{ "ursId": "URS-002", "title": "Role-Based Access Control (Rep, Principal, Admin)", "timestamp": "2026-04-23T03:33:42.056Z", "durationMs": 109993, "config": { "inboxUrl": "http://localhost:61668", "dbHost": "localhost", "dbPort": 61669, "dbName": "cc_repinbox_dev" }, "setup": { "status": "pass" }, "scenarios": [ { "name": "Step 1: Sales Rep login and navigation menu", "status": "pass", "description": "Step 1: Sales Rep login and navigation menu", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-01-sales-rep-navigation.png" ], "explanation": "The Sales Representative role logs in and the sidebar navigation is inspected. Only items the role has permission to access are visible; administrative items such as Settings and Billing are hidden. This confirms that the application enforces role-based navigation visibility server-side.", "expectedAuditActions": [ "user_log:user:login" ], "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-01-sales-rep-nav.webm" }, { "name": "Step 2: Sales Rep can view orders", "status": "pass", "description": "Step 2: Sales Rep can view orders", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-02-sales-rep-orders.png" ], "explanation": "The Sales Rep navigates to the Orders page and it loads successfully without an error page. This confirms that the Sales Representative role includes the order-viewing permission and that permitted routes are accessible.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-02-sales-rep-orders.webm" }, { "name": "Step 3: Sales Rep denied access to Role Management", "status": "pass", "description": "Step 3: Sales Rep denied access to Role Management", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-03-sales-rep-roles-denied.png" ], "explanation": "The Sales Rep attempts to navigate directly to /settings/roles by URL, bypassing the hidden navigation link. The test captures the HTTP response status from the initial navigation and accepts either of the two legitimate server-side denial mechanisms: (a) the route loader renders an \"Error Encountered\" page because the org:manage_roles permission check failed, or (b) the request is redirected to /login because the auth guard invalidated the session. The screencast chapter for this step records which mechanism fired (and the observed HTTP status). Either response proves server-side enforcement, not just link hiding.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-03-sales-rep-roles-denied.webm" }, { "name": "Step 4: Sales Rep denied access to Billing", "status": "pass", "description": "Step 4: Sales Rep denied access to Billing", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-04-sales-rep-billing-denied.png" ], "explanation": "The Sales Rep attempts to navigate directly to /billing by URL. The test captures the HTTP response status and accepts either the error-page or login-redirect denial mechanism. The screencast chapter records the observed mechanism and status. This confirms that billing permissions are enforced at the route level for non-admin roles regardless of how the user constructs the request.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-04-sales-rep-billing-denied.webm" }, { "name": "Step 5: Employee login and navigation menu", "status": "pass", "description": "Step 5: Employee login and navigation menu", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-05-employee-navigation.png" ], "explanation": "The Employee role logs in and the sidebar navigation is inspected. The Employee's visible navigation items differ from the Sales Rep's, confirming that each role has an independently configured permission set and that the navigation reflects that configuration accurately.", "expectedAuditActions": [ "user_log:user:login" ], "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-05-employee-nav.webm" }, { "name": "Step 6: Employee can view orders", "status": "pass", "description": "Step 6: Employee can view orders", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-06-employee-orders.png" ], "explanation": "The Employee navigates to the Orders page and it loads successfully, confirming that the Employee role includes the order-viewing permission and that access to shared features is properly granted across multiple roles.