GovOPlaN Access

govoplan-access is the platform module for GovOPlaN identity, authentication, sessions, API keys, RBAC, groups, users, and access administration.

The repository contains the extracted access seed implementation under src/govoplan_access/backend. Session, API-key, and password helper services, interactive auth routes, and administration routers are owned here. The public FastAPI request dependency API is exported from govoplan_access.auth; modules must not import the backend dependency module directly. Access-side admin service helpers remain here for users, groups, roles, system accounts, sessions, API keys, tenant access enforcement, admin/audit lookup capabilities, tenant owner provisioning, and governance-template materialization into access-owned groups and roles. Governance-template metadata CRUD lives in govoplan-admin. The transitional administration WebUI route shell and access-owned panels live under webui/src as @govoplan/access-webui. Generic system administration panels are contributed by @govoplan/admin-webui through core's admin.sections UI capability. Live access ORM models are defined here with access_* table names; tenant records live in govoplan-tenancy, governance templates in govoplan-admin, audit logs in govoplan-audit, and system settings in govoplan-core. The current access boundary is documented in:

  • /mnt/DATA/git/govoplan-core/docs/ACCESS_RBAC_MODEL.md
  • /mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md
  • docs/ACCESS_MODULE_BOUNDARY.md
  • docs/IDENTITY_ACCOUNT_FUNCTION_MODEL.md
  • docs/OPENDESK_IDENTITY_BOUNDARY.md

Initial Ownership

This module will own:

  • accounts and login identity
  • authentication routes and session lifecycle
  • API keys
  • legacy administration route contribution during the transition
  • tenant-local users
  • identity-to-account projection for explainable access decisions
  • organization-bound functions and function assignments
  • explicit delegation and acting-in-place facts
  • groups and memberships
  • roles and role assignments
  • principal resolution
  • permission evaluation
  • access administration backend routes
  • access administration WebUI route contributions
  • published FastAPI auth dependency API at govoplan_access.auth
  • access administration, tenant provisioning, and governance materializer capabilities
  • access-owned migrations

The governance-template routes under /admin/system/governance-templates are contributed by govoplan-admin; access must not register those routes.

govoplan-access depends on govoplan-tenancy; the registry loads tenancy before access for authenticated platform composition.

Principal Context

The stable principal DTO is govoplan_core.core.access.PrincipalRef. Access resolves sessions, API keys, and future service accounts into that DTO and serializes it as principal in auth API responses. Feature modules should use that DTO, primitive IDs, or the published govoplan_access.auth dependency API instead of importing access ORM models or backend dependency internals.

The detailed module boundary and serialization fields are documented in docs/ACCESS_MODULE_BOUNDARY.md.

WebUI Package

The repository root and webui/ directory both expose the package @govoplan/access-webui. The package contributes the /admin route and admin nav item through core's module WebUI contract. The route shell consumes module-owned admin.sections contributions from installed platform modules and continues to render access-owned tenant/user/group/role panels locally. Core supplies shared admin components, route rendering, and icon resolution.

The kernel remains responsible for module discovery, route aggregation, database/session lifecycle, migration orchestration, capability registry, and stable contracts.

Gitea Workflow

This repository uses the shared GovOPlaN Gitea issue workflow. Issue templates are installed under .gitea/, and the shared label taxonomy is copied to docs/gitea-labels.json.

From the core checkout, labels can be synced once a local GITEA_TOKEN is available:

cd /mnt/DATA/git/govoplan-core
./scripts/gitea-sync-labels.py --root /mnt/DATA/git/govoplan-access --apply

Development Install

From the core checkout:

cd /mnt/DATA/git/govoplan-core
./.venv/bin/python -m pip install -e ../govoplan-access
Description
GovOPlaN access module for identity, authentication, sessions, API keys, users, groups, roles, memberships, and RBAC administration.
Readme 706 KiB
Languages
Python 66.7%
TypeScript 33.3%