Project Status

MFA Sidecar is an active open-source project for bringing a browser-first MFA perimeter to selected YunoHost apps and paths.

Current release status

Current package line: 0.4.0~ynh1

This release reflects real-box validation, not just repository tests.

What has been validated

On a real YunoHost box, MFA Sidecar has been validated for:

fresh install to the current /var/www/mfa_sidecar install path
healthy startup of the sidecar admin service and Authelia service
root-mounted protected targets
subpath protected targets such as /webmail
shared sidecar session behavior across protected apps
disable / re-enable behavior
break-glass style recovery behavior

Hard-won fixes already incorporated

Recent work included fixes for:

missing nginx bridge includes for protected auth endpoints
subpath matching issues such as /webmail vs /webmail/
half-rollback behavior when disabling protection
package removal cleanup
install-dir migration to align with YunoHost expectations
excessive nginx reload churn during lifecycle operations
Authorization header contamination in auth subrequests
reserved/disallowed admin sidecar username handling

Current posture

MFA Sidecar is now mature enough for broader real-world testing and project submission, but it is still being improved in public and with real operational feedback.

That is intentional.

The project is trying to be:

honest about sharp edges
recoverable under stress
practical for real operators
explicit about trust boundaries and tradeoffs

Source and docs

For the current code, release history, and technical documentation, see the project repository and linked documentation pages.