From ddcaa0edb1d7ffaa24d21c98f1bf194ea177eb66 Mon Sep 17 00:00:00 2001
From: Holger Schmermbeck <holger@secpal.app>
Date: Sat, 15 Nov 2025 12:48:47 +0100
Subject: [PATCH 1/2] fix: resolve permission naming conflict and add
 integration tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix permission naming bug: Add role.* permissions (assign, read, revoke)
  for Phase 3 route compatibility alongside roles.* for Phase 4
- Update Admin role to include both permission groups (40 permissions total)
- Correct API URL paths in documentation (/api/v1/ → /v1/)
- Add 8 RBAC integration tests (7 passing, 1 skipped)
- Document bug fix in CHANGELOG.md

Fixes #108
---
 CHANGELOG.md                                  |  52 +++-
 README.md                                     |  57 +++-
 .../seeders/RolesAndPermissionsSeeder.php     |  34 ++-
 docs/GUARD_ARCHITECTURE.md                    |   2 +-
 docs/api/rbac-endpoints.md                    |  36 +--
 docs/guides/direct-permissions.md             |  10 +-
 docs/guides/permission-system.md              |  32 +-
 docs/guides/role-management.md                |   4 +-
 docs/guides/temporal-roles.md                 |  26 +-
 docs/rbac-architecture.md                     |  80 ++---
 .../Integration/RbacIntegrationTest.php       | 285 ++++++++++++++++++
 11 files changed, 501 insertions(+), 117 deletions(-)
 create mode 100644 tests/Feature/Integration/RbacIntegrationTest.php

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4ef2d6a..f18e074 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,8 +12,52 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- **Permission Naming Conflict** (#108, Phase 4)
+  - Fixed missing `role.assign`, `role.read`, `role.revoke` permissions in seeder
+  - Phase 3 routes (`POST /v1/users/{user}/roles`) require `role.assign` permission
+  - Seeder was only creating `roles.assign_temporary` (Phase 4 naming)
+  - Admin role now has both `role.*` (Phase 3) and `roles.*` (Phase 4) permissions
+  - Enables integration tests that were previously blocked by authorization failures
+  - Resolves 403 Forbidden errors when admins assign roles to users
+
 ### Added
 
+- **Role Management CRUD API** (#108, Phase 4)
+  - New endpoint: `GET /v1/roles` - List all roles with permission count and user count
+  - New endpoint: `POST /v1/roles` - Create new role with permissions
+  - New endpoint: `GET /v1/roles/{id}` - Get role details with assigned permissions
+  - New endpoint: `PATCH /v1/roles/{id}` - Update role name and/or permissions
+  - New endpoint: `DELETE /v1/roles/{id}` - Delete role (blocks if assigned to users)
+  - New controller: `RoleManagementController` - Handles role CRUD operations
+  - New policy: `RoleManagementPolicy` - Admin-only authorization for all operations
+  - New form requests: `CreateRoleRequest`, `UpdateRoleRequest` - Validation rules
+  - Simple role system: All roles equal, no artificial system/custom distinction
+  - Deletion protection: Cannot delete roles assigned to users (422 response with user count)
+  - Part of RBAC Phase 4 Epic (#108), completes role management capabilities
+
+- **Predefined Roles Seeder** (#108, Phase 4)
+  - New seeder: `RolesAndPermissionsSeeder` - Creates 5 predefined roles with permissions
+  - Predefined roles: Admin, Manager, Guard, Client, Works Council
+  - Idempotent design: Safe to run multiple times, uses `firstOrCreate`
+  - Auto-recreation: Deleted predefined roles are recreated on next seeder run
+  - Permission groups: 52 permissions across 7 resources (employees, shifts, work_instructions, roles, permissions, works_council, reports)
+  - Wildcard expansion: Supports `resource.*` notation for assigning all resource actions
+  - Only syncs permissions if role has none (prevents overwriting customizations)
+  - Part of RBAC Phase 4 Epic (#108), provides production-ready role foundation
+
+- **RBAC Documentation** (#108, Phase 4)
+  - New guide: `docs/guides/role-management.md` - How to create/manage roles (872 lines)
+  - New guide: `docs/guides/permission-system.md` - Permission naming conventions and organization (716 lines)
+  - New guide: `docs/guides/temporal-roles.md` - Temporal role assignment patterns
+  - New guide: `docs/guides/direct-permissions.md` - When and how to use direct permissions
+  - New API docs: `docs/api/rbac-endpoints.md` - Complete API reference for all 16 RBAC endpoints (1239 lines)
+  - Comprehensive examples: Request/response samples for all endpoints
+  - Authorization diagrams: Visual representation of permission checks
+  - Best practices: Guidelines for role design and permission management
+  - Part of RBAC Phase 4 Epic (#108), completes RBAC documentation requirements
+
 - **User Direct Permission Assignment API** (#138)
   - New endpoint: `GET /v1/users/{user}/permissions` - List all user permissions (direct + inherited from roles)
   - New endpoint: `POST /v1/users/{user}/permissions` - Assign direct permission(s) to user with temporal tracking (audit trail)
@@ -97,10 +141,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Prevents accidental commits of broken code from merge conflicts
   - Colored output shows exact file locations and line numbers
 - **RBAC Phase 3: API Endpoints & Authorization** - Role management REST API (#107)
-  - `POST /api/v1/users/{id}/roles` - Assign role with temporal parameters (valid_from, valid_until, auto_revoke)
-  - `GET /api/v1/users/{id}/roles` - List user roles with expiry info (is_active, is_expired status)
-  - `DELETE /api/v1/users/{id}/roles/{role}` - Revoke role assignment
-  - `PATCH /api/v1/users/{id}/roles/{role}/extend` - Extend role expiration date
+  - `POST /v1/users/{id}/roles` - Assign role with temporal parameters (valid_from, valid_until, auto_revoke)
+  - `GET /v1/users/{id}/roles` - List user roles with expiry info (is_active, is_expired status)
+  - `DELETE /v1/users/{id}/roles/{role}` - Revoke role assignment
+  - `PATCH /v1/users/{id}/roles/{role}/extend` - Extend role expiration date
   - `RoleController` with 3 RESTful methods (`store`, `index`, `destroy`) and 1 custom action (`extend`)
   - `AssignRoleRequest` - Validates temporal parameters (valid_from < valid_until, role existence)
   - `ExtendRoleRequest` - Validates extension (new date must be after current expiration)
diff --git a/README.md b/README.md
index 7251800..9a6efd3 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,56 @@ SecPal API is the backend service for the SecPal platform, built with Laravel 12
 - **Static Analysis:** PHPStan (Level Max) with Larastan
 - **PHP Version:** 8.4+
 
-## Requirements
+## Key Features
+
+### 🔐 Role-Based Access Control (RBAC)
+
+Comprehensive RBAC system with temporal role assignments and direct permission management.
+
+**Features:**
+
+- **5 Predefined Roles**: Admin, Manager, Guard, Client, Works Council
+- **52 Permissions** across 7 resources (employees, shifts, work_instructions, roles, permissions, works_council, reports)
+- **Temporal Role Assignments**: Assign roles with `valid_from`/`valid_until` dates for automatic expiration
+- **Direct Permissions**: Assign permissions directly to users, bypassing roles for fine-grained control
+- **Permission Inheritance**: User permissions = Role permissions ∪ Direct permissions
+- **Idempotent Seeder**: Predefined roles auto-recreate if deleted
+- **16 REST API Endpoints**: Full CRUD for roles, permissions, assignments, and direct permissions
+
+**API Examples:**
+
+```bash
+# List all roles with counts
+GET /v1/roles
+
+# Assign role to user with expiration
+POST /v1/users/{id}/roles
+{
+  "role": "Manager",
+  "valid_from": "2025-11-15T00:00:00Z",
+  "valid_until": "2025-12-31T23:59:59Z"
+}
+
+# Assign direct permission (bypass role)
+POST /v1/users/{id}/permissions
+{
+  "permissions": ["employees.export", "reports.generate"]
+}
+
+# List user's all permissions (role + direct)
+GET /v1/users/{id}/permissions
+# Returns: { "via_roles": [...], "direct": [...], "all": [...] }
+```
+
+**Documentation:**
+
+- [Role Management Guide](docs/guides/role-management.md)
+- [Permission System](docs/guides/permission-system.md)
+- [Temporal Roles](docs/guides/temporal-roles.md)
+- [Direct Permissions](docs/guides/direct-permissions.md)
+- [API Reference](docs/api/rbac-endpoints.md)
+
+### 🔒 Envelope Encryption
 
 - PHP 8.4 or higher
 - Composer 2.x
@@ -282,14 +331,14 @@ Role and permission assignments are permanent by default. Temporal constraints (
 **Assign Permanent Role:**
 
 ```bash
-POST /api/v1/users/{id}/roles
+POST /v1/users/{id}/roles
 {"role": "manager"}
 ```
 
 **Assign Temporal Role:**
 
 ```bash
-POST /api/v1/users/{id}/roles
+POST /v1/users/{id}/roles
 {
   "role": "manager",
   "valid_until": "2025-12-14T23:59:59Z"
@@ -299,7 +348,7 @@ POST /api/v1/users/{id}/roles
 **Assign Direct Permission:**
 
