Files
apf_portal/docs/decisions
Julien Gautier 875d61d858
CI / scan (pull_request) Successful in 4m45s
CI / commits (pull_request) Successful in 4m46s
CI / check (pull_request) Successful in 5m12s
CI / a11y (pull_request) Successful in 4m19s
Docs site / build (pull_request) Successful in 5m38s
CI / perf (pull_request) Successful in 9m8s
feat(portal-bff): audit-stats endpoint — server-side aggregations with redis cache
PR 1 of the tabs + full-result charts chantier. New BFF endpoint
that powers the upcoming "Charts" tab on portal-admin's /audit page
with aggregations computed over the FULL filtered set rather than
the paginated slice that currently feeds the charts.

New route: GET /api/admin/audit/stats
  * Same query DTO shape as /audit (AdminAuditStatsQueryDto)
    minus pagination — stats endpoint always aggregates the whole
    filtered set.
  * Returns three projections:
    - dailyVolume: [{day: 'YYYY-MM-DD', count}]
    - outcomeBreakdown: [{outcome, count}]
    - eventTypeByDay: [{day, eventType, count}]
    + total (sum of dailyVolume.count) for the donut centre label.
  * Time bound: respects filters strictly (per chantier brief). No
    filter → aggregates across the full audit retention (365 days
    per ADR-0013). The Redis cache below absorbs repeated heavy
    queries.

New service: AuditStatsReader
  * Same role-locking posture as AuditReader — every query inside
    a transaction that opens with SET LOCAL ROLE audit_reader.
    SELECT-only on audit.events even if the BFF connection is
    otherwise privileged.
  * Parameterised SQL only. Filter values flow through positional
    parameters, never concatenated into the SQL string.
  * Three GROUP BY queries scoped by the same WHERE clause as the
    list endpoint's buildWhere (kept structurally in sync by
    convention, not extracted yet because the two readers'
    pagination shapes differ).

Redis cache: 5-min TTL per filters-hash
  * Cache key = `audit:stats:` + sha256(canonical-JSON of filters)
    truncated to 16 hex chars. Sorted-keys canonicalisation so the
    same filters in different argument orders map to the same
    key.
  * Cache writes are best-effort — Redis-write failure does not
    fail the response. The DB read already happened.
  * Spec covers: cache-hit path skips DB, cache-key stability across
    key ordering, write happens with EX 300, write failure tolerance.

Audit event: admin.audit.stats.query
  * New typed AuditWriter method (mirrors adminAuditQuery but
    captures `total` instead of `resultCount` — stats responses
    don't paginate, the value carries more "size of scan" signal).
  * Emitted on every stats call per ADR-0020's read-deterrence
    posture. Distinct event_type from admin.audit.query so an
    auditor can spot "scanned aggregations" vs "paged through
    rows" — different observation signals.

ADR-0013 amended (light): new "Reader endpoints" subsection
documents the two-endpoint reader surface + Redis cache caveat.
The events table grows four rows it was previously missing
(admin.access_denied, admin.audit.query, admin.audit.stats.query,
admin.users.query).

Verification:
  * 414 portal-bff specs pass (was 401; +13: 8 service-level + 5
    controller-level).
  * `pnpm nx lint test build --projects=portal-bff` — green.

PR 2 (SPA) lands next: Tabs UX (Table / Charts) + replaces the
client-side per-page computeds with consumption of this endpoint.
2026-05-16 23:07:51 +02:00
..

Architectural Decision Records

This project records architecturally-significant decisions as ADRs in the MADR 4.0.0 format. References: adr.github.io.

Why ADRs

ADRs capture the why behind a decision — context, drivers, options considered, trade-offs accepted — at the moment the decision is made. They make architecture reviewable, onboarding faster, and prevent the same debate from being re-litigated later.

Conventions

  • Format: MADR 4.0.0. Start from template.md.
  • Filename: NNNN-kebab-case-title.md, e.g. 0007-adopt-tailwind-for-design-tokens.md.
  • Numbering: globally sequential 4-digit prefix. Numbers never reset, never get reused — even when an ADR is superseded or deprecated.
  • Layout: flat folder. ADRs are not nested into category subfolders; topical organization happens via tags.
  • Tags: every ADR carries a tags: array in the MADR frontmatter, drawn from the tag vocabulary below. An ADR may carry several tags. Propose new tags (or renames) in the same PR that needs them; never invent ad-hoc tags inline.
  • Status lifecycle: proposedaccepted → optionally deprecated or superseded by [ADR-NNNN](NNNN-other.md). Update the YAML frontmatter; never delete an ADR.
  • Index maintenance: every ADR addition or status change must update the Index below in the same commit.

