
docs(security): design proposal for eliminating dangerously_allow #146

Open

dkaygithub wants to merge 1 commit into main from docs/security-eliminate-dangerously-allow-design


Conversation

@dkaygithub

Collaborator

Summary

Design-only PR. Proposes an architectural strategy for driving dangerously_allow_all_data_access to zero across the 23 routes that currently bypass the field-level stripper.

The doc lives at docs/DANGEROUSLY-ALLOW-ELIMINATION.md and contains:

  • Categorization of all 23 current bypasses by why they bypass (5 root causes)
  • A proposed discriminated TransformSpec on RouteSpec replacing the boolean bypass with 9 narrow transformer primitives (ack, aggregate, processMeta, selfScalars, computedField, actionDispatch, kioskScope, withFreshContext, derivedFromInput/devOnly)
  • Per-bypass mapping table → which transformer would replace each
  • A 6-phase migration plan, ending with hard-removal of the dangerously_allow_all_data_access field and a CI lint rule that forbids the name
  • Open questions (aggregate-shape registry style, action discriminant key, Prisma tracer cost)

The transformer kinds live in src/security/transformers/ — already under CODEOWNERS, so adding a transformer requires maintainer review but using one from a route handler is a normal PR.

What this PR is and isn't

  • ✅ This PR adds only the design doc. No code changes.
  • ❌ It does NOT implement any transformer.
  • ❌ It does NOT migrate any of the 23 bypassed routes.

Implementation would follow as separate PRs per phase if the design is accepted.

Test plan

  • Reviewer reads the doc end-to-end and pushes back on any transformer kind whose scope feels wrong or missing
  • Reviewer confirms the bypass categorization against src/security/registry.ts matches their mental model
  • Reviewer answers (or escalates) the three open questions at the bottom
  • If approved: a follow-up PR opens for Phase 1 (foundational TransformSpec plumbing)

🤖 Generated with Claude Code

Categorizes the 23 current bypasses by why they bypass: aggregate
stats, write-only acks, action-dispatched multi-shapes, kiosk-scope
gaps, self-data shortcuts, stale-self-context, and dev-only fixtures.

Proposes a discriminated TransformSpec on RouteSpec replacing the
single boolean bypass with ~9 narrow primitives, all hosted in
src/security/transformers/ under the existing CODEOWNERS gate.

Includes a 6-phase migration plan ending with removal of the
dangerously_allow_all_data_access field entirely.

Not implemented yet — this is the architectural plan to iterate on
before writing the framework changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
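As an added illustration of the design described above (not the PR's doc and not the project's own code), the following TypeScript sketch shows what a discriminated TransformSpec on RouteSpec could look like with three of the nine kinds the PR names, plus a stand-in for the proposed CI lint. Every type and function name, the PUBLIC_FIELDS allow-list, the route table and the sample rows are assumptions made here; the point it demonstrates is that the field-level stripper becomes the default branch and every other kind is a narrow, exhaustively checked primitive rather than a boolean escape hatch.

```typescript
// Hypothetical sketch (not the project's code): a discriminated TransformSpec
// replacing a boolean "bypass the stripper" flag on a route spec.

type Viewer = { userId: string };

// Field-level allow-list per model, as the stripper would consult it (assumed here).
const PUBLIC_FIELDS: Record<string, readonly string[]> = {
  user: ["id", "displayName"],
};

// Three of the nine kinds named in the design; the remaining kinds follow the same shape.
type TransformSpec =
  | { kind: "strip"; model: string }                                   // default: field-level stripper
  | { kind: "ack" }                                                    // write-only route: nothing leaves
  | { kind: "aggregate"; shape: readonly string[] }                    // only the named summary fields
  | { kind: "selfScalars"; model: string; fields: readonly string[] }; // owner sees own extra scalars

interface RouteSpec {
  path: string;
  transform: TransformSpec; // required, so no route can silently opt out of a transform
}

type Row = Record<string, unknown>;

function pick(row: Row, fields: readonly string[]): Row {
  const out: Row = {};
  for (const f of fields) if (f in row) out[f] = row[f];
  return out;
}

function applyTransform(spec: TransformSpec, row: Row, viewer: Viewer): Row {
  const publicFields = (model: string) => PUBLIC_FIELDS[model] ?? [];
  switch (spec.kind) {
    case "strip":
      return pick(row, publicFields(spec.model));
    case "ack":
      return { ok: true };
    case "aggregate":
      return pick(row, spec.shape);
    case "selfScalars":
      // Only the record owner gets the extra scalars; anyone else gets the public set.
      return row.id === viewer.userId
        ? pick(row, [...publicFields(spec.model), ...spec.fields])
        : pick(row, publicFields(spec.model));
    default: {
      const unhandled: never = spec; // compile error if a kind is added without a branch
      throw new Error(`unhandled transform ${String(unhandled)}`);
    }
  }
}

// Stand-in for the CI lint rule from the migration plan: refuse source text that still names the flag.
const FORBIDDEN_FLAG = "dangerously_allow_all_data_access";
function violatesBypassLint(source: string): boolean {
  return source.includes(FORBIDDEN_FLAG);
}

// Constructed sample row; "email" and "passwordHash" must never reach a stranger.
const SAMPLE_USER: Row = { id: "u1", displayName: "Ada", email: "ada@example.test", passwordHash: "x" };

// Constructed route table exercising each kind.
const routes: RouteSpec[] = [
  { path: "/users/:id", transform: { kind: "strip", model: "user" } },
  { path: "/users/:id/logout", transform: { kind: "ack" } },
  { path: "/users/count", transform: { kind: "aggregate", shape: ["count"] } },
  { path: "/me", transform: { kind: "selfScalars", model: "user", fields: ["email"] } },
];

function serve(path: string, row: Row, viewer: Viewer): Row {
  const route = routes.find((r) => r.path === path);
  if (!route) throw new Error(`unknown route ${path}`);
  return applyTransform(route.transform, row, viewer);
}
```

Because `transform` is a required union member rather than an optional boolean, a route that needs something other than the stripper has to name which narrow primitive it wants, and adding a tenth kind without a `switch` branch fails to compile at the `never` assignment.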
