RBAC Permission Reconciliation

[Connorbelez]

Summary by Sourcery

Introduce a canonical RBAC permission catalog and align role/permission metadata, runtime authorization, and tests with it, tightening onboarding and payments access control.

New Features:

• Add a shared permission catalog module that centralizes permission metadata, role mappings, and helper functions for permission checks.
• Expose canonical RBAC metadata to UI components for consistent permission and domain display.
• Add new test endpoints to exercise payment and onboarding management permission chains.

Bug Fixes:

• Ensure onboarding role requests and self-service onboarding queries require explicit onboarding access rather than just authentication.
• Tighten document and underwriting resource checks to use the canonical permission grant helpers and correct permission slugs for sensitive access and review flows.
• Correct mortgage transition and obligation payment flows to rely on the intended service and payment management permissions.
• Restrict payment and cash ledger mutations, actions, and webhooks to admin-scoped auth chains instead of generic authenticated access.
• Fix audit and onboarding demo pages to respect FairLend staff admin constraints alongside permission checks.
• Prevent admin-access inference in frontend permission checks by delegating to shared grant helpers instead of local shortcuts.

Enhancements:

• Refactor existing role-permission fixtures and permission display metadata to derive from the canonical catalog, eliminating duplication and drift.
• Add automated drift tests that scan runtime code for permission literals and enforce alignment with the canonical catalog and WorkOS-exported permissions.
• Extend RBAC demo UI to use shared permission helpers and improve rule editor UX with clearer busy-state button icons.
• Align viewer permission middleware with canonical grant helpers, removing bespoke admin-access shortcuts.
• Update domain labels and colors to cover new cash ledger permissions and domains.

Documentation:

• Add a detailed implementation plan documenting RBAC permission reconciliation, catalog architecture, and operational rollout steps.

Tests:

• Expand auth chain tests to cover new payment management, retry, cancel, webhook, and onboarding management permission gates.
• Extend onboarding auth integration tests to verify onboarding access requirements for role requests and self-service queries.
• Add catalog sync tests that detect runtime permission literals missing from the canonical permission catalog or WorkOS export set.
• Adjust permission metadata sync tests to treat all catalog entries as assigned or intentionally orphan-free.

[Connorbelez]

• eng-279 #395
• RBAC Permission Reconciliation #394 👈 (View in Graphite)
• test: fix harness failures and update manifest #393 : 1 other dependent PR (#396 )
• provider managed payment schedule #392
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[sourcery-ai]

Sorry @Connorbelez, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[sourcery-ai]

Reviewer's Guide

Centralizes RBAC permissions into a canonical catalog, updates auth helpers and middleware to respect an admin superuser grant, tightens onboarding and payments authorization, and wires UI/tests to consume the new catalog while keeping permission metadata and role matrices in sync.

Sequence diagram for permission check with superuser override

sequenceDiagram
    actor User
    participant ClientFunction
    participant ConvexMiddleware as requirePermission
    participant PermissionCatalog as hasPermissionGrant
    participant Handler

    User->>ClientFunction: Invoke protected API
    ClientFunction->>ConvexMiddleware: Call with viewer + requiredPermission
    ConvexMiddleware->>PermissionCatalog: hasPermissionGrant(viewer.permissions, requiredPermission)
    alt viewer has SUPERUSER_PERMISSION
        PermissionCatalog-->>ConvexMiddleware: true (superuser)
    else viewer has requiredPermission directly
        PermissionCatalog-->>ConvexMiddleware: true
    else no matching grant
        PermissionCatalog-->>ConvexMiddleware: false
        ConvexMiddleware->>ConvexMiddleware: auditAuthFailure
        ConvexMiddleware-->>ClientFunction: throw permission error
        ClientFunction-->>User: Show authorization error
    end
    ConvexMiddleware-->>Handler: next() when true
    Handler-->>ClientFunction: business result
    ClientFunction-->>User: Render success response

