Fix: wildcard permissions (GM modules visible), Admin link and module card

Co-authored-by: Cursor <cursoragent@cursor.com>

frontend/src/contexts/AuthContext.tsx

@@ -59,18 +59,26 @@ export function AuthProvider({ children }: { children: React.ReactNode }) {
   }, [])
 
   // Transform backend permissions format to frontend format
+  // Backend uses actions: ['*'] or ['read','create',...] - wildcard grants all
   const transformPermissions = (permissions: any[]): Permission[] => {
-    return permissions.map(p => ({
-      id: p.id,
-      module: p.module,
-      actions: p.actions,
-      canView: p.actions?.includes('read') || false,
-      canCreate: p.actions?.includes('create') || false,
-      canEdit: p.actions?.includes('update') || false,
-      canDelete: p.actions?.includes('delete') || false,
-      canExport: p.actions?.includes('export') || false,
-      canApprove: p.actions?.includes('approve') || false,
-    }))
+    const hasWildcard = (actions: string[] | any) => {
+      const arr = Array.isArray(actions) ? actions : []
+      return arr.includes('*') || arr.includes('all')
+    }
+    return permissions.map(p => {
+      const wildcard = hasWildcard(p.actions)
+      return {
+        id: p.id,
+        module: p.module,
+        actions: p.actions,
+        canView: wildcard || p.actions?.includes('read') || false,
+        canCreate: wildcard || p.actions?.includes('create') || false,
+        canEdit: wildcard || p.actions?.includes('update') || false,
+        canDelete: wildcard || p.actions?.includes('delete') || false,
+        canExport: wildcard || p.actions?.includes('export') || false,
+        canApprove: wildcard || p.actions?.includes('approve') || false,
+      }
+    })
   }
 
   const fetchUserData = async (token: string) => {