
Phase 3C: Proof & Coverage (With Policy Update)

1. Security Coverage Map (Server-Side)

This map reflects the 2026-01-05 policy: high-risk finance actions require Admin OR Board plus building scope. The Gating column below shows the role gate only; the building-scope requirement applies to every HIGH-risk finance row. Facet enforcement (Treasurer) is deferred.

Module                   | Action               | Guard Type    | Gating                  | Risk
-------------------------|----------------------|---------------|-------------------------|---------
Finance (Reconciliation) | autoMatchAction      | verifyContext | Admin OR Board          | HIGH
                         | confirmMatchAction   | verifyContext | Admin OR Board          | HIGH
                         | commitReconciliation | verifyContext | Admin OR Board          | HIGH
                         | deleteStatement      | verifyContext | Admin (Strict)          | HIGH
Finance (Ledger)         | postJournalEntry     | verifyContext | Admin OR Board          | HIGH
Finance (Payables)       | payBillAction        | verifyContext | Admin OR Board          | HIGH
                         | approveBillAction    | verifyContext | Admin OR Board          | MED
                         | createBillAction     | verifyContext | Admin OR Board OR Staff | LOW
Identity                 | updateUserRole       | verifyContext | Admin (System)          | CRITICAL
Governance               | recordManualVote     | verifyContext | Admin                   | HIGH

2. Policy Update: Finance Authority

Decision: "Admin OR Board" is the standardized, simplified rule for finance authority. Changes applied:

  1. Golden Spec: Updated GOLDEN-SPEC-PLATFORM-CANONICAL.md to explicitly state "Any Board Member" is authorized for finance actions, deferring Treasurer facets.
  2. Code Normalization:
    • Removed TODO comments about "Temporary Clamp" in finance-reconciliation.ts.
    • Updated finance.ts: payBillAction from Admin-Only to Admin OR Board.
    • Updated finance-ledger.ts: postJournalEntry from Admin-Only to Admin OR Board.

3. Log Quality Check

  • Reconciliation: Uses the logAudit helper (Actor, Hat, Scope, Action, Target, Result).
  • Ledger: Uses console.log with an [Audit] prefix and the fields Actor, Desc.
  • Payables: Uses console.log with an [Audit] prefix and the fields Actor, Bill, Amount.
  • Gap: Ledger and Payables records carry no Hat, Scope or Result, so unlike Reconciliation they cannot be tied back to the gate decision that allowed the action. Moving both onto logAudit is outstanding.

4. Verification Checklist (Manual)

  1. Board Member Test:
    • Log in as Board Member (non-treasurer).
    • Attempt payBillAction -> MUST SUCCEED (New Policy).
    • Attempt postJournalEntry -> MUST SUCCEED (New Policy).
    • Attempt deleteStatement -> MUST FAIL (Admin Only restriction preserved).
  2. Scope Test:
    • Attempt payBillAction with scope: 'my_unit' -> MUST FAIL.
    • Attempt with scope: 'building' -> MUST SUCCEED.
  3. Role Change Test:
    • Board Member attempts to grant Admin Role -> MUST FAIL (Admin only).

Status: Policy Synchronized. Coverage Map Generated.