Add REST policy attributes and ACL name normalization

Author: jturbide

CHANGELOG.md

@@ -15,10 +15,22 @@ history, the old changelog, and committed file changes. Older Zemit-era entries
 are summarized where the commit history is too granular to be useful as
 release notes.
 
-## 3.1.0 - Unreleased
+## 3.1.0 - 2026-06-11
 
 ### Added
 
+- Added controller/action policy attributes for REST permission declarations:
+  `AllowRoles`, `PermissionFeature`, and `AttachBehavior`. Attributes compile into
+  the existing permission config shape, support direct roles and feature-based
+  grants, and can attach action-scoped controller behaviors.
+- Added shared permission-name normalization so ACL checks accept camelCase and
+  dash-case action names while recommending dash-case as the canonical route and
+  permission key. Dispatcher security also accepts route-style controller aliases
+  while continuing to prefer controller class names.
+- Added the env-backed `acl.attributes` config switch (`ACL_ATTRIBUTES`). It
+  defaults to enabled so controller attributes work out of the box; config-only
+  applications can set it to `false` to skip controller reflection during
+  permission and behavior checks.
 - Added array-friendly REST/query policy setters and merge helpers. Controllers
   can now pass plain arrays to field, condition, join, eager-loading, count,
   distinct, cache, bind, group, having, column, order, and find policy methods;

ROADMAP.md

@@ -32,7 +32,8 @@ guidance in the relevant guide or shipped skill reference.
 
 ## Current Focus
 
-Target: `3.1.0` REST API ergonomics and scaffold readiness
+Target: `3.1.0` REST API ergonomics, controller policy attributes, and scaffold
+readiness
 
 Theme: keep REST controller declarations concise and predictable, then continue
 the scaffold work with a clear generated-file ownership contract.
@@ -44,6 +45,9 @@ Decision:
 - REST policy declaration ergonomics start the `3.1.0` development line:
   collection-backed setters should accept arrays while storing normalized
   collections internally.
+- Controller/action policy declarations can live beside controller code through
+  optional attributes, while the runtime still compiles them into the existing
+  permission config and ACL enforcement path.
 - The next schedulable block is REST controller scaffold readiness. Start with
   generated-file ownership before adding public scaffolding behavior.
 

guides/configuration.md

@@ -287,5 +287,16 @@ query behaviors, and roles.
 The identity/security system can enforce permissions across controllers,
 actions, models, methods, CLI tasks, and WebSocket tasks.
 
+Controller/action attributes are enabled by default and are merged into the same
+permission graph at runtime. Disable attribute scanning for config-only
+applications that want to avoid controller reflection. The default bootstrap
+config reads `ACL_ATTRIBUTES`:
+
+```php
+'acl' => [
+    'attributes' => Env::get('ACL_ATTRIBUTES', true),
+],
+```
+
 For row-level controller conditions and role inheritance, read
 [Identity And Permissions](identity-and-permissions.md).

guides/first-rest-resource.md

@@ -229,6 +229,54 @@ Feature permissions live in config:
 The config says which components a role can use. The controller's permission
 conditions decide which rows that role can access.
 
+The same controller actions can also be declared with attributes while keeping
+role assignment in config:
+
+```php
+use PhalconKit\Mvc\Controller\Attributes\PermissionFeature;
+
+#[PermissionFeature('manageProject', actions: '*')]
+#[PermissionFeature('viewProject', actions: [
+    'find',
+    'find-with',
+    'find-first',
+    'find-first-with',
+])]
+final class ProjectController extends AbstractController
+{
+}
+```
+
+With that style, the config only needs to assign features to roles and keep
+model-level permissions:
+
+```php
+'permissions' => [
+    'features' => [
+        'manageProject' => [
+            'components' => [
+                \App\Models\Project::class => ['*'],
+                \App\Models\ProjectUser::class => ['*'],
+            ],
+        ],
+        'viewProject' => [
+            'components' => [
+                \App\Models\Project::class => ['find'],
+                \App\Models\ProjectUser::class => ['find'],
+            ],
+        ],
+    ],
+    'roles' => [
+        'admin' => [
+            'features' => ['manageProject'],
+        ],
+        'researcher' => [
+            'features' => ['viewProject'],
+        ],
+    ],
+],
+```
+
 ## 6. Call The Resource
 
 Exact URLs depend on your route config. With the default module route shape,

guides/identity-and-permissions.md

@@ -92,6 +92,227 @@ controller behaviors. Roles receive features.
 Components can be controllers, controller actions, models, model methods, CLI
 tasks, or WebSocket tasks.
 
