CLAUDE.md

# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## Project

Cameleer SaaS — multi-tenant SaaS platform wrapping the Cameleer observability stack (Java agent + server) for Apache Camel applications. Customers get managed observability for their Camel integrations without running infrastructure.

## Ecosystem

This repo is the SaaS layer on top of two proven components:

- **cameleer3** (sibling repo) — Java agent using ByteBuddy for zero-code instrumentation of Camel apps. Captures route executions, processor traces, payloads, metrics, and route graph topology. Deploys as `-javaagent` JAR.
- **cameleer3-server** (sibling repo) — Spring Boot observability backend. Receives agent data via HTTP, pushes config/commands via SSE. PostgreSQL + OpenSearch storage. React SPA dashboard. JWT auth with Ed25519 config signing.
- **cameleer-website** — Marketing site (Astro 5)
- **design-system** — Shared React component library (`@cameleer/design-system` on Gitea npm registry)

Agent-server protocol is defined in `cameleer3/cameleer3-common/PROTOCOL.md`. The agent and server are mature, proven components — this repo wraps them with multi-tenancy, billing, and self-service onboarding.

## Architecture Context

The existing cameleer3-server already has single-tenant auth (JWT, RBAC, bootstrap tokens, OIDC). The SaaS layer must:
- Add multi-tenancy (tenant isolation of agent data, diagrams, configs)
- Provide self-service signup, billing, and team management
- Generate per-tenant bootstrap tokens for agent registration
- Proxy or federate access to tenant-specific cameleer3-server instances
- Enforce usage quotas and metered billing

### Routing (single-domain, path-based via Traefik)

All services on one hostname. Two env vars control everything: `PUBLIC_HOST` + `PUBLIC_PROTOCOL`.

| Path | Target | Notes |
|------|--------|-------|
| `/platform/*` | cameleer-saas:8080 | SPA + API (`server.servlet.context-path: /platform`) |
| `/server/*` | cameleer3-server-ui:80 | Server dashboard (strip-prefix + `BASE_PATH=/server`) |
| `/` | redirect → `/platform/` | Via `docker/traefik-dynamic.yml` |
| `/*` (catch-all) | cameleer-logto:3001 (priority=1) | Custom sign-in UI, OIDC, interaction |

- SPA assets at `/_app/` (Vite `assetsDir: '_app'`) to avoid conflict with Logto's `/assets/`
- Logto `ENDPOINT` = `${PUBLIC_PROTOCOL}://${PUBLIC_HOST}` (same domain, same origin)
- TLS: self-signed cert init container (`traefik-certs`) for dev, ACME for production
- Root `/` → `/platform/` redirect via Traefik file provider (`docker/traefik-dynamic.yml`)
- LoginPage auto-redirects to Logto OIDC (no intermediate button)

### Custom sign-in UI (`ui/sign-in/`)

Separate Vite+React SPA replacing Logto's default sign-in page. Visually matches cameleer3-server LoginPage.

- Built as custom Logto Docker image (`cameleer-logto`): `ui/sign-in/Dockerfile` = node build stage + `FROM ghcr.io/logto-io/logto:latest` + COPY dist over `/etc/logto/packages/experience/dist/`
- Uses `@cameleer/design-system` components (Card, Input, Button, FormField, Alert)
- Authenticates via Logto Experience API (4-step: init → verify password → identify → submit → redirect)
- `CUSTOM_UI_PATH` env var does NOT work for Logto OSS — must volume-mount or replace the experience dist directory
- Favicon bundled in `ui/sign-in/public/favicon.svg` (served by Logto, not SaaS)

### Auth enforcement

- All API endpoints enforce OAuth2 scopes via `@PreAuthorize("hasAuthority('SCOPE_xxx')")` annotations
- Tenant isolation enforced by `TenantIsolationInterceptor` (a single `HandlerInterceptor` on `/api/**` that resolves JWT org_id to TenantContext and validates `{tenantId}`, `{environmentId}`, `{appId}` path variables; fail-closed, platform admins bypass)
- 13 OAuth2 scopes on the Logto API resource (`https://api.cameleer.local`): 10 platform scopes + 3 server scopes (`server:admin`, `server:operator`, `server:viewer`), served to the frontend from `GET /platform/api/config`
- Server scopes map to server RBAC roles via JWT `scope` claim (server reads `rolesClaim: "scope"`)
- Org role `admin` gets `server:admin`, org role `member` gets `server:viewer`
- Custom `JwtDecoder` in `SecurityConfig.java` — ES384 algorithm, `at+jwt` token type, split issuer-uri (string validation) / jwk-set-uri (Docker-internal fetch), audience validation (`https://api.cameleer.local`)

