npm - @jmruthers/pace-core - Versions diffs - 0.6.10 → 0.6.11 - Mend

@jmruthers/pace-core 0.6.10 → 0.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (726) hide show

package/src/rbac/api.test.ts CHANGED Viewed

@@ -413,7 +413,7 @@ describe('RBAC API', () => {
       };
       const mockSupabaseForEngine = {
-        from: vi.fn((table: string) => createQueryBuilder(table)),
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
         rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
         auth: mockSupabase.auth
       };
@@ -452,7 +452,8 @@ describe('RBAC API', () => {
           scope: { organisationId: 'org-456' }
         });
-        expect(result).toBe(mockAccessLevel);
+        expect(result.ok).toBe(true);
+        expect(result.ok && result.data).toBe(mockAccessLevel);
         expect(mockEngine.getAccessLevel).toHaveBeenCalledWith({
           userId: 'user-123',
           scope: { organisationId: 'org-456' }
@@ -465,10 +466,12 @@ describe('RBAC API', () => {
         const error = new Error('Engine error');
         mockEngine.getAccessLevel.mockRejectedValue(error);
-        await expect(getAccessLevel({
+        const result = await getAccessLevel({
           userId: 'user-123',
           scope: { organisationId: 'org-456' }
-        })).rejects.toThrow('Engine error');
+        });
+        expect(result.ok).toBe(false);
+        expect(result.ok === false && result.error.message).toContain('Engine error');
       });
     });
@@ -487,7 +490,8 @@ describe('RBAC API', () => {
           scope: { organisationId: 'org-456' }
         });
-        expect(result).toEqual(mockPermissionMap);
+        expect(result.ok).toBe(true);
+        expect(result.ok && result.data).toEqual(mockPermissionMap);
         expect(mockEngine.getPermissionMap).toHaveBeenCalledWith({
           userId: 'user-123',
           scope: { organisationId: 'org-456' }
@@ -500,10 +504,11 @@ describe('RBAC API', () => {
         const error = new Error('Engine error');
         mockEngine.getPermissionMap.mockRejectedValue(error);
-        await expect(getPermissionMap({
+        const result = await getPermissionMap({
           userId: 'user-123',
           scope: { organisationId: 'org-456' }
-        })).rejects.toThrow('Engine error');
+        });
+        expect(result.ok).toBe(false);
       });
     });
@@ -515,7 +520,8 @@ describe('RBAC API', () => {
         const result = await resolveAppContext({ userId: 'user-1', appName: 'test-app' });
-        expect(result).toEqual(context);
+        expect(result.ok).toBe(true);
+        expect(result.ok && result.data).toEqual(context);
         expect(mockEngine.resolveAppContext).toHaveBeenCalledWith({ userId: 'user-1', appName: 'test-app' });
       });
@@ -525,7 +531,8 @@ describe('RBAC API', () => {
         const result = await resolveAppContext({ userId: 'user-1', appName: 'test-app' });
-        expect(result).toBeNull();
+        expect(result.ok).toBe(true);
+        expect(result.ok && result.data).toBeNull();
       });
     });
@@ -545,7 +552,8 @@ describe('RBAC API', () => {
           scope: { organisationId: 'org-456' },
         });
-        expect(result).toEqual(roleContext);
+        expect(result.ok).toBe(true);
+        expect(result.ok && result.data).toEqual(roleContext);
         expect(mockEngine.getRoleContext).toHaveBeenCalledWith({
           userId: 'user-123',
           scope: { organisationId: 'org-456' },
@@ -566,7 +574,7 @@ describe('RBAC API', () => {
           pageId: '123e4567-e89b-12d3-a456-426614174000' // Valid UUID format
         });
-        expect(result).toBe(true);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
         expect(mockEngine.isPermitted).toHaveBeenCalled();
       });
@@ -576,31 +584,35 @@ describe('RBAC API', () => {
         const error = new Error('Engine error');
         mockEngine.isPermitted.mockRejectedValue(error);
-        await expect(isPermitted({
+        const result = await isPermitted({
           userId: 'user-123',
           scope: { organisationId: 'org-456' },
           permission: 'read:users'
-        })).rejects.toThrow('Engine error');
+        });
+        expect(result.ok).toBe(false);
+        expect(result.ok === false && result.error.message).toContain('Engine error');
       });
       it('throws OrganisationContextRequiredError when organisationId is missing', async () => {
-        const { isPermitted, OrganisationContextRequiredError } = await import('./api');
+        const { isPermitted } = await import('./api');
-        await expect(isPermitted({
+        const result = await isPermitted({
