@jmruthers/pace-core 0.6.9 → 0.6.11

package/src/rbac/hooks/useRBAC.test.ts

@@ -1,3 +1,17 @@
+/**
+ * @file useRBAC Hook Tests
+ * @package @jmruthers/pace-core
+ * @module RBAC/Hooks/useRBAC
+ * @since 0.3.0
+ *
+ * Comprehensive tests for the useRBAC hook covering:
+ * - Role context loading and caching
+ * - Permission map fetching
+ * - App context resolution
+ * - Super admin handling
+ * - Error handling and edge cases
+ */
+
 import { renderHook, waitFor } from '@testing-library/react';
 import { describe, it, expect, beforeEach, vi } from 'vitest';
 import { useRBAC } from './useRBAC';
@@ -24,6 +38,13 @@ vi.mock('../api', () => ({
   isPermittedCached: vi.fn(),
   resolveAppContext: vi.fn(),
   getRoleContext: vi.fn(),
+  getPageScopeType: vi.fn(),
+}));
+
+vi.mock('../utils/contextValidator', () => ({
+  ContextValidator: {
+    resolveScopeForPage: vi.fn(),
+  },
 }));
 
 import { useUnifiedAuth } from '../../providers';
@@ -35,7 +56,9 @@ import {
   isPermittedCached,
   resolveAppContext,
   getRoleContext,
+  getPageScopeType,
 } from '../api';
+import { ContextValidator } from '../utils/contextValidator';
 
 const mockUseUnifiedAuth = vi.mocked(useUnifiedAuth);
 const mockUseOrganisations = vi.mocked(useOrganisations);
@@ -45,6 +68,8 @@ const mockGetAccessLevel = vi.mocked(getAccessLevel);
 const mockIsPermittedCached = vi.mocked(isPermittedCached);
 const mockResolveAppContext = vi.mocked(resolveAppContext);
 const mockGetRoleContext = vi.mocked(getRoleContext);
+const mockGetPageScopeType = vi.mocked(getPageScopeType);
+const mockContextValidator = vi.mocked(ContextValidator);
 
 describe('useRBAC', () => {
   beforeEach(() => {
@@ -59,15 +84,28 @@ describe('useRBAC', () => {
     mockUseOrganisations.mockReturnValue({ selectedOrganisation: null });
     mockUseEvents.mockReturnValue({ selectedEvent: null });
 
-    mockGetPermissionMap.mockResolvedValue({});
-    mockGetAccessLevel.mockResolvedValue('viewer');
-    mockResolveAppContext.mockResolvedValue({ appId: 'app-123' as any, hasAccess: true });
+    mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+    mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+    mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
     mockGetRoleContext.mockResolvedValue({
-      globalRole: null,
-      organisationRole: null,
-      eventAppRole: null,
+      ok: true,
+      data: {
+        globalRole: null,
+        organisationRole: null,
+        eventAppRole: null,
+      },
+    });
+    mockIsPermittedCached.mockResolvedValue({ ok: true, data: false });
+    mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+    mockContextValidator.resolveScopeForPage.mockResolvedValue({
+      isValid: true,
+      resolvedScope: {
+        organisationId: undefined,
+        eventId: undefined,
+        appId: undefined,
+      },
+      error: null,
     });
-    mockIsPermittedCached.mockResolvedValue(false);
   });
 
   it('returns base state when unauthenticated', () => {
@@ -95,14 +133,28 @@ describe('useRBAC', () => {
     });
     mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
 
-    mockGetPermissionMap.mockResolvedValue({ 'read:dashboard': true });
+    mockGetPermissionMap.mockResolvedValue({ ok: true, data: { 'read:dashboard': true } });
+    mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
     mockGetRoleContext.mockResolvedValue({
-      globalRole: null,
-      organisationRole: null,
-      eventAppRole: null,
+      ok: true,
+      data: {
+        globalRole: null,
+        organisationRole: null,
+        eventAppRole: null,
+      },
     });
     // Ensure resolveAppContext returns a value so the hook continues
-    mockResolveAppContext.mockResolvedValue({ appId: 'app-123' as any, hasAccess: true });
+    mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+    mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+    mockContextValidator.resolveScopeForPage.mockResolvedValue({
+      isValid: true,
+      resolvedScope: {
+        organisationId: 'org-1',
+        eventId: undefined,
+        appId: 'app-123',
+      },
+      error: null,
+    });
 
     const { result } = renderHook(() => useRBAC('dashboard'));
 
