HQD-128: Make sure role client is a superset of admin, manager and support roles

[VadymHrechukha]

Summary by CodeRabbit

• New Features

  • New installment-plan processing permission and expanded client-facing capabilities (installment handling, notifications, subclient access).

• Permissions

  • Broad reorganization of role entitlements: added accounter role, adjusted support, staff, finance, stock and owner-staff privileges, refined blacklist/audit scopes, and normalized domain/hosting permission wording.

• Documentation

  • Added guidance document on repository conventions and RBAC metadata.

• Tests

  • Unit tests updated to match revised role and permission expectations.

[coderabbitai]

📝 Walkthrough

Walkthrough

Reorganizes RBAC: expands client entitlements, reassigns blacklist and "see-no-mans" roles across staff/accounter/owner-staff, adds installment-plan permissions and internal flags, updates permission metadata/descriptions, and adjusts unit tests and a new contributor doc (CLAUDE.md).

Changes

RBAC: permission metadata, role hierarchy, and tests

Layer / File(s)	Summary
Permission Definitions / Metadata src/files/source/metadata.php, src/files/items.php	Added installment-plan.process + deny:installment-plan.process; marked role:accounter, see-no-mans, blacklist.*, and several installment-plan entries internal; many descriptions/terminology refined (domains, vhosts, server, consumption, contacts, parts).
Core Role Hierarchy / Assignments src/files/source/tree.php, src/files/items.php	role:client gains role:installment-plan.user, client.notify, access-subclients, role:admin, role:manager; role:support reworked (blacklist removed, ticket/client/domain/dns/certificate/contact/server/hosting entitlements added); role:staff-admin, role:staff-manager, role:accounter gain role:blacklist.manager and/or see-no-mans; role:stock.master swaps role:move.master → role:order.master; role:owner-staff updated (part.read-all-hierarchy replaced, added move.read-all, see-no-mans, blacklist/audit/installment-plan manager).
Tests / Expectations tests/unit/AuthManagerTest.php, tests/unit/CheckAccessTrait.php	AuthManager internal-role list updated (removed role:support, added/reordered admin/staff/accounter/manager/client entries); wide expansions/revisions to role permission assertions (testClient, testLimited, testSupport, mighty/almighty integration permissions).
Docs / Contributor Guide CLAUDE.md	New guidance: running tests, regenerating RBAC compiled files, architecture (source vs compiled), staff-* pattern, internal flag behavior, deny: semantics, AuthManager notes, and test update guidance.

Sequence Diagram(s)

(Skipped — changes are metadata/role/test updates without a new multi-component runtime sequence.)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• hiqdev/hipanel-rbac#76: Overlaps on installment-plan role/permission additions and wiring into tree/items/tests.
• hiqdev/hipanel-rbac#60: Related propagation of role:blacklist.manager and blacklist.* permission changes across items/tree/tests.
• hiqdev/hipanel-rbac#78: Also touches installment-plan.process and deny/manager wiring in metadata/tree/tests.

Suggested reviewers

• SilverFire
• hiqsol

Poem

🐰 I nibble through roles, hop through the tree,
I added notifications and plans for the fee.
Staff got their badges, blacklist tucked tight,
Tests sing the new chorus into the night.
Hopping with joy — RBAC feels just right.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly and clearly summarizes the main objective: ensuring role 'client' becomes a superset of 'admin', 'manager', and 'support' roles. This aligns with the primary changes across all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 PHPStan (2.1.54)

Composer install failed: this project depends on private packages that require authentication (e.g. GitLab/GitHub, Laravel Nova, etc.).
CodeRabbit tooling environment cannot access private registries.
If your project requires private packages, disable the PHPStan tool in your coderabbit settings.

Instead, run PHPStan in a CI/CD pipeline where you can use custom packages — our pipeline remediation tool can use the PHPStan output from your CI/CD pipeline.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/files/source/tree.php`:
- Around line 391-393: The role hierarchy change made in tree.php now has
'role:client' inherit 'role:support', 'role:admin', and 'role:manager', so
update the testClient() expectations to reflect that role:client grants
admin/manager/support permissions (e.g., admin, manage, client.read,
client.list, ticket.update/delete) or alternatively change the role hierarchy if
that was unintended; locate the role array in tree.php and the testClient()
method in the tests and modify assertions to assert presence of those
permissions (or adjust role composition) so the test aligns with the new
hierarchy.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eeddb042-1de5-4e1c-b929-8efc9ee479c0

📥 Commits

Reviewing files that changed from the base of the PR and between 8597428 and 4ae503d.

