paliad

m/paliad

Fork 0

Commit Graph

Author	SHA1	Message	Date
m	3da11bd798	chore(t-paliad-081): doc + dead-code batch (F-5/F-10/F-11/F-15/F-16/F-17/F-18) Bundle of small audit findings, all doc-only or dead-code: - F-5: refresh stale escalation-contact comment in models.User — Settings UI dropdown shipped 2026-04-29 (t-paliad-066). - F-10: add "OBSOLETED by migration 018" note to migrations 004/005/006 so readers stop hunting for the live shape in obsolete files. - F-11: document the data-loss semantics of dropping paliad.partner_unit_events on the 027 down — audit rows are append-only telemetry, accepted loss on rollback. - F-15: drop the patholo_session / patholo_refresh cookie fallback added during the 2026-04-16 rebrand. Active users have long since been re-authed through the upgrade path; inactive users hit the normal /login flow. - F-16: refresh stale /api/departments comment in team_pages.go to /api/partner-units (renamed in t-paliad-070). - F-17: move internal/db/migrations/_dev/mock_supabase_auth.sql to internal/db/devtools/ so a future loosening of the //go:embed pattern can't accidentally ship the dev-only fixture. - F-18: update docs/project-status.md "Audit polish-2" entry — the batch shipped via t-paliad-067 / 068 / 073, follow-ups are now tracked under the 2026-04-30 re-audit + t-paliad-074. go build / vet / test clean.	2026-04-30 03:42:25 +02:00
m	1b2ef28334	feat(db): Phase A — paliad schema, RLS, migrations, golang-migrate Implements docs/design-kanzlai-integration.md §8 Phase A. Schema (paliad.): - users (extends auth.users) with office, practice_group, role - akten with visibility columns: owning_office, collaborators uuid[], firm_wide_visible (per design §2) - parteien, fristen, termine, dokumente, akten_events, notizen (polymorphic notes; notizen_exactly_one_parent CHECK) - proceeding_types, deadline_rules, holidays (reference data) - 4 feedback tables re-namespaced from public. into paliad.* (handler swap to direct DB is a follow-up; old public tables stay intact for now and continue serving via PostgREST) Visibility (paliad.can_see_akte): - single SQL function, used by every RLS policy - predicate: firm_wide_visible OR owning_office matches user's office OR auth.uid() ∈ collaborators OR user is admin - mirrored at app layer in Phase B (defense in depth) RLS (real, not permissive): - akten: visibility predicate; insert restricted to own office or admin; delete restricted to partners + admins - parteien/fristen/dokumente/akten_events: inherit via can_see_akte(akte_id) - termine: personal (akte_id NULL) visible only to creator; Akte-linked follow visibility predicate - notizen: paliad.notiz_is_visible() resolves polymorphic parent - reference tables: SELECT for any authenticated user - users: SELECT all; UPDATE/INSERT only self - feedback tables: INSERT for any authenticated user (write-only) Seed data (ported from KanzlAI seed_upc_timeline.sql): - 7 proceeding_types (INF, REV, CCR, APM, APP, AMD, ZPO_CIVIL) - 40 deadline_rules (32 UPC + 4 ZPO + 4 cross-type appeal spawns) including conditional logic: Reply rule code (RoP.029b → 029a) and Rejoinder duration (1mo → 2mo) flip when CCR active - 55 holidays (DE federal 2026/2027 + UPC summer 2026 + UPC winter 26/27) Indexes per audit §3.3 + visibility-predicate hot paths: - akten: (status, owning_office), (owning_office), partial on firm_wide_visible, GIN on collaborators - fristen: (status, due_date), (akte_id) - termine: (start_at), (akte_id) - akten_events: (akte_id, created_at DESC) - notizen: 4 partial indexes per parent type - users: (office), (role) Migration tooling: - golang-migrate/migrate/v4 with embed.FS source - Migrations live in internal/db/migrations/ (Go embed can't reach outside the package; this is the conventional Go layout for embedded migrations) - Applied at server startup before HTTP listener binds - DATABASE_URL is optional today (existing knowledge tools work without DB); becomes required once Phase B services land - Mock Supabase auth schema for local testing in internal/db/migrations/_dev/mock_supabase_auth.sql (excluded from embed pattern by the underscore prefix) Other changes: - Dockerfile: bump golang to 1.24, copy go.sum (audit §2.9), rename binary patholo → paliad - docker-compose.yml: add DATABASE_URL passthrough - README.md: rewritten to reflect Paliad brand + Phase A migration system Verified locally: - 11 migrations applied cleanly against postgres:16-alpine - RLS enabled on all 15 paliad.* tables (verified via pg_class.relrowsecurity) - Visibility predicate verified with 4-case scenario: - Alice (Munich associate): sees Munich + firm-wide + collab-on (t f t t) - Bob (Düsseldorf associate): sees Düsseldorf + firm-wide + collab-on (f t t t) - Carol (Munich partner): sees Munich + firm-wide only (t f t f) - Anonymous: sees firm-wide only (f f t f) - migrate down + re-up cycle clean (initial 007 down had ordering bug, fixed: drop policies before referenced function) - Existing endpoints (/, /login) return 302 + 200 — no regressions	2026-04-16 13:54:19 +02:00

Author

SHA1

Message

Date

3da11bd798

chore(t-paliad-081): doc + dead-code batch (F-5/F-10/F-11/F-15/F-16/F-17/F-18)

