@intentsolutionsio/vercel-pack 1.0.0 → 1.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +1 -1
- package/README.md +67 -44
- package/package.json +4 -4
- package/skills/vercel-advanced-troubleshooting/SKILL.md +185 -195
- package/skills/vercel-advanced-troubleshooting/references/errors.md +11 -0
- package/skills/vercel-advanced-troubleshooting/references/evidence-collection-framework.md +34 -0
- package/skills/vercel-advanced-troubleshooting/references/examples.md +11 -0
- package/skills/vercel-advanced-troubleshooting/references/systematic-isolation.md +56 -0
- package/skills/vercel-advanced-troubleshooting/references/timing-analysis.md +35 -0
- package/skills/vercel-architecture-variants/SKILL.md +227 -216
- package/skills/vercel-architecture-variants/references/errors.md +11 -0
- package/skills/vercel-architecture-variants/references/examples.md +12 -0
- package/skills/vercel-architecture-variants/references/variant-a-monolith-(simple).md +44 -0
- package/skills/vercel-architecture-variants/references/variant-b-service-layer-(moderate).md +72 -0
- package/skills/vercel-architecture-variants/references/variant-c-microservice-(complex).md +81 -0
- package/skills/vercel-ci-integration/SKILL.md +183 -73
- package/skills/vercel-ci-integration/references/errors.md +10 -0
- package/skills/vercel-ci-integration/references/examples.md +36 -0
- package/skills/vercel-ci-integration/references/implementation.md +54 -0
- package/skills/vercel-common-errors/SKILL.md +164 -60
- package/skills/vercel-common-errors/references/errors.md +53 -0
- package/skills/vercel-common-errors/references/examples.md +23 -0
- package/skills/vercel-cost-tuning/SKILL.md +158 -145
- package/skills/vercel-cost-tuning/references/cost-estimation.md +34 -0
- package/skills/vercel-cost-tuning/references/cost-reduction-strategies.md +40 -0
- package/skills/vercel-cost-tuning/references/errors.md +11 -0
- package/skills/vercel-cost-tuning/references/examples.md +15 -0
- package/skills/vercel-data-handling/SKILL.md +202 -155
- package/skills/vercel-data-handling/references/errors.md +11 -0
- package/skills/vercel-data-handling/references/examples.md +27 -0
- package/skills/vercel-data-handling/references/implementation.md +223 -0
- package/skills/vercel-debug-bundle/SKILL.md +163 -67
- package/skills/vercel-debug-bundle/references/errors.md +12 -0
- package/skills/vercel-debug-bundle/references/examples.md +24 -0
- package/skills/vercel-debug-bundle/references/implementation.md +54 -0
- package/skills/vercel-deploy-integration/SKILL.md +163 -156
- package/skills/vercel-deploy-integration/references/errors.md +11 -0
- package/skills/vercel-deploy-integration/references/examples.md +21 -0
- package/skills/vercel-deploy-integration/references/google-cloud-run.md +36 -0
- package/skills/vercel-deploy-integration/references/vercel-deployment.md +35 -0
- package/skills/vercel-deploy-preview/SKILL.md +164 -39
- package/skills/vercel-edge-functions/SKILL.md +185 -37
- package/skills/vercel-enterprise-rbac/SKILL.md +185 -170
- package/skills/vercel-enterprise-rbac/references/errors.md +11 -0
- package/skills/vercel-enterprise-rbac/references/examples.md +12 -0
- package/skills/vercel-enterprise-rbac/references/role-implementation.md +33 -0
- package/skills/vercel-enterprise-rbac/references/sso-integration.md +35 -0
- package/skills/vercel-hello-world/SKILL.md +141 -55
