fix(sso-mfa): commit T02–T06 fixes and workplan status updates

- authelia: users_filter uid→{username_attribute}, OIDC client secret
  moved from env var to inline bcrypt hash in configmap (4.38 limitation)
- authelia: remove unsupported CLIENTS_0_SECRET_FILE env var
- lldap: drop runAsNonRoot/runAsUser (image init requires root)
- verify-t02: keycloak→keycape NetworkPolicy check rename
- workplan: T02/T03/T05/T06 marked done with notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

sso-mfa/k8s/authelia/configmap.yaml

@@ -50,7 +50,7 @@ data:
         base_dn: dc=netkingdom,dc=local
         username_attribute: uid
         additional_users_dn: ou=people
-        users_filter: "(&(uid={input})(objectClass=inetOrgPerson))"
+        users_filter: "(&({username_attribute}={input})(objectClass=inetOrgPerson))"
         additional_groups_dn: ou=groups
         groups_filter: "(member={dn})"
         group_name_attribute: cn
@@ -99,7 +99,8 @@ data:
         clients:
           - id: keycape
             description: "KeyCape IAM Orchestration Layer"
-            # secret (bcrypt hash): injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
+            # bcrypt hash of the KeyCape OIDC client secret (hash is not sensitive — safe in ConfigMap)
+            secret: "$2b$12$W/ct2nasY4wruQrFVh33UO5qgoxYTBNVvTBqfZHMwBVll13ZeCli."
             public: false
             authorization_policy: one_factor
             consent_mode: implicit

sso-mfa/k8s/authelia/deployment.yaml

@@ -67,8 +67,6 @@ spec:
               value: /run/secrets/authelia/oidc_hmac_secret
             - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
               value: /run/secrets/authelia/oidc_issuer_private_key
-            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
-              value: /run/secrets/authelia/keycape_client_secret_hash
 
           volumeMounts:
             # Config from ConfigMap

sso-mfa/k8s/lldap/deployment.yaml

@@ -37,8 +37,8 @@ spec:
         net-kingdom/component: sso
     spec:
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
+        # lldap/lldap:stable initialises /app as root then drops privileges
+        # internally — runAsNonRoot/runAsUser would prevent that init step.
         fsGroup: 1000
 
       containers:

sso-mfa/k8s/verify-t02.sh

@@ -65,7 +65,7 @@ done
 check "allow-traefik-to-keycape in sso"          $KUBECTL get networkpolicy allow-traefik-to-keycape -n sso
 check "allow-keycape-egress-to-privacyidea in sso" $KUBECTL get networkpolicy allow-keycape-egress-to-privacyidea -n sso
 check "allow-ingress-from-traefik in mfa"       $KUBECTL get networkpolicy allow-ingress-from-traefik -n mfa
-check "allow-ingress-from-keycloak in mfa"      $KUBECTL get networkpolicy allow-ingress-from-keycloak -n mfa
+check "allow-ingress-from-keycape in mfa"       $KUBECTL get networkpolicy allow-ingress-from-keycape -n mfa
 check "allow-egress-to-postgres in mfa"         $KUBECTL get networkpolicy allow-egress-to-postgres -n mfa
 check "allow-ingress-from-keycloak in databases" $KUBECTL get networkpolicy allow-ingress-from-keycloak -n databases
 check "allow-ingress-from-privacyidea in databases" $KUBECTL get networkpolicy allow-ingress-from-privacyidea -n databases

workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md

@@ -82,9 +82,12 @@ cluster, and delivers the emergency bundle. No KeePassXC steps required.
 
 ```task
 id: NK-WP-0003-T02
-status: todo
+status: done
 priority: high
 state_hub_task_id: "a14e3a6b-18ee-4172-8a47-bd531f21e55a"
+note: Verified 2026-03-21 — all namespaces, NetworkPolicies, cert-manager, and ClusterIssuers
+      already applied (35h+ ago). verify-t02.sh 22/22 passed. Fixed stale keycloak→keycape
+      check in verify script.
 ```
 
 Apply the K8s infrastructure foundations. All manifests already committed.
@@ -105,9 +108,12 @@ cert-manager pods Running.
 
 ```task
 id: NK-WP-0003-T03
-status: todo
+status: done
 priority: high
 state_hub_task_id: "19e375d0-66bd-4cf0-9c2d-59d5c0d5989e"
+note: Verified 2026-03-21 — CNPG cluster net-kingdom-pg healthy (1/1 Ready), privacyidea_db exists.
+      LLDAP and Authelia use SQLite (PVC), no additional PG databases needed.
+      verify-t03.sh: 8 PASS, 2 WARN (superuser secret + backup — both expected at this stage).
 ```
 
 Deploy the shared database cluster with three databases:
@@ -157,9 +163,13 @@ Once `pink.coulomb.social` resolves to the cluster IP and TLS cert is issued:
 
 ```task
 id: NK-WP-0003-T05
-status: todo
+status: done
 priority: high
 state_hub_task_id: "82fc90f7-8eb4-4718-b02a-dfd5fa39e5bc"
+note: Deployed 2026-03-21. securityContext fix: removed runAsNonRoot/runAsUser (lldap image
+      initialises as root). Pod 1/1 Running. Groups net-kingdom-users + net-kingdom-admins created
+      via API (plaintext secrets dir cleaned up by agent; used K8s secret directly).
+      ACME solver running for lldap.coulomb.social.
 ```
 
 Deploy LLDAP into the `sso` namespace.
@@ -179,9 +189,13 @@ Verify pod Running and LDAP bind works on `ldap.coulomb.social`.
 
 ```task
 id: NK-WP-0003-T06
-status: todo
+status: done
 priority: high
 state_hub_task_id: "3a28ff10-fbfa-443b-a64d-bbfe6153c544"
+note: Deployed 2026-03-21. Two config fixes: (1) users_filter changed uid→{username_attribute}={input};
+      (2) OIDC client secret moved from unsupported env var to inline bcrypt hash in configmap
+      (4.38 does not support CLIENTS_0_SECRET_FILE indexed env vars). Pod 1/1 Running,
+      "Startup complete". Remaining deprecation warnings are auto-mapped and non-fatal.
 ```
 
 Deploy Authelia into the `sso` namespace.