chore(core): Use dynamic role resolution for access control (#19400)

packages/cli/test/integration/credentials/credentials.api.ee.test.ts

@@ -34,6 +34,7 @@ import {
 } from '../shared/db/users';
 import type { SaveCredentialFunction, SuperAgentTest } from '../shared/types';
 import * as utils from '../shared/utils';
+import { RoleCacheService } from '@/services/role-cache.service';
 
 const testServer = utils.setupTestServer({
 	endpointGroups: ['credentials'],
@@ -59,6 +60,10 @@ const mailer = mockInstance(UserManagementMailer);
 let projectService: ProjectService;
 let projectRepository: ProjectRepository;
 
+beforeAll(async () => {
+	await Container.get(RoleCacheService).refreshCache();
+});
+
 beforeEach(async () => {
 	await testDb.truncate(['SharedCredentials', 'CredentialsEntity', 'Project', 'ProjectRelation']);
 	projectRepository = Container.get(ProjectRepository);

packages/cli/test/integration/shared/db/roles.ts

@@ -49,6 +49,32 @@ export async function createCustomRoleWithScopes(
 	});
 }
 
+/**
+ * Creates a custom role with specific scope slugs (using existing permission system scopes)
+ */
+export async function createCustomRoleWithScopeSlugs(
+	scopeSlugs: string[],
+	overrides: Partial<Role> = {},
+): Promise<Role> {
+	const scopeRepository = Container.get(ScopeRepository);
+
+	// Find existing scopes by their slugs
+	const scopes = await scopeRepository.findByList(scopeSlugs);
+
+	if (scopes.length !== scopeSlugs.length) {
+		const missingScopes = scopeSlugs.filter((slug) => !scopes.some((scope) => scope.slug === slug));
+		throw new Error(
+			`Could not find all scopes. Expected ${scopeSlugs.length}, found ${scopes.length}, missing: ${missingScopes.join(', ')}`,
+		);
+	}
+
+	return await createRole({
+		scopes,
+		systemRole: false,
+		...overrides,
+	});
+}
+
 /**
  * Creates a test scope with given parameters
  */