Enterprise access control integration

2026-05-04 15:32:54 +02:00
parent ffab98be10
commit 5ecb52aece
9 changed files with 838 additions and 3 deletions
--- a/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md
+++ b/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md
@@ -0,0 +1,238 @@
+---
+id: MKTT-WP-0014
+type: workplan
+title: "Enterprise IAM Access-Control Integration"
+domain: markitect
+status: todo
+owner: markitect-tool
+topic_slug: markitect
+planning_priority: P2
+planning_order: 82
+depends_on_workplans:
+  - MKTT-WP-0009
+related_workplans:
+  - MKTT-WP-0006
+  - MKTT-WP-0007
+  - MKTT-WP-0008
+  - MKTT-WP-0011
+  - MKTT-WP-0013
+created: "2026-05-04"
+updated: "2026-05-04"
+state_hub_workstream_id: "86c22ccc-5f5a-4650-8495-76fe6c08e411"
+---
+
+# MKTT-WP-0014: Enterprise IAM Access-Control Integration
+
+## Purpose
+
+Turn the local access-control gateway into an enterprise-ready integration
+surface without making Markitect an identity provider or hard-coding one
+directory vendor.
+
+Markitect should act as the policy enforcement point for Markdown knowledge
+results. NetKingdom/key-cape-compatible SSO should supply identity claims.
+External policy engines and enterprise directories should attach through
+provider-neutral adapters.
+
+## Background
+
+`MKTT-WP-0009` implemented local labels, trust zones, path rules, query/search
+filtering, explainable decisions, and relationship/rule policy adapter
+boundaries. The enterprise follow-up research showed a clear canonical shape:
+
+- OIDC/SAML for authentication and signed identity assertions.
+- SCIM/LDAP/Graph/Keycloak admin APIs for directory and group information.
+- PEP/PDP/PIP/PAP separation for authorization architecture.
+- RBAC/ABAC/ReBAC policy models through mappable policy decision points.
+- NetKingdom IAM profile as the local identity contract, with key-cape as the
+  preferred lightweight/bootstrap path.
+
+Initial provider-neutral interfaces now exist in
+`markitect_tool.policy.adapters`:
+
+- `EnterpriseIdentity`
+- `IdentityClaimsAdapter`
+- `DirectoryGroupResolver`
+- `EnterprisePolicyMapper`
+- `DecisionLogStore`
+
+Documentation: `docs/enterprise-access-control-integration.md`.
+
+## Decision
+
+Implement concrete enterprise integration as an optional extension track. Core
+Markitect should keep accepting normalized `PolicySubject` and `PolicyObject`
+models, while enterprise adapters handle token verification, group freshness,
+claim mapping, durable decision logs, and external PDP calls.
+
+Do not map raw AD/LDAP/Entra group names directly to Markitect privileges.
+Always map:
+
+```text
+directory groups -> canonical roles/scopes/trust labels -> PolicySubject
+```
+
+## P14.1 - Define enterprise policy map schema
+
+```task
+id: MKTT-WP-0014-T001
+status: todo
+priority: high
+state_hub_task_id: "1894c50f-95c3-4e1a-bd4f-388f7624ebd7"
+```
+
+Define the mapping file that translates enterprise groups, roles, scopes,
+tenants, assurance levels, and emergency rules into Markitect labels, trust
+zones, allowed actions, and object constraints.
+
+Output: schema, examples, diagnostics, and tests.
+
+## P14.2 - Implement NetKingdom/key-cape identity claims adapter
+
+```task
+id: MKTT-WP-0014-T002
+status: todo
+priority: high
+state_hub_task_id: "8a177375-09b3-4898-a053-7601f82fcb29"
+```
+
+Implement an optional `IdentityClaimsAdapter` that consumes
+NetKingdom/key-cape-compatible OIDC discovery and JWTs.
+
+It must validate:
+
+- issuer
+- audience
+- expiry and issued-at
+- signature through JWKS
+- authorized party/client id where required
+- MFA/assurance claims for privileged actions
+
+Output: adapter, fixtures, negative tests, and clear diagnostics.
