Clarify invoice privileged role messaging

[lairwaves]

Description

Keep invoice full access anchored to Steering Committee-level access. Workflows Engineer already satisfies that through the shared Discord role hierarchy, so this PR avoids treating it as a separate invoice-specific role requirement.

Update the invoice denial copy to list both Steering Committee and Workflows Engineer, and add invoice-level regression coverage that Workflows Engineer gets full access without an ERP identity lookup.

How Has This Been Tested?

• uv run pytest tests/unit/test_invoices_cog.py tests/unit/test_role_decorators.py::TestHierarchicalRoles::test_check_user_roles_with_hierarchy_workflows_engineer_grants_steering_committee_access -q
• Commit hook: ruff passed
• Commit hook: ruff format passed
• Commit hook: mypy passed once, but rewrote uv.lock due the global uv exclude-newer setting; I reverted that lockfile churn and retried the commit with SKIP=mypy

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds "Workflows Engineer" to the privileged roles allowed to validate invoices and updates the denial message and unit tests to reference the privileged-roles list.

Changes

Invoice Authorization

Layer / File(s)	Summary
Privileged roles and denial message apps/discord_bot/src/five08/discord_bot/cogs/invoices.py	The _PRIVILEGED_ROLES constant is expanded to include "Workflows Engineer", and the validate-invoice restricted-access message now lists allowed roles from that constant.
Unit tests for privileged roles tests/unit/test_invoices_cog.py	Tests import _PRIVILEGED_ROLES, add a mock_workflows_engineer_interaction fixture, update the denial-message assertion to check for any privileged role, and add a test ensuring a Workflows Engineer can validate without an ERP identity.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• 508-dev/508-workflows#290: Also touches /validate-invoice authorization logic and denial messaging.

Suggested reviewers

• michaelmwu

Poem

🐰 A new badge hops into the fold,
"Workflows Engineer" in the roles we hold.
Denials list the names, tests sing along,
One small change, the chorus grown strong. 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 62.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title is related, but it emphasizes messaging more than the main change: adding Workflows Engineer to invoice privileged roles.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/discord_bot/src/five08/discord_bot/cogs/invoices.py (1)

117-123: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

User-facing denial message is now out of sync with _PRIVILEGED_ROLES.

The error message still enumerates only "Steering Committee members or confirmed ERP project members." With Workflows Engineer added to _PRIVILEGED_ROLES, a Workflows Engineer denied access (e.g., due to role hierarchy mismatch) would see a message that doesn't mention their role, which is confusing. Consider updating the message to reflect the new privileged role set, or generalize the wording.

📝 Proposed wording update

             if not include_all and not emails:
                 await interaction.followup.send(
-                    "Invoice validation is available to Steering Committee members "
-                    "or confirmed ERP project members.",
+                    "Invoice validation is available to Steering Committee or "
+                    "Workflows Engineer members, or confirmed ERP project members.",
                     ephemeral=True,
                 )

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/discord_bot/src/five08/discord_bot/cogs/invoices.py` around lines 117 -
123, The user-facing denial string in the invoices validation block (where
include_all and emails are checked before calling interaction.followup.send) is
stale relative to the _PRIVILEGED_ROLES set; update the message returned by
interaction.followup.send to either enumerate the current privileged roles
(including "Workflows Engineer") or use a generalized phrase like "privileged
roles (e.g., Steering Committee, confirmed ERP project members, Workflows
Engineers)" or "authorized project/committee members" so it aligns with
_PRIVILEGED_ROLES and avoids confusion when a Workflows Engineer is denied.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@apps/discord_bot/src/five08/discord_bot/cogs/invoices.py`:
- Around line 117-123: The user-facing denial string in the invoices validation
block (where include_all and emails are checked before calling
interaction.followup.send) is stale relative to the _PRIVILEGED_ROLES set;
update the message returned by interaction.followup.send to either enumerate the
current privileged roles (including "Workflows Engineer") or use a generalized
phrase like "privileged roles (e.g., Steering Committee, confirmed ERP project
members, Workflows Engineers)" or "authorized project/committee members" so it
aligns with _PRIVILEGED_ROLES and avoids confusion when a Workflows Engineer is
denied.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc116aff-1522-4b94-8b56-d4d9d528a183

📥 Commits

Reviewing files that changed from the base of the PR and between e7f288a and 8ea51e2.

📒 Files selected for processing (1)

• apps/discord_bot/src/five08/discord_bot/cogs/invoices.py

[Copilot]

Pull request overview

Expands invoice-validation authorization in the Discord bot so the Workflows Engineer role is treated as privileged for viewing/validating invoices.

Changes:

• Adds Workflows Engineer to the invoice cog’s _PRIVILEGED_ROLES allowlist.
• Updates the “no ERP identity” denial message and adjusts the corresponding unit test assertion.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
apps/discord_bot/src/five08/discord_bot/cogs/invoices.py	Grants privileged invoice access to Workflows Engineer and updates the user-facing denial message.
tests/unit/test_invoices_cog.py	Updates unit test expectation to match the revised denial message.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

🧹 Nitpick comments (1)

tests/unit/test_invoices_cog.py (1)

157-157: ⚡ Quick win

Consider strengthening the assertion to verify all privileged roles appear.

The current assertion checks that at least one privileged role appears in the denial message. To more precisely verify that the message includes all configured privileged roles, consider:

✨ More precise assertion

-    assert any(role in sent for role in _PRIVILEGED_ROLES)
+    for role in _PRIVILEGED_ROLES:
+        assert role in sent

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/unit/test_invoices_cog.py` at line 157, The test currently asserts that
any privileged role appears in the denial message; update the assertion to
require that all privileged roles are present by checking every member of
_PRIVILEGED_ROLES against the message (use sent and _PRIVILEGED_ROLES to locate
the check), e.g. replace the any(...) check with an all(...) membership
assertion or an explicit subset check to ensure every role in _PRIVILEGED_ROLES
is contained in sent.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@tests/unit/test_invoices_cog.py`:
- Line 157: The test currently asserts that any privileged role appears in the
denial message; update the assertion to require that all privileged roles are
present by checking every member of _PRIVILEGED_ROLES against the message (use
sent and _PRIVILEGED_ROLES to locate the check), e.g. replace the any(...) check
with an all(...) membership assertion or an explicit subset check to ensure
every role in _PRIVILEGED_ROLES is contained in sent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cd23d05a-c4c9-4b16-a1f5-46383a61cfd7

📥 Commits

Reviewing files that changed from the base of the PR and between 8ea51e2 and cc34a46.

📒 Files selected for processing (2)

• apps/discord_bot/src/five08/discord_bot/cogs/invoices.py
• tests/unit/test_invoices_cog.py