From c81e574957abb5ddb71f3c67ffbf3aadaebd5ffd Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Tue, 23 Jun 2026 12:01:11 +0200
Subject: [PATCH 01/25] =?UTF-8?q?=E2=9C=A8=20Add=20permission-based=20UI?=
 =?UTF-8?q?=20gating?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Gate UI on the current user's permissions, fetched from ServiceControl's
GET api/my/permissions/all (a flat list of permission strings such as
"error:messages:retry"; see ServiceControl PR #5538).

- PermissionsStore: holds the user and a Set<string> of granted permissions.
- usePermissions: can(permission)/canAny(permissions) (set membership) plus
  fetchDescriptor() (deduped, fail-safe). Gating is fail-open — it only applies
  once authorization is enabled, the user is authenticated and the descriptor
  has loaded, so the UI is unchanged for auth-disabled/older deployments.

No UI consumes this yet.
---
 .../src/composables/usePermissions.spec.ts    | 131 ++++++++++++++++++
 .../src/composables/usePermissions.ts         |  60 ++++++++
 src/Frontend/src/stores/PermissionsStore.ts   |  37 +++++
 3 files changed, 228 insertions(+)
 create mode 100644 src/Frontend/src/composables/usePermissions.spec.ts
 create mode 100644 src/Frontend/src/composables/usePermissions.ts
 create mode 100644 src/Frontend/src/stores/PermissionsStore.ts

diff --git a/src/Frontend/src/composables/usePermissions.spec.ts b/src/Frontend/src/composables/usePermissions.spec.ts
new file mode 100644
index 000000000..96c6cf4fa
--- /dev/null
+++ b/src/Frontend/src/composables/usePermissions.spec.ts
@@ -0,0 +1,131 @@
+import { describe, test, expect, beforeEach, vi } from "vitest";
+import { createTestingPinia } from "@pinia/testing";
+import { setActivePinia } from "pinia";
+
+vi.mock("@/components/serviceControlClient", () => ({
+  default: { fetchFromServiceControl: vi.fn() },
+}));
+
+import serviceControlClient from "@/components/serviceControlClient";
+import logger from "@/logger";
+import { usePermissions } from "@/composables/usePermissions";
+import { usePermissionsStore } from "@/stores/PermissionsStore";
+import { useAuthStore } from "@/stores/AuthStore";
+
+const fetchFromServiceControl = vi.mocked(serviceControlClient.fetchFromServiceControl);
+
+// Minimal Response-like stub for the bits the composable reads.
+function response(status: number, body?: unknown): Response {
+  return {
+    ok: status >= 200 && status < 300,
+    status,
+    statusText: `status ${status}`,
+    json: () => Promise.resolve(body),
+  } as Response;
+}
+
+function withState(opts: { authEnabled: boolean; isAuthenticated: boolean; permissions: string[] | null }) {
+  const auth = useAuthStore();
+  auth.authEnabled = opts.authEnabled;
+  auth.isAuthenticated = opts.isAuthenticated;
+  if (opts.permissions !== null) {
+    usePermissionsStore().setDescriptor({ user: "alice", permissions: opts.permissions });
+  }
+  return usePermissions();
+}
+
+describe("usePermissions", () => {
+  beforeEach(() => {
+    setActivePinia(createTestingPinia({ stubActions: false }));
+    fetchFromServiceControl.mockReset();
+  });
+
+  describe("can / canAny (fail-open gating)", () => {
+    test("fails open when authorization is disabled", () => {
+      const { can, shouldGate } = withState({ authEnabled: false, isAuthenticated: true, permissions: [] });
+      expect(shouldGate.value).toBe(false);
+      expect(can("error:messages:retry")).toBe(true);
+    });
+
+    test("fails open when the user is not authenticated", () => {
+      const { can } = withState({ authEnabled: true, isAuthenticated: false, permissions: [] });
+      expect(can("error:messages:retry")).toBe(true);
+    });
+
+    test("fails open until the descriptor has loaded", () => {
+      const { can } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
+      expect(can("error:messages:retry")).toBe(true);
+    });
+
+    test("gates per permission once enabled, authenticated and loaded", () => {
+      const { can, shouldGate } = withState({ authEnabled: true, isAuthenticated: true, permissions: ["error:messages:view"] });
+      expect(shouldGate.value).toBe(true);
+      expect(can("error:messages:view")).toBe(true);
+      expect(can("error:messages:retry")).toBe(false);
+    });
+
+    test("canAny is true when any permission is held", () => {
+      const { canAny } = withState({ authEnabled: true, isAuthenticated: true, permissions: ["error:redirects:view"] });
+      expect(canAny(["error:licensing:view", "error:redirects:view"])).toBe(true);
+      expect(canAny(["error:licensing:view", "error:notifications:view"])).toBe(false);
+    });
+  });
+
+  describe("fetchDescriptor", () => {
+    test("200 fetches my/permissions/all and populates the store", async () => {
+      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
+      fetchFromServiceControl.mockResolvedValue(response(200, { user: "alice", permissions: ["error:messages:view"] }));
+
+      await fetchDescriptor();
+
+      expect(fetchFromServiceControl).toHaveBeenCalledWith("my/permissions/all");
+      const store = usePermissionsStore();
+      expect(store.loaded).toBe(true);
+      expect(store.permissions.has("error:messages:view")).toBe(true);
+    });
+
+    test("a non-OK response leaves the store intact and warns", async () => {
+      const warn = vi.spyOn(logger, "warn").mockImplementation(() => {});
+      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: ["error:messages:view"] });
+      fetchFromServiceControl.mockResolvedValue(response(401));
+
+      await fetchDescriptor();
+
+      expect(usePermissionsStore().permissions.has("error:messages:view")).toBe(true); // unchanged
+      expect(warn).toHaveBeenCalled();
+      warn.mockRestore();
+    });
+
+    test("a thrown request is logged and leaves the store intact", async () => {
+      const error = vi.spyOn(logger, "error").mockImplementation(() => {});
+      const failure = new Error("boom");
+      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
+      fetchFromServiceControl.mockRejectedValue(failure);
+
+      await fetchDescriptor();
+
+      expect(usePermissionsStore().loaded).toBe(false);
+      expect(error).toHaveBeenCalledWith("Error fetching permissions", failure);
+      error.mockRestore();
+    });
+
+    test("concurrent calls share a single in-flight request", async () => {
+      let resolveFetch: (value: Response) => void = () => {};
+      const pending = new Promise<Response>((resolve) => (resolveFetch = resolve));
+      fetchFromServiceControl.mockReturnValue(pending);
+
+      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
+      const first = fetchDescriptor();
+      const second = fetchDescriptor();
+
+      expect(fetchFromServiceControl).toHaveBeenCalledTimes(1);
+
+      resolveFetch(response(200, { user: "alice", permissions: [] }));
+      await Promise.all([first, second]);
+
+      // Slot released after settling, so a later call fetches again.
+      await fetchDescriptor();
+      expect(fetchFromServiceControl).toHaveBeenCalledTimes(2);
+    });
+  });
+});
diff --git a/src/Frontend/src/composables/usePermissions.ts b/src/Frontend/src/composables/usePermissions.ts
new file mode 100644
index 000000000..973f36f27
--- /dev/null
+++ b/src/Frontend/src/composables/usePermissions.ts
@@ -0,0 +1,60 @@
+import { computed } from "vue";
+import { storeToRefs } from "pinia";
+import { usePermissionsStore } from "@/stores/PermissionsStore";
+import { useAuthStore } from "@/stores/AuthStore";
+import serviceControlClient from "@/components/serviceControlClient";
+import logger from "@/logger";
+
+// Module-singleton in-flight guard so concurrent callers (e.g. an app-level load and a
+// view's onMounted) share one request instead of fetching the descriptor twice.
+let inFlight: Promise<void> | null = null;
+
+// Permission-aware composable. Consumers (button v-ifs, nav filters) are UX-only: they
+// hide what the user cannot do. ServiceControl remains the real authority; the descriptor
+// this reads is a cache of the effective permission set the server would enforce.
+//
+// Gating is fail-open: it only kicks in once authorization is enabled, the user is
+// authenticated and the descriptor has loaded. Otherwise everything is shown, so the UI
+// is unchanged for auth-disabled and older-ServiceControl deployments.
+export function usePermissions() {
+  const store = usePermissionsStore();
+  const { authEnabled, isAuthenticated } = storeToRefs(useAuthStore());
+
+  const shouldGate = computed(() => authEnabled.value && isAuthenticated.value && store.loaded);
+
+  async function load(): Promise<void> {
+    try {
+      const response = await serviceControlClient.fetchFromServiceControl("my/permissions/all");
+
+      // Leave any existing descriptor intact on failure (fail-safe — don't widen or drop
+      // the user's permissions because of a transient error or a 401), and log it.
+      if (!response.ok) {
+        logger.warn(`Failed to fetch permissions: ${response.status} ${response.statusText}`);
+        return;
+      }
+
+      store.setDescriptor(await response.json());
+    } catch (error) {
+      logger.error("Error fetching permissions", error);
+    }
+  }
+
+  // Fetch (or join an in-flight fetch of) the current user's permissions.
+  function fetchDescriptor(): Promise<void> {
+    return (inFlight ??= load().finally(() => (inFlight = null)));
+  }
+
+  // Whether the current user holds `permission` (e.g. "error:messages:retry").
+  // Fail-open until gating applies.
+  function can(permission: string): boolean {
+    return !shouldGate.value || store.permissions.has(permission);
+  }
+
+  // Whether the user holds ANY of the given permissions. Handy for showing a parent nav
+  // item when the user can reach at least one child.
+  function canAny(permissions: string[]): boolean {
+    return permissions.some((permission) => can(permission));
+  }
+
+  return { fetchDescriptor, can, canAny, shouldGate };
+}
diff --git a/src/Frontend/src/stores/PermissionsStore.ts b/src/Frontend/src/stores/PermissionsStore.ts
new file mode 100644
index 000000000..3f40320df
--- /dev/null
+++ b/src/Frontend/src/stores/PermissionsStore.ts
@@ -0,0 +1,37 @@
+import { acceptHMRUpdate, defineStore } from "pinia";
+import { ref } from "vue";
+
+// The JSON shape returned by GET api/my/permissions/all (snake_case on the wire).
+// Permissions is a flat list of permission strings, e.g. "error:messages:retry".
+// (ServiceControl has no per-resource scopes yet; when it gains them this descriptor
+// will grow a scope per entry — see the dormant permissionMatching.ts.)
+export interface PermissionsDescriptor {
+  user: string;
+  permissions: string[];
+}
+
+// Holds the current user's effective permission set. Pure state only: fetching lives
+// in usePermissions. A Set gives O(1) membership checks for can().
+export const usePermissionsStore = defineStore("PermissionsStore", () => {
+  const user = ref("");
+  const permissions = ref<Set<string>>(new Set());
+  const loaded = ref(false);
+
+  function setDescriptor(descriptor: PermissionsDescriptor) {
+    user.value = descriptor.user;
+    permissions.value = new Set(descriptor.permissions);
+    loaded.value = true;
+  }
+
+  function clear() {
+    user.value = "";
+    permissions.value = new Set();
+    loaded.value = false;
+  }
+
+  return { user, permissions, loaded, setDescriptor, clear };
+});
+
+if (import.meta.hot) {
+  import.meta.hot.accept(acceptHMRUpdate(usePermissionsStore, import.meta.hot));
+}

From e5a3abaedbfc812c44d434764fedf00e49ceedf6 Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Tue, 23 Jun 2026 12:01:11 +0200
Subject: [PATCH 02/25] =?UTF-8?q?=E2=9C=A8=20Add=20dormant=20resource-scop?=
 =?UTF-8?q?e=20matcher=20for=20future=20per-queue=20scoping?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Not wired into the UI. ServiceControl does not yet support per-resource
(per-queue) scopes — limiting a permission to queues like "sales.*" — so this is
kept ready for when it does, at which point can(permission, resource) can enforce
a grant's allow/deny patterns.

- permissionMatching: pure matchesPattern/entryPermits (exact, prefix.*, *,
  deny-wins, case-insensitive), self-contained.
- scope-vectors.json: shared test vectors so the frontend matcher and the future
  ServiceControl ResourceScope/FilterByQueueScope cannot drift; both suites run
  the same cases.
---
 .../composables/permissionMatching.spec.ts    | 55 +++++++++++++++++++
 .../src/composables/permissionMatching.ts     | 52 ++++++++++++++++++
 .../src/composables/scope-vectors.json        | 20 +++++++
 3 files changed, 127 insertions(+)
 create mode 100644 src/Frontend/src/composables/permissionMatching.spec.ts
 create mode 100644 src/Frontend/src/composables/permissionMatching.ts
 create mode 100644 src/Frontend/src/composables/scope-vectors.json

diff --git a/src/Frontend/src/composables/permissionMatching.spec.ts b/src/Frontend/src/composables/permissionMatching.spec.ts
new file mode 100644
index 000000000..7b175aafe
--- /dev/null
+++ b/src/Frontend/src/composables/permissionMatching.spec.ts
@@ -0,0 +1,55 @@
+import { describe, test, expect } from "vitest";
+import { matchesPattern, entryPermits, type PermissionEntry } from "@/composables/permissionMatching";
+import scopeVectors from "@/composables/scope-vectors.json";
+
+describe("permissionMatching", () => {
+  // Shared vectors: these MUST produce the same result in the ServiceControl
+  // ResourceScope/FilterByQueueScope tests. entryPermits with a resource is the
+  // frontend equivalent of the server's ResourceScope.Permits.
+  describe("scope-vectors.json (shared with ServiceControl)", () => {
+    test.each(scopeVectors.vectors)("$name", ({ allow, deny, resource, permits }) => {
+      const entry: PermissionEntry = { permission: "messages:view", scope: { allow, deny } };
+      expect(entryPermits(entry, resource)).toBe(permits);
+    });
+  });
+
+  describe("matchesPattern", () => {
+    test("universal wildcard matches everything", () => {
+      expect(matchesPattern("*", "anything")).toBe(true);
+    });
+
+    test("prefix crosses dots but excludes the bare prefix", () => {
+      expect(matchesPattern("sales.*", "sales.orders.eu")).toBe(true);
+      expect(matchesPattern("sales.*", "sales")).toBe(false);
+    });
+
+    test("is case-insensitive on both sides", () => {
+      expect(matchesPattern("Sales.Orders", "sales.orders")).toBe(true);
+      expect(matchesPattern("SALES.*", "sales.orders")).toBe(true);
+    });
+  });
+
+  describe("entryPermits scope semantics", () => {
+    test("null scope is unrestricted for any resource", () => {
+      const entry: PermissionEntry = { permission: "messages:retry", scope: null };
+      expect(entryPermits(entry, "anything")).toBe(true);
+    });
+
+    test("null scope passes the verb-level check", () => {
+      const entry: PermissionEntry = { permission: "messages:retry", scope: null };
+      expect(entryPermits(entry)).toBe(true);
+    });
+
+    test("verb-level check (no resource) passes for a scoped entry", () => {
+      // Holding the permission for *some* scope counts at the verb level.
+      const entry: PermissionEntry = { permission: "messages:retry", scope: { allow: ["sales.*"], deny: [] } };
+      expect(entryPermits(entry)).toBe(true);
+    });
+
+    test("resource-level check enforces the scope", () => {
+      const entry: PermissionEntry = { permission: "messages:retry", scope: { allow: ["sales.*"], deny: [] } };
+      expect(entryPermits(entry, "sales.orders")).toBe(true);
+      expect(entryPermits(entry, "finance.invoicing")).toBe(false);
+    });
+  });
+});
diff --git a/src/Frontend/src/composables/permissionMatching.ts b/src/Frontend/src/composables/permissionMatching.ts
new file mode 100644
index 000000000..4a5918c65
--- /dev/null
+++ b/src/Frontend/src/composables/permissionMatching.ts
@@ -0,0 +1,52 @@
+// DORMANT — not currently wired into the UI. ServiceControl does not yet expose
+// per-resource (per-queue) scopes; today's my/permissions/all returns a flat list of
+// permission strings (see usePermissions/PermissionsStore). This module is kept ready
+// for when the backend gains allow/deny scopes, at which point a PermissionEntry will
+// carry a ScopeDescriptor and can(permission, resource) can enforce it.
+
+// A scope's allow/deny resource patterns. null (on an entry) means unrestricted.
+export interface ScopeDescriptor {
+  allow: string[];
+  deny: string[];
+}
+
+// A single scoped permission grant (the future descriptor entry shape).
+export interface PermissionEntry {
+  permission: string;
+  scope: ScopeDescriptor | null;
+}
+
+// Resource-scope pattern matching. This MUST stay in lockstep with the
+// ServiceControl server-side rules: `ResourceScope.Matches` (C#) and
+// `FilterByQueueScope` (RavenDB query translation). The shared behaviour is
+// pinned by scope-vectors.json, which both this suite and the ServiceControl
+// test suite consume.
+//
+// Patterns:
+//   "*"        matches everything
+//   "prefix.*" prefix match crossing dots: "sales.*" matches "sales.orders"
+//              and "sales.secret.payroll", but NOT bare "sales"
+//   exact      case-insensitive equality
+//
+// Matching is case-insensitive: the server lowercases both sides (queue
+// addresses are stored lowercased in the index), so we do the same here.
+export function matchesPattern(pattern: string, resource: string): boolean {
+  const p = pattern.toLowerCase();
+  const r = resource.toLowerCase();
+  if (p === "*") return true;
+  if (p === r) return true;
+  if (p.endsWith(".*")) return r.startsWith(p.slice(0, -1)); // "sales.*" -> "sales."
+  return false;
+}
+
+// Whether a single permission entry permits access.
+//   scope null          -> unrestricted (any resource; verb-level true)
+//   resource undefined  -> verb-level check: holding the permission counts
+//   resource provided   -> allow AND NOT deny, deny wins
+export function entryPermits(entry: PermissionEntry, resource?: string): boolean {
+  if (entry.scope === null) return true;
+  if (resource === undefined) return true;
+  const allowed = entry.scope.allow.some((pattern) => matchesPattern(pattern, resource));
+  const denied = entry.scope.deny.some((pattern) => matchesPattern(pattern, resource));
+  return allowed && !denied;
+}
diff --git a/src/Frontend/src/composables/scope-vectors.json b/src/Frontend/src/composables/scope-vectors.json
new file mode 100644
index 000000000..29e0788b2
--- /dev/null
+++ b/src/Frontend/src/composables/scope-vectors.json
@@ -0,0 +1,20 @@
+{
+  "description": "Shared resource-scope test vectors. Consumed by ServicePulse (permissionMatching.spec.ts) and, later, by ServiceControl (ResourceScope/FilterByQueueScope tests) so all implementations of the matcher agree. permits = does scope {allow,deny} permit `resource`.",
+  "vectors": [
+    { "name": "exact allow matches", "allow": ["sales.orders"], "deny": [], "resource": "sales.orders", "permits": true },
+    { "name": "exact allow does not match other", "allow": ["sales.orders"], "deny": [], "resource": "finance.invoicing", "permits": false },
+    { "name": "prefix matches child", "allow": ["sales.*"], "deny": [], "resource": "sales.orders", "permits": true },
+    { "name": "prefix matches deeper child", "allow": ["sales.*"], "deny": [], "resource": "sales.secret.payroll", "permits": true },
+    { "name": "prefix does not match bare prefix", "allow": ["sales.*"], "deny": [], "resource": "sales", "permits": false },
+    { "name": "universal wildcard matches anything", "allow": ["*"], "deny": [], "resource": "anything.at.all", "permits": true },
+    { "name": "empty allow denies everything", "allow": [], "deny": [], "resource": "sales.orders", "permits": false },
+    { "name": "deny prefix wins over allow wildcard", "allow": ["*"], "deny": ["finance.*"], "resource": "finance.accounts", "permits": false },
+    { "name": "deny exact denies only exact", "allow": ["*"], "deny": ["finance"], "resource": "finance.payroll", "permits": true },
+    { "name": "deny exact matches exact", "allow": ["*"], "deny": ["finance"], "resource": "finance", "permits": false },
+    { "name": "carve-out: allow prefix, deny sub-prefix (public allowed)", "allow": ["sales.*"], "deny": ["sales.secret.*"], "resource": "sales.public.orders", "permits": true },
+    { "name": "carve-out: allow prefix, deny sub-prefix (secret denied)", "allow": ["sales.*"], "deny": ["sales.secret.*"], "resource": "sales.secret.data", "permits": false },
+    { "name": "case-insensitive prefix pattern", "allow": ["Sales.*"], "deny": [], "resource": "sales.orders", "permits": true },
+    { "name": "case-insensitive exact pattern", "allow": ["Finance.Payroll"], "deny": [], "resource": "finance.payroll", "permits": true },
+    { "name": "case-insensitive deny pattern", "allow": ["*"], "deny": ["Finance.*"], "resource": "finance.accounts", "permits": false }
+  ]
+}

From c6513f6edc6a2a88011a4629ae25d2e3fa75a88e Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Tue, 23 Jun 2026 13:50:26 +0200
Subject: [PATCH 03/25] =?UTF-8?q?=F0=9F=90=9B=20Handle=20errors=20in=20Thr?=
 =?UTF-8?q?oughputStore=20auto-refresh?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

refresh() runs from a watch/auto-refresh, so a rejected throughput connection
test (ServiceControl unreachable, or the auth token cleared during logout)
surfaced as an unhandled promise rejection. Catch and log instead.
---
 src/Frontend/src/stores/ThroughputStore.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/Frontend/src/stores/ThroughputStore.ts b/src/Frontend/src/stores/ThroughputStore.ts
index e90b48cc4..60e702a07 100644
--- a/src/Frontend/src/stores/ThroughputStore.ts
+++ b/src/Frontend/src/stores/ThroughputStore.ts
@@ -5,6 +5,7 @@ import createThroughputClient from "@/views/throughputreport/throughputClient";
 import { Transport } from "@/views/throughputreport/transport";
 import useIsThroughputSupported from "@/views/throughputreport/isThroughputSupported";
 import monitoringClient from "@/components/monitoring/monitoringClient";
+import logger from "@/logger";
 
 export const useThroughputStore = defineStore("ThroughputStore", () => {
   const isMonitoringEnabled = monitoringClient.isMonitoringEnabled;
@@ -13,8 +14,15 @@ export const useThroughputStore = defineStore("ThroughputStore", () => {
   const throughputClient = createThroughputClient();
 
   const refresh = async () => {
-    if (isThroughputSupported.value) {
+    if (!isThroughputSupported.value) {
+      return;
+    }
+    try {
       testResults.value = await throughputClient.test();
+    } catch (error) {
+      // This runs on a watch/auto-refresh, so a rejection here would be unhandled. Swallow
+      // and log (e.g. ServiceControl unreachable, or the token cleared during logout).
+      logger.error("Failed to run throughput connection test", error);
     }
   };
 

From 0ddcdfdc0c69623e194c6e5ed1eadb0ff877c85e Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Tue, 23 Jun 2026 13:50:26 +0200
Subject: [PATCH 04/25] =?UTF-8?q?=E2=9C=A8=20Gate=20nav=20menu=20on=20user?=
 =?UTF-8?q?=20permissions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PageHeader now shows each nav item only when the user holds the matching
ServiceControl permission (e.g. Heartbeats -> error:heartbeats:view, Throughput
-> error:throughput:view, Monitoring -> monitoring:endpoint:view, Audit ->
audit:message:view), replacing the coarse 7-bool usePermissionGate.

- App.vue loads my/permissions/all once authenticated.
- usePermissions exposes ready (gate-on-ready): the nav renders nothing until
  permissions are known, so items never appear and then disappear. Fail-open on
  auth-disabled / failed load (loadAttempted settles, can() permits).
- Move the descriptor fetch + in-flight dedupe into PermissionsStore so each
  Pinia instance owns it; a module-level singleton leaked a stale request across
  app re-mounts, leaving ready stuck false.
- Tests: hasUserPermissions precondition (mocks my/permissions/all, granted by
  default when auth is enabled); ready unit tests.

ConfigurationView still uses the old summary path until the config-tab step (F5).
---
 src/Frontend/src/App.vue                      | 16 +++++
 src/Frontend/src/components/PageHeader.vue    | 35 ++++++-----
 .../src/composables/usePermissions.spec.ts    | 32 ++++++++++
 .../src/composables/usePermissions.ts         | 32 +++-------
 src/Frontend/src/stores/PermissionsStore.ts   | 43 +++++++++++--
 .../test/preconditions/authentication.ts      | 63 +++++++++++++++++++
 6 files changed, 177 insertions(+), 44 deletions(-)

diff --git a/src/Frontend/src/App.vue b/src/Frontend/src/App.vue
index 567f2973e..a133bf6f8 100644
--- a/src/Frontend/src/App.vue
+++ b/src/Frontend/src/App.vue
@@ -10,6 +10,7 @@ import { storeToRefs } from "pinia";
 import { useAuthStore } from "@/stores/AuthStore";
 import { useUserPermissionsStore } from "@/stores/UserPermissionsStore";
 import { useEnvironmentAndVersionsStore } from "@/stores/EnvironmentAndVersionsStore";
+import { usePermissions } from "@/composables/usePermissions";
 
 const authStore = useAuthStore();
 const route = useRoute();
@@ -27,6 +28,21 @@ watch(
   { immediate: true }
 );
 
+// Load the user's effective permissions (my/permissions/all) once authenticated, so the
+// nav and (later) other UI can gate on them. Fail-safe: a missing/old endpoint just leaves
+// permissions unloaded and the UI fails open. (The summary fetch above is still used by
+// ConfigurationView and is removed in F5 once everything reads usePermissions.)
+const { fetchDescriptor } = usePermissions();
+watch(
+  [authEnabled, isAuthenticated],
+  ([enabled, authenticated]) => {
+    if (enabled && authenticated) {
+      fetchDescriptor();
+    }
+  },
+  { immediate: true }
+);
+
 // Check if the current route allows anonymous access (e.g., logged-out page)
 const isAnonymousRoute = computed(() => route.meta?.allowAnonymous === true);
 const shouldShowApp = computed(() => !authEnabled.value || isAuthenticated.value || isAnonymousRoute.value);
diff --git a/src/Frontend/src/components/PageHeader.vue b/src/Frontend/src/components/PageHeader.vue
index b5c810211..fdb03e618 100644
--- a/src/Frontend/src/components/PageHeader.vue
+++ b/src/Frontend/src/components/PageHeader.vue
@@ -15,7 +15,7 @@ import AuditMenuItem from "./audit/AuditMenuItem.vue";
 import monitoringClient from "@/components/monitoring/monitoringClient";
 import UserProfileMenuItem from "@/components/UserProfileMenuItem.vue";
 import { useAuthStore } from "@/stores/AuthStore";
-import usePermissionGate from "@/composables/usePermissionGate";
+import { usePermissions } from "@/composables/usePermissions";
 import { storeToRefs } from "pinia";
 
 const isMonitoringEnabled = monitoringClient.isMonitoringEnabled;
@@ -23,22 +23,27 @@ const isMonitoringEnabled = monitoringClient.isMonitoringEnabled;
 const authStore = useAuthStore();
 const { authEnabled, isAuthenticated } = storeToRefs(authStore);
 
-const { has } = usePermissionGate();
+const { can, ready } = usePermissions();
 
+// Each item gates on the specific permission ServiceControl enforces for that area.
+// Gate-on-ready: render nothing until permissions are known, so items never appear and
+// then disappear. can() fails open, so auth-disabled / failed-load shows everything.
 // prettier-ignore
-const menuItems = computed(
-  () => [
-  DashboardMenuItem,
-  ...(has("failed_messages_read") ? [HeartbeatsMenuItem] : []),
-  ...(isMonitoringEnabled && has("monitoring_read") ? [MonitoringMenuItem] : []),
-  ...(has("auditing_read") ? [AuditMenuItem] : []),
-  ...(has("failed_messages_read") ? [FailedMessagesMenuItem] : []),
-  ...(has("failed_messages_read") ? [CustomChecksMenuItem] : []),
-  ...(has("failed_messages_read") ? [EventsMenuItem] : []),
-  ...(has("admin_read") ? [ThroughputMenuItem] : []),
-  ConfigurationMenuItem,
-  FeedbackButton,
-]);
+const menuItems = computed(() => {
+  if (!ready.value) return [];
+  return [
+    DashboardMenuItem,
+    ...(can("error:heartbeats:view") ? [HeartbeatsMenuItem] : []),
+    ...(isMonitoringEnabled && can("monitoring:endpoint:view") ? [MonitoringMenuItem] : []),
+    ...(can("audit:message:view") ? [AuditMenuItem] : []),
+    ...(can("error:messages:view") ? [FailedMessagesMenuItem] : []),
+    ...(can("error:customchecks:view") ? [CustomChecksMenuItem] : []),
+    ...(can("error:eventlog:view") ? [EventsMenuItem] : []),
+    ...(can("error:throughput:view") ? [ThroughputMenuItem] : []),
+    ConfigurationMenuItem,
+    FeedbackButton,
+  ];
+});
 </script>
 
 <template>
diff --git a/src/Frontend/src/composables/usePermissions.spec.ts b/src/Frontend/src/composables/usePermissions.spec.ts
index 96c6cf4fa..35e6bf73f 100644
--- a/src/Frontend/src/composables/usePermissions.spec.ts
+++ b/src/Frontend/src/composables/usePermissions.spec.ts
@@ -71,6 +71,38 @@ describe("usePermissions", () => {
     });
   });
 
+  describe("ready (gate-on-ready)", () => {
+    test("ready immediately when authorization is disabled (nothing to gate)", () => {
+      const { ready } = withState({ authEnabled: false, isAuthenticated: true, permissions: null });
+      expect(ready.value).toBe(true);
+    });
+
+    test("not ready while authenticated and the fetch has not settled", () => {
+      const { ready } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
+      expect(ready.value).toBe(false);
+    });
+
+    test("ready after a successful fetch settles", async () => {
+      const { ready, fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
+      fetchFromServiceControl.mockResolvedValue(response(200, { user: "alice", permissions: [] }));
+
+      await fetchDescriptor();
+
+      expect(ready.value).toBe(true);
+    });
+
+    test("ready after a failed fetch settles, and can() then fails open", async () => {
+      vi.spyOn(logger, "warn").mockImplementation(() => {});
+      const { ready, can, fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
+      fetchFromServiceControl.mockResolvedValue(response(500));
+
+      await fetchDescriptor();
+
+      expect(ready.value).toBe(true);
+      expect(can("error:messages:view")).toBe(true); // fail-open: loaded never became true
+    });
+  });
+
   describe("fetchDescriptor", () => {
     test("200 fetches my/permissions/all and populates the store", async () => {
       const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
diff --git a/src/Frontend/src/composables/usePermissions.ts b/src/Frontend/src/composables/usePermissions.ts
index 973f36f27..f3de7f88d 100644
--- a/src/Frontend/src/composables/usePermissions.ts
+++ b/src/Frontend/src/composables/usePermissions.ts
@@ -2,16 +2,10 @@ import { computed } from "vue";
 import { storeToRefs } from "pinia";
 import { usePermissionsStore } from "@/stores/PermissionsStore";
 import { useAuthStore } from "@/stores/AuthStore";
-import serviceControlClient from "@/components/serviceControlClient";
-import logger from "@/logger";
-
-// Module-singleton in-flight guard so concurrent callers (e.g. an app-level load and a
-// view's onMounted) share one request instead of fetching the descriptor twice.
-let inFlight: Promise<void> | null = null;
 
 // Permission-aware composable. Consumers (button v-ifs, nav filters) are UX-only: they
 // hide what the user cannot do. ServiceControl remains the real authority; the descriptor
-// this reads is a cache of the effective permission set the server would enforce.
+// the store holds is a cache of the effective permission set the server would enforce.
 //
 // Gating is fail-open: it only kicks in once authorization is enabled, the user is
 // authenticated and the descriptor has loaded. Otherwise everything is shown, so the UI
@@ -22,26 +16,14 @@ export function usePermissions() {
 
   const shouldGate = computed(() => authEnabled.value && isAuthenticated.value && store.loaded);
 
-  async function load(): Promise<void> {
-    try {
-      const response = await serviceControlClient.fetchFromServiceControl("my/permissions/all");
-
-      // Leave any existing descriptor intact on failure (fail-safe — don't widen or drop
-      // the user's permissions because of a transient error or a 401), and log it.
-      if (!response.ok) {
-        logger.warn(`Failed to fetch permissions: ${response.status} ${response.statusText}`);
-        return;
-      }
-
-      store.setDescriptor(await response.json());
-    } catch (error) {
-      logger.error("Error fetching permissions", error);
-    }
-  }
+  // Whether gating decisions can be made: true when there is nothing to gate (auth off or
+  // user not authenticated) or once a fetch has settled. Consumers use this to hold UI until
+  // permissions are known (gate-on-ready), so items don't appear and then disappear.
+  const ready = computed(() => !(authEnabled.value && isAuthenticated.value) || store.loadAttempted);
 
   // Fetch (or join an in-flight fetch of) the current user's permissions.
   function fetchDescriptor(): Promise<void> {
-    return (inFlight ??= load().finally(() => (inFlight = null)));
+    return store.refresh();
   }
 
   // Whether the current user holds `permission` (e.g. "error:messages:retry").
@@ -56,5 +38,5 @@ export function usePermissions() {
     return permissions.some((permission) => can(permission));
   }
 
-  return { fetchDescriptor, can, canAny, shouldGate };
+  return { fetchDescriptor, can, canAny, shouldGate, ready };
 }
diff --git a/src/Frontend/src/stores/PermissionsStore.ts b/src/Frontend/src/stores/PermissionsStore.ts
index 3f40320df..5fb1db7e3 100644
--- a/src/Frontend/src/stores/PermissionsStore.ts
+++ b/src/Frontend/src/stores/PermissionsStore.ts
@@ -1,5 +1,7 @@
 import { acceptHMRUpdate, defineStore } from "pinia";
 import { ref } from "vue";
+import serviceControlClient from "@/components/serviceControlClient";
+import logger from "@/logger";
 
