Sync wiki from project files
@@ -7,17 +7,22 @@ This page is generated from repository and product-directory project files.
|
|||||||
- [Product govoplan-split-concept-action-plan](Product govoplan-split-concept-action-plan) - `/mnt/DATA/Nextcloud/ADD ideas UG/Products/govoplan/split-concept-action-plan.md`
|
- [Product govoplan-split-concept-action-plan](Product govoplan-split-concept-action-plan) - `/mnt/DATA/Nextcloud/ADD ideas UG/Products/govoplan/split-concept-action-plan.md`
|
||||||
- [Repo-README](Repo-README) - `/mnt/DATA/git/govoplan-core/README.md`
|
- [Repo-README](Repo-README) - `/mnt/DATA/git/govoplan-core/README.md`
|
||||||
- [Repo-docs-ACCESS-RBAC-MODEL](Repo-docs-ACCESS-RBAC-MODEL) - `/mnt/DATA/git/govoplan-core/docs/ACCESS_RBAC_MODEL.md`
|
- [Repo-docs-ACCESS-RBAC-MODEL](Repo-docs-ACCESS-RBAC-MODEL) - `/mnt/DATA/git/govoplan-core/docs/ACCESS_RBAC_MODEL.md`
|
||||||
|
- [Repo-docs-ACTION-EFFECT-AUTOMATION-LAYER](Repo-docs-ACTION-EFFECT-AUTOMATION-LAYER) - `/mnt/DATA/git/govoplan-core/docs/ACTION_EFFECT_AUTOMATION_LAYER.md`
|
||||||
- [Repo-docs-CODEX-WORKFLOW](Repo-docs-CODEX-WORKFLOW) - `/mnt/DATA/git/govoplan-core/docs/CODEX_WORKFLOW.md`
|
- [Repo-docs-CODEX-WORKFLOW](Repo-docs-CODEX-WORKFLOW) - `/mnt/DATA/git/govoplan-core/docs/CODEX_WORKFLOW.md`
|
||||||
- [Repo-docs-CONFIGURATION-PACKAGES](Repo-docs-CONFIGURATION-PACKAGES) - `/mnt/DATA/git/govoplan-core/docs/CONFIGURATION_PACKAGES.md`
|
- [Repo-docs-CONFIGURATION-PACKAGES](Repo-docs-CONFIGURATION-PACKAGES) - `/mnt/DATA/git/govoplan-core/docs/CONFIGURATION_PACKAGES.md`
|
||||||
|
- [Repo-docs-DEPENDENCY-AUDITS](Repo-docs-DEPENDENCY-AUDITS) - `/mnt/DATA/git/govoplan-core/docs/DEPENDENCY_AUDITS.md`
|
||||||
- [Repo-docs-DEPLOYMENT-OPERATOR-GUIDE](Repo-docs-DEPLOYMENT-OPERATOR-GUIDE) - `/mnt/DATA/git/govoplan-core/docs/DEPLOYMENT_OPERATOR_GUIDE.md`
|
- [Repo-docs-DEPLOYMENT-OPERATOR-GUIDE](Repo-docs-DEPLOYMENT-OPERATOR-GUIDE) - `/mnt/DATA/git/govoplan-core/docs/DEPLOYMENT_OPERATOR_GUIDE.md`
|
||||||
- [Repo-docs-DOCUMENTATION-MAP](Repo-docs-DOCUMENTATION-MAP) - `/mnt/DATA/git/govoplan-core/docs/DOCUMENTATION_MAP.md`
|
- [Repo-docs-DOCUMENTATION-MAP](Repo-docs-DOCUMENTATION-MAP) - `/mnt/DATA/git/govoplan-core/docs/DOCUMENTATION_MAP.md`
|
||||||
- [Repo-docs-EVENTS-AND-AUDIT](Repo-docs-EVENTS-AND-AUDIT) - `/mnt/DATA/git/govoplan-core/docs/EVENTS_AND_AUDIT.md`
|
- [Repo-docs-EVENTS-AND-AUDIT](Repo-docs-EVENTS-AND-AUDIT) - `/mnt/DATA/git/govoplan-core/docs/EVENTS_AND_AUDIT.md`
|
||||||
- [Repo-docs-GITEA-ISSUES](Repo-docs-GITEA-ISSUES) - `/mnt/DATA/git/govoplan-core/docs/GITEA_ISSUES.md`
|
- [Repo-docs-GITEA-ISSUES](Repo-docs-GITEA-ISSUES) - `/mnt/DATA/git/govoplan-core/docs/GITEA_ISSUES.md`
|
||||||
- [Repo-docs-GOVERNANCE-MODEL](Repo-docs-GOVERNANCE-MODEL) - `/mnt/DATA/git/govoplan-core/docs/GOVERNANCE_MODEL.md`
|
- [Repo-docs-GOVERNANCE-MODEL](Repo-docs-GOVERNANCE-MODEL) - `/mnt/DATA/git/govoplan-core/docs/GOVERNANCE_MODEL.md`
|
||||||
- [Repo-docs-GOVOPLAN-MASTER-ROADMAP](Repo-docs-GOVOPLAN-MASTER-ROADMAP) - `/mnt/DATA/git/govoplan-core/docs/GOVOPLAN_MASTER_ROADMAP.md`
|
- [Repo-docs-GOVOPLAN-MASTER-ROADMAP](Repo-docs-GOVOPLAN-MASTER-ROADMAP) - `/mnt/DATA/git/govoplan-core/docs/GOVOPLAN_MASTER_ROADMAP.md`
|
||||||
|
- [Repo-docs-INTERFACE-ETHICS-AND-DESIGN-DOCTRINE](Repo-docs-INTERFACE-ETHICS-AND-DESIGN-DOCTRINE) - `/mnt/DATA/git/govoplan-core/docs/INTERFACE_ETHICS_AND_DESIGN_DOCTRINE.md`
|
||||||
- [Repo-docs-MODULE-ARCHITECTURE](Repo-docs-MODULE-ARCHITECTURE) - `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`
|
- [Repo-docs-MODULE-ARCHITECTURE](Repo-docs-MODULE-ARCHITECTURE) - `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`
|
||||||
- [Repo-docs-POLICY-CONTRACTS](Repo-docs-POLICY-CONTRACTS) - `/mnt/DATA/git/govoplan-core/docs/POLICY_CONTRACTS.md`
|
- [Repo-docs-POLICY-CONTRACTS](Repo-docs-POLICY-CONTRACTS) - `/mnt/DATA/git/govoplan-core/docs/POLICY_CONTRACTS.md`
|
||||||
|
- [Repo-docs-POSTBOX-E2EE-ARCHITECTURE](Repo-docs-POSTBOX-E2EE-ARCHITECTURE) - `/mnt/DATA/git/govoplan-core/docs/POSTBOX_E2EE_ARCHITECTURE.md`
|
||||||
- [Repo-docs-PUBLIC-SECTOR-INTEGRATION-STRATEGY](Repo-docs-PUBLIC-SECTOR-INTEGRATION-STRATEGY) - `/mnt/DATA/git/govoplan-core/docs/PUBLIC_SECTOR_INTEGRATION_STRATEGY.md`
|
- [Repo-docs-PUBLIC-SECTOR-INTEGRATION-STRATEGY](Repo-docs-PUBLIC-SECTOR-INTEGRATION-STRATEGY) - `/mnt/DATA/git/govoplan-core/docs/PUBLIC_SECTOR_INTEGRATION_STRATEGY.md`
|
||||||
- [Repo-docs-RELEASE-DEPENDENCIES](Repo-docs-RELEASE-DEPENDENCIES) - `/mnt/DATA/git/govoplan-core/docs/RELEASE_DEPENDENCIES.md`
|
- [Repo-docs-RELEASE-DEPENDENCIES](Repo-docs-RELEASE-DEPENDENCIES) - `/mnt/DATA/git/govoplan-core/docs/RELEASE_DEPENDENCIES.md`
|
||||||
- [Repo-docs-REMOTE-WEBUI-BUNDLES](Repo-docs-REMOTE-WEBUI-BUNDLES) - `/mnt/DATA/git/govoplan-core/docs/REMOTE_WEBUI_BUNDLES.md`
|
- [Repo-docs-REMOTE-WEBUI-BUNDLES](Repo-docs-REMOTE-WEBUI-BUNDLES) - `/mnt/DATA/git/govoplan-core/docs/REMOTE_WEBUI_BUNDLES.md`
|
||||||
- [Repo-docs-UI-UX-DECISION-LEDGER](Repo-docs-UI-UX-DECISION-LEDGER) - `/mnt/DATA/git/govoplan-core/docs/UI_UX_DECISION_LEDGER.md`
|
- [Repo-docs-UI-UX-DECISION-LEDGER](Repo-docs-UI-UX-DECISION-LEDGER) - `/mnt/DATA/git/govoplan-core/docs/UI_UX_DECISION_LEDGER.md`
|
||||||
|
- [Repo-docs-audits-2026-07-09-dependency-audit](Repo-docs-audits-2026-07-09-dependency-audit) - `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
<!-- codex-wiki-sync:e4c303086f9134064a521fb1 -->
|
<!-- codex-wiki-sync:1157fb3bc858ffd88cac0afc -->
|
||||||
|
|
||||||
> Mirrored from `/mnt/DATA/git/govoplan-core/README.md`.
