Public homeHelpmekaar / access and boundaries
This route explains why access can be allowed, masked, guarded, or denied, and which proof Helpmekaar keeps when support or rails work needs stronger controls.
Next safe step
Start with the deny-by-default decision matrix, then inspect the masked support-safe case slice and the audited break-glass timeline.
This route should behave like a truth-and-boundary explainer, not like a member help desk or a hidden admin screen.
Access map
Each session is anchored to a stable actor ref, member context, and stokvel context where relevant.
The same human can appear in both worlds, but only through distinct community and rails sessions.
Policy decisions evaluate scope, role, relationship, and state before allowing any action.
Support-safe projections stay masked by default and raw evidence stays behind audited elevation.
Denied entry, masked reads, break-glass requests, approvals, and expiry events all produce traceable records.
Help-first reading
Helpmekaar should show whether access is allowed, masked, guarded, or denied before any deeper detail appears.
The route should keep support, rails, and break-glass ownership visible so a denied outcome does not feel like a black box.
Users should see the safe next route or proof lane instead of generic admin language or a dead-end utility page.
Identity anchors
Own-member context only.
Cannot silently become sponsor or rails support work.
Same human later appears in rails support, but not in this session.
Community sponsor scope cannot open rails tools or support-safe lookups.
Same human as sponsor session, but with a separate rails scope.
Support stays masked and read-only unless audited break-glass is approved.
Can investigate financial mismatch posture, not member-facing approvals.
Restricted evidence still requires break-glass and admin approval.
Approves privileged evidence access and platform-safety controls.
Still does not become a member or governance decision-maker.
Authorization decisions
| Session | Action | Target | Outcome | Reason |
|---|---|---|---|---|
| Member primary session | View member dashboard | Van der Merwe household | allowed | Own-member read is allowed in community scope. |
| Member primary session | View support-safe case slice | Support case SUP-18 | denied | Support-safe case views are never available in community scope. |
| Sponsor review session | Review sponsor-stage claim | Claim CLM-440 | allowed | Sponsor-stage review is allowed only for the linked sponsor member. |
| Sponsor review session | View support-safe case slice | Support case SUP-18 | denied | Support-safe case views are never available in community scope. |
| Rails support session | View support-safe case slice | Support case SUP-18 | masked | Rails operational roles get the masked projection only. |
| Rails support session | Review sponsor-stage claim | Claim CLM-440 | denied | Sponsor review depends on community scope, sponsor relationship, and current claim state. |
| Rails finance session | View restricted raw evidence | Raw provider callback payload | guarded | Restricted evidence needs an approved break-glass grant. |
| Rails admin session | Declare platform degraded state | Incident INC-05 | allowed | Only rails ops or admin may declare degraded platform state. |
Masked support-safe case slice
Break-glass posture
Audit timeline
Support-safe case views are never available in community scope.
Rails operational roles get the masked projection only.
Need raw callback evidence for a member escalation that the masked support slice cannot explain.
Approved BGR-001 until 2026-03-26T09:35:00Z.
BGG-001 expired automatically after its short-lived access window.