Feature Advanced by Agent Buildprint

Auth, Teams & RBAC OS

Add Auth, Teams & RBAC without letting an agent rip out existing auth, fake frontend-only permissions, or miss tenant isolation.

methodology

agent-ready
01 Contract spine
02 Implementation phases
03 Validation gates
04 Prompt handoff

Executable packet spine

The files or runtime artifacts a fresh agent must read or produce before claiming progress.

  • BUILDPRINT.md
  • SPEC.md
  • CONTRACTS.md
  • RBAC_MATRIX.md
  • API_ROUTES.md
  • UI_FLOWS.md
  • TEST_MATRIX.md
  • proof/src/index.ts
  • proof/test/rbac.test.ts
  • conformance/src/adapter-contract.ts
  • conformance/test/auth-rbac.conformance.test.ts
  • README.md
  • PLAN.md
  • VALIDATION_TEMPLATE.md
  • checks/acceptance.md

Proof gates

Checks that prevent a vague implementation from being reported as complete.

  • Phase 00 forensics must complete first
  • Permission engine denies by default
  • Every team-scoped route has direct API auth tests
  • Invites and role changes emit redacted audit events
  • Offline proof harness is included and testable
  • Target-app conformance suite must pass against a real adapter or record blockers

Risks covered

Failure modes the Buildprint makes visible before an agent can hide them in “done”.

  • Frontend-only authorization
  • Cross-tenant data leaks
  • Self-escalation or last-owner loss

What this ships

01 Auth forensics
02 Tenant boundary map
03 Permission engine
04 Invite lifecycle
05 Audit log
06 Offline TypeScript proof
07 Target-app conformance kit

Validation evidence

For newer phase-flow Buildprints, this names replay or outcome evidence. For older registry entries, it lists the included validation checks.

  • Phase 00 forensics must complete first
  • Permission engine denies by default
  • Every team-scoped route has direct API auth tests
  • Invites and role changes emit redacted audit events
  • Offline proof harness is included and testable
  • Target-app conformance suite must pass against a real adapter or record blockers

Copyable agent prompt

Use the Agent Buildprint: Auth, Teams & RBAC OS.

Bootstrap it with `agb start https://agent-buildprint.com/buildprints/auth-teams-rbac-os/package.json ./my-build` or inspect the GitHub folder. Follow BUILDPRINT.md as the authority spine. Do Phase 00 auth forensics and tenant research before coding. Reuse existing auth by default, enforce permissions server-side, and do not claim completion while any team-scoped route lacks direct authorization tests.