Identity & Access

Centralised authentication for every administrative surface.

The identity provider anchors role-based access for the admin console, docs MCP, and future automation agents. Deployment guardrails track issuer health, TLS posture, and allowed groups inside the status ledger.

Guardrails

How access stays controlled

Identity hooks pair with forward-auth middleware so every sensitive surface inherits the same policies.

Group mapping

Group claims from the OIDC token feed Traefik middlewares and admin sessions, so each surface admits only the groups that need it and least privilege holds.

TLS enforcement

Let’s Encrypt certificates are reissued automatically, and ops/checks.sh alerts on issuer drift.

Audit trails

Workspace prep snapshots note provisioning changes, while docs/social surfaces echo each deploy.
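As an added example (not the project's own code), the following Python sketches the two checks that the Group mapping and TLS enforcement guardrails describe: the deny-by-default decision a forward-auth endpoint makes from OIDC group claims, and a check that the published OIDC discovery document and the serving certificate's issuer have not drifted from what is expected. The issuer URL, audience, group names, surface names and sample data are all assumptions, as is the premise that the claims handed to the decision function have already had their signature verified upstream.

```python
"""Forward-auth decision and issuer-drift check (constructed example).

Assumptions, none taken from the page: the expected issuer/audience values,
the surface and group names, and that the caller passes ID-token claims whose
signature has already been verified against the IdP's JWKS.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Optional

EXPECTED_ISSUER = "https://idp.example.test/realms/platform"  # assumed value
EXPECTED_AUDIENCE = "platform-gateway"                        # assumed value

# Hypothetical surface -> groups allowed to reach it. Each surface lists only
# the groups that need it; anything not listed is denied (deny by default).
ROUTE_GROUPS = {
    "admin-console": {"/platform/admins"},
    "docs-mcp": {"/platform/admins", "/platform/docs-editors"},
    "automation": {"/platform/automation-agents"},
}


@dataclass(frozen=True)
class Decision:
    status: int   # 200 allow, 401 not authenticated, 403 authenticated but not allowed
    reason: str


def authorize(claims: Optional[dict], surface: str, now: Optional[float] = None) -> Decision:
    """Decide whether signature-verified claims may reach `surface`."""
    now = time.time() if now is None else now
    if surface not in ROUTE_GROUPS:
        return Decision(403, f"unknown surface {surface!r}")  # no allow-list, no access
    if not claims:
        return Decision(401, "no session")
    if claims.get("iss") != EXPECTED_ISSUER:
        return Decision(401, "issuer mismatch")
    aud = claims.get("aud")
    aud = set(aud) if isinstance(aud, list) else {aud}
    if EXPECTED_AUDIENCE not in aud:
        return Decision(401, "audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return Decision(401, "token expired")
    groups = set(claims.get("groups", []))
    if groups & ROUTE_GROUPS[surface]:
        return Decision(200, "ok")
    return Decision(403, f"no group grants {surface}")


def issuer_drift(discovery: dict, cert_issuer: str) -> list[str]:
    """Return drift findings for an OIDC discovery document and TLS cert issuer DN.

    Endpoints are expected under the issuer URL, which matches Keycloak's
    realm layout (an assumption, not an OIDC requirement).
    """
    findings = []
    if discovery.get("issuer") != EXPECTED_ISSUER:
        findings.append(f"oidc issuer is {discovery.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = discovery.get(key, "")
        if not url.startswith("https://"):
            findings.append(f"{key} not https: {url!r}")
        elif not url.startswith(EXPECTED_ISSUER):
            findings.append(f"{key} outside issuer: {url!r}")
    if "Let's Encrypt" not in cert_issuer:
        findings.append(f"tls issuer is {cert_issuer!r}")
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": ["platform-gateway"],
    "exp": SAMPLE_NOW + 3600,
    "sub": "user-1",
    "groups": ["/platform/docs-editors"],
}
SAMPLE_DISCOVERY = {
    "issuer": EXPECTED_ISSUER,
    "authorization_endpoint": EXPECTED_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": EXPECTED_ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": EXPECTED_ISSUER + "/protocol/openid-connect/certs",
}

if __name__ == "__main__":
    for surface in ROUTE_GROUPS:
        print(surface, authorize(SAMPLE_CLAIMS, surface, now=SAMPLE_NOW))
    print(issuer_drift(SAMPLE_DISCOVERY, "C=US, O=Let's Encrypt, CN=R3"))
```

The decision function distinguishes 401 (no usable session: missing, wrong issuer or audience, expired) from 403 (valid session, group not on the surface's allow-list), which is what a forward-auth middleware needs in order to redirect unauthenticated users to the IdP while refusing authenticated ones outright. The drift check is the kind of comparison a periodic script can run against the live discovery endpoint and certificate chain.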

Next actions

Identity rollout milestones

We stage identity alongside the MCP gateway so automations and humans share the same login posture.

  • Enable the idp compose profile and connect Keycloak to the production Postgres.
  • Wire group claims into the admin portal, docs MCP, and future automation toolchains.
  • Publish onboarding steps inside the docs portal, mirroring progress on social updates.