docs(plan,spec): align enforce_owner_only_elevation to shipped parent-role authority #7

Closed
alee wants to merge 0 commits from feature/org-vault-doc-elevation-fix into main
Owner

Summary

Aligns the plan and spec with the shipped enforce_owner_only_elevation (in crates/relicario-server/src/main.rs on main, commit aace6f1).

  • Plan (docs/superpowers/plans/2026-06-06-enterprise-org-vault.md): its hook pseudocode still judged owner-elevation authority on the post-change signer.role — a self-promoting Admin reads as Owner in the same commit and self-authorizes the promotion (the exact escalation the gate exists to stop). f249395 had fixed only the skip-predicate, leaving this final check vulnerable. Now derives signer_may_manage_owners from signer_parent = parent_role(signer.member_id) (the signer's pre-commit role; None → reject; genesis allowed) and gates on that — matching the shipped code line-for-line.
  • Spec (…enterprise-org-vault-design.md): was already policy-correct in prose and did not carry the vulnerable implementation detail; strengthened §2 of the pre-receive-hook description with an explicit pre-commit-role note so the design record pins the property.

Verification

  • Plan's edited function compared line-for-line against main:crates/relicario-server/src/main.rs::enforce_owner_only_elevation — logic matches.
  • grep confirms no signer.role.can_manage_owners remains in either doc.
  • Remaining signer.role references are the legitimate can_manage_members() write-gate + OK-message, which the shipped code uses identically.

Docs-only; no code change. Clears the PM's tracked doc-correction task.

🤖 Generated with Claude Code

## Summary Aligns the **plan** and **spec** with the *shipped* `enforce_owner_only_elevation` (in `crates/relicario-server/src/main.rs` on main, commit `aace6f1`). - **Plan** (`docs/superpowers/plans/2026-06-06-enterprise-org-vault.md`): its hook pseudocode still judged owner-elevation authority on the **post-change `signer.role`** — a self-promoting Admin reads as Owner in the same commit and self-authorizes the promotion (the exact escalation the gate exists to stop). `f249395` had fixed only the *skip-predicate*, leaving this final check vulnerable. Now derives `signer_may_manage_owners` from `signer_parent = parent_role(signer.member_id)` (the signer's **pre-commit** role; `None` → reject; genesis allowed) and gates on that — matching the shipped code line-for-line. - **Spec** (`…enterprise-org-vault-design.md`): was already **policy-correct** in prose and did *not* carry the vulnerable implementation detail; strengthened §2 of the pre-receive-hook description with an explicit pre-commit-role note so the design record pins the property. ## Verification - Plan's edited function compared line-for-line against `main:crates/relicario-server/src/main.rs::enforce_owner_only_elevation` — logic matches. - `grep` confirms no `signer.role.can_manage_owners` remains in either doc. - Remaining `signer.role` references are the legitimate `can_manage_members()` write-gate + OK-message, which the shipped code uses identically. Docs-only; no code change. Clears the PM's tracked doc-correction task. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
alee added 1 commit 2026-06-20 17:45:30 +00:00
The plan's pre-receive-hook pseudocode judged owner-elevation authority on the
post-change `signer.role` (so a self-promoting Admin reads as Owner in the same
commit and self-authorizes the promotion — the exact escalation the gate exists
to stop). f249395 had fixed only the skip-predicate, leaving this final check
vulnerable. Align the plan's `enforce_owner_only_elevation` to the SHIPPED fix
(relicario-server/src/main.rs, aace6f1): derive `signer_may_manage_owners` from
`signer_parent = parent_role(signer.member_id)` (the signer's PRE-commit role;
None -> reject; genesis allowed) and gate on that, never the post-change role.

The spec was already policy-correct in prose ("a member-role-change granting
owner/admin must be signed by an owner") and did NOT carry the vulnerable
implementation detail; strengthened it with an explicit pre-commit-role note so
the design record pins the property and no one re-derives the vulnerable form.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TJo44YM3UbBjro2fG6NrKy
alee closed this pull request 2026-06-20 17:48:07 +00:00

Pull request closed

Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: alee/relicario#7