feat(portal): implement RBAC with permission gates and user management

src/portal/CloudHealthOffice.Portal/Pages/AddEditUserDialog.razor

@@ -0,0 +1,169 @@
+@using CloudHealthOffice.Portal.Services
+@inject HttpClient Http
+@inject IConfiguration Configuration
+
+<MudDialog>
+    <TitleContent>
+        <MudText Typo="Typo.h6">
+            <MudIcon Icon="@(IsEdit ? Icons.Material.Filled.Edit : Icons.Material.Filled.PersonAdd)" Class="mr-2" />
+            @(IsEdit ? "Edit User" : "Add User")
+        </MudText>
+    </TitleContent>
+    <DialogContent>
+        <MudTextField @bind-Value="_email" Label="Email" Required="true" RequiredError="Email is required"
+                      InputType="InputType.Email" Disabled="@IsEdit" Class="mb-3" />
+        <MudTextField @bind-Value="_displayName" Label="Display Name" Required="true"
+                      RequiredError="Display name is required" Class="mb-3" />
+        <MudStack Row="true" Spacing="2" Class="mb-3">
+            <MudTextField @bind-Value="_firstName" Label="First Name" />
+            <MudTextField @bind-Value="_lastName" Label="Last Name" />
+        </MudStack>
+        <MudSelect T="string" Label="Department" @bind-Value="_department" Class="mb-3">
+            <MudSelectItem Value="@("Claims")">Claims</MudSelectItem>
+            <MudSelectItem Value="@("Utilization Management")">Utilization Management</MudSelectItem>
+            <MudSelectItem Value="@("Member Services")">Member Services</MudSelectItem>
+            <MudSelectItem Value="@("Enrollment")">Enrollment</MudSelectItem>
+            <MudSelectItem Value="@("Provider Relations")">Provider Relations</MudSelectItem>
+            <MudSelectItem Value="@("Finance")">Finance</MudSelectItem>
+            <MudSelectItem Value="@("Compliance")">Compliance</MudSelectItem>
+            <MudSelectItem Value="@("Administration")">Administration</MudSelectItem>
+        </MudSelect>
+        <MudSelect T="string" Label="Roles" MultiSelection="true" @bind-SelectedValues="_selectedRoles" Class="mb-3">
+            @foreach (var role in AvailableRoles)
+            {
+                <MudSelectItem T="string" Value="@role">@FormatRoleName(role)</MudSelectItem>
+            }
+        </MudSelect>
+
+        @if (!string.IsNullOrEmpty(_errorMessage))
+        {
+            <MudAlert Severity="Severity.Error" Class="mt-2">@_errorMessage</MudAlert>
+        }
+    </DialogContent>
+    <DialogActions>
+        <MudButton OnClick="Cancel">Cancel</MudButton>
+        <MudButton Color="Color.Primary" Variant="Variant.Filled" OnClick="Submit" Disabled="_saving">
+            @if (_saving) { <MudProgressCircular Size="Size.Small" Indeterminate="true" Class="mr-2" /> }
+            @(IsEdit ? "Save Changes" : "Add User")
+        </MudButton>
+    </DialogActions>
+</MudDialog>
+
+@code {
+    [CascadingParameter] IMudDialogInstance MudDialog { get; set; } = null!;
+    [Parameter] public string? TenantId { get; set; }
+    [Parameter] public UserManagement.UserListItem? ExistingUser { get; set; }
+    [Parameter] public List<string> AvailableRoles { get; set; } = new();
+
+    private string _email = string.Empty;
+    private string _displayName = string.Empty;
+    private string _firstName = string.Empty;
+    private string _lastName = string.Empty;
+    private string _department = string.Empty;
+    private IEnumerable<string> _selectedRoles = new List<string>();
+    private string? _errorMessage;
+    private bool _saving;
+
+    private bool IsEdit => ExistingUser != null;
+
+    protected override void OnInitialized()
+    {
+        if (ExistingUser != null)
+        {
+            _email = ExistingUser.Email;
+            _displayName = ExistingUser.DisplayName;
+            _department = ExistingUser.Department;
+            _selectedRoles = ExistingUser.Roles;
+        }
+    }
+
+    private async Task Submit()
+    {
+        _errorMessage = null;
+
+        if (string.IsNullOrWhiteSpace(_email) || string.IsNullOrWhiteSpace(_displayName))
+        {
+            _errorMessage = "Email and Display Name are required.";
+            return;
+        }
+
+        if (!_selectedRoles.Any())
+        {
+            _errorMessage = "At least one role must be selected.";
+            return;
+        }
+
+        _saving = true;
+
+        try
+        {
+            var baseUrl = Configuration["Services:TenantService"] ?? "http://tenant-service.cho-svcs/api";
+
+            if (IsEdit)
+            {
+                var response = await Http.PutAsJsonAsync(
+                    $"{baseUrl}/v1/tenants/{TenantId}/users/{ExistingUser!.Id}",
+                    new
+                    {
+                        DisplayName = _displayName,
+                        FirstName = _firstName,
+                        LastName = _lastName,
+                        Roles = _selectedRoles.ToList(),
+                        Department = _department
+                    });
+
+                if (!response.IsSuccessStatusCode)
+                {
+                    _errorMessage = $"Failed to update user: {response.ReasonPhrase}";
+                    return;
+                }
+            }
+            else
+            {
+                var response = await Http.PostAsJsonAsync(
+                    $"{baseUrl}/v1/tenants/{TenantId}/users",
+                    new
+                    {
+                        Email = _email,
+                        DisplayName = _displayName,
+                        FirstName = _firstName,
+                        LastName = _lastName,
+                        Roles = _selectedRoles.ToList(),
+                        Department = _department
+                    });
+
+                if (!response.IsSuccessStatusCode)
+                {
+                    var body = await response.Content.ReadAsStringAsync();
+                    _errorMessage = $"Failed to add user: {body}";
+                    return;
+                }
+            }
+
+            MudDialog.Close(DialogResult.Ok(true));
+        }
+        catch (Exception ex)
+        {
+            _errorMessage = $"Error: {ex.Message}";
+        }
+        finally
+        {
+            _saving = false;
+        }
+    }
+
+    private void Cancel() => MudDialog.Cancel();
+
+    private string FormatRoleName(string role) => role switch
+    {
+        "ClaimsExaminer" => "Claims Examiner",
+        "ClaimsSupervisor" => "Claims Supervisor",
+        "MemberServices" => "Member Services",
+        "EnrollmentSpecialist" => "Enrollment Specialist",
+        "UMCoordinator" => "UM Coordinator",
+        "ProviderRelations" => "Provider Relations",
+        "ComplianceOfficer" => "Compliance Officer",
+        "TenantAdmin" => "Tenant Admin",
+        _ => role
+    };
+}

