Compare commits
1 Commits
feat/78-re
...
feat/29-bf
| Author | SHA1 | Date | |
|---|---|---|---|
| 2780bce4fd |
@@ -1,20 +0,0 @@
|
||||
{
|
||||
"version": 1,
|
||||
"isRoot": true,
|
||||
"tools": {
|
||||
"dotnet-stryker": {
|
||||
"version": "4.15.0",
|
||||
"commands": [
|
||||
"dotnet-stryker"
|
||||
],
|
||||
"rollForward": false
|
||||
},
|
||||
"dotnet-ef": {
|
||||
"version": "10.0.0",
|
||||
"commands": [
|
||||
"dotnet-ef"
|
||||
],
|
||||
"rollForward": false
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
# Editor configuration, see http://editorconfig.org
|
||||
root = true
|
||||
|
||||
[*]
|
||||
indent_style = space
|
||||
indent_size = 2
|
||||
insert_final_newline = true
|
||||
trim_trailing_whitespace = true
|
||||
|
||||
# .NET sources use 4-space indent (dotnet format enforces this). The 2-space default
|
||||
# above is for the frontend (TS/HTML/CSS/JSON); C# keeps the .NET convention.
|
||||
[*.cs]
|
||||
indent_size = 4
|
||||
|
||||
[*.md]
|
||||
max_line_length = off
|
||||
trim_trailing_whitespace = false
|
||||
@@ -1,24 +0,0 @@
|
||||
---
|
||||
name: ADR proposal
|
||||
about: Propose a decision that needs recording before coding (CLAUDE.md §14)
|
||||
title: "ADR: "
|
||||
labels:
|
||||
- type:adr-proposal
|
||||
---
|
||||
|
||||
**Decision to be made:**
|
||||
|
||||
**Context / forces:** <!-- what makes this non-obvious; constraints, trade-offs -->
|
||||
|
||||
**Options considered:**
|
||||
1.
|
||||
2.
|
||||
|
||||
**Proposed option + why:**
|
||||
|
||||
**Consequences:** <!-- what becomes easier/harder; what we commit to -->
|
||||
|
||||
**Coupling rules touched (CLAUDE.md §8):** <!-- none, or which and why -->
|
||||
|
||||
> On acceptance, the ADR file (`docs/architecture/adr-NNNN-title.md`, Nygard
|
||||
> template) lands in the PR that implements the decision.
|
||||
@@ -1,21 +0,0 @@
|
||||
---
|
||||
name: Bug
|
||||
about: Something behaves incorrectly
|
||||
title: ""
|
||||
labels:
|
||||
- type:bug
|
||||
---
|
||||
|
||||
**What happened:**
|
||||
|
||||
**What you expected:**
|
||||
|
||||
**Steps to reproduce:**
|
||||
1.
|
||||
2.
|
||||
|
||||
**Environment:** <!-- branch/commit, OS, container engine, anything relevant -->
|
||||
|
||||
**Logs / evidence:**
|
||||
|
||||
**Suspected area:** <!-- e.g. area:bff, area:acl — add the matching area label -->
|
||||
@@ -1,31 +0,0 @@
|
||||
---
|
||||
name: Slice (user story)
|
||||
about: A backlog slice — independently demoable, encodes the Definition of Done
|
||||
title: "S-NN · "
|
||||
labels:
|
||||
- type:slice
|
||||
---
|
||||
|
||||
**Outcome:** <!-- one sentence; user-visible if possible -->
|
||||
|
||||
**Acceptance:**
|
||||
<!-- Gherkin scenarios or testable assertions -->
|
||||
-
|
||||
|
||||
**Touches:** <!-- services and folders -->
|
||||
|
||||
**Out of scope:** <!-- explicit non-goals -->
|
||||
|
||||
## Definition of Done
|
||||
|
||||
- [ ] This linked Gitea issue exists and is on the right milestone.
|
||||
- [ ] Failing test written and committed first (`test(scope): … (refs #NN)`).
|
||||
- [ ] Implementation makes the test pass (`feat(scope): … (refs #NN)`).
|
||||
- [ ] Refactor commit follows if structure improved.
|
||||
- [ ] Conventional Commit messages referencing this issue.
|
||||
- [ ] All Gitea Actions CI jobs green (or `make ci` green while no runner exists).
|
||||
- [ ] `docker compose up` from a fresh clone reaches green health checks within 3 minutes.
|
||||
- [ ] Docs touched if behaviour, contracts, or operations changed.
|
||||
- [ ] ADR added in `docs/architecture/` if a non-obvious decision was made.
|
||||
- [ ] Demo note appended to `docs/demo-script.md` if the slice is user-visible.
|
||||
- [ ] This issue closed by the merging PR (`closes #NN`).
|
||||
@@ -1,23 +0,0 @@
|
||||
<!-- Title: Conventional Commit style, e.g. feat(bff): … (closes #NN) -->
|
||||
|
||||
## What & why
|
||||
|
||||
<!-- Summary of the change and the slice/bug it addresses. -->
|
||||
|
||||
Closes #
|
||||
|
||||
## Definition of Done
|
||||
|
||||
- [ ] Linked Gitea issue (above).
|
||||
- [ ] Failing test committed before the implementation.
|
||||
- [ ] Implementation makes the test pass; refactor commit if structure improved.
|
||||
- [ ] Conventional Commits referencing the issue (`refs #NN`).
|
||||
- [ ] CI green — all Gitea Actions jobs (or `make ci` green while no runner exists).
|
||||
- [ ] `docker compose up` from a fresh clone reaches green health checks within 3 minutes.
|
||||
- [ ] Docs updated if behaviour, contracts, or operations changed.
|
||||
- [ ] ADR added in `docs/architecture/` if a non-obvious decision was made.
|
||||
- [ ] Demo note in `docs/demo-script.md` if user-visible.
|
||||
|
||||
## Notes for reviewers
|
||||
|
||||
<!-- Anything that helps review: trade-offs, follow-ups, known gaps. -->
|
||||
@@ -1,163 +0,0 @@
|
||||
name: CI
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
pull_request:
|
||||
branches: [main]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
# Self-hosted runner — see docs/runbooks/ci.md for the runner setup.
|
||||
# `uses:` are absolute, tag-pinned URLs (CLAUDE.md §8.7 / §15).
|
||||
|
||||
# Each job calls a `make` target — the same one developers run locally
|
||||
# (`make ci`). The Makefile is the single source of truth; see docs/runbooks/ci.md.
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: https://github.com/actions/checkout@v4
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
# Cache the NuGet package store so each .NET job restores from disk, not the network. There are
|
||||
# no lock files (so setup-dotnet's built-in cache doesn't apply); key on the project files. @v3
|
||||
# avoids the GHES guard that breaks @v4 on Gitea (gitea-actions-gotchas.md); cache is best-effort
|
||||
# — a miss just restores from the network. See issue #73.
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make lint
|
||||
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: https://github.com/actions/checkout@v4
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make build
|
||||
|
||||
unit:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: https://github.com/actions/checkout@v4
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make unit
|
||||
|
||||
# Frontend (Nx/Angular) lane: install with pnpm, then Nx lint + test + build.
|
||||
frontend:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: https://github.com/actions/checkout@v4
|
||||
- uses: https://github.com/pnpm/action-setup@v4
|
||||
with:
|
||||
version: 11
|
||||
- uses: https://github.com/actions/setup-node@v4
|
||||
with:
|
||||
node-version: '24'
|
||||
cache: 'pnpm'
|
||||
- run: make frontend
|
||||
|
||||
mutation:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: https://github.com/actions/checkout@v4
|
||||
- uses: https://github.com/actions/setup-dotnet@v4
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- uses: https://github.com/actions/cache@v3
|
||||
with:
|
||||
path: ~/.nuget/packages
|
||||
key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj') }}
|
||||
restore-keys: |
|
||||
nuget-${{ runner.os }}-
|
||||
- run: make mutation
|
||||
# Publish the Stryker HTML reports. `if: always()` uploads them even when the
|
||||
# ratchet fails — that is exactly when you want to inspect the survivors.
|
||||
# `continue-on-error` keeps the upload best-effort: the mutation *gate* is the
|
||||
# ratchet (make mutation's exit code), not the report, so a Gitea artifact-backend
|
||||
# 500 must not fail the job (gitea-actions-gotchas.md §4). Glob handles Stryker's
|
||||
# non-deterministic StrykerOutput/<timestamp>/ dir. Pinned @v3: @v4's bundled
|
||||
# @actions/artifact hard-aborts on non-github.com (GHES guard) — see the runbook.
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: acl-mutation-report
|
||||
path: services/acl/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: event-subscriber-mutation-report
|
||||
path: services/event-subscriber/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: domain-mutation-report
|
||||
path: services/domain/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: bff-mutation-report
|
||||
path: services/bff/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
|
||||
# One stage for every check that needs the live stack. On the single self-hosted
|
||||
# runner jobs run sequentially, so booting OpenZaak once (instead of once per job)
|
||||
# is the cheapest layout (issue #58). No setup-dotnet: the ACL test runs in a built
|
||||
# image and everything reaches services by container IP. Needs Docker + egress
|
||||
# (base images, nuget, selectielijst.openzaak.nl).
|
||||
verify-stack:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: https://github.com/actions/checkout@v4
|
||||
# Bring the full stack up + wait for health — this also is the DoD "compose up
|
||||
# reaches green health" smoke (it replaces the old compose-smoke job).
|
||||
- name: Bring up the full stack & wait for health
|
||||
run: make verify-up
|
||||
- name: ACL ↔ OpenZaak integration tests
|
||||
run: make verify-acl
|
||||
- name: OpenZaak → NRC notification delivery
|
||||
run: make verify-nrc
|
||||
- name: OpenZaak → NRC → Event Subscriber → projection-api
|
||||
run: make verify-projection
|
||||
- name: Domain → Flowable → ACL → OpenZaak
|
||||
run: make verify-domain
|
||||
- name: BFF → Keycloak + domain + projection
|
||||
run: make verify-bff
|
||||
- name: Self-service e2e (Playwright, login → submit → success)
|
||||
run: make verify-e2e
|
||||
# Log dump must precede teardown (which removes the containers).
|
||||
- name: Dump container logs on failure
|
||||
if: failure()
|
||||
run: docker compose -f infra/docker-compose.yml logs --no-color --tail=100 oz-init openzaak nrc-init nrc-web nrc-celery nrc-beat flowable-db flowable-rest flowable-init keycloak acl bff domain projection-db event-subscriber projection-api self-service 2>&1 || true
|
||||
- name: Tear down
|
||||
if: always()
|
||||
run: make down
|
||||
32
.gitignore
vendored
32
.gitignore
vendored
@@ -5,9 +5,6 @@ obj/
|
||||
[Rr]elease/
|
||||
*.user
|
||||
|
||||
# Reqnroll-generated test code (regenerated from *.feature on build)
|
||||
*.feature.cs
|
||||
|
||||
# Test results / coverage
|
||||
[Tt]est[Rr]esults/
|
||||
*.trx
|
||||
@@ -15,9 +12,6 @@ coverage*.json
|
||||
coverage*.xml
|
||||
*.coverage
|
||||
|
||||
# Stryker.NET mutation-testing reports (regenerated by `make mutation`)
|
||||
StrykerOutput/
|
||||
|
||||
# Rider / VS / VS Code
|
||||
.idea/
|
||||
.vs/
|
||||
@@ -28,32 +22,6 @@ node_modules/
|
||||
dist/
|
||||
.angular/
|
||||
|
||||
# Python / MkDocs
|
||||
.venv/
|
||||
site/
|
||||
|
||||
# OS
|
||||
.DS_Store
|
||||
Thumbs.db
|
||||
|
||||
# ── Frontend (Nx / Angular / pnpm) ──
|
||||
node_modules/
|
||||
dist/
|
||||
tmp/
|
||||
out-tsc/
|
||||
/coverage
|
||||
.angular/
|
||||
.nx/cache
|
||||
.nx/workspace-data
|
||||
.nx/self-healing
|
||||
.nx/migrate-runs
|
||||
.nx/polygraph
|
||||
vite.config.*.timestamp*
|
||||
vitest.config.*.timestamp*
|
||||
|
||||
.angular
|
||||
|
||||
# Playwright e2e (installed/generated in-container or on local runs)
|
||||
tests/e2e/node_modules/
|
||||
tests/e2e/test-results/
|
||||
tests/e2e/playwright-report/
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
# Add files here to ignore them from prettier formatting
|
||||
/dist
|
||||
/coverage
|
||||
/.nx/cache
|
||||
/.nx/workspace-data
|
||||
.angular
|
||||
|
||||
.nx/self-healing
|
||||
@@ -1,3 +0,0 @@
|
||||
{
|
||||
"singleQuote": true
|
||||
}
|
||||
41
BACKLOG.md
41
BACKLOG.md
@@ -151,47 +151,32 @@ The skeleton proves the spine end-to-end: a registration, a workflow, a zaak in
|
||||
|
||||
### S-08 · Self-Service portal (Angular, NL DS) — submit a registration
|
||||
|
||||
> **S-08 was split** (CLAUDE.md §13; issue #9 closed) into the sub-slices below — it bundled the
|
||||
> Nx bootstrap, the generated client, the NL DS + DigiD form, and a full-stack Playwright e2e, well
|
||||
> past 1–2 days. Each sub-slice is independently demoable and CI-green.
|
||||
|
||||
- **S-08a (#65)** · Nx monorepo + Angular tooling + CI Node lane. Placeholder `self-service` app; `nx lint/test/build` green in a new CI Node lane.
|
||||
- **S-08b (#66)** · Generated api-client lib from `services/bff/openapi.json` (never hand-written, §10) + a mocked-BFF unit test.
|
||||
- **S-08c (#67)** · Self-service submit form — NL Design System `libs/ui`, DigiD OIDC `libs/auth`, component tests (Angular Testing Library), axe WCAG 2.1 AA on the submit page.
|
||||
- **S-08d (#68)** · Playwright happy-path e2e (login → submit → success) against the full stack + compose serving + CI e2e lane.
|
||||
|
||||
**Out of scope (whole of S-08):** document upload, status tracking page.
|
||||
|
||||
### S-09 · Openbaar Register portal — public lookup *(#10)*
|
||||
|
||||
**Outcome:** The openbaar Angular app shows a search box. Anonymous. Queries the BFF's `/openbaar/register` which reads only the projection's **public-safe** fields. Shows the public-visibility half of the walking skeleton.
|
||||
|
||||
_Split from the original S-09 — scoped to the portal only; the approval flow is **S-09b (#75)**._
|
||||
**Outcome:** The self-service Angular app, in the Nx monorepo, lets a zorgprofessional log in via mock DigiD and submit a registration. NL Design System styling. Generated API client.
|
||||
|
||||
**Acceptance:**
|
||||
|
||||
- E2E test: after a zorgprofessional registers via self-service (S-08), the openbaar register shows the entry (as `INGEDIEND`).
|
||||
- Public-safe field whitelist enforced and tested (already in the BFF; add a portal component test + a11y check).
|
||||
- E2E test (Playwright): full happy path, login → submit → success page.
|
||||
- Component tests (Testing Library) for the form.
|
||||
- Accessibility audit (axe-core) passes WCAG 2.1 AA on the submit page.
|
||||
|
||||
**Touches:** `apps/openbaar/`, compose serving, e2e, docs.
|
||||
**Touches:** `apps/self-service/`, `libs/ui/`, `libs/auth/`, `libs/api-client/`, tests.
|
||||
|
||||
**Out of scope:** approval/status transition (S-09b), advanced search filters, sorting.
|
||||
**Out of scope:** document upload, status tracking page.
|
||||
|
||||
### S-09b · Approval flow — temp admin endpoint + status transition to projection *(#75)*
|
||||
### S-09 · Openbaar Register portal — public lookup
|
||||
|
||||
**Outcome:** A behandelaar approves a submitted registration via a temporary admin endpoint (no behandel-portal yet — S-12). The approval transitions the zaak status through the ACL → NRC → event-subscriber → projection, and the openbaar register then shows the entry as approved.
|
||||
**Outcome:** The openbaar Angular app shows a search box. Anonymous. Queries the BFF's `/openbaar/register` which reads only the projection's **public-safe** fields. Confirms the walking skeleton end-to-end.
|
||||
|
||||
**Acceptance:**
|
||||
|
||||
- A new terminal/approved status (e.g. `INGESCHREVEN`) exists and is projected.
|
||||
- Temporary admin approve endpoint transitions a registration via a real ZGW status set (behind the ACL, §8).
|
||||
- E2E: register (S-08) → approve → openbaar shows the entry as approved.
|
||||
- E2E test: zorgprofessional registers via self-service (S-08), behandelaar approves via a temporary admin endpoint (no behandel-portal yet), openbaar register shows the entry.
|
||||
- Public-safe field whitelist enforced and tested.
|
||||
|
||||
**Touches:** `services/domain`, `services/acl`, `services/event-subscriber`, `services/projection-api`, e2e.
|
||||
**Touches:** `apps/openbaar/`, projection-api hardening, tests.
|
||||
|
||||
**Out of scope:** behandel-portal UI (S-12), assessment logic (S-13), escalation (S-15).
|
||||
**Out of scope:** advanced search filters, sorting.
|
||||
|
||||
**End of walking skeleton** (S-09 + S-09b). Demo: submit → process → projection → public visibility. All CI gates green on Gitea Actions. Cut release `vYYYY.MM.0` and publish via Gitea Releases.
|
||||
**End of walking skeleton.** Demo: submit → process → projection → public visibility. All CI gates green on Gitea Actions. Cut release `vYYYY.MM.0` and publish via Gitea Releases.
|
||||
|
||||
---
|
||||
|
||||
|
||||
20
CHANGELOG.md
20
CHANGELOG.md
@@ -1,20 +0,0 @@
|
||||
# Changelog
|
||||
|
||||
All notable changes to this project. Generated from Conventional Commits by git-cliff.
|
||||
|
||||
## Unreleased
|
||||
|
||||
### CI
|
||||
- Gitea Actions pipeline + runner runbook (refs #30) (#37)
|
||||
|
||||
### Chores
|
||||
- Add idempotent Gitea backlog seeder
|
||||
- Remove bootstrap scripts from main (#35)
|
||||
|
||||
### Documentation
|
||||
- Split S-00 into sub-slices (refs #1) (#33)
|
||||
|
||||
### Features
|
||||
- Placeholder BFF + /health endpoint (closes #28) (#34)
|
||||
- Containerize BFF + compose-up smoke (closes #29) (#36)
|
||||
|
||||
289
Makefile
289
Makefile
@@ -1,289 +0,0 @@
|
||||
# Developer + CI entrypoints.
|
||||
#
|
||||
# These targets are the single source of truth for the checks. The Gitea
|
||||
# Actions workflow (.gitea/workflows/ci.yaml) invokes the SAME targets, so
|
||||
# `make ci` locally runs exactly what the pipeline runs — no drift. Until a
|
||||
# self-hosted runner is registered, `make ci` is the gate (see docs/runbooks/ci.md).
|
||||
|
||||
SLN := register-referentie.slnx
|
||||
COMPOSE := infra/docker-compose.yml
|
||||
# Long-running services with a healthcheck — the smoke polls these for readiness
|
||||
# (infra/wait-healthy.sh). One-shot init jobs (oz-init, nrc-init, flowable-init)
|
||||
# are not polled; they only need to have run. See docs/runbooks/gitea-actions-gotchas.md.
|
||||
WAIT_SVCS := openzaak nrc-web acl bff domain event-subscriber projection-api self-service openbaar
|
||||
# Config files (OpenZaak data.yaml, Keycloak realms, Flowable BPMN) are streamed
|
||||
# into external named volumes via `docker cp` (infra/seed-config.sh) instead of
|
||||
# bind-mounted, because bind mounts don't reach sibling containers on the
|
||||
# containerized CI runner. SEED populates them; run it before every `up`. The
|
||||
# volumes are `external`, so compose won't remove them — CFG_VOLS lists them for
|
||||
# explicit teardown. See docs/runbooks/gitea-actions-gotchas.md.
|
||||
SEED := bash infra/seed-config.sh
|
||||
CFG_VOLS := rr-oz-config rr-nrc-config rr-kc-realms rr-fl-bpmn
|
||||
# Local-only stack: same services but config is bind-mounted (no seed step), so a
|
||||
# plain `docker compose -f infra/docker-compose.local.yml up` works on any local
|
||||
# engine. This is the no-make / Windows-friendly path. See that file's header.
|
||||
LOCAL_COMPOSE := infra/docker-compose.local.yml
|
||||
OZ_COMPOSE := infra/openzaak/docker-compose.yml
|
||||
OZ_BASE := http://localhost:8000
|
||||
NRC_COMPOSE := infra/opennotificaties/docker-compose.yml
|
||||
NRC_BASE := http://localhost:8001
|
||||
KC_COMPOSE := infra/keycloak/docker-compose.yml
|
||||
KC_BASE := http://localhost:8180
|
||||
FL_COMPOSE := infra/flowable/docker-compose.yml
|
||||
FL_BASE := http://localhost:8090/flowable-rest/service
|
||||
STACK_FILES := -f $(OZ_COMPOSE) -f $(NRC_COMPOSE)
|
||||
|
||||
# On a rootless Podman dev box, point Docker CLI/Compose at the Podman socket —
|
||||
# but only if that socket exists and DOCKER_HOST isn't already set, so real
|
||||
# Docker hosts and CI runners are left untouched.
|
||||
PODMAN_SOCK := /run/user/$(shell id -u)/podman/podman.sock
|
||||
ifeq ($(wildcard $(PODMAN_SOCK)),$(PODMAN_SOCK))
|
||||
ifeq ($(origin DOCKER_HOST),undefined)
|
||||
export DOCKER_HOST := unix://$(PODMAN_SOCK)
|
||||
endif
|
||||
endif
|
||||
|
||||
.PHONY: ci lint build unit mutation frontend integration verify verify-up verify-acl verify-nrc verify-projection verify-bff verify-domain verify-notifications smoke up down local local-down changelog openzaak-up openzaak-smoke openzaak-seed openzaak-down stack-up stack-smoke stack-down keycloak-up keycloak-smoke keycloak-down flowable-up flowable-smoke flowable-down help
|
||||
|
||||
## ci: run the full pipeline — lint, build, unit, mutation, frontend, verify (mirrors Gitea Actions)
|
||||
## `verify` is the live-stack stage (full stack up once → ACL + notification checks).
|
||||
ci: lint build unit mutation frontend verify
|
||||
|
||||
## frontend: install deps and run the Nx lint/test/build for the portals (pnpm + Node required)
|
||||
# Tests run in their own phase, ahead of the build. The @angular/build:unit-test
|
||||
# (Vitest) runner spawns a worker with a hard-coded 60s/90s startup timeout that is
|
||||
# not configurable. When the ~5min production build shares the run-many pool, it
|
||||
# starves that worker of CPU on constrained CI runners and Vitest fails with
|
||||
# "Timeout waiting for worker to respond". Splitting the phases keeps tests off the
|
||||
# heavy build's back so the worker starts well inside its window.
|
||||
frontend:
|
||||
pnpm install --frozen-lockfile
|
||||
pnpm nx run-many -t lint test
|
||||
pnpm nx run-many -t build
|
||||
|
||||
## lint: verify formatting (no changes)
|
||||
lint:
|
||||
dotnet format $(SLN) --verify-no-changes
|
||||
|
||||
## build: release build
|
||||
build:
|
||||
dotnet build $(SLN) -c Release
|
||||
|
||||
## unit: run unit tests (excludes the container-backed Integration lane)
|
||||
unit:
|
||||
dotnet test $(SLN) -c Release --filter "Category!=Integration"
|
||||
|
||||
## mutation: run the Stryker.NET ratchet on each service with branching logic (fails below baseline)
|
||||
# Stryker is pinned as a local dotnet tool (.config/dotnet-tools.json); `tool restore`
|
||||
# makes `make mutation` work from a fresh clone. Each service owns its config + break
|
||||
# threshold (the ratchet, CLAUDE.md §5): each services/<svc>/stryker-config.json.
|
||||
# Scores never regress below baseline.
|
||||
mutation:
|
||||
dotnet tool restore
|
||||
cd services/acl && dotnet stryker
|
||||
cd services/event-subscriber && dotnet stryker
|
||||
cd services/domain && dotnet stryker
|
||||
cd services/bff && dotnet stryker
|
||||
|
||||
## smoke: seed config, bring the whole stack up, wait for health-checked services, tear down
|
||||
# SEED populates the external config volumes first (upstream images used verbatim;
|
||||
# only our acl/bff are built). `up -d --build` starts EVERYTHING. Readiness is
|
||||
# checked by infra/wait-healthy.sh polling the durable, health-checked services
|
||||
# ($(WAIT_SVCS)) via `docker inspect` — portable across docker compose and
|
||||
# podman-compose, and needing no `--wait` flag or host port access. The one-shots
|
||||
# (oz-init, flowable-init) aren't polled; they just need to have run.
|
||||
smoke:
|
||||
$(SEED) oz nrc kc fl
|
||||
docker compose -f $(COMPOSE) up -d --build
|
||||
bash -c 'WAIT_TIMEOUT=420 bash infra/wait-healthy.sh $(WAIT_SVCS); rc=$$?; docker compose -f $(COMPOSE) down --volumes; docker volume rm -f $(CFG_VOLS) >/dev/null 2>&1; exit $$rc'
|
||||
|
||||
## up: seed config volumes and start the full stack (use instead of bare
|
||||
## `docker compose up`, which can't self-seed the external config volumes)
|
||||
up:
|
||||
$(SEED) oz nrc kc fl
|
||||
docker compose -f $(COMPOSE) up -d --build
|
||||
|
||||
## down: stop and remove the local stack (incl. the external config volumes)
|
||||
down:
|
||||
docker compose -f $(COMPOSE) down --volumes
|
||||
-docker volume rm -f $(CFG_VOLS)
|
||||
|
||||
## local: bring up the bind-mount stack (no seed step) and wait for health
|
||||
## (Windows / no-make users: run `docker compose -f infra/docker-compose.local.yml up -d --build` directly)
|
||||
local:
|
||||
docker compose -f $(LOCAL_COMPOSE) up -d --build
|
||||
WAIT_TIMEOUT=420 bash infra/wait-healthy.sh $(WAIT_SVCS)
|
||||
|
||||
## local-down: stop and remove the bind-mount stack
|
||||
local-down:
|
||||
docker compose -f $(LOCAL_COMPOSE) down --volumes
|
||||
|
||||
## changelog: regenerate CHANGELOG.md from Conventional Commits (git-cliff)
|
||||
changelog:
|
||||
git-cliff --output CHANGELOG.md
|
||||
|
||||
# ── ZGW verification ───────────────────────────────────────────────────────
|
||||
# On the single runner CI jobs run sequentially, so the OpenZaak-dependent checks
|
||||
# share ONE full-stack bring-up: the `verify-stack` CI job runs `verify-up` then
|
||||
# `verify-acl` + `verify-nrc` as steps against the same stack (issue #58). The
|
||||
# check logic lives in stack-agnostic runners that reach services by container IP
|
||||
# (gitea-actions-gotchas.md §5/§6); `integration` / `verify-notifications` are local
|
||||
# convenience wrappers that bring up a lighter stack and call the same runners.
|
||||
|
||||
## verify-up: bring the FULL stack up and wait for health (CI verify-stack step 1;
|
||||
## subsumes the old compose-smoke health gate — the DoD "up reaches green" check).
|
||||
verify-up:
|
||||
$(SEED) oz nrc kc fl
|
||||
docker compose -f $(COMPOSE) up -d --build
|
||||
WAIT_TIMEOUT=420 bash infra/wait-healthy.sh $(WAIT_SVCS)
|
||||
|
||||
## verify-acl: ACL ↔ OpenZaak integration tests against the already-running stack.
|
||||
verify-acl:
|
||||
bash infra/run-acl-integration.sh
|
||||
|
||||
## verify-nrc: OpenZaak → NRC notification delivery against the already-running stack.
|
||||
verify-nrc:
|
||||
bash infra/run-notification-check.sh
|
||||
|
||||
## verify-projection: OpenZaak → NRC → Event Subscriber → projection-api end-to-end (S-06),
|
||||
## against the already-running stack.
|
||||
verify-projection:
|
||||
bash infra/run-projection-check.sh
|
||||
|
||||
## verify-domain: domain → Flowable → ACL → OpenZaak end-to-end (S-05), against the
|
||||
## already-running stack. Recreates the acl service to inject the seeded zaaktype URL.
|
||||
verify-domain:
|
||||
bash infra/run-domain-check.sh
|
||||
|
||||
## verify-bff: BFF end-to-end (S-07) against the up stack — token validation on self-service
|
||||
## + anonymous public-safe openbaar register (ADR-0010).
|
||||
verify-bff:
|
||||
bash infra/run-bff-check.sh
|
||||
|
||||
## verify-e2e: walking-skeleton Playwright e2e (S-08d) against the up stack — DigiD login →
|
||||
## submit → confirmation, driven inside the compose network.
|
||||
verify-e2e:
|
||||
bash infra/run-e2e-check.sh
|
||||
|
||||
## verify: local mirror of the CI verify-stack job — full stack up once, all checks,
|
||||
## tear down (always). For fast single-concern local iteration use `integration`
|
||||
## (oz-only) or `verify-notifications` (oz+nrc) instead.
|
||||
verify:
|
||||
$(SEED) oz nrc kc fl
|
||||
docker compose -f $(COMPOSE) up -d --build
|
||||
@bash -c 'set -e; rc=0; \
|
||||
WAIT_TIMEOUT=420 bash infra/wait-healthy.sh $(WAIT_SVCS) \
|
||||
&& bash infra/run-acl-integration.sh \
|
||||
&& bash infra/run-notification-check.sh \
|
||||
&& bash infra/run-projection-check.sh \
|
||||
&& bash infra/run-domain-check.sh \
|
||||
&& bash infra/run-bff-check.sh \
|
||||
&& bash infra/run-e2e-check.sh || rc=$$?; \
|
||||
docker compose -f $(COMPOSE) down --volumes >/dev/null 2>&1; \
|
||||
docker volume rm -f $(CFG_VOLS) >/dev/null 2>&1; \
|
||||
exit $$rc'
|
||||
|
||||
## integration: local convenience — ACL integration test against a throwaway
|
||||
## OpenZaak-only stack (fast iteration). CI uses verify-acl on the shared stack.
|
||||
integration:
|
||||
bash infra/run-integration.sh
|
||||
|
||||
## openzaak-up: start the OpenZaak stack (migrations run on first start)
|
||||
openzaak-up:
|
||||
$(SEED) oz
|
||||
docker compose -f $(OZ_COMPOSE) up -d
|
||||
|
||||
## openzaak-smoke: start OpenZaak, then assert it is up with auth enforced
|
||||
openzaak-smoke: openzaak-up
|
||||
@bash -c 'set -e; \
|
||||
echo "waiting for OpenZaak to respond..."; \
|
||||
for i in $$(seq 1 60); do \
|
||||
code=$$(curl -s -o /dev/null -w "%{http_code}" $(OZ_BASE)/zaken/api/v1/zaken || true); \
|
||||
[ -n "$$code" ] && [ "$$code" != "000" ] && break; sleep 3; \
|
||||
done; \
|
||||
echo "GET /zaken/api/v1/zaken (unauth) -> $$code (expect 403, auth enforced)"; test "$$code" = "403"; \
|
||||
admin=$$(curl -s -o /dev/null -w "%{http_code}" $(OZ_BASE)/admin/); \
|
||||
echo "GET /admin/ -> $$admin (expect 302)"; test "$$admin" = "302"; \
|
||||
root=$$(curl -s -o /dev/null -w "%{http_code}" $(OZ_BASE)/zaken/api/v1/); \
|
||||
echo "GET /zaken/api/v1/ -> $$root (expect 200)"; test "$$root" = "200"; \
|
||||
echo "OpenZaak smoke OK"'
|
||||
|
||||
## openzaak-seed: bring OpenZaak up and seed the BIG catalogus (idempotent)
|
||||
openzaak-seed: openzaak-up
|
||||
@bash -c 'for i in $$(seq 1 50); do \
|
||||
c=$$(curl -s -o /dev/null -w "%{http_code}" $(OZ_BASE)/catalogi/api/v1/ || true); \
|
||||
[ "$$c" = "200" ] && break; sleep 3; done; echo "OpenZaak ready ($$c)"'
|
||||
python3 infra/openzaak/seed_catalogus.py
|
||||
|
||||
## openzaak-down: stop and remove the OpenZaak stack (wipes data)
|
||||
openzaak-down:
|
||||
docker compose -f $(OZ_COMPOSE) down --volumes
|
||||
-docker volume rm -f rr-oz-config
|
||||
|
||||
## verify-notifications: local convenience — OpenZaak → NRC notification delivery
|
||||
## against a throwaway oz+nrc stack (S-01-c). CI uses verify-nrc on the shared stack.
|
||||
verify-notifications:
|
||||
bash infra/verify-notifications.sh
|
||||
|
||||
## stack-up: start OpenZaak + Open Notificaties together (shared network), with
|
||||
## OpenZaak publishing notifications to NRC (S-01-c).
|
||||
stack-up:
|
||||
$(SEED) oz nrc
|
||||
OZ_NOTIFICATIONS_DISABLED=false docker compose $(STACK_FILES) up -d
|
||||
|
||||
## stack-smoke: start both, assert OpenZaak (403/302/200) and NRC (302) are reachable
|
||||
stack-smoke: stack-up
|
||||
@bash -c 'set -e; \
|
||||
echo "waiting for OpenZaak + Open Notificaties..."; \
|
||||
for i in $$(seq 1 60); do \
|
||||
oz=$$(curl -s -o /dev/null -w "%{http_code}" $(OZ_BASE)/admin/ || true); \
|
||||
nrc=$$(curl -s -o /dev/null -w "%{http_code}" $(NRC_BASE)/admin/ || true); \
|
||||
[ "$$oz" = "302" ] && [ "$$nrc" = "302" ] && break; sleep 3; done; \
|
||||
z=$$(curl -s -o /dev/null -w "%{http_code}" $(OZ_BASE)/zaken/api/v1/zaken); \
|
||||
echo "OpenZaak /zaken (unauth) -> $$z (expect 403)"; test "$$z" = "403"; \
|
||||
echo "OpenZaak /admin/ -> $$oz (expect 302)"; test "$$oz" = "302"; \
|
||||
echo "Open Notificaties /admin/-> $$nrc (expect 302)"; test "$$nrc" = "302"; \
|
||||
echo "stack smoke OK"'
|
||||
|
||||
## stack-down: stop and remove both stacks (wipes data)
|
||||
stack-down:
|
||||
docker compose $(STACK_FILES) down --volumes
|
||||
-docker volume rm -f rr-oz-config rr-nrc-config
|
||||
|
||||
## keycloak-up: start Keycloak with the four imported realms
|
||||
keycloak-up:
|
||||
$(SEED) kc
|
||||
docker compose -f $(KC_COMPOSE) up -d
|
||||
|
||||
## keycloak-smoke: start Keycloak, then verify each realm logs in + returns its claim
|
||||
keycloak-smoke: keycloak-up
|
||||
@bash -c 'for i in $$(seq 1 60); do \
|
||||
c=$$(curl -s -o /dev/null -w "%{http_code}" $(KC_BASE)/realms/digid/.well-known/openid-configuration || true); \
|
||||
[ "$$c" = "200" ] && break; sleep 3; done; echo "Keycloak ready ($$c)"'
|
||||
python3 infra/keycloak/check_realms.py
|
||||
|
||||
## keycloak-down: stop and remove Keycloak
|
||||
keycloak-down:
|
||||
docker compose -f $(KC_COMPOSE) down --volumes
|
||||
-docker volume rm -f rr-kc-realms
|
||||
|
||||
## flowable-up: start Flowable (deploys registratie.bpmn on boot)
|
||||
flowable-up:
|
||||
$(SEED) fl
|
||||
docker compose -f $(FL_COMPOSE) up -d
|
||||
|
||||
## flowable-smoke: start Flowable, then verify a started instance waits on the external task
|
||||
flowable-smoke: flowable-up
|
||||
@bash -c 'for i in $$(seq 1 80); do \
|
||||
c=$$(curl -s -o /dev/null -w "%{http_code}" -u rest-admin:test $(FL_BASE)/repository/process-definitions?key=registratie || true); \
|
||||
[ "$$c" = "200" ] && break; sleep 3; done; echo "Flowable ready ($$c)"'
|
||||
python3 infra/flowable/verify.py
|
||||
|
||||
## flowable-down: stop and remove Flowable
|
||||
flowable-down:
|
||||
docker compose -f $(FL_COMPOSE) down --volumes
|
||||
-docker volume rm -f rr-fl-bpmn
|
||||
|
||||
## help: list available targets
|
||||
help:
|
||||
@grep -E '^## ' $(MAKEFILE_LIST) | sed 's/^## //'
|
||||
45
README.md
45
README.md
@@ -41,32 +41,31 @@ For the architecture rationale, see [docs/PRD.md §3](docs/PRD.md) and [docs/arc
|
||||
|
||||
**Prerequisites**
|
||||
|
||||
- .NET 10 SDK (for `make lint/build/unit`)
|
||||
- A container engine with Compose v2 — Docker, or rootless Podman (see [docs/runbooks/ci.md](docs/runbooks/ci.md) for the Podman + Compose-provider setup)
|
||||
- `make`, `curl`, `git`
|
||||
- ~4 GB free RAM, ~5 GB free disk (grows as services land)
|
||||
- Docker Engine (or Docker Desktop) with Compose v2
|
||||
- ~8 GB free RAM, ~10 GB free disk
|
||||
- Bash or PowerShell
|
||||
|
||||
**Clone**
|
||||
**Bring the stack up**
|
||||
|
||||
```bash
|
||||
git clone git@git.labs.respellion.tech:eho/register-referentie.git
|
||||
cd register-referentie
|
||||
git clone https://gitea.respellion.local/respellion/register-reference.git
|
||||
cd register-reference
|
||||
cp .env.example .env # edit if you change ports
|
||||
docker compose -f infra/docker-compose.yml up -d
|
||||
```
|
||||
|
||||
**Wired today (Iteration 0):** only the placeholder BFF exists so far. Get to green in under 10 minutes — run the full check gate, or just the running service:
|
||||
Health checks should be green within ~3 minutes on a developer machine. If something fails, see [docs/runbooks/local-startup.md](docs/runbooks/local-startup.md).
