Koder id auth coverage
Koder ID Auth — Conformance & Coverage Registry
Tracks which Koder components implement specs/auth/oauth-flow.kmd and run the test template specs/auth/oauth-flow-test-template.kmd across their UI surfaces. Pre-release, release engineering MUST verify that the row for the releasing component shows green for the enabled surfaces.
Status values:
- **PASS** — all 12 cases (T1-T8 + I1-I3 + N1-N4) green
- **PASS¹** — all 12 cases green **modulo I1-staging SKIP**: the wire contract is covered by the G1 central oauth-stub and the SKIP is a deployment artifact (G2 — stg.id.koder.dev provisioning) rather than a coverage gap. Promotes to PASS when G2 lands.
- **PARTIAL** — some cases green, some pending (note which)
- **FAIL** — test template implemented but blocking failure
- **N/A** — surface not shipped for this component
- **TODO** — implementation pending
- **SKIP** — intentionally skipped with rationale
Surfaces
| ID | Surface | Notes |
|---|---|---|
| S1 | backend | server-side, no user UI; auth applies to API consumers |
| S2 | mobile (Flutter) | Android + iOS |
| S3 | desktop (Flutter) | Linux + macOS + Windows |
| S4 | tv (React TizenOS/WebOS) | device auth grant (RFC 8628) |
| S5 | web (Flutter Web or templ+HTMX) | |
| S6 | cli (Go cobra) | local loopback flow |
| S7 | tui (Bubble Tea) | local loopback flow |
| S8 | desktop shell (native, non-Flutter) | session-wide auth; Kolide; libsecret storage |
Conformance grid
Date is "last audit date" for the row. Update entry when conformance state changes.
| Date | Component | S1 | S2 | S3 | S4 | S5 | S6 | S7 | S8 | Notes |
|---|---|---|---|---|---|---|---|---|---|---|
| 2026 | products/dev/flow (Koder Flow) (path corrected 2026services/foundation/flow) | PARTIAL | N/A | N/A | N/A | PARTIAL | N/A | N/A | N/A | **Reference implementation.** Conformance state after 2026services/foundation/id OAuth source id=1 active in DB); R2 ✓ (slug renamed KoderID → koder-id kebab via UPDATE login_source SET name='koder-id' WHERE id=1); R3 ✓ (authorize URL constructed correctly, verified via 307 chain from /user/oauth2/koder-id); R4 ✓ (callback handler returns 303 to /dashboard for authenticated session, native Gitea behavior); R5 ✓ (Jet vhost root removed 2026/ now goes to Gitea proxy → LANDING_PAGE = login → userlogin for anonymous, dashboard for authenticated); R6 ✓ (custom signin.tmpl in `varlibkoder/user/oauth2/koder-id, zero local form); R7 ⚠ (LinkAccountMode preserved in template but not e2e tested); R8 ✓ (Gitea default _koder_sid cookie, scope correct); R9 ⚠ (redirect_to preserve coded in template, not e2e tested). Full T1products/dev/flow/engine/tests/regression/oauth/ — 4 bash scripts covering R1 (issuer pin), R2 (notests/regression/oauth/T-SUITE-COVERAGE.kmd. CI gate via .koder-flow/workflows/oauth-regression.yml on path |
| 2026 | services/foundation/id itself | SKIP (R1.E1) | N/A | N/A | N/A | SKIP (R1.E1) | N/A | N/A | N/A | Dengine#103): the provider's own administration UIs (`account, admin-ui) ride cookie-session direct, NOT OAuth-to-self. Codified as oauth |
| 2026 | products/horizontal/dek (Koder Dek web) | N/A | PASS¹ | PASS¹ | N/A | PASS¹ | N/A | N/A | N/A | Promoted PARTIAL → PASS¹ on 2026stg.id.koder.dev); the central oauth |