Document Oracle CORS and service sanity checks

Author: Sam-Bolling

docs/research/new-publisher-source-planning/New_Publisher_Implementation_Checklist_2026-05-26.md

@@ -73,6 +73,7 @@ This checklist captures the repeatable workflow proven during the Environment Ag
 - Verify backend observations directly.
 - Verify Explorer visibility on the correct preset.
 - Verify production bundle content after pushing Explorer changes.
+- Verify the public reverse proxy from the production Explorer origin so browser CORS failures are caught, not just command-line endpoint success.
 - Record any server warnings separately from publisher failures.
 
 ## 9. Documentation
@@ -99,6 +100,7 @@ A new publisher is not done until all of these are true:
 - runtime can publish at least one clean live cycle,
 - observations can be read back from CSAPI,
 - Explorer can find and explain the resources,
+- the production Explorer can load the public endpoint without CORS-blocked OSH requests,
 - side-card/popup output is domain-meaningful,
 - docs explain source, model, commands, validation, and limitations,
 - commits are pushed to the relevant repositories.

docs/research/new-publisher-source-planning/Oracle_Caddy_CORS_Operational_Note_2026-05-26.md

@@ -0,0 +1,72 @@
+# Oracle Caddy CORS Operational Note - 2026-05-26
+
+## Summary
+
+The public Oracle endpoint at `https://129-80-248-53.sslip.io/sensorhub/api` is fronted by Caddy and proxies to SensorHub on `localhost:8181`.
+
+Production Explorer loads OSH resources from Cloudflare Pages at `https://ogc-csapi-explorer.pages.dev`. Browser requests failed when both Caddy and SensorHub emitted CORS response headers, producing a duplicate `Access-Control-Allow-Origin` value such as:
+
+```text
+*, https://ogc-csapi-explorer.pages.dev
+```
+
+Browsers reject that response even though command-line clients can still read the endpoint.
+
+## Live Fix
+
+The Caddy reverse proxy for SensorHub should strip upstream CORS headers before Caddy emits the public CORS policy.
+
+Relevant `/etc/caddy/Caddyfile` reverse proxy block:
+
+```caddy
+reverse_proxy localhost:8181 {
+    header_down -Access-Control-Allow-Origin
+    header_down -Access-Control-Allow-Credentials
+    header_up Authorization "Basic <sensorhub-basic-auth>"
+}
+```
+
+Do not commit the raw `Authorization` value to git. Keep it only in host-local server configuration or a host-local secret mechanism.
+
+## Validation
+
+After changing Caddy, validate the config and reload:
+
+```bash
+sudo caddy validate --config /etc/caddy/Caddyfile
+sudo systemctl reload caddy
+sudo systemctl status caddy --no-pager
+```
+
+Then verify the public endpoint from the production Explorer origin:
+
+```powershell
+$resp = Invoke-WebRequest -Method Head `
+  -Uri 'https://129-80-248-53.sslip.io/sensorhub/api' `
+  -Headers @{ Origin = 'https://ogc-csapi-explorer.pages.dev' }
+
+$resp.Headers.GetEnumerator() |
+  Where-Object { $_.Key -match 'Access-Control|Vary' } |
+  ForEach-Object { "$($_.Key): $($_.Value -join ', ')" }
+```
+
+Expected result includes exactly one `Access-Control-Allow-Origin` value:
+
+```text
+Access-Control-Allow-Origin: *
+```
+
+The production Explorer smoke test should then reach `https://ogc-csapi-explorer.pages.dev/map`, finish loading features, and show the new source filters without a duplicate-origin CORS console error.
+
+## 2026-05-26 Verification
+
+The live Oracle host was patched and production-verified after the Met Office, BGS, Environment Agency Hydrology, and UK-AIR Explorer polish pass.
+
+Observed production Explorer result:
+
+- URL: `https://ogc-csapi-explorer.pages.dev/map`
+- Feature count: `810 FEATURES`
+- Source filters: `EA Hydrology4`, `UK-AIR4`, `BGS / UKGEOS9`, `Met Office15`
+- CORS duplicate-origin error: not present
+- Met Office deployed-system card: opened successfully with `Weather Observation Site`, recent readings, and the Charterhall weather-station representative image
+- BGS deployed-system card: opened successfully with the UKGEOS borehole representative image and groundwater readings

docs/research/new-publisher-source-planning/Oracle_New_Publisher_Service_Sanity_Check_2026-05-26.md

