generated from coulomb/repo-seed
239 lines
7.0 KiB
Markdown
---
id: MKTT-WP-0014
type: workplan
title: "Enterprise IAM Access-Control Integration"
domain: markitect
status: todo
owner: markitect-tool
topic_slug: markitect
planning_priority: P2
planning_order: 82
depends_on_workplans:
- MKTT-WP-0009
related_workplans:
- MKTT-WP-0006
- MKTT-WP-0007
- MKTT-WP-0008
- MKTT-WP-0011
- MKTT-WP-0013
created: "2026-05-04"
updated: "2026-05-04"
state_hub_workstream_id: "86c22ccc-5f5a-4650-8495-76fe6c08e411"
---

# MKTT-WP-0014: Enterprise IAM Access-Control Integration

## Purpose

Turn the local access-control gateway into an enterprise-ready integration
surface without making Markitect an identity provider or hard-coding one
directory vendor.

Markitect should act as the policy enforcement point for Markdown knowledge
results. NetKingdom/key-cape-compatible SSO should supply identity claims.
External policy engines and enterprise directories should attach through
provider-neutral adapters.

## Background

`MKTT-WP-0009` implemented local labels, trust zones, path rules, query/search
filtering, explainable decisions, and relationship/rule policy adapter
boundaries. The enterprise follow-up research showed a clear canonical shape:

- OIDC/SAML for authentication and signed identity assertions.
- SCIM/LDAP/Graph/Keycloak admin APIs for directory and group information.
- PEP/PDP/PIP/PAP separation (policy enforcement, decision, information, and
  administration points) for authorization architecture.
- RBAC/ABAC/ReBAC policy models through mappable policy decision points.
- NetKingdom IAM profile as the local identity contract, with key-cape as the
  preferred lightweight/bootstrap path.

Initial provider-neutral interfaces now exist in
`markitect_tool.policy.adapters`:

- `EnterpriseIdentity`
- `IdentityClaimsAdapter`
- `DirectoryGroupResolver`
- `EnterprisePolicyMapper`
- `DecisionLogStore`

Documentation: `docs/enterprise-access-control-integration.md`.

## Decision

Implement concrete enterprise integration as an optional extension track. Core
Markitect should keep accepting normalized `PolicySubject` and `PolicyObject`
models, while enterprise adapters handle token verification, group freshness,
claim mapping, durable decision logs, and external PDP calls.

Do not map raw AD/LDAP/Entra group names directly to Markitect privileges.
Always map:

```text
directory groups -> canonical roles/scopes/trust labels -> PolicySubject
```

## P14.1 - Define enterprise policy map schema

```task
id: MKTT-WP-0014-T001
status: todo
priority: high
state_hub_task_id: "1894c50f-95c3-4e1a-bd4f-388f7624ebd7"
```

Define the mapping file that translates enterprise groups, roles, scopes,
tenants, assurance levels, and emergency rules into Markitect labels, trust
zones, allowed actions, and object constraints.

Output: schema, examples, diagnostics, and tests.

## P14.2 - Implement NetKingdom/key-cape identity claims adapter

```task
id: MKTT-WP-0014-T002
status: todo
priority: high
state_hub_task_id: "8a177375-09b3-4898-a053-7601f82fcb29"
```

Implement an optional `IdentityClaimsAdapter` that consumes
NetKingdom/key-cape-compatible OIDC discovery and JWTs.

It must validate:

- issuer
- audience
- expiry and issued-at
- signature through JWKS
- authorized party/client id where required
- MFA/assurance claims for privileged actions

Output: adapter, fixtures, negative tests, and clear diagnostics.

## P14.3 - Implement enterprise subject mapper

```task
id: MKTT-WP-0014-T003
status: todo
priority: high
state_hub_task_id: "6861d4bc-1bb8-440d-bb9e-33e20c7feb55"
```

Implement `EnterprisePolicyMapper` over the policy map schema. It should map
verified identity claims and resolved groups into gateway-ready
`PolicySubject` objects.

Output: mapper, examples, and tests for roles, scopes, groups, trust zones,
tenancy, and emergency access.

## P14.4 - Add directory group resolution boundary

```task
id: MKTT-WP-0014-T004
status: todo
priority: medium
state_hub_task_id: "56d6bad6-d706-47b3-b321-1f0e870ecc0d"
```

Implement a provider-neutral group-resolution layer for claims that are stale,
partial, or too large for tokens. Start with a fake/test resolver and specify
adapter hooks for SCIM, Microsoft Graph, LDAP, and Keycloak.

Output: resolver contract, freshness metadata, overage handling, and tests.

## P14.5 - Persist decision logs

```task
id: MKTT-WP-0014-T005
status: todo
priority: high
state_hub_task_id: "f212662c-4ffc-4cac-ace2-a43777f4960c"
```

Implement a durable `DecisionLogStore` for policy decisions from query, search,
context packages, workflows, exports, and assisted prompt assembly.

Decision logs should record subject id, token hash, action, object id, policy
version, decision effect, reason, redaction status, and provenance.

Output: storage adapter, CLI inspection path, and tests.

## P14.6 - Add external PDP examples

```task
id: MKTT-WP-0014-T006
status: todo
priority: medium
state_hub_task_id: "573a198f-df0b-470a-b11c-9ac839c0845e"
```

Provide reference adapters or documented examples for:

- OpenFGA/SpiceDB-style relationship checks through
  `RelationshipPolicyAdapter`
- OPA/Rego or Cedar-style rule checks through `RulePolicyAdapter`

Output: examples, adapter stubs, and policy request/decision fixtures.

## P14.7 - Integrate policy identity into workflows and context packages

```task
id: MKTT-WP-0014-T007
status: todo
priority: high
state_hub_task_id: "c4650304-0e2b-49c5-8569-e69907c08ccc"
```

Make workflow and future context-package execution accept explicit enterprise
identity and policy mapping configuration.

Required concepts:

- `subject_from_token`
- `policy_map`
- `required_assurance`
- `emergency_justification`
- decision-log sink

Output: workflow/context integration design, examples, and tests.

## P14.8 - Validate against NetKingdom IAM profile

```task
id: MKTT-WP-0014-T008
status: todo
priority: medium
state_hub_task_id: "0486e0c2-2cb9-4902-9a09-9ec729e9e79f"
```

Build conformance tests against the local IAM profile:

- required claims
- human Authorization Code + PKCE expectations
- service account claims
- local development issuer rejection in production mode
- emergency access audit requirements

Output: test fixtures and conformance checklist.

## Exit Criteria

- A NetKingdom/key-cape-compatible OIDC identity can be validated and mapped to
  a `PolicySubject`.
- Enterprise groups, roles, scopes, trust zones, and labels are mapped through
  a versioned policy map rather than raw directory names.
- Query, search, workflow, and context-package boundaries can enforce policy
  and emit durable decision logs.
- Directory group overage and freshness are represented explicitly.
- OpenFGA/SpiceDB and OPA/Cedar-style PDP integrations can attach without
  replacing Markitect's local policy gateway.
- The implementation remains optional and does not add enterprise IAM
  dependencies to core Markdown parsing or deterministic processing.

## Notes

This workplan should be picked up before using Markitect context caches for
production agent memory in enterprise settings. It does not need to block local
research on `MKTT-WP-0008`, but it should gate production deployment of
reactivatable cross-document context packages.