Make tenancy an optional access integration
This commit is contained in:
@@ -64,6 +64,27 @@ Access declares tenancy as an optional module integration. It uses the
|
||||
core-owned `core_scopes` table as the scope table, but it must not import
|
||||
`govoplan_tenancy` or require the tenancy package to start.
|
||||
|
||||
## Core-Only Startup Contract
|
||||
|
||||
A core-only installation must be able to start far enough to expose process
|
||||
health, module metadata, and the unauthenticated shell needed for installation
|
||||
or recovery work. It is not a usable authenticated product installation.
|
||||
|
||||
Authenticated product use requires the `access` module or another module that
|
||||
provides the same kernel auth capabilities:
|
||||
|
||||
- `auth.apiPrincipalProvider`
|
||||
- `auth.principalResolver`
|
||||
- `auth.permissionEvaluator`
|
||||
- `auth.tenantContextSwitcher`
|
||||
|
||||
Access contributes the default implementations for those capabilities plus the
|
||||
interactive `/api/v1/auth/*` routes. Product modules should express auth needs
|
||||
as required capabilities or route permission requirements instead of importing
|
||||
access internals. Runtime configurations that intentionally omit access should
|
||||
hide authenticated navigation and return capability errors for authenticated
|
||||
product routes rather than failing process startup.
|
||||
|
||||
## Principal Context Contract
|
||||
|
||||
The stable runtime principal is `govoplan_core.core.access.PrincipalRef`.
|
||||
|
||||
Reference in New Issue
Block a user