feat(rbac): full permission catalog in the custom-role matrix UI (fa/en/ar)

Mirrors the expanded backend catalog on the client: the Permission type and the
custom-role permission matrix now expose all ~80 capabilities grouped into 16
sections (admin, branches, menu, inventory, taxes, staff, tables, orders,
register, queue/kitchen, delivery, customers, coupons, marketing, reports,
expenses), each with fa/en/ar labels. Nav visibility now maps each page to its
View permission; taxes & branches become permission-driven (managers can view),
leaving billing as the sole hard owner-only nav gate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

web/dashboard/messages/ar.json

@@ -1256,34 +1256,106 @@
       "saveError": "فشل حفظ الدور",
       "deleteConfirm": "حذف الدور «{name}»؟ سيعود الموظفون إلى صلاحيات دورهم الأساسي.",
       "groupAdmin": "إدارة المقهى",
-      "groupMenu": "القائمة والمخزون",
+      "groupBranches": "الفروع",
-      "groupStaff": "الموظفون",
+      "groupMenu": "القائمة",
-      "groupCustomer": "العملاء والطاولات",
+      "groupInventory": "المخزون",
+      "groupTaxes": "الضرائب",
+      "groupStaff": "الموظفون والموارد البشرية",
+      "groupTables": "الطاولات والحجوزات",
+      "groupOrders": "الطلبات ونقطة البيع",
+      "groupRegister": "الصندوق والنقد",
+      "groupQueueKitchen": "الانتظار والمطبخ",
+      "groupDelivery": "التوصيل",
+      "groupCustomers": "العملاء",
+      "groupCoupons": "الكوبونات",
+      "groupMarketing": "التسويق والتقييمات",
       "groupReports": "التقارير والمالية",
-      "groupOps": "عمليات الصندوق",
+      "groupExpenses": "المصروفات",
-      "groupKitchen": "المطبخ والتوصيل",
       "perm": {
-        "ManageCafeSettings": "إعدادات المقهى",
+        "ViewCafeSettings": "عرض إعدادات المقهى",
-        "ManageBilling": "الاشتراك والفواتير",
+        "ManageCafeSettings": "تعديل إعدادات المقهى",
-        "ManageBranches": "إدارة الفروع",
+        "ManageDiscoverProfile": "الملف العام و«كوجا»",
-        "ManageMenu": "إدارة القائمة",
+        "ViewBilling": "عرض الفواتير",
-        "ManageInventory": "المخزون",
+        "ManageBilling": "إدارة الاشتراك والفواتير",
-        "ManageTaxes": "الضرائب",
+        "ManageRoles": "إدارة الأدوار",
-        "ManagePrintSettings": "إعدادات الطباعة",
+        "ViewPrintSettings": "عرض إعدادات الطباعة",
-        "ManageStaff": "إدارة الموظفين",
+        "ManagePrintSettings": "تعديل إعدادات الطباعة",
-        "ManageSalaries": "الرواتب",
+        "ViewBranches": "عرض الفروع",
-        "ReviewLeave": "طلبات الإجازة",
+        "CreateBranch": "إنشاء فرع",
-        "ManageReservations": "الحجوزات",
+        "EditBranch": "تعديل فرع",
-        "ManageTables": "الطاولات",
+        "DeleteBranch": "حذف فرع",
-        "ManageCoupons": "الكوبونات",
+        "ViewMenu": "عرض القائمة",
-        "ViewReports": "التقارير",
+        "CreateMenuItem": "إضافة أصناف",
-        "ManageExpenses": "المصروفات",
+        "EditMenuItem": "تعديل الأصناف",
-        "ProcessOrders": "معالجة الطلبات",
+        "DeleteMenuItem": "حذف الأصناف",
-        "HandlePayments": "المدفوعات",
