feat(2): Q3.2 lasuite-drive SSO iteration — keycloak dep + OIDC test + MinIO storage round-trip

- recipe_meta: DEPS=[keycloak] enabled (base proven cold-green).
- setup_custom_tests.sh: wire OIDC env (explicit keycloak realm endpoints) + insert oidc_rpcs
  secret at bumped version + clear FranceConnect eidas1 acr + in-place redeploy (adapted from
  the proven lasuite-docs hook).
- functional/test_oidc_with_keycloak.py: SSO discovery + password grant + JWT claims vs dep
  keycloak realm 'lasuite-drive' (@requires_deps; F2-11 fails run on skip).
- functional/test_minio_storage.py: §4.3 specific — drive-media-storage bucket present + real
  upload->list->download round-trip via mc inside the minio container.
- PARITY.md: OIDC + MinIO rows landed; backup data-integrity (ci_marker) already real.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

tests/lasuite-drive/setup_custom_tests.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# lasuite-drive — post-deps setup hook (operator-2026-05-28 SSO-dep plan §3.2).
+#
+# Sibling of tests/lasuite-docs/setup_custom_tests.sh (same impress/La Suite OIDC env contract).
+# Runs AFTER the generic tiers and AFTER the keycloak dep is deployed + provisioned with a
+# realm/client/user by the harness. The orchestrator wrote $CCCI_DEPS_FILE with the keycloak dep's
+# domain + realm + client_id + client_secret + admin creds.
+#
+# This hook: (1) inserts the OIDC client secret as the recipe-conventional `oidc_rpcs` swarm secret
+# (at a bumped version, since abra already generated v1 and swarm forbids overwrite); (2) writes the
+# OIDC env vars into the running app's .env; (3) triggers an in-place `abra app deploy --force
+# --chaos` so the new env takes effect. NOT a fresh `abra app new` — the deploy-count guard (DG4.1)
+# still sees one app_new per app.
+#
+# Env supplied by the orchestrator:
+#   CCCI_APP_DOMAIN  — the running per-run lasuite-drive app domain
+#   CCCI_RECIPE      — "lasuite-drive"
+#   CCCI_DEPS_FILE   — JSON (dict shape: {keycloak: {domain, realm, client_id, client_secret, ...}})
+set -euo pipefail
+
+: "${CCCI_APP_DOMAIN:?missing}"
+: "${CCCI_DEPS_FILE:?missing}"
+test -s "$CCCI_DEPS_FILE" || { echo "  setup_custom_tests: deps file empty"; exit 1; }
+
+KC_DOMAIN=$(jq -r '.keycloak.domain'        "$CCCI_DEPS_FILE")
+KC_REALM=$( jq -r '.keycloak.realm'         "$CCCI_DEPS_FILE")
+KC_CLIENT=$(jq -r '.keycloak.client_id'     "$CCCI_DEPS_FILE")
+KC_SECRET=$(jq -r '.keycloak.client_secret' "$CCCI_DEPS_FILE")
+[ -n "$KC_DOMAIN" ] && [ "$KC_DOMAIN" != "null" ] || { echo "  setup_custom_tests: no keycloak.domain in deps"; exit 1; }
+[ -n "$KC_SECRET" ] && [ "$KC_SECRET" != "null" ] || { echo "  setup_custom_tests: no keycloak.client_secret"; exit 1; }
+
+echo "  lasuite-drive setup_custom_tests: wiring OIDC against keycloak dep ${KC_DOMAIN}"
+
+# 1) Insert the OIDC client secret at a bumped version (the recipe-maintainer pattern; abra already
+# generated oidc_rpcs:v1 randomly and swarm forbids overwriting a secret at the same version).
+ENV_PATH="$HOME/.abra/servers/default/${CCCI_APP_DOMAIN}.env"
+CUR_VER=$(grep -E '^\s*SECRET_OIDC_RPCS_VERSION=' "$ENV_PATH" | tail -1 | cut -d= -f2 | tr -d '"\r' || echo "v1")
+NEW_NUM=$(( ${CUR_VER#v} + 1 ))
+NEW_VER="v${NEW_NUM}"
+
+INSERT_LOG=$(abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input 2>&1) \
+  || INSERT_LOG=$(script -qec "abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input" /dev/null 2>&1) \
+  || { echo "  setup_custom_tests: abra app secret insert oidc_rpcs@$NEW_VER failed: $INSERT_LOG"; exit 1; }
+sed -i "s|^\s*SECRET_OIDC_RPCS_VERSION=.*|SECRET_OIDC_RPCS_VERSION=$NEW_VER|" "$ENV_PATH"
+echo "  setup_custom_tests: oidc_rpcs secret inserted at $NEW_VER (was $CUR_VER)"
+
+# 2) Write the OIDC env vars (explicit endpoints — deterministic, no reliance on ${AUTH_DOMAIN}
+# expansion). Drive's .env.sample templates the endpoints off ${AUTH_DOMAIN}; we set AUTH_DOMAIN too
+# for completeness and override each endpoint with the concrete keycloak realm URL.
+[ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >> "$ENV_PATH"
+write_env () {
+  local key="$1" val="$2"
+  sed -i "/^\s*#\?\s*${key}=/d" "$ENV_PATH"
+  [ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >> "$ENV_PATH"
+  printf '%s=%s\n' "$key" "$val" >> "$ENV_PATH"
+}
+write_env AUTH_DOMAIN                      "$KC_DOMAIN"
+write_env OIDC_REALM                       "$KC_REALM"
+write_env OIDC_OP_JWKS_ENDPOINT            "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/certs"
+write_env OIDC_OP_AUTHORIZATION_ENDPOINT   "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/auth"
+write_env OIDC_OP_TOKEN_ENDPOINT           "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/token"
+write_env OIDC_OP_USER_ENDPOINT            "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/userinfo"
+write_env OIDC_OP_LOGOUT_ENDPOINT          "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/logout"
+write_env OIDC_RP_CLIENT_ID                "$KC_CLIENT"
+write_env OIDC_RP_SIGN_ALGO                "RS256"
+write_env OIDC_RP_SCOPES                   "openid email profile"
+write_env OIDC_REDIRECT_ALLOWED_HOSTS      "[\"https://${KC_DOMAIN}\", \"https://${CCCI_APP_DOMAIN}\"]"
+# The recipe default acr_values=eidas1 is FranceConnect-specific; keycloak can't satisfy it and it
+# would break the interactive auth flow. Clear it so the keycloak OIDC client works.
+write_env OIDC_AUTH_REQUEST_EXTRA_PARAMS   "{}"
+
+# 3) In-place redeploy so the env + secret take effect (--force: redeploy unchanged recipe; --chaos:
+# no chaos prompt; --no-input: non-interactive). NOT a fresh app_new.
+abra app deploy "$CCCI_APP_DOMAIN" --force --chaos --no-input 2>&1 | tail -10
+
+echo "  lasuite-drive setup_custom_tests: OIDC wired + redeployed"