# Scratchpad — Premium ABAC Exhaustive Remediation Sweep - Plan slug: `premium-abac-exhaustive-remediation-sweep` - Created: `2026-04-22` ## What This Is This is the working memory for the exhaustive post-remediation premium-ABAC sweep. It intentionally preserves the earlier 2026-04-22 remediation plan as a historical checkpoint and expands the remaining work into one comprehensive backlog covering lifecycle integrity, server-action parity, count/pagination honesty, linked-subresource semantics, and final close-out validation. ## Decisions - (2026-04-22) Create a **new** remediation plan instead of mutating `2026-04-22-premium-abac-remediation/`, so the earlier plan remains the historical record of the surgical pass. - (2026-04-22) This plan is the “leave no stone unturned” sweep for the premium-ABAC rollout. - (2026-04-22) API controller hardening is no longer enough; server actions, helper layers, counts, summaries, and linked-resource surfaces are now first-class remediation targets. - (2026-04-22) Aggregates, totals, tree counts, summary metrics, and file/URL helpers are security surfaces and must be treated as such. - (2026-04-22) Default principle for this sweep: reuse the shared kernel or a parent-authorized structural helper; do not create new shadow auth models. - (2026-04-22) Archive semantics decision: archiving a bundle will immediately disable active assignments to avoid misleading active-but-inert state. - (2026-04-22) Clone semantics decision: cloning a bundle without a published revision is rejected; cloning only uses published revisions. - (2026-04-22) Asset linked-child semantics decision: structural asset-owned data (maintenance/history) inherits parent asset authorization, while linked ticket/document payloads must satisfy intersection semantics (authorized parent asset + child resource-family authorization). ## Discoveries / Constraints ### Historical context - (2026-04-22) Existing premium-ABAC plan: `ee/docs/plans/2026-04-21-premium-abac-authorization-kernel/` - (2026-04-22) Existing surgical remediation plan: `ee/docs/plans/2026-04-22-premium-abac-remediation/` - (2026-04-22) Latest remediation checkpoint commit before this new plan: `cfa8cd208` — `fix(remediation): harden api parity and bundle lifecycle` ### Bundle lifecycle / EE control plane - (2026-04-22) `ensureDraftBundleRevision(...)` still has a revision-number race window: concurrent callers can compute the same `nextRevisionNumber`. - (2026-04-22) `ensureDraftBundleRevision(...)` copies published rules outside a single transaction boundary, so draft creation can succeed while rule copy fails partway. - (2026-04-22) EE actions call `ensureDraftBundleRevision(...)` before later write operations, leaving a stale-draft race window between draft acquisition and rule mutation/publish. - (2026-04-22) `publishBundleRevision(...)` currently needs a stronger policy around empty/invalid draft publish behavior. - (2026-04-22) `20260422143000_enforce_authorization_revision_lifecycle_uniqueness.cjs` needs a duplicate-row preflight, otherwise uniqueness-index creation can fail too quietly when historical duplicates already exist. - (2026-04-22) Assignment/archive semantics are still under-defined: archived bundles can leave confusing assignment state behind unless governance is tightened further. - (2026-04-22) Implemented: `ensureDraftBundleRevision(...)` is now wrapped in one transaction that locks the bundle row, serializes draft creation, and copies published rules atomically. - (2026-04-22) Implemented: draft mutation/publish EE actions now run `ensureDraft + write` in one transaction boundary for stale-state safety. - (2026-04-22) Implemented: `publishBundleRevision(...)` now rejects empty drafts with an actionable error. - (2026-04-22) Implemented: assignment creation now rejects archived bundles; assignment status updates now fail loudly for missing assignments and archived-bundle reactivation attempts. - (2026-04-22) Implemented: `archiveBundle(...)