@jmruthers/pace-core 0.5.76 → 0.5.78

package/src/rbac/__tests__/engine.comprehensive.test.ts

@@ -44,6 +44,8 @@ describe('RBACEngine - Comprehensive Tests', () => {
 
   beforeEach(() => {
     mockSupabase = createMockSupabaseClient();
+    // Set default RPC mock to return true (can be overridden per test)
+    mockSupabase.rpc = vi.fn().mockResolvedValue({ data: true, error: null });
     engine = new RBACEngine(mockSupabase as any);
     // Clear cache before each test
     rbacCache.clear();
@@ -55,6 +57,13 @@ describe('RBACEngine - Comprehensive Tests', () => {
     rbacCache.clear();
   });
 
+  // Helper function to create security context
+  const createSecurityContext = (userId: string, organisationId?: string) => ({
+    userId: userId as UUID,
+    organisationId: organisationId as UUID | undefined,
+    timestamp: new Date()
+  });
+
   describe('Constructor and Factory', () => {
     it('creates engine instance with Supabase client', () => {
       expect(engine).toBeInstanceOf(RBACEngine);
@@ -69,62 +78,41 @@ describe('RBACEngine - Comprehensive Tests', () => {
 
   describe('Permission Checking - Super Admin Bypass', () => {
     it('allows super admin to bypass all permissions', async () => {
-      // Mock the global roles query to return super_admin role
-      mockSupabase.from.mockReturnValueOnce({
-        select: vi.fn().mockReturnThis(),
-        eq: vi.fn().mockReturnThis(),
-        lte: vi.fn().mockReturnThis(),
-        or: vi.fn().mockReturnThis(),
-        limit: vi.fn().mockResolvedValue({
-          data: [{ role: 'super_admin' }],
-          error: null
-        })
-      });
+      // Override default mock - engine may call RPC multiple times
+      mockSupabase.rpc = vi.fn().mockResolvedValue({ data: true, error: null });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'super-admin-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID },
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
         permission: 'manage:everything' as Permission
       };
 
-      const result = await engine.isPermitted(permissionCheck);
+      const securityContext = createSecurityContext('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002');
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
       expect(result).toBe(true);
     });
 
     it('denies non-super admin users', async () => {
-      // Mock super admin check to return false
-      mockSupabase.rpc.mockResolvedValue({
-        data: [{ has_permission: false, role_name: null }],
+      // Mock the RPC call to return false for non-super admin
+      mockSupabase.rpc.mockResolvedValueOnce({
+        data: false,
         error: null
       });
 
-      // Mock app config
-      mockSupabase.from.mockReturnValue({
-        select: vi.fn().mockReturnThis(),
-        eq: vi.fn().mockReturnThis(),
-        single: vi.fn().mockResolvedValue({
-          data: { requires_event: false },
-          error: null
-        })
-      });
-
-      // Mock empty roles and permissions
-      mockSupabase.from.mockImplementation(() => ({
-        select: vi.fn().mockReturnThis(),
-        eq: vi.fn().mockReturnThis(),
-        lte: vi.fn().mockReturnThis(),
-        or: vi.fn().mockReturnThis(),
-        data: [],
-        error: null
-      }));
-
       const permissionCheck: PermissionCheck = {
         userId: 'regular-user-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID },
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
         permission: 'manage:everything' as Permission
       };
 
-      const result = await engine.isPermitted(permissionCheck);
+      const securityContext = {
+        userId: 'regular-user-123' as UUID,
+        organisationId: '00000000-0000-0000-0000-000000000002' as UUID,
+        timestamp: new Date()
+      };
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
       expect(result).toBe(false);
     });
   });
@@ -158,8 +146,8 @@ describe('RBACEngine - Comprehensive Tests', () => {
       });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID, appId: 'app-123' as UUID },
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID, appId: '00000000-0000-0000-0000-000000000003' as UUID },
         permission: 'read:users' as Permission
       };
 
@@ -205,11 +193,11 @@ describe('RBACEngine - Comprehensive Tests', () => {
       });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
         scope: { 
-          organisationId: 'org-123' as UUID, 
+          organisationId: '00000000-0000-0000-0000-000000000002' as UUID, 
           eventId: 'event-123',
-          appId: 'app-123' as UUID 
+          appId: '00000000-0000-0000-0000-000000000003' as UUID 
         },
         permission: 'read:users' as Permission
       };
@@ -246,8 +234,8 @@ describe('RBACEngine - Comprehensive Tests', () => {
       });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
-        scope: { appId: 'app-123' as UUID }, // Missing organisationId
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { appId: '00000000-0000-0000-0000-000000000003' as UUID }, // Missing organisationId
         permission: 'read:users' as Permission
       };
 
