Same locale-prefix 404 fix as gscAdmin: kit AdminShell no longer
prepends /{locale} to internal URLs, since gscMy's app tree has no
[locale] segment.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The kit's AdminShell resolves DbMenuItem.translationKey via
next-intl. gscMy's i18n config has a getMessageFallback that
returns the key verbatim when no translation exists, so passing
the legacy human-readable name ("Dashboard", "Profile", …) as
the translationKey makes the sidebar render correctly without
needing new translations.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The kit's session.user.id is a NextAuth UUID — opaque, per-session
plumbing. The canonical cross-service identity is the FreeIPA uid
exposed as `gscSid` in the kit session. Grants written by gscMy
must use that key so gscAdmin's authz lookup (which uses the
same gscSID-as-key convention) hits them.
- All /api/pam/* routes now require `user.gscSid` instead of `user.id`
- authz.hasRole/requireRole/hasAnyRole take `{gscSid,roles}` shape
- whoami debug endpoint now shows gscSid for verification
- New helper src/lib/session-helpers.ts:getGscsid() for callers
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Temporary endpoint to verify what `realm_access.roles` Keycloak puts
into the access token vs. what NextAuth lands in session.user.roles.
Remove once the eligibility plumbing is confirmed working.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Without it, NextAuth's Keycloak issuer-discovery fetch goes direct
and Calico default-deny drops it → /access-denied?error=Configuration.
EnvHttpProxyAgent reads HTTP(S)_PROXY at startup.
Mirrors gscAdmin/src/instrumentation.ts. + undici ^6.25.0.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Initial commit for gscMy carved out as its own repo (was tracked
loosely under the monorepo's web/ which is gitignored).
What this contains:
- Auth: next-auth v5 via @gsc/web-kit createAuth (Keycloak only,
identity sourced from claims, no admin.users writes)
- Chrome: @gsc/web-kit AdminShell — replaces the legacy MyShell.
Sidebar JSON config carried over and mapped to DbMenuItem.
- Middleware: createAuthMiddleware. Public: /access-denied,
/auth/keycloak, /signed-out, /api/health, /api/pam/approve.
- RP-initiated signout at /api/auth/signout → Keycloak end_session →
/signed-out (mirrors gscAdmin).
- Phosphor-iconned access-denied + signed-out landing pages.
PAM/JIT request flow (ported from gscAdmin's pre-strip git history):
- /access page (Active + Eligible tables, request modal with
duration slider + justification + optional MFA)
- API: /api/pam/{eligible, active, audit, request, approve/:token,
revoke/:id}
- src/lib/{authz, pam, pam-mail, pam-mfa}.ts — same files as
gscAdmin had before the strip. PAM tables (admin.privilege_*)
are shared with gscAdmin; gscMy uses the same Prisma model defs.
- Top-bar widget shows active grants with countdown + revoke.
Build/Deploy: Dockerfile (monorepo-root context), k8s manifests for
my.gosec.internal, self-signed TLS placeholder, DNS A record.
Keycloak gsc-my client extended to include my.gosec.internal/* in
redirect_uris + web_origins.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
