coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

IAM Profile consumption doc + claim fixtures; close FLEX-WP-0005
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details

Browse Source 
Completes FLEX-WP-0005 T05 and closes the Foundations and Topaz
Alignment workstream.

docs/iam-profile-consumption.md captures flex-auth's input surface
against NetKingdom IAM Profile v0.1:
- boundary (flex-auth consumes verified claims; upstream layer
  validates signatures and audiences)
- normalized input envelope (matches Markitect's EnterpriseIdentity)
- required, recommended, and tolerated claim variations
- role-claim location union (top-level / realm_access / resource_access)
- scope encoding (string vs array)
- principal-type detection (human / service / emergency)
- group-overage and freshness expectations
- production vs local-development handling

examples/claims/ ships five contract fixtures:
- key-cape-lightweight.yaml (profile minimum)
- keycloak-heavy.yaml (full variation set + MFA)
- service-account.yaml (svc-* hub-to-hub)
- emergency.yaml (break-glass with incident metadata)
- keycloak-group-overage.yaml (Entra-style hasgroups: true)

All fixtures parse as valid YAML. They become contract tests for the
standalone evaluator (FLEX-WP-0002 P2.4) and the Topaz adapter
(FLEX-WP-0004 T01); both code paths must produce identical normalized
envelopes for the same fixture.

FLEX-WP-0005 workstream marked status=done in this file and completed
in the State Hub. FLEX-WP-0002 is now fully unblocked.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-05-16 09:09:36 +02:00
parent 7471e07cbb
commit f930e96568
8 changed files with 333 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
examples/claims/emergency.yaml Normal file
View File

@@ -0,0 +1,31 @@
# Claim envelope for an emergency (break-glass) human principal. Short
# expiry, emergency role, requires MFA per the profile, and triggers
# durable audit recording on every flex-auth decision that involves it.
#
# Reference: NetKingdom IAM Profile v0.1 §"Human Override and Emergency
# Access". flex-auth maps this to principal_type=emergency and emits a
# `record_emergency` obligation on every decision.
iss: https://sso.netkingdom.example/realms/netkingdom
sub: f1c4f64e-2c0c-4cda-8c9f-9f3f8f3a2b0e
aud:
- flex-auth
exp: 1767226200 # iat + 10 minutes; emergency tokens are short-lived
iat: 1767225600
auth_time: 1767225595
azp: ops-console
preferred_username: ada
email: ada@netkingdom.example
scope: openid profile hub:admin
roles:
- emergency
- admin
amr:
- pwd
- otp
- hwk
acr: "3"
emergency:
incident_id: INC-2026-0042
authorized_by: "team:platform-stewards"
reason: "credential rotation playbook step 4"