| id | type | title | domain | status | owner | topic_slug | planning_priority | planning_order | depends_on_workplans | related_workplans | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MKTT-WP-0014 | workplan | Enterprise IAM Access-Control Integration | markitect | todo | markitect-tool | markitect | P2 | 82 | | | 2026-05-04 | 2026-05-04 | 86c22ccc-5f5a-4650-8495-76fe6c08e411 |
MKTT-WP-0014: Enterprise IAM Access-Control Integration
Purpose
Turn the local access-control gateway into an enterprise-ready integration surface without making Markitect an identity provider or hard-coding one directory vendor.
Markitect should act as the policy enforcement point for Markdown knowledge results. NetKingdom/key-cape-compatible SSO should supply identity claims. External policy engines and enterprise directories should attach through provider-neutral adapters.
Background
MKTT-WP-0009 implemented local labels, trust zones, path rules, query/search
filtering, explainable decisions, and relationship/rule policy adapter
boundaries. The enterprise follow-up research showed a clear canonical shape:
- OIDC/SAML for authentication and signed identity assertions.
- SCIM/LDAP/Graph/Keycloak admin APIs for directory and group information.
- PEP/PDP/PIP/PAP separation for authorization architecture.
- RBAC/ABAC/ReBAC policy models through mappable policy decision points.
- NetKingdom IAM profile as the local identity contract, with key-cape as the preferred lightweight/bootstrap path.
Initial provider-neutral interfaces now exist in markitect_tool.policy.adapters:
- EnterpriseIdentity
- IdentityClaimsAdapter
- DirectoryGroupResolver
- EnterprisePolicyMapper
- DecisionLogStore
Documentation: docs/enterprise-access-control-integration.md.
Decision
Implement concrete enterprise integration as an optional extension track. Core
Markitect should keep accepting normalized PolicySubject and PolicyObject
models, while enterprise adapters handle token verification, group freshness,
claim mapping, durable decision logs, and external PDP calls.
Do not map raw AD/LDAP/Entra group names directly to Markitect privileges. Always map:
directory groups -> canonical roles/scopes/trust labels -> PolicySubject
P14.1 - Define enterprise policy map schema
id: MKTT-WP-0014-T001
status: todo
priority: high
state_hub_task_id: "1894c50f-95c3-4e1a-bd4f-388f7624ebd7"
Define the mapping file that translates enterprise groups, roles, scopes, tenants, assurance levels, and emergency rules into Markitect labels, trust zones, allowed actions, and object constraints.
Output: schema, examples, diagnostics, and tests.
P14.2 - Implement NetKingdom/key-cape identity claims adapter
id: MKTT-WP-0014-T002
status: todo
priority: high
state_hub_task_id: "8a177375-09b3-4898-a053-7601f82fcb29"
Implement an optional IdentityClaimsAdapter that consumes
NetKingdom/key-cape-compatible OIDC discovery and JWTs.
It must validate:
- issuer
- audience
- expiry and issued-at
- signature through JWKS
- authorized party/client id where required
- MFA/assurance claims for privileged actions
Output: adapter, fixtures, negative tests, and clear diagnostics.
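The claim checks P14.2 lists, as an added example (not Markitect's adapter): it takes the claims of a token whose JWKS signature was already verified and rejects it on issuer, audience, exp/iat, authorized party and, for privileged actions, missing MFA evidence. Issuer, audience, client ids, acr values and the sample claims are constructed placeholders.

```python
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Deployment settings; constructed for this example, not Markitect's real configuration.
EXPECTED_ISSUER = "https://idp.example.internal/realms/markitect"
EXPECTED_AUDIENCE = "markitect-gateway"
ALLOWED_AZP = {"markitect-cli", "markitect-web"}
MFA_ACR_VALUES = {"urn:example:acr:mfa"}  # constructed; map to the IdP's real acr vocabulary
CLOCK_SKEW_SECONDS = 60

# Constructed claims as they would look after JWKS signature verification.
SAMPLE_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": "markitect-gateway", "sub": "user:alice",
                 "exp": 1_800_001_200, "iat": 1_800_000_000, "amr": ["pwd", "mfa"]}


@dataclass(frozen=True)
class ClaimCheck:
    ok: bool
    reasons: Tuple[str, ...]  # every failed check, so diagnostics name all problems at once


def check_identity_claims(claims: dict, *, privileged: bool, now: Optional[float] = None) -> ClaimCheck:
    """Validate claims of a token whose signature has already been verified against JWKS."""
    now = time.time() if now is None else now
    reasons = []
    if claims.get("iss") != EXPECTED_ISSUER:
        reasons.append("issuer mismatch")
    aud = claims.get("aud")
    aud_set = set(aud) if isinstance(aud, list) else {aud}
    if EXPECTED_AUDIENCE not in aud_set:
        reasons.append("audience mismatch")
    # exp and iat are mandatory: a missing claim is a failure, not a pass.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or exp + CLOCK_SKEW_SECONDS < now:
        reasons.append("expired or missing exp")
    if not isinstance(iat, (int, float)) or iat - CLOCK_SKEW_SECONDS > now:
        reasons.append("iat in the future or missing")
    # A multi-audience token (or any token carrying azp) must name a client we accept.
    if len(aud_set) > 1 or "azp" in claims:
        if claims.get("azp") not in ALLOWED_AZP:
            reasons.append("authorized party not allowed")
    # Privileged actions require an MFA signal via amr or a recognised acr level.
    if privileged and "mfa" not in set(claims.get("amr") or []) and claims.get("acr") not in MFA_ACR_VALUES:
        reasons.append("MFA/assurance claim required for privileged action")
    return ClaimCheck(ok=not reasons, reasons=tuple(reasons))
```

All failed checks are returned together so the adapter's diagnostics can name every defect in a rejected token rather than only the first one found.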
P14.3 - Implement enterprise subject mapper
id: MKTT-WP-0014-T003
status: todo
priority: high
state_hub_task_id: "6861d4bc-1bb8-440d-bb9e-33e20c7feb55"
Implement EnterprisePolicyMapper over the policy map schema. It should map
verified identity claims and resolved groups into gateway-ready
PolicySubject objects.
Output: mapper, examples, and tests for roles, scopes, groups, trust zones, tenancy, and emergency access.
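The versioned policy map of P14.1 and the mapper of P14.3 together, as an added example that is not the project's code: directory groups are only keys into the map, canonical roles carry the labels, trust zones and actions, and the emergency rule withholds its labels until a justification is supplied. The schema, group names, roles and labels are constructed placeholders, and PolicySubject here is a stand-in for Markitect's own model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed policy map in the shape P14.1 calls for (assumed schema, not the project's).
# Raw directory group names appear only as keys here; nothing downstream ever sees them.
POLICY_MAP = {
    "version": "2026-05-04.1",
    "groups_to_roles": {
        "CN=kb-readers,OU=Groups,DC=corp,DC=example": ["kb_reader"],
        "CN=kb-editors,OU=Groups,DC=corp,DC=example": ["kb_reader", "kb_editor"],
        "CN=sec-oncall,OU=Groups,DC=corp,DC=example": ["kb_reader", "incident_responder"],
    },
    "roles": {
        "kb_reader": {"labels": ["public", "internal"], "trust_zones": ["zone:corp"], "actions": ["query", "search"]},
        "kb_editor": {"labels": ["confidential"], "trust_zones": [], "actions": ["export"]},
        "incident_responder": {"labels": ["restricted"], "trust_zones": ["zone:soc"], "actions": ["context_package"]},
    },
    # Emergency rule: the restricted label is granted only when a justification accompanies the request.
    "emergency": {"role": "incident_responder", "labels": ["restricted"], "requires_justification": True},
}

@dataclass(frozen=True)
class PolicySubject:
    subject_id: str
    tenant: str
    roles: FrozenSet[str]
    labels: FrozenSet[str]
    trust_zones: FrozenSet[str]
    actions: FrozenSet[str]
    policy_version: str              # lets a decision log say which map produced the subject
    unmapped_groups: FrozenSet[str]  # reported for diagnostics, never granted anything

def map_subject(claims: dict, groups: List[str], policy_map: dict = POLICY_MAP,
                emergency_justification: str = "") -> PolicySubject:
    roles, unmapped = set(), set()
    for group in groups:
        mapped = policy_map["groups_to_roles"].get(group)
        if mapped:
            roles.update(mapped)
        else:
            unmapped.add(group)  # unknown group: deny by default, surface it, never guess a privilege
    granted = {"labels": set(), "trust_zones": set(), "actions": set()}
    for role in roles:
        for dimension, values in policy_map["roles"][role].items():
            granted[dimension] |= set(values)
    emergency = policy_map["emergency"]
    if emergency["role"] in roles and emergency["requires_justification"] and not emergency_justification:
        granted["labels"] -= set(emergency["labels"])  # emergency labels stay withheld without a justification
    return PolicySubject(claims["sub"], claims.get("tenant", "default"), frozenset(roles), frozenset(granted["labels"]),
                         frozenset(granted["trust_zones"]), frozenset(granted["actions"]), policy_map["version"], frozenset(unmapped))
```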
P14.4 - Add directory group resolution boundary
id: MKTT-WP-0014-T004
status: todo
priority: medium
state_hub_task_id: "56d6bad6-d706-47b3-b321-1f0e870ecc0d"
Implement a provider-neutral group-resolution layer for claims that are stale, partial, or too large for tokens. Start with a fake/test resolver and specify adapter hooks for SCIM, Microsoft Graph, LDAP, and Keycloak.
Output: resolver contract, freshness metadata, overage handling, and tests.
P14.5 - Persist decision logs
id: MKTT-WP-0014-T005
status: todo
priority: high
state_hub_task_id: "f212662c-4ffc-4cac-ace2-a43777f4960c"
Implement a durable DecisionLogStore for policy decisions from query, search,
context packages, workflows, exports, and assisted prompt assembly.
Decision logs should record subject id, token hash, action, object id, policy version, decision effect, reason, redaction status, and provenance.
Output: storage adapter, CLI inspection path, and tests.
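A durable store for the record P14.5 describes, as an added example rather than Markitect's DecisionLogStore: every required field must be present, the bearer token is stored only as a SHA-256 fingerprint, entries are appended as JSON Lines, and a small query function stands in for the CLI inspection path. The file layout, field names beyond the page's list (ts) and the sample decisions are constructed.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Iterator, Optional

# Field set from P14.5; policy_version ties every decision to the policy map that produced it.
REQUIRED_FIELDS = ("subject_id", "token_hash", "action", "object_id", "policy_version",
                   "decision_effect", "reason", "redaction_status", "provenance")

def token_fingerprint(raw_token: str) -> str:
    """Log a SHA-256 of the bearer token, never the token: correlates a session without storing a replayable credential."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()

class JsonlDecisionLogStore:
    """Append-only JSON Lines file; an assumed DecisionLogStore implementation, not the project's."""
    def __init__(self, path: Path):
        self.path = path

    def record(self, *, raw_token: str, **fields) -> dict:
        entry = {"ts": time.time(), "token_hash": token_fingerprint(raw_token), **fields}
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:  # refuse partial records: an audit trail with holes is worse than a loud failure
            raise ValueError(f"decision log entry missing fields: {missing}")
        if entry["decision_effect"] not in ("allow", "deny"):
            raise ValueError("decision_effect must be 'allow' or 'deny'")
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")  # one decision per line, append only
        return entry

    def query(self, *, subject_id: Optional[str] = None, effect: Optional[str] = None) -> Iterator[dict]:
        # Minimal inspection path, the kind of filter a CLI subcommand would wrap.
        with self.path.open(encoding="utf-8") as fh:
            for line in fh:
                entry = json.loads(line)
                if (subject_id is None or entry["subject_id"] == subject_id) and \
                        (effect is None or entry["decision_effect"] == effect):
                    yield entry

def demo() -> dict:
    # Record two constructed decisions into a fresh temp file and inspect them.
    store = JsonlDecisionLogStore(Path(tempfile.mkdtemp()) / "decisions.jsonl")
    token = "constructed.bearer.token"  # constructed; the adapter would pass the token it just verified
    common = dict(raw_token=token, subject_id="user:alice", policy_version="2026-05-04.1", provenance="gateway")
    store.record(action="query", object_id="doc:incident-runbook", decision_effect="deny",
                 reason="label 'restricted' not held", redaction_status="none", **common)
    store.record(action="search", object_id="doc:onboarding", decision_effect="allow",
                 reason="label 'internal' held", redaction_status="partial", **common)
    denies = list(store.query(subject_id="user:alice", effect="deny"))
    return {"denies": len(denies), "total": len(list(store.query())),
            "token_hash": denies[0]["token_hash"], "raw_token_logged": token in json.dumps(denies)}
```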
P14.6 - Add external PDP examples
id: MKTT-WP-0014-T006
status: todo
priority: medium
state_hub_task_id: "573a198f-df0b-470a-b11c-9ac839c0845e"
Provide reference adapters or documented examples for:
- OpenFGA/SpiceDB-style relationship checks through RelationshipPolicyAdapter
- OPA/Rego or Cedar-style rule checks through RulePolicyAdapter
Output: examples, adapter stubs, and policy request/decision fixtures.
P14.7 - Integrate policy identity into workflows and context packages
id: MKTT-WP-0014-T007
status: todo
priority: high
state_hub_task_id: "c4650304-0e2b-49c5-8569-e69907c08ccc"
Make workflow and future context-package execution accept explicit enterprise identity and policy mapping configuration.
Required concepts:
- subject_from_token
- policy_map
- required_assurance
- emergency_justification
- decision-log sink
Output: workflow/context integration design, examples, and tests.
P14.8 - Validate against NetKingdom IAM profile
id: MKTT-WP-0014-T008
status: todo
priority: medium
state_hub_task_id: "0486e0c2-2cb9-4902-9a09-9ec729e9e79f"
Build conformance tests against the local IAM profile:
- required claims
- human Authorization Code + PKCE expectations
- service account claims
- local development issuer rejection in production mode
- emergency access audit requirements
Output: test fixtures and conformance checklist.
Exit Criteria
- A NetKingdom/key-cape-compatible OIDC identity can be validated and mapped to a PolicySubject.
- Enterprise groups, roles, scopes, trust zones, and labels are mapped through a versioned policy map rather than raw directory names.
- Query, search, workflow, and context-package boundaries can enforce policy and emit durable decision logs.
- Directory group overage and freshness are represented explicitly.
- OpenFGA/SpiceDB and OPA/Cedar-style PDP integrations can attach without replacing Markitect's local policy gateway.
- The implementation remains optional and does not add enterprise IAM dependencies to core Markdown parsing or deterministic processing.
Notes
This workplan should be picked up before using Markitect context caches for
production agent memory in enterprise settings. It does not need to block local
research on MKTT-WP-0008, but it should gate production deployment of
reactivatable cross-document context packages.