Operator Frame

Global navigation, page frame, and live control-plane status.

The shell is intentionally persistent: left-side navigation, a shared header, and durable status surfaces remain stable while future workflow views swap in.

Lane

Done

Domain

bootstrap

State

done

Work Item

Typed detail boundary

Control-plane detail payloads expose explicit context, lane, approvals, execution state, and action metadata.

Snapshot 2026-03-27T08:10:14.119Z

Done Work Item

Auth middleware + RBAC route protection — all non-health routes require operator session

Implement auth and role middleware as specified in auth_identity_implementation_spec.md Section 7. Create: /auth/middleware/auth.middleware.ts (validates session/token from HTTP-only cookie, attaches user + roles to request context, rejects with 401 on missing/expired session), /auth/middleware/role.middleware.ts (checks required role from route config, rejects with 403 on insufficient role). Wire middleware into Next.js middleware.ts so ALL routes except /api/health, /login, and /api/auth/* are protected. Implement local-dev bypass mode (BYPASS_AUTH=true env flag for developer convenience — must never be set in production). Write tests for protected route rejection, role check denial, and bypass mode behavior.

bootstrapstate: done

Execution Context

ID
wi-BF-217
Branch
bf/BF-217-auth-middleware-rbac-route-protection
Validation
./scripts/validate-local.ps1
PR
none

Lifecycle Metadata

Lane
Done
Work type
feature
Source
done
Status
done
State
done
Done criteria
8

Queue Truth

Freshness: Fresh (snapshot age 0s)

Drift: none.

Reconciliation Guidance

  • No reconciliation required; item truth signals are consistent.

Prompt Context

./work-items/prompts/wi-BF-217.prompt.md

Implement auth and role middleware as specified in auth_identity_implementation_spec.md Section 7. Create: /auth/middleware/auth.middleware.ts (validates session/token from HTTP-only cookie, attaches user + roles to request context, rejects with 401 on missing/expired session), /auth/middleware/role.middleware.ts (checks required role from route config, rejects with 403 on insufficient role). Wire middleware into Next.js middleware.ts so ALL routes except /api/health, /login, and /api/auth/* are protected. Implement local-dev bypass mode (BYPASS_AUTH=true env flag for developer convenience — must never be set in production). Write tests for protected route rejection, role check denial, and bypass mode behavior.

Available Actions

  • Start executionBlocked

    Queue execution handoff for this work item.

    Recovery guidance

    Cause
    Done items stay closed; Start execution cannot move them backward.
    Policy context
    Lane transition policy blocks Start execution when the item is already Done.
    Next step
    Create a net-new work item if more delivery is needed instead of reopening this one.
    Safe retry
    Do not retry Start execution on a done item.

    identity: start-execution

    permission: factory.work-item.execute

    policy gate lane-transition: blocked (Done items stay closed; Start execution cannot move them backward.)

    POST /api/control-plane/items/wi-BF-217/actions/start-execution

  • Request reviewBlocked

    Mark this item ready for review lane handoff.

    Recovery guidance

    Cause
    Done items stay closed; Request review cannot move them backward.
    Policy context
    Lane transition policy blocks Request review when the item is already Done.
    Next step
    Create a net-new work item if more delivery is needed instead of reopening this one.
    Safe retry
    Do not retry Request review on a done item.

    identity: request-review

    permission: factory.work-item.request-review

    policy gate lane-transition: blocked (Done items stay closed; Request review cannot move them backward.)

    POST /api/control-plane/items/wi-BF-217/actions/request-review

  • Prepare releaseBlocked

    Run release-preparation checks for the work item.

    Recovery guidance

    Cause
    Add the pull request URL before running Prepare release.
    Policy context
    Pull request policy requires review traceability before Prepare release can run.
    Next step
    Attach the PR URL in the work item metadata, then retry Prepare release.
    Safe retry
    Retry Prepare release after the PR URL is attached.

    identity: prepare-release

    permission: factory.work-item.prepare-release

    policy gate lane-eligibility: pass

    policy gate pull-request: blocked (Add the pull request URL before running Prepare release.)

    POST /api/control-plane/items/wi-BF-217/actions/prepare-release

  • Record historyEnabled

    Capture history snapshots for audit and validation views.

    identity: record-history

    permission: factory.work-item.record-history

    policy gate context-visibility: pass

    POST /api/control-plane/items/wi-BF-217/actions/record-history