|
||||
|
||||
```bash
|
||||
make ci # lint + build + unit + container smoke — the CI gate
|
||||
```
|
||||
> **Wired today (Iteration 0):** only the placeholder BFF is in `infra/docker-compose.yml` so far. Bring it up and smoke-test its health endpoint:
|
||||
>
|
||||
> ```bash
|
||||
> docker compose -f infra/docker-compose.yml up -d --build --wait
|
||||
> curl http://localhost:8080/health # -> Healthy
|
||||
> ```
|
||||
>
|
||||
> `--wait` exits non-zero unless the container reports healthy, so this doubles as the compose-up smoke test. The remaining services and the URLs below land in later slices.
|
||||
|
||||
```bash
|
||||
docker compose -f infra/docker-compose.yml up -d --build --wait
|
||||
curl http://localhost:8080/health # -> Healthy
|
||||
```
|
||||
|
||||
`--wait` exits non-zero unless the container reports healthy, so it doubles as the compose-up smoke test. The remaining services and the URLs below land in later slices.
|
||||
|
||||
**Target service URLs** *(most land in later slices)*
|
||||
**Default URLs**
|
||||
|
||||
| Service | URL |
|
||||
|---|---|
|
||||
@@ -74,7 +73,7 @@ curl http://localhost:8080/health # -> Healthy
|
||||
| Openbaar register | http://localhost:4201 |
|
||||
| Behandel-portal | http://localhost:4202 |
|
||||
| Beheer-portal | http://localhost:4203 |
|
||||
| BFF | http://localhost:8080 |
|
||||
| BFF | http://localhost:5000 |
|
||||
| OpenZaak | http://localhost:8000 |
|
||||
| Open Notificaties | http://localhost:8001 |
|
||||
| Flowable | http://localhost:8080 |
|
||||
@@ -83,12 +82,10 @@ curl http://localhost:8080/health # -> Healthy
|
||||
|
||||
Test credentials, BSNs, and personas: see [docs/synthetic-data.md](docs/synthetic-data.md).
|
||||
|
||||
**Build the docs site**
|
||||
**Re-seed synthetic data**
|
||||
|
||||
```bash
|
||||
python3 -m venv .venv && .venv/bin/pip install mkdocs-material
|
||||
.venv/bin/mkdocs serve # live preview at http://localhost:8000
|
||||
.venv/bin/mkdocs build # static site in ./site
|
||||
./tools/seed.sh # or pwsh ./tools/seed.ps1
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
@@ -1,21 +0,0 @@
|
||||
# Multi-stage build for the openbaar portal (Angular → nginx).
|
||||
# Build context is the repo root (the app needs the pnpm workspace + libs). See infra/docker-compose.yml.
|
||||
FROM node:24-slim AS build
|
||||
WORKDIR /src
|
||||
RUN corepack enable && corepack prepare pnpm@11.5.2 --activate
|
||||
|
||||
# Restore first (cached unless the manifests change).
|
||||
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml nx.json tsconfig.base.json eslint.config.mjs ./
|
||||
RUN pnpm install --frozen-lockfile
|
||||
|
||||
# Sources (only what the app + its libs need).
|
||||
COPY apps/openbaar apps/openbaar
|
||||
COPY libs libs
|
||||
RUN pnpm nx build openbaar
|
||||
|
||||
FROM nginx:1.27-alpine AS runtime
|
||||
COPY apps/openbaar/nginx.conf /etc/nginx/conf.d/default.conf
|
||||
COPY --from=build /src/dist/apps/openbaar/browser /usr/share/nginx/html
|
||||
# No runtime config: the openbaar register is anonymous (no OIDC authority to inject).
|
||||
|
||||
EXPOSE 80
|
||||
@@ -1,34 +0,0 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
import baseConfig from '../../eslint.config.mjs';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/angular'],
|
||||
...nx.configs['flat/angular-template'],
|
||||
...baseConfig,
|
||||
{
|
||||
files: ['**/*.ts'],
|
||||
rules: {
|
||||
'@angular-eslint/directive-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'attribute',
|
||||
prefix: 'app',
|
||||
style: 'camelCase',
|
||||
},
|
||||
],
|
||||
'@angular-eslint/component-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'element',
|
||||
prefix: 'app',
|
||||
style: 'kebab-case',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: ['**/*.html'],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
@@ -1,23 +0,0 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
# Resolve the BFF via Docker's embedded DNS at request time (variable proxy_pass), so nginx starts
|
||||
# even before the BFF is up and picks up restarts — instead of failing to load the config.
|
||||
resolver 127.0.0.11 ipv6=off valid=30s;
|
||||
|
||||
# Same-origin API: proxy the anonymous openbaar endpoint group to the bff service. The api-client
|
||||
# uses relative URLs, so the browser calls this origin and nginx forwards to the BFF — no CORS.
|
||||
location /openbaar/ {
|
||||
set $bff http://bff:8080;
|
||||
proxy_pass $bff;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# SPA fallback — Angular client-side routing.
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
}
|
||||
@@ -1,80 +0,0 @@
|
||||
{
|
||||
"name": "openbaar",
|
||||
"$schema": "../../node_modules/nx/schemas/project-schema.json",
|
||||
"projectType": "application",
|
||||
"prefix": "app",
|
||||
"sourceRoot": "apps/openbaar/src",
|
||||
"tags": [],
|
||||
"targets": {
|
||||
"build": {
|
||||
"executor": "@angular/build:application",
|
||||
"outputs": ["{options.outputPath}"],
|
||||
"defaultConfiguration": "production",
|
||||
"options": {
|
||||
"outputPath": "dist/apps/openbaar",
|
||||
"browser": "apps/openbaar/src/main.ts",
|
||||
"tsConfig": "apps/openbaar/tsconfig.app.json",
|
||||
"assets": [
|
||||
{
|
||||
"glob": "**/*",
|
||||
"input": "apps/openbaar/public"
|
||||
}
|
||||
],
|
||||
"styles": ["apps/openbaar/src/styles.css"]
|
||||
},
|
||||
"configurations": {
|
||||
"production": {
|
||||
"budgets": [
|
||||
{
|
||||
"type": "initial",
|
||||
"maximumWarning": "1mb",
|
||||
"maximumError": "2mb"
|
||||
},
|
||||
{
|
||||
"type": "anyComponentStyle",
|
||||
"maximumWarning": "4kb",
|
||||
"maximumError": "8kb"
|
||||
}
|
||||
],
|
||||
"outputHashing": "all"
|
||||
},
|
||||
"development": {
|
||||
"optimization": false,
|
||||
"extractLicenses": false,
|
||||
"sourceMap": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"serve": {
|
||||
"continuous": true,
|
||||
"executor": "@angular/build:dev-server",
|
||||
"defaultConfiguration": "development",
|
||||
"configurations": {
|
||||
"production": {
|
||||
"buildTarget": "openbaar:build:production"
|
||||
},
|
||||
"development": {
|
||||
"buildTarget": "openbaar:build:development"
|
||||
}
|
||||
}
|
||||
},
|
||||
"lint": {
|
||||
"executor": "@nx/eslint:lint"
|
||||
},
|
||||
"test": {
|
||||
"executor": "@angular/build:unit-test",
|
||||
"options": {
|
||||
"watch": false
|
||||
}
|
||||
},
|
||||
"serve-static": {
|
||||
"continuous": true,
|
||||
"executor": "@nx/web:file-server",
|
||||
"options": {
|
||||
"buildTarget": "openbaar:build",
|
||||
"staticFilePath": "dist/apps/openbaar/browser",
|
||||
"spa": true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 15 KiB |
@@ -1,19 +0,0 @@
|
||||
import { provideHttpClient } from '@angular/common/http';
|
||||
import {
|
||||
ApplicationConfig,
|
||||
provideBrowserGlobalErrorListeners,
|
||||
} from '@angular/core';
|
||||
import { provideRouter } from '@angular/router';
|
||||
import { appRoutes } from './app.routes';
|
||||
|
||||
/**
|
||||
* The openbaar register is a public, anonymous read: no DigiD, no auth interceptor. The app is served
|
||||
* same-origin as the BFF (nginx proxies /openbaar), so the api-client's relative calls stay same-origin.
|
||||
*/
|
||||
export const appConfig: ApplicationConfig = {
|
||||
providers: [
|
||||
provideBrowserGlobalErrorListeners(),
|
||||
provideRouter(appRoutes),
|
||||
provideHttpClient(),
|
||||
],
|
||||
};
|
||||
@@ -1 +0,0 @@
|
||||
<router-outlet></router-outlet>
|
||||
@@ -1,4 +0,0 @@
|
||||
import { Route } from '@angular/router';
|
||||
import { RegisterPage } from './register/register-page';
|
||||
|
||||
export const appRoutes: Route[] = [{ path: '', component: RegisterPage }];
|
||||
@@ -1,14 +0,0 @@
|
||||
import { provideRouter } from '@angular/router';
|
||||
import { render } from '@testing-library/angular';
|
||||
import { App } from './app';
|
||||
|
||||
describe('App', () => {
|
||||
it('renders the router outlet shell', async () => {
|
||||
const { container } = await render(App, {
|
||||
providers: [provideRouter([])],
|
||||
});
|
||||
|
||||
// The shell is a thin host for routed pages (the RegisterPage owns the heading).
|
||||
expect(container.querySelector('router-outlet')).toBeTruthy();
|
||||
});
|
||||
});
|
||||
@@ -1,12 +0,0 @@
|
||||
import { Component } from '@angular/core';
|
||||
import { RouterModule } from '@angular/router';
|
||||
|
||||
@Component({
|
||||
imports: [RouterModule],
|
||||
selector: 'app-root',
|
||||
templateUrl: './app.html',
|
||||
styleUrl: './app.css',
|
||||
})
|
||||
export class App {
|
||||
protected title = 'openbaar';
|
||||
}
|
||||
@@ -1,54 +0,0 @@
|
||||
<main utrecht-document class="utrecht-theme">
|
||||
<utrecht-article>
|
||||
<utrecht-heading-1>Openbaar BIG-register</utrecht-heading-1>
|
||||
<p utrecht-paragraph>
|
||||
Zoek in het openbare register van BIG-registraties. Alleen publieke gegevens worden getoond.
|
||||
</p>
|
||||
|
||||
<div role="search">
|
||||
<label for="register-search" utrecht-form-label>Zoek op referentie</label>
|
||||
<input
|
||||
id="register-search"
|
||||
type="search"
|
||||
utrecht-textbox
|
||||
[ngModel]="query()"
|
||||
(ngModelChange)="query.set($event)"
|
||||
[ngModelOptions]="{ standalone: true }"
|
||||
(keyup.enter)="search()"
|
||||
/>
|
||||
<button
|
||||
utrecht-button
|
||||
appearance="primary-action-button"
|
||||
type="button"
|
||||
[disabled]="loading()"
|
||||
(click)="search()"
|
||||
>
|
||||
Zoeken
|
||||
</button>
|
||||
</div>
|
||||
|
||||
@if (loading()) {
|
||||
<p utrecht-paragraph role="status">Bezig met laden…</p>
|
||||
} @else if (searched() && entries().length === 0) {
|
||||
<p utrecht-paragraph role="status">Geen inschrijvingen gevonden.</p>
|
||||
} @else if (entries().length > 0) {
|
||||
<table utrecht-table>
|
||||
<caption>Inschrijvingen in het openbaar register</caption>
|
||||
<thead>
|
||||
<tr>
|
||||
<th scope="col">Referentie</th>
|
||||
<th scope="col">Status</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
@for (entry of entries(); track entry.id) {
|
||||
<tr>
|
||||
<td>{{ entry.reference }}</td>
|
||||
<td>{{ entry.status }}</td>
|
||||
</tr>
|
||||
}
|
||||
</tbody>
|
||||
</table>
|
||||
}
|
||||
</utrecht-article>
|
||||
</main>
|
||||
@@ -1,59 +0,0 @@
|
||||
import { fireEvent, render, screen } from '@testing-library/angular';
|
||||
import { of } from 'rxjs';
|
||||
import { BffApiV1Service, type OpenbaarEntry } from 'api-client';
|
||||
import { axe } from 'vitest-axe';
|
||||
import { RegisterPage } from './register-page';
|
||||
|
||||
const sample: OpenbaarEntry[] = [
|
||||
{ id: 'zaak-abc', status: 'INGEDIEND', reference: 'REG-abc' },
|
||||
{ id: 'zaak-def', status: 'INGESCHREVEN', reference: 'REG-def' },
|
||||
];
|
||||
|
||||
function providers(get = vi.fn().mockReturnValue(of(sample))) {
|
||||
return {
|
||||
get,
|
||||
providers: [{ provide: BffApiV1Service, useValue: { getOpenbaarRegister: get } }],
|
||||
};
|
||||
}
|
||||
|
||||
describe('RegisterPage', () => {
|
||||
it('lists the public register entries from the BFF on open', async () => {
|
||||
const { get } = providers();
|
||||
await render(RegisterPage, { providers: providers(get).providers });
|
||||
|
||||
expect(get).toHaveBeenCalled();
|
||||
// The Referentie column shows the citizen's reference (matches the submit confirmation, #78),
|
||||
// not the internal zaak id.
|
||||
expect(await screen.findByText(/REG-abc/)).toBeTruthy();
|
||||
expect(screen.getByText(/INGEDIEND/)).toBeTruthy();
|
||||
expect(screen.getByText(/REG-def/)).toBeTruthy();
|
||||
});
|
||||
|
||||
it('searches by the entered term', async () => {
|
||||
const get = vi.fn().mockReturnValue(of(sample));
|
||||
await render(RegisterPage, { providers: providers(get).providers });
|
||||
|
||||
fireEvent.input(screen.getByRole('searchbox'), { target: { value: 'zaak-abc' } });
|
||||
fireEvent.click(screen.getByRole('button', { name: /zoek/i }));
|
||||
|
||||
expect(get).toHaveBeenLastCalledWith({ q: 'zaak-abc' });
|
||||
});
|
||||
|
||||
it('shows an empty-state message when the register has no matches', async () => {
|
||||
const get = vi.fn().mockReturnValue(of([] as OpenbaarEntry[]));
|
||||
await render(RegisterPage, { providers: providers(get).providers });
|
||||
|
||||
expect(await screen.findByText(/geen inschrijvingen gevonden/i)).toBeTruthy();
|
||||
});
|
||||
|
||||
it('has no WCAG 2.1 AA violations', async () => {
|
||||
document.documentElement.lang = 'nl';
|
||||
const { container } = await render(RegisterPage, { providers: providers().providers });
|
||||
|
||||
const results = await axe(container, {
|
||||
runOnly: { type: 'tag', values: ['wcag2a', 'wcag2aa', 'wcag21a', 'wcag21aa'] },
|
||||
});
|
||||
|
||||
expect(results.violations).toEqual([]);
|
||||
});
|
||||
});
|
||||
@@ -1,45 +0,0 @@
|
||||
import { Component, inject, signal } from '@angular/core';
|
||||
import { FormsModule } from '@angular/forms';
|
||||
import { BffApiV1Service, type OpenbaarEntry } from 'api-client';
|
||||
import { UtrechtComponentsModule } from 'ui';
|
||||
|
||||
/**
|
||||
* The openbaar (public) BIG-register: an anonymous search over the read projection's public-safe
|
||||
* view (id + status only — bsn/naam never leave the BFF; ADR-0010). Loads the full register on open
|
||||
* and filters by the search term via the BFF's `/openbaar/register?q=` endpoint (S-09).
|
||||
*/
|
||||
@Component({
|
||||
selector: 'app-register-page',
|
||||
imports: [FormsModule, UtrechtComponentsModule],
|
||||
templateUrl: './register-page.html',
|
||||
})
|
||||
export class RegisterPage {
|
||||
private readonly bff = inject(BffApiV1Service);
|
||||
|
||||
protected readonly query = signal('');
|
||||
protected readonly entries = signal<OpenbaarEntry[]>([]);
|
||||
protected readonly loading = signal(false);
|
||||
protected readonly searched = signal(false);
|
||||
|
||||
constructor() {
|
||||
// Show the full register on open; the search box narrows it.
|
||||
this.search();
|
||||
}
|
||||
|
||||
search(): void {
|
||||
const q = this.query().trim();
|
||||
this.loading.set(true);
|
||||
this.bff.getOpenbaarRegister(q ? { q } : {}).subscribe({
|
||||
next: (rows: OpenbaarEntry[]) => {
|
||||
this.entries.set(rows);
|
||||
this.loading.set(false);
|
||||
this.searched.set(true);
|
||||
},
|
||||
error: () => {
|
||||
this.entries.set([]);
|
||||
this.loading.set(false);
|
||||
this.searched.set(true);
|
||||
},
|
||||
});
|
||||
}
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
<!doctype html>
|
||||
<html lang="nl">
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<title>Openbaar BIG-register</title>
|
||||
<base href="/" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<link rel="icon" type="image/x-icon" href="favicon.ico" />
|
||||
</head>
|
||||
<body>
|
||||
<app-root></app-root>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,6 +0,0 @@
|
||||
import { bootstrapApplication } from '@angular/platform-browser';
|
||||
import { App } from './app/app';
|
||||
import { appConfig } from './app/app.config';
|
||||
|
||||
// The openbaar register is anonymous (no DigiD, no runtime config) — bootstrap directly.
|
||||
bootstrapApplication(App, appConfig).catch((err) => console.error(err));
|
||||
@@ -1,2 +0,0 @@
|
||||
/* NL Design System theme — Utrecht design tokens (docs/frontend-decisions.md). */
|
||||
@import '@utrecht/design-tokens/dist/index.css';
|
||||
@@ -1,9 +0,0 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": []
|
||||
},
|
||||
"include": ["src/**/*.ts"],
|
||||
"exclude": ["src/**/*.spec.ts", "src/**/*.test.ts"]
|
||||
}
|
||||
@@ -1,31 +0,0 @@
|
||||
{
|
||||
"extends": "../../tsconfig.base.json",
|
||||
"compilerOptions": {
|
||||
"strict": true,
|
||||
"noImplicitOverride": true,
|
||||
"noPropertyAccessFromIndexSignature": true,
|
||||
"noImplicitReturns": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"isolatedModules": true,
|
||||
"target": "es2022",
|
||||
"moduleResolution": "bundler",
|
||||
"emitDecoratorMetadata": false,
|
||||
"module": "preserve"
|
||||
},
|
||||
"angularCompilerOptions": {
|
||||
"enableI18nLegacyMessageIdFormat": false,
|
||||
"strictInjectionParameters": true,
|
||||
"strictInputAccessModifiers": true,
|
||||
"strictTemplates": true
|
||||
},
|
||||
"files": [],
|
||||
"include": [],
|
||||
"references": [
|
||||
{
|
||||
"path": "./tsconfig.app.json"
|
||||
},
|
||||
{
|
||||
"path": "./tsconfig.spec.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": ["vitest/globals"]
|
||||
},
|
||||
"include": ["src/**/*.ts", "src/**/*.d.ts"]
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
# Multi-stage build for the self-service portal (Angular → nginx).
|
||||
# Build context is the repo root (the app needs the pnpm workspace + libs). See infra/docker-compose.yml.
|
||||
FROM node:24-slim AS build
|
||||
WORKDIR /src
|
||||
RUN corepack enable && corepack prepare pnpm@11.5.2 --activate
|
||||
|
||||
# Restore first (cached unless the manifests change).
|
||||
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml nx.json tsconfig.base.json eslint.config.mjs ./
|
||||
RUN pnpm install --frozen-lockfile
|
||||
|
||||
# Sources (only what the app + its libs need).
|
||||
COPY apps/self-service apps/self-service
|
||||
COPY libs libs
|
||||
RUN pnpm nx build self-service
|
||||
|
||||
FROM nginx:1.27-alpine AS runtime
|
||||
COPY apps/self-service/nginx.conf /etc/nginx/conf.d/default.conf
|
||||
COPY --from=build /src/dist/apps/self-service/browser /usr/share/nginx/html
|
||||
# Compose-time OIDC config: the browser (Playwright, on the compose network) reaches Keycloak by
|
||||
# service name, so the token issuer matches the BFF's authority (host-consistent, ADR-0010).
|
||||
RUN printf '{ "authority": "http://keycloak:8080/realms/digid" }\n' > /usr/share/nginx/html/config.json
|
||||
|
||||
EXPOSE 80
|
||||
@@ -1,34 +0,0 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
import baseConfig from '../../eslint.config.mjs';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/angular'],
|
||||
...nx.configs['flat/angular-template'],
|
||||
...baseConfig,
|
||||
{
|
||||
files: ['**/*.ts'],
|
||||
rules: {
|
||||
'@angular-eslint/directive-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'attribute',
|
||||
prefix: 'app',
|
||||
style: 'camelCase',
|
||||
},
|
||||
],
|
||||
'@angular-eslint/component-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'element',
|
||||
prefix: 'app',
|
||||
style: 'kebab-case',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: ['**/*.html'],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
@@ -1,29 +0,0 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name _;
|
||||
root /usr/share/nginx/html;
|
||||
index index.html;
|
||||
|
||||
# Resolve the BFF via Docker's embedded DNS at request time (variable proxy_pass), so nginx starts
|
||||
# even before the BFF is up and picks up restarts — instead of failing to load the config.
|
||||
resolver 127.0.0.11 ipv6=off valid=30s;
|
||||
|
||||
# Same-origin API: proxy the BFF endpoint groups to the bff service. The api-client uses relative
|
||||
# URLs, so the browser calls this origin and nginx forwards to the BFF — no CORS, and the DigiD
|
||||
# token (same-origin) is attached by the app's interceptor (S-08d/ADR-0010).
|
||||
location /self-service/ {
|
||||
set $bff http://bff:8080;
|
||||
proxy_pass $bff;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
location /openbaar/ {
|
||||
set $bff http://bff:8080;
|
||||
proxy_pass $bff;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# SPA fallback — Angular client-side routing.
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
}
|
||||
}
|
||||
@@ -1,80 +0,0 @@
|
||||
{
|
||||
"name": "self-service",
|
||||
"$schema": "../../node_modules/nx/schemas/project-schema.json",
|
||||
"projectType": "application",
|
||||
"prefix": "app",
|
||||
"sourceRoot": "apps/self-service/src",
|
||||
"tags": [],
|
||||
"targets": {
|
||||
"build": {
|
||||
"executor": "@angular/build:application",
|
||||
"outputs": ["{options.outputPath}"],
|
||||
"defaultConfiguration": "production",
|
||||
"options": {
|
||||
"outputPath": "dist/apps/self-service",
|
||||
"browser": "apps/self-service/src/main.ts",
|
||||
"tsConfig": "apps/self-service/tsconfig.app.json",
|
||||
"assets": [
|
||||
{
|
||||
"glob": "**/*",
|
||||
"input": "apps/self-service/public"
|
||||
}
|
||||
],
|
||||
"styles": ["apps/self-service/src/styles.css"]
|
||||
},
|
||||
"configurations": {
|
||||
"production": {
|
||||
"budgets": [
|
||||
{
|
||||
"type": "initial",
|
||||
"maximumWarning": "1mb",
|
||||
"maximumError": "2mb"
|
||||
},
|
||||
{
|
||||
"type": "anyComponentStyle",
|
||||
"maximumWarning": "4kb",
|
||||
"maximumError": "8kb"
|
||||
}
|
||||
],
|
||||
"outputHashing": "all"
|
||||
},
|
||||
"development": {
|
||||
"optimization": false,
|
||||
"extractLicenses": false,
|
||||
"sourceMap": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"serve": {
|
||||
"continuous": true,
|
||||
"executor": "@angular/build:dev-server",
|
||||
"defaultConfiguration": "development",
|
||||
"configurations": {
|
||||
"production": {
|
||||
"buildTarget": "self-service:build:production"
|
||||
},
|
||||
"development": {
|
||||
"buildTarget": "self-service:build:development"
|
||||
}
|
||||
}
|
||||
},
|
||||
"lint": {
|
||||
"executor": "@nx/eslint:lint"
|
||||
},
|
||||
"test": {
|
||||
"executor": "@angular/build:unit-test",
|
||||
"options": {
|
||||
"watch": false
|
||||
}
|
||||
},
|
||||
"serve-static": {
|
||||
"continuous": true,
|
||||
"executor": "@nx/web:file-server",
|
||||
"options": {
|
||||
"buildTarget": "self-service:build",
|
||||
"staticFilePath": "dist/apps/self-service/browser",
|
||||
"spa": true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
{
|
||||
"authority": "http://localhost:8180/realms/digid"
|
||||
}
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 15 KiB |
@@ -1,65 +0,0 @@
|
||||
import { provideHttpClient, withInterceptors } from '@angular/common/http';
|
||||
import { HttpTestingController, provideHttpClientTesting } from '@angular/common/http/testing';
|
||||
import { TestBed } from '@angular/core/testing';
|
||||
import { BffApiV1Service } from 'api-client';
|
||||
import { authInterceptor } from 'auth';
|
||||
import { AbstractSecurityStorage, ConfigurationService } from 'angular-auth-oidc-client';
|
||||
import { SECURE_API_ROUTES } from './app.config';
|
||||
|
||||
// Guards the DigiD token wiring end-to-end. The api-client calls the BFF with RELATIVE URLs, and the
|
||||
// angular-auth-oidc-client interceptor attaches the token only when `req.url` starts with a configured
|
||||
// secureRoute. A regression to an absolute origin (as once shipped) makes the relative URL never match,
|
||||
// so the submit goes out unauthenticated and fails silently. This drives the REAL interceptor and the
|
||||
// REAL api-client against the REAL production route value (SECURE_API_ROUTES); only the config source
|
||||
// and the token storage are faked, so the assertion turns on the actual route-matching.
|
||||
describe('self-service DigiD token wiring', () => {
|
||||
let http: HttpTestingController;
|
||||
let bff: BffApiV1Service;
|
||||
const token = 'digid-access-token';
|
||||
|
||||
beforeEach(() => {
|
||||
TestBed.configureTestingModule({
|
||||
providers: [
|
||||
provideHttpClient(withInterceptors([authInterceptor()])),
|
||||
provideHttpClientTesting(),
|
||||
{
|
||||
provide: ConfigurationService,
|
||||
useValue: {
|
||||
hasAtLeastOneConfig: () => true,
|
||||
getAllConfigurations: () => [{ configId: 'digid', secureRoutes: SECURE_API_ROUTES }],
|
||||
},
|
||||
},
|
||||
{
|
||||
// A signed-in session: the storage the interceptor's token lookup reads from.
|
||||
provide: AbstractSecurityStorage,
|
||||
useValue: {
|
||||
read: () => JSON.stringify({ authzData: token, authnResult: { id_token: 'id-token' } }),
|
||||
write: () => undefined,
|
||||
remove: () => undefined,
|
||||
clear: () => undefined,
|
||||
},
|
||||
},
|
||||
],
|
||||
});
|
||||
http = TestBed.inject(HttpTestingController);
|
||||
bff = TestBed.inject(BffApiV1Service);
|
||||
});
|
||||
|
||||
afterEach(() => http.verify());
|
||||
|
||||
it('attaches the bearer token to the relative self-service BFF call', () => {
|
||||
bff.postSelfServiceRegistrations().subscribe();
|
||||
|
||||
const req = http.expectOne('/self-service/registrations');
|
||||
expect(req.request.headers.get('Authorization')).toBe(`Bearer ${token}`);
|
||||
req.flush({ registrationId: 'reg-1', status: 'Ingediend' });
|
||||
});
|
||||
|
||||
it('leaves the anonymous openbaar register call unauthenticated', () => {
|
||||
bff.getOpenbaarRegister().subscribe();
|
||||
|
||||
const req = http.expectOne((r) => r.url === '/openbaar/register');
|
||||
expect(req.request.headers.has('Authorization')).toBe(false);
|
||||
req.flush([]);
|
||||
});
|
||||
});
|
||||
@@ -1,42 +0,0 @@
|
||||
import { provideHttpClient, withInterceptors } from '@angular/common/http';
|
||||
import {
|
||||
ApplicationConfig,
|
||||
provideBrowserGlobalErrorListeners,
|
||||
} from '@angular/core';
|
||||
import { provideRouter } from '@angular/router';
|
||||
import { authInterceptor, provideDigiadAuth } from 'auth';
|
||||
import { appRoutes } from './app.routes';
|
||||
|
||||
/** Environment-specific settings fetched from /config.json at startup (see main.ts). */
|
||||
export interface RuntimeConfig {
|
||||
/** The Keycloak `digid` realm issuer as the browser reaches it (dev: localhost; compose: keycloak:8080). */
|
||||
authority: string;
|
||||
}
|
||||
|
||||
/**
|
||||
* Route prefixes whose requests carry the DigiD token. These MUST match the **relative** URLs the
|
||||
* api-client actually calls (same-origin via the nginx proxy) — the interceptor matches on `req.url`,
|
||||
* which stays relative, so an absolute origin would never match and the token would go unattached.
|
||||
* `/openbaar/` is deliberately excluded: it is the anonymous public register.
|
||||
*/
|
||||
export const SECURE_API_ROUTES = ['/self-service/'];
|
||||
|
||||
/**
|
||||
* Build the app providers from runtime config. `redirectUrl` is the app's own origin (where Keycloak
|
||||
* redirects back). `secureRoutes` uses {@link SECURE_API_ROUTES} — relative prefixes, not the origin.
|
||||
*/
|
||||
export function appConfig(runtime: RuntimeConfig): ApplicationConfig {
|
||||
const origin = typeof window !== 'undefined' ? window.location.origin : '/';
|
||||
return {
|
||||
providers: [
|
||||
provideBrowserGlobalErrorListeners(),
|
||||
provideRouter(appRoutes),
|
||||
provideHttpClient(withInterceptors([authInterceptor()])),
|
||||
provideDigiadAuth({
|
||||
authority: runtime.authority,
|
||||
redirectUrl: origin,
|
||||
secureRoutes: SECURE_API_ROUTES,
|
||||
}),
|
||||
],
|
||||
};
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
<router-outlet></router-outlet>
|
||||
@@ -1,7 +0,0 @@
|
||||
import { Route } from '@angular/router';
|
||||
import { authenticatedGuard } from 'auth';
|
||||
import { RegistrationPage } from './registration/registration-page';
|
||||
|
||||
export const appRoutes: Route[] = [
|
||||
{ path: '', component: RegistrationPage, canActivate: [authenticatedGuard] },
|
||||
];
|
||||
@@ -1,15 +0,0 @@
|
||||
import { provideRouter } from '@angular/router';
|
||||
import { render, screen } from '@testing-library/angular';
|
||||
import { App } from './app';
|
||||
|
||||
describe('App', () => {
|
||||
it('renders the router outlet shell', async () => {
|
||||
const { container } = await render(App, {
|
||||
providers: [provideRouter([])],
|
||||
});
|
||||
|
||||
// The shell is a thin host for routed pages (the RegistrationPage owns the heading).
|
||||
expect(container.querySelector('router-outlet')).toBeTruthy();
|
||||
expect(screen).toBeTruthy();
|
||||
});
|
||||
});
|
||||
@@ -1,12 +0,0 @@
|
||||
import { Component } from '@angular/core';
|
||||
import { RouterModule } from '@angular/router';
|
||||
|
||||
@Component({
|
||||
imports: [RouterModule],
|
||||
selector: 'app-root',
|
||||
templateUrl: './app.html',
|
||||
styleUrl: './app.css',
|
||||
})
|
||||
export class App {
|
||||
protected title = 'self-service';
|
||||
}
|
||||
@@ -1,27 +0,0 @@
|
||||
<main utrecht-document class="utrecht-theme">
|
||||
<utrecht-article>
|
||||
<utrecht-heading-1>Zelfservice — BIG-registratie</utrecht-heading-1>
|
||||
|
||||
@if (submitted()) {
|
||||
<p utrecht-paragraph role="status">
|
||||
Uw registratie is ontvangen. Referentie: {{ reference() }}.
|
||||
</p>
|
||||
} @else {
|
||||
<p utrecht-paragraph>U bent ingelogd met BSN {{ bsn() }}.</p>
|
||||
@if (failed()) {
|
||||
<p utrecht-paragraph role="alert">
|
||||
Er ging iets mis bij het indienen van uw registratie. Probeer het opnieuw.
|
||||
</p>
|
||||
}
|
||||
<button
|
||||
utrecht-button
|
||||
appearance="primary-action-button"
|
||||
type="button"
|
||||
[disabled]="submitting()"
|
||||
(click)="submit()"
|
||||
>
|
||||
Registratie indienen
|
||||
</button>
|
||||
}
|
||||
</utrecht-article>
|
||||
</main>
|
||||
@@ -1,71 +0,0 @@
|
||||
import { signal } from '@angular/core';
|
||||
import { fireEvent, render, screen } from '@testing-library/angular';
|
||||
import { of, throwError } from 'rxjs';
|
||||
import { AuthService } from 'auth';
|
||||
import { BffApiV1Service } from 'api-client';
|
||||
import { axe } from 'vitest-axe';
|
||||
import { RegistrationPage } from './registration-page';
|
||||
|
||||
class FakeAuth extends AuthService {
|
||||
readonly isAuthenticated = signal(true);
|
||||
readonly bsn = signal<string | undefined>('123456782');
|
||||
login(): void {
|
||||
/* noop */
|
||||
}
|
||||
logout(): void {
|
||||
/* noop */
|
||||
}
|
||||
}
|
||||
|
||||
function providers(post = vi.fn().mockReturnValue(of({ registrationId: 'reg-9', status: 'Ingediend' }))) {
|
||||
return {
|
||||
post,
|
||||
providers: [
|
||||
{ provide: AuthService, useClass: FakeAuth },
|
||||
{ provide: BffApiV1Service, useValue: { postSelfServiceRegistrations: post } },
|
||||
],
|
||||
};
|
||||
}
|
||||
|
||||
describe('RegistrationPage', () => {
|
||||
it('shows the signed-in BSN', async () => {
|
||||
await render(RegistrationPage, { providers: providers().providers });
|
||||
expect(screen.getByText(/123456782/)).toBeTruthy();
|
||||
});
|
||||
|
||||
it('submits the registration and confirms', async () => {
|
||||
const { post, providers: p } = providers();
|
||||
await render(RegistrationPage, { providers: p });
|
||||
|
||||
fireEvent.click(screen.getByRole('button', { name: /indienen/i }));
|
||||
|
||||
expect(post).toHaveBeenCalledTimes(1);
|
||||
expect(await screen.findByText(/ontvangen/i)).toBeTruthy();
|
||||
});
|
||||
|
||||
it('shows an error and keeps the submit available when the BFF call fails', async () => {
|
||||
const { post, providers: p } = providers(vi.fn().mockReturnValue(throwError(() => new Error('BFF rejected'))));
|
||||
await render(RegistrationPage, { providers: p });
|
||||
|
||||
fireEvent.click(screen.getByRole('button', { name: /indienen/i }));
|
||||
|
||||
expect(post).toHaveBeenCalledTimes(1);
|
||||
// The failure is surfaced (not swallowed), the confirmation is not shown, and the user can retry.