           userId: 'user-123',
           scope: {}, // Missing organisationId
           permission: 'read:users'
-        })).rejects.toThrow(OrganisationContextRequiredError);
+        });
+        expect(result.ok).toBe(false);
       });
       it('throws OrganisationContextRequiredError when organisationId is undefined', async () => {
-        const { isPermitted, OrganisationContextRequiredError } = await import('./api');
+        const { isPermitted } = await import('./api');
-        await expect(isPermitted({
+        const result = await isPermitted({
           userId: 'user-123',
           scope: { organisationId: undefined },
           permission: 'read:users'
-        })).rejects.toThrow(OrganisationContextRequiredError);
+        });
+        expect(result.ok).toBe(false);
       });
     });
@@ -619,7 +631,7 @@ describe('RBAC API', () => {
           pageId: '123e4567-e89b-12d3-a456-426614174000' // Valid UUID format
         });
-        expect(result).toBe(true);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
         expect(rbacCache.get).toHaveBeenCalledWith(cacheKey, true);
         expect(mockEngine.isPermitted).not.toHaveBeenCalled();
       });
@@ -637,7 +649,7 @@ describe('RBAC API', () => {
           pageId: '123e4567-e89b-12d3-a456-426614174000' // Valid UUID format
         });
-        expect(result).toBe(true);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
         expect(mockEngine.isPermitted).toHaveBeenCalled();
         // Check that cache.set was called - pageId presence makes it a page-level check
         expect(rbacCache.set).toHaveBeenCalled();
@@ -665,7 +677,7 @@ describe('RBAC API', () => {
           permissions: ['read:users', 'write:users']
         });
-        expect(result).toBe(true);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
         expect(mockEngine.isPermitted).toHaveBeenCalledTimes(2);
       });
@@ -680,7 +692,7 @@ describe('RBAC API', () => {
           permissions: ['read:users', 'write:users']
         });
-        expect(result).toBe(false);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(false);
         expect(mockEngine.isPermitted).toHaveBeenCalledTimes(2);
       });
     });
@@ -697,7 +709,7 @@ describe('RBAC API', () => {
           permissions: ['read:users', 'write:users']
         });
-        expect(result).toBe(true);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
         expect(mockEngine.isPermitted).toHaveBeenCalledTimes(2);
       });
@@ -714,7 +726,7 @@ describe('RBAC API', () => {
           permissions: ['read:users', 'write:users']
         });
-        expect(result).toBe(false);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(false);
         expect(mockEngine.isPermitted).toHaveBeenCalledTimes(2);
       });
     });
@@ -727,7 +739,7 @@ describe('RBAC API', () => {
         const result = await isSuperAdmin('user-123');
-        expect(result).toBe(true);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
         expect(mockEngine.checkSuperAdmin).toHaveBeenCalledWith('user-123');
       });
@@ -737,7 +749,9 @@ describe('RBAC API', () => {
         const error = new Error('Engine error');
         mockEngine.checkSuperAdmin.mockRejectedValue(error);
-        await expect(isSuperAdmin('user-123')).rejects.toThrow('Engine error');
+        const result = await isSuperAdmin('user-123');
+        expect(result.ok).toBe(false);
+        expect(result.ok === false && result.error.message).toContain('Engine error');
       });
     });
@@ -752,7 +766,7 @@ describe('RBAC API', () => {
         const result = await isOrganisationAdmin('user-123', 'org-456');
-        expect(result).toBe(true);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
         expect(mockEngine.getAccessLevel).toHaveBeenCalledWith({
           userId: 'user-123',
           scope: { organisationId: 'org-456' }
@@ -766,7 +780,7 @@ describe('RBAC API', () => {
         const result = await isOrganisationAdmin('user-123', 'org-456');
-        expect(result).toBe(true);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
       });
       it('returns false for other access levels', async () => {
@@ -776,7 +790,7 @@ describe('RBAC API', () => {
         const result = await isOrganisationAdmin('user-123', 'org-456');
-        expect(result).toBe(false);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(false);
       });
     });
@@ -792,7 +806,7 @@ describe('RBAC API', () => {
           appId: 'app-101'
         });
-        expect(result).toBe(true);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
