diff --git a/.planning/ROADMAP.md b/.planning/ROADMAP.md index 5a2f236..ee700fc 100644 --- a/.planning/ROADMAP.md +++ b/.planning/ROADMAP.md @@ -122,7 +122,7 @@ Phases execute in numeric order: 1 -> 2 -> 3 -> 4 -> 5 | 2. Agent Features | 6/6 | Complete | 2026-03-24 | | 3. Operator Experience | 5/5 | Complete | 2026-03-24 | | 4. RBAC | 3/3 | Complete | 2026-03-24 | -| 5. Employee Design | 3/4 | Gap Closure | 2026-03-25 | +| 5. Employee Design | 4/4 | Complete | 2026-03-25 | --- diff --git a/.planning/STATE.md b/.planning/STATE.md index 640d13a..cf8ac3e 100644 --- a/.planning/STATE.md +++ b/.planning/STATE.md @@ -3,14 +3,14 @@ gsd_state_version: 1.0 milestone: v1.0 milestone_name: milestone status: completed -stopped_at: Completed 05-03 employee design human verification — Phase 5 complete -last_updated: "2026-03-25T02:42:02.720Z" +stopped_at: Completed 05-04 RBAC gap closure and wizard error fix +last_updated: "2026-03-25T02:52:23.275Z" last_activity: 2026-03-23 — Completed 03-02 onboarding wizard, Slack OAuth, BYO API keys progress: total_phases: 5 completed_phases: 5 - total_plans: 21 - completed_plans: 21 + total_plans: 22 + completed_plans: 22 percent: 100 --- @@ -73,6 +73,7 @@ Progress: [██████████] 100% | Phase 05-employee-design P01 | 7min | 2 tasks | 9 files | | Phase 05-employee-design PP02 | 5min | 2 tasks | 15 files | | Phase 05-employee-design P03 | 2min | 1 tasks | 0 files | +| Phase 05-employee-design P04 | 1min | 2 tasks | 3 files | ## Accumulated Context 
@@ -156,6 +157,8 @@ Recent decisions affecting current work: - [Phase 05-employee-design]: Wizard state held in React useState — persona text in URL would be impractical; step position exposed via URL searchParam only - [Phase 05-employee-design]: Channels step is informational in v1 — agent routing is tenant-scoped, not per-agent; no channel-agent join table in v1 - [Phase 05-employee-design]: All three creation paths (template, wizard, advanced) confirmed working by human review before Phase 5 marked complete +- [Phase 05-employee-design]: /agents/new added to CUSTOMER_OPERATOR_RESTRICTED — startsWith check covers all sub-paths automatically +- [Phase 05-employee-design]: catch re-throw in handleDeploy is minimal fix — existing createAgent.error UI was correctly wired, just never received the error ### Roadmap Evolution @@ -171,6 +174,6 @@ None — all phases complete. ## Session Continuity -Last session: 2026-03-25T02:42:02.717Z -Stopped at: Completed 05-03 employee design human verification — Phase 5 complete +Last session: 2026-03-25T02:52:23.271Z +Stopped at: Completed 05-04 RBAC gap closure and wizard error fix Resume file: None diff --git a/.planning/phases/05-employee-design/05-04-SUMMARY.md b/.planning/phases/05-employee-design/05-04-SUMMARY.md new file mode 100644 index 0000000..1cf57c5 --- /dev/null +++ b/.planning/phases/05-employee-design/05-04-SUMMARY.md 
@@ -0,0 +1,76 @@ +--- +phase: 05-employee-design +plan: "04" +subsystem: portal +tags: [rbac, ux, bugfix, gap-closure] +dependency_graph: + requires: [05-03] + provides: [EMPL-04-complete] + affects: [proxy.ts, agents-page, wizard-deploy] +tech_stack: + added: [] + patterns: [useSession role gate, proxy RBAC restriction, TanStack Query error re-throw] +key_files: + created: [] + modified: + - packages/portal/proxy.ts + - packages/portal/app/(dashboard)/agents/page.tsx + - packages/portal/components/wizard-steps/step-review.tsx +decisions: + - "/agents/new added to CUSTOMER_OPERATOR_RESTRICTED — startsWith check already covers all sub-paths (wizard, templates, advanced)" + - "Button hidden with role guard in addition to proxy redirect — security at proxy, UX polish at component" + - "catch re-throw is minimal fix — existing createAgent.error UI was correctly wired, just never received the error" +metrics: + duration: "~1 min" + completed: "2026-03-25" + tasks: 2 + files: 3 +requirements: [EMPL-04] +--- + +# Phase 5 Plan 4: RBAC Gap Closure and Wizard Error Fix Summary + +**One-liner:** Closed two verification gaps — proxy RBAC blocks /agents/new for operators and wizard deploy errors now surface to user via TanStack Query mutation state. + +## Tasks Completed + +| Task | Name | Commit | Files | +|------|------|--------|-------| +| 1 | Add /agents/new to proxy RBAC restrictions and hide New Employee button | 8b697aa | proxy.ts, agents/page.tsx | +| 2 | Fix wizard deploy error handling to surface errors to user | 67b3690 | step-review.tsx | + +## What Was Built + +### Task 1: Frontend RBAC Gap Closure + +Two changes to close the operator access gap for agent creation: + +**proxy.ts** — Added `"/agents/new"` to `CUSTOMER_OPERATOR_RESTRICTED` array. The existing `startsWith` check at line 59 automatically extends protection to all sub-paths (`/agents/new/templates`, `/agents/new/wizard`, `/agents/new/advanced`). No additional logic needed. 
+ +**agents/page.tsx** — Added `useSession` import from `next-auth/react`, extracted `role` from session, and wrapped the New Employee button in a conditional render: `{role && role !== "customer_operator" && (
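Review bot: In the `.planning/STATE.md` front-matter hunk (`@@ -3,14 +3,14 @@`), `last_activity` is left as unchanged context, still dated 2026-03-23 and naming plan 03-02, while `stopped_at` and `last_updated` in the same block move to the 05-04 work on 2026-03-25. The state file now disagrees with itself about the most recent activity. Update `last_activity` in this change, or remove the field if it is no longer maintained.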
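Review bot: In the `.planning/STATE.md` decisions hunk (`@@ -156,6 +157,8 @@`), the new entry records that a `startsWith` check on `/agents/new` "covers all sub-paths automatically", but a bare prefix match has no path-segment boundary. It will also restrict any later route whose path merely begins with that string, and it only holds if the pathname is always compared in one normalized form. Suggest recording the intended rule as an exact match or a match on the entry followed by `/`, and confirming that the check in `proxy.ts` behaves that way, so the decision log states the boundary rather than relying on the prefix behaviour.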
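Review bot: In the new `05-04-SUMMARY.md`, the decision "security at proxy, UX polish at component" sits under a task titled "Frontend RBAC Gap Closure", and nothing in the summary says where the agent-creation API itself rejects `customer_operator`. A redirect on the `/agents/new` page routes does not cover requests sent straight to the backend, so please name the server-side check (or the Phase 4 plan that added it) here. Two smaller points in the same file: the button guard `role && role !== "customer_operator"` is a denylist, so any role added later will see New Employee by default, and an allowlist of the roles that may create agents would fail closed. The reference to "line 59" of `proxy.ts` will drift, so cite the function or constant name instead.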