Compare commits

..

7 Commits

Author SHA1 Message Date
6e65738c04 fix(bff): pin test JWT schemes to a static config so no OIDC metadata fetch (refs #13)
All checks were successful
CI / lint (pull_request) Successful in 1m28s
CI / build (pull_request) Successful in 1m18s
CI / unit (pull_request) Successful in 1m40s
CI / frontend (pull_request) Successful in 3m2s
CI / mutation (pull_request) Successful in 6m16s
CI / verify-stack (pull_request) Successful in 5m14s
The medewerker scheme intermittently hung ~2s fetching OIDC metadata from its
(unreachable) test authority and then 401'd — clearing Authority alone left
JwtBearer's PostConfigure free to build a ConfigurationManager under CI timing. Give
both test schemes a StaticConfigurationManager so metadata is never fetched, making
token validation deterministic. Also harden AddRealmRoles to never throw (a throw in
OnTokenValidated surfaces as a 401) — a malformed realm_access yields no roles (403).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-15 11:24:36 +02:00
e0db3ace6e test(acceptance): implement GetWerkbakAsync on the acceptance domain stub (refs #13)
Some checks failed
CI / lint (pull_request) Successful in 1m25s
CI / build (pull_request) Successful in 1m13s
CI / unit (pull_request) Failing after 1m17s
CI / frontend (pull_request) Successful in 2m44s
CI / mutation (pull_request) Successful in 5m18s
CI / verify-stack (pull_request) Has been cancelled
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-15 11:09:54 +02:00
6f5a61dea6 docs(architecture): ADR-0013 — behandel-portal wiring (auth, werkbak, decision) (refs #13)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-15 11:09:14 +02:00
1a6daecc47 feat(bff): medewerker-realm auth + behandelaar policy + GET /behandel/werkbak (refs #13)
Adds a second JWT bearer scheme for the medewerker realm; on validation it lifts
Keycloak's realm_access.roles onto the principal so the behandelaar policy can
require the role. /behandel/werkbak proxies the domain werkbak behind that policy
(401 without a token, 403 without the role). openapi.json + api-client regenerated;
Keycloak__MedewerkerAuthority wired into compose.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-15 11:07:11 +02:00
08515b9bba test(bff): /behandel/werkbak needs a medewerker token with the behandelaar role (refs #13)
Red — the medewerker JWT scheme, the behandelaar policy, and the werkbak endpoint
do not exist yet (endpoint 404s).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-15 11:03:36 +02:00
69db103e0e feat(domain): werkbak query + GET /behandel/werkbak (refs #13)
The Werkbak use-case reads the open Beoordelen tasks (§8.2) and enriches each with
its aggregate's bsn + status; exposed as GET /behandel/werkbak for the BFF to proxy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-15 11:01:33 +02:00
ffd59c0aac test(domain): werkbak query lists open beoordelingen enriched from the store (refs #13)
Red — the Werkbak use-case and WerkbakItem do not exist yet.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-15 11:00:46 +02:00

Diff Content Not Available