@Mr-Dark-debug
Collaborator

Summary

  • add SEC-001 migration introducing spaces schema, helper functions, and deny-by-default policies while mapping legacy role slugs
  • extend admin guard adoption with audited user management and publish API instrumentation emitting metrics, traces, and structured logs
  • document RBAC and observability updates, log new assumptions, and record weekly progress for the Phase-1 slice

Testing

  • npm run test:unit -- --run tests/unit/require-admin.test.ts

https://chatgpt.com/codex/tasks/task_e_68ec7f0baa4c832db76aaf9288be2623

@vercel

vercel bot commented Oct 13, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
syntax-blogs Error Error Oct 26, 2025 5:59pm

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

it('records authz deny metrics with context tag', () => {
recordAuthzDeny('admin_users', { reason: 'role_check' })
expect(consoleSpy).toHaveBeenCalled()
const payload = consoleSpy.mock.calls.at(-1)?.[1] as string
expect(payload).toContain('"metric":"authz_denied_count"')
expect(payload).toContain('"context":"admin_users"')
expect(payload).toContain('"reason":"role_check"')
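
Review bot: the three `toContain` assertions in this test match raw substrings of `payload`, so they depend on the serializer's exact spacing and quoting and would still pass if the same key/value text appeared somewhere else in the logged line. If the payload is JSON, as the asserted fragments suggest, parse it once and compare the fields (`metric`, the tag name, `reason`) directly. The `consoleSpy.mock.calls.at(-1)?.[1] as string` cast also hides an `undefined` payload; add `expect(payload).toBeDefined()` before the content checks so a missing log argument fails with a clear message.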

P1: Align authz deny metric test with renamed tag

The recordAuthzDeny helper now emits a tag named resource (src/lib/observability/metrics.ts), but the unit test still asserts that the serialized payload contains a context field. This mismatch will cause tests/unit/observability-metrics.test.ts to fail once the test suite is executed. Update the assertion to look for "resource" (or rename the tag back to context) so the test reflects the current metric schema.