+        "ViewInventory": "عرض المخزون",
-        "OperateRegister": "الصندوق",
+        "CreateInventory": "إضافة للمخزون",
-        "ManageQueue": "قائمة الانتظار",
+        "EditInventory": "تعديل المخزون والكميات",
+        "DeleteInventory": "حذف من المخزون",
+        "ViewTaxes": "عرض الضرائب",
+        "CreateTax": "إنشاء ضريبة",
+        "EditTax": "تعديل ضريبة",
+        "DeleteTax": "حذف ضريبة",
+        "ViewStaff": "عرض الموظفين",
+        "CreateStaff": "إضافة موظف",
+        "EditStaff": "تعديل موظف",
+        "DeleteStaff": "حذف موظف",
+        "ManageStaff": "تعيين أدوار الفروع",
+        "ManageStaffCredentials": "إدارة بيانات الدخول",
+        "ViewAttendance": "عرض الحضور",
+        "ManageAttendance": "إدارة الحضور",
+        "ViewSchedules": "عرض المناوبات",
+        "ManageSchedules": "إدارة المناوبات",
+        "ViewLeave": "عرض طلبات الإجازة",
+        "ReviewLeave": "اعتماد الإجازات",
+        "ViewSalaries": "عرض الرواتب",
+        "ManageSalaries": "إدارة الرواتب",
+        "ViewTables": "عرض الطاولات",
+        "ManageTables": "إدارة الطاولات والأقسام",
+        "ViewReservations": "عرض الحجوزات",
+        "CreateReservation": "إنشاء حجز",
+        "EditReservation": "تعديل حجز",
+        "DeleteReservation": "حذف حجز",
+        "ViewOrders": "عرض الطلبات",
+        "ProcessOrders": "تسجيل الطلبات",
+        "EditOrder": "تعديل الطلبات",
+        "VoidOrder": "إبطال / إلغاء الطلبات",
+        "RefundOrder": "استرداد الطلبات",
+        "ApplyDiscount": "تطبيق الخصومات",
+        "CompOrder": "طلب مجاني (ضيافة)",
+        "HandlePayments": "استلام المدفوعات",
+        "UpdateOrderStatus": "تحديث حالة الطلب",
+        "OperateRegister": "فتح / إغلاق الصندوق",
+        "OpenCashDrawer": "فتح درج النقود (بدون بيع)",
+        "ViewQueue": "عرض قائمة الانتظار",
+        "ManageQueue": "إدارة قائمة الانتظار",
         "ViewKitchen": "شاشة المطبخ",
-        "HandleDelivery": "التوصيل"
+        "ManageKitchenStations": "إدارة محطات المطبخ",
+        "ViewDelivery": "عرض التوصيل",
+        "HandleDelivery": "إدارة التوصيل",
+        "AssignDelivery": "تعيين السائق",
+        "ViewCustomers": "عرض العملاء",
+        "CreateCustomer": "إضافة عميل",
+        "EditCustomer": "تعديل عميل",
+        "DeleteCustomer": "حذف عميل",
+        "ViewCoupons": "عرض الكوبونات",
+        "CreateCoupon": "إنشاء كوبون",
+        "EditCoupon": "تعديل كوبون",
+        "DeleteCoupon": "حذف كوبون",
+        "ViewSms": "عرض الرسائل",
+        "SendSms": "إرسال حملات الرسائل",
+        "ManageSmsSettings": "إعدادات الرسائل",
+        "ViewReviews": "عرض التقييمات",
+        "ManageReviews": "الرد على التقييمات وإدارتها",
+        "ViewReports": "عرض التقارير",
+        "ExportReports": "تصدير التقارير",
+        "ViewAuditLog": "عرض سجل العمليات",
+        "ViewFinancials": "عرض المالية (الأرباح والخسائر)",
+        "ManageFinancials": "تصحيح سندات الدفع",
+        "ViewExpenses": "عرض المصروفات",
+        "CreateExpense": "إضافة مصروف",
+        "EditExpense": "تعديل مصروف",
+        "DeleteExpense": "حذف مصروف"
       }
     },
     "appearance": {

