Capabilities

Documentation Map

Overview
Quick Start
Installation
Configuration
Operations
Troubleshooting
Release Notes
Compatibility
Architecture
API Reference
Capabilities
OSS Inventory
Channel: stable
Source repo: JaddaHelpifyr/jhf-heddle

Capabilities

Stable External Capabilities

`keycloak-realm-runtime`

Title: Keycloak realm runtime and discovery
Stability: stable
Exposure: external
Primary API surface: GET /realms/helpifyr/.well-known/openid-configuration, compose.yaml (compose.yaml)

`identity-claim-language`

Title: Canonical identity claim language
Stability: stable
Exposure: external
Primary API surface: config/identity/claim-vocabulary.v2.yaml (config/identity/claim-vocabulary.v2.yaml), docs/TOKEN_CLAIM_CONTRACT.md (docs/TOKEN_CLAIM_CONTRACT.md)

`technical-principal-model`

Title: Canonical technical principal model for C1 automation
Stability: stable
Exposure: external
Primary API surface: config/identity/technical-principal-model.v1.yaml (config/identity/technical-principal-model.v1.yaml), scripts/validate-technical-principal-model.py (scripts/validate-technical-principal-model.py)

`fabric-authorized-claim-emission`

Title: Claim emission constrained to Fabric-authorized projection inputs
Stability: stable
Exposure: external
Primary API surface: config/identity/fabric-authorized-claim-emission.v1.yaml (config/identity/fabric-authorized-claim-emission.v1.yaml), scripts/validate-fabric-authorized-claim-emission.py (scripts/validate-fabric-authorized-claim-emission.py)

`session-refresh-revocation-posture`

Title: Deterministic session refresh and revocation fail-closed posture
Stability: stable
Exposure: external
Primary API surface: config/identity/session-refresh-revocation.v1.yaml (config/identity/session-refresh-revocation.v1.yaml), scripts/validate-session-refresh-revocation.py (scripts/validate-session-refresh-revocation.py)

`authoring-runtime-boundary-posture`

Title: No-business-role-authoring and no-direct-runtime-provisioning guardrails
Stability: stable
Exposure: external
Primary API surface: config/identity/authoring-runtime-boundary.v1.yaml (config/identity/authoring-runtime-boundary.v1.yaml), scripts/validate-authoring-runtime-boundary.py (scripts/validate-authoring-runtime-boundary.py)

`breakglass-lifecycle-expiry-posture`

Title: Breakglass principal lifecycle and expiry fail-closed posture
Stability: stable
Exposure: external
Primary API surface: config/identity/breakglass-lifecycle-expiry.v1.yaml (config/identity/breakglass-lifecycle-expiry.v1.yaml), scripts/validate-breakglass-lifecycle-expiry.py (scripts/validate-breakglass-lifecycle-expiry.py)

`bootstrap-lifecycle-deactivation-posture`

Title: Bootstrap principal lifecycle and deactivation fail-closed posture
Stability: stable
Exposure: external
Primary API surface: config/identity/bootstrap-lifecycle-deactivation.v1.yaml (config/identity/bootstrap-lifecycle-deactivation.v1.yaml), scripts/validate-bootstrap-lifecycle-deactivation.py (scripts/validate-bootstrap-lifecycle-deactivation.py)

`downstream-breakglass-projection-posture`

Title: Downstream claim posture for breakglass-eligible Fabric projections
Stability: stable
Exposure: external
Primary API surface: config/identity/downstream-breakglass-projection-posture.v1.yaml (config/identity/downstream-breakglass-projection-posture.v1.yaml), scripts/validate-downstream-breakglass-projection-posture.py (scripts/validate-downstream-breakglass-projection-posture.py)

`expiry-revocation-session-kill-posture`

Title: Deterministic revocation and session kill behavior after expiry
Stability: stable
Exposure: external
Primary API surface: config/identity/expiry-revocation-session-kill.v1.yaml (config/identity/expiry-revocation-session-kill.v1.yaml), scripts/validate-expiry-revocation-session-kill.py (scripts/validate-expiry-revocation-session-kill.py)

`disable-delete-fail-closed-posture`

Title: Stackwide fail-closed disable/delete principal posture
Stability: stable
Exposure: external
Primary API surface: config/identity/disable-delete-fail-closed.v1.yaml (config/identity/disable-delete-fail-closed.v1.yaml), scripts/validate-disable-delete-fail-closed.py (scripts/validate-disable-delete-fail-closed.py)

`superadmin-bootstrap-recovery-propagation`

Title: Superadmin bootstrap, recovery-only mode, and disable/delete session-kill propagation posture
Stability: stable
Exposure: external
Primary API surface: config/identity/superadmin-bootstrap-recovery-propagation.v1.yaml (config/identity/superadmin-bootstrap-recovery-propagation.v1.yaml), scripts/validate-superadmin-bootstrap-recovery.py (scripts/validate-superadmin-bootstrap-recovery.py), docs/SUPERADMIN_BOOTSTRAP_RECOVERY.md (docs/SUPERADMIN_BOOTSTRAP_RECOVERY.md)

