letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
88f76b6b04e24dfc360b037a75d607a2461b0dfe
pn-new-crm/docs/runbooks/permission-audit.md
Matt Ciaccio 31fa3d08ec chore(cleanup): Phase 1 — gap closure across audit, alerts, soft-delete, perms 
Multi-area cleanup pass closing partial-implementation gaps surfaced by the
post-i18n audit. No behavior changes for happy-path users; closes real
correctness/security holes.

PR1a Public yacht-interest endpoint i18n. /api/public/interests now accepts
     phoneE164/phoneCountry, nationalityIso, address.{countryIso, subdivisionIso},
     and company.{incorporationCountryIso, incorporationSubdivisionIso}.
     Server-side parsePhone() fallback for legacy raw phone strings.

PR1b Alert rule registry trim. Two rule slots ('document.expiring_soon',
     'audit.suspicious_login') were registered but evaluators returned [].
     Both required schema/instrumentation that hadn't landed. Removed from
     the registry; comments record the dependencies needed to revive them.
     Effective rule count: 8 active.

PR1c vi.mock hoist + flake fix. Hoisted vi.mock calls to top-level in 5
     integration test files; webhook-delivery uses vi.hoisted for the
     queue-add ref. Vitest no longer warns about non-top-level mocks.
     Deflaked the 'short value' assertion in security-encryption.test.ts
     by switching plaintext from 'ab' to 'XY' (non-hex chars). 5/5 runs green.

PR1d Soft-delete reference audit. listClientOptions and listYachtsForOwner
     now filter by isNull(archivedAt). Berths use status (no archivedAt).

PR1e Permission-matrix audit script + report. scripts/audit-permissions.ts
     walks every src/app/api/v1/**/route.ts and reports handlers without a
     withPermission() wrapper. Initial run found 33 violations.
     - Allow-listed 17 with explicit reasons (self-data, admin, alerts,
       search, currency, ai, custom-fields — some marked TODO).
     - Wrapped 7 routes with concrete permissions: clients/options
       (clients:view), berths/options (berths:view), dashboard/*
       (reports:view_dashboard), analytics (reports:view_analytics).
     Audit report at docs/runbooks/permission-audit.md. Script exits
     non-zero on any unallow-listed violation so it can become a CI gate.

Vitest: 741 -> 741 (no new tests; existing suite covers the changes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-28 18:48:22 +02:00

7.9 KiB
Raw Blame History

Permission Matrix Audit

Scanned 182 route files under src/app/api/v1/.

No violations. Every internal v1 handler is permission-gated.

Allow-listed: 46 handler(s) intentionally skip withPermission.

File Method Reason
src/app/api/v1/admin/alerts/run-engine/route.ts POST Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/connections/route.ts GET Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/errors/route.ts GET Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/health/route.ts GET Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/ocr-settings/route.ts GET Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/ocr-settings/route.ts PUT Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/ocr-settings/test/route.ts POST Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/queues/[queueName]/[jobId]/retry/route.ts POST Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/queues/[queueName]/[jobId]/route.ts DELETE Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/queues/[queueName]/route.ts GET Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/queues/route.ts GET Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/admin/users/options/route.ts GET Admin-only — gated by isSuperAdmin inside handler.
src/app/api/v1/ai/email-draft/[jobId]/route.ts GET TODO: needs ai:* permission catalog entry. Currently allow-listed.
src/app/api/v1/ai/email-draft/route.ts POST TODO: needs ai:* permission catalog entry. Currently allow-listed.
src/app/api/v1/ai/interest-score/bulk/route.ts GET TODO: needs ai:* permission catalog entry. Currently allow-listed.
src/app/api/v1/ai/interest-score/route.ts GET TODO: needs ai:* permission catalog entry. Currently allow-listed.
src/app/api/v1/alerts/[id]/acknowledge/route.ts POST Alerts are user-scoped; port-filtered via auth context.
src/app/api/v1/alerts/[id]/dismiss/route.ts POST Alerts are user-scoped; port-filtered via auth context.
src/app/api/v1/alerts/count/route.ts GET Alerts are user-scoped; port-filtered via auth context.
src/app/api/v1/alerts/route.ts GET Alerts are user-scoped; port-filtered via auth context.
src/app/api/v1/berth-reservations/[id]/route.ts PATCH TODO: PATCH should map to reservations:edit (not currently in catalog).
src/app/api/v1/currency/convert/route.ts POST Currency reference data; port-scoped, no PII.
src/app/api/v1/currency/rates/refresh/route.ts POST TODO: gate with admin:manage_settings — currently allow-listed.
src/app/api/v1/currency/rates/route.ts GET Currency reference data; port-scoped, no PII.
src/app/api/v1/custom-fields/[entityId]/route.ts GET TODO: needs custom_fields:* permission. PUT path internally validated.
src/app/api/v1/custom-fields/[entityId]/route.ts PUT TODO: needs custom_fields:* permission. PUT path internally validated.
src/app/api/v1/expenses/export/parent-company/route.ts POST Internally gated by isSuperAdmin inside the handler.
src/app/api/v1/me/route.ts GET Self-endpoint — auth is sufficient.
src/app/api/v1/me/route.ts PATCH Self-endpoint — auth is sufficient.
src/app/api/v1/notifications/[notificationId]/route.ts PATCH User-scoped notifications — caller is the resource owner.
src/app/api/v1/notifications/preferences/route.ts GET User-scoped notifications — caller is the resource owner.
src/app/api/v1/notifications/preferences/route.ts PUT User-scoped notifications — caller is the resource owner.
src/app/api/v1/notifications/read-all/route.ts POST User-scoped notifications — caller is the resource owner.
src/app/api/v1/notifications/route.ts GET User-scoped notifications — caller is the resource owner.
src/app/api/v1/notifications/unread-count/route.ts GET User-scoped notifications — caller is the resource owner.
src/app/api/v1/saved-views/[id]/route.ts PATCH User-self saved views — caller is the resource owner.
src/app/api/v1/saved-views/[id]/route.ts DELETE User-self saved views — caller is the resource owner.
src/app/api/v1/saved-views/route.ts GET User-self saved views — caller is the resource owner.
src/app/api/v1/saved-views/route.ts POST User-self saved views — caller is the resource owner.
src/app/api/v1/search/recent/route.ts GET Port-scoped search — results filtered by auth context (resources have own perms).
src/app/api/v1/search/route.ts GET Port-scoped search — results filtered by auth context (resources have own perms).
src/app/api/v1/settings/feature-flag/route.ts GET Public read of feature-flag bool — no PII; auth is sufficient.
src/app/api/v1/tags/options/route.ts GET Tags are cross-cutting reference data; port-scoped via auth.
src/app/api/v1/tags/route.ts GET Tags are cross-cutting reference data; port-scoped via auth.
src/app/api/v1/users/me/preferences/route.ts GET User-self preferences — caller is the resource owner.
src/app/api/v1/users/me/preferences/route.ts PATCH User-self preferences — caller is the resource owner.
Reference in New Issue View Git Blame Copy Permalink