Align live console and policy governance clients

2026-03-10 01:37:42 +02:00
parent afb9711e61
commit 18246cd74c
14 changed files with 301 additions and 81 deletions
--- a/docs/api/console/samples/console-status-sample.json
+++ b/docs/api/console/samples/console-status-sample.json
@@ -1,7 +1,7 @@
 {
  "$schema": "https://stella-ops.org/api/console/console-status.schema.json",
  "_meta": {
-    "description": "Sample response for GET /console/status",
+    "description": "Sample response for GET /api/console/status",
    "task": "WEB-CONSOLE-23-002",
    "generatedAt": "2025-12-04T12:00:00Z"
  },
--- a/docs/implplan/SPRINT_20260309_010_FE_live_auth_scope_console_and_policy_alignment.md
+++ b/docs/implplan/SPRINT_20260309_010_FE_live_auth_scope_console_and_policy_alignment.md
@@ -0,0 +1,65 @@
+# Sprint 20260309-010 - FE Live Auth Scope, Console, and Policy Alignment
+
+## Topic & Scope
+- Repair the post-rebuild live failures that are now clearly contract/alignment defects instead of generic service outages: trust-signing authorization, console status frontdoor pathing, and policy-governance tenant drift.
+- Keep this iteration focused on live canonical routes already failing in the authenticated sweep: `/ops/platform-setup/trust-signing`, `/setup/trust-signing`, `/ops/operations/status`, `/ops/policy/trust-weights`, `/ops/policy/staleness`, and `/ops/policy/audit`.
+- Working directory: `src/Web/StellaOps.Web`.
+- Allowed cross-module edits: `devops/compose/docker-compose.stella-ops.yml`, `docs/api/console/samples/console-status-sample.json`, `docs/modules/ui/console-architecture.md`, `docs/implplan/SPRINT_20260309_002_FE_live_frontdoor_canonical_route_sweep.md`, `docs/implplan/SPRINT_20260309_009_FE_live_contract_alignment_titles_trust_feeds.md`.
+- Expected evidence: focused frontend specs, rebuilt/redeployed live stack, refreshed authenticated Playwright auth report, and a new canonical route sweep artifact.
+
+## Dependencies & Concurrency
+- Depends on `SPRINT_20260309_002_FE_live_frontdoor_canonical_route_sweep.md` for the current live failure inventory and on `SPRINT_20260309_009_FE_live_contract_alignment_titles_trust_feeds.md` for the completed trust-route frontend adapter.
+- Safe parallelism: keep code edits in `src/Web/StellaOps.Web/**` and the single compose auth bootstrap file only; do not edit backend service implementations in this sprint.
+
+## Documentation Prerequisites
+- `AGENTS.md`
+- `docs/implplan/AGENTS.md`
+- `src/Web/StellaOps.Web/AGENTS.md`
+- `docs/code-of-conduct/CODE_OF_CONDUCT.md`
+- `docs/qa/feature-checks/FLOW.md`
+- `docs/technical/architecture/console-admin-rbac.md`
+- `docs/security/console-security.md`
+- `docs/modules/ui/console-architecture.md`
+
+## Delivery Tracker
+
+### FE-AUTH-010-001 - Restore live trust-signing bootstrap scopes
+Status: DOING
+Dependency: none
+Owners: Developer, QA
+Task description:
+- Align the demo console bootstrap client scope request and allowed scope catalog with the live Platform trust-signing authorization policies so authenticated Playwright sessions can load the Trust & Signing overview and operator actions without `403` responses.
+- Keep the change limited to the scratch-setup compose bootstrap path used for clean redeploys.
+
+Completion criteria:
+- [ ] The compose bootstrap client requests and is allowed to receive the trust/signer scopes required by the setup trust pages.
+- [ ] A fresh authenticated session issued after redeploy includes the expected trust scopes.
+- [ ] Live `/ops/platform-setup/trust-signing` and `/setup/trust-signing` stop failing on `403`.
+
+### FE-AUTH-010-002 - Align console status and policy-governance clients with live frontdoor contracts
+Status: TODO
+Dependency: FE-AUTH-010-001
+Owners: Developer, Test Automation
+Task description:
+- Repoint console status polling/streaming onto the canonical frontdoor path used by the rebuilt stack and replace policy-governance placeholder tenant leakage with active tenant resolution so live query contracts do not collapse to stale demo IDs.
+- Repair stale audit module wiring where the policy audit shell still targets retired policy audit endpoints.
+
+Completion criteria:
+- [ ] `ConsoleStatusClient` no longer requests `/console/status` on the live frontdoor.
+- [ ] Policy-governance HTTP requests stop emitting `tenantId=acme-tenant` during authenticated live page loads.
+- [ ] The policy audit shell uses the live governance audit endpoint.
+- [ ] Focused frontend tests cover the console path and policy tenant/audit contract alignment.
+
+## Execution Log
+| Date (UTC) | Update | Owner |
+| --- | --- | --- |
+| 2026-03-09 | Sprint created after the fresh full rebuild improved the authenticated route sweep to 95/111 and isolated the remaining frontend-owned failures to trust-signing authorization, console status frontdoor pathing, and policy-governance tenant/audit drift. | Developer |
+
+## Decisions & Risks
+- Decision: treat the trust-signing `403` as a bootstrap scope defect, not a web routing defect; the previous sprint already moved the UI to the live `/api/v1/administration/trust-signing*` contract and removed the retired `404` paths.
+- Decision: fix policy-governance tenant drift centrally in the HTTP client layer for this iteration to clear the entire component family without colliding with the other agent's component-revival work.
+- Risk: the console status frontdoor contract is documented inconsistently (`/console/status` vs `/api/console/status`); this sprint will follow the live deployment/security docs and verify the result against the rebuilt stack.
+
+## Next Checkpoints
+- 2026-03-09: land the trust bootstrap scope repair and confirm new tokens include trust scopes.
+- 2026-03-09: land the console/policy client alignment and rerun the authenticated canonical route sweep.
--- a/docs/modules/ui/console-architecture.md
+++ b/docs/modules/ui/console-architecture.md
@@ -87,7 +87,7 @@ Key interactions:
 - **Tenant switch:** Picker issues `Authority /fresh-auth` when required, then refreshes UI caches (`ui.tenant.switch` log). Gateway injects canonical `X-StellaOps-Tenant` headers downstream (legacy `X-Stella-Tenant`/`X-Tenant-Id` aliases are compatibility-only during migration).  
 - **Aggregation-only reads:** Gateway proxies `/console/advisories`, `/console/vex`, `/console/findings`, etc., without mutating Concelier or Policy data. Provenance badges and merge hashes come directly from upstream responses.  
 - **Downloads parity:** `/console/downloads` merges DevOps signed manifest and Offline Kit metadata; UI renders digest, signature, and CLI parity command.  
- **Offline resilience:** Gateway exposes `/console/status` heartbeat. If unavailable, UI enters offline mode, disables SSE, and surfaces CLI fallbacks.
+- **Offline resilience:** Gateway exposes `/api/console/status` heartbeat. If unavailable, UI enters offline mode, disables SSE, and surfaces CLI fallbacks.