         expect(mockEngine.getAccessLevel).toHaveBeenCalledWith({
           userId: 'user-123',
           scope: {
@@ -812,7 +826,7 @@ describe('RBAC API', () => {
           appId: 'app-101'
         });
-        expect(result).toBe(false);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(false);
         expect(mockEngine.getAccessLevel).not.toHaveBeenCalled();
       });
@@ -825,7 +839,7 @@ describe('RBAC API', () => {
           appId: undefined
         });
-        expect(result).toBe(false);
+        expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(false);
         expect(mockEngine.getAccessLevel).not.toHaveBeenCalled();
       });
     });
@@ -926,17 +940,934 @@ describe('RBAC API', () => {
     });
   });
-  describe('Error Handling', () => {
-    it('throws RBACNotInitializedError when engine not available', async () => {
-      // Reset global engine by clearing the module cache
-      vi.resetModules();
+  describe('getPageScopeType', () => {
+    let mockEngine: any;
+    beforeEach(() => {
+      const createQueryBuilder = (table: string, selectField?: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        if (table === 'rbac_apps') {
+          if (selectField === 'id, name, is_active') {
+            builder.maybeSingle = vi.fn().mockResolvedValue({
+              data: { id: 'app-123', name: 'test-app', is_active: true },
+              error: null
+            });
+          }
+        } else if (table === 'rbac_app_pages') {
+          if (selectField === 'id, page_name, app_id') {
+            builder.maybeSingle = vi.fn().mockResolvedValue({
+              data: { id: '123e4567-e89b-12d3-a456-426614174000', page_name: 'test-page', app_id: 'app-123' },
+              error: null
+            });
+          } else if (selectField === 'scope_type, page_name, app_id') {
+            builder.single = vi.fn().mockResolvedValue({
+              data: { scope_type: 'organisation', page_name: 'test-page', app_id: 'app-123' },
+              error: null
+            });
+          }
+        }
+        builder.select = vi.fn((fields: string) => {
+          return createQueryBuilder(table, fields);
+        });
+        return builder;
+      };
-      const { getAccessLevel } = await import('./api');
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      mockEngine = {
+        getAccessLevel: vi.fn(),
+        getPermissionMap: vi.fn(),
+        isPermitted: vi.fn(),
+        resolveAppContext: vi.fn(),
+        getRoleContext: vi.fn(),
+        checkSuperAdmin: vi.fn(),
+        supabase: mockSupabaseForEngine as any
+      };
+      mockCreateRBACEngine.mockReturnValue(mockEngine);
+      mockCreateAuditManager.mockReturnValue({} as any);
+      mockGetRBACLogger.mockReturnValue({
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+        debug: vi.fn()
+      });
+      setupRBAC(mockSupabase as any);
+    });
+    it('returns scope type for UUID pageId', async () => {
+      // Update mockEngine.supabase before importing (globalEngine references mockEngine)
+      const mockSupabaseForQuery = {
+        from: vi.fn((table: string) => {
+          if (table === 'rbac_app_pages') {
+            return {
+              select: vi.fn().mockReturnThis(),
+              eq: vi.fn().mockReturnThis(),
+              single: vi.fn().mockResolvedValue({
+                data: { scope_type: 'organisation', page_name: 'test-page', app_id: 'app-123' },
+                error: null
+              })
+            };
+          }
+          return {
+            select: vi.fn().mockReturnThis(),
+            eq: vi.fn().mockReturnThis(),
+            maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+            single: vi.fn().mockResolvedValue({ data: null, error: null })
+          };
+        }),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
-      await expect(getAccessLevel({
-        userId: 'user-123',
-        scope: { organisationId: 'org-456' }
-      })).rejects.toThrow('RBAC system not initialized');
+      // Update the mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForQuery as any;
+      const { getPageScopeType } = await import('./api');
+      const result = await getPageScopeType('123e4567-e89b-12d3-a456-426614174000', 'app-123');
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe('organisation');
+    });
+    it('resolves page name to UUID and returns scope type', async () => {
+      // Update mockEngine.supabase before importing (globalEngine references mockEngine)
+      const createQueryBuilder = (table: string, selectField?: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        if (table === 'rbac_app_pages') {
