Add role loading fallback to HasPermission check

Extract ash_resource? helper to reduce nesting depth.
Add ensure_role_loaded fallback for unloaded actor roles.

lib/mv/authorization/checks/has_permission.ex

@@ -8,10 +8,37 @@ defmodule Mv.Authorization.Checks.HasPermission do
   3. Finds matching permission for current resource + action
   4. Applies scope filter (:own, :linked, :all)
 
+  ## Important: strict_check Behavior
+
+  For filter-based scopes (`:own`, `:linked`):
+  - **WITH record**: Evaluates filter against record (returns `true`/`false`)
+  - **WITHOUT record** (queries/lists): Returns `false`
+
+  **Why `false` instead of `:unknown`?**
+
+  Ash's policy evaluation doesn't reliably call `auto_filter` when `strict_check`
+  returns `:unknown`. To ensure list queries work correctly, resources **MUST** use
+  bypass policies with `expr()` for READ operations (see `docs/policy-bypass-vs-haspermission.md`).
+
+  This means `HasPermission` is **NOT** generically reusable for query authorization
+  with filter scopes - it requires companion bypass policies.
+
+  ## Usage Pattern
+
+  See `docs/policy-bypass-vs-haspermission.md` for the two-tier pattern:
+  - **READ**: `bypass` with `expr()` (handles auto_filter)
+  - **UPDATE/CREATE/DESTROY**: `HasPermission` (handles scope evaluation)
+
   ## Usage in Ash Resource
 
       policies do
-        policy action_type(:read) do
+        # READ: Bypass for list queries
+        bypass action_type(:read) do
+          authorize_if expr(id == ^actor(:id))
+        end
+
+        # UPDATE: HasPermission for scope evaluation
+        policy action_type([:update, :create, :destroy]) do
           authorize_if Mv.Authorization.Checks.HasPermission
         end
       end
@@ -34,6 +61,12 @@ defmodule Mv.Authorization.Checks.HasPermission do
 
   All errors result in Forbidden (policy fails).
 
+  ## Role Loading Fallback
+
+  If the actor's `:role` relationship is `%Ash.NotLoaded{}`, this check will
+  attempt to load it automatically. This provides a fallback if `on_mount` hooks
+  didn't run (e.g., in non-LiveView contexts).
+
   ## Examples
 
       # In a resource policy
@@ -83,6 +116,9 @@ defmodule Mv.Authorization.Checks.HasPermission do
 
   # Helper function to reduce nesting depth
   defp strict_check_with_permissions(actor, resource, action, record) do
+    # Ensure role is loaded (fallback if on_mount didn't run)
+    actor = ensure_role_loaded(actor)
+
     with %{role: %{permission_set_name: ps_name}} when not is_nil(ps_name) <- actor,
          {:ok, ps_atom} <- PermissionSets.permission_set_name_to_atom(ps_name),
          permissions <- PermissionSets.get_permissions(ps_atom),
@@ -353,4 +389,31 @@ defmodule Mv.Authorization.Checks.HasPermission do
   defp get_resource_name_for_logging(_resource) do
     "unknown"
   end
+
+  # Fallback: Load role if not loaded (in case on_mount didn't run)
+  defp ensure_role_loaded(%{role: %Ash.NotLoaded{}} = actor) do
+    if ash_resource?(actor) do
+      load_role_for_actor(actor)
+    else
+      # Not an Ash resource (plain map), return as-is
+      actor
+    end
+  end
+
+  defp ensure_role_loaded(actor), do: actor
+
+  # Check if actor is a valid Ash resource
+  defp ash_resource?(actor) do
+    is_map(actor) and Map.has_key?(actor, :__struct__) and
+      function_exported?(actor.__struct__, :__ash_resource__, 0)
+  end
+
+  # Attempt to load role for Ash resource
+  defp load_role_for_actor(actor) do
+    case Ash.load(actor, :role, domain: Mv.Accounts, actor: actor) do
+      {:ok, loaded} -> loaded
+      # Return original if loading fails
+      {:error, _} -> actor
+    end
+  end
 end