feat(keycloak): M4.3 — Admin API adapter + claim resolver

internal/keycloak Adapter (HTTPAdapter + Mock). POST /v1/tenants now provisions a KC organization + IT_ADMIN invite when admin_email is set; KC failures emit keycloak.provision_failed but don't roll back. POST /v1/internal/keycloak/claims resolves the current claim bundle for any (tenant_id|tenant_slug|user_attrs.*) lookup. Mock used in tests + when KEYCLOAK_ADMIN_URL is empty. HTTPAdapter tested against an in-process stub KC (httptest.Server). Refs: M4.3
2026-05-19 11:51:09 +00:00
parent ffab866c87
commit 9138731eea
22 changed files with 1379 additions and 27 deletions
@@ -50,7 +50,10 @@ func TestCatalogTrialRequest(t *testing.T) {
 		_, body := h.do("POST", "/v1/tenants", map[string]any{
 			"slug": "trial-target", "name": "Trial Target",
 		})
-		fresh := decode[store.Tenant](t, body)
+		freshWrap := decode[struct {
+			Tenant *store.Tenant `json:"tenant"`
+		}](t, body)
+		fresh := freshWrap.Tenant

 		resp, body := h.do("POST", "/v1/catalog/trial-request", map[string]any{
 			"tenant_id": fresh.ID, "product": "compliance",