Remove external reference points so the intent stands on its own at the
abstract, stable level. The IAM profile this repo implements is described
as a versioned profile contract rather than attributed to an external
owner, and the heavier comparison mode is described generically instead of
by product name. All of KeyCape's own substance is preserved — purpose,
primary utility, intended users, strategic role and boundaries, design
principles, maturity target, and stability note.
Relationships to other systems belong in interface contracts and the
orchestration responsibility map, not in intent.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The adapter was forwarding the downstream client's client_id and
redirect_uri to Authelia, which would always be rejected — Authelia
only recognises client_id=keycape and its registered callback URI.
Also removed downstream PKCE forwarding: KeyCape is a confidential
OIDC client to Authelia and authenticates via client_secret instead.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
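The upstream leg described in the commit above, written out as an added example (illustrative code for this page, not KeyCape's adapter): the broker mints its own state for the hop to the upstream IdP, sends only its own registered client_id, redirect_uri and scope, keeps the downstream client_id, redirect_uri and code_challenge server-side for correlation, and exchanges the code as a confidential client with client_secret_basic rather than a code_verifier. The `Upstream`, `DownstreamAuthz` and `Broker` types, the endpoint URLs, the client secret and the callback path are all assumed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync"
)

// Upstream is the broker's own registration at the upstream IdP. Every
// field is fixed at deployment; no downstream request may override it.
// (Hypothetical type; the values used below are assumed, not KeyCape config.)
type Upstream struct {
	AuthorizeURL, TokenURL, ClientID, ClientSecret, RedirectURI, Scope string
}

// DownstreamAuthz is what a downstream relying party sent to the broker.
// It is parked for later correlation, never forwarded upstream.
type DownstreamAuthz struct {
	ClientID, RedirectURI, State, CodeChallenge string
}

// Broker maps the opaque state it mints for the upstream leg back to the
// downstream request so the upstream callback can be correlated.
type Broker struct {
	up      Upstream
	mu      sync.Mutex
	pending map[string]DownstreamAuthz
}

func NewBroker(up Upstream) *Broker {
	return &Broker{up: up, pending: map[string]DownstreamAuthz{}}
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// UpstreamAuthorizeURL builds the redirect to the upstream IdP. Only the
// broker's own client_id, registered redirect_uri and scope go upstream;
// the downstream client_id, redirect_uri, state and code_challenge stay
// in the pending map. As a confidential client the broker sends no PKCE.
func (b *Broker) UpstreamAuthorizeURL(d DownstreamAuthz) (string, string) {
	upState := randomToken()
	b.mu.Lock()
	b.pending[upState] = d
	b.mu.Unlock()
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", b.up.ClientID)
	q.Set("redirect_uri", b.up.RedirectURI)
	q.Set("scope", b.up.Scope)
	q.Set("state", upState)
	return b.up.AuthorizeURL + "?" + q.Encode(), upState
}

// UpstreamTokenRequest builds the code exchange for the upstream token
// endpoint, authenticating with client_secret_basic (no code_verifier).
// The state is consumed on first use, so a replayed callback is refused.
func (b *Broker) UpstreamTokenRequest(code, upState string) (*http.Request, DownstreamAuthz, error) {
	b.mu.Lock()
	d, ok := b.pending[upState]
	delete(b.pending, upState)
	b.mu.Unlock()
	if !ok {
		return nil, DownstreamAuthz{}, errors.New("unknown or already used upstream state")
	}
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", b.up.RedirectURI)
	req, err := http.NewRequest(http.MethodPost, b.up.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, DownstreamAuthz{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(url.QueryEscape(b.up.ClientID), url.QueryEscape(b.up.ClientSecret))
	return req, d, nil
}

func main() {
	b := NewBroker(Upstream{AuthorizeURL: "https://auth.example.test/api/oidc/authorization",
		TokenURL: "https://auth.example.test/api/oidc/token", ClientID: "keycape", ClientSecret: "assumed-secret",
		RedirectURI: "https://keycape.example.test/oidc/callback", Scope: "openid profile email"})
	u, st := b.UpstreamAuthorizeURL(DownstreamAuthz{ClientID: "relying-party", RedirectURI: "https://rp.example.test/cb"})
	req, d, err := b.UpstreamTokenRequest("code-from-upstream", st)
	fmt.Println(u, "\n", req.Header.Get("Authorization"), d.ClientID, err)
}
```

The client_id and client_secret are form-encoded before being placed in the Basic header, as RFC 6749 section 2.3.1 requires. Because the downstream request is stored under a fresh upstream state and deleted on first use, the callback also cannot be replayed against the broker; the downstream PKCE challenge is retained only so the broker can later verify the downstream client's own code_verifier on its own token endpoint.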
- Makefile: add IMAGE_REGISTRY/IMAGE_REPO/IMAGE_TAG vars + image, push, image-tag targets
- .gitea/workflows/image.yaml: build+push on main push and v* tags via metadata-action
- README: Container Image section with pull/build/push/CI secret docs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds workplan for containerising KeyCape and publishing to the self-hosted
Gitea registry on CoulombCore (92.205.130.254:32166) instead of GHCR. Covers
Makefile targets, Gitea Actions workflow, k3s insecure registry config, machine
account/token management, and a smoke test round-trip.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All implementation phases complete: OIDC server (Authorization Code + PKCE),
canonical identity model + LDAP validator, backend adapters (Authelia/LLDAP/
privacyIDEA), telemetry, enforcement middleware, migration tooling, and all
four replacement test scenarios (A–D). Tests pass with Go 1.23.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- T22: docker-compose.dev.yml dev stack, Dockerfile, root Makefile
- T18: Profile test suite (Scenario A) — 8 integration tests with real handlers
- T23: Server binary wiring all components, config validation, /healthz
- Config: ValidateConfig with startup validation
14 test packages pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- T09: /userinfo with RS256 JWT validation, scope-filtered claims
- T15: LLDAP→canonical export tool with validation, migration_event telemetry
- T21: Negative test suite (Scenario D) — all 7 unsupported features verified
All go tests passing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
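The T09 item above (userinfo backed by RS256 validation with scope-filtered claims), as an added example that is not KeyCape's code: the verifier pins the JWS header to RS256 so alg=none and HS256 tokens are refused, checks the signature with the server's own public key before trusting anything in the payload, then compares iss, aud and exp, and the userinfo filter releases only the claims the token's scopes unlock. The `AccessClaims` shape, the scope-to-claim mapping, the issuer and audience strings and the signing helper that stands in for the token endpoint are all assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AccessClaims is the access-token payload this example assumes.
type AccessClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"`
}

// scopeClaims: which userinfo claims each scope unlocks (assumed mapping).
var scopeClaims = map[string][]string{
	"profile": {"name", "preferred_username"},
	"email":   {"email", "email_verified"},
	"groups":  {"groups"},
}

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 mints a compact RS256 JWS over the claims; it stands in for the
// token endpoint so the example runs offline.
func SignRS256(priv *rsa.PrivateKey, c AccessClaims) string {
	body, _ := json.Marshal(c) // cannot fail for this struct
	input := enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return input + "." + enc(sig)
}

// VerifyRS256 pins alg to RS256 (alg=none or HS256 tokens are refused), checks
// the signature with the server's own public key, and only then trusts the
// payload enough to compare iss, aud and exp.
func VerifyRS256(pub *rsa.PublicKey, token, iss, aud string, now time.Time) (AccessClaims, error) {
	var c AccessClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return c, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return c, errors.New("unexpected alg")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return c, errors.New("bad signature")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return AccessClaims{}, err
	}
	if c.Iss != iss || c.Aud != aud || now.Unix() >= c.Exp {
		return AccessClaims{}, errors.New("iss, aud or exp check failed")
	}
	return c, nil
}

// FilterUserinfo releases sub plus only the claims the token's scopes permit.
func FilterUserinfo(c AccessClaims, user map[string]any) map[string]any {
	out := map[string]any{"sub": c.Sub}
	for _, s := range strings.Fields(c.Scope) {
		for _, name := range scopeClaims[s] {
			if v, ok := user[name]; ok {
				out[name] = v
			}
		}
	}
	return out
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // a server would load its persistent key
	tok := SignRS256(key, AccessClaims{Iss: "https://keycape.example.test", Sub: "alice",
		Aud: "keycape-userinfo", Exp: time.Now().Add(5 * time.Minute).Unix(), Scope: "openid email"})
	c, err := VerifyRS256(&key.PublicKey, tok, "https://keycape.example.test", "keycape-userinfo", time.Now())
	fmt.Println(err, FilterUserinfo(c, map[string]any{"name": "Alice", "email": "alice@example.test"}))
}
```

The order matters: the header is inspected only to confirm the expected algorithm, the signature is verified with a key chosen by the server rather than anything named in the token, and the claims are parsed and compared only after the signature passes. A scope the mapping does not know about releases nothing, which is the safe default when a new scope is added to the profile before the userinfo filter learns about it.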