Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
[
|
|
{
|
|
"id": "R001",
|
|
"description": "Revert or isolate `.env.localtest` credential changes before committing remediation work.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Hygiene and baseline"
|
|
]
|
|
},
|
|
{
|
|
"id": "R002",
|
|
"description": "Revert or justify `package-lock.json` package version regressions before committing remediation work.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Hygiene and baseline"
|
|
]
|
|
},
|
|
{
|
|
"id": "R003",
|
|
"description": "Remove or deliberately commit only relevant review artifacts; do not accidentally commit transient `progress.md`.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Hygiene and baseline"
|
|
]
|
|
},
|
|
{
|
|
"id": "R004",
|
|
"description": "Record the current reviewed commit range and blockers in the remediation scratchpad.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Hygiene and baseline"
|
|
]
|
|
},
|
|
{
|
|
"id": "R005",
|
|
"description": "Establish a clean git status baseline for remediation commits excluding unrelated local changes.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Hygiene and baseline"
|
|
]
|
|
},
|
|
{
|
|
"id": "R006",
|
|
"description": "Move product_code NextAuth type augmentation to the shared auth package type declaration.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R007",
|
|
"description": "Remove conflicting product_code declaration from server-only NextAuth augmentation or make it exactly match the shared declaration.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R008",
|
|
"description": "Add product_code to JWT type augmentation consistently.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R009",
|
|
"description": "Add product_code to Session.user type augmentation consistently.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R010",
|
|
"description": "Add product_code to ExtendedUser or local auth runtime user shape where token/session mapping requires it.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R011",
|
|
"description": "Select product_code from tenants in tenant subscription/product info lookup.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R012",
|
|
"description": "Return product_code from fetchTenantSubscriptionInfo or equivalent auth helper.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R013",
|
|
"description": "Set token.product_code on initial sign-in for tenant users.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R014",
|
|
"description": "Refresh token.product_code on periodic tenant info refresh.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R015",
|
|
"description": "Map token.product_code into session.user.product_code in session callback.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R016",
|
|
"description": "Preserve existing plan mapping in auth callbacks.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R017",
|
|
"description": "Preserve existing addons mapping in auth callbacks.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R018",
|
|
"description": "Preserve existing trial fields in auth callbacks.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R019",
|
|
"description": "Make ProductProvider resolve AlgaDesk from session without unsafe casts where possible.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R020",
|
|
"description": "Define safe fallback behavior for sessions without product_code during rollout.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R021",
|
|
"description": "Add unit coverage proving an AlgaDesk session resolves `useProduct().isAlgaDesk` true.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R022",
|
|
"description": "Add regression coverage proving a PSA session resolves `useProduct().isPsa` true.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R023",
|
|
"description": "Run server typecheck after auth/session fixes.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"TypeScript and auth session"
|
|
]
|
|
},
|
|
{
|
|
"id": "R024",
|
|
"description": "Add statusCode=403 to ProductAccessError.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product error handling"
|
|
]
|
|
},
|
|
{
|
|
"id": "R025",
|
|
"description": "Keep PRODUCT_ACCESS_DENIED code stable on all product-denied errors.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product error handling"
|
|
]
|
|
},
|
|
{
|
|
"id": "R026",
|
|
"description": "Update API error handling to map product-denied errors with status or statusCode to HTTP 403.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product error handling"
|
|
]
|
|
},
|
|
{
|
|
"id": "R027",
|
|
"description": "Update standalone route handlers to return product-denied 403 instead of generic 500.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product error handling"
|
|
]
|
|
},
|
|
{
|
|
"id": "R028",
|
|
"description": "Add a helper for converting ProductAccessError to NextResponse where route handlers do not use API middleware.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product error handling"
|
|
]
|
|
},
|
|
{
|
|
"id": "R029",
|
|
"description": "Add tests for product-denied API middleware response shape.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product error handling"
|
|
]
|
|
},
|
|
{
|
|
"id": "R030",
|
|
"description": "Allow `/client-portal/client-settings` for AlgaDesk in portal route rules.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R031",
|
|
"description": "Keep `/client-portal/settings` behavior only if the route exists or is intentionally supported.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R032",
|
|
"description": "Treat `/msp/settings/notifications` as denied or upgrade-boundary for AlgaDesk unless explicitly narrowed.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R033",
|
|