@@ -0,0 +1,95 @@
+# Oracle New Publisher Service Sanity Check - 2026-05-26
+
+## Summary
+
+After the production Explorer CORS and new-source visibility fixes, the Oracle host and public CSAPI endpoint were checked for the four newly added publisher sources:
+
+- Environment Agency Hydrology
+- UK-AIR
+- BGS SensorThings / UKGEOS
+- Met Office Weather DataHub Land Observations
+
+## Live Endpoint Read-Back
+
+Public endpoint checked:
+
+```text
+https://129-80-248-53.sslip.io/sensorhub/api
+```
+
+Root deployment read-back succeeded for all four new publisher demos:
+
+| Source | Deployment UID | Server ID | Result |
+| --- | --- | --- | --- |
+| Environment Agency Hydrology | `urn:os4csapi:deployment:environment-agency-hydrology-demo:v1` | `05d0` | present |
+| UK-AIR | `urn:os4csapi:deployment:uk-air-demo:v1` | `05g0` | present |
+| BGS SensorThings | `urn:os4csapi:deployment:bgs-sensorthings-demo:v1` | `05ig` | present |
+| Met Office DataHub | `urn:os4csapi:deployment:met-office-datahub-demo:v1` | `05l0` | present |
+
+## Oracle Service State
+
+Core public path services were active:
+
+```text
+caddy.service: active
+sensorhub.service: active
+met-office-datahub-publisher.service: active
+```
+
+The Oracle service inventory shows `met-office-datahub-publisher.service` installed and running as the persistent service for the newest access-gated publisher.
+
+No persistent systemd units were discovered for Environment Agency Hydrology, UK-AIR, or BGS SensorThings during this check. Those publishers have been bootstrapped and one-shot published successfully, and their live CSAPI root deployments remain present, but they are not yet represented by dedicated Oracle scheduler/service units in the same way as Met Office.
+
+## Public CORS Check
+
+Production-origin CORS check from `https://ogc-csapi-explorer.pages.dev` returned a single public origin header:
+
+```text
+Access-Control-Allow-Origin: *
+```
+
+This confirms the live Caddy fix is still in place and avoids the previous duplicate-origin browser failure.
+
+## Controlled-Repo Issue Draft
+
+The local environment did not provide a GitHub issue tool, `gh` CLI, or GitHub API token at the time of this check. If an issue is filed, file it only in a controlled OS4CSAPI repository, preferably `OS4CSAPI/OSHConnect-Python`.
+
+Suggested title:
+
+```text
+Install persistent Oracle services for EA Hydrology, UK-AIR, and BGS publishers
+```
+
+Suggested body:
+
+```markdown
+## Summary
+
+Environment Agency Hydrology, UK-AIR, and BGS SensorThings were implemented, bootstrapped, one-shot published, and verified in production Explorer, but the Oracle host currently only has Met Office installed as a persistent new-publisher service.
+
+## Current State
+
+- `met-office-datahub-publisher.service` is installed and active.
+- No dedicated systemd units were discovered for:
+  - Environment Agency Hydrology
+  - UK-AIR
+  - BGS SensorThings / UKGEOS
+- Live CSAPI root deployments are present:
+  - `urn:os4csapi:deployment:environment-agency-hydrology-demo:v1` -> `05d0`
+  - `urn:os4csapi:deployment:uk-air-demo:v1` -> `05g0`
+  - `urn:os4csapi:deployment:bgs-sensorthings-demo:v1` -> `05ig`
+  - `urn:os4csapi:deployment:met-office-datahub-demo:v1` -> `05l0`
+
+## Proposed Work
+
+Add host-local systemd service/timer units or equivalent scheduler entries for the three one-shot-verified publishers, using the existing Oracle service pattern and without committing any secrets.
+
+## Acceptance Criteria
+
+- Environment Agency Hydrology publishes on a bounded recurring cadence.
+- UK-AIR publishes on a bounded recurring cadence.
+- BGS SensorThings publishes on a bounded recurring cadence appropriate for its source update frequency.
+- Units use host-local environment/secret files only.
+- `systemctl status` and journal checks are documented.
+- Production Explorer still loads the public endpoint without CORS-blocked OSH requests.
+```