feat: merge Authentik config export into health check command

- Consolidated --authentik and --authentik-config flags into a single --authentik flag that performs both health check and config export
- Added comprehensive configuration export to debug command showing brands, flows, stages, groups and applications
- Enhanced UpdateBrand API to return updated brand object for verification
- Removed redundant export_authentik.go file and moved functionality into debug.go
- Updated help text and examples to reflect simplifie

Author: CodeMonkeyCybersecurity

cmd/debug/hecate.go

@@ -8,12 +8,11 @@ import (
 )
 
 var (
-	hecateComponent       string
-	hecateAuthentikCheck  bool
-	hecateAuthentikConfig bool
-	hecateBionicGPTCheck  bool
-	hecatePath            string
-	hecateVerbose         bool
+	hecateComponent      string
+	hecateAuthentikCheck bool
+	hecateBionicGPTCheck bool
+	hecatePath           string
+	hecateVerbose        bool
 )
 
 var hecateCmd = &cobra.Command{
@@ -57,14 +56,6 @@ Authentik-specific diagnostics (--authentik flag):
   • Memory usage analysis
   • Backup status
 
-Authentik configuration export (--authentik-config flag):
-  • Brands configuration
-  • Flows (authentication, enrollment, recovery, etc.)
-  • Stages and stage bindings
-  • Groups and permissions
-  • Applications and providers
-  • Full observability of self-enrollment setup
-
 BionicGPT integration diagnostics (--bionicgpt flag):
   • Authentik → Caddy → BionicGPT triangle validation
   • Caddy forward_auth configuration check
@@ -79,17 +70,15 @@ BionicGPT integration diagnostics (--bionicgpt flag):
 
 Flags:
   --component <name>  Only check specific component (caddy|authentik|postgresql|redis|nginx|coturn)
-  --authentik         Run comprehensive Authentik pre-upgrade health check
-  --authentik-config  Export Authentik configuration (brands, flows, stages, groups, applications)
+  --authentik         Run comprehensive Authentik health check + configuration export
   --bionicgpt         Run BionicGPT integration diagnostics (Authentik-Caddy-BionicGPT)
   --path <path>       Path to Hecate installation (default: /opt/hecate)
   --verbose           Show detailed diagnostic output
 
 Examples:
   eos debug hecate                      # Full diagnostics + file display
   eos debug hecate --component authentik  # Only diagnose Authentik
-  eos debug hecate --authentik          # Full Authentik pre-upgrade check
-  eos debug hecate --authentik-config   # Export Authentik configuration
+  eos debug hecate --authentik          # Full Authentik health check + config export
   eos debug hecate --bionicgpt          # BionicGPT integration diagnostics
   eos debug hecate --path /custom/path  # Custom installation path
 
@@ -99,8 +88,7 @@ Output is automatically saved to ~/.eos/debug/eos-debug-hecate-{timestamp}.txt`,
 
 func init() {
 	hecateCmd.Flags().StringVar(&hecateComponent, "component", "", "Specific component to check")
-	hecateCmd.Flags().BoolVar(&hecateAuthentikCheck, "authentik", false, "Run comprehensive Authentik pre-upgrade check")
-	hecateCmd.Flags().BoolVar(&hecateAuthentikConfig, "authentik-config", false, "Export Authentik configuration (brands, flows, stages, groups, applications)")
+	hecateCmd.Flags().BoolVar(&hecateAuthentikCheck, "authentik", false, "Run comprehensive Authentik health check + configuration export")
 	hecateCmd.Flags().BoolVar(&hecateBionicGPTCheck, "bionicgpt", false, "Run BionicGPT integration diagnostics (Authentik-Caddy-BionicGPT triangle)")
 	hecateCmd.Flags().StringVar(&hecatePath, "path", "/opt/hecate", "Path to Hecate installation")
 	hecateCmd.Flags().BoolVar(&hecateVerbose, "verbose", false, "Show detailed diagnostic output")

pkg/authentik/brand.go

@@ -96,34 +96,47 @@ func (c *APIClient) GetBrand(ctx context.Context, pk string) (*BrandResponse, er
 	return &brand, nil
 }
 
