backlog(2): Q2.1 keycloak DONE; Q2.3 absorbs the Q0.4 dep-resolver primitive

machine-docs/BACKLOG-2.md

@@ -41,15 +41,17 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md`
       by Builder. Awaiting Adversary cold re-verify.
 
 ### Q2 — SSO providers (keycloak + authentik)
-- [ ] **Q2.1** — keycloak: port `tests/keycloak/oidc_integration.py` (the dependent-recipe test) and
-      `tests/health_check.py`. Add specific tests from plan §4.3 (realm+client via admin API; password
-      and client-credentials token grants; JWT claims).
+- [x] **Q2.1** — keycloak: parity-port `test_health_check.py` + 2 NEW recipe-specific functional
+      tests (`test_password_grant_token.py` — JWT decode + claim validation; `test_create_client_and_use.py` — admin-API client CRUD + client_credentials grant). `oidc_integration.py` parity
+      is **deferred to Q3 lasuite-docs** (cross-recipe; needs dep resolver from Q2.3 + lasuite-docs
+      Phase-2 enrollment). Bumped DEPLOY_TIMEOUT + HTTP_TIMEOUT to 900s. Full e2e green via the
+      run path (commit `d5f5e86`).
 - [ ] **Q2.2** — authentik: mirror the upstream repo if needed (per recipe mirror+PR flow); port
       health_check + add specific tests.
 - [ ] **Q2.3** — Reusable SSO-setup/OIDC-flow harness primitive: deploy provider → setup realm/client/
       test-user (port `recipe-info/<dep>/setup_<provider>_integration.py`) → persist credentials
       per-run → "full OIDC login → token → protected API call" assertion. Implement once in
-      `runner/harness/`; reused by every SSO-dependent recipe.
+      `runner/harness/`; reused by every SSO-dependent recipe. **Subsumes Q0.4 dep resolver primitive.**
 - [ ] **Q2.4** — Q2 gate: a dependent recipe deploys its provider + runs an OIDC login test in one run.
 
 ### Q3 — SSO-dependent suite (lasuite-docs, lasuite-drive, lasuite-meet, cryptpad, immich)