feat: simplify RBAC roles and remove dev role switcher

- Simplified RBAC system to two roles: super_admin and user.
- Removed tenant_admin and rp_admin roles across backend and frontend.
- Removed Dev Role Switcher feature from adminfront.
- Updated all handlers, middlewares, and navigation to reflect the new role model.
- Fixed backend build errors and updated tests.

backend/internal/middleware/rbac.go

@@ -160,38 +160,7 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
 			return c.Next()
 		}
 
-		// Tenant Admin check
-		if userRole == domain.RoleTenantAdmin {
-			targetTenantID := c.Params("tenantId")
-			if targetTenantID == "" {
-				targetTenantID = c.Params("id") // common for /tenants/:id
-			}
-
-			if targetTenantID == "" {
-				return c.Next() // No target specified, let Keto or next handler decide
-			}
-
-			// Check primary tenant match
-			if profile.TenantID != nil && *profile.TenantID == targetTenantID {
-				return c.Next()
-			}
-
-			// Check inherited manageable tenants
-			isAllowed := false
-			for _, t := range profile.ManageableTenants {
-				if t.ID == targetTenantID {
-					isAllowed = true
-					break
-				}
-			}
-
-			if !isAllowed {
-				slog.Warn("Tenant match failed", "userID", profile.ID, "targetTenantID", targetTenantID)
-				return errorJSON(c, fiber.StatusForbidden, "forbidden: you do not have access to this tenant")
-			}
-			return c.Next()
-		}
-
+		// Since only Super Admin is maintained for tenant management, others are rejected here
 		return errorJSON(c, fiber.StatusForbidden, "forbidden")
 	}
 }

backend/internal/middleware/rbac_test.go

@@ -64,21 +64,17 @@ func (m *MockKetoService) ListObjects(ctx context.Context, namespace, relation,
 	return args.Get(0).([]string), args.Error(1)
 }
 
-// Fixed MockKetoService to match service.KetoService exactly if possible.
-// Wait, middleware/rbac.go imports baron-sso-backend/internal/service.
-// So I should use service.RelationTuple.
-
 func TestRequireRole_Success(t *testing.T) {
 	app := fiber.New()
 	mockAuth := new(MockAuthProvider)
 	config := RBACConfig{
-		AllowedRoles: []string{"admin"},
+		AllowedRoles: []string{domain.RoleSuperAdmin},
 		AuthHandler:  mockAuth,
 	}
 
 	mockAuth.On("GetEnrichedProfile", mock.Anything).Return(&domain.UserProfileResponse{
 		ID:   "user1",
-		Role: "admin",
+		Role: domain.RoleSuperAdmin,
 	}, nil)
 
 	app.Get("/test", RequireRole(config), func(c *fiber.Ctx) error {
@@ -95,13 +91,13 @@ func TestRequireRole_SetsUserIDForAuditContext(t *testing.T) {
 	app := fiber.New()
 	mockAuth := new(MockAuthProvider)
 	config := RBACConfig{
-		AllowedRoles: []string{"admin"},
+		AllowedRoles: []string{domain.RoleSuperAdmin},
 		AuthHandler:  mockAuth,
 	}
 
 	mockAuth.On("GetEnrichedProfile", mock.Anything).Return(&domain.UserProfileResponse{
 		ID:   "user1",
-		Role: "admin",
+		Role: domain.RoleSuperAdmin,
 	}, nil)
 
 	app.Get("/test", RequireRole(config), func(c *fiber.Ctx) error {
@@ -124,13 +120,13 @@ func TestRequireRole_PreservesExistingUserID(t *testing.T) {
 	app := fiber.New()
 	mockAuth := new(MockAuthProvider)
 	config := RBACConfig{
-		AllowedRoles: []string{"admin"},
+		AllowedRoles: []string{domain.RoleSuperAdmin},
 		AuthHandler:  mockAuth,
 	}
 
 	mockAuth.On("GetEnrichedProfile", mock.Anything).Return(&domain.UserProfileResponse{
 		ID:   "profile-user",
-		Role: "admin",
+		Role: domain.RoleSuperAdmin,
 	}, nil)
 
 	app.Use(func(c *fiber.Ctx) error {
@@ -157,7 +153,7 @@ func TestRequireRole_Forbidden(t *testing.T) {
 	app := fiber.New()
 	mockAuth := new(MockAuthProvider)
 	config := RBACConfig{
-		AllowedRoles: []string{"admin"},
+		AllowedRoles: []string{domain.RoleSuperAdmin},
 		AuthHandler:  mockAuth,
 	}
 
@@ -231,7 +227,7 @@ func TestRequireTenantMatch_Forbidden(t *testing.T) {
 	tenant1 := "tenant1"
 	mockAuth.On("GetEnrichedProfile", mock.Anything).Return(&domain.UserProfileResponse{
 		ID:       "user1",
-		Role:     domain.RoleTenantAdmin,
+		Role:     "user", // Formerly tenant_admin, now mapped to user which is forbidden here for non-superadmin
 		TenantID: &tenant1,
 	}, nil)