Add `make openzaak-up`, `make openzaak-smoke`, and `make openzaak-down` so
the OpenZaak stack is testable in one command, matching the `make ci`
pattern. openzaak-smoke polls until the API responds, then asserts auth is
enforced (403) and the admin/schema endpoints are reachable (302/200).
Document it in docs/runbooks/openzaak.md (kept out of `make ci` — it's a
heavier, separate check).
Verified: `make openzaak-smoke` is green end-to-end.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add infra/openzaak/docker-compose.yml — a lean adaptation of the upstream
open-zaak dev stack: PostGIS db, redis, a one-shot init that runs database
migrations, the OpenZaak API, and a celery worker. (Dropped nginx, beat,
flower, OTEL for leanness.) Images fully qualified (docker.io/...) for
rootless Podman.
Verified locally: stack comes up; migrations run; GET /admin/ -> 302,
GET /zaken/api/v1/ -> 200, and an unauthenticated GET /zaken/api/v1/zaken
-> 403 PermissionDenied (a proper ZGW fout) — i.e. auth is enforced.
Note: the S-01 acceptance says "401", but OpenZaak's ZGW APIs return 403
for missing/invalid JWT. Auth-enforced intent is met; the issue text
should be corrected to 403. Remaining S-01 work: BIG catalogus + zaaktype
seed + JWT client (then list zaaktypen), and Open Notificaties — so this
refs (not closes) #10.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>