Add Workflows Engineer to invoice privileged roles

[lairwaves]

Description

Add Workflows Engineer to _PRIVILEGED_ROLES in the invoice validation cog so Workflows
Engineers get full invoice access without being restricted to their own project roster.

Follow-up from michaelmwu's suggestion on #290 .

How Has This Been Tested?

Existing unit tests in tests/unit/test_invoices_cog.py cover the privileged role access
path — all 14 tests pass.

Summary by CodeRabbit

• New Features
  • The Workflows Engineer role can now validate invoices; access messaging now lists all privileged roles dynamically.
• Tests
  • Invoice authorization tests updated to include the Workflows Engineer role and verify dynamic privileged-role messaging.

[coderabbitai]

Warning

Rate limit exceeded

@lairwaves has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 38 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: caa4f9e1-c6b0-4636-8782-87dbdc128895

📥 Commits

Reviewing files that changed from the base of the PR and between cc34a46 and 866130f.

📒 Files selected for processing (2)

• apps/discord_bot/src/five08/discord_bot/cogs/invoices.py
• tests/unit/test_invoices_cog.py

📝 Walkthrough

Walkthrough

This PR adds "Workflows Engineer" to the privileged roles allowed to validate invoices and updates the denial message and unit tests to reference the privileged-roles list.

Changes

Invoice Authorization

Layer / File(s)	Summary
Privileged roles and denial message apps/discord_bot/src/five08/discord_bot/cogs/invoices.py	The _PRIVILEGED_ROLES constant is expanded to include "Workflows Engineer", and the validate-invoice restricted-access message now lists allowed roles from that constant.
Unit tests for privileged roles tests/unit/test_invoices_cog.py	Tests import _PRIVILEGED_ROLES, add a mock_workflows_engineer_interaction fixture, update the denial-message assertion to check for any privileged role, and add a test ensuring a Workflows Engineer can validate without an ERP identity.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• 508-dev/508-workflows#290: Also touches /validate-invoice authorization logic and denial messaging.

Suggested reviewers

• michaelmwu

Poem

🐰 A new badge hops into the fold,
"Workflows Engineer" in the roles we hold.
Denials list the names, tests sing along,
One small change, the chorus grown strong. 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 62.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding the Workflows Engineer role to the privileged roles list for invoice validation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/discord_bot/src/five08/discord_bot/cogs/invoices.py (1)

117-123: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

User-facing denial message is now out of sync with _PRIVILEGED_ROLES.

The error message still enumerates only "Steering Committee members or confirmed ERP project members." With Workflows Engineer added to _PRIVILEGED_ROLES, a Workflows Engineer denied access (e.g., due to role hierarchy mismatch) would see a message that doesn't mention their role, which is confusing. Consider updating the message to reflect the new privileged role set, or generalize the wording.

📝 Proposed wording update

             if not include_all and not emails:
                 await interaction.followup.send(
-                    "Invoice validation is available to Steering Committee members "
-                    "or confirmed ERP project members.",
+                    "Invoice validation is available to Steering Committee or "
+                    "Workflows Engineer members, or confirmed ERP project members.",
                     ephemeral=True,
                 )

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/discord_bot/src/five08/discord_bot/cogs/invoices.py` around lines 117 -
123, The user-facing denial string in the invoices validation block (where
include_all and emails are checked before calling interaction.followup.send) is
stale relative to the _PRIVILEGED_ROLES set; update the message returned by
interaction.followup.send to either enumerate the current privileged roles
(including "Workflows Engineer") or use a generalized phrase like "privileged
roles (e.g., Steering Committee, confirmed ERP project members, Workflows
Engineers)" or "authorized project/committee members" so it aligns with
_PRIVILEGED_ROLES and avoids confusion when a Workflows Engineer is denied.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@apps/discord_bot/src/five08/discord_bot/cogs/invoices.py`:
- Around line 117-123: The user-facing denial string in the invoices validation
block (where include_all and emails are checked before calling
interaction.followup.send) is stale relative to the _PRIVILEGED_ROLES set;
update the message returned by interaction.followup.send to either enumerate the
current privileged roles (including "Workflows Engineer") or use a generalized
phrase like "privileged roles (e.g., Steering Committee, confirmed ERP project
members, Workflows Engineers)" or "authorized project/committee members" so it
aligns with _PRIVILEGED_ROLES and avoids confusion when a Workflows Engineer is
denied.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc116aff-1522-4b94-8b56-d4d9d528a183

📥 Commits

Reviewing files that changed from the base of the PR and between e7f288a and 8ea51e2.

📒 Files selected for processing (1)

• apps/discord_bot/src/five08/discord_bot/cogs/invoices.py

[Copilot]

Pull request overview

Expands invoice-validation authorization in the Discord bot so the Workflows Engineer role is treated as privileged for viewing/validating invoices.

Changes:

• Adds Workflows Engineer to the invoice cog’s _PRIVILEGED_ROLES allowlist.
• Updates the “no ERP identity” denial message and adjusts the corresponding unit test assertion.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
apps/discord_bot/src/five08/discord_bot/cogs/invoices.py	Grants privileged invoice access to Workflows Engineer and updates the user-facing denial message.
tests/unit/test_invoices_cog.py	Updates unit test expectation to match the revised denial message.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

🧹 Nitpick comments (1)

tests/unit/test_invoices_cog.py (1)

157-157: ⚡ Quick win

Consider strengthening the assertion to verify all privileged roles appear.

The current assertion checks that at least one privileged role appears in the denial message. To more precisely verify that the message includes all configured privileged roles, consider:

✨ More precise assertion

-    assert any(role in sent for role in _PRIVILEGED_ROLES)
+    for role in _PRIVILEGED_ROLES:
+        assert role in sent

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/unit/test_invoices_cog.py` at line 157, The test currently asserts that
any privileged role appears in the denial message; update the assertion to
require that all privileged roles are present by checking every member of
_PRIVILEGED_ROLES against the message (use sent and _PRIVILEGED_ROLES to locate
the check), e.g. replace the any(...) check with an all(...) membership
assertion or an explicit subset check to ensure every role in _PRIVILEGED_ROLES
is contained in sent.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tests/unit/test_invoices_cog.py`:
- Line 157: The test currently asserts that any privileged role appears in the
denial message; update the assertion to require that all privileged roles are
present by checking every member of _PRIVILEGED_ROLES against the message (use
sent and _PRIVILEGED_ROLES to locate the check), e.g. replace the any(...) check
with an all(...) membership assertion or an explicit subset check to ensure
every role in _PRIVILEGED_ROLES is contained in sent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cd23d05a-c4c9-4b16-a1f5-46383a61cfd7

📥 Commits

Reviewing files that changed from the base of the PR and between 8ea51e2 and cc34a46.

📒 Files selected for processing (2)

• apps/discord_bot/src/five08/discord_bot/cogs/invoices.py
• tests/unit/test_invoices_cog.py