Tier-2 Forgejo migration pilot — container image CI
tegwick 3ee8090a98 feat: implement T09, T15, T21 — userinfo endpoint, LLDAP export, negative tests
- T09: /userinfo with RS256 JWT validation, scope-filtered claims
- T15: LLDAP→canonical export tool with validation, migration_event telemetry
- T21: Negative test suite (Scenario D) — all 7 unsupported features verified

All go tests passing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-13 02:08:03 +01:00
.claude feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy 2026-03-13 01:27:54 +01:00
.github/workflows feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy 2026-03-13 01:27:54 +01:00
docs/adr feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy 2026-03-13 01:27:54 +01:00
spec feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy 2026-03-13 01:27:54 +01:00
src feat: implement T09, T15, T21 — userinfo endpoint, LLDAP export, negative tests 2026-03-13 02:08:03 +01:00
wiki chore: track specification documents 2026-03-13 00:30:46 +01:00
workplans feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy 2026-03-13 01:27:54 +01:00
.gitignore Initial commit 2026-03-12 23:11:30 +00:00
CLAUDE.md feat: implement T01-T04 — Go module, canonical model, LDAP validator, error taxonomy 2026-03-13 01:27:54 +01:00
LICENSE Initial commit 2026-03-12 23:11:30 +00:00
README.md feat: prime repo — CLAUDE.md + README, register in state-hub 2026-03-13 00:23:19 +01:00

KeyCape

Prepare for Keycloak without Keycloak

KeyCape is the lightweight IAM component of NetKingdom. It implements the NetKingdom IAM Profile — a versioned OIDC/PKCE contract — by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is implemented by Keycloak in expanded-mode deployments.

Applications integrate against the profile, not against KeyCape internals. This makes the lightweight → expanded migration a tested, automated operation rather than a rewrite.

Status

Specification phase. The normative spec (v0.1) is complete. Implementation workplans are the next step.

Key Documents

  • wiki/KeyCapeSpecification_v0.1.md — Architecture, design intent, objectives
  • wiki/KeyCapeSpecificationPack_v0.1.md — Normative implementation spec: canonical identity model, LDAP schema + validator rules, error taxonomy, telemetry schema, migration contract, acceptance test matrix

Architecture

Application
    │  (NetKingdom IAM Profile)
    ▼
 KeyCape  ←── profile enforcement, claim normalization, telemetry
  /     |     \
Authelia  LLDAP  privacyIDEA

Expanded mode: Replace KeyCape with Keycloak. Same profile, same tests pass.

Domain

Part of the NetKingdom domain. Tracked in the Custodian State Hub under domain netkingdom, repo slug key-cape.

See CLAUDE.md for agent session protocol and workplan conventions.