Config Service — Epics
Service: config-service Epic prefix: CONFIG-EPIC Last updated: 2026-04-18
Epics
CONFIG-EPIC-01 — DAG-Based Config Node Management
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Build ConfigNode DAG: 13 node types, acyclic invariant, soft-delete |
| Status | To Do |
| Priority | Must |
| Labels | service:config, domain:platform_configuration, slice:S0 |
| Components | config-node-crud, dag-validation, migrations |
| Fix version | M0 |
| FR references | FR-CONFIG-NODE-001, FR-CONFIG-NODE-002, FR-CONFIG-NODE-003, FR-CONFIG-NODE-004, FR-CONFIG-NODE-005 |
| Legacy FR refs | FR-CFG-NODE-001..005 (PLAT-CONFIG SPEC.md §4.1) |
| Dependencies | facility-service (hierarchy node IDs), platform-admin-service |
| Rollup status | Not started |
Business outcome: Establish the foundational DAG that every other config entity depends on, ensuring acyclicity and audit integrity for all configuration changes.
Description: The ConfigNode DAG is the backbone of the config-service. All 13 node types (GLOBAL, TENANT, ORG_NODE, MODULE, FEATURE, ACTION, ROLE, USER, UI_SCREEN, UI_COMPONENT, UI_ELEMENT, ACTION_BINDING, DESIGN_SYSTEM) must be created with validated parent-type constraints. DAG cycles must be rejected at write time. Soft-delete must be the only removal path to preserve audit trail. Every mutation must emit a CloudEvents 1.0 event via NATS.
Stories: CONFIG-US-001, CONFIG-US-002
CONFIG-EPIC-02 — 9-Step Configuration Resolution Pipeline
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Implement GET /internal/config/resolve: 9-step license→ABAC→token pipeline |
| Status | To Do |
| Priority | Must |
| Labels | service:config, domain:platform_configuration, slice:S0 |
| Components | resolution-engine, role-bfs, cache, circuit-breakers |
| Fix version | M0 |
| FR references | FR-CONFIG-RESOLVE-001..009 |
| Legacy FR refs | FR-CFG-RESOLVE-001..009 (PLAT-CONFIG SPEC.md §4.2) |
| Dependencies | CONFIG-EPIC-01, facility-service, platform-admin-service, access-policy |
| Rollup status | Not started |
Business outcome: Replace the 5–7 API call fan-out pattern per UI boundary with a single compound resolution call, closing gaps L-01 through L-09 in the platform.
Description:
The resolution pipeline executes in order: hierarchy spine load, module license check, feature flag check, role graph BFS expansion (max depth 10), action grant verification, ABAC delegation to access-policy, user-level override application, optional UI config, optional design token merge. Each step has a short-circuit deny path. The result is an EvaluationResult with effect, reason, dataScope, and optional UI/token payloads. Redis caching with NATS-driven eviction keeps p95 < 100 ms.
Stories: CONFIG-US-003, CONFIG-US-004, CONFIG-US-005
CONFIG-EPIC-03 — Role Definition and Inheritance Graph
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Role CRUD, role inheritance DAG, feature grants with explicit allow/deny |
| Status | To Do |
| Priority | Must |
| Labels | service:config, domain:platform_configuration, slice:S0 |
| Components | role-management, role-inheritance, role-feature-grants |
| Fix version | M0 |
| FR references | FR-CONFIG-ROLE-001..006 |
| Legacy FR refs | FR-CFG-ROLE-001..006 (PLAT-CONFIG SPEC.md §4.4) |
| Dependencies | CONFIG-EPIC-01, CONFIG-EPIC-02 |
| Rollup status | Not started |
Business outcome: Close gap L-03 (no role inheritance) by enabling abstract parent roles (ClinicalStaff) to propagate grants to concrete roles (NURSE, PHYSICIAN) via a validated BFS-expanded role graph.
Description:
Role definitions support isAbstract (cannot be directly assigned) and isSystem (SUPER_ADMIN-only). Role inheritance edges form a DAG with cycle detection. BFS expansion is bounded to depth 10. RoleFeatureGrant records specify grantedActions and deniedActions per role per feature; the effective permission set is union(granted) − union(denied) across all expanded roles.
