generated from coulomb/repo-seed
tegwick
f930e96568
Completes FLEX-WP-0005 T05 and closes the Foundations and Topaz Alignment workstream. docs/iam-profile-consumption.md captures flex-auth's input surface against NetKingdom IAM Profile v0.1: - boundary (flex-auth consumes verified claims; upstream layer validates signatures and audiences) - normalized input envelope (matches Markitect's EnterpriseIdentity) - required, recommended, and tolerated claim variations - role-claim location union (top-level / realm_access / resource_access) - scope encoding (string vs array) - principal-type detection (human / service / emergency) - group-overage and freshness expectations - production vs local-development handling examples/claims/ ships five contract fixtures: - key-cape-lightweight.yaml (profile minimum) - keycloak-heavy.yaml (full variation set + MFA) - service-account.yaml (svc-* hub-to-hub) - emergency.yaml (break-glass with incident metadata) - keycloak-group-overage.yaml (Entra-style hasgroups: true) All fixtures parse as valid YAML. They become contract tests for the standalone evaluator (FLEX-WP-0002 P2.4) and the Topaz adapter (FLEX-WP-0004 T01); both code paths must produce identical normalized envelopes for the same fixture. FLEX-WP-0005 workstream marked status=done in this file and completed in the State Hub. FLEX-WP-0002 is now fully unblocked. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
examples/claims/
Contract fixtures for the NetKingdom IAM Profile v0.1 claim shapes
flex-auth must accept. Each file is the raw verified claim map as
flex-auth receives it from the upstream identity layer (key-cape or
Keycloak); flex-auth's normalization produces the same
EnterpriseIdentity-shaped envelope for all of them.
See docs/iam-profile-consumption.md for the full consumption
surface.
| Fixture | Provider | Demonstrates |
|---|---|---|
key-cape-lightweight.yaml |
key-cape lightweight mode | Profile-conformant minimum: single audience, top-level roles array, single-factor amr=pwd. |
keycloak-heavy.yaml |
Keycloak production | Full variation set: realm_access.roles + resource_access.<client>.roles, scope as space-separated string, MFA via amr=otp, multiple audiences. |
service-account.yaml |
Either provider | Hub-to-hub service account; service + operator roles, no preferred_username, narrow scope. |
emergency.yaml |
Either provider | Break-glass human identity; emergency role, short expiry, hardware MFA, audit-trail metadata in an emergency claim. |
keycloak-group-overage.yaml |
Entra/Keycloak | Group-claim overage signal (hasgroups: true); flex-auth's directory resolver fetches the full set. |
These fixtures are loaded by the standalone evaluator's contract tests
(FLEX-WP-0002 P2.4) and by the Topaz adapter's contract tests
(FLEX-WP-0004 T01). Both code paths MUST produce identical
normalized envelopes for the same fixture.