fix(authz): tighten policy scope enforcement

backend/core-api/test/policy.test.js

@@ -0,0 +1,33 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { can } from '../src/services/policy.js';
+
+test('core actions require tenant scope', async () => {
+  const allowed = await can(
+    'core.verification.read',
+    'verification',
+    {
+      uid: 'user-1',
+      policyContext: {
+        user: { userId: 'user-1' },
+        tenant: { tenantId: 'tenant-1' },
+      },
+    },
+    {}
+  );
+
+  const denied = await can(
+    'core.verification.read',
+    'verification',
+    {
+      uid: 'user-1',
+      policyContext: {
+        user: { userId: 'user-1' },
+      },
+    },
+    {}
+  );
+
+  assert.equal(allowed, true);
+  assert.equal(denied, false);
+});