Meridian — an identity platform built as seven interlocking projects
A standards-aligned IAM stack — the kind a mid-size company would run to centralize authentication, sessions, federation, and access control. Each project is a standalone, reviewable codebase with its own signature architectural challenge: not seven CRUD apps with login screens, but seven distinct problem shapes.
Architecture
The projects
-
keysmith
Cryptographic key lifecycle as a service — zero-downtime rotation, envelope encryption, and a hardened minimal JOSE layer.
Challenge: Rotating signing keys without ever breaking a verifier, with the safety invariants proven at construction time instead of hoped for at 3am.
Gostdlib cryptoJOSEAES-GCM demo: deploy pending -
idp
A multi-tenant OAuth 2.0 / OpenID Connect authorization server built to survive a standards reviewer.
Challenge: Protocol correctness at scale — eight RFCs implemented exactly, with the concurrency-sensitive security properties proven by single-statement database atomicity.
-
sessiond
Server-side sessions as a service — opaque tokens in Redis, cross-node revocation with a provable staleness bound.
Challenge: Distributed state — making revocation propagate to every node while keeping the hot validate path cheap, with a cache-consistency argument you can state in one sentence.
GoRedisLuaminiredis demo: deploy pending -
sentinel
Adaptive security decisions — distributed rate limiting, lockout, risk scoring, and a tamper-evident audit chain verified in two languages.
Challenge: High-throughput stream decisions with a compliance-grade paper trail — every answer explainable, every event in a hash chain a stdlib-Python auditor can verify without Go.
GoPythonhash chainsliding window demo: deploy pending -
bridge
An SSO federation gateway — the RP side of OIDC implemented from scratch against live, occasionally-broken upstreams.
Challenge: External-dependency resilience — correct discovery, state, nonce, PKCE, and ID-token verification against providers you don't operate, including the Entra tenanted-issuer sharp edge.
-
portal
The self-service identity portal — password reset, email change, TOTP MFA, and session management over a Postgres job queue.
Challenge: Async workflow security — the account-lifecycle flows that rarely get engineering care, enumeration-safe and driven by FOR UPDATE SKIP LOCKED.
-
console
An RBAC control plane that never answers with a bare yes/no — every decision carries a full evaluation trace.
Challenge: Authorization modeling — scoped roles with explicit denies, explainability as the product, and an API dog-fooded through its own engine.
Live demos are pending an AWS account. Everything is built deploy-ready (each service runs
locally with make run-dev / npm run dev); demo links activate when credentials
arrive. Until then, each card links to the code, README, and threat model — the parts a reviewer actually
reads first.