From 01348123e643e9eea23e246d3b3a2ac7741f7c9e Mon Sep 17 00:00:00 2001
From: saridsa2 <s.satya.suman@globaluniversityfoundation.com>
Date: Mon, 13 Apr 2026 06:47:01 +0530
Subject: [PATCH] fix: map HelixEngage Supervisor platform role to admin app
 role

Supervisor users were getting 'executive' role because only 'HelixEngage
Manager' was mapped to admin. This broke admin route access after the
RequireAdmin guard was added.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/auth/auth.controller.ts | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/auth/auth.controller.ts b/src/auth/auth.controller.ts
index 080d818..11408b6 100644
--- a/src/auth/auth.controller.ts
+++ b/src/auth/auth.controller.ts
@@ -107,11 +107,9 @@ export class AuthController {
 
             // Determine app role from platform roles
             let appRole = 'executive'; // default
-            if (roleLabels.includes('HelixEngage Manager')) {
+            if (roleLabels.includes('HelixEngage Manager') || roleLabels.includes('HelixEngage Supervisor')) {
                 appRole = 'admin';
             } else if (roleLabels.includes('HelixEngage User')) {
-                // Distinguish CC agent from executive by email convention or config
-                // For now, emails containing 'cc' map to cc-agent
                 const email = workspaceMember?.userEmail ?? body.email;
                 appRole = email.includes('cc') ? 'cc-agent' : 'executive';
             }