Role-Aware UI Rendering
OP-066p centralizes console role capability checks in the frontend without changing backend authorization. The console still derives role from the backend session/JWT; frontend rendering only decides which controls are visible.
What Changed
- Added a shared role capability helper for system_admin, tenant_admin, operator, and auditor.
- Replaced scattered one-off role checks across ticket, alert, asset, discovery, compliance, enrollment, SCIM, and integration UI surfaces.
- Kept auditor mutation controls hidden rather than disabled.
- Kept operator admin configuration controls hidden.
- Added frontend coverage for the role capability matrix.
Boundaries
- Backend authorization, audit, and tenant isolation remain authoritative.
- No auth/session rewrite was added.
- No new API, backend runtime, deployment, Helm, Terraform, or AWS behavior was added.
- Future OP-066 UI work should use the shared capability helper before rendering mutation controls.
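
A sketch of what a shared capability helper of this kind can look like, added here as an example and not OP-066p's own code. The capability names, every function and constant name, and the matrix entries beyond the two rules stated above (auditor has no mutation controls, operator has no admin configuration controls) are assumptions.

```typescript
type Role = "system_admin" | "tenant_admin" | "operator" | "auditor";
type Capability = "view" | "mutate" | "admin_config"; // hypothetical capability names

// Assumed matrix. Only the auditor and operator restrictions come from the page.
const ROLE_CAPS: Record<Role, ReadonlySet<Capability>> = {
  system_admin: new Set<Capability>(["view", "mutate", "admin_config"]),
  tenant_admin: new Set<Capability>(["view", "mutate", "admin_config"]),
  operator: new Set<Capability>(["view", "mutate"]),
  auditor: new Set<Capability>(["view"]),
};

// Resolve the role claim taken from the backend session/JWT. Anything that is
// not an exact own key of ROLE_CAPS (missing claim, wrong type, different
// casing, inherited keys such as "constructor") resolves to null.
function parseRole(claim: unknown): Role | null {
  if (typeof claim !== "string") return null;
  return Object.prototype.hasOwnProperty.call(ROLE_CAPS, claim) ? (claim as Role) : null;
}

// Deny by default: an unresolved role has no capabilities at all.
function can(claim: unknown, cap: Capability): boolean {
  const role = parseRole(claim);
  return role !== null && ROLE_CAPS[role].has(cap);
}

interface UiControl {
  id: string;
  requires: Capability;
}

// Hidden rather than disabled: controls the role lacks are dropped from the
// render list instead of being returned with a disabled flag.
function visibleControls(claim: unknown, controls: readonly UiControl[]): UiControl[] {
  return controls.filter((c) => can(claim, c.requires));
}

// Constructed sample controls for one UI surface.
const SAMPLE_CONTROLS: UiControl[] = [
  { id: "ticket-list", requires: "view" },
  { id: "ticket-close", requires: "mutate" },
  { id: "integration-settings", requires: "admin_config" },
];

function visibleIds(claim: unknown): string {
  return visibleControls(claim, SAMPLE_CONTROLS).map((c) => c.id).join(",");
}
```

The helper only shapes what is rendered. A request sent without the UI is still accepted or rejected by backend authorization.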
Validation
- npm --prefix frontend run typecheck
- npm --prefix frontend test -- --run
- make docs-build