feat: RBAC - management app access (#1569)

* feat: create reusable form components (SearchInput, RoleSelect)

- Add SearchInput component with icon for consistent search UI
- Add RoleSelect component for role dropdown selection
- Both components support v-model and are fully typed
- Reduces code duplication across modals and forms

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* feat: create RoleSelectionModal component

- Reusable modal for role/permission selection
- Integrates with RoleSelect component
- Handles validation and loading states
- Supports custom titles and descriptions
- Emits confirm/cancel events for flexible usage

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* refactor: use new reusable components in AppAccess and Members

AppAccess.vue:
- Replace search input with SearchInput component
- Replace role select with RoleSelect component
- Replace Edit Role Modal with RoleSelectionModal
- Remove duplicate modal code (~40 lines)
- Refactor updateRoleBinding to handleEditRoleConfirm

Members.vue:
- Replace search input in App Access modal with SearchInput
- Replace role select with RoleSelect component
- Remove unused selectedOrgRoleSummary computed property

Benefits:
- Reduced code duplication
- Consistent UI across modals
- Easier maintenance and testing

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: improve role display in AppTable

- Import getRbacRoleI18nKey for proper role translation
- Normalize role names (remove invite_ prefix)
- Use i18n translations when available
- Fallback to human-readable format (replace _ with spaces)
- Fixes display of roles like "app_admin" → "App Admin"

Applies the same display logic used in Members.vue and AppAccess.vue
for consistent user experience across the application.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(backend): use wildcard middleware matcher for CORS and auth

- Change middleware from '/' to '*' for useCors and middlewareAuth
- Ensures middleware applies to all routes in groups, role_bindings, and roles
- Fixes potential CORS and auth issues on nested routes

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* feat(rbac): remove app/channel/bundle permissions from org_member role

Migration:
- Remove app, bundle, and channel scope permissions from org_member role
- Update role description to reflect org-only access
- Ensures org_member has no direct app access by default

Seed:
- Enable RBAC for test organization
- Remove unused variables (v_org, v_migration_result)

This enforces the principle that org_member should only have
org-level access and requires explicit app-level role assignments.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* chore(i18n): remove unused app-role-hint translation key

- Remove app-role-hint key from all language files
- Key was not referenced in the codebase
- Cleanup to reduce translation maintenance burden

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(lint): fix ESLint errors in new components

- Fix import order in AppAccess.vue (SearchInput before RoleSelectionModal)
- Fix static class in SearchInput.vue (separate static class attribute)
- Fix inconsistent quote-props in RoleSelectionModal.vue emit types
- Fix indentation errors in Members.vue template (79 errors total)

All errors auto-fixed with eslint --fix

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(i18n): correct t() function calls with interpolation

Remove invalid default string argument from t() calls in Members.vue.
The vue-i18n t() function expects (key, interpolationObject) not
(key, defaultString, interpolationObject).

* chore: create a new migration timestamp to be played last

* fix(rbac): align apps INSERT RLS policy with org-level permissions

After removing app/channel/bundle permissions from org_member role,
the apps table INSERT policy was still checking for app-level admin
permissions. This caused RLS violations when creating apps since the
app_id doesn't exist yet during creation.

Updated the policy to check org-level write permissions instead,
which maps to org.update_settings in RBAC and aligns with the API
endpoint's permission check.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(rbac): create new migration for apps INSERT RLS policy fix

Previous attempt modified an already-applied migration, which
doesn't get re-run in CI. This creates a new migration with a
current timestamp to properly fix the RLS policy for app creation.

Changes:
- Remove RLS policy fix from old migration (already applied)
- Create new migration 20260203220918 with the RLS policy fix
- Policy now checks org-level 'write' permissions instead of
  app-level 'admin' permissions for INSERT operations

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* Revert "fix(rbac): create new migration for apps INSERT RLS policy fix"

This reverts commit 321696b.

* fix(rbac): use get_identity_org_allowed for app INSERT RLS policy

When creating a new app, the app_id doesn't exist yet, so we can't use
get_identity_org_appid which expects an app_id parameter. Instead, use
get_identity_org_allowed which only needs the org_id.

