chore: sync GovOPlaN module split state

This commit is contained in:
2026-07-10 12:51:21 +02:00
parent 18e6c3eb9b
commit 13fd7fc3bd
50 changed files with 12678 additions and 1109 deletions

View File

@@ -53,6 +53,71 @@ does not import campaign internals; campaign share/existence checks use the core
Platform RBAC and governance rules are documented in `govoplan-core/docs/`.
Managed files can carry source provenance for connector and import workflows.
Upload callers may provide `source_provenance_json` and `source_revision`; the
module stores those values under file metadata, returns normalized
`source_provenance` and `source_revision` fields in file responses, and carries
them into managed campaign attachment matches for frozen execution evidence.
Connector policy preflight is available through
`POST /api/v1/files/connector-policy/evaluate`, and provenance-bearing uploads
can pass `connector_policy_json` to enforce the same policy before file content
is read. Policy payloads contain ordered `sources`; each source has
`scope_type`, optional `scope_id`, optional `label`, and a `policy` object. The
policy object supports `allow`/`allowlist`/`whitelist` and
`deny`/`denylist`/`blacklist` rules for `connectors`, `providers`,
`external_ids`, `external_paths`, and `external_urls`. Deny rules win across the
hierarchy; allow rules narrow access at each source that defines them.
Connector endpoint settings are exposed through governed connector profiles.
Profiles can be supplied as JSON through
`GOVOPLAN_FILES_CONNECTOR_PROFILES_JSON`, or from a JSON file path through
`GOVOPLAN_FILES_CONNECTOR_PROFILES_FILE`. Each profile has an `id`, `provider`,
`endpoint_url`, governance `scope_type`/`scope_id`, optional `capabilities`, and
credential references such as `password_env`, `token_env`, or `secret_ref`.
`GET /api/v1/files/connectors/profiles` returns only profiles visible to the
current principal (system, tenant, user, group, or accessible campaign scope) and
redacts secret values and environment variable names. Use the returned
`policy_sources` with connector policy preflight before importing files.
`GET /api/v1/files/connectors/providers` exposes provider descriptors for
Seafile, Nextcloud, WebDAV, SMB, NFS, and local filesystem connectors. The
descriptor declares implementation status, optional dependencies, permission
mapping, sync/index strategy, conflict handling, preview behavior, and audit
events so provider coverage remains visible without forcing every optional
protocol dependency to be installed.
`GET /api/v1/files/connectors/profiles/{profile_id}/browse` provides read-only
connector browsing. Browse entries use a shared `library`/`folder`/`file` shape,
run profile policy with the `browse` operation, and support Seafile,
WebDAV/Nextcloud, and SMB when the optional `smb` extra is installed. Seafile
profiles browse libraries and directories via Seafile's read-only API; profiles
can still opt into WebDAV browsing by setting `metadata.webdav_endpoint_url` or
`metadata.browse_protocol` to `webdav`.
`POST /api/v1/files/connectors/profiles/{profile_id}/import` imports a Seafile
or WebDAV/Nextcloud/SMB file into managed storage through the same governance,
conflict handling, source provenance, and connector audit path as direct
uploads. The Seafile provider uses account-token auth and the native file
download-link API; Nextcloud and generic WebDAV profiles use authenticated `GET`
requests against the configured WebDAV endpoint. SMB profiles use
`smb://server[:port]/share[/path]` endpoints and environment-backed credentials
through `smbprotocol`.
Local connector development assets live in `dev/connectors/`. The compose stack
boots Nextcloud, Seafile, WebDAV, and SMB endpoints for provider development and
manual interoperability testing.
Connector and collaboration ownership boundaries are documented in
`docs/CONNECTOR_BOUNDARY.md` and `docs/DOCUMENT_COLLABORATION_BOUNDARY.md`.
ZIP uploads are processed without buffering the whole archive in memory. The API
spools incoming ZIP request bodies to a bounded temporary file, then extracts
members with per-file and total extracted-size limits before storing managed
files.
Bulk rename and transfer APIs are owner-scoped: callers must provide the active
user or group file space with `owner_type` and `owner_id`. The storage layer
keeps a named legacy file-only helper for historical callers that lack owner
context, and regression tests cover its write-access checks.
## Release packaging
The repository root includes a `package.json` for git-based WebUI installs. It exports the package `@govoplan/files-webui` from `webui/src` so release builds can depend on tagged git refs instead of local `file:` paths.