ahmido
dd175c16a1
## Summary - tighten workspace RBAC and panel access boundaries - remove non-owner workspace membership management capability from workspace role mapping - add focused boundary coverage for admin panel, managed environments, providers, review packs, operation runs, finding exceptions, and workspace role capabilities - include spec artifacts for feature 309 ## Testing - cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Rbac/RoleMatrix/ManagerAccessTest.php tests/Feature/Rbac/WorkspaceMembershipsRelationManagerUiEnforcementTest.php tests/Feature/Rbac/AdminPanelAccessBoundaryTest.php tests/Feature/Rbac/FindingExceptionLifecycleAccessBoundaryTest.php tests/Feature/Rbac/ManagedEnvironmentAccessBoundaryTest.php tests/Feature/Rbac/OperationRunAccessBoundaryTest.php tests/Feature/Rbac/ProviderConnectionAccessBoundaryTest.php tests/Feature/Rbac/ReviewPackAccessBoundaryTest.php tests/Feature/Rbac/SystemPanelAccessBoundaryTest.php tests/Feature/Rbac/WorkspaceRoleCapabilityBoundaryTest.php tests/Unit/Auth/CapabilityResolverTest.php tests/Unit/Auth/WorkspaceRoleCapabilityMapTest.php - cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #364
2.6 KiB
2.6 KiB
Specification Quality Checklist: RBAC Role Matrix & Access Boundary Audit
Purpose: Validate specification completeness and quality before implementation planning/implementation.
Created: 2026-05-15
Feature: spec.md
Content Quality
- No application implementation was performed during preparation.
- Focus is on security, trust, auditability, and boundary correctness.
- The spec is repo-based and names the current evidence anchors.
- All mandatory repo-specific sections are completed or explicitly marked N/A.
- The candidate check required by SPEC-GATE-001 is completed.
- Candidate selection rationale and completed-spec guardrail result are recorded.
Requirement Completeness
- No
[NEEDS CLARIFICATION]markers remain. - Functional requirements are testable and boundary-oriented.
- Acceptance criteria cover role inventory, owner-only contradictions, panel boundaries, workspace isolation, environment isolation, sensitive actions, and no RBAC redesign.
- Edge cases are identified.
- Scope is clearly bounded to audit-first minimal hardening.
- Dependencies and assumptions are identified.
Constitution Alignment
- Workspace isolation and managed-environment isolation are explicit.
- RBAC-UX server-side source-of-truth rules are explicit.
- 404 vs 403 semantics are explicit.
- Capability registry usage is explicit.
- Test governance and lane classification are explicit.
- Proportionality review confirms no new persisted truth, role model, table, enum/status family, or broad framework is planned.
Feature Readiness
spec.mdexists.plan.mdexists.tasks.mdexists.- Tasks are ordered by read-only inventory, classification, tests first, minimal fixes, validation, and close-out.
- Tasks include focused tests and validation commands.
- Follow-up candidates are listed instead of hidden in scope.
- Related completed specs are treated as context only and are not modified.
Notes
- Preparation found a repo-real path correction:
WorkspaceRoleCapabilityMap.phpis underapps/platform/app/Services/Auth/, notapps/platform/app/Support/Auth/. - Preparation found a high-risk static contradiction to verify during implementation: Manager currently receives
WORKSPACE_MEMBERSHIP_MANAGEandTENANT_MEMBERSHIP_MANAGE, while the Constitution says Manager must not manage tenant memberships. - Preparation did not modify application code, tests, migrations, resources, routes, policies, models, services, jobs, views, or assets.