coulomb/markitect-tool
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

enterprise/flex-auth integration layer

Browse Source
This commit is contained in:
Bernd Worsch
2026-05-04 17:54:52 +02:00
parent e33f296bdb
commit 6cb3b7b172
17 changed files with 1240 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
examples/policy/enterprise-policy-map.yaml Normal file
View File

@@ -0,0 +1,58 @@
id: markitect-enterprise-policy-map
issuer: https://sso.example.test/realms/netkingdom
audiences:
- markitect-tool
defaults:
allowed_labels:
- public
trust_zones:
- public
groups:
/markitect/readers:
allowed_labels:
- public
- internal
trust_zones:
- public
- internal
actions:
- read
- query
- search
/markitect/stewards:
allowed_labels:
- public
- internal
- restricted
trust_zones:
- public
- internal
- restricted
actions:
- read
- query
- search
- package
- export
roles:
viewer:
actions:
- read
- query
- search
scopes:
markitect:read:
actions:
- read
- query
- search
trust_zones:
internal:
required_groups:
- /markitect/readers
restricted:
required_groups:
- /markitect/stewards
metadata:
owner: flex-auth
version: example

28
examples/policy/external-pdp-requests.yaml Normal file
View File

@@ -0,0 +1,28 @@
relationship_request:
subject: oidc:https://sso.example.test/realms/netkingdom#user-123
relation: reader
object_id: document:internal-note
namespace: markitect/document
context:
action: query
trust_zone: internal
resource_path: examples/policy/private/internal-note.md
rule_request:
subject:
id: oidc:https://sso.example.test/realms/netkingdom#user-123
roles:
- viewer
groups:
- /markitect/readers
assurance:
mfa: true
action: query
object:
id: document:internal-note
type: document
labels:
- internal
trust_zone: internal
context:
policy_map_id: markitect-enterprise-policy-map
workflow_id: assisted-review-boundary

34
examples/policy/flex-auth-resource-manifest.yaml Normal file
View File

@@ -0,0 +1,34 @@
id: markitect-example-knowledge-base
system: markitect-tool
actions:
- read
- query
- search
- package
- export
resources:
- id: knowledge-base:markitect-example
type: knowledge_base
labels:
- public
trust_zone: public
owner: team:platform-architecture
- id: document:public-note
type: document
parent: knowledge-base:markitect-example
path: examples/policy/public-note.md
labels:
- public
trust_zone: public
owner: team:platform-architecture
- id: document:internal-note
type: document
parent: knowledge-base:markitect-example
path: examples/policy/private/internal-note.md
labels:
- internal
trust_zone: internal
owner: team:platform-architecture
metadata:
source: markitect example policy fixtures
flex_auth_contract: resource-registration-v0

19
examples/policy/netkingdom-claims.yaml Normal file
View File

@@ -0,0 +1,19 @@
iss: https://sso.example.test/realms/netkingdom
sub: user-123
aud:
- markitect-tool
exp: 4102444800
iat: 1767225600
preferred_username: ada
email: ada@example.test
name: Ada Lovelace
scope: openid profile markitect:read hub:read
azp: markitect-cli
realm_access:
roles:
- viewer
groups:
- /markitect/readers
amr:
- pwd
- otp

35
examples/workflows/policy-aware-review.workflow.md Normal file
View File

@@ -0,0 +1,35 @@
# Policy-Aware Review Workflow
```yaml workflow
metadata:
id: policy-aware-review
intent:
summary: Declare enterprise identity and policy mapping for a review workflow.
inputs:
note:
file: ../policy/private/internal-note.md
selector: sections[heading=Decision]
steps:
shape:
kind: shape
data:
note: ${sources.note.items}
outputs:
review:
path: out/policy-aware-review.md
content: ${steps.shape.value.note}
permissions:
policy:
subject_from_token: examples/policy/netkingdom-claims.yaml
policy_map: examples/policy/enterprise-policy-map.yaml
required_assurance:
mfa: true
decision_log: .markitect/policy-decisions.jsonl
flex_auth:
resource_manifest: examples/policy/flex-auth-resource-manifest.yaml
responsibilities:
system:
enforces_policy: true
human:
reviews_denials: true
```