The migration creates the interval column as integer (INT4) but the
entity and storage struct used i64 (INT8), causing a type mismatch
error on PostgreSQL.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The init container was only getting RUST_LOG, not the main env block.
This caused it to connect to the config file's database URL (SQLite)
instead of the BARYCENTER__DATABASE__URL env var (PostgreSQL),
resulting in migrations and user-sync running against the wrong
database.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The DeriveIden macro converted DeviceCode to device_code (singular),
but the SeaORM entity expects device_codes (plural). Adds a migration
to rename the table so queries match.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The config-rs crate uses '_' as the default prefix separator, so
BARYCENTER__DATABASE__URL was parsed as _database.url instead of
database.url. Adding prefix_separator("__") ensures double-underscore
env vars are correctly mapped to nested config keys.
Also makes the database section in the Helm ConfigMap conditional so
it can be omitted when the URL is provided via environment variable.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Include mermaid.min.js and a custom init script that converts
```mermaid code blocks to rendered diagrams at runtime. Supports
theme-aware rendering (light/dark). No preprocessor needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The fa-github icon font is not available in newer mdbook versions,
causing a "Missing font github" rendering error.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Builds the mdbook documentation and deploys to GitHub Pages on
pushes to main that modify book/ files. Also supports manual
dispatch via workflow_dispatch.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Expose authz API port (8082) in Dockerfile and create /app/policies
directory. Extend Helm chart with configurable authz section: inline
KDL policy ConfigMap, existing ConfigMap reference, policies volume
mount, Service port, and a NetworkPolicy restricting the authz port
to same-namespace traffic while leaving the OIDC port unrestricted.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a Zanzibar-style relationship-based access control engine with
OPA-style ABAC condition evaluation. Policies, roles, resources, and
grants are defined in KDL files loaded from a configured directory at
startup. Exposes a read-only REST API (POST /v1/check, /v1/expand,
GET /healthz) on a dedicated port when authz.enabled = true.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add docker-build job that runs on every push/PR
- Builds only amd64 platform for speed (vs multi-platform in release)
- Uses GitHub Actions cache for faster builds
- Prevents Dockerfile issues from reaching release workflow
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add COPY client-wasm to Dockerfile to include workspace member
- Update Rust base image from 1.91 to 1.92
- Fixes CI build failure: "failed to load manifest for workspace member client-wasm"
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add COPY instruction for migration directory to Dockerfile to fix
build failure. The migration crate is a path dependency required
by the main barycenter package.
Fixes Docker build error:
error: failed to get `migration` as a dependency of package `barycenter`
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Replace raw SQL CREATE TABLE statements with proper SeaORM migration
system. This eliminates verbose SQL logs on startup and provides
proper migration tracking and rollback support.
Changes:
- Add sea-orm-migration dependency and migration crate
- Create initial migration (m20250101_000001) with all 8 tables
- Update storage::init() to only connect to database
- Run migrations automatically in main.rs on startup
- Remove unused detect_backend() function and imports
The migration system properly handles both SQLite and PostgreSQL
backends with appropriate type handling (e.g., BIGSERIAL vs INTEGER
for auto-increment columns).
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add support for valueFrom in environment variables for both main
container and user-sync init container. This enables injecting
values from secrets, configMaps, fieldRefs, and resourceFieldRefs
instead of only hardcoded values.
Updated deployment template to use toYaml for env rendering,
allowing full Kubernetes env var specifications. Added comprehensive
documentation and examples in values.yaml.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add --config flag to both main container and user-sync init container
to explicitly specify the mounted config file path at /app/config/config.toml.
This fixes deserialization errors when the application couldn't find the
config file in the default working directory.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Enable public registration in integration tests via environment variable
BARYCENTER__SERVER__ALLOW_PUBLIC_REGISTRATION=true
- Fix environment variable prefix from CRABIDP to BARYCENTER to match
documentation in CLAUDE.md
- All 4 integration tests now pass successfully
Fixes:
- test_oauth2_authorization_code_flow
- test_openidconnect_authorization_code_flow
- test_security_headers
- test_token_endpoint_cache_control
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add userSync configuration to values.yaml (existingSecret only)
- Add conditional init container to deployment.yaml
- Create comprehensive README.md with:
- Installation and configuration instructions
- User sync workflow and examples
- Troubleshooting guide
- Security best practices
- Add examples/user-sync-secret.yaml with sample users
- Support declarative user management for Kubernetes/GitOps
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
