key-cape/README.md

46 lines
1.4 KiB
Markdown
Raw Normal View History

# KeyCape
2026-03-12 23:11:30 +00:00
*Prepare for Keycloak without Keycloak*
KeyCape is the lightweight IAM component of [NetKingdom](../net-kingdom/). It
implements the **NetKingdom IAM Profile** — a versioned OIDC/PKCE contract —
by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is
implemented by Keycloak in expanded-mode deployments.
Applications integrate against the profile, not against Keycape internals. This
makes the lightweight → expanded migration a tested, automated operation rather
than a rewrite.
## Status
**Specification phase.** The normative spec (v0.1) is complete. Implementation
workplans are the next step.
## Key Documents
- `wiki/KeyCapeSpecification_v0.1.md` — Architecture, design intent, objectives
- `wiki/KeyCapeSpecificationPack_v0.1.md` — Normative implementation spec:
canonical identity model, LDAP schema + validator rules, error taxonomy,
telemetry schema, migration contract, acceptance test matrix
## Architecture
```
Application
│ (NetKingdom IAM Profile)
KeyCape ←── profile enforcement, claim normalization, telemetry
/ | \
Auth LLDAP privacyIDEA
elia
```
**Expanded mode:** Replace KeyCape with Keycloak. Same profile, same tests pass.
## Domain
Part of the **NetKingdom** domain. Tracked in the Custodian State Hub under
domain `netkingdom`, repo slug `key-cape`.
See `CLAUDE.md` for agent session protocol and workplan conventions.