Initial import — snapshot from admin host /srv/gosec/gsc-ops-api

This repo had no version control prior to this commit. The import is a straight snapshot of the working tree at 2026-05-03; the deployed binary on fihelvop01 was being rebuilt from this source via `make build` + scp into place, with no upstream review path. The snapshot already includes one in-flight fix made on 2026-05-03 to internal/service/persona.go:GetSelfModel — the handler queried `source` and `strength` columns plus an `is_active = true` filter on persona.persona_commitments, none of which exist on that table (its shape is session-bound commitments with `status`, `commitment_meta`, etc.). The query returned a 500 every time SynapseHub bootstrapped a persona's self-model, dropping the IdentityConstraints / Commitments / ConscienceStandards layer from the assembled prompt. The patched query reads existing columns only (commitment_text, commitment_type), filters on `status='active'`, and synthesises Source="learned" / Strength=1.0 to keep the SelfModel response shape stable for callers. Verified live: `GET /api/v1/personas/70f7cfd9-.../self-model` now returns 200 with `{identityConstraints:[],commitments:[], conscienceStandards:[]}` instead of 500. Future changes go through PRs against this repo — no more bin-only deploys. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 20:06:02 +02:00
commit 3847eb2036
68 changed files with 12982 additions and 0 deletions
--- a/internal/schema/objectclasses.go
+++ b/internal/schema/objectclasses.go
@@ -0,0 +1,230 @@
+package schema
+
+// registerObjectClasses registers all 45 GoSec LDAP objectClass definitions.
+func (r *Registry) registerObjectClasses() {
+	// ── AUXILIARY user objectClasses (21) ────────────────────────
+
+	r.addObjectClass("gscTenantUser", "AUXILIARY",
+		[]string{"gscTenantId"},
+		[]string{"gscTenantName", "gscTenantDomain", "gscTenantStatus", "gscUserTenantHash", "gscUserTenantHashSalt", "gscUserTenantHashVersion", "gscUserTenantHashCreatedAt", "gscUserTenantHashVerifiedAt", "gscCustomerId", "gscSID", "gscSIDCustomerPart", "gscSIDTenantPart", "gscSIDSpecial1", "gscSIDSpecial2", "gscSIDUserPart", "gscCreatedAt", "gscModifiedAt", "gscCreatedBy", "gscModifiedBy"},
+		"tenant")
+
+	r.addObjectClass("gscMailUser", "AUXILIARY",
+		[]string{"gscMailEnabled"},
+		[]string{"gscMailQuota", "gscMailAlias", "gscMailForward", "gscMailAutoReply", "gscMailAutoReplyMessage", "gscMailTransport", "gscMailDomain"},
+		"mail")
+
+	r.addObjectClass("gscConfUser", "AUXILIARY",
+		[]string{"gscConfEnabled"},
+		[]string{"gscConfRole", "gscConfMaxParticipants", "gscConfRecordingEnabled", "gscConfDefaultRoom"},
+		"conf")
+
+	r.addObjectClass("gscFtpUser", "AUXILIARY",
+		[]string{"gscFtpEnabled"},
+		[]string{"gscFtpQuota", "gscFtpHomeDir", "gscFtpUploadBandwidth", "gscFtpDownloadBandwidth", "gscFtpAllowedIPs"},
+		"ftp")
+
+	r.addObjectClass("gscFileUser", "AUXILIARY",
+		[]string{"gscFileEnabled"},
+		[]string{"gscFileQuota", "gscFileHomeDir", "gscFileVersioning", "gscFileMaxFileSize"},
+		"file")
+
+	r.addObjectClass("gscShareUser", "AUXILIARY",
+		[]string{"gscShareEnabled"},
+		[]string{"gscShareExternalEnabled", "gscShareMaxRecipients", "gscShareDefaultExpiry", "gscSharePasswordRequired"},
+		"sharing")
+
+	r.addObjectClass("gscCalUser", "AUXILIARY",
