paliad

m/paliad

Author	SHA1	Message	Date
mAi	7a359989a9	feat(db): t-paliad-218 — gap-tolerant migration runner with applied-set tracker Replaces the golang-migrate single-counter tracker with a hand-rolled runner over embed.FS that tracks applied state as a set in paliad.applied_migrations (version PK, name, applied_at, checksum). Closes the parallel-merge skip-hole the 2026-05-20 mig-103 incident exposed (m/paliad#44): a migration whose version is missing from applied_migrations runs on the next deploy regardless of which higher versions are already applied. Gaps are first-class. Slice 1 of the design at docs/design-migration-runner-applied-set-2026-05-20.md. All eight design decisions m-picked = inventor recommendation. Runner contract: - Ensure paliad schema → pg_advisory_lock(hash('paliad.applied_migrations')) → CREATE TABLE IF NOT EXISTS applied_migrations. - bootstrapFromLegacyTracker: if applied_migrations is empty and the legacy paliad.paliad_schema_migrations row is present and clean, INSERT rows 1..N for every on-disk version with checksum=NULL via ON CONFLICT DO NOTHING. Hard-fail if legacy tracker is dirty (operator must recover). - scanEmbeddedMigrations: hard-fail on two .up.sql files sharing a version prefix — the failure mode the post-mortem exposed. - checkNameAgreement: hard-fail on rename-after-apply mismatch (disk name for an already-applied version != DB name). - applyOne: SQL body + INSERT(version, name, now(), sha256(file_bytes)) in one transaction. All-or-nothing per migration. Checksums populated on apply for future drift detection; rows backfilled from the legacy tracker carry NULL (we can't fabricate a hash for what golang-migrate applied historically). Verify-on-deploy intentionally deferred to a focused follow-up — single if-block flip when m wants it. Up-only runner. .down.sql files stay in embed.FS as reference; manual roll-back path is psql + DELETE FROM paliad.applied_migrations WHERE version=N. Zero call sites for migrate.Down in the codebase today. Drops github.com/golang-migrate/migrate/v4 from go.mod (no other importers; verified via grep). Tests: - internal/db/migrate_test.go: TestMigrations_DryRun walks pending = on_disk \\ applied (read from paliad.applied_migrations, missing-table → empty set), runs each in BEGIN/ROLLBACK against the scratch DB. - cmd/server/main_smoke_test.go: TestBootSmoke asserts the applied set equals the on-disk set exactly (not just max-version-match) — catches the skip class the post-mortem documented. Dirty-flag check removed (rows are committed or absent, not 'dirty'). - All 45 service-test call sites of db.ApplyMigrations work unchanged (same signature, same fresh-DB behavior). Follow-up: mig 108_drop_legacy_trackers (DROP paliad.paliad_schema_migrations and public.paliad_schema_migrations) after one or two deploys of burn-in on this slice.	2026-05-20 12:59:16 +02:00
mAi	28c7215458	feat(export): t-paliad-214 Slice 1 backend — personal sync export endpoint + xlsx/json/csv writer Adds GET /api/me/export streaming a deterministic .zip bundle of the caller's RLS-visible projection (per design §2.3): projects, deadlines, appointments, parties, notes, documents (metadata), audit events, approval requests, checklist instances + personal sidecars (me row, caldav config without ciphertext, views, pins, card layouts, paliadin turns) + reference data (proceeding_types, event_types, deadline_rules, courts, countries, holidays …) + restricted users_referenced sheet. Bundle shape: paliad-export.xlsx + paliad-export.json + per-sheet CSVs (UTF-8 BOM, RFC 4180) + README.txt + __meta.json. Outer zip is byte-deterministic — sorted file list, fixed Modified time on every entry, sorted JSON keys. Two runs at same row-state → identical bytes. ExportService.WritePersonal owns the SQL recipe + column discovery + PII deny-regex (?i)secret\|token\|password\|api[_-]?key\|private[_-]?key + per-sheet DropColumns belt-and-braces (e.g. user_caldav_config .password_encrypted explicitly dropped on top of the regex). Audit row written to paliad.system_audit_log before the run, patched with row_counts + file_size_bytes after. Migration 102 creates paliad.system_audit_log (generic event_type + actor_id/email + scope + scope_root + metadata jsonb). Idempotent CREATE TABLE IF NOT EXISTS + indexes; RLS enabled with self-read + admin-read policies. AuditService.ListEntries gains a 6th UNION branch so the new table surfaces on /admin/audit-log. excelize/v2 added to go.mod for xlsx generation. Pure-function tests pin formatCellValue value-coercion, PII regex, CSV quoting + BOM + umlaut survival, JSON shape, meta key order stability, filename slugify, and byte-determinism of the bundle assembly. Design: docs/design-paliad-data-export-2026-05-19.md §7 Slice 1.	2026-05-19 12:51:52 +02:00
