## Original task
The existing role-permission tests cover the system-role guard,
unknown-permission 404, and the admin happy paths for
PUT/POST/DELETE /api/roles/:id/permissions, but they never
exercised the requireAdmin middleware with a real non-admin
session. A silent regression of requireAdmin on these routes
would let regular users edit role permissions undetected.
## What changed
Added a new test file:
artifacts/api-server/tests/role-permissions-non-admin.test.mjs
It mirrors the style of role-permissions-assign.test.mjs:
- Creates an admin user (used only to seed a target role with
two known permissions).
- Creates a regular user with no role assignments.
- For each of PUT, POST, and DELETE on
/api/roles/:id/permissions, logs in as the regular user and
asserts the response status is 403.
- After every rejected call, asserts the role's permission set
in role_permissions is byte-for-byte unchanged.
- For POST it deliberately picks a permission the role does NOT
already have, so any regression would change the row count.
- Cleans up created users, roles, role_permissions, and
role_permission_audit rows in after().
## Verification
`pnpm --filter @workspace/api-server test` — all 192 tests pass,
including the 3 new ones.
## Deviations
None. Scope kept tight to the task description.
## Follow-up
Proposed #226: parallel non-admin 403 coverage for
POST/PATCH/DELETE /api/roles (CRUD), which today have no
non-admin rejection tests either.
Replit-Task-Id: 87446596-45f9-4241-acd6-299888b4feb4