
-      expect(result.current.organisationRole).toBeNull();
-      expect(result.current.eventAppRole).toBeNull();
-      expect(result.current.isLoading).toBe(false);
-      expect(result.current.error).toBeNull();
-    });
-
-    it('returns initial state when no app name is provided', () => {
-      mockUseUnifiedAuth.mockReturnValue({
-        user: { id: 'test-user-id' },
-        supabase: mockSupabase,
-        appName: null
-      });
-
-      const { result } = renderHook(() => useRBAC());
-
-      expect(result.current.globalRole).toBeNull();
-      expect(result.current.organisationRole).toBeNull();
-      expect(result.current.eventAppRole).toBeNull();
-      expect(result.current.isLoading).toBe(false);
-      expect(result.current.error).toBeNull();
-    });
+    expect(result.current.user).toBeNull();
+    expect(result.current.globalRole).toBeNull();
+    expect(result.current.organisationRole).toBeNull();
+    expect(result.current.eventAppRole).toBeNull();
+    expect(result.current.isLoading).toBe(false);
   });
 
-  describe('Role Detection', () => {
-    it('detects global role from permissions', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'all_permissions',
-          role_name: 'super_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      setupRBACMock(mockPermissions);
-
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.globalRole).toBe('super_admin');
-        expect(result.current.organisationRole).toBeNull();
-        expect(result.current.eventAppRole).toBeNull();
-      }, { interval: 10, timeout: 3000 });
-    });
-
-    it('detects organisation role from permissions', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      setupRBACMock(mockPermissions);
-
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.globalRole).toBeNull();
-        expect(result.current.organisationRole).toBe('org_admin');
-        expect(result.current.eventAppRole).toBeNull();
-      }, { interval: 10, timeout: 3000 });
-    });
-
-    it('detects event app role from permissions', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'event_app_access',
-          role_name: 'event_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.globalRole).toBeNull();
-        expect(result.current.organisationRole).toBeNull();
-        expect(result.current.eventAppRole).toBe('event_admin');
-      }, { interval: 10, timeout: 3000 });
+  it('loads role context and permissions when authenticated', async () => {
+    mockUseUnifiedAuth.mockReturnValue({
+      user: { id: 'user-1' },
+      session: { access_token: 'token' },
+      appName: 'console',
     });
+    mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+    mockUseEvents.mockReturnValue({ selectedEvent: { event_id: 'event-1' } });
 
-    it('detects multiple roles from permissions', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'all_permissions',
-          role_name: 'super_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        },
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        },
-        {
-          permission_type: 'event_app_access',
-          role_name: 'event_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.globalRole).toBe('super_admin');
-        expect(result.current.organisationRole).toBe('org_admin');
-        expect(result.current.eventAppRole).toBe('event_admin');
-      }, { interval: 10, timeout: 3000 });
+    mockGetPermissionMap.mockResolvedValue({ 'read:dashboard': true });
+    mockGetRoleContext.mockResolvedValue({
+      globalRole: 'super_admin',
+      organisationRole: 'org_admin',
+      eventAppRole: null,
     });
 
-    it('handles empty permissions array', async () => {
-      mockSupabase.rpc.mockResolvedValue({
-        data: [],
-        error: null
-      });
+    const { result } = renderHook(() => useRBAC('dashboard'));
 
-      const { result } = renderHook(() => useRBAC());
+    await waitFor(() => expect(result.current.isLoading).toBe(false));
 
-      await waitFor(() => {
-        expect(result.current.globalRole).toBeNull();
-        expect(result.current.organisationRole).toBeNull();
-        expect(result.current.eventAppRole).toBeNull();
-      });
-    });
+    expect(result.current.globalRole).toBe('super_admin');
+    expect(result.current.organisationRole).toBe('org_admin');
+    expect(result.current.isSuperAdmin).toBe(true);
+    expect(mockGetPermissionMap).toHaveBeenCalled();
   });
 
