Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
303 lines
9.1 KiB
JSON
[
  {
    "id": "T001",
    "description": "Review artifact: `CURRENT_AUTHORIZATION_BASELINE.md` captures current authorization behavior and salient file paths for tickets, documents, time, projects, assets, billing, client relationships, and API-key flows before migration cutovers proceed.",
    "implemented": true,
    "featureIds": [
      "F001",
      "F056"
    ]
  },
  {
    "id": "T002",
    "description": "Migration/contract: the new authorization control-plane schema creates bundles, revisions, rules, and generic assignments with tenant-scoped keys and no dependency on the legacy policy DSL tables.",
    "implemented": true,
    "featureIds": [
      "F014",
      "F015",
      "F016",
      "F017"
    ]
  },
  {
    "id": "T003",
    "description": "DB-backed integration: publishing a draft bundle revision makes only the published revision enforceable while preserving the stable bundle identity and existing assignments.",
    "implemented": true,
    "featureIds": [
      "F019",
      "F020"
    ]
  },
  {
    "id": "T004",
    "description": "Guard: assignment creation rejects cross-tenant or wrong-target references for role, team, user, and API-key bundle attachments.",
    "implemented": true,
    "featureIds": [
      "F017",
      "F018"
    ]
  },
  {
    "id": "T005",
    "description": "Integration: effective bundle resolution for a user combines role, team, and direct-user attachments as narrowing intersections rather than widening unions.",
    "implemented": true,
    "featureIds": [
      "F022"
    ]
  },
  {
    "id": "T006",
    "description": "Guard/integration: API-key effective access is the intersection of user access and API-key bundle restrictions and never broadens the impersonated user's scope.",
    "implemented": true,
    "featureIds": [
      "F023",
      "F054"
    ]
  },
  {
    "id": "T007",
    "description": "Kernel contract: callers can resolve a single-resource decision, list/query scope, mutation guards, and explainability reasons through one shared authorization interface in both CE and EE modes.",
    "implemented": true,
    "featureIds": [
      "F002",
      "F003",
      "F004",
      "F005",
      "F011"
    ]
  },
  {
    "id": "T008",
    "description": "Guard: if RBAC denies a resource/action, neither built-in kernel behavior nor configured bundles restore access.",
    "implemented": true,
    "featureIds": [
      "F006"
    ]
  },
  {
    "id": "T009",
    "description": "Guard: configured premium bundles can only narrow access; multiple configured bundle rules for the same resource/action resolve as intersections.",
    "implemented": true,
    "featureIds": [
      "F008",
      "F022",
      "F056"
    ]
  },
  {
    "id": "T010",
    "description": "Simulator: EE admins can evaluate both real principals/records and synthetic scenarios against draft and published bundle revisions and receive explainable decision output.",
    "implemented": true,
    "featureIds": [
      "F032",
      "F033"
    ]
  },
  {
    "id": "T011",
    "description": "Tier/edition guard: CE and non-entitled EE tiers cannot use configurable bundle-management actions or UI, while migrated builtin-kernel behavior still runs.",
    "implemented": true,
    "featureIds": [
      "F003",
      "F028",
      "F029",
      "F031",
      "F034",
      "F035",
      "F055"
    ]
  },
  {
    "id": "T012",
    "description": "Happy path: a published starter or custom bundle can be attached to a role and immediately narrows effective ticket scope for users in that role.",
    "implemented": true,
    "featureIds": [
      "F020",
      "F022",
      "F024",
      "F025",
      "F027",
      "F039"
    ]
  },
  {
    "id": "T013",
    "description": "Regression/integration: migrated ticket list and direct-ticket authorization preserve baseline board/client narrowing semantics while honoring configured selected-client and selected-board bundle restrictions.",
    "implemented": true,
    "featureIds": [
      "F037",
      "F038",
      "F039",
      "F056"
    ]
  },
  {
    "id": "T014",
    "description": "Parity: the selected migrated ticket API path and the selected migrated ticket UI/server-action path resolve the same effective scope for the same user and tenant context.",
    "implemented": true,
    "featureIds": [
      "F037",
      "F053",
      "F054",
      "F056"
    ]
  },
  {
    "id": "T015",
    "description": "Regression/integration: migrated document authorization preserves baseline own/same-client/client-visible behavior while premium selected-client narrowing further restricts access without broadening it.",
