{
  "id": "rbac_permissions",
  "label": "RBAC / Permissions Canonical",
  "phase": "phase-08",
  "category": "security_governance",
  "status": "ACTIVE_DH_MIRROR",
  "purpose": "Define which DEVON-DEV actors, roles, services and tools may perform each class of operation before the FSM, panel or backend lets the action proceed.",
  "function": "Prevent permission collapse by separating read, write, execute, install, configure, deploy, rollback, delete, production_access, secret_access and external_search into explicit authorization boundaries.",
  "permission_contract": {
    "requires_actor_identity": true,
    "requires_role": true,
    "requires_permission_set": true,
    "requires_operation_type": true,
    "requires_environment_scope": true,
    "requires_project_scope": true,
    "requires_tool_scope": true,
    "requires_fsm_gate": true,
    "requires_audit_link": true,
    "supports_read": true,
    "supports_write": true,
    "supports_execute": true,
    "supports_install": true,
    "supports_configure": true,
    "supports_deploy": true,
    "supports_rollback": true,
    "supports_delete": true,
    "supports_production_access": true,
    "supports_secret_access": true,
    "supports_external_search": true,
    "blocks_unknown_actor": true,
    "blocks_unknown_role": true,
    "blocks_permissionless_action": true,
    "blocks_secret_access_without_permission": true,
    "blocks_production_access_without_permission": true,
    "decision_authority": "NONE_FSM_DECIDES"
  },
  "permission_classes": [
    "read",
    "write",
    "execute",
    "install",
    "configure",
    "deploy",
    "rollback",
    "delete",
    "production_access",
    "secret_access",
    "external_search"
  ],
  "technology_requirements": [
    {
      "technology": "Auth Service",
      "required_for": "Identify operators, sessions, tokens, system actors and service actors before RBAC permission checks are evaluated.",
      "required_by_phase": "phase-08",
      "required_by_category": "rbac_permissions",
      "required_by_buckets": [
        "Prerequisites",
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until local authentication, session/token handling and stable actor identity exist",
      "validation_command": "MISSING until auth check can prove actor_id, session/token, role lookup and authentication result",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/rbac_permissions_canonical.json",
      "status_source": "Documentation Hub + future Auth Service + Audit Trail Store + Execution Ledger Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Auth Service, DEVON-DEV cannot know who or what is requesting a critical action, so permissions become unenforceable."
    },
    {
      "technology": "RBAC Service",
      "required_for": "Evaluate role-based permission boundaries for read, write, execute, install, configure, deploy, rollback, delete, production access, secret access and external search.",
      "required_by_phase": "phase-08",
      "required_by_category": "rbac_permissions",
      "required_by_buckets": [
        "Prerequisites",
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until role schema, permission matrix and enforcement point exist",
      "validation_command": "MISSING until RBAC check can prove actor, role, requested operation, resource, environment, allow/deny result and reason",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/rbac_permissions_canonical.json",
      "status_source": "Documentation Hub + future RBAC Service + FSM Decision Core + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without RBAC Service, there is no enforceable boundary between reading, writing, executing, deploying, deleting, using secrets or touching production."
    },
    {
      "technology": "Policy Enforcement Point",
      "required_for": "Block unauthorized operations at the backend, FSM, tool boundary and panel action layer before the action reaches filesystem, shell, deploy, rollback, secret or external access surfaces.",
      "required_by_phase": "phase-08",
      "required_by_category": "rbac_permissions",
      "required_by_buckets": [
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until enforcement hooks exist in devon-api-core, FSM and tool boundary",
      "validation_command": "MISSING until denied action can prove enforcement point, actor, permission, resource, decision and audit record",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/rbac_permissions_canonical.json",
      "status_source": "Documentation Hub + future devon-api-core + FSM Decision Core + Tool Boundary + Execution Ledger",
      "blocking_if_missing": true,
      "failure_impact": "Without enforcement points, RBAC remains a registry that can be bypassed by direct backend, shell, tool or panel actions."
    },
    {
      "technology": "Permission Audit Link",
      "required_for": "Attach each allowed or denied permission decision to the Execution Ledger and Audit Trail for later accountability.",
      "required_by_phase": "phase-08",
      "required_by_category": "rbac_permissions",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until permission decisions emit ledger and audit references",
      "validation_command": "MISSING until permission decision can prove actor, role, permission, resource, allow/deny, ledger_event_id and audit_record_id",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/rbac_permissions_canonical.json",
      "status_source": "Documentation Hub + future Execution Ledger Store + Audit Trail Store + RBAC Service",
      "blocking_if_missing": true,
      "failure_impact": "Without Permission Audit Link, DEVON-DEV may block or allow access but cannot prove who requested it, why it passed or why it failed."
    }
  ],
  "depends_on": [
    "sec",
    "fsm_absolute_decision",
    "decision_rule_registry",
    "tool_registry",
    "policy_compiler",
    "config_registry",
    "human_approval_service",
    "audit_trail",
    "execution_ledger",
    "environment_registry",
    "secrets_management",
    "architecture_source_registry"
  ],
  "used_by": [
    "secrets_management",
    "multi_project_isolation",
    "data_governance",
    "compliance_legal_guardrails",
    "dependency_vulnerability_scanner",
    "license_third_party_governance",
    "filesystem_operations",
    "shell_execution",
    "production_deployment_gate",
    "backup_rollback",
    "external_knowledge_access",
    "future_execution_monitoring_panel"
  ]
}
