Align IAM Profile consumption with v0.2

examples/claims/README.md

@@ -1,6 +1,6 @@
 # examples/claims/
 
-Contract fixtures for the NetKingdom IAM Profile v0.1 claim shapes
+Contract fixtures for the NetKingdom IAM Profile v0.2 claim shapes
 flex-auth must accept. Each file is the *raw verified claim map* as
 flex-auth receives it from the upstream identity layer (key-cape or
 Keycloak); flex-auth's normalization produces the same
@@ -11,10 +11,10 @@ surface.
 
 | Fixture | Provider | Demonstrates |
 | --- | --- | --- |
-| `key-cape-lightweight.yaml` | key-cape lightweight mode | Profile-conformant minimum: single audience, top-level `roles` array, single-factor `amr=pwd`. |
-| `keycloak-heavy.yaml` | Keycloak production | Full variation set: `realm_access.roles` + `resource_access.<client>.roles`, scope as space-separated string, MFA via `amr=otp`, multiple audiences. |
-| `service-account.yaml` | Either provider | Hub-to-hub service account; `service` + `operator` roles, no `preferred_username`, narrow scope. |
-| `emergency.yaml` | Either provider | Break-glass human identity; `emergency` role, short expiry, hardware MFA, audit-trail metadata in an `emergency` claim. |
+| `key-cape-lightweight.yaml` | key-cape lightweight mode | Profile-conformant minimum: single audience, top-level `roles` array, explicit tenant/principal/assurance. |
+| `keycloak-heavy.yaml` | Keycloak production | Full variation set: canonical `roles`, provider-native role sources, scope as space-separated string, MFA assurance, multiple audiences. |
+| `service-account.yaml` | Either provider | Service account; `principal_type: service`, `service` + `operator` roles, no `preferred_username`, narrow scope. |
+| `emergency.yaml` | Either provider | Break-glass human identity; `emergency` role, `assurance.level: break_glass`, short expiry, audit-trail metadata in an `emergency` claim. |
 | `keycloak-group-overage.yaml` | Entra/Keycloak | Group-claim overage signal (`hasgroups: true`); flex-auth's directory resolver fetches the full set. |
 
 These fixtures are loaded by the standalone evaluator's contract tests

examples/claims/emergency.yaml

@@ -2,9 +2,9 @@
 # expiry, emergency role, requires MFA per the profile, and triggers
 # durable audit recording on every flex-auth decision that involves it.
 #
-# Reference: NetKingdom IAM Profile v0.1 §"Human Override and Emergency
-# Access". flex-auth maps this to principal_type=emergency and emits a
-# `record_emergency` obligation on every decision.
+# Reference: NetKingdom IAM Profile v0.2 "Emergency And Break-Glass
+# Access". flex-auth maps the emergency role plus break_glass assurance to
+# a `record_emergency` obligation on every decision.
 
 iss: https://sso.netkingdom.example/realms/netkingdom
 sub: f1c4f64e-2c0c-4cda-8c9f-9f3f8f3a2b0e
@@ -13,6 +13,8 @@ aud:
 exp: 1767226200    # iat + 10 minutes; emergency tokens are short-lived
 iat: 1767225600
 auth_time: 1767225595
+tenant: tenant:platform
+principal_type: human
 azp: ops-console
 preferred_username: ada
 email: ada@netkingdom.example
@@ -20,11 +22,22 @@ scope: openid profile hub:admin
 roles:
   - emergency
   - admin
+groups:
+  - /platform/stewards
 amr:
   - pwd
   - otp
   - hwk
 acr: "3"
+assurance:
+  level: break_glass
+  methods:
+    - pwd
+    - otp
+    - hwk
+  mfa: true
+  source: keycloak
+  at: 1767225595
 emergency:
   incident_id: INC-2026-0042
   authorized_by: "team:platform-stewards"

examples/claims/key-cape-lightweight.yaml

@@ -2,8 +2,8 @@
 # authenticated human user. Profile-conformant minimum: required claims
 # only, single audience, simple roles list, OIDC standard amr values.
 #
-# Reference: docs/iam-profile-consumption.md, NetKingdom IAM Profile v0.1
-# §"Required Claims" and §"Local Development Profile".
+# Reference: docs/iam-profile-consumption.md, NetKingdom IAM Profile v0.2
+# "Core Claims" and "Local Development Profile".
 
 iss: https://idp.netkingdom.local/keycape
 sub: user-7f9e2b
@@ -11,6 +11,8 @@ aud:
   - flex-auth
 exp: 4102444800  # 2100-01-01, kept far-future for stable fixtures
 iat: 1767225600  # 2026-01-01
+tenant: tenant:platform
+principal_type: human
 preferred_username: ada
 email: ada@netkingdom.local
 name: Ada Lovelace
@@ -22,3 +24,10 @@ amr:
 acr: "1"
 groups:
   - /markitect/readers
+assurance:
+  level: aal1
+  methods:
+    - pwd
+  mfa: false
+  source: key-cape
+  at: 1767225600

examples/claims/keycloak-heavy.yaml

@@ -14,6 +14,8 @@ aud:
 exp: 4102444800
 iat: 1767225600
 auth_time: 1767225590
+tenant: tenant:platform
+principal_type: human
 azp: markitect-cli
 preferred_username: ada
 email: ada@netkingdom.example
@@ -22,6 +24,8 @@ name: Ada Lovelace
 given_name: Ada
 family_name: Lovelace
 scope: openid profile email hub:read hub:write hub:capability
+roles:
+  - operator
 realm_access:
   roles:
     - default-roles-netkingdom
@@ -40,4 +44,12 @@ amr:
   - pwd
   - otp
 acr: "2"
+assurance:
+  level: aal2
+  methods:
+    - pwd
+    - otp
+  mfa: true
+  source: keycloak
+  at: 1767225590
 sid: 4c0a3a8a-3a47-4f2f-8e89-9e5f9b0a0a0a

examples/claims/service-account.yaml

@@ -3,8 +3,7 @@
 # operation it performs. No preferred_username (service identities are
 # named after the service and environment per the profile).
 #
-# Reference: NetKingdom IAM Profile v0.1 §"Service Account Flow" and
-# §"Hub-to-Hub Service Account Pattern".
+# Reference: NetKingdom IAM Profile v0.2 "Service Account Flow".
 
 iss: https://sso.netkingdom.example/realms/netkingdom
 sub: svc-markitect-tool-prod
@@ -12,9 +11,19 @@ aud:
   - flex-auth
 exp: 4102444800
 iat: 1767225600
+tenant: tenant:platform
+principal_type: service
 azp: svc-markitect-tool-prod
 client_id: svc-markitect-tool-prod
 scope: hub:read hub:capability
 roles:
   - service
   - operator
+groups: []
+assurance:
+  level: aal1
+  methods:
+    - client_secret
+  mfa: false
+  source: keycloak
+  at: 1767225600