Permissions in Routing and UI

Three-layer model

  1. Route-level guard (PermissionGuard)
  2. Action-level UI gating (hide/disable based on permission)
  3. Backend enforcement (source of truth)

Current behavior

  • The super admin bypass is preserved: a super admin passes every check.
  • For users whose permission list comes from the API, checks compare permission IDs against that list.
  • Role fallback is used only when no permission list is present for the user.

UX expectations

  • Missing access to a page -> unauthorized route flow
  • Missing access to an action -> hide or disable the action controls
  • A backend denial must still be handled gracefully in the UI, because the backend is the source of truth and the client-side checks are only a convenience
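The three-layer model, the current-behavior rules and the UX expectations above, worked through as an added JavaScript example. This is not the project's own PermissionGuard code; it assumes a hypothetical user object of the shape `{ isSuperAdmin, permissions?, roles? }` (where `permissions` is the permission ID list returned by the API), a constructed `ROLE_PERMISSIONS` map used only for the role fallback, and `/unauthorized` as the unauthorized route path.

```javascript
// Added example, not the project's own code. A minimal implementation of the
// three-layer model: one shared hasPermission() check, a route-level guard,
// action-level UI gating, and graceful handling of a backend denial.
// Assumptions (hypothetical): user objects look like
//   { isSuperAdmin: boolean, permissions?: string[], roles?: string[] }
// where `permissions` is the permission ID list returned by the API, and
// ROLE_PERMISSIONS is a constructed role-to-permission map used only as a fallback.

const ROLE_PERMISSIONS = {
  admin: ['users.read', 'users.write', 'reports.read'],
  viewer: ['reports.read'],
};

// Core check shared by the route guard and the action gating.
function hasPermission(user, permissionId) {
  if (!user) return false;
  // Super admin bypass is preserved.
  if (user.isSuperAdmin === true) return true;
  // Preferred path: explicit permission IDs from the API. An empty list still
  // counts as "present", so it does NOT fall back to roles.
  if (Array.isArray(user.permissions)) {
    return user.permissions.includes(permissionId);
  }
  // Role fallback, used only when no permission list was supplied.
  const roles = Array.isArray(user.roles) ? user.roles : [];
  return roles.some((role) => (ROLE_PERMISSIONS[role] || []).includes(permissionId));
}

// Layer 1: route-level guard. Returns the decision a PermissionGuard-style
// component would act on: render the route, or send the user into the
// unauthorized route flow.
function guardRoute(user, route) {
  if (!route.requiredPermission || hasPermission(user, route.requiredPermission)) {
    return { allow: true };
  }
  return { allow: false, redirectTo: '/unauthorized' }; // assumed route path
}

// Layer 2: action-level gating. `mode` selects hide vs disable semantics.
function actionState(user, permissionId, mode = 'hide') {
  const allowed = hasPermission(user, permissionId);
  if (mode === 'disable') return { visible: true, disabled: !allowed };
  return { visible: allowed, disabled: false };
}

// Layer 3: the backend is the source of truth. Even when the UI check passed,
// a 403 can come back (revoked permission, stale client state) and must be
// turned into a graceful UI state rather than an unhandled error.
function classifyBackendResponse(response) {
  if (response.status === 403) return { ok: false, reason: 'backend-denied' };
  if (response.status === 401) return { ok: false, reason: 'unauthenticated' };
  if (!response.ok) return { ok: false, reason: 'error', status: response.status };
  return { ok: true };
}

// Runs an action through all three layers. `request` is a function returning
// a Promise of a fetch-like response ({ status, ok }).
async function performAction(user, permissionId, request) {
  if (!hasPermission(user, permissionId)) {
    return { ok: false, reason: 'ui-denied' };
  }
  return classifyBackendResponse(await request());
}

// Constructed sample users.
const superAdmin = { isSuperAdmin: true };
// Has a permission list from the API, so the 'admin' role must be ignored.
const apiUser = { isSuperAdmin: false, permissions: ['reports.read'], roles: ['admin'] };
// No permission list, so the role fallback applies.
const legacyUser = { isSuperAdmin: false, roles: ['viewer'] };

// Stand-alone demonstration of the three layers.
function runDemo() {
  console.log(guardRoute(legacyUser, { path: '/users', requiredPermission: 'users.read' }));
  console.log(actionState(apiUser, 'users.write', 'disable'));
  // Constructed backend reply: the UI check passes but the server says 403.
  return performAction(apiUser, 'reports.read', async () => ({ status: 403, ok: false }))
    .then((result) => { console.log(result); return result; });
}

runDemo();
```

Two points worth noting in the code: an empty `permissions` array from the API is treated as a present (empty) list, so the role fallback is not consulted, matching the "only when permissions are not present" rule; and `performAction` classifies a 403 even after `hasPermission` returned true, which is the path that keeps the UI honest when the client-side view of permissions is stale.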