### Server integration (cameleer3-server env vars)

| Env var | Value | Purpose |
|---------|-------|---------|
| `CAMELEER_OIDC_ISSUER_URI` | `${PUBLIC_PROTOCOL}://${PUBLIC_HOST}/oidc` | Token issuer claim validation |
| `CAMELEER_OIDC_JWK_SET_URI` | `http://logto:3001/oidc/jwks` | Docker-internal JWK fetch |
| `CAMELEER_OIDC_TLS_SKIP_VERIFY` | `true` | Skip cert verify for OIDC discovery (dev only — disable in production) |
| `CAMELEER_CORS_ALLOWED_ORIGINS` | `${PUBLIC_PROTOCOL}://${PUBLIC_HOST}` | Allow browser requests through Traefik |
| `BASE_PATH` (server-ui) | `/server` | React Router basename + `<base>` tag |

### Bootstrap (`docker/logto-bootstrap.sh`)

Idempotent script run via `logto-bootstrap` init container. Phases:
1. Wait for Logto + server health
2. Get Management API token (reads `m-default` secret from DB)
3. Create Logto apps (SPA, Traditional with `skipConsent`, M2M with Management API role)
3b. Create API resource scopes (10 platform + 3 server scopes)
4. Create roles (platform-admin, org admin/member with API resource scope assignments)
5. Create users (SaaS admin with platform-admin role + Logto console access, tenant admin)
6. Create organization, add users with org roles
7. Configure cameleer3-server OIDC (`rolesClaim: "scope"`, `audience`, `defaultRoles: ["VIEWER"]`)
8. Configure Logto sign-in branding (Cameleer colors `#C6820E`/`#D4941E`, logo from `/platform/logo.svg`)
9. Cleanup seeded Logto apps
10. Write bootstrap results to `/data/logto-bootstrap.json`

SaaS admin credentials (`SAAS_ADMIN_USER`/`SAAS_ADMIN_PASS`) work for both the SaaS platform and the Logto console (port 3002).

## Related Conventions

- Gitea-hosted: `gitea.siegeln.net/cameleer/`
- CI: `.gitea/workflows/` — Gitea Actions
- K8s target: k3s cluster at 192.168.50.86
- Docker images: CI builds and pushes all images — Dockerfiles use multi-stage builds, no local builds needed
  - `cameleer-saas` — SaaS app (frontend + JAR baked in)
  - `cameleer-logto` — custom Logto with sign-in UI baked in
- Docker builds: `--no-cache`, `--provenance=false` for Gitea compatibility
- `docker-compose.dev.yml` — exposes ports for direct access, sets `SPRING_PROFILES_ACTIVE: dev`. No volume mounts — all artifacts come from CI-built images
- Design system: import from `@cameleer/design-system` (Gitea npm registry)

## Disabled Skills

- Do NOT use any `gsd:*` skills in this project. This includes all `/gsd:` prefixed commands.
Add moat-strengthening features design spec Comprehensive design document for three defensibility features: - Live Route Debugger (replay-based, zero production impact) - Payload Flow Lineage (targeted per-processor capture + diff) - Cross-Service Trace Correlation + Topology Map (network effect) Gitea issues: cameleer/cameleer3 #57-#72 (MOAT label) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-29 16:14:04 +02:00			`# CLAUDE.md`

			`This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.`

			`## Project`

			`Cameleer SaaS — multi-tenant SaaS platform wrapping the Cameleer observability stack (Java agent + server) for Apache Camel applications. Customers get managed observability for their Camel integrations without running infrastructure.`

			`## Ecosystem`

			`This repo is the SaaS layer on top of two proven components:`

			- cameleer3 (sibling repo) — Java agent using ByteBuddy for zero-code instrumentation of Camel apps. Captures route executions, processor traces, payloads, metrics, and route graph topology. Deploys as `-javaagent` JAR.
			`- cameleer3-server (sibling repo) — Spring Boot observability backend. Receives agent data via HTTP, pushes config/commands via SSE. PostgreSQL + OpenSearch storage. React SPA dashboard. JWT auth with Ed25519 config signing.`
			`- cameleer-website — Marketing site (Astro 5)`
			- design-system — Shared React component library (`@cameleer/design-system` on Gitea npm registry)

			Agent-server protocol is defined in `cameleer3/cameleer3-common/PROTOCOL.md`. The agent and server are mature, proven components — this repo wraps them with multi-tenancy, billing, and self-service onboarding.

