test(auth): add User policies test suite

31 tests covering all 4 permission sets and bypass scenarios
Update HasPermission tests to expect false for scope :own without record

test/mv/authorization/checks/has_permission_test.exs

@@ -76,8 +76,10 @@ defmodule Mv.Authorization.Checks.HasPermissionTest do
 
       {:ok, result} = HasPermission.strict_check(own_data_user, authorizer, [])
 
-      # Should return :unknown for :own scope (needs filter)
-      assert result == :unknown
+      # Should return false for :own scope without record
+      # This prevents bypassing expr-based filters in bypass policies
+      # The actual filtering is done via bypass policies with expr(id == ^actor(:id))
+      assert result == false
     end
   end
 
@@ -104,14 +106,16 @@ defmodule Mv.Authorization.Checks.HasPermissionTest do
   end
 
   describe "strict_check/3 - Scope :own" do
-    test "actor with scope :own returns :unknown (needs filter)" do
+    test "actor with scope :own returns false (needs bypass policy with expr filter)" do
       user = create_actor("user-123", "own_data")
       authorizer = create_authorizer(Mv.Accounts.User, :read)
 
       {:ok, result} = HasPermission.strict_check(user, authorizer, [])
 
-      # Should return :unknown for :own scope (needs filter via auto_filter)
-      assert result == :unknown
+      # Should return false for :own scope without record
+      # This prevents bypassing expr-based filters in bypass policies
+      # The actual filtering is done via bypass policies with expr(id == ^actor(:id))
+      assert result == false
     end
   end