- package/skills/vercel-incident-runbook/SKILL.md +186 -138
- package/skills/vercel-incident-runbook/references/errors.md +11 -0
- package/skills/vercel-incident-runbook/references/examples.md +10 -0
- package/skills/vercel-incident-runbook/references/immediate-actions-by-error-type.md +41 -0
- package/skills/vercel-install-auth/SKILL.md +130 -53
- package/skills/vercel-known-pitfalls/SKILL.md +235 -233
- package/skills/vercel-known-pitfalls/references/errors.md +11 -0
- package/skills/vercel-known-pitfalls/references/examples.md +12 -0
- package/skills/vercel-load-scale/SKILL.md +197 -204
- package/skills/vercel-load-scale/references/capacity-planning.md +47 -0
- package/skills/vercel-load-scale/references/errors.md +11 -0
- package/skills/vercel-load-scale/references/examples.md +26 -0
- package/skills/vercel-load-scale/references/load-testing-with-k6.md +59 -0
- package/skills/vercel-load-scale/references/scaling-patterns.md +65 -0
- package/skills/vercel-local-dev-loop/SKILL.md +159 -71
- package/skills/vercel-local-dev-loop/references/errors.md +11 -0
- package/skills/vercel-local-dev-loop/references/examples.md +21 -0
- package/skills/vercel-local-dev-loop/references/implementation.md +60 -0
- package/skills/vercel-migration-deep-dive/SKILL.md +202 -187
- package/skills/vercel-migration-deep-dive/references/errors.md +11 -0
- package/skills/vercel-migration-deep-dive/references/examples.md +12 -0
- package/skills/vercel-migration-deep-dive/references/implementation-plan.md +80 -0
- package/skills/vercel-migration-deep-dive/references/pre-migration-assessment.md +39 -0
- package/skills/vercel-multi-env-setup/SKILL.md +167 -164
- package/skills/vercel-multi-env-setup/references/configuration-structure.md +59 -0
- package/skills/vercel-multi-env-setup/references/errors.md +11 -0
- package/skills/vercel-multi-env-setup/references/examples.md +11 -0
- package/skills/vercel-observability/SKILL.md +205 -195
- package/skills/vercel-observability/references/alert-configuration.md +40 -0
- package/skills/vercel-observability/references/errors.md +11 -0
- package/skills/vercel-observability/references/examples.md +13 -0
- package/skills/vercel-observability/references/metrics-collection.md +65 -0
- package/skills/vercel-performance-tuning/SKILL.md +212 -156
- package/skills/vercel-performance-tuning/references/caching-strategy.md +49 -0
- package/skills/vercel-performance-tuning/references/errors.md +11 -0
- package/skills/vercel-performance-tuning/references/examples.md +13 -0
- package/skills/vercel-policy-guardrails/SKILL.md +276 -193
- package/skills/vercel-policy-guardrails/references/errors.md +11 -0
- package/skills/vercel-policy-guardrails/references/eslint-rules.md +46 -0
- package/skills/vercel-policy-guardrails/references/examples.md +10 -0
- package/skills/vercel-prod-checklist/SKILL.md +219 -94
- package/skills/vercel-prod-checklist/references/errors.md +11 -0
- package/skills/vercel-prod-checklist/references/examples.md +25 -0
- package/skills/vercel-prod-checklist/references/implementation.md +60 -0
- package/skills/vercel-rate-limits/SKILL.md +187 -100
- package/skills/vercel-rate-limits/references/errors.md +11 -0
- package/skills/vercel-rate-limits/references/examples.md +46 -0
- package/skills/vercel-rate-limits/references/implementation.md +66 -0
- package/skills/vercel-reference-architecture/SKILL.md +226 -180
