VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/zddc/internal/handler
History
ZDDC bd219afeb7 feat(policy): config-edit is a standing permission, not elevation-gated 
Editing a .zddc you administer no longer requires toggling admin mode.
Elevation becomes purely additive — it only adds the WORM/destructive
overrides ("things you otherwise couldn't do"), never a prerequisite for
authority you already hold.

Mechanism: a new zddc.IsConfigEditor(chain, email) reports STANDING
config-edit authority — being a subtree admin (admins: cascade) OR holding
the `a` verb — without the elevation gate. InternalDecider.Allow grants
VerbA on that basis ABOVE the WORM clamp: config is not WORM-protected
data, and VerbA only ever authorises .zddc/.zddc.zip/role mutations, never
write/delete of records (those stay clamped + elevation-gated). The full
WORM/ACL bypass (IsActiveAdmin) is unchanged — still admins: + Elevated.

This flows for free to the client: EffectiveVerbsFromChainP loops
ActionAdmin through the decider, so /.profile/access + cap.has(node,'a')
light up the .zddc form editor with no client change, and ServeZddcFile
already gates raw .zddc reads on directory read ACL (config is visible).

A standing subtree admin can thus rewrite their subtree's policy
(admins:/ACL/roles) un-elevated — bounded to their scope (authority
cascades down only, never up), logged, and unable to touch WORM data or
secrets without elevating. That's "admin of X = owns X's policy."

Tests: new TestStandingConfigEdit (decider matrix incl. WORM-transcending
config-edit + data-write still gated); updated the old "un-elevated admin
cannot edit .zddc" invariants (TruthTable, ZddcPut/DeleteMatrix,
NoSilentBypass now scoped to WORM/out-of-scope, profile PathVerbs) to the
new model. Full suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 17:00:54 -05:00
..
accepthandler.go feat(server): flat top-level party peers + pure-WORM archive (impl) 2026-06-03 11:40:09 -05:00
accepthandler_test.go test(handler,cmd): update suites for flat-peer layout 2026-06-03 12:15:56 -05:00
admin_helpers.go chore: elevation slot in every tool + docs + helper file splits + smell cleanup 2026-05-14 12:15:41 -05:00
archivehandler.go feat(http): include missing_verb in ACL-deny 403 bodies 2026-05-21 08:14:49 -05:00
archivehandler_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
auth_invariants_test.go feat(policy): config-edit is a standing permission, not elevation-gated 2026-06-05 17:00:54 -05:00
authcheck.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
authcheck_test.go refactor: unified listing protocol + form-editor retirement + admin elevation 2026-05-14 12:15:07 -05:00
converthandler.go feat(editor): hint recognized front-matter fields via server placeholder 2026-06-05 08:23:25 -05:00
converthandler_test.go feat(editor): add revision/status/tracking_number FM hints + filename-mismatch warning 2026-06-05 08:34:28 -05:00
converttemplate.go feat(server): multi-template MD→HTML with .zddc.d/templates cascade 2026-06-04 14:18:40 -05:00
converttemplate_test.go feat(server): multi-template MD→HTML with .zddc.d/templates cascade 2026-06-04 14:18:40 -05:00
cors.go feat(server): authenticated CRUD + verb-based RBAC with WORM archive folders 2026-05-05 15:58:04 -05:00
cors_test.go feat(zddc-server): admin debug page + X-Auth-Request-Email default + hidden-segment guard 2026-04-28 14:02:06 -05:00
default-mdl.form.yaml refactor(records): converge all record-write paths on WriteWithHistory 2026-05-21 14:48:52 -05:00
default-mdl.table.yaml feat(records): simplest default tracking number + folder-bound originator 2026-05-21 14:31:49 -05:00
default-project-mdl.form.yaml feat(form): ui:mirrorFrom — reflect a sibling field into a read-only field 2026-05-21 15:44:43 -05:00
default-project-mdl.table.yaml feat(records): simplest default tracking number + folder-bound originator 2026-05-21 14:31:49 -05:00
default-project-rsk.form.yaml feat(form): ui:mirrorFrom — reflect a sibling field into a read-only field 2026-05-21 15:44:43 -05:00
default-project-rsk.table.yaml refactor: nest lifecycle slots per-party + add virtual top-level aggregators 2026-05-21 07:57:45 -05:00
default-rsk.form.yaml refactor(records): converge all record-write paths on WriteWithHistory 2026-05-21 14:48:52 -05:00
default-rsk.table.yaml feat: per-party RSK + project-level SSR/MDL/RSK rollup tables 2026-05-18 21:47:56 -05:00
default-ssr.form.yaml feat(forms): cascade-driven filename composition + audit on row create 2026-05-19 09:55:07 -05:00
default-ssr.table.yaml feat: per-party RSK + project-level SSR/MDL/RSK rollup tables 2026-05-18 21:47:56 -05:00
defaults_matrix_test.go feat(zddc): retire defaults.zddc.yaml; .zddc.zip is the policy carrier (phase 6) 2026-06-05 11:35:21 -05:00
directory.go feat(http): include missing_verb in ACL-deny 403 bodies 2026-05-21 08:14:49 -05:00
directory_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
errors.go feat(http): include missing_verb in ACL-deny 403 bodies 2026-05-21 08:14:49 -05:00
fileapi.go feat(zddc): retire defaults.zddc.yaml; .zddc.zip is the policy carrier (phase 6) 2026-06-05 11:35:21 -05:00
fileapi_test.go feat(server): admin folder move + recursive delete (file API) 2026-06-04 21:01:51 -05:00
formhandler.go feat(server): table/form specs resolve from .zddc.d/ + server-inject the table spec 2026-06-04 10:20:55 -05:00
formhandler_test.go test(handler,cmd): update suites for flat-peer layout 2026-06-03 12:15:56 -05:00
history.go refactor(history): store under .zddc.d/history/; drop .history carve-out + dead .devshell 2026-06-02 13:48:41 -05:00
history_test.go test(handler,cmd): update suites for flat-peer layout 2026-06-03 12:15:56 -05:00
logring.go feat(zddc-server): user profile page replaces /.admin/ 2026-04-29 16:32:02 -05:00
logring_test.go feat(zddc-server): admin debug page + X-Auth-Request-Email default + hidden-segment guard 2026-04-28 14:02:06 -05:00
mdhistory_test.go refactor(history): store under .zddc.d/history/; drop .history carve-out + dead .devshell 2026-06-02 13:48:41 -05:00
middleware.go feat(server): honor ?admin=true|false elevation on every endpoint 2026-06-04 13:13:30 -05:00
middleware_test.go feat(server): honor ?admin=true|false elevation on every endpoint 2026-06-04 13:13:30 -05:00
paths.go feat(server): collapse dot-guard into one admin-gated .zddc.d reserve 2026-06-03 13:23:00 -05:00
planreview.go feat(server): flat top-level party peers + pure-WORM archive (impl) 2026-06-03 11:40:09 -05:00
planreview_test.go test(handler,cmd): update suites for flat-peer layout 2026-06-03 12:15:56 -05:00
profile_assets.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
profilehandler.go perf(server): scope /.profile/access?path= to the requested location only 2026-06-01 13:23:22 -05:00
profilehandler_test.go feat(policy): config-edit is a standing permission, not elevation-gated 2026-06-05 17:00:54 -05:00
profilepage.go feat(profile): project-create — drop parent picker, add role groups, record creator 2026-06-05 08:55:55 -05:00
profileprojects.go fix(project-create): seed role membership only; grant team rwc on mdl/rsk 2026-06-05 09:29:34 -05:00
profileprojects_test.go fix(project-create): seed role membership only; grant team rwc on mdl/rsk 2026-06-05 09:29:34 -05:00
projecthandler.go refactor(zddc-server): demote routing-shape redirects from 301 to 302 2026-05-10 14:37:02 -05:00
projecthandler_test.go refactor(landing): project landing is now a single-file SPA, not server-rendered 2026-05-10 07:57:30 -05:00
projectshandler.go fix(policy): read-path ACL honors admin bypass via AllowFromChainP 2026-05-18 09:54:46 -05:00
schemahandler.go feat(zddc): .zddc JSON Schema (machine grammar) with structure/option tiers 2026-06-05 14:54:07 -05:00
sidecar.go feat(server): collapse dot-guard into one admin-gated .zddc.d reserve 2026-06-03 13:23:00 -05:00
singleflight.go feat(zddc): MD→{docx,html,pdf} server-side conversion via stock pandoc + chromium containers 2026-05-13 10:33:56 -05:00
ssrhandler.go feat(zddc): retire defaults.zddc.yaml; .zddc.zip is the policy carrier (phase 6) 2026-06-05 11:35:21 -05:00
ssrhandler_test.go test(handler,cmd): update suites for flat-peer layout 2026-06-03 12:15:56 -05:00
static.go Initial commit 2026-04-27 11:05:47 -05:00
subtreezip.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
subtreezip_test.go refactor: virtual file extensions for subtree zip + MD conversion 2026-05-14 12:23:37 -05:00
tablehandler.go feat(server): table/form specs resolve from .zddc.d/ + server-inject the table spec 2026-06-04 10:20:55 -05:00
tablehandler_test.go feat(server): table/form specs resolve from .zddc.d/ + server-inject the table spec 2026-06-04 10:20:55 -05:00
tables.html chore(embedded): cut v0.0.27-beta 2026-06-05 07:41:23 -05:00
tokenhandler.go feat(server): self-issued bearer tokens + --no-auth flag 2026-05-08 07:40:28 -05:00
tokenhandler_test.go feat(server): self-issued bearer tokens + --no-auth flag 2026-05-08 07:40:28 -05:00
virtualviewhandler.go feat(server): flat top-level party peers + pure-WORM archive (impl) 2026-06-03 11:40:09 -05:00
wormbypass_test.go test(handler,cmd): update suites for flat-peer layout 2026-06-03 12:15:56 -05:00
zddcfile.go feat(zddc): retire defaults.zddc.yaml; .zddc.zip is the policy carrier (phase 6) 2026-06-05 11:35:21 -05:00
zddcfile_test.go feat(zddc): retire defaults.zddc.yaml; .zddc.zip is the policy carrier (phase 6) 2026-06-05 11:35:21 -05:00
ziphandler.go feat(zddc): serve a .zip as a virtual directory (zipfs + dispatch intercept) 2026-05-12 12:17:47 -05:00
ziphandler_test.go feat(zddc): serve a .zip as a virtual directory (zipfs + dispatch intercept) 2026-05-12 12:17:47 -05:00
zipwrite.go feat(server): edit-in-place for the .zddc.zip config bundle, with in-zip history 2026-06-05 14:28:06 -05:00
zipwrite_rt_test.go feat(server): edit-in-place for the .zddc.zip config bundle, with in-zip history 2026-06-05 14:28:06 -05:00