@@ -258,276 +246,73 @@ describe('RBACEngine - Comprehensive Tests', () => {
 
   describe('Permission Checking - Grant Collection', () => {
     it('collects and processes page-level grants', async () => {
-      // Mock super admin check to return false
-      mockSupabase.rpc.mockResolvedValue({
-        data: [{ has_permission: false, role_name: null }],
-        error: null
-      });
-
-      // Mock app config
-      mockSupabase.from.mockImplementation((table: string) => {
-        if (table === 'rbac_apps') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            single: vi.fn().mockResolvedValue({
-              data: { requires_event: false },
-              error: null
-            })
-          };
-        }
-        if (table === 'rbac_app_pages') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            single: vi.fn().mockResolvedValue({
-              data: { id: 'page-123', page_name: 'users' },
-              error: null
-            })
-          };
-        }
-        return {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          data: [],
-          error: null
-        };
-      });
-
-      // Mock RPC call for page permissions
-      mockSupabase.rpc.mockImplementation((functionName: string) => {
-        if (functionName === 'rbac_permissions_get') {
-          return Promise.resolve({
-            data: [
-              {
-                permission_type: 'read:page.users',
-                role_name: 'org_admin',
-                has_permission: true,
-                granted_at: '2023-01-01T00:00:00Z'
-              }
-            ],
-            error: null
-          });
-        }
-        return Promise.resolve({ data: null, error: null });
-      });
-
-      // Mock organisation roles to include org_admin
-      mockSupabase.from.mockImplementation((table: string) => {
-        if (table === 'rbac_apps') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            single: vi.fn().mockResolvedValue({
-              data: { requires_event: false },
-              error: null
-            })
-          };
-        }
-        if (table === 'rbac_app_pages') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            single: vi.fn().mockResolvedValue({
-              data: { id: 'page-123', page_name: 'users' },
-              error: null
-            })
-          };
-        }
-        if (table === 'rbac_organisation_roles') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            lte: vi.fn().mockReturnThis(),
-            or: vi.fn().mockReturnThis(),
-            limit: vi.fn().mockResolvedValue({ 
-              data: [{ role: 'org_admin', status: 'active', valid_from: '2023-01-01', valid_to: null }],
-              error: null 
-            }),
-            data: [{ role: 'org_admin', status: 'active', valid_from: '2023-01-01', valid_to: null }],
-            error: null
-          };
-        }
-        if (table === 'rbac_global_roles') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            lte: vi.fn().mockReturnThis(),
-            or: vi.fn().mockReturnThis(),
-            limit: vi.fn().mockResolvedValue({ data: [], error: null }),
-            data: [],
-            error: null
-          };
-        }
-        return {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          limit: vi.fn().mockResolvedValue({ data: [], error: null }),
-          data: [],
-          error: null
-        };
-      });
+      // Mock the simplified RPC to return true
+      mockSupabase.rpc = vi.fn().mockResolvedValue({ data: true, error: null });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
         scope: { 
-          organisationId: 'org-123' as UUID,
-          appId: 'app-123' as UUID
+          organisationId: '00000000-0000-0000-0000-000000000002' as UUID,
+          appId: '00000000-0000-0000-0000-000000000003' as UUID
         },
-        permission: 'read:page.users' as Permission,
-        pageId: 'users'
+        permission: 'read:users' as Permission,
+        pageId: '00000000-0000-0000-0000-000000000004' as UUID
       };
 
