fix: align role casing and unstick integration roundtrip tests

Addresses the integration-test failures that the fork-sync branch exposed:

- sdk/mpr/writer_security.go: AddModuleRole now overwrites the existing
  role's Name/Description when a case-insensitive duplicate is detected.
  Mendix rejects case-insensitive duplicate role names (CE0123), so
  adopting the caller's casing matches runtime semantics and keeps
  subsequent GRANT ACCESS lookups resolvable.

- mdl/executor/cmd_security_write.go: execCreateModuleRole matches the
  existing role case-insensitively and propagates a casing change to all
  units via UpdateQualifiedNameInAllUnits. Without this, AllowedModuleRoles
  references on microflows/pages/published REST services that were
  created before the user-declared role ran would be stale (CE1613).

- mdl-examples/doctype-tests/06-rest-client-examples.mdl: capitalize
  Status = status in the PetRecord find-or-create block; attribute
  references are case-sensitive.

- mdl-examples/doctype-tests/workflow-user-targeting.mdl: replace the
  obsolete System.UserGroup with System.WorkflowGroup to match the
  Mendix 11.9 workflow metamodel (CE5012).

- mdl/executor/roundtrip_microflow_test.go: compare LOG INFO NODE
  expected output case-insensitively. DESCRIBE now emits lowercase
  keywords (commit 00b80f3).

- mdl/executor/cmd_odata.go: pick up the gofmt-clean tab indentation
  after make lint-go; purely whitespace.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: 2 people

mdl-examples/doctype-tests/06-rest-client-examples.mdl

@@ -1314,7 +1314,7 @@ create import mapping RestTest.IMM_UpsertPet
   find or create RestTest.PetRecord {
     PetId = id key,
     Name = name,
-    status = status
+    Status = status
   }
 };
 

mdl-examples/doctype-tests/workflow-user-targeting.mdl

@@ -35,10 +35,10 @@ CREATE MICROFLOW WFTarget.ACT_GetGroups (
   $Workflow: System.Workflow,
   $Context: WFTarget.Request
 )
-RETURNS List of System.UserGroup AS $Groups
+RETURNS List of System.WorkflowGroup AS $Groups
 BEGIN
   @position(200,200)
-  RETRIEVE $Groups FROM System.UserGroup;
+  RETRIEVE $Groups FROM System.WorkflowGroup;
   @position(400,200) RETURN $Groups;
 END;
 /

mdl/executor/cmd_odata.go

@@ -1496,38 +1496,38 @@ func fetchODataMetadata(metadataUrl string) (metadata string, hash string, err e
 		return "", "", nil
 	}
 
-  var body []byte
-
-  // At this point, metadataUrl is already normalized by NormalizeURL() in createODataClient:
-  // - Relative paths have been converted to absolute file:// URLs
-  // - HTTP(S) URLs are unchanged
-  // So we only need to distinguish file:// vs HTTP(S)
-
-  filePath := pathutil.PathFromURL(metadataUrl)
-  if filePath != "" {
-      // Local file - read directly (path is already absolute)
-      body, err = os.ReadFile(filePath)
-      if err != nil {
-          return "", "", mdlerrors.NewBackend(fmt.Sprintf("read local metadata file %s", filePath), err)
-      }
-  } else {
-      // HTTP(S) fetch
-      client := &http.Client{Timeout: 30 * time.Second}
-      resp, err := client.Get(metadataUrl)
-      if err != nil {
-          return "", "", mdlerrors.NewBackend(fmt.Sprintf("fetch $metadata from %s", metadataUrl), err)
-      }
-      defer resp.Body.Close()
-
-      if resp.StatusCode != http.StatusOK {
-          return "", "", mdlerrors.NewValidationf("$metadata fetch returned HTTP %d from %s", resp.StatusCode, metadataUrl)
-      }
-
-      body, err = io.ReadAll(resp.Body)
-      if err != nil {
-          return "", "", mdlerrors.NewBackend("read $metadata response", err)
-      }
-  }
+	var body []byte
+
+	// At this point, metadataUrl is already normalized by NormalizeURL() in createODataClient:
+	// - Relative paths have been converted to absolute file:// URLs
+	// - HTTP(S) URLs are unchanged
+	// So we only need to distinguish file:// vs HTTP(S)
+
+	filePath := pathutil.PathFromURL(metadataUrl)
+	if filePath != "" {
+		// Local file - read directly (path is already absolute)
+		body, err = os.ReadFile(filePath)
+		if err != nil {
+			return "", "", mdlerrors.NewBackend(fmt.Sprintf("read local metadata file %s", filePath), err)
+		}
+	} else {
+		// HTTP(S) fetch
+		client := &http.Client{Timeout: 30 * time.Second}
+		resp, err := client.Get(metadataUrl)
+		if err != nil {
+			return "", "", mdlerrors.NewBackend(fmt.Sprintf("fetch $metadata from %s", metadataUrl), err)
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			return "", "", mdlerrors.NewValidationf("$metadata fetch returned HTTP %d from %s", resp.StatusCode, metadataUrl)
+		}
+
+		body, err = io.ReadAll(resp.Body)
+		if err != nil {
+			return "", "", mdlerrors.NewBackend("read $metadata response", err)
+		}
+	}
 
