diff --git a/Repo-docs-ACCESS-EXTRACTION-PLAN.-.md b/Repo-docs-ACCESS-EXTRACTION-PLAN.-.md index 9d9af5f..a1b8c68 100644 --- a/Repo-docs-ACCESS-EXTRACTION-PLAN.-.md +++ b/Repo-docs-ACCESS-EXTRACTION-PLAN.-.md @@ -1,4 +1,4 @@ - + > Mirrored from `/mnt/DATA/git/govoplan-core/docs/ACCESS_EXTRACTION_PLAN.md`. > Origin: `repository`. @@ -75,9 +75,11 @@ The active implementation still uses core-owned models and services: - `src/govoplan_core/api/v1/audit.py` - `src/govoplan_core/db/bootstrap.py` -Core also still hosts WebUI access/admin/auth surfaces. Those should become -access/admin module route contributions once the backend ownership split is -stable. +Core still hosts the generic login/settings shell and shared WebUI primitives. +The legacy administration page has moved to the `govoplan-access` WebUI package +and is contributed as the `/admin` route by the access module. Individual admin +panels can now be split further into access, admin, tenancy, policy, and audit +WebUI contributions without changing the core shell route wiring again. ### Current Module Consumers @@ -243,19 +245,33 @@ Acceptance criteria: Move active identity/access models out of `govoplan_core.db.models`. +Current state: the stable table naming strategy is to keep legacy table names +and move SQLAlchemy class definitions under their platform owners. Core keeps +`govoplan_core.db.models` as a compatibility re-export. The earlier +`access_*` candidate tables are not active metadata. + +Current table ownership: + +- `govoplan-tenancy`: `tenants` +- `govoplan-access`: `accounts`, tenant memberships in `users`, `groups`, + `roles`, role/group assignment tables, `api_keys`, and `auth_sessions` +- `govoplan-admin`: governance templates and assignments +- `govoplan-audit`: audit log +- `govoplan-core`: system settings + Tasks: -- Decide the stable table naming strategy. -- Map legacy model names to access-owned model classes. -- Keep database table names where possible to avoid data migration churn. -- Add Alembic migration metadata owned by access. -- Keep compatibility aliases in core while modules migrate. -- Update bootstrap/create-all compatibility paths. +- [x] Decide the stable table naming strategy. +- [x] Map legacy model names to access-owned model classes. +- [x] Keep database table names where possible to avoid data migration churn. +- [x] Add Alembic migration metadata owned by the platform module owners. +- [x] Keep compatibility aliases in core while modules migrate. +- [x] Update bootstrap/create-all compatibility paths. Acceptance criteria: - Existing development databases migrate without data loss. -- New databases initialize with access-owned metadata. +- New databases initialize with module-owned metadata. - Core no longer owns live account/user/group/role/session/API-key model definitions except compatibility aliases. @@ -391,9 +407,12 @@ Acceptance criteria: - [x] Replace core `create_all` feature-model imports with module registry metadata discovery. - [x] Remove transitional boundary checker allowlist entries. -- [ ] Move legacy admin service and model ownership out of the access - compatibility implementation into access, tenancy, policy, audit, and core - settings modules. +- [x] Move live legacy model definitions out of core and into + `govoplan-access` while preserving existing table names. +- [x] Split the transitional access-owned legacy model graph further into + tenancy, audit, admin, access, and core settings ownership. +- [x] Reverse the tenancy/access dependency direction so `govoplan-access` + depends on `govoplan-tenancy`, and the registry inserts tenancy before access. - [x] Replace tenancy-to-access default role seeding with an access tenant-provisioner capability. - [x] Replace feature-module direct user/group/tenant model imports. @@ -402,7 +421,7 @@ Acceptance criteria: - [x] `govoplan-campaign` - [x] Replace files/mail/campaign direct cross-module SQL lookups with provider/capability contracts. -- [ ] Move access admin WebUI pages to module route contributions. +- [x] Move access admin WebUI pages to module route contributions. - [x] Remove transitional boundary checker allowlist entries as each contract lands. - [ ] Move campaign-scoped mail policy ownership fully behind an API/event @@ -413,12 +432,13 @@ Acceptance criteria: - Is `govoplan-access` required for any authenticated deployment, while core-only remains a diagnostics/settings shell? -- Should tenant models move with access first, or should `govoplan-tenancy` be - created before moving live models? -- Which table names must remain stable for painless migrations? +- Tenant models live in `govoplan-tenancy`; `govoplan-access` depends on + tenancy for authenticated platform composition. +- Historical table names remain stable for painless migrations. - Should secret encryption remain a kernel primitive or become an access-owned capability? -- Should audit move before policy provenance, or after access/tenancy are split? +- Audit log storage lives in `govoplan-audit`; policy provenance can build on + that module boundary. - How long should core keep compatibility route paths for existing clients? ## Verification