feat: role-based permissions — owner/partner/associate/paralegal/secretary (P0)

backend/internal/auth/tenant_resolver_test.go

@@ -10,23 +10,49 @@ import (
 )
 
 type mockTenantLookup struct {
+<<<<<<< HEAD
 	tenantID  *uuid.UUID
 	err       error
 	hasAccess bool
 	accessErr error
+||||||| 82878df
+	tenantID *uuid.UUID
+	err      error
+=======
+	tenantID *uuid.UUID
+	role     string
+	err      error
+>>>>>>> mai/pike/p0-role-based
 }
 
 func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
 	return m.tenantID, m.err
 }
 
+<<<<<<< HEAD
 func (m *mockTenantLookup) VerifyAccess(ctx context.Context, userID, tenantID uuid.UUID) (bool, error) {
 	return m.hasAccess, m.accessErr
 }
 
+||||||| 82878df
+=======
+func (m *mockTenantLookup) GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error) {
+	if m.role != "" {
+		return m.role, m.err
+	}
+	return "associate", m.err
+}
+
+>>>>>>> mai/pike/p0-role-based
 func TestTenantResolver_FromHeader(t *testing.T) {
 	tenantID := uuid.New()
+<<<<<<< HEAD
 	tr := NewTenantResolver(&mockTenantLookup{hasAccess: true})
+||||||| 82878df
+	tr := NewTenantResolver(&mockTenantLookup{})
+=======
+	tr := NewTenantResolver(&mockTenantLookup{role: "partner"})
+>>>>>>> mai/pike/p0-role-based
 
 	var gotTenantID uuid.UUID
 	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {