KIS-TOiR/generation/update-strategy.md

Update Strategy

When the DSL changes, regeneration must preserve the default auth-enabled runtime rather than falling back to CRUD-only output.

Required regeneration sequence

1. Regenerate prisma/schema.prisma.
2. Run npx prisma migrate dev.
3. Regenerate NestJS entity modules, DTOs, controllers, and services.
4. Regenerate backend auth infrastructure:
   • AuthModule
   • guards
   • decorators
   • typed authenticated principal
   • typed config validation
   • CRUD RBAC decorations
5. Regenerate React Admin resources.
6. Regenerate frontend auth infrastructure:
   • src/config/env.ts
   • src/auth/keycloak.ts
   • src/auth/authProvider.ts
   • authenticated dataProvider.ts
   • App.tsx auth wiring
   • main.tsx init-before-render flow
7. Regenerate backend and frontend .env.example files so the auth env contract stays in sync.
8. Regenerate the root-level Keycloak realm import artifact. The repository default example filename is toir-realm.json, but the generator must allow a project-specific equivalent.
9. Re-run post-generation validation, including:
   • auth dependency checks
   • fail-fast env checks
   • /health public check
   • unauthenticated protected route -> 401
   • insufficient role -> 403
   • realm-template validation

Guardrails

• Regeneration must not strip auth back out of the project.
• Auth remains outside the DSL grammar, but it is part of the default generated runtime.
• If a DSL change affects entities or routes, the generator must re-apply the default CRUD RBAC rules automatically.
• If a DSL change affects runtime topology or naming, the generator must keep backend/frontend env examples, CORS rules, and the generated realm import artifact aligned with the generated app.