|
|
4f6b60463b
|
Session re-mint on TTL expiry (todo §4); resolveSession flags a lapsed token, app.ts hot path re-mints via remintSession (roles re-read from Keto → fresh cookie) only when a live Kratos session backs it; a dead session clears the stale cookie
|
2026-06-18 10:25:05 +02:00 |
|
|
|
228a206469
|
Auth guards (todo §4); guards.ts: requireSession/can/check + GuardError, app.ts maps GuardError → 303 /login or 403 (never 500)
|
2026-06-18 10:10:15 +02:00 |
|
|
|
24eb6b1c68
|
JWKS fetch + cache + rotation (todo §4); cachingJwks: TTL cache + rotation-on-miss reload (throttled, last-good on error), createJwksProvider routes file/base64/http + primes at boot
|
2026-06-18 10:01:40 +02:00 |
|
|
|
c8b56b85eb
|
JWT session middleware (todo §4); authenticate(): verify the session cookie via cached JWKS (key by kid) → exp/nbf/iss/aud claims (clock skew) → ctx.user/roles; iss/aud opt-in; fail-closed
|
2026-06-18 09:53:37 +02:00 |
|
|
|
38157605d0
|
Login completion (todo §4); /auth/complete: roles from Keto → metadata_public projection → tokenize → plainpages_jwt cookie; fix tokenizer projection metadata_admin→metadata_public (whoami strips admin metadata)
|
2026-06-17 23:15:28 +02:00 |
|
|
|
26a7821611
|
Render SSO buttons per configured Kratos OIDC provider (todo §4); flow-view collects oidc nodes → auth-card submit buttons, server-side visibility, drop mockup #sso-toggle CSS
|
2026-06-17 18:20:45 +02:00 |
|
|
|
0928f9dd39
|
Render Kratos self-service flows as themed pages (todo §4); buildFlowView + views/auth.ejs + login/registration/recovery/verification/settings routes
|
2026-06-17 17:55:56 +02:00 |
|
|
|
2a64cfd409
|
Add Keto fetch client (todo §4); createKetoClient(): check / list / expand relations + write / delete tuples
|
2026-06-17 17:33:59 +02:00 |
|
|
|
5e96678fda
|
Add Kratos admin-API fetch client (todo §4); createKratosAdmin(): identity CRUD + surgical metadata_admin update (login role projection)
|
2026-06-17 17:22:02 +02:00 |
|
|
|
898dc7f2cf
|
Add Kratos public-API fetch client (todo §4); createKratosPublic(): self-service flow init/get/submit, whoami, session→JWT tokenize
|
2026-06-17 17:15:50 +02:00 |
|
|
|
fcf042fa66
|
Unify §3 test overlaps (todo §3); fold the 5× image-pin checks into one compose.test.ts scan + same-version sidecar test, drop the duplicate committed-JWKS re-validation in config.test.ts
|
2026-06-17 17:07:39 +02:00 |
|
|
|
360449e76b
|
Tighten §3 comments (todo §3); drop stale 'next §3 item' forward-refs, condense compose/Ory/bootstrap headers
|
2026-06-17 17:00:47 +02:00 |
|
|
|
e83cf4da88
|
Address project-wide review (todo §3); fix JWKS_URL default → tokenizer signing key + read-only web mount, cap bootstrap restart, --no-deps for unit commands
|
2026-06-17 16:49:37 +02:00 |
|
|
|
1fc6b42156
|
Document the only manual prep (todo §3); README 'What you must supply' — production secrets + optional SSO creds, everything else auto-generated
|
2026-06-17 16:32:54 +02:00 |
|
|
|
4d65665063
|
Bootstrap: print first-run login banner (URL + seeded creds + change-before-prod warning)
|
2026-06-17 16:22:48 +02:00 |
|
|
|
a6900217cb
|
One-command bootstrap (todo §3); idempotent first-boot seed: JWKS-if-absent, demo admin in Kratos, admin role in Keto
|
2026-06-17 16:18:21 +02:00 |
|
|
|
4af090f803
|
Split dev/prod compose wiring (todo §3); Ory readiness healthchecks, web gated on kratos+keto, dev-only host ports, Ory-free E2E
|
2026-06-17 16:06:05 +02:00 |
|
|
|
93e62d8661
|
Add Hydra service + migrate (todo §3); pin oryd/hydra:v26.2.0, OAuth2 issuer + login/consent URLs → our app routes
|
2026-06-17 15:45:37 +02:00 |
|
|
|
fa87280f46
|
Add Keto service + migrate (todo §3); OPL role/group/resource namespaces, fine-grained resource permits
|
2026-06-17 15:12:01 +02:00 |
|
|
|
6640dfc84e
|
Generate + mount the JWT signing JWKS (todo §3); ES256 gen-jwks tool, committed dev key, key-rotation docs
|
2026-06-17 13:24:31 +02:00 |
|
|
|
95c759d773
|
Wire Kratos session tokenizer template (todo §3); plainpages JWT (sub/email/roles), 10m TTL, Jsonnet claims mapper reading metadata_admin
|
2026-06-17 12:02:21 +02:00 |
|
|
|
0313f48112
|
Configure Kratos session settings (todo §3); branded cookie, 720h lifespan, 24h sliding-refresh window
|
2026-06-17 11:27:56 +02:00 |
|
|
|
d6960c9bad
|
Add optional env-activated Kratos OIDC/SSO providers (todo §3); off by default, committed claims mapper, SAML via OIDC bridge note
|
2026-06-17 10:58:31 +02:00 |
|
|
|
f2898696e6
|
Wire Kratos self-service flows to themed routes (todo §3); enable recovery/verification via email code, add mailpit dev courier + --watch-courier
|
2026-06-17 10:19:29 +02:00 |
