@jmruthers/pace-core 0.2.7 → 0.5.1

package/src/rbac/__tests__/core-permission-logic.test.ts

@@ -1,966 +0,0 @@
-/**
- * Core Permission Logic Tests
- * 
- * Tests the fundamental RBAC permission resolution logic including:
- * - Scope precedence (page → eventApp → organisation → global)
- * - Deny overrides allow
- * - Super admin bypass with audit logging
- * - Time-bound grants (valid_from/valid_to)
- * - Page-level rule refinements
- */
-
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { createRBACEngine, RBACEngine } from '../engine';
-import { Scope, Permission } from '../types';
-import { rbacCache } from '../cache';
-
-// Mock dependencies
-vi.mock('../cache');
-vi.mock('../audit');
-
-// Create a comprehensive mock for Supabase queries
-function createSupabaseMock() {
-  const mockQuery = {
-    select: vi.fn().mockReturnThis(),
-    eq: vi.fn().mockReturnThis(),
-    is: vi.fn().mockReturnThis(),
-    lte: vi.fn().mockReturnThis(),
-    gte: vi.fn().mockReturnThis(),
-    or: vi.fn().mockReturnThis(),
-    and: vi.fn().mockReturnThis(),
-    order: vi.fn().mockReturnThis(),
-    in: vi.fn().mockReturnThis(),
-    single: vi.fn().mockResolvedValue({ data: null, error: null }),
-    maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-  };
-
-  return {
-    from: vi.fn().mockReturnValue(mockQuery),
-    rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
-  };
-}
-
-describe('Core Permission Logic', () => {
-  let engine: RBACEngine;
-  let mockSupabase: ReturnType<typeof createSupabaseMock>;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    // Clear the cache to ensure fresh state
-    rbacCache.clear();
-    // Reset the cache mock to return null by default
-    vi.mocked(rbacCache.get).mockReturnValue(null);
-    mockSupabase = createSupabaseMock();
-    engine = createRBACEngine(mockSupabase as any);
-  });
-
-  describe('Scope Precedence', () => {
-    it('should prioritize page permissions over event-app permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:events';
-      const pageId = 'page-999';
-
-      // Mock: No super admin
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        single: vi.fn().mockResolvedValue({
-          data: null,
-          error: { code: 'PGRST116' }
-        })
-      });
-
-      // Mock: Page permission that DENIES (should override)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ operation: 'manage', role_name: 'event_admin', allowed: false }],
-          error: null
-        })
-      });
-
-      // Mock: Event-app permission that ALLOWS (should be overridden)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'event_admin', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      // Mock: Organisation permission that ALLOWS (should be overridden)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'org_admin', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      // Mock: Global permission that ALLOWS (should be overridden)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission,
-        pageId
-      });
-
-      expect(result).toBe(false); // Page deny should override event-app allow
-    });
-
-    it('should prioritize event-app permissions over organisation permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'read:events';
-
-      // Mock: No super admin
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        single: vi.fn().mockResolvedValue({
-          data: null,
-          error: { code: 'PGRST116' }
-        })
-      });
-
-      // Mock: No page permissions
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      // Mock: Event-app permission that DENIES
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'viewer', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      // Mock: Organisation permission that ALLOWS (should be overridden)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'org_admin', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      // Mock: Global permission that ALLOWS (should be overridden)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Event-app deny should override org allow
-    });
-
-    it('should prioritize organisation permissions over global permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events';
-
-      // Mock: No super admin
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        single: vi.fn().mockResolvedValue({
-          data: null,
-          error: { code: 'PGRST116' }
-        })
-      });
-
-      // Mock: No page permissions
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      // Mock: No event-app permissions
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      // Mock: Organisation permission that DENIES
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'supporter', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      // Mock: Global permission that ALLOWS (should be overridden)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'super_admin', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Org deny should override global allow
-    });
-  });
-
-  describe('Deny Overrides Allow', () => {
-    it('should deny access when any scope has explicit deny', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:events';
-      const pageId = 'page-999';
-
-      // Mock: No super admin
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        single: vi.fn().mockResolvedValue({
-          data: null,
-          error: { code: 'PGRST116' }
-        })
-      });
-
-      // Mock: Page permission that ALLOWS
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ operation: 'manage', role_name: 'event_admin', allowed: true }],
-          error: null
-        })
-      });
-
-      // Mock: Event-app permission that ALLOWS
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'event_admin', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      // Mock: Organisation permission that DENIES (should override all allows)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'supporter', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      // Mock: Global permission that ALLOWS (should be overridden)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'super_admin', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission,
