feat(picloud): opportunistic principal middleware on the data plane

The data-plane (POST /execute/{id} + user-route fallback) is unauthenticated by default — public scripts get hit by anonymous HTTP traffic. But some calls are authed (dashboard test-runs, API-key invocations) and v1.1.x services will want to see the caller via `cx.principal` for audit / authz once those features land. - New manager-core::attach_principal_if_present middleware. Always inserts Extension<Option<Principal>>: Some on resolved bearer/cookie, None on absent or malformed token. Fail-open on DB blip so a transient infra failure can't 500 anonymous traffic. - Wired in picloud build_app, scoped to the data-plane and user-routes routers only. The admin path keeps using require_authenticated; no double-resolve on the same token. - orchestrator-core handlers (execute_by_id, user_route_handler) now extract Extension<Option<Principal>> and pass it to build_exec_request. Replaces the temporary `None` placeholders from the previous commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 18:53:27 +02:00
parent dea776b2a3
commit 902dd78027
4 changed files with 70 additions and 18 deletions
--- a/crates/manager-core/src/lib.rs
+++ b/crates/manager-core/src/lib.rs
@@ -59,8 +59,8 @@ pub use auth_bootstrap::{
 };
 #[allow(deprecated)]
 pub use auth_middleware::{
-    require_admin, require_authenticated, AuthState, AuthedAdmin, API_KEY_PREFIX,
-    API_KEY_PREFIX_LEN, SESSION_COOKIE,
+    attach_principal_if_present, require_admin, require_authenticated, AuthState, AuthedAdmin,
+    API_KEY_PREFIX, API_KEY_PREFIX_LEN, SESSION_COOKIE,
 };
 pub use authz::{can, require, AuthzDenied, AuthzError, AuthzRepo, Capability, Decision};
 pub use log_sink::PostgresExecutionLogSink;