docs(architecture): add enterprise identity federation doc and update git workflow rules #975
Open
sriaradhyula wants to merge 11 commits into main from
Conversation
Contributor
✅ No proprietary content detected. This PR is clear for review!
Contributor
📊 Test Coverage Report: Main Tests Coverage
📁 Coverage Artifacts
… git workflow rules
Add the Enterprise Identity Federation and User Impersonation architecture document to docs/docs/architecture/, covering OAuth 2.0 Token Exchange (RFC 8693), OBO delegation, Keycloak integration, and the full chain-of-trust design for CAIPE agents acting on behalf of authenticated users. Also update CLAUDE.md, .cursorrules, and .specify/.cursorrules to reflect the git worktree-based development workflow and the corrected branch naming convention: prebuild/<type>/<description> (e.g. prebuild/docs/enterprise-identity-federation).
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>

…ederation doc
The document referenced 'Pattern 2' without defining other patterns, making the label confusing. Replaced all instances with the architectural name each reference already used: 'One-Time User Consent with Identity Linking'.
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>

Replace all organization-specific references with generic equivalents:
- sri@cisco.com → user@example.com
- cisco.okta.com → your-org.okta.com
- @Sri-GH → @myusername
- 'Cisco Okta SSO' → 'Enterprise IdP (Okta)'
- '(e.g., Cisco)' prose removed; reframed as generic enterprise environment
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>

…eric placeholders
Replace the Keycloak identity provider JSON config block with fully generic placeholders so the document reads as reference architecture rather than a Cisco-specific runbook:
- alias: okta-enterprise → enterprise-idp
- displayName: 'Enterprise IdP (Okta)' kept, example clarified
- all URLs: your-org.okta.com → <idp-domain>
- clientId: caipe-keycloak-client → <keycloak-client-id>
- clientSecret vault key: okta-client-secret → idp-client-secret
- matching alias filter in Python snippet updated to enterprise-idp
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>

Rules changes (CLAUDE.md, .cursorrules, .specify/.cursorrules removal) extracted to prebuild/chore/git-worktree-workflow-rules (PR #976). This branch now contains only the architecture doc and spec.
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>

…agrams
Add two new architecture docs with Mermaid diagrams:
- slack-bot-authorization.md: End-to-end authorization topology, pre-authorization identity binding (Okta→Keycloak), runtime token exchange sequence with 4 scope validation gates, multi-agent scope isolation, JWT delegation chain, and error recovery flows. Clearly labels WebSocket (Socket Mode) for Slack↔Bot and A2A Protocol for Bot↔CAIPE communication.
- slack-io-guardrails.md: Input/output guardrail architecture for the Slack bot pipeline. Input guardrails (length, secrets, PII, prompt injection, content policy) and output guardrails (credential scan, PII leak, hallucination markers, content safety, format sanitization) with pluggable chain pattern, configuration schema, and observability/metrics integration.
Also adds both docs plus enterprise-identity-federation to the docs sidebar, and cross-references the authorization diagrams from the federation doc.
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Made-with: Cursor

…tt chart
Converts the CAIPE Architecture Evolution slide into a Docusaurus markdown page with a Mermaid Gantt chart covering the roadmap from static distributed agents through dynamic/single unification and persona-based profiles.
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Made-with: Cursor

Spec 096: policy engine comparison (Cedar, CEL, Casbin, OPA/Rego), AgentGateway/Keycloak/Slack-Webex external authz research, and supporting architecture docs (identity federation, Slack authorization and I/O guardrails, architecture evolution) consolidated under docs/docs/specs.
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Made-with: Cursor

Rename docs/docs/specs/096-policy-engine-comparison to 093-agent-enterprise-identity; update spec number (093), feature branch name, and research context lines.
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Made-with: Cursor

…mparison
Keep git branch name unchanged for the open PR; document spec folder slug 093-agent-enterprise-identity in the same line.
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Made-with: Cursor

Fold documentation-site and contributor-workflow checklist from former 095-enterprise-identity-federation-docs into 093 spec.md and README. Remove redundant 095 spec file.
Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
Made-with: Cursor
7f5642c to a11d743
Summary
- docs/docs/architecture/enterprise-identity-federation.md — architecture document covering OAuth 2.0 Token Exchange (RFC 8693), On-Behalf-Of (OBO) delegation, Keycloak integration, and the chain-of-trust design for CAIPE agents acting on behalf of authenticated users
- CLAUDE.md git workflow section to document the git worktree approach and corrected prebuild/<type>/<description> branch naming convention
- .cursorrules Development Workflow section with worktree commands and correct branch name examples
- .specify/.cursorrules with a Git Worktree Workflow section under Development Standards
- .specify/specs/enterprise-identity-federation-docs.md tracking this change

Test plan
- docs/docs/architecture/enterprise-identity-federation.md renders correctly in Docusaurus
- prebuild/<type>/... branch naming