|
> Mirrored from `/mnt/DATA/git/govoplan-core/README.md`.
|
||||||
> Origin: `repository`.
|
> Origin: `repository`.
|
||||||
@@ -7,7 +7,7 @@
|
|||||||
---
|
---
|
||||||
# govoplan-core
|
# govoplan-core
|
||||||
|
|
||||||
GovOPlaN core is the platform runner and shared foundation. It owns the server entry point, database/session primitives, tenant and RBAC infrastructure, governance policy, audit/auth helpers, module discovery, migration registration, and the shared WebUI shell. Feature code is supplied by installed modules.
|
GovOPlaN core is the platform runner and shared foundation. It owns the server entry point, database/session primitives, module discovery, migration orchestration, capability contracts, install/uninstall orchestration, and the shared WebUI shell. Platform and feature behavior is supplied by installed modules.
|
||||||
|
|
||||||
## Repository ownership
|
## Repository ownership
|
||||||
|
|
||||||
@@ -16,11 +16,14 @@ Core owns:
|
|||||||
- `govoplan_core.server.app:app`, the FastAPI entry point used by uvicorn
|
- `govoplan_core.server.app:app`, the FastAPI entry point used by uvicorn
|
||||||
- `GovoplanServerConfig`, module discovery, registry validation, and route aggregation
|
- `GovoplanServerConfig`, module discovery, registry validation, and route aggregation
|
||||||
- SQLAlchemy base/session helpers and module migration registration
|
- SQLAlchemy base/session helpers and module migration registration
|
||||||
- tenant/account/session/RBAC/governance/audit models and services
|
- kernel APIs for platform metadata, module lifecycle, health, and development diagnostics
|
||||||
- core API routes for auth, admin, platform metadata, audit, and system health
|
|
||||||
- `@govoplan/core-webui`, including login, CSRF/API helpers, shell layout, generic UI components, IconRail, DataGrid, access boundaries, and module route/nav contracts
|
- `@govoplan/core-webui`, including login, CSRF/API helpers, shell layout, generic UI components, IconRail, DataGrid, access boundaries, and module route/nav contracts
|
||||||
|
|
||||||
Feature modules own their backend routers, models, migrations, permissions, frontend packages, nav items, and route contributions. Core should not import feature pages directly; it imports module manifests and renders their route contributions.
|
Platform and feature modules own their backend routers, models, migrations,
|
||||||
|
permissions, frontend packages, nav items, and route contributions. Access,
|
||||||
|
tenancy, policy, audit, and admin behavior live in their owning platform
|
||||||
|
modules. Core should not import feature pages directly; it imports module
|
||||||
|
manifests and renders their route contributions.
|
||||||
|
|
||||||
## Governance docs
|
## Governance docs
|
||||||
|
|
||||||
@@ -33,7 +36,8 @@ Canonical policy documents live in `docs/`:
|
|||||||
- [DEPLOYMENT_OPERATOR_GUIDE.md](docs/DEPLOYMENT_OPERATOR_GUIDE.md)
|
- [DEPLOYMENT_OPERATOR_GUIDE.md](docs/DEPLOYMENT_OPERATOR_GUIDE.md)
|
||||||
- [CODEX_WORKFLOW.md](docs/CODEX_WORKFLOW.md)
|
- [CODEX_WORKFLOW.md](docs/CODEX_WORKFLOW.md)
|
||||||
|
|
||||||
Modules may define module-specific permissions and policy behavior, but the platform-level permission model and governance hierarchy belong here.
|
Modules define module-specific permissions and policy behavior. Shared DTOs and
|
||||||
|
composition rules live in core only where they are stable kernel contracts.
|
||||||
|
|
||||||
## Backend development
|
## Backend development
|
||||||
|
|
||||||
|
|||||||
128
Repo-docs-ACTION-EFFECT-AUTOMATION-LAYER.md
Normal file
128
Repo-docs-ACTION-EFFECT-AUTOMATION-LAYER.md
Normal file
@@ -0,0 +1,128 @@
|
|||||||
|
<!-- codex-wiki-sync:49ef87125712e15c51268e33 -->
|
||||||
|
|
||||||
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/ACTION_EFFECT_AUTOMATION_LAYER.md`.
|
||||||
|
> Origin: `repository`.
|
||||||
|
> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
|
||||||
|
|
||||||
|
---
|
||||||
|
# Action, Effect, And Automation Layer
|
||||||
|
|
||||||
|
GovOPlaN needs an automation layer because administrative processes will not be
|
||||||
|
only linear screen flows. Workflows, schedules, imports, connectors, policies,
|
||||||
|
and external events all need to request governed actions without bypassing the
|
||||||
|
same safety rules that apply to human users.
|
||||||
|
|
||||||
|
The first implementation should live in `govoplan-workflow` and core contracts.
|
||||||
|
Create a separate `govoplan-automation` module only if action planning,
|
||||||
|
schedulers, rule execution, or cross-module automation become too broad for
|
||||||
|
workflow ownership.
|
||||||
|
|
||||||
|
## Layer Purpose
|
||||||
|
|
||||||
|
The automation layer should provide:
|
||||||
|
|
||||||
|
- a typed action catalogue
|
||||||
|
- a typed effect catalogue
|
||||||
|
- consequence preview before execution
|
||||||
|
- policy and permission checks
|
||||||
|
- idempotent execution
|
||||||
|
- audit and provenance records
|
||||||
|
- retry, quarantine, and manual exception handling
|
||||||
|
- system-actor execution without hiding responsibility
|
||||||
|
|
||||||
|
Automation is not a shortcut around module boundaries. It is a governed caller
|
||||||
|
of module capabilities.
|
||||||
|
|
||||||
|
## Action Definition
|
||||||
|
|
||||||
|
An `ActionDefinition` describes something a human or system actor can request.
|
||||||
|
|
||||||
|
Recommended fields:
|
||||||
|
|
||||||
|
- `action_key`
|
||||||
|
- owning module
|
||||||
|
- input schema
|
||||||
|
- actor requirements and required scopes
|
||||||
|
- required capabilities
|
||||||
|
- policy checks
|
||||||
|
- risk level
|
||||||
|
- reversibility class: reversible, compensatable, corrective-only, or
|
||||||
|
irreversible
|
||||||
|
- expected effects
|
||||||
|
- idempotency key strategy
|
||||||
|
- audit event names
|
||||||
|
- preview provider
|
||||||
|
|
||||||
|
Examples:
|
||||||
|
|
||||||
|
- create a case from a form submission
|
||||||
|
- assign a task
|
||||||
|
- generate a document from a template
|
||||||
|
- send a postbox message
|
||||||
|
- send an email notification
|
||||||
|
- append evidence to records
|
||||||
|
- create a payment request
|
||||||
|
- call an external connector
|
||||||
|
|
||||||
|
## Effect Definition
|
||||||
|
|
||||||
|
An `EffectDefinition` describes the expected and observed result of an action.
|
||||||
|
|
||||||
|
Recommended fields:
|
||||||
|
|
||||||
|
- `effect_key`
|
||||||
|
- affected module and resource references
|
||||||
|
- external system references where applicable
|
||||||
|
- created, changed, deleted, sent, notified, locked, or retained markers
|
||||||
|
- visibility and privacy classification
|
||||||
|
- audit event references
|
||||||
|
- rollback or compensation hints
|
||||||
|
- operator-facing explanation
|
||||||
|
|
||||||
|
Effects should be recorded even when execution fails partially. This makes
|
||||||
|
manual recovery and audit review possible.
|
||||||
|
|
||||||
|
## Execution Model
|
||||||
|
|
||||||
|
The runner should execute an action plan as follows:
|
||||||
|
|
||||||
|
1. Resolve actor context: human, delegated actor, or system actor.
|
||||||
|
2. Validate input schema.
|
||||||
|
3. Resolve required module capabilities.
|
||||||
|
4. Run permission and policy checks.
|
||||||
|
5. Generate a consequence preview.
|
||||||
|
6. Reserve or verify the idempotency key.
|
||||||
|
7. Execute the owning module capability.
|
||||||
|
8. Record observed effects.
|
||||||
|
9. Emit events and audit records.
|
||||||
|
10. Mark the command complete, retryable, quarantined, or requiring manual
|
||||||
|
intervention.
|
||||||
|
|
||||||
|
The runner must never advance workflow state past a required side effect unless
|
||||||
|
the action definition explicitly allows asynchronous completion and the pending
|
||||||
|
state is visible.
