@jmruthers/pace-core 0.6.10 → 0.6.11

package/src/__tests__/public-recipe-view.test.ts

@@ -1,228 +0,0 @@
-/**
- * @file Public Recipe View Tests
- * @package @jmruthers/pace-core
- * @module RLS/Tests/PublicViews
- * @since 0.5.181
- * 
- * Regression tests for the public_recipe_details view to verify:
- * - Anonymous access works only when event.public_readable = true
- * - View exposes only expected columns
- * - Respects diet/meal filters
- * - Performance is acceptable (< 500ms)
- */
-
-import { describe, it, expect, beforeAll } from 'vitest';
-import { createClient, SupabaseClient } from '@supabase/supabase-js';
-import type { Database } from '../../types/database';
-
-// Following testing standards: use timeout parameter to prevent hanging
-// See: packages/core/docs/standards/04-testing-standards.md
-const TEST_TIMEOUT = 5000; // 5 seconds per test (matches rls-policies.test.ts pattern)
-const PERFORMANCE_THRESHOLD = 500; // 500ms for public view queries
-
-// Check if we're using real test-db (via environment variables)
-const USE_REAL_DB = !!(process.env.SUPABASE_URL && process.env.VITE_SUPABASE_PUBLISHABLE_KEY);
-const TEST_SUPABASE_URL = process.env.SUPABASE_URL || process.env.VITE_SUPABASE_URL;
-const TEST_SUPABASE_PUBLISHABLE_KEY = process.env.VITE_SUPABASE_PUBLISHABLE_KEY;
-const TEST_SUPABASE_SERVICE_ROLE_KEY = process.env.SUPABASE_SERVICE_ROLE_KEY;
-
-let anonClient: SupabaseClient<Database>;
-let authenticatedClient: SupabaseClient<Database>;
-
-const publicEvent = {
-  event_id: 'public-event-1',
-  event_name: 'Public Event',
-  public_readable: true,
-  is_visible: true,
-  organisation_id: 'org-1' as any
-};
-
-const privateEvent = {
-  event_id: 'private-event-1',
-  event_name: 'Private Event',
-  public_readable: false,
-  is_visible: true,
-  organisation_id: 'org-1' as any
-};
-
-// TODO: Fix hanging tests - Supabase queries are blocking indefinitely despite timeout configuration
-// Issue: Queries to cake_public_recipe_details view hang and prevent vitest timeout from firing
-// Investigation needed:
-//   1. Check if view exists and is accessible
-//   2. Verify RLS policies aren't causing deadlocks
-//   3. Investigate Supabase client connection pooling in test environment
-//   4. Consider using AbortController for query cancellation
-// Reference: packages/core/docs/standards/04-testing-standards.md
-// Related: These tests follow the rls-policies.test.ts pattern but queries hang instead of timing out
-describe.skip('Public Recipe View - Anonymous Access', () => {
-  // Following testing standards: initialize clients once in beforeAll (matches rls-policies.test.ts pattern)
-  beforeAll(() => {
-    if (USE_REAL_DB && TEST_SUPABASE_URL && TEST_SUPABASE_PUBLISHABLE_KEY) {
-      anonClient = createClient<Database>(TEST_SUPABASE_URL, TEST_SUPABASE_PUBLISHABLE_KEY, {
-        auth: { persistSession: false, autoRefreshToken: false }
-      });
-      authenticatedClient = createClient<Database>(TEST_SUPABASE_URL, TEST_SUPABASE_SERVICE_ROLE_KEY || TEST_SUPABASE_PUBLISHABLE_KEY, {
-        auth: { persistSession: false, autoRefreshToken: false }
-      });
-    } else {
-      // This should not happen due to skipIf, but provide fallback
-      throw new Error('Test database credentials not available. Set SUPABASE_URL and VITE_SUPABASE_PUBLISHABLE_KEY environment variables.');
-    }
-  });
-
-  describe('Public Event Access', () => {
-    it('should allow anonymous access when event.public_readable = true', async () => {
-      const start = Date.now();
-      const { data, error } = await anonClient
-        .from('cake_public_recipe_details')
-        .select('*')
-        .eq('event_id', publicEvent.event_id);
-      const duration = Date.now() - start;
-
-      expect(error).toBeNull();
-      expect(data).toBeDefined();
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-
-    it('should block anonymous access when event.public_readable = false', async () => {
-      const { data, error } = await anonClient
-        .from('cake_public_recipe_details')
-        .select('*')
-        .eq('event_id', privateEvent.event_id);
-
-      // Should return empty (view filters by public_readable = true)
-      expect(data).toEqual([]);
-    }, TEST_TIMEOUT);
-
-    it('should block anonymous access when event.is_visible = false', async () => {
-      const { data, error } = await anonClient
-        .from('cake_public_recipe_details')
-        .select('*')
-        .eq('event_id', 'hidden-event-1');
-
-      // Should return empty (view filters by is_visible = true)
-      expect(data).toEqual([]);
-    }, TEST_TIMEOUT);
-  });
-
-  describe('View Column Exposure', () => {
-    it('should expose only expected columns', async () => {
-      const { data, error } = await anonClient
