feat: local Keycloak mock for SmartEM frontend dev #198

Open: vredchenko wants to merge 1 commit into main from feat/keycloak-mock

@vredchenko
Collaborator

Motivation

The SmartEM frontend Keycloak integration in smartem-frontend PR #74 currently has no local development story. Out of the box, npm run dev:smartem fails because http://localhost:5173 isn't in the SmartEM client's Valid Redirect URIs or Web Origins on identity-test.diamond.ac.uk — and getting those entries added is an admin round-trip that has to be repeated for every new dev port and every new developer.

This PR adds a self-contained Keycloak mock so the frontend team can develop and test the auth flow locally with no external dependencies, no shared identity-server config, and no permission round-trips.

What's included

keycloak-mock/ — a self-contained mock with two equivalent deployment forms, both reading from one realm export:

  • dls-realm.json — single source of truth. Realm dls, public client SmartEM with PKCE S256, localhost redirect URIs and Web Origins, custom fedId claim mapper to mirror DLS realm claims, two seeded users.
  • docker-compose.yml — Compose form, fastest standalone cycle.
  • keycloak.yaml + kustomization.yaml — Kubernetes Deployment + Services + kustomize configMapGenerator for the realm JSON.

The Kustomize form is wired into the existing development overlay via k8s/environments/development/kustomization.yaml, so ./scripts/k8s/dev-k8s.sh up now brings up Keycloak alongside Postgres, RabbitMQ, etc. The Compose form is independent and useful for frontend devs who don't want the rest of the dev stack running.

Both forms read the same dls-realm.json, so realm edits propagate to whichever form a developer is using.

Docs

  • docs/development/local-keycloak.md — full how-to (when to use which form, how to point the frontend at it, how to edit the realm, limits and non-goals).
  • docs/development/index.md — added to the TOC.
  • docs/architecture/keycloak-spa-authentication.md — added a "Local development" pointer; corrected the smartem-frontend vs SmartEM client-name discrepancy that existed in the doc but didn't match the implementation.

Quick start

# Compose form
cd keycloak-mock && docker compose up -d

# Or k3s form (along with the rest of the dev stack)
./scripts/k8s/dev-k8s.sh up

Then in smartem-frontend/apps/smartem/.env.local:

VITE_KEYCLOAK_URL=http://localhost:8080
VITE_KEYCLOAK_REALM=dls
VITE_KEYCLOAK_CLIENT_ID=SmartEM
VITE_AUTH_ENABLED=true

Log in as devuser / devpass (or valuser / valpass).

Companion review

While building this I exercised the full auth flow end-to-end against the mock and uncovered two issues in smartem-frontend PR #74 that are independent of this change: an init-failure bug in AuthProvider that bricks the login button, and a check-sso redirect storm caused by missing silentCheckSsoRedirectUri. Details and suggested fixes are in a review comment on that PR.

Test plan

  • kubectl kustomize keycloak-mock builds cleanly
  • kubectl kustomize k8s/environments/development builds cleanly with Keycloak resources included
  • docker compose up -d in keycloak-mock/ imports the dls realm and exposes admin console at http://localhost:8080
  • ./scripts/k8s/dev-k8s.sh up brings Keycloak up alongside the rest of the stack, reachable at http://<node-ip>:30080
  • Frontend (smartem-frontend PR Add app config #74 with the suggested AuthProvider fixes applied) successfully logs in via the mock and the account menu shows the user identity

The smartem-frontend Keycloak integration currently has no local
development story — every dev needs `http://localhost:5173` added to
the SmartEM client's Valid Redirect URIs and Web Origins on
`identity-test.diamond.ac.uk`, which is an admin round-trip that has
to be repeated for every new port and every new developer.

A self-contained mock removes that dependency:

  - `dls-realm.json` is the single source of truth — realm `dls`,
    public client `SmartEM` with PKCE, localhost redirect URIs and
    Web Origins, custom `fedId` claim mapper, two seeded users.
  - Compose form for the fastest standalone cycle.
  - Kustomize form integrated into the existing development overlay,
    so `dev-k8s.sh up` now brings up Keycloak alongside the rest of
    the stack.

Both forms read the same realm JSON, so editing it once propagates
to whichever form a developer prefers.

The architecture doc gains a "Local development" pointer and the
client-name discrepancy (`smartem-frontend` vs `SmartEM`) is
corrected to match the actual implementation.
@github-actions (bot) added the documentation (Improvements or additions to project documentation) and devops (CI/CD, deployment, infrastructure, or tooling work) labels on May 12, 2026.
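
A check a reviewer could run over the realm export this pull request describes, added here as an example and not part of the PR or the project's code: it confirms the client is public, requires PKCE S256, and lists only loopback redirect URIs and Web Origins. The sample realm is constructed, the field names follow Keycloak's realm export format, and `is_local` and `lint_realm` are hypothetical helper names.

```python
import json
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample in the shape of a Keycloak realm export; not the PR's dls-realm.json.
SAMPLE_REALM = json.loads("""
{
  "realm": "dls",
  "clients": [{
    "clientId": "SmartEM",
    "publicClient": true,
    "redirectUris": ["http://localhost:5173/*"],
    "webOrigins": ["http://localhost:5173"],
    "attributes": {"pkce.code.challenge.method": "S256"}
  }]
}
""")

def is_local(uri):
    """True only when the URI's host is exactly a loopback name or address."""
    parts = urlsplit(uri)
    return parts.scheme in ("http", "https") and parts.hostname in LOCAL_HOSTS

def lint_realm(realm, client_id="SmartEM"):
    """Return findings for one client of a parsed realm export (empty list = clean)."""
    client = next((c for c in realm.get("clients", [])
                   if c.get("clientId") == client_id), None)
    if client is None:
        return [f"client {client_id!r} not found"]
    findings = []
    if not client.get("publicClient"):
        findings.append("client is not public")
    if client.get("attributes", {}).get("pkce.code.challenge.method") != "S256":
        findings.append("PKCE S256 not required")
    for field in ("redirectUris", "webOrigins"):
        for uri in client.get(field, []):
            # "+" in webOrigins means "derive from redirectUris", so it is safe
            # exactly when the redirect URIs are.
            if not (field == "webOrigins" and uri == "+") and not is_local(uri):
                findings.append(f"{field}: non-local entry {uri!r}")
    return findings

if __name__ == "__main__":
    for finding in lint_realm(SAMPLE_REALM) or ["ok"]:
        print(finding)
```

Run against the real export by loading `dls-realm.json` with `json.load` and passing the result to `lint_realm`; a non-empty result means a non-local entry or a weakened client setting has entered the shared realm file.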