Goal
Implement the authentication layer for the operator dashboard, supporting both Tailscale-based auth and shared-secret auth, with proper binding and audit trail integration.
Success Criteria
- New orchestrator/dashboard/auth.py module with two configurable backends (tailscale, shared_secret)
  - tailscale backend reads the Tailscale-User-Login header and validates it against the dashboard_allowed_users allowlist
  - shared_secret backend validates bearer tokens in the Authorization header
- Read endpoints accessible without auth only when bound to 127.0.0.1
- Write endpoints always require authentication
- Bind address configurable (default 127.0.0.1), with validation that a non-127.0.0.1 binding requires an auth backend
- All authenticated write actions logged to audit trail with {actor, action, payload, ts}
- Startup fails if non-127.0.0.1 binding is configured without a valid auth backend
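The criteria above, worked through as an added example (a hypothetical sketch, not the project's own orchestrator/dashboard/auth.py): startup validation of the bind address, both backends, and the read/write policy with audit recording, in plain Python with no web framework. DashboardConfig, validate_config, authenticate and authorize are assumed names; the "shared-secret" actor label is an assumption too.

```python
# Hypothetical sketch of the policy above; not the project's orchestrator/dashboard/auth.py.
import hmac
import time
from dataclasses import dataclass
from typing import Optional

LOOPBACK = "127.0.0.1"
BACKENDS = ("tailscale", "shared_secret")

@dataclass
class DashboardConfig:
    bind_address: str = LOOPBACK
    auth_backend: Optional[str] = None  # "tailscale", "shared_secret" or None
    dashboard_allowed_users: frozenset = frozenset()
    shared_secret: Optional[str] = None

def validate_config(cfg: DashboardConfig) -> None:
    """Startup check: a non-loopback bind must come with a usable auth backend."""
    if cfg.bind_address != LOOPBACK and cfg.auth_backend not in BACKENDS:
        raise ValueError(f"bind {cfg.bind_address} requires auth_backend in {BACKENDS}")
    if cfg.auth_backend == "tailscale" and not cfg.dashboard_allowed_users:
        raise ValueError("tailscale backend needs a non-empty dashboard_allowed_users")
    if cfg.auth_backend == "shared_secret" and not cfg.shared_secret:
        raise ValueError("shared_secret backend needs a shared_secret")

def authenticate(cfg: DashboardConfig, headers: dict) -> Optional[str]:
    """Return the actor identity, or None when no valid credential is present."""
    if cfg.auth_backend == "tailscale":
        user = headers.get("Tailscale-User-Login")  # injected by the Tailscale proxy
        return user if user in cfg.dashboard_allowed_users else None
    if cfg.auth_backend == "shared_secret":
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # constant-time comparison on bytes so a wrong token leaks no timing signal
        expected = (cfg.shared_secret or "").encode()
        if scheme == "Bearer" and hmac.compare_digest(token.encode(), expected):
            return "shared-secret"  # assumed actor label for token-authenticated callers
    return None

def authorize(cfg: DashboardConfig, method: str, action: str, payload: dict,
              headers: dict, audit: list) -> bool:
    """Apply the read/write policy and record every permitted write in the audit trail."""
    actor = authenticate(cfg, headers)
    if method in ("GET", "HEAD"):  # reads are open only on loopback
        return actor is not None or cfg.bind_address == LOOPBACK
    if actor is None:  # writes always require authentication
        return False
    audit.append({"actor": actor, "action": action, "payload": payload, "ts": time.time()})
    return True
```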
Constraints
Part of #251
Re-queued Context
Last agent summary
Rendered prompt is 133369 bytes, exceeding the 100000-byte ceiling.
Blockers
- Prompt size 133369 bytes exceeds 100000-byte limit.
- Retrying with more prior-attempt context will not help; the task body itself must be trimmed.
Files changed