cc-ci/tests/lasuite-docs/PARITY.md

# Parity — lasuite-docs

Phase-2 P2 mapping table. The Adversary cold-verifies parity by reading the source
`recipe-info/lasuite-docs/tests/<file>` and the cc-ci file side-by-side.

| recipe-maintainer file | cc-ci file | what's verified | status |
|---|---|---|---|
| `recipe-info/lasuite-docs/tests/health_check.py` | `tests/lasuite-docs/functional/test_health_check.py` | The app serves over HTTPS and returns a successful response (200/301/302). The cc-ci port preserves the assertion shape, adapted to the ephemeral per-run domain via `live_app`. | **ported** |
| `recipe-info/lasuite-docs/tests/oidc_login.py` | `tests/lasuite-docs/functional/test_oidc_with_keycloak.py` (Q2.4 acceptance, partial port) + `test_auth_required.py` (proves the gate is wired) | The original's flow: deploy keycloak + setup realm/client/user + obtain JWT + use it against lasuite-docs's protected API. The cc-ci pair: (a) `test_oidc_with_keycloak` deploys keycloak as a Q2.3 dep, sets up realm/client/user, obtains a real JWT, validates iss/azp/typ/exp claims; (b) `test_auth_required` proves lasuite-docs's backend API requires auth (401). Step-(c) — actually USING the JWT against lasuite-docs — requires wiring the dep keycloak's client_secret + OIDC env into lasuite-docs's `.env` at install time; **see "Deferred (Q3.1 follow-up)" below**. | **partial; see follow-up** |
| `recipe-info/lasuite-docs/tests/upload_conversion.py` | (Q3.1 follow-up — needs OIDC env wired into lasuite-docs first) | The original uploads .md + .docx via authenticated `POST /api/v1.0/documents/<id>/upload` and asserts the y-provider + docspec conversion paths fire. The cc-ci port requires authentication, which requires OIDC env wiring (see below). | **deferred** |

## Recipe-specific tests (Phase-2 P3, ≥2 beyond parity)

| cc-ci file | what's verified | rationale |
|---|---|---|
| `tests/lasuite-docs/functional/test_oidc_with_keycloak.py` | Deploys keycloak as a per-run **dep** (Q2.3 resolver via `DEPS = ["keycloak"]`), sets up a realm/client/user, exercises the OIDC discovery endpoint + the password-grant flow against the dep keycloak, validates the returned JWT's iss/azp/typ/exp claims. | The recipe is **OIDC-dependent** by design; proving the SSO provider deploys + issues tokens + the JWT contract is intact is a defining lasuite-docs behavior (and the Q2 gate acceptance test). |
| `tests/lasuite-docs/functional/test_auth_required.py` | GETs `/api/v1.0/users/me/` without a token; asserts **401 Unauthorized** (or 403). Non-vacuous: distinguishes a correctly-wired OIDC gate (401) from anonymous access (200), missing route (404), and broken backend (5xx). | Proves lasuite-docs's **own** auth posture (distinct from the SSO provider's token issuance). Together with `test_oidc_with_keycloak` this exercises both sides of the OIDC flow's plumbing. |

Two specific tests — the ≥2 floor is met. Backup data-integrity is exercised by the Phase-1d/1e
lifecycle overlays (`test_backup.py`/`test_restore.py` + `ops.py`).

## Deferred to Q3.1 follow-up (P2 oidc_login.py + upload_conversion.py full ports)

`oidc_login.py` and `upload_conversion.py` both exercise lasuite-docs's **authenticated** API
with a real OIDC-issued JWT. To round these out, the cc-ci side needs:

1. **OIDC env wiring on parent**: `tests/lasuite-docs/install_steps.sh` reads `$CCCI_DEPS_FILE`
   to find the per-run keycloak dep's domain, calls `harness.sso.setup_keycloak_realm` to get a
   `(realm, client_id, client_secret, user, password)` tuple, then:
   - Inserts `SECRET_OIDC_RPCS_VERSION=v1` + the secret value via `abra app secret insert`.
   - Appends to lasuite-docs's `.env`: `OIDC_REALM`, `OIDC_CLIENT_ID`, `OIDC_OP_*` URLs pointing
     at the dep keycloak.
2. **Authenticated test**: a new `tests/lasuite-docs/functional/test_create_doc.py` performs the
   password grant against the dep keycloak, presents the JWT to lasuite-docs's
   `POST /api/v1.0/documents/` (create a doc), asserts the doc is fetched back via
   `GET /api/v1.0/documents/<id>/` — the §4.3 prescribed create-and-read-back.
3. **upload_conversion.py port** as a separate file exercising the .md + .docx upload paths once
   auth is wired.

These items are tracked in `BACKLOG-2.md` and will land before the Q3 gate is claimed.

## Backup data-integrity (P4)

Already exercised by the Phase-1d/1e lifecycle overlays
(`tests/lasuite-docs/{test_backup.py,test_restore.py,ops.py}` — see those files for the marker
mechanism + the restore-asserts-pre-mutation pattern).

## Playwright (P6)

`tests/lasuite-docs/test_install.py::test_serving_and_frontend` loads the live Docs frontend SPA
via Chromium (now using `harness.browser.goto_with_retry` for F2-3 hardening). Adequate for the
lifecycle install P6 surface; a deeper UI flow (create-a-doc in the editor) would land alongside
the OIDC-wiring follow-up above.

## Non-ports

None — every recipe-maintainer parity test has either a cc-ci port landed or a documented Q3.1
follow-up (this file + BACKLOG-2.md). No silent omissions.