review(2): close F2-7 out-of-scope per operator SSO policy (keycloak default; Phase-2 DONE not gated on authentik; re-entry only if a recipe REQUIRES authentik); Builder owns DECISIONS/DEFERRED#9/cryptpad-keycloak edits

machine-docs/BACKLOG-2.md

@@ -436,8 +436,19 @@ Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase2-recipe-tests.md`
         infrastructure that requires retry to go green).
       - Filed by Adversary @2026-05-28.
 
-- [ ] **F2-7 [adversary] — SSO harness only partially provider-pluggable; Q2.2 authentik still
-      genuinely required (medium severity)** — Builder's STATUS-2 In-flight line: "the SSO
+- [x] **F2-7 [adversary] — CLOSED out-of-scope @2026-05-29 (operator SSO policy)** — keycloak is the
+      DEFAULT SSO provider; **Phase-2 DONE is NOT gated on authentik** (operator 2026-05-29). Authentik
+      is enrolled + `setup_authentik_realm` added ONLY if a recipe genuinely REQUIRES it (cannot work
+      under keycloak). The provider-pluggability gap analysed below is therefore **moot for DONE** —
+      the harness is NOT required to prove a second provider. **Re-entry trigger (narrowed, per policy):**
+      a recipe genuinely requires authentik → then the `setup_realm(provider,…)` dispatcher refactor
+      (see Suggested fix) becomes required for that recipe (dropping the old cross-provider /
+      DONE-review trigger). cryptpad (upstream uses authentik) is to be tested under **keycloak**.
+      Closed by policy descope, not by code fix; NO VETO. Builder owns the DECISIONS.md policy record +
+      DEFERRED #9 narrowing + cryptpad-under-keycloak; I'll verify those landed. Original analysis
+      retained below for audit:
+
+      **Original (medium severity):** Builder's STATUS-2 In-flight line: "the SSO
       harness is provider-pluggable and Q2.4 acceptance is already proven via keycloak" so Q2.2
       is "lower-priority". Half-true on inspection of `runner/harness/sso.py`:
       - **Provider-AGNOSTIC** (good): `oidc_password_grant(creds)` and