web/dashboard/messages/en.json

@@ -1328,34 +1328,106 @@
       "saveError": "Failed to save role",
       "deleteConfirm": "Delete role '{name}'? Employees will revert to their base role permissions.",
       "groupAdmin": "Café Administration",
-      "groupMenu": "Menu & Inventory",
+      "groupBranches": "Branches",
-      "groupStaff": "Staff",
+      "groupMenu": "Menu",
-      "groupCustomer": "Customer & Tables",
+      "groupInventory": "Inventory",
+      "groupTaxes": "Taxes",
+      "groupStaff": "Staff & HR",
+      "groupTables": "Tables & Reservations",
+      "groupOrders": "Orders & POS",
+      "groupRegister": "Register & Cash",
+      "groupQueueKitchen": "Queue & Kitchen",
+      "groupDelivery": "Delivery",
+      "groupCustomers": "Customers",
+      "groupCoupons": "Coupons",
+      "groupMarketing": "Marketing & Reviews",
       "groupReports": "Reports & Finance",
-      "groupOps": "Register Operations",
+      "groupExpenses": "Expenses",
-      "groupKitchen": "Kitchen & Delivery",
       "perm": {
-        "ManageCafeSettings": "Café settings",
+        "ViewCafeSettings": "View café settings",
-        "ManageBilling": "Billing & subscription",
+        "ManageCafeSettings": "Edit café settings",
-        "ManageBranches": "Manage branches",
+        "ManageDiscoverProfile": "Discover & public profile",
-        "ManageMenu": "Menu management",
+        "ViewBilling": "View billing",
-        "ManageInventory": "Inventory",
+        "ManageBilling": "Manage billing & subscription",
-        "ManageTaxes": "Taxes",
+        "ManageRoles": "Manage roles",
-        "ManagePrintSettings": "Print settings",
+        "ViewPrintSettings": "View print settings",
-        "ManageStaff": "Staff management",
+        "ManagePrintSettings": "Edit print settings",
-        "ManageSalaries": "Salaries",
+        "ViewBranches": "View branches",
-        "ReviewLeave": "Leave requests",
+        "CreateBranch": "Create branch",
-        "ManageReservations": "Reservations",
+        "EditBranch": "Edit branch",
-        "ManageTables": "Tables",
+        "DeleteBranch": "Delete branch",
-        "ManageCoupons": "Coupons",
+        "ViewMenu": "View menu",
-        "ViewReports": "Reports",
+        "CreateMenuItem": "Add menu items",
-        "ManageExpenses": "Expenses",
+        "EditMenuItem": "Edit menu items",
-        "ProcessOrders": "Process orders",
+        "DeleteMenuItem": "Delete menu items",
-        "HandlePayments": "Handle payments",
+        "ViewInventory": "View inventory",
-        "OperateRegister": "Register",
+        "CreateInventory": "Add inventory",
-        "ManageQueue": "Queue",
+        "EditInventory": "Edit inventory & stock",
+        "DeleteInventory": "Delete inventory",
+        "ViewTaxes": "View taxes",
+        "CreateTax": "Create tax",
+        "EditTax": "Edit tax",
+        "DeleteTax": "Delete tax",
+        "ViewStaff": "View staff",
+        "CreateStaff": "Add staff",
+        "EditStaff": "Edit staff",
+        "DeleteStaff": "Remove staff",
+        "ManageStaff": "Assign branch roles",
+        "ManageStaffCredentials": "Manage login credentials",
+        "ViewAttendance": "View attendance",
+        "ManageAttendance": "Manage attendance",
+        "ViewSchedules": "View schedules",
+        "ManageSchedules": "Manage schedules",
+        "ViewLeave": "View leave requests",
+        "ReviewLeave": "Approve leave requests",
+        "ViewSalaries": "View salaries",
+        "ManageSalaries": "Manage salaries",
+        "ViewTables": "View tables",
+        "ManageTables": "Manage tables & sections",
+        "ViewReservations": "View reservations",
+        "CreateReservation": "Create reservation",
+        "EditReservation": "Edit reservation",
+        "DeleteReservation": "Delete reservation",
+        "ViewOrders": "View orders",
+        "ProcessOrders": "Take orders",
+        "EditOrder": "Edit orders",
+        "VoidOrder": "Void / cancel orders",
+        "RefundOrder": "Refund orders",
+        "ApplyDiscount": "Apply discounts",
+        "CompOrder": "Comp (free) orders",
+        "HandlePayments": "Take payments",
+        "UpdateOrderStatus": "Update order status",
+        "OperateRegister": "Open / close register",
+        "OpenCashDrawer": "Open cash drawer (no-sale)",
+        "ViewQueue": "View queue",
+        "ManageQueue": "Manage queue",
         "ViewKitchen": "Kitchen display",
-        "HandleDelivery": "Delivery"
+        "ManageKitchenStations": "Manage kitchen stations",
+        "ViewDelivery": "View delivery",
+        "HandleDelivery": "Handle delivery",
+        "AssignDelivery": "Assign delivery",
+        "ViewCustomers": "View customers",
+        "CreateCustomer": "Add customers",
+        "EditCustomer": "Edit customers",
+        "DeleteCustomer": "Delete customers",
+        "ViewCoupons": "View coupons",
+        "CreateCoupon": "Create coupon",
+        "EditCoupon": "Edit coupon",
+        "DeleteCoupon": "Delete coupon",
+        "ViewSms": "View SMS",
+        "SendSms": "Send SMS campaigns",
+        "ManageSmsSettings": "SMS settings",
+        "ViewReviews": "View reviews",
+        "ManageReviews": "Reply & moderate reviews",
+        "ViewReports": "View reports",
+        "ExportReports": "Export reports",
+        "ViewAuditLog": "View audit log",
+        "ViewFinancials": "View financials (P&L)",
+        "ManageFinancials": "Payment corrections",
+        "ViewExpenses": "View expenses",
+        "CreateExpense": "Add expense",
+        "EditExpense": "Edit expense",
+        "DeleteExpense": "Delete expense"
       }
     },
     "appearance": {

