Add per-user Claude auth renewal

Each workstation user needs a continuously valid Claude token under their own Enterprise identity. Store only that user's OAuth state in an isolated Vault path, renew and verify it automatically, recover from Vault when possible, and alert when interactive SSO is required.
2026-06-20 20:10:40 +00:00 · 2026-06-20 20:10:40 +00:00 · 5549fc3672
commit 5549fc3672
parent 834c5e6a2a
11 changed files with 408 additions and 28 deletions
--- a/stacks/monitoring/modules/monitoring/loki.tf
+++ b/stacks/monitoring/modules/monitoring/loki.tf
@ -274,6 +274,20 @@ resource "kubernetes_config_map" "loki_alert_rules" {
                runbook     = "docs/runbooks/t3-version-bump.md"
              }
            },
+            {
+              # Per-user Claude refresh/backup/restore exhausted its automatic
+              # recovery path. This is actionable: that user needs interactive SSO,
+              # or the scoped Vault token/bootstrap needs repair.
+              alert  = "WorkstationClaudeAuthInvalid"
+              expr   = "sum by (unit) (count_over_time({job=\"devvm-journal\", identifier=\"claude-auth-sync\"} |~ \"FAIL\" [15m])) > 0"
+              for    = "0m"
+              labels = { severity = "warning" }
+              annotations = {
+                summary     = "Per-user Claude authentication recovery failed on {{ $labels.unit }}"
+                description = "The Workstation renewal agent could not validate Claude auth, renew its scoped Vault token, or recover from the Vault backup. Follow the per-user SSO recovery runbook."
+                runbook     = "docs/runbooks/claude-auth-renew-workstation.md"
+              }
+            },
          ]
        },
        {