Sync Product govoplan-split-concept-action-plan from project files
453
Product govoplan-split-concept-action-plan.-.md
Normal file
453
Product govoplan-split-concept-action-plan.-.md
Normal file
@@ -0,0 +1,453 @@
|
||||
<!-- codex-wiki-sync:a312d27742fc63ee61d3595a -->
|
||||
|
||||
> Mirrored from `/mnt/DATA/Nextcloud/ADD ideas UG/Products/govoplan/split-concept-action-plan.md`.
|
||||
> Origin: `product:govoplan`.
|
||||
> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
|
||||
|
||||
---
|
||||
# GovOPlaN Split Concept and Action Plan
|
||||
|
||||
Source: `split.md`
|
||||
|
||||
## Executive Concept
|
||||
|
||||
GovOPlaN should become a modular governance and workflow platform, not a monolithic Fachverfahren and not a thin event bus only.
|
||||
|
||||
The target structure is:
|
||||
|
||||
- **Kernel**: small platform runtime that composes modules.
|
||||
- **Platform modules**: cross-cutting capabilities such as access, tenancy, policy, audit, admin, operations.
|
||||
- **Service modules**: reusable capabilities such as files, mail, templates, recipients, notifications.
|
||||
- **Business modules**: public-sector workflows such as campaigns, cases, forms, approvals, appointments.
|
||||
- **Connector modules**: integrations with external public-sector systems and standards.
|
||||
|
||||
The core idea:
|
||||
|
||||
```text
|
||||
govoplan-kernel starts the platform.
|
||||
Installed modules register routes, models, migrations, permissions, UI routes, capabilities, and events.
|
||||
Modules cooperate through kernel contracts, not direct imports.
|
||||
```
|
||||
|
||||
This keeps every module independently installable while still allowing richer behavior when other modules are present.
|
||||
|
||||
## Target Architecture
|
||||
|
||||
### Kernel
|
||||
|
||||
The kernel owns only platform composition:
|
||||
|
||||
- app factory and server assembly
|
||||
- module discovery and registry
|
||||
- manifest validation
|
||||
- route aggregation
|
||||
- capability registry
|
||||
- command/event contracts
|
||||
- lifecycle hooks
|
||||
- configuration loading
|
||||
- database/session lifecycle
|
||||
- module migration orchestration
|
||||
- health and platform metadata
|
||||
- shared WebUI shell contracts
|
||||
- OpenAPI aggregation
|
||||
|
||||
The kernel must not own product semantics such as users, tenants, RBAC rules, audit policy, mail behavior, file behavior, or campaign behavior.
|
||||
|
||||
### Platform Modules
|
||||
|
||||
These are cross-cutting but still modules:
|
||||
|
||||
- `govoplan-access`: accounts, authentication, sessions, groups, memberships, RBAC, API keys, principal resolution, login adapters.
|
||||
- `govoplan-tenancy`: tenant registry, tenant lifecycle, tenant settings boundary, tenant switching, tenant deletion/erasure orchestration.
|
||||
- `govoplan-policy`: permission catalogue, hierarchical policy engine, delegation ceilings, explain decisions, impact simulation.
|
||||
- `govoplan-audit`: audit sink, audit queries, evidence exports, retention, compliance reports.
|
||||
- `govoplan-admin`: system/tenant admin UI and administrative workflows over access, tenancy, policy, audit, and operations.
|
||||
- `govoplan-ops`: monitoring, backup/restore, update/rollback, maintenance windows, system runbooks.
|
||||
|
||||
### Existing Service and Business Modules
|
||||
|
||||
Current modules keep their ownership:
|
||||
|
||||
- `govoplan-files`: managed files, file spaces, sharing, downloads, file metadata, future legal hold/version lock/DMS integration.
|
||||
- `govoplan-mail`: SMTP/IMAP profiles, credentials, mail policy, sending, append-to-Sent, mailbox views, future inbound mail-to-case.
|
||||
- `govoplan-campaign`: campaign authoring, validation, review/send control, reports, optional file/mail integration.
|
||||
|
||||
### Future Module Families
|
||||
|
||||
Recommended future modules:
|
||||
|
||||
- Work management: `govoplan-cases`, `govoplan-workflow`, `govoplan-tasks`, `govoplan-forms`, `govoplan-appointments`, `govoplan-templates`.
