identity: trust-gated federated identity + cross-instance mapping (Phase 4 complete, +13)

federation.sx — peer-asserted subjects, advisory and trust-gated. An assertion is accepted only from an explicitly trusted peer (else {error, untrusted}) and is flagged {peer_asserted, Peer}, never promoted to local authority; acl decides what a peer-asserted identity may do. Cross- instance subject mapping namespaces remote subjects by peer ({federated, Peer, Remote}) so two peers' "alice" never collide, with optional explicit aliasing. Adds an audit-completeness test. New tests/federation.sx. All four phases done — 124/124. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 01:29:08 +00:00
parent a5c22c5a01
commit e448220b33
7 changed files with 179 additions and 10 deletions
--- a/lib/identity/tests/audit.sx
+++ b/lib/identity/tests/audit.sx
@@ -1,8 +1,8 @@
 ;; identity/tests/audit.sx — the grant audit ledger. Every grant
 ;; transition is recorded; the ledger is queryable per subject and
 ;; chronological. Covers issue/refresh/revoke wiring through the token
-;; registry, reuse-triggered revoke, per-subject isolation, and direct
-;; ledger use.
+;; registry, reuse-triggered revoke, per-subject isolation, completeness,
+;; and direct ledger use.

 (define id-audit-test-count 0)
 (define id-audit-test-pass 0)
@@ -79,6 +79,14 @@
    "A = identity_audit:start(),\n     Reg = identity_tokens:start(A),\n     identity_tokens:issue(Reg, alice, web, read),\n     identity_tokens:issue(Reg, bob, cli, write),\n     length(identity_audit:all(A))")
  2)

+;; ── completeness: no grant transition is dropped ─────────────────
+
+(id-audit-test
+  "the ledger is complete across a mixed transition stream"
+  (ida-ev
+    "A = identity_audit:start(),\n     Reg = identity_tokens:start(A),\n     identity_tokens:issue(Reg, alice, web, read),\n     {ok, _G, R} = identity_tokens:issue_grant(Reg, alice, cli, read),\n     identity_tokens:refresh(Reg, R),\n     {ok, B} = identity_tokens:issue(Reg, bob, web, read),\n     identity_tokens:revoke(Reg, B),\n     length(identity_audit:all(A))")
+  5)
+
 ;; ── start/0 stays unaudited (no regression) ──────────────────────

 (id-audit-test