update

Author: anu19981

README.md

@@ -166,19 +166,33 @@ just smithy-build       # regenerate the Rust client SDK
 ## Authentication
 
 **Local dev runs with auth disabled.** The `.env.example` template sets
-`AUTH_ENABLED=false`, and Keycloak is disabled by default in
-`process-compose.yml`, so `just run` does **not** start an OIDC provider. The
-Admin UI and API are open — just navigate to `http://localhost:3030/admin`.
+`AUTH_ENABLED=false`, and the dev stack does **not** start an OIDC provider, so
+`just run` leaves the Admin UI and API open — just navigate to
+`http://localhost:3030/admin`.
 
 ### Enabling Keycloak (optional)
 
-To test the real OIDC login flow locally (requires Docker):
+Keycloak is **not** bundled in the dev stack. To test the real OIDC login flow
+locally, run it standalone (requires Docker), then point the service at it:
+
+1. Start Keycloak with the bundled realm:
+
+   ```bash
+   docker run --rm --name pba-keycloak \
+     -p 8180:8080 -m 2g \
+     -v "$(pwd)/keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro" \
+     -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
+     -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
+     -e JAVA_OPTS_KC_HEAP="-XX:MaxRAMPercentage=50 -Xms256m -Xmx1024m -XX:UseSVE=0" \
+     quay.io/keycloak/keycloak:26.0 \
+     start-dev --import-realm
+   ```
+
+   > `-XX:UseSVE=0` works around a JVM crash on Apple Silicon (M-series); the
+   > heap flags and `-m 2g` keep Keycloak from starving the rest of the stack.
 
-1. In `process-compose.yml`, set `disabled: false` on the `keycloak` process,
-   and re-add the `keycloak` block under `pba-service`'s `depends_on` (a
-   commented template is left in place there).
 2. Set `AUTH_ENABLED=true` in your `.env`.
-3. `just run` — Keycloak now starts alongside the other services.
+3. `just run` (or `just run-service`) — the service now uses Keycloak for auth.
 
 **Admin UI:** Navigate to `http://localhost:3030/admin` — you'll be redirected
 to Keycloak to log in. Default credentials: `admin@pba.local` / `admin`

process-compose.yml

@@ -25,32 +25,6 @@ processes:
     availability:
       restart: "no"
 
-  keycloak:
-    # Disabled by default — local dev runs with AUTH_ENABLED=false in .env so no
-    # OIDC provider is needed. Set `disabled: false` and ensure AUTH_ENABLED=true
-    # if you want to test the Keycloak login flow.
-    disabled: true
-    command: |
-      docker run --rm --name pba-keycloak \
-        -p 8180:8080 \
-        -m 2g \
-        -v "$(pwd)/keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro" \
-        -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
-        -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
-        -e JAVA_OPTS_KC_HEAP="-XX:MaxRAMPercentage=50 -Xms256m -Xmx1024m -XX:UseSVE=0" \
-        quay.io/keycloak/keycloak:26.0 \
-        start-dev --import-realm
-    readiness_probe:
-      http_get:
-        host: 127.0.0.1
-        port: 8180
-        path: /realms/pba/.well-known/openid-configuration
-      initial_delay_seconds: 15
-      period_seconds: 3
-      failure_threshold: 20
-    shutdown:
-      command: docker rm -f pba-keycloak
-
   tigerbeetle:
     command: |
       if [ ! -f .tb_data/dev/0_0.tigerbeetle ]; then
@@ -75,10 +49,6 @@ processes:
         condition: process_completed_successfully
       tigerbeetle:
         condition: process_healthy
-      # keycloak dependency removed — auth disabled in dev. Re-add this block
-      # alongside enabling the keycloak process if you want OIDC login locally:
-      #   keycloak:
-      #     condition: process_healthy
     readiness_probe:
       http_get:
         host: 127.0.0.1