- package/skills/vercel-reference-architecture/references/errors.md +11 -0
- package/skills/vercel-reference-architecture/references/examples.md +13 -0
- package/skills/vercel-reference-architecture/references/key-components.md +65 -0
- package/skills/vercel-reference-architecture/references/project-structure.md +40 -0
- package/skills/vercel-reliability-patterns/SKILL.md +272 -211
- package/skills/vercel-reliability-patterns/references/circuit-breaker.md +36 -0
- package/skills/vercel-reliability-patterns/references/dead-letter-queue.md +48 -0
- package/skills/vercel-reliability-patterns/references/errors.md +11 -0
- package/skills/vercel-reliability-patterns/references/examples.md +11 -0
- package/skills/vercel-reliability-patterns/references/idempotency-keys.md +36 -0
- package/skills/vercel-sdk-patterns/SKILL.md +264 -92
- package/skills/vercel-sdk-patterns/references/errors.md +11 -0
- package/skills/vercel-sdk-patterns/references/examples.md +45 -0
- package/skills/vercel-sdk-patterns/references/implementation.md +67 -0
- package/skills/vercel-security-basics/SKILL.md +186 -96
- package/skills/vercel-security-basics/references/errors.md +10 -0
- package/skills/vercel-security-basics/references/examples.md +70 -0
- package/skills/vercel-security-basics/references/implementation.md +39 -0
- package/skills/vercel-upgrade-migration/SKILL.md +167 -67
- package/skills/vercel-upgrade-migration/references/errors.md +10 -0
- package/skills/vercel-upgrade-migration/references/examples.md +51 -0
- package/skills/vercel-upgrade-migration/references/implementation.md +29 -0
- package/skills/vercel-webhooks-events/SKILL.md +208 -132
- package/skills/vercel-webhooks-events/references/errors.md +11 -0
- package/skills/vercel-webhooks-events/references/event-handler-pattern.md +37 -0
- package/skills/vercel-webhooks-events/references/examples.md +16 -0
- package/skills/vercel-webhooks-events/references/signature-verification.md +33 -0
|
@@ -1,222 +1,237 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: vercel-enterprise-rbac
|
|
3
|
-
description:
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
3
|
+
description: 'Configure Vercel enterprise RBAC, access groups, SSO integration, and
|
|
4
|
+
audit logging.
|
|
5
|
+
|
|
6
|
+
Use when implementing team access control, configuring SAML SSO,
|
|
7
|
+
|
|
8
|
+
or setting up role-based permissions for Vercel projects.
|
|
9
|
+
|
|
7
10
|
Trigger with phrases like "vercel SSO", "vercel RBAC",
|
|
8
|
-
|
|
9
|
-
|
|
11
|
+
|
|
12
|
+
"vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
|
|
13
|
+
|
|
14
|
+
'
|
|
15
|
+
allowed-tools: Read, Write, Edit, Bash(curl:*)
|
|
10
16
|
version: 1.0.0
|
|
11
17
|
license: MIT
|
|
12
18
|
author: Jeremy Longshore <jeremy@intentsolutions.io>
|
|
19
|
+
tags:
|
|
20
|
+
- saas
|
|
21
|
+
- vercel
|
|
22
|
+
- rbac
|
|
23
|
+
- enterprise
|
|
24
|
+
- sso
|
|
25
|
+
compatibility: Designed for Claude Code, also compatible with Codex and OpenClaw
|
|
13
26
|
---
|
|
14
|
-
|
|
15
27
|
# Vercel Enterprise RBAC
|
|
16
28
|
|
|
17
29
|
## Overview
|
|
18
|
-
|
|
30
|
+
|
|
31
|
+
Configure Vercel's role-based access control (RBAC) with team roles, project-level access groups, SSO/SAML integration, and audit logging. Covers the two access control planes: team-level (who can deploy) and application-level (who can access deployed content).