+Use controller class names as the canonical component key. Route-style
+controller aliases such as `project-user` are accepted during dispatcher
+security checks for compatibility, but class constants are easier to refactor.
+
+Use dash-case for action keys because these names match URLs:
+
+```php
+\App\Modules\Api\Controllers\ProjectController::class => [
+    'find',
+    'find-with',
+    'archive-project',
+],
+```
+
+Existing camelCase action config remains valid. PhalconKit normalizes dispatcher
+actions and ACL registrations so `findWith` and `find-with` refer to the same
+permission action. New docs and generated examples should prefer dash-case.
+
+## Controller Attributes
+
+Controllers may declare permissions with PHP attributes. Attributes are additive:
+they compile into the same `permissions` structure shown above, so existing
+config-driven features, roles, and inheritance remain valid.
+
+```php
+use Phalcon\Http\ResponseInterface;
+use PhalconKit\Mvc\Controller\Attributes\AllowRoles;
+use PhalconKit\Mvc\Controller\Attributes\AttachBehavior;
+use PhalconKit\Mvc\Controller\Attributes\PermissionFeature;
+use PhalconKit\Mvc\Controller\Behavior\Query\Conditions\RemoveDefaultPermissionCondition;
+
+#[PermissionFeature('project.view', actions: ['find', 'find-with'])]
+#[AllowRoles('admin', actions: '*')]
+final class ProjectController extends AbstractController
+{
+    #[PermissionFeature('project.write')]
+    #[AllowRoles(['admin', 'manager'])]
+    #[AttachBehavior(RemoveDefaultPermissionCondition::class, roles: 'admin')]
+    public function archiveProjectAction(): ResponseInterface
+    {
+        // ...
+    }
+}
+```
+
+Method-level attributes without `actions` use the method name after removing the
+`Action` suffix. In the example above, `archiveProjectAction()` maps to
+`archive-project`. Class-level attributes without `actions` apply to `*`.
+
+`PermissionFeature` declares which actions belong to a feature; roles still
+receive that feature through config:
+
+```php
+'permissions' => [
+    'roles' => [
+        'manager' => [
+            'features' => ['project.write'],
+        ],
+    ],
+],
+```
+
+`AllowRoles` grants controller actions directly to roles when a small app or a
+local workflow does not need a reusable feature. `AttachBehavior` can target
+roles, features, or both. When neither `roles` nor `features` is provided, the
+behavior attaches for the `everyone` context role.
+
+### Config-First Feature Example
+
+Use this style when permissions are owned centrally and several controllers,
+models, tasks, or WebSocket actions share the same feature.
+
+```php
+'permissions' => [
+    'features' => [
+        'project.view' => [
+            'components' => [
+                \App\Modules\Api\Controllers\ProjectController::class => [
+                    'find',
+                    'find-with',
+                    'find-first',
+                    'find-first-with',
+                ],
+                \App\Models\Project::class => ['find'],
+            ],
+        ],
+        'project.manage' => [
+            'components' => [
+                \App\Modules\Api\Controllers\ProjectController::class => ['*'],
+                \App\Models\Project::class => ['*'],
+            ],
+            'behaviors' => [
+                \App\Modules\Api\Controllers\ProjectController::class => [
+                    RemoveDefaultPermissionCondition::class,
+                ],
+            ],
+        ],
+    ],
+    'roles' => [
+        'admin' => [
+            'features' => ['project.manage'],
+        ],
+        'researcher' => [
+            'features' => ['project.view'],
+        ],
+    ],
+],
+```
+
+### Attribute-First Feature Example
+
+Use this style when the controller owns its own action surface but roles should
+still receive reusable features through config.
+
+```php
+#[PermissionFeature('project.view', actions: [
+    'find',
+    'find-with',
+    'find-first',
+    'find-first-with',
+])]
+#[PermissionFeature('project.manage', actions: '*')]
+#[AttachBehavior(RemoveDefaultPermissionCondition::class, features: 'project.manage')]
+final class ProjectController extends AbstractController
+{
+    #[PermissionFeature('project.manage')]
+    public function archiveProjectAction(): ResponseInterface
+    {
+        // archive-project
+    }
+}
+```
+
+The remaining config only assigns features to roles:
+
+```php
+'permissions' => [
+    'roles' => [
+        'admin' => [
+            'features' => ['project.manage'],
+        ],
+        'researcher' => [
+            'features' => ['project.view'],
+        ],
+    ],
+],
+```
+
+### Direct Role Attribute Example
+
+Use direct role attributes for small controllers or local actions that are not
+worth turning into global feature names.
+
+```php
+final class ProjectController extends AbstractController
+{
+    #[AllowRoles(['admin', 'manager'])]
+    public function archiveProjectAction(): ResponseInterface
+    {
+        // archive-project
+    }
+
+    #[AllowRoles('admin', actions: ['restore', 'force-delete'])]
+    public function restoreAction(): ResponseInterface
+    {
+        // restore
+    }
+}
+```
+
+Direct role attributes do not require matching `features` config. The role still
+has to be present in the current identity's ACL role list.
+
+### Behavior Example In Both Styles
+
+Action-scoped behavior through config:
+
+```php
+'permissions' => [
+    'roles' => [
+        'admin' => [
+            'behaviorActions' => [
+                \App\Modules\Api\Controllers\ProjectController::class => [
+                    'archive-project' => [
+                        RemoveDefaultPermissionCondition::class,
+                    ],
+                ],
+            ],
+        ],
+    ],
+],
+```
+
+The same behavior beside the action:
+
+```php
+final class ProjectController extends AbstractController
+{
+    #[AttachBehavior(RemoveDefaultPermissionCondition::class, roles: 'admin')]
+    public function archiveProjectAction(): ResponseInterface
+    {
+        // archive-project
+    }
+}
+```
+
+The existing `behaviors` key is still supported for non-action-scoped behavior
+attachment.
+
+Controller attributes use PHP's built-in Reflection API. Normal PHP 8.5 builds
+include Reflection; no extra Composer package or optional extension is required.
+Only the active controller class is inspected, and PhalconKit caches the result
+inside the process. Config-only applications can disable attribute scanning with
+`ACL_ATTRIBUTES=false` or config:
+
+```php
+'acl' => [
+    'attributes' => false,
+],
+```
+
 ## Row-Level Conditions
 
 Feature-level access answers whether a role may use a component. Row-level

guides/rest-api.md

@@ -252,6 +252,12 @@ normal list requests lighter.
 Feature permissions decide whether a role can use a controller/action. Row-level
 conditions decide which records that role can access.
 
+Permission action keys should be dash-case, matching route names such as
+`find-with` or `archive-project`. Controller methods remain normal PHP camelCase
+methods such as `findWithAction()` and `archiveProjectAction()`. PhalconKit
+accepts both names during ACL checks, but new config and attributes should use
+the route-style dash-case names.
+
 ```php
 public function initializePermissionConditions(): void
 {

guides/to-be-discussed.md

@@ -94,11 +94,11 @@ Keep for discussion:
   assignment. Remaining design work: a clearer replacement for boolean
   keep-missing sentinels, and explicit rules for sparse payloads that reactivate
   or update existing relation rows.
-- Controller behavior merging:
+- Controller behavior responses and merge semantics:
   `src/Mvc/Controller/Traits/Behavior.php`.
   Define whether controller behaviors should collect multiple event responses
-  and how feature/role permission merges should de-duplicate overlapping
-  entries.
+  and whether legacy feature/role permission merges should move from native
+  recursive merging to the attribute resolver's de-duplicating merge helper.
 - `findIn*` model helpers:
   `src/Mvc/Model/Traits/FindIn.php`.
   Expand beyond `findInById()` only after field validation, bind-type

src/Acl/Acl.php

@@ -92,7 +92,7 @@ public function get(array $componentsName = ['components'], ?array $permissions
                         continue;
                     }
 
-                    $aclAccess = is_array($accessList) ? array_values(array_unique(array_filter($accessList))) : [$accessList];
+                    $aclAccess = PermissionName::accessList($accessList);
                     $aclComponent = new Component($component);
                     $acl->addComponent($aclComponent, $aclAccess);
                     $acl->allow((string)$aclRole, (string)$aclComponent, $aclAccess);