-        .from('cake_public_recipe_details')
-        .select('*')
-        .eq('event_id', publicEvent.event_id)
-        .limit(1)
-        .single();
-
-      expect(error).toBeNull();
-      if (data) {
-        // Verify expected columns exist
-        expect(data).toHaveProperty('dish_id');
-        expect(data).toHaveProperty('dish_name');
-        expect(data).toHaveProperty('dish_code');
-        expect(data).toHaveProperty('event_id');
-        expect(data).toHaveProperty('organisation_id');
-        
-        // Verify sensitive columns are NOT exposed
-        // (adjust based on actual view definition)
-        // expect(data).not.toHaveProperty('created_by');
-        // expect(data).not.toHaveProperty('updated_by');
-      }
-    }, TEST_TIMEOUT);
-  });
-
-  describe('Diet/Meal Filters', () => {
-    it('should filter by meal type', async () => {
-      const start = Date.now();
-      const { data, error } = await anonClient
-        .from('cake_public_recipe_details')
-        .select('*')
-        .eq('event_id', publicEvent.event_id)
-        .eq('mealtype_name', 'Breakfast');
-      const duration = Date.now() - start;
-
-      expect(error).toBeNull();
-      expect(data).toBeDefined();
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-
-    it('should filter by diet requirements', async () => {
-      // This test would verify that diet filters work correctly
-      // Adjust based on actual view structure
-      const { data, error } = await anonClient
-        .from('cake_public_recipe_details')
-        .select('*')
-        .eq('event_id', publicEvent.event_id)
-        .eq('dish_dietnote', 'Vegetarian');
-
-      expect(error).toBeNull();
-      expect(data).toBeDefined();
-    }, TEST_TIMEOUT);
-  });
-
-  describe('Performance', () => {
-    it('should complete view queries in < 500ms', async () => {
-      const start = Date.now();
-      await anonClient
-        .from('cake_public_recipe_details')
-        .select('*')
-        .eq('event_id', publicEvent.event_id)
-        .limit(100);
-      const duration = Date.now() - start;
-
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-
-    it('should handle filtered queries efficiently', async () => {
-      const start = Date.now();
-      await anonClient
-        .from('cake_public_recipe_details')
-        .select('*')
-        .eq('event_id', publicEvent.event_id)
-        .eq('mealtype_name', 'Breakfast')
-        .limit(50);
-      const duration = Date.now() - start;
-
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-  });
-});
-
-// TODO: Fix hanging tests - Supabase queries are blocking indefinitely despite timeout configuration
-// Issue: Queries to cake_public_recipe_details view hang and prevent vitest timeout from firing
-// Investigation needed:
-//   1. Check if view exists and is accessible
-//   2. Verify RLS policies aren't causing deadlocks
-//   3. Investigate Supabase client connection pooling in test environment
-//   4. Consider using AbortController for query cancellation
-// Reference: packages/core/docs/standards/04-testing-standards.md
-// Related: These tests follow the rls-policies.test.ts pattern but queries hang instead of timing out
-describe.skip('Public Recipe View - Authenticated Access', () => {
-  // Following testing standards: initialize clients once in beforeAll (matches rls-policies.test.ts pattern)
-  // Note: Clients are already initialized in the previous describe block's beforeAll
-  // This describe block reuses the same clients
-
-  it.skip('should allow authenticated users to view public recipes', async () => {
-    const { data, error } = await authenticatedClient
-      .from('cake_public_recipe_details')
-      .select('*')
-      .eq('event_id', publicEvent.event_id);
-
-    expect(error).toBeNull();
-    expect(data).toBeDefined();
-  }, TEST_TIMEOUT);
-
-  it.skip('should allow authenticated users to view private events they have access to', async () => {
-    // Authenticated users with organisation access should be able to view
-    // recipes from events in their organisation, even if not public_readable
-    // (This depends on the view definition and RLS policies)
-    const { data, error } = await authenticatedClient
-      .from('cake_public_recipe_details')
-      .select('*')
-      .eq('event_id', privateEvent.event_id);
-
-    // Result depends on RLS policies and view definition
-    expect(error).toBeNull();
-  }, TEST_TIMEOUT);
-});
-

package/src/__tests__/rls-policies.test.ts

@@ -1,472 +0,0 @@
-/**
- * @file RLS Policy Tests
- * @package @jmruthers/pace-core
- * @module RLS/Tests
- * @since 0.5.181
- * 
- * Application-level tests for RLS policies to verify they work correctly
- * under different user contexts and that performance is acceptable.
