feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy

- T01: Go module (keycape), full directory skeleton, Makefile, CI workflow
- T02: spec/canonical-model.yaml with 6 entities + Go domain types
- T03: spec/ldap-schema.yaml + validator binary with structural/semantic rules
- T04: Error taxonomy — 4 stable error types, JSON format, HTTP helpers

28 tests pass, go vet clean, go build clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/internal/domain/model.go

@@ -0,0 +1,68 @@
+// Package domain contains the canonical identity model for KeyCape.
+// This is the source of truth for all user, group, client, and MFA data.
+// All provisioning, tests, and migrations derive from these types.
+package domain
+
+import "time"
+
+// User is the canonical identity entity — source of truth for all user data.
+type User struct {
+	ID             string            `yaml:"id" json:"id"`
+	Username       string            `yaml:"username" json:"username"`
+	DisplayName    string            `yaml:"displayName" json:"displayName"`
+	Email          string            `yaml:"email" json:"email"`
+	Enabled        bool              `yaml:"enabled" json:"enabled"`
+	Groups         []string          `yaml:"groups" json:"groups"`
+	Roles          []string          `yaml:"roles" json:"roles"`
+	MFAEnrollment  *MFAEnrollment    `yaml:"mfaEnrollment,omitempty" json:"mfaEnrollment,omitempty"`
+	LDAPAttributes map[string]string `yaml:"ldapAttributes,omitempty" json:"ldapAttributes,omitempty"`
+}
+
+// Group is a named collection of users.
+type Group struct {
+	ID          string   `yaml:"id" json:"id"`
+	Name        string   `yaml:"name" json:"name"`
+	Description string   `yaml:"description" json:"description"`
+	Members     []string `yaml:"members" json:"members"`
+}
+
+// Role is a named permission set.
+type Role struct {
+	ID          string `yaml:"id" json:"id"`
+	Name        string `yaml:"name" json:"name"`
+	Description string `yaml:"description" json:"description"`
+}
+
+// Client is a registered OIDC client (static in v0.1 — no dynamic registration).
+type Client struct {
+	ClientID      string   `yaml:"clientId" json:"clientId"`
+	DisplayName   string   `yaml:"displayName" json:"displayName"`
+	RedirectURIs  []string `yaml:"redirectUris" json:"redirectUris"`
+	AllowedScopes []string `yaml:"allowedScopes" json:"allowedScopes"`
+	GrantTypes    []string `yaml:"grantTypes" json:"grantTypes"`
+	ClientType    string   `yaml:"clientType" json:"clientType"` // "confidential" | "public"
+	SecretRef     string   `yaml:"secretRef,omitempty" json:"secretRef,omitempty"`
+}
+
+// Membership links a user to a group.
+type Membership struct {
+	UserID  string `yaml:"userId" json:"userId"`
+	GroupID string `yaml:"groupId" json:"groupId"`
+}
+
+// MFAEnrollment records that a user has enrolled MFA via privacyIDEA.
+type MFAEnrollment struct {
+	UserID     string    `yaml:"userId" json:"userId"`
+	Provider   string    `yaml:"provider" json:"provider"` // "privacyidea"
+	State      string    `yaml:"state" json:"state"`       // "enabled" | "disabled" | "pending"
+	EnrolledAt time.Time `yaml:"enrolledAt,omitempty" json:"enrolledAt,omitempty"`
+}
+
+// Directory is the full canonical identity directory snapshot.
+// Used for provisioning, validation, and migration operations.
+type Directory struct {
+	Users   []User   `yaml:"users" json:"users"`
+	Groups  []Group  `yaml:"groups" json:"groups"`
+	Roles   []Role   `yaml:"roles" json:"roles"`
+	Clients []Client `yaml:"clients" json:"clients"`
+}