 ---

@@ -97,9 +97,9 @@ Live surfaces use HTTP/1.1 SSE with heartbeat frames to keep operators informed

 | Endpoint | Payload | Source | Behaviour |
 |----------|---------|--------|-----------|
-| `/console/status/stream` | `statusChanged`, `ingestionDelta`, `attestorQueue`, `offlineBanner` events | Concelier WebService, Excititor WebService, Attestor metrics | 5 s heartbeat; gateway disables proxy buffering (`X-Accel-Buffering: no`) and sets `Cache-Control: no-store`. |
-| `/console/runs/{id}/stream` | `stateChanged`, `segmentProgress`, `deltaSummary`, `log` | Scheduler WebService SSE fan-out | Event payloads carry `traceId`, `runId`, `tenant`; UI reconnects with exponential backoff and resumes using `Last-Event-ID`. |
-| `/console/telemetry/stream` | `metricSample`, `alert`, `collectorStatus` | Observability aggregator | Gated by `ui.telemetry` scope; disabled when `CONSOLE_TELEMETRY_SSE_ENABLED=false`. |
+| `/api/console/status/stream` | `statusChanged`, `ingestionDelta`, `attestorQueue`, `offlineBanner` events | Concelier WebService, Excititor WebService, Attestor metrics | 5 s heartbeat; gateway disables proxy buffering (`X-Accel-Buffering: no`) and sets `Cache-Control: no-store`. |
+| `/api/console/runs/{id}/stream` | `stateChanged`, `segmentProgress`, `deltaSummary`, `log` | Scheduler WebService SSE fan-out | Event payloads carry `traceId`, `runId`, `tenant`; UI reconnects with exponential backoff and resumes using `Last-Event-ID`. |
+| `/api/console/telemetry/stream` | `metricSample`, `alert`, `collectorStatus` | Observability aggregator | Gated by `ui.telemetry` scope; disabled when `CONSOLE_TELEMETRY_SSE_ENABLED=false`. |

 Sequence overview:

@@ -110,7 +110,7 @@ sequenceDiagram
    participant GW as Console Gateway
    participant SCHED as Scheduler WebService

-    UI->>GW: GET /console/runs/42/stream (Authorization + DPoP)
+    UI->>GW: GET /api/console/runs/42/stream (Authorization + DPoP)
    GW->>SCHED: GET /runs/42/stream (X-Stella-Tenant)
    SCHED-->>GW: event: stateChanged data: {...}
    GW-->>UI: event: stateChanged data: {..., traceId}
@@ -122,7 +122,7 @@ sequenceDiagram

 Offline behaviour:

- If SSE fails three times within 60 s, UI falls back to polling (`/console/status`, `/console/runs/{id}`) every 30 s and shows an amber banner.  
+- If SSE fails three times within 60 s, UI falls back to polling (`/api/console/status`, `/api/console/runs/{id}`) every 30 s and shows an amber banner.  
 - When `console.offlineMode=true`, SSE endpoints return `204` immediately; UI suppresses auto-reconnect to preserve resources.

 ---