TODO / Backlog (AuthZ, Roles, and Related Surfaces)

Note: The refactoring tasks related to service boundaries and communication patterns are guided by the principles outlined in ADR-0008: Modular, Event-Driven Service Architecture.

Keep this list updated as work lands or dependencies unblock. Intended for any dev to pick up when ready.

Pending capability wiring (blocked on missing handlers/surfaces)

  • Media: Cap media.manage is seeded and mapped to Owner/Global Admin/Org Admin. Wire Require(media.manage) on media asset/variant handlers once those endpoints exist; add 401/403/200 smokes (unauthenticated, authenticated-but-lacking-cap, authorised) and a small Go integration test.
  • Glossary: Cap glossary.manage is seeded. Guard glossary term/alias/override endpoints when they ship; add smokes/Go tests.
  • Locales: Cap locales.manage is seeded. Guard any locale management routes when added; add smokes/Go tests.

Reporting/Results tightening (needs reporting APIs)

  • Apply reporting.view / reporting.view_named to reporting endpoints (beyond existing submissions.view) when reporting surfaces are implemented; add smokes for 401/403/200.
  • Remediation Phase 3 (deferred): impact preview (who passes/fails), approvals/dual control, intervention workflows, batch creation helpers (tag-based/bulk). Phase 1–2 backend foundations (batches with lifecycle, history-based revert, list/detail/apply/revert API) are done.
  • Outcomes boundary:
    • Implement outcomes.ScoringEngine for delivery submissions and wire ResultsService to depend on it.
    • Implement outcomes.ProgressTracker to replace direct programme progress updates; emit updates from score changes/remediation apply.
    • Add unit tests around these interfaces before swapping handlers/services over.

Session issuance alignment

  • Current scripts mint sessions with explicit roleIds. When an auth flow issues sessions based on stored user→role bindings, switch scripts/tests to that path and add an auth integration test proving caps resolve from DB roles.

Documentation upkeep

  • Update docs/security/roles-and-access-control.md route→cap matrix as new guarded routes (media/glossary/locales/reporting) land.

Notes

  • Capability seeds and default role mappings already include media.manage, glossary.manage, locales.manage. Debug routes are gated by roles.read; internal test-email requires reporting.view_named.
  • Org-scoped role bindings and org-aware capability resolution are in place. Use the existing pattern (Require, auth_env.sh, .dev/jwt-secret) when adding new smokes/tests.
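The Require guard and the 401/403/200 smoke matrix called for in the pending capability wiring above, together with org-aware capability resolution from stored user→role bindings from these notes, as one added Go example. This is illustration code, not the project's own Require, auth_env.sh or JWT session path: the header-based authenticate stub, the in-memory roleBindings/roleCaps tables, the "*" global scope marker, the /api/v1/media/assets route and the Smoke helper are all assumptions; the capability and role names are the ones this page lists.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Principal is the authenticated caller as the guard sees it (assumed shape).
type Principal struct {
	UserID string
	OrgID  string
}

// roleBindings: user -> org scope -> roles. "*" is an assumed marker for a
// global (non-org-scoped) binding. Constructed sample data.
var roleBindings = map[string]map[string][]string{
	"u-owner":    {"*": {"owner"}},
	"u-orgadmin": {"org-1": {"org_admin"}},
	"u-learner":  {"org-1": {"learner"}},
}

// roleCaps: role -> capabilities. Mirrors the page's seeded defaults for
// media/glossary/locales; the remaining entries are constructed.
var roleCaps = map[string][]string{
	"owner":        {"media.manage", "glossary.manage", "locales.manage", "roles.read"},
	"global_admin": {"media.manage", "glossary.manage", "locales.manage", "roles.read"},
	"org_admin":    {"media.manage", "glossary.manage", "locales.manage"},
	"learner":      {},
}

// ResolveCaps computes the capability set a user holds in a given org from
// stored bindings: global bindings always apply, org bindings only for that org.
func ResolveCaps(userID, orgID string) map[string]bool {
	caps := map[string]bool{}
	for scope, roles := range roleBindings[userID] {
		if scope != "*" && scope != orgID {
			continue // binding belongs to a different org
		}
		for _, role := range roles {
			for _, c := range roleCaps[role] {
				caps[c] = true
			}
		}
	}
	return caps
}

// authenticate is a stand-in for session validation (assumption): it trusts
// X-User-ID / X-Org-ID headers. A real deployment verifies a signed session.
func authenticate(r *http.Request) (Principal, bool) {
	uid := r.Header.Get("X-User-ID")
	if uid == "" {
		return Principal{}, false
	}
	return Principal{UserID: uid, OrgID: r.Header.Get("X-Org-ID")}, true
}

// Require gates h on a capability: 401 when there is no principal at all,
// 403 when the principal exists but lacks the cap in the requested org.
func Require(capName string, h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !ResolveCaps(p.UserID, p.OrgID)[capName] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// MediaAssetHandler is a placeholder media endpoint guarded by media.manage.
func MediaAssetHandler() http.Handler {
	return Require("media.manage", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
}

// Smoke issues one request as the given user/org and returns the status code,
// which is what a 401/403/200 smoke matrix asserts on.
func Smoke(h http.Handler, userID, orgID string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/v1/media/assets", nil)
	if userID != "" {
		req.Header.Set("X-User-ID", userID)
	}
	if orgID != "" {
		req.Header.Set("X-Org-ID", orgID)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := MediaAssetHandler()
	fmt.Println("anon:", Smoke(h, "", ""))                 // 401
	fmt.Println("learner org-1:", Smoke(h, "u-learner", "org-1")) // 403
	fmt.Println("org admin org-1:", Smoke(h, "u-orgadmin", "org-1")) // 200
	fmt.Println("org admin org-2:", Smoke(h, "u-orgadmin", "org-2")) // 403
	fmt.Println("owner org-2:", Smoke(h, "u-owner", "org-2")) // 200
}
```

The org-2 cases are the ones worth keeping in the smokes: an org admin's binding must not leak into another org, while a global (owner) binding must resolve everywhere. Keeping the 401-before-403 ordering in Require is what lets the smoke matrix distinguish "no session" from "wrong role" without inspecting bodies.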

Compliance Centre follow-ups

  • Retention/Anonymisation engine: policy storage and worker now cover anonymize_user + evidence_delete + telemetry_delete with blocked/partial receipts and required policies. Next: extend to future domains (observation/proctoring/media-first) when those modules land; keep idempotency/“emit once” constraints as new domains are added.
  • Restrict processing (legal hold): handler/worker emit receipts and block forget/retention; broaden enforcement coverage and add more negative-path tests.
  • Audit taxonomy coverage: extend compliance ledger/audit hooks to all high-stakes events (remediation apply/revert, assignment creation/redeem, certificate issuance, evidence scrubs); align with compliance-ledger-taxonomy.md.
  • Handler authz matrix: /api/v1/compliance/* routes are now documented in OpenAPI with DTOs; caps enforced with 401/403/200 smokes. Keep matrix/docs in sync as new surfaces appear.