Skip to content

docs: fix CGS permission matrix and owner-role claims (HYPER-332)#140

Merged
aspiers merged 4 commits into
hypercerts-org:mainfrom
aspiers:adam/hyper-332-cgs-doc-fixes
May 29, 2026
Merged

docs: fix CGS permission matrix and owner-role claims (HYPER-332)#140
aspiers merged 4 commits into
hypercerts-org:mainfrom
aspiers:adam/hyper-332-cgs-doc-fixes

Conversation

@aspiers
Copy link
Copy Markdown
Contributor

@aspiers aspiers commented May 29, 2026

Summary

Cross-checked the Certified Group Service page (pages/architecture/certified-group-service.md) against the service source code and corrected two inaccuracies in the RBAC section. Companion to hypercerts-org/certified-group-service#25 (the in-repo doc fixes, now merged).

  • Permission matrix conflated "edit any record" into the member row. In the implementation, members can only edit/delete records they authored (putOwnRecord / deleteOwnRecord); editing or deleting any member's record requires admin (putAnyRecord / deleteAnyRecord). Split into separate own/any rows.
  • Owner role was described as promotable via role.set, with a "last-owner protection" claim. The owner role is in fact immutable — fixed at registration, and role.set / member.remove both reject it (CannotPromoteToOwner / CannotModifyOwner / CannotRemoveOwner). Ownership transfer is a separate, not-yet-implemented operation.

The other CGS-mentioning hub pages (overview, account-and-identity, certified-pdss, epds, glossary) were audited and are accurate — no changes needed. No "GPDS" / "group PDS" terminology violations anywhere.

Test plan

  • Claims verified against certified-group-service/src (rbac/permissions.ts, api/role/set.ts, api/member/remove.ts)
  • Reviewer preview of the rendered RBAC section at /architecture/certified-group-service

🤖 Generated with Claude Code

@aspiers @claude
docs: fix CGS permission matrix and owner-role claims (HYPER-332)
be00329 
Cross-checked the CGS hub page against the service source:

- Permission matrix conflated "edit any record" into the member row;
  members can only edit/delete records they authored. Editing any
  member's record requires admin.
- Owner role described as promotable via role.set; it is immutable,
  fixed at registration. Removed the "last-owner protection" claim in
  favour of full owner immutability (role.set and member.remove both
  reject the owner role).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 29, 2026 17:33
@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented May 29, 2026

@aspiers is attempting to deploy a commit to the Hypercerts Foundation Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 29, 2026
edited
Loading

Warning

Review limit reached

@aspiers, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 29 minutes and 34 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 57bbf9bb-218c-4e7e-b43a-55cabe750a7f

📥 Commits

Reviewing files that changed from the base of the PR and between d0e5763 and fd0b0b5.

📒 Files selected for processing (1)
  • pages/architecture/certified-group-service.md
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented May 29, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
hypercerts-v0.2-documentation Ready Ready Preview, Comment May 29, 2026 7:50pm

Request Review

Copilot AI reviewed May 29, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Certified Group Service (CGS) architecture documentation to match the service’s current RBAC behavior, correcting previously inaccurate permissions/role semantics.

Changes:

  • Refines the RBAC permission matrix to distinguish “own record” vs “any record” edit/delete capabilities.
  • Corrects the description of the owner role to reflect that it is immutable (not assignable/demotable via role.set / member.remove).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pages/architecture/certified-group-service.md Outdated
aspiers and others added 3 commits May 29, 2026 17:44
@aspiers @claude
docs: document cross-group membership listing and member_index (HYPER…
b760d0a 
…-332)

A deeper pass against the CGS source surfaced gaps the first review missed:

- The service-level endpoint app.certified.groups.membership.list (list
  every group the caller belongs to) was undocumented. Added a
  "Cross-group membership" section.
- The Authentication "Audience" check claimed aud is always a group DID;
  cross-group endpoints instead require aud = the service's own DID.
  Clarified both paths.
- The Storage section omitted the global member_index table that backs
  the cross-group query. Added it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@aspiers @claude
docs: match lexicon wording for membership listing (HYPER-332)
7c09a61 
Address CodeRabbit review on PR hypercerts-org#140: use "on this group service" (the
lexicon's own description wording) instead of "on this CGS instance" for
the cross-group membership endpoint.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@aspiers @claude
docs: fix self-removal rule to exclude owners (HYPER-332)
fd0b0b5 
Address Copilot review on PR hypercerts-org#140: the "self-removal always succeeds,
regardless of role" bullet contradicted the new owner-immutability rule.
Per src/api/member/remove.ts, the owner check throws CannotRemoveOwner
before any self-removal allowance, so an owner cannot remove themselves.
Reworded both bullets to make the owner exception explicit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@aspiers aspiers merged commit 8361f2d into hypercerts-org:main May 29, 2026
3 checks passed
@aspiers aspiers deleted the adam/hyper-332-cgs-doc-fixes branch May 29, 2026 23:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aspiers