 // The JSON shape returned by GET api/my/permissions/all (snake_case on the wire).
 // Permissions is a flat list of permission strings, e.g. "error:messages:retry".
@@ -10,12 +12,18 @@ export interface PermissionsDescriptor {
   permissions: string[];
 }
 
-// Holds the current user's effective permission set. Pure state only: fetching lives
-// in usePermissions. A Set gives O(1) membership checks for can().
+// Holds the current user's effective permission set and loads it from ServiceControl.
+// A Set gives O(1) membership checks for usePermissions().can().
 export const usePermissionsStore = defineStore("PermissionsStore", () => {
   const user = ref("");
   const permissions = ref<Set<string>>(new Set());
-  const loaded = ref(false);
+  const loaded = ref(false); // a descriptor was successfully applied
+  const loadAttempted = ref(false); // a fetch has settled (success OR failure)
+
+  // Per-store in-flight guard so concurrent callers share one request. Kept on the store
+  // (not module scope) so each Pinia instance — e.g. a re-mounted app — has its own, and a
+  // stale request can never resolve into a different store instance.
+  let inFlight: Promise<void> | null = null;
 
   function setDescriptor(descriptor: PermissionsDescriptor) {
     user.value = descriptor.user;
@@ -23,13 +31,40 @@ export const usePermissionsStore = defineStore("PermissionsStore", () => {
     loaded.value = true;
   }
 
+  async function load() {
+    try {
+      const response = await serviceControlClient.fetchFromServiceControl("my/permissions/all");
+
+      // Leave any existing descriptor intact on failure (fail-safe — don't widen or drop the
+      // user's permissions because of a transient error or a 401), and log it.
+      if (!response.ok) {
+        logger.warn(`Failed to fetch permissions: ${response.status} ${response.statusText}`);
+        return;
+      }
+
+      setDescriptor(await response.json());
+    } catch (error) {
+      logger.error("Error fetching permissions", error);
+    } finally {
+      // Even on failure, mark the attempt settled so gate-on-ready can proceed; can() then
+      // fails open because loaded stayed false.
+      loadAttempted.value = true;
+    }
+  }
+
+  // Fetch (or join an in-flight fetch of) the current user's permissions.
+  function refresh() {
+    return (inFlight ??= load().finally(() => (inFlight = null)));
+  }
+
   function clear() {
     user.value = "";
     permissions.value = new Set();
     loaded.value = false;
+    loadAttempted.value = false;
   }
 
-  return { user, permissions, loaded, setDescriptor, clear };
+  return { user, permissions, loaded, loadAttempted, setDescriptor, refresh, clear };
 });
 
 if (import.meta.hot) {
diff --git a/src/Frontend/test/preconditions/authentication.ts b/src/Frontend/test/preconditions/authentication.ts
index ba8a73014..8bfdbc8bc 100644
--- a/src/Frontend/test/preconditions/authentication.ts
+++ b/src/Frontend/test/preconditions/authentication.ts
@@ -51,6 +51,66 @@ export const hasAuthenticationDisabled =
     return authDisabledConfig;
   };
 
+/**
+ * The full ServiceControl permission catalogue (writer/admin). Mirrors
+ * ServiceControl's Auth/Permissions.cs. Used as the default for hasUserPermissions so
+ * authenticated tests see the full UI unless they opt into a restricted set.
+ */
+export const allPermissions: string[] = [
+  "error:messages:view",
+  "error:messages:retry",
+  "error:messages:archive",
+  "error:messages:unarchive",
+  "error:messages:edit",
+  "error:recoverabilitygroups:view",
+  "error:recoverabilitygroups:retry",
+  "error:recoverabilitygroups:archive",
+  "error:recoverabilitygroups:unarchive",
+  "error:endpoints:view",
+  "error:endpoints:manage",
+  "error:endpoints:delete",
+  "error:heartbeats:view",
+  "error:customchecks:view",
+  "error:customchecks:delete",
+  "error:sagas:view",
+  "error:eventlog:view",
+  "error:licensing:view",
+  "error:licensing:manage",
+  "error:notifications:view",
+  "error:notifications:manage",
+  "error:notifications:test",
+  "error:redirects:view",
+  "error:redirects:manage",
+  "error:queues:view",
+  "error:queues:delete",
+  "error:throughput:view",
+  "error:throughput:manage",
+  "error:connections:view",
+  "error:connections:manage",
+  "audit:message:view",
+  "audit:connection:view",
+  "audit:endpoint:view",
+  "audit:saga:view",
+  "monitoring:endpoint:view",
+  "monitoring:endpoint:delete",
+  "monitoring:connection:view",
+  "monitoring:license:view",
+];
+
+/**
+ * Mocks GET my/permissions/all (the user's effective permission list).
+ * @param permissions - the permission strings to grant (defaults to the full catalogue)
+ * @param user - the subject name returned in the descriptor
+ */
+export const hasUserPermissions =
+  (permissions: string[] = allPermissions, user = "test-user") =>
+  ({ driver }: SetupFactoryOptions) => {
+    const serviceControlInstanceUrl = window.defaultConfig.service_control_url;
+    driver.mockEndpoint(`${serviceControlInstanceUrl}my/permissions/all`, {
+      body: { user, permissions },
+    });
+  };
+
 /**
  * Authentication enabled with custom configuration
  * @param config - Custom auth configuration to return
@@ -66,6 +126,9 @@ export const hasAuthenticationEnabled =
     driver.mockEndpoint(`${serviceControlInstanceUrl}authentication/configuration`, {
       body: fullConfig,
     });
+    // When auth is enabled the app fetches the user's permissions; provide them by default
+    // (full access) so gate-on-ready can render. Tests can re-mock with a restricted set.
+    hasUserPermissions()({ driver });
     return fullConfig;
   };
 

From d507c20149425c3ed13df11fe96e60c10e22245c Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Tue, 23 Jun 2026 15:29:58 +0200
Subject: [PATCH 05/25] =?UTF-8?q?=E2=9C=A8=20Gate=20failed-message=20actio?=
 =?UTF-8?q?n=20buttons=20on=20permissions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Each failed-message action button now shows only when the user holds the matching
ServiceControl permission, in addition to its existing visibility conditions:

- Retry        -> error:messages:retry
- Edit & retry -> error:messages:edit
- Delete       -> error:messages:archive
- Restore      -> error:messages:unarchive

Fail-open via can() (unchanged for auth-disabled deployments). Verb-level only;
the per-queue resource argument is deferred until ServiceControl supports scopes.
Adds messageButtonPermissions.spec.ts covering shown-when-granted/hidden-when-denied.
---
 .../messages/DeleteMessageButton.vue          |  4 +-
 .../messages/EditAndRetryButton.vue           |  4 +-
 .../messages/RestoreMessageButton.vue         |  4 +-
 .../messages/RetryMessageButton.vue           |  4 +-
 .../messages/messageButtonPermissions.spec.ts | 65 +++++++++++++++++++
 5 files changed, 77 insertions(+), 4 deletions(-)
 create mode 100644 src/Frontend/src/components/messages/messageButtonPermissions.spec.ts

diff --git a/src/Frontend/src/components/messages/DeleteMessageButton.vue b/src/Frontend/src/components/messages/DeleteMessageButton.vue
index 033d39ba1..287985b0a 100644
--- a/src/Frontend/src/components/messages/DeleteMessageButton.vue
+++ b/src/Frontend/src/components/messages/DeleteMessageButton.vue
@@ -9,14 +9,16 @@ import { MessageStatus } from "@/resources/Message";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faTrash } from "@fortawesome/free-solid-svg-icons";
+import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
 const { state } = storeToRefs(store);
+const { can } = usePermissions();
 const isConfirmDialogVisible = ref(false);
 
 const failureStatus = computed(() => state.value.data.failure_status);
 const isDisabled = computed(() => failureStatus.value.retried || failureStatus.value.resolved);
-const isVisible = computed(() => !failureStatus.value.archived && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
+const isVisible = computed(() => can("error:messages:archive") && !failureStatus.value.archived && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
 
 const handleConfirm = async () => {
   isConfirmDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/EditAndRetryButton.vue b/src/Frontend/src/components/messages/EditAndRetryButton.vue
index 4976aedf4..b1f434fe4 100644
--- a/src/Frontend/src/components/messages/EditAndRetryButton.vue
+++ b/src/Frontend/src/components/messages/EditAndRetryButton.vue
@@ -10,15 +10,17 @@ import { MessageStatus } from "@/resources/Message";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faPencil } from "@fortawesome/free-solid-svg-icons";
+import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
 const { state, edit_and_retry_config, editRetryResponse } = storeToRefs(store);
+const { can } = usePermissions();
 const isConfirmDialogVisible = ref(false);
 const isEditIgnoredDialogVisible = ref(false);
 
 const failureStatus = computed(() => state.value.data.failure_status);
 const isDisabled = computed(() => failureStatus.value.retried || failureStatus.value.archived || failureStatus.value.resolved);
-const isVisible = computed(() => edit_and_retry_config.value.enabled && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
+const isVisible = computed(() => can("error:messages:edit") && edit_and_retry_config.value.enabled && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
 
 const handleIgnoreClose = async () => {
   isEditIgnoredDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/RestoreMessageButton.vue b/src/Frontend/src/components/messages/RestoreMessageButton.vue
index 5390b3f82..36969f724 100644
--- a/src/Frontend/src/components/messages/RestoreMessageButton.vue
+++ b/src/Frontend/src/components/messages/RestoreMessageButton.vue
@@ -8,12 +8,14 @@ import { TYPE } from "vue-toastification";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faUndo } from "@fortawesome/free-solid-svg-icons";
+import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
 const { state } = storeToRefs(store);
+const { can } = usePermissions();
 const isConfirmDialogVisible = ref(false);
 
-const isVisible = computed(() => state.value.data.failure_status.archived);
+const isVisible = computed(() => can("error:messages:unarchive") && state.value.data.failure_status.archived);
 
 const handleConfirm = async () => {
   isConfirmDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/RetryMessageButton.vue b/src/Frontend/src/components/messages/RetryMessageButton.vue
index b670a8908..dee67f722 100644
--- a/src/Frontend/src/components/messages/RetryMessageButton.vue
+++ b/src/Frontend/src/components/messages/RetryMessageButton.vue
@@ -9,14 +9,16 @@ import { MessageStatus } from "@/resources/Message";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faRefresh } from "@fortawesome/free-solid-svg-icons";
+import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
 const { state } = storeToRefs(store);
+const { can } = usePermissions();
 const isConfirmDialogVisible = ref(false);
 
 const failureStatus = computed(() => state.value.data.failure_status);
 const isDisabled = computed(() => failureStatus.value.retried || failureStatus.value.archived || failureStatus.value.resolved);
-const isVisible = computed(() => state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
+const isVisible = computed(() => can("error:messages:retry") && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
 
 const handleConfirm = async () => {
   isConfirmDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
new file mode 100644
index 000000000..48a3dc4af
--- /dev/null
+++ b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
@@ -0,0 +1,65 @@
+import { render, screen } from "@testing-library/vue";
+import { describe, test, expect, beforeEach } from "vitest";
+import { createTestingPinia } from "@pinia/testing";
+import type { Component } from "vue";
+import { MessageStatus } from "@/resources/Message";
+import RetryMessageButton from "@/components/messages/RetryMessageButton.vue";
+import EditAndRetryButton from "@/components/messages/EditAndRetryButton.vue";
+import DeleteMessageButton from "@/components/messages/DeleteMessageButton.vue";
+import RestoreMessageButton from "@/components/messages/RestoreMessageButton.vue";
+
+// Each failed-message action button is gated on its own ServiceControl permission. These
+// tests pin the per-action gating: with auth enabled + the descriptor loaded, the button
+// shows only when the matching permission is granted.
+interface ButtonCase {
+  name: string;
+  component: Component;
+  permission: string;
+  text: RegExp;
+  archived: boolean; // Restore is only relevant on an archived message; the others on a live one
+}
+
+const cases: ButtonCase[] = [
+  { name: "Retry", component: RetryMessageButton, permission: "error:messages:retry", text: /Retry message/i, archived: false },
+  { name: "Edit & retry", component: EditAndRetryButton, permission: "error:messages:edit", text: /Edit & retry/i, archived: false },
+  { name: "Delete", component: DeleteMessageButton, permission: "error:messages:archive", text: /Delete message/i, archived: false },
+  { name: "Restore", component: RestoreMessageButton, permission: "error:messages:unarchive", text: /Restore/i, archived: true },
+];
+
+function renderButton(component: Component, permissions: string[], archived: boolean) {
+  render(component, {
+    global: {
+      plugins: [
+        createTestingPinia({
+          stubActions: true,
+          initialState: {
+            auth: { authEnabled: true, isAuthenticated: true },
+            PermissionsStore: { permissions: new Set(permissions), loaded: true, loadAttempted: true },
+            MessageStore: {
+              state: { data: { id: "msg-1", status: MessageStatus.Failed, failure_status: { archived } } },
+              edit_and_retry_config: { enabled: true, locked_headers: [], sensitive_headers: [] },
+            },
+          },
+        }),
+      ],
+      directives: { tippy: () => {} },
+    },
+  });
+}
+
+describe("failed-message action button permissions", () => {
+  beforeEach(() => {
+    // Teleport target used by the confirm dialogs the buttons render.
+    document.body.innerHTML = '<div id="modalDisplay"></div>';
+  });
+
+  test.each(cases)("$name is shown when its permission is granted", ({ component, permission, text, archived }) => {
+    renderButton(component, [permission], archived);
+    expect(screen.queryByText(text)).not.toBeNull();
+  });
+
+  test.each(cases)("$name is hidden when its permission is denied", ({ component, text, archived }) => {
+    renderButton(component, [], archived);
+    expect(screen.queryByText(text)).toBeNull();
+  });
+});

From d1e7ef8e297306cb0736e80892419d190fa1d160 Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Wed, 24 Jun 2026 08:28:57 +0200
Subject: [PATCH 06/25] =?UTF-8?q?=E2=9C=A8=20Gate=20configuration=20tabs?=
 =?UTF-8?q?=20on=20permissions;=20show=20flat=20permission=20list?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ConfigurationView tabs now gate on the specific ServiceControl permission each
needs, via usePermissions (gate-on-ready, consistent with the nav):

- License        -> error:licensing:view
- Usage Setup    -> error:throughput:manage
- MassTransit    -> error:connections:view
- Health Checks  -> error:notifications:view
- Retry Redirects-> error:redirects:view
- Connections    -> error:connections:view
- Endpoint Conn. -> error:endpoints:view
- User Permissions tab -> shown when auth is enabled

Connections / Endpoint Connection were previously ungated; they now require the
permission the server actually enforces.

The User Permissions page is reworked to render the new flat descriptor (user +
sorted list of granted permission strings) instead of the retired 7-bool matrix.
---
 .../configuration/UserPermissions.vue         | 101 ++++--------------
 src/Frontend/src/views/ConfigurationView.vue  |  34 +++---
 2 files changed, 36 insertions(+), 99 deletions(-)

diff --git a/src/Frontend/src/components/configuration/UserPermissions.vue b/src/Frontend/src/components/configuration/UserPermissions.vue
index 973b7b1cc..01ad5f10a 100644
--- a/src/Frontend/src/components/configuration/UserPermissions.vue
+++ b/src/Frontend/src/components/configuration/UserPermissions.vue
@@ -1,97 +1,40 @@
 <script setup lang="ts">
-import { onMounted } from "vue";
-import { faCheck, faTimes } from "@fortawesome/free-solid-svg-icons";
-import FAIcon from "@/components/FAIcon.vue";
-import LoadingSpinner from "@/components/LoadingSpinner.vue";
-import { useUserPermissionsStore } from "@/stores/UserPermissionsStore";
+import { computed, onMounted } from "vue";
+import { storeToRefs } from "pinia";
+import { usePermissionsStore } from "@/stores/PermissionsStore";
+import { usePermissions } from "@/composables/usePermissions";
 
-const store = useUserPermissionsStore();
+const store = usePermissionsStore();
+const { user, permissions, loadAttempted } = storeToRefs(store);
+const { fetchDescriptor } = usePermissions();
 
-onMounted(async () => {
-  await store.refresh();
+// Sorted for a stable, readable list.
+const sortedPermissions = computed(() => [...permissions.value].sort());
+
+onMounted(() => {
+  // Normally already loaded at app start; ensures the page works on direct navigation.
+  fetchDescriptor();
 });
 </script>
 
 <template>
   <section name="user-permissions">
     <div class="box">
-      <LoadingSpinner v-if="store.loading" />
-      <div v-else-if="store.error" class="alert alert-danger">{{ store.error }}</div>
-      <template v-else-if="store.summary && store.descriptor">
-        <div class="row">
-          <div class="col-12">
-            <h3>Permissions Summary</h3>
-            <table class="table permissions-table">
-              <thead>
-                <tr>
-                  <th>Area</th>
-                  <th class="text-center">Read</th>
-                  <th class="text-center">Write</th>
-                </tr>
-              </thead>
-              <tbody>
-                <tr>
-                  <td>Failed Messages</td>
-                  <td class="text-center">
-                    <FAIcon :icon="store.summary.failed_messages_read ? faCheck : faTimes" :class="store.summary.failed_messages_read ? 'text-success' : 'text-danger'" />
-                  </td>
-                  <td class="text-center">
-                    <FAIcon :icon="store.summary.failed_messages_write ? faCheck : faTimes" :class="store.summary.failed_messages_write ? 'text-success' : 'text-danger'" />
-                  </td>
-                </tr>
-                <tr>
-                  <td>Auditing</td>
-                  <td class="text-center">
-                    <FAIcon :icon="store.summary.auditing_read ? faCheck : faTimes" :class="store.summary.auditing_read ? 'text-success' : 'text-danger'" />
-                  </td>
-                  <td class="text-center">—</td>
-                </tr>
-                <tr>
-                  <td>Monitoring</td>
-                  <td class="text-center">
-                    <FAIcon :icon="store.summary.monitoring_read ? faCheck : faTimes" :class="store.summary.monitoring_read ? 'text-success' : 'text-danger'" />
-                  </td>
-                  <td class="text-center">
-                    <FAIcon :icon="store.summary.monitoring_write ? faCheck : faTimes" :class="store.summary.monitoring_write ? 'text-success' : 'text-danger'" />
-                  </td>
-                </tr>
-                <tr>
-                  <td>Admin</td>
-                  <td class="text-center">
-                    <FAIcon :icon="store.summary.admin_read ? faCheck : faTimes" :class="store.summary.admin_read ? 'text-success' : 'text-danger'" />
-                  </td>
-                  <td class="text-center">
-                    <FAIcon :icon="store.summary.admin_write ? faCheck : faTimes" :class="store.summary.admin_write ? 'text-success' : 'text-danger'" />
-                  </td>
-                </tr>
-              </tbody>
-            </table>
-          </div>
-        </div>
-        <div class="row">
-          <div class="col-12">
-            <h3>All Permissions</h3>
-            <p class="user-label">User: {{ store.descriptor.user }}</p>
-            <ul class="permissions-list">
-              <li v-for="permission in store.descriptor.permissions" :key="permission">{{ permission }}</li>
-            </ul>
-          </div>
+      <div class="row">
+        <div class="col-12">
+          <h3>Your permissions</h3>
+          <p class="user-label">User: {{ user || "—" }}</p>
+          <ul v-if="sortedPermissions.length" class="permissions-list">
+            <li v-for="permission in sortedPermissions" :key="permission">{{ permission }}</li>
+          </ul>
+          <p v-else-if="loadAttempted" class="user-label">No permissions are granted to this user.</p>
         </div>
-      </template>
+      </div>
     </div>
   </section>
 </template>
 
 <style scoped>
-.permissions-table {
-  max-width: 480px;
-}
-
-.permissions-table th,
-.permissions-table td {
-  padding: 10px 16px;
-}
-
 .user-label {
   color: #666;
   margin-bottom: 12px;
diff --git a/src/Frontend/src/views/ConfigurationView.vue b/src/Frontend/src/views/ConfigurationView.vue
index 0dd4f7ea6..8525afbfe 100644
--- a/src/Frontend/src/views/ConfigurationView.vue
+++ b/src/Frontend/src/views/ConfigurationView.vue
@@ -12,8 +12,7 @@ import useConnectionsAndStatsAutoRefresh from "@/composables/useConnectionsAndSt
 import { useRedirectsStore } from "@/stores/RedirectsStore";
 import { useLicenseStore } from "@/stores/LicenseStore";
 import { useAuthStore } from "@/stores/AuthStore";
-import usePermissionGate from "@/composables/usePermissionGate";
-import { useEnvironmentAndVersionsStore } from "@/stores/EnvironmentAndVersionsStore";
+import { usePermissions } from "@/composables/usePermissions";
 
 const { store: throughputStore } = useThroughputStoreAutoRefresh();
 const { hasErrors } = storeToRefs(throughputStore);
@@ -23,10 +22,10 @@ const redirectsStore = useRedirectsStore();
 const licenseStore = useLicenseStore();
 const { licenseStatus } = licenseStore;
 const authStore = useAuthStore();
-const environmentStore = useEnvironmentAndVersionsStore();
 
-const { has } = usePermissionGate();
-const hasAdminRead = computed(() => has("admin_read"));
+// Each tab gates on the specific permission ServiceControl enforces for it. Gate-on-ready:
+// the tab row is held until permissions are known, so tabs don't appear and then disappear.
+const { can, ready } = usePermissions();
 
 onMounted(async () => {
   if (notConnected.value) {
@@ -61,13 +60,13 @@ function preventIfDisabled(e: Event) {
     </div>
     <div class="row">
       <div class="col-sm-12">
-        <div class="nav tabs">
-          <h5 v-if="hasAdminRead" :class="{ active: isRouteSelected(routeLinks.configuration.license.link), disabled: notConnected }" @click.capture="preventIfDisabled" class="nav-item" role="tab" aria-label="license">
+        <div class="nav tabs" v-if="ready">
+          <h5 v-if="can('error:licensing:view')" :class="{ active: isRouteSelected(routeLinks.configuration.license.link), disabled: notConnected }" @click.capture="preventIfDisabled" class="nav-item" role="tab" aria-label="license">
             <RouterLink :to="routeLinks.configuration.license.link">License</RouterLink>
             <exclamation-mark :type="convertToWarningLevel(licenseStatus.warningLevel)" />
           </h5>
           <h5
-            v-if="hasAdminRead"
+            v-if="can('error:throughput:manage')"
             :class="{ active: isRouteSelected(routeLinks.throughput.setup.root) || isRouteSelected(routeLinks.throughput.setup.mask.link) || isRouteSelected(routeLinks.throughput.setup.diagnostics.link), disabled: notConnected }"
             @click.capture="preventIfDisabled"
             class="nav-item"
@@ -79,7 +78,7 @@ function preventIfDisabled(e: Event) {
           </h5>
           <template v-if="!licenseStatus.isExpired">
             <h5
-              v-if="hasAdminRead"
+              v-if="can('error:connections:view')"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.massTransitConnector.link),
                 disabled: notConnected,
@@ -92,7 +91,7 @@ function preventIfDisabled(e: Event) {
               <RouterLink :to="routeLinks.configuration.massTransitConnector.link">MassTransit Connector</RouterLink>
             </h5>
             <h5
-              v-if="hasAdminRead"
+              v-if="can('error:notifications:view')"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.healthCheckNotifications.link),
                 disabled: notConnected,
@@ -105,7 +104,7 @@ function preventIfDisabled(e: Event) {
               <RouterLink :to="routeLinks.configuration.healthCheckNotifications.link">Health Check Notifications</RouterLink>
             </h5>
             <h5
-              v-if="hasAdminRead"
+              v-if="can('error:redirects:view')"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.retryRedirects.link),
                 disabled: notConnected,
@@ -118,6 +117,7 @@ function preventIfDisabled(e: Event) {
               <RouterLink :to="routeLinks.configuration.retryRedirects.link">Retry Redirects ({{ redirectsStore.redirects.total }})</RouterLink>
             </h5>
             <h5
+              v-if="can('error:connections:view')"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.connections.link),
               }"
@@ -131,6 +131,7 @@ function preventIfDisabled(e: Event) {
               </RouterLink>
             </h5>
             <h5
+              v-if="can('error:endpoints:view')"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.endpointConnection.link),
                 disabled: notConnected,
@@ -144,21 +145,14 @@ function preventIfDisabled(e: Event) {
             </h5>
           </template>
           <template v-else>
-            <h5 :class="{ active: isRouteSelected(routeLinks.configuration.connections.link) }" class="nav-item" role="tab" aria-label="connections">
+            <h5 v-if="can('error:connections:view')" :class="{ active: isRouteSelected(routeLinks.configuration.connections.link) }" class="nav-item" role="tab" aria-label="connections">
               <RouterLink :to="routeLinks.configuration.connections.link">
                 Connections
                 <exclamation-mark v-if="connectionStore.displayConnectionsWarning" :type="WarningLevel.Danger" />
               </RouterLink>
             </h5>
           </template>
-          <h5
-            v-if="authStore.authEnabled && environmentStore.environment.supportsUserPermissions"
-            :class="{ active: isRouteSelected(routeLinks.configuration.userPermissions.link), disabled: notConnected }"
-            @click.capture="preventIfDisabled"
-            class="nav-item"
-            role="tab"
-            aria-label="user-permissions"
-          >
+          <h5 v-if="authStore.authEnabled" :class="{ active: isRouteSelected(routeLinks.configuration.userPermissions.link), disabled: notConnected }" @click.capture="preventIfDisabled" class="nav-item" role="tab" aria-label="user-permissions">
             <RouterLink :to="routeLinks.configuration.userPermissions.link">User Permissions</RouterLink>
           </h5>
         </div>

From f285967850f14321968df9a5976f5e1bb2f41ab4 Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Wed, 24 Jun 2026 08:33:18 +0200
Subject: [PATCH 07/25] =?UTF-8?q?=F0=9F=94=A5=20Remove=20the=20retired=207?=
 =?UTF-8?q?-bool=20permission-summary=20path?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Nothing reads the old summary path anymore (PageHeader, ConfigurationView and the
User Permissions page now use usePermissions / PermissionsStore), so delete it:

- usePermissionGate composable (+ spec)
- UserPermissionsStore (+ spec)
- App.vue: drop the old summary-fetch watch and its supportsUserPermissions gate,
  leaving only the my/permissions/all load
- EnvironmentAndVersionsStore: drop the now-unused supportsUserPermissions,
  mypermissions_all_url and mypermissions_summary_url fields
---
 src/Frontend/src/App.vue                      | 19 +---
 .../src/composables/usePermissionGate.spec.ts | 75 ----------------
 .../src/composables/usePermissionGate.ts      | 22 -----
 .../src/stores/EnvironmentAndVersionsStore.ts |  6 --
 .../src/stores/UserPermissionsStore.spec.ts   | 89 -------------------
 .../src/stores/UserPermissionsStore.ts        | 63 -------------
 6 files changed, 2 insertions(+), 272 deletions(-)
 delete mode 100644 src/Frontend/src/composables/usePermissionGate.spec.ts
 delete mode 100644 src/Frontend/src/composables/usePermissionGate.ts
 delete mode 100644 src/Frontend/src/stores/UserPermissionsStore.spec.ts
 delete mode 100644 src/Frontend/src/stores/UserPermissionsStore.ts

diff --git a/src/Frontend/src/App.vue b/src/Frontend/src/App.vue
index a133bf6f8..5f0f6d49a 100644
--- a/src/Frontend/src/App.vue
+++ b/src/Frontend/src/App.vue
@@ -8,30 +8,15 @@ import LicenseNotifications from "@/components/LicenseNotifications.vue";
 import BackendChecksNotifications from "@/components/BackendChecksNotifications.vue";
 import { storeToRefs } from "pinia";
 import { useAuthStore } from "@/stores/AuthStore";
-import { useUserPermissionsStore } from "@/stores/UserPermissionsStore";
-import { useEnvironmentAndVersionsStore } from "@/stores/EnvironmentAndVersionsStore";
 import { usePermissions } from "@/composables/usePermissions";
 
 const authStore = useAuthStore();
 const route = useRoute();
 const { isAuthenticated, authEnabled } = storeToRefs(authStore);
 
