d076e7ee7b
chore(consistency): sync task status from DB [auto]
Build and Publish Container Image / build-and-push (push) Has been cancelled
Updated by fix-consistency on 2026-06-22:
- update .custodian-brief.md for key-cape
2026-06-22 18:02:26 +02:00
c4f281a376
Human-review .repo-classification.yaml (CUST-WP-0050 follow-up)
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-06-22 17:56:17 +02:00
bee021735c
Add .repo-classification.yaml (CUST-WP-0050 T11 agent first-pass)
2026-06-22 17:47:37 +02:00
c9838a4811
Add credential routing instructions for all agent runtimes
Build and Publish Container Image / build-and-push (push) Has been cancelled
Propagate shared credential-routing section (Codex, Claude, Grok, llm-connect)
from state-hub template via scripts/propagate_credential_routing.py.
2026-06-18 22:48:38 +02:00
593b5af8dc
Add capability registry scaffold (REUSE-WP-0014-T05 B03)
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-06-16 01:53:59 +02:00
d6d41dd84f
Fix OpenBao OIDC token exchange compatibility
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-06-01 21:20:54 +02:00
06d20c3379
Load LLDAP organizational unit config
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-05-25 00:28:33 +02:00
937cb39de6
Require MFA during bootstrap mode
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-05-25 00:09:40 +02:00
56d279a8e6
Use basic auth for Authelia token exchange
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-05-24 18:04:28 +02:00
1d68639225
Align KeyCape image namespace with deployment
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-05-24 17:17:37 +02:00
7e22fcf3c7
bootstrapping support
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-05-24 17:03:01 +02:00
393abf3e0e
Reference IAM Profile v0.2
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-05-22 14:35:29 +02:00
f45784f951
Make INTENT.md self-coherent
Build and Publish Container Image / build-and-push (push) Has been cancelled
Remove external reference points so the intent stands on its own at the
abstract, stable level. The IAM profile this repo implements is described
as a versioned profile contract rather than attributed to an external
owner, and the heavier comparison mode is described generically instead of
by product name. All of KeyCape's own substance is preserved — purpose,
primary utility, intended users, strategic role and boundaries, design
principles, maturity target, and stability note.
Relationships to other systems belong in interface contracts and the
orchestration responsibility map, not in intent.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 01:50:08 +02:00
465a778c1f
Refresh agent instruction files
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-05-18 16:55:43 +02:00
10868739a8
Added INTENT.md file
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-05-03 17:37:45 +02:00
a626dd5d4e
Scope update from repo-scoping refactor
Build and Publish Container Image / build-and-push (push) Has been cancelled
2026-05-01 12:26:34 +02:00
926adfb3aa
chore(session): read .custodian-brief.md before MCP call in session init
Build and Publish Container Image / build-and-push (push) Has been cancelled
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 17:48:52 +01:00
cfa12e978d
chore(consistency): sync task status from DB [auto]
Updated by fix-consistency on 2026-03-26:
- update .custodian-brief.md for key-cape
2026-03-26 17:47:47 +01:00
a6af43b332
fix(authelia): use adapter's own client_id/redirect_uri in AuthorizeURL
Build and Publish Container Image / build-and-push (push) Has been cancelled
The adapter was forwarding the downstream client's client_id and
redirect_uri to Authelia, which would always be rejected — Authelia
only recognises client_id=keycape and its registered callback URI.
