From 6825cbde05b095b8137dd22854582d5ad05a1765 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20S=C3=A1nchez?=
Date: Fri, 19 Jun 2026 13:55:45 +0200
Subject: [PATCH] feat(dag): add the security platform to the framework graph

Register the 14 new fireflyframework-security-* platform modules (api, spi, core, webflux, resource-server, method-policy, oauth2-client, authorization-server, test, and the opa/cerbos/openfga/ vault/r2dbc adapters) in the dependency DAG and the clone list, with edges derived from each module's pom.xml. Also rename the five idp repos to their new security-idp[-*] coordinates. Without this, fwversion/release/setup skipped the entire security family and still referenced the old fireflyframework-idp* repo names.

Co-Authored-By: Claude Opus 4.8
---
 internal/dag/graph.go | 152 +++++++++++++++++++++++++--------------
 internal/setup/cloner.go | 24 +++++--
 2 files changed, 117 insertions(+), 59 deletions(-)

diff --git a/internal/dag/graph.go b/internal/dag/graph.go
index 0432223..0d8d637 100644
--- a/internal/dag/graph.go
+++ b/internal/dag/graph.go
@@ -23,10 +23,10 @@ import (
 
 // Graph represents a directed acyclic graph for dependency resolution.
 type Graph struct {
- nodes map[string]bool
- edges map[string]map[string]bool // edges[A][B] = true means A depends on B
- reverse map[string]map[string]bool // reverse[B][A] = true means B is depended upon by A
- ordered []string // insertion order for deterministic output
+ nodes map[string]bool
+ edges map[string]map[string]bool // edges[A][B] = true means A depends on B
+ reverse map[string]map[string]bool // reverse[B][A] = true means B is depended upon by A
+ ordered []string // insertion order for deterministic output
 }
 
 // New creates an empty graph.
@@ -240,8 +240,8 @@ func (g *Graph) Subgraph(nodes map[string]bool) *Graph {
 
 // dagJSON is the serialization format for ExportJSON.
 type dagJSON struct {
- Layers [][]string `json:"layers"`
- Edges map[string][]string `json:"edges"`
+ Layers [][]string `json:"layers"`
+ Edges map[string][]string `json:"edges"`
 }
 
 // ExportJSON exports the graph as JSON with layers and edges.
@@ -323,54 +323,69 @@ func FrameworkGraph() *Graph {
 
 // Aliases for readability
 const (
- parent = "fireflyframework-parent"
- bom = "fireflyframework-bom"
- kernel = "fireflyframework-kernel"
- utils = "fireflyframework-utils"
- validators = "fireflyframework-validators"
- plugins = "fireflyframework-plugins"
- cache = "fireflyframework-cache"
- cacheRedis = "fireflyframework-cache-redis"
- cacheHazelcast = "fireflyframework-cache-hazelcast"
- cacheJCache = "fireflyframework-cache-jcache"
- cachePostgres = "fireflyframework-cache-postgres"
- r2dbc = "fireflyframework-r2dbc"
- eda = "fireflyframework-eda"
- edaKafka = "fireflyframework-eda-kafka"
- edaRabbitMQ = "fireflyframework-eda-rabbitmq"
- edaPostgres = "fireflyframework-eda-postgres"
- cqrs = "fireflyframework-cqrs"
- eventsourcing = "fireflyframework-eventsourcing"
- orchestration = "fireflyframework-orchestration"
- client = "fireflyframework-client"
- web = "fireflyframework-web"
- core = "fireflyframework-starter-core"
- domain = "fireflyframework-starter-domain"
- data = "fireflyframework-starter-data"
- ecm = "fireflyframework-ecm"
- ecmEsigAdobe = "fireflyframework-ecm-esignature-adobe-sign"
- ecmEsigDocusign = "fireflyframework-ecm-esignature-docusign"
- ecmEsigLogalty = "fireflyframework-ecm-esignature-logalty"
- ecmStorageAWS = "fireflyframework-ecm-storage-aws"
- ecmStorageAzure = "fireflyframework-ecm-storage-azure"
- idp = "fireflyframework-idp"
- idpCognito = "fireflyframework-idp-aws-cognito"
- idpInternalDB = "fireflyframework-idp-internal-db"
- idpKeycloak = "fireflyframework-idp-keycloak"
- idpAzureAD = "fireflyframework-idp-azure-ad"
- notifications = "fireflyframework-notifications"
- notifFirebase = "fireflyframework-notifications-firebase"
- notifResend = "fireflyframework-notifications-resend"
- notifSendgrid = "fireflyframework-notifications-sendgrid"
- notifTwilio = "fireflyframework-notifications-twilio"
- ruleEngine = "fireflyframework-rule-engine"
- webhooks = "fireflyframework-webhooks"
- callbacks = "fireflyframework-callbacks"
- configServer = "fireflyframework-config-server"
- application = "fireflyframework-starter-application"
- backoffice = "fireflyframework-backoffice"
- observability = "fireflyframework-observability"
- agenticBridge = "fireflyframework-agentic-bridge"
+ parent = "fireflyframework-parent"
+ bom = "fireflyframework-bom"
+ kernel = "fireflyframework-kernel"
+ utils = "fireflyframework-utils"
+ validators = "fireflyframework-validators"
+ plugins = "fireflyframework-plugins"
+ cache = "fireflyframework-cache"
+ cacheRedis = "fireflyframework-cache-redis"
+ cacheHazelcast = "fireflyframework-cache-hazelcast"
+ cacheJCache = "fireflyframework-cache-jcache"
+ cachePostgres = "fireflyframework-cache-postgres"
+ r2dbc = "fireflyframework-r2dbc"
+ eda = "fireflyframework-eda"
+ edaKafka = "fireflyframework-eda-kafka"
+ edaRabbitMQ = "fireflyframework-eda-rabbitmq"
+ edaPostgres = "fireflyframework-eda-postgres"
+ cqrs = "fireflyframework-cqrs"
+ eventsourcing = "fireflyframework-eventsourcing"
+ orchestration = "fireflyframework-orchestration"
+ client = "fireflyframework-client"
+ web = "fireflyframework-web"
+ core = "fireflyframework-starter-core"
+ domain = "fireflyframework-starter-domain"
+ data = "fireflyframework-starter-data"
+ ecm = "fireflyframework-ecm"
+ ecmEsigAdobe = "fireflyframework-ecm-esignature-adobe-sign"
+ ecmEsigDocusign = "fireflyframework-ecm-esignature-docusign"
+ ecmEsigLogalty = "fireflyframework-ecm-esignature-logalty"
+ ecmStorageAWS = "fireflyframework-ecm-storage-aws"
+ ecmStorageAzure = "fireflyframework-ecm-storage-azure"
+ idp = "fireflyframework-security-idp"
+ idpCognito = "fireflyframework-security-idp-aws-cognito"
+ idpInternalDB = "fireflyframework-security-idp-internal-db"
+ idpKeycloak = "fireflyframework-security-idp-keycloak"
+ idpAzureAD = "fireflyframework-security-idp-azure-ad"
+ // Security platform — hexagon core + delivery modules + SPI adapters
+ secApi = "fireflyframework-security-api"
+ secSpi = "fireflyframework-security-spi"
+ secCore = "fireflyframework-security-core"
+ secWebflux = "fireflyframework-security-webflux"
+ secResource = "fireflyframework-security-resource-server"
+ secMethod = "fireflyframework-security-method-policy"
+ secOauth2 = "fireflyframework-security-oauth2-client"
+ secAuthz = "fireflyframework-security-authorization-server"
+ secTest = "fireflyframework-security-test"
+ secAdapterOpa = "fireflyframework-security-adapter-opa"
+ secAdapterCerbos = "fireflyframework-security-adapter-cerbos"
+ secAdapterOpenfga = "fireflyframework-security-adapter-openfga"
+ secAdapterVault = "fireflyframework-security-adapter-vault"
+ secAdapterR2dbc = "fireflyframework-security-adapter-r2dbc"
+ notifications = "fireflyframework-notifications"
+ notifFirebase = "fireflyframework-notifications-firebase"
+ notifResend = "fireflyframework-notifications-resend"
+ notifSendgrid = "fireflyframework-notifications-sendgrid"
+ notifTwilio = "fireflyframework-notifications-twilio"
+ ruleEngine = "fireflyframework-rule-engine"
+ webhooks = "fireflyframework-webhooks"
+ callbacks = "fireflyframework-callbacks"
+ configServer = "fireflyframework-config-server"
+ application = "fireflyframework-starter-application"
+ backoffice = "fireflyframework-backoffice"
+ observability = "fireflyframework-observability"
+ agenticBridge = "fireflyframework-agentic-bridge"
 )
 
 // ── Layer 0: root ──────────────────────────────────────────────────
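Review bot: The new aliases in the const block write initialisms in mixed case (`secApi`, `secSpi`, `secAdapterOpa`, `secOauth2`), while the aliases already in this block keep them upper-case (`ecmStorageAWS`, `idpInternalDB`, `idpAzureAD`). Naming them `secAPI`, `secSPI`, `secAdapterOPA` and `secOAuth2` would match both the file and the usual Go convention. The const block belongs to FrameworkGraph, whose body starts before and continues after this hunk, so the AddEdge calls added further down would need the same rename.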
@@ -555,5 +570,34 @@ func FrameworkGraph() *Graph {
 // notifications-resend uses the client module
 g.AddEdge(notifResend, client)
 
+ // ── Security platform — hexagon, wired from actual pom.xml deps ────
+ // Core hexagon: api ← spi ← core ← webflux ← delivery
+ g.AddEdge(secApi, parent)
+ g.AddEdge(secApi, kernel)
+ g.AddEdge(secSpi, secApi)
+ g.AddEdge(secCore, secApi)
+ g.AddEdge(secCore, secSpi)
+ g.AddEdge(secWebflux, secApi)
+ g.AddEdge(secWebflux, secCore)
+ // Delivery modules
+ g.AddEdge(secResource, secWebflux)
+ g.AddEdge(secMethod, secCore)
+ g.AddEdge(secMethod, secWebflux)
+ g.AddEdge(secAuthz, secCore)
+ g.AddEdge(secAuthz, secSpi)
+ g.AddEdge(secOauth2, parent) // no internal fireflyframework deps (Spring-only)
+ g.AddEdge(secTest, secApi)
+ g.AddEdge(secTest, secSpi)
+ g.AddEdge(secTest, secWebflux)
+ // SPI adapters depend only on api + spi
+ for _, ad := range []string{secAdapterOpa, secAdapterCerbos, secAdapterOpenfga, secAdapterVault, secAdapterR2dbc} {
+ g.AddEdge(ad, secApi)
+ g.AddEdge(ad, secSpi)
+ }
+ // (security-idp base already depends on kernel via the kernel loop and observability via the reconcile block)
+ // The application starter is locked down by the resource server + reactive method policy
+ g.AddEdge(application, secResource)
+ g.AddEdge(application, secMethod)
+
 return g
 }
diff --git a/internal/setup/cloner.go b/internal/setup/cloner.go
index 2a6ff12..695bf11 100644
--- a/internal/setup/cloner.go
+++ b/internal/setup/cloner.go
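Review bot: The comment above the last two AddEdge calls in FrameworkGraph says the application starter "is locked down by" the resource server and method policy, but an edge in this graph only records that one module depends on another (`edges[A][B] = true means A depends on B`); it does not show that an application enables either module at runtime. Wording it as a dependency avoids implying a security guarantee the tool does not check, e.g. `// application starter depends on security-resource-server and security-method-policy`. The parenthetical line before it refers to a "kernel loop" and a "reconcile block" that lie outside this hunk, so it cannot be checked from here whether the new security-* nodes are covered by them; only `secApi` and `secOauth2` get an explicit `parent` edge in the added lines. FrameworkGraph starts outside the hunk.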
@@ -55,11 +55,25 @@ var FrameworkRepos = []string{
 "fireflyframework-ecm-esignature-logalty",
 "fireflyframework-ecm-storage-aws",
 "fireflyframework-ecm-storage-azure",
- "fireflyframework-idp",
- "fireflyframework-idp-aws-cognito",
- "fireflyframework-idp-azure-ad",
- "fireflyframework-idp-internal-db",
- "fireflyframework-idp-keycloak",
+ "fireflyframework-security-api",
+ "fireflyframework-security-spi",
+ "fireflyframework-security-core",
+ "fireflyframework-security-webflux",
+ "fireflyframework-security-resource-server",
+ "fireflyframework-security-method-policy",
+ "fireflyframework-security-oauth2-client",
+ "fireflyframework-security-authorization-server",
+ "fireflyframework-security-test",
+ "fireflyframework-security-adapter-opa",
+ "fireflyframework-security-adapter-cerbos",
+ "fireflyframework-security-adapter-openfga",
+ "fireflyframework-security-adapter-vault",
+ "fireflyframework-security-adapter-r2dbc",
+ "fireflyframework-security-idp",
+ "fireflyframework-security-idp-aws-cognito",
+ "fireflyframework-security-idp-azure-ad",
+ "fireflyframework-security-idp-internal-db",
+ "fireflyframework-security-idp-keycloak",
 "fireflyframework-notifications",
 "fireflyframework-notifications-firebase",
 "fireflyframework-notifications-resend",
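Review bot: FrameworkRepos repeats by hand the repository names that graph.go declares as aliases, and the diffstat shows only these two files changed, so nothing in this patch checks that the two lists agree. The commit message describes what that drift already caused: fwversion/release/setup skipped the whole security family. A test that compares FrameworkRepos with the node set of FrameworkGraph(), placed in whichever package can import the other without a cycle, would make a missing or misspelled module fail the build instead of being silently left out of a release. The five idp entries are also renamed in place, and it is not visible here whether existing checkouts under the old `fireflyframework-idp*` names are migrated or left behind. The slice starts before and continues after this hunk.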