- GET /api/document-types: returns {id, name, code} from
leaudit_document_types, with optional ?ids=1,2,3 filter
- GET /api/documents/list: added userId, dateFrom, dateTo
query params for filtering by uploading user and date range
Previously provincial_admin also skipped entry module area
filtering, making areas configuration meaningless for them.
Now only super_admin bypasses — provincial_admin and below
must match their area against the module's areas list.
Add _assertPermission() that checks role_permissions table for
specific permission keys (super_admin bypasses). Wire it into
CreateRole (rbac:roles:create), UpdateRole (rbac:roles:update),
and DeleteRole (rbac:roles:delete). Previously only the coarse
can_manage role check was enforced, making the permission grants
in role_permissions purely cosmetic for these endpoints.
- Add region column to leaudit_documents + LeauditDocument model
- AuditServiceImpl: read region from document.region, not APP_REGION
- RuleServiceImpl: ListBindings/CreateBinding accept Region parameter
- RuleBindingCreateDTO: add region field
- RuleController: pass region from query param/DTO to service
- APP_REGION removed from binding queries; region flows from document
Region is now per-document: each document carries its region at upload
time, and rules are matched to the document's region at run time.
- DB: add region column to leaudit_rule_sets + leaudit_rule_type_bindings
- DB: change UNIQUE constraint from (rule_type) to (rule_type, region)
- Config: add APP_REGION to app.toml + AppSettings + __init__.pyi
- AuditServiceImpl: filter bindings by APP_REGION
- RuleServiceImpl: ListBindings/CreateBinding use APP_REGION
- Seed script: accept --region arg, tag rules by region
- OssPathUtils: BuildRuleYamlKey already accepts Region parameter
Each region can now have its own independent copy of the same rule_type,
stored in separate OSS paths and DB rows, keyed by region.
wren