Hermes 284313f908
Initial import of AlgaPSA codebase from PSA server
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz

Source: /opt/alga-psa on psa.joliet.tech
2026-06-22 16:12:17 -05:00


[
{
"id": "F001",
"description": "Create and maintain a plan-local current-behavior baseline artifact that documents today's authorization semantics across tickets, documents, time, projects, assets, billing, client-portal relationships, and API-key flows.",
"implemented": true,
"prdRefs": [
"Summary",
"Requirements",
"Rollout / Migration",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F002",
"description": "Define a shared authorization-kernel contract for single-resource authorization, list/query scope resolution, mutation authorization, field-redaction hooks, and explainability traces.",
"implemented": true,
"prdRefs": [
"Summary",
"Requirements",
"Data / API / Integrations"
]
},
{
"id": "F003",
"description": "Introduce a CE-compatible builtin authorization provider that evaluates only product-defined kernel behavior with no tenant-configurable premium overlays.",
"implemented": true,
"prdRefs": [
"Summary",
"Non-functional Requirements",
"Rollout / Migration"
]
},
{
"id": "F004",
"description": "Introduce an EE authorization provider that extends the shared kernel with tenant-configurable bundle-based narrowing overlays.",
"implemented": true,
"prdRefs": [
"Summary",
"Requirements",
"Non-functional Requirements"
]
},
{
"id": "F005",
"description": "Package the shared authorization runtime behind an edition-aware seam so feature code calls one stable interface instead of branching on `isEnterprise()`.",
"implemented": true,
"prdRefs": [
"Summary",
"Non-functional Requirements"
]
},
{
"id": "F006",
"description": "Keep RBAC as the mandatory prerequisite gate before any built-in or configurable authorization narrowing runs.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements",
"Security / Permissions"
]
},
{
"id": "F007",
"description": "Implement shared relationship resolvers for the core relationship semantics used throughout the product, including own, assigned, managed, same-client, client-portfolio, same-team, and selected-board relationships where applicable.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements"
]
},
{
"id": "F008",
"description": "Implement a shared scope-composition model that combines built-in and configured authorization as narrowing intersections rather than widening unions.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements",
"Security / Permissions"
]
},
{
"id": "F009",
"description": "Implement shared mutation-guard evaluation for stateful authorization constraints such as approval restrictions and visibility-only guards.",
"implemented": true,
"prdRefs": [
"Requirements",
"Security / Permissions"
]
},
{
"id": "F010",
"description": "Implement shared field-redaction hooks so migrated domains can hide sensitive fields without broadening record visibility.",
"implemented": true,
"prdRefs": [
"Summary",
"Functional Requirements"
]
},
{
"id": "F011",
"description": "Emit structured decision reasons from the authorization kernel that distinguish RBAC, built-in kernel behavior, and configured bundle-based narrowing.",
"implemented": true,
"prdRefs": [
"Requirements",
"Non-functional Requirements",
"Observability"
]
},
{
"id": "F012",
"description": "Add request-local caching for repeated relationship, assignment, bundle, and effective-scope resolution within a request.",
"implemented": true,
"prdRefs": [
"Non-functional Requirements",
"Rollout / Migration"
]
},
{
"id": "F013",
"description": "Retire the legacy policy DSL as the primary runtime direction for migrated authorization paths without depending on end-user-authored expressions.",
"implemented": true,
"prdRefs": [
"Problem",
"Non-goals",
"Functional Requirements",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F014",
"description": "Create an `authorization_bundles` control-plane structure for reusable premium authorization bundles.",
"implemented": true,
"prdRefs": [
"Requirements",
"Data / API / Integrations"
]
},
{
"id": "F015",
"description": "Create an `authorization_bundle_revisions` structure that stores draft, published, and archived bundle revisions separately from the stable bundle identity.",
"implemented": true,
"prdRefs": [
"Requirements",
"Data / API / Integrations"
]
},
{
"id": "F016",
"description": "Create an `authorization_bundle_rules` structure keyed to revisions that stores typed resource/action/template/effect rules plus structured configuration payloads.",
"implemented": true,
"prdRefs": [
"Requirements",
"Data / API / Integrations"
]
},
{
"id": "F017",
"description": "Create a generic `authorization_bundle_assignments` structure keyed by `target_type + target_id` for role, team, user, and API-key attachments.",
"implemented": true,
"prdRefs": [
"Requirements",
"Data / API / Integrations"
]
},
{
"id": "F018",
"description": "Validate bundle-assignment targets at write time so assignments only reference same-tenant roles, teams, users, or API keys that actually exist.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Security / Permissions"
]
},
{
"id": "F019",
"description": "Support bundle lifecycle states and revision lifecycle states so draft work is not enforced until explicitly published.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Rollout / Migration"
]
},
{
"id": "F020",
"description": "Make publishing a bundle revision atomically switch enforcement to the newly published revision for all active assignments of that bundle.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Rollout / Migration"
]
},
{
"id": "F021",
"description": "Support bundle archive semantics and disabled assignments so historical configuration can be retained without active enforcement.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Rollout / Migration"
]
},
{
"id": "F022",
"description": "Implement bundle-resolution logic that collects active assignments from roles, teams, users, and API keys and applies them as narrowing intersections.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Security / Permissions"
]
},
{
"id": "F023",
"description": "Ensure API-key bundle restrictions are intersected with the impersonated user's effective built-in and configured access rather than widening it.",
"implemented": true,
"prdRefs": [
"Users and Primary Flows",
"Functional Requirements",
"Security / Permissions"
]
},
{
"id": "F024",
"description": "Define and enforce the v1 typed template catalog for premium narrowing bundles instead of arbitrary expressions.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements"
]
},
{
"id": "F025",
"description": "Support core relationship-first scope templates such as own, assigned, managed, own-or-assigned, own-or-managed, selected-clients/client-portfolio, same-team, and selected-boards.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements"
]
},
{
"id": "F026",
"description": "Support high-value narrowing guards and redaction templates such as not-self-approver, client-visible-only, and hide-sensitive-fields for the first migrated resource families.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Security / Permissions"
]
},
{
"id": "F027",
"description": "Provide shipped system bundles / starter bundles that model common MSP operating boundaries such as assigned-client technician, project delivery team, time manager, restricted asset operator, and finance reviewer.",
"implemented": true,
"prdRefs": [
"Users and Primary Flows",
"UX / UI Notes",
"Functional Requirements"
]
},
{
"id": "F028",
"description": "Add a tier-gated EE Bundle Library surface for browsing, searching, cloning, and archiving authorization bundles.",
"implemented": true,
"prdRefs": [
"UX / UI Notes",
"Non-functional Requirements"
]
},
{
"id": "F029",
"description": "Add a tier-gated EE Bundle Editor that authors draft revisions through resource-oriented sections rather than raw rule grids.",
"implemented": true,
"prdRefs": [
"UX / UI Notes",
"Functional Requirements"
]
},
{
"id": "F030",
"description": "Add natural-language summaries for bundle rules, effective bundle descriptions, and revision changes so admins can understand configuration without reading raw JSON.",
"implemented": true,
"prdRefs": [
"UX / UI Notes"
]
},
{
"id": "F031",
"description": "Add a tier-gated EE Assignment Manager that shows which roles, teams, users, and API keys each bundle currently affects.",
"implemented": true,
"prdRefs": [
"UX / UI Notes",
"Users and Primary Flows"
]
},
{
"id": "F032",
"description": "Add a tier-gated EE Access Simulator that evaluates draft and published bundle behavior against real principals and real existing records.",
"implemented": true,
"prdRefs": [
"UX / UI Notes",
"Users and Primary Flows",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F033",
"description": "Extend the EE Access Simulator to support synthetic authorization scenarios when no suitable real principal or record exists.",
"implemented": true,
"prdRefs": [
"UX / UI Notes",
"Users and Primary Flows",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F034",
"description": "Provide upgrade / unavailable states that follow existing EE tier-gating patterns when configurable premium ABAC is not available in CE or in non-entitled EE tiers.",
"implemented": true,
"prdRefs": [
"UX / UI Notes",
"Non-functional Requirements"
]
},
{
"id": "F035",
"description": "Permission-gate bundle CRUD, publish, assignment, and simulator actions so authorization management itself is controlled by server-side checks.",
"implemented": true,
"prdRefs": [
"Security / Permissions",
"Functional Requirements"
]
},
{
"id": "F036",
"description": "Capture audit-relevant metadata for bundle and revision lifecycle events, including who created drafts, who published revisions, and which assignments are active.",
"implemented": true,
"prdRefs": [
"UX / UI Notes",
"Observability"
]
},
{
"id": "F037",
"description": "Migrate ticket authorization for the selected v1 UI/server-action paths onto the shared kernel for list and single-record access evaluation.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F038",
"description": "Preserve and kernelize selected-board ticket narrowing so current client-portal-style board scoping becomes a first-class shared authorization capability.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements",
"Rollout / Migration"
]
},
{
"id": "F039",
"description": "Support premium ticket narrowing bundles that can restrict ticket visibility and mutation by assignment, client portfolio, team scope, and selected boards.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements"
]
},
{
"id": "F040",
"description": "Migrate document authorization for the selected v1 UI/server-action paths onto the shared kernel while preserving ownership, same-client, and client-visible semantics.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F041",
"description": "Support premium document narrowing bundles that can restrict document access by client portfolio and client-visible-only rules.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements"
]
},
{
"id": "F042",
"description": "Support document-sensitive-field redaction hooks for the selected v1 document surfaces without changing record-level visibility semantics.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Security / Permissions"
]
},
{
"id": "F043",
"description": "Migrate time / timesheet delegation and approval authorization onto the shared kernel while preserving self, manager, reports-to, and tenant-wide semantics where they already exist.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F044",
"description": "Support premium time narrowing bundles that can restrict access to self-only or self-plus-managed-user scopes without broadening existing delegation behavior.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements"
]
},
{
"id": "F045",
"description": "Kernelize not-self-approver style time-related approval restrictions where they are part of the selected v1 approval flows.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Security / Permissions"
]
},
{
"id": "F046",
"description": "Migrate the selected v1 project authorization paths onto the shared kernel, including the existing own-comment / internal-user semantics that must remain intact.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F047",
"description": "Support premium project narrowing bundles that can restrict project access by assignment, client portfolio, and team scope on the selected v1 project surfaces.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements"
]
},
{
"id": "F048",
"description": "Migrate the selected v1 asset authorization paths onto the shared kernel with explicit client/team/assignment segmentation hooks suitable for later remote-access-sensitive behavior.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F049",
"description": "Support premium asset narrowing bundles that can restrict asset access by client portfolio, team scope, and assignment on the selected v1 asset surfaces.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements"
]
},
{
"id": "F050",
"description": "Migrate the selected v1 billing authorization paths onto the shared kernel while preserving existing quote/invoice visibility, approval, and blocker semantics.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F051",
"description": "Support premium billing narrowing bundles that can restrict billing visibility by client portfolio and apply selected v1 approval-oriented guards without widening access.",
"implemented": true,
"prdRefs": [
"Goals",
"Functional Requirements"
]
},
{
"id": "F052",
"description": "Support billing-sensitive-field redaction hooks for the selected v1 billing surfaces where field-level hiding is part of the premium authorization story.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Open Questions"
]
},
{
"id": "F053",
"description": "Normalize migrated API/programmatic paths to resolve effective authorization through the shared kernel rather than duplicating feature-specific inline checks.",
"implemented": true,
"prdRefs": [
"Problem",
"Functional Requirements",
"Rollout / Migration"
]
},
{
"id": "F054",
"description": "Adopt shared-kernel authorization in the selected v1 API-key-backed ticket, document, time, project, asset, and billing endpoints where parity work is in scope.",
"implemented": true,
"prdRefs": [
"Functional Requirements",
"Rollout / Migration",
"Open Questions"
]
},
{
"id": "F055",
"description": "Ensure CE continues to use the shared built-in kernel path for migrated resource families even though configurable premium bundle management is unavailable.",
"implemented": true,
"prdRefs": [
"Summary",
"Goals",
"Rollout / Migration",
"Acceptance Criteria (Definition of Done)"
]
},
{
"id": "F056",
"description": "Validate that migrated resource-family cutovers preserve baseline behavior rather than silently broadening access, using the plan-local baseline artifact as the parity contract.",
"implemented": true,
"prdRefs": [
"Goals",
"Rollout / Migration",
"Acceptance Criteria (Definition of Done)"
]
}
]
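As an added worked example that is not part of this import or of AlgaPSA's own code, the following TypeScript sketches the evaluation order that F006, F008, F011, F022 and F023 describe for one resource family: RBAC gates first, then the built-in scope and every active bundle scope are intersected, never unioned, and the decision carries a structured reason trace. The type names, the template set, the ticket shape and the sample data are assumptions made for the example, not identifiers from the codebase.

```typescript
// Added example, not code from AlgaPSA. It models the kernel semantics in F006,
// F008, F011, F022 and F023 for one resource family (tickets). All names, the
// ticket shape and the sample data below are constructed assumptions.

interface Principal {
  userId: string; roles: string[]; teamIds: string[];
  permissions: string[]; // RBAC grants such as "ticket:read"
  apiKeyId?: string;     // set when the request is API-key backed (F023)
}
interface Ticket { id: string; clientId: string; boardId: string; createdBy: string; assignedTo?: string }

// Typed templates (F024/F025) rather than free-form expressions.
type ScopeTemplate =
  | { template: "own-or-assigned" }
  | { template: "selected-clients"; clientIds: string[] }
  | { template: "selected-boards"; boardIds: string[] };

// A scope is a predicate over records, so composing scopes is set intersection.
type Scope = (p: Principal, t: Ticket) => boolean;

function scopeFromTemplate(tpl: ScopeTemplate): Scope {
  switch (tpl.template) {
    case "own-or-assigned":
      return (p, t) => t.createdBy === p.userId || t.assignedTo === p.userId;
    case "selected-clients": {
      const clientIds = tpl.clientIds;
      return (_p, t) => clientIds.includes(t.clientId);
    }
    case "selected-boards": {
      const boardIds = tpl.boardIds;
      return (_p, t) => boardIds.includes(t.boardId);
    }
    default: throw new Error(`unknown template: ${JSON.stringify(tpl)}`);
  }
}

interface BundleAssignment {
  targetType: "role" | "team" | "user" | "api_key";
  targetId: string;
  scope: ScopeTemplate;
  enabled: boolean; // a disabled assignment is retained but never enforced (F021)
}
// reasons: a structured trace separating rbac / builtin / bundle contributions (F011)
interface Decision { allowed: boolean; reasons: string[] }

function applicableAssignments(p: Principal, all: BundleAssignment[]): BundleAssignment[] {
  return all.filter((a) => a.enabled && (
    (a.targetType === "user" && a.targetId === p.userId) ||
    (a.targetType === "role" && p.roles.includes(a.targetId)) ||
    (a.targetType === "team" && p.teamIds.includes(a.targetId)) ||
    (a.targetType === "api_key" && p.apiKeyId !== undefined && a.targetId === p.apiKeyId)));
}

function authorize(p: Principal, action: "read" | "update", t: Ticket, builtIn: ScopeTemplate, all: BundleAssignment[]): Decision {
  // F006: RBAC is the mandatory gate; nothing below can re-open an RBAC denial.
  if (!p.permissions.includes(`ticket:${action}`)) {
    return { allowed: false, reasons: ["rbac:denied"] };
  }
  const reasons = ["rbac:granted", `builtin:${builtIn.template}`];
  const scopes: Scope[] = [scopeFromTemplate(builtIn)];
  for (const a of applicableAssignments(p, all)) {
    scopes.push(scopeFromTemplate(a.scope));
    reasons.push(`bundle:${a.targetType}:${a.targetId}:${a.scope.template}`);
  }
  // F008/F022/F023: intersection. Each extra bundle can only remove records, and an
  // API-key bundle narrows the impersonated user's access instead of widening it.
  const allowed = scopes.every((inScope) => inScope(p, t));
  if (!allowed) reasons.push("scope:record-outside-effective-scope");
  return { allowed, reasons };
}

// List resolution reuses the single-record decision, so list and detail cannot drift.
function visibleTicketIds(p: Principal, tickets: Ticket[], builtIn: ScopeTemplate, all: BundleAssignment[]): string[] {
  return tickets.filter((t) => authorize(p, "read", t, builtIn, all).allowed).map((t) => t.id);
}

// Constructed sample data.
const sampleTickets: Ticket[] = [
  { id: "T1", clientId: "c-acme", boardId: "b-support", createdBy: "u-other", assignedTo: "u-tech" },
  { id: "T2", clientId: "c-globex", boardId: "b-support", createdBy: "u-other", assignedTo: "u-tech" },
  { id: "T3", clientId: "c-acme", boardId: "b-projects", createdBy: "u-tech", assignedTo: "u-other" },
  { id: "T4", clientId: "c-acme", boardId: "b-support", createdBy: "u-other", assignedTo: "u-other" },
];
const builtInTicketScope: ScopeTemplate = { template: "own-or-assigned" };
const sampleAssignments: BundleAssignment[] = [
  { targetType: "role", targetId: "technician", enabled: true,
    scope: { template: "selected-clients", clientIds: ["c-acme"] } },
  { targetType: "api_key", targetId: "k-1", enabled: true,
    scope: { template: "selected-boards", boardIds: ["b-support"] } },
  // Deliberately wider than the built-in scope: it still cannot make T4 visible.
  { targetType: "user", targetId: "u-tech", enabled: true,
    scope: { template: "selected-clients", clientIds: ["c-acme", "c-globex"] } },
];
const technician: Principal = { userId: "u-tech", roles: ["technician"], teamIds: ["t-helpdesk"], permissions: ["ticket:read", "ticket:update"] };
const technicianViaApiKey: Principal = { ...technician, apiKeyId: "k-1" };
```

With this data the interactive technician sees T1 and T3 (T2 is removed by the role bundle, T4 by the built-in scope, and the wider user-level bundle cannot bring T4 back), while the same user acting through API key `k-1` sees only T1 because the key's board restriction is intersected on top. The reason list on a denied decision tells an operator which layer removed the record, which is the explainability F011 asks for.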
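A second added example, again not AlgaPSA code, models the control-plane invariants behind F015, F019, F020, F021 and F036: assignments attach to the stable bundle identity rather than to a revision, a draft is never enforced, publishing moves the bundle pointer and archives the previous revision in one step, and disabled assignments or archived bundles drop out of resolution while their rows are kept. The class, method and rule names are assumptions for the example.

```typescript
// Added example, not code from AlgaPSA. An in-memory model of the control plane
// described by F015, F019, F020, F021 and F036. Names and rule strings are
// constructed assumptions; rule strings stand in for typed rule rows (F016).

type RevisionState = "draft" | "published" | "archived";
type TargetType = "role" | "team" | "user" | "api_key";

interface BundleRevision {
  id: string; bundleId: string; state: RevisionState; rules: string[];
  createdBy: string;     // audit metadata (F036)
  publishedBy?: string;
}
interface Bundle { id: string; archived: boolean; publishedRevisionId?: string }
interface Assignment { bundleId: string; targetType: TargetType; targetId: string; enabled: boolean }

class BundleControlPlane {
  private bundles = new Map<string, Bundle>();
  private revisions = new Map<string, BundleRevision>();
  private assignments: Assignment[] = [];
  private seq = 0;
  private get<T>(table: Map<string, T>, id: string): T {
    const row = table.get(id);
    if (!row) throw new Error(`unknown id ${id}`);
    return row;
  }
  createBundle(): Bundle {
    const b: Bundle = { id: `bundle-${++this.seq}`, archived: false };
    this.bundles.set(b.id, b);
    return b;
  }
  // F019: a draft is never enforced; it only becomes effective through publish().
  createDraft(bundleId: string, rules: string[], actor: string): BundleRevision {
    if (this.get(this.bundles, bundleId).archived) throw new Error("bundle is archived");
    const r: BundleRevision = { id: `rev-${++this.seq}`, bundleId, state: "draft", rules: [...rules], createdBy: actor };
    this.revisions.set(r.id, r);
    return r;
  }
  // F020: one logical step. The bundle pointer moves and the previous revision is
  // archived together, so every active assignment switches at the same moment.
  publish(revisionId: string, actor: string): void {
    const r = this.get(this.revisions, revisionId);
    if (r.state !== "draft") throw new Error(`cannot publish a ${r.state} revision`);
    const b = this.get(this.bundles, r.bundleId);
    if (b.archived) throw new Error("bundle is archived");
    if (b.publishedRevisionId) this.get(this.revisions, b.publishedRevisionId).state = "archived";
    r.state = "published";
    r.publishedBy = actor;
    b.publishedRevisionId = r.id;
  }
  revisionState(id: string): RevisionState { return this.get(this.revisions, id).state; }
  assign(bundleId: string, targetType: TargetType, targetId: string): void {
    this.get(this.bundles, bundleId); // the bundle side of the F018 existence check
    this.assignments.push({ bundleId, targetType, targetId, enabled: true });
  }
  // F021: disabling keeps the row for history but removes it from enforcement.
  setAssignmentEnabled(bundleId: string, targetType: TargetType, targetId: string, enabled: boolean): void {
    for (const a of this.assignments) {
      if (a.bundleId === bundleId && a.targetType === targetType && a.targetId === targetId) a.enabled = enabled;
    }
  }
  archiveBundle(bundleId: string): void { this.get(this.bundles, bundleId).archived = true; }
  // What resolution (F022) would feed the kernel for one target: only enabled
  // assignments to non-archived bundles that have a published revision contribute.
  enforcedRules(targetType: TargetType, targetId: string): string[] {
    const out: string[] = [];
    for (const a of this.assignments) {
      if (!a.enabled || a.targetType !== targetType || a.targetId !== targetId) continue;
      const b = this.get(this.bundles, a.bundleId);
      if (b.archived || !b.publishedRevisionId) continue;
      out.push(...this.get(this.revisions, b.publishedRevisionId).rules);
    }
    return out;
  }
}

// Walks the lifecycle once and records what a technician role is subject to at each step.
function lifecycleScenario() {
  const cp = new BundleControlPlane();
  const b = cp.createBundle();
  cp.assign(b.id, "role", "technician");
  const d1 = cp.createDraft(b.id, ["ticket:selected-clients"], "admin-1");
  const beforePublish = cp.enforcedRules("role", "technician");
  cp.publish(d1.id, "admin-1");
  const afterPublish = cp.enforcedRules("role", "technician");
  const d2 = cp.createDraft(b.id, ["ticket:assigned"], "admin-2");
  const withPendingDraft = cp.enforcedRules("role", "technician");
  cp.publish(d2.id, "admin-2");
  const afterSecondPublish = cp.enforcedRules("role", "technician");
  cp.setAssignmentEnabled(b.id, "role", "technician", false);
  const whileDisabled = cp.enforcedRules("role", "technician");
  cp.setAssignmentEnabled(b.id, "role", "technician", true);
  cp.archiveBundle(b.id);
  const afterArchive = cp.enforcedRules("role", "technician");
  return { beforePublish, afterPublish, withPendingDraft, afterSecondPublish, whileDisabled, afterArchive,
           firstRevisionState: cp.revisionState(d1.id) };
}
```

The property worth checking in a real implementation is the one `publish()` encodes: there is never a moment where an assignment resolves to two revisions or to a draft, and the old revision's rules disappear in the same transaction that the new ones appear. In a database this is the pointer update plus the state change under one transaction, not two separate writes.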