@jmruthers/pace-core 0.2.7 → 0.5.1

package/src/rbac/__tests__/core-permission-logic-comprehensive.test.ts

@@ -1,1467 +0,0 @@
-/**
- * Comprehensive Core Permission Logic Tests
- * 
- * Tests the fundamental RBAC permission resolution logic including:
- * - Scope precedence (page → eventApp → organisation → global)
- * - Deny overrides allow
- * - Super admin bypass with audit logging
- * - Time-bound grants (valid_from/valid_to)
- * - Page-level rule refinements
- * - Permission matching (exact and wildcard)
- */
-
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { createRBACEngine, RBACEngine } from '../engine';
-import { Scope, Permission } from '../types';
-import { rbacCache } from '../cache';
-
-// Mock dependencies
-vi.mock('../cache');
-vi.mock('../audit');
-
-// Create a comprehensive mock for Supabase queries
-function createSupabaseMock() {
-  const mockQuery = {
-    select: vi.fn().mockReturnThis(),
-    eq: vi.fn().mockReturnThis(),
-    is: vi.fn().mockReturnThis(),
-    lte: vi.fn().mockReturnThis(),
-    gte: vi.fn().mockReturnThis(),
-    or: vi.fn().mockReturnThis(),
-    and: vi.fn().mockReturnThis(),
-    order: vi.fn().mockReturnThis(),
-    in: vi.fn().mockReturnThis(),
-    single: vi.fn().mockResolvedValue({ data: null, error: null }),
-    maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-    insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-  };
-
-  return {
-    from: vi.fn().mockReturnValue(mockQuery),
-    rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
-  };
-}
-
-describe('Core Permission Logic - Comprehensive', () => {
-  let engine: RBACEngine;
-  let mockSupabase: ReturnType<typeof createSupabaseMock>;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    // Clear the cache to ensure fresh state
-    rbacCache.clear();
-    // Reset the cache mock to return null by default
-    vi.mocked(rbacCache.get).mockReturnValue(null);
-    mockSupabase = createSupabaseMock();
-    engine = createRBACEngine(mockSupabase as any);
-  });
-
-  describe('Scope Precedence', () => {
-    it('should prioritize page permissions over event-app permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:page.events'; // Updated to match page permission format
-      const pageId = '12345678-1234-1234-1234-123456789012';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      
-      // Mock RPC calls for get_rbac_permissions
-      mockSupabase.rpc.mockImplementation((fnName: string, params: any) => {
-        if (fnName === 'get_rbac_permissions') {
-          callCount++;
-          // Return page-level deny for event_admin role
-          return Promise.resolve({
-            data: [
-              { permission_type: 'manage', role_name: 'event_admin', has_permission: false, granted_at: '2024-01-01T00:00:00Z' }
-            ],
-            error: null
-          });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-      
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_app_pages':
-            // Return page name for permission matching  
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { page_name: 'events' },
-                error: null
-              })
-            };
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission that ALLOWS (should be overridden)
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'event_admin', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that ALLOWS (should be overridden)
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'org_admin', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission,
-        pageId
-      });
-
-      expect(result).toBe(false); // Page deny should override event-app allow
-      expect(callCount).toBe(6); // Should check: super_admin, app_config, event_app, org, global_roles, rpc (page via RPC)
-    });
-
-    it('should prioritize event-app permissions over organisation permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'read:events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              eq: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission that DENIES
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'viewer', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that ALLOWS (should be overridden)
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'org_admin', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Event-app deny should override org allow
-      expect(callCount).toBe(5); // Should check all scopes (including app config)
-    });
-
-    it('should prioritize organisation permissions over global permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              eq: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that DENIES
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'supporter', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Org deny should override global allow
-      expect(callCount).toBe(3); // Should check super admin + organisation + audit
-    });
-  });
-
-  describe('Deny Overrides Allow', () => {
-    it('should deny access when any scope has explicit deny', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:events';
-      const pageId = '12345678-1234-1234-1234-123456789012';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      
-      // Mock RPC calls for get_rbac_permissions
-      mockSupabase.rpc.mockImplementation((fnName: string, params: any) => {
-        if (fnName === 'get_rbac_permissions') {
-          callCount++;
-          // Return page-level deny for supporter role
-          return Promise.resolve({
-            data: [
-              { permission_type: 'manage', role_name: 'supporter', has_permission: false, granted_at: '2024-01-01T00:00:00Z' }
-            ],
-            error: null
-          });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-      
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission that ALLOWS
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'event_admin', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that ALLOWS
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'supporter', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission,
-        pageId
-      });
-
-      expect(result).toBe(false); // Page deny should override all allows
-      expect(callCount).toBe(6); // Should check: super_admin, app_config, event_app, org, global_roles, rpc (page via RPC)
-    });
-
-    it('should allow access when no denies exist and at least one allow exists', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              eq: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that ALLOWS
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'member', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow when organisation permission exists
-      expect(callCount).toBe(5); // Should check all scopes (including app config)
-    });
-  });
-
-  describe('Super Admin Bypass', () => {
-    it('should allow super admin to access everything and log bypass', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:everything';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - super admin exists
