@jmruthers/pace-core 0.5.136 → 0.5.137

package/src/utils/secureDataAccess.test.ts

@@ -0,0 +1,711 @@
+/**
+ * @file Secure Data Access Utility Tests
+ * @package @jmruthers/pace-core
+ * @module Utils/SecureDataAccess
+ * @since 0.4.0
+ *
+ * Comprehensive tests for secure data access utilities that enforce organisation context.
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import type { SupabaseClient } from '@supabase/supabase-js';
+import { createSecureDataAccess, useSecureDataAccess } from './secureDataAccess';
+import type { DatabaseRecord, DatabaseData, DatabaseFilters, SecureQueryOptions } from './secureDataAccess';
+
+// Mock Supabase client
+const mockSupabaseClient = {
+  from: vi.fn(),
+} as unknown as SupabaseClient;
+
+// Mock query builder with proper Promise-like behavior
+let mockQueryBuilder: any;
+
+const createMockQueryBuilder = (customData?: any, customError?: any) => {
+  const builder: any = {
+    select: vi.fn(function(this: any) { return this; }),
+    eq: vi.fn(function(this: any) { return this; }),
+    order: vi.fn(function(this: any) { return this; }),
+    limit: vi.fn(function(this: any) { return this; }),
+    range: vi.fn(function(this: any) { return this; }),
+    insert: vi.fn(function(this: any) { return this; }),
+    update: vi.fn(function(this: any) { return this; }),
+    delete: vi.fn(function(this: any) { return this; }),
+    single: vi.fn().mockImplementation(() => {
+      const data = customData !== undefined ? customData : { id: 'test-123' };
+      const error = customError !== undefined ? customError : null;
+      
+      // For single queries, return { data, error } structure, don't reject
+      return Promise.resolve({ data, error });
+    }),
+  };
+  
+  // Make it thenable (awaitable) with custom data/error support
+  builder.then = function(resolve: any, reject: any) {
+    const data = customData !== undefined ? customData : [{ id: 'test-123' }];
+    const error = customError !== undefined ? customError : null;
+    
+    if (error) {
+      return Promise.reject(error).then(resolve, reject);
+    }
+    return Promise.resolve({ data, error }).then(resolve, reject);
+  };
+  
+  return builder;
+};
+
+describe('secureDataAccess', () => {
+  let secureDataAccess: ReturnType<typeof createSecureDataAccess>;
+  const mockOrganisationId = 'org-123';
+  const mockTable = 'pace_person'; // Use a table that has organisation_id column
+  const mockSelect = 'id, name, organisation_id';
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Create a fresh mock query builder for each test
+    mockQueryBuilder = createMockQueryBuilder();
+    mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+  });
+
+    describe('createSecureDataAccess', () => {
+    describe('Regular User (Non-Super Admin)', () => {
+      beforeEach(() => {
+        secureDataAccess = createSecureDataAccess(mockSupabaseClient, mockOrganisationId, false);
+      });
+
+      describe('validateOrganisationContext', () => {
+        it('should throw error when organisation ID is empty', () => {
+          expect(() => {
+            secureDataAccess.validateOrganisationContext('');
+          }).toThrow('Organisation context is required for secure data access');
+        });
+
+        it('should throw error when organisation ID is null', () => {
+          expect(() => {
+            secureDataAccess.validateOrganisationContext(null as any);
+          }).toThrow('Organisation context is required for secure data access');
+        });
+
+        it('should throw error when organisation ID is undefined', () => {
+          expect(() => {
+            secureDataAccess.validateOrganisationContext(undefined as any);
+          }).toThrow('Organisation context is required for secure data access');
+        });
+
+        it('should not throw error when organisation ID is valid', () => {
+          expect(() => {
+            secureDataAccess.validateOrganisationContext(mockOrganisationId);
+          }).not.toThrow();
+        });
+      });
+
+      describe('ensureOrganisationColumn', () => {
+        it('should return true for tables with organisation_id column', () => {
+          expect(secureDataAccess.ensureOrganisationColumn('event')).toBe(true);
+          expect(secureDataAccess.ensureOrganisationColumn('organisation_settings')).toBe(true);
+          expect(secureDataAccess.ensureOrganisationColumn('rbac_event_app_roles')).toBe(true);
+        });
+
+        it('should return false for tables without organisation_id column', () => {
+          expect(secureDataAccess.ensureOrganisationColumn('unknown_table')).toBe(false);
+          expect(secureDataAccess.ensureOrganisationColumn('system_table')).toBe(false);
+        });
+      });
+
+      describe('secureQuery', () => {
+        it('should execute query with organisation filter', async () => {
+          const mockData = [
+            { id: '1', name: 'Test 1', organisation_id: mockOrganisationId },
+            { id: '2', name: 'Test 2', organisation_id: mockOrganisationId }
+          ];