"description": "Treat `/msp/settings/extensions` as denied or upgrade-boundary for AlgaDesk.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R034",
|
|
"description": "Treat broad `/msp/settings/integrations` and integration callback paths as denied for AlgaDesk except focused email-channel paths.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R035",
|
|
"description": "Keep `/msp/settings?tab=email` allowed only for focused Email Channels configuration.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R036",
|
|
"description": "Keep `/msp/settings?tab=knowledge-base` allowed for focused KB configuration.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R037",
|
|
"description": "Correct AlgaDesk API KB allowlist to `/api/v1/kb-articles`.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R038",
|
|
"description": "Add deny rules for `/api/v1/financial`.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R039",
|
|
"description": "Add deny rules for `/api/v1/quotes`.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R040",
|
|
"description": "Add deny rules for `/api/v1/contracts` and contract-line route variants.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R041",
|
|
"description": "Add deny rules for `/api/v1/services`, `/api/v1/service-types`, and `/api/v1/products`.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R042",
|
|
"description": "Add deny rules for `/api/v1/accounting-exports` and accounting integration API families.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R043",
|
|
"description": "Add deny rules for `/api/v1/platform-*`, `/api/v1/admin`, and tenant-management APIs.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R044",
|
|
"description": "Add deny rules for `/api/v1/feature-flags` and platform feature flag APIs unless admin-only PSA behavior requires otherwise.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R045",
|
|
"description": "Add deny rules for `/api/v1/documents` while preserving ticket attachment and KB-safe routes.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R046",
|
|
"description": "Add deny rules for automation/workflow API families.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R047",
|
|
"description": "Add deny rules for AI/chat API families including non-v1 chat routes.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R048",
|
|
"description": "Add deny rules for assets/RMM route families.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R049",
|
|
"description": "Add deny rules for scheduling/time route families.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R050",
|
|
"description": "Add deny rules for surveys route families.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R051",
|
|
"description": "Add deny rules for extensions route families.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R052",
|
|
"description": "Add representative registry tests for exact allowed AlgaDesk routes.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R053",
|
|
"description": "Add representative registry tests for exact denied AlgaDesk routes.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R054",
|
|
"description": "Add representative registry tests proving that unknown AlgaDesk routes and APIs fail closed.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R055",
|
|
"description": "Add representative registry tests proving PSA remains allowed for PSA route/API groups.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Product surface registry correction"
|
|
]
|
|
},
|
|
{
|
|
"id": "R056",
|
|
"description": "Replace raw AlgaDesk children rendering in MspLayoutClient with a real AlgaDesk shell component.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R057",
|
|
"description": "Render an AlgaDesk sidebar in the AlgaDesk MSP shell.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R058",
|
|
"description": "Render a header/app chrome in the AlgaDesk MSP shell.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R059",
|
|
"description": "Render a main content container matching normal page layout expectations.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R060",
|
|
"description": "Avoid ActivityDrawerProvider in AlgaDesk shell unless explicitly needed for help desk.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R061",
|
|
"description": "Avoid SchedulingProviderWithCallbacks in AlgaDesk shell.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R062",
|
|
"description": "Avoid project integration providers in AlgaDesk shell.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R063",
|
|
"description": "Avoid asset/document full-management providers in AlgaDesk shell except ticket/KB-safe providers.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R064",
|
|
"description": "Avoid AIChatContextProvider in AlgaDesk shell unless AI is explicitly excluded from UI and provider has no user-facing effect.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R065",
|
|
"description": "Keep TagProvider and required i18n/session/tier/product providers in AlgaDesk shell.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R066",
|
|
"description": "Fix SidebarWithFeatureFlags generic return types so filtered sections typecheck as NavigationSection arrays.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R067",
|
|
"description": "Ensure product-filtered settings sections typecheck without unsafe broad casts.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R068",
|
|
"description": "Keep PSA MspLayoutClient path using DefaultLayout unchanged for PSA tenants.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R069",
|
|
"description": "Add a shell test that AlgaDesk renders sidebar/header, not only raw children.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"AlgaDesk MSP shell remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R070",
