Implement RBAC with permissions, roles, and route guards

- permission, role, role_permission, user_role_assignment tables
- 42 system permissions across 13 domains
- 6 default roles: Admin, Manager, Sales Associate, Technician, Instructor, Viewer
- Permission inheritance: admin implies edit implies view
- requirePermission() Fastify decorator on ALL routes
- System permissions and roles seeded per company
- Test helpers and API test runner seed RBAC data
- All 42 API tests pass with permissions enforced

packages/backend/src/routes/v1/inventory.ts

@@ -11,7 +11,7 @@ import { CategoryService, SupplierService } from '../../services/inventory.servi
 export const inventoryRoutes: FastifyPluginAsync = async (app) => {
   // --- Categories ---
 
-  app.post('/categories', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.post('/categories', { preHandler: [app.authenticate, app.requirePermission('inventory.edit')] }, async (request, reply) => {
     const parsed = CategoryCreateSchema.safeParse(request.body)
     if (!parsed.success) {
       return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
@@ -20,20 +20,20 @@ export const inventoryRoutes: FastifyPluginAsync = async (app) => {
     return reply.status(201).send(category)
   })
 
-  app.get('/categories', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.get('/categories', { preHandler: [app.authenticate, app.requirePermission('inventory.view')] }, async (request, reply) => {
     const params = PaginationSchema.parse(request.query)
     const result = await CategoryService.list(app.db, request.companyId, params)
     return reply.send(result)
   })
 
-  app.get('/categories/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.get('/categories/:id', { preHandler: [app.authenticate, app.requirePermission('inventory.view')] }, async (request, reply) => {
     const { id } = request.params as { id: string }
     const category = await CategoryService.getById(app.db, request.companyId, id)
     if (!category) return reply.status(404).send({ error: { message: 'Category not found', statusCode: 404 } })
     return reply.send(category)
   })
 
-  app.patch('/categories/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.patch('/categories/:id', { preHandler: [app.authenticate, app.requirePermission('inventory.edit')] }, async (request, reply) => {
     const { id } = request.params as { id: string }
     const parsed = CategoryUpdateSchema.safeParse(request.body)
     if (!parsed.success) {
@@ -44,7 +44,7 @@ export const inventoryRoutes: FastifyPluginAsync = async (app) => {
     return reply.send(category)
   })
 
-  app.delete('/categories/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.delete('/categories/:id', { preHandler: [app.authenticate, app.requirePermission('inventory.admin')] }, async (request, reply) => {
     const { id } = request.params as { id: string }
     const category = await CategoryService.softDelete(app.db, request.companyId, id)
     if (!category) return reply.status(404).send({ error: { message: 'Category not found', statusCode: 404 } })
@@ -53,7 +53,7 @@ export const inventoryRoutes: FastifyPluginAsync = async (app) => {
 
   // --- Suppliers ---
 
-  app.post('/suppliers', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.post('/suppliers', { preHandler: [app.authenticate, app.requirePermission('inventory.edit')] }, async (request, reply) => {
     const parsed = SupplierCreateSchema.safeParse(request.body)
     if (!parsed.success) {
       return reply.status(400).send({ error: { message: 'Validation failed', details: parsed.error.flatten(), statusCode: 400 } })
@@ -62,20 +62,20 @@ export const inventoryRoutes: FastifyPluginAsync = async (app) => {
     return reply.status(201).send(supplier)
   })
 
-  app.get('/suppliers', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.get('/suppliers', { preHandler: [app.authenticate, app.requirePermission('inventory.view')] }, async (request, reply) => {
     const params = PaginationSchema.parse(request.query)
     const result = await SupplierService.list(app.db, request.companyId, params)
     return reply.send(result)
   })
 
-  app.get('/suppliers/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.get('/suppliers/:id', { preHandler: [app.authenticate, app.requirePermission('inventory.view')] }, async (request, reply) => {
     const { id } = request.params as { id: string }
     const supplier = await SupplierService.getById(app.db, request.companyId, id)
     if (!supplier) return reply.status(404).send({ error: { message: 'Supplier not found', statusCode: 404 } })
     return reply.send(supplier)
   })
 
-  app.patch('/suppliers/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.patch('/suppliers/:id', { preHandler: [app.authenticate, app.requirePermission('inventory.edit')] }, async (request, reply) => {
     const { id } = request.params as { id: string }
     const parsed = SupplierUpdateSchema.safeParse(request.body)
     if (!parsed.success) {
@@ -86,7 +86,7 @@ export const inventoryRoutes: FastifyPluginAsync = async (app) => {
     return reply.send(supplier)
   })
 
-  app.delete('/suppliers/:id', { preHandler: [app.authenticate] }, async (request, reply) => {
+  app.delete('/suppliers/:id', { preHandler: [app.authenticate, app.requirePermission('inventory.admin')] }, async (request, reply) => {
     const { id } = request.params as { id: string }
     const supplier = await SupplierService.softDelete(app.db, request.companyId, id)
     if (!supplier) return reply.status(404).send({ error: { message: 'Supplier not found', statusCode: 404 } })