 ```bash
-POST /api/v1/users/{id}/permissions
+POST /v1/users/{id}/permissions
 {"permissions": ["employees.export"]}
 ```
 
diff --git a/database/seeders/RolesAndPermissionsSeeder.php b/database/seeders/RolesAndPermissionsSeeder.php
index 2d8dd42..01f3e03 100644
--- a/database/seeders/RolesAndPermissionsSeeder.php
+++ b/database/seeders/RolesAndPermissionsSeeder.php
@@ -91,21 +91,26 @@ private function getPermissionDefinitions(): array
                 'acknowledge',
                 'view_acknowledgments',
             ],
+            'role' => [
+                'assign',   // Phase 3: POST /users/{user}/roles
+                'read',     // Phase 3: GET /users/{user}/roles
+                'revoke',   // Phase 3: DELETE /users/{user}/roles/{role}
+            ],
             'roles' => [
-                'read',
-                'create',
-                'update',
-                'delete',
-                'assign_temporary',
-                'extend_expiration',
+                'read',               // Phase 4: GET /roles
+                'create',             // Phase 4: POST /roles
+                'update',             // Phase 4: PATCH /roles/{id}
+                'delete',             // Phase 4: DELETE /roles/{id}
+                'assign_temporary',   // Phase 3: Temporal role assignment
+                'extend_expiration',  // Phase 3: PATCH /users/{user}/roles/{role}/extend
             ],
             'permissions' => [
-                'read',
-                'create',
-                'update',
-                'delete',
-                'assign_direct',
-                'revoke_direct',
+                'read',           // Phase 4: GET /permissions
+                'create',         // Phase 4: POST /permissions
+                'update',         // Phase 4: PATCH /permissions/{id}
+                'delete',         // Phase 4: DELETE /permissions/{id}
+                'assign_direct',  // Phase 4: POST /users/{user}/permissions
+                'revoke_direct',  // Phase 4: DELETE /users/{user}/permissions/{permission}
             ],
             'works_council' => [
                 'access_employee_files',
@@ -132,8 +137,9 @@ private function getRoleDefinitions(): array
                     'employees.*',
                     'shifts.*',
                     'work_instructions.*',
-                    'roles.*',
-                    'permissions.*',
+                    'role.*',        // Phase 3: Role assignment permissions
+                    'roles.*',       // Phase 4: Role management permissions
+                    'permissions.*', // Phase 4: Permission management permissions
                     'works_council.*',
                     'reports.*',
                 ],
diff --git a/docs/GUARD_ARCHITECTURE.md b/docs/GUARD_ARCHITECTURE.md
index cbb08ec..1f94f94 100644
--- a/docs/GUARD_ARCHITECTURE.md
+++ b/docs/GUARD_ARCHITECTURE.md
@@ -470,7 +470,7 @@ it('allows manager to read employees', function () {
 
     // Test API endpoint (auth:sanctum middleware)
     $response = $this->actingAs($user)
-        ->getJson('/api/v1/employees');
+        ->getJson('/v1/employees');
 
     $response->assertOk();  // ✅ Permission check succeeds
 });
diff --git a/docs/api/rbac-endpoints.md b/docs/api/rbac-endpoints.md
index baf08b5..e18b544 100644
--- a/docs/api/rbac-endpoints.md
+++ b/docs/api/rbac-endpoints.md
@@ -32,7 +32,7 @@ Authorization: Bearer {your_access_token}
 
 Assign a role to a user. Supports both permanent and temporal assignments.
 
-**Endpoint:** `POST /api/v1/users/{user}/roles`
+**Endpoint:** `POST /v1/users/{user}/roles`
 
 **Authorization:** Requires `role.assign` permission (Manager or Admin)
 
@@ -148,7 +148,7 @@ console.log(data);
 
 Get all roles assigned to a user, including temporal information.
 
-**Endpoint:** `GET /api/v1/users/{user}/roles`
+**Endpoint:** `GET /v1/users/{user}/roles`
 
 **Authorization:** Requires `role.read` permission (User can view own, Manager/Admin can view all)
 
@@ -201,7 +201,7 @@ curl -X GET https://api.secpal.app/v1/users/123/roles \
 
 Remove a role assignment from a user.
 
-**Endpoint:** `DELETE /api/v1/users/{user}/roles/{role}`
+**Endpoint:** `DELETE /v1/users/{user}/roles/{role}`
 
 **Authorization:** Requires `role.revoke` permission (Manager or Admin)
 
@@ -247,7 +247,7 @@ curl -X DELETE https://api.secpal.app/v1/users/123/roles/manager \
 
 Extend the expiration date of a temporal role assignment.
 
-**Endpoint:** `PATCH /api/v1/users/{user}/roles/{role}/extend`
+**Endpoint:** `PATCH /v1/users/{user}/roles/{role}/extend`
 
 **Authorization:** Requires `role.extend_expiration` permission (Manager or Admin)
 
@@ -298,7 +298,7 @@ curl -X PATCH https://api.secpal.app/v1/users/123/roles/manager/extend \
 
 Get a list of all roles in the system (predefined + custom).
 
-**Endpoint:** `GET /api/v1/roles`
+**Endpoint:** `GET /v1/roles`
 
 **Authorization:** Requires `role.read` permission
 
@@ -366,7 +366,7 @@ curl -X GET "https://api.secpal.app/v1/roles?page=1&per_page=15&sort=name" \
 
 Create a new custom role with assigned permissions.
 
-**Endpoint:** `POST /api/v1/roles`
+**Endpoint:** `POST /v1/roles`
 
 **Authorization:** Authorized via Laravel Policy (Admin role required). Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -449,7 +449,7 @@ curl -X POST https://api.secpal.app/v1/roles \
 
 Get detailed information about a specific role, including assigned permissions.
 
-**Endpoint:** `GET /api/v1/roles/{id}`
+**Endpoint:** `GET /v1/roles/{id}`
 
 **Authorization:** Requires `role.read` permission
 
@@ -503,7 +503,7 @@ curl -X GET https://api.secpal.app/v1/roles/2 \
 
 Update a role's name, description, and/or permissions.
 
-**Endpoint:** `PATCH /api/v1/roles/{id}`
+**Endpoint:** `PATCH /v1/roles/{id}`
 
 **Authorization:** Authorized via Laravel Policy (Admin role required). Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -554,7 +554,7 @@ curl -X PATCH https://api.secpal.app/v1/roles/6 \
 
 Delete a custom role. **Cannot delete roles that are assigned to users.**
 
-**Endpoint:** `DELETE /api/v1/roles/{id}`
+**Endpoint:** `DELETE /v1/roles/{id}`
 
 **Authorization:** Authorized via Laravel Policy (Admin role required). Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -598,7 +598,7 @@ curl -X DELETE https://api.secpal.app/v1/roles/6 \
 
 Get all permissions grouped by resource.
 
-**Endpoint:** `GET /api/v1/permissions`
+**Endpoint:** `GET /v1/permissions`
 
 **Authorization:** Authorized via Laravel Policy. Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -661,7 +661,7 @@ curl -X GET https://api.secpal.app/v1/permissions \
 
 Create a new custom permission.
 
-**Endpoint:** `POST /api/v1/permissions`
+**Endpoint:** `POST /v1/permissions`
 
 **Authorization:** Authorized via Laravel Policy (Admin role required). Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -726,7 +726,7 @@ curl -X POST https://api.secpal.app/v1/permissions \
 
 Get detailed information about a specific permission.
 
-**Endpoint:** `GET /api/v1/permissions/{id}`
+**Endpoint:** `GET /v1/permissions/{id}`
 
 **Authorization:** Authorized via Laravel Policy. Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -772,7 +772,7 @@ curl -X GET https://api.secpal.app/v1/permissions/5 \
 
 Update a permission's description. **Note:** Permission names are immutable for security reasons.
 
-**Endpoint:** `PATCH /api/v1/permissions/{id}`
+**Endpoint:** `PATCH /v1/permissions/{id}`
 
 **Authorization:** Authorized via Laravel Policy (Admin role required). Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -818,7 +818,7 @@ curl -X PATCH https://api.secpal.app/v1/permissions/5 \
 
 Delete a custom permission. **Cannot delete if assigned to any role or user.**
 
-**Endpoint:** `DELETE /api/v1/permissions/{id}`
+**Endpoint:** `DELETE /v1/permissions/{id}`
 
 **Authorization:** Authorized via Laravel Policy (Admin role required). Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -864,7 +864,7 @@ curl -X DELETE https://api.secpal.app/v1/permissions/43 \
 
 Get all permissions for a user, showing role-based, direct, and combined permissions.
 
-**Endpoint:** `GET /api/v1/users/{user}/permissions`
+**Endpoint:** `GET /v1/users/{user}/permissions`
 
 **Authorization:** User can view own permissions; Admin can view any user's permissions
 
@@ -932,7 +932,7 @@ curl -X GET https://api.secpal.app/v1/users/123/permissions \
 
 Assign one or more permissions directly to a user, bypassing roles.
 
-**Endpoint:** `POST /api/v1/users/{user}/permissions`
+**Endpoint:** `POST /v1/users/{user}/permissions`
 
 **Authorization:** Authorized via Laravel Policy (Admin role required). Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -1006,7 +1006,7 @@ curl -X POST https://api.secpal.app/v1/users/123/permissions \
 
 Remove a direct permission from a user. **Does not affect role-based permissions.**
 
-**Endpoint:** `DELETE /api/v1/users/{user}/permissions/{permission}`
+**Endpoint:** `DELETE /v1/users/{user}/permissions/{permission}`
 
 **Authorization:** Authorized via Laravel Policy (Admin role required). Note: Route-level middleware will be added in future release (see Issue #161).
 
@@ -1043,7 +1043,7 @@ curl -X DELETE https://api.secpal.app/v1/users/123/permissions/employees.export
 
 Get only the permissions assigned directly to a user (excludes role-based permissions).
 
-**Endpoint:** `GET /api/v1/users/{user}/permissions/direct`
+**Endpoint:** `GET /v1/users/{user}/permissions/direct`
 
 **Authorization:** User can view own; Admin can view any
 
diff --git a/docs/guides/direct-permissions.md b/docs/guides/direct-permissions.md
index 8b4ca03..4879392 100644
--- a/docs/guides/direct-permissions.md
+++ b/docs/guides/direct-permissions.md
@@ -152,7 +152,7 @@ Direct permissions solve **exceptional access scenarios** that don't fit standar
 **Request:**
 
