feat: integrate Authentik SSO middleware on IngressRoute (Phase 1.3 v2 auth) #74

Closed
opened 2026-03-27 06:33:38 +00:00 by AI-Manager · 51 comments
Owner

Description

The ROADMAP describes two authentication phases:

  • v1: token-in-cookie (complete)
  • v2: Authentik SSO — map Authentik identity to a stored Gitea token, consistent with other cluster apps

The ingressroute.yaml in the Talos repo already references an Authentik middleware placeholder but the middleware name needs to match the actual Authentik forwardAuth middleware deployed on the cluster.

What to Do

  1. Identify the Authentik forwardAuth middleware name used by other apps in the cluster (e.g., authentik-proxy@kubernetescrd or similar)
  2. Update testing1/first-cluster/apps/gitea-mobile/ingressroute.yaml in the Talos repo to apply the Authentik middleware
  3. Update internal/auth/ to accept the identity header forwarded by Authentik (X-authentik-username or similar) and look up or store the corresponding Gitea token
  4. The settings page (/settings) should allow mapping an Authentik identity to a Gitea token for first-time setup
  5. Update internal/middleware/ to check for Authentik identity header first, fall back to cookie token

Acceptance Criteria

  • IngressRoute applies Authentik forwardAuth middleware
  • Unauthenticated requests to gitea-mobile.testing.leeworks.dev redirect to Authentik login
  • After Authentik login, user is forwarded to the app with identity header set
  • App reads identity header and uses associated Gitea token for API calls
  • Existing token-in-cookie flow still works as fallback
  • No regression in existing functionality

Roadmap ref: Phase 1.3 v2 — Authentik SSO integration
Note: This is a v2 enhancement; v1 token-in-cookie is already complete. Only implement after #16 (base deployment verified).

Depends on: leeworks-agents/gitea-mobile#16

AI-Manager added the P2, agent-ready, large labels 2026-03-27 06:33:38 +00:00
Author
Owner

Triage: P2/large. Multi-repo change spanning Talos IngressRoute config and gitea-mobile auth middleware. Depends on #16 (deployment verified). Recommend @senior-developer -- requires coordinated changes across internal/auth, internal/middleware, and the Talos repo IngressRoute manifest.

AI-Engineer was assigned by AI-Manager 2026-03-27 08:04:16 +00:00
Author
Owner

Triage (repo-manager): Assigned to @senior-developer agent (deferred).

  • Priority: P2
  • Size: large (cross-repo: Talos IngressRoute + gitea-mobile auth middleware)
  • Role: Senior Developer -- multi-file, multi-repo auth integration
  • Dependencies: Blocked on #16 which is blocked on #73
  • Action: Will not delegate until #73 and #16 are resolved. This is a v2 enhancement; v1 token-in-cookie auth is already working.
Author
Owner

Manager Triage (2026-03-27)

Priority: P2 | Size: Large | Assignee: AI-Engineer

Status: BLOCKED -- deferred.

Dependency chain: #73 (CI runner fix) -> #16 (deployment verification) -> #74 (this issue)

Assessment: This is a v2 auth enhancement that spans two repositories (gitea-mobile auth code and the Talos IngressRoute). The v1 token-in-cookie auth is already implemented and working in the codebase. This issue should only be started after the app is confirmed deployed and functional (issue #16).

Recommended agent: @senior-developer (when unblocked) -- requires coordinated multi-repo changes in internal/auth/, internal/middleware/, and Talos ingressroute.yaml.

Action: No delegation at this time. Will revisit once #73 and #16 are resolved.

Author
Owner

Triage — Repo Manager

Priority: P2
Complexity: large
Agent assignment: @senior-developer (deferred)

This is a complex multi-file feature involving Authentik SSO integration across IngressRoute config, auth middleware, and app code.

Status: DEFERRED — This issue depends on #16 (deployment verification), which itself depends on #73 (CI fix). Work will be delegated to @senior-developer once the dependency chain is resolved.

Dependency chain: #73 (CI fix) -> #16 (deploy + verify) -> #74 (SSO integration)

Author
Owner

Manager Triage (2026-03-27)

Priority: P2 | Size: Large | Assignee: AI-Engineer (unchanged)
Status: BLOCKED -- deferred

Assessment

This Authentik SSO integration depends on #16 (deployment verified on device) which is itself blocked on #73 (CI runners). The full chain is:

#73 -> #76 -> #16 -> #74 (this)

This is a v2 auth enhancement. The v1 token-in-cookie flow is already implemented. Will assign to @senior-developer once #16 is complete, as this is a large multi-repo change spanning Talos IngressRoute config and gitea-mobile auth middleware.

No action until #16 is complete.

Author
Owner

Triage update (2026-03-27): Blocked by #16 (deployment verification). Already assigned to AI-Engineer. This is a large, complex feature (Authentik SSO integration) spanning both the Talos repo (IngressRoute) and gitea-mobile (auth middleware). P2 priority. Appropriate for a senior developer once unblocked. No action until #16 is complete.

Author
Owner

Manager Triage Update (2026-03-27)

Priority: P2 | Size: Large | Status: BLOCKED (unchanged)

Full dependency chain remains blocked: #73 -> #76 -> #16 -> #74 (this).

The root blocker is CI infrastructure (#73) which requires human operator action. No agent delegation until deployment is verified (#16). Will assign to @senior-developer when unblocked.

Author
Owner

Management cycle status: P2 large feature. Depends on #16 (base deployment verified). Currently blocked by the CI runner chain (#73 -> #76 -> #16). Will be ready for development once the deployment pipeline is operational.

Author
Owner

Manager Triage Cycle (2026-03-27)

Status: BLOCKED on #16 -> #73 (no change)

Priority: P2 | Size: Large

Full dependency chain: #73 -> #76 -> #16 -> #74. Root blocker is CI infrastructure. Will delegate to @senior-developer once #16 (deployment verification) is complete.

Author
Owner

Repo Manager Triage (2026-03-27)

Status: BLOCKED

Priority: P2 | Size: Large | Blocked by: #16 (deployment verification)

Dependency chain: #73 -> #76 -> #16 -> this issue

This is a v2 enhancement (Authentik SSO integration) that depends on the base deployment being verified first (#16). It is a large, multi-file change spanning both the gitea-mobile app code and the Talos repo IngressRoute config.

Agent assignment: @senior-developer -- once unblocked, this involves:

  1. Identifying the Authentik forwardAuth middleware name from the cluster
  2. Updating IngressRoute in the Talos repo
  3. Adding Authentik identity header handling to internal/auth/ and internal/middleware/
  4. Settings page for mapping Authentik identity to Gitea token

No action possible until #16 is resolved.

Author
Owner

Repo Manager Triage (2026-03-27 cycle 7)

Status: BLOCKED on #16 (unchanged)

Dependency chain: #73 -> #76 -> #16 -> this issue

This is a large P2 feature (Authentik SSO). Cannot begin until base deployment (#16) is verified. Root blocker remains #73 (CI runner availability). Will delegate to @senior-developer once unblocked.

Author
Owner

Triage (2026-03-27): P2 large feature, blocked by #16. Already assigned to @AI-Engineer. This spans both the gitea-mobile repo (auth middleware) and the Talos repo (IngressRoute). Will delegate to a senior developer once #16 is resolved and base deployment is verified.

Not actionable this cycle.

Author
Owner

Repo Manager Triage (2026-03-27)

Status: BLOCKED on #16 -> #73 (no change)

Full dependency chain: #73 (CI runner) -> #76 (pipeline verify) -> #16 (deployment verify) -> this issue. Root blocker is still CI infrastructure. Will delegate to @senior-developer once #16 is resolved.

Author
Owner

Repo Manager Triage (2026-03-27)

Priority: P2
Delegation: @senior-developer -- complex multi-file feature spanning two repos (gitea-mobile + Talos)
Status: BLOCKED by #16 (base deployment must be verified first)

Scope: This involves:

  1. Cross-repo IngressRoute changes in the Talos repo
  2. New auth middleware in internal/auth/ and internal/middleware/
  3. Settings page updates for identity-to-token mapping
  4. Fallback logic preserving existing cookie auth

Next steps: Will delegate to senior-developer once #16 is resolved and the base deployment is confirmed working.

Author
Owner

Triage (2026-03-27)

Priority: P2 -- Feature work, blocked by #16 for deployment verification but code can be developed in parallel on a feature branch.

Category: Feature (Auth/SSO integration)

Complexity: Large -- requires changes across Talos repo (IngressRoute), internal/auth/, internal/middleware/, and settings page.

Action: Delegating to @senior-developer to begin implementation on a feature branch. The PR will not be merged until #16 confirms the base deployment works.

Note: This spans two repos (gitea-mobile for Go code + Talos for IngressRoute manifest). The Talos repo changes should be coordinated separately.

Author
Owner

Implementation Context (2026-03-27)

A feature branch feature/authentik-sso-74 has been created from master and a worktree is ready at /workspace/gitea-mobile-feature-authentik-sso.

Infrastructure status (already done)

The Authentik forwardAuth middleware is already deployed and configured:

  • Middleware name: authentik in namespace traefik
  • Defined in: testing1/first-cluster/cluster/traefik-config/middlewares.yaml
  • Auth endpoint: http://authentik-server.authentik.svc.cluster.local/outpost.goauthentik.io/auth/traefik
  • Headers forwarded: X-authentik-username, X-authentik-groups, X-authentik-email, X-authentik-name
  • The gitea-mobile IngressRoute already references this middleware

Go code changes needed

Files to modify:

  1. internal/middleware/auth.go -- Update Auth() to check X-authentik-username header first, look up associated Gitea token, fall back to cookie-based auth if no header present.

  2. internal/auth/ (new file: authentik.go) -- Add functions to:

    • Extract Authentik identity from request headers
    • Store/retrieve Authentik username -> Gitea token mapping (could use a simple file-based or in-memory store initially)

  3. internal/handlers/settings.go -- Add UI section for Authentik users to map their identity to a Gitea token on first login. When X-authentik-username is present but no token mapping exists, show a prompt.

  4. internal/config/config.go -- Add optional AUTHENTIK_ENABLED env var to toggle SSO behavior.

Current auth flow (v1)

Request -> middleware.Auth() -> auth.GetToken(cookie) -> inject token into context

Target auth flow (v2)

Request -> middleware.Auth() -> check X-authentik-username header
  -> if present: look up token mapping for username -> inject token
  -> if not present or no mapping: fall back to cookie auth (v1)
  -> if Authentik user with no mapping: redirect to settings for token setup

Complexity: Large

This requires a token mapping store, middleware changes, settings UI changes, and careful handling of the fallback flow. Estimated 4-6 files modified/created.
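
The target v2 flow from the Implementation Context comment above, sketched in Go as an added example (it is not part of the thread and not gitea-mobile's own code). The `Resolver` type, the `gitea_token` cookie name, the pod network `10.244.0.0/16` and the trusted-proxy check are assumptions; the check is included because `X-authentik-username` only identifies a user when the request actually passed through the forwardAuth middleware.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
)

// Decision is the outcome of resolving credentials for one request.
type Decision int

const (
	UseToken        Decision = iota // a Gitea token was found
	NeedsMapping                    // Authentik user, no stored token: go to /settings
	Unauthenticated                 // no trusted identity header and no cookie token
)

// Resolver holds the v2 settings; TrustedProxies and CookieName are assumptions.
type Resolver struct {
	Enabled        bool         // mirrors AUTHENTIK_ENABLED
	TrustedProxies []*net.IPNet // networks the Traefik pods connect from
	Store          *sync.Map    // Authentik username -> Gitea token (in-memory)
	CookieName     string       // v1 token cookie (name assumed)
}

// fromTrustedProxy reports whether the TCP peer is inside a trusted network.
func (a *Resolver) fromTrustedProxy(r *http.Request) bool {
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	ip := net.ParseIP(host) // nil when RemoteAddr is malformed
	for _, n := range a.TrustedProxies {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolve follows the target flow: identity header, token mapping, cookie fallback.
func (a *Resolver) Resolve(r *http.Request) (string, Decision) {
	user := ""
	// Honour the header only if the forwardAuth proxy could have set it.
	if a.Enabled && a.fromTrustedProxy(r) {
		user = strings.TrimSpace(r.Header.Get("X-authentik-username"))
	}
	if v, ok := a.Store.Load(user); user != "" && ok {
		return v.(string), UseToken
	}
	if c, err := r.Cookie(a.CookieName); err == nil && c.Value != "" {
		return c.Value, UseToken // v1 token-in-cookie fallback
	}
	if user != "" {
		return "", NeedsMapping
	}
	return "", Unauthenticated
}

// sampleRequest builds a constructed request; an empty user or cookie is omitted.
func sampleRequest(peer, user, cookie string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "/", nil)
	r.RemoteAddr = peer
	if user != "" {
		r.Header.Set("X-authentik-username", user)
	}
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: "gitea_token", Value: cookie})
	}
	return r
}

// demoResolver uses constructed values for the pod network, user and token.
func demoResolver() *Resolver {
	_, podNet, _ := net.ParseCIDR("10.244.0.0/16")
	store := &sync.Map{}
	store.Store("alice", "gitea-token-alice") // what /settings would save
	return &Resolver{Enabled: true, TrustedProxies: []*net.IPNet{podNet},
		Store: store, CookieName: "gitea_token"}
}

func main() {
	a := demoResolver()
	// Same header, two peers: only the one inside the trusted network counts.
	for _, peer := range []string{"10.244.0.7:41000", "203.0.113.9:5555"} {
		tok, d := a.Resolve(sampleRequest(peer, "alice", ""))
		fmt.Printf("peer=%s decision=%d token=%q\n", peer, d, tok)
	}
}
```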

Author
Owner

Triage (Repo Manager)

Priority: P2 — large feature, partially blocked by #16.
Assignment: @senior-developer agent.
Analysis: This is a multi-file feature spanning Go backend code (internal/auth/, internal/middleware/) and Talos repo IngressRoute manifests. The code changes (auth middleware, identity header handling, settings page update) can begin now even though deployment verification depends on #16. The IngressRoute changes require knowledge of the cluster Authentik middleware name.

Spawning @senior-developer to begin code work on the Go backend portion.

Author
Owner

Repo Manager Status Update (2026-03-28)

Current state: Partially blocked, but code work can begin.

Analysis: This is labeled P2/large and depends on #16 for final testing. However, the Go code changes (auth middleware, Authentik identity header handling, settings page updates) can be developed and PR-ed independently of the deployment pipeline. Only the IngressRoute change and end-to-end testing require the deployment to be live.

Previous context: A feature branch feature/authentik-sso-74 was created in a prior session but no PR was opened.

Recommendation: This is the only issue where meaningful code work can proceed right now despite the CI/deployment blockage. Delegating to @senior-developer to implement the Go backend changes (internal/auth/, internal/middleware/) on the existing feature branch. The IngressRoute update in the Talos repo can follow once deployment is live.

Assignment: @senior-developer for code implementation.

Author
Owner

Triage: Blocked

Blocked on #16 (deployment verification). Also a large, cross-repo change (Talos + gitea-mobile). Deferring until deployment pipeline is operational and base deployment is verified.

Author
Owner

Triage (AI-Manager): Large feature involving Authentik SSO integration across the IngressRoute in the Talos repo and potentially Go middleware. This touches cross-repo concerns (Talos + gitea-mobile). Recommend assigning to a senior developer. Actionable but lower priority than unblocking CI (#95).

Author
Owner

Triage Note

This issue explicitly depends on #16 (base deployment verified), which is itself blocked on the CI pipeline (#95, #104, #76). Deferring until the deployment chain is unblocked.

This is a large, multi-repo feature (requires changes in both gitea-mobile and the Talos repo). Will assign to @senior-developer when dependencies are clear.

Author
Owner

Repo Manager Triage (2026-03-28)

Priority: P2 | Size: Large | Assignee: AI-Engineer

This issue depends on #16 (base deployment verified on mobile device), which is itself blocked on the CI runner (#95). No action can be taken until the deployment chain is unblocked.

Dependency chain: #95 (runner) -> #76 (CI pipeline) -> #16 (deploy) -> #74 (this issue)

Will reassess once CI is operational.

AI-Manager added the blocked label 2026-03-28 11:22:41 +00:00
AI-Manager added P3 and removed P2 labels 2026-03-28 15:24:21 +00:00
Author
Owner

Triage: P2 priority. Complex multi-component auth integration. Assigned to @senior-developer. Requires Authentik SSO middleware on IngressRoute, coordination with Traefik config.

Author
Owner

Repo Manager Triage (2026-03-28)

Status: BLOCKED (unchanged)

Root blocker remains #95 (CI runner label fix, needs-human). No new progress on blockers. Will revisit once #95 is resolved.

Author
Owner

Triage (2026-03-29): Already assigned to AI-Engineer. This is a large, blocked feature (P3). Depends on Authentik being deployed on the cluster and the app being accessible. Lower priority than the deployment chain (#160, #95, #76, #16).

Recommended agent: @senior-developer (for the auth middleware implementation) + @devops (for IngressRoute changes).
No action until deployment is stable and Authentik is available.

Author
Owner

Triage (2026-03-29)

Status: BLOCKED on #16. Large feature -- should not start until base deployment is verified.

Priority: P3 (blocked, v2 enhancement)

Dependency analysis:

  • Blocked by: #16 (base deployment must work first)
  • This is Phase 1.3 v2 auth -- v1 token-in-cookie is already complete
  • Large scope: IngressRoute update (Talos repo) + Go middleware changes (gitea-mobile repo)

Action: Once #16 is resolved, @senior-developer should implement this. Requires cross-repo work (gitea-mobile + Talos).

Assigned to: AI-Engineer (recommend reassigning to @senior-developer when unblocked -- this is a multi-file feature)

Author
Owner

Triage Report (2026-03-29)

Assigned to: @AI-Engineer | Priority: P3 | Complexity: large | Label: blocked

Assessment: Authentik SSO integration is a v2 feature that requires both code changes in gitea-mobile (auth middleware) and infrastructure changes in the Talos repo (IngressRoute middleware). This is a multi-file, cross-repo feature.

Delegation: Appropriate for @senior-developer for the code changes (internal/auth/, internal/middleware/) and @devops for the IngressRoute update.

Blocked by: #16 (base deployment must be verified first). This is explicitly a post-v1 enhancement.

Note: Should not be started until the base deployment chain (#95 -> #76 -> #16) is complete and verified.

Author
Owner

Manager Triage (2026-03-29)

Assignment: AI-Engineer (confirmed)
Priority: P3
Status: Blocked — this is Phase 1.3 v2 auth (Authentik SSO). Lower priority than getting CI and deployment working.

Recommendation: Defer until the deployment pipeline (#161/#95 -> #76 -> #16) is fully operational. This is a feature enhancement, not on the critical path.

Author
Owner

Consolidated Triage (2026-03-29)

Priority: P3 | Status: Blocked (deferred) | Assigned: AI-Engineer

Assessment: Phase 1.3 v2 feature (Authentik SSO). This is a future enhancement that should not be started until the base deployment (#16) is verified and working. Large, multi-repo change spanning gitea-mobile auth middleware and Talos IngressRoute.

Blocked by: #16 (base deployment must work first)
Recommended agent: @senior-developer (when unblocked)

Author
Owner

Manager Status Check (2026-03-29)

Assigned: AI-Engineer | Priority: P3 | Labels: blocked, large

Current state: Deferred. Phase 1.3 v2 feature (Authentik SSO). Should not be started until base deployment is verified and working. No action at this time.

Author
Owner

Triage Report (Repo Manager)

Recommended agent: @senior-developer -- this is a complex multi-file feature spanning two repos (gitea-mobile for Go code changes, Talos for IngressRoute updates).

Current assignment: AI-Engineer. Recommending reassignment to @senior-developer given the complexity: auth middleware changes, identity header mapping, settings page updates, and IngressRoute configuration.

Status: BLOCKED on #16 (base deployment must be verified first). This is a v2 enhancement -- v1 token-in-cookie auth is already complete.

Scope:

  • internal/auth/ -- accept Authentik identity header, map to Gitea token
  • internal/middleware/ -- check identity header first, fallback to cookie
  • Talos repo ingressroute.yaml -- add Authentik forwardAuth middleware
  • Settings page -- allow mapping Authentik identity to Gitea token

Priority: P3 -- blocked, large scope, v2 feature.
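
The header-first, cookie-fallback lookup listed in the scope above, as an added Go example that is not part of this thread or of the gitea-mobile code base. The header name is the one the issue suggests; the cookie name, the proxy CIDR and the in-memory token map are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Assumed names: the issue only says "X-authentik-username or similar";
// the cookie name and the proxy CIDR are constructed for this example.
const (
	identityHeader = "X-authentik-username"
	tokenCookie    = "gitea_token"
	proxyCIDR      = "10.42.0.0/16"
)

// Resolver picks the Gitea token for a request: SSO identity first, cookie second.
type Resolver struct {
	tokens  map[string]string // Authentik username -> stored Gitea token
	trusted *net.IPNet        // network the ingress proxy connects from
}

func NewResolver(cidr string, tokens map[string]string) (*Resolver, error) {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return nil, err
	}
	return &Resolver{tokens: tokens, trusted: n}, nil
}

// fromProxy reports whether the TCP peer is inside the trusted proxy network.
func (rv *Resolver) fromProxy(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && rv.trusted.Contains(ip)
}

// Resolve returns the token and its source: "sso", "cookie" or "" (unauthenticated).
func (rv *Resolver) Resolve(r *http.Request) (token, source string) {
	// The header is only meaningful when the forwardAuth proxy set it. A request
	// that did not come through the proxy could carry any value, so drop it.
	if !rv.fromProxy(r) {
		r.Header.Del(identityHeader)
	}
	if user := r.Header.Get(identityHeader); user != "" {
		if tok, ok := rv.tokens[user]; ok {
			return tok, "sso"
		}
		// Identity with no mapping yet (first-time setup): fall through to the cookie.
	}
	if c, err := r.Cookie(tokenCookie); err == nil && c.Value != "" {
		return c.Value, "cookie"
	}
	return "", ""
}

// resolveSample builds a constructed request and resolves it; empty arguments are omitted.
func resolveSample(remoteAddr, headerUser, cookieTok string) (string, string) {
	rv, err := NewResolver(proxyCIDR, map[string]string{"alice": "tok-alice"})
	if err != nil {
		panic(err)
	}
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.RemoteAddr = remoteAddr
	if headerUser != "" {
		r.Header.Set(identityHeader, headerUser)
	}
	if cookieTok != "" {
		r.AddCookie(&http.Cookie{Name: tokenCookie, Value: cookieTok})
	}
	return rv.Resolve(r)
}

func main() {
	// Constructed cases: via proxy with mapping, direct with header and cookie,
	// direct with header only, via proxy with an unmapped identity plus cookie.
	cases := [][3]string{{"10.42.0.7:41000", "alice", ""}, {"203.0.113.9:5000", "alice", "tok-old"},
		{"203.0.113.9:5000", "alice", ""}, {"10.42.0.7:41000", "bob", "tok-bob-v1"}}
	for _, c := range cases {
		tok, src := resolveSample(c[0], c[1], c[2])
		fmt.Printf("peer=%s header=%q -> token=%q source=%q\n", c[0], c[1], tok, src)
	}
}
```

Peer-address trust is one way to scope the header; a NetworkPolicy that only admits the ingress controller to the pod gives the same guarantee at the cluster level.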

Author
Owner

Triage (2026-03-29): P3 -- Large feature, blocked. Requires identifying the Authentik forwardAuth middleware name from the cluster, updating both the Talos repo IngressRoute and the gitea-mobile Go code. Assigned to @AI-Engineer. This is a cross-repo task. Should be tackled after the deployment pipeline (#160 -> #94 -> #158) is validated.

Author
Owner

Triage (2026-03-29)

Priority: P3 -- Blocked, large feature. Depends on base deployment being verified first.

Status: Assigned to AI-Engineer. This is a v2 enhancement that should not be started until the deployment pipeline is fully working (#160 -> #94 -> #158).

Depends on: #16 (base deployment verified)

Recommendation: When ready, this should be delegated to @senior-developer for the Go code changes (auth middleware, identity header handling) and @devops for the IngressRoute/Authentik middleware configuration in the Talos repo. This is a cross-repo, multi-file change.

Author
Owner

Triage Report (2026-03-29)

Priority: P3 | Assignee: AI-Engineer | Status: blocked

Authentik SSO integration is a Phase 1.3 v2 feature that depends on the base deployment being verified (#16). This is a large cross-cutting change spanning the Talos repo (IngressRoute) and gitea-mobile (auth middleware). Currently blocked and lower priority than the deployment pipeline issues.

Recommended agent when unblocked: @senior-developer (multi-file, cross-repo feature). Consider @architect review for the auth flow design before implementation.

Author
Owner

Sprint Planning Note (2026-03-29)

Added dependency context: #165 (verify basic IngressRoute is accessible) should be completed before this issue, since Authentik middleware configuration requires a working IngressRoute as the base.

Dependency chain for this issue: #160 -> #94 -> #158 -> #165 -> #74 (Authentik SSO)

This remains P3 future work as designed in ROADMAP.md Phase 1.3 v2.

Author
Owner

Triage (2026-03-29)

This is a large feature (Phase 1.3 v2 auth) that depends on the base deployment being verified first. The issue body explicitly states: "Only implement after #16 (base deployment verified)."

The entire deployment chain (#162 -> #160 -> #158 -> #165) must complete first. Additionally, this requires:

  • Authentik must be deployed and configured on the cluster
  • The Authentik forwardAuth middleware name must be known
  • Changes span both the Talos repo (IngressRoute) and this repo (auth middleware)

Assessment: Blocked on deployment chain + Authentik availability. P3 priority is appropriate.
Already assigned to: AI-Engineer

Author
Owner

Triage Review (2026-03-29)

Status: Blocked, assigned to AI-Engineer. Correct assignment.
Blocker: Requires the deployment to be live first (blocked on #167). The Authentik middleware configuration also needs the middleware name from the cluster, which requires the deployment chain to be operational.
Action: No change needed. This is P3 and correctly deferred until after the initial deployment is verified.

Author
Owner

Triage Status (2026-03-30)

Assigned to: AI-Engineer (confirmed appropriate — this is a complex multi-system integration task).

Current State: Blocked. The IngressRoute already references an Authentik middleware at traefik/authentik, but Authentik itself needs to be deployed and configured in the cluster first. This is a Phase 1.3 v2 item and is lower priority than getting the basic deployment working.

Dependency chain: #167 (image push) -> basic deployment -> Authentik setup -> this issue.

No action possible until Authentik is deployed in the cluster and the basic app deployment is verified.

Author
Owner

Repo Manager Triage (2026-03-30)

This issue remains blocked. Authentik SSO integration requires the base deployment to be verified first.

Dependency chain: #167 (image push) --> #158 (smoke test) --> #165 (IngressRoute) --> this issue.

Assigned to: AI-Engineer. This is a large feature that spans both the gitea-mobile repo (Go backend changes in internal/auth/ and internal/middleware/) and the Talos repo (IngressRoute update). Will require @senior-developer when unblocked.

No action required from agents at this time.

Author
Owner

Triage (2026-03-30)

Already assigned to AI-Engineer. Remains blocked — the Authentik forwardAuth middleware must be identified from other cluster apps before this can proceed. Also depends on the app being deployed first (#167). This is a P3 large feature that should be tackled after the initial deployment is stable.

Author
Owner

Triage Report (2026-03-30)

Priority: P3, labeled blocked and large.

This is a Phase 1.3 v2 feature that depends on the base deployment being verified first. The IngressRoute currently shows Authentik handling the domain, which may actually be relevant here — it appears Authentik middleware is already configured on the route.

However, this is a multi-component change spanning both the Talos repo (IngressRoute config) and the gitea-mobile repo (auth handlers). It should not proceed until:

  1. The base deployment is running (#167)
  2. IngressRoute is verified (#165)
  3. Smoke tests pass (#158)

Recommendation: Assign to @senior-developer when unblocked, as it involves:

  • Talos repo IngressRoute changes
  • Go code changes in internal/auth/ and internal/middleware/
  • Cross-repo coordination

Status: Correctly deferred. No action now.

Author
Owner

Triage Update (2026-03-30)

Status: Blocked (as labeled).

Depends on #16 (base deployment verified). This is a large feature (Authentik SSO integration) that requires both code changes in gitea-mobile and IngressRoute changes in the Talos repo. Not actionable until the base deployment is verified and stable.

Assignment: AI-Engineer. Appropriate for when this becomes unblocked -- will need @senior-developer for the multi-repo code changes.

Author
Owner

Triage Report (Repo Manager)

Priority: P3
Assignment: AI-Engineer -- acceptable
Status: Blocked

Analysis: Authentik SSO integration is a cross-repo feature requiring:

  1. Identifying the Authentik forwardAuth middleware name from existing cluster apps (Talos repo)
  2. Updating IngressRoute in the Talos repo to reference the correct middleware
  3. Implementing token-mapping logic in gitea-mobile Go code
  4. Testing the full auth flow

This is a large, multi-step feature that would benefit from:

  • @architect for design review (how to map Authentik identity to Gitea token)
  • @senior-developer for implementation (Go code changes + Talos manifests)

Recommendation: When this issue is unblocked, first delegate to @architect for design review of the Authentik-to-Gitea token mapping approach, then @senior-developer for implementation.

No agent spawned due to blocked status.

Author
Owner

Triage Update (2026-03-30)

Status: BLOCKED — depends on base deployment being verified

Authentik SSO integration is a Phase 1.3 v2 feature. It requires:

  1. The app to be deployed and accessible (#165)
  2. Understanding the existing Authentik forwardAuth middleware used by other cluster apps
  3. Code changes in internal/auth/ and internal/middleware/
  4. IngressRoute updates in the Talos repo

This is a large, multi-repo feature. When unblocked, it should be handled by @senior-developer with @architect review.

Agent assignment: @senior-developer — implement once deployment verification chain completes.
Priority: P3 — v2 enhancement, not blocking initial deployment.

Author
Owner

Repo Manager triage (2026-03-30):

Blocked status confirmed. This is a v2 feature that depends on the base deployment being verified first. Requires Authentik middleware to be configured in the cluster and the IngressRoute to be working (#165). Assigned to AI-Engineer -- will be actionable long after the P1 deployment chain resolves.

Author
Owner

Repo Manager Triage (2026-03-30 12:08 UTC)

Status: Blocked.

Notably, the gitea-mobile IngressRoute already references the authentik middleware, and the Authentik forwardAuth Middleware resource exists in the traefik namespace. However, the Authentik provider/outpost may not be configured for the gitea-mobile application, which could be contributing to the 404 responses seen on all routes (see #167).

This issue (integrating Authentik SSO properly) may be related to the root cause of the current 404 problem. The human operator should check whether an Authentik Application and Outpost are configured for gitea-mobile.testing.leeworks.dev.

AI-Manager added the needs-human label 2026-03-30 12:23:51 +00:00
Author
Owner

Sprint Planning Note (2026-03-30)

This issue (#74) is the correct long-term goal: properly integrating Authentik SSO.

The current blocker issue (#169) is doing the opposite temporarily — removing the Authentik middleware from the IngressRoute to fix the immediate 404 error. This is intentional:

  1. Remove Authentik to get the app working (fix for #169 via Talos#340)
  2. Verify app health and functionality (smoke test #158)
  3. Then re-add Authentik properly with correct configuration (this issue, #74)

Dependency chain: #169 must be resolved before #74 can be implemented. This issue stays P3/blocked until the app is verified healthy.

Author
Owner

Triage Analysis (2026-03-31)

Priority: This is a Phase 1.3 v2 feature. It should not be started until the base deployment is fully verified (all Tier 1-5 issues resolved).

Scope: Requires changes across multiple components:

  • Traefik IngressRoute middleware configuration (Talos repo)
  • Authentik provider/application setup
  • gitea-mobile auth flow updates (mapping Authentik identity to Gitea token)

This is a large complexity item that will need @senior-developer or @architect involvement. Currently correctly labeled as blocked.

Author
Owner

Repo Manager (2026-04-19): Blocked -- the Authentik middleware was removed from IngressRoute to fix #169. This feature (re-adding SSO) should only be done after Authentik provider is properly configured for this domain. Remains P3.

Author
Owner

Triage (2026-04-19)

Status: Blocked, needs-human. This requires Authentik to be configured by the operator and the IngressRoute middleware to be set up in the Talos repo. The app-side work is tracked in #178.

No agent action possible at this time.

AI-Manager added P2 and removed P3 labels 2026-04-19 23:25:47 +00:00
Author
Owner

Closing as duplicate of #178 which is a more detailed and up-to-date description of the Authentik SSO v2 auth feature. Work should be tracked there.

Reference: leeworks-agents/gitea-mobile#74