Status: active. Updated Feb 19, 2026, 8:25 PM
Policy ID js7erp2nnyg30rzqbzbmmg2acs81eb9e
OAuth/OIDC metadata endpoints require contract tests.

Rationale:
- Well-known metadata endpoints are client contracts; regressions break integrations quickly.

Scope:
- PR review policy for Python service changes to OAuth/OIDC discovery metadata endpoints or their payload configuration.

Trigger:
- A PR adds or changes `/.well-known/*` OAuth/OIDC metadata behavior, route aliases, or metadata config fields.

Approval checks:
1) Tests assert required contract fields for exposed metadata endpoints (for example issuer/auth/token/resource/jwks fields, as applicable to the endpoint).
2) If multiple alias routes are exposed for the same metadata contract, tests cover those aliases.
3) If response caching headers are intentionally set by the implementation, tests assert the expected cache behavior.

Evidence:
- Tests in the diff show field-level contract assertions and status checks.
- Alias coverage and cache-header assertions are present when relevant.

Exception path:
- Allow deviation only when all of the following are true:
  1) PR description includes `Policy Exception: python-oauth-metadata-contract-tests`.
  2) PR explains why the change is not client-contract-impacting.
  3) PR documents an equivalent validation path.

Decision:
- Return NOT APPROVED when the trigger is met and contract assurance is missing without a valid exception.
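The three approval checks above (field-level assertions, alias coverage, cache-header assertions) can be written as one small contract suite. The following is an added example, not code from this policy or from any service it governs: the route table, the `auth.example.test` / `api.example.test` hosts, the `make_app` stand-in for the service, and the `CACHE_CONTROL` value are all constructed assumptions. The suite returns a list of violations so that the same functions serve both as pytest tests and as a quick regression check, and it goes slightly beyond the policy text by showing that a dropped field, a drifted alias and a changed cache header are each reported.

```python
"""Contract checks for OAuth/OIDC well-known metadata (constructed example)."""
import json
from typing import Callable, Dict, Iterable, List, Mapping, Optional, Sequence, Tuple

# A response is (status, headers, body); a "fetch" callable maps a path to one,
# so the checks run against a real HTTP client or against the in-memory app below.
Response = Tuple[int, Dict[str, str], bytes]
Fetch = Callable[[str], Response]

# Constructed configuration for a hypothetical Python service. Field names follow
# the policy's examples (issuer/auth/token/resource/jwks); hosts are made up.
AS_CONFIG: Dict[str, object] = {
    "issuer": "https://auth.example.test",
    "authorization_endpoint": "https://auth.example.test/oauth/authorize",
    "token_endpoint": "https://auth.example.test/oauth/token",
    "jwks_uri": "https://auth.example.test/.well-known/jwks.json",
    "response_types_supported": ["code"],
}
RESOURCE_CONFIG: Dict[str, object] = {
    "resource": "https://api.example.test",
    "authorization_servers": ["https://auth.example.test"],
}
CACHE_CONTROL = "public, max-age=3600"  # assumed: set on purpose by the service

# The contract under test: required fields per exposed path, and alias groups
# that must serve identical documents.
AS_FIELDS = {"issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"}
CONTRACT: Dict[str, set] = {
    "/.well-known/oauth-authorization-server": AS_FIELDS,
    "/.well-known/openid-configuration": AS_FIELDS,  # alias route, same document
    "/.well-known/oauth-protected-resource": {"resource"},
}
ALIAS_GROUPS: Sequence[Sequence[str]] = [
    ("/.well-known/oauth-authorization-server", "/.well-known/openid-configuration"),
]


def make_app(as_config: Mapping, resource_config: Mapping, cache_control: str,
             openid_config: Optional[Mapping] = None) -> Fetch:
    """In-memory stand-in for the service's well-known routes (hypothetical)."""
    routes = {
        "/.well-known/oauth-authorization-server": as_config,
        "/.well-known/openid-configuration": openid_config if openid_config is not None else as_config,
        "/.well-known/oauth-protected-resource": resource_config,
    }

    def fetch(path: str) -> Response:
        if path not in routes:
            return 404, {"Content-Type": "text/plain"}, b"not found"
        headers = {"Content-Type": "application/json", "Cache-Control": cache_control}
        return 200, headers, json.dumps(routes[path], sort_keys=True).encode()
    return fetch


def check_fields(fetch: Fetch, path: str, required: Iterable[str]) -> List[str]:
    """Status and field-level assertions; returns violations (empty list = pass)."""
    status, headers, body = fetch(path)
    if status != 200:
        return [f"{path}: expected 200, got {status}"]
    if not headers.get("Content-Type", "").startswith("application/json"):
        return [f"{path}: Content-Type is {headers.get('Content-Type')!r}"]
    try:
        doc = json.loads(body)
    except ValueError:
        return [f"{path}: body is not valid JSON"]
    problems = [f"{path}: missing {name}" for name in sorted(required) if name not in doc]
    problems += [f"{path}: empty {name}" for name in sorted(required) if name in doc and not doc[name]]
    return problems


def check_aliases(fetch: Fetch, paths: Sequence[str]) -> List[str]:
    """Every alias must be served and must carry the same parsed document as the first path."""
    docs: Dict[str, object] = {}
    for path in paths:
        status, _, body = fetch(path)
        if status != 200:
            return [f"{path}: alias not served (status {status})"]
        docs[path] = json.loads(body)
    canonical = docs[paths[0]]
    return [f"{p}: differs from {paths[0]}" for p, d in docs.items() if d != canonical]


def check_cache_header(fetch: Fetch, path: str, expected: str) -> List[str]:
    """Only meaningful when the implementation sets Cache-Control intentionally."""
    _, headers, _ = fetch(path)
    actual = headers.get("Cache-Control")
    return [] if actual == expected else [f"{path}: Cache-Control {actual!r} != {expected!r}"]


def run_contract_suite(fetch: Fetch, cache_control: str = CACHE_CONTROL) -> List[str]:
    """All three policy checks over the route table; an empty list means the contract holds."""
    problems: List[str] = []
    for path, required in CONTRACT.items():
        problems += check_fields(fetch, path, required)
        problems += check_cache_header(fetch, path, cache_control)
    for group in ALIAS_GROUPS:
        problems += check_aliases(fetch, group)
    return problems


# pytest collects these; they are the kind of evidence a reviewer looks for in the diff.
def test_contract_holds_for_current_config():
    assert run_contract_suite(make_app(AS_CONFIG, RESOURCE_CONFIG, CACHE_CONTROL)) == []


def test_dropping_jwks_uri_is_caught():
    broken = {k: v for k, v in AS_CONFIG.items() if k != "jwks_uri"}
    problems = run_contract_suite(make_app(broken, RESOURCE_CONFIG, CACHE_CONTROL))
    assert any(p.endswith("missing jwks_uri") for p in problems)
```

Against a deployed service, `make_app` is replaced by a thin wrapper around the test client of whatever framework the service uses, returning the same `(status, headers, body)` triple; the checks themselves do not change. Keeping the required-field sets in `CONTRACT` next to the alias groups also makes the PR diff show exactly which part of the client contract a change touches.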