flex-auth/examples/claims/README.md

# examples/claims/

Contract fixtures for the NetKingdom IAM Profile v0.2 claim shapes
flex-auth must accept. Each file is the *raw verified claim map* as
flex-auth receives it from the upstream identity layer (key-cape or
Keycloak); flex-auth's normalization produces the same
`EnterpriseIdentity`-shaped envelope for all of them.

See `docs/iam-profile-consumption.md` for the full consumption
surface.

| Fixture | Provider | Demonstrates |
| --- | --- | --- |
| `key-cape-lightweight.yaml` | key-cape lightweight mode | Profile-conformant minimum: single audience, top-level `roles` array, explicit tenant/principal/assurance. |
| `keycloak-heavy.yaml` | Keycloak production | Full variation set: canonical `roles`, provider-native role sources, scope as space-separated string, MFA assurance, multiple audiences. |
| `service-account.yaml` | Either provider | Service account; `principal_type: service`, `service` + `operator` roles, no `preferred_username`, narrow scope. |
| `emergency.yaml` | Either provider | Break-glass human identity; `emergency` role, `assurance.level: break_glass`, short expiry, audit-trail metadata in an `emergency` claim. |
| `keycloak-group-overage.yaml` | Entra/Keycloak | Group-claim overage signal (`hasgroups: true`); flex-auth's directory resolver fetches the full set. |

These fixtures are loaded by the standalone evaluator's contract tests
(`FLEX-WP-0002 P2.4`) and by the Topaz adapter's contract tests
(`FLEX-WP-0004 T01`). Both code paths MUST produce identical
normalized envelopes for the same fixture.