feat: user role management

Author: gallayl

common/schemas/identity-api.json

@@ -18,7 +18,7 @@
       "type": "array",
       "items": {
         "type": "string",
-        "const": "admin"
+        "enum": ["admin", "media-manager", "viewer", "iot-manager"]
       }
     },
     "IsAuthenticatedAction": {

common/schemas/identity-entities.json

@@ -5,7 +5,7 @@
       "type": "array",
       "items": {
         "type": "string",
-        "const": "admin"
+        "enum": ["admin", "media-manager", "viewer", "iot-manager"]
       }
     },
     "User": {
@@ -26,6 +26,63 @@
       },
       "required": ["username", "roles", "createdAt", "updatedAt"],
       "additionalProperties": false
+    },
+    "RoleMetadata": {
+      "type": "object",
+      "properties": {
+        "displayName": {
+          "type": "string",
+          "description": "Human-readable name for display in UI"
+        },
+        "description": {
+          "type": "string",
+          "description": "Brief description of what this role allows"
+        }
+      },
+      "required": ["displayName", "description"],
+      "additionalProperties": false,
+      "description": "Metadata for a role (displayName, description)"
+    },
+    "RoleDefinition": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "name": {
+          "type": "string",
+          "enum": ["admin", "media-manager", "viewer", "iot-manager"],
+          "description": "Role name (matches values in Roles type)"
+        },
+        "displayName": {
+          "type": "string",
+          "description": "Human-readable name for display in UI"
+        },
+        "description": {
+          "type": "string",
+          "description": "Brief description of what this role allows"
+        }
+      },
+      "required": ["description", "displayName", "name"],
+      "description": "Full role definition including the name"
+    },
+    "getRoleDefinition": {
+      "$comment": "(name: Roles[number]) => RoleDefinition",
+      "type": "object",
+      "properties": {
+        "namedArgs": {
+          "type": "object",
+          "properties": {
+            "name": {
+              "type": "string",
+              "enum": ["admin", "media-manager", "viewer", "iot-manager"]
+            }
+          },
+          "required": ["name"],
+          "additionalProperties": false
+        }
+      }
+    },
+    "getAllRoleDefinitions": {
+      "$comment": "() => RoleDefinition[]"
     }
   }
 }

common/src/models/identity/index.ts

@@ -1 +1,2 @@
 export * from './user.js'
+export * from './roles.js'

common/src/models/identity/roles.ts

@@ -0,0 +1,56 @@
+import type { Roles } from './user.js'
+
+/**
+ * Metadata for a role (displayName, description)
+ */
+export type RoleMetadata = {
+  /** Human-readable name for display in UI */
+  displayName: string
+  /** Brief description of what this role allows */
+  description: string
+}
+
+/**
+ * Full role definition including the name
+ */
+export type RoleDefinition = RoleMetadata & {
+  /** Role name (matches values in Roles type) */
+  name: Roles[number]
+}
+
+/**
+ * All available roles in the system with their metadata.
+ * Using Record<Roles[number], ...> ensures TS will error if a role is missing.
+ */
+export const AVAILABLE_ROLES: Record<Roles[number], RoleMetadata> = {
+  admin: {
+    displayName: 'Application Admin',
+    description: 'Full system access including user management and all settings',
+  },
+  'media-manager': {
+    displayName: 'Media Manager',
+    description: 'Can manage movies, series, and encoding tasks',
+  },
+  viewer: {
+    displayName: 'Viewer',
+    description: 'Can browse and watch media content',
+  },
+  'iot-manager': {
+    displayName: 'IoT Manager',
+    description: 'Can manage IoT devices and their settings',
+  },
+}
+
+/**
+ * Helper to get full role definition by name
+ */
+export const getRoleDefinition = (name: Roles[number]): RoleDefinition => ({
+  name,
+  ...AVAILABLE_ROLES[name],
+})
+
+/**
+ * Get all role definitions as an array (useful for dropdowns)
+ */
+export const getAllRoleDefinitions = (): RoleDefinition[] =>
+  (Object.keys(AVAILABLE_ROLES) as Array<Roles[number]>).map(getRoleDefinition)

common/src/models/identity/user.ts

@@ -1,4 +1,4 @@
-export type Roles = Array<'admin'>
+export type Roles = Array<'admin' | 'media-manager' | 'viewer' | 'iot-manager'>
 