|
||||
expect(await screen.findByRole('alert')).toBeTruthy();
|
||||
expect(screen.queryByText(/ontvangen/i)).toBeNull();
|
||||
expect(screen.getByRole('button', { name: /indienen/i })).toBeTruthy();
|
||||
});
|
||||
|
||||
it('has no WCAG 2.1 AA violations on the submit page', async () => {
|
||||
// The portal is Dutch; the real index.html sets lang. Set it here so the document-level
|
||||
// html-has-lang rule reflects the app, not the bare jsdom document.
|
||||
document.documentElement.lang = 'nl';
|
||||
const { container } = await render(RegistrationPage, { providers: providers().providers });
|
||||
|
||||
const results = await axe(container, {
|
||||
runOnly: { type: 'tag', values: ['wcag2a', 'wcag2aa', 'wcag21a', 'wcag21aa'] },
|
||||
});
|
||||
|
||||
expect(results.violations).toEqual([]);
|
||||
});
|
||||
});
|
||||
@@ -1,42 +0,0 @@
|
||||
import { Component, inject, signal } from '@angular/core';
|
||||
import { BffApiV1Service, type SubmitAccepted } from 'api-client';
|
||||
import { AuthService } from 'auth';
|
||||
import { UtrechtComponentsModule } from 'ui';
|
||||
|
||||
/**
|
||||
* The self-service submit page: a signed-in zorgprofessional confirms and submits their BIG
|
||||
* registration. The bsn comes from the DigiD token (not a form field), so this is a confirm-and-
|
||||
* submit flow that posts to the BFF and shows the returned reference (ADR-0010; S-08c).
|
||||
*/
|
||||
@Component({
|
||||
selector: 'app-registration-page',
|
||||
imports: [UtrechtComponentsModule],
|
||||
templateUrl: './registration-page.html',
|
||||
})
|
||||
export class RegistrationPage {
|
||||
private readonly auth = inject(AuthService);
|
||||
private readonly bff = inject(BffApiV1Service);
|
||||
|
||||
protected readonly bsn = this.auth.bsn;
|
||||
protected readonly submitting = signal(false);
|
||||
protected readonly reference = signal<string | undefined>(undefined);
|
||||
protected readonly submitted = signal(false);
|
||||
protected readonly failed = signal(false);
|
||||
|
||||
submit(): void {
|
||||
this.submitting.set(true);
|
||||
this.failed.set(false);
|
||||
this.bff.postSelfServiceRegistrations().subscribe({
|
||||
next: (accepted: SubmitAccepted) => {
|
||||
this.reference.set(accepted.registrationId);
|
||||
this.submitted.set(true);
|
||||
this.submitting.set(false);
|
||||
},
|
||||
// Surface the failure instead of swallowing it: re-enable the button so the user can retry.
|
||||
error: () => {
|
||||
this.failed.set(true);
|
||||
this.submitting.set(false);
|
||||
},
|
||||
});
|
||||
}
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
<!doctype html>
|
||||
<html lang="nl">
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<title>self-service</title>
|
||||
<base href="/" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<link rel="icon" type="image/x-icon" href="favicon.ico" />
|
||||
</head>
|
||||
<body>
|
||||
<app-root></app-root>
|
||||
</body>
|
||||
</html>
|
||||
@@ -1,10 +0,0 @@
|
||||
import { bootstrapApplication } from '@angular/platform-browser';
|
||||
import { App } from './app/app';
|
||||
import { appConfig, type RuntimeConfig } from './app/app.config';
|
||||
|
||||
// Load environment config before bootstrap so the OIDC authority is set per environment
|
||||
// (dev: localhost; compose: keycloak:8080) from a single build — 12-factor (S-08d).
|
||||
fetch('config.json')
|
||||
.then((response) => response.json() as Promise<RuntimeConfig>)
|
||||
.then((config) => bootstrapApplication(App, appConfig(config)))
|
||||
.catch((err) => console.error(err));
|
||||
@@ -1,2 +0,0 @@
|
||||
/* NL Design System theme — Utrecht design tokens (docs/frontend-decisions.md). */
|
||||
@import '@utrecht/design-tokens/dist/index.css';
|
||||
@@ -1,9 +0,0 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": []
|
||||
},
|
||||
"include": ["src/**/*.ts"],
|
||||
"exclude": ["src/**/*.spec.ts", "src/**/*.test.ts"]
|
||||
}
|
||||
@@ -1,31 +0,0 @@
|
||||
{
|
||||
"extends": "../../tsconfig.base.json",
|
||||
"compilerOptions": {
|
||||
"strict": true,
|
||||
"noImplicitOverride": true,
|
||||
"noPropertyAccessFromIndexSignature": true,
|
||||
"noImplicitReturns": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"isolatedModules": true,
|
||||
"target": "es2022",
|
||||
"moduleResolution": "bundler",
|
||||
"emitDecoratorMetadata": false,
|
||||
"module": "preserve"
|
||||
},
|
||||
"angularCompilerOptions": {
|
||||
"enableI18nLegacyMessageIdFormat": false,
|
||||
"strictInjectionParameters": true,
|
||||
"strictInputAccessModifiers": true,
|
||||
"strictTemplates": true
|
||||
},
|
||||
"files": [],
|
||||
"include": [],
|
||||
"references": [
|
||||
{
|
||||
"path": "./tsconfig.app.json"
|
||||
},
|
||||
{
|
||||
"path": "./tsconfig.spec.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,8 +0,0 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": ["vitest/globals"]
|
||||
},
|
||||
"include": ["src/**/*.ts", "src/**/*.d.ts"]
|
||||
}
|
||||
45
cliff.toml
45
cliff.toml
@@ -1,45 +0,0 @@
|
||||
# git-cliff configuration — generates CHANGELOG.md from Conventional Commits.
|
||||
# Run via `make changelog`. See https://git-cliff.org.
|
||||
|
||||
[changelog]
|
||||
header = """
|
||||
# Changelog
|
||||
|
||||
All notable changes to this project. Generated from Conventional Commits by git-cliff.\n
|
||||
"""
|
||||
body = """
|
||||
{% if version %}\
|
||||
## {{ version }} — {{ timestamp | date(format="%Y-%m-%d") }}
|
||||
{% else %}\
|
||||
## Unreleased
|
||||
{% endif %}\
|
||||
{% for group, commits in commits | group_by(attribute="group") %}
|
||||
### {{ group | upper_first }}
|
||||
{% for commit in commits %}\
|
||||
- {{ commit.message | upper_first }}{% if commit.breaking %} **[BREAKING]**{% endif %}
|
||||
{% endfor %}\
|
||||
{% endfor %}\n
|
||||
"""
|
||||
trim = true
|
||||
|
||||
[git]
|
||||
conventional_commits = true
|
||||
filter_unconventional = true
|
||||
split_commits = false
|
||||
protect_breaking_commits = true
|
||||
tag_pattern = "v[0-9]*"
|
||||
# CalVer tags: YYYY.MM.PATCH
|
||||
filter_commits = false
|
||||
commit_parsers = [
|
||||
{ message = "^feat", group = "Features" },
|
||||
{ message = "^fix", group = "Bug Fixes" },
|
||||
{ message = "^perf", group = "Performance" },
|
||||
{ message = "^refactor", group = "Refactor" },
|
||||
{ message = "^docs", group = "Documentation" },
|
||||
{ message = "^test", group = "Tests" },
|
||||
{ message = "^ci", group = "CI" },
|
||||
{ message = "^build", group = "Build" },
|
||||
{ message = "^arch", group = "Architecture" },
|
||||
{ message = "^chore", group = "Chores" },
|
||||
{ message = ".*", group = "Other" },
|
||||
]
|
||||
@@ -1,58 +0,0 @@
|
||||
# ADR-0001: Loose coupling to upstream Common Ground modules
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-03
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Template note:** This is the first ADR and doubles as the worked example of
|
||||
the Nygard template. Copy its shape for new ADRs (`adr-NNNN-title.md`).
|
||||
|
||||
## Context
|
||||
|
||||
This reference application orchestrates several upstream Common Ground modules —
|
||||
OpenZaak (ZGW APIs), Open Notificaties (NRC), Objecten/Objecttypen, Flowable,
|
||||
Keycloak. Each is an independently developed, independently deployed peer. The
|
||||
temptation in a demo is to reach straight into a peer's database or couple to its
|
||||
internal schema to move faster. That coupling is exactly what makes Common Ground
|
||||
landscapes brittle and un-upgradeable in practice.
|
||||
|
||||
We need a stance, recorded up front, on how our services may talk to these peers.
|
||||
|
||||
## Decision
|
||||
|
||||
**We integrate with upstream modules only through their documented public APIs, and
|
||||
we isolate that integration behind explicit anti-corruption boundaries.**
|
||||
|
||||
Concretely (mirrors CLAUDE.md §8):
|
||||
|
||||
1. The **ACL** is the only code that talks to ZGW APIs; no other service constructs
|
||||
ZGW URLs.
|
||||
2. The **Workflow Client** is the only code that talks to Flowable; BPMN models hold
|
||||
no OpenZaak knowledge.
|
||||
3. **Portals talk only to the BFF** — never directly to a backend or a peer module.
|
||||
4. **No direct database access across services or to any peer.** Each service owns
|
||||
its schema; the Read Projection is a rebuildable derived artefact.
|
||||
5. **Idempotency at every event boundary** (the Event Subscriber tolerates duplicate
|
||||
and out-of-order NRC events).
|
||||
|
||||
Bending any of these is an ADR-worthy moment (CLAUDE.md §14): stop and open an
|
||||
`adr-proposal` issue first.
|
||||
|
||||
## Consequences
|
||||
|
||||
**Positive**
|
||||
|
||||
- Upstream modules can be upgraded or swapped behind their APIs without rippling
|
||||
through our services.
|
||||
- Coupling is visible and minimal — anti-corruption code lives in one named place.
|
||||
- The architecture teaches the Common Ground pattern by enforcing it.
|
||||
|
||||
**Negative / costs**
|
||||
|
||||
- More indirection: a translation layer (ACL, Workflow Client) instead of direct
|
||||
calls. Accepted — it's the point.
|
||||
- Eventual consistency across aggregates must be designed for, not assumed away.
|
||||
|
||||
**Follow-up**
|
||||
|
||||
- Each integration slice that touches a boundary references this ADR; new boundary
|
||||
decisions get their own ADR.
|
||||
@@ -1,53 +0,0 @@
|
||||
# ADR-0002: BIG catalogus design and OpenZaak seeding
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-03
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-01 (#2)
|
||||
|
||||
## Context
|
||||
|
||||
S-01 needs a reproducible `BIG` catalogus in OpenZaak with a **lean** `BIG-registratie`
|
||||
zaaktype (only schema-mandatory fields) plus a `bsn` eigenschap, and a JWT client that
|
||||
can list zaaktypen. We had to decide *how* to provision this idempotently at startup.
|
||||
|
||||
Findings from the OpenZaak image (`openzaak/open-zaak:latest`):
|
||||
- `setup_configuration` (run by the init container) is declarative and idempotent, with
|
||||
steps for **JWT secrets** and **applicaties** (`vng_api_common_credentials`,
|
||||
`vng_api_common_applicaties`) — but **no step for catalogi/zaaktypen**.
|
||||
- Catalogus/zaaktype/eigenschap can only be created through the **ZTC REST API**.
|
||||
- Publishing a zaaktype requires ≥1 roltype, ≥1 resultaattype and ≥2 statustypen.
|
||||
|
||||
## Decision
|
||||
|
||||
1. **Provision the JWT client declaratively** via `infra/openzaak/setup_configuration/data.yaml`:
|
||||
a `JWTSecret` (`big-reference-seed` / dev secret) and an `Applicatie` with
|
||||
`heeft_alle_autorisaties: true`. Idempotent, runs in the init container.
|
||||
2. **Seed the catalogus/zaaktype/eigenschap via the ZTC API** with an idempotent,
|
||||
stdlib-only script (`infra/openzaak/seed_catalogus.py`, `make openzaak-seed`). It mints
|
||||
a ZGW JWT from the provisioned client and matches existing objects (by `domein` /
|
||||
`identificatie` / `naam`, querying `status=alles` so concepts are seen) before creating.
|
||||
3. **Keep the zaaktype a CONCEPT (not published).** Publishing pulls in roltypen,
|
||||
statustypen and resultaattypen, which go beyond "schema-mandatory"; those arrive with
|
||||
the workflow/zaak slices that actually need a published type. Listing uses `status=alles`.
|
||||
4. **Disable outbound notifications** (`NOTIFICATIONS_DISABLED=true`) until Open Notificaties
|
||||
(NRC) lands in S-01-c — otherwise every ZTC write 500s trying to notify.
|
||||
5. **Fixed dev values:** RSIN `517439943` (elfproef-valid test value); the JWT secret is
|
||||
dev-only and documented as such.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Reproducible & version-robust:** the API-driven seed doesn't depend on fixture PKs or
|
||||
a catalogi `setup_configuration` step that may change between versions.
|
||||
- **Teaches the pattern:** the seed talks to OpenZaak exactly the way the ACL will later —
|
||||
through the documented ZGW API, with a JWT (ADR-0001).
|
||||
- The seed is a script, but a **data loader is explicitly anticipated** (PRD §8); it lives
|
||||
under `infra/openzaak/`, not as ad-hoc tooling.
|
||||
- **Follow-ups:** re-enable notifications when NRC is up (S-01-c); publish the zaaktype (add
|
||||
the related types) when a slice needs to create real zaken; pin the OpenZaak image tag.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Fully declarative in `data.yaml`** — rejected: no catalogi/zaaktype step exists.
|
||||
- **Django `loaddata` fixture** — rejected: brittle, tied to model PKs and the exact image
|
||||
version; bypasses the API the rest of the system uses.
|
||||
@@ -1,44 +0,0 @@
|
||||
# ADR-0003: ACL default-fill strategy
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-04
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-04 (#5); builds on ADR-0001 (loose coupling)
|
||||
|
||||
## Context
|
||||
|
||||
The ACL is the only code that talks to ZGW APIs (ADR-0001 / CLAUDE.md §8.1). When the
|
||||
domain asks it to "open a zaak", the domain payload is intentionally free of ZGW
|
||||
specifics — it carries domain facts (e.g. the registrant's BSN), not OpenZaak fields. But
|
||||
OpenZaak's `POST /zaken` requires ZGW-mandatory fields: `bronorganisatie`,
|
||||
`verantwoordelijkeOrganisatie`, `startdatum`, `vertrouwelijkheidaanduiding`, and a
|
||||
`zaaktype` URL. Something has to supply those, and it must not leak into the domain.
|
||||
|
||||
## Decision
|
||||
|
||||
**The ACL default-fills the ZGW-mandatory zaak fields; the domain never sees them.**
|
||||
|
||||
- `bronorganisatie`, `verantwoordelijkeOrganisatie`, `vertrouwelijkheidaanduiding`, and the
|
||||
`zaaktype` URL come from **ACL configuration** (`AclDefaults` options) — not hardcoded,
|
||||
not from the domain. This keeps them operationally manageable (the beheer portal will
|
||||
edit them in S-15) and environment-specific (the seeded BIG zaaktype URL differs per env).
|
||||
- `startdatum` is derived from an injected **clock** (today's date), so it is
|
||||
deterministic in tests.
|
||||
- The mapping from domain payload → ZGW `ZaakRequest` lives entirely inside the ACL
|
||||
(`Application` builds the request from payload + defaults; `Infrastructure` serialises and
|
||||
POSTs it). No other service constructs ZGW payloads or URLs.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** the domain stays ZGW-agnostic; ZGW knowledge is in one named place; defaults
|
||||
are config (testable, env-specific, later editable via the beheer portal).
|
||||
- **Cost:** the ACL must be configured per environment (the seeded zaaktype URL, the
|
||||
organisation RSINs). Missing/invalid config fails fast at the ACL boundary.
|
||||
- **Follow-ups:** mapping the BSN onto the zaak (eigenschap/rol), status transitions, and
|
||||
documents are explicitly out of scope for S-04 and get their own slices.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Defaults in the domain payload** — rejected: leaks ZGW concerns into the domain,
|
||||
violating ADR-0001.
|
||||
- **Hardcoded defaults in code** — rejected: not env-specific, not operationally editable.
|
||||
@@ -1,52 +0,0 @@
|
||||
# ADR-0004: Reqnroll as the BDD acceptance framework
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-04
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-04 (#5); supports CLAUDE.md §3 (BDD at the use-case level) and §11 (tests pyramid)
|
||||
|
||||
## Context
|
||||
|
||||
CLAUDE.md §11 mandates that each user-visible flow is driven by a Gherkin acceptance
|
||||
scenario living in `tests/acceptance/`, and §3 names "BDD at the use-case level" as a core
|
||||
engineering principle. The foundational slices (S-00…S-03) added no acceptance layer; S-04
|
||||
is the first slice with real domain behaviour to drive, so it is where the BDD framework is
|
||||
introduced. We need a .NET tool that:
|
||||
|
||||
- parses Gherkin `.feature` files and binds steps to C#,
|
||||
- integrates with the existing xUnit test runner (the repo standardises on xUnit), so
|
||||
acceptance tests run under the same `dotnet test` / `make ci` gate as everything else,
|
||||
- is actively maintained on modern .NET (we target net10.0).
|
||||
|
||||
## Decision
|
||||
|
||||
**Use [Reqnroll](https://reqnroll.net/) (`Reqnroll.xUnit`) for acceptance tests.**
|
||||
|
||||
- Reqnroll is the actively-maintained, open-source successor to SpecFlow (which is no longer
|
||||
maintained). It keeps the same Gherkin + `[Binding]` model, so the knowledge transfers.
|
||||
- `Reqnroll.xUnit` generates one xUnit test per scenario, so acceptance tests are discovered
|
||||
and run by the same runner as the unit tests — no second test framework, no extra CI step.
|
||||
- Acceptance projects live under `tests/acceptance/` per the PRD §9 layout. Generated
|
||||
`*.feature.cs` files are build artefacts and are git-ignored.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** one assertion/runner stack (xUnit) across unit and acceptance tests; scenarios
|
||||
are written in business language (Dutch domain terms inline) and reviewed as the slice's
|
||||
contract; maintained tooling on net10.0.
|
||||
- **Cost:** a new dependency (`Reqnroll.xUnit`) and its xUnit v2 transitive graph. Reqnroll
|
||||
pulls `xunit.core` but not the assertion library, so the `xunit` metapackage is referenced
|
||||
explicitly to get `Assert`.
|
||||
- **Replaceable by:** hand-written xUnit "scenario" tests with a Given/When/Then helper, at
|
||||
the cost of losing Gherkin as the shared, readable contract — which is the whole point of §3.
|
||||
- **Follow-ups:** the real-OpenZaak integration test (Testcontainers) and the Stryker mutation
|
||||
baseline for S-04 are tracked as their own issues split off #5.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **SpecFlow** — rejected: unmaintained and without an official net10.0 story; Reqnroll is its
|
||||
drop-in successor.
|
||||
- **Plain xUnit Given/When/Then helpers** — rejected for user-visible flows: loses the
|
||||
business-readable Gherkin contract that §3/§11 require. Still fine for unit-level tests.
|
||||
- **Xunit.Gherkin.Quick** — rejected: lighter but less featureful (no hooks/scoped contexts,
|
||||
smaller community) than Reqnroll.
|
||||
@@ -1,68 +0,0 @@
|
||||
# ADR-0005: Stryker.NET for mutation testing, baseline on the ACL
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-25
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-04b (#47); proposed in #51; supports CLAUDE.md §5 (mutation ratchet) and §3 (Definition of Done)
|
||||
|
||||
## Context
|
||||
|
||||
CLAUDE.md §5 mandates Stryker on every PR with a **ratchet**: CI fails on a regression
|
||||
below the established baseline, and the baseline only ever moves up. §3 lists "mutation
|
||||
(ratchet)" as a Definition-of-Done gate for **every** slice. Yet no baseline existed — so,
|
||||
strictly, no slice could satisfy that gate. S-04b establishes it.
|
||||
|
||||
The ACL is the natural place to set the first baseline: it is the first service with real
|
||||
branching logic — `OpenZaakGateway` (HTTP contract, geo CRS headers, error handling),
|
||||
`ZgwToken` (HS256 JWT minting), and the `AclService` default-fill mapping. We need a tool
|
||||
that:
|
||||
|
||||
- mutates C# and runs the existing xUnit suite per mutant,
|
||||
- is reproducible (same version locally and in CI, no global install),
|
||||
- understands this repo's `.slnx` solution format (used repo-wide),
|
||||
- emits a break threshold CI can gate on.
|
||||
|
||||
## Decision
|
||||
|
||||
**Use [Stryker.NET](https://stryker-mutator.io/docs/stryker-net/) (`dotnet-stryker`),
|
||||
pinned as a local dotnet tool**, configured in solution mode against `Acl.slnx`.
|
||||
|
||||
- Pinned in `.config/dotnet-tools.json` (v4.15.0); `dotnet tool restore` makes
|
||||
`make mutation` reproducible from a fresh clone, locally and in CI — no global install.
|
||||
- **Solution mode** (`stryker-config.json` → `solution: Acl.slnx`) mutates the two projects
|
||||
under test (`Acl.Application`, `Acl.Infrastructure`); `Acl.Api` is untested and skipped.
|
||||
Stryker 4.15 reads `.slnx` directly, so no throwaway `.sln` shim is needed.
|
||||
- A `mutation` make target runs it; it is wired into `make ci` and a parallel Gitea Actions
|
||||
`mutation` job, keeping `make ci` an exact mirror of the pipeline.
|
||||
|
||||
**Baseline:** writing S-04b's tests surfaced that the ACL suite was thin — the initial
|
||||
score was **35%** (survivors: unasserted CRS headers, null guards, error paths, and JWT
|
||||
claims). Those tests were strengthened (killing the mutants honestly rather than lowering
|
||||
the bar), raising the score to **95%**. The enforced `break` threshold is set to **90%** —
|
||||
one-mutant headroom over the ~20-mutant surface, since a single mutant is ≈5%.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** test *strength* is gated, not just coverage; the ratchet protects the ACL's
|
||||
ZGW contract logic; the baseline is repo-wide and ratchets upward per §5.
|
||||
- **Cost:** a new dependency (`dotnet-stryker`) and a slower CI job than unit tests (~25 s on
|
||||
the small ACL). Pinned + tool-restored, so reproducible.
|
||||
- **One accepted survivor:** a mutation of the empty-response *exception message string*.
|
||||
Asserting exception message text is brittle and the behaviour (type + control flow) is
|
||||
unchanged — treated as an equivalent mutant, not a test gap.
|
||||
- **Commitment:** later slices ratchet the threshold up deliberately, never down (§5). New
|
||||
services add their own mutation run as they gain branching logic (BFF, Domain, …).
|
||||
- **Replaceable by:** no realistic .NET alternative — Stryker.NET is the tool §5 already
|
||||
names; the fallback is no mutation testing, which §5 forbids.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Global `dotnet tool install -g`** — rejected: not reproducible/pinned per clone; the
|
||||
local manifest gives every checkout and the CI runner the same version.
|
||||
- **Mutate the whole `register-referentie.slnx`** — rejected for this slice: scopes the
|
||||
baseline to services with no logic yet (BFF skeleton), diluting the signal. Each service
|
||||
opts in as it gains logic.
|
||||
- **Application-only scope** — rejected: would leave `Acl.Infrastructure`'s HTTP/JWT logic —
|
||||
the riskiest code — unguarded by the ratchet.
|
||||
- **Coverage gate instead of mutation** — rejected: line coverage does not measure whether
|
||||
tests would *catch* a regression; that is the whole point of §5.
|
||||
@@ -1,92 +0,0 @@
|
||||
# ADR-0006: Provision the ACL integration test against the compose stack
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-29
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-04a (#46); proposed in #53; builds on ADR-0001 (loose coupling), ADR-0002 (catalogus design), ADR-0003 (default-fill); supports CLAUDE.md §11 (integration tests via real containers)
|
||||
|
||||
## Context
|
||||
|
||||
S-04 delivered the ACL's one operation — `OpenZaakGateway.OpenZaakAsync` — with unit
|
||||
tests against a stubbed `HttpMessageHandler` and a Reqnroll scenario over an in-memory
|
||||
stand-in. The deferred S-04 acceptance criterion (S-04a) is the one a stub cannot meet:
|
||||
|
||||
> Integration test using Testcontainers against real OpenZaak passes.
|
||||
|
||||
The test must drive the gateway against a **real** OpenZaak — real ZGW JWT auth, the real
|
||||
`POST /zaken/api/v1/zaken` contract, real CRS handling — and assert a zaak comes back.
|
||||
|
||||
Two ways to stand OpenZaak up were considered (the issue's open question): (a) a full
|
||||
**Testcontainers** graph started by the test, or (b) target the **running compose stack**
|
||||
the repo already defines (`infra/openzaak/docker-compose.yml`, `make openzaak-up`).
|
||||
|
||||
Investigation reversed the initially-favoured Testcontainers option:
|
||||
|
||||
1. **Testcontainers .NET has no docker-compose support.** OpenZaak needs PostGIS + Redis +
|
||||
a `setup_configuration` one-shot (the JWT client) + the API. Honouring "full graph" would
|
||||
mean re-implementing that five-service stack — init ordering, the config volume, health
|
||||
gating — by hand in C#, duplicating the maintained compose file and rotting with it. That
|
||||
rubs against CLAUDE.md §13 ("if a test is hard to write, the design is wrong").
|
||||
2. **The test cannot be hermetic anyway.** OpenZaak's Zaken API rejects a zaak against a
|
||||
*concept* zaaktype (`not-published`), and a *published* zaaktype requires ≥1 resultaattype,
|
||||
which OpenZaak validates by fetching the external **Selectielijst** reference API
|
||||
(`selectielijst.openzaak.nl`). So a real zaak POST already depends on outbound internet
|
||||
from the OpenZaak container — the self-containment that motivated Testcontainers is lost
|
||||
regardless of how the containers are started.
|
||||
|
||||
## Decision
|
||||
|
||||
**The ACL integration test targets the running compose stack; it does not start containers
|
||||
itself. No new test dependency is added.**
|
||||
|
||||
- A gated test project `Acl.IntegrationTests` (`[Trait("Category","Integration")]`) talks to
|
||||
OpenZaak with a plain `HttpClient`, reusing the same endpoint + JWT-client config the seed
|
||||
uses (`OZ_BASE` / `OZ_CLIENT_ID` / `OZ_SECRET`, defaulting to the local stack). It locates
|
||||
the published `BIG-REGISTRATIE` zaaktype via the Catalogi API and exercises the real
|
||||
`OpenZaakGateway` against it.
|
||||
- **The lane is kept out of the fast checks.** `make unit` runs with
|
||||
`--filter "Category!=Integration"`; Stryker is pinned to `Acl.Tests` (`test-projects`), so
|
||||
neither the unit nor the mutation lane needs a live stack. A `make integration` target
|
||||
(`infra/run-integration.sh`) brings up a throwaway OpenZaak and runs the lane locally.
|
||||
In CI the check runs as the `verify-acl` step of the consolidated `verify-stack` job
|
||||
(issue #58) — one shared full-stack bring-up. This matches `make` being the single
|
||||
source of truth (ADR-0005).
|
||||
- **Publishing is opt-in in the seed.** `infra/openzaak/seed_catalogus.py` gains an
|
||||
`OZ_PUBLISH=1` path that adds the relations OpenZaak's publish requires — two statustypen
|
||||
(begin/eind), a roltype, and a resultaattype whose Selectielijst procestype is matched onto
|
||||
the zaaktype — then publishes. The default seed (S-01 / ADR-0002) still leaves the zaaktype
|
||||
a concept; only `make integration` flips the switch.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** a small, honest test over the real ZGW contract with no bespoke orchestration
|
||||
to maintain; the compose stack is exercised exactly as operators run it; no new dependency.
|
||||
- **It caught a real bug.** The gateway sent the zaak body via `JsonContent` without a
|
||||
`Content-Length`, so .NET framed it as `Transfer-Encoding: chunked`, which OpenZaak's uwsgi
|
||||
rejects with 400. A stubbed handler accepts either framing, so only a real OpenZaak surfaced
|
||||
it. Fixed by buffering the body (`LoadIntoBufferAsync`); guarded in the fast lane by a unit
|
||||
test asserting a `Content-Length` is set. This is the concrete justification for §11's
|
||||
integration tier.
|
||||
- **External dependency:** the integration job needs the OpenZaak container to reach
|
||||
`selectielijst.openzaak.nl`. It is a stable public reference API (the same one OpenZaak uses
|
||||
in production) but it is a network touchpoint, and a CI environment without egress would need
|
||||
a local Selectielijst service or a recorded fixture. `OZ_SELECTIELIJST` overrides the base URL.
|
||||
- **Cost:** the lane needs the stack up first, so it is separate from the fast lanes.
|
||||
- **Runs on the hosted runner.** A process *on* the runner can't reach the stack's published
|
||||
ports (Compose starts sibling containers via the host daemon — gitea-actions-gotchas.md §5,
|
||||
same split as §1), so `infra/run-integration.sh` runs both the seed and the test as containers
|
||||
*joined to the OpenZaak network*, reaching it by **container IP** (a single-label host like
|
||||
`openzaak` isn't URL-valid for OpenZaak's own `URLValidator`; an IPv4 literal is). Code is
|
||||
delivered by image build / `docker cp`, never bind mounts. The CI job therefore needs only
|
||||
Docker — no `setup-dotnet`. (This closed the follow-up that was originally split out as #55.)
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Full Testcontainers graph** — rejected: re-implements the compose stack in C# (brittle,
|
||||
duplicative) for no hermeticity gain, since the Selectielijst dependency remains.
|
||||
- **Single OpenZaak container (sqlite/locmem)** — rejected: diverges from the real
|
||||
PostGIS-backed, Redis-cached deployment; the Zaken API is a geo API and the divergence would
|
||||
undermine the contract the test exists to verify.
|
||||
- **Mock OpenZaak / record-replay** — rejected: that is what the existing stubbed-handler unit
|
||||
tests already do; it cannot exercise the real contract, and would not have caught the chunked
|
||||
body bug.
|
||||
@@ -1,77 +0,0 @@
|
||||
# ADR-0007: Wiring OpenZaak → Open Notificaties (NRC) for notifications
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-29
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-01-c (#56); completes S-01 (#2); unblocks the Event Subscriber (#7); builds on ADR-0002 (catalogus/seed) and ADR-0006 (runner-safe container harnesses)
|
||||
|
||||
## Context
|
||||
|
||||
S-01 brought OpenZaak + Open Notificaties (NRC) up in compose but **deferred the
|
||||
notification wiring**: OpenZaak ran with `NOTIFICATIONS_DISABLED=true` and NRC's
|
||||
`setup_configuration` was empty. The walking skeleton (PRD §12) needs the upstream
|
||||
event path — a zaak created in OpenZaak must publish a notification NRC fans out to
|
||||
subscribers — before the Event Subscriber (#7) can consume it.
|
||||
|
||||
The OpenZaak↔NRC handshake is intricate and several details are non-obvious; they
|
||||
were nailed down by iterating `setup_configuration` against the running stack.
|
||||
|
||||
## Decision
|
||||
|
||||
**Provision both sides declaratively via `setup_configuration`, authenticate with the
|
||||
existing `big-reference-seed` client, and run NRC's celery-beat so deliveries happen.**
|
||||
|
||||
- **OpenZaak** (`infra/openzaak/setup_configuration/data.yaml`): a `zgw_consumers`
|
||||
service `nrc` (api_type `nrc`, the NRC API root) plus `notifications_config` naming
|
||||
it. `NOTIFICATIONS_DISABLED` is flipped to `false` **only when NRC is present** —
|
||||
the full stack and the local twin set it; OpenZaak-only bring-ups (`openzaak-up`,
|
||||
the ACL integration test) default it back to `true` via `OZ_NOTIFICATIONS_DISABLED`
|
||||
so they don't 500 publishing to an absent NRC.
|
||||
- **NRC** (`infra/opennotificaties/setup_configuration/data.yaml`): the
|
||||
`big-reference-seed` JWT credential (to verify OpenZaak's token), a `zgw_consumers`
|
||||
`ac` service pointing at **OpenZaak's Autorisaties API**, the `autorisaties_api`
|
||||
step delegating authorization to that AC, and the `zaken` kanaal. NRC's init
|
||||
container switches from `migrate` to `/setup_configuration.sh`; its data.yaml is
|
||||
delivered through the `rr-nrc-config` external volume by `infra/seed-config.sh`
|
||||
(the same `docker cp` pattern as OpenZaak — bind mounts don't reach the CI runner's
|
||||
daemon).
|
||||
- **celery-beat is required.** NRC accepts a notification and writes a
|
||||
`ScheduledNotification`; a periodic `execute_notifications` task (celery-beat,
|
||||
every `NOTIFICATION_SEC_INTERVAL`s) drains it to the worker for delivery. The lean
|
||||
S-01 stack dropped beat — so notifications were accepted but never delivered. An
|
||||
`nrc-beat` service is added to every compose; the interval is lowered to 5s.
|
||||
|
||||
Verification is a runner-safe smoke (`infra/run-notification-check.sh`): it seeds a
|
||||
published BIG zaaktype, registers an abonnement to a webhook sink, creates a zaak, and
|
||||
asserts the sink receives the `zaken`/`create` notification — all from containers
|
||||
**inside** the compose network (ADR-0006). Locally it runs via `make verify-notifications`
|
||||
(a throwaway oz+nrc stack); in CI it runs as the `verify-nrc` step of the consolidated
|
||||
`verify-stack` job (one shared full-stack bring-up — issue #58).