 	// Hash calculation (same for both HTTP and local file)
 	metadata = string(body)

mdl/executor/cmd_security_write.go

@@ -31,17 +31,35 @@ func execCreateModuleRole(ctx *ExecContext, s *ast.CreateModuleRoleStmt) error {
 		return mdlerrors.NewBackend(fmt.Sprintf("read module security for %s", s.Name.Module), err)
 	}
 
-	// Check if role already exists
+	// Check if role already exists. Mendix treats role names case-insensitively
+	// (CE0123), so match that way. An auto-provisioned role collides with any
+	// user-requested casing; let AddModuleRole overwrite to adopt the caller's
+	// casing so later case-sensitive lookups (GRANT ACCESS TO x.user) succeed.
 	for _, mr := range ms.ModuleRoles {
-		if mr.Name == s.Name.Name {
-			if mr.Description == autoDocumentRoleDescription {
-				if !ctx.Quiet {
-					fmt.Fprintf(ctx.Output, "Module role %s.%s already exists (auto-provisioned)\n", s.Name.Module, s.Name.Name)
+		if !strings.EqualFold(mr.Name, s.Name.Name) {
+			continue
+		}
+		if mr.Description == autoDocumentRoleDescription {
+			oldQualified := s.Name.Module + "." + mr.Name
+			newQualified := s.Name.Module + "." + s.Name.Name
+			if err := ctx.Backend.AddModuleRole(ms.ID, s.Name.Name, s.Description); err != nil {
+				return mdlerrors.NewBackend("create module role", err)
+			}
+			// If the casing actually changed, propagate the rename across every
+			// unit that referenced the old name (AllowedModuleRoles on microflows,
+			// pages, published REST services, etc.). Without this, mx check fails
+			// with CE1613 "selected module role X no longer exists".
+			if oldQualified != newQualified {
+				if _, err := ctx.Backend.UpdateQualifiedNameInAllUnits(oldQualified, newQualified); err != nil {
+					return mdlerrors.NewBackend(fmt.Sprintf("rename references %s -> %s", oldQualified, newQualified), err)
 				}
-				return nil
 			}
-			return mdlerrors.NewAlreadyExists("module role", s.Name.Module+"."+s.Name.Name)
+			if !ctx.Quiet {
+				fmt.Fprintf(ctx.Output, "Module role %s.%s already exists (auto-provisioned)\n", s.Name.Module, s.Name.Name)
+			}
+			return nil
 		}
+		return mdlerrors.NewAlreadyExists("module role", s.Name.Module+"."+s.Name.Name)
 	}
 
 	if err := ctx.Backend.AddModuleRole(ms.ID, s.Name.Name, s.Description); err != nil {

sdk/mpr/writer_security.go

@@ -4,6 +4,7 @@ package mpr
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/mendixlabs/mxcli/model"
 
@@ -170,8 +171,53 @@ func (w *Writer) RemoveFromAllowedRoles(unitID model.ID, roleName string) (bool,
 // ============================================================================
 
 // AddModuleRole adds a new module role to the module's Security$ModuleSecurity unit.
+// If a role with the same name (case-insensitive) already exists, the existing role's
+// Name is overwritten with the caller-supplied casing and Description is updated.
+// Mendix Studio Pro rejects case-insensitive duplicate role names with CE0123, so
+// merging into the existing entry matches runtime semantics — and preserves the
+// caller's casing for downstream case-sensitive lookups (e.g., GRANT ACCESS TO x.user).
 func (w *Writer) AddModuleRole(unitID model.ID, roleName, description string) error {
 	return w.readPatchWrite(unitID, func(doc bson.D) (bson.D, error) {
+		// Get existing ModuleRoles array
+		existing := getBsonArray(doc, "ModuleRoles")
+		if existing == nil {
+			existing = bson.A{int32(1)}
+		}
+
+		// If a case-insensitive duplicate already exists, overwrite its Name and
+		// Description with the caller's values. This keeps the ID stable (any
+		// references to it remain valid) while adopting the newly-requested casing.
+		for i, item := range existing {
+			role, ok := item.(bson.D)
+			if !ok {
+				continue
+			}
+			matched := false
+			for _, field := range role {
+				if field.Key == "Name" {
+					if name, ok := field.Value.(string); ok && strings.EqualFold(name, roleName) {
+						matched = true
+					}
+					break
+				}
+			}
+			if !matched {
+				continue
+			}
+			for j, field := range role {
+				switch field.Key {
+				case "Name":
+					role[j].Value = roleName
+				case "Description":
+					if description != "" {
+						role[j].Value = description
+					}
+				}
+			}
+			existing[i] = role
+			return setBsonField(doc, "ModuleRoles", existing), nil
+		}
+
 		// Build the new role BSON document
 		newRole := bson.D{
 			{Key: "$Type", Value: "Security$ModuleRole"},
@@ -180,12 +226,6 @@ func (w *Writer) AddModuleRole(unitID model.ID, roleName, description string) er
 			{Key: "Description", Value: description},
 		}
 
-		// Get existing ModuleRoles array
-		existing := getBsonArray(doc, "ModuleRoles")
-		if existing == nil {
-			existing = bson.A{int32(1)}
-		}
-
 		existing = append(existing, newRole)
 		return setBsonField(doc, "ModuleRoles", existing), nil
 	})