@@ -112,8 +164,6 @@ describe('useRBAC', () => {
     }, { timeout: 5000 });
 
     // resolveAppContext should be called when appName is set and appId/contextAppId are undefined
-    // The function signature is: resolveAppContext({ userId, appName })
-    // Note: The error message format may be confusing - check actual call structure
     expect(mockResolveAppContext).toHaveBeenCalled();
     // Verify it was called with correct structure (userId and appName in first argument)
     const calls = mockResolveAppContext.mock.calls;
@@ -124,6 +174,7 @@ describe('useRBAC', () => {
              'appName' in firstArg && firstArg.appName === 'test-app';
     });
     expect(hasCorrectCall).toBe(true);
+    // getPermissionMap is called with the resolved scope from ContextValidator
     expect(mockGetPermissionMap).toHaveBeenCalledWith(
       {
         userId: 'user-1',
@@ -152,7 +203,7 @@ describe('useRBAC', () => {
       selectedEvent: null,
       eventLoading: false,
     });
-    mockResolveAppContext.mockResolvedValue(null);
+    mockResolveAppContext.mockResolvedValue({ ok: true, data: null });
 
     const { result } = renderHook(() => useRBAC());
 
@@ -174,13 +225,16 @@ describe('useRBAC', () => {
       selectedEvent: null,
       eventLoading: false,
     });
-    mockResolveAppContext.mockResolvedValue({ appId: 'app-123' as any, hasAccess: true });
-    mockGetPermissionMap.mockResolvedValue({});
-    mockGetAccessLevel.mockResolvedValue('viewer');
+    mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+    mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+    mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
     mockGetRoleContext.mockResolvedValue({
-      globalRole: 'super_admin',
-      organisationRole: null,
-      eventAppRole: null,
+      ok: true,
+      data: {
+        globalRole: 'super_admin',
+        organisationRole: null,
+        eventAppRole: null,
+      },
     });
 
