🧭 Type of Feature
🧭 Epic
Title: Declarative SSO team mapping via environment variable
Goal: Allow administrators to configure Entra ID group-to-team mapping via an environment variable, enabling GitOps workflows.
Why now: The team_mapping for SSO providers can only be configured via the Admin API, but get_predefined_sso_providers() hard-codes "team_mapping": {} for the Entra provider. On every pod restart, the bootstrap overwrites the DB mapping with {} (the existing preservation logic at line 417 only works when the env mapping is falsy — which it always is). This makes it impossible to declaratively manage team mapping in Kubernetes/Helm values.
🧑🏻💻 User Story 1
As a: platform administrator deploying ContextForge on Kubernetes
I want: to set Entra ID group-to-team mapping via an environment variable (e.g. in Helm values)
So that: team mapping survives pod restarts without manual Admin API calls, enabling GitOps
✅ Acceptance Criteria
Scenario: Team mapping from environment variable
Given SSO_ENTRA_TEAM_MAPPING is set to '{"group-id-abc": {"team_id": "dev-team", "role": "member"}}'
When the gateway starts and bootstraps SSO providers
Then the Entra provider's team_mapping includes the env-defined mapping
Scenario: DB overrides merge with env
Given SSO_ENTRA_TEAM_MAPPING has group-A mapped
And an admin added group-B via the Admin API
When the gateway restarts
Then both group-A (from env) and group-B (from DB) are present
And DB values take precedence for conflicting keys
🧑🏻💻 User Story 2
As a: DevOps engineer
I want: team mapping configuration version-controlled in git alongside other Helm values
So that: changes are auditable and reproducible across environments
🔗 MCP Standards Check
🔄 Alternatives Considered
- Admin API only: Current approach — requires manual call after every restart, not GitOps-friendly
- Persistent volume for config: Over-engineered for a single JSON dict
📓 Additional Context
Note: Okta provider already has SSO_OKTA_TEAM_MAPPING env var support (via JSON parsing in get_predefined_sso_providers). This PR brings Entra ID to parity.
Related: #3655 (SSO team mapping improvements)
🧭 Type of Feature
🧭 Epic
Title: Declarative SSO team mapping via environment variable
Goal: Allow administrators to configure Entra ID group-to-team mapping via an environment variable, enabling GitOps workflows.
Why now: The
team_mappingfor SSO providers can only be configured via the Admin API, butget_predefined_sso_providers()hard-codes"team_mapping": {}for the Entra provider. On every pod restart, the bootstrap overwrites the DB mapping with{}(the existing preservation logic at line 417 only works when the env mapping is falsy — which it always is). This makes it impossible to declaratively manage team mapping in Kubernetes/Helm values.🧑🏻💻 User Story 1
As a: platform administrator deploying ContextForge on Kubernetes
I want: to set Entra ID group-to-team mapping via an environment variable (e.g. in Helm values)
So that: team mapping survives pod restarts without manual Admin API calls, enabling GitOps
✅ Acceptance Criteria
🧑🏻💻 User Story 2
As a: DevOps engineer
I want: team mapping configuration version-controlled in git alongside other Helm values
So that: changes are auditable and reproducible across environments
🔗 MCP Standards Check
🔄 Alternatives Considered
📓 Additional Context
Note: Okta provider already has
SSO_OKTA_TEAM_MAPPINGenv var support (via JSON parsing inget_predefined_sso_providers). This PR brings Entra ID to parity.Related: #3655 (SSO team mapping improvements)