Add OIDC-based tenant auth and RBAC enforcement#39

Closed

DevOpsMadDog wants to merge 1 commit into main from codex/extend-overlay-schema-for-tenant-identity

Conversation

@DevOpsMadDog
Owner

Summary

  • extend the overlay tenancy schema to merge tenant identity providers, allowed audiences, and storage directories
  • add OIDC bearer token verification, tenant-specific storage, and RBAC enforcement for uploads and pipeline runs
  • cover the new authentication flow with integration tests exercising OIDC success and failure scenarios

Testing

  • pytest tests/test_end_to_end.py

https://chatgpt.com/codex/tasks/task_e_68e1bb2266e083298e97ef4d94eaff5e


@chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.


Comment thread backend/app.py, lines +266 to +270:

    required = roles_config.get(action)
    if required is None:
        fallback_map = {
            "upload": ("uploads", "ingest", "write"),
            "pipeline": ("run", "execute", "pipeline_run"),

P1: Enforce fallback to default RBAC roles

The RBAC check only looks up the action-specific key (e.g. upload) and a small alias map. When overlay configuration supplies roles as a simple list, _normalise_overlay stores them under roles.default (see fixops/configuration.py where non-mapping roles are normalized to a "default" key). Because _enforce_rbac never consults this default entry, such tenants end up with no required roles and any bearer token is accepted. Add a lookup for roles_config.get("default") so that default roles are enforced for actions unless an explicit override exists.

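As an added illustration of the gap Codex describes (example code, not code from this PR or the fixops project), the role lookup before and after the suggested fix; normalise_roles, required_roles_vulnerable, required_roles_fixed and is_authorised are hypothetical stand-ins for the project's _normalise_overlay and _enforce_rbac, and the alias map is the one quoted above.

```python
"""Added example, not fixops code: models the RBAC role lookup the review
describes, with the vulnerable resolution beside the fixed one."""
from collections.abc import Mapping

# Alias map as quoted from backend/app.py in the review comment.
FALLBACK_MAP = {
    "upload": ("uploads", "ingest", "write"),
    "pipeline": ("run", "execute", "pipeline_run"),
}

def normalise_roles(roles):
    """Mirror the normalisation the review attributes to _normalise_overlay:
    a non-mapping roles value (e.g. a plain list) lands under "default"."""
    if isinstance(roles, Mapping):
        return {key: tuple(value) for key, value in roles.items()}
    return {"default": tuple(roles)}

def _lookup_action_or_alias(roles_config, action):
    """The lookup the review describes: action key first, then its aliases."""
    required = roles_config.get(action)
    if required is None:
        for alias in FALLBACK_MAP.get(action, ()):
            required = roles_config.get(alias)
            if required is not None:
                break
    return required

def required_roles_vulnerable(roles_config, action):
    """Before the fix: roles.default is never consulted, so list-form
    overlay config resolves to an empty requirement."""
    return tuple(_lookup_action_or_alias(roles_config, action) or ())

def required_roles_fixed(roles_config, action):
    """After the fix: fall back to roles.default unless an explicit
    per-action (or alias) override exists."""
    required = _lookup_action_or_alias(roles_config, action)
    if required is None:
        required = roles_config.get("default")
    return tuple(required or ())

def is_authorised(token_roles, required):
    """Models the behaviour the review reports: an empty requirement
    accepts any bearer token; otherwise at least one role must match."""
    if not required:
        return True
    return bool(set(token_roles) & set(required))
```

A stricter variant would additionally reject the request when the resolved requirement is empty, so a misconfigured tenant fails closed instead of open.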

@devin-ai-integration
Contributor

Closing as part of PR consolidation. Useful changes have been cherry-picked into PR #240.

DevOpsMadDog added a commit that referenced this pull request May 5, 2026
…2030f7a

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>