docs: add in-repo specs for SSO, permissions, and admin layers #13

Open

awais786 wants to merge 1 commit into main from docs/in-repo-specs

Conversation

@awais786
Collaborator

Summary

  • New docs/specs/ directory holding repo-owned capability specs (replacing reliance on external rule sets)
  • Three specs added: workspace SSO (OIDC + SAML), role-based permissions, and the two admin layers (instance vs workspace)
  • CLAUDE.md extended with three summary sections pointing at the new specs

Why

Past sessions kept re-exploring the same surface (workflow gating, admin layers, SSO providers) because the knowledge lived in an external repo. Folding it into docs/specs/ makes the contract reviewable in the same PR as the code that implements it, and travels with the repo.

What's in each spec

  • docs/specs/sso.md — WorkspaceSSOIdentityProvider entity, the five /auth/oidc|saml/* routes, OIDC/SAML strategies, dual gating (EnterpriseFeaturesEnabledGuard + BillingEntitlementKey.SSO), login resolution, frontend useSSO flow, gotchas
  • docs/specs/permissions.md — SettingsPermissionGuard, the PermissionFlagType split into Settings flags (bypassed by canUpdateAllSettings) and Tool flags (bypassed by canAccessAllTools), checkRolePermissions logic, the second enforcement layer in workspace-roles-permissions-cache.service.ts that hides workflow data when the flag is off, worked workflow example
  • docs/specs/admin-panel.md — canAccessFullAdminPanel instance flag vs workspace Admin role, AdminPanelGuard, /admin-panel-graphql-api endpoint, JWT-baked admin flag and the sign-out-required gotcha, promotion paths
  • docs/specs/README.md — index + conventions for keeping specs in sync with code

Scope

This spec set describes upstream Twenty as it lives in this repo. Fork-only behaviour (proxy-login controller, ProxyAuthMiddleware, AUTH_TYPE=SSO header-trust path) is explicitly out of scope and is noted as such in docs/specs/sso.md so future readers don't grep for code that isn't here.

Test plan

  • Spot-check cited file:line references resolve in the working tree
  • Confirm CLAUDE.md renders cleanly (new sections: Access Control & Permissions, SSO, Specs)
  • No code changes — lint/typecheck/tests not required

🤖 Generated with Claude Code
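The permissions summary above describes two enforcement layers: a guard that resolves a flag against the role (with canUpdateAllSettings bypassing only Settings flags and canAccessAllTools bypassing only Tool flags), and an object-permission cache that hides workflow data when the Tool flag is off. The following is an added model of that split, not code from the PR or from Twenty; the flag values, the Role fields (grantedFlags), TOOL_GATED_OBJECTS, buildObjectPermissions, readableObjects and the sample roles are all assumptions chosen for illustration. The point it makes concrete is that the two bypasses do not cross over: a role that can update every setting still sees no workflow rows unless it holds WORKFLOWS.

```typescript
// Added example modelling the Settings/Tool flag split summarised above.
// Flag names, role fields and sample roles are assumptions for illustration,
// not Twenty's own code or identifiers.

type SettingsFlag = "WORKSPACE" | "ROLES" | "DATA_MODEL";
type ToolFlag = "WORKFLOWS" | "IMPORT_CSV";
type PermissionFlag = SettingsFlag | ToolFlag;

const SETTINGS_FLAGS: ReadonlySet<PermissionFlag> = new Set<PermissionFlag>(["WORKSPACE", "ROLES", "DATA_MODEL"]);

interface Role {
  label: string;
  // Blanket bypass for Settings flags only; says nothing about tools.
  canUpdateAllSettings: boolean;
  // Blanket bypass for Tool flags only; says nothing about settings.
  canAccessAllTools: boolean;
  // Explicit per-flag grants, consulted when the matching bypass is off.
  grantedFlags: ReadonlySet<PermissionFlag>;
}

function isSettingsFlag(flag: PermissionFlag): flag is SettingsFlag {
  return SETTINGS_FLAGS.has(flag);
}

// First layer: the decision a guard makes for one flag. The two bypasses do not
// cross over, so a settings-wide role still needs WORKFLOWS for tool access.
function checkRolePermissions(role: Role, flag: PermissionFlag): boolean {
  if (isSettingsFlag(flag)) {
    return role.canUpdateAllSettings || role.grantedFlags.has(flag);
  }
  return role.canAccessAllTools || role.grantedFlags.has(flag);
}

// Objects whose records stay hidden unless the named Tool flag is on (assumed mapping).
const TOOL_GATED_OBJECTS: Readonly<Partial<Record<string, ToolFlag>>> = {
  workflow: "WORKFLOWS",
  workflowRun: "WORKFLOWS",
  workflowVersion: "WORKFLOWS",
};

interface ObjectPermission {
  object: string;
  canRead: boolean;
  canUpdate: boolean;
}

// Second layer: the per-role object-permission view a cache would hand to the
// data layer. Tool-gated objects lose read and update when the flag is off, so
// a bypassed or forgotten guard cannot leak workflow rows on its own.
function buildObjectPermissions(role: Role, objects: readonly string[]): ObjectPermission[] {
  return objects.map((object) => {
    const gate = TOOL_GATED_OBJECTS[object];
    const allowed = gate === undefined || checkRolePermissions(role, gate);
    return { object, canRead: allowed, canUpdate: allowed };
  });
}

const WORKSPACE_OBJECTS: readonly string[] = ["person", "company", "workflow", "workflowRun"];

function readableObjects(role: Role): string[] {
  return buildObjectPermissions(role, WORKSPACE_OBJECTS)
    .filter((p) => p.canRead)
    .map((p) => p.object);
}

// Constructed sample roles.
const settingsAdmin: Role = {
  label: "Settings admin",
  canUpdateAllSettings: true,
  canAccessAllTools: false,
  grantedFlags: new Set<PermissionFlag>(),
};

const automationEditor: Role = {
  label: "Automation editor",
  canUpdateAllSettings: false,
  canAccessAllTools: false,
  grantedFlags: new Set<PermissionFlag>(["WORKFLOWS"]),
};

// Worked workflow example: only the role holding WORKFLOWS sees workflow data.
console.log(readableObjects(settingsAdmin));    // [ 'person', 'company' ]
console.log(readableObjects(automationEditor)); // [ 'person', 'company', 'workflow', 'workflowRun' ]
console.log(checkRolePermissions(settingsAdmin, "ROLES")); // true
```

When reviewing the real spec against code, the check worth spot-testing is the second layer: give a role canUpdateAllSettings only, then confirm that workflow objects are absent from its object-permission view rather than merely guarded at the resolver.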

Replace reliance on external rule repos with repo-owned specs under
docs/specs/. Each spec describes observed contract (not aspirational
design) with file:line citations so reviewers can verify against code.

- docs/specs/sso.md: OIDC/SAML providers, routes, strategies, dual
  gating (Enterprise licence + per-workspace BillingEntitlementKey.SSO)
- docs/specs/permissions.md: SettingsPermissionGuard, PermissionFlagType
  split (settings vs tool flags), checkRolePermissions logic, and the
  object-permission cache that hides workflow data from non-permitted
  roles
- docs/specs/admin-panel.md: two-layer admin model
  (canAccessFullAdminPanel vs workspace Admin role), AdminPanelGuard,
  JWT-baked admin flag and the sign-out requirement after DB flips
- CLAUDE.md: summary sections (Access Control, SSO, Specs) pointing at
  the new specs

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
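The commit message above records that the admin flag is baked into the JWT at sign-in, so flipping canAccessFullAdminPanel in the database does not take effect until the user signs out and back in. The following is an added illustration of that behaviour, not code from the PR or from Twenty: the claim names, the in-memory user table, the timestamps and the runScenario helper are assumptions, and the token is modelled as a frozen payload with signature handling omitted. It also shows the direction the PR does not spell out, demotion, where the stale claim keeps admin until the token expires, alongside a hardened guard (an addition here, not described behaviour) that rejects tokens issued before the user's last privilege change.

```typescript
// Added example of the "admin flag baked into the JWT" gotcha. Claim names,
// the user table and timestamps are assumptions for illustration, not Twenty's
// code; the token is a frozen payload and signature checks are left out.

interface UserRow {
  id: string;
  canAccessFullAdminPanel: boolean;
  privilegesChangedAt: number; // unix seconds of the last admin-flag change
}

interface AccessTokenPayload {
  sub: string;
  canAccessFullAdminPanel: boolean;
  iat: number;
}

// Simulated instance user table.
const users = new Map<string, UserRow>();

function setAdminFlag(userId: string, value: boolean, now: number): void {
  const row = users.get(userId);
  if (row === undefined) throw new Error(`unknown user ${userId}`);
  row.canAccessFullAdminPanel = value;
  row.privilegesChangedAt = now;
}

// Sign-in copies the flag into the token; nothing updates it afterwards.
function issueToken(userId: string, now: number): AccessTokenPayload {
  const row = users.get(userId);
  if (row === undefined) throw new Error(`unknown user ${userId}`);
  return Object.freeze({
    sub: row.id,
    canAccessFullAdminPanel: row.canAccessFullAdminPanel,
    iat: now,
  });
}

// Guard as described: decides from the token alone and never re-reads the table.
function adminPanelGuard(token: AccessTokenPayload): boolean {
  return token.canAccessFullAdminPanel;
}

// Hardened variant (an addition, not behaviour the PR describes): a token
// issued before the user's last privilege change is treated as stale.
function adminPanelGuardRejectingStale(token: AccessTokenPayload): boolean {
  const row = users.get(token.sub);
  if (row === undefined) return false;
  if (token.iat < row.privilegesChangedAt) return false;
  return token.canAccessFullAdminPanel;
}

interface ScenarioResult {
  beforeFlip: boolean;
  afterPromotionSameToken: boolean;
  afterPromotionReissued: boolean;
  afterDemotionSameToken: boolean;
  afterDemotionStaleRejected: boolean;
}

// Promote a signed-in user via a DB flip, then demote them again.
function runScenario(): ScenarioResult {
  const t0 = 1_700_000_000;
  users.set("u1", { id: "u1", canAccessFullAdminPanel: false, privilegesChangedAt: 0 });

  const token = issueToken("u1", t0);
  const beforeFlip = adminPanelGuard(token);

  setAdminFlag("u1", true, t0 + 60);
  // Still denied: the baked claim stays false until the user signs out and back in.
  const afterPromotionSameToken = adminPanelGuard(token);
  const fresh = issueToken("u1", t0 + 120);
  const afterPromotionReissued = adminPanelGuard(fresh);

  setAdminFlag("u1", false, t0 + 180);
  // The dangerous direction: the existing token keeps admin until it expires.
  const afterDemotionSameToken = adminPanelGuard(fresh);
  const afterDemotionStaleRejected = adminPanelGuardRejectingStale(fresh);

  return {
    beforeFlip,
    afterPromotionSameToken,
    afterPromotionReissued,
    afterDemotionSameToken,
    afterDemotionStaleRejected,
  };
}

console.log(runScenario());
// { beforeFlip: false, afterPromotionSameToken: false, afterPromotionReissued: true,
//   afterDemotionSameToken: true, afterDemotionStaleRejected: false }
```

The sign-out requirement the commit message mentions is the promotion half of this; when documenting the gotcha it is worth stating the demotion half too, since an operator who removes the flag in the database will otherwise assume access is gone immediately.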