diff --git a/registry/capabilities/capability.iam.key-cape.md b/registry/capabilities/capability.iam.key-cape.md new file mode 100644 index 0000000..0c096ec --- /dev/null +++ b/registry/capabilities/capability.iam.key-cape.md @@ -0,0 +1,125 @@ +--- +id: capability.iam.key-cape +name: KeyCape Lightweight IAM (NetKingdom Profile) +summary: Lightweight-mode implementation of the NetKingdom IAM Profile (versioned OIDC/PKCE contract), + orchestrating Authelia, LLDAP, and privacyIDEA so applications integrate against the profile, not against + implementation internals. +owner: key-cape +status: draft +domain: infotech +tags: +- iam +- oidc +- netkingdom +- security +maturity: + discovery: + current: D4 + target: D5 + confidence: high + rationale: README documents a versioned canonical contract (net-kingdom canon/standards/iam-profile_v0.2.md), + explicit lightweight-vs-expanded (Keycloak) migration story, and a completed implementation status + (all 23 workplan tasks, 21 green test packages). + availability: + current: A2 + target: A3 + confidence: high + rationale: README states 'Implementation complete (v0.1)'; has both `.gitea/workflows/` and `.forgejo/workflows/` + CI already in place — ahead of most siblings on the Forgejo transition. +external_evidence: + completeness: + level: C2 + confidence: low + basis: scope_vs_intent_and_consumer_expectations + satisfied_expectations: + - full v0.1 implementation per its own workplan (23/23 tasks) + - 21 test packages, all green + - documented lightweight-to-expanded (Keycloak) migration path + broken_expectations: [] + out_of_scope_expectations: [] + reliability: + level: R1 + confidence: low + basis: consumer_quality_signals + known_reliability_risks: + - maturity claims rely on the repo's own workplan completion record, not independently re-verified + in this sweep +discovery: + intent: Let applications integrate against a versioned IAM profile contract rather than against Keycape + internals, so migrating from lightweight (Authelia/LLDAP/privacyIDEA) to expanded (Keycloak) mode + is a tested operation, not a rewrite. + includes: + - NetKingdom IAM Profile v0.2 lightweight-mode orchestration (Authelia, LLDAP, privacyIDEA) + - profile-contract conformance + excludes: + - expanded-mode (Keycloak) implementation itself (separate deployment target for the same profile) + assumptions: [] + use_cases: [] + research_memos: [] +availability: + current_level: A2 + target_level: A3 + current_artifacts: + - deployable lightweight-mode IAM stack + target_artifacts: [] + consumption_modes: + - service (self-hosted deployment) +relations: + depends_on: [] + supports: [] + related_to: [] +evidence: + documentation: + - README.md + - workplans/KEY-WP-0001-keycape-implementation.md + tests: + - .gitea/workflows/ + - .forgejo/workflows/ + consumer_feedback: [] + bug_reports: [] + incidents: [] +consumer_guidance: + recommended_for: + - NetKingdom deployments wanting a lightweight, self-hosted IAM profile implementation with a tested + migration path to Keycloak + not_recommended_for: + - deployments already committed to expanded/Keycloak mode + known_limitations: + - v0.1 completion claim not independently re-verified during this coverage sweep +promotion_history: [] +--- + +# KeyCape Lightweight IAM (NetKingdom Profile) + +## Overview + +KeyCape is the lightweight IAM component of NetKingdom, implementing the versioned NetKingdom IAM Profile (OIDC/PKCE) by orchestrating Authelia, LLDAP, and privacyIDEA — the same profile Keycloak implements in expanded-mode deployments, so migration is a tested operation rather than a rewrite. + +## Assessment notes + +### Discovery + +README documents a versioned canonical contract (net-kingdom canon/standards/iam-profile_v0.2.md), explicit lightweight-vs-expanded (Keycloak) migration story, and a completed implementation status (all 23 workplan tasks, 21 green test packages). + +### Availability + +README states 'Implementation complete (v0.1)'; has both `.gitea/workflows/` and `.forgejo/workflows/` CI already in place — ahead of most siblings on the Forgejo transition. + +### Completeness + +First-pass honest assessment from the REUSE-WP-0017 coverage campaign +(reuse-surface). No external consumer feedback exists yet; levels reflect +scope-vs-intent documentation quality, not internal code quality. + +### Reliability + +No production consumer telemetry exists yet; reliability level is +intentionally conservative pending REUSE-WP-0019 reuse-telemetry evidence. + +## Promotion checklist + +- [x] ID follows `capability..` pattern +- [x] Maturity enums match `specs/CapabilityMaturityStandard.md` +- [x] `external_evidence` is populated separately from `maturity` +- [ ] Relations reference valid capability IDs (none yet) +- [x] Index entry added in `registry/indexes/capabilities.yaml` diff --git a/registry/indexes/capabilities.yaml b/registry/indexes/capabilities.yaml index f944e47..af664bf 100644 --- a/registry/indexes/capabilities.yaml +++ b/registry/indexes/capabilities.yaml @@ -1,4 +1,21 @@ version: 1 -updated: '2026-06-16' +updated: '2026-07-06' domain: helix_forge -capabilities: [] +capabilities: +- id: capability.iam.key-cape + name: KeyCape Lightweight IAM (NetKingdom Profile) + summary: Lightweight-mode implementation of the NetKingdom IAM Profile (versioned OIDC/PKCE contract), + orchestrating Authelia, LLDAP, and privacyIDEA so applications integrate against the profile, not + against implementation internals. + vector: D4 / A2 / C2 / R1 + domain: infotech + status: draft + owner: key-cape + path: registry/capabilities/capability.iam.key-cape.md + tags: + - iam + - oidc + - netkingdom + - security + consumption_modes: + - service (self-hosted deployment)