Remove completed todo.md + html-css-foundation mockups; strip dead §N phase refs from comments/docs (simplify visual E2E to drop the mockup-comparison oracle)

This commit is contained in:
2026-06-23 22:49:28 +02:00
parent e22d24aa8a
commit a9f25a7692
143 changed files with 394 additions and 1538 deletions
+2 -2
View File
@@ -2,7 +2,7 @@
# plainpages (README: "OAuth2 provider"). The web app implements Hydra's login &
# consent steps at the URLs below, authenticating the user via their Kratos session;
# Hydra mints the tokens. DSN comes from the env (the per-service hydra DB). Only
# relevant when external apps log in through us — nothing first-party needs it (§6).
# relevant when external apps log in through us — nothing first-party needs it.
serve:
public:
port: 4444
@@ -10,7 +10,7 @@ serve:
port: 4445
# issuer = the public OAuth2 URL clients use; login/consent/logout hand the browser to
# our themed handlers (§6). Dev defaults (http) — prod overrides issuer via env (https).
# our themed handlers. Dev defaults (http) — prod overrides issuer via env (https).
urls:
self:
issuer: http://127.0.0.1:4444/
+1 -1
View File
@@ -8,7 +8,7 @@ import { Context, Namespace, SubjectSet } from "@ory/keto-namespace-types"
class User implements Namespace {}
// A subject set: a named collection of users (and nested groups), resolved transitively.
// The admin "Groups" screen (§5) manages membership; checks expand it automatically.
// The admin "Groups" screen manages membership; checks expand it automatically.
class Group implements Namespace {
related: {
members: (User | SubjectSet<Group, "members">)[]
+6 -6
View File
@@ -1,6 +1,6 @@
# Ory Kratos — identity & self-service auth. Identity schema (email, name) +
# password login; recovery & verification run on email codes. Every self-service
# flow returns to our own themed routes (§4 renders the fields). DSN + prod
# flow returns to our own themed routes (renders the fields). DSN + prod
# courier/secrets come from the env. Session→JWT tokenizer wired below (signing
# key in tokenizer/jwks.json).
serve:
@@ -24,7 +24,7 @@ selfservice:
code: # email one-time code — powers recovery + verification (not login)
enabled: true
# Social sign-in, OFF by default → clean clone is password-only. Activate via env only
# (no code; the whole-array form is the only env-settable one Kratos offers); §4 derives
# (no code; the whole-array form is the only env-settable one Kratos offers); derives
# the buttons from this list. SAML isn't in OSS Kratos — bridge it as OIDC (README).
# SELFSERVICE_METHODS_OIDC_ENABLED=true
# SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS=[{"id":"google","provider":"google",
@@ -41,7 +41,7 @@ selfservice:
ui_url: http://localhost:3000/login
after:
# After authenticating, land on our completion route — it mints the session JWT
# (roles from Keto → metadata_public projection → tokenize) and sets our cookie (§4).
# (roles from Keto → metadata_public projection → tokenize) and sets our cookie.
default_browser_return_url: http://localhost:3000/auth/complete
registration:
ui_url: http://localhost:3000/registration
@@ -82,7 +82,7 @@ identity:
url: file:///etc/config/kratos/identity.schema.json
# "Stay signed in" backbone: a long-lived Kratos session that the app re-mints the
# short-lived (~10m) JWT off (§4). Sliding refresh — an active session is extended
# short-lived (~10m) JWT off. Sliding refresh — an active session is extended
# back to full lifespan only once it's within earliest_possible_extend of expiry,
# so frequent users never lapse without a DB write per request.
session:
@@ -92,7 +92,7 @@ session:
name: plainpages_session
persistent: true # survive browser restarts
same_site: Lax
# Session→JWT tokenizer (§4): whoami(tokenize_as: plainpages) mints a short-lived,
# Session→JWT tokenizer: whoami(tokenize_as: plainpages) mints a short-lived,
# locally-verifiable JWT so the hot path never calls Ory. Claims come from the
# committed Jsonnet mapper (sub = identity id, email from traits, roles from the
# metadata_public projection); signed with tokenizer/jwks.json.
@@ -105,7 +105,7 @@ session:
claims_mapper_url: file:///etc/config/kratos/tokenizer/plainpages.jsonnet
jwks_url: file:///etc/config/kratos/tokenizer/jwks.json
# Dev throwaways — production supplies real secrets via env (§3). cipher = 32 chars.
# Dev throwaways — production supplies real secrets via env. cipher = 32 chars.
secrets:
cookie:
- PLEASE-CHANGE-ME-dev-kratos-cookie-secret
+1 -1
View File
@@ -1,4 +1,4 @@
// Session→JWT claims mapper for the `plainpages` tokenizer (§4). Kratos exposes the
// Session→JWT claims mapper for the `plainpages` tokenizer. Kratos exposes the
// session as `session`; `sub` is set from the identity id (subject_source: id) and
// can't be overridden here. roles come from metadata_public — the per-login projection
// of Keto roles the app refreshes at login (metadata_admin is NOT carried in the session