AgileWebs/thalos-domain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0c00dce7ee
thalos-domain/docs/migration/policy-behavior-invariants.md
José René White Enciso 0430af9396 feat(thalos-domain): add provider-aware policy invariants
2026-02-25 13:13:56 -06:00

14 lines
589 B
Markdown
Raw Blame History

# Policy Behavior Invariants
## Invariants
- Equivalent policy inputs produce equivalent policy decisions.
- Token decision fallback behavior remains stable until explicitly revised.
- Provider semantics are explicit:
- `InternalJwt`: standard identity permission evaluation.
- `AzureAd` and `Google`: policy permission must remain within `identity.*` scope.
- Service transport contracts remain stable during domain extraction.
## Validation Approach
- Capture pre/post decision examples for policy and token flows.
- Validate delegation path: service orchestrates, domain decides.
Reference in New Issue View Git Blame Copy Permalink