next build.
For faster local iteration on only the enterprise route/provider contract:
Required On-Prem Shape
Use OIDC auth, S3-compatible storage, and the OpenAI gateway for the current on-prem provider path. For Keycloak-compatible deployments, use the realm issuer URL asOIDC_ISSUER_URL.
config/onprem-s3-oidc-openai.example.json. Keep secrets in the runtime secret manager; use JSON config for non-secret provider shape.
The OIDC provider adapter verifies RS256 bearer/access tokens using the issuer discovery document and JWKS endpoint. Browser sign-in and callback routing remain deployment-specific; verify that flow against the selected IdP before customer handoff.
Disabled State Expectations
When a capability is disabled, the UI must hide or disable the feature and the server route must returncapability_disabled with HTTP 403.
Manual UI Gate
Manual QA is required for enterprise handoff because these checks cover customer-visible integration states that are not fully represented by route tests. SaaS staging:- App shell renders with no config error.
- Sign-in works with WorkOS staging credentials.
- Chat send and conversation list work.
- File content URLs and output content URLs load.
- Automation callback path still works when automations are enabled.
- Settings/system shows redacted WorkOS, Stripe test, R2, OpenRouter, Convex, and capability state.
- App shell renders with the minimal config.
- Billing, SSO, webhooks, API key management, vector search, and automation entries are hidden or show the documented disabled state.
- Primary chat and file surfaces either work with configured providers or show a precise documented disabled state.
- Basic file listing remains available even when vector search is disabled.
- Config view shows OIDC, S3-compatible storage, OpenAI gateway, and disabled billing in redacted form.
- No secrets, access keys, session secrets, API keys, webhook secrets, or internal service tokens appear in the browser.
- Chat uses the configured OpenAI default model/allowlist.
- File upload/content paths use the S3-compatible provider or show a clear disabled state if storage credentials are absent.
- Hidden billing, integration, SSO, webhook, and API key entries remain hidden.
- Navigation does not leave broken gaps, empty dividers, or unreachable routes.
- Disabled-state text fits without overlapping controls.
Release Sign-Off
Record thenpm run check:phase6 result and the manual UI gate result in the release notes for any enterprise/on-prem distribution.