feat(rbac): enforce admin access checks and document permission model

packages/content/src/rbac.test.ts

@@ -0,0 +1,27 @@
+import { describe, expect, it } from "vitest"
+
+import { hasPermission, normalizeRole, permissionMatrix } from "./rbac"
+
+describe("rbac model", () => {
+  it("normalizes valid roles", () => {
+    expect(normalizeRole("ADMIN")).toBe("admin")
+    expect(normalizeRole("manager")).toBe("manager")
+    expect(normalizeRole("unknown")).toBeNull()
+  })
+
+  it("grants admin full access", () => {
+    expect(hasPermission("admin", "users:manage_roles", "global")).toBe(true)
+    expect(hasPermission("admin", "news:publish", "global")).toBe(true)
+  })
+
+  it("enforces scope hierarchy", () => {
+    expect(hasPermission("editor", "news:write", "team")).toBe(true)
+    expect(hasPermission("editor", "news:write", "global")).toBe(false)
+    expect(hasPermission("editor", "news:publish", "own")).toBe(true)
+  })
+
+  it("keeps matrix explicit for non-admin roles", () => {
+    expect(permissionMatrix.editor.length).toBeGreaterThan(0)
+    expect(permissionMatrix.manager.length).toBeGreaterThan(0)
+  })
+})