` now disables active assignments as part of archive transition. - (2026-04-22) Implemented: lifecycle-uniqueness migration now preflights duplicate draft/published rows and emits a concrete repair query/path. ### Billing / quote server actions - (2026-04-22) `packages/billing/src/actions/quoteActions.ts` is still inconsistent: `getQuote`, `listQuotes`, and `approveQuote` use kernel logic, but many other reads/mutations remain RBAC-only. - (2026-04-22) `listQuotes` still reports `total: filteredData.length`, which is page-local post-filter count, not true authorized total. - (2026-04-22) Quote item helpers (`add/update/remove/reorder`) still need parent-quote authorization and item-to-quote integrity validation. - (2026-04-22) Converted-contract / converted-invoice lookup helpers can return quotes without reapplying quote narrowing. - (2026-04-22) PDF/preview/reminder/send/conversion/version flows need the same read-before-mutate parity now present in `ApiQuoteController.ts`. - (2026-04-22) Implemented shared quote-read authorization helper set in `packages/billing/src/actions/quoteActions.ts`: - `createQuoteAuthorizationKernel(...)` - `authorizeQuoteReadDecision(...)` - `getAuthorizedQuoteForRead(...)` - `assertQuoteReadAllowedForMutation(...)` - (2026-04-22) Implemented record-level quote auth for read helpers: - versions, conversion preview, converted-contract/invoice lookups, pdf file-id lookup, PDF download, preview render. - (2026-04-22) Implemented record-level quote auth for mutations: - update/delete, submit-for-approval, request-changes, send/resend/remind, create-revision, conversion flows, regenerate-pdf. - (2026-04-22) Implemented quote-item integrity guards: - item update cannot move across quotes. - add/update/remove/reorder now require parent quote authorization. - (2026-04-22) Implemented authorization-aware quote pagination totals by using `buildAuthorizationAwarePage(...)` and authorized `total/totalPages` semantics. ### Documents - (2026-04-22) `packages/documents/src/actions/documentActions.ts` now has partial auth-aware pagination, but many other surfaces remain RBAC-only or unauthenticated. - (2026-04-22) URL helper surfaces such as download/preview/thumbnail/image helper paths still need a complete kernel-backed story. - (2026-04-22) Bulk mutations (move, visibility, association, folder ops) still need record-level authorization. - (2026-04-22) `getDocumentCountsForEntities` and `getFolderStats` were flagged as especially risky because they can leak counts/sizes without real narrowing. - (2026-04-22) `documentPermissionUtils.ts` still acts as a weaker parallel permission model and should likely be bypassed or retired in favor of kernel-backed helpers. - (2026-04-22) `documentContentActions.ts` and `documentBlockContentActions.ts` were flagged for very weak or missing auth. - (2026-04-22) Implemented kernel-backed document URL helper hardening (`F016`) by adding/using authorized document resolvers: - new helper: `getAuthorizedDocumentById(...)` in `packages/documents/src/actions/documentActions.ts` - existing helper reused: `getAuthorizedDocumentByFileId(...)` - (2026-04-22) Hardened server URL routes to use authorized resolvers instead of raw RBAC-only document lookups: - `server/src/app/api/documents/[documentId]/download/route.ts` - `server/src/app/api/documents/[documentId]/preview/route.ts` - `server/src/app/api/documents/[documentId]/thumbnail/route.ts` - `server/src/app/api/documents/view/[fileId]/route.ts` - (2026-04-22) Hardened URL-returning document actions to require authorized-document lookup before returning URL values: - `getDocumentDownloadUrl` - `getDocumentThumbnailUrl` - `getDocumentPreviewUrl` - `getImageUrl` - (2026-04-22) Implemented document mutation hardening (`F017`) with shared mutation guards: - new helper: `assertAuthorizedDocumentSetForMutation(...)` in `packages/documents/src/actions/documentActions.ts` - update/delete/association/folder-mutation flows now fail closed when any targeted document is missing or unauthorized. - (2026-04-22) Hardened content/block-content document helpers (`F018`) so read/write/delete operations require: - resource-level RBAC permission (`document.read/update/delete`) - authorized parent-document resolution via `getAuthorizedDocumentById(...)` - (2026-04-22) Implemented aggregate hardening (`F019`) for document count surfaces: - `getDocumentCountsForEntities` now resolves associated documents and counts only kernel-authorized records. - `getFolderStats` now computes count/size from authorized document sets. - folder-tree count enrichment now removes hardcoded entity-type shortcuts and counts only authorized records. - (2026-04-22) Implemented `F020` by removing the remaining `documentPermissionUtils`-based entity-type prefilter from `getDocumentsByFolder(...)