2026-06-15: fix Uptime Kuma SSO active-active JWT mismatch

project-kitestacks-migration.md

@@ -488,6 +488,19 @@ Verified current live state on monk before making changes:
     `for i in 1 2 3 4 5 6; do curl -sSL --compressed https://status.kitestacks.com/dashboard | grep -q "Sign in with Authentik"; done`
     returned `button` for all 6 attempts, confirming both active connectors
     serve the button.
+- Post-test screenshot showed Uptime Kuma login page with red banner "Lost
+  connection to the socket server. Reconnecting..." after clicking the SSO
+  button. Root cause: active-active JWT mismatch. Uptime Kuma JWTs include a
+  signature using `setting.jwtSecret`; monk and kscloud1 had matching user
+  password hashes but different JWT secrets, so a token minted by one backend
+  failed if the browser's websocket connected to the other backend. Fixed
+  2026-06-15 by copying monk's exact `jwtSecret` into kscloud1's
+  `/app/data/kuma.db` using base64 transport (avoid shell expansion of secret
+  chars), then restarting kscloud1 Uptime Kuma. Verified both hashes now match:
+  `jwtSecret` length 60, sha3 prefix `FA67E6E9EDCC8E1D`. Public button check
+  still returns `button` 6/6. If a browser still has a pre-fix bad token in
+  localStorage, clear site data or click the Authentik button again to mint a
+  fresh token.
 
 Important security hygiene: local git remote for `~/claude-memory` contains an
 HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in