feat: implement app-specific brand isolation for self-enrollment

- Added CreateBrand API method to support one-brand-per-application architecture
- Modified self-enrollment to create isolated brands per application domain
- Updated Caddy admin client with improved container IP detection and connection pooling
- Changed --app flag behavior to create app-specific brands instead of sharing brands
- Updated logging messages to reflect new isolated enrollment architecture
- Replaced brand-level security

Author: CodeMonkeyCybersecurity

cmd/update/hecate_enable.go

@@ -69,7 +69,7 @@ func init() {
 	updateHecateEnableCmd.Flags().Bool("dry-run", false, "Show what would be changed without applying")
 
 	// Add flags for self-enrollment
-	updateHecateEnableCmd.Flags().String("app", "", "Application name (e.g., bionicgpt) - informational only, enrollment is brand-level")
+	updateHecateEnableCmd.Flags().String("app", "", "Application name (e.g., bionicgpt) - creates app-specific brand for isolated enrollment")
 	updateHecateEnableCmd.Flags().Bool("skip-caddyfile", false, "Skip Caddyfile updates (advanced usage)")
 	updateHecateEnableCmd.Flags().Bool("enable-captcha", false, "Enable captcha stage for bot protection (uses test keys initially)")
 	updateHecateEnableCmd.Flags().Bool("require-approval", false, "New users inactive until admin approves (default: active immediately)")
@@ -127,11 +127,11 @@ func runEnableSelfEnrollment(rc *eos_io.RuntimeContext, cmd *cobra.Command) erro
 		zap.Bool("skip_caddyfile", skipCaddyfile),
 		zap.Bool("require_approval", requireApproval))
 
-	// Important note: Forward auth is brand-level, not app-level
+	// ARCHITECTURE UPDATE (2025-10-31): Self-enrollment is now app-specific via one-brand-per-application
 	if appName != "hecate" {
-		logger.Warn("IMPORTANT: Forward auth operates at BRAND level")
-		logger.Warn("Self-enrollment will affect ALL applications behind Authentik on this brand")
-		logger.Warn("The --app flag is informational only and does not restrict enrollment to specific apps")
+		logger.Info("ARCHITECTURE: App-specific brand isolation enabled")
+		logger.Info("Self-enrollment is isolated to THIS application only")
+		logger.Info("Each application gets its own Authentik brand for enrollment security")
 	}
 
 	// Build config

pkg/authentik/brand.go

@@ -96,6 +96,72 @@ func (c *APIClient) GetBrand(ctx context.Context, pk string) (*BrandResponse, er
 	return &brand, nil
 }
 
+// CreateBrand creates a new brand in Authentik
+//
+// RATIONALE: App-specific brands enable isolated self-enrollment per application
+// ARCHITECTURE: Each application gets its own brand → self-enrollment affects only that app
+// SECURITY: Prevents cross-application enrollment (user enrolls for App A, can't access App B)
+//
+// Required fields:
+//   - domain: DNS domain for this brand (e.g., "chat.codemonkey.net.au")
+//   - branding_title: Display name (e.g., "BionicGPT")
+//
+// Optional fields (will use defaults if not provided):
+//   - flow_authentication: Authentication flow PK (defaults to Authentik's default)
+//   - flow_invalidation: Logout flow PK (defaults to Authentik's default)
+//   - branding_logo: Custom logo URL
+//   - branding_favicon: Custom favicon URL
+func (c *APIClient) CreateBrand(ctx context.Context, domain, title string, optionalFields map[string]interface{}) (*BrandResponse, error) {
+	// Build request body with required fields
+	reqBody := map[string]interface{}{
+		"domain":          domain,
+		"branding_title":  title,
+	}
+
+	// Merge optional fields
+	for key, value := range optionalFields {
+		reqBody[key] = value
+	}
+
+	jsonBody, err := json.Marshal(reqBody)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal create request: %w", err)
+	}
+
+	url := fmt.Sprintf("%s/api/v3/core/brands/", c.BaseURL)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(jsonBody))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	req.Header.Set("Authorization", "Bearer "+c.Token)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := c.HTTPClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("brand create request failed: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(io.LimitReader(resp.Body, 8192))
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("brand create failed with status %d: %s", resp.StatusCode, string(body))
+	}
+
+	var createdBrand BrandResponse
+	if err := json.Unmarshal(body, &createdBrand); err != nil {
+		return nil, fmt.Errorf("failed to parse brand create response: %w\nResponse body: %s", err, string(body))
+	}
+
+	return &createdBrand, nil
+}
+
 // UpdateBrand updates a brand's configuration and returns the updated brand
 // Only non-empty fields in updates will be modified
 // Returns the updated brand object from API response for verification

