Tenant auto creation

Tenant Onboarding Automation - Swimlane Flow Diagram

Issue Reference: enclaive/emcp-be#2279


Swimlane: Full Tenant Provisioning Flow


State Machine: Tenant Provisioning Lifecycle


Service Responsibility Matrix


Retry Strategy Summary

| Phase | Retry Target | Trigger | Strategy | Max Attempts | Backoff | On Exhaustion |
|---|---|---|---|---|---|---|
| Phase 2 | Keycloak API | Connection timeout / 5xx | Simple retry | 2 | 3s fixed | STEP_FAILED, admin notified |
| Phase 3 | Vault API | Connection timeout / 5xx | Simple retry | 2 | 3s fixed | STEP_FAILED, admin notified |
| Phase 4 | Cloudflare API | 429 rate limit / 5xx | Exponential backoff | 3 | 2s → 4s → 8s | STEP_FAILED, admin can retry |
| Phase 4 | Cloudflare API | 409 conflict (record already exists) | Skip (idempotent) | - | - | Treat as success |
| Phase 5 | GitHub API | 403 / 5xx | Simple retry | 2 | 5s fixed | STEP_FAILED, manual PR needed |
| Phase 6 | Health check | Endpoint not ready | Polling | 20 | 15s interval | TIMEOUT, admin can retry |
| Any | Admin retry | Button click | Resume from failed step | Unlimited | - | Admin decides |
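The retry table above, worked through as an added example (this is not code from the emcp-be project): a small executor that applies each phase's policy, classifies HTTP statuses the way the Trigger column does, treats a Cloudflare 409 as success, and records which step failed so that an admin retry resumes there instead of re-running phases that already succeeded. The phase names, the status classification, the injected `sleep` and the scripted clients are assumptions made for illustration; "Max attempts" is read as the number of retries after the first call, which is how the three Cloudflare backoff values line up.

```python
"""Retry executor for the phase table above (added example, not emcp-be code).

Assumed: phase names, the status-code classification, the injected `sleep`
and the scripted clients.  "Max attempts" is read as retries after the first
call, matching the three Cloudflare backoff values.  None = connection timeout.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class Outcome(Enum):
    OK = "ok"                # success (or 409 on an idempotent create)
    RETRYABLE = "retryable"  # transient: timeout, 5xx, 429, GitHub 403
    NOT_READY = "not_ready"  # health-check endpoint not serving yet
    FATAL = "fatal"          # any other status: fail the step, no retry


class State(Enum):
    COMPLETED = "COMPLETED"
    STEP_FAILED = "STEP_FAILED"
    TIMEOUT = "TIMEOUT"


@dataclass(frozen=True)
class Policy:
    delays: Tuple[float, ...]                      # wait before retry 1, 2, ...
    on_exhaustion: State                           # state after the last retry fails
    classify: Callable[[Optional[int]], Outcome]   # HTTP status -> Outcome


def transient(status: Optional[int], extra: Sequence[int] = ()) -> Outcome:
    """Timeouts (None), 5xx and any status listed in `extra` are retryable."""
    if status is None or status >= 500 or status in extra:
        return Outcome.RETRYABLE
    return Outcome.OK if 200 <= status < 300 else Outcome.FATAL


def classify_cloudflare(status: Optional[int]) -> Outcome:
    if status == 409:   # record already exists: idempotent, treat as success
        return Outcome.OK
    return transient(status, extra=(429,))


# GitHub also answers permission errors with 403; those simply exhaust the two
# retries and end in STEP_FAILED ("manual PR needed"), as the table says.
PHASES: Dict[str, Policy] = {
    "keycloak":   Policy((3.0, 3.0), State.STEP_FAILED, transient),
    "vault":      Policy((3.0, 3.0), State.STEP_FAILED, transient),
    "cloudflare": Policy((2.0, 4.0, 8.0), State.STEP_FAILED, classify_cloudflare),
    "github":     Policy((5.0, 5.0), State.STEP_FAILED, lambda s: transient(s, (403,))),
    "health":     Policy((15.0,) * 20, State.TIMEOUT,
                         lambda s: Outcome.OK if s == 200 else Outcome.NOT_READY),
}
PHASE_ORDER = list(PHASES)


def run_step(call: Callable[[], Optional[int]], policy: Policy,
             sleep: Callable[[float], None]) -> Tuple[State, int]:
    """Call until success, a fatal status or exhaustion; return (state, calls made)."""
    for attempt, delay in enumerate((None,) + policy.delays, start=1):
        if delay is not None:
            sleep(delay)
        outcome = policy.classify(call())
        if outcome is Outcome.OK:
            return State.COMPLETED, attempt
        if outcome is Outcome.FATAL:
            return State.STEP_FAILED, attempt
    return policy.on_exhaustion, len(policy.delays) + 1


@dataclass
class Run:
    completed: List[str]                 # phases that succeeded, in order
    failed_step: Optional[str] = None    # kept so an admin retry can resume here
    state: Optional[State] = None


def provision(clients: Dict[str, Callable[[], Optional[int]]],
              sleep: Callable[[float], None], resume: Optional[Run] = None) -> Run:
    """Run the phases in order; with `resume`, start again at the failed step."""
    run = resume or Run(completed=[])
    start = PHASE_ORDER.index(run.failed_step) if run.failed_step else 0
    run.failed_step, run.state = None, None
    for name in PHASE_ORDER[start:]:
        state, _ = run_step(clients[name], PHASES[name], sleep)
        if state is not State.COMPLETED:
            run.failed_step, run.state = name, state
            return run
        run.completed.append(name)
    run.state = State.COMPLETED
    return run


def scripted(statuses: Sequence[Optional[int]]) -> Callable[[], Optional[int]]:
    """Constructed stand-in for an HTTP client: replies in order, then repeats the last."""
    queue = list(statuses)

    def call() -> Optional[int]:
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return call
```

Two points worth noting when wiring this to real clients: the Cloudflare 409 branch is what makes an admin retry safe, since a resumed Phase 4 will re-issue the same create calls; and the GitHub row retries on 403 only because GitHub signals its secondary rate limit that way, so a 403 caused by a token without `contents`/`pull_requests` write permission burns the two retries and lands in STEP_FAILED, which is why that row ends in "manual PR needed" rather than "admin can retry".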


Missing Steps Added (vs Original List)

| Original step | What was added |
|---|---|
| Keycloak created | OIDC client registration, admin user creation, role assignment, theme and email config, token lifespans, password policy |
| Vault created | Identity engine, KV-v2 engine, K8s auth role for pod injection, access policies, agent sidecar config |
| Domains created | Redis Streams dispatch (BE → WR), per-environment DNS (prod/staging/dev), idempotent duplicate handling |
| DNS → Git Action | Branch creation, Helm values.yaml modification per env, auto-approve validation, squash merge |
| Deployment | ArgoCD sync detection, cert-manager TLS provisioning, structured health check polling |
| Completed | Billing setup, theme sync, settings sync, tenant-events stream (→ finops-service), audit log with actor tracking |
| (new) | Client-side validation, subdomain uniqueness check, env prefix generation, SSE progress updates, retry from failed step |
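The validation, uniqueness check and env prefix generation in the "(new)" row, as an added example (not the project's own code). The subdomain is tenant-supplied and, per the rows above, ends up in Cloudflare DNS records and in a Helm values.yaml committed to a branch, so it is validated as a strict DNS label before anything downstream sees it. Assumptions: RFC 1123 hostname-label rules, `example.com` as the base zone, the prefix scheme `dev-`/`staging-` with no prefix for prod, the reserved-label list, and `existing` as the set of subdomains already provisioned.

```python
"""Subdomain validation and per-environment hostnames (added example, not emcp-be code).

Assumed: RFC 1123 hostname-label rules, the base zone, the env prefix scheme
(dev-/staging-, none for prod), the reserved-label list and `existing` (the
set of subdomains already provisioned).  The subdomain is tenant-supplied and
ends up in DNS records and a Helm values.yaml, so it is validated strictly.
"""
import re
from typing import Dict, Set

BASE_DOMAIN = "example.com"                            # assumed base zone
ENV_PREFIX = {"prod": "", "staging": "staging-", "dev": "dev-"}
RESERVED = {"www", "api", "admin", "auth", "vault", "mail", "ns1", "ns2", "argocd"}
# one DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


class SubdomainError(ValueError):
    pass


def normalize(raw: str) -> str:
    """Lower-case and trim; refuse non-ASCII so a homoglyph label (Cyrillic
    'а' in 'acme') can never be registered next to a look-alike tenant."""
    if not raw.isascii():
        raise SubdomainError("subdomain must be ASCII")
    return raw.strip().lower()


def hostnames(sub: str) -> Dict[str, str]:
    """Per-environment FQDNs for an already-validated subdomain."""
    return {env: f"{prefix}{sub}.{BASE_DOMAIN}" for env, prefix in ENV_PREFIX.items()}


def validate(raw: str, existing: Set[str]) -> str:
    """Return the normalized subdomain, or raise SubdomainError."""
    sub = normalize(raw)
    if not LABEL_RE.match(sub):
        raise SubdomainError("not a valid DNS label")
    if sub in RESERVED:
        raise SubdomainError("reserved name")
    for env, prefix in ENV_PREFIX.items():
        # a tenant called 'dev-acme' would collide with tenant acme's dev host
        if prefix and sub.startswith(prefix):
            raise SubdomainError(f"must not start with env prefix {prefix!r}")
        # the prefixed label must itself stay within the 63-char label limit
        if len(prefix + sub) > 63:
            raise SubdomainError(f"too long once the {env} prefix is added")
    if sub in {e.lower() for e in existing}:          # uniqueness, case-insensitive
        raise SubdomainError("subdomain already taken")
    return sub
```

The uniqueness check is done against the lower-cased set because DNS is case-insensitive while a database unique index may not be; the env-prefix check closes the remaining collision, where two distinct tenants would otherwise map to the same hostname in different environments.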
