corrosion-admin-panel

vantzs/corrosion-admin-panel

Fork 0

Commit Graph

Author	SHA1	Message	Date
Vantz Stockwell	00cff51ce5	feat(nats): per-license auth mechanism — agent user/password, scoped broker, generator (non-breaking) All checks were successful CI / backend-types (push) Successful in 10s Details CI / frontend-build (push) Successful in 17s Details CI / agent-tests (push) Successful in 1m23s Details Build Host Agent (Rust) / build (push) Successful in 1m38s Details CI / integration (push) Successful in 23s Details Closes the open broker (anonymous publish to any tenant's corrosion.*). Per-license isolation via NATS user/password + subject permissions: each license -> user=license_id, password=HMAC-SHA256(license_id, NATS_TOKEN_SECRET), scoped to corrosion.{license_id}.> + _INBOX. Backend uses a privileged internal user. - Agent (alpha.5): nats_user/nats_password config + env, user_and_password auth; falls back to token/anonymous (transition-safe) - Backend: connects with NATS_INTERNAL_USER/PASSWORD when set, else anon - scripts/generate-nats-auth.mjs: regenerates nats-auth.conf from the licenses table; NATS_AUTH_STAGE=open keeps a no_auth_user fallback (verify creds first), =enforce rejects anonymous - committed nats-auth.conf is the SAFE OPEN default (no secrets); the host copy carries real users and is not committed - compose: NATS_INTERNAL_USER/PASSWORD/NATS_TOKEN_SECRET, mount nats-auth.conf Entirely non-breaking until secrets+config deployed; staged cutover next. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-11 12:33:27 -04:00
Vantz Stockwell	175d6f0a7b	scaffold: Docker infrastructure — Compose, Nginx, NATS, Dockerfile 4-service stack (PostgreSQL 16, NATS JetStream, Rust API, Nginx), multi-stage Rust build with dependency caching, wildcard subdomain routing for public sites, WebSocket support, rate limiting zones. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-14 21:42:15 -05:00

Author

SHA1

Message

Date

Vantz Stockwell

00cff51ce5

feat(nats): per-license auth mechanism — agent user/password, scoped broker, generator (non-breaking)

CI / backend-types (push) Successful in 10s

Details

CI / frontend-build (push) Successful in 17s

Details

CI / agent-tests (push) Successful in 1m23s

Details

Build Host Agent (Rust) / build (push) Successful in 1m38s

Details

CI / integration (push) Successful in 23s

Details

Closes the open broker (anonymous publish to any tenant's corrosion.*).
Per-license isolation via NATS user/password + subject permissions:
each license -> user=license_id, password=HMAC-SHA256(license_id,
NATS_TOKEN_SECRET), scoped to corrosion.{license_id}.> + _INBOX. Backend
uses a privileged internal user.

- Agent (alpha.5): nats_user/nats_password config + env, user_and_password
  auth; falls back to token/anonymous (transition-safe)
- Backend: connects with NATS_INTERNAL_USER/PASSWORD when set, else anon
- scripts/generate-nats-auth.mjs: regenerates nats-auth.conf from the
  licenses table; NATS_AUTH_STAGE=open keeps a no_auth_user fallback
  (verify creds first), =enforce rejects anonymous
- committed nats-auth.conf is the SAFE OPEN default (no secrets); the
  host copy carries real users and is not committed
- compose: NATS_INTERNAL_USER/PASSWORD/NATS_TOKEN_SECRET, mount nats-auth.conf

Entirely non-breaking until secrets+config deployed; staged cutover next.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

2026-06-11 12:33:27 -04:00

Vantz Stockwell

175d6f0a7b

scaffold: Docker infrastructure — Compose, Nginx, NATS, Dockerfile

4-service stack (PostgreSQL 16, NATS JetStream, Rust API, Nginx),
multi-stage Rust build with dependency caching, wildcard subdomain
routing for public sites, WebSocket support, rate limiting zones.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-14 21:42:15 -05:00

2 Commits