When to write an ADR

Write one whenever a development decision is non-trivial: tool or library choice, framework pattern, security control, perf budget, a11y target, naming convention, deprecation, breaking change, or any choice that future contributors would benefit from understanding the why of.

Tag vocabulary

The vocabulary below is the source of truth. It is intentionally coarse — propose extensions only when an existing tag genuinely doesn't fit, and avoid overly narrow tags.

Tag Scope
frontend UI, Angular, components, design system, client-side state
backend API, BFF, server-side services
security AuthN, AuthZ, sessions, CSP, dependency scanning, secret management
performance Perf budgets, caching, bundle size, Lighthouse
accessibility WCAG, a11y testing, keyboard, ARIA, contrast
infrastructure CI/CD, hosting, deployment, runtime
observability Logs, metrics, traces, correlation IDs, monitoring
data Persistence, schemas, migrations, data flow
process Team conventions, workflows, repo policy

Status: starter vocabulary, to be refined as ADRs accumulate. Update this table whenever a tag is added, renamed, or retired.

Index

ADRs are listed in numerical order. To slice by topic, filter on the Tags column.

# Title Status Tags Date
0001 Use ADRs to record architectural decisions accepted process 2026-04-29
0002 Adopt Nx monorepo with the apps preset accepted infrastructure, frontend, backend 2026-04-29
0003 Workspace and app naming convention accepted process 2026-04-29
0004 Frontend stack — Angular (latest LTS), standalone, zoneless, Signals, CSR-only, Vitest accepted frontend 2026-04-29
0005 Backend stack — NestJS over Express, Fastify, Hono accepted backend 2026-04-29
0006 Persistence — PostgreSQL with Prisma accepted data, backend 2026-04-29
0007 Pre-commit hooks and Conventional Commits accepted process 2026-04-29
0008 Identity model — multi-tenant Entra ID for workforce, dual-audience design for future External ID accepted security, data 2026-04-29
0009 Authentication flow — OIDC Authorization Code + PKCE via MSAL Node, BFF session pattern accepted security, backend 2026-04-29
0010 Session management — opaque session IDs in cookies, payload in self-hosted Redis with AES-GCM at rest accepted security, backend, infrastructure 2026-04-29
0011 MFA enforcement — Entra ID Conditional Access baseline, BFF claim sanity-check, step-up hooks designed-in accepted security 2026-04-29
0012 Observability — Pino structured logs + OpenTelemetry tracing, W3C Trace Context propagation, stdout + collector accepted observability, backend, frontend 2026-04-29
0013 Audit trail — separated append-only Postgres schema, decoupled from app logs accepted security, observability, data 2026-04-29
0014 Downstream API access — On-Behalf-Of pattern, unified DownstreamApiClient, audience-aware authorization accepted security, backend 2026-04-29
0015 CI/CD pipeline — Gitea Actions, trunk-based + squash-merge, thin YAML over portable scripts accepted infrastructure, process 2026-04-30
0016 Accessibility baseline — WCAG 2.2 AA + targeted AAA, Angular CDK + spartan-ng + Tailwind, APF panel testing accepted accessibility, frontend, process 2026-04-30
0017 Performance budgets — Core Web Vitals + Lighthouse CI gates, bundle budgets, BFF p95/p99 SLOs accepted performance, frontend, backend, process 2026-04-30
0018 Environment configuration — Angular environment.ts, BFF env vars, audit pool split accepted frontend, backend, infrastructure, process 2026-05-10
0019 Internationalisation — @angular/localize, build-time per-locale bundles, /fr + /en path-based routing accepted frontend, accessibility, performance, process 2026-05-11
0020 portal-admin — dedicated SPA for portal administration, sharing the existing BFF accepted frontend, backend, security, infrastructure, process 2026-05-11
0021 Phase-2 security baseline — helmet, CORS allowlist, double-submit CSRF, rate limiting, structured error envelope accepted security, backend 2026-05-13
0022 Documentation site — VitePress + Mermaid plugin, separate static deployment accepted process, infrastructure 2026-05-15
0023 Charts + dashboards — D3 + Observable Plot wrapped in libs/shared/charts accepted frontend, accessibility, performance 2026-05-16