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** the walking-skeleton event path works end to end; #7 can consume real
|
||||
notifications; the wiring is declarative and reproducible from a fresh `make`.
|
||||
- **Gotchas captured (see gitea-actions-gotchas.md):**
|
||||
- **Single-label hosts aren't URL-valid.** OpenZaak/NRC reject `http://openzaak…`
|
||||
/`http://nrc-web…` in URLs they validate (Django `URLValidator`); the verify
|
||||
harness reaches services and registers the sink callback **by container IP**.
|
||||
- **Abonnement callbacks must enforce auth.** NRC probes the callback during
|
||||
registration and refuses it (`no-auth-on-callback-url`) unless it returns 401
|
||||
without the configured `Authorization`; the sink enforces a bearer token.
|
||||
- **Cost:** an extra long-running service (`nrc-beat`) per stack, and the verify job
|
||||
needs egress (base images + `selectielijst.openzaak.nl`, since the published
|
||||
zaaktype the check creates a zaak against depends on it — ADR-0006).
|
||||
- **Dev-only credentials** reused (`big-reference-seed` / its secret) across publish,
|
||||
AC lookup, and seeding — acceptable for the reference app, not production.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **NRC with its own (non-AC) authorization** — rejected: delegating to OpenZaak's
|
||||
Autorisaties API is the upstream-intended model and reuses the applicatie that
|
||||
already grants `heeft_alle_autorisaties`.
|
||||
- **Keep beat out, deliver synchronously** — not an option: Open Notificaties 1.16
|
||||
delivers via scheduled notifications drained by beat; there is no sync path.
|
||||
- **A persistent abonnement in `setup_configuration`** instead of registering one in
|
||||
the verify harness — deferred: the real subscriber is #7; the harness's sink
|
||||
abonnement is throwaway and IP-specific.
|
||||
@@ -1,89 +0,0 @@
|
||||
# ADR-0008: The read projection — a shared, rebuildable store with a writer and a reader
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-30
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-06 (#7); builds on ADR-0001 (loose coupling), ADR-0007 (#56, OZ→NRC wiring); first EF Core usage in the repo
|
||||
|
||||
## Context
|
||||
|
||||
S-06 (#7) adds the upstream event path's destination: an **Event Subscriber** that consumes
|
||||
NRC notifications and a **read projection** the openbaar register reads. The walking-skeleton
|
||||
projection (PRD §8.4) holds one row per zaak — `id`, `bsn`, `naam_placeholder`, `status` —
|
||||
and must be **idempotent** (NRC redelivers and reorders, CLAUDE.md §8.6) and **rebuildable**
|
||||
(a derived artefact, never a write-only source of truth).
|
||||
|
||||
Two design questions had no obvious answer:
|
||||
|
||||
1. **Where does `bsn` come from?** The NRC `zaken`/`zaak`/`create` notification carries only the
|
||||
zaak URL plus the fixed `kenmerken` (`bronorganisatie`, `zaaktype`, `vertrouwelijkheidaanduiding`).
|
||||
It does **not** carry the bsn. Reading it means calling a ZGW API — which **only the ACL** may
|
||||
do (CLAUDE.md §8.1). The issue's "Touches" lists only `event-subscriber` + `projection-api`,
|
||||
not the ACL.
|
||||
2. **Who owns the projection schema?** The subscriber writes the projection; the projection-api
|
||||
reads it. CLAUDE.md §8.5 says "no direct DB access across services; each service owns its
|
||||
schema." Two deployables on one table looks like a violation.
|
||||
|
||||
## Decision
|
||||
|
||||
**One Postgres database is the read projection. The Event Subscriber writes it (projector) and
|
||||
the projection-api reads it (query); both are processes of the single "Read Projection" bounded
|
||||
context and share one schema, defined in a shared `Projection.ReadModel` library. `bsn` is
|
||||
deferred.**
|
||||
|
||||
- **Schema ownership.** The read model — `register_projection` plus the subscriber's
|
||||
`processed_notifications` log — lives in `services/projection-api/Projection.ReadModel`
|
||||
(EF Core + Npgsql). Both services reference it. This is the textbook CQRS read-model split
|
||||
(one writer, one reader over one derived store), **not** the cross-*domain* DB reach §8.5
|
||||
forbids: no domain owns write-state here; the projection is rebuildable (§8.4). §8.5 still
|
||||
holds for every domain database.
|
||||
- **Idempotency** is the primary key on `processed_notifications.key` (a deterministic key
|
||||
derived from the immutable notification content). A duplicate insert raises a unique violation,
|
||||
caught and reported as "already recorded", so the duplicate never reaches the projection. The
|
||||
projection upsert is itself idempotent on the zaak id, a second line of defence.
|
||||
- **Rebuild replays the log, not OpenZaak.** `POST /admin/rebuild` clears `register_projection`
|
||||
and reprojects every row in `processed_notifications`. So "rebuildable" needs **no** ZGW access
|
||||
(§8.1) and no ACL dependency — keeping S-06 within its stated scope.
|
||||
- **`bsn` and `naam_placeholder` are deferred.** They are columns (nullable) but the minimal slice
|
||||
populates only `id` + `status` (`INGEDIEND`) from the notification. Populating personal data
|
||||
requires reading the zaak **through the ACL** (§8.1) and is its own follow-up; the column shape
|
||||
is in place so that change is additive.
|
||||
- **New dependency: EF Core 10 + `Npgsql.EntityFrameworkCore.PostgreSQL`.** What it gives us: a
|
||||
migrated relational schema, LINQ queries, and a clean port implementation. What we'd write
|
||||
instead: hand-rolled SQL + a migration runner. Risk: ORM complexity and an extra dependency
|
||||
graph — bounded here to a tiny two-table read model. `dotnet-ef` is pinned as a local tool for
|
||||
migrations; `NuGetAuditMode=direct` keeps EF's design-time-only tooling transitive out of the
|
||||
audited, shipped graph.
|
||||
|
||||
The end-to-end path is verified by a runner-safe live-stack smoke (`infra/run-projection-check.sh`,
|
||||
the `verify-projection` step of the `verify-stack` job, #58): register an abonnement at the real
|
||||
Event Subscriber's callback, create a zaak, assert projection-api serves an `INGEDIEND` row — all
|
||||
in-network, reaching services by container IP (ADR-0006/0007).
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** the upstream event path reaches a queryable projection; idempotent and rebuildable
|
||||
without OpenZaak; S-06 stays inside its stated touch-set (no ACL change); the projection-api is
|
||||
ready for S-09 to tighten public-safe field filtering.
|
||||
- **Negative / deferred:**
|
||||
- `bsn`/`naam_placeholder` stay empty until a follow-up wires zaak reads via the ACL.
|
||||
- The abonnement is registered by the verify harness (by container IP), not provisioned
|
||||
persistently — ADR-0007 already deferred a persistent abonnement, and a single-label service
|
||||
host is not URL-valid for NRC, so persistent registration needs a dotted network alias. Tracked
|
||||
as a follow-up; a plain `make up` therefore needs the abonnement registered before the event
|
||||
path flows.
|
||||
- Two services share one database. Acceptable for a derived read model; revisit if the read and
|
||||
write sides ever need independent scaling or storage.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Subscriber reads OpenZaak directly to fill `bsn`** — rejected: breaks §8.1 (only the ACL talks
|
||||
to ZGW) and would need its own ADR to bend the rule.
|
||||
- **Extend the ACL with a zaak-read operation, consumed as a library** — viable and §8.1-clean, but
|
||||
it grows S-06 beyond its stated scope (touches the ACL) and pulls personal-data handling forward;
|
||||
deferred to a follow-up.
|
||||
- **projection-api owns the DB and exposes an internal write endpoint the subscriber calls** —
|
||||
rejected for the walking skeleton: adds an HTTP hop and a write surface on a read service for no
|
||||
current benefit over a shared, rebuildable read model.
|
||||
- **Separate databases for the log and the projection** — rejected as premature: both are the read
|
||||
side's private, rebuildable state; one DB is simpler and still honours §8.5's intent.
|
||||
@@ -1,88 +0,0 @@
|
||||
# ADR-0009: The Domain Service drives Flowable as an external-task job worker
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-06-30
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-05 (#6); proposal #60; builds on ADR-0001 (loose coupling, §8.1/§8.2), S-03 (#4, the `registratie` BPMN), S-04 (#5, the ACL `OpenZaak` operation)
|
||||
|
||||
## Context
|
||||
|
||||
S-05 (#6) adds the **BIG Domain Service**. Submitting a registration must: create a
|
||||
`Registration` aggregate, **start the Flowable `registratie` process** (S-03), have the
|
||||
`OpenZaakAanmaken` task **open a zaak via the ACL** (S-04), and store the resulting zaak URL
|
||||
back on the aggregate.
|
||||
|
||||
`OpenZaakAanmaken` is a Flowable **external-worker** service task (`flowable:type="external-worker"`,
|
||||
topic `OpenZaakAanmaken`). Flowable does not push it anywhere — it parks the job and waits for a
|
||||
worker to **acquire and lock** it, do the work, and **complete** it. Two coupling rules constrain
|
||||
who may do what:
|
||||
|
||||
- **§8.2 — the Workflow Client is the only code that talks to Flowable.** BPMN models never embed
|
||||
OpenZaak knowledge; they ask the Workflow Client to execute external tasks.
|
||||
- **§8.1 — the ACL is the only code that talks to ZGW.** The worker opens the zaak *through the ACL*,
|
||||
never by constructing ZGW URLs itself.
|
||||
|
||||
This is an ADR-worthy moment (§14): a service boundary is defined and both coupling rules are
|
||||
exercised. The open question is *how* the external task is driven.
|
||||
|
||||
## Decision
|
||||
|
||||
**The Domain Service drives the `OpenZaakAanmaken` task as a hosted external-task job worker
|
||||
(PRD §36). Orchestration is eventually consistent, not request-synchronous.**
|
||||
|
||||
- **`POST /registrations` is fast and side-effecting only on the domain side.** It creates the
|
||||
`Registration` aggregate in state `INGEDIEND`, persists it, and asks the Workflow Client to start
|
||||
one `registratie` process instance, recording the process-instance id on the aggregate. It returns
|
||||
immediately; it does **not** wait for the zaak to be opened.
|
||||
- **A hosted worker polls Flowable for `OpenZaakAanmaken` jobs.** It acquires and locks a job, calls
|
||||
the ACL `OpenZaak` operation (§8.1), attaches the returned zaak URL to the matching aggregate
|
||||
(`Registration.AttachZaak`), and completes the job in Flowable. The process then runs to its end
|
||||
event.
|
||||
- **The Workflow Client is the only Flowable client (§8.2).** It lives in the Domain Service's
|
||||
`Infrastructure` layer and speaks Flowable's REST API (start process-instance; acquire/lock/complete
|
||||
external-worker jobs). No other code — not the Application layer, not the BPMN — knows Flowable
|
||||
exists.
|
||||
- **The worker *logic* is an Application service over ports**, not Flowable-aware code. `OpenZaakWorker`
|
||||
takes an acquired job (topic + the registration id it carries), calls `IAclClient` and
|
||||
`IRegistrationStore`, and returns the zaak URL to complete with. The **polling loop** is a thin
|
||||
`BackgroundService` in `Infrastructure` that fetches jobs via the Workflow Client and feeds them to
|
||||
the worker. So the orchestration is covered by fast unit tests against fakes; only the REST framing
|
||||
needs a container integration test.
|
||||
|
||||
## Scope decisions for the minimal slice
|
||||
|
||||
- **Registration persistence is in-memory.** The walking skeleton's *read* path is fed by
|
||||
NRC → Event Subscriber → projection (S-06, #7), not by the domain database. An EF-backed domain
|
||||
store buys nothing the demo needs yet, so it is a documented follow-up; the `IRegistrationStore`
|
||||
port keeps that change additive. (PRD §88 envisions EF Core for the domain DB eventually.)
|
||||
- **The aggregate's state machine is minimal:** `INGEDIEND` on submission. Later flows (withdrawal,
|
||||
beoordeling, herregistratie) add states in their own slices — they are out of scope here.
|
||||
- **No bsn flows to ZGW yet.** The ACL `OpenZaak` operation already default-fills the ZGW-mandatory
|
||||
fields (ADR-0003) and takes the bsn as its domain payload; the domain hands it through unchanged.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** the submit request is decoupled from ACL/OpenZaak latency; the documented Common
|
||||
Ground pattern (external-task worker) is realised; both coupling rules (§8.1, §8.2) hold with the
|
||||
Flowable knowledge isolated to one Infrastructure class; the orchestration is unit-testable.
|
||||
- **Negative / deferred:**
|
||||
- Eventual consistency: immediately after `POST /registrations` the aggregate has no zaak URL yet.
|
||||
Acceptable — the read side is the projection, not the domain store.
|
||||
- In-memory registration state is lost on restart; fine for the skeleton, replaced by an EF store
|
||||
in a follow-up.
|
||||
- The worker polls (no push); poll interval is a tuning knob, not a correctness concern, since
|
||||
Flowable holds the job until completed.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Synchronous acquire+complete inside the `POST /registrations` request** — rejected: simpler and
|
||||
deterministic, but couples the submit request to ACL/OpenZaak latency and failure, and is not the
|
||||
external-task worker pattern PRD §36 mandates. It would also make the request fail if OpenZaak is
|
||||
briefly down, instead of the job simply staying parked for the worker to retry.
|
||||
- **A standalone Workflow Client service, separate from the Domain Service** — rejected for this
|
||||
slice: the worker needs the domain's aggregate store and the ACL client anyway, and PRD §9 places
|
||||
the Workflow Client inside the Domain Service deployment. A separate process adds a hop and a
|
||||
shared store for no current benefit.
|
||||
- **Flowable pushes to a webhook instead of being polled** — rejected: Flowable's external-worker
|
||||
model is pull-based (acquire/lock/complete); a push shim would re-implement it with weaker
|
||||
delivery guarantees.
|
||||
@@ -1,74 +0,0 @@
|
||||
# ADR-0010: The BFF validates Keycloak tokens and is the portals' only backend
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-07-01
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-07 (#8); proposal #63; builds on ADR-0001 (loose coupling, §8.3), S-02 (#3, Keycloak realms), S-05 (#6, Domain Service), S-06 (#7, read projection)
|
||||
|
||||
## Context
|
||||
|
||||
S-07 (#8) adds the **BFF (Backend-for-Frontend)** — the single backend the Angular portals talk
|
||||
to (CLAUDE.md §8.3). For the walking skeleton it exposes two endpoints and fans out to services
|
||||
already built:
|
||||
|
||||
- `POST /self-service/registrations` → Domain Service `POST /registrations` (S-05).
|
||||
- `GET /openbaar/register?q=…` → projection-api `GET /register` (S-06).
|
||||
|
||||
It must validate tokens issued by Keycloak (S-02). This is an ADR-worthy moment (§14): a new
|
||||
dependency (JWT bearer authentication) and two new service boundaries (BFF→domain, BFF→projection).
|
||||
|
||||
## Decision
|
||||
|
||||
**The BFF is the portals' only backend; it validates Keycloak `digid`-realm JWTs on the
|
||||
self-service endpoint, leaves the openbaar lookup anonymous, and fans out to the domain and
|
||||
projection over typed HTTP clients.**
|
||||
|
||||
- **Auth model.** `POST /self-service/registrations` requires a valid `digid`-realm bearer token;
|
||||
the BFF reads the `bsn` claim and forwards it to the domain. Missing / invalid / expired token →
|
||||
**401**. `GET /openbaar/register` is **anonymous** — the openbaar register is a public lookup
|
||||
(S-09), so no token is required.
|
||||
- **Portals talk only to the BFF (§8.3).** They never call the Domain Service, ACL, projection, or
|
||||
OpenZaak directly. The BFF orchestrates via typed `HttpClient`s whose base URLs come from config.
|
||||
Downstream calls are unauthenticated on the internal network for the walking skeleton; a
|
||||
service-to-service auth story (e.g. client-credentials) is a later slice, not this one.
|
||||
- **Validation is `Microsoft.AspNetCore.Authentication.JwtBearer`** pointed at the Keycloak `digid`
|
||||
realm authority. **New dependency justification:** it gives us standards-based OIDC/JWT validation
|
||||
(signature, issuer, expiry, audience) maintained by the framework; rolling our own JWT validation
|
||||
would be error-prone security code; the risk is a first-party ASP.NET Core package — minimal.
|
||||
- **Tests mint their own tokens.** `WebApplicationFactory` tests override the bearer options with a
|
||||
**test signing key**, so valid / invalid / expired tokens are minted in-process without a live
|
||||
Keycloak. Real Keycloak validation is exercised by a live-stack `verify-bff` check.
|
||||
- **OpenAPI is generated and committed** (`services/bff/openapi.json`) from .NET's built-in OpenAPI,
|
||||
so S-08's Angular client is generated from the spec, never hand-written (§10).
|
||||
|
||||
## Known wrinkle — container OIDC issuer mismatch
|
||||
|
||||
Keycloak stamps tokens with an `iss` equal to its **browser-facing** URL (what the portal used to
|
||||
log in), which differs from the BFF's **in-container** authority (`http://keycloak:8080/realms/digid`).
|
||||
Strict issuer validation then rejects otherwise-valid tokens. Unit tests avoid this (test key).
|
||||
`verify-bff` handles it by aligning the configured authority/issuer with the token's `iss` (and, if
|
||||
needed, disabling metadata address rewriting). Recorded so it is not rediscovered each time.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** the walking skeleton gains its front door; §8.3 holds with all portal traffic going
|
||||
through one backend; token validation is standard and testable without infra; the committed
|
||||
OpenAPI unblocks S-08.
|
||||
- **Negative / deferred:**
|
||||
- Downstream service-to-service auth is deferred (internal-network trust for now).
|
||||
- The openbaar endpoint is anonymous; when public-safe field filtering tightens (S-09) it stays
|
||||
anonymous but the projection query narrows.
|
||||
- The issuer-mismatch handling is dev-oriented; a production reverse-proxy setup would align the
|
||||
browser and internal issuer URLs instead.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Token-gate the openbaar endpoint too** — rejected: the openbaar register is public by design
|
||||
(S-09); requiring a login would contradict the slice's intent.
|
||||
- **Validate tokens by calling Keycloak's introspection endpoint per request** — rejected: adds a
|
||||
network hop per call and a Keycloak dependency on the hot path; local JWT signature validation via
|
||||
the realm's JWKS is the standard, faster choice.
|
||||
- **Hand-written JWT parsing** — rejected: security-sensitive code we shouldn't own when a
|
||||
first-party validator exists.
|
||||
- **Generate the OpenAPI client by hand / keep the spec uncommitted** — rejected: §10 requires a
|
||||
generated client from a committed spec.
|
||||
@@ -1,64 +0,0 @@
|
||||
# ADR-0011: Approval sets the zaak eindstatus via the ACL and projects INGESCHREVEN from the notification alone
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-07-13
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-09b (#75); split from S-09 (#10); builds on ADR-0001 (§8 loose coupling), ADR-0003 (ACL default-fill), ADR-0007 (OZ→NRC wiring), ADR-0008 (read projection), ADR-0009 (external-task worker)
|
||||
|
||||
## Context
|
||||
|
||||
The walking skeleton could submit a registration (INGEDIEND) and show it in the openbaar register,
|
||||
but nothing could **approve** it. S-09b adds a behandelaar approval that must make the entry publicly
|
||||
visible as a terminal status. There is no behandel-portal yet (S-12), so approval is triggered by a
|
||||
**temporary admin endpoint** on the Domain Service.
|
||||
|
||||
Two decisions are non-obvious (§14) and cross service boundaries:
|
||||
|
||||
1. **Who resolves the ZGW statustype?** Approval means "set the zaak to its final status", but the
|
||||
domain must stay ZGW-ignorant (§8.1 — only the ACL talks to ZGW) and does not know statustype URLs.
|
||||
2. **How does the projection learn the new status?** The status is set in OpenZaak, which notifies over
|
||||
NRC; the Event Subscriber projects it. But the subscriber **may not read OpenZaak** (§8.1), and an
|
||||
NRC `status`/`create` notification's `resourceUrl` is the *status* resource, not the zaak, and does
|
||||
not carry the statustype.
|
||||
|
||||
## Decision
|
||||
|
||||
**Approval flows Domain → ACL → OpenZaak → NRC → Event Subscriber → projection, using only the
|
||||
notification's own fields on the read side.**
|
||||
|
||||
- **Domain.** `Registration.Approve()` advances INGEDIEND → INGESCHREVEN (requires an opened zaak; a
|
||||
repeat is a no-op). The `ApproveRegistration` use case calls the ACL to set the zaak status, then
|
||||
advances the aggregate. A temporary `POST /registrations/{id}/approve` endpoint drives it.
|
||||
- **ACL.** A new `POST /statussen` operation takes only the zaak URL. The ACL resolves the zaaktype's
|
||||
**eindstatus** from the catalogus (`isEindstatus`, falling back to the highest `volgnummer`) and
|
||||
POSTs a ZGW status against the zaak. The domain never names statustypen — the ACL owns the ZGW
|
||||
translation (§8.1, ADR-0003).
|
||||
- **Event Subscriber.** It binds the NRC `hoofdObject` (always the zaak URL) and keys the projection on
|
||||
it, so a `zaken`/`status`/`create` notification updates the **same** row the zaak-create created,
|
||||
flipping it to INGESCHREVEN. It takes **any** status-create as the approval — in the walking skeleton
|
||||
the only status ever set after creation is the approval — so it never has to read OpenZaak to learn
|
||||
the statustype. The ZGW `resource` is retained in the notification log (new column) so a rebuild
|
||||
reproduces the right status.
|
||||
|
||||
## Consequences
|
||||
|
||||
- The domain↔ACL boundary stays clean: the domain hands over a zaak URL and says "approve"; ZGW
|
||||
statustype knowledge lives only in the ACL.
|
||||
- The projection remains rebuildable without OpenZaak (§8.1, ADR-0008): the log now records the ZGW
|
||||
resource, which is all a rebuild needs to reproject the status.
|
||||
- The openbaar register shows real lifecycle: INGEDIEND on submit, INGESCHREVEN on approval.
|
||||
- **Walking-skeleton assumption:** "any status-create ⇒ INGESCHREVEN" holds only while approval is the
|
||||
sole post-creation status transition. When more transitions arrive (beoordeling, afwijzing — S-12+),
|
||||
the subscriber must distinguish statustypen. The honest options then are to carry the statustype
|
||||
omschrijving in the notification `kenmerken`, or to have the ACL resolve it and re-notify — recorded
|
||||
here so future-me revisits this rather than assuming it generalises.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Inject the approved statustype URL into the ACL as config** (like the zaaktype URL). Rejected:
|
||||
couples ACL config to seed output and adds compose/run-domain-check plumbing; runtime eindstatus
|
||||
discovery keeps the ACL self-contained for one extra ZGW GET per approval.
|
||||
- **Have the Event Subscriber GET the status/statustype from OpenZaak** to map precisely. Rejected:
|
||||
violates §8.1 (only the ACL talks to ZGW) and makes the projection depend on OpenZaak being up.
|
||||
- **Record the derived status in the notification log** instead of the ZGW resource. Rejected: the log
|
||||
should retain notification *facts*, not projection semantics; the mapping stays in the projector.
|
||||
@@ -1,104 +0,0 @@
|
||||
# ADR-0012: One citizen-facing reference across self-service and the openbaar register
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-07-14
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** #78 (adr-proposal); builds on ADR-0008 (read projection), ADR-0001 (loose coupling), ADR-0009 (external-task worker / zaak creation)
|
||||
|
||||
## Context
|
||||
|
||||
A citizen submits through the self-service portal and is shown a confirmation with a
|
||||
**reference** so they can find their registration back in the public register. But the two
|
||||
sides showed **different identifiers**:
|
||||
|
||||
- The self-service confirmation shows the **domain `registrationId`** — a GUID minted by the
|
||||
domain aggregate (`RegistrationId.New()`) when the registration is created, before any zaak
|
||||
exists.
|
||||
- The openbaar register showed the **zaak id** — the UUID from the NRC `hoofdObject` URL,
|
||||
assigned by OpenZaak when the ACL opens the zaak.
|
||||
|
||||
These never match, so the reference on the confirmation was useless for looking the entry up.
|
||||
The two identifiers live on opposite sides of the ACL boundary and are generated by different
|
||||
systems at different times, so there is no way to reconcile them after the fact without a
|
||||
correlating value carried across the boundary.
|
||||
|
||||
The NRC notification the Event Subscriber consumes carries only the zaak URL plus the fixed
|
||||
`kenmerken` (`bronorganisatie`, `zaaktype`, `vertrouwelijkheidaanduiding`) — **not** the
|
||||
`registrationId`, the bsn, or the `identificatie`. ADR-0008 already recorded that filling any
|
||||
such field means reading the zaak **through the ACL** (§8.1) and deferred it as a follow-up.
|
||||
This is that follow-up, scoped to the one field the citizen actually needs.
|
||||
|
||||
## Decision
|
||||
|
||||
**Use the domain `registrationId` as the zaak's `identificatie`, and surface that single value
|
||||
as the citizen-facing `reference` on both portals. The Event Subscriber enriches the projection
|
||||
with the reference by reading the zaak through the ACL, and stores it in the replay log so
|
||||
rebuild stays log-only.**
|
||||
|
||||
Concretely, following the request path:
|
||||
|
||||
1. **Domain → ACL (write).** When the OpenZaak worker opens a zaak, it passes
|
||||
`registration.Id` to the ACL (`IAclClient.OpenZaakAsync(bsn, reference, …)`). The ACL sets
|
||||
it as the zaak's `identificatie` on `POST /zaken`. OpenZaak's `identificatie` is unique per
|
||||
`bronorganisatie` and ≤ 40 chars — a GUID string fits. The ACL remains the only code that
|
||||
constructs ZGW payloads (§8.1); the domain never sees a ZGW URL.
|
||||
2. **Event Subscriber → ACL (read).** On a notification, the subscriber asks the ACL for the
|
||||
zaak's reference via a new `POST /zaken/reference` endpoint (`{ zaakUrl } → { reference }`),
|
||||
which reads the zaak's `identificatie` through the ACL's OpenZaak gateway. The subscriber
|
||||
still never talks to ZGW itself (§8.1) — it depends only on the ACL, over HTTP.
|
||||
3. **Projection + replay log.** The reference is written both to the `register_projection` row
|
||||
**and** to the `processed_notifications` replay log (a new nullable `reference` column on
|
||||
each). Storing it in the log is what keeps ADR-0008's "**rebuild replays the log, not
|
||||
OpenZaak**" invariant true: `POST /admin/rebuild` reproduces the reference from the log
|
||||
without re-reading the ACL.
|
||||
4. **BFF + openbaar.** The public view (`OpenbaarProjection.PublicView`) exposes
|
||||
`id`, `status`, and `reference` (never bsn/naam), and the openbaar search matches on either
|
||||
`id` or `reference`. The openbaar register's "Referentie" column now renders `reference`.
|
||||
|
||||
The end-to-end guarantee is asserted in the Playwright walking-skeleton: the reference captured
|
||||
from the submit confirmation must appear as a cell in the public register.
|
||||
|
||||
### Why HTTP to the ACL, not the ACL as a library
|
||||
|
||||
ADR-0008 floated "extend the ACL with a zaak-read operation, consumed as a library." We instead
|
||||
call the ACL **over HTTP**, consistent with every other cross-service hop in this system
|
||||
(portals→BFF, domain→ACL). Sharing the ACL as a library would couple the subscriber to the
|
||||
ACL's infrastructure assembly and its ZGW client configuration, defeating the anti-corruption
|
||||
boundary. The HTTP endpoint keeps the ACL the single owner of ZGW access and its config.
|
||||
|
||||
## Consequences
|
||||
|
||||
**Positive**
|
||||
|
||||
- One reference, end to end: the citizen's confirmation value is exactly what the public
|
||||
register shows and searches by.
|
||||
- §8.1 stays intact — only the ACL reads or writes ZGW; the subscriber depends on the ACL, not
|
||||
OpenZaak.
|
||||
- Rebuild stays log-only (ADR-0008): the reference is replayed from `processed_notifications`,
|
||||
so `/admin/rebuild` needs no ACL/ZGW access.
|
||||
- The column additions are nullable and additive; older rows without a reference are tolerated.
|
||||
|
||||
**Negative / costs**
|
||||
|
||||
- A new coupling: the Event Subscriber now depends on the ACL being reachable
|
||||
(`Acl__BaseUrl`, compose `depends_on: acl`). A registration whose reference read fails will
|
||||
need the notification redelivered (NRC already redelivers; the projection upsert is
|
||||
idempotent).
|
||||
- One extra HTTP hop per notification (subscriber→ACL→OpenZaak) on the projection path. Bounded:
|
||||
one small GET per zaak, off the citizen's request path.
|
||||
- `identificatie` now carries semantic meaning (it equals the `registrationId`). If OpenZaak
|
||||
were ever configured to auto-generate `identificatie`, the correlation would break; the ACL
|
||||
setting it explicitly is now load-bearing.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Carry the `registrationId` in the notification** — rejected: NRC `kenmerken` are fixed and
|
||||
the notification content is not ours to extend; it would also couple the projection to a
|
||||
bespoke notification shape.
|
||||
- **Show the zaak id on the confirmation instead** — rejected: the zaak does not exist yet when
|
||||
the confirmation is returned (the worker opens it asynchronously, ADR-0009), so the domain has
|
||||
no zaak id to show at submit time.
|
||||
- **Store only on the projection row, re-read the ACL on rebuild** — rejected: it would make
|
||||
rebuild depend on the ACL/ZGW, breaking ADR-0008's log-only rebuild invariant.
|
||||
- **Reconcile the two ids in a lookup table** — rejected: adds write-only state and a second
|
||||
source of truth for a value that can simply be the same on both sides.
|
||||
@@ -1,250 +0,0 @@
|
||||
# Demo script
|
||||
|
||||
A running log of demoable outcomes, one section per slice. Each entry is a short,
|
||||
copy-pasteable walkthrough against a local `make up` stack.
|
||||
|
||||
---
|
||||
|
||||
## S-08d — Walking skeleton complete: browser → submit, end-to-end
|
||||
|
||||
**Outcome:** the self-service portal is served in the stack and the full front-of-house happy path
|
||||
runs in a real browser — **mock DigiD login → submit → confirmation** — closing the walking skeleton
|
||||
(portal → BFF → domain → Flowable → ACL → OpenZaak, with the openbaar register reading the projection).
|
||||
|
||||
```bash
|
||||
# 1. Bring the whole stack up (portal served on :8140, BFF :8080, Keycloak :8180).
|
||||
make up
|
||||
|
||||
# 2. Automated happy path — Playwright, inside the compose network (issuer-consistent):
|
||||
make verify-e2e # → login as jan-burger → submit → "ontvangen" confirmation
|
||||
|
||||
# 3. By hand: open the portal, log in as jan-burger / test123, click "Registratie indienen".
|
||||
open http://localhost:8140
|
||||
```
|
||||
|
||||
> The portal is served same-origin with the BFF (nginx proxies `/self-service` + `/openbaar`), so no
|
||||
> CORS; the OIDC authority comes from `/config.json` at runtime. See `docs/frontend-decisions.md`.
|
||||
|
||||
---
|
||||
|
||||
## S-08c — Self-service submit form (NL Design System + DigiD)
|
||||
|
||||
**Outcome:** a zorgprofessional logs in via mock DigiD and submits a BIG registration through the
|
||||
self-service portal (NL Design System styling); the page confirms with the reference returned by the
|
||||
BFF. The bsn comes from the DigiD token, so it's a confirm-and-submit flow (no bsn field).
|
||||
|
||||
```bash
|
||||
# 1. Bring the backend + Keycloak up (BFF on :8080, Keycloak on :8180).
|
||||
make up
|
||||
|
||||
# 2. Serve the portal (dev server); it redirects to Keycloak for DigiD login.
|
||||
pnpm nx serve self-service # → http://localhost:4200
|
||||
|
||||
# 3. In the browser: log in as the mock DigiD user jan-burger / test123, then submit.
|
||||
# The page shows the returned registration reference.
|
||||
```
|
||||
|
||||
> First real UI. The full **login → submit → success** happy path is automated in **S-08d**
|
||||
> (Playwright, against the compose-served app). Component tests + an axe WCAG 2.1 AA check on the
|
||||
> submit page run headless in the `frontend` CI lane. See `docs/frontend-decisions.md`.
|
||||
|
||||
---
|
||||
|
||||
## S-08a — Nx workspace + self-service portal skeleton
|
||||
|
||||
**Outcome:** the frontend foundation — an Nx (pnpm) monorepo with the `self-service` Angular app
|
||||
(standalone + signals), lint/test/build green in a CI Node lane. The login + submit form follow in
|
||||
S-08c.
|
||||
|
||||
```bash
|
||||
# From a fresh clone (Node 24 + pnpm 11):
|
||||
pnpm install # native builds are pre-approved in pnpm-workspace.yaml
|
||||
pnpm nx test self-service # Vitest component test
|
||||
pnpm nx build self-service # production build
|
||||
pnpm nx serve self-service # → http://localhost:4200 (placeholder page)
|
||||
# Or the CI-equivalent one-shot:
|
||||
make frontend # install + nx lint/test/build
|
||||
```
|
||||
|
||||
> Nx manages only `apps/`+`libs/`; the .NET services stay on `dotnet`/the Makefile. NL Design System
|
||||
> and the real form arrive in S-08c (#67); see `docs/frontend-decisions.md`.
|
||||
|
||||
---
|
||||
|
||||
## S-07 — BFF: the portals' single backend
|
||||
|
||||
**Outcome:** the BFF validates Keycloak `digid` tokens on the self-service submit (forwarding the
|
||||
bsn to the domain) and serves the openbaar register anonymously with only public-safe fields — the
|
||||
front door the portals (S-08/S-09) will talk to.
|
||||
|
||||
**The path:** portal → BFF `POST /self-service/registrations` (token-gated) → domain; and
|
||||
BFF `GET /openbaar/register` (anonymous) → projection-api. See ADR-0010.
|
||||
|
||||
```bash
|
||||
# 1. Bring the full stack up.
|
||||
make up
|
||||
|
||||
# 2. Drive the BFF end-to-end (401 without a token, 202 with a real digid token, anonymous openbaar).
|
||||
make verify-bff # → "OK — BFF: 401 without token, 202 with a digid token, anonymous ..."
|
||||
|
||||
# 3. Try it by hand (BFF on host port 8080).
|
||||
# a) A digid access token for the mock user jan-burger (bsn 123456782):
|
||||
tok=$(curl -s -X POST http://localhost:8180/realms/digid/protocol/openid-connect/token \
|
||||
-d grant_type=password -d client_id=big-portal -d username=jan-burger -d password=test123 \
|
||||
| python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
|
||||
|
||||
# b) Submit — without the token it is 401; with it, 202:
|
||||
curl -s -o /dev/null -w "no token -> %{http_code}\n" -X POST http://localhost:8080/self-service/registrations
|
||||
curl -s -o /dev/null -w "with token-> %{http_code}\n" -X POST http://localhost:8080/self-service/registrations \
|
||||
-H "Authorization: Bearer $tok"
|
||||
|
||||
# c) The openbaar register is anonymous and exposes only id + status (never the bsn):
|
||||
curl -fsS http://localhost:8080/openbaar/register | jq
|
||||
```
|
||||
|
||||
> The self-service token is validated against Keycloak's `digid` realm; the openbaar lookup needs no
|
||||
> token (S-09). The generated contract lives at `services/bff/openapi.json` — S-08's client is built
|
||||
> from it.
|
||||
|
||||
---
|
||||
|
||||
## S-05 — BIG Domain Service: submit a registration
|
||||
|
||||
**Outcome:** submitting a registration starts a Flowable process; the external-task worker
|
||||
opens a zaak via the ACL and records it on the aggregate — the upstream half of the skeleton
|
||||
that produces the zaak S-06 then projects.
|
||||
|
||||
**The path:** domain `POST /registrations` → Flowable `registratie` process → `OpenZaakAanmaken`
|
||||
worker → ACL → OpenZaak; `GET /registrations/{id}` shows the opened zaak (ADR-0009).
|
||||
|
||||
```bash
|
||||
# 1. Bring the full stack up (seeds config, builds our services, waits for health).
|
||||
make up
|
||||
|
||||
# 2. Drive the full path end-to-end. This also seeds a published BIG zaaktype and points the
|
||||
# ACL at it (the zaak's zaaktype URL is server-assigned, so it isn't known at bring-up).
|
||||
make verify-domain # → "OK — the domain opened a zaak and recorded it on the registration"
|
||||
|
||||
# 3. Submit one yourself (domain on host port 8130). Returns 202 + a Location to read back.
|
||||
loc=$(curl -fsS -D - -o /dev/null -X POST http://localhost:8130/registrations \
|
||||
-H 'Content-Type: application/json' -d '{"bsn":"123456782"}' | sed -n 's/\r$//; s/^[Ll]ocation: //p')
|
||||
|
||||
# 4. The worker opens the zaak off the request path (eventual consistency, ADR-0009); poll
|
||||
# until zaakUrl is filled. (Step 2 must have run first, so the ACL knows the zaaktype.)
|
||||
curl -fsS "http://localhost:8130$loc" | jq
|
||||
# → { "registrationId": "...", "status": "Ingediend", "zaakUrl": "http://.../zaken/api/v1/zaken/<uuid>" }
|
||||
```
|
||||
|
||||
> Registration state is in-memory for this slice (ADR-0009); the rebuildable read model is the
|
||||
> projection (S-06), fed by the very zaak this flow opens.
