forked from fa/breadcrumb-the-shire
Third pilot of the cluster rollout — first action that exercises
forbiddenStrategy:'deny' in production. The CONTEXT-stage vorspiel
collapses into one declarative actionEditContext call; the SUBMIT
branch keeps its explicit Guard::deny() (Two-Level-Authorize).
Confirms the analyst hypothesis: actionEditContext with
forbiddenStrategy:'deny' is enough — no helper extension needed.
Helper file stays 0-diff. The 'deny' path was built in step 1 and
verified by testAuthorizeAndExtractCapabilitiesUsesGuardDenyStrategy,
but only now proven against a real production caller.
Three drift decisions from steps 2/3 reproduced:
* notFoundFlashScopeKey: 'role_not_found' to preserve the existing
Flash dedup-scope-key.
* t() consistency: both Flash::success('Role updated', …) calls now
flow through t() — German users see fully translated messages.
* Defensive scope consumption: $canManageAllRoles reads
$tenantScope['scope'] === 'all'. Roles are global, so
$tenantScope['ids'] is intentionally not consumed; an inline
comment documents that.
Roles-specific: PermissionService-warmup absence is preserved (Roles
don't need it — Departments/Tenants do, but cross-cluster consistency
is not a goal here, behavioral identity is).
ActionContextCsrfPairingContractTest now covers three callers
(departments-edit, tenants-edit, roles-edit) and stays green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>