Stories: CONFIG-US-006, CONFIG-US-007
CONFIG-EPIC-04 — User Node Overrides
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Time-bounded ExplicitAllow / ExplicitDeny overrides per user per node |
| Status | To Do |
| Priority | Must |
| Labels | service:config, domain:platform_configuration, slice:S1 |
| Components | user-overrides, override-cascade |
| Fix version | M1 |
| FR references | FR-CONFIG-USR-001, FR-CONFIG-USR-002, FR-CONFIG-USR-003 |
| Legacy FR refs | FR-CFG-USR-001..003 (PLAT-CONFIG SPEC.md §4.6) |
| Dependencies | CONFIG-EPIC-02, CONFIG-EPIC-03 |
| Rollup status | Not started |
Business outcome: Enable Tenant Admins to grant or deny specific clinical actions to individual users at specific facility nodes (e.g. nurse night-dispensing authorization), with mandatory justification and time bounds for audit and compliance.
Description:
UserNodeOverride records are the highest-priority tier in the resolution pipeline. ExplicitAllow overrides any prior denial from ABAC or role grants. ExplicitDeny is final and cannot be overridden. Both require a non-empty justification. Overrides are time-bounded; expired overrides are silently ignored. An ExplicitAllow cascades to UI element visibility for bound actions at the override node.
Stories: CONFIG-US-008, CONFIG-US-009
CONFIG-EPIC-05 — UI Element Visibility Configuration
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | UIDefinition + UIVisibilityRule: server-driven UI guards per role/user |
| Status | To Do |
| Priority | Must |
| Labels | service:config, domain:platform_configuration, slice:S1 |
| Components | ui-definitions, ui-visibility-rules, ui-resolver |
| Fix version | M1 |
| FR references | FR-CONFIG-UI-001..004 |
| Legacy FR refs | FR-CFG-UI-001..004 (PLAT-CONFIG SPEC.md §4.3) |
| Dependencies | CONFIG-EPIC-02, CONFIG-EPIC-03 |
| Rollup status | Not started |
Business outcome: Close gap L-04 (hardcoded UI guards) by moving UI element visibility into server-driven configuration, enabling role-appropriate UI rendering without per-component frontend logic.
Description:
UIDefinition registers UI elements (screens, components, elements, action bindings) as config nodes. UIVisibilityRule specifies per-role and per-user visibility overrides. Role rules are applied first; user rules override conflicting role rules. The result is a UIElementConfig[] tree returned as part of EvaluationResult when includeUI=true.
Stories: CONFIG-US-010, CONFIG-US-011
CONFIG-EPIC-06 — Design Token Management and Merge
| Field | Value |
|---|---|
| Issue type | Epic |
| Summary | Scoped design tokens: Global→Tenant→Module→User LWW merge chain |
| Status | To Do |
| Priority | Should |
| Labels | service:config, domain:platform_configuration, slice:S1 |
| Components | design-tokens, token-resolver, locale-support |
| Fix version | M1 |
| FR references | FR-CONFIG-DS-001..004 |
| Legacy FR refs | FR-CFG-DS-001..004 (PLAT-CONFIG SPEC.md §4.5) |
| Dependencies | CONFIG-EPIC-01, CONFIG-EPIC-02 |
| Rollup status | Not started |
Business outcome: Close gap L-05 (no module/user-level theming) by enabling tenant branding and per-module design tokens to be resolved in a single call, supporting RTL/LTR layout direction, custom fonts (Noto Nastaliq Urdu for ps-AF), and per-locale overrides.
Description:
Design tokens are stored per scope (global, tenant, module, user) and merged with LWW priority: User > Module > OrgNode > Tenant > Global. Locale-specific tokens override non-locale tokens for the same key when the request locale matches. The merged token map is returned as Record<string, string> in EvaluationResult when includeTokens=true. Tenant Admins manage tenant/module/user-scope tokens; SUPER_ADMIN manages global tokens.
Stories: CONFIG-US-012, CONFIG-US-013