|
||||
|
||||
---
|
||||
|
||||
## S-06 — Event Subscriber + read projection
|
||||
|
||||
**Outcome:** a zaak created in OpenZaak flows through NRC to the Event Subscriber, which
|
||||
projects it into a rebuildable read projection the projection-api serves.
|
||||
|
||||
**The path:** OpenZaak → (notification) NRC → (abonnement callback) Event Subscriber →
|
||||
`register_projection` → projection-api `GET /register`.
|
||||
|
||||
```bash
|
||||
# 1. Bring the full stack up (seeds config, builds our services, waits for health).
|
||||
make up
|
||||
|
||||
# 2. Register the Event Subscriber's abonnement and create a zaak, then read it back.
|
||||
# (The verify-projection check does exactly this end-to-end and asserts the result.)
|
||||
make verify-projection # → "OK — projection-api serves zaak <uuid> with status INGEDIEND"
|
||||
|
||||
# 3. Observe the projection directly via the read API (host port 8120).
|
||||
curl -fsS http://localhost:8120/register | jq
|
||||
# → [ { "id": "<zaak-uuid>", "status": "INGEDIEND", "bsn": null, "naamPlaceholder": null } ]
|
||||
|
||||
# 4. Idempotency + rebuild: replays don't duplicate; a rebuild repopulates from the
|
||||
# notification log (no OpenZaak access needed — ADR-0008).
|
||||
curl -fsS -X POST http://localhost:8110/admin/rebuild # Event Subscriber, host port 8110
|
||||
curl -fsS http://localhost:8120/register | jq 'length' # → unchanged
|
||||
```
|
||||
|
||||
> `bsn` / `naam_placeholder` are deferred (ADR-0008) — the notification doesn't carry them and
|
||||
> the subscriber may not read OpenZaak directly (§8.1). They surface in a later slice.
|
||||
|
||||
---
|
||||
|
||||
## S-09 — Openbaar Register portal (public visibility)
|
||||
|
||||
**Outcome:** the entry a zorgprofessional submits via self-service becomes publicly visible in the
|
||||
anonymous openbaar register portal — closing the walking-skeleton loop (submit → process → projection
|
||||
→ public visibility).
|
||||
|
||||
**The path:** self-service submit → BFF → domain → (zaak) OpenZaak → NRC → Event Subscriber →
|
||||
projection → openbaar portal reads the BFF's public-safe `GET /openbaar/register`.
|
||||
|
||||
```bash
|
||||
# 1. Bring the full stack up (self-service :8140, openbaar :8141).
|
||||
make up
|
||||
|
||||
# 2. Submit a registration via the self-service portal (mock DigiD: jan-burger / test123),
|
||||
# or drive the whole happy path automatically (login → submit → public visibility):
|
||||
make verify-e2e
|
||||
|
||||
# 3. Open the public register — no login. It lists the submitted entry (id + status only).
|
||||
# Only public-safe fields cross the BFF: bsn / naam never appear.
|
||||
open http://localhost:8141/ # search box; searches the BFF by referentie
|
||||
curl -fsS http://localhost:8140/openbaar/register | jq # same public-safe view via the BFF proxy
|
||||
# → [ { "id": "<zaak-uuid>", "status": "INGEDIEND" } ]
|
||||
```
|
||||
|
||||
> The register shows `INGEDIEND` on submit; approval flips it to `INGESCHREVEN` — see S-09b below.
|
||||
|
||||
---
|
||||
|
||||
## S-09b — Approval flow (public visibility flips to INGESCHREVEN)
|
||||
|
||||
**Outcome:** a behandelaar approves a submitted registration via a temporary admin endpoint (no
|
||||
behandel-portal yet — S-12). The approval sets the zaak's final status through the ACL, which flows
|
||||
back to the projection over NRC, and the openbaar register then shows the entry as `INGESCHREVEN`.
|
||||
|
||||
**The path:** `POST /registrations/{id}/approve` (domain) → ACL sets the zaak eindstatus (ZGW
|
||||
`/statussen`) → OpenZaak → NRC → Event Subscriber projects `INGESCHREVEN` → openbaar register.
|
||||
|
||||
```bash
|
||||
# 1. Full stack up, then drive submit → public INGEDIEND → approve → public INGESCHREVEN:
|
||||
make up
|
||||
make verify-e2e
|
||||
|
||||
# 2. Or by hand: submit (as in S-09), note the reference, then approve it.
|
||||
# The zaak is opened off the request path, so approve once GET shows a zaakUrl.
|
||||
ref="<registration-reference-from-the-confirmation>"
|
||||
curl -fsS http://localhost:8130/registrations/$ref | jq # domain (host port 8130): wait for .zaakUrl
|
||||
curl -fsS -X POST http://localhost:8130/registrations/$ref/approve -i # → 204 No Content
|
||||
|
||||
# 3. The public register now shows the entry as approved.
|
||||
curl -fsS http://localhost:8140/openbaar/register | jq
|
||||
# → [ { "id": "<zaak-uuid>", "status": "INGESCHREVEN" } ]
|
||||
```
|
||||
|
||||
> **End of walking skeleton** (S-09 + S-09b): submit → process → projection → public visibility, from
|
||||
> INGEDIEND through approval to INGESCHREVEN. The subscriber takes any post-creation status-set as the
|
||||
> approval (ADR-0011) — a walking-skeleton assumption that tightens when more transitions arrive (S-12+).
|
||||
|
||||
## #78 — One reference across both portals (ADR-0012)
|
||||
|
||||
Before this change the self-service confirmation and the openbaar register showed **different**
|
||||
identifiers, so a citizen could not look their registration back up. Now both show the same
|
||||
**reference**: the domain `registrationId` is set as the zaak's `identificatie` by the ACL, and the
|
||||
Event Subscriber enriches the projection with it by reading the zaak through the ACL (§8.1) — storing
|
||||
it in the replay log so rebuild stays log-only (ADR-0008).
|
||||
|
||||
**The path:** domain passes `registrationId` → ACL sets it as `zaak.identificatie` → NRC →
|
||||
Event Subscriber asks the ACL for the reference → projection row + replay log → openbaar register.
|
||||
|
||||
```bash
|
||||
# Submit as in S-09 and note the reference on the confirmation, then find it in the public register:
|
||||
ref="<registration-reference-from-the-confirmation>"
|
||||
curl -fsS "http://localhost:8140/openbaar/register?q=$ref" | jq
|
||||
# → [ { "id": "<zaak-uuid>", "status": "INGEDIEND", "reference": "<same-ref-as-confirmation>" } ]
|
||||
```
|
||||
|
||||
> The openbaar register's "Referentie" column and its search now use this reference — the exact value
|
||||
> the citizen saw on submit. Asserted end-to-end by the Playwright happy path.
|
||||
@@ -1,119 +0,0 @@
|
||||
# Frontend decisions
|
||||
|
||||
A running log of frontend tooling and component decisions (CLAUDE.md §10). One entry per
|
||||
decision; record *why*, and note any deviation from NL Design System.
|
||||
|
||||
---
|
||||
|
||||
## Workspace & tooling (S-08a, #65)
|
||||
|
||||
The portals live in an **Nx monorepo at the repository root**, alongside the .NET `services/`.
|
||||
|
||||
- **Package manager: pnpm.** Native build scripts are approved explicitly in `pnpm-workspace.yaml`
|
||||
under `allowBuilds` (pnpm 11 fails the install otherwise). Node 24, pnpm 11.
|
||||
- **Angular, standalone components + signals, no NgModules** (§10). Apps are generated with
|
||||
`@nx/angular:application`.
|
||||
- **Unit tests: Vitest** via Angular's built-in `@angular/build:unit-test` (the `vitest-angular`
|
||||
runner). **Angular Testing Library** is added for component tests when the first real components
|
||||
land (S-08c); the S-08a placeholder uses a plain `TestBed` render assertion.
|
||||
- **Lint: ESLint** (flat config, `@nx/eslint`).
|
||||
- **Nx is scoped to `apps/` + `libs/` only.** The `@nx/docker` and `@nx/dotnet` plugins are **not**
|
||||
installed — the .NET services are built by `dotnet`/the Makefile, and `@nx/docker` would otherwise
|
||||
infer every `services/*/Dockerfile` as an unnamed Nx project and break the project graph.
|
||||
- **No Nx Cloud.** `nxCloudId` is stripped from `nx.json`; remote caching would depend on an
|
||||
external service, and the repo is Gitea-only (§8.7). Nx's "configure-ai-agents" additions
|
||||
(`.claude/settings.json`, a CLAUDE.md section referencing a GitHub marketplace) are **not**
|
||||
committed for the same reason.
|
||||
- **CI:** a `frontend` job (`make frontend` → `pnpm install --frozen-lockfile` + `nx run-many -t
|
||||
lint test build`) runs on pnpm + Node, with pinned action URLs (§15).
|
||||
|
||||
**NL Design System:** not yet introduced — the S-08a app is a placeholder. NL DS components arrive
|
||||
with the submit form (S-08c, #67); any deviation from NL DS will be recorded here.
|
||||
|
||||
---
|
||||
|
||||
## API client generator (S-08b, #66)
|
||||
|
||||
`libs/api-client` is **generated from `services/bff/openapi.json`** — never hand-written (§10).
|
||||
|
||||
- **Generator: orval** (`client: 'angular'`), a **node-based** generator (no Java, unlike
|
||||
`openapi-generator`), so it runs in the pnpm/Node CI lane. It emits an injectable
|
||||
`BffApiV1Service` using Angular's `HttpClient` — which means the DigiD bearer token can be attached
|
||||
by an **`HttpInterceptor`** (S-08c), the idiomatic Angular approach; a fetch-based SDK would bypass
|
||||
the interceptor pipeline.
|
||||
- **Config:** `libs/api-client/orval.config.ts` (single-file output into `src/lib/generated/`,
|
||||
`clean: true`, prettier). **Regenerate with `nx run api-client:generate`** after the BFF spec
|
||||
changes; the output is deterministic (idempotent), and `src/lib/generated/` is never hand-edited.
|
||||
- **Tested** against a mocked BFF via `HttpClientTesting` (`libs/api-client/src/lib/bff-api.spec.ts`).
|
||||
- The BFF endpoints carry no `operationId`, so orval synthesises method names
|
||||
(`postSelfServiceRegistrations`, `getOpenbaarRegister`); adding explicit operation ids to the BFF
|
||||
is a possible later polish.
|
||||
|
||||
---
|
||||
|
||||
## Self-service form: NL DS, DigiD auth, testing (S-08c, #67)
|
||||
|
||||
- **NL Design System via `@utrecht/component-library-angular`** (`libs/ui`) + `@utrecht/design-tokens`
|
||||
(imported once in `apps/self-service/src/styles.css`). Utrecht is NL DS's reference Angular
|
||||
implementation. Its v3 components are **NgModule-based, not standalone**, so `libs/ui` re-exports
|
||||
`UtrechtComponentsModule` (and the component classes, so the AOT compiler resolves the template
|
||||
directives through the barrel); standalone components consume it via `imports: [UtrechtComponentsModule]`.
|
||||
§10's "no NgModules in new code" governs *our* code — consuming a third-party module is fine.
|
||||
- **DigiD login via `angular-auth-oidc-client`** (`libs/auth`): auth-code + PKCE against the Keycloak
|
||||
`digid` realm (public client `big-portal`). A small **`AuthService` abstraction** (bsn /
|
||||
isAuthenticated / login) wraps the library so components and the `authenticatedGuard` depend on a
|
||||
mockable surface; a **token `HttpInterceptor`** attaches the bearer to BFF calls (secure route).
|
||||
The OIDC `authority`/`secureApiOrigin` are dev defaults in `app.config.ts`; the compose-served app
|
||||
overrides them (S-08d), and the browser-vs-container issuer alignment is handled there (ADR-0010).
|
||||
- **Testing:** component tests use **`@testing-library/angular`** (§10) with `AuthService` and the
|
||||
api-client mocked; the **axe** (`vitest-axe`) check runs scoped to WCAG 2.1 AA tags
|
||||
(`wcag2a/2aa/21a/21aa`) with the document `lang` set, asserting zero violations on the submit page.
|
||||
The real DigiD browser round-trip is exercised in S-08d (Playwright).
|
||||
- **Module boundaries:** replaced the demo eslint `depConstraints` (`scope:shop`/`scope:shared`, left
|
||||
over from the Nx angular template) with a permissive `*` default; scope/type tags can be
|
||||
introduced when the portal set grows.
|
||||
|
||||
---
|
||||
|
||||
## Serving + e2e (S-08d, #68)
|
||||
|
||||
- **Served by nginx, same-origin as the BFF.** The compose `self-service` image serves the built app
|
||||
and **reverse-proxies** `/self-service/*` + `/openbaar/*` to the `bff` service. Because the
|
||||
api-client uses **relative URLs**, the browser calls the app's own origin → nginx forwards to the
|
||||
BFF: **no CORS**, and the DigiD token (same-origin) is attached by the interceptor. nginx resolves
|
||||
the BFF at request time (a `resolver` + variable `proxy_pass`) so it starts before the BFF is up.
|
||||
- **Runtime config.** The app fetches `/config.json` before bootstrap (`main.ts`); `appConfig` is a
|
||||
factory. The dev default (`public/config.json`) points at `localhost:8180`; the Docker image bakes
|
||||
the compose value (`keycloak:8080`). One build, per-environment OIDC authority.
|
||||
- **e2e runs inside the compose network.** `infra/run-e2e-check.sh` runs Playwright in a container on
|
||||
`cg`, so the browser reaches Keycloak as `keycloak:8080` — the **same issuer** the BFF validates
|
||||
against (resolves the browser-vs-container mismatch, ADR-0010). It uses the official
|
||||
`mcr.microsoft.com/playwright:<version>` image with browsers pre-baked, rather than downloading
|
||||
~150 MB of Chromium on every run (issue #73) — the image tag is kept in lockstep with
|
||||
`tests/e2e/package.json`'s `@playwright/test` version. The spec is copied in (`docker cp`), not
|
||||
mounted, so it leaves nothing root-owned on the host. Wired as `verify-e2e` in the `verify-stack`
|
||||
CI job.
|
||||
- **e2e treats the portal origin as secure.** In-network the portal is served over plain HTTP on a
|
||||
non-localhost origin (`http://self-service`), which is **not a secure context**, so Web Crypto
|
||||
(`crypto.subtle`) is unavailable. angular-auth-oidc-client needs it for the PKCE code challenge, so
|
||||
`authorize()` throws and the login redirect never fires. Production runs behind HTTPS where this is
|
||||
a non-issue; rather than terminate TLS in the throwaway stack, the Playwright config passes
|
||||
`--unsafely-treat-insecure-origin-as-secure` (honoured only by the full `channel: 'chromium'`
|
||||
build, not the default headless-shell). This emulates the production HTTPS secure context without
|
||||
touching the app or its production config.
|
||||
- `tests/e2e` is a standalone Playwright project (its own `package.json`), not an Nx project — it's a
|
||||
live-stack check like the other `verify-*` runners, not part of the `frontend` unit lane.
|
||||
|
||||
## Openbaar Register portal (S-09, #10)
|
||||
|
||||
- **Anonymous, no auth.** The openbaar register is a public read, so `apps/openbaar` has no
|
||||
`angular-auth-oidc-client`, no interceptor, and no `config.json` — `main.ts` bootstraps `appConfig`
|
||||
directly with just `provideHttpClient` + `provideRouter`. This is the deliberate contrast to
|
||||
self-service and keeps the app trivially cacheable/CDN-able.
|
||||
- **Same-origin via nginx, like self-service.** The compose `openbaar` image serves the built app and
|
||||
reverse-proxies `/openbaar` to the BFF; the api-client's relative calls stay same-origin (no CORS).
|
||||
Served on `:8141`, health-checked over IPv4 (`127.0.0.1`), no Keycloak dependency.
|
||||
- **Public-safe by construction.** The portal only ever sees the BFF's `OpenbaarProjection.PublicView`
|
||||
(id + status); `bsn`/`naam` never leave the BFF. The e2e asserts the bsn never renders.
|
||||
- **Loads on open, filters on search.** `RegisterPage` fetches the full register on construction and
|
||||
re-queries `/openbaar/register?q=` on search — no client-side filtering, the BFF owns the query.
|
||||
@@ -1,52 +0,0 @@
|
||||
# Working with Gitea: issues, milestones, PRs
|
||||
|
||||
Gitea is the **system of record** (CLAUDE.md §7). `BACKLOG.md` is a human-readable
|
||||
mirror of the active milestone — when they disagree, Gitea wins.
|
||||
|
||||
## Issues
|
||||
|
||||
- Open issues from the templates in `.gitea/ISSUE_TEMPLATE/`:
|
||||
- **Slice** — a backlog user story (`S-NN · …`), encodes the Definition of Done.
|
||||
- **Bug** — a defect.
|
||||
- **ADR proposal** — a decision to record before coding (CLAUDE.md §14).
|
||||
- Every issue gets `type:*` plus the relevant `area:*` label(s), and is assigned to
|
||||
its iteration **milestone** (`Iteration N — …`).
|
||||
- Splitting a slice that grew too big: see CLAUDE.md §13 and the "How to split a
|
||||
slice" section of `BACKLOG.md`.
|
||||
|
||||
## Branches & commits
|
||||
|
||||
- Trunk-based: short-lived branches off `main`, squash-merged. Never push to `main`.
|
||||
- Branch name: `<type>/<issue-number>-<slug>`, e.g. `feat/28-bff-health`.
|
||||
- Conventional Commits, each referencing its issue: `feat(bff): … (refs #28)`.
|
||||
- TDD order: the `test(...)` red commit precedes the `feat(...)` green commit.
|
||||
|
||||
## Pull requests
|
||||
|
||||
- Open with `tea pr create` (the Gitea CLI) or the web UI; the body uses
|
||||
`.gitea/PULL_REQUEST_TEMPLATE.md` and its DoD checklist.
|
||||
- The merging PR closes its issue via `closes #NN` in the squash-commit body.
|
||||
Work that isn't finished (e.g. CI green pending a runner) uses `refs #NN` and the
|
||||
issue stays open.
|
||||
- A PR needs a linked issue. Don't open one without it.
|
||||
|
||||
## CI gate
|
||||
|
||||
Until a self-hosted `respellion-linux` runner is registered, `make ci` is the gate
|
||||
(it runs the same checks the workflow does). See [runbooks/ci.md](runbooks/ci.md).
|
||||
|
||||
## CLI cheatsheet (`tea`)
|
||||
|
||||
```bash
|
||||
tea issues list --state open # backlog
|
||||
tea issue create --title "S-NN · …" --labels type:slice,area:bff --milestone "Iteration 1 — Walking Skeleton"
|
||||
tea pr create --base main --head <branch> --title "…" --description "… closes #NN"
|
||||
tea pr list # open PRs
|
||||
tea pr merge <n> --style squash # merge (after review)
|
||||
```
|
||||
|
||||
## Changelog & releases
|
||||
|
||||
`CHANGELOG.md` is generated from commits by `git-cliff` (`make changelog`), refreshed
|
||||
on tag. Versioning is **CalVer** `YYYY.MM.PATCH`; releases are published via Gitea
|
||||
Releases.
|
||||
@@ -1,23 +0,0 @@
|
||||
# register-referentie
|
||||
|
||||
A reference application demonstrating Respellion's Common Ground architecture
|
||||
pattern. Quality and architectural clarity over feature throughput — every commit
|
||||
should teach.
|
||||
|
||||
## Where to go
|
||||
|
||||
- **[Product Requirements](PRD.md)** — what we're building and why.
|
||||
- **[ADR-0001: Loose coupling](architecture/adr-0001-loose-coupling.md)** — the
|
||||
non-negotiable integration stance; the template for future ADRs.
|
||||
- **[Working in Gitea](gitea-workflow.md)** — issues, milestones, branches, PRs.
|
||||
- **[CI runbook](runbooks/ci.md)** — the pipeline and the `make ci` local gate.
|
||||
|
||||
## Quickstart
|
||||
|
||||
See the repository `README.md`. In short: clone, then either run the checks with
|
||||
`make ci`, or bring the BFF up with
|
||||
`docker compose -f infra/docker-compose.yml up -d --build --wait` and
|
||||
`curl http://localhost:8080/health`.
|
||||
|
||||
> This site is built with MkDocs Material (`mkdocs build`). It grows with the
|
||||
> backlog; sections appear as their slices land.
|
||||
@@ -1,151 +0,0 @@
|
||||
# CI runbook — Gitea Actions
|
||||
|
||||
> **Status: active.** The workflow `.gitea/workflows/ci.yaml` runs on Gitea's
|
||||
> hosted `ubuntu-latest` runner — no self-hosted runner required.
|
||||
> **`make ci` is still the local gate** — it runs the exact same checks
|
||||
> (the workflow calls the same `make` targets).
|
||||
|
||||
## The pipeline
|
||||
|
||||
`.gitea/workflows/ci.yaml` runs on every push and pull request to `main`. Each job
|
||||
calls a `make` target — the **single source of truth** for the checks, so local
|
||||
and CI cannot drift:
|
||||
|
||||
| Job | Target | Needs |
|
||||
|---|---|---|
|
||||
| `lint` | `make lint` → `dotnet format … --verify-no-changes` | .NET 10 SDK |
|
||||
| `build` | `make build` → `dotnet build … -c Release` | .NET 10 SDK |
|
||||
| `unit` | `make unit` → `dotnet test … -c Release --filter "Category!=Integration"` | .NET 10 SDK |
|
||||
| `mutation` | `make mutation` → `dotnet tool restore` → `dotnet stryker` (ACL); uploads the HTML report as an artifact | .NET 10 SDK |
|
||||
| `verify-stack` | the single live-stack stage — steps: `make verify-up` (full stack up + health, the DoD smoke) → `make verify-acl` (ACL ↔ OpenZaak) → `make verify-nrc` (OpenZaak → NRC delivery) → `make down` | container engine + egress (base images, nuget, `selectielijst.openzaak.nl`) |
|
||||
|
||||
> **Why one `verify-stack` job, not three.** The single self-hosted runner runs jobs
|
||||
> **sequentially**, so booting OpenZaak once (instead of once per check) is the
|
||||
> cheapest layout (issue #58). It subsumes the old `integration`, `notifications`, and
|
||||
> `compose-smoke` jobs — the bring-up step *is* the "compose up reaches green health"
|
||||
> gate. No `setup-dotnet`: the ACL test runs in a built image and every check reaches
|
||||
> services by **container IP** (the runner can't reach published ports — see
|
||||
> [gitea-actions-gotchas.md §5/§6](gitea-actions-gotchas.md)).
|
||||
|
||||
All `uses:` references are absolute, tag-pinned URLs (`https://github.com/actions/checkout@v4`,
|
||||
`https://github.com/actions/setup-dotnet@v4`) per CLAUDE.md §8.7 and §15 — Gitea
|
||||
Actions resolves them from GitHub.
|
||||
|
||||
> **`verify-stack` runs on a containerized runner.** Workspace bind mounts do
|
||||
> **not** reach the sibling containers Compose starts, so config/assets are
|
||||
> streamed into external named volumes via `docker cp` (`infra/seed-config.sh`),
|
||||
> and the upstream images are used verbatim (no build). If you add a service that
|
||||
> needs a repo file at runtime, seed it the same way — don't bind-mount it. Note:
|
||||
> bare `docker compose up` no longer self-seeds; use `make up`. See
|
||||
> [gitea-actions-gotchas.md](gitea-actions-gotchas.md).
|
||||
|
||||
## Mutation testing (the ratchet)
|
||||
|
||||
The `mutation` job enforces test *strength*, not just coverage (CLAUDE.md §5).
|
||||
[Stryker.NET](https://stryker-mutator.io/docs/stryker-net/) is pinned as a local
|
||||
dotnet tool (`.config/dotnet-tools.json`), so it runs identically locally and in CI:
|
||||
|
||||
```bash
|
||||
make mutation # dotnet tool restore + dotnet stryker on the ACL
|
||||
```
|
||||
|
||||
Config lives in [`services/acl/stryker-config.json`](../../services/acl/stryker-config.json).
|
||||
It runs in **solution mode** against `Acl.slnx`, mutating the two projects under test
|
||||
(`Acl.Application`, `Acl.Infrastructure`); `Acl.Api` has no tests and is skipped.
|
||||
|
||||
**Baseline (the ratchet):** the ACL is the first service with branching logic, so it
|
||||
sets the repo-wide baseline. Observed score **95%**; enforced `break` threshold **90%**
|
||||
(one-mutant headroom over the ~20-mutant surface). Stryker exits non-zero — failing the
|
||||
job — when the score drops below `break`. Per §5 the baseline only moves **up**, and only
|
||||
as a slice's stated outcome; never lower it. New services add their own mutation run as
|
||||
they gain logic.
|
||||
|
||||
The HTML report is written to `services/acl/StrykerOutput/<timestamp>/reports/` (git-ignored);
|
||||
open it to see survived vs. killed mutants.
|
||||
|
||||
In CI the `mutation` job publishes that report as the **`acl-mutation-report`** artifact
|
||||
(download it from the run's summary page). The upload step uses `if: always()`, so the
|
||||
report is available even when the ratchet *fails* — which is exactly when you want to inspect
|
||||
the survivors. It is the repo's first use of `actions/upload-artifact`, pinned to **`@v3`**:
|
||||
`@v4` refuses to run on Gitea (its `@actions/artifact` v2 library blocks any non-github.com
|
||||
server as "GHES"), while `@v3` speaks the artifact protocol Gitea implements. See
|
||||
[gitea-actions-gotchas.md §4](gitea-actions-gotchas.md) (§15).
|
||||
|
||||
## Running the stack locally without `make` (Windows / Docker Desktop)
|
||||
|
||||
`make` and the bash helpers assume a Unix shell. To bring the whole stack up on a
|
||||
machine without them (e.g. Windows + Docker Desktop), use the **local compose
|
||||
file**, which bind-mounts the config instead of seeding volumes — so it needs no
|
||||
`make`, no seed step, and no bash:
|
||||
|
||||
```bash
|
||||
docker compose -f infra/docker-compose.local.yml up -d --build # any engine
|
||||
docker compose -f infra/docker-compose.local.yml up -d --build --wait # Docker Desktop (Compose v2)
|
||||
docker compose -f infra/docker-compose.local.yml down --volumes
|
||||
```
|
||||
|
||||
On Linux/macOS the same thing is wrapped as `make local` / `make local-down`.
|
||||
|
||||
`infra/docker-compose.local.yml` mirrors the canonical `infra/docker-compose.yml`
|
||||
but swaps the external config volumes for bind mounts — valid locally because a
|
||||
local daemon can see the working directory (the seed/volume dance only exists for
|
||||
the containerized CI runner). Keep the two files in sync.
|
||||
|
||||
## Running CI locally (`make ci`)
|
||||
|
||||
`make ci` runs the exact same checks as the pipeline — handy to run before pushing:
|
||||
|
||||
```bash
|
||||
make ci # lint + build + unit + mutation + verify — mirrors the pipeline
|
||||
make lint # or a single stage
|
||||
make mutation # Stryker.NET ratchet on the ACL
|
||||
make verify # the live-stack stage: full stack up once → ACL + NRC checks → down
|
||||
```
|
||||
|
||||
> **`make verify`** mirrors the CI `verify-stack` job: it boots the full stack once and
|
||||
> runs both the ACL ↔ OpenZaak and OpenZaak → NRC checks against it. For fast,
|
||||
> single-concern local iteration use a lighter throwaway stack instead:
|
||||
>
|
||||
> ```bash
|
||||
> make integration # ACL ↔ OpenZaak only (no NRC)
|
||||
> make verify-notifications # OpenZaak → NRC delivery only
|
||||
> ```
|
||||
|
||||
**Prerequisites:** .NET 10 SDK, a container engine with Compose v2, and `curl`.
|
||||
|
||||
On a **rootless Podman** box (the default dev setup here), the `smoke` target needs
|
||||
the Podman API socket and a Compose provider:
|
||||
|
||||
```bash
|
||||
systemctl --user enable --now podman.socket # start the API socket
|
||||
ln -sf "$(command -v podman)" ~/.local/bin/docker # docker -> podman shim
|
||||
# install Docker Compose v2 into ~/.local/bin as `docker-compose` (the provider)
|
||||
```
|
||||
|
||||
The Makefile auto-points `DOCKER_HOST` at `/run/user/$(id -u)/podman/podman.sock`
|
||||
when that socket exists and `DOCKER_HOST` is unset, so `make smoke` "just works"
|
||||
locally while leaving real Docker hosts / CI runners untouched.
|
||||
|
||||
## Runner: `ubuntu-latest`
|
||||
|
||||
All jobs run on Gitea's hosted **`ubuntu-latest`** runner — no self-hosted runner
|
||||
setup is required. The hosted runner ships with Docker and Docker Compose v2, so
|
||||
`make smoke` (`docker compose … up --wait`) works without extra configuration.
|
||||
|
||||
If Gitea's hosted runners are unavailable and a self-hosted fallback is needed,
|
||||
register an `act_runner` with the `ubuntu-latest` label:
|
||||
|
||||
```bash
|
||||
VER=0.2.11
|
||||
curl -fsSL -o /usr/local/bin/act_runner \
|
||||
"https://dl.gitea.com/act_runner/${VER}/act_runner-${VER}-linux-amd64"
|
||||
chmod +x /usr/local/bin/act_runner
|
||||
|
||||
act_runner register --no-interactive \
|
||||
--instance https://git.labs.respellion.tech \
|
||||
--token <REGISTRATION_TOKEN> \
|
||||
--name respellion-ci-1 \
|
||||
--labels "ubuntu-latest:docker://node:20-bookworm"
|
||||
|
||||
act_runner daemon
|
||||
```
|
||||
@@ -1,40 +0,0 @@
|
||||
# Flowable runbook
|
||||
|
||||
Flowable (`infra/flowable/docker-compose.yml`) runs the **flowable-rest** engine on
|
||||
Postgres. The `workflows/registratie.bpmn` model is deployed via the REST API at boot by
|
||||
the `flowable-init` container. Host port **:8090**; REST API under
|
||||
`http://localhost:8090/flowable-rest/service/` (basic auth **rest-admin / test**, dev only).
|
||||
|
||||
## The model — `registratie`
|
||||
|
||||
A minimal "Registratie ontvangen" process: **start → external-worker task
|
||||
`OpenZaakAanmaken` → end**. The external task is where the Workflow Client / ACL will
|
||||
later create the zaak in OpenZaak (S-04/S-05); for now a started instance parks there.
|
||||
|
||||
## Quick test (`make`)
|
||||
|
||||
```bash
|
||||
make flowable-up # start engine + deploy registratie.bpmn on boot
|
||||
make flowable-smoke # start + verify a new instance waits on the external task
|
||||
make flowable-down # stop + wipe
|
||||
```
|
||||
|
||||
`make flowable-smoke` runs `infra/flowable/verify.py`, which:
|
||||
1. waits for the `registratie` process definition to be deployed,
|
||||
2. starts an instance and asserts it did **not** end immediately,
|
||||
3. asserts an execution is parked at activity **`OpenZaakAanmaken`**,
|
||||
4. deletes the test instance.
|
||||
|
||||
## Notes
|
||||
|
||||
- **Deploy on boot** is idempotent: `flowable-init` skips if a deployment named
|
||||
`registratie` already exists (so restarts on the same volume don't pile up versions).
|
||||
- **Dev creds:** `rest-admin` / `test`. Override via the flowable-rest app config for
|
||||
anything beyond local dev.
|
||||
- **Image** `flowable/flowable-rest:latest` — pin a tag when stabilising.
|
||||
- Start an instance by hand:
|
||||
```bash
|
||||
curl -s -u rest-admin:test -H 'Content-Type: application/json' \
|
||||
-d '{"processDefinitionKey":"registratie"}' \
|
||||
http://localhost:8090/flowable-rest/service/runtime/process-instances
|
||||
```
|
||||
@@ -1,198 +0,0 @@
|
||||
# Gitea Actions gotchas
|
||||
|
||||
How our CI (Gitea Actions on the hosted **`ubuntu-latest`** runner) differs from a
|
||||
local run, and the workarounds in this repo. Referenced by `CLAUDE.md` §8.7/§15.
|
||||
|
||||
**One root cause sits under most of this:** the runner executes the job **inside a
|
||||
container**, so when a step runs `docker compose up`, Compose starts the stack as
|
||||
**sibling containers** on the host's daemon. Anything that assumes the job and
|
||||
those containers share a filesystem — or a `localhost` — breaks.
|
||||
|
||||
| Gotcha | Fix | Lives in |
|
||||
|---|---|---|
|
||||
| Bind-mounted config arrives empty | `docker cp` config into external volumes | `infra/seed-config.sh` |
|
||||
| `docker compose up --wait` is unsupported / flaky | poll health with `docker inspect` | `infra/wait-healthy.sh` |
|
||||
| `pg_isready` passes before PostGIS is ready | add a `PostGIS_Version()` probe | the db healthchecks |
|
||||
| `upload-artifact@v4` fails ("not supported on GHES") | pin `@v3` | `.gitea/workflows/ci.yaml` (`mutation` job) |
|
||||
| `upload-artifact@v3` fails with "Artifact service responded with 500" | mark the upload `continue-on-error: true` (server-side; issue #62) | `.gitea/workflows/ci.yaml` (`mutation` job) |
|
||||
|
||||
---
|
||||
|
||||
## 1. Bind mounts don't reach the containers
|
||||
|
||||
**Symptom** — green locally, but `compose-smoke` fails with:
|
||||
|
||||
```
|
||||
oz-init-1 | CommandError: Yaml file `/app/setup_configuration/data.yaml` does not exist.
|
||||
```
|
||||
|
||||
Migrations run fine; only the step that reads a *mounted* file fails. The same
|
||||
trap hits `nrc-init`, `flowable-init`, and `keycloak`.
|
||||
|
||||
**Why** — a relative bind mount like `./openzaak/setup_configuration:/app/...` is
|
||||
resolved by Compose to a path *inside the job container*
|
||||
(`/workspace/.../setup_configuration`). The daemon then looks for that path on
|
||||
*its own host*, doesn't find it, and mounts an **empty directory**. (It works on a
|
||||
runner that executes jobs on the host — which is why moving to `ubuntu-latest`
|
||||
exposed it.)
|
||||
|
||||
**Fix** — use the upstream images verbatim (no build) and stream config into
|
||||
**external named volumes** with `docker cp`, which copies over the Docker API and
|
||||
so works wherever the daemon runs. `infra/seed-config.sh` creates each volume,
|
||||
mounts it in a throwaway helper, and copies the files in:
|
||||
|
||||
| Asset | Volume | Mounted at |
|
||||
|---|---|---|
|
||||
| OpenZaak `data.yaml` | `rr-oz-config` | `oz-init:/app/setup_configuration` |
|
||||
| Keycloak realms | `rr-kc-realms` | `keycloak:/opt/keycloak/data/import` |
|
||||
| `registratie.bpmn` | `rr-fl-bpmn` | `flowable-init:/work` |
|
||||
|
||||
The volumes are `external: true` with fixed names, so they resolve identically
|
||||
under docker compose and podman-compose. `make` seeds before every `up`; `make
|
||||
down` removes them. (Open Notificaties needs nothing — `nrc-init` migrates only.)
|
||||
|
||||
**Consequence — bare `docker compose up` can't self-seed external volumes:**
|
||||
|
||||
- **CI / Linux / macOS:** `make up` or `make smoke` (seed, then start).
|
||||
- **No-make / Windows:** `infra/docker-compose.local.yml` — a twin stack that
|
||||
**bind-mounts** the config instead. Bind mounts are fine *locally* because a
|
||||
local daemon can see your working directory, so
|
||||
`docker compose -f infra/docker-compose.local.yml up -d` just works.
|
||||
|
||||
**Why not the obvious alternatives**
|
||||
|
||||
- *Bake config into an image* (incl. an inline Dockerfile) — `docker compose up`
|
||||
would then work unaided, but it's a build; we wanted the upstream images as-is.
|
||||
- *Compose `configs:` with inline `content`* — Compose writes a client-side temp
|
||||
file and bind-mounts it, hitting the exact same problem.
|
||||
- *A host-executing runner* — bind mounts would work with zero seeding, but it
|
||||
reintroduces a self-hosted runner and undoes the move to `ubuntu-latest`.