+          if (selectField === 'id, page_name, app_id') {
+            builder.maybeSingle = vi.fn().mockResolvedValue({
+              data: { id: '123e4567-e89b-12d3-a456-426614174000', page_name: 'test-page', app_id: 'app-123' },
+              error: null
+            });
+          } else if (selectField === 'scope_type, page_name, app_id') {
+            builder.single = vi.fn().mockResolvedValue({
+              data: { scope_type: 'organisation', page_name: 'test-page', app_id: 'app-123' },
+              error: null
+            });
+          }
+        }
+        builder.select = vi.fn((fields: string) => {
+          return createQueryBuilder(table, fields);
+        });
+        return builder;
+      };
+      const mockSupabaseForQuery = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      // Update the mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForQuery as any;
+      const { getPageScopeType } = await import('./api');
+      const result = await getPageScopeType('test-page', 'app-123');
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe('organisation');
+    });
+    it('resolves appId from appName', async () => {
+      // Update mockEngine.supabase before importing (globalEngine references mockEngine)
+      const createQueryBuilder = (table: string, selectField?: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        if (table === 'rbac_apps') {
+          if (selectField === 'id, name, is_active') {
+            builder.maybeSingle = vi.fn().mockResolvedValue({
+              data: { id: 'app-123', name: 'test-app', is_active: true },
+              error: null
+            });
+          }
+        } else if (table === 'rbac_app_pages') {
+          if (selectField === 'id, page_name, app_id') {
+            builder.maybeSingle = vi.fn().mockResolvedValue({
+              data: { id: '123e4567-e89b-12d3-a456-426614174000', page_name: 'test-page', app_id: 'app-123' },
+              error: null
+            });
+          } else if (selectField === 'scope_type, page_name, app_id') {
+            builder.single = vi.fn().mockResolvedValue({
+              data: { scope_type: 'event', page_name: 'test-page', app_id: 'app-123' },
+              error: null
+            });
+          }
+        }
+        builder.select = vi.fn((fields: string) => {
+          return createQueryBuilder(table, fields);
+        });
+        return builder;
+      };
+      const mockSupabaseForQuery = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      // Update the mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForQuery as any;
+      const { getPageScopeType } = await import('./api');
+      const result = await getPageScopeType('test-page', undefined, 'test-app');
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe('event');
+    });
+    it('handles errors when app not found', async () => {
+      const createQueryBuilder = (table: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        if (table === 'rbac_apps') {
+          builder.maybeSingle = vi.fn().mockResolvedValue({
+            data: null,
+            error: null
+          });
+        }
+        builder.select = vi.fn(() => builder);
+        return builder;
+      };
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      // Update the existing mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForEngine as any;
+      const { getPageScopeType } = await import('./api');
+      const result = await getPageScopeType('test-page', undefined, 'nonexistent-app');
+      expect(result.ok).toBe(false);
+    });
+    it('handles errors when page not found', async () => {
+      const createQueryBuilder = (table: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        if (table === 'rbac_app_pages') {
+          builder.single = vi.fn().mockResolvedValue({
+            data: null,
+            error: { message: 'Page not found' }
+          });
+        }
+        builder.select = vi.fn(() => builder);
+        return builder;
+      };
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      // Update the existing mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForEngine as any;
+      const { getPageScopeType } = await import('./api');
+      const result = await getPageScopeType('nonexistent-page', 'app-123');
+      expect(result.ok).toBe(false);
+    });
+    it('handles database errors gracefully', async () => {
+      // Update mockEngine.supabase before importing (globalEngine references mockEngine)
