paliad

m/paliad

Fork 0

Commit Graph

Author	SHA1	Message	Date
m	a61c1490e3	feat(t-paliad-139): Phase 3 — derived_peer authority extension to t-138 approval gate Wires DerivationService.EffectiveProjectRole into the t-paliad-138 approval ladder so partner-unit-derived members with derive_grants_authority=true can act as approvers (per design §4.2). When they sign off, the audit row records decision_kind='derived_peer' — a third value alongside the existing 'peer' and 'admin_override' — so the chronology discloses the derivation chain. Schema (migration 055 update) ----------------------------- - paliad.approval_requests.decision_kind CHECK extended to accept 'derived_peer'. Down migration restores the t-138 two-value CHECK. Live SQL dry-run confirmed the new value is accepted. Service layer ------------- - approval_levels.go: new constant DecisionKindDerivedPeer. - approval_service.go (4 sites widened with the derivation EXISTS branch): 1. canApprove — third resolution step after global_admin + direct/ ancestor team membership: matches partner-unit-derived members on path with derive_grants_authority=true and a unit_role whose approval_role_from_unit_role mapping meets the threshold. Returns DecisionKindDerivedPeer when this branch is the one that passed. 2. hasQualifiedApprover (the deadlock-check at submit time) — widened so a project with no direct approvers but an authority- granting unit attachment is still submittable. 3. ListPendingForApprover (the /inbox query) — third UNION ALL branch so derived authority sees their queue. 4. PendingCountForUser (the bell-badge query) — same widening so derived authority sees the count tick. All four queries reuse paliad.approval_role_from_unit_role(text) added by Phase 2 of migration 055. Frontend -------- - 2 i18n keys (DE+EN): approvals.decision_kind.derived_peer → "Genehmigt durch abgeleitetes Mitglied (Partner Unit)" / "Approved by derived member (Partner Unit)". Verlauf rendering of the third decision_kind value works through the existing translateEvent / decision_kind switch with no other change. 1606 keys total. Strict-default unchanged ------------------------ Derived members are visibility-only by default. Authority requires the project lead/admin to explicitly flip derive_grants_authority=true on the project_partner_units row (UI on /projects/{id} Team tab, Phase 2). This preserves the m-locked Q12 stance. Phase 3 closes the t-paliad-139 implementation. m's bug closes (Phase 1), the derivation schema is in place (Phase 2), and approval authority flows through the new ladder (Phase 3).	2026-05-06 16:45:19 +02:00
m	544bb63684	feat(t-paliad-139): Phase 2 — partner-unit derivation schema + Team-tab subsections Migration 055 adds the structural pieces the issue's PA-derivation premise needed (the design-§1.3 verify-before-trust check found all three were missing today): - paliad.partner_unit_members.unit_role text DEFAULT 'attorney' CHECK ('lead'\|'attorney'\|'senior_pa'\|'pa'\|'paralegal') — per-unit role distinction so derivation can target specific tiers without re- introducing a firm-wide rank column. The same human can be 'attorney' in one unit and 'lead' in another. - paliad.project_partner_units junction (project_id, partner_unit_id, derive_unit_roles[] DEFAULT {pa,senior_pa}, derive_grants_authority bool DEFAULT false, attached_at, attached_by) with composite PK and RLS (read = can_see_project; write = global_admin OR project lead). - paliad.approval_role_from_unit_role(text) helper used by Phase 3 when derived authority is consulted by the t-138 ladder. - paliad.can_see_project extended with one EXISTS branch — derivation walks the path: a user is visible on P if any (ancestor of P) is attached to a unit they are a member of with a matching unit_role. No RAISE EXCEPTION (Maria's build constraint). Day-1 deploy = zero behaviour change because every existing unit member defaults to unit_role='attorney' and the default derive_unit_roles is {pa,senior_pa}, so until both diverge no derivation happens. Backend services ---------------- - DerivationService (new, internal/services/derivation_service.go): AttachUnitToProject, DetachUnitFromProject, ListAttachedUnits, ListDerivedMembers (path-walking dedupe by closest attachment), ListDescendantStaffed (descendant-direct rows excluding ancestor- already-staffed), EffectiveProjectRole (returns role + source ∈ {direct, ancestor, derived} for the t-138 approval gate in Phase 3). - PartnerUnitService extensions: PartnerUnitMemberDetail gains UnitRole (db:"unit_role"). Constants UnitRoleLead/Attorney/SeniorPA/PA/Paralegal + isValidUnitRole. SetMemberRole(callerID, unitID, userID, role) with admin gate, prior- role read in tx, audit emit 'member_role_changed'. ListMembers and ListWithMembers SELECT projection now includes pum.unit_role. Handlers -------- - GET /api/projects/{id}/partner-units → ListAttachedUnits - POST /api/projects/{id}/partner-units → AttachUnitToProject - DELETE /api/projects/{id}/partner-units/{unit_id} → DetachUnitFromProject - GET /api/projects/{id}/team/derived → ListDerivedMembers - GET /api/projects/{id}/team/from-descendants → ListDescendantStaffed - PATCH /api/partner-units/{id}/members/{user_id}/role → SetMemberRole - Services bundle gains Derivation; cmd/server/main.go wires it. Frontend (Team-tab on /projects/{id}) ------------------------------------- Three new subsections rendered after the existing direct+ancestor table: - "Aus Unterprojekten" — descendant-direct rows with attribution arrow. - "Abgeleitet (Partner Unit)" — derived rows with [Sicht] / [Sicht & 4- Augen] badge per the m-locked honesty rule (§3.5). - "Partner Units" — attached-unit list with attach/detach controls (lead/admin only) and a form picker for derive_unit_roles + derive_grants_authority. Each subsection is hidden when its data is empty (Partner Units block also surfaces for managers when empty so they can attach). Loaders + state in projects-detail.ts; renderTeam orchestrates all four subsections; renderAttachedUnits owns the unit list + detach handlers; initAttachUnitForm wires the picker + checkbox role-set. canManagePartnerUnits gates the attach UI on global_admin OR direct 'lead' on the current project. i18n keys (DE+EN, ~30 new) under projects.team.section., projects.team.derived., projects.team.units., unit_role.. Codegen now emits 1605 keys (was 1494). CSS additions: .entity-section-heading (subsection h3), .derived-badge / .derived-badge--authority, .form-checkbox. Phase 3 (approval extension to honour derived_peer decision_kind) stacks on top — gates on EffectiveProjectRole returning ('role','derived') being wired into the t-138 canApprove + inbox SQL.	2026-05-06 16:41:41 +02:00