|
||||
|
||||
---
|
||||
|
||||
## 2. Readiness: poll health, don't use `--wait`
|
||||
|
||||
`docker compose up --wait` looks ideal but fails us three ways:
|
||||
|
||||
- **podman-compose doesn't implement it** (`unrecognized arguments: --wait`) — so
|
||||
it would break local dev.
|
||||
- A project-wide `--wait` **treats a one-shot exiting `0` as a failure** unless
|
||||
something `depends_on` it with `service_completed_successfully`. `flowable-init`
|
||||
deploys the BPMN and exits with no dependant, so `--wait` fails the moment it
|
||||
does — last line `container infra-flowable-init-1 exited (0)`.
|
||||
- The containerized runner **can't reach published host ports**, so an external
|
||||
`curl localhost:8080/health` can't work either.
|
||||
|
||||
**Fix** — `infra/wait-healthy.sh` polls each durable service (`openzaak nrc-web
|
||||
acl bff`, listed as `WAIT_SVCS` in the `Makefile`) with `docker ps` + `docker
|
||||
inspect '{{.State.Health.Status}}'` until it reports `healthy`. It uses only
|
||||
primitives both runtimes support, reads the **in-container** healthcheck (no host
|
||||
port needed), and ignores the one-shots (they only need to have run).
|
||||
`WAIT_TIMEOUT` defaults to 420 s — enough for the cold OpenZaak migrate (~90 s)
|
||||
plus app start.
|
||||
|
||||
---
|
||||
|
||||
## 3. `pg_isready` passes before PostGIS is ready
|
||||
|
||||
`pg_isready` succeeds as soon as the TCP port is open — *before* the
|
||||
`postgis/postgis` image has finished running `CREATE EXTENSION postgis`. An init
|
||||
container that starts migrating in that window can fail on a missing PostGIS. So
|
||||
the db healthchecks add a `SELECT PostGIS_Version()` probe, making dependents wait
|
||||
for the extension, not just the port.
|
||||
|
||||
---
|
||||
|
||||
## 4. `actions/upload-artifact@v4` refuses to run on Gitea
|
||||
|
||||
**Symptom** — the `mutation` job's `make mutation` step passes (95% score), but the
|
||||
upload step right after it fails the job:
|
||||
|
||||
```
|
||||
::error::@actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+
|
||||
are not currently supported on GHES.
|
||||
❌ Failure - Main https://github.com/actions/upload-artifact@v4
|
||||
```
|
||||
|
||||
**Why** — `upload-artifact@v4` bundles `@actions/artifact` v2, which inspects the
|
||||
server URL and **hard-aborts on anything that isn't `github.com`**, treating Gitea
|
||||
as an unsupported GitHub Enterprise Server. The check fires regardless of whether
|
||||
the Gitea server can actually store artifacts (1.24+ can). It is the *action*, not
|
||||
the server, that refuses.
|
||||
|
||||
**Fix** — pin **`actions/upload-artifact@v3`** (and `download-artifact@v3` if ever
|
||||
needed). v3 uses the older artifact protocol that Gitea implements, and has no GHES
|
||||
guard. Inputs are the same (`name`, `path`, `if-no-files-found`), so it is a drop-in
|
||||
swap. Do **not** bump to `@v4` until act_runner advertises github.com-compatible
|
||||
artifact support.
|
||||
|
||||
**Second failure mode — the server's artifact backend returns 500.** Even on the
|
||||
correctly-pinned `@v3`, uploads can fail with:
|
||||
|
||||
```
|
||||
Create Artifact Container - Attempt 5 of 5 failed with error: Artifact service responded with 500
|
||||
::error::Create Artifact Container failed: Artifact service responded with 500
|
||||
```
|
||||
|
||||
This is the **Gitea server's** artifact storage failing (not the action's GHES guard),
|
||||
so it is outside the repo's control. Because the `mutation` job's upload steps run with
|
||||
`if: always()`, that 500 would fail the job even though the ratchet passed. **Fix:** mark
|
||||
the uploads `continue-on-error: true` (issue #62). The mutation *gate* is the Stryker
|
||||
ratchet — `make mutation`'s exit code fails the job on a real regression — so the report
|
||||
upload is best-effort: when the server's artifact storage is restored, reports publish
|
||||
again with no workflow change.
|
||||
|
||||
---
|
||||
|
||||
## 5. A runner process can't reach a service container's published port
|
||||
|
||||
**Symptom** — green locally, but a CI step that runs *on the runner* and talks to a
|
||||
compose service over `localhost` fails. The ACL integration test's seed died with:
|
||||
|
||||
```
|
||||
OpenZaak ready (000)
|
||||
urllib.error.URLError: <urlopen error [Errno 111] Connection refused>
|
||||
make: *** [Makefile:114: integration] Error 1
|
||||
```
|
||||
|
||||
OpenZaak was demonstrably up — uwsgi had been serving for ~2 minutes — yet
|
||||
`curl`/`urllib` to `localhost:8000` from the runner were refused the whole time.
|
||||
|
||||
**Why** — the same sibling-container split as §1. Compose starts the stack via the
|
||||
host daemon, so `ports: ["8000:8000"]` publishes to the *daemon host*, not to the job
|
||||
container. From the runner, `localhost:8000` has nothing listening. (`make smoke`
|
||||
sidesteps this by polling readiness via `docker inspect` (§2), never a service port.)
|
||||
|
||||
**Fix** — don't talk to service ports from the runner. Either check state via `docker
|
||||
inspect` (health), or run the client **inside the compose network** so it reaches the
|
||||
service by name (`http://openzaak:8000`). For a test/seed that needs the repo's own
|
||||
code, deliver it via a **built image** (not a bind mount — §1), then
|
||||
`docker run --network <stack>_cg …`.
|
||||
|
||||
**Applied** — `make integration` (ADR-0006) and `make verify-notifications` (ADR-0007)
|
||||
do exactly this: they run the seed/test/driver as containers on the stack network and
|
||||
reach services by **container IP** (see §6).
|
||||
|
||||
---
|
||||
|
||||
## 6. OpenZaak / NRC reject single-label hosts in URLs
|
||||
|
||||
**Symptom** — talking to OpenZaak or NRC by compose **service name** fails where a URL
|
||||
is validated: catalogus/zaaktype filters, the zaak `zaaktype` URL, and abonnement
|
||||
`callbackUrl` come back `400 "Voer een geldige URL in."` — even though the host
|
||||
resolves and is reachable.
|
||||
|
||||
**Why** — these apps validate URLs with Django's `URLValidator`, which rejects a
|
||||
**single-label** host like `openzaak` or `nrc-web` (no dot, and not `localhost`).
|
||||
`localhost` passes (so it's invisible in host-port-based local runs); in-network the
|
||||
reality is a service name or an IPv4 literal — and only the IP passes.
|
||||
|
||||
**Fix** — in-network tooling reaches OpenZaak/NRC by **container IP**
|
||||
(`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'`), not
|
||||
service name; the notif verify harness also registers the sink callback by IP.
|
||||
(`infra/run-acl-integration.sh`, `infra/run-notification-check.sh`.)
|
||||
|
||||
**Related — abonnement callbacks must enforce auth.** NRC probes a callback when an
|
||||
abonnement is registered and refuses it (`no-auth-on-callback-url`) unless it returns
|
||||
**401** without the configured `Authorization`. The verify sink
|
||||
(`infra/notification-sink.py`) enforces a bearer token for exactly this reason.
|
||||
@@ -1,37 +0,0 @@
|
||||
# Keycloak runbook
|
||||
|
||||
Keycloak (`infra/keycloak/docker-compose.yml`) runs in dev mode with four realms
|
||||
imported at boot from `infra/keycloak/realms/`: **digid**, **eherkenning**, **eidas**,
|
||||
**medewerker**. It mocks the Dutch identity brokers so portals can do real OIDC logins
|
||||
locally. Host port **:8180**.
|
||||
|
||||
## Quick test (`make`)
|
||||
|
||||
```bash
|
||||
make keycloak-up # start Keycloak + import realms (~30-60s first boot)
|
||||
make keycloak-smoke # start + verify every realm logs in and returns its claim
|
||||
make keycloak-down # stop + wipe
|
||||
```
|
||||
|
||||
`make keycloak-smoke` runs `infra/keycloak/check_realms.py`, which does a password-grant
|
||||
login per realm and asserts the identifying claim:
|
||||
|
||||
| Realm | User | Claim asserted |
|
||||
|---|---|---|
|
||||
| digid | jan-burger | `bsn` |
|
||||
| eherkenning | acme-ondernemer | `kvk` |
|
||||
| eidas | pierre-dupont | `eidas_id` |
|
||||
| medewerker | merel-behandelaar | role `behandelaar` |
|
||||
|
||||
All test users / credentials are in [../synthetic-data.md](../synthetic-data.md).
|
||||
|
||||
## Notes
|
||||
|
||||
- **Admin console:** <http://localhost:8180/> — `admin` / `admin` (dev only).
|
||||
- **Client `big-portal`** is public with `standardFlowEnabled` (browser redirect login)
|
||||
*and* `directAccessGrantsEnabled` (password grant, used by the smoke test).
|
||||
- **Dev store:** in-memory H2 via `start-dev`; realms re-import on each boot, so changes
|
||||
made in the admin UI don't persist. Edit the realm JSONs to make durable changes.
|
||||
- **Image** pinned to `quay.io/keycloak/keycloak:26.1`.
|
||||
- Claims are injected by OIDC protocol mappers on `big-portal` (user attribute → token
|
||||
claim); `medewerker` roles come through `realm_access.roles`.
|
||||
@@ -1,44 +0,0 @@
|
||||
# Open Notificaties (NRC) runbook
|
||||
|
||||
The Open Notificaties stack (`infra/opennotificaties/docker-compose.yml`) is a lean
|
||||
adaptation of the upstream dev compose: PostGIS db, redis (also the Celery broker), a
|
||||
one-shot migrate-init, the API, and a celery worker. It shares the **`cg`** Docker
|
||||
network with the OpenZaak stack so the two can reach each other by service name.
|
||||
|
||||
NRC is published on host **:8001** (OpenZaak holds :8000).
|
||||
|
||||
## Quick test (`make`) — both platforms together
|
||||
|
||||
```bash
|
||||
make stack-up # OpenZaak + Open Notificaties on the shared network
|
||||
make stack-smoke # start both + assert reachable (OZ 403/302/200, NRC 302)
|
||||
make stack-down # stop + wipe both
|
||||
```
|
||||
|
||||
`make stack-smoke` runs `docker compose -f infra/openzaak/... -f infra/opennotificaties/... up -d`
|
||||
and asserts:
|
||||
|
||||
| Check | Expected |
|
||||
|---|---|
|
||||
| OpenZaak `GET /zaken/api/v1/zaken` (no JWT) | 403 (auth enforced) |
|
||||
| OpenZaak `GET /admin/` | 302 |
|
||||
| Open Notificaties `GET /admin/` | 302 |
|
||||
|
||||
NRC admin UI: <http://localhost:8001/admin/> (dev superuser **admin / admin**).
|
||||
|
||||
## Notification wiring is deferred to S-06
|
||||
|
||||
Both platforms are **up and reachable**, but OpenZaak→NRC notification *delivery* is not
|
||||
wired yet, and OpenZaak still runs with `NOTIFICATIONS_DISABLED=true`. The bidirectional
|
||||
auth wiring (NRC `setup_configuration`: Services + Authorization to OpenZaak's
|
||||
Autorisaties API + JWT secrets + Kanalen + Abonnementen; OpenZaak's NotificationConfig)
|
||||
lands with **S-06 (Event Subscriber)** — the slice that actually consumes events. NRC's
|
||||
`setup_configuration/data.yaml` is intentionally minimal (migrations only) until then.
|
||||
|
||||
This matches S-01's acceptance, which asks only that the platforms *come up in compose*
|
||||
and a health check confirms them reachable.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
Same rootless-Podman setup as the rest of the repo — see [ci.md](ci.md) and
|
||||
[openzaak.md](openzaak.md). `systemctl --user start podman.socket` once per session.
|
||||
@@ -1,82 +0,0 @@
|
||||
# OpenZaak runbook
|
||||
|
||||
The OpenZaak stack (`infra/openzaak/docker-compose.yml`) is a lean adaptation of the
|
||||
upstream open-zaak dev compose: PostGIS db, redis, a one-shot init that runs
|
||||
migrations, the OpenZaak API, and a celery worker.
|
||||
|
||||
## Quick test (`make`)
|
||||
|
||||
```bash
|
||||
make openzaak-up # start the stack (first run pulls images + migrates: 1-3 min)
|
||||
make openzaak-smoke # start + assert it's up with auth enforced (403/302/200)
|
||||
make openzaak-seed # start + seed the BIG catalogus (idempotent)
|
||||
make openzaak-down # stop and wipe data
|
||||
```
|
||||
|
||||
## Seed the BIG catalogus
|
||||
|
||||
`make openzaak-seed` brings the stack up and runs `infra/openzaak/seed_catalogus.py`,
|
||||
which creates (idempotently, via the ZTC API):
|
||||
|
||||
- catalogus **BIG**
|
||||
- a lean **BIG-REGISTRATIE** zaaktype (concept; only schema-mandatory fields)
|
||||
- a **bsn** eigenschap on it
|
||||
|
||||
then confirms the JWT client can list it. See **ADR-0002** for the design (why the
|
||||
zaaktype stays a concept, why notifications are disabled, why the API not a fixture).
|
||||
|
||||
**JWT client** (provisioned declaratively by `setup_configuration/data.yaml`, **dev only**):
|
||||
|
||||
| | |
|
||||
|---|---|
|
||||
| client_id | `big-reference-seed` |
|
||||
| secret | `insecure-dev-secret-change-me` |
|
||||
| authorizations | `heeft_alle_autorisaties` (all) |
|
||||
|
||||
The seed mints a ZGW JWT (HS256) from these and calls `/catalogi/api/v1/...`.
|
||||
|
||||
`make openzaak-smoke` polls until the API responds, then asserts:
|
||||
|
||||
| Check | Expected |
|
||||
|---|---|
|
||||
| `GET /zaken/api/v1/zaken` (no JWT) | **403** — `PermissionDenied` ZGW fout (auth enforced) |
|
||||
| `GET /admin/` | **302** — admin login redirect |
|
||||
| `GET /zaken/api/v1/` | **200** — ZGW API schema root |
|
||||
|
||||
> **403, not 401.** OpenZaak's ZGW APIs return `403 PermissionDenied` for a missing
|
||||
> or invalid JWT. The S-01 acceptance text says "401" — that's inaccurate; 403 is the
|
||||
> correct auth-enforced response.
|
||||
|
||||
The admin UI is at <http://localhost:8000/admin/>; the dev superuser is **admin /
|
||||
admin** (from the compose env — dev only).
|
||||
|
||||
## Prerequisites (rootless Podman)
|
||||
|
||||
Same setup as the rest of the repo (see [ci.md](ci.md)):
|
||||
|
||||
```bash
|
||||
systemctl --user start podman.socket # the Docker-API socket the shim talks to
|
||||
```
|
||||
|
||||
The Makefile auto-points `DOCKER_HOST` at the Podman socket when it exists, so the
|
||||
`make openzaak-*` targets work without extra env.
|
||||
|
||||
## Notes
|
||||
|
||||
- **Not in `make ci`.** The OpenZaak smoke is a separate, heavier check (large image
|
||||
pull + migrations); it is intentionally kept out of `make ci` so the core gate
|
||||
stays fast. Run `make openzaak-smoke` when you touch the OpenZaak stack.
|
||||
- **Notifications disabled.** `NOTIFICATIONS_DISABLED=true` — otherwise ZTC writes 500
|
||||
trying to notify. Open Notificaties is now up (see [opennotificaties.md](opennotificaties.md)),
|
||||
but OZ→NRC delivery wiring + re-enabling lands with **S-06**.
|
||||
- **Zaaktype is a concept**, not published (publishing needs roltypen/statustypen/
|
||||
resultaattypen — beyond the lean seed). List with `?status=alles`.
|
||||
- **Image tag.** Pinned to `openzaak/open-zaak:1.28.2` via `${OPENZAAK_TAG}` (bump
|
||||
deliberately, not via `:latest`).
|
||||
- **Config arrives via a volume, not a bind mount.** `setup_configuration/data.yaml`
|
||||
is streamed into the external `rr-oz-config` volume by `infra/seed-config.sh`
|
||||
(`docker cp`) and mounted at `/app/setup_configuration`, so the init container
|
||||
finds it on Gitea's containerized CI runner too (bind mounts don't reach sibling
|
||||
containers there). The image is the upstream `openzaak/open-zaak` verbatim — no
|
||||
build. Run via `make openzaak-up` (seeds first). See
|
||||
[gitea-actions-gotchas.md](gitea-actions-gotchas.md).
|
||||
@@ -1,35 +0,0 @@
|
||||
# Synthetic data
|
||||
|
||||
All credentials here are **dev-only** synthetic test data — never real personal data,
|
||||
never used outside local development.
|
||||
|
||||
## Keycloak realms (S-02)
|
||||
|
||||
Keycloak runs at <http://localhost:8180> (admin console: **admin / admin**). Four realms
|
||||
are imported at boot from `infra/keycloak/realms/`. Each has a public OIDC client
|
||||
**`big-portal`** (standard flow + direct access grants enabled, redirect URIs `*` for dev).
|
||||
|
||||
All test users share the password **`test123`**.
|
||||
|
||||
| Realm | Mimics | User | Identifying claim |
|
||||
|---|---|---|---|
|
||||
| `digid` | DigiD (burgers) | `jan-burger` | `bsn` = `123456782` |
|
||||
| `eherkenning` | eHerkenning (bedrijven) | `acme-ondernemer` | `kvk` = `12345678` |
|
||||
| `eidas` | eIDAS (EU) | `pierre-dupont` | `eidas_id` = `FR/NL/AB-1234-5678` |
|
||||
| `medewerker` | Internal staff | `merel-behandelaar` | role `behandelaar` |
|
||||
| `medewerker` | Internal staff | `tom-teamlead` | roles `behandelaar`, `teamlead` |
|
||||
|
||||
The identifying claims are injected via OIDC protocol mappers on `big-portal`
|
||||
(user-attribute → token claim); `medewerker` roles appear in `realm_access.roles`.
|
||||
|
||||
## Get a token (for testing)
|
||||
|
||||
```bash
|
||||
curl -s -X POST \
|
||||
http://localhost:8180/realms/digid/protocol/openid-connect/token \
|
||||
-d grant_type=password -d client_id=big-portal \
|
||||
-d username=jan-burger -d password=test123 -d scope=openid | jq -r .access_token
|
||||
```
|
||||
|
||||
Decode the JWT payload to see the `bsn` claim. `make keycloak-smoke` checks every realm
|
||||
automatically.
|
||||
@@ -1,48 +0,0 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/base'],
|
||||
...nx.configs['flat/typescript'],
|
||||
...nx.configs['flat/javascript'],
|
||||
{
|
||||
ignores: [
|
||||
'**/dist',
|
||||
'**/vite.config.*.timestamp*',
|
||||
'**/vitest.config.*.timestamp*',
|
||||
],
|
||||
},
|
||||
{
|
||||
files: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
|
||||
rules: {
|
||||
'@nx/enforce-module-boundaries': [
|
||||
'error',
|
||||
{
|
||||
enforceBuildableLibDependency: true,
|
||||
allow: ['^.*/eslint(\\.base)?\\.config\\.[cm]?[jt]s$'],
|
||||
// Permissive default — apps/libs are untagged for now. Introduce scope/type tags
|
||||
// when the portal set grows (docs/frontend-decisions.md).
|
||||
depConstraints: [
|
||||
{
|
||||
sourceTag: '*',
|
||||
onlyDependOnLibsWithTags: ['*'],
|
||||
},
|
||||
],
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: [
|
||||
'**/*.ts',
|
||||
'**/*.tsx',
|
||||
'**/*.cts',
|
||||
'**/*.mts',
|
||||
'**/*.js',
|
||||
'**/*.jsx',
|
||||
'**/*.cjs',
|
||||
'**/*.mjs',
|
||||
],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
@@ -1,372 +0,0 @@
|
||||
# LOCAL development stack — runs with a plain `docker compose up`, no make / no
|
||||
# seed step / no bash. Use this on a local engine (Docker Desktop on Windows or
|
||||
# macOS, or rootless Podman on Linux).
|
||||
#
|
||||
# docker compose -f infra/docker-compose.local.yml up -d --build # podman
|
||||
# docker compose -f infra/docker-compose.local.yml up -d --build --wait # Docker Desktop
|
||||
# docker compose -f infra/docker-compose.local.yml down --volumes
|
||||
#
|
||||
# It is identical to infra/docker-compose.yml EXCEPT that the three config inputs
|
||||
# (OpenZaak data.yaml, Keycloak realms, Flowable BPMN) are **bind-mounted** from
|
||||
# the repo instead of being streamed into external volumes by infra/seed-config.sh.
|
||||
# Bind mounts work here because a local daemon can see your working directory —
|
||||
# the seed dance only exists for the containerized CI runner, where it can't. See
|
||||
# docs/runbooks/gitea-actions-gotchas.md.
|
||||
#
|
||||
# `infra/docker-compose.yml` remains the CI-canonical stack; keep the two in sync.
|
||||
#
|
||||
# Port map (host):
|
||||
# 8000 OpenZaak · 8001 Open Notificaties · 8080 BFF · 8090 Flowable REST
|
||||
# 8100 ACL · 8180 Keycloak (all admin: admin / admin — dev only)
|
||||
|
||||
services:
|
||||
|
||||
# ── OpenZaak (S-01) ──────────────────────────────────────────────────────
|
||||
oz-db:
|
||||
image: docker.io/postgis/postgis:17-3.5
|
||||
environment:
|
||||
POSTGRES_USER: openzaak
|
||||
POSTGRES_PASSWORD: openzaak
|
||||
POSTGRES_DB: openzaak
|
||||
command: postgres -c max_connections=300
|
||||
volumes:
|
||||
- oz-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U openzaak -d openzaak && psql -U openzaak -d openzaak -c 'SELECT PostGIS_Version();' -q 2>/dev/null"]
|
||||
interval: 5s
|
||||
timeout: 5s
|
||||
retries: 30
|
||||
start_period: 15s
|
||||
networks: [cg]
|
||||
|
||||
oz-redis:
|
||||
image: docker.io/library/redis:7
|
||||
networks: [cg]
|
||||
|
||||
oz-init:
|
||||
image: docker.io/openzaak/open-zaak:${OPENZAAK_TAG:-1.28.2}
|
||||
environment: &oz-env
|
||||
DJANGO_SETTINGS_MODULE: openzaak.conf.docker
|
||||
SECRET_KEY: ${OZ_SECRET_KEY:-dev-only-not-for-production}
|
||||
DB_HOST: oz-db
|
||||
DB_NAME: openzaak
|
||||
DB_USER: openzaak
|
||||
DB_PASSWORD: openzaak
|
||||
IS_HTTPS: "no"
|
||||
ALLOWED_HOSTS: "*"
|
||||
CACHE_DEFAULT: oz-redis:6379/0
|
||||
CACHE_AXES: oz-redis:6379/0
|
||||
CELERY_BROKER_URL: redis://oz-redis:6379/1
|
||||
CELERY_RESULT_BACKEND: redis://oz-redis:6379/1
|
||||
DISABLE_2FA: "true"
|
||||
# Publish notifications to NRC (always present in this twin). See ADR-0007.
|
||||
NOTIFICATIONS_DISABLED: "false"
|
||||
OPENZAAK_SUPERUSER_USERNAME: admin
|
||||
DJANGO_SUPERUSER_PASSWORD: admin
|
||||
OPENZAAK_SUPERUSER_EMAIL: admin@localhost
|
||||
RUN_SETUP_CONFIG: "true"
|
||||
command: /setup_configuration.sh
|
||||
# Bind mount (`:z` relabels for SELinux on Linux; a no-op on Docker Desktop).
|
||||
volumes:
|
||||
- ./openzaak/setup_configuration:/app/setup_configuration:ro,z
|
||||
depends_on:
|
||||
oz-db:
|
||||
condition: service_healthy
|
||||
oz-redis:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
openzaak:
|
||||
image: docker.io/openzaak/open-zaak:${OPENZAAK_TAG:-1.28.2}
|
||||
environment: *oz-env
|
||||
healthcheck:
|
||||
test: ["CMD", "python", "-c", "import requests,sys; sys.exit(0 if requests.head('http://localhost:8000/admin/').status_code in (200,302) else 1)"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 10
|
||||
start_period: 30s
|
||||
ports:
|
||||
- "8000:8000"
|
||||
depends_on:
|
||||
oz-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
oz-celery:
|
||||
image: docker.io/openzaak/open-zaak:${OPENZAAK_TAG:-1.28.2}
|
||||
environment: *oz-env
|
||||
command: /celery_worker.sh
|
||||
depends_on:
|
||||
oz-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# ── Open Notificaties / NRC (S-01-c) ─────────────────────────────────────
|
||||
nrc-db:
|
||||
image: docker.io/postgis/postgis:17-3.5
|
||||
environment:
|
||||
POSTGRES_USER: opennotificaties
|
||||
POSTGRES_PASSWORD: opennotificaties
|
||||
POSTGRES_DB: opennotificaties
|
||||
command: postgres -c max_connections=300
|
||||
volumes:
|
||||
- nrc-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U opennotificaties -d opennotificaties"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 10
|
||||
networks: [cg]
|
||||
|
||||
nrc-redis:
|
||||
image: docker.io/library/redis:7
|
||||
networks: [cg]
|
||||
|
||||
nrc-init:
|
||||
# Migrations + setup_configuration (S-01-c): the JWT credential, Autorisaties-API
|
||||
# delegation, and the `zaken` kanaal that let OpenZaak publish. Config is
|
||||
# bind-mounted here (this twin is the local/no-make path). See ADR-0007.
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: &nrc-env
|
||||
DJANGO_SETTINGS_MODULE: nrc.conf.docker
|
||||
SECRET_KEY: ${NRC_SECRET_KEY:-dev-only-not-for-production}
|
||||
DB_HOST: nrc-db
|
||||
DB_NAME: opennotificaties
|
||||
DB_USER: opennotificaties
|
||||
DB_PASSWORD: opennotificaties
|
||||
IS_HTTPS: "no"
|
||||
ALLOWED_HOSTS: "*"
|
||||
CACHE_DEFAULT: nrc-redis:6379/0
|
||||
CACHE_AXES: nrc-redis:6379/0
|
||||
CELERY_BROKER_URL: redis://nrc-redis:6379/1
|
||||
CELERY_RESULT_BACKEND: redis://nrc-redis:6379/1
|
||||
DISABLE_2FA: "true"
|
||||
OPENNOTIFICATIES_SUPERUSER_USERNAME: admin
|
||||
DJANGO_SUPERUSER_PASSWORD: admin
|
||||
OPENNOTIFICATIES_SUPERUSER_EMAIL: admin@localhost
|
||||
RUN_SETUP_CONFIG: "true"
|
||||
NOTIFICATION_SEC_INTERVAL: "5"
|
||||
command: /setup_configuration.sh
|
||||
volumes:
|
||||
- ./opennotificaties/setup_configuration:/app/setup_configuration:ro,z
|
||||
depends_on:
|
||||
nrc-db:
|
||||
condition: service_healthy
|
||||
nrc-redis:
|
||||
condition: service_started
|
||||
openzaak:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
nrc-web:
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: *nrc-env
|
||||
healthcheck:
|
||||
test: ["CMD", "python", "-c", "import requests,sys; sys.exit(0 if requests.head('http://localhost:8000/admin/').status_code in (200,302) else 1)"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 10
|
||||
start_period: 30s
|
||||
ports:
|
||||
- "8001:8000"
|
||||
depends_on:
|
||||
nrc-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
nrc-celery:
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: *nrc-env
|
||||
command: /celery_worker.sh
|
||||
depends_on:
|
||||
nrc-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# Celery beat drains scheduled notifications to subscribers — required for
|
||||
# delivery, not optional. See ADR-0007.
|
||||
nrc-beat:
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: *nrc-env
|
||||
command: /celery_beat.sh
|
||||
depends_on:
|
||||
nrc-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# ── Keycloak (S-02) ──────────────────────────────────────────────────────
|
||||
keycloak:
|
||||
image: quay.io/keycloak/keycloak:26.1
|
||||
command: ["start-dev", "--import-realm"]
|
||||
environment:
|
||||
KC_BOOTSTRAP_ADMIN_USERNAME: admin
|
||||
KC_BOOTSTRAP_ADMIN_PASSWORD: admin
|
||||
KEYCLOAK_ADMIN: admin
|
||||
KEYCLOAK_ADMIN_PASSWORD: admin
|
||||
KC_HEALTH_ENABLED: "true"
|
||||
KC_HTTP_ENABLED: "true"
|
||||
ports:
|
||||
- "8180:8080"
|
||||
volumes:
|
||||
- ./keycloak/realms:/opt/keycloak/data/import:ro,z
|
||||
networks: [cg]
|
||||
|
||||
# ── Flowable (S-03) ──────────────────────────────────────────────────────
|
||||
flowable-db:
|
||||
image: docker.io/library/postgres:16
|
||||
environment:
|
||||
POSTGRES_USER: flowable
|
||||
POSTGRES_PASSWORD: flowable
|
||||
POSTGRES_DB: flowable
|
||||
volumes:
|
||||
- flowable-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U flowable -d flowable"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 10
|
||||
networks: [cg]
|
||||
|
||||
flowable-rest:
|
||||
image: docker.io/flowable/flowable-rest:latest
|
||||
environment:
|
||||
SPRING_DATASOURCE_DRIVER-CLASS-NAME: org.postgresql.Driver
|
||||
SPRING_DATASOURCE_URL: jdbc:postgresql://flowable-db:5432/flowable
|
||||
SPRING_DATASOURCE_USERNAME: flowable
|
||||
SPRING_DATASOURCE_PASSWORD: flowable
|
||||
ports:
|
||||
- "8090:8080"
|
||||
depends_on:
|
||||
flowable-db:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
flowable-init:
|
||||
image: docker.io/curlimages/curl:latest
|
||||
restart: "no"
|
||||
volumes:
|
||||
- ../workflows/registratie.bpmn:/work/registratie.bpmn:ro,z
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
base=http://flowable-rest:8080/flowable-rest/service/repository/deployments
|
||||
until curl -sf -u rest-admin:test "$$base" >/dev/null 2>&1; do echo "waiting for flowable-rest..."; sleep 3; done
|
||||
if curl -s -u rest-admin:test "$$base?name=registratie" | grep -q '"name":"registratie"'; then
|
||||
echo "registratie already deployed; skip"
|
||||
else
|
||||
curl -sf -u rest-admin:test -F 'file=@/work/registratie.bpmn;filename=registratie.bpmn' "$$base" >/dev/null && echo "deployed registratie"
|
||||
fi
|
||||
depends_on:
|
||||
flowable-rest:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
# ── ACL ──────────────────────────────────────────────────────────────────
|
||||
acl:
|
||||
build:
|
||||
context: ../services/acl
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/acl:dev
|
||||
environment:
|
||||
Acl__OpenZaak__BaseUrl: http://openzaak:8000/
|
||||
Acl__OpenZaak__ClientId: big-reference-seed
|
||||
Acl__OpenZaak__Secret: insecure-dev-secret-change-me
|
||||
Acl__Defaults__Bronorganisatie: "517439943"
|
||||
Acl__Defaults__VerantwoordelijkeOrganisatie: "517439943"
|
||||
Acl__Defaults__Vertrouwelijkheidaanduiding: openbaar
|
||||
Acl__Defaults__ZaaktypeUrl: ${ACL_ZAAKTYPE_URL:-http://openzaak:8000/catalogi/api/v1/zaaktypen/00000000-0000-0000-0000-000000000000}
|
||||
ports:
|
||||
- "8100:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
openzaak:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
# ── BFF ──────────────────────────────────────────────────────────────────
|
||||
bff:
|
||||
build:
|
||||
context: ../services/bff
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/bff:dev
|
||||
ports:
|
||||
- "8080:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
networks: [cg]
|
||||
|
||||
# ── Read projection (S-06) ────────────────────────────────────────────────
|
||||
projection-db:
|
||||
image: docker.io/library/postgres:16
|
||||
environment:
|
||||
POSTGRES_USER: projection
|
||||
POSTGRES_PASSWORD: projection
|
||||
POSTGRES_DB: projection
|
||||
volumes:
|
||||
- projection-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U projection -d projection"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 10
|
||||
networks: [cg]
|
||||
|
||||
event-subscriber:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: services/event-subscriber/Dockerfile
|
||||
image: register-referentie/event-subscriber:dev
|
||||
environment:
|
||||
ConnectionStrings__Projection: Host=projection-db;Database=projection;Username=projection;Password=projection
|
||||
EventSubscriber__Webhook__AuthToken: ${NOTIFICATION_WEBHOOK_TOKEN:-Bearer big-reference-notifications}
|
||||
ports:
|
||||
- "8110:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 15s
|
||||
depends_on:
|
||||
projection-db:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
projection-api:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: services/projection-api/Dockerfile
|
||||
image: register-referentie/projection-api:dev
|
||||
environment:
|
||||
ConnectionStrings__Projection: Host=projection-db;Database=projection;Username=projection;Password=projection
|
||||
ports:
|
||||
- "8120:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 15s
|
||||
depends_on:
|
||||
projection-db:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
volumes:
|
||||
oz-db:
|
||||
nrc-db:
|
||||
flowable-db:
|
||||
projection-db:
|
||||
|
||||
networks:
|
||||
cg:
|
||||
@@ -1,356 +1,14 @@
|
||||
# Development stack — boots all infra services plus the ACL and BFF.
|
||||
#
|
||||
# Consolidates infra/openzaak/, infra/opennotificaties/, infra/keycloak/,
|
||||
# and infra/flowable/ and adds the ACL and BFF services.
|
||||
#
|
||||
# Port map (host):
|
||||
# 8000 OpenZaak ZGW API (admin: admin / admin)
|
||||
# 8001 Open Notificaties (admin: admin / admin)
|
||||
# 8080 BFF GET /health → Healthy
|
||||
# 8090 Flowable REST http://localhost:8090/flowable-rest/service/
|
||||
# 8100 ACL GET /health → Healthy POST /zaken
|
||||
# 8110 Event Subscriber GET /health → Healthy POST /notifications
|
||||
# 8120 projection-api GET /health → Healthy GET /register
|
||||
# 8180 Keycloak (admin: admin / admin)
|
||||
# Local development stack. Grows service-by-service with each slice.
|
||||
# S-00-b: the placeholder BFF with a /health check.
|
||||
#
|
||||
# docker compose -f infra/docker-compose.yml up -d --build --wait
|
||||
#
|
||||
# After first boot, seed the BIG catalogus and note the zaaktype URL:
|
||||
# python infra/openzaak/seed_catalogus.py
|
||||
# Then set ACL_ZAAKTYPE_URL in a .env file or your shell and re-up the acl
|
||||
# service:
|
||||
# export ACL_ZAAKTYPE_URL=http://openzaak:8000/catalogi/api/v1/zaaktypen/<uuid>
|
||||
# docker compose -f infra/docker-compose.yml up -d acl
|
||||
|
||||
# curl http://localhost:8080/health # -> Healthy
|
||||
services:
|
||||
|
||||
# ── OpenZaak (S-01) ──────────────────────────────────────────────────────
|
||||
oz-db:
|
||||
image: docker.io/postgis/postgis:17-3.5
|
||||
environment:
|
||||
POSTGRES_USER: openzaak
|
||||
POSTGRES_PASSWORD: openzaak
|
||||
POSTGRES_DB: openzaak
|
||||
command: postgres -c max_connections=300
|
||||
volumes:
|
||||
- oz-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
# pg_isready only checks TCP; the second clause verifies PostGIS is installed
|
||||
# so oz-init migrations can safely start (avoids race on cold container start).
|
||||
test: ["CMD-SHELL", "pg_isready -U openzaak -d openzaak && psql -U openzaak -d openzaak -c 'SELECT PostGIS_Version();' -q 2>/dev/null"]
|
||||
interval: 5s
|
||||
timeout: 5s
|
||||
retries: 30
|
||||
start_period: 15s
|
||||
networks: [cg]
|
||||
|
||||
oz-redis:
|
||||
image: docker.io/library/redis:7
|
||||
networks: [cg]
|
||||
|
||||
oz-init:
|
||||
image: docker.io/openzaak/open-zaak:${OPENZAAK_TAG:-1.28.2}
|
||||
environment: &oz-env
|
||||
DJANGO_SETTINGS_MODULE: openzaak.conf.docker
|
||||
SECRET_KEY: ${OZ_SECRET_KEY:-dev-only-not-for-production}
|
||||
DB_HOST: oz-db
|
||||
DB_NAME: openzaak
|
||||
DB_USER: openzaak
|
||||
DB_PASSWORD: openzaak
|
||||
IS_HTTPS: "no"
|
||||
ALLOWED_HOSTS: "*"
|
||||
CACHE_DEFAULT: oz-redis:6379/0
|
||||
CACHE_AXES: oz-redis:6379/0
|
||||
CELERY_BROKER_URL: redis://oz-redis:6379/1
|
||||
CELERY_RESULT_BACKEND: redis://oz-redis:6379/1
|
||||
DISABLE_2FA: "true"
|
||||
# Publish notifications to NRC (always present in this full stack). The NRC
|
||||
# service + notifications_config are provisioned by setup_configuration
|
||||
# (infra/openzaak/setup_configuration/data.yaml). See ADR-0007 / S-01-c.
|
||||
NOTIFICATIONS_DISABLED: "false"
|
||||
OPENZAAK_SUPERUSER_USERNAME: admin
|
||||
DJANGO_SUPERUSER_PASSWORD: admin
|
||||
OPENZAAK_SUPERUSER_EMAIL: admin@localhost
|
||||
RUN_SETUP_CONFIG: "true"
|
||||
command: /setup_configuration.sh
|
||||
# data.yaml is streamed into this external volume by infra/seed-config.sh
|
||||
# before start (bind mounts don't reach sibling containers on the CI runner).
|
||||
volumes:
|
||||
- oz-config:/app/setup_configuration:ro
|
||||
depends_on:
|
||||
oz-db:
|
||||
condition: service_healthy
|
||||
oz-redis:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
openzaak:
|
||||
image: docker.io/openzaak/open-zaak:${OPENZAAK_TAG:-1.28.2}
|
||||
environment: *oz-env
|
||||
healthcheck:
|
||||
test: ["CMD", "python", "-c", "import requests,sys; sys.exit(0 if requests.head('http://localhost:8000/admin/').status_code in (200,302) else 1)"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 10
|
||||
start_period: 30s
|
||||
ports:
|
||||
- "8000:8000"
|
||||
depends_on:
|
||||
oz-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
oz-celery:
|
||||
image: docker.io/openzaak/open-zaak:${OPENZAAK_TAG:-1.28.2}
|
||||
environment: *oz-env
|
||||
command: /celery_worker.sh
|
||||
depends_on:
|
||||
oz-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# ── Open Notificaties / NRC (S-01-c) ─────────────────────────────────────
|
||||
nrc-db:
|
||||
image: docker.io/postgis/postgis:17-3.5
|
||||
environment:
|
||||
POSTGRES_USER: opennotificaties
|
||||
POSTGRES_PASSWORD: opennotificaties
|
||||
POSTGRES_DB: opennotificaties
|
||||
command: postgres -c max_connections=300
|
||||
volumes:
|
||||
- nrc-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U opennotificaties -d opennotificaties"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 10
|
||||
networks: [cg]
|
||||
|
||||
nrc-redis:
|
||||
image: docker.io/library/redis:7
|
||||
networks: [cg]
|
||||
|
||||
nrc-init:
|
||||
# Plain base image — nrc-init runs migrations only (see command below), so it
|
||||
# needs no baked config.
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: &nrc-env
|
||||
DJANGO_SETTINGS_MODULE: nrc.conf.docker
|
||||
SECRET_KEY: ${NRC_SECRET_KEY:-dev-only-not-for-production}
|
||||
DB_HOST: nrc-db
|
||||
DB_NAME: opennotificaties
|
||||
DB_USER: opennotificaties
|
||||
DB_PASSWORD: opennotificaties
|
||||
IS_HTTPS: "no"
|
||||
ALLOWED_HOSTS: "*"
|
||||
CACHE_DEFAULT: nrc-redis:6379/0
|
||||
CACHE_AXES: nrc-redis:6379/0
|
||||
CELERY_BROKER_URL: redis://nrc-redis:6379/1
|
||||
CELERY_RESULT_BACKEND: redis://nrc-redis:6379/1
|
||||
DISABLE_2FA: "true"
|
||||
OPENNOTIFICATIES_SUPERUSER_USERNAME: admin
|
||||
DJANGO_SUPERUSER_PASSWORD: admin
|
||||
OPENNOTIFICATIES_SUPERUSER_EMAIL: admin@localhost
|
||||
RUN_SETUP_CONFIG: "true"
|
||||
# nrc-beat fires `execute_notifications` this often to drain scheduled
|
||||
# notifications to subscribers (upstream default 20s). See ADR-0007.
|
||||
NOTIFICATION_SEC_INTERVAL: "5"
|
||||
# Runs migrations + setup_configuration (S-01-c): the JWT credential, the
|
||||
# Autorisaties-API delegation, and the `zaken` kanaal that let OpenZaak publish.
|
||||
# data.yaml is streamed into rr-nrc-config by infra/seed-config.sh (bind mounts
|
||||
# don't reach sibling containers on the CI runner). See data.yaml + ADR-0007.
|
||||
command: /setup_configuration.sh
|
||||
volumes:
|
||||
- nrc-config:/app/setup_configuration:ro
|
||||
depends_on:
|
||||
nrc-db:
|
||||
condition: service_healthy
|
||||
nrc-redis:
|
||||
condition: service_started
|
||||
openzaak:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
nrc-web:
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: *nrc-env
|
||||
healthcheck:
|
||||
test: ["CMD", "python", "-c", "import requests,sys; sys.exit(0 if requests.head('http://localhost:8000/admin/').status_code in (200,302) else 1)"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 10
|
||||
start_period: 30s
|
||||
ports:
|
||||
- "8001:8000"
|
||||
depends_on:
|
||||
nrc-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
nrc-celery:
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: *nrc-env
|
||||
command: /celery_worker.sh
|
||||
depends_on:
|
||||
nrc-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# Celery beat drains the ScheduledNotification rows the API creates on publish
|
||||
# and hands them to the worker. Without it, notifications are accepted but never
|
||||
# delivered to subscribers — required, not optional. See ADR-0007.
|
||||
nrc-beat:
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: *nrc-env
|
||||
command: /celery_beat.sh
|
||||
depends_on:
|
||||
nrc-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# ── Keycloak (S-02) ──────────────────────────────────────────────────────
|
||||
keycloak:
|
||||
image: quay.io/keycloak/keycloak:26.1
|
||||
command: ["start-dev", "--import-realm"]
|
||||
environment:
|
||||
KC_BOOTSTRAP_ADMIN_USERNAME: admin
|
||||
KC_BOOTSTRAP_ADMIN_PASSWORD: admin
|
||||
KEYCLOAK_ADMIN: admin
|
||||
KEYCLOAK_ADMIN_PASSWORD: admin
|
||||
KC_HEALTH_ENABLED: "true"
|
||||
KC_HTTP_ENABLED: "true"
|
||||
ports:
|
||||
- "8180:8080"
|
||||
# realm exports are streamed into this external volume by infra/seed-config.sh.
|
||||
volumes:
|
||||
- kc-realms:/opt/keycloak/data/import:ro
|
||||
networks: [cg]
|
||||
|
||||
# ── Flowable (S-03) ──────────────────────────────────────────────────────
|
||||
flowable-db:
|
||||
image: docker.io/library/postgres:16
|
||||
environment:
|
||||
POSTGRES_USER: flowable
|
||||
POSTGRES_PASSWORD: flowable
|
||||
POSTGRES_DB: flowable
|
||||
volumes:
|
||||
- flowable-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U flowable -d flowable"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 10
|
||||
networks: [cg]
|
||||
|
||||
flowable-rest:
|
||||
image: docker.io/flowable/flowable-rest:latest
|
||||
environment:
|
||||
SPRING_DATASOURCE_DRIVER-CLASS-NAME: org.postgresql.Driver
|
||||
SPRING_DATASOURCE_URL: jdbc:postgresql://flowable-db:5432/flowable
|
||||
SPRING_DATASOURCE_USERNAME: flowable
|
||||
SPRING_DATASOURCE_PASSWORD: flowable
|
||||
ports:
|
||||
- "8090:8080"
|
||||
depends_on:
|
||||
flowable-db:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
flowable-init:
|
||||
image: docker.io/curlimages/curl:latest
|
||||
restart: "no"
|
||||
# registratie.bpmn is streamed into this external volume by infra/seed-config.sh.
|
||||
volumes:
|
||||
- fl-bpmn:/work:ro
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
base=http://flowable-rest:8080/flowable-rest/service/repository/deployments
|
||||
until curl -sf -u rest-admin:test "$$base" >/dev/null 2>&1; do echo "waiting for flowable-rest..."; sleep 3; done
|
||||
if curl -s -u rest-admin:test "$$base?name=registratie" | grep -q '"name":"registratie"'; then
|
||||
echo "registratie already deployed; skip"
|
||||
else
|
||||
curl -sf -u rest-admin:test -F 'file=@/work/registratie.bpmn;filename=registratie.bpmn' "$$base" >/dev/null && echo "deployed registratie"
|
||||
fi
|
||||
depends_on:
|
||||
flowable-rest:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
# ── ACL ──────────────────────────────────────────────────────────────────
|
||||
acl:
|
||||
build:
|
||||
context: ../services/acl
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/acl:dev
|
||||
environment:
|
||||
# Overridable so verify-domain can point the ACL at the same OpenZaak host that
|
||||
# owns the seeded zaaktype URL (host-consistent zaak creation, ADR-0009).
|
||||
Acl__OpenZaak__BaseUrl: ${ACL_OPENZAAK_BASEURL:-http://openzaak:8000/}
|
||||
Acl__OpenZaak__ClientId: big-reference-seed
|
||||
Acl__OpenZaak__Secret: insecure-dev-secret-change-me
|
||||
Acl__Defaults__Bronorganisatie: "517439943"
|
||||
Acl__Defaults__VerantwoordelijkeOrganisatie: "517439943"
|
||||
Acl__Defaults__Vertrouwelijkheidaanduiding: openbaar
|
||||
# Override with the real zaaktype URL after running seed_catalogus.py.
|
||||
Acl__Defaults__ZaaktypeUrl: ${ACL_ZAAKTYPE_URL:-http://openzaak:8000/catalogi/api/v1/zaaktypen/00000000-0000-0000-0000-000000000000}
|
||||
ports:
|
||||
- "8100:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
openzaak:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
# ── BIG Domain Service (S-05) ──────────────────────────────────────────────
|
||||
# Orchestrates a registration: POST /registrations creates the aggregate and
|
||||
# starts the registratie Flowable process; a hosted worker acquires the
|
||||
# OpenZaakAanmaken job, opens a zaak via the ACL and completes it (ADR-0009).
|
||||
# Talks only to Flowable (Workflow Client, §8.2) and the ACL (§8.1).
|
||||
domain:
|
||||
build:
|
||||
context: ../services/domain
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/domain:dev
|
||||
environment:
|
||||
Flowable__BaseUrl: http://flowable-rest:8080/flowable-rest/
|
||||
Flowable__Username: rest-admin
|
||||
Flowable__Password: test
|
||||
Acl__BaseUrl: http://acl:8080/
|
||||
ports:
|
||||
- "8130:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
acl:
|
||||
condition: service_healthy
|
||||
flowable-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# ── BFF ──────────────────────────────────────────────────────────────────
|
||||
bff:
|
||||
build:
|
||||
context: ../services/bff
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/bff:dev
|
||||
environment:
|
||||
# The BFF is the portals' only backend; it validates digid tokens and fans out (ADR-0010).
|
||||
# Keycloak (start-dev) derives the issuer from the request host, so the BFF authority and the
|
||||
# verify token request both use keycloak:8080 to keep the issuer consistent.
|
||||
Keycloak__Authority: http://keycloak:8080/realms/digid
|
||||
Downstream__Domain__BaseUrl: http://domain:8080/
|
||||
Downstream__Projection__BaseUrl: http://projection-api:8080/
|
||||
ports:
|
||||
- "8080:8080"
|
||||
healthcheck:
|
||||
@@ -359,151 +17,3 @@ services:
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
domain:
|
||||
condition: service_healthy
|
||||
projection-api:
|
||||
condition: service_healthy
|
||||
keycloak:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
# ── Read projection (S-06) ────────────────────────────────────────────────
|
||||
# One Postgres DB backing the rebuildable read projection (PRD §8.4): the Event
|
||||
# Subscriber writes it, projection-api reads it. See ADR-0008.
|
||||
projection-db:
|
||||
image: docker.io/library/postgres:16
|
||||
environment:
|
||||
POSTGRES_USER: projection
|
||||
POSTGRES_PASSWORD: projection
|
||||
POSTGRES_DB: projection
|
||||
volumes:
|
||||
- projection-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U projection -d projection"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 10
|
||||
networks: [cg]
|
||||
|
||||
# Consumes NRC notifications (abonnement callback) and projects zaak-created events
|
||||
# into register_projection. Build context is the repo root: it shares the read model
|
||||
# in services/projection-api/Projection.ReadModel.
|
||||
event-subscriber:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: services/event-subscriber/Dockerfile
|
||||
image: register-referentie/event-subscriber:dev
|
||||
environment:
|
||||
ConnectionStrings__Projection: Host=projection-db;Database=projection;Username=projection;Password=projection
|
||||
# The subscriber enriches the projection with each zaak's reference (identificatie) by asking
|
||||
# the ACL — the only code allowed to read ZGW (§8.1, #78).
|
||||
Acl__BaseUrl: http://acl:8080/
|
||||
# The bearer Open Notificaties must present on the abonnement callback. NRC's
|
||||
# registration probe expects a 401 without it (ADR-0007). Dev-only token.
|
||||
EventSubscriber__Webhook__AuthToken: ${NOTIFICATION_WEBHOOK_TOKEN:-Bearer big-reference-notifications}
|
||||
ports:
|
||||
- "8110:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 15s
|
||||
depends_on:
|
||||
projection-db:
|
||||
condition: service_healthy
|
||||
acl:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
# The read side of the projection. Shares Projection.ReadModel, so build context is root.
|
||||
projection-api:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: services/projection-api/Dockerfile
|
||||
image: register-referentie/projection-api:dev
|
||||
environment:
|
||||
ConnectionStrings__Projection: Host=projection-db;Database=projection;Username=projection;Password=projection
|
||||
ports:
|
||||
- "8120:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 15s
|
||||
depends_on:
|
||||
projection-db:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
# ── Self-Service portal (S-08d) ────────────────────────────────────────────
|
||||
# nginx serves the Angular app and reverse-proxies /self-service + /openbaar to the BFF
|
||||
# (same-origin, no CORS). The Playwright e2e drives it inside this network so the DigiD
|
||||
# token issuer (keycloak:8080) matches the BFF's authority (ADR-0010).
|
||||
self-service:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: apps/self-service/Dockerfile
|
||||
image: register-referentie/self-service:dev
|
||||
ports:
|
||||
- "8140:80"
|
||||
healthcheck:
|
||||
# 127.0.0.1, not localhost: nginx listens on IPv4 only, but localhost resolves to ::1 first.
|
||||
test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1/ || exit 1"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
bff:
|
||||
condition: service_healthy
|
||||
keycloak:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
# The openbaar (public) register portal: nginx serves the Angular app and reverse-proxies
|
||||
# /openbaar to the BFF. Anonymous — no DigiD, no Keycloak dependency (S-09).
|
||||
openbaar:
|
||||
build:
|
||||
context: ..
|
||||
dockerfile: apps/openbaar/Dockerfile
|
||||
image: register-referentie/openbaar:dev
|
||||
ports:
|
||||
- "8141:80"
|
||||
healthcheck:
|
||||
# 127.0.0.1, not localhost: nginx listens on IPv4 only, but localhost resolves to ::1 first.
|
||||
test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1/ || exit 1"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
bff:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
volumes:
|
||||
oz-db:
|
||||
nrc-db:
|
||||
flowable-db:
|
||||
projection-db:
|
||||
# Config volumes — created and populated out-of-band by infra/seed-config.sh
|
||||
# (docker cp), because bind mounts don't reach sibling containers on the CI
|
||||
# runner. `external` keeps the names deterministic; the seed step manages them.
|
||||
oz-config:
|
||||
external: true
|
||||
name: rr-oz-config
|
||||
nrc-config:
|
||||
external: true
|
||||
name: rr-nrc-config
|
||||
kc-realms:
|
||||
external: true
|
||||
name: rr-kc-realms
|
||||
fl-bpmn:
|
||||
external: true
|
||||
name: rr-fl-bpmn
|
||||
|
||||
networks:
|
||||
cg:
|
||||
|
||||
@@ -1,70 +0,0 @@
|
||||
# Flowable (S-03): the flowable-rest engine on Postgres.
|
||||
# The registratie.bpmn model is deployed via the REST API on startup by flowable-init.
|
||||
#
|
||||
# docker compose -f infra/flowable/docker-compose.yml up -d
|
||||
# # REST API (basic auth) under http://localhost:8090/flowable-rest/service/
|
||||
#
|
||||
# Host port 8090 (8000/8001/8080/8180 are taken by OpenZaak/NRC/BFF/Keycloak).
|
||||
services:
|
||||
flowable-db:
|
||||
image: docker.io/library/postgres:16
|
||||
environment:
|
||||
POSTGRES_USER: flowable
|
||||
POSTGRES_PASSWORD: flowable
|
||||
POSTGRES_DB: flowable
|
||||
volumes:
|
||||
- flowable-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U flowable -d flowable"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 10
|
||||
networks: [cg]
|
||||
|
||||
flowable-rest:
|
||||
image: docker.io/flowable/flowable-rest:latest
|
||||
environment:
|
||||
SPRING_DATASOURCE_DRIVER-CLASS-NAME: org.postgresql.Driver
|
||||
SPRING_DATASOURCE_URL: jdbc:postgresql://flowable-db:5432/flowable
|
||||
SPRING_DATASOURCE_USERNAME: flowable
|
||||
SPRING_DATASOURCE_PASSWORD: flowable
|
||||
ports:
|
||||
- "8090:8080"
|
||||
depends_on:
|
||||
flowable-db:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
# Deploys workflows/registratie.bpmn via the REST API once flowable-rest is up.
|
||||
# Idempotent: skips if a deployment named "registratie" already exists.
|
||||
flowable-init:
|
||||
image: docker.io/curlimages/curl:latest
|
||||
restart: "no"
|
||||
# registratie.bpmn is streamed into this external volume by infra/seed-config.sh.
|
||||
volumes:
|
||||
- fl-bpmn:/work:ro
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
base=http://flowable-rest:8080/flowable-rest/service/repository/deployments
|
||||
until curl -sf -u rest-admin:test "$$base" >/dev/null 2>&1; do echo "waiting for flowable-rest..."; sleep 3; done
|
||||
if curl -s -u rest-admin:test "$$base?name=registratie" | grep -q '"name":"registratie"'; then
|
||||
echo "registratie already deployed; skip"
|
||||
else
|
||||
curl -sf -u rest-admin:test -F 'file=@/work/registratie.bpmn;filename=registratie.bpmn' "$$base" >/dev/null && echo "deployed registratie"
|
||||
fi
|
||||
depends_on:
|
||||
flowable-rest:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
volumes:
|
||||
flowable-db:
|
||||
# populated out-of-band by infra/seed-config.sh (docker cp) — see that script.
|
||||
fl-bpmn:
|
||||
external: true
|
||||
name: rr-fl-bpmn
|
||||
|
||||
networks:
|
||||
cg:
|
||||
@@ -1,54 +0,0 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Smoke-check Flowable: the registratie process is deployed, and starting an
|
||||
instance parks it on the OpenZaakAanmaken external task. Stdlib only.
|
||||
"""
|
||||
import base64, json, sys, time, urllib.error, urllib.request
|
||||
|
||||
BASE = "http://localhost:8090/flowable-rest/service"
|
||||
AUTH = "Basic " + base64.b64encode(b"rest-admin:test").decode()
|
||||
|
||||
|
||||
def call(method, path, payload=None):
|
||||
data = json.dumps(payload).encode() if payload is not None else None
|
||||
req = urllib.request.Request(BASE + path, data=data, method=method, headers={
|
||||
"Authorization": AUTH, "Content-Type": "application/json", "Accept": "application/json"})
|
||||
with urllib.request.urlopen(req, timeout=30) as r:
|
||||
return r.status, json.loads(r.read() or "null")
|
||||
|
||||
|
||||
def main():
|
||||
# 1. process definition deployed? (wait for the async init-container deploy)
|
||||
defs = {"total": 0}
|
||||
for _ in range(40):
|
||||
_, defs = call("GET", "/repository/process-definitions?key=registratie")
|
||||
if defs["total"] >= 1:
|
||||
break
|
||||
time.sleep(3)
|
||||
assert defs["total"] >= 1, "registratie process definition not deployed"
|
||||
print(f"process definition 'registratie' deployed (total={defs['total']})")
|
||||
|
||||
# 2. start an instance
|
||||
st, pi = call("POST", "/runtime/process-instances", {"processDefinitionKey": "registratie"})
|
||||
assert st == 201, f"start failed: {st} {pi}"
|
||||
pid = pi["id"]
|
||||
assert pi.get("ended") is False, "instance ended immediately — external task not reached"
|
||||
print(f"started instance {pid} (ended={pi.get('ended')})")
|
||||
|
||||
# 3. waiting on the external task?
|
||||
_, ex = call("GET", f"/runtime/executions?processInstanceId={pid}")
|
||||
activities = [e.get("activityId") for e in ex["data"]]
|
||||
assert "OpenZaakAanmaken" in activities, f"not waiting at OpenZaakAanmaken: {activities}"
|
||||
print(f"instance is waiting at the external task: {activities}")
|
||||
|
||||
# 4. cleanup
|
||||
try:
|
||||
call("DELETE", f"/runtime/process-instances/{pid}")
|
||||
print("cleaned up instance")
|
||||
except urllib.error.HTTPError:
|
||||
pass
|
||||
|
||||
print("flowable smoke OK")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -1,60 +0,0 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Smoke-check the Keycloak realms: each realm's OIDC login works (password grant)
|
||||
and returns its expected identifying claim. Stdlib only. Exits non-zero on failure.
|
||||
"""
|
||||
import base64, json, sys, urllib.error, urllib.parse, urllib.request
|
||||
|
||||
BASE = "http://localhost:8180"
|
||||
CLIENT = "big-portal"
|
||||
PWD = "test123"
|
||||
|
||||
# realm, user, claim ("__roles__" => check realm_access.roles), expected-contains
|
||||
CHECKS = [
|
||||
("digid", "jan-burger", "bsn", "123456782"),
|
||||
("eherkenning", "acme-ondernemer", "kvk", "12345678"),
|
||||
("eidas", "pierre-dupont", "eidas_id", "FR/NL"),
|
||||
("medewerker", "merel-behandelaar", "__roles__", "behandelaar"),
|
||||
]
|
||||
|
||||
|
||||
def decode(jwt):
|
||||
p = jwt.split(".")[1]
|
||||
p += "=" * (-len(p) % 4)
|
||||
return json.loads(base64.urlsafe_b64decode(p))
|
||||
|
||||
|
||||
def grant(realm, user):
|
||||
data = urllib.parse.urlencode({
|
||||
"grant_type": "password", "client_id": CLIENT,
|
||||
"username": user, "password": PWD, "scope": "openid",
|
||||
}).encode()
|
||||
req = urllib.request.Request(
|
||||
f"{BASE}/realms/{realm}/protocol/openid-connect/token", data=data,
|
||||
headers={"Content-Type": "application/x-www-form-urlencoded"})
|
||||
with urllib.request.urlopen(req, timeout=20) as r:
|
||||
return json.loads(r.read())
|
||||
|
||||
|
||||
def main():
|
||||
ok = True
|
||||
for realm, user, claim, expect in CHECKS:
|
||||
try:
|
||||
at = decode(grant(realm, user)["access_token"])
|
||||
if claim == "__roles__":
|
||||
val = at.get("realm_access", {}).get("roles", [])
|
||||
good = expect in val
|
||||
else:
|
||||
val = at.get(claim)
|
||||
good = val is not None and expect in str(val)
|
||||
print(f"{realm:12} {user:18} login OK | {claim} = {val} "
|
||||
f"[{'OK' if good else 'UNEXPECTED'}]")
|
||||
ok = ok and good
|
||||
except urllib.error.HTTPError as e:
|
||||
ok = False
|
||||
print(f"{realm:12} {user:18} LOGIN FAILED {e.code}: {e.read()[:200]!r}")
|
||||
print("keycloak smoke OK" if ok else "keycloak smoke FAILED")
|
||||
sys.exit(0 if ok else 1)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -1,35 +0,0 @@
|
||||
# Keycloak (S-02) with four pre-seeded realms imported at boot:
|
||||
# digid · eherkenning · eidas · medewerker
|
||||
# Dev mode, H2 in-memory store, realm JSONs imported from ./realms.
|
||||
#
|
||||
# docker compose -f infra/keycloak/docker-compose.yml up -d
|
||||
# curl -s -o /dev/null -w '%{http_code}\n' \
|
||||
# http://localhost:8180/realms/digid/.well-known/openid-configuration # -> 200
|
||||
#
|
||||
# Admin console: http://localhost:8180/ (admin / admin — dev only)
|
||||
services:
|
||||
keycloak:
|
||||
image: quay.io/keycloak/keycloak:26.1
|
||||
command: ["start-dev", "--import-realm"]
|
||||
environment:
|
||||
KC_BOOTSTRAP_ADMIN_USERNAME: admin
|
||||
KC_BOOTSTRAP_ADMIN_PASSWORD: admin
|
||||
# Older var names too, harmless on 26.x:
|
||||
KEYCLOAK_ADMIN: admin
|
||||
KEYCLOAK_ADMIN_PASSWORD: admin
|
||||
KC_HEALTH_ENABLED: "true"
|
||||
KC_HTTP_ENABLED: "true"
|
||||
ports:
|
||||
- "8180:8080"
|
||||
# realm exports are streamed into this external volume by infra/seed-config.sh.
|
||||
volumes:
|
||||
- kc-realms:/opt/keycloak/data/import:ro
|
||||
networks: [cg]
|
||||
|
||||
volumes:
|
||||
kc-realms:
|
||||
external: true
|
||||
name: rr-kc-realms
|
||||
|
||||
networks:
|
||||
cg:
|
||||
@@ -1,43 +0,0 @@
|
||||
{
|
||||
"realm": "digid",
|
||||
"enabled": true,
|
||||
"displayName": "Mock DigiD",
|
||||
"clients": [
|
||||
{
|
||||
"clientId": "big-portal",
|
||||
"enabled": true,
|
||||
"publicClient": true,
|
||||
"standardFlowEnabled": true,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"redirectUris": ["*"],
|
||||
"webOrigins": ["*"],
|
||||
"protocolMappers": [
|
||||
{
|
||||
"name": "bsn",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-attribute-mapper",
|
||||
"config": {
|
||||
"user.attribute": "bsn",
|
||||
"claim.name": "bsn",
|
||||
"jsonType.label": "String",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"users": [
|
||||
{
|
||||
"username": "jan-burger",
|
||||
"enabled": true,
|
||||
"firstName": "Jan",
|
||||
"lastName": "Burger",
|
||||
"email": "jan.burger@example.nl",
|
||||
"emailVerified": true,
|
||||
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
||||
"attributes": { "bsn": ["123456782"] }
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,43 +0,0 @@
|
||||
{
|
||||
"realm": "eherkenning",
|
||||
"enabled": true,
|
||||
"displayName": "Mock eHerkenning",
|
||||
"clients": [
|
||||
{
|
||||
"clientId": "big-portal",
|
||||
"enabled": true,
|
||||
"publicClient": true,
|
||||
"standardFlowEnabled": true,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"redirectUris": ["*"],
|
||||
"webOrigins": ["*"],
|
||||
"protocolMappers": [
|
||||
{
|
||||
"name": "kvk",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-attribute-mapper",
|
||||
"config": {
|
||||
"user.attribute": "kvk",
|
||||
"claim.name": "kvk",
|
||||
"jsonType.label": "String",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"users": [
|
||||
{
|
||||
"username": "acme-ondernemer",
|
||||
"enabled": true,
|
||||
"firstName": "Anita",
|
||||
"lastName": "Ondernemer",
|
||||
"email": "anita@acme.nl",
|
||||
"emailVerified": true,
|
||||
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
||||
"attributes": { "kvk": ["12345678"] }
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,43 +0,0 @@
|
||||
{
|
||||
"realm": "eidas",
|
||||
"enabled": true,
|
||||
"displayName": "Mock eIDAS",
|
||||
"clients": [
|
||||
{
|
||||
"clientId": "big-portal",
|
||||
"enabled": true,
|
||||
"publicClient": true,
|
||||
"standardFlowEnabled": true,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"redirectUris": ["*"],
|
||||
"webOrigins": ["*"],
|
||||
"protocolMappers": [
|
||||
{
|
||||
"name": "eidas_id",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-attribute-mapper",
|
||||
"config": {
|
||||
"user.attribute": "eidas_id",
|
||||
"claim.name": "eidas_id",
|
||||
"jsonType.label": "String",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"users": [
|
||||
{
|
||||
"username": "pierre-dupont",
|
||||
"enabled": true,
|
||||
"firstName": "Pierre",
|
||||
"lastName": "Dupont",
|
||||
"email": "pierre.dupont@example.fr",
|
||||
"emailVerified": true,
|
||||
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
||||
"attributes": { "eidas_id": ["FR/NL/AB-1234-5678"] }
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,44 +0,0 @@
|
||||
{
|
||||
"realm": "medewerker",
|
||||
"enabled": true,
|
||||
"displayName": "Medewerkers",
|
||||
"roles": {
|
||||
"realm": [
|
||||
{ "name": "behandelaar", "description": "Behandelt registratieaanvragen" },
|
||||
{ "name": "teamlead", "description": "Teamleider behandeling" }
|
||||
]
|
||||
},
|
||||
"clients": [
|
||||
{
|
||||
"clientId": "big-portal",
|
||||
"enabled": true,
|
||||
"publicClient": true,
|
||||
"standardFlowEnabled": true,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"redirectUris": ["*"],
|
||||
"webOrigins": ["*"]
|
||||
}
|
||||
],
|
||||
"users": [
|
||||
{
|
||||
"username": "merel-behandelaar",
|
||||
"enabled": true,
|
||||
"firstName": "Merel",
|
||||
"lastName": "Behandelaar",
|
||||
"email": "merel@big.example.nl",
|
||||
"emailVerified": true,
|
||||
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
||||
"realmRoles": ["behandelaar"]
|
||||
},
|
||||
{
|
||||
"username": "tom-teamlead",
|
||||
"enabled": true,
|
||||
"firstName": "Tom",
|
||||
"lastName": "Teamlead",
|
||||
"email": "tom@big.example.nl",
|
||||
"emailVerified": true,
|
||||
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
||||
"realmRoles": ["behandelaar", "teamlead"]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,39 +0,0 @@
|
||||
#!/usr/bin/env python3
|
||||
"""A throwaway webhook sink for verifying the OpenZaak → NRC notification path.
|
||||
|
||||
NRC delivers abonnement callbacks here as POSTs; each body is printed to stdout
|
||||
(prefixed `NOTIFICATION `) so the verify harness can assert on `docker logs`.
|
||||
|
||||
NRC refuses to register an abonnement whose callback is unauthenticated
|
||||
(`no-auth-on-callback`): when validating it sends a probe and expects the callback
|
||||
to reject a request without the configured `Authorization` value. So this sink
|
||||
enforces that header (EXPECTED_AUTH env) — 401 without it, 204 with it.
|
||||
|
||||
Stdlib only. Listens on :9000. See infra/verify-notifications.sh / S-01-c (#56).
