When a user lacks permission, the app should (a) not let them do data entry it
will reject and (b) subtly say who can. General mechanism + the key gates.
Server — compute & expose "who can <verb> here":
- zddc.WhoCan(chain, verb) → Authority{Roles, People}: the acl.permissions
grantees holding the verb across the cascade (roles + their members) plus the
admins (who bypass). New whocan.go + whocan_test.go.
- AccessView gains path_who_can (profilehandler.go), populated only for verbs the
caller LACKS and only when they can read the path (mirrors .zddc readability),
so one cap.at() answers "can I?" and "if not, who?".
- writeForbiddenWho enriches the 403 body with who_can for the missing verb
(errors.go); authorizeAction uses it (fileapi.go) as the safety net for denials
that weren't pre-checked.
Shared — shared/cap.js:
- cap.whoCan(view, verb) + cap.denyHint(view, verb) → {text, title}, role-first
("Only the document controller can create here") with the people in the tooltip.
- handleForbidden appends the hint (from the 403 body, else the cached view), so
every tool that already routes 403s through it (form save, tables save, browse)
now explains who can — for free.
Key gates:
- Browse party-create (the reported bug): pre-check create authority on ssr/ and
the slot BEFORE opening the picker — if the user can do neither, show the hint
instead of the form; if only existing parties are usable, disable "+ New party"
with the who-can hint. The post-hoc 403 catch now names who can too.
- Tables +Add row disabled state shows the who-can hint.
Plus: subtle /_apps/{browse,archive,classifier}.html links in the landing footer.
Tests: Go WhoCan unit test (role/person split, admin bypass, dedupe); cap.spec.js
(denyHint role-first/people/fallback, whoCan, handleForbidden enrichment) — 5
green; Go handler+zddc+policy suites green. (Pre-existing stale browse toolbar
test browse.spec.js:274 unaffected.)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

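Added example, not code from the project or from these commits: a Go sketch of the WhoCan / denyHint behaviour the commit above and its tests describe (role/person split, role expansion, admin bypass, dedupe, role-first hint with a people fallback). The ACL shape, the "role:" grantee prefix and the helper names are assumptions.

```go
package main

import "strings"

// ACL is an assumed, simplified .zddc permissions shape, not the project's type.
type ACL struct {
	Permissions map[string][]string // verb -> grantees: "role:<name>" or a person id
	Admins      []string            // admins bypass every verb
}
type Authority struct{ Roles, People []string } // the commit's Authority{Roles, People}
// add appends v unless already present: the dedupe, keeping cascade order.
func add(list []string, v string) []string {
	for _, x := range list {
		if x == v {
			return list
		}
	}
	return append(list, v)
}
// WhoCan walks the cascade root-first: verb grantees split into roles and people,
// roles expanded to their members, plus the admins, who bypass the check.
func WhoCan(chain []ACL, roleMembers map[string][]string, verb string) (a Authority) {
	for _, acl := range chain {
		for _, g := range acl.Permissions[verb] {
			if r := strings.TrimPrefix(g, "role:"); r != g {
				a.Roles = add(a.Roles, r)
				for _, m := range roleMembers[r] {
					a.People = add(a.People, m)
				}
			} else {
				a.People = add(a.People, g)
			}
		}
		for _, adm := range acl.Admins {
			a.People = add(a.People, adm)
		}
	}
	return a
}

// DenyHint: role-first, then people, then a fallback, as cap.denyHint is described.
func DenyHint(a Authority, verb string) string {
	if len(a.Roles) > 0 {
		return "Only the " + strings.Join(a.Roles, " or ") + " can " + verb + " here"
	}
	if len(a.People) > 0 {
		return "Only " + strings.Join(a.People, ", ") + " can " + verb + " here"
	}
	return "Nobody can " + verb + " here"
}
```

The people list is what the tooltip would carry; the text itself stays role-first.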
Two UI fixes:
- "By existing" catalog columns were far too wide. The seltable forced the
table to width:100% (auto-layout then stretches columns) and — in the
classifier's copy — the per-column filter <input>s had no styling, so each
fell back to its ~170px intrinsic width and dictated the column width. Set
the table to width:auto (cells are already nowrap → fit header/longest cell)
and style .seltable__colfilter to fill its column (min-width:2rem,
box-sizing:border-box) so the inputs never widen a column. Applied to both
the classifier copy and shared/seltable.css (same fix for the tables tool's
"Add from archive" table).
- The left Folder Tree rendered folders and files in raw scan order. Sort both
at render — case-insensitive, natural (so "Rev 2" precedes "Rev 10") — via a
non-mutating slice().sort() at each render point in tree.js.
Tests: a new spec asserts the natural/case-insensitive tree order; 62 classify
+ classifier green (108 across classify/classifier/tables/tables-mdl).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The MDL owns the workflow of registering deliverables; this is the
catch-up path for files that already exist in the archive but were never
listed. On the project MDL rollup (<project>/mdl/, addable:false), a new
"+ From archive" toolbar button opens an overlay that walks the project
archive into the shared seltable (per-column autofilter + ctrl-shift
selection), dedupes the selection to one deliverable per tracking number,
and PUTs a deliverable .yaml into each originator's archive/<originator>/
mdl/. Identity fields are split positionally from the tracking number per
the project's own table columns (originator is folder-pinned, so omitted
from the body); the server composes/validates the filename. Existing
deliverables are skipped; created/skipped/failed are reported.
- tables/js/mdl-from-archive.js: walkArchive / dedupe / deliverableFromFile
/ instantiateOne + the overlay UI; setup() shows the button only on an
/mdl/ rollup over http, gated on archive create permission.
- shared/seltable.css: promoted seltable base styles + per-column filter
row + the overlay chrome (bundled into tables; classifier keeps its
inline copy).
- main.js wires setup(ctx); template.html adds the (hidden) button;
build.sh bundles ../shared/seltable.{js,css} + the new module.
- tests/tables-mdl.spec.js (new project): split/dedupe/walk/instantiate
against in-page mock FS handles; 7 green. tables suite still 47 green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Move classifier/js/seltable.js → shared/seltable.js so both the classifier and
the tables tool can use it (the MDL realignment splits work across both). Adds
per-column autofilter inputs (one per column, AND-combined) on top of the
programmatic global filter; selection + select-filtered + ctrl-Enter unchanged.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>