|
||||||
|
|
||||||
|
## Failure States
|
||||||
|
|
||||||
|
Automation should use explicit failure states:
|
||||||
|
|
||||||
|
- `blocked`: policy, permission, missing capability, or invalid input prevents
|
||||||
|
execution.
|
||||||
|
- `retryable`: transient transport, timeout, rate-limit, or lock conflict.
|
||||||
|
- `quarantined`: unexpected response, schema mismatch, unsafe partial result,
|
||||||
|
or unknown external state.
|
||||||
|
- `manual_required`: human decision or correction is needed.
|
||||||
|
- `compensation_required`: a later action must correct an already observed
|
||||||
|
side effect.
|
||||||
|
|
||||||
|
These states should be visible in workflow, task, and admin diagnostics.
|
||||||
|
|
||||||
|
## Boundary
|
||||||
|
|
||||||
|
Core may own stable DTOs, registry contracts, and generic audit/event hooks.
|
||||||
|
`govoplan-workflow` should own the first runner because workflow is the first
|
||||||
|
module that coordinates cross-module process actions.
|
||||||
|
|
||||||
|
Domain modules own their own action providers. For example, templates own
|
||||||
|
document generation actions, postbox owns postbox message actions, and
|
||||||
|
connectors own external handoff actions.
|
||||||
74
Repo-docs-DEPENDENCY-AUDITS.md
Normal file
74
Repo-docs-DEPENDENCY-AUDITS.md
Normal file
@@ -0,0 +1,74 @@
|
|||||||
|
<!-- codex-wiki-sync:ae21d8bbf9ec197990927237 -->
|
||||||
|
|
||||||
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/DEPENDENCY_AUDITS.md`.
|
||||||
|
> Origin: `repository`.
|
||||||
|
> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
|
||||||
|
|
||||||
|
---
|
||||||
|
# Dependency Audits
|
||||||
|
|
||||||
|
GovOPlaN keeps dependency vulnerability checks reproducible but separate from
|
||||||
|
the fast local smoke suite, because both Python and npm audits need network
|
||||||
|
metadata and can fail for newly disclosed advisories without a source change.
|
||||||
|
|
||||||
|
## Local Workflow
|
||||||
|
|
||||||
|
Install the development audit dependency once:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd /mnt/DATA/git/govoplan-core
|
||||||
|
./.venv/bin/python -m pip install -r requirements-dev.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
Run both backend and WebUI production audits:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd /mnt/DATA/git/govoplan-core
|
||||||
|
bash scripts/check-dependency-audits.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
The script runs:
|
||||||
|
|
||||||
|
- `scripts/check-dependency-hygiene.sh` for pip resolver consistency, stale
|
||||||
|
legacy editable package metadata, deprecated framework constants, and the
|
||||||
|
Starlette `TestClient` deprecation smoke when test dependencies are present
|
||||||
|
- `python -m pip_audit --progress-spinner off`
|
||||||
|
- `npm audit --omit=dev` in `webui`
|
||||||
|
|
||||||
|
For fast local checks without vulnerability metadata lookups, run:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd /mnt/DATA/git/govoplan-core
|
||||||
|
CHECK_TESTCLIENT_DEPRECATIONS=1 bash scripts/check-dependency-hygiene.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
This is also part of `scripts/check-focused.sh`, so resolver drift and
|
||||||
|
deprecation regressions fail close to the code change that introduced them.
|
||||||
|
|
||||||
|
Override tool paths when testing from a disposable environment:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
PYTHON=/tmp/govoplan-audit/bin/python \
|
||||||
|
NPM=/home/zemion/.nvm/versions/node/v22.22.3/bin/npm \
|
||||||
|
bash scripts/check-dependency-audits.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
## CI Workflow
|
||||||
|
|
||||||
|
`.gitea/workflows/dependency-audit.yml` installs release dependencies from
|
||||||
|
tagged package refs, installs `pip-audit`, and runs the same script on pushes,
|
||||||
|
pull requests, and a weekly schedule.
|
||||||
|
|
||||||
|
The workflow intentionally uses release dependency refs instead of local
|
||||||
|
`file:` or editable sibling paths. Development lockfiles may keep local module
|
||||||
|
links, but release audit results should represent the installable product.
|
||||||
|
|
||||||
|
## Recording Results
|
||||||
|
|
||||||
|
When closing or triaging dependency-audit issues, add a short dated note under
|
||||||
|
`docs/audits/`. Record:
|
||||||
|
|
||||||
|
- the commands that were run
|
||||||
|
- whether Python and npm passed
|
||||||
|
- any advisories accepted as temporary risk
|
||||||
|
- follow-up issue links for required upgrades
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
<!-- codex-wiki-sync:6c0873d5054a4797a0bbf7d4 -->
|
<!-- codex-wiki-sync:ba0a5447263dd5ba18455a13 -->
|
||||||
|
|
||||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/DOCUMENTATION_MAP.md`.
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/DOCUMENTATION_MAP.md`.
|
||||||
> Origin: `repository`.
|
> Origin: `repository`.
|
||||||
@@ -20,6 +20,8 @@ operator, and roadmap pages.
|
|||||||
| Governance hierarchy | `GOVERNANCE_MODEL.md` | System, tenant, user/group, campaign policy inheritance and admin UI structure. |
|
| Governance hierarchy | `GOVERNANCE_MODEL.md` | System, tenant, user/group, campaign policy inheritance and admin UI structure. |
|
||||||
| Policy decision DTOs and provenance | `POLICY_CONTRACTS.md` | Shared explain/provenance shape; module-specific policy docs should link here. |
|
| Policy decision DTOs and provenance | `POLICY_CONTRACTS.md` | Shared explain/provenance shape; module-specific policy docs should link here. |
|
||||||
| Events and audit trace context | `EVENTS_AND_AUDIT.md` | Event dispatch semantics and audit payload conventions. |
|
| Events and audit trace context | `EVENTS_AND_AUDIT.md` | Event dispatch semantics and audit payload conventions. |
|
||||||
|
| Action/effect automation layer | `ACTION_EFFECT_AUTOMATION_LAYER.md` | Action/effect contracts, consequence preview, runner semantics, and module boundary for automation. |
|
||||||
|
| Postbox E2EE target architecture | `POSTBOX_E2EE_ARCHITECTURE.md` | Strategic encrypted postbox/mailbox model, key ownership, role mailbox semantics, and retraction limits. |
|
||||||
|
|
||||||
## Release And Operations
|
## Release And Operations
|
||||||
|
|
||||||
@@ -27,6 +29,7 @@ operator, and roadmap pages.
|
|||||||
| --- | --- | --- |
|
| --- | --- | --- |
|
||||||
| Runtime configuration and operator flow | `DEPLOYMENT_OPERATOR_GUIDE.md` | Production/staging configuration, migrations, backups, installer operation, and rollback drill. |
|
| Runtime configuration and operator flow | `DEPLOYMENT_OPERATOR_GUIDE.md` | Production/staging configuration, migrations, backups, installer operation, and rollback drill. |
|
||||||
| Release dependencies and catalogs | `RELEASE_DEPENDENCIES.md` | Release package refs, migration baselines, release lockfiles, catalog trust/licensing, catalog publishing, and release checklist. |
|
| Release dependencies and catalogs | `RELEASE_DEPENDENCIES.md` | Release package refs, migration baselines, release lockfiles, catalog trust/licensing, catalog publishing, and release checklist. |
|
||||||
|
| Dependency vulnerability audits | `DEPENDENCY_AUDITS.md` | Local and CI audit commands plus dated audit result notes. |
|
||||||
| Remote WebUI bundle design | `REMOTE_WEBUI_BUNDLES.md` | Experimental controlled-deployment design; normal releases still use package builds. |
|
| Remote WebUI bundle design | `REMOTE_WEBUI_BUNDLES.md` | Experimental controlled-deployment design; normal releases still use package builds. |
|
||||||
|
|
||||||
## Product And Module Planning
|
## Product And Module Planning
|
||||||
@@ -35,6 +38,7 @@ operator, and roadmap pages.
|
|||||||
| --- | --- | --- |
|
| --- | --- | --- |
|
||||||
| Product roadmap and module routing | `GOVOPLAN_MASTER_ROADMAP.md` | Product-level sequencing, implementation gates, issue routing, and missing-module decisions. |
|
| Product roadmap and module routing | `GOVOPLAN_MASTER_ROADMAP.md` | Product-level sequencing, implementation gates, issue routing, and missing-module decisions. |
|
||||||
| UI/UX decisions | `UI_UX_DECISION_LEDGER.md` | Binding guided-UI decisions, open decisions, impact index, and review checklist. |
|
| UI/UX decisions | `UI_UX_DECISION_LEDGER.md` | Binding guided-UI decisions, open decisions, impact index, and review checklist. |
|
||||||
|
| Interface ethics and design doctrine | `INTERFACE_ETHICS_AND_DESIGN_DOCTRINE.md` | Product-level doctrine for context, decision, consequence, contestability, responsibility, and traceability. |
|
||||||
| Public-sector integration posture | `PUBLIC_SECTOR_INTEGRATION_STRATEGY.md` | Strategy index; executable target inventory lives in `govoplan-connectors`. |
|
| Public-sector integration posture | `PUBLIC_SECTOR_INTEGRATION_STRATEGY.md` | Strategy index; executable target inventory lives in `govoplan-connectors`. |
|
||||||
| Configuration packages | `CONFIGURATION_PACKAGES.md` | Package model, provider contract, import/export flow, and tracking slices. |
|
| Configuration packages | `CONFIGURATION_PACKAGES.md` | Package model, provider contract, import/export flow, and tracking slices. |
|
||||||
|
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
<!-- codex-wiki-sync:0eac3d46fd9533b4f06bd825 -->
|
<!-- codex-wiki-sync:c9d4b75517b3704cc9f7f701 -->
|
||||||
|
|
||||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/GOVOPLAN_MASTER_ROADMAP.md`.