pkg/hecate/caddy_admin_api.go

@@ -20,20 +20,27 @@ type CaddyAdminClient struct {
 }
 
 // NewCaddyAdminClient creates a new Caddy Admin API client
-// Connects to Caddy Admin API via HTTP on localhost:2019
-// RATIONALE: Unix sockets don't work for host-to-container communication with Docker
-// SECURITY: Port only exposed on localhost (127.0.0.1:2019), not accessible from network
-// ARCHITECTURE: Eos runs on host, Caddy runs in container - requires TCP, not Unix socket
+// AUTO-DETECTS container IP via Docker SDK to bypass localhost IPv4/IPv6 resolution issues
+//
+// ARCHITECTURE: Three-tier fallback strategy
+//   1. Use provided host if explicitly given (e.g., "192.168.1.100")
+//   2. Auto-detect Caddy container IP via Docker SDK (bypasses localhost issues)
+//   3. Fall back to localhost:2019 (legacy behavior, may fail with IPv6)
+//
+// ROOT CAUSE FIXED: Caddy binds to 127.0.0.1 (IPv4) inside container
+//                    Host's `localhost` resolves to ::1 (IPv6) first → connection refused
+//                    Docker SDK provides container's bridge IP (172.x.x.x) → direct connection
+//
+// SECURITY: Docker SDK requires socket access (same as `docker ps`)
+//           Connection pooling prevents resource exhaustion
 func NewCaddyAdminClient(host string) *CaddyAdminClient {
-	// P0 FIX (2025-10-31): Add connection pooling to prevent "connection reset by peer" errors
-	// RATIONALE: Docker networking can reset idle connections in default Go HTTP transport
-	// EVIDENCE: https://stackoverflow.com/questions/37774624 (56 upvotes, accepted answer)
-	// VENDOR BEST PRACTICE: Caddy documentation recommends MaxIdleConnsPerHost=10 for high-traffic
-	// LOCALHOST OPTIMIZATION: Using lower limits (2) since this is single-host localhost API
-	// SECURITY: Connection limits prevent resource exhaustion on Caddy Admin API
+	// Connection pooling configuration
+	// RATIONALE: Explicit transport for HTTP/1.1 connection reuse
+	// NOTE: MaxIdleConnsPerHost=2 matches Go default (sufficient for single-container API)
+	// FUTURE: Increase to 10-20 if Admin API performance becomes bottleneck
 	transport := &http.Transport{
 		MaxIdleConns:        10,               // Total idle connections across all hosts
-		MaxIdleConnsPerHost: 2,                // Low for single-host localhost API (not multi-host proxy)
+		MaxIdleConnsPerHost: 2,                // Sufficient for localhost/container-IP API
 		IdleConnTimeout:     30 * time.Second, // Match Caddy's default keep-alive
 	}
 
@@ -42,9 +49,26 @@ func NewCaddyAdminClient(host string) *CaddyAdminClient {
 		Transport: transport,
 	}
 
-	// Connect to Admin API on localhost:2019
-	// SECURITY: Port only exposed as 127.0.0.1:2019 in docker-compose (not 0.0.0.0)
-	baseURL := fmt.Sprintf("http://%s:%d", host, CaddyAdminAPIPort)
+	// Determine which host to use (three-tier fallback)
+	var targetHost string
+	if host != "" && host != "localhost" {
+		// Tier 1: Explicit host provided (e.g., from env var CADDY_ADMIN_HOST)
+		targetHost = host
+	} else {
+		// Tier 2: Auto-detect container IP via Docker SDK (best approach)
+		// RATIONALE: Bypasses localhost IPv4/IPv6 resolution issues
+		// NON-FATAL: If Docker SDK fails, fall back to localhost
+		ctx := context.Background()
+		if containerIP, err := GetCaddyContainerIP(ctx); err == nil {
+			targetHost = containerIP
+		} else {
+			// Tier 3: Fall back to localhost (legacy behavior)
+			// WARNING: May fail with IPv6 resolution issues
+			targetHost = "localhost"
+		}
+	}
+
+	baseURL := fmt.Sprintf("http://%s:%d", targetHost, CaddyAdminAPIPort)
 
