Commit Graph

906 Commits

Author SHA1 Message Date
Александр Зимин fe136c9b79 Merge branch 'fix/schema-editor-approval-aware' into 'main'
fix(ui): DictionaryEditorDialog disables Save when draft workflow needed

See merge request 2-6/2-6-4/terravault/ordinis!183
2026-05-14 12:33:43 +00:00
Александр Зимин 898cb345ec fix(ui): DictionaryEditorDialog disables Save when draft workflow needed 2026-05-14 12:33:43 +00:00
Александр Зимин 9ec723dd17 Merge branch 'feat/record-draft-audit-outbox' into 'main'
feat(drafts): audit + outbox для record-draft lifecycle (audit findings)

See merge request 2-6/2-6-4/terravault/ordinis!184
2026-05-14 12:32:06 +00:00
Александр Зимин 0003fb6801 feat(drafts): audit + outbox для record-draft lifecycle (audit findings) 2026-05-14 12:32:06 +00:00
Александр Зимин a7bda82724 Merge branch 'fix/approval-cascade-and-minrole' into 'main'
fix(approval): close 2 more bypass paths from security audit

See merge request 2-6/2-6-4/terravault/ordinis!182
2026-05-14 12:32:03 +00:00
Александр Зимин 4e0902706e fix(approval): close 2 more bypass paths from security audit 2026-05-14 12:32:03 +00:00
semantic-release-bot ce3b495561 chore(release): v2.23.1
## [2.23.1](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.23.0...v2.23.1) (2026-05-14)

### 🐛 Fixes

* **schema:** enforce approvalRequired on PUT /{name} + PATCH /{name}/schema ([018ebff](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/018ebff2072952828f6b5e7dbd6b19f204e0432a))
2026-05-14 12:15:02 +00:00
Александр Зимин 27c03c3e58 Merge branch 'fix/schema-edit-approval-gate' into 'main'
fix(schema): enforce approvalRequired on PUT/PATCH schema endpoints

See merge request 2-6/2-6-4/terravault/ordinis!181
2026-05-14 12:07:24 +00:00
Andrei Zimin 018ebff207 fix(schema): enforce approvalRequired on PUT /{name} + PATCH /{name}/schema
Reported 2026-05-14: editing schema on an approvalRequired dictionary
applied inline without going through the schema-draft maker-checker
workflow. Two endpoints both lacked the gate that DictionaryRecordService
already had for record CRUD:

1. PUT /api/v1/admin/dictionaries/{name}
   (frontend SchemaDrivenForm "edit schema" save button hits this).
   DictionaryDefinitionService.updateSchema overwrote schemaJson directly.
   Bonus backdoor: same request could simultaneously flip
   approvalRequired:true→false and rewrite the schema in one transaction
   — review-bypass via toggle.

2. PATCH /api/v1/admin/dictionaries/{name}/schema (inline non-breaking
   patch — description / title / minimum / maximum / enum-add). Frontend
   doesn't currently call this, but backend exposed it without a gate.

Both now reject with `422 approval_required` carrying the schema-drafts
URL in the message. Frontend's existing serverErrorMessage in
DictionaryEditorDialog already surfaces backend `message` to the user,
so no UI changes needed for correctness. UX polish (hide "Save" /
show "Create draft" CTA when approvalRequired=true) is a follow-up.

The PUT gate is narrow on purpose: schemaChanged OR approvalRequired
toggle-off. Pure metadata edits (display name, description, locales,
projection flag) on an approvalRequired dict still go through inline
— those don't affect record validation, no review needed.
2026-05-14 15:05:09 +03:00
semantic-release-bot 7202265da1 chore(release): v2.23.0
## [2.23.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.22.1...v2.23.0) (2026-05-14)

###  Features

* **user-display:** KeycloakAdminUserResolver — Phase 2 on-demand lookup ([83caf9c](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/83caf9c3c80e947dc3ad4ff46a194903192ca1f3))
* **user-display:** persistent DB cache + Keycloak resolver hook (Phase 1+2 wiring) ([ec0c74a](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/ec0c74afdf627eab43310c987f009a7a3a1a89d4))

### 🐛 Fixes

* **ui:** UserCell в changelog/events/history — ещё 6 мест ([455ca2f](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/455ca2ff264f4955b5c5b1259c11ce4c3fdd48ce))
2026-05-14 12:00:15 +00:00
Александр Зимин a73549d38d Merge branch 'feat/user-display-persistent-cache' into 'main'
feat(user-display): persistent DB cache + Keycloak Admin lookup (Phase 1+2)

See merge request 2-6/2-6-4/terravault/ordinis!180
2026-05-14 11:52:20 +00:00
Andrei Zimin 83caf9c3c8 feat(user-display): KeycloakAdminUserResolver — Phase 2 on-demand lookup
Implements the Phase 2 hook from the previous commit. With this in
place, UserDisplayService.find chains:

  hot cache → DB (user_display_cache) → Keycloak Admin API

so any realm user resolves on first display, even if they never made
an authenticated request to ordinis. The resolved entry is persisted
via UserDisplayService.upsert with source=KEYCLOAK_ON_DEMAND, so the
next render of the same sub hits the DB tier (~ms) instead of going
back to Keycloak.

Implementation notes:

- Spring RestClient (modern blocking HTTP, replaces RestTemplate).
- client_credentials grant against
  {issuer}/realms/{realm}/protocol/openid-connect/token. Token cached
  in-memory minus a 30s safety margin from `expires_in`.
- 401 on user lookup wipes the cached token and surfaces a
  RuntimeException, so the next resolve refetches.
- 404 on user lookup → Optional.empty (definitive miss, sub not in
  realm). UserDisplayService logs and the caller falls back to short
  UUID. Negative cache TTL not implemented — added complexity not
  justified for the current realm size (~50 users).
- Bean activated only when ordinis.keycloak.admin.enabled=true AND
  the env vars are set. Default disabled — UserDisplayService treats
  KeycloakUserResolver as @Autowired(required = false), so a
  deployment without Keycloak admin creds keeps the previous behavior
  (DB cache only) instead of crashing on startup.

Application config:
- ORDINIS_KEYCLOAK_ADMIN_ENABLED      (false by default)
- ORDINIS_KEYCLOAK_ADMIN_URL          e.g. https://auth.nstart.space
- ORDINIS_KEYCLOAK_ADMIN_REALM        defaults to nstart
- ORDINIS_KEYCLOAK_ADMIN_CLIENT_ID    via vault (see docs-internal/keycloak-admin-setup.md)
- ORDINIS_KEYCLOAK_ADMIN_CLIENT_SECRET via vault

Setup runbook (docs-internal/keycloak-admin-setup.md) covers:
- creating the Keycloak service-account client + assigning view-users
- writing the secret into both vault instances (different per env)
- wiring vault.hashicorp.com agent-inject annotations into the chart
- verification steps + common failure modes

Phase 3 (scheduled bulk sync) is documented at the end of the runbook
but deferred — depends on observed cache miss rate after this lands.
2026-05-14 14:47:49 +03:00
Andrei Zimin ec0c74afdf feat(user-display): persistent DB cache + Keycloak resolver hook (Phase 1+2 wiring)
Closes "ток мой UUID отображается" pain reported on staging today: any
reviewer / maker / publisher / actor whose JWT sub never landed in the
JVM cache shows up as a short UUID in audit / reviews / changelog /
events / history / record drawer / webhook detail / record version
history. Restart the pod and even captured users disappear.

Three-tier resolve, replacing the in-memory-only cache that was the
"Альтернатива (на будущее)" TODO in the original UserDisplayService:

  1. JVM ConcurrentHashMap hot cache (~µs, capped at 10k).
  2. user_display_cache Postgres table (~ms, persistent across restart).
     New migration 0023 — sub PK + preferred_username + name + email +
     source enum + synced_at + updated_at, plus an index on synced_at
     for the scheduled bulk sync that lands later.
  3. Keycloak Admin API on-demand (Phase 2) — dispatched to optional
     KeycloakUserResolver bean. When the bean isn't wired (no Keycloak
     admin creds yet), the third tier is a no-op and UserCell falls
     back to short UUID exactly like before.