-  describe('Permission Checking', () => {
-    it('returns true for super admin regardless of operation', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'all_permissions',
-          role_name: 'super_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.globalRole).toBe('super_admin');
-      }, { interval: 10, timeout: 3000 });
-
-      const hasPermission = await result.current.hasPermission('read', 'dashboard');
-      expect(hasPermission).toBe(true);
+  it('maps access level to event role when engine omits event role', async () => {
+    mockUseUnifiedAuth.mockReturnValue({
+      user: { id: 'user-1' },
+      session: { access_token: 'token' },
+      appName: 'console',
     });
-
-    it('checks specific permission with database call', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      // Fully mock RPC responses for this test
-      mockSupabase.rpc.mockImplementation((functionName: string, params?: any) => {
-        if (functionName === 'util_app_resolve') {
-          return Promise.resolve({
-            data: [{ app_id: 'test-app-id', app_name: 'test-app', has_access: true, is_active: true }],
-            error: null
-          });
-        }
-        if (functionName === 'rbac_permissions_get') {
-          return Promise.resolve({ data: mockPermissions, error: null });
-        }
-        if (functionName === 'rbac_page_access_check') {
-          return Promise.resolve({ data: true, error: null });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.organisationRole).toBe('org_admin');
-      }, { interval: 10, timeout: 3000 });
-
-      const hasPermission = await result.current.hasPermission('read', 'dashboard');
-      expect(hasPermission).toBe(true);
-      expect(mockSupabase.rpc).toHaveBeenCalledWith('rbac_page_access_check', {
-        p_user_id: 'test-user-id',
-        p_app_id: 'test-app-id',
-        p_page_id: 'dashboard',
-        p_operation: 'read',
-        p_event_id: 'test-event-id',
-        p_organisation_id: 'test-org-id'
-      });
+    mockGetRoleContext.mockResolvedValue({
+      globalRole: null,
+      organisationRole: null,
+      eventAppRole: null,
     });
+    mockGetAccessLevel.mockResolvedValue('planner');
 
-    it('returns false when permission check fails', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      // Fully mock RPC responses for this test
-      mockSupabase.rpc.mockImplementation((functionName: string, params?: any) => {
-        if (functionName === 'util_app_resolve') {
-          return Promise.resolve({
-            data: [{ app_id: 'test-app-id', app_name: 'test-app', has_access: true, is_active: true }],
-            error: null
-          });
-        }
-        if (functionName === 'rbac_permissions_get') {
-          return Promise.resolve({ data: mockPermissions, error: null });
-        }
-        if (functionName === 'rbac_page_access_check') {
-          return Promise.resolve({ data: false, error: null });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.organisationRole).toBe('org_admin');
-      }, { interval: 10, timeout: 3000 });
-
-      const hasPermission = await result.current.hasPermission('write', 'admin');
-      expect(hasPermission).toBe(false);
-    });
+    const { result } = renderHook(() => useRBAC());
 
-    it('returns false when permission check throws error', async () => {
-      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
-      
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      // Fully mock RPC responses (reject on access check)
-      mockSupabase.rpc.mockImplementation((functionName: string, params?: any) => {
-        if (functionName === 'util_app_resolve') {
-          return Promise.resolve({
-            data: [{ app_id: 'test-app-id', app_name: 'test-app', has_access: true, is_active: true }],
-            error: null
-          });
-        }
-        if (functionName === 'rbac_permissions_get') {
-          return Promise.resolve({ data: mockPermissions, error: null });
-        }
-        if (functionName === 'rbac_page_access_check') {
-          return Promise.reject(new Error('Database error'));
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.organisationRole).toBe('org_admin');
-      }, { interval: 10, timeout: 3000 });
-
-      const hasPermission = await result.current.hasPermission('read', 'dashboard');
-      expect(hasPermission).toBe(false);
-
-      consoleSpy.mockRestore();
-    });
+    await waitFor(() => expect(result.current.isLoading).toBe(false));
 
