Dev 권한/테넌트 격리 회귀 테스트 보강

backend/internal/handler/dev_handler_test.go

@@ -227,3 +227,25 @@ func TestListAuditLogs_FilterByActionAndClientID(t *testing.T) {
 	assert.Equal(t, "evt-1", res.Items[0].EventID)
 	assert.Equal(t, "success", res.Items[0].Status)
 }
+
+func TestListAuditLogs_NonAdminKetoErrorReturnsForbidden(t *testing.T) {
+	mockKeto := new(MockKetoService)
+	mockKeto.On("CheckPermission", mock.Anything, "user-1", "System", "AppManager", "member").Return(false, assert.AnError)
+
+	h := &DevHandler{
+		AuditRepo: &mockAuditRepo{},
+		Keto:      mockKeto,
+	}
+	app := fiber.New()
+	app.Use(func(c *fiber.Ctx) error {
+		c.Locals("user_profile", &domain.UserProfileResponse{ID: "user-1", Role: domain.RoleUser})
+		return c.Next()
+	})
+	app.Get("/api/v1/dev/audit-logs", h.ListAuditLogs)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/audit-logs?limit=50", nil)
+	resp, _ := app.Test(req, -1)
+
+	assert.Equal(t, http.StatusForbidden, resp.StatusCode)
+	mockKeto.AssertExpectations(t)
+}