{ "schema": "agent-buildprint/publication.v1", "publish": true, "fileExcludes": [], "slug": "auth-teams-rbac-os", "title": "Auth, Teams & RBAC OS", "creator": "Agent Buildprint", "category": "Feature / Extension", "tier": "agent-grade", "status": "publishable-draft", "runtime": [ "Existing app auth" ], "stack": [ "Auth", "Teams", "RBAC", "Multi-tenant SaaS", "Audit logs" ], "iconKeys": [ "typescript", "json", "md" ], "difficulty": "Advanced", "featured": true, "summary": "Secure team accounts, memberships, roles, permissions, invites, audit logs, and tenant isolation around an existing auth provider.", "plainDescription": "A stack-adaptable Buildprint for adding teams, RBAC, invites, audit logs, server guards, and tenant isolation without replacing working auth by default.", "promise": "An agent-grade Auth, Teams & RBAC Buildprint that forces deep Phase 00 research and blocks completion unless every team-scoped route has direct server/API authorization tests.", "whatYouGet": [ "Phase 00 auth forensics and tenant research", "Permission vocabulary and role matrix", "Invite and membership lifecycle", "Server-side authorization contracts", "Full threat regression validation chapter" ], "whatYouNeed": [ "An existing app or auth provider to wrap", "Product decisions for team naming, owner/admin policy, billing/API-key scope", "Database migration path for tenant ownership" ], "architectureFlow": [ "Auth census", "Tenant map", "Permissions", "Server guards", "Lifecycle", "Validation" ], "includes": [ "Auth provider census", "Tenant boundary map", "Authorization audit", "Threat model", "RBAC matrix", "Permission engine", "Invite lifecycle", "Role mutation safety", "Audit log", "Migration and rollback plan", "Offline TypeScript proof", "Target-app conformance kit" ], "risks": [ "Auth provider rip-and-replace", "Frontend-only authorization", "Cross-tenant data leakage", "Client-provided teamId trust", "Self-escalation", "Last-owner deletion", "Invite replay", "Stale JWT permissions", "Audit logs leaking secrets" ], "checks": [ "Phase 00 artifacts exist before implementation", "Existing auth is reused by default", "Permission engine denies unknown/missing access by default", "Every team-scoped route has direct API authorization tests", "Invite expiry/revoke/single-use/exact-email policies are tested", "Role mutation blocks self-escalation and last-owner loss", "Audit metadata is redacted", "Offline proof harness is included in the manifest and passes npm --prefix proof test", "Target-app conformance kit is included and typechecks; completion requires it to pass against a real adapter or record blockers", "Migration/backfill/rollback/recovery path is documented" ], "trustBadges": [ { "label": "Phase 00 heavy", "detail": "Starts with auth forensics, tenant mapping, authz audit, threat model, and decision gate.", "tone": "success" }, { "label": "Offline proof included", "detail": "TypeScript proof covers deny-by-default, tenant isolation, invites, owner safety, and audit redaction.", "tone": "success" }, { "label": "Server-side authz", "detail": "Frontend visibility is never treated as security.", "tone": "warning" } ], "copyPrompt": "Use the Auth, Teams & RBAC OS Buildprint. First bootstrap exact snapshots: agb start https://agent-buildprint.com/buildprints/auth-teams-rbac-os/package.json . If agb is not installed, clone https://github.com/DomEscobar/agent-buildprint and run node agent-buildprint/bin/agb.js start https://agent-buildprint.com/buildprints/auth-teams-rbac-os/package.json . Then read .buildprint/next-agent.md and continue. Do not write Buildprint snapshots manually. Do Phase 00 auth forensics before coding. Reuse existing auth by default; do not claim done without server-side authorization tests on team-scoped routes." }