+
+## P14.3 - Implement enterprise subject mapper
+
+```task
+id: MKTT-WP-0014-T003
+status: todo
+priority: high
+state_hub_task_id: "6861d4bc-1bb8-440d-bb9e-33e20c7feb55"
+```
+
+Implement `EnterprisePolicyMapper` over the policy map schema. It should map
+verified identity claims and resolved groups into gateway-ready
+`PolicySubject` objects.
+
+Output: mapper, examples, and tests for roles, scopes, groups, trust zones,
+tenancy, and emergency access.
+
+## P14.4 - Add directory group resolution boundary
+
+```task
+id: MKTT-WP-0014-T004
+status: todo
+priority: medium
+state_hub_task_id: "56d6bad6-d706-47b3-b321-1f0e870ecc0d"
+```
+
+Implement a provider-neutral group-resolution layer for claims that are stale,
+partial, or too large for tokens. Start with a fake/test resolver and specify
+adapter hooks for SCIM, Microsoft Graph, LDAP, and Keycloak.
+
+Output: resolver contract, freshness metadata, overage handling, and tests.
+
+## P14.5 - Persist decision logs
+
+```task
+id: MKTT-WP-0014-T005
+status: todo
+priority: high
+state_hub_task_id: "f212662c-4ffc-4cac-ace2-a43777f4960c"
+```
+
+Implement a durable `DecisionLogStore` for policy decisions from query, search,
+context packages, workflows, exports, and assisted prompt assembly.
+
+Decision logs should record subject id, token hash, action, object id, policy
+version, decision effect, reason, redaction status, and provenance.
+
+Output: storage adapter, CLI inspection path, and tests.
+
+## P14.6 - Add external PDP examples
+
+```task
+id: MKTT-WP-0014-T006
+status: todo
+priority: medium
+state_hub_task_id: "573a198f-df0b-470a-b11c-9ac839c0845e"
+```
+
+Provide reference adapters or documented examples for:
+
+- OpenFGA/SpiceDB-style relationship checks through
+  `RelationshipPolicyAdapter`
+- OPA/Rego or Cedar-style rule checks through `RulePolicyAdapter`
+
+Output: examples, adapter stubs, and policy request/decision fixtures.
+
+## P14.7 - Integrate policy identity into workflows and context packages
+
+```task
+id: MKTT-WP-0014-T007
+status: todo
+priority: high
+state_hub_task_id: "c4650304-0e2b-49c5-8569-e69907c08ccc"
+```
+
+Make workflow and future context-package execution accept explicit enterprise
+identity and policy mapping configuration.
+
+Required concepts:
+
+- `subject_from_token`
+- `policy_map`
+- `required_assurance`
+- `emergency_justification`
+- decision-log sink
+
+Output: workflow/context integration design, examples, and tests.
+
+## P14.8 - Validate against NetKingdom IAM profile
+
+```task
+id: MKTT-WP-0014-T008
+status: todo
+priority: medium
+state_hub_task_id: "0486e0c2-2cb9-4902-9a09-9ec729e9e79f"
+```
+
+Build conformance tests against the local IAM profile:
+
+- required claims
+- human Authorization Code + PKCE expectations
+- service account claims
+- local development issuer rejection in production mode
+- emergency access audit requirements
+
+Output: test fixtures and conformance checklist.
+
+## Exit Criteria
+
+- A NetKingdom/key-cape-compatible OIDC identity can be validated and mapped to
+  a `PolicySubject`.
+- Enterprise groups, roles, scopes, trust zones, and labels are mapped through
+  a versioned policy map rather than raw directory names.
+- Query, search, workflow, and context-package boundaries can enforce policy
+  and emit durable decision logs.
+- Directory group overage and freshness are represented explicitly.
+- OpenFGA/SpiceDB and OPA/Cedar-style PDP integrations can attach without
+  replacing Markitect's local policy gateway.
+- The implementation remains optional and does not add enterprise IAM
+  dependencies to core Markdown parsing or deterministic processing.
+
+## Notes
+
+This workplan should be picked up before using Markitect context caches for
+production agent memory in enterprise settings. It does not need to block local
+research on `MKTT-WP-0008`, but it should gate production deployment of
+reactivatable cross-document context packages.