From 0d3232409d043cfbfcb9766c261fd06f5e7cd4ff Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 28 May 2026 07:34:56 +0100 Subject: [PATCH] backlog(2): Q2.1 keycloak DONE; Q2.3 absorbs the Q0.4 dep-resolver primitive --- machine-docs/BACKLOG-2.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/machine-docs/BACKLOG-2.md b/machine-docs/BACKLOG-2.md index 88b6d6e..1cf082b 100644 --- a/machine-docs/BACKLOG-2.md +++ b/machine-docs/BACKLOG-2.md 
@@ -41,15 +41,17 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md` by Builder. Awaiting Adversary cold re-verify. ### Q2 — SSO providers (keycloak + authentik) -- [ ] **Q2.1** — keycloak: port `tests/keycloak/oidc_integration.py` (the dependent-recipe test) and - `tests/health_check.py`. Add specific tests from plan §4.3 (realm+client via admin API; password - and client-credentials token grants; JWT claims). +- [x] **Q2.1** — keycloak: parity-port `test_health_check.py` + 2 NEW recipe-specific functional + tests (`test_password_grant_token.py` — JWT decode + claim validation; `test_create_client_and_use.py` — admin-API client CRUD + client_credentials grant). `oidc_integration.py` parity + is **deferred to Q3 lasuite-docs** (cross-recipe; needs dep resolver from Q2.3 + lasuite-docs + Phase-2 enrollment). Bumped DEPLOY_TIMEOUT + HTTP_TIMEOUT to 900s. Full e2e green via the + run path (commit `d5f5e86`). - [ ] **Q2.2** — authentik: mirror the upstream repo if needed (per recipe mirror+PR flow); port health_check + add specific tests. - [ ] **Q2.3** — Reusable SSO-setup/OIDC-flow harness primitive: deploy provider → setup realm/client/ test-user (port `recipe-info//setup__integration.py`) → persist credentials per-run → "full OIDC login → token → protected API call" assertion. Implement once in - `runner/harness/`; reused by every SSO-dependent recipe. + `runner/harness/`; reused by every SSO-dependent recipe. **Subsumes Q0.4 dep resolver primitive.** - [ ] **Q2.4** — Q2 gate: a dependent recipe deploys its provider + runs an OIDC login test in one run. ### Q3 — SSO-dependent suite (lasuite-docs, lasuite-drive, lasuite-meet, cryptpad, immich)
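Review bot: In the Q2.1 entry the box is ticked `[x]` even though `oidc_integration.py` parity, which the removed text listed as part of Q2.1, is only deferred in prose inside the now-completed item. A checked line tends not to be reread, so add an explicit unchecked item under Q3 (the visible context shows only the Q3 heading) that names the port and its dependency on the Q2.3 resolver. The same tracking gap applies to "**Subsumes Q0.4 dep resolver primitive.**" in Q2.3: this patch has a single hunk, so the Q0.4 entry itself is not touched and should get a pointer to Q2.3. Two smaller points on the Q2.1 line: "JWT decode + claim validation" does not say whether the token signature is verified, and a test that only decodes would still pass on a token the provider never signed, so state which it is. The bump of DEPLOY_TIMEOUT and HTTP_TIMEOUT to 900s records neither the previous values nor the reason; one clause saying what timed out would help whoever revisits it.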