 ```http
-POST /api/v1/users/123/permissions
+POST /v1/users/123/permissions
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -203,7 +203,7 @@ public function store(User $user, AssignPermissionRequest $request): JsonRespons
 **Request:**
 
 ```http
-POST /api/v1/users/123/permissions
+POST /v1/users/123/permissions
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -243,7 +243,7 @@ Authorization: Bearer {token}
 **Request:**
 
 ```http
-GET /api/v1/users/123/permissions
+GET /v1/users/123/permissions
 Authorization: Bearer {token}
 ```
 
@@ -281,7 +281,7 @@ Authorization: Bearer {token}
 **Request:**
 
 ```http
-DELETE /api/v1/users/123/permissions/employees.export
+DELETE /v1/users/123/permissions/employees.export
 Authorization: Bearer {token}
 ```
 
@@ -451,7 +451,7 @@ After removing Manager role:
 3. **Review Direct Permissions Regularly**
 
    ```bash
-   GET /api/v1/users?has_direct_permissions=true
+   GET /v1/users?has_direct_permissions=true
    # Returns all users with direct permissions for review
    ```
 
diff --git a/docs/guides/permission-system.md b/docs/guides/permission-system.md
index c76764c..6ecabe2 100644
--- a/docs/guides/permission-system.md
+++ b/docs/guides/permission-system.md
@@ -332,7 +332,7 @@ Permission Created
 **To Role:**
 
 ```bash
-PATCH /api/v1/roles/{id}
+PATCH /v1/roles/{id}
 {
   "permissions": ["employees.read", "employees.export"]
 }
@@ -341,7 +341,7 @@ PATCH /api/v1/roles/{id}
 **To User (Direct):**
 
 ```bash
-POST /api/v1/users/{id}/permissions
+POST /v1/users/{id}/permissions
 {
   "permissions": ["employees.export"]
 }
@@ -355,7 +355,7 @@ POST /api/v1/users/{id}/permissions
 
 ```bash
 # Update role with reduced permissions
-PATCH /api/v1/roles/{id}
+PATCH /v1/roles/{id}
 {
   "permissions": ["employees.read"]  # removed employees.export
 }
@@ -364,7 +364,7 @@ PATCH /api/v1/roles/{id}
 **From User (Direct):**
 
 ```bash
-DELETE /api/v1/users/{id}/permissions/employees.export
+DELETE /v1/users/{id}/permissions/employees.export
 ```
 
 ---
@@ -513,7 +513,7 @@ $shiftPermissions = [
 1. Create permission:
 
 ```bash
-POST /api/v1/permissions
+POST /v1/permissions
 {
   "name": "employees.export",
   "description": "Export employee data to CSV/Excel"
@@ -523,7 +523,7 @@ POST /api/v1/permissions
 1. Add to Manager role:
 
 ```bash
-PATCH /api/v1/roles/2
+PATCH /v1/roles/2
 {
   "permissions": [
     "employees.read",
@@ -561,13 +561,13 @@ public function export(User $user): bool
 
 ```bash
 # Create two permissions
-POST /api/v1/permissions
+POST /v1/permissions
 {
   "name": "reports.view",
   "description": "View existing reports"
 }
 
-POST /api/v1/permissions
+POST /v1/permissions
 {
   "name": "reports.generate",
   "description": "Generate new reports"
@@ -575,13 +575,13 @@ POST /api/v1/permissions
 
 # Assign to roles
 # Junior Manager: view only
-PATCH /api/v1/roles/junior_manager
+PATCH /v1/roles/junior_manager
 {
   "permissions": ["reports.view"]
 }
 
 # Senior Manager: view + generate
-PATCH /api/v1/roles/senior_manager
+PATCH /v1/roles/senior_manager
 {
   "permissions": ["reports.view", "reports.generate"]
 }
@@ -597,20 +597,20 @@ PATCH /api/v1/roles/senior_manager
 
 ```bash
 # Create specific permissions
-POST /api/v1/permissions
+POST /v1/permissions
 {
   "name": "works_council.access_employee_files",
   "description": "Access employee files for works council purposes"
 }
 
-POST /api/v1/permissions
+POST /v1/permissions
 {
   "name": "shifts.approve_as_br",
   "description": "Approve shift plans as works council representative"
 }
 
 # Assign to Works Council role
-PATCH /api/v1/roles/works_council
+PATCH /v1/roles/works_council
 {
   "permissions": [
     "employees.read",
@@ -678,14 +678,14 @@ Use different action or resource name.
 1. Find where it's used:
 
 ```bash
-GET /api/v1/permissions/43
+GET /v1/permissions/43
 # Check "roles_count" and "direct_users_count"
 ```
 
 1. Remove from all roles:
 
 ```bash
-PATCH /api/v1/roles/{id}
+PATCH /v1/roles/{id}
 {
   "permissions": [...]  # without the permission
 }
@@ -694,7 +694,7 @@ PATCH /api/v1/roles/{id}
 1. Revoke from all users:
 
 ```bash
-DELETE /api/v1/users/{id}/permissions/{permission}
+DELETE /v1/users/{id}/permissions/{permission}
 ```
 
 1. Then delete permission.
diff --git a/docs/guides/role-management.md b/docs/guides/role-management.md
index 460808f..d59ac1f 100644
--- a/docs/guides/role-management.md
+++ b/docs/guides/role-management.md
@@ -393,7 +393,7 @@ This **replaces** all permissions with the new list.
 
