# Premium ABAC Exhaustive Surface Inventory

- Plan: `2026-04-22-premium-abac-exhaustive-remediation-sweep`
- Last updated: `2026-04-22`
- Scope lineage:
  - `ee/docs/plans/2026-04-21-premium-abac-authorization-kernel/`
  - `ee/docs/plans/2026-04-22-premium-abac-remediation/`

## Semantics Legend

- `RBAC ∩ Kernel ∩ Bundle`: the action requires the RBAC permission, the runtime kernel narrowing, and every bundle overlay to all allow it; any one layer can deny.
- `Structural Inheritance`: a child record carries no policy of its own and inherits the authorization already established on its parent resource.
- `Linked Intersection`: a linked child payload must satisfy both the parent's authorization and the linked resource's own authorization.

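The three legend semantics, plus the authorized-count semantics used in the matrix below, as composable predicates. This is an added illustration over a hypothetical in-memory model, not the project's kernel or bundle API; the `authorize`, `authorizeChild`, `authorizeLinked` and `authorizedCount` names and the sample policy are constructed.

```typescript
// Hypothetical in-memory model (not the project's kernel API) of the three legend semantics.
type Action = "read" | "write" | "delete";
interface Principal { id: string; tenant: string; roles: string[] }
interface Resource { type: string; id: string; tenant: string; ownerId?: string }
type RbacPolicy = Record<string, Record<string, Action[]>>; // role -> resource type -> actions
type Overlay = (p: Principal, r: Resource, a: Action) => boolean; // bundle overlay predicate
interface AuthContext { rbac: RbacPolicy; overlays: Overlay[] }

function rbacAllows(ctx: AuthContext, p: Principal, r: Resource, a: Action): boolean {
  return p.roles.some((role) => {
    const perms: Action[] | undefined = ctx.rbac[role]?.[r.type];
    return perms !== undefined && perms.includes(a);
  });
}

// Kernel narrowing: the runtime scope every decision must satisfy (tenant isolation here).
function kernelAllows(p: Principal, r: Resource): boolean {
  return p.tenant === r.tenant;
}

// RBAC ∩ Kernel ∩ Bundle: all three layers must allow; an overlay can only deny, never widen.
export function authorize(ctx: AuthContext, p: Principal, r: Resource, a: Action): boolean {
  return rbacAllows(ctx, p, r, a) && kernelAllows(p, r) && ctx.overlays.every((o) => o(p, r, a));
}

// Structural Inheritance: a child row (e.g. document block content) has no policy of its
// own and is authorized exactly when its parent resource is authorized for the action.
export function authorizeChild(ctx: AuthContext, p: Principal, parent: Resource, a: Action): boolean {
  return authorize(ctx, p, parent, a);
}

// Linked Intersection: a linked payload (e.g. a ticket returned with an asset) needs the
// parent decision AND its own resource decision; failing either one hides the link.
export function authorizeLinked(ctx: AuthContext, p: Principal, parent: Resource, linked: Resource, a: Action): boolean {
  return authorize(ctx, p, parent, a) && authorize(ctx, p, linked, a);
}

// Authorized-count semantics: totals are cardinalities of the authorized subset only.
export function authorizedCount(ctx: AuthContext, p: Principal, rows: Resource[], a: Action): number {
  return rows.filter((r) => authorize(ctx, p, r, a)).length;
}

// Constructed sample: technicians read assets and read/write documents; a bundle overlay
// narrows asset access to assets they own; no ticket permission is granted at all.
export const sampleCtx: AuthContext = {
  rbac: { technician: { asset: ["read"], document: ["read", "write"] } },
  overlays: [(p, r) => r.type !== "asset" || r.ownerId === p.id],
};
export const tech: Principal = { id: "u1", tenant: "t1", roles: ["technician"] };
```

With this model a linked ticket is dropped from an asset payload when the caller has no ticket permission, and a count over three assets returns only the number the caller may actually read.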
## Surface Matrix

| Domain | File / Surface | Chosen Semantics | Status | Validation |
| --- | --- | --- | --- | --- |
| Bundle lifecycle | `server/src/lib/authorization/bundles/service.ts` draft creation/publish | RBAC ∩ Kernel ∩ Bundle lifecycle invariants | Fixed | `T001-T006`, `F039` |
| Bundle lifecycle | `ee/server/src/lib/actions/auth/authorizationBundleActions.ts` draft/write/publish/archive | Transactional stale-state safety + assignment governance | Fixed | `T001-T006`, `F039` |
| Bundle lifecycle | lifecycle uniqueness migration preflight | Fail-loud duplicate-row detection + repair guidance | Fixed | `T005`, `F039` |
| Quotes | `packages/billing/src/actions/quoteActions.ts` reads/mutations/items/conversion | RBAC ∩ Kernel ∩ Bundle for quote + item integrity | Fixed | `T007-T010`, `F040` |
| Documents | `packages/documents/src/actions/documentActions.ts` read/mutation/count/folder | RBAC ∩ Kernel ∩ Bundle with authorized count semantics | Fixed | `T011-T014`, `F041` |
| Documents | URL routes: `download/preview/thumbnail/view` | Kernel-authorized document lookup before URL/path response | Fixed | `T011`, `F041` |
| Documents | content/block-content actions | Parent-document authorization required for R/W/D | Fixed | `T013`, `F041` |
| Assets | `packages/assets/src/actions/assetActions.ts` list/read/summary | RBAC ∩ Kernel ∩ Bundle (authorized totals + per-asset checks) | Fixed | `T015-T016`, `F042` |
| Assets | maintenance/history/relationships/entity lists/client summaries | Parent asset authorization on all read surfaces | Fixed | `T016`, `F024` |
| Assets | update/delete/association/relationship/maintenance mutations | Parent asset authorization + integrity checks | Fixed | `T017`, `F025` |
| Assets | `getAssetDetailBundle` linked tickets/documents | Structural Inheritance + Linked Intersection | Fixed | `T018`, `F026` |
| Projects | `packages/projects/src/actions/projectActions.ts` phase/detail/status/tree/count surfaces | Parent project authorization for read/update/delete | Fixed | `T019`, `F027` |
| Project tasks | `packages/projects/src/actions/projectTaskActions.ts` task/checklist/dependency/resource/ticket-link | Reusable parent-project gating via shared helpers | Fixed | `T020`, `F028-F029` |
| Project statuses | `packages/projects/src/actions/projectTaskStatusActions.ts` mappings/phase status flows | Parent project gating + zero-check count closure | Fixed | `T021`, `F030` |
| Project aggregates | `getPhaseTaskCounts`, `getProjectTaskData`, `getStatusMappingTaskCount` | Authorized-project-only cardinalities | Fixed | `T022`, `F031` |
| Cross-project ops | task move/duplicate/link flows | Authorize source + target project contexts | Fixed | `T023`, `F032` |
| Project linked tickets | ticket-link payload returns | Linked Intersection with ticket-resource auth | Fixed | `F033`, project contract test |
| Time/delegation | `packages/scheduling/src/actions/timeEntryDelegationAuth.ts` | `time_entry` kernel checks + not-self-approver mutation guard | Re-audited/fixed | `T024`, scheduling auth tests |
| Time/delegation | `packages/scheduling/src/actions/timeSheetActions.ts` comments/request-changes | Delegation checks required for non-owner approver actions | Re-audited/fixed | `T024`, `timeDelegationSweep.contract.test.ts` |
| Non-API entry points | file/preview/composition routes using hardened actions | Inherit hardened action semantics; no parallel bypass path found in audited set | Re-audited | `F035` rationale + route sampling in scratchpad |
| CE/EE seams | `ee/server/src/lib/authorization/kernel.ts` + bundle actions + shared kernel providers | CE and EE both resolve runtime bundle narrowing via shared kernel contracts | Re-audited | `F036`, kernel seam contract references |

## Re-Audit Notes

### F034 — Time / Delegation

- Confirmed that the `time_entry` resource key remains canonical in delegation kernel flows.
- Closed the delegation gap in `requestChangesForTimeSheet` and in the non-owner comment path by requiring `assertCanActOnBehalf(...)`.
- Confirmed that the approval mutation guard (`not self approver`) remains enforced in kernel mutation evaluation.

### F035 — Non-API Entry Points

Audited representative non-API or composition surfaces that fan into hardened actions:

- Document URL routes in `server/src/app/api/documents/...` call hardened document authorization actions.
- Asset summary/maintenance/history/relationship routes under `server/src/app/api/v1/assets/...` call hardened asset actions.
- Project routes under `server/src/app/api/v1/projects/...` call hardened project/task actions.
- Quote routes under `server/src/app/api/v1/quotes/...` call hardened quote actions.

No additional bypass-only path was identified in the audited set.

### F036 — CE/EE Helper Seams

Audited CE/EE runtime seam usage:

- `ee/server/src/lib/authorization/kernel.ts`
- `ee/server/src/lib/actions/auth/authorizationBundleActions.ts`
- Shared kernel provider usage in billing/documents/assets/projects/scheduling actions.

All audited seams continue to converge on shared kernel + bundle-provider runtime semantics; no new divergent shadow model was introduced in this sweep.

## Validation Index

- Lifecycle: `T001-T006`
- Quotes: `T007-T010`
- Documents: `T011-T014`
- Assets: `T015-T018`
- Projects: `T019-T023`
- Time/delegation re-audit: `T024`
- Close-out artifact contract: `T025`