feat(keycloak): add tenant-context client scope + M7.1 test users #41

Open. sharang (Owner) wants to merge 1 commit from feat/m7.1-realm-claims into main.

Summary

Adds the breakpilot platform multi-tenancy claims to the dev realm so M7.x products (starting with compliance-scanner-agent) can authenticate against the local CERTifAI stack end-to-end.

  • New tenant-context client scope, default on all three clients
  • 6 protocol mappers: tenant_id, tenant_slug, tenant_status, plan (strings); org_roles, products (multi-valued)
  • 5 test users covering every tenant_status branch:
    • admin@certifai.local (acme, active, IT_ADMIN + CXO)
    • user@certifai.local (acme, active, USER)
    • trial@acme.local (trialco, trial)
    • frozen@acme.local (frozenco, frozen) -> 402 on writes
    • archived@acme.local (archiveco, archived) -> 410 always
  • directAccessGrantsEnabled: true on certifai-dashboard for scripted local testing

Test plan

  • docker compose up -d keycloak boots cleanly
  • Password grant against each user decodes a token with all 6 claims correctly
  • Compliance-scanner-agent (PR #82) validates each token, gates writes for frozen, blocks archived

Notes

This is the dev realm only — KC_DB: dev-mem, in-memory, recreated on every container start. Production realms are not affected.
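As an added example (not part of this PR or the certifai code base), the script below exercises the test-plan steps offline: it builds constructed, unsigned tokens carrying the six tenant-context claims for the five dev users, decodes the payload the way the "decodes a token" step implies, checks that all six claims are present with the expected shape (the two multi-valued ones as lists), and applies the frozen/archived gating the description gives (402 on writes for frozen, 410 always for archived). The `tenant_id` and `plan` values are placeholders since the PR does not list them, and the function names are this example's own. A real Keycloak access token is signed; the agent verifies that signature against the realm's keys before trusting any claim, which this offline inspection deliberately skips.

```python
import base64
import json
from typing import Optional

# The six claims the tenant-context scope is expected to emit.
REQUIRED_CLAIMS = ("tenant_id", "tenant_slug", "tenant_status", "plan", "org_roles", "products")
MULTI_VALUED = ("org_roles", "products")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed stand-in for a Keycloak access token: same header.payload.signature
    shape, but alg "none" and an empty signature so it can be built offline.
    A real token carries a signature the consumer must verify first."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload of a JWT without checking the signature: this is claim
    inspection for the test plan, not an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_tenant_claims(claims: dict) -> list:
    """List tenant-context claims that are absent or not shaped as expected."""
    problems = [c for c in REQUIRED_CLAIMS if c not in claims]
    problems += [f"{c}:not-a-list" for c in MULTI_VALUED
                 if c in claims and not isinstance(claims[c], list)]
    return problems


def gate(claims: dict, method: str) -> Optional[int]:
    """Apply the tenant_status rules from the PR: archived -> 410 on every request,
    frozen -> 402 on writes only. Returns the HTTP status to reject with, or None
    when the request may proceed. An unrecognised status fails closed."""
    status = claims.get("tenant_status")
    if status == "archived":
        return 410
    if status == "frozen":
        return 402 if method.upper() in WRITE_METHODS else None
    if status in ("active", "trial"):
        return None
    raise ValueError(f"unrecognised tenant_status {status!r}; refusing request")


# Constructed fixtures mirroring the five dev-realm users. tenant_id and plan
# values are placeholders; the PR does not list them.
DEV_USERS = {
    "admin@certifai.local": {"tenant_id": "t-acme", "tenant_slug": "acme", "tenant_status": "active",
                             "plan": "dev", "org_roles": ["IT_ADMIN", "CXO"], "products": ["compliance-scanner-agent"]},
    "user@certifai.local": {"tenant_id": "t-acme", "tenant_slug": "acme", "tenant_status": "active",
                            "plan": "dev", "org_roles": ["USER"], "products": ["compliance-scanner-agent"]},
    "trial@acme.local": {"tenant_id": "t-trialco", "tenant_slug": "trialco", "tenant_status": "trial",
                         "plan": "dev", "org_roles": ["USER"], "products": ["compliance-scanner-agent"]},
    "frozen@acme.local": {"tenant_id": "t-frozenco", "tenant_slug": "frozenco", "tenant_status": "frozen",
                          "plan": "dev", "org_roles": ["USER"], "products": ["compliance-scanner-agent"]},
    "archived@acme.local": {"tenant_id": "t-archiveco", "tenant_slug": "archiveco", "tenant_status": "archived",
                            "plan": "dev", "org_roles": ["USER"], "products": ["compliance-scanner-agent"]},
}


def evaluate_fixtures() -> dict:
    """Round-trip each user through a token, check claim presence, and record the
    gate decision for one read (GET) and one write (POST)."""
    report = {}
    for email, claims in DEV_USERS.items():
        decoded = decode_claims(make_unsigned_token(claims))
        report[email] = {
            "missing": missing_tenant_claims(decoded),
            "GET": gate(decoded, "GET"),
            "POST": gate(decoded, "POST"),
        }
    return report


if __name__ == "__main__":
    for email, result in evaluate_fixtures().items():
        print(f"{email:24} missing={result['missing']} GET={result['GET']} POST={result['POST']}")
```

Pointing `decode_claims` at a token obtained via a real password grant against the dev realm gives the same claim check the test plan describes; the gate function is the part that belongs in the agent's request path, after signature verification.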

sharang added 1 commit 2026-05-20 15:21:19 +00:00
feat(keycloak): add tenant-context client scope + M7.1 test users
bd6d4572e0
Adds the breakpilot platform multi-tenancy claims to the dev realm
so M7.x products (starting with compliance-scanner-agent) can
authenticate against the local CERTifAI stack end-to-end.

New tenant-context client scope, included by default on all three
clients, with six protocol mappers backed by user attributes:

  tenant_id, tenant_slug, tenant_status, plan (strings)
  org_roles, products (multi-valued)

Five test users cover every tenant_status branch:

  admin@certifai.local  (acme, active, IT_ADMIN + CXO)
  user@certifai.local   (acme, active, USER)
  trial@acme.local      (trialco, trial)
  frozen@acme.local     (frozenco, frozen)   -> 402 on writes
  archived@acme.local   (archiveco, archived) -> 410 always

Enables Direct Access Grants on certifai-dashboard so password-grant
requests work for local API testing. This is the dev realm only
(KC_DB: dev-mem); prod realms inherit nothing from this file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Reference: sharang/certifai#41