# Phase 8: Authentik Integration

**Status:** ⬜ Not Started
**Parent plan:** [PLAN.md](./PLAN.md)
**Domain:** backend

## Objective

Implement Authentik integration for security monitoring: active sessions, login events, brute force detection, and user/group statistics.

## Tasks

- [ ] Task 1: Create `src/lib/server/integrations/authentik/schema.ts` — Zod schemas for auth config (`{ apiToken: string }`) and endpoint responses.
- [ ] Task 2: Create `src/lib/server/integrations/authentik/client.ts` — HTTP client for Authentik API v3. Auth via `Authorization: Bearer ` header. Endpoints: `/api/v3/core/sessions/`, `/api/v3/events/events/?action=login`, `/api/v3/events/events/?action=login_failed`, `/api/v3/core/users/`, `/api/v3/core/groups/`.
- [ ] Task 3: Create `src/lib/server/integrations/authentik/transform.ts` — Transform: sessions → stat-card (count), login events → list with username/IP/timestamp/success, failed logins → brute force detection (>5 failures from same IP in 10 min = alert), user/group stats → stat-card.
- [ ] Task 4: Create `src/lib/server/integrations/authentik/index.ts` — Integration implementation. Endpoints: `sessions` (stat-card), `login-events` (list), `security-alerts` (alert-banner), `user-stats` (stat-card). testConnection: fetch authenticated user info.
- [ ] Task 5: Register Authentik integration in registry.
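
One way the Task 3 brute force check could be written, as an added example rather than the project's own `transform.ts`: a per-IP sliding window over failed-login events with the threshold passed in as config. The `FailedLogin` shape, the function and constant names, and the sample events are assumptions made for this example, not Authentik's event schema.

```typescript
// Added example: field names are assumptions, not Authentik's event schema.
interface FailedLogin { ip: string; username: string; timestamp: number } // epoch ms
interface BruteForceConfig { maxFailures: number; windowMs: number }
interface BruteForceAlert { ip: string; failures: number; usernames: string[]; firstSeen: number; lastSeen: number }

// Defaults from the plan: more than 5 failures from one IP within 10 minutes.
const DEFAULT_CONFIG: BruteForceConfig = { maxFailures: 5, windowMs: 10 * 60 * 1000 };

function detectBruteForce(events: FailedLogin[], config: BruteForceConfig = DEFAULT_CONFIG): BruteForceAlert[] {
  // Group by source IP. Null-prototype object so a key like "__proto__" is plain data.
  const byIp: Record<string, FailedLogin[]> = Object.create(null);
  for (const e of events) {
    if (!byIp[e.ip]) byIp[e.ip] = [];
    byIp[e.ip].push(e);
  }
  const alerts: BruteForceAlert[] = [];
  for (const ip of Object.keys(byIp)) {
    // Do not rely on the order events arrive in across pages; sort by time first.
    const list = byIp[ip].sort((a, b) => a.timestamp - b.timestamp);
    let start = 0, bestFrom = 0, bestCount = 0;
    for (let end = 0; end < list.length; end++) {
      // Shrink from the left until the window spans at most windowMs.
      while (list[end].timestamp - list[start].timestamp > config.windowMs) start++;
      const count = end - start + 1;
      if (count > config.maxFailures && count > bestCount) { bestFrom = start; bestCount = count; }
    }
    if (bestCount === 0) continue; // this IP never exceeded the threshold
    const hits = list.slice(bestFrom, bestFrom + bestCount); // densest offending window
    alerts.push({
      ip, failures: hits.length,
      usernames: hits.map(h => h.username).filter((u, i, all) => all.indexOf(u) === i),
      firstSeen: hits[0].timestamp, lastSeen: hits[hits.length - 1].timestamp,
    });
  }
  return alerts;
}

// Constructed sample events (documentation-range IPs); minutes are offsets from T0.
const T0 = Date.UTC(2024, 0, 1);
const at = (ip: string, username: string, minute: number): FailedLogin => ({ ip, username, timestamp: T0 + minute * 60000 });
const SAMPLE: FailedLogin[] = [
  ...[0, 1, 2, 3, 4, 5].map(m => at("203.0.113.7", m % 2 ? "admin" : "root", m)), // 6 in 5 min: alert
  ...[0, 6, 12, 18, 24, 30].map(m => at("198.51.100.4", "alice", m)),              // 6 in 30 min: no alert
  ...[0, 1, 2, 3, 4].map(m => at("192.0.2.9", "bob", m)),                          // exactly 5: no alert
];
```

The comparison is strictly greater than `maxFailures`, matching the ">5" wording, and two events exactly `windowMs` apart count as falling in the same window.
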
## Files to Modify/Create

- `src/lib/server/integrations/authentik/schema.ts` — new
- `src/lib/server/integrations/authentik/client.ts` — new
- `src/lib/server/integrations/authentik/transform.ts` — new
- `src/lib/server/integrations/authentik/index.ts` — new
- `src/lib/server/integrations/registry.ts` — modify: register Authentik

## Acceptance Criteria

- Active sessions count displayed as stat-card
- Login events list with username, IP, timestamp, success/failure
- Brute force detection: alert when >5 failed logins from same IP within 10 minutes
- User/group stats displayed as stat-card
- Security alerts surface via alert banner system
- Test connection validates API token

## Notes

- Authentik API v3 uses pagination — handle `?page=N&page_size=N`
- Brute force detection is computed client-side from event data, not a native Authentik feature
- The threshold (5 failures / 10 min) should be configurable via extra config
- Security alerts should integrate with the alert banner overlay from Phase 2

## Review Checklist

- [ ] All tasks completed
- [ ] Brute force detection logic is sound
- [ ] Code follows project conventions

## Handoff to Next Phase