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/GOVOPLAN_MASTER_ROADMAP.md`.
|
||||||
> Origin: `repository`.
|
> Origin: `repository`.
|
||||||
@@ -32,12 +32,20 @@ The product should first provide a reliable administrative spine:
|
|||||||
- identities, roles, tenants, policy, audit, and governance
|
- identities, roles, tenants, policy, audit, and governance
|
||||||
- forms, files, cases, workflow, tasks, templates, and records
|
- forms, files, cases, workflow, tasks, templates, and records
|
||||||
- postboxes, notifications, mail, portal, appointments, and booking
|
- postboxes, notifications, mail, portal, appointments, and booking
|
||||||
|
- identity trust, role-bound postboxes, and eventually encrypted administrative
|
||||||
|
communication
|
||||||
- configuration packages that assemble modules into repeatable procedures
|
- configuration packages that assemble modules into repeatable procedures
|
||||||
- docs that explain the configured system, not the full theoretical product
|
- docs that explain the configured system, not the full theoretical product
|
||||||
|
|
||||||
Domain modules should come after the spine can run a reference procedure end to
|
Domain modules should come after the spine can run a reference procedure end to
|
||||||
end.
|
end.
|
||||||
|
|
||||||
|
The platform should be a governance-capable runtime for modules, connectors,
|
||||||
|
configuration, and administrative decisions. The kernel must stay free of domain
|
||||||
|
semantics while still providing the contracts needed for modules to explain what
|
||||||
|
they do, what they require, which effects they create, and how operators can
|
||||||
|
verify or reverse those effects.
|
||||||
|
|
||||||
## Design Principles
|
## Design Principles
|
||||||
|
|
||||||
- Modules must stay independently installable, enableable, and disableable.
|
- Modules must stay independently installable, enableable, and disableable.
|
||||||
@@ -48,6 +56,16 @@ end.
|
|||||||
- Operators should be able to configure the platform through the UI.
|
- Operators should be able to configure the platform through the UI.
|
||||||
- Every powerful configuration path needs preflight, preview, audit, rollback,
|
- Every powerful configuration path needs preflight, preview, audit, rollback,
|
||||||
RBAC, and policy checks.
|
RBAC, and policy checks.
|
||||||
|
- Context, decision, consequence, and traceability must be visible together for
|
||||||
|
consequential actions. The full doctrine lives in
|
||||||
|
`INTERFACE_ETHICS_AND_DESIGN_DOCTRINE.md`.
|
||||||
|
- Automation must use governed action/effect contracts, not hidden side
|
||||||
|
effects. The first automation layer is defined in
|
||||||
|
`ACTION_EFFECT_AUTOMATION_LAYER.md` and should start in `govoplan-workflow`
|
||||||
|
unless a separate automation module becomes justified.
|
||||||
|
- Encrypted postboxes are a strategic target. Early postbox, access, and
|
||||||
|
identity-trust contracts should stay compatible with the E2EE architecture in
|
||||||
|
`POSTBOX_E2EE_ARCHITECTURE.md`.
|
||||||
- Integration should be a first-class product path: connect to existing
|
- Integration should be a first-class product path: connect to existing
|
||||||
systems, consume their data, and publish governed outputs back to them.
|
systems, consume their data, and publish governed outputs back to them.
|
||||||
- GovOPlaN should scale from a small local installation to a larger deployment
|
- GovOPlaN should scale from a small local installation to a larger deployment
|
||||||
@@ -123,9 +141,12 @@ pattern exists.
|
|||||||
| Uploaded files and managed storage | `govoplan-files` |
|
| Uploaded files and managed storage | `govoplan-files` |
|
||||||
| Case record and lifecycle | `govoplan-cases` |
|
| Case record and lifecycle | `govoplan-cases` |
|
||||||
| Workflow transitions and automation | `govoplan-workflow` |
|
| Workflow transitions and automation | `govoplan-workflow` |
|
||||||
|
| Action/effect catalogue and automation runner | first `govoplan-workflow`; possible future `govoplan-automation` if it outgrows workflow |
|
||||||
| Internal work queues and tasks | `govoplan-tasks` |
|
| Internal work queues and tasks | `govoplan-tasks` |
|
||||||
| Appointment proposals and booking | `govoplan-appointments`, `govoplan-calendar` |
|
| Appointment proposals and booking | `govoplan-appointments`, `govoplan-calendar` |
|
||||||
| Postbox, email, and notifications | `govoplan-mail`, `govoplan-notifications` |
|
| Postbox, email, and notifications | `govoplan-postbox`, `govoplan-mail`, `govoplan-notifications` |
|
||||||
|
| Identity trust, device keys, and encrypted postbox key contracts | `govoplan-identity-trust`, `govoplan-access`, `govoplan-postbox` |
|
||||||
|
| Service directory/catalog | `govoplan-portal` |
|
||||||
| Permit/document generation | `govoplan-templates`, `govoplan-dms` |
|
| Permit/document generation | `govoplan-templates`, `govoplan-dms` |
|
||||||
| Payment capture and accounting handoff | `govoplan-payments`, `govoplan-ledger` |
|
| Payment capture and accounting handoff | `govoplan-payments`, `govoplan-ledger` |
|
||||||
| Roles, permissions, tenants, policy, audit | `govoplan-access`, `govoplan-tenancy`, `govoplan-policy`, `govoplan-audit` |
|
| Roles, permissions, tenants, policy, audit | `govoplan-access`, `govoplan-tenancy`, `govoplan-policy`, `govoplan-audit` |
|
||||||
@@ -235,8 +256,10 @@ Refine:
|
|||||||
- `govoplan-core`: module discovery, capabilities, events, migrations, release
|
- `govoplan-core`: module discovery, capabilities, events, migrations, release
|
||||||
catalog, configuration package runtime, WebUI shell.
|
catalog, configuration package runtime, WebUI shell.
|
||||||
- `govoplan-access`: identities, sessions, API keys, users, groups, roles,
|
- `govoplan-access`: identities, sessions, API keys, users, groups, roles,
|
||||||
memberships, RBAC decisions.
|
memberships, function assignments, delegation, RBAC decisions.
|
||||||
- `govoplan-tenancy`: tenant and organizational-unit boundaries.
|
- `govoplan-tenancy`: tenant and organizational-unit boundaries.
|
||||||
|
- `govoplan-identity-trust`: initial trust contracts for device keys, public key
|
||||||
|
directory, assurance, and later encrypted postbox key access.
|
||||||
- `govoplan-policy`: policy sources, policy decisions, retention inputs.
|
- `govoplan-policy`: policy sources, policy decisions, retention inputs.
|
||||||
- `govoplan-audit`: audit sink, audit routes, trace context, retention
|
- `govoplan-audit`: audit sink, audit routes, trace context, retention
|
||||||
cooperation.
|
cooperation.
|
||||||
@@ -254,6 +277,10 @@ Exit criteria:
|
|||||||
- module enablement and capability lookup are stable
|
- module enablement and capability lookup are stable
|
||||||
- configuration package preflight works for at least one simple package
|
- configuration package preflight works for at least one simple package
|
||||||
- audit and policy decisions are visible in admin flows
|
- audit and policy decisions are visible in admin flows
|
||||||
|
- access distinguishes identity, account, function, role, and right in durable
|
||||||
|
contracts
|
||||||
|
- action/effect automation contracts are specified before hidden side effects
|
||||||
|
spread across modules
|
||||||
- docs can show installed/enabled modules and configured routes
|
- docs can show installed/enabled modules and configured routes
|
||||||
|
|
||||||
### Wave 1: Permit-To-Payment MVP
|
### Wave 1: Permit-To-Payment MVP
|
||||||
@@ -274,7 +301,8 @@ Create or refine in this order:
|
|||||||
6. `govoplan-tasks`: work queues, assignments, due dates, and follow-ups.
|
6. `govoplan-tasks`: work queues, assignments, due dates, and follow-ups.
|
||||||
7. `govoplan-templates`: permit/decision document generation.
|
7. `govoplan-templates`: permit/decision document generation.
