import test from 'node:test';
import assert from 'node:assert/strict';

import { can } from '../src/services/policy.js';

/**
 * Authorization regression test for the tenant-scope requirement on core actions.
 *
 * The same user asks for the same action on the same resource twice. The only
 * difference between the two requests is whether `policyContext` carries a
 * `tenant` entry, so a failure here points at tenant scoping and nothing else.
 * The request without a tenant must be denied: the policy check is expected to
 * fail closed when the tenant scope is missing.
 */
test('core actions require tenant scope', async () => {
  const action = 'core.verification.read';
  const resource = 'verification';
  const userId = 'user-1';

  // Principal whose policy context names both the user and a tenant.
  const scopedPrincipal = {
    uid: userId,
    policyContext: {
      user: { userId },
      tenant: { tenantId: 'tenant-1' },
    },
  };

  // Identical principal, except that the `tenant` entry is left out entirely.
  const unscopedPrincipal = {
    uid: userId,
    policyContext: {
      user: { userId },
    },
  };

  // The fourth argument is an empty object in both calls; what can() reads from
  // it is defined in policy.js and is not visible from this test.
  const withTenant = await can(action, resource, scopedPrincipal, {});
  const withoutTenant = await can(action, resource, unscopedPrincipal, {});

  assert.equal(withTenant, true);
  // Strict assert: the denial has to be the boolean `false`, not merely a falsy
  // value such as `undefined`, so an accidental "no decision" result is caught.
  assert.equal(withoutTenant, false);

  // NOTE(review): only the "tenant key absent" case is pinned here. A tenant
  // entry that is present but unusable (tenant: null, tenant: {}, or an empty
  // tenantId) is not covered; confirm against policy.js that those are denied
  // as well and add one assertion per case.
});