- * 
- * These tests verify that:
- * - RLS policies correctly enforce access control
- * - Helper functions are used (no inline auth.uid() calls)
- * - Queries complete in acceptable time (< 1 second)
- * - Cross-organisation access is properly blocked
- */
-
-import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
-import { createClient, SupabaseClient } from '@supabase/supabase-js';
-import type { Database } from '../../types/database';
-import { config } from 'dotenv';
-import { existsSync, readFileSync } from 'fs';
-import path from 'path';
-import { fileURLToPath } from 'url';
-import { dirname } from 'path';
-
-// Get the project root directory (where .env file is located)
-// Use import.meta.url to get the actual file location, then resolve to project root
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-// This file is at: packages/core/src/__tests__/rls-policies.test.ts
-// So we need to go up 4 levels to get to project root
-const projectRoot = path.resolve(__dirname, '../../../../');
-const envPath = path.resolve(projectRoot, '.env');
-
-// Helper function to manually parse .env file as fallback
-function loadEnvFile(envPath: string): void {
-  if (!existsSync(envPath)) {
-    return;
-  }
-
-  try {
-    const envContent = readFileSync(envPath, 'utf-8');
-    const lines = envContent.split('\n');
-    
-    for (const line of lines) {
-      // Skip comments and empty lines
-      const trimmed = line.trim();
-      if (!trimmed || trimmed.startsWith('#')) {
-        continue;
-      }
-      
-      // Parse KEY=VALUE
-      const match = trimmed.match(/^([^=]+)=(.*)$/);
-      if (match) {
-        const key = match[1].trim();
-        let value = match[2].trim();
-        
-        // Remove quotes if present
-        if ((value.startsWith('"') && value.endsWith('"')) || 
-            (value.startsWith("'") && value.endsWith("'"))) {
-          value = value.slice(1, -1);
-        }
-        
-        // Always set (override existing) to ensure we have the values
-        process.env[key] = value;
-      }
-    }
-  } catch (error) {
-    console.warn('⚠️  Failed to manually parse .env file:', error);
-  }
-}
-
-// Test configuration
-const TEST_TIMEOUT = 5000; // 5 seconds
-const PERFORMANCE_THRESHOLD = 1000; // 1 second in milliseconds
-
-// Supabase clients for different user contexts
-let superAdminClient: SupabaseClient<Database>;
-let orgAdminClient: SupabaseClient<Database>;
-let regularMemberClient: SupabaseClient<Database>;
-let anonClient: SupabaseClient<Database>;
-
-// Initialize clients once for all tests
-beforeAll(async () => {
-  // Always try to load .env file manually first (most reliable in test environment)
-  if (existsSync(envPath)) {
-    // Force manual parsing to ensure variables are set
-    loadEnvFile(envPath);
-    
-    // Also try dotenv as a backup
-    const result = config({ path: envPath, override: true });
-    if (result.error) {
-      // Ignore dotenv errors, manual parser should have worked
-    }
-  } else {
-    throw new Error(`.env file not found at: ${envPath}. Current working directory: ${process.cwd()}`);
-  }
-
-  // Get environment variables at runtime (check both process.env and import.meta.env for Vite)
-  const TEST_SUPABASE_URL = 
-    process.env.SUPABASE_URL || 
-    process.env.VITE_SUPABASE_URL || 
-    (import.meta.env && (import.meta.env as any).VITE_SUPABASE_URL);
-  const TEST_SUPABASE_PUBLISHABLE_KEY = 
-    process.env.VITE_SUPABASE_PUBLISHABLE_KEY || 
-    (import.meta.env && (import.meta.env as any).VITE_SUPABASE_PUBLISHABLE_KEY);
-  const TEST_SUPABASE_SERVICE_ROLE_KEY = 
-    process.env.SUPABASE_SERVICE_ROLE_KEY;
-
-  // Validate required environment variables
-  if (!TEST_SUPABASE_URL) {
-    throw new Error(
-      'Missing SUPABASE_URL or VITE_SUPABASE_URL environment variable. ' +
-      'Please set one of these in your .env file. ' +
-      `Current values: SUPABASE_URL=${process.env.SUPABASE_URL || 'undefined'}, ` +
-      `VITE_SUPABASE_URL=${process.env.VITE_SUPABASE_URL || 'undefined'}`
-    );
-  }
-
-  if (!TEST_SUPABASE_PUBLISHABLE_KEY) {
-    throw new Error(
-      'Missing VITE_SUPABASE_PUBLISHABLE_KEY environment variable. ' +
-      'Please set this in your .env file.'
