fix(keycloak): collision-free canonical domain for live-warm providers; enroll keycloak

canonical_domain() routes any recipe in warm.WARM_DOMAINS (keycloak) to a distinct warm-canon-<recipe>
domain so the data-warm canonical promote can never collide with the live-warm OIDC provider at
warm-keycloak. keycloak WARM_CANONICAL=True (full canonical coverage without risking live SSO).

tests/keycloak/recipe_meta.py

@@ -7,10 +7,12 @@ DEPLOY_TIMEOUT = (
 )
 HTTP_TIMEOUT = 900
 
-# canon §2.B EXCEPTION (recorded in DECISIONS): keycloak is NOT a data-warm canonical. It is the
-# project's LIVE-WARM OIDC dep provider — an always-on shared service at the SAME stable domain a
-# data-warm canonical would use (warm-keycloak.ci.commoninternet.net). Enrolling it would make the
-# sweep's promote deploy/teardown collide with the live provider that lasuite-*/drone depend on for
-# SSO. keycloak is instead kept current by the sweep's roll_warm_infra step (the health-gated
-# warm/infra reconciler, WC1.1) — so it never lacks coverage. WARM_CANONICAL stays False.
-WARM_CANONICAL = False
+# phase redfix: keycloak IS now a data-warm canonical. The original canon §2.B exception de-enrolled
+# it because its canonical would have used the SAME domain as the live-warm OIDC provider
+# (warm-keycloak.ci.commoninternet.net), so the sweep's promote deploy/teardown would collide with the
+# live service lasuite-*/drone depend on. That collision is now structurally impossible:
+# `canonical.canonical_domain()` routes any recipe in `warm.WARM_DOMAINS` (keycloak) to a distinct
+# `warm-canon-<recipe>` domain/stack, so the data-warm canonical and the live-warm provider are
+# separate deployments that can never touch each other. keycloak therefore gets full data-warm
+# canonical coverage (a real promote on its latest release) without risking the live OIDC service.
+WARM_CANONICAL = True