Automated PR provided by Codex via Gitea API. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #483
98 lines
4.3 KiB
Markdown
98 lines
4.3 KiB
Markdown
---
|
|
name: tenantpilot-rbac-action-safety
|
|
description: Hard-gate TenantPilot RBAC, capability, global-search, and destructive/high-impact action safety.
|
|
---
|
|
|
|
## Purpose
|
|
|
|
Use this skill to keep TenantPilot authorization server-side, capability-driven, tenant/workspace-safe, and tested for both visible UI affordances and direct execution.
|
|
|
|
## Activate When
|
|
|
|
- Adding or changing Filament actions, table actions, bulk actions, header actions, form actions, or controller mutations.
|
|
- Touching policies, gates, capabilities, `UiEnforcement`, `WorkspaceUiEnforcement`, or global search.
|
|
- Adding destructive or high-impact operations such as delete, force delete, restore, archive, retry, sync, snapshot, provider disable, credential rotation, publish, export, or evidence capture.
|
|
|
|
## Do Not Activate When
|
|
|
|
- The task has no runtime authorization, action, global search, or mutation surface.
|
|
- The task only updates docs/tooling and explicitly cannot change runtime files.
|
|
|
|
## Maturity
|
|
|
|
L4 hard gate.
|
|
|
|
## Gate Type
|
|
|
|
hard-gate.
|
|
|
|
## Source Evidence
|
|
|
|
- `docs/security-guidelines.md`
|
|
- `docs/filament-guidelines.md`
|
|
- `docs/testing-guidelines.md`
|
|
- `docs/research/filament-v5-notes.md`
|
|
- `specs/402-resource-policy-authorization-proof-matrix/implementation-report.md`
|
|
- `apps/platform/app/Support/Rbac/UiEnforcement.php`
|
|
- `apps/platform/app/Support/Rbac/WorkspaceUiEnforcement.php`
|
|
- `apps/platform/app/Policies/ProviderConnectionPolicy.php`
|
|
- `apps/platform/tests/Feature/Filament/ProviderConnectionsUiEnforcementTest.php`
|
|
- `apps/platform/tests/Feature/Rbac/AdminGlobalSearchContextSafetyTest.php`
|
|
- `apps/platform/tests/Feature/Rbac/UiEnforcementDestructiveTest.php`
|
|
|
|
## External Anchors
|
|
|
|
- Filament v5 actions confirmation docs and global search docs cited in `docs/research/filament-v5-notes.md`.
|
|
|
|
## Required Repo Context
|
|
|
|
- The affected panel/resource/page/relation manager/action.
|
|
- Existing policy and capability constants.
|
|
- `UiEnforcement` or `WorkspaceUiEnforcement` usage.
|
|
- Direct execution tests for action handlers.
|
|
- Global search pages, title attributes, scoped queries, and View/Edit page posture.
|
|
|
|
## Execution Checklist
|
|
|
|
- Enforce authorization in the handler through policy/gate/service, not only via hidden UI.
|
|
- Apply `UiEnforcement` or `WorkspaceUiEnforcement` for visible/disabled affordances.
|
|
- Use canonical capability constants, not raw role strings.
|
|
- Make destructive/high-impact actions execute through `->action(...)`.
|
|
- Require `->requiresConfirmation()` for destructive/high-impact actions.
|
|
- Write audit logs for mutating security/governance actions.
|
|
- Add tests for allowed, denied/disabled, direct execution denial, side effects, audit, and scope where behavior changes.
|
|
- Disable global search unless the resource has safe View/Edit pages, title attributes, scoped URLs, and non-member-safe results.
|
|
|
|
## Stop Conditions
|
|
|
|
- Missing server-side authorization for a mutation or operation start.
|
|
- Destructive/high-impact action lacks `->action(...)` or `->requiresConfirmation()`.
|
|
- Hidden UI remains directly callable through Livewire/action APIs.
|
|
- Global search can reveal inaccessible records, labels, URLs, or relationship details.
|
|
- Authorization uses role strings or unregistered capability strings in new code.
|
|
- Mutating action lacks audit evidence where the domain requires auditability.
|
|
|
|
## Required Evidence After Use
|
|
|
|
- Policy/gate/capability path.
|
|
- UI affordance path and direct execution path.
|
|
- Tests proving allowed and denied behavior.
|
|
- Confirmation of global search posture for changed resources.
|
|
- Audit behavior for mutating or high-impact actions.
|
|
|
|
## Common Failure Modes
|
|
|
|
- Confusing action visibility with authorization.
|
|
- Assuming confirmation works on URL-only actions.
|
|
- Using per-record UI filters while leaving bulk/direct action paths open.
|
|
- Enabling global search on tenant-sensitive resources without safe detail routes.
|
|
- Returning 403 where deny-as-not-found 404 is required for non-member scope.
|
|
|
|
## Quarantined Rules
|
|
|
|
Full Spec 416 quarantine list applies. Especially quarantined here: stale provider Healthy/Ready semantics; limited customer download vocabulary; raw provider/evidence payload default display; historical audits as current truth.
|
|
|
|
## Review / Expiry
|
|
|
|
Review whenever RBAC planes, capabilities, Filament action rules, or global search posture change. No planned expiry.
|