-const permissionsStore = useUserPermissionsStore();
-const environmentStore = useEnvironmentAndVersionsStore();
-watch(
-  [authEnabled, isAuthenticated, () => environmentStore.environment.supportsUserPermissions],
-  ([enabled, authenticated, supported]) => {
-    if (enabled && authenticated && supported) {
-      permissionsStore.refresh();
-    }
-  },
-  { immediate: true }
-);
-
 // Load the user's effective permissions (my/permissions/all) once authenticated, so the
-// nav and (later) other UI can gate on them. Fail-safe: a missing/old endpoint just leaves
-// permissions unloaded and the UI fails open. (The summary fetch above is still used by
-// ConfigurationView and is removed in F5 once everything reads usePermissions.)
+// nav and other UI can gate on them. Fail-safe: a missing/old endpoint just leaves
+// permissions unloaded and the UI fails open.
 const { fetchDescriptor } = usePermissions();
 watch(
   [authEnabled, isAuthenticated],
diff --git a/src/Frontend/src/composables/usePermissionGate.spec.ts b/src/Frontend/src/composables/usePermissionGate.spec.ts
deleted file mode 100644
index a76ed96c6..000000000
--- a/src/Frontend/src/composables/usePermissionGate.spec.ts
+++ /dev/null
@@ -1,75 +0,0 @@
-import { describe, test, expect, beforeEach } from "vitest";
-import { createTestingPinia } from "@pinia/testing";
-import { setActivePinia } from "pinia";
-import usePermissionGate from "@/composables/usePermissionGate";
-import { useAuthStore } from "@/stores/AuthStore";
-import { useUserPermissionsStore, type PermissionsSummary } from "@/stores/UserPermissionsStore";
-
-const summaryWith = (overrides: Partial<PermissionsSummary> = {}): PermissionsSummary => ({
-  failed_messages_read: false,
-  failed_messages_write: false,
-  auditing_read: false,
-  monitoring_read: false,
-  monitoring_write: false,
-  admin_read: false,
-  admin_write: false,
-  ...overrides,
-});
-
-describe("usePermissionGate", () => {
-  beforeEach(() => {
-    setActivePinia(createTestingPinia({ stubActions: false }));
-  });
-
-  function withState(opts: { authEnabled: boolean; isAuthenticated: boolean; summary: PermissionsSummary | null }) {
-    const auth = useAuthStore();
-    auth.authEnabled = opts.authEnabled;
-    auth.isAuthenticated = opts.isAuthenticated;
-    useUserPermissionsStore().summary = opts.summary;
-    return usePermissionGate();
-  }
-
-  test("fails open (shows everything) when authorization is disabled", () => {
-    const { has, shouldGate } = withState({ authEnabled: false, isAuthenticated: true, summary: summaryWith() });
-
-    expect(shouldGate.value).toBe(false);
-    expect(has("admin_read")).toBe(true);
-    expect(has("failed_messages_read")).toBe(true);
-  });
-
-  test("fails open when the user is not authenticated", () => {
-    const { has, shouldGate } = withState({ authEnabled: true, isAuthenticated: false, summary: summaryWith() });
-
-    expect(shouldGate.value).toBe(false);
-    expect(has("admin_read")).toBe(true);
-  });
-
-  test("fails open while the permission summary has not loaded yet", () => {
-    const { has, shouldGate } = withState({ authEnabled: true, isAuthenticated: true, summary: null });
-
-    expect(shouldGate.value).toBe(false);
-    expect(has("admin_read")).toBe(true);
-  });
-
-  test("gates per flag once enabled, authenticated and loaded", () => {
-    const { has, shouldGate } = withState({ authEnabled: true, isAuthenticated: true, summary: summaryWith({ admin_read: true }) });
-
-    expect(shouldGate.value).toBe(true);
-    expect(has("admin_read")).toBe(true);
-    expect(has("failed_messages_read")).toBe(false);
-  });
-
-  test("reacts to the summary being updated", () => {
-    const auth = useAuthStore();
-    auth.authEnabled = true;
-    auth.isAuthenticated = true;
-    const permissions = useUserPermissionsStore();
-    permissions.summary = summaryWith();
-
-    const { has } = usePermissionGate();
-    expect(has("monitoring_read")).toBe(false);
-
-    permissions.summary = summaryWith({ monitoring_read: true });
-    expect(has("monitoring_read")).toBe(true);
-  });
-});
diff --git a/src/Frontend/src/composables/usePermissionGate.ts b/src/Frontend/src/composables/usePermissionGate.ts
deleted file mode 100644
index 516a3abee..000000000
--- a/src/Frontend/src/composables/usePermissionGate.ts
+++ /dev/null
@@ -1,22 +0,0 @@
-import { computed } from "vue";
-import { storeToRefs } from "pinia";
-import { useAuthStore } from "@/stores/AuthStore";
-import { useUserPermissionsStore, type PermissionsSummary } from "@/stores/UserPermissionsStore";
-
-// Centralises the "should this UI element be shown for the current user" decision.
-// Gating only kicks in once authorization is enabled, the user is authenticated and
-// the permission summary has loaded; otherwise everything is shown (fail-open) so the
-// UI is unchanged for unauthenticated/older-ServiceControl setups. Server-side checks
-// remain the real enforcement — this only hides UI the user cannot use anyway.
-export default function usePermissionGate() {
-  const { authEnabled, isAuthenticated } = storeToRefs(useAuthStore());
-  const { summary } = storeToRefs(useUserPermissionsStore());
-
-  const shouldGate = computed(() => authEnabled.value && isAuthenticated.value && summary.value !== null);
-
-  function has(flag: keyof PermissionsSummary): boolean {
-    return !shouldGate.value || summary.value?.[flag] === true;
-  }
-
-  return { has, shouldGate };
-}
diff --git a/src/Frontend/src/stores/EnvironmentAndVersionsStore.ts b/src/Frontend/src/stores/EnvironmentAndVersionsStore.ts
index 1ce6b4f09..0f15264f9 100644
--- a/src/Frontend/src/stores/EnvironmentAndVersionsStore.ts
+++ b/src/Frontend/src/stores/EnvironmentAndVersionsStore.ts
@@ -17,9 +17,6 @@ export const useEnvironmentAndVersionsStore = defineStore("EnvironmentAndVersion
     is_compatible_with_sc: true,
     sp_version: window.defaultConfig && window.defaultConfig.version ? window.defaultConfig.version : "1.2.0",
     supportsArchiveGroups: false,
-    supportsUserPermissions: false,
-    mypermissions_all_url: "",
-    mypermissions_summary_url: "",
     endpoints_error_url: "",
     known_endpoints_url: "",
     endpoints_message_search_url: "",
@@ -59,9 +56,6 @@ export const useEnvironmentAndVersionsStore = defineStore("EnvironmentAndVersion
     const [products, scVer] = await Promise.all([productsResult, scResult, mResult]);
     if (scVer) {
       environment.supportsArchiveGroups = !!scVer.archived_groups_url;
-      environment.supportsUserPermissions = !!scVer.mypermissions_all && !!scVer.mypermissions_summary;
-      environment.mypermissions_all_url = scVer.mypermissions_all ?? "";
-      environment.mypermissions_summary_url = scVer.mypermissions_summary ?? "";
       environment.is_compatible_with_sc = isSupported(environment.sc_version, environment.minimum_supported_sc_version);
       environment.endpoints_error_url = scVer && scVer.endpoints_error_url;
       environment.known_endpoints_url = scVer && scVer.known_endpoints_url;
diff --git a/src/Frontend/src/stores/UserPermissionsStore.spec.ts b/src/Frontend/src/stores/UserPermissionsStore.spec.ts
deleted file mode 100644
index e73270c92..000000000
--- a/src/Frontend/src/stores/UserPermissionsStore.spec.ts
+++ /dev/null
@@ -1,89 +0,0 @@
-import { describe, test, expect, beforeEach, vi } from "vitest";
-import { createTestingPinia } from "@pinia/testing";
-import { setActivePinia } from "pinia";
-
-vi.mock("@/components/serviceControlClient", () => ({
-  default: { fetchTypedFromUrl: vi.fn() },
-}));
-
-import serviceControlClient from "@/components/serviceControlClient";
-import logger from "@/logger";
-import { useUserPermissionsStore } from "@/stores/UserPermissionsStore";
-import { useEnvironmentAndVersionsStore } from "@/stores/EnvironmentAndVersionsStore";
-
-const summaryUrl = "http://localhost/my/permissions";
-const allUrl = "http://localhost/my/permissions/all";
-
-const fetchTypedFromUrl = vi.mocked(serviceControlClient.fetchTypedFromUrl);
-
-const summaryData = { failed_messages_read: true, failed_messages_write: false, auditing_read: true, monitoring_read: false, monitoring_write: false, admin_read: false, admin_write: false };
-const descriptorData = { user: "alice", permissions: ["error:messages:view", "audit:view"] };
-
-function ok<T>(data: T): [Response, T] {
-  return [{} as Response, data];
-}
-
-function setup() {
-  setActivePinia(createTestingPinia({ stubActions: false }));
-  const environment = useEnvironmentAndVersionsStore().environment;
-  environment.mypermissions_summary_url = summaryUrl;
-  environment.mypermissions_all_url = allUrl;
-  return useUserPermissionsStore();
-}
-
-describe("UserPermissionsStore", () => {
-  beforeEach(() => {
-    fetchTypedFromUrl.mockReset();
-  });
-
-  test("refresh fetches the discovered URLs and populates summary and descriptor", async () => {
-    const store = setup();
-    fetchTypedFromUrl.mockImplementation((url: string) => Promise.resolve(url === summaryUrl ? ok(summaryData) : ok(descriptorData)));
-
-    await store.refresh();
-
-    expect(fetchTypedFromUrl).toHaveBeenCalledWith(summaryUrl);
-    expect(fetchTypedFromUrl).toHaveBeenCalledWith(allUrl);
-    expect(store.summary).toEqual(summaryData);
-    expect(store.descriptor).toEqual(descriptorData);
-    expect(store.error).toBeNull();
-    expect(store.loading).toBe(false);
-  });
-
-  test("refresh records an error and logs when a request fails", async () => {
-    const store = setup();
-    const loggerError = vi.spyOn(logger, "error").mockImplementation(() => {});
-    const failure = new Error("boom");
-    fetchTypedFromUrl.mockRejectedValue(failure);
-
-    await store.refresh();
-
-    expect(store.summary).toBeNull();
-    expect(store.error).toBe("Failed to load user permissions");
-    expect(store.loading).toBe(false);
-    expect(loggerError).toHaveBeenCalledWith("Failed to load user permissions", failure);
-    loggerError.mockRestore();
-  });
-
-  test("concurrent refreshes share a single in-flight request", async () => {
-    const store = setup();
-    let resolveSummary: (value: [Response, typeof summaryData]) => void = () => {};
-    const pendingSummary = new Promise<[Response, typeof summaryData]>((resolve) => (resolveSummary = resolve));
-    fetchTypedFromUrl.mockImplementation((url: string) => (url === summaryUrl ? pendingSummary : Promise.resolve(ok(descriptorData))));
-
-    const first = store.refresh();
-    const second = store.refresh();
-
-    // One load in flight => two endpoint calls (summary + descriptor), not four.
-    expect(fetchTypedFromUrl).toHaveBeenCalledTimes(2);
-
-    resolveSummary(ok(summaryData));
-    await Promise.all([first, second]);
-
-    expect(store.summary).toEqual(summaryData);
-
-    // Once settled the in-flight slot is released, so a later refresh fetches again.
-    await store.refresh();
-    expect(fetchTypedFromUrl).toHaveBeenCalledTimes(4);
-  });
-});
diff --git a/src/Frontend/src/stores/UserPermissionsStore.ts b/src/Frontend/src/stores/UserPermissionsStore.ts
deleted file mode 100644
index 434adaa32..000000000
--- a/src/Frontend/src/stores/UserPermissionsStore.ts
+++ /dev/null
@@ -1,63 +0,0 @@
-import { acceptHMRUpdate, defineStore } from "pinia";
-import { ref } from "vue";
-import serviceControlClient from "@/components/serviceControlClient";
-import { useEnvironmentAndVersionsStore } from "@/stores/EnvironmentAndVersionsStore";
-import logger from "@/logger";
-
-interface PermissionsSummary {
-  failed_messages_read: boolean;
-  failed_messages_write: boolean;
-  auditing_read: boolean;
-  monitoring_read: boolean;
-  monitoring_write: boolean;
-  admin_read: boolean;
-  admin_write: boolean;
-}
-
-interface PermissionsDescriptor {
-  user: string;
-  permissions: string[];
-}
-
-export const useUserPermissionsStore = defineStore("UserPermissionsStore", () => {
-  const summary = ref<PermissionsSummary | null>(null);
-  const descriptor = ref<PermissionsDescriptor | null>(null);
-  const loading = ref(false);
-  const error = ref<string | null>(null);
-
-  // Multiple callers can request a refresh in the same tick (the App-level watch
-  // and the User Permissions view's onMounted). Share a single in-flight request
-  // so they don't trigger duplicate fetches.
-  let inFlight: Promise<void> | null = null;
-
-  function refresh() {
-    return (inFlight ??= load().finally(() => (inFlight = null)));
-  }
-
-  async function load() {
-    loading.value = true;
-    error.value = null;
-    const { environment } = useEnvironmentAndVersionsStore();
-    try {
-      const [summaryResult, descriptorResult] = await Promise.all([
-        serviceControlClient.fetchTypedFromUrl<PermissionsSummary>(environment.mypermissions_summary_url),
-        serviceControlClient.fetchTypedFromUrl<PermissionsDescriptor>(environment.mypermissions_all_url),
-      ]);
-      summary.value = summaryResult[1];
-      descriptor.value = descriptorResult[1];
-    } catch (err) {
-      logger.error("Failed to load user permissions", err);
-      error.value = "Failed to load user permissions";
-    } finally {
-      loading.value = false;
-    }
-  }
-
-  return { summary, descriptor, loading, error, refresh };
-});
-
-export type { PermissionsSummary, PermissionsDescriptor };
-
-if (import.meta.hot) {
-  import.meta.hot.accept(acceptHMRUpdate(useUserPermissionsStore, import.meta.hot));
-}

From 59000babe3b9c36531b86a06b6fbb98c3aef35dc Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Wed, 24 Jun 2026 16:03:40 +0200
Subject: [PATCH 08/25] =?UTF-8?q?=F0=9F=92=84=20Show=20the=20User=20Permis?=
 =?UTF-8?q?sions=20page=20as=20a=20per-instance=20permission=20matrix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace the flat list of permission strings with a table per instance (Error/
Audit/Monitoring): features as rows, actions as columns, a checkmark where the
action is granted. All tables share the same column set, ordered most-widely-
shared first (View, Delete, then the rest) so columns line up across instances; a
column shows its header and checks only for instances that use it. Feature names
are left-aligned and action columns have a fixed width, so the table shrinks to
fit and stays left-aligned (a view-only user sees just Feature | View). Features
and instances with no granted permission are omitted.
---
 .../configuration/UserPermissions.vue         | 223 ++++++++++++++++--
 1 file changed, 199 insertions(+), 24 deletions(-)

diff --git a/src/Frontend/src/components/configuration/UserPermissions.vue b/src/Frontend/src/components/configuration/UserPermissions.vue
index 01ad5f10a..6e2214f66 100644
--- a/src/Frontend/src/components/configuration/UserPermissions.vue
+++ b/src/Frontend/src/components/configuration/UserPermissions.vue
@@ -1,6 +1,8 @@
 <script setup lang="ts">
 import { computed, onMounted } from "vue";
 import { storeToRefs } from "pinia";
+import { faCheck } from "@fortawesome/free-solid-svg-icons";
+import FAIcon from "@/components/FAIcon.vue";
 import { usePermissionsStore } from "@/stores/PermissionsStore";
 import { usePermissions } from "@/composables/usePermissions";
 
@@ -8,8 +10,108 @@ const store = usePermissionsStore();
 const { user, permissions, loadAttempted } = storeToRefs(store);
 const { fetchDescriptor } = usePermissions();
 
-// Sorted for a stable, readable list.
-const sortedPermissions = computed(() => [...permissions.value].sort());
+// Permission strings are "instance:resource:action" (e.g. error:messages:retry).
+// We render one table per instance (Error/Audit/Monitoring), feature per row, action per
+// column, with a checkmark where the action is granted. All tables share the SAME columns
+// (ordered so the most widely shared actions come first: View, Delete, then the rest), so
+// the columns line up across instances. A column only shows its header label and checks for
+// instances that actually use it; otherwise it stays blank, keeping every table the same
+// width. Features and instances with no granted permission are omitted.
+const INSTANCE_ORDER = ["error", "audit", "monitoring"];
+const INSTANCE_LABELS: Record<string, string> = { error: "Error", audit: "Audit", monitoring: "Monitoring" };
+// Only the multi-word resources need a label; the rest are capitalized.
+const RESOURCE_LABELS: Record<string, string> = {
+  customchecks: "Custom checks",
+  recoverabilitygroups: "Recoverability groups",
+  eventlog: "Event log",
+};
+const ACTION_LABELS: Record<string, string> = {};
+const ACTION_ORDER = ["view", "retry", "edit", "archive", "unarchive", "manage", "test", "delete"];
+
+function label(code: string, overrides: Record<string, string>): string {
+  return overrides[code] ?? code.charAt(0).toUpperCase() + code.slice(1);
+}
+
+function rank(code: string, order: string[]): number {
+  const index = order.indexOf(code);
+  return index === -1 ? order.length : index;
+}
+
+interface Column {
+  action: string;
+  label: string;
+}
+interface FeatureRow {
+  resource: string;
+  label: string;
+  actions: Set<string>;
+  permissions: string[];
+}
+interface InstanceGroup {
+  instance: string;
+  label: string;
+  used: Set<string>;
+  features: FeatureRow[];
+}
+interface PermissionView {
+  columns: Column[];
+  instances: InstanceGroup[];
+}
+
+const view = computed<PermissionView>(() => {
+  const byInstance = new Map<string, Map<string, Set<string>>>();
+  const actionInstances = new Map<string, Set<string>>();
+
+  for (const permission of permissions.value) {
+    const [instance, resource, action] = permission.split(":");
+    if (!instance || !resource || !action) continue;
+
+    let features = byInstance.get(instance);
+    if (!features) {
+      features = new Map();
+      byInstance.set(instance, features);
+    }
+    let actions = features.get(resource);
+    if (!actions) {
+      actions = new Set();
+      features.set(resource, actions);
+    }
+    actions.add(action);
+
+    let instancesWithAction = actionInstances.get(action);
+    if (!instancesWithAction) {
+      instancesWithAction = new Set();
+      actionInstances.set(action, instancesWithAction);
+    }
+    instancesWithAction.add(instance);
+  }
+
+  // Shared columns, most widely shared first, so they align across the instance tables.
+  const columns = [...actionInstances.entries()]
+    .sort(([actionA, instancesA], [actionB, instancesB]) => instancesB.size - instancesA.size || rank(actionA, ACTION_ORDER) - rank(actionB, ACTION_ORDER) || actionA.localeCompare(actionB))
+    .map(([action]) => ({ action, label: label(action, ACTION_LABELS) }));
+
+  const instances = [...byInstance.entries()]
+    .sort(([a], [b]) => rank(a, INSTANCE_ORDER) - rank(b, INSTANCE_ORDER) || a.localeCompare(b))
+    .map(([instance, features]) => {
+      const used = new Set<string>();
+      for (const featureActions of features.values()) {
+        for (const action of featureActions) used.add(action);
+      }
+      const featureRows = [...features.entries()]
+        .map(([resource, featureActions]) => ({
+          resource,
+          label: label(resource, RESOURCE_LABELS),
+          actions: featureActions,
+          // The full permission strings the user holds for this feature, shown on hover.
+          permissions: [...featureActions].sort((a, b) => rank(a, ACTION_ORDER) - rank(b, ACTION_ORDER) || a.localeCompare(b)).map((action) => `${instance}:${resource}:${action}`),
+        }))
+        .sort((a, b) => a.label.localeCompare(b.label));
+      return { instance, label: label(instance, INSTANCE_LABELS), used, features: featureRows };
+    });
+
+  return { columns, instances };
+});
 
 onMounted(() => {
   // Normally already loaded at app start; ensures the page works on direct navigation.
@@ -20,40 +122,113 @@ onMounted(() => {
 <template>
   <section name="user-permissions">
     <div class="box">
-      <div class="row">
-        <div class="col-12">
-          <h3>Your permissions</h3>
-          <p class="user-label">User: {{ user || "—" }}</p>
-          <ul v-if="sortedPermissions.length" class="permissions-list">
-            <li v-for="permission in sortedPermissions" :key="permission">{{ permission }}</li>
-          </ul>
-          <p v-else-if="loadAttempted" class="user-label">No permissions are granted to this user.</p>
-        </div>
-      </div>
+      <h3>Your permissions</h3>
+      <p class="user-label">{{ user || "Unknown user" }}</p>
+
+      <template v-if="view.instances.length">
+        <section v-for="group in view.instances" :key="group.instance" class="instance">
+          <h4 class="instance-title">{{ group.label }}</h4>
+          <div class="table-scroll">
+            <table class="permissions-table">
+              <colgroup>
+                <col class="feature-col-width" />
+                <col v-for="column in view.columns" :key="column.action" class="action-col-width" />
+              </colgroup>
+              <thead>
+                <tr>
+                  <th scope="col" class="feature-col">Feature</th>
+                  <th scope="col" v-for="column in view.columns" :key="column.action">
+                    <span v-if="group.used.has(column.action)">{{ column.label }}</span>
+                  </th>
+                </tr>
+              </thead>
+              <tbody>
+                <tr v-for="feature in group.features" :key="feature.resource">
+                  <td class="feature-col" v-tippy="{ content: feature.permissions.join('<br>'), allowHTML: true }">{{ feature.label }}</td>
+                  <td v-for="column in view.columns" :key="column.action">
+                    <FAIcon v-if="feature.actions.has(column.action)" :icon="faCheck" class="check" :aria-label="`${feature.label} ${column.label} allowed`" />
+                  </td>
+                </tr>
+              </tbody>
+            </table>
+          </div>
+        </section>
+      </template>
+
+      <p v-else-if="loadAttempted" class="empty">No permissions are granted to this user.</p>
     </div>
   </section>
 </template>
 
 <style scoped>
 .user-label {
-  color: #666;
-  margin-bottom: 12px;
+  color: #6c757d;
+  margin-bottom: 28px;
+}
+
+.instance {
+  margin-bottom: 32px;
+}
+.instance:last-child {
+  margin-bottom: 0;
+}
+
+.instance-title {
+  font-size: 16px;
+  font-weight: 600;
+  color: #2a2a2a;
+  margin: 0 0 8px;
+}
+
+.table-scroll {
+  overflow-x: auto;
+}
+
+.permissions-table {
+  border-collapse: collapse;
+  table-layout: fixed;
+}
+
+.feature-col-width {
+  width: 220px;
 }
 
-.permissions-list {
-  list-style: none;
-  padding: 0;
-  margin: 0;
-  font-family: monospace;
-  font-size: 13px;
+/* Fixed, compact action columns so the table shrinks to fit and stays left-aligned;
+   a view-only user sees just "Feature | View" together instead of a stretched column. */
+.action-col-width {
+  width: 90px;
 }
 
-.permissions-list li {
-  padding: 4px 0;
+.permissions-table th,
+.permissions-table td {
+  padding: 8px 12px;
+  text-align: center;
+  font-size: 14px;
   border-bottom: 1px solid #f0f0f0;
 }
 
-.permissions-list li:last-child {
-  border-bottom: none;
+.permissions-table thead th {
+  font-weight: 600;
+  color: #6c757d;
+  border-bottom: 2px solid #e9ecef;
+  white-space: nowrap;
+}
+
+/* More specific than the generic ".permissions-table td { text-align: center }" so the
+   feature names actually left-align. */
+.permissions-table th.feature-col,
+.permissions-table td.feature-col {
+  text-align: left;
+}
+
+td.feature-col {
+  font-weight: 600;
+  color: #2a2a2a;
+  /* Hover shows the exact permission strings held for this feature. */
+  cursor: help;
+}
+
+.check {
+  color: #28a745;
 }
 </style>

From c49f0f67d44b67ca4687b3f8719893a3464b456b Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Wed, 24 Jun 2026 16:03:40 +0200
Subject: [PATCH 09/25] =?UTF-8?q?=E2=9C=A8=20Disable=20(not=20hide)=20fail?=
 =?UTF-8?q?ed-message=20actions=20without=20permission?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Across the failed-message screens, retry/delete/restore actions stay visible but
are disabled with a tooltip explaining why when the user lacks the permission,
instead of silently failing server-side:
- Groups list: Request retry / Delete group -> error:recoverabilitygroups:retry / :archive
- All failed messages toolbar: Retry/Delete selected -> error:messages:retry / :archive;
  Retry all / Delete all -> error:recoverabilitygroups:retry / :archive
- Deleted message groups: Restore group -> error:recoverabilitygroups:unarchive
- Deleted messages toolbar: Restore selected -> error:messages:unarchive

A shared PermissionGate wrapper centralises the behaviour: it shows the tooltip
(via a span so it appears even over a disabled button), lets pointer events reach
the wrapper, and tidies the disabled look of link-style buttons. Toolbar spacing
for the wrapper is handled by the existing .btn-toolbar rule in main.css.

Adds PermissionGate (+ spec) and messageGroupButtonPermissions.spec.ts.
---
 src/Frontend/src/assets/main.css              |  1 +
 .../src/components/PermissionGate.spec.ts     | 25 +++++
 .../src/components/PermissionGate.vue         | 45 +++++++++
 .../failedmessages/DeletedMessageGroups.vue   | 24 +++--
 .../failedmessages/DeletedMessages.vue        | 14 ++-
 .../failedmessages/FailedMessages.vue         | 30 +++++-
 .../failedmessages/MessageGroupList.vue       | 64 +++++++-----
 .../messageGroupButtonPermissions.spec.ts     | 98 +++++++++++++++++++
 8 files changed, 260 insertions(+), 41 deletions(-)
 create mode 100644 src/Frontend/src/components/PermissionGate.spec.ts
 create mode 100644 src/Frontend/src/components/PermissionGate.vue
 create mode 100644 src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts

diff --git a/src/Frontend/src/assets/main.css b/src/Frontend/src/assets/main.css
index a3bd8e2a0..47c52a772 100644
--- a/src/Frontend/src/assets/main.css
+++ b/src/Frontend/src/assets/main.css
@@ -353,6 +353,7 @@ input.check-label {
 .btn-toolbar > .btn,
 .btn-toolbar > .btn-group,
 .btn-toolbar > .input-group,
+.btn-toolbar > .permission-gate,
 .action-btns .btn {
   margin-left: 0;
   margin-right: 5px;
diff --git a/src/Frontend/src/components/PermissionGate.spec.ts b/src/Frontend/src/components/PermissionGate.spec.ts
new file mode 100644
index 000000000..eb60fc752
--- /dev/null
+++ b/src/Frontend/src/components/PermissionGate.spec.ts
@@ -0,0 +1,25 @@
+import { render } from "@testing-library/vue";
+import { describe, test, expect } from "vitest";
+import PermissionGate from "@/components/PermissionGate.vue";
+
+function mountGate(allowed: boolean) {
+  return render(PermissionGate, {
+    props: { allowed, reason: "You don't have permission" },
+    slots: { default: '<button class="btn">Do it</button>' },
+    global: { directives: { tippy: () => {} } },
+  });
+}
+
+describe("PermissionGate", () => {
+  test("renders the slot and marks the wrapper denied when not allowed", () => {
+    const { container, getByText } = mountGate(false);
+    expect(getByText("Do it")).toBeTruthy();
+    expect(container.querySelector(".permission-gate.denied")).not.toBeNull();
+  });
+
+  test("does not mark the wrapper denied when allowed", () => {
+    const { container } = mountGate(true);
+    expect(container.querySelector(".permission-gate")).not.toBeNull();
+    expect(container.querySelector(".permission-gate.denied")).toBeNull();
+  });
+});
diff --git a/src/Frontend/src/components/PermissionGate.vue b/src/Frontend/src/components/PermissionGate.vue
new file mode 100644
index 000000000..a04ee05b9
--- /dev/null
+++ b/src/Frontend/src/components/PermissionGate.vue
@@ -0,0 +1,45 @@
+<script setup lang="ts">
+// Wraps an action (button or link) so that, when the current user is not allowed to use it,
+// it stays visible but reads as disabled and shows a tooltip explaining why, instead of
+// silently failing server-side.
+//
+// The consumer still disables the inner control (so it gets the native disabled state and
+// any other disable conditions still apply); this wrapper adds the tooltip, lets pointer
+// events reach the wrapper so the tooltip shows even over a disabled button, and tidies the
+// disabled look of link-style buttons.
+interface Props {
+  allowed: boolean;
+  reason?: string;
+}
+withDefaults(defineProps<Props>(), { reason: "" });
+</script>
+
+<template>
+  <span class="permission-gate" :class="{ denied: !allowed }" v-tippy="!allowed ? reason : ''">
+    <slot />
+  </span>
+</template>
+
+<style scoped>
+.permission-gate {
+  display: inline-flex;
+}
+
+.permission-gate.denied {
+  cursor: not-allowed;
+}
+
+/* Let pointer events reach the wrapper so its tooltip shows even though the button is disabled. */
+.permission-gate.denied :deep(.btn) {
+  pointer-events: none;
+}
+
+/* A permission-disabled link should read as disabled: gray, without the default button box. */
+.permission-gate.denied :deep(.btn-link),
+.permission-gate.denied :deep(.btn-link .button-text) {
+  color: #6c757d;
+  opacity: 1;
+  background-color: transparent;
+  border-color: transparent;
+}
+</style>
diff --git a/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue b/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue
index 39bc37259..d78da3709 100644
--- a/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue
+++ b/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue
@@ -11,6 +11,8 @@ import routeLinks from "@/router/routeLinks";
 import { TYPE } from "vue-toastification";
 import MetadataItem from "@/components/MetadataItem.vue";
 import ActionButton from "@/components/ActionButton.vue";
+import PermissionGate from "@/components/PermissionGate.vue";
+import { usePermissions } from "@/composables/usePermissions";
 import { faArrowRotateRight, faEnvelope } from "@fortawesome/free-solid-svg-icons";
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import { useDeletedMessageGroupsStore, statusesForRestoreOperation, type ExtendedFailureGroupView, type Status } from "@/stores/DeletedMessageGroupsStore";
@@ -25,6 +27,13 @@ const { autoRefresh, isRefreshing, updateInterval } = useStoreAutoRefresh("delet
 const { store } = autoRefresh();
 const { archiveGroups, classifiers, selectedClassifier } = storeToRefs(store);
 const router = useRouter();
+
+const { can } = usePermissions();
+// Restoring a deleted group is an unarchive; keep the button visible but disabled with a
+// tooltip when the user lacks the permission, instead of silently failing server-side.
+const canRestoreGroups = computed(() => can("error:recoverabilitygroups:unarchive"));
+const restoreDeniedTooltip = "You don't have permission to restore message groups.";
+
 const showRestoreGroupModal = ref(false);
 const selectedGroup = ref<ExtendedFailureGroupView>();
 
@@ -163,16 +172,11 @@ watch(isRestoreInProgress, (restoreInProgress) => {
 
                             <div class="row" v-if="!isBeingRestored(group.workflow_state.status)">
                               <div class="col-sm-12 no-side-padding">
-                                <ActionButton
-                                  variant="link"
-                                  size="sm"
-                                  :icon="faArrowRotateRight"
-                                  :disabled="group.count === 0 || isBeingRestored(group.workflow_state.status)"
-                                  v-if="archiveGroups.length > 0"
-                                  @click.stop="showRestoreGroupDialog(group)"
-                                >
-                                  Restore group
-                                </ActionButton>
+                                <PermissionGate :allowed="canRestoreGroups" :reason="restoreDeniedTooltip" v-if="archiveGroups.length > 0">
+                                  <ActionButton variant="link" size="sm" :icon="faArrowRotateRight" :disabled="group.count === 0 || isBeingRestored(group.workflow_state.status) || !canRestoreGroups" @click.stop="showRestoreGroupDialog(group)">
+                                    Restore group
+                                  </ActionButton>
+                                </PermissionGate>
                               </div>
                             </div>
 
diff --git a/src/Frontend/src/components/failedmessages/DeletedMessages.vue b/src/Frontend/src/components/failedmessages/DeletedMessages.vue
index b63533a18..59060ccdd 100644
--- a/src/Frontend/src/components/failedmessages/DeletedMessages.vue
+++ b/src/Frontend/src/components/failedmessages/DeletedMessages.vue
@@ -10,6 +10,8 @@ import PaginationStrip from "../../components/PaginationStrip.vue";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { TYPE } from "vue-toastification";
 import FAIcon from "@/components/FAIcon.vue";
+import PermissionGate from "@/components/PermissionGate.vue";
+import { usePermissions } from "@/composables/usePermissions";
 import { faArrowRotateRight } from "@fortawesome/free-solid-svg-icons";
 import { storeToRefs } from "pinia";
 import { useStoreAutoRefresh } from "@/composables/useAutoRefresh";
@@ -27,6 +29,12 @@ const { messages, groupId, groupName, totalCount, pageNumber, selectedPeriod } =
 const showConfirmRestore = ref(false);
 const messageList = ref<IMessageList | undefined>();
 
+const { can } = usePermissions();
+// Restoring messages is an unarchive; keep the button visible but disabled with a tooltip
+// when the user lacks the permission, instead of silently failing server-side.
+const canRestoreMessages = computed(() => can("error:messages:unarchive"));
+const restoreDeniedTooltip = "You don't have permission to restore messages.";
+
 function numberSelected() {
   return messageList.value?.getSelectedMessages()?.length ?? 0;
 }
@@ -103,7 +111,11 @@ watch(isRefreshing, () => {
             <div class="btn-toolbar">
               <button type="button" class="btn btn-default select-all" @click="selectAll" v-if="!isAnythingSelected()">Select all</button>
               <button type="button" class="btn btn-default select-all" @click="deselectAll" v-if="isAnythingSelected()">Clear selection</button>
-              <button type="button" class="btn btn-default" @click="showConfirmRestore = true" :disabled="!isAnythingSelected()"><FAIcon :icon="faArrowRotateRight" class="icon" /> Restore {{ numberSelected() }} selected</button>
+              <PermissionGate :allowed="canRestoreMessages" :reason="restoreDeniedTooltip">
+                <button type="button" class="btn btn-default" @click="showConfirmRestore = true" :disabled="!isAnythingSelected() || !canRestoreMessages">
+                  <FAIcon :icon="faArrowRotateRight" class="icon" /> Restore {{ numberSelected() }} selected
+                </button>
+              </PermissionGate>
             </div>
           </div>
           <div class="col-3">
diff --git a/src/Frontend/src/components/failedmessages/FailedMessages.vue b/src/Frontend/src/components/failedmessages/FailedMessages.vue
index 54cc9e165..1a38bf666 100644
--- a/src/Frontend/src/components/failedmessages/FailedMessages.vue
+++ b/src/Frontend/src/components/failedmessages/FailedMessages.vue
@@ -16,6 +16,8 @@ import { TYPE } from "vue-toastification";
 import type GroupOperation from "@/resources/GroupOperation";
 import { faArrowDownAZ, faArrowDownZA, faArrowDownShortWide, faArrowDownWideShort, faArrowRotateRight, faTrash, faDownload } from "@fortawesome/free-solid-svg-icons";
 import ActionButton from "@/components/ActionButton.vue";
+import PermissionGate from "@/components/PermissionGate.vue";
+import { usePermissions } from "@/composables/usePermissions";
 import { useMessageStore } from "@/stores/MessageStore";
 import { useRecoverabilityStore } from "@/stores/RecoverabilityStore";
 import { useStoreAutoRefresh } from "@/composables/useAutoRefresh";
@@ -32,6 +34,18 @@ const { autoRefresh, isRefreshing, updateInterval } = useStoreAutoRefresh("recov
 const { store } = autoRefresh();
 const { messages, groupId, groupName, totalCount, pageNumber } = storeToRefs(store);
 