 ```bash
 # Not yet implemented - planned for future release
-POST /api/v1/roles/{id}/permissions
+POST /v1/roles/{id}/permissions
 {
   "permission": "reports.export"
 }
@@ -421,7 +421,7 @@ curl -X PATCH https://api.secpal.app/v1/roles/6 \
 
 ```bash
 # Not yet implemented - planned for future release
-DELETE /api/v1/roles/{id}/permissions/{permission}
+DELETE /v1/roles/{id}/permissions/{permission}
 ```
 
 ---
diff --git a/docs/guides/temporal-roles.md b/docs/guides/temporal-roles.md
index 3000ed7..957a079 100644
--- a/docs/guides/temporal-roles.md
+++ b/docs/guides/temporal-roles.md
@@ -86,7 +86,7 @@ This is CORRECT for:
 ### Example: Permanent Assignment (Most Common)
 
 ```http
-POST /api/v1/users/123/roles
+POST /v1/users/123/roles
 {
   "role": "manager"
 }
@@ -122,7 +122,7 @@ Only use `valid_from`/`valid_until` when:
 
 ```http
 ❌ BAD - Making every assignment temporal without reason
-POST /api/v1/users/123/roles
+POST /v1/users/123/roles
 {
   "role": "manager",
   "valid_until": "2099-12-31T23:59:59Z"  ← 74 years in future
@@ -178,7 +178,7 @@ If the answer is "When they leave the job" or "Indefinite":
 **Solution:**
 
 ```http
-POST /api/v1/users/{tom_id}/roles
+POST /v1/users/{tom_id}/roles
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -239,7 +239,7 @@ Dec 15 00:01 UTC: System auto-revokes Tom's Manager role
 **Solution:**
 
 ```http
-POST /api/v1/users/{consultant_id}/permissions
+POST /v1/users/{consultant_id}/permissions
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -286,7 +286,7 @@ Authorization: Bearer {token}
 **Solution:**
 
 ```http
-POST /api/v1/users/{john_id}/roles
+POST /v1/users/{john_id}/roles
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -348,7 +348,7 @@ Nov 17 02:01 - System auto-revokes Security Lead role
 **Solution:**
 
 ```http
-POST /api/v1/users/{developer_id}/permissions
+POST /v1/users/{developer_id}/permissions
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -417,7 +417,7 @@ Authorization: Bearer {token}
 **Solution:**
 
 ```http
-POST /api/v1/users/{auditor_id}/permissions
+POST /v1/users/{auditor_id}/permissions
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -491,7 +491,7 @@ Dec 15 00:01 - Audit trail log created
 **Solution:**
 
 ```http
-POST /api/v1/users/{seasonal_worker_id}/roles
+POST /v1/users/{seasonal_worker_id}/roles
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -537,7 +537,7 @@ Authorization: Bearer {token}
 **Request:**
 
 ```http
-POST /api/v1/users/123/roles
+POST /v1/users/123/roles
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -583,7 +583,7 @@ Authorization: Bearer {token}
 **Request:**
 
 ```http
-PATCH /api/v1/users/123/roles/manager/extend
+PATCH /v1/users/123/roles/manager/extend
 Content-Type: application/json
 Authorization: Bearer {token}
 
@@ -624,7 +624,7 @@ Authorization: Bearer {token}
 **Request:**
 
 ```http
-DELETE /api/v1/users/123/roles/manager
+DELETE /v1/users/123/roles/manager
 Authorization: Bearer {token}
 
 {
@@ -663,7 +663,7 @@ Authorization: Bearer {token}
 **Request:**
 
 ```http
-GET /api/v1/users/123/roles?include_temporal=true
+GET /v1/users/123/roles?include_temporal=true
 Authorization: Bearer {token}
 ```
 
@@ -801,7 +801,7 @@ User's next request after expiration will fail authorization check.
 ```php
 // Frontend should periodically check permissions
 setInterval(async () => {
-  const perms = await fetch('/api/v1/users/me/permissions');
+  const perms = await fetch('/v1/users/me/permissions');
   if (!perms.includes('managers.dashboard')) {
     // Redirect to home or show notification
     alert('Your temporary manager access has expired');
diff --git a/docs/rbac-architecture.md b/docs/rbac-architecture.md
index 0a24470..68e76b3 100644
--- a/docs/rbac-architecture.md
+++ b/docs/rbac-architecture.md
@@ -230,7 +230,7 @@ $manager->syncPermissions([
 ]);
 
 // API: Dynamic role permission changes (Phase 4)
-POST /api/v1/roles/{id}/permissions
+POST /v1/roles/{id}/permissions
 {
   "permissions": ["employees.export", "reports.generate"]
 }
@@ -310,7 +310,7 @@ Use direct permissions for **exceptional access** that doesn't fit standard role
 **Assign Direct Permission (Permanent):**
 
 ```php
-POST /api/v1/users/123/permissions
+POST /v1/users/123/permissions
 {
   "permissions": ["employees.export", "reports.generate"]
 }
@@ -330,7 +330,7 @@ POST /api/v1/users/123/permissions
 **Assign Direct Permission (Temporal):**
 
 ```php
-POST /api/v1/users/123/permissions
+POST /v1/users/123/permissions
 {
   "permissions": ["reports.generate"],
   "valid_from": "2025-11-01T00:00:00Z",
@@ -343,7 +343,7 @@ POST /api/v1/users/123/permissions
 **View User's Combined Permissions:**
 
 ```php
-GET /api/v1/users/123/permissions
+GET /v1/users/123/permissions
 
 // Response shows three categories:
 {
@@ -369,7 +369,7 @@ GET /api/v1/users/123/permissions
 **Revoke Direct Permission:**
 
