adelorenzo/konstruct
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(04-rbac-01): complete RBAC foundation plan — migration, guards, invitations, tests

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Adolfo Delorenzo
2026-03-24 13:57:17 -06:00
parent 7b0594e7cc
commit 1fa4c3e3ad
4 changed files with 154 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
.planning/STATE.md
View File

@@ -3,14 +3,14 @@ gsd_state_version: 1.0
milestone: v1.0
milestone_name: milestone
status: completed
stopped_at: Phase 4 context gathered
last_updated: "2026-03-24T19:09:47.443Z"
stopped_at: Completed 04-rbac-01-PLAN.md
last_updated: "2026-03-24T19:57:06.246Z"
last_activity: 2026-03-23 — Completed 03-02 onboarding wizard, Slack OAuth, BYO API keys
progress:
total_phases: 4
completed_phases: 3
total_plans: 15
completed_plans: 15
total_plans: 18
completed_plans: 16
percent: 100
---
@@ -67,6 +67,7 @@ Progress: [██████████] 100%
| Phase 03-operator-experience P03 | 8min | 2 tasks | 6 files |
| Phase 03-operator-experience P04 | 10min | 2 tasks | 8 files |
| Phase 03-operator-experience P05 | 2min | 2 tasks | 6 files |
| Phase 04-rbac P01 | 8min | 3 tasks | 14 files |
## Accumulated Context
@@ -136,6 +137,10 @@ Recent decisions affecting current work:
- [Phase 03-operator-experience]: Usage nav links to /usage tenant picker (not hardcoded tenantId) — supports multi-tenant operators
- [Phase 03-operator-experience]: BudgetAlertBadge renders neutral 'No limit set' for null budget_limit_usd — prevents false alarms
- [Phase 03-operator-experience]: All Phase 3 portal routers (portal, billing, channels, llm_keys, usage, webhook) mounted directly on gateway FastAPI app
- [Phase 04-rbac]: Role stored as TEXT+CHECK (not sa.Enum) per Phase 1 ADR to avoid Alembic DDL conflicts
- [Phase 04-rbac]: SHA-256 hash of raw invite token stored in DB — token_to_hash enables O(1) lookup without exposing token
- [Phase 04-rbac]: platform_admin bypasses tenant membership check entirely (no DB query) for simpler, faster guard logic
- [Phase 04-rbac]: Celery invite email task dispatched via lazy local import in invitations.py to avoid shared->orchestrator circular dep
### Roadmap Evolution
@@ -151,6 +156,6 @@ None — all phases complete.
## Session Continuity
Last session: 2026-03-24T19:09:47.440Z
Stopped at: Phase 4 context gathered
Resume file: .planning/phases/04-rbac/04-CONTEXT.md
Last session: 2026-03-24T19:57:06.244Z
Stopped at: Completed 04-rbac-01-PLAN.md
Resume file: None