CreateTenant now defaults trial_ends_at to NOW() + 14 days when the
new tenant lands in status='trial'. Demo-kind tenants get
status='demo' (per PLATFORM_ARCHITECTURE.md §5d) and trial_ends_at
stays NULL — those flow through the M13.2 demo-provisioning path.
Both store implementations (Memory + Postgres) updated; tests assert
the 14-day window for customers and the absent end for demo kind.
Unblocks M12.1 (portal trial banner can render a real countdown).
Refs: M4.1 + M12.1
internal/keycloak Adapter (HTTPAdapter + Mock). POST /v1/tenants now provisions a KC organization + IT_ADMIN invite when admin_email is set; KC failures emit keycloak.provision_failed but don't roll back. POST /v1/internal/keycloak/claims resolves the current claim bundle for any (tenant_id|tenant_slug|user_attrs.*) lookup. Mock used in tests + when KEYCLOAK_ADMIN_URL is empty. HTTPAdapter tested against an in-process stub KC (httptest.Server).
Refs: M4.3
Full M4.2 deliverable: 16 endpoints (tenants CRUD + lifecycle, catalog, entitlements, API keys with argon2 hashing, audit append + filter), Store interface with pgx-backed Postgres + in-memory parallel implementations exercised by the same eachStore harness, openapi.yaml at 3.1 with kin-openapi contract test. M4.3 adds auth.
Refs: M4.2
Minimal Go service: /healthz + /v1/tenants/by-slug/:slug + /v1/tenants/:id with an in-memory store seeded with the acme tenant. Stdlib-only; pgx + JWT validation land in M4.1 follow-up.
sharang