    "implemented": true,
    "featureIds": [
      "F040",
      "F041",
      "F056"
    ]
  },
  {
    "id": "T016",
    "description": "Guard/redaction: document-sensitive-field redaction hides configured fields on allowed records without changing record-level allow/deny behavior.",
    "implemented": true,
    "featureIds": [
      "F010",
      "F042"
    ]
  },
  {
    "id": "T017",
    "description": "Regression/integration: migrated time authorization preserves self, manager, reports-to, and tenant-wide semantics from the current delegation model.",
    "implemented": true,
    "featureIds": [
      "F007",
      "F043",
      "F056"
    ]
  },
  {
    "id": "T018",
    "description": "Guard: premium time bundles can narrow access to self-only or self-plus-managed-users but cannot grant broader delegation than the builtin time model already allows.",
    "implemented": true,
    "featureIds": [
      "F044",
      "F056"
    ]
  },
  {
    "id": "T019",
    "description": "Regression/guard: migrated time approval flows preserve the selected not-self-approver and related state-transition restrictions after kernelization.",
    "implemented": true,
    "featureIds": [
      "F009",
      "F045",
      "F056"
    ]
  },
  {
    "id": "T020",
    "description": "Regression/integration: migrated project authorization preserves selected own-comment / internal-user semantics and can further narrow project visibility by assignment, client portfolio, or team bundle rules.",
    "implemented": true,
    "featureIds": [
      "F046",
      "F047",
      "F056"
    ]
  },
  {
    "id": "T021",
    "description": "Regression/integration: migrated asset authorization preserves baseline visibility while premium client/team/assignment bundles narrow access on the selected v1 asset surfaces.",
    "implemented": true,
    "featureIds": [
      "F048",
      "F049",
      "F056"
    ]
  },
  {
    "id": "T022",
    "description": "Regression/integration: migrated billing authorization preserves selected quote/invoice visibility and approval/blocker semantics while client-portfolio narrowing applies when configured.",
    "implemented": true,
    "featureIds": [
      "F050",
      "F051",
      "F056"
    ]
  },
  {
    "id": "T023",
    "description": "Guard/redaction: billing-sensitive-field redaction hides configured cost or financial fields on allowed records without broadening or denying the underlying record unexpectedly.",
    "implemented": true,
    "featureIds": [
      "F010",
      "F052"
    ]
  },
  {
    "id": "T024",
    "description": "EE UI/action: Bundle Library, Bundle Editor, and Assignment Manager allow draft editing, publish, assignment, disable, and archive flows without mutating the currently published revision in place.",
    "implemented": true,
    "featureIds": [
      "F028",
      "F029",
      "F031"
    ]
  },
  {
    "id": "T025",
    "description": "EE UX: bundle rules and revisions display human-readable summaries that reflect resource sections, typed templates, and material draft changes.",
    "implemented": true,
    "featureIds": [
      "F024",
      "F025",
      "F026",
      "F030"
    ]
  },
  {
    "id": "T026",
    "description": "Guard: only authorized users can create bundles, edit drafts, publish revisions, manage assignments, or run the simulator.",
    "implemented": true,
    "featureIds": [
      "F035"
    ]
  },
  {
    "id": "T027",
    "description": "Audit trail: bundle creation, draft edits, revision publication, and assignment changes persist enough metadata to explain who changed what and when.",
    "implemented": true,
    "featureIds": [
      "F036"
    ]
  },
  {
    "id": "T028",
    "description": "Regression: CE migrated flows for the selected ticket, document, time, project, asset, and billing paths continue to work through the shared builtin kernel even though premium bundle management is unavailable.",
    "implemented": true,
    "featureIds": [
      "F003",
      "F037",
      "F040",
      "F043",
      "F046",
      "F048",
      "F050",
      "F055"
    ]
  },
  {
    "id": "T029",
    "description": "Explainability: effective authorization output for a migrated resource identifies the RBAC gate, builtin kernel rule path, and any configured bundle sources that further narrowed access.",
    "implemented": true,
    "featureIds": [
      "F011",
      "F032",
      "F033"
    ]
  },
  {
    "id": "T030",
    "description": "Legacy-direction regression: migrated authorization paths no longer depend on end-user-authored DSL parsing or the old policy-engine runtime to make access decisions.",
    "implemented": true,
    "featureIds": [
      "F013"
    ]
  }
]