diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
index de80900..3d92769 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -36,6 +36,11 @@
+# WARNING : this disables AND wipes ALL gitea_cicd_* per-app JWT roles
+# (created by tools/hashicorp-vault/iac/) every time it runs. Default is OFF
+# to preserve those roles across normal ansible runs ; opt-in only when you
+# really want to rebuild the OIDC backend from scratch (e.g. config drift on
+# bound_issuer or similar).
 - name: Delete existing Gitea OIDC backends if they exist
 include_tasks: vault_cmd.yml
 vars:
@@ -48,6 +53,7 @@
 - gitea_jwt
 loop_control:
 loop_var: backend_name
+ when: vault_oidc_force_reset | default(false) | bool
 - name: use tofu to provision vault
 block:
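Review bot: The new `when:` guard in the second hunk reads `vault_oidc_force_reset` only through an inline `default(false)`, so the switch is declared nowhere visible and a mistyped name in inventory or `-e` silently leaves the destructive reset off; declare `vault_oidc_force_reset: false` in the role's `defaults/main.yml` with a comment so the opt-in is discoverable, and keep the `| bool` cast (the `default(false)` then becomes redundant). The WARNING block in the first hunk tells the reader what is wiped but not what must follow: since it states the `gitea_cicd_*` roles are created by `tools/hashicorp-vault/iac/`, add a closing line such as `# After a forced reset, re-apply tools/hashicorp-vault/iac/ to recreate the gitea_cicd_* roles.` Because this is a deliberately destructive path, a short `debug` task immediately before the delete loop, e.g. `- name: Announce forced Gitea OIDC backend reset` with the same `when:` condition, would make the wipe visible in run output and logs rather than only in the comment. The task `Delete existing Gitea OIDC backends if they exist` spans both hunks and its `vars:` body lies outside the shown lines.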