From 4158f05cff7396057e143b5c402fc875ec493e8c Mon Sep 17 00:00:00 2001 From: tegwick Date: Sun, 28 Jun 2026 00:20:05 +0200 Subject: [PATCH] Close IAM Profile integration gate --- docs/core-hub-replacement-evidence.md | 8 +++++++ ...ructure-stabilization-pickup-checkpoint.md | 10 ++++---- workplans/CUST-WP-0025-fos-hub-bootstrap.md | 14 +++++++++-- ...1-infrastructure-stabilization-metaplan.md | 24 +++++++++++++------ 4 files changed, 42 insertions(+), 14 deletions(-) diff --git a/docs/core-hub-replacement-evidence.md b/docs/core-hub-replacement-evidence.md index 863b289..c09aad9 100644 --- a/docs/core-hub-replacement-evidence.md +++ b/docs/core-hub-replacement-evidence.md @@ -84,6 +84,14 @@ mapping, readiness-summary inputs, and read-model gaps. This closes the T14 definition gate while leaving deployed evidence, cutover coupling, and UI work for T16/T17/T18. +2026-06-27 T03 closeout: Core Hub now has a reusable IAM Profile verifier and +FastAPI dependency plus `tests/test_iam_profile.py`, which proves OIDC +discovery, JWKS signature validation, authorization-code + PKCE token issuance, +protected endpoint access, required IAM Profile claims, missing-token rejection, +wrong-audience rejection, and production rejection of local-development issuers. +This closes the identity integration template while leaving production issuer +wiring for the deployed Core Hub gates. + ## Remaining Gates - Run `make deployed-smoke` or `make operator-cli CLI_ARGS="deployed-smoke ..."` diff --git a/docs/infrastructure-stabilization-pickup-checkpoint.md b/docs/infrastructure-stabilization-pickup-checkpoint.md index c96b2cf..f291d05 100644 --- a/docs/infrastructure-stabilization-pickup-checkpoint.md +++ b/docs/infrastructure-stabilization-pickup-checkpoint.md 
@@ -104,14 +104,14 @@ Resume from `docs/daily-triage-stabilization-status.md` and | issue-core | ArgoCD service is healthy on port `8765`; image `0.2.1`; ExternalSecret Ready; authenticated smoke created Gitea issue `175`. | activity-core still needs `ISSUE_CORE_API_KEY`, URL port `8765`, `ISSUE_SINK_TYPE=rest`, and a safe emission smoke. | | Forgejo | Migration inventory/design lane is active but pre-cutover. | Production design decisions, SMTP/email recovery, package registry, Actions, backup/restore, migration drill, cutover approval. | | artifact-store | D7.1 is done; D7.2 has an opt-in live MinIO compatibility harness and manual smoke docs. No live secret handoff is recorded. | Run D7.2 against an approved MinIO-compatible endpoint, then route D7.3 STS vending through identity/platform custody before changing credential behavior. | -| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity and IAM Profile v0.2 are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Keep `CUST-WP-0025-T03` as the identity integration test, then execute the rewritten Core Hub ops evidence, deployed smoke/cutover, and UI first-screen gates. | +| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity, IAM Profile v0.2, and the Core Hub FastAPI IAM Profile integration test are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Execute the rewritten Core Hub deployed smoke/cutover and UI first-screen gates: `CUST-WP-0025-T16`, `T17`, and `T18`. | ## Next-Pick List -1. Execute the remaining rewritten `CUST-WP-0025` Core Hub gates: identity - integration (`T03`), deployed smoke and activity-core proof (`T16`), cutover - decision coupling (`T17`), and first UI screens (`T18`). T14 is complete as - the ops evidence/read-model contract definition gate. +1. 
Execute the remaining rewritten `CUST-WP-0025` Core Hub gates: deployed + smoke and activity-core proof (`T16`), cutover decision coupling (`T17`), + and first UI screens (`T18`). T03 and T14 are complete as the identity + integration template and ops evidence/read-model contract gates. 2. Keep `CUST-WP-0047` and `CUST-WP-0049` as legacy evidence/fallback until Core Hub deployed smoke evidence or an explicit supersede decision closes them. diff --git a/workplans/CUST-WP-0025-fos-hub-bootstrap.md b/workplans/CUST-WP-0025-fos-hub-bootstrap.md index 4e6630c..c46e155 100644 --- a/workplans/CUST-WP-0025-fos-hub-bootstrap.md +++ b/workplans/CUST-WP-0025-fos-hub-bootstrap.md @@ -91,7 +91,7 @@ Cross-reference: net-kingdom NK-WP-0002. ```task id: CUST-WP-0025-T03 -status: todo +status: done priority: medium state_hub_task_id: "e9894ac9-add3-45a6-9893-ea67c6e5e260" ``` 
@@ -104,7 +104,17 @@ Write a minimal test service + integration test that: This test becomes the template for hub-core auth middleware. -2026-06-27 sequencing update: this remains the real open identity gate, but it should target the current NetKingdom IAM Profile v0.2 contract and either local-identity or KeyCape lightweight issuer, not the archived `NK-WP-0001` Keycloak path. +2026-06-27 sequencing update: this was kept as the real identity gate, targeted at the current NetKingdom IAM Profile v0.2 contract and either local-identity or KeyCape lightweight issuer, not the archived `NK-WP-0001` Keycloak path. + +Completed 2026-06-27: Core Hub now has a reusable FastAPI IAM Profile verifier +and dependency in `/home/worsch/core-hub/src/core_hub/iam_profile.py`. +`tests/test_iam_profile.py` proves a fixture IAM Profile issuer can expose OIDC +discovery/JWKS, issue an authorization-code + PKCE token, call a protected +FastAPI endpoint, and validate issuer, audience, expiry, roles, groups, scopes, +tenant, principal type, and assurance claims. Negative tests reject missing +bearer tokens, wrong audience, and production use of local-development issuers. +This closes the identity integration template without requiring NetKingdom repo +changes or production secrets. ### T04 — Canon standard: IAM Profile specification diff --git a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md index 7bee89d..499fc7d 100644 --- a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md +++ b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md 
@@ -454,8 +454,8 @@ mega-hub pattern. Recommended order: -1. Keep `CUST-WP-0025-T03` as the remaining identity integration gate, targeting - the current IAM Profile v0.2 contract and local-identity or KeyCape issuer. +1. Keep the completed `CUST-WP-0025-T03` IAM Profile verifier/test as the + template for Core Hub auth consumers and future production issuer wiring. 2. Execute the rewritten Core Hub Phase 3 lane: ops evidence contract/read-model gaps, deployed Core Hub smoke, activity-core Core Hub sink smoke, migration/cutover readiness, and whynot-aligned first UI screens. @@ -501,8 +501,8 @@ Progress 2026-06-27 Core Hub ops evidence contract: - The spec defines API resources, non-secret evidence fields, event vocabulary, service-inventory-to-widget/event mapping, readiness-summary inputs, and read-model gaps to close before UI expansion or cutover claims. -- T07 sequencing now keeps `T03`, `T16`, `T17`, and `T18` open; T14 no longer - blocks the Core Hub replacement lane. +- T07 sequencing now keeps `T16`, `T17`, and `T18` open; T14 no longer blocks + the Core Hub replacement lane. Progress 2026-06-27 CUST-WP-0052 closeout: 
@@ -511,9 +511,19 @@ Progress 2026-06-27 CUST-WP-0052 closeout: HelixForge/Railiance Forge practice, and posted non-secret State Hub requirements to `railiance-apps` and `railiance-forge`. - The remaining T07 gates are execution gates, not sequencing ambiguity: - `CUST-WP-0025-T03` identity integration, `T16/T17` deployed - evidence/cutover waits, and `T18` Core Hub operator UI first screens. `T14` - is complete as the ops evidence contract definition gate. + `T16/T17` deployed evidence/cutover waits and `T18` Core Hub operator UI + first screens. `T14` is complete as the ops evidence contract definition + gate. + +Progress 2026-06-27 IAM Profile integration: + +- Completed `CUST-WP-0025-T03` by adding Core Hub's reusable IAM Profile + verifier/dependency and a FastAPI fixture integration test covering OIDC + discovery, JWKS, authorization-code + PKCE token issuance, protected endpoint + access, required IAM Profile claims, missing-token rejection, wrong-audience + rejection, and production rejection of local-development issuers. +- Remaining T07 gates are now `CUST-WP-0025-T16`, `T17`, and `T18`; identity no + longer blocks the Core Hub replacement lane. ## Task: Create The Stable Pickup Checkpoint
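Review bot: on the `docs/core-hub-replacement-evidence.md` hunk (`@@ -84,6 +84,14 @@`), the closeout names only three negative cases (missing token, wrong audience, local-development issuer in production) while the positive list claims "JWKS signature validation" and the workplan text claims expiry is validated; for a verifier that is explicitly meant to be the template for every Core Hub auth consumer, the rejection paths that matter most are an invalid or unknown-`kid` signature, an expired token and a wrong issuer. If `tests/test_iam_profile.py` already covers them, list them here so the evidence page is complete; if it does not, they belong in the test before T03 is recorded as done. Also, "leaving production issuer wiring for the deployed Core Hub gates" should name the gate that owns it (the later hunks imply `T16`/`T17`) so a reader of this page alone knows where to look.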
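Review bot: on the `docs/infrastructure-stabilization-pickup-checkpoint.md` hunk (`@@ -104,14 +104,14 @@`), the new FOS hub row says the IAM Profile integration test is done but drops every mention of T03 and of the still-open production issuer wiring, so the checkpoint now reads as if identity is fully closed. Since this file is the pickup point for whoever resumes the lane, the "remaining" cell should carry one clause such as "production issuer wiring remains under `T16`/`T17`" to match the evidence page in the same patch.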
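Review bot: on the second `workplans/CUST-WP-0025-fos-hub-bootstrap.md` hunk (`@@ -104,7 +104,17 @@`), the completion note cites the verifier as `/home/worsch/core-hub/src/core_hub/iam_profile.py`, an absolute path into one developer's home directory; use the repository-relative `src/core_hub/iam_profile.py` (as the test is already cited relative, `tests/test_iam_profile.py`) so the workplan stays valid on any checkout and does not leak local environment detail. Separately, the dated "2026-06-27 sequencing update" line is rewritten in place into past tense ("this was kept as the real identity gate"), which retroactively changes a dated log entry; prefer leaving that entry as written and letting the new "Completed 2026-06-27" paragraph carry the status change.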
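Review bot: on the first `workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md` hunk (`@@ -454,8 +454,8 @@`), item 1 of "Recommended order" is now a statement about a completed task ("Keep the completed ... as the template") rather than an action, so the ordered list no longer starts with something to execute. Either move that sentence to a note above the list or fold it into item 2 as the precondition for the Core Hub Phase 3 lane, so the numbering again reflects the execution order.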
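Review bot: on the last `workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md` hunk (`@@ -511,9 +511,19 @@`), the new progress entry ends with "identity no longer blocks the Core Hub replacement lane", but the evidence-page hunk in this same patch says production issuer wiring is deferred to the deployed gates; as written the two statements conflict for anyone reading only the metaplan. Qualify it as "identity integration no longer blocks the lane; production issuer wiring is tracked under `T16`/`T17`", and consider not restating the full test-coverage list a third time here, since the evidence page is the canonical record and the duplicated lists will drift.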