enterprise/flex-auth integration layer

2026-05-04 17:54:52 +02:00
parent e33f296bdb
commit 6cb3b7b172
17 changed files with 1240 additions and 23 deletions
--- a/docs/enterprise-access-control-integration.md
+++ b/docs/enterprise-access-control-integration.md
@@ -155,6 +155,26 @@ assurance metadata before any authorization decision is made. The core package
 now exposes protocol/data boundaries for this without taking a dependency on
 Keycloak, Entra, LDAP, SCIM, OpenFGA, OPA, or Cedar client libraries.

+The current Markitect-side implementation provides deterministic local
+building blocks:
+
+- `NetKingdomIdentityClaimsAdapter` validates required IAM-profile claims,
+  issuer, audience, token timestamps, roles/scopes, and production rejection of
+  local development issuers for already trusted claims or explicit JWT fixtures.
+- `EnterprisePolicyMap` and `LocalEnterprisePolicyMapper` map groups, roles,
+  and scopes into `PolicySubject` labels, trust zones, actions, and diagnostic
+  attributes.
+- `StaticDirectoryGroupResolver` models group freshness and overage without a
+  live directory dependency.
+- `FlexAuthResourceManifest` describes Markitect knowledge resources for
+  future flex-auth registration.
+- `LocalDecisionLogStore` provides a JSONL development/test sink for decision
+  records.
+
+Live OIDC discovery, JWKS signature verification, directory synchronization,
+central policy administration, and durable enterprise audit should be provided
+by flex-auth/key-cape-facing adapters rather than Markitect core.
+
 ## Canonical Subject Mapping

 Recommended normalized shape:
@@ -209,6 +229,13 @@ trust_zones:
    required_groups: [/markitect/readers]
 ```

+Command-line subject mapping:
+
+```text
+mkt policy subject examples/policy/netkingdom-claims.yaml \
+  --policy-map examples/policy/enterprise-policy-map.yaml
+```
+
 ## Data/Object Mapping

 Markdown remains the source-friendly object labeling layer:
@@ -222,6 +249,23 @@ policy:
 ---
 ```

+A Markitect knowledge base can publish an explicit flex-auth resource manifest:
+
+```yaml
+id: markitect-example-knowledge-base
+system: markitect-tool
+actions: [read, query, search, package, export]
+resources:
+  - id: knowledge-base:markitect-example
+    type: knowledge_base
+  - id: document:internal-note
+    type: document
+    parent: knowledge-base:markitect-example
+    path: examples/policy/private/internal-note.md
+    labels: [internal]
+    trust_zone: internal
+```
+
 For enterprise environments, object metadata should eventually include:

 - content labels/classification