Authorization Matrix (Phase A Freeze)

Purpose

This document freezes the permission vocabulary used by gateway and auth flows in Phase A. It is a governance control to keep permission naming deterministic before Tender/Auction domain expansion.

No runtime behavior is introduced by this document.

Resources

• auth
• roles
• stakeholder
• admin
• user
• future: tender, auction, stakework

Actions

• read
• write
• submit
• review
• approve
• reject
• verify
• activate
• suspend
• access

Global Trust Gate

• Accounts marked as blacklisted MUST be denied all policy evaluations.
• Blacklist enforcement overrides permission, verification, and active account state.
• Denial reasonCode: blacklisted_account.

Current Permissions (Phase A Frozen Set)

auth:me.read

• Description: Read authenticated caller principal (/auth/me and gateway equivalent).
• Required account state: ACTIVE.
• Required verification state: UNVERIFIED or higher (no KYC hard gate in Phase A).
• Intended role holders: authenticated end users, admin operators.

roles:request.review

• Description: Review role requests (approve/reject/list review queue).
• Required account state: ACTIVE.
• Required verification state: governance policy-dependent; default is no additional hard gate in Phase A.
• Intended role holders: RBAC administrators, governance admins.

admin:access

• Description: Access admin-scoped endpoints at gateway/auth layers.
• Required account state: ACTIVE.
• Required verification state: governance policy-dependent.
• Intended role holders: platform administrators.

stakeholder:submit

• Description: Submit stakeholder onboarding profile.
• Required account state: ACTIVE.
• Required verification state: UNVERIFIED or higher in Phase A.
• Intended role holders: stakeholder applicants (land owner/supplier in current scope).

stakeholder:verify

• Description: Verify or activate submitted stakeholder profiles.
• Required account state: ACTIVE.
• Required verification state: governance policy-dependent.
• Intended role holders: compliance/review administrators.

tender:submit

• Description: Submit a tender draft into review queue (DRAFT -> SUBMITTED).
• Required account state: ACTIVE.
• Required verification state: none in Phase T0.
• Intended role holders: authenticated submitters (supplier/operator accounts).

tender:read.me

• Description: Read caller-owned tenders (GET /tenders/me).
• Required account state: ACTIVE.
• Required verification state: none in Phase T0.
• Intended role holders: authenticated submitters.

tender:review.queue

• Description: Access admin review queue for submitted tenders.
• Required account state: ACTIVE.
• Required verification state: none in Phase T0.
• Intended role holders: tender/governance reviewers.

tender:approve

• Description: Approve submitted tender (SUBMITTED -> APPROVED) with reviewer attribution.
• Required account state: ACTIVE.
• Required verification state: VERIFIED.
• Verification Gate:
  • Account verificationStatus MUST be VERIFIED.
• Intended role holders: tender/governance reviewers.

tender:reject

• Description: Reject submitted tender (SUBMITTED -> REJECTED) with reviewer attribution and reason.
• Required account state: ACTIVE.
• Required verification state: VERIFIED.
• Verification Gate:
  • Account verificationStatus MUST be VERIFIED.
• Intended role holders: tender/governance reviewers.

risk:recalculate.any

• Description: Gateway-scoped privileged operation to trigger risk recalculation for any actor identity.
• Required account state: ACTIVE.
• Required verification state: VERIFIED.
• Verification Gate:
  • Account verificationStatus MUST be VERIFIED.
  • emailVerified SHOULD be treated as baseline for privileged gateway operations.
• Intended role holders: governance reviewers, administrators.
• Notes:
  • Requires step-up 2FA at gateway before execution.

Freeze Governance Rule

Any new permission token MUST:

1. Be added to @kvary/rbac-domain permission catalog.
2. Be documented in this matrix before runtime usage.
3. Follow ${resource}:${action} taxonomy.