mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 15:21:35 +00:00
shankar0123
06cea1ce0f
Self-audit on cbb47aa flagged that the negative-path-#12 deferral
(scope_id for nonexistent resource → 404) was acknowledged in the
commit message but not in the source. A future operator scanning
internal/repository/postgres/auth.go would not learn about the
gap.
Adds an explicit TODO(bundle-2) comment next to RoleRepository.AddPermission
documenting:
- what's missing today (no FK between role_permissions.scope_id
and the resource tables);
- why the gate still works at request time (no rows match the
bogus scope so EffectivePermissions returns empty);
- the cleaner end-state (HTTP 404 at grant time);
- what's required to land it (migration confirming existing
rows reference real resources);
- the cross-reference to cowork/auth-bundle-1-prompt.md path #12.
Cosmetic, single-file change. No test churn.