fix: use stable engine authentik groups

server/authentik-sync.mjs

@@ -6,12 +6,9 @@ const platformGroups = {
   launcherUser: "nodedc:launcher:user",
   taskManagerAdmin: "nodedc:taskmanager:admin",
   taskManagerUser: "nodedc:taskmanager:user",
-  engineAdmin: "nodedc:engine:admin",
+  engineAdmin: "nodedc_admin",
-  engineEditor: "nodedc:engine:editor",
+  engineEditor: "nodedc_editor",
-  engineViewer: "nodedc:engine:viewer",
+  engineViewer: "nodedc_viewer",
-  engineLegacyAdmin: "nodedc_admin",
-  engineLegacyEditor: "nodedc_editor",
-  engineLegacyViewer: "nodedc_viewer",
 };
 const engineServiceSlugs = new Set(["nodedc", "engine", "nodedc-engine"]);
 const publicPoolClientId = "client_public_pool";
@@ -254,14 +251,14 @@ function isEngineService(service) {
 
 function resolveEngineRoleGroups(appRole) {
   if (appRole === "admin" || appRole === "owner") {
-    return [platformGroups.engineAdmin, platformGroups.engineLegacyAdmin];
+    return [platformGroups.engineAdmin];
   }
 
   if (appRole === "viewer") {
-    return [platformGroups.engineViewer, platformGroups.engineLegacyViewer];
+    return [platformGroups.engineViewer];
   }
 
-  return [platformGroups.engineEditor, platformGroups.engineLegacyEditor];
+  return [platformGroups.engineEditor];
 }
 
 function addGroups(target, groups) {

server/control-plane-store.mjs

@@ -40,14 +40,7 @@ const taskManagerInviteRoles = new Set(["guest", "member", "admin"]);
 const engineWorkflowAccessRequestStatuses = new Set(["new", "approved", "rejected", "cancelled"]);
 const engineWorkflowRoles = new Set(["viewer", "editor", "admin"]);
 const publicPoolClientId = "client_public_pool";
-const engineAuthentikGroups = [
+const engineAuthentikGroups = ["nodedc_admin", "nodedc_editor", "nodedc_viewer"];
-  "nodedc:engine:admin",
-  "nodedc:engine:editor",
-  "nodedc:engine:viewer",
-  "nodedc_admin",
-  "nodedc_editor",
-  "nodedc_viewer",
-];
 const publicPoolClient = {
   id: publicPoolClientId,
   type: "person",
@@ -2107,7 +2100,10 @@ function normalizeService(service) {
         ? "https://engine.nodedc.ru/logout"
         : service.logoutUrl,
     authentikApplicationSlug: service.authentikApplicationSlug === "nodedc" ? "nodedc-engine" : service.authentikApplicationSlug,
-    authentikGroupName: service.authentikGroupName === "service-nodedc" ? "nodedc:engine:viewer" : service.authentikGroupName,
+    authentikGroupName:
+      service.authentikGroupName === "service-nodedc" || service.authentikGroupName === "nodedc:engine:viewer"
+        ? "nodedc_viewer"
+        : service.authentikGroupName,
   };
 }
 

server/dev-server.mjs

@@ -2315,9 +2315,6 @@ function getAppCatalog() {
 }
 
 const engineRequiredGroups = [
-  "nodedc:engine:admin",
-  "nodedc:engine:editor",
-  "nodedc:engine:viewer",
   "nodedc_admin",
   "nodedc_editor",
   "nodedc_viewer",
@@ -2394,7 +2391,7 @@ async function requestEngineInternalJson(pathname, init = {}) {
     headers: {
       Accept: "application/json",
       Authorization: `Bearer ${config.internalAccessToken}`,
-      "X-Authentik-Groups": "nodedc_admin nodedc:engine:admin",
+      "X-Authentik-Groups": "nodedc_admin",
       "X-Authentik-Email": "launcher-internal@nodedc.ru",
       "X-Authentik-Username": "launcher-internal@nodedc.ru",
       ...(hasBody ? { "Content-Type": "application/json" } : {}),

src/shared/api/mockData.ts

@@ -91,7 +91,7 @@ export const mockServices: Service[] = [
     status: "active",
     order: 10,
     authentikApplicationSlug: "nodedc-engine",
-    authentikGroupName: "nodedc:engine:viewer",
+    authentikGroupName: "nodedc_viewer",
     createdAt: "2026-04-01T10:00:00Z",
     updatedAt: now,
   },