adelorenzo/konstruct
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(05-04): complete RBAC gap closure and wizard error fix plan

Browse Source 
- Added 05-04-SUMMARY.md
- Updated STATE.md with decisions and session info
- Updated ROADMAP.md with Phase 5 plan progress (4/4 complete)
This commit is contained in:
Adolfo Delorenzo
2026-03-24 20:52:31 -06:00
parent b287a95014
commit 999c6ce55b
3 changed files with 86 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.planning/ROADMAP.md
View File

@@ -122,7 +122,7 @@ Phases execute in numeric order: 1 -> 2 -> 3 -> 4 -> 5
| 2. Agent Features | 6/6 | Complete | 2026-03-24 | | 2. Agent Features | 6/6 | Complete | 2026-03-24 |
| 3. Operator Experience | 5/5 | Complete | 2026-03-24 | | 3. Operator Experience | 5/5 | Complete | 2026-03-24 |
| 4. RBAC | 3/3 | Complete | 2026-03-24 | | 4. RBAC | 3/3 | Complete | 2026-03-24 |
| 5. Employee Design | 3/4 | Gap Closure | 2026-03-25 | | 5. Employee Design | 4/4 | Complete | 2026-03-25 |
--- ---

15
.planning/STATE.md
View File

@@ -3,14 +3,14 @@ gsd_state_version: 1.0
milestone: v1.0 milestone: v1.0
milestone_name: milestone milestone_name: milestone
status: completed status: completed
stopped_at: Completed 05-03 employee design human verification — Phase 5 complete stopped_at: Completed 05-04 RBAC gap closure and wizard error fix
last_updated: "2026-03-25T02:42:02.720Z" last_updated: "2026-03-25T02:52:23.275Z"
last_activity: 2026-03-23 — Completed 03-02 onboarding wizard, Slack OAuth, BYO API keys last_activity: 2026-03-23 — Completed 03-02 onboarding wizard, Slack OAuth, BYO API keys
progress: progress:
total_phases: 5 total_phases: 5
completed_phases: 5 completed_phases: 5
total_plans: 21 total_plans: 22
completed_plans: 21 completed_plans: 22
percent: 100 percent: 100
--- ---
@@ -73,6 +73,7 @@ Progress: [██████████] 100%
| Phase 05-employee-design P01 | 7min | 2 tasks | 9 files | | Phase 05-employee-design P01 | 7min | 2 tasks | 9 files |
| Phase 05-employee-design PP02 | 5min | 2 tasks | 15 files | | Phase 05-employee-design PP02 | 5min | 2 tasks | 15 files |
| Phase 05-employee-design P03 | 2min | 1 tasks | 0 files | | Phase 05-employee-design P03 | 2min | 1 tasks | 0 files |
| Phase 05-employee-design P04 | 1min | 2 tasks | 3 files |
## Accumulated Context ## Accumulated Context
@@ -156,6 +157,8 @@ Recent decisions affecting current work:
- [Phase 05-employee-design]: Wizard state held in React useState — persona text in URL would be impractical; step position exposed via URL searchParam only - [Phase 05-employee-design]: Wizard state held in React useState — persona text in URL would be impractical; step position exposed via URL searchParam only
- [Phase 05-employee-design]: Channels step is informational in v1 — agent routing is tenant-scoped, not per-agent; no channel-agent join table in v1 - [Phase 05-employee-design]: Channels step is informational in v1 — agent routing is tenant-scoped, not per-agent; no channel-agent join table in v1
- [Phase 05-employee-design]: All three creation paths (template, wizard, advanced) confirmed working by human review before Phase 5 marked complete - [Phase 05-employee-design]: All three creation paths (template, wizard, advanced) confirmed working by human review before Phase 5 marked complete
- [Phase 05-employee-design]: /agents/new added to CUSTOMER_OPERATOR_RESTRICTED — startsWith check covers all sub-paths automatically
- [Phase 05-employee-design]: catch re-throw in handleDeploy is minimal fix — existing createAgent.error UI was correctly wired, just never received the error
### Roadmap Evolution ### Roadmap Evolution
@@ -171,6 +174,6 @@ None — all phases complete.
## Session Continuity ## Session Continuity
Last session: 2026-03-25T02:42:02.717Z Last session: 2026-03-25T02:52:23.271Z
Stopped at: Completed 05-03 employee design human verification — Phase 5 complete Stopped at: Completed 05-04 RBAC gap closure and wizard error fix
Resume file: None Resume file: None

