Render Kratos return URLs for staging

test/ory_v26_compose_policy_test.sh

@@ -281,6 +281,32 @@ fi
 
 "$repo_root/scripts/render_ory_config.sh" >/dev/null
 
+stage_render_dir="$(mktemp -d)"
+stage_render_env="$(mktemp)"
+cat > "$stage_render_env" <<'EOF'
+USERFRONT_URL=https://sso.hmac.kr
+ADMINFRONT_URL=https://sadmin.hmac.kr
+DEVFRONT_URL=https://sdev.hmac.kr
+ORGFRONT_URL=https://sorg.hmac.kr
+KRATOS_UI_URL=https://sso.hmac.kr
+KRATOS_BROWSER_URL=https://sso.hmac.kr/auth
+KRATOS_ADMIN_URL=http://kratos:4434
+ORY_POSTGRES_PASSWORD=policy-test
+KRATOS_ALLOWED_RETURN_URLS_JSON=
+KRATOS_ALLOWED_RETURN_URLS_EXTRA=
+EOF
+ORY_CONFIG_ENV_FILES="$stage_render_env" ORY_CONFIG_OUTPUT_DIR="$stage_render_dir/ory" "$repo_root/scripts/render_ory_config.sh" >/dev/null
+stage_rendered_kratos="$stage_render_dir/ory/kratos/kratos.yml"
+if ! awk '/allowed_return_urls:/ { in_block=1; next } in_block && /^[[:space:]]+methods:/ { exit } in_block { print }' "$stage_rendered_kratos" | grep -q 'https://sso.hmac.kr'; then
+  echo "ERROR: rendered stage Kratos config must include the public userfront URL in allowed_return_urls." >&2
+  exit 1
+fi
+if awk '/allowed_return_urls:/ { in_block=1; next } in_block && /^[[:space:]]+methods:/ { exit } in_block { print }' "$stage_rendered_kratos" | grep -q 'http://localhost:5000'; then
+  echo "ERROR: rendered stage Kratos allowed_return_urls must not fall back to localhost." >&2
+  exit 1
+fi
+rm -rf "$stage_render_dir" "$stage_render_env"
+
 for generated_config in \
   "$repo_root/config/.generated/ory/kratos/kratos.yml" \
   "$repo_root/config/.generated/ory/hydra/hydra.yml" \