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-06-employee-orders.webm" }, { "name": "Step 7: Employee denied access to Role Management", "status": "pass", "description": "Step 7: Employee denied access to Role Management", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-07-employee-roles-denied.png" ], "explanation": "The Employee attempts to navigate directly to /settings/roles by URL. The test captures the HTTP response status and accepts either denial mechanism (error page or login redirect). The screencast chapter records which mechanism fired. This confirms that org:manage_roles is admin-only and the same server-side check applies regardless of which non-admin role makes the request.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-07-employee-roles-denied.webm" }, { "name": "Step 8: Admin login and navigation menu", "status": "pass", "description": "Step 8: Admin login and navigation menu", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-08-admin-navigation.png" ], "explanation": "The Admin role logs in and the full sidebar navigation is inspected. All expected admin-level navigation items are present, confirming that the admin role is assigned the complete set of permissions needed to manage the organization.", "expectedAuditActions": [ "user_log:user:login" ], "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-08-admin-nav.webm" }, { "name": "Step 9: Admin can access Settings", "status": "pass", "description": "Step 9: Admin can access Settings", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-09-admin-settings.png" ], "explanation": "The Admin navigates to the Settings page and it loads without error. This confirms that the settings access permission is correctly assigned to the admin role and that the route loader grants access as expected.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-09-admin-settings.webm" }, { "name": "Step 10: Admin can access role management", "status": "pass", "description": "Step 10: Admin can access role management", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-10-admin-roles.png" ], "explanation": "The Admin navigates to /settings/roles. The test asserts both the HTTP layer (the navigation returns a 2xx status from the route loader, proving the org:manage_roles permission check passed server-side) and the UI layer (the page renders its specific \"Roles\" heading, a \"Create Role\" action link, and either the roles table or the documented empty-state message). A broken page that merely contained the word \"role\" somewhere would fail these assertions. Together with Step 3 (same route denied for Sales Rep) this proves the permission is correctly gated both ways.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-10-admin-roles.webm" }, { "name": "Step 11: Anonymous user redirected to login", "status": "pass", "description": "Step 11: Anonymous user redirected to login", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-11-anonymous-redirect.png" ], "explanation": "An unauthenticated browser navigates directly to /orders/requests without a session cookie. The server-side route loader detects the missing authentication and redirects to /login. This confirms that authentication is required for all application routes and cannot be bypassed.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-11-anonymous-denied.webm" }, { "name": "Step 12: Sales Rep blocked from multiple restricted URLs", "status": "pass", "description": "Step 12: Sales Rep blocked from multiple restricted URLs", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-12-01-settings-roles-denied.png", "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-12-02-settings-members-denied.png", "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-12-03-billing-denied.png", "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-12-04-settings-products-denied.png" ], "explanation": "The Sales Rep attempts to access four restricted URLs in sequence: /settings/roles, /settings/members, /billing, and /settings/products. Each request is blocked by the server-side permission check, and the test captures a separate screenshot for every URL so the compliance report has independent visual evidence per denial. Each screencast chapter also records which denial mechanism fired (error page vs. login redirect) along with the observed HTTP status. This confirms that RBAC enforcement is comprehensive across administrative routes, not limited to the pages tested individually in earlier steps.