76
.planning/phases/05-employee-design/05-04-SUMMARY.md Normal file
View File

@@ -0,0 +1,76 @@
---
phase: 05-employee-design
plan: "04"
subsystem: portal
tags: [rbac, ux, bugfix, gap-closure]
dependency_graph:
requires: [05-03]
provides: [EMPL-04-complete]
affects: [proxy.ts, agents-page, wizard-deploy]
tech_stack:
added: []
patterns: [useSession role gate, proxy RBAC restriction, TanStack Query error re-throw]
key_files:
created: []
modified:
- packages/portal/proxy.ts
- packages/portal/app/(dashboard)/agents/page.tsx
- packages/portal/components/wizard-steps/step-review.tsx
decisions:
- "/agents/new added to CUSTOMER_OPERATOR_RESTRICTED — startsWith check already covers all sub-paths (wizard, templates, advanced)"
- "Button hidden with role guard in addition to proxy redirect — security at proxy, UX polish at component"
- "catch re-throw is minimal fix — existing createAgent.error UI was correctly wired, just never received the error"
metrics:
duration: "~1 min"
completed: "2026-03-25"
tasks: 2
files: 3
requirements: [EMPL-04]
---
# Phase 5 Plan 4: RBAC Gap Closure and Wizard Error Fix Summary
**One-liner:** Closed two verification gaps — proxy RBAC blocks /agents/new for operators and wizard deploy errors now surface to user via TanStack Query mutation state.
## Tasks Completed
| Task | Name | Commit | Files |
|------|------|--------|-------|
| 1 | Add /agents/new to proxy RBAC restrictions and hide New Employee button | 8b697aa | proxy.ts, agents/page.tsx |
| 2 | Fix wizard deploy error handling to surface errors to user | 67b3690 | step-review.tsx |
## What Was Built
### Task 1: Frontend RBAC Gap Closure
Two changes to close the operator access gap for agent creation:
**proxy.ts** — Added `"/agents/new"` to `CUSTOMER_OPERATOR_RESTRICTED` array. The existing `startsWith` check at line 59 automatically extends protection to all sub-paths (`/agents/new/templates`, `/agents/new/wizard`, `/agents/new/advanced`). No additional logic needed.
**agents/page.tsx** — Added `useSession` import from `next-auth/react`, extracted `role` from session, and wrapped the New Employee button in a conditional render: `{role && role !== "customer_operator" && (<Button ...>)}`. The button is hidden entirely for operators — the proxy redirect is the security enforcement; button hiding is UX polish to avoid visible-but-blocked affordances.
### Task 2: Wizard Deploy Error Fix
**step-review.tsx** — Added `throw err` in the catch block of `handleDeploy`. The `mutateAsync` call throws on failure; catching without re-throwing caused TanStack Query to never update `createAgent.error` or `createAgent.isError`. The existing error display div at lines 141-145 was correctly wired — it simply never received the error. Re-throwing allows the mutation state to update, and the error div renders automatically.
## Deviations from Plan
None — plan executed exactly as written.
## Success Criteria Verification
- [x] proxy.ts CUSTOMER_OPERATOR_RESTRICTED includes "/agents/new"
- [x] agents/page.tsx New Employee button conditionally rendered based on session role
- [x] step-review.tsx catch block re-throws error so mutation error state is set
- [x] All three changes are minimal, surgical fixes — only 3 files modified, exactly as specified
## Self-Check: PASSED
Files exist:
- packages/portal/proxy.ts — FOUND
- packages/portal/app/(dashboard)/agents/page.tsx — FOUND
- packages/portal/components/wizard-steps/step-review.tsx — FOUND
Commits exist:
- 8b697aa — FOUND (feat: RBAC restriction + button hide)
- 67b3690 — FOUND (fix: re-throw deploy error)