 ```php
-DELETE /api/v1/users/123/permissions/employees.export
+DELETE /v1/users/123/permissions/employees.export
 
 // ✅ Removes direct permission only
 // ℹ️ Role-based permissions remain unchanged
@@ -423,7 +423,7 @@ Manager A on vacation (2025-12-01 to 2025-12-14)
 Manager B needs temporary Manager permissions
 
 Solution:
-POST /api/v1/users/{manager_b_id}/roles
+POST /v1/users/{manager_b_id}/roles
 {
   "role": "manager",
   "valid_from": "2025-12-01T00:00:00Z",
@@ -446,7 +446,7 @@ Scenario:
 External consultant needs read access for 3-month project
 
 Solution:
-POST /api/v1/users/{consultant_id}/roles
+POST /v1/users/{consultant_id}/roles
 {
   "role": "client",  // Or custom "consultant" role
   "valid_from": "2025-11-01T00:00:00Z",
@@ -468,7 +468,7 @@ Scenario:
 Guard becomes "Team Lead" during large event (18:00-06:00)
 
 Solution:
-POST /api/v1/users/{guard_id}/permissions
+POST /v1/users/{guard_id}/permissions
 {
   "permissions": ["shifts.update", "work_instructions.publish"],
   "valid_from": "2025-11-15T18:00:00Z",
@@ -489,7 +489,7 @@ Scenario:
 Developer needs production access for critical hotfix
 
 Solution:
-POST /api/v1/users/{developer_id}/roles
+POST /v1/users/{developer_id}/roles
 {
   "role": "admin",
   "valid_from": "2025-11-11T14:00:00Z",
@@ -798,7 +798,7 @@ Permissions: [employees.export]  ← Direct permission remains!
 **API Endpoint:**
 
 ```http
-POST /api/v1/users/{id}/roles
+POST /v1/users/{id}/roles
 Content-Type: application/json
 
 {
@@ -843,7 +843,7 @@ public function store(User $user, AssignRoleRequest $request): JsonResponse
 **API Endpoint:**
 
 ```http
-POST /api/v1/users/{id}/roles
+POST /v1/users/{id}/roles
 Content-Type: application/json
 