This fixes the RLS policy to properly check org-level 'write' permissions
when creating apps, which admins and super_admins have through RBAC.

Also added debugging to expose-metadata test to help diagnose any remaining
issues with app creation.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix(api): avoid RLS read on app create

* fix(db): validate user in has_app_right_apikey

* fix(db): enforce 2FA for RBAC super-admin

* test: improve error logging for app create

* fix(api): use pg client for app create

---------

Co-authored-by: Claude Sonnet 4.5 <[email protected]>

Author: Dalanir

RBAC_SYSTEM.md

@@ -206,9 +206,6 @@ CREATE TABLE public.role_permissions (
 
 **Example for `org_member`**:
 - `org.read`, `org.read_members`
-- `app.read`, `app.list_bundles`, `app.list_channels`, `app.read_logs`, `app.read_devices`, `app.read_audit`
-- `bundle.read`
-- `channel.read`, `channel.read_history`, `channel.read_forced_devices`, `channel.read_audit`
 
 **Example for `bundle_admin`**:
 - `bundle.read`, `bundle.update`, `bundle.delete`
@@ -450,11 +447,8 @@ The system defines 13 predefined roles covering all hierarchy levels.
 - **Priority rank**: 75
 - **Permissions**:
   - **Org**: read, read_members
-  - **App**: read, list_bundles, list_channels, read_logs, read_devices, read_audit
-  - **Channel**: read, read_history, read_forced_devices, read_audit
-  - **Bundle**: read
-- **Usage**: Basic member, read-only across the entire org
-- **Use case**: Observers, stakeholders, QA with visibility but no modification power
+- **Usage**: Basic org member (no app access by default)
+- **Use case**: Users who only need org visibility; grant app access via app-scoped roles
 
 ### Application Roles
 
@@ -594,20 +588,20 @@ The system defines **40+ atomic permissions** organized by scope.
 
 | Permission | Description | Roles with this permission |
 |-----------|-------------|------------------------------|
-| `app.read` | View app info | All app_* roles, org_admin, org_super_admin, org_member |
+| `app.read` | View app info | All app_* roles, org_admin, org_super_admin |
 | `app.update_settings` | Modify app settings | app_admin, org_admin, org_super_admin |
 | `app.delete` | Delete app | org_super_admin only |
 | `app.read_bundles` | View bundle metadata | app_admin, app_developer, app_uploader, app_reader, org_admin, org_super_admin |
-| `app.list_bundles` | List bundles | org_member |
+| `app.list_bundles` | List bundles | None |
 | `app.upload_bundle` | Upload bundles | app_admin, app_developer, app_uploader, org_admin, org_super_admin |
 | `app.create_channel` | Create channels | app_admin, org_admin, org_super_admin |
 | `app.read_channels` | View channels | app_admin, app_developer, app_uploader, app_reader, org_admin, org_super_admin |
-| `app.list_channels` | List channels | org_member |
-| `app.read_logs` | View logs | app_admin, app_developer, app_uploader, app_reader, org_admin, org_super_admin, org_member |
+| `app.list_channels` | List channels | None |
+| `app.read_logs` | View logs | app_admin, app_developer, app_uploader, app_reader, org_admin, org_super_admin |
 | `app.manage_devices` | Manage devices | app_admin, app_developer, org_admin, org_super_admin |
-| `app.read_devices` | View devices | All app_* roles, org_admin, org_super_admin, org_member |
+| `app.read_devices` | View devices | All app_* roles, org_admin, org_super_admin |
 | `app.build_native` | Build native versions | app_admin, app_developer, org_admin, org_super_admin |
-| `app.read_audit` | View app audit | All app_* roles, org_admin, org_super_admin, org_member |
+| `app.read_audit` | View app audit | All app_* roles, org_admin, org_super_admin |
 | `app.update_user_roles` | Manage user roles for this app | app_admin, org_admin, org_super_admin |
 
 ### Bundle Permissions (scope: `bundle`)
@@ -616,23 +610,23 @@ The system defines **40+ atomic permissions** organized by scope.
 
