coulomb/key-cape
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
20 Commits 1 Branch 0 Tags
cfa12e978df539a2acc32c437d20f0be269c45be
Commit Graph

20 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
tegwick
cfa12e978d chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-03-26:
  - update .custodian-brief.md for key-cape
 2026-03-26 17:47:47 +01:00
Bernd Worsch
a6af43b332 fix(authelia): use adapter's own client_id/redirect_uri in AuthorizeURL
Some checks failed
Build and Publish Container Image / build-and-push (push) Has been cancelled
Details 
The adapter was forwarding the downstream client's client_id and
redirect_uri to Authelia, which would always be rejected — Authelia
only recognises client_id=keycape and its registered callback URI.
Also removed downstream PKCE forwarding: KeyCape is a confidential
OIDC client to Authelia and authenticates via client_secret instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-25 03:15:36 +00:00
Bernd Worsch
18dbad68ed feat(close): mark KEY-WP-0002 done — all 6 tasks complete
Some checks failed
Build and Publish Container Image / build-and-push (push) Has been cancelled
Details 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-21 23:33:28 +00:00
Bernd Worsch
7822ba0703 feat(image): KEY-WP-0002 T01/T02/T06 — Makefile image targets, Gitea Actions workflow, README CI docs
Some checks failed
Build and Publish Container Image / build-and-push (push) Has been cancelled
Details 
- Makefile: add IMAGE_REGISTRY/IMAGE_REPO/IMAGE_TAG vars + image, push, image-tag targets
- .gitea/workflows/image.yaml: build+push on main push and v* tags via metadata-action
- README: Container Image section with pull/build/push/CI secret docs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-21 23:27:39 +00:00
tegwick
393ef3ca76 feat(workplan): KEY-WP-0002 — build & publish KeyCape image to Gitea OCI registry
Some checks failed
CI / Build and Test (push) Has been cancelled
Details 
Adds workplan for containerising KeyCape and publishing to the self-hosted
Gitea registry on CoulombCore (92.205.130.254:32166) instead of GHCR. Covers
Makefile targets, Gitea Actions workflow, k3s insecure registry config, machine
account/token management, and a smoke test round-trip.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 00:18:12 +01:00
tegwick
303663e48b Enhanced scope with provided capabilities
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
2026-03-19 21:41:24 +01:00
tegwick
80bf79de46 docs: add SCOPE.md for rapid orientation
Some checks failed
CI / Build and Test (push) Has been cancelled
Details 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-17 23:10:44 +01:00
tegwick
ece58bc363 feat(close): mark KEY-WP-0001 done — all 23 tasks complete, tests passing
Some checks failed
CI / Build and Test (push) Has been cancelled
Details 
All implementation phases complete: OIDC server (Authorization Code + PKCE),
canonical identity model + LDAP validator, backend adapters (Authelia/LLDAP/
privacyIDEA), telemetry, enforcement middleware, migration tooling, and all
four replacement test scenarios (A–D). Tests pass with Go 1.23.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 02:49:13 +01:00
tegwick
847abcba73 feat: implement T19, T20 — Scenario B/C replacement tests; complete workplan
Some checks failed
CI / Build and Test (push) Has been cancelled
Details 
- T19: Scenario B tests — IAM swap correctness (7 tests: profile safety, client mapping, user/group preservation)
- T20: Scenario C tests — full expansion correctness (6 tests: LDIF round-trip, target differences, MFA orthogonality)
- CI scripts: test-scenario-b.sh, test-scenario-c.sh
- README: complete documentation with quick start, endpoints, migration guide
- Workplan: all acceptance criteria checked off

All 23 tasks done. 15 test packages, all green. go vet clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 02:36:29 +01:00
tegwick
c18adb6441 feat: implement T22, T18, T23 — dev stack, profile tests, server binary 
- T22: docker-compose.dev.yml dev stack, Dockerfile, root Makefile
- T18: Profile test suite (Scenario A) — 8 integration tests with real handlers
- T23: Server binary wiring all components, config validation, /healthz
- Config: ValidateConfig with startup validation

14 test packages pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 02:18:36 +01:00
tegwick
fa27adbc77 feat: implement T16, T17 — Keycloak realm import transformer, LDIF generator 
- T16: canonical → Keycloak realm JSON (profile-safe: no identity brokering, implicit flow always false)
- T17: canonical → LDIF for openldap/389ds/ad targets with pre-validation

27 migration tests pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 02:13:04 +01:00
tegwick
3ee8090a98 feat: implement T09, T15, T21 — userinfo endpoint, LLDAP export, negative tests 
- T09: /userinfo with RS256 JWT validation, scope-filtered claims
- T15: LLDAP→canonical export tool with validation, migration_event telemetry
- T21: Negative test suite (Scenario D) — all 7 unsupported features verified

All go tests passing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 02:08:03 +01:00
tegwick
4097a7de8b feat: implement T06, T07 — authorization endpoint, token endpoint 
- T06: /authorize with full PKCE validation, Authelia delegation, MFA check
- T07: /token with RS256 JWT issuance (stdlib only), PKCE verification, scope-filtered claims

50 OIDC tests pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 01:56:57 +01:00
tegwick
d05c73dc19 feat: implement T11, T12 — Authelia adapter, privacyIDEA adapter 
- T11: AutheliaAdapter delegating login UI and session; Authelia tokens never leak to profile layer
- T12: PrivacyIDEAAdapter delegating MFA 100% — no MFA logic in KeyCape

21 adapter tests pass, vet clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 01:50:31 +01:00
tegwick
b0adbc5daa feat: implement T14, T10 — enforcement middleware, LLDAP adapter 
- T14: Unsupported feature registry with 7 pre-registered profile boundaries
- T10: LLDAP adapter implementing UserRepository; validator-gated reads

24 tests pass, go vet clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 01:45:21 +01:00
tegwick
22f7a7dc50 feat: implement T05, T08, T13 — OIDC discovery, JWKS, telemetry pipeline 
- T05: /.well-known/openid-configuration — profile-only features advertised
- T08: /jwks — RS256 JWK Set, stdlib crypto only, key rotation support
- T13: Structured telemetry — Event types, LogEmitter/NoopEmitter/MultiEmitter, context helpers

38 server tests pass, go vet clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 01:35:34 +01:00
tegwick
329e996619 feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy 
- T01: Go module (keycape), full directory skeleton, Makefile, CI workflow
- T02: spec/canonical-model.yaml with 6 entities + Go domain types
- T03: spec/ldap-schema.yaml + validator binary with structural/semantic rules
- T04: Error taxonomy — 4 stable error types, JSON format, HTTP helpers

28 tests pass, go vet clean, go build clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 01:27:54 +01:00
tegwick
f3b1cdcba4 chore: track specification documents 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 00:30:46 +01:00
tegwick
3780190456 feat: prime repo — CLAUDE.md + README, register in state-hub 
- CLAUDE.md: session protocol, architecture overview, spec pointers,
  workplan convention, state-hub repo ID (8a99bb74, netkingdom domain)
- README.md: replace repo-seed placeholder with KeyCape description

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-13 00:23:19 +01:00
Coulomb Social
97d3fceea6 Initial commit 2026-03-12 23:11:30 +00:00