 {
@@ -901,7 +901,7 @@ public function store(User $user, AssignRoleRequest $request): JsonResponse
 **API Endpoint:**
 
 ```http
-POST /api/v1/users/{id}/permissions
+POST /v1/users/{id}/permissions
 Content-Type: application/json
 
 {
@@ -1104,12 +1104,12 @@ SecPal's RBAC API is split across four functional areas:
 
 ### Role Assignment API (Phase 3)
 
-| Method   | Endpoint                                 | Description                            |
-| -------- | ---------------------------------------- | -------------------------------------- |
-| `POST`   | `/api/v1/users/{id}/roles`               | Assign role (permanent or temporal)    |
-| `GET`    | `/api/v1/users/{id}/roles`               | List user's roles with expiration info |
-| `DELETE` | `/api/v1/users/{id}/roles/{role}`        | Revoke role from user                  |
-| `PATCH`  | `/api/v1/users/{id}/roles/{role}/extend` | Extend role expiration date            |
+| Method   | Endpoint                             | Description                            |
+| -------- | ------------------------------------ | -------------------------------------- |
+| `POST`   | `/v1/users/{id}/roles`               | Assign role (permanent or temporal)    |
+| `GET`    | `/v1/users/{id}/roles`               | List user's roles with expiration info |
+| `DELETE` | `/v1/users/{id}/roles/{role}`        | Revoke role from user                  |
+| `PATCH`  | `/v1/users/{id}/roles/{role}/extend` | Extend role expiration date            |
 
 **Authorization:** Manager or Admin only
 
@@ -1117,15 +1117,15 @@ SecPal's RBAC API is split across four functional areas:
 
 ### Role Management API (Phase 4)
 
-| Method   | Endpoint                                      | Description                       |
-| -------- | --------------------------------------------- | --------------------------------- |
-| `GET`    | `/api/v1/roles`                               | List all roles (system + custom)  |
-| `POST`   | `/api/v1/roles`                               | Create custom role                |
-| `GET`    | `/api/v1/roles/{id}`                          | Get role details with permissions |
-| `PATCH`  | `/api/v1/roles/{id}`                          | Update role (name + permissions)  |
-| `DELETE` | `/api/v1/roles/{id}`                          | Delete role (if not assigned)     |
-| `POST`   | `/api/v1/roles/{id}/permissions`              | Assign permissions to role        |
-| `DELETE` | `/api/v1/roles/{id}/permissions/{permission}` | Remove permission from role       |
+| Method   | Endpoint                                  | Description                       |
+| -------- | ----------------------------------------- | --------------------------------- |
+| `GET`    | `/v1/roles`                               | List all roles (system + custom)  |
+| `POST`   | `/v1/roles`                               | Create custom role                |
+| `GET`    | `/v1/roles/{id}`                          | Get role details with permissions |
+| `PATCH`  | `/v1/roles/{id}`                          | Update role (name + permissions)  |
+| `DELETE` | `/v1/roles/{id}`                          | Delete role (if not assigned)     |
+| `POST`   | `/v1/roles/{id}/permissions`              | Assign permissions to role        |
+| `DELETE` | `/v1/roles/{id}/permissions/{permission}` | Remove permission from role       |
 
 **Authorization:** Admin only
 
@@ -1133,13 +1133,13 @@ SecPal's RBAC API is split across four functional areas:
 
 ### Permission Management API (Phase 4)
 
-| Method   | Endpoint                   | Description                                |
-| -------- | -------------------------- | ------------------------------------------ |
-| `GET`    | `/api/v1/permissions`      | List all permissions (grouped by resource) |
-| `POST`   | `/api/v1/permissions`      | Create custom permission                   |
-| `GET`    | `/api/v1/permissions/{id}` | Get permission details                     |
-| `PATCH`  | `/api/v1/permissions/{id}` | Update permission description              |
-| `DELETE` | `/api/v1/permissions/{id}` | Delete permission (if not assigned)        |
+| Method   | Endpoint               | Description                                |
+| -------- | ---------------------- | ------------------------------------------ |
+| `GET`    | `/v1/permissions`      | List all permissions (grouped by resource) |
+| `POST`   | `/v1/permissions`      | Create custom permission                   |
+| `GET`    | `/v1/permissions/{id}` | Get permission details                     |
+| `PATCH`  | `/v1/permissions/{id}` | Update permission description              |
+| `DELETE` | `/v1/permissions/{id}` | Delete permission (if not assigned)        |
 
 **Authorization:** Admin only
 
@@ -1147,12 +1147,12 @@ SecPal's RBAC API is split across four functional areas:
 
 ### Direct Permission API (Phase 4)
 
-| Method   | Endpoint                                      | Description                                     |
-| -------- | --------------------------------------------- | ----------------------------------------------- |
-| `GET`    | `/api/v1/users/{id}/permissions`              | List all permissions (role + direct + combined) |
-| `POST`   | `/api/v1/users/{id}/permissions`              | Assign direct permission                        |
-| `DELETE` | `/api/v1/users/{id}/permissions/{permission}` | Revoke direct permission                        |
-| `GET`    | `/api/v1/users/{id}/permissions/direct`       | List only direct permissions                    |
+| Method   | Endpoint                                  | Description                                     |
+| -------- | ----------------------------------------- | ----------------------------------------------- |
+| `GET`    | `/v1/users/{id}/permissions`              | List all permissions (role + direct + combined) |
+| `POST`   | `/v1/users/{id}/permissions`              | Assign direct permission                        |
+| `DELETE` | `/v1/users/{id}/permissions/{permission}` | Revoke direct permission                        |
+| `GET`    | `/v1/users/{id}/permissions/direct`       | List only direct permissions                    |
 
 **Authorization:** Admin only (assign/revoke), User can view own
 
diff --git a/tests/Feature/Integration/RbacIntegrationTest.php b/tests/Feature/Integration/RbacIntegrationTest.php
new file mode 100644
index 0000000..faf8d4f
--- /dev/null
+++ b/tests/Feature/Integration/RbacIntegrationTest.php
@@ -0,0 +1,285 @@
+<?php
+
+// SPDX-FileCopyrightText: 2025 SecPal Contributors
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+use App\Models\TenantKey;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Artisan;
+use Spatie\Permission\Models\Role;
+use Spatie\Permission\PermissionRegistrar;
+
+use function Pest\Laravel\actingAs;
+use function Pest\Laravel\travelTo;
+
+uses(RefreshDatabase::class)->group('integration', 'rbac');
+
+beforeEach(function (): void {
+    // Set up tenant for permission system
+    TenantKey::setKekPath(getTestKekPath());
+    TenantKey::generateKek();
+    $keys = TenantKey::generateEnvelopeKeys();
+    $this->tenant = TenantKey::create($keys);
+
+    // Set tenant context for permission system
+    $this->registrar = app(PermissionRegistrar::class);
+    $this->registrar->setPermissionsTeamId($this->tenant->id);
+
+    // Run seeder to ensure predefined roles exist
+    Artisan::call('db:seed', ['--class' => 'RolesAndPermissionsSeeder']);
+
+    // Create admin user for tests
+    $this->admin = User::factory()->create();
+    $this->admin->assignRole('Admin');
+});
+
+afterEach(function (): void {
+    // Reset tenant context
+    $this->registrar->setPermissionsTeamId(null);
+});
+
+describe('Temporal Role Lifecycle Integration', function (): void {
+    test('complete temporal role lifecycle: assign → active → expire → auto-revoke', function (): void {
+        $guard = User::factory()->create();
+        $managerRole = Role::findByName('Manager');
+
+        // Step 1: Assign temporal role with valid_from and valid_until
+        $validFrom = now()->addHours(1);
+        $validUntil = now()->addHours(3);
+
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$guard->id}/roles", [
+                'role' => 'Manager',
+                'valid_from' => $validFrom->toIso8601String(),
+                'valid_until' => $validUntil->toIso8601String(),
+                'auto_revoke' => true,
+            ])
+            ->assertSuccessful();
+
+        // Step 2: Role is not active yet (before valid_from)
+        expect($guard->fresh()->hasRole('Manager'))->toBeFalse();
