
Add PAT scope foundation: request-context plugin, permission tagging, migrations, and models#7580

Open
cstns wants to merge 5 commits into main from 7445_scoped-pat-foundations


@cstns cstns commented Jun 22, 2026

Contributor

Description

Lays the groundwork for scoped PATs (#7411). No behavior changes for existing tokens or sessions.

  • Registered @fastify/request-context as a Fastify plugin so later tasks can pass PAT metadata to hasPermission without changing its signature
  • Tagged all 166 permissions in permissions.js with access: 'read' or access: 'write' to support the read-only toggle
  • Two migrations: new readOnly and adminOptIn boolean columns on AccessTokens (both default to false), and a new AccessTokenTeamScopes join table with cascading FKs and indexes
  • New AccessTokenTeamScope Sequelize model with belongsTo associations to AccessToken, Team, and User
  • Updated the AccessToken model with the new fields, hasMany association, and eager-loading in getPersonalAccessTokens
  • Unit tests covering column defaults, CRUD, cascade deletes, eager-loading, and permission tagging completeness

Important

This PR introduces database changes through two new migration files.

Related Issue(s)

closes #7445

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
  • Link to Changelog Entry PR, or note why one is not needed.

Labels

  • Includes a DB migration? -> add the area:migration label

@cstns cstns requested review from hardillb and knolleary June 22, 2026 12:35
@cstns cstns self-assigned this Jun 22, 2026
@cstns cstns added the area:migration Involves a database migration label Jun 22, 2026
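
Added example, not code from this PR or from FlowFuse: one way the `access` tags and the `readOnly` column described above could back a read-only toggle, pairing a tagging-completeness check with a gate that fails closed on untagged permissions. The permission names, the shape of the map and both function names are assumptions.

```javascript
// Added example. samplePermissions is constructed, not FlowFuse's permissions.js.
// Only the `access` tag values and the token's `readOnly` flag come from the PR
// description; findUntagged and allowedForToken are hypothetical helpers.
const samplePermissions = {
    'team:read': { description: 'View a team', access: 'read' },
    'team:edit': { description: 'Edit a team', access: 'write' },
    'project:log': { description: 'View instance logs', access: 'read' },
    'project:delete': { description: 'Delete an instance' } // tag left off on purpose
}

const VALID_ACCESS = new Set(['read', 'write'])

// Completeness check: names of permissions that lack a valid access tag.
function findUntagged (permissions) {
    return Object.entries(permissions)
        .filter(([, def]) => !VALID_ACCESS.has(def.access))
        .map(([name]) => name)
        .sort()
}

// Extra gate evaluated alongside the normal role check.
function allowedForToken (token, permissionName, permissions) {
    // Own-property lookup so names like 'constructor' never resolve to
    // something inherited from Object.prototype.
    if (!Object.prototype.hasOwnProperty.call(permissions, permissionName)) {
        return false // unknown permission: deny
    }
    if (!token.readOnly) {
        return true // readOnly defaults to false, so existing tokens are unaffected
    }
    // Fail closed: only an explicit 'read' tag passes a read-only token, so a
    // missing or misspelled tag denies instead of silently allowing a write.
    return permissions[permissionName].access === 'read'
}

console.log(findUntagged(samplePermissions))
console.log(allowedForToken({ readOnly: true }, 'project:delete', samplePermissions))
```
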

cstns commented Jun 22, 2026

Contributor Author

@hardillb, @knolleary: this is the PR we discussed during planning.

Setting the read/write flags on the existing permissions will need an extra set of eyes, which is why I've added you both as reviewers.


codecov Bot commented Jun 22, 2026


Codecov Report

❌ Patch coverage is 90.90909% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.96%. Comparing base (fab5b55) to head (d97d96d).

Files with missing lines Patch % Lines
.../db/migrations/20260622-01-add-pat-scope-fields.js 83.33% 1 Missing ⚠️
...rations/20260622-02-add-access-token-team-scope.js 85.71% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7580      +/-   ##
==========================================
+ Coverage   76.95%   76.96%   +0.01%     
==========================================
  Files         410      413       +3     
  Lines       21002    21024      +22     
  Branches     5117     5117              
==========================================
+ Hits        16162    16182      +20     
- Misses       4840     4842       +2     
Flag Coverage Δ
backend 76.96% <90.90%> (+0.01%) ⬆️


@hardillb

Contributor

WARNING

There is another PR that includes a db migration #7577
need to check which is merged first

@hardillb hardillb mentioned this pull request Jun 23, 2026
11 tasks

@hardillb hardillb left a comment

Contributor


I've read this through and it all pretty much makes sense.

Only question is that I only see @fastify/request-context being added to the forge.js but not used anywhere yet. I assume this is just prep?


cstns commented Jun 23, 2026

Contributor Author

> Only question is that I only see @fastify/request-context being added to the forge.js but not used anywhere yet. I assume this is just prep?

That is a correct assumption. The @fastify/request-context plugin should have been used in the follow-up task (and others in the chain), but that got pushed aside to focus on exposing the MCP tools for the first-party MCP agent.

@knolleary knolleary left a comment

Member


Following up on @hardillb's warning about migrations.

#7577 is getting merged first. It includes a migration with the date 20260622-01-add-device-nodejs-ver.js - the same date as the two migrations in this PR.

The migrations in this PR will need renaming. Either increment to -02- and -03- or bump the date.


Development

Successfully merging this pull request may close these issues.

Scoped PATs - Foundation: Plugin, Permission Tagging, Migrations, and Models

3 participants