Передаем на тест

specs/016-multi-user-auth/spec.md

@@ -49,6 +49,30 @@ As an administrator, I want to assign specific plugin access rights to users so
 
 ---
 
+### User Story 4 - Role Management (Priority: P1)
+
+As an administrator, I want to create and manage roles with specific permissions so that I can easily assign standard access sets to users.
+
+**Why this priority**: Essential for scalable user management. Assigning individual permissions to every user is tedious and error-prone.
+
+**Acceptance Scenarios**:
+
+1. **Given** an administrator, **When** they navigate to the Role Management page, **Then** they see a list of all system roles.
+2. **Given** an administrator, **When** they create a new role "Auditor" with "READ" permission on "Logs", **Then** the role is saved and available for assignment.
+3. **Given** an administrator, **When** they update a role's permissions, **Then** all users with that role effectively gain/lose those permissions.
+
+**Why this priority**: Security is a core requirement. Without granular permissions, all authenticated users would have full administrative access, which defeats the purpose of multi-user support.
+
+**Independent Test**: Create two users with different permissions (e.g., User A has access to "Backup", User B does not). Verify User A can access the Backup tool while User B receives a 403 Forbidden error.
+
+**Acceptance Scenarios**:
+
+1. **Given** a user with "Backup" plugin permission, **When** they navigate to the Backup tool, **Then** the page loads successfully.
+2. **Given** a user WITHOUT "Backup" plugin permission, **When** they navigate to the Backup tool, **Then** they are denied access (UI hides the link, API returns 403).
+3. **Given** an administrator, **When** they edit a user's permissions, **Then** the changes take effect immediately or upon next login.
+
+---
+
 ### User Story 3 - ADFS Integration (Priority: P2)
 
 As a corporate user, I want to log in using my organization's ADFS credentials so that I don't have to manage a separate password.
@@ -78,17 +102,18 @@ As a corporate user, I want to log in using my organization's ADFS credentials s
 
 - **FR-001**: System MUST support local user authentication via username and password.
 - **FR-002**: System MUST support authentication via ADFS (Active Directory Federation Services) using standard federation protocols.
-- **FR-003**: System MUST provide a mechanism to manage users (Create, Read, Update, Delete) - restricted to administrators.
+- **FR-003**: System MUST provide a web-based interface to manage users (Create, Read, Update, Delete) - restricted to administrators.
 - **FR-004**: System MUST implement Role-Based Access Control (RBAC) where permissions are assigned to Roles, and Roles are assigned to Users.
 - **FR-005**: System MUST enforce permissions at the server level for all plugin execution requests.
 - **FR-006**: System MUST enforce permissions at the user interface level (hide navigation items/buttons for unauthorized plugins).
 - **FR-007**: System MUST securely store local user credentials.
 - **FR-008**: System MUST support Just-In-Time (JIT) provisioning for ADFS users ONLY if they belong to a mapped AD group.
 - **FR-009**: System MUST provide a CLI utility to create an initial administrator account to prevent lockout during first deployment.
-- **FR-010**: System MUST allow configuring mappings between Active Directory Groups and local System Roles.
+- **FR-010**: System MUST provide a web-based interface for configuring mappings between Active Directory Groups and local System Roles.
 - **FR-011**: System MUST use JWT (JSON Web Tokens) for API session management.
 - **FR-012**: System MUST persist authentication and authorization data in a dedicated SQLite database (`auth.db`).
 - **FR-013**: System MUST provide a unified login interface supporting both Local (Username/Password) and ADFS (SSO Button) authentication methods simultaneously.
+- **FR-014**: System MUST provide a web-based interface to manage Roles (Create, Update, Delete) and assign permissions to them.
 
 ### Key Entities