From 1786c254d5d0124119c3cb816a3017b304404f46 Mon Sep 17 00:00:00 2001
From: Claude VM
Date: Tue, 19 May 2026 16:02:36 +0300
Subject: [PATCH] =?UTF-8?q?diag(gis):=20/api/gis/me=20proxy=20=E2=86=92=20?= =?UTF-8?q?surface=20Authentik=20claims=20for=20scope=20debugging?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

f9bf2ca4 has 25 enrichment keys in gis_core.GisFeature but parcela.get returns only 10 — all PII (NR_CF, ADRESA, PROPRIETARI) redacted. Symptom of enrichment_scope=basic. Plan 003 §Faza B says Arhitecti LDAP group should get full. Need to verify the mapping. Calls gisApi.me() and returns the claims. Logs them server-side (truncated to 500 chars). Marius hits the URL once, we see what enrichment_scope his JWT actually carries.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
src/app/api/gis/me/route.ts | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 src/app/api/gis/me/route.ts

diff --git a/src/app/api/gis/me/route.ts b/src/app/api/gis/me/route.ts
new file mode 100644
index 0000000..f31b1f4
--- /dev/null
+++ b/src/app/api/gis/me/route.ts
@@ -0,0 +1,37 @@
+import { NextResponse } from "next/server";
+import { getAuthSession } from "@/core/auth/require-auth";
+import { gisApi, GisApiError } from "@/lib/gis-api-client";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+// Diagnostic proxy → gis-api /api/v1/me. Returns the claims Authentik
+// minted into the access_token, as gis-api sees them. Useful for
+// verifying that the Beletage LDAP group → enrichment_scope=full mapping
+// is actually firing for the pilot user.
+export async function GET() {
+ const session = await getAuthSession();
+ if (!session) {
+ return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+ }
+ try {
+ const data = await gisApi.me();
+ console.log(
+ "[gis-me] claims=%s",
+ JSON.stringify((data as { claims?: unknown }).claims ?? data).slice(0, 500),
+ );
+ return NextResponse.json(data);
+ } catch (err) {
+ if (err instanceof GisApiError) {
+ return NextResponse.json(
+ { error: err.code, status: err.status, body: err.body },
+ { status: err.status },
+ );
+ }
+ const msg = err instanceof Error ? err.message : String(err);
+ return NextResponse.json(
+ { error: "internal_error", hint: msg.slice(0, 200) },
+ { status: 500 },
+ );
+ }
+}
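Review bot: The `catch` block sends `err.body` from gis-api and up to 200 characters of any other exception message back to the caller, so an upstream failure exposes backend detail to whoever requests the route; keep that detail in server logs and return only a stable error code. `err.status` is also used as the response status unchecked, and if `GisApiError` can carry a value outside 200–599 (not visible here) the `Response` constructor will throw instead of answering. The only gate is `if (!session)`, so every signed-in user can reach an endpoint the commit message describes as a one-off check for a single pilot user, and because `gisApi.me()` is called without the session the hunk does not show whose token's claims are returned, which is worth confirming before this ships. The `console.log` of the claims object likely writes identity attributes into application logs; logging only the `enrichment_scope` value would cover the debugging need.

```typescript
  // … unchanged: session check, gisApi.me() call and success response …
  } catch (err) {
    if (err instanceof GisApiError) {
      // Upstream detail stays in server logs; the client gets a stable code only.
      console.error("[gis-me] gis-api error code=%s status=%s", err.code, err.status);
      const status =
        Number.isInteger(err.status) && err.status >= 400 && err.status <= 599
          ? err.status
          : 502;
      return NextResponse.json({ error: err.code }, { status });
    }
    console.error("[gis-me] unexpected error", err);
    return NextResponse.json({ error: "internal_error" }, { status: 500 });
  }
```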