tegwick
fa27adbc77
- T16: canonical → Keycloak realm JSON (profile-safe: no identity brokering, implicit flow always false) - T17: canonical → LDIF for openldap/389ds/ad targets with pre-validation 27 migration tests pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
KeyCape
Prepare for Keycloak without Keycloak
KeyCape is the lightweight IAM component of NetKingdom. It implements the NetKingdom IAM Profile — a versioned OIDC/PKCE contract — by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is implemented by Keycloak in expanded-mode deployments.
Applications integrate against the profile, not against Keycape internals. This makes the lightweight → expanded migration a tested, automated operation rather than a rewrite.
Status
Specification phase. The normative spec (v0.1) is complete. Implementation workplans are the next step.
Key Documents
wiki/KeyCapeSpecification_v0.1.md— Architecture, design intent, objectiveswiki/KeyCapeSpecificationPack_v0.1.md— Normative implementation spec: canonical identity model, LDAP schema + validator rules, error taxonomy, telemetry schema, migration contract, acceptance test matrix
Architecture
Application
│ (NetKingdom IAM Profile)
▼
KeyCape ←── profile enforcement, claim normalization, telemetry
/ | \
Auth LLDAP privacyIDEA
elia
Expanded mode: Replace KeyCape with Keycloak. Same profile, same tests pass.
Domain
Part of the NetKingdom domain. Tracked in the Custodian State Hub under
domain netkingdom, repo slug key-cape.
See CLAUDE.md for agent session protocol and workplan conventions.