
feat: ui support for authz#270

Merged
gusfcarvalho merged 2 commits into
mainfrom
claude/zealous-galileo-2dcf8d
Jun 23, 2026

Conversation

@gusfcarvalho gusfcarvalho commented Jun 23, 2026

Contributor

Summary by CodeRabbit

Release Notes

  • New Features
    • Added permission-aware controls across the app: actions are disabled when unauthorized and show explanatory tooltips.
    • Added route/menu access gating so only permitted navigation and admin routes are accessible.
    • Introduced a reusable permission-rendering component for conditional UI.
  • Infrastructure
    • Centralized permission vocabulary and enabled permission hydration/resync (including a throttled “Permission denied” notification on 403).
  • Tests
    • Updated/added test mocks to ensure permission-gated UI behaves consistently in test runs.

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

coderabbitai Bot commented Jun 23, 2026


Caution

Review failed

Pull request was closed or merged during review


Walkthrough

This PR adds shared permission primitives, hydrates permission state, checks route and navigation permissions, and updates many forms, dialogs, lists, and action buttons to disable unauthorized actions and show permission tooltips. Tests were updated to mock permission access where needed.

Changes

Permission system rollout

| Layer / File(s) | Summary |
|---|---|
| Permission primitives and hydration: src/constants/permissions.ts, src/stores/permissions.ts, src/composables/usePermissions.ts, src/composables/axios/index.ts, src/composables/useAuthHydration.ts, src/stores/auth.ts, src/views/layouts/App.vue, src/components/auth/PermissionGate.vue, src/components/auth/__tests__/*, src/stores/__tests__/*, src/composables/__tests__/axios.spec.ts | Adds shared permission constants, tooltip text, store state and hydration, composable helpers, logout/reset behavior, 403-triggered permission refresh, app startup hydration, and a slot-based permission gate component with tests. |
| Route and navigation checks: src/router/index.ts, src/router/__tests__/index.spec.ts, src/views/LeftSideNav.vue | Adds route-level permission metadata for admin areas, checks that metadata during navigation, and filters side navigation links and nested sections by permission. |
| Resource screens and CRUD action gating: src/components/SystemCharacteristicsForm.vue, src/components/assessment-plans/*, src/views/assessment-plans/*, src/views/assessment-results/*, src/components/catalogs/*, src/views/catalog/*, src/components/component-definitions/*, src/views/component-definitions/*, src/views/dashboard/*, src/views/evidence/*, src/views/InventoryView.vue, src/components/profiles/CatalogImportDialog.vue, src/views/profile/*, src/components/risk/RiskRegisterPanel.vue | Adds permission-based disabled states and tooltip messaging to create, edit, update, delete, import, and attach controls across assessment, catalog, component definition, dashboard, evidence, inventory, profile, risk, and related screens. |
| POAM and SSP authoring gates: src/components/poam/*, src/views/plan-of-actions-and-milestones/*, src/components/system-security-plans/*, src/views/system-security-plans/* | Adds permission-aware submit and action controls across POAM and SSP forms, editors, and overview pages, including computed create/update action selection in dual-mode forms. |
| Workflow screens and permission test wiring: src/views/workflow-executions/*, src/views/workflow-instances/*, src/views/workflows/*, src/components/catalogs/__tests__/*, src/components/risk/__tests__/*, src/views/**/__tests__/* | Adds permission gating to workflow execution, workflow instance, and workflow definition actions, and updates tests across affected components and views to mock permission access. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Poem

🐇 I hopped through routes and buttons bright,
And tucked each click behind the right.
A tooltip hums, “You’ll need a key,”
Then opens only when allowed to be.
Now forms and flows know when to stay,
Or bloom with permission all the way.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat: ui support for authz' clearly describes the pull request's primary objective: adding authorization (authz) support to the UI layer across numerous components. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@gusfcarvalho gusfcarvalho left a comment

Contributor Author


Findings inline (4, all non-blocking). Headline: clean, well-tested permission-aware UI layer — no blockers (type-check + 754 unit tests + CI test/type-check all green), correct optimistic/PDP-backstop design. The 4 inline notes are polish + one verify-against-manifest item:

  • Low: axios 403 handler fires a toast + hydrate() per response with no dedup; bulk actions can spam both.
  • Low: `persist: true` rehydrates `loaded: true` with a stale map, so the router guard/nav use stale hints on the first paint after a hard refresh.
  • Low → High if manifest disagrees — confirm evidence (and inventory) expose create/update rather than ingest/register; otherwise those submit buttons are permanently disabled.
  • Nit: permissionTooltip falls back to raw keys for resources/actions missing from the label/verb maps.

Out-of-scope (not introduced here): pre-existing duplicate inventory:index route in router/index.ts; and login hydrates twice (useAuthHydration then App.vue onMounted).

Nice work — layering, docs, reset()-on-logout, and test coverage are all solid.

Comment thread src/composables/axios/index.ts
Comment thread src/stores/permissions.ts Outdated
Comment thread src/views/evidence/partial/EvidenceForm.vue
Comment thread src/constants/permissions.ts
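The stale-hint finding above, as an added TypeScript example that is not the PR's own code: a minimal permission store whose can() is optimistic until hydration completes, a router guard that reads the route's permission metadata, and a rehydrate helper that copies only the listed keys, which shows why persisting `loaded` reproduces the stale first paint. The state shape, the `meta.permission` key, and the dashboard redirect are assumptions.

```typescript
// Added example, not the PR's code: optimistic permission hints, a meta-gated route guard,
// and the persisted-state rehydration that the finding above is about.
type PermissionMap = Record<string, string[]>; // resource -> actions the subject may perform

interface PermissionState {
  subject: string | null;
  permissions: PermissionMap;
  loaded: boolean; // true once GET /api/me/permissions has answered in this session
}

// Optimistic: until hydration has run, answer true and let the server's PDP be the backstop.
// Once loaded, answer only from the cached map.
function can(state: PermissionState, resource: string, action: string): boolean {
  if (!state.loaded) return true;
  const actions = state.permissions[resource] || [];
  return actions.indexOf(action) !== -1;
}

// Hypothetical route shape: admin routes carry the permission they require in meta.
interface RouteLike {
  name: string;
  meta?: { permission?: { resource: string; action: string } };
}

// Router guard: routes without permission metadata are open to any signed-in user;
// gated routes fall back to the dashboard when the hint says no.
function guard(state: PermissionState, to: RouteLike): 'allow' | 'redirect:dashboard' {
  const need = to.meta && to.meta.permission;
  if (!need) return 'allow';
  return can(state, need.resource, need.action) ? 'allow' : 'redirect:dashboard';
}

// Rehydrate from persisted storage, copying only the listed keys (the v3 `paths` option).
// Persisting `loaded` makes the first paint trust a stale map; leaving it out keeps it optimistic.
function rehydrate(persisted: Partial<PermissionState>, paths: Array<keyof PermissionState>): PermissionState {
  const state: PermissionState = { subject: null, permissions: {}, loaded: false };
  if (paths.indexOf('subject') !== -1 && persisted.subject !== undefined) state.subject = persisted.subject;
  if (paths.indexOf('permissions') !== -1 && persisted.permissions) state.permissions = persisted.permissions;
  if (paths.indexOf('loaded') !== -1 && persisted.loaded !== undefined) state.loaded = persisted.loaded;
  return state;
}
```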

@gusfcarvalho gusfcarvalho left a comment

Contributor Author


✅ LGTM / sign-off (posting as COMMENT — GitHub blocks self-approval on own PR). All four prior findings addressed and verified on e89ab41:

  1. 403 dedup — toast throttled (module-level 3s window) and hydrate() collapses concurrent callers into one in-flight GET /api/me/permissions. ✅
  2. Stale-permission window — `persist: { paths: ['subject','permissions'] }` drops loaded from persistence (correct for the locked pinia-plugin-persistedstate@3.2.3, where paths is the v3 option), so can() is optimistic on hard refresh until onMounted hydrate resolves and the router guard never bounces a newly-granted user. ✅
  3. Manifest check — confirmed against internal/authz/manifest.yaml: evidence and inventory both expose [read, create, update, delete]; ingest/register live on heartbeat/agent only. The gated buttons are valid. ✅
  4. Tooltip maps — filled for ai-diagnostics/import/digest and ingest/*.manage. ✅

Verified locally: type-check clean, 754 unit tests pass; CI test + type-check green. (CodeRabbit is non-blocking and posted no threads.) No remaining concerns from me — good to merge. Nice, tidy permission-aware UI layer.
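The 403 dedup from item 1, as an added TypeScript example that is not the PR's axios interceptor: hydrate() collapses concurrent callers into one in-flight fetch, and the "Permission denied" toast is throttled in a module-level 3 s window. The fetcher and notifier are injected stand-ins for the real GET /api/me/permissions call and the app's toast; the clock is injectable so the throttle can be exercised deterministically.

```typescript
// Added example, not the PR's axios code: one in-flight permission fetch shared by all callers,
// plus a module-level throttle on the "Permission denied" toast raised from 403 responses.
type PermissionMap = Record<string, string[]>;
type Fetcher = () => Promise<PermissionMap>; // stand-in for GET /api/me/permissions

class PermissionStore {
  permissions: PermissionMap = {};
  loaded = false;
  fetchCount = 0; // number of real requests started (visible to the reader and the test)
  private inflight: Promise<PermissionMap> | null = null;

  constructor(private readonly fetcher: Fetcher) {}

  // Concurrent hydrate() calls share the same promise; a new request starts only after it settles.
  hydrate(): Promise<PermissionMap> {
    if (this.inflight) return this.inflight;
    this.fetchCount += 1;
    const p = this.fetcher().then(
      (map) => { this.permissions = map; this.loaded = true; this.inflight = null; return map; },
      (err) => { this.inflight = null; throw err; },
    );
    this.inflight = p;
    return p;
  }
}

// Module-level throttle window: at most one toast per 3 s, however many 403s arrive.
const TOAST_WINDOW_MS = 3000;
let lastToastAt = -Infinity;

interface DeniedResult { toasted: boolean; resync: boolean }

// Response-error hook: on 403, toast at most once per window and always resync the cached
// hints, because the server's policy decision is authoritative and the UI map just proved stale.
function onResponseError(
  status: number,
  store: PermissionStore,
  notify: (message: string) => void,
  now: () => number = () => Date.now(),
): DeniedResult {
  if (status !== 403) return { toasted: false, resync: false };
  const t = now();
  let toasted = false;
  if (t - lastToastAt >= TOAST_WINDOW_MS) {
    lastToastAt = t;
    notify('Permission denied');
    toasted = true;
  }
  void store.hydrate(); // collapsed with any hydrate already in flight
  return { toasted, resync: true };
}
```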

@gusfcarvalho gusfcarvalho merged commit d00637e into main Jun 23, 2026
2 of 3 checks passed
@gusfcarvalho gusfcarvalho deleted the claude/zealous-galileo-2dcf8d branch June 23, 2026 11:08