`; folder document visibility now depends on kernel-backed document authorization, not helper-layer shadow auth rules. - (2026-04-22) Closed `F021` via the same aggregate sweep: folder trees (`enrichFolderTreeWithCounts`), folder stats (`getFolderStats`), and entity count helpers now derive values from authorized-document sets only. - (2026-04-22) Typecheck status after `F018`: - `packages/documents` still has pre-existing TS errors in UI components (`block_data` typing in `CollaborativeEditor.tsx` and `Documents.tsx` family). - no new type errors remain in changed action files after remediation patching. ### Assets - (2026-04-22) `packages/assets/src/actions/assetActions.ts` only applies asset-level narrowing in a few places (`getAsset`, `getAssetDetailBundle`, `listAssets`). - (2026-04-22) `listAssets` still returns pre-narrowing totals. - (2026-04-22) `getAssetSummaryMetrics` was flagged as a zero-auth surface. - (2026-04-22) Relationship, maintenance, history, linked-ticket, and client-summary paths still mostly rely on RBAC only. - (2026-04-22) Asset detail bundles need an explicit policy decision about linked tickets/documents: parent asset read only, or parent + child intersection. - (2026-04-22) Implemented shared asset-read authorizer helpers (`F022`) in `packages/assets/src/actions/assetActions.ts`: - `createAssetReadAuthorizationKernel(...)` - `createAssetReadAuthorizationContext(...)` - `authorizeAssetReadDecision(...)` - `assertAssetReadAllowed(...)` - (2026-04-22) Implemented authorization-aware asset pagination totals (`F023`) by moving `listAssets` to `buildAuthorizationAwarePage(...)` and returning `authorizedPage.total`. - (2026-04-22) Implemented exhaustive asset read hardening (`F024`) in `packages/assets/src/actions/assetActions.ts`: - Added reusable helpers for ID-based asset auth enforcement across non-list surfaces: - `resolveAssetAuthorizationInputById(...)` - `assertAssetReadAllowedById(...)` - `createAuthorizedAssetReadContextForUser(...)` - `getAuthorizedAssetIdsForClient(...)` - Applied asset-level authorization checks to remaining read surfaces: - `getAssetRelationships` - `getAssetMaintenanceSchedules` - `getAssetMaintenanceReport` - `getAssetHistory` - `getAssetLinkedTickets` - `listEntityAssets` - `getClientMaintenanceSummary` - `getClientMaintenanceSummaries` - `getAssetSummaryMetrics` (previously zero-auth). - Client maintenance summaries now compute metrics over authorized asset sets only. - (2026-04-22) Implemented asset mutation hardening (`F025`) in `packages/assets/src/actions/assetActions.ts`: - Added asset-level authorization gating to: - `updateAsset` - `deleteAsset` - `createAssetRelationship` - `deleteAssetRelationship` - `createAssetAssociation` - `removeAssetAssociation` - `createMaintenanceSchedule` - `updateMaintenanceSchedule` - `deleteMaintenanceSchedule` - `recordMaintenanceHistory` - Added maintenance-history integrity check: schedule must belong to the provided asset. - (2026-04-22) Implemented linked-child intersection semantics (`F026`) in asset detail and linked-ticket/document reads: - `getAssetDetailBundle` now performs: - parent asset authorization for structural children - child `ticket`/`document` authorization filtering for linked payloads. - `fetchAssetLinkedTickets(...)` now supports child `ticket` kernel filtering. - `fetchAssetDocuments(...)` now supports child `document` kernel filtering. ### Projects / tasks / statuses - (2026-04-22) `packages/projects/src/actions/projectActions.ts` is partially hardened but still has remaining parity work. - (2026-04-22) Local exploratory edits are currently in progress in `projectActions.ts` and `projectAuthorization.contract.test.ts`; they are not yet committed and are not by themselves the exhaustive solution. - (2026-04-22) `packages/projects/src/actions/projectTaskActions.ts` remains broadly RBAC-only and does not consistently resolve/authorize the parent project. - (2026-04-22) `packages/projects/src/actions/projectTaskStatusActions.ts` was flagged for both RBAC-only paths and zero-check surfaces. - (2026-04-22) Cross-project move/duplicate/link flows are especially risky because they need authorization on both source and target projects. - (2026-04-22) Phase task counts and status-mapping task counts are auth-sensitive aggregate leaks, not just UX helpers. - (2026-04-22) Implemented `F027` project-actions parity sweep in `packages/projects/src/actions/projectActions.ts`: - phase mutations (`updatePhase`, `deletePhase`, `addProjectPhase`, `reorderPhase`) now resolve parent project and enforce `assertProjectReadAllowed(...)