MCAT can now redirect users to MCIAS for SSO login (including passkey
support) instead of showing its own login form. SSO is opt-in via the
[sso] config section.

- Add SSO landing page with "Sign in with MCIAS" button
- Add /sso/redirect and /sso/callback routes
- Update mcdsl to v1.5.0 (sso package)
- Fix .gitignore: /mcat ignores only the root binary, not cmd/mcat/
- Track cmd/mcat/ source files (previously gitignored by accident)

Security:
- State cookie uses SameSite=Lax for cross-site redirect compatibility
- Session cookie remains SameSite=Strict after login

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
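
The two cookie settings listed under Security, sketched with Go's net/http as an added example (not MCAT's or mcdsl's code). The cookie names, the `exchange` function standing in for the MCIAS token exchange, and the premise that /sso/redirect stored a random state value are assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
)

const stateName, sessionName = "sso_state", "session" // hypothetical cookie names

// stateCookie carries the anti-CSRF state across the round trip to the IdP.
// Lax: the IdP's redirect back is a cross-site top-level GET, which Strict would withhold.
func stateCookie(value string, maxAge int) *http.Cookie {
	return &http.Cookie{Name: stateName, Value: value, Path: "/sso/callback",
		MaxAge: maxAge, HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}
}

// sessionCookie is only ever needed on same-site requests, so it stays Strict.
func sessionCookie(token string) *http.Cookie {
	return &http.Cookie{Name: sessionName, Value: token, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode}
}

// checkState reports whether the callback's state parameter matches the state cookie.
func checkState(r *http.Request) bool {
	c, err := r.Cookie(stateName)
	got := r.URL.Query().Get("state")
	return err == nil && got != "" && subtle.ConstantTimeCompare([]byte(c.Value), []byte(got)) == 1
}

// callback rejects a missing or mismatched state before touching the code.
// exchange is a stand-in for the code-for-token call to the IdP (assumed).
func callback(exchange func(code string) (string, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !checkState(r) {
			http.Error(w, "invalid SSO state", http.StatusBadRequest)
			return
		}
		http.SetCookie(w, stateCookie("", -1)) // single use: expire the state cookie
		if token, err := exchange(r.URL.Query().Get("code")); err == nil {
			http.SetCookie(w, sessionCookie(token)) // on failure no session is set
		}
		http.Redirect(w, r, "/", http.StatusSeeOther)
	}
}

func main() {
	fmt.Println(stateCookie("constructed-state-value", 300)) // constructed sample value
}
```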

Remove USER and VOLUME directives (cause layer unpacking failures in
rootless podman). Add ARG VERSION for build-time injection. Follow the
standard mcdoc/mcq Dockerfile pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add MCR and VERSION variables, docker target to build the container
image with MCR tagging, and push target to push to MCR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Replace internal/auth with mcdsl/auth
- Replace internal/config with mcdsl/config (embed config.Base)
- Replace internal/webserver/csrf.go with mcdsl/csrf
- Use mcdsl/web for session cookies and template rendering
- Use mcdsl/httpserver for server setup and StatusWriter
- Remove direct mcias client library dependency
- Update .golangci.yaml to v2 format (formatters section)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>