feat(brief): WP-18 — ABAC capability spine (PRD-0002 phase P1)

Replace the FE-computed authorization anti-pattern in BriefStore.editable
(derived from the unverified X-Role header) with server-computed decision
flags, mirroring the existing HerregistratieDecisionsDto pattern:

- Backend: Authz.cs is the single authorization helper — the SAME check
  (Authz.CanActOn) both gates BriefStore.Review's mutations and computes
  the BriefDecisionsDto flags shipped on every brief response, so emit
  and enforce can never drift. New GET /me returns coarse, role-derived
  capabilities (PRD-0002 SS6).
- Every brief endpoint (including send, previously ungated on HttpContext)
  now returns a fresh BriefViewDto so decisions never go stale after a
  mutation.
- FE: brief.store.ts reads canEdit/canApprove/canReject/canSend off the
  loaded decisions instead of computing them from currentRole(); the
  brief.machine carries decisions through every status transition.
- New shared/domain/capability.ts + shared/application/access.store.ts +
  shared/infrastructure/me.adapter.ts: the general capability-spine
  infrastructure (AccessStore.can(), capabilityGuard) for future routes.

Deviates from the original WP-18 draft by NOT renaming auth/domain's
Session to a Principal union — ADR-0002 explicitly defers that refactor
until a second actor exists, and the brief workflow's drafter/approver
identity turned out to be a separate axis from the SSP login session
entirely. See docs/backlog/WP-18-abac-capability-spine.md for the full
as-built record.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-03 20:31:53 +02:00
parent cbb8ae548c
commit 7ec13d8b59
26 changed files with 4520 additions and 3185 deletions

View File

@@ -641,6 +641,25 @@
}
}
},
"/api/v1/me": {
"get": {
"tags": [
"BigRegister.Api, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
],
"responses": {
"200": {
"description": "OK",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/MeDto"
}
}
}
}
}
}
},
"/api/v1/brief": {
"get": {
"tags": [
@@ -679,7 +698,7 @@
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/BriefDto"
"$ref": "#/components/schemas/BriefViewDto"
}
}
}
@@ -719,7 +738,7 @@
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/BriefDto"
"$ref": "#/components/schemas/BriefViewDto"
}
}
}
@@ -758,7 +777,7 @@
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/BriefDto"
"$ref": "#/components/schemas/BriefViewDto"
}
}
}
@@ -807,7 +826,7 @@
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/BriefDto"
"$ref": "#/components/schemas/BriefViewDto"
}
}
}
@@ -846,7 +865,7 @@
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/BriefDto"
"$ref": "#/components/schemas/BriefViewDto"
}
}
}
@@ -1030,6 +1049,24 @@
},
"additionalProperties": false
},
"BriefDecisionsDto": {
"type": "object",
"properties": {
"canEdit": {
"type": "boolean"
},
"canApprove": {
"type": "boolean"
},
"canReject": {
"type": "boolean"
},
"canSend": {
"type": "boolean"
}
},
"additionalProperties": false
},
"BriefDto": {
"type": "object",
"properties": {
@@ -1123,6 +1160,9 @@
"$ref": "#/components/schemas/LibraryPassageDto"
},
"nullable": true
},
"decisions": {
"$ref": "#/components/schemas/BriefDecisionsDto"
}
},
"additionalProperties": false
@@ -1469,6 +1509,19 @@
},
"additionalProperties": false
},
"MeDto": {
"type": "object",
"properties": {
"capabilities": {
"type": "array",
"items": {
"type": "string"
},
"nullable": true
}
},
"additionalProperties": false
},
"ParagraphDto": {
"type": "object",
"properties": {