`. - project status mutations now authorize all project mappings tied to a status ID before update/delete (`resolveProjectIdsForStatus(...)` + per-project assert). - internal status resolution helper `getProjectTaskStatusesInternal(...)` now enforces parent-project authorization before returning phase/status data. - (2026-04-22) Implemented `F028-F029` parent-project gating across `projectTaskActions.ts`: - Added shared reusable parent-project gating helpers in task actions: - `createProjectReadAuthorizer(...)` - `assertProjectReadAllowedById(...)` - resolver helpers for task/phase/checklist/resource/ticket-link IDs. - Applied parent-project gating to task/checklist/dependency/resource/ticket-link reads and mutations. - `getLinkedTasksForTicketAction` now filters linked tasks to authorized project contexts only. - (2026-04-22) Implemented `F030` status-action gating in `projectTaskStatusActions.ts`: - Added project kernel authorization helper `assertProjectReadAllowed(...)`. - Applied parent-project gating to status mapping create/read/update/delete/reorder/copy/remove-phase flows. - Closed previously zero-check count surface by hardening `getStatusMappingTaskCount`. - (2026-04-22) Implemented `F031-F032` via task/status helper hardening: - aggregate helpers now require project authorization (`getPhaseTaskCounts`, `getProjectTaskData`, `getStatusMappingTaskCount`). - cross-project move/duplicate/link flows now enforce source + target project authorization (`moveTaskToPhase`, `duplicateTaskToPhase`, `addTicketLinkAction`). ### Time / remaining resource-family re-audit - (2026-04-22) The prior remediation fixed the `time_entry` resource key mismatch, but a broader re-audit is still needed to confirm there are no leftover helper/count leaks or RBAC-only delegation paths. - (2026-04-22) Re-audit (`F034`) found delegation gaps in time-sheet actions: - `requestChangesForTimeSheet` did not enforce delegation on the target subject. - non-owner path in `addCommentToTimeSheet` did not enforce delegation. - (2026-04-22) Implemented time/delegation remediation (`F034`) in: - `packages/scheduling/src/actions/timeSheetActions.ts` - `packages/scheduling/src/actions/timeEntryDelegationAuth.ts` - `packages/scheduling/tests/timeDelegationSweep.contract.test.ts` - `packages/scheduling/tests/timeEntryDelegationAuth.authorization.test.ts` - (2026-04-22) `requestChangesForTimeSheet` and non-owner comments now require `assertCanActOnBehalf(...)`. - (2026-04-22) Delegation helper now avoids unnecessary managed-user expansion for tenant-wide (`timesheet:read_all`) checks while preserving fail-closed behavior. ## Commands / Runbooks - (2026-04-22) Review current auth-remediation history: - `git log --oneline --decorate --reverse --ancestry-path $(git merge-base HEAD origin/main)..HEAD` - (2026-04-22) Review the latest remediation checkpoint commit: - `git show --stat cfa8cd208` - (2026-04-22) Inspect bundle lifecycle service: - `read server/src/lib/authorization/bundles/service.ts` - (2026-04-22) Inspect EE bundle actions: - `read ee/server/src/lib/actions/auth/authorizationBundleActions.ts` - (2026-04-22) Inspect hardened API controller patterns for reuse: - `read server/src/lib/api/controllers/ApiTicketController.ts` - `read server/src/lib/api/controllers/ApiProjectController.ts` - `read server/src/lib/api/controllers/ApiQuoteController.ts` - `read server/src/lib/api/controllers/authorizationAwarePagination.ts` - (2026-04-22) Inspect server-action domains: - `read packages/billing/src/actions/quoteActions.ts` - `read packages/documents/src/actions/documentActions.ts` - `read packages/assets/src/actions/assetActions.ts` - `read packages/projects/src/actions/projectActions.ts` - `read