fix: Propagate tenant context when auth is disabled (#1252)

The metadataPropagationMiddleware strips incoming x-tenant-id headers
(security) and re-sets them from the auth context. When AUTH_ENABLED=false,
the auth context is empty, so the tenant header set by the tenant resolver
was stripped and never restored. This caused all tenant-scoped API calls
to fail with "tenant context missing" on the demo environment.

Add a fallback that reads tenant from the request context (set by the
tenant resolver middleware) when neither JWT nor API key identity is
present.

Also fix a frontend crash on the Positions page where .replace() was
called on a non-string statusTracking.currentStatus value.

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

frontend/src/pages/positions/detail.tsx

@@ -208,7 +208,7 @@ export function PositionDetailPage() {
                 <SkeletonField />
               ) : (
                 <span>
-                  {log?.statusTracking?.currentStatus?.replace(/_/g, ' ') ?? '—'}
+                  {typeof log?.statusTracking?.currentStatus === 'string' ? log.statusTracking.currentStatus.replace(/_/g, ' ') : '—'}
                 </span>
               )}
             </LabeledField>

frontend/src/pages/positions/index.tsx

@@ -84,8 +84,8 @@ export function PositionsPage() {
       accessorKey: 'statusTracking',
       header: 'Status',
       cell: ({ row }) => {
-        const status = row.original.statusTracking?.currentStatus ?? '—'
-        return <span className="text-sm">{status.replace(/_/g, ' ')}</span>
+        const status = row.original.statusTracking?.currentStatus
+        return <span className="text-sm">{typeof status === 'string' ? status.replace(/_/g, ' ') : '—'}</span>
       },
     },
     {

services/gateway/metadata.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/meridianhub/meridian/services/gateway/auth"
+	"github.com/meridianhub/meridian/shared/platform/tenant"
 )
 
 // metadataPropagationMiddleware is an HTTP middleware for the Vanguard transcoder
@@ -88,5 +89,14 @@ func writeIdentityMetadata(req *http.Request) {
 		if tenantID, ok := auth.GetTenantIDFromContext(ctx); ok && tenantID != "" {
 			req.Header.Set("x-tenant-id", tenantID)
 		}
+		return
+	}
+
+	// Fall back to tenant resolver context. When auth is disabled
+	// (AUTH_ENABLED=false), the tenant resolver middleware still injects the
+	// tenant ID into the request context via tenant.WithTenant(). Propagate
+	// it as a header so Vanguard forwards it as gRPC metadata.
+	if tenantID, ok := tenant.FromContext(ctx); ok && !tenantID.IsEmpty() {
+		req.Header.Set("x-tenant-id", string(tenantID))
 	}
 }

services/gateway/metadata_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/meridianhub/meridian/services/gateway/auth"
+	"github.com/meridianhub/meridian/shared/platform/tenant"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -233,3 +234,49 @@ func TestMetadataPropagationMiddleware_JWTPrioritizedOverAPIKey(t *testing.T) {
 	assert.Equal(t, AuthMethodJWT, capturedHeaders.Get("x-auth-method"))
 	assert.Equal(t, "jwt-tenant", capturedHeaders.Get("x-tenant-id"))
 }
+
+// TestMetadataPropagationMiddleware_TenantResolverFallback verifies that when
+// auth is disabled (no JWT or API key identity), the middleware falls back to
+// tenant context set by the tenant resolver middleware.
+func TestMetadataPropagationMiddleware_TenantResolverFallback(t *testing.T) {
+	var capturedHeaders http.Header
+
+	handler := metadataPropagationMiddleware(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+		capturedHeaders = r.Header.Clone()
+	}))
+
+	req := httptest.NewRequest(http.MethodPost, "/meridian.party.v1.PartyService/ListParties", nil)
+	// No auth context (AUTH_ENABLED=false), but tenant resolver injected tenant
+	ctx := tenant.WithTenant(req.Context(), tenant.TenantID("volterra_energy"))
+	req = req.WithContext(ctx)
+
+	handler.ServeHTTP(httptest.NewRecorder(), req)
+
+	// Tenant ID propagated from resolver context
+	assert.Equal(t, "volterra_energy", capturedHeaders.Get("x-tenant-id"))
+	// No auth identity headers
+	assert.Empty(t, capturedHeaders.Get("x-user-id"))
+	assert.Empty(t, capturedHeaders.Get("x-auth-method"))
+}
+
+// TestMetadataPropagationMiddleware_TenantResolverSpoofedHeaderStripped verifies
+// that spoofed x-tenant-id headers are stripped even when tenant resolver context
+// is used as fallback.
+func TestMetadataPropagationMiddleware_TenantResolverSpoofedHeaderStripped(t *testing.T) {
+	var capturedHeaders http.Header
+
+	handler := metadataPropagationMiddleware(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+		capturedHeaders = r.Header.Clone()
+	}))
+
+	req := httptest.NewRequest(http.MethodPost, "/test", nil)
+	req.Header.Set("x-tenant-id", "spoofed-tenant")
+	// Tenant resolver set the real tenant
+	ctx := tenant.WithTenant(req.Context(), tenant.TenantID("real_tenant"))
+	req = req.WithContext(ctx)
+
+	handler.ServeHTTP(httptest.NewRecorder(), req)
+
+	// Spoofed header replaced by resolver tenant
+	assert.Equal(t, "real_tenant", capturedHeaders.Get("x-tenant-id"))
+}