web/dashboard/messages/fa.json

@@ -1329,34 +1329,106 @@
       "saveError": "ذخیره نقش ناموفق بود",
       "deleteConfirm": "نقش «{name}» حذف شود؟ این کارمندان به دسترسی پیش‌فرض نقش اصلی خود بازمی‌گردند.",
       "groupAdmin": "مدیریت کافه",
-      "groupMenu": "منو و انبار",
+      "groupBranches": "شعب",
-      "groupStaff": "پرسنل",
+      "groupMenu": "منو",
-      "groupCustomer": "مشتری و میز",
+      "groupInventory": "انبار و موجودی",
+      "groupTaxes": "مالیات",
+      "groupStaff": "پرسنل و منابع انسانی",
+      "groupTables": "میز و رزرو",
+      "groupOrders": "سفارش و فروش",
+      "groupRegister": "صندوق و وجه نقد",
+      "groupQueueKitchen": "صف و آشپزخانه",
+      "groupDelivery": "تحویل و پیک",
+      "groupCustomers": "مشتریان",
+      "groupCoupons": "کوپن‌ها",
+      "groupMarketing": "بازاریابی و نظرات",
       "groupReports": "گزارش و مالی",
-      "groupOps": "عملیات صندوق",
+      "groupExpenses": "هزینه‌ها",
-      "groupKitchen": "آشپزخانه و تحویل",
       "perm": {
-        "ManageCafeSettings": "تنظیمات کافه",
+        "ViewCafeSettings": "مشاهده تنظیمات کافه",
-        "ManageBilling": "اشتراک و پرداخت",
+        "ManageCafeSettings": "ویرایش تنظیمات کافه",
-        "ManageBranches": "مدیریت شعب",
+        "ManageDiscoverProfile": "پروفایل عمومی و کوجا",
-        "ManageMenu": "مدیریت منو",
+        "ViewBilling": "مشاهده صورتحساب",
-        "ManageInventory": "انبار و موجودی",
+        "ManageBilling": "مدیریت اشتراک و پرداخت",
-        "ManageTaxes": "مالیات",
+        "ManageRoles": "مدیریت نقش‌ها",
-        "ManagePrintSettings": "تنظیمات چاپ",
+        "ViewPrintSettings": "مشاهده تنظیمات چاپ",
-        "ManageStaff": "مدیریت کارمندان",
+        "ManagePrintSettings": "ویرایش تنظیمات چاپ",
-        "ManageSalaries": "حقوق و دستمزد",
+        "ViewBranches": "مشاهده شعب",
-        "ReviewLeave": "بررسی مرخصی",
+        "CreateBranch": "ایجاد شعبه",
-        "ManageReservations": "رزروها",
+        "EditBranch": "ویرایش شعبه",
-        "ManageTables": "میزها",
+        "DeleteBranch": "حذف شعبه",
-        "ManageCoupons": "کوپن‌ها",
+        "ViewMenu": "مشاهده منو",
-        "ViewReports": "گزارش‌ها",
+        "CreateMenuItem": "افزودن آیتم منو",
-        "ManageExpenses": "هزینه‌ها",
+        "EditMenuItem": "ویرایش آیتم منو",
+        "DeleteMenuItem": "حذف آیتم منو",
+        "ViewInventory": "مشاهده انبار",
+        "CreateInventory": "افزودن به انبار",
+        "EditInventory": "ویرایش انبار و موجودی",
+        "DeleteInventory": "حذف از انبار",
+        "ViewTaxes": "مشاهده مالیات",
+        "CreateTax": "ایجاد مالیات",
+        "EditTax": "ویرایش مالیات",
+        "DeleteTax": "حذف مالیات",
+        "ViewStaff": "مشاهده کارمندان",
+        "CreateStaff": "افزودن کارمند",
