debug: add RBAC logging to RequireRoles middleware

backend/internal/api/middleware/auth_middleware.go

@@ -127,17 +127,28 @@ func (m *Middleware) OptionalHeaderAuthGuard(next http.Handler) http.Handler {
 func (m *Middleware) RequireRoles(roles ...string) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			roleValues := ExtractRoles(r.Context().Value(ContextRoles))
+			fmt.Printf("[RBAC DEBUG] === RequireRoles START for %s %s ===\n", r.Method, r.URL.Path)
+			fmt.Printf("[RBAC DEBUG] Required roles: %v\n", roles)
+
+			rawRoles := r.Context().Value(ContextRoles)
+			fmt.Printf("[RBAC DEBUG] Raw roles from context: %v (type: %T)\n", rawRoles, rawRoles)
+
+			roleValues := ExtractRoles(rawRoles)
+			fmt.Printf("[RBAC DEBUG] Extracted roles: %v\n", roleValues)
+
 			if len(roleValues) == 0 {
+				fmt.Printf("[RBAC DEBUG] FAILED: No roles found in context\n")
 				http.Error(w, "Roles not found", http.StatusForbidden)
 				return
 			}
 
 			if hasRole(roleValues, roles) {
+				fmt.Printf("[RBAC DEBUG] SUCCESS: User has required role\n")
 				next.ServeHTTP(w, r)
 				return
 			}
 
+			fmt.Printf("[RBAC DEBUG] FAILED: User roles %v do not match required %v\n", roleValues, roles)
 			http.Error(w, "Forbidden: insufficient permissions", http.StatusForbidden)
 		})
 	}