+		[]string{"gscCalEnabled"},
+		[]string{"gscCalDefaultCalendar", "gscCalTimezone", "gscCalFreeBusyPublic", "gscCalDelegates"},
+		"calendar")
+
+	r.addObjectClass("gscTelUser", "AUXILIARY",
+		[]string{"gscTelEnabled"},
+		[]string{"gscTelExtension", "gscTelDID", "gscTelVoicemailEnabled", "gscTelVoicemailPin", "gscTelCallForward", "gscTelCallGroup", "gscTelRecordCalls"},
+		"telephony")
+
+	r.addObjectClass("gscContactsUser", "AUXILIARY",
+		[]string{"gscContactsEnabled"},
+		[]string{"gscContactsShared", "gscContactsMaxContacts", "gscContactsExportEnabled"},
+		"contacts")
+
+	r.addObjectClass("gscAIUser", "AUXILIARY",
+		[]string{"gscAIEnabled"},
+		[]string{"gscAIModel", "gscAIMaxTokens", "gscAIFeatures", "gscAIUsageQuota"},
+		"ai")
+
+	r.addObjectClass("gscDlpUser", "AUXILIARY",
+		[]string{"gscDlpEnabled"},
+		[]string{"gscDlpPolicyDN", "gscDlpExempt"},
+		"dlp")
+
+	r.addObjectClass("gscSensitivityUser", "AUXILIARY",
+		[]string{"gscSensitivityEnabled"},
+		[]string{"gscSensitivityDefaultLabel"},
+		"sensitivity")
+
+	r.addObjectClass("gscEncryptionUser", "AUXILIARY",
+		[]string{"gscEncryptionEnabled"},
+		[]string{"gscEncryptionKeyDN"},
+		"encryption")
+
+	r.addObjectClass("gscRetentionUser", "AUXILIARY",
+		[]string{"gscRetentionEnabled"},
+		[]string{"gscRetentionPolicyDN"},
+		"retention")
+
+	r.addObjectClass("gscEDiscoveryUser", "AUXILIARY",
+		[]string{"gscEDiscoveryEnabled"},
+		[]string{"gscEDiscoveryCustodian"},
+		"ediscovery")
+
+	r.addObjectClass("gscAdvancedAuditUser", "AUXILIARY",
+		[]string{"gscAuditEnabled"},
+		[]string{"gscAuditLevel"},
+		"audit")
+
+	r.addObjectClass("gscIAMUser", "AUXILIARY",
+		[]string{"gscIAMEnabled"},
+		[]string{"gscIAMMFARequired", "gscIAMMFAMethod", "gscIAMPasswordPolicy", "gscIAMSessionTimeout", "gscIAMMaxSessions", "gscIAMIPRestrictions", "gscIAMRiskLevel"},
+		"iam")
+
+	r.addObjectClass("gscCollaborationUser", "AUXILIARY",
+		[]string{"gscCollabEnabled"},
+		[]string{"gscCollabTeamsEnabled", "gscCollabChannelsEnabled", "gscCollabExternalEnabled"},
+		"collaboration")
+
+	r.addObjectClass("gscBarrierUser", "AUXILIARY",
+		[]string{"gscBarrierEnabled"},
+		[]string{"gscBarrierSegmentDN"},
+		"barriers")
+
+	r.addObjectClass("gscGuestUser", "AUXILIARY",
+		[]string{"gscGuestEnabled"},
+		[]string{"gscGuestType", "gscGuestOrganization", "gscGuestExternalEmail", "gscGuestVerified", "gscGuestFederatedIdpDN", "gscGuestFederatedId", "gscGuestAccessScope", "gscGuestPermissionLevel", "gscGuestResourceDN", "gscGuestInvitedBy", "gscGuestInvitedAt", "gscGuestExpiresAt", "gscGuestLastAccessAt", "gscGuestAccessCount"},
+		"guest")
+
+	r.addObjectClass("gscKmsUser", "AUXILIARY",
+		[]string{"gscKmsEnabled"},
+		[]string{"gscKmsRole", "gscKmsKeyAccess", "gscKmsMaxKeys", "gscKmsAllowedAlgorithms", "gscKmsAllowedOperations", "gscKmsApprovalRequired", "gscKmsAuditEnabled", "gscKmsLastKeyAccess", "gscKmsKeyCount", "gscKmsPolicyDN", "gscKmsHsmAccess"},
+		"kms-user")
+
+	// ── STRUCTURAL entity objectClasses (18) ────────────────────
+
+	r.addObjectClass("gscTenant", "STRUCTURAL",
+		[]string{"gscTenantId", "gscTenantName"},
+		[]string{"gscTenantDomain", "gscTenantStatus", "gscTenantQuota", "gscTenantMaxUsers", "gscTenantCreatedAt", "gscTenantServices", "gscTenantAdminDN", "gscTenantParentDN", "gscDescription", "gscEnabled", "gscNotes", "gscCreatedAt", "gscModifiedAt", "gscCreatedBy", "gscModifiedBy"},