m	3e20806aee	fix(security): verify JWT signatures + plug 4 other critical gaps (t-paliad-016) C-1. Session JWT signature verification (authZ bypass fix) - Add SUPABASE_JWT_SECRET env var; fail-fast at startup if unset. - auth.Client.VerifyToken uses github.com/golang-jwt/jwt/v5 to verify HS256 signatures, reject alg=none, enforce exp/nbf/iat. - Middleware stores verified claims in request context; WithUserID reads only verified claims (no more raw-cookie sub decoding). - API requests get 401 on missing/invalid token (was 302 redirect). - Refresh flow only runs on expiry; other signature failures reject outright and clear cookies. C-2. Dashboard Termine cross-user privacy leak - dashboard_service.loadUpcomingAppointments now mirrors TerminService.canSee: personal Termine (akte_id IS NULL) are creator-only; admins do NOT see other users' personal Termine. C-3. Role gate on Parteien + Termine mutations - ParteienService.Delete now partner/admin only (matches FristService). - TerminService.Update / Delete on Akte-linked Termine now require partner/admin (or the original creator). Personal Termine stay creator-only. C-4. Email gate → ALLOWED_EMAIL_DOMAINS whitelist - isHoganLovellsEmail → isAllowedEmailDomain reading the env var (default: hoganlovells.com,hlc.com,hlc.de). Case-insensitive, whitespace-tolerant. - login.tsx placeholder: name@hoganlovells.com → name@hlc.com - Error strings + login.hint (de/en) rewritten for HLC branding. C-5. Docker compose env wiring - docker-compose.yml gains SUPABASE_JWT_SECRET, CALDAV_ENCRYPTION_KEY, and ALLOWED_EMAIL_DOMAINS passthrough; commented-out ANTHROPIC_API_KEY line for Phase H readiness. Tests - auth_test.go: valid/wrong-secret/expired/alg-none/missing-sub/garbage token cases for VerifyToken. - handlers/auth_test.go: default + env-override cases for the email whitelist. - go build ./..., go vet ./..., go test ./... all clean.	2026-04-18 02:23:50 +02:00
m	bcc4939af2	feat(services): Phase B — sqlx pool, services, Akten/Frist endpoints Implements docs/design-kanzlai-integration.md §8 Phase B. Pool & infrastructure: - internal/db/pool.go — sqlx connection pool via DATABASE_URL (lazy, sync.Once, returns nil if unset) - cmd/server/main.go wires pool + services on startup; skips gracefully if DATABASE_URL unset (existing endpoints still work) Services (internal/services/): - holidays.go — ported from KanzlAI. Audit §1.6 fix: replaces unguarded map with sync.Map of yearEntry (sync.Once per year), race-safe under concurrent readers. - deadline_calculator.go — ported. days/weeks/months + before/after timing + holiday/weekend adjustment via HolidayService. - deadline_rule_service.go — ported, DB-backed. List, GetRuleTree, GetFullTimeline (recursive CTE for cross-type spawns), GetByIDs, ListProceedingTypes. - user_service.go — reads paliad.users; GetByID returns (nil, nil) for users who haven't onboarded yet (safe default = no visibility). - akte_service.go — new. Office-scoped visibility enforced at the app layer (defense-in-depth alongside RLS). ListVisibleForUser uses the visibility predicate directly in SQL so indexes can drive the query. Create/Update/Delete enforce role gates: associates can only create in their own office * only admins can move an Akte between offices * only partners/admins can toggle firm_wide_visible * only partners/admins can delete (soft, status='archived') Writes an akten_events row on create, status change, firm-wide toggle, collaborator change. - parteien_service.go — ported. Visibility inherited from the parent Akte via AkteService.GetByID gate. Sentinel errors: - services.ErrNotVisible → handlers return 404 (never leak existence) - services.ErrForbidden → 403 - services.ErrInvalidInput → 400 Auth context: - internal/auth/user.go — WithUserID middleware extracts the `sub` claim from the Supabase JWT session cookie and injects uuid.UUID into the request context. Runs after Client.Middleware (which already validated the cookie expiry). Handlers use auth.UserIDFromContext(). Handlers (internal/handlers/): - akten.go — full CRUD for /api/akten + /api/akten/{id}/parteien. All require DB configured (503 otherwise) and authenticated user (401 otherwise). Returns 404 for non-visible IDs. - deadline_rules_db.go — GET /api/deadline-rules, GET /api/proceeding-types-db, POST /api/deadlines/calculate. The /api/deadlines/calculate endpoint lives alongside the existing in-memory /api/tools/fristenrechner; Phase C swaps the UI over and deletes the in-memory rule tree. - handlers.Register now takes an optional Services bundle; when DATABASE_URL unset the DB-backed endpoints return 503 with a clear error message. Tests (internal/services/): - holidays_test.go — Easter algorithm (5 years spot-checked), German federal holidays, weekend + Neujahr adjustment, concurrent cache reads under -race. - deadline_calculator_test.go — days/weeks/months calc, before timing, Karfreitag→Ostermontag skip (lands on Tue 2026-04-07), batch with zero-duration rule. - akte_service_test.go — live DB test behind `TEST_DATABASE_URL` (skip otherwise). Verifies 4-Akte × 3-user visibility model AND role enforcement (associate can't delete, can't cross-office-create, invalid office rejected). Manual verification: - `go build ./...