Expose authz API port (8082) in Dockerfile and create /app/policies
directory. Extend Helm chart with configurable authz section: inline
KDL policy ConfigMap, existing ConfigMap reference, policies volume
mount, Service port, and a NetworkPolicy restricting the authz port
to same-namespace traffic while leaving the OIDC port unrestricted.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a Zanzibar-style relationship-based access control engine with
OPA-style ABAC condition evaluation. Policies, roles, resources, and
grants are defined in KDL files loaded from a configured directory at
startup. Exposes a read-only REST API (POST /v1/check, /v1/expand,
GET /healthz) on a dedicated port when authz.enabled = true.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add docker-build job that runs on every push/PR
- Builds only amd64 platform for speed (vs multi-platform in release)
- Uses GitHub Actions cache for faster builds
- Prevents Dockerfile issues from reaching release workflow
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add COPY client-wasm to Dockerfile to include workspace member
- Update Rust base image from 1.91 to 1.92
- Fixes CI build failure: "failed to load manifest for workspace member client-wasm"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add COPY instruction for migration directory to Dockerfile to fix
build failure. The migration crate is a path dependency required
by the main barycenter package.
Fixes Docker build error:
error: failed to get `migration` as a dependency of package `barycenter`
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Replace raw SQL CREATE TABLE statements with proper SeaORM migration
system. This eliminates verbose SQL logs on startup and provides
proper migration tracking and rollback support.
Changes:
- Add sea-orm-migration dependency and migration crate
- Create initial migration (m20250101_000001) with all 8 tables
- Update storage::init() to only connect to database
- Run migrations automatically in main.rs on startup
- Remove unused detect_backend() function and imports
The migration system properly handles both SQLite and PostgreSQL
backends with appropriate type handling (e.g., BIGSERIAL vs INTEGER
for auto-increment columns).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add support for valueFrom in environment variables for both main
container and user-sync init container. This enables injecting
values from secrets, configMaps, fieldRefs, and resourceFieldRefs
instead of only hardcoded values.
Updated deployment template to use toYaml for env rendering,
allowing full Kubernetes env var specifications. Added comprehensive
documentation and examples in values.yaml.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add --config flag to both main container and user-sync init container
to explicitly specify the mounted config file path at /app/config/config.toml.
This fixes deserialization errors when the application couldn't find the
config file in the default working directory.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Enable public registration in integration tests via environment variable
BARYCENTER__SERVER__ALLOW_PUBLIC_REGISTRATION=true
- Fix environment variable prefix from CRABIDP to BARYCENTER to match
documentation in CLAUDE.md
- All 4 integration tests now pass successfully
Fixes:
- test_oauth2_authorization_code_flow
- test_openidconnect_authorization_code_flow
- test_security_headers
- test_token_endpoint_cache_control
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add userSync configuration to values.yaml (existingSecret only)
- Add conditional init container to deployment.yaml
- Create comprehensive README.md with:
- Installation and configuration instructions
- User sync workflow and examples
- Troubleshooting guide
- Security best practices
- Add examples/user-sync-secret.yaml with sample users
- Support declarative user management for Kubernetes/GitOps
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
