From d03ba062bf9b74c9955279b2137985711622071f Mon Sep 17 00:00:00 2001 From: knacky Date: Thu, 21 May 2026 20:13:14 +0200 Subject: [PATCH] docs(spec): add D-008 (group RBAC vs F11) and D-009 (no ttp_version table) D-008 frames the group-based RBAC layout as an OIDC-prep mechanism that must seed exactly the three F11 spec roles and their canonical permission matrix. Custom groups remain out of v1 scope. D-009 reaffirms H32: replayability lives only on run.snapshot_json. The ttp_version table listed in B0.2 must be dropped from the initial migration. --- tasks/spec-decisions.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/tasks/spec-decisions.md b/tasks/spec-decisions.md index 2888fa9..d4f3c2a 100644 --- a/tasks/spec-decisions.md +++ b/tasks/spec-decisions.md 
@@ -56,3 +56,28 @@ Never re-displayable. **Decision.** Reverse proxy (Caddy + TLS + IP allowlist) handled by existing RT infrastructure. Mimic ships an HTTP listener on localhost only; the deployment playbook wires it behind the existing proxy. + +### D-008 — Group-based RBAC vs spec F11 fixed roles +**Context.** Spec F11 declares 3 fixed roles (`rt_operator`, `rt_lead`, +`soc_analyst`) with an explicit permission matrix. Sprint 0 plan (B0.6, D-003) +introduces `group` / `permission` / `group_permission` / `user_group` tables to +prepare OIDC v2 claim-to-group mapping without code change. +**Decision.** Group-based model accepted as an implementation *layout*, **not** a +scope extension: +- The 3 spec roles MUST exist as the 3 seeded groups at bootstrap + (`rt_operator`, `rt_lead`, `soc_analyst`). +- The F11 permission matrix is the canonical source: groups receive exactly the + permissions of their matching role; no custom permissions UI v1. +- Custom groups, group editing UI, or per-engagement group overrides = OUT of v1. +- Any drift between seeded group permissions and the F11 matrix is a spec + violation, not a configuration choice. + +### D-009 — `ttp_version` table forbidden (H32 reaffirmed) +**Context.** Sprint 0 plan (B0.2) lists `ttp_version` among the initial tables. +Spec hypothesis **H32** explicitly excludes this: *"Snapshot de rejouabilité = +`run.snapshot_json` uniquement (pas de table `ttp_version` séparée — +simplification MVP)"*. +**Decision.** Drop `ttp_version` from the initial migration. The `ttp.version` +column (informational, §8) is kept. Replayability lives **solely** on +`run.snapshot_json`. Re-introducing `ttp_version` requires explicit spec amendment +through the team-lead.
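Review bot: The last bullet of D-008 calls any drift between seeded group permissions and the F11 matrix a spec violation, but the decision names no check that would detect it. With the matrix now stored in the `group` / `permission` / `group_permission` tables instead of fixed roles, a changed row would go unnoticed unless something compares the tables to F11. Consider adding a sentence that requires a bootstrap or CI check which compares the seeded `group_permission` rows against the F11 matrix and fails on any difference. Since the layout exists to prepare OIDC v2 claim-to-group mapping, D-008 should also state what a user gets when they belong to none of `rt_operator`, `rt_lead`, `soc_analyst`; "no permissions" would be the least-privilege default. In D-009 the H32 quote is in French while the rest of the file is English, so an English gloss next to the quote would help readers who only have this file. "Through the team-lead" at the end of D-009 could be read as the `rt_lead` role from D-008; naming the approver explicitly would remove that ambiguity.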