Done Work Item
Access settings route and UI — /settings/access operator scope grants and role visibility
Implement the /settings/access route for operator access management. Display: current operator's assigned roles and permissions, list of all operators (name, email, roles, last active), role assignment UI (admin-only: assign/remove role from operator), scope grant visibility (what actions each role can perform). GET /api/control-plane/settings/access returns current session operator and all operators (admin only). POST /api/control-plane/settings/access/roles to assign/remove roles (admin only, audited via BF-237 telemetry). Denied action: non-admin operators see read-only view of their own permissions. All changes write audit_event records.
Execution Context
- ID
- wi-BF-238
- Branch
- bf/BF-238-access-settings-route-ui
- Validation
- ./scripts/validate-local.ps1
- PR
- https://github.com/SingletonTheory/build-factory-bootstrap/pull/313
Lifecycle Metadata
- Lane
- Done
- Work type
- feature
- Source
- done
- Status
- done
- State
- done
- Done criteria
- 8
Queue Truth
Freshness: Fresh (snapshot age 0s)
Drift: none.
Reconciliation Guidance
- No reconciliation required; item truth signals are consistent.
Prompt Context
./work-items/prompts/wi-BF-238.prompt.md
Implement the /settings/access route for operator access management. Display: current operator's assigned roles and permissions, list of all operators (name, email, roles, last active), role assignment UI (admin-only: assign/remove role from operator), scope grant visibility (what actions each role can perform). GET /api/control-plane/settings/access returns current session operator and all operators (admin only). POST /api/control-plane/settings/access/roles to assign/remove roles (admin only, audited via BF-237 telemetry). Denied action: non-admin operators see read-only view of their own permissions. All changes write audit_event records.
Available Actions
- Start executionBlocked
Queue execution handoff for this work item.
Recovery guidance
- Cause
- Done items stay closed; Start execution cannot move them backward.
- Policy context
- Lane transition policy blocks Start execution when the item is already Done.
- Next step
- Create a net-new work item if more delivery is needed instead of reopening this one.
- Safe retry
- Do not retry Start execution on a done item.
identity: start-execution
permission: factory.work-item.execute
policy gate lane-transition: blocked (Done items stay closed; Start execution cannot move them backward.)
POST /api/control-plane/items/wi-BF-238/actions/start-execution
- Request reviewBlocked
Mark this item ready for review lane handoff.
Recovery guidance
- Cause
- Done items stay closed; Request review cannot move them backward.
- Policy context
- Lane transition policy blocks Request review when the item is already Done.
- Next step
- Create a net-new work item if more delivery is needed instead of reopening this one.
- Safe retry
- Do not retry Request review on a done item.
identity: request-review
permission: factory.work-item.request-review
policy gate lane-transition: blocked (Done items stay closed; Request review cannot move them backward.)
POST /api/control-plane/items/wi-BF-238/actions/request-review
- Prepare releaseEnabled
Run release-preparation checks for the work item.
identity: prepare-release
permission: factory.work-item.prepare-release
policy gate lane-eligibility: pass
policy gate pull-request: pass
POST /api/control-plane/items/wi-BF-238/actions/prepare-release
- Record historyEnabled
Capture history snapshots for audit and validation views.
identity: record-history
permission: factory.work-item.record-history
policy gate context-visibility: pass
POST /api/control-plane/items/wi-BF-238/actions/record-history