(llm-first): context budget, validation, and eval harness, orchestration general-prompt
This commit is contained in:
MaKarin
@@ -1,79 +1,95 @@
|
||||
# Auth Rules
|
||||
|
||||
This repository keeps the current LLM-first CRUD generation architecture as the primary working baseline.
|
||||
<!-- prompt-version: 2.0 -->
|
||||
<!-- applies-to: client/src/auth/, server/src/auth/, toir-realm.json -->
|
||||
<!-- validated-by: tools/validate-generation.mjs §validateAuthChecks §validateRealmChecks -->
|
||||
|
||||
- Auth is part of the default generation path, not a post-generation addon.
|
||||
- `server/` is the active backend target output path.
|
||||
- `client/` is the active frontend target output path.
|
||||
- The generated runtime stays SPA + API + external Keycloak + PostgreSQL only.
|
||||
Use this document during the **Auth / Runtime / Realm** stage defined in `prompts/general-prompt.md`.
|
||||
|
||||
## Frontend auth invariants
|
||||
## Purpose
|
||||
|
||||
- Use `keycloak-js` with redirect-based login only.
|
||||
- Initialize Keycloak before rendering the SPA.
|
||||
- Use Authorization Code Flow + PKCE (`S256`).
|
||||
- Keep `authProvider`, `dataProvider`, `getIdentity()`, `getPermissions()`, and `checkError()` as stable provider seams.
|
||||
- Derive identity from token claims already present in the parsed token.
|
||||
- Do not call `loadUserProfile()` and do not depend on `/account` for the baseline app.
|
||||
- `401` must force re-authentication; `403` must stay an authorization error.
|
||||
- Keep token handling in memory and refresh through one shared in-flight operation.
|
||||
Generate and preserve the auth contracts that let the CRUD app run as a React Admin SPA backed by a NestJS API protected by external Keycloak.
|
||||
|
||||
## Working runtime defaults
|
||||
## Mandatory Inputs
|
||||
|
||||
Use the already working project defaults unless a prompt explicitly overrides them.
|
||||
- `prompts/general-prompt.md`
|
||||
- `prompts/runtime-rules.md`
|
||||
- current repository auth/runtime defaults
|
||||
|
||||
- Frontend Keycloak base URL example:
|
||||
- `VITE_KEYCLOAK_URL=https://sso.greact.ru`
|
||||
- Frontend realm and client example:
|
||||
- `VITE_KEYCLOAK_REALM=toir`
|
||||
- `VITE_KEYCLOAK_CLIENT_ID=toir-frontend`
|
||||
- Backend issuer and audience example:
|
||||
- `KEYCLOAK_ISSUER_URL=https://sso.greact.ru/realms/toir`
|
||||
- `KEYCLOAK_AUDIENCE=toir-backend`
|
||||
- CORS example:
|
||||
- `CORS_ALLOWED_ORIGINS=http://localhost:5173,https://toir-frontend.greact.ru`
|
||||
## Expected Outputs
|
||||
|
||||
Anti-regression rule:
|
||||
- `client/src/auth/`
|
||||
- `client/src/dataProvider.ts`
|
||||
- `server/src/auth/`
|
||||
- `toir-realm.json`
|
||||
|
||||
- Do not switch the baseline Keycloak example back to `http://localhost:8080` in generated `.env.example` files unless the prompt explicitly asks for a local Keycloak runtime.
|
||||
- Localhost Keycloak values may exist in private `.env.local` or `.env` overrides, but they are not the default project examples.
|
||||
## Frontend Auth Invariants
|
||||
|
||||
## Backend auth invariants
|
||||
- use `keycloak-js` with redirect-based login only
|
||||
- initialize Keycloak before rendering the SPA
|
||||
- use Authorization Code Flow + PKCE (`S256`)
|
||||
- keep `authProvider`, `dataProvider`, `getIdentity()`, `getPermissions()`, and `checkError()` as stable seams
|
||||
- derive identity from token claims already present in the token
|
||||
- do not call `loadUserProfile()`
|
||||
- `401` forces re-authentication; `403` remains an authorization error
|
||||
- keep token handling in memory with one shared in-flight refresh path
|
||||
|
||||
- Verify JWTs with `jose`.
