[Debt] Remove permission catalog duplication between access and core #14

Closed
opened 2026-07-13 17:21:08 +02:00 by zemion · 1 comment
Owner

Created from add-ideas/govoplan#3 after triaging /mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260711-1857/jscpd/jscpd-report.json.

Evidence

jscpd reports duplicated permission catalog data between:

  • src/govoplan_access/backend/permissions/catalog.py lines 12-42
  • src/govoplan_core/security/permissions.py lines 103-114

Permission catalog duplication is risky because access and core can drift on labels, descriptions, grouping, or legacy scope interpretation.

Desired Shape

Establish one canonical source for permission catalog metadata while preserving module ownership and avoiding a reverse dependency from core into access.

Acceptance Criteria

  • The duplicated permission metadata has one canonical owner or a documented compatibility bridge.
  • Access remains the owner of access-specific permissions; core keeps only kernel/shared permission primitives.
  • Existing permission listing/admin tests continue to pass.
  • jscpd no longer reports this catalog clone, or remaining compatibility duplication is documented with a removal path.
Created from add-ideas/govoplan#3 after triaging `/mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260711-1857/jscpd/jscpd-report.json`. ## Evidence jscpd reports duplicated permission catalog data between: - `src/govoplan_access/backend/permissions/catalog.py` lines 12-42 - `src/govoplan_core/security/permissions.py` lines 103-114 Permission catalog duplication is risky because access and core can drift on labels, descriptions, grouping, or legacy scope interpretation. ## Desired Shape Establish one canonical source for permission catalog metadata while preserving module ownership and avoiding a reverse dependency from core into access. ## Acceptance Criteria - The duplicated permission metadata has one canonical owner or a documented compatibility bridge. - Access remains the owner of access-specific permissions; core keeps only kernel/shared permission primitives. - Existing permission listing/admin tests continue to pass. - jscpd no longer reports this catalog clone, or remaining compatibility duplication is documented with a removal path.
Author
Owner

Codex State: done

Summary

  • Moved legacy scope aliases into a shared core compatibility table and made core/access import the same object.
  • Replaced access-local duplicated legacy permission definitions with a compatibility bridge derived from core legacy permission definitions, while keeping active access permissions owned by access manifests.
  • Added a permission catalog contract test covering shared alias identity, legacy grant parity, and representative non-access platform scopes in the access compatibility catalog.

Changed Files

  • src/govoplan_access/backend/permissions/catalog.py
  • tests/test_permission_catalog_contract.py
  • ../govoplan-core/src/govoplan_core/security/scope_aliases.py
  • ../govoplan-core/src/govoplan_core/security/permissions.py

Verification

  • python -m py_compile for changed Python files
  • python -m ruff check for changed Python files
  • python -m unittest discover -s tests (govoplan-access): 15 passed
  • python -m unittest tests.test_module_system.ModuleSystemTests.test_tenant_wildcard_grants_module_tenant_scopes tests.test_api_smoke.ApiSmokeTests.test_refined_permissions_are_narrow_and_enforce_delegation_ceiling tests.test_api_smoke.ApiSmokeTests.test_file_and_raw_mail_permissions_are_independently_enforced: 3 passed
  • npx --yes jscpd --absolute --min-tokens 80 ... touched API/catalog files: Found 0 clones
  • git diff --check in core/access/admin/mail/campaign
## Codex State: done ### Summary - Moved legacy scope aliases into a shared core compatibility table and made core/access import the same object. - Replaced access-local duplicated legacy permission definitions with a compatibility bridge derived from core legacy permission definitions, while keeping active access permissions owned by access manifests. - Added a permission catalog contract test covering shared alias identity, legacy grant parity, and representative non-access platform scopes in the access compatibility catalog. ### Changed Files - `src/govoplan_access/backend/permissions/catalog.py` - `tests/test_permission_catalog_contract.py` - `../govoplan-core/src/govoplan_core/security/scope_aliases.py` - `../govoplan-core/src/govoplan_core/security/permissions.py` ### Verification - `python -m py_compile for changed Python files` - `python -m ruff check for changed Python files` - `python -m unittest discover -s tests (govoplan-access): 15 passed` - `python -m unittest tests.test_module_system.ModuleSystemTests.test_tenant_wildcard_grants_module_tenant_scopes tests.test_api_smoke.ApiSmokeTests.test_refined_permissions_are_narrow_and_enforce_delegation_ceiling tests.test_api_smoke.ApiSmokeTests.test_file_and_raw_mail_permissions_are_independently_enforced: 3 passed` - `npx --yes jscpd --absolute --min-tokens 80 ... touched API/catalog files: Found 0 clones` - `git diff --check in core/access/admin/mail/campaign`
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-access#14
No description provided.