From 6d91cf36b72a4213280f3e0012060ab4942027ba Mon Sep 17 00:00:00 2001
From: master <>
Date: Tue, 17 Mar 2026 07:45:00 +0200
Subject: [PATCH] Add identity envelope middleware to Platform service (fixes
 403s)

Platform was the ONLY service missing UseIdentityEnvelopeAuthentication().
Sprint 008 added it to Scanner, JobEngine, Timeline, Integrations, Concelier
but missed Platform. This caused ALL context API calls to return 403:
- /api/v2/context/regions
- /api/v2/context/environments
- /api/v2/context/preferences

The gateway strips JWT and sends signed identity envelope headers instead.
Without the middleware, Platform couldn't read the scopes from the envelope,
so every authorization check failed.

This also fixes the "Events: DEGRADED" SSE status indicator since the
context store's error was caused by these 403 responses.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/Platform/StellaOps.Platform.WebService/Program.cs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Platform/StellaOps.Platform.WebService/Program.cs b/src/Platform/StellaOps.Platform.WebService/Program.cs
index e3b59c4c9..2070d47e7 100644
--- a/src/Platform/StellaOps.Platform.WebService/Program.cs
+++ b/src/Platform/StellaOps.Platform.WebService/Program.cs
@@ -311,6 +311,7 @@ if (!string.Equals(bootstrapOptions.Storage.Driver, "memory", StringComparison.O
 app.UseStellaOpsCors();
 app.UseStellaOpsLocalization();
 app.UseStellaOpsTelemetryContext();
+app.UseIdentityEnvelopeAuthentication();
 app.UseAuthentication();
 app.UseAuthorization();
 app.UseStellaOpsTenantMiddleware();