-        pageId
-      });
-
-      expect(result).toBe(false); // Org deny should override all allows
-    });
-
-    it('should allow access when no denies exist and at least one allow exists', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Create a comprehensive mock that handles all database calls
-      const createMockQuery = (tableName: string, data: any[] = [], error: any = null) => ({
-        select: vi.fn().mockReturnThis(),
-        eq: vi.fn().mockReturnThis(),
-        is: vi.fn().mockReturnThis(),
-        lte: vi.fn().mockReturnThis(),
-        gte: vi.fn().mockReturnThis(),
-        or: vi.fn().mockResolvedValue({ data, error }),
-        single: vi.fn().mockResolvedValue({ 
-          data: data[0] || null, 
-          error: data.length === 0 ? { code: 'PGRST116' } : null 
-        }),
-        insert: vi.fn().mockResolvedValue({ data: null, error: null })
-      });
-
-      // Mock all database calls - use a more flexible approach
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            return createMockQuery(tableName, []);
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return createMockQuery(tableName, [{ requires_event: false }]);
-          case 'rbac_page_permissions':
-            // Page permissions - empty
-            return createMockQuery(tableName, []);
-          case 'rbac_event_app_roles':
-            // Event-app permissions - empty
-            return createMockQuery(tableName, []);
-          case 'rbac_organisation_roles':
-            // Organisation permissions - member role
-            return createMockQuery(tableName, [{ 
-              role: 'member', 
-              status: 'active', 
-              valid_from: '2024-01-01T00:00:00Z', 
-              valid_to: null 
-            }]);
-          case 'rbac_audit_events':
-            // Audit events
-            return createMockQuery(tableName, []);
-          default:
-            // Default mock for any other table
-            return createMockQuery(tableName, []);
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      console.log('Test result:', result);
-      console.log('Mock calls:', mockSupabase.from.mock.calls.length);
-      console.log('Mock calls:', mockSupabase.from.mock.calls);
-
-      expect(result).toBe(true); // Should allow when organisation permission exists
-    });
-  });
-
-  describe('Super Admin Bypass', () => {
-    it('should allow super admin to access everything and log bypass', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:everything';
-
-      // Mock: Super admin exists
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        single: vi.fn().mockResolvedValue({
-          data: { id: 'role-123' },
-          error: null
-        })
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true);
-
-      // Verify audit event was emitted with bypass: true
-      const { emitAuditEvent } = await import('../audit');
-      expect(emitAuditEvent).toHaveBeenCalledWith(
-        expect.objectContaining({
-          type: 'permission_check',
-          userId,
-          organisationId: scope.organisationId,
-          eventId: scope.eventId,
-          appId: scope.appId,
-          permission,
-          decision: true,
-          source: 'api',
-          bypass: true,
-          duration_ms: expect.any(Number)
-        })
-      );
-    });
-
-    it('should not check other permissions when super admin exists', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:everything';
-
-      // Create a comprehensive mock that handles all database calls
-      const createMockQuery = (tableName: string, data: any[] = [], error: any = null) => ({
-        select: vi.fn().mockReturnThis(),
-        eq: vi.fn().mockReturnThis(),
-        is: vi.fn().mockReturnThis(),
-        lte: vi.fn().mockReturnThis(),
-        gte: vi.fn().mockReturnThis(),
-        or: vi.fn().mockResolvedValue({ data, error }),
-        single: vi.fn().mockResolvedValue({ 
-          data: data[0] || null, 
-          error: data.length === 0 ? { code: 'PGRST116' } : null 
-        }),
-        insert: vi.fn().mockResolvedValue({ data: null, error: null })
-      });
-
-      // Mock all database calls - super admin should be found
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - super admin exists
-            return createMockQuery(tableName, [{ id: 'role-123' }]);
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return createMockQuery(tableName, [{ requires_event: false }]);
-          case 'rbac_audit_events':
-            // Audit events
-            return createMockQuery(tableName, []);
-          default:
-            // Default mock for any other table
-            return createMockQuery(tableName, []);
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      // Should return true due to super admin
-      expect(result).toBe(true);
-      
-      // Verify super admin check was called
-      expect(mockSupabase.from).toHaveBeenCalledWith('rbac_global_roles');
-    });
-  });
-
-  describe('Time-bound Grants', () => {
-    it('should deny access for expired grants', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events';
-
-      // Mock: No super admin
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        single: vi.fn().mockResolvedValue({
-          data: null,
-          error: { code: 'PGRST116' }
-        })
-      });
-
-      // Mock: No page permissions
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      // Mock: No event-app permissions
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      // Mock: Organisation permission that is EXPIRED
-      const expiredDate = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString(); // Yesterday
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ 
-            role: 'org_admin', 
-            status: 'active', 
