feat(cfold): canonicalize custom test layout

tests/lasuite-docs/custom/test_auth_required.py

@@ -0,0 +1,35 @@
+"""lasuite-docs — recipe-specific functional test (Phase 2 P3, ≥2 beyond parity).
+
+The defining property of lasuite-docs as configured by the recipe is that its **backend API is
+auth-protected** — OIDC tokens authorize access; anonymous requests are rejected. This test
+proves the auth middleware is wired correctly: a sample backend endpoint (`/api/v1.0/users/me/`)
+returns 401 Unauthorized without a token. Non-vacuous: a misconfigured backend serving anonymous
+access would return 200; a broken auth middleware would return 500; a wrong route would return
+404 — only a correctly-wired OIDC gate returns 401.
+
+Distinct from the OIDC password-grant test against the keycloak dep (`test_oidc_with_keycloak`):
+this proves **lasuite-docs's** own auth posture; that test proves the **SSO provider** can issue
+tokens. Together they exercise both sides of the OIDC flow's plumbing.
+
+Runs in the custom tier against the shared post-install deployment.
+"""
+
+from __future__ import annotations
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import http as harness_http  # noqa: E402
+
+
+def test_users_me_requires_auth(live_app):
+    """GET /api/v1.0/users/me/ without a Bearer token must return 401, not 200/404/500."""
+    url = f"https://{live_app}/api/v1.0/users/me/"
+    # Retry with broad acceptance: any 4xx (or specific 401) indicates the route exists + auth is
+    # required. Reject 200 (anonymous access) and 5xx (broken backend).
+    status, _ = harness_http.retry_http_get(url, expect_status=(401, 403), max_wait=60, interval=3)
+    assert status in (401, 403), (
+        f"GET {url} returned {status}, expected 401 (auth required). "
+        f"200 = anonymous access leaked; 404 = route missing; 5xx = backend broken."
+    )