refactor(rbac): drop audit:read from owner/admin, simplify Auditor View gating

Per CS-189 product decision: owners/admins should not see the Auditor View
tab unless they explicitly opt in via a custom role granting audit:read.
Removing audit:read from the built-in owner/admin roles lets the standard
canAccessRoute('auditor') check do the work — the merged permissions
naturally cover owner,auditor / admin,auditor and custom roles with
audit:read, while hiding owner/admin alone.

audit:read is not referenced anywhere in the codebase outside
ROUTE_PERMISSIONS.auditor, so dropping it is safe. Owner/admin still
retain audit:create and audit:update for SOA management.

Deletes ~100 lines of special-case code that was previously needed to
distinguish implicit vs explicit audit:read:
- canAccessAuditorView
- resolveCustomRolePermissions
- resolveAuditorViewAccess
- requireAuditorViewAccess
- customPermissions plumbing through AppShellWrapper / AppSidebar /
  search groups / MainMenu / usePermissions

Tests updated to exercise the full resolution path
(resolveBuiltInPermissions + canAccessRoute).

Author: tofikwest

apps/api/src/training/permissions-regression.spec.ts

@@ -74,10 +74,11 @@ describe('Built-in role permissions — regression', () => {
       }
     });
 
-    it('should have audit create/read/update (no delete)', () => {
-      expect(perms.audit).toEqual(
-        expect.arrayContaining(['create', 'read', 'update']),
-      );
+    it('should have audit create/update only (no read, no delete)', () => {
+      // CS-189: audit:read is reserved for auditor-facing views; owner can
+      // still manage audit scope via create/update.
+      expect(perms.audit).toEqual(expect.arrayContaining(['create', 'update']));
+      expect(perms.audit).not.toContain('read');
       expect(perms.audit).not.toContain('delete');
     });
 

apps/app/src/app/(app)/[orgId]/auditor/layout.tsx

@@ -1,4 +1,4 @@
-import { requireAuditorViewAccess } from '@/lib/permissions.server';
+import { requireRoutePermission } from '@/lib/permissions.server';
 
 export default async function Layout({
   children,
@@ -8,10 +8,6 @@ export default async function Layout({
   params: Promise<{ orgId: string }>;
 }) {
   const { orgId } = await params;
-  // CS-189: stricter than `requireRoutePermission('auditor', orgId)` — the
-  // plain check let owner/admin through via their implicit audit:read.
-  // requireAuditorViewAccess enforces "built-in auditor OR custom role with
-  // explicit audit:read" to match the sidebar tab visibility.
-  await requireAuditorViewAccess(orgId);
+  await requireRoutePermission('auditor', orgId);
   return <>{children}</>;
 }

apps/app/src/app/(app)/[orgId]/components/AppShellWrapper.tsx

@@ -68,8 +68,6 @@ interface AppShellWrapperProps {
   isSecurityEnabled: boolean;
   hasAuditorRole: boolean;
   isOnlyAuditor: boolean;
-  /** CS-189: server-resolved Auditor View visibility — see resolveAuditorViewAccess. */
-  canAccessAuditorView: boolean;
   permissions: UserPermissions;
   user: {
     name: string | null;
@@ -101,7 +99,6 @@ function AppShellWrapperContent({
   isSecurityEnabled,
   hasAuditorRole,
   isOnlyAuditor,
-  canAccessAuditorView,
   permissions,
   user,
   isAdmin,
@@ -147,7 +144,6 @@ function AppShellWrapperContent({
     permissions,
     hasAuditorRole,
     isOnlyAuditor,
-    canAccessAuditorView,
     isQuestionnaireEnabled,
     isTrustNdaEnabled,
     isSecurityEnabled,
@@ -323,7 +319,6 @@ function AppShellWrapperContent({
                   hasAuditorRole={hasAuditorRole}
                   isOnlyAuditor={isOnlyAuditor}
                   permissions={permissions}
-                  canAccessAuditorView={canAccessAuditorView}
                 />
               )}
             </AppShellSidebar>

apps/app/src/app/(app)/[orgId]/components/AppSidebar.tsx

@@ -19,13 +19,6 @@ interface AppSidebarProps {
   hasAuditorRole: boolean;
   isOnlyAuditor: boolean;
   permissions: UserPermissions;
-  /**
-   * CS-189: Whether this user should see the Auditor View tab. Computed
-   * server-side (see resolveAuditorViewAccess) because it needs to
-   * distinguish owner/admin's implicit audit:read from a custom role's
-   * explicit audit:read.
-   */
-  canAccessAuditorView: boolean;
 }
 
 export function AppSidebar({
@@ -34,7 +27,6 @@ export function AppSidebar({
   hasAuditorRole,
   isOnlyAuditor,
   permissions,
-  canAccessAuditorView,
 }: AppSidebarProps) {
   const pathname = usePathname() ?? '';
 
