Close IAM Profile integration gate
@@ -84,6 +84,14 @@ mapping, readiness-summary inputs, and read-model gaps. This closes the T14
definition gate while leaving deployed evidence, cutover coupling, and UI work
for T16/T17/T18.
2026-06-27 T03 closeout: Core Hub now has a reusable IAM Profile verifier and
FastAPI dependency plus `tests/test_iam_profile.py`, which proves OIDC
discovery, JWKS signature validation, authorization-code + PKCE token issuance,
protected endpoint access, required IAM Profile claims, missing-token rejection,
wrong-audience rejection, and production rejection of local-development issuers.
This closes the identity integration template while leaving production issuer
wiring for the deployed Core Hub gates.
## Remaining Gates
- Run `make deployed-smoke` or `make operator-cli CLI_ARGS="deployed-smoke ..."`
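Review bot: the T03 closeout paragraph says the test proves "JWKS signature validation" but does not record which signing algorithms the verifier accepts or whether the accepted algorithm is pinned in the verifier rather than read from the token header; since this paragraph is the closeout record that the deployed-smoke and production issuer wiring gates (T16/T17) will build on, consider adding that one detail here so later reviewers can confirm it without reading `tests/test_iam_profile.py`.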
@@ -104,14 +104,14 @@ Resume from `docs/daily-triage-stabilization-status.md` and
| issue-core | ArgoCD service is healthy on port `8765`; image `0.2.1`; ExternalSecret Ready; authenticated smoke created Gitea issue `175`. | activity-core still needs `ISSUE_CORE_API_KEY`, URL port `8765`, `ISSUE_SINK_TYPE=rest`, and a safe emission smoke. |
| Forgejo | Migration inventory/design lane is active but pre-cutover. | Production design decisions, SMTP/email recovery, package registry, Actions, backup/restore, migration drill, cutover approval. |
| artifact-store | D7.1 is done; D7.2 has an opt-in live MinIO compatibility harness and manual smoke docs. No live secret handoff is recorded. | Run D7.2 against an approved MinIO-compatible endpoint, then route D7.3 STS vending through identity/platform custody before changing credential behavior. |
| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity and IAM Profile v0.2 are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Keep `CUST-WP-0025-T03` as the identity integration test, then execute the rewritten Core Hub ops evidence, deployed smoke/cutover, and UI first-screen gates. |
| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity, IAM Profile v0.2, and the Core Hub FastAPI IAM Profile integration test are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Execute the rewritten Core Hub deployed smoke/cutover and UI first-screen gates: `CUST-WP-0025-T16`, `T17`, and `T18`. |
## Next-Pick List
1. Execute the remaining rewritten `CUST-WP-0025` Core Hub gates: identity
integration (`T03`), deployed smoke and activity-core proof (`T16`), cutover
decision coupling (`T17`), and first UI screens (`T18`). T14 is complete as
the ops evidence/read-model contract definition gate.
1. Execute the remaining rewritten `CUST-WP-0025` Core Hub gates: deployed
smoke and activity-core proof (`T16`), cutover decision coupling (`T17`),
and first UI screens (`T18`). T03 and T14 are complete as the identity
integration template and ops evidence/read-model contract gates.
2. Keep `CUST-WP-0047` and `CUST-WP-0049` as legacy evidence/fallback until
Core Hub deployed smoke evidence or an explicit supersede decision closes
them.
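Review bot: the new FOS hub table row lists only `CUST-WP-0025-T16`, `T17`, and `T18` in its remaining column, while the closeout paragraph in the first hunk explicitly leaves "production issuer wiring for the deployed Core Hub gates" open; add that item to the remaining column (or say under which of T16/T17 it is tracked) so the table and the closeout text agree on what identity work is still outstanding.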
@@ -91,7 +91,7 @@ Cross-reference: net-kingdom NK-WP-0002.
```task
id: CUST-WP-0025-T03
status: todo
status: done
priority: medium
state_hub_task_id: "e9894ac9-add3-45a6-9893-ea67c6e5e260"
```
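Review bot: the `task` block flips `status` from `todo` to `done` but carries no completion date or evidence pointer, while the prose in the next hunk records "Completed 2026-06-27" and names `tests/test_iam_profile.py`; if the task schema that backs `state_hub_task_id` has fields for those, record them in the block too so the structured record and the markdown do not drift.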
@@ -104,7 +104,17 @@ Write a minimal test service + integration test that:
This test becomes the template for hub-core auth middleware.
2026-06-27 sequencing update: this remains the real open identity gate, but it should target the current NetKingdom IAM Profile v0.2 contract and either local-identity or KeyCape lightweight issuer, not the archived `NK-WP-0001` Keycloak path.
2026-06-27 sequencing update: this was kept as the real identity gate, targeted at the current NetKingdom IAM Profile v0.2 contract and either local-identity or KeyCape lightweight issuer, not the archived `NK-WP-0001` Keycloak path.
Completed 2026-06-27: Core Hub now has a reusable FastAPI IAM Profile verifier
and dependency in `/home/worsch/core-hub/src/core_hub/iam_profile.py`.
`tests/test_iam_profile.py` proves a fixture IAM Profile issuer can expose OIDC
discovery/JWKS, issue an authorization-code + PKCE token, call a protected
FastAPI endpoint, and validate issuer, audience, expiry, roles, groups, scopes,
tenant, principal type, and assurance claims. Negative tests reject missing
bearer tokens, wrong audience, and production use of local-development issuers.
This closes the identity integration template without requiring NetKingdom repo
changes or production secrets.
### T04 — Canon standard: IAM Profile specification
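Review bot: the completed-note cites the verifier by an absolute workstation path, `/home/worsch/core-hub/src/core_hub/iam_profile.py`, while the very next sentence uses the repo-relative `tests/test_iam_profile.py`; use the repo-relative form `src/core_hub/iam_profile.py` for the verifier as well, since a home-directory path does not resolve for anyone else and leaks a local username into a checked-in planning document.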
@@ -454,8 +454,8 @@ mega-hub pattern.
Recommended order:
1. Keep `CUST-WP-0025-T03` as the remaining identity integration gate, targeting
the current IAM Profile v0.2 contract and local-identity or KeyCape issuer.
1. Keep the completed `CUST-WP-0025-T03` IAM Profile verifier/test as the
template for Core Hub auth consumers and future production issuer wiring.
2. Execute the rewritten Core Hub Phase 3 lane: ops evidence contract/read-model
gaps, deployed Core Hub smoke, activity-core Core Hub sink smoke,
migration/cutover readiness, and whynot-aligned first UI screens.
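Review bot: item 2 of the recommended order still lists "ops evidence contract/read-model gaps" as part of the Phase 3 lane to execute, but the surrounding hunks in this same commit record T14 as complete and state that it no longer blocks the Core Hub replacement lane; trim that phrase from item 2 (or qualify it as "already closed by T14") so the recommended order matches the T07 sequencing bullets.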
@@ -501,8 +501,8 @@ Progress 2026-06-27 Core Hub ops evidence contract:
- The spec defines API resources, non-secret evidence fields, event vocabulary,
service-inventory-to-widget/event mapping, readiness-summary inputs, and
read-model gaps to close before UI expansion or cutover claims.
- T07 sequencing now keeps `T03`, `T16`, `T17`, and `T18` open; T14 no longer
blocks the Core Hub replacement lane.
- T07 sequencing now keeps `T16`, `T17`, and `T18` open; T14 no longer blocks
the Core Hub replacement lane.
Progress 2026-06-27 CUST-WP-0052 closeout:
@@ -511,9 +511,19 @@ Progress 2026-06-27 CUST-WP-0052 closeout:
HelixForge/Railiance Forge practice, and posted non-secret State Hub
requirements to `railiance-apps` and `railiance-forge`.
- The remaining T07 gates are execution gates, not sequencing ambiguity:
`CUST-WP-0025-T03` identity integration, `T16/T17` deployed
evidence/cutover waits, and `T18` Core Hub operator UI first screens. `T14`
is complete as the ops evidence contract definition gate.
`T16/T17` deployed evidence/cutover waits and `T18` Core Hub operator UI
first screens. `T14` is complete as the ops evidence contract definition
gate.
Progress 2026-06-27 IAM Profile integration:
- Completed `CUST-WP-0025-T03` by adding Core Hub's reusable IAM Profile
verifier/dependency and a FastAPI fixture integration test covering OIDC
discovery, JWKS, authorization-code + PKCE token issuance, protected endpoint
access, required IAM Profile claims, missing-token rejection, wrong-audience
rejection, and production rejection of local-development issuers.
- Remaining T07 gates are now `CUST-WP-0025-T16`, `T17`, and `T18`; identity no
longer blocks the Core Hub replacement lane.
## Task: Create The Stable Pickup Checkpoint
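Review bot: the negative-test list in the new "Progress 2026-06-27 IAM Profile integration" bullet (missing token, wrong audience, local-development issuer in production) is narrower than the positive claim set it sits beside, which says the verifier validates issuer, audience, expiry, roles, groups, scopes, tenant, principal type, and assurance; before T16 treats this verifier as the template for production consumers, state whether expired-token and wrong-issuer rejection are covered by `tests/test_iam_profile.py`, and if not, list them as follow-up cases rather than leaving the bullet to imply the negative coverage is complete.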