+      const createQueryBuilder = (_table: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          single: vi.fn().mockResolvedValue({
+            data: null,
+            error: { message: 'Database error', code: 'PGRST116' }
+          })
+        };
+        builder.select = vi.fn(() => builder);
+        return builder;
+      };
+      const mockSupabaseForQuery = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      // Update the mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForQuery as any;
+      const { getPageScopeType } = await import('./api');
+      const result = await getPageScopeType('123e4567-e89b-12d3-a456-426614174000', 'app-123');
+      expect(result.ok).toBe(false);
+    });
+    it('returns "both" scope type when page has both scope', async () => {
+      // Update mockEngine.supabase before importing (globalEngine references mockEngine)
+      const createQueryBuilder = (table: string, selectField?: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        if (table === 'rbac_app_pages' && selectField === 'scope_type, page_name, app_id') {
+          builder.single = vi.fn().mockResolvedValue({
+            data: { scope_type: 'both', page_name: 'test-page', app_id: 'app-123' },
+            error: null
+          });
+        }
+        builder.select = vi.fn((fields: string) => {
+          return createQueryBuilder(table, fields);
+        });
+        return builder;
+      };
+      const mockSupabaseForQuery = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      // Update the mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForQuery as any;
+      const { getPageScopeType } = await import('./api');
+      const result = await getPageScopeType('123e4567-e89b-12d3-a456-426614174000', 'app-123');
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe('both');
+    });
+  });
+  describe('isPermitted - Advanced Cases', () => {
+    let mockEngine: any;
+    beforeEach(() => {
+      const createQueryBuilder = (table: string, selectField?: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        if (table === 'rbac_apps') {
+          if (selectField === 'name') {
+            builder.single = vi.fn().mockResolvedValue({ data: { name: 'test-app' }, error: null });
+          }
+        } else if (table === 'rbac_app_pages') {
+          if (selectField === 'scope_type, page_name, app_id') {
+            builder.single = vi.fn().mockResolvedValue({
+              data: { scope_type: 'organisation', page_name: 'test-page', app_id: 'app-123' },
+              error: null
+            });
+          }
+        }
+        builder.select = vi.fn((fields: string) => {
+          return createQueryBuilder(table, fields);
+        });
+        return builder;
+      };
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      mockEngine = {
+        getAccessLevel: vi.fn(),
+        getPermissionMap: vi.fn(),
+        isPermitted: vi.fn(),
+        resolveAppContext: vi.fn(),
+        getRoleContext: vi.fn(),
+        checkSuperAdmin: vi.fn(),
+        supabase: mockSupabaseForEngine as any
+      };
+      mockCreateRBACEngine.mockReturnValue(mockEngine);
+      mockCreateAuditManager.mockReturnValue({} as any);
+      mockGetRBACLogger.mockReturnValue({
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+        debug: vi.fn()
+      });
+      setupRBAC(mockSupabase as any);
+    });
+    it('uses precomputed super admin status when provided as true', async () => {
+      const { isPermitted } = await import('./api');
+      mockEngine.isPermitted.mockResolvedValue(true);
+      const result = await isPermitted({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456', appId: 'app-123' },
+        permission: 'read:users',
+        pageId: '123e4567-e89b-12d3-a456-426614174000'
+      }, undefined, true);
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
+      expect(mockEngine.checkSuperAdmin).not.toHaveBeenCalled();
+    });
+    it('checks super admin when precomputed is null', async () => {
+      const { isPermitted } = await import('./api');
+      mockEngine.checkSuperAdmin.mockResolvedValue(false);
+      mockEngine.isPermitted.mockResolvedValue(true);
+      const result = await isPermitted({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456', appId: 'app-123' },
+        permission: 'read:users',
+        pageId: '123e4567-e89b-12d3-a456-426614174000'
+      }, undefined, null);
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
+      expect(mockEngine.checkSuperAdmin).toHaveBeenCalled();
+    });
+    it('handles "both" scope type pages correctly', async () => {