+		"tenant")
+
+	r.addObjectClass("gscResource", "STRUCTURAL",
+		[]string{"gscResourceId", "gscResourceName", "gscResourceType"},
+		[]string{"gscResourceEmail", "gscResourceCapacity", "gscResourceLocation", "gscResourceBookable", "gscResourceApprovalRequired", "gscResourceOwnerDN", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"resource")
+
+	r.addObjectClass("gscDlpPolicy", "STRUCTURAL",
+		[]string{"gscDlpPolicyName"},
+		[]string{"gscDlpPolicyType", "gscDlpPolicyRules", "gscDlpPolicyAction", "gscDlpPolicyPriority", "gscDlpPolicyScope", "gscDlpPolicyStatus", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"dlp")
+
+	r.addObjectClass("gscSensitivityLabel", "STRUCTURAL",
+		[]string{"gscSensitivityLabelName"},
+		[]string{"gscSensitivityLabelPriority", "gscSensitivityLabelColor", "gscSensitivityLabelTooltip", "gscSensitivityLabelScope", "gscSensitivityEncryptionRequired", "gscSensitivityWatermark", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"sensitivity")
+
+	r.addObjectClass("gscEncryptionPolicy", "STRUCTURAL",
+		[]string{"gscEncryptionPolicyName"},
+		[]string{"gscEncryptionPolicyType", "gscEncryptionAlgorithm", "gscEncryptionKeyLength", "gscEncryptionScope", "gscEncryptionPolicyStatus", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"encryption")
+
+	r.addObjectClass("gscRetentionPolicy", "STRUCTURAL",
+		[]string{"gscRetentionPolicyName"},
+		[]string{"gscRetentionPolicyType", "gscRetentionDuration", "gscRetentionAction", "gscRetentionScope", "gscRetentionPolicyStatus", "gscRetentionExcludeFolders", "gscRetentionLegalHold", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"retention")
+
+	r.addObjectClass("gscEDiscoveryCase", "STRUCTURAL",
+		[]string{"gscEDiscoveryCaseName"},
+		[]string{"gscEDiscoveryCaseStatus", "gscEDiscoveryCaseCreatedAt", "gscEDiscoveryCaseClosedAt", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"ediscovery")
+
+	r.addObjectClass("gscEDiscoveryHold", "STRUCTURAL",
+		[]string{"gscEDiscoveryHoldName"},
+		[]string{"gscEDiscoveryHoldScope", "gscEDiscoveryHoldStatus", "gscEDiscoveryHoldCreatedAt", "gscEDiscoverySearchQuery", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"ediscovery")
+
+	r.addObjectClass("gscAuditPolicy", "STRUCTURAL",
+		[]string{"gscAuditPolicyName"},
+		[]string{"gscAuditPolicyScope", "gscAuditPolicyActions", "gscAuditPolicyStatus", "gscAuditRetentionDays", "gscAuditAlertEnabled", "gscAuditAlertRecipients", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"audit")
+
+	r.addObjectClass("gscConditionalAccessPolicy", "STRUCTURAL",
+		[]string{"gscIAMCAPolicyName"},
+		[]string{"gscIAMCAPolicyConditions", "gscIAMCAPolicyActions", "gscIAMCAPolicyStatus", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"iam")
+
+	r.addObjectClass("gscCollaborationPolicy", "STRUCTURAL",
+		[]string{"gscCollabPolicyName"},
+		[]string{"gscCollabPolicyScope", "gscCollabPolicyActions", "gscCollabPolicyStatus", "gscCollabMaxTeamSize", "gscCollabGuestAccessEnabled", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"collaboration")
+
+	r.addObjectClass("gscBarrierSegment", "STRUCTURAL",
+		[]string{"gscBarrierSegmentName"},