     const { result } = renderHook(() => useRBAC());
@@ -199,4 +253,1713 @@ describe('useRBAC', () => {
     expect(result.current.isSuperAdmin).toBe(true);
     expect(result.current.hasGlobalPermission('any')).toBe(true);
   });
+
+  describe('Role Context', () => {
+    it('loads organisation role correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: 'org_admin',
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+        expect(result.current.organisationRole).toBe('org_admin');
+      });
+
+      expect(result.current.isOrgAdmin).toBe(true);
+      expect(result.current.canManageOrganisation).toBe(true);
+    });
+
+    it('loads event app role correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' },
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      mockUseEvents.mockReturnValue({ selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' } });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'admin' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: 'event_admin',
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: 'event-1',
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+        expect(result.current.eventAppRole).toBe('event_admin');
+      });
+
+      expect(result.current.isEventAdmin).toBe(true);
+      expect(result.current.canManageEvent).toBe(true);
+    });
+  });
+
+  describe('Permission Checking', () => {
+    it('checks permissions from permission map', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: { 'read:users': true, 'write:users': false } });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      expect(result.current.hasGlobalPermission('read:users')).toBe(true);
+      expect(result.current.hasGlobalPermission('write:users')).toBe(false);
+      expect(result.current.hasGlobalPermission('delete:users')).toBe(false);
+    });
+
+    it('checks org_admin permission correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: 'org_admin',
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      expect(result.current.hasGlobalPermission('org_admin')).toBe(true);
+    });
+
+    it('checks super_admin permission correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: 'super_admin',
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      expect(result.current.hasGlobalPermission('super_admin')).toBe(true);
+    });
+  });
+
+  describe('Loading States', () => {
+    it('shows loading state while context is being loaded', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      
+      // Make resolveAppContext take some time
+      mockResolveAppContext.mockImplementation(() => 
+        new Promise(resolve => setTimeout(() => resolve({ appId: 'app-123' as any, hasAccess: true }), 100))
+      );
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      // Initially should be loading
+      expect(result.current.isLoading).toBe(true);
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+    });
+
+    it('waits for organisation context to be ready', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: null,
+        isContextReady: false,
+        organisationLoading: true,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: null });
+
+      const { result } = renderHook(() => useRBAC());
+
+      // Should be loading while waiting for context
+      expect(result.current.isLoading).toBe(true);
+    });
+  });
+
+  describe('Error Handling', () => {
+    it('handles permission map fetch errors', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockRejectedValue(new Error('Failed to fetch permissions'));
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+        expect(result.current.error).toBeInstanceOf(Error);
+      });
+
+      expect(result.current.error).toBeInstanceOf(Error);
+      expect(result.current.error?.message).toBeDefined();
+    });
+
+    it('handles role context fetch errors', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockRejectedValue(new Error('Failed to fetch role context'));
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+        expect(result.current.error).toBeInstanceOf(Error);
+      });
+    });
+
+    it('handles network errors during app context resolution', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      
+      // Simulate network error
+      const networkError = new Error('NetworkError: Failed to fetch');
+      mockResolveAppContext.mockRejectedValue(networkError);
+
+      const { result } = renderHook(() => useRBAC());
+
+      // Should handle network error gracefully and retry
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+    });
+  });
+
+  describe('Edge Cases', () => {
+    it('handles PORTAL app without organisation context', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'PORTAL',
+        appConfig: { requires_event: false },
+        selectedOrganisation: null,
+        isContextReady: false,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: null });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: null }); // PORTAL can proceed without appId
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: undefined,
+          eventId: undefined,
+          appId: undefined,
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      // PORTAL should work without organisation context
+      expect(result.current.error).toBeNull();
+    });
+
+    it('handles ADMIN app without organisation context', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'ADMIN',
+        appConfig: { requires_event: false },
+        selectedOrganisation: null,
+        isContextReady: false,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: null });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: null }); // ADMIN can proceed without appId
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: undefined,
+          eventId: undefined,
+          appId: undefined,
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      // ADMIN should work without organisation context
+      expect(result.current.error).toBeNull();
+    });
+
+    it('handles user logout by resetting state', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: { 'read:users': true } });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: 'member',
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result, rerender } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+        expect(result.current.organisationRole).toBe('member');
+      });
+
+      // Simulate logout
+      mockUseUnifiedAuth.mockReturnValue({
+        user: null,
+        session: null,
+        appName: 'test-app',
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: null });
+
+      rerender();
+
+      await waitFor(() => {
+        expect(result.current.user).toBeNull();
+        expect(result.current.globalRole).toBeNull();
+        expect(result.current.organisationRole).toBeNull();
+        expect(result.current.isLoading).toBe(false);
+      });
+    });
+
+    it('handles permission map with wildcard permission', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: { '*': true } }); // Wildcard permission
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      expect(result.current.isSuperAdmin).toBe(true);
+      expect(result.current.hasGlobalPermission('any:permission')).toBe(true);
+    });
+  });
+
+  describe('Scope Resolution', () => {
+    it('supports organisation page type scope resolution', async () => {
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-123',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-123' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-123' } } as any);
