AP-AUTH-001 (Authorization)

Missing authorization enforcement

Flags protected operations without clear authorization enforcement evidence.

warning · violation · No auto-fix

How to fix

  1. Add the expected role, permission, or organization access check.
  2. Use the local authorization helper used by adjacent endpoints.
  3. Add tests for allowed and forbidden callers.

What it means

An endpoint or workflow appears to access protected data or actions without an authorization check.

Why it matters

Authentication only identifies a caller; authorization decides whether that caller can perform the action.

Common causes

  • A route has authentication but no role/scope check.
  • Authorization is hidden in a helper ArchPilot cannot identify.
  • A new mutation copied a read-only route pattern.

Example bad pattern

PATCH /organizations/:id/policy-config updates policy after only checking that a user is signed in.

Example good pattern

The endpoint requires organization admin access before updating policy configuration.
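The bad and good patterns above, and the "How to fix" steps, as an added TypeScript example. This is not ArchPilot's code nor code from any project it scans: the in-memory organization and membership tables, the `Bearer user:<id>` header format, and the helper names `getSession`, `requireOrgAdmin` and `readPolicyConfig` are all assumptions made for the illustration. The first handler mirrors the flagged pattern (authentication only); the second adds an explicit organization-admin check, and the accompanying assertions are the kind of allowed/forbidden-caller tests step 3 asks for.

```typescript
// Added example, not ArchPilot's code. A minimal PATCH /organizations/:id/policy-config
// handler written twice: once with only an authentication check (the flagged
// pattern) and once with an organization-admin authorization check.
// All data, helper names and the token format below are assumptions.

type Role = "admin" | "member";

interface Session { userId: string }                       // what authentication yields
interface Membership { userId: string; orgId: string; role: Role }
interface Organization { id: string; policyConfig: Record<string, unknown> }

// Constructed sample rows standing in for the database-backed tables.
const organizations: Organization[] = [
  { id: "org-1", policyConfig: { requireMfa: false } },
];
const memberships: Membership[] = [
  { userId: "alice", orgId: "org-1", role: "admin" },
  { userId: "bob", orgId: "org-1", role: "member" },
];

type Result = { status: 200 | 401 | 403 | 404; body?: unknown };

// Authentication only: identifies the caller, or null when not signed in.
// (Assumed header format "Bearer user:<id>", used purely for the illustration.)
function getSession(authHeader: string | undefined): Session | null {
  if (!authHeader || !authHeader.startsWith("Bearer user:")) return null;
  return { userId: authHeader.slice("Bearer user:".length) };
}

// Authorization helper of the kind adjacent endpoints would share:
// does this caller hold the admin role in this organization?
function requireOrgAdmin(session: Session, orgId: string): boolean {
  return memberships.some(
    (m) => m.userId === session.userId && m.orgId === orgId && m.role === "admin",
  );
}

function findOrg(orgId: string): Organization | undefined {
  return organizations.find((o) => o.id === orgId);
}

function readPolicyConfig(orgId: string): Record<string, unknown> | undefined {
  return findOrg(orgId)?.policyConfig;
}

// BAD (the flagged pattern): any signed-in user can rewrite any organization's policy,
// because the only gate is "is there a session?".
function patchPolicyConfigBad(
  authHeader: string | undefined, orgId: string, patch: Record<string, unknown>,
): Result {
  const session = getSession(authHeader);
  if (!session) return { status: 401 };
  const org = findOrg(orgId);
  if (!org) return { status: 404 };
  org.policyConfig = { ...org.policyConfig, ...patch };   // no role or org check
  return { status: 200, body: org.policyConfig };
}

// GOOD: authentication, then an explicit organization-admin check before the
// mutation. Non-admins (and non-members) get 403 and the record is untouched.
// The authorization check runs before the existence lookup so that a caller
// without access learns nothing about which organization ids exist.
function patchPolicyConfigGood(
  authHeader: string | undefined, orgId: string, patch: Record<string, unknown>,
): Result {
  const session = getSession(authHeader);
  if (!session) return { status: 401 };
  if (!requireOrgAdmin(session, orgId)) return { status: 403 };
  const org = findOrg(orgId);
  if (!org) return { status: 404 };
  org.policyConfig = { ...org.policyConfig, ...patch };
  return { status: 200, body: org.policyConfig };
}
```

The point of keeping both handlers side by side is that they are identical except for one line; a review that only confirms "the route is authenticated" will pass the bad one. The forbidden-caller assertions (a plain member, a non-member, an anonymous caller) are what make the regression visible if someone later copies the read-only pattern into a new mutation.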

Related files/config

  • apps/api/src
  • apps/web/app/api
  • packages/db/prisma/schema.prisma

Related CLI commands

  • archpilot validate
  • archpilot validate --ci