|
|
19
32
|
|
|
20
33
|
## Prerequisites
|
|
21
|
-
- Vercel Enterprise tier subscription
|
|
22
|
-
- Identity Provider (IdP) with SAML/OIDC support
|
|
23
|
-
- Understanding of role-based access patterns
|
|
24
|
-
- Audit logging infrastructure
|
|
25
34
|
|
|
26
|
-
|
|
35
|
+
- Vercel Pro or Enterprise plan
|
|
36
|
+
- Identity Provider (IdP) with SAML 2.0 support (for SSO)
|
|
37
|
+
- Understanding of your organization's access requirements
|
|
27
38
|
|
|
28
|
-
|
|
29
|
-
|------|-------------|----------|
|
|
30
|
-
| Admin | Full access | Platform administrators |
|
|
31
|
-
| Developer | Read/write, no delete | Active development |
|
|
32
|
-
| Viewer | Read-only | Stakeholders, auditors |
|
|
33
|
-
| Service | API access only | Automated systems |
|
|
39
|
+
## Instructions
|
|
34
40
|
|
|
35
|
-
|
|
41
|
+
### Step 1: Understand Vercel's Role Model
|
|
42
|
+
|
|
43
|
+
**Team-Level Roles:**
|
|
44
|
+
|
|
45
|
+
| Role | Deploy Prod | Manage Projects | Manage Billing | Manage Members |
|
|
46
|
+
|------|-------------|-----------------|----------------|----------------|
|
|
47
|
+
| Owner | Yes | Yes | Yes | Yes |
|
|
48
|
+
| Member | Yes | Yes | No | No |
|
|
49
|
+
| Developer | Preview only | Limited | No | No |
|
|
50
|
+
| Viewer | No | Read-only | No | No |
|
|
51
|
+
| Security (Enterprise) | No | Security settings | No | No |
|
|
52
|
+
|
|
53
|
+
**Extended Permissions (Enterprise):**
|
|
54
|
+
Layer on top of base roles for granular control:
|
|
55
|
+
|
|
56
|
+
- Deploy to production
|
|
57
|
+
- Manage environment variables
|
|
58
|
+
- Manage domains
|
|
59
|
+
- Access runtime logs
|
|
60
|
+
- Manage integrations
|
|
61
|
+
|
|
62
|
+
### Step 2: Configure Team Members via API
|
|
63
|
+
|
|
64
|
+
```bash
|
|
65
|
+
# Invite a team member
|
|
66
|
+
curl -X POST "https://api.vercel.com/v1/teams/team_xxx/members" \
|
|
67
|
+
-H "Authorization: Bearer $VERCEL_TOKEN" \
|
|
68
|
+
-H "Content-Type: application/json" \
|
|
69
|
+
-d '{
|
|
70
|
+
"email": "developer@company.com",
|
|
71
|
+
"role": "DEVELOPER"
|
|
72
|
+
}'
|
|
73
|
+
|
|
74
|
+
# List team members
|
|
75
|
+
curl -s -H "Authorization: Bearer $VERCEL_TOKEN" \
|
|
76
|
+
"https://api.vercel.com/v2/teams/team_xxx/members" \
|
|
77
|
+
| jq '.members[] | {name: .name, email: .email, role: .role}'
|
|
78
|
+
|
|
79
|
+
# Update a member's role
|
|
80
|
+
curl -X PATCH "https://api.vercel.com/v1/teams/team_xxx/members/user_xxx" \
|
|
81
|
+
-H "Authorization: Bearer $VERCEL_TOKEN" \
|
|
82
|
+
-H "Content-Type: application/json" \
|
|
83
|
+
-d '{"role": "MEMBER"}'
|
|
84
|
+
|
|
85
|
+
# Remove a team member
|
|
86
|
+
curl -X DELETE "https://api.vercel.com/v1/teams/team_xxx/members/user_xxx" \
|
|
87
|
+
-H "Authorization: Bearer $VERCEL_TOKEN"
|
|
88
|
+
```
|
|
36
89
|
|
|
37
|
-
|
|
38
|
-
enum VercelRole {
|
|
39
|
-
Admin = 'admin',
|
|
40
|
-
Developer = 'developer',
|
|
41
|
-
Viewer = 'viewer',
|
|
42
|
-
Service = 'service',
|
|
43
|
-
}
|
|
90
|
+
### Step 3: Access Groups (Project-Level Permissions)
|
|
44
91
|
|
|
45
|
-
|
|
46
|
-
read: boolean;
|
|
47
|
-
write: boolean;
|
