Skip to content

SEC-02: Claims-first identity (remove actor query/body IDs) #33

Closed
#108
Closed
SEC-02: Claims-first identity (remove actor query/body IDs)#33
#108
Labels
Priority Ibackendsecurity
@Chris0Jeky

Description

@Chris0Jeky
Chris0Jeky
opened on Feb 16, 2026

Source: docs/TaskdeckNextWorkChecklist.md (SEC-02)

Depends on:

  • SEC-01

Scope:

  • Retrofit remaining legacy controller families to claims-first identity.
  • Remove reliance on caller-supplied actor identity for protected operations.

Acceptance Criteria:

  • Protected endpoints derive actor identity from claims consistently.
  • Query/body actor IDs are not used for authorization decisions.
  • Existing happy paths remain intact.
  • Integration coverage added/updated for impacted families.

Suggested branch:

  • feature/security-claims-retrofit-phase2

Metadata

Metadata

Assignees

No one assigned

    Labels

    Priority Ibackendsecurity

    Projects

    Taskdeck Execution

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions