KES Auth Path Status
Token Acquisition Method
The canonical repo auth fixture remains the existing dev impersonation flow:
POST /auth/dev/impersonate
Loading module
Resolving locale, route permissions, and workspace projection.
Resolving locale, route permissions, and workspace projection.
Current scope: Guest
Category: 10_normative | Version: v1.0.0
Owner: DOCUMENT_CUSTODIAN | Review cycle: 90 days
Approval authority: GOVERNANCE_ADMIN
Documentation portal is read-only. Editing and mutation endpoints are disabled.
Kvary platform is originally created in Georgian. Where a Georgian version exists, Georgian is authoritative for platform UI, documentation, and legal interpretation.
Translations into other languages are provided for convenience. Some records may originate in other languages and carry their own source or legal locale for a specific flow, but where a Georgian version is available, the Georgian version prevails for platform-level wording and interpretation.
Metadata incomplete: Document ID, Version, Status, Owner Role, Last Review Date, Next Review Date, Change Log
The canonical repo auth fixture remains the existing dev impersonation flow:
POST /auth/dev/impersonatePOST /api/v1/auth/dev/impersonateThis sprint confirmed that this is still the intended token-acquisition method for dev happy-path checks.
In this Docker rehearsal environment, full svc-auth could not be used because it still fails to boot cleanly with the pre-existing native sharp linux runtime mismatch. Because of that, the working parity check used a contract-compatible access token fixture:
JWT_SECRETGateway behavior is unchanged.
requireGatewayAuth(...) in middleware.ts:
/auth/meConfirmed outcomes:
401 missing_bearer_token401 invalid_access_tokenKES host behavior is unchanged.
buildRequireServiceAuth(...) in auth.ts:
/auth/meThis sprint clarified the earlier failure stage:
401 invalid_access_token happened before /auth/meIn the isolated rehearsal stack, /auth/me was provided by the already-running contract-compatible auth stub from Sprint 93 because full svc-auth remained unavailable in this container environment.
Correct direct service mutation path:
/kes-orchestrator/process-mapCorrect gateway mutation path:
/api/v1/kes/orchestrator/process-mapThe earlier temporary API 404 is now classified precisely:
/api/v1KES mutation auth path is working for the checked first-cut runtime surface.
Confirmed with authenticated happy-path checks:
svc-kes hostNo KES-specific HTTP auth-path blocker remains for the checked routes.
The remaining auth caveat is environmental:
svc-auth was still unavailable in this Docker setup because of the existing native sharp runtime mismatchThat caveat does not look like a KES runtime drift issue.