|
|
"description": "Create a server-side helper to resolve current tenant product and route behavior for an explicit pathname.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R071",
|
|
"description": "Create a server-side helper to return upgrade boundary/notFound before page data fetching.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R072",
|
|
"description": "Apply server-side guard to `/msp/billing` before billing data loads.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R073",
|
|
"description": "Apply server-side guard to `/msp/projects` and project child routes before project data loads.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R074",
|
|
"description": "Apply server-side guard to `/msp/assets` and asset child routes before asset data loads.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R075",
|
|
"description": "Apply server-side guard to scheduling and dispatch pages before schedule data loads.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R076",
|
|
"description": "Apply server-side guard to time entry and approvals pages before time data loads.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R077",
|
|
"description": "Apply server-side guard to workflow pages before workflow data loads.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R078",
|
|
"description": "Apply server-side guard to surveys pages before survey data loads.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R079",
|
|
"description": "Apply server-side guard to extensions pages before extension data loads.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R080",
|
|
"description": "Apply server-side guard to reports and service request pages before excluded data loads.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R081",
|
|
"description": "Apply server-side guard to excluded client portal billing/project/device/document/appointment/service-request/extension pages.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R082",
|
|
"description": "Keep the client-side ProductRouteBoundary as a secondary UI fallback only, not as the primary enforcement of route access.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R083",
|
|
"description": "Add tests proving excluded page loaders do not call their data actions for AlgaDesk.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R084",
|
|
"description": "Add tests proving representative PSA excluded routes still render for PSA tenants.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Server-side route enforcement"
|
|
]
|
|
},
|
|
{
|
|
"id": "R085",
|
|
"description": "Centralize product API enforcement in authenticate/context creation or in another API controller path that every request must pass through.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R086",
|
|
"description": "Remove reliance on individual base CRUD methods for product API enforcement.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R087",
|
|
"description": "Audit overridden controller methods for product enforcement coverage.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R088",
|
|
"description": "Ensure ApiProjectController overridden list/get/task methods cannot bypass product API gate.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R089",
|
|
"description": "Ensure financial controller methods cannot bypass product API gate.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R090",
|
|
"description": "Ensure invoice controller methods cannot bypass product API gate.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R091",
|
|
"description": "Ensure quote controller methods cannot bypass product API gate.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R092",
|
|
"description": "Ensure asset/RMM controller methods cannot bypass product API gate.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R093",
|
|
"description": "Ensure custom tag/client/contact methods preserve allowed AlgaDesk behavior while still passing product gate.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R094",
|
|
"description": "Add product guards to standalone chat API routes.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R095",
|
|
"description": "Add product guards to standalone email routes while preserving allowed email-to-ticket paths.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R096",
|
|
"description": "Add product guards to standalone extension and integration API routes.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R097",
|
|
"description": "Return structured 403 PRODUCT_ACCESS_DENIED for denied AlgaDesk API requests.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R098",
|
|
"description": "Keep allowed AlgaDesk ticket/client/contact/KB/email APIs functional.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R099",
|
|
"description": "Keep PSA API behavior unchanged for PSA tenants.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"API enforcement remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R100",
|
|
"description": "Filter API endpoint metadata by product for AlgaDesk.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Metadata and OpenAPI remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R101",
|
|
"description": "Filter OpenAPI paths by product for AlgaDesk.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Metadata and OpenAPI remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R102",
|
|
"description": "Filter API docs output by product for AlgaDesk.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Metadata and OpenAPI remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R103",
|
|
"description": "Filter generated permission metadata by product for AlgaDesk.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Metadata and OpenAPI remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R104",
|
|