+const { can } = usePermissions();
+// Keep the toolbar actions visible but disabled (with a tooltip) when the user lacks the
+// permission, so the capability stays discoverable and clicks don't silently fail server-side.
+const canRetryMessages = computed(() => can("error:messages:retry"));
+const canDeleteMessages = computed(() => can("error:messages:archive"));
+const canRetryGroup = computed(() => can("error:recoverabilitygroups:retry"));
+const canDeleteGroup = computed(() => can("error:recoverabilitygroups:archive"));
+const retryDeniedTooltip = "You don't have permission to retry messages.";
+const deleteDeniedTooltip = "You don't have permission to delete messages.";
+const retryAllDeniedTooltip = "You don't have permission to retry message groups.";
+const deleteAllDeniedTooltip = "You don't have permission to delete message groups.";
+
 const showDelete = ref(false);
 const showConfirmRetryAll = ref(false);
 const showConfirmDeleteAll = ref(false);
@@ -217,11 +231,19 @@ watch(isRefreshing, () => {
             <div class="btn-toolbar">
               <ActionButton v-if="!isAnythingSelected()" @click="selectAll">Select all</ActionButton>
               <ActionButton v-if="isAnythingSelected()" @click="deselectAll">Clear selection</ActionButton>
-              <ActionButton :icon="faArrowRotateRight" @click="retrySelected()" :disabled="!isAnythingSelected()">Retry {{ numberSelected() }} selected</ActionButton>
-              <ActionButton :icon="faTrash" @click="showDelete = true" :disabled="!isAnythingSelected()">Delete {{ numberSelected() }} selected</ActionButton>
+              <PermissionGate :allowed="canRetryMessages" :reason="retryDeniedTooltip">
+                <ActionButton :icon="faArrowRotateRight" @click="retrySelected()" :disabled="!isAnythingSelected() || !canRetryMessages">Retry {{ numberSelected() }} selected</ActionButton>
+              </PermissionGate>
+              <PermissionGate :allowed="canDeleteMessages" :reason="deleteDeniedTooltip">
+                <ActionButton :icon="faTrash" @click="showDelete = true" :disabled="!isAnythingSelected() || !canDeleteMessages">Delete {{ numberSelected() }} selected</ActionButton>
+              </PermissionGate>
               <ActionButton :icon="faDownload" @click="exportSelected()" :disabled="!isAnythingSelected()">Export {{ numberSelected() }} selected</ActionButton>
-              <ActionButton v-if="groupId" :icon="faArrowRotateRight" @click="showConfirmRetryAll = true">Retry all</ActionButton>
-              <ActionButton v-if="groupId" :icon="faTrash" @click="showConfirmDeleteAll = true">Delete all</ActionButton>
+              <PermissionGate :allowed="canRetryGroup" :reason="retryAllDeniedTooltip" v-if="groupId">
+                <ActionButton :icon="faArrowRotateRight" @click="showConfirmRetryAll = true" :disabled="!canRetryGroup">Retry all</ActionButton>
+              </PermissionGate>
+              <PermissionGate :allowed="canDeleteGroup" :reason="deleteAllDeniedTooltip" v-if="groupId">
+                <ActionButton :icon="faTrash" @click="showConfirmDeleteAll = true" :disabled="!canDeleteGroup">Delete all</ActionButton>
+              </PermissionGate>
             </div>
           </div>
           <div class="col-3">
diff --git a/src/Frontend/src/components/failedmessages/MessageGroupList.vue b/src/Frontend/src/components/failedmessages/MessageGroupList.vue
index 55ee9307d..fcbc60572 100644
--- a/src/Frontend/src/components/failedmessages/MessageGroupList.vue
+++ b/src/Frontend/src/components/failedmessages/MessageGroupList.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { onMounted, onUnmounted, ref } from "vue";
+import { computed, onMounted, onUnmounted, ref } from "vue";
 import { useRouter } from "vue-router";
 import { useShowToast } from "../../composables/toast";
 import createMessageGroupClient from "./messageGroupClient";
@@ -15,6 +15,16 @@ import { faArrowRotateRight, faEnvelope, faEraser, faExclamationTriangle, faPenc
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import ProgressMessage from "./ProgressMessage.vue";
 import ActionButton from "@/components/ActionButton.vue";
+import PermissionGate from "@/components/PermissionGate.vue";
+import { usePermissions } from "@/composables/usePermissions";
+
+const { can } = usePermissions();
+// Group-level actions are gated on the recoverabilitygroups permissions. When the user
+// lacks them the buttons stay visible but disabled, with a tooltip explaining why.
+const canRetryGroups = computed(() => can("error:recoverabilitygroups:retry"));
+const canDeleteGroups = computed(() => can("error:recoverabilitygroups:archive"));
+const retryDeniedTooltip = "You don't have permission to request a retry for message groups.";
+const deleteDeniedTooltip = "You don't have permission to delete message groups.";
 
 interface WorkflowState {
   status: string;
@@ -400,31 +410,33 @@ defineExpose<IMessageGroupList>({
                   </div>
                   <div class="row" v-if="!isBeingRetried(group) && !isBeingArchived(group.workflow_state.status)">
                     <div class="col-sm-12 no-side-padding">
-                      <ActionButton
-                        variant="link"
-                        size="sm"
-                        :icon="faArrowRotateRight"
-                        :disabled="group.count == 0 || isBeingRetried(group)"
-                        @mouseenter="group.hover3 = true"
-                        @mouseleave="group.hover3 = false"
-                        v-if="exceptionGroups.length > 0"
-                        @click.stop="retryGroup(group)"
-                      >
-                        <span>Request retry</span>
-                      </ActionButton>
-
-                      <ActionButton
-                        variant="link"
-                        size="sm"
-                        :icon="faTrash"
-                        :disabled="group.count == 0 || isBeingRetried(group)"
-                        @mouseenter="group.hover3 = true"
-                        @mouseleave="group.hover3 = false"
-                        v-if="exceptionGroups.length > 0"
-                        @click.stop="deleteGroup(group)"
-                      >
-                        <span>Delete group</span>
-                      </ActionButton>
+                      <PermissionGate :allowed="canRetryGroups" :reason="retryDeniedTooltip" v-if="exceptionGroups.length > 0">
+                        <ActionButton
+                          variant="link"
+                          size="sm"
+                          :icon="faArrowRotateRight"
+                          :disabled="group.count == 0 || isBeingRetried(group) || !canRetryGroups"
+                          @mouseenter="group.hover3 = true"
+                          @mouseleave="group.hover3 = false"
+                          @click.stop="retryGroup(group)"
+                        >
+                          <span>Request retry</span>
+                        </ActionButton>
+                      </PermissionGate>
+
+                      <PermissionGate :allowed="canDeleteGroups" :reason="deleteDeniedTooltip" v-if="exceptionGroups.length > 0">
+                        <ActionButton
+                          variant="link"
+                          size="sm"
+                          :icon="faTrash"
+                          :disabled="group.count == 0 || isBeingRetried(group) || !canDeleteGroups"
+                          @mouseenter="group.hover3 = true"
+                          @mouseleave="group.hover3 = false"
+                          @click.stop="deleteGroup(group)"
+                        >
+                          <span>Delete group</span>
+                        </ActionButton>
+                      </PermissionGate>
                       <ActionButton variant="link" size="sm" :icon="faStickyNote" v-if="!group.comment" @click.stop="editNote(group)">Add note</ActionButton>
                       <ActionButton variant="link" size="sm" :icon="faPencil" v-if="group.comment" @click.stop="editNote(group)">Edit note</ActionButton>
                       <ActionButton variant="link" size="sm" :icon="faEraser" v-if="group.comment" @click.stop="deleteNote(group)">Remove note</ActionButton>
diff --git a/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts b/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
new file mode 100644
index 000000000..3f2741f30
--- /dev/null
+++ b/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
@@ -0,0 +1,98 @@
+import { describe, test, expect, beforeEach, vi } from "vitest";
+import { render, screen } from "@testing-library/vue";
+import { createTestingPinia } from "@pinia/testing";
+import { defineComponent, h, nextTick, ref } from "vue";
+import { createRouter, createMemoryHistory } from "vue-router";
+import type GroupOperation from "@/resources/GroupOperation";
+import MessageGroupList, { type IMessageGroupList } from "@/components/failedmessages/MessageGroupList.vue";
+
+// The group-level Retry/Delete actions are gated on the recoverabilitygroups permissions.
+// Unlike the per-message buttons (which hide), these stay VISIBLE but DISABLED when the
+// permission is missing, with a tooltip explaining why, so it's clear the action exists.
+const RETRY_PERMISSION = "error:recoverabilitygroups:retry";
+const DELETE_PERMISSION = "error:recoverabilitygroups:archive";
+
+const group: GroupOperation = {
+  id: "group-1",
+  title: "SomeException",
+  type: "exception-type",
+  count: 2,
+  comment: "",
+  operation_status: "None",
+  operation_progress: 0,
+  need_user_acknowledgement: false,
+};
+
+vi.mock("@/components/failedmessages/messageGroupClient", () => ({
+  default: () => ({
+    getExceptionGroups: vi.fn().mockResolvedValue([group]),
+    isError: () => false,
+  }),
+}));
+
+async function renderGroupList(permissions: string[]) {
+  const listRef = ref<IMessageGroupList>();
+
+  const Harness = defineComponent({
+    setup() {
+      return () => h(MessageGroupList, { ref: listRef, sortFunction: () => 0 });
+    },
+  });
+
+  const router = createRouter({ history: createMemoryHistory(), routes: [{ path: "/:catchAll(.*)", component: { template: "<div />" } }] });
+
+  render(Harness, {
+    global: {
+      plugins: [
+        router,
+        createTestingPinia({
+          stubActions: true,
+          initialState: {
+            auth: { authEnabled: true, isAuthenticated: true },
+            PermissionsStore: { permissions: new Set(permissions), loaded: true, loadAttempted: true },
+          },
+        }),
+      ],
+      directives: { tippy: () => {} },
+    },
+  });
+
+  await nextTick();
+  await listRef.value?.loadFailedMessageGroups();
+  await nextTick();
+}
+
+function button(text: RegExp): HTMLButtonElement | null {
+  return screen.queryByText(text)?.closest("button") ?? null;
+}
+
+describe("failed-message group action button permissions", () => {
+  beforeEach(() => {
+    // Teleport target used by the confirm dialogs the list renders.
+    document.body.innerHTML = '<div id="modalDisplay"></div>';
+  });
+
+  test("Request retry is enabled when its permission is granted", async () => {
+    await renderGroupList([RETRY_PERMISSION, DELETE_PERMISSION]);
+    expect(button(/Request retry/i)?.disabled).toBe(false);
+  });
+
+  test("Request retry stays visible but disabled when its permission is denied", async () => {
+    await renderGroupList([DELETE_PERMISSION]);
+    const retry = button(/Request retry/i);
+    expect(retry).not.toBeNull();
+    expect(retry?.disabled).toBe(true);
+  });
+
+  test("Delete group is enabled when its permission is granted", async () => {
+    await renderGroupList([RETRY_PERMISSION, DELETE_PERMISSION]);
+    expect(button(/Delete group/i)?.disabled).toBe(false);
+  });
+
+  test("Delete group stays visible but disabled when its permission is denied", async () => {
+    await renderGroupList([RETRY_PERMISSION]);
+    const del = button(/Delete group/i);
+    expect(del).not.toBeNull();
+    expect(del?.disabled).toBe(true);
+  });
+});

From 9e8fbb01ddfac4f861be785e6101b864622d4eb4 Mon Sep 17 00:00:00 2001
From: Dennis van der Stelt <dvdstelt@gmail.com>
Date: Thu, 25 Jun 2026 00:20:59 +0200
Subject: [PATCH 10/25] =?UTF-8?q?=E2=9C=A8=20Gate=20more=20action=20button?=
 =?UTF-8?q?s=20on=20permissions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Extend the disable-with-tooltip gating (via PermissionGate) to more screens:
- Custom checks: Dismiss -> error:customchecks:delete
- Heartbeats: Delete instance / Delete endpoint -> error:endpoints:delete
- Retry redirects: Create / End / Modify -> error:redirects:manage
- Health check notifications: Configure + on/off toggle -> error:notifications:manage;
  Send test notification -> error:notifications:test
- Message detail: Edit & retry stays shown by its setting but is disabled (not
  hidden) without error:messages:edit
- Monitoring: remove-endpoint link gated on monitoring:endpoint:delete (hidden,
  since it is a hover link)

Adds a disabled prop to OnOffSwitch (native-disable + pointer-events:none so a
wrapping PermissionGate tooltip still shows) and updates the message-button spec
for the edit button's shown-but-disabled behaviour.
---
 src/Frontend/src/components/OnOffSwitch.vue   | 23 ++++++++++++++-----
 .../HealthCheckNotifications.vue              | 22 ++++++++++++++----
 .../configuration/RetryRedirects.vue          | 21 +++++++++++++----
 .../customchecks/CustomCheckView.vue          | 13 ++++++++++-
 .../heartbeats/EndpointInstances.vue          | 14 +++++++++--
 .../messages/EditAndRetryButton.vue           | 13 +++++++++--
 .../messages/messageButtonPermissions.spec.ts | 16 ++++++++++++-
 .../monitoring/EndpointInstances.vue          | 10 ++++++--
 8 files changed, 110 insertions(+), 22 deletions(-)

diff --git a/src/Frontend/src/components/OnOffSwitch.vue b/src/Frontend/src/components/OnOffSwitch.vue
index 1042c63cd..18aa2250d 100644
--- a/src/Frontend/src/components/OnOffSwitch.vue
+++ b/src/Frontend/src/components/OnOffSwitch.vue
@@ -1,15 +1,19 @@
 <script setup lang="ts">
-defineProps<{
-  id: string;
-  value: boolean | null;
-}>();
+withDefaults(
+  defineProps<{
+    id: string;
+    value: boolean | null;
+    disabled?: boolean;
+  }>(),
+  { disabled: false }
+);
 
 const emit = defineEmits<{ toggle: [] }>();
 </script>
 
 <template>
-  <div class="onoffswitch">
-    <input type="checkbox" :id="`onoffswitch${id}`" :name="`onoffswitch${id}`" :aria-label="`onoffswitch${id}`" class="onoffswitch-checkbox" @click="emit('toggle')" :checked="value ?? false" />
+  <div class="onoffswitch" :class="{ disabled }">
+    <input type="checkbox" :id="`onoffswitch${id}`" :name="`onoffswitch${id}`" :aria-label="`onoffswitch${id}`" class="onoffswitch-checkbox" :disabled="disabled" @click="emit('toggle')" :checked="value ?? false" />
     <label class="onoffswitch-label" :for="`onoffswitch${id}`" role="switch" :aria-checked="value ?? false" :aria-label="id">
       <span class="onoffswitch-inner"></span>
       <span class="onoffswitch-switch"></span>
@@ -27,6 +31,13 @@ const emit = defineEmits<{ toggle: [] }>();
   width: 76px;
 }
 
+/* Disabled: dim it and let pointer events pass through to a wrapping PermissionGate so its
+   tooltip shows. The native :disabled on the checkbox already prevents toggling. */
+.onoffswitch.disabled {
+  opacity: 0.65;
+  pointer-events: none;
+}
+
 .onoffswitch-checkbox {
   display: none;
 }
diff --git a/src/Frontend/src/components/configuration/HealthCheckNotifications.vue b/src/Frontend/src/components/configuration/HealthCheckNotifications.vue
index cc23cd219..56b5274dc 100644
--- a/src/Frontend/src/components/configuration/HealthCheckNotifications.vue
+++ b/src/Frontend/src/components/configuration/HealthCheckNotifications.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { onMounted, ref } from "vue";
+import { computed, onMounted, ref } from "vue";
 import LicenseNotExpired from "../LicenseNotExpired.vue";
 import ServiceControlAvailable from "../ServiceControlAvailable.vue";
 import HealthCheckNotifications_EmailConfiguration from "./HealthCheckNotifications_ConfigureEmail.vue";
@@ -9,13 +9,21 @@ import type UpdateEmailNotificationsSettingsRequest from "@/resources/UpdateEmai
 import OnOffSwitch from "../OnOffSwitch.vue";
 import FAIcon from "@/components/FAIcon.vue";
 import ActionButton from "@/components/ActionButton.vue";
+import PermissionGate from "@/components/PermissionGate.vue";
 import { faCheck, faEdit, faEnvelope, faExclamationTriangle } from "@fortawesome/free-solid-svg-icons";
 import { useHealthChecksStore } from "@/stores/HealthChecksStore";
 import { storeToRefs } from "pinia";
+import { usePermissions } from "@/composables/usePermissions";
 
 const healthChecksStore = useHealthChecksStore();
 const { emailNotifications } = storeToRefs(healthChecksStore);
 
+const { can } = usePermissions();
+const canManageNotifications = computed(() => can("error:notifications:manage"));
+const canTestNotifications = computed(() => can("error:notifications:test"));
+const manageDeniedTooltip = "You don't have permission to manage notifications.";
+const testDeniedTooltip = "You don't have permission to send test notifications.";
+
 const emailTestSuccessful = ref<boolean | null>(null);
 const emailTestInProgress = ref<boolean | null>(null);
 const emailToggleSuccessful = ref<boolean | null>(null);
@@ -77,7 +85,9 @@ onMounted(async () => {
                 <div class="col-12 no-side-padding">
                   <div class="row">
                     <div class="col-auto">
-                      <OnOffSwitch id="emailNotifications" @toggle="toggleEmailNotifications" :value="emailNotifications.enabled" />
+                      <PermissionGate :allowed="canManageNotifications" :reason="manageDeniedTooltip">
+                        <OnOffSwitch id="emailNotifications" @toggle="toggleEmailNotifications" :value="emailNotifications.enabled" :disabled="!canManageNotifications" />
+                      </PermissionGate>
                       <div>
                         <span class="connection-test connection-failed">
                           <template v-if="emailToggleSuccessful === false"> <FAIcon :icon="faExclamationTriangle" /> Update failed </template>
@@ -89,10 +99,14 @@ onMounted(async () => {
                         <div class="col-12">
                           <p class="lead">Email notifications</p>
                           <p class="endpoint-metadata">
-                            <ActionButton variant="link" size="sm" :icon="faEdit" @click="editEmailNotifications">Configure</ActionButton>
+                            <PermissionGate :allowed="canManageNotifications" :reason="manageDeniedTooltip">
+                              <ActionButton variant="link" size="sm" :icon="faEdit" :disabled="!canManageNotifications" @click="editEmailNotifications">Configure</ActionButton>
+                            </PermissionGate>
                           </p>
                           <p class="endpoint-metadata">
-                            <ActionButton variant="link" size="sm" :icon="faEnvelope" @click="testEmailNotifications" :disabled="!!emailTestInProgress">Send test notification</ActionButton>
+                            <PermissionGate :allowed="canTestNotifications" :reason="testDeniedTooltip">
+                              <ActionButton variant="link" size="sm" :icon="faEnvelope" :disabled="!!emailTestInProgress || !canTestNotifications" @click="testEmailNotifications">Send test notification</ActionButton>
+                            </PermissionGate>
                             <span class="connection-test connection-testing">
                               <template v-if="emailTestInProgress">
                                 <i class="glyphicon glyphicon-refresh rotate"></i>
diff --git a/src/Frontend/src/components/configuration/RetryRedirects.vue b/src/Frontend/src/components/configuration/RetryRedirects.vue
index 4904439aa..8b60cd5f2 100644
--- a/src/Frontend/src/components/configuration/RetryRedirects.vue
+++ b/src/Frontend/src/components/configuration/RetryRedirects.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { onMounted, ref } from "vue";
+import { computed, onMounted, ref } from "vue";
 import LicenseNotExpired from "../LicenseNotExpired.vue";
 import ServiceControlAvailable from "../ServiceControlAvailable.vue";
 import NoData from "../NoData.vue";
@@ -11,12 +11,19 @@ import type Redirect from "@/resources/Redirect";
 import RetryRedirectEdit, { type RetryRedirect } from "@/components/configuration/RetryRedirectEdit.vue";
 import FAIcon from "@/components/FAIcon.vue";
 import ActionButton from "@/components/ActionButton.vue";
+import PermissionGate from "@/components/PermissionGate.vue";
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import { useRedirectsStore } from "@/stores/RedirectsStore";
 import LoadingSpinner from "../LoadingSpinner.vue";
+import { usePermissions } from "@/composables/usePermissions";
 
 const redirectsStore = useRedirectsStore();
 
+const { can } = usePermissions();
+// Creating, modifying and ending redirects all manage redirects.
+const canManageRedirects = computed(() => can("error:redirects:manage"));
+const redirectsDeniedTooltip = "You don't have permission to manage redirects.";
+
 const loadingData = ref(true);
 const redirects = redirectsStore.redirects;
 
@@ -131,7 +138,9 @@ onMounted(async () => {
           <div class="row">
             <div class="col-sm-12">
               <div class="btn-toolbar">
-                <ActionButton @click="createRedirect"><i class="fa pa-redirect-source pa-redirect-small"></i> Create Redirect</ActionButton>
+                <PermissionGate :allowed="canManageRedirects" :reason="redirectsDeniedTooltip">
+                  <ActionButton @click="createRedirect" :disabled="!canManageRedirects"><i class="fa pa-redirect-source pa-redirect-small"></i> Create Redirect</ActionButton>
+                </PermissionGate>
                 <span></span>
               </div>
             </div>
@@ -163,8 +172,12 @@ onMounted(async () => {
                     <div class="row">
                       <div class="col-sm-12">
                         <p class="small">
-                          <ActionButton variant="link" size="sm" @click="deleteRedirect(redirect)">End Redirect</ActionButton>
-                          <ActionButton variant="link" size="sm" @click="editRedirect(redirect)">Modify Redirect</ActionButton>
+                          <PermissionGate :allowed="canManageRedirects" :reason="redirectsDeniedTooltip">
+                            <ActionButton variant="link" size="sm" :disabled="!canManageRedirects" @click="deleteRedirect(redirect)">End Redirect</ActionButton>
+                          </PermissionGate>
+                          <PermissionGate :allowed="canManageRedirects" :reason="redirectsDeniedTooltip">
+                            <ActionButton variant="link" size="sm" :disabled="!canManageRedirects" @click="editRedirect(redirect)">Modify Redirect</ActionButton>
+                          </PermissionGate>
                         </p>
                       </div>
                     </div>
diff --git a/src/Frontend/src/components/customchecks/CustomCheckView.vue b/src/Frontend/src/components/customchecks/CustomCheckView.vue
index e59f0acfd..14a3ac0b8 100644
--- a/src/Frontend/src/components/customchecks/CustomCheckView.vue
+++ b/src/Frontend/src/components/customchecks/CustomCheckView.vue
@@ -1,16 +1,23 @@
 <script setup lang="ts">
+import { computed } from "vue";
 import type CustomCheck from "@/resources/CustomCheck";
 import TimeSince from "@/components/TimeSince.vue";
 import FAIcon from "@/components/FAIcon.vue";
+import PermissionGate from "@/components/PermissionGate.vue";
 import { faCheck, faList, faServer } from "@fortawesome/free-solid-svg-icons";
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import { hexToCSSFilter } from "hex-to-css-filter";
 import useCustomChecksStoreAutoRefresh from "@/composables/useCustomChecksStoreAutoRefresh";
+import { usePermissions } from "@/composables/usePermissions";
 
 defineProps<{ customCheck: CustomCheck }>();
 
 const { store } = useCustomChecksStoreAutoRefresh();
 const endpointColor = hexToCSSFilter("#929E9E").filter;
+
+const { can } = usePermissions();
+const canDismiss = computed(() => can("error:customchecks:delete"));
+const dismissDeniedTooltip = "You don't have permission to dismiss custom checks.";
 </script>
 
 <template>
@@ -36,7 +43,11 @@ const endpointColor = hexToCSSFilter("#929E9E").filter;
           </div>
         </div>
         <div>
-          <button type="button" class="btn btn-default" title="Dismiss this custom check so it doesn't show up as an alert" role="button" aria-label="custom-check-dismiss" @click="store.dismissCustomCheck(customCheck.id)">Dismiss</button>
+          <PermissionGate :allowed="canDismiss" :reason="dismissDeniedTooltip">
+            <button type="button" class="btn btn-default" title="Dismiss this custom check so it doesn't show up as an alert" role="button" aria-label="custom-check-dismiss" :disabled="!canDismiss" @click="store.dismissCustomCheck(customCheck.id)">
+              Dismiss
+            </button>
+          </PermissionGate>
         </div>
       </div>
     </div>
diff --git a/src/Frontend/src/components/heartbeats/EndpointInstances.vue b/src/Frontend/src/components/heartbeats/EndpointInstances.vue
index 8fea77c1a..727efb004 100644
--- a/src/Frontend/src/components/heartbeats/EndpointInstances.vue
+++ b/src/Frontend/src/components/heartbeats/EndpointInstances.vue
@@ -19,8 +19,10 @@ import FilterInput from "../FilterInput.vue";
 import ResultsCount from "../ResultsCount.vue";
 import { faBell, faBellSlash, faChevronLeft, faHeartbeat, faTrash } from "@fortawesome/free-solid-svg-icons";
 import FAIcon from "@/components/FAIcon.vue";
+import PermissionGate from "@/components/PermissionGate.vue";
 import useHeartbeatInstancesStoreAutoRefresh from "@/composables/useHeartbeatInstancesStoreAutoRefresh";
 import { useEndpointSettingsStore } from "@/stores/EndpointSettingsStore";
+import { usePermissions } from "@/composables/usePermissions";
 
 enum Operation {
   Mute = "mute",
@@ -29,6 +31,10 @@ enum Operation {
 
 const route = useRoute();
 const router = useRouter();
+
+const { can } = usePermissions();
+const canDeleteEndpoints = computed(() => can("error:endpoints:delete"));
+const deleteDeniedTooltip = "You don't have permission to delete endpoints.";
 const endpointName = route.params.endpointName.toString();
 const { store } = useHeartbeatInstancesStoreAutoRefresh();
 const { filteredInstances, sortedInstances, instanceFilterString, sortByInstances } = storeToRefs(store);
@@ -170,7 +176,9 @@ async function toggleAlerts(instance: EndpointsView) {
       <no-data v-if="filteredValidInstances.length === 0" message="No endpoint instances found. For untracked endpoints, disconnected instances are automatically pruned.">
         <div class="delete-all">
           <span>You may</span>
-          <button type="button" @click="deleteAllInstances()" class="btn btn-danger btn-sm"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
+          <PermissionGate :allowed="canDeleteEndpoints" :reason="deleteDeniedTooltip">
+            <button type="button" @click="deleteAllInstances()" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpoints"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
+          </PermissionGate>
           <span>this endpoint</span>
         </div>
       </no-data>
@@ -195,7 +203,9 @@ async function toggleAlerts(instance: EndpointsView) {
                 </div>
               </div>
               <div role="cell" aria-label="actions" class="col-1 actions">
-                <button v-if="instance.heartbeat_information?.reported_status !== EndpointStatus.Alive" type="button" @click="deleteInstance(instance)" class="btn btn-danger btn-sm"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
+                <PermissionGate v-if="instance.heartbeat_information?.reported_status !== EndpointStatus.Alive" :allowed="canDeleteEndpoints" :reason="deleteDeniedTooltip">
+                  <button type="button" @click="deleteInstance(instance)" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpoints"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
+                </PermissionGate>
               </div>
             </div>
           </div>
diff --git a/src/Frontend/src/components/messages/EditAndRetryButton.vue b/src/Frontend/src/components/messages/EditAndRetryButton.vue
index b1f434fe4..add6c8ddc 100644
--- a/src/Frontend/src/components/messages/EditAndRetryButton.vue
+++ b/src/Frontend/src/components/messages/EditAndRetryButton.vue
@@ -11,6 +11,7 @@ import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faPencil } from "@fortawesome/free-solid-svg-icons";
 import { usePermissions } from "@/composables/usePermissions";
+import PermissionGate from "@/components/PermissionGate.vue";
 
 const store = useMessageStore();
 const { state, edit_and_retry_config, editRetryResponse } = storeToRefs(store);
@@ -18,9 +19,15 @@ const { can } = usePermissions();
 const isConfirmDialogVisible = ref(false);
 const isEditIgnoredDialogVisible = ref(false);
 
+// Edit & retry is enabled by a ServiceControl setting (edit_and_retry_config). When it is on,
+// the button is shown to everyone but disabled (with a tooltip) for users without the edit
+// permission, rather than hidden.
+const canEdit = computed(() => can("error:messages:edit"));
+const editDeniedTooltip = "You don't have permission to edit and retry messages.";
+
 const failureStatus = computed(() => state.value.data.failure_status);
 const isDisabled = computed(() => failureStatus.value.retried || failureStatus.value.archived || failureStatus.value.resolved);
-const isVisible = computed(() => can("error:messages:edit") && edit_and_retry_config.value.enabled && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
+const isVisible = computed(() => edit_and_retry_config.value.enabled && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
 
 const handleIgnoreClose = async () => {
   isEditIgnoredDialogVisible.value = false;
@@ -47,7 +54,9 @@ async function openDialog() {
 
 <template>
   <template v-if="isVisible">
-    <ActionButton :icon="faPencil" aria-label="Edit & retry" :disabled="isDisabled" @click="openDialog">Edit & retry</ActionButton>
+    <PermissionGate :allowed="canEdit" :reason="editDeniedTooltip">
+      <ActionButton :icon="faPencil" aria-label="Edit & retry" :disabled="isDisabled || !canEdit" @click="openDialog">Edit & retry</ActionButton>
+    </PermissionGate>
     <Teleport to="#modalDisplay">
       <EditRetryDialog v-if="isConfirmDialogVisible" @cancel="isConfirmDialogVisible = false" @confirm="handleConfirm"></EditRetryDialog>
       <EditIgnoredDialog v-if="isEditIgnoredDialogVisible" @close="handleIgnoreClose"></EditIgnoredDialog>
diff --git a/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
index 48a3dc4af..5ed2a2a7d 100644
--- a/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
+++ b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
@@ -19,9 +19,11 @@ interface ButtonCase {
   archived: boolean; // Restore is only relevant on an archived message; the others on a live one
 }
 
+// Retry / Delete / Restore are hidden when the permission is denied. Edit & retry is handled
+// separately below: it is enabled by a setting and, when on, disabled (not hidden) without
+// the permission.
 const cases: ButtonCase[] = [
   { name: "Retry", component: RetryMessageButton, permission: "error:messages:retry", text: /Retry message/i, archived: false },
-  { name: "Edit & retry", component: EditAndRetryButton, permission: "error:messages:edit", text: /Edit & retry/i, archived: false },
   { name: "Delete", component: DeleteMessageButton, permission: "error:messages:archive", text: /Delete message/i, archived: false },
   { name: "Restore", component: RestoreMessageButton, permission: "error:messages:unarchive", text: /Restore/i, archived: true },
 ];
@@ -62,4 +64,16 @@ describe("failed-message action button permissions", () => {
     renderButton(component, [], archived);
     expect(screen.queryByText(text)).toBeNull();
   });
+
+  test("Edit & retry is shown and enabled when error:messages:edit is granted", () => {
+    renderButton(EditAndRetryButton, ["error:messages:edit"], false);
+    const button = screen.getByRole("button", { name: /Edit & retry/i }) as HTMLButtonElement;
+    expect(button.disabled).toBe(false);
+  });
+
+  test("Edit & retry is shown but disabled when error:messages:edit is denied", () => {
+    renderButton(EditAndRetryButton, [], false);
+    const button = screen.getByRole("button", { name: /Edit & retry/i }) as HTMLButtonElement;
+    expect(button.disabled).toBe(true);
+  });
 });
diff --git a/src/Frontend/src/components/monitoring/EndpointInstances.vue b/src/Frontend/src/components/monitoring/EndpointInstances.vue
index f78d09f91..8f662e80b 100644
--- a/src/Frontend/src/components/monitoring/EndpointInstances.vue
+++ b/src/Frontend/src/components/monitoring/EndpointInstances.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { ref, onMounted } from "vue";
+import { computed, ref, onMounted } from "vue";
 import { useRouter, RouterLink } from "vue-router";
 import { formatGraphDecimal, formatGraphDuration, smallGraphsMinimumYAxis } from "./formatGraph";
 import { storeToRefs } from "pinia";
@@ -14,6 +14,12 @@ import FAIcon from "@/components/FAIcon.vue";
 import { faEnvelope, faTrash } from "@fortawesome/free-solid-svg-icons";
 import monitoringClient from "./monitoringClient";
 import logger from "@/logger";
+import { usePermissions } from "@/composables/usePermissions";
+
+const { can } = usePermissions();
+// The remove control is a hover-revealed link (not a button), so gate its visibility
+// rather than disabling it.
+const canDeleteMonitoredEndpoints = computed(() => can("monitoring:endpoint:delete"));
 
 const isRemovingEndpointEnabled = ref<boolean>(false);
 const router = useRouter();
@@ -147,7 +153,7 @@ onMounted(async () => {
 
                 <!--remove endpoint-->
                 <div class="col-xs-2 col-xl-1 no-side-padding">
-                  <a v-if="isRemovingEndpointEnabled && instance.isStale" class="remove-endpoint" @click="removeEndpoint(endpointName, instance)">
+                  <a v-if="isRemovingEndpointEnabled && instance.isStale && canDeleteMonitoredEndpoints" class="remove-endpoint" @click="removeEndpoint(endpointName, instance)">
                     <FAIcon :icon="faTrash" v-tippy="`Remove endpoint`" />
                   </a>
                 </div>

From 4ef6840b42e6e0a3f20c3924ee95176cbd983f90 Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 15:32:00 +0200
Subject: [PATCH 11/25] =?UTF-8?q?=E2=9C=A8=20Add=20API=20route=20registry?=
 =?UTF-8?q?=20for=20UI=20gating?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/Frontend/src/composables/apiRoutes.ts | 37 +++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 src/Frontend/src/composables/apiRoutes.ts

diff --git a/src/Frontend/src/composables/apiRoutes.ts b/src/Frontend/src/composables/apiRoutes.ts
new file mode 100644
index 000000000..2897bd179
--- /dev/null
+++ b/src/Frontend/src/composables/apiRoutes.ts
@@ -0,0 +1,37 @@
+// Maps each gated UI capability to the ServiceControl HTTP route it represents.
+// This is the ONLY place coupling ServicePulse to ServiceControl's route surface:
+// the UI gates on routes it already calls, never on the internal permission grammar.
+// Paths use {} for each route parameter; matching is param-name-insensitive (see routeMatching.ts).
+// Each entry tracks a route in ServiceControl's APIApprovals.HttpApiRoutes (Primary or Monitoring instance).
+export type RouteRef = { method: string; path: string };
+
+export const ApiRoutes = {
+  // ---- nav / verb-level (GET routes gated by the matching :view permission) ----
+  viewHeartbeats:          { method: "GET",    path: "/api/heartbeats/stats" },       // error:heartbeats:view (EndpointsMonitoringController)
+  viewMonitoredEndpoints:  { method: "GET",    path: "/api/monitored-endpoints" },     // monitoring:endpoint:view (DiagramApiController, Monitoring instance)
+  viewAuditMessages:       { method: "GET",    path: "/api/messages2" },               // error:messages:view (GetMessages2Controller)
+  viewFailedMessages:      { method: "GET",    path: "/api/errors" },                  // error:messages:view (GetAllErrorsController)
+  viewCustomChecks:        { method: "GET",    path: "/api/customchecks" },            // error:customchecks:view (CustomCheckController)
+  viewEventLog:            { method: "GET",    path: "/api/eventlogitems" },           // error:eventlog:view (EventLogApiController)
+  viewThroughput:          { method: "GET",    path: "/api/licensing/report/available" }, // error:throughput:view (LicensingController)
+  viewLicense:             { method: "GET",    path: "/api/license" },                 // error:licensing:view (LicenseController)
+  viewConnections:         { method: "GET",    path: "/api/connection" },              // error:connections:view (ConnectionController)
+  viewNotifications:       { method: "GET",    path: "/api/notifications/email" },    // error:notifications:view (NotificationsController)
+  viewRedirects:           { method: "GET",    path: "/api/redirects" },              // error:redirects:view (MessageRedirectsController)
+  viewEndpoints:           { method: "GET",    path: "/api/endpoints" },              // error:endpoints:view (EndpointsMonitoringController)
+  manageThroughput:        { method: "POST",   path: "/api/licensing/settings/masks/update" }, // error:throughput:manage (LicensingController)
+  // ---- actions ----
+  manageNotifications:     { method: "POST",   path: "/api/notifications/email" },
+  testNotifications:       { method: "POST",   path: "/api/notifications/email/test" },
+  manageRedirects:         { method: "POST",   path: "/api/redirects" },
+  dismissCustomCheck:      { method: "DELETE", path: "/api/customchecks/{}" },
+  retryMessage:            { method: "POST",   path: "/api/errors/retry" },
+  editMessage:             { method: "POST",   path: "/api/edit/{}" },
+  deleteMessage:           { method: "PATCH",  path: "/api/errors/archive" },
+  restoreMessage:          { method: "PATCH",  path: "/api/errors/unarchive" },
+  retryGroup:              { method: "POST",   path: "/api/recoverability/groups/{}/errors/retry" },
+  deleteGroup:             { method: "POST",   path: "/api/recoverability/groups/{}/errors/archive" },
+  restoreGroup:            { method: "POST",   path: "/api/recoverability/groups/{}/errors/unarchive" },
+  deleteEndpointInstance:  { method: "DELETE", path: "/api/endpoints/{}" },
+  deleteMonitoredEndpoint: { method: "DELETE", path: "/api/monitored-instance/{}/{}" },
+} as const satisfies Record<string, RouteRef>;

