docs(04-rbac): create phase plan — 3 plans in 3 waves

2026-03-24 13:37:36 -06:00
parent 4706a87355
commit bf4adf0b21
4 changed files with 1008 additions and 20 deletions


@@ -15,6 +15,7 @@ Decimal phases appear between their surrounding integers in numeric order.
- [x] **Phase 1: Foundation** - Secure multi-tenant pipeline with Slack end-to-end and basic agent response (completed 2026-03-23)
- [x] **Phase 2: Agent Features** - Persistent memory, tool framework, WhatsApp integration, and human escalation (gap closure in progress) (completed 2026-03-24)
- [x] **Phase 3: Operator Experience** - Admin portal, tenant onboarding, and Stripe billing (gap closure in progress)
- [ ] **Phase 4: RBAC** - Three-tier role-based access control with email invitation flow
## Phase Details
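Review bot: the checklist status in this hunk is inconsistent with the progress table added later in the same commit: Phase 3 still carries "(gap closure in progress)" with no completion date, and Phase 2 carries both "(gap closure in progress)" and "(completed 2026-03-24)", while the table reports both phases as Complete on 2026-03-24. Since 03-05 (the gap-closure plan) is checked off with that date below, drop the in-progress notes and give Phase 3 a "(completed 2026-03-24)" tag so the two views agree.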
@@ -75,23 +76,6 @@ Plans:
- [ ] 03-04-PLAN.md — Cost tracking dashboard with Recharts charts, budget alert badges, time range filtering
- [x] 03-05-PLAN.md — Gap closure: mount Phase 3 API routers on gateway, fix Slack OAuth and budget alert field name mismatches (completed 2026-03-24)
## Progress
**Execution Order:**
Phases execute in numeric order: 1 -> 2 -> 3
| Phase | Plans Complete | Status | Completed |
|-------|----------------|--------|-----------|
| 1. Foundation | 4/4 | Complete | 2026-03-23 |
| 2. Agent Features | 6/6 | Complete | 2026-03-24 |
| 3. Operator Experience | 5/5 | Complete | 2026-03-24 |
---
## Coverage Notes
**LLM-03 conflict resolved:** BYO API keys confirmed in v1 scope per user decision during Phase 3 context gathering. Implemented via Fernet encryption in Phase 3.
### Phase 4: RBAC
**Goal**: Three-tier role-based access control — platform admins manage the SaaS, customer admins manage their tenant, customer operators get read-only access — with email invitation flow for onboarding tenant users
**Depends on**: Phase 3
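Review bot: 03-04-PLAN.md is still unchecked in this hunk while the progress table (both the copy removed here and the one re-added after Phase 4) reports Phase 3 at 5/5 Complete; either check 03-04 with its completion date or correct the count to 4/5. Removing the Progress and Coverage Notes blocks at this position is fine as a move, since both reappear after the Phase 4 details below.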
@@ -102,11 +86,31 @@ Phases execute in numeric order: 1 -> 2 -> 3
3. A customer operator can view agents and usage dashboards but cannot create, edit, or delete anything
4. A customer admin can invite a new user (admin or operator) by email — the invitee receives a link, clicks to activate, and sets their password
5. Portal navigation and API endpoints enforce role-based access — unauthorized actions return 403, not just hidden UI elements
**Plans**: 0 plans
**Plans**: 3 plans
Plans:
- [ ] TBD (run /gsd:plan-phase 4 to break down)
- [ ] 04-01-PLAN.md — Backend RBAC foundation: DB migration (is_admin -> role enum), ORM models (UserTenantRole, PortalInvitation), RBAC guard dependencies, invitation API + SMTP email, unit tests
- [ ] 04-02-PLAN.md — Portal RBAC integration: Auth.js JWT role claims, proxy role redirects, role-filtered nav, tenant switcher, impersonation banner, invite acceptance page, user management pages
- [ ] 04-03-PLAN.md — Wire RBAC guards to all existing API endpoints, impersonation audit logging, integration tests, human verification checkpoint
## Progress
**Execution Order:**
Phases execute in numeric order: 1 -> 2 -> 3 -> 4
| Phase | Plans Complete | Status | Completed |
|-------|----------------|--------|-----------|
| 1. Foundation | 4/4 | Complete | 2026-03-23 |
| 2. Agent Features | 6/6 | Complete | 2026-03-24 |
| 3. Operator Experience | 5/5 | Complete | 2026-03-24 |
| 4. RBAC | 0/3 | Planned | — |
---
## Coverage Notes
**LLM-03 conflict resolved:** BYO API keys confirmed in v1 scope per user decision during Phase 3 context gathering. Implemented via Fernet encryption in Phase 3.
---
*Roadmap created: 2026-03-23*
*Coverage: 25/25 v1 requirements mapped*
*Coverage: 25/25 v1 requirements + 6 RBAC requirements mapped*
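Review bot: the wave order undercuts success criterion 5. That criterion requires API endpoints to return 403 rather than relying on hidden UI, yet role-filtered navigation and redirects ship in 04-02 while wiring the guards to all existing API endpoints is deferred to 04-03, so between those two waves the system would be in exactly the hidden-UI-only state the criterion rules out. Consider pulling the guard wiring for existing endpoints into 04-01 alongside the guard dependencies, or stating in the plan list that 04-02 is not deployable before 04-03. The same ordering problem applies to impersonation: the impersonation banner ships in 04-02 but impersonation audit logging in 04-03; impersonation should not be reachable without its audit trail, so put the logging in the plan that introduces the feature. Also, the "is_admin -> role enum" migration in 04-01 should say how existing is_admin=true rows are backfilled, since the three-tier model splits the old flag into platform admin and customer admin. Minor: the footer now claims "6 RBAC requirements mapped", but the Coverage Notes block lists no RBAC requirement IDs; add them where the LLM-03 note lives so the coverage claim is checkable.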