fix(GRO-2089): correct Authentik customer credential source in §5.25 pre-conditions

The UAT_PLAYBOOK §5.25 (Customer Portal — Better Auth SSO Bridge) pre-condition incorrectly stated that the Authentik customer password comes from seed-uat-passwords:customer-password. That Secret holds the *Better Auth* email+password credential — a different identity store. The actual Authentik uat-customer password lives in authentik-uat-users-credentials:uat_customer_password, provisioned by infra/terraform/users.tf with lifecycle.ignore_changes = [password]. UAT testers were using the Better Auth value at the Authentik OIDC step and getting 401'd, blocking GRO-2026. Verified 2026-06-02: pulling the correct Secret value, signing in via SSO, and POST /api/portal/session-from-auth all succeed (returns 201 with valid portal session). Co-Authored-By: Paperclip <noreply@paperclip.ing>
Merge pull request 'Promote uat → main: GRO-2012 RescheduleFlow portalSessionId fallback' (#40 ) from uat into main
2026-06-02 14:40:01 +00:00 · 2026-06-01 19:10:08 +00:00 · 2026-05-26 02:16:28 +00:00 · 2026-05-24 18:15:24 +00:00
2 changed files with 17 additions and 1 deletions
@@ -0,0 +1,11 @@
+{
+  "mcpServers": {
+    "gitea": {
+      "type": "http",
+      "url": "https://git-mcp.farh.net/mcp",
+      "headers": {
+        "Authorization": "Bearer ${GITEA_TOKEN}"
+      }
+    }
+  }
+}
@@ -354,7 +354,12 @@ These cases cover the `CustomerPortal` initialisation path that bridges an Authe

 **Pre-conditions:**

- UAT is configured with Authentik SSO and the `seed-uat-passwords` Secret in `groombook-uat` provides the seeded customer credentials (`uat-seed-password-source` memory).
+- UAT is configured with Authentik SSO. The seeded customer **Authentik** password lives in the `authentik-uat-users-credentials` Secret in the `groombook-uat` namespace (key `uat_customer_password`) — **NOT** in `seed-uat-passwords:customer-password` (that Secret holds the *Better Auth* email+password credential, a separate identity store; see GRO-2089). Pull the Authentik password at the start of every run:
+  ```bash
+  CUSTOMER_AUTHENTIK=$(kubectl get secret authentik-uat-users-credentials -n groombook-uat \
+    -o jsonpath='{.data.uat_customer_password}' | base64 -d)
+  ```
+  The Authentik user is provisioned by Terraform (`infra/terraform/users.tf`); the `lifecycle.ignore_changes = [password]` block means the password is set on initial creation and never auto-rotated, so the value held in the live Secret is the one Authentik itself has. If Authentik rejects it, the user was re-provisioned out-of-band via the Authentik admin UI and the Secret has drifted from the live identity — fix the Secret (or the admin-set password) and re-run.
 - `POST /api/portal/session-from-auth` from [GRO-1866](https://paperclip.farhoodlabs.com/GRO/issues/GRO-1866) is deployed on UAT.
 - Clear cookies and localStorage between cases unless otherwise noted.
Author	SHA1	Message	Date
Flea Flicker	affb697708	fix(GRO-2089): correct Authentik customer credential source in §5.25 pre-conditions CI / Test (pull_request) Successful in 22s Details CI / Lint & Typecheck (pull_request) Successful in 28s Details CI / Build & Push Docker Image (pull_request) Successful in 15s Details The UAT_PLAYBOOK §5.25 (Customer Portal — Better Auth SSO Bridge) pre-condition incorrectly stated that the Authentik customer password comes from seed-uat-passwords:customer-password. That Secret holds the Better Auth email+password credential — a different identity store. The actual Authentik uat-customer password lives in authentik-uat-users-credentials:uat_customer_password, provisioned by infra/terraform/users.tf with lifecycle.ignore_changes = [password]. UAT testers were using the Better Auth value at the Authentik OIDC step and getting 401'd, blocking GRO-2026. Verified 2026-06-02: pulling the correct Secret value, signing in via SSO, and POST /api/portal/session-from-auth all succeed (returns 201 with valid portal session). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-02 14:40:01 +00:00
Scrubs McBarkley	fdff0977ad	Merge pull request 'Promote uat → main: GRO-2012 RescheduleFlow portalSessionId fallback' (#40 ) from uat into main CI / Test (push) Successful in 23s Details CI / Lint & Typecheck (push) Successful in 29s Details CI / Build & Push Docker Image (push) Successful in 16s Details Promote uat → main: GRO-2012 RescheduleFlow portalSessionId fallback Gate checks: - UAT: GRO-2023 done (CTO verified, `ec29f719`) - Security: GRO-2032 Barkley PASS - UAT_PLAYBOOK.md: TC-WEB-5.26 present Fix: CustomerPortal.tsx:329 sessionId={session?.id ?? portalSessionId} Fix commit: `f29f1828c8` Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-06-01 19:10:08 +00:00
Scrubs McBarkley	2aad7cb6a0	Merge pull request 'promote: uat → main (GRO-1757 SSO auto-provision fix)' (#21 ) from uat into main CI / Test (push) Successful in 13s Details CI / Lint & Typecheck (push) Successful in 21s Details CI / Build & Push Docker Image (push) Successful in 13s Details	2026-05-26 02:16:28 +00:00
Chris Farhood	0c41640f59	Add .mcp.json CI / Test (push) Successful in 20s Details CI / Lint & Typecheck (push) Successful in 27s Details CI / Build & Push Docker Image (push) Successful in 4m1s Details	2026-05-24 18:15:24 +00:00