|
||||||
8. `govoplan-postbox`, `govoplan-mail`, `govoplan-notifications`: applicant and
|
8. `govoplan-postbox`, `govoplan-mail`, `govoplan-notifications`: applicant and
|
||||||
internal communication.
|
internal communication, with the postbox model compatible with later E2EE
|
||||||
|
and role-bound access.
|
||||||
9. `govoplan-calendar`, `govoplan-appointments`, `govoplan-booking`: appointment
|
9. `govoplan-calendar`, `govoplan-appointments`, `govoplan-booking`: appointment
|
||||||
or booking handoff for the reference process.
|
or booking handoff for the reference process.
|
||||||
10. `govoplan-payments`, `govoplan-ledger`, `govoplan-xrechnung`: payment
|
10. `govoplan-payments`, `govoplan-ledger`, `govoplan-xrechnung`: payment
|
||||||
@@ -528,7 +556,8 @@ Defer these until a reference journey proves the need:
|
|||||||
- broad BI/dataflow platform
|
- broad BI/dataflow platform
|
||||||
- every possible public-sector protocol adapter
|
- every possible public-sector protocol adapter
|
||||||
- rich LMS behavior beyond training administration
|
- rich LMS behavior beyond training administration
|
||||||
- advanced digital signing and trust features beyond certificate verification
|
- full qualified digital signing/trust services beyond the identity-trust and
|
||||||
|
encrypted-postbox contracts needed for early architecture safety
|
||||||
- mobile apps
|
- mobile apps
|
||||||
- AI assistants embedded into workflows
|
- AI assistants embedded into workflows
|
||||||
|
|
||||||
@@ -546,6 +575,12 @@ repositories or to explicit missing-module decisions.
|
|||||||
| Permit-to-payment configuration package | `govoplan-core` plus participating modules | `add-ideas/govoplan-core#214` |
|
| Permit-to-payment configuration package | `govoplan-core` plus participating modules | `add-ideas/govoplan-core#214` |
|
||||||
| Fully UI-managed configuration with safety controls | `govoplan-admin`, `govoplan-core`, `govoplan-policy`, `govoplan-access`, `govoplan-audit` | `add-ideas/govoplan-core#218` |
|
| Fully UI-managed configuration with safety controls | `govoplan-admin`, `govoplan-core`, `govoplan-policy`, `govoplan-access`, `govoplan-audit` | `add-ideas/govoplan-core#218` |
|
||||||
| Access as a module | `govoplan-access` | `add-ideas/govoplan-access#7` |
|
| Access as a module | `govoplan-access` | `add-ideas/govoplan-access#7` |
|
||||||
|
| Interface ethics and decision-consequence doctrine | `govoplan-core` plus all UI-owning modules | `add-ideas/govoplan-core#227` |
|
||||||
|
| Action/effect automation layer | first `govoplan-workflow`; possible future `govoplan-automation` | `add-ideas/govoplan-workflow#1` |
|
||||||
|
| E2EE role/function postbox architecture | `govoplan-postbox`, `govoplan-identity-trust`, `govoplan-access`, `govoplan-policy`, `govoplan-audit` | `add-ideas/govoplan-postbox#15`, `add-ideas/govoplan-identity-trust#1` |
|
||||||
|
| Identity, account, function, role, right semantic model | `govoplan-access` | `add-ideas/govoplan-access#9` |
|
||||||
|
| Role-based service directory/catalog | `govoplan-portal` | `add-ideas/govoplan-portal#1` |
|
||||||
|
| Unified inbox across tasks, postbox, notifications, and portal | `govoplan-core` coordination plus owning modules | `add-ideas/govoplan-tasks#1`, `add-ideas/govoplan-notifications#1` |
|
||||||
| OpenProject API / project management connector | `govoplan-connectors` | `add-ideas/govoplan-connectors#1` |
|
| OpenProject API / project management connector | `govoplan-connectors` | `add-ideas/govoplan-connectors#1` |
|
||||||
| Native project-management module decision | connector-first through `govoplan-connectors`; no native project module yet | `add-ideas/govoplan-core#196`, `add-ideas/govoplan-connectors#1` |
|
| Native project-management module decision | connector-first through `govoplan-connectors`; no native project module yet | `add-ideas/govoplan-core#196`, `add-ideas/govoplan-connectors#1` |
|
||||||
| Datasources for databases, CSV, files, APIs | no repository yet; start with connectors/files/reporting and create `govoplan-datasources` only after the first package proves shared source-catalog ownership | `add-ideas/govoplan-core#197` |
|
| Datasources for databases, CSV, files, APIs | no repository yet; start with connectors/files/reporting and create `govoplan-datasources` only after the first package proves shared source-catalog ownership | `add-ideas/govoplan-core#197` |
|
||||||
@@ -561,6 +596,7 @@ repositories or to explicit missing-module decisions.
|
|||||||
| Connectors module concept | `govoplan-connectors` | `add-ideas/govoplan-core#176` |
|
| Connectors module concept | `govoplan-connectors` | `add-ideas/govoplan-core#176` |
|
||||||
| Adrema-style address and distribution-list management | `govoplan-addresses` | `add-ideas/govoplan-addresses#1` |
|
| Adrema-style address and distribution-list management | `govoplan-addresses` | `add-ideas/govoplan-addresses#1` |
|
||||||
| Consume sources and become a governed source | `govoplan-connectors` plus possible future `govoplan-dataflow` | `add-ideas/govoplan-connectors#3`, `add-ideas/govoplan-core#198` |
|
| Consume sources and become a governed source | `govoplan-connectors` plus possible future `govoplan-dataflow` | `add-ideas/govoplan-connectors#3`, `add-ideas/govoplan-core#198` |
|
||||||
|
| Governed connector configuration, dry-run, and simulation runtime | `govoplan-connectors` | `add-ideas/govoplan-connectors#6` |
|
||||||
| Terminfindung and meeting scheduling polls | `govoplan-scheduling`; calendar primitives remain in calendar | `add-ideas/govoplan-core#193`, `add-ideas/govoplan-scheduling#1` |
|
| Terminfindung and meeting scheduling polls | `govoplan-scheduling`; calendar primitives remain in calendar | `add-ideas/govoplan-core#193`, `add-ideas/govoplan-scheduling#1` |
|
||||||
| Terminplaner and calendar primitives | `govoplan-calendar` | `add-ideas/govoplan-core#193`, `add-ideas/govoplan-calendar#1` |
|
| Terminplaner and calendar primitives | `govoplan-calendar` | `add-ideas/govoplan-core#193`, `add-ideas/govoplan-calendar#1` |
|
||||||
| Terminbuchung appointment booking | `govoplan-appointments` | `add-ideas/govoplan-core#193`, `add-ideas/govoplan-appointments#1` |
|
| Terminbuchung appointment booking | `govoplan-appointments` | `add-ideas/govoplan-core#193`, `add-ideas/govoplan-appointments#1` |
|
||||||
@@ -589,6 +625,10 @@ Boundary rationale lives in `MODULE_ARCHITECTURE.md`. Current decisions:
|
|||||||
- OpenProject is connector-first; no native projects module yet
|
- OpenProject is connector-first; no native projects module yet
|
||||||
- public-sector integration strategy stays in core; executable catalogue work
|
- public-sector integration strategy stays in core; executable catalogue work
|
||||||
lives in connectors
|
lives in connectors
|
||||||
|
- encrypted postbox and identity-trust are strategic contracts, not mail-module
|
||||||
|
behavior
|
||||||
|
- automation starts as workflow-owned action/effect execution and may split into
|
||||||
|
a dedicated module only after the runner becomes broader than workflow
|
||||||
|
|
||||||
The following modules are intentionally not created yet:
|
The following modules are intentionally not created yet:
|
||||||
|
|
||||||
|
|||||||
109
Repo-docs-INTERFACE-ETHICS-AND-DESIGN-DOCTRINE.md
Normal file
109
Repo-docs-INTERFACE-ETHICS-AND-DESIGN-DOCTRINE.md
Normal file
@@ -0,0 +1,109 @@
|
|||||||
|
<!-- codex-wiki-sync:8e1b1902044c7daf16abdb05 -->
|
||||||
|
|
||||||
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/INTERFACE_ETHICS_AND_DESIGN_DOCTRINE.md`.
|
||||||
|
> Origin: `repository`.
|
||||||
|
> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
|
||||||
|
|
||||||
|
---
|
||||||
|
# GovOPlaN Interface Ethics And Design Doctrine
|
||||||
|
|
||||||
|
This document captures the product-level design doctrine for GovOPlaN. It is
|
||||||
|
more durable than an individual screen design and should guide admin,
|
||||||
|
configuration, workflow, policy, portal, and operational UI decisions.
|
||||||
|
|
||||||
|
GovOPlaN is meant to support administrative responsibility. The interface must
|
||||||
|
therefore make context, decision, consequence, and traceability visible enough
|
||||||
|
that users can act deliberately instead of being pushed through opaque
|
||||||
|
automation.