+      const createQueryBuilder = (table: string, selectField?: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        if (table === 'rbac_apps') {
+          if (selectField === 'name') {
+            builder.single = vi.fn().mockResolvedValue({ data: { name: 'test-app' }, error: null });
+          }
+        } else if (table === 'rbac_app_pages') {
+          if (selectField === 'scope_type, page_name, app_id') {
+            builder.single = vi.fn().mockResolvedValue({
+              data: { scope_type: 'both', page_name: 'test-page', app_id: 'app-123' },
+              error: null
+            });
+          }
+        }
+        builder.select = vi.fn((fields: string) => {
+          return createQueryBuilder(table, fields);
+        });
+        return builder;
+      };
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      // Update the mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForEngine as any;
+      mockEngine.checkSuperAdmin.mockResolvedValue(false);
+      mockEngine.isPermitted
+        .mockResolvedValueOnce(true) // Event scope check
+        .mockResolvedValueOnce(false); // Org scope check
+      const { isPermitted } = await import('./api');
+      const result = await isPermitted({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456', eventId: 'event-789', appId: 'app-123' },
+        permission: 'read:users',
+        pageId: '123e4567-e89b-12d3-a456-426614174000'
+      });
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true); // Union: true || false = true
+    });
+    it('resolves appName from appId when not provided', async () => {
+      const { isPermitted } = await import('./api');
+      mockEngine.checkSuperAdmin.mockResolvedValue(false);
+      mockEngine.isPermitted.mockResolvedValue(true);
+      const result = await isPermitted({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456', appId: 'app-123' },
+        permission: 'read:users',
+        pageId: '123e4567-e89b-12d3-a456-426614174000'
+      });
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
+    });
+    it('handles errors in getPageScopeType gracefully', async () => {
+      const createQueryBuilder = (_table: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          single: vi.fn().mockResolvedValue({
+            data: null,
+            error: { message: 'Database error' }
+          })
+        };
+        builder.select = vi.fn(() => builder);
+        return builder;
+      };
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      // Update the mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForEngine as any;
+      mockEngine.checkSuperAdmin.mockResolvedValue(false);
+      const { isPermitted } = await import('./api');
+      const result = await isPermitted({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456', appId: 'app-123' },
+        permission: 'read:users',
+        pageId: '123e4567-e89b-12d3-a456-426614174000'
+      });
+      expect(result.ok).toBe(false);
+    });
+  });
+  describe('isPermittedCached - Edge Cases', () => {
+    let mockEngine: any;
+    beforeEach(() => {
+      const createQueryBuilder = (table: string, selectField?: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        if (table === 'rbac_apps') {
+          if (selectField === 'name') {
+            builder.single = vi.fn().mockResolvedValue({ data: { name: 'test-app' }, error: null });
+          }
+        } else if (table === 'rbac_app_pages') {
+          if (selectField === 'scope_type, page_name, app_id') {
+            builder.single = vi.fn().mockResolvedValue({
+              data: { scope_type: 'organisation', page_name: 'test-page', app_id: 'app-123' },
+              error: null
+            });
+          }
+        }
+        builder.select = vi.fn((fields: string) => {
+          return createQueryBuilder(table, fields);
+        });
+        return builder;
+      };
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      mockEngine = {
+        getAccessLevel: vi.fn(),
+        getPermissionMap: vi.fn(),
+        isPermitted: vi.fn(),
+        resolveAppContext: vi.fn(),
+        getRoleContext: vi.fn(),
+        checkSuperAdmin: vi.fn(),
+        supabase: mockSupabaseForEngine as any
+      };
+      mockCreateRBACEngine.mockReturnValue(mockEngine);
+      mockCreateAuditManager.mockReturnValue({} as any);
+      mockGetRBACLogger.mockReturnValue({
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+        debug: vi.fn()
+      });
+      setupRBAC(mockSupabase as any);
+    });
+    it('uses session cache for page-level checks', async () => {
