go.mod requires >= 1.25.0; previous Dockerfile pinned 1.24 which failed
at `go mod download` with: "go: go.mod requires go >= 1.25.0".
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Mirrors the portal CI pattern (platform/portal #14). Previous workflow
pushed to a future-prod registry that doesn't exist, then called an orca
CLI shape this version doesn't ship.
- Registry: registry.meghsakha.com
- Image path: breakpilot/tenant-registry
- Tags: :latest (webhook deploy) + :sha-<sha> (traceability)
- Webhook: HMAC-signed POST to the orca master
One-time setup before this can deploy:
1. Add Gitea Actions secrets to this repo: REGISTRY_USER, REGISTRY_PASS, ORCA_WEBHOOK_SECRET
2. On the orca master:
   orca webhooks add --repo platform/tenant-registry \
     --service breakpilot-tenant-registry --branch main
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
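The "HMAC-signed POST" from the commit message above, sketched as an added example (not code from this repository or from orca). It assumes HMAC-SHA256 with a hex "sha256=<hex>" signature value; the real orca header name and encoding are not stated here, and the names Sign, Verify and sigPrefix are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// sigPrefix is an assumed signature format ("sha256=<hex>"); the format
// orca actually expects is not given in the commit message.
const sigPrefix = "sha256="

// Sign returns the signature value the CI job would attach to the POST.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return sigPrefix + hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the MAC over the raw request body and compares it in
// constant time. An empty secret or a malformed signature is rejected, so a
// receiver with a missing secret fails closed instead of accepting anything.
func Verify(secret, body []byte, header string) bool {
	if len(secret) == 0 || !strings.HasPrefix(header, sigPrefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, sigPrefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

func main() {
	// Constructed values: the secret stands in for ORCA_WEBHOOK_SECRET and
	// the JSON payloads are made up for this example.
	secret := []byte("constructed-test-secret")
	body := []byte(`{"repo":"platform/tenant-registry","branch":"main"}`)
	tampered := []byte(`{"repo":"platform/tenant-registry","branch":"dev"}`)
	sig := Sign(secret, body)
	fmt.Println("valid:", Verify(secret, body, sig))
	fmt.Println("tampered body:", Verify(secret, tampered, sig))
	fmt.Println("wrong secret:", Verify([]byte("other"), body, sig))
}
```

The MAC covers only the body, so a captured request can be replayed unchanged; a receiver that needs replay protection also has to sign and check a timestamp or nonce.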
internal/keycloak Adapter (HTTPAdapter + Mock). POST /v1/tenants now provisions a KC organization + IT_ADMIN invite when admin_email is set; KC failures emit keycloak.provision_failed but don't roll back. POST /v1/internal/keycloak/claims resolves the current claim bundle for any (tenant_id|tenant_slug|user_attrs.*) lookup. Mock used in tests + when KEYCLOAK_ADMIN_URL is empty. HTTPAdapter tested against an in-process stub KC (httptest.Server).
Refs: M4.3
Full M4.2 deliverable: 16 endpoints (tenants CRUD + lifecycle, catalog, entitlements, API keys with argon2 hashing, audit append + filter), Store interface with pgx-backed Postgres + in-memory parallel implementations exercised by the same eachStore harness, openapi.yaml at 3.1 with kin-openapi contract test. M4.3 adds auth.
Refs: M4.2
Minimal Go service: /healthz + /v1/tenants/by-slug/:slug + /v1/tenants/:id with an in-memory store seeded with the acme tenant. Stdlib-only; pgx + JWT validation land in M4.1 follow-up.