TenantAtlas/specs/309-rbac-role-matrix-access-boundary-audit/checklists/requirements.md
ahmido dd175c16a1 fix: tighten workspace RBAC access boundaries (#364)
## Summary
- tighten workspace RBAC and panel access boundaries
- remove non-owner workspace membership management capability from workspace role mapping
- add focused boundary coverage for admin panel, managed environments, providers, review packs, operation runs, finding exceptions, and workspace role capabilities
- include spec artifacts for feature 309

## Testing
- cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Rbac/RoleMatrix/ManagerAccessTest.php tests/Feature/Rbac/WorkspaceMembershipsRelationManagerUiEnforcementTest.php tests/Feature/Rbac/AdminPanelAccessBoundaryTest.php tests/Feature/Rbac/FindingExceptionLifecycleAccessBoundaryTest.php tests/Feature/Rbac/ManagedEnvironmentAccessBoundaryTest.php tests/Feature/Rbac/OperationRunAccessBoundaryTest.php tests/Feature/Rbac/ProviderConnectionAccessBoundaryTest.php tests/Feature/Rbac/ReviewPackAccessBoundaryTest.php tests/Feature/Rbac/SystemPanelAccessBoundaryTest.php tests/Feature/Rbac/WorkspaceRoleCapabilityBoundaryTest.php tests/Unit/Auth/CapabilityResolverTest.php tests/Unit/Auth/WorkspaceRoleCapabilityMapTest.php
- cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #364
2026-05-15 14:00:21 +00:00

49 lines
2.6 KiB
Markdown

# Specification Quality Checklist: RBAC Role Matrix & Access Boundary Audit
**Purpose**: Validate specification completeness and quality before implementation planning/implementation.
**Created**: 2026-05-15
**Feature**: [spec.md](../spec.md)
## Content Quality
- [x] No application implementation was performed during preparation.
- [x] Focus is on security, trust, auditability, and boundary correctness.
- [x] The spec is repo-based and names the current evidence anchors.
- [x] All mandatory repo-specific sections are completed or explicitly marked N/A.
- [x] The candidate check required by SPEC-GATE-001 is completed.
- [x] Candidate selection rationale and completed-spec guardrail result are recorded.
## Requirement Completeness
- [x] No `[NEEDS CLARIFICATION]` markers remain.
- [x] Functional requirements are testable and boundary-oriented.
- [x] Acceptance criteria cover role inventory, owner-only contradictions, panel boundaries, workspace isolation, environment isolation, sensitive actions, and no RBAC redesign.
- [x] Edge cases are identified.
- [x] Scope is clearly bounded to audit-first minimal hardening.
- [x] Dependencies and assumptions are identified.
## Constitution Alignment
- [x] Workspace isolation and managed-environment isolation are explicit.
- [x] RBAC-UX server-side source-of-truth rules are explicit.
- [x] 404 vs 403 semantics are explicit.
- [x] Capability registry usage is explicit.
- [x] Test governance and lane classification are explicit.
- [x] Proportionality review confirms no new persisted truth, role model, table, enum/status family, or broad framework is planned.
## Feature Readiness
- [x] `spec.md` exists.
- [x] `plan.md` exists.
- [x] `tasks.md` exists.
- [x] Tasks are ordered by read-only inventory, classification, tests first, minimal fixes, validation, and close-out.
- [x] Tasks include focused tests and validation commands.
- [x] Follow-up candidates are listed instead of hidden in scope.
- [x] Related completed specs are treated as context only and are not modified.
## Notes
- Preparation found a repo-real path correction: `WorkspaceRoleCapabilityMap.php` is under `apps/platform/app/Services/Auth/`, not `apps/platform/app/Support/Auth/`.
- Preparation found a high-risk static contradiction to verify during implementation: Manager currently receives `WORKSPACE_MEMBERSHIP_MANAGE` and `TENANT_MEMBERSHIP_MANAGE`, while the Constitution says Manager must not manage tenant memberships.
- Preparation did not modify application code, tests, migrations, resources, routes, policies, models, services, jobs, views, or assets.