Commit Graph

897 Commits

Author SHA1 Message Date
semantic-release-bot 7202265da1 chore(release): v2.23.0
## [2.23.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.22.1...v2.23.0) (2026-05-14)

###  Features

* **user-display:** KeycloakAdminUserResolver — Phase 2 on-demand lookup ([83caf9c](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/83caf9c3c80e947dc3ad4ff46a194903192ca1f3))
* **user-display:** persistent DB cache + Keycloak resolver hook (Phase 1+2 wiring) ([ec0c74a](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/ec0c74afdf627eab43310c987f009a7a3a1a89d4))

### 🐛 Fixes

* **ui:** UserCell в changelog/events/history — ещё 6 мест ([455ca2f](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/455ca2ff264f4955b5c5b1259c11ce4c3fdd48ce))
2026-05-14 12:00:15 +00:00
Александр Зимин a73549d38d Merge branch 'feat/user-display-persistent-cache' into 'main'
feat(user-display): persistent DB cache + Keycloak Admin lookup (Phase 1+2)

See merge request 2-6/2-6-4/terravault/ordinis!180
2026-05-14 11:52:20 +00:00
Andrei Zimin 83caf9c3c8 feat(user-display): KeycloakAdminUserResolver — Phase 2 on-demand lookup
Implements the Phase 2 hook from the previous commit. With this in
place, UserDisplayService.find chains:

  hot cache → DB (user_display_cache) → Keycloak Admin API

so any realm user resolves on first display, even if they never made
an authenticated request to ordinis. The resolved entry is persisted
via UserDisplayService.upsert with source=KEYCLOAK_ON_DEMAND, so the
next render of the same sub hits the DB tier (~ms) instead of going
back to Keycloak.

Implementation notes:

- Spring RestClient (modern blocking HTTP, replaces RestTemplate).
- client_credentials grant against
  {issuer}/realms/{realm}/protocol/openid-connect/token. Token cached
  in-memory minus a 30s safety margin from `expires_in`.
- 401 on user lookup wipes the cached token and surfaces a
  RuntimeException, so the next resolve refetches.
- 404 on user lookup → Optional.empty (definitive miss, sub not in
  realm). UserDisplayService logs and the caller falls back to short
  UUID. Negative cache TTL not implemented — added complexity not
  justified for the current realm size (~50 users).
- Bean activated only when ordinis.keycloak.admin.enabled=true AND
  the env vars are set. Default disabled — UserDisplayService treats
  KeycloakUserResolver as @Autowired(required = false), so a
  deployment without Keycloak admin creds keeps the previous behavior
  (DB cache only) instead of crashing on startup.

Application config:
- ORDINIS_KEYCLOAK_ADMIN_ENABLED      (false by default)
- ORDINIS_KEYCLOAK_ADMIN_URL          e.g. https://auth.nstart.space
- ORDINIS_KEYCLOAK_ADMIN_REALM        defaults to nstart
- ORDINIS_KEYCLOAK_ADMIN_CLIENT_ID    via vault (see docs-internal/keycloak-admin-setup.md)
- ORDINIS_KEYCLOAK_ADMIN_CLIENT_SECRET via vault

Setup runbook (docs-internal/keycloak-admin-setup.md) covers:
- creating the Keycloak service-account client + assigning view-users
- writing the secret into both vault instances (different per env)
- wiring vault.hashicorp.com agent-inject annotations into the chart
- verification steps + common failure modes

Phase 3 (scheduled bulk sync) is documented at the end of the runbook
but deferred — depends on observed cache miss rate after this lands.
2026-05-14 14:47:49 +03:00
Andrei Zimin ec0c74afdf feat(user-display): persistent DB cache + Keycloak resolver hook (Phase 1+2 wiring)
Closes "ток мой UUID отображается" pain reported on staging today: any
reviewer / maker / publisher / actor whose JWT sub never landed in the
JVM cache shows up as a short UUID in audit / reviews / changelog /
events / history / record drawer / webhook detail / record version
history. Restart the pod and even captured users disappear.

Three-tier resolve, replacing the in-memory-only cache that was the
"Альтернатива (на будущее)" TODO in the original UserDisplayService:

  1. JVM ConcurrentHashMap hot cache (~µs, capped at 10k).
  2. user_display_cache Postgres table (~ms, persistent across restart).
     New migration 0023 — sub PK + preferred_username + name + email +
     source enum + synced_at + updated_at, plus an index on synced_at
     for the scheduled bulk sync that lands later.
  3. Keycloak Admin API on-demand (Phase 2) — dispatched to optional
     KeycloakUserResolver bean. When the bean isn't wired (no Keycloak
     admin creds yet), the third tier is a no-op and UserCell falls
     back to short UUID exactly like before.

Source enum on every row — JWT_CAPTURE / KEYCLOAK_SYNC /
KEYCLOAK_ON_DEMAND — so the eventual scheduled sync can prefer JWT-
captured rows (richest claims as the user actually saw them) and the
on-demand fallback can be distinguished from bulk sync in audits.

JwtUserCaptureFilter and UserDisplayController are unchanged — they
already used UserDisplayService.put / find with the same signatures.
The behavior change is invisible at the API layer: same /admin/users/
{sub}/display endpoint, same 404 user_not_cached on miss; persistence
just survives pod restart now.

mergeFrom on UserDisplayCacheEntry deliberately keeps the existing
non-blank field when an update brings null — Keycloak sync may have a
richer email than JWT capture; don't blank it out.

Phase 2 will land a KeycloakAdminUserResolver impl + vault secret
plumbing on this same branch. Phase 3 (scheduled bulk sync via
@Scheduled) is a separate sprint — it needs the Keycloak admin client
already in place.
2026-05-14 14:45:14 +03:00
Andrei Zimin 455ca2ff26 fix(ui): UserCell в changelog/events/history — ещё 6 мест
После !178 (record drawer + RecordHistoryDrawer + webhook detail) ещё
осталось 6 точек где раньше рендерился UUID. Все они в "истории
словаря" и tab "События":

1. ChangelogDiffModal:57 — header "автор: <name>" в diff modal.
   Было: `{data.publishedBy.name}` (тип ChangelogPublisher.name —
   docstring буквально говорит "Backend пока эхает sub").
   Стало: <UserCell uuid={data.publishedBy.sub} />.

2. TimeTravelModal:686 — список изменений, имя автора рядом с датой.
3. TimeTravelModal:898 — RIGHT panel "История этой версии", dt/dd
   pair с автором.
4. TimeTravelModal ComparePanel:414 — "· {author}" suffix,
   author там DictionaryDetail.updatedBy (тоже UUID).

5. dictionaries.$name.tsx:2263 (events tab, EventsTabContent row) —
   `{r.userId ?? 'anonymous'}` raw. Сменил на UserCell для не-null
   userId, anonymous-fallback оставил без UserCell (нечего lookup'ать).

6. dictionaries.$name.tsx:2399 (history tab, HistoryTabContent entry)
   — `{entry.publishedBy.name}` raw.

Всё через тот же useUserDisplay hook что и в !177 — backend
endpoint /admin/users/{sub}/display + JwtUserCaptureFilter cache.
Если sub нет в cache, UserCell fallback'ит на shortened UUID
(текущее поведение из !177).

ChangelogPublisher type comment в src/api/client.ts уже намекал что
.name это placeholder — useUserDisplay теперь реально резолвит.
2026-05-14 14:33:20 +03:00
semantic-release-bot b5920e4d5f chore(release): v2.22.1
## [2.22.1](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.22.0...v2.22.1) (2026-05-14)

### 🐛 Fixes

* **ui:** wrap remaining UUIDs into UserCell — 3 missed spots ([93b2676](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/93b267699435d36c3bac9c465f400b60d6fcaa65))
2026-05-14 11:13:36 +00:00
Александр Зимин 1b1a9deb9f Merge branch 'fix/user-display-missed-spots' into 'main'
fix(ui): wrap remaining UUIDs into UserCell — 3 missed spots

See merge request 2-6/2-6-4/terravault/ordinis!178
2026-05-14 11:08:33 +00:00
Andrei Zimin 93b2676994 fix(ui): wrap remaining UUIDs into UserCell — 3 missed spots
MR !177 added /admin/users/{sub}/display + UserCell + useUserDisplay,
but only some renderers were migrated. Three places still rendered
raw UUID strings:

1. reviews.tsx:466 — record draft drawer ("Согласование draft" header)
   showed `{draft.makerId}` raw. Tables on the same page already use
   <UserCell uuid={d.makerId} />. Verified via prod staging:
   soloviev.da approved a record draft today and the drawer header
   showed the maker as "77ec2cc8-98e3-4d70-8037-94038fcbde67" instead
   of the username.
2. RecordHistoryDrawer.tsx:110 — version history `updatedBy` raw.
3. webhooks.$id.tsx:235 — webhook subscription `createdBy` raw.

All three switched to <UserCell uuid={...} />, matching the existing
pattern. Added the import where missing. Wrapped each in
inline-flex so the UserCell sits next to the label cleanly.

No backend / API changes — same /admin/users/{sub}/display endpoint
populated by JwtUserCaptureFilter (MR !177).
2026-05-14 14:07:02 +03:00
semantic-release-bot 969395e00d chore(release): v2.22.0
## [2.22.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.21.0...v2.22.0) (2026-05-14)

###  Features

* **admin:** scope-gated audit и outbox endpoints ([da17930](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/da17930def89b2fea51be1b8e45b4e5fabe752d1))
* **approval:** enforce per-dictionary approvalMinRole (Phase 2) ([5187845](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/5187845047ba20a6306f5dce8a65f1d4889811fa))
* **records:** close / bulk-close через draft когда approvalRequired ([d66db60](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/d66db60b8496a218501ebade77ff68cc232849d4))
* **users:** /admin/users/{sub}/display endpoint + UserCell uses it ([be90077](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/be90077520607998078a3df5bb5fbe24f1a1bf6e))

### 🐛 Fixes

* **reviews:** friendly error в ReviewDrawer вместо AxiosError ([9436068](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/94360681b6d6412d9d0ae4c5dd4b69600274a034))

### 📝 Docs

* **rbac:** обновить RBAC sections после Phase 1d + Phase 2 ([c41e345](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/c41e34545b7a23e24c24196c06a7889724f63338))
2026-05-14 10:37:30 +00:00
Александр Зимин 95c2b46dd3 Merge branch 'feat/user-display-endpoint' into 'main'
feat(users): /admin/users/{sub}/display endpoint + UserCell uses it

See merge request 2-6/2-6-4/terravault/ordinis!177
2026-05-13 16:42:46 +00:00
Александр Зимин be90077520 feat(users): /admin/users/{sub}/display endpoint + UserCell uses it 2026-05-13 16:42:46 +00:00
Александр Зимин 0a9deb51bd Merge branch 'feat/admin-role-gate-audit-outbox-webhooks' into 'main'
feat(admin): scope-gated audit и outbox endpoints

See merge request 2-6/2-6-4/terravault/ordinis!176
2026-05-13 16:42:12 +00:00
Александр Зимин da17930def feat(admin): scope-gated audit и outbox endpoints 2026-05-13 16:42:11 +00:00
Александр Зимин c8d90930e3 Merge branch 'feat/phase2-approval-min-role-enforcement' into 'main'
feat(approval): enforce per-dictionary approvalMinRole (Phase 2)

See merge request 2-6/2-6-4/terravault/ordinis!172
2026-05-13 16:42:09 +00:00
Александр Зимин 5187845047 feat(approval): enforce per-dictionary approvalMinRole (Phase 2) 2026-05-13 16:42:09 +00:00
Александр Зимин 6188062c34 Merge branch 'feat/close-via-draft-when-approval-required' into 'main'
feat(records): close / bulk-close через draft когда approvalRequired

See merge request 2-6/2-6-4/terravault/ordinis!175
2026-05-13 16:41:09 +00:00
Александр Зимин d66db60b84 feat(records): close / bulk-close через draft когда approvalRequired 2026-05-13 16:41:09 +00:00
Александр Зимин b027c94e15 Merge branch 'fix/review-drawer-friendly-error' into 'main'
fix(reviews): friendly error в ReviewDrawer вместо AxiosError

See merge request 2-6/2-6-4/terravault/ordinis!173
2026-05-13 16:41:05 +00:00
Александр Зимин 94360681b6 fix(reviews): friendly error в ReviewDrawer вместо AxiosError 2026-05-13 16:41:05 +00:00
Александр Зимин ced69c4312 Merge branch 'docs/rbac-cleanup-and-composite-mapper-howto' into 'main'
docs(rbac): обновить RBAC sections после Phase 1d + Phase 2

See merge request 2-6/2-6-4/terravault/ordinis!174
2026-05-13 16:41:03 +00:00
Александр Зимин c41e34545b docs(rbac): обновить RBAC sections после Phase 1d + Phase 2 2026-05-13 16:41:03 +00:00
semantic-release-bot 0e165f69ca chore(release): v2.21.0
## [2.21.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.20.0...v2.21.0) (2026-05-13)

###  Features

* **records:** auto-route create/edit через draft когда approvalRequired ([6eb56cf](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/6eb56cffe4383d6d488fcd0a17f710b83b0a7585))
2026-05-13 15:34:51 +00:00
Александр Зимин 5629b85af7 Merge branch 'feat/auto-route-create-to-draft-when-approval-required' into 'main'
feat(records): auto-route create/edit через draft когда approvalRequired

See merge request 2-6/2-6-4/terravault/ordinis!171
2026-05-13 15:29:11 +00:00
Александр Зимин 6eb56cffe4 feat(records): auto-route create/edit через draft когда approvalRequired 2026-05-13 15:29:11 +00:00
semantic-release-bot daa4b284c9 chore(release): v2.20.0
## [2.20.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.19.2...v2.20.0) (2026-05-13)

###  Features

* **my-drafts:** schema drafts тоже в "Мои черновики" ([f096b57](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/f096b5746d256220f569616813b8ec886b27247d))
2026-05-13 12:54:56 +00:00
Александр Зимин 7a173adf5d Merge branch 'feat/my-schema-drafts-endpoint' into 'main'
feat(my-drafts): schema drafts тоже в "Мои черновики"

See merge request 2-6/2-6-4/terravault/ordinis!170
2026-05-13 12:45:45 +00:00
Александр Зимин f096b5746d feat(my-drafts): schema drafts тоже в "Мои черновики" 2026-05-13 12:45:45 +00:00
Александр Зимин 1b20db5059 Merge branch 'chore/auto-bump-staging-image' into 'main'
chore(ci): propose-image-bump патчит staging values тоже

See merge request 2-6/2-6-4/terravault/ordinis!169
2026-05-13 12:33:50 +00:00
Александр Зимин aad33c3bf1 chore(ci): propose-image-bump патчит staging values тоже 2026-05-13 12:33:50 +00:00
semantic-release-bot 4af79669f8 chore(release): v2.19.2
## [2.19.2](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.19.1...v2.19.2) (2026-05-13)

### 🐛 Fixes

* **auth:** read roles из access_token, не id_token (sidebar reviews hidden bug) ([b6ee703](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/b6ee703577eb868b4dc452b64b87e3ba779b3596))
2026-05-13 11:45:51 +00:00
Александр Зимин ab23f9a471 Merge branch 'fix/sidebar-roles-from-access-token' into 'main'
fix(auth): read roles из access_token, не id_token (sidebar reviews hidden bug)

See merge request 2-6/2-6-4/terravault/ordinis!168
2026-05-13 11:39:45 +00:00
Александр Зимин b6ee703577 fix(auth): read roles из access_token, не id_token (sidebar reviews hidden bug) 2026-05-13 11:39:45 +00:00
semantic-release-bot a25a997f34 chore(release): v2.19.1
## [2.19.1](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.19.0...v2.19.1) (2026-05-13)

### 🐛 Fixes

* **webhook:** scope_filter Hibernate ordinal bug + UI toggle для active ([d4ee30a](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/d4ee30a7dd09119b5d38c50b5dda212b5b3e8f88))
2026-05-13 11:20:20 +00:00
Александр Зимин b1b66bf6a8 Merge branch 'fix/webhook-scope-filter-enum-storage' into 'main'
fix(webhook): scope_filter Hibernate ordinal bug + UI toggle active

See merge request 2-6/2-6-4/terravault/ordinis!167
2026-05-13 11:05:09 +00:00
semantic-release-bot e03743b250 chore(release): v2.19.0
## [2.19.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.18.0...v2.19.0) (2026-05-13)

###  Features

* **sidebar:** role-based visibility для /reviews ([5fb1658](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/5fb1658880ad62cc641a939ae9344ec93ca594ad))

### 🐛 Fixes

* **auth:** @Autowired на WorkflowRoles main ctor ([4fe7f1e](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/4fe7f1e800b4ebe304a8011f5fc2cbb0bab67f40))
2026-05-13 11:04:11 +00:00
Zimin A.N. d4ee30a7dd fix(webhook): scope_filter Hibernate ordinal bug + UI toggle для active
Два бага в /webhooks (user report):

1. **500 при выборе scope в форме**

POST /admin/webhooks/subscriptions с scopeFilter:["PUBLIC"] возвращал 500.

Root cause: WebhookSubscription.scopeFilter был List<DataScope> с
@JdbcTypeCode(SqlTypes.ARRAY). Hibernate сериализовал enum в TEXT[] как
ordinal (е.g. {0} для PUBLIC), а DB CHECK constraint
chk_webhook_scope_filter ожидает строковые имена. Insert падал
DataIntegrityViolationException → 500.

Fix: field теперь List<String> (raw enum names). Getter/setter
конвертируют в/из DataScope — API surface (DTO, service signatures,
WebhookDispatcher) не меняется.

2. **Нет toggle active/inactive в UI**

useUpdateWebhook hook был, но не использовался в UI. Status показывался
только read-only badge'ом. Невозможно деактивировать webhook через UI.

Fix: добавлен toggle button рядом с Status badge на /webhooks/:id.
Sends PUT с inverted active flag (backend treats PUT как full replace,
поэтому пересобираем full payload).

i18n: 'webhooks.action.activate' / 'deactivate' default labels (RU).
2026-05-13 14:02:35 +03:00
Александр Зимин 4bdc7d2245 Merge branch 'feat/sidebar-role-based-visibility' into 'main'
feat(sidebar): role-based visibility для /reviews

See merge request 2-6/2-6-4/terravault/ordinis!166
2026-05-13 10:54:24 +00:00
Zimin A.N. 5fb1658880 feat(sidebar): role-based visibility для /reviews
Phase 1d enhancement: 'Согласования' пункт сайдбара скрыт если у user'а
нет approver/reviewer ролей. Раньше показывался любому authenticated —
оператор без reviewer прав видел queue, кликал и получал пустую
страницу (или 403 если бы пробовал approve).

Visibility rules:
- 'Мои черновики' — auth (maker может быть любой)
- 'Согласования' — auth + (ordinis:schema:reviewer OR ordinis:record:reviewer
  OR ordinis:admin super-role) — иначе hidden
- 'Outbox' / 'Webhooks' / 'Аудит' — auth (admin-y но backend не gated
  отдельной ролью)

Новый NavItem.reviewerOnly flag — фильтр в visibleSections учитывает
оба flag'а (authRequired + reviewerOnly).