src/portal/CloudHealthOffice.Portal/Pages/Appeals.razor

@@ -8,6 +8,7 @@
 
 <PageTitle>Appeals - Cloud Health Office</PageTitle>
 
+<PermissionGate Permission="appeals:read" RoleName="UMCoordinator">
 <MudContainer MaxWidth="MaxWidth.ExtraExtraLarge" Class="mt-4">
     <MudText Typo="Typo.h3" GutterBottom="true">
         <MudIcon Icon="@Icons.Material.Filled.Balance" Class="mr-2" />
@@ -274,6 +275,7 @@
         </MudAlert>
     }
 </MudContainer>
+</PermissionGate>
 
 @code {
     private bool _loadingSummary = true;

src/portal/CloudHealthOffice.Portal/Pages/Authorizations.razor

@@ -6,6 +6,7 @@
 
 <PageTitle>Authorizations - Cloud Health Office</PageTitle>
 
+<PermissionGate Permission="authorizations:read" RoleName="UMCoordinator">
 <MudContainer MaxWidth="MaxWidth.ExtraExtraLarge" Class="mt-4">
     <MudText Typo="Typo.h3" GutterBottom="true">
         <MudIcon Icon="@Icons.Material.Filled.FactCheck" Class="mr-2" />
@@ -214,6 +215,7 @@
         </MudPaper>
     }
 </MudContainer>
+</PermissionGate>
 
