@jmruthers/pace-core 0.2.7 → 0.5.1

package/src/rbac/__tests__/core-permission-logic-simple.test.ts

@@ -1,968 +0,0 @@
-/**
- * Simple Core Permission Logic Tests
- * 
- * Tests the fundamental RBAC permission resolution logic with the actual engine implementation:
- * - Scope precedence (page → eventApp → organisation → global)
- * - Deny overrides allow
- * - Super admin bypass with audit logging
- * - Time-bound grants (valid_from/valid_to)
- * - Page-level rule refinements
- */
-
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { createRBACEngine, RBACEngine } from '../engine';
-import { Scope, Permission } from '../types';
-import { rbacCache } from '../cache';
-
-// Mock dependencies
-vi.mock('../cache');
-vi.mock('../audit');
-
-// Create a comprehensive mock for Supabase queries
-function createSupabaseMock() {
-  const mockQuery = {
-    select: vi.fn().mockReturnThis(),
-    eq: vi.fn().mockReturnThis(),
-    is: vi.fn().mockReturnThis(),
-    lte: vi.fn().mockReturnThis(),
-    gte: vi.fn().mockReturnThis(),
-    or: vi.fn().mockReturnThis(),
-    and: vi.fn().mockReturnThis(),
-    order: vi.fn().mockReturnThis(),
-    in: vi.fn().mockReturnThis(),
-    single: vi.fn().mockResolvedValue({ data: null, error: null }),
-    maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-    insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-  };
-
-  return {
-    from: vi.fn().mockReturnValue(mockQuery),
-    rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
-  };
-}
-
-describe('Core Permission Logic - Simple', () => {
-  let engine: RBACEngine;
-  let mockSupabase: ReturnType<typeof createSupabaseMock>;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    // Clear the cache to ensure fresh state
-    rbacCache.clear();
-    // Reset the cache mock to return null by default
-    vi.mocked(rbacCache.get).mockReturnValue(null);
-    mockSupabase = createSupabaseMock();
-    engine = createRBACEngine(mockSupabase as any);
-  });
-
-  describe('Super Admin Bypass', () => {
-    it('should allow super admin to access everything and log bypass', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:everything';
-
-      // Mock super admin check to return true
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { id: 'role-123' }, // Super admin exists
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow due to super admin
-      
-      // Verify audit event was emitted with bypass: true
-      const { emitAuditEvent } = await import('../audit');
-      expect(emitAuditEvent).toHaveBeenCalledWith(
-        expect.objectContaining({
-          type: 'permission_check',
-          userId,
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId,
-          permission,
-          decision: true,
-          source: 'api',
-          bypass: true,
-          duration_ms: expect.any(Number)
-        })
-      );
-    });
-
-    it('should not check other permissions when super admin exists', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:everything';
-
-      // Mock super admin check to return true
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { id: 'role-123' }, // Super admin exists
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow due to super admin
-      
-      // Verify only super admin check was called, not other permission checks
-      expect(mockSupabase.from).toHaveBeenCalledWith('rbac_global_roles');
-      expect(mockSupabase.from).not.toHaveBeenCalledWith('rbac_page_permissions');
-      expect(mockSupabase.from).not.toHaveBeenCalledWith('rbac_event_app_roles');
-      expect(mockSupabase.from).not.toHaveBeenCalledWith('rbac_organisation_roles');
-      
-      // Verify audit event was emitted
-      const { emitAuditEvent } = await import('../audit');
-      expect(emitAuditEvent).toHaveBeenCalledWith(
-        expect.objectContaining({
-          type: 'permission_check',
-          userId,
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId,
-          permission,
-          decision: true,
-          source: 'api',
-          bypass: true,
-          duration_ms: expect.any(Number)
-        })
-      );
-    });
-  });
-
-  describe('Organisation Role Permissions', () => {
-    it('should allow access when user has organisation role', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // No super admin
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission - member role
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'member',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow when organisation permission exists
-    });
-
-    it('should deny access when user lacks organisation role', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // No super admin
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // No organisation permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny when no organisation permission exists
-    });
-  });
-
-  describe('Event-App Role Permissions', () => {
-    it('should allow access when user has event-app role', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'read:event.events';
-
-      // Mock all database calls
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // No super admin
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission - participant role
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'participant',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // No organisation permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow when event-app permission exists
-    });
-
-    it('should deny access when user lacks event-app role', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'read:event.events';
-
-      // Mock all database calls
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // No super admin
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // No organisation permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny when no event-app permission exists
-    });
-  });
-
-  describe('Time-bound Grants', () => {
-    it('should deny access for expired grants', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls with expired grant
-      const expiredDate = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString(); // Yesterday
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // No super admin
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that is EXPIRED - SQL query filters this out
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // Empty because SQL query filtered out expired grants
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny for expired grants
-    });
-
-    it('should allow access for valid time-bound grants', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls with valid grant
-      const pastDate = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString(); // Yesterday
-      const futureDate = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(); // Tomorrow
-      
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // No super admin
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission that is VALID time-bound
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'member',
-                  status: 'active',
-                  valid_from: pastDate,
-                  valid_to: futureDate // Valid time range
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow for valid time-bound grants
-    });
-  });
-
-  describe('Permission Matching', () => {
-    it('should match exact permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // No super admin
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission - member role
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'member',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should match exact permission
-    });
-
-    it('should match wildcard permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events.details';
-
-      // Mock all database calls
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // No super admin
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission - member role (has read:organisation.*)
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'member',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should match wildcard permission
-    });
-  });
-});