📒 Files selected for processing (1)

• src/files/source/tree.php

[coderabbitai]

🧹 Nitpick comments (1)

src/files/source/tree.php (1)

543-556: 💤 Low value

role:owner-staff composition — verify duplication with role:staff-admin/role:staff-manager

role:owner-staff and role:staff-admin/role:staff-manager now both directly include role:blacklist.manager and see-no-mans. If role:owner-staff is intended to inherit a broader staff scope, consider composing it from role:staff-admin (or similar) instead of re-listing overlapping entitlements; this reduces drift risk if staff role contents evolve. Skip if the current flat composition is deliberate.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/files/source/tree.php` around lines 543 - 556, The ACL for
'role:owner-staff' duplicates entitlements already present on staff roles (e.g.
'role:blacklist.manager' and 'see-no-mans'), increasing drift risk; update the
definition by composing/inheriting from the existing staff role(s) instead of
repeating overlapping entries — replace the explicit duplicated rights in
'role:owner-staff' with a reference to 'role:staff-admin' or
'role:staff-manager' (or a merged include of those role symbols) so
'role:owner-staff' derives staff permissions centrally and only declares
owner-specific entitlements.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/files/source/tree.php`:
- Around line 543-556: The ACL for 'role:owner-staff' duplicates entitlements
already present on staff roles (e.g. 'role:blacklist.manager' and
'see-no-mans'), increasing drift risk; update the definition by
composing/inheriting from the existing staff role(s) instead of repeating
overlapping entries — replace the explicit duplicated rights in
'role:owner-staff' with a reference to 'role:staff-admin' or
'role:staff-manager' (or a merged include of those role symbols) so
'role:owner-staff' derives staff permissions centrally and only declares
owner-specific entitlements.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b2cc0891-9d4e-4b0f-b3b6-0464b73250f6

📥 Commits

Reviewing files that changed from the base of the PR and between e6bb44e and 476be8d.

📒 Files selected for processing (3)

• src/files/items.php
• src/files/source/metadata.php
• src/files/source/tree.php

[SilverFire]

Suggested change

	'description' => 'Sign and view service acceptance documents',
	'description' => 'View acceptance reports for employees',

[SilverFire]

• document.acceptance – should be only in role:employee and role:employee-manager
• document.generate – only in staff-manager and document.master
• document.invoice – consult with @bladeroot, seems to be unused and should be removed
• document.update, document.delete – only in staff-manager and document.master
• certificate.delete – consult with @bladeroot

[SilverFire]

• access-reseller – definitely not for client. Client should never access it's reseller!
• client.notify – See API, seems to be staff permission only

[SilverFire]

• ticket.delete – I'd not allow this. Staff permission

[SilverFire]

Consult with @bladeroot on these permissions. I think they all are staff-only.

[SilverFire]

• certificate.delete is for staff only. @bladeroot, correct?

[SilverFire]

• contact.set-verified, contact.force-verify – staff only for sure. You've set description Force-mark a contact as verified, bypassing the normal verification process. It's a clear sign of an internal permission.

[SilverFire]

All of these should be internal and fall into staff-roles.

• server.see-label and server.set-label are for internal server labels. This should be available for both staff-manager and staff-admin.
• server.move-disks and server.manage-settings – for staff-admin.

[SilverFire]

@bladeroot we should check all of these together.

[SilverFire]

• server.enable-block, server.disable-block – staff only
• server.sell – staff-manager only

[SilverFire]

Suggested change

	'description' => 'Grants access to reseller-level functionality, allowing the user to manage clients within their reseller scope',
	'description' => 'Grants access not only to the clients within their reseller scope, but to objects that belong the the reseller itself. Should be assigned to managers and admins of the resellers.',

[SilverFire]

Suggested change

	'description' => 'Force-push domains to another registrar account, bypassing normal restrictions',
	'description' => 'Force-push domains to another client, bypassing normal restrictions',

[SilverFire]

Suggested change

	'description' => 'Push (transfer) domains to another registrar account',
	'description' => 'Push (transfer) domains to another client',

[SilverFire]

Fun fact: not used, should be removed.

[SilverFire]

Fun fact: not used, should be removed.

[SilverFire]

Suggested change

	'description' => 'Set a credit limit on a client\'s purse (wallet)',
	'description' => 'Set a credit limit on a client\'s purse',

[SilverFire]

Suggested change

	'description' => 'View unused internal reference entries (internal technical permission)',
	'description' => 'See the whole type tree not limited to types, that are used by client. E.g. see all bill types, including the internal ones.',