Sync GovOPlaN module state

This commit is contained in:
2026-07-10 21:57:20 +02:00
parent c71de86a1f
commit a7c486788e
18 changed files with 1527 additions and 137 deletions

View File

@@ -45,9 +45,10 @@ importing access internals:
`UserRef`, `GroupRef`, `RoleRef`, `IdentityRef`,
`OrganizationUnitRef`, `FunctionRef`, `FunctionAssignmentRef`,
`FunctionDelegationRef`, `AccessDecisionProvenance`,
`PrincipalResolver`, `AccessDirectory`, `AccessSemanticDirectory`,
`PermissionEvaluator`, `AccessExplanationService`,
`TenantAccessProvisioner`, `AccessAdministration`, and
`ApiPrincipalProvider`, `TenantContextSwitcher`, `PrincipalResolver`,
`AccessDirectory`, `AccessSemanticDirectory`, `PermissionEvaluator`,
`AccessExplanationService`, `TenantAccessProvisioner`,
`AccessAdministration`, and
`AccessGovernanceMaterializer`
- health, platform metadata, and module startup ordering
- generic security helpers that are not access-state semantics, such as
@@ -81,12 +82,21 @@ contracts. New module code should pass around `PrincipalRef` or primitive IDs.
- optional `acting_for_account_id` for acting-in-place flows
- optional display fields `email` and `display_name`
`/api/v1/auth/me`, `/api/v1/auth/login`, profile refreshes, and tenant switches
include this payload as `principal` alongside the existing compatibility
fields. Modules that need current user context should prefer
`auth.principal`/`AuthInfo.principal` in the WebUI and
`govoplan_core.auth` is now backed by the `auth.apiPrincipalProvider`
capability. The access module provides that capability; core no longer imports
access auth dependencies directly. `/api/v1/auth/me`, `/api/v1/auth/login`,
profile refreshes, and tenant switches include this payload as `principal`
alongside the existing compatibility fields. Modules that need current user
context should prefer `auth.principal`/`AuthInfo.principal` in the WebUI and
`principal.to_platform_principal()` in backend request handlers.
Interactive tenant context switching is exposed through
`auth.tenantContextSwitcher`. The existing `/api/v1/auth/switch-tenant` route
remains for API compatibility; `govoplan-tenancy` also contributes
`/api/v1/tenancy/switch-tenant`. Both delegate to the same access-owned session
switch behavior. Lifecycle code must use the capability instead of importing
`govoplan_access.backend.security.sessions`.
## Identity And Function Boundary
The full semantic model is documented in