Context
Wave-12 (PR #2010) closed the engine-side default-OPEN write hole behind an opt-in flag (openregister:enforce_default_closed, default false). The flag is the staging ground for a next-major release where the default flips to true, requiring every schema author to declare an explicit authorization block on schemas that hold tenant-scoped or app-private data.
Today's audit (/tmp/wave11-or-engine-primitives.md Section B1) flagged openbuilt_register.json as the proximate case, but every fleet *_register.json without an authorization block is open for create/update/delete to any authenticated user under the current default.
Scope
For every Conduction app under apps-extra/ and in the broader fleet (decidesk, docudesk, mydash, opencatalogi, openconnector, openbuilt, openregister, openzaak, pipelinq, procest, scholiq, shillinq, softwarecatalog, zaakafhandelapp, larpingapp, planix, …):
- Enumerate every
*_register.json (and schema JSON file ingested by lib/Repair/InitializeRegister.php).
- For each file lacking an
authorization block, decide one of:
- Add the block with sensible defaults (e.g.
create/update/delete: ["users"] for shared data, ["admin"] for system/registry data).
- Opt in to open writes by setting
"public": true on the schema (rare — should be the exception for genuinely anonymous-submission forms).
- Ship one PR per app, gated by Hydra's standard review pipeline.
Definition of done
- Every fleet
*_register.json and schema JSON either declares authorization or explicitly opts in via "public": true.
- The
openregister:enforce_default_closed flag can be flipped from false to true without breaking any leaf app.
- A coordinated next-major OR release flips the default.
Audit command
# Enumerate files missing an authorization block:
grep -L '"authorization"' apps-extra/*/registers/*.json apps-extra/*/openspec/specs
References
Context
Wave-12 (PR #2010) closed the engine-side default-OPEN write hole behind an opt-in flag (
openregister:enforce_default_closed, defaultfalse). The flag is the staging ground for a next-major release where the default flips totrue, requiring every schema author to declare an explicitauthorizationblock on schemas that hold tenant-scoped or app-private data.Today's audit (
/tmp/wave11-or-engine-primitives.mdSection B1) flaggedopenbuilt_register.jsonas the proximate case, but every fleet*_register.jsonwithout anauthorizationblock is open for create/update/delete to any authenticated user under the current default.Scope
For every Conduction app under
apps-extra/and in the broader fleet (decidesk, docudesk, mydash, opencatalogi, openconnector, openbuilt, openregister, openzaak, pipelinq, procest, scholiq, shillinq, softwarecatalog, zaakafhandelapp, larpingapp, planix, …):*_register.json(and schema JSON file ingested bylib/Repair/InitializeRegister.php).authorizationblock, decide one of:create/update/delete: ["users"]for shared data,["admin"]for system/registry data)."public": trueon the schema (rare — should be the exception for genuinely anonymous-submission forms).Definition of done
*_register.jsonand schema JSON either declaresauthorizationor explicitly opts in via"public": true.openregister:enforce_default_closedflag can be flipped fromfalsetotruewithout breaking any leaf app.Audit command
References
/tmp/wave11-or-engine-primitives.mdSection B1