Console Activation Stream

OP-067 through OP-070 convert the AWS dev console from an observatory-style dashboard into an interactive multi-tenant console with authenticated API documentation.

Why It Matters

The backend and console already have real Phase 1 workflows: tickets, alerts, enrollment tokens, assets, discovery policies, compliance policy forking, auditor exports, SCIM setup, SIEM search, and Intune posture. The UI is role-aware through frontend/src/lib/role-capabilities.ts.

Those workflows still need a real login/session shell. Without authentication, the console cannot reliably derive tenant, role, and actor context from the backend, so mutation controls stay hidden and the product feels read-only.

Sequence

  1. OP-067 deploys Keycloak in AWS dev through Helm, with realm import, ingress at auth.watchtower-app.mergematter.io, OIDC environment wiring for api-service, and an EKS capacity preflight. The current single-node AWS dev shape is already at pod capacity, so Keycloak requires added arm64 capacity or a larger node before deploy.
  2. OP-068 adds frontend-owned /auth/* login/callback/logout routes, OIDC callback handling with PKCE, httpOnly session cookies, real /api/v1/session retrieval for role/tenant/actor context, and current-user bearer forwarding for same-origin mutation routes under /console-api/oneprotect/*. Frontend auth and mutation proxy routes stay out of /api/* because AWS app ingress routes /api/* to FastAPI. AWS dev also sets ONEPROTECT_CONSOLE_PUBLIC_URL so Keycloak callback URLs and frontend auth callback/logout redirects use https://watchtower-app.mergematter.io rather than the internal Next.js listen origin.
  3. OP-069 adds super-admin tenant management APIs and UI so demo/pilot tenants and bootstrap tenant admins can be created safely. This is implemented with audited system-admin-only APIs, Settings-page UI, and Keycloak user bootstrap for tenant-facing roles.
  4. OP-070 exposes FastAPI's built-in Swagger UI and OpenAPI JSON behind the same authenticated OIDC session, with polished metadata, role-oriented tags, required-role endpoint descriptions, and a console link.
  5. OP-071 hardens tenant user bootstrap so Keycloak creation and verification must succeed before OneProtect commits tenant_admin, operator, or auditor role assignments. Missing Keycloak config, weak passwords, or verification drift fail closed with structured remediation.

Guardrails

  • Role-aware rendering uses backend-derived session role, not a frontend flag.
  • Mutation controls remain hidden for unauthorized roles.
  • Backend authorization, audit, redaction, and tenant isolation remain authoritative.
  • API documentation must reuse the API service and OIDC session; no separate Swagger pod or public unauthenticated docs surface.
  • Swagger organization should use role-oriented tags (platform-admin, tenant-admin, operator, auditor, public) with tag descriptions and required-role endpoint descriptions.
  • Proxied deployments must configure the public console URL before enabling OIDC login; forwarded/container request origins are not a reliable source for browser callback URLs or final auth route redirects behind ALB/Ingress.
  • Tenant-facing bootstrap users must verify in Keycloak before SQL commit; do not reintroduce create-without-Keycloak success paths.
  • SCIM remains the enterprise lifecycle integration path; super-admin tenant management is for bootstrap/demo/pilot onboarding.
  • Tenant self-service signup is Phase 2.
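
The login-route side of OP-068 and the public-URL guardrail above, as an added example rather than the project's own code: a PKCE S256 challenge plus an authorization URL whose redirect_uri is built only from ONEPROTECT_CONSOLE_PUBLIC_URL and fails closed when it is unset. The config field names, the realm in the issuer and the /auth/callback path are assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Assumed config shape: only ONEPROTECT_CONSOLE_PUBLIC_URL is named in the feature note.
export interface OidcConfig {
  issuer: string;            // Keycloak realm issuer, e.g. https://auth.../realms/<realm>
  clientId: string;
  consolePublicUrl?: string; // value of ONEPROTECT_CONSOLE_PUBLIC_URL, may be unset
}

// RFC 7636 S256: challenge = base64url(SHA-256(verifier)) without padding.
export function pkceChallenge(verifier: string): string {
  return createHash("sha256").update(verifier).digest("base64url");
}

export function newPkceVerifier(): string {
  // 32 random bytes -> 43 base64url chars, inside the 43..128 range RFC 7636 requires.
  return randomBytes(32).toString("base64url");
}

// The browser-facing callback URL is derived only from the configured public origin.
// Host and X-Forwarded-* headers are deliberately never consulted: behind ALB/Ingress
// they reflect the internal Next.js listener or whatever the client chose to send.
// Missing config fails closed instead of falling back to the request origin.
export function callbackUrl(cfg: OidcConfig): string {
  if (!cfg.consolePublicUrl) {
    throw new Error("ONEPROTECT_CONSOLE_PUBLIC_URL is not set; refusing to start OIDC login");
  }
  const base = new URL(cfg.consolePublicUrl);
  if (base.protocol !== "https:") {
    throw new Error("ONEPROTECT_CONSOLE_PUBLIC_URL must be an https origin");
  }
  return new URL("/auth/callback", base).toString(); // /auth/callback path is assumed
}

// Authorization request for the /auth/login route: code flow + PKCE, state bound to the session.
export function buildAuthorizeUrl(cfg: OidcConfig, state: string, verifier: string): string {
  const issuer = cfg.issuer.replace(/\/+$/, "");
  const auth = new URL(`${issuer}/protocol/openid-connect/auth`); // Keycloak authorize endpoint
  auth.searchParams.set("response_type", "code");
  auth.searchParams.set("client_id", cfg.clientId);
  auth.searchParams.set("redirect_uri", callbackUrl(cfg));
  auth.searchParams.set("scope", "openid");
  auth.searchParams.set("state", state);
  auth.searchParams.set("code_challenge", pkceChallenge(verifier));
  auth.searchParams.set("code_challenge_method", "S256");
  return auth.toString();
}
```

The verifier and state are kept server-side against the httpOnly session cookie, and the callback route sends the stored verifier as code_verifier on the token request.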

Non-Scope

This feature note documents the stream and the implemented OP-067/OP-068/OP-069 activation pieces. OP-070 adds authenticated Swagger route protection. The stream still does not implement SDK generation, an external developer portal, SCIM/agent/SSH/runtime expansion, or a separate docs pod.