@@ -55,11 +47,7 @@ export function AppSidebar({
       id: 'auditor',
       path: `/${organization.id}/auditor`,
       name: 'Auditor View',
-      // CS-189: visibility is scoped to built-in `auditor` role or a custom
-      // org role that explicitly grants audit:read. Owner/admin's implicit
-      // permissions alone are not enough — see `canAccessAuditorView` in
-      // lib/permissions.ts for the full rule.
-      hidden: !canAccessAuditorView,
+      hidden: !canAccessRoute(permissions, 'auditor'),
     },
     {
       id: 'policies',

apps/app/src/app/(app)/[orgId]/components/app-shell-search-groups.tsx

@@ -26,8 +26,6 @@ interface AppShellSearchGroupsParams {
   permissions: UserPermissions;
   hasAuditorRole: boolean;
   isOnlyAuditor: boolean;
-  /** CS-189: resolved server-side — see AppShellWrapper. */
-  canAccessAuditorView: boolean;
   isQuestionnaireEnabled: boolean;
   isTrustNdaEnabled: boolean;
   isSecurityEnabled: boolean;
@@ -66,7 +64,6 @@ export const getAppShellSearchGroups = ({
   permissions,
   hasAuditorRole,
   isOnlyAuditor,
-  canAccessAuditorView,
   isQuestionnaireEnabled,
   isTrustNdaEnabled,
   isSecurityEnabled,
@@ -99,9 +96,7 @@ export const getAppShellSearchGroups = ({
           }),
         ]
       : []),
-    // CS-189: gate on the server-resolved canAccessAuditorView flag so
-    // owner/admin are hidden unless they explicitly opt in via a custom role.
-    ...(canAccessAuditorView
+    ...(can('auditor')
       ? [
           createNavItem({
             id: 'auditor',

apps/app/src/app/(app)/[orgId]/layout.tsx

@@ -2,15 +2,8 @@ import { getFeatureFlags } from '@/app/posthog';
 import { APP_AWS_ORG_ASSETS_BUCKET, s3Client } from '@/app/s3';
 import { TriggerTokenProvider } from '@/components/trigger-token-provider';
 import { serverApi } from '@/lib/api-server';
-import {
-  canAccessApp,
-  canAccessAuditorView,
-  parseRolesString,
-} from '@/lib/permissions';
-import {
-  resolveCustomRolePermissions,
-  resolveUserPermissions,
-} from '@/lib/permissions.server';
+import { canAccessApp, parseRolesString } from '@/lib/permissions';
+import { resolveUserPermissions } from '@/lib/permissions.server';
 import type { OrganizationFromMe } from '@/types';
 import { auth } from '@/utils/auth';
 import { GetObjectCommand } from '@aws-sdk/client-s3';
@@ -163,19 +156,6 @@ export default async function Layout({
   const hasAuditorRole = roles.includes(Role.auditor);
   const isOnlyAuditor = hasAuditorRole && roles.length === 1;
 
-  // CS-189: the Auditor View tab follows a stricter rule than bare
-  // audit:read — built-in `auditor` role OR a custom role with explicit
-  // audit:read. Resolve the custom-role permissions once so we don't
-  // second-guess the owner/admin's implicit all-permissions in the UI.
-  const customRolePermissions = await resolveCustomRolePermissions(
-    member.role,
-    requestedOrgId,
-  );
-  const auditorViewVisible = canAccessAuditorView(
-    member.role,
-    customRolePermissions,
-  );
-
   // User data for navbar
   const user = {
     name: session.user.name,
@@ -200,7 +180,6 @@ export default async function Layout({
         isSecurityEnabled={isSecurityEnabled}
         hasAuditorRole={hasAuditorRole}
         isOnlyAuditor={isOnlyAuditor}
-        canAccessAuditorView={auditorViewVisible}
         permissions={permissions}
         user={user}
         isAdmin={isUserAdmin}

apps/app/src/components/main-menu.tsx

@@ -1,6 +1,7 @@
 'use client';
 
 import { usePermissions } from '@/hooks/use-permissions';
+import { canAccessRoute } from '@/lib/permissions';
 import { Badge } from '@trycompai/ui/badge';
 import { Button } from '@trycompai/ui/button';
 import { cn } from '@trycompai/ui/cn';
@@ -70,11 +71,7 @@ export function MainMenu({
   const pathname = usePathname();
   const [activeStyle, setActiveStyle] = useState({ top: '0px', height: '0px' });
   const itemRefs = useRef<(HTMLDivElement | null)[]>([]);
-  // CS-189: Auditor View visibility is scoped to the built-in `auditor`
-  // role or a custom org role that explicitly grants audit:read — NOT to
-  // owner/admin's implicit all-permissions. See `canAccessAuditorView` in
-  // lib/permissions.ts for the full rule.
-  const { canAccessAuditorView } = usePermissions();
+  const { permissions } = usePermissions();
 
