fix(keycloak): collision-free canonical domain for live-warm providers; enroll keycloak

canonical_domain() routes any recipe in warm.WARM_DOMAINS (keycloak) to a distinct warm-canon-<recipe>
domain so the data-warm canonical promote can never collide with the live-warm OIDC provider at
warm-keycloak. keycloak WARM_CANONICAL=True (full canonical coverage without risking live SSO).

runner/harness/canonical.py

@@ -40,7 +40,17 @@ def is_enrolled(recipe: str) -> bool:
 
 
 def canonical_domain(recipe: str) -> str:
-    """Stable data-warm domain for the recipe's canonical."""
+    """Stable data-warm domain for the recipe's canonical.
+
+    For a recipe that is ALSO a live-warm provider (in `warm.WARM_DOMAINS` — e.g. keycloak, whose
+    always-on shared OIDC instance lives at `warm-keycloak…`), the data-warm canonical MUST use a
+    DISTINCT domain: otherwise the sweep's promote deploy/teardown at `warm-<recipe>` collides with —
+    and could disrupt — the live shared service that other recipes (lasuite-*/drone) depend on. Give
+    those recipes a collision-free `warm-canon-<recipe>` namespace (a separate stack/domain that can
+    never touch the live provider); every other recipe keeps the plain `warm-<recipe>` scheme
+    (zero blast radius on the 15 existing canonicals)."""
+    if recipe in warm.WARM_DOMAINS:
+        return f"warm-canon-{recipe}.ci.commoninternet.net"
     return warm.stable_domain(recipe)