The engineering guide
Ten chapters on how Meridian was actually built — the design decisions, the sharp edges, and the bugs. Written for engineers: every chapter cites the real ADRs and shows real code from the repo.
- Why build an identity platform
The scope, the decomposition into interlocking projects, and what makes each one architecturally distinct. - Keys before tokens
keysmith — four-state rotation with construction-time invariants, envelope encryption, and why the JOSE layer is hand-built. - The authorization server
idp — the RFC map, refresh-family reuse detection, single-statement atomicity, and the html/template escaping bug. - Sessions at scale
sessiond — why browser sessions are opaque tokens, Lua-script atomicity, and pub/sub invalidation with a provable staleness bound. - Adaptive defense
sentinel — sliding-window limits, lockout that can't be weaponized, a deterministic risk pipeline, and a hash-chained audit log verified from two languages. - Federating identity
bridge — the sharp edges of RP-side OIDC, why you never match accounts by email, and circuit breakers for IdPs you don't operate. - The human side
portal — enumeration-safe recovery flows, TOTP from the RFC up, and Postgres as a job queue. - Authorization you can explain
console — RBAC with decision traces as the contract, deny-overrides precedence, and an API dog-fooded through its own engine. - Running it
The deployed stack — ECS Fargate, RDS, ElastiCache, CloudWatch on a real AWS account — CI security gates, and what is honestly still pending. - Lessons learned
An honest synthesis — the bugs that taught something, what building this way was like, and what would be different next time.