docs(plan,spec): align enforce_owner_only_elevation to shipped parent-role authority #7
Reference in New Issue
Block a user
Delete Branch "feature/org-vault-doc-elevation-fix"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Aligns the plan and spec with the shipped
enforce_owner_only_elevation(incrates/relicario-server/src/main.rson main, commitaace6f1).docs/superpowers/plans/2026-06-06-enterprise-org-vault.md): its hook pseudocode still judged owner-elevation authority on the post-changesigner.role— a self-promoting Admin reads as Owner in the same commit and self-authorizes the promotion (the exact escalation the gate exists to stop).f249395had fixed only the skip-predicate, leaving this final check vulnerable. Now derivessigner_may_manage_ownersfromsigner_parent = parent_role(signer.member_id)(the signer's pre-commit role;None→ reject; genesis allowed) and gates on that — matching the shipped code line-for-line.…enterprise-org-vault-design.md): was already policy-correct in prose and did not carry the vulnerable implementation detail; strengthened §2 of the pre-receive-hook description with an explicit pre-commit-role note so the design record pins the property.Verification
main:crates/relicario-server/src/main.rs::enforce_owner_only_elevation— logic matches.grepconfirms nosigner.role.can_manage_ownersremains in either doc.signer.rolereferences are the legitimatecan_manage_members()write-gate + OK-message, which the shipped code uses identically.Docs-only; no code change. Clears the PM's tracked doc-correction task.
🤖 Generated with Claude Code
Pull request closed