# Authentik Cutover

This cutover moves ATLAS customer identity from `LLDAP + Authelia` to `authentik + Postgres` while preserving Stripe billing and Swarm stacks.

## Existing Customer Import

Before retiring LLDAP, export each customer with:

- current LDAP username
- email
- Stripe customer ID
- customer phone
- customer domain
- current stack name, usually `customer-`

Insert those records into the new `ss-atlas` Postgres tables:

- `accounts.primary_email`
- `accounts.stripe_customer_id`
- `accounts.phone`
- `accounts.subscription_status = 'active'`
- `instances.slug`
- `instances.stack_name`
- `instances.customer_domain`

Use the existing stack slug when possible so `/i/` URLs continue to work.

## First Social Login

On first Authentik login, `ss-atlas` links the Authentik identity to an account by email when no exact provider subject is known yet. After that, the stable `provider + subject` tuple in `account_identities` owns the login mapping.

## Stripe Reconciliation

Stripe remains the billing source of truth. Webhooks and `/success` both upsert the same account rows using `stripe_customer_id`, and `billing_events` prevents reprocessing the same Stripe event.

## Retiring Old Services

Only retire Authelia and LLDAP after:

- all active Stripe customers exist in Postgres
- at least one Authentik identity is linked for each active customer
- `/dashboard`, `/stack-manage`, and `/i/` work through Authentik
- subscription cancellation archives/removes the correct stack

Keep a database snapshot and Swarm volume backup before deleting old identity volumes.
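
A pre-retirement check for the first two conditions in the list above, as an added example that is not part of `ss-atlas`. It runs against an in-memory SQLite stand-in for the Postgres tables; the `id`/`account_id` join keys, the `canceled` status value, the provider value, and all sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Assumed minimal schema. Column names listed on this page are kept as-is;
# the id / account_id join keys are hypothetical.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, primary_email TEXT,
    stripe_customer_id TEXT UNIQUE, subscription_status TEXT);
CREATE TABLE account_identities (account_id INTEGER, provider TEXT,
    subject TEXT, UNIQUE (provider, subject));
"""

def retirement_blockers(conn, active_stripe_ids):
    """Return (missing, unlinked): active Stripe customers with no active
    account row, and active accounts with no linked identity row."""
    known = {row[0] for row in conn.execute(
        "SELECT stripe_customer_id FROM accounts "
        "WHERE subscription_status = 'active'")}
    missing = sorted(set(active_stripe_ids) - known)
    unlinked = [row[0] for row in conn.execute("""
        SELECT a.stripe_customer_id FROM accounts a
        LEFT JOIN account_identities i ON i.account_id = a.id
        WHERE a.subscription_status = 'active'
        GROUP BY a.id HAVING COUNT(i.account_id) = 0
        ORDER BY a.stripe_customer_id""")]
    return missing, unlinked

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample rows: A is linked, B is not, C is not active.
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", [
        (1, "a@example.test", "cus_constructed_A", "active"),
        (2, "b@example.test", "cus_constructed_B", "active"),
        (3, "c@example.test", "cus_constructed_C", "canceled"),
    ])
    conn.execute("INSERT INTO account_identities VALUES "
                 "(1, 'authentik', 'sub-constructed-1')")
    # Constructed stand-in for an export of active Stripe customer IDs.
    stripe_active = ["cus_constructed_A", "cus_constructed_B",
                     "cus_constructed_D"]
    return retirement_blockers(conn, stripe_active)

if __name__ == "__main__":
    missing, unlinked = demo()
    print("active in Stripe, missing from accounts:", missing)
    print("active accounts with no linked identity:", unlinked)
    # Non-zero exit blocks the retirement step when either list is non-empty.
    raise SystemExit(1 if missing or unlinked else 0)
```

Both lists must be empty before Authelia and LLDAP are removed; the remaining two conditions (route checks and cancellation behaviour) still need to be exercised against the running stack.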