Align live console and policy governance clients
This commit is contained in:
master
@@ -0,0 +1,65 @@
|
||||
# Sprint 20260309-010 - FE Live Auth Scope, Console, and Policy Alignment
|
||||
|
||||
## Topic & Scope
|
||||
- Repair the post-rebuild live failures that are now clearly contract/alignment defects instead of generic service outages: trust-signing authorization, console status frontdoor pathing, and policy-governance tenant drift.
|
||||
- Keep this iteration focused on live canonical routes already failing in the authenticated sweep: `/ops/platform-setup/trust-signing`, `/setup/trust-signing`, `/ops/operations/status`, `/ops/policy/trust-weights`, `/ops/policy/staleness`, and `/ops/policy/audit`.
|
||||
- Working directory: `src/Web/StellaOps.Web`.
|
||||
- Allowed cross-module edits: `devops/compose/docker-compose.stella-ops.yml`, `docs/api/console/samples/console-status-sample.json`, `docs/modules/ui/console-architecture.md`, `docs/implplan/SPRINT_20260309_002_FE_live_frontdoor_canonical_route_sweep.md`, `docs/implplan/SPRINT_20260309_009_FE_live_contract_alignment_titles_trust_feeds.md`.
|
||||
- Expected evidence: focused frontend specs, rebuilt/redeployed live stack, refreshed authenticated Playwright auth report, and a new canonical route sweep artifact.
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Depends on `SPRINT_20260309_002_FE_live_frontdoor_canonical_route_sweep.md` for the current live failure inventory and on `SPRINT_20260309_009_FE_live_contract_alignment_titles_trust_feeds.md` for the completed trust-route frontend adapter.
|
||||
- Safe parallelism: keep code edits in `src/Web/StellaOps.Web/**` and the single compose auth bootstrap file only; do not edit backend service implementations in this sprint.
|
||||
|
||||
## Documentation Prerequisites
|
||||
- `AGENTS.md`
|
||||
- `docs/implplan/AGENTS.md`
|
||||
- `src/Web/StellaOps.Web/AGENTS.md`
|
||||
- `docs/code-of-conduct/CODE_OF_CONDUCT.md`
|
||||
- `docs/qa/feature-checks/FLOW.md`
|
||||
- `docs/technical/architecture/console-admin-rbac.md`
|
||||
- `docs/security/console-security.md`
|
||||
- `docs/modules/ui/console-architecture.md`
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### FE-AUTH-010-001 - Restore live trust-signing bootstrap scopes
|
||||
Status: DOING
|
||||
Dependency: none
|
||||
Owners: Developer, QA
|
||||
Task description:
|
||||
- Align the demo console bootstrap client scope request and allowed scope catalog with the live Platform trust-signing authorization policies so authenticated Playwright sessions can load the Trust & Signing overview and operator actions without `403` responses.
|
||||
- Keep the change limited to the scratch-setup compose bootstrap path used for clean redeploys.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] The compose bootstrap client requests and is allowed to receive the trust/signer scopes required by the setup trust pages.
|
||||
- [ ] A fresh authenticated session issued after redeploy includes the expected trust scopes.
|
||||
- [ ] Live `/ops/platform-setup/trust-signing` and `/setup/trust-signing` stop failing on `403`.
|
||||
|
||||
### FE-AUTH-010-002 - Align console status and policy-governance clients with live frontdoor contracts
|
||||
Status: TODO
|
||||
Dependency: FE-AUTH-010-001
|
||||
Owners: Developer, Test Automation
|
||||
Task description:
|
||||
- Repoint console status polling/streaming onto the canonical frontdoor path used by the rebuilt stack and replace policy-governance placeholder tenant leakage with active tenant resolution so live query contracts do not collapse to stale demo IDs.
|
||||
- Repair stale audit module wiring where the policy audit shell still targets retired policy audit endpoints.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] `ConsoleStatusClient` no longer requests `/console/status` on the live frontdoor.
|
||||
- [ ] Policy-governance HTTP requests stop emitting `tenantId=acme-tenant` during authenticated live page loads.
|
||||
- [ ] The policy audit shell uses the live governance audit endpoint.
|
||||
- [ ] Focused frontend tests cover the console path and policy tenant/audit contract alignment.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-03-09 | Sprint created after the fresh full rebuild improved the authenticated route sweep to 95/111 and isolated the remaining frontend-owned failures to trust-signing authorization, console status frontdoor pathing, and policy-governance tenant/audit drift. | Developer |
|
||||
|
||||
## Decisions & Risks
|
||||
- Decision: treat the trust-signing `403` as a bootstrap scope defect, not a web routing defect; the previous sprint already moved the UI to the live `/api/v1/administration/trust-signing*` contract and removed the retired `404` paths.
|
||||
- Decision: fix policy-governance tenant drift centrally in the HTTP client layer for this iteration to clear the entire component family without colliding with the other agent's component-revival work.
|
||||
- Risk: the console status frontdoor contract is documented inconsistently (`/console/status` vs `/api/console/status`); this sprint will follow the live deployment/security docs and verify the result against the rebuilt stack.
|
||||
|
||||
## Next Checkpoints
|
||||
- 2026-03-09: land the trust bootstrap scope repair and confirm new tokens include trust scopes.
|
||||
- 2026-03-09: land the console/policy client alignment and rerun the authenticated canonical route sweep.
|
||||
Reference in New Issue
Block a user