fix(sso-mfa): commit T02–T06 fixes and workplan status updates

- authelia: users_filter uid→{username_attribute}, OIDC client secret
  moved from env var to inline bcrypt hash in configmap (4.38 limitation)
- authelia: remove unsupported CLIENTS_0_SECRET_FILE env var
- lldap: drop runAsNonRoot/runAsUser (image init requires root)
- verify-t02: keycloak→keycape NetworkPolicy check rename
- workplan: T02/T03/T05/T06 marked done with notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

sso-mfa/k8s/authelia/configmap.yaml

@@ -50,7 +50,7 @@ data:
         base_dn: dc=netkingdom,dc=local
         username_attribute: uid
         additional_users_dn: ou=people
-        users_filter: "(&(uid={input})(objectClass=inetOrgPerson))"
+        users_filter: "(&({username_attribute}={input})(objectClass=inetOrgPerson))"
         additional_groups_dn: ou=groups
         groups_filter: "(member={dn})"
         group_name_attribute: cn
@@ -99,7 +99,8 @@ data:
         clients:
           - id: keycape
             description: "KeyCape IAM Orchestration Layer"
-            # secret (bcrypt hash): injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
+            # bcrypt hash of the KeyCape OIDC client secret (hash is not sensitive — safe in ConfigMap)
+            secret: "$2b$12$W/ct2nasY4wruQrFVh33UO5qgoxYTBNVvTBqfZHMwBVll13ZeCli."
             public: false
             authorization_policy: one_factor
             consent_mode: implicit

sso-mfa/k8s/authelia/deployment.yaml

@@ -67,8 +67,6 @@ spec:
               value: /run/secrets/authelia/oidc_hmac_secret
             - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
               value: /run/secrets/authelia/oidc_issuer_private_key
-            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
-              value: /run/secrets/authelia/keycape_client_secret_hash
 
           volumeMounts:
             # Config from ConfigMap

sso-mfa/k8s/lldap/deployment.yaml

@@ -37,8 +37,8 @@ spec:
         net-kingdom/component: sso
     spec:
       securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000
+        # lldap/lldap:stable initialises /app as root then drops privileges
+        # internally — runAsNonRoot/runAsUser would prevent that init step.
         fsGroup: 1000
 
       containers:

sso-mfa/k8s/verify-t02.sh

@@ -65,7 +65,7 @@ done
 check "allow-traefik-to-keycape in sso"          $KUBECTL get networkpolicy allow-traefik-to-keycape -n sso
 check "allow-keycape-egress-to-privacyidea in sso" $KUBECTL get networkpolicy allow-keycape-egress-to-privacyidea -n sso
 check "allow-ingress-from-traefik in mfa"       $KUBECTL get networkpolicy allow-ingress-from-traefik -n mfa
-check "allow-ingress-from-keycloak in mfa"      $KUBECTL get networkpolicy allow-ingress-from-keycloak -n mfa
+check "allow-ingress-from-keycape in mfa"       $KUBECTL get networkpolicy allow-ingress-from-keycape -n mfa
 check "allow-egress-to-postgres in mfa"         $KUBECTL get networkpolicy allow-egress-to-postgres -n mfa
 check "allow-ingress-from-keycloak in databases" $KUBECTL get networkpolicy allow-ingress-from-keycloak -n databases
 check "allow-ingress-from-privacyidea in databases" $KUBECTL get networkpolicy allow-ingress-from-privacyidea -n databases