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      // Hook should complete successfully
+      expect(result.current).toBeDefined();
+    });
+
+    it('supports event page type scope resolution', async () => {
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'event' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-123',
+          eventId: 'event-123',
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: true },
+        selectedOrganisation: { id: 'org-123' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: { event_id: 'event-123' },
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-123' } } as any);
+      mockUseEvents.mockReturnValue({ selectedEvent: { event_id: 'event-123' } } as any);
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      // Hook should complete successfully
+      expect(result.current).toBeDefined();
+    });
+  });
+
+  describe('Error Recovery', () => {
+    it('handles permission map fetch errors without crashing', async () => {
+      mockGetPermissionMap.mockRejectedValue(new Error('Network error'));
+
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 2000 });
+
+      // Hook should handle error gracefully
+      expect(result.current).toBeDefined();
+    });
+  });
+
+  describe('Context Changes', () => {
+    it('handles organisation context changes', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appConfig: { requires_event: false },
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+
+      const { result, rerender } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      // Change organisation context
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-2' } } as any);
+
+      rerender();
+
+      // Hook should handle context change
+      await waitFor(() => {
+        expect(result.current).toBeDefined();
+      }, { timeout: 2000 });
+    });
+  });
+
+  describe('Edge Cases and Boundary Conditions', () => {
+    it('handles PORTAL app without organisation context', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'PORTAL',
+        appId: 'portal-app-id' as any,
+        selectedOrganisation: null,
+        isContextReady: false,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'portal-app-id' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: { 'read:profile': true } });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: undefined,
+          eventId: undefined,
+          appId: 'portal-app-id',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // PORTAL app should work without organisation context
+      expect(result.current.error).toBeNull();
+    });
+
+    it('handles ADMIN app without organisation context', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'ADMIN',
+        appId: 'admin-app-id' as any,
+        selectedOrganisation: null,
+        isContextReady: false,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'admin-app-id' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: { 'read:admin': true } });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: undefined,
+          eventId: undefined,
+          appId: 'admin-app-id',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // ADMIN app should work without organisation context
+      expect(result.current.error).toBeNull();
+    });
+
+    it('handles NetworkError when resolving app context gracefully', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      
+      // Simulate NetworkError
+      const networkError = new Error('NetworkError: Failed to fetch');
+      mockResolveAppContext.mockRejectedValue(networkError);
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: undefined,
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should handle NetworkError gracefully without crashing
+      expect(result.current).toBeDefined();
+    });
+
+    it('handles pageId parameter correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: { 'read:page.dashboard': true } });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'event' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC('dashboard'));
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should call getPageScopeType with pageId
+      expect(mockGetPageScopeType).toHaveBeenCalledWith('dashboard', 'app-123', 'test-app');
+    });
+
+    it('handles getPageScopeType error gracefully', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: false, error: { code: 'RBAC_ERROR', message: 'Failed to get page scope type' } });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC('dashboard'));
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should default to organisation scope on error (ApiResult error, not thrown)
+      expect(result.current.error).toBeNull();
+    });
+
+    it('handles context validation failure', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: false,
+        resolvedScope: null,
+        error: new Error('Context validation failed'),
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should set error when validation fails
+      expect(result.current.error).toBeInstanceOf(Error);
+      expect(result.current.error?.message).toContain('Context validation failed');
+    });
+
+    it('handles event loading state correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: true, // Event is loading
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+
+      const { result } = renderHook(() => useRBAC());
+
+      // Should wait for event loading to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(true);
+      }, { timeout: 1000 });
+    });
+
+    it('handles rapid context changes without crashing', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result, rerender } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      // Rapidly change context multiple times
+      for (let i = 0; i < 5; i++) {
+        mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: `org-${i}` } } as any);
+        rerender();
+      }
+
+      // Should not crash
+      await waitFor(() => {
+        expect(result.current).toBeDefined();
+      }, { timeout: 3000 });
+    });
+
+    it('handles empty permission map with warning', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} }); // Empty permission map
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should handle empty permission map gracefully
+      // useRBAC doesn't expose permissionMap in return value, but empty map should still work
+      // Check that the hook returns valid values and doesn't crash
+      expect(result.current).toBeDefined();
+      expect(result.current.error).toBeNull();
+      // hasGlobalPermission should work even with empty permission map
+      expect(result.current.hasGlobalPermission('read:users')).toBe(false);
+    });
+
+    it('handles access level mapping to event role correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' },
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockUseEvents.mockReturnValue({ selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'admin' }); // Should map to event_admin
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null, // No role from getRoleContext
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'event' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: 'event-1',
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Access level 'admin' should map to event_admin
+      expect(result.current.eventAppRole).toBe('event_admin');
+    });
+