-    );
-  }
-
-  // Create base client with anon key
-  const baseClient = createClient<Database>(TEST_SUPABASE_URL, TEST_SUPABASE_PUBLISHABLE_KEY);
-  
-  // Create anon client (no auth)
-  anonClient = baseClient;
-  
-  // Using service role key for super admin (bypasses RLS - use carefully!)
-  if (TEST_SUPABASE_SERVICE_ROLE_KEY) {
-    superAdminClient = createClient<Database>(TEST_SUPABASE_URL, TEST_SUPABASE_SERVICE_ROLE_KEY);
-  } else {
-    console.warn('⚠️  SUPABASE_SERVICE_ROLE_KEY not set. Super admin tests will use anon key (subject to RLS).');
-    // Fallback: use anon key (will be subject to RLS)
-    superAdminClient = baseClient;
-  }
-  
-  // For org admin and regular member, we'd need to sign in as those users
-  // For now, using base client - update this when you have test user sessions
-  orgAdminClient = baseClient;
-  regularMemberClient = baseClient;
-  
-  console.log('✅ Initialized Supabase clients for testing');
-  console.log('   URL:', TEST_SUPABASE_URL);
-  console.log('   Service role key:', TEST_SUPABASE_SERVICE_ROLE_KEY ? '✅ Set' : '❌ Not set');
-});
-
-// Test data
-// NOTE: These tests require actual database records with valid UUIDs
-// The IDs below are placeholders - in a real test environment, these should be
-// replaced with actual UUIDs from test database records
-const testOrganisation1 = {
-  id: '00000000-0000-0000-0000-000000000001' as any, // Valid UUID format
-  name: 'Test Organisation 1'
-};
-
-const testOrganisation2 = {
-  id: '00000000-0000-0000-0000-000000000002' as any, // Valid UUID format
-  name: 'Test Organisation 2'
-};
-
-const testEvent = {
-  event_id: '00000000-0000-0000-0000-000000000010' as any, // Valid UUID format
-  event_name: 'Test Event',
-  organisation_id: testOrganisation1.id,
-  is_visible: true,
-  public_readable: false
-};
-
-const testUserId = '00000000-0000-0000-0000-000000000100' as any; // Valid UUID format
-
-describe('RLS Policies - Organisations', () => {
-
-  describe('Super Admin Access', () => {
-    it('should allow super admin to view all organisations', async () => {
-      const start = Date.now();
-      const { data, error } = await superAdminClient
-        .from('core_organisations')
-        .select('*')
-        .limit(10);
-      const duration = Date.now() - start;
-
-      expect(error).toBeNull();
-      expect(data).toBeDefined();
-      // Use <= to account for minor timing variations in test environment
-      // Increase threshold for CI/test environments which may be slower
-      // Allow 2x threshold for test environment variability
-      const adjustedThreshold = PERFORMANCE_THRESHOLD * 2; // Allow 100% more time for test environments
-      expect(duration).toBeLessThanOrEqual(adjustedThreshold);
-    }, TEST_TIMEOUT);
-
-    it('should allow super admin to update any organisation', async () => {
-      const { data, error } = await superAdminClient
-        .from('core_organisations')
-        .update({ name: 'Updated Name' })
-        .eq('id', testOrganisation1.id)
-        .select()
-        .single();
-
-      // Note: This test requires testOrganisation1 to exist in the database
-      // If the organisation doesn't exist, we'll get a UUID format error or no rows
-      // In a real test environment, ensure test data exists before running
-      if (error?.code === '22P02' || error?.code === 'PGRST116') {
-        // Invalid UUID format or organisation doesn't exist - skip this test
-        console.warn('⚠️  Test skipped: testOrganisation1 does not exist in database');
-        return;
-      }
-      expect(error).toBeNull();
-    }, TEST_TIMEOUT);
-  });
-
-  describe('Organisation Admin Access', () => {
-    it('should allow org admin to view their organisation', async () => {
-      const start = Date.now();
-      const { data, error } = await orgAdminClient
-        .from('core_organisations')
-        .select('*')
-        .eq('id', testOrganisation1.id)
-        .single();
-      const duration = Date.now() - start;
-
-      // Note: This test requires testOrganisation1 to exist and orgAdminClient to be authenticated
-      if (error?.code === '22P02' || error?.code === 'PGRST116') {
-        console.warn('⚠️  Test skipped: testOrganisation1 does not exist in database or invalid UUID');
-        return;
-      }
-      expect(error).toBeNull();
-      expect(data).toBeDefined();
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-