From 6ef129fd9f3068591f722101dc02c5954bffdea8 Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 15:36:41 +0200
Subject: [PATCH 12/25] =?UTF-8?q?=E2=9C=A8=20Add=20structural=20route-key?=
 =?UTF-8?q?=20matcher?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/Frontend/src/composables/routeMatching.spec.ts | 14 ++++++++++++++
 src/Frontend/src/composables/routeMatching.ts      |  9 +++++++++
 2 files changed, 23 insertions(+)
 create mode 100644 src/Frontend/src/composables/routeMatching.spec.ts
 create mode 100644 src/Frontend/src/composables/routeMatching.ts

diff --git a/src/Frontend/src/composables/routeMatching.spec.ts b/src/Frontend/src/composables/routeMatching.spec.ts
new file mode 100644
index 000000000..6ebbfd012
--- /dev/null
+++ b/src/Frontend/src/composables/routeMatching.spec.ts
@@ -0,0 +1,14 @@
+import { describe, it, expect } from "vitest";
+import { normalizeRouteKey } from "@/composables/routeMatching";
+
+describe("normalizeRouteKey", () => {
+  it.each([
+    ["POST", "/api/errors/{id}/retry", "POST /api/errors/{}/retry"],
+    ["post", "/api/errors/{failedMessageId}/retry", "POST /api/errors/{}/retry"], // param-name-insensitive + verb case
+    ["GET", "/api/errors", "GET /api/errors"],
+    ["DELETE", "/api/monitored-instance/{name}/{instanceId}", "DELETE /api/monitored-instance/{}/{}"],
+    ["GET", "api/messages2", "GET /api/messages2"], // adds leading slash
+  ])("normalizes %s %s", (method, path, expected) => {
+    expect(normalizeRouteKey(method, path)).toBe(expected);
+  });
+});
diff --git a/src/Frontend/src/composables/routeMatching.ts b/src/Frontend/src/composables/routeMatching.ts
new file mode 100644
index 000000000..9c1ee8d9d
--- /dev/null
+++ b/src/Frontend/src/composables/routeMatching.ts
@@ -0,0 +1,9 @@
+// Normalizes a (method, path) into a comparison key for allowed-route matching.
+// Param names are collapsed to {} so matching couples only to method + path STRUCTURE
+// (the stable public contract), surviving server route-parameter renames.
+export function normalizeRouteKey(method: string, path: string): string {
+  const normalizedPath = path
+    .replace(/\{[^}]*\}/g, "{}")
+    .replace(/^\/?/, "/");
+  return `${method.toUpperCase()} ${normalizedPath}`;
+}

From 0fad7d2e08b63a7195ddb803f02dd55422fe8a7f Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 15:39:52 +0200
Subject: [PATCH 13/25] =?UTF-8?q?=E2=9C=A8=20Add=20AllowedRoutesStore=20fe?=
 =?UTF-8?q?tching=20my/routes=20from=20Primary=20+=20Monitoring?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../components/monitoring/monitoringClient.ts |  7 ++
 .../src/stores/AllowedRoutesStore.spec.ts     | 36 ++++++++++
 src/Frontend/src/stores/AllowedRoutesStore.ts | 69 +++++++++++++++++++
 3 files changed, 112 insertions(+)
 create mode 100644 src/Frontend/src/stores/AllowedRoutesStore.spec.ts
 create mode 100644 src/Frontend/src/stores/AllowedRoutesStore.ts

diff --git a/src/Frontend/src/components/monitoring/monitoringClient.ts b/src/Frontend/src/components/monitoring/monitoringClient.ts
index 5793d5f09..92c77aa18 100644
--- a/src/Frontend/src/components/monitoring/monitoringClient.ts
+++ b/src/Frontend/src/components/monitoring/monitoringClient.ts
@@ -91,6 +91,13 @@ class MonitoringClient {
     return false;
   }
 
+  public async fetchAllowedRoutes() {
+    if (this.isMonitoringDisabled) {
+      return undefined;
+    }
+    return await authFetch(`${this.url}my/routes`);
+  }
+
   public get isMonitoringEnabled() {
     return this.url && this.url !== "!" ? true : false;
   }
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
new file mode 100644
index 000000000..834d599b7
--- /dev/null
+++ b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
@@ -0,0 +1,36 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { setActivePinia, createPinia } from "pinia";
+
+const scFetch = vi.fn();
+const monFetch = vi.fn();
+vi.mock("@/components/serviceControlClient", () => ({ default: { fetchFromServiceControl: (s: string) => scFetch(s) } }));
+vi.mock("@/components/monitoring/monitoringClient", () => ({
+  default: { get isMonitoringEnabled() { return true; }, fetchAllowedRoutes: () => monFetch() },
+}));
+
+import { useAllowedRoutesStore } from "@/stores/AllowedRoutesStore";
+
+const ok = (body: unknown) => ({ ok: true, status: 200, json: async () => body });
+
+describe("AllowedRoutesStore", () => {
+  beforeEach(() => { setActivePinia(createPinia()); scFetch.mockReset(); monFetch.mockReset(); });
+
+  it("merges Primary and Monitoring manifests into normalized keys", async () => {
+    scFetch.mockResolvedValue(ok([{ method: "POST", urlTemplate: "/api/errors/{id}/retry" }]));
+    monFetch.mockResolvedValue(ok([{ method: "DELETE", urlTemplate: "/api/monitored-instance/{n}/{i}" }]));
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    expect(store.routes.has("POST /api/errors/{}/retry")).toBe(true);
+    expect(store.routes.has("DELETE /api/monitored-instance/{}/{}")).toBe(true);
+    expect(store.loaded).toBe(true);
+  });
+
+  it("fails open per instance: a 404 from one instance contributes nothing but does not throw", async () => {
+    scFetch.mockResolvedValue(ok([{ method: "GET", urlTemplate: "/api/errors" }]));
+    monFetch.mockResolvedValue({ ok: false, status: 404, json: async () => ({}) });
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    expect(store.routes.has("GET /api/errors")).toBe(true);
+    expect(store.loadAttempted).toBe(true);
+  });
+});
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.ts b/src/Frontend/src/stores/AllowedRoutesStore.ts
new file mode 100644
index 000000000..e337a3e9b
--- /dev/null
+++ b/src/Frontend/src/stores/AllowedRoutesStore.ts
@@ -0,0 +1,69 @@
+import { acceptHMRUpdate, defineStore } from "pinia";
+import { ref } from "vue";
+import serviceControlClient from "@/components/serviceControlClient";
+import monitoringClient from "@/components/monitoring/monitoringClient";
+import { normalizeRouteKey } from "@/composables/routeMatching";
+import logger from "@/logger";
+
+export interface ManifestEntry { method: string; urlTemplate: string; [k: string]: unknown }
+
+// Holds the allowed-route manifest the current token may call, merged from the instances
+// ServicePulse calls directly (Primary + Monitoring). A Map (not a Set) preserves each entry so a
+// future per-route `scope` field survives (resource-level checks). Keys are normalizeRouteKey().
+export const useAllowedRoutesStore = defineStore("AllowedRoutesStore", () => {
+  const routes = ref<Map<string, ManifestEntry>>(new Map());
+  const loaded = ref(false);
+  const loadAttempted = ref(false);
+
+  // Per-store in-flight guard so concurrent callers share one request. Kept on the store
+  // (not module scope) so each Pinia instance — e.g. a re-mounted app — has its own, and a
+  // stale request can never resolve into a different store instance.
+  let inFlight: Promise<void> | null = null;
+
+  async function fetchInstance(get: () => Promise<Response | undefined>): Promise<ManifestEntry[] | null> {
+    try {
+      const response = await get();
+      if (!response || !response.ok) return null; // per-instance fail-open
+      return (await response.json()) as ManifestEntry[];
+    } catch (error) {
+      logger.warn("Failed to fetch allowed routes", error);
+      return null;
+    }
+  }
+
+  async function load() {
+    try {
+      const [primary, monitoring] = await Promise.all([
+        fetchInstance(() => serviceControlClient.fetchFromServiceControl("my/routes")),
+        fetchInstance(() => monitoringClient.isMonitoringEnabled ? monitoringClient.fetchAllowedRoutes() : Promise.resolve(undefined)),
+      ]);
+      const merged = new Map<string, ManifestEntry>();
+      for (const list of [primary, monitoring]) {
+        for (const entry of list ?? []) {
+          merged.set(normalizeRouteKey(entry.method, entry.urlTemplate), entry);
+        }
+      }
+      routes.value = merged;
+      loaded.value = primary !== null || monitoring !== null;
+    } finally {
+      loadAttempted.value = true;
+    }
+  }
+
+  // Fetch (or join an in-flight fetch of) the current user's allowed routes.
+  function refresh() {
+    return (inFlight ??= load().finally(() => (inFlight = null)));
+  }
+
+  function clear() {
+    routes.value = new Map();
+    loaded.value = false;
+    loadAttempted.value = false;
+  }
+
+  return { routes, loaded, loadAttempted, refresh, clear };
+});
+
+if (import.meta.hot) {
+  import.meta.hot.accept(acceptHMRUpdate(useAllowedRoutesStore, import.meta.hot));
+}

From bee86e494ab08a1827801658449068798f4395b6 Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 15:44:21 +0200
Subject: [PATCH 14/25] =?UTF-8?q?=E2=9C=A8=20Add=20useAllowedRoutes=20comp?=
 =?UTF-8?q?osable=20(canCall/canAnyCall)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../src/composables/useAllowedRoutes.spec.ts  | 47 +++++++++++++++++++
 .../src/composables/useAllowedRoutes.ts       | 32 +++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 src/Frontend/src/composables/useAllowedRoutes.spec.ts
 create mode 100644 src/Frontend/src/composables/useAllowedRoutes.ts

diff --git a/src/Frontend/src/composables/useAllowedRoutes.spec.ts b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
new file mode 100644
index 000000000..3224b5aa5
--- /dev/null
+++ b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
@@ -0,0 +1,47 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { setActivePinia, createPinia } from "pinia";
+import { useAllowedRoutesStore } from "@/stores/AllowedRoutesStore";
+import { useAuthStore } from "@/stores/AuthStore";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
+
+vi.mock("@/components/serviceControlClient", () => ({
+  default: { fetchFromServiceControl: vi.fn(), fetchTypedFromServiceControl: vi.fn() },
+}));
+vi.mock("@/components/monitoring/monitoringClient", () => ({
+  default: { isMonitoringEnabled: false, fetchAllowedRoutes: vi.fn() },
+}));
+
+describe("useAllowedRoutes", () => {
+  beforeEach(() => setActivePinia(createPinia()));
+
+  function arrange(enabled: boolean, authed: boolean, keys: string[]) {
+    const auth = useAuthStore();
+    auth.authEnabled = enabled;
+    auth.isAuthenticated = authed;
+    const store = useAllowedRoutesStore();
+    store.routes = new Map(keys.map((k) => [k, { method: "", urlTemplate: "" }]));
+    store.loaded = keys.length > 0;
+  }
+
+  it("allows a granted route", () => {
+    arrange(true, true, ["POST /api/errors/retry"]);
+    expect(useAllowedRoutes().canCall(ApiRoutes.retryMessage)).toBe(true);
+  });
+  it("denies an ungranted route when gating", () => {
+    arrange(true, true, ["GET /api/errors"]);
+    expect(useAllowedRoutes().canCall(ApiRoutes.retryMessage)).toBe(false);
+  });
+  it("fails open when auth disabled", () => {
+    arrange(false, false, []);
+    expect(useAllowedRoutes().canCall(ApiRoutes.retryMessage)).toBe(true);
+  });
+  it("canCall accepts and ignores a resource argument", () => {
+    arrange(true, true, ["POST /api/errors/retry"]);
+    expect(useAllowedRoutes().canCall(ApiRoutes.retryMessage, { queue: "billing" })).toBe(true);
+  });
+  it("canAnyCall is true if any entry is granted", () => {
+    arrange(true, true, ["GET /api/errors"]);
+    expect(useAllowedRoutes().canAnyCall([ApiRoutes.retryMessage, ApiRoutes.viewFailedMessages])).toBe(true);
+  });
+});
diff --git a/src/Frontend/src/composables/useAllowedRoutes.ts b/src/Frontend/src/composables/useAllowedRoutes.ts
new file mode 100644
index 000000000..496af6dbc
--- /dev/null
+++ b/src/Frontend/src/composables/useAllowedRoutes.ts
@@ -0,0 +1,32 @@
+import { computed } from "vue";
+import { storeToRefs } from "pinia";
+import { useAllowedRoutesStore } from "@/stores/AllowedRoutesStore";
+import { useAuthStore } from "@/stores/AuthStore";
+import { normalizeRouteKey } from "@/composables/routeMatching";
+import type { RouteRef } from "@/composables/apiRoutes";
+
+// Route-aware gating composable (the primitive). The resource-owning view-model calls canCall and
+// exposes the result; templates bind. Gating is fail-open: only applies once authorization is enabled,
+// the user is authenticated and the manifest has loaded — otherwise everything is shown.
+export function useAllowedRoutes() {
+  const store = useAllowedRoutesStore();
+  const { authEnabled, isAuthenticated } = storeToRefs(useAuthStore());
+
+  const shouldGate = computed(() => authEnabled.value && isAuthenticated.value && store.loaded);
+  const ready = computed(() => !(authEnabled.value && isAuthenticated.value) || store.loadAttempted);
+
+  function fetchManifest(): Promise<void> {
+    return store.refresh();
+  }
+
+  // resource: reserved for future resource-level scope (ignored today). See design Future-proofing.
+  function canCall(entry: RouteRef, _resource?: object): boolean {
+    return !shouldGate.value || store.routes.has(normalizeRouteKey(entry.method, entry.path));
+  }
+
+  function canAnyCall(entries: RouteRef[]): boolean {
+    return entries.some((e) => canCall(e));
+  }
+
+  return { fetchManifest, canCall, canAnyCall, shouldGate, ready };
+}

From f6dc1d0492cd230077971d535e1b36912850c34a Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 15:50:35 +0200
Subject: [PATCH 15/25] =?UTF-8?q?=F0=9F=90=9B=20Guard=20AllowedRoutesStore?=
 =?UTF-8?q?=20against=20non-array=20fetch=20response;=20add=20fail-open=20?=
 =?UTF-8?q?tests?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- fetchInstance() now validates Array.isArray(json) before using the parsed body;
  a non-array 200 response (error envelope, null, {}) returns null like a network
  failure instead of propagating into load() and rejecting refresh()
- Add test: both instances return non-array 200 → loaded=false
- Add test: both instances throw network error → loaded=false (global fail-open)
- Fix arrange() in useAllowedRoutes.spec.ts to set loadAttempted=true so future
  ready-computed tests work correctly by default
---
 .../src/composables/useAllowedRoutes.spec.ts   |  1 +
 .../src/stores/AllowedRoutesStore.spec.ts      | 18 ++++++++++++++++++
 src/Frontend/src/stores/AllowedRoutesStore.ts  |  4 +++-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/Frontend/src/composables/useAllowedRoutes.spec.ts b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
index 3224b5aa5..9111a9dc7 100644
--- a/src/Frontend/src/composables/useAllowedRoutes.spec.ts
+++ b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
@@ -22,6 +22,7 @@ describe("useAllowedRoutes", () => {
     const store = useAllowedRoutesStore();
     store.routes = new Map(keys.map((k) => [k, { method: "", urlTemplate: "" }]));
     store.loaded = keys.length > 0;
+    store.loadAttempted = true;
   }
 
   it("allows a granted route", () => {
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
index 834d599b7..55bee5b24 100644
--- a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
+++ b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
@@ -33,4 +33,22 @@ describe("AllowedRoutesStore", () => {
     expect(store.routes.has("GET /api/errors")).toBe(true);
     expect(store.loadAttempted).toBe(true);
   });
+
+  it("treats a non-array 200 response body as a failed instance: loaded stays false when both return non-array", async () => {
+    scFetch.mockResolvedValue(ok({}));
+    monFetch.mockResolvedValue(ok(null));
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    expect(store.loaded).toBe(false);
+    expect(store.loadAttempted).toBe(true);
+  });
+
+  it("fails open globally: loaded is false when both instances fail with network errors", async () => {
+    scFetch.mockRejectedValue(new Error("network error"));
+    monFetch.mockRejectedValue(new Error("network error"));
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    expect(store.loaded).toBe(false);
+    expect(store.loadAttempted).toBe(true);
+  });
 });
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.ts b/src/Frontend/src/stores/AllowedRoutesStore.ts
index e337a3e9b..4e52f1805 100644
--- a/src/Frontend/src/stores/AllowedRoutesStore.ts
+++ b/src/Frontend/src/stores/AllowedRoutesStore.ts
@@ -24,7 +24,9 @@ export const useAllowedRoutesStore = defineStore("AllowedRoutesStore", () => {
     try {
       const response = await get();
       if (!response || !response.ok) return null; // per-instance fail-open
-      return (await response.json()) as ManifestEntry[];
+      const json = await response.json();
+      if (!Array.isArray(json)) return null; // guard against non-array bodies (error envelopes, etc.)
+      return json as ManifestEntry[];
     } catch (error) {
       logger.warn("Failed to fetch allowed routes", error);
       return null;

From 0c4f53dbe4a350a183a85433cb131075c420df94 Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 15:57:10 +0200
Subject: [PATCH 16/25] =?UTF-8?q?=E2=9C=A8=20Fetch=20my/routes=20at=20star?=
 =?UTF-8?q?tup=20and=20surface=20403=20denial=20reason?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/Frontend/src/App.vue                      | 12 ++++-----
 .../src/composables/useAuthenticatedFetch.ts  | 25 +++++++++++++++++--
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/src/Frontend/src/App.vue b/src/Frontend/src/App.vue
index 5f0f6d49a..ccaa60e86 100644
--- a/src/Frontend/src/App.vue
+++ b/src/Frontend/src/App.vue
@@ -8,21 +8,21 @@ import LicenseNotifications from "@/components/LicenseNotifications.vue";
 import BackendChecksNotifications from "@/components/BackendChecksNotifications.vue";
 import { storeToRefs } from "pinia";
 import { useAuthStore } from "@/stores/AuthStore";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
 
 const authStore = useAuthStore();
 const route = useRoute();
 const { isAuthenticated, authEnabled } = storeToRefs(authStore);
 
-// Load the user's effective permissions (my/permissions/all) once authenticated, so the
-// nav and other UI can gate on them. Fail-safe: a missing/old endpoint just leaves
-// permissions unloaded and the UI fails open.
-const { fetchDescriptor } = usePermissions();
+// Load the allowed-route manifest (my/routes) once authenticated, so the nav and other
+// UI can gate on it. Fail-safe: a missing/old endpoint just leaves the manifest unloaded
+// and the UI fails open.
+const { fetchManifest } = useAllowedRoutes();
 watch(
   [authEnabled, isAuthenticated],
   ([enabled, authenticated]) => {
     if (enabled && authenticated) {
-      fetchDescriptor();
+      fetchManifest();
     }
   },
   { immediate: true }
diff --git a/src/Frontend/src/composables/useAuthenticatedFetch.ts b/src/Frontend/src/composables/useAuthenticatedFetch.ts
index 2fa2d0cfa..220ea4482 100644
--- a/src/Frontend/src/composables/useAuthenticatedFetch.ts
+++ b/src/Frontend/src/composables/useAuthenticatedFetch.ts
@@ -1,4 +1,6 @@
 import { useAuthStore } from "@/stores/AuthStore";
+import { useShowToast } from "@/composables/toast";
+import { TYPE } from "vue-toastification";
 
 const UNAUTHENTICATED_ENDPOINTS = ["/api/authentication/configuration"];
 
@@ -6,11 +8,24 @@ function isUnauthenticatedEndpoint(url: string): boolean {
   return UNAUTHENTICATED_ENDPOINTS.some((endpoint) => url.includes(endpoint));
 }
 
+async function handle403Toast(response: Response): Promise<void> {
+  let message = "You do not have permission to perform this action.";
+  try {
+    const body = await response.clone().json();
+    if (body?.message) message = body.message;
+  } catch {
+    // keep default message
+  }
+  useShowToast(TYPE.ERROR, "Forbidden", message);
+}
+
 /**
  * Authenticated fetch wrapper that automatically includes JWT token
  * in the Authorization header when authentication is enabled.
+ * When a 403 response is received the denial reason from ServiceControl's
+ * structured body ({ error, message }) is surfaced as an error toast.
  */
-export function authFetch(input: RequestInfo, init?: RequestInit): Promise<Response> {
+export async function authFetch(input: RequestInfo, init?: RequestInit): Promise<Response> {
   const authStore = useAuthStore();
   const url = typeof input === "string" ? input : input.url;
 
@@ -34,5 +49,11 @@ export function authFetch(input: RequestInfo, init?: RequestInit): Promise<Respo
   const headers = new Headers(init?.headers);
   headers.set("Authorization", `Bearer ${token}`);
 
-  return fetch(input, { ...init, headers });
+  const response = await fetch(input, { ...init, headers });
+
+  if (response.status === 403) {
+    await handle403Toast(response);
+  }
+
+  return response;
 }

From f602867d1f661b7e332aca8bce646bcc59a7ae52 Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 16:02:37 +0200
Subject: [PATCH 17/25] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Gate=20nav=20and=20c?=
 =?UTF-8?q?onfiguration=20tabs=20on=20allowed=20routes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/Frontend/src/components/PageHeader.vue   | 23 ++++++++++----------
 src/Frontend/src/views/ConfigurationView.vue | 23 ++++++++++----------
 2 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/src/Frontend/src/components/PageHeader.vue b/src/Frontend/src/components/PageHeader.vue
index fdb03e618..f465a267c 100644
--- a/src/Frontend/src/components/PageHeader.vue
+++ b/src/Frontend/src/components/PageHeader.vue
@@ -15,7 +15,8 @@ import AuditMenuItem from "./audit/AuditMenuItem.vue";
 import monitoringClient from "@/components/monitoring/monitoringClient";
 import UserProfileMenuItem from "@/components/UserProfileMenuItem.vue";
 import { useAuthStore } from "@/stores/AuthStore";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 import { storeToRefs } from "pinia";
 
 const isMonitoringEnabled = monitoringClient.isMonitoringEnabled;
@@ -23,23 +24,23 @@ const isMonitoringEnabled = monitoringClient.isMonitoringEnabled;
 const authStore = useAuthStore();
 const { authEnabled, isAuthenticated } = storeToRefs(authStore);
 
-const { can, ready } = usePermissions();
+const { canCall, ready } = useAllowedRoutes();
 
-// Each item gates on the specific permission ServiceControl enforces for that area.
+// Each item gates on the specific route ServiceControl enforces for that area.
 // Gate-on-ready: render nothing until permissions are known, so items never appear and
-// then disappear. can() fails open, so auth-disabled / failed-load shows everything.
+// then disappear. canCall() fails open, so auth-disabled / failed-load shows everything.
 // prettier-ignore
 const menuItems = computed(() => {
   if (!ready.value) return [];
   return [
     DashboardMenuItem,
-    ...(can("error:heartbeats:view") ? [HeartbeatsMenuItem] : []),
-    ...(isMonitoringEnabled && can("monitoring:endpoint:view") ? [MonitoringMenuItem] : []),
-    ...(can("audit:message:view") ? [AuditMenuItem] : []),
-    ...(can("error:messages:view") ? [FailedMessagesMenuItem] : []),
-    ...(can("error:customchecks:view") ? [CustomChecksMenuItem] : []),
-    ...(can("error:eventlog:view") ? [EventsMenuItem] : []),
-    ...(can("error:throughput:view") ? [ThroughputMenuItem] : []),
+    ...(canCall(ApiRoutes.viewHeartbeats) ? [HeartbeatsMenuItem] : []),
+    ...(isMonitoringEnabled && canCall(ApiRoutes.viewMonitoredEndpoints) ? [MonitoringMenuItem] : []),
+    ...(canCall(ApiRoutes.viewAuditMessages) ? [AuditMenuItem] : []),
+    ...(canCall(ApiRoutes.viewFailedMessages) ? [FailedMessagesMenuItem] : []),
+    ...(canCall(ApiRoutes.viewCustomChecks) ? [CustomChecksMenuItem] : []),
+    ...(canCall(ApiRoutes.viewEventLog) ? [EventsMenuItem] : []),
+    ...(canCall(ApiRoutes.viewThroughput) ? [ThroughputMenuItem] : []),
     ConfigurationMenuItem,
     FeedbackButton,
   ];
diff --git a/src/Frontend/src/views/ConfigurationView.vue b/src/Frontend/src/views/ConfigurationView.vue
index 8525afbfe..f823e23a1 100644
--- a/src/Frontend/src/views/ConfigurationView.vue
+++ b/src/Frontend/src/views/ConfigurationView.vue
@@ -12,7 +12,8 @@ import useConnectionsAndStatsAutoRefresh from "@/composables/useConnectionsAndSt
 import { useRedirectsStore } from "@/stores/RedirectsStore";
 import { useLicenseStore } from "@/stores/LicenseStore";
 import { useAuthStore } from "@/stores/AuthStore";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 const { store: throughputStore } = useThroughputStoreAutoRefresh();
 const { hasErrors } = storeToRefs(throughputStore);
@@ -23,9 +24,9 @@ const licenseStore = useLicenseStore();
 const { licenseStatus } = licenseStore;
 const authStore = useAuthStore();
 
-// Each tab gates on the specific permission ServiceControl enforces for it. Gate-on-ready:
+// Each tab gates on the specific route ServiceControl enforces for it. Gate-on-ready:
 // the tab row is held until permissions are known, so tabs don't appear and then disappear.
-const { can, ready } = usePermissions();
+const { canCall, ready } = useAllowedRoutes();
 
 onMounted(async () => {
   if (notConnected.value) {
@@ -61,12 +62,12 @@ function preventIfDisabled(e: Event) {
     <div class="row">
       <div class="col-sm-12">
         <div class="nav tabs" v-if="ready">
-          <h5 v-if="can('error:licensing:view')" :class="{ active: isRouteSelected(routeLinks.configuration.license.link), disabled: notConnected }" @click.capture="preventIfDisabled" class="nav-item" role="tab" aria-label="license">
+          <h5 v-if="canCall(ApiRoutes.viewLicense)" :class="{ active: isRouteSelected(routeLinks.configuration.license.link), disabled: notConnected }" @click.capture="preventIfDisabled" class="nav-item" role="tab" aria-label="license">
             <RouterLink :to="routeLinks.configuration.license.link">License</RouterLink>
             <exclamation-mark :type="convertToWarningLevel(licenseStatus.warningLevel)" />
           </h5>
           <h5
-            v-if="can('error:throughput:manage')"
+            v-if="canCall(ApiRoutes.manageThroughput)"
             :class="{ active: isRouteSelected(routeLinks.throughput.setup.root) || isRouteSelected(routeLinks.throughput.setup.mask.link) || isRouteSelected(routeLinks.throughput.setup.diagnostics.link), disabled: notConnected }"
             @click.capture="preventIfDisabled"
             class="nav-item"
@@ -78,7 +79,7 @@ function preventIfDisabled(e: Event) {
           </h5>
           <template v-if="!licenseStatus.isExpired">
             <h5
-              v-if="can('error:connections:view')"
+              v-if="canCall(ApiRoutes.viewConnections)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.massTransitConnector.link),
                 disabled: notConnected,
@@ -91,7 +92,7 @@ function preventIfDisabled(e: Event) {
               <RouterLink :to="routeLinks.configuration.massTransitConnector.link">MassTransit Connector</RouterLink>
             </h5>
             <h5
-              v-if="can('error:notifications:view')"
+              v-if="canCall(ApiRoutes.viewNotifications)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.healthCheckNotifications.link),
                 disabled: notConnected,
@@ -104,7 +105,7 @@ function preventIfDisabled(e: Event) {
               <RouterLink :to="routeLinks.configuration.healthCheckNotifications.link">Health Check Notifications</RouterLink>
             </h5>
             <h5
-              v-if="can('error:redirects:view')"
+              v-if="canCall(ApiRoutes.viewRedirects)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.retryRedirects.link),
                 disabled: notConnected,
@@ -117,7 +118,7 @@ function preventIfDisabled(e: Event) {
               <RouterLink :to="routeLinks.configuration.retryRedirects.link">Retry Redirects ({{ redirectsStore.redirects.total }})</RouterLink>
             </h5>
             <h5
-              v-if="can('error:connections:view')"
+              v-if="canCall(ApiRoutes.viewConnections)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.connections.link),
               }"
@@ -131,7 +132,7 @@ function preventIfDisabled(e: Event) {
               </RouterLink>
             </h5>
             <h5
-              v-if="can('error:endpoints:view')"
+              v-if="canCall(ApiRoutes.viewEndpoints)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.endpointConnection.link),
                 disabled: notConnected,
@@ -145,7 +146,7 @@ function preventIfDisabled(e: Event) {
             </h5>
           </template>
           <template v-else>
-            <h5 v-if="can('error:connections:view')" :class="{ active: isRouteSelected(routeLinks.configuration.connections.link) }" class="nav-item" role="tab" aria-label="connections">
+            <h5 v-if="canCall(ApiRoutes.viewConnections)" :class="{ active: isRouteSelected(routeLinks.configuration.connections.link) }" class="nav-item" role="tab" aria-label="connections">
               <RouterLink :to="routeLinks.configuration.connections.link">
                 Connections
                 <exclamation-mark v-if="connectionStore.displayConnectionsWarning" :type="WarningLevel.Danger" />