"description": "Filter metadata stats/counts so AlgaDesk counts only visible endpoints/schemas/permissions.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Metadata and OpenAPI remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R105",
|
|
"description": "Filter schemas/models that are exclusively PSA-only from AlgaDesk metadata where feasible.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Metadata and OpenAPI remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R106",
|
|
"description": "Document any shared schemas intentionally still visible to AlgaDesk.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Metadata and OpenAPI remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R107",
|
|
"description": "Preserve complete PSA metadata/OpenAPI output for PSA tenants.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Metadata and OpenAPI remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R108",
|
|
"description": "Integrate relevant contact-detail AlgaDesk mode changes from the current uncommitted working tree.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Contact and document leak remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R109",
|
|
"description": "Prevent AlgaDesk `/msp/contacts/[id]?tab=documents` from fetching contact documents.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Contact and document leak remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R110",
|
|
"description": "Prevent AlgaDesk ContactDetails from rendering the Documents tab.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Contact and document leak remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R111",
|
|
"description": "Preserve PSA contact document fetching on `tab=documents`.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Contact and document leak remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R112",
|
|
"description": "Preserve PSA ContactDetails Documents tab rendering.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Contact and document leak remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R113",
|
|
"description": "Add product composition tests for AlgaDesk and PSA contact detail behavior.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Contact and document leak remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R114",
|
|
"description": "Fix T015 Playwright helper signatures to match actual helper APIs.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R115",
|
|
"description": "Fix T015 route assumptions for portal ticket creation so it targets a real creation flow.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R116",
|
|
"description": "Add cleanup for tenants and related data created by AlgaDesk Playwright tests.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R117",
|
|
"description": "Fix package-level ticket detail test runner failure or move test to a runnable server Vitest context.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R118",
|
|
"description": "Audit source-string contract tests and rename any that remain as contract/static tests.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R119",
|
|
"description": "Replace T016/T017 inbound email source-string coverage with DB-backed behavior coverage or mark as external-prerequisite tests.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R120",
|
|
"description": "Replace T019 API source-string coverage with real API-key request coverage for allowed and denied routes.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R121",
|
|
"description": "Replace T020 metadata source-string coverage with real metadata/OpenAPI endpoint coverage.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R122",
|
|
"description": "Ensure DB-backed tests have clear prerequisites and skip/fail behavior appropriate for CI.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R123",
|
|
"description": "Run focused unit tests for product resolver, registry, product context, shell, settings, contact detail, and error handling.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R124",
|
|
"description": "Run focused integration tests for product_code migration and representative API gates when DB is available.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R125",
|
|
"description": "Run Playwright list and at least one smoke execution path when browser environment is available.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Test remediation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R126",
|
|
"description": "Add a note to the parent scratchpad that this remediation plan supersedes implementation tracking until blockers are resolved.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Parent plan reconciliation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R127",
|
|
"description": "Reset or correct parent tests.json implemented booleans for tests proven non-runnable or source-only if the team chooses to keep parent status authoritative.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Parent plan reconciliation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R128",
|
|
"description": "Reset or correct parent features.json implemented booleans for features contradicted by remediation blockers if the team chooses to keep parent status authoritative.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Parent plan reconciliation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R129",
|
|
"description": "Keep this remediation features.json entirely false until fixes are verified.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Parent plan reconciliation"
|
|
]
|
|
},
|
|
{
|
|
"id": "R130",
|
|
"description": "Keep this remediation tests.json entirely false until tests are verified.",
|
|
"implemented": true,
|
|
"prdRefs": [
|
|
"Parent plan reconciliation"
|
|
]
|
|
}
|
|
]
|