
Blueprint overwriting non configured settings #2197

@Hutch79


Describe the Bug

I use these labels on my compose stacks:

- pangolin.public-resources.linkwarden.auth.sso-enabled=true
- pangolin.public-resources.linkwarden.auth.auto-login-idp=1

Since the wiki states that configured blueprint settings will not overwrite UI settings, I'd expect this to not overwrite my UI role and sso-user configuration.
Unfortunately, on every redeploy, my roles and users get cleared out.
It may of course be that I misinterpreted the docs.

I understand that these settings belong to each other, but when I have never set these labels, I'd still expect blueprints to not overwrite UI settings.

Docs AI answer regarding this (I know AI is nowhere near perfect and loves to invent stuff ^^')

If you only set sso-enabled: true and auto-login-idp in your blueprint, it will NOT overwrite your existing sso-users list. Blueprints only overwrite the specific fields you define in the compose labels. Fields you don't specify in the blueprint will retain their existing values from the UI.


Some background unrelated to the issue itself

Personally, I don't want to version my access control. I also want to be able to change access quickly and without redeploying the service.
Therefore, I do not want to define users or groups in my compose.

Despite that, I want to enable/disable the SSO via GitOps, since this is a change not done often.

Environment

  • OS Type & Version: Debian 13 (Pangolin, gerbil, traefik, postgres - Running on external VPS) - NixOS 25.11 (Newt - Running in VM)
  • Pangolin Version: 1.14.1 (image: fosrl/pangolin:postgresql-1.14)
  • Gerbil Version: 1.3.0 (image: fosrl/gerbil:1.3.0)
  • Traefik Version: 3.5 (image: traefik:v3.5)
  • Newt Version: 1.8.1 (image: fosrl/newt)

To Reproduce

  1. Set up a compose and add blueprint labels to enable SSO.
  2. Verify blueprint got applied
  3. Set at least one sso-user
  4. Redeploy your compose
  5. Verify sso-users got removed

Expected Behavior

Only overwrite properties explicitly set in blueprints.
When the sso-users array is left empty, don't overwrite it.

Advanced Solution

When removing all previously configured sso-users from the config, it should clear the list.
Basically do a diff from old and new blueprint and apply this.

Old config:

- pangolin.public-resources.linkwarden.auth.sso-enabled=true
- pangolin.public-resources.linkwarden.auth.auto-login-idp=1
- pangolin.public-resources.linkwarden.auth.sso-users[0]=user1.example.ch
- pangolin.public-resources.linkwarden.auth.sso-users[1]=user2.example.ch

New config:

- pangolin.public-resources.linkwarden.auth.sso-enabled=true
- pangolin.public-resources.linkwarden.auth.auto-login-idp=1
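
The behaviour requested under Expected Behavior and Advanced Solution is a three-way merge of the UI state, the previously applied blueprint and the new one. The TypeScript below is an added example, not part of the issue and not Pangolin's code; the function names, the field-map shape and the sample labels are assumptions made for illustration.

```typescript
// Added example; names are hypothetical, not Pangolin's implementation.
type Value = string | string[];
type Fields = Record<string, Value>;

// Parse "pangolin.public-resources.<resource>.auth.<field>=<value>" labels
// into a field map; indexed keys such as "sso-users[0]" become arrays.
function parseAuthLabels(labels: string[], resource: string): Fields {
  const prefix = `pangolin.public-resources.${resource}.auth.`;
  const out: Fields = {};
  for (const label of labels) {
    const eq = label.indexOf("=");
    if (eq < 0 || label.indexOf(prefix) !== 0) continue;
    const key = label.slice(prefix.length, eq);
    const value = label.slice(eq + 1);
    const m = /^(.+)\[(\d+)\]$/.exec(key);
    if (!m) { out[key] = value; continue; }
    const name = m[1] as string;
    const prior = out[name];
    const list: string[] = Array.isArray(prior) ? prior : [];
    list[Number(m[2])] = value;
    out[name] = list;
  }
  return out;
}

// Three-way apply. Fields set in `next` win. Fields that were in `prev` but
// are gone from `next` are cleared. Fields in neither keep the UI value.
function applyBlueprint(ui: Fields, prev: Fields, next: Fields): Fields {
  const result: Fields = { ...ui };
  for (const key of Object.keys(prev)) {
    if (key in next) continue;
    if (Array.isArray(prev[key])) result[key] = [];
    else delete result[key];
  }
  for (const key of Object.keys(next)) result[key] = next[key] as Value;
  return result;
}

// Constructed sample labels, modelled on the two configs in the issue.
const BASE = "pangolin.public-resources.linkwarden.auth.";
const WITH_USERS = [
  BASE + "sso-enabled=true",
  BASE + "auto-login-idp=1",
  BASE + "sso-users[0]=user1.example.ch",
  BASE + "sso-users[1]=user2.example.ch",
];
const WITHOUT_USERS = WITH_USERS.slice(0, 2);
```

Passing the same label set as both `prev` and `next` models a plain redeploy, where a UI-managed `sso-users` list survives; passing `WITH_USERS` as `prev` and `WITHOUT_USERS` as `next` models removing the users from the compose file, where the list is emptied.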

Labels: enhancement (New feature or request)
