Summary
Add an `identity-spiffe` plugin (sibling to `identity-jwt` under `builtins/plugins/`) that validates SPIFFE SVIDs and maps the SPIFFE ID into the subject/workload-identity extension.
`identity-jwt` validates bearer JWTs, but agent deployments increasingly authenticate with workload identity — SPIFFE SVID or k8s ServiceAccount — not a bearer JWT. The new plugin reuses the existing `identity_resolve` hook: validate an x509-SVID / JWT-SVID, then map `spiffe://<trust-domain>/ns/<ns>/sa/<sa>` into the subject extension so policy can key on workload identity.
User Story 1
- As an: operator running agents under SPIFFE/SPIRE
- I want: CPEX to resolve identity from a SPIFFE SVID
- So that: policies reference agents by workload identity, not bearer token or IP/hostname
Acceptance Criteria
Scenario: Valid SVID resolves to a subject
Given an agent presenting a valid x509-SVID or JWT-SVID
When identity_resolve runs
Then the SPIFFE ID is mapped into the subject extension
Scenario: Untrusted trust domain is rejected
Given an SVID from a trust domain not in the plugin's trust config
When identity_resolve runs
Then identity resolution fails and the request is denied
Scenario: Policy keys on workload identity
Given a resolved SPIFFE subject
When a route requires a specific workload identity
Then the policy matches on the SPIFFE ID
Design Sketch
Mirror the `identity-jwt` layout (`config.rs`, `factory.rs`, `resolver.rs`, trust config). Validate against a configured set of trusted SPIFFE trust domains; support both x509-SVID and JWT-SVID.
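The core of the resolver sketched above, and of the three acceptance scenarios, is the step after SVID signature/chain validation: parse the SPIFFE ID, fail closed on any trust domain not in the plugin's trust config, and map the `/ns/<ns>/sa/<sa>` path into a subject the policy layer can match on. The following is an added, stand-alone Rust example and is not CPEX code; `TrustConfig`, `WorkloadSubject`, `ResolveError` and `resolve_spiffe_id` are hypothetical names, and cryptographic validation of the SVID itself is assumed to have already succeeded before this function runs.

```rust
// Added example, not CPEX project code: parse a SPIFFE ID, enforce the
// configured trust-domain allow-list, and map the ID into a workload subject.
// TrustConfig / WorkloadSubject / resolve_spiffe_id are hypothetical names.
// SVID signature and chain validation are assumed to have happened already.
use std::collections::HashSet;

/// Hypothetical trust config: the trust domains this plugin accepts.
#[derive(Debug, Clone)]
pub struct TrustConfig {
    pub trusted_domains: HashSet<String>,
}

/// Hypothetical subject extension populated by the identity_resolve hook.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct WorkloadSubject {
    pub spiffe_id: String,
    pub trust_domain: String,
    /// Populated only when the path has the k8s form /ns/<ns>/sa/<sa>.
    pub namespace: Option<String>,
    pub service_account: Option<String>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ResolveError {
    NotSpiffe,
    BadTrustDomain,
    UntrustedDomain(String),
    BadPath,
}

// SPIFFE trust domains: lowercase letters, digits, '.', '-', '_'.
fn valid_domain_char(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

// SPIFFE path segments: ASCII letters, digits, '.', '-', '_'.
fn valid_path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

/// Resolve a SPIFFE ID into a subject, or fail closed with an error.
pub fn resolve_spiffe_id(cfg: &TrustConfig, id: &str) -> Result<WorkloadSubject, ResolveError> {
    let rest = id.strip_prefix("spiffe://").ok_or(ResolveError::NotSpiffe)?;
    // Split authority (trust domain) from the optional path.
    let (domain, path) = match rest.split_once('/') {
        Some((d, p)) => (d, Some(p)),
        None => (rest, None),
    };
    if domain.is_empty() || !domain.chars().all(valid_domain_char) {
        return Err(ResolveError::BadTrustDomain);
    }
    // Deny anything outside the configured trust domains (scenario 2).
    if !cfg.trusted_domains.contains(domain) {
        return Err(ResolveError::UntrustedDomain(domain.to_string()));
    }
    // A trailing slash or an empty / "." / ".." segment is not a valid SPIFFE path.
    let segments: Vec<&str> = match path {
        Some(p) => p.split('/').collect(),
        None => Vec::new(),
    };
    for seg in &segments {
        if seg.is_empty() || *seg == "." || *seg == ".." || !seg.chars().all(valid_path_char) {
            return Err(ResolveError::BadPath);
        }
    }
    // Map the k8s-style path into namespace / service account (scenario 1).
    let (namespace, service_account) = match segments.as_slice() {
        ["ns", ns, "sa", sa] => (Some(ns.to_string()), Some(sa.to_string())),
        _ => (None, None),
    };
    Ok(WorkloadSubject {
        spiffe_id: id.to_string(),
        trust_domain: domain.to_string(),
        namespace,
        service_account,
    })
}

/// Policy check for a route that requires one specific workload identity
/// (scenario 3): exact match on the full SPIFFE ID, never on a prefix.
pub fn policy_matches(required_spiffe_id: &str, subject: &WorkloadSubject) -> bool {
    subject.spiffe_id == required_spiffe_id
}

fn main() {
    // Constructed sample config and IDs for demonstration.
    let cfg = TrustConfig { trusted_domains: HashSet::from(["example.org".to_string()]) };
    for id in [
        "spiffe://example.org/ns/prod/sa/agent",
        "spiffe://evil.example/ns/prod/sa/agent",
        "spiffe://example.org/",
    ] {
        println!("{} -> {:?}", id, resolve_spiffe_id(&cfg, id));
    }
}
```

Matching policy on the full SPIFFE ID rather than on the trust domain alone keeps a workload in a trusted domain but a different namespace or service account from satisfying a route that names one specific agent.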
Additional Context
Scoped in the Praxis epic #678 alignment work (AgentPolicy data model + credential isolation, praxis sub-issues #680 and #686). Reuses the existing `identity_resolve` hook.