import test from 'node:test';
import assert from 'node:assert/strict';

import { can } from '../src/services/policy.js';

// Authorization regression tests for can() from the policy service.
//
// Every call below passes four positional arguments: an action string
// (e.g. 'orders.create'), a second string that looks like the resource type,
// an actor object carrying `uid` and `policyContext`, and a request-like
// object whose `body` holds the tenant/business ids the caller supplied.
// The tests pin the boolean decision for client-scoped, staff-scoped and
// tenant-scoped actors.
//
// NOTE(review): every case uses a body.tenantId equal to the actor's
// tenantId, so cross-tenant denial is not exercised in this file. Confirm
// the expected result against policy.js and add a case for it.

const USER_ID = 'user-1';
const TENANT_ID = 'tenant-1';

/**
 * Builds a fresh actor for one can() call.
 *
 * A new object is created on every call so that no state is shared between
 * the "allowed" and "denied" evaluations.
 *
 * @param {object} tenant - Value stored at policyContext.tenant.
 * @param {object} [scope] - Extra policyContext entries (`business` or
 *   `staff`), appended after `user` and `tenant`.
 * @returns {object} Actor with `uid` and `policyContext`.
 */
function buildActor(tenant, scope = {}) {
  return {
    uid: USER_ID,
    policyContext: {
      user: { userId: USER_ID },
      tenant,
      ...scope,
    },
  };
}

/**
 * Builds a fresh request-like object whose body targets TENANT_ID.
 *
 * @param {object} [extra] - Additional body fields, e.g. `businessId`.
 * @returns {object} Object with a `body` property.
 */
function buildRequest(extra = {}) {
  return { body: { tenantId: TENANT_ID, ...extra } };
}

test('client actions require business scope and matching business id', async () => {
  // Same actor shape for both calls; only the businessId in the request body
  // differs, so the second result isolates the business-id comparison.
  const managerOfBusinessOne = () =>
    buildActor(
      { tenantId: TENANT_ID, role: 'MANAGER' },
      { business: { businessId: 'business-1' } }
    );

  const ownBusiness = await can(
    'orders.create',
    'order',
    managerOfBusinessOne(),
    buildRequest({ businessId: 'business-1' })
  );
  const foreignBusiness = await can(
    'orders.create',
    'order',
    managerOfBusinessOne(),
    buildRequest({ businessId: 'business-2' })
  );

  assert.equal(ownBusiness, true);
  // A businessId in the body that differs from the actor's business scope
  // must be refused, even inside the same tenant.
  assert.equal(foreignBusiness, false);
});

test('staff actions require staff scope', async () => {
  const tenant = () => ({ tenantId: TENANT_ID });

  const withStaffScope = await can(
    'shifts.accept',
    'shift',
    buildActor(tenant(), {
      staff: { staffId: 'staff-1', workforceId: 'workforce-1' },
    }),
    buildRequest()
  );
  // Same tenant, but the actor only holds a business scope: a client-side
  // identity must not be able to perform a staff action.
  const withBusinessScopeOnly = await can(
    'shifts.accept',
    'shift',
    buildActor(tenant(), { business: { businessId: 'business-1' } }),
    buildRequest()
  );

  assert.equal(withStaffScope, true);
  assert.equal(withBusinessScopeOnly, false);
});

test('notifications.device.write allows tenant-scoped actor', async () => {
  // NOTE(review): only the positive path is pinned here; there is no case
  // for an actor without a tenant in policyContext. Confirm the expected
  // decision against policy.js and add a case for it.
  const tenantOnly = await can(
    'notifications.device.write',
    'device',
    buildActor({ tenantId: TENANT_ID }),
    buildRequest()
  );

  assert.equal(tenantOnly, true);
});