+    it('handles super access level mapping correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' },
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockUseEvents.mockReturnValue({ selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'super' }); // Should map to event_admin
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'event' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: 'event-1',
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Access level 'super' should map to event_admin
+      expect(result.current.eventAppRole).toBe('event_admin');
+    });
+
+    it('handles viewer access level mapping correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' },
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockUseEvents.mockReturnValue({ selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'event' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: 'event-1',
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Access level 'viewer' should map to viewer
+      expect(result.current.eventAppRole).toBe('viewer');
+    });
+
+    it('handles participant access level mapping correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' },
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockUseEvents.mockReturnValue({ selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'participant' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'event' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: 'event-1',
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Access level 'participant' should map to participant
+      expect(result.current.eventAppRole).toBe('participant');
+    });
+
+    it('handles planner access level mapping correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' },
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockUseEvents.mockReturnValue({ selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'planner' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'event' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: 'event-1',
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Access level 'planner' should map to planner
+      expect(result.current.eventAppRole).toBe('planner');
+    });
+
+    it('handles unknown access level mapping correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' },
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockUseEvents.mockReturnValue({ selectedEvent: { event_id: 'event-1', organisation_id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'unknown' as any });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'event' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: 'event-1',
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Unknown access level should map to null
+      expect(result.current.eventAppRole).toBeNull();
+    });
+
+    it('handles hasGlobalPermission with wildcard permission', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: { '*': true } }); // Wildcard permission
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Wildcard permission should grant all permissions
+      expect(result.current.hasGlobalPermission('any:permission')).toBe(true);
+      expect(result.current.isSuperAdmin).toBe(true);
+    });
+
+    it('handles hasGlobalPermission with org_admin permission string', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: 'org_admin',
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should check organisationRole when permission is 'org_admin'
+      expect(result.current.hasGlobalPermission('org_admin')).toBe(true);
+    });
+
+    it('handles hasGlobalPermission with super_admin permission string', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: true } });
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: 'super_admin',
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'app-123',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should check globalRole when permission is 'super_admin'
+      expect(result.current.hasGlobalPermission('super_admin')).toBe(true);
+    });
+
+    it('handles app access denial for non-PORTAL/ADMIN apps', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: { appId: 'app-123' as any, hasAccess: false } }); // No access
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should set error when access is denied
+      expect(result.current.error).toBeInstanceOf(Error);
+      expect(result.current.error?.message).toContain('does not have access to app');
+    });
+
+    it('handles app context resolution returning null', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      mockResolveAppContext.mockResolvedValue({ ok: true, data: null }); // No app context
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should set error when app context is null
+      expect(result.current.error).toBeInstanceOf(Error);
+      expect(result.current.error?.message).toContain('does not have access to app');
+    });
+
+    it('handles contextAppId from UnifiedAuthProvider', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        appId: 'context-app-id' as any, // Context appId
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: false,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+      // Don't call resolveAppContext since appId is already available
+      mockGetPermissionMap.mockResolvedValue({ ok: true, data: {} });
+      mockGetAccessLevel.mockResolvedValue({ ok: true, data: 'viewer' });
+      mockGetRoleContext.mockResolvedValue({
+        ok: true,
+        data: {
+          globalRole: null,
+          organisationRole: null,
+          eventAppRole: null,
+        },
+      });
+      mockGetPageScopeType.mockResolvedValue({ ok: true, data: 'organisation' });
+      mockContextValidator.resolveScopeForPage.mockResolvedValue({
+        isValid: true,
+        resolvedScope: {
+          organisationId: 'org-1',
+          eventId: undefined,
+          appId: 'context-app-id',
+        },
+        error: null,
+      });
+
+      const { result } = renderHook(() => useRBAC());
+
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      }, { timeout: 3000 });
+
+      // Should use contextAppId without calling resolveAppContext
+      expect(mockResolveAppContext).not.toHaveBeenCalled();
+      expect(result.current.error).toBeNull();
+    });
+
+    it('handles organisation context ready state correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: false, // Context not ready
+        organisationLoading: true,
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+
+      const { result } = renderHook(() => useRBAC());
+
+      // Should wait for context to be ready
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(true);
+      }, { timeout: 1000 });
+    });
+
+    it('handles organisation loading state correctly', async () => {
+      mockUseUnifiedAuth.mockReturnValue({
+        user: { id: 'user-1' },
+        session: { access_token: 'token' },
+        appName: 'test-app',
+        selectedOrganisation: { id: 'org-1' },
+        isContextReady: true,
+        organisationLoading: true, // Organisation is loading
+        selectedEvent: null,
+        eventLoading: false,
+        supabase: {} as any,
+      });
+      mockUseOrganisations.mockReturnValue({ selectedOrganisation: { id: 'org-1' } } as any);
+
+      const { result } = renderHook(() => useRBAC());
+
+      // Should wait for organisation loading to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(true);
+      }, { timeout: 1000 });
+    });
+  });
 });