fix: persist environment in JWT claims for auto-heal recovery

Add 'env' claim to agent JWTs (set at registration, carried through refresh). Auto-heal on heartbeat/SSE now reads environment from the JWT instead of hardcoding 'default', so agents retain their correct environment after server restart. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 16:12:25 +02:00
parent 346e38ee1d
commit 72ec87a3ba
4 changed files with 36 additions and 21 deletions
--- a/cameleer3-server-core/src/main/java/com/cameleer3/server/core/security/JwtService.java
+++ b/cameleer3-server-core/src/main/java/com/cameleer3/server/core/security/JwtService.java
@@ -18,17 +18,17 @@ public interface JwtService {
     * @param application the {@code group} claim (application name)
     * @param roles       the {@code roles} claim (e.g. {@code ["AGENT"]}, {@code ["ADMIN"]})
     */
-    record JwtValidationResult(String subject, String application, List<String> roles) {}
+    record JwtValidationResult(String subject, String application, String environment, List<String> roles) {}

    /**
     * Creates a signed access JWT with the given subject, application, and roles.
     */
-    String createAccessToken(String subject, String application, List<String> roles);
+    String createAccessToken(String subject, String application, String environment, List<String> roles);

    /**
     * Creates a signed refresh JWT with the given subject, application, and roles.
     */
-    String createRefreshToken(String subject, String application, List<String> roles);
+    String createRefreshToken(String subject, String application, String environment, List<String> roles);

    /**
     * Validates an access token and returns the full validation result.
@@ -46,12 +46,20 @@ public interface JwtService {

    // --- Backward-compatible defaults (delegate to role-aware methods) ---

+    default String createAccessToken(String subject, String application, List<String> roles) {
+        return createAccessToken(subject, application, "default", roles);
+    }
+
    default String createAccessToken(String subject, String application) {
-        return createAccessToken(subject, application, List.of());
+        return createAccessToken(subject, application, "default", List.of());
+    }
+
+    default String createRefreshToken(String subject, String application, List<String> roles) {
+        return createRefreshToken(subject, application, "default", roles);
    }

    default String createRefreshToken(String subject, String application) {
-        return createRefreshToken(subject, application, List.of());
+        return createRefreshToken(subject, application, "default", List.of());
    }

    default String validateAndExtractAgentId(String token) {