-    it('uses default pageId when not provided', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      // Fully mock RPC responses
-      mockSupabase.rpc.mockImplementation((functionName: string, params?: any) => {
-        if (functionName === 'util_app_resolve') {
-          return Promise.resolve({
-            data: [{ app_id: 'test-app-id', app_name: 'test-app', has_access: true, is_active: true }],
-            error: null
-          });
-        }
-        if (functionName === 'rbac_permissions_get') {
-          return Promise.resolve({ data: mockPermissions, error: null });
-        }
-        if (functionName === 'rbac_page_access_check') {
-          return Promise.resolve({ data: true, error: null });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-
-      const { result } = renderHook(() => useRBAC('default-page'));
-
-      await waitFor(() => {
-        expect(result.current.organisationRole).toBe('org_admin');
-      }, { interval: 10, timeout: 3000 });
-
-      await result.current.hasPermission('read');
-      
-      expect(mockSupabase.rpc).toHaveBeenCalledWith('rbac_page_access_check', {
-        p_user_id: 'test-user-id',
-        p_app_id: 'test-app-id',
-        p_page_id: 'default-page',
-        p_operation: 'read',
-        p_event_id: 'test-event-id',
-        p_organisation_id: 'test-org-id'
-      });
-    });
+    expect(result.current.eventAppRole).toBe('planner');
   });
 
-  describe('Global Permission Checking', () => {
-    it('returns true for super admin', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'all_permissions',
-          role_name: 'super_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.isLoading).toBe(false);
-      });
-
-      expect(result.current.hasGlobalPermission('super_admin')).toBe(true);
-      expect(result.current.hasGlobalPermission('org_admin')).toBe(true);
-      expect(result.current.hasGlobalPermission('any_permission')).toBe(true);
-    });
-
-    it('returns true for org admin when checking org_admin permission', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.isLoading).toBe(false);
-      });
-
-      expect(result.current.hasGlobalPermission('org_admin')).toBe(true);
-      expect(result.current.hasGlobalPermission('super_admin')).toBe(false);
-      expect(result.current.hasGlobalPermission('other_permission')).toBe(false);
-    });
-
-    it('returns false for non-admin users', () => {
-      const mockPermissions = [
-        {
-          permission_type: 'event_app_access',
-          role_name: 'viewer',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      expect(result.current.hasGlobalPermission('super_admin')).toBe(false);
-      expect(result.current.hasGlobalPermission('org_admin')).toBe(false);
-      expect(result.current.hasGlobalPermission('any_permission')).toBe(false);
-    });
-  });
-
-  describe('Computed Properties', () => {
-    it('correctly computes isSuperAdmin', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'all_permissions',
-          role_name: 'super_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.isSuperAdmin).toBe(true);
-      });
-    });
-
-    it('correctly computes isOrgAdmin', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.isOrgAdmin).toBe(true);
-      });
-    });
-
-    it('correctly computes isEventAdmin', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'event_app_access',
-          role_name: 'event_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.isEventAdmin).toBe(true);
-      });
+  it('treats wildcard permission map as super admin', async () => {
+    mockUseUnifiedAuth.mockReturnValue({
+      user: { id: 'user-1' },
+      session: { access_token: 'token' },
+      appName: 'console',
     });
+    mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+    mockGetPermissionMap.mockResolvedValue({ '*': true });
 
-    it('correctly computes canManageOrganisation', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.canManageOrganisation).toBe(true);
-      });
-    });
+    const { result } = renderHook(() => useRBAC());
 
-    it('correctly computes canManageEvent', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'event_app_access',
-          role_name: 'event_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.canManageEvent).toBe(true);
-      });
-    });
+    await waitFor(() => expect(result.current.isLoading).toBe(false));
 
-    it('super admin can manage both organisation and event', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'all_permissions',
-          role_name: 'super_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.canManageOrganisation).toBe(true);
-        expect(result.current.canManageEvent).toBe(true);
-      });
-    });
+    expect(result.current.isSuperAdmin).toBe(true);
+    expect(await result.current.hasPermission('delete', 'users')).toBe(true);
   });
 
-  describe('Loading States', () => {
-    it('sets loading state while fetching permissions', async () => {
-      let resolvePermissions: (value: any) => void;
-      const permissionsPromise = new Promise(resolve => {
-        resolvePermissions = resolve;
-      });
-
-      mockSupabase.rpc.mockReturnValue(permissionsPromise);
-
-      const { result } = renderHook(() => useRBAC());
-
-      expect(result.current.isLoading).toBe(true);
-
-      resolvePermissions!({
-        data: [],
-        error: null
-      });
-
-      await waitFor(() => {
-        expect(result.current.isLoading).toBe(false);
-      });
+  it('uses cached permission map when checking permissions', async () => {
+    mockUseUnifiedAuth.mockReturnValue({
+      user: { id: 'user-1' },
+      session: { access_token: 'token' },
+      appName: 'console',
     });
+    mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+    mockGetPermissionMap.mockResolvedValue({ 'read:users': true, 'write:users': false });
 
