Enterprise access control integration

tests/test_builtin_extension_catalog.py

@@ -96,4 +96,5 @@ def test_builtin_policy_descriptor_exposes_cli_and_adapter_boundary():
         "policy_filter",
     }
     assert "mkt policy check" in descriptor.cli["commands"]
+    assert "IdentityClaimsAdapter" in descriptor.metadata["external_adapters"]
     assert "RelationshipPolicyAdapter" in descriptor.metadata["external_adapters"]

tests/test_policy_gateway.py

@@ -4,7 +4,14 @@ from pathlib import Path
 from click.testing import CliRunner
 
 from markitect_tool.cli import main
-from markitect_tool.policy import LocalLabelPolicy, LocalLabelPolicyGateway
+from markitect_tool.policy import (
+    DirectoryGroupResolution,
+    DirectoryGroupResolutionRequest,
+    EnterpriseIdentity,
+    EnterprisePolicyMapRequest,
+    LocalLabelPolicy,
+    LocalLabelPolicyGateway,
+)
 
 
 POLICY_TEXT = """id: example-policy
@@ -187,6 +194,59 @@ def test_mkt_cache_query_filters_indexed_documents_by_policy(tmp_path: Path):
     assert data["policy"]["denied"] == 1
 
 
+def test_enterprise_identity_maps_to_policy_subject():
+    identity = EnterpriseIdentity(
+        issuer="https://sso.example.test/realms/netkingdom",
+        subject="user-123",
+        preferred_username="ada",
+        roles=["viewer"],
+        scopes=["markitect:read"],
+        groups=["/markitect/readers"],
+        assurance={"mfa": True},
+        directory={"source": "keycloak"},
+    )
+
+    subject = identity.to_policy_subject(
+        allowed_labels=["public", "internal"],
+        trust_zones=["public", "internal"],
+        allowed_actions=["query", "search"],
+    )
+
+    assert subject.id == "oidc:https://sso.example.test/realms/netkingdom#user-123"
+    assert subject.roles == ["viewer"]
+    assert subject.allowed_labels == ["public", "internal"]
+    assert subject.allowed_actions == ["query", "search"]
+    assert subject.attributes["issuer"] == "https://sso.example.test/realms/netkingdom"
+    assert subject.attributes["groups"] == ["/markitect/readers"]
+    assert subject.attributes["assurance"]["mfa"] is True
+
+
+def test_enterprise_policy_adapter_requests_serialize_cleanly():
+    group_request = DirectoryGroupResolutionRequest(
+        subject_id="oidc:https://sso.example.test/realms/netkingdom#user-123",
+        issuer="https://sso.example.test/realms/netkingdom",
+        claims={"hasgroups": True},
+    )
+    group_result = DirectoryGroupResolution(
+        groups=["/markitect/readers"],
+        source="keycloak",
+        refreshed_at="2026-05-04T10:00:00Z",
+        overage=True,
+    )
+    map_request = EnterprisePolicyMapRequest(
+        identity=EnterpriseIdentity(
+            issuer="https://sso.example.test/realms/netkingdom",
+            subject="user-123",
+        ),
+        policy_map={"groups": {"/markitect/readers": {"allowed_labels": ["internal"]}}},
+        groups=group_result.groups,
+    )
+
+    assert group_request.to_dict()["claims"] == {"hasgroups": True}
+    assert group_result.to_dict()["overage"] is True
+    assert map_request.to_dict()["identity"]["canonical_id"].endswith("#user-123")
+
+
 def _policy_mapping() -> dict:
     return {
         "id": "example-policy",