
feat(auth): add PRD for native Okta authentication identity #1924

Merged
RoseSecurity merged 9 commits into main from create-atmos-auth-identity-for-okta
Jan 4, 2026


@RoseSecurity RoseSecurity commented Dec 30, 2025

what

Note

This is my first PRD, so any feedback is appreciated!

Add PRD for native Okta authentication as a first-class identity provider in Atmos. Unlike the existing SAML-based integration, this introduces dedicated okta/* providers enabling:

  • OAuth 2.0 Device Authorization Grant for CLI authentication
  • Direct Okta API access with automatic token refresh
  • AWS/Azure/GCP federation via OIDC (AssumeRoleWithWebIdentity)
  • XDG-compliant credential storage (~/.config/atmos/okta/)

why

  • Provides implementation reference following established auth patterns (AWS, Azure PRDs)
  • Addresses user requests for native Okta support without browser-based SAML

Test plan

  • PRD follows universal file isolation pattern
  • Code samples reviewed for Atmos conventions
  • Implementation checklist is complete and actionable

references

Summary by CodeRabbit

  • Documentation
    • Added a comprehensive Okta PRD defining goals, use cases (AWS OIDC federation, API access, multi-cloud), technical specification, token/file isolation and storage guidance, phased implementation roadmap, testing and security considerations, example policies, and an implementation checklist.
  • Chores
    • Added a roadmap milestone for Native Okta Authentication (Device Code Flow).


Add detailed product requirements document for implementing native Okta
authentication as a first-class identity provider in Atmos. This PRD
covers device code flow, token management, file isolation, environment
variable strategy, AWS OIDC federation, and Terraform provider support.
Includes implementation plan, technical specification, testing strategy,
and documentation updates.

Refactor the Okta authentication PRD to replace verbose code samples
with concise function/type signatures and implementation notes. This
improves readability and focuses on architectural intent rather than
full code listings. Updates status indicators and clarifies AWS OIDC
integration. No functional changes to implementation plans.
@RoseSecurity RoseSecurity requested a review from a team as a code owner December 30, 2025 19:07
@github-actions github-actions bot added the size/l Large size PR label Dec 30, 2025

github-actions bot commented Dec 30, 2025

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

None


codecov bot commented Dec 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.96%. Comparing base (def7a4b) to head (b5acac3).
⚠️ Report is 1 commits behind head on main.


@@           Coverage Diff           @@
##             main    #1924   +/-   ##
=======================================
  Coverage   73.95%   73.96%           
=======================================
  Files         760      760           
  Lines       68654    68654           
=======================================
+ Hits        50775    50779    +4     
+ Misses      14458    14453    -5     
- Partials     3421     3422    +1     
Flag Coverage Δ
unittests 73.96% <ø> (+<0.01%) ⬆️

see 3 files with indirect coverage changes



coderabbitai bot commented Dec 30, 2025

Walkthrough

Adds a Product Requirements Document for native Okta identity integration and updates the public roadmap with a new milestone for Okta Device Code Flow authentication and multi-cloud federation (AWS/Azure/GCP).

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| Okta Authentication PRD (docs/prd/okta-auth-identity.md) | Adds a comprehensive PRD specifying native Okta as a first-class identity provider: goals, problem statement, desired state, use cases (AWS OIDC federation, Okta API access, multi-cloud hub), token management, XDG file isolation patterns, env var mappings, file layout, provider/identity types, phased implementation plan, testing strategy, security considerations, error definitions, AWS trust examples, and deliverables/checklist. |
| Roadmap update (website/src/data/roadmap.js) | Appends a new milestone "Native Okta Authentication (Device Code Flow)" under Unified Authentication/DX for Q1-2026, referencing the okta-auth-identity PRD and describing device-code grant, multi-cloud federation, and direct Okta API access intent. |

Sequence Diagram(s)

(omitted — documentation and roadmap updates only; no runtime control-flow changes introduced)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • aknysh
  • milldr

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: adding a PRD document for native Okta authentication, which aligns with the primary changeset additions to the documentation and roadmap. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 61bd652 and b5acac3.

📒 Files selected for processing (1)
  • website/src/data/roadmap.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • website/src/data/roadmap.js
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Acceptance Tests (windows)
  • GitHub Check: Acceptance Tests (macos)
  • GitHub Check: Summary



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
docs/prd/okta-auth-identity.md (2)

35-42: Minor: Add closing punctuation to list items.

The bulleted list items under "Limitations" should end with periods for consistency. Example: "SAML-only: Only supports SAML assertions for AWS, not OAuth/OIDC tokens." (Note: This is optional per the learnings; LanguageTool flagged similar punctuation issues that can be deferred to documentation cleanup.)


419-573: Defer markdownlint hard-tab issues (MD010) to separate cleanup PR.

Lines 419–573 contain hard tabs in Go code blocks, triggering ~40 MD010 violations. Per established learnings (osterman, PR 1686), these formatting issues should be addressed in a dedicated documentation cleanup commit and should not block this PR. You can address them separately or defer to a follow-up.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 934d09f and a1fec9a.

📒 Files selected for processing (1)
  • docs/prd/okta-auth-identity.md
🧰 Additional context used
📓 Path-based instructions (1)
docs/prd/**

📄 CodeRabbit inference engine (CLAUDE.md)

All Product Requirement Documents (PRDs) MUST be placed in docs/prd/ with kebab-case filenames

Files:

  • docs/prd/okta-auth-identity.md
🧠 Learnings (5)
📓 Common learnings
Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: docs/prd/tool-dependencies-integration.md:58-64
Timestamp: 2025-12-13T06:07:37.766Z
Learning: cloudposse/atmos: For PRD docs (docs/prd/*.md), markdownlint issues like MD040/MD010/MD034 can be handled in a separate documentation cleanup commit and should not block the current PR.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.
📚 Learning: 2025-01-25T03:51:57.689Z
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.

Applied to files:

  • docs/prd/okta-auth-identity.md
📚 Learning: 2025-12-13T06:07:34.794Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: docs/prd/tool-dependencies-integration.md:58-64
Timestamp: 2025-12-13T06:07:34.794Z
Learning: For docs in the cloudposse/atmos repository under docs/prd/, markdownlint issues MD040, MD010, and MD034 should be deferred to a separate documentation cleanup commit and must not block the current PR. If needed, address these issues in a follow-up PR dedicated to documentation improvements.

Applied to files:

  • docs/prd/okta-auth-identity.md
📚 Learning: 2025-11-10T20:03:56.875Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1775
File: pkg/auth/providers/aws/sso_provisioning.go:40-79
Timestamp: 2025-11-10T20:03:56.875Z
Learning: In the Atmos AWS SSO provider (pkg/auth/providers/aws/sso_provisioning.go), the OAuth access token from the AWS SSO device flow is intentionally stored in the `AccessKeyID` field of `AWSCredentials` during authentication. This token is then extracted and used for ListAccounts and ListAccountRoles API calls during identity provisioning. This design reuses the existing `AWSCredentials` type for token transport rather than creating a separate credential type.

Applied to files:

  • docs/prd/okta-auth-identity.md
📚 Learning: 2025-09-08T01:25:44.958Z
Learnt from: osterman
Repo: cloudposse/atmos PR: 1466
File: website/docs/cli/commands/toolchain/usage.mdx:117-121
Timestamp: 2025-09-08T01:25:44.958Z
Learning: Final XDG Base Directory Specification implementation for atmos toolchain is complete and verified: toolchain/xdg_cache.go provides GetXDGCacheDir() and GetXDGTempCacheDir() functions, all hardcoded ~/.cache/tools-cache paths have been replaced with XDG-compliant paths using ${XDG_CACHE_HOME}/atmos-toolchain (or ~/.cache/atmos-toolchain fallback), and tests have been updated to expect the new path structure.

Applied to files:

  • docs/prd/okta-auth-identity.md
🪛 Gitleaks (8.30.0)
docs/prd/okta-auth-identity.md

[high] 358-358: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 364-364: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 LanguageTool
docs/prd/okta-auth-identity.md

[grammar] ~41-~41: Please add a punctuation mark at the end of paragraph.
Context: ...t use modern OAuth Device Authorization Grant ### Desired State Organizations want ...

(PUNCTUATION_PARAGRAPH_END)


[typographical] ~60-~60: To join two clauses or introduce examples, consider using an em dash.
Context: ...ern](./auth-file-isolation-pattern.md)** - REQUIRED READING - Defines canoni...

(DASH_RULE)


[typographical] ~66-~66: To join two clauses or introduce examples, consider using an em dash.
Context: ...olation](./aws-auth-file-isolation.md)** - Reference Implementation - Shows ...

(DASH_RULE)


[typographical] ~71-~71: To join two clauses or introduce examples, consider using an em dash.
Context: ...ation](./azure-auth-file-isolation.md)** - Parallel Implementation - Shows A...

(DASH_RULE)


[grammar] ~101-~101: Please add a punctuation mark at the end of paragraph.
Context: ...thentication flow similar to az login or aws sso login ## Use Cases ### Use ...

(PUNCTUATION_PARAGRAPH_END)


[style] ~228-~228: Consider using the typographical ellipsis character here instead.
Context: ...oud/okta/env.go| | **Auth Context** |AWSAuthContext{...}|AzureAuthContext{...}|OktaAuth...

(ELLIPSIS)


[style] ~228-~228: Consider using the typographical ellipsis character here instead.
Context: ...uth Context** | AWSAuthContext{...} | AzureAuthContext{...} | OktaAuthContext{...} | | **Clean ...

(ELLIPSIS)


[style] ~228-~228: Consider using the typographical ellipsis character here instead.
Context: ...ntext{...}|AzureAuthContext{...}|OktaAuthContext{...}| | **Clean Logout** |rm -rf ~/.con...

(ELLIPSIS)


[typographical] ~382-~382: To join two clauses or introduce examples, consider using an em dash.
Context: ...olation Variables OKTA_CONFIG_DIR - Okta configuration directory - Example: ...

(DASH_RULE)


[typographical] ~389-~389: To join two clauses or introduce examples, consider using an em dash.
Context: ...figuration Variables OKTA_ORG_URL - Okta organization URL - Example: `https:...

(DASH_RULE)


[typographical] ~393-~393: To join two clauses or introduce examples, consider using an em dash.
Context: ...kta SDKs OKTA_OAUTH2_ACCESS_TOKEN - OAuth 2.0 access token - Used by: Okta T...

(DASH_RULE)


[typographical] ~397-~397: To join two clauses or introduce examples, consider using an em dash.
Context: ...t-lived operations OKTA_API_TOKEN - Long-lived API token - Used by: Okta Ter...

(DASH_RULE)


[typographical] ~401-~401: To join two clauses or introduce examples, consider using an em dash.
Context: ...api-token provider **OKTA_BASE_URL`** - Base URL (alias for org URL) - Used by: ...

(DASH_RULE)


[typographical] ~591-~591: To join two clauses or introduce examples, consider using an em dash.
Context: ...1. Create pkg/auth/cloud/okta/types.go - Token types 2. Create `pkg/auth/cloud/ok...

(DASH_RULE)


[typographical] ~592-~592: To join two clauses or introduce examples, consider using an em dash.
Context: ...2. Create pkg/auth/cloud/okta/files.go - Okta file manager with locking 3. Create...

(DASH_RULE)


[typographical] ~593-~593: To join two clauses or introduce examples, consider using an em dash.
Context: ...g 3. Create pkg/auth/cloud/okta/env.go - Environment preparation 4. Create `pkg/a...

(DASH_RULE)


[typographical] ~594-~594: To join two clauses or introduce examples, consider using an em dash.
Context: ...4. Create pkg/auth/cloud/okta/setup.go - Setup functions 5. Add OktaAuthContext...

(DASH_RULE)


[typographical] ~645-~645: To join two clauses or introduce examples, consider using an em dash.
Context: ...SetEnvironmentVariables -Logout()- Delegates to provider cleanup -Cred...

(DASH_RULE)


[typographical] ~646-~646: To join two clauses or introduce examples, consider using an em dash.
Context: ...CredentialsExist(), LoadCredentials()` - File-based credential management 2. Regi...

(DASH_RULE)


[typographical] ~835-~835: To join two clauses or introduce examples, consider using an em dash.
Context: ... ] Create pkg/auth/cloud/okta/types.go - Token types (OktaTokens) - [ ] Create ...

(DASH_RULE)


[typographical] ~836-~836: To join two clauses or introduce examples, consider using an em dash.
Context: ... ] Create pkg/auth/cloud/okta/files.go - Okta file manager with locking - [ ] Cre...

(DASH_RULE)


[typographical] ~837-~837: To join two clauses or introduce examples, consider using an em dash.
Context: ... [ ] Create pkg/auth/cloud/okta/env.go - Environment preparation (`PrepareEnviron...

(DASH_RULE)


[typographical] ~838-~838: To join two clauses or introduce examples, consider using an em dash.
Context: ... ] Create pkg/auth/cloud/okta/setup.go - Setup functions (SetupFiles, `SetAuthC...

(DASH_RULE)


[typographical] ~841-~841: To join two clauses or introduce examples, consider using an em dash.
Context: ...ate pkg/auth/types/okta_credentials.go - Credential type implementing `ICredentia...

(DASH_RULE)


[typographical] ~940-~940: To join two clauses or introduce examples, consider using an em dash.
Context: ...ern](./auth-file-isolation-pattern.md)** - Canonical pattern (REQUIRED READING) 2. ...

(DASH_RULE)


[typographical] ~941-~941: To join two clauses or introduce examples, consider using an em dash.
Context: ...olation](./aws-auth-file-isolation.md)** - Reference implementation 3. **[Azure Aut...

(DASH_RULE)


[typographical] ~942-~942: To join two clauses or introduce examples, consider using an em dash.
Context: ...ation](./azure-auth-file-isolation.md)** - Azure implementation 4. **[Auth Context ...

(DASH_RULE)


[typographical] ~943-~943: To join two clauses or introduce examples, consider using an em dash.
Context: ...PRD](./auth-context-multi-identity.md)** - AuthContext design 5. **[XDG Base Direct...

(DASH_RULE)


[typographical] ~944-~944: To join two clauses or introduce examples, consider using an em dash.
Context: ..../xdg-base-directory-specification.md)** - XDG compliance patterns 6. **[Okta OAuth...

(DASH_RULE)


[typographical] ~945-~945: To join two clauses or introduce examples, consider using an em dash.
Context: ...ides/device-authorization-grant/main/)** - Okta documentation ## Changelog | Date...

(DASH_RULE)

🪛 markdownlint-cli2 (0.18.1)
docs/prd/okta-auth-identity.md


⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Acceptance Tests (windows)
  • GitHub Check: Acceptance Tests (macos)
  • GitHub Check: Summary
🔇 Additional comments (4)
docs/prd/okta-auth-identity.md (4)

356-366: Gitleaks warnings are false positives.

Gitleaks flagged lines 358 and 364 for "Generic API Key" detection. These lines contain example JWT tokens used in documentation to illustrate the tokens.json file structure. They are plaintext placeholders (e.g., eyJhbGciOiJSUzI1NiIs...), not real secrets. This is expected in documentation and does not pose a security risk.


586-680: LGTM: Implementation plan and testing strategy are well-structured.

The phased breakdown (core infrastructure → device provider → AWS federation → API identity → docs/testing) is realistic and follows established patterns. Testing strategy covers both unit and integration tests appropriately. Security considerations are thorough, addressing token lifecycle and attack surface reduction.


805-845: LGTM: Adherence checklist and implementation checklist are comprehensive.

Both checklists provide clear, actionable items tied to deliverables and phases. The status column (Planned) appropriately reflects the PRD stage. This will serve as an excellent tracking mechanism during implementation.


1-945: LGTM: Comprehensive PRD with solid design and implementation roadmap.

The document clearly articulates the problem (SAML-only limitations), desired state (native OAuth/OIDC), and a phased implementation plan grounded in established patterns (AWS/Azure PRDs). Technical specifications are detailed, security considerations are thorough, and the implementation checklist provides actionable items.

File path & naming: Correct (docs/prd/okta-auth-identity.md follows kebab-case requirement).

Content quality: Well-structured sections covering design goals, use cases, technical mapping, provider/identity types, file isolation, environment variables, code architecture, testing strategy, and documentation plan.

Note on deferred items (per learnings): The hard-tab formatting issues (MD010) and minor LanguageTool style suggestions (em-dashes, punctuation) can be addressed in a separate documentation cleanup PR and do not block this PRD.

coderabbitai[bot]
coderabbitai bot previously approved these changes Dec 30, 2025
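
The Gitleaks false-positive call in the review above rests on the flagged strings being truncated placeholders (such as eyJhbGciOiJSUzI1NiIs...) rather than complete tokens. As an added example, not part of the PR, the PRD or CodeRabbit's output, this Go program makes that check explicit before a finding is dismissed; the function names and the field names in the constructed tokens.json sample are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Verdict is the triage outcome for one string a secret scanner flagged.
type Verdict string

const (
	NotJWT      Verdict = "not-jwt"
	Placeholder Verdict = "placeholder"  // elided or truncated: not a usable token
	CompleteJWT Verdict = "complete-jwt" // structurally whole: handle as a live secret
)

// TriageJWT classifies s by structure only. It verifies no signature, so a
// CompleteJWT verdict means "rotate and remove", not "this token is valid".
func TriageJWT(s string) Verdict {
	s = strings.TrimSpace(s)
	// base64url of a JSON object that opens with {" and a letter starts "eyJ".
	if !strings.HasPrefix(s, "eyJ") {
		return NotJWT
	}
	// Documentation placeholders are usually elided with an ellipsis.
	if strings.Contains(s, "...") || strings.Contains(s, "\u2026") {
		return Placeholder
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Placeholder
	}
	// Header and payload must both decode to JSON objects.
	for i, seg := range parts[:2] {
		raw, err := base64.RawURLEncoding.DecodeString(seg)
		if err != nil {
			return Placeholder
		}
		var obj map[string]interface{}
		if err := json.Unmarshal(raw, &obj); err != nil {
			return Placeholder
		}
		if _, ok := obj["alg"]; i == 0 && !ok {
			return Placeholder
		}
	}
	// The signature may be empty (unsigned token) but must be base64url.
	if _, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil {
		return Placeholder
	}
	return CompleteJWT
}

// TriageDocument triages every top-level string field of a JSON object.
func TriageDocument(doc []byte) (map[string]Verdict, error) {
	var fields map[string]interface{}
	if err := json.Unmarshal(doc, &fields); err != nil {
		return nil, err
	}
	out := make(map[string]Verdict)
	for k, v := range fields {
		if s, ok := v.(string); ok {
			out[k] = TriageJWT(s)
		}
	}
	return out, nil
}

// constructedJWT builds a structurally complete but meaningless token.
func constructedJWT() string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." +
		enc([]byte(`{"sub":"constructed-example"}`)) + "." +
		enc([]byte("not-a-real-signature"))
}

// sampleTokensJSON is constructed input; the field names are assumptions.
func sampleTokensJSON() []byte {
	b, _ := json.Marshal(map[string]interface{}{
		"access_token": "eyJhbGciOiJSUzI1NiIs...", // placeholder quoted in the review
		"id_token":     constructedJWT(),
		"token_type":   "Bearer",
		"expires_in":   3600,
	})
	return b
}

func main() {
	verdicts, err := TriageDocument(sampleTokensJSON())
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(verdicts))
	for k := range verdicts {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-13s %s\n", k, verdicts[k])
	}
}
```

Only strings that come back as placeholder or not-jwt are candidates for a scanner allowlist entry; a complete-jwt result in documentation should be replaced with an elided value instead.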
@RoseSecurity RoseSecurity added the no-release Do not create a new release (wait for additional code changes) label Dec 30, 2025
RoseSecurity and others added 2 commits January 2, 2026 12:57
Add technical specification section explaining how Okta identity
implementation supports future Azure and GCP federation using the
OIDCCredentials interface. Details abstraction strategy, token flow,
and future cloud identity integration, ensuring no changes required
to Okta provider for multi-cloud support.
coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 2, 2026
Added roadmap entry for native Okta authentication using OAuth 2.0 Device
Authorization Grant. This enables Okta as a central IdP for AWS, Azure,
and GCP federation, and direct Okta API access for Terraform. Users can
authenticate once with Okta and federate to any cloud, simplifying
identity management and reducing reliance on browser automation or SAML.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
website/src/data/roadmap.js (2)

145-151: Add this PR to the initiative's PR list.

PR #1924 should be added to the prs array following the pattern of other PRD PRs (e.g., #1884 on line 148).

🔎 Suggested addition
       prs: [
         { number: 1894, title: 'Add Azure OIDC/Workload Identity Federation provider' },
         { number: 1859, title: 'Add ECR authentication' },
         { number: 1884, title: 'Add EKS kubeconfig authentication integration PRD' },
         { number: 1887, title: 'Add PRD for aws/login provider (native SDK auth)' },
         { number: 1683, title: 'Update auth docs and implement GitHub providers' },
+        { number: 1924, title: 'Add PRD for native Okta authentication identity' },
       ],
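
Review bot: the new `{ number: 1924, ... }` entry is appended after #1683, but the existing entries (1894, 1859, 1884, 1887, 1683) follow no numeric order, so the hunk gives no indication of what ordering the `prs` array is meant to have. If the list renders in array order, consider placing the new entry next to the other PRD entries (#1884, #1887) so related items stay together; if the renderer sorts, appending is fine. The proposed title drops the `feat(auth):` prefix from the PR title, which matches how the sibling entries are written.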

121-121: Update progress percentage to 74%.

The auth initiative has 14 shipped milestones out of 19 total (14/19 = 73.68%), which rounds to 74% progress. Update the value from 85% per the roadmap calculation guidelines.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e8129eb and 426bb2f.

📒 Files selected for processing (1)
  • website/src/data/roadmap.js
🧰 Additional context used
📓 Path-based instructions (2)
website/**

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

website/**: Update website documentation in the website/ directory when adding new features, ensure consistency between CLI help text and website documentation, and follow the website's documentation structure and style
Keep website code in the website/ directory, follow the existing website architecture and style, and test website changes locally before committing
Keep CLI documentation and website documentation in sync and document new features on the website with examples and use cases

Files:

  • website/src/data/roadmap.js
website/src/data/roadmap.js

📄 CodeRabbit inference engine (CLAUDE.md)

For PRs labeled minor/major, update roadmap.js: add milestone to relevant initiative with status: 'shipped', link to changelog with changelog: 'your-blog-slug', link to PR with pr: <pr-number>, update initiative progress percentage as (shipped milestones / total milestones) * 100

Files:

  • website/src/data/roadmap.js
🧠 Learnings (2)
📓 Common learnings
Learnt from: osterman
Repo: cloudposse/atmos PR: 1686
File: docs/prd/tool-dependencies-integration.md:58-64
Timestamp: 2025-12-13T06:07:37.766Z
Learning: cloudposse/atmos: For PRD docs (docs/prd/*.md), markdownlint issues like MD040/MD010/MD034 can be handled in a separate documentation cleanup commit and should not block the current PR.
Learnt from: Listener430
Repo: cloudposse/atmos PR: 934
File: tests/fixtures/scenarios/docs-generate/README.md.gotmpl:99-118
Timestamp: 2025-01-25T03:51:57.689Z
Learning: For the cloudposse/atmos repository, changes to template contents should be handled in dedicated PRs and are typically considered out of scope for PRs focused on other objectives.
Learnt from: aknysh
Repo: cloudposse/atmos PR: 944
File: go.mod:206-206
Timestamp: 2025-01-17T00:18:57.769Z
Learning: For indirect dependencies with license compliance issues in the cloudposse/atmos repository, the team prefers to handle them in follow-up PRs rather than blocking the current changes, as these issues often require deeper investigation of the dependency tree.
📚 Learning: 2026-01-01T18:25:25.942Z
Learnt from: CR
Repo: cloudposse/atmos PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-01T18:25:25.942Z
Learning: Applies to website/src/data/roadmap.js : For PRs labeled `minor`/`major`, update roadmap.js: add milestone to relevant initiative with `status: 'shipped'`, link to changelog with `changelog: 'your-blog-slug'`, link to PR with `pr: <pr-number>`, update initiative `progress` percentage as `(shipped milestones / total milestones) * 100`

Applied to files:

  • website/src/data/roadmap.js
⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Acceptance Tests (macos)
  • GitHub Check: Acceptance Tests (windows)
  • GitHub Check: Summary
🔇 Additional comments (1)
website/src/data/roadmap.js (1)

141-141: Well-structured milestone addition.

The Native Okta Authentication milestone is well-written with clear benefits and proper placement in the auth initiative roadmap. The description effectively communicates the OAuth 2.0 Device Authorization Grant approach and multi-cloud federation capabilities.

@RoseSecurity RoseSecurity enabled auto-merge (squash) January 4, 2026 19:59
@RoseSecurity RoseSecurity merged commit 2cd3971 into main Jan 4, 2026
57 checks passed
@RoseSecurity RoseSecurity deleted the create-atmos-auth-identity-for-okta branch January 4, 2026 20:00

github-actions bot commented Jan 6, 2026

These changes were released in v1.204.0-rc.1.
