feat: 약관 동의 관리 추가

[parkjuyeong0312]

변경 내용

• 현재 약관 조회 API(GET /api/agreements/current)와 약관 원문 리소스를 추가했습니다.
• Google 로그인 요청에 약관 동의 여부를 반영하고, 신규 가입/재동의 필요 사용자 검증을 추가했습니다.
• 사용자 약관 동의 버전/시각을 users에 저장하고 재동의 API(POST /api/users/me/agreements)를 추가했습니다.
• 약관/정책 문서와 docs/ai/features.md, docs/ai/erd.md를 갱신했습니다.

변경 이유

• 회원 가입 및 약관 변경 시점에 서버 기준 현재 약관 동의 이력을 남기기 위해서입니다.
• 프론트가 약관 버전을 직접 보내지 않고 백엔드 설정과 서버 시간을 기준으로 동의 상태를 관리하기 위해서입니다.

테스트

• ./gradlew build
• /review-code-against-docs 스킬로 검증
• 그 외 수동 검증: /write-api-specs 기준으로 REST 어노테이션/DTO 계약 확인, /checking-md-conflicts 기준으로 Markdown 참조·중복 규칙 확인

체크리스트

• PR 제목이 커밋 컨벤션 형식을 따른다.
• 변경 사유를 PR 설명에 기록했다.
• 테스트 방법과 결과를 기록했다.
• 문서 변경이 필요한 경우 반영했다.

하네스 변경 체크리스트

• CLAUDE.md(AGENTS.md) 변경이 포함되어 있는가?
• 변경 사유가 PR 설명에 기록되어 있는가?
• 기존 규칙과 충돌하지 않는가?
• 팀원에게 변경 사항을 공유했는가?

Summary by CodeRabbit

릴리스 노트

• 새로운 기능

  • 이용약관 및 개인정보 처리방침 조회 기능 추가
  • 회원가입 및 로그인 시 약관 동의 프로세스 구현
  • 인증된 사용자의 약관 재동의 기능 추가

• 문서

  • 이용약관 및 개인정보 처리방침 원문 추가
  • 저작권 정책, 운영정책, 운영자 정보 공개 문서 추가
  • 배포 전 법적 정책 준비 체크리스트 문서 추가

[coderabbitai]

Warning

Review limit reached

@parkjuyeong0312, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 21 minutes and 32 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 5b6bbbe8-2025-42d5-b58c-2a4e8effb1f6

📥 Commits

Reviewing files that changed from the base of the PR and between 6b287b5 and de890e4.

📒 Files selected for processing (8)

• docs/ai/erd.md
• docs/ai/features.md
• src/main/java/com/howaboutus/backend/auth/service/AuthService.java
• src/main/java/com/howaboutus/backend/common/error/ErrorCode.java
• src/main/java/com/howaboutus/backend/user/entity/User.java
• src/main/resources/application.yaml
• src/main/resources/db/migration/V1.9__add_user_agreements.sql
• src/test/java/com/howaboutus/backend/auth/service/AuthServiceTest.java

📝 Walkthrough

Walkthrough

백엔드에서 약관 원문과 버전을 관리하고, 클라이언트는 동의 여부만 전송하는 약관 동의 시스템을 구현한다. 설정 기반 리소스 로딩, 공개 API, 로그인 시 검증, 인증 재동의 엔드포인트, 그리고 관련 정책 문서를 포함하는 완전한 스택.

Changes

백엔드 약관 동의 시스템

계층 / 파일(들)	요약
약관 설정 및 데이터베이스 스키마 src/main/java/com/howaboutus/backend/agreements/config/AgreementProperties.java, src/main/resources/application.yaml, src/main/resources/db/migration/V1__init.sql, src/main/java/com/howaboutus/backend/common/error/ErrorCode.java	app.agreements 설정으로 약관 버전과 리소스 경로를 관리하며, users 테이블에 동의 버전/시각 컬럼 4개 추가. 약관 관련 에러 코드(AGREEMENTS_NOT_ACCEPTED, AGREEMENTS_REACCEPTANCE_REQUIRED, AGREEMENT_CONFIGURATION_INVALID) 정의.
약관 문서 서비스 및 DTO src/main/java/com/howaboutus/backend/agreements/service/AgreementService.java, src/main/java/com/howaboutus/backend/agreements/service/dto/*, src/main/java/com/howaboutus/backend/agreements/controller/dto/*	설정된 약관 리소스를 읽어 현재 문서 목록/버전을 반환하는 AgreementService. 버전 검증, 재동의 필요 판단, 동의 여부 검증 메서드 포함. 문서 메타데이터와 내용을 담는 DTO들(AgreementVersions, AgreementDocumentResult, AgreementCurrentResponse, AgreementDocumentResponse).
공개 약관 조회 엔드포인트 src/main/java/com/howaboutus/backend/agreements/controller/AgreementController.java, src/main/java/com/howaboutus/backend/common/config/SecurityConfig.java, src/test/java/.../AgreementControllerTest.java	GET /api/agreements/current 엔드포인트를 통해 인증 없이 현재 약관 목록 조회. 보안 설정에서 /api/agreements/current 경로를 permitAll로 구성. 컨트롤러 테스트에서 응답 구조 검증.
사용자 약관 수락 저장 및 조회 src/main/java/com/howaboutus/backend/user/entity/User.java, src/main/java/com/howaboutus/backend/user/service/UserService.java, src/test/java/.../UserServiceTest.java	User 엔티티에 tosVersion, tosAcceptedAt, privacyVersion, privacyAcceptedAt 컬럼 추가. acceptAgreements(...) 메서드로 동의 상태 업데이트. UserService에서 사용자 조회/생성/재동의 메서드 구현. 테스트에서 약관 버전/시각 저장 검증.
인증 사용자 재동의 API src/main/java/com/howaboutus/backend/user/controller/UserAgreementController.java, src/main/java/com/howaboutus/backend/user/controller/dto/AcceptAgreementsRequest.java, src/test/java/.../UserAgreementControllerTest.java	POST /api/users/me/agreements에서 인증된 사용자가 최신 약관으로 재동의. 동의 여부 검증 후 userService.acceptCurrentAgreements() 호출하여 버전/시각 갱신. 성공 시 204 반환.
로그인 흐름에 약관 검증 통합 src/main/java/com/howaboutus/backend/auth/controller/AuthController.java, src/main/java/com/howaboutus/backend/auth/controller/dto/GoogleLoginRequest.java, src/main/java/com/howaboutus/backend/auth/service/AuthService.java, src/test/java/.../AuthServiceTest.java, src/test/java/.../AuthIntegrationTest.java	GoogleLoginRequest에 agreementsAccepted 필드 추가. AuthService.googleLogin(code, agreementsAccepted)로 신규 사용자는 동의 필수, 기존 사용자는 재동의 필요 여부 판단하여 토큰 발급. 로그인 테스트에서 다양한 동의 시나리오 검증.
통합 테스트 커버리지 src/test/java/com/howaboutus/backend/agreements/*, src/test/java/com/howaboutus/backend/auth/service/AuthServiceTest.java, src/test/java/com/howaboutus/backend/user/service/UserServiceTest.java	약관 서비스(문서 조회, 버전 검증, 설정 오류), 컨트롤러(공개 API 응답), 사용자 서비스(동의 저장/갱신), 인증 서비스(신규/기존 사용자 동의 흐름) 단위 테스트로 전체 약관 기능 커버.
정책 문서 및 구현 계획 src/main/resources/agreements/terms-of-service.md, src/main/resources/agreements/privacy-policy.md, docs/policy/copyright-policy.md, docs/policy/operation-policy.md, docs/policy/operator-info.md, docs/ai/*, docs/superpowers/*	TOS/개인정보 처리방침 원문 리소스 추가. 저작권, 운영, 운영자 정책 문서 신규 추가. 기능/ERD/구현 계획 문서 동기화. 법적 준비 체크리스트 및 설계 사양 상세화.

Sequence Diagrams

sequenceDiagram
  participant Client
  participant Backend
  participant AgreementService
  participant UserService
  
  Note over Client,Backend: 신규 사용자 로그인
  Client->>Backend: POST /auth/google/login (code, agreementsAccepted=true)
  Backend->>UserService: findGoogleUser(providerId)
  UserService-->>Backend: Optional.empty (신규 사용자)
  Backend->>AgreementService: validateAccepted(true)
  AgreementService-->>Backend: OK
  Backend->>AgreementService: currentVersions()
  AgreementService-->>Backend: AgreementVersions(v1.0, v1.0)
  Backend->>UserService: getOrCreateGoogleUser(..., versions, now)
  UserService-->>Backend: User created with agreement fields
  Backend-->>Client: AccessToken + RefreshToken
  
  Note over Client,Backend: 기존 사용자 재동의 필요
  Client->>Backend: POST /auth/google/login (code, agreementsAccepted=true)
  Backend->>UserService: findGoogleUser(providerId)
  UserService-->>Backend: User found (v1.0 → v2.0)
  Backend->>AgreementService: needsReacceptance(user)
  AgreementService-->>Backend: true
  Backend->>AgreementService: currentVersions()
  AgreementService-->>Backend: AgreementVersions(v2.0, v2.0)
  Backend->>UserService: acceptCurrentAgreements(userId, versions, now)
  UserService-->>Backend: Updated
  Backend-->>Client: AccessToken + RefreshToken

Loading

sequenceDiagram
  participant Client
  participant Backend
  
  Note over Client,Backend: 공개 약관 조회
  Client->>Backend: GET /api/agreements/current (인증 없음)
  Backend-->>Client: 200 OK { items: [TOS, PrivacyPolicy] }
  
  Note over Client,Backend: 인증 사용자 재동의
  Client->>Backend: POST /api/users/me/agreements (Authorization, agreementsAccepted=true)
  Backend-->>Client: 204 No Content

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

backend, test

Poem

🐰 약관을 무리 지어 담고,
사용자 동의를 꼼꼼히 저장하면,
공개 API와 로그인 흐름이 맞춰지고,
테스트가 모든 경로를 밝혀주니,
합법의 길 위에 백엔드가 피어난다! ✨

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	PR 제목 '약관 동의 관리 추가'는 변경사항의 핵심인 약관 동의 기능 추가를 명확하게 요약하고 있습니다.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

src/main/java/com/howaboutus/backend/common/config/SecurityConfig.java (1)

46-59: ⚡ Quick win

WebSocket 허용 규칙을 일반 공개 엔드포인트와 분리해 명시해 주세요.

/ws/**가 현재 일반 permitAll 목록에 함께 들어가 있어 보안 정책 가시성이 떨어집니다. WebSocket 매처를 분리한 별도 블록(또는 별도 requestMatchers 호출)로 명확히 분리하는 편이 좋습니다.

제안 수정안

.authorizeHttpRequests(authorize -> authorize
    .requestMatchers(
        "/v3/api-docs/**",
        "/swagger-ui.html",
        "/swagger-ui/**",
        "/springwolf/**",
        "/actuator/health",
        "/actuator/prometheus",
        "/actuator/caches",
        "/api/agreements/current",
        "/auth/google/login",
        "/auth/refresh",
-       "/auth/logout",
-       "/ws/**")
+       "/auth/logout")
    .permitAll()
+   .requestMatchers("/ws/**").permitAll() // WebSocket endpoint는 분리 명시
    .anyRequest().authenticated())

As per coding guidelines, "Explicitly allow WebSocket endpoints in Spring Security configuration separate from other endpoint permissions".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/java/com/howaboutus/backend/common/config/SecurityConfig.java`
around lines 46 - 59, In SecurityConfig, separate the WebSocket allowance from
the general permitAll list: remove "/ws/**" from the existing
requestMatchers(...).permitAll() block and add a dedicated
requestMatchers("/ws/**").permitAll() (or a distinct authorizeHttpRequests call)
so the WebSocket rule is explicit and isolated; update the SecurityConfig class
and the requestMatchers/permitAll chain references accordingly to keep other
endpoints unchanged.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/main/java/com/howaboutus/backend/user/entity/User.java`:
- Around line 73-81: The convenience overload User.ofGoogle(String providerId,
String email, String nickname, String profileImageUrl) improperly injects
AgreementVersions("1.0","1.0") and Instant.EPOCH which can falsify consent
history; remove this 4-arg overload (or mark it test-only) and force callers to
use the full factory signature that accepts AgreementVersions and acceptedAt,
i.e., update/remove the ofGoogle(...) overload and ensure all call sites use the
ofGoogle(...) variant that takes agreementVersions and acceptedAt (references:
User.ofGoogle, AgreementVersions, Instant.EPOCH).

In `@src/main/resources/db/migration/V1__init.sql`:
- Around line 14-17: Revert the column additions from V1__init.sql back to the
original state and instead create a new migration file (e.g.,
V2__add_user_agreement_columns.sql) that runs ALTER TABLE users ADD COLUMN for
tos_version, tos_accepted_at, privacy_version, and privacy_accepted_at; include
comments/instructions in the new migration to perform any necessary backfill and
then apply ALTER TABLE ... SET NOT NULL if you need to enforce non-null
constraints later to avoid Flyway checksum mismatches and runtime breaks.

---

Nitpick comments:
In `@src/main/java/com/howaboutus/backend/common/config/SecurityConfig.java`:
- Around line 46-59: In SecurityConfig, separate the WebSocket allowance from
the general permitAll list: remove "/ws/**" from the existing
requestMatchers(...).permitAll() block and add a dedicated
requestMatchers("/ws/**").permitAll() (or a distinct authorizeHttpRequests call)
so the WebSocket rule is explicit and isolated; update the SecurityConfig class
and the requestMatchers/permitAll chain references accordingly to keep other
endpoints unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: eb252bb8-8ced-42cd-a777-ab8655146325

📥 Commits

Reviewing files that changed from the base of the PR and between afa2ad9 and 6b287b5.

📒 Files selected for processing (38)

• docs/ai/README.md
• docs/ai/erd.md
• docs/ai/features.md
• docs/legal/policy-preparation.md
• docs/policy/copyright-policy.md
• docs/policy/operation-policy.md
• docs/policy/operator-info.md
• docs/policy/privacy-policy.md
• docs/policy/terms-of-service.md
• docs/superpowers/plans/2026-06-08-backend-agreements.md
• docs/superpowers/specs/2026-06-08-backend-agreements-design.md
• src/main/java/com/howaboutus/backend/agreements/config/AgreementProperties.java
• src/main/java/com/howaboutus/backend/agreements/controller/AgreementController.java
• src/main/java/com/howaboutus/backend/agreements/controller/dto/AgreementCurrentResponse.java
• src/main/java/com/howaboutus/backend/agreements/controller/dto/AgreementDocumentResponse.java
• src/main/java/com/howaboutus/backend/agreements/service/AgreementService.java
• src/main/java/com/howaboutus/backend/agreements/service/dto/AgreementDocumentResult.java
• src/main/java/com/howaboutus/backend/agreements/service/dto/AgreementVersions.java
• src/main/java/com/howaboutus/backend/auth/controller/AuthController.java
• src/main/java/com/howaboutus/backend/auth/controller/dto/GoogleLoginRequest.java
• src/main/java/com/howaboutus/backend/auth/service/AuthService.java
• src/main/java/com/howaboutus/backend/common/config/SecurityConfig.java
• src/main/java/com/howaboutus/backend/common/error/ErrorCode.java
• src/main/java/com/howaboutus/backend/user/controller/UserAgreementController.java
• src/main/java/com/howaboutus/backend/user/controller/dto/AcceptAgreementsRequest.java
• src/main/java/com/howaboutus/backend/user/entity/User.java
• src/main/java/com/howaboutus/backend/user/service/UserService.java
• src/main/resources/agreements/privacy-policy.md
• src/main/resources/agreements/terms-of-service.md
• src/main/resources/application.yaml
• src/main/resources/db/migration/V1__init.sql
• src/test/java/com/howaboutus/backend/agreements/controller/AgreementControllerTest.java
• src/test/java/com/howaboutus/backend/agreements/service/AgreementServiceTest.java
• src/test/java/com/howaboutus/backend/auth/AuthIntegrationTest.java
• src/test/java/com/howaboutus/backend/auth/controller/AuthControllerTest.java
• src/test/java/com/howaboutus/backend/auth/service/AuthServiceTest.java
• src/test/java/com/howaboutus/backend/user/controller/UserAgreementControllerTest.java
• src/test/java/com/howaboutus/backend/user/service/UserServiceTest.java

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

기본 오버로드가 동의 이력을 왜곡할 수 있습니다.

ofGoogle(... 4개 인자)가 AgreementVersions("1.0","1.0")와 Instant.EPOCH를 강제로 넣어 생성하면, 실제 동의 시점/서버 현재 버전과 불일치한 이력이 저장됩니다. 이 오버로드는 제거하거나 테스트 전용으로 제한하고, 프로덕션 경로에서는 agreementVersions와 acceptedAt를 반드시 명시적으로 받도록 강제하는 편이 안전합니다.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/main/java/com/howaboutus/backend/user/entity/User.java` around lines 73 -
81, The convenience overload User.ofGoogle(String providerId, String email,
String nickname, String profileImageUrl) improperly injects
AgreementVersions("1.0","1.0") and Instant.EPOCH which can falsify consent
history; remove this 4-arg overload (or mark it test-only) and force callers to
use the full factory signature that accepts AgreementVersions and acceptedAt,
i.e., update/remove the ofGoogle(...) overload and ensure all call sites use the
ofGoogle(...) variant that takes agreementVersions and acceptedAt (references:
User.ofGoogle, AgreementVersions, Instant.EPOCH).

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud