@jmruthers/pace-core 0.5.68 → 0.5.70

package/src/rbac/__tests__/engine.comprehensive.test.ts

@@ -0,0 +1,954 @@
+/**
+ * @file RBAC Engine Comprehensive Tests
+ * @description Comprehensive test suite for RBACEngine class
+ */
+
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { RBACEngine, createRBACEngine } from '../engine';
+import { 
+  UUID, 
+  Permission, 
+  Scope, 
+  PermissionCheck, 
+  AccessLevel,
+  Operation,
+  OrganisationRole,
+  EventAppRole
+} from '../types';
+import { Database } from '../../types/database';
+import { rbacCache } from '../cache';
+
+// Mock Supabase client with comprehensive mocking
+const createMockSupabaseClient = () => ({
+  from: vi.fn(() => ({
+    select: vi.fn().mockReturnThis(),
+    eq: vi.fn().mockReturnThis(),
+    neq: vi.fn().mockReturnThis(),
+    in: vi.fn().mockReturnThis(),
+    is: vi.fn().mockReturnThis(),
+    lte: vi.fn().mockReturnThis(),
+    or: vi.fn().mockReturnThis(),
+    single: vi.fn(),
+    maybeSingle: vi.fn(),
+  })),
+  rpc: vi.fn(),
+});
+
+describe('RBACEngine - Comprehensive Tests', () => {
+  let engine: RBACEngine;
+  let mockSupabase: any;
+
+  beforeEach(() => {
+    mockSupabase = createMockSupabaseClient();
+    engine = new RBACEngine(mockSupabase as any);
+    // Clear cache before each test
+    rbacCache.clear();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+    // Clear cache after each test
+    rbacCache.clear();
+  });
+
+  describe('Constructor and Factory', () => {
+    it('creates engine instance with Supabase client', () => {
+      expect(engine).toBeInstanceOf(RBACEngine);
+      expect(engine).toBeDefined();
+    });
+
+    it('creates engine using factory function', () => {
+      const factoryEngine = createRBACEngine(mockSupabase as any);
+      expect(factoryEngine).toBeInstanceOf(RBACEngine);
+    });
+  });
+
+  describe('Permission Checking - Super Admin Bypass', () => {
+    it('allows super admin to bypass all permissions', async () => {
+      // Mock super admin check to return true
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: true, role_name: 'super_admin' }],
+        error: null
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'super-admin-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID },
+        permission: 'manage:everything' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(true);
+    });
+
+    it('denies non-super admin users', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockReturnValue({
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        single: vi.fn().mockResolvedValue({
+          data: { requires_event: false },
+          error: null
+        })
+      });
+
+      // Mock empty roles and permissions
+      mockSupabase.from.mockImplementation(() => ({
+        select: vi.fn().mockReturnThis(),
+        eq: vi.fn().mockReturnThis(),
+        lte: vi.fn().mockReturnThis(),
+        or: vi.fn().mockReturnThis(),
+        data: [],
+        error: null
+      }));
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'regular-user-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID },
+        permission: 'manage:everything' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('Permission Checking - Context Validation', () => {
+    it('validates organisation context for organisation-based apps', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config - organisation-based app
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID, appId: 'app-123' as UUID },
+        permission: 'read:users' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(false); // Should fail due to no permissions granted
+    });
+
+    it('validates event context for event-based apps', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config - event-based app
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: true },
+              error: null
+            })
+          };
+        }
+        if (table === 'event') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { organisation_id: 'org-123' },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { 
+          organisationId: 'org-123' as UUID, 
+          eventId: 'event-123',
+          appId: 'app-123' as UUID 
+        },
+        permission: 'read:users' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(false); // Should fail due to no permissions granted
+    });
+
+    it('rejects permission check without required context', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config - organisation-based app
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { appId: 'app-123' as UUID }, // Missing organisationId
+        permission: 'read:users' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('Permission Checking - Grant Collection', () => {
+    it('collects and processes page-level grants', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_app_pages') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { id: 'page-123', page_name: 'users' },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          lte: vi.fn().mockReturnThis(),
+          or: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      // Mock RPC call for page permissions
+      mockSupabase.rpc.mockImplementation((functionName: string) => {
+        if (functionName === 'rbac_permissions_get') {
+          return Promise.resolve({
+            data: [
+              {
+                permission_type: 'read:page.users',
+                role_name: 'org_admin',
+                has_permission: true,
+                granted_at: '2023-01-01T00:00:00Z'
