---
id: MKTT-WP-0014
type: workplan
title: "Enterprise IAM Access-Control Integration"
domain: markitect
status: todo
owner: markitect-tool
topic_slug: markitect
planning_priority: P2
planning_order: 82
depends_on_workplans:
  - MKTT-WP-0009
related_workplans:
  - MKTT-WP-0006
  - MKTT-WP-0007
  - MKTT-WP-0008
  - MKTT-WP-0011
  - MKTT-WP-0013
created: "2026-05-04"
updated: "2026-05-04"
state_hub_workstream_id: "86c22ccc-5f5a-4650-8495-76fe6c08e411"
---

# MKTT-WP-0014: Enterprise IAM Access-Control Integration

## Purpose

Turn the local access-control gateway into an enterprise-ready integration surface without making Markitect an identity provider or hard-coding one directory vendor.

Markitect should act as the policy enforcement point for Markdown knowledge results. NetKingdom/key-cape-compatible SSO should supply identity claims. External policy engines and enterprise directories should attach through provider-neutral adapters.

## Background

`MKTT-WP-0009` implemented local labels, trust zones, path rules, query/search filtering, explainable decisions, and relationship/rule policy adapter boundaries.

The enterprise follow-up research showed a clear canonical shape:

- OIDC/SAML for authentication and signed identity assertions.
- SCIM/LDAP/Graph/Keycloak admin APIs for directory and group information.
- PEP/PDP/PIP/PAP separation for authorization architecture.
- RBAC/ABAC/ReBAC policy models through mappable policy decision points.
- NetKingdom IAM profile as the local identity contract, with key-cape as the preferred lightweight/bootstrap path.

Initial provider-neutral interfaces now exist in `markitect_tool.policy.adapters`:

- `EnterpriseIdentity`
- `IdentityClaimsAdapter`
- `DirectoryGroupResolver`
- `EnterprisePolicyMapper`
- `DecisionLogStore`

Documentation: `docs/enterprise-access-control-integration.md`.

## Decision

Implement concrete enterprise integration as an optional extension track.
Core Markitect should keep accepting normalized `PolicySubject` and `PolicyObject` models, while enterprise adapters handle token verification, group freshness, claim mapping, durable decision logs, and external PDP calls.

Do not map raw AD/LDAP/Entra group names directly to Markitect privileges. Always map:

```text
directory groups -> canonical roles/scopes/trust labels -> PolicySubject
```

## P14.1 - Define enterprise policy map schema

```task
id: MKTT-WP-0014-T001
status: todo
priority: high
state_hub_task_id: "1894c50f-95c3-4e1a-bd4f-388f7624ebd7"
```

Define the mapping file that translates enterprise groups, roles, scopes, tenants, assurance levels, and emergency rules into Markitect labels, trust zones, allowed actions, and object constraints.

Output: schema, examples, diagnostics, and tests.

## P14.2 - Implement NetKingdom/key-cape identity claims adapter

```task
id: MKTT-WP-0014-T002
status: todo
priority: high
state_hub_task_id: "8a177375-09b3-4898-a053-7601f82fcb29"
```

Implement an optional `IdentityClaimsAdapter` that consumes NetKingdom/key-cape-compatible OIDC discovery and JWTs. It must validate:

- issuer
- audience
- expiry and issued-at
- signature through JWKS
- authorized party/client id where required
- MFA/assurance claims for privileged actions

Output: adapter, fixtures, negative tests, and clear diagnostics.

## P14.3 - Implement enterprise subject mapper

```task
id: MKTT-WP-0014-T003
status: todo
priority: high
state_hub_task_id: "6861d4bc-1bb8-440d-bb9e-33e20c7feb55"
```

Implement `EnterprisePolicyMapper` over the policy map schema. It should map verified identity claims and resolved groups into gateway-ready `PolicySubject` objects.

Output: mapper, examples, and tests for roles, scopes, groups, trust zones, tenancy, and emergency access.
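The claim checks P14.2 lists, written out as an added example (not Markitect's `IdentityClaimsAdapter`). It assumes the JWT signature has already been verified against the issuer's JWKS by a JOSE library, and that `acr` carries the assurance level; the action names, the `ExpectedToken` shape and the sample payload are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Optional

PRIVILEGED_ACTIONS = {"export", "workflow.run"}  # assumed gateway action names

@dataclass(frozen=True)
class ExpectedToken:
    issuer: str
    audience: str
    client_id: str  # authorized party (azp) the gateway's tokens are issued to
    privileged_acr: frozenset = frozenset({"mfa"})  # assumed acr values
    leeway_s: int = 60

def validate_claims(claims: dict, expected: ExpectedToken, action: str,
                    now: Optional[float] = None) -> list:
    """Return diagnostics; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected.issuer:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected.audience not in aud:
        problems.append("audience does not include this gateway")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp + expected.leeway_s < now:
        problems.append("token expired or exp missing")
    if not isinstance(iat, (int, float)) or iat - expected.leeway_s > now:
        problems.append("iat missing or in the future")
    # Multi-audience tokens must name the client they were issued to.
    if (len(aud) > 1 or "azp" in claims) and claims.get("azp") != expected.client_id:
        problems.append("authorized party (azp) mismatch")
    if action in PRIVILEGED_ACTIONS and claims.get("acr") not in expected.privileged_acr:
        problems.append(f"{action!r} requires assurance in {sorted(expected.privileged_acr)}")
    return problems

# Constructed sample payload (not a real token); signature assumed already verified.
SAMPLE_EXPECTED = ExpectedToken(issuer="https://idp.example.test/realms/kingdom",
                                audience="markitect-gateway", client_id="markitect-cli")
SAMPLE_CLAIMS = {"iss": "https://idp.example.test/realms/kingdom",
                 "aud": ["markitect-gateway", "other-api"], "azp": "markitect-cli",
                 "sub": "u-42", "iat": 1_800_000_000, "exp": 1_800_000_600, "acr": "pwd"}

if __name__ == "__main__":
    for act in ("query", "export"):
        print(act, validate_claims(SAMPLE_CLAIMS, SAMPLE_EXPECTED, act, now=1_800_000_100) or "ok")
```

Returning a list instead of raising lets the gateway log every reason a token was refused, which is the diagnostic output P14.2 asks for.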
## P14.4 - Add directory group resolution boundary

```task
id: MKTT-WP-0014-T004
status: todo
priority: medium
state_hub_task_id: "56d6bad6-d706-47b3-b321-1f0e870ecc0d"
```

Implement a provider-neutral group-resolution layer for claims that are stale, partial, or too large for tokens. Start with a fake/test resolver and specify adapter hooks for SCIM, Microsoft Graph, LDAP, and Keycloak.

Output: resolver contract, freshness metadata, overage handling, and tests.

## P14.5 - Persist decision logs

```task
id: MKTT-WP-0014-T005
status: todo
priority: high
state_hub_task_id: "f212662c-4ffc-4cac-ace2-a43777f4960c"
```

Implement a durable `DecisionLogStore` for policy decisions from query, search, context packages, workflows, exports, and assisted prompt assembly. Decision logs should record subject id, token hash, action, object id, policy version, decision effect, reason, redaction status, and provenance.

Output: storage adapter, CLI inspection path, and tests.

## P14.6 - Add external PDP examples

```task
id: MKTT-WP-0014-T006
status: todo
priority: medium
state_hub_task_id: "573a198f-df0b-470a-b11c-9ac839c0845e"
```

Provide reference adapters or documented examples for:

- OpenFGA/SpiceDB-style relationship checks through `RelationshipPolicyAdapter`
- OPA/Rego or Cedar-style rule checks through `RulePolicyAdapter`

Output: examples, adapter stubs, and policy request/decision fixtures.

## P14.7 - Integrate policy identity into workflows and context packages

```task
id: MKTT-WP-0014-T007
status: todo
priority: high
state_hub_task_id: "c4650304-0e2b-49c5-8569-e69907c08ccc"
```

Make workflow and future context-package execution accept explicit enterprise identity and policy mapping configuration. Required concepts:

- `subject_from_token`
- `policy_map`
- `required_assurance`
- `emergency_justification`
- decision-log sink

Output: workflow/context integration design, examples, and tests.
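A worked version of the group -> canonical role -> `PolicySubject` mapping that P14.1 and P14.3 describe, with the `policy_map` and `emergency_justification` inputs P14.7 lists. This is an added example, not Markitect's `EnterprisePolicyMapper` or `PolicySubject`; the policy-map layout, the subject fields, the `acr`/`tenant` claim names and the sample group names are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed policy-map layout (not Markitect's real schema): a directory group
# only ever resolves to a canonical role, and only roles carry privileges.
POLICY_MAP = {
    "version": "2026-05-04.1",
    "groups": {"ENT\\KB-Readers": "reader",
               "ENT\\SecOps-Oncall": "incident-responder"},
    "roles": {
        "reader": {"scopes": ["kb:read"], "labels": ["public", "internal"],
                   "trust_zone": "corp"},
        "incident-responder": {"scopes": ["kb:read"], "labels": ["restricted"],
                               "trust_zone": "secops", "requires_assurance": "mfa",
                               "emergency_only": True},
    },
}

@dataclass(frozen=True)
class PolicySubject:  # assumed shape of the gateway's normalized subject model
    subject_id: str
    tenant: str
    roles: frozenset
    scopes: frozenset
    labels: frozenset
    trust_zones: frozenset
    policy_map_version: str

def map_subject(claims: dict, groups: list, policy_map: dict = POLICY_MAP,
                emergency_justification: str = "") -> tuple:
    """Map verified claims plus resolved groups to (PolicySubject, diagnostics)."""
    diagnostics, roles = [], set()
    for group in groups:
        role = policy_map["groups"].get(group)
        spec = policy_map["roles"].get(role, {})
        need = spec.get("requires_assurance")
        if role is None:  # raw group names never become privileges
            diagnostics.append(f"unmapped directory group ignored: {group}")
        elif need and claims.get("acr") != need:
            diagnostics.append(f"role {role} dropped: assurance {need} required")
        elif spec.get("emergency_only") and not emergency_justification:
            diagnostics.append(f"role {role} dropped: emergency justification required")
        else:
            roles.add(role)
    specs = [policy_map["roles"][r] for r in roles]
    subject = PolicySubject(
        claims["sub"], claims.get("tenant", "default"), frozenset(roles),
        frozenset(s for spec in specs for s in spec["scopes"]),
        frozenset(l for spec in specs for l in spec["labels"]),
        frozenset(spec["trust_zone"] for spec in specs), policy_map["version"])
    return subject, diagnostics
```

Every dropped or unmapped group lands in the diagnostics list with the policy-map version on the subject, which is what a decision log needs to explain why a subject ended up with fewer privileges than its directory membership suggests.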
## P14.8 - Validate against NetKingdom IAM profile

```task
id: MKTT-WP-0014-T008
status: todo
priority: medium
state_hub_task_id: "0486e0c2-2cb9-4902-9a09-9ec729e9e79f"
```

Build conformance tests against the local IAM profile:

- required claims
- human Authorization Code + PKCE expectations
- service account claims
- local development issuer rejection in production mode
- emergency access audit requirements

Output: test fixtures and conformance checklist.

## Exit Criteria

- A NetKingdom/key-cape-compatible OIDC identity can be validated and mapped to a `PolicySubject`.
- Enterprise groups, roles, scopes, trust zones, and labels are mapped through a versioned policy map rather than raw directory names.
- Query, search, workflow, and context-package boundaries can enforce policy and emit durable decision logs.
- Directory group overage and freshness are represented explicitly.
- OpenFGA/SpiceDB and OPA/Cedar-style PDP integrations can attach without replacing Markitect's local policy gateway.
- The implementation remains optional and does not add enterprise IAM dependencies to core Markdown parsing or deterministic processing.

## Notes

This workplan should be picked up before using Markitect context caches for production agent memory in enterprise settings. It does not need to block local research on `MKTT-WP-0008`, but it should gate production deployment of reactivatable cross-document context packages.