fix: restore historical order visibility for HartOMat admins

backend/app/api/routers/notifications.py

@@ -9,6 +9,7 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, func, update, or_, and_
 
 from app.database import get_db
+from app.domains.auth.models import PM_ROLES
 from app.models.audit_log import AuditLog
 from app.models.user import User
 from app.utils.auth import get_current_user
@@ -45,7 +46,7 @@ class MarkReadRequest(BaseModel):
 def _visibility_filter(user: User):
     """Rows visible to this user: targeted at them, or broadcast (null) if admin/PM."""
     targeted = AuditLog.target_user_id == user.id
-    if user.role.value in ("admin", "project_manager"):
+    if user.role.value in PM_ROLES:
         broadcast = AuditLog.target_user_id.is_(None)
         return and_(AuditLog.notification == True, or_(targeted, broadcast))  # noqa: E712
     return and_(AuditLog.notification == True, targeted)  # noqa: E712

backend/app/api/routers/order_items.py

@@ -14,6 +14,7 @@ from app.models.cad_file import CadFile
 from app.models.order import Order, OrderStatus
 from app.models.order_item import OrderItem, ItemStatus
 from app.models.user import User
+from app.domains.auth.models import PM_ROLES
 from app.schemas.order import OrderItemOut
 from app.utils.auth import get_current_user
 
@@ -25,7 +26,7 @@ router = APIRouter(prefix="/orders", tags=["order_items"])
 # ---------------------------------------------------------------------------
 
 def _is_privileged(user: User) -> bool:
-    return user.role.value in ("admin", "project_manager")
+    return user.role.value in PM_ROLES
 
 
 async def _get_order_and_item(

backend/app/api/routers/orders.py

@@ -24,6 +24,7 @@ from app.models.product import Product
 from app.models.output_type import OutputType
 from app.models.cad_file import CadFile
 from app.models.user import User
+from app.domains.auth.models import PM_ROLES
 from app.schemas.order import OrderCreate, OrderOut, OrderDetailOut, OrderItemOut, RejectOrderRequest
 from app.schemas.order_line import OrderLineCreate, OrderLineOut
 from app.schemas.product import ProductOut
@@ -35,7 +36,7 @@ router = APIRouter(prefix="/orders", tags=["orders"])
 
 
 def _is_privileged(user: User) -> bool:
-    return user.role.value in ("admin", "project_manager")
+    return user.role.value in PM_ROLES
 
 
 def _result_path_to_url(result_path: str) -> str | None:

backend/app/api/routers/uploads.py

@@ -10,6 +10,7 @@ from pydantic import BaseModel
 
 from app.config import settings
 from app.database import get_db
+from app.domains.auth.models import PM_ROLES
 from app.models.cad_file import CadFile, ProcessingStatus
 from app.models.order import Order
 from app.models.order_item import OrderItem
@@ -491,7 +492,7 @@ async def add_material_alias_from_validation(
     from app.domains.materials.models import Material, MaterialAlias
 
     # Gate to admin/PM
-    if user.role.value not in ("admin", "project_manager"):
+    if user.role.value not in PM_ROLES:
         raise HTTPException(status_code=403, detail="Admin or project_manager required")
 
     # Verify the validation exists

backend/app/domains/admin/dashboard_service.py

@@ -10,6 +10,7 @@ from datetime import datetime
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from app.domains.auth.models import PM_ROLES
 from app.domains.admin.models import DashboardConfig
 
 logger = logging.getLogger(__name__)
@@ -59,7 +60,7 @@ def get_default_widgets_for_role(role: str) -> list[dict]:
     admin / project_manager: KPI + analytics defaults.
     client: RecentRenders + ProductionStats only.
     """
-    if role in ("admin", "project_manager"):
+    if role in PM_ROLES:
         return [w.copy() for w in _DEFAULT_ADMIN_WIDGETS]
     return [w.copy() for w in _DEFAULT_CLIENT_WIDGETS]