2026-06-15: clarify Uptime Kuma native SSO requirement

project-kitestacks-migration.md

@@ -433,6 +433,20 @@ Verified current live state on monk before making changes:
   the Cloudflare Tunnel public hostname for `status.kitestacks.com` from
   `http://uptime-kuma:3001` to `http://authentik:9000` (or equivalent
   Authentik service target in the Tunnel UI).
+- Correction after user tested: user does NOT want front-door proxy behavior
+  for Uptime Kuma. Desired UX is an in-app "single sign on" button on the
+  Uptime Kuma login screen, like Grafana/Forgejo style native OAuth. Authentik
+  proxy redirect is not acceptable for this requirement.
+- Confirmed in the installed Uptime Kuma 1.23.17 frontend:
+  `/app/src/components/Login.vue` only renders username, password, remember-me,
+  and login submit controls. No native OAuth/OIDC/SSO button exists in this
+  version's login component, and local source search only found monitor OAuth
+  client-credentials support, not app login SSO.
+- If staying on Uptime Kuma 1.23.17, revert Cloudflare route for
+  `status.kitestacks.com` back to `http://uptime-kuma:3001`; otherwise users
+  get Authentik first and then still see Kuma's local login. Native in-app SSO
+  would require an Uptime Kuma version/plugin/fork with login OIDC support or
+  custom app code, not the Authentik proxy provider.
 
 Important security hygiene: local git remote for `~/claude-memory` contains an
 HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in