|
||||||
|
|
||||||
|
## Core Doctrine
|
||||||
|
|
||||||
|
1. Context, decision, and consequence belong together.
|
||||||
|
2. Decisions should not silently happen.
|
||||||
|
3. Transparency comes before convenience when rights, duties, records, money,
|
||||||
|
access, or legal effects are involved.
|
||||||
|
4. Explicit state is preferable to implicit state.
|
||||||
|
5. Navigation is not consent.
|
||||||
|
6. Responsibility cannot be delegated to the system.
|
||||||
|
7. Traceability is part of the action, not a later reporting feature.
|
||||||
|
8. Context loss is a product defect.
|
||||||
|
|
||||||
|
These rules do not mean every screen should become verbose. They mean the
|
||||||
|
interface must expose the right explanation at the moment of decision and keep
|
||||||
|
technical detail available without making it the default surface.
|
||||||
|
|
||||||
|
## Decision Surface Contract
|
||||||
|
|
||||||
|
Any action that changes records, rights, policies, retention, communication,
|
||||||
|
payments, external systems, or workflow state should answer these questions
|
||||||
|
before execution:
|
||||||
|
|
||||||
|
- What object, person, organization, or process is affected?
|
||||||
|
- Which authority or role allows the actor to do this?
|
||||||
|
- What will change immediately?
|
||||||
|
- What downstream effects may happen?
|
||||||
|
- Can the action be undone, superseded, or only corrected later?
|
||||||
|
- What evidence or audit entry will be created?
|
||||||
|
- Which policy, configuration, or missing capability blocks the action?
|
||||||
|
- Who can resolve a blocker?
|
||||||
|
|
||||||
|
The answer may be shown through inline labels, a review step, a side panel, a
|
||||||
|
problem list, or a confirmation dialog. The important point is that consequence
|
||||||
|
and responsibility are not hidden behind a generic submit button.
|
||||||
|
|
||||||
|
## Contestability
|
||||||
|
|
||||||
|
Administrative decisions are often contestable or reviewable. GovOPlaN should
|
||||||
|
therefore preserve the path from input to decision:
|
||||||
|
|
||||||
|
- source data and attachments
|
||||||
|
- workflow state and task assignment
|
||||||
|
- policy decisions and source path
|
||||||
|
- actor and delegation context
|
||||||
|
- generated document/template version
|
||||||
|
- external handoff result
|
||||||
|
- notification or postbox delivery evidence
|
||||||
|
- retention and record classification state
|
||||||
|
|
||||||
|
Where a user sees a decision, they should be able to reach the provenance that
|
||||||
|
explains how the system got there. This is especially important for denials,
|
||||||
|
locks, calculated defaults, generated documents, payment state, retention
|
||||||
|
state, and access decisions.
|
||||||
|
|
||||||
|
## Anti-Patterns
|
||||||
|
|
||||||
|
Avoid these patterns in GovOPlaN interfaces:
|
||||||
|
|
||||||
|
- Magical buttons that execute multiple side effects without preview.
|
||||||
|
- Process tunnels that hide where the user is in an administrative procedure.
|
||||||
|
- Silent automation that changes external systems without an audit-visible
|
||||||
|
command record.
|
||||||
|
- Friendly hiding that removes complexity at the cost of obscuring authority,
|
||||||
|
consequence, or accountability.
|
||||||
|
- Disabled controls without actionable explanation.
|
||||||
|
- Configuration screens that ask users to edit raw JSON as the normal path.
|
||||||
|
|
||||||
|
## Automation Rule
|
||||||
|
|
||||||
|
Automation must use the same governed action surface as a human actor. The
|
||||||
|
system may execute actions as a system actor, but it must still run through
|
||||||
|
policy checks, capability contracts, audit, idempotency, and failure handling.
|
||||||
|
|
||||||
|
When an automated decision is not clear, GovOPlaN should create a manual
|
||||||
|
exception, task, or review item instead of guessing silently.
|
||||||
|
|
||||||
|
## Relationship To UI Components
|
||||||
|
|
||||||
|
Shared components should make this doctrine easy to follow:
|
||||||
|
|
||||||
|
- preflight and problem-list components for blockers
|
||||||
|
- policy source path and effective decision displays
|
||||||
|
- action review panels for consequence preview
|
||||||
|
- audit/provenance links on decision outputs
|
||||||
|
- guided dialogs for risky configuration
|
||||||
|
- disabled-action explanations with actor and next step
|
||||||
|
- confirmation dialogs that distinguish reversible, corrective, and destructive
|
||||||
|
actions
|
||||||
|
|
||||||
|
The UI/UX decision ledger defines concrete implementation rules. This doctrine
|
||||||
|
defines why those rules exist.
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
<!-- codex-wiki-sync:704255187f2523e8832274ab -->
|
<!-- codex-wiki-sync:ef8e3029a6f4d806786e3d2a -->
|
||||||
|
|
||||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`.
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`.
|
||||||
> Origin: `repository`.
|
> Origin: `repository`.
|
||||||
@@ -139,15 +139,16 @@ published from `govoplan_access.auth`. Routers may import that public API for
|
|||||||
|
|
||||||
Current live table ownership:
|
Current live table ownership:
|
||||||
|
|
||||||
- `govoplan-tenancy`: `tenants`
|
- `govoplan-tenancy`: `tenancy_tenants`
|
||||||
- `govoplan-access`: `accounts`, `users`, `groups`, `roles`,
|
- `govoplan-access`: `access_accounts`, `access_users`, `access_groups`,
|
||||||
`system_role_assignments`, `user_group_memberships`,
|
`access_roles`, `access_system_role_assignments`,
|
||||||
`user_role_assignments`, `group_role_assignments`, `api_keys`,
|
`access_user_group_memberships`, `access_user_role_assignments`,
|
||||||
`auth_sessions`
|
`access_group_role_assignments`, `access_api_keys`,
|
||||||
- `govoplan-admin`: `governance_templates`,
|
`access_auth_sessions`
|
||||||
`governance_template_assignments`
|
- `govoplan-admin`: `admin_governance_templates`,
|
||||||
|
`admin_governance_template_assignments`
|
||||||
- `govoplan-audit`: `audit_log`
|
- `govoplan-audit`: `audit_log`
|
||||||
- `govoplan-core`: `system_settings`
|
- `govoplan-core`: `core_system_settings`
|
||||||
|
|
||||||
Current admin route ownership follows the same boundary: access contributes
|
Current admin route ownership follows the same boundary: access contributes
|
||||||
users, groups, roles, system accounts/roles, auth, sessions, and API-key
|
users, groups, roles, system accounts/roles, auth, sessions, and API-key
|
||||||
@@ -982,6 +983,13 @@ cd /mnt/DATA/git/govoplan-core
|
|||||||
./.venv/bin/python scripts/check_dependency_boundaries.py
|
./.venv/bin/python scripts/check_dependency_boundaries.py
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Focused module contract and permutation verification:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd /mnt/DATA/git/govoplan-core
|
||||||
|
bash scripts/check-module-matrix.sh
|
||||||
|
```
|
||||||
|
|
||||||
Core WebUI host verification:
|
Core WebUI host verification:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|||||||
141
Repo-docs-POSTBOX-E2EE-ARCHITECTURE.md
Normal file
141
Repo-docs-POSTBOX-E2EE-ARCHITECTURE.md
Normal file
@@ -0,0 +1,141 @@
|
|||||||
|
<!-- codex-wiki-sync:0bfa774c70e6377eec523d91 -->
|
||||||
|
|
||||||
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/POSTBOX_E2EE_ARCHITECTURE.md`.
|
||||||
|
> Origin: `repository`.
|
||||||
|
> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
|
||||||
|
|
||||||
|
---
|
||||||
|
# Postbox End-To-End Encryption Architecture
|
||||||
|
|
||||||
|
This document records the strategic encryption target for GovOPlaN postboxes.
|
||||||
|
It does not require the first postbox implementation to ship full E2EE, but it
|
||||||
|
defines the architecture so early data models and APIs do not make the stronger
|
||||||
|
model impossible.
|
||||||
|
|
||||||
|
The core principle is that a postbox can become a trusted administrative
|
||||||
|
communication channel without requiring the server to see plaintext content.
|
||||||
|
The server may route, store, authorize, audit, retain, and expire messages while
|
||||||
|
message bodies and attachments remain client-encrypted.
|
||||||
|
|
||||||
|
## Goals
|
||||||
|
|
||||||
|
- asynchronous encrypted delivery for internal and portal-facing postboxes
|
||||||
|
- personal, organizational, role-bound, and function-bound postboxes
|
||||||
|
- attachments encrypted with the message
|
||||||
|
- access based on current role/function membership when configured
|
||||||
|
- honest retraction and expiry semantics
|
||||||
|
- auditable key access, delivery, and fetch events
|
||||||
|
- support for external recipients without platform accounts
|
||||||
|
- replaceable identity and trust providers
|
||||||
|
|
||||||
|
## Envelope Model
|
||||||
|
|
||||||
|
The target model is envelope encryption:
|
||||||
|
|
||||||
|
- Generate one random data encryption key per message or attachment set.
