git.stella-ops.org

stella-ops.org/git.stella-ops.org

Fork 0

Commit Graph

Author	SHA1	Message	Date
master	52d1512e7e	chore(web): refresh playwright mirror-operator-journey fixtures Updated auth state, report JSON, and screenshot snapshots captured from the latest live-stack run of the mirror operator journey and front-door auth flows. Includes tmp-feedmirror-auth/state fixtures used by the feed-mirror UI verification path. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-13 21:59:38 +03:00
master	6660676341	Fix scan route: register in security-risk.routes.ts (active route file) The scan route was added to security.routes.ts which isn't loaded by the app router. The app loads security-risk.routes.ts at /security/*. Added the scan route to security-risk.routes.ts so /security/scan resolves. Verified: Scan Image page loads at /security/scan with heading, image input, and submit button. 111/111 canonical routes passing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-16 16:59:16 +02:00
master	da76d6e93e	Add topology auth policies + journey findings notes Concelier: - Register Topology.Read, Topology.Manage, Topology.Admin authorization policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite scopes. Previously these policies were referenced by endpoints but never registered, causing System.InvalidOperationException on every topology API call. Gateway routes: - Simplified targets/environments routes (removed specific sub-path routes, use catch-all patterns instead) - Changed environments base route to JobEngine (where CRUD lives) - Changed to ReverseProxy type for all topology routes KNOWN ISSUE (not yet fixed): - ReverseProxy routes don't forward the gateway's identity envelope to Concelier. The regions/targets/bindings endpoints return 401 because hasPrincipal=False — the gateway authenticates the user but doesn't pass the identity to the backend via ReverseProxy. Microservice routes use Valkey transport which includes envelope headers. Topology endpoints need either: (a) Valkey transport registration in Concelier, or (b) Concelier configured to accept raw bearer tokens on ReverseProxy paths. This is an architecture-level fix. Journey findings collected so far: - Integration wizard (Harbor + GitHub App): works end-to-end - Advisory Check All: fixed (parallel individual checks) - Mirror domain creation: works, generate-immediately fails silently - Topology wizard Step 1 (Region): blocked by auth passthrough issue - Topology wizard Step 2 (Environment): POST to JobEngine needs verify - User ID resolution: raw hashes shown everywhere Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-16 08:12:39 +02:00

Author

SHA1

Message

Date

master

52d1512e7e

chore(web): refresh playwright mirror-operator-journey fixtures

Updated auth state, report JSON, and screenshot snapshots captured from
the latest live-stack run of the mirror operator journey and front-door
auth flows. Includes tmp-feedmirror-auth/state fixtures used by the
feed-mirror UI verification path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-13 21:59:38 +03:00

master

6660676341

Fix scan route: register in security-risk.routes.ts (active route file)

The scan route was added to security.routes.ts which isn't loaded by the
app router. The app loads security-risk.routes.ts at /security/*. Added
the scan route to security-risk.routes.ts so /security/scan resolves.

Verified: Scan Image page loads at /security/scan with heading, image
input, and submit button. 111/111 canonical routes passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-16 16:59:16 +02:00

master

da76d6e93e

Add topology auth policies + journey findings notes

Concelier:
- Register Topology.Read, Topology.Manage, Topology.Admin authorization
  policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite
  scopes. Previously these policies were referenced by endpoints but never
  registered, causing System.InvalidOperationException on every topology
  API call.

Gateway routes:
- Simplified targets/environments routes (removed specific sub-path routes,
  use catch-all patterns instead)
- Changed environments base route to JobEngine (where CRUD lives)
- Changed to ReverseProxy type for all topology routes

KNOWN ISSUE (not yet fixed):
- ReverseProxy routes don't forward the gateway's identity envelope to
  Concelier. The regions/targets/bindings endpoints return 401 because
  hasPrincipal=False — the gateway authenticates the user but doesn't
  pass the identity to the backend via ReverseProxy. Microservice routes
  use Valkey transport which includes envelope headers. Topology endpoints
  need either: (a) Valkey transport registration in Concelier, or
  (b) Concelier configured to accept raw bearer tokens on ReverseProxy paths.
  This is an architecture-level fix.

Journey findings collected so far:
- Integration wizard (Harbor + GitHub App): works end-to-end
- Advisory Check All: fixed (parallel individual checks)
- Mirror domain creation: works, generate-immediately fails silently
- Topology wizard Step 1 (Region): blocked by auth passthrough issue
- Topology wizard Step 2 (Environment): POST to JobEngine needs verify
- User ID resolution: raw hashes shown everywhere

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-16 08:12:39 +02:00

3 Commits