403b6b37f1fa793b246531c04499d5ee534e1c5b
Authentik OIDC provider now requests `openid email profile enrichment` (from AUTHENTIK_SCOPES env, Infisical-fetched at boot). The enrichment scope triggers Authentik scope mapping pk=41b23bc3-bdd8-4a61-b975-6e0eff56df72 which emits enrichment_scope + is_beletage_group claims based on LDAP group membership (Arhitecti/Administrators/Domain Admins → scope=full + is_beletage_group=true).

jwt callback captures account.access_token on first sign-in; session callback exposes it as session.accessToken so api.gis.ac calls can forward it. Used by Faza D thin client (src/lib/gis-api-client.ts, pending) to authenticate against api.gis.ac.

Without scope=enrichment, every architools user falls through to scope=none on api.gis.ac → 403 on every parcel/enrichment read.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
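The token flow described in the commit message above, as an added example that is not the repository's code. The type shapes, function names and the allow/deny rule are assumptions made for illustration; only the claim names, `account.access_token` and `session.accessToken` come from the message.

```typescript
// Simplified stand-ins for the auth library's types (assumed shapes).
type Account = { access_token?: string };
type Token = { sub: string; accessToken?: string };
type Session = { user: { id: string }; accessToken?: string };

// jwt callback: `account` is only present on the first sign-in, so the
// access token has to be copied onto the persisted token at that moment.
function jwtCallback(token: Token, account?: Account): Token {
  if (account?.access_token) {
    return { ...token, accessToken: account.access_token };
  }
  return token; // later invocations keep what was stored earlier
}

// session callback: surface the stored token so API calls can forward it.
function sessionCallback(session: Session, token: Token): Session {
  return { ...session, accessToken: token.accessToken };
}

// Claims named in the commit message. The decision rule is an assumption
// about how a resource server could gate reads on them.
type Claims = { enrichment_scope?: string; is_beletage_group?: boolean };

function enrichmentReadStatus(claims: Claims): 200 | 403 {
  // A missing claim is treated as scope=none, so the check fails closed.
  const scope = claims.enrichment_scope ?? "none";
  return scope === "full" ? 200 : 403;
}

// Header a thin client would send; refuses to call the API without a token.
function authHeader(session: Session): { Authorization: string } {
  if (!session.accessToken) throw new Error("no access token in session");
  return { Authorization: `Bearer ${session.accessToken}` };
}
```

If these are NextAuth callbacks, whatever the session callback returns is also served to the browser by the session endpoint, so a token placed on the session is readable by client-side code.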
pre-launch hardening: Address Book type sort, Hot Desk proportions, TVA calculator, ROADMAP Phase 4B
Languages: TypeScript 98.7%, Shell 0.4%, PLpgSQL 0.4%, Dockerfile 0.2%, CSS 0.1%, Other 0.1%