generated from coulomb/repo-seed
Implement NK-WP-0012 IAM profile specification
@@ -197,8 +197,9 @@ priority: high
conformance checks against the Keycloak issuer (discovery document, PKCE,
token/claim shape, JWKS, userinfo). Verify an application configured for
the IAM Profile can authenticate against either the KeyCape or the
Keycloak issuer per the T1 selection rule. Document per-tenant issuer
selection.
Keycloak issuer per the T1 selection rule. Use the canonical
`canon/standards/iam-profile_v0.2.md` contract and the executable suite in
`tools/iam-profile-conformance/`. Document per-tenant issuer selection.

```task
id: NK-WP-0011-T7
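Review bot: the rewritten T6 description still does not say what counts as passing. The line `the IAM Profile can authenticate against either the KeyCape or the` leaves open whether the suite in `tools/iam-profile-conformance/` must pass against both issuers or only one of them, and `KeyCape` is spelled `key-cape` everywhere else in this change. Suggest an explicit acceptance criterion such as "the suite in `tools/iam-profile-conformance/` passes against both the key-cape and the Keycloak issuer", and one spelling of the project name throughout.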
@@ -254,5 +255,6 @@ production-readiness checklist.
assurance evidence sourced from a federated token.
- **railiance-platform**: OpenBao must expose a Keycloak auth role / ESO
path before T3; unseal/break-glass story must be ready.
- **IAM Profile spec**: must be versioned and have an executable
conformance check before T6 can pass (see "Missing" below).
- **IAM Profile spec**: resolved by NK-WP-0012. T6 consumes
`canon/standards/iam-profile_v0.2.md` and
`tools/iam-profile-conformance/`.
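Review bot: the replacement drops the gating condition and keeps only the pointer: `must be versioned and have an executable conformance check before T6 can pass` becomes `resolved by NK-WP-0012. T6 consumes`, so nothing in this dependency list says T6 stays blocked if the v0.2 contract or the suite changes underneath it. Suggest keeping the condition next to the reference, e.g. "T6 passes only against the pinned `canon/standards/iam-profile_v0.2.md` and the matching suite in `tools/iam-profile-conformance/`".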
@@ -4,13 +4,13 @@ type: workplan
title: "NetKingdom IAM Profile Specification"
domain: netkingdom
repo: net-kingdom
status: proposed
status: finished
owner: worsch
topic_slug: netkingdom
planning_priority: high
planning_order: 12
created: "2026-05-21"
updated: "2026-05-21"
updated: "2026-05-22"
depends_on:
- NK-WP-0006
state_hub_workstream_id: 9b8e4afc-eb71-47d9-8750-799a082b320a
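Review bot: `status: finished` is set while `depends_on:` / `- NK-WP-0006` is unchanged, and the Dependencies & Sequencing section of this same file says the claims encode the recursive tenant model from NK-WP-0006. If that workplan is not itself finished, record (in the frontmatter or the Completion Notes) which state of the tenant model v0.2 assumes, so that a later change there is visible as a breaking-change trigger for the profile rather than silently invalidating a "finished" spec.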
@@ -86,7 +86,7 @@ Out of scope:
```task
id: NK-WP-0012-T1
state_hub_task_id: 284dda38-b778-445a-a7dc-9b5a12fa380f
status: todo
status: done
priority: high
```

@@ -101,7 +101,7 @@ breaking change is, how downstream is notified, how versions coexist).
```task
id: NK-WP-0012-T2
state_hub_task_id: 0070398d-b0a4-4c11-a6fa-000166e1108f
status: todo
status: done
priority: high
```

@@ -117,7 +117,7 @@ Remove hub-specific vocabulary from the core.
```task
id: NK-WP-0012-T3
state_hub_task_id: 6fc2a5e1-1480-42f1-86a2-3e714359e1ba
status: todo
status: done
priority: high
```

@@ -130,7 +130,7 @@ in the token). Align with NK-WP-0006 and the responsibility map.
```task
id: NK-WP-0012-T4
state_hub_task_id: 0e52ed45-afa7-4832-9d6a-1ebbbab43872
status: todo
status: done
priority: high
```

@@ -143,7 +143,7 @@ identity. This is the contract named in the responsibility map.
```task
id: NK-WP-0012-T5
state_hub_task_id: f0a62e77-b781-4625-b8bd-d191b48af58e
status: todo
status: done
priority: high
```

@@ -157,7 +157,7 @@ consumes; it must run against both a key-cape and a Keycloak issuer.
```task
id: NK-WP-0012-T6
state_hub_task_id: a1fd53a9-526f-4d87-89db-6073710c885d
status: todo
status: done
priority: medium
```

@@ -183,6 +183,20 @@ interface/reference docs.
- Downstream reference docs point at the canonical spec; the custodian v0.1
carries a deprecation/relocation note.

## Completion Notes

- ADR: `docs/adr/ADR-0011-iam-profile-ownership-and-version-governance.md`
- Canonical profile: `canon/standards/iam-profile_v0.2.md`
- Executable conformance suite:
`tools/iam-profile-conformance/iam_profile_conformance.py`
- Fixture tests cover key-cape-like and Keycloak-like issuers, local-dev
rejection in production mode, tenant claim enforcement, provider-native
role normalization warnings, and delegated-agent claim shape.
- Cross-repo reference docs updated without touching downstream
`INTENT.md`: key-cape README/spec references now point at v0.2, and
flex-auth consumption docs plus claim fixtures now include v0.2 tenant,
principal, and assurance inputs.

## Dependencies & Sequencing

- **Depends on NK-WP-0006** for the recursive tenant model the claims encode.
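Review bot: the completion evidence for T6 is fixture-based (`Fixture tests cover key-cape-like and Keycloak-like issuers`), while the T6 hunk of this same file says the check `must run against both a key-cape and a Keycloak issuer`. State in the Completion Notes whether the suite was also executed against live issuers, and if it was not, say so explicitly so that fixture-only coverage is not read as live conformance. The entry for `tools/iam-profile-conformance/iam_profile_conformance.py` should also give the invocation (arguments, what a passing run returns), since other repos are expected to consume it as an executable contract.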
@@ -193,12 +207,17 @@ interface/reference docs.
**key-cape**/**Keycloak** as the implementations the conformance check
runs against — those repos implement, this workplan specifies and tests.

## Open Questions
## Resolved Questions

- Canonical role claim: `roles` vs `realm_access.roles`, or adapter
normalization of both (carried over from v0.1).
- Audience granularity: audience-per-service vs audience-per-endpoint.
- How agent principals differ from service accounts in claims and assurance
(delegated-authority agents vs plain workloads).
- Whether the conformance check is a standalone tool in net-kingdom or a
shared library other repos import.
- Canonical role claim: `roles` is canonical. `realm_access.roles` is a
transitional/provider-native source that must be mapped before
production consumption.
- Audience granularity: the core profile requires the receiving service
in `aud`; endpoint/resource granularity belongs to flex-auth
resource/action policy.
- Agent principals differ from service accounts through
`principal_type: agent`, an `agent` object, and delegated actor context
(`actor_sub` or `act.sub`) when applicable.
- The conformance check is a standalone tool in net-kingdom for v0.2.
Other repos consume it as an executable contract rather than importing
a shared library for now.
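Review bot: the delegated-actor resolution leaves two spellings for the same context, `(`actor_sub` or `act.sub`) when applicable`, so every verifier has to look in both places and a token carrying neither, or both with different values, has no defined outcome. Mirror the role-claim decision made two bullets up: name one form canonical, treat the other as a provider-native input the adapter maps, and have the conformance suite warn on the non-canonical form the same way it warns on `realm_access.roles`.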