 | Permission | Description | Roles with this permission |
 |-----------|-------------|------------------------------|
-| `bundle.read` | Read bundle metadata | bundle_admin, bundle_reader, org_member |
+| `bundle.read` | Read bundle metadata | bundle_admin, bundle_reader |
 | `bundle.update` | Modify a bundle | bundle_admin |
 | `bundle.delete` | Delete a bundle | bundle_admin, app_admin, org_admin, org_super_admin |
 
 ### Channel Permissions (scope: `channel`)
 
 | Permission | Description | Roles with this permission |
 |-----------|-------------|------------------------------|
-| `channel.read` | View a channel | All channel_* roles, app_admin, app_developer, org_admin, org_super_admin, org_member |
+| `channel.read` | View a channel | All channel_* roles, app_admin, app_developer, org_admin, org_super_admin |
 | `channel.update_settings` | Modify channel settings | channel_admin, app_admin, app_developer, org_admin, org_super_admin |
 | `channel.delete` | Delete a channel | channel_admin, app_admin, org_admin, org_super_admin |
-| `channel.read_history` | View deployment history | All channel_* roles, app_admin, app_developer, org_admin, org_super_admin, org_member |
+| `channel.read_history` | View deployment history | All channel_* roles, app_admin, app_developer, org_admin, org_super_admin |
 | `channel.promote_bundle` | Promote a bundle | channel_admin, app_admin, app_developer, org_admin, org_super_admin |
 | `channel.rollback_bundle` | Rollback a bundle | channel_admin, app_admin, app_developer, org_admin, org_super_admin |
 | `channel.manage_forced_devices` | Manage forced devices | channel_admin, app_admin, app_developer, org_admin, org_super_admin |
-| `channel.read_forced_devices` | View forced devices | All channel_* roles, app_admin, app_developer, org_admin, org_super_admin, org_member |
-| `channel.read_audit` | View channel audit | All channel_* roles, app_admin, app_developer, org_admin, org_super_admin, org_member |
+| `channel.read_forced_devices` | View forced devices | All channel_* roles, app_admin, app_developer, org_admin, org_super_admin |
+| `channel.read_audit` | View channel audit | All channel_* roles, app_admin, app_developer, org_admin, org_super_admin |
 