Bundle of small audit findings, all doc-only or dead-code:

- F-5: refresh stale escalation-contact comment in models.User —
  Settings UI dropdown shipped 2026-04-29 (t-paliad-066).
- F-10: add "OBSOLETED by migration 018" note to migrations 004/005/006
  so readers stop hunting for the live shape in obsolete files.
- F-11: document the data-loss semantics of dropping
  paliad.partner_unit_events on the 027 down — audit rows are
  append-only telemetry, accepted loss on rollback.
- F-15: drop the patholo_session / patholo_refresh cookie fallback
  added during the 2026-04-16 rebrand. Active users have long since
  been re-authed through the upgrade path; inactive users hit the
  normal /login flow.
- F-16: refresh stale /api/departments comment in team_pages.go to
  /api/partner-units (renamed in t-paliad-070).
- F-17: move internal/db/migrations/_dev/mock_supabase_auth.sql to
  internal/db/devtools/ so a future loosening of the //go:embed
  pattern can't accidentally ship the dev-only fixture.
- F-18: update docs/project-status.md "Audit polish-2" entry — the
  batch shipped via t-paliad-067 / 068 / 073, follow-ups are now
  tracked under the 2026-04-30 re-audit + t-paliad-074.

go build / vet / test clean.

2026-04-30 03:42:25 +02:00

1b2ef28334

feat(db): Phase A — paliad schema, RLS, migrations, golang-migrate

Implements docs/design-kanzlai-integration.md §8 Phase A.

Schema (paliad.*):
- users (extends auth.users) with office, practice_group, role
- akten with visibility columns: owning_office, collaborators uuid[],
  firm_wide_visible (per design §2)
- parteien, fristen, termine, dokumente, akten_events, notizen
  (polymorphic notes; notizen_exactly_one_parent CHECK)
- proceeding_types, deadline_rules, holidays (reference data)
- 4 feedback tables re-namespaced from public.* into paliad.*
  (handler swap to direct DB is a follow-up; old public tables stay
  intact for now and continue serving via PostgREST)

Visibility (paliad.can_see_akte):
- single SQL function, used by every RLS policy
- predicate: firm_wide_visible OR owning_office matches user's office
  OR auth.uid() ∈ collaborators OR user is admin
- mirrored at app layer in Phase B (defense in depth)

RLS (real, not permissive):
- akten: visibility predicate; insert restricted to own office or admin;
  delete restricted to partners + admins
- parteien/fristen/dokumente/akten_events: inherit via can_see_akte(akte_id)
- termine: personal (akte_id NULL) visible only to creator; Akte-linked
  follow visibility predicate
- notizen: paliad.notiz_is_visible() resolves polymorphic parent
- reference tables: SELECT for any authenticated user
- users: SELECT all; UPDATE/INSERT only self
- feedback tables: INSERT for any authenticated user (write-only)

Seed data (ported from KanzlAI seed_upc_timeline.sql):
- 7 proceeding_types (INF, REV, CCR, APM, APP, AMD, ZPO_CIVIL)
- 40 deadline_rules (32 UPC + 4 ZPO + 4 cross-type appeal spawns)
  including conditional logic: Reply rule code (RoP.029b → 029a) and
  Rejoinder duration (1mo → 2mo) flip when CCR active
- 55 holidays (DE federal 2026/2027 + UPC summer 2026 + UPC winter 26/27)

Indexes per audit §3.3 + visibility-predicate hot paths:
- akten: (status, owning_office), (owning_office), partial on
  firm_wide_visible, GIN on collaborators
- fristen: (status, due_date), (akte_id)
- termine: (start_at), (akte_id)
- akten_events: (akte_id, created_at DESC)
- notizen: 4 partial indexes per parent type
- users: (office), (role)

Migration tooling:
- golang-migrate/migrate/v4 with embed.FS source
- Migrations live in internal/db/migrations/ (Go embed can't reach
  outside the package; this is the conventional Go layout for embedded
  migrations)
- Applied at server startup before HTTP listener binds
- DATABASE_URL is optional today (existing knowledge tools work without
  DB); becomes required once Phase B services land
- Mock Supabase auth schema for local testing in
  internal/db/migrations/_dev/mock_supabase_auth.sql (excluded from
  embed pattern by the underscore prefix)

Other changes:
- Dockerfile: bump golang to 1.24, copy go.sum (audit §2.9), rename
  binary patholo → paliad
- docker-compose.yml: add DATABASE_URL passthrough
- README.md: rewritten to reflect Paliad brand + Phase A migration system

Verified locally:
- 11 migrations applied cleanly against postgres:16-alpine
- RLS enabled on all 15 paliad.* tables (verified via pg_class.relrowsecurity)
- Visibility predicate verified with 4-case scenario:
  - Alice (Munich associate): sees Munich + firm-wide + collab-on (t f t t)
  - Bob (Düsseldorf associate): sees Düsseldorf + firm-wide + collab-on (f t t t)
  - Carol (Munich partner): sees Munich + firm-wide only (t f t f)
  - Anonymous: sees firm-wide only (f f t f)
- migrate down + re-up cycle clean (initial 007 down had ordering bug,
  fixed: drop policies before referenced function)
- Existing endpoints (/, /login) return 302 + 200 — no regressions

2026-04-16 13:54:19 +02:00

2 Commits