|
48
|
-
delete: boolean;
|
|
49
|
-
admin: boolean;
|
|
50
|
-
}
|
|
92
|
+
Access Groups assign teams of people to specific projects with specific roles:
|
|
51
93
|
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
service: { read: true, write: true, delete: false, admin: false },
|
|
57
|
-
};
|
|
94
|
+
1. Go to **Team Settings > Access Groups**
|
|
95
|
+
2. Create a group (e.g., "Frontend Team", "Backend Team")
|
|
96
|
+
3. Add members to the group
|
|
97
|
+
4. Assign the group to specific projects with a role
|
|
58
98
|
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
99
|
+
```
|
|
100
|
+
Example Access Group Setup:
|
|
101
|
+
├── Frontend Team → [project-web, project-docs] → Member role
|
|
102
|
+
├── Backend Team → [project-api, project-worker] → Member role
|
|
103
|
+
├── DevOps Team → [all projects] → Member role
|
|
104
|
+
└── QA Team → [all projects] → Viewer role
|
|
65
105
|
```
|
|
66
106
|
|
|
67
|
-
|
|
107
|
+
### Step 4: SSO / SAML Configuration
|
|
68
108
|
|
|
69
|
-
|
|
109
|
+
In the Vercel dashboard: **Team Settings > Authentication > SAML Single Sign-On**
|
|
70
110
|
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
};
|
|
111
|
+
1. Enable SAML SSO
|
|
112
|
+
2. Configure your IdP (Okta, Azure AD, Google Workspace):
|
|
113
|
+
- ACS URL: `https://vercel.com/api/auth/saml/acs`
|
|
114
|
+
- Entity ID: `https://vercel.com`
|
|
115
|
+
- Name ID format: `emailAddress`
|
|
116
|
+
3. Enter IdP metadata URL or upload certificate
|
|
117
|
+
4. Map SAML attributes to Vercel fields
|
|
79
118
|
|
|
80
|
-
// Map IdP groups to Vercel roles
|
|
81
|
-
const groupRoleMapping: Record<string, VercelRole> = {
|
|
82
|
-
'Engineering': VercelRole.Developer,
|
|
83
|
-
'Platform-Admins': VercelRole.Admin,
|
|
84
|
-
'Data-Team': VercelRole.Viewer,
|
|
85
|
-
};
|
|
86
119
|
```
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
const oauthClient = new OAuth2Client({
|
|
94
|
-
clientId: process.env.VERCEL_OAUTH_CLIENT_ID!,
|
|
95
|
-
clientSecret: process.env.VERCEL_OAUTH_CLIENT_SECRET!,
|
|
96
|
-
redirectUri: 'https://app.yourcompany.com/auth/vercel/callback',
|
|
97
|
-
scopes: read, write, deploy,
|
|
98
|
-
});
|
|
120
|
+
SAML Attribute Mapping:
|
|
121
|
+
├── email → user email (required)
|
|
122
|
+
├── firstName → display name
|
|
123
|
+
├── lastName → display name
|
|
124
|
+
└── groups → Vercel team roles (optional)
|
|
99
125
|
```
|
|
100
126
|
|
|
101
|
-
|
|
127
|
+
**Enforce SSO for all team members:**
|
|
128
|
+
Once enabled, toggle "Require SAML for login" — all members must authenticate through SSO.
|
|
102
129
|
|
|
103
|
-
|
|
104
|
-
interface VercelOrganization {
|
|
105
|
-
id: string;
|
|
106
|
-
name: string;
|
|
107
|
-
ssoEnabled: boolean;
|
|
108
|
-
enforceSso: boolean;
|
|
109
|
-
allowedDomains: string[];
|
|
110
|
-
defaultRole: VercelRole;
|
|
111
|
-
}
|
|
112
|
-
|
|
113
|
-
async function createOrganization(
|
|
114
|
-
config: VercelOrganization
|
|
115
|
-
): Promise<void> {
|
|
116
|
-
await vercelClient.organizations.create({
|
|
117
|
-
...config,
|
|
118
|
-
settings: {
|
|
119
|
-
sso: {
|
|
120
