feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy
- T01: Go module (keycape), full directory skeleton, Makefile, CI workflow - T02: spec/canonical-model.yaml with 6 entities + Go domain types - T03: spec/ldap-schema.yaml + validator binary with structural/semantic rules - T04: Error taxonomy — 4 stable error types, JSON format, HTTP helpers 28 tests pass, go vet clean, go build clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
f3b1cdcba4
commit
329e996619
21 changed files with 1992 additions and 0 deletions
25
CLAUDE.md
25
CLAUDE.md
|
|
@ -1,3 +1,7 @@
|
|||
# CLAUDE.md
|
||||
|
||||
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
|
||||
|
||||
# KeyCape — Claude Code Instructions
|
||||
|
||||
## What This Repo Is
|
||||
|
|
@ -94,6 +98,27 @@ Application ──→ NetKingdom IAM Profile
|
|||
5. **Telemetry** — demand visibility for unsupported features and auth events
|
||||
6. **Migration tooling** — export/validate for LLDAP → Keycloak path
|
||||
|
||||
## Normative Constraints (from spec — binding on implementation)
|
||||
|
||||
**Never silently emulate unsupported features.** Any request outside the profile MUST fail with a structured error from this taxonomy:
|
||||
- `feature_not_supported_by_profile` — outside the NetKingdom IAM Profile entirely
|
||||
- `available_in_keycloak_mode_only` — exists in expanded mode, absent here by design
|
||||
- `rejected_for_profile_safety` — would weaken profile guarantees or security discipline
|
||||
- `invalid_profile_usage` — supported endpoint/feature used incorrectly
|
||||
|
||||
**Security hard rules:** No handwritten cryptography. No handwritten password hashing. Use established protocol and crypto libraries. Strict redirect URI validation. Strict issuer consistency.
|
||||
|
||||
**Canonical identity model** is the source of truth for test fixtures, provisioning, migration, and validation — not any backend's native schema.
|
||||
|
||||
**Spec Pack structure** (`wiki/KeyCapeSpecificationPack_v0.1.md`) contains 7 normative components agents must read before implementing:
|
||||
1. Normative Specification — OIDC/PKCE contract, endpoints, scopes, claims, client model, MFA
|
||||
2. Canonical Identity Schema — User, Group, Membership, Client, Role, MFAEnrollmentReference, etc.
|
||||
3. Canonical LDAP Schema + Validator Rules — restricted LDAP expression of identity model
|
||||
4. Error Taxonomy — machine-readable/human-readable/loggable structured errors
|
||||
5. Telemetry Schema — event types, required fields (timestamp, env, client_id, endpoint, feature_category, correlation_id, …)
|
||||
6. Migration Contract — LLDAP → full LDAP, KeyCape → Keycloak migration paths
|
||||
7. Acceptance Test Matrix — lightweight baseline, IAM replacement, full expansion, negative profile tests
|
||||
|
||||
## Workplan Convention (ADR-001)
|
||||
|
||||
Workplans live in `workplans/<id>-<slug>.md` with YAML frontmatter:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue