adelorenzo/konstruct
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(04-rbac-01): complete RBAC foundation plan — migration, guards, invitations, tests

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Adolfo Delorenzo
2026-03-24 13:57:17 -06:00
parent 7b0594e7cc
commit 1fa4c3e3ad
4 changed files with 154 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
.planning/REQUIREMENTS.md
View File

@@ -49,12 +49,12 @@ Requirements for beta-ready release. Each maps to roadmap phases.
### RBAC & User Management
- [ ] **RBAC-01**: Platform admin role with full access to all tenants, agents, users, and platform settings
- [ ] **RBAC-02**: Customer admin role scoped to a single tenant with full control over agents, channels, billing, API keys, and user management
- [ ] **RBAC-03**: Customer operator role scoped to a single tenant with read-only access to agents, conversations, and usage dashboards
- [ ] **RBAC-04**: Customer admin can invite users (admin or operator) by email — invitee receives activation link to set password and enable access
- [x] **RBAC-01**: Platform admin role with full access to all tenants, agents, users, and platform settings
- [x] **RBAC-02**: Customer admin role scoped to a single tenant with full control over agents, channels, billing, API keys, and user management
- [x] **RBAC-03**: Customer operator role scoped to a single tenant with read-only access to agents, conversations, and usage dashboards
- [x] **RBAC-04**: Customer admin can invite users (admin or operator) by email — invitee receives activation link to set password and enable access
- [ ] **RBAC-05**: Portal navigation, pages, and UI elements adapt based on user role (platform admin sees tenant picker, customer admin sees their tenant, operator sees read-only views)
- [ ] **RBAC-06**: API endpoints enforce role-based authorization — unauthorized actions return 403 Forbidden, not just hidden UI
- [x] **RBAC-06**: API endpoints enforce role-based authorization — unauthorized actions return 403 Forbidden, not just hidden UI
## v2 Requirements
@@ -129,12 +129,12 @@ Which phases cover which requirements. Updated during roadmap creation.
| PRTA-04 | Phase 3 | Complete |
| PRTA-05 | Phase 3 | Complete |
| PRTA-06 | Phase 3 | Complete |
| RBAC-01 | Phase 4 | Pending |
| RBAC-02 | Phase 4 | Pending |
| RBAC-03 | Phase 4 | Pending |
| RBAC-04 | Phase 4 | Pending |
| RBAC-01 | Phase 4 | Complete |
| RBAC-02 | Phase 4 | Complete |
| RBAC-03 | Phase 4 | Complete |
| RBAC-04 | Phase 4 | Complete |
| RBAC-05 | Phase 4 | Pending |
| RBAC-06 | Phase 4 | Pending |
| RBAC-06 | Phase 4 | Complete |
**Coverage:**
- v1 requirements: 25 total (all complete)