packages/projects/src/actions/projectTaskActions.ts` - `read packages/projects/src/actions/projectTaskStatusActions.ts` - (2026-04-22) Quick grep for auth-sensitive list/count/helper surfaces: - `rg -n "count\(|totalCount|pagination|hasPermission\(|authorizeResource\(|authorizeMutation\(" packages server ee` - (2026-04-22) Run targeted bundle hardening unit/contract tests: - `cd server && pnpm vitest src/test/unit/authorization/bundleLifecycleHardening.contract.test.ts src/test/unit/authorization/bundleManagement.contract.test.ts src/test/unit/migrations/authorizationBundleRevisionLifecycleUniquenessMigration.test.ts` - (2026-04-22) Run lifecycle integration tests (requires local Postgres): - `cd server && pnpm vitest src/test/integration/authorization/bundleLifecycleIntegrity.integration.test.ts` - (2026-04-22) Run quote parity contract test: - `cd server && pnpm vitest ../packages/billing/src/actions/quoteAuthorizationParity.contract.test.ts` - (2026-04-22) Run document URL authorization contract test: - `cd server && pnpm vitest src/test/unit/documents/documentUrlAuthorization.contract.test.ts` - (2026-04-22) Run focused document mutation/content regression tests: - `cd server && pnpm vitest src/test/unit/documentFolderOperations.test.ts ../packages/documents/tests/documentActions.authorization.contract.test.ts ../packages/documents/tests/documentContent.authorization.contract.test.ts --coverage.enabled false` - (2026-04-22) Run quote parity contract test for `T007-T010` status validation: - `cd server && pnpm vitest ../packages/billing/src/actions/quoteAuthorizationParity.contract.test.ts --coverage.enabled false` - (2026-04-22) Run package-level document typecheck: - `pnpm -C packages/documents typecheck` - (2026-04-22) Re-run count/folder hardening tests: - `cd server && pnpm vitest src/test/unit/documentFolderOperations.test.ts ../packages/documents/tests/documentActions.authorization.contract.test.ts --coverage.enabled false` - (2026-04-22) Run asset auth/pagination contract test: - `cd server && pnpm vitest ../packages/assets/src/actions/assetAuthorization.contract.test.ts --coverage.enabled false` - (2026-04-22) Run assets package typecheck after exhaustive hardening: - `pnpm -C packages/assets typecheck` - (2026-04-22) Run project-action parity contract test: - `cd server && pnpm vitest ../packages/projects/src/actions/projectAuthorization.contract.test.ts --coverage.enabled false` - (2026-04-22) Run projects package typecheck: - `pnpm -C packages/projects typecheck` - (2026-04-22) Run time/delegation re-audit validation tests: - `cd server && pnpm vitest ../packages/scheduling/tests/timeDelegationSweep.contract.test.ts ../packages/scheduling/tests/timeEntryDelegationAuth.authorization.test.ts --coverage.enabled false` - (2026-04-22) Run close-out artifact contract test: - `cd server && pnpm vitest src/test/unit/authorization/premiumAbacExhaustiveInventory.contract.test.ts --coverage.enabled false` ## Links / References - Original premium-ABAC plan: - `ee/docs/plans/2026-04-21-premium-abac-authorization-kernel/PRD.md` - `ee/docs/plans/2026-04-21-premium-abac-authorization-kernel/features.json` - `ee/docs/plans/2026-04-21-premium-abac-authorization-kernel/tests.json` - `ee/docs/plans/2026-04-21-premium-abac-authorization-kernel/CURRENT_AUTHORIZATION_BASELINE.md` - Surgical remediation plan: - `ee/docs/plans/2026-04-22-premium-abac-remediation/PRD.md` - `ee/docs/plans/2026-04-22-premium-abac-remediation/features.json` - `ee/docs/plans/2026-04-22-premium-abac-remediation/tests.json` - `ee/docs/plans/2026-04-22-premium-abac-remediation/SCRATCHPAD.md` - Key implementation files: - `server/src/lib/authorization/bundles/service.ts` - `server/src/lib/authorization/kernel/providers/bundleProvider.ts` - `server/src/lib/api/controllers/authorizationKernel.ts` - `server/src/lib/api/controllers/authorizationAwarePagination.ts` - `packages/billing/src/actions/quoteActions.ts` - `packages/documents/src/actions/documentActions.ts` - `packages/assets/src/actions/assetActions.ts` - `packages/projects/src/actions/projectActions.ts` - `packages/projects/src/actions/projectTaskActions.ts` - `packages/projects/src/actions/projectTaskStatusActions.ts` ## Open Questions - Should linked tickets/documents