Loading

Updated class diagram for RBAC permission catalog

classDiagram
    class PermissionDisplayMeta {
      +string name
      +string description
      +string domain
    }

    class PermissionCatalogEntry {
      +string name
      +string description
      +string domain
      +boolean workos
      +boolean grantsAllPermissions
    }

    class PermissionCatalogModule {
      <<module>>
      +SUPERUSER_PERMISSION : string
      +PERMISSION_DISPLAY_METADATA : Record~PermissionSlug, PermissionDisplayMeta~
      +ROLE_PERMISSIONS : Record~RoleSlug, PermissionSlug[]~
      +ALL_PERMISSION_SLUGS : PermissionSlug[]
      +PERMISSION_CATALOG : Record~PermissionSlug, PermissionCatalogEntry~
      +WORKOS_PERMISSION_SLUGS : PermissionSlug[]
      +hasPermissionGrant(permissions, permission) boolean
      +hasAnyPermissionGrant(permissions, requiredPermissions) boolean
      +lookupPermissions(roles) string[]
    }

    class RolePermissionsConsumer {
      <<interface>>
      +roles : string[]
      +permissions : string[]
    }

    class Viewer {
      +string? id
      +Set~string~ roles
      +Set~string~ permissions
    }

    class AuthLib {
      <<module>>
      +ISLAND_PERMISSIONS : object
      +hasPermission(permissions, permission) boolean
      +hasAnyPermission(permissions, requiredPermissions) boolean
      +isFairLendStaffAdmin(context) boolean
    }

    class FluentMiddleware {
      <<module>>
      +requirePermission(permission) middleware
      +requirePermissionAction(permission) middleware
    }

    class ResourceChecks {
      <<module>>
      +canAccessDocument(ctx, viewer, doc) Promise~boolean~
      +canAccessApplicationPackage(ctx, viewer, pkg) Promise~boolean~
    }

    class UIDisplayMetadata {
      <<module>>
      +PERMISSION_DISPLAY_METADATA : Record~string, PermissionDisplayMeta~
      +PERMISSION_DOMAINS : Record~string, string[]~
      +DOMAIN_LABELS : Record~string, string~
      +DOMAIN_COLORS : Record~string, object~
      +ROLE_DISPLAY_METADATA : Record~string, object~
    }

    class UseCanDoHook {
      <<hook>>
      +useCanDo(permission) boolean
    }

    PermissionCatalogModule "1" o-- "*" PermissionCatalogEntry : builds
    PermissionCatalogModule "1" o-- "*" PermissionDisplayMeta : uses

    AuthLib ..> PermissionCatalogModule : imports hasPermissionGrant
    FluentMiddleware ..> PermissionCatalogModule : imports hasPermissionGrant
    ResourceChecks ..> PermissionCatalogModule : imports hasPermissionGrant
    UIDisplayMetadata ..> PermissionCatalogModule : imports PERMISSION_DISPLAY_METADATA
    UseCanDoHook ..> AuthLib : calls hasPermission

    Viewer ..|> RolePermissionsConsumer
    AuthLib ..> Viewer : reads permissions
    FluentMiddleware ..> Viewer : checks permissions

Loading

Flow diagram for canonical RBAC catalog consumers

flowchart LR
    catalog["permissionCatalog.ts\n(PERMISSION_CATALOG, ROLE_PERMISSIONS, helpers)"]

    fluent["convex/fluent.ts\n(requirePermission, requirePermissionAction)"]
    authLib["src/lib/auth.ts\n(hasPermission, hasAnyPermission)"]
    resourceChecks["convex/auth/resourceChecks.ts\n(canAccessDocument, canAccessApplicationPackage)"]
    engine["convex/engine/commands.ts\n(transitionMortgage, confirmObligationPayment)"]
    onboarding["convex/onboarding/*\n(requestRole, queries)"]

    uiDemo["demo RBAC pages\n(access-control, audit, onboarding)"]
    useCanDo["src/hooks/use-can-do.ts\n(useCanDo)"]

    tests["auth tests\n(role-chains, catalog-sync, metadata-sync)"]
    metadata["src/lib/rbac-display-metadata.ts\n(PERMISSION_DISPLAY_METADATA, domains)"]

    catalog --> fluent
    catalog --> authLib
    catalog --> resourceChecks
    catalog --> engine
    catalog --> onboarding

    authLib --> uiDemo
    authLib --> useCanDo

    catalog --> metadata
    catalog --> tests
    metadata --> uiDemo
    fluent --> tests