Author

SHA1

Message

Date

a61c1490e3

feat(t-paliad-139): Phase 3 — derived_peer authority extension to t-138 approval gate

Wires DerivationService.EffectiveProjectRole into the t-paliad-138
approval ladder so partner-unit-derived members with derive_grants_authority=true
can act as approvers (per design §4.2). When they sign off, the audit row
records decision_kind='derived_peer' — a third value alongside the existing
'peer' and 'admin_override' — so the chronology discloses the derivation
chain.

Schema (migration 055 update)
-----------------------------
  - paliad.approval_requests.decision_kind CHECK extended to accept
    'derived_peer'. Down migration restores the t-138 two-value CHECK.
    Live SQL dry-run confirmed the new value is accepted.

Service layer
-------------
  - approval_levels.go: new constant DecisionKindDerivedPeer.
  - approval_service.go (4 sites widened with the derivation EXISTS branch):
      1. canApprove — third resolution step after global_admin + direct/
         ancestor team membership: matches partner-unit-derived members
         on path with derive_grants_authority=true and a unit_role whose
         approval_role_from_unit_role mapping meets the threshold.
         Returns DecisionKindDerivedPeer when this branch is the one that
         passed.
      2. hasQualifiedApprover (the deadlock-check at submit time) —
         widened so a project with no direct approvers but an authority-
         granting unit attachment is still submittable.
      3. ListPendingForApprover (the /inbox query) — third UNION ALL
         branch so derived authority sees their queue.
      4. PendingCountForUser (the bell-badge query) — same widening so
         derived authority sees the count tick.
  All four queries reuse paliad.approval_role_from_unit_role(text) added
  by Phase 2 of migration 055.

Frontend
--------
  - 2 i18n keys (DE+EN): approvals.decision_kind.derived_peer →
    "Genehmigt durch abgeleitetes Mitglied (Partner Unit)" / "Approved by
    derived member (Partner Unit)". Verlauf rendering of the third
    decision_kind value works through the existing translateEvent /
    decision_kind switch with no other change. 1606 keys total.

Strict-default unchanged
------------------------
Derived members are visibility-only by default. Authority requires the
project lead/admin to explicitly flip derive_grants_authority=true on the
project_partner_units row (UI on /projects/{id} Team tab, Phase 2). This
preserves the m-locked Q12 stance.

Phase 3 closes the t-paliad-139 implementation. m's bug closes (Phase 1),
the derivation schema is in place (Phase 2), and approval authority
flows through the new ladder (Phase 3).

2026-05-06 16:45:19 +02:00

544bb63684

feat(t-paliad-139): Phase 2 — partner-unit derivation schema + Team-tab subsections

Migration 055 adds the structural pieces the issue's PA-derivation premise
needed (the design-§1.3 verify-before-trust check found all three were
missing today):

  - paliad.partner_unit_members.unit_role text DEFAULT 'attorney'
    CHECK ('lead'|'attorney'|'senior_pa'|'pa'|'paralegal') — per-unit role
    distinction so derivation can target specific tiers without re-
    introducing a firm-wide rank column. The same human can be 'attorney'
    in one unit and 'lead' in another.
  - paliad.project_partner_units junction (project_id, partner_unit_id,
    derive_unit_roles[] DEFAULT {pa,senior_pa}, derive_grants_authority bool
    DEFAULT false, attached_at, attached_by) with composite PK and RLS
    (read = can_see_project; write = global_admin OR project lead).
  - paliad.approval_role_from_unit_role(text) helper used by Phase 3 when
    derived authority is consulted by the t-138 ladder.
  - paliad.can_see_project extended with one EXISTS branch — derivation
    walks the path: a user is visible on P if any (ancestor of P) is
    attached to a unit they are a member of with a matching unit_role.

No RAISE EXCEPTION (Maria's build constraint). Day-1 deploy = zero
behaviour change because every existing unit member defaults to
unit_role='attorney' and the default derive_unit_roles is {pa,senior_pa},
so until both diverge no derivation happens.

Backend services
----------------
  - DerivationService (new, internal/services/derivation_service.go):
      AttachUnitToProject, DetachUnitFromProject, ListAttachedUnits,
      ListDerivedMembers (path-walking dedupe by closest attachment),
      ListDescendantStaffed (descendant-direct rows excluding ancestor-
      already-staffed), EffectiveProjectRole (returns role + source ∈
      {direct, ancestor, derived} for the t-138 approval gate in Phase 3).
  - PartnerUnitService extensions:
      PartnerUnitMemberDetail gains UnitRole (db:"unit_role"). Constants
      UnitRoleLead/Attorney/SeniorPA/PA/Paralegal + isValidUnitRole.
      SetMemberRole(callerID, unitID, userID, role) with admin gate, prior-
      role read in tx, audit emit 'member_role_changed'. ListMembers and
      ListWithMembers SELECT projection now includes pum.unit_role.

Handlers
--------
  - GET /api/projects/{id}/partner-units              → ListAttachedUnits
  - POST /api/projects/{id}/partner-units             → AttachUnitToProject
  - DELETE /api/projects/{id}/partner-units/{unit_id} → DetachUnitFromProject
  - GET /api/projects/{id}/team/derived               → ListDerivedMembers
  - GET /api/projects/{id}/team/from-descendants      → ListDescendantStaffed
  - PATCH /api/partner-units/{id}/members/{user_id}/role → SetMemberRole
  - Services bundle gains Derivation; cmd/server/main.go wires it.

Frontend (Team-tab on /projects/{id})
-------------------------------------
Three new subsections rendered after the existing direct+ancestor table:
  - "Aus Unterprojekten" — descendant-direct rows with attribution arrow.
  - "Abgeleitet (Partner Unit)" — derived rows with [Sicht] / [Sicht & 4-
    Augen] badge per the m-locked honesty rule (§3.5).
  - "Partner Units" — attached-unit list with attach/detach controls
    (lead/admin only) and a form picker for derive_unit_roles +
    derive_grants_authority.
Each subsection is hidden when its data is empty (Partner Units block
also surfaces for managers when empty so they can attach).

Loaders + state in projects-detail.ts; renderTeam orchestrates all
four subsections; renderAttachedUnits owns the unit list + detach
handlers; initAttachUnitForm wires the picker + checkbox role-set.
canManagePartnerUnits gates the attach UI on global_admin OR direct
'lead' on the current project.

i18n keys (DE+EN, ~30 new) under projects.team.section.*,
projects.team.derived.*, projects.team.units.*, unit_role.*. Codegen now
emits 1605 keys (was 1494).

CSS additions: .entity-section-heading (subsection h3),
.derived-badge / .derived-badge--authority, .form-checkbox.

Phase 3 (approval extension to honour derived_peer decision_kind) stacks
on top — gates on EffectiveProjectRole returning ('role','derived') being
wired into the t-138 canApprove + inbox SQL.

2026-05-06 16:41:41 +02:00

2 Commits