Fix Heimdall principal claims pattern for client IDs (LFXV2-922)

README.md

@@ -713,7 +713,7 @@ LOG_LEVEL=debug make run
 - **Heimdall Integration**: All messages validated against JWT service
 - **Multiple Audiences**: Configurable audience validation
 - **Principal Parsing**: Authorization header and X-On-Behalf-Of delegation support
-- **Machine User Detection**: `clients@` prefix identification
+- **Machine User Detection**: `@clients` suffix identification
 
 **Input Validation:**
 

internal/infrastructure/auth/auth_repository.go

@@ -173,12 +173,12 @@ func (r *AuthRepository) ParsePrincipals(ctx context.Context, headers map[string
 			}
 			authorizedPrincipals = append(authorizedPrincipals, principalEntity)
 
-			if strings.HasPrefix(principal, constants.MachineUserPrefix) {
+			if strings.HasSuffix(principal, constants.MachineUserSuffix) {
 				isMachineUser = true
 				r.logger.Info("Machine user detected in authorization header",
 					"auth_id", authID,
 					"principal", r.safePrincipalLog(principal),
-					"machine_user_prefix", constants.MachineUserPrefix)
+					"machine_user_suffix", constants.MachineUserSuffix)
 			}
 
 			r.logger.Debug("Authorization principal parsed successfully",
@@ -491,5 +491,5 @@ func (r *AuthRepository) safePrincipalLog(principal string) string {
 
 // isMachineUser checks if a principal is a machine user
 func (r *AuthRepository) isMachineUser(principal string) bool {
-	return strings.HasPrefix(principal, constants.MachineUserPrefix)
+	return strings.HasSuffix(principal, constants.MachineUserSuffix)
 }

internal/infrastructure/auth/auth_repository_test.go

@@ -459,7 +459,7 @@ func TestAuthRepository_HelperMethods(t *testing.T) {
 
 	t.Run("isMachineUser", func(t *testing.T) {
 		// Test machine user
-		result := repo.isMachineUser(constants.MachineUserPrefix + "test-machine")
+		result := repo.isMachineUser("test-machine" + constants.MachineUserSuffix)
 		assert.True(t, result)
 
 		// Test regular user

pkg/constants/auth.go

@@ -14,7 +14,7 @@ const (
 	BearerPrefix = "bearer "
 
 	// Machine user identifier
-	MachineUserPrefix = "clients@"
+	MachineUserSuffix = "@clients"
 
 	// Error messages for authentication
 	ErrInvalidToken          = "invalid token"