diff --git a/Repo-docs-MODULE-ARCHITECTURE.-.md b/Repo-docs-MODULE-ARCHITECTURE.-.md index cf9a01e..f4d73b4 100644 --- a/Repo-docs-MODULE-ARCHITECTURE.-.md +++ b/Repo-docs-MODULE-ARCHITECTURE.-.md @@ -1,4 +1,4 @@ - + > Mirrored from `/mnt/DATA/git/govoplan-core/docs/MODULE_ARCHITECTURE.md`. > Origin: `repository`. @@ -86,18 +86,27 @@ Known access-related capability names are defined in - `access.permissionEvaluator` - `access.resourceAccess` - `access.tenantProvisioner` +- `access.administration` +- `access.governanceMaterializer` - `tenancy.tenantResolver` - `security.secretProvider` - `audit.sink` `govoplan-access` currently registers `access.principalResolver`, -`access.permissionEvaluator`, `access.directory`, and -`access.tenantProvisioner`. `govoplan-tenancy` registers -`tenancy.tenantResolver`. The minimal authenticated platform set is now -`tenancy` plus `access`; the registry inserts `tenancy` before `access` when -only feature modules are requested. Feature modules should prefer these -capabilities over direct reads of access/tenant ORM models when they need -labels, group membership, default access provisioning, or tenant metadata. +`access.permissionEvaluator`, `access.directory`, `access.tenantProvisioner`, +`access.administration`, and `access.governanceMaterializer`. +`govoplan-tenancy` registers `tenancy.tenantResolver`. The minimal +authenticated platform set is now `tenancy` plus `access`; the registry +inserts `tenancy` before `access` when only feature modules are requested. +Feature modules should prefer these capabilities over direct reads of +access/tenant ORM models when they need labels, group membership, default +access provisioning, counts, audit actor labels, or tenant metadata. + +FastAPI route dependencies for authenticated endpoints are access-owned and +published from `govoplan_access.backend.auth.dependencies`. Routers may import +that dependency module directly until a more generic request-principal adapter +exists; they must not import access ORM models or other access implementation +internals. Current live table ownership: @@ -115,7 +124,10 @@ Current admin route ownership follows the same boundary: access contributes users, groups, roles, system accounts/roles, auth, sessions, and API-key administration; tenancy contributes tenant registry/settings routes; admin contributes system settings, overview, and governance-template routes; audit -contributes audit-log routes. +contributes audit-log routes. Governance template metadata and assignment +routes live in `govoplan-admin`; materializing those templates into +access-owned groups and roles is performed by the +`access.governanceMaterializer` capability. Current admin WebUI ownership mirrors that route split. `govoplan-access` contributes the `/admin` route shell and admin nav item. Other platform modules @@ -314,6 +326,8 @@ The repository includes `scripts/check_dependency_boundaries.py`. It enforces th - access source may not import files/mail/campaign internals - feature modules may not import access implementation internals - feature modules may not add new direct imports of sibling feature modules +- FastAPI routers may import the published + `govoplan_access.backend.auth.dependencies` dependency API - the transitional allowlist is expected to stay empty Any future exception is extraction debt and must be temporary, documented in the