+          
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId
+          };
+
+          const result = await secureDataAccess.secureQuery(options);
+
+          expect(mockSupabaseClient.from).toHaveBeenCalledWith(mockTable);
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+          expect(result).toEqual(mockData);
+        });
+
+        it('should handle query errors', async () => {
+          const mockError = new Error('Database error');
+          // Create a new mock with the error
+          mockQueryBuilder = createMockQueryBuilder(null, mockError);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId
+          };
+
+          await expect(secureDataAccess.secureQuery(options)).rejects.toThrow('Database error');
+        });
+
+        it('should return empty array when data is not an array', async () => {
+          // Create a new mock with null data (not an array)
+          mockQueryBuilder = createMockQueryBuilder(null);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId
+          };
+
+          const result = await secureDataAccess.secureQuery(options);
+          expect(result).toEqual([]);
+        });
+
+        it('should apply additional filters', async () => {
+          const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId,
+            filters: { name: 'Test', status: 'active' }
+          };
+
+          await secureDataAccess.secureQuery(options);
+
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('name', 'Test');
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('status', 'active');
+        });
+
+        it('should handle qualified column names in filters', async () => {
+          const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId,
+            filters: { 'users.role': 'admin' }
+          };
+
+          await secureDataAccess.secureQuery(options);
+
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('role', 'admin');
+        });
+
+        it('should skip undefined and null filter values', async () => {
+          const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId,
+            filters: { name: 'Test', status: undefined, active: null }
+          };
+
+          await secureDataAccess.secureQuery(options);
+
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('name', 'Test');
+          expect(mockQueryBuilder.eq).not.toHaveBeenCalledWith('status', undefined);
+          expect(mockQueryBuilder.eq).not.toHaveBeenCalledWith('active', null);
+        });
+      });
+
+      describe('secureSingleQuery', () => {
+        it('should execute single query with organisation filter', async () => {
+          const mockData = { id: '1', name: 'Test', organisation_id: mockOrganisationId };
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId
+          };
+
+          const result = await secureDataAccess.secureSingleQuery(options);
+
+          expect(mockSupabaseClient.from).toHaveBeenCalledWith(mockTable);
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+          expect(result).toEqual(mockData);
+        });
+
+        it('should return null when no rows found', async () => {
+          const mockError = { code: 'PGRST116', message: 'No rows returned' };
+          // Create a new mock with the error
+          mockQueryBuilder = createMockQueryBuilder(null, mockError);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId
+          };
+
+          const result = await secureDataAccess.secureSingleQuery(options);
+          expect(result).toBeNull();
+        });
+
+        it('should handle query errors', async () => {
+          const mockError = new Error('Database error');
+          // Create a new mock with the error
+          mockQueryBuilder = createMockQueryBuilder(null, mockError);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId
+          };
+
+          await expect(secureDataAccess.secureSingleQuery(options)).rejects.toThrow('Database error');
+        });
+
+        it('should return null when data is error type', async () => {
+          const mockData = { code: 'ERROR', message: 'Invalid data' };
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const options: SecureQueryOptions = {
+            table: mockTable,
+            select: mockSelect,
+            organisationId: mockOrganisationId
+          };
+
+          const result = await secureDataAccess.secureSingleQuery(options);
+          expect(result).toBeNull();
+        });
+      });
+
+      describe('secureInsert', () => {
+        it('should insert data with organisation context', async () => {
+          const mockData = { name: 'Test Item' };
+          const mockResult = { id: '1', name: 'Test Item', organisation_id: mockOrganisationId };
+          
+          mockQueryBuilder.insert = vi.fn().mockReturnThis();
+          mockQueryBuilder.select = vi.fn().mockReturnThis();
+          mockQueryBuilder.single = vi.fn().mockResolvedValue({ data: mockResult, error: null });
+
+          const result = await secureDataAccess.secureInsert(mockTable, mockData, mockOrganisationId);
+