			`## Architecture Context`

			`The existing cameleer3-server already has single-tenant auth (JWT, RBAC, bootstrap tokens, OIDC). The SaaS layer must:`
			`- Add multi-tenancy (tenant isolation of agent data, diagrams, configs)`
			`- Provide self-service signup, billing, and team management`
			`- Generate per-tenant bootstrap tokens for agent registration`
			`- Proxy or federate access to tenant-specific cameleer3-server instances`
			`- Enforce usage quotas and metered billing`

docs: update architecture docs for single-domain /platform routing Reflects current state: path-based routing, SaaS at /platform, Logto catch-all, TLS init container, server integration env vars, custom JwtDecoder for ES384, skip consent for SSO. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 09:43:14 +02:00			`### Routing (single-domain, path-based via Traefik)`

			All services on one hostname. Two env vars control everything: `PUBLIC_HOST` + `PUBLIC_PROTOCOL`.

			`\| Path \| Target \| Notes \|`
			`\|------\|--------\|-------\|`
			\| `/platform/*` \| cameleer-saas:8080 \| SPA + API (`server.servlet.context-path: /platform`) \|
			\| `/server/*` \| cameleer3-server-ui:80 \| Server dashboard (strip-prefix + `BASE_PATH=/server`) \|
			\| `/` \| redirect → `/platform/` \| Via `docker/traefik-dynamic.yml` \|
docs: update architecture for custom sign-in UI and CI pipeline - CLAUDE.md: add custom sign-in UI section, update routing table, document auto-redirect, CI-built images, no local builds, dev override without volume mounts - Design spec: reflect final implementation — custom Logto image, no CUSTOM_UI_PATH, no init containers, bundled favicon Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 16:29:37 +02:00			\| `/*` (catch-all) \| cameleer-logto:3001 (priority=1) \| Custom sign-in UI, OIDC, interaction \|
docs: update architecture docs for single-domain /platform routing Reflects current state: path-based routing, SaaS at /platform, Logto catch-all, TLS init container, server integration env vars, custom JwtDecoder for ES384, skip consent for SSO. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 09:43:14 +02:00
			- SPA assets at `/_app/` (Vite `assetsDir: '_app'`) to avoid conflict with Logto's `/assets/`
			- Logto `ENDPOINT` = `${PUBLIC_PROTOCOL}://${PUBLIC_HOST}` (same domain, same origin)
			- TLS: self-signed cert init container (`traefik-certs`) for dev, ACME for production
			- Root `/` → `/platform/` redirect via Traefik file provider (`docker/traefik-dynamic.yml`)
docs: update architecture for custom sign-in UI and CI pipeline - CLAUDE.md: add custom sign-in UI section, update routing table, document auto-redirect, CI-built images, no local builds, dev override without volume mounts - Design spec: reflect final implementation — custom Logto image, no CUSTOM_UI_PATH, no init containers, bundled favicon Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 16:29:37 +02:00			`- LoginPage auto-redirects to Logto OIDC (no intermediate button)`

			### Custom sign-in UI (`ui/sign-in/`)

			`Separate Vite+React SPA replacing Logto's default sign-in page. Visually matches cameleer3-server LoginPage.`

			- Built as custom Logto Docker image (`cameleer-logto`): `ui/sign-in/Dockerfile` = node build stage + `FROM ghcr.io/logto-io/logto:latest` + COPY dist over `/etc/logto/packages/experience/dist/`
			- Uses `@cameleer/design-system` components (Card, Input, Button, FormField, Alert)
			`- Authenticates via Logto Experience API (4-step: init → verify password → identify → submit → redirect)`
			- `CUSTOM_UI_PATH` env var does NOT work for Logto OSS — must volume-mount or replace the experience dist directory
			- Favicon bundled in `ui/sign-in/public/favicon.svg` (served by Logto, not SaaS)
docs: update architecture docs for single-domain /platform routing Reflects current state: path-based routing, SaaS at /platform, Logto catch-all, TLS init container, server integration env vars, custom JwtDecoder for ES384, skip consent for SSO. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 09:43:14 +02:00
			`### Auth enforcement`

