fix: remove broken GRANT/REVOKE EXECUTE ON WORKFLOW

[engalar]

Summary

• GRANT/REVOKE EXECUTE ON WORKFLOW silently wrote an AllowedModuleRoles field on the Workflow BSON document, but Workflows$Workflow has no such field in the Mendix metamodel (confirmed by generated metamodel types and BSON dump of Studio Pro output). Studio Pro ignored the phantom field entirely.
• Replaced the broken executor implementations with clear error messages explaining that workflow access is controlled through triggering microflows and UserTask targeting, not document-level roles.
• Removed the AllowedModuleRoles field from the Workflow struct and its BSON parser, and cleaned up SHOW SECURITY MATRIX workflow section, HELP output, and all documentation references.

Test plan

• make build succeeds
• make test passes
• GRANT EXECUTE ON WORKFLOW Mod.WF TO Mod.Role; returns clear error message
• Verify no regression in microflow/page GRANT/REVOKE (those still use AllowedModuleRoles correctly)

[github-actions]

AI Code Review

What Looks Good

• The PR correctly identifies and fixes a core bug: workflows lack a document-level AllowedModuleRoles field in the Mendix metamodel, so writing this field was ineffective (phantom field ignored by Studio Pro).
• Replaced silent failure with clear, actionable error messages explaining the correct way to control workflow access (via triggering microflows and UserTask targeting).
• Thoroughly removed all traces of the broken feature:
  • Updated documentation across multiple files (quick reference, language guides, feature matrix, workflow reference)
  • Removed AllowedModuleRoles field from Workflow struct and BSON parser
  • Cleaned up SECURITY MATRIX output and HELP text
  • Replaced executor implementations with informative errors
• Maintains consistency with Mendix's actual security model where workflow access is controlled at the microflow/UserTask level, not document-level roles.
• The diff shows focused changes only related to workflow access GRANT/REVOKE – no unrelated modifications.

Minor Issues

• The test plan has an unchecked item: [ ] Verify no regression in microflow/page GRANT/REVOKE (those still use AllowedModuleRoles correctly). While the changes are isolated to workflow access and microflow/page GRANT/REVOKE logic resides in separate functions (making regression unlikely), this verification should be completed before merging.
• Grammar/AST/visitor for GRANT/REVOKE EXECUTE ON WORKFLOW remain intact (only executor changed). This is acceptable for providing clear runtime errors rather than syntax errors, but note that a full feature removal would typically involve removing grammar rules. However, given the PR's goal of replacing silent failure with clear messaging (not making it a syntax error), the current approach is reasonable.

Recommendation

Approve – the PR correctly resolves the bug with minimal, focused changes and thorough documentation updates. The unchecked test item is low-risk (no changes to microflow/page GRANT/REVOKE logic) and should be verified per the test plan, but does not block approval given the make test pass confirmation in the PR body.

Note to author: Please complete the regression test for microflow/page GRANT/REVOKE access as indicated in the test plan before merging. This ensures the fix doesn't inadvertently affect functioning security commands for other element types.

---

Automated review via OpenRouter (Nemotron Super 120B) — workflow source