coulomb/key-cape
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
37801904564f807a29f894f9d5ebabb8d9a53b1c
key-cape/CLAUDE.md
tegwick 3780190456 feat: prime repo — CLAUDE.md + README, register in state-hub 
- CLAUDE.md: session protocol, architecture overview, spec pointers,
  workplan convention, state-hub repo ID (8a99bb74, netkingdom domain)
- README.md: replace repo-seed placeholder with KeyCape description

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 00:23:19 +01:00

112 lines
3.6 KiB
Markdown
Raw Blame History

# KeyCape — Claude Code Instructions
## What This Repo Is
**KeyCape** is the lightweight IAM component of NetKingdom.
> *"Prepare for Keycloak without Keycloak"*
KeyCape implements the **NetKingdom IAM Profile** — a versioned OIDC/PKCE contract
that NetKingdom applications integrate against. It orchestrates:
| Component | Role |
|--------------|-------------------------------|
| Authelia | OIDC provider / session / tokens |
| LLDAP | Lightweight identity directory |
| privacyIDEA | MFA authority |
Keycape is intentionally replaceable by **Keycloak** in expanded mode. All apps
must target the profile, not Keycape or Keycloak incidentals.
## Custodian State Hub Integration
- **Domain:** `netkingdom`
- **Repo ID:** `8a99bb74-1ec0-4478-ac70-35a7cddb0e3c`
- **State Hub API:** `http://127.0.0.1:8000` (run `cd ~/the-custodian/state-hub && make api` if offline)
### Session Protocol
**Start of every session:**
```
get_domain_summary("netkingdom")
```
This gives the full picture of active workstreams, blocking decisions, and recent
progress for the NetKingdom domain at ~10% of the cost of `get_state_summary()`.
**During work:**
- `record_decision()` for any architectural choice (profile extensions, backend selection, etc.)
- `add_progress_event()` for milestones, blockers, discoveries
- `resolve_decision()` once a decision is closed
**End of every session:**
```
add_progress_event(summary="...", event_type="...", workstream_id="<active ws id>")
```
After modifying workplan files, run:
```
cd ~/the-custodian/state-hub && make fix-consistency REPO=key-cape
```
## Key Documents
| Document | Path | Purpose |
|---|---|---|
| Keycape Specification v0.1 | `wiki/KeyCapeSpecification_v0.1.md` | Architecture, design intent, objectives |
| Normative Specification Pack v0.1 | `wiki/KeyCapeSpecificationPack_v0.1.md` | Normative spec for implementation agents: identity model, LDAP schema, error taxonomy, telemetry, migration contract, acceptance test matrix |
## Architecture
```
key-cape/
wiki/ # Specifications (read before implementing)
workplans/ # Implementation workplans (ADR-001 convention)
src/ # Implementation (to be created)
tests/ # Test suite (to be created)
```
### Lightweight mode stack
```
Application ──→ NetKingdom IAM Profile
KeyCape ←── config translation, claim normalization
/ | \
Authelia LLDAP privacyIDEA
```
### Expanded mode stack (Keycape → Keycloak)
```
Application ──→ NetKingdom IAM Profile
Keycloak (same profile, different runtime)
/ \
LDAP privacyIDEA
```
## Implementation Priorities (from spec)
1. **Profile endpoints** — OIDC discovery, authorization, token, JWKS, userinfo
2. **Canonical identity model** — product-neutral user/group/client schema
3. **Claim normalization** — stable claim set regardless of backend quirks
4. **Unsupported-feature enforcement** — structured errors, never silent emulation
5. **Telemetry** — demand visibility for unsupported features and auth events
6. **Migration tooling** — export/validate for LLDAP → Keycloak path
## Workplan Convention (ADR-001)
Workplans live in `workplans/<id>-<slug>.md` with YAML frontmatter:
```yaml
id: KEY-WP-0001
type: workplan
title: "..."
domain: netkingdom
repo: key-cape
status: todo|active|done
owner: Bernd
topic_slug: netkingdom
```
Tasks are embedded as `## Task Title\n```task\nid: ...\nstatus: todo\n```\n` blocks.
Reference in New Issue View Git Blame Copy Permalink