fix: Fall back to isPolicyAdmin when adminAccess is undefined for domain-level feeds #86281

Open
Amsamms wants to merge 1 commit into Expensify:main from Amsamms:fix/86277-assign-card-domain-feed-silent-fail

Amsamms commented Mar 24, 2026

Explanation of Change

When a workspace admin navigates to Workspace > Company Cards and clicks "Assign Card" on a domain-level card feed (e.g., Chase), the action silently fails because adminAccess from SHARED_NVP_PRIVATE_ADMIN_ACCESS hasn't been loaded into Onyx (it's only populated when the user visits the Domain settings page).

This PR adds a fallback in useIsAllowedToIssueCompanyCard — when adminAccess is undefined (not yet loaded), it falls back to isPolicyAdmin instead of treating it as false. This is safe because:

  1. The AssignCompanyCard API call validates admin permissions server-side
  2. For legitimate domain admins (the affected users), isPolicyAdmin is true and the action proceeds correctly
  3. Once the admin access data IS loaded, the explicit true/false value takes over

Fixed Issues

$ #86277
PROPOSAL: #86277 (comment)

Linked issue: https://github.com/Expensify/Expensify/issues/615675

Tests

  1. Log in as a workspace admin
  2. Navigate to Workspace > Company Cards for a workspace that has a domain-level card feed (e.g., Chase)
  3. Do NOT visit the Domain settings page first
  4. Click "Assign Card" on a card from the domain-level feed
  5. Verify the assign card flow opens correctly instead of silently failing
  • Verify that no errors appear in the JS console

Offline tests

  1. While offline, attempt to assign a card from a domain-level feed
  2. Verify the offline modal appears as expected (existing behavior, unchanged by this PR)

QA Steps

  1. Log in as a workspace admin with a domain-level card feed (e.g., Chase)
  2. Clear Onyx storage to ensure SHARED_NVP_PRIVATE_ADMIN_ACCESS is not cached
  3. Navigate directly to Workspace > Company Cards
  4. Click "Assign Card" on a card from the domain-level feed
  5. Verify the assign card flow proceeds correctly
  • Verify that no errors appear in the JS console

PR Author Checklist

  • I linked the correct issue in the ### Fixed Issues section above
  • I wrote clear testing steps that cover the changes made in this PR
    • I added steps for local testing in the Tests section
    • I added steps for the expected offline behavior in the Offline steps section
    • I added steps for Staging and/or Production testing in the QA steps section
    • I added steps to cover failure scenarios (i.e. verify an input displays the correct error message if the entered data is not correct)
    • I turned off my network connection and tested it while offline to ensure it matches the expected behavior (i.e. verify the default avatar icon is displayed if app is offline)
    • I tested this PR with a High Traffic account against the staging or production API to ensure there are no regressions (e.g. long loading states that impact usability).

…ain-level feeds

When adminAccess hasn't been loaded from the server yet (user hasn't visited
the Domain settings page), the hook treats undefined as false and silently
blocks card assignment. This adds a fallback to isPolicyAdmin for the
undefined case, which is safe because the server validates domain admin
access on the actual AssignCompanyCard API call.

Fixes Expensify#86277

Amsamms requested review from a team as code owners March 24, 2026 21:38
melvin-bot bot requested review from situchan and removed request for a team March 24, 2026 21:38

melvin-bot bot commented Mar 24, 2026

@situchan Please copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button]

melvin-bot bot requested review from trjExpensify and removed request for a team March 24, 2026 21:38

chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3496607e3a

Comment on lines +27 to +28
if (adminAccess === undefined) {
return isPolicyAdmin;
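
Review bot: The `adminAccess === undefined` branch needs an inline comment stating that this return value only gates the UI and that, as the PR description says, authorization for the AssignCompanyCard call is enforced server-side. Without it, a later caller can reuse the hook as if `true` meant domain admin access had been confirmed. Consider returning a distinct "not loaded" state here rather than a boolean, so callers can tell unknown from granted.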

P2 Badge Avoid granting domain access when admin state is unknown

When adminAccess is undefined, this fallback returns isPolicyAdmin, which lets any workspace admin pass the client-side permission check for domain feeds before domain membership is loaded. In useAssignCard, that value controls isAssigningCardDisabled, so a workspace admin who is not a domain admin can enter the assign-card flow and only fail later on API write, creating a false-authorized UX path. Keep the permission as denied/loading until domain admin access is explicitly known for that domain feed.

Useful? React with 👍 / 👎.
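
The two gating behaviours discussed in this thread, side by side, as an added example that is not part of the PR or of Expensify's code. The function names, the `Gate` type, the e-mail addresses and the 200/403 status codes are assumptions made for illustration.

```typescript
// Added example. Every name here is hypothetical; none is Expensify's code.
type AdminAccess = boolean | undefined; // undefined = not yet loaded into the client store
type Gate = 'allowed' | 'denied' | 'unknown';

// Fallback described in the PR: an unloaded value defers to workspace-admin status.
function gateWithFallback(adminAccess: AdminAccess, isPolicyAdmin: boolean): boolean {
    if (adminAccess === undefined) {
        return isPolicyAdmin;
    }
    return adminAccess;
}

// Alternative raised in review: keep "not loaded" distinct from both answers.
function gateTriState(adminAccess: AdminAccess): Gate {
    if (adminAccess === undefined) {
        return 'unknown';
    }
    return adminAccess ? 'allowed' : 'denied';
}

// Constructed stand-in for the server-side check on the assign-card call.
// The server decides from its own records, never from what the client believed.
const DOMAIN_ADMINS: Record<string, boolean> = {'domain-admin@example.com': true};
function serverAssignCard(actorEmail: string): number {
    return DOMAIN_ADMINS[actorEmail] === true ? 200 : 403;
}

type Outcome = {fallbackOpensFlow: boolean; triState: Gate; serverStatus: number};

// Runs one user through both client gates and the server check.
function simulate(email: string, isPolicyAdmin: boolean, adminAccess: AdminAccess): Outcome {
    return {
        fallbackOpensFlow: gateWithFallback(adminAccess, isPolicyAdmin),
        triState: gateTriState(adminAccess),
        serverStatus: serverAssignCard(email),
    };
}

// Constructed cases: access not yet loaded for either user, then loaded as false.
const domainAdminUnloaded = simulate('domain-admin@example.com', true, undefined);
const workspaceOnlyUnloaded = simulate('ws-admin@example.com', true, undefined);
const workspaceOnlyLoaded = simulate('ws-admin@example.com', true, false);
```

In `workspaceOnlyUnloaded` the fallback opens the flow and the request is refused only at the server, which is the path the review comment describes; the server check is what keeps that a UX problem rather than an authorization bypass.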
