fix(ory,lasuite): harden session security and fix logout + WebSocket routing

- Fix Hydra postLogoutRedirectUris for docs and people to match the
  actual URI sent by mozilla_django_oidc v5 (/api/v1.0/logout-callback/)
  instead of the root URL, resolving 599 logout errors.

- Fix docs y-provider WebSocket backend port: use Service port 443
  (not pod port 4444 which has no DNAT rule) in Pingora config.

- Tighten VSO VaultDynamicSecret rotation sync: add allowStaticCreds:true
  and reduce refreshAfter from 1h to 5m across all static-creds paths
  (kratos, hydra, gitea, hive, people, docs) so credential rotation is
  reflected within 5 minutes instead of up to 1 hour.

- Set Hydra token TTLs: access_token and id_token to 5m; refresh_token
  to 720h (30 days). Kratos session carries silent re-auth so the short
  access token TTL does not require users to log in manually.

- Set SESSION_COOKIE_AGE=3600 (1h) in docs and people backends. After
  1h, apps silently re-auth via the active Kratos session. Disabled
  identities (sunbeam user disable) cannot re-auth on next expiry.

base/devtools/vault-secrets.yaml

@@ -21,7 +21,8 @@ spec:
   vaultAuthRef: vso-auth
   mount: database
   path: static-creds/gitea
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
   rolloutRestartTargets:
     - kind: StatefulSet
       name: gitea

base/ingress/pingora-config.yaml

@@ -53,7 +53,7 @@ data:
       # Real-time collaboration WebSocket (y-provider / Hocuspocus).
       [[routes.paths]]
       prefix    = "/collaboration/ws/"
-      backend   = "http://docs-y-provider.lasuite.svc.cluster.local:4444"
+      backend   = "http://docs-y-provider.lasuite.svc.cluster.local:443"
       websocket = true
 
     [[routes]]

base/lasuite/docs-values.yaml

@@ -118,11 +118,18 @@ backend:
       secretKeyRef:
         name: docs-django-secret
         key: DJANGO_SECRET_KEY
-    DJANGO_CONFIGURATION:        Production
+    DJANGO_CONFIGURATION:             Production
-    ALLOWED_HOSTS:               docs.DOMAIN_SUFFIX
+    ALLOWED_HOSTS:                    docs.DOMAIN_SUFFIX
-    DJANGO_ALLOWED_HOSTS:        docs.DOMAIN_SUFFIX
+    DJANGO_ALLOWED_HOSTS:             docs.DOMAIN_SUFFIX
-    DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.DOMAIN_SUFFIX
+    DJANGO_CSRF_TRUSTED_ORIGINS:      https://docs.DOMAIN_SUFFIX
-    LOGIN_REDIRECT_URL:          /
+    LOGIN_REDIRECT_URL:               /
+    LOGOUT_REDIRECT_URL:              /
+    FRONTEND_HOMEPAGE_FEATURE_ENABLED: "false"
+    # Low cache timeout so theme changes propagate without pod restarts.
+    THEME_CUSTOMIZATION_CACHE_TIMEOUT: "30"
+    # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
+    # Lockout window: disabled identity cannot re-auth within 1h of expiry.
+    SESSION_COOKIE_AGE: "3600"
 
     # ── Y-Provider ────────────────────────────────────────────────────────────
     # Shared secret for backend ↔ y-provider auth.
@@ -132,12 +139,31 @@ backend:
         key: secret
     COLLABORATION_SERVER_URL:    http://docs-y-provider.lasuite.svc.cluster.local:4444
 
+  themeCustomization:
+    enabled: true
+    # La Gaufre v2: point at our self-hosted integration service.
+    # DOMAIN_SUFFIX is substituted by kustomize_build at deploy time.
+    file_content:
+      header:
+        logo: {}
+        icon:
+          src: "/assets/icon-docs.svg"
+          style:
+            width: "32px"
+            height: "auto"
+          alt: ""
+          withTitle: true
+      waffle:
+        apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
+        widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
+        label: "O Estúdio"
+        closeLabel: "Fechar"
+        newWindowLabelSuffix: " · nova janela"
+
 frontend:
   envVars:
     NEXT_PUBLIC_API_URL:              https://docs.DOMAIN_SUFFIX
     NEXT_PUBLIC_COLLABORATION_WS_URL: wss://docs.DOMAIN_SUFFIX/collaboration/ws/
-    # La Gaufre app launcher — served from our self-hosted integration service.
-    GAUFREJS_URL:                     https://integration.DOMAIN_SUFFIX/api/v1/gaufre.js
 
