
feat: add Lifecycle MCP Keycloak config#54

Draft
vigneshrajsb wants to merge 4 commits into main from init-mcp-keycloak-chart

Conversation

@vigneshrajsb
Contributor

Summary

  • add disabled-by-default lifecycleMcp client values for public PKCE OAuth
  • add lifecycle-mcp client scope rendering with resource audience and github_username mappers
  • add optional anonymous client registration policy rendering for MCP Dynamic Client Registration
  • document the new MCP values and bump lifecycle-keycloak chart to 0.7.4

Test Plan

  • helm lint charts/lifecycle-keycloak
  • helm template lifecycle-keycloak charts/lifecycle-keycloak --namespace lifecycle-app --api-versions k8s.keycloak.org/v2alpha1
  • helm template lifecycle-keycloak charts/lifecycle-keycloak --namespace lifecycle-app --api-versions k8s.keycloak.org/v2alpha1 --show-only templates/lifecycle-realm-kri.yaml --set clients.lifecycleMcp.enabled=true --set clients.lifecycleMcp.resourceUrl=https://app.example.com/mcp --set clientRegistrationPolicies.anonymous.enabled=true
  • ruby YAML parse of rendered lifecycle-realm-kri.yaml

@vigneshrajsb
Contributor Author

Added a visual HTML explainer for the existing Lifecycle Keycloak setup and the MCP additions: docs/lifecycle-keycloak-mcp-auth.html

@vigneshrajsb vigneshrajsb force-pushed the init-mcp-keycloak-chart branch from c8d6d79 to 1776041 on May 19, 2026 01:33
@vigneshrajsb
Contributor Author

Published an OCI alpha chart from this PR branch for testing:

helm pull oci://ghcr.io/goodrxoss/helm-charts/lifecycle-keycloak --version 0.7.4-alpha.0

Digest: sha256:596deb88c717b9e4e24866c042fa73e152e0cf8a154199fae614efe2d7795b86

I also verified helm show chart and rendered templates/lifecycle-realm-kri.yaml from the pulled package with MCP values enabled.

@vigneshrajsb
Contributor Author

Published umbrella alpha chart for PR-branch testing:

helm pull oci://ghcr.io/goodrxoss/helm-charts/lifecycle --version 0.9.8-alpha.0

Digest: sha256:c7c9f4de2dd4dad928005f451eae8a60bbc75f937b50f0ce1c75a1c12ced4b4e

This umbrella alpha depends on lifecycle-keycloak:0.7.4-alpha.0 from GHCR. I verified the pulled artifact renders the MCP Keycloak additions (lifecycle-mcp, resource audience, github_username mapper, and DCR trusted-host policy). No repo files were changed for this alpha publish; the alpha versions were applied only in a temp packaging workspace.

@vigneshrajsb
Contributor Author

Pushed review fixes in 717bc35 and refreshed the alpha charts for testing:

helm pull oci://ghcr.io/goodrxoss/helm-charts/lifecycle-keycloak --version 0.8.0-alpha.0
helm pull oci://ghcr.io/goodrxoss/helm-charts/lifecycle --version 0.9.8-alpha.1

Digests:

  • lifecycle-keycloak:0.8.0-alpha.0 -> sha256:a0b48f3e85538888f0972d82adfb693a7d83964358c57987706fa059ed723dcb
  • lifecycle:0.9.8-alpha.1 -> sha256:a3429c81278193f25d86a76be90cd3475790e060e9ae8183d2d3dc0faa085983

The new alpha includes the loopback redirect wildcard defaults, hostSendingRegistrationRequestMustMatch=false, public-client-only DCR, no caller-supplied protocol mappers by default, maxClients=1000, required resourceUrl when MCP is enabled, and the open-items doc note for the realm-default scope question. I verified both pulled artifacts render successfully with the MCP values enabled.

@vigneshrajsb
Contributor Author

Added the clientScopes.lifecycleMcp.realmDefault fix in dfcf952.

What changed:

  • clientScopes.lifecycleMcp.realmDefault defaults to true.
  • When the MCP client or scope is enabled, the realm now renders:
defaultDefaultClientScopes:
  - lifecycle-mcp

That makes DCR-created clients inherit the MCP audience mapper and github_username mapper without relying on every MCP harness to request scope=lifecycle-mcp correctly. The docs now call out the blast-radius check for unrelated clients in the realm, and the empty allowed-protocol-mappers policy now renders as allowed-protocol-mappers: [].

Refreshed test alpha charts:

helm pull oci://ghcr.io/goodrxoss/helm-charts/lifecycle-keycloak --version 0.8.0-alpha.1
helm pull oci://ghcr.io/goodrxoss/helm-charts/lifecycle --version 0.9.8-alpha.2

Digests:

  • lifecycle-keycloak:0.8.0-alpha.1 -> sha256:b2550712fe8668a231c129b89c9c4d73e64cf44f5d060428d257a3b8ba0b1efb
  • lifecycle:0.9.8-alpha.2 -> sha256:08fd4b9ab8a9169cbd477db0b0d38e95976d14be1280b06c52f9cd2c8b4057ad

Verified the pulled alpha artifacts render successfully with MCP enabled and include defaultDefaultClientScopes.
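As an added example that is not part of this PR or the chart, the following Ruby script is one way to turn the test plan's "ruby YAML parse of rendered lifecycle-realm-kri.yaml" step into a posture check over the rendered realm: public PKCE client, audience mapper bound to the configured resourceUrl, github_username mapper, lifecycle-mcp as a realm default scope, and an anonymous DCR policy set with trusted hosts, no caller-supplied protocol mappers and a max-clients limit. The embedded KeycloakRealmImport is a constructed sample; its key layout follows Keycloak's realm-representation format and is an assumption about what the chart emits, so the lookups would need adjusting to the chart's real output.

```ruby
require 'yaml'

# Constructed sample of a rendered lifecycle-realm-kri.yaml with the MCP values enabled.
# The realm body follows Keycloak's realm-representation layout; the exact keys the
# chart renders are assumed here, not copied from it.
SAMPLE_KRI = <<~YAML
  apiVersion: k8s.keycloak.org/v2alpha1
  kind: KeycloakRealmImport
  spec:
    realm:
      realm: lifecycle
      defaultDefaultClientScopes:
        - lifecycle-mcp
      clients:
        - clientId: lifecycle-mcp
          publicClient: true
          directAccessGrantsEnabled: false
          redirectUris:
            - "http://127.0.0.1/*"
            - "http://localhost/*"
          attributes:
            pkce.code.challenge.method: S256
      clientScopes:
        - name: lifecycle-mcp
          protocolMappers:
            - name: lifecycle-mcp-audience
              protocolMapper: oidc-audience-mapper
              config:
                included.custom.audience: "https://app.example.com/mcp"
            - name: github_username
              protocolMapper: oidc-usermodel-attribute-mapper
              config:
                claim.name: github_username
      components:
        org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy:
          - providerId: trusted-hosts
            subType: anonymous
            config:
              trusted-hosts: ["app.example.com"]
              host-sending-registration-request-must-match: ["false"]
              client-uris-must-match: ["true"]
          - providerId: allowed-protocol-mappers
            subType: anonymous
            config:
              allowed-protocol-mapper-types: []
          - providerId: max-clients
            subType: anonymous
            config:
              max-clients: ["1000"]
YAML

POLICY_KEY = 'org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy'

# Returns a list of findings; empty means the rendered realm matches the expected MCP posture.
def mcp_realm_findings(kri_yaml, resource_url:)
  realm = YAML.safe_load(kri_yaml).dig('spec', 'realm') || {}
  findings = []

  client = Array(realm['clients']).find { |c| c['clientId'] == 'lifecycle-mcp' }
  if client.nil?
    findings << 'lifecycle-mcp client is missing'
  else
    findings << 'lifecycle-mcp must be a public client' unless client['publicClient'] == true
    findings << 'lifecycle-mcp must enforce PKCE S256' unless client.dig('attributes', 'pkce.code.challenge.method') == 'S256'
    findings << 'lifecycle-mcp must not enable direct access grants' if client['directAccessGrantsEnabled']
    # Loopback http is acceptable for a public PKCE client; anything else must be https.
    bad = Array(client['redirectUris']).reject { |u| u.start_with?('http://127.0.0.1', 'http://localhost', 'https://') }
    findings << "plaintext non-loopback redirect URIs: #{bad.join(', ')}" unless bad.empty?
  end

  scope = Array(realm['clientScopes']).find { |s| s['name'] == 'lifecycle-mcp' }
  mappers = scope ? Array(scope['protocolMappers']) : []
  aud = mappers.find { |m| m['protocolMapper'] == 'oidc-audience-mapper' }
  findings << "audience mapper must target #{resource_url}" unless aud && aud.dig('config', 'included.custom.audience') == resource_url
  findings << 'github_username mapper is missing' unless mappers.any? { |m| m.dig('config', 'claim.name') == 'github_username' }
  findings << 'lifecycle-mcp is not a realm default scope' unless Array(realm['defaultDefaultClientScopes']).include?('lifecycle-mcp')

  # Only the anonymous (DCR) policy set matters here; index it by provider id.
  policies = Array(realm.dig('components', POLICY_KEY)).select { |p| p['subType'] == 'anonymous' }
  by_id = policies.to_h { |p| [p['providerId'], p['config'] || {}] }
  findings << 'anonymous DCR has no trusted-hosts policy' if Array(by_id.dig('trusted-hosts', 'trusted-hosts')).empty?
  findings << 'anonymous DCR must not accept caller-supplied protocol mappers' unless by_id.key?('allowed-protocol-mappers') && Array(by_id['allowed-protocol-mappers']['allowed-protocol-mapper-types']).empty?
  findings << 'anonymous DCR has no max-clients limit' unless Array(by_id.dig('max-clients', 'max-clients')).first.to_s.match?(/\A\d+\z/)
  findings
end

if __FILE__ == $PROGRAM_NAME
  findings = mcp_realm_findings(SAMPLE_KRI, resource_url: 'https://app.example.com/mcp')
  puts(findings.empty? ? 'OK: rendered realm matches the expected MCP posture' : findings)
end
```

Run it against the real output of the helm template command from the test plan by replacing SAMPLE_KRI with the rendered file's contents; the resourceUrl passed in should be the same value given to --set clients.lifecycleMcp.resourceUrl, so that a mismatch between the audience mapper and the MCP resource is caught before the realm is imported.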
