# Parity — lasuite-docs Phase-2 P2 mapping table. The Adversary cold-verifies parity by reading the source `recipe-info/lasuite-docs/tests/` and the cc-ci file side-by-side. | recipe-maintainer file | cc-ci file | what's verified | status | |---|---|---|---| | `recipe-info/lasuite-docs/tests/health_check.py` | `tests/lasuite-docs/functional/test_health_check.py` | The app serves over HTTPS and returns a successful response (200/301/302). The cc-ci port preserves the assertion shape, adapted to the ephemeral per-run domain via `live_app`. | **ported** | | `recipe-info/lasuite-docs/tests/oidc_login.py` | `tests/lasuite-docs/functional/test_oidc_with_keycloak.py` (Q2.4 acceptance, partial port) + `test_auth_required.py` (proves the gate is wired) | The original's flow: deploy keycloak + setup realm/client/user + obtain JWT + use it against lasuite-docs's protected API. The cc-ci pair: (a) `test_oidc_with_keycloak` deploys keycloak as a Q2.3 dep, sets up realm/client/user, obtains a real JWT, validates iss/azp/typ/exp claims; (b) `test_auth_required` proves lasuite-docs's backend API requires auth (401). Step-(c) — actually USING the JWT against lasuite-docs — requires wiring the dep keycloak's client_secret + OIDC env into lasuite-docs's `.env` at install time; **see "Deferred (Q3.1 follow-up)" below**. | **partial; see follow-up** | | `recipe-info/lasuite-docs/tests/upload_conversion.py` | (Q3.1 follow-up — needs OIDC env wired into lasuite-docs first) | The original uploads .md + .docx via authenticated `POST /api/v1.0/documents//upload` and asserts the y-provider + docspec conversion paths fire. The cc-ci port requires authentication, which requires OIDC env wiring (see below). | **deferred** | ## Recipe-specific tests (Phase-2 P3, ≥2 beyond parity) | cc-ci file | what's verified | rationale | |---|---|---| | `tests/lasuite-docs/functional/test_oidc_with_keycloak.py` | Deploys keycloak as a per-run **dep** (Q2.3 resolver via `DEPS = ["keycloak"]`), sets up a realm/client/user, exercises the OIDC discovery endpoint + the password-grant flow against the dep keycloak, validates the returned JWT's iss/azp/typ/exp claims. | The recipe is **OIDC-dependent** by design; proving the SSO provider deploys + issues tokens + the JWT contract is intact is a defining lasuite-docs behavior (and the Q2 gate acceptance test). | | `tests/lasuite-docs/functional/test_auth_required.py` | GETs `/api/v1.0/users/me/` without a token; asserts **401 Unauthorized** (or 403). Non-vacuous: distinguishes a correctly-wired OIDC gate (401) from anonymous access (200), missing route (404), and broken backend (5xx). | Proves lasuite-docs's **own** auth posture (distinct from the SSO provider's token issuance). Together with `test_oidc_with_keycloak` this exercises both sides of the OIDC flow's plumbing. | Two specific tests — the ≥2 floor is met. Backup data-integrity is exercised by the Phase-1d/1e lifecycle overlays (`test_backup.py`/`test_restore.py` + `ops.py`). ## Deferred to Q3.1 follow-up (P2 oidc_login.py + upload_conversion.py full ports) `oidc_login.py` and `upload_conversion.py` both exercise lasuite-docs's **authenticated** API with a real OIDC-issued JWT. To round these out, the cc-ci side needs: 1. **OIDC env wiring on parent**: `tests/lasuite-docs/install_steps.sh` reads `$CCCI_DEPS_FILE` to find the per-run keycloak dep's domain, calls `harness.sso.setup_keycloak_realm` to get a `(realm, client_id, client_secret, user, password)` tuple, then: - Inserts `SECRET_OIDC_RPCS_VERSION=v1` + the secret value via `abra app secret insert`. - Appends to lasuite-docs's `.env`: `OIDC_REALM`, `OIDC_CLIENT_ID`, `OIDC_OP_*` URLs pointing at the dep keycloak. 2. **Authenticated test**: a new `tests/lasuite-docs/functional/test_create_doc.py` performs the password grant against the dep keycloak, presents the JWT to lasuite-docs's `POST /api/v1.0/documents/` (create a doc), asserts the doc is fetched back via `GET /api/v1.0/documents//` — the §4.3 prescribed create-and-read-back. 3. **upload_conversion.py port** as a separate file exercising the .md + .docx upload paths once auth is wired. These items are tracked in `BACKLOG-2.md` and will land before the Q3 gate is claimed. ## Backup data-integrity (P4) Already exercised by the Phase-1d/1e lifecycle overlays (`tests/lasuite-docs/{test_backup.py,test_restore.py,ops.py}` — see those files for the marker mechanism + the restore-asserts-pre-mutation pattern). ## Playwright (P6) `tests/lasuite-docs/test_install.py::test_serving_and_frontend` loads the live Docs frontend SPA via Chromium (now using `harness.browser.goto_with_retry` for F2-3 hardening). Adequate for the lifecycle install P6 surface; a deeper UI flow (create-a-doc in the editor) would land alongside the OIDC-wiring follow-up above. ## Non-ports None — every recipe-maintainer parity test has either a cc-ci port landed or a documented Q3.1 follow-up (this file + BACKLOG-2.md). No silent omissions.