--- name: tenantpilot-rbac-action-safety description: Hard-gate TenantPilot RBAC, capability, global-search, and destructive/high-impact action safety. --- ## Purpose Use this skill to keep TenantPilot authorization server-side, capability-driven, tenant/workspace-safe, and tested for both visible UI affordances and direct execution. ## Activate When - Adding or changing Filament actions, table actions, bulk actions, header actions, form actions, or controller mutations. - Touching policies, gates, capabilities, `UiEnforcement`, `WorkspaceUiEnforcement`, or global search. - Adding destructive or high-impact operations such as delete, force delete, restore, archive, retry, sync, snapshot, provider disable, credential rotation, publish, export, or evidence capture. ## Do Not Activate When - The task has no runtime authorization, action, global search, or mutation surface. - The task only updates docs/tooling and explicitly cannot change runtime files. ## Maturity L4 hard gate. ## Gate Type hard-gate. ## Source Evidence - `docs/security-guidelines.md` - `docs/filament-guidelines.md` - `docs/testing-guidelines.md` - `docs/research/filament-v5-notes.md` - `specs/402-resource-policy-authorization-proof-matrix/implementation-report.md` - `apps/platform/app/Support/Rbac/UiEnforcement.php` - `apps/platform/app/Support/Rbac/WorkspaceUiEnforcement.php` - `apps/platform/app/Policies/ProviderConnectionPolicy.php` - `apps/platform/tests/Feature/Filament/ProviderConnectionsUiEnforcementTest.php` - `apps/platform/tests/Feature/Rbac/AdminGlobalSearchContextSafetyTest.php` - `apps/platform/tests/Feature/Rbac/UiEnforcementDestructiveTest.php` ## External Anchors - Filament v5 actions confirmation docs and global search docs cited in `docs/research/filament-v5-notes.md`. ## Required Repo Context - The affected panel/resource/page/relation manager/action. - Existing policy and capability constants. - `UiEnforcement` or `WorkspaceUiEnforcement` usage. - Direct execution tests for action handlers. - Global search pages, title attributes, scoped queries, and View/Edit page posture. ## Execution Checklist - Enforce authorization in the handler through policy/gate/service, not only via hidden UI. - Apply `UiEnforcement` or `WorkspaceUiEnforcement` for visible/disabled affordances. - Use canonical capability constants, not raw role strings. - Make destructive/high-impact actions execute through `->action(...)`. - Require `->requiresConfirmation()` for destructive/high-impact actions. - Write audit logs for mutating security/governance actions. - Add tests for allowed, denied/disabled, direct execution denial, side effects, audit, and scope where behavior changes. - Disable global search unless the resource has safe View/Edit pages, title attributes, scoped URLs, and non-member-safe results. ## Stop Conditions - Missing server-side authorization for a mutation or operation start. - Destructive/high-impact action lacks `->action(...)` or `->requiresConfirmation()`. - Hidden UI remains directly callable through Livewire/action APIs. - Global search can reveal inaccessible records, labels, URLs, or relationship details. - Authorization uses role strings or unregistered capability strings in new code. - Mutating action lacks audit evidence where the domain requires auditability. ## Required Evidence After Use - Policy/gate/capability path. - UI affordance path and direct execution path. - Tests proving allowed and denied behavior. - Confirmation of global search posture for changed resources. - Audit behavior for mutating or high-impact actions. ## Common Failure Modes - Confusing action visibility with authorization. - Assuming confirmation works on URL-only actions. - Using per-record UI filters while leaving bulk/direct action paths open. - Enabling global search on tenant-sensitive resources without safe detail routes. - Returning 403 where deny-as-not-found 404 is required for non-member scope. ## Quarantined Rules Full Spec 416 quarantine list applies. Especially quarantined here: stale provider Healthy/Ready semantics; limited customer download vocabulary; raw provider/evidence payload default display; historical audits as current truth. ## Review / Expiry Review whenever RBAC planes, capabilities, Filament action rules, or global search posture change. No planned expiry.