+          expect(mockQueryBuilder.insert).toHaveBeenCalledWith({
+            ...mockData,
+            organisation_id: mockOrganisationId
+          });
+          expect(result).toEqual(mockResult);
+        });
+
+        it('should handle insert errors', async () => {
+          const mockData = { name: 'Test Item' };
+          const mockError = new Error('Insert failed');
+          
+          mockQueryBuilder.insert = vi.fn().mockReturnThis();
+          mockQueryBuilder.select = vi.fn().mockReturnThis();
+          // Create a new mock with the error
+          mockQueryBuilder = createMockQueryBuilder(null, mockError);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          await expect(secureDataAccess.secureInsert(mockTable, mockData, mockOrganisationId))
+            .rejects.toThrow('Insert failed');
+        });
+      });
+
+      describe('secureUpdate', () => {
+        it('should update data with organisation filter', async () => {
+          const mockData = { name: 'Updated Item' };
+          const mockFilters = { id: '1' };
+          const mockResult = { id: '1', name: 'Updated Item', organisation_id: mockOrganisationId };
+          
+          mockQueryBuilder.update = vi.fn().mockReturnThis();
+          mockQueryBuilder.eq = vi.fn().mockReturnThis();
+          mockQueryBuilder.select = vi.fn().mockReturnThis();
+          mockQueryBuilder.single = vi.fn().mockResolvedValue({ data: mockResult, error: null });
+
+          const result = await secureDataAccess.secureUpdate(mockTable, mockData, mockFilters, mockOrganisationId);
+
+          expect(mockQueryBuilder.update).toHaveBeenCalledWith(mockData);
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('id', '1');
+          expect(result).toEqual(mockResult);
+        });
+
+        it('should handle update errors', async () => {
+          const mockData = { name: 'Updated Item' };
+          const mockFilters = { id: '1' };
+          const mockError = new Error('Update failed');
+          
+          mockQueryBuilder.update = vi.fn().mockReturnThis();
+          mockQueryBuilder.eq = vi.fn().mockReturnThis();
+          mockQueryBuilder.select = vi.fn().mockReturnThis();
+          // Create a new mock with the error
+          mockQueryBuilder = createMockQueryBuilder(null, mockError);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          await expect(secureDataAccess.secureUpdate(mockTable, mockData, mockFilters, mockOrganisationId))
+            .rejects.toThrow('Update failed');
+        });
+      });
+
+      describe('secureDelete', () => {
+        it('should delete data with organisation filter', async () => {
+          const mockFilters = { id: '1' };
+          
+          mockQueryBuilder.delete = vi.fn().mockReturnThis();
+          mockQueryBuilder.eq = vi.fn().mockReturnThis();
+          mockQueryBuilder.single = vi.fn().mockResolvedValue({ data: null, error: null });
+
+          const result = await secureDataAccess.secureDelete(mockTable, mockFilters, mockOrganisationId);
+
+          expect(mockQueryBuilder.delete).toHaveBeenCalled();
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('id', '1');
+          expect(result).toBe(true);
+        });
+
+        it('should handle delete errors', async () => {
+          const mockFilters = { id: '1' };
+          const mockError = new Error('Delete failed');
+          
+          mockQueryBuilder.delete = vi.fn().mockReturnThis();
+          mockQueryBuilder.eq = vi.fn().mockReturnThis();
+          // Create a new mock with the error
+          mockQueryBuilder = createMockQueryBuilder(null, mockError);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          await expect(secureDataAccess.secureDelete(mockTable, mockFilters, mockOrganisationId))
+            .rejects.toThrow('Delete failed');
+        });
+      });
+
+      describe('queryByOrganisation', () => {
+        it('should query by organisation using secureQuery', async () => {
+          const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          const result = await secureDataAccess.queryByOrganisation(mockTable, mockSelect, mockOrganisationId);
+
+          expect(mockSupabaseClient.from).toHaveBeenCalledWith(mockTable);
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+          expect(result).toEqual(mockData);
+        });
+
+        it('should apply additional filters when provided', async () => {
+          const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+          const filters = { status: 'active' };
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+          await secureDataAccess.queryByOrganisation(mockTable, mockSelect, mockOrganisationId, filters);
+
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+          expect(mockQueryBuilder.eq).toHaveBeenCalledWith('status', 'active');
+        });
+      });
+    });
+
+    describe('Super Admin User', () => {
+      beforeEach(() => {
+        secureDataAccess = createSecureDataAccess(mockSupabaseClient, mockOrganisationId, true);
+      });
+
