Summary
Turn the mock client-cert auth into a real one. In live/live-auth the AuthProvider calls the manager's WhoAmI and renders the verified operator (cn/serial/level); mock keeps the dev stub. Adds a denied state when no valid operator certificate is presented, and sends credentials on the fleet client so the browser presents its client cert.
Motivation
Slice A of productionize: the manager now serves mTLS client-cert auth and exposes WhoAmI (CryptOS-PKI/api#43, manager #17). The browser cannot read its own installed client cert, so the web reads the verified identity/level from the manager.
Scope
Operator gains level (viewer|operator|admin); AuthStatus gains denied.
- AuthProvider calls
fleetClient().whoAmI({}) in live/live-auth; keeps the 600ms stub in mock.
- Auth gate renders a denied screen.
- Fleet client transport sends
credentials: include.
- Refresh the vendored
fleet_pb.ts from the merged api (adds the whoAmI client method).
Summary
Turn the mock client-cert auth into a real one. In live/live-auth the AuthProvider calls the manager's
WhoAmIand renders the verified operator (cn/serial/level); mock keeps the dev stub. Adds a denied state when no valid operator certificate is presented, and sends credentials on the fleet client so the browser presents its client cert.Motivation
Slice A of productionize: the manager now serves mTLS client-cert auth and exposes
WhoAmI(CryptOS-PKI/api#43, manager #17). The browser cannot read its own installed client cert, so the web reads the verified identity/level from the manager.Scope
Operatorgainslevel(viewer|operator|admin);AuthStatusgainsdenied.fleetClient().whoAmI({})in live/live-auth; keeps the 600ms stub in mock.credentials: include.fleet_pb.tsfrom the merged api (adds thewhoAmIclient method).