# Admin V2 - Access Matrix

## Roles

- `super_admin`: full V2 access
- `manager`: full V2 access
- `coordinator`: no V2 access (403)
- any other role or unauthenticated user: no V2 access

## Route Matrix

| V2 Route | super_admin | manager | coordinator |
|---|---:|---:|---:|
| `filament.pages.v2` | ✅ | ✅ | ❌ |
| `filament.pages.v2/cardex/users` | ✅ | ✅ | ❌ |
| `filament.pages.v2/cardex/families` | ✅ | ✅ | ❌ |
| `filament.pages.v2/cardex/coaches` | ✅ | ✅ | ❌ |
| `filament.pages.v2/cardex/employees` | ✅ | ✅ | ❌ |
| `filament.pages.v2/orders` | ✅ | ✅ | ❌ |
| `filament.pages.v2/catalog` | ✅ | ✅ | ❌ |
| `filament.pages.v2/settings` | ✅ | ✅ | ❌ |
| `filament.pages.v2/settings/place` | ✅ | ✅ | ❌ |

## Rollout Flags

- Global enable: `FEATURE_ADMIN_V2=true`
- Cohort enable when global is off:
  - `FEATURE_ADMIN_V2_ROLLOUT_USER_PUBLIC_IDS=<comma-separated-public-ids>`
  - `FEATURE_ADMIN_V2_ROLLOUT_USER_EMAILS=<comma-separated-emails>`

Evaluation order:
1. if global flag is ON: feature enabled for everyone (role checks still apply)
2. if global flag is OFF: feature enabled only for allowlisted users by `public_id` or email
3. role gate still applies (`super_admin`/`manager` only)

## Automated Validation

Covered by:
- `tests/Feature/Filament/AdminV2AccessMatrixTest.php`
- `tests/Feature/Filament/AdminV2ShellTest.php`