-    it('resets loading state on error', async () => {
-      mockSupabase.rpc.mockRejectedValue(new Error('Network error'));
+    const { result } = renderHook(() => useRBAC());
 
-      const { result } = renderHook(() => useRBAC());
+    await waitFor(() => expect(result.current.isLoading).toBe(false));
 
-      await waitFor(() => {
-        expect(result.current.isLoading).toBe(false);
-        expect(result.current.error).toBeInstanceOf(Error);
-      });
-    });
+    mockIsPermittedCached.mockClear();
+    expect(await result.current.hasPermission('read:users')).toBe(true);
+    expect(await result.current.hasPermission('write:users')).toBe(false);
+    expect(mockIsPermittedCached).not.toHaveBeenCalled();
   });
 
-  describe('Error Handling', () => {
-    it('handles RPC errors gracefully', async () => {
-      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
-      
-      // Mock the app resolve to succeed, but permissions to fail
-      mockSupabase.rpc.mockImplementation((functionName: string) => {
-        if (functionName === 'util_app_resolve') {
-          return Promise.resolve({
-            data: [{
-              app_id: 'test-app-id',
-              app_name: 'test-app',
-              has_access: true,
-              is_active: true
-            }],
-            error: null
-          });
-        }
-        if (functionName === 'rbac_permissions_get') {
-          return Promise.resolve({
-            data: null,
-            error: { message: 'Database connection failed' }
-          });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.error).toBeInstanceOf(Error);
-        expect(result.current.error?.message).toContain('Failed to load RBAC permissions');
-      });
-
-      consoleSpy.mockRestore();
-    });
-
-    it('handles network errors gracefully', async () => {
-      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
-      
-      // Mock the app resolve to succeed, but permissions to fail
-      mockSupabase.rpc.mockImplementation((functionName: string) => {
-        if (functionName === 'util_app_resolve') {
-          return Promise.resolve({
-            data: [{
-              app_id: 'test-app-id',
-              app_name: 'test-app',
-              has_access: true,
-              is_active: true
-            }],
-            error: null
-          });
-        }
-        if (functionName === 'rbac_permissions_get') {
-          return Promise.resolve({
-            data: null,
-            error: { message: 'Network timeout' }
-          });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-
-      const { result } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.error).toBeInstanceOf(Error);
-        expect(result.current.error?.message).toContain('Failed to load RBAC permissions');
-      });
-
-      consoleSpy.mockRestore();
+  it('falls back to engine when permission not cached', async () => {
+    mockUseUnifiedAuth.mockReturnValue({
+      user: { id: 'user-1' },
+      session: { access_token: 'token' },
+      appName: 'console',
     });
+    mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+    mockGetPermissionMap.mockResolvedValue({});
+    mockIsPermittedCached.mockResolvedValue(true);
 
-    it('handles unknown errors gracefully', async () => {
-      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
-      
-      mockSupabase.rpc.mockRejectedValue('Unknown error');
-
-      const { result } = renderHook(() => useRBAC());
+    const { result } = renderHook(() => useRBAC());
 
-      await waitFor(() => {
-        expect(result.current.error).toBeInstanceOf(Error);
-        expect(result.current.error?.message).toBe('Unknown error loading RBAC context');
-      });
+    await waitFor(() => expect(result.current.isLoading).toBe(false));
 
-      consoleSpy.mockRestore();
-    });
+    expect(await result.current.hasPermission('read', 'users')).toBe(true);
+    expect(mockIsPermittedCached).toHaveBeenCalled();
   });
 
