fix: improve keto sync reliability and initial rebac permissions for super admin

backend/internal/handler/dev_handler.go

@@ -363,8 +363,8 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
 			return false, nil
 		}
 
-		// Check with Keto: System:AppManager#member
-		allowed, err := h.Keto.CheckPermission(c.Context(), subject, "System", "AppManager", "member")
+		// Check with Keto: System:global#manage_all
+		allowed, err := h.Keto.CheckPermission(c.Context(), subject, "System", "global", "manage_all")
 		if err != nil {
 			// Fail closed for dev private endpoints: deny on permission backend error.
 			slog.Warn("Dev private permission check failed; denying access", "subject", subject, "error", err)
@@ -442,8 +442,8 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
 		}
 	}
 
-	// Check with Keto: System:AppManager#member
-	allowed, err := h.Keto.CheckPermission(c.Context(), tokenSubject, "System", "AppManager", "member")
+	// Check with Keto: System:global#manage_all
+	allowed, err := h.Keto.CheckPermission(c.Context(), tokenSubject, "System", "global", "manage_all")
 	if err != nil {
 		// Fail closed for dev private endpoints: deny on permission backend error.
 		slog.Warn("Dev private permission check failed; denying access", "subject", tokenSubject, "error", err)

backend/internal/handler/dev_handler_isolation_test.go

@@ -89,7 +89,7 @@ func TestDevHandler_Isolation(t *testing.T) {
 		})
 		app.Get("/api/v1/dev/clients", h.ListClients)
 
-		mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "AppManager", "member").Return(true, nil)
+		mockKeto.On("CheckPermission", mock.Anything, "user-a", "System", "global", "manage_all").Return(true, nil)
 
 		req := httptest.NewRequest(http.MethodGet, "/api/v1/dev/clients", nil)
 		resp, _ := app.Test(req, -1)

backend/internal/handler/dev_handler_test.go

@@ -121,7 +121,7 @@ func TestListClients_Success(t *testing.T) {
 	})
 
 	mockKeto := new(devMockKetoService)
-	mockKeto.On("CheckPermission", mock.Anything, mock.Anything, "System", "AppManager", "member").Return(true, nil)
+	mockKeto.On("CheckPermission", mock.Anything, mock.Anything, "System", "global", "manage_all").Return(true, nil)
 
 	h := &DevHandler{
 		Hydra: &service.HydraAdminService{
@@ -235,7 +235,7 @@ func TestListClients_ProtectedSystemClientHidden(t *testing.T) {
 	})
 
 	mockKeto := new(devMockKetoService)
-	mockKeto.On("CheckPermission", mock.Anything, mock.Anything, "System", "AppManager", "member").Return(true, nil)
+	mockKeto.On("CheckPermission", mock.Anything, mock.Anything, "System", "global", "manage_all").Return(true, nil)
 
 	h := &DevHandler{
 		Hydra: &service.HydraAdminService{
@@ -276,7 +276,7 @@ func TestListClients_ReservedSystemNameAliasHidden(t *testing.T) {
 	})
 
 	mockKeto := new(devMockKetoService)
-	mockKeto.On("CheckPermission", mock.Anything, mock.Anything, "System", "AppManager", "member").Return(true, nil)
+	mockKeto.On("CheckPermission", mock.Anything, mock.Anything, "System", "global", "manage_all").Return(true, nil)
 
 	h := &DevHandler{
 		Hydra: &service.HydraAdminService{
@@ -602,7 +602,7 @@ func TestGetStats_Success(t *testing.T) {
 	assert.Equal(t, int64(2), res.TotalClients)
 	assert.Equal(t, int64(7), res.AuthFailures)
 	assert.Equal(t, int64(3), res.ActiveSessions)
-	mockKeto.AssertNotCalled(t, "CheckPermission", mock.Anything, mock.Anything, "System", "AppManager", "member")
+	mockKeto.AssertNotCalled(t, "CheckPermission", mock.Anything, mock.Anything, "System", "global", "manage_all")
 }
 
 func TestDevHandler_NoAuditNoAction(t *testing.T) {