-      const result = await engine.isPermitted(permissionCheck);
+      const securityContext = createSecurityContext('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002');
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
       expect(result).toBe(true);
     });
 
     it('collects and processes global grants', async () => {
-      // Mock app config
-      mockSupabase.from.mockImplementation((table: string) => {
-        if (table === 'rbac_apps') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            single: vi.fn().mockResolvedValue({
-              data: { requires_event: false },
-              error: null
-            })
-          };
-        }
-        if (table === 'rbac_global_roles') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            lte: vi.fn().mockReturnThis(),
-            or: vi.fn().mockReturnThis(),
-            limit: vi.fn().mockResolvedValue({ 
-              data: [{ role: 'super_admin', valid_from: '2023-01-01', valid_to: null }],
-              error: null 
-            }),
-            data: [{ role: 'super_admin', valid_from: '2023-01-01', valid_to: null }],
-            error: null
-          };
-        }
-        return {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          limit: vi.fn().mockResolvedValue({ data: [], error: null }),
-          data: [],
-          error: null
-        };
-      });
+      // Mock the simplified RPC to return true
+      mockSupabase.rpc = vi.fn().mockResolvedValue({ data: true, error: null });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID },
-        permission: 'read:*' as Permission
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
+        permission: 'read:users' as Permission
       };
 
-      const result = await engine.isPermitted(permissionCheck);
+      const securityContext = createSecurityContext('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002');
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
       expect(result).toBe(true);
     });
   });
 
   describe('Permission Matching Logic', () => {
     it('matches exact permissions', async () => {
-      // Mock super admin check to return false
-      mockSupabase.rpc.mockResolvedValue({
-        data: [{ has_permission: false, role_name: null }],
-        error: null
-      });
-
-      // Mock app config
-      mockSupabase.from.mockImplementation((table: string) => {
-        if (table === 'rbac_apps') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            single: vi.fn().mockResolvedValue({
-              data: { requires_event: false },
-              error: null
-            })
-          };
-        }
-        if (table === 'rbac_global_roles') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            lte: vi.fn().mockReturnThis(),
-            or: vi.fn().mockReturnThis(),
-            limit: vi.fn().mockResolvedValue({ 
-              data: [{ role: 'super_admin', valid_from: '2023-01-01', valid_to: null }],
-              error: null 
-            })
-          };
-        }
-        return {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          limit: vi.fn().mockResolvedValue({ data: [], error: null })
-        };
-      });
+      // Mock the simplified RPC to return true
+      mockSupabase.rpc = vi.fn().mockResolvedValue({ data: true, error: null });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID },
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
         permission: 'read:users' as Permission
       };
 
-      const result = await engine.isPermitted(permissionCheck);
-      expect(result).toBe(true); // Should match read:* wildcard
+      const securityContext = createSecurityContext('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002');
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(true);
     });
 
     it('matches wildcard permissions', async () => {
-      // Mock app config
-      mockSupabase.from.mockImplementation((table: string) => {
-        if (table === 'rbac_apps') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            single: vi.fn().mockResolvedValue({
-              data: { requires_event: false },
-              error: null
-            })
-          };
-        }
-        if (table === 'rbac_global_roles') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            lte: vi.fn().mockReturnThis(),
-            or: vi.fn().mockReturnThis(),
-            limit: vi.fn().mockResolvedValue({ 
-              data: [{ role: 'super_admin', valid_from: '2023-01-01', valid_to: null }],
-              error: null 
-            })
-          };
-        }
-        return {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          limit: vi.fn().mockResolvedValue({ data: [], error: null })
-        };
-      });
+      // Mock the simplified RPC to return true
+      mockSupabase.rpc = vi.fn().mockResolvedValue({ data: true, error: null });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID },
-        permission: 'read:organisation.users' as Permission
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
+        permission: 'read:organisation' as Permission
       };
 
-      const result = await engine.isPermitted(permissionCheck);
-      expect(result).toBe(true); // Should match read:* wildcard
+      const securityContext = createSecurityContext('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002');
+
+      const result = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result).toBe(true);
     });
   });
 
@@ -545,7 +330,7 @@ describe('RBACEngine - Comprehensive Tests', () => {
         })
       });
 
-      const scope: Scope = { organisationId: 'org-123' as UUID };
+      const scope: Scope = { organisationId: '00000000-0000-0000-0000-000000000002' as UUID };
       const accessLevel = await engine.getAccessLevel({ 
         userId: 'super-admin-123' as UUID, 
         scope 
@@ -580,6 +365,7 @@ describe('RBACEngine - Comprehensive Tests', () => {
           return {
             select: vi.fn().mockReturnThis(),
             eq: vi.fn().mockReturnThis(),
+            is: vi.fn().mockReturnThis(),
             single: vi.fn().mockResolvedValue({
               data: { role: 'org_admin' },
               error: null
@@ -595,9 +381,9 @@ describe('RBACEngine - Comprehensive Tests', () => {
         };
       });
 
