Contributor

Copilot AI commented Oct 30, 2025

Adds role-based access control (RBAC) infrastructure with JWT authentication and fixes the failing Docker Cloud Build & Push workflow by specifying the correct Dockerfile path and skipping registry push on pull requests.

Database & Models

  • UserRole: UUID primary key, unique name, description, timestamps
  • User: UUID primary key, username, email, hashed_password (bcrypt), role_id foreign key, is_active
  • SQLAlchemy ORM with PostgreSQL/SQLite support via app/database.py

API Endpoints

REST API at /api/roles:

  • GET /roles - list roles (paginated)
  • POST /roles - create role (validates unique name)
  • GET /roles/{id} - get role by UUID
  • PUT /roles/{id} - update role
  • DELETE /roles/{id} - delete role

All endpoints require API key authentication.

Authentication & Authorization

Enhanced app/auth/dependencies.py:

  • create_access_token() - generates JWT with 30min expiration
  • get_current_user() - validates JWT, loads user with role relationship
  • require_role(*roles) - decorator factory for flexible role checks
  • Convenience decorators: admin_only, customer_only, auditor_only

Example usage:

```python
from fastapi import APIRouter, Depends

from app.auth.dependencies import require_role, admin_only

router = APIRouter()

# Single fixed role: the admin_only convenience dependency
@router.get("/admin-only", dependencies=[Depends(admin_only)])
async def admin_endpoint():
    return {"message": "Admin access granted"}

# Any of several roles: build the dependency with the require_role factory
@router.get("/multi-role", dependencies=[Depends(require_role("admin", "auditor"))])
async def multi_role_endpoint():
    return {"message": "Admin or auditor access"}
```

Docker Workflow Fix

Created docker/Dockerfile.api:

  • Multi-stage build with Python 3.11-slim and virtual environment
  • Non-root user execution with correct PATH (/opt/venv/bin)
  • ARG support for BUILD_DATE and VCS_REF labels
  • Health check at /health endpoint

Updated .github/workflows/production-pipeline.yml:

  • Added file: ./docker/Dockerfile.api to both docker-security and docker-cloud-build jobs
  • Added push: ${{ github.event_name != 'pull_request' }} to prevent registry push on PRs
  • Conditional Docker Hub login (skipped for pull_request events)

Dependencies

  • sqlalchemy==2.0.36 - ORM and database toolkit
  • psycopg2-binary==2.9.10 - PostgreSQL adapter
  • python-jose[cryptography]==3.4.0 - JWT tokens (fixes CVE-2024-33663)
  • passlib[bcrypt]==1.7.4 - password hashing
  • email-validator==2.2.0 - email validation for Pydantic

Tests

16 new tests covering role CRUD, JWT auth, password hashing, role validation, and access control. All 23 tests passing with 0 CodeQL alerts.

Original prompt

This section details the original issue you should resolve

<issue_title>Feature Request: Implement User Role Management</issue_title>
<issue_description>## Feature Request: User Role Management

Description

The current NeuroBank FastAPI Toolkit provides a robust foundation for a banking application, but it lacks a user role management system that would allow for different access levels and permissions based on user roles (e.g., admin, customer, auditor).

Motivation

Implementing user roles would enhance security and administration control within the application, allowing organizations to manage permissions more effectively and ensuring that users can only access the features relevant to their responsibilities.

Proposed Solution

  • Add a new model for user roles in the database.
  • Include APIs to create, read, update, and delete user roles.
  • Adjust the authentication and authorization mechanisms to check user roles before granting access to specific API endpoints.
  • Update documentation to reflect changes in user management and provide example use cases.

Additional Notes

This feature could significantly improve the functionality and security of the NeuroBank toolkit, making it more attractive for enterprise-level applications.</issue_description>

<agent_instructions>Implement user role management in the NeuroBank FastAPI Toolkit using SQLAlchemy and Pydantic models.
Create a new UserRole model with fields: id (UUID), name (str, unique), and description (str).
Extend the existing User model to include a foreign key to UserRole.
Add REST API endpoints under /roles for CRUD operations:

  • GET /roles (list all roles)
  • POST /roles (create new role)
  • GET /roles/{id}
  • PUT /roles/{id}
  • DELETE /roles/{id}

Integrate role-based access control (RBAC) with FastAPI’s dependency injection system.
Add a get_current_user dependency that verifies the user's JWT and attaches the user role.
Restrict protected routes with role checks (e.g., admin_only, customer_only, auditor_only decorators).

Update OpenAPI documentation to include role information in the JWT schema.
Include database migrations if Alembic is configured, and add unit tests for role CRUD and authorization rules.
Follow existing code style and directory structure of the NeuroBank FastAPI Toolkit (app/models, app/api/routes, app/core/security).
</agent_instructions>

Comments on the Issue (you are @copilot in this section)

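The JWT-plus-role flow the description above outlines, as an added stand-alone example (not the PR's code): it uses only the standard library in place of python-jose and FastAPI, mirrors the create_access_token / get_current_user / require_role names, and assumes an HS256 token whose payload carries sub, role and exp claims. SECRET and AuthError are constructed stand-ins for the application's key material and HTTPException.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-secret"  # constructed stand-in; load from config in real code
ACCESS_TOKEN_EXPIRE_MINUTES = 30     # the 30min expiry stated in the PR

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AuthError(Exception):
    """Stands in for FastAPI's HTTPException; status is 401 or 403."""
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status

def create_access_token(username: str, role: str, now=None) -> str:
    """HS256 JWT carrying sub and role claims, expiring in 30 minutes."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    exp = int(now + ACCESS_TOKEN_EXPIRE_MINUTES * 60)
    payload = _b64url(json.dumps({"sub": username, "role": role, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def get_current_user(token: str, now=None) -> dict:
    """Check alg, signature and expiry before trusting any claim (401 on failure)."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise AuthError(401, "unexpected alg")  # never let the token pick the algorithm
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            raise AuthError(401, "bad signature")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError, AttributeError):  # split, base64 or JSON failure
        raise AuthError(401, "malformed token")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise AuthError(401, "token expired")
    return {"username": claims["sub"], "role": claims["role"]}

def require_role(*roles: str):
    """Factory: returns a checker admitting only the listed roles, else 403."""
    allowed = set(roles)
    def checker(user: dict) -> dict:
        if user["role"] not in allowed:
            raise AuthError(403, f"role {user['role']!r} not permitted")
        return user
    return checker

admin_only = require_role("admin")
```

In the real application the checker would take its user from Depends(get_current_user) and the 401/403 pairs would be HTTPException; the ordering (signature and expiry first, role second) is the part worth keeping.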


@Neiland85 Neiland85 marked this pull request as ready for review October 30, 2025 08:34
Copilot AI review requested due to automatic review settings October 30, 2025 08:34

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.



@codecov-commenter

codecov-commenter commented Oct 30, 2025

Copilot AI and others added 3 commits October 30, 2025 08:46
… endpoints, JWT auth, and tests

Co-authored-by: Neiland85 <164719485+Neiland85@users.noreply.github.com>
…e workflow configuration

Co-authored-by: Neiland85 <164719485+Neiland85@users.noreply.github.com>
Co-authored-by: Neiland85 <164719485+Neiland85@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement user role management system Implement user role management with RBAC and fix Docker Cloud Build workflow Oct 30, 2025
Copilot AI requested a review from Neiland85 October 30, 2025 08:57
Owner

@Neiland85 Neiland85 left a comment


Great! All the new config is done!

@Neiland85 Neiland85 self-requested a review October 30, 2025 16:24
@Neiland85
Owner

Closing this PR. The changes no longer align with the updated architecture and dependency model introduced in the December 2025 refactor.

This contribution is now obsolete and would add noise rather than value to the current codebase.

@Neiland85 Neiland85 closed this Dec 10, 2025
@Neiland85 Neiland85 deleted the copilot/implement-user-role-management branch December 10, 2025 16:47

Development

Successfully merging this pull request may close these issues.

Feature Request: Implement User Role Management