|
-
enabled: config.ssoEnabled,
|
|
121
|
-
enforced: config.enforceSso,
|
|
122
|
-
domains: config.allowedDomains,
|
|
123
|
-
},
|
|
124
|
-
},
|
|
125
|
-
});
|
|
126
|
-
}
|
|
127
|
-
```
|
|
128
|
-
|
|
129
|
-
## Access Control Middleware
|
|
130
|
+
### Step 5: Application-Level Auth with Middleware
|
|
130
131
|
|
|
131
132
|
```typescript
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
message: `Missing permission: ${requiredPermission}`,
|
|
142
|
-
});
|
|
143
|
-
}
|
|
144
|
-
|
|
145
|
-
next();
|
|
146
|
-
};
|
|
147
|
-
}
|
|
133
|
+
// middleware.ts — enforce auth on deployed application routes
|
|
134
|
+
import { NextRequest, NextResponse } from 'next/server';
|
|
135
|
+
import { verifyJWT } from '@/lib/auth';
|
|
136
|
+
|
|
137
|
+
const ROLE_ROUTES: Record<string, string[]> = {
|
|
138
|
+
'/admin': ['admin'],
|
|
139
|
+
'/dashboard': ['admin', 'member'],
|
|
140
|
+
'/api/admin': ['admin'],
|
|
141
|
+
};
|
|
148
142
|
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
requireVercelPermission('delete'),
|
|
152
|
-
deleteResourceHandler
|
|
153
|
-
);
|
|
154
|
-
```
|
|
143
|
+
export async function middleware(request: NextRequest) {
|
|
144
|
+
const { pathname } = request.nextUrl;
|
|
155
145
|
|
|
156
|
-
|
|
146
|
+
// Check if route requires auth
|
|
147
|
+
const requiredRoles = Object.entries(ROLE_ROUTES)
|
|
148
|
+
.find(([prefix]) => pathname.startsWith(prefix));
|
|
157
149
|
|
|
158
|
-
|
|
159
|
-
interface VercelAuditEntry {
|
|
160
|
-
timestamp: Date;
|
|
161
|
-
userId: string;
|
|
162
|
-
role: VercelRole;
|
|
163
|
-
action: string;
|
|
164
|
-
resource: string;
|
|
165
|
-
success: boolean;
|
|
166
|
-
ipAddress: string;
|
|
167
|
-
}
|
|
150
|
+
if (!requiredRoles) return NextResponse.next();
|
|
168
151
|
|
|
169
|
-
|
|
170
|
-
|
|
152
|
+
const token = request.cookies.get('session')?.value;
|
|
153
|
+
if (!token) {
|
|
154
|
+
return pathname.startsWith('/api')
|
|
155
|
+
? NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
|
156
|
+
: NextResponse.redirect(new URL('/login', request.url));
|
|
157
|
+
}
|
|
171
158
|
|
|
172
|
-
|
|
173
|
-
if (
|
|
174
|
-
|
|
159
|
+
const payload = await verifyJWT(token);
|
|
160
|
+
if (!payload || !requiredRoles[1].includes(payload.role)) {
|
|
161
|
+
return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
|
|
175
162
|
}
|
|
163
|
+
|
|
164
|
+
// Pass user info to API routes via headers
|
|
165
|
+
const response = NextResponse.next();
|
|
166
|
+
response.headers.set('x-user-id', payload.sub);
|
|
167
|
+
response.headers.set('x-user-role', payload.role);
|
|
168
|
+
return response;
|
|
176
169
|
}
|
|
170
|
+
|
|
171
|
+
export const config = {
|
|
172
|
+
matcher: ['/admin/:path*', '/dashboard/:path*', '/api/admin/:path*'],
|
|
173
|
+
};
|
|
177
174
|
```
|
|
178
175
|
|
|
179
|
-
|
|
176
|
+
### Step 6: Audit Logging
|
|
180
177
|
|
|
181
|
-
|
|
182
|
-
Map organizational roles to Vercel permissions.
|
|
178
|
+
Vercel Enterprise includes audit logs in **Team Settings > Audit Log**.
|
|
183
179
|
|
|
184
|
-
|
|
185
|
-
Set up SAML or OIDC integration with your IdP.
