
debug(policy): emit [PolicyTrace USE] from /committed/:roleId endpoint#44

Open: sashyo wants to merge 1 commit into main from debug/policy-trace-on-committed

Conversation

sashyo (Owner) commented May 20, 2026

Summary

After PR #42 the SSH connect path fetches via the gateway-qualified /api/ssh-policies/committed/:roleId endpoint, but the [PolicyTrace USE] log was only on the legacy /for-ssh-user/:sshUser route. So fresh round-trips after #42 produce no server-side USE line to compare against SIGN/ATTACH — making it impossible to confirm bytes match end-to-end with logs alone.

Add the same trace to the new endpoint.

Test plan

  • Deploy keylessh web app
  • Connect SSH (gateway-qualified role) — confirm all three traces now appear and match:
    [PolicyTrace SIGN]   role=ssh:Tide-GW:My Server:demo dtv_sha=…
    [PolicyTrace USE]    role=ssh:Tide-GW:My Server:demo dtv_sha=…  ← new
    [PolicyTrace ATTACH] role=ssh:Tide-GW:My Server:demo dtv_sha=…
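The test plan above asks the reviewer to eyeball three log lines and confirm the dtv_sha values agree. The following is an added example, not code from the keylessh project, showing how that check can be automated over captured log output: it parses lines in the [PolicyTrace STAGE] format quoted in the PR, groups them by role, and reports for each role whether SIGN, USE and ATTACH are all present and carry the same dtv_sha. The log lines and hashes in SAMPLE_LOG are constructed placeholders; the second role deliberately lacks a USE line, which is the pre-fix symptom the PR describes.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the [PolicyTrace ...] shape quoted in the PR.
# The dtv_sha values are made-up placeholders, not hashes from the project.
SAMPLE_LOG = """\
[PolicyTrace SIGN]   role=ssh:Tide-GW:My Server:demo dtv_sha=aaaa1111
[PolicyTrace USE]    role=ssh:Tide-GW:My Server:demo dtv_sha=aaaa1111
[PolicyTrace ATTACH] role=ssh:Tide-GW:My Server:demo dtv_sha=aaaa1111
[PolicyTrace SIGN]   role=ssh:Tide-GW:Other Host:ops dtv_sha=bbbb2222
[PolicyTrace ATTACH] role=ssh:Tide-GW:Other Host:ops dtv_sha=bbbb2222
[PolicyTrace SIGN]   role=ssh:Tide-GW:Third:dev dtv_sha=cccc3333
[PolicyTrace USE]    role=ssh:Tide-GW:Third:dev dtv_sha=dddd4444
[PolicyTrace ATTACH] role=ssh:Tide-GW:Third:dev dtv_sha=cccc3333
"""

# The three stages a single policy round-trip is expected to log.
STAGES = ("SIGN", "USE", "ATTACH")

# The role field may contain spaces ("My Server"), so match it lazily up to the
# whitespace that precedes "dtv_sha=".
TRACE_RE = re.compile(
    r"^\[PolicyTrace (?P<stage>SIGN|USE|ATTACH)\]\s+"
    r"role=(?P<role>.+?)\s+dtv_sha=(?P<sha>\S+)\s*$"
)


def parse_traces(log_text):
    """Return {role: {stage: [dtv_sha, ...]}} for every PolicyTrace line.

    Lines that are not PolicyTrace entries are ignored, so the function can be
    fed a whole server log rather than a pre-filtered excerpt.
    """
    traces = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = TRACE_RE.match(line)
        if m is None:
            continue
        traces[m["role"]][m["stage"]].append(m["sha"])
    return traces


def check_round_trip(traces):
    """Classify each role as 'ok', 'missing:<stages>' or 'mismatch'.

    'missing:USE' is exactly the gap this PR closes: SIGN and ATTACH were
    logged but no server-side USE line existed to compare them against.
    'mismatch' means all three stages exist but the dtv_sha values differ,
    i.e. the bytes did not survive the round-trip unchanged.
    """
    results = {}
    for role, by_stage in traces.items():
        missing = [s for s in STAGES if s not in by_stage]
        if missing:
            results[role] = "missing:" + ",".join(missing)
            continue
        shas = {sha for s in STAGES for sha in by_stage[s]}
        results[role] = "ok" if len(shas) == 1 else "mismatch"
    return results


if __name__ == "__main__":
    for role, verdict in sorted(check_round_trip(parse_traces(SAMPLE_LOG)).items()):
        print(f"{verdict:<14} {role}")
```

Running it on a real log after deploying this PR should yield only "ok" verdicts for fresh connections; a "missing:USE" verdict on a gateway-qualified role would indicate the new endpoint is still not emitting the trace.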
    

…endpoint too

After PR #42 the client fetches via /api/ssh-policies/committed/:roleId
instead of the legacy /for-ssh-user/. The USE trace was only on the
legacy endpoint, so a fresh round-trip after #42 produced no server-side
USE line to compare against SIGN/ATTACH. Add the same trace to the new
endpoint so all three logs appear on every fetch.
