tenant fixes

src/Signals/StellaOps.Signals/Program.cs

@@ -5,6 +5,7 @@ using Microsoft.Extensions.Options;
 using NetEscapades.Configuration.Yaml;
 using StellaOps.Auth.Abstractions;
 using StellaOps.Auth.ServerIntegration;
+using StellaOps.Auth.ServerIntegration.Tenancy;
 using StellaOps.Configuration;
 using StellaOps.Determinism;
 using StellaOps.Signals.Authentication;
@@ -89,6 +90,7 @@ builder.Services.AddTriageSuppressServices();
 builder.Services.AddSingleton<SignalsSealedModeMonitor>();
 builder.Services.AddProblemDetails();
 builder.Services.AddHealthChecks();
+builder.Services.AddStellaOpsTenantServices();
 builder.Services.AddStellaOpsCors(builder.Environment, builder.Configuration);
 builder.Services.AddRouting(options => options.LowercaseUrls = true);
 
@@ -310,6 +312,7 @@ if (!bootstrap.Authority.Enabled)
 app.UseStellaOpsCors();
 app.UseAuthentication();
 app.UseAuthorization();
+app.UseStellaOpsTenantMiddleware();
 app.TryUseStellaRouter(routerEnabled);
 
 app.MapHealthChecks("/healthz").AllowAnonymous();
@@ -330,7 +333,7 @@ app.MapGet("/readyz", (SignalsStartupState state, SignalsSealedModeMonitor seale
 // SCM/CI webhook endpoints (Sprint: SPRINT_20251229_013)
 app.MapScmWebhookEndpoints();
 
-var signalsGroup = app.MapGroup("/signals");
+var signalsGroup = app.MapGroup("/signals").RequireTenant();
 
 signalsGroup.MapGet("/ping", (HttpContext context, SignalsOptions options, SignalsSealedModeMonitor sealedModeMonitor) =>
 {