Source enum on every row — JWT_CAPTURE / KEYCLOAK_SYNC /
KEYCLOAK_ON_DEMAND — so the eventual scheduled sync can prefer JWT-
captured rows (richest claims as the user actually saw them) and the
on-demand fallback can be distinguished from bulk sync in audits.

JwtUserCaptureFilter and UserDisplayController are unchanged — they
already used UserDisplayService.put / find with the same signatures.
The behavior change is invisible at the API layer: same /admin/users/
{sub}/display endpoint, same 404 user_not_cached on miss; persistence
just survives pod restart now.

mergeFrom on UserDisplayCacheEntry deliberately keeps the existing
non-blank field when an update brings null — Keycloak sync may have a
richer email than JWT capture; don't blank it out.

Phase 2 will land a KeycloakAdminUserResolver impl + vault secret
plumbing on this same branch. Phase 3 (scheduled bulk sync via
@Scheduled) is a separate sprint — it needs the Keycloak admin client
already in place.
2026-05-14 14:45:14 +03:00
Andrei Zimin 455ca2ff26 fix(ui): UserCell в changelog/events/history — ещё 6 мест
После !178 (record drawer + RecordHistoryDrawer + webhook detail) ещё
осталось 6 точек где раньше рендерился UUID. Все они в "истории
словаря" и tab "События":

1. ChangelogDiffModal:57 — header "автор: <name>" в diff modal.
   Было: `{data.publishedBy.name}` (тип ChangelogPublisher.name —
   docstring буквально говорит "Backend пока эхает sub").
   Стало: <UserCell uuid={data.publishedBy.sub} />.

2. TimeTravelModal:686 — список изменений, имя автора рядом с датой.
3. TimeTravelModal:898 — RIGHT panel "История этой версии", dt/dd
   pair с автором.
4. TimeTravelModal ComparePanel:414 — "· {author}" suffix,
   author там DictionaryDetail.updatedBy (тоже UUID).

5. dictionaries.$name.tsx:2263 (events tab, EventsTabContent row) —
   `{r.userId ?? 'anonymous'}` raw. Сменил на UserCell для не-null
   userId, anonymous-fallback оставил без UserCell (нечего lookup'ать).

6. dictionaries.$name.tsx:2399 (history tab, HistoryTabContent entry)
   — `{entry.publishedBy.name}` raw.

Всё через тот же useUserDisplay hook что и в !177 — backend
endpoint /admin/users/{sub}/display + JwtUserCaptureFilter cache.
Если sub нет в cache, UserCell fallback'ит на shortened UUID
(текущее поведение из !177).

ChangelogPublisher type comment в src/api/client.ts уже намекал что
.name это placeholder — useUserDisplay теперь реально резолвит.
2026-05-14 14:33:20 +03:00
semantic-release-bot b5920e4d5f chore(release): v2.22.1
## [2.22.1](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.22.0...v2.22.1) (2026-05-14)

### 🐛 Fixes

* **ui:** wrap remaining UUIDs into UserCell — 3 missed spots ([93b2676](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/93b267699435d36c3bac9c465f400b60d6fcaa65))
2026-05-14 11:13:36 +00:00
Александр Зимин 1b1a9deb9f Merge branch 'fix/user-display-missed-spots' into 'main'
fix(ui): wrap remaining UUIDs into UserCell — 3 missed spots

See merge request 2-6/2-6-4/terravault/ordinis!178
2026-05-14 11:08:33 +00:00
Andrei Zimin 93b2676994 fix(ui): wrap remaining UUIDs into UserCell — 3 missed spots
MR !177 added /admin/users/{sub}/display + UserCell + useUserDisplay,
but only some renderers were migrated. Three places still rendered
raw UUID strings:

1. reviews.tsx:466 — record draft drawer ("Согласование draft" header)
   showed `{draft.makerId}` raw. Tables on the same page already use
   <UserCell uuid={d.makerId} />. Verified via prod staging:
   soloviev.da approved a record draft today and the drawer header
   showed the maker as "77ec2cc8-98e3-4d70-8037-94038fcbde67" instead
   of the username.
2. RecordHistoryDrawer.tsx:110 — version history `updatedBy` raw.
3. webhooks.$id.tsx:235 — webhook subscription `createdBy` raw.

All three switched to <UserCell uuid={...} />, matching the existing
pattern. Added the import where missing. Wrapped each in
inline-flex so the UserCell sits next to the label cleanly.

No backend / API changes — same /admin/users/{sub}/display endpoint
populated by JwtUserCaptureFilter (MR !177).
2026-05-14 14:07:02 +03:00
semantic-release-bot 969395e00d chore(release): v2.22.0
## [2.22.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.21.0...v2.22.0) (2026-05-14)

###  Features

* **admin:** scope-gated audit и outbox endpoints ([da17930](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/da17930def89b2fea51be1b8e45b4e5fabe752d1))
* **approval:** enforce per-dictionary approvalMinRole (Phase 2) ([5187845](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/5187845047ba20a6306f5dce8a65f1d4889811fa))
* **records:** close / bulk-close через draft когда approvalRequired ([d66db60](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/d66db60b8496a218501ebade77ff68cc232849d4))
* **users:** /admin/users/{sub}/display endpoint + UserCell uses it ([be90077](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/be90077520607998078a3df5bb5fbe24f1a1bf6e))

### 🐛 Fixes

* **reviews:** friendly error в ReviewDrawer вместо AxiosError ([9436068](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/94360681b6d6412d9d0ae4c5dd4b69600274a034))

### 📝 Docs

* **rbac:** обновить RBAC sections после Phase 1d + Phase 2 ([c41e345](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/c41e34545b7a23e24c24196c06a7889724f63338))
2026-05-14 10:37:30 +00:00
Александр Зимин 95c2b46dd3 Merge branch 'feat/user-display-endpoint' into 'main'
feat(users): /admin/users/{sub}/display endpoint + UserCell uses it

See merge request 2-6/2-6-4/terravault/ordinis!177
2026-05-13 16:42:46 +00:00
Александр Зимин be90077520 feat(users): /admin/users/{sub}/display endpoint + UserCell uses it 2026-05-13 16:42:46 +00:00
Александр Зимин 0a9deb51bd Merge branch 'feat/admin-role-gate-audit-outbox-webhooks' into 'main'
feat(admin): scope-gated audit и outbox endpoints

See merge request 2-6/2-6-4/terravault/ordinis!176
2026-05-13 16:42:12 +00:00
Александр Зимин da17930def feat(admin): scope-gated audit и outbox endpoints 2026-05-13 16:42:11 +00:00
Александр Зимин c8d90930e3 Merge branch 'feat/phase2-approval-min-role-enforcement' into 'main'
feat(approval): enforce per-dictionary approvalMinRole (Phase 2)

See merge request 2-6/2-6-4/terravault/ordinis!172
2026-05-13 16:42:09 +00:00
Александр Зимин 5187845047 feat(approval): enforce per-dictionary approvalMinRole (Phase 2) 2026-05-13 16:42:09 +00:00
Александр Зимин 6188062c34 Merge branch 'feat/close-via-draft-when-approval-required' into 'main'
feat(records): close / bulk-close через draft когда approvalRequired

See merge request 2-6/2-6-4/terravault/ordinis!175
2026-05-13 16:41:09 +00:00
Александр Зимин d66db60b84 feat(records): close / bulk-close через draft когда approvalRequired 2026-05-13 16:41:09 +00:00
Александр Зимин b027c94e15 Merge branch 'fix/review-drawer-friendly-error' into 'main'
fix(reviews): friendly error в ReviewDrawer вместо AxiosError

See merge request 2-6/2-6-4/terravault/ordinis!173
2026-05-13 16:41:05 +00:00
Александр Зимин 94360681b6 fix(reviews): friendly error в ReviewDrawer вместо AxiosError 2026-05-13 16:41:05 +00:00
Александр Зимин ced69c4312 Merge branch 'docs/rbac-cleanup-and-composite-mapper-howto' into 'main'
docs(rbac): обновить RBAC sections после Phase 1d + Phase 2

See merge request 2-6/2-6-4/terravault/ordinis!174
2026-05-13 16:41:03 +00:00
Александр Зимин c41e34545b docs(rbac): обновить RBAC sections после Phase 1d + Phase 2 2026-05-13 16:41:03 +00:00
semantic-release-bot 0e165f69ca chore(release): v2.21.0
## [2.21.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.20.0...v2.21.0) (2026-05-13)

###  Features

* **records:** auto-route create/edit через draft когда approvalRequired ([6eb56cf](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/6eb56cffe4383d6d488fcd0a17f710b83b0a7585))
2026-05-13 15:34:51 +00:00
Александр Зимин 5629b85af7 Merge branch 'feat/auto-route-create-to-draft-when-approval-required' into 'main'
feat(records): auto-route create/edit через draft когда approvalRequired

See merge request 2-6/2-6-4/terravault/ordinis!171
2026-05-13 15:29:11 +00:00
Александр Зимин 6eb56cffe4 feat(records): auto-route create/edit через draft когда approvalRequired 2026-05-13 15:29:11 +00:00
semantic-release-bot daa4b284c9 chore(release): v2.20.0
## [2.20.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.19.2...v2.20.0) (2026-05-13)

###  Features

* **my-drafts:** schema drafts тоже в "Мои черновики" ([f096b57](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/f096b5746d256220f569616813b8ec886b27247d))
2026-05-13 12:54:56 +00:00
Александр Зимин 7a173adf5d Merge branch 'feat/my-schema-drafts-endpoint' into 'main'
feat(my-drafts): schema drafts тоже в "Мои черновики"

See merge request 2-6/2-6-4/terravault/ordinis!170
2026-05-13 12:45:45 +00:00
Александр Зимин f096b5746d feat(my-drafts): schema drafts тоже в "Мои черновики" 2026-05-13 12:45:45 +00:00
Александр Зимин 1b20db5059 Merge branch 'chore/auto-bump-staging-image' into 'main'
chore(ci): propose-image-bump патчит staging values тоже

See merge request 2-6/2-6-4/terravault/ordinis!169
2026-05-13 12:33:50 +00:00
Александр Зимин aad33c3bf1 chore(ci): propose-image-bump патчит staging values тоже 2026-05-13 12:33:50 +00:00
semantic-release-bot 4af79669f8 chore(release): v2.19.2
## [2.19.2](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.19.1...v2.19.2) (2026-05-13)

### 🐛 Fixes

* **auth:** read roles из access_token, не id_token (sidebar reviews hidden bug) ([b6ee703](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/b6ee703577eb868b4dc452b64b87e3ba779b3596))
2026-05-13 11:45:51 +00:00
Александр Зимин ab23f9a471 Merge branch 'fix/sidebar-roles-from-access-token' into 'main'
fix(auth): read roles из access_token, не id_token (sidebar reviews hidden bug)

See merge request 2-6/2-6-4/terravault/ordinis!168
2026-05-13 11:39:45 +00:00
Александр Зимин b6ee703577 fix(auth): read roles из access_token, не id_token (sidebar reviews hidden bug) 2026-05-13 11:39:45 +00:00
semantic-release-bot a25a997f34 chore(release): v2.19.1
## [2.19.1](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.19.0...v2.19.1) (2026-05-13)

### 🐛 Fixes

* **webhook:** scope_filter Hibernate ordinal bug + UI toggle для active ([d4ee30a](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/d4ee30a7dd09119b5d38c50b5dda212b5b3e8f88))
2026-05-13 11:20:20 +00:00
Александр Зимин b1b66bf6a8 Merge branch 'fix/webhook-scope-filter-enum-storage' into 'main'
fix(webhook): scope_filter Hibernate ordinal bug + UI toggle active

See merge request 2-6/2-6-4/terravault/ordinis!167
2026-05-13 11:05:09 +00:00
semantic-release-bot e03743b250 chore(release): v2.19.0
## [2.19.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.18.0...v2.19.0) (2026-05-13)

###  Features

* **sidebar:** role-based visibility для /reviews ([5fb1658](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/5fb1658880ad62cc641a939ae9344ec93ca594ad))

### 🐛 Fixes

* **auth:** @Autowired на WorkflowRoles main ctor ([4fe7f1e](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/4fe7f1e800b4ebe304a8011f5fc2cbb0bab67f40))
2026-05-13 11:04:11 +00:00
Zimin A.N. d4ee30a7dd fix(webhook): scope_filter Hibernate ordinal bug + UI toggle для active
Два бага в /webhooks (user report):

1. **500 при выборе scope в форме**

POST /admin/webhooks/subscriptions с scopeFilter:["PUBLIC"] возвращал 500.