+        "EditStaff": "ویرایش کارمند",
+        "DeleteStaff": "حذف کارمند",
+        "ManageStaff": "تخصیص نقش شعبه",
+        "ManageStaffCredentials": "مدیریت اطلاعات ورود",
+        "ViewAttendance": "مشاهده حضور و غیاب",
+        "ManageAttendance": "مدیریت حضور و غیاب",
+        "ViewSchedules": "مشاهده شیفت‌ها",
+        "ManageSchedules": "مدیریت شیفت‌ها",
+        "ViewLeave": "مشاهده درخواست مرخصی",
+        "ReviewLeave": "تأیید مرخصی",
+        "ViewSalaries": "مشاهده حقوق",
+        "ManageSalaries": "مدیریت حقوق و دستمزد",
+        "ViewTables": "مشاهده میزها",
+        "ManageTables": "مدیریت میز و بخش‌ها",
+        "ViewReservations": "مشاهده رزروها",
+        "CreateReservation": "ایجاد رزرو",
+        "EditReservation": "ویرایش رزرو",
+        "DeleteReservation": "حذف رزرو",
+        "ViewOrders": "مشاهده سفارش‌ها",
         "ProcessOrders": "ثبت سفارش",
-        "HandlePayments": "پردازش پرداخت",
+        "EditOrder": "ویرایش سفارش",
-        "OperateRegister": "صندوق",
+        "VoidOrder": "ابطال / لغو سفارش",
-        "ManageQueue": "صف انتظار",
+        "RefundOrder": "استرداد وجه سفارش",
+        "ApplyDiscount": "اعمال تخفیف",
+        "CompOrder": "سفارش رایگان (مهمان)",
+        "HandlePayments": "دریافت پرداخت",
+        "UpdateOrderStatus": "تغییر وضعیت سفارش",
+        "OperateRegister": "باز / بستن صندوق",
+        "OpenCashDrawer": "باز کردن کشوی پول (بدون فروش)",
+        "ViewQueue": "مشاهده صف",
+        "ManageQueue": "مدیریت صف",
         "ViewKitchen": "نمایش آشپزخانه",
-        "HandleDelivery": "تحویل و پیک"
+        "ManageKitchenStations": "مدیریت ایستگاه‌های آشپزخانه",
+        "ViewDelivery": "مشاهده تحویل",
+        "HandleDelivery": "مدیریت تحویل",
+        "AssignDelivery": "تخصیص پیک",
+        "ViewCustomers": "مشاهده مشتریان",
+        "CreateCustomer": "افزودن مشتری",
+        "EditCustomer": "ویرایش مشتری",
+        "DeleteCustomer": "حذف مشتری",
+        "ViewCoupons": "مشاهده کوپن‌ها",
+        "CreateCoupon": "ایجاد کوپن",
+        "EditCoupon": "ویرایش کوپن",
+        "DeleteCoupon": "حذف کوپن",
+        "ViewSms": "مشاهده پیامک",
+        "SendSms": "ارسال کمپین پیامکی",
+        "ManageSmsSettings": "تنظیمات پیامک",
+        "ViewReviews": "مشاهده نظرات",
+        "ManageReviews": "پاسخ و مدیریت نظرات",
+        "ViewReports": "مشاهده گزارش‌ها",
+        "ExportReports": "خروجی گرفتن از گزارش",
+        "ViewAuditLog": "مشاهده گزارش رویدادها",
+        "ViewFinancials": "مشاهده مالی (سود و زیان)",
+        "ManageFinancials": "اصلاح سند پرداخت",
+        "ViewExpenses": "مشاهده هزینه‌ها",
+        "CreateExpense": "افزودن هزینه",
+        "EditExpense": "ویرایش هزینه",
+        "DeleteExpense": "حذف هزینه"
       }
     },
     "appearance": {