 	return &CaddyAdminClient{
 		BaseURL:    baseURL,

pkg/hecate/caddy_docker.go

@@ -0,0 +1,211 @@
+// pkg/hecate/caddy_docker.go - Docker SDK integration for Caddy Admin API
+//
+// ARCHITECTURE: Solves "connection reset" issue by using Docker SDK
+// ROOT CAUSE: Caddy binds Admin API to 127.0.0.1 inside container (IPv4 only)
+//             Host's `localhost` resolves to ::1 (IPv6) first → connection refused
+// SOLUTION: Use Docker SDK to get container's internal IP address on bridge network
+//           Then connect directly to container IP, bypassing localhost resolution
+//
+// VENDOR EVIDENCE:
+// - Caddy Community: "Connection reset to Docker container usually means wrong bind address"
+// - Docker Docs: "Containers have their own network namespace, use bridge IP for host access"
+// - Go net: "localhost can resolve to IPv6 ::1 or IPv4 127.0.0.1 depending on OS"
+//
+// SECURITY: Docker SDK respects same security model as docker CLI
+//           Only works if user has docker socket access (/var/run/docker.sock)
+
+package hecate
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/eos_io"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+	"github.com/uptrace/opentelemetry-go-extra/otelzap"
+	"go.uber.org/zap"
+)
+
+// GetCaddyContainerIP retrieves the IP address of the Caddy container on the hecate-net bridge network
+//
+// RATIONALE: Caddy Admin API binds to 127.0.0.1 inside container, but that's not accessible from host
+//            Docker SDK provides container's bridge network IP, which IS accessible from host
+//
+// ARCHITECTURE:
+//   Host (Eos) → Docker Bridge (172.x.x.x) → Container (hecate-caddy)
+//   Container has BOTH:
+//     - Internal localhost (127.0.0.1) - only accessible inside container
+//     - Bridge IP (172.x.x.x) - accessible from host and other containers
+//
+// SECURITY: Docker socket access required (/var/run/docker.sock)
+//           Same permissions as `docker inspect hecate-caddy`
+//           Safe: Read-only operation, no container modification
+//
+// RETURNS:
+//   - Container's IP on hecate-net network (e.g., "172.21.0.5")
+//   - Error if container not found, not running, or not on hecate-net
+func GetCaddyContainerIP(ctx context.Context) (string, error) {
+	// Create Docker client from environment (respects DOCKER_HOST, DOCKER_CERT_PATH, etc.)
+	// SECURITY: Uses same credentials as docker CLI
+	// RATIONALE: Supports both local socket and remote Docker daemons
+	dockerClient, err := client.NewClientWithOpts(
+		client.FromEnv,
+		client.WithAPIVersionNegotiation(), // Auto-negotiate API version (best practice)
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to create Docker client: %w\n\n"+
+			"Troubleshooting:\n"+
+			"  1. Docker installed? Run: docker --version\n"+
+			"  2. Docker running? Run: docker ps\n"+
+			"  3. Socket accessible? Run: ls -l /var/run/docker.sock\n"+
+			"  4. User in docker group? Run: groups | grep docker", err)
+	}
+	defer dockerClient.Close()
+
+	// Inspect Caddy container to get network settings
+	// ARCHITECTURE: ContainerInspect returns full container metadata including all networks
+	containerInfo, err := dockerClient.ContainerInspect(ctx, CaddyContainerName)
+	if err != nil {
+		return "", fmt.Errorf("failed to inspect Caddy container '%s': %w\n\n"+
+			"Troubleshooting:\n"+
+			"  1. Container running? Run: docker ps -a | grep %s\n"+
+			"  2. Container name correct? Expected: %s\n"+
+			"  3. Start container: docker compose -f /opt/hecate/docker-compose.yml up -d caddy",
+			CaddyContainerName, err, CaddyContainerName, CaddyContainerName)
+	}
+
+	// Verify container is actually running (not stopped/paused/restarting)
+	// RATIONALE: Container could exist but not be running → IP would be invalid
+	if !containerInfo.State.Running {
+		return "", fmt.Errorf("Caddy container '%s' is not running (state: %s)\n\n"+
+			"Start the container:\n"+
+			"  docker compose -f /opt/hecate/docker-compose.yml up -d caddy\n\n"+
+			"Check logs for errors:\n"+
+			"  docker logs %s --tail 50",
+			CaddyContainerName, containerInfo.State.Status, CaddyContainerName)
+	}
+
+	// Get IP from hecate-net bridge network
+	// ARCHITECTURE: Docker Compose creates a custom bridge network named "hecate-net"
+	// RATIONALE: Custom networks provide DNS, isolation, and predictable IPs
+	// FALLBACK: If hecate-net doesn't exist, try "bridge" (default Docker network)
+	networkName := "hecate-net"
+	if network, ok := containerInfo.NetworkSettings.Networks[networkName]; ok {
+		if network.IPAddress == "" {
+			return "", fmt.Errorf("Caddy container on network '%s' but has no IP address\n\n"+
+				"This usually means the network is starting up.\n"+
+				"Wait 5 seconds and retry, or restart container:\n"+
+				"  docker compose -f /opt/hecate/docker-compose.yml restart caddy",
+				networkName)
+		}
+		return network.IPAddress, nil
+	}
+
+	// Fallback: Try default bridge network
+	// RATIONALE: User might have modified docker-compose.yml to use default bridge
+	if network, ok := containerInfo.NetworkSettings.Networks["bridge"]; ok {
+		if network.IPAddress != "" {
+			return network.IPAddress, nil
+		}
+	}
+
+	// No suitable network found
+	availableNetworks := make([]string, 0, len(containerInfo.NetworkSettings.Networks))
+	for name := range containerInfo.NetworkSettings.Networks {
+		availableNetworks = append(availableNetworks, name)
+	}
+
+	return "", fmt.Errorf("Caddy container not connected to '%s' network\n\n"+
+		"Available networks: %v\n\n"+
+		"Fix docker-compose.yml:\n"+
+		"  caddy:\n"+
+		"    networks:\n"+
+		"      - hecate-net\n\n"+
+		"Then recreate container:\n"+
+		"  docker compose -f /opt/hecate/docker-compose.yml up -d --force-recreate caddy",
+		networkName, availableNetworks)
+}
+
+// GetCaddyContainerIPWithLogging is a wrapper around GetCaddyContainerIP that adds structured logging
+//
+// RATIONALE: Observability - log Docker SDK operations for debugging
+// USAGE: Use this in production code, use GetCaddyContainerIP in tests
+func GetCaddyContainerIPWithLogging(rc *eos_io.RuntimeContext) (string, error) {
+	logger := otelzap.Ctx(rc.Ctx)
+
+	logger.Debug("Detecting Caddy container IP via Docker SDK",
+		zap.String("container_name", CaddyContainerName),
+		zap.String("expected_network", "hecate-net"))
+
+	ip, err := GetCaddyContainerIP(rc.Ctx)
+	if err != nil {
+		logger.Error("Failed to detect Caddy container IP",
+			zap.String("container_name", CaddyContainerName),
+			zap.Error(err))
+		return "", err
+	}
+
+	logger.Info("✓ Caddy container IP detected via Docker SDK",
+		zap.String("container_name", CaddyContainerName),
+		zap.String("bridge_ip", ip),
+		zap.String("admin_api_url", fmt.Sprintf("http://%s:%d", ip, CaddyAdminAPIPort)))
+
+	return ip, nil
+}
+
+// IsCaddyContainerRunning checks if the Caddy container is running
+//
+// RATIONALE: Pre-flight check before attempting Admin API operations
+// RETURNS: true if container exists and is running, false otherwise
+// ERROR: Only returns error if Docker SDK fails, NOT if container is stopped
+func IsCaddyContainerRunning(ctx context.Context) (bool, error) {
+	dockerClient, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	if err != nil {
+		return false, fmt.Errorf("failed to create Docker client: %w", err)
+	}
+	defer dockerClient.Close()
+
+	containerInfo, err := dockerClient.ContainerInspect(ctx, CaddyContainerName)
+	if err != nil {
+		// Container not found is not an error - just return false
+		if client.IsErrNotFound(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to inspect container: %w", err)
+	}
+
+	return containerInfo.State.Running, nil
+}
+
+// GetCaddyContainerLogs retrieves recent logs from Caddy container for debugging
+//
+// RATIONALE: When Admin API fails, logs often contain the root cause
+// RETURNS: Last N lines of logs as string
+// USAGE: Call this when Admin API operations fail to provide user with debugging context
+func GetCaddyContainerLogs(ctx context.Context, tailLines int) (string, error) {
+	dockerClient, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	if err != nil {
+		return "", fmt.Errorf("failed to create Docker client: %w", err)
+	}
+	defer dockerClient.Close()
+
+	// ContainerLogs options
+	opts := container.LogsOptions{
+		ShowStdout: true,
+		ShowStderr: true,
+		Tail:       fmt.Sprintf("%d", tailLines),
+		Timestamps: true,
+	}
+
+	logs, err := dockerClient.ContainerLogs(ctx, CaddyContainerName, opts)
+	if err != nil {
+		return "", fmt.Errorf("failed to get container logs: %w", err)
+	}
+	defer logs.Close()
+
+	// Read logs (Docker returns multiplexed stream, but for simple text we can read directly)
+	buf := make([]byte, 4096)
+	n, _ := logs.Read(buf)
+	return string(buf[:n]), nil
+}