Also removed downstream PKCE forwarding: KeyCape is a confidential
OIDC client to Authelia and authenticates via client_secret instead.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-25 03:15:36 +00:00
18dbad68ed
feat(close): mark KEY-WP-0002 done — all 6 tasks complete
Build and Publish Container Image / build-and-push (push) Has been cancelled
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 23:33:28 +00:00
7822ba0703
feat(image): KEY-WP-0002 T01/T02/T06 — Makefile image targets, Gitea Actions workflow, README CI docs
Build and Publish Container Image / build-and-push (push) Has been cancelled
- Makefile: add IMAGE_REGISTRY/IMAGE_REPO/IMAGE_TAG vars + image, push, image-tag targets
- .gitea/workflows/image.yaml: build+push on main push and v* tags via metadata-action
- README: Container Image section with pull/build/push/CI secret docs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 23:27:39 +00:00
393ef3ca76
feat(workplan): KEY-WP-0002 — build & publish KeyCape image to Gitea OCI registry
CI / Build and Test (push) Has been cancelled
Adds workplan for containerising KeyCape and publishing to the self-hosted
Gitea registry on CoulombCore (92.205.130.254:32166) instead of GHCR. Covers
Makefile targets, Gitea Actions workflow, k3s insecure registry config, machine
account/token management, and a smoke test round-trip.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 00:18:12 +01:00
303663e48b
Enhanced scope with provided capabilities
CI / Build and Test (push) Has been cancelled
2026-03-19 21:41:24 +01:00
80bf79de46
docs: add SCOPE.md for rapid orientation
CI / Build and Test (push) Has been cancelled
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 23:10:44 +01:00
ece58bc363
feat(close): mark KEY-WP-0001 done — all 23 tasks complete, tests passing
CI / Build and Test (push) Has been cancelled
All implementation phases complete: OIDC server (Authorization Code + PKCE),
canonical identity model + LDAP validator, backend adapters (Authelia/LLDAP/
privacyIDEA), telemetry, enforcement middleware, migration tooling, and all
four replacement test scenarios (A–D). Tests pass with Go 1.23.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 02:49:13 +01:00
847abcba73
feat: implement T19, T20 — Scenario B/C replacement tests; complete workplan
CI / Build and Test (push) Has been cancelled
- T19: Scenario B tests — IAM swap correctness (7 tests: profile safety, client mapping, user/group preservation)
- T20: Scenario C tests — full expansion correctness (6 tests: LDIF round-trip, target differences, MFA orthogonality)
- CI scripts: test-scenario-b.sh, test-scenario-c.sh
- README: complete documentation with quick start, endpoints, migration guide
- Workplan: all acceptance criteria checked off
All 23 tasks done. 15 test packages, all green. go vet clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 02:36:29 +01:00
c18adb6441
feat: implement T22, T18, T23 — dev stack, profile tests, server binary
- T22: docker-compose.dev.yml dev stack, Dockerfile, root Makefile
- T18: Profile test suite (Scenario A) — 8 integration tests with real handlers
- T23: Server binary wiring all components, config validation, /healthz
- Config: ValidateConfig with startup validation
14 test packages pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 02:18:36 +01:00
fa27adbc77
feat: implement T16, T17 — Keycloak realm import transformer, LDIF generator
- T16: canonical → Keycloak realm JSON (profile-safe: no identity brokering, implicit flow always false)
- T17: canonical → LDIF for openldap/389ds/ad targets with pre-validation
27 migration tests pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 02:13:04 +01:00
3ee8090a98
feat: implement T09, T15, T21 — userinfo endpoint, LLDAP export, negative tests
- T09: /userinfo with RS256 JWT validation, scope-filtered claims
- T15: LLDAP→canonical export tool with validation, migration_event telemetry
- T21: Negative test suite (Scenario D) — all 7 unsupported features verified
All go tests passing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 02:08:03 +01:00
4097a7de8b
feat: implement T06, T07 — authorization endpoint, token endpoint
- T06: /authorize with full PKCE validation, Authelia delegation, MFA check
- T07: /token with RS256 JWT issuance (stdlib only), PKCE verification, scope-filtered claims
50 OIDC tests pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 01:56:57 +01:00
d05c73dc19
feat: implement T11, T12 — Authelia adapter, privacyIDEA adapter
- T11: AutheliaAdapter delegating login UI and session; Authelia tokens never leak to profile layer
- T12: PrivacyIDEAAdapter delegating MFA 100% — no MFA logic in KeyCape
21 adapter tests pass, vet clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 01:50:31 +01:00
b0adbc5daa
feat: implement T14, T10 — enforcement middleware, LLDAP adapter
- T14: Unsupported feature registry with 7 pre-registered profile boundaries
- T10: LLDAP adapter implementing UserRepository; validator-gated reads
24 tests pass, go vet clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 01:45:21 +01:00
22f7a7dc50
feat: implement T05, T08, T13 — OIDC discovery, JWKS, telemetry pipeline
- T05: /.well-known/openid-configuration — profile-only features advertised
- T08: /jwks — RS256 JWK Set, stdlib crypto only, key rotation support
- T13: Structured telemetry — Event types, LogEmitter/NoopEmitter/MultiEmitter, context helpers
38 server tests pass, go vet clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 01:35:34 +01:00
329e996619
feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy
- T01: Go module (keycape), full directory skeleton, Makefile, CI workflow
- T02: spec/canonical-model.yaml with 6 entities + Go domain types
- T03: spec/ldap-schema.yaml + validator binary with structural/semantic rules
- T04: Error taxonomy — 4 stable error types, JSON format, HTTP helpers
28 tests pass, go vet clean, go build clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 01:27:54 +01:00
f3b1cdcba4
chore: track specification documents
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 00:30:46 +01:00
3780190456
feat: prime repo — CLAUDE.md + README, register in state-hub
- CLAUDE.md: session protocol, architecture overview, spec pointers,
workplan convention, state-hub repo ID (8a99bb74, netkingdom domain)
- README.md: replace repo-seed placeholder with KeyCape description
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 00:23:19 +01:00
Coulomb Social
97d3fceea6
Initial commit
2026-03-12 23:11:30 +00:00