-// UpdateBrand updates a brand's configuration
+// UpdateBrand updates a brand's configuration and returns the updated brand
 // Only non-empty fields in updates will be modified
-func (c *APIClient) UpdateBrand(ctx context.Context, pk string, updates map[string]interface{}) error {
+// Returns the updated brand object from API response for verification
+func (c *APIClient) UpdateBrand(ctx context.Context, pk string, updates map[string]interface{}) (*BrandResponse, error) {
 	jsonBody, err := json.Marshal(updates)
 	if err != nil {
-		return fmt.Errorf("failed to marshal update request: %w", err)
+		return nil, fmt.Errorf("failed to marshal update request: %w", err)
 	}
 
 	// P0 FIX: Correct API endpoint path
 	url := fmt.Sprintf("%s/api/v3/core/brands/%s/", c.BaseURL, pk)
 	req, err := http.NewRequestWithContext(ctx, http.MethodPatch, url, bytes.NewReader(jsonBody))
 	if err != nil {
-		return fmt.Errorf("failed to create request: %w", err)
+		return nil, fmt.Errorf("failed to create request: %w", err)
 	}
 
 	req.Header.Set("Authorization", "Bearer "+c.Token)
 	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json") // Request JSON response
 
 	resp, err := c.HTTPClient.Do(req)
 	if err != nil {
-		return fmt.Errorf("brand update request failed: %w", err)
+		return nil, fmt.Errorf("brand update request failed: %w", err)
 	}
 	defer func() { _ = resp.Body.Close() }()
 
+	// Read response body for both success and error cases
+	body, err := io.ReadAll(io.LimitReader(resp.Body, 8192))
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
 	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
-		return fmt.Errorf("brand update failed with status %d: %s", resp.StatusCode, string(body))
+		return nil, fmt.Errorf("brand update failed with status %d: %s", resp.StatusCode, string(body))
+	}
+
+	// Parse response body to get updated brand
+	var updatedBrand BrandResponse
+	if err := json.Unmarshal(body, &updatedBrand); err != nil {
+		return nil, fmt.Errorf("failed to parse brand update response: %w\nResponse body: %s", err, string(body))
 	}
 
-	return nil
+	return &updatedBrand, nil
 }

pkg/authentik/debug.go

@@ -115,6 +115,23 @@ func RunAuthentikDebug(rc *eos_io.RuntimeContext, config *DebugConfig) error {
 		zap.Int("failed", countFailed(allResults)),
 		zap.Int("warnings", countWarnings(allResults)))
 
+	// 14. Configuration Export - Show complete Authentik state
+	fmt.Println()
+	fmt.Println("=========================================")
+	fmt.Println("Authentik Configuration Export")
+	fmt.Println("=========================================")
+	fmt.Println()
+
+	if err := displayAuthentikConfiguration(rc, config.HecatePath); err != nil {
+		logger.Warn("Failed to export Authentik configuration",
+			zap.Error(err))
+		fmt.Printf("\n❌ Configuration export failed: %v\n", err)
+		fmt.Println("\nYou can manually check configuration in Authentik UI:")
+		fmt.Println("  • http://localhost:9000/if/admin/#/core/brands")
+		fmt.Println("  • http://localhost:9000/if/admin/#/flow/flows")
+		fmt.Println("  • http://localhost:9000/if/admin/#/identity/groups")
+	}
+
 	return nil
 }
 
