Pre-beta identity provider

Cairn Identity

A small, auditable OIDC provider focused on strict protocol behavior, tenant isolation, and operator evidence.

Release evidence
  1. Source hygiene: CI-gated
  2. Dependency policy: CI-gated locally; release receipt required
  3. Rust quality: CI-gated
  4. Frontend quality: CI-gated
  5. Database migrations: CI-gated
  6. Containers: CI-gated
  7. Deployed OIDC metadata: Pending external evidence
  8. OpenID conformance: Pending external evidence
  9. Browser origin defense: Pending external evidence
  10. Security headers: Pending external evidence
  11. SCIM provisioning: Pending external evidence
  12. Email delivery: Pending external evidence
  13. Restore drill: Pending external evidence
  14. Key operations: Pending external evidence
  15. Emergency access: Pending external evidence
  16. Audit operations: Pending external evidence
  17. Final release evidence: Pending external evidence

Readiness boundary

Use the release gates before relying on CairnID for real authentication flows.

The current docs show 11 gate states pending external evidence and 6 local or CI-gated states. OpenID Foundation conformance evidence is still required.

Protocol scope

Strict OIDC core, deliberately narrow.

The launch surface is for engineers and reviewers who need to inspect what exists, what is excluded, and what evidence remains before beta.

Implemented endpoints

  • Discovery and JWKS
  • Authorization Code with PKCE
  • Token, UserInfo, introspection, and revocation
  • RP-initiated logout

Hard boundaries

  • Exact redirect URI matching
  • No implicit, hybrid, or password grants
  • Opaque access tokens stored as hashes
  • Client-bound code and refresh-token exchange
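The following is an added illustration, not CairnID's own code, of the boundary checks listed above together with the PKCE check from the implemented-endpoints list: exact string comparison of the redirect URI, a single-use authorization code bound to the client, the redirect URI and the PKCE verifier, and opaque access tokens that are stored and looked up only by their SHA-256 digest. The `Client`, `AuthCode` and `Provider` names, the in-memory stores, and the choice of SHA-256 as the storage digest are assumptions made for this example and are not taken from CairnID.

```python
"""Added example of strict OIDC boundary checks; hypothetical model, not CairnID code."""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    # Registered redirect URIs kept as exact strings (assumption for this example).
    redirect_uris: FrozenSet[str]


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    code_challenge: str
    subject: str
    used: bool = False


def redirect_uri_allowed(client: Client, requested: str) -> bool:
    """Exact match only: no prefix, wildcard, case-folding or path normalisation.

    A trailing slash, an added query string or a different host case all fail,
    which is what closes the open-redirect class of code-interception bugs."""
    return requested in client.redirect_uris


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_hash(token: str) -> str:
    """Storage key for an opaque token; the plaintext is never persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class Provider:
    """Minimal in-memory authorization/token/introspection core (assumed design)."""

    def __init__(self) -> None:
        self._codes: Dict[str, AuthCode] = {}         # keyed by token_hash(code)
        self._access: Dict[str, Dict[str, str]] = {}  # keyed by token_hash(access_token)

    def authorize(self, client: Client, redirect_uri: str,
                  code_challenge: str, subject: str) -> Optional[str]:
        """Authorization step: an unregistered redirect URI is refused, never redirected to."""
        if not redirect_uri_allowed(client, redirect_uri):
            return None
        code = secrets.token_urlsafe(32)
        self._codes[token_hash(code)] = AuthCode(client.client_id, redirect_uri,
                                                 code_challenge, subject)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str,
              code_verifier: str) -> Optional[str]:
        """Token step: the code is single-use and bound to client, redirect URI and verifier."""
        rec = self._codes.get(token_hash(code))
        if rec is None or rec.used:
            return None
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return None
        if not secrets.compare_digest(pkce_challenge(code_verifier), rec.code_challenge):
            return None
        rec.used = True
        access_token = secrets.token_urlsafe(32)
        self._access[token_hash(access_token)] = {"client_id": client_id, "sub": rec.subject}
        return access_token

    def introspect(self, access_token: str) -> Optional[Dict[str, str]]:
        """Lookup by digest: a dump of the store yields hashes, not usable bearer tokens."""
        return self._access.get(token_hash(access_token))

    def stored_plaintext(self, access_token: str) -> bool:
        """True only if the raw token itself were used as a storage key (it is not)."""
        return access_token in self._access


if __name__ == "__main__":
    app = Client("app", frozenset({"https://app.example/cb"}))
    provider = Provider()
    verifier = secrets.token_urlsafe(32)
    code = provider.authorize(app, "https://app.example/cb", pkce_challenge(verifier), "alice")
    print("introspection:", provider.introspect(
        provider.token(code, "app", "https://app.example/cb", verifier)))
```

The PKCE test vector used in the check below is the one from RFC 7636 Appendix B. The point of `redirect_uri_allowed` is what it deliberately does not do: any normalisation or pattern matching widens the set of URIs an authorization code can be sent to, and `introspect` shows why hashed storage matters, since the store never holds a value that could be replayed as a bearer token.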

Operator controls

  • Signing-key and KEK operations
  • Preflight and release-evidence commands
  • Backup, restore, audit export, and drills
  • Read-only release-evidence MCP tools

Product surface

  • Organization-scoped admin model
  • TOTP, passkeys, and recovery codes
  • Account lifecycle email workflow
  • Bounded SCIM 2.0 subset

Evidence stack

Release gates from repository documentation.

The site parses the release-gate Markdown table at build time, so the public page follows the same evidence contract as the docs collection.

| Gate | Evidence | Status |
|---|---|---|
| Source hygiene | bun run check:public-surface passes | CI-gated |
| Dependency policy | cargo deny check, cargo audit, bun run audit, and cairn-api operations dependency-policy-evidence pass | CI-gated locally; release receipt required |
| Rust quality | cargo fmt, cargo check, cargo test, and cargo clippy -D warnings pass | CI-gated |
| Frontend quality | bun run check, bun run test, bun run build, and bun run test:e2e pass | CI-gated |
| Database migrations | Postgres 17 migration tests pass against a disposable database | CI-gated |
| Containers | Compose validates, API image builds, web image builds, and image-level smoke checks pass | CI-gated |
| Deployed OIDC metadata | cairn-api operations oidc-metadata-smoke passes against the HTTPS API origin | Pending external evidence |
| OpenID conformance | Config OP and Basic OP suite runs pass using generated static registration/config artifacts | Pending external evidence |
| Browser origin defense | cairn-api operations browser-origin-smoke passes against the HTTPS API origin | Pending external evidence |
| Security headers | cairn-api operations security-headers-smoke passes against HTTPS API and web origins | Pending external evidence |
| SCIM provisioning | Built-in SCIM smoke and token-free Okta/Entra connector summaries pass | Pending external evidence |
| Email delivery | Provider smoke and lifecycle email smoke pass through the configured production command provider | Pending external evidence |
| Restore drill | cairn-api operations restore-check passes against a restored database | Pending external evidence |
| Key operations | Signing-key rotation and KEK re-encryption receipts pass evidence validation | Pending external evidence |
| Emergency access | Break-glass admin recovery drill passes and records audit evidence | Pending external evidence |
| Audit operations | NDJSON archive and retention purge receipts pass evidence validation | Pending external evidence |
| Final release evidence | cairn-api operations evidence-check <evidence-dir> passes with fresh artifacts and no unexpected files | Pending external evidence |
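The paragraph above says the public page is built by parsing the release-gate Markdown table, so the page and the docs cannot disagree. The following is an added example of how such a build-time parse and status tally can be written, not the site's own code. It assumes a three-column GFM table with the header "Gate | Evidence | Status" and that a status outside the two forms seen on this page ("CI-gated", optionally qualified as "locally; release receipt required", and "Pending external evidence") is a contract violation that should fail the build; the embedded sample table is constructed from the rows shown on this page.

```python
"""Added example: parse a release-gate Markdown table and tally gate states."""
import re
from typing import Dict, List

# Assumed column layout: Gate | Evidence | Status.
COLUMNS = ("gate", "evidence", "status")
# Assumed evidence contract: only these status forms are permitted.
ALLOWED_STATUS = re.compile(
    r"^(CI-gated(?: locally; release receipt required)?|Pending external evidence)$"
)

# Constructed sample, transcribed from the gate table shown on this page.
SAMPLE_TABLE = """
| Gate | Evidence | Status |
|---|---|---|
| Source hygiene | bun run check:public-surface passes | CI-gated |
| Dependency policy | cargo deny check, cargo audit, bun run audit, and cairn-api operations dependency-policy-evidence pass | CI-gated locally; release receipt required |
| Rust quality | cargo fmt, cargo check, cargo test, and cargo clippy -D warnings pass | CI-gated |
| Frontend quality | bun run check, bun run test, bun run build, and bun run test:e2e pass | CI-gated |
| Database migrations | Postgres 17 migration tests pass against a disposable database | CI-gated |
| Containers | Compose validates, API image builds, web image builds, and image-level smoke checks pass | CI-gated |
| Deployed OIDC metadata | cairn-api operations oidc-metadata-smoke passes against the HTTPS API origin | Pending external evidence |
| OpenID conformance | Config OP and Basic OP suite runs pass using generated static registration/config artifacts | Pending external evidence |
| Browser origin defense | cairn-api operations browser-origin-smoke passes against the HTTPS API origin | Pending external evidence |
| Security headers | cairn-api operations security-headers-smoke passes against HTTPS API and web origins | Pending external evidence |
| SCIM provisioning | Built-in SCIM smoke and token-free Okta/Entra connector summaries pass | Pending external evidence |
| Email delivery | Provider smoke and lifecycle email smoke pass through the configured production command provider | Pending external evidence |
| Restore drill | cairn-api operations restore-check passes against a restored database | Pending external evidence |
| Key operations | Signing-key rotation and KEK re-encryption receipts pass evidence validation | Pending external evidence |
| Emergency access | Break-glass admin recovery drill passes and records audit evidence | Pending external evidence |
| Audit operations | NDJSON archive and retention purge receipts pass evidence validation | Pending external evidence |
| Final release evidence | cairn-api operations evidence-check <evidence-dir> passes with fresh artifacts and no unexpected files | Pending external evidence |
"""


def parse_gate_table(markdown: str) -> List[Dict[str, str]]:
    """Return one dict per gate row; raise ValueError on any contract violation."""
    rows: List[Dict[str, str]] = []
    header_seen = False
    for raw in markdown.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # prose around the table is ignored
        cells = [c.strip() for c in line.strip("|").split("|")]
        if not header_seen:
            if [c.lower() for c in cells] != list(COLUMNS):
                raise ValueError(f"unexpected header: {cells}")
            header_seen = True
            continue
        if all(set(c) <= set(":-") for c in cells):
            continue  # GFM alignment row
        if len(cells) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} cells, got {cells}")
        row = dict(zip(COLUMNS, cells))
        if not ALLOWED_STATUS.match(row["status"]):
            raise ValueError(f"status outside evidence contract: {row['status']!r}")
        rows.append(row)
    if not header_seen:
        raise ValueError("no gate table found")
    return rows


def summarize(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally pending versus local/CI-gated gates, the numbers a readiness page reports."""
    pending = sum(1 for r in rows if r["status"].startswith("Pending"))
    return {"total": len(rows), "pending_external": pending,
            "local_or_ci_gated": len(rows) - pending}


if __name__ == "__main__":
    print(summarize(parse_gate_table(SAMPLE_TABLE)))
```

Failing the build on an unrecognised status (rather than rendering it verbatim) is the design choice worth copying: it keeps the public page from quietly presenting a new or misspelled status as if it were part of the evidence contract. Run against the sample, the tally matches the readiness statement on this page: 11 gates pending external evidence and 6 local or CI-gated.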

Documentation

Docs are typed Astro collection entries.

Each page carries validated title, description, category, order, and source metadata before it is rendered into the static site.

Start

  • Documentation: Start here for CairnID architecture, API, deployment, operations, and release gates.
  • Architecture: Runtime components, crate boundaries, API modules, storage, and deployment flow.

Reference

  • API: Implemented HTTP, OIDC/OAuth, session, admin, MFA, account lifecycle, and SCIM APIs.

Operate

  • Deployment: Local Compose, container runtime, environment variables, and build notes.
  • Operations: Preflight, release evidence, backup, restore, key rotation, audit export, and drills.
  • MCP: Local stdio MCP server exposing read-only release-evidence tools.

Trust

  • Security Posture: Implemented controls, release evidence, gaps, and private reporting boundaries.
  • Release Gates: Required evidence before CairnID can be recommended for production use.
  • Threat Model: Assets, trust boundaries, controls, invariants, and residual risks.
  • Dependency Policy: Dependency review, audit tooling, evidence receipts, and lockfile policy.
  • Product Security Policy: Product/runtime supported versions, vulnerability reporting, triage targets, and disclosure handling.

Product

  • MFA: TOTP, WebAuthn, recovery codes, session elevation, and MFA evidence.
  • Account Lifecycle: Invitations, email verification, password recovery, notifications, and outbox delivery.
  • SCIM: SCIM 2.0 provisioning subset, token rotation, smoke tests, and connector evidence.

Protocol

Project

  • Changelog: Notable changes and release history for CairnID.
  • Product Support Policy: Product/runtime support scope for usage questions, bug reports, and security reports.
  • Roadmap: Planned beta gates, future protocol coverage, and ongoing project constraints.

Local quick start

Use Bun for JavaScript checks and a linker-capable Rust environment for compile tests.

JavaScript checks

bun install --frozen-lockfile
bun run check:public-surface
bun run check
bun run test

API and release checks

cargo fmt --all -- --check
cargo check --workspace --locked
cargo test --workspace --locked
cargo clippy --workspace --all-targets --locked -- -D warnings

Static site

bun run check
bun run build

Rust compile and test commands require a local toolchain with a working linker. Browser automation is not part of this site workflow.

Security reporting

Keep vulnerability reports out of public issues.

Authentication, authorization, OIDC, session, CSRF, MFA, token, signing-key, cross-organization access, audit, deployment, and secret-handling reports belong in the private reporting path described by the security policy.

Open security policy