feat(schema): add OIDC tables for embedded OIDC provider

[moshloop]

Summary

• Adds oidc_public_keys table for RSA public keys used by the JWKS endpoint (/.well-known/jwks.json)
• Adds oidc_auth_requests table for in-flight PKCE authorization requests (10-minute TTL, cleaned up by background job)
• Adds oidc_refresh_tokens table for opaque refresh tokens with rotation-family replay detection (30-day expiry)

These tables support the embedded OIDC provider being added to incident-commander (--oidc flag on top of --auth basic), enabling the incident-commander auth login CLI browser flow.

All three tables are purely additive — no existing tables are modified. Running without --oidc does not touch these tables.

Test plan

• Schema applies cleanly against a fresh database
• Schema applies cleanly as a migration from the current production schema (no destructive changes)

Summary by CodeRabbit

• New Features
  • Added support for OIDC authentication flows: storing auth requests, refresh tokens, and public keys to enable secure sign-in and token lifecycle management.
• Chores
  • Updated database schema and RBAC mappings to support the new authentication and token management capabilities.

[github-actions]

Benchstat (Other)

Base: beaa138bf936f9f15ac2568fc6d8b8446f246d89
Head: dedf57c16f2e2269b16869120dbdca4d7d4c5302

✅ 2 improvement(s)

Benchmark	Base	Head	Change	p-value
ResourceSelectorQueryBuild/name_and_type-4	61.92µ	61.41µ	-0.83%	0.041
ResourceSelectorQueryBuild/name-4	42.29µ	42.03µ	-0.62%	0.041

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                                       │ bench-base.txt │           bench-head.txt           │
                                                       │     sec/op     │    sec/op     vs base              │
InsertionForRowsWithAliases/external_users.aliases-4        588.4µ ± 2%   584.4µ ±  6%       ~ (p=0.699 n=6)
InsertionForRowsWithAliases/config_items.external_id-4      1.096m ± 9%   1.090m ± 12%       ~ (p=0.937 n=6)
ResourceSelectorConfigs/name-4                              196.3µ ± 2%   196.6µ ±  2%       ~ (p=0.937 n=6)
ResourceSelectorConfigs/name_and_type-4                     218.0µ ± 3%   215.4µ ±  5%       ~ (p=0.937 n=6)
ResourceSelectorConfigs/tags-4                              28.20m ± 3%   28.34m ±  3%       ~ (p=0.485 n=6)
ResourceSelectorQueryBuild/name-4                           42.29µ ± 1%   42.03µ ±  0%  -0.62% (p=0.041 n=6)
ResourceSelectorQueryBuild/name_and_type-4                  61.92µ ± 1%   61.41µ ±  1%  -0.83% (p=0.041 n=6)
ResourceSelectorQueryBuild/tags-4                           16.85µ ± 1%   16.80µ ±  2%       ~ (p=0.485 n=6)
geomean                                                     276.7µ        275.4µ        -0.45%

[github-actions]

Benchstat (RLS)

Base: beaa138bf936f9f15ac2568fc6d8b8446f246d89
Head: dedf57c16f2e2269b16869120dbdca4d7d4c5302

📊 8 minor regression(s) (all within 5% threshold)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/configs/With_RLS-4	123.6m	126.1m	+1.98%	0.002
RLS/Sample-15000/config_changes/With_RLS-4	129.3m	131.3m	+1.60%	0.002
RLS/Sample-15000/config_types/Without_RLS-4	3.931m	3.993m	+1.56%	0.002
RLS/Sample-15000/config_summary/With_RLS-4	741.4m	752.4m	+1.48%	0.002
RLS/Sample-15000/configs/Without_RLS-4	7.148m	7.212m	+0.89%	0.002
RLS/Sample-15000/config_detail/With_RLS-4	123.3m	124.2m	+0.71%	0.002
RLS/Sample-15000/config_detail/Without_RLS-4	3.884m	3.911m	+0.68%	0.041
RLS/Sample-15000/config_names/Without_RLS-4	12.76m	12.84m	+0.58%	0.026

✅ 4 improvement(s)

Benchmark	Base	Head	Change	p-value
RLS/Sample-15000/change_types/With_RLS-4	5.337m	5.223m	-2.12%	0.009
RLS/Sample-15000/config_classes/With_RLS-4	125.8m	124.1m	-1.40%	0.002
RLS/Sample-15000/analysis_types/With_RLS-4	3.928m	3.893m	-0.89%	0.041
RLS/Sample-15000/config_classes/Without_RLS-4	3.304m	3.281m	-0.69%	0.041

