How do agents orchestrate the fix — and how do instruments verify it worked?

AGENT & INSTRUMENT DIAGRAM: IDENTITY & ACCESS
════════════════════════════════════════════════════════════

AGENTS (who applies force)
──────────────────────────
[ENG] Engineering Team — Fixes code, seeds data, builds tiers
[NAV] Dream Team (Nav) — Commissions via browser, validates independently
[CLK] Clerk (External) — Handles authentication, session management
[USR] Platform User — Signs up, triggers onboarding flow

INSTRUMENTS (what verifies/rewards)
────────────────────────────────────
(CA) ClerkAuthAdapter — Validates session, resolves identity chain
(PE) PolicyEngine — Enforces permission checks (canI method)
(GUR) governance_user_roles — Stores role assignments per org
(GAA) governance_access_audit — Logs access decisions
(MTC) Multi-Tenant Checklist — 54-item audit score (currently 22%)
(BC) Browser Commission — Independent verification via browser

FEEDBACK LOOPS
──────────────

LOOP 1: AUTHENTICATION (working)
┌────────────────────────────────────────────────────┐
│ [USR] → Sign in → [CLK] → Session valid? │
│ │ │ │
│ │ (CA) validates │
│ │ │ │
│ │ ExternalAuthId → SystemUserId │
│ │ → OrganisationId │
│ │ │ │
│ └── ApplicationContext ◄───┘ │
└────────────────────────────────────────────────────┘
STATUS: WORKING — the sensor reads correctly

LOOP 2: AUTHORIZATION (broken)
┌────────────────────────────────────────────────────┐
│ Server Action → (CA).validateContext() │
│ │ │
│ ▼ │
│ (PE).canI(context, action, resource) │
│ │ │
│ ├── defaultAllow: true → BYPASS (current) │
│ │ ⚠ Sensor disconnected — no feedback │
│ │ │
│ └── defaultAllow: false → Check (GUR) │
│ ├── 22P02 crash (wrong ID type) ← BUG │
│ ├── No role data → DENY │
│ └── Role found → (GAA) logs → ALLOW/DENY │
└────────────────────────────────────────────────────┘
STATUS: BROKEN — two bugs + missing data + sensor bypassed

LOOP 3: COMMISSIONING (operational)
┌────────────────────────────────────────────────────┐
│ [ENG] ships fix │
│ │ │
│ ▼ │
│ [NAV] opens browser → (BC) checks against PRD │
│ │ │
│ ├── PASS → Advance tier, update commissioning │
│ └── FAIL → [NAV] reports evidence → [ENG] fixes │
│ │
│ (MTC) re-audit after each tier │
│ Score: 22% → target 80%+ │
└────────────────────────────────────────────────────┘
STATUS: OPERATIONAL — the verification loop works

LOOP 4: ONBOARDING (broken)
┌────────────────────────────────────────────────────┐
│ [USR] signs up → [CLK] authenticates │
│ │ │
│ ▼ │
│ Auto-provision: create user + org │
│ │ │
│ ├── Role assignment: MISSING │
│ │ No (GUR) row created → no permissions │
│ │ │
│ └── [USR] hits dashboard → 22P02 → redirect loop│
│ │ │
│ ▼ │
│ [ENG] manual DB fix (1-24h wait) │
└────────────────────────────────────────────────────┘
STATUS: BROKEN — the actuator (role assignment) is missing

════════════════════════════════════════════════════════════

Control System Analysis

The authorization system is a control loop with disconnected components:

| Component | P&ID Equivalent | Status | Fix |
|---|---|---|---|
| Setpoint | Target state | Defined (Admin/Member/Viewer roles) | Seed role definitions |
| Sensor | PolicyEngine (canI) | Bypassed (defaultAllow: true) | Switch to defaultAllow: false |
| Controller | governance_user_roles query | Broken (22P02 — wrong ID type) | Fix query to use systemUserId |
| Actuator | Role assignment | Missing (no auto-bootstrap) | Assign role during provisioning |
| Feedback | governance_access_audit | Built but disconnected | Wire after sensor reconnected |

The fix sequence follows PID controller logic:

  1. Reconnect the sensor — fix the query so it reads correctly
  2. Restore the actuator — seed roles and assign on provision
  3. Enable the controller — switch defaultAllow to false
  4. Close the loop — audit trail captures every decision

Agent Responsibilities

| Agent | Tier 0 | Tier 1 | Tier 2 | Tier 3+ |
|---|---|---|---|---|
| Engineering | Fix query, seed roles, break loop | Auto-bootstrap, error pages | RBAC enforcement, tests | Invites, org switch, billing |
| Nav (Dream) | Verify: dashboard loads, admin accessible | Verify: fresh deploy auto-bootstraps | Verify: member can't access admin | Verify: invite end-to-end |
| Clerk | Continue auth (working) | Org sync webhook | SSO/SAML | |
| User | Report lockout (done) | Test onboarding | Test role-based access | Test invite acceptance |

Gate

Verification for A&ID completeness:

  • Every agent named (who applies force) — YES: Engineering, Nav, Clerk, User
  • Every instrument named (what verifies/rewards) — YES: CA, PE, GUR, GAA, MTC, BC
  • Feedback loops explicit — YES: 4 loops with status
  • Control system mapping to P&ID — YES: setpoint, sensor, controller, actuator, feedback

Demand-Side Jobs

| Job | Struggling Moment | Hidden Objection | Tier |
|---|---|---|---|
| Let Me In | Owner deployed production app, can't access own dashboard | "Don't weaken security to fix onboarding" | T0 |
| Control Access | Everyone sees everything or nothing — no middle ground | "RBAC will take weeks instead of features" | T2 |
| Isolate Data | No enforcement beyond FK — query could leak across tenants | "RLS is hard to debug when data doesn't show up" | T2-T3 |
| Invite Members | No self-serve invite — admin needs developer to add users | "What if I invite someone by mistake?" | T3 |
| Manage Org | No billing, no settings scope, no activity visibility | "Customers don't pay for settings pages" | T4 |

Role Definitions

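| Role | Dashboard | CRM Data | Admin Settings | Org Management | Invite Users |
|---|---|---|---|---|---|
| Admin | Full | Full CRUD | Full | Full | Yes |
| Member | Own org | Full CRUD | View only | No | No |
| Viewer | Read only | Read only | No | No | No |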

Permission Model

Permissions follow the {resource_type}:{action} pattern:

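| Resource Type | Actions | Admin | Member | Viewer |
|---|---|---|---|---|
| dashboard | read | Yes | Yes | Yes |
| contact | read, create, update, delete | All | All | read |
| deal | read, create, update, delete | All | All | read |
| admin_settings | read, update | All | read | No |
| org_members | read, invite, remove, change_role | All | No | No |
| billing | read, update | All | No | No |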
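
The fix sequence and the permission table above, combined into one default-deny check. This is an added example, not the project's own code: canI and the two governance_* names come from the page, while assignRole, Ctx, the in-memory stores and the assumption that system user ids are UUIDs are hypothetical.

```typescript
// Added example; the names mirror the page's diagram but this is not the project's code.
type Role = "Admin" | "Member" | "Viewer";
interface Ctx { systemUserId: string; organisationId: string }
interface AuditRow { userId: string; orgId: string; permission: string; allowed: boolean; reason: string }

const CRUD = ["read", "create", "update", "delete"];
// Role grants copied from the Permission Model table: resource -> allowed actions.
const GRANTS: Record<Role, Record<string, string[]>> = {
  Admin: {
    dashboard: ["read"], contact: CRUD, deal: CRUD, admin_settings: ["read", "update"],
    org_members: ["read", "invite", "remove", "change_role"], billing: ["read", "update"],
  },
  Member: { dashboard: ["read"], contact: CRUD, deal: CRUD, admin_settings: ["read"] },
  Viewer: { dashboard: ["read"], contact: ["read"], deal: ["read"] },
};

// Assumption: system user ids are UUIDs, so an external auth id fails this check
// here instead of reaching the database and raising 22P02.
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const userRoles: Record<string, Role> = {}; // in-memory stand-in for governance_user_roles
const accessAudit: AuditRow[] = [];         // in-memory stand-in for governance_access_audit
const has = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

// Role rows are keyed per organisation, so a role in one org grants nothing in another.
function assignRole(orgId: string, systemUserId: string, role: Role): void {
  userRoles[orgId + ":" + systemUserId] = role;
}

// Default deny: every path that does not find an explicit grant returns false,
// and every decision, allow or deny, is written to the audit trail.
function canI(ctx: Ctx, action: string, resource: string): boolean {
  const key = ctx.organisationId + ":" + ctx.systemUserId;
  let allowed = false;
  let reason = "no role assigned";
  if (!UUID.test(ctx.systemUserId)) {
    reason = "not a system user id";
  } else if (has(userRoles, key)) {
    const role = userRoles[key];
    const grants = GRANTS[role];
    allowed = has(grants, resource) && grants[resource].indexOf(action) !== -1;
    reason = "role " + role;
  }
  accessAudit.push({
    userId: ctx.systemUserId, orgId: ctx.organisationId,
    permission: resource + ":" + action, allowed, reason,
  });
  return allowed;
}
```

A user provisioned without a call to assignRole is denied everywhere, which is the Loop 4 lockout; calling it during provisioning is the "actuator" step.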

Commissioning

Browser-based validation against this PRD. The builder never validates their own work.

| Component | Tier | Status | How to Verify |
|---|---|---|---|
| Owner can access /dashboard | T0 | Blocked | Navigate to dashboard, confirm no redirect loop |
| Owner can access /admin | T0 | Blocked | Navigate to /admin, confirm admin panel renders |
| ADMIN_EMAILS env var configured | T0 | Fail | Check Vercel dashboard |
| Roles seeded in database | T0 | Fail | Admin panel → user management |
| Auto-bootstrap Admin on first login | T1 | Not started | Fresh deploy, new user sign-up, verify Admin role |
| Three roles defined and enforced | T2 | Not started | Viewer cannot access admin routes |
| Cross-tenant isolation | T2 | Not started | Log in as org1 user, attempt org2 data |
| Invite-by-email works | T3 | Not started | Admin sends invite → correct org + role |
| Stripe billing on org | T4 | Not started | Payment creates invoice tied to org |

Context