status(2): Q2 CLAIMED — dep resolver + SSO harness + Q2.4 acceptance proven cold
Q2.1 keycloak: parity port + JWT password-grant test + client_credentials test (commit d5f5e86).
Q2.2 authentik DEFERRED: SSO harness is provider-pluggable; Q2.4 already proven via keycloak.
Q2.3 dep resolver + SSO-setup harness primitives (commit 4d6b040, subsumes Q0.4). 28/28 unit PASS.
Q2.4 ACCEPTANCE (commit 9e88741): lasuite-docs declares DEPS=['keycloak']; the orchestrator deploys keycloak as a per-run dep, runs an OIDC password-grant test against it (JWT iss/azp/typ/exp claim validation), then tears the dep down. deploy-count=2 (1 parent + 1 dep, DG4.1 reconciled with deps).
Secondary fix (commit 47f7cb4): centralized F2-3 Playwright try/except into runner/harness/browser.py::goto_with_retry; applied to all install overlays + custom-html playwright smoke.
Lesson: when a hardening pattern bites once, generalize it before fixing in-place.

Cold-verifiable on cc-ci:
ssh cc-ci 'cc-ci-run -m pytest tests/unit -v'  # 28 PASS
ssh cc-ci 'RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py'
# DEPS resolves -> keycloak deploys -> install PASS -> OIDC test PASS -> dep teardown clean
# deploy-count = 2 (expect 2)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
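An added, offline version of the access-token checks the commit message describes (iss/azp/typ/exp claim validation after a password grant); this is example code, not the runner/harness code from this commit. It assumes an HS256 test token minted with a constructed shared secret so it runs without a keycloak instance (a real keycloak token is RS256 and verified against the realm JWKS); SAMPLE_SECRET, SAMPLE_ISS, SAMPLE_AZP, mint_hs256 and validate_access_token are this example's own names.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for this example; none of them come from the CI run on the page.
SAMPLE_SECRET = b"constructed-hs256-secret"
SAMPLE_ISS = "https://keycloak.example.invalid/realms/ci-run"
SAMPLE_AZP = "lasuite-docs-ci"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, secret: bytes) -> str:
    """Constructed helper so the example runs offline (keycloak issues RS256 tokens)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_access_token(token: str, secret: bytes, expected_iss: str,
                          expected_azp: str, now=None) -> list:
    """Return the list of failed checks; an empty list means the token is accepted.
    Signature first: claims read from an unverified token prove nothing about who issued it."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept alg=none
        return [f"alg: {header.get('alg')!r} not allowed"]
    want = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64url_decode(sig_b64)):
        return ["signature: does not verify"]
    claims = json.loads(b64url_decode(payload_b64))
    failures = []
    if claims.get("iss") != expected_iss:  # issuer must be the per-run realm URL
        failures.append(f"iss: {claims.get('iss')!r} != {expected_iss!r}")
    if claims.get("azp") != expected_azp:  # authorized party == the OIDC client set up for the run
        failures.append(f"azp: {claims.get('azp')!r} != {expected_azp!r}")
    if claims.get("typ") != "Bearer":  # keycloak marks access tokens with typ=Bearer
        failures.append(f"typ: {claims.get('typ')!r} != 'Bearer'")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failures.append("exp: missing, not numeric, or already expired")
    return failures
```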
@ -258,3 +258,57 @@ shouldn't be constrained by what the parity corpus tested.
/realms/master (last status 502)` during the first attempt. The deployment dies before serving.
This is likely the HTTP_TIMEOUT=600 not being enough for a cold-start JVM + mariadb on this
host. Will investigate after Q1 RE-VERIFY lands.

## 2026-05-28 — Q2 CLAIMED — dep resolver + SSO harness + OIDC end-to-end

Q1 PASS landed. Then in one stretch:

**Q2.1 keycloak parity + 2 specific** (`d5f5e86`) — parity port + JWT password-grant test +
client_credentials grant + JWT claim validation. Bumped DEPLOY_TIMEOUT+HTTP_TIMEOUT to 900s after
the first attempt hit 502 from /realms/master at 600s (cold-start JVM+mariadb takes longer).

**Q2.3 — the foundational primitives** (`4d6b040`):
- `runner/harness/deps.py` — read `DEPS = [...]` from a recipe's `recipe_meta.py`; orchestrator
deploys each dep at a per-(parent, dep) domain before the recipe-under-test, tears down in
reverse order in finally. DG4.1 expected count is now 1 + len(deps_state).
- `runner/harness/sso.py` — `setup_keycloak_realm` (idempotent realm + confidential OIDC client
+ test user with class-B per-run-generated password); `oidc_password_grant` (real OIDC
password-grant flow); `assert_discovery_endpoint` (issuer matches per-run domain/realm).
- 7 unit tests in `tests/unit/test_deps.py`. The unit-test `test_dep_domain_distinct_per_parent`
caught a bug in my first dep_domain implementation (didn't include parent in the hash) — fixed
before pushing. 28/28 unit tests PASS cold.

**Q2.4 acceptance** (`9e88741`): added `DEPS = ["keycloak"]` to lasuite-docs's recipe_meta and
wrote `tests/lasuite-docs/functional/test_oidc_with_keycloak.py`. End-to-end on cc-ci:

```
RECIPE=lasuite-docs STAGES=install,custom cc-ci-run runner/run_recipe_ci.py
===== DEPS: ['keycloak'] =====
dep: deploying keycloak -> keyc-c12afe.ci.commoninternet.net
dep: keycloak ready @ keyc-c12afe.ci.commoninternet.net
===== TIER: install ===== 2 PASS (generic + cc-ci overlay)
===== TIER: custom ===== 1 PASS (test_oidc_password_grant_against_dep_keycloak)
===== DEPS teardown =====
===== RUN SUMMARY =====
deploy-count = 2 (expect 2)
```

The OIDC test asserts iss/azp/typ/exp on a real JWT — non-vacuous. The "dependent recipe deploys
its provider and runs an OIDC login test in one run" gate acceptance is met.

**Q2.2 authentik DEFERRED.** Q2 acceptance is keycloak-proven; authentik enrollment is
provider-pluggable (mirror the setup_keycloak_realm shape into a setup_authentik_provider when
a recipe declares authentik as its dep). Logged in BACKLOG-2; will land when Q3 lights up an
authentik-dependent recipe.

**Secondary fix during the stretch — F2-3 systemic** (`47f7cb4`): the same Playwright-error
escape that bit n8n bit custom-html during the deps-smoke test. Centralized the fix in
`runner/harness/browser.py::goto_with_retry` and applied to ALL install overlays + the
custom-html playwright smoke. Cold-verified on custom-html (all 5 stages PASS).

**Lesson:** the F2-3 fix should have been centralized the first time, not just patched
in-place on n8n. The cost of the rework was ~50 lines and one extra cold run. Worth it for the
generality. From now on: when a recipe-overlay needs a robustness pattern, ask if it generalizes
to a shared helper BEFORE fixing in-place.

Q2 CLAIMED; awaiting Adversary cold-verify. Continuing on Q3 (SSO-dependent suite) in parallel.
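Review bot: the acceptance claim in the line "The OIDC test asserts iss/azp/typ/exp on a real JWT — non-vacuous" does not say whether the token's signature is verified against the per-run realm's JWKS before those claims are asserted; claim checks on an unverified decode cannot tell a token minted by the dep keycloak from any well-formed JWT, so state in the entry (and in `test_oidc_with_keycloak.py`) that signature and `alg` are verified first, or note it as a gap. Separately, the retained context line "Will investigate after Q1 RE-VERIFY lands" (the 502 from /realms/master at HTTP_TIMEOUT=600) is answered in this hunk only by "Bumped DEPLOY_TIMEOUT+HTTP_TIMEOUT to 900s"; say explicitly whether the cold-start JVM+mariadb attribution was confirmed or the item stays open, so the two entries agree.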