Automated PR provided by Codex via Gitea API. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #483
4.3 KiB
4.3 KiB
| name | description |
|---|---|
| tenantpilot-rbac-action-safety | Hard-gate TenantPilot RBAC, capability, global-search, and destructive/high-impact action safety. |
Purpose
Use this skill to keep TenantPilot authorization server-side, capability-driven, tenant/workspace-safe, and tested for both visible UI affordances and direct execution.
Activate When
- Adding or changing Filament actions, table actions, bulk actions, header actions, form actions, or controller mutations.
- Touching policies, gates, capabilities,
UiEnforcement,WorkspaceUiEnforcement, or global search. - Adding destructive or high-impact operations such as delete, force delete, restore, archive, retry, sync, snapshot, provider disable, credential rotation, publish, export, or evidence capture.
Do Not Activate When
- The task has no runtime authorization, action, global search, or mutation surface.
- The task only updates docs/tooling and explicitly cannot change runtime files.
Maturity
L4 hard gate.
Gate Type
hard-gate.
Source Evidence
docs/security-guidelines.mddocs/filament-guidelines.mddocs/testing-guidelines.mddocs/research/filament-v5-notes.mdspecs/402-resource-policy-authorization-proof-matrix/implementation-report.mdapps/platform/app/Support/Rbac/UiEnforcement.phpapps/platform/app/Support/Rbac/WorkspaceUiEnforcement.phpapps/platform/app/Policies/ProviderConnectionPolicy.phpapps/platform/tests/Feature/Filament/ProviderConnectionsUiEnforcementTest.phpapps/platform/tests/Feature/Rbac/AdminGlobalSearchContextSafetyTest.phpapps/platform/tests/Feature/Rbac/UiEnforcementDestructiveTest.php
External Anchors
- Filament v5 actions confirmation docs and global search docs cited in
docs/research/filament-v5-notes.md.
Required Repo Context
- The affected panel/resource/page/relation manager/action.
- Existing policy and capability constants.
UiEnforcementorWorkspaceUiEnforcementusage.- Direct execution tests for action handlers.
- Global search pages, title attributes, scoped queries, and View/Edit page posture.
Execution Checklist
- Enforce authorization in the handler through policy/gate/service, not only via hidden UI.
- Apply
UiEnforcementorWorkspaceUiEnforcementfor visible/disabled affordances. - Use canonical capability constants, not raw role strings.
- Make destructive/high-impact actions execute through
->action(...). - Require
->requiresConfirmation()for destructive/high-impact actions. - Write audit logs for mutating security/governance actions.
- Add tests for allowed, denied/disabled, direct execution denial, side effects, audit, and scope where behavior changes.
- Disable global search unless the resource has safe View/Edit pages, title attributes, scoped URLs, and non-member-safe results.
Stop Conditions
- Missing server-side authorization for a mutation or operation start.
- Destructive/high-impact action lacks
->action(...)or->requiresConfirmation(). - Hidden UI remains directly callable through Livewire/action APIs.
- Global search can reveal inaccessible records, labels, URLs, or relationship details.
- Authorization uses role strings or unregistered capability strings in new code.
- Mutating action lacks audit evidence where the domain requires auditability.
Required Evidence After Use
- Policy/gate/capability path.
- UI affordance path and direct execution path.
- Tests proving allowed and denied behavior.
- Confirmation of global search posture for changed resources.
- Audit behavior for mutating or high-impact actions.
Common Failure Modes
- Confusing action visibility with authorization.
- Assuming confirmation works on URL-only actions.
- Using per-record UI filters while leaving bulk/direct action paths open.
- Enabling global search on tenant-sensitive resources without safe detail routes.
- Returning 403 where deny-as-not-found 404 is required for non-member scope.
Quarantined Rules
Full Spec 416 quarantine list applies. Especially quarantined here: stale provider Healthy/Ready semantics; limited customer download vocabulary; raw provider/evidence payload default display; historical audits as current truth.
Review / Expiry
Review whenever RBAC planes, capabilities, Filament action rules, or global search posture change. No planned expiry.