chore(deps): update docker.io/library/nextcloud docker tag to v33 #597

Closed
renovate-bot-cbcoutinho[bot] wants to merge 1 commit into master from renovate/docker.io-library-nextcloud-33.x

@renovate-bot-cbcoutinho
Contributor

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| docker.io/library/nextcloud (source) | major | 32.0.6 → 33.0.0 |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@claude

claude Bot commented Mar 1, 2026

Review: Nextcloud 32 → 33 Major Version Upgrade

This Renovate PR bumps the Nextcloud Docker image from 32.0.6 → 33.0.0 — a major version update. A few things worth considering before merging:

What looks good

  • SHA256 digest is pinned (ff2cbaab...), so the image is immutable and tamper-evident. Good practice.
  • The change is minimal and isolated to docker-compose.yml.

Considerations for a major version bump

1. API compatibility
Nextcloud 33 is a major release that may include changes to app APIs. This project integrates with several internal Nextcloud APIs:

  • Notes API (/apps/notes/api/v1/)
  • CalDAV/CardDAV (remote.php/dav/)
  • WebDAV (remote.php/webdav/)
  • Deck, Tables, Cookbook apps

It's worth confirming that none of these have changed signatures or deprecations in NC33. The Nextcloud 33 release notes and developer docs are the right place to check.

2. App compatibility
Bundled apps (Notes, Deck, Tables, Cookbook) may have new minimum version requirements under NC33. If the Docker image ships updated app versions, the API contracts might differ.

3. Integration tests
Given the depth of the integration test suite (smoke, integration, OAuth, Keycloak), these should be run against this new image before merging. The CI results will tell the real story:

docker-compose up --build -d app mcp
uv run pytest -m smoke -v
uv run pytest -m "integration and not oauth" -v

4. Volume compatibility
If you're running an existing dev environment with the nextcloud Docker volume, a major Nextcloud upgrade may require a database migration (occ upgrade) or a fresh volume. The healthcheck in compose should catch most issues, but it's worth a clean start (docker compose down -v && docker compose up) when testing this.

Verdict

The change itself is correct and well-formed. The risk is entirely in what Nextcloud 33 changed — which is only knowable through the integration test suite. If CI passes green, this is safe to merge. If any integration tests regress, the failure messages should point to the specific API breakage.

renovate-bot-cbcoutinho Bot force-pushed the renovate/docker.io-library-nextcloud-33.x branch from ae946ad to 3322d4a on March 1, 2026 23:15
@claude

claude Bot commented Mar 1, 2026

Dependency Update Review: Nextcloud 32.0.6 → 33.0.0

This is a major version bump generated by Renovate Bot. The change itself is minimal (one line in docker-compose.yml), but a major Nextcloud version upgrade warrants careful review.

What's Good

  • SHA digest pinning is preserved on the new image (sha256:ff2cbaab...), maintaining supply-chain integrity.
  • The patch application script (20-apply-cors-bearer-token-patch.sh) already has graceful handling for the case where the patch is already merged upstream — it checks with patch --dry-run and skips silently if the patch can't be applied.
  • Third-party apps installed via app:install will auto-resolve to NC33-compatible versions from the app store.

Key Risk: CORS Middleware Patch Compatibility

The repo applies a custom patch to Nextcloud core's CORSMiddleware.php (see app-hooks/patches/cors-bearer-token.patch) that allows Bearer tokens to bypass CORS/CSRF checks. This is critical for OAuth/OIDC authentication to work with app APIs (Notes, Calendar, etc.).

The patch targets upstream PR nextcloud/server#55878. Nextcloud 33 may have already merged this fix, in which case the patch is correctly skipped and everything works. But the failure mode in the script deserves attention:

if patch -p1 --dry-run < "$PATCH_FILE" > /dev/null 2>&1; then
    patch -p1 < "$PATCH_FILE"
    echo "✓ Patch applied successfully"
else
    echo "⚠ Warning: Patch failed to apply (may already be applied or file changed)"
    exit 0  # Silent success!
fi

If NC33 changed the surrounding context of CORSMiddleware.php without merging the fix, the patch would silently be skipped and Bearer token auth would be broken for app-specific APIs. The script has no way to distinguish "already fixed upstream" from "file changed, patch offset mismatch".

Recommendation: After merging, run the full OAuth integration test suite (uv run pytest -m oauth -v) and check the container logs during startup to confirm whether the patch applied or was skipped:

docker compose logs app 2>&1 | grep -E "(CORS|Patch|Bearer)"

If it was skipped, verify that NC33's CORSMiddleware.php already contains the Bearer token fix before concluding things are safe.

Minor: Orphaned Patch File

app-hooks/patches/0001-Fix-Bearer-token-authentication-causing-session-logo.patch patches user_oidc's Backend.php but is never applied by any hook script (confirmed by reviewing all scripts under app-hooks/post-installation/). The 10-install-user_oidc-app.sh script even comments: "The user_oidc app_api session flag patch is NOT required when using the CORSMiddleware Bearer token patch". This file is dead code. Not a blocker, but worth cleaning up to avoid confusion.

Integration Test Coverage

This PR touches the development/CI environment only. Before merging, the following test suites should pass cleanly against NC33:

uv run pytest tests/unit/ -v                    # Baseline (unaffected)
uv run pytest -m smoke -v                       # Smoke tests  
uv run pytest -m "integration and not oauth" -v # Core API compatibility
uv run pytest -m oauth -v                       # OAuth/CORS patch verification

Pay particular attention to Notes API tests, since that's the primary API requiring the CORS patch.

Summary

| Concern | Severity | Status |
|---|---|---|
| CORS patch may silently fail against NC33 | Medium | Needs verification after merge |
| Third-party app compatibility with NC33 | Low | Auto-resolved via app store |
| SHA digest pinned correctly | | Good |
| Orphaned 0001-Fix-Bearer-token...patch file | Low | Cosmetic cleanup opportunity |

Overall: Safe to merge with post-merge verification of the OAuth integration tests.
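
The failure mode raised in the review above, where the hook script cannot tell "already fixed upstream" from "file changed, patch no longer fits", can be separated with a reverse dry run. This is an added example, not code from the repository or from the review; it assumes GNU patch and an absolute patch path, and the function names and the fixture are hypothetical.

```shell
#!/bin/sh
# Added example (not the repository's hook script). Assumes GNU patch and an
# absolute patch path; function names and the fixture are hypothetical.

# Print the state of patch $2 against the tree in $1:
#   applicable | already-applied | conflict
patch_state() {
    # Forward dry run. -N makes patch refuse, instead of guessing, when the
    # change looks reversed or previously applied.
    if (cd "$1" && patch -p1 -N --dry-run < "$2") >/dev/null 2>&1; then
        echo applicable
    # Reverse dry run with zero fuzz: succeeds only when the patched lines
    # are present exactly, i.e. the fix is already in the file.
    elif (cd "$1" && patch -p1 -R -F 0 --dry-run < "$2") >/dev/null 2>&1; then
        echo already-applied
    else
        echo conflict
    fi
}

# Apply when needed; return non-zero on drift so startup fails loudly
# instead of continuing without the fix.
apply_patch_strict() {
    case $(patch_state "$1" "$2") in
        applicable)      (cd "$1" && patch -p1 -N < "$2") >/dev/null ;;
        already-applied) echo "patch already present, skipping" ;;
        *) echo "patch neither applies nor is present; review $2" >&2
           return 1 ;;
    esac
}

# Constructed fixture: three copies of a 6-line file and a one-line insertion.
make_fixture() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/fresh" "$tmp/fixed" "$tmp/drifted"
    printf '%s\n' a b c d e f        > "$tmp/fresh/m.php"    # unpatched
    printf '%s\n' a b c bearer d e f > "$tmp/fixed/m.php"    # fix already merged
    printf '%s\n' a b Q R e f        > "$tmp/drifted/m.php"  # context changed, no fix
    printf '%s\n' '--- a/m.php' '+++ b/m.php' '@@ -1,6 +1,7 @@' \
        ' a' ' b' ' c' '+bearer' ' d' ' e' ' f' > "$tmp/fix.patch"
    echo "$tmp"
}
```

In a hook script, a non-zero return from apply_patch_strict can be passed straight to exit so the container fails its startup when the file has drifted.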

renovate-bot-cbcoutinho Bot force-pushed the renovate/docker.io-library-nextcloud-33.x branch from 3322d4a to fc1b200 on March 3, 2026 05:15
@claude

claude Bot commented Mar 3, 2026

Review: Nextcloud 32 → 33 Major Version Bump

This is a Renovate-generated major version bump for the Nextcloud Docker image used in the integration test environment.

What changed

docker.io/library/nextcloud:32.0.6@sha256:5c4e09f72... → 33.0.0@sha256:d53f6cb35...

Positives ✅

  • SHA digest pinning is preserved — the image reference still includes a content-addressable digest, which prevents tag mismatch attacks and ensures reproducibility.
  • Automated via Renovate — consistent update hygiene; no manual drift from the official image.
  • Minimal scope — only docker-compose.yml is touched (1 line changed), no application code or test fixture changes.

Points to verify before merging

1. Nextcloud app compatibility (highest risk)

The project uses several Nextcloud apps whose API contracts could change between major releases:

  • Notes app — REST API at /apps/notes/api/v1/
  • Deck app — REST API with card/board endpoints
  • Tables app — REST API
  • Cookbook app — REST API

Verify that the bundled or auto-updated app versions in Nextcloud 33 are still API-compatible with the client code in nextcloud_mcp_server/client/.

2. OIDC/OAuth integration

The OIDC app (third_party/oidc) is compiled separately from PHP source and mounted into the container. Nextcloud 33 may require a different version of user_oidc that introduces breaking changes to:

  • OAuth authorization code flow (tested via Playwright in tests/server/oauth/)
  • OIDC token structure/audience handling (ADR-005, ADR-002)
  • DCR (RFC 7591) registration endpoint

The CI workflow builds the OIDC app with PHP 8.4 (.github/workflows/test.yml:37) — confirm Nextcloud 33's bundled PHP runtime is compatible.

3. CalDAV / CardDAV protocol handling

While CalDAV and CardDAV are standard protocols, Nextcloud occasionally changes its server-side implementation details (e.g., ETag formats, scheduling behavior, property namespaces). The calendar and contacts integration tests should catch regressions here.

4. WebDAV SEARCH / PROPFIND changes

The project uses SEARCH requests against WebDAV (nextcloud_mcp_server/client/webdav.py) which relies on Nextcloud-specific extensions. Confirm this endpoint continues to behave identically in NC33.

5. No docker-compose.yml startup ordering changes needed

The healthcheck for the app service (curl .../status.php | grep installed:true) should still work in NC33 since status.php is a stable endpoint. No action needed here.


CI coverage

The test workflow (.github/workflows/test.yml) spins up the full docker-compose stack and runs pytest -m unit -m smoke. However, note that the -m unit -m smoke flag runs tests that are both unit and smoke marked (logical AND), which may not exercise all integration paths. The OAuth and integration test suites are the real validation for Nextcloud API compatibility — ensure those pass locally or in a branch CI run before merging.


Summary

The change is mechanically correct and the digest pinning pattern is maintained. The main concern is the major version jump and whether the Nextcloud 33 environment is fully compatible with the compiled OIDC app and the REST/WebDAV/CalDAV client code. If the full CI suite (including OAuth tests) passes green, this is safe to merge.

cbcoutinho closed this Mar 3, 2026
@renovate-bot-cbcoutinho
Contributor Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 33.x releases. But if you manually upgrade to 33.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

renovate-bot-cbcoutinho Bot deleted the renovate/docker.io-library-nextcloud-33.x branch on March 3, 2026 11:18