Jean-Gabriel Gill-Couture
f316bd629b
All checks were successful
Run Check Script / check (pull_request) Successful in 2m31s
Role-gate follow-up from v0.3 plan Ch1: - `build_login_attempt` appends the `urn:zitadel:iam:org:project:roles` scope, so the gate no longer depends on Zitadel's out-of-band "Assert Roles on Authentication" checkbox (which silently broke it once). Idempotent if the scope is already present. - docs/guides/operator-dashboard-sso.md step 1b + config reference: drop the wrong checkbox instruction, document the in-band scope. Role extraction stays local to each crate (dashboard object-map; callout configurable claim path) — two small, genuinely-different parsers, not a shared crate. Lifting `require_role` to a composable layer is skipped as YAGNI — only `fleet-admin` exists; revisit at the second role.