 export class User {
   public username!: string

frontend/src/components/role-tag/index.tsx

@@ -0,0 +1,111 @@
+import { createComponent, Shade } from '@furystack/shades'
+import type { Roles } from 'common'
+import { getRoleDefinition } from 'common'
+
+type RoleTagProps = {
+  roleName: Roles[number]
+  variant: 'default' | 'added' | 'removed'
+  onRemove?: () => void
+  onRestore?: () => void
+}
+
+export const RoleTag = Shade<RoleTagProps>({
+  shadowDomName: 'role-tag',
+  render: ({ props }) => {
+    const role = getRoleDefinition(props.roleName)
+    const baseStyle: Partial<CSSStyleDeclaration> = {
+      display: 'inline-flex',
+      alignItems: 'center',
+      gap: '6px',
+      padding: '4px 12px',
+      borderRadius: '16px',
+      fontSize: '13px',
+      fontWeight: '500',
+      transition: 'all 0.2s ease',
+    }
+
+    const variantStyles: Record<RoleTagProps['variant'], Partial<CSSStyleDeclaration>> = {
+      default: {
+        backgroundColor: 'var(--theme-background-paper)',
+        border: '1px solid var(--theme-border-default)',
+        color: 'var(--theme-text-primary)',
+      },
+      added: {
+        backgroundColor: 'rgba(76, 175, 80, 0.15)',
+        border: '1px solid var(--theme-success-main, #4caf50)',
+        color: 'var(--theme-success-dark, #2e7d32)',
+      },
+      removed: {
+        backgroundColor: 'rgba(244, 67, 54, 0.15)',
+        border: '1px solid var(--theme-error-main, #f44336)',
+        color: 'var(--theme-error-dark, #c62828)',
+        textDecoration: 'line-through',
+      },
+    }
+
+    const buttonBaseStyle: Partial<CSSStyleDeclaration> = {
+      background: 'none',
+      border: 'none',
+      cursor: 'pointer',
+      padding: '0',
+      margin: '0',
+      marginLeft: '4px',
+      fontSize: '14px',
+      lineHeight: '1',
+      opacity: '0.7',
+      transition: 'opacity 0.2s ease',
+    }
+
+    const style = { ...baseStyle, ...variantStyles[props.variant] }
+
+    return (
+      <span style={style} title={role.description}>
+        {role.displayName}
+        {props.variant === 'removed' && props.onRestore && (
+          <button
+            type="button"
+            onclick={(e) => {
+              e.stopPropagation()
+              props.onRestore?.()
+            }}
+            title="Restore role"
+            style={{
+              ...buttonBaseStyle,
+              color: 'var(--theme-error-dark, #c62828)',
+            }}
+            onmouseenter={(e) => {
+              ;(e.target as HTMLButtonElement).style.opacity = '1'
+            }}
+            onmouseleave={(e) => {
+              ;(e.target as HTMLButtonElement).style.opacity = '0.7'
+            }}
+          >
+            ↩
+          </button>
+        )}
+        {props.variant !== 'removed' && props.onRemove && (
+          <button
+            type="button"
+            onclick={(e) => {
+              e.stopPropagation()
+              props.onRemove?.()
+            }}
+            title="Remove role"
+            style={{
+              ...buttonBaseStyle,
+              color: props.variant === 'added' ? 'var(--theme-success-dark, #2e7d32)' : 'var(--theme-text-secondary)',
+            }}
+            onmouseenter={(e) => {
+              ;(e.target as HTMLButtonElement).style.opacity = '1'
+            }}
+            onmouseleave={(e) => {
+              ;(e.target as HTMLButtonElement).style.opacity = '0.7'
+            }}
+          >
+            ×
+          </button>
+        )}
+      </span>
+    )
+  },
+})

frontend/src/pages/admin/app-settings.tsx

@@ -47,6 +47,28 @@ const settingsRoutes = [
       />
     ),
   },
+  {
+    url: '/app-settings/users/:username',
+    component: () => (
+      <PiRatLazyLoad
+        component={async () => {
+          const { UserDetailsPage } = await import('./user-details.js')
+          return <UserDetailsPage />
+        }}
+      />
+    ),
+  },
+  {
+    url: '/app-settings/users',
+    component: () => (
+      <PiRatLazyLoad
+        component={async () => {
+          const { UserListPage } = await import('./user-list.js')
+          return <UserListPage />
+        }}
+      />
+    ),
+  },
   {
     url: '/app-settings',
     component: () => (
@@ -103,6 +125,9 @@ export const AppSettingsPage = Shade({
           <SettingsMenuSection title="AI">
             <SettingsMenuItem icon="🤖" label="Ollama Settings" href="/app-settings/ai" />
           </SettingsMenuSection>
+          <SettingsMenuSection title="Identity">
+            <SettingsMenuItem icon="👥" label="Users" href="/app-settings/users" />
+          </SettingsMenuSection>
         </SettingsSidebar>
 
         <div