284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
5.8 KiB
5.8 KiB
Premium ABAC Exhaustive Surface Inventory
- Plan:
2026-04-22-premium-abac-exhaustive-remediation-sweep - Last updated:
2026-04-22 - Scope lineage:
ee/docs/plans/2026-04-21-premium-abac-authorization-kernel/ee/docs/plans/2026-04-22-premium-abac-remediation/
Semantics Legend
RBAC ∩ Kernel ∩ Bundle: action requires RBAC and runtime kernel narrowing with bundle overlays.Structural Inheritance: child record inherits already-authorized parent resource.Linked Intersection: linked child payload must satisfy parent auth and child-resource auth.
Surface Matrix
| Domain | File / Surface | Chosen Semantics | Status | Validation |
|---|---|---|---|---|
| Bundle lifecycle | server/src/lib/authorization/bundles/service.ts draft creation/publish |
RBAC ∩ Kernel ∩ Bundle lifecycle invariants | Fixed | T001-T006, F039 |
| Bundle lifecycle | ee/server/src/lib/actions/auth/authorizationBundleActions.ts draft/write/publish/archive |
Transactional stale-state safety + assignment governance | Fixed | T001-T006, F039 |
| Bundle lifecycle | lifecycle uniqueness migration preflight | Fail-loud duplicate-row detection + repair guidance | Fixed | T005, F039 |
| Quotes | packages/billing/src/actions/quoteActions.ts reads/mutations/items/conversion |
RBAC ∩ Kernel ∩ Bundle for quote + item integrity | Fixed | T007-T010, F040 |
| Documents | packages/documents/src/actions/documentActions.ts read/mutation/count/folder |
RBAC ∩ Kernel ∩ Bundle with authorized count semantics | Fixed | T011-T014, F041 |
| Documents | URL routes: download/preview/thumbnail/view |
Kernel-authorized document lookup before URL/path response | Fixed | T011, F041 |
| Documents | content/block-content actions | Parent-document authorization required for R/W/D | Fixed | T013, F041 |
| Assets | packages/assets/src/actions/assetActions.ts list/read/summary |
RBAC ∩ Kernel ∩ Bundle (authorized totals + per-asset checks) | Fixed | T015-T016, F042 |
| Assets | maintenance/history/relationships/entity lists/client summaries | Parent asset authorization on all read surfaces | Fixed | T016, F024 |
| Assets | update/delete/association/relationship/maintenance mutations | Parent asset authorization + integrity checks | Fixed | T017, F025 |
| Assets | getAssetDetailBundle linked tickets/documents |
Structural Inheritance + Linked Intersection | Fixed | T018, F026 |
| Projects | packages/projects/src/actions/projectActions.ts phase/detail/status/tree/count surfaces |
Parent project authorization for read/update/delete | Fixed | T019, F027 |
| Project tasks | packages/projects/src/actions/projectTaskActions.ts task/checklist/dependency/resource/ticket-link |
Reusable parent-project gating via shared helpers | Fixed | T020, F028-F029 |
| Project statuses | packages/projects/src/actions/projectTaskStatusActions.ts mappings/phase status flows |
Parent project gating + zero-check count closure | Fixed | T021, F030 |
| Project aggregates | getPhaseTaskCounts, getProjectTaskData, getStatusMappingTaskCount |
Authorized-project-only cardinalities | Fixed | T022, F031 |
| Cross-project ops | task move/duplicate/link flows | Authorize source + target project contexts | Fixed | T023, F032 |
| Project linked tickets | ticket-link payload returns | Linked Intersection with ticket-resource auth | Fixed | F033, project contract test |
| Time/delegation | packages/scheduling/src/actions/timeEntryDelegationAuth.ts |
time_entry kernel checks + not-self-approver mutation guard |
Re-audited/fixed | T024, scheduling auth tests |
| Time/delegation | packages/scheduling/src/actions/timeSheetActions.ts comments/request-changes |
Delegation checks required for non-owner approver actions | Re-audited/fixed | T024, timeDelegationSweep.contract.test.ts |
| Non-API entry points | file/preview/composition routes using hardened actions | Inherit hardened action semantics; no parallel bypass path found in audited set | Re-audited | F035 rationale + route sampling in scratchpad |
| CE/EE seams | ee/server/src/lib/authorization/kernel.ts + bundle actions + shared kernel providers |
CE and EE both resolve runtime bundle narrowing via shared kernel contracts | Re-audited | F036, kernel seam contract references |
Re-Audit Notes
F034 — Time / Delegation
- Confirmed
time_entryresource key remains canonical in delegation kernel flows. - Closed delegation gap in
requestChangesForTimeSheetand non-owner comment path by requiringassertCanActOnBehalf(...). - Confirmed approval mutation guard (
not self approver) remains enforced in kernel mutation evaluation.
F035 — Non-API Entry Points
Audited representative non-API or composition surfaces that fan into hardened actions:
- Document URL routes in
server/src/app/api/documents/...call hardened document authorization actions. - Asset summary/maintenance/history/relationship routes under
server/src/app/api/v1/assets/...call hardened asset actions. - Project routes under
server/src/app/api/v1/projects/...call hardened project/task actions. - Quote routes under
server/src/app/api/v1/quotes/...call hardened quote actions.
No additional bypass-only path was identified in the audited set.
F036 — CE/EE Helper Seams
Audited CE/EE runtime seam usage:
ee/server/src/lib/authorization/kernel.tsee/server/src/lib/actions/auth/authorizationBundleActions.ts- Shared kernel provider usage in billing/documents/assets/projects/scheduling actions.
All audited seams continue to converge on shared kernel + bundle-provider runtime semantics; no new divergent shadow model was introduced in this sweep.
Validation Index
- Lifecycle:
T001-T006 - Quotes:
T007-T010 - Documents:
T011-T014 - Assets:
T015-T018 - Projects:
T019-T023 - Time/delegation re-audit:
T024 - Close-out artifact contract:
T025