-      const scope: Scope = { organisationId: 'org-123' as UUID };
+      const scope: Scope = { organisationId: '00000000-0000-0000-0000-000000000002' as UUID };
       const accessLevel = await engine.getAccessLevel({ 
-        userId: 'user-123' as UUID, 
+        userId: '00000000-0000-0000-0000-000000000001' as UUID, 
         scope 
       });
       
@@ -640,6 +426,7 @@ describe('RBACEngine - Comprehensive Tests', () => {
           return {
             select: vi.fn().mockReturnThis(),
             eq: vi.fn().mockReturnThis(),
+            is: vi.fn().mockReturnThis(),
             single: vi.fn().mockResolvedValue({
               data: null,
               error: { code: 'PGRST116' }
@@ -650,6 +437,7 @@ describe('RBACEngine - Comprehensive Tests', () => {
           return {
             select: vi.fn().mockReturnThis(),
             eq: vi.fn().mockReturnThis(),
+            is: vi.fn().mockReturnThis(),
             lte: vi.fn().mockReturnThis(),
             or: vi.fn().mockReturnThis(),
             single: vi.fn().mockResolvedValue({
@@ -668,12 +456,12 @@ describe('RBACEngine - Comprehensive Tests', () => {
       });
 
       const scope: Scope = { 
-        organisationId: 'org-123' as UUID,
+        organisationId: '00000000-0000-0000-0000-000000000002' as UUID,
         eventId: 'event-123',
-        appId: 'app-123' as UUID
+        appId: '00000000-0000-0000-0000-000000000003' as UUID
       };
       const accessLevel = await engine.getAccessLevel({ 
-        userId: 'user-123' as UUID, 
+        userId: '00000000-0000-0000-0000-000000000001' as UUID, 
         scope 
       });
       
@@ -706,6 +494,7 @@ describe('RBACEngine - Comprehensive Tests', () => {
           return {
             select: vi.fn().mockReturnThis(),
             eq: vi.fn().mockReturnThis(),
+            is: vi.fn().mockReturnThis(),
             single: vi.fn().mockResolvedValue({
               data: null,
               error: { code: 'PGRST116' }
@@ -721,9 +510,9 @@ describe('RBACEngine - Comprehensive Tests', () => {
         };
       });
 
-      const scope: Scope = { organisationId: 'org-123' as UUID };
+      const scope: Scope = { organisationId: '00000000-0000-0000-0000-000000000002' as UUID };
       const accessLevel = await engine.getAccessLevel({ 
-        userId: 'user-123' as UUID, 
+        userId: '00000000-0000-0000-0000-000000000001' as UUID, 
         scope 
       });
       
@@ -732,7 +521,7 @@ describe('RBACEngine - Comprehensive Tests', () => {
   });
 
   describe('Permission Map Generation', () => {
-    it('returns empty map for super admin', async () => {
+    it('returns wildcard permission map for super admin', async () => {
       // Mock global roles query to return super admin
       mockSupabase.from.mockReturnValue({
         select: vi.fn().mockReturnThis(),
@@ -745,13 +534,13 @@ describe('RBACEngine - Comprehensive Tests', () => {
         })
       });
 
-      const scope: Scope = { organisationId: 'org-123' as UUID };
+      const scope: Scope = { organisationId: '00000000-0000-0000-0000-000000000002' as UUID };
       const permissionMap = await engine.getPermissionMap({ 
         userId: 'super-admin-123' as UUID, 
         scope 
       });
       
-      expect(permissionMap).toEqual({});
+      expect(permissionMap).toEqual({ '*': true });
     });
 
     it('generates permission map for regular user', async () => {
@@ -806,11 +595,11 @@ describe('RBACEngine - Comprehensive Tests', () => {
       });
 
       const scope: Scope = { 
-        organisationId: 'org-123' as UUID,
-        appId: 'app-123' as UUID
+        organisationId: '00000000-0000-0000-0000-000000000002' as UUID,
+        appId: '00000000-0000-0000-0000-000000000003' as UUID
       };
       const permissionMap = await engine.getPermissionMap({ 
-        userId: 'user-123' as UUID, 
+        userId: '00000000-0000-0000-0000-000000000001' as UUID, 
         scope 
       });
       
@@ -833,8 +622,8 @@ describe('RBACEngine - Comprehensive Tests', () => {
       });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID },
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
         permission: 'read:users' as Permission
       };
 