From b80e977dfb09e24f2c05d4a6942b6228305aaaeb Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 16:08:42 +0200
Subject: [PATCH 18/25] =?UTF-8?q?=F0=9F=8E=A8=20Fix=20lint=20in=20new=20ro?=
 =?UTF-8?q?ute-gating=20files?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Auto-fix prettier in apiRoutes.ts, routeMatching.ts, AllowedRoutesStore.ts, AllowedRoutesStore.spec.ts. Remove async from mock json() helpers (require-await). Add eslint-disable-next-line for intentional future-scope _resource param in useAllowedRoutes.ts.
---
 src/Frontend/src/composables/apiRoutes.ts     | 50 +++++++++----------
 src/Frontend/src/composables/routeMatching.ts |  4 +-
 .../src/composables/useAllowedRoutes.ts       |  1 +
 .../src/stores/AllowedRoutesStore.spec.ts     | 17 +++++--
 src/Frontend/src/stores/AllowedRoutesStore.ts |  8 ++-
 5 files changed, 46 insertions(+), 34 deletions(-)

diff --git a/src/Frontend/src/composables/apiRoutes.ts b/src/Frontend/src/composables/apiRoutes.ts
index 2897bd179..cf07ac88e 100644
--- a/src/Frontend/src/composables/apiRoutes.ts
+++ b/src/Frontend/src/composables/apiRoutes.ts
@@ -7,31 +7,31 @@ export type RouteRef = { method: string; path: string };
 
 export const ApiRoutes = {
   // ---- nav / verb-level (GET routes gated by the matching :view permission) ----
-  viewHeartbeats:          { method: "GET",    path: "/api/heartbeats/stats" },       // error:heartbeats:view (EndpointsMonitoringController)
-  viewMonitoredEndpoints:  { method: "GET",    path: "/api/monitored-endpoints" },     // monitoring:endpoint:view (DiagramApiController, Monitoring instance)
-  viewAuditMessages:       { method: "GET",    path: "/api/messages2" },               // error:messages:view (GetMessages2Controller)
-  viewFailedMessages:      { method: "GET",    path: "/api/errors" },                  // error:messages:view (GetAllErrorsController)
-  viewCustomChecks:        { method: "GET",    path: "/api/customchecks" },            // error:customchecks:view (CustomCheckController)
-  viewEventLog:            { method: "GET",    path: "/api/eventlogitems" },           // error:eventlog:view (EventLogApiController)
-  viewThroughput:          { method: "GET",    path: "/api/licensing/report/available" }, // error:throughput:view (LicensingController)
-  viewLicense:             { method: "GET",    path: "/api/license" },                 // error:licensing:view (LicenseController)
-  viewConnections:         { method: "GET",    path: "/api/connection" },              // error:connections:view (ConnectionController)
-  viewNotifications:       { method: "GET",    path: "/api/notifications/email" },    // error:notifications:view (NotificationsController)
-  viewRedirects:           { method: "GET",    path: "/api/redirects" },              // error:redirects:view (MessageRedirectsController)
-  viewEndpoints:           { method: "GET",    path: "/api/endpoints" },              // error:endpoints:view (EndpointsMonitoringController)
-  manageThroughput:        { method: "POST",   path: "/api/licensing/settings/masks/update" }, // error:throughput:manage (LicensingController)
+  viewHeartbeats: { method: "GET", path: "/api/heartbeats/stats" }, // error:heartbeats:view (EndpointsMonitoringController)
+  viewMonitoredEndpoints: { method: "GET", path: "/api/monitored-endpoints" }, // monitoring:endpoint:view (DiagramApiController, Monitoring instance)
+  viewAuditMessages: { method: "GET", path: "/api/messages2" }, // error:messages:view (GetMessages2Controller)
+  viewFailedMessages: { method: "GET", path: "/api/errors" }, // error:messages:view (GetAllErrorsController)
+  viewCustomChecks: { method: "GET", path: "/api/customchecks" }, // error:customchecks:view (CustomCheckController)
+  viewEventLog: { method: "GET", path: "/api/eventlogitems" }, // error:eventlog:view (EventLogApiController)
+  viewThroughput: { method: "GET", path: "/api/licensing/report/available" }, // error:throughput:view (LicensingController)
+  viewLicense: { method: "GET", path: "/api/license" }, // error:licensing:view (LicenseController)
+  viewConnections: { method: "GET", path: "/api/connection" }, // error:connections:view (ConnectionController)
+  viewNotifications: { method: "GET", path: "/api/notifications/email" }, // error:notifications:view (NotificationsController)
+  viewRedirects: { method: "GET", path: "/api/redirects" }, // error:redirects:view (MessageRedirectsController)
+  viewEndpoints: { method: "GET", path: "/api/endpoints" }, // error:endpoints:view (EndpointsMonitoringController)
+  manageThroughput: { method: "POST", path: "/api/licensing/settings/masks/update" }, // error:throughput:manage (LicensingController)
   // ---- actions ----
-  manageNotifications:     { method: "POST",   path: "/api/notifications/email" },
-  testNotifications:       { method: "POST",   path: "/api/notifications/email/test" },
-  manageRedirects:         { method: "POST",   path: "/api/redirects" },
-  dismissCustomCheck:      { method: "DELETE", path: "/api/customchecks/{}" },
-  retryMessage:            { method: "POST",   path: "/api/errors/retry" },
-  editMessage:             { method: "POST",   path: "/api/edit/{}" },
-  deleteMessage:           { method: "PATCH",  path: "/api/errors/archive" },
-  restoreMessage:          { method: "PATCH",  path: "/api/errors/unarchive" },
-  retryGroup:              { method: "POST",   path: "/api/recoverability/groups/{}/errors/retry" },
-  deleteGroup:             { method: "POST",   path: "/api/recoverability/groups/{}/errors/archive" },
-  restoreGroup:            { method: "POST",   path: "/api/recoverability/groups/{}/errors/unarchive" },
-  deleteEndpointInstance:  { method: "DELETE", path: "/api/endpoints/{}" },
+  manageNotifications: { method: "POST", path: "/api/notifications/email" },
+  testNotifications: { method: "POST", path: "/api/notifications/email/test" },
+  manageRedirects: { method: "POST", path: "/api/redirects" },
+  dismissCustomCheck: { method: "DELETE", path: "/api/customchecks/{}" },
+  retryMessage: { method: "POST", path: "/api/errors/retry" },
+  editMessage: { method: "POST", path: "/api/edit/{}" },
+  deleteMessage: { method: "PATCH", path: "/api/errors/archive" },
+  restoreMessage: { method: "PATCH", path: "/api/errors/unarchive" },
+  retryGroup: { method: "POST", path: "/api/recoverability/groups/{}/errors/retry" },
+  deleteGroup: { method: "POST", path: "/api/recoverability/groups/{}/errors/archive" },
+  restoreGroup: { method: "POST", path: "/api/recoverability/groups/{}/errors/unarchive" },
+  deleteEndpointInstance: { method: "DELETE", path: "/api/endpoints/{}" },
   deleteMonitoredEndpoint: { method: "DELETE", path: "/api/monitored-instance/{}/{}" },
 } as const satisfies Record<string, RouteRef>;
diff --git a/src/Frontend/src/composables/routeMatching.ts b/src/Frontend/src/composables/routeMatching.ts
index 9c1ee8d9d..64e75ba5f 100644
--- a/src/Frontend/src/composables/routeMatching.ts
+++ b/src/Frontend/src/composables/routeMatching.ts
@@ -2,8 +2,6 @@
 // Param names are collapsed to {} so matching couples only to method + path STRUCTURE
 // (the stable public contract), surviving server route-parameter renames.
 export function normalizeRouteKey(method: string, path: string): string {
-  const normalizedPath = path
-    .replace(/\{[^}]*\}/g, "{}")
-    .replace(/^\/?/, "/");
+  const normalizedPath = path.replace(/\{[^}]*\}/g, "{}").replace(/^\/?/, "/");
   return `${method.toUpperCase()} ${normalizedPath}`;
 }
diff --git a/src/Frontend/src/composables/useAllowedRoutes.ts b/src/Frontend/src/composables/useAllowedRoutes.ts
index 496af6dbc..1473963c2 100644
--- a/src/Frontend/src/composables/useAllowedRoutes.ts
+++ b/src/Frontend/src/composables/useAllowedRoutes.ts
@@ -20,6 +20,7 @@ export function useAllowedRoutes() {
   }
 
   // resource: reserved for future resource-level scope (ignored today). See design Future-proofing.
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
   function canCall(entry: RouteRef, _resource?: object): boolean {
     return !shouldGate.value || store.routes.has(normalizeRouteKey(entry.method, entry.path));
   }
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
index 55bee5b24..e4c20aa4c 100644
--- a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
+++ b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
@@ -5,15 +5,24 @@ const scFetch = vi.fn();
 const monFetch = vi.fn();
 vi.mock("@/components/serviceControlClient", () => ({ default: { fetchFromServiceControl: (s: string) => scFetch(s) } }));
 vi.mock("@/components/monitoring/monitoringClient", () => ({
-  default: { get isMonitoringEnabled() { return true; }, fetchAllowedRoutes: () => monFetch() },
+  default: {
+    get isMonitoringEnabled() {
+      return true;
+    },
+    fetchAllowedRoutes: () => monFetch(),
+  },
 }));
 
 import { useAllowedRoutesStore } from "@/stores/AllowedRoutesStore";
 
-const ok = (body: unknown) => ({ ok: true, status: 200, json: async () => body });
+const ok = (body: unknown) => ({ ok: true, status: 200, json: () => Promise.resolve(body) });
 
 describe("AllowedRoutesStore", () => {
-  beforeEach(() => { setActivePinia(createPinia()); scFetch.mockReset(); monFetch.mockReset(); });
+  beforeEach(() => {
+    setActivePinia(createPinia());
+    scFetch.mockReset();
+    monFetch.mockReset();
+  });
 
   it("merges Primary and Monitoring manifests into normalized keys", async () => {
     scFetch.mockResolvedValue(ok([{ method: "POST", urlTemplate: "/api/errors/{id}/retry" }]));
@@ -27,7 +36,7 @@ describe("AllowedRoutesStore", () => {
 
   it("fails open per instance: a 404 from one instance contributes nothing but does not throw", async () => {
     scFetch.mockResolvedValue(ok([{ method: "GET", urlTemplate: "/api/errors" }]));
-    monFetch.mockResolvedValue({ ok: false, status: 404, json: async () => ({}) });
+    monFetch.mockResolvedValue({ ok: false, status: 404, json: () => Promise.resolve({}) });
     const store = useAllowedRoutesStore();
     await store.refresh();
     expect(store.routes.has("GET /api/errors")).toBe(true);
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.ts b/src/Frontend/src/stores/AllowedRoutesStore.ts
index 4e52f1805..f99f17cbe 100644
--- a/src/Frontend/src/stores/AllowedRoutesStore.ts
+++ b/src/Frontend/src/stores/AllowedRoutesStore.ts
@@ -5,7 +5,11 @@ import monitoringClient from "@/components/monitoring/monitoringClient";
 import { normalizeRouteKey } from "@/composables/routeMatching";
 import logger from "@/logger";
 
-export interface ManifestEntry { method: string; urlTemplate: string; [k: string]: unknown }
+export interface ManifestEntry {
+  method: string;
+  urlTemplate: string;
+  [k: string]: unknown;
+}
 
 // Holds the allowed-route manifest the current token may call, merged from the instances
 // ServicePulse calls directly (Primary + Monitoring). A Map (not a Set) preserves each entry so a
@@ -37,7 +41,7 @@ export const useAllowedRoutesStore = defineStore("AllowedRoutesStore", () => {
     try {
       const [primary, monitoring] = await Promise.all([
         fetchInstance(() => serviceControlClient.fetchFromServiceControl("my/routes")),
-        fetchInstance(() => monitoringClient.isMonitoringEnabled ? monitoringClient.fetchAllowedRoutes() : Promise.resolve(undefined)),
+        fetchInstance(() => (monitoringClient.isMonitoringEnabled ? monitoringClient.fetchAllowedRoutes() : Promise.resolve(undefined))),
       ]);
       const merged = new Map<string, ManifestEntry>();
       for (const list of [primary, monitoring]) {

From fde4a3b0fd0868b7ec5bfdb036c61e317ece4b08 Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 16:16:58 +0200
Subject: [PATCH 19/25] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Expose=20route-based?=
 =?UTF-8?q?=20capability=20getters=20on=20resource-owning=20stores?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Each store now calls useAllowedRoutes/canCall and exposes a typed computed
getter (canRetry, canEdit, canDelete, canRestore, canManageNotifications,
canTestNotifications, canManageRedirects, canDeleteEndpointInstance,
canDeleteMonitoredEndpoint). Components bind to store.canX via storeToRefs;
the old can("...") calls and usePermissions imports are removed from all
migrated files. Test updated from PermissionsStore to AllowedRoutesStore.
---
 .../HealthCheckNotifications.vue              |  8 +---
 .../configuration/RetryRedirects.vue          |  8 ++--
 .../heartbeats/EndpointInstances.vue          | 13 +++----
 .../messages/DeleteMessageButton.vue          |  6 +--
 .../messages/EditAndRetryButton.vue           |  5 +--
 .../messages/RestoreMessageButton.vue         |  6 +--
 .../messages/RetryMessageButton.vue           |  6 +--
 .../messages/messageButtonPermissions.spec.ts | 37 +++++++++++--------
 .../monitoring/EndpointInstances.vue          | 12 ++----
 src/Frontend/src/stores/HealthChecksStore.ts  | 10 ++++-
 .../src/stores/HeartbeatInstancesStore.ts     |  6 +++
 src/Frontend/src/stores/MessageStore.ts       | 12 ++++++
 .../stores/MonitoringEndpointDetailsStore.ts  |  8 +++-
 src/Frontend/src/stores/RedirectsStore.ts     |  9 ++++-
 14 files changed, 82 insertions(+), 64 deletions(-)

diff --git a/src/Frontend/src/components/configuration/HealthCheckNotifications.vue b/src/Frontend/src/components/configuration/HealthCheckNotifications.vue
index 56b5274dc..a79564e7f 100644
--- a/src/Frontend/src/components/configuration/HealthCheckNotifications.vue
+++ b/src/Frontend/src/components/configuration/HealthCheckNotifications.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { computed, onMounted, ref } from "vue";
+import { onMounted, ref } from "vue";
 import LicenseNotExpired from "../LicenseNotExpired.vue";
 import ServiceControlAvailable from "../ServiceControlAvailable.vue";
 import HealthCheckNotifications_EmailConfiguration from "./HealthCheckNotifications_ConfigureEmail.vue";
@@ -13,14 +13,10 @@ import PermissionGate from "@/components/PermissionGate.vue";
 import { faCheck, faEdit, faEnvelope, faExclamationTriangle } from "@fortawesome/free-solid-svg-icons";
 import { useHealthChecksStore } from "@/stores/HealthChecksStore";
 import { storeToRefs } from "pinia";
-import { usePermissions } from "@/composables/usePermissions";
 
 const healthChecksStore = useHealthChecksStore();
-const { emailNotifications } = storeToRefs(healthChecksStore);
+const { emailNotifications, canManageNotifications, canTestNotifications } = storeToRefs(healthChecksStore);
 
-const { can } = usePermissions();
-const canManageNotifications = computed(() => can("error:notifications:manage"));
-const canTestNotifications = computed(() => can("error:notifications:test"));
 const manageDeniedTooltip = "You don't have permission to manage notifications.";
 const testDeniedTooltip = "You don't have permission to send test notifications.";
 
diff --git a/src/Frontend/src/components/configuration/RetryRedirects.vue b/src/Frontend/src/components/configuration/RetryRedirects.vue
index 8b60cd5f2..b657f12fe 100644
--- a/src/Frontend/src/components/configuration/RetryRedirects.vue
+++ b/src/Frontend/src/components/configuration/RetryRedirects.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { computed, onMounted, ref } from "vue";
+import { onMounted, ref } from "vue";
 import LicenseNotExpired from "../LicenseNotExpired.vue";
 import ServiceControlAvailable from "../ServiceControlAvailable.vue";
 import NoData from "../NoData.vue";
@@ -15,13 +15,11 @@ import PermissionGate from "@/components/PermissionGate.vue";
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import { useRedirectsStore } from "@/stores/RedirectsStore";
 import LoadingSpinner from "../LoadingSpinner.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { storeToRefs } from "pinia";
 
 const redirectsStore = useRedirectsStore();
-
-const { can } = usePermissions();
+const { canManageRedirects } = storeToRefs(redirectsStore);
 // Creating, modifying and ending redirects all manage redirects.
-const canManageRedirects = computed(() => can("error:redirects:manage"));
 const redirectsDeniedTooltip = "You don't have permission to manage redirects.";
 
 const loadingData = ref(true);
diff --git a/src/Frontend/src/components/heartbeats/EndpointInstances.vue b/src/Frontend/src/components/heartbeats/EndpointInstances.vue
index 727efb004..421b64af1 100644
--- a/src/Frontend/src/components/heartbeats/EndpointInstances.vue
+++ b/src/Frontend/src/components/heartbeats/EndpointInstances.vue
@@ -22,7 +22,6 @@ import FAIcon from "@/components/FAIcon.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
 import useHeartbeatInstancesStoreAutoRefresh from "@/composables/useHeartbeatInstancesStoreAutoRefresh";
 import { useEndpointSettingsStore } from "@/stores/EndpointSettingsStore";
-import { usePermissions } from "@/composables/usePermissions";
 
 enum Operation {
   Mute = "mute",
@@ -32,12 +31,10 @@ enum Operation {
 const route = useRoute();
 const router = useRouter();
 
-const { can } = usePermissions();
-const canDeleteEndpoints = computed(() => can("error:endpoints:delete"));
 const deleteDeniedTooltip = "You don't have permission to delete endpoints.";
 const endpointName = route.params.endpointName.toString();
 const { store } = useHeartbeatInstancesStoreAutoRefresh();
-const { filteredInstances, sortedInstances, instanceFilterString, sortByInstances } = storeToRefs(store);
+const { filteredInstances, sortedInstances, instanceFilterString, sortByInstances, canDeleteEndpointInstance } = storeToRefs(store);
 const endpointSettingsStore = useEndpointSettingsStore();
 const endpointSettings = ref<EndpointSettings[]>([endpointSettingsStore.defaultEndpointSettingsValue]);
 
@@ -176,8 +173,8 @@ async function toggleAlerts(instance: EndpointsView) {
       <no-data v-if="filteredValidInstances.length === 0" message="No endpoint instances found. For untracked endpoints, disconnected instances are automatically pruned.">
         <div class="delete-all">
           <span>You may</span>
-          <PermissionGate :allowed="canDeleteEndpoints" :reason="deleteDeniedTooltip">
-            <button type="button" @click="deleteAllInstances()" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpoints"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
+          <PermissionGate :allowed="canDeleteEndpointInstance" :reason="deleteDeniedTooltip">
+            <button type="button" @click="deleteAllInstances()" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpointInstance"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
           </PermissionGate>
           <span>this endpoint</span>
         </div>
@@ -203,8 +200,8 @@ async function toggleAlerts(instance: EndpointsView) {
                 </div>
               </div>
               <div role="cell" aria-label="actions" class="col-1 actions">
-                <PermissionGate v-if="instance.heartbeat_information?.reported_status !== EndpointStatus.Alive" :allowed="canDeleteEndpoints" :reason="deleteDeniedTooltip">
-                  <button type="button" @click="deleteInstance(instance)" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpoints"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
+                <PermissionGate v-if="instance.heartbeat_information?.reported_status !== EndpointStatus.Alive" :allowed="canDeleteEndpointInstance" :reason="deleteDeniedTooltip">
+                  <button type="button" @click="deleteInstance(instance)" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpointInstance"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
                 </PermissionGate>
               </div>
             </div>
diff --git a/src/Frontend/src/components/messages/DeleteMessageButton.vue b/src/Frontend/src/components/messages/DeleteMessageButton.vue
index 287985b0a..1dc9830c1 100644
--- a/src/Frontend/src/components/messages/DeleteMessageButton.vue
+++ b/src/Frontend/src/components/messages/DeleteMessageButton.vue
@@ -9,16 +9,14 @@ import { MessageStatus } from "@/resources/Message";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faTrash } from "@fortawesome/free-solid-svg-icons";
-import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
-const { state } = storeToRefs(store);
-const { can } = usePermissions();
+const { state, canDelete } = storeToRefs(store);
 const isConfirmDialogVisible = ref(false);
 
 const failureStatus = computed(() => state.value.data.failure_status);
 const isDisabled = computed(() => failureStatus.value.retried || failureStatus.value.resolved);
-const isVisible = computed(() => can("error:messages:archive") && !failureStatus.value.archived && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
+const isVisible = computed(() => canDelete.value && !failureStatus.value.archived && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
 
 const handleConfirm = async () => {
   isConfirmDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/EditAndRetryButton.vue b/src/Frontend/src/components/messages/EditAndRetryButton.vue
index add6c8ddc..54ac1c653 100644
--- a/src/Frontend/src/components/messages/EditAndRetryButton.vue
+++ b/src/Frontend/src/components/messages/EditAndRetryButton.vue
@@ -10,19 +10,16 @@ import { MessageStatus } from "@/resources/Message";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faPencil } from "@fortawesome/free-solid-svg-icons";
-import { usePermissions } from "@/composables/usePermissions";
 import PermissionGate from "@/components/PermissionGate.vue";
 
 const store = useMessageStore();
-const { state, edit_and_retry_config, editRetryResponse } = storeToRefs(store);
-const { can } = usePermissions();
+const { state, edit_and_retry_config, editRetryResponse, canEdit } = storeToRefs(store);
 const isConfirmDialogVisible = ref(false);
 const isEditIgnoredDialogVisible = ref(false);
 
 // Edit & retry is enabled by a ServiceControl setting (edit_and_retry_config). When it is on,
 // the button is shown to everyone but disabled (with a tooltip) for users without the edit
 // permission, rather than hidden.
-const canEdit = computed(() => can("error:messages:edit"));
 const editDeniedTooltip = "You don't have permission to edit and retry messages.";
 
 const failureStatus = computed(() => state.value.data.failure_status);
diff --git a/src/Frontend/src/components/messages/RestoreMessageButton.vue b/src/Frontend/src/components/messages/RestoreMessageButton.vue
index 36969f724..407098b86 100644
--- a/src/Frontend/src/components/messages/RestoreMessageButton.vue
+++ b/src/Frontend/src/components/messages/RestoreMessageButton.vue
@@ -8,14 +8,12 @@ import { TYPE } from "vue-toastification";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faUndo } from "@fortawesome/free-solid-svg-icons";
-import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
-const { state } = storeToRefs(store);
-const { can } = usePermissions();
+const { state, canRestore } = storeToRefs(store);
 const isConfirmDialogVisible = ref(false);
 
-const isVisible = computed(() => can("error:messages:unarchive") && state.value.data.failure_status.archived);
+const isVisible = computed(() => canRestore.value && state.value.data.failure_status.archived);
 
 const handleConfirm = async () => {
   isConfirmDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/RetryMessageButton.vue b/src/Frontend/src/components/messages/RetryMessageButton.vue
index dee67f722..534bf4515 100644
--- a/src/Frontend/src/components/messages/RetryMessageButton.vue
+++ b/src/Frontend/src/components/messages/RetryMessageButton.vue
@@ -9,16 +9,14 @@ import { MessageStatus } from "@/resources/Message";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faRefresh } from "@fortawesome/free-solid-svg-icons";
-import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
-const { state } = storeToRefs(store);
-const { can } = usePermissions();
+const { state, canRetry } = storeToRefs(store);
 const isConfirmDialogVisible = ref(false);
 
 const failureStatus = computed(() => state.value.data.failure_status);
 const isDisabled = computed(() => failureStatus.value.retried || failureStatus.value.archived || failureStatus.value.resolved);
-const isVisible = computed(() => can("error:messages:retry") && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
+const isVisible = computed(() => canRetry.value && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
 
 const handleConfirm = async () => {
   isConfirmDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
index 5ed2a2a7d..12edbdf64 100644
--- a/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
+++ b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
@@ -7,28 +7,33 @@ import RetryMessageButton from "@/components/messages/RetryMessageButton.vue";
 import EditAndRetryButton from "@/components/messages/EditAndRetryButton.vue";
 import DeleteMessageButton from "@/components/messages/DeleteMessageButton.vue";
 import RestoreMessageButton from "@/components/messages/RestoreMessageButton.vue";
+import type { ManifestEntry } from "@/stores/AllowedRoutesStore";
 
-// Each failed-message action button is gated on its own ServiceControl permission. These
-// tests pin the per-action gating: with auth enabled + the descriptor loaded, the button
-// shows only when the matching permission is granted.
+// Each failed-message action button is gated on its own ServiceControl route. These
+// tests pin the per-action gating: with auth enabled + the manifest loaded, the button
+// shows only when the matching route is in the allowed set.
 interface ButtonCase {
   name: string;
   component: Component;
-  permission: string;
+  routeKey: string; // normalized route key in AllowedRoutesStore
   text: RegExp;
   archived: boolean; // Restore is only relevant on an archived message; the others on a live one
 }
 
-// Retry / Delete / Restore are hidden when the permission is denied. Edit & retry is handled
+// Retry / Delete / Restore are hidden when the route is not allowed. Edit & retry is handled
 // separately below: it is enabled by a setting and, when on, disabled (not hidden) without
 // the permission.
 const cases: ButtonCase[] = [
-  { name: "Retry", component: RetryMessageButton, permission: "error:messages:retry", text: /Retry message/i, archived: false },
-  { name: "Delete", component: DeleteMessageButton, permission: "error:messages:archive", text: /Delete message/i, archived: false },
-  { name: "Restore", component: RestoreMessageButton, permission: "error:messages:unarchive", text: /Restore/i, archived: true },
+  { name: "Retry", component: RetryMessageButton, routeKey: "POST /api/errors/retry", text: /Retry message/i, archived: false },
+  { name: "Delete", component: DeleteMessageButton, routeKey: "PATCH /api/errors/archive", text: /Delete message/i, archived: false },
+  { name: "Restore", component: RestoreMessageButton, routeKey: "PATCH /api/errors/unarchive", text: /Restore/i, archived: true },
 ];
 
-function renderButton(component: Component, permissions: string[], archived: boolean) {
+function makeRoutes(keys: string[]): Map<string, ManifestEntry> {
+  return new Map(keys.map((k) => [k, { method: "", urlTemplate: "" }]));
+}
+
+function renderButton(component: Component, allowedRouteKeys: string[], archived: boolean) {
   render(component, {
     global: {
       plugins: [
@@ -36,7 +41,7 @@ function renderButton(component: Component, permissions: string[], archived: boo
           stubActions: true,
           initialState: {
             auth: { authEnabled: true, isAuthenticated: true },
-            PermissionsStore: { permissions: new Set(permissions), loaded: true, loadAttempted: true },
+            AllowedRoutesStore: { routes: makeRoutes(allowedRouteKeys), loaded: true, loadAttempted: true },
             MessageStore: {
               state: { data: { id: "msg-1", status: MessageStatus.Failed, failure_status: { archived } } },
               edit_and_retry_config: { enabled: true, locked_headers: [], sensitive_headers: [] },
@@ -55,23 +60,23 @@ describe("failed-message action button permissions", () => {
     document.body.innerHTML = '<div id="modalDisplay"></div>';
   });
 
-  test.each(cases)("$name is shown when its permission is granted", ({ component, permission, text, archived }) => {
-    renderButton(component, [permission], archived);
+  test.each(cases)("$name is shown when its route is allowed", ({ component, routeKey, text, archived }) => {
+    renderButton(component, [routeKey], archived);
     expect(screen.queryByText(text)).not.toBeNull();
   });
 
-  test.each(cases)("$name is hidden when its permission is denied", ({ component, text, archived }) => {
+  test.each(cases)("$name is hidden when its route is not allowed", ({ component, text, archived }) => {
     renderButton(component, [], archived);
     expect(screen.queryByText(text)).toBeNull();
   });
 
-  test("Edit & retry is shown and enabled when error:messages:edit is granted", () => {
-    renderButton(EditAndRetryButton, ["error:messages:edit"], false);
+  test("Edit & retry is shown and enabled when edit route is allowed", () => {
+    renderButton(EditAndRetryButton, ["POST /api/edit/{}"], false);
     const button = screen.getByRole("button", { name: /Edit & retry/i }) as HTMLButtonElement;
     expect(button.disabled).toBe(false);
   });
 
-  test("Edit & retry is shown but disabled when error:messages:edit is denied", () => {
+  test("Edit & retry is shown but disabled when edit route is not allowed", () => {
     renderButton(EditAndRetryButton, [], false);
     const button = screen.getByRole("button", { name: /Edit & retry/i }) as HTMLButtonElement;
     expect(button.disabled).toBe(true);
diff --git a/src/Frontend/src/components/monitoring/EndpointInstances.vue b/src/Frontend/src/components/monitoring/EndpointInstances.vue
index 8f662e80b..611750e55 100644
--- a/src/Frontend/src/components/monitoring/EndpointInstances.vue
+++ b/src/Frontend/src/components/monitoring/EndpointInstances.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { computed, ref, onMounted } from "vue";
+import { ref, onMounted } from "vue";
 import { useRouter, RouterLink } from "vue-router";
 import { formatGraphDecimal, formatGraphDuration, smallGraphsMinimumYAxis } from "./formatGraph";
 import { storeToRefs } from "pinia";
@@ -14,17 +14,11 @@ import FAIcon from "@/components/FAIcon.vue";
 import { faEnvelope, faTrash } from "@fortawesome/free-solid-svg-icons";
 import monitoringClient from "./monitoringClient";
 import logger from "@/logger";
-import { usePermissions } from "@/composables/usePermissions";
-
-const { can } = usePermissions();
-// The remove control is a hover-revealed link (not a button), so gate its visibility
-// rather than disabling it.
-const canDeleteMonitoredEndpoints = computed(() => can("monitoring:endpoint:delete"));
 
 const isRemovingEndpointEnabled = ref<boolean>(false);
 const router = useRouter();
 const monitoringEndpointDetailsStore = useMonitoringEndpointDetailsStore();
-const { endpointDetails: endpoint, endpointName } = storeToRefs(monitoringEndpointDetailsStore);
+const { endpointDetails: endpoint, endpointName, canDeleteMonitoredEndpoint } = storeToRefs(monitoringEndpointDetailsStore);
 
 async function removeEndpoint(endpointName: string, instance: ExtendedEndpointInstance) {
   try {
@@ -153,7 +147,7 @@ onMounted(async () => {
 
                 <!--remove endpoint-->
                 <div class="col-xs-2 col-xl-1 no-side-padding">
-                  <a v-if="isRemovingEndpointEnabled && instance.isStale && canDeleteMonitoredEndpoints" class="remove-endpoint" @click="removeEndpoint(endpointName, instance)">
+                  <a v-if="isRemovingEndpointEnabled && instance.isStale && canDeleteMonitoredEndpoint" class="remove-endpoint" @click="removeEndpoint(endpointName, instance)">
                     <FAIcon :icon="faTrash" v-tippy="`Remove endpoint`" />
                   </a>
                 </div>
diff --git a/src/Frontend/src/stores/HealthChecksStore.ts b/src/Frontend/src/stores/HealthChecksStore.ts
index 9612b5632..6aff63c4c 100644
--- a/src/Frontend/src/stores/HealthChecksStore.ts
+++ b/src/Frontend/src/stores/HealthChecksStore.ts
@@ -1,11 +1,13 @@
 import type EmailSettings from "@/components/configuration/EmailSettings";
 import { acceptHMRUpdate, defineStore } from "pinia";
-import { ref } from "vue";
+import { computed, ref } from "vue";
 import serviceControlClient from "@/components/serviceControlClient";
 import type EmailNotifications from "@/resources/EmailNotifications";
 import type UpdateEmailNotificationsSettingsRequest from "@/resources/UpdateEmailNotificationsSettingsRequest";
 import { useEnvironmentAndVersionsStore } from "./EnvironmentAndVersionsStore";
 import logger from "@/logger";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 export const useHealthChecksStore = defineStore("HealthChecksStore", () => {
   const emailNotifications = ref<EmailSettings>({
@@ -22,6 +24,10 @@ export const useHealthChecksStore = defineStore("HealthChecksStore", () => {
   const environmentStore = useEnvironmentAndVersionsStore();
   const hasResponseStatusInHeaders = environmentStore.serviceControlIsGreaterThan("5.2");
 
+  const { canCall } = useAllowedRoutes();
+  const canManageNotifications = computed(() => canCall(ApiRoutes.manageNotifications));
+  const canTestNotifications = computed(() => canCall(ApiRoutes.testNotifications));
+
   async function refresh() {
     let result: EmailNotifications | null;
     try {
@@ -112,6 +118,8 @@ export const useHealthChecksStore = defineStore("HealthChecksStore", () => {
   return {
     refresh,
     emailNotifications,
+    canManageNotifications,
+    canTestNotifications,
     toggleEmailNotifications,
     saveEmailNotifications,
     testEmailNotifications,
diff --git a/src/Frontend/src/stores/HeartbeatInstancesStore.ts b/src/Frontend/src/stores/HeartbeatInstancesStore.ts
index 98d131bff..5e329e93a 100644
--- a/src/Frontend/src/stores/HeartbeatInstancesStore.ts
+++ b/src/Frontend/src/stores/HeartbeatInstancesStore.ts
@@ -7,6 +7,8 @@ import getSortFunction from "@/components/getSortFunction";
 import { useHeartbeatsStore } from "@/stores/HeartbeatsStore";
 import type { EndpointsView } from "@/resources/EndpointView";
 import serviceControlClient from "@/components/serviceControlClient";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 export enum ColumnNames {
   InstanceName = "name",
@@ -32,6 +34,9 @@ export const useHeartbeatInstancesStore = defineStore("HeartbeatInstancesStore",
   const sortedInstances = computed<EndpointsView[]>(() => endpointInstances.value.sort(getSortFunction(columnSortings.get(sortByInstances.value.property), sortByInstances.value.isAscending ? SortDirection.Ascending : SortDirection.Descending)));
   const filteredInstances = computed<EndpointsView[]>(() => sortedInstances.value.filter((instance) => !instanceFilterString.value || instance.host_display_name.toLowerCase().includes(instanceFilterString.value.toLowerCase())));
 
+  const { canCall } = useAllowedRoutes();
+  const canDeleteEndpointInstance = computed(() => canCall(ApiRoutes.deleteEndpointInstance));
+
   const refresh = () => store.refresh();
 
   watch(instanceFilterString, (newValue) => {
@@ -57,6 +62,7 @@ export const useHeartbeatInstancesStore = defineStore("HeartbeatInstancesStore",
     sortedInstances,
     filteredInstances,
     instanceFilterString,
+    canDeleteEndpointInstance,
     deleteEndpointInstance,
     toggleEndpointMonitor,
     sortByInstances,
diff --git a/src/Frontend/src/stores/MessageStore.ts b/src/Frontend/src/stores/MessageStore.ts
index 424f388bc..309a7ddb8 100644
--- a/src/Frontend/src/stores/MessageStore.ts
+++ b/src/Frontend/src/stores/MessageStore.ts
@@ -16,6 +16,8 @@ import type EditRetryResponse from "@/resources/EditRetryResponse";
 import type { EditedMessage } from "@/resources/EditMessage";
 import useEnvironmentAndVersionsAutoRefresh from "@/composables/useEnvironmentAndVersionsAutoRefresh";
 import { timeSpanToDuration } from "@/composables/formatter";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 interface Model {
   id?: string;
@@ -81,6 +83,12 @@ export const useMessageStore = defineStore("MessageStore", () => {
   const { configuration } = storeToRefs(configStore);
   const error_retention_period = computed(() => timeSpanToDuration(configuration.value?.data_retention?.error_retention_period).asHours());
 
