domverse 5d589915f7 fix: split LAPI auth — bouncer key for read, machine JWT for delete ...

LAPI does not let machine JWTs hit GET /v1/decisions even after the machine
is validated (returns 403 access forbidden). Conversely, bouncer X-Api-Key
does not satisfy DELETE /v1/decisions (returns 401 "cookie token is empty").

The webapp now holds both credentials and routes each call to the right
authority. Adds LAPI_BOUNCER_KEY env var + Gitea secret.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-06-16 23:58:20 +02:00

2.4 KiB

Raw Blame History

View Raw