` + `go vet ./...` clean - `go test ./internal/services/ -race` passes (DB tests skip without URL) - With TEST_DATABASE_URL set, all visibility + role tests pass - Live HTTP smoke test with forged JWT cookie: /api/deadline-rules returns 40 rules * /api/proceeding-types-db returns 7 types * /api/deadlines/calculate INF + 2026-04-15 returns calculated deadlines * /api/akten returns [] (user has no paliad.users row yet — safe default) * /login, / still work (no regressions)	2026-04-16 14:25:55 +02:00
m	1b2ef28334	feat(db): Phase A — paliad schema, RLS, migrations, golang-migrate Implements docs/design-kanzlai-integration.md §8 Phase A. Schema (paliad.): - users (extends auth.users) with office, practice_group, role - akten with visibility columns: owning_office, collaborators uuid[], firm_wide_visible (per design §2) - parteien, fristen, termine, dokumente, akten_events, notizen (polymorphic notes; notizen_exactly_one_parent CHECK) - proceeding_types, deadline_rules, holidays (reference data) - 4 feedback tables re-namespaced from public. into paliad.* (handler swap to direct DB is a follow-up; old public tables stay intact for now and continue serving via PostgREST) Visibility (paliad.can_see_akte): - single SQL function, used by every RLS policy - predicate: firm_wide_visible OR owning_office matches user's office OR auth.uid() ∈ collaborators OR user is admin - mirrored at app layer in Phase B (defense in depth) RLS (real, not permissive): - akten: visibility predicate; insert restricted to own office or admin; delete restricted to partners + admins - parteien/fristen/dokumente/akten_events: inherit via can_see_akte(akte_id) - termine: personal (akte_id NULL) visible only to creator; Akte-linked follow visibility predicate - notizen: paliad.notiz_is_visible() resolves polymorphic parent - reference tables: SELECT for any authenticated user - users: SELECT all; UPDATE/INSERT only self - feedback tables: INSERT for any authenticated user (write-only) Seed data (ported from KanzlAI seed_upc_timeline.sql): - 7 proceeding_types (INF, REV, CCR, APM, APP, AMD, ZPO_CIVIL) - 40 deadline_rules (32 UPC + 4 ZPO + 4 cross-type appeal spawns) including conditional logic: Reply rule code (RoP.029b → 029a) and Rejoinder duration (1mo → 2mo) flip when CCR active - 55 holidays (DE federal 2026/2027 + UPC summer 2026 + UPC winter 26/27) Indexes per audit §3.3 + visibility-predicate hot paths: - akten: (status, owning_office), (owning_office), partial on firm_wide_visible, GIN on collaborators - fristen: (status, due_date), (akte_id) - termine: (start_at), (akte_id) - akten_events: (akte_id, created_at DESC) - notizen: 4 partial indexes per parent type - users: (office), (role) Migration tooling: - golang-migrate/migrate/v4 with embed.FS source - Migrations live in internal/db/migrations/ (Go embed can't reach outside the package; this is the conventional Go layout for embedded migrations) - Applied at server startup before HTTP listener binds - DATABASE_URL is optional today (existing knowledge tools work without DB); becomes required once Phase B services land - Mock Supabase auth schema for local testing in internal/db/migrations/_dev/mock_supabase_auth.sql (excluded from embed pattern by the underscore prefix) Other changes: - Dockerfile: bump golang to 1.24, copy go.sum (audit §2.9), rename binary patholo → paliad - docker-compose.yml: add DATABASE_URL passthrough - README.md: rewritten to reflect Paliad brand + Phase A migration system Verified locally: - 11 migrations applied cleanly against postgres:16-alpine - RLS enabled on all 15 paliad.* tables (verified via pg_class.relrowsecurity) - Visibility predicate verified with 4-case scenario: - Alice (Munich associate): sees Munich + firm-wide + collab-on (t f t t) - Bob (Düsseldorf associate): sees Düsseldorf + firm-wide + collab-on (f t t t) - Carol (Munich partner): sees Munich + firm-wide only (t f t f) - Anonymous: sees firm-wide only (f f t f) - migrate down + re-up cycle clean (initial 007 down had ordering bug, fixed: drop policies before referenced function) - Existing endpoints (/, /login) return 302 + 200 — no regressions	2026-04-16 13:54:19 +02:00

5 Commits