+  const { canCall } = useAllowedRoutes();
+  const canRetry = computed(() => canCall(ApiRoutes.retryMessage, state.data));
+  const canEdit = computed(() => canCall(ApiRoutes.editMessage, state.data));
+  const canDelete = computed(() => canCall(ApiRoutes.deleteMessage, state.data));
+  const canRestore = computed(() => canCall(ApiRoutes.restoreMessage, state.data));
+
   async function loadEditAndRetryConfiguration() {
     try {
       const [, data] = await serviceControlClient.fetchTypedFromServiceControl<EditAndRetryConfig>("edit/config");
@@ -367,6 +375,10 @@ export const useMessageStore = defineStore("MessageStore", () => {
     state,
     edit_and_retry_config,
     editRetryResponse,
+    canRetry,
+    canEdit,
+    canDelete,
+    canRestore,
     reset,
     loadMessage,
     loadFailedMessage,
diff --git a/src/Frontend/src/stores/MonitoringEndpointDetailsStore.ts b/src/Frontend/src/stores/MonitoringEndpointDetailsStore.ts
index cb7fb3457..2b6556221 100644
--- a/src/Frontend/src/stores/MonitoringEndpointDetailsStore.ts
+++ b/src/Frontend/src/stores/MonitoringEndpointDetailsStore.ts
@@ -1,5 +1,5 @@
 import { defineStore, acceptHMRUpdate } from "pinia";
-import { ref } from "vue";
+import { computed, ref } from "vue";
 import MessageTypes from "@/components/monitoring/messageTypes";
 import { formatGraphDuration } from "../components/monitoring/formatGraph";
 import { type ExtendedEndpointDetails, type ExtendedEndpointInstance, type MessageType, type EndpointDetails, type EndpointDetailsError, isError } from "@/resources/MonitoringEndpoint";
@@ -10,6 +10,8 @@ import { emptyEndpointDetails } from "@/components/monitoring/endpoints";
 import { useMemoize } from "@vueuse/core";
 import useConnectionsAndStatsAutoRefresh from "@/composables/useConnectionsAndStatsAutoRefresh";
 import monitoringClient from "@/components/monitoring/monitoringClient";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 export const useMonitoringEndpointDetailsStore = defineStore("MonitoringEndpointDetailsStore", () => {
   const historyPeriodStore = useMonitoringHistoryPeriodStore();
@@ -43,6 +45,9 @@ export const useMonitoringEndpointDetailsStore = defineStore("MonitoringEndpoint
   const messageTypesUpdatedSet = ref<MessageType[]>([]);
   const negativeCriticalTimeIsPresent = ref<boolean>(false);
 
+  const { canCall } = useAllowedRoutes();
+  const canDeleteMonitoredEndpoint = computed(() => canCall(ApiRoutes.deleteMonitoredEndpoint));
+
   async function getEndpointDetails(name: string) {
     const { data, refresh } = getMemoisedEndpointDetails(name, historyPeriodStore.historyPeriod.pVal);
     if (!connectionStore.monitoringConnectionState.unableToConnect) await refresh();
@@ -115,6 +120,7 @@ export const useMonitoringEndpointDetailsStore = defineStore("MonitoringEndpoint
     messageTypesAvailable,
     messageTypesUpdatedSet,
     negativeCriticalTimeIsPresent,
+    canDeleteMonitoredEndpoint,
     updateMessageTypes,
     getEndpointDetails,
   };
diff --git a/src/Frontend/src/stores/RedirectsStore.ts b/src/Frontend/src/stores/RedirectsStore.ts
index 4c7d36499..1cc7dcc5f 100644
--- a/src/Frontend/src/stores/RedirectsStore.ts
+++ b/src/Frontend/src/stores/RedirectsStore.ts
@@ -1,10 +1,12 @@
 import type Redirect from "@/resources/Redirect";
 import type QueueAddress from "@/resources/QueueAddress";
 import { acceptHMRUpdate, defineStore } from "pinia";
-import { reactive } from "vue";
+import { computed, reactive } from "vue";
 import serviceControlClient from "@/components/serviceControlClient";
 import useEnvironmentAndVersionsAutoRefresh from "@/composables/useEnvironmentAndVersionsAutoRefresh";
 import type { RetryRedirect } from "@/components/configuration/RetryRedirectEdit.vue";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 export interface Redirects {
   data: Redirect[];
@@ -22,6 +24,9 @@ export const useRedirectsStore = defineStore("RedirectsStore", () => {
   const { store: environmentStore } = useEnvironmentAndVersionsAutoRefresh();
   const hasResponseStatusInHeader = environmentStore.serviceControlIsGreaterThan("5.2.0");
 
+  const { canCall } = useAllowedRoutes();
+  const canManageRedirects = computed(() => canCall(ApiRoutes.manageRedirects));
+
   async function getKnownQueues() {
     const [, data] = await serviceControlClient.fetchTypedFromServiceControl<QueueAddress[]>("errors/queues/addresses");
     redirects.queues = data.map((x) => x.physical_address);
@@ -79,7 +84,7 @@ export const useRedirectsStore = defineStore("RedirectsStore", () => {
     };
   }
 
-  return { refresh, redirects, retryPendingMessagesForQueue, createRedirect, updateRedirect, deleteRedirect };
+  return { refresh, redirects, canManageRedirects, retryPendingMessagesForQueue, createRedirect, updateRedirect, deleteRedirect };
 });
 
 if (import.meta.hot) {

From 160813f46a7bfc22e1bbc4f88d732166f4cd46eb Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 16:24:04 +0200
Subject: [PATCH 20/25] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Gate=20list/local-st?=
 =?UTF-8?q?ate=20actions=20on=20allowed=20routes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../customchecks/CustomCheckView.vue          |  9 ++---
 .../failedmessages/DeletedMessageGroups.vue   |  7 ++--
 .../failedmessages/DeletedMessages.vue        |  7 ++--
 .../failedmessages/FailedMessages.vue         | 13 +++----
 .../failedmessages/MessageGroupList.vue       |  9 ++---
 .../messageGroupButtonPermissions.spec.ts     | 35 +++++++++++--------
 6 files changed, 46 insertions(+), 34 deletions(-)

diff --git a/src/Frontend/src/components/customchecks/CustomCheckView.vue b/src/Frontend/src/components/customchecks/CustomCheckView.vue
index 14a3ac0b8..038576823 100644
--- a/src/Frontend/src/components/customchecks/CustomCheckView.vue
+++ b/src/Frontend/src/components/customchecks/CustomCheckView.vue
@@ -8,15 +8,16 @@ import { faCheck, faList, faServer } from "@fortawesome/free-solid-svg-icons";
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import { hexToCSSFilter } from "hex-to-css-filter";
 import useCustomChecksStoreAutoRefresh from "@/composables/useCustomChecksStoreAutoRefresh";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
-defineProps<{ customCheck: CustomCheck }>();
+const props = defineProps<{ customCheck: CustomCheck }>();
 
 const { store } = useCustomChecksStoreAutoRefresh();
 const endpointColor = hexToCSSFilter("#929E9E").filter;
 
-const { can } = usePermissions();
-const canDismiss = computed(() => can("error:customchecks:delete"));
+const { canCall } = useAllowedRoutes();
+const canDismiss = computed(() => canCall(ApiRoutes.dismissCustomCheck, props.customCheck));
 const dismissDeniedTooltip = "You don't have permission to dismiss custom checks.";
 </script>
 
diff --git a/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue b/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue
index d78da3709..4d0a31355 100644
--- a/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue
+++ b/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue
@@ -12,7 +12,8 @@ import { TYPE } from "vue-toastification";
 import MetadataItem from "@/components/MetadataItem.vue";
 import ActionButton from "@/components/ActionButton.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 import { faArrowRotateRight, faEnvelope } from "@fortawesome/free-solid-svg-icons";
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import { useDeletedMessageGroupsStore, statusesForRestoreOperation, type ExtendedFailureGroupView, type Status } from "@/stores/DeletedMessageGroupsStore";
@@ -28,10 +29,10 @@ const { store } = autoRefresh();
 const { archiveGroups, classifiers, selectedClassifier } = storeToRefs(store);
 const router = useRouter();
 
-const { can } = usePermissions();
+const { canCall } = useAllowedRoutes();
 // Restoring a deleted group is an unarchive; keep the button visible but disabled with a
 // tooltip when the user lacks the permission, instead of silently failing server-side.
-const canRestoreGroups = computed(() => can("error:recoverabilitygroups:unarchive"));
+const canRestoreGroups = computed(() => canCall(ApiRoutes.restoreGroup));
 const restoreDeniedTooltip = "You don't have permission to restore message groups.";
 
 const showRestoreGroupModal = ref(false);
diff --git a/src/Frontend/src/components/failedmessages/DeletedMessages.vue b/src/Frontend/src/components/failedmessages/DeletedMessages.vue
index 59060ccdd..11bc5ae1b 100644
--- a/src/Frontend/src/components/failedmessages/DeletedMessages.vue
+++ b/src/Frontend/src/components/failedmessages/DeletedMessages.vue
@@ -11,7 +11,8 @@ import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { TYPE } from "vue-toastification";
 import FAIcon from "@/components/FAIcon.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 import { faArrowRotateRight } from "@fortawesome/free-solid-svg-icons";
 import { storeToRefs } from "pinia";
 import { useStoreAutoRefresh } from "@/composables/useAutoRefresh";
@@ -29,10 +30,10 @@ const { messages, groupId, groupName, totalCount, pageNumber, selectedPeriod } =
 const showConfirmRestore = ref(false);
 const messageList = ref<IMessageList | undefined>();
 
-const { can } = usePermissions();
+const { canCall } = useAllowedRoutes();
 // Restoring messages is an unarchive; keep the button visible but disabled with a tooltip
 // when the user lacks the permission, instead of silently failing server-side.
-const canRestoreMessages = computed(() => can("error:messages:unarchive"));
+const canRestoreMessages = computed(() => canCall(ApiRoutes.restoreMessage));
 const restoreDeniedTooltip = "You don't have permission to restore messages.";
 
 function numberSelected() {
diff --git a/src/Frontend/src/components/failedmessages/FailedMessages.vue b/src/Frontend/src/components/failedmessages/FailedMessages.vue
index 1a38bf666..1277f865b 100644
--- a/src/Frontend/src/components/failedmessages/FailedMessages.vue
+++ b/src/Frontend/src/components/failedmessages/FailedMessages.vue
@@ -17,7 +17,8 @@ import type GroupOperation from "@/resources/GroupOperation";
 import { faArrowDownAZ, faArrowDownZA, faArrowDownShortWide, faArrowDownWideShort, faArrowRotateRight, faTrash, faDownload } from "@fortawesome/free-solid-svg-icons";
 import ActionButton from "@/components/ActionButton.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 import { useMessageStore } from "@/stores/MessageStore";
 import { useRecoverabilityStore } from "@/stores/RecoverabilityStore";
 import { useStoreAutoRefresh } from "@/composables/useAutoRefresh";
@@ -34,13 +35,13 @@ const { autoRefresh, isRefreshing, updateInterval } = useStoreAutoRefresh("recov
 const { store } = autoRefresh();
 const { messages, groupId, groupName, totalCount, pageNumber } = storeToRefs(store);
 
-const { can } = usePermissions();
+const { canCall } = useAllowedRoutes();
 // Keep the toolbar actions visible but disabled (with a tooltip) when the user lacks the
 // permission, so the capability stays discoverable and clicks don't silently fail server-side.
-const canRetryMessages = computed(() => can("error:messages:retry"));
-const canDeleteMessages = computed(() => can("error:messages:archive"));
-const canRetryGroup = computed(() => can("error:recoverabilitygroups:retry"));
-const canDeleteGroup = computed(() => can("error:recoverabilitygroups:archive"));
+const canRetryMessages = computed(() => canCall(ApiRoutes.retryMessage));
+const canDeleteMessages = computed(() => canCall(ApiRoutes.deleteMessage));
+const canRetryGroup = computed(() => canCall(ApiRoutes.retryGroup));
+const canDeleteGroup = computed(() => canCall(ApiRoutes.deleteGroup));
 const retryDeniedTooltip = "You don't have permission to retry messages.";
 const deleteDeniedTooltip = "You don't have permission to delete messages.";
 const retryAllDeniedTooltip = "You don't have permission to retry message groups.";
diff --git a/src/Frontend/src/components/failedmessages/MessageGroupList.vue b/src/Frontend/src/components/failedmessages/MessageGroupList.vue
index fcbc60572..977bbaf75 100644
--- a/src/Frontend/src/components/failedmessages/MessageGroupList.vue
+++ b/src/Frontend/src/components/failedmessages/MessageGroupList.vue
@@ -16,13 +16,14 @@ import { faClock } from "@fortawesome/free-regular-svg-icons";
 import ProgressMessage from "./ProgressMessage.vue";
 import ActionButton from "@/components/ActionButton.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
-const { can } = usePermissions();
+const { canCall } = useAllowedRoutes();
 // Group-level actions are gated on the recoverabilitygroups permissions. When the user
 // lacks them the buttons stay visible but disabled, with a tooltip explaining why.
-const canRetryGroups = computed(() => can("error:recoverabilitygroups:retry"));
-const canDeleteGroups = computed(() => can("error:recoverabilitygroups:archive"));
+const canRetryGroups = computed(() => canCall(ApiRoutes.retryGroup));
+const canDeleteGroups = computed(() => canCall(ApiRoutes.deleteGroup));
 const retryDeniedTooltip = "You don't have permission to request a retry for message groups.";
 const deleteDeniedTooltip = "You don't have permission to delete message groups.";
 
diff --git a/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts b/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
index 3f2741f30..e857f2052 100644
--- a/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
+++ b/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
@@ -5,12 +5,15 @@ import { defineComponent, h, nextTick, ref } from "vue";
 import { createRouter, createMemoryHistory } from "vue-router";
 import type GroupOperation from "@/resources/GroupOperation";
 import MessageGroupList, { type IMessageGroupList } from "@/components/failedmessages/MessageGroupList.vue";
+import type { ManifestEntry } from "@/stores/AllowedRoutesStore";
+import { ApiRoutes } from "@/composables/apiRoutes";
+import { normalizeRouteKey } from "@/composables/routeMatching";
 
-// The group-level Retry/Delete actions are gated on the recoverabilitygroups permissions.
+// The group-level Retry/Delete actions are gated on the recoverabilitygroups allowed routes.
 // Unlike the per-message buttons (which hide), these stay VISIBLE but DISABLED when the
-// permission is missing, with a tooltip explaining why, so it's clear the action exists.
-const RETRY_PERMISSION = "error:recoverabilitygroups:retry";
-const DELETE_PERMISSION = "error:recoverabilitygroups:archive";
+// route is missing, with a tooltip explaining why, so it's clear the action exists.
+const RETRY_ROUTE_KEY = normalizeRouteKey(ApiRoutes.retryGroup.method, ApiRoutes.retryGroup.path);
+const DELETE_ROUTE_KEY = normalizeRouteKey(ApiRoutes.deleteGroup.method, ApiRoutes.deleteGroup.path);
 
 const group: GroupOperation = {
   id: "group-1",
@@ -30,7 +33,11 @@ vi.mock("@/components/failedmessages/messageGroupClient", () => ({
   }),
 }));
 
-async function renderGroupList(permissions: string[]) {
+function makeRoutes(keys: string[]): Map<string, ManifestEntry> {
+  return new Map(keys.map((k) => [k, { method: "", urlTemplate: "" }]));
+}
+
+async function renderGroupList(allowedRouteKeys: string[]) {
   const listRef = ref<IMessageGroupList>();
 
   const Harness = defineComponent({
@@ -49,7 +56,7 @@ async function renderGroupList(permissions: string[]) {
           stubActions: true,
           initialState: {
             auth: { authEnabled: true, isAuthenticated: true },
-            PermissionsStore: { permissions: new Set(permissions), loaded: true, loadAttempted: true },
+            AllowedRoutesStore: { routes: makeRoutes(allowedRouteKeys), loaded: true, loadAttempted: true },
           },
         }),
       ],
@@ -72,25 +79,25 @@ describe("failed-message group action button permissions", () => {
     document.body.innerHTML = '<div id="modalDisplay"></div>';
   });
 
-  test("Request retry is enabled when its permission is granted", async () => {
-    await renderGroupList([RETRY_PERMISSION, DELETE_PERMISSION]);
+  test("Request retry is enabled when its route is allowed", async () => {
+    await renderGroupList([RETRY_ROUTE_KEY, DELETE_ROUTE_KEY]);
     expect(button(/Request retry/i)?.disabled).toBe(false);
   });
 
-  test("Request retry stays visible but disabled when its permission is denied", async () => {
-    await renderGroupList([DELETE_PERMISSION]);
+  test("Request retry stays visible but disabled when its route is not allowed", async () => {
+    await renderGroupList([DELETE_ROUTE_KEY]);
     const retry = button(/Request retry/i);
     expect(retry).not.toBeNull();
     expect(retry?.disabled).toBe(true);
   });
 
-  test("Delete group is enabled when its permission is granted", async () => {
-    await renderGroupList([RETRY_PERMISSION, DELETE_PERMISSION]);
+  test("Delete group is enabled when its route is allowed", async () => {
+    await renderGroupList([RETRY_ROUTE_KEY, DELETE_ROUTE_KEY]);
     expect(button(/Delete group/i)?.disabled).toBe(false);
   });
 
-  test("Delete group stays visible but disabled when its permission is denied", async () => {
-    await renderGroupList([RETRY_PERMISSION]);
+  test("Delete group stays visible but disabled when its route is not allowed", async () => {
+    await renderGroupList([RETRY_ROUTE_KEY]);
     const del = button(/Delete group/i);
     expect(del).not.toBeNull();
     expect(del?.disabled).toBe(true);

From 05aad55f897db17c062e57c3d2288bfb622fb96a Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 16:28:46 +0200
Subject: [PATCH 21/25] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Render=20User=20Perm?=
 =?UTF-8?q?issions=20page=20as=20a=20route-derived=20capability=20list?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../configuration/UserPermissions.vue         | 322 ++++++++----------
 1 file changed, 136 insertions(+), 186 deletions(-)

diff --git a/src/Frontend/src/components/configuration/UserPermissions.vue b/src/Frontend/src/components/configuration/UserPermissions.vue
index 6e2214f66..6763ff768 100644
--- a/src/Frontend/src/components/configuration/UserPermissions.vue
+++ b/src/Frontend/src/components/configuration/UserPermissions.vue
@@ -1,208 +1,156 @@
 <script setup lang="ts">
-import { computed, onMounted } from "vue";
-import { storeToRefs } from "pinia";
-import { faCheck } from "@fortawesome/free-solid-svg-icons";
+import { computed } from "vue";
+import { faCheck, faXmark } from "@fortawesome/free-solid-svg-icons";
 import FAIcon from "@/components/FAIcon.vue";
-import { usePermissionsStore } from "@/stores/PermissionsStore";
-import { usePermissions } from "@/composables/usePermissions";
-
-const store = usePermissionsStore();
-const { user, permissions, loadAttempted } = storeToRefs(store);
-const { fetchDescriptor } = usePermissions();
-
-// Permission strings are "instance:resource:action" (e.g. error:messages:retry).
-// We render one table per instance (Error/Audit/Monitoring), feature per row, action per
-// column, with a checkmark where the action is granted. All tables share the SAME columns
-// (ordered so the most widely shared actions come first: View, Delete, then the rest), so
-// the columns line up across instances. A column only shows its header label and checks for
-// instances that actually use it; otherwise it stays blank, keeping every table the same
-// width. Features and instances with no granted permission are omitted.
-const INSTANCE_ORDER = ["error", "audit", "monitoring"];
-const INSTANCE_LABELS: Record<string, string> = { error: "Error", audit: "Audit", monitoring: "Monitoring" };
-// Only the multi-word resources need a label; the rest are capitalized.
-const RESOURCE_LABELS: Record<string, string> = {
-  customchecks: "Custom checks",
-  recoverabilitygroups: "Recoverability groups",
-  eventlog: "Event log",
-};
-const ACTION_LABELS: Record<string, string> = {};
-const ACTION_ORDER = ["view", "retry", "edit", "archive", "unarchive", "manage", "test", "delete"];
-
-function label(code: string, overrides: Record<string, string>): string {
-  return overrides[code] ?? code.charAt(0).toUpperCase() + code.slice(1);
-}
-
-function rank(code: string, order: string[]): number {
-  const index = order.indexOf(code);
-  return index === -1 ? order.length : index;
-}
-
-interface Column {
-  action: string;
-  label: string;
-}
-interface FeatureRow {
-  resource: string;
-  label: string;
-  actions: Set<string>;
-  permissions: string[];
-}
-interface InstanceGroup {
-  instance: string;
-  label: string;
-  used: Set<string>;
-  features: FeatureRow[];
-}
-interface PermissionView {
-  columns: Column[];
-  instances: InstanceGroup[];
-}
-
-const view = computed<PermissionView>(() => {
-  const byInstance = new Map<string, Map<string, Set<string>>>();
-  const actionInstances = new Map<string, Set<string>>();
-
-  for (const permission of permissions.value) {
-    const [instance, resource, action] = permission.split(":");
-    if (!instance || !resource || !action) continue;
-
-    let features = byInstance.get(instance);
-    if (!features) {
-      features = new Map();
-      byInstance.set(instance, features);
-    }
-    let actions = features.get(resource);
-    if (!actions) {
-      actions = new Set();
-      features.set(resource, actions);
-    }
-    actions.add(action);
-
-    let instancesWithAction = actionInstances.get(action);
-    if (!instancesWithAction) {
-      instancesWithAction = new Set();
-      actionInstances.set(action, instancesWithAction);
-    }
-    instancesWithAction.add(instance);
-  }
-
-  // Shared columns, most widely shared first, so they align across the instance tables.
-  const columns = [...actionInstances.entries()]
-    .sort(([actionA, instancesA], [actionB, instancesB]) => instancesB.size - instancesA.size || rank(actionA, ACTION_ORDER) - rank(actionB, ACTION_ORDER) || actionA.localeCompare(actionB))
-    .map(([action]) => ({ action, label: label(action, ACTION_LABELS) }));
-
-  const instances = [...byInstance.entries()]
-    .sort(([a], [b]) => rank(a, INSTANCE_ORDER) - rank(b, INSTANCE_ORDER) || a.localeCompare(b))
-    .map(([instance, features]) => {
-      const used = new Set<string>();
-      for (const featureActions of features.values()) {
-        for (const action of featureActions) used.add(action);
-      }
-      const featureRows = [...features.entries()]
-        .map(([resource, featureActions]) => ({
-          resource,
-          label: label(resource, RESOURCE_LABELS),
-          actions: featureActions,
-          // The full permission strings the user holds for this feature, shown on hover.
-          permissions: [...featureActions].sort((a, b) => rank(a, ACTION_ORDER) - rank(b, ACTION_ORDER) || a.localeCompare(b)).map((action) => `${instance}:${resource}:${action}`),
-        }))
-        .sort((a, b) => a.label.localeCompare(b.label));
-      return { instance, label: label(instance, INSTANCE_LABELS), used, features: featureRows };
-    });
-
-  return { columns, instances };
-});
-
-onMounted(() => {
-  // Normally already loaded at app start; ensures the page works on direct navigation.
-  fetchDescriptor();
-});
+import { ApiRoutes } from "@/composables/apiRoutes";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+
+const { canCall } = useAllowedRoutes();
+
+// Static capability groupings: each area lists the API routes the user may or may not be able to call.
+// Permissions are derived at render time from canCall — no permission strings are involved.
+const groups = [
+  {
+    area: "Failed messages",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewFailedMessages },
+      { label: "Retry", ref: ApiRoutes.retryMessage },
+      { label: "Edit", ref: ApiRoutes.editMessage },
+      { label: "Delete", ref: ApiRoutes.deleteMessage },
+      { label: "Restore", ref: ApiRoutes.restoreMessage },
+    ],
+  },
+  {
+    area: "Recoverability groups",
+    caps: [
+      { label: "Retry group", ref: ApiRoutes.retryGroup },
+      { label: "Delete group", ref: ApiRoutes.deleteGroup },
+      { label: "Restore group", ref: ApiRoutes.restoreGroup },
+    ],
+  },
+  {
+    area: "Audit",
+    caps: [{ label: "View", ref: ApiRoutes.viewAuditMessages }],
+  },
+  {
+    area: "Monitoring",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewMonitoredEndpoints },
+      { label: "Remove endpoint", ref: ApiRoutes.deleteMonitoredEndpoint },
+    ],
+  },
+  {
+    area: "Custom checks",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewCustomChecks },
+      { label: "Dismiss", ref: ApiRoutes.dismissCustomCheck },
+    ],
+  },
+  {
+    area: "Event log",
+    caps: [{ label: "View", ref: ApiRoutes.viewEventLog }],
+  },
+  {
+    area: "Configuration — License",
+    caps: [{ label: "View", ref: ApiRoutes.viewLicense }],
+  },
+  {
+    area: "Configuration — Connections",
+    caps: [{ label: "View", ref: ApiRoutes.viewConnections }],
+  },
+  {
+    area: "Configuration — Notifications",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewNotifications },
+      { label: "Manage", ref: ApiRoutes.manageNotifications },
+      { label: "Test", ref: ApiRoutes.testNotifications },
+    ],
+  },
+  {
+    area: "Configuration — Redirects",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewRedirects },
+      { label: "Manage", ref: ApiRoutes.manageRedirects },
+    ],
+  },
+  {
+    area: "Configuration — Endpoints",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewEndpoints },
+      { label: "View heartbeats", ref: ApiRoutes.viewHeartbeats },
+      { label: "Remove instance", ref: ApiRoutes.deleteEndpointInstance },
+    ],
+  },
+  {
+    area: "Configuration — Throughput",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewThroughput },
+      { label: "Manage", ref: ApiRoutes.manageThroughput },
+    ],
+  },
+];
+
+const rows = computed(() =>
+  groups.map((g) => ({
+    area: g.area,
+    caps: g.caps.map((c) => ({ label: c.label, granted: canCall(c.ref) })),
+  }))
+);
 </script>
 
 <template>
   <section name="user-permissions">
     <div class="box">
       <h3>Your permissions</h3>
-      <p class="user-label">{{ user || "Unknown user" }}</p>
 
-      <template v-if="view.instances.length">
-        <section v-for="group in view.instances" :key="group.instance" class="instance">
-          <h4 class="instance-title">{{ group.label }}</h4>
-          <div class="table-scroll">
-            <table class="permissions-table">
-              <colgroup>
-                <col class="feature-col-width" />
-                <col v-for="column in view.columns" :key="column.action" class="action-col-width" />
-              </colgroup>
-              <thead>
-                <tr>
-                  <th scope="col" class="feature-col">Feature</th>
-                  <th scope="col" v-for="column in view.columns" :key="column.action">
-                    <span v-if="group.used.has(column.action)">{{ column.label }}</span>
-                  </th>
-                </tr>
-              </thead>
-              <tbody>
-                <tr v-for="feature in group.features" :key="feature.resource">
-                  <td class="feature-col" v-tippy="{ content: feature.permissions.join('<br>'), allowHTML: true }">{{ feature.label }}</td>
-                  <td v-for="column in view.columns" :key="column.action">
-                    <FAIcon v-if="feature.actions.has(column.action)" :icon="faCheck" class="check" :aria-label="`${feature.label} ${column.label} allowed`" />
-                  </td>
-                </tr>
-              </tbody>
-            </table>
-          </div>
-        </section>
-      </template>
-
-      <p v-else-if="loadAttempted" class="empty">No permissions are granted to this user.</p>
+      <table class="permissions-table">
+        <thead>
+          <tr>
+            <th scope="col" class="area-col">Area</th>
+            <th scope="col" class="cap-col">Capability</th>
+            <th scope="col" class="status-col">Allowed</th>
+          </tr>
+        </thead>
+        <tbody>
+          <template v-for="row in rows" :key="row.area">
+            <tr v-for="(cap, idx) in row.caps" :key="cap.label" class="cap-row">
+              <td v-if="idx === 0" :rowspan="row.caps.length" class="area-col area-cell">{{ row.area }}</td>
+              <td class="cap-col">{{ cap.label }}</td>
+              <td class="status-col">
+                <FAIcon v-if="cap.granted" :icon="faCheck" class="check" aria-label="Allowed" />
+                <FAIcon v-else :icon="faXmark" class="deny" aria-label="Not allowed" />
+              </td>
+            </tr>
+          </template>
+        </tbody>
+      </table>
     </div>
   </section>
 </template>
 
 <style scoped>
-.user-label {
-  color: #6c757d;
-  margin-bottom: 28px;
-}
-
-.instance {
-  margin-bottom: 32px;
-}
-.instance:last-child {
-  margin-bottom: 0;
-}
-
-.instance-title {
-  font-size: 16px;
-  font-weight: 600;
-  color: #2a2a2a;
-  margin: 0 0 8px;
-}
-
-.table-scroll {
-  overflow-x: auto;
-}
-
 .permissions-table {
   border-collapse: collapse;
   table-layout: fixed;
+  width: auto;
+}
+
+.area-col {
+  width: 260px;
 }
 
-.feature-col-width {
-  width: 220px;
+.cap-col {
+  width: 200px;
 }
 
-/* Fixed, compact action columns so the table shrinks to fit and stays left-aligned;
-   a view-only user sees just "Feature | View" together instead of a stretched column. */
-.action-col-width {
+.status-col {
   width: 90px;
+  text-align: center;
 }
 
 .permissions-table th,
 .permissions-table td {
   padding: 8px 12px;
-  text-align: center;
   font-size: 14px;
   border-bottom: 1px solid #f0f0f0;
 }
@@ -212,23 +160,25 @@ onMounted(() => {
   color: #6c757d;
   border-bottom: 2px solid #e9ecef;
   white-space: nowrap;
+  text-align: left;
 }
 
-/* More specific than the generic ".permissions-table td { text-align: center }" so the
-   feature names actually left-align. */
-.permissions-table th.feature-col,
-.permissions-table td.feature-col {
-  text-align: left;
+.permissions-table thead th.status-col {
+  text-align: center;
 }
 
-td.feature-col {
+.area-cell {
   font-weight: 600;
   color: #2a2a2a;
-  /* Hover shows the exact permission strings held for this feature. */
-  cursor: help;
+  vertical-align: top;
+  padding-top: 10px;
 }
 