web/dashboard/src/components/settings/custom-roles-panel.tsx

@@ -34,31 +34,84 @@ interface PermGroup {
 const PERM_GROUPS: PermGroup[] = [
   {
     labelKey: "customRoles.groupAdmin",
-    perms: ["ManageCafeSettings", "ManageBilling", "ManageBranches"],
+    perms: [
+      "ViewCafeSettings", "ManageCafeSettings", "ManageDiscoverProfile",
+      "ViewBilling", "ManageBilling", "ManageRoles",
+      "ViewPrintSettings", "ManagePrintSettings",
+    ],
+  },
+  {
+    labelKey: "customRoles.groupBranches",
+    perms: ["ViewBranches", "CreateBranch", "EditBranch", "DeleteBranch"],
   },
   {
     labelKey: "customRoles.groupMenu",
-    perms: ["ManageMenu", "ManageInventory", "ManageTaxes", "ManagePrintSettings"],
+    perms: ["ViewMenu", "CreateMenuItem", "EditMenuItem", "DeleteMenuItem"],
+  },
+  {
+    labelKey: "customRoles.groupInventory",
+    perms: ["ViewInventory", "CreateInventory", "EditInventory", "DeleteInventory"],
+  },
+  {
+    labelKey: "customRoles.groupTaxes",
+    perms: ["ViewTaxes", "CreateTax", "EditTax", "DeleteTax"],
   },
   {
     labelKey: "customRoles.groupStaff",
-    perms: ["ManageStaff", "ManageSalaries", "ReviewLeave"],
+    perms: [
+      "ViewStaff", "CreateStaff", "EditStaff", "DeleteStaff",
+      "ManageStaff", "ManageStaffCredentials",
+      "ViewAttendance", "ManageAttendance",
+      "ViewSchedules", "ManageSchedules",
+      "ViewLeave", "ReviewLeave",
+      "ViewSalaries", "ManageSalaries",
+    ],
   },
   {
-    labelKey: "customRoles.groupCustomer",
+    labelKey: "customRoles.groupTables",
-    perms: ["ManageReservations", "ManageTables", "ManageCoupons"],
+    perms: [
+      "ViewTables", "ManageTables",
+      "ViewReservations", "CreateReservation", "EditReservation", "DeleteReservation",
+    ],
+  },
+  {
+    labelKey: "customRoles.groupOrders",
+    perms: [
+      "ViewOrders", "ProcessOrders", "EditOrder", "VoidOrder", "RefundOrder",
+      "ApplyDiscount", "CompOrder", "HandlePayments", "UpdateOrderStatus",
+    ],
+  },
+  {
+    labelKey: "customRoles.groupRegister",
+    perms: ["OperateRegister", "OpenCashDrawer"],
+  },
+  {
+    labelKey: "customRoles.groupQueueKitchen",
+    perms: ["ViewQueue", "ManageQueue", "ViewKitchen", "ManageKitchenStations"],
+  },
+  {
+    labelKey: "customRoles.groupDelivery",
+    perms: ["ViewDelivery", "HandleDelivery", "AssignDelivery"],
+  },
+  {
+    labelKey: "customRoles.groupCustomers",
+    perms: ["ViewCustomers", "CreateCustomer", "EditCustomer", "DeleteCustomer"],
+  },
+  {
+    labelKey: "customRoles.groupCoupons",
+    perms: ["ViewCoupons", "CreateCoupon", "EditCoupon", "DeleteCoupon"],
+  },
+  {
+    labelKey: "customRoles.groupMarketing",
+    perms: ["ViewSms", "SendSms", "ManageSmsSettings", "ViewReviews", "ManageReviews"],
   },
   {
     labelKey: "customRoles.groupReports",
-    perms: ["ViewReports", "ManageExpenses"],
+    perms: ["ViewReports", "ExportReports", "ViewAuditLog", "ViewFinancials", "ManageFinancials"],
   },
   {
-    labelKey: "customRoles.groupOps",
+    labelKey: "customRoles.groupExpenses",
-    perms: ["ProcessOrders", "HandlePayments", "OperateRegister", "ManageQueue"],
+    perms: ["ViewExpenses", "CreateExpense", "EditExpense", "DeleteExpense"],
-  },
-  {
-    labelKey: "customRoles.groupKitchen",
-    perms: ["ViewKitchen", "HandleDelivery"],
   },
 ];
 

