feat(orchestrator): Proxmox BFF route (CF-Access service token proxy)

Adds a narrow, safelisted BFF surface so the Solace Bank Group PLC portal (and other browser clients) can reach the Cloudflare Access protected Proxmox API without requiring the user to complete a CF-Access SSO flow in-browser. Endpoints: GET /api/proxmox/health — configuration probe (503 when unset) GET /api/proxmox/cluster/status — aggregated cluster node status Required orchestrator env: PROXMOX_API_URL PROXMOX_CF_ACCESS_CLIENT_ID PROXMOX_CF_ACCESS_CLIENT_SECRET When env is missing the endpoints return 503 with an actionable JSON body and the frontend stays in its mocked state — no crashes, no partial deploys.
2026-04-19 08:29:13 +00:00
parent b118b2be9c
commit ecd5412923
3 changed files with 158 additions and 0 deletions
--- a/orchestrator/src/index.ts
+++ b/orchestrator/src/index.ts
@@ -99,6 +99,13 @@ app.get("/api/plans/:planId/status", getExecutionStatus);
 app.post("/api/plans/:planId/abort", auditLog("ABORT_PLAN", "plan"), abortExecution);
 app.post("/api/webhooks", registerWebhook);

+// Proxmox BFF — forwards browser requests to the CF-Access protected
+// Proxmox API using a server-side service token. See
+// orchestrator/src/integrations/proxmox.ts for required env.
+import { proxmoxHealth, proxmoxClusterStatus } from "./api/proxmox";
+app.get("/api/proxmox/health", proxmoxHealth);
+app.get("/api/proxmox/cluster/status", proxmoxClusterStatus);
+
 app.get("/api/plans/:planId/status/stream", streamPlanStatus);

 // Error handling middleware