# immich — parity map (Phase 2 P2) + recipe-specific tests (P3)

Reference corpus: `references/recipe-maintainer/recipe-info/immich/tests/` (health_check.py, oidc_login.py).

## Parity ports

| recipe-maintainer test | cc-ci test | what's verified |
|---|---|---|
| `health_check.py` | `tests/immich/functional/test_health_check.py::test_immich_returns_200` | HTTP 200/301/302 from `/` (immich web SPA served). |

## Recipe-specific functional tests (P3, ≥2 — characteristic behavior)

1. **`test_asset_upload.py::test_immich_upload_asset_readback_and_thumbnail`** — the §4.3 create-an-object + read-it-back + characteristic feature: admin-sign-up → login → **upload an asset** (`POST /api/assets` multipart, 201 created with unique content) → **read it back** (`GET /api/assets/{id}` → 200, type IMAGE) → **immich generated a thumbnail/derivative** (`GET /api/assets/{id}/thumbnail` → 200, polled for the async generation). Real assertions on stored app state + the generated derivative — immich's whole purpose (photo ingest + derivatives). This single test covers BOTH the create+read-back floor AND the distinctive derivative-generation feature (≥2 characteristic behaviors).

Verified against immich app version 2.7.5.

Backup data-integrity (P4): Phase-1d/1e lifecycle overlays — `ops.py` seeds a postgres `ci_marker` (postgres/immich DB, backupbot-labelled); `test_upgrade/backup/restore.py` assert it survives.

## Non-ports (documented — §7.1)

- **`oidc_login.py`** — authentik-specific in the corpus. Per the operator SSO policy (DECISIONS "SSO-provider policy"), **keycloak is the default** and **Phase-2 DONE is NOT gated on authentik**; immich's OIDC is **optional** (immich boots + the §4.3 asset flow works with a local admin, no SSO). Porting an OIDC login test (under keycloak) is possible but not required for immich's gate; the §4.3 functional depth above is met without it. Recorded rather than silently omitted.