Permission enforcement on startup: enforce_permissions() checks store dir
(700), user files (600), signing key, TLS key, audit.log, revoked.json.
CLI and run_server() call it before any sensitive operation.
New modules:
security.py check_store(), enforce_permissions(), print_security_check()
audit.py log_event() — append-only TSV audit log (mode 600)
revoke.py revoke(jti), is_revoked(jti) — revocation list (mode 600)
New CLI commands:
security-check Print per-check pass/warn/fail report; exit 1 on failure
revoke-token <jti|jwt> Add JTI to revocation list; accepts raw JTI or full JWT
Serve integration:
Audit log written for auth request, token issuance, and userinfo calls
Revocation checked at /userinfo; revoked tokens return 401
Docs: security model section in LocalIdentity.md — threat model,
assumptions, non-guarantees, SELinux/AppArmor guidance, revocation usage.
138 tests passing (34 new for Stage 4).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add local-identity serve command: a minimal Authorization Code flow OIDC
server backed by file-store users. Implemented natively with no heavy
OIDC library — only stdlib http.server and the cryptography package.
New modules:
keys.py RSA-2048 signing key generation + JWKS helpers
tls.py Self-signed TLS certificate (localhost/127.0.0.1 SANs)
jwt_utils.py RS256 JWT creation and verification
serve.py OIDCHandler + make_handler() factory + run_server()
Endpoints: /.well-known/openid-configuration, /jwks, /auth, /token,
/userinfo. Server binds to 127.0.0.1 only; tokens carry iss: local-identity
which production Keycloak rejects by design.
104 tests passing (16 new for Stage 3).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Resolves the system identity mismatch between the Linux username (worsch)
and the bootstrap identity (tegwick / Bernd Worsch / custom email).
Resolution order for all three fields: flag > config > system derivation.
Config is updated on every init so --force reinits are idempotent without
repeating the flags.
- cli.py: extract _resolve_init_params(); add --username / --fullname args;
persist all three fields to config.yaml on init
- tests/test_cli.py: 13 new tests covering flag priority, config fallback,
system derivation, config persistence, idempotent --force reinit
54 tests passing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Follows resolved decisions D4 and D5 (2026-03-01, Tegwick):
D4 — ESO chosen as secret injection strategy. NK-WP-0001 T01 Phase 0b
updated to specify ESO; T01 done-criteria updated to require a working ESO
test injection.
D5 — Local Identity implemented in-repo (not a separate repo). Four
deliverables:
- docs/LocalIdentity.md: capability overview, design principles, user
schema, OIDC provider description, risk mitigations, scope boundaries
- workplans/NK-WP-0002-local-identity.md: four-stage implementation plan
(core file store, bootstrap integration, minimal OIDC, security hardening)
with State Hub task IDs
- NK-WP-0001 updated: D2/D4/D5 rows resolved, T07 bootstrap section now
references NK-WP-0002 and documents the export→Keycloak migration path,
Open Questions condensed to two remaining artefacts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Extend decisions table with D4 (secret injection, pending) and D5
(file-based bootstrap user store, pending with SWOT)
- Add explicit prerequisite block to T02: T01 Phase 0a must complete first
- Update T07: reference EP-NK-001 (LDAP/Entra extension point) by ID
- Condense Open Questions into a reference table pointing to State Hub artefacts
- Ecosystem ADR recommendation recorded as [repo:custodian] task in hub
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Initialises the net-kingdom project structure:
- README.md: updated title and description
- CLAUDE.md: project instructions and State Hub integration config
- wiki/: three reference docs (NetKingdom overview, ChatGPT and Grok
protoplans for the SSO/MFA platform)
- workplans/NK-WP-0001-sso-mfa-platform.md: combined workplan (8 phases,
8 tasks) synthesised from the two protoplans; registered in the
Custodian State Hub (workstream 39263c4b)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
