# OpenZaak runbook The OpenZaak stack (`infra/openzaak/docker-compose.yml`) is a lean adaptation of the upstream open-zaak dev compose: PostGIS db, redis, a one-shot init that runs migrations, the OpenZaak API, and a celery worker. ## Quick test (`make`) ```bash make openzaak-up # start the stack (first run pulls images + migrates: 1-3 min) make openzaak-smoke # start + assert it's up with auth enforced (403/302/200) make openzaak-down # stop and wipe data ``` `make openzaak-smoke` polls until the API responds, then asserts: | Check | Expected | |---|---| | `GET /zaken/api/v1/zaken` (no JWT) | **403** — `PermissionDenied` ZGW fout (auth enforced) | | `GET /admin/` | **302** — admin login redirect | | `GET /zaken/api/v1/` | **200** — ZGW API schema root | > **403, not 401.** OpenZaak's ZGW APIs return `403 PermissionDenied` for a missing > or invalid JWT. The S-01 acceptance text says "401" — that's inaccurate; 403 is the > correct auth-enforced response. The admin UI is at ; the dev superuser is **admin / admin** (from the compose env — dev only). ## Prerequisites (rootless Podman) Same setup as the rest of the repo (see [ci.md](ci.md)): ```bash systemctl --user start podman.socket # the Docker-API socket the shim talks to ``` The Makefile auto-points `DOCKER_HOST` at the Podman socket when it exists, so the `make openzaak-*` targets work without extra env. ## Notes - **Not in `make ci`.** The OpenZaak smoke is a separate, heavier check (large image pull + migrations); it is intentionally kept out of `make ci` so the core gate stays fast. Run `make openzaak-smoke` when you touch the OpenZaak stack. - **No catalogus/zaaktypen yet.** Seeding the `BIG` catalogus + `BIG-registratie` zaaktype and a JWT client is the next slice (**S-01-b**); authenticated zaaktype listing isn't testable until then. - **Image tag.** Currently `openzaak/open-zaak:latest` via `${OPENZAAK_TAG}`; pin to a known-good tag as part of the catalogus-design ADR.