docs(security): document requireAuth anonymous-deny across all HTTP surfaces (#2567)#2993
Merged
Merged
Conversation
…urfaces (#2567) The api.requireAuth schema description + JSDoc claimed the anonymous-deny posture applied to REST /data/* only. Post-#2567 the same value governs every entry point that reaches object data (REST /data, /meta, GraphQL, raw-hono /data) via the shared shouldDenyAnonymous decision. Update the source-of-truth zod describe/JSDoc (regenerating references/api/rest-server.mdx) and the hand-written permissions/authorization.mdx "Anonymous deny" enforcement-chain row to reflect the uniform, by-surface posture and the single requireAuth:false opt-out. Doc-only; no behavior change. spec rest-server tests 54/54, doc-authoring guard clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01ShknNUYoSTspJLBiqorD8V
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
📓 Docs Drift CheckThis PR changes 1 package(s): 97 hand-written doc(s) reference the affected code and may need an implementation-accuracy re-verification:
|
os-zhuang
marked this pull request as ready for review
July 16, 2026 02:29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Doc follow-up to #2567 (Phases 1 & 2 merged as #2973 / #2987). Doc-only — no behavior change.
Why
The docs still described the anonymous-deny posture as REST
/data/*-only, which is now stale: after #2567 the sameapi.requireAuthvalue governs every HTTP entry point that reaches object data — REST/data, the metadata endpoints (/meta), the dispatcher GraphQL endpoint (/graphql), and the raw-hono standard/dataroutes — through one shared decision (shouldDenyAnonymous). The docs-drift check flagged this.Changes
packages/spec/src/api/rest-server.zod.ts(source of truth) — therequireAuth.describe()+ JSDoc now state the posture is uniform across all four surfaces and name the singlerequireAuth: falseopt-out. This is what feeds the config's inline docs and the generated reference.content/docs/references/api/rest-server.mdx— regenerated from the schema (auto-generated file; only therequireAuthrow changed).content/docs/permissions/authorization.mdx— the hand-written "Anonymous deny" enforcement-chain row now reflects all four surfaces, cites the sharedshouldDenyAnonymous(called by RESTenforceAuth, the dispatcher handlers, and honodenyAnonymous), and mentions the source-enumerating conformance ratchet.Verification
@objectstack/specrest-server tests: 54/54check:doc-authoring: clean (194 files)check:release-notes: OK; changeset added (@objectstack/specpatch)requireAuthdoc.🤖 Generated with Claude Code
https://claude.ai/code/session_01ShknNUYoSTspJLBiqorD8V
Generated by Claude Code