generated from coulomb/repo-seed
tegwick
f930e96568
Completes FLEX-WP-0005 T05 and closes the Foundations and Topaz Alignment workstream. docs/iam-profile-consumption.md captures flex-auth's input surface against NetKingdom IAM Profile v0.1: - boundary (flex-auth consumes verified claims; upstream layer validates signatures and audiences) - normalized input envelope (matches Markitect's EnterpriseIdentity) - required, recommended, and tolerated claim variations - role-claim location union (top-level / realm_access / resource_access) - scope encoding (string vs array) - principal-type detection (human / service / emergency) - group-overage and freshness expectations - production vs local-development handling examples/claims/ ships five contract fixtures: - key-cape-lightweight.yaml (profile minimum) - keycloak-heavy.yaml (full variation set + MFA) - service-account.yaml (svc-* hub-to-hub) - emergency.yaml (break-glass with incident metadata) - keycloak-group-overage.yaml (Entra-style hasgroups: true) All fixtures parse as valid YAML. They become contract tests for the standalone evaluator (FLEX-WP-0002 P2.4) and the Topaz adapter (FLEX-WP-0004 T01); both code paths must produce identical normalized envelopes for the same fixture. FLEX-WP-0005 workstream marked status=done in this file and completed in the State Hub. FLEX-WP-0002 is now fully unblocked. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
examples/
Runnable examples used both as documentation and as test fixtures.
Expected layout (filled in across FLEX-WP-0002 / FLEX-WP-0003 / FLEX-WP-0005):
examples/
claims/ # key-cape lightweight-mode and Keycloak heavy-mode
# claim envelopes (P5.5)
markitect/ # FlexAuthResourceManifest fixtures, decision
# fixtures, and Rego-in-Markdown policy packages
topaz/ # docker-compose + sample directory and policy
# for the Topaz alignment spike (P5.4)
policies/ # generic Rego-in-Markdown packages used by
# the standalone core tests