stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Align policy simulation auth passthrough at the frontdoor

Browse Source
This commit is contained in:
master
2026-03-10 01:55:51 +02:00
parent d16d7a1692
commit 72084355a6
7 changed files with 109 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
docs/implplan/SPRINT_20260309_018_Router_policy_simulation_frontdoor_translation.md Normal file
View File

@@ -0,0 +1,50 @@
# Sprint 20260309-018 - Router Policy Simulation Frontdoor Translation
## Topic & Scope
- Restore frontdoor reachability for the live Policy Simulation history tools after the backend compatibility handlers were repaired.
- Fix the actual frontdoor root cause: router auth passthrough approval drift for `/policy/shadow*` and `/policy/simulations*`, not just raw path translation.
- Verify the repaired paths with direct frontdoor probes and authenticated Playwright navigation against `https://stella-ops.local`.
- Working directory: `src/Router/StellaOps.Gateway.WebService`.
- Allowed coordination edits: `devops/compose/router-gateway-local.json`, `devops/compose/router-gateway-local.reverseproxy.json`, `docs/modules/router/architecture.md`, `src/Router/__Tests/StellaOps.Gateway.WebService.Tests/**`.
- Expected evidence: gateway auth policy diff, router config diff, focused direct HTTP probes, authenticated Playwright route/action artifacts.
## Dependencies & Concurrency
- Depends on `SPRINT_20260309_011_Platform_live_remaining_route_contract_repair.md` for the backend `/policy/simulations*` handlers and focused gateway tests.
- Safe parallelism: do not touch unrelated route rewrites already in progress in the router JSON files; stage only the policy simulation auth/passthrough hunks for this commit.
## Documentation Prerequisites
- `AGENTS.md`
- `docs/code-of-conduct/CODE_OF_CONDUCT.md`
- `docs/qa/feature-checks/FLOW.md`
- `docs/modules/policy/architecture.md`
## Delivery Tracker
### ROUTER-POLICY-SIM-018-001 - Align policy simulation frontdoor auth passthrough
Status: DOING
Dependency: none
Owners: Developer, QA
Task description:
- Extend the canonical local router config, reverse-proxy fallback config, and source gateway defaults so authenticated frontdoor requests for Policy simulation history, compare, verify, and pin actions reach `policy-gateway.stella-ops.local` with DPoP/JWT passthrough preserved.
- Keep the gateway's approved passthrough allow-list explicit and auditable instead of silently depending on a stale hardcoded prefix set.
- Preserve auth headers and avoid disturbing unrelated dirty route edits from other agents.
Completion criteria:
- [ ] `https://stella-ops.local/policy/shadow/results`, `.../simulations/history`, `.../compare`, and `.../{id}/verify` no longer fail because gateway auth passthrough was stripped.
- [ ] Only the policy simulation passthrough hunks are staged for the commit.
- [ ] Authenticated Playwright can load the live history page and exercise its key actions through the frontdoor.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-09 | Sprint created after live retesting proved the Policy gateway served the simulation history contract while the frontdoor still returned `404` because the canonical router config translated `/policy/shadow*` but not `/policy/simulations*`. | Developer |
| 2026-03-09 | Live router logs showed the browser was already sending auth for `/policy/shadow/results` and `/policy/simulations/history`, but the gateway stripped Authorization/DPoP because the prefixes were missing from the approved passthrough allow-list. This sprint now fixes the gateway/config drift directly. | Developer |
## Decisions & Risks
- Decision: keep auth passthrough fail-closed, but move the approved prefix set into explicit gateway/config data so live route additions do not silently drift away from the code path that strips auth headers.
- Decision: keep the policy fix scoped to `/policy/shadow` and `/policy/simulations` rather than broadening every `/policy/*` route.
- Risk: the router JSON files are already dirty from unrelated route work; stage only the specific policy passthrough additions and leave the rest untouched.
## Next Checkpoints
- 2026-03-09: land the gateway/config passthrough fix and redeploy the frontdoor.
- 2026-03-09: rerun authenticated Policy Simulation history navigation with Playwright.