+      const { isPermittedCached } = await import('./api');
+      rbacCache.get.mockReturnValue(null);
+      mockEngine.checkSuperAdmin.mockResolvedValue(false);
+      mockEngine.isPermitted.mockResolvedValue(true);
+      const result = await isPermittedCached({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456', appId: 'app-123' },
+        permission: 'read:users',
+        pageId: '123e4567-e89b-12d3-a456-426614174000'
+      });
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
+      expect(rbacCache.set).toHaveBeenCalledWith(
+        expect.any(String),
+        true,
+        undefined,
+        true // useSessionCache = true for page-level checks
+      );
+    });
+    it('uses regular cache for non-page-level checks', async () => {
+      const { isPermittedCached } = await import('./api');
+      rbacCache.get.mockReturnValue(null);
+      mockEngine.checkSuperAdmin.mockResolvedValue(false);
+      mockEngine.isPermitted.mockResolvedValue(true);
+      const result = await isPermittedCached({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456', appId: 'app-123' },
+        permission: 'read:users'
+        // No pageId
+      });
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
+      expect(rbacCache.set).toHaveBeenCalledWith(
+        expect.any(String),
+        true,
+        undefined,
+        false // useSessionCache = false for non-page-level checks
+      );
+    });
+    it('detects page-level check by permission pattern', async () => {
+      const { isPermittedCached } = await import('./api');
+      rbacCache.get.mockReturnValue(null);
+      mockEngine.checkSuperAdmin.mockResolvedValue(false);
+      mockEngine.isPermitted.mockResolvedValue(true);
+      const result = await isPermittedCached({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456', appId: 'app-123' },
+        permission: 'read:page.meals'
+        // No pageId, but permission contains 'page.'
+      });
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe(true);
+      expect(rbacCache.set).toHaveBeenCalledWith(
+        expect.any(String),
+        true,
+        undefined,
+        true // useSessionCache = true for page-level checks
+      );
+    });
+  });
+  describe('getAccessLevel - Super Admin Cases', () => {
+    let mockEngine: any;
+    beforeEach(() => {
+      const createQueryBuilder = (_table: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        builder.select = vi.fn(() => builder);
+        return builder;
+      };
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      mockEngine = {
+        getAccessLevel: vi.fn(),
+        getPermissionMap: vi.fn(),
+        isPermitted: vi.fn(),
+        resolveAppContext: vi.fn(),
+        getRoleContext: vi.fn(),
+        checkSuperAdmin: vi.fn(),
+        supabase: mockSupabaseForEngine as any
+      };
+      mockCreateRBACEngine.mockReturnValue(mockEngine);
+      mockCreateAuditManager.mockReturnValue({} as any);
+      mockGetRBACLogger.mockReturnValue({
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+        debug: vi.fn()
+      });
+      setupRBAC(mockSupabase as any);
+    });
+    it('returns super for super admin users', async () => {
+      const { getAccessLevel } = await import('./api');
+      mockEngine.checkSuperAdmin.mockResolvedValue(true);
+      const result = await getAccessLevel({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456' }
+      });
+      expect(result.ok).toBe(true); expect(result.ok && result.data).toBe('super');
+      expect(mockEngine.getAccessLevel).not.toHaveBeenCalled();
+    });
+    it('handles context validation errors', async () => {
+      const { getAccessLevel } = await import('./api');
+      mockEngine.checkSuperAdmin.mockResolvedValue(false);
+      mockEngine.getAccessLevel.mockRejectedValue(new Error('Context validation failed'));
+      const result = await getAccessLevel({
+        userId: 'user-123',
+        scope: {} // Invalid scope
+      });
+      expect(result.ok).toBe(false);
+    });
+  });
+  describe('getPermissionMap - Error Cases', () => {
+    let mockEngine: any;
+    beforeEach(() => {
+      const createQueryBuilder = (_table: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        builder.select = vi.fn(() => builder);
+        return builder;
+      };
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      mockEngine = {
+        getAccessLevel: vi.fn(),
+        getPermissionMap: vi.fn(),
+        isPermitted: vi.fn(),
+        resolveAppContext: vi.fn(),
+        getRoleContext: vi.fn(),
+        checkSuperAdmin: vi.fn(),
+        supabase: mockSupabaseForEngine as any
