feat(access): can() fallback to SecurityPrincipal getRoles()

[usernane]

Summary

When the internal role map is empty for a user, can() falls back to $user->getRoles().

Changes

• 4-line addition in AccessManager::can()
• 2 tests: fallback works, internal map still takes precedence

Related issues

Closes #381

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.75%. Comparing base (b982bd6) to head (a041a41).
⚠️ Report is 6 commits behind head on dev.

Additional details and impacted files

@@             Coverage Diff              @@
##                dev     #397      +/-   ##
============================================
+ Coverage     83.67%   83.75%   +0.08%     
- Complexity     3067     3086      +19     
============================================
  Files           103      104       +1     
  Lines          9018     9063      +45     
============================================
+ Hits           7546     7591      +45     
  Misses         1472     1472              

Flag	Coverage Δ
php-8.1	82.63% <ø> (+0.03%)	⬆️
php-8.2	82.63% <ø> (+0.03%)	⬆️
php-8.3	92.13% <100.00%> (+0.04%)	⬆️
php-8.4	92.13% <100.00%> (+0.04%)	⬆️
php-8.5	92.00% <100.00%> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
35 New issues
1 Accepted issue

Measures
28 Security Hotspots
0.0% Coverage on New Code
5.5% Duplication on New Code

See analysis details on SonarQube Cloud