# KeyCape

*Prepare for Keycloak without Keycloak*

KeyCape is the lightweight IAM component of [NetKingdom](../net-kingdom/). It
implements the **NetKingdom IAM Profile** — a versioned OIDC/PKCE contract —
by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is
implemented by Keycloak in expanded-mode deployments.

Applications integrate against the profile, not against Keycape internals. This
makes the lightweight → expanded migration a tested, automated operation rather
than a rewrite.

## Status

**Specification phase.** The normative spec (v0.1) is complete. Implementation
workplans are the next step.

## Key Documents

- `wiki/KeyCapeSpecification_v0.1.md` — Architecture, design intent, objectives
- `wiki/KeyCapeSpecificationPack_v0.1.md` — Normative implementation spec:
  canonical identity model, LDAP schema + validator rules, error taxonomy,
  telemetry schema, migration contract, acceptance test matrix

## Architecture

```
Application
    │  (NetKingdom IAM Profile)
    ▼
 KeyCape  ←── profile enforcement, claim normalization, telemetry
  /  |  \
Auth  LLDAP  privacyIDEA
elia
```

**Expanded mode:** Replace KeyCape with Keycloak. Same profile, same tests pass.

## Domain

Part of the **NetKingdom** domain. Tracked in the Custodian State Hub under
domain `netkingdom`, repo slug `key-cape`.

See `CLAUDE.md` for agent session protocol and workplan conventions.