Skip to content

Commit 0b5aaea

Browse files
committed
Define identity permissions and visibility model for GameFoundryStudio - PR_26152_065-identity-permissions-model
1 parent ed39ec8 commit 0b5aaea

2 files changed

Lines changed: 303 additions & 0 deletions

File tree

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
# PR_26152_065 Identity Permissions Model Validation
2+
3+
## Scope
4+
5+
Docs-only planning update focused on ownership and security.
6+
7+
Changed:
8+
- `docs/dev/specs/IDENTITY_PERMISSIONS_MODEL.md`
9+
10+
No runtime files, database implementation, storage implementation, authentication implementation, CSS files, HTML files, JavaScript files, TypeScript files, JSON files, Admin pages, Account pages, or GameFoundryStudio pages were changed.
11+
12+
## Validation
13+
14+
Playwright impacted: No. This PR is documentation/planning only.
15+
16+
Lanes executed:
17+
- contract documentation/static validation - because this PR only creates an identity permissions planning document.
18+
19+
Lanes skipped:
20+
- runtime, integration, engine, samples, recovery/UAT - no runtime, handoff, engine, sample, or recovery behavior changed.
21+
22+
Samples decision: SKIP because samples are not in scope and no Samples files changed.
23+
24+
Commands:
25+
- Inline Node validation for required identity permissions model content.
26+
- `git diff --check -- docs/dev/specs/IDENTITY_PERMISSIONS_MODEL.md`
27+
- `git status --short -uall`
28+
- `git diff --name-only -- "*.css" "*.html" "*.js" "*.ts" "*.json"`
29+
30+
Results:
31+
- PASS: `docs/dev/specs/IDENTITY_PERMISSIONS_MODEL.md` exists.
32+
- PASS: Identity components are documented: User, Profile, External identity provider, Account status.
33+
- PASS: Roles are documented: Owner, Admin, Moderator, Creator, Contributor, Reviewer, Player, Guest.
34+
- PASS: Permissions are documented: View, Create, Edit, Delete, Share, Publish, Review, Approve, Moderate, Administer.
35+
- PASS: Visibility modes are documented: Private, Shared, Project, Team, Unlisted, Public, Marketplace, Admin only.
36+
- PASS: Rule documented: No database object can be created without an owner.
37+
- PASS: Rule documented: No shareable object can exist without visibility.
38+
- PASS: Rule documented: No editable object can exist without permissions.
39+
- PASS: Rule documented: Owner has full control unless restricted by platform policy.
40+
- PASS: Rule documented: Admin can administer platform-level records.
41+
- PASS: Rule documented: Moderator can moderate community/public records.
42+
- PASS: Rule documented: Contributor can edit only granted scopes.
43+
- PASS: Rule documented: Reviewer can review/approve only granted scopes.
44+
- PASS: Rule documented: Guest can view only public content.
45+
- PASS: Security boundaries are documented for user-owned data, project-owned data, public data, marketplace data, admin-only data, and moderation data.
46+
- PASS: Next sequence is documented: Users/Identity -> Roles/Permissions -> Visibility -> Projects -> Storage -> Tool State persistence.
47+
- PASS: Document explicitly lists non-goals for runtime, database/storage, authentication, Admin, Account, Tool State persistence implementation, and CSS/HTML/JS/TS/JSON changes.
48+
- PASS: No CSS files changed.
49+
- PASS: No HTML files changed.
50+
- PASS: No JavaScript, TypeScript, or JSON files changed.
51+
- PASS: No repo-wide tests were run.
52+
- PASS: No tests outside the docs scope were run.
53+
54+
Expected PASS behavior:
55+
- Reviewers can use the identity permissions model as a planning contract without any runtime, database, authentication, page, or CSS behavior changes.
56+
57+
Expected WARN behavior:
58+
- This PR defines planning direction only. Implementation requires later explicit identity/auth/storage/runtime PRs.
Lines changed: 245 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,245 @@
1+
# Identity Permissions Model
2+
3+
## Status
4+
5+
This is a planning document for GameFoundryStudio identity, roles, permissions, visibility, and security boundaries.
6+
7+
It stays focused on ownership and security. It does not define storage schema, database tables, API routes, authentication implementation, authorization middleware, page behavior, or runtime behavior.
8+
9+
This document does not authorize runtime changes, database implementation, authentication implementation, page changes, CSS changes, JavaScript changes, or schema migrations.
10+
11+
## Core Rules
12+
13+
- No database object can be created without an owner.
14+
- No shareable object can exist without visibility.
15+
- No editable object can exist without permissions.
16+
- Owner has full control unless restricted by platform policy.
17+
- Admin can administer platform-level records.
18+
- Moderator can moderate community/public records.
19+
- Contributor can edit only granted scopes.
20+
- Reviewer can review/approve only granted scopes.
21+
- Guest can view only public content.
22+
- Permissions must be evaluated against the object and scope, not only against the current route or UI surface.
23+
- Visibility must be explicit and must not be inferred from missing data.
24+
- Platform policy can restrict any role when required for safety, legal, moderation, abuse prevention, or operational integrity.
25+
26+
## Identity
27+
28+
Identity is the security foundation that connects a person or platform actor to platform-owned and user-owned records.