|
|
180
|
+
Events tracked:
|
|
186
181
|
|
|
187
|
-
|
|
188
|
-
|
|
182
|
+
- Team member added/removed/role changed
|
|
183
|
+
- Project created/deleted
|
|
184
|
+
- Deployment to production
|
|
185
|
+
- Environment variable created/updated/deleted
|
|
186
|
+
- Domain added/removed
|
|
187
|
+
- Integration installed/uninstalled
|
|
188
|
+
- SSO configuration changes
|
|
189
189
|
|
|
190
|
-
|
|
191
|
-
|
|
190
|
+
```bash
|
|
191
|
+
# Export audit logs via API (Enterprise)
|
|
192
|
+
curl -s -H "Authorization: Bearer $VERCEL_TOKEN" \
|
|
193
|
+
"https://api.vercel.com/v1/teams/team_xxx/audit-log?limit=100" \
|
|
194
|
+
| jq '.events[] | {action: .action, user: .user.email, createdAt: .createdAt, resource: .resource}'
|
|
195
|
+
```
|
|
196
|
+
|
|
197
|
+
## RBAC Checklist
|
|
198
|
+
|
|
199
|
+
| Check | Status |
|
|
200
|
+
|-------|--------|
|
|
201
|
+
| Team roles assigned per least privilege | Required |
|
|
202
|
+
| Production deploy restricted to Member+ | Required |
|
|
203
|
+
| Access Groups configured per project | Recommended |
|
|
204
|
+
| SSO/SAML enforced for all members | Enterprise |
|
|
205
|
+
| Audit logging exported to SIEM | Enterprise |
|
|
206
|
+
| Application-level auth in middleware | Required |
|
|
207
|
+
| Off-boarding removes Vercel access via IdP | Required |
|
|
192
208
|
|
|
193
209
|
## Output
|
|
194
|
-
- Role definitions implemented
|
|
195
|
-
- SSO integration configured
|
|
196
|
-
- Permission middleware active
|
|
197
|
-
- Audit trail enabled
|
|
198
210
|
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
| Token expired | Short TTL | Refresh token logic |
|
|
205
|
-
| Audit gaps | Async logging failed | Check log pipeline |
|
|
211
|
+
- Team roles configured with least-privilege access
|
|
212
|
+
- Access Groups scoping members to specific projects
|
|
213
|
+
- SSO/SAML enforced for all team authentication
|
|
214
|
+
- Application-level RBAC in Edge Middleware
|
|
215
|
+
- Audit logs exported for compliance
|
|
206
216
|
|
|
207
|
-
##
|
|
217
|
+
## Error Handling
|
|
208
218
|
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
219
|
+
| Error | Cause | Solution |
|
|
220
|
+
|-------|-------|----------|
|
|
221
|
+
| Member can't deploy to prod | Developer role (preview only) | Change to Member or Owner role |
|
|
222
|
+
| SSO login fails | IdP metadata URL expired | Update SAML configuration |
|
|
223
|
+
| Access Group not applied | Member not in group | Add member to the Access Group |
|
|
224
|
+
| Audit log missing events | Free/Pro plan limitation | Upgrade to Enterprise for audit logs |
|
|
225
|
+
| Off-boarded user still has access | SSO not enforced | Enable "Require SAML for login" |
|
|
215
226
|
|
|
216
227
|
## Resources
|
|
217
|
-
|
|
218
|
-
- [
|
|
219
|
-
- [
|
|
228
|
+
|
|
229
|
+
- [Vercel RBAC](https://vercel.com/docs/rbac)
|
|
230
|
+
- [Access Roles](https://vercel.com/docs/rbac/access-roles)
|
|
231
|
+
- [Access Groups](https://vercel.com/docs/rbac/access-groups)
|
|
232
|
+
- [Extended Permissions](https://vercel.com/docs/rbac/access-roles/extended-permissions)
|
|
233
|
+
- [Managing Team Members](https://vercel.com/docs/rbac/managing-team-members)
|
|
220
234
|
|
|
221
235
|
## Next Steps
|
|
222
|
-
|
|
236
|
+
|
|
237
|
+
For migration strategies, see `vercel-migration-deep-dive`.