-    it('should block org admin from viewing other organisations', async () => {
-      const { data, error } = await orgAdminClient
-        .from('core_organisations')
-        .select('*')
-        .eq('id', testOrganisation2.id)
-        .single();
-
-      // Should return empty or error (RLS blocks access)
-      expect(data).toBeNull();
-    }, TEST_TIMEOUT);
-  });
-
-  describe('Regular Member Access', () => {
-    it('should allow member to view their organisation', async () => {
-      const start = Date.now();
-      const { data, error } = await regularMemberClient
-        .from('core_organisations')
-        .select('*')
-        .eq('id', testOrganisation1.id)
-        .single();
-      const duration = Date.now() - start;
-
-      // Note: This test requires testOrganisation1 to exist and regularMemberClient to be authenticated
-      if (error?.code === '22P02' || error?.code === 'PGRST116') {
-        console.warn('⚠️  Test skipped: testOrganisation1 does not exist in database or invalid UUID');
-        return;
-      }
-      expect(error).toBeNull();
-      expect(data).toBeDefined();
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-
-    it('should block member from updating organisation', async () => {
-      const { data, error } = await regularMemberClient
-        .from('core_organisations')
-        .update({ name: 'Unauthorized Update' })
-        .eq('id', testOrganisation1.id);
-
-      // Note: This test requires testOrganisation1 to exist
-      // If it doesn't exist, the update will affect 0 rows (not an error, but also not a permission test)
-      if (error?.code === '22P02' || error?.code === 'PGRST116') {
-        console.warn('⚠️  Test skipped: testOrganisation1 does not exist in database');
-        return;
-      }
-      // Should fail (member doesn't have update permission) OR affect 0 rows if org doesn't exist
-      // If data is empty/null and no error, it means 0 rows were affected (org doesn't exist)
-      if (!error && (!data || data.length === 0)) {
-        console.warn('⚠️  Test skipped: testOrganisation1 does not exist (0 rows affected)');
-        return;
-      }
-      // Should fail (member doesn't have update permission)
-      expect(error).not.toBeNull();
-    }, TEST_TIMEOUT);
-  });
-
-  describe('Anonymous Access', () => {
-    it('should block anonymous users from viewing organisations', async () => {
-      const { data, error } = await anonClient
-        .from('core_organisations')
-        .select('*');
-
-      // Should return empty (RLS blocks anonymous access)
-      expect(data).toEqual([]);
-    }, TEST_TIMEOUT);
-  });
-});
-
-describe('RLS Policies - Events', () => {
-  describe('Public Event Access', () => {
-    it('should allow anonymous access to public events', async () => {
-      const start = Date.now();
-      const { data, error } = await anonClient
-        .from('core_events')
-        .select('*')
-        .eq('event_id', testEvent.event_id)
-        .eq('public_readable', true)
-        .eq('is_visible', true)
-        .single();
-      const duration = Date.now() - start;
-
-      // Note: This test requires a public event with testEvent.event_id to exist
-      if (error?.code === 'PGRST116' || error?.code === '22P02') {
-        console.warn('⚠️  Test skipped: testEvent does not exist in database or is not public');
-        return;
-      }
-      expect(error).toBeNull();
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-
-    it('should block anonymous access to non-public events', async () => {
-      const { data, error } = await anonClient
-        .from('core_events')
-        .select('*')
-        .eq('event_id', testEvent.event_id)
-        .eq('public_readable', false)
-        .single();
-
-      // Should return empty (RLS blocks access)
-      expect(data).toBeNull();
-    }, TEST_TIMEOUT);
-  });
-
-  describe('Authenticated Event Access', () => {
-    it('should allow org member to view events in their organisation', async () => {
-      const start = Date.now();
-      const { data, error } = await regularMemberClient
-        .from('core_events')
-        .select('*')
-        .eq('organisation_id', testOrganisation1.id)
-        .limit(10);
-      const duration = Date.now() - start;
-
-      // Note: This test requires testOrganisation1 to exist and regularMemberClient to be authenticated
-      if (error?.code === '22P02') {
