docs(plans): accept granular RBAC plan

[mcharles-square]

Summary

Adds the technical design for moving Proto Fleet from the current SUPER_ADMIN / ADMIN / RequireAdmin gate to a granular permission model with scoped role assignments, editable built-in roles, and per-org custom roles. Status: accepted — implementation will follow in subsequent PRs per the plan's own PR sequencing.

Key decisions baked in

• Three seeded roles. SUPER_ADMIN is immutable; ADMIN and FIELD_TECH are editable by SUPER_ADMIN but cannot be deleted. Two distinct error codes (BUILTIN_ROLE_IMMUTABLE vs BUILTIN_ROLE_NON_DELETABLE) so the UI can render the right copy.
• Permission catalog. Resource:action pairs (miner:reboot, rack:manage, fleet:read, etc.) with a read-pairing rule enforced at role save — any action permission requires its matching read partner.
• Scope semantics: narrowing (intersection-on-overlap). A site-scoped assignment overrides the org-scoped grant at that site; the org grant still applies everywhere else. This lets admins add a smaller site-scoped role to narrow a user without first removing their org assignment.
• Filter-don't-reject list semantics. A user with site-scoped fleet:read gets a filtered list, not a 403.
• Route-guard parity. Every primary-nav entry has a permission predicate; the nav hides AND the route redirects when the predicate is false. The administrative set {user:manage, role:manage, site:manage, apikey:manage, serverlog:read} defines Settings visibility. A <NoAccess> terminal page handles users with no available primary nav.
• Additive-only startup reconciliation for ADMIN / FIELD_TECH so operator edits survive upgrades; SUPER_ADMIN is fully reconciled to AllPermissions() on every boot.
• FIELD_TECH seed includes rack:read / rack:manage so field techs can organize the physical layout at their assigned sites.

Out of scope (deferred follow-ups)

• Building-level scope (only org + site for v1).
• Per-key API permission declarations / snapshot-at-issue.
• Audit-log table as a product surface.
• Deny rules / ABAC.

Implementation PR sequence

The plan calls out four PRs: foundation (schema + sqlc + proto + seed + backfill), security-critical (resolver + middleware + handler swap), role-management surface (RPC + admin UI), and E2E + contract tests. Each is independently shippable — the existing RequireAdmin keeps working until the security-critical PR lands the swap.

Test plan

• Plan file passes lefthook pre-commit hooks (markdown only).
• Reviewers confirm the decisions section, scope boundaries, and PR sequence match the team's intent before PR 1 starts.

[github-actions]

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

• Reviewed pull request diff only (254400167beb58371bcc5fe1172a47be1ca910a6...bac7657cbbe20a2a5edcb3678813605e351aa042, exact PR three-dot diff)
• Model: gpt-5.5

💡 Click "edited" above to see previous reviews for this PR.

---

Review Summary

Overall Risk: HIGH

Findings

[HIGH] Assignment Schema Does Not Enforce Org Ownership for Roles or Targets

• Category: Auth | SQLi/Database
• Location: docs/plans/2026-05-19-001-feat-granular-rbac-plan.md:538
• Description: user_organization_role.role_id references only role(id), while roles are supposed to be org-owned. The plan also has role/assignment RPCs taking bare role_id, assignment_id, and user_id, but the safety rules only call out scope validation, not role ownership, assignment ownership, or target-user membership validation.
• Impact: A bug in AssignRole, UpdateCustomRole, DeleteCustomRole, or UnassignRole could let one org use or mutate another org’s role/assignment by ID. This undermines the per-org RBAC boundary.
• Recommendation: Make role.organization_id non-null after backfill, add a composite FK from (role_id, organization_id) to role(id, organization_id), add membership enforcement for (user_id, organization_id), and require all role/assignment/user lookups to include session.Info.OrganizationID.

[HIGH] Resolver “First Match” Algorithm Can Bypass Site-Scoped Narrowing

• Category: Auth
• Location: docs/plans/2026-05-19-001-feat-granular-rbac-plan.md:902
• Description: The plan says Has returns true on the first assignment whose scope contains the resource scope. That conflicts with the chosen “site assignment overrides org assignment at that site” semantics.
• Impact: If an org-scoped ADMIN grant is evaluated before a narrower site-scoped FIELD_TECH grant, sensitive actions like miner:reboot, miner:update_pools, or firmware updates may be allowed at a site where the admin explicitly tried to narrow access.
• Recommendation: Implement Has as order-independent precedence: collect matching assignments, choose the narrowest applicable scope first, then allow if any role in that chosen scope has the permission. Add tests proving assignment order cannot change the result.

[HIGH] Planned U5 Migration Breaks the Staged Rollout

• Category: Reliability | SQLi/Database
• Location: docs/plans/2026-05-19-001-feat-granular-rbac-plan.md:839
• Description: U5 renames user_organization.role_id and installs a trigger that rejects writes, but the delivery plan says U1-U5 land first with “no behavior change.” Current auth/session/user-management code still depends on user_organization.role_id until later units.
• Impact: Applying the migration before all readers/writers are moved will break login role lookup, user creation, and existing sqlc queries, causing an outage rather than a safe soak.
• Recommendation: Keep the legacy column usable during the dual-write period, migrate all readers/writers in the same release before renaming, or provide a compatibility layer. Only add the “fail loudly” trigger after CI and runtime code no longer reference the legacy column.

[MEDIUM] Built-In Role UI Contradicts Editable ADMIN/FIELD_TECH Design

• Category: Frontend | Auth
• Location: docs/plans/2026-05-19-001-feat-granular-rbac-plan.md:1463
• Description: The plan repeatedly states ADMIN and FIELD_TECH are editable per org, but U11 specifies built-in roles are read-only in the RoleEditor and replace Save with Close.
• Impact: Operators cannot use the supported UI to remove sensitive permissions such as miner:update_pools or miner:firmware_update from ADMIN, or add expected remediation actions to FIELD_TECH.
• Recommendation: Make only SUPER_ADMIN read-only. ADMIN and FIELD_TECH should be editable but non-deletable, with clear warning copy and tests covering both built-in update flows.

Notes

This diff only adds an accepted planning document; no runtime code, migrations, generated protobufs, or frontend implementation changed yet. I did not find hardcoded pool, wallet, payout, or stratum addresses in the reviewed diff.

---

_{Generated by Codex Security Review |
Triggered by: @mcharles-square |
Review workflow run}

[Copilot]

Pull request overview

Adds an accepted technical design plan for evolving Proto Fleet authorization from the current coarse SUPER_ADMIN/ADMIN gate (RequireAdmin) to a granular, scoped permission model with role assignments, seeded built-in roles, and custom roles.

Changes:

• Introduces a comprehensive RBAC design document covering schema, resolver/middleware flow, permission catalog, and rollout sequencing.
• Specifies key security behaviors (fail-closed enforcement, cross-org IDOR checks, privilege-parity rules) and test strategy (unit + contract + E2E).