+      it('should not apply organisation filter for super admin', async () => {
+        const mockData = [{ id: '1', name: 'Test', organisation_id: 'other-org' }];
+        // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+        const options: SecureQueryOptions = {
+          table: mockTable,
+          select: mockSelect,
+          organisationId: mockOrganisationId
+        };
+
+        await secureDataAccess.secureQuery(options);
+
+        expect(mockQueryBuilder.eq).not.toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+      });
+
+      it('should not apply organisation filter for super admin updates', async () => {
+        const mockData = { name: 'Updated Item' };
+        const mockFilters = { id: '1' };
+        const mockResult = { id: '1', name: 'Updated Item', organisation_id: 'other-org' };
+        
+        mockQueryBuilder.update = vi.fn().mockReturnThis();
+        mockQueryBuilder.eq = vi.fn().mockReturnThis();
+        mockQueryBuilder.select = vi.fn().mockReturnThis();
+        mockQueryBuilder.single = vi.fn().mockResolvedValue({ data: mockResult, error: null });
+
+        await secureDataAccess.secureUpdate(mockTable, mockData, mockFilters, mockOrganisationId);
+
+        expect(mockQueryBuilder.eq).not.toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+        expect(mockQueryBuilder.eq).toHaveBeenCalledWith('id', '1');
+      });
+
+      it('should not apply organisation filter for super admin deletes', async () => {
+        const mockFilters = { id: '1' };
+        
+        mockQueryBuilder.delete = vi.fn().mockReturnThis();
+        mockQueryBuilder.eq = vi.fn().mockReturnThis();
+        mockQueryBuilder.single = vi.fn().mockResolvedValue({ data: null, error: null });
+
+        await secureDataAccess.secureDelete(mockTable, mockFilters, mockOrganisationId);
+
+        expect(mockQueryBuilder.eq).not.toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+        expect(mockQueryBuilder.eq).toHaveBeenCalledWith('id', '1');
+      });
+    });
+
+    describe('Query Building Features', () => {
+      beforeEach(() => {
+        secureDataAccess = createSecureDataAccess(mockSupabaseClient, mockOrganisationId, false);
+      });
+
+      it('should handle ordering with qualified column names', async () => {
+        const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+        // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+        const options: SecureQueryOptions = {
+          table: mockTable,
+          select: mockSelect,
+          organisationId: mockOrganisationId,
+          orderBy: 'users.created_at'
+        };
+
+        await secureDataAccess.secureQuery(options);
+
+        expect(mockQueryBuilder.order).toHaveBeenCalledWith('created_at');
+      });
+
+      it('should handle pagination with limit and offset', async () => {
+        const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+        // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+        const options: SecureQueryOptions = {
+          table: mockTable,
+          select: mockSelect,
+          organisationId: mockOrganisationId,
+          limit: 10,
+          offset: 20
+        };
+
+        await secureDataAccess.secureQuery(options);
+
+        expect(mockQueryBuilder.limit).toHaveBeenCalledWith(10);
+        expect(mockQueryBuilder.range).toHaveBeenCalledWith(20, 29);
+      });
+
+      it('should handle pagination with limit only', async () => {
+        const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+        // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+        const options: SecureQueryOptions = {
+          table: mockTable,
+          select: mockSelect,
+          organisationId: mockOrganisationId,
+          limit: 5
+        };
+
+        await secureDataAccess.secureQuery(options);
+
+        expect(mockQueryBuilder.limit).toHaveBeenCalledWith(5);
+        expect(mockQueryBuilder.range).not.toHaveBeenCalled();
+      });
+    });
+  });
+
+  describe('useSecureDataAccess', () => {
+    it('should throw error when used without explicit parameters', () => {
+      expect(() => {
+        useSecureDataAccess();
+      }).toThrow('useSecureDataAccess must be used with explicit parameters. Use createSecureDataAccess instead.');
+    });
+  });
+
+  describe('Error Handling', () => {
+    beforeEach(() => {
+      secureDataAccess = createSecureDataAccess(mockSupabaseClient, mockOrganisationId, false);
+    });
+
+    it('should propagate errors from secureQuery', async () => {
+      const mockError = new Error('Network error');
+      // Create a new mock with the error for the main query (not single)
+      mockQueryBuilder = createMockQueryBuilder(null, mockError);
+      mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+      const options: SecureQueryOptions = {
+        table: mockTable,
+        select: mockSelect,
+        organisationId: mockOrganisationId
+      };
+
+      await expect(secureDataAccess.secureQuery(options)).rejects.toThrow('Network error');
+    });
+
