# Gate 06 — Access control

**State at `v1.1.0`: ✅ PASS** as a policy; mechanical enforcement (required reviewers on protected branches) is deferred to the GitHub plan upgrade tracked as Gate 09 in Phase 2.

## Required items

| Item                                                                               | Required | State                                             |
| ---------------------------------------------------------------------------------- | -------- | ------------------------------------------------- |
| Azure SSO integration shipped (v3.0.0 + carried forward)                           | yes      | ✅ PASS                                            |
| CODEOWNERS file with explicit owner per surface                                    | yes      | ✅ PASS                                            |
| Repository visibility = PRIVATE                                                    | yes      | ✅ PASS                                            |
| Secrets stored only in GitHub Actions Secrets / org Vault                          | yes      | ✅ PASS                                            |
| Two-person review on any change to `.github/`, `Dockerfile`, secrets-related files | partial  | Reviewer discipline only; required reviewers cannot be enforced on a private repository under GitHub Free |

## CODEOWNERS coverage

| Path                          | Owner      |
| ----------------------------- | ---------- |
| `*` (default fallback)        | `@nkap360` |
| `.github/` (CI/automation)    | `@nkap360` |
| `Dockerfile`, `.dockerignore` | `@nkap360` |
| `src/`, `web/`                | `@nkap360` |
| `tests/`                      | `@nkap360` |
| `SECURITY.md`                 | `@nkap360` |
| `.pre-commit-config.yaml`     | `@nkap360` |

When a second engineer joins, the file is updated in the same PR that grants them write access. See [`DEV_PROCESS.md`](https://github.com/NKAP360-dev/edge-governance/blob/main/DEV_PROCESS.md) §5.

## Application-side RBAC

* JWT-based auth: tokens are signed with the shared secret `JWT_SECRET`, which lives only in GitHub Actions Secrets / the org Vault (see the table above).
* Workspace-scoped queries: every PocketBase access goes through `require_workspace_role()`, which checks the caller's role in the workspace being queried, so a token valid for one workspace cannot read another.
* Platform admin override is allowed, but every use is written to `admin_actions`.
* Quarterly access review: the owner re-reads `admin_actions` for the prior 90 days.
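
The pattern behind the three bullets above, as an added stdlib-only Python example (not the project's own code): HS256 JWT verification with the algorithm pinned, a `require_workspace_role()` decorator that checks the caller's role in the workspace actually being queried, a platform-admin override that always writes an `admin_actions` row, and a trailing-90-day filter for the quarterly review. The claim layout (`workspace_roles`, `platform_admin`), the role ladder, and the `list_invoices` query are assumptions made for the example.

```python
"""Workspace-scoped RBAC sketch: HS256 JWT check, role gate, admin-override audit log.

Illustrative example only. require_workspace_role, the claim layout and the
admin_actions shape are assumptions, not the project's code. Stdlib only.
"""
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timedelta, timezone
from functools import wraps
from typing import Dict, List, Optional

JWT_SECRET = b"constructed-demo-secret-not-for-production"  # real value comes from Vault / Actions Secrets
ROLE_RANK = {"viewer": 1, "editor": 2, "owner": 3}          # assumed role ladder, higher = more rights
admin_actions: List[Dict] = []                               # stands in for the admin_actions table


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Mint an HS256 JWT (test helper; in production the auth service is the only issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = JWT_SECRET, now: Optional[float] = None) -> dict:
    """Verify signature (constant-time) and expiry; alg is pinned so 'none' or RS256 headers are rejected."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))  # body is only trusted after the signature passes
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")      # a missing exp fails closed
    return claims


def require_workspace_role(min_role: str):
    """Gate a data-access function on the caller's role in the *requested* workspace."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(token: str, workspace_id: str, *args, **kwargs):
            claims = verify_token(token)
            roles = claims.get("workspace_roles", {})   # assumed claim: {workspace_id: role}
            role = roles.get(workspace_id)
            if role is not None and ROLE_RANK.get(role, 0) >= ROLE_RANK[min_role]:
                return fn(claims["sub"], workspace_id, *args, **kwargs)
            if claims.get("platform_admin"):
                # Override path: permitted, but always leaves a row for the quarterly review.
                admin_actions.append({
                    "at": datetime.now(timezone.utc).isoformat(),
                    "actor": claims["sub"], "workspace": workspace_id,
                    "action": fn.__name__, "required_role": min_role,
                })
                return fn(claims["sub"], workspace_id, *args, **kwargs)
            raise PermissionError(f"{claims['sub']} lacks {min_role} on {workspace_id}")
        return wrapper
    return decorator


@require_workspace_role("viewer")
def list_invoices(actor: str, workspace_id: str) -> dict:
    """Stand-in for a PocketBase query; the filter is pinned to the workspace the decorator checked."""
    return {"actor": actor, "filter": f'workspace = "{workspace_id}"'}


def review_admin_actions(days: int = 90, now: Optional[datetime] = None) -> List[Dict]:
    """Quarterly review helper: every override in the trailing window, oldest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    return sorted((a for a in admin_actions if datetime.fromisoformat(a["at"]) >= cutoff),
                  key=lambda a: a["at"])
```

Two design points worth keeping when this is done for real: the workspace filter is derived from the argument the decorator validated, never from a caller-supplied filter string, and verification fails closed on a missing `exp` or an unexpected `alg` rather than falling through to the override branch.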

## Why it matters

Banking auditors will ask "who can push code, who can deploy, who can read customer data". The answer must be a paper trail, not a verbal assurance.

## Compliance mapping

* ISO 27001 Annex A.5.15 (Access control).
* ISO 27001 Annex A.5.18 (Access rights — reviewing).
* ISO 27001:2022 Annex A.5.2 (Information security roles and responsibilities).
* DORA Art 9 (ICT-related risk — protection and prevention).