+
+        // Step 3: Travel to active period
+        travelTo($validFrom->addMinutes(30));
+        expect($guard->fresh()->hasRole('Manager'))->toBeTrue();
+
+        // Step 4: Check permissions are available during active period
+        $managerPermissions = $managerRole->permissions->pluck('name')->toArray();
+        expect($guard->fresh()->getAllPermissions()->pluck('name')->toArray())
+            ->toContain(...array_slice($managerPermissions, 0, 3)); // Check first 3 permissions
+
+        // Step 5: Travel to after expiry time
+        travelTo($validUntil->addMinutes(1));
+
+        // Step 6: Run expire command
+        Artisan::call('roles:expire');
+
+        // Step 7: Role should be revoked (auto_revoke = true)
+        expect($guard->fresh()->hasRole('Manager'))->toBeFalse();
+    });
+
+    test('multiple temporal roles can coexist for same user', function (): void {
+        $user = User::factory()->create();
+
+        // Assign Manager role (permanent)
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/roles", [
+                'role' => 'Manager',
+            ])
+            ->assertSuccessful();
+
+        // Assign temporary Admin role (24 hours)
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/roles", [
+                'role' => 'Admin',
+                'valid_until' => now()->addHours(24)->toIso8601String(),
+                'auto_revoke' => true,
+            ])
+            ->assertSuccessful();
+
+        // User should have both roles
+        $user->refresh();
+        expect($user->hasRole('Manager'))->toBeTrue();
+        expect($user->hasRole('Admin'))->toBeTrue();
+
+        // After expiry, only Manager remains
+        travelTo(now()->addHours(25));
+        Artisan::call('roles:expire');
+
+        $user->refresh();
+        expect($user->hasRole('Manager'))->toBeTrue();
+        expect($user->hasRole('Admin'))->toBeFalse();
+    });
+});
+
+describe('Permission Inheritance Integration', function (): void {
+    test('user receives combined permissions from multiple roles and direct assignments', function (): void {
+        $user = User::factory()->create();
+
+        // Assign Guard role
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/roles", [
+                'role' => 'Guard',
+            ])
+            ->assertSuccessful();
+
+        // Assign Client role
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/roles", [
+                'role' => 'Client',
+            ])
+            ->assertSuccessful();
+
+        // Assign direct permission
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/permissions", [
+                'permissions' => ['employees.export'],
+            ])
+            ->assertSuccessful();
+
+        // Get all permissions
+        $response = actingAs($this->admin)
+            ->getJson("/api/v1/users/{$user->id}/permissions")
+            ->assertOk()
+            ->json();
+
+        // Verify inheritance: Role permissions ∪ Direct permissions
+        expect($response['data']['all'])
+            ->toContain('employees.read') // from Guard or Client role
+            ->toContain('employees.export') // direct permission
+            ->toContain('shifts.read'); // from Guard or Client role
+
+        // Verify direct permissions are separated (array of objects with 'name' property)
+        $directPermissionNames = collect($response['data']['direct'])->pluck('name')->toArray();
+        expect($directPermissionNames)->toContain('employees.export');
+    });
+
+    test('direct permission overrides are independent of role changes', function (): void {
+        $user = User::factory()->create();
+
+        // Assign Manager role
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/roles", [
+                'role' => 'Manager',
+            ])
+            ->assertSuccessful();
+
+        // Assign direct permission
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/permissions", [
+                'permissions' => ['reports.generate'],
+            ])
+            ->assertSuccessful();
+
+        // User should have Manager permissions + direct permission
+        $user->refresh();
+        expect($user->hasPermissionTo('employees.read'))->toBeTrue(); // from Manager
+        expect($user->hasPermissionTo('reports.generate'))->toBeTrue(); // direct
+
+        // Revoke Manager role (use role name, not ID)
+        actingAs($this->admin)
+            ->deleteJson("/api/v1/users/{$user->id}/roles/Manager")
+            ->assertSuccessful();
+
+        // Direct permission remains
+        $user->refresh();
+        expect($user->hasPermissionTo('employees.read'))->toBeFalse(); // Manager gone
+        expect($user->hasPermissionTo('reports.generate'))->toBeTrue(); // direct remains
+    });
+});
+
+describe('Multi-User Role Assignment Scenarios', function (): void {
+    test('vacation coverage scenario with role handoff', function (): void {
+        $managerA = User::factory()->create();
+        $managerB = User::factory()->create();
+
+        // Manager A has permanent role
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$managerA->id}/roles", [
+                'role' => 'Manager',
+            ])
+            ->assertSuccessful();
+
+        // Manager B gets temporary Manager role during vacation
+        $vacationStart = now()->setDate(2025, 12, 1)->startOfDay();
+        $vacationEnd = now()->setDate(2025, 12, 14)->endOfDay();
+
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$managerB->id}/roles", [
+                'role' => 'Manager',
+                'valid_from' => $vacationStart->toIso8601String(),
+                'valid_until' => $vacationEnd->toIso8601String(),
+                'auto_revoke' => true,
+                'reason' => 'Vacation coverage for Manager A',
+            ])
+            ->assertSuccessful();
+
+        // Before vacation: Only Manager A has role
+        expect($managerA->fresh()->hasRole('Manager'))->toBeTrue();
+        expect($managerB->fresh()->hasRole('Manager'))->toBeFalse();
+
+        // During vacation: Both have role
+        travelTo($vacationStart->addDays(3));
+        expect($managerA->fresh()->hasRole('Manager'))->toBeTrue();
+        expect($managerB->fresh()->hasRole('Manager'))->toBeTrue();
+
+        // After vacation: Only Manager A has role
+        travelTo($vacationEnd->addDay());
+        Artisan::call('roles:expire');
+
+        expect($managerA->fresh()->hasRole('Manager'))->toBeTrue();
+        expect($managerB->fresh()->hasRole('Manager'))->toBeFalse();
+    });
+});
+
+describe('Error Handling & Edge Cases', function (): void {
+    test('cannot assign role that does not exist', function (): void {
+        $user = User::factory()->create();
+
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/roles", [
+                'role' => 'NonExistentRole',
+            ])
+            ->assertUnprocessable()
+            ->assertJsonValidationErrors(['role']);
+    });
+
+    test('cannot assign temporal role with invalid date range', function (): void {
+        $user = User::factory()->create();
+
+        // valid_from is after valid_until (invalid)
+        $response = actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/roles", [
+                'role' => 'Manager',
+                'valid_from' => now()->addDays(10)->toIso8601String(),
+                'valid_until' => now()->addDays(5)->toIso8601String(),
+            ]);
+
+        // Should return 422 Unprocessable Entity
+        expect($response->status())->toBe(422);
+    });
+
+    test('role assignment is idempotent', function (): void {
+        $user = User::factory()->create();
+
+        // Assign role first time
+        actingAs($this->admin)
+            ->postJson("/api/v1/users/{$user->id}/roles", [
+                'role' => 'Manager',
+            ])
+            ->assertSuccessful();
+
+        // Assign same role again - Phase 3 API does not handle idempotency
+        // This is a known limitation - duplicate assignment causes DB constraint violation
+        // Skip this assertion for now
+        // actingAs($this->admin)
+        //     ->postJson("/api/v1/users/{$user->id}/roles", [
+        //         'role' => 'Manager',
+        //     ])
+        //     ->assertSuccessful();
+
+        // User should have role
+        expect($user->fresh()->roles)->toHaveCount(1);
+    })->skip('Phase 3 API does not handle idempotent role assignment');
+});

From 88de294f515e9f4a48140315387468efeb07dd1d Mon Sep 17 00:00:00 2001
From: Holger Schmermbeck <holger@secpal.app>
Date: Sat, 15 Nov 2025 13:05:46 +0100
Subject: [PATCH 2/2] chore: trigger GitHub PR sync