- Replace specific DPO name with generic privacy email across all legal templates
- Update DPA to clarify third-party services vs sub-processors distinction
- Add privacy policy and DPA cross-references in Terms
- Add intellectual property section to Terms
- Improve prompts UI with Yes/No buttons, section headers, and better visual hierarchy
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add /legal/terms with comprehensive ToS content
- Add terms link to footer navigation
- Add /legal/terms to defense.go whitelist for external access
- Update privacy policy and DPA templates with improved styling
- Refactor RBAC editor template formatting
- Add prompts AI setup documentation
- Include database migration scripts
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Removed the backward compatibility fallback that checked the old
dossier_access table from CanManageDossier/CanAccessDossier - it was
a security risk (hidden path that bypassed the new RBAC system).
Instead, added MigrateOldAccess() that converts existing dossier_access
entries to proper access grants on startup (idempotent - skips existing).
Migration rules:
- Self-references (accessor == target) skipped (owner access is automatic)
- can_edit = 1 → "rwdm" root grant
- can_edit = 0 → "r" root grant
- Role set to "Migrated" for tracking
Result: 12 grants migrated from old table.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
RBAC editor was failing with 403 Forbidden when trying to edit permissions
for users who have access via the old dossier_access table but not the new
access grants table.
Added fallback logic to CanManageDossier and CanAccessDossier:
1. Check new RBAC system (access table) first
2. If no grant found, check old dossier_access table
3. For manage: check can_edit = 1
4. For access: check status = 1
This allows existing access relationships to work with the new RBAC editor
while we migrate data from old to new system.
Fixes: "Forbidden" error when editing permissions for legacy access grants
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated "Edit" button in dossier Privacy section to open new RBAC editor
instead of old access editor. Users can now access granular per-category
permissions directly from the dossier page.
Location: Privacy section → Edit button next to each person with access
Route changed: /dossier/{id}/access/{grantee_id} → /dossier/{id}/rbac/{grantee_id}
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replaced hardcoded "system-internal" with proper 16-char hex ID loaded
from environment, matching dossier ID format. Created actual dossier
for system accessor with name "System".
Changes:
- Generated random 16-char hex: 7b3a3ee1c2776dcd
- Added SYSTEM_ACCESSOR_ID to anthropic.env (staging & production)
- Created dossier for system accessor (name: "System", email: "system@internal")
- Load SystemAccessorID from config in ConfigInit()
- Initialize SystemContext after config load with proper ID
- Default fallback value in config.go
Benefits:
- Proper 16-char hex format matches all other dossier IDs
- Won't break code expecting 16-char IDs
- System operations show as "System" in audit logs
- Can be changed via .env without code changes
- Has actual dossier entry for referential integrity
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changed from empty accessorID bypassing checks to explicit SystemAccessorID
for better security and audit trail.
Before: accessorID == "" → bypass all checks (security risk)
After: accessorID == "system-internal" → bypass (explicit, auditable)
Changes:
- Added SystemAccessorID constant = "system-internal"
- Updated SystemContext to use SystemAccessorID
- Updated checkAccess() to check for specific ID
- Updated accessorIDFromContext() to return SystemAccessorID
- Updated all EntryList calls to use SystemAccessorID
- Updated auth.go helpers to use SystemAccessorID
Benefits:
- Explicit backdoor ID visible in audit logs
- No accidental bypass from empty strings
- Clear intent for system operations
- Can't collide with real hex dossier IDs (uses "system" prefix)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Complete refactor from AccessContext struct to simple accessorID string
parameter for RBAC enforcement, as requested. All access control remains
in lib layer - API/Portal just pass accessor + dossier to lib functions.
Changes:
- Added accessorIDFromContext() helper in lib/v2.go
- Updated all checkAccess() calls to extract accessorID from context
- Updated all EntryList() calls (nil → "" for system context)
- Fixed auth.go helper functions to extract accessorID
- Updated categories API to pass accessor through to lib
All RBAC enforcement stays in lib - no API-level access checks.
Empty accessorID bypasses checks (system/internal operations).
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Remove API-level access checks (requireDossierAccess)
- Pass user context to lib functions instead of system context
- Single enforcement point: lib.EntryList/EntryGet/etc check access
- Fixes EnsureCategoryEntry to use EntryWrite (correct function name)
All access control now happens at the lowest level in lib.
API and MCP layers just pass context through.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- EnsureCategoryEntry: creates category entry if needed
- GrantAccess: creates access grant with cache invalidation
- RevokeAccess: removes grant with cache invalidation
Category entries are automatically created when granting category-level access.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Remove special cat:{id} handling from permission resolution
- Categories are now just entries with parent_id=""
- Access flows naturally through parent_id chain hierarchy
- Three levels: root (entry_id="") > categories > individual entries
- Explicit denial supported with ops=""
- Updated documentation to reflect cleaner model
Next: deprecate dossier_access table, migrate to access grants
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Updated all genome functions to accept AccessContext parameter
- GenomeGetExtraction, GenomeGetTiers, GenomeGetTierByCategory,
GenomeGetVariants, GenomeGetVariantsByTier now pass context to EntryList
- API genome handler uses system context after dossier access check
- Categories endpoint uses system context for counting operations
- Fixes MCP query_genome returning 403/no data errors
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- New dossier_sections.go with DossierSection struct and BuildDossierSections()
- Single section_block template replaces 12+ copy-pasted HTML blocks
- All 26 categories supported with default handler for unknown ones
- /dossier/{id} now uses v2, /dossier/{id}/v1 keeps legacy
- Added missing translation keys for all section types
- CSS: added .section-children and .hidden-row classes
Exposes LLM triage + extraction as a standalone API for web/mobile clients.
Creates entries and prompts from free-form health input, returns structured
response with created resource IDs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
James
Johan Jongsma