Restrict homematic.set_install_mode service to admins

[balloob]

Proposed change

Switch the homematic.set_install_mode service from a bare hass.services.register to async_register_admin_service, so only admin users can put the HomeMatic radio interface into pairing/install mode.

Pairing mode is bus management rather than raw device I/O — same shape as ZHA permit (admin-gated) and Z-Wave add_node (admin-gated). Aligning this service with that precedent.

When adding a new admin in the UI, we mention: "The user group feature is a work in progress. The user will be unable to administer the instance via the UI. We're still auditing all management API endpoints to ensure that they correctly limit access to administrators." This PR is part of that audit.

The integration's setup is sync, so async_register_admin_service is dispatched via run_callback_threadsafe, mirroring how hass.services.register itself bridges into the event loop.

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Deprecation (breaking change to happen in the future)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• This PR fixes or closes issue: fixes #
• This PR is related to issue:
• Link to documentation pull request:
• Link to developer documentation pull request:
• Link to frontend pull request:

Checklist

• I understand the code I am submitting and can explain how it works.
• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• I have followed the perfect PR recommendations
• The code has been formatted using Ruff (ruff format homeassistant tests)
• Tests have been added to verify that the new code works.
• Any generated code has been carefully reviewed for correctness and compliance with project standards.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• For the updated dependencies a diff between library versions and ideally a link to the changelog/release notes is added to the PR description.

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[home-assistant]

Hey there @pvizeli, mind taking a look at this pull request as it has been labeled with an integration (homematic) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of homematic can trigger bot actions by commenting:

• @home-assistant close Closes the pull request.
• @home-assistant mark-draft Mark the pull request as draft.
• @home-assistant ready-for-review Remove the draft status from the pull request.
• @home-assistant rename Awesome new title Renames the pull request.
• @home-assistant reopen Reopen the pull request.
• @home-assistant unassign homematic Removes the current integration label and assignees on the pull request, add the integration domain after the command.
• @home-assistant update-branch Update the pull request branch with the base branch.
• @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component, problem in config, problem in device, feature-request) to the pull request.
• @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component, problem in config, problem in device, feature-request) on the pull request.

[Copilot]

Pull request overview

This PR tightens access control in the HomeMatic integration by making the homematic.set_install_mode service admin-only, aligning it with other integrations’ “pairing/permit” style management operations.

Changes:

• Replaces hass.services.register with async_register_admin_service for homematic.set_install_mode.
• Bridges the admin-service registration from the sync setup() context into the event loop via run_callback_threadsafe.

[Copilot]

Add an integration test that verifies homematic.set_install_mode is rejected for non-admin users (and allowed for admin users) when called with a user context, to prevent regressions in the new admin-only behavior.

[balloob]

@copilot apply changes based on this feedback

[Copilot]

Added two integration tests in tests/components/homematic/test_init.py (commit dd6c467):

• test_set_install_mode_non_admin_rejected – calls the service with a read-only user context and asserts Unauthorized is raised.
• test_set_install_mode_admin_allowed – calls the service with an admin user context, asserts it succeeds, and verifies setInstallMode was called with the correct arguments ("ccu2", t=60, mode=1, address=None).