feat(blueprint): scope summary reads to planning audience
@@ -135,6 +135,19 @@ Reasoning:
- management-level groups carry chargeability targets and resource-linked counts that feed planning and reporting workflows, so they should not stay on broad authenticated reads
- the list is consumed by resource editing, reporting filters, and admin configuration, which all fit the explicit planning audience better than generic `protectedProcedure`
### `packages/api/src/router/blueprint.ts`
- `listSummaries`: `planning-read`
- `resolveByIdentifier`: `authenticated-safe-lookup`
- remaining reads stay unchanged in this rollout
- create, update, delete, global-flag writes: `admin-only`
Reasoning:
- `listSummaries` exposes `_count.projects`, so the assistant-facing summary list should not remain a broad authenticated read
- `resolveByIdentifier` already returns a narrow lookup shape suitable for low-risk name/id resolution
- broader blueprint read routes still support existing UI flows and need a separate follow-up slice before they can be tightened safely
### `packages/api/src/router/holiday-calendar.ts`
- `listCalendars`, `listCalendarsDetail`, `getCalendarByIdentifier`, `getCalendarByIdentifierDetail`, `getCalendarById`: `admin-only`
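Review bot: the bullet `- remaining reads stay unchanged in this rollout` under `### packages/api/src/router/blueprint.ts` leaves the deferred scope implicit; name the blueprint read routes that stay on `protectedProcedure` for now, since the matching reasoning line only says "broader blueprint read routes", and the follow-up slice needs that list as a checklist to confirm nothing else that exposes `_count.projects` or resource-linked counts is left on a broad authenticated read. In the visible lines the `### packages/api/src/router/holiday-calendar.ts` section ends at the `admin-only` route list with no `Reasoning:` block, unlike the two routers above it; a one-line rationale for why every calendar read, including `getCalendarById`, is `admin-only` rather than `planning-read` would keep the document consistent and make the stricter choice auditable later.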