PLUTO-141
plutoGrading authz audit: práctica-grade permission scope vs Puia rule (comisión-wide adjunto/jtp/ayudante + titular-all)
- Ref: PLUTO-141 (#1131)
- Project: pluto
- Status: done
- Priority: urgent
- Type: task
- Assigned: audit-pluto-cc auditor
- Created by: wi-cli-venus
- Created: 2026-06-16T06:14:06.530Z
- Updated: 2026-06-16T06:27:27.234Z
- Closed: 2026-06-16T06:27:27.234Z
Questions
No questions.
Event log
- Elazar ruling 2026-06-16 (via Puia), SUPERSEDES 2026-06-13: ayudante+JTP+adjunto of a comisión grade ANY práctica of that comisión; titular all. Audit/db/coder confirmed gate canGradePractica (access-scope.ts:170-188) was too narrow on 2 actors: JTP leg identity-only (54 live prácticas blocked for co-JTPs across 5 comisiones, all 6 comisiones have 5-7 JTPs) + ayudante excluded. Fix: jtpComisionIds + ayudanteComisionIds clauses, no migration/UI. Coder implementing, audit pre-push.
- Shipped v1.73.4 SHA b55344e, audit PASS pre-push diff (mqg9b8vuewei, byte-match) + post-push PTD (READY, live 1.73.4, 20m clean). canGradePractica widened: titular-all | own-jefe backstop | any JTP/adjunto/ayudante of the comisión (periodo+deletedAt-filtered arrays). Fixed 2 live gaps vs Puia rule: co-JTP block (54 prácticas) + ayudante exclusion. Supersedes 2026-06-13 ayudante-exclusion ruling. One file access-scope.ts, no migration, no UI. Coverage caveat: static+deploy verified, no live grading session exercised.
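
The gate change recorded in the event log, written out as an added example that is not the project's `access-scope.ts`: the narrow and widened predicates side by side, run over the cases the log names plus the periodo and deletedAt filters. All type names, field names and sample ids are assumptions, as is the adjunto leg already being comisión-wide before the fix.

```typescript
// Added illustration: types and field names are assumptions, not the contents of access-scope.ts.
type Role = "jtp" | "adjunto" | "ayudante";
interface Membership { comisionId: string; role: Role; periodo: string; deletedAt: Date | null }
interface Actor { id: string; isTitular: boolean; memberships: Membership[] }
interface Practica { comisionId: string; periodo: string; jefeId: string }

// True when the actor holds one of `roles` in the práctica's comisión,
// counting only rows for the same periodo that are not soft-deleted.
function holdsRole(actor: Actor, p: Practica, roles: Role[]): boolean {
  return actor.memberships.some(m =>
    m.comisionId === p.comisionId && m.periodo === p.periodo &&
    m.deletedAt === null && roles.indexOf(m.role) !== -1);
}

// Gate before the fix as the log describes it: JTP leg identity-only, ayudante excluded.
// Assumption: the adjunto leg was already comisión-wide.
function canGradeNarrow(actor: Actor, p: Practica): boolean {
  return actor.isTitular || p.jefeId === actor.id || holdsRole(actor, p, ["adjunto"]);
}

// Gate after the fix: titular-all | own-jefe backstop | any JTP/adjunto/ayudante of the comisión.
function canGradeWidened(actor: Actor, p: Practica): boolean {
  return actor.isTitular || p.jefeId === actor.id ||
    holdsRole(actor, p, ["jtp", "adjunto", "ayudante"]);
}

// Constructed sample data (not from the live system).
const practica: Practica = { comisionId: "c1", periodo: "2026-1", jefeId: "jtp-a" };
const member = (id: string, role: Role, comisionId: string, periodo: string,
                deletedAt: Date | null = null): Actor =>
  ({ id, isTitular: false, memberships: [{ comisionId, role, periodo, deletedAt }] });

const coJtp = member("jtp-b", "jtp", "c1", "2026-1");
const ayudante = member("ay-1", "ayudante", "c1", "2026-1");
const otherComision = member("ay-2", "ayudante", "c2", "2026-1");
const stalePeriodo = member("ay-3", "ayudante", "c1", "2025-2");
const removed = member("ay-4", "ayudante", "c1", "2026-1", new Date("2026-05-01"));

// Regression matrix: each row is [label, narrow decision, widened decision].
function matrix(): [string, boolean, boolean][] {
  const rows: [string, Actor][] = [["coJtp", coJtp], ["ayudante", ayudante],
    ["otherComision", otherComision], ["stalePeriodo", stalePeriodo], ["removed", removed]];
  return rows.map(([label, a]): [string, boolean, boolean] =>
    [label, canGradeNarrow(a, practica), canGradeWidened(a, practica)]);
}
console.log(matrix());
```

The last three rows are the negative cases: widening the role list must not admit an ayudante of another comisión, of another periodo, or one whose membership row is soft-deleted.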