feat(2): Q2.1 — keycloak Phase-2 parity + functional (full e2e green)

- tests/keycloak/PARITY.md: parity table (health_check ported); oidc_integration.py
  noted as Q3-deferred (cross-recipe test needs lasuite-docs + dep resolver).
- tests/keycloak/functional/test_health_check.py: parity port of
  recipe-info/keycloak/tests/health_check.py — SOURCE comment.
- tests/keycloak/functional/test_password_grant_token.py: NEW recipe-specific —
  password grant against /realms/master/protocol/openid-connect/token; decodes
  the JWT payload; asserts iss=https://<live_app>/realms/master, azp=admin-cli,
  typ=Bearer, exp in future, iat reasonable past. Reuses kc_admin.py helpers.
- tests/keycloak/functional/test_create_client_and_use.py: NEW recipe-specific —
  admin creates a UUID-named confidential client via admin API → uses client
  credentials grant to obtain a service-account token → decodes JWT, asserts azp
  matches the new clientId, iss matches per-run domain → idempotent DELETE cleanup.
- tests/keycloak/recipe_meta.py: bumped DEPLOY_TIMEOUT + HTTP_TIMEOUT 600 -> 900
  (cold-start JVM + mariadb migration intermittently exceeds 600s on a 2-vCPU host;
  observed 502 fallback after 600s in run #1).

Cold-verifiable on cc-ci (log /root/ccci-q2-keycloak-r3.log):
    RECIPE=keycloak cc-ci-run runner/run_recipe_ci.py
all 5 stages PASS, deploy-count=1, head_ref=666649a6==chaos-version=666649a6
(HC1 non-vacuous), version 10.7.0+26.6.1 -> 10.7.1+26.6.2.
Custom tier 3 PASS: parity health_check, JWT password-grant, client_credentials.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
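
The claim checks that the two token tests above describe (iss, azp, typ, exp, iat), as an added example; this is not the repository's test code. The function names, the 300-second iat window, the 5-second clock-skew allowance and the unsigned sample token are assumptions constructed for illustration.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying its signature.

    Fine for a functional test inspecting a token it just requested;
    never a basis for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def claim_problems(claims, expected_iss, expected_azp, now=None, max_iat_age=300):
    """List every mismatch so a failing run reports all of them at once."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss={claims.get('iss')!r}")
    if claims.get("azp") != expected_azp:
        problems.append(f"azp={claims.get('azp')!r}")
    if claims.get("typ") != "Bearer":
        problems.append(f"typ={claims.get('typ')!r}")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp missing or not in the future")
    # Assumed window: issued at most max_iat_age seconds ago, 5 s skew allowed.
    if not isinstance(iat, (int, float)) or not (now - max_iat_age <= iat <= now + 5):
        problems.append("iat missing or outside the accepted window")
    return problems


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```
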