Files
TX/scripts
riyadhafraa 19200140c1 Task #121: Hide Executive Meetings icon from non-executive users
Gate the home-screen "Executive Meetings" app icon behind a new
`executive_meetings.access` permission so only admins and the five
executive_* roles see it. Reuses the existing `app_permissions` →
`getVisibleAppsForUser` machinery; no route or middleware changes.

Changes
- scripts/src/seed.ts
  * Added permission `executive_meetings.access`.
  * Granted it to: admin, executive_ceo, executive_office_manager,
    executive_coord_lead, executive_coordinator, executive_viewer.
  * Linked it to apps.slug = 'executive-meetings' via app_permissions.
  * All inserts use onConflictDoNothing — re-running the seeder is safe.
- artifacts/api-server/scripts/gate-executive-meetings.mjs (new)
  * One-shot, idempotent pg migration that performs the same three
    inserts in a single transaction (BEGIN/ROLLBACK on error). Prints
    JSON summary with grant counts. Already executed against dev DB
    (newRoleGrantsThisRun=6, newAppLinksThisRun=1).
- artifacts/api-server/tests/executive-meetings-visibility.test.mjs (new)
  * Regression: creates a fresh `order_receiver`-only user, asserts
    /api/apps does NOT include `executive-meetings`; then grants
    `executive_coordinator` and asserts it does. Per-run username
    prefix + defensive sweep + after-hook cleanup.

Out of scope (not modified)
- artifacts/api-server/src/routes/apps.ts (getVisibleAppsForUser)
- artifacts/api-server/src/routes/executive-meetings.ts
  (requireExecutiveAccess)
- Any UI files

Verification
- `node artifacts/api-server/scripts/gate-executive-meetings.mjs` →
  ok=true, 6 role grants, 1 app link.
- `node --test tests/executive-meetings-visibility.test.mjs` →
  2/2 pass.
- TypeScript clean for scripts package.
- Architect review: PASS, no blocking issues.
2026-04-29 07:13:55 +00:00
..
2026-04-18 02:00:09 +00:00