|
||||
- Communication/content: `govoplan-notifications`, expanded files/mail/campaign integrations.
|
||||
- Connectors: `govoplan-connectors`, `govoplan-fit-connect`, `govoplan-xoev`, `govoplan-xta-osci`, `govoplan-dms`, `govoplan-erp`, `govoplan-xrechnung`.
|
||||
- Citizen/public interaction: `govoplan-portal`, `govoplan-identity-trust`, `govoplan-payments`.
|
||||
- Insight/compliance: `govoplan-search`, `govoplan-reporting`, `govoplan-data-catalog`, `govoplan-compliance`.
|
||||
|
||||
## Non-Negotiable Design Principles
|
||||
|
||||
- Modules must run when optional sibling modules are physically absent.
|
||||
- Modules must not import optional module internals directly.
|
||||
- Optional behavior must go through kernel contracts: capabilities, metadata, registry queries, events, commands, and API boundaries.
|
||||
- Kernel owns database/session lifecycle and migration orchestration; modules own models and migrations.
|
||||
- Shared WebUI shell and generic components belong in core/kernel WebUI.
|
||||
- Module WebUI packages contribute nav/routes/pages through manifests and module contracts.
|
||||
- Every policy decision should be explainable, not just boolean.
|
||||
- Audit should subscribe to platform/domain events instead of being embedded in the kernel.
|
||||
- Production eventing should use an outbox pattern; in-process events are acceptable for local/dev.
|
||||
|
||||
## Staged Refactor Plan
|
||||
|
||||
### Phase 0: Stabilize Current Modular Baseline
|
||||
|
||||
Goal: make the current core/files/mail/campaign split reliable before deeper extraction.
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Document current module contract as the compatibility baseline.
|
||||
- [ ] Define which APIs are stable kernel contracts and which are temporary compatibility paths.
|
||||
- [ ] Add dependency-boundary checks that forbid direct optional module imports.
|
||||
- [ ] Keep module-matrix tests for core-only, files-only, mail-only, campaign-only, campaign+files, campaign+mail, full product.
|
||||
- [ ] Keep generated WebUI/test artifacts ignored.
|
||||
- [ ] Mark DataGrid work as explicitly deferred.
|
||||
|
||||
Acceptance criteria:
|
||||
|
||||
- Full product still runs.
|
||||
- Every supported module permutation builds and starts.
|
||||
- No optional module is required for another module to import.
|
||||
|
||||
### Phase 1: Freeze Kernel Contracts
|
||||
|
||||
Goal: make the kernel API explicit before extracting platform semantics.
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Move or clearly mark these as kernel-stable contracts:
|
||||
- `ModuleManifest`
|
||||
- `MigrationSpec`
|
||||
- capability factory contract
|
||||
- route factory contract
|
||||
- WebUI module contribution contract
|
||||
- resource ACL provider contract
|
||||
- tenant summary/delete-veto provider contract
|
||||
- lifecycle hook contract
|
||||
- event and command contracts
|
||||
- [ ] Add contract tests for manifests, route aggregation, migration registration, and capability discovery.
|
||||
- [ ] Add a documented deprecation policy for kernel API changes.
|
||||
- [ ] Add OpenAPI/route collision validation.
|
||||
- [ ] Add manifest schema/versioning.
|
||||
|
||||
Acceptance criteria:
|
||||
|
||||
- Modules can declare all backend and WebUI contributions without private imports.
|
||||
- The kernel can reject invalid manifests with actionable errors.
|
||||
|
||||
### Phase 2: Extract Access
|
||||
|
||||
Goal: turn current access/auth/RBAC functionality into a real platform module.
|
||||
|
||||
Target repository/package:
|
||||
|
||||
```text
|
||||
govoplan-access
|
||||
```
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Move accounts, authentication, sessions, API keys, groups, memberships, roles, role assignments, and principal resolution into access.
|
||||
- [ ] Keep compatibility imports under `govoplan_core.access.*` temporarily with deprecation warnings.
|
||||
- [ ] Move access permissions and default role templates into the access manifest.
|
||||
- [ ] Move access migrations into the access module migration registration.
|
||||
- [ ] Move login/session/admin access UI into access/admin module contributions.
|
||||
- [ ] Define `PrincipalResolver` and related protocols in the kernel.
|
||||
- [ ] Ensure core-only startup still works enough to show shell/health, but access is required for authenticated product use.