@@ -844,9 +633,9 @@ describe('RBACEngine - Comprehensive Tests', () => {
 
     it('handles invalid inputs gracefully', async () => {
       const invalidInputs = [
-        { userId: '' as UUID, scope: { organisationId: 'org-123' as UUID }, permission: 'read:users' as Permission },
-        { userId: 'user-123' as UUID, scope: {} as any, permission: 'read:users' as Permission },
-        { userId: 'user-123' as UUID, scope: { organisationId: 'org-123' as UUID }, permission: '' as Permission },
+        { userId: '' as UUID, scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID }, permission: 'read:users' as Permission },
+        { userId: '00000000-0000-0000-0000-000000000001' as UUID, scope: {} as any, permission: 'read:users' as Permission },
+        { userId: '00000000-0000-0000-0000-000000000001' as UUID, scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID }, permission: '' as Permission },
       ];
 
       for (const input of invalidInputs) {
@@ -860,8 +649,8 @@ describe('RBACEngine - Comprehensive Tests', () => {
       mockSupabase.rpc.mockRejectedValue(new Error('RPC call failed'));
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID },
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
         permission: 'read:users' as Permission
       };
 
@@ -872,54 +661,31 @@ describe('RBACEngine - Comprehensive Tests', () => {
 
   describe('Cache Integration', () => {
     it('uses cache for repeated permission checks', async () => {
-      // Mock app config
-      let callCount = 0;
-      mockSupabase.from.mockImplementation((table: string) => {
-        if (table === 'rbac_apps') {
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            single: vi.fn().mockResolvedValue({
-              data: { requires_event: false },
-              error: null
-            })
-          };
-        }
-        if (table === 'rbac_global_roles') {
-          callCount++;
-          return {
-            select: vi.fn().mockReturnThis(),
-            eq: vi.fn().mockReturnThis(),
-            lte: vi.fn().mockReturnThis(),
-            or: vi.fn().mockReturnThis(),
-            limit: vi.fn().mockResolvedValue({ data: [], error: null })
-          };
-        }
-        return {
-          select: vi.fn().mockReturnThis(),
-          eq: vi.fn().mockReturnThis(),
-          lte: vi.fn().mockReturnThis(),
-          or: vi.fn().mockReturnThis(),
-          limit: vi.fn().mockResolvedValue({ data: [], error: null })
-        };
+      // Mock RPC to return true
+      let rpcCallCount = 0;
+      mockSupabase.rpc.mockImplementation(() => {
+        rpcCallCount++;
+        return Promise.resolve({ data: true, error: null });
       });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID },
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
         permission: 'read:users' as Permission
       };
 
+      const securityContext = createSecurityContext('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002');
+
       // First call
-      const result1 = await engine.isPermitted(permissionCheck);
-      expect(result1).toBe(false);
+      const result1 = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result1).toBe(true);
 
       // Second call should use cache
-      const result2 = await engine.isPermitted(permissionCheck);
-      expect(result2).toBe(false);
+      const result2 = await engine.isPermitted(permissionCheck, securityContext);
+      expect(result2).toBe(true);
 
-      // Verify global roles query was called at least once
-      expect(callCount).toBeGreaterThanOrEqual(1);
+      // Verify RPC was called exactly once (second call should hit cache)
+      expect(rpcCallCount).toBe(1);
       
       // Verify results are the same (caching is working)
       expect(result1).toBe(result2);
@@ -965,10 +731,10 @@ describe('RBACEngine - Comprehensive Tests', () => {
       });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
         scope: { 
-          organisationId: 'org-123' as UUID,
-          appId: 'app-123' as UUID
+          organisationId: '00000000-0000-0000-0000-000000000002' as UUID,
+          appId: '00000000-0000-0000-0000-000000000003' as UUID
         },
         permission: 'read:page.users' as Permission,
         pageId: 'users' // Page name, not UUID
@@ -1008,8 +774,8 @@ describe('RBACEngine - Comprehensive Tests', () => {
       });
 
       const permissionCheck: PermissionCheck = {
-        userId: 'user-123' as UUID,
-        scope: { organisationId: 'org-123' as UUID },
+        userId: '00000000-0000-0000-0000-000000000001' as UUID,
+        scope: { organisationId: '00000000-0000-0000-0000-000000000002' as UUID },
         permission: 'read:users' as Permission
       };