@jmruthers/pace-core 0.2.7 → 0.5.1

package/src/rbac/__tests__/scope-isolation-comprehensive.test.ts

@@ -1,1349 +0,0 @@
-/**
- * Comprehensive Scope Isolation Tests
- * 
- * Tests that users only see what their organisation role allows:
- * - Organisation boundaries are enforced
- * - Event-App roles are restricted to their (event_id, app_id) pair
- * - Cross-org and cross-event access is denied by default
- * - Scope switching updates permissions correctly
- */
-
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { createRBACEngine, RBACEngine } from '../engine';
-import { Scope, Permission } from '../types';
-
-// Mock dependencies
-vi.mock('../cache');
-vi.mock('../audit');
-
-// Create a comprehensive mock for Supabase queries
-function createSupabaseMock() {
-  const mockQuery = {
-    select: vi.fn().mockReturnThis(),
-    eq: vi.fn().mockReturnThis(),
-    is: vi.fn().mockReturnThis(),
-    lte: vi.fn().mockReturnThis(),
-    gte: vi.fn().mockReturnThis(),
-    or: vi.fn().mockReturnThis(),
-    and: vi.fn().mockReturnThis(),
-    order: vi.fn().mockReturnThis(),
-    in: vi.fn().mockReturnThis(),
-    single: vi.fn().mockResolvedValue({ data: null, error: null }),
-    maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-    insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-  };
-
-  return {
-    from: vi.fn().mockReturnValue(mockQuery),
-    rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
-  };
-}
-
-describe('Scope Isolation - Comprehensive', () => {
-  let engine: RBACEngine;
-  let mockSupabase: ReturnType<typeof createSupabaseMock>;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    mockSupabase = createSupabaseMock();
-    engine = createRBACEngine(mockSupabase as any);
-  });
-
-  describe('Organisation Boundaries', () => {
-    it('should allow access within the same organisation', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission for the same org
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'member',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow within same organisation
-      expect(callCount).toBe(2); // Should check: global, organisation, audit
-    });
-
-    it('should deny access across different organisations', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-999' // Different org
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission for different org - should be empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // No roles for this org
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny across different organisations
-      expect(callCount).toBe(2); // Should check: global, organisation, audit
-    });
-
-    it('should enforce organisation context in all queries', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission for the same org
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'member',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow within same organisation
-      
-      // Verify that organisation context was used in queries
-      expect(mockSupabase.from).toHaveBeenCalledWith('rbac_organisation_roles');
-      expect(callCount).toBe(2); // Should check: global, organisation, audit
-    });
-  });
-
-  describe('Event-App Role Boundaries', () => {
-    it('should allow access within the same event-app pair', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:event.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission for the same event-app pair
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'event_admin',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permissions - empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow within same event-app pair
-      expect(callCount).toBe(4); // Should check: global, app config, event-app, organisation, audit
-    });
-
-    it('should deny access across different event-app pairs', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-999', // Different event
-        appId: 'app-101'
-      };
-      const permission: Permission = 'read:event.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission for different event-app pair - should be empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // No roles for this event-app pair
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permissions - empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny across different event-app pairs
-      expect(callCount).toBe(4); // Should check: global, app config, event-app, organisation, audit
-    });
-
-    it('should deny access across different apps within same event', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-999' // Different app
-      };
-      const permission: Permission = 'read:event.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission for different app - should be empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // No roles for this app
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permissions - empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny across different apps
-      expect(callCount).toBe(4); // Should check: global, app config, event-app, organisation, audit
-    });
-
-    it('should enforce event-app context in all queries', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:event.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission for the same event-app pair
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'event_admin',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permissions - empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(true); // Should allow within same event-app pair
-      
-      // Verify that event-app context was used in queries
-      expect(mockSupabase.from).toHaveBeenCalledWith('rbac_event_app_roles');
-      expect(callCount).toBe(4); // Should check: global, app config, event-app, organisation, audit
-    });
-  });
-
-  describe('Cross-Organisation and Cross-Event Access', () => {
-    it('should deny access when user has no roles in target organisation', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-999' // User has no roles in this org
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // No event-app permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permission for different org - should be empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // No roles for this org
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny when no roles in target org
-      expect(callCount).toBe(2); // Should check: global, organisation, audit
-    });
-
-    it('should deny access when user has no roles in target event-app', async () => {
-      const userId = 'user-123';
-      const scope: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-999', // User has no roles in this event
-        appId: 'app-101'
-      };
-      const permission: Permission = 'read:event.events';
-
-      // Mock all database calls with proper sequencing
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            // Super admin check - no super admin
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            // App configuration - default to requires_event: false
-            callCount++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            // No page permissions
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            // Event-app permission for different event - should be empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // No roles for this event-app pair