29+
30+
Identity components:
31+
- User
32+
- Profile
33+
- External identity provider
34+
- Account status
35+
36+
### User
37+
38+
Purpose:
39+
- User is the primary platform account record.
40+
- User owns identity-linked data and may own projects, assets, comments, ratings, marketplace items, and other records.
41+
42+
Security notes:
43+
- Every User must have a stable internal id.
44+
- User identity data is private by default.
45+
- User-owned data must not become public unless a shareable object with explicit visibility exposes it.
46+
- User records are not portable manifests.
47+
48+
### Profile
49+
50+
Purpose:
51+
- Profile is the user-facing identity surface.
52+
- Profile may expose display name, creator identity, avatar, public biography, links, badges, and public activity summaries.
53+
54+
Security notes:
55+
- Profile visibility must be explicit.
56+
- Profile data should not expose private User, credential, provider, or account-status data.
57+
- Moderator or Admin actions may restrict a public Profile under platform policy.
58+
59+
### External Identity Provider
60+
61+
Purpose:
62+
- External identity provider links a User to an authentication source such as OAuth, SSO, email provider, or future identity service.
63+
64+
Security notes:
65+
- Provider identifiers and credentials are private.
66+
- Provider tokens, secrets, and verification internals are never portable export data.
67+
- External identity provider records are platform-controlled even when attached to a User.
68+
69+
### Account Status
70+
71+
Purpose:
72+
- Account status describes whether a User can access, create, share, publish, or administer platform records.
73+
74+
Planned statuses:
75+
- Active
76+
- Pending
77+
- Suspended
78+
- Disabled
79+
- Deleted
80+
81+
Security notes:
82+
- Account status may restrict otherwise granted permissions.
83+
- Suspended, disabled, or deleted accounts must not silently retain active publishing, marketplace, moderation, or admin capabilities.
84+
- Account status changes should be auditable in a later implementation.
85+
86+
## Roles
87+
88+
| Role | Purpose | Boundary |
89+
| --- | --- | --- |
90+
| Owner | Accountable owner of an object, project, release, asset, or listing. | Full control unless restricted by platform policy. |
91+
| Admin | Platform-level administrator. | Can administer platform-level records and operational settings. |
92+
| Moderator | Community/public policy moderator. | Can moderate community, public, marketplace, rating, comment, and report surfaces. |
93+
| Creator | User creating projects, assets, manifests, releases, or marketplace content. | Can create and manage owned creator content. |
94+
| Contributor | Granted participant in a project or object scope. | Can edit only granted scopes. |
95+
| Reviewer | Granted review/approval participant. | Can review or approve only granted scopes. |
96+
| Player | User consuming playable or public game content. | Can view/play allowed content and may create allowed feedback. |
97+
| Guest | Unauthenticated or minimally identified visitor. | Can view only public content. |
98+
99+
## Permissions
100+
101+
| Permission | Meaning | Typical Roles |
102+
| --- | --- | --- |
103+
| View | Read an object or surface. | Owner, Admin, Moderator, Creator, Contributor, Reviewer, Player, Guest when public. |
104+
| Create | Create a new object in an allowed scope. | Owner, Admin, Creator, Contributor when granted. |
105+
| Edit | Modify an existing editable object. | Owner, Admin, Creator, Contributor when granted. |
106+
| Delete | Delete, archive, retire, or remove an object. | Owner, Admin, Moderator for moderated content when policy allows. |
107+
| Share | Change sharing or invite access. | Owner, Admin, Creator when granted. |
108+
| Publish | Produce a release or public/marketplace-facing output. | Owner, Admin, Creator, Contributor when explicitly granted. |
109+
| Review | Inspect content for approval, quality, localization, safety, or publishing readiness. | Reviewer, Moderator, Admin, Owner when policy allows. |
110+
| Approve | Mark reviewed content as approved for a workflow. | Reviewer, Moderator, Admin, Owner when policy allows. |
111+
| Moderate | Hide, restrict, restore, lock, flag, or enforce policy on community/public content. | Moderator, Admin. |
112+
| Administer | Manage platform-level records, settings, policies, and operational surfaces. | Admin. |
113+
114+
## Permission Rules
115+
116+
- Permissions are granted by role, ownership, object policy, project membership, platform policy, or explicit workflow assignment.
117+
- Permissions must be scoped to an object, project, team, marketplace item, release, community surface, or platform area.
118+
- Contributor permissions do not imply Publish, Review, Approve, Moderate, or Administer.
119+
- Reviewer permissions do not imply Edit, Publish, Moderate, or Administer outside the granted review scope.
120+
- Moderator permissions do not imply ownership of moderated content.
121+
- Admin permissions do not make Admin the owner of user-owned or project-owned data.
122+
- Player permissions do not imply creator permissions.
123+
- Guest permissions are limited to View on public content.
124+
- Delete should be distinguished from archive, retire, hide, or moderation removal in later implementation work.
125+
126+
## Visibility
127+
128+
| Visibility | Meaning | Security Boundary |
