# Beaver Standalone App Instance

This branch narrows Beaver to a clean standalone app instance that an external orchestrator can deploy.

## Product Boundary

The app instance provides:

- Chat and task workspace
- Files, tools, skills, memory, schedules, and runtime pages
- Backend API and WebSocket access behind the same origin
- Keycloak SSO login with Authorization Code Flow + PKCE
- JWT-based user identity using Keycloak `sub`

The app instance does not provide:

- Local registration or password login
- User ID lifecycle management
- Per-user instance creation
- Hostname routing
- Deployment control-plane APIs
- Keycloak client provisioning

## External Responsibilities

The external orchestrator owns:

- Container lifecycle
- Public URL, TLS, reverse proxy, and port mapping
- Data volume provisioning
- `config.json` provisioning
- Keycloak redirect URI and web origin registration
- Multi-instance or tenant mapping, if needed later

## Current SSO Values

```text
issuer:       https://keycloak.bwgdi.com/realms/beaver
client_id:    beaver-agnet
web_origin:   http://172.19.0.245:18080
redirect_uri: http://172.19.0.245:18080/auth/callback
post_logout_redirect_uri: http://172.19.0.245:18080/logout/callback
```

## Source Material

- [Project README](../../../README.md)
- [App Instance README](../../../app-instance/README.md)
- [Backend README](../../../app-instance/backend/README.md)
- [UI/UX Page Docs](../../ui-ux/README.md)