enterprise/flex-auth integration layer

tests/test_workflow_engine.py

@@ -83,6 +83,39 @@ def test_load_workflow_file_preserves_standard_sections(tmp_path: Path):
     assert plan.steps[0]["id"] == "render"
 
 
+def test_load_workflow_file_preserves_policy_identity_permissions(tmp_path: Path):
+    workflow = tmp_path / "policy.workflow.md"
+    workflow.write_text(
+        """# Policy Workflow
+
+```yaml workflow
+metadata:
+  id: policy-aware
+inputs:
+  static:
+    value: ok
+permissions:
+  policy:
+    subject_from_token: examples/policy/netkingdom-claims.yaml
+    policy_map: examples/policy/enterprise-policy-map.yaml
+    required_assurance:
+      mfa: true
+    emergency_justification: INC-123
+    decision_log: .markitect/policy-decisions.jsonl
+  flex_auth:
+    resource_manifest: examples/policy/flex-auth-resource-manifest.yaml
+```
+""",
+        encoding="utf-8",
+    )
+
+    plan = load_workflow_file(workflow)
+
+    assert plan.permissions["policy"]["subject_from_token"] == "examples/policy/netkingdom-claims.yaml"
+    assert plan.permissions["policy"]["required_assurance"]["mfa"] is True
+    assert plan.permissions["flex_auth"]["resource_manifest"].endswith("flex-auth-resource-manifest.yaml")
+
+
 def test_workflow_runner_collects_sources_and_renders_output(tmp_path: Path):
     workflow = _write_workflow_fixture(tmp_path)
     plan = load_workflow_file(workflow)