The happy path clicked Goedkeuren and immediately navigated to the openbaar register, which
cancelled the in-flight POST /behandel/registrations/{id}/decide (nginx 499) — the decision
never reached the domain, so the registration stayed INGEDIEND and the final INGESCHREVEN
assertion failed. Wait for the decide response (204) before navigating away.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the behandel service (:8142, nginx → BFF, depends on Keycloak for the medewerker realm) to
docker-compose, add it to the smoke's WAIT_SVCS and the CI failure-log dump.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The walking-skeleton happy path now drives the real S-12 flow: after submit, a behandelaar logs
in to the behandel portal (medewerker realm), finds the registration in the werkbak by its
reference, and clicks Goedkeuren — replacing the temporary domain admin endpoint. Treat the
behandel origin as secure too, for its PKCE login.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Scaffold apps/behandel (mirrors self-service): medewerker-realm OIDC login, the werkbak page
listing registrations awaiting beoordeling (GET /behandel/werkbak) with goedkeuren/afwijzen
actions (POST /behandel/registrations/{id}/decide) that refresh the list, plus Dockerfile and
same-origin nginx reverse proxy for /behandel/ (ADR-0013; S-12).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drives the behandel-portal frontend: the werkbak lists registrations awaiting beoordeling, a
decision (goedkeuren/afwijzen) posts to the BFF and refreshes, an empty werkbak and a load
failure are surfaced, the page is WCAG 2.1 AA clean, and the medewerker token attaches to the
relative /behandel/ calls (and not to the anonymous openbaar register).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The behandel-portal authenticates staff against the Keycloak `medewerker` realm. Add
MedewerkerAuthService (reads nested realm_access.roles), provideMedewerkerAuth, a roles/hasRole
surface on the shared AuthService, and a realm-roles protocol mapper so the frontend can read
the behandelaar/teamlead roles from the token. Per ADR-0013 the BFF remains the security boundary.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>