|
||||
|
||||
Acceptance criteria:
|
||||
|
||||
- Kernel imports no access models directly.
|
||||
- Access can be installed as a module and provides authentication/RBAC.
|
||||
- Existing login and admin flows still work through module routes/UI contributions.
|
||||
|
||||
### Phase 3: Extract Tenancy
|
||||
|
||||
Goal: separate tenant lifecycle from access identity.
|
||||
|
||||
Target repository/package:
|
||||
|
||||
```text
|
||||
govoplan-tenancy
|
||||
```
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Move tenant registry, tenant settings, tenant lifecycle, tenant switching, and tenant deletion orchestration into tenancy.
|
||||
- [ ] Keep memberships and role assignments in access.
|
||||
- [ ] Define `TenantResolver` and tenant-context protocols in the kernel.
|
||||
- [ ] Define tenant lifecycle events: created, suspended, resumed, deletion requested, erasure completed.
|
||||
- [ ] Add delete-veto orchestration through module providers.
|
||||
- [ ] Add tenant lifecycle tests with files/mail/campaign installed and absent.
|
||||
|
||||
Acceptance criteria:
|
||||
|
||||
- Tenant data ownership is clear.
|
||||
- Modules can register tenant delete-veto and cleanup behavior.
|
||||
- Access and tenancy interact through protocols/capabilities, not circular imports.
|
||||
|
||||
### Phase 4: Extract Policy
|
||||
|
||||
Goal: make policy the common decision engine for access, tenancy, mail, retention, campaign, files, and future modules.
|
||||
|
||||
Target repository/package:
|
||||
|
||||
```text
|
||||
govoplan-policy
|
||||
```
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Define a common `PolicyDecision` object with:
|
||||
- `allowed`
|
||||
- `reason`
|
||||
- `requirements`
|
||||
- `matched_permissions`
|
||||
- `denied_by`
|
||||
- `source_path`
|
||||
- `policy_version`
|
||||
- [ ] Move hierarchical policy evaluation into policy.
|
||||
- [ ] Move delegation ceilings and "more restrictive only" validation into policy.
|
||||
- [ ] Add explain endpoints and UI component contract for policy source paths.
|
||||
- [ ] Add policy simulation before destructive/limiting changes.
|
||||
- [ ] Move mail/retention effective policy display onto shared policy components.
|
||||
- [ ] Add regression tests for non-viable lower-level options being hidden or disabled.
|
||||
|
||||
Acceptance criteria:
|
||||
|
||||
- UI can explain "how we got here" for effective policy without module-specific logic.
|
||||
- Saving invalid policy states is prevented in the UI, not only rejected by backend.
|
||||
- Policy changes can be simulated for impact before applying.
|
||||
|
||||
### Phase 5: Extract Audit
|
||||
|
||||
Goal: make audit an event-consuming platform module.
|
||||
|
||||
Target repository/package:
|
||||
|
||||
```text
|
||||
govoplan-audit
|
||||
```
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Define typed `PlatformEvent` envelope with actor, tenant, subject, resource, correlation, causation, classification, and payload.
|
||||
- [ ] Separate command bus from event bus.
|
||||
- [ ] Introduce outbox table and dispatcher for production-safe event delivery.
|
||||
- [ ] Move audit log storage/query/export into audit module.
|
||||
- [ ] Add event producers for access, tenancy, policy, files, mail, and campaign actions.
|
||||
- [ ] Add evidence bundle export as a later audit capability.
|
||||
|
||||
Acceptance criteria:
|
||||
|
||||
- Kernel does not own audit storage.
|
||||
- Audit records are produced by module events.
|
||||
- Events can be correlated across cases/files/mail/campaign/connectors.
|
||||
|
||||
### Phase 6: Split Admin UI
|
||||
|
||||
Goal: avoid one central admin page owning all platform semantics.
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Define admin route/nav contribution contract.
|
||||
- [ ] Move access admin pages to access module.
|
||||
- [ ] Move tenant admin pages to tenancy module.
|
||||
- [ ] Move policy admin pages to policy module.
|
||||
- [ ] Move audit admin pages to audit module.
|
||||
- [ ] Keep only shell-level admin layout and module aggregation in kernel/core WebUI.
|
||||
|
||||
Acceptance criteria:
|
||||
|
||||
- Installing a platform module contributes its admin pages.
|
||||
- Removing a module removes its admin pages without broken imports/routes.
|
||||
|
||||
### Phase 7: CI and Dependency Enforcement
|
||||
|
||||
Goal: make modularity enforceable.
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Add module permutation backend startup tests.
|
||||
- [ ] Add WebUI module permutation builds.
|
||||
- [ ] Add dependency import linting:
|
||||
- campaign must not directly import files/mail internals except through explicit optional adapters/capabilities.
|
||||
- files must not directly require campaign.
|
||||
- mail must not directly require campaign.
|
||||
- kernel must not import product/business module internals.
|
||||
- [ ] Add migration registration tests.
|
||||
- [ ] Add manifest schema tests.
|
||||
- [ ] Add compatibility import tests until old paths are removed.
|
||||
|
||||
Acceptance criteria:
|
||||
|
||||
- CI fails when optional module boundaries are violated.
|
||||
- CI proves each intended product composition can run.
|
||||
|
||||
## Product Roadmap
|
||||
|
||||
### Milestone A: Clean Platform Split
|
||||
|
||||
Priority: highest.
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Kernel contract freeze.
|
||||
- [ ] Access extraction.
|
||||
- [ ] Tenancy extraction.
|
||||
- [ ] Policy extraction.
|
||||
- [ ] Audit extraction.
|
||||
- [ ] Module-matrix CI.
|
||||
- [ ] Compatibility/deprecation plan.
|
||||
|
||||
Outcome:
|
||||
|
||||
GovOPlaN becomes a stable modular platform rather than a core-heavy product.
|
||||
|
||||
### Milestone B: Daily Administrative Work
|
||||
|
||||
Priority: next after clean split.
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Create `govoplan-cases` concept and MVP.
|
||||
- [ ] Create `govoplan-tasks` concept and MVP.
|
||||
- [ ] Extract/generalize reusable workflow/review patterns into `govoplan-workflow`.
|
||||
- [ ] Add `govoplan-forms`.
|
||||
- [ ] Add `govoplan-templates`.
|
||||
- [ ] Add `govoplan-recipients` / `govoplan-address-book`.
|
||||
- [ ] Link existing files/mail/campaign to cases.
|
||||
|
||||
Outcome:
|
||||
|
||||
Municipalities, universities, and public-sector teams can use GovOPlaN for concrete daily work.
|
||||
|
||||
### Milestone C: Public-Sector Integration Platform
|
||||
|
||||
Priority: after work management MVP.
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Build `govoplan-connectors` registry and connector runtime.
|
||||
- [ ] Add FIT-Connect connector.
|
||||
- [ ] Add XÖV validation/mapping module.
|
||||
- [ ] Add DMS/eAkte connector.
|
||||
- [ ] Add ERP/finance connector.
|
||||
- [ ] Add XRechnung workflow.
|
||||
- [ ] Add IDM/LDAP/OIDC/SAML/SCIM provisioning.
|
||||
|
||||
Outcome:
|
||||
|
||||
GovOPlaN coordinates existing systems instead of replacing every specialist application.
|
||||
|
||||
### Milestone D: Governance Control Plane
|
||||
|
||||
Priority: after platform and integration foundations.
|
||||
|
||||
Action items:
|
||||
|
||||
- [ ] Cross-module reporting.
|
||||
- [ ] Permission-aware search.
|
||||
- [ ] Data catalogue.
|
||||
- [ ] Compliance workspace.
|
||||
- [ ] Evidence bundle verifier.
|
||||
- [ ] Policy impact analysis.
|
||||
- [ ] Destructive tenant erasure orchestration.
|
||||
- [ ] Operations governance dashboard.
|
||||
|
||||
Outcome:
|
||||
|
||||
GovOPlaN becomes a governance, audit, and compliance layer over administrative work.
|
||||
|
||||
## Immediate Backlog Items
|
||||
|
||||
### P0: Architecture Safety
|
||||
|
||||
- [ ] Write a concise kernel responsibility statement in `MODULE_ARCHITECTURE.md`.
|
||||
- [ ] Add "kernel must not own product semantics" as an architecture rule.
|
||||
- [ ] Add a dependency-boundary test or lint script.
|
||||
- [ ] Add backend startup tests for supported module permutations.
|
||||
- [ ] Add manifest schema/version validation.
|
||||
- [ ] Keep compatibility imports documented before extraction begins.
|
||||
|
||||
### P0: Access Extraction Prep
|
||||
|
||||
- [ ] Inventory all current `govoplan_core.access`, auth, user, account, group, API key, role, and permission imports.
|
||||
- [ ] Identify which imports belong to future `govoplan-access`.
|
||||
- [ ] Define `PrincipalResolver` protocol in kernel.
|
||||
- [ ] Define access module manifest target.
|
||||
- [ ] Create extraction checklist for models, migrations, routes, services, WebUI pages, and tests.
|
||||
|
||||
### P0: Policy Extraction Prep
|
||||
|
||||
- [ ] Inventory current mail, retention, RBAC, delegation, and governance policy logic.
|
||||
- [ ] Define shared `PolicyDecision`.
|
||||
- [ ] Define policy source path format.
|
||||
- [ ] Define backend explain endpoint shape.
|
||||
- [ ] Define frontend effective-policy component contract.
|
||||
- [ ] Add UI tests for blocked/disallowed lower-level policy choices.
|
||||
|
||||
### P0: Audit/Event Prep
|
||||
|
||||
- [ ] Define typed event envelope.
|
||||
- [ ] Decide command bus versus event bus API shape.
|
||||
- [ ] Add correlation/causation ID support.
|
||||
- [ ] Define audit module MVP boundaries.
|
||||
- [ ] Identify domain events from access, tenancy, policy, files, mail, campaign.
|
||||
|
||||
### P1: Tenancy Extraction Prep
|
||||
|
||||
- [ ] Inventory tenant model and tenant setting usage.
|
||||
- [ ] Define `TenantResolver` protocol.
|
||||
- [ ] Separate tenant lifecycle from membership/roles.
|
||||
- [ ] Define tenant deletion and module cleanup/veto contract.
|
||||
|
||||
### P1: Admin UI Split Prep
|
||||
|
||||
- [ ] Inventory admin pages by owning future module.
|
||||
- [ ] Define admin route contribution contract.
|
||||
- [ ] Move generic admin layout into core WebUI.
|
||||
- [ ] Keep module-specific admin panels in owning modules.
|
||||
|
||||
### P1: Existing Module Hardening
|
||||
|
||||
- [ ] Ensure campaign uses files/mail only through capabilities/metadata/API boundaries.
|
||||
- [ ] Ensure files does not require campaign.
|
||||
- [ ] Ensure mail does not require campaign.
|
||||
- [ ] Keep mailbox, mail policy, mail credential inheritance, and file storage behavior covered by focused tests.
|
||||
|
||||
### P2: Future Product Concepts
|
||||
|
||||
- [ ] Write `govoplan-cases` concept.
|
||||
- [ ] Write `govoplan-workflow` concept.
|
||||
- [ ] Write `govoplan-connectors` concept.
|
||||
- [ ] Write `govoplan-policy` concept.
|
||||
- [ ] Write `govoplan-audit` concept.
|
||||
- [ ] Write `govoplan-idm` concept.
|
||||
|
||||
## Key Decisions Needed
|
||||
|
||||
- [ ] Should `govoplan-core` be renamed conceptually to `govoplan-kernel`, while keeping package compatibility for now?
|
||||
- [ ] Is access required for any useful product startup, or should kernel-only expose only health/shell/config pages?
|
||||
- [ ] Should tenants be extracted before policy, or after access but before policy?
|
||||
- [ ] Should admin be one platform module or split across access/tenancy/policy/audit?
|
||||
- [ ] Which event transport is the first production target: DB outbox only, Redis/Celery, or pluggable dispatch?
|
||||
- [ ] Which future module comes first after platform cleanup: cases, workflow, or connectors?
|
||||
|
||||
## Recommended Next Step
|
||||
|
||||
Start with a small architecture-hardening milestone:
|
||||
|
||||
1. Update module architecture docs with the kernel/platform module model.
|
||||
2. Add dependency-boundary checks.
|
||||
3. Add missing backend module permutation startup tests.
|
||||
4. Inventory access/auth/RBAC imports.
|
||||
5. Draft the `govoplan-access` extraction plan.
|
||||
|
||||
Do not start by physically moving access, tenancy, policy, and audit all at once. The safe path is contract freeze first, then one extraction at a time.
|
||||
Reference in New Issue
Block a user