docs(security): document AdminUI policy tiers (ConfigEditor/AuthenticatedRead) + R2-05 status
This commit is contained in:
@@ -150,3 +150,9 @@ surface), 03/S2/S3 block-bridging, 03/P1 surgical adds (guard prerequisite in pl
|
||||
per-plan task counts, effort, and suggested execution order: [`00-INDEX.md`](00-INDEX.md) §"Round 2
|
||||
plans". 193 bite-sized TDD tasks total, ~18–24 dev-days end-to-end; R2-01/02/03 (the re-review's
|
||||
new-and-sharp items) are ~2 days combined.
|
||||
|
||||
### Round-2 remediation — in progress
|
||||
|
||||
| Plan | Finding | Status | Branch @ commit | Notes |
|
||||
|---|---|---|---|---|
|
||||
| **R2-05 — AdminUI authorization** | 04/C-1 (High) | ✅ code-complete (offline); live pass deferred | `r2/05-adminui-authz` | One authz idiom: all 38 routable pages carry an explicit named-policy `@attribute` via new `AdminUiPolicies` constants (`Security/Auth/`). New `ConfigEditor` (Administrator+Designer) gates the 20-page config-authoring surface incl. the 8 driver pages that author live `ResilienceConfig` + `/api/script-analysis/*`; new `AuthenticatedRead` on the 16 read pages; `FleetAdmin`/`DriverOperator` unchanged (literals→constants). Anti-drift guard `PageAuthorizationGuardTests` (bans bare `[Authorize]`/`Roles=`/unknown-policy/unclassified) + `AdminUiPoliciesTests` semantics matrix. **Verification corrections folded in:** Reservations + ClusterRedundancy are read-only (→`AuthenticatedRead`, not `ConfigEditor`); Home carried no attribute at all (now `AuthenticatedRead`). Live `/run` positive pass deferred — docker-dev `DisableLogin=true` auto-authenticates as full-access admin, so it can only regression-check over-gating, not observe deny; the negative proof is CI-side (both guard tests). |
|
||||
|
||||
Reference in New Issue
Block a user