OPC # 0002: Improvements to Client provisioning workflows

Co-authored-by: Copilot <copilot@github.com>

ControlPlane.Worker/Services/ClarityContainerService.cs

@@ -553,13 +553,13 @@ public class ClarityContainerService(
         // ── Postgres ──────────────────────────────────────────────────────────
         if (stack.Postgres == ComponentMode.OwnContainer)
         {
-            sb.AppendLine($"""
-                  pg-{s}:
+            sb.AppendLine($$"""
+                  pg-{{s}}:
                     image: postgres:16
                     restart: unless-stopped
                     environment:
                       POSTGRES_USER: clarity
-                      POSTGRES_PASSWORD: ${{POSTGRES_PASSWORD:-clarity-dev}}
+                      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-clarity-dev}
                       POSTGRES_DB: clarity
                     expose:
                       - "5432"
@@ -574,7 +574,7 @@ public class ClarityContainerService(
                       - clarity-net
                     labels:
                       clarity.managed: "true"
-                      clarity.subdomain: {s}
+                      clarity.subdomain: {{s}}
                       clarity.component: postgres
                 """);
         }
@@ -591,20 +591,20 @@ public class ClarityContainerService(
                   """
                 : string.Empty;
 
-            sb.AppendLine($"""
-                  kc-{s}:
+            sb.AppendLine($$"""
+                  kc-{{s}}:
                     image: quay.io/keycloak/keycloak:latest
                     restart: unless-stopped
                     command: start-dev
                     environment:
                       KEYCLOAK_ADMIN: admin
-                      KEYCLOAK_ADMIN_PASSWORD: ${{KEYCLOAK_ADMIN_PASSWORD:-admin}}
+                      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin}
                       KC_DB: postgres
-                      KC_DB_URL_HOST: pg-{s}
+                      KC_DB_URL_HOST: pg-{{s}}
                       KC_DB_URL_DATABASE: keycloak
                       KC_DB_USERNAME: clarity
-                      KC_DB_PASSWORD: ${{POSTGRES_PASSWORD:-clarity-dev}}
-                      KC_HOSTNAME: {kcHostname}
+                      KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-clarity-dev}
+                      KC_HOSTNAME: {{kcHostname}}
                       KC_HOSTNAME_STRICT: "false"
                       KC_HTTP_ENABLED: "true"
                     expose:
@@ -614,11 +614,11 @@ public class ClarityContainerService(
                     networks:
                       - clarity-net
                     extra_hosts:
-                      - "{kcHostname}:host-gateway"
-                {dependsBlock}
+                      - "{{kcHostname}}:host-gateway"
+                {{dependsBlock}}
                     labels:
                       clarity.managed: "true"
-                      clarity.subdomain: {s}
+                      clarity.subdomain: {{s}}
                       clarity.component: keycloak
                 """);
         }
@@ -626,14 +626,14 @@ public class ClarityContainerService(
         // ── Vault ─────────────────────────────────────────────────────────────
         if (stack.Vault == ComponentMode.OwnContainer)
         {
-            sb.AppendLine($"""
-                  vault-{s}:
+            sb.AppendLine($$"""
+                  vault-{{s}}:
                     image: hashicorp/vault:latest
                     restart: unless-stopped
                     cap_add:
                       - IPC_LOCK
                     environment:
-                      VAULT_DEV_ROOT_TOKEN_ID: ${{VAULT_TOKEN:-vault-dev-root}}
+                      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_TOKEN:-vault-dev-root}
                       VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
                     expose:
                       - "8200"
@@ -643,7 +643,7 @@ public class ClarityContainerService(
                       - clarity-net
                     labels:
                       clarity.managed: "true"
-                      clarity.subdomain: {s}
+                      clarity.subdomain: {{s}}
                       clarity.component: vault
                 """);
         }
@@ -651,14 +651,14 @@ public class ClarityContainerService(
         // ── MinIO ─────────────────────────────────────────────────────────────
         if (stack.Minio == ComponentMode.OwnContainer)
         {
-            sb.AppendLine($"""
-                  minio-{s}:
+            sb.AppendLine($$"""
+                  minio-{{s}}:
                     image: minio/minio:latest
                     restart: unless-stopped
                     command: server /data --console-address ":9001"
                     environment:
-                      MINIO_ROOT_USER: ${{MINIO_ROOT_USER:-minio}}
-                      MINIO_ROOT_PASSWORD: ${{MINIO_ROOT_PASSWORD:-minio-dev}}
+                      MINIO_ROOT_USER: ${MINIO_ROOT_USER:-minio}
+                      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-minio-dev}
                     expose:
                       - "9000"
                       - "9001"
@@ -669,7 +669,7 @@ public class ClarityContainerService(
                       - clarity-net
                     labels:
                       clarity.managed: "true"
-                      clarity.subdomain: {s}
+                      clarity.subdomain: {{s}}
                       clarity.component: minio
                 """);
         }