|
|
|
120e1a0929
|
Add kratos service + migrate (todo §3); pin oryd/kratos:v26.2.0, identity schema (email, name), bootable password config
|
2026-06-16 23:24:32 +02:00 |
|
|
|
bc15f00c44
|
Add postgres service (todo §3); pin postgres:18.4-alpine3.23, one DB per Kratos/Keto/Hydra via init.sql
|
2026-06-16 17:13:40 +02:00 |
|
|
|
a602f794d1
|
Consolidate tests (todo §2); merge HTTP static tests, fold 403 render into the live gated route, unify resolveViewPath cases
|
2026-06-16 16:42:46 +02:00 |
|
|
|
9489bd124b
|
Tighten code comments + README (todo §2); trim verbose §2 headers, drop stale planned/next-item markers, correct README status
|
2026-06-16 16:31:57 +02:00 |
|
|
|
a8ebf81588
|
Address whole-project review (todo §2); wire plugin hooks (onBoot/onRequest/onResponse), document template trust boundary, tidy discovery
|
2026-06-16 16:23:08 +02:00 |
|
|
|
ff7b55be4c
|
Wire branding into the app shell (todo §2); render config logo + default theme, fall back to the brand mark
|
2026-06-16 16:07:24 +02:00 |
|
|
|
952dd03cc2
|
Add config/menu.ts central override + branding (todo §2); loadMenuConfig validates+merges, override applied to nav, branding into shell
|
2026-06-16 15:52:03 +02:00 |
|
|
|
3cdefff233
|
Serve per-plugin static assets (todo §2); /public/<id>/ → plugins/<id>/public/ via routePublic, core public/ unaffected
|
2026-06-16 15:18:20 +02:00 |
|
|
|
fe89dd1c06
|
Add per-plugin view resolver (todo §2); render plugins/<id>/views/<view>.ejs with nested names + traversal guard, core partials reachable via include()
|
2026-06-16 13:41:02 +02:00 |
|
|
|
9b6684c653
|
Mount plugin routes via the router (todo §2); match method+path under /<id>, resolve :params, permission gate, RouteResult→response
|
2026-06-16 12:22:15 +02:00 |
|
|
|
ca3f6ba8ce
|
Discover plugins at boot (todo §2); scan plugins/, import + validate each plugin.ts default export, fail loud on bad plugin/conflict
|
2026-06-16 12:11:04 +02:00 |
|
|
|
09d616ddd3
|
Loosen plugin id rule (todo §2); allow digits and dashes anywhere (^[a-z0-9-]+$)
|
2026-06-16 11:53:14 +02:00 |
|
|
|
1623a81ddc
|
Refine plugin contract (todo §2); derive id/mount from folder (isValidPluginId), apiVersion literal not HOST_API_VERSION, nav icon = Lucide, drop redundant basePath
|
2026-06-16 10:58:29 +02:00 |
|
|
|
a0d39ef624
|
Make checkApiVersion semver-based (todo §2); strict parseSemver via official semver regex (no dep), major/minor compatibility rules
|
2026-06-16 10:46:02 +02:00 |
|
|
|
3be67ff8e4
|
Specify the plugin contract (todo §2); typed manifest + version/conflict rules in src/plugin.ts, authoritative docs/plugin-contract.md
|
2026-06-15 17:07:55 +02:00 |
|
|
|
f91e08c2a6
|
Add Full, parallel E2E principle (todo §1.1); AGENTS §6 + README, 404 E2E coverage, --build the runner so spec edits apply
|
2026-06-15 16:58:26 +02:00 |
|
|
|
645a316419
|
Make markup semantic + add semantic DOM principle (todo §1); page <h1>, skip link, row-header <th scope=row>, descriptive error pages
|
2026-06-15 16:53:07 +02:00 |
|
|
|
6f590148af
|
Add dockerized Playwright E2E (todo §1); screenshot live pages + foundation mockups, assert shared design-system styles match
|
2026-06-15 16:37:21 +02:00 |
|
|
|
947851b4ff
|
Replace placeholder index with the app-shell People dashboard (todo §1); wire parseListQuery/paginate/composeNav + partials into a real zero-JS list page
|
2026-06-15 15:57:42 +02:00 |
|
|
|
c06429e4d5
|
Add paginate helper (todo §1); page model with row window + ellipsis sequence for pagination.ejs, clamped/guarded inputs
|
2026-06-15 13:50:15 +02:00 |
|
|
|
20f49c1df7
|
Add parseListQuery helper (todo §1); read a list URL into { q, filters, sort, page, pageSize }, defaults+clamp, zero-throw
|
2026-06-15 13:38:34 +02:00 |
|
|
|
c2bcce9845
|
Add composeNav helper (todo §1); merge plugin nav fragments + central override (rename/group/order/hide), role-filter to a nav-tree model
|
2026-06-15 13:33:54 +02:00 |
|
|
|
bddc1f891d
|
Add menu/popover + theme-switch partials (todo §1); data-driven .menu (items/check-groups/positioning), Light/Auto/Dark switch, shell reuses both
|
2026-06-15 13:27:44 +02:00 |
|
|
|
7716e38d84
|
Add field + auth-card partials (todo §1); data-driven .field (label/icon/hint/server error) and auth-card shell (head/SSO/body/alt)
|
2026-06-15 13:16:36 +02:00 |
|
|
|
fcf2abdf17
|
Add data-driven pagination partial (todo §1); rows-per-page GET form + page-number links, zero-JS, query-param driven
|
2026-06-15 13:10:24 +02:00 |
|
|
|
cf1b74f09d
|
Add data-driven data-table partial (todo §1); sortable header links, row-select, typed cells/badges, kebab actions
|
2026-06-15 13:04:19 +02:00 |
|
