You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Category: chore Summary: Mark the Keycloak-lookup RPC and its keycloak_id proto fields as deprecated. Phase 1 of a 2-phase decom — this phase ships the deprecation surface only; actual removal is tracked in #100.
Current behavior: MilpacService.GetUserViaKeycloakId (/api/v1/milpac/keycloak/{keycloak_id}) still ships. The Keycloak auth path was removed in PR #45 and the last known consumer of the lookup path stopped using it in cavbot2 PR #83 on 2026-05-15, but the RPC, the underlying datastore method, and the keycloak_id field on every profile message are all still generated and still served. The OpenAPI spec carries no deprecation indication, so any latent consumer has no signal that the surface is going away.
Desired behavior:
After this change ships:
The GetUserViaKeycloakId RPC carries the proto-level deprecation option.
The keycloak_id field on Profile and the equivalent field on every other profile message that exposes it carry the field-level deprecation annotation.
Regenerated *.pb.go / *.pb.gw.go reflect the deprecation, with no runtime behavior change — endpoint still works.
Regenerated openapi/assets/*.swagger.json shows "deprecated": true on the /api/v1/milpac/keycloak/{keycloak_id} operation and on the keycloak_id schema property, so consumers see the deprecation in the docs UI.
buf lint and buf breaking --against develop both pass — adding a deprecation marker is not a breaking change.
go build ./... and the existing test suite pass unchanged.
Key interfaces:
proto/milpacs.proto — the GetUserViaKeycloakId rpc and every keycloak_id field across the profile messages.
Regenerated proto/*.pb.go, proto/*.pb.gw.go, and openapi/assets/milpacs.swagger.json must be committed alongside the proto change (per CLAUDE.md "Manual review gates": proto touches require committing regenerated artifacts).
tickets.proto is not affected — keycloak fields are milpacs-only.
Acceptance criteria:
proto/milpacs.proto: GetUserViaKeycloakId is marked with option deprecated = true;.
proto/milpacs.proto: every keycloak_id field is marked deprecated via the field-level annotation.
make generate succeeds; regenerated artifacts are committed.
make lint (buf lint + buf breaking against develop) passes.
go build ./... succeeds.
Existing tests for the RPC (TestGetUserViaKeycloakId_* in servers/grpc/milpacs_test.go) still pass — endpoint behavior is unchanged.
openapi/assets/milpacs.swagger.json shows "deprecated": true on the operation and on the keycloak_id schema property.
Adding a Deprecation HTTP response header at runtime (could be a separate enhancement if wanted later).
Why split
Phase 1 ships now — small, no decisions, no dependencies. Phase 2 (#100) is blocked on Phase 1 shipping in a release, one release cycle elapsing, and #92 analytics confirming zero traffic on the endpoint.
Agent Brief
Category: chore
Summary: Mark the Keycloak-lookup RPC and its
keycloak_idproto fields as deprecated. Phase 1 of a 2-phase decom — this phase ships the deprecation surface only; actual removal is tracked in #100.Current behavior:
MilpacService.GetUserViaKeycloakId(/api/v1/milpac/keycloak/{keycloak_id}) still ships. The Keycloak auth path was removed in PR #45 and the last known consumer of the lookup path stopped using it in cavbot2 PR #83 on 2026-05-15, but the RPC, the underlying datastore method, and thekeycloak_idfield on every profile message are all still generated and still served. The OpenAPI spec carries no deprecation indication, so any latent consumer has no signal that the surface is going away.Desired behavior:
After this change ships:
GetUserViaKeycloakIdRPC carries the proto-level deprecation option.keycloak_idfield onProfileand the equivalent field on every other profile message that exposes it carry the field-level deprecation annotation.*.pb.go/*.pb.gw.goreflect the deprecation, with no runtime behavior change — endpoint still works.openapi/assets/*.swagger.jsonshows"deprecated": trueon the/api/v1/milpac/keycloak/{keycloak_id}operation and on thekeycloak_idschema property, so consumers see the deprecation in the docs UI.buf lintandbuf breaking --against developboth pass — adding a deprecation marker is not a breaking change.go build ./...and the existing test suite pass unchanged.Key interfaces:
proto/milpacs.proto— theGetUserViaKeycloakIdrpc and everykeycloak_idfield across the profile messages.proto/*.pb.go,proto/*.pb.gw.go, andopenapi/assets/milpacs.swagger.jsonmust be committed alongside the proto change (per CLAUDE.md "Manual review gates": proto touches require committing regenerated artifacts).tickets.protois not affected — keycloak fields are milpacs-only.Acceptance criteria:
proto/milpacs.proto:GetUserViaKeycloakIdis marked withoption deprecated = true;.proto/milpacs.proto: everykeycloak_idfield is marked deprecated via the field-level annotation.make generatesucceeds; regenerated artifacts are committed.make lint(buf lint + buf breaking against develop) passes.go build ./...succeeds.TestGetUserViaKeycloakId_*inservers/grpc/milpacs_test.go) still pass — endpoint behavior is unchanged.openapi/assets/milpacs.swagger.jsonshows"deprecated": trueon the operation and on thekeycloak_idschema property.Out of scope:
tickets.proto.DeprecationHTTP response header at runtime (could be a separate enhancement if wanted later).Why split
Phase 1 ships now — small, no decisions, no dependencies. Phase 2 (#100) is blocked on Phase 1 shipping in a release, one release cycle elapsing, and #92 analytics confirming zero traffic on the endpoint.