chore(deploy): wire OIDC runtime configuration

docs/DEPLOYMENT.md

@@ -94,117 +94,82 @@ chown -R innercontext:innercontext /opt/innercontext
 cat > /opt/innercontext/shared/backend/.env <<'EOF'
 DATABASE_URL=postgresql+psycopg://innercontext:change-me@<pg-ip>/innercontext
 GEMINI_API_KEY=your-key
+
+# OIDC Configuration
+OIDC_ISSUER=https://auth.example.com
+OIDC_CLIENT_ID=innercontext-backend
+OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration
+OIDC_ADMIN_GROUPS=admins
+OIDC_MEMBER_GROUPS=members
+
+# Bootstrap Admin (Optional, used for initial setup)
+# BOOTSTRAP_ADMIN_OIDC_ISSUER=https://auth.example.com
+# BOOTSTRAP_ADMIN_OIDC_SUB=user-sub-from-authelia
+# BOOTSTRAP_ADMIN_EMAIL=admin@example.com
+# BOOTSTRAP_ADMIN_NAME="Admin User"
+# BOOTSTRAP_HOUSEHOLD_NAME="My Household"
 EOF
 
 cat > /opt/innercontext/shared/frontend/.env.production <<'EOF'
 PUBLIC_API_BASE=http://127.0.0.1:8000
 ORIGIN=http://innercontext.lan
+
+# Session and OIDC
+SESSION_SECRET=generate-a-long-random-string
+OIDC_ISSUER=https://auth.example.com
+OIDC_CLIENT_ID=innercontext-frontend
+OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration
 EOF
-
-chmod 600 /opt/innercontext/shared/backend/.env
-chmod 600 /opt/innercontext/shared/frontend/.env.production
-chown innercontext:innercontext /opt/innercontext/shared/backend/.env
-chown innercontext:innercontext /opt/innercontext/shared/frontend/.env.production
 ```
 
-### 4) Grant deploy sudo permissions
+## OIDC Setup (Authelia)
 
-```bash
-cat > /etc/sudoers.d/innercontext-deploy << 'EOF'
-innercontext ALL=(root) NOPASSWD: \
-    /usr/bin/systemctl restart innercontext, \
-    /usr/bin/systemctl restart innercontext-node, \
-    /usr/bin/systemctl restart innercontext-pricing-worker, \
-    /usr/bin/systemctl is-active innercontext, \
-    /usr/bin/systemctl is-active innercontext-node, \
-    /usr/bin/systemctl is-active innercontext-pricing-worker
-EOF
+This project uses OIDC for authentication. You need an OIDC provider like Authelia.
 
-chmod 440 /etc/sudoers.d/innercontext-deploy
-visudo -c -f /etc/sudoers.d/innercontext-deploy
+### Authelia Client Configuration
 
-# Must work without password or TTY prompt:
-sudo -u innercontext sudo -n -l
+Add the following to your Authelia `configuration.yml`:
+
+```yaml
+identity_providers:
+  oidc:
+    clients:
+      - id: innercontext-frontend
+        description: InnerContext Frontend
+        secret: '$pbkdf2-sha512$...' # Not used for public client, but Authelia may require it
+        public: true
+        authorization_policy: one_factor
+        redirect_uris:
+          - http://innercontext.lan/auth/callback
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signed_response_alg: none
+
+      - id: innercontext-backend
+        description: InnerContext Backend
+        secret: '$pbkdf2-sha512$...'
+        public: false
+        authorization_policy: one_factor
+        redirect_uris: []
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signed_response_alg: none
 ```
 
-If `sudo -n -l` fails, deployments will fail during restart/rollback with:
-`sudo: a terminal is required` or `sudo: a password is required`.
+### Bootstrap Admin
 
-### 5) Install systemd and nginx configs
-
-After first deploy (or after copying repo content to `/opt/innercontext/current`), install configs:
-
-```bash
-cp /opt/innercontext/current/systemd/innercontext.service /etc/systemd/system/
-cp /opt/innercontext/current/systemd/innercontext-node.service /etc/systemd/system/
-cp /opt/innercontext/current/systemd/innercontext-pricing-worker.service /etc/systemd/system/
-systemctl daemon-reload
-systemctl enable innercontext
-systemctl enable innercontext-node
-systemctl enable innercontext-pricing-worker
-
-cp /opt/innercontext/current/nginx/innercontext.conf /etc/nginx/sites-available/innercontext
-ln -sf /etc/nginx/sites-available/innercontext /etc/nginx/sites-enabled/innercontext
-rm -f /etc/nginx/sites-enabled/default
-nginx -t && systemctl reload nginx
-```
-
-## Local Machine Setup
-
-`~/.ssh/config`:
-
-```
-Host innercontext
-    HostName <lxc-ip>
-    User innercontext
-```
-
-Ensure your public key is in `/home/innercontext/.ssh/authorized_keys`.
-
-## Deploy Commands
-
-From repository root on external machine:
-
-```bash
-./deploy.sh              # full deploy (default = all)
-./deploy.sh all
-./deploy.sh backend
-./deploy.sh frontend
-./deploy.sh list
-./deploy.sh rollback
-```
-
-Optional overrides:
-
-```bash
-DEPLOY_SERVER=innercontext ./deploy.sh all
-DEPLOY_ROOT=/opt/innercontext ./deploy.sh backend
-DEPLOY_ALLOW_DIRTY=1 ./deploy.sh frontend
-```
-
-## What `deploy.sh` Does
-
-For `backend` / `frontend` / `all`:
-
-1. Local checks (strict, fail-fast)
-2. Acquire `/opt/innercontext/.deploy.lock`
-3. Create `<timestamp>` release directory
-4. Upload selected component(s)
-5. Link shared env files in the release directory
-6. `uv sync` + `alembic upgrade head` (backend scope)
-7. Upload `scripts/`, `systemd/`, `nginx/`
-8. Switch `current` to the prepared release
-9. Restart affected services
-10. Run health checks
-11. Remove old releases (keep last 5)
-12. Write deploy entry to `/opt/innercontext/deploy.log`
-
-If anything fails after promotion, script auto-rolls back to previous release.
+To create the first user and household, set the `BOOTSTRAP_ADMIN_*` environment variables in the backend `.env` file and restart the backend. The backend will automatically create the user and household on startup if they don't exist. After the first successful login, you can remove these variables.
 
 ## Health Checks
 
-- Backend: `http://127.0.0.1:8000/health-check`
-- Frontend: `http://127.0.0.1:3000/`
+- Backend: `http://127.0.0.1:8000/health-check` (returns 200)
+- Frontend: `http://127.0.0.1:3000/` (returns 200 or 302 redirect to login)
 - Worker: `systemctl is-active innercontext-pricing-worker`
 
 Manual checks: