keycloak init

generation/update-strategy.md

@@ -1,8 +1,40 @@
 # Update Strategy
 
-When DSL changes:
+When the DSL changes, regeneration must preserve the default auth-enabled runtime rather than falling back to CRUD-only output.
 
-1. Regenerate prisma.schema
-2. Run prisma migrate dev
-3. Regenerate Nest modules
-4. Regenerate React Admin resources
+## Required regeneration sequence
+
+1. Regenerate `prisma/schema.prisma`.
+2. Run `npx prisma migrate dev`.
+3. Regenerate NestJS entity modules, DTOs, controllers, and services.
+4. Regenerate backend auth infrastructure:
+   - `AuthModule`
+   - guards
+   - decorators
+   - typed authenticated principal
+   - typed config validation
+   - CRUD RBAC decorations
+5. Regenerate React Admin resources.
+6. Regenerate frontend auth infrastructure:
+   - `src/config/env.ts`
+   - `src/auth/keycloak.ts`
+   - `src/auth/authProvider.ts`
+   - authenticated `dataProvider.ts`
+   - `App.tsx` auth wiring
+   - `main.tsx` init-before-render flow
+7. Regenerate backend and frontend `.env.example` files so the auth env contract stays in sync.
+8. Regenerate the root-level Keycloak realm import artifact. The repository default example filename is `toir-realm.json`, but the generator must allow a project-specific equivalent.
+9. Re-run post-generation validation, including:
+   - auth dependency checks
+   - fail-fast env checks
+   - `/health` public check
+   - unauthenticated protected route -> `401`
+   - insufficient role -> `403`
+   - realm-template validation
+
+## Guardrails
+
+- Regeneration must not strip auth back out of the project.
+- Auth remains outside the DSL grammar, but it is part of the default generated runtime.
+- If a DSL change affects entities or routes, the generator must re-apply the default CRUD RBAC rules automatically.
+- If a DSL change affects runtime topology or naming, the generator must keep backend/frontend env examples, CORS rules, and the generated realm import artifact aligned with the generated app.