 ### Platform Permissions (scope: `platform`)
 
@@ -1752,11 +1746,10 @@ ORDER BY rb.granted_at DESC;
 #### 8. Find missing permissions for a role
 
 ```sql
--- Permissions that org_member should have but doesn't
+-- Permissions not granted to a role (example: org_member)
 SELECT DISTINCT p.key, p.description
 FROM permissions p
 WHERE p.scope_type IN ('org', 'app', 'channel')
-  AND p.key LIKE 'app.read%'
   AND p.id NOT IN (
     SELECT permission_id
     FROM role_permissions rp

bun.lock

@@ -223,7 +223,6 @@
   "app-not-found": "App nicht gefunden",
   "app-not-found-description": "Diese App konnte nicht gefunden werden. Sie könnte gelöscht worden sein oder Sie haben möglicherweise keinen Zugriff darauf.",
   "app-perm": "App-Berechtigung",
-  "app-role-hint": "App-Rollen steuern, welche Aktionen Benutzer ausführen dürfen",
   "app-transferred": "App erfolgreich übertragen",
   "app-will-be-transferred": "Die App wird an $ORG_ID übertragen. Bitte geben Sie die App-ID ('$APP_ID') ein, um die Übertragung zu bestätigen.",
   "apps": "Apps",

messages/de.json

@@ -223,7 +223,6 @@
   "app-not-found": "App not found",
   "app-not-found-description": "This app could not be found. It might have been deleted or you might not have access to it.",
   "app-perm": "App permission",
-  "app-role-hint": "App roles control what actions users can perform on this app",
   "app-transferred": "App transferred successfully",
   "app-will-be-transferred": "App will be transferred to $ORG_ID. Please type the app ID ('$APP_ID') to confirm the transfer. ",
   "apps": "apps",

messages/en.json

@@ -223,7 +223,6 @@
   "app-not-found": "Aplicación no encontrada",
   "app-not-found-description": "Esta aplicación no pudo ser encontrada. Podría haber sido eliminada o es posible que no tengas acceso a ella.",
   "app-perm": "Permiso de la aplicación",
-  "app-role-hint": "Los roles de la app controlan las acciones permitidas",
   "app-transferred": "Aplicación transferida con éxito",
   "app-will-be-transferred": "La aplicación será transferida a $ORG_ID. Por favor, escriba el ID de la aplicación ('$APP_ID') para confirmar la transferencia.",
   "apps": "aplicaciones",

messages/es.json

@@ -223,7 +223,6 @@
   "app-not-found": "Application non trouvée",
   "app-not-found-description": "Cette application n'a pas pu être trouvée. Elle a peut-être été supprimée ou vous n'avez peut-être pas accès à celle-ci.",
   "app-perm": "Autorisation d'application",
-  "app-role-hint": "Les rôles d'application contrôlent les actions que les utilisateurs peuvent effectuer sur cette app",
   "app-transferred": "L'application a été transférée avec succès",
   "app-will-be-transferred": "L'application sera transférée à $ORG_ID. Veuillez taper l'ID de l'application ('$APP_ID') pour confirmer le transfert.",
   "apps": "applications",

messages/fr.json

@@ -223,7 +223,6 @@
   "app-not-found": "ऐप नहीं मिला",
   "app-not-found-description": "यह ऐप नहीं मिल सका। हो सकता है कि इसे हटा दिया गया हो या फिर आपके पास इसे प्राप्त करने की क्षमता नहीं हो।",
   "app-perm": "ऐप अनुमति",
-  "app-role-hint": "ऐप भूमिकाएँ अनुमत कार्यों को नियंत्रित करती हैं",
   "app-transferred": "ऐप सफलतापूर्वक स्थानांतरित हुआ",
   "app-will-be-transferred": "ऐप $ORG_ID को स्थानांतरित किया जाएगा। स्थानांतरण की पुष्टि के लिए, कृपया ऐप ID ('$APP_ID') टाइप करें।",
   "apps": "ऐप्स",

messages/hi.json

@@ -223,7 +223,6 @@
   "app-not-found": "Aplikasi tidak ditemukan",
   "app-not-found-description": "Aplikasi ini tidak dapat ditemukan. Mungkin sudah dihapus atau Anda mungkin tidak memiliki akses kepadanya.",
   "app-perm": "Izin aplikasi",
-  "app-role-hint": "Peran aplikasi mengontrol tindakan yang diizinkan",
   "app-transferred": "Aplikasi berhasil dipindahkan",
   "app-will-be-transferred": "Aplikasi akan dipindahkan ke $ORG_ID. Silakan ketik ID aplikasi ('$APP_ID') untuk mengkonfirmasi pemindahan.",
   "apps": "aplikasi",

messages/id.json

@@ -223,7 +223,6 @@
   "app-not-found": "App non trovata",
   "app-not-found-description": "Questa app non è stata trovata. Potrebbe essere stata cancellata o potresti non avere accesso ad essa.",
   "app-perm": "Autorizzazione dell'app",
-  "app-role-hint": "I ruoli dell'app controllano le azioni consentite",
   "app-transferred": "App trasferita con successo",
   "app-will-be-transferred": "L'app verrà trasferita a $ORG_ID. Si prega di digitare l'ID dell'app ('$APP_ID') per confermare il trasferimento.",
   "apps": "app",

messages/it.json

@@ -223,7 +223,6 @@
   "app-not-found": "アプリが見つかりません",
   "app-not-found-description": "このアプリは見つかりませんでした。削除された可能性があるか、またはアクセス権限がない可能性があります。",
   "app-perm": "アプリの許可",
-  "app-role-hint": "アプリロールで実行可能な操作を制御します",
   "app-transferred": "アプリが正常に転送されました",
   "app-will-be-transferred": "アプリは$ORG_IDに移行されます。移行を確認するために、アプリID（'$APP_ID'）を入力してください。",
   "apps": "アプリ",