Add Claude Code memory snapshot and restore instructions

claude-memory/project-sso.md

@@ -0,0 +1,32 @@
+---
+name: project-sso
+description: "Authentik SSO setup status for kitestacks.com — what's done vs pending"
+metadata: 
+  node_type: memory
+  type: project
+  originSessionId: 301d23e2-6920-42b0-a27d-eba4e667b7f7
+---
+
+Authentik SSO configured 2026-06-08 to cover all kitestacks.com services.
+Full reference: `docs/authentik-sso-setup.md` in the Forgejo repo.
+
+**Config files updated (done):**
+- `apps/authentik/docker-compose.yml` — kitestacks network declared
+- `apps/kavita/config/appsettings.json` — OIDC enabled, Authority set
+- BookStack retired — not used, all books on Kavita
+- `apps/openproject/docker-compose.yml` — OIDC env vars + network
+- `apps/openproject/.env` — OPENPROJECT_OIDC_SECRET placeholder
+- Grafana and OpenWebUI already had OIDC env vars (just need Authentik apps created)
+
+**Pending manual steps:**
+1. Create Authentik OAuth2/OIDC providers + applications in admin UI for: Grafana, OpenWebUI, Kavita, OpenProject, Forgejo
+2. Create Authentik Proxy Providers for: Shaarli, Uptime Kuma, LiteLLM; assign to Embedded Outpost
+3. Configure Forgejo OAuth2 source via Forgejo admin UI (Site Admin → Auth Sources)
+4. Fill client secrets in `.env` files and restart containers
+5. Update Cloudflare tunnel routes: links.kitestacks.com → authentik:9000, status.kitestacks.com → authentik:9000, llm.kitestacks.com → authentik:9000
+6. After OpenProject container recreation (v13→v15 upgrade), update tunnel: tasks.kitestacks.com → openproject:80
+
+**Excluded from SSO:** Portainer, Prometheus, Node Exporter, OpenRouter, BookStack (retired)
+
+**Why:** User requested Authentik SSO for all services; OpenRouter/Prometheus/node-exporter/Portainer excluded by user request.
+**How to apply:** When user asks about SSO, check this memory for current status before suggesting next steps.