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/duty/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                               │ bench-base.txt │          bench-head.txt           │
                                               │     sec/op     │   sec/op     vs base              │
RLS/Sample-15000/catalog_changes/Without_RLS-4      5.272m ± 2%   5.274m ± 1%       ~ (p=0.937 n=6)
RLS/Sample-15000/catalog_changes/With_RLS-4         128.3m ± 1%   128.3m ± 0%       ~ (p=0.818 n=6)
RLS/Sample-15000/config_changes/Without_RLS-4       5.237m ± 1%   5.214m ± 1%       ~ (p=0.093 n=6)
RLS/Sample-15000/config_changes/With_RLS-4          129.3m ± 1%   131.3m ± 1%  +1.60% (p=0.002 n=6)
RLS/Sample-15000/config_detail/Without_RLS-4        3.884m ± 1%   3.911m ± 2%  +0.68% (p=0.041 n=6)
RLS/Sample-15000/config_detail/With_RLS-4           123.3m ± 0%   124.2m ± 0%  +0.71% (p=0.002 n=6)
RLS/Sample-15000/config_names/Without_RLS-4         12.76m ± 1%   12.84m ± 1%  +0.58% (p=0.026 n=6)
RLS/Sample-15000/config_names/With_RLS-4            125.0m ± 1%   124.7m ± 1%       ~ (p=0.937 n=6)
RLS/Sample-15000/config_summary/Without_RLS-4       60.99m ± 1%   60.62m ± 1%       ~ (p=0.240 n=6)
RLS/Sample-15000/config_summary/With_RLS-4          741.4m ± 1%   752.4m ± 0%  +1.48% (p=0.002 n=6)
RLS/Sample-15000/configs/Without_RLS-4              7.148m ± 0%   7.212m ± 0%  +0.89% (p=0.002 n=6)
RLS/Sample-15000/configs/With_RLS-4                 123.6m ± 0%   126.1m ± 0%  +1.98% (p=0.002 n=6)
RLS/Sample-15000/analysis_types/Without_RLS-4       3.956m ± 3%   3.897m ± 5%       ~ (p=0.065 n=6)
RLS/Sample-15000/analysis_types/With_RLS-4          3.928m ± 4%   3.893m ± 2%  -0.89% (p=0.041 n=6)
RLS/Sample-15000/analyzer_types/Without_RLS-4       3.736m ± 1%   3.716m ± 1%       ~ (p=0.093 n=6)
RLS/Sample-15000/analyzer_types/With_RLS-4          3.755m ± 2%   3.768m ± 1%       ~ (p=0.394 n=6)
RLS/Sample-15000/change_types/Without_RLS-4         5.286m ± 1%   5.288m ± 1%       ~ (p=0.818 n=6)
RLS/Sample-15000/change_types/With_RLS-4            5.337m ± 3%   5.223m ± 2%  -2.12% (p=0.009 n=6)
RLS/Sample-15000/config_classes/Without_RLS-4       3.304m ± 1%   3.281m ± 1%  -0.69% (p=0.041 n=6)
RLS/Sample-15000/config_classes/With_RLS-4          125.8m ± 0%   124.1m ± 1%  -1.40% (p=0.002 n=6)
RLS/Sample-15000/config_types/Without_RLS-4         3.931m ± 1%   3.993m ± 0%  +1.56% (p=0.002 n=6)
RLS/Sample-15000/config_types/With_RLS-4            125.1m ± 0%   124.8m ± 1%       ~ (p=0.065 n=6)
geomean                                             19.22m        19.24m       +0.05%

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: af4ff611-bc20-4f93-9a38-c338d7c0c15d

📥 Commits

Reviewing files that changed from the base of the PR and between adf0b2a and dedf57c.

📒 Files selected for processing (2)

• rbac/objects.go
• schema/oidc.hcl

---

Walkthrough

Adds a new HCL schema file that creates three PostgreSQL tables for OIDC: oidc_public_keys (key storage), oidc_auth_requests (authorization request state), and oidc_refresh_tokens (refresh token tracking), each with defaults, constraints, and indexes for lifecycle management.

Changes

Cohort / File(s)	Summary
OIDC schema file schema/oidc.hcl	Adds three tables under schema.public: oidc_public_keys (id, algorithm default "RS256", public_key bytea, created_at, expires_at), oidc_auth_requests (authorization request fields, created_at, non-null expires_at, partial unique index on code, index on expires_at), and oidc_refresh_tokens (token lifecycle fields, created_at, non-null expires_at, unique index on token, indexes on subject, rotation_id, and expires_at).
RBAC mappings rbac/objects.go	Extends dbResourceObjMap to include oidc_auth_requests, oidc_public_keys, and oidc_refresh_tokens, all mapped to policy.ObjectAuthConfidential.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(schema): add OIDC tables for embedded OIDC provider' accurately and concisely summarizes the main change: adding three new OIDC-related database tables to the schema.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/oidc-tables

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch feat/oidc-tables

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@schema/oidc.hcl`:
- Around line 104-107: The index definition oidc_auth_requests_code_idx
currently lacks uniqueness; update the index block for
oidc_auth_requests_code_idx (the index on column.code) to include unique = true
so the authorization codes are enforced as unique at the schema level, and then
regenerate/apply the migration so the database enforces the constraint.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bbeb01e9-673a-4d30-ad51-d5e90302f2dc

📥 Commits

Reviewing files that changed from the base of the PR and between beaa138 and adf0b2a.

📒 Files selected for processing (1)

• schema/oidc.hcl