Loading

File-Level Changes

Change	Details	Files
Introduce a canonical RBAC permission catalog and wire metadata/consumers to it.	Add convex/auth/permissionCatalog.ts defining permission metadata, role-to-permission assignments, WorkOS-export info, superuser semantics, and helper functions like hasPermissionGrant/lookupPermissions. Export PERMISSION_DISPLAY_METADATA and PermissionDisplayMeta from the catalog and re-export them in src/lib/rbac-display-metadata.ts, replacing the local permission metadata definition. Expose ROLE_PERMISSIONS and lookupPermissions/RoleSlug from the catalog in src/test/auth/permissions.ts instead of maintaining a separate role matrix.	convex/auth/permissionCatalog.ts src/lib/rbac-display-metadata.ts src/test/auth/permissions.ts
Add automated drift checks ensuring runtime gates and WorkOS permissions stay aligned with the catalog.	Introduce src/test/auth/permissions/catalog-sync.test.ts to scan runtime code for requirePermission/guardPermission calls and assert all referenced slugs exist in the canonical catalog. Tighten permission-metadata sync tests by clearing the KNOWN_ORPHANS map so any unassigned permission becomes a test failure.	src/test/auth/permissions/catalog-sync.test.ts src/test/auth/permissions/permission-metadata-sync.test.ts
Align backend middleware and resource checks with catalog-based permission helpers and refine superuser semantics.	Remove the local viewerHasPermission helper and ADMIN_ACCESS_PERMISSION constant from convex/fluent.ts and switch requirePermission/requirePermissionAction to use hasPermissionGrant from the catalog (which encodes admin:access as a superuser grant). Update convex/auth/resourceChecks.ts to use hasPermissionGrant for document and underwriting checks, and change sensitive document access to depend on document:review instead of a documents:sensitive_access orphan permission.	convex/fluent.ts convex/auth/resourceChecks.ts
Harden onboarding authorization by requiring explicit onboarding permissions on read/write paths and updating tests accordingly.	Require onboarding:access for onboarding.requestRole and onboarding.getMyOnboardingRequest, and tighten listPendingRequests/getRequestHistory to use onboarding:manage instead of onboarding:review. Extend onboarding auth integration tests to cover the new onboarding:access requirement and ensure underwriters lacking that permission are rejected. Add an onboardingManageQuery test endpoint and corresponding chain test entry to assert that only FAIRLEND_ADMIN can hit onboarding:manage surfaces.	convex/onboarding/mutations.ts convex/onboarding/queries.ts src/test/auth/integration/onboarding-auth.test.ts convex/test/authTestEndpoints.ts src/test/auth/chains/role-chains.test.ts
Tighten payments and cash-ledger authorization by promoting certain operations to admin-only and cataloging their permissions.	Change cashLedgerMutation, paymentMutation, paymentRetryMutation, paymentCancelMutation, and paymentWebhookMutation from authed* to admin* variants while still requiring the corresponding payment/cash_ledger permissions. Add test endpoints and role-chain tests for payment:manage, payment:retry, payment:cancel, and payment:webhook_process to assert they are only accessible to FAIRLEND_ADMIN. Ensure admin ROLE_PERMISSIONS in the catalog includes the new payment:* and cash_ledger:* permissions so tests and enforcement are consistent.	convex/fluent.ts convex/test/authTestEndpoints.ts src/test/auth/chains/role-chains.test.ts convex/auth/permissionCatalog.ts src/test/auth/permissions.ts
Standardize frontend permission checks on the shared helpers and tighten UI gating for audit/onboarding surfaces.	Update src/lib/auth.ts hasPermission/hasAnyPermission to delegate to hasPermissionGrant/hasAnyPermissionGrant so admin:access overrides UI checks consistently with backend middleware. Switch the RBAC demo access-control page and use-can-do hook to use hasPermission rather than direct array includes, so superuser semantics apply in the client. Tighten demo audit and onboarding pages to require FairLend staff admin plus the specific platform/onboarding permission before showing controls.	src/lib/auth.ts src/routes/demo/rbac-auth/access-control.tsx src/routes/demo/rbac-auth/audit.tsx src/routes/demo/rbac-auth/onboarding.tsx src/hooks/use-can-do.ts
Miscellaneous UX and typing polish related to RBAC and payments.	Refactor the RuleEditorDialog submit button icon selection into a local variable for readability and to ensure the busy state takes precedence. Broaden the persisted transfer status type to include a string literal 'completed' in addition to TransferStatus. Wire the generated Convex API typings to include the new auth/permissionCatalog module. Downgrade @fast-check/vitest to 0.2.3 to match current test harness expectations.	src/components/demo/amps/dialogs.tsx convex/payments/transfers/types.ts convex/_generated/api.d.ts package.json
Add design and implementation documentation for the RBAC reconciliation effort.	Introduce a long-form plan document under docs/superpowers/plans/2026-04-11-rbac-permission-reconciliation.md describing the target RBAC model, drift analysis, and step-by-step implementation tasks.	docs/superpowers/plans/2026-04-11-rbac-permission-reconciliation.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Warning