+      };
+      mockCreateRBACEngine.mockReturnValue(mockEngine);
+      mockCreateAuditManager.mockReturnValue({} as any);
+      mockGetRBACLogger.mockReturnValue({
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+        debug: vi.fn()
+      });
+      setupRBAC(mockSupabase as any);
+    });
+    it('handles context validation errors', async () => {
+      const { getPermissionMap } = await import('./api');
+      mockEngine.checkSuperAdmin.mockResolvedValue(false);
+      mockEngine.getPermissionMap.mockRejectedValue(new Error('Context validation failed'));
+      const result = await getPermissionMap({
+        userId: 'user-123',
+        scope: {} // Invalid scope
+      });
+      expect(result.ok).toBe(false);
+    });
+  });
+  describe('Error Handling', () => {
+    let mockEngine: any;
+    beforeEach(() => {
+      const createQueryBuilder = (_table: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        builder.select = vi.fn(() => builder);
+        return builder;
+      };
+      const mockSupabaseForEngine = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      mockEngine = {
+        getAccessLevel: vi.fn(),
+        getPermissionMap: vi.fn(),
+        isPermitted: vi.fn(),
+        resolveAppContext: vi.fn(),
+        getRoleContext: vi.fn(),
+        checkSuperAdmin: vi.fn(),
+        supabase: mockSupabaseForEngine as any
+      };
+      mockCreateRBACEngine.mockReturnValue(mockEngine);
+      mockCreateAuditManager.mockReturnValue({} as any);
+      mockGetRBACLogger.mockReturnValue({
+        info: vi.fn(),
+        warn: vi.fn(),
+        error: vi.fn(),
+        debug: vi.fn()
+      });
+      setupRBAC(mockSupabase as any);
+    });
+    it('throws RBACNotInitializedError when engine not available', async () => {
+      // Reset global engine by clearing the module cache
+      vi.resetModules();
+      const { getAccessLevel } = await import('./api');
+      const result = await getAccessLevel({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456' }
+      });
+      expect(result.ok).toBe(false);
+      expect(result.ok === false && result.error.code).toBe('RBAC_NOT_INITIALIZED');
+    });
+    it('handles errors in resolveAppContext', async () => {
+      // Re-initialize RBAC after potential resetModules() in previous test
+      mockEngine.resolveAppContext.mockRejectedValue(new Error('Database error'));
+      // Re-import setupRBAC to get fresh reference after potential resetModules()
+      const { setupRBAC: freshSetupRBAC } = await import('./api');
+      freshSetupRBAC(mockSupabase as any);
+      // Dynamic import after setup
+      const { resolveAppContext } = await import('./api');
+      const result = await resolveAppContext({
+        userId: 'user-123',
+        appName: 'test-app'
+      });
+      expect(result.ok).toBe(false);
+      expect(result.ok === false && result.error.message).toContain('Database error');
+    });
+    it('handles errors in getRoleContext', async () => {
+      // Ensure engine is set up before importing
+      // getRoleContext calls ContextValidator.resolveScopeForPage which needs engine.supabase
+      const createQueryBuilder = (_table: string) => {
+        const builder: any = {
+          select: vi.fn().mockReturnThis(),
+          eq: vi.fn().mockReturnThis(),
+          maybeSingle: vi.fn().mockResolvedValue({ data: null, error: null }),
+          single: vi.fn().mockResolvedValue({ data: null, error: null })
+        };
+        builder.select = vi.fn(() => builder);
+        return builder;
+      };
+      const mockSupabaseForQuery = {
+        from: vi.fn((_table: string) => createQueryBuilder(_table)),
+        rpc: vi.fn().mockResolvedValue({ data: null, error: null }),
+        auth: mockSupabase.auth
+      };
+      // Update the mockEngine's supabase property (globalEngine references the same object)
+      mockEngine.supabase = mockSupabaseForQuery as any;
+      mockEngine.getRoleContext.mockRejectedValue(new Error('Database error'));
+      // Re-import setupRBAC to get fresh reference after potential resetModules()
+      const { setupRBAC: freshSetupRBAC } = await import('./api');
+      freshSetupRBAC(mockSupabase as any);
+      // Dynamic import after setup
+      const { getRoleContext } = await import('./api');
+      const result = await getRoleContext({
+        userId: 'user-123',
+        scope: { organisationId: 'org-456' }
+      });
+      expect(result.ok).toBe(false);
+      expect(result.ok === false && result.error.message).toContain('Database error');
     });
   });
 });