This repo had no version control prior to this commit. The import is a
straight snapshot of the working tree at 2026-05-03; the deployed
binary on fihelvop01 was being rebuilt from this source via `make build` + scp into place, with no upstream review path.
The snapshot already includes one in-flight fix made on 2026-05-03 to
internal/service/persona.go:GetSelfModel — the handler queried
`source` and `strength` columns plus an `is_active = true` filter on
persona.persona_commitments, none of which exist on that table (its
shape is session-bound commitments with `status`, `commitment_meta`,
etc.). The query returned a 500 every time SynapseHub bootstrapped a
persona's self-model, dropping the IdentityConstraints / Commitments /
ConscienceStandards layer from the assembled prompt. The patched
query reads existing columns only (commitment_text, commitment_type),
filters on `status='active'`, and synthesises Source="learned" /
Strength=1.0 to keep the SelfModel response shape stable for callers.
Verified live: `GET /api/v1/personas/70f7cfd9-.../self-model` now
returns 200 with `{identityConstraints:[],commitments:[],
conscienceStandards:[]}` instead of 500.
Future changes go through PRs against this repo — no more bin-only
deploys.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
package middleware
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"github.com/gofiber/fiber/v2"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
// JWTClaims contains extracted claims from the JWT
|
|
type JWTClaims struct {
|
|
Subject string `json:"sub"`
|
|
Email string `json:"email"`
|
|
Name string `json:"name"`
|
|
TenantID string `json:"tenantId"`
|
|
}
|
|
|
|
// JWTExtract extracts JWT claims from the Authorization header for audit context.
|
|
// This middleware does NOT validate the JWT — it only extracts claims.
|
|
// Authentication is handled by mTLS + API key. JWT is optional passthrough.
|
|
func JWTExtract() fiber.Handler {
|
|
return func(c *fiber.Ctx) error {
|
|
auth := c.Get("Authorization")
|
|
if auth == "" || !strings.HasPrefix(auth, "Bearer ") {
|
|
return c.Next()
|
|
}
|
|
|
|
tokenStr := strings.TrimPrefix(auth, "Bearer ")
|
|
|
|
// Parse without validation — we trust the API key for auth
|
|
parser := jwt.NewParser(jwt.WithoutClaimsValidation())
|
|
token, _, err := parser.ParseUnverified(tokenStr, jwt.MapClaims{})
|
|
if err != nil {
|
|
// Invalid JWT — ignore, not blocking
|
|
return c.Next()
|
|
}
|
|
|
|
claims, ok := token.Claims.(jwt.MapClaims)
|
|
if !ok {
|
|
return c.Next()
|
|
}
|
|
|
|
jwtClaims := &JWTClaims{}
|
|
if sub, ok := claims["sub"].(string); ok {
|
|
jwtClaims.Subject = sub
|
|
}
|
|
if email, ok := claims["email"].(string); ok {
|
|
jwtClaims.Email = email
|
|
}
|
|
if name, ok := claims["name"].(string); ok {
|
|
jwtClaims.Name = name
|
|
}
|
|
if tid, ok := claims["tenantId"].(string); ok {
|
|
jwtClaims.TenantID = tid
|
|
}
|
|
|
|
c.Locals("jwtClaims", jwtClaims)
|
|
return c.Next()
|
|
}
|
|
}
|
|
|
|
// GetJWTClaims retrieves JWT claims from context
|
|
func GetJWTClaims(c *fiber.Ctx) *JWTClaims {
|
|
if claims, ok := c.Locals("jwtClaims").(*JWTClaims); ok {
|
|
return claims
|
|
}
|
|
return nil
|
|
}
|
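Review bot: The struct stored under the `jwtClaims` local is filled from `parser.ParseUnverified`, so every field is whatever the client chose to put in an unsigned token, but neither `JWTClaims` nor `GetJWTClaims` says so; a downstream handler that reads `TenantID` for scoping rather than audit tagging would be trusting an unauthenticated assertion. Add to the type comment `// JWTClaims holds claims copied from an UNVERIFIED bearer token; use them for audit/log context only, never for authorization or tenant scoping.` and repeat the same caveat on `GetJWTClaims`. The `"jwtClaims"` key is a string literal in both functions; a package-level `const jwtClaimsKey = "jwtClaims"` keeps the writer and reader in sync. `jwt.WithoutClaimsValidation()` has no effect on `ParseUnverified`, which never validates claims, so either drop the option or add a comment saying it is kept deliberately. If these strings are emitted into audit logs, format them with `%q` so a crafted `name` or `email` cannot break a log record across lines.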