docs(auth): operator guide for oauth multi-tenant (PR-5)#219
Open
IgorShevchik wants to merge 3 commits into
Open
docs(auth): operator guide for oauth multi-tenant (PR-5)#219IgorShevchik wants to merge 3 commits into
IgorShevchik wants to merge 3 commits into
Conversation
Final rollout step (OAUTH-DESIGN.md §10): document the now-landed OAuth
flow for operators and finalize the env surface.
- .env.example: rewrite the OAuth block from staging language ("staged
across PR-2a..PR-2c", "Enable only AFTER PR-2c merges") to its final
form (the surface is landed and end-to-end live behind the flag). Add an
explicit migration warning that NUXT_MCP_AUTH_TOKEN is bypassed on /mcp
when the flag is on, and finalize the persistent-volume data-loss note.
- docs/DEPLOYMENT.md: add the six OAuth env vars to the environment table,
flag NUXT_MCP_AUTH_TOKEN as bypassed under OAuth, and add an "OAuth 2.0
multi-tenant (opt-in)" section with the migration warning, the
webhook->OAuth upgrade runbook, the single-instance caveat, and the
/api/oauth/_health observability note.
- README.md: soften the service-user note (OAuth is now available, opt-in,
off by default), surface the per-user OAuth option in the path table, and
add a "Multi-tenant OAuth 2.0" subsection under Connecting Claude.
- issue-scaffold.md: align the OAuth intro wording with the finalized
.env.example (Manual-QA scaffold-sync mirror).
Refs #217, OAUTH-DESIGN.md §10 PR-5.
…racy Round-1 /review fixes (5 agents) for the OAuth operator docs. Blockers: - docker-compose.yml/.example.yml: forward NUXT_BITRIX24_OAUTH_ADMIN_TOKEN to the container. The new docs instruct operators to set it, but neither compose file passed it through, so /api/oauth/_health would have stayed 503 NOT-CONFIGURED for non-localhost clients despite a correct .env. - docs/SECURITY.md: the "Out of scope: multi-tenant is not on the roadmap" line was false now that OAuth shipped. Replaced with an in-scope threat- model entry (sha256-hashed token store, immediate revoke, separate admin token, the NUXT_MCP_AUTH_TOKEN-bypass migration hazard); narrowed the out-of-scope item to multi-replica/HA OAuth only. - docs/DEPLOYMENT.md: "five vars below" -> "six" (the table lists six). Accuracy / consistency: - DEPLOYMENT.md + .env.example + issue-scaffold.md: document that once NUXT_BITRIX24_OAUTH_ADMIN_TOKEN is set the Bearer is required even from localhost (verified in _health.get.ts); add error_description to the WWW-Authenticate example (the header carries three fields). - DEPLOYMENT.md upgrade runbook: add a post-flip verification step (scripts/manual-qa-pr2c.sh) and note verify-deployment.sh is NOT OAuth-aware (its configured-Bearer assertion fails by design when the flag is on). - SECURITY.md rotation table: add CLIENT_SECRET and ADMIN_TOKEN rows. - OAUTH-DESIGN.md §10: mark PR-5 as landed (#219). Stale-reference cleanup (OAuth is landed, not "Phase-3"/"PR-2c"/"PR-2b"): - docker-compose*.yml comments, .env.example NUXT_AUDIT_DIR note, DEPLOYMENT.md NUXT_AUDIT_DIR + monitoring rows, SKILL.md, adding-tools.md. - CHANGELOG.md: add the OAuth 2.0 multi-tenant Unreleased entry. Refs #217, OAUTH-DESIGN.md §10 PR-5.
Runnable manual-QA for the operator-docs PR: greps the tree and reports PASS/FAIL for the facts that would break if the docs drifted from the code — ADMIN_TOKEN forwarded in both compose files, all 7 OAuth env vars present in .env.example + DEPLOYMENT.md, the NUXT_MCP_AUTH_TOKEN-bypass warning in all three surfaces, doc anchors resolve, "six vars" count, no stale PR-2c/Phase-3 wording, OAUTH-DESIGN §10 marks PR-5 (#219), CHANGELOG + scaffold-sync mirror. Mirrors the scripts/manual-qa-pr2c.* pattern (Bash + PowerShell). Read-only; ShellCheck job is advisory. Refs #219, OAUTH-DESIGN.md §10 PR-5.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The final step of the OAuth rollout (
OAUTH-DESIGN.md§10, PR-5). The code path landed across #209 → #210 → #213 → #216 → #218; this PR makes it operator-discoverable and finalizes the env surface. No code changes — docs +.env.exampleonly.The headline deliverable is the migration warning: when
NUXT_BITRIX24_OAUTH_ENABLED=true,NUXT_MCP_AUTH_TOKENis bypassed on/mcpand the endpoint accepts only per-user OAuth Bearers. An operator who flips the flag without migrating clients first will 401 every connected client. §10 explicitly required this warning to land in PR-5.What's in the diff
.env.example⚠ NUXT_MCP_AUTH_TOKEN is bypassedmigration warning; finalized the persistent-volume data-loss note (was “PR-5 will warn explicitly” — this is PR-5).docs/DEPLOYMENT.mdNUXT_MCP_AUTH_TOKENflagged‡ BYPASSED under OAuth; new “OAuth 2.0 multi-tenant (opt-in)” section with the migration warning, the webhook→OAuth upgrade runbook, the single-instance caveat, and the/api/oauth/_healthobservability note.README.mdskills/run-manual-qa/references/issue-scaffold.md.env.example(Manual-QA scaffold-sync mirror — required because.env.examplechanged).Migration warning (the load-bearing bit)
This warning now lives in all three operator surfaces:
.env.example,docs/DEPLOYMENT.md, andREADME.md.Test plan
.env.examplechanged →issue-scaffold.mdupdated in the same PR (Manual-QA scaffold-sync gate).#oauth-20-multi-tenant-opt-in,#multi-tenant-oauth-20--per-user-identity-opt-in).bx24_data:/data) verified againstdocker-compose.yml./api/oauth/install,/api/oauth/callback,/api/oauth/_health) and env-var spellings.Refs
OAUTH-DESIGN.md§10 → PR-5 (operator docs), the last rollout step.Changelog framing (no BREAKING CHANGE)
NUXT_MCP_AUTH_TOKEN-bypass migration warning across README / DEPLOYMENT /.env.example.Generated by Claude Code