Skip to content

docs(permissions): Attachments Access page + ADR-0057 sys_upload_session guard note#3009

Merged
os-zhuang merged 1 commit into
mainfrom
claude/attachments-v1-followups-8jhvin
Jul 16, 2026
Merged

docs(permissions): Attachments Access page + ADR-0057 sys_upload_session guard note#3009
os-zhuang merged 1 commit into
mainfrom
claude/attachments-v1-followups-8jhvin

Conversation

@os-zhuang

Copy link
Copy Markdown
Contributor

Documentation for the attachment access/security model landed across #2984 + #2999 (framework) and #2538 (objectui), tracked in the now-closed #2970. No code changes.

New page — content/docs/permissions/attachments-access.mdx

A single authoritative summary of how access to record attachments is decided:

  • Parent-derived modelsys_attachment (join) + sys_file (blob) inherit the parent record's access (Salesforce ContentDocumentLink parity); Field.file/Field.image are a separate path.
  • enable.files opt-in gate (FILES_DISABLED).
  • Create — parent read + edit-on-parent (ATTACHMENT_PARENT_ACCESS); uploaded_by server-stamped.
  • Read/list — inherited parent visibility via a sys_attachment-scoped middleware (so total can't leak the hidden count).
  • Delete — uploader or parent editor (ATTACHMENT_DELETE_DENIED), with the member_default no-delete-baseline caveat (management needs a granted set).
  • Download — authenticated, parent-scoped, short-lived signed URL for attachments-scope files (AUTH_REQUIRED / ATTACHMENT_DOWNLOAD_DENIED); non-attachments files (avatars, field images) keep their <img>-embeddable capability URL.
  • Storage-byte lifecyclesys_file + sys_upload_session reap guards.
  • Enforcement-summary + error-code tables; cross-links to enable.files, the storage-service contract, Authorization Architecture, and ADR-0049/0057/0066.

Registered in permissions/meta.json (after Field-Level Security).

ADR-0057

Names sys_upload_session as the second reap-guard consumer in the reap-guards amendment (alongside sys_file).

Verification

  • check:doc-authoring ✓ (195 files clean).
  • All internal link targets verified to exist; ADR link uses the /adr/ route prefix (matching existing pages), meta.json is valid JSON, <Callout> is a component already used in this section.
  • The MDX build is covered by this PR's Build Docs CI job (runs on content/docs changes).

ℹ️ As before, the red Validate Dependencies check is the repo-wide retired-npm pnpm audit endpoint — unrelated to this diff.

🤖 Generated with Claude Code


Generated by Claude Code

…ion guard note

Documents the attachment access model landed across #2984/#2999/#2538
(#2970): parent-derived read/create/delete, inherited list visibility,
authenticated parent-scoped downloads, the enable.files opt-in gate, the
member_default no-delete-baseline caveat, the storage-byte lifecycle
(sys_file + sys_upload_session reap guards), and an enforcement-summary
+ error-code table. Registered in permissions/meta.json.

Also names sys_upload_session as the second reap-guard consumer in the
ADR-0057 amendment.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0187NT3Qer9oep5dCRb9b8Lt
@vercel

vercel Bot commented Jul 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
spec Ready Ready Preview, Comment Jul 16, 2026 4:50am

Request Review

@github-actions github-actions Bot added documentation Improvements or additions to documentation size/m labels Jul 16, 2026
@os-zhuang os-zhuang marked this pull request as ready for review July 16, 2026 04:56
@os-zhuang os-zhuang merged commit a23c32e into main Jul 16, 2026
15 checks passed
@os-zhuang os-zhuang deleted the claude/attachments-v1-followups-8jhvin branch July 16, 2026 04:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation size/m

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[attachments] v2 tracking: parent-visibility inheritance, authed downloads, remaining enforce-or-remove

2 participants