Identity & Access Wiring Map
Execution coordinates for the engineering agent. All paths relative to the wt-identity-access worktree (prd/identity-access branch).
Pages
| Screen | Route | File | Pattern to Copy |
|---|---|---|---|
| Permission Matrix | /settings/governance/roles | apps/dreamineering/drmg-sales/src/app/(app)/settings/governance/roles/page.tsx | apps/dreamineering/drmg-sales/src/app/(app)/settings/governance/audit/page.tsx |
| Invitations | /settings/governance/invitations | apps/dreamineering/drmg-sales/src/app/(app)/settings/governance/invitations/page.tsx | apps/dreamineering/drmg-sales/src/app/(app)/settings/governance/audit/page.tsx |
| Team Members | /settings/governance/users | apps/dreamineering/drmg-sales/src/app/(app)/settings/governance/users/page.tsx | apps/dreamineering/drmg-sales/src/app/(app)/settings/governance/audit/page.tsx |
| Accept Invite | /invite/[token] | apps/dreamineering/drmg-sales/src/app/(app)/invite/[token]/page.tsx | apps/dreamineering/drmg-sales/src/app/(app)/settings/governance/audit/page.tsx |
| Audit Log | /settings/governance/audit | apps/dreamineering/drmg-sales/src/app/(app)/settings/governance/audit/page.tsx | — (already built, reference implementation) |
Components
All at libs/app-client/app-drmg-sales-client/src/components/governance/:
| Component | File | Serves |
|---|---|---|
| PermissionToggleGrid | PermissionToggleGrid.tsx | Permission Matrix (Build #4) |
| InviteForm | InviteForm.tsx | Invitations (Build #5) |
| InvitationManager | InvitationManager.tsx | Invitations (Build #5, #6) |
| UserRolesTable | UserRolesTable.tsx | Team Members (Build #4) |
| AuditLogTable | AuditLogTable.tsx | Audit Log (already built) |
| AcceptInviteClient | AcceptInviteClient.tsx | Accept Invite (Build #6) |
Server Actions
| File | Actions | Permission Required |
|---|---|---|
| actions/governance-admin.actions.ts | listRolesAction, listUserRolesAction, listRolePermissionsAction, listPermissionsAction, assignRoleToUserAction, revokeUserRoleAction, toggleRolePermissionAction | governance:manage |
| actions/invitation.actions.ts | sendInvitationAction, revokeInvitationAction, listInvitationsAction, acceptInvitationAction, getInvitationByTokenAction | governance:manage (except accept/get = public) |
| actions/governance.actions.ts | checkPermissionAction, getMyPermissionsAction, checkMultiplePermissionsAction | authenticated |
All actions at libs/app-server/app-drmg-sales-server/src/.
Infrastructure
| Layer | File | Purpose |
|---|---|---|
| Authorization | libs/app-server/.../lib/auth/with-permission.ts | assertPermission(context, action, resourceType) — default DENY |
| PolicyEngine | libs/domain/src/lib/governance__policy-engine/policy-engine.port.ts | canI(), authorize(), getUserPermissions() |
| Seed | libs/infrastructure/database/repositories/src/lib/governance/seed-governance-defaults.ts | seedResourceTypes(), seedDefaultGovernanceRoles() — idempotent |
| Schema | libs/infrastructure/database/schema/src/schema/schema-governance/ | 6 tables: resource_types, permissions, role_permissions, user_roles, access_audit, org_invitations |
| Composition | libs/app-server/.../composition/build-governance.ts | Wires PolicyEngine + repos into GovernanceBundle |
Existing Tests
| Type | File | Covers |
|---|---|---|
| e2e | apps/.../drmg-sales-e2e/src/e2e/identity-access/identity-invite-flow.authenticated.spec.ts | S1, Build #5, #6 |
| e2e | apps/.../drmg-sales-e2e/src/e2e/identity-access/permission-toggle.authenticated.spec.ts | S2, Build #4 |
| integration | actions/governance-admin.actions.integration.spec.ts | Role/permission CRUD |
| intent | apps/intents-e2e/src/intents/auth/governance-seed-defaults.intent.spec.ts | S5, Build #3 |
Seeds and Fixtures
- Seed command: `seed-governance-defaults.ts` runs on deploy — creates 3 roles (Admin, Member, Viewer) and CRUD permissions for all entities in `governance_resource_types`
- Test account: Owner account (Clerk) with Admin role — used by all e2e tests
- Reference table: `governance_resource_types` must be populated before the permission seed runs (the seed function handles ordering)
- Idempotent: safe to re-run — checks for existing rows before INSERT
Implementation Guardrails
- Use `audit/page.tsx` as the pattern for all governance pages (server-component-first, `getGovernancePorts()` composition)
- `getGovernancePorts()` returns `{ policyEngine, userRoleRepo, rolePermissionRepo, permissionRepo, accessAuditRepo }` — use this, do not create alternate composition
- Domain uses British spelling (`organisationId`, `agentProfileId`); server maps from American (`organizationId`)
- New mutations must go through `actions/governance-admin.actions.ts` or `actions/invitation.actions.ts` — do not create new action files
- All permission checks use `assertPermission(context, action, resourceType)` — do not bypass with direct DB queries
- Reference table migration: `governance_resource_types` replaces pgEnum — INSERT new entity types, do not modify enum
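The default-DENY contract behind `assertPermission(context, action, resourceType)`, as an added stand-alone illustration that is not the project's `with-permission.ts`: it resolves a grant through in-memory rows shaped like the page's `user_roles`, `role_permissions`, `permissions` and `resource_types` tables, and anything without an explicit grant (unknown user, wrong organisation, unseeded resource type) is denied. Row shapes, sample ids and the `PermissionDenied` error are assumptions.

```typescript
// Added illustration modelled on the governance schema; not the project's own code.
type UserRole = { userId: string; organisationId: string; roleId: string };
type RolePermission = { roleId: string; permissionId: string };
type Permission = { id: string; action: string; resourceType: string };

// Constructed sample rows: Admin may manage and read governance, Viewer may only read.
const resourceTypes = new Set(["governance", "deal"]); // stands in for governance_resource_types
const permissions: Permission[] = [
  { id: "p1", action: "manage", resourceType: "governance" },
  { id: "p2", action: "read", resourceType: "governance" },
  { id: "p3", action: "read", resourceType: "deal" },
];
const rolePermissions: RolePermission[] = [
  { roleId: "admin", permissionId: "p1" },
  { roleId: "admin", permissionId: "p2" },
  { roleId: "viewer", permissionId: "p2" },
];
const userRoles: UserRole[] = [
  { userId: "u-owner", organisationId: "org-1", roleId: "admin" },
  { userId: "u-guest", organisationId: "org-1", roleId: "viewer" },
];

class PermissionDenied extends Error {}

// canI: true only when one of the user's roles in THIS organisation carries an explicit
// grant for (action, resourceType). Every other path returns false (default DENY).
function canI(userId: string, organisationId: string, action: string, resourceType: string): boolean {
  if (!resourceTypes.has(resourceType)) return false; // unseeded resource type: deny, never "allow by absence"
  const roleIds = new Set(
    userRoles.filter((r) => r.userId === userId && r.organisationId === organisationId).map((r) => r.roleId),
  );
  const grantIds = new Set(rolePermissions.filter((rp) => roleIds.has(rp.roleId)).map((rp) => rp.permissionId));
  return permissions.some((p) => grantIds.has(p.id) && p.action === action && p.resourceType === resourceType);
}

// assertPermission: the guard a server action calls before touching the database; throws on deny
// so a caller cannot forget to check the boolean.
function assertPermission(
  context: { userId: string; organisationId: string },
  action: string,
  resourceType: string,
): void {
  if (!canI(context.userId, context.organisationId, action, resourceType)) {
    throw new PermissionDenied(`${context.userId} may not ${action} ${resourceType} in ${context.organisationId}`);
  }
}
```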