feat: auth hardening — scope enforcement, tenant isolation, and docs Add @PreAuthorize annotations to all API controllers (14 endpoints across 6 controllers) enforcing OAuth2 scopes: apps:manage, apps:deploy, billing:manage, observe:read, platform:admin. Enforce tenant isolation: TenantResolutionFilter now rejects cross-tenant access on /api/tenants/{id}/* paths. New TenantOwnershipValidator checks environment/app ownership for paths without tenantId. Platform admins bypass both layers. Fix frontend: OrgResolver split into two useEffect hooks so scopes refresh on org switch. Scopes now served from /api/config (single source of truth). Bootstrap cleaned — standalone org permissions removed. Update docs/architecture.md, docs/user-manual.md, and CLAUDE.md to reflect all auth hardening changes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 15:32:53 +02:00			- All API endpoints enforce OAuth2 scopes via `@PreAuthorize("hasAuthority('SCOPE_xxx')")` annotations
refactor: merge tenant isolation into single HandlerInterceptor Replace TenantResolutionFilter + TenantOwnershipValidator (15 manual calls across 5 controllers) with a single TenantIsolationInterceptor that uses Spring HandlerMapping path variables for fail-closed tenant isolation. New endpoints with {tenantId}, {environmentId}, or {appId} path variables are automatically isolated without manual code. Simplify OrgResolver from dual-token fetch to single token — Logto merges all scopes into either token type. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 15:48:04 +02:00			- Tenant isolation enforced by `TenantIsolationInterceptor` (a single `HandlerInterceptor` on `/api/**` that resolves JWT org_id to TenantContext and validates `{tenantId}`, `{environmentId}`, `{appId}` path variables; fail-closed, platform admins bypass)
docs: update architecture with bootstrap phases, scopes, branding - CLAUDE.md: add bootstrap phase listing, document 13 scopes (10 platform + 3 server), server role mapping via scope claim, admin console access, sign-in branding - Mark server-role-mapping and logto-admin-branding specs as implemented Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 10:46:39 +02:00			- 13 OAuth2 scopes on the Logto API resource (`https://api.cameleer.local`): 10 platform scopes + 3 server scopes (`server:admin`, `server:operator`, `server:viewer`), served to the frontend from `GET /platform/api/config`
			- Server scopes map to server RBAC roles via JWT `scope` claim (server reads `rolesClaim: "scope"`)
			- Org role `admin` gets `server:admin`, org role `member` gets `server:viewer`
fix: security hardening — remove dead routes, add JWT audience validation - Remove broken observe/dashboard Traefik routes (server accessed via /server only) - Remove unused acme volume - Add JWT audience claim validation (https://api.cameleer.local) in SecurityConfig - Secure bootstrap output file with chmod 600 - Add dev-only comments on TLS_SKIP_VERIFY and credential logging Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 19:15:03 +02:00			- Custom `JwtDecoder` in `SecurityConfig.java` — ES384 algorithm, `at+jwt` token type, split issuer-uri (string validation) / jwk-set-uri (Docker-internal fetch), audience validation (`https://api.cameleer.local`)
docs: update architecture docs for single-domain /platform routing Reflects current state: path-based routing, SaaS at /platform, Logto catch-all, TLS init container, server integration env vars, custom JwtDecoder for ES384, skip consent for SSO. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 09:43:14 +02:00
			`### Server integration (cameleer3-server env vars)`

			`\| Env var \| Value \| Purpose \|`
			`\|---------\|-------\|---------\|`
			\| `CAMELEER_OIDC_ISSUER_URI` \| `${PUBLIC_PROTOCOL}://${PUBLIC_HOST}/oidc` \| Token issuer claim validation \|
			\| `CAMELEER_OIDC_JWK_SET_URI` \| `http://logto:3001/oidc/jwks` \| Docker-internal JWK fetch \|
fix: security hardening — remove dead routes, add JWT audience validation - Remove broken observe/dashboard Traefik routes (server accessed via /server only) - Remove unused acme volume - Add JWT audience claim validation (https://api.cameleer.local) in SecurityConfig - Secure bootstrap output file with chmod 600 - Add dev-only comments on TLS_SKIP_VERIFY and credential logging Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 19:15:03 +02:00			\| `CAMELEER_OIDC_TLS_SKIP_VERIFY` \| `true` \| Skip cert verify for OIDC discovery (dev only — disable in production) \|
docs: update architecture docs for single-domain /platform routing Reflects current state: path-based routing, SaaS at /platform, Logto catch-all, TLS init container, server integration env vars, custom JwtDecoder for ES384, skip consent for SSO. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 09:43:14 +02:00			\| `CAMELEER_CORS_ALLOWED_ORIGINS` \| `${PUBLIC_PROTOCOL}://${PUBLIC_HOST}` \| Allow browser requests through Traefik \|
			\| `BASE_PATH` (server-ui) \| `/server` \| React Router basename + `<base>` tag \|
feat: auth hardening — scope enforcement, tenant isolation, and docs Add @PreAuthorize annotations to all API controllers (14 endpoints across 6 controllers) enforcing OAuth2 scopes: apps:manage, apps:deploy, billing:manage, observe:read, platform:admin. Enforce tenant isolation: TenantResolutionFilter now rejects cross-tenant access on /api/tenants/{id}/* paths. New TenantOwnershipValidator checks environment/app ownership for paths without tenantId. Platform admins bypass both layers. Fix frontend: OrgResolver split into two useEffect hooks so scopes refresh on org switch. Scopes now served from /api/config (single source of truth). Bootstrap cleaned — standalone org permissions removed. Update docs/architecture.md, docs/user-manual.md, and CLAUDE.md to reflect all auth hardening changes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-05 15:32:53 +02:00
docs: update architecture with bootstrap phases, scopes, branding - CLAUDE.md: add bootstrap phase listing, document 13 scopes (10 platform + 3 server), server role mapping via scope claim, admin console access, sign-in branding - Mark server-role-mapping and logto-admin-branding specs as implemented Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 10:46:39 +02:00			### Bootstrap (`docker/logto-bootstrap.sh`)