`future-module-auth-onboarding`

Title: Canonical future-module auth onboarding and claim/profile extension posture
Stability: stable
Exposure: external
Primary API surface: config/identity/future-module-auth-onboarding.v1.yaml (config/identity/future-module-auth-onboarding.v1.yaml), config/clients/future-module-client-template.v1.yaml (config/clients/future-module-client-template.v1.yaml), scripts/validate-future-module-onboarding.py (scripts/validate-future-module-onboarding.py), docs/FUTURE_MODULE_ONBOARDING.md (docs/FUTURE_MODULE_ONBOARDING.md)

`oidc-client-bootstrap-contracts`

Title: Downstream OIDC bootstrap contracts
Stability: stable
Exposure: external
Primary API surface: config/clients (config/clients), docs/OIDC_SURFACES_AND_BOOTSTRAPS.md (docs/OIDC_SURFACES_AND_BOOTSTRAPS.md)

`vaultwarden-oidc-bootstrap-contract`

Title: Canonical Vaultwarden OIDC bootstrap contract and claim posture
Stability: stable
Exposure: external
Primary API surface: config/clients/vaultwarden-keystore-client-template.yaml (config/clients/vaultwarden-keystore-client-template.yaml), scripts/validate-vaultwarden-oidc-bootstrap.py (scripts/validate-vaultwarden-oidc-bootstrap.py), docs/VAULTWARDEN_OIDC_BOOTSTRAP.md (docs/VAULTWARDEN_OIDC_BOOTSTRAP.md)

`jhf-web-external-oidc-service-contract`

Title: External OIDC service-principal contract for jhf-web draft publish
Stability: stable
Exposure: external
Primary API surface: config/clients/jhf-web-blog-draft-service-client-template.yaml (config/clients/jhf-web-blog-draft-service-client-template.yaml), scripts/validate-jhf-web-blog-draft-oidc-contract.py (scripts/validate-jhf-web-blog-draft-oidc-contract.py), docs/JHF_WEB_OIDC_SERVICE_CONTRACT.md (docs/JHF_WEB_OIDC_SERVICE_CONTRACT.md)

`loom-oidc-bridge`

Title: Loom public OIDC bridge surface
Stability: stable
Exposure: external
Primary API surface: loom_oidc_bridge/app.py (loom_oidc_bridge/app.py), GET/POST /auth/oidc/*, GET /api/v1/auth/oidc/status

Stable Internal Capabilities

`fabric-combination-consumer`

Title: Read-only Fabric combination consumer posture
Stability: stable
Exposure: internal
Primary API surface: config/fabric/combination-readiness-consumer.yaml (config/fabric/combination-readiness-consumer.yaml), docs/FABRIC_COMBINATION_CONSUMER.md (docs/FABRIC_COMBINATION_CONSUMER.md)

`plane-unified-access-consumer`

Title: Read-only Plane unified-access consumer contract
Stability: stable
Exposure: internal
Primary API surface: config/fabric/plane-unified-access-consumer.yaml (config/fabric/plane-unified-access-consumer.yaml), docs/FABRIC_PLANE_UNIFIED_ACCESS_CONSUMER.md (docs/FABRIC_PLANE_UNIFIED_ACCESS_CONSUMER.md)

`agent-federation-read-api`

Title: Agent federation read API and preview
Stability: stable
Exposure: internal
Primary API surface: agent_reconcile_api/app.py (agent_reconcile_api/app.py), GET /api/v1/identity/agent-reconcile/*

`technical-sync-contract`

Title: Import-only technical sync consumer contract
Stability: stable
Exposure: internal
Primary API surface: config/sync/technical-sync-consumer-template.yaml (config/sync/technical-sync-consumer-template.yaml), scripts/validate-technical-sync-surface.py (scripts/validate-technical-sync-surface.py)

`realm-bootstrap-validation`

Title: Realm scope and export baseline validation
Stability: stable
Exposure: internal
Primary API surface: scripts/validate-realm-scope-baseline.py (scripts/validate-realm-scope-baseline.py), scripts/verify-realm-export.ps1 (scripts/verify-realm-export.ps1)

`runtime-guardrails-v1`

Title: CPU-safe runtime guardrails verifier (bounded diagnostics, cleanup, idempotent rerun)
Stability: stable
Exposure: internal
Primary API surface: scripts/verify-runtime-guardrails-v1.py (scripts/verify-runtime-guardrails-v1.py), docs/RUNTIME_GUARDRAILS_V1.md (docs/RUNTIME_GUARDRAILS_V1.md)

`sso-v4-claim-session-core`

Title: Stackwide SSO-v4 claim, stale-revision, and global session invalidation core
Stability: stable
Exposure: internal
Primary API surface: config/identity/stackwide-claim-session-core.v1.yaml (config/identity/stackwide-claim-session-core.v1.yaml), scripts/validate-stackwide-claim-session-core.py (scripts/validate-stackwide-claim-session-core.py), docs/SSO_V4_CLAIM_SESSION_CORE.md (docs/SSO_V4_CLAIM_SESSION_CORE.md)

`sso-v4-admitted-surface-contracts`

Title: Normalized admitted surface technical auth contracts
Stability: stable
Exposure: internal
Primary API surface: config/clients/admitted-surfaces.v1.yaml (config/clients/admitted-surfaces.v1.yaml), scripts/validate-admitted-surface-client-contracts.py (scripts/validate-admitted-surface-client-contracts.py), docs/ADMITTED_SURFACE_CLIENT_CONTRACTS.md (docs/ADMITTED_SURFACE_CLIENT_CONTRACTS.md)

Experimental Or Transitional Capabilities

`plane-oidc-bridge`

Title: Plane public OIDC bridge surface
Stability: experimental
Exposure: external
Primary API surface: plane_oidc_bridge/app.py (plane_oidc_bridge/app.py), GET/POST /auth/oidc/*, GET /api/v1/auth/oidc/status

`agent-reconcile-mutation-worker`

Title: Agent reconcile mutation worker
Stability: partial
Exposure: internal
Primary API surface: scripts/agent_reconcile_worker.py (scripts/agent_reconcile_worker.py), POST /api/v1/identity/agent-reconcile/worker/run

`loom-browserless-e2e-verify`

Title: Loom browserless end-to-end verifier
Stability: partial
Exposure: internal
Primary API surface: scripts/verify-loom-oidc-e2e.py (scripts/verify-loom-oidc-e2e.py)

`loom-smoke-credential-path`

Title: Automation-grade Loom smoke credential path (file/env sourced)
Stability: partial
Exposure: internal
Primary API surface: scripts/validate_live_proxy_sso_smoke.py (scripts/validate_live_proxy_sso_smoke.py), scripts/reset-loom-smoke-user-password.py (scripts/reset-loom-smoke-user-password.py), scripts/secret_input.py (scripts/secret_input.py)

Current Gaps

no repo-owned Plane session handoff or Plane user provisioning capability is implemented; this remains owner work outside jhf-heddle
no local business-truth capability exists for Plane eligibility, departments, teams, or project membership, and none may be invented here

License: AGPLv3
Project: https://helpifyr.com

Documentation Map​

Capabilities

Stable External Capabilities​

keycloak-realm-runtime​

identity-claim-language​

technical-principal-model​

fabric-authorized-claim-emission​

session-refresh-revocation-posture​

authoring-runtime-boundary-posture​

breakglass-lifecycle-expiry-posture​

bootstrap-lifecycle-deactivation-posture​

downstream-breakglass-projection-posture​

expiry-revocation-session-kill-posture​

disable-delete-fail-closed-posture​

superadmin-bootstrap-recovery-propagation​

future-module-auth-onboarding​

oidc-client-bootstrap-contracts​

vaultwarden-oidc-bootstrap-contract​

jhf-web-external-oidc-service-contract​

loom-oidc-bridge​

Stable Internal Capabilities​

fabric-combination-consumer​

plane-unified-access-consumer​

agent-federation-read-api​

technical-sync-contract​

realm-bootstrap-validation​

runtime-guardrails-v1​

sso-v4-claim-session-core​

sso-v4-admitted-surface-contracts​

Experimental Or Transitional Capabilities​

plane-oidc-bridge​

agent-reconcile-mutation-worker​

loom-browserless-e2e-verify​

loom-smoke-credential-path​

Current Gaps​

Documentation Map

Stable External Capabilities

`keycloak-realm-runtime`

`identity-claim-language`

`technical-principal-model`

`fabric-authorized-claim-emission`

`session-refresh-revocation-posture`

`authoring-runtime-boundary-posture`

`breakglass-lifecycle-expiry-posture`

`bootstrap-lifecycle-deactivation-posture`

`downstream-breakglass-projection-posture`

`expiry-revocation-session-kill-posture`

`disable-delete-fail-closed-posture`

`superadmin-bootstrap-recovery-propagation`

`future-module-auth-onboarding`

`oidc-client-bootstrap-contracts`

`vaultwarden-oidc-bootstrap-contract`

`jhf-web-external-oidc-service-contract`

`loom-oidc-bridge`

Stable Internal Capabilities

`fabric-combination-consumer`

`plane-unified-access-consumer`

`agent-federation-read-api`

`technical-sync-contract`

`realm-bootstrap-validation`

`runtime-guardrails-v1`

`sso-v4-claim-session-core`

`sso-v4-admitted-surface-contracts`

Experimental Or Transitional Capabilities

`plane-oidc-bridge`

`agent-reconcile-mutation-worker`

`loom-browserless-e2e-verify`

`loom-smoke-credential-path`

Current Gaps