|
||||||
|
- Encrypt content with an authenticated encryption algorithm.
|
||||||
|
- Wrap the data encryption key for each authorized recipient or role mailbox.
|
||||||
|
- Store only ciphertext, wrapped keys, signed manifests, and governed metadata
|
||||||
|
on the server.
|
||||||
|
|
||||||
|
Algorithm choices should remain replaceable behind a crypto profile. The first
|
||||||
|
profile should prefer standard, reviewed primitives such as HPKE for key
|
||||||
|
wrapping and AEAD encryption for content.
|
||||||
|
|
||||||
|
## Identity And Device Keys
|
||||||
|
|
||||||
|
The platform should distinguish:
|
||||||
|
|
||||||
|
- account identity
|
||||||
|
- tenant membership
|
||||||
|
- role/function assignment
|
||||||
|
- device key
|
||||||
|
- postbox binding
|
||||||
|
|
||||||
|
Identity providers and directories can authenticate users and provide membership
|
||||||
|
facts, but they must not see postbox private keys or message plaintext.
|
||||||
|
|
||||||
|
The trust layer should provide:
|
||||||
|
|
||||||
|
- public key directory
|
||||||
|
- account or identity signing keys
|
||||||
|
- per-device encryption keys
|
||||||
|
- device registration and revocation
|
||||||
|
- key rotation and epoch tracking
|
||||||
|
- recovery policy hooks
|
||||||
|
|
||||||
|
## Role And Function Postboxes
|
||||||
|
|
||||||
|
Role-bound access needs special handling. A postbox can be bound to an
|
||||||
|
organizational unit and a role or function. Current members can access current
|
||||||
|
messages according to policy; former members should lose access to not-yet
|
||||||
|
fetched material when revocation is still technically enforceable.
|
||||||
|
|
||||||
|
The target design should support role encryption keys or an equivalent
|
||||||
|
rewrapping service:
|
||||||
|
|
||||||
|
- sender encrypts the content key for the role/function postbox
|
||||||
|
- access service verifies current membership and required assurance
|
||||||
|
- trust service rewraps the content key to the actor's current device key
|
||||||
|
- audit records the key access decision and fetch event
|
||||||
|
|
||||||
|
Key epochs are required when role membership changes. Older messages may remain
|
||||||
|
readable according to policy, but new access must use the current epoch.
|
||||||
|
|
||||||
|
## External Recipients
|
||||||
|
|
||||||
|
External recipients may need one-time or time-limited access without a full
|
||||||
|
platform account. The target model should support capability links or invitation
|
||||||
|
tokens that are:
|
||||||
|
|
||||||
|
- scoped to specific message or attachment resources
|
||||||
|
- time-limited
|
||||||
|
- optionally one-time
|
||||||
|
- protected by an out-of-band secret, passphrase, or stronger external identity
|
||||||
|
proof
|
||||||
|
- revocable before key fetch
|
||||||
|
- fully audited
|
||||||
|
|
||||||
|
## Retraction Semantics
|
||||||
|
|
||||||
|
GovOPlaN should be honest about retraction.
|
||||||
|
|
||||||
|
Before a recipient fetches a key or decrypts content, the system can revoke
|
||||||
|
tokens, remove wrapped-key access, expire links, and delete ciphertext according
|
||||||
|
to retention policy.
|
||||||
|
|
||||||
|
After a recipient has decrypted or copied plaintext, the system cannot make the
|
||||||
|
recipient forget it. The platform can only record access, revoke future access,
|
||||||
|
notify parties, and apply legal or organizational controls.
|
||||||
|
|
||||||
|
The UI must explain this distinction whenever it offers expiry, retraction, or
|
||||||
|
message withdrawal.
|
||||||
|
|
||||||
|
## Server Responsibilities
|
||||||
|
|
||||||
|
The server remains important even when content is encrypted:
|
||||||
|
|
||||||
|
- store ciphertext and signed manifests
|
||||||
|
- store routing and policy metadata
|
||||||
|
- enforce access before key release or rewrapping
|
||||||
|
- provide public key directory access
|
||||||
|
- emit notifications without plaintext content
|
||||||
|
- record audit events
|
||||||
|
- enforce retention and expiry where possible
|
||||||
|
- expose diagnostics for delivery and key-access failures
|
||||||
|
|
||||||
|
## Module Ownership
|
||||||
|
|
||||||
|
- `govoplan-postbox` owns postbox bindings, postbox messages, message metadata,
|
||||||
|
and postbox UI.
|
||||||
|
- `govoplan-identity-trust` owns device keys, public key directory, key epochs,
|
||||||
|
and assurance integration.
|
||||||
|
- `govoplan-access` owns current identity, membership, function, delegation, and
|
||||||
|
permission decisions.
|
||||||
|
- `govoplan-policy` owns retention, retraction, and security policy decisions.
|
||||||
|
- `govoplan-audit` owns durable audit traces.
|
||||||
|
- `govoplan-files` owns managed file storage when encrypted postbox attachments
|
||||||
|
are backed by file objects.
|
||||||
|
|
||||||
|
No module should import another module's internals to decrypt content. All
|
||||||
|
interaction must use capabilities, DTOs, and audited service contracts.
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
<!-- codex-wiki-sync:c05642771c1033cf77380992 -->
|
<!-- codex-wiki-sync:fdd627b54750063ec1e0e28a -->
|
||||||
|
|
||||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/RELEASE_DEPENDENCIES.md`.
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/RELEASE_DEPENDENCIES.md`.
|
||||||
> Origin: `repository`.
|
> Origin: `repository`.
|
||||||
@@ -226,6 +226,20 @@ through deployment configuration. Fetching trusted keys from the same public
|
|||||||
origin as the catalog is convenient, but that origin must not become the only
|
origin as the catalog is convenient, but that origin must not become the only
|
||||||
trust root.
|
trust root.
|
||||||
|
|
||||||
|
## Dependency Audits
|
||||||
|
|
||||||
|
Dependency vulnerability checks are documented in
|
||||||
|
[`DEPENDENCY_AUDITS.md`](DEPENDENCY_AUDITS.md). The local audit runner is:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd /mnt/DATA/git/govoplan-core
|
||||||
|
bash scripts/check-dependency-audits.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
The Gitea workflow in `.gitea/workflows/dependency-audit.yml` runs the same
|
||||||
|
check against release dependency refs on pushes, pull requests, and a weekly
|
||||||
|
schedule.
|
||||||
|
|
||||||
Keyring entries support:
|
Keyring entries support:
|
||||||
|
|
||||||
- `key_id`
|
- `key_id`
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
<!-- codex-wiki-sync:fae974d5371b76359b3c4983 -->
|
<!-- codex-wiki-sync:91222f6c262bbdd968906192 -->
|
||||||
|
|
||||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/UI_UX_DECISION_LEDGER.md`.
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/UI_UX_DECISION_LEDGER.md`.
|
||||||
> Origin: `repository`.
|
> Origin: `repository`.
|
||||||
@@ -22,6 +22,11 @@ with every option at once. Non-technical users should be able to complete common
|
|||||||
workflows through guided, plain-language flows. Expert and diagnostic detail may
|
workflows through guided, plain-language flows. Expert and diagnostic detail may
|
||||||
exist, but it must be deliberately layered.
|
exist, but it must be deliberately layered.
|
||||||
|
|
||||||
|
The ethical design doctrine in `INTERFACE_ETHICS_AND_DESIGN_DOCTRINE.md` is the
|
||||||
|
normative baseline for this ledger. A screen can be visually quiet and still be
|
||||||
|
ethically complete only when it preserves context, consequence,
|
||||||
|
contestability, responsibility, and traceability at the point of action.
|
||||||
|
|
||||||
## Binding Decisions
|
## Binding Decisions
|
||||||
|
|
||||||
| ID | Decision | Status | Applies To |
|
| ID | Decision | Status | Applies To |
|
||||||
@@ -35,6 +40,11 @@ exist, but it must be deliberately layered.