inside asset detail bundles require parent asset auth only, or intersection with child-resource auth? - For project-linked ticket/task surfaces, where exactly should inheritance stop so ticket auth is not weakened? - Should archiving a bundle automatically disable assignments for hygiene, or should assignments remain inert but active in the table? - If a bundle has never been published, should cloning copy its latest draft or reject the clone as ambiguous in-progress state? - Is `SCRATCHPAD.md` enough for the exhaustive surface matrix, or should we add a dedicated close-out artifact later? ## Progress Log - (2026-04-22) Chose plan shape **B** with the user: preserve the earlier remediation plan and create a new exhaustive sweep plan. - (2026-04-22) Ran parallel reviewer audits across five domains: - documents - billing quote server actions - assets - projects/tasks/statuses - bundle lifecycle / EE control plane - (2026-04-22) Reviewer findings confirmed that the remaining scope is materially larger than the earlier surgical remediation plan and warrants a dedicated exhaustive backlog. - (2026-04-22) Created this new plan folder and drafted a PRD/features/tests set centered on the reviewer findings plus the already-known parity backlog. - (2026-04-22) Completed `F001` by preserving explicit lineage/cross-links in the new PRD and scratchpad to both prior plans and prior checkpoint commit. - (2026-04-22) Completed lifecycle feature wave `F002-F010` in: - `server/src/lib/authorization/bundles/service.ts` - `ee/server/src/lib/actions/auth/authorizationBundleActions.ts` - `server/migrations/20260422143000_enforce_authorization_revision_lifecycle_uniqueness.cjs` - (2026-04-22) Added lifecycle regression coverage for `T001-T006` via: - `server/src/test/integration/authorization/bundleLifecycleIntegrity.integration.test.ts` - `server/src/test/unit/migrations/authorizationBundleRevisionLifecycleUniquenessMigration.test.ts` - `server/src/test/unit/authorization/bundleLifecycleHardening.contract.test.ts` - (2026-04-22) Validation status: - unit/contract tests pass for touched lifecycle contracts/migration. - integration suite is authored but currently cannot execute in this shell because Postgres is unavailable (`ECONNREFUSED 127.0.0.1:5432`). - (2026-04-22) Completed quote hardening feature wave `F011-F015` in: - `packages/billing/src/actions/quoteActions.ts` - `packages/billing/src/actions/quoteAuthorizationParity.contract.test.ts` - (2026-04-22) Completed document URL helper hardening `F016` in: - `packages/documents/src/actions/documentActions.ts` - `server/src/app/api/documents/[documentId]/download/route.ts` - `server/src/app/api/documents/[documentId]/preview/route.ts` - `server/src/app/api/documents/[documentId]/thumbnail/route.ts` - `server/src/app/api/documents/view/[fileId]/route.ts` - `server/src/test/unit/documents/documentUrlAuthorization.contract.test.ts` - (2026-04-22) Completed document mutation hardening `F017` in: - `packages/documents/src/actions/documentActions.ts` - `server/src/test/unit/documentFolderOperations.test.ts` (updated to validate new mutation-guard behavior) - `packages/documents/tests/documentActions.authorization.contract.test.ts` (expanded with `T012` mutation-surface contract coverage) - (2026-04-22) Completed document content/block-content hardening `F018` in: - `packages/documents/src/actions/documentContentActions.ts` - `packages/documents/src/actions/documentBlockContentActions.ts` - `packages/documents/tests/documentContent.authorization.contract.test.ts` (`T013`) - (2026-04-22) Completed document aggregate hardening `F019` in: - `packages/documents/src/actions/documentActions.ts` - `packages/documents/tests/documentActions.authorization.contract.test.ts` (`T014`) - `server/src/test/unit/documentFolderOperations.test.ts` (updated folder-stats expectations for auth-aware counting) - (2026-04-22) Completed `F020` (bypass divergent `documentPermissionUtils` shadow auth path) in: - `packages/documents/src/actions/documentActions.ts` - `packages/documents/tests/documentActions.authorization.contract.test.ts` - `server/src/test/unit/documentFolderOperations.test.ts` (removed entity-type helper mock assumptions) - (2026-04-22) Completed `F021` (authorized semantics for folder