Initial scaffold with test plan

Skeleton for activeadmin-oidc: gemspec, Gemfile, Rakefile, lib/ entry
point, version, MIT license, README. Full TDD/BDD test plan locked in
docs/TEST_PLAN.md before any implementation code is written.

The gem will depend on omniauth_openid_connect for the OIDC protocol
layer and add ActiveAdmin-specific wiring: JIT user provisioning, role
mapping, email-migration fallback, Zitadel preset, login view override,
and an install generator.

Author: Fivell

.gitignore

@@ -0,0 +1,18 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/tmp/
+*.gem
+.DS_Store
+.rspec_status
+/Gemfile.lock
+/spec/dummy/log/
+/spec/dummy/tmp/
+/spec/dummy/db/*.sqlite3
+/spec/dummy/db/*.sqlite3-journal
+/spec/dummy/storage/

.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--format documentation
+--color

.ruby-version

@@ -0,0 +1 @@
+3.3.10

Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec

LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Igor Fedoronchuk
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,32 @@
+# activeadmin-oidc
+
+> Status: pre-alpha — test plan only. No implementation yet.
+
+OpenID Connect single sign-on for [ActiveAdmin](https://activeadmin.info/), with a first-class [Zitadel](https://zitadel.com/) preset.
+
+This gem plugs generic OIDC SSO into ActiveAdmin's existing Devise stack. It builds on [`omniauth_openid_connect`](https://github.com/omniauth/omniauth_openid_connect) for the OIDC protocol and adds the wiring ActiveAdmin apps actually need: JIT user provisioning, role mapping from provider claims, a Zitadel preset for the nested `urn:zitadel:iam:org:project:roles` claim, a login-view override, and a single install generator.
+
+## Why not just follow the ActiveAdmin wiki?
+
+The [ActiveAdmin OAuth wiki recipe](https://github.com/activeadmin/activeadmin/wiki/Log-in-through-OAuth-providers) is a 200-line copy-paste that only covers Google and doesn't handle role mapping, account linking, or Zitadel's claim shape. This gem packages the wiring once so you can `rails g activeadmin_oidc:install` and be done.
+
+## What this gem does NOT reimplement
+
+The OIDC protocol layer — discovery, JWKS, token verification, PKCE, nonce, state — is delegated to the maintained upstream [`omniauth_openid_connect`](https://github.com/omniauth/omniauth_openid_connect) gem. This gem is a convention-over-configuration wrapper, not a new OIDC client.
+
+## Status and roadmap
+
+Design and test plan are locked. See [`docs/TEST_PLAN.md`](docs/TEST_PLAN.md) for the full TDD/BDD roadmap. Implementation follows red-green-refactor in this order:
+
+1. `Configuration`
+2. `Discovery` wrapper over omniauth_openid_connect discovery
+3. `RoleResolver`
+4. `UserProvisioner`
+5. `Presets::Zitadel`
+6. Rails engine, routes, `SessionsController`
+7. Install generator
+8. Security hardening pass
+
+## License
+
+MIT — see [`LICENSE.txt`](LICENSE.txt).

Rakefile

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+
+begin
+  require "rspec/core/rake_task"
+  RSpec::Core::RakeTask.new(:spec)
+  task default: :spec
+rescue LoadError
+  # rspec not available
+end

activeadmin-oidc.gemspec

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require_relative "lib/activeadmin/oidc/version"
+
+Gem::Specification.new do |spec|
+  spec.name        = "activeadmin-oidc"
+  spec.version     = ActiveAdmin::Oidc::VERSION
+  spec.authors     = ["Igor Fedoronchuk"]
+  spec.summary     = "OpenID Connect SSO for ActiveAdmin with a Zitadel preset"
+  spec.description = <<~DESC
+    activeadmin-oidc plugs generic OpenID Connect single sign-on into ActiveAdmin.
+    It builds on Devise + omniauth_openid_connect and adds JIT user provisioning,
+    role mapping from provider claims, a Zitadel preset, and a single install
+    generator that wires everything up.
+  DESC
+  spec.license  = "MIT"
+  spec.homepage = "https://github.com/fedoronchuk/activeadmin-oidc"
+
+  spec.required_ruby_version = ">= 3.3.0"
+
+  spec.files = Dir[
+    "lib/**/*",
+    "app/**/*",
+    "config/**/*",
+    "docs/**/*",
+    "README.md",
+    "LICENSE.txt"
+  ]
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "activeadmin",            ">= 3.0"
+  spec.add_dependency "devise",                 ">= 4.9"
+  spec.add_dependency "omniauth",               ">= 2.1"
+  spec.add_dependency "omniauth-rails_csrf_protection", ">= 1.0"
+  spec.add_dependency "omniauth_openid_connect", ">= 0.7"
+  spec.add_dependency "rails",                  ">= 7.2"
+
+  spec.add_development_dependency "rspec-rails",  ">= 6.0"
+  spec.add_development_dependency "webmock",      ">= 3.19"
+  spec.add_development_dependency "jwt",          ">= 2.7"
+  spec.add_development_dependency "sqlite3",      ">= 1.7"
+  spec.add_development_dependency "rake",         ">= 13.0"
+  spec.add_development_dependency "rubocop",      ">= 1.60"
+  spec.add_development_dependency "rubocop-rails", ">= 2.20"
+  spec.add_development_dependency "rubocop-rspec", ">= 2.25"
+
+  spec.metadata["rubygems_mfa_required"] = "true"
+end