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { id: 'role-123' },
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow due to super admin
-      expect(callCount).toBe(1); // Should check super admin and audit
-
-      // Verify audit event was emitted with bypass: true
-      const { emitAuditEvent } = await import('../audit');
-      expect(emitAuditEvent).toHaveBeenCalledWith(
-        expect.objectContaining({
-          type: 'permission_check',
-          userId,
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId,
-          permission,
-          decision: true,
-          source: 'api',
-          bypass: true,
-          duration_ms: expect.any(Number)
-        })
-      );
-    });
-
-    it('should not check other permissions when super admin exists', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:everything';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - super admin exists
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { id: 'role-123' },
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow due to super admin
-      expect(callCount).toBe(1); // Should check super admin and audit
-    });
-  });
-
-  describe('Time-bound Grants', () => {
-    it('should deny access for expired grants', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              eq: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that is EXPIRED - should return empty data
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // Empty because expired grants should be filtered out
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny for expired grants
-      expect(callCount).toBe(3); // Should check super admin + app config + organisation + audit
-    });
-
-    it('should deny access for future-dated grants', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              eq: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that is FUTURE-DATED - should return empty data
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // Empty because future-dated grants should be filtered out
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny for future-dated grants
-      expect(callCount).toBe(3); // Should check super admin + app config + organisation + audit
-    });
-
-    it('should allow access for valid time-bound grants', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              eq: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that is VALID time-bound
-            const pastDate = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString(); // Yesterday
-            const futureDate = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(); // Tomorrow
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'org_admin', 
-                  status: 'active', 
-                  valid_from: pastDate, 
-                  valid_to: futureDate 
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow for valid time-bound grants
-      expect(callCount).toBe(3); // Should check super admin + app config + organisation + audit
-    });
-  });
-
-  describe('Page-level Rule Refinements', () => {
-    it('should apply page-level permissions to refine broader permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:event.events';
-      const pageId = '12345678-1234-1234-1234-123456789012';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      
-      // Mock RPC calls for get_rbac_permissions
-      mockSupabase.rpc.mockImplementation((fnName: string, params: any) => {
-        if (fnName === 'get_rbac_permissions') {
-          callCount++;
-          // Return page-level allow for event_admin role
-          return Promise.resolve({
-            data: [
-              { permission_type: 'manage', role_name: 'event_admin', has_permission: true, granted_at: '2024-01-01T00:00:00Z' }
-            ],
-            error: null
-          });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-      
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permissions - user has event_admin role
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'event_admin',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permissions - empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission,
-        pageId
-      });
-
-      expect(result).toBe(true); // Should allow when page permission allows
-      expect(callCount).toBe(6); // Should check: super_admin, app_config, event_app, org, global_roles, rpc (page via RPC)
-    });
-
-    it('should deny access when page-level permission explicitly denies', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:page.events';
-      const pageId = '12345678-1234-1234-1234-123456789012';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      
-      // Mock RPC calls for get_rbac_permissions
-      mockSupabase.rpc.mockImplementation((fnName: string, params: any) => {
-        if (fnName === 'get_rbac_permissions') {
-          callCount++;
-          // Return page-level deny for event_admin role
-          return Promise.resolve({
-            data: [
-              { permission_type: 'manage', role_name: 'event_admin', has_permission: false, granted_at: '2024-01-01T00:00:00Z' }
-            ],
-            error: null
-          });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-      
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_app_pages':
-            // Return page name for permission matching
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { page_name: 'events' },
-                error: null
-              })
-            };
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission that ALLOWS (should be overridden)
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'event_admin', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that ALLOWS (should be overridden)
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ role: 'org_admin', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission,
-        pageId
-      });
-
-      expect(result).toBe(false); // Should deny when page permission denies
-      expect(callCount).toBe(6); // Should check: super_admin, app_config, event_app, org, global_roles, rpc (page via RPC)
-    });
-  });
-
-  describe('Permission Matching', () => {
-    it('should match exact permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              eq: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permissions - member role
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'member',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should match exact permission
-      expect(callCount).toBe(3); // Should check super admin + app config + organisation + audit
-    });
-
-    it('should match wildcard permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events.details';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              eq: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permissions - org_admin role
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'org_admin',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should match wildcard permission
-      expect(callCount).toBe(3); // Should check super admin + app config + organisation + audit
-    });
-  });
-});