--- id: capability.iam.key-cape name: KeyCape Lightweight IAM (NetKingdom Profile) summary: Lightweight-mode implementation of the NetKingdom IAM Profile (versioned OIDC/PKCE contract), orchestrating Authelia, LLDAP, and privacyIDEA so applications integrate against the profile, not against implementation internals. owner: key-cape status: draft domain: infotech tags: - iam - oidc - netkingdom - security maturity: discovery: current: D4 target: D5 confidence: high rationale: README documents a versioned canonical contract (net-kingdom canon/standards/iam-profile_v0.2.md), explicit lightweight-vs-expanded (Keycloak) migration story, and a completed implementation status (all 23 workplan tasks, 21 green test packages). availability: current: A2 target: A3 confidence: high rationale: README states 'Implementation complete (v0.1)'; has both `.gitea/workflows/` and `.forgejo/workflows/` CI already in place — ahead of most siblings on the Forgejo transition. external_evidence: completeness: level: C2 confidence: low basis: scope_vs_intent_and_consumer_expectations satisfied_expectations: - full v0.1 implementation per its own workplan (23/23 tasks) - 21 test packages, all green - documented lightweight-to-expanded (Keycloak) migration path broken_expectations: [] out_of_scope_expectations: [] reliability: level: R1 confidence: low basis: consumer_quality_signals known_reliability_risks: - maturity claims rely on the repo's own workplan completion record, not independently re-verified in this sweep discovery: intent: Let applications integrate against a versioned IAM profile contract rather than against Keycape internals, so migrating from lightweight (Authelia/LLDAP/privacyIDEA) to expanded (Keycloak) mode is a tested operation, not a rewrite. includes: - NetKingdom IAM Profile v0.2 lightweight-mode orchestration (Authelia, LLDAP, privacyIDEA) - profile-contract conformance excludes: - expanded-mode (Keycloak) implementation itself (separate deployment target for the same profile) assumptions: [] use_cases: [] research_memos: [] availability: current_level: A2 target_level: A3 current_artifacts: - deployable lightweight-mode IAM stack target_artifacts: [] consumption_modes: - service (self-hosted deployment) relations: depends_on: [] supports: [] related_to: [] evidence: documentation: - README.md - workplans/KEY-WP-0001-keycape-implementation.md tests: - .gitea/workflows/ - .forgejo/workflows/ consumer_feedback: [] bug_reports: [] incidents: [] consumer_guidance: recommended_for: - NetKingdom deployments wanting a lightweight, self-hosted IAM profile implementation with a tested migration path to Keycloak not_recommended_for: - deployments already committed to expanded/Keycloak mode known_limitations: - v0.1 completion claim not independently re-verified during this coverage sweep promotion_history: [] --- # KeyCape Lightweight IAM (NetKingdom Profile) ## Overview KeyCape is the lightweight IAM component of NetKingdom, implementing the versioned NetKingdom IAM Profile (OIDC/PKCE) by orchestrating Authelia, LLDAP, and privacyIDEA — the same profile Keycloak implements in expanded-mode deployments, so migration is a tested operation rather than a rewrite. ## Assessment notes ### Discovery README documents a versioned canonical contract (net-kingdom canon/standards/iam-profile_v0.2.md), explicit lightweight-vs-expanded (Keycloak) migration story, and a completed implementation status (all 23 workplan tasks, 21 green test packages). ### Availability README states 'Implementation complete (v0.1)'; has both `.gitea/workflows/` and `.forgejo/workflows/` CI already in place — ahead of most siblings on the Forgejo transition. ### Completeness First-pass honest assessment from the REUSE-WP-0017 coverage campaign (reuse-surface). No external consumer feedback exists yet; levels reflect scope-vs-intent documentation quality, not internal code quality. ### Reliability No production consumer telemetry exists yet; reliability level is intentionally conservative pending REUSE-WP-0019 reuse-telemetry evidence. ## Promotion checklist - [x] ID follows `capability..` pattern - [x] Maturity enums match `specs/CapabilityMaturityStandard.md` - [x] `external_evidence` is populated separately from `maturity` - [ ] Relations reference valid capability IDs (none yet) - [x] Index entry added in `registry/indexes/capabilities.yaml`