ZDDC/zddc/internal/zddc
ZDDC 736f422f82 fix(roles): restate document_controller at project_team slot grants
DCs are typically internal employees and ARE in project_team (when
project_team is the realistic *@example.com wildcard). The cascade's
"deepest level that has any matching principal wins" semantic means
a project_team:cr grant at the slot level would shadow the DC's
party-level rwcda — leaving DCs limited to project_team's grant.

Fix: at every slot with a project_team-specific grant, restate
document_controller's role grant. The within-level union of all
matched principals then gives the DC rwcda ∪ cr = rwcda. No cascade
semantics change; just verbose defaults.

  working/   project_team: cr, document_controller: rwcda  (new DC line)
  staging/   project_team: cr, document_controller: rwcda  (upgraded from rwcd —
                                                            adds `a` for
                                                            Plan Review's
                                                            staging/<tracking>/.zddc)
  reviewing/ project_team: cr, document_controller: rwcda  (new DC line)

Test fixture flipped from disjoint-role members to the realistic
project_team: ["*@example.com"]; verifies DC's rwcda survives the
wildcard via within-level union at each slot.

Docs updated:
  - AGENTS.md "Standard roles": describes the role-restate pattern
    + flags the internal-observer-via-wildcard caveat (operators
    needing internal observers should avoid the *@ wildcard for
    project_team).
  - ARCHITECTURE.md "Standard roles": same model description; drops
    the now-incorrect "subtree-admin of every archive/<party>/"
    line, replaces with the auto_own_roles role grant.
  - planreview_test.go fixture comment: reflects that the test
    uses root-admin to bypass ACLs, with non-root-admin DC path
    covered by standardroles tests' auto-own .zddc simulation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 11:03:42 -05:00
acl.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
acl_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
admin.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
admin_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
cascade.go feat(zddcfile): ?effective=1 composed-cascade inspection query 2026-05-21 09:39:29 -05:00
cascade_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
defaults.go feat(zddc): Phase 1 — embedded defaults.zddc + inherit + show-defaults 2026-05-11 14:46:51 -05:00
defaults.zddc.yaml fix(roles): restate document_controller at project_team slot grants 2026-05-21 11:03:42 -05:00
defaults_test.go feat(zddc): Phase 1 — embedded defaults.zddc + inherit + show-defaults 2026-05-11 14:46:51 -05:00
ensure.go feat(roles): in-flight ratchet + auto_own_roles, drop DC subtree-admin 2026-05-21 10:51:07 -05:00
ensure_test.go refactor: nest lifecycle slots per-party + add virtual top-level aggregators 2026-05-21 07:57:45 -05:00
field_codes.go feat(zddc-server): server-stamped audit + history for record YAMLs 2026-05-19 09:48:58 -05:00
file.go feat(roles): in-flight ratchet + auto_own_roles, drop DC subtree-admin 2026-05-21 10:51:07 -05:00
file_test.go feat(zddc): inherit:false fence + strict-mode refusal 2026-05-07 10:59:20 -05:00
folder.go feat(zddc): MD→{docx,html,pdf} server-side conversion via stock pandoc + chromium containers 2026-05-13 10:33:56 -05:00
folder_test.go feat(zddc): add ParseTransmittalFolder + IsTrnOrSubTracking helpers 2026-05-07 09:14:19 -05:00
inherit_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
lookups.go feat(roles): in-flight ratchet + auto_own_roles, drop DC subtree-admin 2026-05-21 10:51:07 -05:00
lookups_test.go refactor: nest lifecycle slots per-party + add virtual top-level aggregators 2026-05-21 07:57:45 -05:00
roles.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
roles_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
scan.go feat: lockstep release infra + cascade/.archive fixes + profile perf + page redesign 2026-05-01 20:11:38 -05:00
scan_test.go feat: lockstep release infra + cascade/.archive fixes + profile perf + page redesign 2026-05-01 20:11:38 -05:00
special.go feat(roles): in-flight ratchet + auto_own_roles, drop DC subtree-admin 2026-05-21 10:51:07 -05:00
special_test.go chore(zddc): migrate mkdir auto-own hook to the cascade, drop dead predicates 2026-05-12 10:42:49 -05:00
standardroles_test.go fix(roles): restate document_controller at project_team slot grants 2026-05-21 11:03:42 -05:00
validate.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
validate_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
virtualreceived.go refactor: nest lifecycle slots per-party + add virtual top-level aggregators 2026-05-21 07:57:45 -05:00
virtualviews.go refactor: nest lifecycle slots per-party + add virtual top-level aggregators 2026-05-21 07:57:45 -05:00
virtualviews_test.go refactor: nest lifecycle slots per-party + add virtual top-level aggregators 2026-05-21 07:57:45 -05:00
walker.go feat(roles): in-flight ratchet + auto_own_roles, drop DC subtree-admin 2026-05-21 10:51:07 -05:00
walker_test.go feat(zddc): Phase 2 — paths: walker, recursive cascade 2026-05-11 14:55:12 -05:00
worm.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
worm_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00
writer.go feat: form-data system v0 (sixth tool + zddc-server endpoints) 2026-05-02 20:12:16 -05:00
writer_test.go refactor(audit): pre-release cleanup pass 2026-05-18 16:28:07 -05:00