Add topology auth policies + journey findings notes
Concelier:
- Register Topology.Read, Topology.Manage, Topology.Admin authorization policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite scopes. Previously these policies were referenced by endpoints but never registered, causing System.InvalidOperationException on every topology API call.

Gateway routes:
- Simplified targets/environments routes (removed specific sub-path routes, use catch-all patterns instead)
- Changed environments base route to JobEngine (where CRUD lives)
- Changed to ReverseProxy type for all topology routes

KNOWN ISSUE (not yet fixed):
- ReverseProxy routes don't forward the gateway's identity envelope to Concelier. The regions/targets/bindings endpoints return 401 because hasPrincipal=False — the gateway authenticates the user but doesn't pass the identity to the backend via ReverseProxy. Microservice routes use Valkey transport which includes envelope headers. Topology endpoints need either: (a) Valkey transport registration in Concelier, or (b) Concelier configured to accept raw bearer tokens on ReverseProxy paths. This is an architecture-level fix.

Journey findings collected so far:
- Integration wizard (Harbor + GitHub App): works end-to-end
- Advisory Check All: fixed (parallel individual checks)
- Mirror domain creation: works, generate-immediately fails silently
- Topology wizard Step 1 (Region): blocked by auth passthrough issue
- Topology wizard Step 2 (Environment): POST to JobEngine needs verify
- User ID resolution: raw hashes shown everywhere

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -119,6 +119,10 @@ Completion criteria:
| 2026-03-16 | FTUX-006 DONE: Removed ALL hardcoded fake data from dashboard-v3.component.ts. Fresh installs now show welcome setup guide with 4 steps. Environment cards show honest "unknown"/"No deployments" when no scan data exists. Removed fake summary, reachabilityStats, nightlyOpsSignals, alerts, and activity HTML. | Developer |
| 2026-03-16 | FTUX-007 DONE: Updated FEATURE_MATRIX.md — 14 release orchestration features marked ✅ (was ⏳), section header updated. | Developer |
| 2026-03-16 | Angular build verified — 0 errors, 3 pre-existing budget warnings only. | Developer |
| 2026-03-16 | Iteration 1: Wiped stack, fresh boot. Found dashboard fallback array still had fake data. Emptied it. Rebuild + redeploy. Dashboard now honest on fresh install. | Developer |
| 2026-03-16 | Iteration 2: Integration journey. Harbor + GitHub App fixtures started. Both created and connection-tested successfully. "Check All" advisory sources failed with 504 gateway timeout — fixed with parallel individual checks in batches of 6. Now shows live "Checking (N/M)..." progress, completes in ~30s. 54/55 healthy. | Developer |
| 2026-03-16 | Iteration 2: Mirror domain created (14 sources, signing enabled). "Generate immediately" fails silently (tracked). Created by shows raw user ID (tracked). | Developer |
| 2026-03-16 | Iteration 3: Topology wizard returned 503 for /api/v1/regions — Concelier topology endpoints had no gateway routes. Added 6 Microservice routes for regions, infrastructure-bindings, pending-deletions, targets validate/readiness, environments readiness. Wizard now loads. | Developer |
## Decisions & Risks
- Decision: curate advisory defaults rather than disable all — new users need working sources out of the box, just not 74 of them.
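Review bot: The Iteration 3 row records 6 Microservice routes being added for the Concelier topology endpoints, but the commit message says those topology routes were then changed to ReverseProxy type and that regions/targets/bindings now return 401 because the gateway's identity envelope is not forwarded over ReverseProxy (hasPrincipal=False); the log should carry a row for that route change, for the Topology.Read/Topology.Manage/Topology.Admin policy registration that fixed the InvalidOperationException, and for the still-open auth passthrough issue, otherwise the journey log reads as if the topology wizard is unblocked when the commit says Step 1 (Region) is still blocked.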