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
# Error Handling Reference
|
|
2
|
+
|
|
3
|
+
| Issue | Cause | Solution |
|
|
4
|
+
|-------|-------|----------|
|
|
5
|
+
| SSO login fails | Wrong callback URL | Verify IdP config |
|
|
6
|
+
| Permission denied | Missing role mapping | Update group mappings |
|
|
7
|
+
| Token expired | Short TTL | Refresh token logic |
|
|
8
|
+
| Audit gaps | Async logging failed | Check log pipeline |
|
|
9
|
+
|
|
10
|
+
---
|
|
11
|
+
*[Tons of Skills](https://tonsofskills.com) by [Intent Solutions](https://intentsolutions.io) | [jeremylongshore.com](https://jeremylongshore.com)*
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
## Examples
|
|
2
|
+
|
|
3
|
+
### Quick Permission Check
|
|
4
|
+
|
|
5
|
+
```typescript
|
|
6
|
+
if (!checkPermission(user.role, 'write')) {
|
|
7
|
+
throw new ForbiddenError('Write permission required');
|
|
8
|
+
}
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
---
|
|
12
|
+
*[Tons of Skills](https://tonsofskills.com) by [Intent Solutions](https://intentsolutions.io) | [jeremylongshore.com](https://jeremylongshore.com)*
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
# Role Implementation
|
|
2
|
+
|
|
3
|
+
## Role Implementation
|
|
4
|
+
|
|
5
|
+
```typescript
|
|
6
|
+
enum VercelRole {
|
|
7
|
+
Admin = 'admin',
|
|
8
|
+
Developer = 'developer',
|
|
9
|
+
Viewer = 'viewer',
|
|
10
|
+
Service = 'service',
|
|
11
|
+
}
|
|
12
|
+
|
|
13
|
+
interface VercelPermissions {
|
|
14
|
+
read: boolean;
|
|
15
|
+
write: boolean;
|
|
16
|
+
delete: boolean;
|
|
17
|
+
admin: boolean;
|
|
18
|
+
}
|
|
19
|
+
|
|
20
|
+
const ROLE_PERMISSIONS: Record<VercelRole, VercelPermissions> = {
|
|
21
|
+
admin: { read: true, write: true, delete: true, admin: true },
|
|
22
|
+
developer: { read: true, write: true, delete: false, admin: false },
|
|
23
|
+
viewer: { read: true, write: false, delete: false, admin: false },
|
|
24
|
+
service: { read: true, write: true, delete: false, admin: false },
|
|
25
|
+
};
|
|
26
|
+
|
|
27
|
+
function checkPermission(
|
|
28
|
+
role: VercelRole,
|
|
29
|
+
action: keyof VercelPermissions
|
|
30
|
+
): boolean {
|
|
31
|
+
return ROLE_PERMISSIONS[role][action];
|
|
32
|
+
}
|
|
33
|
+
```
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
# Sso Integration
|
|
2
|
+
|
|
3
|
+
## SSO Integration
|
|
4
|
+
|
|
5
|
+
### SAML Configuration
|
|
6
|
+
|
|
7
|
+
```typescript
|
|
8
|
+
// Vercel SAML setup
|
|
9
|
+
const samlConfig = {
|
|
10
|
+
entryPoint: 'https://idp.company.com/saml/sso',
|
|
11
|
+
issuer: 'https://vercel.com/saml/metadata',
|
|
12
|
+
cert: process.env.SAML_CERT,
|
|
13
|
+
callbackUrl: 'https://app.yourcompany.com/auth/vercel/callback',
|
|
14
|
+
};
|
|
15
|
+
|
|
16
|
+
// Map IdP groups to Vercel roles
|
|
17
|
+
const groupRoleMapping: Record<string, VercelRole> = {
|
|
18
|
+
'Engineering': VercelRole.Developer,
|
|
19
|
+
'Platform-Admins': VercelRole.Admin,
|
|
20
|
+
'Data-Team': VercelRole.Viewer,
|
|
21
|
+
};
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
### OAuth2/OIDC Integration
|
|
25
|
+
|
|
26
|
+
```typescript
|
|
27
|
+
import { OAuth2Client } from 'vercel';
|
|
28
|
+
|
|
29
|
+
const oauthClient = new OAuth2Client({
|
|
30
|
+
clientId: process.env.VERCEL_OAUTH_CLIENT_ID!,
|
|
31
|
+
clientSecret: process.env.VERCEL_OAUTH_CLIENT_SECRET!,
|
|
32
|
+
redirectUri: 'https://app.yourcompany.com/auth/vercel/callback',
|
|
33
|
+
scopes: read, write, deploy,
|
|
34
|
+
});
|
|
35
|
+
```
|