biiproject-kit-v2/database/seeders/RolesAndPermissionsSeeder.php

<?php
namespace Database\Seeders;
use Illuminate\Database\Seeder;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;
/**
 * Seeds the permission catalogue and the three built-in roles
 * (user, admin, super-admin).
 *
 * Review notes for anyone changing the access model:
 * - Every permission is created for both the "web" and "api" guards, but the
 *   roles below are created for the "web" guard only; nothing in this seeder
 *   grants an "api"-guard permission to any role.
 * - syncPermissions() replaces a role's permission set, so re-running this
 *   seeder reverts grants made to these roles outside of it.
 */
class RolesAndPermissionsSeeder extends Seeder
{
    /**
     * Create the permissions, then create each role and assign its permission set.
     */
    public function run(): void
    {
        // Drop the cached permission map before touching permission rows.
        app(PermissionRegistrar::class)->forgetCachedPermissions();

        // Permission names grouped by feature area; flattened below in this order.
        $catalogue = [
            'User Management' => [
                'user.view',
                'user.create',
                'user.edit',
                'user.delete',
                'user.restore',
                'user.force-delete',
                'user.export',
                'user.import',
            ],
            'Role Management' => [
                'role.view',
                'role.create',
                'role.delete',
                'role.manage',
            ],
            'Notification broadcast' => [
                'notifications.view',
                'notifications.send',
            ],
            'Activity Logs' => [
                'activity-logs.view',
                'activity-logs.delete',
            ],
            'System Settings' => [
                'settings.view',
                'settings.edit',
                'settings.test-email',
            ],
            'Internal Documentation' => [
                'documentation.view',
            ],
        ];

        $permissionNames = array_merge(...array_values($catalogue));

        // firstOrCreate keeps the seeder safe to re-run: existing rows are reused.
        foreach ($permissionNames as $permissionName) {
            foreach (['web', 'api'] as $guard) {
                Permission::firstOrCreate(['name' => $permissionName, 'guard_name' => $guard]);
            }
        }

        // user: read-only basic access.
        $basicRole = Role::firstOrCreate(['name' => 'user', 'guard_name' => 'web']);
        $basicRole->syncPermissions(['user.view']);

        // admin: operational, governance, and reporting access without raw system
        // configuration. Deliberately absent: user.force-delete, activity-logs.delete,
        // settings.* and documentation.view.
        // NOTE(review): admin holds role.create and role.manage. If those permissions
        // let a holder edit the permissions attached to a role, an admin could grant
        // the withheld permissions to its own role. Confirm how role.manage is
        // enforced before relying on this separation.
        $adminGrants = [
            'user.view',
            'user.create',
            'user.edit',
            'user.delete',
            'user.restore',
            'user.export',
            'user.import',
            'role.view',
            'role.create',
            'role.delete',
            'role.manage',
            'notifications.view',
            'notifications.send',
            'activity-logs.view',
        ];
        $adminRole = Role::firstOrCreate(['name' => 'admin', 'guard_name' => 'web']);
        $adminRole->syncPermissions($adminGrants);

        // super-admin: every "web"-guard permission that exists when the seeder runs.
        // This is a snapshot: a permission created later is not attached to the role
        // until the seeder is run again.
        $rootRole = Role::firstOrCreate(['name' => 'super-admin', 'guard_name' => 'web']);
        $allWebPermissions = Permission::where('guard_name', 'web')->get();
        $rootRole->syncPermissions($allWebPermissions);
    }
}