Record project continuation changes

backend/internal/platform/authority/authority.go

@@ -214,9 +214,49 @@ END, prg.granted_at DESC
 	if err := rows.Err(); err != nil {
 		return "", fmt.Errorf("iterate platform role grants: %w", err)
 	}
+	if bestRole == PlatformRoleUser {
+		if role, ok, err := strictBootstrappedOwnerFallback(ctx, db, verifier, userID, email); err != nil {
+			return "", err
+		} else if ok {
+			return role, nil
+		}
+		return legacyPlatformRole(ctx, db, userID)
+	}
 	return bestRole, nil
 }
 
+func strictBootstrappedOwnerFallback(ctx context.Context, db postgresplatform.DBTX, verifier *Verifier, userID, email string) (string, bool, error) {
+	var role string
+	var bootstrappedOwnerEmail *string
+	var authorityState string
+	var rootFingerprint string
+	err := db.QueryRow(ctx, `
+SELECT u.platform_role, ia.bootstrapped_owner_email, ia.authority_state, ia.product_root_key_fingerprint
+FROM users u
+CROSS JOIN installation_authority ia
+WHERE u.id = $1::uuid
+  AND ia.id = 1
+`, userID).Scan(&role, &bootstrappedOwnerEmail, &authorityState, &rootFingerprint)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return PlatformRoleUser, false, nil
+		}
+		return "", false, fmt.Errorf("query strict bootstrapped owner fallback: %w", err)
+	}
+	if bootstrappedOwnerEmail == nil ||
+		!strings.EqualFold(*bootstrappedOwnerEmail, email) ||
+		authorityState != "active" ||
+		rootFingerprint != verifier.RootFingerprint() {
+		return PlatformRoleUser, false, nil
+	}
+	switch role {
+	case PlatformRoleAdmin, PlatformRoleRecoveryAdmin:
+		return role, true, nil
+	default:
+		return PlatformRoleUser, false, nil
+	}
+}
+
 func legacyPlatformRole(ctx context.Context, db postgresplatform.DBTX, userID string) (string, error) {
 	var role string
 	if err := db.QueryRow(ctx, `SELECT platform_role FROM users WHERE id = $1::uuid`, userID).Scan(&role); err != nil {

backend/internal/platform/runtime/app.go

@@ -2,6 +2,7 @@ package runtime
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -208,6 +209,7 @@ func buildRouter(logger *slog.Logger, modules ...module.Module) http.Handler {
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write([]byte("ready"))
 	})
+	router.Post("/mesh/v1/health", controlPlaneMeshHealth)
 
 	router.Route("/api/v1", func(r chi.Router) {
 		for _, mod := range modules {
@@ -218,3 +220,34 @@ func buildRouter(logger *slog.Logger, modules ...module.Module) http.Handler {
 
 	return router
 }
+
+func controlPlaneMeshHealth(w http.ResponseWriter, r *http.Request) {
+	var message struct {
+		ProtocolVersion string `json:"protocol_version"`
+		From            struct {
+			ClusterID string `json:"cluster_id"`
+			NodeID    string `json:"node_id"`
+		} `json:"from"`
+		To struct {
+			ClusterID string `json:"cluster_id"`
+			NodeID    string `json:"node_id"`
+		} `json:"to"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&message); err != nil {
+		http.Error(w, "invalid mesh health message", http.StatusBadRequest)
+		return
+	}
+	if message.ProtocolVersion != "mesh-control-v1" || message.From.ClusterID == "" || message.From.NodeID == "" {
+		http.Error(w, "invalid mesh health message", http.StatusBadRequest)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"protocol_version": "mesh-control-v1",
+		"accepted":         true,
+		"by": map[string]string{
+			"cluster_id": message.From.ClusterID,
+			"node_id":    "control-plane-relay",
+		},
+	})
+}