Commit 233a2cc
spec(security): RBAC runtime enforcement specification (#1640)
## Summary
- Adds `specs/security/rbac-enforcement.spec.md` — defines how the
ambient-api-server enforces scope-aware authorization at runtime
- Bridges the gap between the existing RBAC data model (roles, bindings,
permissions) and actual access control
- 10 requirements with concrete Given/When/Then scenarios covering:
scope-aware evaluation, list filtering, bootstrap, credential
self-service, admin seeding, RoleBinding mutation guards, gRPC parity,
service caller bypass, integration testing, and production rollout
## Key design decisions
- **Bootstrap via project creation** — `POST /projects` is auth-exempt;
auto-creates `project:owner` binding atomically
- **User auto-provisioned from JWT** — no explicit registration, no
permissions granted
- **Credential self-service** — `POST /credentials` auth-exempt; binding
to projects requires `project:owner`
- **Scope-aware enforcement** — a binding for Project A cannot access
Project B
- **List endpoints return filtered results, not 403** — empty list for
zero access (matches K8s behavior)
- **Escalation prevention** — editors cannot grant owner; last-owner
deletion returns 409
- **Admin seeded via CLI** — breaks the chicken-and-egg bootstrap
problem
- **Rollout gated behind config flag** — no big-bang cutover
## Test plan
- [ ] Spec reviewed for format compliance against `specs/index.spec.md`
- [ ] Cross-referenced against existing specs: `ambient-model.spec.md`,
`security.spec.md`, `sso-authentication.spec.md`
- [ ] No terminology collisions with Ambient domain model
- [ ] No implementation details in spec (no function names, file paths,
pseudocode)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>1 parent 1b01260 commit 233a2cc
1 file changed
Lines changed: 597 additions & 0 deletions
0 commit comments