2026-02-21 20:56:41 +00:00
1 changed files with 34 additions and 0 deletions
--- a/docs/scratchpads/362-auth-session-chain-debug.md
+++ b/docs/scratchpads/362-auth-session-chain-debug.md
@@ -204,3 +204,37 @@ Files updated:

 - `apps/api/src/common/interceptors/rls-context.integration.spec.ts`
  - Updated integration expectations to `set_config(...)`.
+
+## Deploy + Verify (RLS fix commit `8424a28`)
+
+Pipeline and deploy sequence:
+
+1. Commit `8424a28` pushed to `develop`.
+2. Woodpecker pipeline `mosaic/stack#515` completed successfully.
+3. Host deploy actions on `10.1.1.90`:
+   - Ran `/home/localadmin/mosaic/pull_all.sh`
+   - Updated swarm services (`stack_api`, `stack_web`, `stack_coordinator`, `stack_orchestrator`) to `:dev`
+
+Observed issue after first restart:
+
+- Playwright still reproduced `/auth/session` `500` after Authentik callback.
+- `stack_api` logs still showed old RLS SQL failure (`SET LOCAL ... $1`), indicating runtime image drift/stale task.
+
+Resolution:
+
+1. Checked host image digest for API:
+   - `git.mosaicstack.dev/mosaic/stack-api:dev` -> `sha256:fd0cbfe053ed27945577553d67da5cbda0bf71610006e5ccc197d5761e29a220`
+2. Forced swarm API service to exact digest:
+   - `docker service update --with-registry-auth --image git.mosaicstack.dev/mosaic/stack-api@sha256:fd0cbfe053ed27945577553d67da5cbda0bf71610006e5ccc197d5761e29a220 stack_api`
+3. Verified new running task uses digest-pinned image.
+
+Final verification (Playwright MCP):
+
+- Login flow: `https://app.mosaicstack.dev/login` -> Authentik (`jarvis` / `jarvis`) -> redirect back to app.
+- Session endpoint: `GET https://api.mosaicstack.dev/auth/session` -> `200`.
+- App landed authenticated on `https://app.mosaicstack.dev/tasks` (not bounced to login).
+
+Status:
+
+- Auth chain is functioning end-to-end after digest-forced API rollout.
+- Remaining console noise observed: missing `favicon.ico` (`404`) on app domain (non-blocking for auth).