-            valid_from: '2024-01-01T00:00:00Z', 
-            valid_to: expiredDate 
-          }],
-          error: null
-        })
-      });
-
-      // Mock: Global permission that is EXPIRED
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ 
-            role: 'super_admin', 
-            valid_from: '2024-01-01T00:00:00Z', 
-            valid_to: expiredDate 
-          }],
-          error: null
-        })
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny for expired grants
-    });
-
-    it('should deny access for future-dated grants', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events';
-
-      // Mock: No super admin
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        single: vi.fn().mockResolvedValue({
-          data: null,
-          error: { code: 'PGRST116' }
-        })
-      });
-
-      // Mock: No page permissions
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      // Mock: No event-app permissions
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      // Mock: Organisation permission that is FUTURE-DATED
-      const futureDate = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(); // Tomorrow
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ 
-            role: 'org_admin', 
-            status: 'active', 
-            valid_from: futureDate, 
-            valid_to: null 
-          }],
-          error: null
-        })
-      });
-
-      // Mock: Global permission that is FUTURE-DATED
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ 
-            role: 'super_admin', 
-            valid_from: futureDate, 
-            valid_to: null 
-          }],
-          error: null
-        })
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny for future-dated grants
-    });
-
-    it('should allow access for valid time-bound grants', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events';
-
-      // Create a comprehensive mock that handles all database calls
-      const createMockQuery = (tableName: string, data: any[] = [], error: any = null) => ({
-        select: vi.fn().mockReturnThis(),
-        eq: vi.fn().mockReturnThis(),
-        is: vi.fn().mockReturnThis(),
-        lte: vi.fn().mockReturnThis(),
-        gte: vi.fn().mockReturnThis(),
-        or: vi.fn().mockResolvedValue({ data, error }),
-        single: vi.fn().mockResolvedValue({ 
-          data: data[0] || null, 
-          error: data.length === 0 ? { code: 'PGRST116' } : null 
-        }),
-        insert: vi.fn().mockResolvedValue({ data: null, error: null })
-      });
-
-      // Mock all database calls - valid time-bound organisation permission
-      const pastDate = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString(); // Yesterday
-      const futureDate = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(); // Tomorrow
-      
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            return createMockQuery(tableName, []);
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return createMockQuery(tableName, [{ requires_event: false }]);
-          case 'rbac_page_permissions':
-            // Page permissions - empty
-            return createMockQuery(tableName, []);
-          case 'rbac_event_app_roles':
-            // Event-app permissions - empty
-            return createMockQuery(tableName, []);
-          case 'rbac_organisation_roles':
-            // Organisation permissions - valid time-bound org_admin role
-            return createMockQuery(tableName, [{ 
-              role: 'org_admin', 
-              status: 'active', 
-              valid_from: pastDate, 
-              valid_to: futureDate 
-            }]);
-          case 'rbac_audit_events':
-            // Audit events
-            return createMockQuery(tableName, []);
-          default:
-            // Default mock for any other table
-            return createMockQuery(tableName, []);
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow for valid time-bound grants
-    });
-  });
-
-  describe('Page-level Rule Refinements', () => {
-    it('should apply page-level permissions to refine broader permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:event.events';
-      const pageId = 'page-999';
-
-      // Create a comprehensive mock that handles all database calls
-      const createMockQuery = (tableName: string, data: any[] = [], error: any = null) => ({
-        select: vi.fn().mockReturnThis(),
-        eq: vi.fn().mockReturnThis(),
-        is: vi.fn().mockReturnThis(),
-        lte: vi.fn().mockReturnThis(),
-        gte: vi.fn().mockReturnThis(),
-        or: vi.fn().mockResolvedValue({ data, error }),
-        single: vi.fn().mockResolvedValue({ 
-          data: data[0] || null, 
-          error: data.length === 0 ? { code: 'PGRST116' } : null 
-        }),
-        insert: vi.fn().mockResolvedValue({ data: null, error: null })
-      });
-
-      // Mock all database calls - page permission should allow
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            return createMockQuery(tableName, []);
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return createMockQuery(tableName, [{ requires_event: false }]);
-          case 'rbac_page_permissions':
-            // Page permissions - allow manage operation
-            return createMockQuery(tableName, [{ 
-              operation: 'manage', 
-              role_name: 'event_admin', 
-              allowed: true 
-            }]);
-          case 'rbac_event_app_roles':
-            // Event-app permissions - user has event_admin role
-            return createMockQuery(tableName, [{ 
-              role: 'event_admin',
-              status: 'active',
-              valid_from: '2024-01-01T00:00:00Z',
-              valid_to: null
-            }]);
-          case 'rbac_organisation_roles':
-            // Organisation permissions - empty
-            return createMockQuery(tableName, []);
-          case 'rbac_audit_events':
-            // Audit events