-  describe('Context Dependencies', () => {
-    it('reloads when user changes', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'all_permissions',
-          role_name: 'super_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      setupRBACMock(mockPermissions);
-
-      const { result, rerender } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.globalRole).toBe('super_admin');
-      });
-
-      // Change user
-      mockUseUnifiedAuth.mockReturnValue({
-        user: { id: 'different-user-id' },
-        session: { access_token: 'test-token' },
-        supabase: mockSupabase,
-        appName: 'test-app'
-      });
-
-      rerender();
-
-      await waitFor(() => {
-        expect(mockSupabase.rpc).toHaveBeenCalledTimes(4);
-      });
+  it('returns true for hasGlobalPermission when organisation admin', async () => {
+    mockUseUnifiedAuth.mockReturnValue({
+      user: { id: 'user-1' },
+      session: { access_token: 'token' },
+      appName: 'console',
     });
-
-    it('reloads when organisation changes', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      setupRBACMock(mockPermissions);
-
-      const { result, rerender } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.organisationRole).toBe('org_admin');
-      }, { interval: 10, timeout: 3000 });
-
-      // Change organisation
-      mockUseOrganisations.mockReturnValue({
-        selectedOrganisation: { id: 'different-org-id' }
-      });
-
-      rerender();
-
-      await waitFor(() => {
-        expect(mockSupabase.rpc).toHaveBeenCalledTimes(4);
-      });
+    mockGetRoleContext.mockResolvedValue({
+      globalRole: null,
+      organisationRole: 'org_admin',
+      eventAppRole: null,
     });
 
-    it('reloads when event changes', async () => {
-      const mockPermissions = [
-        {
-          permission_type: 'event_app_access',
-          role_name: 'event_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      setupRBACMock(mockPermissions);
-
-      const { result, rerender } = renderHook(() => useRBAC());
-
-      await waitFor(() => {
-        expect(result.current.eventAppRole).toBe('event_admin');
-      });
-
-      // Change event
-      mockUseEvents.mockReturnValue({
-        selectedEvent: { event_id: 'different-event-id' }
-      });
+    const { result } = renderHook(() => useRBAC());
 
-      rerender();
+    await waitFor(() => expect(result.current.isLoading).toBe(false));
 
-      await waitFor(() => {
-        expect(mockSupabase.rpc).toHaveBeenCalledTimes(4);
-      });
-    });
-
-    it('handles missing EventProvider gracefully', () => {
-      const consoleSpy = vi.spyOn(console, 'debug').mockImplementation(() => {});
-      
-      // Mock EventProvider to throw error
-      mockUseEvents.mockImplementation(() => {
-        throw new Error('EventProvider not available');
-      });
-
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-      setupRBACMock(mockPermissions);
-      
-      const { result } = renderHook(() => useRBAC());
-
-      expect(result.current.eventAppRole).toBeNull();
-      expect(consoleSpy).toHaveBeenCalledWith('useRBAC: EventProvider not available, continuing without event context');
-
-      consoleSpy.mockRestore();
-    });
+    expect(result.current.hasGlobalPermission('org_admin')).toBe(true);
+    expect(result.current.hasGlobalPermission('super_admin')).toBe(false);
   });
 
-  describe('User Context', () => {
-    it('includes user in returned context', async () => {
-      const mockUser = testDataGenerators.createUser();
-      
-      mockUseUnifiedAuth.mockReturnValue({
-        user: mockUser,
-        supabase: mockSupabase,
-        appName: 'test-app'
-      });
-
-      const mockPermissions = [
-        {
-          permission_type: 'organisation_access',
-          role_name: 'org_admin',
-          has_permission: true,
-          granted_at: '2023-01-01T00:00:00Z'
-        }
-      ];
-
-      
-
-      setupRBACMock(mockPermissions);
+  it('captures errors from resolveAppContext', async () => {
+    mockUseUnifiedAuth.mockReturnValue({
+      user: { id: 'user-1' },
+      session: { access_token: 'token' },
+      appName: 'console',
+    });
+    mockResolveAppContext.mockResolvedValue(null);
 
-      
+    const { result } = renderHook(() => useRBAC());
 
-      const { result } = renderHook(() => useRBAC());
+    await waitFor(() => expect(result.current.isLoading).toBe(false));
 
-      await waitFor(() => {
-        expect(result.current.user).toEqual(mockUser);
-      });
-    });
+    expect(result.current.error).toBeInstanceOf(Error);
+    expect(result.current.globalRole).toBeNull();
+    expect(await result.current.hasPermission('read', 'users')).toBe(false);
   });
-}); 
+});