 yProvider:
   envVars:

base/lasuite/integration-deployment.yaml

@@ -21,7 +21,7 @@ data:
     {
       "services": [
         {
-          "name": "Documentos",
+          "name": "Docs",
           "url": "https://docs.DOMAIN_SUFFIX",
           "logo": "https://integration.DOMAIN_SUFFIX/logos/docs.svg"
         },

base/lasuite/oidc-clients.yaml

@@ -20,6 +20,8 @@ spec:
   scope: openid email profile
   redirectUris:
     - https://docs.DOMAIN_SUFFIX/api/v1.0/callback/
+  postLogoutRedirectUris:
+    - https://docs.DOMAIN_SUFFIX/api/v1.0/logout-callback/
   tokenEndpointAuthMethod: client_secret_post
   secretName: oidc-docs
   skipConsent: true
@@ -120,6 +122,8 @@ spec:
   scope: openid email profile
   redirectUris:
     - https://people.DOMAIN_SUFFIX/api/v1.0/callback/
+  postLogoutRedirectUris:
+    - https://people.DOMAIN_SUFFIX/api/v1.0/logout-callback/
   tokenEndpointAuthMethod: client_secret_post
   secretName: oidc-people
   skipConsent: true

base/lasuite/people-values.yaml

@@ -125,8 +125,11 @@ backend:
     ALLOWED_HOSTS:             people.DOMAIN_SUFFIX
     DJANGO_ALLOWED_HOSTS:      people.DOMAIN_SUFFIX
     DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
-    # Redirect to frontend SPA root after successful OIDC login.
+    # Redirect to frontend SPA root after successful OIDC login/logout.
     LOGIN_REDIRECT_URL:        /
+    LOGOUT_REDIRECT_URL:       /
+    # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
+    SESSION_COOKIE_AGE: "3600"
 
 # celeryWorker and celeryBeat intentionally have no envVars here.
 # The desk chart template automatically injects backend.envVars into all

base/lasuite/vault-secrets.yaml

@@ -44,7 +44,8 @@ spec:
   vaultAuthRef: vso-auth
   mount: database
   path: static-creds/hive
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
   rolloutRestartTargets:
     - kind: Deployment
       name: hive
@@ -91,7 +92,8 @@ spec:
   vaultAuthRef: vso-auth
   mount: database
   path: static-creds/people
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
   rolloutRestartTargets:
     - kind: Deployment
       name: people-backend
@@ -140,7 +142,8 @@ spec:
   vaultAuthRef: vso-auth
   mount: database
   path: static-creds/docs
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
   rolloutRestartTargets:
     - kind: Deployment
       name: docs-backend

base/ory/hydra-values.yaml

@@ -15,6 +15,14 @@ hydra:
       logout: https://auth.DOMAIN_SUFFIX/logout
       error: https://auth.DOMAIN_SUFFIX/error
 
+    ttl:
+      # Short access tokens — API-level auth window is tight.
+      access_token: 5m
+      id_token: 5m
+      # Refresh tokens last 30 days; Kratos session carries silent re-auth.
+      # Revoking a Kratos session (sunbeam user disable) prevents refresh.
+      refresh_token: 720h
+
     serve:
       cookies:
         same_site_mode: Lax

base/ory/vault-secrets.yaml

@@ -73,7 +73,8 @@ spec:
   vaultAuthRef: vso-auth
   mount: database
   path: static-creds/kratos
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
   rolloutRestartTargets:
     - kind: Deployment
       name: kratos
@@ -123,7 +124,8 @@ spec:
   vaultAuthRef: vso-auth
   mount: database
   path: static-creds/hydra
-  refreshAfter: 1h
+  allowStaticCreds: true
+  refreshAfter: 5m
   rolloutRestartTargets:
     - kind: Deployment
       name: hydra