-        console.warn('⚠️  Test skipped: testOrganisation1 does not exist in database or invalid UUID');
-        return;
-      }
-      expect(error).toBeNull();
-      expect(data).toBeDefined();
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-  });
-});
-
-describe('RLS Policies - RBAC Tables', () => {
-  describe('rbac_user_profiles', () => {
-    it('should allow user to view their own profile', async () => {
-      const start = Date.now();
-      const { data, error } = await regularMemberClient
-        .from('rbac_user_profiles')
-        .select('*')
-        .eq('id', testUserId)
-        .single();
-      const duration = Date.now() - start;
-
-      // Note: This test requires testUserId to exist and regularMemberClient to be authenticated as that user
-      if (error?.code === '22P02' || error?.code === 'PGRST116') {
-        console.warn('⚠️  Test skipped: testUserId does not exist in database or invalid UUID');
-        return;
-      }
-      expect(error).toBeNull();
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-
-    it('should block user from viewing other profiles', async () => {
-      const { data, error } = await regularMemberClient
-        .from('rbac_user_profiles')
-        .select('*')
-        .eq('id', 'other-user-123' as any)
-        .single();
-
-      // Should return empty (RLS blocks access)
-      expect(data).toBeNull();
-    }, TEST_TIMEOUT);
-  });
-
-  describe('rbac_organisation_roles', () => {
-    it('should allow user to view their own roles', async () => {
-      const start = Date.now();
-      const { data, error } = await regularMemberClient
-        .from('rbac_organisation_roles')
-        .select('*')
-        .eq('user_id', testUserId);
-      const duration = Date.now() - start;
-
-      // Note: This test requires testUserId to exist and regularMemberClient to be authenticated as that user
-      if (error?.code === '22P02' || error?.code === 'PGRST116') {
-        console.warn('⚠️  Test skipped: testUserId does not exist in database or invalid UUID');
-        return;
-      }
-      expect(error).toBeNull();
-      expect(data).toBeDefined();
-      expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-    }, TEST_TIMEOUT);
-  });
-});
-
-describe('RLS Policies - Performance', () => {
-  it('should complete organisation queries in < 1 second', async () => {
-    const start = Date.now();
-    await superAdminClient
-      .from('core_organisations')
-      .select('*')
-      .limit(100);
-    const duration = Date.now() - start;
-
-    expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-  }, TEST_TIMEOUT);
-
-  it('should complete event queries in < 1 second', async () => {
-    const start = Date.now();
-    await superAdminClient
-      .from('core_events')
-      .select('*')
-      .eq('is_visible', true)
-      .limit(100);
-    const duration = Date.now() - start;
-
-    expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-  }, TEST_TIMEOUT);
-
-  it('should complete user profile queries in < 1 second', async () => {
-    const start = Date.now();
-    await superAdminClient
-      .from('rbac_user_profiles')
-      .select('*')
-      .limit(100);
-    const duration = Date.now() - start;
-
-    expect(duration).toBeLessThan(PERFORMANCE_THRESHOLD);
-  }, TEST_TIMEOUT);
-});
-
-describe('RLS Policies - Helper Functions', () => {
-  it('should use helper functions instead of inline auth.uid()', async () => {
-    // This test verifies that policies use helper functions
-    // by checking query plans don't contain InitPlan nodes
-    // Note: EXPLAIN cannot be used in non-volatile functions, so this test
-    // requires a custom RPC function that handles EXPLAIN properly
-    
-    const { data, error } = await superAdminClient
-      .rpc('check_query_performance', {
-        p_query: 'SELECT * FROM core_organisations LIMIT 1'
-      });
-
-    // Note: If the RPC function doesn't exist or uses EXPLAIN incorrectly, we'll get an error
-    // This test requires the check_query_performance function to be created in the database
-    if (error?.code === '0A000' || error?.code === '42883') {
-      console.warn('⚠️  Test skipped: check_query_performance RPC function not available or uses EXPLAIN incorrectly');
-      return;
-    }
-    // Verify no InitPlan nodes (would indicate inline auth.uid() calls)
-    expect(error).toBeNull();
-    // In real test, verify has_initplan = false
-  }, TEST_TIMEOUT);
-});
-