first commit

compose/.env.example

@@ -0,0 +1,9 @@
+COMPOSE_PROJECT_NAME=pm-keycloak
+KC_DB_PASSWORD=keycloak
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=admin
+
+# Client secrets (keycloak-config-cli)
+DEMO_BACKEND_SECRET=change-me
+DEMO_USER_PASSWORD=change-me
+

compose/.gitignore

@@ -0,0 +1,2 @@
+.env
+postgres_data/

compose/docker-compose.yml

@@ -0,0 +1,53 @@
+services:
+  keycloak:
+    image: quay.io/keycloak/keycloak:26.5.4
+    command: start-dev
+    environment:
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: ${KC_DB_PASSWORD:-keycloak}
+      KC_HOSTNAME_STRICT: "false"
+      KC_HTTP_PORT: 8080
+      KC_HEALTH_ENABLED: "true"
+      KC_BOOTSTRAP_ADMIN_USERNAME: ${KEYCLOAK_ADMIN:-admin}
+      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
+    ports:
+      - "8080:8080"
+    networks:
+      - compose
+    healthcheck:
+      test: ["CMD-SHELL", "exec 3<>/dev/tcp/localhost/9000 && echo -e 'GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n' >&3 && cat <&3 | grep -q 'UP'"]
+      interval: 15s
+      timeout: 10s
+      retries: 10
+      start_period: 30s
+
+  keycloak-config-cli:
+    image: public.ecr.aws/bitnami/keycloak-config-cli:latest
+    platform: linux/amd64
+    environment:
+      KEYCLOAK_URL: http://keycloak:8080
+      KEYCLOAK_USER: ${KEYCLOAK_ADMIN:-admin}
+      KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
+      KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
+      KEYCLOAK_AVAILABILITYCHECK_TIMEOUT: 120s
+      IMPORT_FILES_LOCATIONS: /config/*
+      IMPORT_MANAGED_REALM: full
+      DEMO_BACKEND_SECRET: ${DEMO_BACKEND_SECRET}
+      DEMO_USER_PASSWORD: ${DEMO_USER_PASSWORD}
+      BACKLOG_AGENT_SECRET: ${BACKLOG_AGENT_SECRET}
+      A2A_GATEWAY_SECRET: ${A2A_GATEWAY_SECRET}
+      LLM_GATEWAY_SECRET: ${LLM_GATEWAY_SECRET}
+      TOOLS_GATEWAY_SECRET: ${TOOLS_GATEWAY_SECRET}
+    volumes:
+      - ./keycloak-config:/config:ro
+    networks:
+      - compose
+    depends_on:
+      keycloak:
+        condition: service_healthy
+
+networks:
+  compose:
+    external: true

compose/keycloak-config/demo-realm.yaml

@@ -0,0 +1,99 @@
+realm: demo
+displayName: Demo
+enabled: true
+registrationAllowed: false
+loginWithEmailAllowed: true
+duplicateEmailsAllowed: false
+resetPasswordAllowed: true
+editUsernameAllowed: false
+bruteForceProtected: true
+
+clientScopes:
+  - name: app:read
+    description: Read access to application resources
+    protocol: openid-connect
+  - name: app:write
+    description: Write access to application resources
+    protocol: openid-connect
+
+roles:
+  realm:
+    - name: app-user
+      description: Standard application user
+    - name: app-admin
+      description: Application administrator
+
+clients:
+  - clientId: demo-app
+    name: Demo Application
+    enabled: true
+    protocol: openid-connect
+    publicClient: true
+    standardFlowEnabled: true
+    directAccessGrantsEnabled: true
+    serviceAccountsEnabled: false
+    redirectUris:
+      - "http://localhost:3000/*"
+    webOrigins:
+      - "http://localhost:3000"
+    defaultClientScopes:
+      - web-origins
+      - acr
+      - profile
+      - roles
+      - email
+    optionalClientScopes:
+      - app:read
+      - app:write
+    protocolMappers:
+      - name: demo-backend-audience
+        protocol: openid-connect
+        protocolMapper: oidc-audience-mapper
+        config:
+          included.client.audience: demo-backend
+          access.token.claim: "true"
+
+  - clientId: demo-app-pkce
+    name: Demo Application (PKCE)
+    enabled: true
+    protocol: openid-connect
+    publicClient: true
+    standardFlowEnabled: true
+    directAccessGrantsEnabled: false
+    serviceAccountsEnabled: false
+    attributes:
+      pkce.code.challenge.method: S256
+    redirectUris:
+      - "http://localhost:3000/*"
+    webOrigins:
+      - "http://localhost:3000"
+    defaultClientScopes:
+      - web-origins
+      - acr
+      - profile
+      - roles
+      - email
+
+  - clientId: demo-backend
+    name: Demo Backend
+    enabled: true
+    protocol: openid-connect
+    publicClient: false
+    standardFlowEnabled: false
+    directAccessGrantsEnabled: false
+    serviceAccountsEnabled: true
+    secret: $(env:DEMO_BACKEND_SECRET)
+
+users:
+  - username: demo-user
+    email: demo@example.com
+    firstName: Demo
+    lastName: User
+    enabled: true
+    emailVerified: true
+    credentials:
+      - type: password
+        value: $(env:DEMO_USER_PASSWORD)
+        temporary: false
+    realmRoles:
+      - app-user

compose/keycloak-config/master-realm.yaml

@@ -0,0 +1,3 @@
+# Minimal master realm patch — do not remove critical built-in elements
+realm: master
+displayName: Master