Client-scoped read-only access to pal-e-docs project boards #13

New issue

Closed

opened 2026-05-09 20:27:40 +00:00 by forgejo_admin · 2 comments

forgejo_admin commented

2026-05-09 20:27:40 +00:00

Contributor

Type

Spike

Resolution

Option B — pal-enterprises proxy pattern. Decision documented in arch-multi-tenant. Follow-up feature ticket: #17.

Clients access their project board through pal-enterprises, which fetches data from pal-e-docs internally and renders a read-only view. Keycloak project_slug user attribute maps client to project. pal-e-docs stays internal.

All success criteria met:

Architecture decision documented with rationale
Keycloak role mapping strategy defined
Follow-up feature ticket created (#17)

### Type Spike ### Resolution **Option B — pal-enterprises proxy pattern.** Decision documented in [arch-multi-tenant](https://pal-e-docs.tail5b443a.ts.net/note/arch-multi-tenant). Follow-up feature ticket: #17. Clients access their project board through pal-enterprises, which fetches data from pal-e-docs internally and renders a read-only view. Keycloak `project_slug` user attribute maps client to project. pal-e-docs stays internal. All success criteria met: - [x] Architecture decision documented with rationale - [x] Keycloak role mapping strategy defined - [x] Follow-up feature ticket created (#17)

forgejo_admin commented

2026-05-10 02:37:27 +00:00

Author

Contributor

Scope Review: NEEDS_REFINEMENT

Review note: review-1190-2026-05-09

Issue body is well-structured and matches the spike template fully. Two traceability gaps prevent READY status:

[SCOPE] story:client-portal is not listed in project-pal-enterprises user-stories table. Create the entry (Role: Client, Metric: "Can view project board and status updates without seeing other clients' data").
[SCOPE] No arch-multi-tenant architecture note exists in pal-e-docs. Create placeholder before spike begins -- the spike itself will populate it.
[BODY] Related section should reference Keycloak infra dependencies: pal-e-platform #357 (NetworkPolicy) and #358 (Keycloak infra).

## Scope Review: NEEDS_REFINEMENT Review note: `review-1190-2026-05-09` Issue body is well-structured and matches the spike template fully. Two traceability gaps prevent READY status: - **[SCOPE]** `story:client-portal` is not listed in `project-pal-enterprises` user-stories table. Create the entry (Role: Client, Metric: "Can view project board and status updates without seeing other clients' data"). - **[SCOPE]** No `arch-multi-tenant` architecture note exists in pal-e-docs. Create placeholder before spike begins -- the spike itself will populate it. - **[BODY]** Related section should reference Keycloak infra dependencies: `pal-e-platform #357` (NetworkPolicy) and `#358` (Keycloak infra).

forgejo_admin commented

2026-05-10 02:41:54 +00:00

Author

Contributor

Scope Review: READY

Review note: review-1190-2026-05-09 (updated)

Re-review after three refinements applied. All previous NEEDS_REFINEMENT issues resolved:

story:client-portal user story entry verified in project-pal-enterprises
arch-multi-tenant architecture note exists as placeholder
Related section now includes #357 and #358 (Keycloak infra dependencies)

Ticket is ready for next_up.

## Scope Review: READY Review note: `review-1190-2026-05-09` (updated) Re-review after three refinements applied. All previous NEEDS_REFINEMENT issues resolved: - `story:client-portal` user story entry verified in project-pal-enterprises - `arch-multi-tenant` architecture note exists as placeholder - Related section now includes #357 and #358 (Keycloak infra dependencies) Ticket is ready for next_up.