feat(auth): introduce explicit planning read permission

packages/db/prisma/migrations/20260330_system_role_config_view_planning.sql

@@ -0,0 +1,63 @@
+INSERT INTO "system_role_configs" (
+  "role",
+  "label",
+  "description",
+  "defaultPermissions",
+  "color",
+  "sortOrder"
+)
+VALUES
+  (
+    'ADMIN',
+    'Admin',
+    'Full platform administration and security management.',
+    '["viewPlanning","viewCosts","useAssistantAdvancedTools","exportData","importData","approveVacations","manageBlueprints","viewAllResources","manageResources","manageProjects","manageAllocations","manageRoles","manageUsers","viewScores"]'::jsonb,
+    'purple',
+    1
+  ),
+  (
+    'MANAGER',
+    'Manager',
+    'Operational delivery management across resources, projects, and staffing.',
+    '["viewPlanning","viewCosts","exportData","importData","approveVacations","viewAllResources","manageResources","manageProjects","manageAllocations","manageRoles","viewScores"]'::jsonb,
+    'blue',
+    2
+  ),
+  (
+    'CONTROLLER',
+    'Controller',
+    'Read-heavy planning, resource, and financial oversight.',
+    '["viewPlanning","viewCosts","exportData","viewAllResources"]'::jsonb,
+    'amber',
+    3
+  ),
+  (
+    'USER',
+    'User',
+    'Standard authenticated access with self-service capabilities only.',
+    '[]'::jsonb,
+    'gray',
+    4
+  ),
+  (
+    'VIEWER',
+    'Viewer',
+    'Restricted read-only access for limited observation scenarios.',
+    '[]'::jsonb,
+    'gray',
+    5
+  )
+ON CONFLICT ("role") DO NOTHING;
+
+UPDATE "system_role_configs"
+SET
+  "defaultPermissions" = CASE
+    WHEN jsonb_typeof("defaultPermissions") = 'array'
+      AND NOT ("defaultPermissions" @> '["viewPlanning"]'::jsonb)
+      THEN "defaultPermissions" || '["viewPlanning"]'::jsonb
+    WHEN "defaultPermissions" IS NULL
+      THEN '["viewPlanning"]'::jsonb
+    ELSE "defaultPermissions"
+  END,
+  "updatedAt" = CURRENT_TIMESTAMP
+WHERE "role" IN ('ADMIN', 'MANAGER', 'CONTROLLER');