feat: implement service identity registration and panel integration

- **Auth**: Refactor permissions to distinguish between user and service subjects.
- **Identity**: Add sentinel endpoint for dynamic credential retrieval.
- **Services**: Scaffolding for `realm` service and `registrar`/`communicator` libraries.
- **Panel**: Externalize `API_BASE_URL` and implement dynamic sentinel auth.
- **Tests**: Add comprehensive integration tests for organization members and roles.
- **Chore**: Cleanup terraform state tracking and fix typos.

Author: gabber235

.gitignore

@@ -142,4 +142,9 @@ docker/surrealdb/database.db
 docker/nats
 .env
 
-**.task/**
+**.task/**
+
+# Terraform state files
+*.tfstate
+*.tfstate.backup
+*.tfstate.*.backup

.output.txt

@@ -42,7 +42,7 @@ class WindowClassRegistrar {
  public:
   ~WindowClassRegistrar() = default;
 
-  // Returns the singleton registar instance.
+  // Returns the singleton registrar instance.
   static WindowClassRegistrar* GetInstance() {
     if (!instance_) {
       instance_ = new WindowClassRegistrar();

app/windows/runner/win32_window.cpp

@@ -33,7 +33,7 @@ tasks:
         for taskfile in $TASKFILES; do
           DIR=$(dirname "$taskfile")
 
-          if ! (cd "$DIR" && task --list 2>/dev/null | grep -q "^{{.TASK_CMD}}"); then
+          if ! (cd "$DIR" && task --list 2>/dev/null | grep -q "^\* {{.TASK_CMD}}:"); then
             echo "⊘ $DIR (task '{{.TASK_CMD}}' not found, skipping)"
             continue
           fi
@@ -117,6 +117,18 @@ tasks:
           echo "  - $DIR"
         done
 
+  test:
+    desc: "Run integration tests (builds components if needed)"
+    cmds:
+      - task: build:all
+      - cd tests && cargo test {{.CLI_ARGS}}
+
+  test:all:
+    desc: "Run all integration tests in single binary (fastest)"
+    cmds:
+      - task: build:all
+      - cd tests && cargo test --test integration {{.CLI_ARGS}}
+
   default:
     desc: Show available tasks
     cmds:

backend/Taskfile.yml

@@ -21,7 +21,7 @@ spec:
             - handler
             - consumer
           config:
-            subscriptions: auth.permissions.typewriter
+            subscriptions: auth.permissions.typewriter-panel,auth.permissions.typewriter-services
         - namespace: seamlezz
           package: surrealdb
           interfaces:

backend/auth/auth-callout/.task/checksum/build

@@ -0,0 +1,111 @@
+use std::time::Duration;
+
+use nats_jwt_rs::types::{
+    Permission as NatsPermission, Permissions as NatsPermissions,
+    ResponsePermission as NatsResponsePermission,
+};
+use serde::{Deserialize, Serialize};
+
+use crate::typewriter;
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct DiscordData {
+    pub id: String,
+    pub username: String,
+    pub discriminator: Option<String>,
+    pub email: Option<String>,
+    pub avatar: Option<String>,
+    pub avatar_url: Option<String>,
+    #[serde(default)]
+    pub roles: Vec<String>,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone, Default)]
+pub struct AuthentikClaims {
+    pub name: Option<String>,
+    pub preferred_username: Option<String>,
+    pub email: Option<String>,
+    #[serde(default)]
+    pub email_verified: bool,
+    #[serde(default)]
+    pub groups: Vec<String>,
+    pub discord: Option<DiscordData>,
+    pub avatar: Option<String>,
+    pub avatar_url: Option<String>,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct User {
+    pub name: String,
+    pub email: Option<String>,
+    pub avatar: Option<String>,
+    pub avatar_url: Option<String>,
+}
+
+/// Build a permission response from NATS permissions and tags
+pub fn build_permission_response(
+    nats_permissions: NatsPermissions,
+    tags: Vec<String>,
+) -> typewriter::api::v1::PermissionResponse {
+    let proto_permissions = (&nats_permissions).into();
+    typewriter::api::v1::PermissionResponse {
+        permissions: Some(proto_permissions),
+        tags,
+    }
+}
+
+/// Build default NATS permissions structure with response limits
+pub fn build_nats_permissions(
+    allow_publish: Vec<String>,
+    allow_subscribe: Vec<String>,
+) -> NatsPermissions {
+    NatsPermissions {
+        publish: NatsPermission {
+            allow: allow_publish,
+            deny: vec![],
+        },
+        subscribe: NatsPermission {
+            allow: allow_subscribe,
+            deny: vec![],
+        },
+        resp: Some(NatsResponsePermission {
+            max_messages: 1,
+            ttl: Duration::from_secs(60),
+        }),
+    }
+}
+
+impl From<&NatsPermissions> for typewriter::models::v1::Permissions {
+    fn from(nats_permissions: &NatsPermissions) -> Self {
+        use prost_types::Duration;
+
+        let publish = Some(typewriter::models::v1::Permission {
+            allow: nats_permissions.publish.allow.clone(),
+            deny: nats_permissions.publish.deny.clone(),
+        });
+
+        let subscribe = Some(typewriter::models::v1::Permission {
+            allow: nats_permissions.subscribe.allow.clone(),
+            deny: nats_permissions.subscribe.deny.clone(),
+        });
+
+        let resp = nats_permissions.resp.as_ref().map(|r| {
+            let total_seconds = r.ttl.as_secs();
+            let nanos = r.ttl.subsec_nanos();
+
+            typewriter::models::v1::ResponsePermission {
+                max_messages: r.max_messages as i32,
+                ttl: Some(Duration {
+                    seconds: total_seconds as i64,
+                    nanos: nanos as i32,
+                }),
+            }
+        });
+
+        typewriter::models::v1::Permissions {
+            publish,
+            subscribe,
+            resp,
+        }
+    }
+}