|
||||
"""
|
||||
import http.server
|
||||
import os
|
||||
import sys
|
||||
|
||||
EXPECTED_AUTH = os.environ.get("EXPECTED_AUTH", "Bearer notification-sink-token")
|
||||
|
||||
|
||||
class Handler(http.server.BaseHTTPRequestHandler):
|
||||
def do_POST(self):
|
||||
length = int(self.headers.get("content-length", 0))
|
||||
body = self.rfile.read(length).decode("utf-8", "replace")
|
||||
if self.headers.get("Authorization") != EXPECTED_AUTH:
|
||||
self.send_response(401)
|
||||
self.end_headers()
|
||||
return
|
||||
print("NOTIFICATION " + body, flush=True)
|
||||
self.send_response(204)
|
||||
self.end_headers()
|
||||
|
||||
def log_message(self, *args): # silence default request logging
|
||||
pass
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
http.server.HTTPServer(("0.0.0.0", 9000), Handler).serve_forever()
|
||||
sys.exit(0)
|
||||
@@ -1,120 +0,0 @@
|
||||
# Open Notificaties (NRC) stack (S-01-c). Lean adaptation of the upstream dev compose:
|
||||
# db (PostGIS) + redis (also the Celery broker) + migrate-init + the API + a celery worker.
|
||||
#
|
||||
# Shares the `cg` network with the OpenZaak stack so the two can reach each other.
|
||||
# Run BOTH together (NRC needs OpenZaak's Autorisaties API for auth wiring):
|
||||
#
|
||||
# docker compose -f infra/openzaak/docker-compose.yml -f infra/opennotificaties/docker-compose.yml up -d
|
||||
# curl -s -o /dev/null -w '%{http_code}\n' http://localhost:8001/admin/ # -> 302
|
||||
#
|
||||
# NRC is published on host :8001 (OpenZaak holds :8000).
|
||||
services:
|
||||
nrc-db:
|
||||
image: docker.io/postgis/postgis:17-3.5
|
||||
environment:
|
||||
POSTGRES_USER: opennotificaties
|
||||
POSTGRES_PASSWORD: opennotificaties
|
||||
POSTGRES_DB: opennotificaties
|
||||
command: postgres -c max_connections=300
|
||||
volumes:
|
||||
- nrc-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
# pg_isready only checks TCP; the second clause verifies PostGIS is installed
|
||||
# so nrc-init migrations can safely start (avoids race on cold container start).
|
||||
test: ["CMD-SHELL", "pg_isready -U opennotificaties -d opennotificaties && psql -U opennotificaties -d opennotificaties -c 'SELECT PostGIS_Version();' -q 2>/dev/null"]
|
||||
interval: 5s
|
||||
timeout: 5s
|
||||
retries: 30
|
||||
start_period: 15s
|
||||
networks: [cg]
|
||||
|
||||
nrc-redis:
|
||||
image: docker.io/library/redis:7
|
||||
networks: [cg]
|
||||
|
||||
nrc-init:
|
||||
# Plain base image — nrc-init runs migrations only (see command below).
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: &nrc-env
|
||||
DJANGO_SETTINGS_MODULE: nrc.conf.docker
|
||||
SECRET_KEY: ${NRC_SECRET_KEY:-dev-only-not-for-production}
|
||||
DB_HOST: nrc-db
|
||||
DB_NAME: opennotificaties
|
||||
DB_USER: opennotificaties
|
||||
DB_PASSWORD: opennotificaties
|
||||
IS_HTTPS: "no"
|
||||
ALLOWED_HOSTS: "*"
|
||||
CACHE_DEFAULT: nrc-redis:6379/0
|
||||
CACHE_AXES: nrc-redis:6379/0
|
||||
CELERY_BROKER_URL: redis://nrc-redis:6379/1
|
||||
CELERY_RESULT_BACKEND: redis://nrc-redis:6379/1
|
||||
DISABLE_2FA: "true"
|
||||
OPENNOTIFICATIES_SUPERUSER_USERNAME: admin
|
||||
DJANGO_SUPERUSER_PASSWORD: admin
|
||||
OPENNOTIFICATIES_SUPERUSER_EMAIL: admin@localhost
|
||||
RUN_SETUP_CONFIG: "true"
|
||||
# Delivery cadence: nrc-beat fires `execute_notifications` this often to drain
|
||||
# scheduled notifications to subscribers. Upstream default is 20s; 5s keeps the
|
||||
# walking-skeleton + the verify smoke responsive.
|
||||
NOTIFICATION_SEC_INTERVAL: "5"
|
||||
# Runs migrations + setup_configuration (S-01-c): the JWT credential, the
|
||||
# Autorisaties-API delegation, and the `zaken` kanaal that let OpenZaak publish
|
||||
# notifications. data.yaml is streamed into this external volume by
|
||||
# infra/seed-config.sh (same pattern as oz-init). See data.yaml + ADR-0006.
|
||||
command: /setup_configuration.sh
|
||||
volumes:
|
||||
- nrc-config:/app/setup_configuration:ro
|
||||
depends_on:
|
||||
nrc-db:
|
||||
condition: service_healthy
|
||||
nrc-redis:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
nrc-web:
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: *nrc-env
|
||||
healthcheck:
|
||||
test: ["CMD", "python", "-c", "import requests,sys; sys.exit(0 if requests.head('http://localhost:8000/admin/').status_code in (200,302) else 1)"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 10
|
||||
start_period: 30s
|
||||
ports:
|
||||
- "8001:8000"
|
||||
depends_on:
|
||||
nrc-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
nrc-celery:
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: *nrc-env
|
||||
command: /celery_worker.sh
|
||||
depends_on:
|
||||
nrc-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# Celery beat: periodically fires `execute_notifications`, which drains the
|
||||
# ScheduledNotification rows the API creates on publish and hands them to the
|
||||
# worker for delivery. Without beat, notifications are accepted but never
|
||||
# delivered to subscribers — so it is required, not optional. See ADR-0007.
|
||||
nrc-beat:
|
||||
image: docker.io/openzaak/open-notificaties:${OPENNOTIFICATIES_TAG:-1.16.1}
|
||||
environment: *nrc-env
|
||||
command: /celery_beat.sh
|
||||
depends_on:
|
||||
nrc-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
volumes:
|
||||
nrc-db:
|
||||
# populated out-of-band by infra/seed-config.sh (docker cp) — see that script.
|
||||
nrc-config:
|
||||
external: true
|
||||
name: rr-nrc-config
|
||||
|
||||
networks:
|
||||
cg:
|
||||
@@ -1,41 +0,0 @@
|
||||
# Open Notificaties (NRC) setup_configuration (S-01-c, #56).
|
||||
# Wires NRC so OpenZaak can publish notifications:
|
||||
# - the JWT credential OpenZaak authenticates with,
|
||||
# - delegation of authorization checks to OpenZaak's Autorisaties API (AC),
|
||||
# - the `zaken` kanaal OpenZaak publishes zaak events on.
|
||||
# Dev-only credentials — not for production. Steps from nrc.setup_configuration.
|
||||
|
||||
# 1. JWT credential NRC uses to verify the token OpenZaak presents.
|
||||
vng_api_common_credentials_config_enable: true
|
||||
vng_api_common_credentials:
|
||||
items:
|
||||
- identifier: big-reference-seed
|
||||
secret: insecure-dev-secret-change-me
|
||||
|
||||
# 2. The Autorisaties API (OpenZaak's AC) NRC consults to authorize publishers.
|
||||
zgw_consumers_config_enable: true
|
||||
zgw_consumers:
|
||||
services:
|
||||
- identifier: openzaak-ac
|
||||
label: OpenZaak Autorisaties API
|
||||
api_type: ac
|
||||
api_root: http://openzaak:8000/autorisaties/api/v1/
|
||||
auth_type: zgw
|
||||
client_id: big-reference-seed
|
||||
secret: insecure-dev-secret-change-me
|
||||
|
||||
# 3. Delegate authorization to that AC.
|
||||
autorisaties_api_config_enable: true
|
||||
autorisaties_api:
|
||||
authorizations_api_service_identifier: openzaak-ac
|
||||
|
||||
# 4. The kanaal OpenZaak publishes zaak events on.
|
||||
notifications_kanalen_config_enable: true
|
||||
notifications_kanalen_config:
|
||||
items:
|
||||
- naam: zaken
|
||||
documentatie_link: https://github.com/VNG-Realisatie/gemma-zaken
|
||||
filters:
|
||||
- bronorganisatie
|
||||
- zaaktype
|
||||
- vertrouwelijkheidaanduiding
|
||||
@@ -1,104 +0,0 @@
|
||||
# OpenZaak stack (S-01). Lean adaptation of the upstream open-zaak dev compose:
|
||||
# db (PostGIS) + redis + a one-shot init (migrations) + the API + a celery worker.
|
||||
# Dropped from upstream for leanness: nginx, celery-beat, flower, OTEL.
|
||||
#
|
||||
# docker compose -f infra/openzaak/docker-compose.yml up -d --wait
|
||||
# curl -i http://localhost:8000/zaken/api/v1/zaken # -> 401 (auth required)
|
||||
#
|
||||
# NOTE: image pinned to a tag (not :latest) once a known-good tag is chosen; see
|
||||
# the catalogus-design ADR. Using a tag var with a sensible default for now.
|
||||
services:
|
||||
oz-db:
|
||||
image: docker.io/postgis/postgis:17-3.5
|
||||
environment:
|
||||
POSTGRES_USER: openzaak
|
||||
POSTGRES_PASSWORD: openzaak
|
||||
POSTGRES_DB: openzaak
|
||||
command: postgres -c max_connections=300
|
||||
volumes:
|
||||
- oz-db:/var/lib/postgresql/data
|
||||
healthcheck:
|
||||
# pg_isready only checks TCP; the second clause verifies PostGIS is installed
|
||||
# so oz-init migrations can safely start (avoids race on cold container start).
|
||||
test: ["CMD-SHELL", "pg_isready -U openzaak -d openzaak && psql -U openzaak -d openzaak -c 'SELECT PostGIS_Version();' -q 2>/dev/null"]
|
||||
interval: 5s
|
||||
timeout: 5s
|
||||
retries: 30
|
||||
start_period: 15s
|
||||
networks: [cg]
|
||||
|
||||
oz-redis:
|
||||
image: docker.io/library/redis:7
|
||||
networks: [cg]
|
||||
|
||||
oz-init:
|
||||
image: docker.io/openzaak/open-zaak:${OPENZAAK_TAG:-1.28.2}
|
||||
environment: &oz-env
|
||||
DJANGO_SETTINGS_MODULE: openzaak.conf.docker
|
||||
SECRET_KEY: ${OZ_SECRET_KEY:-dev-only-not-for-production}
|
||||
DB_HOST: oz-db
|
||||
DB_NAME: openzaak
|
||||
DB_USER: openzaak
|
||||
DB_PASSWORD: openzaak
|
||||
IS_HTTPS: "no"
|
||||
ALLOWED_HOSTS: "*"
|
||||
CACHE_DEFAULT: oz-redis:6379/0
|
||||
CACHE_AXES: oz-redis:6379/0
|
||||
CELERY_BROKER_URL: redis://oz-redis:6379/1
|
||||
CELERY_RESULT_BACKEND: redis://oz-redis:6379/1
|
||||
DISABLE_2FA: "true"
|
||||
# Notifications are OFF by default so OpenZaak-only bring-ups (openzaak-up,
|
||||
# the ACL integration test) don't 500 trying to reach an absent NRC. When
|
||||
# OpenZaak runs together with the NRC stack, set OZ_NOTIFICATIONS_DISABLED=false
|
||||
# (make stack-up does) to publish; the NRC service + notifications_config that
|
||||
# name it are provisioned by setup_configuration (data.yaml, S-01-c).
|
||||
NOTIFICATIONS_DISABLED: "${OZ_NOTIFICATIONS_DISABLED:-true}"
|
||||
OPENZAAK_SUPERUSER_USERNAME: admin
|
||||
DJANGO_SUPERUSER_PASSWORD: admin
|
||||
OPENZAAK_SUPERUSER_EMAIL: admin@localhost
|
||||
RUN_SETUP_CONFIG: "true"
|
||||
command: /setup_configuration.sh
|
||||
# data.yaml is streamed into this external volume by infra/seed-config.sh.
|
||||
volumes:
|
||||
- oz-config:/app/setup_configuration:ro
|
||||
depends_on:
|
||||
oz-db:
|
||||
condition: service_healthy
|
||||
oz-redis:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
openzaak:
|
||||
image: docker.io/openzaak/open-zaak:${OPENZAAK_TAG:-1.28.2}
|
||||
environment: *oz-env
|
||||
healthcheck:
|
||||
test: ["CMD", "python", "-c", "import requests,sys; sys.exit(0 if requests.head('http://localhost:8000/admin/').status_code in (200,302) else 1)"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 10
|
||||
start_period: 30s
|
||||
ports:
|
||||
- "8000:8000"
|
||||
depends_on:
|
||||
oz-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
oz-celery:
|
||||
image: docker.io/openzaak/open-zaak:${OPENZAAK_TAG:-1.28.2}
|
||||
environment: *oz-env
|
||||
command: /celery_worker.sh
|
||||
depends_on:
|
||||
oz-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
volumes:
|
||||
oz-db:
|
||||
# populated out-of-band by infra/seed-config.sh (docker cp) — see that script.
|
||||
oz-config:
|
||||
external: true
|
||||
name: rr-oz-config
|
||||
|
||||
networks:
|
||||
cg:
|
||||
@@ -1,221 +0,0 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Idempotent seed of the BIG catalogus into OpenZaak via the ZTC API.
|
||||
|
||||
Creates (if absent):
|
||||
- catalogus "BIG"
|
||||
- a lean "BIG-registratie" zaaktype (only schema-mandatory fields)
|
||||
- a "bsn" eigenschap on that zaaktype
|
||||
- then publishes the zaaktype.
|
||||
|
||||
Auth uses the JWT client provisioned by setup_configuration (see ADR-0002).
|
||||
Stdlib only — no pip deps. Re-running is safe (matches existing by identifier).
|
||||
"""
|
||||
import base64, hashlib, hmac, json, os, sys, time, urllib.error, urllib.request
|
||||
|
||||
BASE = os.environ.get("OZ_BASE", "http://localhost:8000")
|
||||
CLIENT_ID = os.environ.get("OZ_CLIENT_ID", "big-reference-seed")
|
||||
SECRET = os.environ.get("OZ_SECRET", "insecure-dev-secret-change-me")
|
||||
ZTC = f"{BASE}/catalogi/api/v1"
|
||||
RSIN = "517439943" # elfproef-valid test RSIN
|
||||
|
||||
# Opt-in: also publish the zaaktype so OpenZaak's Zaken API accepts a zaak against
|
||||
# it (a concept zaaktype is rejected with `not-published`). Off by default — the
|
||||
# S-01 compose seed keeps it a concept (ADR-0002). The ACL integration test
|
||||
# (S-04a, #46) sets OZ_PUBLISH=1. Publishing requires ≥2 statustypen, ≥1 roltype
|
||||
# and ≥1 resultaattype; the resultaattype is validated against the external
|
||||
# Selectielijst reference API, so this path needs outbound access to it. See ADR-0006.
|
||||
PUBLISH = os.environ.get("OZ_PUBLISH", "").lower() in ("1", "true", "yes")
|
||||
SELECTIELIJST = os.environ.get(
|
||||
"OZ_SELECTIELIJST", "https://selectielijst.openzaak.nl/api/v1").rstrip("/")
|
||||
|
||||
|
||||
def token():
|
||||
b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=")
|
||||
hdr = {"alg": "HS256", "typ": "JWT"}
|
||||
pl = {"iss": CLIENT_ID, "iat": int(time.time()), "client_id": CLIENT_ID,
|
||||
"user_id": "seed", "user_representation": "seed"}
|
||||
seg = b64(json.dumps(hdr, separators=(",", ":")).encode()) + b"." + \
|
||||
b64(json.dumps(pl, separators=(",", ":")).encode())
|
||||
sig = b64(hmac.new(SECRET.encode(), seg, hashlib.sha256).digest())
|
||||
return (seg + b"." + sig).decode()
|
||||
|
||||
|
||||
def api(method, path, body=None):
|
||||
url = path if path.startswith("http") else f"{ZTC}{path}"
|
||||
data = json.dumps(body).encode() if body is not None else None
|
||||
req = urllib.request.Request(url, data=data, method=method, headers={
|
||||
"Authorization": "Bearer " + token(),
|
||||
"Content-Type": "application/json",
|
||||
"Accept": "application/json",
|
||||
})
|
||||
try:
|
||||
with urllib.request.urlopen(req, timeout=30) as r:
|
||||
return r.status, json.loads(r.read() or "null")
|
||||
except urllib.error.HTTPError as e:
|
||||
return e.code, json.loads(e.read() or "null")
|
||||
|
||||
|
||||
def find(path):
|
||||
status, body = api("GET", path)
|
||||
if status != 200:
|
||||
sys.exit(f"GET {path} -> {status}: {body}")
|
||||
return body.get("results", [])
|
||||
|
||||
|
||||
def selectielijst(path):
|
||||
"""GET the external Selectielijst reference API (no auth). Used only when publishing."""
|
||||
req = urllib.request.Request(f"{SELECTIELIJST}{path}", headers={"Accept": "application/json"})
|
||||
with urllib.request.urlopen(req, timeout=30) as r:
|
||||
return json.loads(r.read())
|
||||
|
||||
|
||||
def publish_zaaktype(zt):
|
||||
"""Add the relations OpenZaak requires to publish, then publish (idempotent).
|
||||
|
||||
Publish validation (verified against OpenZaak 1.28.2) demands: ≥2 statustypen
|
||||
(begin + eind), ≥1 roltype, ≥1 resultaattype. A resultaattype needs a
|
||||
Selectielijst `selectielijstklasse` whose procestype matches the zaaktype's
|
||||
`selectielijstProcestype`, plus a `resultaattypeomschrijving`.
|
||||
"""
|
||||
have_st = {s.get("volgnummer") for s in find(f"/statustypen?zaaktype={zt['url']}&status=alles")}
|
||||
for volgnummer, omschrijving in [(1, "Ontvangen"), (2, "Afgehandeld")]:
|
||||
if volgnummer not in have_st:
|
||||
st, body = api("POST", "/statustypen", {
|
||||
"omschrijving": omschrijving, "zaaktype": zt["url"], "volgnummer": volgnummer})
|
||||
if st != 201:
|
||||
sys.exit(f"create statustype {volgnummer} -> {st}: {json.dumps(body, indent=2)}")
|
||||
print(f"create statustype {volgnummer} ({omschrijving})")
|
||||
|
||||
if find(f"/roltypen?zaaktype={zt['url']}&status=alles"):
|
||||
print("skip roltype Aanvrager")
|
||||
else:
|
||||
st, body = api("POST", "/roltypen", {
|
||||
"zaaktype": zt["url"], "omschrijving": "Aanvrager", "omschrijvingGeneriek": "initiator"})
|
||||
if st != 201:
|
||||
sys.exit(f"create roltype -> {st}: {json.dumps(body, indent=2)}")
|
||||
print("create roltype Aanvrager")
|
||||
|
||||
if find(f"/resultaattypen?zaaktype={zt['url']}&status=alles"):
|
||||
print("skip resultaattype Geregistreerd")
|
||||
else:
|
||||
resultaat = selectielijst("/resultaten?pageSize=1")["results"][0]
|
||||
omschrijvingen = selectielijst("/resultaattypeomschrijvingen")
|
||||
oms = (omschrijvingen if isinstance(omschrijvingen, list) else omschrijvingen["results"])[0]["url"]
|
||||
# The selectielijstklasse and the zaaktype must share a procestype.
|
||||
st, body = api("PATCH", zt["url"], {"selectielijstProcestype": resultaat["procesType"]})
|
||||
if st != 200:
|
||||
sys.exit(f"set procestype -> {st}: {json.dumps(body, indent=2)}")
|
||||
st, body = api("POST", "/resultaattypen", {
|
||||
"zaaktype": zt["url"], "omschrijving": "Geregistreerd",
|
||||
"resultaattypeomschrijving": oms, "selectielijstklasse": resultaat["url"],
|
||||
"archiefnominatie": "blijvend_bewaren",
|
||||
"brondatumArchiefprocedure": {"afleidingswijze": "afgehandeld"},
|
||||
})
|
||||
if st != 201:
|
||||
sys.exit(f"create resultaattype -> {st}: {json.dumps(body, indent=2)}")
|
||||
print("create resultaattype Geregistreerd")
|
||||
|
||||
if zt.get("concept", True):
|
||||
st, body = api("POST", f"{zt['url']}/publish")
|
||||
if st != 200:
|
||||
sys.exit(f"publish zaaktype -> {st}: {json.dumps(body, indent=2)}")
|
||||
print(f"publish zaaktype BIG-REGISTRATIE ({zt['url']})")
|
||||
else:
|
||||
print("skip publish (already published)")
|
||||
|
||||
|
||||
def main():
|
||||
# 1. Catalogus
|
||||
existing = [c for c in find(f"/catalogussen?domein=BIG") if c.get("domein") == "BIG"]
|
||||
if existing:
|
||||
cat = existing[0]
|
||||
print(f"skip catalogus BIG ({cat['url']})")
|
||||
else:
|
||||
st, cat = api("POST", "/catalogussen", {
|
||||
"domein": "BIG", "rsin": RSIN,
|
||||
"contactpersoonBeheerNaam": "BIG Beheer",
|
||||
})
|
||||
if st != 201:
|
||||
sys.exit(f"create catalogus -> {st}: {cat}")
|
||||
print(f"create catalogus BIG ({cat['url']})")
|
||||
|
||||
# 2. Zaaktype (concept)
|
||||
# status=alles so concept zaaktypen are matched too (else we'd duplicate).
|
||||
zts = [z for z in find(f"/zaaktypen?catalogus={cat['url']}&status=alles")
|
||||
if z.get("identificatie") == "BIG-REGISTRATIE"]
|
||||
if zts:
|
||||
zt = zts[0]
|
||||
print(f"skip zaaktype BIG-REGISTRATIE ({zt['url']}) concept={zt.get('concept')}")
|
||||
else:
|
||||
st, zt = api("POST", "/zaaktypen", {
|
||||
"identificatie": "BIG-REGISTRATIE",
|
||||
"omschrijving": "BIG-registratie",
|
||||
"vertrouwelijkheidaanduiding": "openbaar",
|
||||
"doel": "Registratie van een zorgprofessional in het BIG-register",
|
||||
"aanleiding": "Aanvraag tot registratie",
|
||||
"indicatieInternOfExtern": "extern",
|
||||
"handelingInitiator": "indienen",
|
||||
"onderwerp": "BIG-registratie",
|
||||
"handelingBehandelaar": "behandelen",
|
||||
"doorlooptijd": "P30D",
|
||||
"opschortingEnAanhoudingMogelijk": False,
|
||||
"verlengingMogelijk": False,
|
||||
"publicatieIndicatie": False,
|
||||
"productenOfDiensten": [],
|
||||
"referentieproces": {"naam": "BIG-registratie"},
|
||||
"catalogus": cat["url"],
|
||||
"besluittypen": [],
|
||||
"gerelateerdeZaaktypen": [],
|
||||
"beginGeldigheid": "2026-01-01",
|
||||
"versiedatum": "2026-01-01",
|
||||
"verantwoordelijke": RSIN,
|
||||
})
|
||||
if st != 201:
|
||||
sys.exit(f"create zaaktype -> {st}: {json.dumps(zt, indent=2)}")
|
||||
print(f"create zaaktype BIG-REGISTRATIE ({zt['url']})")
|
||||
|
||||
# 3. bsn eigenschap (only addable while concept)
|
||||
eigs = [e for e in find(f"/eigenschappen?zaaktype={zt['url']}&status=alles")
|
||||
if e.get("naam") == "bsn"]
|
||||
if eigs:
|
||||
print("skip eigenschap bsn")
|
||||
elif zt.get("concept", True):
|
||||
st, eig = api("POST", "/eigenschappen", {
|
||||
"naam": "bsn",
|
||||
"definitie": "Burgerservicenummer van de zorgprofessional",
|
||||
"zaaktype": zt["url"],
|
||||
"specificatie": {"groep": "aanvrager", "formaat": "tekst",
|
||||
"lengte": "9", "kardinaliteit": "1", "waardenverzameling": []},
|
||||
})
|
||||
if st != 201:
|
||||
sys.exit(f"create eigenschap -> {st}: {json.dumps(eig, indent=2)}")
|
||||
print("create eigenschap bsn")
|
||||
else:
|
||||
print("warn zaaktype already published; cannot add bsn eigenschap")
|
||||
|
||||
# 4. Optionally publish. By default the zaaktype stays a concept: publishing
|
||||
# requires roltypen, resultaattypen and statustypen, beyond the "lean /
|
||||
# schema-mandatory" zaaktype S-01 asks for (ADR-0002). Set OZ_PUBLISH=1 to add
|
||||
# those relations and publish — needed so a real zaak POST is accepted, which
|
||||
# the ACL integration test (S-04a, #46) exercises. See ADR-0006.
|
||||
if PUBLISH:
|
||||
# Re-fetch: the bsn-eigenschap branch above may hold a stale concept flag.
|
||||
zt = next(z for z in find(f"/zaaktypen?catalogus={cat['url']}&status=alles")
|
||||
if z.get("identificatie") == "BIG-REGISTRATIE")
|
||||
publish_zaaktype(zt)
|
||||
|
||||
# 5. Verify the JWT client can list the zaaktype (concepts included).
|
||||
zaaktypen = find(f"/zaaktypen?catalogus={cat['url']}&status=alles")
|
||||
names = [z.get("identificatie") for z in zaaktypen]
|
||||
print(f"zaaktypen in BIG: {names}")
|
||||
assert "BIG-REGISTRATIE" in names, "BIG-REGISTRATIE not listed"
|
||||
state = "published" if PUBLISH else "concept"
|
||||
# Machine-readable line so callers (e.g. infra/run-domain-check.sh) can capture the
|
||||
# zaaktype URL to configure the ACL's default-fill (ADR-0003/0009).
|
||||
zt_url = next(z["url"] for z in zaaktypen if z.get("identificatie") == "BIG-REGISTRATIE")
|
||||
print(f"ZAAKTYPE_URL {zt_url}")
|
||||
print(f"OK — BIG catalogus seeded (BIG-REGISTRATIE {state} + bsn eigenschap)")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
@@ -1,41 +0,0 @@
|
||||
# OpenZaak setup_configuration (idempotent, declarative).
|
||||
# Provisions the JWT client the seed + ACL use to call OpenZaak's APIs.
|
||||
# Dev-only credentials — not for production.
|
||||
#
|
||||
# Steps come from vng_api_common.contrib.setup_configuration (see ADR-0002).
|
||||
|
||||
vng_api_common_credentials_config_enable: true
|
||||
vng_api_common_credentials:
|
||||
items:
|
||||
- identifier: big-reference-seed
|
||||
secret: insecure-dev-secret-change-me
|
||||
|
||||
vng_api_common_applicaties_config_enable: true
|
||||
vng_api_common_applicaties:
|
||||
items:
|
||||
# uuid must be given explicitly as a string (the step's auto-default is a
|
||||
# UUID object that fails its own validation).
|
||||
- uuid: "11111111-1111-4111-8111-111111111111"
|
||||
client_ids:
|
||||
- big-reference-seed
|
||||
label: BIG reference seed client
|
||||
heeft_alle_autorisaties: true
|
||||
|
||||
# ── OpenZaak → Open Notificaties (NRC) publishing (S-01-c, #56) ─────────────
|
||||
# The NRC service OpenZaak posts notifications to, authenticating with the same
|
||||
# big-reference-seed client (NRC verifies the JWT and authorizes it via the AC).
|
||||
zgw_consumers_config_enable: true
|
||||
zgw_consumers:
|
||||
services:
|
||||
- identifier: nrc
|
||||
label: Open Notificaties
|
||||
api_type: nrc
|
||||
api_root: http://nrc-web:8000/api/v1/
|
||||
auth_type: zgw
|
||||
client_id: big-reference-seed
|
||||
secret: insecure-dev-secret-change-me
|
||||
|
||||
# Point OpenZaak's notifications at that service. Requires NOTIFICATIONS_DISABLED=false.
|
||||
notifications_config_enable: true
|
||||
notifications_config:
|
||||
notifications_api_service_identifier: nrc
|
||||
@@ -1,37 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Run the ACL integration tests (Category=Integration) against the OpenZaak that is
|
||||
# ALREADY running — works for any stack: oz-only (`make integration`), the standalone
|
||||
# oz+nrc stack, or the full compose stack (the CI `verify-stack` job). Seeds a
|
||||
# published BIG zaaktype (idempotent), then builds + runs the test image on the stack
|
||||
# network, reaching OpenZaak by container IP (a single-label host isn't URL-valid;
|
||||
# the runner can't reach published ports — see gitea-actions-gotchas.md §5/§6).
|
||||
#
|
||||
# Does NOT manage the stack lifecycle: the caller owns bring-up + teardown. Plain
|
||||
# docker primitives only (docker/podman-portable). See ADR-0006.
|
||||
set -euo pipefail
|
||||
|
||||
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
root="$(cd "$here/.." && pwd)"
|
||||
|
||||
# The OpenZaak API container, matched across compose projects + docker/podman naming
|
||||
# (`<project>[-_]openzaak[-_]<n>`); the delimiters exclude oz-db / oz-redis / oz-init.
|
||||
oz="$(docker ps -q --filter 'name=[-_]openzaak[-_]' | head -1)"
|
||||
[ -n "$oz" ] || { echo "ERROR: no running OpenZaak container found — bring the stack up first" >&2; exit 1; }
|
||||
net="$(docker inspect -f '{{range $k,$_ := .NetworkSettings.Networks}}{{$k}}{{"\n"}}{{end}}' "$oz" | head -1)"
|
||||
oz_ip="$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$oz")"
|
||||
oz_base="http://$oz_ip:8000"
|
||||
echo ">> OpenZaak at $oz_base on network $net"
|
||||
|
||||
echo ">> seeding a published BIG zaaktype (idempotent)"
|
||||
sid="$(docker create --network "$net" -e "OZ_BASE=$oz_base" -e OZ_PUBLISH=1 \
|
||||
python:3-slim python /seed.py)"
|
||||
docker cp "$here/openzaak/seed_catalogus.py" "$sid:/seed.py" >/dev/null
|
||||
docker start -a "$sid"
|
||||
docker rm -f "$sid" >/dev/null
|
||||
|
||||
echo ">> building the integration test image"
|
||||
docker build -f "$root/services/acl/Dockerfile.integration" -t rr-acl-integration "$root/services/acl"
|
||||
|
||||
echo ">> running the ACL integration tests (inside the network)"
|
||||
docker run --rm --network "$net" -e "OZ_BASE=$oz_base" rr-acl-integration
|
||||
@@ -1,58 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Verify the BFF end-to-end (S-07) against an ALREADY-RUNNING full stack. The BFF is the portals'
|
||||
# only backend (§8.3): it validates Keycloak digid tokens on the self-service submit and serves the
|
||||
# openbaar register anonymously with only public-safe fields (ADR-0010).
|
||||
#
|
||||
# Checks, in-network (services reached by container IP; Keycloak by its service name so the token's
|
||||
# host-derived issuer matches the BFF's authority — see the compose bff env and ADR-0010):
|
||||
# 1. POST /self-service/registrations without a token -> 401
|
||||
# 2. mint a real digid access token (direct grant) and POST it -> 202 (forwarded to the domain)
|
||||
# 3. GET /openbaar/register (anonymous) -> 200 JSON array, never a bsn
|
||||
#
|
||||
# Does NOT manage the stack lifecycle (the caller owns bring-up + teardown). Plain docker primitives.
|
||||
set -euo pipefail
|
||||
|
||||
ip() { docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"; }
|
||||
|
||||
bff="$(docker ps -q --filter 'name=[-_]bff[-_]' | head -1)"
|
||||
kc="$(docker ps -q --filter 'name=keycloak' | head -1)"
|
||||
[ -n "$bff" ] || { echo "ERROR: no running bff container — bring the stack up first" >&2; exit 1; }
|
||||
[ -n "$kc" ] || { echo "ERROR: no running keycloak container — bring the stack up first" >&2; exit 1; }
|
||||
net="$(docker inspect -f '{{range $k,$_ := .NetworkSettings.Networks}}{{$k}}{{"\n"}}{{end}}' "$bff" | head -1)"
|
||||
bff_ip="$(ip "$bff")"
|
||||
echo ">> bff=$bff_ip network=$net"
|
||||
|
||||
# Helper: run curl inside a throwaway container on the stack network (reaches services by name/IP).
|
||||
net_curl() { docker run --rm --network "$net" curlimages/curl:latest "$@"; }
|
||||
|
||||
echo ">> 1. self-service submit without a token must be 401"
|
||||
code="$(net_curl -s -o /dev/null -w '%{http_code}' -X POST "http://$bff_ip:8080/self-service/registrations" \
|
||||
-H 'Content-Type: application/json' -d '{}')"
|
||||
echo " -> $code"; [ "$code" = "401" ] || { echo "FAIL: expected 401, got $code" >&2; exit 1; }
|
||||
|
||||
echo ">> 2. minting a digid token (direct grant) via keycloak:8080 (host-consistent issuer)"
|
||||
token=""
|
||||
for _ in $(seq 1 20); do
|
||||
token="$(net_curl -s -X POST "http://keycloak:8080/realms/digid/protocol/openid-connect/token" \
|
||||
-H 'Content-Type: application/x-www-form-urlencoded' \
|
||||
--data-urlencode 'grant_type=password' --data-urlencode 'client_id=big-portal' \
|
||||
--data-urlencode 'username=jan-burger' --data-urlencode 'password=test123' \
|
||||
| sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')"
|
||||
[ -n "$token" ] && break
|
||||
sleep 3
|
||||
done
|
||||
[ -n "$token" ] || { echo "FAIL: could not obtain a digid access token" >&2; exit 1; }
|
||||
echo " -> got a token"
|
||||
|
||||
echo ">> 2b. self-service submit with the token must be 202"
|
||||
code="$(net_curl -s -o /dev/null -w '%{http_code}' -X POST "http://$bff_ip:8080/self-service/registrations" \
|
||||
-H "Authorization: Bearer $token" -H 'Content-Type: application/json' -d '{}')"
|
||||
echo " -> $code"; [ "$code" = "202" ] || { echo "FAIL: expected 202, got $code" >&2; docker logs "$bff" 2>&1 | tail -15 >&2; exit 1; }
|
||||
|
||||
echo ">> 3. openbaar register (anonymous) must be 200 JSON, never a bsn"
|
||||
body="$(net_curl -s "http://$bff_ip:8080/openbaar/register")"
|
||||
echo "$body" | grep -q '^\[' || { echo "FAIL: openbaar did not return a JSON array: $body" >&2; exit 1; }
|
||||
if echo "$body" | grep -q '"bsn"'; then echo "FAIL: openbaar leaked a bsn field" >&2; exit 1; fi
|
||||
|
||||
echo "OK — BFF: 401 without token, 202 with a digid token, anonymous public-safe openbaar register"
|
||||
@@ -1,68 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Verify the BIG Domain Service end-to-end (S-05) against an ALREADY-RUNNING full stack:
|
||||
# domain → Flowable (start the registratie process + external-task worker) → ACL → OpenZaak.
|
||||
# Submits a registration to the domain and asserts the worker opens a zaak in OpenZaak and
|
||||
# records its URL on the aggregate (ADR-0009).
|
||||
#
|
||||
# The seeded zaaktype URL is server-assigned, so it isn't knowable at initial bring-up. This
|
||||
# script therefore seeds a published BIG zaaktype and recreates the `acl` service configured to
|
||||
# default-fill it — pointing the ACL at the SAME OpenZaak host that owns the URL, so zaak creation
|
||||
# is host-consistent (exactly the configuration the ACL integration test proves, ADR-0006). That
|
||||
# one recreate aside, the caller owns stack bring-up + teardown.
|
||||
#
|
||||
# All in-network, reaching services by container IP (a single-label host isn't URL-valid; the
|
||||
# runner can't reach published ports — gitea-actions-gotchas.md §5/§6). Plain docker primitives.
|
||||
set -euo pipefail
|
||||
|
||||
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
root="$(cd "$here/.." && pwd)"
|
||||
compose="$root/infra/docker-compose.yml"
|
||||
|
||||
ip() { docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"; }
|
||||
|
||||
oz="$(docker ps -q --filter 'name=[-_]openzaak[-_]' | head -1)"
|
||||
dom="$(docker ps -q --filter 'name=domain' | head -1)"
|
||||
[ -n "$oz" ] || { echo "ERROR: no running OpenZaak container — bring the stack up first" >&2; exit 1; }
|
||||
[ -n "$dom" ] || { echo "ERROR: no running domain container — bring the stack up first" >&2; exit 1; }
|
||||
net="$(docker inspect -f '{{range $k,$_ := .NetworkSettings.Networks}}{{$k}}{{"\n"}}{{end}}' "$oz" | head -1)"
|
||||
oz_ip="$(ip "$oz")"; dom_ip="$(ip "$dom")"
|
||||
oz_base="http://$oz_ip:8000"
|
||||
echo ">> openzaak=$oz_ip domain=$dom_ip network=$net"
|
||||
|
||||
echo ">> seeding a published BIG zaaktype (idempotent) and capturing its URL"
|
||||
sid="$(docker create --network "$net" -e "OZ_BASE=$oz_base" -e OZ_PUBLISH=1 python:3-slim python /seed.py)"
|
||||
docker cp "$here/openzaak/seed_catalogus.py" "$sid:/seed.py" >/dev/null
|
||||
zt_url="$(docker start -a "$sid" | sed -n 's/^ZAAKTYPE_URL //p' | head -1)"
|
||||
docker rm -f "$sid" >/dev/null
|
||||
[ -n "$zt_url" ] || { echo "ERROR: seed did not report a ZAAKTYPE_URL" >&2; exit 1; }
|
||||
echo ">> zaaktype: $zt_url"
|
||||
|
||||
echo ">> recreating the acl service pointed at the seeded zaaktype (host-consistent)"
|
||||
ACL_ZAAKTYPE_URL="$zt_url" ACL_OPENZAAK_BASEURL="$oz_base/" docker compose -f "$compose" up -d acl
|
||||
WAIT_TIMEOUT="${WAIT_TIMEOUT:-120}" bash "$here/wait-healthy.sh" acl
|
||||
|
||||
echo ">> submitting a registration to the domain"
|
||||
loc="$(docker run --rm --network "$net" curlimages/curl:latest \
|
||||
-fsS -D - -o /dev/null -X POST "http://$dom_ip:8080/registrations" \
|
||||
-H 'Content-Type: application/json' -d '{"bsn":"123456782"}' \
|
||||
| sed -n 's/\r$//; s/^[Ll]ocation: //p' | head -1)"
|
||||
[ -n "$loc" ] || { echo "ERROR: POST /registrations returned no Location" >&2; exit 1; }
|
||||
echo ">> registration accepted at $loc"
|
||||
|
||||
echo ">> polling the domain until the worker records the opened zaak"
|
||||
for _ in $(seq 1 30); do
|
||||
body="$(docker run --rm --network "$net" curlimages/curl:latest \
|
||||
-fsS "http://$dom_ip:8080$loc" 2>/dev/null || true)"
|
||||
if echo "$body" | grep -q '/zaken/api/v1/zaken/'; then
|
||||
echo "OK — the domain opened a zaak and recorded it on the registration:"
|
||||
echo "$body" | cut -c1-300
|
||||
exit 0
|
||||
fi
|
||||
sleep 2
|
||||
done
|
||||
echo "FAIL — the registration never received a zaak URL" >&2
|
||||
echo "--- domain log ---" >&2; docker logs "$dom" 2>&1 | tail -15 >&2
|
||||
acl="$(docker ps -q --filter 'name=[-_]acl[-_]' | head -1)"
|
||||
[ -n "$acl" ] && { echo "--- acl log ---" >&2; docker logs "$acl" 2>&1 | tail -15 >&2; }
|
||||
exit 1
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user