Releases: WeLikeCode/mintkey

v0.1.0 pre-alpha — first public snapshot

17 May 06:33
5f397b7

Mintkey v0.1.0 pre-alpha — first public snapshot

What's included

  • Keycloak as canonical IdP (admin-ui, Grafana, Jaeger all SSO via it)
  • Observability: OpenTelemetry → Jaeger (traces) + Prometheus + Grafana

Security posture

  • All workflow tokens least-privilege (top-level contents:read; writes
    hoisted to specific jobs)
  • 41 GitHub Actions SHA-pinned; 15 Dockerfile FROM directives
    SHA-pinned
  • Trivy container scan in CI with documented .trivyignore allow-list
    (33 CVEs, expiry 2026-08-16)
  • OpenSSF Scorecard publishes; passing checks: Dependency-Update-Tool,
    Security-Policy, Dangerous-Workflow, Binary-Artifacts, SAST, License
  • mypy --strict + ruff clean across admin-api + mintkey-models +
    mcp-server
  • 138 admin-api unit tests + 49 mintkey-models tests + Go unit tests
    all green
  • Static SQL-injection scanner enforces no f-string SQL and no
    dynamic text() construction across admin-api + mcp-server
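
A static check of the kind the last item describes can be written against Python's `ast` module. The sketch below is an added example, not Mintkey's scanner: the rule names, the keyword list, the choice to flag any non-literal argument to `text()`, and the assumption that `text()` is SQLAlchemy's are all illustrative.

```python
import ast

SQL_KEYWORDS = ("select ", "insert ", "update ", "delete ")  # assumed heuristic

def _is_dynamic(node):
    """True unless the expression is built only from string literals."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.JoinedStr):  # f-string: dynamic only if it interpolates
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_dynamic(node.left) or _is_dynamic(node.right)
    return True  # names, calls, % and .format(): value not known statically

def _looks_like_sql(fstring):
    """Check the literal parts of an f-string for SQL keywords."""
    literal = "".join(v.value for v in fstring.values
                      if isinstance(v, ast.Constant) and isinstance(v.value, str))
    return any(k in literal.lower() for k in SQL_KEYWORDS)

def _call_name(call):
    func = call.func  # matches both text(...) and sqlalchemy.text(...)
    return getattr(func, "id", None) or getattr(func, "attr", None)

def scan(source, filename="<constructed>"):
    """Return sorted (line, rule) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.JoinedStr):
            if _is_dynamic(node) and _looks_like_sql(node):
                findings.append((node.lineno, "f-string SQL"))
        elif isinstance(node, ast.Call) and _call_name(node) == "text":
            if node.args and _is_dynamic(node.args[0]):
                findings.append((node.lineno, "dynamic text()"))
    return sorted(findings)

# Constructed sample input, not taken from the Mintkey code base.
SAMPLE = '''\
from sqlalchemy import text
def by_name(conn, name, col):
    conn.execute(text("SELECT id FROM keys WHERE name = :n"), {"n": name})
    conn.execute(f"SELECT id FROM keys WHERE name = '{name}'")
    conn.execute(text("SELECT id FROM keys ORDER BY " + col))
    log = f"looked up {name}"
'''

if __name__ == "__main__":
    for line, rule in scan(SAMPLE):
        print(f"line {line}: {rule}")
```

The bound-parameter query on line 3 of the sample and the non-SQL f-string on line 6 pass; only the interpolated query and the concatenated `text()` argument are reported.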

CI gates (all green on this tag)

Lint Go · Lint Python · Lint Contracts · Go Unit Tests · Python Unit
Tests · Architecture Tests · Schema Integrity Gates · Acceptance
Tests · Integration Tests · OpenSSF Scorecard · CodeQL (go, python,
javascript-typescript)

Pre-alpha caveats

  • API surface and DB schema are not stable; breaking changes expected
    until v0.2.x
  • Self-hosted only; no managed SaaS offering
  • Operator-grade UX (admin-ui) is functional but rough
  • LAN-deployment ready (set MINTKEY_*_PUBLIC_URL env vars per
    .env.example); production TLS / multi-tenant ops hardening
    out-of-scope for this snapshot
  • 8 known Dependabot alerts closed pre-tag (PR #34); subsequent
    Dependabot PRs may surface new alerts as upstream advisories land

Acknowledgments

First public snapshot following extensive bootstrap remediation
(PRs #33#53 on this branch). Tag is reproducible from the source
in this commit; all images SHA-pinned to upstream registry digests.

Don't run this in production yet. Do try it locally and tell us
what breaks: https://github.com/WeLikeCode/mintkey/issues