-
This issue is partly resolved so far:
What is resolved by 1.9.2:
- External users cannot see source code (blocked from file browser)
- Internal comments hidden from external users (watermark cards) — this covers "hide time estimations and work records"
- External users can access issues

Not yet resolved:
- Closed source projects but open issue access — right now it's all-or-nothing per user type. Project-level visibility (PUBLIC/PRIVATE) isn't implemented yet. That's part of the GitHub authZ work (1.10+)
- Expose single file like README.md — not implemented. Artur's own suggestion of a "description page" instead is worth considering as a simpler alternative
- Cost estimations exposed selectively — not implemented, no cost/estimation fields exist yet
- Packages access — not implemented

1.9.2 delivers the internal/external comment visibility portion, and the remaining items (project visibility, selective file exposure, packages) are tracked in the GitHub authZ work and future issues. SZ-74 is broader than SZ-76 and SZ-77 — it's more of an epic than a single issue.
-
Status update (2026-03-18)
Layer 4 of SZ-73 (permission-based access gating) introduced role-based endpoint protection via `@RequireRole` and `@RequireInternal` AOP annotations. This establishes the enforcement pattern and the `AccessTier` model (LIGHT_READ / FULL_READ) that SZ-74 will build on.

However, SZ-74 remains open. The current role model is coarse — it gates endpoints globally by role tier, but does not support project-level visibility rules such as:
- A CUSTOMER role seeing issues but not source code on the same project
- Time estimates hidden from customers but visible to internal users
- Selective file exposure (e.g. README.md only)
Implementing SZ-74 will require data model changes (project-level visibility policies), new permission evaluation logic, and UI enforcement. The AOP enforcement infrastructure from SZ-73 Layer 4 is the right foundation, but the policy rules themselves still need to be designed and implemented.
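
A minimal sketch of the project-level, deny-by-default evaluation that the status update above lists as still to be designed. This is an added example, not the project's code: `Role`, `Resource`, `ProjectPolicy`, the sample policy and the file paths are hypothetical, and paths are assumed to be normalized before the check.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch: these types are illustrative and do not exist in the project.
public class ProjectVisibilityDemo {
    enum Role { INTERNAL, CUSTOMER }
    enum Resource { ISSUES, SOURCE, PACKAGES, TIME_ESTIMATES }

    /** Per-project policy: resources each role may read, plus an allowlist of exposed files. */
    record ProjectPolicy(Map<Role, Set<Resource>> readable, Set<String> exposedFiles) {

        boolean canRead(Role role, Resource resource) {
            // Deny by default: a role that is missing from the policy can read nothing.
            return readable.getOrDefault(role, Set.of()).contains(resource);
        }

        boolean canReadFile(Role role, String path) {
            if (canRead(role, Resource.SOURCE)) {
                return true;
            }
            // Exact match against the allowlist only; no prefix or glob matching,
            // so a path that merely contains "README.md" is still denied.
            return exposedFiles.contains(path);
        }
    }

    public static void main(String[] args) {
        // Constructed sample policy for one closed-source project.
        ProjectPolicy closedSource = new ProjectPolicy(
            Map.of(Role.INTERNAL, EnumSet.allOf(Resource.class),
                   Role.CUSTOMER, EnumSet.of(Resource.ISSUES, Resource.PACKAGES)),
            Set.of("README.md"));

        for (Role role : Role.values()) {
            for (Resource r : Resource.values()) {
                String verdict = closedSource.canRead(role, r) ? "allow" : "deny";
                System.out.printf("%-8s %-14s %s%n", role, r, verdict);
            }
        }
        // Constructed sample paths: one allowlisted file and two that must stay hidden.
        for (String path : new String[] {"README.md", "src/Main.java", "docs/README.md"}) {
            String verdict = closedSource.canReadFile(Role.CUSTOMER, path) ? "allow" : "deny";
            System.out.printf("CUSTOMER file %-16s %s%n", path, verdict);
        }
    }
}
```

The same check has to run wherever a resource is served (API, file browser, search, exports), not only where the UI hides a field.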
| Type | New Feature |
| Priority | Normal |
| Assignee | |
| Version | none |
| Sprints | n/a |
| Customer | n/a |
We want to have closed source projects but open access to issues and packages, so our customers can access support and packaged software but cannot see source code. Similarly, we would like to hide from customers our time estimations for the tickets and work time records, but maybe expose to them our cost estimation for each task/issue.
It would also be very useful to expose a single file's content from the repository, like README.md, so we can provide some basic documentation or information. But this could be achieved in many other ways. Maybe we could just add to project features something like a "description page" instead.