
[TESTING][RBAC]: Add unit tests for RBAC Tier 1/2/3 team derivation and session token permission paths #2769

@crivetimihai


Summary

The RBAC middleware (mcpgateway/middleware/rbac.py) introduced multi-team session token support with a tiered team derivation system (Tiers 1/2/3) as part of the JWT cookie size fix (#2757). While the implementation is functional and production-tested, it lacks dedicated unit tests for these new code paths. This creates regression risk for privilege-escalation bugs.

What Needs Tests

1. _derive_team_from_resource() — Tier 1 (resource lookup)

  • Given a tool_id kwarg and a DB tool with team_id="team-A", returns "team-A"
  • Given a server_id kwarg with no matching DB record, returns None
  • Given no resource ID params in kwargs, returns None
  • Handles DB exceptions gracefully (returns None)

2. _derive_team_from_payload() — Tier 3 (create payload)

  • Given a Pydantic gateway object with team_id="team-B", returns "team-B"
  • Given a request with Content-Type: application/x-www-form-urlencoded and team_id field, returns the form value
  • Given no payload or form data, returns None

3. _is_mutate_permission() — mutate detection

  • Dot-separated: tools.create → True, tools.read → False
  • Colon-separated: admin.sso_providers:create → True, logs:read → False
  • Non-standard mutating actions: tokens.revoke → True, teams.manage_members → True, teams.join → True
  • Edge cases: empty string → False, single word → False

4. require_permission() with session tokens — Tier 2 (any-team read)

  • Session token + read permission + no resource context → check_any_team=True
  • Session token + mutate permission + no resource context → check_any_team=False (fail closed)
  • Session token + resource in kwargs → team derived from resource (Tier 1)
  • API token (non-session) → no team derivation, uses embedded team_id

5. require_any_permission() with session tokens

  • Session token + mixed read/mutate permissions → check_any_team=True (any non-mutate triggers it)
  • Session token + all-mutate permissions → check_any_team=False
  • check_any_team passed through to permission_service.check_permission()

6. __anyteam__ cache isolation

  • Verify that check_any_team=True uses a distinct cache key to avoid cache poisoning between team-scoped and any-team permission checks

Affected Files

  • mcpgateway/middleware/rbac.py — functions under test
  • tests/unit/mcpgateway/middleware/test_rbac.py — test file to extend

Effort Estimate

  • ~20 test cases across 6 test groups
  • Moderate mocking required (DB session, PermissionService, request objects)
  • Existing test_rbac.py has patterns to follow
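Added example, not code from the issue or from mcpgateway: a small reference model of the rules listed above, so the expected behaviour of mutate detection, the Tier 1/2/3 team derivation and the any-team cache isolation can be pinned down as executable assertions before the real tests are written against mcpgateway/middleware/rbac.py. Everything here is an assumption for illustration: the function and class names (is_mutate_permission, derive_team_from_payload, resolve_team_scope, cache_key, PermissionCheck), the READ_ACTIONS set, evaluation strictly in tier order (1, then 2, then 3), and the cache-key layout. The sample payload object and form data are constructed inline.

```python
"""Reference model of the session-token RBAC rules listed in this issue.

Written for this example, not taken from mcpgateway. Assumed, not from the
issue: the READ_ACTIONS set, the cache-key layout, evaluation in tier order
(1, then 2, then 3), and every function/class name below.
"""
from dataclasses import dataclass
from typing import Any, Mapping, Optional, Sequence

# Assumed read-only action names. Any other action after the separator is
# treated as mutating, so an unrecognised verb fails closed.
READ_ACTIONS = frozenset({"read", "list", "get", "view"})

# Sentinel that keeps any-team cache entries apart from team-scoped ones.
ANY_TEAM_SENTINEL = "__anyteam__"


def is_mutate_permission(permission: str) -> bool:
    """True when the action part of "resource.action" / "resource:action" mutates.

    Strings with no separator (empty string, single word) carry no action and
    are reported as non-mutating, matching the edge cases in the issue.
    """
    if ":" in permission:
        action = permission.rsplit(":", 1)[1]
    elif "." in permission:
        action = permission.rsplit(".", 1)[1]
    else:
        return False
    return bool(action) and action not in READ_ACTIONS


def derive_team_from_payload(kwargs: Mapping[str, Any], form: Optional[Mapping[str, str]]) -> Optional[str]:
    """Tier 3: team_id from a Pydantic-style create payload, else from form data."""
    for value in kwargs.values():
        team_id = getattr(value, "team_id", None)
        if team_id:
            return team_id
    if form is not None:
        return form.get("team_id") or None
    return None


@dataclass(frozen=True)
class PermissionCheck:
    """What would be handed to permission_service.check_permission()."""
    permissions: tuple
    team_id: Optional[str]
    check_any_team: bool


def resolve_team_scope(
    permissions: Sequence[str],
    *,
    is_session_token: bool,
    token_team_id: Optional[str],
    resource_team_id: Optional[str],
    payload_team_id: Optional[str],
) -> PermissionCheck:
    """Decide the team scope for a permission check.

    API (non-session) tokens skip derivation and use their embedded team_id.
    Session tokens: Tier 1 uses the team of a referenced resource; Tier 2 allows
    an any-team check only if at least one permission is non-mutating; Tier 3
    falls back to a team_id carried in a create payload. All-mutate requests
    with no resource and no payload team end up with no team and
    check_any_team=False, i.e. they fail closed.
    """
    perms = tuple(permissions)
    if not is_session_token:
        return PermissionCheck(perms, token_team_id, False)
    if resource_team_id is not None:                                  # Tier 1
        return PermissionCheck(perms, resource_team_id, False)
    if any(not is_mutate_permission(p) for p in perms):               # Tier 2
        return PermissionCheck(perms, None, True)
    return PermissionCheck(perms, payload_team_id, False)             # Tier 3


def cache_key(user_email: str, permission: str, team_id: Optional[str], check_any_team: bool) -> str:
    """Cache key for a permission decision.

    Any-team checks get their own sentinel in the scope slot, so a cached
    any-team allow can never be served to a team-scoped check, or vice versa.
    """
    scope = ANY_TEAM_SENTINEL if check_any_team else (team_id or "")
    return f"{user_email}|{permission}|{scope}"


class GatewayPayload:
    """Constructed stand-in for a Pydantic create body carrying a team_id."""

    def __init__(self, team_id: str) -> None:
        self.team_id = team_id


if __name__ == "__main__":
    print(is_mutate_permission("admin.sso_providers:create"), is_mutate_permission("logs:read"))
    print(resolve_team_scope(["tools.read"], is_session_token=True, token_team_id=None,
                             resource_team_id=None, payload_team_id=None))
    print(cache_key("alice@example.com", "tools.read", "team-A", False))
    print(cache_key("alice@example.com", "tools.read", "team-A", True))
```

The model deliberately classifies by exclusion (anything that is not a known read verb is a mutation) so that a new, unlisted action can only make a session token stricter, never looser; if the real middleware uses an explicit allow-list of mutating verbs instead, the tests for tokens.revoke, teams.manage_members and teams.join are exactly the cases that catch an omission.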

Labels

  • SHOULD: P2, important but not vital; high-value items that are not crucial for the immediate release
  • python: Python / backend development (FastAPI)
  • rbac: Role-based Access Control
  • ready: Validated, ready-to-work-on items
  • security: Improves security
  • testing: Testing (unit, e2e, manual, automated, etc)
