Close IAM Profile integration gate
@@ -84,6 +84,14 @@ mapping, readiness-summary inputs, and read-model gaps. This closes the T14
|
||||
definition gate while leaving deployed evidence, cutover coupling, and UI work
|
||||
for T16/T17/T18.
|
||||
|
||||
2026-06-27 T03 closeout: Core Hub now has a reusable IAM Profile verifier and
|
||||
FastAPI dependency plus `tests/test_iam_profile.py`, which proves OIDC
|
||||
discovery, JWKS signature validation, authorization-code + PKCE token issuance,
|
||||
protected endpoint access, required IAM Profile claims, missing-token rejection,
|
||||
wrong-audience rejection, and production rejection of local-development issuers.
|
||||
This closes the identity integration template while leaving production issuer
|
||||
wiring for the deployed Core Hub gates.
|
||||
|
||||
## Remaining Gates
|
||||
|
||||
- Run `make deployed-smoke` or `make operator-cli CLI_ARGS="deployed-smoke ..."`
|
||||
|
||||
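Review bot: In the added T03 closeout paragraph, the list of what `tests/test_iam_profile.py` proves names only two token rejection cases, missing token and wrong audience, plus production rejection of local-development issuers. It does not say whether an expired token, a token with an invalid signature, or a token from an unexpected non-local issuer is rejected. If the test file covers those cases, list them here; if it does not, say so in the closeout so the gate is not read as covering more than it does. The paragraph also names the test file but not where the reusable verifier and FastAPI dependency live; adding that path would help the next reader.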
@@ -104,14 +104,14 @@ Resume from `docs/daily-triage-stabilization-status.md` and
|
||||
| issue-core | ArgoCD service is healthy on port `8765`; image `0.2.1`; ExternalSecret Ready; authenticated smoke created Gitea issue `175`. | activity-core still needs `ISSUE_CORE_API_KEY`, URL port `8765`, `ISSUE_SINK_TYPE=rest`, and a safe emission smoke. |
|
||||
| Forgejo | Migration inventory/design lane is active but pre-cutover. | Production design decisions, SMTP/email recovery, package registry, Actions, backup/restore, migration drill, cutover approval. |
|
||||
| artifact-store | D7.1 is done; D7.2 has an opt-in live MinIO compatibility harness and manual smoke docs. No live secret handoff is recorded. | Run D7.2 against an approved MinIO-compatible endpoint, then route D7.3 STS vending through identity/platform custody before changing credential behavior. |
|
||||
| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity and IAM Profile v0.2 are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Keep `CUST-WP-0025-T03` as the identity integration test, then execute the rewritten Core Hub ops evidence, deployed smoke/cutover, and UI first-screen gates. |
|
||||
| FOS hub | Old NK-WP-0001 Keycloak prerequisite is cancelled; NK-WP-0002 local identity, IAM Profile v0.2, and the Core Hub FastAPI IAM Profile integration test are done; hub-core extraction/dev-hub work is done; CUST-WP-0025 Phase 3 has been rewritten for Core Hub. | Execute the rewritten Core Hub deployed smoke/cutover and UI first-screen gates: `CUST-WP-0025-T16`, `T17`, and `T18`. |
|
||||
|
||||
## Next-Pick List
|
||||
|
||||
1. Execute the remaining rewritten `CUST-WP-0025` Core Hub gates: identity
|
||||
integration (`T03`), deployed smoke and activity-core proof (`T16`), cutover
|
||||
decision coupling (`T17`), and first UI screens (`T18`). T14 is complete as
|
||||
the ops evidence/read-model contract definition gate.
|
||||
1. Execute the remaining rewritten `CUST-WP-0025` Core Hub gates: deployed
|
||||
smoke and activity-core proof (`T16`), cutover decision coupling (`T17`),
|
||||
and first UI screens (`T18`). T03 and T14 are complete as the identity
|
||||
integration template and ops evidence/read-model contract gates.
|
||||
2. Keep `CUST-WP-0047` and `CUST-WP-0049` as legacy evidence/fallback until
|
||||
Core Hub deployed smoke evidence or an explicit supersede decision closes
|
||||
them.
|
||||
|
||||
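Review bot: The updated FOS hub row and Next-Pick item 1 mark T03 complete and list only `T16`, `T17`, and `T18` as remaining, but the closeout text earlier in this change leaves production issuer wiring "for the deployed Core Hub gates" without naming one. Name the gate that owns production issuer wiring in the row's remaining-work column or in item 1 (if that is `T16`, say so there), so the follow-up is tracked rather than implied.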