net-kingdom

coulomb/net-kingdom

Fork 0

generated from coulomb/repo-seed

Commit Graph

Author	SHA1	Message	Date
tegwick	dad8365e6a	feat(local-identity): Stage 2 — Keycloak export & bootstrap integration (NK-WP-0002-T02) export.py: - split_fullname(): last-token strategy (Bernd Worsch → firstName/lastName) - _deterministic_id(): uuid5(DNS, "local-identity.{realm}.{username}") for stable, re-import-idempotent Keycloak IDs - user_to_keycloak(): full Keycloak Admin REST API user representation; production_identity mapping applied to username + realm; isolation attributes (local_identity_environment, local_identity_generated) always present; validate_keycloak_user() called on every conversion to catch schema drift - bulk_export_body(): partial import body (ifResourceExists/realm/users) cli.py: add `export` subcommand - export <username> single user, prints Keycloak JSON - export (no args) bulk; primary users only; stderr note on skipped test users - export --include-test bulk; all users including generated - --realm / --if-resource-exists flags docs/LocalIdentity.md: add two new sections - Keycloak import procedure: export → partialImport API → password reset → retire - Isolation guarantee: attribute schema, Keycloak Condition authenticator config, production_identity mapping walkthrough tests/test_export.py: 34 new tests (88 total, all passing) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 00:23:39 +01:00
tegwick	6ed0061962	feat(local-identity): add NK-WP-0002 workplan and LocalIdentity.md Follows resolved decisions D4 and D5 (2026-03-01, Tegwick): D4 — ESO chosen as secret injection strategy. NK-WP-0001 T01 Phase 0b updated to specify ESO; T01 done-criteria updated to require a working ESO test injection. D5 — Local Identity implemented in-repo (not a separate repo). Four deliverables: - docs/LocalIdentity.md: capability overview, design principles, user schema, OIDC provider description, risk mitigations, scope boundaries - workplans/NK-WP-0002-local-identity.md: four-stage implementation plan (core file store, bootstrap integration, minimal OIDC, security hardening) with State Hub task IDs - NK-WP-0001 updated: D2/D4/D5 rows resolved, T07 bootstrap section now references NK-WP-0002 and documents the export→Keycloak migration path, Open Questions condensed to two remaining artefacts Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-01 23:49:06 +01:00

Author

SHA1

Message

Date

tegwick

dad8365e6a

feat(local-identity): Stage 2 — Keycloak export & bootstrap integration (NK-WP-0002-T02)

export.py:
  - split_fullname(): last-token strategy (Bernd Worsch → firstName/lastName)
  - _deterministic_id(): uuid5(DNS, "local-identity.{realm}.{username}") for stable,
    re-import-idempotent Keycloak IDs
  - user_to_keycloak(): full Keycloak Admin REST API user representation;
    production_identity mapping applied to username + realm; isolation attributes
    (local_identity_environment, local_identity_generated) always present;
    validate_keycloak_user() called on every conversion to catch schema drift
  - bulk_export_body(): partial import body (ifResourceExists/realm/users)

cli.py: add `export` subcommand
  - export <username>         single user, prints Keycloak JSON
  - export (no args)          bulk; primary users only; stderr note on skipped test users
  - export --include-test     bulk; all users including generated
  - --realm / --if-resource-exists flags

docs/LocalIdentity.md: add two new sections
  - Keycloak import procedure: export → partialImport API → password reset → retire
  - Isolation guarantee: attribute schema, Keycloak Condition authenticator config,
    production_identity mapping walkthrough

tests/test_export.py: 34 new tests (88 total, all passing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-02 00:23:39 +01:00

tegwick

6ed0061962

feat(local-identity): add NK-WP-0002 workplan and LocalIdentity.md

Follows resolved decisions D4 and D5 (2026-03-01, Tegwick):

D4 — ESO chosen as secret injection strategy. NK-WP-0001 T01 Phase 0b
updated to specify ESO; T01 done-criteria updated to require a working ESO
test injection.

D5 — Local Identity implemented in-repo (not a separate repo). Four
deliverables:
- docs/LocalIdentity.md: capability overview, design principles, user
  schema, OIDC provider description, risk mitigations, scope boundaries
- workplans/NK-WP-0002-local-identity.md: four-stage implementation plan
  (core file store, bootstrap integration, minimal OIDC, security hardening)
  with State Hub task IDs
- NK-WP-0001 updated: D2/D4/D5 rows resolved, T07 bootstrap section now
  references NK-WP-0002 and documents the export→Keycloak migration path,
  Open Questions condensed to two remaining artefacts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-01 23:49:06 +01:00

2 Commits