--- taskmaster_id: "4.4" status: "done" priority: "high" depends_on: ["2"] parent_id: "4" source: "taskmaster" generated_at: "2026-05-24T07:26:29.052Z" --- # 4.4 - Create authorization matrix for REST and Socket.IO - [x] 4.4 - Create authorization matrix for REST and Socket.IO #taskmaster #priority/high #status/done ⏫ 🆔 tm-4-4 ⛔ tm-2 ## Metadata | Field | Value | | --- | --- | | Taskmaster ID | 4.4 | | Status | done | | Priority | high | | Dependencies | 2 | | Parent | 4 - Define backend security and refactor strategy from latest audit | ## Description Map every endpoint and realtime event to access level, ownership checks, state preconditions, rate-limit tier, and audit-log requirement. ## Details Completed. Produced `09 - Audits/Authorization Matrix - REST and Socket.IO.md` and `09 - Audits/Realtime Authorization Spec.md`. Include public/authenticated/owner/buyer/seller/admin/support/service-role classifications. Socket.IO rooms must be server-derived from authenticated identity, not client-supplied user IDs. ## Verification No route or socket event remains unmapped; implementation tasks can reference matrix rows directly.