QC Master Test Plan

Permission tests

Permission tests — documentation pending.

Complete

Permissions QC verifies that every protected route enforces its role guard correctly — for both positive (the right role gets in) and negative (the wrong role / no role doesn’t) paths. Permission bypass is one of the highest-severity defect categories: a leaked admin endpoint or an exposed founder draft can break trust irreparably.

Role matrix

  • anonymous: Unauthenticated visitor. Can read all public routes; cannot access /founder-account/* or admin surfaces.
  • founder: Authenticated user with founder role. Can access /founder-account/* (own profile, own startups, own submissions). Cannot access admin surfaces.
  • admin: Authenticated user with admin role. Can access all admin surfaces under /founder-account/admin/*. Inherits founder capabilities for their own account.

Permission checklist

  • Anonymous user → /founder-account/dashboard → redirected to /signin (not 200, not 403).
  • Founder role → /founder-account/admin/calendar → returns 404 (NOT 403 — 403 leaks the URL existence).
  • Founder A → /founder-account/profile/founder-B-id → 404 or redirect to own profile (cross-user leak prevention).
  • Admin → all surfaces → 200 with full functionality.
  • Admin routes must be absent from sitemap.xml; confirm with a grep on the rendered sitemap.
  • Admin routes have <meta name="robots" content="noindex,follow"> in the SSR-rendered head.
  • Session expiry: tokens older than the documented TTL force re-auth on protected routes; do not silently extend.
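
The status-code and sitemap items above can be expressed as an oracle that a crawler's recorded responses are checked against. This is an added example, not code from the test plan's project; the observation shape, the `example.test` origin, the user ids and the own-profile URL pattern are assumptions.

```javascript
// Observation shape { role, userId, path, status, location } is hypothetical.
const BASE = 'https://example.test'; // placeholder origin for resolving relative URLs
const PROTECTED = /^\/founder-account(\/|$)/;
const ADMIN = /^\/founder-account\/admin(\/|$)/;
const PROFILE = /^\/founder-account\/profile\/([^/]+)/;
// True for a 3xx whose Location resolves to `target`; query strings are ignored.
function redirectsTo(obs, target) {
  const is3xx = obs.status >= 300 && obs.status < 400;
  return is3xx && new URL(obs.location || '', BASE).pathname === target;
}

// Returns null when the response matches the checklist, otherwise a failure message.
function checkObservation(obs) {
  const { role, userId, path, status } = obs;
  if (!PROTECTED.test(path)) return null; // public routes are not covered here
  const fail = (want) => `${role} ${path}: expected ${want}, got ${status}`;
  if (role === 'anonymous') {
    return redirectsTo(obs, '/signin') ? null : fail('redirect to /signin');
  }
  if (role === 'founder') {
    if (ADMIN.test(path)) return status === 404 ? null : fail('404');
    const m = PROFILE.exec(path);
    if (m && m[1] !== userId) {
      // Assumption: a founder's own profile lives at /founder-account/profile/<own id>.
      const own = `/founder-account/profile/${userId}`;
      return status === 404 || redirectsTo(obs, own) ? null : fail('404 or own profile');
    }
    return null; // own-account routes: no status asserted by this sketch
  }
  if (role === 'admin') return status === 200 ? null : fail('200');
  return `${path}: unknown role ${role}`;
}

// Paths of sitemap <loc> entries that fall under the admin prefix (should be empty).
function adminUrlsInSitemap(xml) {
  return [...xml.matchAll(/<loc>\s*([^<\s]+)\s*<\/loc>/g)]
    .map((m) => new URL(m[1], BASE).pathname)
    .filter((p) => ADMIN.test(p));
}
// Constructed sample observations: the second and fourth violate the checklist.
const sample = [
  { role: 'anonymous', path: '/founder-account/dashboard', status: 302, location: '/signin?next=%2Ffounder-account%2Fdashboard' },
  { role: 'founder', userId: 'a1', path: '/founder-account/admin/calendar', status: 403 },
  { role: 'founder', userId: 'a1', path: '/founder-account/profile/b2', status: 404 },
  { role: 'founder', userId: 'a1', path: '/founder-account/profile/b2', status: 200 },
  { role: 'admin', userId: 'z9', path: '/founder-account/admin/calendar', status: 200 },
];
const failures = sample.map(checkObservation).filter(Boolean);
console.log(failures.join('\n') || 'all checks passed');
```

The robots meta tag and session-expiry items need the rendered HTML and a clock-controlled session, so they are not covered by this oracle.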