resolutionflow

Author SHA1 Message Date

Author	SHA1	Message	Date
Michael Chihlas	fd8fab97bd	docs: update permissions audit with re-audit findings Re-audited after RBAC commit (`34daa26`). Key findings: - permissions.py is dead code (no endpoint imports it) - require_engineer_or_admin blocks team admins with viewer role - 49 endpoints bypass get_current_active_user - 3 critical issues still open (role field, XSS, secret key) - Updated implementation plan with new Phase B items Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-05 17:53:25 -05:00
Michael Chihlas	02bd97948e	docs: add permissions audit design doc and implementation plan Full-stack RBAC audit covering frontend UX, backend architecture, and adversarial analysis. Implementation plan phased by severity (Critical → High → Medium → Low). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-05 17:42:38 -05:00

Michael Chihlas

fd8fab97bd

docs: update permissions audit with re-audit findings

Re-audited after RBAC commit (34daa26). Key findings:
- permissions.py is dead code (no endpoint imports it)
- require_engineer_or_admin blocks team admins with viewer role
- 49 endpoints bypass get_current_active_user
- 3 critical issues still open (role field, XSS, secret key)
- Updated implementation plan with new Phase B items

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-05 17:53:25 -05:00

Michael Chihlas

02bd97948e

docs: add permissions audit design doc and implementation plan

Full-stack RBAC audit covering frontend UX, backend architecture,
and adversarial analysis. Implementation plan phased by severity
(Critical → High → Medium → Low).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-05 17:42:38 -05:00

2 Commits