Contract fixtures for the NetKingdom IAM Profile v0.2 claim shapes flex-auth must accept. Each file is the raw verified claim map as flex-auth receives it from the upstream identity layer (key-cape or Keycloak); flex-auth's normalization produces the same EnterpriseIdentity-shaped envelope for all of them.

See docs/iam-profile-consumption.md for the full consumption surface.

Fixture	Provider	Demonstrates
`key-cape-lightweight.yaml`	key-cape lightweight mode	Profile-conformant minimum: single audience, top-level `roles` array, explicit tenant/principal/assurance.
`keycloak-heavy.yaml`	Keycloak production	Full variation set: canonical `roles`, provider-native role sources, scope as space-separated string, MFA assurance, multiple audiences.
`service-account.yaml`	Either provider	Service account; `principal_type: service`, `service` + `operator` roles, no `preferred_username`, narrow scope.
`emergency.yaml`	Either provider	Break-glass human identity; `emergency` role, `assurance.level: break_glass`, short expiry, audit-trail metadata in an `emergency` claim.
`keycloak-group-overage.yaml`	Entra/Keycloak	Group-claim overage signal (`hasgroups: true`); flex-auth's directory resolver fetches the full set.

These fixtures are loaded by the standalone evaluator's contract tests (FLEX-WP-0002 P2.4) and by the Topaz adapter's contract tests (FLEX-WP-0004 T01). Both code paths MUST produce identical normalized envelopes for the same fixture.