test(assistant): document self-service approval access
@@ -218,6 +218,16 @@ Reasoning:
- `listAssignable` is an operational lookup for delegation and assignment flows, which fits manager and admin audiences
- user administration and effective-permission inspection expose high-sensitivity identity and authorization state and therefore should remain admin-only
### `packages/api/src/router/assistant.ts`
- `listPendingApprovals`: `self-service`
- `chat`: authenticated shell with tool-level audience enforcement
Reasoning:
- `listPendingApprovals` reads pending approvals by `ctx.dbUser.id`, so it is a self-service view of the caller's own approval queue
- `chat` requires authentication, but the effective data audience is enforced by assistant tool selection and backing router permissions rather than by a single broad router audience on the chat endpoint itself
## Assistant Parity Rule
- assistant tool visibility must never widen the audience of the backing router
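Review bot: the "Assistant Parity Rule" added at the end of this hunk constrains only tool *visibility*, but visibility is not an authorization control; the `chat` entry above it already says the effective audience comes from "assistant tool selection and backing router permissions", and of those two only the backing router check is enforceable at execution time. Suggest widening the rule to cover execution, for example "assistant tool visibility and execution must never widen the audience of the backing router; every tool call re-enters the backing router's permission check rather than calling service code directly", and adding a matching reasoning bullet under `chat` naming that check as the authoritative one. The `listPendingApprovals` rationale (filtered by `ctx.dbUser.id`) is fine as written.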