Enterprise — OIDC and reverse proxies

Enterprise builds can pair OIDC sign-in with lenses-access.json RBAC. Keep loopback binding until the proxy terminates TLS and injects identity headers deliberately.

Updated

What it is

Enterprise builds can pair OIDC sign-in with lenses-access.json RBAC. Keep loopback binding until the proxy terminates TLS and injects identity headers deliberately.

Telemetry and governance POST endpoints still honor local-first defaults. Historical governance decisions (audit logging, bearer flows)—including the material summarized as ADR 013 for contributors—are indexed from the Maintainer handbook on GitHub; this public handbook avoids deep-linking individual ADR files.

Environment

OIDC-related LENSES_OIDC_* variables are summarized in Configuration reference and flagged in env matrix.

Verify

Login completes without redirect loops and /api/auth/status reflects the expected session when exercised through the same hostname operators publish.

What to do next