feat(auth): introduce explicit planning read permission

packages/db/src/system-role-config-defaults.ts

@@ -0,0 +1,46 @@
+import { ROLE_DEFAULT_PERMISSIONS, SystemRole } from "@capakraken/shared";
+
+export const SYSTEM_ROLE_CONFIG_DEFAULTS = [
+  {
+    role: SystemRole.ADMIN,
+    label: "Admin",
+    description: "Full platform administration and security management.",
+    color: "purple",
+    sortOrder: 1,
+  },
+  {
+    role: SystemRole.MANAGER,
+    label: "Manager",
+    description: "Operational delivery management across resources, projects, and staffing.",
+    color: "blue",
+    sortOrder: 2,
+  },
+  {
+    role: SystemRole.CONTROLLER,
+    label: "Controller",
+    description: "Read-heavy planning, resource, and financial oversight.",
+    color: "amber",
+    sortOrder: 3,
+  },
+  {
+    role: SystemRole.USER,
+    label: "User",
+    description: "Standard authenticated access with self-service capabilities only.",
+    color: "gray",
+    sortOrder: 4,
+  },
+  {
+    role: SystemRole.VIEWER,
+    label: "Viewer",
+    description: "Restricted read-only access for limited observation scenarios.",
+    color: "gray",
+    sortOrder: 5,
+  },
+] as const;
+
+export function buildSystemRoleConfigSeedData() {
+  return SYSTEM_ROLE_CONFIG_DEFAULTS.map((config) => ({
+    ...config,
+    defaultPermissions: ROLE_DEFAULT_PERMISSIONS[config.role],
+  }));
+}