Rate limit exceeded

@Connorbelez has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 40 minutes and 30 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 40 minutes and 30 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f997b599-f1d3-4b38-bf0b-060eed1e7e78

📥 Commits

Reviewing files that changed from the base of the PR and between 4ea5880 and 11eb30c.

⛔ Files ignored due to path filters (2)

• bun.lock is excluded by !**/*.lock
• convex/_generated/api.d.ts is excluded by !**/_generated/**

📒 Files selected for processing (25)

• convex/auth/__tests__/resourceChecks.test.ts
• convex/auth/permissionCatalog.ts
• convex/auth/resourceChecks.ts
• convex/engine/commands.ts
• convex/fluent.ts
• convex/onboarding/mutations.ts
• convex/onboarding/queries.ts
• convex/payments/transfers/types.ts
• convex/test/authTestEndpoints.ts
• docs/superpowers/plans/2026-04-11-rbac-permission-reconciliation.md
• package.json
• src/components/demo/amps/dialogs.tsx
• src/hooks/use-can-do.ts
• src/lib/auth.ts
• src/lib/rbac-display-metadata.ts
• src/routes/demo/rbac-auth/access-control.tsx
• src/routes/demo/rbac-auth/audit.tsx
• src/routes/demo/rbac-auth/onboarding.tsx
• src/test/auth/chains/role-chains.test.ts
• src/test/auth/integration/onboarding-auth.test.ts
• src/test/auth/middleware/requirePermission.test.ts
• src/test/auth/permissions.ts
• src/test/auth/permissions/catalog-sync.test.ts
• src/test/auth/permissions/permission-metadata-sync.test.ts
• src/test/auth/permissions/workos-permissions.snapshot.json

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch rbac-permission-reconciliation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Introduces a canonical RBAC permission catalog and refactors backend authorization, frontend permission helpers, and tests to derive from it, with tighter gating around onboarding and payments.

Changes:

• Add convex/auth/permissionCatalog.ts as the single source of truth for permission slugs, display metadata, role mappings, and grant helper functions (incl. admin:access superuser behavior).
• Refactor backend permission enforcement (Convex fluent chains + onboarding + engine commands) and frontend permission checks to use catalog-backed helpers.
• Add/expand drift + integration tests to catch permission literal drift and validate new onboarding/payment auth chains.

Reviewed changes

Copilot reviewed 23 out of 25 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/test/auth/permissions/permission-metadata-sync.test.ts	Removes known-orphan allowance to enforce full metadata↔role alignment.
src/test/auth/permissions/catalog-sync.test.ts	Adds drift test scanning runtime for permission literals and comparing to catalog.
src/test/auth/permissions.ts	Switches test role-permission fixtures to import from canonical catalog.
src/test/auth/middleware/requirePermission.test.ts	Updates middleware tests for admin:access wildcard behavior.
src/test/auth/integration/onboarding-auth.test.ts	Adds onboarding onboarding:access enforcement coverage for queries/mutations.
src/test/auth/chains/role-chains.test.ts	Adds chain tests for payment mutations/webhooks and onboarding manage query.
src/routes/demo/rbac-auth/onboarding.tsx	Uses shared permission helper + staff-admin gate for review UI.
src/routes/demo/rbac-auth/audit.tsx	Uses shared permission helper + staff-admin gate for audit UI.
src/routes/demo/rbac-auth/access-control.tsx	Uses shared hasPermission helper rather than local Set logic.
src/lib/rbac-display-metadata.ts	Derives permission display metadata from canonical catalog; updates domain labels/colors.
src/lib/auth.ts	Replaces local wildcard logic with canonical grant helpers.
src/hooks/use-can-do.ts	Uses shared hasPermission helper for client-side permission checks.
src/components/demo/amps/dialogs.tsx	Refactors rule editor submit button icon logic for clearer busy/create/update states.
package.json	Adjusts @fast-check/vitest dev dependency version.
docs/superpowers/plans/2026-04-11-rbac-permission-reconciliation.md	Adds detailed implementation/rollout plan and drift matrix documentation.
convex/test/authTestEndpoints.ts	Adds new test endpoints for payment and onboarding permission chains.
convex/payments/transfers/types.ts	Extends transfer status typing for legacy "completed" handling.
convex/onboarding/queries.ts	Tightens onboarding admin queries to require onboarding:manage; adds onboarding:access to self-service query.
convex/onboarding/mutations.ts	Requires onboarding:access for role requests.
convex/fluent.ts	Centralizes permission grant checks and tightens payment/cash-ledger chains to admin-scoped chains.
convex/engine/commands.ts	Reconciles command permissions (mortgage transition + obligation payment confirm).
convex/auth/resourceChecks.ts	Uses catalog grant helper and updates sensitive document permission check.
convex/auth/permissionCatalog.ts	Adds canonical permission catalog, role mappings, and grant helper utilities.
convex/_generated/api.d.ts	Updates generated API types to include new permission catalog module.
bun.lock	Locks dependency version change for @fast-check/vitest.

Comments suppressed due to low confidence (1)

convex/payments/transfers/types.ts:145

• PersistedTransferStatus is declared twice in this file (same alias name, same definition). TypeScript will fail with a duplicate identifier error; remove one of the declarations and keep a single documented type alias.

export type TransferStatus = (typeof TRANSFER_STATUSES)[number];
export type PersistedTransferStatus = TransferStatus | "completed";

/**
 * Persisted transfer status at the query boundary.
 *
 * Includes the legacy `"completed"` value while historical rows are still
 * tolerated by webhook and reversal handlers.
 */
export type PersistedTransferStatus = TransferStatus | "completed";

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Connorbelez]

Merge activity

• Apr 14, 5:26 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 14, 5:28 PM UTC: Graphite couldn't merge this pull request because a downstack PR test: fix harness failures and update manifest #393 failed to merge.
• Apr 14, 9:26 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 14, 9:28 PM UTC: Graphite couldn't merge this PR because it had merge conflicts.
• Apr 14, 9:41 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 14, 9:41 PM UTC: @Connorbelez merged this pull request with Graphite.