From a4c2e66afdad528e3c84ebc94f40ce9dcf8d96ec Mon Sep 17 00:00:00 2001 From: Firstyear Date: Fri, 16 Feb 2024 11:58:41 +1000 Subject: [PATCH] Fix incorrect documentation elements (#2533) This adds the account-policy section for credential-type-minimums and fixes the replication config defaults to match the documented behaviour. --- book/src/accounts/policy.md | 15 +++++++++++++-- server/core/src/repl/config.rs | 2 ++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/book/src/accounts/policy.md b/book/src/accounts/policy.md index 2dbab8b4a..cc97769b6 100644 --- a/book/src/accounts/policy.md +++ b/book/src/accounts/policy.md @@ -12,8 +12,8 @@ assigned to `idm_admin` by default. ## Default Account Policy -A default Account Policy is applied to `idm_all_accounts`. This provides the defaults that influence -all accounts in Kanidm. This policy can be modified the same as any other group's policy. +A default Account Policy is applied to `idm_all_persons`. This provides the defaults that influence +all people in Kanidm. This policy can be modified the same as any other group's policy. ## Enforced Attributes @@ -21,6 +21,16 @@ all accounts in Kanidm. This policy can be modified the same as any other group' The maximum length in seconds that an authentication session may exist for. +### Credential Type Minimum + +The minimum security strength of credentials that may be assigned to this account. In order from +weakest to strongest: + +* `any` +* `mfa` +* `passkey` +* `attested_passkey` + ### Password Minimum Length The minimum length for passwords (if they are allowed). @@ -46,6 +56,7 @@ parts. | value | ordering | | ---------------------------- | ---------------------------- | | auth-expiry | smallest value | +| credential-type-minimum | largest value | | password-minimum-length | largest value | | privilege-expiry | smallest value | | webauthn-attestation-ca-list | intersection of equal values | 
diff --git a/server/core/src/repl/config.rs b/server/core/src/repl/config.rs
index 1eb6cbb5c..4bac6b7a1 100644
--- a/server/core/src/repl/config.rs
+++ b/server/core/src/repl/config.rs
@@ -19,12 +19,14 @@ pub enum RepNodeConfig {
 Pull {
 #[serde(with = "x509b64")]
 supplier_cert: X509,
+ #[serde(default)]
 automatic_refresh: bool,
 },
 #[serde(rename = "mutual-pull")]
 MutualPull {
 #[serde(with = "x509b64")]
 partner_cert: X509,
+ #[serde(default)]
 automatic_refresh: bool,
 },
 /*
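Review bot: The two added `#[serde(default)]` attributes on `automatic_refresh` (in `Pull` and `MutualPull`) make an omitted key deserialise to `false`, but a misspelled key would now do the same silently instead of failing with a missing-field error, unless `RepNodeConfig` rejects unknown fields. The enum's container attributes sit above the hunk, so confirm `#[serde(deny_unknown_fields)]` is present there, or add it if the tagging scheme allows. Since the default is now part of the operator-facing contract for replication, I would also state it on each field, e.g. `/// Defaults to false when omitted from the config.`, and pin it with a small deserialisation test. The enum body continues outside the hunk.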