feat(alerts): add alerts permissions BED-8381

[mistahj67]

Description

• Add AlertsRead and AlertsManage permissions
• Update AlertsRead for Administrator, and Auditor
• Update AlertsManage for Administrator

Motivation and Context

Resolves BED-8381

Why is this change required? What problem does it solve?

How Has This Been Tested?

Ran migration and verified the permissions and role_permissions tables were updated

Please describe in detail how you tested your changes.
Include details of your testing environment, and the tests you ran to
see how your change affects other areas of the code, etc.

Screenshots (optional):

Types of changes

• Chore (a change that does not modify the application functionality)
• Database Migrations

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README #672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments (GoDocs / JSDocs)
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• New Features

  • Added two alert permissions: AlertsRead (view alerts) and AlertsManage (manage alerts).
  • Auditor role granted AlertsRead; Administrator granted both AlertsRead and AlertsManage.

• Chores

  • Database migration applied to persist new permissions and role assignments.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 175d9242-89ce-4bdb-b3eb-2d396ae39f6a

📥 Commits

Reviewing files that changed from the base of the PR and between eaa2c02 and 95ef87e.

📒 Files selected for processing (3)

• cmd/api/src/auth/permission.go
• cmd/api/src/auth/role.go
• cmd/api/src/database/migration/migrations/20260527000001_v9_add_alerts_permissions.sql

🚧 Files skipped from review as they are similar to previous changes (3)

• cmd/api/src/database/migration/migrations/20260527000001_v9_add_alerts_permissions.sql
• cmd/api/src/auth/permission.go
• cmd/api/src/auth/role.go

---

📝 Walkthrough

Walkthrough

Adds two alert permissions (AlertsRead, AlertsManage) to the permission model, assigns AlertsRead to the Auditor role, and seeds both permissions and their role mappings via a Goose DB migration (Up inserts permissions and role links; Down removes them).

Changes

Alert Permissions Introduction

Layer / File(s)	Summary
Permission model extension cmd/api/src/auth/permission.go	PermissionSet adds AlertsRead and AlertsManage. Permissions() initializes them with model.NewPermission("alerts", ...), and All() includes them.
Role permission assignment cmd/api/src/auth/role.go	RoleAuditor template now includes permissions.AlertsRead.
Database migration cmd/api/src/database/migration/migrations/20260527000001_v9_add_alerts_permissions.sql	Up inserts the alerts Read and Manage permissions and creates role-permission links (Read → Administrator, Auditor; Manage → Administrator). Down removes those role links and deletes the permissions.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• sirisjo

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding alerts permissions (AlertsRead and AlertsManage) to the codebase, directly matching the changeset.
Description check	✅ Passed	The description covers the main changes, motivation (ticket BED-8381), and testing performed; however, the motivation section lacks detail on the problem being solved.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch BED-8381

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@cmd/api/src/database/migration/migrations/20260527000001_v9_add_alerts_permissions.sql`:
- Line 34: Update the stale SQL comments that mention "Power User" so they match
the actual GRANT statements: change the comment(s) that currently read "Add
Alerts Read permission to Administrator, Power User, and Auditor roles" to
reflect that alerts.Read is granted only to Administrator and Auditor, and that
alerts.Manage is granted to Administrator; apply the same correction to the
other identical comment later in the file so the comments match the GRANT
statements for alerts.Read and alerts.Manage.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 575df174-c3ec-4abe-94c4-66e30a08f1b2

📥 Commits

Reviewing files that changed from the base of the PR and between 0179ece and eaa2c02.

📒 Files selected for processing (3)

• cmd/api/src/auth/permission.go
• cmd/api/src/auth/role.go
• cmd/api/src/database/migration/migrations/20260527000001_v9_add_alerts_permissions.sql

🚧 Files skipped from review as they are similar to previous changes (1)

• cmd/api/src/auth/permission.go