# ADR-0003: ACL default-fill strategy - **Status:** Accepted - **Date:** 2026-06-04 - **Deciders:** Respellion engineering - **Relates to:** S-04 (#5); builds on ADR-0001 (loose coupling) ## Context The ACL is the only code that talks to ZGW APIs (ADR-0001 / CLAUDE.md §8.1). When the domain asks it to "open a zaak", the domain payload is intentionally free of ZGW specifics — it carries domain facts (e.g. the registrant's BSN), not OpenZaak fields. But OpenZaak's `POST /zaken` requires ZGW-mandatory fields: `bronorganisatie`, `verantwoordelijkeOrganisatie`, `startdatum`, `vertrouwelijkheidaanduiding`, and a `zaaktype` URL. Something has to supply those, and it must not leak into the domain. ## Decision **The ACL default-fills the ZGW-mandatory zaak fields; the domain never sees them.** - `bronorganisatie`, `verantwoordelijkeOrganisatie`, `vertrouwelijkheidaanduiding`, and the `zaaktype` URL come from **ACL configuration** (`AclDefaults` options) — not hardcoded, not from the domain. This keeps them operationally manageable (the beheer portal will edit them in S-15) and environment-specific (the seeded BIG zaaktype URL differs per env). - `startdatum` is derived from an injected **clock** (today's date), so it is deterministic in tests. - The mapping from domain payload → ZGW `ZaakRequest` lives entirely inside the ACL (`Application` builds the request from payload + defaults; `Infrastructure` serialises and POSTs it). No other service constructs ZGW payloads or URLs. ## Consequences - **Positive:** the domain stays ZGW-agnostic; ZGW knowledge is in one named place; defaults are config (testable, env-specific, later editable via the beheer portal). - **Cost:** the ACL must be configured per environment (the seeded zaaktype URL, the organisation RSINs). Missing/invalid config fails fast at the ACL boundary. - **Follow-ups:** mapping the BSN onto the zaak (eigenschap/rol), status transitions, and documents are explicitly out of scope for S-04 and get their own slices. ## Alternatives considered - **Defaults in the domain payload** — rejected: leaks ZGW concerns into the domain, violating ADR-0001. - **Hardcoded defaults in code** — rejected: not env-specific, not operationally editable.