Context
Parent epic #10945 needs actionable deployment-pipeline subissues. The current Memory Core integration suite proves the fast trustProxyIdentity path, but @tobiu explicitly called out that the deployment-pipeline coverage needs to go far beyond heartbeat checks.
Duplicate sweep before filing:
- gh issue list --search "OIDC Memory Core integration" found #10945 only.
- gh issue list --search "real OIDC GitHub auth deployed integration fixture Memory Core" found #10945 only.
- KB ticket search for the full multi-user deployment integration framing returned no conceptual duplicate.
- Adjacent auth/deployment parents remain #9999, #10016, and #10691.
The Problem
The deployed integration tests currently rely on trusted reverse-proxy identity headers. That is useful for a fast local fixture, but it does not prove that an operator-style OIDC/GitHub-account path rejects invalid credentials, accepts valid identity, and propagates the resulting user identity into Memory Core request context.
Without this lane, the team can accidentally ship regressions where proxy-header smoke tests pass but real deployed auth is broken.
The Architectural Reality
Relevant surfaces:
- ai/deploy/docker-compose.test.yml for the Dockerized KB/MC/Chroma/mock-embedding stack.
- test/playwright/playwright.config.integration.mjs for the integration runner.
- test/playwright/integration/fixtures/composeWebServer.mjs for stack lifecycle.
- test/playwright/integration/fixtures/mcpClient.mjs for Streamable HTTP MCP client calls and identity headers.
- learn/agentos/SharedDeployment.md and learn/agentos/DeploymentCookbook.md for deployed auth expectations.
Adjacent parents: #9999, #10016, #10691, #10945.
The Fix
Add a higher-fidelity auth fixture beyond direct trustProxyIdentity header injection. Decide the smallest viable substrate during intake: local OIDC mock, GitHub-token fixture, or explicitly blocked operator-staging fixture if real credentials are required.
The implementation should verify:
- missing/invalid identity is rejected;
- valid auth creates the expected request identity;
- user identity reaches Memory Core write/read context;
- direct client-spoofed identity headers cannot bypass the trusted auth layer.
Contract Ledger Matrix
| Target Surface | Source of Authority | Proposed Behavior | Fallback | Docs | Evidence |
| --- | --- | --- | --- | --- | --- |
| Real-auth integration fixture | #10945, #10016, deployment docs | Exercise deployed auth beyond trustProxyIdentity shortcut | If live OAuth credentials are required, mark blocked/InputRequired with exact operator prerequisite | SharedDeployment + DeploymentCookbook auth sections | Playwright integration spec rejects invalid auth and accepts validated identity |
| Memory Core request identity | Memory Core auth/request context | Authenticated user identity propagates into memory/session operations | Preserve fast header fixture as MVP/local path | MemoryCore auth docs if touched | Cross-user read/write assertion through MCP calls |
Acceptance Criteria
npm run test-integration or documents an explicit blocked operator prerequisite.
Out of Scope
- Replacing the fast trustProxyIdentity fixture entirely.
- Building production IdP infrastructure in repo without maintainer approval.
- Changing privacy/RLS semantics covered by #10010/#10011 except as needed for auth proof.
Related
Parent: #10945
Umbrella: #9999, #10016, #10691
Origin Session ID: c02fbf4e-870c-44c0-ba7e-e9ffacce094b
Retrieval Hint: query_raw_memories(query="real OIDC Memory Core deployment integration trustProxyIdentity")
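
An added sketch (not code from the repository or from this issue) of the trust boundary that the verification list under "The Fix" describes: the auth layer discards client-supplied identity headers and sets identity only from a verified token. The header names, the shared secret and the HMAC-signed token standing in for an OIDC ID token are all assumptions made for illustration.

```javascript
// Added illustration; not the project's code. Header names, secret and token
// format are assumptions (an HMAC-signed stand-in for an OIDC ID token).
const crypto = require("node:crypto");

const SECRET = "constructed-test-secret"; // constructed fixture value
const IDENTITY_HEADERS = ["x-forwarded-user", "x-forwarded-email"]; // hypothetical names

const b64 = (v) => Buffer.from(v).toString("base64url");
const sign = (data, key) => crypto.createHmac("sha256", key).update(data).digest("base64url");

// Test helper: mint a token the way a local mock issuer might.
function mintToken(claims, key = SECRET) {
  const body = `${b64(JSON.stringify({ alg: "HS256" }))}.${b64(JSON.stringify(claims))}`;
  return `${body}.${sign(body, key)}`;
}

// Returns verified claims, or null for malformed, forged or expired tokens.
function verifyToken(token, now = Date.now() / 1000) {
  const parts = String(token || "").split(".");
  if (parts.length !== 3) return null;
  const expected = Buffer.from(sign(`${parts[0]}.${parts[1]}`, SECRET));
  const given = Buffer.from(parts[2]);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
    return typeof claims.sub === "string" && claims.exp > now ? claims : null;
  } catch { return null; }
}

// Trusted auth layer: drop client-supplied identity headers first, then set
// the identity header from the verified token only.
function authLayer(request) {
  const headers = {};
  for (const [k, v] of Object.entries(request.headers || {})) {
    if (!IDENTITY_HEADERS.includes(k.toLowerCase())) headers[k.toLowerCase()] = v;
  }
  const m = /^Bearer (.+)$/.exec(headers.authorization || "");
  const claims = m && verifyToken(m[1]);
  if (!claims) return { status: 401, headers: {} };
  delete headers.authorization; // do not forward the credential downstream
  return { status: 200, headers: { ...headers, "x-forwarded-user": claims.sub } };
}
```
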