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-12-cross-role-access.webm" }, { "name": "Step 13: Sales Rep blocked at HTTP layer by direct API calls", "status": "pass", "description": "Step 13: Sales Rep blocked at HTTP layer by direct API calls", "screenshots": [ "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/screenshots/step-13-api-enforcement.png" ], "explanation": "The Sales Rep issues direct HTTP GET requests to restricted SvelteKit routes using page.request.get (which bypasses client-side navigation and UI redirects). Each response is asserted to be a 401, 403, or a 3xx redirect to /login — any 2xx would indicate the backend permitted the request, which is the failure mode this step is designed to catch. The exact status code and Location header for each URL are written to step-13-api-enforcement.json alongside the report so a reviewer can cite the wire-level response. This proves that permission enforcement is server-side and cannot be bypassed by a user who avoids the UI.", "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z/videos/step-13-api-enforcement.webm" } ], "dbValidations": [ { "name": "User-role assignments match test configuration", "query": "SELECT u.email, u.name, r.name as role_name, r.id as role_id\n FROM user_roles ur\n JOIN users u ON u.id = ur.user_id\n JOIN roles r ON r.id = ur.role_id\n WHERE ur.user_id IN ($1, $2, $3)\n AND ur.organization_id = $4\n ORDER BY u.email", "status": "pass", "rows": [ { "email": "bob.kauffman@stellartech.com", "name": "Bob Kauffman", "role_name": "Sales Representative", "role_id": "d2e3f4a5-b6c7-8901-def0-123456789abc" }, { "email": "dan.distributor@stellartech.com", "name": "Dan Distributor", "role_name": "StellarTech Admin", "role_id": "40e1f2a3-b4c5-6789-4567-890123456789" }, { "email": "ryan.delauintana@stellartech.com", "name": "Ryan Delauintana", "role_name": "Employee", "role_id": "f4a5b6c7-d8e9-0123-f012-3456789abcde" } ], "assertion": "Bob=Sales Rep, Ryan=Employee, Dan=StellarTech Admin" }, { "name": "Permission counts follow role hierarchy", "query": "SELECT r.name as role_name, r.id as role_id, COUNT(p.permission) as permission_count\n FROM roles r\n LEFT JOIN permissions p ON p.actor_id = r.id\n WHERE r.id IN ($1, $2, $3)\n GROUP BY r.name, r.id\n ORDER BY permission_count ASC", "status": "pass", "rows": [ { "role_name": "Sales Representative", "role_id": "d2e3f4a5-b6c7-8901-def0-123456789abc", "permission_count": "9" }, { "role_name": "Employee", "role_id": "f4a5b6c7-d8e9-0123-f012-3456789abcde", "permission_count": "16" }, { "role_name": "StellarTech Admin", "role_id": "40e1f2a3-b4c5-6789-4567-890123456789", "permission_count": "96" } ], "assertion": "Sales Rep (9) < Employee (16) < Admin (96)" }, { "name": "Admin has settings/billing permissions that Sales Rep lacks", "query": "SELECT r.name as role_name, r.id as role_id, p.permission\n FROM roles r\n JOIN permissions p ON p.actor_id = r.id\n WHERE r.id IN ($1, $2)\n AND p.permission IN (\n 'org:manage_roles',\n 'org:manage_users',\n 'org:manage_organization_settings',\n 'billing:view',\n 'billing:create',\n 'forms:manage'\n )\n ORDER BY r.name, p.permission", "status": "pass", "rows": [ { "role_name": "StellarTech Admin", "role_id": "40e1f2a3-b4c5-6789-4567-890123456789", "permission": "billing:create" }, { "role_name": "StellarTech Admin", "role_id": "40e1f2a3-b4c5-6789-4567-890123456789", "permission": "billing:view" }, { "role_name": "StellarTech Admin", "role_id": "40e1f2a3-b4c5-6789-4567-890123456789", "permission": "forms:manage" }, { "role_name": "StellarTech Admin", "role_id": "40e1f2a3-b4c5-6789-4567-890123456789", "permission": "org:manage_organization_settings" }, { "role_name": "StellarTech Admin", "role_id": "40e1f2a3-b4c5-6789-4567-890123456789", "permission": "org:manage_roles" }, { "role_name": "StellarTech Admin", "role_id": "40e1f2a3-b4c5-6789-4567-890123456789", "permission": "org:manage_users" } ], "assertion": "Admin should have org:manage_roles, billing:view, etc. while Sales Rep should not" }, { "name": "All test users scoped to same organization", "query": "SELECT u.email, o.name as org_name, ur.organization_id\n FROM user_roles ur\n JOIN users u ON u.id = ur.user_id\n JOIN organizations o ON ur.organization_id = o.id\n WHERE ur.user_id IN ($1, $2, $3)\n AND ur.organization_id = $4\n ORDER BY u.email", "status": "pass", "rows": [ { "email": "bob.kauffman@stellartech.com", "org_name": "StellarTech Medical Solutions", "organization_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901" }, { "email": "dan.distributor@stellartech.com", "org_name": "StellarTech Medical Solutions", "organization_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901" }, { "email": "ryan.delauintana@stellartech.com", "org_name": "StellarTech Medical Solutions", "organization_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901" } ], "assertion": "All three test users should belong to StellarTech