From 69923b648cf36d7cece6f874bff84a358a9bb766 Mon Sep 17 00:00:00 2001
From: master <>
Date: Mon, 9 Mar 2026 07:52:46 +0200
Subject: [PATCH] fix(infra): repair gateway route ownership and add JobEngine/pack-registry scopes

- Route /api/v1/jobengine to jobengine service (was orchestrator)
- Route /api/v1/sources and /api/v1/witnesses to scanner service
- Add orch:quota and pack-registry scopes to platform OIDC token
- Align compose-local manifests with gateway appsettings.json

Co-Authored-By: Claude Opus 4.6
---
 devops/compose/docker-compose.stella-ops.yml | 2 +-
 devops/compose/envsettings-override.json | 2 +-
 devops/compose/router-gateway-local.json | 12 ++++++------
 .../compose/router-gateway-local.reverseproxy.json | 4 ++--
 .../StellaOps.Gateway.WebService/appsettings.json | 5 +++--
 5 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/devops/compose/docker-compose.stella-ops.yml b/devops/compose/docker-compose.stella-ops.yml
index ee9b533af..19746b942 100644
--- a/devops/compose/docker-compose.stella-ops.yml
+++ b/devops/compose/docker-compose.stella-ops.yml
@@ -353,7 +353,7 @@ services:
 Platform__EnvironmentSettings__TokenEndpoint: "https://stella-ops.local/connect/token"
 Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
 Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
- Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate registry.admin timeline:read timeline:write"
+ Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write"
 STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
 STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
 STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
diff --git a/devops/compose/envsettings-override.json b/devops/compose/envsettings-override.json
index 139695039..7fdd4d38c 100644
--- a/devops/compose/envsettings-override.json
+++ b/devops/compose/envsettings-override.json
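Review bot: The same ~70-entry scope string is now hand-edited in two places, here and in the envsettings-override.json hunk below, and the only way to see what this commit adds is to compare the two long lines by eye; the orch:quota and packs.* additions are invisible in this hunk. Expressing the value as a folded block scalar, `Platform__EnvironmentSettings__Scope: >-` followed by one scope per line, yields the same space-joined string while turning future scope additions into one-line diffs, and a comment such as `# keep in sync with devops/compose/envsettings-override.json "scope"` would at least flag the duplication. Requesting packs.write, packs.run and packs.approve for every UI session asks for pack-registry mutation scopes by default; whether a given user actually receives them presumably depends on the Authority's per-role scope policy, which this diff does not show, so that is worth confirming. The enclosing services: block starts and ends outside the hunk.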
@@ -6,7 +6,7 @@
 "tokenEndpoint": "https://stella-ops.local/connect/token",
 "redirectUri": "https://stella-ops.local/auth/callback",
 "postLogoutRedirectUri": "https://stella-ops.local/",
- "scope": "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate registry.admin timeline:read timeline:write",
+ "scope": "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write",
 "audience": "stella-ops-api",
 "dpopAlgorithms": [
 "ES256"
diff --git a/devops/compose/router-gateway-local.json b/devops/compose/router-gateway-local.json
index aff884280..fa2b0cbe3 100644
--- a/devops/compose/router-gateway-local.json
+++ b/devops/compose/router-gateway-local.json
@@ -118,9 +118,9 @@
 "PreserveAuthHeaders": true
 },
 {
- "Type": "Microservice",
+ "Type": "ReverseProxy",
 "Path": "/api/v1/jobengine",
- "TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/jobengine",
+ "TranslatesTo": "http://jobengine.stella-ops.local/api/v1/jobengine",
 "PreserveAuthHeaders": true
 },
 {
@@ -328,9 +328,9 @@
 "PreserveAuthHeaders": true
 },
 {
- "Type": "Microservice",
+ "Type": "ReverseProxy",
 "Path": "/api/v1/sources",
- "TranslatesTo": "http://sbomservice.stella-ops.local/api/v1/sources",
+ "TranslatesTo": "http://scanner.stella-ops.local/api/v1/sources",
 "PreserveAuthHeaders": true
 },
 {
@@ -340,9 +340,9 @@
 "PreserveAuthHeaders": true
 },
 {
- "Type": "Microservice",
+ "Type": "ReverseProxy",
 "Path": "/api/v1/witnesses",
- "TranslatesTo": "http://attestor.stella-ops.local/api/v1/witnesses",
+ "TranslatesTo": "http://scanner.stella-ops.local/api/v1/witnesses",
 "PreserveAuthHeaders": true
 },
 {
diff --git a/devops/compose/router-gateway-local.reverseproxy.json b/devops/compose/router-gateway-local.reverseproxy.json
index 13b123e22..00421437a 100644
--- a/devops/compose/router-gateway-local.reverseproxy.json
+++ b/devops/compose/router-gateway-local.reverseproxy.json
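Review bot: The Type change from Microservice to ReverseProxy on the /api/v1/jobengine route is not mentioned in the commit message, which only describes the target-host change, and the same flip appears in the /api/v1/sources and /api/v1/witnesses hunks of this file. If the two route types differ in how the gateway authenticates the caller or resolves the backend (this file does not show the semantics), that is a behavior change deserving a sentence in the description. It is also worth confirming that the scanner service actually serves /api/v1/sources and /api/v1/witnesses, since these previously pointed at sbomservice and attestor and a wrong owner would surface only at request time. Each route object is complete within its hunk, but the enclosing routes array continues outside it.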
@@ -277,7 +277,7 @@
 {
 "Type": "ReverseProxy",
 "Path": "/api/v1/sources",
- "TranslatesTo": "http://sbomservice.stella-ops.local/api/v1/sources",
+ "TranslatesTo": "http://scanner.stella-ops.local/api/v1/sources",
 "PreserveAuthHeaders": true
 },
 {
@@ -289,7 +289,7 @@
 {
 "Type": "ReverseProxy",
 "Path": "/api/v1/witnesses",
- "TranslatesTo": "http://attestor.stella-ops.local/api/v1/witnesses",
+ "TranslatesTo": "http://scanner.stella-ops.local/api/v1/witnesses",
 "PreserveAuthHeaders": true
 },
 {
diff --git a/src/Router/StellaOps.Gateway.WebService/appsettings.json b/src/Router/StellaOps.Gateway.WebService/appsettings.json
index ba301959a..d7c3c517a 100644
--- a/src/Router/StellaOps.Gateway.WebService/appsettings.json
+++ b/src/Router/StellaOps.Gateway.WebService/appsettings.json
@@ -84,6 +84,7 @@
 { "Type": "ReverseProxy", "Path": "/api/approvals", "TranslatesTo": "http://orchestrator.stella-ops.local/api/approvals" },
 { "Type": "ReverseProxy", "Path": "/api/v1/platform", "TranslatesTo": "http://platform.stella-ops.local/api/v1/platform" },
 { "Type": "ReverseProxy", "Path": "/api/v1/scanner", "TranslatesTo": "http://scanner.stella-ops.local/api/v1/scanner" },
+ { "Type": "ReverseProxy", "Path": "/api/v1/jobengine", "TranslatesTo": "http://jobengine.stella-ops.local/api/v1/jobengine", "PreserveAuthHeaders": true },
 { "Type": "ReverseProxy", "Path": "/api/v1/findings", "TranslatesTo": "http://findings.stella-ops.local/api/v1/findings", "PreserveAuthHeaders": true },
 { "Type": "ReverseProxy", "Path": "/api/v1/integrations", "TranslatesTo": "http://integrations.stella-ops.local/api/v1/integrations", "PreserveAuthHeaders": true },
 { "Type": "ReverseProxy", "Path": "/api/v1/policy", "TranslatesTo": "http://policy-gateway.stella-ops.local/api/v1/policy" },
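Review bot: This file receives the sources and witnesses retargets but no /api/v1/jobengine change, so if router-gateway-local.reverseproxy.json also carries a jobengine route it presumably still points at orchestrator and would now disagree with router-gateway-local.json and appsettings.json; worth checking, since the commit says it aligns the compose-local manifests. The same observation covers the /api/v1/witnesses hunk that follows. The route objects are complete within their hunks, but the enclosing array continues outside them.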
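Review bot: The new /api/v1/jobengine route sets `"PreserveAuthHeaders": true`, so the caller's Authorization header is forwarded to the plain-http jobengine backend and token validation plus enforcement of whatever scopes that service requires rest entirely on jobengine, not the gateway. That matches the neighbouring findings and integrations routes, but for a newly exposed service it is worth confirming that jobengine validates the forwarded token rather than trusting any request arriving from the gateway. The routes array continues outside the hunk.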
@@ -115,9 +116,9 @@
 { "Type": "ReverseProxy", "Path": "/api/v1/determinization", "TranslatesTo": "http://policy-engine.stella-ops.local/api/v1/determinization" },
 { "Type": "ReverseProxy", "Path": "/api/v1/opsmemory", "TranslatesTo": "http://opsmemory.stella-ops.local/api/v1/opsmemory" },
 { "Type": "ReverseProxy", "Path": "/api/v1/secrets", "TranslatesTo": "http://scanner.stella-ops.local/api/v1/secrets" },
- { "Type": "ReverseProxy", "Path": "/api/v1/sources", "TranslatesTo": "http://sbomservice.stella-ops.local/api/v1/sources" },
+ { "Type": "ReverseProxy", "Path": "/api/v1/sources", "TranslatesTo": "http://scanner.stella-ops.local/api/v1/sources" },
 { "Type": "ReverseProxy", "Path": "/api/v1/workflows", "TranslatesTo": "http://orchestrator.stella-ops.local/api/v1/workflows" },
- { "Type": "ReverseProxy", "Path": "/api/v1/witnesses", "TranslatesTo": "http://attestor.stella-ops.local/api/v1/witnesses" },
+ { "Type": "ReverseProxy", "Path": "/api/v1/witnesses", "TranslatesTo": "http://scanner.stella-ops.local/api/v1/witnesses" },
 { "Type": "ReverseProxy", "Path": "/api/gate", "TranslatesTo": "http://policy-gateway.stella-ops.local/api/gate", "PreserveAuthHeaders": true },
 { "Type": "ReverseProxy", "Path": "/api/risk-budget", "TranslatesTo": "http://policy-engine.stella-ops.local/api/risk-budget" },
 { "Type": "ReverseProxy", "Path": "/api/fix-verification", "TranslatesTo": "http://scanner.stella-ops.local/api/fix-verification" },
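Review bot: The retargeted /api/v1/sources and /api/v1/witnesses routes here carry no PreserveAuthHeaders flag, while the corresponding routes in router-gateway-local.json and router-gateway-local.reverseproxy.json set `"PreserveAuthHeaders": true`, so the compose-local and shipped configurations still differ in whether the caller's Authorization header reaches scanner. If the gateway defaults that flag to false, scanner would see authenticated requests locally and unauthenticated ones under appsettings.json, which is exactly the kind of drift the commit message says it removes; either add the flag to these two lines or drop it from the compose manifests so the alignment holds. The routes array continues outside the hunk.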