@@ -1721,3 +1738,148 @@ func displayPreUpgradeSummary(results []AuthentikCheckResult) {
 	fmt.Println("  eos update hecate --authentik")
 	fmt.Println()
 }
+
+// displayAuthentikConfiguration exports and displays complete Authentik configuration
+// Integrated into debug command to provide full observability
+func displayAuthentikConfiguration(rc *eos_io.RuntimeContext, hecatePath string) error {
+	logger := otelzap.Ctx(rc.Ctx)
+
+	// Read .env file to get API token
+	envPath := filepath.Join(hecatePath, ".env")
+	logger.Debug("Reading Authentik API token from .env",
+		zap.String("env_path", envPath))
+
+	envFile, err := os.ReadFile(envPath)
+	if err != nil {
+		return fmt.Errorf("failed to read .env file: %w\nPath: %s", err, envPath)
+	}
+
+	// Parse AUTHENTIK_TOKEN from .env
+	var apiToken string
+	for _, line := range strings.Split(string(envFile), "\n") {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "AUTHENTIK_TOKEN=") {
+			apiToken = strings.TrimPrefix(line, "AUTHENTIK_TOKEN=")
+			apiToken = strings.Trim(apiToken, "\"'") // Remove quotes
+			break
+		}
+	}
+
+	if apiToken == "" {
+		return fmt.Errorf("AUTHENTIK_TOKEN not found in .env file\nPath: %s", envPath)
+	}
+
+	logger.Debug("✓ API token found in .env")
+
+	// Authentik URL (localhost:9000 for host access)
+	authentikURL := fmt.Sprintf("http://%s:%d", shared.GetInternalHostname(), shared.PortAuthentik)
+
+	// Create Authentik API client
+	authentikClient := NewClient(authentikURL, apiToken)
+
+	// Fetch and display brands
+	logger.Debug("Fetching brands configuration")
+	brands, err := authentikClient.ListBrands(rc.Ctx)
+	if err != nil {
+		return fmt.Errorf("failed to list brands: %w", err)
+	}
+
+	fmt.Printf("BRANDS (%d)\n", len(brands))
+	fmt.Println("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━")
+	for _, brand := range brands {
+		fmt.Printf("  • %s\n", brand.BrandingTitle)
+		fmt.Printf("    Domain: %s\n", brand.Domain)
+		fmt.Printf("    Brand UUID: %s\n", brand.PK)
+		if brand.FlowEnrollment != "" {
+			fmt.Printf("    Enrollment Flow: %s ✓\n", brand.FlowEnrollment)
+		} else {
+			fmt.Printf("    Enrollment Flow: Not configured\n")
+		}
+		fmt.Println()
+	}
+
+	// Fetch and display flows
+	logger.Debug("Fetching flows configuration")
+	flows, err := authentikClient.ListFlows(rc.Ctx, "") // All designations
+	if err != nil {
+		return fmt.Errorf("failed to list flows: %w", err)
+	}
+
+	fmt.Printf("\nFLOWS (%d)\n", len(flows))
+	fmt.Println("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━")
+
+	// Group flows by designation
+	flowsByDesignation := make(map[string][]FlowResponse)
+	for _, flow := range flows {
+		flowsByDesignation[flow.Designation] = append(flowsByDesignation[flow.Designation], flow)
+	}
+
+	for designation, flows := range flowsByDesignation {
+		fmt.Printf("\n  %s FLOWS:\n", strings.ToUpper(designation))
+		for _, flow := range flows {
+			fmt.Printf("    • %s (%s)\n", flow.Title, flow.Slug)
+			fmt.Printf("      Flow PK: %s\n", flow.PK)
+
+			// Show stages for this flow
+			bindings, err := authentikClient.GetFlowStages(rc.Ctx, flow.PK)
+			if err != nil {
+				logger.Debug("Failed to fetch stages for flow",
+					zap.String("flow_slug", flow.Slug),
+					zap.Error(err))
+			} else {
+				fmt.Printf("      Stages: %d\n", len(bindings))
+			}
+		}
+	}
+
+	// Fetch and display groups
+	logger.Debug("Fetching groups configuration")
+	groups, err := authentikClient.ListGroups(rc.Ctx, "") // All groups
+	if err != nil {
+		return fmt.Errorf("failed to list groups: %w", err)
+	}
+
+	fmt.Printf("\n\nGROUPS (%d)\n", len(groups))
+	fmt.Println("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━")
+	for _, group := range groups {
+		fmt.Printf("  • %s\n", group.Name)
+		if group.IsSuperuser {
+			fmt.Println("    Role: Superuser")
+		} else {
+			fmt.Println("    Role: Standard user")
+		}
+		if attrs, ok := group.Attributes["eos_managed"].(bool); ok && attrs {
+			fmt.Println("    Managed by: Eos ✓")
+		}
+		fmt.Println()
+	}
+
+	// Fetch and display applications
+	logger.Debug("Fetching applications configuration")
+	applications, err := authentikClient.ListApplications(rc.Ctx)
+	if err != nil {
+		return fmt.Errorf("failed to list applications: %w", err)
+	}
+
+	fmt.Printf("APPLICATIONS (%d)\n", len(applications))
+	fmt.Println("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━")
+	for _, app := range applications {
+		fmt.Printf("  • %s (%s)\n", app.Name, app.Slug)
+		if app.Provider != 0 {
+			fmt.Printf("    Provider PK: %d", app.Provider)
+			if app.ProviderObj.Name != "" {
+				fmt.Printf(" (%s)", app.ProviderObj.Name)
+			}
+			fmt.Println()
+		}
+		if app.MetaLaunchURL != "" {
+			fmt.Printf("    Launch URL: %s\n", app.MetaLaunchURL)
+		}
+		fmt.Println()
+	}
+
+	fmt.Println("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━")
+
+	logger.Debug("✓ Authentik configuration export complete")
+	return nil
+}

