ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
c737fd65a0
TenantAtlas/specs/402-resource-policy-authorization-proof-matrix/checklists/requirements.md
ahmido c5db3ea4d1 feat: add resource policy authorization proof matrix (#473) 
Automated PR provided by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #473
2026-06-23 07:52:12 +00:00

77 lines
4.6 KiB
Markdown
Raw Blame History

# Requirements Checklist: Spec 402 - Resource Policy & Authorization Proof Matrix
**Purpose**: Validate preparation quality for Spec 402 before implementation starts.
**Created**: 2026-06-23
**Feature**: `specs/402-resource-policy-authorization-proof-matrix/spec.md`
## Candidate Selection
- [x] The selected candidate was directly provided by the operator.
- [x] The candidate is linked to the Spec 400 P1 resource-policy matrix condition.
- [x] `docs/product/spec-candidates.md` was reviewed and currently reports no safe automatic next-best-prep target.
- [x] Close alternatives are deferred instead of hidden inside the primary scope.
- [x] The target does not reopen completed Specs 400 or 401.
- [x] No existing `specs/402-resource-policy-authorization-proof-matrix/` package existed before preparation.
- [x] Existing unrelated `402-screwfast-website-rebuild` branch collision is documented as context.
## Scope Quality
- [x] The spec is bounded to existing resource authorization proof and minimal hardening.
- [x] No new roles, permission product model, product surfaces, navigation, migrations, or broad RBAC redesign are included.
- [x] Admin and system panels are both explicitly in scope.
- [x] Workspace/environment isolation is explicitly in scope.
- [x] System/admin separation is explicitly in scope.
- [x] Global search, bulk actions, relation managers, controller-backed downloads/exports, and direct invocation are explicitly in scope.
- [x] Customer/reviewer boundary proof is included only where existing surfaces/tests represent that access.
- [x] Evidence currentness, management PDF staging validation, governance lifecycle, JSONB migration, and full browser audit are deferred.
## Constitution And Product Surface
- [x] Spec Candidate Check is filled out.
- [x] Approval class is exactly one class: Core Enterprise.
- [x] Score is recorded and above the minimum threshold.
- [x] Proportionality Review is completed because the matrix is a review artifact.
- [x] No runtime source of truth, persisted table, status family, enum, taxonomy, or framework is introduced.
- [x] Product Surface Contract is referenced because existing rendered authorization behavior may change.
- [x] UI Surface Impact is classified as existing-surface authorization hardening only.
- [x] Browser proof is required for representative rendered authorization behavior.
- [x] Human Product Sanity is required for changed rendered authorization behavior.
- [x] Completed-spec rewrite guardrail is explicit.
## Plan Quality
- [x] Plan identifies Laravel, Filament, Livewire, Pest, and Sail versions from repo context.
- [x] Plan names panel provider registration location.
- [x] Plan names likely affected repository surfaces.
- [x] Plan requires matrix-first work before adding policies or hardening code.
- [x] Plan distinguishes policies, gates/capabilities, scoped queries, global search, bulk actions, relation managers, controller routes, and system-panel capability middleware.
- [x] Plan requires existing capability services to remain authoritative where they already define product semantics.
- [x] Plan forbids cosmetic policy generation.
- [x] Plan includes rollout/deployment impact and expects no migrations/env/assets/queues/storage changes.
## Task Quality
- [x] Tasks are ordered by preparation, inventory, matrix, gap classification, tests, hardening, browser proof, and report close-out.
- [x] Tasks require negative tests for every fixed authorization gap.
- [x] Tasks include direct route/resource access tests.
- [x] Tasks include cross-workspace denial tests.
- [x] Tasks include system/admin separation tests.
- [x] Tasks include Filament action execution authorization tests.
- [x] Tasks include relation manager, bulk action, global search, and controller/download/export proof tasks.
- [x] Tasks include focused browser proof and explicitly forbid claiming full browser audit.
- [x] Tasks include dirty-state protocol before and after implementation.
- [x] Tasks include final implementation report sections A through M.
## Open Questions And Readiness
- [x] No open question blocks implementation preparation.
- [x] Product-ambiguous authorization decisions are required to be deferred rather than invented.
- [x] Spec Readiness Gate can pass after artifact analysis.
- [x] Candidate Selection Gate can pass as a manual operator-promoted candidate.
## Review Outcome
- [x] Review outcome class: `acceptable-special-case` for a bounded authorization proof matrix.
- [x] Workflow outcome: `keep`.
- [x] Final note location: future implementation report `specs/402-resource-policy-authorization-proof-matrix/implementation-report.md`.
Reference in New Issue View Git Blame Copy Permalink