
feat: OIDC-to-Policy bridge and Trust Registry #26

Merged
bordumb merged 10 commits into main from fn-16 on Mar 5, 2026


Conversation

@bordumb (Contributor) commented Mar 5, 2026

Summary

  • OIDC-to-Policy Bridge (oidc-policy feature): Adds OidcClaims → EvalContext adapter and wires policy evaluation into the token exchange flow. Policy denials return 403 with POLICY_DENIED code.
  • OIDC Trust Registry (oidc-trust feature): Adds TrustRegistry types with provider lookup, repo glob matching, capability intersection, and TTL capping. Trust checks run before policy evaluation and return specific 403 codes (PROVIDER_NOT_TRUSTED, REPOSITORY_NOT_ALLOWED, CAPABILITY_NOT_ALLOWED).
  • Both features are independent, optional, and feature-gated behind oidc-policy and oidc-trust respectively.

Test plan

  • 4 integration tests for policy-gated token exchange (policy_gate.rs)
  • 6 integration tests for trust-registry-gated exchange (trust_registry.rs)
  • 14 unit tests for trust registry types and matching (trust.rs)
  • 5 unit tests for OidcClaims→EvalContext adapter (policy_adapter.rs)
  • All 52 bridge tests pass with --all-features
  • All 211 policy crate tests pass
  • Clippy clean, cargo deny clean, WASM/cross-compile checks pass

🤖 Generated with Claude Code
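A worked sketch of the trust-check sequence the summary describes (provider lookup, repo glob matching, capability intersection, TTL capping, then the three 403 codes in that order), added here as an example. It is not the PR's TrustRegistry code: the type and function names, the single-segment `*` glob semantics, the sample issuer and registry data, and the choice to narrow capabilities by intersection and deny only when nothing remains are all assumptions made for this illustration.

```rust
use std::collections::BTreeSet;

/// Sample issuer for the demo registry (constructed for this example).
pub const SAMPLE_ISSUER: &str = "https://token.actions.githubusercontent.com";

/// One trusted OIDC issuer and the limits it may mint within.
/// Hypothetical shape, not the project's TrustRegistry types.
#[derive(Debug, Clone)]
pub struct TrustedProvider {
    pub issuer: String,
    /// Repo globs such as "acme/*"; '*' never crosses a '/'.
    pub allowed_repos: Vec<String>,
    pub capabilities: BTreeSet<String>,
    pub max_ttl_secs: u64,
}

#[derive(Debug, Default)]
pub struct TrustRegistry {
    providers: Vec<TrustedProvider>,
}

/// One variant per 403 code named in the PR summary.
#[derive(Debug, PartialEq, Eq)]
pub enum TrustError {
    ProviderNotTrusted,
    RepositoryNotAllowed,
    CapabilityNotAllowed,
}

impl TrustError {
    pub fn code(&self) -> &'static str {
        match self {
            TrustError::ProviderNotTrusted => "PROVIDER_NOT_TRUSTED",
            TrustError::RepositoryNotAllowed => "REPOSITORY_NOT_ALLOWED",
            TrustError::CapabilityNotAllowed => "CAPABILITY_NOT_ALLOWED",
        }
    }
}

/// What the exchange may mint once trust checks pass: capped capabilities and TTL.
#[derive(Debug, PartialEq, Eq)]
pub struct Grant {
    pub capabilities: BTreeSet<String>,
    pub ttl_secs: u64,
}

/// Minimal glob: '*' matches any run of characters containing no '/', everything
/// else is literal. "acme/*" matches "acme/api" but not "acme/a/b".
pub fn glob_match(pattern: &str, s: &str) -> bool {
    match pattern.split_once('*') {
        None => pattern == s,
        Some((prefix, rest)) => {
            let tail = match s.strip_prefix(prefix) {
                Some(t) => t,
                None => return false,
            };
            (0..=tail.len())
                .filter(|&k| tail.is_char_boundary(k) && !tail[..k].contains('/'))
                .any(|k| glob_match(rest, &tail[k..]))
        }
    }
}

impl TrustRegistry {
    pub fn new(providers: Vec<TrustedProvider>) -> Self {
        Self { providers }
    }

    /// Runs the checks in the order the PR describes. `issuer` and `repository` are
    /// assumed to come from claims whose signature was already verified; no token
    /// parsing happens here. Unlisted capabilities are dropped (intersection), and
    /// only an empty result is a denial (assumption, see lead-in).
    pub fn check(&self, issuer: &str, repository: &str, requested: &BTreeSet<String>,
                 requested_ttl_secs: u64) -> Result<Grant, TrustError> {
        let provider = self.providers.iter()
            .find(|p| p.issuer == issuer)
            .ok_or(TrustError::ProviderNotTrusted)?;
        if !provider.allowed_repos.iter().any(|g| glob_match(g, repository)) {
            return Err(TrustError::RepositoryNotAllowed);
        }
        let capabilities: BTreeSet<String> =
            requested.intersection(&provider.capabilities).cloned().collect();
        if capabilities.is_empty() {
            return Err(TrustError::CapabilityNotAllowed);
        }
        // TTL capping: the caller never gets more than the provider's ceiling.
        Ok(Grant { capabilities, ttl_secs: requested_ttl_secs.min(provider.max_ttl_secs) })
    }
}

/// Demo registry with one provider (constructed data for this example).
pub fn sample_registry() -> TrustRegistry {
    TrustRegistry::new(vec![TrustedProvider {
        issuer: SAMPLE_ISSUER.to_string(),
        allowed_repos: vec!["acme/*".to_string(), "partner/infra".to_string()],
        capabilities: ["deploy:staging", "read:artifacts"].iter().map(|s| s.to_string()).collect(),
        max_ttl_secs: 900,
    }])
}

fn main() {
    let reg = sample_registry();
    let asked: BTreeSet<String> = ["deploy:staging", "admin"].iter().map(|s| s.to_string()).collect();
    match reg.check(SAMPLE_ISSUER, "acme/api", &asked, 3600) {
        Ok(g) => println!("granted {:?} for {}s", g.capabilities, g.ttl_secs),
        Err(e) => println!("403 {}", e.code()),
    }
}
```

The ordering matters for what an attacker learns: an untrusted issuer is rejected before its repository or capability claims are even inspected, so the registry leaks nothing about allowed repos to a token it does not trust, and the TTL cap is applied only on the success path.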

@vercel bot commented Mar 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: auths | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Mar 5, 2026 10:39am

@bordumb bordumb merged commit c139681 into main Mar 5, 2026
10 checks passed
@bordumb bordumb deleted the fn-16 branch March 5, 2026 10:43