|
|||||||
| UX-007 | Creation/editing should prefer modals or focused step flows when it reduces page clutter. Overview and comparison screens remain full-page. | Accepted | Settings/admin surfaces |
|
| UX-007 | Creation/editing should prefer modals or focused step flows when it reduces page clutter. Overview and comparison screens remain full-page. | Accepted | Settings/admin surfaces |
|
||||||
| UX-008 | Similar concepts must use shared placement and components: server/credential/policy rows, problem lists, review steps, advanced panels, confirmation modals, and empty/error states. | Accepted | Core WebUI and module WebUIs |
|
| UX-008 | Similar concepts must use shared placement and components: server/credential/policy rows, problem lists, review steps, advanced panels, confirmation modals, and empty/error states. | Accepted | Core WebUI and module WebUIs |
|
||||||
| UX-009 | Preflight and diagnostics are product UX. Validation, policy, permission, dependency, and capability failures must be written for operators before exposing internal details. | Accepted | Installer, connectors, policy, package import |
|
| UX-009 | Preflight and diagnostics are product UX. Validation, policy, permission, dependency, and capability failures must be written for operators before exposing internal details. | Accepted | Installer, connectors, policy, package import |
|
||||||
|
| UX-010 | Context, decision, and consequence must be visible together for actions that affect rights, duties, records, money, communication, retention, external systems, or workflow state. | Accepted | Workflow, admin, portal, policy, connector, records, payments |
|
||||||
|
| UX-011 | Navigation is not consent. Route changes, panel switches, and passive selection must not execute consequential actions without an explicit action surface. | Accepted | All WebUI surfaces |
|
||||||
|
| UX-012 | Automated actions must remain inspectable. The UI must show the system actor, trigger, policy result, observed effects, and failure/manual-intervention state when automation changes administrative state. | Accepted | Workflow, automation, connectors, tasks, audit |
|
||||||
|
| UX-013 | Contestable decisions must expose provenance. Denials, locks, generated outputs, calculated defaults, policy decisions, access decisions, and retention decisions need a reachable source path. | Accepted | Policy, access, templates, workflow, retention, records |
|
||||||
|
| UX-014 | Retraction, expiry, undo, rollback, and delete controls must state the real limit of the operation. Corrective or future-only actions must not be described as if they undo already observed effects. | Accepted | Postbox, files, records, installer, workflow, payments |
|
||||||
|
|
||||||
## Confirmed Implementation Decisions
|
## Confirmed Implementation Decisions
|
||||||
|
|
||||||
@@ -167,6 +177,8 @@ converted or reviewed.
|
|||||||
| Module install/uninstall | Operationally risky, currently inherently technical. | Operator wizard with preflight, maintenance, daemon handoff, review, and rollback explanation. |
|
| Module install/uninstall | Operationally risky, currently inherently technical. | Operator wizard with preflight, maintenance, daemon handoff, review, and rollback explanation. |
|
||||||
| Configuration packages | Could become package JSON editing. | Package catalog/import wizard using provider data requirements and problem lists. |
|
| Configuration packages | Could become package JSON editing. | Package catalog/import wizard using provider data requirements and problem lists. |
|
||||||
| Retention/privacy | High-risk settings need explanation and provenance. | Layered editor with plain-language consequences and review. |
|
| Retention/privacy | High-risk settings need explanation and provenance. | Layered editor with plain-language consequences and review. |
|
||||||
|
| Automation/workflow commands | Hidden side effects would undermine accountability. | Action/effect preview, system-actor display, command record, retry/quarantine/manual states, and audit links. |
|
||||||
|
| Postbox and encrypted communication | Retraction and access can be misunderstood. | Honest key-fetch/decryption state, expiry limits, recipient/device access provenance, and delivery evidence. |
|
||||||
| API keys | Security-sensitive creation and scope selection. | Scoped creation wizard, least-privilege suggestions, clear expiry/owner explanation. |
|
| API keys | Security-sensitive creation and scope selection. | Scoped creation wizard, least-privilege suggestions, clear expiry/owner explanation. |
|
||||||
| User settings | Needs clarity and persistence across profile/interface/preferences. | Simple settings sections with immediate feedback and no double-click navigation traps. |
|
| User settings | Needs clarity and persistence across profile/interface/preferences. | Simple settings sections with immediate feedback and no double-click navigation traps. |
|
||||||
|
|
||||||
@@ -185,6 +197,11 @@ Every new or changed admin/configuration surface should answer:
|
|||||||
help, and review?
|
help, and review?
|
||||||
- Is there a review or preflight step before broad, destructive, or risky
|
- Is there a review or preflight step before broad, destructive, or risky
|
||||||
changes?
|
changes?
|
||||||
|
- Does the action surface show consequence, reversibility, and audit evidence
|
||||||
|
when rights, duties, records, money, communication, external systems, or
|
||||||
|
workflow state are affected?
|
||||||
|
- If automation is involved, can the user see the trigger, system actor,
|
||||||
|
observed effects, and failure/manual-intervention state?
|
||||||
- Are technical details available without being the first thing the user sees?
|
- Are technical details available without being the first thing the user sees?
|
||||||
|
|
||||||
## Revision Rule
|
## Revision Rule
|
||||||
|
|||||||
78
Repo-docs-audits-2026-07-09-dependency-audit.md
Normal file
78
Repo-docs-audits-2026-07-09-dependency-audit.md
Normal file
@@ -0,0 +1,78 @@
|
|||||||
|
<!-- codex-wiki-sync:576ede02ac9fec1bc104f3eb -->
|
||||||
|
|
||||||
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`.
|
||||||
|
> Origin: `repository`.
|
||||||
|
> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
|
||||||
|
|
||||||
|
---
|
||||||
|
# Dependency Audit - 2026-07-09
|
||||||
|
|
||||||
|
Commands:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
cd /mnt/DATA/git/govoplan-core
|
||||||
|
bash scripts/check-dependency-audits.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
Status: remediated.
|
||||||
|
|
||||||
|
Initial result:
|
||||||
|
|
||||||
|
- Python audit failed: 24 advisories were reported across `cryptography`,
|
||||||
|
`pip`, `python-multipart`, `pyzipper`, and `starlette`.
|
||||||
|
- npm production audit passed: `npm audit --omit=dev` reported 0
|
||||||
|
vulnerabilities.
|
||||||
|
|
||||||
|
Python findings:
|
||||||
|
|
||||||
|
| Package | Installed | Advisory count | Minimum reported fix |
|
||||||
|
| --- | ---: | ---: | --- |
|
||||||
|
| `cryptography` | `44.0.0` | 5 | `48.0.1` |
|
||||||
|
| `pip` | `26.0.1` | 3 | `26.1.2` |
|
||||||
|
| `python-multipart` | `0.0.17` | 7 | `0.0.31` |
|
||||||
|
| `pyzipper` | `0.3.6` | 1 | `0.4.0` |
|
||||||
|
| `starlette` | `0.41.3` | 8 | `1.3.1` |
|
||||||
|
|
||||||
|
Private GovOPlaN packages were skipped by `pip-audit` because they are not
|
||||||
|
published on PyPI. That is expected for local editable development installs.
|
||||||
|
|
||||||
|
The remediation below upgrades those dependencies and records the compatibility
|
||||||
|
checks run against core, files, and campaign behavior.
|
||||||
|
|
||||||
|
## Remediation
|
||||||
|
|
||||||
|
Remediation applied on 2026-07-09:
|
||||||
|
|
||||||
|
- upgraded core's FastAPI floor to `fastapi>=0.139,<1`, resolving Starlette to
|
||||||
|
`starlette==1.3.1`
|
||||||
|
- upgraded core's cryptography floor to `cryptography>=48.0.1,<50`, resolving
|
||||||
|
to `cryptography==49.0.0`
|
||||||
|
- declared the files module upload parser dependency as
|
||||||
|
`python-multipart>=0.0.31,<1`, resolving to `python-multipart==0.0.32`
|
||||||
|
- upgraded the campaign ZIP dependency to `pyzipper>=0.4,<1`, resolving to
|
||||||
|
`pyzipper==0.4.0`
|
||||||
|
- upgraded the local audit environment to `pip==26.1.2`
|
||||||
|
- removed the obsolete local `govoplan-module-multimailer` editable install
|
||||||
|
from the audit environment so the audit reflects the split module product
|
||||||
|
|
||||||
|
Post-remediation result:
|
||||||
|
|
||||||
|
- `bash scripts/check-dependency-audits.sh`: passed, no known Python
|
||||||
|
vulnerabilities found and npm production audit reported 0 vulnerabilities.
|
||||||
|
- `python -m pip check`: passed.
|
||||||
|
- `bash scripts/check-module-matrix.sh`: passed.
|
||||||
|
- `python -m unittest tests.test_api_smoke`: passed.
|
||||||
|
- campaign encrypted/plain ZIP smoke with `pyzipper==0.4.0`: passed.
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
- `pip-audit` still reports private GovOPlaN packages as skipped because they
|
||||||
|
are not published on PyPI. That is expected for editable local development
|
||||||
|
installs.
|
||||||
|
- `httpx2>=2.5,<3` is included in development requirements so Starlette's
|
||||||
|
`TestClient` uses the non-deprecated backend. `httpx==0.28.1` remains in dev
|
||||||
|
requirements for tests that mock connector HTTP responses directly.
|
||||||
|
- Split-module API routers now use Starlette's renamed
|
||||||
|
`HTTP_422_UNPROCESSABLE_CONTENT` status constant. This preserves the 422
|
||||||
|
status code while avoiding the deprecated `HTTP_422_UNPROCESSABLE_ENTITY`
|
||||||
|
alias.
|
||||||
Reference in New Issue
Block a user