- T05: /.well-known/openid-configuration — profile-only features advertised
- T08: /jwks — RS256 JWK Set, stdlib crypto only, key rotation support
- T13: Structured telemetry — Event types, LogEmitter/NoopEmitter/MultiEmitter, context helpers

38 server tests pass, go vet clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
KeyCape
Prepare for Keycloak without Keycloak
KeyCape is the lightweight IAM component of NetKingdom. It implements the NetKingdom IAM Profile — a versioned OIDC/PKCE contract — by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is implemented by Keycloak in expanded-mode deployments.
Applications integrate against the profile, not against KeyCape internals. This makes the lightweight → expanded migration a tested, automated operation rather than a rewrite.
Status
Specification phase. The normative spec (v0.1) is complete. Implementation workplans are the next step.
Key Documents
wiki/KeyCapeSpecification_v0.1.md — Architecture, design intent, objectives
wiki/KeyCapeSpecificationPack_v0.1.md — Normative implementation spec: canonical identity model, LDAP schema + validator rules, error taxonomy, telemetry schema, migration contract, acceptance test matrix
Architecture
          Application
               │  (NetKingdom IAM Profile)
               ▼
            KeyCape  ←── profile enforcement, claim normalization, telemetry
           /   |   \
    Authelia LLDAP privacyIDEA
Expanded mode: Replace KeyCape with Keycloak. Same profile, same tests pass.
Domain
Part of the NetKingdom domain. Tracked in the Custodian State Hub under
domain netkingdom, repo slug key-cape.
See CLAUDE.md for agent session protocol and workplan conventions.