IAM/Refdata service boundary cleanup

This page is a capture in the next bucket of the product backlog — a pre-sprint idea, not yet pulled into a sprint as a story.

ores.iam.core currently crosses the service boundary in two places. Both are pre-existing violations noted in the plan, and both must be fixed to ensure correct RLS enforcement and clean service ownership. See "Known pre-existing violations" in the plan.

Tasks

  • [ ] bootstrap_handler.hpp: replace direct ores_refdata_parties_tbl write with refdata.v1.parties.save NATS call
  • [ ] auth_handler.hpp: replace direct ores_refdata_parties_tbl query (auth_lookup_party) with refdata.v1.parties.get-by-principal NATS call (add endpoint to ores.refdata if missing)
  • [ ] Verify RLS policies are still enforced end-to-end after the refactor
  • [ ] Remove cross-schema table includes from ores.iam.core CMake deps