|
||||
- Validate issuer + audience + signature via JWKS.
|
||||
- Resolve JWKS in this order:
|
||||
## Backend Auth Invariants
|
||||
|
||||
- verify JWTs with `jose`
|
||||
- validate issuer, audience, and signature via JWKS
|
||||
- resolve JWKS in this order:
|
||||
1. `KEYCLOAK_JWKS_URL`
|
||||
2. OIDC discovery at `/.well-known/openid-configuration`
|
||||
3. `${issuer}/protocol/openid-connect/certs`
|
||||
- Extract roles only from `realm_access.roles`.
|
||||
- Keep `/health` public and all generated CRUD routes protected by default.
|
||||
- extract roles only from `realm_access.roles`
|
||||
- keep `/health` public
|
||||
- generated CRUD routes stay protected by default
|
||||
|
||||
## Auth anti-regression invariants
|
||||
## Working Runtime Defaults
|
||||
|
||||
- The accepted JWKS resolution chain above is the only baseline truth path. Do not document one order and implement another.
|
||||
- If auth implementation changes, `prompts/auth-rules.md` and `prompts/validation-rules.md` must be updated in the same change.
|
||||
- Do not skip OIDC discovery when no explicit `KEYCLOAK_JWKS_URL` is provided.
|
||||
- Do not switch role extraction to alternative claims unless the prompt explicitly changes the baseline contract.
|
||||
- Do not reintroduce localhost Keycloak defaults into shared baseline examples.
|
||||
Keep these defaults unless a task explicitly overrides them:
|
||||
|
||||
## Realm artifact contract
|
||||
- `VITE_KEYCLOAK_URL=https://sso.greact.ru`
|
||||
- `VITE_KEYCLOAK_REALM=toir`
|
||||
- `VITE_KEYCLOAK_CLIENT_ID=toir-frontend`
|
||||
- `KEYCLOAK_ISSUER_URL=https://sso.greact.ru/realms/toir`
|
||||
- `KEYCLOAK_AUDIENCE=toir-backend`
|
||||
- `CORS_ALLOWED_ORIGINS=http://localhost:5173,https://toir-frontend.greact.ru`
|
||||
|
||||
- A physical root-level `*-realm.json` artifact is mandatory output.
|
||||
- The artifact must be importable, versioned, and aligned with generated backend/frontend env contracts.
|
||||
- It must parameterize:
|
||||
Anti-regression rule:
|
||||
|
||||
- do not revert shared examples to localhost Keycloak defaults unless a task explicitly requests a local Keycloak baseline
|
||||
|
||||
## Realm Artifact Contract
|
||||
|
||||
The root realm artifact is mandatory and must:
|
||||
|
||||
- be importable and versioned
|
||||
- align with generated frontend/backend env contracts
|
||||
- parameterize:
|
||||
- realm name
|
||||
- frontend client id
|
||||
- backend client id / audience
|
||||
- local and production frontend URLs
|
||||
- artifact filename
|
||||
- It must explicitly deliver:
|
||||
- explicitly deliver:
|
||||
- `sub`
|
||||
- `aud`
|
||||
- `realm_access.roles`
|
||||
- It must define:
|
||||
- define:
|
||||
- realm roles `admin`, `editor`, `viewer`
|
||||
- a public SPA client with PKCE S256
|
||||
- a bearer-only backend client
|
||||
- an explicit audience client scope
|
||||
- explicit protocol mappers for baseline identity and role claims
|
||||
- protocol mappers for baseline identity and role claims
|
||||
|
||||
## Completion Expectations
|
||||
|
||||
Auth/runtime generation is incomplete if any of the following is true:
|
||||
|
||||
- frontend and backend auth seams drift from each other
|
||||
- JWKS resolution order changes
|
||||
- `/health` stops being public
|
||||
- shared Keycloak defaults regress to localhost examples
|
||||
- the realm artifact no longer matches backend/frontend expectations
|
||||
|
||||
Reference in New Issue
Block a user