thalos-domain/docs/migration/policy-behavior-invariants.md
2026-02-25 13:13:56 -06:00

Policy Behavior Invariants

Invariants

  • Equivalent policy inputs produce equivalent policy decisions.
  • Token decision fallback behavior remains stable until explicitly revised.
  • Provider semantics are explicit:
    • InternalJwt: standard identity permission evaluation.
    • AzureAd and Google: policy permission must remain within identity.* scope.
  • Service transport contracts remain stable during domain extraction.

Validation Approach

  • Capture pre/post decision examples for policy and token flows.
  • Validate delegation path: service orchestrates, domain decides.
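
One way to run the pre/post capture as an automated check (an added example, not code from the thalos-domain repository): the same recorded cases are fed to the pre-extraction and post-extraction decision functions, and any drift or identity.* scope escape is reported. All function and type names are hypothetical, and it assumes an out-of-scope permission is denied for AzureAd and Google.

```python
from typing import Callable, NamedTuple

# Hypothetical names throughout; only the provider names and identity.* are from the page.
EXTERNAL_PROVIDERS = {"AzureAd", "Google"}
SCOPE_PREFIX = "identity."

class Case(NamedTuple):
    provider: str
    permission: str          # permission the policy asks for
    granted: frozenset       # permissions the identity holds

def in_identity_scope(permission: str) -> bool:
    # Match the dotted prefix so "identityx.read" or a bare "identity." cannot pass.
    return permission.startswith(SCOPE_PREFIX) and len(permission) > len(SCOPE_PREFIX)

def pre_decide(c: Case) -> bool:
    """Stand-in for the decision made in the service before extraction."""
    # Assumption: out-of-scope permissions are denied for external providers.
    if c.provider in EXTERNAL_PROVIDERS and not in_identity_scope(c.permission):
        return False
    return c.permission in c.granted

def post_decide(c: Case) -> bool:
    """Stand-in for the extracted domain decision; same semantics, new shape."""
    scoped = c.provider not in EXTERNAL_PROVIDERS or in_identity_scope(c.permission)
    return scoped and c.permission in c.granted

def regressed_decide(c: Case) -> bool:
    """Constructed regression: the provider scope check was lost in the move."""
    return c.permission in c.granted

def check_invariants(pre: Callable, post: Callable, cases) -> list:
    violations = []
    for c in cases:
        if pre(c) != post(c):
            violations.append(("decision-drift", c))
        if post(c) and c.provider in EXTERNAL_PROVIDERS and not in_identity_scope(c.permission):
            violations.append(("scope-escape", c))
    return violations

# Constructed sample inputs covering each provider and the scope boundary.
CASES = [
    Case("InternalJwt", "billing.read", frozenset({"billing.read"})),
    Case("InternalJwt", "billing.read", frozenset()),
    Case("AzureAd", "identity.profile.read", frozenset({"identity.profile.read"})),
    Case("AzureAd", "billing.read", frozenset({"billing.read"})),
    Case("Google", "identityx.read", frozenset({"identityx.read"})),
]
```

Swapping in the real service and domain entry points for the two stand-ins turns the constructed cases into a regression gate for the extraction.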