Decouple scopes from tenancy schema
This commit is contained in:
@@ -47,8 +47,8 @@ helpers, and secret helpers. The extracted access implementation lives in
|
||||
`govoplan-access`; live ORM table definitions have been split across their
|
||||
platform owners using module-prefixed table names. The old core route,
|
||||
admin-service, and access-security re-export modules have been removed.
|
||||
Callers must use module-owned imports, the public `govoplan_access.auth` request
|
||||
dependency API, or kernel capabilities.
|
||||
Callers must use module-owned imports, the public `govoplan_core.auth` request
|
||||
dependency facade, or kernel capabilities.
|
||||
The remaining platform compatibility surfaces are temporary until the matching
|
||||
platform modules are fully self-contained:
|
||||
|
||||
@@ -114,25 +114,27 @@ Known access-related capability names are defined in
|
||||
- `security.secretProvider`
|
||||
- `audit.sink`
|
||||
|
||||
`govoplan-access` currently registers `access.principalResolver`,
|
||||
`govoplan-access` currently registers `auth.principalResolver`,
|
||||
`auth.permissionEvaluator`, `access.principalResolver`,
|
||||
`access.permissionEvaluator`, `access.directory`, `access.tenantProvisioner`,
|
||||
`access.administration`, and `access.governanceMaterializer`.
|
||||
`govoplan-tenancy` registers `tenancy.tenantResolver`. The minimal
|
||||
authenticated platform set is now `tenancy` plus `access`; the registry
|
||||
inserts `tenancy` before `access` when only feature modules are requested.
|
||||
authenticated platform set is now `access`; tenancy is optional and adds tenant
|
||||
administration plus tenant resolver behavior when installed.
|
||||
Feature modules should prefer these capabilities over direct reads of
|
||||
access/tenant ORM models when they need labels, group membership, default
|
||||
access provisioning, counts, audit actor labels, or tenant metadata.
|
||||
|
||||
FastAPI route dependencies for authenticated endpoints are access-owned and
|
||||
published from `govoplan_access.auth`. Routers may import that public API for
|
||||
FastAPI route dependencies for authenticated endpoints are imported from the
|
||||
core `govoplan_core.auth` facade. Routers may import that public API for
|
||||
`ApiPrincipal`, `get_api_principal`, `has_scope`, `require_scope`, and
|
||||
`require_any_scope`; they must not import access ORM models or
|
||||
`govoplan_access.backend.*` implementation internals.
|
||||
|
||||
Current live table ownership:
|
||||
|
||||
- `govoplan-tenancy`: `tenancy_tenants`
|
||||
- core scope table: `core_scopes` (used by access/core baseline; managed by
|
||||
`govoplan-tenancy` behavior when the tenancy module is installed)
|
||||
- `govoplan-access`: `access_accounts`, `access_users`, `access_groups`,
|
||||
`access_roles`, `access_system_role_assignments`,
|
||||
`access_user_group_memberships`, `access_user_role_assignments`,
|
||||
@@ -580,7 +582,27 @@ Examples:
|
||||
|
||||
## Cross-Module Integration
|
||||
|
||||
A module can declare required dependencies and optional dependencies. Optional behavior should be enabled by module presence and permissions, not by importing another module's WebUI internals.
|
||||
A module can declare required module dependencies, optional module
|
||||
dependencies, required capabilities, and optional capabilities. Required module
|
||||
dependencies are reserved for unavoidable startup ownership, such as a module
|
||||
that cannot import or mount without another module package. Most runtime
|
||||
relationships should be expressed as capabilities instead.
|
||||
|
||||
Auth/principal access is a capability contract, not a reason to hard-depend on
|
||||
the `govoplan-access` repository. Current routers import `govoplan_core.auth`;
|
||||
that facade delegates to access today and is the migration point for a future
|
||||
provider-neutral auth kernel. Feature manifests should require
|
||||
`auth.principalResolver` and `auth.permissionEvaluator`, while access remains
|
||||
the default installed provider.
|
||||
|
||||
Tenancy is optional. Existing scoped data still uses `tenant_id` as a scope
|
||||
identifier, backed by the core-owned `core_scopes` table. Access and
|
||||
organizations must not import the tenancy package or declare a hard dependency
|
||||
on it. Tenancy-specific administration and tenant resolver behavior live behind
|
||||
the tenancy module and its capabilities.
|
||||
|
||||
Optional behavior should be enabled by module presence, capabilities, and
|
||||
permissions, not by importing another module's WebUI internals.
|
||||
|
||||
Rules:
|
||||
|
||||
@@ -599,7 +621,7 @@ The repository includes `scripts/check_dependency_boundaries.py`. It enforces th
|
||||
- access source may not import files/mail/campaign internals
|
||||
- feature modules may not import access implementation internals
|
||||
- feature modules may not add new direct imports of sibling feature modules
|
||||
- FastAPI routers may import the published `govoplan_access.auth` dependency API
|
||||
- FastAPI routers import the core `govoplan_core.auth` dependency facade
|
||||
- the transitional allowlist is expected to stay empty
|
||||
|
||||
Any future exception is extraction debt and must be temporary, documented in the
|
||||
|
||||
Reference in New Issue
Block a user