+              }
+            ],
+            error: null
+          });
+        }
+        return Promise.resolve({ data: null, error: null });
+      });
+
+      // Mock organisation roles to include org_admin
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_app_pages') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { id: 'page-123', page_name: 'users' },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_organisation_roles') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
+            data: [{ role: 'org_admin', status: 'active', valid_from: '2023-01-01', valid_to: null }],
+            error: null
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          lte: vi.fn().mockReturnThis(),
+          or: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { 
+          organisationId: 'org-123' as UUID,
+          appId: 'app-123' as UUID
+        },
+        permission: 'read:page.users' as Permission,
+        pageId: 'users'
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(true);
+    });
+
+    it('collects and processes global grants', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_global_roles') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
+            data: [{ role: 'super_admin', valid_from: '2023-01-01', valid_to: null }],
+            error: null
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          lte: vi.fn().mockReturnThis(),
+          or: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID },
+        permission: 'read:*' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(true);
+    });
+  });
+
+  describe('Permission Matching Logic', () => {
+    it('matches exact permissions', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_global_roles') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
+            data: [{ role: 'super_admin', valid_from: '2023-01-01', valid_to: null }],
+            error: null
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          lte: vi.fn().mockReturnThis(),
+          or: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID },
+        permission: 'read:users' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(true); // Should match read:* wildcard
+    });
+
+    it('matches wildcard permissions', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_global_roles') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
+            data: [{ role: 'super_admin', valid_from: '2023-01-01', valid_to: null }],
+            error: null
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          lte: vi.fn().mockReturnThis(),
+          or: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID },
+        permission: 'read:organisation.users' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(true); // Should match read:* wildcard
+    });
+  });
+
+  describe('Access Level Resolution', () => {
+    it('resolves super admin access level', async () => {
+      // Mock super admin check to return true
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: true, role_name: 'super_admin' }],
+        error: null
+      });
+
+      const scope: Scope = { organisationId: 'org-123' as UUID };
+      const accessLevel = await engine.getAccessLevel({ 
+        userId: 'super-admin-123' as UUID, 
+        scope 
+      });
+      
+      expect(accessLevel).toBe('super');
+    });
+
+    it('resolves organisation admin access level', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_organisation_roles') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { role: 'org_admin' },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const scope: Scope = { organisationId: 'org-123' as UUID };
+      const accessLevel = await engine.getAccessLevel({ 
+        userId: 'user-123' as UUID, 
+        scope 
+      });
+      
+      expect(accessLevel).toBe('admin');
+    });
+
+    it('resolves event-app roles access level', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: true },
+              error: null
+            })
+          };
+        }
+        if (table === 'event') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { organisation_id: 'org-123' },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_event_app_roles') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            lte: vi.fn().mockReturnThis(),
+            or: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { role: 'event_admin', status: 'active', valid_from: '2023-01-01', valid_to: null },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          lte: vi.fn().mockReturnThis(),
+          or: vi.fn().mockReturnThis(),
+          single: vi.fn().mockResolvedValue({
+            data: null,
+            error: { code: 'PGRST116' }
+          })
+        };
+      });
+
+      const scope: Scope = { 
+        organisationId: 'org-123' as UUID,
+        eventId: 'event-123',
+        appId: 'app-123' as UUID
+      };
+      const accessLevel = await engine.getAccessLevel({ 
+        userId: 'user-123' as UUID, 
+        scope 
+      });
+      
+      expect(accessLevel).toBe('admin');
+    });
+
+    it('defaults to viewer access level', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          single: vi.fn().mockResolvedValue({
+            data: null,
+            error: { code: 'PGRST116' }
+          })
+        };
+      });
+
+      const scope: Scope = { organisationId: 'org-123' as UUID };
+      const accessLevel = await engine.getAccessLevel({ 
+        userId: 'user-123' as UUID, 
+        scope 
+      });
+      
+      expect(accessLevel).toBe('viewer');
