Part of the metadata liveness audit umbrella #1878 (P0 security cluster).
Problem
Destructive record lifecycle operations are not gated by RBAC. allowTransfer / allowRestore / allowPurge are omitted from OPERATION_TO_PERMISSION (permission-evaluator.ts:8-16), so:
- ownership transfer,
- undelete (restore), and
- hard-delete / GDPR purge
run without any permission check. These are exactly the operations that most need RBAC gating.
Decision required (enforce or remove)
- Enforce: add transfer/restore/purge entries to OPERATION_TO_PERMISSION and ensure the corresponding routes/services consult the evaluator before executing.
- Remove: if these ops are intentionally unrestricted, drop the allowTransfer/allowRestore/allowPurge permission props from the spec.
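Sketch of the "enforce" option, added here as an illustration and not taken from permission-evaluator.ts: the operation and permission names, the role-props shape and the evaluator functions are assumptions, but the point is that a lookup which treats an unmapped operation as "no check" is exactly how transfer/restore/purge slipped through, whereas a complete Record type plus a fail-closed lookup makes the gap a compile error and a runtime deny.

```typescript
// Added example, not the project's own code. Names below are assumed.
type Operation = "read" | "update" | "delete" | "transfer" | "restore" | "purge";
type Permission =
  | "allowRead" | "allowUpdate" | "allowDelete"
  | "allowTransfer" | "allowRestore" | "allowPurge";

// Assumed shape of a role's permission props from the spec.
type RolePermissions = Partial<Record<Permission, boolean>>;

// Before: the map omits the destructive lifecycle ops (the gap in the issue).
// Partial<> is what lets the compiler accept the missing entries.
const OPERATION_TO_PERMISSION_BEFORE: Partial<Record<Operation, Permission>> = {
  read: "allowRead",
  update: "allowUpdate",
  delete: "allowDelete",
};

// After: every Operation must map to a Permission; leaving one out no longer compiles.
const OPERATION_TO_PERMISSION: Record<Operation, Permission> = {
  read: "allowRead",
  update: "allowUpdate",
  delete: "allowDelete",
  transfer: "allowTransfer",
  restore: "allowRestore",
  purge: "allowPurge",
};

// Permissive lookup: an op with no mapping runs without any permission check.
function isAllowedPermissive(role: RolePermissions, op: Operation): boolean {
  const perm = OPERATION_TO_PERMISSION_BEFORE[op];
  if (perm === undefined) return true; // unmapped op falls through unchecked
  return role[perm] === true;
}

// Fail-closed lookup: unmapped op is denied, and an absent/false prop is denied.
function isAllowed(role: RolePermissions, op: Operation): boolean {
  const perm: Permission | undefined = OPERATION_TO_PERMISSION[op];
  if (perm === undefined) return false;
  return role[perm] === true;
}

// Constructed sample role: may read and update, holds no destructive permission.
const editorRole: RolePermissions = { allowRead: true, allowUpdate: true };
```

With the permissive map the editor role can purge; with the fail-closed map it cannot until allowPurge is explicitly granted.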
Evidence
docs/audits/2026-06-security-identity-property-liveness.md
permission-evaluator.ts:8-16 (OPERATION_TO_PERMISSION)