pkg/hecate/debug.go

@@ -55,7 +55,6 @@ func RunHecateDebug(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string
 	// Get flags
 	component, _ := cmd.Flags().GetString("component")
 	authentikCheck, _ := cmd.Flags().GetBool("authentik")
-	authentikConfig, _ := cmd.Flags().GetBool("authentik-config")
 	bionicgptCheck, _ := cmd.Flags().GetBool("bionicgpt")
 	hecatePath, _ := cmd.Flags().GetString("path")
 	verbose, _ := cmd.Flags().GetBool("verbose")
@@ -64,7 +63,6 @@ func RunHecateDebug(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string
 		zap.String("component_filter", component),
 		zap.String("path", hecatePath),
 		zap.Bool("authentik_check", authentikCheck),
-		zap.Bool("authentik_config", authentikConfig),
 		zap.Bool("bionicgpt_check", bionicgptCheck))
 
 	// If --bionicgpt flag is set, run BionicGPT integration diagnostics
@@ -76,12 +74,8 @@ func RunHecateDebug(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string
 		return RunBionicGPTIntegrationDebug(rc, config)
 	}
 
-	// If --authentik-config flag is set, export Authentik configuration
-	if authentikConfig {
-		return runAuthentikConfigExport(rc, hecatePath)
-	}
-
 	// If --authentik flag is set, run comprehensive Authentik check
+	// Now includes configuration export integrated into the command
 	// Delegate to pkg/authentik for business logic
 	if authentikCheck {
 		config := &authentik.DebugConfig{
@@ -842,60 +836,3 @@ func displayContainerStatus(rc *eos_io.RuntimeContext, hecatePath string) []Heca
 
 // runAuthentikConfigExport exports Authentik configuration for observability
 // P0 OBSERVABILITY: Shows users what self-enrollment has configured
-func runAuthentikConfigExport(rc *eos_io.RuntimeContext, hecatePath string) error {
-	logger := otelzap.Ctx(rc.Ctx)
-
-	logger.Info("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━")
-	logger.Info("Authentik Configuration Export")
-	logger.Info("━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━")
-
-	// Read .env file to get API token
-	envPath := filepath.Join(hecatePath, ".env")
-	logger.Info("Reading Authentik API token from .env",
-		zap.String("env_path", envPath))
-
-	envFile, err := os.ReadFile(envPath)
-	if err != nil {
-		return fmt.Errorf("failed to read .env file: %w\nPath: %s\nEnsure Hecate is installed: eos create hecate", err, envPath)
-	}
-
-	// Parse AUTHENTIK_TOKEN from .env
-	var apiToken string
-	for _, line := range strings.Split(string(envFile), "\n") {
-		line = strings.TrimSpace(line)
-		if strings.HasPrefix(line, "AUTHENTIK_TOKEN=") {
-			apiToken = strings.TrimPrefix(line, "AUTHENTIK_TOKEN=")
-			apiToken = strings.Trim(apiToken, "\"'") // Remove quotes
-			break
-		}
-	}
-
-	if apiToken == "" {
-		return fmt.Errorf("AUTHENTIK_TOKEN not found in .env file\nPath: %s\nEnsure self-enrollment is enabled: eos update hecate --enable self-enrollment", envPath)
-	}
-
-	logger.Info("✓ API token found in .env")
-
-	// Authentik URL (localhost:9000 for host access)
-	authentikURL := fmt.Sprintf("http://%s:%d", AuthentikHost, AuthentikPort)
-
-	// Export configuration
-	report, err := ExportAuthentikConfig(rc, authentikURL, apiToken)
-	if err != nil {
-		return fmt.Errorf("failed to export Authentik configuration: %w", err)
-	}
-
-	// Format and display report
-	formattedReport := FormatAuthentikReport(report)
-	fmt.Print(formattedReport)
-
-	logger.Info("✓ Authentik configuration export complete")
-	logger.Info("")
-	logger.Info("NEXT STEPS:")
-	logger.Info("  • Review brands configuration to verify enrollment flow is set")
-	logger.Info("  • Check groups to see self-enrolled user permissions")
-	logger.Info("  • Verify flows contain expected stages")
-	logger.Info("  • Configure application policies for group access")
-
-	return nil
-}