Add MFA Sidecar to the catalog

[wonko6x9]

Problem / rationale

MFA Sidecar adds a browser-first MFA perimeter in front of selected YunoHost apps and paths.

It exists to cover a practical gap: YunoHost's normal SSO path does not provide native MFA for arbitrary downstream apps. MFA Sidecar provides a dedicated portal, operator-managed host/path protection rules, explicit break-glass behavior, and recovery-oriented documentation.

Package status

Current package version: 0.4.0~ynh1

This package is not a thin wrapper around Authelia. It includes:

• custom policy/render/apply pipeline
• custom admin UI and sidecar user management
• YunoHost-aware discovery of domains/apps
• managed nginx auth-request injection for selected targets
• explicit break-glass controls
• packaged operator/recovery docs

Validation summary

Validated on a real YunoHost box:

• fresh install works with install dir under /var/www/mfa_sidecar
• services start and run correctly from the /var/www install path
• root-mounted protected targets work
• subpath-mounted protected targets work (for example /webmail)
• shared sidecar session behavior across multiple protected targets works
• disable / re-enable loops work
• break-glass behavior works

Repo-local smoke/regression tests are also included for the major failures found during real-box validation.

Notable design choices

Vendored pinned Authelia artifact

The package currently ships a pinned Authelia release artifact and verifies it with sha256.

This is deliberate: MFA Sidecar sits on the login path for protected apps, so reproducible install/upgrade behavior matters more here than generic preference for live upstream fetches. The packaged artifact is the same one exercised in real-box validation.

Loopback-bound admin UI

The admin UI binds to localhost and relies on the YunoHost/nginx fronting layer for operator access. This trust boundary is documented explicitly in the package docs.

Docs and screenshots

Representative admin UI screenshots are included in the package repo under doc/screenshots/.

Reviewer notes

Reviewer-facing notes are included in the package repo here:

• docs/SUBMISSION-NOTES.md
• docs/SECURITY-NOTES.md
• docs/LIVE-BOX-VERIFICATION.md

[oleole39]

Hello,

• the app is expected to be transferred to Yunohost-App organisation before being added to catalog. An admin will first have to invite you to the organization and then you can follow these steps: https://doc.yunohost.org/en/dev/packaging/misc/packaging_apps_git#yunohost-apps-organization
• the added_date property in the toml entry should not be included in this PR. It will automatically be added when the entry will effectively be merged.

[wonko6x9]

Hello,

* the app is expected to be transferred to Yunohost-App organisation before being added to catalog. An admin will first have to invite you to the organization and then you can follow these steps: https://doc.yunohost.org/en/dev/packaging/misc/packaging_apps_git#yunohost-apps-organization

* the `added_date` property in the toml entry should not be included in this PR. It will automatically be added when the entry will effectively be merged.

Thanks for the clarification. I’ve removed the added_date field from the PR.
As for the repository transfer, I understand the app is expected to be moved to the YunoHost-Apps organization before catalog inclusion. At this point I believe I’ve completed everything currently possible on my side, and I’m ready to follow the documented transfer process once an admin invites me to the organization.

[wonko6x9]

Hi — PR #3410 has been refreshed with recent updates and cleaned back down to the intended catalog entry + logo only. I believe the branch side is in good shape again. Could someone please review the current state, run/trigger the needed validation on your side, and let me know the next step for the YunoHost-Apps org transfer/invite process?

[wonko6x9]

!testme

[tituspijean]

Hello, your submission, its code, and its documentation will be (hopefully) reviewed during next contributors meeting next week. We will publish our feedback afterwards.

[tituspijean]

Thank you for this contribution. It is however massive to review. For such a first contribution, clearly implementing a feature that's on the YunoHost roadmap, you should have discussed with us beforehand.

Additionally, the doc folder is extremely verbose and does not follow our usual casual and to-the-point tone. The structure of the package does not follow example_ynh. The documentation, the code, and even this PR feel generated by a LLM and it makes them unreadable.

The complexity, massiveness of the code, and the use of AI makes this package unmaintainable.
Consequently, we will not accept it in the YunoHost catalog.
We can transfer the repository back to you with no issue.

If you still want to package apps, you are welcome. But there are human beings behind YunoHost: we need you to chat with us first and during the whole process, it's really very important for us.