trees/counts/summary metrics) in: - `packages/documents/src/actions/documentActions.ts` - `packages/documents/tests/documentActions.authorization.contract.test.ts` (`T014`) - `server/src/test/unit/documentFolderOperations.test.ts` - (2026-04-22) Completed asset shared read-authorizer + pagination totals wave (`F022-F023`) in: - `packages/assets/src/actions/assetActions.ts` - `packages/assets/src/actions/assetAuthorization.contract.test.ts` (`T015`) - (2026-04-22) Completed asset exhaustive hardening wave (`F024-F026`) in: - `packages/assets/src/actions/assetActions.ts` - `packages/assets/src/actions/assetAuthorization.contract.test.ts` (`T016-T018`) - (2026-04-22) Completed asset regression-coverage feature (`F042`) by expanding asset contract coverage for: - remaining reads (relationships/maintenance/history/linked tickets/client summaries/entity-linked assets/summary metrics) - remaining mutations (asset update/delete, relationships/associations, maintenance mutations) - linked child-resource intersection semantics in detail bundles. - (2026-04-22) Validation status for asset exhaustive wave: - `cd server && pnpm vitest ../packages/assets/src/actions/assetAuthorization.contract.test.ts --coverage.enabled false` passed. - `pnpm -C packages/assets typecheck` passed. - (2026-04-22) Completed `F027` (projectActions phase/detail/status/tree parity hardening) in: - `packages/projects/src/actions/projectActions.ts` - `packages/projects/src/actions/projectAuthorization.contract.test.ts` (`T019`) - (2026-04-22) Validation status for `F027`: - `cd server && pnpm vitest ../packages/projects/src/actions/projectAuthorization.contract.test.ts --coverage.enabled false` passed. - `pnpm -C packages/projects typecheck` passed. - (2026-04-22) Completed project task/status hardening wave (`F028-F032`) in: - `packages/projects/src/actions/projectTaskActions.ts` - `packages/projects/src/actions/projectTaskStatusActions.ts` - `packages/projects/src/actions/projectAuthorization.contract.test.ts` (`T020-T023`) - (2026-04-22) Completed `F033` project structural-child semantics in: - `packages/projects/src/actions/projectTaskActions.ts` (linked ticket data now intersects with ticket-resource auth). - `packages/projects/src/actions/projectAuthorization.contract.test.ts` (`F033` assertion block). - (2026-04-22) Completed exhaustive re-audit and close-out artifact wave (`F034-F038`) in: - `packages/scheduling/src/actions/timeEntryDelegationAuth.ts` - `packages/scheduling/src/actions/timeSheetActions.ts` - `packages/scheduling/tests/timeDelegationSweep.contract.test.ts` (`T024`) - `packages/scheduling/tests/timeEntryDelegationAuth.authorization.test.ts` (`T024`) - `ee/docs/plans/2026-04-22-premium-abac-exhaustive-remediation-sweep/EXHAUSTIVE_SURFACE_INVENTORY.md` (`F037`) - `ee/docs/plans/2026-04-21-premium-abac-authorization-kernel/CURRENT_AUTHORIZATION_BASELINE.md` (`F038`) - `server/src/test/unit/authorization/premiumAbacExhaustiveInventory.contract.test.ts` (`T025`) - (2026-04-22) Completed `F043` project regression coverage by expanding contract assertions for: - `T019` projectActions parity - `T020` task/checklist/dependency/resource/ticket-link gating - `T021` status-action parent gating + zero-check remediation - `T022` aggregate/count helper protection - `T023` cross-project source/target authorization. - (2026-04-22) Validation status for project task/status wave: - `cd server && pnpm vitest ../packages/projects/src/actions/projectAuthorization.contract.test.ts --coverage.enabled false` passed (7 tests). - `pnpm -C packages/projects typecheck` passed. - (2026-04-22) Validation status for re-audit + close-out wave: - `cd server && pnpm vitest ../packages/scheduling/tests/timeDelegationSweep.contract.test.ts ../packages/scheduling/tests/timeEntryDelegationAuth.authorization.test.ts --coverage.enabled false` passed. - close-out artifact contract `premiumAbacExhaustiveInventory.contract.test.ts` authored (executed in this wave). - (2026-04-22) Marked quote parity regression tests `T007-T010` complete after re-validating: - `packages/billing/src/actions/quoteAuthorizationParity.contract.test.ts` - (2026-04-22) Marked document URL regression test `T011` complete: - `server/src/test/unit/documents/documentUrlAuthorization.contract.test.ts`