Reference IAM Profile v0.2

README.md

@@ -3,9 +3,11 @@
 *Prepare for Keycloak without Keycloak*
 
 KeyCape is the lightweight IAM component of [NetKingdom](../net-kingdom/). It
-implements the **NetKingdom IAM Profile** — a versioned OIDC/PKCE contract —
-by orchestrating Authelia, LLDAP, and privacyIDEA. The same profile is
-implemented by Keycloak in expanded-mode deployments.
+implements lightweight mode for the **NetKingdom IAM Profile** — a versioned
+OIDC/PKCE contract whose canonical core is now
+`../net-kingdom/canon/standards/iam-profile_v0.2.md` — by orchestrating
+Authelia, LLDAP, and privacyIDEA. The same profile is implemented by Keycloak
+in expanded-mode deployments.
 
 Applications integrate against the profile, not against Keycape internals. This
 makes the lightweight → expanded migration a tested, automated operation rather
@@ -20,7 +22,7 @@ than a rewrite.
 
 ```
 Application
-    │  (NetKingdom IAM Profile)
+    │  (NetKingdom IAM Profile v0.2)
     ▼
  KeyCape  ←── profile enforcement, claim normalization, telemetry
   /  |  \
@@ -28,7 +30,8 @@ Auth  LLDAP  privacyIDEA
 elia
 ```
 
-**Expanded mode:** Replace KeyCape with Keycloak. Same profile, same tests pass.
+**Expanded mode:** Replace KeyCape with Keycloak. Same profile contract, same
+conformance suite in `../net-kingdom/tools/iam-profile-conformance/`.
 
 ## Quick Start
 
@@ -105,8 +108,10 @@ KeyCape enforces the NetKingdom IAM Profile. Violations return structured errors
 | `rejected_for_profile_safety` | Would weaken security guarantees |
 | `invalid_profile_usage` | Supported feature used incorrectly |
 
-Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic client
-registration, no identity brokering, PKCE S256 required.
+Enforced boundaries: no implicit flow, no wildcard redirect URIs, no dynamic
+client registration, no identity brokering, PKCE S256 required. Profile v0.2
+also requires normalized tenant, principal type, groups, roles, scopes, and
+assurance evidence in tokens consumed by applications and flex-auth.
 
 ## Migration Tools
 

wiki/KeyCapeSpecification_v0.1.md

@@ -224,9 +224,13 @@ The lightweight stack shall be considered valid production infrastructure where
 
 ---
 
-## 8. NetKingdom IAM Profile v0.1
+## 8. NetKingdom IAM Profile
 
-This section defines the initial minimum profile to be supported.
+This section defines the initial minimum profile supported by the KeyCape v0.1
+specification. The canonical NetKingdom profile has since moved to
+`net-kingdom/canon/standards/iam-profile_v0.2.md`; KeyCape conformance should
+be measured against that profile and the executable suite in
+`net-kingdom/tools/iam-profile-conformance/`.
 
 ## 8.1 Supported authentication model
 
@@ -282,11 +286,15 @@ Initial standard claims may include:
 * `email` if present
 * `name` if present
 
-Optional NetKingdom-specific claims may include:
+NetKingdom profile v0.2 requires these normalized claims before applications
+or flex-auth consume a token:
 
-* groups
-* roles
-* tenant or environment markers if explicitly defined
+* `tenant`
+* `principal_type`
+* `groups`
+* `roles`
+* `scope` or `scp`
+* `assurance`
 
 Claim names, types, and semantics must be fixed by the profile and validated in tests.
 
@@ -786,9 +794,11 @@ Canonical fixtures conform if they pass canonical model and LDAP schema validati
 
 The following implementation artifacts should be created next:
 
-### 21.1 NetKingdom IAM Profile v0.1
+### 21.1 NetKingdom IAM Profile
 
-A more formal profile document with endpoint-by-endpoint detail.
+A formal canonical profile document now exists in net-kingdom as
+`canon/standards/iam-profile_v0.2.md`, with endpoint-by-endpoint detail,
+tenant/principal/assurance claims, and executable conformance checks.
 
 ### 21.2 Canonical identity model schema