Remove routeoidc labs flag

[evanphx]

Summary

• Promote OIDC route protection from labs feature to always-on (GA)
• Remove routeoidc from features.yaml and regenerate labs code
• Unwrap conditional CLI command registration (route protect, route unprotect, auth provider *)
• Remove if !labs.RouteOIDC() guard checks from command implementations and OIDC middleware
• Update docs to remove "Labs Feature" notices and regenerate command reference

Test plan

• go build ./... passes
• make lint — all issues pre-existing, none in changed files
• hack/it ./pkg/labs/... — 7 tests pass
• hack/it ./servers/httpingress/... — 50 tests pass
• Zero remaining references to routeoidc / RouteOIDC / FeatureRouteOIDC in source

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a7de21a5-5efe-4e1c-a4db-fe34235e5561

📥 Commits

Reviewing files that changed from the base of the PR and between 2a890dc and 61a47b6.

📒 Files selected for processing (2)

• cli/commands/commands.go
• docs/docs/commands.md

✅ Files skipped from review due to trivial changes (1)

• docs/docs/commands.md

🚧 Files skipped from review as they are similar to previous changes (1)

• cli/commands/commands.go

---

📝 Walkthrough

Walkthrough

The routeoidc labs feature was removed. CLI commands (auth provider add/list/show/remove, route protect/unprotect) no longer check the feature flag and are registered unconditionally. The HTTP ingress OIDC middleware now runs when a route has an OIDC provider configured, with persistent signing-key handling, full session/callback flows, claim injection, and cached per-route handlers. The routeoidc feature entry and generated predicate were deleted from pkg/labs, and documentation/examples were updated to remove routeoidc prerequisites.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}