Add topology auth policies + journey findings notes

Concelier:
- Register Topology.Read, Topology.Manage, Topology.Admin authorization
  policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite
  scopes. Previously these policies were referenced by endpoints but never
  registered, causing System.InvalidOperationException on every topology
  API call.

Gateway routes:
- Simplified targets/environments routes (removed specific sub-path routes,
  use catch-all patterns instead)
- Changed environments base route to JobEngine (where CRUD lives)
- Changed to ReverseProxy type for all topology routes

KNOWN ISSUE (not yet fixed):
- ReverseProxy routes don't forward the gateway's identity envelope to
  Concelier. The regions/targets/bindings endpoints return 401 because
  hasPrincipal=False — the gateway authenticates the user but doesn't
  pass the identity to the backend via ReverseProxy. Microservice routes
  use Valkey transport which includes envelope headers. Topology endpoints
  need either: (a) Valkey transport registration in Concelier, or
  (b) Concelier configured to accept raw bearer tokens on ReverseProxy paths.
  This is an architecture-level fix.

Journey findings collected so far:
- Integration wizard (Harbor + GitHub App): works end-to-end
- Advisory Check All: fixed (parallel individual checks)
- Mirror domain creation: works, generate-immediately fails silently
- Topology wizard Step 1 (Region): blocked by auth passthrough issue
- Topology wizard Step 2 (Environment): POST to JobEngine still needs verification
- User ID resolution: raw hashes shown everywhere

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 08:12:39 +02:00
parent 602df77467
commit da76d6e93e
223 changed files with 24763 additions and 489 deletions

118
package-lock.json generated

@@ -8,7 +8,7 @@
"name": "stellaops-docs",
"version": "0.1.0",
"dependencies": {
"@openai/codex": "^0.80.0",
"@openai/codex": "^0.115.0-alpha.24",
"ajv": "^8.17.1",
"ajv-formats": "^2.1.1",
"yaml": "^2.4.5"
@@ -18,13 +18,123 @@
}
},
"node_modules/@openai/codex": {
"version": "0.80.0",
"resolved": "https://registry.npmjs.org/@openai/codex/-/codex-0.80.0.tgz",
"integrity": "sha512-U1DWDy7eTjx+SF32Wx9oO6cyX1dd9WiRvIW4XCP3FVcv7Xq7CSCvDrFAdzpFxPNPg6CLz9a4qtO42yntpcJpDw==",
"version": "0.115.0-alpha.24",
"resolved": "https://registry.npmjs.org/@openai/codex/-/codex-0.115.0-alpha.24.tgz",
"integrity": "sha512-fjeg+bslp5nK9PzcZuc11IX027nUHqmQroJCKhQ0O9ddqs7q2aEktBd8cv6iU8XRQBZrPjW/0+mzyXuHPA22rw==",
"license": "Apache-2.0",
"bin": {
"codex": "bin/codex.js"
},
"engines": {
"node": ">=16"
},
"optionalDependencies": {
"@openai/codex-darwin-arm64": "npm:@openai/codex@0.115.0-alpha.24-darwin-arm64",
"@openai/codex-darwin-x64": "npm:@openai/codex@0.115.0-alpha.24-darwin-x64",
"@openai/codex-linux-arm64": "npm:@openai/codex@0.115.0-alpha.24-linux-arm64",
"@openai/codex-linux-x64": "npm:@openai/codex@0.115.0-alpha.24-linux-x64",
"@openai/codex-win32-arm64": "npm:@openai/codex@0.115.0-alpha.24-win32-arm64",
"@openai/codex-win32-x64": "npm:@openai/codex@0.115.0-alpha.24-win32-x64"
}
},
"node_modules/@openai/codex-darwin-arm64": {
"name": "@openai/codex",
"version": "0.115.0-alpha.24-darwin-arm64",
"resolved": "https://registry.npmjs.org/@openai/codex/-/codex-0.115.0-alpha.24-darwin-arm64.tgz",
"integrity": "sha512-/vlH+wSZkHEsI6rdIB1Tcfjr5y1r8v8dV5XDre6dPZXDBp8o40BI3jfbRgVBPdrgWyb7SEKPcuJRjwu3FXoYKA==",
"cpu": [
"arm64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": ">=16"
}
},
"node_modules/@openai/codex-darwin-x64": {
"name": "@openai/codex",
"version": "0.115.0-alpha.24-darwin-x64",
"resolved": "https://registry.npmjs.org/@openai/codex/-/codex-0.115.0-alpha.24-darwin-x64.tgz",
"integrity": "sha512-xAT5XmQOj0NLg3yu+QdBtgot5XPn4lw4w7ztaQwgf+OzilFwD69rmNH/rIXSUknvQmOFnKug0GtNjjKgdyctPw==",
"cpu": [
"x64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": ">=16"
}
},
"node_modules/@openai/codex-linux-arm64": {
"name": "@openai/codex",
"version": "0.115.0-alpha.24-linux-arm64",
"resolved": "https://registry.npmjs.org/@openai/codex/-/codex-0.115.0-alpha.24-linux-arm64.tgz",
"integrity": "sha512-IRhOx+qASa5d/YwnLzbvwsgFySMUg8lzB81PQgoDSAmsuRWcqA/uu9PCsQN9YKMjH4YFk6BMsfB+Ni40ZZUJ+Q==",
"cpu": [
"arm64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"linux"
],
"engines": {
"node": ">=16"
}
},
"node_modules/@openai/codex-linux-x64": {
"name": "@openai/codex",
"version": "0.115.0-alpha.24-linux-x64",
"resolved": "https://registry.npmjs.org/@openai/codex/-/codex-0.115.0-alpha.24-linux-x64.tgz",
"integrity": "sha512-76LiFBGrp0d6EHY7sedQDXzNity6/xEEUbeSUZ7/k+Sa9hlob4E9Ti9Rz+ARLJLhObbHxQBYCRMsO9mIs8er+w==",
"cpu": [
"x64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"linux"
],
"engines": {
"node": ">=16"
}
},
"node_modules/@openai/codex-win32-arm64": {
"name": "@openai/codex",
"version": "0.115.0-alpha.24-win32-arm64",
"resolved": "https://registry.npmjs.org/@openai/codex/-/codex-0.115.0-alpha.24-win32-arm64.tgz",
"integrity": "sha512-b6j+GVd4BCjDOf/ruYWKYXnEo5QfBsLeJjUjlQ6KzAdnh7i1Xw8nZ32O4yVLm+ciUgVhf+2HvbPuEMdNQqF4ZQ==",
"cpu": [
"arm64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"win32"
],
"engines": {
"node": ">=16"
}
},
"node_modules/@openai/codex-win32-x64": {
"name": "@openai/codex",
"version": "0.115.0-alpha.24-win32-x64",
"resolved": "https://registry.npmjs.org/@openai/codex/-/codex-0.115.0-alpha.24-win32-x64.tgz",
"integrity": "sha512-E51iK8gIjIe2KJlclXoxZ0b1UnSpJcT1q3NsvI7TAb+tg64p7dcMDBv4RV+Cm2OpQC/+RujLvzu50WzR4SRPBg==",
"cpu": [
"x64"
],
"license": "Apache-2.0",
"optional": true,
"os": [
"win32"
],
"engines": {
"node": ">=16"
}