key-cape/registry/capabilities/capability.iam.key-cape.md
tegwick 326f7d1f07 Draft capability entry (reuse-surface REUSE-WP-0017-T04, cohort 2)
Honest first-pass maturity vector grounded in README/docs/tests present
in this repo; no invented evidence. Flagged for human review before
publish. See reuse-surface history/2026-07-06-coverage-classification.md.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-06 19:41:37 +02:00

4.5 KiB

id name summary owner status domain tags maturity external_evidence discovery availability relations evidence consumer_guidance promotion_history
capability.iam.key-cape KeyCape Lightweight IAM (NetKingdom Profile) Lightweight-mode implementation of the NetKingdom IAM Profile (versioned OIDC/PKCE contract), orchestrating Authelia, LLDAP, and privacyIDEA so applications integrate against the profile, not against implementation internals. key-cape draft infotech
iam
oidc
netkingdom
security
discovery availability
current target confidence rationale
D4 D5 high README documents a versioned canonical contract (net-kingdom canon/standards/iam-profile_v0.2.md), explicit lightweight-vs-expanded (Keycloak) migration story, and a completed implementation status (all 23 workplan tasks, 21 green test packages).
current target confidence rationale
A2 A3 high README states 'Implementation complete (v0.1)'; has both `.gitea/workflows/` and `.forgejo/workflows/` CI already in place — ahead of most siblings on the Forgejo transition.
completeness reliability
level confidence basis satisfied_expectations broken_expectations out_of_scope_expectations
C2 low scope_vs_intent_and_consumer_expectations
full v0.1 implementation per its own workplan (23/23 tasks)
21 test packages, all green
documented lightweight-to-expanded (Keycloak) migration path
level confidence basis known_reliability_risks
R1 low consumer_quality_signals
maturity claims rely on the repo's own workplan completion record, not independently re-verified in this sweep
intent includes excludes assumptions use_cases research_memos
Let applications integrate against a versioned IAM profile contract rather than against Keycape internals, so migrating from lightweight (Authelia/LLDAP/privacyIDEA) to expanded (Keycloak) mode is a tested operation, not a rewrite.
NetKingdom IAM Profile v0.2 lightweight-mode orchestration (Authelia, LLDAP, privacyIDEA)
profile-contract conformance
expanded-mode (Keycloak) implementation itself (separate deployment target for the same profile)
current_level target_level current_artifacts target_artifacts consumption_modes
A2 A3
deployable lightweight-mode IAM stack
service (self-hosted deployment)
depends_on supports related_to
documentation tests consumer_feedback bug_reports incidents
README.md
workplans/KEY-WP-0001-keycape-implementation.md
.gitea/workflows/
.forgejo/workflows/
recommended_for not_recommended_for known_limitations
NetKingdom deployments wanting a lightweight, self-hosted IAM profile implementation with a tested migration path to Keycloak
deployments already committed to expanded/Keycloak mode
v0.1 completion claim not independently re-verified during this coverage sweep

KeyCape Lightweight IAM (NetKingdom Profile)

Overview

KeyCape is the lightweight IAM component of NetKingdom, implementing the versioned NetKingdom IAM Profile (OIDC/PKCE) by orchestrating Authelia, LLDAP, and privacyIDEA — the same profile Keycloak implements in expanded-mode deployments, so migration is a tested operation rather than a rewrite.

Assessment notes

Discovery

README documents a versioned canonical contract (net-kingdom canon/standards/iam-profile_v0.2.md), explicit lightweight-vs-expanded (Keycloak) migration story, and a completed implementation status (all 23 workplan tasks, 21 green test packages).

Availability

README states 'Implementation complete (v0.1)'; has both .gitea/workflows/ and .forgejo/workflows/ CI already in place — ahead of most siblings on the Forgejo transition.

Completeness

First-pass honest assessment from the REUSE-WP-0017 coverage campaign (reuse-surface). No external consumer feedback exists yet; levels reflect scope-vs-intent documentation quality, not internal code quality.

Reliability

No production consumer telemetry exists yet; reliability level is intentionally conservative pending REUSE-WP-0019 reuse-telemetry evidence.

Promotion checklist

  • ID follows capability.<domain>.<name> pattern
  • Maturity enums match specs/CapabilityMaturityStandard.md
  • external_evidence is populated separately from maturity
  • Relations reference valid capability IDs (none yet)
  • Index entry added in registry/indexes/capabilities.yaml