- Rust 39.5%
- Svelte 29.7%
- TypeScript 27%
- CSS 1.9%
- Shell 1.1%
- Other 0.8%
| guest | feat(idp): gate baas:admin scope behind is_admin (platform-operator entitlement for baas S10) | |
| migrations/idp | Initial commit: reperfect OIDC IdP extracted from baas | |
| scripts | Initial commit: reperfect OIDC IdP extracted from baas | |
| web | Initial commit: reperfect OIDC IdP extracted from baas | |
| .gitignore | Initial commit: reperfect OIDC IdP extracted from baas | |
| AGENTS.md | Initial commit: reperfect OIDC IdP extracted from baas | |
| baas.toml | Initial commit: reperfect OIDC IdP extracted from baas | |
| README.md | Initial commit: reperfect OIDC IdP extracted from baas | |
| rust-toolchain.toml | Initial commit: reperfect OIDC IdP extracted from baas | |
idp — reperfect OIDC identity provider
The first app that deploys onto baas, and the one that
dogfoods platform auth: baas authenticates its own operators against this IdP, with the out-of-band
BAAS_ADMIN_TOKEN as the break-glass path when the IdP is down.
The function renders no UI. guest/ is a pure JSON API (a WASI 0.3 component, wasi:http/handler);
the two SPAs are static single-page apps that talk to it over CORS.
Parts
guest/— the IdP JSON API as awasm32-wasip3component. Its own Cargo workspace; depends on the guest SDKfaasby git dep (codeberg.org/reperfect/faas). Endpoints and behaviour:AGENTS.md.web/login/— the login SPA (Svelte 5 + Tailwind v4 + TS, Bun). This is the OIDCauthorization_endpoint: it reads the OAuth request from its query, POSTs credentials to the API/login, and navigates the browser to the returnedredirect_uri. Serves at127.0.0.1:5173in dev.web/admin/— the management console SPA. An OAuth client of the IdP (public, PKCE-only); drives the/admin/*JSON API. Serves at127.0.0.1:5174in dev.baas.toml— the deploy manifest (projectidp, one postgres resource, thesigning_seedsecret, the/HTTP trigger).migrations/idp/*.sql— schema, applied bybaas migrate idp.schema/idp.sqlis the derivedpg_dumpsnapshot (never source of truth).
Build
Guest (needs the wasm32-wasip3 sysroot — run scripts/setup-wasip3.sh once per toolchain install):
cargo build --manifest-path guest/Cargo.toml --target wasm32-wasip3 --release
# -> guest/target/wasm32-wasip3/release/guest_idp.wasm
SPAs:
cd web/login && bun install && bun run check && bun run build
cd web/admin && bun install && bun run check && bun run build
@reperfect/brand (Martian Mono + design tokens) is a git dep of each SPA; bun install copies it into
node_modules, so the dev server serves the font with no fs.allow override.
Deploy onto baas
The baas CLI comes from the platform repo. From this repo root:
- Apply the schema:
baas migrate idp --env dev - Set the signing key (vault, not the manifest):
baas secret set idp/dev/idp signing_seed=<32B base64url> --control-db <url> - Serve locally, or push the component and deploy by digest:
- local:
baas serve --env dev --addr 127.0.0.1:8100 --control-db <url> - published:
baas push idp --registry <repo>printsoci://...@sha256:...; set that as the componentsourceandbaas serve/baas deploy.
- local:
The issuer must equal the serve --addr. authorize_url points at the login SPA; cors_origins
allowlists the browser origins (both SPA ports) permitted to call credentialed endpoints. Host the SPAs
and the API on the same registrable domain, or third-party-cookie blocking breaks the SSO session cookie.
Admin API
Contract (auth model, endpoints, error codes) is in AGENTS.md under "Admin API".