Phase A2: Enforcement - Directory Core
Date: 2026-01-05
Module: mod-uni-directory
1. Security Compliance
All server actions in _actions/directory.ts and _actions/directory_profiles.ts have been retrofitted with the Golden Guard Pattern.
Guard Rules Applied
| Action | Role Requirement | Scope | Audit |
|---|---|---|---|
add/removeOccupant |
Admin, Staff, Board |
building |
✅ |
add/removeVehicle |
Admin, Staff, Board |
building |
✅ |
add/removePet |
Admin, Staff, Board |
building |
✅ |
assignPropertyManager |
Admin, Board, Owner |
building / unit |
✅ |
authorizeVendor |
Admin, Board, Staff, Owner |
building / unit |
✅ |
create/updateProfile |
Admin, Staff |
building |
✅ |
deleteProfile |
Admin |
building |
✅ |
seedUnit101 |
Admin |
building |
✅ |
Audit Schema
Every mutation now emits robust structured logs:
{
"event": "AUDIT_LOG",
"actor": "user_123",
"action": "AddOccupant",
"targetId": "unit_456",
"result": "attempt",
"hat": "staff",
"details": { "role": "tenant" }
}
2. Refactoring Notes
- Signature Change: All mutations now accept
context?: ContextStateas the last argument. Client components must pass this context (from the active session) to bypass the guard. - Legacy Removal:
requireRolehas been completely removed from these files. Trusted server-side verification (verifyContext) is now the only authority.
3. Verification
- Build: Passed (
pnpm build --filter=platform). - Type Safety:
ContextStateandUserRoleimports verified.
Status: Ready for UI Workbench Refactor (Gate 3).