129+
| --- | --- | --- |
130+
| Private | Visible only to owner and explicitly authorized services or participants. | Default for user-owned and project-owned working data. |
131+
| Shared | Visible to explicitly invited users or granted principals. | Direct share boundary. |
132+
| Project | Visible to project participants according to project roles. | Project membership boundary. |
133+
| Team | Visible to a defined team or organization group. | Team membership boundary. |
134+
| Unlisted | Accessible by explicit link or association but not discoverable. | Link/access boundary. |
135+
| Public | Visible and discoverable to public users. | Public web boundary. |
136+
| Marketplace | Visible in marketplace discovery or listing surfaces. | Marketplace and moderation boundary. |
137+
| Admin only | Visible only to Admin or authorized platform service roles. | Platform operation boundary. |
138+
139+
## Visibility Rules
140+
141+
- Every shareable object must have one explicit visibility value.
142+
- Visibility cannot be null, missing, or inferred.
143+
- Public visibility does not automatically grant Edit, Delete, Publish, Review, Approve, Moderate, or Administer.
144+
- Marketplace visibility requires marketplace policy and moderation readiness.
145+
- Admin only data must not leak through public, project, marketplace, export, or manifest payloads.
146+
- Moderation visibility can override public or marketplace discoverability under platform policy.
147+
148+
## Security Boundaries
149+
150+
### User-Owned Data
151+
152+
Definition:
153+
- Records owned directly by a User, such as Profile data, personal settings, user-created comments, ratings, and user-owned assets.
154+
155+
Rules:
156+
- User-owned data requires a User owner.
157+
- Export may include safe user-facing fields when policy allows.
158+
- Private identity, credential, provider, and account-status internals must not be exposed through portable manifests.
159+
160+
### Project-Owned Data
161+
162+
Definition:
163+
- Records owned through a Project, such as Tool States, Assets, Palettes, Game Manifest records, Releases, and project-linked Marketplace Items.
164+
165+
Rules:
166+
- Project-owned data requires a Project owner and project permission policy.
167+
- Project visibility controls project-level access.
168+
- Child objects may need separate visibility when shared outside the project.
169+
170+
### Public Data
171+
172+
Definition:
173+
- Records visible to unauthenticated users or all authenticated users, such as public profiles, public releases, public comments, public community content, or public project surfaces.
174+
175+
Rules:
176+
- Public data still has an owner.
177+
- Public data still has permissions.
178+
- Public data may be moderated, hidden, or retired under platform policy.
179+
180+
### Marketplace Data
181+
182+
Definition:
183+
- Records exposed through marketplace listing, discovery, asset, game, template, bundle, or creator surfaces.
184+
185+
Rules:
186+
- Marketplace data requires owner, visibility, permissions, listing policy, and moderation readiness.
187+
- Marketplace data may reference project-owned or user-owned source records without transferring ownership.
188+
- Marketplace transaction or operational data is not portable manifest data.
189+
190+
### Admin-Only Data
191+
192+
Definition:
193+
- Platform operational records, policy records, security records, system settings, audit records, and protected moderation/admin surfaces.
194+
195+
Rules:
196+
- Admin-only data is platform-controlled.
197+
- Admin-only data may be visible to Admin and authorized Service roles.
198+
- Admin-only data must not appear in user exports, manifests, marketplace payloads, or public data.
199+
200+
### Moderation Data
201+
202+
Definition:
203+
- Reports, enforcement decisions, hidden states, review notes, policy flags, moderation queues, and moderation audit history.
204+
205+
Rules:
206+
- Moderation data is platform-controlled or moderator-scoped.
207+
- Moderation state may affect public or marketplace visibility.
208+
- Moderation internals are not portable export/import data.
209+
- Moderation actions should be auditable in a future implementation.
210+
211+
## Next Sequence
212+
213+
Platform implementation should proceed in this order:
214+
215+
```text
216+
Users/Identity
217+
-> Roles/Permissions
218+
-> Visibility
219+
-> Projects
220+
-> Storage
221+
-> Tool State persistence
222+
```
223+
224+
Sequence rules:
225+
- Users/Identity must exist before durable ownership.
226+
- Roles/Permissions must exist before editable shared objects.
227+
- Visibility must exist before shareable objects.
228+
- Projects must exist before project-owned tool state, assets, palettes, manifests, releases, or marketplace content.
229+
- Storage must exist before Tool State persistence.
230+
- Tool State persistence must not arrive before ownership, permissions, visibility, and project boundaries are defined.
231+
232+
## Non-Goals
233+
234+
This document does not:
235+
- define database storage
236+
- define SQL schema
237+
- define API routes
238+
- implement authentication
239+
- implement authorization checks
240+
- implement storage
241+
- implement Tool State persistence
242+
- implement Admin pages
243+
- implement Account pages
244+
- change runtime behavior
245+
- change CSS, HTML, JavaScript, TypeScript, or JSON files

0 commit comments

Comments
 (0)