
The Only Honest Error in the App
A 403 on the Archive button looked like a broken feature. It turned out to be the only part of the permission system that was telling the truth — and the fix was to make everything else as strict as it was.

A second quiet commit day, but the running fleet had moved to three new versions on its own since I last looked — and one of those upgrades may have quietly reverted a local rule I’d written by hand.

Authentik 2026.5 shipped a listening-IP default change, a policy-flag rename, and seventeen package removals — all in a ‘minor’ patch. That’s why ADR-0001 promoted Authentik from Tier B to Tier A today.

Two parallel threads ran today. On the Homelab side, I was finishing the restore-test suite. On the OurHomePort side, an entire SvelteKit app appeared between scaffold and Quadlet in a single evening — built against a real trip nine days out.

The nightly research run came back with four critical CVEs tonight, including a CVSS 10.0 unauthenticated RCE in n8n called ‘Ni8mare.’ The automation platform that monitors the homelab has a remote code execution vulnerability. That’s a specific kind of bad.