RBAC subsystem: pyright type errors and missing test coverage #552

@swinney

Description

Summary

The RBAC subsystem (src/utils/rbac/) has 3 pre-existing pyright type errors and zero unit test coverage. These type issues represent potential runtime edge cases, and the lack of tests means regressions can slip through undetected.

Type Errors

1. registry.py:148 - Set[str] = None default

def _resolve_permissions(self, role_name: str, visited: Set[str] = None) -> Set[str]:

None is not assignable to Set[str]. Should be Optional[Set[str]] = None.

2. jwt_parser.py:158 - List[str] = None default

def assign_default_role(user_email: str, original_roles: List[str] = None) -> List[str]:

None is not assignable to List[str]. Should be Optional[List[str]] = None.

3. decorators.py — 8 call sites pass Optional[str] to str parameter

All 8 calls to log_permission_check() pass request.endpoint (type str | None) to the endpoint parameter (type str):

  • Lines: 71, 121, 153, 187, 219, 252, 284, 319
  • Fix: request.endpoint or '<unknown>' at each call site

Missing Test Coverage

The following RBAC modules have no unit tests:

  • registry.py - RBACRegistry permission resolution, inheritance chains, config validation, role filtering
  • permissions.py - has_permission(), is_admin(), is_expert() utility functions
  • audit.py - log_permission_check(), log_role_assignment(), log_authentication_event() log levels and format
  • jwt_parser.py - extract_roles_from_token() with various token structures, get_user_roles() default fallback
  • decorators.py - @require_permission, @require_any_permission, @check_sso_required HTTP status codes

Impact

  • Type errors are pre-existing on dev (not introduced by any feature branch)
  • request.endpoint can be None in edge cases (e.g., 404 handlers, error handlers), which would pass None to log_permission_check — currently harmless since it's logged as a string, but violates the function's type contract
  • No test coverage means any refactor or feature addition to RBAC could silently break permission checks
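Added illustration (not the project's code): a hypothetical stand-in for the registry's recursive permission resolver showing the Optional[Set[str]] fix, why a fresh visited set per call matters for inheritance chains and cycles, and the request.endpoint or '<unknown>' normalisation; the ROLES table and function names are constructed for this example.

```python
from typing import Dict, List, Optional, Set

# Constructed role table: each role has its own permissions plus parent roles.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "viewer": {"permissions": ["read"], "inherits": []},
    "editor": {"permissions": ["write"], "inherits": ["viewer"]},
    "admin": {"permissions": ["manage_users"], "inherits": ["editor"]},
    # Deliberate inheritance cycle to show what the visited set protects against.
    "cycle_a": {"permissions": ["a"], "inherits": ["cycle_b"]},
    "cycle_b": {"permissions": ["b"], "inherits": ["cycle_a"]},
}


def resolve_permissions(role_name: str, visited: Optional[Set[str]] = None) -> Set[str]:
    """Return the transitive closure of a role's permissions.

    `visited` is Optional so the None default satisfies pyright. A fresh set is
    created per top-level call; a mutable default (visited=set()) would leak
    state between calls and silently drop permissions on later lookups.
    """
    if visited is None:
        visited = set()
    if role_name in visited:
        return set()  # cycle or diamond in the inheritance graph: already counted
    visited.add(role_name)
    role = ROLES.get(role_name)
    if role is None:
        return set()  # unknown role grants nothing (fail closed)
    perms = set(role["permissions"])
    for parent in role["inherits"]:
        perms |= resolve_permissions(parent, visited)
    return perms


def endpoint_label(endpoint: Optional[str]) -> str:
    """Normalise a possibly-None endpoint for a str-typed audit log parameter."""
    return endpoint or "<unknown>"
```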
