Adds the breakpilot platform multi-tenancy claims to the dev realm
so M7.x products (starting with compliance-scanner-agent) can
authenticate against the local CERTifAI stack end-to-end.

New tenant-context client scope, included by default on all three
clients, with six protocol mappers backed by user attributes:

  tenant_id, tenant_slug, tenant_status, plan (strings)
  org_roles, products (multi-valued)

Five test users cover every tenant_status branch:

  admin@certifai.local (acme, active, IT_ADMIN + CXO)
  user@certifai.local (acme, active, USER)
  trial@acme.local (trialco, trial)
  frozen@acme.local (frozenco, frozen) -> 402 on writes
  archived@acme.local (archiveco, archived) -> 410 always

Enables Direct Access Grants on certifai-dashboard so password-
grant requests work for local API testing. This is the dev realm
only (KC_DB: dev-mem); prod realms inherit nothing from this file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
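
Added example, not part of the commit or the project's code: a sketch of how a consuming service could check the tenant-context claims and apply the tenant_status branches listed above. The claim names and the 402/410 outcomes come from the commit message; the function names, the set of write methods, the 403 fail-closed responses, the treatment of active and trial as unrestricted, and the sample payload values are assumptions.

```python
# Added example, not the project's code. Input is the payload of an access
# token whose signature, issuer and audience were already verified upstream.
STRING_CLAIMS = ("tenant_id", "tenant_slug", "tenant_status", "plan")
LIST_CLAIMS = ("org_roles", "products")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # assumption: what counts as a write


def validate_tenant_claims(claims):
    """Return a list of problems with the tenant-context claims (empty means ok)."""
    problems = []
    for name in STRING_CLAIMS:
        value = claims.get(name)
        if not isinstance(value, str) or not value:
            problems.append(f"{name}: expected non-empty string")
    for name in LIST_CLAIMS:
        # Assumption: a user with no values for the attribute gets no claim at all.
        value = claims.get(name, [])
        # A bare string here means the mapper is not emitting a multi-valued claim,
        # and a role check like `"CXO" in claims["org_roles"]` would substring-match.
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            problems.append(f"{name}: expected list of strings")
    return problems


def gate(claims, method):
    """HTTP status to reject the request with, or None to let it through."""
    if validate_tenant_claims(claims):
        return 403  # assumption: malformed tenant context fails closed
    status = claims["tenant_status"]
    if status == "archived":
        return 410  # archived -> 410 always
    if status == "frozen":
        return 402 if method.upper() in WRITE_METHODS else None  # 402 on writes
    if status in ("active", "trial"):
        return None  # assumption: the commit states no restriction for these
    return 403  # assumption: unknown status values fail closed


def claims_for(status, roles=()):
    """Constructed sample payload; every value here is made up for the example."""
    return {"tenant_id": "t-0001", "tenant_slug": "sampleco", "tenant_status": status,
            "plan": "sample-plan", "org_roles": list(roles),
            "products": ["compliance-scanner-agent"]}
```
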