Problem: All 46+ services share one PostgreSQL database and connection
pool. When Concelier runs advisory sync jobs (heavy writes), the shared
pool starves Authority's OIDC token validation, causing login timeouts.
Fix: Create a dedicated stellaops_authority database on the same Postgres
instance. Authority gets its own connection string with an independent
Npgsql connection pool (Maximum Pool Size=20, Minimum Pool Size=2).
Changes:
- 00-create-authority-db.sql: Creates stellaops_authority database
- 04b-authority-dedicated-schema.sql: Applies full Authority schema
(tables, indexes, RLS, triggers, seed data) to the dedicated DB
- docker-compose.stella-ops.yml: New x-postgres-authority-connection
anchor pointing to stellaops_authority. Authority service env updated.
Shared pool reduced to Maximum Pool Size=50.
The existing stellaops_platform.authority schema remains for backward
compatibility. Authority reads/writes from the isolated database.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Concelier:
- Register Topology.Read, Topology.Manage, Topology.Admin authorization
policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite
scopes. Previously these policies were referenced by endpoints but never
registered, causing System.InvalidOperationException on every topology
API call.
Gateway routes:
- Simplified targets/environments routes (removed specific sub-path routes,
use catch-all patterns instead)
- Changed environments base route to JobEngine (where CRUD lives)
- Changed to ReverseProxy type for all topology routes
KNOWN ISSUE (not yet fixed):
- ReverseProxy routes don't forward the gateway's identity envelope to
Concelier. The regions/targets/bindings endpoints return 401 because
hasPrincipal=False — the gateway authenticates the user but doesn't
pass the identity to the backend via ReverseProxy. Microservice routes
use Valkey transport which includes envelope headers. Topology endpoints
need either: (a) Valkey transport registration in Concelier, or
(b) Concelier configured to accept raw bearer tokens on ReverseProxy paths.
This is an architecture-level fix.
Journey findings collected so far:
- Integration wizard (Harbor + GitHub App): works end-to-end
- Advisory Check All: fixed (parallel individual checks)
- Mirror domain creation: works, generate-immediately fails silently
- Topology wizard Step 1 (Region): blocked by auth passthrough issue
- Topology wizard Step 2 (Environment): POST to JobEngine needs verify
- User ID resolution: raw hashes shown everywhere
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
