docs(04-rbac-03): complete RBAC API enforcement plan — guards, test-message endpoint, integration tests

- 17 portal API endpoints guarded with Depends() RBAC guards
- POST /agents/{aid}/test endpoint allows operators to QA agents
- GET /tenants/{tid}/users, GET /admin/users listing endpoints
- POST /admin/impersonate with AuditEvent audit trail
- 56 integration tests covering full RBAC matrix and invite flow
- STATE.md updated, ROADMAP.md phase 4 marked complete
Awaiting human-verify checkpoint (Task 3) before phase is fully done
2026-03-24 17:18:52 -06:00
parent 9515c5374a
commit 94ada11fbd
3 changed files with 167 additions and 8 deletions


@@ -3,14 +3,14 @@ gsd_state_version: 1.0
milestone: v1.0
milestone_name: milestone
status: completed
stopped_at: Completed 04-rbac-02-PLAN.md
last_updated: "2026-03-24T23:08:36.666Z"
stopped_at: Completed 04-rbac-03-PLAN.md (awaiting human-verify checkpoint)
last_updated: "2026-03-24T23:18:30.300Z"
last_activity: 2026-03-23 — Completed 03-02 onboarding wizard, Slack OAuth, BYO API keys
progress:
total_phases: 4
completed_phases: 3
completed_phases: 4
total_plans: 18
completed_plans: 17
completed_plans: 18
percent: 100
---
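Review bot: the frontmatter now contradicts itself. `status: completed`, `completed_phases: 4`, `completed_plans: 18` and `percent: 100` all assert the milestone is done, while the new `stopped_at` line (and the commit message) say 04-rbac-03 is still awaiting the human-verify checkpoint. Either keep the phase/plan counters at 3/17 until the checkpoint passes, or add a field that records the pending verification so tooling reading this file does not treat an unverified RBAC phase as shipped. Separately, `last_activity` still reads `2026-03-23 — Completed 03-02 onboarding wizard, Slack OAuth, BYO API keys` and was not bumped for the 04-rbac-03 work this commit records.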
@@ -69,6 +69,7 @@ Progress: [██████████] 100%
| Phase 03-operator-experience P05 | 2min | 2 tasks | 6 files |
| Phase 04-rbac P01 | 8min | 3 tasks | 14 files |
| Phase 04-rbac P02 | 5min | 3 tasks | 10 files |
| Phase 04-rbac P03 | 8min | 2 tasks | 7 files |
## Accumulated Context
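Review bot: the new `Phase 04-rbac P03 | 8min | 2 tasks | 7 files` row counts 2 tasks, but the commit message refers to a Task 3 (human-verify) that is still outstanding for this plan. If the column means completed tasks, the row is fine but the header context `Progress: [██████████] 100%` above it is not; if it means total tasks, it should read 3. State which convention the table uses so the row and the progress bar agree.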
@@ -144,6 +145,8 @@ Recent decisions affecting current work:
- [Phase 04-rbac]: Celery invite email task dispatched via lazy local import in invitations.py to avoid shared->orchestrator circular dep
- [Phase 04-rbac]: base-ui DialogTrigger uses render prop not asChild — fixes TypeScript error in portal components
- [Phase 04-rbac]: base-ui Select onValueChange typed as (string | null) — filter state setters use ?? '' to coerce null
- [Phase 04-rbac]: Operator test-message endpoint uses require_tenant_member not require_tenant_admin — locked decision: operators can QA agent behavior without CRUD access
- [Phase 04-rbac]: Impersonation logs via raw SQL INSERT into audit_events — consistent with audit table immutability design (UPDATE/DELETE revoked at DB level)
### Roadmap Evolution
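Review bot: the two security decisions recorded here should capture their failure modes, not only the choice made. For `Impersonation logs via raw SQL INSERT into audit_events`, note whether the INSERT runs in the same transaction as (and before) issuing the impersonation session, so a failed audit write blocks impersonation rather than leaving it unlogged, and that the raw statement uses bound parameters for actor, target and tenant ids. For `Operator test-message endpoint uses require_tenant_member`, record that the guard still scopes `aid` to the caller's tenant (membership in some tenant must not grant test access to another tenant's agents), since that is the check a reader of this line would otherwise assume is covered by "locked decision".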
@@ -159,6 +162,6 @@ None — all phases complete.
## Session Continuity
Last session: 2026-03-24T23:08:36.663Z
Stopped at: Completed 04-rbac-02-PLAN.md
Last session: 2026-03-24T23:18:30.297Z
Stopped at: Completed 04-rbac-03-PLAN.md (awaiting human-verify checkpoint)
Resume file: None
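Review bot: `Resume file: None` together with the unchanged context line `None — all phases complete.` means a resumed session has no pointer to the pending human-verify checkpoint that the new `Stopped at:` line announces. Set the resume file to the 04-rbac-03 plan (or its checkpoint task) so the verification is picked up, and update the "all phases complete" line to match the awaiting-checkpoint state.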