Implement server-authoritative roles and Shift+Z admin flows

Jage9
2026-02-27 03:37:20 -05:00
parent 6ab3325263
commit 52584197e9
14 changed files with 1777 additions and 180 deletions

View File

@@ -16,6 +16,7 @@ This document is the authoritative keymap for the client.
- `U`: Speak connected users
- `N`: Edit nickname
- `/`: Start chat
- `Shift+Z`: Admin menu (when role permissions allow)
- `,` / `.`: Previous/next message
- `<` / `>`: First/last message
@@ -75,6 +76,20 @@ Applies to effect select, user/item list modes, item selection, item property li
- `Space`: Read tooltip/help for current option (where metadata is available)
- First-letter navigation: jump to next matching entry
## Admin Modes
- `Shift+Z`: Open admin menu
- Admin menu options are permission-gated and include:
- role management
- change user role
- ban user
- unban user
- In admin role management:
- role list includes role user-counts
- `Enter` on role opens permission toggles
- `Enter` on `Add role` opens role name editor
- role delete prompts replacement role selection
## Piano Use Mode
- `1-9` (and `0` for the 10th slot): Switch instrument preset quickly
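
Review bot: The `## Admin Modes` section calls the menu options "permission-gated" but never names the permission that gates each entry (role management, change user role, ban user, unban user), so a reader cannot tell which roles see which options. Suggest listing the permission key next to each entry and adding a sentence that hiding an option is a UI convenience, with the server-side check remaining the actual control. Role delete documents a prompt, but `ban user` has no confirmation step described; state whether one exists.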

View File

@@ -14,6 +14,13 @@ This is a behavior guide for packet semantics beyond raw schemas.
- `auth_login`: authenticate with username/password.
- `auth_resume`: resume prior session via stored session token.
- `auth_logout`: revoke current session and disconnect.
- `admin_roles_list`: request server role list (with user counts + permission sets).
- `admin_role_create`: create role.
- `admin_role_update_permissions`: replace one role permission set.
- `admin_role_delete`: delete role with replacement role reassignment.
- `admin_users_list`: request user list for admin actions.
- `admin_user_set_role`: set target user role.
- `admin_user_ban` / `admin_user_unban`: disable/enable user account.
- `update_position`: client movement intent; server enforces world bounds and movement rate policy.
- `teleport_complete`: client signals teleport landing; server rebroadcasts spatial landing cue.
- `update_nickname`: nickname change request (server enforces uniqueness).
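
Review bot: `admin_user_ban` / `admin_user_unban` is documented only as "disable/enable user account", which leaves open whether a ban also ends the target's live connection and invalidates the stored session token that `auth_resume` accepts. Suggest stating that explicitly. The same list should also say whether `admin_user_set_role` and `admin_role_update_permissions` may be applied to the caller's own account or role, and whether a caller can grant permissions they do not hold themselves.
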
@@ -28,6 +35,10 @@ This is a behavior guide for packet semantics beyond raw schemas.
- `auth_required`: authentication challenge after websocket connect.
- `auth_result`: auth success/failure and session/account metadata.
- `auth_permissions`: server-pushed live role/permission refresh for current session.
- `admin_roles_list`: role list response payload.
- `admin_users_list`: user list response payload.
- `admin_action_result`: structured result for admin actions.
- `welcome`: initial snapshot with users/items plus server UI/world metadata.
- `signal`: forwarded WebRTC offer/answer/ICE.
- `update_position`, `update_nickname`, `user_left`: presence updates.
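
Review bot: `admin_action_result` is described as a "structured result" with no fields listed, so a client author cannot tell how a permission denial differs from a validation error or a success. Suggest documenting the fields and stating which response a client receives when it sends an `admin_*` packet without the required permission.
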
@@ -72,6 +83,7 @@ This is a behavior guide for packet semantics beyond raw schemas.
- `userId`
- `username`
- `role`
- `permissions`
- `policy` (`usernameMinLength`, `usernameMaxLength`, `passwordMinLength`, `passwordMaxLength`)
- `auth_required.authPolicy`: server auth limits advertised before login/register submit.
- `auth_result.authPolicy`: server auth limits echoed on auth success/failure responses.
@@ -103,6 +115,8 @@ This is a behavior guide for packet semantics beyond raw schemas.
- repeated auth failures are rate-limited by IP and IP+identity windows
- auth failures include small randomized response jitter to reduce high-resolution probing
- Client validates incoming packet shapes and applies runtime behavior.
- Server is authoritative for role/permission checks on every privileged packet.
- `voice.send` permission changes are pushed at runtime via `auth_permissions`.
- Sound/media field normalization uses shared server policy helpers:
- `none/off` normalize to empty values
- bare filenames normalize to `sounds/<name>` for sound-reference fields
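
Review bot: "every privileged packet" in the new server-authoritative bullet is undefined; nothing in this list says which packet types count as privileged or which permission each one requires. Suggest a table mapping each packet type to its permission key, or a link to one. The following bullet names only `voice.send` as pushed via `auth_permissions`; if other permission changes are pushed the same way, say so here.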

View File

@@ -9,6 +9,7 @@
- includes `authPolicy` limits for username/password.
5. Client sends `auth_login`, `auth_register`, or `auth_resume`.
6. Server sends `auth_result`.
- includes role + permissions for authenticated session.
7. Server sends `welcome` with users/items snapshot.
8. Client:
- applies `welcome.worldConfig.gridSize` for authoritative grid bounds/rendering
@@ -44,6 +45,10 @@ Core incoming message effects:
- `signal`: WebRTC negotiation and ICE exchange.
- `auth_required`: prompt client to authenticate before gameplay messages.
- `auth_result`: auth success/failure with optional session token + account metadata + `authPolicy`.
- `auth_permissions`: live permission refresh (role + permission set) after role/permission admin changes.
- `admin_roles_list`: role metadata + user counts + permission keys for role management UI.
- `admin_users_list`: user metadata list for role/ban admin flows.
- `admin_action_result`: success/error for role/user admin mutations.
- `update_position`: update peer position; may play movement/teleport world sound.
- `teleport_complete`: play peer teleport landing sound at final tile.
- `update_nickname`: update peer display name.
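
Review bot: `admin_users_list` is described as a "user metadata list" without saying which fields it carries. Suggest enumerating them, keeping the payload to what the role/ban flows need, and documenting that the server sends it only to sessions holding the relevant admin permission.
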
@@ -67,6 +72,12 @@ Core incoming message effects:
- If reconnect lands on a different `welcome.serverInfo.instanceId`, client announces server restart.
- Connect/reconnect status message is emitted from `welcome` and includes server version.
## Authorization Runtime
- Server enforces item/chat/nickname/voice/admin permissions for each packet.
- Role and permission changes apply live to connected users without reconnect.
- `voice.send` revocation is pushed immediately via `auth_permissions`; client mutes outbound voice track.
## Disconnect/Cleanup
On disconnect:
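
Review bot: The `voice.send` bullet under `## Authorization Runtime` describes revocation as the client muting its own outbound track, which is client-side enforcement and sits oddly beside "Server enforces item/chat/nickname/voice/admin permissions for each packet". Since `signal` only forwards WebRTC negotiation, suggest documenting what the server itself does after a revocation, so the guarantee does not depend on the client honouring `auth_permissions`.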