   const items: MenuItem[] = [
     {
@@ -100,7 +97,7 @@ export function MainMenu({
       disabled: false,
       icon: ClipboardCheck,
       protected: false,
-      hidden: !canAccessAuditorView,
+      hidden: !canAccessRoute(permissions, 'auditor'),
     },
     {
       id: 'controls',

apps/app/src/hooks/use-permissions.ts

@@ -10,7 +10,6 @@ import {
   hasPermission,
   parseRolesString,
   isBuiltInRole,
-  canAccessAuditorView,
   type UserPermissions,
 } from '@/lib/permissions';
 
@@ -76,18 +75,11 @@ export function usePermissions() {
     }
   }
 
-  // CS-189: separate "did a custom role grant this permission" from the
-  // merged permissions, so the Auditor View visibility check can distinguish
-  // an owner's implicit audit:read from a custom role's explicit audit:read.
-  const customPermissions = customData?.permissions ?? {};
-
   return {
     permissions,
-    customPermissions,
     obligations,
     roles: roleNames,
     hasPermission: (resource: string, action: string) =>
       hasPermission(permissions, resource, action),
-    canAccessAuditorView: canAccessAuditorView(roleString, customPermissions),
   };
 }

apps/app/src/lib/permissions.server.ts

@@ -6,7 +6,6 @@ import { headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import {
   type UserPermissions,
-  canAccessAuditorView,
   canAccessRoute,
   getDefaultRoute,
   mergePermissions,
@@ -93,82 +92,3 @@ export async function requireRoutePermission(
     redirect(defaultRoute ?? '/no-access');
   }
 }
-
-/**
- * CS-189: Resolve only the permissions granted by the user's CUSTOM org
- * roles (i.e. not from built-in roles). Needed for the Auditor View
- * visibility rule, which wants to know whether a custom role explicitly
- * grants `audit:read` — owner/admin's implicit all-permissions don't count.
- */
-export async function resolveCustomRolePermissions(
-  roleString: string | null | undefined,
-  orgId: string,
-): Promise<UserPermissions> {
-  const { customRoleNames } = resolveBuiltInPermissions(roleString);
-  const result: UserPermissions = {};
-  if (customRoleNames.length === 0) return result;
-
-  const customRoles = await db.organizationRole.findMany({
-    where: { organizationId: orgId, name: { in: customRoleNames } },
-    select: { permissions: true },
-  });
-
-  for (const role of customRoles) {
-    if (!role.permissions) continue;
-    const parsed =
-      typeof role.permissions === 'string'
-        ? JSON.parse(role.permissions)
-        : role.permissions;
-    if (parsed && typeof parsed === 'object') {
-      mergePermissions(result, parsed as Record<string, string[]>);
-    }
-  }
-  return result;
-}
-
-/**
- * Server-side Auditor View access check. Mirrors the client-side
- * `canAccessAuditorView` but pulls the custom-role permissions from the
- * DB for the current user. Returns null if the user isn't in the org.
- */
-export async function resolveAuditorViewAccess(
-  orgId: string,
-): Promise<{ canAccess: boolean; roleString: string | null } | null> {
-  const session = await auth.api.getSession({
-    headers: await headers(),
-  });
-  if (!session?.user?.id) return null;
-
-  const member = await db.member.findFirst({
-    where: {
-      userId: session.user.id,
-      organizationId: orgId,
-      deactivated: false,
-    },
-    select: { role: true },
-  });
-  if (!member) return null;
-
-  const customPerms = await resolveCustomRolePermissions(member.role, orgId);
-  return {
-    canAccess: canAccessAuditorView(member.role, customPerms),
-    roleString: member.role,
-  };
-}
-
-/**
- * Route guard for the Auditor View page. Replaces `requireRoutePermission(
- * 'auditor', orgId)` — the plain permission check let owner/admin through
- * via their implicit `audit:read`. This helper enforces the stricter
- * "built-in auditor OR custom role with audit:read" rule.
- */
-export async function requireAuditorViewAccess(orgId: string): Promise<void> {
-  const result = await resolveAuditorViewAccess(orgId);
-  if (result?.canAccess) return;
-
-  const permissions = await resolveCurrentUserPermissions(orgId);
-  const defaultRoute = permissions
-    ? getDefaultRoute(permissions, orgId)
-    : null;
-  redirect(defaultRoute ?? '/no-access');
-}