web/dashboard/src/lib/auth-permissions.ts

@@ -11,7 +11,10 @@ export function isBranchAccount(branchId: string | null | undefined): boolean {
   return !!branchId;
 }
 
-export const OWNER_ONLY_NAV_KEYS = ["subscription", "taxes", "branches"] as const;
+// Billing stays a hard owner gate (also covers legacy sessions with no
+// permission list). Taxes & branches are now permission-driven via
+// NAV_REQUIRED_PERMISSION (ViewTaxes / ViewBranches), which managers hold.
+export const OWNER_ONLY_NAV_KEYS = ["subscription"] as const;
 
 export function canSeeNavItem(
   key: string,

web/dashboard/src/lib/permissions.ts

@@ -5,50 +5,136 @@ import type { NavItemKey } from "@/lib/sidebar-nav";
  * Client mirror of the backend `Meezi.Core.Authorization.Permission` enum. The
  * server (EnsurePermission) remains the single source of truth — these values
  * only drive what the UI *shows* (pages, action buttons). Never rely on them
- * for actual security.
+ * for actual security. Keep this list in sync with Permission.cs.
  */
 export type Permission =
+  // Café administration
+  | "ViewCafeSettings"
   | "ManageCafeSettings"
+  | "ManageDiscoverProfile"
+  | "ViewBilling"
   | "ManageBilling"
-  | "ManageBranches"
+  | "ViewBranches"
-  | "ManageStaff"
+  | "CreateBranch"
-  | "ManageMenu"
+  | "EditBranch"
-  | "ManageInventory"
+  | "DeleteBranch"
-  | "ManageExpenses"
+  | "ManageRoles"
-  | "ManageTaxes"
+  | "ViewPrintSettings"
-  | "ManageCoupons"
-  | "ManageReservations"
-  | "ManageTables"
-  | "ViewReports"
-  | "ReviewLeave"
-  | "ManageSalaries"
   | "ManagePrintSettings"
+  // Taxes
+  | "ViewTaxes"
+  | "CreateTax"
+  | "EditTax"
+  | "DeleteTax"
+  // Staff & HR
+  | "ViewStaff"
+  | "CreateStaff"
+  | "EditStaff"
+  | "DeleteStaff"
+  | "ManageStaff"
+  | "ManageStaffCredentials"
+  | "ViewAttendance"
+  | "ManageAttendance"
+  | "ViewSchedules"
+  | "ManageSchedules"
+  | "ViewLeave"
+  | "ReviewLeave"
+  | "ViewSalaries"
+  | "ManageSalaries"
+  // Menu
+  | "ViewMenu"
+  | "CreateMenuItem"
+  | "EditMenuItem"
+  | "DeleteMenuItem"
+  // Inventory
+  | "ViewInventory"
+  | "CreateInventory"
+  | "EditInventory"
+  | "DeleteInventory"
+  // Tables
+  | "ViewTables"
+  | "ManageTables"
+  // Reservations
+  | "ViewReservations"
+  | "CreateReservation"
+  | "EditReservation"
+  | "DeleteReservation"
