feat(master-data): scope detail reads to resource overview
@@ -79,6 +79,28 @@ Reasoning:
|
||||
|
||||
- system role defaults define the effective permission model and therefore belong to the smallest operational audience
|
||||
|
||||
### `packages/api/src/router/country.ts`
|
||||
|
||||
- `list`, `resolveByIdentifier`, `getCityById`: `authenticated-safe-lookup`
|
||||
- `getByIdentifier`, `getById`: `resource-overview`
|
||||
- create, update, metro-city writes: `admin-only`
|
||||
|
||||
Reasoning:
|
||||
|
||||
- minimal country lookups are needed broadly for forms, filters, and location resolution
|
||||
- detailed country reads include metro-city detail plus `_count.resources`, so they should align with broad people-directory visibility
|
||||
|
||||
### `packages/api/src/router/org-unit.ts`
|
||||
|
||||
- `list`, `getTree`, `resolveByIdentifier`: `authenticated-safe-lookup`
|
||||
- `getByIdentifier`, `getById`: `resource-overview`
|
||||
- create, update, deactivate: `admin-only`
|
||||
|
||||
Reasoning:
|
||||
|
||||
- minimal org-unit lookups are low-risk master data
|
||||
- detailed org-unit reads expose `_count.resources` and parent/child context that maps the staffing structure
|
||||
|
||||
## Assistant Parity Rule
|
||||
|
||||
- assistant tool visibility must never widen the audience of the backing router
|
||||
|
||||
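Review bot: In the `country.ts` section, `getCityById` is listed as `authenticated-safe-lookup`, yet the reasoning names metro-city detail as one of the reasons detailed country reads belong to `resource-overview`. In the `org-unit.ts` section, `getTree` likewise stays `authenticated-safe-lookup` although the reasoning treats parent/child context as sensitive because it maps the staffing structure. As written, the tier lists and the reasoning bullets pull in different directions. Suggest either stating which fields these two lookups return (in particular that neither carries `_count.resources` or the full parent/child detail), or moving them to `resource-overview`. The same applies to `resolveByIdentifier` in both routers: a sentence on what distinguishes its response from `getByIdentifier` would let a reader confirm that the minimal lookup cannot be used to read the detail the stricter tier is meant to protect.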