Fix critical journey blockers: audit endpoints, registry mock, topology auth
Fix #20 — Audit log empty: Wire app.MapAuditEndpoints() in JobEngine Program.cs. The endpoint file existed but was never registered, so /api/v1/jobengine/audit returned 404 and the Timeline unified aggregation service got 0 events. Fix #22 — Registry search returns mock data: Replace the catchError() synthetic mock fallback in searchImages() with an empty array return. The release wizard will now show "no results" instead of fabricating fake "payment-service" with "sha256:payment..." digests. getImageDigests() returns an empty-tags placeholder on failure. Fix #13 — Topology wizard 401 (identity envelope passthrough): Add TryAuthenticateFromIdentityEnvelope() to Concelier's JwtBearer OnMessageReceived handler. When no JWT bearer token is present (stripped by gateway's IdentityHeaderPolicyMiddleware on ReverseProxy routes), the handler reads X-StellaOps-Identity-Envelope + signature headers, verifies the HMAC-SHA256 signature using the shared signing key, and populates ClaimsPrincipal with subject/tenant/scopes/roles from the envelope. This enables ReverseProxy routes to Concelier topology endpoints to authenticate the same way Microservice/Valkey routes do. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
@@ -200,6 +200,7 @@ app.MapReleaseEndpoints();
|
||||
app.MapApprovalEndpoints();
|
||||
app.MapReleaseDashboardEndpoints();
|
||||
app.MapReleaseControlV2Endpoints();
|
||||
app.MapAuditEndpoints();
|
||||
|
||||
// Refresh Router endpoint cache
|
||||
app.TryRefreshStellaRouterEndpoints(routerEnabled);
|
||||
|
||||
Reference in New Issue
Block a user