Root cause: WebhookSubscription.scopeFilter был List<DataScope> с
@JdbcTypeCode(SqlTypes.ARRAY). Hibernate сериализовал enum в TEXT[] как
ordinal (е.g. {0} для PUBLIC), а DB CHECK constraint
chk_webhook_scope_filter ожидает строковые имена. Insert падал
DataIntegrityViolationException → 500.

Fix: field теперь List<String> (raw enum names). Getter/setter
конвертируют в/из DataScope — API surface (DTO, service signatures,
WebhookDispatcher) не меняется.

2. **Нет toggle active/inactive в UI**

useUpdateWebhook hook был, но не использовался в UI. Status показывался
только read-only badge'ом. Невозможно деактивировать webhook через UI.

Fix: добавлен toggle button рядом с Status badge на /webhooks/:id.
Sends PUT с inverted active flag (backend treats PUT как full replace,
поэтому пересобираем full payload).

i18n: 'webhooks.action.activate' / 'deactivate' default labels (RU).
2026-05-13 14:02:35 +03:00
Александр Зимин 4bdc7d2245 Merge branch 'feat/sidebar-role-based-visibility' into 'main'
feat(sidebar): role-based visibility для /reviews

See merge request 2-6/2-6-4/terravault/ordinis!166
2026-05-13 10:54:24 +00:00
Zimin A.N. 5fb1658880 feat(sidebar): role-based visibility для /reviews
Phase 1d enhancement: 'Согласования' пункт сайдбара скрыт если у user'а
нет approver/reviewer ролей. Раньше показывался любому authenticated —
оператор без reviewer прав видел queue, кликал и получал пустую
страницу (или 403 если бы пробовал approve).

Visibility rules:
- 'Мои черновики' — auth (maker может быть любой)
- 'Согласования' — auth + (ordinis:schema:reviewer OR ordinis:record:reviewer
  OR ordinis:admin super-role) — иначе hidden
- 'Outbox' / 'Webhooks' / 'Аудит' — auth (admin-y но backend не gated
  отдельной ролью)

Новый NavItem.reviewerOnly flag — фильтр в visibleSections учитывает
оба flag'а (authRequired + reviewerOnly).

Применено и к desktop Sidebar и к MobileSidebar (DRY refactor — отдельный
task).
2026-05-13 13:52:40 +03:00
Александр Зимин efe3fe08e5 Merge branch 'fix/workflow-roles-autowire-ctor' into 'main'
fix(auth): @Autowired на WorkflowRoles main ctor (super-role override fix)

See merge request 2-6/2-6-4/terravault/ordinis!165
2026-05-13 10:51:38 +00:00
Zimin A.N. 4fe7f1e800 fix(auth): @Autowired на WorkflowRoles main ctor
Класс имеет два constructor'а (main + test). Без явной @Autowired
аннотации Spring может выбрать no-arg ctor → props=null →
rolesClaimPath() fallback на realm_access.roles несмотря на
env var ORDINIS_AUTH_ROLES_CLAIM=resource_access.ordinis.roles.

Симптом: 403 forbidden_role с message 'Требуется realm role:
ordinis:schema:reviewer' для user с ordinis:admin в
resource_access.ordinis.roles (super-role override не работал
потому что currentRoles() возвращал пустой set из неправильного
claim path).

Fix: @Autowired на main ctor — Spring выбирает его, props
инжектится, rolesClaim читается из env var правильно.
2026-05-13 13:49:07 +03:00
Александр Зимин 19f560e60a Merge branch 'chore/restore-nstart-runner-tag' into 'main'
chore(ci): restore nstart tag (revert !157)

See merge request 2-6/2-6-4/terravault/ordinis!164
2026-05-13 10:33:21 +00:00