+    });
+  });
+
+  describe('Permission Map Generation', () => {
+    it('returns empty map for super admin', async () => {
+      // Mock super admin check to return true
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: true, role_name: 'super_admin' }],
+        error: null
+      });
+
+      const scope: Scope = { organisationId: 'org-123' as UUID };
+      const permissionMap = await engine.getPermissionMap({ 
+        userId: 'super-admin-123' as UUID, 
+        scope 
+      });
+      
+      expect(permissionMap).toEqual({});
+    });
+
+    it('generates permission map for regular user', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_app_pages') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            data: [
+              { id: 'page-1', page_name: 'users' },
+              { id: 'page-2', page_name: 'settings' }
+            ],
+            error: null
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      // Mock permission checks
+      const originalIsPermitted = engine.isPermitted.bind(engine);
+      vi.spyOn(engine, 'isPermitted').mockImplementation(async (input) => {
+        if (input.permission === 'read:users' || input.permission === 'create:users') {
+          return true;
+        }
+        return false;
+      });
+
+      const scope: Scope = { 
+        organisationId: 'org-123' as UUID,
+        appId: 'app-123' as UUID
+      };
+      const permissionMap = await engine.getPermissionMap({ 
+        userId: 'user-123' as UUID, 
+        scope 
+      });
+      
+      expect(permissionMap).toBeDefined();
+      expect(typeof permissionMap).toBe('object');
+    });
+  });
+
+  describe('Error Handling', () => {
+    it('handles database errors gracefully', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock database error
+      mockSupabase.from.mockImplementation(() => {
+        throw new Error('Database connection failed');
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID },
+        permission: 'read:users' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(false);
+    });
+
+    it('handles invalid inputs gracefully', async () => {
+      const invalidInputs = [
+        { userId: '' as UUID, scope: { organisationId: 'org-123' as UUID }, permission: 'read:users' as Permission },
+        { userId: 'user-123' as UUID, scope: {} as any, permission: 'read:users' as Permission },
+        { userId: 'user-123' as UUID, scope: { organisationId: 'org-123' as UUID }, permission: '' as Permission },
+      ];
+
+      for (const input of invalidInputs) {
+        const result = await engine.isPermitted(input);
+        expect(result).toBe(false);
+      }
+    });
+
+    it('handles RPC errors gracefully', async () => {
+      // Mock RPC error
+      mockSupabase.rpc.mockRejectedValue(new Error('RPC call failed'));
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID },
+        permission: 'read:users' as Permission
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(false);
+    });
+  });
+
+  describe('Cache Integration', () => {
+    it('uses cache for repeated permission checks', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID },
+        permission: 'read:users' as Permission
+      };
+
+      // First call
+      const result1 = await engine.isPermitted(permissionCheck);
+      expect(result1).toBe(false);
+
+      // Second call should use cache
+      const result2 = await engine.isPermitted(permissionCheck);
+      expect(result2).toBe(false);
+
+      // Verify RPC was called only once (cached on second call)
+      expect(mockSupabase.rpc).toHaveBeenCalledTimes(1);
+    });
+  });
+
+  describe('Page ID Resolution', () => {
+    it('resolves page names to UUIDs', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        if (table === 'rbac_app_pages') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { id: 'page-uuid-123', page_name: 'users' },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { 
+          organisationId: 'org-123' as UUID,
+          appId: 'app-123' as UUID
+        },
+        permission: 'read:page.users' as Permission,
+        pageId: 'users' // Page name, not UUID
+      };
+
+      const result = await engine.isPermitted(permissionCheck);
+      expect(result).toBe(false); // Should fail due to no permissions granted
+    });
+  });
+
+  describe('Security Context Integration', () => {
+    it('validates security context when provided', async () => {
+      // Mock super admin check to return false
+      mockSupabase.rpc.mockResolvedValue({
+        data: [{ has_permission: false, role_name: null }],
+        error: null
+      });
+
+      // Mock app config
+      mockSupabase.from.mockImplementation((table: string) => {
+        if (table === 'rbac_apps') {
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            single: vi.fn().mockResolvedValue({
+              data: { requires_event: false },
+              error: null
+            })
+          };
+        }
+        return {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          data: [],
+          error: null
+        };
+      });
+
+      const permissionCheck: PermissionCheck = {
+        userId: 'user-123' as UUID,
+        scope: { organisationId: 'org-123' as UUID },
+        permission: 'read:users' as Permission
+      };
+
+      const securityContext = {
+        userId: 'user-123',
+        ipAddress: '192.168.1.1',
+        userAgent: 'test-agent'
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(false);
+    });
+  });
+});