Implement NK-WP-0012 IAM profile specification

2026-05-22 14:35:31 +02:00
parent 48cd174b00
commit c3f721397a
12 changed files with 1649 additions and 39 deletions


@@ -197,8 +197,9 @@ priority: high
conformance checks against the Keycloak issuer (discovery document, PKCE,
token/claim shape, JWKS, userinfo). Verify an application configured for
the IAM Profile can authenticate against either the KeyCape or the
Keycloak issuer per the T1 selection rule. Document per-tenant issuer
selection.
Keycloak issuer per the T1 selection rule. Use the canonical
`canon/standards/iam-profile_v0.2.md` contract and the executable suite in
`tools/iam-profile-conformance/`. Document per-tenant issuer selection.
```task
id: NK-WP-0011-T7
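Review bot: the rewritten T6 text names the spec by version (`canon/standards/iam-profile_v0.2.md`) but the conformance suite only by directory (`tools/iam-profile-conformance/`), so nothing in the task ties the suite to the profile version it asserts against. State which profile version the suite targets, or reference it through a versioned entry point, so that a later revision of the profile cannot silently change what T6 is considered to pass against.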
@@ -254,5 +255,6 @@ production-readiness checklist.
assurance evidence sourced from a federated token.
- **railiance-platform**: OpenBao must expose a Keycloak auth role / ESO
path before T3; unseal/break-glass story must be ready.
- **IAM Profile spec**: must be versioned and have an executable
conformance check before T6 can pass (see "Missing" below).
- **IAM Profile spec**: resolved by NK-WP-0012. T6 consumes
`canon/standards/iam-profile_v0.2.md` and
`tools/iam-profile-conformance/`.
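Review bot: the removed bullet carried the actual acceptance criterion ("must be versioned and have an executable conformance check before T6 can pass"); the replacement only names the artifacts. Keep the criterion next to the pointer, e.g. `- **IAM Profile spec**: resolved by NK-WP-0012 (versioned spec plus executable conformance check). T6 consumes ...`, so the T6 gate stays checkable from this workplan without reading the other one.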


@@ -4,13 +4,13 @@ type: workplan
title: "NetKingdom IAM Profile Specification"
domain: netkingdom
repo: net-kingdom
status: proposed
status: finished
owner: worsch
topic_slug: netkingdom
planning_priority: high
planning_order: 12
created: "2026-05-21"
updated: "2026-05-21"
updated: "2026-05-22"
depends_on:
- NK-WP-0006
state_hub_workstream_id: 9b8e4afc-eb71-47d9-8750-799a082b320a
@@ -86,7 +86,7 @@ Out of scope:
```task
id: NK-WP-0012-T1
state_hub_task_id: 284dda38-b778-445a-a7dc-9b5a12fa380f
status: todo
status: done
priority: high
```
@@ -101,7 +101,7 @@ breaking change is, how downstream is notified, how versions coexist).
```task
id: NK-WP-0012-T2
state_hub_task_id: 0070398d-b0a4-4c11-a6fa-000166e1108f
status: todo
status: done
priority: high
```
@@ -117,7 +117,7 @@ Remove hub-specific vocabulary from the core.
```task
id: NK-WP-0012-T3
state_hub_task_id: 6fc2a5e1-1480-42f1-86a2-3e714359e1ba
status: todo
status: done
priority: high
```
@@ -130,7 +130,7 @@ in the token). Align with NK-WP-0006 and the responsibility map.
```task
id: NK-WP-0012-T4
state_hub_task_id: 0e52ed45-afa7-4832-9d6a-1ebbbab43872
status: todo
status: done
priority: high
```
@@ -143,7 +143,7 @@ identity. This is the contract named in the responsibility map.
```task
id: NK-WP-0012-T5
state_hub_task_id: f0a62e77-b781-4625-b8bd-d191b48af58e
status: todo
status: done
priority: high
```
@@ -157,7 +157,7 @@ consumes; it must run against both a key-cape and a Keycloak issuer.
```task
id: NK-WP-0012-T6
state_hub_task_id: a1fd53a9-526f-4d87-89db-6073710c885d
status: todo
status: done
priority: medium
```
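Review bot: T6 is flipped to `done` without any evidence in the task block, while the hunk context states the check "must run against both a key-cape and a Keycloak issuer". The Completion Notes added elsewhere in this commit cite fixture tests for "key-cape-like and Keycloak-like issuers", which exercises the tool's parsing logic, not an authentication against a running issuer. Record the actual run (command, issuer discovery endpoints, suite result) in the task block, or leave T6 open until that run exists.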
@@ -183,6 +183,20 @@ interface/reference docs.
- Downstream reference docs point at the canonical spec; the custodian v0.1
carries a deprecation/relocation note.
## Completion Notes
- ADR: `docs/adr/ADR-0011-iam-profile-ownership-and-version-governance.md`
- Canonical profile: `canon/standards/iam-profile_v0.2.md`
- Executable conformance suite:
`tools/iam-profile-conformance/iam_profile_conformance.py`
- Fixture tests cover key-cape-like and Keycloak-like issuers, local-dev
rejection in production mode, tenant claim enforcement, provider-native
role normalization warnings, and delegated-agent claim shape.
- Cross-repo reference docs updated without touching downstream
`INTENT.md`: key-cape README/spec references now point at v0.2, and
flex-auth consumption docs plus claim fixtures now include v0.2 tenant,
principal, and assurance inputs.
## Dependencies & Sequencing
- **Depends on NK-WP-0006** for the recursive tenant model the claims encode.
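Review bot: the Completion Notes assert results that cannot be verified from this repository alone. The "Cross-repo reference docs updated" bullet describes edits to key-cape and flex-auth; if those edits live in the other repositories, link their commits or PRs here (or mark them pending), otherwise `status: finished` is not traceable. Likewise the fixture bullet should name the command that runs `tools/iam-profile-conformance/iam_profile_conformance.py` and where it runs (CI job or local invocation), so the "local-dev rejection in production mode" behaviour can be re-checked when the spec moves past v0.2.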
@@ -193,12 +207,17 @@ interface/reference docs.
**key-cape**/**Keycloak** as the implementations the conformance check
runs against — those repos implement, this workplan specifies and tests.
## Open Questions
## Resolved Questions
- Canonical role claim: `roles` vs `realm_access.roles`, or adapter
normalization of both (carried over from v0.1).
- Audience granularity: audience-per-service vs audience-per-endpoint.
- How agent principals differ from service accounts in claims and assurance
(delegated-authority agents vs plain workloads).
- Whether the conformance check is a standalone tool in net-kingdom or a
shared library other repos import.
- Canonical role claim: `roles` is canonical. `realm_access.roles` is a
transitional/provider-native source that must be mapped before
production consumption.
- Audience granularity: the core profile requires the receiving service
in `aud`; endpoint/resource granularity belongs to flex-auth
resource/action policy.
- Agent principals differ from service accounts through
`principal_type: agent`, an `agent` object, and delegated actor context
(`actor_sub` or `act.sub`) when applicable.
- The conformance check is a standalone tool in net-kingdom for v0.2.
Other repos consume it as an executable contract rather than importing
a shared library for now.
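Review bot: three of the resolutions leave the conflict case unspecified, and those are the cases a verifier gets wrong. (1) Canonical role claim: say what happens when a token carries both `roles` and `realm_access.roles` and they disagree (prefer `roles`, or reject), and whether an unmapped `realm_access.roles` in production mode is a hard failure rather than the "normalization warning" the Completion Notes describe; a warning alone lets a production token carrying roles only in the provider-native claim pass conformance. (2) Audience: "requires the receiving service in `aud`" should add that a multi-valued `aud` is acceptable only when the receiving service's own identifier is among the values, and that a token lacking it is rejected even when `aud` names another known service. (3) Delegated actor context: `actor_sub` or `act.sub` gives two locations for the same fact; define precedence or require exactly one, otherwise two verifiers can attribute the same delegated action to different actors.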