import { describe, expect, it } from "vitest"

import { hasPermission, normalizeRole, permissionMatrix } from "./rbac"

describe("rbac model", () => {
  it("normalizes valid roles", () => {
    expect(normalizeRole("ADMIN")).toBe("admin")
    expect(normalizeRole("manager")).toBe("manager")
    expect(normalizeRole("unknown")).toBeNull()
  })

  it("grants admin full access", () => {
    expect(hasPermission("admin", "users:manage_roles", "global")).toBe(true)
    expect(hasPermission("admin", "news:publish", "global")).toBe(true)
  })

  it("enforces scope hierarchy", () => {
    expect(hasPermission("editor", "news:write", "team")).toBe(true)
    expect(hasPermission("editor", "news:write", "global")).toBe(false)
    expect(hasPermission("editor", "news:publish", "own")).toBe(true)
  })

  it("keeps matrix explicit for non-admin roles", () => {
    expect(permissionMatrix.editor.length).toBeGreaterThan(0)
    expect(permissionMatrix.manager.length).toBeGreaterThan(0)
  })
})