# examples/claims/

Contract fixtures for the NetKingdom IAM Profile v0.1 claim shapes
flex-auth must accept. Each file is the *raw verified claim map* as
flex-auth receives it from the upstream identity layer (key-cape or
Keycloak); flex-auth's normalization produces the same
`EnterpriseIdentity`-shaped envelope for all of them.

See `docs/iam-profile-consumption.md` for the full consumption
surface.

| Fixture | Provider | Demonstrates |
| --- | --- | --- |
| `key-cape-lightweight.yaml` | key-cape lightweight mode | Profile-conformant minimum: single audience, top-level `roles` array, single-factor `amr=pwd`. |
| `keycloak-heavy.yaml` | Keycloak production | Full variation set: `realm_access.roles` + `resource_access.<client>.roles`, scope as space-separated string, MFA via `amr=otp`, multiple audiences. |
| `service-account.yaml` | Either provider | Hub-to-hub service account; `service` + `operator` roles, no `preferred_username`, narrow scope. |
| `emergency.yaml` | Either provider | Break-glass human identity; `emergency` role, short expiry, hardware MFA, audit-trail metadata in an `emergency` claim. |
| `keycloak-group-overage.yaml` | Entra/Keycloak | Group-claim overage signal (`hasgroups: true`); flex-auth's directory resolver fetches the full set. |

These fixtures are loaded by the standalone evaluator's contract tests
(`FLEX-WP-0002 P2.4`) and by the Topaz adapter's contract tests
(`FLEX-WP-0004 T01`). Both code paths MUST produce identical
normalized envelopes for the same fixture.