auth

docs/REFERENCE.md

@@ -1140,17 +1140,24 @@ persistence:
     enabled: true   # User files, 10Gi
 ```
 
-**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80).
+**Architecture**: Three-container pod — frontend (Next.js :8001), backend (API :8000), Caddy (reverse proxy :80). Auth sidecar injected via Kyverno policy (OIDC mode, port 9001).
 
-**TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer.
+**Ingress**: IngressRoute (not chart's built-in Ingress) targeting sidecar port 9001 directly. Chart's `ingress.enabled: false`. Separate cert-manager Certificate resource for TLS.
+
+**Why IngressRoute**: Chart hardcodes Service `targetPort: http` → Caddy port 80. Cannot override via values. IngressRoute bypasses Service, routes directly to sidecar pod port.
+
+**TLS**: cert-manager Certificate resource with `letsencrypt-prod` ClusterIssuer.
 
 **Storage**: SQLite database (1Gi PVC) + uploads (10Gi PVC), both ReadWriteOnce — single replica only.
 
+**SSO**: Keycloak OIDC via `forte` realm (client ID: `chibisafe`). Self-service client config Secret (`keycloak-client-chibisafe`) triggers registrar to create KC client and sync credentials to `chibisafe-oidc-credentials`.
+
 **Endpoints**:
 - Web UI: `https://chibisafe.forteapps.net`
 
 **Secrets**:
 - `chibisafe-tls` — auto-managed by cert-manager
+- `chibisafe-oidc-credentials` (registrar-managed) — OIDC client ID + secret
 
 ### AI Code Review (ai-review)