diff --git a/machine-docs/DECISIONS.md b/machine-docs/DECISIONS.md index c46f39e..53f55f2 100644 --- a/machine-docs/DECISIONS.md +++ b/machine-docs/DECISIONS.md @@ -706,3 +706,21 @@ DEFERRED.md 2026-05-29). Until then, heavy recipes are verified via their maxima (install+backup+restore+custom) with the upgrade tier flagged as a genuine env-level (disk) blocker per plan §7.1 (Adversary sign-off required). The cleanup runbook for an over-full host: `pkill -f run_recipe_ci.py`; `docker stack rm `; remove its volumes+secrets; `docker image prune -f`. + +## SSO-provider policy (operator, 2026-05-29) — keycloak is the DEFAULT; authentik is NOT a DONE gate +Standing policy for all Phase-2 (and later) recipe OIDC/SSO testing: +- **keycloak is the default SSO provider.** Default ALL recipe OIDC tests to keycloak (live-warm WC1). +- **Do NOT test authentik↔keycloak integration**, and do NOT enroll authentik merely to "prove + pluggability" / second-provider coverage. **Phase-2 DONE is NOT gated on authentik.** +- Enroll authentik + add `setup_authentik_realm` (the provider-pluggable backend in + `runner/harness/sso.py`) **ONLY if a recipe genuinely REQUIRES authentik** (cannot work under + keycloak). If it works with keycloak, use keycloak. +- **cryptpad:** its recipe-maintainer upstream SSO test uses authentik, but cc-ci tests cryptpad's OIDC + under **keycloak** (equally valid). Same for any recipe whose upstream happens to use authentik but + functions fine under keycloak. +- The OIDC FLOW primitives (`oidc_password_grant`, `assert_discovery_endpoint`) are already + provider-agnostic; only realm/client SETUP is provider-specific, and we only need the keycloak setup + (`setup_keycloak_realm`) unless/until a recipe forces authentik. +Consequences: DEFERRED #9 (authentik enrollment) re-entry trigger narrowed to "a recipe requires +authentik"; F2-7 (authentik backend) is not a DONE blocker. plan-sso-dep-testing.md §6 updated by the +orchestrator to match. 
diff --git a/machine-docs/DEFERRED.md b/machine-docs/DEFERRED.md index 8bd1451..6ce7ae8 100644 --- a/machine-docs/DEFERRED.md +++ b/machine-docs/DEFERRED.md @@ -150,10 +150,12 @@ before the build is called done) — but does **not** force closure. recipe-maintainer SSO test uses authentik but that parity port is already deferred above). The SSO harness's OIDC FLOW primitives (`oidc_password_grant`, `assert_discovery_endpoint`) are already provider-agnostic; only `setup_keycloak_realm` is keycloak-specific. -- **Re-entry trigger:** When Q3.4 cryptpad's deferred `oidc_login.py` parity is lifted (cryptpad's - upstream test uses authentik), OR when an additional Q4 recipe enrolls with `DEPS = ["authentik"]`, - OR Phase-2 DONE review (operator may insist on second-provider coverage proving the harness IS - pluggable, not just claimed). +- **Re-entry trigger (NARROWED per operator SSO policy 2026-05-29):** ONLY when a recipe **genuinely + REQUIRES authentik** (cannot work under keycloak). Dropped the former triggers — cryptpad's OIDC is + now tested under **keycloak** (its upstream uses authentik but keycloak is equally valid), and + **Phase-2 DONE is explicitly NOT gated on authentik** (no "prove pluggability"/second-provider/ + DONE-review trigger). keycloak is the default SSO provider for all recipe OIDC tests. See + DECISIONS.md "SSO-provider policy". - **Linked IDEA:** — ### 2026-05-29 — heavy-recipe upgrade tier needs more host disk (28GB too small) — CLOSED @2026-05-29
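Review bot: In the DECISIONS.md hunk, the escalation condition "a recipe genuinely REQUIRES authentik (cannot work under keycloak)" has no testable definition, so whether a recipe qualifies is left to judgment at the moment someone wants to enroll authentik. Suggest adding one sentence under the third bullet stating what counts as evidence (for example: the recipe's OIDC login fails against `setup_keycloak_realm` for a documented reason that keycloak cannot be configured around), and who records it, so that DEFERRED #9 can be re-opened from a concrete failure rather than a preference. Separately, the bullet calling the flow primitives "already provider-agnostic" should say which flow they cover: if `oidc_password_grant` is the password (ROPC) grant its name suggests, then the keycloak-only testing described here exercises token issuance and discovery but not the browser redirect/callback path most recipes use for real logins, and that limitation is worth stating next to "equally valid" so readers do not take keycloak coverage as full OIDC coverage.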
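Review bot: In the DEFERRED.md hunk, the removed trigger text contained the one mechanical signal for "requires authentik" (a recipe enrolling with `DEPS = ["authentik"]`), and the replacement drops it in favour of the prose condition "genuinely REQUIRES authentik (cannot work under keycloak)". Suggest keeping the `DEPS = ["authentik"]` declaration in the new trigger as the way a recipe states that requirement, e.g. "ONLY when a recipe declares `DEPS = ["authentik"]` because it genuinely REQUIRES authentik (cannot work under keycloak)", so the trigger can be detected from recipe metadata instead of a review discussion. Also, "- **Linked IDEA:** —" is still empty after this edit; if no IDEA is linked, say so explicitly rather than leaving a dash that reads like a truncated reference.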