Применено и к desktop Sidebar и к MobileSidebar (DRY refactor — отдельный
task).
2026-05-13 13:52:40 +03:00
Александр Зимин efe3fe08e5 Merge branch 'fix/workflow-roles-autowire-ctor' into 'main'
fix(auth): @Autowired на WorkflowRoles main ctor (super-role override fix)

See merge request 2-6/2-6-4/terravault/ordinis!165
2026-05-13 10:51:38 +00:00
Zimin A.N. 4fe7f1e800 fix(auth): @Autowired на WorkflowRoles main ctor
Класс имеет два constructor'а (main + test). Без явной @Autowired
аннотации Spring может выбрать no-arg ctor → props=null →
rolesClaimPath() fallback на realm_access.roles несмотря на
env var ORDINIS_AUTH_ROLES_CLAIM=resource_access.ordinis.roles.

Симптом: 403 forbidden_role с message 'Требуется realm role:
ordinis:schema:reviewer' для user с ordinis:admin в
resource_access.ordinis.roles (super-role override не работал
потому что currentRoles() возвращал пустой set из неправильного
claim path).

Fix: @Autowired на main ctor — Spring выбирает его, props
инжектится, rolesClaim читается из env var правильно.
2026-05-13 13:49:07 +03:00
Александр Зимин 19f560e60a Merge branch 'chore/restore-nstart-runner-tag' into 'main'
chore(ci): restore nstart tag (revert !157)

See merge request 2-6/2-6-4/terravault/ordinis!164
2026-05-13 10:33:21 +00:00
semantic-release-bot e183ff1d6c chore(release): v2.18.0
## [2.18.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.17.0...v2.18.0) (2026-05-13)

###  Features

* **auth:** WorkflowRoles configurable claim path + ordinis:admin super-role ([36c06ae](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/36c06ae1da52ebf515eaa5227c942f8343071188))
2026-05-13 10:29:04 +00:00
Zimin A.N. 09e9b80b0c chore(ci): restore nstart tag на default runner constraint
Revert MR !157 (removal). Shared runner pool снова показал queue
contention в часы пик. nstart-tagged выделенный pool обратно — лучше
predictable wait times для CI.

resource_group docker-builds-v2 (для parallel docker builds) остаётся
без изменений — orthogonal к runner tag selection.
2026-05-13 13:28:17 +03:00
Александр Зимин d0f49250eb Merge branch 'feat/phase-1d-configurable-claim-path-admin-override' into 'main'
feat(auth): configurable claim path + ordinis:admin super-role

See merge request 2-6/2-6-4/terravault/ordinis!163
2026-05-13 10:20:59 +00:00
Zimin A.N. 36c06ae1da feat(auth): WorkflowRoles configurable claim path + ordinis:admin super-role
User report: token has roles в resource_access.ordinis.roles (client-scoped),
backend WorkflowRoles читал hardcoded realm_access.roles → forbidden_role
для всех reviewer actions.

Backend:
- WorkflowRoles: depends OrdinisAuthProperties → reads via rolesClaim path
  (же что ScopeContext). Default realm_access.roles, на staging/prod env
  var ORDINIS_AUTH_ROLES_CLAIM=resource_access.ordinis.roles (уже wired
  в helm helper).
- Nested claim path resolver — mirror ScopeContext.readClaimByPath
- New super-role ADMIN ('ordinis:admin') — holder автоматически проходит
  любой workflow check без явного назначения отдельных ролей. Convenience
  для small teams.

Frontend (usePermissions.ts):
- tokenRoles() читает оба claim path (realm_access.roles +
  resource_access.ordinis.roles) и объединяет — UI gate работает
  независимо от backend config
- hasRole() recognizes 'ordinis:admin' как super-role override
- ROLE_ADMIN exported

Docs:
- docs/operator/rbac.md: добавлен ordinis:admin row, JWT claim path note,
  Admin profile updated (super-role vs composite explanation)
2026-05-13 13:17:54 +03:00
semantic-release-bot 031a582167 chore(release): v2.17.0
## [2.17.0](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/compare/v2.16.4...v2.17.0) (2026-05-13)

###  Features

* **auth:** Phase 1d — backend role enforcement для workflow ([24aa94d](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/24aa94d13007b7d2d9716a6afb7fdbc54a32d8ba))

### ♻️ Refactoring

* **auth:** domain-specific role names (consistent convention) ([c5b00ff](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/c5b00ff62314942f6b2cee09993d9ddd8648e8e2))