+		[]string{"gscBarrierSegmentMembers", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"barriers")
+
+	r.addObjectClass("gscBarrierPolicy", "STRUCTURAL",
+		[]string{"gscBarrierPolicyName"},
+		[]string{"gscBarrierPolicyType", "gscBarrierPolicySegments", "gscBarrierPolicyAction", "gscBarrierPolicyStatus", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"barriers")
+
+	r.addObjectClass("gscGuestPolicy", "STRUCTURAL",
+		[]string{"gscGuestPolicyName"},
+		[]string{"gscGuestPolicyScope", "gscGuestPolicyAction", "gscGuestPolicyStatus", "gscGuestMaxDuration", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"guest")
+
+	r.addObjectClass("gscFederatedIdp", "STRUCTURAL",
+		[]string{"gscGuestIdpName"},
+		[]string{"gscGuestIdpType", "gscGuestIdpEntityId", "gscGuestIdpMetadataURL", "gscGuestIdpDomains", "gscGuestIdpStatus", "gscDescription", "gscEnabled", "gscCreatedAt", "gscModifiedAt"},
+		"guest")
+
+	r.addObjectClass("gscManagedKey", "STRUCTURAL",
+		[]string{"gscKeyId", "gscKeyName", "gscKeyAlgorithm"},
+		[]string{"gscKeyLength", "gscKeyType", "gscKeyStatus", "gscKeyCreatedAt", "gscKeyExpiresAt", "gscKeyRotatedAt", "gscKeyOwnerDN", "gscKeyTenantDN", "gscKeyOperations", "gscKeyMaterial", "gscKeyPublicKey", "gscKeyFingerprint", "gscKeyVersion", "gscKeyPreviousVersionDN", "gscKeyHsmBacked", "gscKeyHsmSlot", "gscKeyAutoRotate", "gscKeyRotationDays"},
+		"managed-key")
+
+	r.addObjectClass("gscKmsPolicy", "STRUCTURAL",
+		[]string{"gscKmsPolicyId", "gscKmsPolicyName"},
+		[]string{"gscKmsPolicyType", "gscKmsPolicyEffect", "gscKmsPolicyPrincipalDN", "gscKmsPolicyResourceDN", "gscKmsPolicyOperations", "gscKmsPolicyConditions", "gscKmsPolicyPriority", "gscKmsPolicyStatus", "gscKmsPolicyCreatedAt", "gscKmsPolicyModifiedAt", "gscKmsPolicyTenantDN", "gscKmsPolicyMaxKeyAge", "gscKmsPolicyRequireHsm"},
+		"kms-policy")
+
+	r.addObjectClass("gscHsmConfig", "STRUCTURAL",
+		[]string{"gscHsmConfigId", "gscHsmConfigName"},
+		[]string{"gscHsmConfigType", "gscHsmConfigVendor", "gscHsmConfigModel", "gscHsmConfigConnectionString", "gscHsmConfigSlots", "gscHsmConfigStatus", "gscHsmConfigMaxKeys", "gscHsmConfigTenantDN"},
+		"hsm-config")
+
+	// ── AUXILIARY object objectClasses (6) ──────────────────────
+
+	r.addObjectClass("gscAuditObject", "AUXILIARY",
+		[]string{"gscAuditEnabled"},
+		[]string{"gscAuditLevel", "gscAuditPolicyName"},
+		"audit")
+
+	r.addObjectClass("gscMeetingRoom", "AUXILIARY",
+		[]string{"gscResourceId", "gscResourceType"},
+		[]string{"gscResourceCapacity", "gscResourceLocation", "gscResourceBookable"},
+		"resource")
+
+	r.addObjectClass("gscSharedMailbox", "AUXILIARY",
+		[]string{"gscMailEnabled"},
+		[]string{"gscMailQuota", "gscMailAlias", "gscMailDomain"},
+		"mail")
+
+	r.addObjectClass("gscEquipment", "AUXILIARY",
+		[]string{"gscResourceId", "gscResourceType"},
+		[]string{"gscResourceName", "gscResourceLocation", "gscResourceBookable"},
+		"resource")
+
+	r.addObjectClass("gscKmsTenant", "AUXILIARY",
+		[]string{"gscKmsTenantEnabled"},
+		[]string{"gscKmsTenantMaxKeys", "gscKmsTenantAllowedAlgorithms", "gscKmsTenantKeyRotationDays", "gscKmsTenantHsmEnabled", "gscKmsTenantHsmPartition", "gscKmsTenantAutoRotate", "gscKmsTenantKeyCount", "gscKmsTenantQuota", "gscKmsTenantDefaultAlgorithm", "gscKmsTenantDefaultKeyLength", "gscKmsTenantPolicyDN"},
+		"kms-tenant")
+}