 @code {
     private List<AuthorizationSummary> _allAuthorizations = new();

src/portal/CloudHealthOffice.Portal/Pages/BenefitPlans.razor

@@ -8,6 +8,7 @@
 
 <PageTitle>Benefit Plans - Cloud Health Office</PageTitle>
 
+<PermissionGate>
 <MudContainer MaxWidth="MaxWidth.ExtraExtraLarge" Class="mt-4">
     <MudText Typo="Typo.h3" GutterBottom="true">
         <MudIcon Icon="@Icons.Material.Filled.HealthAndSafety" Class="mr-2" />
@@ -172,6 +173,7 @@
         </LoadingContent>
     </MudTable>
 </MudContainer>
+</PermissionGate>
 
 @code {
     private List<BenefitPlanListItem> _allPlans = new();

src/portal/CloudHealthOffice.Portal/Pages/Claims.razor

@@ -10,6 +10,7 @@
 
 <PageTitle>Claims - Cloud Health Office</PageTitle>
 
+<PermissionGate Permission="claims:read,claims:work" RoleName="ClaimsExaminer">
 <MudContainer MaxWidth="MaxWidth.ExtraExtraLarge" Class="mt-4">
     <MudText Typo="Typo.h3" GutterBottom="true">
         <MudIcon Icon="@Icons.Material.Filled.Receipt" Class="mr-2" />
@@ -360,6 +361,7 @@
         </MudAlert>
     }
 </MudContainer>
+</PermissionGate>
 
 @code {
     private ClaimSearchRequest _searchRequest = new();

src/portal/CloudHealthOffice.Portal/Pages/Dashboard.razor

@@ -7,20 +7,31 @@
 @inject IClaimsService ClaimsService
 @inject CloudHealthOffice.Portal.Services.IAuthorizationService AuthorizationService
 @inject ITenantContextService TenantContextService
+@inject IUserContextService UserContextService
 
 <PageTitle>Dashboard - Cloud Health Office</PageTitle>
 
+<PermissionGate>
 <MudContainer MaxWidth="MaxWidth.ExtraExtraLarge" Class="mt-4">
 
     @* ── Top Bar: Welcome + Tenant ── *@
     <MudStack Row="true" Justify="Justify.SpaceBetween" AlignItems="AlignItems.Center" Class="mb-4">
         <MudStack Spacing="0">
             <MudText Typo="Typo.h4">
-                Welcome back@(tenantContext != null ? $", {tenantContext.TenantName}" : "")
-            </MudText>
-            <MudText Typo="Typo.body2" Color="Color.Secondary">
-                @DateTime.Now.ToString("dddd, MMMM d, yyyy")
+                Welcome back@(_userContext != null ? $", {_userContext.DisplayName}" : tenantContext != null ? $", {tenantContext.TenantName}" : "")
             </MudText>
+            @if (_userContext != null)
+            {
+                <MudText Typo="Typo.body2" Color="Color.Secondary">
+                    @_userContext.PrimaryRoleDisplayName — @DateTime.Now.ToString("dddd, MMMM d, yyyy")
+                </MudText>
+            }
+            else
+            {
+                <MudText Typo="Typo.body2" Color="Color.Secondary">
+                    @DateTime.Now.ToString("dddd, MMMM d, yyyy")
+                </MudText>
+            }
         </MudStack>
         @if (tenantContext != null)
         {
@@ -367,12 +378,14 @@
     </MudCard>
 
 </MudContainer>
+</PermissionGate>
 
 @code {
     private DashboardMetrics? metrics;
     private List<ClaimSummary>? recentClaims;
     private List<AuthorizationSummary>? recentAuthorizations;
     private TenantContext? tenantContext;
+    private UserContext? _userContext;
     private OperationalAlerts? _alerts;
     private EdiVolumeSummary? _ediVolume;
     private bool _loading = true;
@@ -398,10 +411,11 @@
         try
         {
             tenantContext = await TenantContextService.GetCurrentTenantContextAsync();
+            _userContext = await UserContextService.GetCurrentUserAsync();
         }
         catch (Exception ex)
         {
-            Logger.LogWarning(ex, "Failed to load tenant context");
+            Logger.LogWarning(ex, "Failed to load tenant/user context");
         }
 
         try

src/portal/CloudHealthOffice.Portal/Pages/Eligibility.razor

@@ -7,6 +7,7 @@
 
 <PageTitle>Eligibility Verification - Cloud Health Office</PageTitle>
 
+<PermissionGate Permission="eligibility:check" RoleName="MemberServices">
 <MudContainer MaxWidth="MaxWidth.Large" Class="mt-4">
     <MudText Typo="Typo.h3" GutterBottom="true">
         <MudIcon Icon="@Icons.Material.Filled.VerifiedUser" Class="mr-2" />
@@ -216,6 +217,7 @@
         </MudItem>
     </MudGrid>
 </MudContainer>
+</PermissionGate>
 
 @code {
     private MudForm? _form;

src/portal/CloudHealthOffice.Portal/Pages/EnrollmentOperations.razor

@@ -7,6 +7,7 @@
 
 <PageTitle>Enrollment Operations - Cloud Health Office</PageTitle>
 
+<PermissionGate Permission="enrollment:read" RoleName="EnrollmentSpecialist">
 <MudContainer MaxWidth="MaxWidth.ExtraExtraLarge" Class="mt-4">
     <MudText Typo="Typo.h3" GutterBottom="true">
         <MudIcon Icon="@Icons.Material.Filled.UploadFile" Class="mr-2" />
@@ -214,6 +215,7 @@
         50% { opacity: 0.5; }
     }
 </style>
+</PermissionGate>
 
 @code {
     private bool _loading = true;

src/portal/CloudHealthOffice.Portal/Pages/Members.razor

@@ -8,6 +8,7 @@
 
 <PageTitle>Members - Cloud Health Office</PageTitle>
 
+<PermissionGate Permission="members:read" RoleName="MemberServices">
 <MudContainer MaxWidth="MaxWidth.ExtraExtraLarge" Class="mt-4">
     <MudText Typo="Typo.h3" GutterBottom="true">
         <MudIcon Icon="@Icons.Material.Filled.People" Class="mr-2" />
@@ -143,6 +144,7 @@
         </MudPaper>
     }
 </MudContainer>
+</PermissionGate>
 
 @code {
     private string _memberIdSearch = string.Empty;

src/portal/CloudHealthOffice.Portal/Pages/PaymentRuns.razor

@@ -11,6 +11,7 @@
 
 <PageTitle>Payment Runs — Cloud Health Office</PageTitle>
 
+<PermissionGate Permission="payments:read" RoleName="Finance">
 <MudText Typo="Typo.h4" Class="mb-1" Style="color: #00ffff; font-weight: 700; letter-spacing: -0.5px;">
     <MudIcon Icon="@Icons.Material.Filled.Payments" Class="mr-2" Style="vertical-align: middle;" />
     Payment Runs
@@ -206,6 +207,7 @@
         50% { opacity: 0.5; }
     }
 </style>
+</PermissionGate>
 
 @code {
     private List<PaymentRunSummary> _runs = new();

src/portal/CloudHealthOffice.Portal/Pages/PremiumBilling.razor

@@ -10,6 +10,7 @@
 
 <PageTitle>Premium Billing — Cloud Health Office</PageTitle>
 
+<PermissionGate Permission="billing:read" RoleName="Finance">
 <MudText Typo="Typo.h4" Class="mb-1" Style="color: #00ffff; font-weight: 700; letter-spacing: -0.5px;">
     <MudIcon Icon="@Icons.Material.Filled.RequestQuote" Class="mr-2" Style="vertical-align: middle;" />
     Premium Billing
@@ -346,6 +347,7 @@
     </MudTabPanel>
 
 </MudTabs>
+</PermissionGate>
 
 @code {
     private int _activeTab = 0;

src/portal/CloudHealthOffice.Portal/Pages/Providers.razor

@@ -5,6 +5,7 @@
 
 <PageTitle>Providers - Cloud Health Office</PageTitle>
 
+<PermissionGate Permission="providers:read" RoleName="ProviderRelations">
 <MudContainer MaxWidth="MaxWidth.ExtraExtraLarge" Class="mt-4">
     <MudText Typo="Typo.h4" GutterBottom="true">Provider Network</MudText>
     <MudText Typo="Typo.body1" Color="Color.Secondary" Class="mb-4">
@@ -247,6 +248,7 @@
 
 <ProviderDetailsDialog @ref="_detailsDialog" OnProviderUpdated="SearchProviders" />
 <CreateEditProviderDialog @ref="_createEditDialog" OnProviderSaved="SearchProviders" />
+</PermissionGate>
 
 @code {
     private bool _loading = false;