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            // Organisation permissions - empty
-            callCount++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            // Audit event insert
-            callCount++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result = await engine.isPermitted({
-        userId,
-        scope,
-        permission
-      });
-
-      expect(result).toBe(false); // Should deny when no roles in target event-app
-      expect(callCount).toBe(4); // Should check: global, app config, event-app, organisation, audit
-    });
-  });
-
-  describe('Scope Switching', () => {
-    it('should update permissions when switching organisations', async () => {
-      const userId = 'user-123';
-      
-      // First scope - user has access
-      const scope1: Scope = {
-        organisationId: 'org-456'
-      };
-      const permission: Permission = 'read:organisation.events';
-
-      // Mock all database calls for first scope
-      let callCount1 = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            callCount1++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_page_permissions':
-            callCount1++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            callCount1++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            callCount1++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'member',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            callCount1++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result1 = await engine.isPermitted({
-        userId,
-        scope: scope1,
-        permission
-      });
-
-      expect(result1).toBe(true); // Should allow in first org
-      expect(callCount1).toBe(2); // Should check: global, organisation, audit
-
-      // Reset mocks for second scope
-      vi.clearAllMocks();
-      mockSupabase = createSupabaseMock();
-      engine = createRBACEngine(mockSupabase as any);
-
-      // Second scope - user has no access
-      const scope2: Scope = {
-        organisationId: 'org-999' // Different org
-      };
-
-      // Mock all database calls for second scope
-      let callCount2 = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            callCount2++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_page_permissions':
-            callCount2++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            callCount2++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            callCount2++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // No roles for this org
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            callCount2++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result2 = await engine.isPermitted({
-        userId,
-        scope: scope2,
-        permission
-      });
-
-      expect(result2).toBe(false); // Should deny in second org
-      expect(callCount2).toBe(2); // Should check: global, organisation, audit
-    });
-
-    it('should update permissions when switching event-app pairs', async () => {
-      const userId = 'user-123';
-      
-      // First scope - user has access
-      const scope1: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-789',
-        appId: 'app-101'
-      };
-      const permission: Permission = 'manage:event.events';
-
-      // Mock all database calls for first scope
-      let callCount1 = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            callCount1++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            callCount1++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            callCount1++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            callCount1++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [{ 
-                  role: 'event_admin',
-                  status: 'active',
-                  valid_from: '2024-01-01T00:00:00Z',
-                  valid_to: null
-                }],
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            callCount1++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            callCount1++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result1 = await engine.isPermitted({
-        userId,
-        scope: scope1,
-        permission
-      });
-
-      expect(result1).toBe(true); // Should allow in first event-app
-      expect(callCount1).toBe(4); // Should check: global, app config, event-app, organisation, audit
-
-      // Reset mocks for second scope
-      vi.clearAllMocks();
-      mockSupabase = createSupabaseMock();
-      engine = createRBACEngine(mockSupabase as any);
-
-      // Second scope - user has no access
-      const scope2: Scope = {
-        organisationId: 'org-456',
-        eventId: 'event-999', // Different event
-        appId: 'app-101'
-      };
-
-      // Mock all database calls for second scope
-      let callCount2 = 0;
-      mockSupabase.from.mockImplementation((tableName: string) => {
-        const mockQuery = {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          is: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          gte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          and: vi.fn().mockReturnThis(),
-          order: vi.fn().mockReturnThis(),
-          in: vi.fn().mockReturnThis(),
-          single: vi.fn().mockResolvedValue({ data: null, error: null }),
-          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
-          insert: vi.fn().mockResolvedValue({ data: null, error: null }),
-        };
-
-        switch (tableName) {
-          case 'rbac_global_roles':
-            callCount2++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: null,
-                error: { code: 'PGRST116' }
-              })
-            };
-          case 'rbac_apps':
-            callCount2++;
-            return {
-              ...mockQuery,
-              single: vi.fn().mockResolvedValue({
-                data: { requires_event: false },
-                error: null
-              })
-            };
-          case 'rbac_page_permissions':
-            callCount2++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_event_app_roles':
-            callCount2++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [], // No roles for this event-app pair
-                error: null
-              })
-            };
-          case 'rbac_organisation_roles':
-            callCount2++;
-            return {
-              ...mockQuery,
-              or: vi.fn().mockResolvedValue({
-                data: [],
-                error: null
-              })
-            };
-          case 'rbac_audit_events':
-            callCount2++;
-            return {
-              ...mockQuery,
-              insert: vi.fn().mockResolvedValue({ data: null, error: null })
-            };
-          default:
-            return mockQuery;
-        }
-      });
-
-      const result2 = await engine.isPermitted({
-        userId,
-        scope: scope2,
-        permission
-      });
-
-      expect(result2).toBe(false); // Should deny in second event-app
-      expect(callCount2).toBe(4); // Should check: global, app config, event-app, organisation, audit
-    });
-  });
-});