Implement RBAC with fine-grained resource-level permissions

[Smartdevs17]

Context

All team members currently have the same access level. No role-based access control exists for multi-user merchant accounts.

Current Limitation/Problem

Any team member can modify billing settings, delete subscriptions, or change plan configurations. No audit trail per action.

Expected Outcome

RBAC system with predefined roles (Admin, Billing, Support, Viewer) and custom roles with resource-level permissions in resource:action format.

Acceptance Criteria

• Permission model: resource:action format (subscription:create, invoice:read, plan:modify, settings:admin)
• Predefined roles: Admin (all:), Billing (billing:, invoice:), Support (subscription:read, invoice:read), Viewer (:read)
• Custom roles: create with arbitrary permission set from available permissions
• Middleware: requirePermission('subscription:cancel') decorator on all protected endpoints
• Role management UI: create/edit/delete roles, assign to users
• Permission audit log: record action, actor ID, resource, outcome (allow/deny), timestamp
• Edge case: role deleted while users assigned (fallback to Viewer role)
• Edge case: permission escalation prevention (user cannot self-promote)

Technical Scope

• backend/auth/rbac/ - RBAC service, PermissionRegistry, RoleService
• backend/auth/rbac/roles/ - predefined role definitions
• backend/auth/middleware/ - requirePermission middleware factory
• backend/auth/controller/ - role and permission management REST API
• mobile/app/screens/ - RoleManagementScreen
• db/schema/ - roles, role_permissions, user_roles tables

[Tekprecious]

@Tekprecious has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

I have experience for this and have reviewed the code; I can submit a PR within 2 days.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Tekprecious to this issue.

[Marvy247]

@Marvy247 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi Maintainer, I've reviewed the issue description, and I'm confident I can implement all the requested details smoothly.​ Please assign this issue to me! I can have a PR ready for review in a few hours. Thank You.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Marvy247 to this issue.

[codefather2026]

@codefather2026 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi maintainer, i will like to solve this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @codefather2026 to this issue.

[drips-wave]

Congratulations, @Tekprecious! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @Tekprecious: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