 .check {
   color: #28a745;
 }
+
+.deny {
+  color: #dc3545;
+}
 </style>

From 480c5b5dedb702afe69ba82987f7fe54ab9b1dbc Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 16:32:31 +0200
Subject: [PATCH 22/25] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Remove=20permission-?=
 =?UTF-8?q?string=20gating=20model?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../composables/permissionMatching.spec.ts    |  55 ------
 .../src/composables/permissionMatching.ts     |  52 ------
 .../src/composables/scope-vectors.json        |  20 ---
 .../src/composables/usePermissions.spec.ts    | 163 ------------------
 .../src/composables/usePermissions.ts         |  42 -----
 src/Frontend/src/stores/PermissionsStore.ts   |  72 --------
 6 files changed, 404 deletions(-)
 delete mode 100644 src/Frontend/src/composables/permissionMatching.spec.ts
 delete mode 100644 src/Frontend/src/composables/permissionMatching.ts
 delete mode 100644 src/Frontend/src/composables/scope-vectors.json
 delete mode 100644 src/Frontend/src/composables/usePermissions.spec.ts
 delete mode 100644 src/Frontend/src/composables/usePermissions.ts
 delete mode 100644 src/Frontend/src/stores/PermissionsStore.ts

diff --git a/src/Frontend/src/composables/permissionMatching.spec.ts b/src/Frontend/src/composables/permissionMatching.spec.ts
deleted file mode 100644
index 7b175aafe..000000000
--- a/src/Frontend/src/composables/permissionMatching.spec.ts
+++ /dev/null
@@ -1,55 +0,0 @@
-import { describe, test, expect } from "vitest";
-import { matchesPattern, entryPermits, type PermissionEntry } from "@/composables/permissionMatching";
-import scopeVectors from "@/composables/scope-vectors.json";
-
-describe("permissionMatching", () => {
-  // Shared vectors: these MUST produce the same result in the ServiceControl
-  // ResourceScope/FilterByQueueScope tests. entryPermits with a resource is the
-  // frontend equivalent of the server's ResourceScope.Permits.
-  describe("scope-vectors.json (shared with ServiceControl)", () => {
-    test.each(scopeVectors.vectors)("$name", ({ allow, deny, resource, permits }) => {
-      const entry: PermissionEntry = { permission: "messages:view", scope: { allow, deny } };
-      expect(entryPermits(entry, resource)).toBe(permits);
-    });
-  });
-
-  describe("matchesPattern", () => {
-    test("universal wildcard matches everything", () => {
-      expect(matchesPattern("*", "anything")).toBe(true);
-    });
-
-    test("prefix crosses dots but excludes the bare prefix", () => {
-      expect(matchesPattern("sales.*", "sales.orders.eu")).toBe(true);
-      expect(matchesPattern("sales.*", "sales")).toBe(false);
-    });
-
-    test("is case-insensitive on both sides", () => {
-      expect(matchesPattern("Sales.Orders", "sales.orders")).toBe(true);
-      expect(matchesPattern("SALES.*", "sales.orders")).toBe(true);
-    });
-  });
-
-  describe("entryPermits scope semantics", () => {
-    test("null scope is unrestricted for any resource", () => {
-      const entry: PermissionEntry = { permission: "messages:retry", scope: null };
-      expect(entryPermits(entry, "anything")).toBe(true);
-    });
-
-    test("null scope passes the verb-level check", () => {
-      const entry: PermissionEntry = { permission: "messages:retry", scope: null };
-      expect(entryPermits(entry)).toBe(true);
-    });
-
-    test("verb-level check (no resource) passes for a scoped entry", () => {
-      // Holding the permission for *some* scope counts at the verb level.
-      const entry: PermissionEntry = { permission: "messages:retry", scope: { allow: ["sales.*"], deny: [] } };
-      expect(entryPermits(entry)).toBe(true);
-    });
-
-    test("resource-level check enforces the scope", () => {
-      const entry: PermissionEntry = { permission: "messages:retry", scope: { allow: ["sales.*"], deny: [] } };
-      expect(entryPermits(entry, "sales.orders")).toBe(true);
-      expect(entryPermits(entry, "finance.invoicing")).toBe(false);
-    });
-  });
-});
diff --git a/src/Frontend/src/composables/permissionMatching.ts b/src/Frontend/src/composables/permissionMatching.ts
deleted file mode 100644
index 4a5918c65..000000000
--- a/src/Frontend/src/composables/permissionMatching.ts
+++ /dev/null
@@ -1,52 +0,0 @@
-// DORMANT — not currently wired into the UI. ServiceControl does not yet expose
-// per-resource (per-queue) scopes; today's my/permissions/all returns a flat list of
-// permission strings (see usePermissions/PermissionsStore). This module is kept ready
-// for when the backend gains allow/deny scopes, at which point a PermissionEntry will
-// carry a ScopeDescriptor and can(permission, resource) can enforce it.
-
-// A scope's allow/deny resource patterns. null (on an entry) means unrestricted.
-export interface ScopeDescriptor {
-  allow: string[];
-  deny: string[];
-}
-
-// A single scoped permission grant (the future descriptor entry shape).
-export interface PermissionEntry {
-  permission: string;
-  scope: ScopeDescriptor | null;
-}
-
-// Resource-scope pattern matching. This MUST stay in lockstep with the
-// ServiceControl server-side rules: `ResourceScope.Matches` (C#) and
-// `FilterByQueueScope` (RavenDB query translation). The shared behaviour is
-// pinned by scope-vectors.json, which both this suite and the ServiceControl
-// test suite consume.
-//
-// Patterns:
-//   "*"        matches everything
-//   "prefix.*" prefix match crossing dots: "sales.*" matches "sales.orders"
-//              and "sales.secret.payroll", but NOT bare "sales"
-//   exact      case-insensitive equality
-//
-// Matching is case-insensitive: the server lowercases both sides (queue
-// addresses are stored lowercased in the index), so we do the same here.
-export function matchesPattern(pattern: string, resource: string): boolean {
-  const p = pattern.toLowerCase();
-  const r = resource.toLowerCase();
-  if (p === "*") return true;
-  if (p === r) return true;
-  if (p.endsWith(".*")) return r.startsWith(p.slice(0, -1)); // "sales.*" -> "sales."
-  return false;
-}
-
-// Whether a single permission entry permits access.
-//   scope null          -> unrestricted (any resource; verb-level true)
-//   resource undefined  -> verb-level check: holding the permission counts
-//   resource provided   -> allow AND NOT deny, deny wins
-export function entryPermits(entry: PermissionEntry, resource?: string): boolean {
-  if (entry.scope === null) return true;
-  if (resource === undefined) return true;
-  const allowed = entry.scope.allow.some((pattern) => matchesPattern(pattern, resource));
-  const denied = entry.scope.deny.some((pattern) => matchesPattern(pattern, resource));
-  return allowed && !denied;
-}
diff --git a/src/Frontend/src/composables/scope-vectors.json b/src/Frontend/src/composables/scope-vectors.json
deleted file mode 100644
index 29e0788b2..000000000
--- a/src/Frontend/src/composables/scope-vectors.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "description": "Shared resource-scope test vectors. Consumed by ServicePulse (permissionMatching.spec.ts) and, later, by ServiceControl (ResourceScope/FilterByQueueScope tests) so all implementations of the matcher agree. permits = does scope {allow,deny} permit `resource`.",
-  "vectors": [
-    { "name": "exact allow matches", "allow": ["sales.orders"], "deny": [], "resource": "sales.orders", "permits": true },
-    { "name": "exact allow does not match other", "allow": ["sales.orders"], "deny": [], "resource": "finance.invoicing", "permits": false },
-    { "name": "prefix matches child", "allow": ["sales.*"], "deny": [], "resource": "sales.orders", "permits": true },
-    { "name": "prefix matches deeper child", "allow": ["sales.*"], "deny": [], "resource": "sales.secret.payroll", "permits": true },
-    { "name": "prefix does not match bare prefix", "allow": ["sales.*"], "deny": [], "resource": "sales", "permits": false },
-    { "name": "universal wildcard matches anything", "allow": ["*"], "deny": [], "resource": "anything.at.all", "permits": true },
-    { "name": "empty allow denies everything", "allow": [], "deny": [], "resource": "sales.orders", "permits": false },
-    { "name": "deny prefix wins over allow wildcard", "allow": ["*"], "deny": ["finance.*"], "resource": "finance.accounts", "permits": false },
-    { "name": "deny exact denies only exact", "allow": ["*"], "deny": ["finance"], "resource": "finance.payroll", "permits": true },
-    { "name": "deny exact matches exact", "allow": ["*"], "deny": ["finance"], "resource": "finance", "permits": false },
-    { "name": "carve-out: allow prefix, deny sub-prefix (public allowed)", "allow": ["sales.*"], "deny": ["sales.secret.*"], "resource": "sales.public.orders", "permits": true },
-    { "name": "carve-out: allow prefix, deny sub-prefix (secret denied)", "allow": ["sales.*"], "deny": ["sales.secret.*"], "resource": "sales.secret.data", "permits": false },
-    { "name": "case-insensitive prefix pattern", "allow": ["Sales.*"], "deny": [], "resource": "sales.orders", "permits": true },
-    { "name": "case-insensitive exact pattern", "allow": ["Finance.Payroll"], "deny": [], "resource": "finance.payroll", "permits": true },
-    { "name": "case-insensitive deny pattern", "allow": ["*"], "deny": ["Finance.*"], "resource": "finance.accounts", "permits": false }
-  ]
-}
diff --git a/src/Frontend/src/composables/usePermissions.spec.ts b/src/Frontend/src/composables/usePermissions.spec.ts
deleted file mode 100644
index 35e6bf73f..000000000
--- a/src/Frontend/src/composables/usePermissions.spec.ts
+++ /dev/null
@@ -1,163 +0,0 @@
-import { describe, test, expect, beforeEach, vi } from "vitest";
-import { createTestingPinia } from "@pinia/testing";
-import { setActivePinia } from "pinia";
-
-vi.mock("@/components/serviceControlClient", () => ({
-  default: { fetchFromServiceControl: vi.fn() },
-}));
-
-import serviceControlClient from "@/components/serviceControlClient";
-import logger from "@/logger";
-import { usePermissions } from "@/composables/usePermissions";
-import { usePermissionsStore } from "@/stores/PermissionsStore";
-import { useAuthStore } from "@/stores/AuthStore";
-
-const fetchFromServiceControl = vi.mocked(serviceControlClient.fetchFromServiceControl);
-
-// Minimal Response-like stub for the bits the composable reads.
-function response(status: number, body?: unknown): Response {
-  return {
-    ok: status >= 200 && status < 300,
-    status,
-    statusText: `status ${status}`,
-    json: () => Promise.resolve(body),
-  } as Response;
-}
-
-function withState(opts: { authEnabled: boolean; isAuthenticated: boolean; permissions: string[] | null }) {
-  const auth = useAuthStore();
-  auth.authEnabled = opts.authEnabled;
-  auth.isAuthenticated = opts.isAuthenticated;
-  if (opts.permissions !== null) {
-    usePermissionsStore().setDescriptor({ user: "alice", permissions: opts.permissions });
-  }
-  return usePermissions();
-}
-
-describe("usePermissions", () => {
-  beforeEach(() => {
-    setActivePinia(createTestingPinia({ stubActions: false }));
-    fetchFromServiceControl.mockReset();
-  });
-
-  describe("can / canAny (fail-open gating)", () => {
-    test("fails open when authorization is disabled", () => {
-      const { can, shouldGate } = withState({ authEnabled: false, isAuthenticated: true, permissions: [] });
-      expect(shouldGate.value).toBe(false);
-      expect(can("error:messages:retry")).toBe(true);
-    });
-
-    test("fails open when the user is not authenticated", () => {
-      const { can } = withState({ authEnabled: true, isAuthenticated: false, permissions: [] });
-      expect(can("error:messages:retry")).toBe(true);
-    });
-
-    test("fails open until the descriptor has loaded", () => {
-      const { can } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      expect(can("error:messages:retry")).toBe(true);
-    });
-
-    test("gates per permission once enabled, authenticated and loaded", () => {
-      const { can, shouldGate } = withState({ authEnabled: true, isAuthenticated: true, permissions: ["error:messages:view"] });
-      expect(shouldGate.value).toBe(true);
-      expect(can("error:messages:view")).toBe(true);
-      expect(can("error:messages:retry")).toBe(false);
-    });
-
-    test("canAny is true when any permission is held", () => {
-      const { canAny } = withState({ authEnabled: true, isAuthenticated: true, permissions: ["error:redirects:view"] });
-      expect(canAny(["error:licensing:view", "error:redirects:view"])).toBe(true);
-      expect(canAny(["error:licensing:view", "error:notifications:view"])).toBe(false);
-    });
-  });
-
-  describe("ready (gate-on-ready)", () => {
-    test("ready immediately when authorization is disabled (nothing to gate)", () => {
-      const { ready } = withState({ authEnabled: false, isAuthenticated: true, permissions: null });
-      expect(ready.value).toBe(true);
-    });
-
-    test("not ready while authenticated and the fetch has not settled", () => {
-      const { ready } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      expect(ready.value).toBe(false);
-    });
-
-    test("ready after a successful fetch settles", async () => {
-      const { ready, fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      fetchFromServiceControl.mockResolvedValue(response(200, { user: "alice", permissions: [] }));
-
-      await fetchDescriptor();
-
-      expect(ready.value).toBe(true);
-    });
-
-    test("ready after a failed fetch settles, and can() then fails open", async () => {
-      vi.spyOn(logger, "warn").mockImplementation(() => {});
-      const { ready, can, fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      fetchFromServiceControl.mockResolvedValue(response(500));
-
-      await fetchDescriptor();
-
-      expect(ready.value).toBe(true);
-      expect(can("error:messages:view")).toBe(true); // fail-open: loaded never became true
-    });
-  });
-
-  describe("fetchDescriptor", () => {
-    test("200 fetches my/permissions/all and populates the store", async () => {
-      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      fetchFromServiceControl.mockResolvedValue(response(200, { user: "alice", permissions: ["error:messages:view"] }));
-
-      await fetchDescriptor();
-
-      expect(fetchFromServiceControl).toHaveBeenCalledWith("my/permissions/all");
-      const store = usePermissionsStore();
-      expect(store.loaded).toBe(true);
-      expect(store.permissions.has("error:messages:view")).toBe(true);
-    });
-
-    test("a non-OK response leaves the store intact and warns", async () => {
-      const warn = vi.spyOn(logger, "warn").mockImplementation(() => {});
-      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: ["error:messages:view"] });
-      fetchFromServiceControl.mockResolvedValue(response(401));
-
-      await fetchDescriptor();
-
-      expect(usePermissionsStore().permissions.has("error:messages:view")).toBe(true); // unchanged
-      expect(warn).toHaveBeenCalled();
-      warn.mockRestore();
-    });
-
-    test("a thrown request is logged and leaves the store intact", async () => {
-      const error = vi.spyOn(logger, "error").mockImplementation(() => {});
-      const failure = new Error("boom");
-      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      fetchFromServiceControl.mockRejectedValue(failure);
-
-      await fetchDescriptor();
-
-      expect(usePermissionsStore().loaded).toBe(false);
-      expect(error).toHaveBeenCalledWith("Error fetching permissions", failure);
-      error.mockRestore();
-    });
-
-    test("concurrent calls share a single in-flight request", async () => {
-      let resolveFetch: (value: Response) => void = () => {};
-      const pending = new Promise<Response>((resolve) => (resolveFetch = resolve));
-      fetchFromServiceControl.mockReturnValue(pending);
-
-      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      const first = fetchDescriptor();
-      const second = fetchDescriptor();
-
-      expect(fetchFromServiceControl).toHaveBeenCalledTimes(1);
-
-      resolveFetch(response(200, { user: "alice", permissions: [] }));
-      await Promise.all([first, second]);
-
-      // Slot released after settling, so a later call fetches again.
-      await fetchDescriptor();
-      expect(fetchFromServiceControl).toHaveBeenCalledTimes(2);
-    });
-  });
-});
diff --git a/src/Frontend/src/composables/usePermissions.ts b/src/Frontend/src/composables/usePermissions.ts
deleted file mode 100644
index f3de7f88d..000000000
--- a/src/Frontend/src/composables/usePermissions.ts
+++ /dev/null
@@ -1,42 +0,0 @@
-import { computed } from "vue";
-import { storeToRefs } from "pinia";
-import { usePermissionsStore } from "@/stores/PermissionsStore";
-import { useAuthStore } from "@/stores/AuthStore";
-
-// Permission-aware composable. Consumers (button v-ifs, nav filters) are UX-only: they
-// hide what the user cannot do. ServiceControl remains the real authority; the descriptor
-// the store holds is a cache of the effective permission set the server would enforce.
-//
-// Gating is fail-open: it only kicks in once authorization is enabled, the user is
-// authenticated and the descriptor has loaded. Otherwise everything is shown, so the UI
-// is unchanged for auth-disabled and older-ServiceControl deployments.
-export function usePermissions() {
-  const store = usePermissionsStore();
-  const { authEnabled, isAuthenticated } = storeToRefs(useAuthStore());
-
-  const shouldGate = computed(() => authEnabled.value && isAuthenticated.value && store.loaded);
-
-  // Whether gating decisions can be made: true when there is nothing to gate (auth off or
-  // user not authenticated) or once a fetch has settled. Consumers use this to hold UI until
-  // permissions are known (gate-on-ready), so items don't appear and then disappear.
-  const ready = computed(() => !(authEnabled.value && isAuthenticated.value) || store.loadAttempted);
-
-  // Fetch (or join an in-flight fetch of) the current user's permissions.
-  function fetchDescriptor(): Promise<void> {
-    return store.refresh();
-  }
-
-  // Whether the current user holds `permission` (e.g. "error:messages:retry").
-  // Fail-open until gating applies.
-  function can(permission: string): boolean {
-    return !shouldGate.value || store.permissions.has(permission);
-  }
-
-  // Whether the user holds ANY of the given permissions. Handy for showing a parent nav
-  // item when the user can reach at least one child.
-  function canAny(permissions: string[]): boolean {
-    return permissions.some((permission) => can(permission));
-  }
-
-  return { fetchDescriptor, can, canAny, shouldGate, ready };
-}
diff --git a/src/Frontend/src/stores/PermissionsStore.ts b/src/Frontend/src/stores/PermissionsStore.ts
deleted file mode 100644
index 5fb1db7e3..000000000
--- a/src/Frontend/src/stores/PermissionsStore.ts
+++ /dev/null
@@ -1,72 +0,0 @@
-import { acceptHMRUpdate, defineStore } from "pinia";
-import { ref } from "vue";
-import serviceControlClient from "@/components/serviceControlClient";
-import logger from "@/logger";
-
-// The JSON shape returned by GET api/my/permissions/all (snake_case on the wire).
-// Permissions is a flat list of permission strings, e.g. "error:messages:retry".
-// (ServiceControl has no per-resource scopes yet; when it gains them this descriptor
-// will grow a scope per entry — see the dormant permissionMatching.ts.)
-export interface PermissionsDescriptor {
-  user: string;
-  permissions: string[];
-}
-
-// Holds the current user's effective permission set and loads it from ServiceControl.
-// A Set gives O(1) membership checks for usePermissions().can().
-export const usePermissionsStore = defineStore("PermissionsStore", () => {
-  const user = ref("");
-  const permissions = ref<Set<string>>(new Set());
-  const loaded = ref(false); // a descriptor was successfully applied
-  const loadAttempted = ref(false); // a fetch has settled (success OR failure)
-
-  // Per-store in-flight guard so concurrent callers share one request. Kept on the store
-  // (not module scope) so each Pinia instance — e.g. a re-mounted app — has its own, and a
-  // stale request can never resolve into a different store instance.
-  let inFlight: Promise<void> | null = null;
-
-  function setDescriptor(descriptor: PermissionsDescriptor) {
-    user.value = descriptor.user;
-    permissions.value = new Set(descriptor.permissions);
-    loaded.value = true;
-  }
-
-  async function load() {
-    try {
-      const response = await serviceControlClient.fetchFromServiceControl("my/permissions/all");
-
-      // Leave any existing descriptor intact on failure (fail-safe — don't widen or drop the
-      // user's permissions because of a transient error or a 401), and log it.
-      if (!response.ok) {
-        logger.warn(`Failed to fetch permissions: ${response.status} ${response.statusText}`);
-        return;
-      }
-
-      setDescriptor(await response.json());
-    } catch (error) {
-      logger.error("Error fetching permissions", error);
-    } finally {
-      // Even on failure, mark the attempt settled so gate-on-ready can proceed; can() then
-      // fails open because loaded stayed false.
-      loadAttempted.value = true;
-    }
-  }
-
-  // Fetch (or join an in-flight fetch of) the current user's permissions.
-  function refresh() {
-    return (inFlight ??= load().finally(() => (inFlight = null)));
-  }
-
-  function clear() {
-    user.value = "";
-    permissions.value = new Set();
-    loaded.value = false;
-    loadAttempted.value = false;
-  }
-
-  return { user, permissions, loaded, loadAttempted, setDescriptor, refresh, clear };
-});
-
-if (import.meta.hot) {
-  import.meta.hot.accept(acceptHMRUpdate(usePermissionsStore, import.meta.hot));
-}

From f5f86ed7f2a4946b4a554a26bb42ca3ac871c9ba Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Thu, 25 Jun 2026 16:36:04 +0200
Subject: [PATCH 23/25] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20Remove=20dead=20my/p?=
 =?UTF-8?q?ermissions=20test=20helper?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../test/preconditions/authentication.ts      | 63 -------------------
 1 file changed, 63 deletions(-)

diff --git a/src/Frontend/test/preconditions/authentication.ts b/src/Frontend/test/preconditions/authentication.ts
index 8bfdbc8bc..ba8a73014 100644
--- a/src/Frontend/test/preconditions/authentication.ts
+++ b/src/Frontend/test/preconditions/authentication.ts
@@ -51,66 +51,6 @@ export const hasAuthenticationDisabled =
     return authDisabledConfig;
   };
 
-/**
- * The full ServiceControl permission catalogue (writer/admin). Mirrors
- * ServiceControl's Auth/Permissions.cs. Used as the default for hasUserPermissions so
- * authenticated tests see the full UI unless they opt into a restricted set.
- */
-export const allPermissions: string[] = [
-  "error:messages:view",
-  "error:messages:retry",
-  "error:messages:archive",
-  "error:messages:unarchive",
-  "error:messages:edit",
-  "error:recoverabilitygroups:view",
-  "error:recoverabilitygroups:retry",
-  "error:recoverabilitygroups:archive",
-  "error:recoverabilitygroups:unarchive",
-  "error:endpoints:view",
-  "error:endpoints:manage",
-  "error:endpoints:delete",
-  "error:heartbeats:view",
-  "error:customchecks:view",
-  "error:customchecks:delete",
-  "error:sagas:view",
-  "error:eventlog:view",
-  "error:licensing:view",
-  "error:licensing:manage",
-  "error:notifications:view",
-  "error:notifications:manage",
-  "error:notifications:test",
-  "error:redirects:view",
-  "error:redirects:manage",
-  "error:queues:view",
-  "error:queues:delete",
-  "error:throughput:view",
-  "error:throughput:manage",
-  "error:connections:view",
-  "error:connections:manage",
-  "audit:message:view",
-  "audit:connection:view",
-  "audit:endpoint:view",
-  "audit:saga:view",
-  "monitoring:endpoint:view",
-  "monitoring:endpoint:delete",
-  "monitoring:connection:view",
-  "monitoring:license:view",
-];
-
-/**
- * Mocks GET my/permissions/all (the user's effective permission list).
- * @param permissions - the permission strings to grant (defaults to the full catalogue)
- * @param user - the subject name returned in the descriptor
- */
-export const hasUserPermissions =
-  (permissions: string[] = allPermissions, user = "test-user") =>
-  ({ driver }: SetupFactoryOptions) => {
-    const serviceControlInstanceUrl = window.defaultConfig.service_control_url;
-    driver.mockEndpoint(`${serviceControlInstanceUrl}my/permissions/all`, {
-      body: { user, permissions },
-    });
-  };
-
 /**
  * Authentication enabled with custom configuration
  * @param config - Custom auth configuration to return
@@ -126,9 +66,6 @@ export const hasAuthenticationEnabled =
     driver.mockEndpoint(`${serviceControlInstanceUrl}authentication/configuration`, {
       body: fullConfig,
     });
-    // When auth is enabled the app fetches the user's permissions; provide them by default
-    // (full access) so gate-on-ready can render. Tests can re-mock with a restricted set.
-    hasUserPermissions()({ driver });
     return fullConfig;
   };
 

From 5a11ee5211a4c6fb4616e8012089517c0b197540 Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Fri, 26 Jun 2026 06:44:04 +0200
Subject: [PATCH 24/25] =?UTF-8?q?=F0=9F=90=9B=20Fix=20Monitoring=20instanc?=
 =?UTF-8?q?e=20route=20paths=20(no=20/api=20prefix)=20in=20UI=20gating?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../configuration/UserPermissions.vue         | 20 +++++++++++--------
 .../components/monitoring/monitoringClient.ts |  4 +++-
 src/Frontend/src/composables/apiRoutes.ts     |  4 ++--
 .../src/composables/useAllowedRoutes.spec.ts  | 13 ++++++++++++
 .../src/stores/AllowedRoutesStore.spec.ts     | 16 +++++++++++++++
 5 files changed, 46 insertions(+), 11 deletions(-)

diff --git a/src/Frontend/src/components/configuration/UserPermissions.vue b/src/Frontend/src/components/configuration/UserPermissions.vue
index 6763ff768..ae81d3739 100644
--- a/src/Frontend/src/components/configuration/UserPermissions.vue
+++ b/src/Frontend/src/components/configuration/UserPermissions.vue
@@ -1,15 +1,10 @@
-<script setup lang="ts">
-import { computed } from "vue";
-import { faCheck, faXmark } from "@fortawesome/free-solid-svg-icons";
-import FAIcon from "@/components/FAIcon.vue";
+<script lang="ts">
 import { ApiRoutes } from "@/composables/apiRoutes";
-import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
-
-const { canCall } = useAllowedRoutes();
 
 // Static capability groupings: each area lists the API routes the user may or may not be able to call.
 // Permissions are derived at render time from canCall — no permission strings are involved.
-const groups = [
+// Defined at module scope (outside setup) so it is shared across component instances.
+export const groups = [
   {
     area: "Failed messages",
     caps: [
@@ -89,6 +84,15 @@ const groups = [
     ],
   },
 ];
+</script>
+
+<script setup lang="ts">
+import { computed } from "vue";
+import { faCheck, faXmark } from "@fortawesome/free-solid-svg-icons";
+import FAIcon from "@/components/FAIcon.vue";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+
+const { canCall } = useAllowedRoutes();
 
 const rows = computed(() =>
   groups.map((g) => ({
diff --git a/src/Frontend/src/components/monitoring/monitoringClient.ts b/src/Frontend/src/components/monitoring/monitoringClient.ts
index 92c77aa18..0c6b20785 100644
--- a/src/Frontend/src/components/monitoring/monitoringClient.ts
+++ b/src/Frontend/src/components/monitoring/monitoringClient.ts
@@ -95,7 +95,9 @@ class MonitoringClient {
     if (this.isMonitoringDisabled) {
       return undefined;
     }
-    return await authFetch(`${this.url}my/routes`);
+    // Unlike the other Monitoring endpoints (served at root), MyRoutesController has a class-level
+    // "api" route prefix (it is the shared controller used by both Primary and Monitoring instances).
+    return await authFetch(`${this.url}api/my/routes`);
   }
 
   public get isMonitoringEnabled() {
diff --git a/src/Frontend/src/composables/apiRoutes.ts b/src/Frontend/src/composables/apiRoutes.ts
index cf07ac88e..3ac666ace 100644
--- a/src/Frontend/src/composables/apiRoutes.ts
+++ b/src/Frontend/src/composables/apiRoutes.ts
@@ -8,7 +8,7 @@ export type RouteRef = { method: string; path: string };
 export const ApiRoutes = {
   // ---- nav / verb-level (GET routes gated by the matching :view permission) ----
   viewHeartbeats: { method: "GET", path: "/api/heartbeats/stats" }, // error:heartbeats:view (EndpointsMonitoringController)
-  viewMonitoredEndpoints: { method: "GET", path: "/api/monitored-endpoints" }, // monitoring:endpoint:view (DiagramApiController, Monitoring instance)
+  viewMonitoredEndpoints: { method: "GET", path: "/monitored-endpoints" }, // Monitoring instance serves at root (no /api prefix) — monitoring:endpoint:view (DiagramApiController)
   viewAuditMessages: { method: "GET", path: "/api/messages2" }, // error:messages:view (GetMessages2Controller)
   viewFailedMessages: { method: "GET", path: "/api/errors" }, // error:messages:view (GetAllErrorsController)
   viewCustomChecks: { method: "GET", path: "/api/customchecks" }, // error:customchecks:view (CustomCheckController)
@@ -33,5 +33,5 @@ export const ApiRoutes = {
   deleteGroup: { method: "POST", path: "/api/recoverability/groups/{}/errors/archive" },
   restoreGroup: { method: "POST", path: "/api/recoverability/groups/{}/errors/unarchive" },
   deleteEndpointInstance: { method: "DELETE", path: "/api/endpoints/{}" },
-  deleteMonitoredEndpoint: { method: "DELETE", path: "/api/monitored-instance/{}/{}" },
+  deleteMonitoredEndpoint: { method: "DELETE", path: "/monitored-instance/{}/{}" }, // Monitoring instance serves at root (no /api prefix)
 } as const satisfies Record<string, RouteRef>;
diff --git a/src/Frontend/src/composables/useAllowedRoutes.spec.ts b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
index 9111a9dc7..2fa811f68 100644
--- a/src/Frontend/src/composables/useAllowedRoutes.spec.ts
+++ b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
@@ -45,4 +45,17 @@ describe("useAllowedRoutes", () => {
     arrange(true, true, ["GET /api/errors"]);
     expect(useAllowedRoutes().canAnyCall([ApiRoutes.retryMessage, ApiRoutes.viewFailedMessages])).toBe(true);
   });
+
+  it("ready is false when auth on + authenticated but loadAttempted is false, then true after loadAttempted", () => {
+    const auth = useAuthStore();
+    auth.authEnabled = true;
+    auth.isAuthenticated = true;
+    const store = useAllowedRoutesStore();
+    store.routes = new Map();
+    store.loaded = false;
+    store.loadAttempted = false;
+    expect(useAllowedRoutes().ready.value).toBe(false);
+    store.loadAttempted = true;
+    expect(useAllowedRoutes().ready.value).toBe(true);
+  });
 });
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
index e4c20aa4c..1f67451fd 100644
--- a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
+++ b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
@@ -1,5 +1,7 @@
 import { describe, it, expect, beforeEach, vi } from "vitest";
 import { setActivePinia, createPinia } from "pinia";
+import { ApiRoutes } from "@/composables/apiRoutes";
+import { normalizeRouteKey } from "@/composables/routeMatching";
 
 const scFetch = vi.fn();
 const monFetch = vi.fn();
@@ -60,4 +62,18 @@ describe("AllowedRoutesStore", () => {
     expect(store.loaded).toBe(false);
     expect(store.loadAttempted).toBe(true);
   });
+
+  it("Monitoring manifest entry at root (no /api prefix) matches the ApiRoutes registry path", async () => {
+    // The Monitoring instance serves monitored-endpoints at root — no /api prefix.
+    // This test pins the cross-repo path contract: the manifest entry the Monitoring
+    // instance returns must round-trip through normalizeRouteKey to produce the same
+    // key as the registry uses for viewMonitoredEndpoints.
+    scFetch.mockResolvedValue(ok([]));
+    monFetch.mockResolvedValue(ok([{ method: "GET", urlTemplate: "/monitored-endpoints" }]));
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    const expectedKey = normalizeRouteKey(ApiRoutes.viewMonitoredEndpoints.method, ApiRoutes.viewMonitoredEndpoints.path);
+    expect(expectedKey).toBe("GET /monitored-endpoints");
+    expect(store.routes.has(expectedKey)).toBe(true);
+  });
 });

From a22ef9c87ad28a232d3f97837c1dc8c53bb33558 Mon Sep 17 00:00:00 2001
From: Ramon Smits <ramon.smits@gmail.com>
Date: Fri, 26 Jun 2026 07:17:46 +0200
Subject: [PATCH 25/25] =?UTF-8?q?=F0=9F=90=9B=20Read=20snake=5Fcase=20url?=
 =?UTF-8?q?=5Ftemplate=20from=20my/routes=20manifest?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ServiceControl serializes its HTTP API in snake_case, so the manifest field is
url_template, not urlTemplate. Reading the camelCase name yielded undefined keys
so gating never matched against a live server. Tests now use the real wire shape.
---
 .../failedmessages/messageGroupButtonPermissions.spec.ts  | 2 +-
 .../components/messages/messageButtonPermissions.spec.ts  | 2 +-
 src/Frontend/src/composables/useAllowedRoutes.spec.ts     | 2 +-
 src/Frontend/src/stores/AllowedRoutesStore.spec.ts        | 8 ++++----
 src/Frontend/src/stores/AllowedRoutesStore.ts             | 5 +++--
 5 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts b/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
index e857f2052..55f02bcfa 100644
--- a/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
+++ b/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
@@ -34,7 +34,7 @@ vi.mock("@/components/failedmessages/messageGroupClient", () => ({
 }));
 
 function makeRoutes(keys: string[]): Map<string, ManifestEntry> {
-  return new Map(keys.map((k) => [k, { method: "", urlTemplate: "" }]));
+  return new Map(keys.map((k) => [k, { method: "", url_template: "" }]));
 }
 
 async function renderGroupList(allowedRouteKeys: string[]) {
diff --git a/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
index 12edbdf64..26c3fa017 100644
--- a/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
+++ b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
@@ -30,7 +30,7 @@ const cases: ButtonCase[] = [
 ];
 
 function makeRoutes(keys: string[]): Map<string, ManifestEntry> {
-  return new Map(keys.map((k) => [k, { method: "", urlTemplate: "" }]));
+  return new Map(keys.map((k) => [k, { method: "", url_template: "" }]));
 }
 
 function renderButton(component: Component, allowedRouteKeys: string[], archived: boolean) {
diff --git a/src/Frontend/src/composables/useAllowedRoutes.spec.ts b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
index 2fa811f68..8843a47c4 100644
--- a/src/Frontend/src/composables/useAllowedRoutes.spec.ts
+++ b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
@@ -20,7 +20,7 @@ describe("useAllowedRoutes", () => {
     auth.authEnabled = enabled;
     auth.isAuthenticated = authed;
     const store = useAllowedRoutesStore();
-    store.routes = new Map(keys.map((k) => [k, { method: "", urlTemplate: "" }]));
+    store.routes = new Map(keys.map((k) => [k, { method: "", url_template: "" }]));
     store.loaded = keys.length > 0;
     store.loadAttempted = true;
   }
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
index 1f67451fd..b8ffaf998 100644
--- a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
+++ b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
@@ -27,8 +27,8 @@ describe("AllowedRoutesStore", () => {
   });
 
   it("merges Primary and Monitoring manifests into normalized keys", async () => {
-    scFetch.mockResolvedValue(ok([{ method: "POST", urlTemplate: "/api/errors/{id}/retry" }]));
-    monFetch.mockResolvedValue(ok([{ method: "DELETE", urlTemplate: "/api/monitored-instance/{n}/{i}" }]));
+    scFetch.mockResolvedValue(ok([{ method: "POST", url_template: "/api/errors/{id}/retry" }]));
+    monFetch.mockResolvedValue(ok([{ method: "DELETE", url_template: "/api/monitored-instance/{n}/{i}" }]));
     const store = useAllowedRoutesStore();
     await store.refresh();
     expect(store.routes.has("POST /api/errors/{}/retry")).toBe(true);
@@ -37,7 +37,7 @@ describe("AllowedRoutesStore", () => {
   });
 
   it("fails open per instance: a 404 from one instance contributes nothing but does not throw", async () => {
-    scFetch.mockResolvedValue(ok([{ method: "GET", urlTemplate: "/api/errors" }]));
+    scFetch.mockResolvedValue(ok([{ method: "GET", url_template: "/api/errors" }]));
     monFetch.mockResolvedValue({ ok: false, status: 404, json: () => Promise.resolve({}) });
     const store = useAllowedRoutesStore();
     await store.refresh();
@@ -69,7 +69,7 @@ describe("AllowedRoutesStore", () => {
     // instance returns must round-trip through normalizeRouteKey to produce the same
     // key as the registry uses for viewMonitoredEndpoints.
     scFetch.mockResolvedValue(ok([]));
-    monFetch.mockResolvedValue(ok([{ method: "GET", urlTemplate: "/monitored-endpoints" }]));
+    monFetch.mockResolvedValue(ok([{ method: "GET", url_template: "/monitored-endpoints" }]));
     const store = useAllowedRoutesStore();
     await store.refresh();
     const expectedKey = normalizeRouteKey(ApiRoutes.viewMonitoredEndpoints.method, ApiRoutes.viewMonitoredEndpoints.path);
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.ts b/src/Frontend/src/stores/AllowedRoutesStore.ts
index f99f17cbe..5c19413a3 100644
--- a/src/Frontend/src/stores/AllowedRoutesStore.ts
+++ b/src/Frontend/src/stores/AllowedRoutesStore.ts
@@ -7,7 +7,8 @@ import logger from "@/logger";
 
 export interface ManifestEntry {
   method: string;
-  urlTemplate: string;
+  // ServiceControl serializes its HTTP API in snake_case, so the manifest field is `url_template`.
+  url_template: string;
   [k: string]: unknown;
 }
 
@@ -46,7 +47,7 @@ export const useAllowedRoutesStore = defineStore("AllowedRoutesStore", () => {
       const merged = new Map<string, ManifestEntry>();
       for (const list of [primary, monitoring]) {
         for (const entry of list ?? []) {
-          merged.set(normalizeRouteKey(entry.method, entry.urlTemplate), entry);
+          merged.set(normalizeRouteKey(entry.method, entry.url_template), entry);
         }
       }
       routes.value = merged;