-            return createMockQuery(tableName, []);
-          default:
-            // Default mock for any other table
-            return createMockQuery(tableName, []);
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission,
-        pageId
-      });
-
-      expect(result).toBe(true); // Should allow when page permission allows
-    });
-
-    it('should deny access when page-level permission explicitly denies', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:events';
-      const pageId = 'page-999';
-
-      // Mock: No super admin
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        single: vi.fn().mockResolvedValue({
-          data: null,
-          error: { code: 'PGRST116' }
-        })
-      });
-
-      // Mock: Page permission that DENIES specific operation
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ operation: 'manage', role_name: 'event_admin', allowed: false }],
-          error: null
-        })
-      });
-
-      // Mock: Event-app permission that ALLOWS (should be overridden)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'event_admin', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      // Mock: Organisation permission that ALLOWS (should be overridden)
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [{ role: 'org_admin', status: 'active', valid_from: '2024-01-01T00:00:00Z', valid_to: null }],
-          error: null
-        })
-      });
-
-      // Mock: Global permission
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        or: vi.fn().mockResolvedValue({
-          data: [],
-          error: null
-        })
-      });
-
-      // Mock: Audit event insert
-      mockSupabase.from.mockReturnValueOnce({
-        ...mockSupabase.from(),
-        insert: vi.fn().mockResolvedValue({ data: null, error: null })
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission,
-        pageId
-      });
-
-      expect(result).toBe(false); // Should deny when page permission denies
-    });
-  });
-
-  describe('Permission Matching', () => {
-    it('should match exact permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Create a comprehensive mock that handles all database calls
-      const createMockQuery = (tableName: string, data: any[] = [], error: any = null) => ({
-        select: vi.fn().mockReturnThis(),
-        eq: vi.fn().mockReturnThis(),
-        is: vi.fn().mockReturnThis(),
-        lte: vi.fn().mockReturnThis(),
-        gte: vi.fn().mockReturnThis(),
-        or: vi.fn().mockResolvedValue({ data, error }),
-        single: vi.fn().mockResolvedValue({ 
-          data: data[0] || null, 
-          error: data.length === 0 ? { code: 'PGRST116' } : null 
-        }),
-        insert: vi.fn().mockResolvedValue({ data: null, error: null })
-      });
-
-      // Mock all database calls - organisation permission should allow
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            return createMockQuery(tableName, []);
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return createMockQuery(tableName, [{ requires_event: false }]);
-          case 'rbac_page_permissions':
-            // Page permissions - empty
-            return createMockQuery(tableName, []);
-          case 'rbac_event_app_roles':
-            // Event-app permissions - empty
-            return createMockQuery(tableName, []);
-          case 'rbac_organisation_roles':
-            // Organisation permissions - member role
-            return createMockQuery(tableName, [{ 
-              role: 'member',
-              status: 'active',
-              valid_from: '2024-01-01T00:00:00Z',
-              valid_to: null
-            }]);
-          case 'rbac_audit_events':
-            // Audit events
-            return createMockQuery(tableName, []);
-          default:
-            // Default mock for any other table
-            return createMockQuery(tableName, []);
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should match exact permission
-    });
-
-    it('should match wildcard permissions', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'manage:organisation.events.details';
-
-      // Create a comprehensive mock that handles all database calls
-      const createMockQuery = (tableName: string, data: any[] = [], error: any = null) => ({
-        select: vi.fn().mockReturnThis(),
-        eq: vi.fn().mockReturnThis(),
-        is: vi.fn().mockReturnThis(),
-        lte: vi.fn().mockReturnThis(),
-        gte: vi.fn().mockReturnThis(),
-        or: vi.fn().mockResolvedValue({ data, error }),
-        single: vi.fn().mockResolvedValue({ 
-          data: data[0] || null, 
-          error: data.length === 0 ? { code: 'PGRST116' } : null 
-        }),
-        insert: vi.fn().mockResolvedValue({ data: null, error: null })
-      });
-
-      // Mock all database calls - organisation permission should allow with wildcard
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            return createMockQuery(tableName, []);
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            return createMockQuery(tableName, [{ requires_event: false }]);
-          case 'rbac_page_permissions':
-            // Page permissions - empty
-            return createMockQuery(tableName, []);
-          case 'rbac_event_app_roles':
-            // Event-app permissions - empty
-            return createMockQuery(tableName, []);
-          case 'rbac_organisation_roles':
-            // Organisation permissions - org_admin role
-            return createMockQuery(tableName, [{ 
-              role: 'org_admin',
-              status: 'active',
-              valid_from: '2024-01-01T00:00:00Z',
-              valid_to: null
-            }]);
-          case 'rbac_audit_events':
-            // Audit events
-            return createMockQuery(tableName, []);
-          default:
-            // Default mock for any other table
-            return createMockQuery(tableName, []);
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should match wildcard permission
-    });
-  });
-});