+    it('should propagate errors from secureSingleQuery', async () => {
+      const mockError = new Error('Database connection failed');
+      mockQueryBuilder.single = vi.fn().mockRejectedValue(mockError);
+
+      const options: SecureQueryOptions = {
+        table: mockTable,
+        select: mockSelect,
+        organisationId: mockOrganisationId
+      };
+
+      await expect(secureDataAccess.secureSingleQuery(options)).rejects.toThrow('Database connection failed');
+    });
+
+    it('should propagate errors from secureInsert', async () => {
+      const mockData = { name: 'Test Item' };
+      const mockError = new Error('Insert constraint violation');
+      mockQueryBuilder.insert = vi.fn().mockReturnThis();
+      mockQueryBuilder.select = vi.fn().mockReturnThis();
+      mockQueryBuilder.single = vi.fn().mockRejectedValue(mockError);
+
+      await expect(secureDataAccess.secureInsert(mockTable, mockData, mockOrganisationId))
+        .rejects.toThrow('Insert constraint violation');
+    });
+
+    it('should propagate errors from secureUpdate', async () => {
+      const mockData = { name: 'Updated Item' };
+      const mockFilters = { id: '1' };
+      const mockError = new Error('Update constraint violation');
+      mockQueryBuilder.update = vi.fn().mockReturnThis();
+      mockQueryBuilder.eq = vi.fn().mockReturnThis();
+      mockQueryBuilder.select = vi.fn().mockReturnThis();
+      mockQueryBuilder.single = vi.fn().mockRejectedValue(mockError);
+
+      await expect(secureDataAccess.secureUpdate(mockTable, mockData, mockFilters, mockOrganisationId))
+        .rejects.toThrow('Update constraint violation');
+    });
+
+    it('should propagate errors from secureDelete', async () => {
+      const mockFilters = { id: '1' };
+      const mockError = new Error('Delete constraint violation');
+      // Create a new mock with the error for the single query
+      mockQueryBuilder = createMockQueryBuilder(null, mockError);
+      mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+      await expect(secureDataAccess.secureDelete(mockTable, mockFilters, mockOrganisationId))
+        .rejects.toThrow('Delete constraint violation');
+    });
+  });
+
+  describe('Type Safety', () => {
+    beforeEach(() => {
+      secureDataAccess = createSecureDataAccess(mockSupabaseClient, mockOrganisationId, false);
+    });
+
+    it('should maintain type safety for DatabaseRecord', async () => {
+      interface TestRecord extends DatabaseRecord {
+        name: string;
+        status: string;
+      }
+
+      const mockData: TestRecord[] = [
+        { id: '1', name: 'Test 1', status: 'active', organisation_id: mockOrganisationId },
+        { id: '2', name: 'Test 2', status: 'inactive', organisation_id: mockOrganisationId }
+      ];
+      
+      // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+      const options: SecureQueryOptions = {
+        table: mockTable,
+        select: mockSelect,
+        organisationId: mockOrganisationId
+      };
+
+      const result = await secureDataAccess.secureQuery<TestRecord>(options);
+      
+      expect(result).toEqual(mockData);
+      expect(result[0]).toHaveProperty('name');
+      expect(result[0]).toHaveProperty('status');
+      expect(result[0]).toHaveProperty('organisation_id');
+    });
+
+    it('should maintain type safety for DatabaseData', async () => {
+      const mockData: DatabaseData = {
+        name: 'Test Item',
+        status: 'active',
+        metadata: { key: 'value' }
+      };
+
+      const mockResult = { id: '1', ...mockData, organisation_id: mockOrganisationId };
+      
+      mockQueryBuilder.insert = vi.fn().mockReturnThis();
+      mockQueryBuilder.select = vi.fn().mockReturnThis();
+      mockQueryBuilder.single = vi.fn().mockResolvedValue({ data: mockResult, error: null });
+
+      const result = await secureDataAccess.secureInsert(mockTable, mockData, mockOrganisationId);
+      
+      expect(result).toEqual(mockResult);
+    });
+
+    it('should maintain type safety for DatabaseFilters', async () => {
+      const mockFilters: DatabaseFilters = {
+        status: 'active',
+        category: 'test',
+        metadata: { key: 'value' }
+      };
+
+      const mockData = [{ id: '1', name: 'Test', organisation_id: mockOrganisationId }];
+          // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+      // Create a new mock with the expected data
+          mockQueryBuilder = createMockQueryBuilder(mockData);
+          mockSupabaseClient.from = vi.fn().mockReturnValue(mockQueryBuilder);
+
+      const options: SecureQueryOptions = {
+        table: mockTable,
+        select: mockSelect,
+        organisationId: mockOrganisationId,
+        filters: mockFilters
+      };
+
+      await secureDataAccess.secureQuery(options);
+
+      expect(mockQueryBuilder.eq).toHaveBeenCalledWith('organisation_id', mockOrganisationId);
+      expect(mockQueryBuilder.eq).toHaveBeenCalledWith('status', 'active');
+      expect(mockQueryBuilder.eq).toHaveBeenCalledWith('category', 'test');
+    });
+  });
+});