### 📝 Docs

* **rbac:** добавить матрицу realm-ролей Keycloak ([1dba947](https://git.nstart.cloud/2-6/2-6-4/terravault/ordinis/commit/1dba9476db036d4f5688d409aae4c39b5b5a441c))
2026-05-13 10:06:16 +00:00
Александр Зимин 47b47f4abc Merge branch 'feat/phase-1d-workflow-roles' into 'main'
feat(auth): Phase 1d — backend role enforcement для workflow

See merge request 2-6/2-6-4/terravault/ordinis!162
2026-05-13 09:57:44 +00:00
Zimin A.N. ce3a29f08d test(e2e): assign ordinis:record:reviewer role в reviewer JWT tokens
Phase 1d enforcement в DraftService.approve()/.reject() требует
realm role 'ordinis:record:reviewer'. Test fixtures используют
JwtTestSupport.signJwt() — добавляем role в JWT для reviewer'ов.

Changes в ApprovalWorkflowE2ETest:
- Новый helper reviewerTokenFor(subject) — internal scope + record:reviewer
- 4 reviewer call sites (bob/dave/julia/leo) → reviewerTokenFor()
- eve-solo (selfApproveBlocked test) тоже → reviewerTokenFor() чтобы
  достичь self-approve check, иначе forbidden_role срабатывает раньше

Maker callsites (alice/carol/frank/ivan/kate) остаются на tokenFor()
без reviewer role — backend гейтит только approve/reject методы.

Fix для 4 failures в pipeline 6898:
- happyFlow_submitApprove_recordLiveAndOutboxEvent
- rejectFlow_keepsDraft_noLiveRecord
- selfApproveBlocked_409
- rejectWithoutComment_400
2026-05-13 12:55:15 +03:00
Zimin A.N. 1dba9476db docs(rbac): добавить матрицу realm-ролей Keycloak
operator/rbac.md — новая страница с полной матрицей RBAC:
- Scope ACL (ordinis:client:public/internal/restricted)
- Workflow роли (schema:reviewer, schema:publisher, record:reviewer)
- Action matrix (endpoint → required scope + role)
- Типичные профили (consumer, maker, reviewer, publisher, admin)
- Composite role 'ordinis:admin' для one-shot assignment
- Keycloak setup инструкция (Admin Console шаги)
- Диагностика типичных 403 ошибок

toc.yaml — link в раздел Руководство оператора.
operator/index.md, reviewer/index.md — cross-references к rbac.md.

Покрывает Phase 1d enforcement (MR !162) — пользователи теперь
знают какие роли назначать в Keycloak realm 'nstart'.
2026-05-13 12:47:50 +03:00
Zimin A.N. c5b00ff623 refactor(auth): domain-specific role names (consistent convention)
User feedback: универсальный 'ordinis:approver' отступал от convention
'ordinis:<domain>:<action>'. Меняю на domain-specific:

WorkflowRoles constants:
- APPROVER → SCHEMA_REVIEWER ('ordinis:schema:reviewer')
- PUBLISHER → SCHEMA_PUBLISHER ('ordinis:schema:publisher')
- Новая RECORD_REVIEWER ('ordinis:record:reviewer')

Applied:
- SchemaDraftService.decide() → require SCHEMA_REVIEWER
- SchemaDraftService.publish() → require SCHEMA_PUBLISHER
- DraftService.approve() / .reject() → require RECORD_REVIEWER

Frontend usePermissions.ts:
- ROLE_APPROVER + ROLE_PUBLISHER → ROLE_SCHEMA_REVIEWER +
  ROLE_SCHEMA_PUBLISHER + ROLE_RECORD_REVIEWER
- Новый hook useCanReviewRecord() для record draft actions

Keycloak setup (updated):
- ordinis:schema:reviewer
- ordinis:schema:publisher
- ordinis:record:reviewer
(Composite role 'ordinis:admin' = all три + scope roles — для удобства.)
2026-05-13 12:44:23 +03:00