feat: add access module boundary migrations
This commit is contained in:
35
README.md
35
README.md
@@ -6,8 +6,10 @@ administration.
|
||||
|
||||
The repository contains the extracted access seed implementation under
|
||||
`src/govoplan_access/backend`. Session, API-key, and password helper services,
|
||||
interactive auth routes, FastAPI auth dependencies, and the legacy
|
||||
administration router are owned here. Access-side admin service helpers remain
|
||||
interactive auth routes, and administration routers are owned here. The public
|
||||
FastAPI request dependency API is exported from `govoplan_access.auth`; modules
|
||||
must not import the backend dependency module directly. Access-side admin
|
||||
service helpers remain
|
||||
here for users, groups, roles, system accounts, sessions, API keys, tenant
|
||||
access enforcement, admin/audit lookup capabilities, tenant owner
|
||||
provisioning, and governance-template materialization into access-owned groups
|
||||
@@ -16,13 +18,16 @@ transitional administration WebUI route shell and
|
||||
access-owned panels live under `webui/src` as `@govoplan/access-webui`. Generic
|
||||
system administration panels are contributed by `@govoplan/admin-webui` through
|
||||
core's `admin.sections` UI capability. Live access ORM models are defined here
|
||||
while retaining their historical table names; tenant records live in
|
||||
`govoplan-tenancy`, governance templates in `govoplan-admin`, audit logs in
|
||||
`govoplan-audit`, and system settings in `govoplan-core`. The staged
|
||||
extraction path is documented in:
|
||||
with `access_*` table names; tenant records live in `govoplan-tenancy`,
|
||||
governance templates in `govoplan-admin`, audit logs in `govoplan-audit`, and
|
||||
system settings in `govoplan-core`. The current access boundary is documented
|
||||
in:
|
||||
|
||||
- `/mnt/DATA/git/govoplan-core/docs/ACCESS_EXTRACTION_PLAN.md`
|
||||
- `/mnt/DATA/git/govoplan-core/docs/ACCESS_RBAC_MODEL.md`
|
||||
- `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`
|
||||
- `docs/ACCESS_MODULE_BOUNDARY.md`
|
||||
- `docs/IDENTITY_ACCOUNT_FUNCTION_MODEL.md`
|
||||
- `docs/OPENDESK_IDENTITY_BOUNDARY.md`
|
||||
|
||||
## Initial Ownership
|
||||
|
||||
@@ -33,13 +38,16 @@ This module will own:
|
||||
- API keys
|
||||
- legacy administration route contribution during the transition
|
||||
- tenant-local users
|
||||
- identity-to-account projection for explainable access decisions
|
||||
- organization-bound functions and function assignments
|
||||
- explicit delegation and acting-in-place facts
|
||||
- groups and memberships
|
||||
- roles and role assignments
|
||||
- principal resolution
|
||||
- permission evaluation
|
||||
- access administration backend routes
|
||||
- access administration WebUI route contributions
|
||||
- published FastAPI auth dependency API
|
||||
- published FastAPI auth dependency API at `govoplan_access.auth`
|
||||
- access administration, tenant provisioning, and governance materializer
|
||||
capabilities
|
||||
- access-owned migrations
|
||||
@@ -50,6 +58,17 @@ contributed by `govoplan-admin`; access must not register those routes.
|
||||
`govoplan-access` depends on `govoplan-tenancy`; the registry loads tenancy
|
||||
before access for authenticated platform composition.
|
||||
|
||||
## Principal Context
|
||||
|
||||
The stable principal DTO is `govoplan_core.core.access.PrincipalRef`. Access
|
||||
resolves sessions, API keys, and future service accounts into that DTO and
|
||||
serializes it as `principal` in auth API responses. Feature modules should use
|
||||
that DTO, primitive IDs, or the published `govoplan_access.auth` dependency API
|
||||
instead of importing access ORM models or backend dependency internals.
|
||||
|
||||
The detailed module boundary and serialization fields are documented in
|
||||
[docs/ACCESS_MODULE_BOUNDARY.md](docs/ACCESS_MODULE_BOUNDARY.md).
|
||||
|
||||
## WebUI Package
|
||||
|
||||
The repository root and `webui/` directory both expose the package
|
||||
|
||||
Reference in New Issue
Block a user