70 lines
4.1 KiB
Markdown
70 lines
4.1 KiB
Markdown
# Audience Scoping Backlog
|
|
|
|
**Date:** 2026-03-30
|
|
**Purpose:** Collect the remaining audience-scoping work into a single batch backlog so the small auth-hardening slices can be finished before broader architecture work starts.
|
|
|
|
## Status Snapshot
|
|
|
|
### Done
|
|
|
|
- `blueprint.listSummaries`: narrowed to `planning-read`
|
|
- `blueprint.getGlobalFieldDefs`: narrowed to `planning-read` with explicit auth coverage
|
|
- `entitlement.getBalance`, `entitlement.getBalanceDetail`: narrowed to self-service with elevated cross-resource access for controller, manager, and admin
|
|
- `vacation.previewRequest`: now enforces owned-resource access for normal users
|
|
- `holidayCalendar.resolveResourceHolidays`, `holidayCalendar.resolveResourceHolidaysDetail`: now enforce self-service ownership with elevated manager/admin reads
|
|
- `assistant.listPendingApprovals`: documented and covered as self-service
|
|
- `assistant.chat`: documented as an authenticated shell with tool-level audience enforcement
|
|
- `resource.chapters`: documented and covered as authenticated safe lookup
|
|
- `resource.importSkillMatrix`: documented as self-service and auth-verified
|
|
- `project.isImageGenConfigured`, `project.isDalleConfigured`: covered as authenticated low-risk configuration checks
|
|
- `notification` self-service and manager boundaries: auth-covered across list, unread counts, reminders, deletes, broadcasts, task creation, and assignment boundaries
|
|
- `assistant-tools` parity metadata: descriptions and parity assertions now match narrowed router audiences for resource overview, controller-only, self-service, and manager broadcast/task tools
|
|
- `comment` architecture phase 1: generic free-form entity comments replaced by an explicit supported-entity registry, currently limited to `estimate` with controller/manager/admin access plus entity-aware checks on list/count/create/resolve/delete
|
|
|
|
### Dirty Files To Avoid Mixing Into This Batch
|
|
|
|
- `packages/api/src/__tests__/assistant-tools-advanced.test.ts`
|
|
- `packages/api/src/router/notification.ts`
|
|
- `packages/api/src/__tests__/assistant-tools-import-export.test.ts`
|
|
- `packages/api/src/__tests__/notification-router.test.ts`
|
|
|
|
These files already have unrelated local edits. Audience parity work that would normally touch them should be deferred or handled through adjacent files and dedicated follow-up tests.
|
|
|
|
## Remaining Categories
|
|
|
|
### Completed In This Batch
|
|
|
|
- `packages/api/src/router/blueprint.ts` -> `getGlobalFieldDefs`
|
|
- `packages/api/src/router/assistant.ts` -> `listPendingApprovals`
|
|
- `packages/api/src/router/assistant.ts` -> `chat` matrix clarification
|
|
- `packages/api/src/router/resource.ts` -> `chapters`
|
|
- `packages/api/src/router/resource.ts` -> `importSkillMatrix`
|
|
- `packages/api/src/router/project.ts` -> `isImageGenConfigured`, `isDalleConfigured`
|
|
|
|
### No Further Small Slices Currently Ready
|
|
|
|
- the previously identified small hardening and tests/docs candidates have been completed, including the notification auth follow-up and assistant tool parity metadata cleanup
|
|
- the remaining audience work is now architectural (`comment.ts`) or depends on broader policy decisions rather than another ready-made auth slice
|
|
|
|
## Recommended Next Order
|
|
|
|
1. extend the comment entity registry only when a second real consumer exists and its backing audience is explicitly documented
|
|
|
|
## Slice Definition
|
|
|
|
Each “ready now” slice should follow the same template:
|
|
|
|
1. change the router audience only if the current procedure is too broad
|
|
2. add focused auth tests for unauthenticated, plain authenticated, and elevated callers as applicable
|
|
3. update [route-access-matrix.md](/home/hartmut/Documents/Copilot/capakraken/docs/route-access-matrix.md)
|
|
4. verify with targeted `vitest`
|
|
5. run `git diff --check`
|
|
6. commit in isolation
|
|
|
|
## Exit Criteria For This Batch
|
|
|
|
- every route in this document is classified as either `done`, `ready now`, `tests/docs only`, `needs architecture`, or `blocked`
|
|
- every formerly `ready now` route now has router-level authorization coverage or explicit low-risk documentation
|
|
- the access matrix documents all low-risk exceptions explicitly
|
|
- larger architecture work starts only after this batch is either completed or intentionally deferred
|