Medical Solutions" }, { "name": "No orphaned permissions in StellarTech org", "query": "SELECT p.actor_id, p.permission, p.organization_id\n FROM permissions p\n WHERE p.organization_id = $1\n AND NOT EXISTS (\n SELECT 1 FROM roles r WHERE r.id = p.actor_id\n )\n LIMIT 10", "status": "pass", "rows": [], "assertion": "All permissions should reference valid roles" } ], "overallStatus": "pass", "outputDir": "/Users/jason/projects/casecohort/code/validation_test_results/urs-002-role-based-access-control/2026-04-23T03-33-42-054Z", "auditStartTime": "2026-04-23T03:33:40.173Z", "auditEventEvidence": [ { "createdAt": "2026-04-23T03:33:49.227Z", "eventType": "user_log", "action": "user:login", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "bob.kauffman@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:33:56.883Z", "eventType": "user_log", "action": "user:login", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "bob.kauffman@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:04.893Z", "eventType": "user_log", "action": "user:login", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "bob.kauffman@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:12.943Z", "eventType": "user_log", "action": "user:login", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "bob.kauffman@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:21.054Z", "eventType": "user_log", "action": "user:login", "userEmail": "ryan.delauintana@stellartech.com", "userId": "28c9d0e1-f2a3-4567-2345-678901234567", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "ryan.delauintana@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:28.478Z", "eventType": "user_log", "action": "user:login", "userEmail": "ryan.delauintana@stellartech.com", "userId": "28c9d0e1-f2a3-4567-2345-678901234567", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "ryan.delauintana@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:36.192Z", "eventType": "user_log", "action": "user:login", "userEmail": "ryan.delauintana@stellartech.com", "userId": "28c9d0e1-f2a3-4567-2345-678901234567", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "ryan.delauintana@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:43.933Z", "eventType": "user_log", "action": "user:login", "userEmail": "dan.distributor@stellartech.com", "userId": "c3d4e5f6-a7b8-9012-cdef-123456789012", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "dan.distributor@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:51.329Z", "eventType": "user_log", "action": "user:login", "userEmail": "dan.distributor@stellartech.com", "userId": "c3d4e5f6-a7b8-9012-cdef-123456789012", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "dan.distributor@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:34:59.233Z", "eventType": "user_log", "action": "user:login", "userEmail": "dan.distributor@stellartech.com", "userId": "c3d4e5f6-a7b8-9012-cdef-123456789012", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "dan.distributor@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:35:12.721Z", "eventType": "user_log", "action": "user:login", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "bob.kauffman@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" }, { "createdAt": "2026-04-23T03:35:26.719Z", "eventType": "user_log", "action": "user:login", "userEmail": "bob.kauffman@stellartech.com", "userId": "17b8c9d0-e1f2-3456-1234-567890123456", "organizationName": "StellarTech Medical Solutions", "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "objectId": null, "secondaryObjectId": null, "payload": { "email": "bob.kauffman@stellartech.com" }, "route": "/login", "traceId": "00000000000000000000000000000000" } ], "auditQuery": "SELECT\n ae.created_at,\n ae.event_type,\n ae.action,\n ae.user_id,\n u.email AS user_email,\n ae.organization_id,\n o.name AS organization_name,\n ae.object_id,\n ae.secondary_object_id,\n ae.payload,\n ae.route,\n ae.trace_id\n FROM audit_events ae\n LEFT JOIN users u ON u.id = ae.user_id\n LEFT JOIN organizations o ON o.id = ae.organization_id\n WHERE ae.created_at >= $1\n AND ae.organization_id = ANY($2::uuid[])\n ORDER BY ae.created_at ASC", "auditAssertions": [ { "stepName": "Step 1: Sales Rep login and navigation menu", "expectedAction": "user_log:user:login", "found": true }, { "stepName": "Step 5: Employee login and navigation menu", "expectedAction": "user_log:user:login", "found": true }, { "stepName": "Step 8: Admin login and navigation menu", "expectedAction": "user_log:user:login", "found": true } ], "emailAssertions": [] }