			Idempotent script run via `logto-bootstrap` init container. Phases:
			`1. Wait for Logto + server health`
			2. Get Management API token (reads `m-default` secret from DB)
			3. Create Logto apps (SPA, Traditional with `skipConsent`, M2M with Management API role)
			`3b. Create API resource scopes (10 platform + 3 server scopes)`
			`4. Create roles (platform-admin, org admin/member with API resource scope assignments)`
			`5. Create users (SaaS admin with platform-admin role + Logto console access, tenant admin)`
			`6. Create organization, add users with org roles`
			7. Configure cameleer3-server OIDC (`rolesClaim: "scope"`, `audience`, `defaultRoles: ["VIEWER"]`)
			8. Configure Logto sign-in branding (Cameleer colors `#C6820E`/`#D4941E`, logo from `/platform/logo.svg`)
			`9. Cleanup seeded Logto apps`
			10. Write bootstrap results to `/data/logto-bootstrap.json`

			SaaS admin credentials (`SAAS_ADMIN_USER`/`SAAS_ADMIN_PASS`) work for both the SaaS platform and the Logto console (port 3002).

Add moat-strengthening features design spec Comprehensive design document for three defensibility features: - Live Route Debugger (replay-based, zero production impact) - Payload Flow Lineage (targeted per-processor capture + diff) - Cross-Service Trace Correlation + Topology Map (network effect) Gitea issues: cameleer/cameleer3 #57-#72 (MOAT label) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-29 16:14:04 +02:00			`## Related Conventions`

			- Gitea-hosted: `gitea.siegeln.net/cameleer/`
			- CI: `.gitea/workflows/` — Gitea Actions
			`- K8s target: k3s cluster at 192.168.50.86`
docs: update architecture for custom sign-in UI and CI pipeline - CLAUDE.md: add custom sign-in UI section, update routing table, document auto-redirect, CI-built images, no local builds, dev override without volume mounts - Design spec: reflect final implementation — custom Logto image, no CUSTOM_UI_PATH, no init containers, bundled favicon Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-06 16:29:37 +02:00			`- Docker images: CI builds and pushes all images — Dockerfiles use multi-stage builds, no local builds needed`
			- `cameleer-saas` — SaaS app (frontend + JAR baked in)
			- `cameleer-logto` — custom Logto with sign-in UI baked in
			- Docker builds: `--no-cache`, `--provenance=false` for Gitea compatibility
			- `docker-compose.dev.yml` — exposes ports for direct access, sets `SPRING_PROFILES_ACTIVE: dev`. No volume mounts — all artifacts come from CI-built images
Add moat-strengthening features design spec Comprehensive design document for three defensibility features: - Live Route Debugger (replay-based, zero production impact) - Payload Flow Lineage (targeted per-processor capture + diff) - Cross-Service Trace Correlation + Topology Map (network effect) Gitea issues: cameleer/cameleer3 #57-#72 (MOAT label) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-29 16:14:04 +02:00			- Design system: import from `@cameleer/design-system` (Gitea npm registry)

			`## Disabled Skills`

			- Do NOT use any `gsd:*` skills in this project. This includes all `/gsd:` prefixed commands.