+  // Orders & POS
+  | "ViewOrders"
   | "ProcessOrders"
+  | "EditOrder"
+  | "VoidOrder"
+  | "RefundOrder"
+  | "ApplyDiscount"
+  | "CompOrder"
   | "HandlePayments"
+  | "UpdateOrderStatus"
+  // Register / cash
   | "OperateRegister"
+  | "OpenCashDrawer"
+  // Queue
+  | "ViewQueue"
   | "ManageQueue"
+  // Kitchen
   | "ViewKitchen"
-  | "HandleDelivery";
+  | "ManageKitchenStations"
+  // Delivery
+  | "ViewDelivery"
+  | "HandleDelivery"
+  | "AssignDelivery"
+  // Customers / CRM
+  | "ViewCustomers"
+  | "CreateCustomer"
+  | "EditCustomer"
+  | "DeleteCustomer"
+  // Coupons
+  | "ViewCoupons"
+  | "CreateCoupon"
+  | "EditCoupon"
+  | "DeleteCoupon"
+  // SMS / marketing
+  | "ViewSms"
+  | "SendSms"
+  | "ManageSmsSettings"
+  // Reviews
+  | "ViewReviews"
+  | "ManageReviews"
+  // Reports & finance
+  | "ViewReports"
+  | "ExportReports"
+  | "ViewAuditLog"
+  | "ViewFinancials"
+  | "ManageFinancials"
+  // Expenses
+  | "ViewExpenses"
+  | "CreateExpense"
+  | "EditExpense"
+  | "DeleteExpense";
 
 /**
- * Permission a nav page requires to be visible. Pages not listed here fall back
+ * Permission a nav page requires to be visible. Each maps to the page's "View"
- * to the existing owner-only / branch-account visibility logic in
+ * capability. Pages not listed fall back to the owner-only / branch-account
- * {@link file://./auth-permissions.ts}.
+ * visibility logic in {@link file://./auth-permissions.ts}.
  */
 export const NAV_REQUIRED_PERMISSION: Partial<Record<NavItemKey, Permission>> = {
   pos: "ProcessOrders",
-  tables: "ManageTables",
+  tables: "ViewTables",
-  queue: "ManageQueue",
+  queue: "ViewQueue",
   kds: "ViewKitchen",
-  reservations: "ManageReservations",
+  reservations: "ViewReservations",
-  menu: "ManageMenu",
+  menu: "ViewMenu",
-  inventory: "ManageInventory",
-  coupons: "ManageCoupons",
   reports: "ViewReports",
-  expenses: "ManageExpenses",
+  crm: "ViewCustomers",
+  coupons: "ViewCoupons",
+  sms: "ViewSms",
+  reviews: "ViewReviews",
+  inventory: "ViewInventory",
+  expenses: "ViewExpenses",
   shifts: "OperateRegister",
-  taxes: "ManageTaxes",
+  taxes: "ViewTaxes",
-  hr: "ManageStaff",
+  hr: "ViewStaff",
+  branches: "ViewBranches",
+  subscription: "ViewBilling",
 };
 
 /** Read the effective permission set off an auth response (null = legacy session). */