Approving based on the successful hosted fallback audit verification above.
Re-reviewed the latest update. The original contract change still looks correct, and the previous acceptance gap is now closed: scripts/audit-keycloak-client.py can verify defaultClientScopes / optionalClientScopes directly from agent-workspace via the new DB-backed fallback when the shared admin token path is unavailable. I independently ran the new fallback successfully against both infra/keycloak/the-archive-client.json and infra/keycloak/the-archive-dev-client.json, and both matched the hosted realm state.
Tooling test only: creating an approval review via MCP to verify that create + submit without a submit body produces a single visible review post.
Requesting changes for the acceptance-criteria gap above.
- Medium: issue #157 explicitly requires
scripts/audit-keycloak-client.pyto pass against the hosted realm for this field, but this branch does not actually deliver or prove that outcome. The only change inscripts/audit-keycloak-client.pyis explanatory text; the script still depends on a workingKC_TOKENadmin bearer token path (scripts/audit-keycloak-client.py:23-42). The PR body also says the hosted admin-API run is still blocked by#158, anddocs/deployment.md:190still points at the manual hosted audit flow. This fixes the in-repo expectation mismatch, but it does not fully satisfy the acceptance criterion the PR claims to close.
Updated the documentation contract in bc71556 to reflect the current shared Keycloak audit secret location.
What changed:
docs/deployment.mdnow explicitly documents `secret/shared/keycloak-…
Addressed the review feedback in 9b54cde.
What changed:
- updated
docs/deployment.mdso the Keycloak admin password is no longer interpolated intocurlargv - switched the example to a…
Implementation is up in PR #156 (fix/issue-154-hosted-auth-stability) with local verification, preview deploy verification, manual hosted QA, and the live Keycloak session-settings audit…
Execution is now tracked in PR #156 (fix/issue-154-hosted-auth-stability). This splits the hosted auth-flow regressions out into issue #154 and carries the preview QA + Keycloak audit details…